New Setup

Things to remember when setting up a new firewall.

Set MGMT to DHCP

configure
set deviceconfig system type dhcp-client send-hostname no accept-dhcp-hostname no send-client-id no accept-dhcp-domain no

Proxy URL

Enable the firewall to return a clean block page even when the HTTPS session is not being decrypted (this requires the endpoint to trust the Forward Trust certificate on the firewall). Note that this only works for URL filtering. If you block an application (e.g. Twitter) without decryption, you will just get a native browser error (e.g. Secure Connection Failed).

set deviceconfig setting ssl-decrypt url-proxy yes

You can check a configuration to see if this is set by searching for

<url-proxy>yes</url-proxy>

Management SSL

Secure SSL on the management interface by disabling old ciphers.

Use ECDSA certificates. If going self-signed, you will need to create a CA and then create the MGMT cert from that. This prevents some RSA ciphers from being used and helps in Nessus audits.

set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no

Management SSH

Secure SSH on the management interface. On PAN-OS 9.1 and earlier:

configure
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256
set deviceconfig system ssh mac mgmt hmac-sha2-512
commit
run set ssh service-restart mgmt

Detailed Threat Logs

Enable more detailed logging in Threat logs for Zone Protection Profile events.

set system setting additional-threat-log on
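As an added check, not part of these notes and not a Palo Alto tool, the following Python audits a PAN-OS config export for the URL proxy, TLS service profile and SSH cipher settings above. The XML element names are assumed to mirror the `set` paths on this page, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a (trimmed) PAN-OS config export. Element names are
# assumed from the `set` paths above, not copied from a real export.
SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="MGMT-TLS">
        <protocol-settings>
          <auth-algo-sha1>no</auth-algo-sha1>
          <enc-algo-3des>yes</enc-algo-3des>
          <enc-algo-rc4>no</enc-algo-rc4>
          <keyxchg-algo-rsa>no</keyxchg-algo-rsa>
        </protocol-settings>
      </entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><deviceconfig>
    <setting><ssl-decrypt><url-proxy>yes</url-proxy></ssl-decrypt></setting>
    <system><ssh><ciphers><mgmt>
      <aes256-ctr/><aes256-gcm/><aes128-cbc/>
    </mgmt></ciphers></ssh></system>
  </deviceconfig></entry></devices>
</config>"""

# Algorithms the profile command above turns off; anything not explicitly "no"
# (absent keys fall back to the firewall default) is reported.
WEAK_TLS = ("auth-algo-sha1", "enc-algo-3des", "enc-algo-rc4", "enc-algo-aes-128-cbc",
            "enc-algo-aes-128-gcm", "enc-algo-aes-256-cbc", "keyxchg-algo-rsa")
ALLOWED_SSH_CIPHERS = {"aes256-ctr", "aes256-gcm"}


def audit_config(xml_text):
    """Return a sorted list of findings; empty means the config matches these notes."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("./devices/entry/deviceconfig/setting/ssl-decrypt/url-proxy") != "yes":
        findings.append("url-proxy not enabled")
    for prof in root.findall("./shared/ssl-tls-service-profile/entry"):
        for algo in WEAK_TLS:
            if prof.findtext(f"./protocol-settings/{algo}") != "no":
                findings.append(f"tls profile {prof.get('name')}: {algo} not disabled")
    ssh = root.find("./devices/entry/deviceconfig/system/ssh/ciphers/mgmt")
    present = {c.tag for c in ssh} if ssh is not None else set()
    for cipher in sorted(present - ALLOWED_SSH_CIPHERS):
        findings.append(f"ssh mgmt cipher {cipher} not in allow-list")
    if not present:
        findings.append("ssh mgmt ciphers not restricted")
    return sorted(findings)
```

Point it at a `show config running` export (or the XML pulled via the API) to confirm a commit actually applied the hardening.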