Saucepan

User Tools

Site Tools

Trace: cloud_network_automation dns_exfiltration powershell best_practice migration licencing forwarding firewall_rules dns_servers firewall_rules
paloaltonetworks:new_setup

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
paloaltonetworks:new_setup [2021/02/17 13:33] – created bstaffordpaloaltonetworks:new_setup [2025/10/29 10:54] (current) – [New Setup] bstafford
Line 1: Line 1:
 +====== New Setup ======
 +Things to remember when setting up a new firewall.
 +
 +===== Set MGMT to DHCP =====
 +<code>configure
 +set deviceconfig system type dhcp-client send-hostname no accept-dhcp-hostname no send-client-id no accept-dhcp-domain no</code>
 +
 +===== Proxy URL =====
 Enable the firewall to return a clean block page even if the HTTPS session is not being decrypted (this requires the endpoint to trust the Forward Trust certificate on the firewall). Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Security Connection Failed). Enable the firewall to return a clean block page even if the HTTPS session is not being decrypted (this requires the endpoint to trust the Forward Trust certificate on the firewall). Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Security Connection Failed).
 <code>set deviceconfig setting ssl-decrypt url-proxy yes</code> <code>set deviceconfig setting ssl-decrypt url-proxy yes</code>
Line 4: Line 12:
 <code><url-proxy>yes</url-proxy></code> <code><url-proxy>yes</url-proxy></code>
  
 +===== Management SSL =====
 +Secure SSL on the management interface by disabling old ciphers.
  
-Secure SSL on the management interface+**Use ECDSA Certificates**. If going self signed, you will need to create a CA and then create the MGMT cert from that. This will prevent some RSA ciphers being used and helps in Nessus audits.
 <code>set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no</code> <code>set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no</code>
  
 +===== Management SSH =====
 Secure SSH on the management interface Secure SSH on the management interface
 On PAN-OS 9.1 and earlier On PAN-OS 9.1 and earlier
Line 23: Line 33:
 run set ssh service-restart mgmt</code> run set ssh service-restart mgmt</code>
  
 +===== Detailed Threat Logs =====
 Enable more detailed logging in Threat logs for Zone Protection Profile events. Details [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]]. Enable more detailed logging in Threat logs for Zone Protection Profile events. Details [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]].
 <code>set system setting additional-threat-log on</code> <code>set system setting additional-threat-log on</code>
paloaltonetworks/new_setup.1613568817.txt.gz · Last modified: (external edit)