[Palo Alto] How to do the initial setup [CLI]

I am testing on a Palo Alto (PA-200).
This time I'll summarize how to do the initial setup on a Palo Alto (PA-200) from the CLI!

  • Model: PA-200
  • OS version: sw-version: 8.0.19

Log in

As a prerequisite, the Palo Alto appliance is assumed to be powered on.
Connect a console cable to the Palo Alto console port and open a console session from Tera Term or a similar terminal.

The default account and password are as follows.

Default account: admin
Default password: admin

Check the initial config

↓ Once logged in, check the initial config.

<Config check commands>
set cli pager off
set cli config-output-format set
configure
show

Sample output

admin@PA-200# show
set deviceconfig system ip-address 192.168.1.1
set deviceconfig system netmask 255.255.255.0
set deviceconfig system update-server updates.paloaltonetworks.com
set deviceconfig system update-schedule threats recurring weekly day-of-week wednesday
set deviceconfig system update-schedule threats recurring weekly at 01:02
set deviceconfig system update-schedule threats recurring weekly action download-only
set deviceconfig system timezone US/Pacific
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-200
set deviceconfig setting config rematch yes
set deviceconfig setting management hostname-type-in-syslog FQDN
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network interface loopback units
set network interface vlan units
set network interface tunnel units
set network vlan
set network virtual-wire default-vwire interface1 ethernet1/1
set network virtual-wire default-vwire interface2 ethernet1/2
set network profiles monitor-profile default interval 3
set network profiles monitor-profile default threshold 5
set network profiles monitor-profile default action wait-recover
set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles default hash sha1
set network ike crypto-profiles ike-crypto-profiles default dh-group group2
set network ike crypto-profiles ike-crypto-profiles default lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 hash sha256
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 hash sha384
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp encryption aes-128-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 lifetime hours 1
set network ike crypto-profiles global-protect-app-crypto-profiles default encryption aes-128-cbc
set network ike crypto-profiles global-protect-app-crypto-profiles default authentication sha1
set network qos profile default class class1 priority real-time
set network qos profile default class class2 priority high
set network qos profile default class class3 priority high
set network qos profile default class class4 priority medium
set network qos profile default class class5 priority medium
set network qos profile default class class6 priority low
set network qos profile default class class7 priority low
set network qos profile default class class8 priority low
set network virtual-router default protocol bgp enable no
set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
set network virtual-router default protocol bgp dampening-profile default reuse 0.5
set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
set network virtual-router default protocol bgp dampening-profile default enable yes
set shared application
set shared application-group
set shared service
set shared service-group
set shared botnet configuration http dynamic-dns enabled yes
set shared botnet configuration http dynamic-dns threshold 5
set shared botnet configuration http malware-sites enabled yes
set shared botnet configuration http malware-sites threshold 5
set shared botnet configuration http recent-domains enabled yes
set shared botnet configuration http recent-domains threshold 5
set shared botnet configuration http ip-domains enabled yes
set shared botnet configuration http ip-domains threshold 10
set shared botnet configuration http executables-from-unknown-sites enabled yes
set shared botnet configuration http executables-from-unknown-sites threshold 5
set shared botnet configuration other-applications irc yes
set shared botnet configuration unknown-applications unknown-tcp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-tcp session-length minimum-bytes 50
set shared botnet configuration unknown-applications unknown-udp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-udp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-udp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-udp session-length minimum-bytes 50
set shared botnet report topn 100
set shared botnet report scheduled yes
set zone trust network virtual-wire ethernet1/2
set zone untrust network virtual-wire ethernet1/1
set service-group
set service
set schedule
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set application-group
set application
set mgt-config users admin phash *****
set mgt-config users admin permissions role-based superuser yes
[edit]
admin@PA-200#

Delete unneeded config

↓ The default config contains entries you will not need as you build out your setup, so delete the unneeded defaults.

※ This is my own lab environment, so I delete the features I will not use.

delete network ike
delete network qos
delete shared botnet
delete network virtual-router default
delete network virtual-wire default-vwire

Initial setup (management IP)

↓ Change the Management port IP address, which you need for GUI access, from its default.

set deviceconfig system ip-address XX
set deviceconfig system netmask XX

Initial setup (hostname)

↓ Set the Palo Alto hostname.

set deviceconfig system hostname XX

Initial setup (timezone)

↓ Set the timezone to "Asia/Tokyo".

set deviceconfig system timezone Asia/Tokyo

Initial setup (creating a new user)

↓ Create a new user (test-user), separate from the default account, and set its password.

set mgt-config users test-user password
set mgt-config users test-user permissions role-based superuser yes

↓ How to change the password of the default account (admin)

set mgt-config users admin password

↓ How to delete the default account (admin)
※ Be sure to confirm that another account with administrator privileges exists before deleting it.

delete mgt-config users admin

Diff comparison and commit

↓ Check the config diff, then commit.

<If you are in configuration mode>
run show config diff
commit

Config after the commit

admin@PA-200-first# show 
set deviceconfig system ip-address 192.168.2.150 
set deviceconfig system netmask 255.255.255.0 
set deviceconfig system update-server updates.paloaltonetworks.com 
set deviceconfig system update-schedule threats recurring weekly day-of-week wednesday 
set deviceconfig system update-schedule threats recurring weekly at 01:02 
set deviceconfig system update-schedule threats recurring weekly action download-only 
set deviceconfig system timezone Asia/Tokyo 
set deviceconfig system service disable-telnet yes 
set deviceconfig system service disable-http yes 
set deviceconfig system hostname PA-200-first 
set deviceconfig setting config rematch yes 
set deviceconfig setting management hostname-type-in-syslog FQDN 
set network interface ethernet ethernet1/1 virtual-wire 
set network interface ethernet ethernet1/2 virtual-wire 
set network interface loopback units 
set network interface vlan units 
set network interface tunnel units 
set network vlan 
set network virtual-wire 
set network profiles monitor-profile default interval 3 
set network profiles monitor-profile default threshold 5 
set network profiles monitor-profile default action wait-recover 
set network virtual-router 
set shared application 
set shared application-group 
set shared service 
set shared service-group 
set zone trust network virtual-wire ethernet1/2 
set zone untrust network virtual-wire ethernet1/1 
set service-group 
set service 
set schedule 
set rulebase security rules rule1 from trust 
set rulebase security rules rule1 to untrust 
set rulebase security rules rule1 source any 
set rulebase security rules rule1 destination any 
set rulebase security rules rule1 service any 
set rulebase security rules rule1 application any 
set rulebase security rules rule1 action allow 
set rulebase security rules rule1 log-end yes 
set application-group 
set application 
set mgt-config users admin phash *****
set mgt-config users admin permissions role-based superuser yes 
[edit] 
admin@PA-200-first#
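As an added example (not from the original post or from Palo Alto Networks), here is a small Python audit of the set-format `show` output used above, for both the first check of the initial config and the verification after the commit. It parses the `set` lines and flags settings still at their factory values: management IP 192.168.1.1, hostname PA-200, telnet/HTTP not disabled, admin as the only administrator, and an any/any allow rule. The sample input is constructed from the listings on this page and the finding names are my own.

```python
import re

# Constructed sample in the trimmed shape of the post-commit "show" listing above: management IP and
# hostname changed, telnet/HTTP off, but admin is still the only administrator and rule1 is any/any allow.
SAMPLE_CONFIG = """\
set deviceconfig system ip-address 192.168.2.150
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-200-first
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set mgt-config users admin phash *****
set mgt-config users admin permissions role-based superuser yes
"""
# 'set <path> <value>'; the value may be a bracketed list such as [ aes-128-cbc 3des ]
SET_LINE = re.compile(r"^set\s+(.+?)\s+(\[.*\]|\S+)$")

def parse_set_config(text):
    """Map each set-format line to {path: value}; prompt lines and '[edit]' are skipped."""
    matches = (SET_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def audit_config(text):
    """Return sorted finding codes (names chosen for this example) for a set-format dump."""
    cfg = parse_set_config(text)
    findings = set()
    # Factory values are those in the first listing above; a missing line means still unchanged.
    for path, default, code in (("deviceconfig system ip-address", "192.168.1.1", "default-mgmt-ip"),
                                ("deviceconfig system hostname", "PA-200", "default-hostname")):
        if cfg.get(path, default) == default:
            findings.add(code)
    for svc in ("telnet", "http"):  # both should stay disabled on the management interface
        if cfg.get(f"deviceconfig system service disable-{svc}") != "yes":
            findings.add(f"{svc}-enabled")
    users = {p.split()[2] for p in cfg if p.startswith("mgt-config users ")}
    if users == {"admin"}:  # no second administrator yet, so admin cannot safely be deleted
        findings.add("only-default-admin")
    rules = {}  # rule name -> {attribute: value}
    for path, value in cfg.items():
        parts = path.split()
        if parts[:3] == ["rulebase", "security", "rules"] and len(parts) == 5:
            rules.setdefault(parts[3], {})[parts[4]] = value
    for name, attrs in rules.items():
        if attrs.get("action") == "allow" and all(
                attrs.get(k) == "any" for k in ("source", "destination", "service", "application")):
            findings.add(f"any-any-allow:{name}")
    return sorted(findings)
```

Paste the output of `set cli config-output-format set` / `show` into a file and run `audit_config` on it; an empty list means every check on this page has been applied.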

Summary

Finally, a summary!

  • The default account and password are admin/admin
  • Delete the unneeded default config!

That's all!
