In the last post related to PA NGN Firewalls we made a walk through the initial steps to get connectivity with our device. We assumed we got connected to the firewall using the MGMT port and accessed its default IP address using the web browser.

This wouldn’t be complete if we do not go to the CLI. Pure, text-only, for badasses. So let’s see how to configure using it. We will of course assume we already have our firewall powered on, we are connected using the out-of-band console port and the link is established -remember 9600-N-1.

Steps shown below are the exact same ones, with the small detail that I’m configuring a Palo Alto Firewall VM running in the QEMU platform. So forget about the promt message and just get to the point, that is, the commands.

After we log in with the default credentials, we will fire a show command to get the current config of the MGMT port.

show interface management

1

We get the following output:

2

We can see an IP address is already set up. In this case my VM is connected to a VLAN that has a DHCP scope and the firewall got an IP address from it. In case no DHCP is available, it will show the default IP address we saw in the last post 192.168.1.1.

If we want to change it, and ajust our firewall to be reachable in our network, we have to fire the following commands:

configure

To get into configuration mode:

3

And then first specify we will use an static configuration. This is important, if we don’t enter this, the change will have no effect after the commit, so please pay attention here and remember how important this is:

set deviceconfig system type static

4

Now we can set our parameters up:

set deviceconfig system ip-address [mgmt ip address] netmask [mgmt network mask]
set deviceconfig system default-gateway [default gateway]
set deviceconfig system dns-settings servers primary [DNS server 1] secondary [DNS server 2]

5

And commit :

6

Now, once more forget about that message telling there’s a conflict. That’s in my environment and should not matter in yours, so you can oversee it.

Let’s see if the changes were applied:

7

There we are, we have now our Palo Alto firewall ready to connect to the management subnet and get to th WebGUI for further configuration.