The following guide presents a basic configuration for a Palo Alto Networks PA-220 running PAN-OS 9.1.12-h3.
Note that there are more recent major releases (10.x), which provide an entirely new GUI. Unfortunately, this user interface runs poorly on the PA-220.
This guide uses the PA-220 as an edge layer 3 (routed) firewall and uses the additional ports as a simple mini-switch. This can be a beneficial configuration for small branch offices, which is the market the PA-220 is targeted at. The PA-220 also has the advantage of being fanless, making it useful for desktop or quiet environments.
The front of the PA-220 includes 8x 1Gb/s data ports, 1x Out of Band Management port, one serial console port, and a USB console port. The additional USB port is used to bootstrap the firewall for rapid deployment.
(For this guide we won’t be using either of the USB ports.)
The back is fairly straightforward: there are two power inputs, fed by external power bricks. The firewall only comes with a single power supply, but a second can be ordered for redundant power.
Once the firewall is powered up, you should see a “PA-220 Login:” prompt through the serial console. Additionally, you can connect your browser to the default address of 192.168.1.1 through the Out-of-Band management port.
The default username and password are “admin:admin”, and you’ll be prompted to change the password to a strong one immediately after login. The new password will take effect after you commit the new configuration.
If you wish to change the Out-of-Band management address before you first connect, this can be done through the console port, where you can either set your own static address or use DHCP.
The following commands, entered in configuration mode, configure the management port to use DHCP:
set deviceconfig system type dhcp-client accept-dhcp-domain no accept-dhcp-hostname no send-client-id no send-hostname no
commit
However, if you’d prefer to configure a static address immediately, this configuration may be used instead:
set deviceconfig system type static
set deviceconfig system ip-address 192.168.1.1 netmask 255.255.255.0 default-gateway 192.168.1.254 dns-setting servers primary 1.1.1.1
commit
(In this case, we’re setting the device to the default 192.168.1.1/24 with a gateway of 192.168.1.254, and using Cloudflare’s 1.1.1.1 DNS server.)
At this point you should be able to navigate to the GUI using either the DHCP-learned address or the static address you configured. I’ll continue through the GUI configuration in Part 1.
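Once the management port has an address, it is worth limiting who can reach it before moving on to the GUI. The following is an added example, not part of the original guide: it uses standard PAN-OS CLI commands and assumes administrators connect from the 192.168.1.0/24 subnet used above. Lines starting with # are annotations and are not typed into the CLI.

```text
# Enter configuration mode from the operational prompt.
configure
# Keep the cleartext management services disabled; HTTPS and SSH remain available.
set deviceconfig system service disable-http yes
set deviceconfig system service disable-telnet yes
# Assumption: admin workstations sit in 192.168.1.0/24 (the subnet used in this guide).
# Once any permitted-ip entry exists, every other source is refused on the
# management port, so make sure your own address is covered before committing.
set deviceconfig system permitted-ip 192.168.1.0/24
commit
exit
# Back in operational mode: confirm the address, netmask and gateway now in effect.
show interface management
```

If the permitted-ip entry locks you out of the GUI or SSH, the serial console still works and the entry can be corrected from there.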