By Jack - on Monday, 09 October 2023
Category: Technical

Palo Alto Firewalls (End-of-Life) upgrade.

As my PA-220 firewall heads towards EoL, I swapped it out for a PA-410 running OS 11.x.

I've worked professionally with firewall platforms for nearly 20 years; during that time I've configured Netscreen, Juniper, Palo Alto and Cisco, to name a few of the dominant vendors. In my opinion the most admin-friendly and enjoyable platform to work with is Palo Alto. I first encountered them in 2013 with the 5000 series and OS 4.x, which was being used at a top-tier financial institution for low-latency trading.

Whilst there are some nuances to setting up your terminal and outputting the config in 'set' format rather than XML, it quickly shows its strength as an engineer-friendly platform. Unusually, it also has an excellent GUI. Why would I use the GUI as a professional, I hear you say? Good question: they've done a really good job of making it intuitive, and the live monitoring 'Session Browser' is a quick and easy means of seeing sessions passing through the firewall. There are also software and dynamic updates pages, which can make small-scale upgrades quicker through the UI.

In January 2023 the EoL bulletin was updated with the PA-220 end-of-sale date and the last supported OS as 10.2.x (URL). OS 11 was released in May this year, and it's clear that the writing is on the wall for my trusted platform. I wasn't entirely sad about this, as the commit speed felt quite slow, perhaps due to an underpowered CPU.

My use case in this instance is a SoHo deployment, used to protect my work assets, home LAN and guest networks whilst providing logical isolation. With individuals more frequently working from home since 2020, there are more risks on domestic networks, particularly for those with flat networks where all nodes share the same segment. Using the Palo Alto firewall I'm able to simply isolate Home, Work, smart TVs and multiple Wi-Fi networks and ensure never the twain shall meet.

One thing that has changed in the past few years is ISP bandwidth, with fibre to the premises (FTTP) becoming increasingly available. The 220 had a maximum backplane throughput of approx. 500 Mbps, depending on the exact type of traffic passing through the data-plane. I hope soon to have 1 Gbps, and it would be a shame to halve the potential ISP bandwidth with my firewall platform. The PA-400 series benefits from a significant uplift:

So my new platform arrived and I was excited to get started on the preparation to swap it out. I have a USB-A to console cable and connected it to my Linux laptop; it is fairly similar on a Mac. Having powered up the platform I needed to connect via terminal to get the basics set.

With that set and basic access established, there are a few more basics to sort out before Ethernet-based MGT access is available. If you have Panorama and a larger enterprise deployment then there is the option of ZTP; otherwise:

With a strong and unique password set, it's time to set the management IP and upgrade the factory-installed software and dynamic updates:

Note: without a custom SSH profile set up to comply with modern standards, you're likely to have to pass SSH an option to allow ssh-rsa (you can fix this later). Having committed the changes, it's time to upgrade.

Bleeding edge (11.0.2-h2)

Software strategy is an important consideration for any enterprise: it may be that you require new features, or simply wish to negate any CVEs with the latest patches. I decided to go straight to the latest release, which is 11.0.2-h2. This ended up being a mistake and cost me around 2 hrs to figure out the problem and solution.

The issue was that as I built up the platform using my existing config, the 'auto-commit' job kept running and getting stuck. I killed the job using the CLI and reset the process, but it kept being an issue. Eventually I managed to kill it and downgrade the platform to 11.0.2, but it was a good reminder that an appetite for bleeding-edge releases may not be appropriate for all organisations.

Having downloaded the updates, set up NTP and Syslog, and ensured that my logs were arriving in Splunk, I set about porting over the interfaces config, zones and security policies section by section using SSH with regular commits. I noted that there were approximately 8000 lines of 'content-preview' configuration in the PA-220 running-config. I simply used 'sed' to delete this cruft:

sed -i '/set shared content-preview/d' PA-220-cleaned.conf
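The same clean-up, extended to the section-by-section porting described above, as an added example that is not from the original post. It assumes a 'set'-format config export; the sample config it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: tidy a PAN-OS 'set'-format
# config export before porting it to a new box. The functions strip the
# 'content-preview' cruft and pull out one section (interfaces, zones,
# rulebase) at a time so it can be pasted and committed in stages.
# The sample config written by write_sample_conf is constructed for illustration.

write_sample_conf() {
    # Write a small constructed config to the path given in $1
    cat > "$1" <<'EOF'
set shared content-preview application example-app category business-systems
set shared content-preview application example-app subcategory general-business
set network interface ethernet ethernet1/1 layer3 ip 192.0.2.1/24
set zone trust network layer3 ethernet1/1
set zone untrust network layer3 ethernet1/2
set rulebase security rules allow-out from trust to untrust action allow
EOF
}

count_content_preview() {
    # Number of content-preview lines that would be dropped from the file in $1
    grep -c '^set shared content-preview' "$1"
}

strip_content_preview() {
    # Same job as the sed one-liner above: delete the content-preview lines
    sed '/^set shared content-preview/d' "$1"
}

extract_section() {
    # $1 = config file, $2 = 'set' prefix such as 'set zone' or 'set rulebase security'
    grep "^$2 " "$1"
}

# Walk-through on the constructed sample
conf=$(mktemp)
write_sample_conf "$conf"
echo "content-preview lines to drop: $(count_content_preview "$conf")"
strip_content_preview "$conf" > "${conf}.cleaned"
for section in 'set network interface' 'set zone' 'set rulebase security'; do
    echo "--- $section ---"
    extract_section "${conf}.cleaned" "$section"
done
rm -f "$conf" "${conf}.cleaned"
```

Each extracted section can then be pasted into a configure session and committed before moving on to the next.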

Again, I performed all of this using the CLI via a Bash shell. If your organisation only allows you to have Windows, consider requesting WSL (Windows Subsystem for Linux) to make your life much easier and take advantage of a *nix-like shell.

With my config committed and service routes set, I placed it in the cabinet and crossed my fingers that I'd completed the conversion successfully. The boot time appears much quicker on the 410 than the 220; I think it is ready to pass traffic within approx. 3 minutes (the former took up to 7 minutes). I patched my cables over, cleared the ISP router's ARP cache, and immediately I was in business on the new hardware.

It was a great relief, and it's always satisfying to get it right first time. After leaving it 72 hrs to ensure stability, I'll arrange for the secure and responsible destruction of the existing hardware.

CND has many years of experience securing clients with firewall platforms and other components forming a robust security posture. If you need help replacing or upgrading EoL platforms please get in touch, we are always keen to help clients on such tasks.
