How To Factory Reset Your Palo Alto Firewall And Configure IP Management | PART 2

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
[Music] foreign if you're just joining us my name is Keith Barker and this video is part of the playlist for Palo Alto firewalls 0 to 60. so in this video we're going to focus on this first task right here a factory reset of the pedal to Farwell and the initial bootstrap configuration to give it an IP address so we can manage it over the network and let me go ahead and introduce this Hardware to you right now and here it is this is a little pa 440 let me give you a better view of the front here so we have eight ethernet ports these are gigabit ports right here we have an Ethernet Management Port right here we've got a console port with an RJ45 connection also USB connection for console access this is a PA 440 that's the model number of this device and as we continue I've got a switch right here below it with some ethernet ports and cables that we'll be plugging in however initially to bootstrap this device I'm going to use this cable right here and this is a rollover cable that goes from my computer from a USB port over to the console Port so that way we can get initial access to work with and manage this firewall for its initial configuration so I'll go ahead and plug the console cable into the console port and then we'll head back to the computer use a terminal emulator and connect through this console cable to this firewall so I'm currently logged on to the firewall via the console port and what I'm going to do is a factory reset of this device right now so here at the command prompt for the firewall we're going to issue the command debug system maintenance mode and press enter the prompt that comes back says executing this command will disconnect the current session and reboot the system into maintenance mode and do you want to continue so I'm going to respond with Y to that and the system is now going down it's going to reboot it's going to come back up into maintenance mode and from there I'm going to issue a factory reset and thanks to the magic of editing this will only take a few seconds on camera however in reality it might take four to five minutes for each of these boots alright so now it's booted into maintenance mode so I'm going to go ahead and press enter to continue and then I'll hit the a down arrow a couple times to go to factory reset and press enter here and it currently has pan oss the operating system on the firewall all of 11.0.1 so I'm going to use that and I'm not going to go ahead and choose the scrub option because if I did it would take hours and hours due to a factory reset here so I'm going to bypass the scrub so I'm just going to arrow down to factory reset and then with factory reset highlighted press enter again and this factory reset is probably going to take about four to five minutes to go ahead and complete now this is a PA 440 it's like the baby bear version of the Hardware Appliances so it's not gonna be quite as fast as a higher end model so through the magic of editing once again this process for the factory reset although in reality it may take four to five minutes on camera it'll take about 10 seconds alright so it is on its way and when it's done we'll resume together and just as a reminder it's this physical firewall which is a pa440 which is going through that factory reset right now all right over 70 we're almost there all right and it is done so I'm going to go ahead and use the arrow keys to go down to reboot press enter and now the firewall is going to reboot just like it came in from the factory so any existing configuration or log files or anything else like that that were on that firewall they are completely gone so this reboot also is going to take a few minutes and after it fully reboots and initializes we also want to pay attention to the prompt because we want to tell it that we want to stop the zero touch provisioning and that we want to configure the firewall manually all right so for this question do you want to exit ztp mode and configure the firewall in standard mode we're going to type in yes for that and press enter it's going to say are you sure I'm going to say Y and press enter and then it's going to go ahead and reboot once again so the benefit of saying no to the zero touch provisioning is that we can now walk through the process manually together and not need Panorama or any cloud services for the initial configuration bootstrap of the firewall so once again this boot will take about 2-3 minutes and when it reboots we'll come right back and we'll resume together and in preparation for our next step here regarding IP management let's talk about how we're going to manage this physical Appliance there's the Management Port here and I have that Management Port connect it into my home office Network which is the 192.168.1 network with a 24-bit mask and I want to use the IP address of dot 19 for managing this Palo Alto firewall so my management computer is right here and currently I have my console cable going over to the console port on the Palo Alto firewall and that's our current CLI or command line interface access to the firewall at the moment but once we configure an IP address on the management interface we can then go ahead and start interacting with the Palo Alto firewall from the measurement PC over the IP network instead of using the console cable so once it has the IP address we can connect to it with SSH or we could use a browser with https to connect and work with the firewall so now that the firewall is booting up what we're going to do is still using the console cable I'm going to give the firewall a name like firewall 19 will give the management interface the IP address of 192.168 1.19 I'll specify a default gateway which is dot one I'll specify a DNS server it can use and the initial login to do the configuration on the firewall is the username admin and the password of admin that's the default however once we log in it's going to force us to change the password from admin to some other password of our choice so now that the firewall is completely rebooted let's go back to our management PC with my terminal emulation program which is secure CRT which is using the serial connection here to go to the console port on the pallet to firewall and let's initially configure the firewall with its basic IP addressing information so here at the firewall we'll go ahead and log in as admin the default password is admin so we'll put that in as the password and now it's asking us to change the password starting with what is the old password which is still admin so I'll type that in and now I'll specify the new password I want to use on this firewall and once I've typed that in I'll confirm that and press enter and now we are logged into operational mode here on the firewall and for the initial bootstrap here are the commands that we are going to issue we're going to type in configure which puts us into configuration mode on the firewall and then we're going to do some set device config system commands to specify the host name the IP address that we want to use on the management interface along with the mask which is a 24-bit mask the default gateway it should use on the management interface the DNS server settings and actually I want to change this one to 192.168.1.100 I have an internal DNA server can use and we'll back that up with a Google DNS server at 8.8.8.8 and then I'll specify an ntp server out on the public internet and we'll click on paste and away it goes so that paste function was part of the secure CRT terminal emulation program now on some networking devices when you put in a command in the configuration mode it'll automatically take those commands and use them however on some networking devices like a Palo Alto firewall when we input commands in configuration mode those are made part of What's called the candidate configuration and to move those from the candidate configuration over to the running configuration we need to issue a commit so this commit is simply taking these changes that we implemented and putting them into action so once this is completely done these settings will now be enforced and start being used on the firewall alright so that commit has now completed let's take a look at our topology so now that we have this IP address 192.168.1.19 assigned to this management interface it'd be convenient if we physically connected that to my home network so our next step is to put a physical Cable in place between the management interface and this VLAN where my management computer is so let's do that next so here's the Palo Alto firewall here's the management port and this cable leads off to a switch which is right below it which leads off to VLAN 1 which is where I have the 192 168 one network so I'll go ahead and plug that in and as a result of this firewall and its management interface now being connected to the network and being correctly configured with the IP address I want to use we should be able to connect to this firewall for management via this ethernet port so we should be able to connect via SSH and we should also be able to open up a web browser to this IP address on this management interface for the management of this firewall so let's test both of those on this firewall right now so currently with secure CRT I'm currently connected on my local serial Port com5 let me go ahead and open up a new connection and let me zoom in a little bit there so it's easier to read and let's go ahead and connect over to 192.168.1.19 that's the IP address we just assigned to the management interface the default port for sh's TCP Port 22 I'll log in as admin and we'll click on connect it asks me if I want to accept the host key based on this SSH session because it's a brand new connection and it's also asking me for a password which I will type in so this is the password we just reset a few moments ago at the CLI and I'm going to tell secure CRT please save that password for me and we'll click on okay all right and so now we're connecting to the IP address of 192.1681.19 via SSH and we are in so here if we do a show system info and press enter we can confirm a few things including the IP address that we assigned on the management interface the default gateway it's using the mod model number pa440 the version of pan OS that we're using Etc so now that we know we can access it via sh let's also verify we can access this firewall at its management interface via a browser so as I connect over to 192.1681.19 because at the moment it's using a self-signed certificate my browsers give me a warning that's normal for a brand new firewall with a self-signed certificate we'll click on Advanced I'll click on proceed we'll log in as admin we'll put in the password that we set up a few minutes ago and click login all right and we have some welcome messages here so I'll say don't show that one and don't show that one and don't show that one and don't show that one for future logins and we'll click on close it's also encouraging us to set up Telemetry data collection I'm going to go ahead and say okay to that and we can revisit that later and then here we are at the dashboard we can clean this up a little bit alien move system resources up here we don't need that widget and if we want to add additional widgets here we could let's go to widgets and go to system and let me bring the interfaces and I'll move that over right here fantastic and if we need to change or modify the details on our management interface that's done by clicking here on device on the top Tab and the left clicking on setup and then with setup select on the left we click on the sub tab of interfaces and here's our management interface so if we click on that if we need to change the details we could do it right here so by default it's allowing ping to the management interface it's allowing SSH and https for web management now this firewall has already been registered with Palo Alto however because I did a factory reset this firewall doesn't know about its licenses so with device on the top selected on the left let's scroll down to licenses right here and currently it says I don't know so I'm going to click right here on retrieve license keys from license server up at Palo Alto networks so went out retrieve the licenses and these are all the licenses that are in place on this firewall and again this is only here because previously I'd registered this firewall with Palo Alto if it's a brand new firewall it had been registered yet you'd want to through the registration process that way you can apply your licenses for the firewall the second thing we want to do on a factory reset firewall is also to make sure we have the latest and greatest updates so to check that with Device tab still selected on the left we'd go over to software here says no updated information available and that's because we need to click here on check now so we can go out and see what the latest and greatest versions are regarding the Panos software so now it's showing us that the latest version is 11.01 and that's the flavor I currently have installed so that's great the next thing we should check is to make sure we have the latest and greatest updates regarding the features of antivirus and threat protection and so forth so because it's a brand new firewall here it doesn't show anything at the moment so we'll click here on check now so again this is on device Dynamic updates check now and this should show us what's available alright so this is showing us Wildfire device dictionary however what is not showing us by default is any information regarding antivirus so that's a normal behavior that I've experienced so what we'll do first is we'll go to Applications and threats and let's download the latest and greatest version of applications and threats so I'll click here on download so that's actively downloading that so we'll go ahead and let that finish so we can close this little status window and later we can go back to task manager by clicking the task down here and that can show us our status also this firewall in the background went out and got its device certificate from Palo Alto networks and that's because it had previously been registered with Palo Alto so once that download is done regarding applications and threats when that finish in the background once that download completes and this screen is refreshed we'll have a little check right here to indicate that this flavor of the applications and threats has been downloaded and they're just updated fantastic and then from here we can click on install to go ahead and start using the latest and greatest applications and threats so we'll click on continue installation so that's in motion we'll click on close so that's in the process now of installing the applications and threads and once it's done and then once we click on check now we'll also based on the licensing I have it'll also show show us the options for the antivirus signatures as well so to save a few moments I'm going to go ahead and download all the latest and greatest versions click on check now and then get everything up to date and while that's cooking let me go ahead and close that it'll continue the background let's also do a little initial cleanup as well we're getting a brand new firewall and do that we'll go to the network Tab and by default on this firewall it has a virtual wire set up by default so if you're not using a virtual wire we can go ahead and just delete it so we'll click here on network and on the left we'll select virtual wires and there's our default virtual wire let's go ahead and delete it and click on yes and the other thing I'm going to do is go to our policies we'll get more into this as we go into further configuration but initially I'm going to click on policies and go to our security policy by clicking on security on the left and this default rule rule one I'm going to go ahead and delete that as well so with it highlighted selected we'll click down here on delete and click on yes so here in the web interface for the Palo Alto firewall when we're making changes these changes are only being made to the candidate configuration it's not the running config just like at the CLI if we want to move our changes over to the running config we need to go ahead and commit those changes so to do that in the GUI we click up here on Commit and then here's a summary and then we'll go ahead and click on commit to confirm or commit so now that commit is active it's in motion we'll go ahead and click on close let that finish in the background and if we ever need to check on the status of our commit we can go down here to tasks and that will show us our current status so that's in motion it'll be done here in a moment and while that's finishing up let's also go back to device and go back down to Dynamic updates on the left here and now that we have the applications and threats installed let's go ahead and click on check now and what that should show us it should also show us now the antivirus at the top and sure enough so there's our antivirus so I'll go ahead and download the latest version by clicking on download so that is currently downloading the latest Ingress anti-virus definitions so we'll let that finish and once it's done there'll be a check here saying it's downloaded and then we'll go ahead and install it once the download is complete alright so let's download it let's go ahead and click on install so now it's actually installing the antivirus definitions on the firewall so go ahead and click on close let that finish in the background we can also schedule the dynamic updates for antivirus applications and threats and so forth so they happen at a frequency and interval that we specify automatically so let me go ahead and check on the status by clicking here on tasks and it is almost done so as we take a look at our progress together we did a factory reset of this Palo Alto firewall we set up the IP address for the management interface that we want to use we also verified we can connect to that device via SSH and through the web interface we check to make sure it had a license we checked to make sure we had a current version of the software the pan OS running on the firewall and we also did the dynamic updates for getting applications and threats and viruses so what is our next step well our next step is to go ahead and set up the layer 3 interfaces specifically this one this one and this one and also to configure the security zones and preparation to support user traffic going through the firewall and that is exactly what you and I get to do in the very next video as part of this playlist so if you have time I'll see you there in just a moment
Info
Channel: Keith Barker - The OG of IT
Views: 25,390
Rating: undefined out of 5
Keywords: ogit, Keith Barker
Id: vMM8ob1jooM
Channel Id: undefined
Length: 16min 42sec (1002 seconds)
Published: Sat Apr 22 2023
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.