Configuring a PA-220 for small network - Part 1
Assumptions: Home network would consist of a fibre broadband connection to the PA-220 and there will be 2 zones (a DMZ and an internal trusted zone)
Part 1: Get it Up and Running
The 1st thing to do is to establish some basic information such as:
- 1. IP Address from your ISP (if static IP)
- 2. Determine an IP range you would like to have for your internal zone and DMZ zone
- 3. Determine the IP to be used for the MGT port
- 4. Determine the IP for your default gateway
- 5. Determine which DNS service you will be using
Once you got that information, you will want to do an initial setup (assuming the PA-220 is brand new or factory reset).
Plug in your computer directly to the MGT port via an ethernet cable. Set the ethernet port IP of your computer to an address in the 192.168.1.0/24 range. (e.g. 192.168.1.2)
Connect to the PA-220 on your browser via the URL https://192.168.1.1
When Prompted, use the default username/password which is admin/admin
(note that you will be asked to change the password on 1st login if your box is shipped with PAN-OS 9.0.4 or later)
If you have an older box, go to Device -> Administrators
Click on the admin role and you should get a window to change the password like this:
Next, you would need to configure the MGT interface by going to Device -> Setup - > Interfaces and click on the “Management” interface.
You should see this window:
I would suggest to start with using a static IP (DHCP for MGT is mainly used in some cloud environment like AWS and Azure) and I have chosen the MGT IP to be 10.0.5.1 with a netmask of 255.255.255.0 and the gateway to be 10.0.5.254.
You can enhance the security by limiting the IP addresses that can access the MGT interface by adding them to the table on the left. (but I suggest you do this later once you have setup your whole environment)
Next you would need to setup your DNS service. Go to Device -> Setup -> Services. And click on the gear icon.
You should get to this screen.
In this example, I use Google DNS (184.108.40.206) as the primary and Cloudflare (220.127.116.11) as the secondary. Obviously, you can use whatever DNS server you wish here.
To set the time server, clink on the NTP tab on top to set the NTP server:
If you wish, you could setup the hostname and domain in the Device -> Setup -> Management tab, but this is not necessary.
After you have done all that, it is time to commit the changes. Go to the top right of the window and click on the “Commit” button.
Now that you have it all setup, you would need to change the IP of your computer to re-login to the firewall.