Friday, February 24, 2017

Building my Palo Alto Networks Firewall Physical Lab Using PA-200

Management and Dataplanes

Whether physical or virtual, the management plane and dataplane functionality is integral to all Palo Alto Networks firewalls. These functions have dedicated hardware resources, making them independent of each other. The following diagram details the architecture of a PA-200 firewall:


Every Palo Alto Networks firewall assigns a minimum of these functions to the management plane:

* Configuration management

* Logging

* Reporting functions

* User-ID agent process

* Route updates

The management network and console connectors terminate directly on this plane.

The following functions are assigned to the dataplane:

* Signature Match Processor:
 - All Content-ID and App-ID services

* Security Processors:
 - Session management
 - Encryption/decryption
 - Compression/decompression
 - Policy enforcement

* Network Processor:
 - Route
 - ARP
 - MAC lookup
 - QoS
 - NAT
 - Flow control

The dataplane connects directly to the traffic interfaces.

As more computing capability is added to the more powerful firewall models, the management plane and dataplane gain other functionality as required, sometimes implemented on dedicated cards. Several core functions gain FPGAs (field-programmable gate arrays) for flexible high-performance processing. Additional management plane functions might include:

* First packet processing

* Switch fabric management

Dedicated log collection and processing is implemented as a separate card.


I usually build my virtual lab as I go along with my IT certification studies, but I've built a hardware lab first since I bought a PA-200 firewall and my switches were already available. I always try to build labs using real gear in order to get my feet wet and build confidence in actual deployment, just like what I did with the Cisco ASA 5505 and Check Point 1140 firewalls. My lab is based on RoutHub's topology, and I've used PAN firewall Visio stencils, which are free on this link.


Below is how the actual physical rack looked. The Cisco 2811 router will be used for building a site-to-site IPsec VPN, BGP and dual Internet links with the PA-200 firewall.


Friday, February 17, 2017

Perform a Factory Reset on a Palo Alto Networks Firewall

Choosing the Appropriate Firewall

Feature and performance requirements impact the choice of firewall model. All Palo Alto Networks firewalls run the same version of PAN-OS software, ensuring the same primary feature set. When you investigate which model fits a given need, evaluate throughput, maximum concurrent sessions, and connections per second with App-ID, threat prevention, and decryption features enabled. Note that there are two published throughput statistics: firewall throughput and threat prevention throughput. Threat prevention throughput is the expected throughput with all of the defensive options enabled, and firewall throughput is the throughput with no defense options enabled. This link provides a PDF of the features of all PAN firewall models, including throughput.


I had a nice online deal and bought a PA-200 firewall, but the owner didn't know the password that was configured. The PAN firewall doesn't have a password recovery procedure, unlike a Cisco device, so I performed a factory reset instead. You'll need to set your terminal emulation software to these settings (9600-8-N-1-N):




    Welcome to the PanOS Bootloader.

U-Boot 6.0.4.0-9 (Build time: Jun 12 2014 - 15:45:53)

Skipping PCIe port 0 BIST, reset not done. (port not configured)
Skipping PCIe port 1 BIST, reset not done. (port not configured)
BIST check passed.
Warning: Clock descriptor tuple not found in eeprom, using defaults
MERLIN board revision major:1, minor:0, serial #: 001606021801
OCTEON CN6220-AAP pass 2.2, Core clock: 800 MHz, IO clock: 800 MHz, DDR clock: 666 MHz (1332 Mhz data rate)
DRAM: 4 GiB
Clearing DRAM...... done
Using default environment

Flash: 8 MiB
PCIe: Link timeout on port 0, probably the slot is empty
PCIe: Port 1 link active, 1 lanes, speed gen1
Net:   octmgmt0, octeth0, octeth1, octeth2, octeth3
ata0: lba 48 mode
         Model: Virtium - StorFly VSFA25RC016G-201 Firm: L0629A Ser#: P1T05003152901110087
            Type: Hard Disk
            Supports 48-bit addressing
            Capacity: 15196.4 MB = 14.8 GB (31122240 x 512)

        Autoboot to default partition in 5 seconds.
        Enter 'maint' to boot to maint partition.   

Entry: maint    // TYPE maint

Booting to maint mode.   

Allocating memory for ELF segment: addr: 0xffffffff80100000 (adjusted to: 0x100000), size0xd86bb0
Allocated memory for ELF segment: addr: 0xffffffff80100000, size 0xd86bb0
Bootloader: Done loading app on coremask: 0x3
Starting cores 0x3
Linux version 2.6.32.27-oct2-mp-6.0.4.0.16 (build@eng-bf0-3.paloaltonetworks.local) (gcc version 4.3.3 (Cavium Networks Version: 2_2_0 build 113) ) #4 SMP Fri Jun 27 18:35:00 PDT 2014
CVMSEG size: 2 cache lines (256 bytes)
Cavium Networks SDK-2.0
bootconsole [early0] enabled
CPU revision is: 000d900a (Cavium Octeon II)
Checking for the multiply/shift bug... no.
Checking for the daddiu bug... no.
Determined physical RAM map:
 memory: 0000000000043000 @ 0000000000d9d000 (usable after init)
 memory: 0000000007000000 @ 0000000000f00000 (usable)
 memory: 0000000007c00000 @ 0000000008200000 (usable)
 memory: 0000000031400000 @ 0000000020000000 (usable)
INIT: version 2.86 booting

                Welcome to PanOS
Starting udev: [  OK  ]
Setting clock  (utc): Sat Feb 11 16:27:50 PST 2017 [  OK  ]
Setting hostname PA-200:  [  OK  ]
Checking filesystems:
   Running filesystem check on pancfg: [  OK  ]
   Running filesystem check on panrepo: [  OK  ]
[  OK  ]
Remounting root filesystem in read-write mode:  [  OK  ]
mount: can't find / in /etc/fstab or /etc/mtab
Enabling /etc/fstab swaps:  [  OK  ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Starting Networking: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]
Starting portmap: [  OK  ]
Starting NFS statd: [  OK  ]
Starting panhttpd:  [  OK  ]
Starting sshd: [  OK  ]
Starting ha-sshd: [  OK  ]
Starting xinetd: [  OK  ]
Starting ntpd: [  OK  ]
Starting NFS services:  [  OK  ]
Starting NFS daemon: [  OK  ]
Starting NFS mountd: [  OK  ]
Starting PAN Software: port_link: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
[  OK  ]

<OUTPUT TRUNCATED>


Connect your console cable (with a USB-to-serial adapter) to the PAN firewall's CONSOLE port. During bootup, type maint to enter maintenance mode. Hit Enter to select Continue.
 


Press the down arrow key > choose Factory Reset > hit Enter.
 


Press the down arrow key > Factory Reset > hit Enter.



The process took a few minutes to complete.
 


You'll need to reboot by pressing the down arrow key > Reboot > hit Enter.
 

Starting PAN Software: port_link: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
[  OK  ]

200 login: Octeon POW only ethernet driver    // CAN'T LOGIN ON THIS PROMPT
Waiting for another core to setup the IPD hardware...Done

PA-HDF login: admin     // DEFAULT LOGIN: admin / admin
Password:
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@PA-200> show system info

hostname: PA-200
ip-address: 192.168.1.1     // HTTPS TO THIS DEFAULT IP
netmask: 255.255.255.0   

default-gateway:
ipv6-address: unknown
ipv6-link-local-address: unknown
ipv6-default-gateway:
mac-address: b4:0c:25:45:58:00
time: Sat Feb 11 16:50:13 2017
uptime: 0 days, 0:04:12
family: 200
model: PA-200
serial: 001606021234
sw-version: 6.0.4
global-protect-client-package-version: 0.0.0
app-version: 410-2049
app-release-date: unknown
av-version: 0
av-release-date: unknown
threat-version: 0
threat-release-date: unknown
wildfire-version: 0
wildfire-release-date: unknown
url-filtering-version: 0000.00.00.000
global-protect-datafile-version: 0
global-protect-datafile-release-date: unknown
logdb-version: 6.0.6
platform-family: 200
logger_mode: False
vpn-disable-mode: off
operational-mode: normal
multi-vsys: off
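After a factory reset the box comes up with nothing but defaults. As an added example (not from the post or from Palo Alto Networks), the Python script below parses the show system info output shown above and lists what is still at factory state: the default management IP, the missing gateway, and the content packages that read 0 or unknown. The sample text is constructed from the output in the post.

```python
import re

# Constructed sample: a subset of the "show system info" lines shown in the
# post, as printed right after the factory reset (PAN-OS 6.0.4 on a PA-200).
SAMPLE_SYSTEM_INFO = """\
hostname: PA-200
ip-address: 192.168.1.1
netmask: 255.255.255.0
default-gateway:
mac-address: b4:0c:25:45:58:00
sw-version: 6.0.4
app-version: 410-2049
av-version: 0
threat-version: 0
wildfire-version: 0
url-filtering-version: 0000.00.00.000
operational-mode: normal
multi-vsys: off
"""

def parse_system_info(text):
    """Turn the 'key: value' lines of 'show system info' into a dict.
    Keys with no value (e.g. 'default-gateway:') are kept with ''."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

# Content packages that show 0 / unknown until an update is installed.
CONTENT_KEYS = ("av-version", "threat-version", "wildfire-version")

def post_reset_findings(info):
    """Return the factory-state items that still need attention before
    the firewall carries production traffic."""
    findings = []
    if info.get("ip-address") == "192.168.1.1":
        findings.append("management IP is the factory default 192.168.1.1")
    if not info.get("default-gateway"):
        findings.append("no default gateway on the management interface")
    for key in CONTENT_KEYS:
        if info.get(key, "0") in ("0", "unknown", ""):
            findings.append(f"{key} is {info.get(key) or 'unset'}: no content installed")
    # 0000.00.00.000 means no URL filtering database has been downloaded yet
    if info.get("url-filtering-version", "").strip("0.") == "":
        findings.append("no URL filtering database installed")
    return findings
```

The default admin/admin credentials are not visible in this output; the login banner quoted above is the only hint, so change the password first regardless of what the script reports.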


If you know the admin (superuser) password and need to re-deploy the PAN firewall, you can use the CLI instead of the maintenance partition. The command shown below, request system private-data-reset, deletes the private data (configuration, logs, and so on) but keeps the installed software and content, as its help text states.

admin@PA-200-LAB> request
> acknowledge                Acknowledge alarm logs
> anti-virus                 Perform anti-virus upgrade operations
> certificate                Manage certificates
> commit-lock                commit-lock
> config-lock                config-lock
> content                    Perform content upgrade operations
> data-filtering             Perform data filtering related operations
> device-registration        Device registration process
> dhcp                       Request to perform DHCP related actions
> global-protect-client      Perform GlobalProtect client package operations
> global-protect-gateway     request to perform global-protect-gateway functions
> global-protect-portal      request to perform global-protect-portal functions
> global-protect-satellite   request to perform global-protect-satellite functions
> high-availability          Perform HA operations
> last-acknowledge-time      Last alarm acknowledgement time
> license                    Perform license related operations
> master-key                 Change masterkey
> password-change-history    Password History
> password-hash              Generate password hash
> quota-enforcement          Manually enforce disk quota enforcement for logs and pcaps
> restart                    Restart the system or software modules
> shutdown                   Shutdown the system or software modules
--more--
> stats                      Generate stats dump
> support                    Technical support information
> system                     Perform system-level operations
> tech-support               Generate tech support dump
> url-filtering              Perform URL filtering related operations
> wildfire                   Perform wildfire upgrade operations

admin@PA-200-LAB> request system
> external-list        Perform external-list refresh/sanity functions
> fqdn                 Perform fqdn refresh/reset functions
> private-data-reset   Delete private data, keep software, content installations
> self-test            FIPS/CC self test commands
> self-test-job        Run FIPS/CC self test job
> software             Perform system software installation functions

admin@PA-200-LAB> request system private-data-reset