====== New Setup ======
Things to remember when setting up a new firewall.
===== Set MGMT to DHCP =====
<code>
configure
set deviceconfig system type dhcp-client send-hostname no accept-dhcp-hostname no send-client-id no accept-dhcp-domain no
</code>
===== Proxy URL =====
Enable the firewall to return a clean block page even if the HTTPS session is not being decrypted (this requires the endpoint to trust the Forward Trust certificate on the firewall). Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Secure Connection Failed).
<code>
set deviceconfig setting ssl-decrypt url-proxy yes
</code>
You can check a configuration to see if this is set by searching for ''url-proxy yes''.
===== Management SSL =====
Secure SSL on the management interface by disabling old ciphers.
**Use ECDSA certificates.** If going self-signed, you will need to create a CA and then create the MGMT cert from that. This will prevent some RSA ciphers from being used and helps in Nessus audits.
<code>
set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no
</code>
===== Management SSH =====
Secure SSH on the management interface by restricting it to modern ciphers and MACs, an ECDSA host key and periodic session rekeying.
On PAN-OS 9.1 and earlier:
<code>
configure
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256
set deviceconfig system ssh mac mgmt hmac-sha2-512
commit
run set ssh service-restart mgmt
</code>
===== Detailed Threat Logs =====
Enable more detailed logging in Threat logs for Zone Protection Profile events. Details [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]].
<code>
set system setting additional-threat-log on
</code>
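Once a box has been built from these notes, it is worth checking later that the Proxy URL, Management SSL and Management SSH settings are still in the running configuration (someone may have re-enabled a cipher, or the SSH block may have been skipped on a replacement unit). The script below is an added example, not PAN-OS or Palo Alto Networks code: it parses a ''set''-format configuration dump (''set cli config-output-format set'' followed by ''show'') and reports each hardening item as PASS or FAIL. The ''SAMPLE_CONFIG'' text is constructed for the example and the profile name ''MGMT_TLS'' is a placeholder for your own ssl-tls-service-profile name. It handles both one-setting-per-line dumps and the chained one-line form used above, as well as the ''[ a b ]'' list syntax the set format uses for multi-valued settings.

```python
"""Audit a PAN-OS 'set'-format config dump for the management-hardening
items in these notes.  Added example, not Palo Alto Networks code.
SAMPLE_CONFIG is constructed; MGMT_TLS is a placeholder profile name."""
from dataclasses import dataclass

# Algorithms the Management SSL section turns off in the TLS service profile.
WEAK_TLS_ALGOS = ["auth-algo-sha1", "enc-algo-3des", "enc-algo-rc4",
                  "enc-algo-aes-128-cbc", "enc-algo-aes-128-gcm",
                  "enc-algo-aes-256-cbc", "keyxchg-algo-rsa"]
# The only SSH ciphers / MACs the Management SSH section leaves enabled.
ALLOWED_SSH_CIPHERS = {"aes256-ctr", "aes256-gcm"}
ALLOWED_SSH_MACS = {"hmac-sha2-256", "hmac-sha2-512"}


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def parse_set_lines(config_text):
    """Split every 'set ...' line into tokens; blanks and comments are skipped."""
    return [line.split() for line in config_text.splitlines()
            if line.strip().startswith("set ")]


def has_pair(lines, prefix, key, value):
    """True if a line starting with `prefix` has `key value` as adjacent tokens.
    Works for one-setting-per-line dumps and for chained set lines."""
    p = prefix.split()
    for toks in lines:
        if toks[:len(p)] != p:
            continue
        for i in range(len(p), len(toks) - 1):
            if toks[i] == key and toks[i + 1] == value:
                return True
    return False


def values_after(lines, prefix):
    """Collect the value(s) following `prefix`: one value per line, or the
    set-format list syntax '[ a b c ]'."""
    p = prefix.split()
    found = set()
    for toks in lines:
        if toks[:len(p)] != p or len(toks) <= len(p):
            continue
        rest = toks[len(p):]
        if rest[0] == "[":
            found.update(t for t in rest[1:] if t != "]")
        else:
            found.add(rest[0])
    return found


def audit(config_text, tls_profile):
    """Return one Finding per hardening item, for the named TLS profile."""
    lines = parse_set_lines(config_text)
    out = [Finding("url-proxy block page",
                   has_pair(lines, "set deviceconfig setting ssl-decrypt", "url-proxy", "yes"),
                   "ssl-decrypt url-proxy yes")]
    tls = f"set shared ssl-tls-service-profile {tls_profile}"
    for algo in WEAK_TLS_ALGOS:
        out.append(Finding(f"TLS profile: {algo} disabled",
                           has_pair(lines, tls, algo, "no"), f"{algo} no"))
    ciphers = values_after(lines, "set deviceconfig system ssh ciphers mgmt")
    out.append(Finding("SSH ciphers (mgmt)", bool(ciphers) and ciphers <= ALLOWED_SSH_CIPHERS,
                       f"configured: {sorted(ciphers)}"))
    macs = values_after(lines, "set deviceconfig system ssh mac mgmt")
    out.append(Finding("SSH MACs (mgmt)", bool(macs) and macs <= ALLOWED_SSH_MACS,
                       f"configured: {sorted(macs)}"))
    out.append(Finding("SSH host key ECDSA (mgmt)",
                       has_pair(lines, "set deviceconfig system ssh default-hostkey mgmt",
                                "key-type", "ECDSA"), "default-hostkey key-type ECDSA"))
    rekey = values_after(lines, "set deviceconfig system ssh session-rekey mgmt interval")
    out.append(Finding("SSH session rekey <= 3600 s",
                       any(v.isdigit() and int(v) <= 3600 for v in rekey),
                       f"configured: {sorted(rekey)}"))
    return out


def failed_checks(config_text, tls_profile):
    """Names of the checks that did not pass."""
    return [f.check for f in audit(config_text, tls_profile) if not f.ok]


# Constructed dump: two items deliberately fall short (AES-128-GCM is still
# enabled in the TLS profile, and a CBC cipher is left in the SSH cipher list).
SAMPLE_CONFIG = """\
set deviceconfig setting ssl-decrypt url-proxy yes
set shared ssl-tls-service-profile MGMT_TLS protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile MGMT_TLS protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile MGMT_TLS protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile MGMT_TLS protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile MGMT_TLS protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile MGMT_TLS protocol-settings keyxchg-algo-rsa no
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh mac mgmt [ hmac-sha2-256 hmac-sha2-512 ]
set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
set deviceconfig system ssh session-rekey mgmt interval 3600
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, "MGMT_TLS"):
        print("PASS" if f.ok else "FAIL", f.check, "-", f.detail)
```

Point ''audit()'' at a saved dump of your own firewall (and your real profile name) to get the same PASS/FAIL list; the two FAIL lines produced by the constructed sample are exactly the kind of drift this is meant to catch. The ''additional-threat-log'' and DHCP commands are not checked because they are operational commands rather than lines in the set-format configuration.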