paloaltonetworks:new_setup, current revision 2025/10/29 10:54 by bstafford (previous revision 2021/02/17 13:34).
====== New Setup ======
Things to remember when setting up a new firewall.
  
===== Set MGMT to DHCP =====
The management interface takes whatever address the DHCP server leases, so reserve an address for the firewall's MGMT MAC before committing, then reconnect on the new address.
<code>configure
set deviceconfig system type dhcp-client send-hostname no accept-dhcp-hostname no send-client-id no accept-dhcp-domain no</code>
  
===== Proxy URL =====
Enable the firewall to return a clean block page even if the HTTPS session is not being decrypted. To do this the firewall terminates the blocked TLS connection itself with a certificate issued by its Forward Trust CA, so the endpoint must trust that CA or the browser shows a certificate warning instead of the block page. Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Firefox's "Secure Connection Failed").
<code>set deviceconfig setting ssl-decrypt url-proxy yes</code>
The same setting in the XML configuration (under deviceconfig/setting/ssl-decrypt):
<code><url-proxy>yes</url-proxy></code>
  
===== Management SSL =====
Secure SSL on the management interface by disabling old ciphers.

**Use ECDSA certificates**. If going self-signed, you will need to create a CA and then issue the MGMT certificate from it. The profile below only removes static RSA key exchange (keyxchg-algo-rsa); ECDHE-RSA suites use ephemeral key exchange and survive it, but with an ECDSA certificate the firewall can only authenticate ECDSA suites, so those RSA suites drop off as well. This helps in Nessus audits.
<code>set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no</code>
What is left is AES-256-GCM over ECDHE only, so check that your browsers, automation and monitoring tools can still negotiate that before committing. The profile also needs a minimum TLS version and the certificate assigned, and it must be bound to the management interface (deviceconfig system ssl-tls-service-profile) before it takes effect.
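As an added check (not from this page or from Palo Alto Networks), the Python below predicts which cipher suites a scanner should still find once the profile above is committed, and can optionally probe the management address to confirm. The suite names are OpenSSL's, the candidate list and the placeholder address 192.0.2.1 are constructed for the example, and the PROFILE dictionary mirrors the knobs in the set command.

```python
"""Predict (and optionally probe) the TLS 1.2 suites a PAN-OS management
interface still accepts after the ssl-tls-service-profile on this page.

Added example, not PAN-OS or Palo Alto Networks code. Suite names are
OpenSSL names; CANDIDATES and the 192.0.2.1 address are constructed.
"""
import socket
import ssl

# The knobs from the page's set command, each set to "no" (False).
PROFILE = {
    "auth-algo-sha1": False,
    "enc-algo-3des": False,
    "enc-algo-rc4": False,
    "enc-algo-aes-128-cbc": False,
    "enc-algo-aes-128-gcm": False,
    "enc-algo-aes-256-cbc": False,
    "keyxchg-algo-rsa": False,
}

# Constructed candidate list: the kind of suites a scanner such as Nessus offers.
CANDIDATES = [
    "RC4-SHA",
    "DES-CBC3-SHA",
    "AES128-SHA",
    "AES256-SHA",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
]


def disabled_by(suite, profile=PROFILE):
    """Return the profile knobs (set to no) that rule out this OpenSSL suite name."""
    hits = []
    kx_ephemeral = suite.startswith(("ECDHE-", "DHE-"))
    if not kx_ephemeral and not profile["keyxchg-algo-rsa"]:
        hits.append("keyxchg-algo-rsa")  # static RSA key exchange
    if "RC4" in suite and not profile["enc-algo-rc4"]:
        hits.append("enc-algo-rc4")
    if "DES-CBC3" in suite and not profile["enc-algo-3des"]:
        hits.append("enc-algo-3des")
    aead = "GCM" in suite
    if "AES128" in suite:
        knob = "enc-algo-aes-128-gcm" if aead else "enc-algo-aes-128-cbc"
        if not profile[knob]:
            hits.append(knob)
    if "AES256" in suite and not aead and not profile["enc-algo-aes-256-cbc"]:
        hits.append("enc-algo-aes-256-cbc")
    # A bare "-SHA" suffix means an HMAC-SHA1 record MAC.
    if suite.endswith("-SHA") and not profile["auth-algo-sha1"]:
        hits.append("auth-algo-sha1")
    return hits


def cert_allows(suite, cert_type):
    """Whether the server certificate's key type can authenticate this suite.
    The profile cannot disable ECDHE-RSA-* (ephemeral key exchange), but an
    ECDSA certificate makes them unusable; this is the page's ECDSA point."""
    if "-ECDSA-" in suite:
        return cert_type == "ECDSA"
    return cert_type == "RSA"


def expected_accepted(cert_type, profile=PROFILE, candidates=CANDIDATES):
    """Suites a scanner should find open once the profile and cert are in place."""
    return [s for s in candidates
            if not disabled_by(s, profile) and cert_allows(s, cert_type)]


def probe(host, port, suite, timeout=5.0):
    """Live check: True if the server completes a TLS 1.2 handshake with exactly
    this suite, False if it refuses, None if the local OpenSSL cannot offer the
    suite at all (e.g. RC4 under OpenSSL 3 without the legacy provider)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing ciphers, not the chain
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == suite
    except (ssl.SSLError, OSError):
        return False


def audit(host, port, cert_type, candidates=CANDIDATES):
    """Compare live results with the prediction; returns the suites that differ."""
    want = set(expected_accepted(cert_type, candidates=candidates))
    surprises = {}
    for suite in candidates:
        got = probe(host, port, suite)
        if got is not None and got != (suite in want):
            surprises[suite] = got
    return surprises


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed MGMT address
    print("expected with ECDSA cert:", expected_accepted("ECDSA"))
    print("unexpected live results:", audit(host, 443, "ECDSA"))
```

Run it with the MGMT address as the argument after committing. A non-empty audit result means either the profile is not the one bound to the management interface or the certificate key type differs from what you passed; a suite reported as True that should be closed is what Nessus will flag.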
  
===== Management SSH =====
Secure SSH on the management interface.
On PAN-OS 9.1 and earlier:
Line 27: Line 33:
run set ssh service-restart mgmt</code>
  
===== Detailed Threat Logs =====
Enable more detailed logging in Threat logs for Zone Protection Profile events (available from PAN-OS 8.1.2). Details [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]].
<code>set system setting additional-threat-log on</code>