This post summarizes the basic configuration and upgrade procedure for Palo Alto Networks firewalls.
All of the basic steps are done through the CLI or the GUI, and serial console access is done from Rocky Linux via LAN to USB.
[root@rockylinux ~]# dnf install -y minicom
[root@rockylinux ~]# dmesg | tail -n 3
[ 8439.816482] usb 3-2: Detected FT232R
[ 8439.816605] ftdi_sio ttyUSB0: Unable to read latency timer: -32
[ 8439.816906] usb 3-2: FTDI USB Serial Device converter now attached to ttyUSB0
[configuration]
▶ Serial port setup
▶ A - Serial Device: /dev/ttyUSB0
▶ E - Bps/Par/Bits: 115200 8N1
[Comm Parameters]
▶ C: 9600
+-----------------------------------------------------------------------+
| A -    Serial Device      : /dev/ttyUSB0 ◀                            |
|                                                                       |
| C -   Callin Program      :                                           |
| D -  Callout Program      :                                           |
| E -    Bps/Par/Bits       : 9600 8N1 ◀                                |
| F - Hardware Flow Control : Yes                                       |
| G - Software Flow Control : No                                        |
|                                                                       |
|    Change which setting?                                              |
+-----------------------------------------------------------------------+
[configuration]
▶ Exit
[1]: What are the Serial Settings to Access Console Port?
The default administrator login is admin / admin.
pa login: admin
Password: admin
WARNING: Your password has expired. You must change your password now.
Enter old password: admin
Enter new password: change-your-password
Confirm new password: change-your-password
This is how to reset the administrator password if you want to change it after setting the initial password in item 2.
admin@pa-3260> configure
Entering configuration mode
[edit]
admin@pa-3260# set mgt-config users admin password
Enter password : change-your-password
Confirm password : change-your-password
admin@pa-3260# commit
admin@pa-3260# exit
[3]: How to Create Management Users, Assign Roles, and Change Password from the PAN-OS CLI
[4]: From the CLI can I update other admin account passwords?
admin@pa-3260> request system private-data-reset
Executing this command will remove all logs and configuration will revert back to factory defaults. The system will restart and then reset the data.
Are you sure you want to continue? (y/n) (y or n) y
[5]: How to remove all logs and restore the default configuration
admin@pa-3260> configure
admin@pa-3260# set deviceconfig system ip-address 172.16.0.102 netmask 255.255.0.0 default-gateway 172.16.0.1
admin@pa-3260# commit
admin@pa-3260# exit
admin@pa-3260> show interface management
-------------------------------------------------------------------------------
Name: Management Interface
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address xx:xx:xx:xx:xx:xx
Ip address: 172.16.0.102
Netmask: 255.255.0.0
Default gateway: 172.16.0.1
-------------------------------------------------------------------
admin@pa-3260> configure
admin@pa-3260# set deviceconfig system service disable-ssh yes
admin@pa-3260# set deviceconfig system service disable-icmp yes
admin@pa-3260# set deviceconfig system service disable-https yes
admin@pa-3260# commit
admin@pa-3260# exit
Add a Trust Zone to the Management Interface so that the SSH, ICMP, and HTTPS management services can be allowed.
Access can be permitted from a specific IP or from within a specific CIDR.
admin@pa-3260> configure
admin@pa-3260# set deviceconfig system permitted-ip 172.16.0.2/32
admin@pa-3260# commit
admin@pa-3260# exit
admin@pa-3260> configure
admin@pa-3260# set deviceconfig system permitted-ip 172.16.0.0/16
admin@pa-3260# set deviceconfig system permitted-ip 192.168.0.0/16
admin@pa-3260# commit
admin@pa-3260# exit
admin@pa-3260> configure
admin@pa-3260# delete deviceconfig system permitted-ip
admin@pa-3260# commit
admin@pa-3260# exit
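The effect of the `permitted-ip` and `disable-*` commands above can be checked offline by replaying them and asking whether a given source would reach a management service. This is an added example, not part of the original post; the function names and the command sequences are constructed, and it assumes that an empty permitted-ip list places no source restriction and that a service counts as enabled unless a `disable-<name> yes` line is present.

```python
import ipaddress

SERVICE = "deviceconfig system service disable-"
PERMITTED = "deviceconfig system permitted-ip"

# Constructed command sequences in the syntax used in the sessions above.
RESTRICTED = """\
set deviceconfig system service disable-icmp yes
set deviceconfig system permitted-ip 172.16.0.0/16
set deviceconfig system permitted-ip 192.168.0.0/16
"""
REOPENED = RESTRICTED + "delete deviceconfig system permitted-ip\n"


def effective_state(commands):
    """Replay set/delete lines; return (disabled services, permitted networks)."""
    disabled, permitted = set(), []
    for line in commands.splitlines():
        action, _, rest = line.strip().partition(" ")
        if action == "set" and rest.startswith(SERVICE):
            name, _, value = rest[len(SERVICE):].partition(" ")
            if value == "yes":
                disabled.add(name)
            else:
                disabled.discard(name)
        elif rest.startswith(PERMITTED):
            arg = rest[len(PERMITTED):].strip()
            if action == "set":
                permitted.append(ipaddress.ip_network(arg, strict=False))
            elif action == "delete" and arg:
                gone = ipaddress.ip_network(arg, strict=False)
                permitted = [net for net in permitted if net != gone]
            elif action == "delete":
                permitted = []  # no argument: the whole list is removed
    return disabled, permitted


def source_allowed(commands, source_ip, service):
    """True if `service` on the management interface would answer `source_ip`."""
    disabled, permitted = effective_state(commands)
    if service in disabled:
        return False
    if not permitted:
        # Assumption: an empty permitted-ip list means any source is accepted.
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in permitted)
```

With `REOPENED`, a source outside both CIDRs is accepted again, which is the state left behind by the `delete deviceconfig system permitted-ip` session.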
Proceed while following the upgrade path.
admin@pa-3260> show system info | match sw-version
sw-version: 10.1.14
admin@pa-3260> request system software check
Version Size Released on Downloaded
-------------------------------------------------------------------------
11.1.6-h3 808MB 2025/02/20 18:45:54 no
11.1.6-h1 771MB 2025/01/31 07:52:29 no
11.1.6 808MB 2024/12/05 09:46:05 no
11.1.5-h1 751MB 2024/11/16 05:28:11 no
11.1.5 755MB 2024/10/17 03:06:47 no
11.1.4-h7 706MB 2024/11/16 03:25:29 no
11.1.4 662MB 2024/06/27 08:16:49 no
11.1.4-h13 789MB 2025/02/20 06:59:49 no
11.1.4-h9 786MB 2024/12/12 12:59:58 no
11.1.4-h4 706MB 2024/10/03 06:56:39 no
11.1.4-h1 666MB 2024/08/07 22:19:59 no
11.1.3-h11 695MB 2024/11/16 05:17:43 no
11.1.3-h1 648MB 2024/06/06 07:15:09 no
11.1.3 648MB 2024/05/14 15:14:22 no
11.1.3-h13 759MB 2024/11/26 06:18:35 no
11.1.3-h10 652MB 2024/10/30 09:40:50 no
11.1.3-h6 652MB 2024/09/05 11:49:48 no
11.1.3-h4 695MB 2024/08/08 13:01:31 no
11.1.3-h2 652MB 2024/07/18 08:43:59 no
11.1.2-h18 623MB 2025/02/18 10:47:01 no
11.1.2 511MB 2024/02/25 22:54:14 no
11.1.2-h16 623MB 2024/12/04 01:14:00 no
11.1.2-h15 619MB 2024/11/16 05:12:42 no
11.1.2-h14 511MB 2024/10/24 06:48:17 no
11.1.2-h12 511MB 2024/09/05 09:07:18 no
11.1.2-h9 515MB 2024/07/31 08:34:35 no
11.1.2-h4 511MB 2024/05/09 05:24:22 no
11.1.2-h3 511MB 2024/04/14 08:08:51 no
11.1.2-h1 511MB 2024/03/13 07:07:40 no
11.1.1-h2 515MB 2024/11/17 04:47:05 no
11.1.1 504MB 2023/12/26 10:11:19 no
11.1.1-h1 511MB 2024/04/16 06:17:07 no
11.1.0-h4 265MB 2024/11/16 05:11:55 no
11.1.0-h3 353MB 2024/04/16 08:52:33 no
11.1.0-h2 347MB 2024/01/07 16:55:20 no
11.1.0 1220MB 2023/11/02 12:01:35 no
11.0.6 703MB 2024/10/07 05:54:58 no
11.0.6-h1 703MB 2024/11/17 06:12:43 no
11.0.5-h2 708MB 2024/11/17 06:01:51 no
11.0.5 688MB 2024/06/21 08:32:52 no
11.0.5-h1 688MB 2024/08/07 12:36:17 no
11.0.4 679MB 2024/04/08 12:29:15 no
11.0.4-h6 684MB 2024/11/17 05:00:27 no
11.0.4-h5 684MB 2024/08/05 07:20:18 no
11.0.4-h2 679MB 2024/04/17 00:20:14 no
11.0.4-h1 679MB 2024/04/14 08:43:07 no
11.0.3 548MB 2023/11/06 10:02:03 no
11.0.3-h13 552MB 2024/11/16 15:05:02 no
11.0.3-h12 548MB 2024/05/16 12:18:49 no
11.0.3-h10 548MB 2024/04/16 06:48:58 no
11.0.3-h5 548MB 2024/02/22 08:13:45 no
11.0.3-h3 548MB 2024/01/15 03:40:45 no
11.0.2-h5 591MB 2024/11/16 13:14:44 no
11.0.2-h2 520MB 2023/09/21 12:00:39 no
11.0.2-h1 520MB 2023/08/16 14:25:38 no
11.0.2 520MB 2023/06/28 10:13:28 no
11.0.2-h4 520MB 2024/04/16 03:18:22 no
11.0.2-h3 520MB 2024/01/10 12:21:44 no
11.0.1 239MB 2023/03/29 15:05:37 no
11.0.1-h5 538MB 2024/11/16 12:23:55 no
11.0.1-h4 239MB 2024/04/18 09:29:58 no
11.0.1-h3 239MB 2024/01/06 14:50:11 no
11.0.1-h2 239MB 2023/05/30 11:10:59 no
11.0.0-h3 311MB 2024/04/18 09:04:02 no
11.0.0-h1 305MB 2023/11/06 17:10:18 no
11.0.0 1099MB 2022/11/17 04:46:11 no
11.0.0-h4 213MB 2024/11/16 10:53:35 no
11.0.0-h2 305MB 2023/12/28 09:47:38 no
10.2.13-h2 835MB 2024/12/27 07:10:06 no
10.2.13 835MB 2024/12/12 06:14:39 no
10.2.13-h5 855MB 2025/02/28 16:36:58 no
10.2.13-h4 835MB 2025/02/14 14:14:30 no
10.2.13-h3 831MB 2025/01/30 05:50:21 no
10.2.13-h1 835MB 2024/12/20 11:26:28 no
10.2.12-h6 829MB 2025/02/14 16:11:22 no
10.2.12-h3 833MB 2024/12/20 11:24:15 no
10.2.12-h1 833MB 2024/10/24 10:25:34 no
10.2.12 833MB 2024/09/30 13:01:33 no
10.2.12-h4 853MB 2024/12/30 05:07:32 no
10.2.12-h2 853MB 2024/11/15 03:55:25 no
10.2.11-h10 832MB 2024/12/27 07:08:13 no
10.2.11-h9 828MB 2024/12/19 13:08:10 no
10.2.11-h4 852MB 2024/10/20 17:26:35 no
10.2.11 852MB 2024/08/12 06:31:27 no
10.2.11-h13 832MB 2025/02/28 12:46:00 no
10.2.11-h12 852MB 2025/02/18 08:50:41 no
10.2.11-h6 852MB 2024/11/15 08:00:34 no
10.2.11-h3 832MB 2024/09/30 13:55:07 no
10.2.11-h2 828MB 2024/09/12 08:02:52 no
10.2.11-h1 832MB 2024/08/29 08:54:37 no
10.2.10-h14 875MB 2025/02/18 10:21:16 no
10.2.10-h10 829MB 2024/12/06 08:22:04 no
10.2.10-h9 833MB 2024/11/15 04:01:50 no
10.2.10 808MB 2024/06/24 12:40:13 no
10.2.10-h12 809MB 2024/12/26 05:00:04 no
10.2.10-h7 812MB 2024/10/11 01:56:35 no
10.2.10-h5 834MB 2024/09/24 07:46:39 no
10.2.10-h4 812MB 2024/08/28 09:18:23 no
10.2.10-h3 812MB 2024/07/31 09:20:52 no
10.2.10-h2 833MB 2024/07/16 10:51:05 no
10.2.9 806MB 2024/04/01 12:56:05 no
10.2.9-h21 831MB 2025/02/13 12:12:28 no
10.2.9-h19 810MB 2024/12/26 07:54:08 no
10.2.9-h18 831MB 2024/12/19 10:42:21 no
10.2.9-h16 831MB 2024/11/15 03:44:27 no
10.2.9-h14 831MB 2024/10/20 16:58:27 no
10.2.9-h11 810MB 2024/08/29 07:52:51 no
10.2.9-h9 831MB 2024/08/01 10:31:41 no
10.2.9-h1 806MB 2024/04/14 04:43:03 no
10.2.8-h19 810MB 2024/12/27 06:54:33 no
10.2.8-h15 830MB 2024/11/15 08:08:25 no
10.2.8-h10 806MB 2024/08/27 10:32:43 no
10.2.8 803MB 2024/02/12 13:02:43 no
10.2.8-h21 810MB 2025/02/13 12:11:19 no
10.2.8-h18 810MB 2024/12/19 08:02:08 no
10.2.8-h13 810MB 2024/10/20 16:35:50 no
10.2.8-h4 805MB 2024/05/15 10:59:30 no
10.2.8-h3 803MB 2024/04/15 04:52:35 no
10.2.7-h24 817MB 2025/02/13 12:10:51 no
10.2.7-h19 748MB 2024/12/05 10:46:29 no
10.2.7-h18 815MB 2024/11/15 08:07:54 no
10.2.7 716MB 2023/11/09 07:06:42 no
10.2.7-h21 748MB 2024/12/20 05:02:17 no
10.2.7-h16 815MB 2024/10/20 18:31:36 no
10.2.7-h12 815MB 2024/08/29 06:58:29 no
10.2.7-h8 744MB 2024/04/15 06:37:08 no
10.2.7-h6 744MB 2024/03/04 07:32:31 no
10.2.7-h3 744MB 2023/12/18 07:45:15 no
10.2.6-h6 721MB 2024/11/17 03:09:30 no
10.2.6-h3 716MB 2024/04/16 05:14:53 no
10.2.6-h1 716MB 2024/01/04 11:28:49 no
10.2.6 716MB 2023/09/27 08:55:44 no
10.2.5-h9 825MB 2024/11/15 08:29:44 no
10.2.5-h6 726MB 2024/04/16 09:50:31 no
10.2.5 726MB 2023/08/17 08:41:14 no
10.2.4-h32 727MB 2024/11/15 08:31:26 no
10.2.4-h16 722MB 2024/04/18 02:34:42 no
10.2.4-h10 722MB 2024/01/02 17:08:44 no
10.2.4-h4 722MB 2023/07/27 11:02:13 no
10.2.4 669MB 2023/03/30 09:26:11 no
10.2.4-h3 722MB 2023/07/05 09:58:29 no
10.2.4-h2 669MB 2023/05/16 12:19:57 no
10.2.3 299MB 2022/09/29 11:26:56 no
10.2.3-h14 502MB 2024/11/15 08:31:39 no
10.2.3-h13 502MB 2024/04/18 04:03:33 no
10.2.3-h12 502MB 2024/02/27 12:06:11 no
10.2.3-h11 506MB 2024/01/02 10:46:54 no
10.2.3-h9 506MB 2023/11/07 03:33:34 no
10.2.3-h4 299MB 2023/02/13 14:50:57 no
10.2.3-h2 299MB 2022/12/13 10:27:23 no
10.2.2-h6 579MB 2024/11/15 03:33:56 no
10.2.2-h5 279MB 2024/04/18 02:16:44 no
10.2.2-h4 279MB 2024/01/04 07:59:28 no
10.2.2-h2 279MB 2022/08/18 09:06:33 no
10.2.2 279MB 2022/06/07 10:22:04 no
10.2.1 271MB 2022/04/18 13:10:59 no
10.2.1-h3 276MB 2024/11/15 20:21:22 no
10.2.1-h2 271MB 2024/04/18 06:40:02 no
10.2.1-h1 271MB 2024/01/03 20:02:55 no
10.2.0 1113MB 2022/02/27 11:32:30 no
10.2.0-h4 322MB 2024/11/15 19:41:25 no
10.2.0-h3 318MB 2024/04/18 05:29:52 no
10.2.0-h2 312MB 2024/01/04 15:23:18 no
10.1.14 589MB 2024/05/30 14:47:45 yes
In the GUI, under Device -> Software, select Preferred Releases and Base Releases, and download based on the stable versions.
- Step 1
admin@pa-3260> request system software download version 10.2.0
admin@pa-3260> request system software download version 10.2.10-h9
- Step 2
admin@pa-3260> request system software download version 11.0.0
admin@pa-3260> request system software download version 11.0.4-h6
- Step 3
admin@pa-3260> request system software download version 11.1.0
admin@pa-3260> request system software download version 11.1.6-h3
# Upgrade: 10.1.14 -> 10.2.0
admin@pa-3260> request system software install version 10.2.0
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.
4
# Show jobs
admin@pa-3260> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 20:49:15 20:49:15 2 SWInstall FIN OK 20:53:36
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
# Reboot
admin@pa-3260> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n) y
# Check version
admin@pa-3260> show system info | match sw-version
sw-version: 10.2.0
# Upgrade: 10.2.0 -> 10.2.10-h9
admin@pa-3260> request system software install version 10.2.10-h9
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.
4
# Show jobs
admin@pa-3260> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 21:10:15 21:10:15 2 SWInstall FIN OK 21:14:36
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
# Check version
admin@pa-3260> show system info | match sw-version
sw-version: 10.2.10-h9
# Upgrade: 10.2.10-h9 -> 11.0.0
admin@pa-3260> request system software install version 11.0.0
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.
4
# Show jobs
admin@pa-3260> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 21:20:15 21:20:15 2 SWInstall FIN OK 21:24:36
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
# Reboot
admin@pa-3260> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n) y
# Check version
admin@pa-3260> show system info | match sw-version
sw-version: 11.0.0
# Upgrade: 11.0.0 -> 11.0.4-h6
admin@pa-3260> request system software install version 11.0.4-h6
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.
4
# Show jobs
admin@pa-3260> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 21:30:15 21:30:15 2 SWInstall FIN OK 21:34:36
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
# Check version
admin@pa-3260> show system info | match sw-version
sw-version: 11.0.4-h6
# Upgrade: 11.0.4-h6 -> 11.1.0
admin@pa-3260> request system software install version 11.1.0
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.
4
# Show jobs
admin@pa-3260> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 21:40:15 21:40:15 2 SWInstall FIN OK 21:44:36
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
# Reboot
admin@pa-3260> request restart system
Executing this command will disconnect the current session. Do you want to continue? (y or n) y
# Check version
admin@pa-3260> show system info | match sw-version
sw-version: 11.1.0
# Upgrade: 11.1.0 -> 11.1.6-h3
admin@pa-3260> request system software install version 11.1.6-h3
Executing this command will install a new version of software. It will not take effect until system is restarted. Do you want to continue? (y or n) y
Software install job enqueued with jobid 2. Run 'show jobs id 2' to monitor its status. Please reboot the device after the installation is done.
4
# Show jobs
admin@pa-3260> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 22:00:15 22:00:15 2 SWInstall FIN OK 22:04:36
Warnings:
Details:Software installation successfully completed. Please reboot to switch to the new version.
# Check version
admin@pa-3260> show system info | match sw-version
sw-version: 11.1.6-h3
[6]: Identifying Preferred/Recommended PAN-OS Versions
[7]: How to View and Install PAN-OS Software through the CLI
[8]: Use CLI Commands for Upgrade Tasks
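The install order used above (for each feature release between the current and the target version, the base release first and then the chosen release) can be derived from the `request system software check` listing. This is an added example, not part of the original post; the function names and the `preferred` mapping are hypothetical, and the sample table is constructed from rows of the listing above.

```python
import re

# Constructed sample: a few rows in the format printed by
# `request system software check`, using versions from the listing above.
SAMPLE_CHECK_OUTPUT = """\
Version Size Released on Downloaded
-------------------------------------------------------------------------
11.1.6-h3 808MB 2025/02/20 18:45:54 no
11.1.4-h13 789MB 2025/02/20 06:59:49 no
11.1.0 1220MB 2023/11/02 12:01:35 no
11.0.4-h6 684MB 2024/11/17 05:00:27 no
11.0.0 1099MB 2022/11/17 04:46:11 no
10.2.10-h9 833MB 2024/11/15 04:01:50 no
10.2.0 1113MB 2022/02/27 11:32:30 no
10.1.14 589MB 2024/05/30 14:47:45 yes
"""
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.1.4-h13' -> (11, 1, 4, 13); no hotfix suffix means hotfix 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def available_versions(check_output):
    """Version column of the table; header and ruler lines do not match."""
    rows = (line.split() for line in check_output.splitlines())
    return [r[0] for r in rows if r and VERSION_RE.match(r[0])]


def plan_upgrade(current, target, available, preferred):
    """Ordered install list: base release, then chosen release, per train.

    `preferred` (hypothetical parameter) maps an intermediate train such as
    (10, 2) to the release picked from Preferred Releases in the GUI.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur or target not in available:
        raise ValueError("target must be newer than current and be offered")
    steps = []
    for train in sorted({parse_version(v)[:2] for v in available}):
        if not cur[:2] < train <= tgt[:2]:
            continue  # train already passed, or beyond the target
        base = f"{train[0]}.{train[1]}.0"
        final = target if train == tgt[:2] else preferred[train]
        for version in (base, final):
            if version not in available:
                raise LookupError(f"{version} is not in the check output")
            if version not in steps:
                steps.append(version)
    return steps or [target]  # same train: a single install
```

Versions are compared as numeric tuples because a plain string sort would place 11.1.4-h13 before 11.1.4-h9.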
This can occur during an upgrade, so an upgrade to the latest version is required.
The content version requirement is not met.
admin@pa-3260> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 22:31:05 22:31:05 2 SWInstall FIN FAIL 22:35:00
Warnings:
Details:Failed to install 10.2.10-h9 with the following errors.
SW version is 10.2.10-h9
Nothing pending to cancel
Error: Upgrading from 10.2.0 to 10.2.10-h9 requires a content version of 8614 or greater and found 8552-7333.
Failed to install version 10.2.10-h9 type panos
admin@pa-3260> request content upgrade download latest
admin@pa-3260> show jobs id 5
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 22:40:05 22:40:05 5 Downld FIN OK 22:40:17
Warnings:
Details:File successfully downloaded
admin@pa-3260> request content upgrade check
Version Size Released on Downloaded Installed
-------------------------------------------------------------------------
8942-9262 100MB 2025/02/12 07:23:02 KST no no
8947-9281 100MB 2025/02/21 06:55:21 KST yes no
8939-9248 100MB 2025/02/01 00:29:51 KST no no
8945-9271 100MB 2025/02/15 13:22:25 KST no no
8941-9260 100MB 2025/02/11 03:10:10 KST no no
8949-9297 100MB 2025/02/28 02:55:39 KST yes no
8943-9264 100MB 2025/02/13 03:31:11 KST no no
8940-9250 100MB 2025/02/04 07:49:41 KST no no
8948-9284 100MB 2025/02/25 04:59:36 KST no no
8946-9276 100MB 2025/02/19 09:28:24 KST no no
admin@pa-3260> request content upgrade install version latest
Content install job enqueued with jobid 6
6
admin@pa-3260> show jobs id 6
Enqueued Dequeued ID Type Status Result Completed
------------------------------------------------------------------------------------------------------------------------------
2025/03/01 22:44:23 22:44:23 6 Content ACT PEND 59%
Warnings:
Details:
[9]: Content Version Error Upgrading Major Platform OS with an Older Content Database
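The decision made above after the failed SWInstall job (read the required content version from the error, then pick a content package to install) can be scripted against the two CLI outputs. This is an added example, not part of the original post; the function names and return values are hypothetical, and the inputs are constructed from the job details and content listing shown above.

```python
import re

# Constructed from the failed job details and the content listing shown above.
JOB_DETAILS = """\
Details:Failed to install 10.2.10-h9 with the following errors.
Error: Upgrading from 10.2.0 to 10.2.10-h9 requires a content version of 8614 or greater and found 8552-7333.
Failed to install version 10.2.10-h9 type panos
"""
CONTENT_CHECK = """\
Version Size Released on Downloaded Installed
-------------------------------------------------------------------------
8942-9262 100MB 2025/02/12 07:23:02 KST no no
8947-9281 100MB 2025/02/21 06:55:21 KST yes no
8949-9297 100MB 2025/02/28 02:55:39 KST yes no
8948-9284 100MB 2025/02/25 04:59:36 KST no no
"""
REQUIREMENT_RE = re.compile(
    r"requires a content version of (\d+) or greater and found (\d+)-(\d+)")


def content_requirement(job_details):
    """(required, found) from an install failure, or None for other results.

    Assumption: the requirement is compared with the first number of the
    content version, as the wording of the error message suggests.
    """
    m = REQUIREMENT_RE.search(job_details)
    if m is None:
        return None
    return int(m.group(1)), (int(m.group(2)), int(m.group(3)))


def parse_content_check(output):
    """Rows of `request content upgrade check`: (version, downloaded, installed)."""
    rows = []
    for fields in (line.split() for line in output.splitlines()):
        if len(fields) >= 3 and re.fullmatch(r"\d+-\d+", fields[0]):
            major, minor = map(int, fields[0].split("-"))
            rows.append(((major, minor), fields[-2] == "yes", fields[-1] == "yes"))
    return rows


def next_action(job_details, check_output):
    """Return (action, content version) to take after an SWInstall job."""
    req = content_requirement(job_details)
    if req is None:
        return ("none", None)  # not a content-version failure
    required = req[0]
    rows = parse_content_check(check_output)
    if any(inst and ver[0] >= required for ver, _dl, inst in rows):
        return ("retry", None)  # sufficient content is already installed
    ready = [ver for ver, dl, _inst in rows if dl and ver[0] >= required]
    if not ready:
        return ("download", None)  # nothing suitable downloaded yet
    return ("install", "%d-%d" % max(ready))
```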
End.