Pan OS and Global Protect VPN - Paiet/Capstone GitHub Wiki
Palo Alto Networks firewalls and GlobalProtect VPN use a web-based management interface, with two main modes: operational mode and configuration mode. To enter configuration mode, simply click on the "CONFIGURE" button in the upper-right corner of the screen. Once in configuration mode, browse the configuration tree using the menu on the left-hand side of the screen, and configure settings using the options on the right-hand side.
To apply changes, click on the "Commit" button in the upper-right corner of the screen. It is also possible to preview changes before committing them by clicking on the "Preview" button. If there is a particularly risky procedure that might cause a device lockout, it would be prudent to use the "Commit and Preview" option, which applies the changes, but waits for the administrator to click on the "Commit" button in the preview window to confirm the changes.
Hardware
For Palo Alto Networks firewalls, there is no need to add a virtual serial console, as the firewall is managed through a web interface.
Installation
The installation of Palo Alto Networks firewalls and GlobalProtect VPN is typically done through the initial configuration wizard, which is launched upon first boot. This wizard guides the administrator through basic settings such as network configuration, licensing, and initial user accounts.
Setup
Before configuring services, set the basic system information, including the following steps.
Hostname
In the "Device" tab, click on "Setup" and then "Management", and set the hostname in the "General Settings" section.
Accounts
In the "Device" tab, click on "Authentication Profile" to create new user accounts.
Interfaces
Ethernets
In the "Network" tab, click on "Interfaces" and select an ethernet interface to configure. From here, basic settings such as IP address, netmask, and link speed/duplex can be configured.
VLANs
To create a VLAN interface, select the parent ethernet interface, click on the "Add" button, and select "VLAN Sub-Interface". From here, basic settings such as VLAN ID, IP address, and netmask can be configured.
Tunnel Interfaces (GlobalProtect VPN)
To create a GlobalProtect tunnel interface, select the "Network" tab, click on "GlobalProtect", and then "Gateways". From here, select the appropriate gateway and click on the "Add" button to add a tunnel interface. Basic settings such as IP address, netmask, and authentication settings can be configured.
Routing
Static
To add a static route, select the "Network" tab, click on "Virtual Routers", and select the appropriate virtual router. From here, click on the "Static Routes" tab and click on the "Add" button to add a new static route. Basic settings such as destination network, next hop IP address, and metric can be configured.
BGP
To configure BGP, select the "Network" tab, click on "Virtual Routers", and select the appropriate virtual router. From here, click on the "BGP" tab and click on the "Add" button to add a new BGP instance. Basic settings such as local AS number, peer AS number, and neighbor IP address can be configured.
Firewall
The Palo Alto Networks firewall uses security policies to control traffic flow. Each policy consists of a number of conditions and actions, and policies are evaluated in top-down order.
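
The top-down evaluation described above, as an added example that is not part of the original wiki and is not PAN-OS code: a simplified first-match model with a check for rules that an earlier rule makes unreachable, which is the usual ordering mistake to audit for. The `Rule` fields, the rule names and the sample packets are constructed for illustration, and the shadowing check goes slightly beyond what the text covers.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port
    state: Optional[str] = None      # None matches any connection state

    def matches(self, pkt: dict) -> bool:
        return all(want is None or pkt.get(key) == want
                   for key, want in (("proto", self.proto),
                                     ("dport", self.dport),
                                     ("state", self.state)))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return all(mine is None or mine == theirs
                   for mine, theirs in ((self.proto, other.proto),
                                        (self.dport, other.dport),
                                        (self.state, other.state)))

def evaluate(rules, pkt, default="drop"):
    """Top-down, first match wins; unmatched traffic gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"

def shadowed(rules):
    """(later, earlier) pairs where the later rule can never be reached."""
    return [(later.name, earlier.name)
            for i, later in enumerate(rules)
            for earlier in rules[:i] if earlier.covers(later)]

# Constructed policy: accept established, accept SSH, drop the rest.
POLICY = [
    Rule("allow-established", "accept", state="established"),
    Rule("allow-ssh", "accept", proto="tcp", dport=22),
]
# Same rules with a catch-all drop mistakenly placed first.
MISORDERED = [Rule("drop-all", "drop")] + POLICY
```

Running `shadowed()` over an exported rule list before a commit flags entries that will never match, which is easier to miss in a long policy than in this three-rule sample.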
As an example, the configuration below would create a new security policy called "SSH", which drops all traffic by default, but accepts established connections (for example, to allow return TCP traffic) and accepts SSH traffic.
Create a new security policy by selecting the "Policies" tab, and clicking on the "Security" tab. Click on the "Add"