Configuração Inicial
Configuração da interface de WAN:
Primeiro acesso: usuário admin, senha admin (credenciais padrão de fábrica); repetir a tentativa até o equipamento entrar em modo recover.
Acesso via web: usuário admin, senha admin (credenciais padrão de fábrica).
Configuração da interface de WAN:
Primeiro acesso: usuário admin, senha admin (credenciais padrão de fábrica); repetir a tentativa até o equipamento entrar em modo recover.
Acesso via web: usuário admin, senha admin (credenciais padrão de fábrica).
admin@PA-VM# set deviceconfig system type dhcp-client >> dhcp mode
admin@PA-VM# set deviceconfig system type static ip estatico
admin@PA-VM# show deviceconfig
deviceconfig {
system {
type {
dhcp-client {
send-hostname yes;
send-client-id no;
accept-dhcp-hostname no;
accept-dhcp-domain no;
}
}
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet yes;
disable-http yes;
}
hostname PA-VM;
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
auto-mac-detect yes;
}
}
[edit]
admin@PA-VM#
admin@PA-VM> show routing fib virtual-router default
total virtual-router shown : 1
--------------------------------------------------------------------------------
virtual-router name: default
interfaces:
ethernet1/2
route table:
flags: u - up, h - host, g - gateway, e - ecmp, * - preferred path
maximum of fib entries for device: 512
maximum of IPv4 fib entries for device: 512
maximum of IPv6 fib entries for device: 512
number of fib entries for device: 4
maximum of fib entries for this fib: 512
number of fib entries for this fib: 4
number of fib entries shown: 4
id destination nexthop flags interface mtu
--------------------------------------------------------------------------------
11 1.1.1.1/32 192.168.80.2 ug ethernet1/2 1500
12 1.1.1.2/32 192.168.80.2 ug ethernet1/2 1500
10 192.168.80.0/24 0.0.0.0 u ethernet1/2 1500
9 192.168.80.1/32 0.0.0.0 uh ethernet1/2 1500
--------------------------------------------------------------------------------
Configurando BGP via CLI
admin@PA-VM# set network virtual-router default protocol bgp peer-group LAN enable yes peer LAN1 peer-address 192.168.80.2
admin@PA-VM# show
deviceconfig {
system {
type {
static;
}
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet no;
disable-http yes;
}
hostname PA-VM;
ip-address 192.168.20.1;
netmask 255.255.255.0;
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
auto-mac-detect yes;
}
}
network {
interface {
ethernet {
ethernet1/2 {
comment lan;
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
192.168.80.1/24;
}
lldp {
enable no;
}
}
}
ethernet1/1 {
layer3 {
ipv6 {
neighbor-discovery {
router-advertisement {
enable no;
}
}
}
ndp-proxy {
enabled no;
}
ip {
192.168.1.50/24;
}
lldp {
enable no;
}
}
comment WAN;
}
}
}
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ aes-128-cbc 3des];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ aes-128-cbc 3des];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable yes;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
routing-options {
graceful-restart {
enable yes;
}
med {
always-compare-med yes;
}
}
local-as 5000;
peer-group {
LAN {
type {
ebgp {
remove-private-as yes;
import-nexthop original;
export-nexthop resolve;
}
}
peer {
LAN1 {
peer-address {
ip 192.168.80.2;
}
connection-options {
incoming-bgp-connection {
remote-port 0;
allow yes;
}
outgoing-bgp-connection {
local-port 0;
allow yes;
}
multihop 0;
keep-alive-interval 30;
open-delay-time 0;
hold-time 90;
idle-hold-time 15;
min-route-adv-interval 30;
}
subsequent-address-family-identifier {
unicast yes;
multicast no;
}
local-address {
ip 192.168.80.1/24;
interface ethernet1/2;
}
bfd {
profile Inherit-vr-global-setting;
}
max-prefixes 5000;
enable yes;
peer-as 65000;
enable-mp-bgp no;
address-family-identifier ipv4;
enable-sender-side-loop-detection yes;
reflector-client non-client;
peering-type unspecified;
}
}
aggregated-confed-as-path yes;
soft-reset-with-stored-info no;
enable yes;
}
}
router-id 192.168.80.1;
install-route yes;
}
rip {
enable no;
}
ospf {
enable no;
}
ospfv3 {
enable no;
}
redist-profile {
REDISTRIBUIDO {
filter {
type [ connect static];
interface ethernet1/2;
}
priority 1;
action {
redist;
}
}
}
}
interface ethernet1/2;
ecmp {
algorithm {
ip-modulo;
}
}
}
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
zone {
LAN {
network {
layer3 ethernet1/2;
}
}
WAN {
network {
layer3 ethernet1/1;
}
}
}
service-group;
service;
schedule;
rulebase {
security {
rules {
ping {
to any;
from any;
source any;
destination any;
source-user any;
category any;
application any;
service application-default;
hip-profiles any;
action allow;
}
}
}
}
import {
network {
interface [ ethernet1/2 ethernet1/1];
}
}
application-group;
application;
mgt-config {
users {
admin {
phash fnRL/G5lXVMug;
permissions {
role-based {
superuser yes;
}
}
}
}
}
[edit]