Saturday, July 29, 2017

Palo Alto PA-220 - Web Interface Initial Management Access

If you followed my previous post, Palo Alto PA-220 Initial Configuration - Micro USB, you can issue the command show interface management from the operational prompt to see how the RJ-45 MGT port on the front of the PA-220 is configured.

show interface management command.
By default the management port is configured with a 192.168.1.1/24 IP address. The quick start guide also references this.

You will need to configure the network interface card on your management workstation to be on this network for connectivity to the MGT port on the front of the firewall. 192.168.1.2-192.168.1.254 are valid IP addresses to use on your workstation. Below are screenshots from a Windows 10 workstation showing the setting of an IPv4 address.
For the network card to be configured, click on the above to set an IPv4 address. 
Assign an IP address on the same network as the MGT (management) port of the firewall. Click OK and close.

The firewall comes pre-packaged with an RJ-45 cable. Connect it to your management workstation and the MGT port on the firewall.
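The workstation steps above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original walkthrough; the adapter name `Ethernet` and the workstation address `192.168.1.2` are assumptions to adjust for your machine.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$InterfaceAlias = 'Ethernet',     # assumed adapter name; list yours with Get-NetAdapter
    [string]$WorkstationIp  = '192.168.1.2',  # assumed; any free address in 192.168.1.2-192.168.1.254
    [string]$MgtIp          = '192.168.1.1'   # factory-default MGT address from the post
)

# Refuse addresses outside the usable range, including the firewall's own .1.
if ($WorkstationIp -notmatch '^192\.168\.1\.(\d{1,3})$' -or
    [int]$Matches[1] -lt 2 -or [int]$Matches[1] -gt 254) {
    throw "$WorkstationIp is not in 192.168.1.2-192.168.1.254"
}

# The adapter must have link, i.e. the RJ-45 cable is seated in the MGT port.
$adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
if ($adapter.Status -ne 'Up') {
    throw "Adapter '$InterfaceAlias' is $($adapter.Status); check the cable to the MGT port."
}

# Static address with a /24 prefix. No default gateway is set on purpose:
# the workstation only needs to reach the directly connected MGT port.
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $WorkstationIp `
    -PrefixLength 24 -ErrorAction Stop | Out-Null

# Give the new address a moment to become usable, then probe the HTTPS listener.
Start-Sleep -Seconds 3
$probe = Test-NetConnection -ComputerName $MgtIp -Port 443 -WarningAction SilentlyContinue

if ($probe.TcpTestSucceeded) {
    "MGT web interface is reachable at https://$MgtIp"
} else {
    "No answer on ${MgtIp}:443. The firewall may still be booting (STAT LED not yet green)."
}

# When finished, return the adapter to DHCP:
#   Remove-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $WorkstationIp -Confirm:$false
#   Set-NetIPInterface  -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Enabled
```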

In your web browser, type in the address of the MGT port, https://192.168.1.1. You will most likely get a certificate error.

Certificate error browsing to web interface of PA-220.

If you accept the certificate warning you should see a similar login form as pictured below.


Administrative login page for the firewall.

Log in with admin/admin, the default credentials for the firewall.

You will be warned each time you log in that the device is set up with default credentials and that you need to change them. Go ahead and say OK. You may also see a message showing you all of the new features within PAN-OS.

Initial dashboard screen. 
From within the web interface, you can assign IP addresses to interfaces, change the default credentials, set firewall policy, etc.


Palo Alto PA-220 Initial Configuration - Micro USB

There are multiple ways to configure a PA-220 out of the box: via the web interface and via the console ports.
I have always used standard RJ-45 console ports before but never micro-USB. I thought I would connect the cable provided in the box to my Windows 10 laptop and give it a try. From the quick start guide, a link is provided for setting up the micro USB console port here: Palo Alto Networks Micro USB Console Port

The Microchip USB/driver is installed in Windows 10 by default. After connecting the USB cable to my laptop and the other end to the micro USB port on the front of the PA-220, I checked out Device Manager in Windows to see that it shows up as a USB Serial Device (COM4). It may very well show up as a different COM port for you, so your mileage may vary.

Device manager screenshot, showing USB Serial Device (COM4) under Ports (COM & LPT)

I always tend to use Putty for terminal emulation in Windows. You can find Putty here: Putty Download

In Putty you will want to select Serial and type in the COM port found in device manager. Leave the speed at 9600 as pictured below. 

Putty settings for the micro USB console port.
When you click Open in Putty you should see a PA-220 login: prompt. 

PA-220 login prompt

Of note here, the PA-220 login prompt will only show up when the firewall has completely finished booting. Pay attention to the STAT LED on the front of the firewall; it will be ready to authenticate you when it turns GREEN (from my previous post, this process may take around 9 minutes). See: Interpret the LEDs on a PA-220 Firewall

admin/admin is the default username and password for Palo Alto firewalls out of the box.

After authenticating you should see the following prompt:



PA-220 - Command prompt.
If you type a question mark ? you will see a list of commands available at this prompt. 


The > prompt indicates operational mode (i.e. non-configuration mode).

You can execute various show commands, ping a device, reboot/restart the firewall or services from this mode of operation. 


If you type in a command, followed by a space with another question mark you can step through the commands to find the one you are looking for. 

request ? command. 





Palo Alto PA-220 Initial Hardware Setup


I recently had the opportunity to check out a Palo Alto Networks PA-220. Here is a breakdown of what shipped. I will have future blog posts to cover initial setup of the device.

PA-220 and accessories.

Cables and mounting hardware.
After unboxing the firewall, you will notice on the back of the firewall an option to connect two power adapters. By default, the firewall only ships with a single power adapter. The documentation references connecting a second power adapter to a separate circuit in order to provide power redundancy. See: Connect Power to a PA-220 Firewall, Electrical Specs

PA-220 back view of power inputs and grounding post. 

On the front side of the firewall, from left to right, you will notice Ethernet ports 1-8 (10/100/1000), a copper MGT (management) port (RJ-45), a copper CONSOLE port (RJ-45), a micro USB console port and a USB port.

PA-220 front view.


You will also notice the ever important indicator lights, HA, STAT, ALM, TEMP, and PWR. Here is a link to the Palo Alto website for interpreting the indicator LEDs: Interpret the LEDs on a PA-220 Firewall

When connecting power for the first time, the PWR light should turn green. After a few minutes the TEMP and STAT lights should turn on. Once the firewall is fully booted the STAT light will turn from amber to green. ** VERY IMPORTANT NOTE ** The entire boot process on a PA-220 is around 9 minutes from power on to the STAT LED turning green for initial configuration.

In my next posts I will cover initial setup of the PA-220.


Sunday, July 16, 2017

Top Information Security Podcasts

Podcasts are a great way of maximizing time spent exercising, driving places, etc., and maybe even learning a few things along the way. This is a list of information security podcasts I am currently listening to and would highly recommend.