customer management instructions: palo alto vm series
TRANSCRIPT
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 1
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
Customer Management Instructions: Palo Alto VM Series Virtual Security
This guide is designed to help you understand the steps involved with launching your Palo Alto Networks VM-Series Virtual Security application (Palo Alto-VM).
AT&T Recommends
• As a network administrator, you should have a working knowledge of configuring and administering your Palo Alto Networks next-generation security appliance.
• As a network administrator, please thoroughly review the Palo Alto-VM documentation and be familiar with Palo Alto-VM configuration options and details.
While AT&T is always available to assist, you are ultimately responsible for the configuration and administration of your Palo Alto-VM virtual firewall.
Service Launch Requirements
Begin by reviewing the Palo Alto-VM Software Documentation available on the Palo Alto website. This documentation provides detailed information on all aspects of Palo Alto-VM firewall administration. You can find the documentation here:
VM Series Documentation: https://www.paloaltonetworks.com/documentation/80/virtualization Palo Alto PAN OS 8.0
Documentation: https://www.paloaltonetworks.com/documentation/80/pan-os
Specific versions can be selected at the top of the page. Some guides may be only listed under the major release if there are no changes. Version 8.0 should be selected if a guide is not found under more specific releases.
Information on the Palo Alto website is maintained by Palo Alto, which is solely responsible for the accuracy of the available documentation.
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 2
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
The following guides are recommended reading:
• PAN-OS 8.0 Administrator's Guide
• What's New in PAN-OS 8.0
• PAN-OS 8.0 Web Interface Reference
• What's New in Virtualization
Figure 1: The Palo Alto documentation webpage.
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 3
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
Verify Configuration Settings and Policies In the Palo Alto Networks VM GUI
NOTE: An AT&T Technician will be online with you to verify these settings as part of the Test and Turn Up (TTU) process.
The Palo Alto Networks-VM GUI is accessed using a connected web browser. In your browser’s address bar, type:
https:/[yourmgmt_ip]/login
Replace [yourmgmt_ip] in the URL with the actual management IP you provided to the AT&T Lead Engineer during the initial data gathering consultation for your service.
The next steps are:
• Change your admin password
• Verify all ordered features are correctly licensed
• Enable the installed default policy
• Optionally, create a custom policy
Changing Your Admin Password
Your assigned AT&T Technician will supply a temporary admin password for initial access to the Palo Alto Networks-VM GUI. This password should be changed immediately after accessing the GUI for the first time.
1. After logging in with your supplied credentials, navigate to Device > Administrators.
2. Double-click on the user admin option
3. Type the old password, type a new password, and click OK.
4. Click Commit to commit all changes.
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 4
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
Verifying Licensed Features
In the Palo Alto Networks-VM GUI, click the Device tab and select the Licenses option on the left-hand toolbar.
Check that all ordered features are licensed. Notify your AT&T technician if you find features that are licensed incorrectly.
Enable the Default Policy
A default policy is installed that will allow http/https access and DNS (domain name service) queries to the Internet. Prior to enabling this policy, general Internet access through the Palo Alto-VM will be denied.
In the Palo Alto Networks-VM GUI, click the Policies tab and select the Security option on the left-hand toolbar.
Select Policy 1 and right-click on Enable at the bottom of the page.
From a browser, visit a few websites to verify proper operation. After these steps the Palo Alto Networks-VM is operational. More restrictive alternate policies may be created to further secure your system if desired.
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 5
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
Additional Configuration Guidelines
• Do NOT Add/Remove/Change IPs and VLANs (virtual local area network) on the Palo Alto Networks-VM application. These modifications require concurrent changes to your AT&T FlexWare device and the installed vRouter, do not make these changes without filing a Change Order MACD with AT&T.
• Do not alter your RIP (routing information protocol) configuration.This information is required for routing between the the Palo Alto Networks-VM and your AT&T Router.
• NAT (network address translation) is enabled and uses an egress interface toward the Internet. NAT is required for Internet connectivity.
• Do not execute a hard shutdown of the Palo Alto Networks-VM application. Only use the reboot function only. If a hard shutdown of your firewall occurs, you must file a support ticket to have the filrewall brought up manually by AT&T.
• Take care not to lose your admin password. AT&T does not have the ability to reset the admin password.
• Do not apply any configuration changes that will lock you out of your vFirewall. AT&T does not have the abilty to modify your firewall policies the Palo Alto Networks-VM is customer managed
• Regularly backup your configuration. Since the vFirewall is customer managed, AT&T does not have visibility into the actual configuration and AT&T does not perform standard backups of the vFirewall. AT&T can only restore the Palo Alto Networks-VM to its original configuration.
• Do not upgrade/downgrade the firmware to a version not currently supported for the AT&T FlexWare Device. AT&T can provide currently supported versions upon request via support process
General Customer Responsibilities:
• Palo Alto Networks-VM configuration and policy management: You will have access to the PAN OS-VM through the management IP that was provided to AT&T during consultation with the AT&T Lead Engineer. The PAN OS GUI can be configured via same mechanisms as Palo Alto Networks physical firewalls
• Palo Alto Networks-VM monitoring and reporting: You are responsible for any Palo Alto Networks-VM specific health monitoring. The PAN OS UI (user interface) provides a dashboard with statistics, and SNMP (simple network management protocol)/system logs (SYSLOG) monitoring can be setup to monitor your customer provided network management infrastructure.
• Palo Alto Networks VM-Series Backup and Firmware Upgrades: As a network administrator, you are responsible for maintaining a backup of your Palo Alto Networks VM-Series configuration. You are also responsible for scheduling firmware upgrades, but you must contact AT&T prior to any firmware upgrade to confirm the upgrade version is supported by the AT&T FlexWare Device offer.
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 6
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
• Make sure your Palo Alto Networks VM-Series firewall is always connected to the internet to receive license and feature updates. These updates are automatically downloaded in real-time from Palo Alto Networks service over the Internet. AT&T will verify that updates are working during turn-up as part of initial licensing and provisioning.
AT&T Responsibilities:
• Provide Initial installation, configuration and licensing of the Palo Alto Networks VM- Series-VM. AT&T will provision the Palo Alto Networks-VM with initial configuration as specified by you in consultation with your AT&T Lead Engineer. AT&T will do the networking and router configuration on the FlexWare Device to put the Palo Alto Networks-VM in line of appropriate customer traffic on the FlexWare Device
• AT&T will handle the Palo Alto Networks-VM licensing and provide the serial number to you in case you need direct support from the vendor.
• AT&T will monitor the Palo Alto Networks-VM on the FlexWare Device. The state of the virtual machine will only be monitored for up/down status on the FlexWare Device,
• AT&T will verify that the virtual machine is in an up status at all times and restart if necessary
• AT&T operations team can restart the Palo Alto Networks-VM in consultation with you if necessary
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 7
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
How to Get Support
Support tickets are created with Palo Alto Networks either through the Palo Alto Networks Support web portal or over the phone.
Before seeking support from Palo Alto Networks, you must register on the Palo Alto Networks support site. If you have any issues with this process, please contact AT&T’s Global Customer Support Center at 1-844-736-3843.
To register for support, begin by accessing your account on the Palo Alto Networks support site.
NOTE: If you do not have account, you can learn how to create one by following this link: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Create-Your-User-Account/ta-p/57494
On the Palo Alto Networks support site, expand the Assets option and click on Devices.
Click Register New Device.
Select the following and then click Submit
Option Selection
Select Device Type Register usage-based VM-Series models
Select Cloud Marketplace CSSP
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 8
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
Complete the Device Registration form. When all required fields are complete, click Agree and Submit.
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 9
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
Field Notes
Serial Number Type: 015300000007295
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 10
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
CSSP Reference ID Type: 75861-ABCD
Device Name Optionally, type USABCDSANCA0101UPFW01. As this field is optional you may type an alternate name.
Device Tag This field is optional and may be left blank.
City Type your City.
Postal Code Type your Postal/ZIP code.
Country Select your Country from the drop-down list.
Region/State Select your Region/State from the drop-down list.
Accessing AT&T Support Resources
You can always access AT&T Support Resources at http://carecentral.att.com/attflexware.
October 25, 2018 © 2018 AT&T Intellectual Property. All rights reserved. AT&T and the Globe logo are registered trademarks of AT&T Intellectual Property. Page 11
AT&T FlexWare Applications: Test and Turn Up (TTU) Process Palo Alto VM Series Virtual Security
Figure 2: Image showing the landing page of the AT&T Business Care Central website.
You will find Customer Care links to your support overview and information on how to speak to an AT&T agent.
Additionally, Customer Management Instruction documents like this one are available in the Managing Your Solution section.
Open Cases may be created directly on the Palo Alto customer support info page: https://live.paloaltonetworks.com/t5/custom/page/page-id/Support.