Best Practices for Palo Alto Firewall Implementation and CIS Hardening
Introduction
In today’s evolving cybersecurity landscape, the firewall continues to serve as a foundational component of enterprise network defense. When implementing a Palo Alto Networks (PAN) firewall—whether as part of a new deployment or to strengthen an existing environment—it is critical to follow industry-recognized best practices and hardening guidelines. This article outlines recommended approaches for securely configuring PAN firewalls, with a focus on alignment with CIS (Center for Internet Security) benchmarks and proven strategies to reduce risk, enhance visibility, and maintain operational control.
Power-On Self-Test (POST)
At startup, the firewall conducts a Power-On Self-Test (POST) to verify hardware integrity—covering components like memory, network interfaces, and cooling systems. Only after POST completes successfully does the device proceed to its configuration and operational stages.
Registering the Firewall with Palo Alto Networks
To activate licenses and access updates, the device must be registered on the Palo Alto Networks Customer Support Portal (CSP).
Steps:
1. Navigate to: https://support.paloaltonetworks.com/
2. Log in or create an account.
3. Go to Assets > Devices > Register New Device.
4. Enter the serial number (found on the firewall label or under Dashboard > General Information).
5. Assign the device to a support account and complete the registration.
License Activation
Once registered, licenses and subscriptions such as Threat Prevention, URL Filtering, and WildFire should be activated.
Steps:
1. In the firewall web interface, go to Device > Licenses.
2. Click “Retrieve license keys from Palo Alto Networks”.
3. The device will fetch and install all entitled licenses.
Software and Content Updates
Keeping your Palo Alto firewall up to date with the latest PAN-OS software and content updates is essential to maintaining a secure and resilient network perimeter. This step not only patches vulnerabilities but also ensures that the firewall can detect and prevent emerging threats.
PAN-OS Software Update
Steps
1. Navigate to: Device > Software
2. Click "Check Now" to retrieve the list of available PAN-OS versions.
3. Download the latest recommended version (usually marked as "preferred release") suitable for your environment.
4. Click Install and reboot the firewall as required.
- NOTE: It is best practice to perform upgrades during planned maintenance windows after taking a full configuration backup.
Schedule Regular Automatic Content Updates
To ensure the firewall remains up-to-date without manual intervention, configure automatic scheduled updates:
Steps
1. Navigate to: Device > Dynamic Updates > Schedule
2. Set the update frequency for each content type as follows:
   - Applications and Threats: Daily (recommended)
   - Antivirus: Daily
   - WildFire: Hourly (for near real-time malware detection)
   - URL Filtering: Daily or Weekly (based on policy needs)
3. Enable the option to "Download and Install Automatically" after fetching the update.
Remove Default Admin Access
One of the most basic yet critical steps in hardening a Palo Alto firewall is changing the default login credentials. Out of the box, PA firewalls use the default username admin and password admin, which are publicly known and widely exploited by attackers scanning for poorly configured devices.
Leaving default credentials unchanged exposes the firewall to brute-force attacks, unauthorized access, and potential full compromise of the device—undermining all other security configurations.
Best Practices:
- Create a New Admin User & Remove Default admin:
- Create a new superuser account with a unique username.
- Log in using the new account, and then delete or disable the default admin account.
- This ensures that attackers can’t attempt access using a well-known username.
- Use a Strong and Complex Password
Implementation Steps on PA Firewall:
1. Navigate to Device > Admin Roles → Create role-based profiles
2. Navigate to Device > Administrators → Add new admin user
3. Navigate to Device > Setup > Management → Configure password policies
Configuring Security Zones: LAN, WAN, and VPN
Security zones are the foundation of traffic segmentation and policy enforcement in a Palo Alto firewall. Proper zone configuration is critical to secure firewall deployment, allowing administrators to control, inspect, and log traffic based on logical boundaries.
Configuration Steps:
1. Navigate to: Network > Zones > Add
2. Name: LAN (or something more specific, like LAN-Users)
3. Type: Layer3
4. Log Setting: Attach a log forwarding profile for visibility
5. Interfaces: Assign trusted internal interface(s) (e.g., ethernet1/2)
Best Practices:
- Use separate zones for users, servers, and management traffic.
- Apply intra-zone restrictions to prevent lateral movement.
- Enforce DNS, NTP, and AD traffic through strict policy rules.
Configuring ISP and LAN Interfaces on Palo Alto Firewalls
Proper configuration of firewall interfaces is foundational to both functionality and security. Whether you're deploying a new Palo Alto firewall or hardening an existing one, correctly setting up WAN (ISP-facing) and LAN (internal-facing) ports ensures reliable routing, proper zone assignment, and secure traffic enforcement.
Step-by-Step: Configuring WAN (ISP) Interfaces
These are the external-facing interfaces, usually connecting to a modem or ISP router.
1. Configure Layer 3 Interface
1. Go to: Network > Interfaces > Ethernet
2. Select the appropriate port (e.g., ethernet1/1)
3. Interface Type: Layer3
4. Virtual Router: default or a custom one
5. Security Zone: WAN
2. Assign Interface to a Zone
1. Go to: Network > Zones > Add
2. Name: WAN
3. Type: Layer3
3. Configure IP Addressing
1. Choose Static IP, DHCP, or PPPoE depending on the ISP:
   - Static: Manually assign public IP/gateway/DNS
   - DHCP: Automatically assigned by the ISP
4. Configure Default Route
1. Go to: Network > Virtual Routers > [Default] > Static Routes
2. Destination: 0.0.0.0/0
3. Next Hop: IP of the ISP gateway
4. Interface: ethernet1/1
5. Enable Interface Management
- NOTE: Only enable HTTPS, SSH, or Ping if required for remote support.
Best Practice: Only allow firewall management access (e.g., HTTPS, SSH, Ping) to users connected via VPN. Block all other sources, including WAN.
Configuration Steps:
1. Create a Secure Interface Management Profile
2. Go to: Network > Network Profiles > Interface Mgmt
3. Click Add
4. Name: Mgmt-VPN-Only
5. Enable only the protocols you want, e.g.:
   - HTTPS (for GUI access)
   - SSH (for CLI, optional)
   - Ping (optional, for diagnostics)
6. Restrict Access by IP: Under Permitted IP Addresses, enter the VPN subnet (e.g., 10.10.10.0/24) used by your GlobalProtect or IPSec VPN.
Apply Management Profile to Trusted Interfaces Only
1. Apply the new profile only to the interface(s) accessible via VPN, not to WAN-facing ports.
2. Go to: Network > Interfaces > Ethernet
3. Select the interface you want to allow management access on (e.g., ethernet1/2 for LAN, or a loopback interface used for management).
4. Under the Advanced tab, set Management Profile: Mgmt-VPN-Only
- NOTE: DO NOT apply this profile to WAN-facing interfaces (e.g., ethernet1/1).
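The two hardening points above (the default admin account removed, and no management profile on a WAN-facing interface) can be checked against a configuration export. The script below is an added example, not the article's or Palo Alto Networks' own code; the XML is a constructed, trimmed excerpt that follows the layout of a PAN-OS running-config export, and the interface-to-zone mapping is assumed rather than parsed from the vsys zone definitions.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed excerpt in the layout of a PAN-OS running-config
# export (real exports are far larger and carry many more elements).
SAMPLE_CONFIG = """<config>
  <mgt-config><users>
    <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="fw-ops-jdoe"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain"><network>
    <profiles><interface-management-profile>
      <entry name="Mgmt-VPN-Only">
        <https>yes</https><ssh>yes</ssh><ping>yes</ping>
        <permitted-ip><entry name="10.10.10.0/24"/></permitted-ip>
      </entry>
      <entry name="Mgmt-Open">
        <https>yes</https><ssh>yes</ssh><http>yes</http><telnet>yes</telnet>
      </entry>
    </interface-management-profile></profiles>
    <interface><ethernet>
      <entry name="ethernet1/1"><layer3><interface-management-profile>Mgmt-Open</interface-management-profile></layer3></entry>
      <entry name="ethernet1/2"><layer3><interface-management-profile>Mgmt-VPN-Only</interface-management-profile></layer3></entry>
    </ethernet></interface>
  </network></entry></devices>
</config>"""

# Assumed interface-to-zone mapping (a real audit would read it from the
# vsys zone definitions); WAN is the untrusted, ISP-facing zone.
ZONE_OF_INTERFACE = {"ethernet1/1": "WAN", "ethernet1/2": "LAN"}
WAN_ZONES = {"WAN"}
CLEARTEXT_SERVICES = {"http", "telnet"}


def audit_management_access(config_xml: str) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    root = ET.fromstring(config_xml)
    findings = []
    # 1. The default superuser account must be deleted or disabled.
    if root.find("./mgt-config/users/entry[@name='admin']") is not None:
        findings.append("default 'admin' account still exists")
    # 2. Every interface management profile: no cleartext services, and a
    #    permitted-IP list restricting access to the VPN subnet.
    for prof in root.iterfind(".//interface-management-profile/entry"):
        name = prof.get("name")
        enabled = {child.tag for child in prof if child.text == "yes"}
        for svc in sorted(enabled & CLEARTEXT_SERVICES):
            findings.append(f"profile {name} enables cleartext service {svc}")
        if prof.find("permitted-ip/entry") is None:
            findings.append(f"profile {name} has no permitted IP restriction")
    # 3. No management profile may be bound to a WAN-facing interface.
    for iface in root.iterfind(".//interface/ethernet/entry"):
        name = iface.get("name")
        bound = iface.findtext("layer3/interface-management-profile")
        if bound and ZONE_OF_INTERFACE.get(name) in WAN_ZONES:
            findings.append(f"{name} (WAN) exposes management profile {bound}")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
```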
Configuring Layer 3 Routing and Firewall Policy for Inbound and Outbound Traffic
Effective routing and firewall policy configuration are foundational to a secure and functional Palo Alto firewall deployment. Proper handling of Layer 3 routing combined with precise firewall rules ensures traffic flows as intended, while maintaining strict security controls as outlined in CIS hardening guidelines.
This section covers best practices for configuring Layer 3 interfaces and routing along with inbound/outbound firewall policy design for new deployments or securing existing Palo Alto firewalls.
Understanding Layer 3 Routing on Palo Alto Firewalls
Palo Alto firewalls support Layer 3 interfaces that connect different networks or zones and forward traffic based on routing tables.
Key Concepts:
- Virtual Routers: Palo Alto uses virtual routers to hold routing information (static routes, dynamic routing protocols).
- Static Routes: Manually configured routes defining next hops for destination prefixes.
- Dynamic Routing: Protocols like OSPF, BGP, or RIP can be configured if the firewall integrates into a dynamic network environment.
- Default Route: The route used for any traffic that doesn’t match a more specific prefix (usually towards the ISP).
Best Practices for Layer 3 Routing Configuration
- Use Virtual Routers Wisely: Use one virtual router unless your network segmentation or multi-tenant environment requires separate routing domains.
- Define Static Routes with Explicit Next Hops: For simple deployments, static routes with clear next hops improve predictability and auditability.
- Implement Dynamic Routing Where Needed: Use OSPF or BGP to enable failover and dynamic path selection for complex or multi-ISP environments.
- Configure Default Route to WAN: Ensure the default route points to your ISP gateway for outbound internet traffic.
- Use Route Redistribution Carefully: If running dynamic routing protocols, be mindful when redistributing routes to avoid routing loops.
- Monitor and Audit Routing Tables Regularly: Ensure no unintended routes exist that could leak traffic outside intended paths.
Configuring SNAT Policies for Outbound Traffic on Palo Alto Firewalls
Source NAT (SNAT) is essential for allowing internal users to access the internet by translating their private IP addresses into a public IP address or a pool of public IPs. Proper SNAT configuration is a critical step in firewall deployment and hardening.
This guide covers best practices and a detailed step-by-step process to configure SNAT policies, ensuring secure and reliable outbound connectivity while aligning with CIS hardening standards.
What is SNAT and Why is it Important?
- SNAT modifies the source IP address of outbound packets from a private IP (e.g., 192.168.x.x) to a public IP assigned by your ISP.
- It enables multiple internal hosts to share a limited number of public IPs.
- SNAT also hides the internal network topology and enhances security by masking private IPs.
- Proper SNAT ensures return traffic is routed back correctly to the firewall and internal hosts.
Step-by-Step Configuration of SNAT Policy
Step 1: Define Address Object for SNAT IP
1. Navigate to: Objects > Addresses
2. Click Add
3. Name: SNAT_Public_IP (or a descriptive name)
4. Type: IP Netmask
5. IP Address: Enter your public IP address (e.g., 203.0.113.20)
6. Click OK
7. If you have multiple IPs, create an Address Group.
Step 2: Configure Source NAT Rule
1. Navigate to: Policies > NAT
2. Click Add
3. Give the rule a meaningful name, e.g., SNAT_LAN_to_WAN
Configure the following:
Original Packet
1. Source Zone: LAN (your trusted/internal zone)
2. Destination Zone: WAN (your ISP/external zone)
3. Source Address: any (or a specific subnet if required)
4. Destination Address: any
5. Service: any
Translated Packet
1. Translation Type: Dynamic IP And Port (DIPP)
2. Address Type: Translated Address
3. Translated Address: Select the previously created SNAT_Public_IP
4. Click OK to save the NAT rule
5. Commit the changes
Configuring DNAT (Destination NAT) for Inbound Traffic on Palo Alto Firewalls
Destination NAT (DNAT) allows external clients to access internal servers or services by translating a public IP address and port to a private internal IP and port. This is essential for hosting public-facing services like web servers, VPN portals, or mail servers securely behind your Palo Alto firewall.
Best Practices for DNAT Configuration
- Restrict DNAT rules to only required services and ports. Avoid broad or open rules.
- Place publicly accessible servers in a dedicated DMZ zone.
- Use specific destination ports in the NAT rule rather than “any” port.
- Apply security policies that restrict inbound traffic to only what’s necessary.
- Enable logging and monitoring for inbound NAT sessions.
- Regularly audit DNAT rules to remove unused or outdated mappings.
Configuration Steps for DNAT on a Palo Alto Firewall
Step 1: Create Address Objects
Create objects for the public IP (external) and the internal server IP.
1. Navigate to: Objects > Addresses
2. Add the public IP object:
   - Name: Public_Web_IP
   - Type: IP Netmask
   - IP Address: Your public-facing IP (e.g., 198.51.100.10)
3. Add the internal server IP object:
   - Name: Internal_Web_Server
   - Type: IP Netmask
   - IP Address: Internal server IP (e.g., 10.1.10.20)
Step 2: Configure the Destination NAT Rule
1. Navigate to: Policies > NAT
2. Click Add
3. Name the rule, e.g., DNAT_Web_Server
4. Configure the following fields under Original Packet:
   - Source Zone: WAN (untrusted external zone)
   - Destination Zone: WAN
   - Destination Address: Public_Web_IP
   - Service: Specify the service port (e.g., service-http for port 80)
Translated Packet
1. Translation Type: Static IP
2. Translated Address: Internal_Web_Server
3. Destination Port: Leave blank (same port) or specify if different
Step 3: Create Security Policy to Allow Inbound Traffic
1. Navigate to: Policies > Security
2. Click Add
Configure:
1. Name: Allow_DNAT_Web
2. Source Zone: WAN
3. Destination Zone: DMZ (or the zone of the internal server)
4. Destination Address: Internal_Web_Server
5. Service: service-http (or the matching port)
6. Action: Allow
7. Log Setting: Enable at session start and end
Best Practice: Restrict DNAT Access to Specific ISPs/Regions: DNAT rules should be limited to trusted ISPs or specific geographic regions to reduce exposure and mitigate the risk of unauthorized access attempts from untrusted networks.
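How PAN-OS resolves the SNAT and DNAT rules above, modeled as an added example that is not part of the article or any Palo Alto Networks code. It assumes a constructed routing table and the address objects named in the steps; NAT rules are matched on the pre-NAT destination zone (found by routing the original destination IP), while security policy is matched on the post-NAT zone but the pre-NAT addresses, which is why the inbound security rule in the model keys on Public_Web_IP with destination zone DMZ.

```python
import ipaddress

# Constructed routing table (prefix -> zone of the egress interface) and the
# address objects the article creates; all addresses are documentation ranges.
ROUTES = {"10.1.10.0/24": "DMZ", "192.168.1.0/24": "LAN",
          "198.51.100.0/24": "WAN", "0.0.0.0/0": "WAN"}
ADDRESS_OBJECTS = {"Public_Web_IP": "198.51.100.10",
                   "Internal_Web_Server": "10.1.10.20",
                   "SNAT_Public_IP": "203.0.113.20"}


def zone_for(ip: str) -> str:
    """Longest-prefix match over ROUTES; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return ROUTES[best]


# NAT rules match the ORIGINAL packet: pre-NAT zones and addresses.
NAT_RULES = [
    {"name": "DNAT_Web_Server", "from": "WAN", "to": "WAN",
     "dst": "Public_Web_IP", "dport": 80, "dnat": "Internal_Web_Server"},
    {"name": "SNAT_LAN_to_WAN", "from": "LAN", "to": "WAN",
     "dst": "any", "dport": "any", "snat": "SNAT_Public_IP"},
]
# Security rules match the post-NAT zone but the pre-NAT addresses, so the
# inbound rule keys on Public_Web_IP with destination zone DMZ.
SECURITY_RULES = [
    {"name": "Allow_DNAT_Web", "from": "WAN", "to": "DMZ",
     "dst": "Public_Web_IP", "dport": 80, "action": "allow"},
    {"name": "Allow_LAN_to_Internet", "from": "LAN", "to": "WAN",
     "dst": "any", "dport": "any", "action": "allow"},
    {"name": "Deny_All", "from": "any", "to": "any",
     "dst": "any", "dport": "any", "action": "deny"},
]


def _match(rule, src_zone, dst_zone, dst_ip, dport):
    return (rule["from"] in ("any", src_zone) and rule["to"] in ("any", dst_zone)
            and (rule["dst"] == "any" or ADDRESS_OBJECTS[rule["dst"]] == dst_ip)
            and rule["dport"] in ("any", dport))


def evaluate(src_ip, src_zone, dst_ip, dport):
    """Return (nat_rule, security_rule, action, post_nat_src, post_nat_dst)."""
    pre_nat_dst_zone = zone_for(dst_ip)        # routed on the ORIGINAL destination
    nat_hit, new_src, new_dst = None, src_ip, dst_ip
    for rule in NAT_RULES:                     # first matching NAT rule wins
        if _match(rule, src_zone, pre_nat_dst_zone, dst_ip, dport):
            nat_hit = rule["name"]
            new_dst = ADDRESS_OBJECTS.get(rule.get("dnat"), dst_ip)
            new_src = ADDRESS_OBJECTS.get(rule.get("snat"), src_ip)
            break
    post_nat_dst_zone = zone_for(new_dst)      # zone the translated packet egresses to
    for rule in SECURITY_RULES:                # pre-NAT dst_ip, post-NAT zone
        if _match(rule, src_zone, post_nat_dst_zone, dst_ip, dport):
            return nat_hit, rule["name"], rule["action"], new_src, new_dst
    return nat_hit, None, "deny", new_src, new_dst   # implicit deny


if __name__ == "__main__":
    print(evaluate("198.51.100.77", "WAN", "198.51.100.10", 80))  # inbound web
    print(evaluate("192.168.1.50", "LAN", "192.0.2.80", 443))     # outbound, SNAT
    print(evaluate("198.51.100.77", "WAN", "198.51.100.10", 22))  # no DNAT: deny
```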
Configuring Security and User Policies on Palo Alto Firewalls
Security policies are the heart of any firewall deployment. On Palo Alto Networks (PAN) firewalls, security policies define which traffic is allowed or denied between zones, users, and applications — while enabling advanced inspection and threat prevention. Configuring these policies correctly ensures secure segmentation, user accountability, and compliance with CIS hardening guidelines. This section walks through best practices and practical steps to configure both traditional security rules and User-ID-based access controls.
Understanding Security Policies on PAN-OS
Palo Alto firewalls use zone-based, stateful security policies that control traffic between interfaces and zones. These policies support:
- App-ID: Enforce access based on the actual application, not just port.
- User-ID: Tie traffic to authenticated users or groups.
- Content-ID: Inspect traffic for threats, viruses, and malicious content.
- Logging: Track policy hits and generate audit/compliance reports.
Best Practices for Security Policy Configuration
- Deny by Default: Use an explicit deny-all rule at the bottom of the policy stack.
- Use App-ID and not just ports: App-ID reduces risks of port-hopping and unknown applications.
- Enable User-ID: Policies based on user identity improve control and visibility.
- Attach Threat Prevention Profiles: Protect traffic with Anti-virus, Anti-Spyware, and Vulnerability profiles.
- Log all sessions: Enable logging at session end (or start and end for critical rules).
- Clean up unused policies: Regularly audit policies to remove obsolete or overly permissive rules.
Port Restrictions on Incoming and Outgoing Traffic: All incoming and outgoing network traffic should be strictly controlled based on port usage. Only the ports necessary for the client's applications and services should be allowed, minimizing the attack surface and improving overall network security.
1. Steps to Configure Basic Security Policies
1. Go to: Policies > Security
2. Click Add
3. General tab:
   - Name: Allow_LAN_to_Internet
   - Rule Type: universal (default)
4. Source tab:
   - Zone: LAN
   - Address: any (or your internal subnet)
5. Destination tab:
   - Zone: WAN
   - Address: any
6. Application tab: Select only necessary applications (e.g., web-browsing, ssl, dns, ntp). Avoid using "any" unless strictly necessary.
7. Service/URL Category tab:
   - Service: application-default (best practice)
Actions tab:
1. Action: Allow
2. Enable Log at session end
3. Attach a Security Profile Group (with Antivirus, Anti-Spyware, Vulnerability Protection, etc.)
4. Click OK
2. Create a User-Based Security Policy
1. Go to: Policies > Security > Add
2. Source tab:
   - Zone: LAN
   - User: Select individual users or AD groups (e.g., Domain Users, IT_Admins)
3. Configure the other tabs (Destination, Application, etc.) as usual
4. Actions tab:
   - Action: Allow
   - Logging: enabled
   - Attach Security Profiles
- This allows role-based access control to specific resources (e.g., only HR staff can access payroll systems).
Configuring URL Filtering Profiles and Applying Them to Policies in Palo Alto Firewalls
Controlling web access is a critical component of enterprise security and compliance. URL Filtering Profiles in Palo Alto firewalls allow administrators to control, monitor, and restrict access to web content based on URL categories and custom lists. This helps in preventing access to malicious, inappropriate, or non-business-related websites, and aligns with several CIS benchmark recommendations.
This article covers best practices and step-by-step guidance on configuring URL Filtering Profiles and assigning them to relevant security policies.
Steps to Configure URL Filtering Profile
Step 1: Create a URL Filtering Profile
1. Go to: Objects > Security Profiles > URL Filtering
2. Click Add
3. Enter a descriptive name, e.g., Corp_URL_Filter_Profile
4. Under URL Category, define actions:
   - Malware: Block
   - Phishing: Block
   - Command-and-Control: Block
   - Adult and Pornography: Block
   - Streaming Media: Alert or Block (if needed)
   - Business and Economy: Allow
5. Enable Logging.
Step 2: Apply URL Filtering Profile to a Security Policy
Now that your profile is ready, you need to assign it to relevant outbound security policies.
Steps:
1. Go to: Policies > Security
2. Edit the relevant outbound policy (e.g., Allow_LAN_to_Internet)
3. Go to the Actions tab
4. Under Profile Setting, set Profile Type to Profiles
5. Under URL Filtering, select Corp_URL_Filter_Profile
6. Optionally attach other profiles (Antivirus, Anti-Spyware, etc.) under the same policy.
7. Ensure Log at Session End is enabled.
8. Click OK, then Commit the configuration.
Configuring Antivirus Profiles and Applying Them to Policies in Palo Alto Firewalls
Malware continues to be a primary threat vector in enterprise environments. Palo Alto Networks firewalls provide Antivirus profiles to detect and block malicious files and payloads traversing supported protocols (HTTP, SMTP, FTP, IMAP, POP3, and SMB). Applying a properly tuned Antivirus profile helps prevent malware infections, aligns with CIS Benchmarks, and supports regulatory compliance frameworks like NIST and ISO 27001.
This article outlines best practices and step-by-step instructions for configuring Antivirus Profiles and applying them to security policies.
Steps to Configure Antivirus Profile
Step 1: Create an Antivirus Profile
1. Navigate to: Objects > Security Profiles > Antivirus
2. Click Add to create a new profile.
3. Enter a descriptive name, e.g., Corp_AV_Profile
4. For each protocol (HTTP, SMTP, IMAP, FTP, SMB), set the following:
   - Action: Block or Reset-Both
   - Enable WildFire Inline ML detection (if licensed)
   - Enable Packet Capture (optional but recommended for high/critical severities)
5. Click OK to save the profile.
Step 2: Apply Antivirus Profile to a Security Policy
Once the profile is created, attach it to security policies handling traffic that could carry malicious content (typically internet-bound or email/FTP-related traffic).
1. Navigate to: Policies > Security
2. Edit the appropriate policy (e.g., Allow_LAN_to_Internet)
3. Go to the Actions tab.
4. Under Profile Setting, set Profile Type to Profiles
5. Under Antivirus, select Corp_AV_Profile
6. Optionally attach additional profiles (e.g., Anti-Spyware, Vulnerability Protection)
7. Ensure Log at Session End is enabled.
8. Click OK, then Commit the configuration.
Best Practices
- Always clone the default profile and apply your own naming and logging preferences.
- Enable WildFire Integration for zero-day malware detection.
- Apply the Antivirus profile to all policies that permit inbound or outbound file-based traffic (e.g., web, email, FTP).
- Regularly review Threat logs under Monitor > Logs > Threat for detection trends.
- Use packet capture to assist in forensic analysis of blocked threats.
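An added example, not from the article or Palo Alto Networks, that audits a security rulebase for the practices in the security policy section (explicit deny at the bottom, App-ID rather than "any", application-default service, session-end logging) and for the URL Filtering and Antivirus profiles described in the two sections just above. The XML is a constructed, trimmed excerpt in the layout of the rulebase/security/rules section of a PAN-OS export; the "PAN-OS logs at session end unless log-end is explicitly no" default is the one assumption the checks rely on.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed excerpt in the layout of <rulebase><security><rules>.
SAMPLE_RULEBASE = """<rules>
  <entry name="Allow_LAN_to_Internet">
    <from><member>LAN</member></from><to><member>WAN</member></to>
    <application><member>web-browsing</member><member>ssl</member>
      <member>dns</member><member>ntp</member></application>
    <service><member>application-default</member></service>
    <action>allow</action><log-end>yes</log-end>
    <profile-setting><profiles>
      <url-filtering><member>Corp_URL_Filter_Profile</member></url-filtering>
      <virus><member>Corp_AV_Profile</member></virus>
    </profiles></profile-setting>
  </entry>
  <entry name="Temp_Vendor_Access">
    <from><member>WAN</member></from><to><member>DMZ</member></to>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action><log-end>no</log-end>
  </entry>
  <entry name="Deny_All">
    <from><member>any</member></from><to><member>any</member></to>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action><log-end>yes</log-end>
  </entry>
</rules>"""


def _members(entry, path):
    return {m.text for m in entry.iterfind(f"{path}/member")}


def _profiles(entry):
    """Profile types attached to a rule; a profile group is one opaque token."""
    ps = entry.find("profile-setting")
    if ps is None:
        return set()
    group = ps.findtext("group/member")
    if group:
        return {f"group:{group}"}
    return {child.tag for child in ps.find("profiles")}


def audit_rulebase(rules_xml: str) -> list[str]:
    rules = list(ET.fromstring(rules_xml).iterfind("entry"))
    findings = []
    last = rules[-1]
    if (last.findtext("action") not in ("deny", "drop")
            or _members(last, "from") != {"any"} or _members(last, "to") != {"any"}):
        findings.append(f"last rule {last.get('name')} is not an explicit any/any deny")
    for rule in rules:
        name = rule.get("name")
        if rule.findtext("action") != "allow":
            continue
        if "any" in _members(rule, "application"):
            findings.append(f"{name}: application 'any' on an allow rule")
        if _members(rule, "service") != {"application-default"}:
            findings.append(f"{name}: service is not application-default")
        # Assumption: PAN-OS logs at session end unless log-end is explicitly no.
        if rule.findtext("log-end", "yes") != "yes":
            findings.append(f"{name}: log at session end disabled")
        profs = _profiles(rule)
        if not profs:
            findings.append(f"{name}: no security profiles attached")
        elif not any(p.startswith("group:") for p in profs):
            for tag, label in (("url-filtering", "URL Filtering"), ("virus", "Antivirus")):
                if tag not in profs:
                    findings.append(f"{name}: no {label} profile attached")
    return findings


if __name__ == "__main__":
    for finding in audit_rulebase(SAMPLE_RULEBASE):
        print("FINDING:", finding)
```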
Enforce a 1-Hour Lockout After the Failed Login Threshold Is Reached
To defend against unauthorized access attempts, Brute-Force Protection is implemented for VPN login authentication. This security mechanism monitors failed login attempts and automatically enforces a temporary lockout policy under the following conditions:
- If a user exceeds 10 consecutive failed login attempts, the system will block further login attempts from the source IP address.
- The lockout duration is set to 1 hour (3600 seconds).
- During this period, any additional login attempts from the same source IP will be denied.
This control helps to mitigate brute-force attacks targeting VPN credentials by slowing down repeated guessing attempts and deterring automated password attacks. It also supports broader compliance efforts aligned with CIS Benchmarks and Zero Trust principles.
Configuration Steps
Create or Modify a Vulnerability Protection Profile
1. Navigate to Objects > Security Profiles > Vulnerability Protection.
2. Create a new profile or edit an existing one.
3. Locate Threat ID 40017 in the profile under the Exceptions tab.
4. Click Enable on Threat ID 40017.
5. Click the Edit (pencil icon) beside the threat name.
Adjust Time Attributes
In the Edit Time Attribute dialog:
1. Set Number of Hits to 10.
2. Set Time Interval to 3600 seconds.
3. Choose Action as block-ip.
4. Define the Block Duration (e.g., 3600 seconds).
5. Apply Block by: source IP, or source and destination IP, as appropriate.
Apply the Profile to Security Policies
1. Go to Policies > Security.
2. Identify the security policy governing VPN access.
3. Under the Actions tab, enable the Vulnerability Protection profile created in the previous steps.
4. Commit the configuration.
Best Practice Notes
- Threat ID 40017 typically identifies suspicious behaviors or potential exploits. Blocking by IP helps mitigate lateral movement and brute-force attempts.
- Use source and destination IP block mode cautiously to avoid impacting legitimate traffic.
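The lockout logic described above (10 failures within 3600 seconds from one source IP, then a 3600-second block on that IP), replayed over authentication log lines as a SIEM-side check that the block-ip action is behaving as intended. This is an added example, not the article's or Palo Alto Networks' code; the log lines are constructed in a simplified "epoch,source_ip,user,result" form rather than the real PAN-OS log format.

```python
from collections import defaultdict, deque

HIT_THRESHOLD = 10      # "Number of Hits"
TIME_INTERVAL = 3600    # seconds within which the hits must occur
BLOCK_DURATION = 3600   # seconds the source IP stays blocked


def build_sample_log() -> list[str]:
    """Constructed sample in a simplified 'epoch,source_ip,user,result' form."""
    lines = []
    # 203.0.113.9: 12 failures one minute apart, then two later attempts.
    for i in range(12):
        lines.append(f"{1000 + i * 60},203.0.113.9,alice,failure")
    lines.append("4200,203.0.113.9,alice,success")   # still inside the block
    lines.append("5200,203.0.113.9,alice,success")   # block has expired
    # 198.51.100.50: 9 failures spread over more than an hour, never blocked.
    for i in range(9):
        lines.append(f"{2000 + i * 500},198.51.100.50,bob,failure")
    lines.append("3000,192.0.2.7,carol,success")
    return sorted(lines, key=lambda ln: int(ln.split(",")[0]))


def evaluate_log(lines):
    """Replay the log; return (per-IP decisions, {ip: epoch when its block ends})."""
    recent_failures = defaultdict(deque)   # ip -> failure timestamps in the interval
    blocked_until = {}                     # ip -> epoch at which the block ends
    decisions = defaultdict(list)          # ip -> [(epoch, decision), ...]
    for line in lines:
        ts_str, ip, _user, result = line.split(",")
        ts = int(ts_str)
        if blocked_until.get(ip, 0) > ts:           # block-ip still in force
            decisions[ip].append((ts, "blocked"))
            continue
        if result == "success":
            decisions[ip].append((ts, "allowed"))
            continue
        window = recent_failures[ip]
        window.append(ts)
        while ts - window[0] > TIME_INTERVAL:        # age out old failures
            window.popleft()
        if len(window) >= HIT_THRESHOLD:             # threshold reached: block-ip
            blocked_until[ip] = ts + BLOCK_DURATION
            window.clear()
            decisions[ip].append((ts, "blocked"))
        else:
            decisions[ip].append((ts, "failure"))
    return dict(decisions), blocked_until


if __name__ == "__main__":
    _, blocks = evaluate_log(build_sample_log())
    for ip, until in blocks.items():
        print(f"{ip} blocked until epoch {until}")
```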
Mandatory MFA for SSL VPN Users: All users accessing the network via SSL VPN must authenticate using Multi-Factor Authentication (MFA). This adds an essential layer of security by requiring a second form of verification beyond just the password.
Enforcing Multi-Factor Authentication for SSL VPN Access
To strengthen identity verification and protect remote access channels, Multi-Factor Authentication (MFA) is mandated for all users connecting to the network via SSL VPN. This control is a critical component of Palo Alto firewall best practices and aligns with CIS (Center for Internet Security) Benchmarks for secure remote access.
Why MFA Is Essential for SSL VPN
SSL VPNs serve as gateways for remote users to access internal network resources. Without MFA, these portals are highly vulnerable to credential-based attacks, including:
- Brute-force and credential stuffing attacks
- Phishing and social engineering exploits
- Unauthorized access due to compromised credentials
MFA significantly reduces the risk by requiring users to present two or more verification factors.
Implementation Steps in Palo Alto Networks Firewall
Step 1: Configure Authentication Profile
- Navigate to Device > Authentication Profile.
- Click Add, then configure:
- Name: e.g., SSL-VPN-MFA
- Type: Select RADIUS or SAML (based on your MFA provider)
- User Domain and Username Modifier as needed
Step 2: Configure RADIUS or SAML for MFA
- Depending on your MFA solution (e.g., Duo, Okta, Azure AD), configure:
- RADIUS Server Profile: For Duo or similar tools
- SAML Identity Provider: For cloud MFA platforms (e.g., Azure AD, Okta)
For RADIUS-based MFA (e.g., Duo):
- Go to Device > Server Profiles > RADIUS, and click Add
- Configure the IP address, shared secret, and timeout/retry settings
For SAML-based MFA (e.g., Azure AD/Okta):
- Go to Device > Server Profiles > SAML Identity Provider
- Import IdP metadata and configure certificate validation
Step 3: Apply MFA Profile to GlobalProtect Portal and Gateway
- Go to Network > GlobalProtect > Portals
- Select the relevant portal configuration
- Under Authentication, assign the newly created MFA-enabled profile
- Repeat the above for GlobalProtect > Gateways
Best Practices
- Enforce MFA for all user roles, including admins and third-party vendors
- Disable fallback to password-only authentication
- Use time-based one-time passwords (TOTP) or push notifications (Duo, Microsoft Authenticator) as MFA methods
- Log and monitor all VPN authentication attempts for anomaly detection
- Integrate MFA with User-ID for context-aware security policies