
PAN-OS basics

Some notes on PAN-OS basics. Everything here was tried on PAN-OS 10.1.4.

Resetting the configuration

To reset the PAN-OS configuration to factory defaults, run request system private-data-reset. The device restarts, and all logs and saved configurations are removed along with the running configuration.

> request system private-data-reset
Executing this command will remove all logs and configuration will revert back to factory defaults. The system will restart and then reset the data. Are you sure you want to continue? (y or n)

Details are in the KB article How to Remove all Logs and Restore the Default Configuration, which carries the following note on what this command does not do:

Note: The request system private-data-reset command will not perform the same actions as a factory reset of the device from Maintenance Mode. Private-data-reset will not do a zero-ization of the data and will not erase the system disks. Performing a bit-level recovery procedure can still retrieve the data from the device. Also, all the content packages installed will remain with the same PAN-OS, but all the logs and saved configurations on the firewall will be cleared.

Default username & password

The default login credentials are as follows; both the username and the password are admin.

Default username: admin
Default password: admin

You are forced to change the password at first login. The default password admin cannot be set again at that point.

PA-xxx login: admin
Password:
Last login: Sat Dec 25 18:06:04 on ttyS0
Enter old password :
Enter new password :
Confirm password   :
Password changed

Disabling the pager (roughly the equivalent of terminal length 0)

To stop command output from being paged through more, run set cli pager off. This setting is not kept in the configuration, so it has to be run again every time you log in.

set cli pager off

Displaying the configuration in set format

Running set cli config-output-format set makes the CLI display the configuration as set commands.

set cli config-output-format set

Besides set, the available formats are default, json and xml.

admin@PA-xxx> set cli config-output-format
  default   default
  json      json
  set       set
  xml       xml

An actual session looks like this. Note that the output of show config running and similar operational-mode commands is not converted to set format; only show in configuration mode is.

admin@PA-xxx> set cli config-output-format set
admin@PA-xxx> configure
Entering configuration mode
[edit]
admin@PA-xxx# show
set deviceconfig system ip-address 192.168.1.1
set deviceconfig system netmask 255.255.255.0
    ・
    ・
    ・

Initial configuration example

An example of the initial configuration (management address, time zone, hostname, DNS and NTP):

set deviceconfig system ip-address 10.0.0.1
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 10.0.0.254
set deviceconfig system timezone Asia/Tokyo
set deviceconfig system hostname PaloAlto
set deviceconfig system dns-setting servers primary 1.1.1.1
set deviceconfig system dns-setting servers secondary 1.0.0.1
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 216.239.35.12
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 216.239.35.8

Registering an SSH public key

The value given to public-key is the base64 encoding of the public-key line (the example below begins with c3NoLXJzYS, which is "ssh-rsa " in base64):

set mgt-config users admin public-key c3NoLXJzYS …(snip)… JzXzIwMjEK

Changing zones (virtual wire → layer3)

On some PaloAlto models the interfaces ship configured as virtual-wire. The following example switches them to layer3, removing the default virtual wire and its zone membership before assigning addresses and new layer3 zones:

delete network virtual-wire default-vwire interface1
delete zone untrust network virtual-wire ethernet1/1
set network interface ethernet ethernet1/1 layer3 ip 10.0.1.100/24
set zone l3-untrust network layer3 ethernet1/1
delete zone trust network virtual-wire ethernet1/2
delete network virtual-wire default-vwire interface2
set network interface ethernet ethernet1/2 layer3 ip 10.0.2.100/24
set zone l3-trust network layer3 ethernet1/2

Deleting the default policy

To delete the rule rule1 that exists by default, run:

delete rulebase security rules rule1

Configuring a policy

An example policy that allows all traffic from l3-trust to l3-untrust (application any / service any is wide open and is meant for a lab):

set rulebase security rules rule1 from l3-trust
set rulebase security rules rule1 to l3-untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes

Configuring NAT

An example that applies source NAT (dynamic IP and port, using the address of ethernet1/1) to traffic from l3-trust to l3-untrust:

set rulebase nat rules nat1 to l3-untrust
set rulebase nat rules nat1 from l3-trust
set rulebase nat rules nat1 source any
set rulebase nat rules nat1 destination any
set rulebase nat rules nat1 service any
set rulebase nat rules nat1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

Reference

Default configuration (as displayed in set format)

set deviceconfig system ip-address 192.168.1.1
set deviceconfig system netmask 255.255.255.0
set deviceconfig system update-server updates.paloaltonetworks.com
set deviceconfig system update-schedule threats recurring weekly day-of-week wednesday
set deviceconfig system update-schedule threats recurring weekly at 01:02
set deviceconfig system update-schedule threats recurring weekly action download-only
set deviceconfig system timezone US/Pacific
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set deviceconfig system hostname PA-xxx
set deviceconfig setting config rematch yes
set deviceconfig setting management hostname-type-in-syslog FQDN
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network interface loopback units
set network interface vlan units
set network interface tunnel units
set network vlan
set network virtual-wire default-vwire interface1 ethernet1/1
set network virtual-wire default-vwire interface2 ethernet1/2
set network profiles monitor-profile default interval 3
set network profiles monitor-profile default threshold 5
set network profiles monitor-profile default action wait-recover
set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles default hash sha1
set network ike crypto-profiles ike-crypto-profiles default dh-group group2
set network ike crypto-profiles ike-crypto-profiles default lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 hash sha256
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 lifetime hours 8
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 hash sha384
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-256 lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles default lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp encryption aes-128-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 lifetime hours 1
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp encryption aes-256-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 esp authentication none
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 dh-group group20
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-256 lifetime hours 1
set network ike crypto-profiles global-protect-app-crypto-profiles default encryption aes-128-cbc
set network ike crypto-profiles global-protect-app-crypto-profiles default authentication sha1
set network qos profile default class-bandwidth-type mbps class class1 priority real-time
set network qos profile default class-bandwidth-type mbps class class2 priority high
set network qos profile default class-bandwidth-type mbps class class3 priority high
set network qos profile default class-bandwidth-type mbps class class4 priority medium
set network qos profile default class-bandwidth-type mbps class class5 priority medium
set network qos profile default class-bandwidth-type mbps class class6 priority low
set network qos profile default class-bandwidth-type mbps class class7 priority low
set network qos profile default class-bandwidth-type mbps class class8 priority low
set network virtual-router default protocol bgp enable no
set network virtual-router default protocol bgp dampening-profile default cutoff 1.25
set network virtual-router default protocol bgp dampening-profile default reuse 0.5
set network virtual-router default protocol bgp dampening-profile default max-hold-time 900
set network virtual-router default protocol bgp dampening-profile default decay-half-life-reachable 300
set network virtual-router default protocol bgp dampening-profile default decay-half-life-unreachable 900
set network virtual-router default protocol bgp dampening-profile default enable yes
set shared application
set shared application-group
set shared service
set shared service-group
set shared botnet configuration http dynamic-dns enabled yes
set shared botnet configuration http dynamic-dns threshold 5
set shared botnet configuration http malware-sites enabled yes
set shared botnet configuration http malware-sites threshold 5
set shared botnet configuration http recent-domains enabled yes
set shared botnet configuration http recent-domains threshold 5
set shared botnet configuration http ip-domains enabled yes
set shared botnet configuration http ip-domains threshold 10
set shared botnet configuration http executables-from-unknown-sites enabled yes
set shared botnet configuration http executables-from-unknown-sites threshold 5
set shared botnet configuration other-applications irc yes
set shared botnet configuration unknown-applications unknown-tcp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-tcp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-tcp session-length minimum-bytes 50
set shared botnet configuration unknown-applications unknown-udp destinations-per-hour 10
set shared botnet configuration unknown-applications unknown-udp sessions-per-hour 10
set shared botnet configuration unknown-applications unknown-udp session-length maximum-bytes 100
set shared botnet configuration unknown-applications unknown-udp session-length minimum-bytes 50
set shared botnet report topn 100
set shared botnet report scheduled yes
set zone trust network virtual-wire ethernet1/2
set zone untrust network virtual-wire ethernet1/1
set service-group
set service
set schedule
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set application-group
set application
set mgt-config users admin phash 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456
set mgt-config users admin permissions role-based superuser yes
set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 8
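As an added example (not code from the original page), the following Python script parses a set-format export like the listing above and flags the defaults a reviewer would want changed before the box goes into service: the any/any/any/any allow rule rule1, the 3des / sha1 / group2 algorithms in the default IKE and IPsec crypto profiles, and the 8-character password minimum. SAMPLE_CONFIG is a constructed excerpt mirroring the listing, not an export from a real device; the 12-character password threshold and the weak-algorithm lists are this example's own policy, not anything PAN-OS enforces.

```python
"""Audit a PAN-OS configuration exported in set format for well-known weak defaults."""

# Constructed excerpt mirroring the factory-default listing on this page (not a real export).
SAMPLE_CONFIG = """\
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes
set network interface ethernet ethernet1/1 virtual-wire
set network ike crypto-profiles ike-crypto-profiles default encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ike-crypto-profiles default hash sha1
set network ike crypto-profiles ike-crypto-profiles default dh-group group2
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 encryption aes-128-cbc
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 hash sha256
set network ike crypto-profiles ike-crypto-profiles Suite-B-GCM-128 dh-group group19
set network ike crypto-profiles ipsec-crypto-profiles default esp encryption [ aes-128-cbc 3des ]
set network ike crypto-profiles ipsec-crypto-profiles default esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles default dh-group group2
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp encryption aes-128-gcm
set network ike crypto-profiles ipsec-crypto-profiles Suite-B-GCM-128 esp authentication none
set zone trust network virtual-wire ethernet1/2
set rulebase security rules rule1 from trust
set rulebase security rules rule1 to untrust
set rulebase security rules rule1 source any
set rulebase security rules rule1 destination any
set rulebase security rules rule1 service any
set rulebase security rules rule1 application any
set rulebase security rules rule1 action allow
set rulebase security rules rule1 log-end yes
set mgt-config password-complexity enabled yes
set mgt-config password-complexity minimum-length 8
"""

# Example policy (assumed, not a PAN-OS rule): algorithms treated as legacy.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH = {"group1", "group2", "group5"}


def parse_set_config(text):
    """Turn 'set a b c value' lines into {("a", "b", "c"): "value"}.

    A bracketed list such as '[ aes-128-cbc 3des ]' becomes a Python list. Container-only
    lines (e.g. 'set network vlan') parse loosely but are never consulted by the checks.
    """
    cfg = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        tokens = tokens[1:]
        if "[" in tokens and tokens[-1] == "]":
            i = tokens.index("[")
            cfg[tuple(tokens[:i])] = tokens[i + 1:-1]
        else:
            cfg[tuple(tokens[:-1])] = tokens[-1]
    return cfg


def _as_set(value):
    return set(value) if isinstance(value, list) else {value}


def audit_config(cfg, min_password_length=12):
    """Return a list of human-readable findings for weak settings in cfg."""
    findings = []

    # Management plane: the factory config disables telnet and HTTP; anything else is a finding.
    for svc in ("disable-telnet", "disable-http"):
        if cfg.get(("deviceconfig", "system", "service", svc)) != "yes":
            findings.append(f"mgmt: {svc} is not 'yes'")

    # IKE / IPsec crypto profiles: flag legacy algorithms on any profile, default or custom.
    for path, value in cfg.items():
        if path[:3] != ("network", "ike", "crypto-profiles") or len(path) < 6:
            continue
        profile, attr, vals = f"{path[3]}/{path[4]}", path[-1], _as_set(value)
        if attr == "encryption" and vals & WEAK_ENCRYPTION:
            findings.append(f"crypto: {profile} encryption allows {sorted(vals & WEAK_ENCRYPTION)}")
        elif attr in ("hash", "authentication") and vals & WEAK_HASH:
            findings.append(f"crypto: {profile} {attr} uses {sorted(vals & WEAK_HASH)}")
        elif attr == "dh-group" and vals & WEAK_DH:
            findings.append(f"crypto: {profile} dh-group uses {sorted(vals & WEAK_DH)}")

    # Security rules: collect attributes per rule, then look for any/any/any/any allow rules.
    rules = {}
    for path, value in cfg.items():
        if path[:3] == ("rulebase", "security", "rules") and len(path) == 5:
            rules.setdefault(path[3], {})[path[4]] = value
    for name, rule in sorted(rules.items()):
        if rule.get("action") == "allow" and all(
            rule.get(f) == "any" for f in ("source", "destination", "application", "service")
        ):
            findings.append(f"policy: rule '{name}' allows any source/destination/application/service")
        if rule.get("log-end") != "yes":
            findings.append(f"policy: rule '{name}' does not log at session end")

    # Admin password policy (the 12-character threshold is this example's assumption).
    if cfg.get(("mgt-config", "password-complexity", "enabled")) != "yes":
        findings.append("mgmt: password-complexity is not enabled")
    min_len = int(cfg.get(("mgt-config", "password-complexity", "minimum-length"), 0))
    if min_len < min_password_length:
        findings.append(f"mgmt: password minimum-length {min_len} < {min_password_length}")

    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_set_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of show in configuration mode after set cli config-output-format set (pipe the output to a file and pass it to parse_set_config). The Suite-B-GCM profiles pass cleanly, which is exactly why the default profile, not the Suite-B ones, is what to replace before building any IPsec tunnel.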