Performing the Final Setup

CONFIGURE THE SECURITY POLICY

The following example policy allows all traffic to flow from the trust zone to the untrust
zone while inspecting for viruses, vulnerabilities, and spyware. In addition, the policy denies
the flow of traffic from the untrust zone to the trust zone.

Select Policies > Security click Add and name the new rule rule1.

Click the Source tab and in the Source Zone section click Add and select trust.

Click the Destination tab and in the Destination Zone section click Add and select untrust.

Click the Actions tab and in the Action Setting section select the Allow radio button.

In the Profile Setting section select Profiles from the Profile Type drop-down list.

In the Antivirus, Vulnerability Protection, and Anti-Spyware drop-down lists, select

default.

Click OK to save the changes and then Commit.

DEPLOY THE FIREWALL AND VERIFY THE NETWORK AND SECURITY CONFIGURATION

Connect port 1 to the Internet.

Connect port 2 to your local network.

10

From a computer on your local network other than the computer you are using to configure
the PA-3000 Series firewall, try to connect to the Internet to validate proper connectivity.

PA-3000 Series
Quick Start
Before You Begin

Register your PA-3000 Series firewall at https://support.paloaltonetworks.com to

obtain the latest software and App-ID updates, and to activate support or subscriptions.

Obtain an IP address from your network administrator for configuring the management
port on the PA-3000 Series firewall.

Have an RJ-45 Ethernet cable to connect your computer to the management port on the
PA-3000 Series firewall.

Set your computers IP address to 192.168.1.2 and the subnet mask to 255.255.255.0.

CONFIGURE THE MANAGEMENT INTERFACE

11

Select Device > Setup and in the Management Interface Settings section, click the Edit icon.

12

In the IP Address, Netmask, and Default Gateway fields, enter the values that you
received from your network administrator for accessing your enterprise management
network.

13

In the Services section, select the services that will be allowed on the MGT interface. For
example, select Ping, HTTPS, and SSH.

14
Click
OK and then Commit.

15

Disconnect your computer from the firewall and then connect the MGT port on the firewall
to your enterprise management network.

NOTE: This document assumes the firewall has been properly rack-mounted and
powered up as described in the PA-3000 Series Hardware Reference Guide.

Perform the Initial Setup

1 Connect your computer to the management port (MGT) using an RJ-45 Ethernet cable.
2 Turn your computer on.
3 Launch a web browser and enter https://192.168.1.1.

VERIFY THE MANAGEMENT CONFIGURATION

16

Connect your computer to the enterprise management network.

4
Type
admin in both the Name and Password fields.

The login page of the firewalls web interface appears.

17

Open a browser window and type https://<MGT_port_IP_Address>.

5
Click
Login.

18

Log in to the web interface of the PA-3000 Series firewall.

6
Select
Device > Administrators and click the admin account.

7 Type the old password in the Old Password field.

Where to Go Next

8 Type the new password in the New Password field.

Refer to https://paloaltonetworks.com/documentation for information on configuring the

9 Type the new password again in the Confirm New Password field.

Refer to the PA-3000 Series Hardware Reference Guide for information on rack

11 Proceed to the next section to choose a deployment option.

features of the PA-3000 Series firewall.

installation, safety warnings, and specifications.

2013 Palo Alto Networks, Inc. All rights reserved.

Palo Alto Networks and PAN-OS are registered trademarks of Palo Alto Networks, Inc.
Part Number 810-000117-00B https://paloaltonetworks.com

10
Click
OK.

Choose a Deployment Option

OPTION A: Virtual Wire deploymentChoose this option to transparently place the PA-3000 Series firewall
between two devices where no routing, switching, or NAT is required.

OPTION B: Layer 2 deploymentChoose this option to deploy the PA-3000 Series firewall in a Layer 2
environment where switching is required.

OPTION C: Layer 3 deploymentChoose this option to deploy the PA-3000 Series firewall in a Layer 3
environment where routing and NAT are required.
User
Network

OPTION

ethernet1/2

ethernet1/1

Internet

PA-3000 Series

A VIRTUAL WIRE DEPLOYMENT

The default configuration of the PA-3000 Series firewall is a virtual wire between ports 1 and 2, which enforces
security policies. No configuration is required for this basic setting. Proceed to Performing the Final Setup.

PREREQUISITE

LAYER 2 AND LAYER 3 DEPLOYMENTS

To deploy the firewall in Layer 2 mode (option B) or Layer 3 mode (option C), you must first delete the default virtual
wire configuration in the following order:
1

To delete the default security policy, select Policies > Security, select rule1, and click Delete.

Next, delete the default virtual wire by selecting Network > Virtual Wires, selecting the virtual wire and
clicking Delete.

3 To delete the default trust and untrust zones, select Network > Zones, select each zone and click Delete.
4 Finally, delete the interface configuration by selecting Network > Interfaces and then select each
interface (ethernet1/1 and ethernet1/2) and click Delete.
5 Commit the changes and continue to Option B Layer 2 Deployment or Option C Layer 3 Deployment.
OPTION B LAYER 2 DEPLOYMENT
CONFIGURE THE INTERFACES
1
Select
Network > Interfaces and click the Ethernet tab.

Click
ethernet1/1 and select Layer 2 from the Interface Type drop-down and then click OK.
2
Click
ethernet1/2 and select Layer 2 from the Interface Type drop-down and then click OK.
3

CONFIGURE THE SECURITY ZONES

4
Select
Network > Zones and Add a new zone. Enter trust as the Name and select Layer 2 as the Type.

5 In the Interfaces section, click Add and select ethernet1/2 and then click OK.
6 Add another zone named untrust and choose Layer2 from the Type drop-down.
7 In the Interfaces section, click Add and select ethernet1/1 and then click OK.

CONFIGURE THE VLANS

8
Select
Network > VLANs and then click Add and name the new VLAN vlan-1.

9 In the Interfaces section, click Add and add ethernet1/1 and ethernet1/2 and then click OK.
10 Commit the configuration and proceed to Performing the Final Setup.

OPTION

C LAYER 3 DEPLOYMENT

CONFIGURE THE INTERFACES

1 Obtain two IP addresses for ports 1 and 2 on the PA-3000 Series firewall from your network
administrator. This example uses IPv4 addresses; IPv6 is also supported.
2 Select Network > Interfaces, click ethernet1/1 and select Layer 3 from the Interface Type dropdown.
3 Click the IPv4 tab and select Static. Click Add in the IP field and enter the IP address and subnet
mask for port 1 in the IP field. For example, 10.1.1.1/24.
4
Click
OK to save the changes.
5
Select
ethernet1/2 and select Layer 3 from the Interface Type drop-down.

6 Click the IPv4 tab and select Static. Click Add in the IP field and enter the IP address and subnet
mask for port 2 in the IP field. For example, 10.1.2.1/24.
7
Click
OK to save the changes.

CONFIGURE THE SECURITY ZONES

8 Select Network > Zones and Add a new zone. Enter trust as the Name and select Layer 3 as the Type.

In the Interfaces section, click Add, select ethernet1/2 and then click OK.

10 Add another zone named untrust and choose Layer3 from the Type drop-down list.
11 In the Interfaces section, click Add, select ethernet1/1 and then click OK.

CONFIGURE THE VIRTUAL ROUTERS

You must assign a virtual router to all Layer 3 interfaces (including the loopback interface) to enable
routing.

12 Select Network > Virtual Routers and then click default.

13 In the Interfaces section, click Add and add ethernet1/1 and ethernet1/2.
14 Add a default route by clicking the Static Routes tab and click Add. Enter a Name for the static route
and enter a route in the Destination field (for example, 0.0.0.0/0).
15

Add static routes and other routing protocols as needed and click OK when finished.

16

Commit the configuration and proceed to Performing the Final Setup.