Feature and performance requirements impact the choice of firewall model. All Palo Alto Networks firewalls run the same version of PAN-OS software ensuring the same primary feature set. When you investigate which model fits a given need, evaluate throughput, maximum concurrent sessions, and connections per second with App-ID, threat prevention, and decryption features enabled. Note that there are two published throughput statistics: firewall throughput and threat prevention throughput. Threat prevention throughput is the expected throughput with all of the defensive options, and firewall throughput is the throughput with no defense options enabled. This link provides a PDF features of all PAN firewall models including throughput.
I had a nice online deal and bought a PA-200 firewall but the owner didn't know the password that was configured. The PAN firewall doesn't have a password recovery unlike in a Cisco device so I performed a factory reset instead. You'll need to set your terminal emulation software using these settings (9600-8-N-1-N):
Welcome to the PanOS Bootloader.
U-Boot 6.0.4.0-9 (Build time: Jun 12 2014 - 15:45:53)
Skipping PCIe port 0 BIST, reset not done. (port not configured)
Skipping PCIe port 1 BIST, reset not done. (port not configured)
BIST check passed.
Warning: Clock descriptor tuple not found in eeprom, using defaults
MERLIN board revision major:1, minor:0, serial #: 001606021801
OCTEON CN6220-AAP pass 2.2, Core clock: 800 MHz, IO clock: 800 MHz, DDR clock: 666 MHz (1332 Mhz data rate)
DRAM: 4 GiB
Clearing DRAM...... done
Using default environment
Flash: 8 MiB
PCIe: Link timeout on port 0, probably the slot is empty
PCIe: Port 1 link active, 1 lanes, speed gen1
Net: octmgmt0, octeth0, octeth1, octeth2, octeth3
ata0: lba 48 mode
Model: Virtium - StorFly VSFA25RC016G-201 Firm: L0629A Ser#: P1T05003152901110087
Type: Hard Disk
Supports 48-bit addressing
Capacity: 15196.4 MB = 14.8 GB (31122240 x 512)
Autoboot to default partition in 5 seconds.
Enter 'maint' to boot to maint partition.
Entry: maint // TYPE maint
Booting to maint mode.
Allocating memory for ELF segment: addr: 0xffffffff80100000 (adjusted to: 0x100000), size0xd86bb0
Allocated memory for ELF segment: addr: 0xffffffff80100000, size 0xd86bb0
Bootloader: Done loading app on coremask: 0x3
Starting cores 0x3
Linux version 2.6.32.27-oct2-mp-6.0.4.0.16 (build@eng-bf0-3.paloaltonetworks.local) (gcc version 4.3.3 (Cavium Networks Version: 2_2_0 build 113) ) #4 SMP Fri Jun 27 18:35:00 PDT 2014
CVMSEG size: 2 cache lines (256 bytes)
Cavium Networks SDK-2.0
bootconsole [early0] enabled
CPU revision is: 000d900a (Cavium Octeon II)
Checking for the multiply/shift bug... no.
Checking for the daddiu bug... no.
Determined physical RAM map:
memory: 0000000000043000 @ 0000000000d9d000 (usable after init)
memory: 0000000007000000 @ 0000000000f00000 (usable)
memory: 0000000007c00000 @ 0000000008200000 (usable)
memory: 0000000031400000 @ 0000000020000000 (usable)
INIT: version 2.86 booting
Welcome to PanOS
Starting udev: [ OK ]
Setting clock (utc): Sat Feb 11 16:27:50 PST 2017 [ OK ]
Setting hostname PA-200: [ OK ]
Checking filesystems:
Running filesystem check on pancfg: [ OK ]
Running filesystem check on panrepo: [ OK ]
[ OK ]
Remounting root filesystem in read-write mode: [ OK ]
mount: can't find / in /etc/fstab or /etc/mtab
Enabling /etc/fstab swaps: [ OK ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Starting Networking: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
Starting portmap: [ OK ]
Starting NFS statd: [ OK ]
Starting panhttpd: [ OK ]
Starting sshd: [ OK ]
Starting ha-sshd: [ OK ]
Starting xinetd: [ OK ]
Starting ntpd: [ OK ]
Starting NFS services: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
Starting PAN Software: port_link: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
[ OK ]
<OUTPUT TRUNCATED>
Connect your console cable (with USB-to-serial adapter) to PAN firewall
CONSOLE port. During bootup, type maint to enter
maintenance mode. Hit Enter to select Continue.
Press down arrow key
> choose Factory Reset > hit Enter.
Press down arrow key
> Factory Reset > hit Enter.
The process took a few minutes to complete.
You'll need to reboot by pressing
down arrow key > Reboot > hit Enter.
Starting PAN Software: port_link: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
[ OK ]
200 login: Octeon POW only ethernet driver // CAN'T LOGIN ON THIS PROMPT
Waiting for another core to setup the IPD hardware...Done
PA-HDF login: admin // DEFAULT LOGIN: admin / admin
Password:
Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.
admin@PA-200> show system info
hostname: PA-200
ip-address: 192.168.1.1 // HTTPS TO THIS DEFAULT IP
netmask: 255.255.255.0
default-gateway:
ipv6-address: unknown
ipv6-link-local-address: unknown
ipv6-default-gateway:
mac-address: b4:0c:25:45:58:00
time: Sat Feb 11 16:50:13 2017
uptime: 0 days, 0:04:12
family: 200
model: PA-200
serial: 001606021234
sw-version: 6.0.4
global-protect-client-package-version: 0.0.0
app-version: 410-2049
app-release-date: unknown
av-version: 0
av-release-date: unknown
threat-version: 0
threat-release-date: unknown
wildfire-version: 0
wildfire-release-date: unknown
url-filtering-version: 0000.00.00.000
global-protect-datafile-version: 0
global-protect-datafile-release-date: unknown
logdb-version: 6.0.6
platform-family: 200
logger_mode: False
vpn-disable-mode: off
operational-mode: normal
multi-vsys: off
If you know the admin password (superuser) and need to re-deploy the PAN firewall, you could issue the CLI command to perform a factory reset.
admin@PA-200-LAB> request
> acknowledge Acknowledge alarm logs
> anti-virus Perform anti-virus upgrade operations
> certificate Manage certificates
> commit-lock commit-lock
> config-lock config-lock
> content Perform content upgrade operations
> data-filtering Perform data filtering related operations
> device-registration Device registration process
> dhcp Request to perform DHCP related actions
> global-protect-client Perform GlobalProtect client package operations
> global-protect-gateway request to perform global-protect-gateway functions
> global-protect-portal request to perform global-protect-portal functions
> global-protect-satellite request to perform global-protect-satellite functions
> high-availability Perform HA operations
> last-acknowledge-time Last alarm acknowledgement time
> license Perform license related operations
> master-key Change masterkey
> password-change-history Password History
> password-hash Generate password hash
> quota-enforcement Manually enforce disk quota enforcement for logs and pcaps
> restart Restart the system or software modules
> shutdown Shutdown the system or software modules
--more--
> stats Generate stats dump
> support Technical support information
> system Perform system-level operations
> tech-support Generate tech support dump
> url-filtering Perform URL filtering related operations
> wildfire Perform wildfire upgrade operations
admin@PA-200-LAB> request system
> external-list Perform external-list refresh/sanity functions
> fqdn Perform fqdn refresh/reset functions
> private-data-reset Delete private data, keep software, content installations
> self-test FIPS/CC self test commands
> self-test-job Run FIPS/CC self test job
> software Perform system software installation functions
admin@PA-200-LAB> request system private-data-reset
No comments:
Post a Comment