PaloAlto Networks PA-3000 Series User manual
©2013 Palo Alto Networks, Inc. All rights reserved.
Palo Alto Networks and PAN-OS are registered trademarks of Palo Alto Networks, Inc.
Part Number 810-000117-00B https://paloaltonetworks.com
Performing the Final Setup
CONFIGURE THE SECURITY POLICY
The following example policy allows all traffic to flow from the trust zone to the untrust
zone while inspecting for viruses, vulnerabilities, and spyware. In addition, the policy denies
the flow of traffic from the untrust zone to the trust zone.
Select Policies > Security click Add and name the new rule
rule1
.
Click the Source tab and in the Source Zone section click Add and select
trust
.
Click the Destination tab and in the Destination Zone section click Add and select
untrust
.
Click the Actions tab and in the Action Setting section select the Allow radio button.
In the Profile Setting section select Profiles from the Profile Type drop-down list.
In the Antivirus, Vulnerability Protection, and Anti-Spyware drop-down lists, select
default.
Click OK to save the changes and then Commit.
DEPLOY THE FIREWALL AND VERIFY THE NETWORK AND SECURITY CONFIGURATION
Connect port 1 to the Internet.
Connect port 2 to your local network.
From a computer on your local network other than the computer you are using to configure
the PA-3000 Series firewall, try to connect to the Internet to validate proper connectivity.
CONFIGURE THE MANAGEMENT INTERFACE
Select Device > Setup and in the Management Interface Settings section, click the Edit icon.
In the IP Address, Netmask, and Default Gateway fields, enter the values that you
received from your network administrator for accessing your enterprise management
network.
In the Services section, select the services that will be allowed on the MGT interface. For
example, select Ping, HTTPS, and SSH.
Click OK and then Commit.
Disconnect your computer from the firewall and then connect the MGT port on the firewall
to your enterprise management network.
VERIFY THE MANAGEMENT CONFIGURATION
Connect your computer to the enterprise management network.
Open a browser window and type https://<MGT_port_IP_Address>.
Log in to the web interface of the PA-3000 Series firewall.
Where to Go Next
•Refer to https://paloaltonetworks.com/documentation for information on configuring the
features of the PA-3000 Series firewall.
•Refer to the
PA-3000 Series Hardware Reference Guide
for information on rack
installation, safety warnings, and specifications.
Before You Begin
•Register your PA-3000 Series firewall at https://support.paloaltonetworks.com to
obtain the latest software and App-ID updates, and to activate support or subscriptions.
•Obtain an IP address from your network administrator for configuring the management
port on the PA-3000 Series firewall.
•Have an RJ-45 Ethernet cable to connect your computer to the management port on the
PA-3000 Series firewall.
•Set your computer’s IP address to 192.168.1.2 and the subnet mask to 255.255.255.0.
NOTE: This document assumes the firewall has been properly rack-mounted and
powered up as described in the
PA-3000 Series Hardware Reference Guide
.
Perform the Initial Setup
Connect your computer to the management port (MGT) using an RJ-45 Ethernet cable.
Turn your computer on.
Launch a web browser and enter https://192.168.1.1.
The login page of the firewall’s web interface appears.
Type admin in both the Name and Password fields.
Click Login.
Select Device > Administrators and click the
admin
account.
Type the old password in the Old Password field.
Type the new password in the New Password field.
Type the new password again in the Confirm New Password field.
Click OK.
Proceed to the next section to choose a deployment option.
1
2
3
4
5
6
7
8
9
10
11
12
1
2
3
4
5
6
7
8
9
10
11
13
14
15
16
17
18
PA-3000 Series
Quick Start
OPTION A VIRTUAL WIRE DEPLOYMENT
The default configuration of the PA-3000 Series firewall is a virtual wire between ports 1 and 2, which enforces
security policies. No configuration is required for this basic setting. Proceed to Performing the Final Setup.
OPTION C LAYER 3 DEPLOYMENT
CONFIGURE THE INTERFACES
Obtain two IP addresses for ports 1 and 2 on the PA-3000 Series firewall from your network
administrator. This example uses IPv4 addresses; IPv6 is also supported.
Select Network > Interfaces, click ethernet1/1 and select Layer 3 from the Interface Type drop-
down.
Click the IPv4 tab and select Static. Click Add in the IP field and enter the IP address and subnet
mask for port 1 in the IP field. For example, 10.1.1.1/24.
Click OK to save the changes.
Select ethernet1/2 and select Layer 3 from the Interface Type drop-down.
Click the IPv4 tab and select Static. Click Add in the IP field and enter the IP address and subnet
mask for port 2 in the IP field. For example, 10.1.2.1/24.
Click OK to save the changes.
CONFIGURE THE SECURITY ZONES
Select Network > Zones and Add a new zone. Enter
trust
as the Name and select Layer 3 as the Type.
In the Interfaces section, click Add, select ethernet1/2 and then click OK.
Add another zone named
untrust
and choose Layer3 from the Type drop-down list.
In the Interfaces section, click Add, select ethernet1/1 and then click OK.
CONFIGURE THE VIRTUAL ROUTERS
You must assign a virtual router to all Layer 3 interfaces (including the loopback interface) to enable
routing.
Select Network > Virtual Routers and then click default.
In the Interfaces section, click Add and add ethernet1/1 and ethernet1/2.
Add a default route by clicking the Static Routes tab and click Add. Enter a Name for the static route
and enter a route in the Destination field (for example, 0.0.0.0/0).
Add static routes and other routing protocols as needed and click OK when finished.
Commit the configuration and proceed to Performing the Final Setup.
OPTION B LAYER 2 DEPLOYMENT
CONFIGURE THE INTERFACES
Select Network > Interfaces and click the Ethernet tab.
Click ethernet1/1 and select Layer 2 from the Interface Type drop-down and then click OK.
Click ethernet1/2 and select Layer 2 from the Interface Type drop-down and then click OK.
CONFIGURE THE SECURITY ZONES
Select Network > Zones and Add a new zone. Enter
trust
as the Name and select Layer 2 as the Type.
In the Interfaces section, click Add and select ethernet1/2 and then click OK.
Add another zone named
untrust
and choose Layer2 from the Type drop-down.
In the Interfaces section, click Add and select ethernet1/1 and then click OK.
CONFIGURE THE VLANS
Select Network > VLANs and then click Add and name the new VLAN
vlan-1
.
In the Interfaces section, click Add and add ethernet1/1 and ethernet1/2 and then click OK.
Commit the configuration and proceed to Performing the Final Setup.
Choose a Deployment Option
•OPTION A: Virtual Wire deployment—Choose this option to transparently place the PA-3000 Series firewall
between two devices where no routing, switching, or NAT is required.
•OPTION B: Layer 2 deployment—Choose this option to deploy the PA-3000 Series firewall in a Layer 2
environment where switching is required.
•OPTION C: Layer 3 deployment—Choose this option to deploy the PA-3000 Series firewall in a Layer 3
environment where routing and NAT are required.
1
2
3
4
5
6
7
8
10
11
12
13
14
15
ethernet1/2 ethernet1/1User
Network Internet
PA-3000 Series
9
PREREQUISITE LAYER 2 AND LAYER 3 DEPLOYMENTS
To deploy the firewall in Layer 2 mode (option B) or Layer 3 mode (option C), you must first delete the default virtual
wire configuration in the following order:
To delete the default security policy, select Policies > Security, select
rule1
, and click Delete.
Next, delete the default virtual wire by selecting Network > Virtual Wires, selecting the virtual wire and
clicking Delete.
To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
Finally, delete the interface configuration by selecting Network > Interfaces and then select each
interface (ethernet1/1 and ethernet1/2) and click Delete.
Commit the changes and continue to Option B Layer 2 Deployment or Option C Layer 3 Deployment.
1
2
3
4
5
1
2
3
4
5
6
7
8
10
9
16
Other PaloAlto Networks Firewall manuals
PaloAlto Networks
PaloAlto Networks ION 1200 Series Application guide
PaloAlto Networks
PaloAlto Networks PA-200 User manual
PaloAlto Networks
PaloAlto Networks PA-1400 Series User manual
PaloAlto Networks
PaloAlto Networks PA-220 User manual
PaloAlto Networks
PaloAlto Networks Prisma SD-WAN ION 9000 Application guide
PaloAlto Networks
PaloAlto Networks PA-7000 Series Application guide
PaloAlto Networks
PaloAlto Networks PA-7080 User manual
PaloAlto Networks
PaloAlto Networks PA-800 SERIES User manual
PaloAlto Networks
PaloAlto Networks PA-220R Application guide
PaloAlto Networks
PaloAlto Networks PA-7050 PAN-AIRDUCT Parts list manual
PaloAlto Networks
PaloAlto Networks PA-220 Application guide
PaloAlto Networks
PaloAlto Networks PA-3200 Series User manual
PaloAlto Networks
PaloAlto Networks PA-3400 Series Application guide
PaloAlto Networks
PaloAlto Networks PA-410 User manual
PaloAlto Networks
PaloAlto Networks PA-7000 Series Application guide
PaloAlto Networks
PaloAlto Networks PA-3020 Operating and maintenance manual
PaloAlto Networks
PaloAlto Networks PA-220R Application guide
PaloAlto Networks
PaloAlto Networks PA-3200 Series Application guide
PaloAlto Networks
PaloAlto Networks PA-5200 Series User manual
PaloAlto Networks
PaloAlto Networks M-300 Application guide
Popular Firewall manuals by other brands
Watchguard
Watchguard SOHO Features guide
W&T
W&T 55211 manual
Atlante Informatica
Atlante Informatica AFEL Series user manual
ZyXEL Communications
ZyXEL Communications ZyWALL SEM-DUAL user guide
Fortinet
Fortinet FortiManager-100 quick start guide
ZyXEL Communications
ZyXEL Communications ZyWALL 1100 Series user guide
D-Link
D-Link DFL-210 - NetDefend - Security Appliance user manual
Dell
Dell SonicWall NSA 2600 Getting started guide
NETGEAR
NETGEAR FVX538v2 - ProSafe VPN Firewall Dual WAN Specifications
H3C
H3C SecPath F5020 Interface configuration guide
Aaeon
Aaeon FWS-2260 user manual
Draytek
Draytek Vigor3900 Series user guide
