set Format Configuration
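The following PAN-OS configuration is required as a starting point for the labs. The number fused to the start of each line in the listing (1 through 138) is the listing's line number, not part of the command; drop it before pasting the commands into the CLI.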
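NOTE: This configuration uses the default credentials admin / admin and adminr / admin; the `mgt-config users ... phash` lines at the end of the listing set them. If you apply this configuration to your own firewall, be certain to change both passwords from the default. Do not apply this configuration to a production firewall: besides the default passwords, rule1 allows any application and any service from trust to untrust, and the default IKE and IPSec crypto profiles use 3des, sha1 and group2. Use this configuration at your own risk.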
If you need a firewall to run this lab on, you can easily deploy a firewall in AWS. A firewall license is not necessary for any steps in this lab.
1set deviceconfig system type static
2set deviceconfig system update-server updates.paloaltonetworks.com
3set deviceconfig system update-schedule
4set deviceconfig system timezone US/Pacific
5set deviceconfig system service disable-telnet yes
6set deviceconfig system service disable-http yes
7set deviceconfig system hostname PA-VM
8set deviceconfig system ip-address 192.168.1.103
9set deviceconfig system netmask 255.255.255.0
10set deviceconfig system default-gateway 192.168.1.254
11set deviceconfig system dns-setting servers primary 8.8.8.8
12set deviceconfig system ntp-servers primary-ntp-server ntp-server-address us.pool.ntp.org
13set deviceconfig system ntp-servers primary-ntp-server authentication-type none
14set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address north-america.pool.ntp.org
15set deviceconfig system ntp-servers secondary-ntp-server authentication-type none
16set deviceconfig setting config rematch yes
17set deviceconfig setting management hostname-type-in-syslog FQDN
18set deviceconfig setting management disable-predefined-reports [ spyware-infected-hosts top-application-categories top-technology-categories bandwidth-trend risk-trend threat-trend top-users top-attacker-sources top-attacker-destinations top-victim-sources top-victim-destinations top-attackers-by-source-countries top-attackers-by-destination-countries top-victims-by-source-countries top-victims-by-destination-countries top-sources top-destinations top-destination-countries top-source-countries top-connections top-ingress-interfaces top-egress-interfaces top-ingress-zones top-egress-zones top-applications top-http-applications top-rules top-attacks top-spyware-threats top-viruses top-vulnerabilities wildfire-file-digests top-websites top-url-categories top-url-users top-url-user-behavior top-blocked-websites top-blocked-url-categories top-blocked-url-users top-blocked-url-user-behavior blocked-credential-post unknown-tcp-connections unknown-udp-connections top-denied-sources top-denied-destinations top-denied-applications risky-users "SaaS Application Usage" gtp-events-summary gtp-malicious-wildfire-submissions gtp-security-events gtp-v1-causes gtp-v2-causes gtp-users-visiting-malicious-url top-gtp-attacker-destinations top-gtp-attacker-sources top-gtp-victim-destinations top-gtp-victim-sources sctp-error-causes sctp-events-summary sctp-security-events ]
19set deviceconfig setting auto-mac-detect yes
20set network interface ethernet ethernet1/1 virtual-wire
21set network interface ethernet ethernet1/2 virtual-wire
22set network profiles monitor-profile default interval 3
23set network profiles monitor-profile default threshold 5
24set network profiles monitor-profile default action wait-recover
25set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
26set network ike crypto-profiles ike-crypto-profiles default hash sha1
27set network ike crypto-profiles ike-crypto-profiles default dh-group group2
28set network ike crypto-profiles ike-crypto-profiles default lifetime hours 8
29set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 encryption aes-128-cbc
30set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 hash sha256
31set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 dh-group group19
32set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 lifetime hours 8
33set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 encryption aes-256-cbc
34set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 hash sha384
35set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 dh-group group20
36set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 lifetime hours 8
37set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
38set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
39set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
40set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
41set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp encryption aes-128-gcm
42set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp authentication none
43set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 dh-group group19
44set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 lifetime hours 1
45set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp encryption aes-256-gcm
46set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp authentication none
47set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 dh-group group20
48set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 lifetime hours 1
49set network ike crypto-profiles global-protect-app-crypto-profiles default encryption aes-128-cbc
50set network ike crypto-profiles global-protect-app-crypto-profiles default authentication sha1
51set network qos profile default class-bandwidth-type mbps class class1 priority real-time
52set network qos profile default class-bandwidth-type mbps class class2 priority high
53set network qos profile default class-bandwidth-type mbps class class3 priority high
54set network qos profile default class-bandwidth-type mbps class class4 priority medium
55set network qos profile default class-bandwidth-type mbps class class5 priority medium
56set network qos profile default class-bandwidth-type mbps class class6 priority low
57set network qos profile default class-bandwidth-type mbps class class7 priority low
58set network qos profile default class-bandwidth-type mbps class class8 priority low
59set network virtual-router default protocol bgp enable no
60set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
61set network virtual-router default protocol bgp dampening-profile default reuse 0.5
62set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
63set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
64set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
65set network virtual-router default protocol bgp dampening-profile default enable yes
66set network virtual-wire default-vwire interface1 ethernet1/1
67set network virtual-wire default-vwire interface2 ethernet1/2
68set shared application
69set shared application-group
70set shared service
71set shared service-group
72set shared botnet configuration http dynamic-dns enabled yes
73set shared botnet configuration http dynamic-dns threshold 5
74set shared botnet configuration http malware-sites enabled yes
75set shared botnet configuration http malware-sites threshold 5
76set shared botnet configuration http recent-domains enabled yes
77set shared botnet configuration http recent-domains threshold 5
78set shared botnet configuration http ip-domains enabled yes
79set shared botnet configuration http ip-domains threshold 10
80set shared botnet configuration http executables-from-unknown-sites enabled yes
81set shared botnet configuration http executables-from-unknown-sites threshold 5
82set shared botnet configuration other-applications irc yes
83set shared botnet configuration unknown-applications unknown-tcp destinations-per-hour 10
84set shared botnet configuration unknown-applications unknown-tcp sessions-per-hour 10
85set shared botnet configuration unknown-applications unknown-tcp session-length maximum-bytes 100
86set shared botnet configuration unknown-applications unknown-tcp session-length minimum-bytes 50
87set shared botnet configuration unknown-applications unknown-udp destinations-per-hour 10
88set shared botnet configuration unknown-applications unknown-udp sessions-per-hour 10
89set shared botnet configuration unknown-applications unknown-udp session-length maximum-bytes 100
90set shared botnet configuration unknown-applications unknown-udp session-length minimum-bytes 50
91set shared botnet report topn 100
92set shared botnet report scheduled yes
93set shared content-preview application
94set shared content-preview application-type category
95set shared content-preview application-type technology
96set shared local-user-database user-group
97set zone trust network virtual-wire ethernet1/2
98set zone untrust network virtual-wire ethernet1/1
99set user-id-collector setting enable-mapping-timeout yes
100set user-id-collector setting ip-user-mapping-timeout 45
101set service-group
102set service
103set schedule
104set rulebase security rules rule2 to untrust
105set rulebase security rules rule2 from trust
106set rulebase security rules rule2 source any
107set rulebase security rules rule2 source-user any
108set rulebase security rules rule2 category any
109set rulebase security rules rule2 application any
110set rulebase security rules rule2 service application-default
111set rulebase security rules rule2 hip-profiles any
112set rulebase security rules rule2 action deny
113set rulebase security rules rule2 destination group2
114set rulebase security rules rule1 to untrust
115set rulebase security rules rule1 from trust
116set rulebase security rules rule1 source any
117set rulebase security rules rule1 destination any
118set rulebase security rules rule1 source-user any
119set rulebase security rules rule1 category any
120set rulebase security rules rule1 application any
121set rulebase security rules rule1 service any
122set rulebase security rules rule1 hip-profiles any
123set rulebase security rules rule1 action allow
124set import network interface [ ethernet1/1 ethernet1/2 ]
125set dynamic-user-group dug1 filter '"tag01" or "tag02"'
126set application-group
127set application
128set address-group group1 static [ addr1 addr2 addr3 ]
129set address-group group2 dynamic filter '"tag01" or "tag02"'
130set address addr1 ip-netmask 10.0.0.1
131set address addr2 ip-netmask 10.0.0.2
132set address addr3 ip-netmask 10.0.0.3
133set address addr4 ip-netmask 10.0.0.4
134set address addr5 ip-netmask 10.0.0.5
135set mgt-config users admin phash $1$fniyibcj$0tm9SixJw/wOkFkDnEqVw/
136set mgt-config users admin permissions role-based superuser yes
137set mgt-config users adminr permissions role-based superreader yes
138set mgt-config users adminr phash $1$rhprpgfp$JiYMvTDuUUWW4F7ND06JI1