Panorama admin guide

This is my basic checklist for installing a new Palo Alto firewall. I have used it for a few clusters during the last weeks. It shows the steps required for a PA firewall from unpacking until it is plugged into Panorama, Palo Alto's central management platform.

Here is the list. It is not a full step-by-step guide: I have not noted the commits or reboots in between. You should know when to commit and when to reboot. ;)

Basics for each device separately:

  1. Device -> Setup -> Management: General Settings (Hostname, Domain, Time), Management Interface Settings (IP Address, Netmask, Default Gateway)
  2. Device -> Setup -> Services: DNS Server, NTP Server
  3. Device -> Licenses: “Retrieve license keys from license server”; if PAN-DB is licensed, download and activate the database

Delete default configuration:

  1. Policies -> Security: rule1
  2. Network -> Virtual Wires, Zones, Interfaces

Cluster High Availability:

  1. Dedicated HA interfaces OR data interfaces set to interface type “HA” (Network -> Interfaces)
  2. Device -> High Availability -> General Setup: Enable, Group ID, Peer HA1 IP Address
  3. Control Link (HA1): Port, IP Address, etc.
  4. Same for Data Link (HA2), if used

Upgrades:

  1. Device -> Dynamic Updates: “Check Now”
  2. Install at least the Applications and Threats content (a PAN-OS upgrade requires a minimum content version); download with “Sync To Peer”, then install on each HA device separately
  3. Device -> Software: “Check Now”
  4. Download and Sync To Peer
  5. Install PAN-OS on both HA devices separately (+ reboot)

Panorama:

  1. On both HA devices: Device -> Setup -> Management -> Panorama Settings: IP address of the Panorama server
  2. On Panorama: Panorama -> Managed Devices -> Add: serial numbers of both HA devices
  3. Panorama -> Templates: Add the cluster to a new OR existing one
  4. Panorama -> Device Groups: Add the cluster to a new OR existing one
  5. Template -> Device -> Setup -> Services: DNS Server, NTP Server (Commit with “Force Template Values”)
  6. Template -> Device -> Administrators: Create at least one admin account (Superuser)
  7. On each HA device: delete the default admin/admin account, but only after the superuser pushed from the template has been verified to log in (otherwise you lock yourself out of the local device)
  8. On Panorama: Template -> Device -> Dynamic Updates: Schedule all needed sections. (Commit with “Force Template Values”)

I do at least one commit with “Force Template Values” after these installation steps. This replaces locally configured values with the template values: the DNS settings, for example, then come entirely from Panorama (green symbol) instead of the local override (green/orange symbol).
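The per-device basics, default-config cleanup, HA and Panorama steps of the checklist, rendered as PAN-OS configure-mode commands by a small generator so a pair can be built the same way every time. This is an added example, not part of the original post and not Palo Alto's code: the command paths follow PAN-OS 8.x as I know them (later releases moved the panorama-server node, for instance), the factory object names rule1, default-vwire, trust and untrust are assumed, and the inventory is constructed sample data in documentation address ranges. Check each line with “?” in configure mode before pasting it into a real device.

```python
"""Render the checklist's per-device basics, default-config cleanup, HA and
Panorama steps as PAN-OS configure-mode commands for each member of a pair.
Added example, not from the original post.  Assumed: PAN-OS 8.x command paths
(later releases moved e.g. the panorama-server node), factory object names
rule1 / default-vwire / trust / untrust, and a constructed inventory.  Verify
each line with '?' in configure mode before pasting it into a real device."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    hostname: str
    mgmt_ip: str
    mgmt_mask: str
    mgmt_gw: str
    ha1_port: str  # "ha1-a" on models with dedicated HA ports, else a data port
    ha1_ip: str
    ha1_mask: str


@dataclass(frozen=True)
class Cluster:
    domain: str
    dns: tuple       # (primary, secondary)
    ntp: tuple       # (primary, secondary)
    panorama: str
    ha_group_id: int
    ha2_port: str
    devices: tuple   # exactly two Device entries


def _ip(value: str) -> str:
    """Reject anything that is not a literal IPv4 address before it reaches the CLI."""
    return str(ipaddress.IPv4Address(value))


def validate(cluster: Cluster) -> None:
    if not 1 <= cluster.ha_group_id <= 63:
        raise ValueError("HA group ID must be 1-63")
    a, b = cluster.devices
    if a.hostname == b.hostname:
        raise ValueError("HA peers need distinct hostnames")
    ha1_net = ipaddress.IPv4Network(f"{a.ha1_ip}/{a.ha1_mask}", strict=False)
    if ipaddress.IPv4Address(b.ha1_ip) not in ha1_net:
        raise ValueError("HA1 peer addresses must share a subnet")


def build_commands(cluster: Cluster, device: Device) -> list:
    """Commands for one HA member, in the checklist's order."""
    validate(cluster)
    peer = next(d for d in cluster.devices if d is not device)
    dns1, dns2 = (_ip(x) for x in cluster.dns)
    ntp1, ntp2 = (_ip(x) for x in cluster.ntp)
    cmds = [
        # Device > Setup > Management / Services
        f"set deviceconfig system hostname {device.hostname}",
        f"set deviceconfig system domain {cluster.domain}",
        f"set deviceconfig system ip-address {_ip(device.mgmt_ip)} netmask {_ip(device.mgmt_mask)} default-gateway {_ip(device.mgmt_gw)}",
        f"set deviceconfig system dns-setting servers primary {dns1} secondary {dns2}",
        f"set deviceconfig system ntp-servers primary-ntp-server ntp-server-address {ntp1}",
        f"set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address {ntp2}",
        # Delete default configuration (factory names assumed)
        "delete rulebase security rules rule1",
        "delete network virtual-wire default-vwire",
        "delete zone untrust",
        "delete zone trust",
    ]
    # Interface type "HA" is needed only when a data port carries HA1/HA2
    for port in dict.fromkeys((device.ha1_port, cluster.ha2_port)):
        if port.startswith("ethernet"):
            cmds.append(f"set network interface ethernet {port} ha")
    cmds += [
        # Device > High Availability
        "set deviceconfig high-availability enabled yes",
        f"set deviceconfig high-availability group group-id {cluster.ha_group_id}",
        f"set deviceconfig high-availability group peer-ip {_ip(peer.ha1_ip)}",
        f"set deviceconfig high-availability interface ha1 port {device.ha1_port} ip-address {_ip(device.ha1_ip)} netmask {_ip(device.ha1_mask)}",
        f"set deviceconfig high-availability interface ha2 port {cluster.ha2_port}",
        # Device > Setup > Management > Panorama Settings
        f"set deviceconfig system panorama-server {_ip(cluster.panorama)}",
    ]
    return cmds


def retire_default_admin(verified_superuser: str) -> list:
    """Panorama step 7: drop admin/admin only after a superuser pushed from the
    template has been proven to log in on the device."""
    if verified_superuser.strip().lower() in ("", "admin"):
        raise ValueError("verify a superuser other than 'admin' before deleting it")
    return ["delete mgt-config users admin"]


def sample_cluster() -> Cluster:
    """Constructed inventory in documentation address ranges, not a real site."""
    fw01 = Device("fw01", "10.0.0.11", "255.255.255.0", "10.0.0.1", "ethernet1/7", "192.0.2.1", "255.255.255.252")
    fw02 = Device("fw02", "10.0.0.12", "255.255.255.0", "10.0.0.1", "ethernet1/7", "192.0.2.2", "255.255.255.252")
    return Cluster("example.net", ("10.0.0.53", "10.0.1.53"), ("10.0.0.123", "10.0.1.123"),
                   "198.51.100.10", 7, "ethernet1/8", (fw01, fw02))


if __name__ == "__main__":
    cl = sample_cluster()
    for dev in cl.devices:
        print(f"# --- {dev.hostname} ---\n" + "\n".join(build_commands(cl, dev)))
```

The generator deliberately stops before the admin deletion: retire_default_admin() refuses to emit “delete mgt-config users admin” unless you name the other superuser you have already logged in with, which is the order the checklist prescribes (template-pushed admin first, default account last).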

Now in Panorama:

I configure at least two further objects in each firewall template, because they are mostly the same across all HA clusters:

  1. Templates -> Network -> Network Profiles -> Interface Mgmt: Add the needed profiles, e.g., “untrust-mgmt”, “trust-mgmt”, “only-ping”, or the like
  2. Templates -> Network -> Network Profiles -> Zone Protection: Add the needed profiles, e.g., “zoneprotection-untrust” and “zoneprotection-trust” with the appropriate values

Now the device is fully integrated into Panorama and can be configured through it. That is, all further settings such as interfaces and routes, objects, policies, etc., are installed through Panorama.

Featured image “Fresh Start” by Alan Levine is licensed under CC BY 2.0.

Source: https://weberblog.net/palo-alto-firewall-installation-from-scratch-till-panorama/

panorama-admin.pdf


Panorama Administrator's Guide Version 8.0

paloaltonetworks.com/documentation

Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation
• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at [email protected]

Copyright
Palo Alto Networks, Inc. www.paloaltonetworks.com
© 2017-2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised March 26, 2019

2 PANORAMA ADMINISTRATOR'S GUIDE |

Table of Contents

Panorama Overview  9
  About Panorama  11
  Panorama Models  12
  Centralized Firewall Configuration and Update Management  14
    Context Switch—Firewall or Panorama  14
    Templates and Template Stacks  14
    Device Groups  15
  Centralized Logging and Reporting  20
    Managed Collectors and Collector Groups  20
    Local and Distributed Log Collection  21
    Caveats for a Collector Group with Multiple Log Collectors  22
    Log Forwarding Options  24
    Centralized Reporting  25
  User-ID Redistribution Using Panorama  26
  Role-Based Access Control  27
    Administrative Roles  27
    Authentication Profiles and Sequences  28
    Access Domains  29
    Administrative Authentication  29
  Panorama Commit, Validation, and Preview Operations  31
  Plan Your Panorama Deployment  32
  Deploy Panorama: Task Overview  34

Set Up Panorama  35
  Determine Panorama Log Storage Requirements  37
  Set Up the Panorama Virtual Appliance  39
    Setup Prerequisites for the Panorama Virtual Appliance  39
    Install the Panorama Virtual Appliance  41
    Perform Initial Configuration of the Panorama Virtual Appliance  44
    Set Up the Panorama Virtual Appliance with Local Log Collector  46
    Expand Log Storage Capacity on the Panorama Virtual Appliance  50
    Increase CPUs and Memory on the Panorama Virtual Appliance  55
    Complete the Panorama Virtual Appliance Setup  56
  Set Up the M-Series Appliance  57
    M-Series Appliance Interfaces  57
    M-Series Setup Overview  57
    Perform Initial Configuration of the M-Series Appliance  58
    Set Up the M-Series Appliance as a Log Collector  61
    Increase Storage on the M-Series Appliance  67
    Configure Panorama to Use Multiple Interfaces  73
  Register Panorama and Install Licenses  80
    Register Panorama  80
    Activate a Panorama Support License  83
    Activate/Retrieve a Firewall Management License on the Panorama Virtual Appliance  85
    Activate/Retrieve a Firewall Management License on the M-Series Appliance  85
  Install Content and Software Updates for Panorama  88
    Panorama, Log Collector, Firewall, and WildFire Version Compatibility  88
    Install Updates for Panorama in an HA Configuration  88
    Install Updates for Panorama with an Internet Connection  90
    Install Updates for Panorama When Not Internet-Connected  93
    Migrate Panorama Logs to the New Log Format  95
  Transition to a Different Panorama Model  97
    Migrate from a Panorama Virtual Appliance to an M-Series Appliance  97
    Migrate from an M-Series Appliance to a Panorama Virtual Appliance  99
    Migrate from an M-100 Appliance to an M-500 Appliance  101
  Access and Navigate Panorama Management Interfaces  105
    Log in to the Panorama Web Interface  105
    Navigate the Panorama Web Interface  105
    Log in to the Panorama CLI  106
  Set Up Administrative Access to Panorama  108
    Configure an Admin Role Profile  108
    Configure an Access Domain  108
    Configure Administrative Accounts and Authentication  109
  Set Up Authentication Using Custom Certificates  120
    How Are SSL/TLS Connections Mutually Authenticated?  120
    Configure Authentication Using Custom Certificates on Panorama  121
    Configure Authentication Using Custom Certificates on Managed Devices  122
    Add New Client Devices  124
    Change Certificates  124

Manage Firewalls  127
  Add a Firewall as a Managed Device  129
  Manage Device Groups  130
    Add a Device Group  130
    Create a Device Group Hierarchy  130
    Create Objects for Use in Shared or Device Group Policy  132
    Revert to Inherited Object Values  133
    Manage Unused Shared Objects  133
    Manage Precedence of Inherited Objects  134
    Move or Clone a Policy Rule or Object to a Different Device Group  135
    Select a URL Filtering Vendor on Panorama  136
    Push a Policy Rule to a Subset of Firewalls  139
    Manage the Rule Hierarchy  140
  Manage Templates and Template Stacks  142
    Template Capabilities and Exceptions  142
    Add a Template  142
    Configure a Template Stack  143
    Override a Template Setting  145
    Disable/Remove Template Settings  145
  Redistribute User-ID Information to Managed Firewalls  147
  Transition a Firewall to Panorama Management  150
    Plan the Transition to Panorama Management  150
    Migrate a Firewall to Panorama Management  151
    Migrate a Firewall HA Pair to Panorama Management  154
    Load a Partial Firewall Configuration into Panorama  156
  Use Case: Configure Firewalls Using Panorama  159
    Device Groups in this Use Case  159
    Templates in this Use Case  160
    Set Up Your Centralized Configuration and Policies  161

Manage Log Collection  167
  Configure a Managed Collector  169
  Manage Collector Groups  172
    Configure a Collector Group  172
    Move a Log Collector to a Different Collector Group  174
    Remove a Firewall from a Collector Group  175
  Configure Log Forwarding to Panorama  176
  Verify Log Forwarding to Panorama  180
  Modify Log Forwarding and Buffering Defaults  181
  Configure Log Forwarding from Panorama to External Destinations  183
  Log Collection Deployments  185
    Deploy Panorama with Dedicated Log Collectors  185
    Deploy Panorama M-Series Appliances with Local Log Collectors  190
    Deploy Panorama Virtual Appliances with Local Log Collectors  195
    Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection  199

Manage WildFire Appliances  201
  Add Standalone WildFire Appliances to Manage with Panorama  203
  Configure Basic WildFire Appliance Settings on Panorama  206
  Remove a WildFire Appliance from Panorama Management  207

Manage Licenses and Updates  209
  Manage Licenses on Firewalls Using Panorama  211
  Deploy Updates to Firewalls, Log Collectors, and WildFire Appliances Using Panorama  212
    Supported Updates  212
    Schedule a Content Update Using Panorama  213
    Upgrade Log Collectors When Panorama Is Internet-Connected  214
    Upgrade Log Collectors When Panorama Is Not Internet-Connected  216
    Upgrade Firewalls When Panorama Is Internet-Connected  218
    Upgrade Firewalls When Panorama Is Not Internet-Connected  218

Monitor Network Activity  223
  Use Panorama for Visibility  225
    Monitor the Network with the ACC and AppScope  225
    Analyze Log Data  227
    Generate, Schedule, and Email Reports  227
  Ingest Traps ESM Logs on Panorama  230
  Use Case: Monitor Applications Using Panorama  232
  Use Case: Respond to an Incident Using Panorama  235
    Incident Notification  235
    Review the Widgets in the ACC  235
    Review Threat Logs  236
    Review WildFire Logs  236
    Review Data Filtering Logs  237
    Update Security Rules  237

Panorama High Availability  239
  Panorama HA Prerequisites  241
  Priority and Failover on Panorama in HA  243
  Failover Triggers  244
    HA Heartbeat Polling and Hello Messages  244
    HA Path Monitoring  244
  Logging Considerations in Panorama HA  245
    Logging Failover on a Panorama Virtual Appliance in Legacy Mode  245
    Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode  246
  Synchronization Between Panorama HA Peers  247
  Manage a Panorama HA Pair  248
    Set Up HA on Panorama  248
    Set Up Authentication Using Custom Certificates Between HA Peers  249
    Test Panorama HA Failover  250
    Switch Priority after Panorama Failover to Resume NFS Logging  251
    Restore the Primary Panorama to the Active State  252

Administer Panorama  253
  Preview, Validate, or Commit Configuration Changes  255
  Manage Panorama and Firewall Configuration Backups  257
    Schedule Export of Configuration Files  257
    Save and Export Panorama and Firewall Configurations  258
    Revert Panorama Configuration Changes  259
    Configure the Maximum Number of Configuration Backups on Panorama  261
    Load a Configuration Backup on a Managed Firewall  261
  Compare Changes in Panorama Configurations  262
  Manage Locks for Restricting Configuration Changes  263
  Add Custom Logos to Panorama  265
  Use the Panorama Task Manager  266
  Manage Storage Quotas and Expiration Periods for Logs and Reports  267
    Log and Report Storage  267
    Log and Report Expiration Periods  267
    Configure Storage Quotas and Expiration Periods for Logs and Reports  268
    Configure the Run Time for Panorama Reports  269
  Monitor Panorama  270
    Panorama System and Configuration Logs  270
    Monitor Panorama and Log Collector Statistics Using SNMP  270
  Reboot or Shut Down Panorama  273
  Configure Panorama Password Profiles and Complexity  274

Troubleshooting  275
  Troubleshoot Panorama System Issues  277
    Generate Diagnostic Files for Panorama  277
    Diagnose Panorama Suspended State  277
    Monitor the File System Integrity Check  277
    Manage Panorama Storage for Software and Content Updates  277
    Recover from Split Brain in Panorama HA Deployments  278
  Troubleshoot Log Storage and Connection Issues  280
    Verify Panorama Port Usage  280
    Resolve Zero Log Storage for a Collector Group  282
    Replace a Failed Disk on an M-Series Appliance  282
    Replace the Virtual Disk on an ESXi Server  282
    Replace the Virtual Disk on vCloud Air  283
    Migrate Logs to a New M-Series Appliance in Log Collector Mode  284
    Migrate Logs to a New M-Series Appliance in Panorama Mode  288
    Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability  294
    Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability  300
    Migrate Log Collectors after Failure/RMA of Non-HA Panorama  305
    Regenerate Metadata for M-Series Appliance RAID Pairs  307
  Replace an RMA Firewall  309
    Partial Device State Generation for Firewalls  309
    Before Starting RMA Firewall Replacement  309
    Restore the Firewall Configuration after Replacement  310
  Troubleshoot Commit Failures  313
  Troubleshoot Registration or Serial Number Errors  314
  Troubleshoot Reporting Errors  315
  View Task Success or Failure Status  316
  Downgrade from Panorama 8.0  317

Panorama Overview

The Panorama™ management server provides centralized monitoring and management of multiple Palo Alto Networks next-generation firewalls and of WildFire appliances and appliance clusters. It provides a single location from which you can oversee all applications, users, and content traversing your network, and then use this knowledge to create application enablement policies that protect and control the network. Using Panorama for centralized policy and firewall management increases operational efficiency in managing and maintaining a distributed network of firewalls. Using Panorama for centralized WildFire appliance and WildFire appliance cluster management increases the number of firewalls a single network supports, provides high availability for fault tolerance, and increases management efficiency.

• About Panorama
• Panorama Models
• Centralized Firewall Configuration and Update Management
• Centralized Logging and Reporting
• User-ID Redistribution Using Panorama
• Role-Based Access Control
• Panorama Commit, Validation, and Preview Operations
• Plan Your Panorama Deployment
• Deploy Panorama: Task Overview


About Panorama

Panorama enables you to effectively configure, manage, and monitor your Palo Alto Networks firewalls with central oversight. The three main areas in which Panorama adds value are:

• Centralized configuration and deployment—To simplify central management and rapid deployment of the firewalls and WildFire appliances on your network, use Panorama to pre-stage the firewalls and WildFire appliances for deployment. You can then assemble the firewalls into groups, and create templates to apply a base network and device configuration and use device groups to administer globally shared and local policy rules. See Centralized Firewall Configuration and Update Management.
• Aggregated logging with central oversight for analysis and reporting—Collect information on activity across all the managed firewalls on the network and centrally analyze, investigate and report on the data. This comprehensive view of network traffic, user activity, and the associated risks empowers you to respond to potential threats using the rich set of policies to securely enable applications on your network. See Centralized Logging and Reporting.
• Distributed administration—Enables you to delegate or restrict access to global and local firewall configurations and policies. See Role-Based Access Control for delegating appropriate levels of access for distributed administration.

Three Panorama Models are available: the Panorama virtual appliance, M-500 appliance, and M-100 appliance. Figure 1: Panorama Centralized Management illustrates how you can deploy Panorama in a high availability (HA) configuration to manage firewalls.

Figure 1: Panorama Centralized Management


Panorama Models

Panorama is available as one of the following virtual or physical appliances, each of which supports licenses for managing up to 25, 100, or 1,000 firewalls:

• Panorama virtual appliance—This model allows for simple installation and facilitates server consolidation for sites that need a virtual management appliance. You can install Panorama on a VMware ESXi server or on VMware vCloud Air. The virtual appliance can collect firewall logs locally at rates up to 10,000 logs per second and can manage Dedicated Log Collectors for higher logging rates. The virtual appliance can function only as a Panorama management server, not as a Dedicated Log Collector. You can deploy the virtual appliance in the following modes:
  • Panorama mode—In this mode, the Panorama virtual appliance supports a local Log Collector with 1 to 12 virtual logging disks (see Deploy Panorama Virtual Appliances with Local Log Collectors). Each logging disk has 2TB of storage capacity, for a total maximum of 24TB on a single virtual appliance and 48TB on a high availability (HA) pair. Only Panorama mode enables you to add multiple virtual logging disks without losing logs on existing disks. Panorama mode also provides the benefit of faster report generation. In Panorama mode, the virtual appliance does not support NFS storage. As a best practice, deploy the virtual appliance in Panorama mode to optimize log storage and report generation.
  • Legacy mode—In this mode, the Panorama virtual appliance receives and stores firewall logs without using a local Log Collector (see Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection). By default, the virtual appliance in Legacy mode has one disk partition for all data. Approximately 11GB of the partition is allocated to log storage. If you need more local log storage, you can add one virtual disk of up to 8TB on ESXi 5.5 and later versions or on vCloud Air. Earlier ESXi versions support one virtual disk of up to 2TB. If you need more than 8TB, you can mount the virtual appliance in Legacy mode to an NFS datastore, but only on the ESXi server, not in vCloud Air.
• M-Series appliance—The M-100 appliance and M-500 appliance are dedicated hardware appliances intended for large-scale deployments. In environments with high logging rates (over 10,000 logs per second) and log retention requirements, these appliances enable you to scale your log collection infrastructure. Both M-Series models share the following attributes:
  • RAID drives to store firewall logs, with RAID 1 mirroring to protect against disk failures
  • SSD to store the logs that Panorama and Log Collectors generate
  • MGT, Eth1, Eth2, and Eth3 interfaces that support 1Gbps throughput
  The M-500 appliance has the following additional attributes, which make it more suitable for data centers:
  • Redundant, hot-swappable power supplies
  • Front-to-back airflow
  • Eth4 and Eth5 interfaces that support 10Gbps throughput
  You can deploy the M-Series appliances in the following modes:
  • Panorama mode—The appliance functions as a Panorama management server to manage firewalls and Dedicated Log Collectors. The appliance also supports a local Log Collector to aggregate firewall logs. Panorama mode is the default mode. For configuration details, see Deploy Panorama M-Series Appliances with Local Log Collectors.
  • Log Collector mode—The appliance functions as a Dedicated Log Collector. If multiple firewalls forward large volumes of log data, an M-Series appliance in Log Collector mode provides increased scale and performance. In this mode, the appliance has no web interface for administrative access, only a command line interface (CLI). However, you can manage the appliance using the web interface of the Panorama management server. CLI access to an M-Series appliance in Log Collector mode is necessary only for initial setup and debugging. For configuration details, see Deploy Panorama with Dedicated Log Collectors.

The log storage capacity and maximum log collection rate vary by model and mode, as described in Table 1: Panorama Log Storage and Collection Rates. For more details and specifications, see the M-100 and M-500 Hardware Reference Guides. The best Panorama model for your network depends on whether you must deploy within a virtual infrastructure, your bandwidth resources (some networks benefit from deploying Log Collectors close to the firewalls), and your log storage requirements (see Determine Panorama Log Storage Requirements). The following table summarizes the logging capacities of each model.

Panorama 8.0 introduced log query and reporting engine enhancements that improve the speed of report generation and query execution. As a result, log ingestion rates are lower than in previous Panorama releases.

Table 1: Panorama Log Storage and Collection Rates

Capacity or feature                                  | M-500 Appliance                    | M-100 Appliance                   | Virtual Appliance in Panorama Mode | Virtual Appliance in Legacy Mode
Maximum logging rate for Panorama management server  | 20,000 logs/second                 | 10,000 logs/second                | 10,000 logs/second                 | 10,000 logs/second
Maximum logging rate for Dedicated Log Collector     | 30,000 logs/second                 | 18,000 logs/second                | Not applicable: the Panorama virtual appliance cannot be a Dedicated Log Collector | Not applicable
Maximum log storage on appliance                     | 24TB (24 x 2TB or 1TB RAID disks)  | 8TB (8 x 2TB or 1TB RAID disks)   | 24TB (12 virtual logging disks)    | 8TB (2TB for ESXi versions before v5.5)
Default log storage on appliance                     | 4TB (8 x 1TB RAID disks)           | 1TB (2 x 2TB RAID disks)          | 2–24TB (set during installation)   | ~11GB
SSD storage on appliance (logs that M-Series appliances generate) | 240GB                 | 120GB                             | Not applicable                     | Not applicable
NFS attached log storage                             | Not available                      | Not available                     | Not available                      | ESXi server only


Centralized Firewall Configuration and Update Management

Panorama uses device groups and templates to group firewalls into logical sets that require similar configuration. You use device groups and templates to centrally manage all configuration elements, policies, and objects on the managed firewalls. Panorama also enables you to centrally manage licenses, software (PAN-OS software, SSL-VPN client software, GlobalProtect™ agent/app software), and content updates (Applications, Threats, WildFire, and Antivirus).

• Context Switch—Firewall or Panorama
• Templates and Template Stacks
• Device Groups

Context Switch—Firewall or Panorama

The Panorama web interface enables you to toggle between a Panorama-centric view and a firewall-centric view by using the Context drop-down at the top-left of every tab. You can set the Context to Panorama to manage firewalls centrally or switch context to the web interface of a specific firewall to configure it locally. The similarity of the Panorama and firewall web interfaces enables you to seamlessly move between them to administer and monitor firewalls. The Context drop-down lists only the firewalls that are connected to Panorama. For a Device Group and Template administrator, the drop-down lists only the connected firewalls that are within the Access Domains assigned to that administrator. To search a long list, use the Filters within the drop-down.

For firewalls that have a high availability (HA) configuration, the icons have colored backgrounds to indicate HA state (as follows). Knowing the HA state is useful when selecting a firewall context. For example, you generally make firewall-specific configuration changes on the active firewall.

• Green—Active.
• Yellow—Passive, or the firewall is initiating (the initiating state lasts for up to 60 seconds after boot up).
• Red—The firewall is non-functional (error state), suspended (an administrator disabled the firewall), or tentative (for a link or path monitoring event in an active/active HA configuration).

Templates and Template Stacks

You use templates to configure the settings that enable firewalls to operate on the network. Templates enable you to define a common base configuration using the Network and Device tabs on Panorama. For example, you can use templates to manage interface and zone configurations, server profiles for logging and syslog access, and network profiles for controlling access to zones and IKE gateways. When defining a template, consider assigning firewalls that are the same hardware model and require access to similar network resources, such as gateways and syslog servers.

If your network has groups of firewalls with some group-specific settings and some settings that are common across groups, you can simplify management by assigning the firewalls to a template stack for each group. A template stack is a combination of templates: the assigned firewalls inherit the settings from every template in the stack. This enables you to avoid the redundancy of adding every setting to every template. The following figure illustrates an example deployment in which you assign data center firewalls in the Asia-Pacific (APAC) region to a stack that has one template with global settings, one template with APAC-specific settings, and one template with data center-specific settings. To manage firewalls in an APAC branch office, you can then re-use the global and APAC-specific templates by adding them to another stack that includes a template with branch-specific settings.

Templates in a stack have a configurable priority order that ensures Panorama pushes only one value for any duplicate setting. Panorama evaluates the templates listed in a stack configuration from top to bottom, with higher templates having priority. The following figure illustrates a data center stack in which the data center template has a higher priority than the global template: Panorama pushes the idle timeout value from the data center template and ignores the value from the global template.

Figure 2: Template Stacks

To accommodate firewalls that have unique settings, you can use templates (single or stacked) to push a limited common base configuration to all firewalls, and in individual firewalls configure firewall-specific settings. Alternatively, you can push a broader common base configuration and in the individual firewalls override certain pushed settings with firewall-specific values. When you override a setting, the firewall saves that setting to its local configuration; Panorama no longer manages the setting. To restore template values after overriding them, you can use Panorama to force the template configuration onto a firewall. For example, after defining a common NTP server in a template and overriding the NTP server configuration on a firewall to accommodate its local time zone, you can later revert to the NTP server defined in the template.

You cannot use templates to set firewall modes: virtual private network (VPN) mode, multiple virtual systems mode (multi-vsys mode), and operational mode (normal, Federal Information Processing Standards [FIPS], or Common Criteria [CC]). For details, see Template Capabilities and Exceptions. However, you can assign firewalls that have non-matching modes to the same template or stack. In such cases, Panorama pushes mode-specific settings only to firewalls that support those modes. As an exception, you can configure Panorama to push the settings of the default vsys in a template to firewalls that don't support virtual systems or have none configured. For the relevant procedures, see Manage Templates and Template Stacks.
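The stack-priority, override and "force template values" behaviour described above, modelled as an added Python example. This is illustration code written for this page, not Panorama code or its API; the stack contents, setting paths (such as ntp.primary) and the addresses are made up, and the template merge is a simplification that only shows which value wins for a duplicate setting.

```python
"""Model of how a Panorama template stack resolves a setting and how a
firewall-local override interacts with a normal push and a forced push.

Added illustration, not Palo Alto Networks code. The template names,
setting paths and values below are constructed for the example.
"""
from typing import Dict, List, Optional


def resolve_stack(stack: List[Dict[str, str]]) -> Dict[str, str]:
    """Merge the templates of a stack into the one configuration Panorama pushes.

    ``stack`` is ordered top to bottom as listed in the stack configuration.
    A template higher in the list has priority, so for any setting that more
    than one template defines only the highest template's value survives.
    """
    merged: Dict[str, str] = {}
    for template in stack:
        for path, value in template.items():
            merged.setdefault(path, value)  # first (highest) template wins
    return merged


class Firewall:
    """A managed firewall's view of template-managed settings."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.config: Dict[str, str] = {}
        # Settings the firewall saved locally; Panorama no longer manages these.
        self.overrides: Dict[str, str] = {}

    def push_template(self, merged: Dict[str, str], force: bool = False) -> None:
        """Apply a template push. A normal push leaves local overrides intact;
        ``force`` (the "Force Template Values" commit option) discards them."""
        if force:
            self.overrides.clear()
        for path, value in merged.items():
            if path not in self.overrides:
                self.config[path] = value

    def override(self, path: str, value: str) -> None:
        """Override a pushed setting with a firewall-specific value."""
        self.overrides[path] = value
        self.config[path] = value

    def effective(self, path: str) -> Optional[str]:
        return self.config.get(path)


# Constructed stack for an APAC data center: data center template on top,
# then the APAC template, then the global template.
GLOBAL = {"ntp.primary": "ntp-global.example.net", "session.idle-timeout": "3600"}
APAC = {"ntp.primary": "ntp-apac.example.net", "dns.primary": "10.10.0.53"}
DATACENTER = {"session.idle-timeout": "7200"}
APAC_DC_STACK = [DATACENTER, APAC, GLOBAL]


def demo() -> Dict[str, Optional[str]]:
    """Walk through push, local override, normal re-push, and forced push."""
    merged = resolve_stack(APAC_DC_STACK)
    fw = Firewall("apac-dc-fw1")
    fw.push_template(merged)
    pushed_ntp = fw.effective("ntp.primary")
    fw.override("ntp.primary", "10.10.0.123")   # site-local NTP server
    fw.push_template(merged)                     # normal push keeps the override
    after_push = fw.effective("ntp.primary")
    fw.push_template(merged, force=True)         # Force Template Values
    after_force = fw.effective("ntp.primary")
    return {
        "idle_timeout": merged["session.idle-timeout"],  # data center template wins
        "pushed_ntp": pushed_ntp,
        "after_push": after_push,
        "after_force": after_force,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the model is the middle step: once a setting is overridden locally, an ordinary Panorama commit does not reassert it, so a drifted NTP or syslog server stays drifted until someone pushes with "Force Template Values" (as in the Panorama checklist at the top of this page).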

Device Groups

To use Panorama effectively, you have to group the firewalls in your network into logical units called device groups. A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls that require similar policy configurations. Using device groups, you can configure policy rules and the objects they reference. You can organize device groups hierarchically, with shared rules and objects at the top, and device group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that enforce how firewalls handle traffic. For example, you can define a set of shared rules as a corporate acceptable use policy. Then, to allow only regional offices to access peer-to-peer traffic such as BitTorrent, you can define a device group rule that Panorama pushes only to the regional offices (or define a shared security rule and target it to the regional offices). For the relevant procedures, see Manage Device Groups.

The following topics describe device group concepts and components in more detail:
• Device Group Hierarchy
• Device Group Policies
• Device Group Objects

Device Group Hierarchy

You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four levels, with lower-level groups inheriting the settings (policy rules and objects) of higher-level groups. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups (ancestors). At the top level, a device group can have child, grandchild, and great-grandchild device groups (descendants). All device groups inherit settings from the Shared location, a container at the top of the hierarchy for configurations that are common to all device groups.

Creating a device group hierarchy enables you to organize firewalls based on common policy requirements without redundant configuration. For example, you could configure shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at lower levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared.

Figure 3: Device Group Hierarchy For details on the order in which firewalls evaluate policy rules in a device group hierarchy, see Device Group Policies. For details on overriding the values of objects that device groups inherit from ancestor device groups, see Device Group Objects.

Device Group Policies Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. A firewall evaluates policy rules by layer (shared, device group, and local) and by type (pre-rules, post-rules, and default rules) in the following order from top to bottom. When the firewall receives traffic, it performs the action defined in the first evaluated rule that matches the traffic and disregards all subsequent rules. To change the evaluation order for rules within a particular layer, type, and rulebase (for example, shared Security pre-rules), see Manage the Rule Hierarchy.


Evaluation order, rule scope and description, and administration device for each rule layer:

1. Shared pre-rules, then device group pre-rules
   Rule scope and description: Panorama pushes shared pre-rules to all the firewalls in all device groups. Panorama pushes device group-specific pre-rules to all the firewalls in a particular device group and its descendant device groups. If a firewall inherits rules from device groups at multiple levels in the device group hierarchy, it evaluates pre-rules in the order of highest to lowest level. This means the firewall first evaluates shared rules and last evaluates the rules of device groups with no descendants. You can use pre-rules to enforce the acceptable use policy of an organization. For example, a pre-rule might block access to specific URL categories or allow Domain Name System (DNS) traffic for all users.
   Administration device: These rules are visible on firewalls but you can only manage them in Panorama.

2. Local firewall rules
   Rule scope and description: Local rules are specific to a single firewall or virtual system (vsys).
   Administration device: A local firewall administrator, or a Panorama administrator who switches to a local firewall context, can edit local firewall rules.

3. Device group post-rules, then shared post-rules
   Rule scope and description: Panorama pushes shared post-rules to all the firewalls in all device groups. Panorama pushes device group-specific post-rules to all the firewalls in a particular device group and its descendant device groups. If a firewall inherits rules from device groups at multiple levels in the device group hierarchy, it evaluates post-rules in the order of lowest to highest level. This means the firewall first evaluates the rules of device groups with no descendants and last evaluates shared rules. Post-rules typically include rules to deny access to traffic based on App-ID™ signatures, User-ID™ information (users or user groups), or service.
   Administration device: These rules are visible on firewalls but you can only manage them in Panorama.

4. intrazone-default, then interzone-default
   Rule scope and description: The default rules apply only to the Security rulebase, and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). These rules specify how PAN-OS handles traffic that doesn't match any other rule. The intrazone-default rule allows all traffic within a zone. The interzone-default rule denies all traffic between zones. If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.
   Administration device: Default rules are initially read-only, either because they are part of the predefined configuration or because Panorama pushed them to firewalls. However, you can override the rule settings for tags, action, logging, and security profiles. The context determines the level at which you can override the rules:
   • Panorama—At the Shared or device group level, you can override default rules that are part of the predefined configuration.
   • Firewall—You can override default rules that are part of the predefined configuration on the firewall or vsys, or that Panorama pushed from the Shared location or a device group.

Whether you view rules on a firewall or in Panorama, the web interface displays them in evaluation order. All the shared, device group, and default rules that the firewall inherits from Panorama are shaded orange. Local firewall rules display between the pre-rules and post-rules.

Figure 4: Rule Hierarchy
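The layered evaluation order above (shared pre-rules, descending device group pre-rules, local rules, ascending device group post-rules, shared post-rules, then the two default rules), as an added Python model. This is illustration code written for this page, not PAN-OS or Panorama code; the device group names, rule names and the trust/dmz/untrust zones are constructed, and rule matching is reduced to application and zone pair so that the ordering, not App-ID, is what the example shows.

```python
"""Model of the order in which a managed firewall evaluates Security rules
that Panorama pushes from a device group hierarchy plus its own local rules.

Added illustration, not Palo Alto Networks code. Group names, rule names and
traffic tuples are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed hierarchy, child -> parent; "shared" is the root container.
PARENT: Dict[str, Optional[str]] = {"shared": None, "branch": "shared", "branch-apac": "branch"}


def ancestors(device_group: str) -> List[str]:
    """The group and its ancestors, highest level (shared) first."""
    chain: List[str] = []
    node: Optional[str] = device_group
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return list(reversed(chain))


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    app: str = "any"
    from_zone: str = "any"
    to_zone: str = "any"

    def matches(self, app: str, from_zone: str, to_zone: str) -> bool:
        return all(want in ("any", got) for want, got in
                   ((self.app, app), (self.from_zone, from_zone), (self.to_zone, to_zone)))


@dataclass
class RuleSet:
    pre: List[Rule] = field(default_factory=list)
    post: List[Rule] = field(default_factory=list)


# Predefined default rules (Security rulebase only), evaluated last.
DEFAULT_RULES = [Rule("intrazone-default", "allow"), Rule("interzone-default", "deny")]


def effective_rulebase(device_group: str, panorama: Dict[str, RuleSet], local: List[Rule]) -> List[Rule]:
    """Rules in evaluation order for a firewall in ``device_group``:
    pre-rules from shared down to the firewall's own group, local rules,
    post-rules from the firewall's own group up to shared, then defaults."""
    chain = ancestors(device_group)
    ordered: List[Rule] = []
    for group in chain:                       # highest -> lowest level
        ordered.extend(panorama.get(group, RuleSet()).pre)
    ordered.extend(local)
    for group in reversed(chain):             # lowest -> highest level
        ordered.extend(panorama.get(group, RuleSet()).post)
    ordered.extend(DEFAULT_RULES)
    return ordered


def evaluate(rules: List[Rule], app: str, from_zone: str, to_zone: str) -> Rule:
    """First matching rule wins; all later rules are disregarded."""
    for rule in rules:
        if rule.name == "intrazone-default" and from_zone != to_zone:
            continue
        if rule.name == "interzone-default" and from_zone == to_zone:
            continue
        if rule.matches(app, from_zone, to_zone):
            return rule
    raise RuntimeError("unreachable: a default rule always matches")


# Constructed policy: a shared acceptable-use pre-rule, a branch-wide DNS
# allow, an APAC-only BitTorrent allow, a local SSH rule, and a shared
# post-rule that denies BitTorrent everywhere the APAC pre-rule did not fire.
PANORAMA = {
    "shared": RuleSet(pre=[Rule("aup-block-tor", "deny", app="tor")],
                      post=[Rule("deny-bittorrent", "deny", app="bittorrent")]),
    "branch": RuleSet(pre=[Rule("allow-dns", "allow", app="dns")]),
    "branch-apac": RuleSet(pre=[Rule("apac-allow-bittorrent", "allow", app="bittorrent")]),
}
LOCAL = [Rule("local-allow-ssh", "allow", app="ssh", from_zone="trust", to_zone="dmz")]


def rule_order(device_group: str) -> List[str]:
    return [r.name for r in effective_rulebase(device_group, PANORAMA, LOCAL)]


def decide(device_group: str, app: str, from_zone: str = "trust", to_zone: str = "untrust") -> str:
    """Name of the rule that handles the traffic on a firewall in ``device_group``."""
    return evaluate(effective_rulebase(device_group, PANORAMA, LOCAL), app, from_zone, to_zone).name


if __name__ == "__main__":
    print(rule_order("branch-apac"))
    print(decide("branch-apac", "bittorrent"), decide("branch", "bittorrent"))
```

Running decide for the same BitTorrent flow on an APAC firewall and on a generic branch firewall shows why the guide places the regional exception in a device group pre-rule and the corporate deny in a shared post-rule: a shared pre-rule deny would be evaluated before any descendant rule and the exception could never fire.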

Device Group Objects

Objects are configuration elements that policy rules reference, for example: IP addresses, URL categories, security profiles, users, services, and applications. Rules of any type (pre-rules, post-rules, default rules, and rules locally defined on a firewall) and any rulebase (Security, NAT, QoS, Policy Based Forwarding, Decryption, Application Override, Captive Portal, and DoS Protection) can reference objects. You can reuse an object in any number of rules that have the same scope as that object in the Device Group Hierarchy. For example, if you add an object to the Shared location, all rules in the hierarchy can reference that shared object because all device groups inherit objects from Shared. If you add an object to a particular device group, only the rules in that device group and its descendant device groups can reference that device group object. If object values in a device group must differ from those inherited from an ancestor device group, you can Override inherited object values. You can also Revert to Inherited Object Values at any time. When you Create Objects for Use in Shared or Device Group Policy once and use them many times, you reduce administrative overhead and ensure consistency across firewall policies.


You can configure how Panorama handles objects system-wide:

• Pushing unused objects—By default, Panorama pushes all objects to firewalls regardless of whether any shared or device group policy rules reference the objects. Optionally, you can configure Panorama to push only referenced objects. For details, see Manage Unused Shared Objects.
• Precedence of ancestor and descendant objects—By default, when device groups at multiple levels in the hierarchy have an object with the same name but different values (because of overrides, for example), policy rules in a descendant device group use the object values in that descendant instead of object values inherited from ancestor device groups or Shared. Optionally, you can reverse this order of precedence to push values from Shared or the highest ancestor containing the object to all descendant device groups. For details, see Manage Precedence of Inherited Objects.
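Object scope, override, revert, the two precedence orders, and the "push only referenced objects" option, as an added Python model of the Device Group Objects text above. This is illustration code written for this page, not Panorama code; the group names (emea, emea-dc), object names and addresses are constructed, and the store keeps one value per object rather than full object definitions.

```python
"""Model of how a policy object resolves across a Panorama device group
hierarchy: visibility by scope, override and revert in a descendant, the
default descendant-wins precedence versus the reversed ancestor-wins
precedence, and which objects get pushed when unused objects are skipped.

Added illustration, not Palo Alto Networks code. Group names, object names
and values are constructed for the example.
"""
from typing import Dict, List, Optional, Set

# Constructed hierarchy, child -> parent; "shared" is the root.
PARENT: Dict[str, Optional[str]] = {"shared": None, "emea": "shared", "emea-dc": "emea"}


def chain_to_root(group: str) -> List[str]:
    """The group, its parent, grandparent, ... up to shared."""
    out: List[str] = []
    node: Optional[str] = group
    while node is not None:
        out.append(node)
        node = PARENT[node]
    return out


class ObjectStore:
    def __init__(self, ancestors_take_precedence: bool = False) -> None:
        # objects[group][object name] = value
        self.objects: Dict[str, Dict[str, str]] = {g: {} for g in PARENT}
        self.ancestors_take_precedence = ancestors_take_precedence

    def add(self, group: str, name: str, value: str) -> None:
        self.objects[group][name] = value

    def override(self, group: str, name: str, value: str) -> None:
        """Override an inherited object in a descendant. Only meaningful when
        an ancestor (or Shared) actually defines the object."""
        if not any(name in self.objects[a] for a in chain_to_root(group)[1:]):
            raise KeyError(f"{name} is not inherited by {group}; nothing to override")
        self.objects[group][name] = value

    def revert(self, group: str, name: str) -> None:
        """Revert to inherited object values by dropping the local copy."""
        self.objects[group].pop(name, None)

    def resolve(self, group: str, name: str) -> Optional[str]:
        """Value a rule in ``group`` sees for object ``name``, or None if the
        object is out of scope (defined only in a descendant or sibling)."""
        chain = chain_to_root(group)              # descendant first (default)
        if self.ancestors_take_precedence:
            chain = list(reversed(chain))         # Shared / highest ancestor first
        for g in chain:
            if name in self.objects[g]:
                return self.objects[g][name]
        return None

    def visible(self, group: str, name: str) -> bool:
        return self.resolve(group, name) is not None


def objects_to_push(store: ObjectStore, group: str, referenced: Set[str], push_unused: bool = True) -> List[str]:
    """Objects Panorama would push to firewalls in ``group``: everything in
    scope by default, or only the ones rules reference when unused objects
    are not pushed."""
    in_scope: Set[str] = set()
    for g in chain_to_root(group):
        in_scope.update(store.objects[g])
    return sorted(in_scope if push_unused else in_scope & referenced)


def demo() -> Dict[str, Optional[str]]:
    default = ObjectStore()
    default.add("shared", "syslog-server", "10.0.0.5")
    default.override("emea", "syslog-server", "10.1.0.5")   # regional collector
    reversed_order = ObjectStore(ancestors_take_precedence=True)
    reversed_order.add("shared", "syslog-server", "10.0.0.5")
    reversed_order.override("emea", "syslog-server", "10.1.0.5")
    return {
        "emea-dc default precedence": default.resolve("emea-dc", "syslog-server"),
        "emea-dc ancestors win": reversed_order.resolve("emea-dc", "syslog-server"),
    }


if __name__ == "__main__":
    print(demo())
```

Note the security-relevant consequence of the default precedence: an override in a single device group silently changes where every descendant sends its logs or what an address group expands to, which is exactly the case where switching to ancestor precedence (or auditing overrides before a commit) pays off.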


Centralized Logging and Reporting

Panorama aggregates logs from all managed firewalls and provides visibility across all the traffic on the network. It also provides an audit trail for all policy modifications and configuration changes made to the managed firewalls. In addition to aggregating logs, Panorama can forward them as SNMP traps, email notifications, syslog messages, and HTTP payloads to an external server.

For centralized logging and reporting, you also have the option to use the cloud-based Logging Service, which is architected to work with Panorama. The Logging Service allows your managed firewalls to forward logs to the Logging Service infrastructure instead of to Panorama or to the managed Log Collectors, so you can augment your existing distributed log collection setup or scale your current logging infrastructure without having to invest time and effort yourself.

The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all the firewalls. It enables you to centrally Monitor Network Activity, to analyze, investigate, and report on traffic and security incidents. On Panorama, you can view logs and generate reports from logs forwarded to the Logging Service, Panorama, or the managed Log Collectors, if configured, or you can query the managed firewalls directly. For example, you can generate reports about traffic, threat, and/or user activity in the managed network based on logs stored on Panorama (and the managed collectors), by accessing the logs stored locally on the managed firewalls, or on the Logging Service. If you don't Configure Log Forwarding to Panorama or the Logging Service, you can schedule reports to run on each managed firewall and forward the results to Panorama for a combined view of user activity and network traffic. Although such reports don't provide a granular drill-down on specific information and activities, they still provide a unified monitoring approach.

• Managed Collectors and Collector Groups
• Local and Distributed Log Collection
• Caveats for a Collector Group with Multiple Log Collectors
• Log Forwarding Options
• Centralized Reporting

Managed Collectors and Collector Groups

Panorama uses Log Collectors to aggregate logs from managed firewalls. When generating reports, Panorama queries the Log Collectors for log information, providing you visibility into all the network activity that your firewalls monitor. Because you use Panorama to configure and manage Log Collectors, they are also known as managed collectors. Panorama can manage two types of Log Collectors:

• Local Log Collector—This type of Log Collector runs locally on the Panorama management server. Only an M-500 appliance, M-100 appliance, or Panorama virtual appliance in Panorama mode supports a local Log Collector. If you forward logs to a Panorama virtual appliance in Legacy mode, it stores the logs locally without a Log Collector.
• Dedicated Log Collector—This is an M-500 or M-100 appliance in Log Collector mode. You can use an M-Series appliance in Panorama mode or a Panorama virtual appliance in Panorama or Legacy mode to manage Dedicated Log Collectors. To use the Panorama web interface for managing Dedicated Log Collectors, you must add them as managed collectors. Otherwise, administrative access to a Dedicated Log Collector is only available through its CLI using the predefined administrative user (admin) account. Dedicated Log Collectors don't support additional administrative user accounts.

You can use either or both types of Log Collectors to achieve the best logging solution for your environment (see Local and Distributed Log Collection).


A Collector Group is 1 to 16 managed collectors that operate as a single logical log collection unit. If the Collector Group contains Dedicated Log Collectors, Panorama uniformly distributes the logs across all the disks in each Log Collector and across all Log Collectors in the group. This distribution optimizes the available storage space. To enable a Log Collector to receive logs, you must add it to a Collector Group. You can enable log redundancy by assigning multiple Log Collectors to a Collector Group (see Caveats for a Collector Group with Multiple Log Collectors). The Collector Group configuration specifies which managed firewalls can send logs to the Log Collectors in the group. To configure Log Collectors and Collector Groups, see Manage Log Collection.

Local and Distributed Log Collection

Before you Configure Log Forwarding to Panorama, you must decide whether to use local Log Collectors, Dedicated Log Collectors, or both. A local Log Collector is easy to deploy because it requires no additional hardware or virtual machine instance. In a high availability (HA) configuration, you can send logs to the local Log Collector on both Panorama peers; the passive Panorama doesn't wait for failover to start collecting logs. For local log collection, you can also forward logs to a Panorama virtual appliance in Legacy mode, which stores the logs without using a Log Collector as a logical container.

Dedicated Log Collectors are M-500 or M-100 appliances in Log Collector mode. Because they perform only log collection, not firewall management, Dedicated Log Collectors allow for a more robust environment than local Log Collectors. Dedicated Log Collectors provide the following benefits:

• Enable the Panorama management server to use more resources for management functions instead of logging.
• Provide high-volume log storage on a dedicated hardware appliance.
• Enable higher logging rates.
• Provide horizontal scalability and redundancy with RAID 1 storage.
• Optimize bandwidth resources in networks where more bandwidth is available for firewalls to send logs to nearby Log Collectors than to a remote Panorama management server.
• Enable you to meet regional regulatory requirements (for example, regulations might not allow logs to leave a particular region).

Distributed Log Collection illustrates a topology in which the Panorama peers in an HA configuration manage the deployment and configuration of firewalls and Dedicated Log Collectors. You can deploy the Panorama management server in an HA configuration but not the Dedicated Log Collectors.


Figure 5: Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

You can Configure a Collector Group with multiple Log Collectors (up to 16) to ensure log redundancy, increase the log retention period, and accommodate logging rates that exceed the capacity of a single Log Collector (see Panorama Models for capacity information). In any single Collector Group, all the Log Collectors must run on the same Panorama model: all M-500 appliances, all M-100 appliances, or all Panorama virtual appliances. For example, if a single managed firewall generates 48TB of logs, the Collector Group that receives those logs will require at least six Log Collectors that are M-100 appliances or two Log Collectors that are M-500 appliances or Panorama virtual appliances.

A Collector Group with multiple Log Collectors uses the available storage space as one logical unit and uniformly distributes the logs across all its Log Collectors. The log distribution is based on the disk capacity of the Log Collectors (see Panorama Models) and a hash algorithm that dynamically decides which Log Collector owns the logs and writes them to disk. Although Panorama uses a preference list to prioritize the Log Collectors to which a managed firewall can forward logs, Panorama does not necessarily write the logs to the first Log Collector specified in the preference list. For example, consider the following preference list:

Managed Firewall | Log Forwarding Preference List Defined in a Collector Group
FW1              | L1, L2, L3
FW2              | L4, L5, L6

Using this list, FW1 will forward logs to L1 so long as that primary Log Collector is available. However, based on the hash algorithm, Panorama might choose L2 as the owner that writes the logs to its disks. If L2 becomes inaccessible or has a chassis failure, FW1 will not know because it can still connect to L1.


Figure 6: Example - Typical Log Collector Group Setup

In the case where a Collector Group has only one Log Collector and that Log Collector fails, the firewall stores the logs on its HDD/SSD (the available storage space varies by firewall model). As soon as connectivity to the Log Collector is restored, the firewall resumes forwarding logs where it left off before the failure occurred. In the case of a Collector Group with multiple Log Collectors, the firewall does not buffer logs to its local storage if only one Log Collector is down. In the example scenario where L2 is down, FW1 continues sending logs to L1, and L1 stores the log data that would be sent to L2. Once L2 is back up, L1 no longer stores log data intended for L2 and distribution resumes as expected. If one of the Log Collectors in a Collector Group goes down, there is no risk of losing the logs that arrive while it is down, because the logs that would be written to the down Log Collector are held by the next Log Collector in the preference list. Logs already written to the failed Log Collector's disks are unavailable until it returns, which is why the mitigations below matter.

Figure 7: Example - When a Log Collector Fails

Palo Alto Networks recommends the following mitigations if using multiple Log Collectors in a Collector Group:

• Enable log redundancy when you Configure a Collector Group. This ensures that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies, and each copy will reside on a different Log Collector. Log redundancy is available only if each Log Collector has the same number of logging disks. Because enabling redundancy creates more logs, this configuration requires more storage capacity. When a Collector Group runs out of space, it deletes older logs. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.
• Obtain an On-Site-Spare (OSS) to enable prompt replacement if a Log Collector failure occurs.
• In addition to forwarding logs to Panorama, configure forwarding to an external service as backup storage. The external service can be a syslog server, email server, SNMP trap server, or HTTP server.
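The preference-list versus hash-owner behaviour, the hold-for-a-down-owner case, and the effect of log redundancy from the two Collector Group sections above (Managed Collectors and Collector Groups, and these caveats), as one added Python simulation. This is illustration code written for this page, not Panorama's distribution algorithm: the real owner selection is weighted by disk capacity and uses an internal hash, whereas here the owner is a plain CRC over a constructed log identifier with equal weights, and the "second copy goes to the next collector" rule for redundancy is an assumption made so that the two copies land on different collectors. The collector names L1 to L6, firewall names and logging-rate and capacity figures passed to the helpers are constructed; the 48TB sizing example and the rate halving come from the text.

```python
"""Simulation of log placement in a Collector Group.

A firewall sends to the first reachable Log Collector in its preference list;
a hash over the whole group decides which collector owns (writes) each log;
with log redundancy a second copy lands on a different collector, so one
chassis failure leaves every log readable.

Added illustration, not Palo Alto Networks code: owner selection, the
redundancy placement and all names and figures are constructed.
"""
import math
import zlib
from typing import Dict, List, Set, Tuple

PREFERENCE = {"FW1": ["L1", "L2", "L3"], "FW2": ["L4", "L5", "L6"]}


class CollectorGroup:
    def __init__(self, members: List[str], redundancy: bool = False) -> None:
        self.members = sorted(members)
        self.redundancy = redundancy
        self.down: Set[str] = set()
        self.stored: Dict[str, List[str]] = {m: [] for m in self.members}
        # receiver -> (intended owner, log id) held while that owner is down
        self.buffered: Dict[str, List[Tuple[str, str]]] = {m: [] for m in self.members}

    def receiver(self, firewall: str) -> str:
        """Collector the firewall connects to: first reachable in its preference list."""
        for lc in PREFERENCE[firewall]:
            if lc not in self.down:
                return lc
        raise ConnectionError("no Log Collector reachable; the firewall buffers locally")

    def owners(self, log_id: str) -> List[str]:
        """Owner(s) chosen by hash across the group, independent of the receiver."""
        slot = zlib.crc32(log_id.encode()) % len(self.members)
        first = self.members[slot]
        if not self.redundancy:
            return [first]
        return [first, self.members[(slot + 1) % len(self.members)]]  # distinct copy

    def ingest(self, firewall: str, log_id: str) -> str:
        rx = self.receiver(firewall)
        for owner in self.owners(log_id):
            if owner in self.down:
                self.buffered[rx].append((owner, log_id))  # receiver holds it
            else:
                self.stored[owner].append(log_id)
        return rx

    def fail(self, lc: str) -> None:
        self.down.add(lc)

    def recover(self, lc: str) -> None:
        """Bring a collector back and flush what others held for it."""
        self.down.discard(lc)
        for rx in self.members:
            keep = []
            for owner, log_id in self.buffered[rx]:
                (self.stored[lc].append(log_id) if owner == lc else keep.append((owner, log_id)))
            self.buffered[rx] = keep

    def readable(self, log_id: str) -> bool:
        """A log is readable if any copy sits on a collector that is up."""
        return any(log_id in self.stored[m] for m in self.members if m not in self.down)


def collectors_for(total_tb: float, capacity_tb: float) -> int:
    """Minimum collectors of one model needed for ``total_tb`` of logs."""
    return math.ceil(total_tb / capacity_tb)


def max_rate(single_collector_rate: int, redundancy: bool) -> int:
    """Redundancy doubles processing traffic, halving the sustainable rate."""
    return single_collector_rate // 2 if redundancy else single_collector_rate


if __name__ == "__main__":
    g = CollectorGroup(["L1", "L2", "L3"])
    logs = [f"log-{i}" for i in range(12)]
    for log in logs:
        g.ingest("FW1", log)
    g.fail("L2")
    print("FW1 still sends to", g.receiver("FW1"))
    print("unreadable while L2 is down:", [l for l in logs if not g.readable(l)])
    print("M-100s for 48TB:", collectors_for(48, 8), " M-500s:", collectors_for(48, 24))
```

The unreadable list printed in the stand-alone run is the operational point of this section: FW1 keeps a healthy connection to L1 and never notices that part of its history sits on a dead chassis, so monitoring must watch the Collector Group members, not just the firewall-to-collector connection.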


Log Forwarding Options

By default, each firewall stores its log files locally. To use Panorama for centralized log monitoring and report generation, you must Configure Log Forwarding to Panorama. You can also use external services for archiving, notification, or analysis by forwarding logs to the services directly from the firewalls or from Panorama. External services include syslog servers, email servers, SNMP trap servers, or HTTP-based services. In addition to forwarding firewall logs, you can forward the logs that the Panorama management server and Log Collectors generate. The Panorama management server, Log Collector, or firewall that forwards the logs converts them to a format that is appropriate for the destination (syslog message, email notification, SNMP trap, or HTTP payload).

Palo Alto Networks firewalls and Panorama support the following log forwarding options. Before choosing an option, consider the logging capacities of your Panorama Models and Determine Panorama Log Storage Requirements.

• Forward logs from firewalls to Panorama and from Panorama to external services—This configuration is best for deployments in which the connections between firewalls and external services have insufficient bandwidth to sustain the logging rate, which is often the case when the connections are remote. This configuration improves firewall performance by offloading some processing to Panorama. You can configure each Collector Group to forward logs to different destinations.

Figure 8: Log Forwarding to Panorama and then to External Services

• Forward logs from firewalls to Panorama and to external services in parallel—In this configuration, both Panorama and the external services are endpoints of separate log forwarding flows; the firewalls don’t rely on Panorama to forward logs to external services. This configuration is best for deployments in which the connections between firewalls and external services have sufficient bandwidth to sustain the logging rate, which is often the case when the connections are local.


Figure 9: Log Forwarding to External Services and Panorama in Parallel
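The conversion step described above, where the forwarding device turns a log into the destination's format (here a syslog message), as an added example that is not Panorama's or PAN-OS's own code: it renders a constructed traffic-log record as an RFC 5424 syslog line and parses it back, which is the same work a receiving syslog server or SIEM has to do. The field names, the hostname dc-fw-01, the APP-NAME panfw, and the structured-data ID traffic@25461 are all constructed for the example.

```python
"""Added example (not Panorama or PAN-OS code): render a firewall log record
as an RFC 5424 syslog message and parse it back. Field names, the hostname
and the SD-ID are constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed sample traffic-log record; not a captured log.
SAMPLE_TRAFFIC_LOG = {
    "device_name": "dc-fw-01",
    "rule": "allow-web",
    "src": "10.1.2.3",
    "dst": "203.0.113.10",
    "app": "web-browsing",
    "action": "allow",
}
# Fixed timestamp so the output is reproducible (constructed).
SAMPLE_TIME = datetime(2019, 1, 2, 3, 4, 5, tzinfo=timezone.utc)

# Header and PARAM-VALUE grammar from RFC 5424 sections 6.2 and 6.3.
# The SD group is greedy, so the free-text MSG must not contain ']'.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*\])(?: (?P<msg>.*))?$"
)
PARAM_RE = re.compile(r'([^= "\]]+)="((?:[^"\\]|\\.)*)"')


def _escape(value: str) -> str:
    """Escape the three characters RFC 5424 forbids unescaped in PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(record, facility=1, severity=6, when=None):
    """Build one RFC 5424 line; PRI = facility*8 + severity (user.info here)."""
    pri = facility * 8 + severity
    ts = (when or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")
    params = " ".join(
        f'{k}="{_escape(str(v))}"' for k, v in record.items() if k != "device_name"
    )
    # Constructed SD-ID; 25461 is the enterprise number that appears in the
    # Palo Alto Networks OIDs elsewhere in this guide.
    sd = f"[traffic@25461 {params}]"
    msg = f"{record['action']} {record['app']}"
    return f"<{pri}>1 {ts} {record['device_name']} panfw - TRAFFIC {sd} {msg}"


def parse_syslog(line):
    """Recover header fields and structured-data params from a to_syslog() line."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    # Undo the escaping: "\x" -> "x" for any escaped character.
    fields = {k: re.sub(r"\\(.)", r"\1", v) for k, v in PARAM_RE.findall(m["sd"])}
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "msgid": m["msgid"],
        "fields": fields,
        "msg": m["msg"],
    }


if __name__ == "__main__":
    line = to_syslog(SAMPLE_TRAFFIC_LOG, when=SAMPLE_TIME)
    print(line)
    print(parse_syslog(line)["fields"])
```

Putting the fields into structured data rather than only into the free-text MSG is what keeps the message machine-parsable at the SIEM; the escaping of `"`, `\` and `]` matters because rule names and URLs in real logs can contain them.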

Centralized Reporting

Panorama aggregates logs from all managed firewalls and enables reporting on the aggregated data for a global view of application use, user activity, and traffic patterns across the entire network. As soon as the firewalls are added to Panorama, the ACC can display all traffic traversing your network. With logging enabled, clicking into a log entry in the ACC provides direct access to granular details about the application.

For generating reports, Panorama uses two sources: the local Panorama database and the remote firewalls that it manages. The Panorama database refers to the local storage on Panorama that is allocated for storing both summarized logs and some detailed logs. If you have a distributed Log Collection deployment, the Panorama database includes the local storage on Panorama and all the managed Log Collectors. Panorama summarizes the information (traffic, application, threat) collected from all managed firewalls at 15-minute intervals. Using the local Panorama database allows for faster response times; however, if you prefer to not forward logs to Panorama, Panorama can directly access the remote firewall and run reports on data that is stored locally on the managed firewalls.

Panorama offers more than 40 predefined reports that can be used as is, or they can be customized by combining elements of other reports to generate custom reports and report groups that can be saved. Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery. These reports provide information on the user and the context so that you correlate events and identify patterns, trends, and potential areas of interest. With the integrated approach to logging and reporting, the ACC enables correlation of entries from multiple logs relating to the same event. For more information, see Monitor Network Activity.


User-ID Redistribution Using Panorama

One of the key benefits of the Palo Alto Networks firewall is that it can enforce policies and generate reports based on usernames instead of IP addresses. The challenge for large-scale networks is ensuring every firewall that enforces policies and generates reports has the IP address-to-username mappings for your entire user base. Additionally, every firewall that enforces Authentication Policy requires a complete, identical set of authentication timestamps for your user base. Whenever users authenticate to access services and applications, individual firewalls record the associated timestamps but don’t automatically share them with other firewalls to ensure consistency.

User-ID™ solves these challenges for large-scale networks by enabling you to redistribute information (user mappings and timestamps). However, instead of setting up extra connections to redistribute the User-ID information between firewalls, you can leverage your Panorama and distributed log collection infrastructure to Redistribute User-ID Information to Managed Firewalls. The infrastructure has existing connections that enable you to redistribute User-ID information in layers, from firewalls to Log Collectors to Panorama. Panorama can then redistribute the information to the firewalls that enforce policies and generate reports for all your users.

Each firewall, Log Collector, or Panorama management server can receive User-ID information from up to 100 redistribution points. The redistribution points can be Windows-based User-ID agents or other firewalls, Log Collectors, and Panorama management servers. Panorama and Log Collectors as User-ID Redistribution Points illustrates a redistribution sequence where the firewalls perform user mapping by directly monitoring information sources such as directory servers and syslog senders. However, you can also use Windows-based User-ID agents to perform the mapping and redistribute the information to firewalls.
Only the firewalls record authentication timestamps when user traffic matches Authentication policy rules. You can redistribute user mappings collected through any method except Terminal Services (TS) agents. You cannot redistribute username-to-group mapping or HIP match information.

Figure 10: Panorama and Log Collectors as User-ID Redistribution Points


Role-Based Access Control

Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user account that specifies a role and authentication method. Administrative Roles define access to specific configuration settings, logs, and reports within Panorama and firewall contexts. For Device Group and Template administrators, you can map roles to Access Domains, which define access to specific device groups, templates, and firewalls (through context switching). By combining each access domain with a role, you can enforce the separation of information among the functional or regional areas of your organization. For example, you can limit an administrator to monitoring activities for data center firewalls but allow that administrator to set policies for test lab firewalls.

By default, every Panorama appliance (virtual appliance or M-Series appliance) has a predefined administrative account (admin) that provides full read-write access (superuser access) to all functional areas and to all device groups, templates, and firewalls. For each administrator, you can define an authentication profile that determines how Panorama verifies user access credentials. Instead of using the default account for all administrators, it is a best practice to create a separate administrative account for each person who needs access to the administrative or reporting functions on Panorama. This provides better protection against unauthorized configuration changes and enables Panorama to log and identify the actions of each administrator.

• Administrative Roles
• Authentication Profiles and Sequences
• Access Domains
• Administrative Authentication

Administrative Roles

You configure administrator accounts based on the security requirements of your organization, any existing authentication services that your network uses, and the required administrative roles. A role defines the type of system access that is available to an administrator. You can define and restrict access as broadly or granularly as required, depending on the security requirements of your organization. For example, you might decide that a data center administrator can have access to all device and networking configurations, but a security administrator can control only security policy definitions, while other key individuals can have limited CLI or XML API access. The role types are:

• Dynamic Roles—These are built-in roles that provide access to Panorama and managed firewalls. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

Dynamic Role: Superuser
Privileges: Full read-write access to Panorama

Dynamic Role: Superuser (read-only)
Privileges: Read-only access to Panorama

Dynamic Role: Panorama administrator
Privileges: Full access to Panorama except for the following actions:
  • Create, modify, or delete Panorama or firewall administrators and roles.
  • Export, validate, revert, save, load, or import a configuration in the Device > Setup > Operations page.
  • Configure Scheduled Config Export functionality in the Panorama tab.

• Admin Role Profiles—To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the roles with corresponding access privileges: Panorama does not automatically add new features to custom role definitions. You select one of the following profile types when you Configure an Admin Role Profile.

Admin Role Profile: Panorama
Description: For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the superuser dynamic role except the management of Panorama administrators and Panorama roles. For the latter two features, you can assign read-only access or no access, but you cannot assign read-write access. An example use of a Panorama role would be for security administrators who require access to security policy definitions, logs, and reports on Panorama.

Admin Role Profile: Device Group and Template
Description: For these roles, you can assign read-write access, read-only access, or no access to specific functional areas within device groups, templates, and firewall contexts. By combining these roles with Access Domains, you can enforce the separation of information among the functional or regional areas of your organization. Device Group and Template roles have the following limitations:
  • No access to the CLI or XML API
  • No access to configuration or system logs
  • No access to VM information sources
  • In the Panorama tab, access is limited to:
    • Device deployment features (read-write, read-only, or no access)
    • The device groups specified in the administrator account (read-write, read-only, or no access)
    • The templates and managed firewalls specified in the administrator account (read-only or no access)
An example use of this role would be for administrators in your operations staff who require access to the device and network configuration areas of the web interface for specific device groups and/or templates.

Authentication Profiles and Sequences

An authentication profile defines the authentication service that validates the login credentials of administrators when they access Panorama. The service can be local authentication or an external authentication service. Some services (SAML, TACACS+, and RADIUS) provide the option to manage both authentication and authorization for administrative accounts on the external server instead of on Panorama. In addition to the authentication service, the authentication profile defines options such as Kerberos single sign-on (SSO) and SAML single logout (SLO).

Some networks have multiple databases (such as TACACS+ and LDAP) for different users and user groups. To authenticate administrators in such cases, configure an authentication sequence—a ranked order of authentication profiles that Panorama matches an administrator against during login. Panorama checks against each profile in sequence until one successfully authenticates the administrator. An administrator is denied access only if authentication fails for all the profiles in the sequence.

Access Domains

Access domains control administrative access to specific Device Groups and templates, and also control the ability to switch context to the web interface of managed firewalls. Access domains apply only to administrators with Device Group and Template roles. Mapping Administrative Roles to access domains enables very granular control over the information that administrators access on Panorama. For example, consider a scenario where you configure an access domain that includes all the device groups for firewalls in your data centers and you assign that access domain to an administrator who is allowed to monitor data center traffic but who is not allowed to configure the firewalls. In this case, you would map the access domain to a role that enables all monitoring privileges but disables access to device group settings.

You configure access domains in the local Panorama configuration and then assign them to administrative accounts and roles. You can perform the assignment locally or use an external SAML, TACACS+, or RADIUS server. Using an external server enables you to quickly reassign access domains through your directory service instead of reconfiguring settings on Panorama. To use an external server, you must define a server profile that enables Panorama to access the server. You must also define Vendor-Specific Attributes (VSAs) on the RADIUS or TACACS+ server, or SAML attributes on the SAML IdP server. For example, if you use a RADIUS server, you would define a VSA number and value for each administrator. The value defined has to match the access domain configured on Panorama. When an administrator tries to log in to Panorama, Panorama queries the RADIUS server for the administrator access domain and attribute number. Based on the response from the RADIUS server, the administrator is authorized for access and is restricted to the firewalls, virtual systems, device groups, and templates that are assigned to the access domain.

For the relevant procedures, see:
• Configure an Access Domain.
• Configure RADIUS Authentication for Panorama Administrators.
• Configure TACACS+ Authentication for Panorama Administrators.
• Configure SAML Authentication for Panorama Administrators.
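The two rules stated in the preceding sections, the authentication sequence (first profile that succeeds wins, deny only when all fail) and the access-domain mapping (an externally returned attribute value must match an access domain configured on Panorama, and the role and the access domain together bound what the administrator may touch), as one added example. This is a model written for this page, not Panorama code or its API: the profile names, user names, passwords, access domains, role names and attribute values are all constructed, and the RADIUS server and local database are stand-in dictionaries.

```python
"""Added example (not Panorama code): a model of the authentication-sequence
and access-domain rules the guide describes. Profile names, user names,
passwords, access domains and attribute values are all constructed."""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

Attributes = Optional[dict]  # attributes returned on success, None on failure


@dataclass
class AuthProfile:
    name: str
    authenticate: Callable[[str, str], Attributes]


def authenticate_sequence(profiles, user, password):
    """Walk the ranked profiles; the first success wins and access is denied
    only when every profile has failed."""
    for profile in profiles:
        attrs = profile.authenticate(user, password)
        if attrs is not None:
            return profile.name, attrs
    return None, None


# Access domains and roles as they would be configured locally on Panorama
# (constructed names).
ACCESS_DOMAINS = {
    "dc-monitor": {"device_groups": {"dc-east", "dc-west"}},
    "lab-admin": {"device_groups": {"lab"}},
}
ROLES = {
    "monitor-only": {"logs": "read-write", "device_group_settings": "none"},
    "dg-admin": {"logs": "read-write", "device_group_settings": "read-write"},
}


def authorize(attrs):
    """Map the externally supplied attribute values onto the locally defined
    access domain and role. Fail closed: a value that matches nothing
    configured on Panorama denies the login instead of granting a default."""
    domain = ACCESS_DOMAINS.get(attrs.get("access_domain"))
    role = ROLES.get(attrs.get("role"))
    if domain is None or role is None:
        return None
    return {"domain": domain, "role": role}


def can_edit_device_group(grant, device_group):
    """Both halves must allow it: the role grants read-write on device-group
    settings AND the access domain contains that device group."""
    return (grant["role"]["device_group_settings"] == "read-write"
            and device_group in grant["domain"]["device_groups"])


def _check(store, user, password):
    """Constant-time credential check against a constructed user store."""
    entry = store.get(user)
    if entry is None:
        return None
    stored, attrs = entry
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return dict(attrs)


# Stand-ins for a RADIUS server returning VSAs and for the local database.
RADIUS_USERS = {
    "alice": ("s3cret", {"access_domain": "dc-monitor", "role": "monitor-only"}),
    "mallory": ("pw", {"access_domain": "no-such-domain", "role": "dg-admin"}),
}
LOCAL_USERS = {
    "bob": ("hunter2", {"access_domain": "lab-admin", "role": "dg-admin"}),
}

SEQUENCE = [
    AuthProfile("radius-corp", lambda u, p: _check(RADIUS_USERS, u, p)),
    AuthProfile("local-fallback", lambda u, p: _check(LOCAL_USERS, u, p)),
]


def login(user, password, profiles=SEQUENCE):
    """Authenticate through the sequence, then authorize the returned attributes."""
    profile, attrs = authenticate_sequence(profiles, user, password)
    if profile is None:
        return {"ok": False, "profile": None, "reason": "all profiles failed"}
    grant = authorize(attrs)
    if grant is None:
        return {"ok": False, "profile": profile,
                "reason": "attributes match no access domain or role"}
    return {"ok": True, "profile": profile, "grant": grant}
```

The case worth noticing is mallory: the external server authenticates the account, but the access-domain value it returns matches nothing configured on Panorama, so the login is refused rather than falling back to some default scope. That fail-closed step is what makes "reassign access domains through your directory service" safe to rely on.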

Administrative Authentication

You can configure the following types of authentication and authorization (Administrative Roles and Access Domains) for Panorama administrators:

Authentication Method: Local
Authorization Method: Local
Description: The administrative account credentials and authentication mechanisms are local to Panorama. You use Panorama to assign administrative roles and access domains to the accounts. To further secure the accounts, you can create a password profile that defines a validity period for passwords and set Panorama-wide password complexity settings. For details, see Configure Local or External Authentication for Panorama Administrators.

Authentication Method: SSH Keys
Authorization Method: Local
Description: The administrative accounts are local to Panorama, but authentication to the CLI is based on SSH keys. You use Panorama to assign administrative roles and access domains to the accounts. For details, see Configure an Administrator with SSH Key-Based Authentication for the CLI.

Authentication Method: Certificates
Authorization Method: Local
Description: The administrative accounts are local to Panorama, but authentication to the web interface is based on client certificates. You use Panorama to assign administrative roles and access domains to the accounts. For details, see Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface.

Authentication Method: External service
Authorization Method: Local
Description: The administrative accounts you define locally on Panorama serve as references to the accounts defined on an external Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, or LDAP server. The external server performs authentication. You use Panorama to assign administrative roles and access domains to the accounts. For details, see Configure Local or External Authentication for Panorama Administrators.

Authentication Method: External service
Authorization Method: External service
Description: The administrative accounts are defined only on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. Panorama maps the attributes to administrator roles and access domains that you define on Panorama. For details, see:
  • Configure SAML Authentication for Panorama Administrators
  • Configure TACACS+ Authentication for Panorama Administrators
  • Configure RADIUS Authentication for Panorama Administrators


Panorama Commit, Validation, and Preview Operations

When you are ready to activate changes that you made to the candidate configuration on Panorama or to push changes to the devices that Panorama manages (firewalls, Log Collectors, and WildFire appliances and appliance clusters), you can Preview, Validate, or Commit Configuration Changes. For example, if you add a Log Collector to the Panorama configuration, firewalls cannot send logs to that Log Collector until you commit the change to Panorama and then push the change to the Collector Group that contains the Log Collector. You can filter changes by administrator or location and then commit, push, validate, or preview only those changes. The location can be specific device groups, templates, Collector Groups, Log Collectors, shared settings, or the Panorama management server.

When you commit changes, they become part of the running configuration. Changes that you haven’t committed are part of the candidate configuration. Panorama queues commit requests so that you can initiate a new commit while a previous commit is in progress. Panorama performs the commits in the order they are initiated but prioritizes auto-commits that are initiated by Panorama (such as FQDN refreshes). However, if the queue already has the maximum number of administrator-initiated commits (10), you must wait for Panorama to finish processing a pending commit before initiating a new one. You can Use the Panorama Task Manager to cancel pending commits or to see details about commits that are pending, in progress, completed, or failed.

To check which changes a commit will activate, you can run a commit preview. When you initiate a commit, Panorama checks the validity of the changes before activating them. The validation output displays conditions that block the commit (errors) or that are important to know (warnings). For example, validation could indicate an invalid route destination that you need to fix for the commit to succeed.
The validation process enables you to find and fix errors before you commit (it makes no changes to the running configuration). This is useful if you have a fixed commit window and want to be sure the commit will succeed without errors. For details on candidate and running configurations, see Manage Panorama and Firewall Configuration Backups. To prevent multiple administrators from making configuration changes during concurrent sessions, see Manage Locks for Restricting Configuration Changes. When pushing configurations to managed devices, Panorama pushes the running configuration. Because of this, Panorama does not let you push changes to managed devices until you first commit the changes to Panorama.


Plan Your Panorama Deployment

• Determine the management approach. Do you plan to use Panorama to centrally configure and manage the policies, to centrally administer software, content and license updates, and/or centralize logging and reporting across the managed firewalls in the network? If you already deployed and configured the Palo Alto Networks firewalls on your network, determine whether to transition the firewalls to centralized management. This process requires a migration of all configuration and policies from your firewalls to Panorama. For details, see Transition a Firewall to Panorama Management.

• Verify the Panorama and firewall software versions. Panorama can manage firewalls running PAN-OS versions that match the Panorama version or are earlier than the Panorama version. The exception is that Panorama 6.1 and later versions cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3. Panorama cannot manage firewalls that run a later PAN-OS version than the Panorama version. For example, Panorama 6.0 cannot manage firewalls running PAN-OS 7.0. For versions within the same feature release, although Panorama can manage firewalls running a later version of PAN-OS, we recommend that Panorama run the same version or a later version. For example, if Panorama runs 7.0.3, it is recommended that all managed firewalls run PAN-OS 7.0.3 or earlier versions.

• Plan to use the same URL filtering database (BrightCloud or PAN-DB) across all managed firewalls. If some firewalls are using the BrightCloud database and others are using PAN-DB, Panorama can only manage security rules for one or the other URL filtering database. URL filtering rules for the other database must be managed locally on the firewalls that use that database.

• Determine your authentication method between Panorama and its managed devices and high availability peer. By default, Panorama uses predefined certificates to authenticate the SSL connections used for management and inter-device communication. However, you can configure custom certificate-based authentication to enhance the security of the SSL connections between Panorama, firewalls, and log collectors. By using custom certificates, you can establish a unique chain of trust to ensure mutual authentication between Panorama and the devices it manages. You can import the certificates from your enterprise public key infrastructure (PKI) or generate them on Panorama.

• Plan to use Panorama in a high availability configuration; set it up as an active/passive high availability pair. See Panorama High Availability.

• Plan how to accommodate network segmentation and security requirements in a large-scale deployment. By default, Panorama running on an M-500 or M-100 appliance uses the management (MGT) interface for administrative access to Panorama and for managing devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters), collecting logs, communicating with Collector Groups, and deploying software and content updates to devices. However, to improve security and enable network segmentation, you can reserve the MGT interface for administrative access and use dedicated M-Series Appliance Interfaces (Eth1, Eth2, Eth3, Eth4, and Eth5) for the other services.

• For meaningful reports on network activity, plan a logging solution:
  • Estimate the log storage capacity your network needs to meet security and compliance requirements. Consider such factors as the logging capacities of your Panorama Models, network topology, number of firewalls sending logs, type of log traffic (for example, URL Filtering and Threat logs versus Traffic logs), the rate at which firewalls generate logs, and the number of days for which you want to store logs on Panorama. For details, see Determine Panorama Log Storage Requirements.
  • Do you need to forward logs to external services (such as a syslog server) in addition to Panorama? See Log Forwarding Options.
  • If you need a long-term storage solution, do you have a Security Information and Event Management (SIEM) solution, such as Splunk or ArcSight, to which you can forward logs?
  • Do you need redundancy in logging? If you configure a Collector Group with multiple Log Collectors, you can enable redundancy to ensure that no logs are lost if any one Log Collector becomes unavailable (see Caveats for a Collector Group with Multiple Log Collectors). If you deploy Panorama virtual appliances in Legacy mode in an HA configuration, the managed firewalls can send logs to both HA peers so that a copy of each log resides on each peer. This redundancy option is enabled by default (see Modify Log Forwarding and Buffering Defaults).
  • Will you log to a Network File System (NFS)? If the Panorama virtual appliance is in Legacy mode and does not manage Dedicated Log Collectors, NFS storage is the only option for increasing log storage capacity beyond 8TB. NFS storage is available only if Panorama runs on an ESXi server. If you use NFS storage, keep in mind that the firewalls can send logs only to the primary peer in the HA pair; only the primary peer is mounted to the NFS and can write to it.

• Determine which role-based access privileges administrators require to access managed firewalls and Panorama. See Set Up Administrative Access to Panorama.

• Plan the required Device Groups. Consider whether to group firewalls based on function, security policy, geographic location, or network segmentation. An example of a function-based device group is one that contains all the firewalls that a Research and Development team uses. Consider whether to create smaller device groups based on commonality, larger device groups to scale more easily, or a Device Group Hierarchy to simplify complex layers of administration.

• Plan a layering strategy for administering policies. Consider how firewalls inherit and evaluate policy rules within the Device Group Hierarchy, and how to best implement shared rules, device-group rules, and firewall-specific rules to meet your network needs. For visibility and centralized policy management, consider using Panorama for administering rules even if you need firewall-specific exceptions for shared or device group rules. If necessary, you can Push a Policy Rule to a Subset of Firewalls within a device group.

• Plan the organization of your firewalls based on how they inherit network configuration settings from Templates and Template Stacks. For example, consider assigning firewalls to templates based on hardware models, geographic proximity, and similar network needs for time zones, a DNS server, and interface settings.


Deploy Panorama: Task Overview

The following task list summarizes the steps to get started with Panorama. For an example of how to use Panorama for central management, see Use Case: Configure Firewalls Using Panorama.

STEP 1 | (M-Series appliance only) Rack mount the appliance.
STEP 2 | Perform initial configuration to enable network access to Panorama. See Set Up the Panorama Virtual Appliance or Set Up the M-Series Appliance.
STEP 3 | Register Panorama and Install Licenses.
STEP 4 | Install Content and Software Updates for Panorama.
STEP 5 | (Recommended) Set up Panorama in a high availability configuration. See Panorama High Availability.
STEP 6 | Add a Firewall as a Managed Device.
STEP 7 | Add a Device Group or Create a Device Group Hierarchy, Add a Template, and (if applicable) Configure a Template Stack.
STEP 8 | (Optional) Configure log forwarding to Panorama and/or to external services. See Manage Log Collection.
STEP 9 | Monitor Network Activity using the visibility and reporting tools on Panorama.


Set Up Panorama

For centralized reporting and cohesive policy management across all the firewalls on your network, you can deploy the Panorama™ management server as a virtual appliance or as a hardware appliance (the M-100 or M-500 appliance). The following topics describe how to set up Panorama on your network:

> Determine Panorama Log Storage Requirements
> Set Up the Panorama Virtual Appliance
> Set Up the M-Series Appliance
> Register Panorama and Install Licenses
> Install Content and Software Updates for Panorama
> Transition to a Different Panorama Model
> Access and Navigate Panorama Management Interfaces
> Set Up Administrative Access to Panorama
> Set Up Authentication Using Custom Certificates


Determine Panorama Log Storage Requirements

When you Plan Your Panorama Deployment, estimate how much log storage capacity Panorama requires to determine which Panorama Models to deploy, whether to expand the storage on those appliances beyond their default capacities, whether to deploy Dedicated Log Collectors, and whether to Configure Log Forwarding from Panorama to External Destinations. When log storage reaches the maximum capacity, Panorama automatically deletes older logs to create space for new ones. Perform the following steps to determine the approximate log storage that Panorama requires. For details and use cases, refer to Panorama Sizing and Design Guide.

STEP 1 | Determine the log retention requirements of your organization. Factors that affect log retention requirements include:
• IT policy of your organization
• Log redundancy—If you enable log redundancy when you Configure a Collector Group, each log will have two copies, which doubles your required log storage capacity.
• Regulatory requirements, such as those specified by the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act, and Health Insurance Portability and Accountability Act (HIPAA).
If your organization requires the removal of logs after a certain period, you can set the expiration period for each log type. You can also set a storage quota for each log type as a percentage of the total space if you need to prioritize log retention by type. For details, see Manage Storage Quotas and Expiration Periods for Logs and Reports.

STEP 2 | Determine the average daily logging rates. Do this multiple times each day at peak and non-peak times to estimate the average. The more often you sample the rates, the more accurate your estimate.
1. Display the current log generation rate in logs per second:
   • If Panorama is not yet collecting logs, access the CLI of each firewall, run the following command, and calculate the total rates for all the firewalls. This command displays the number of logs received in the last second.
     > debug log-receiver statistics
   • If Panorama is already collecting logs, run the following command at the CLI of each appliance that receives logs (Panorama management server or Dedicated Log Collector) and calculate the total rates. This command gives the average logging rate for the last five minutes.
     > debug log-collector log-collection-stats show incoming-logs
   You can also use an SNMP manager to determine the logging rates of Log Collectors (see the panLogCollector MIB, OID 1.3.6.1.4.1.25461.1.1.6) and firewalls (see the panDeviceLogging, OID 1.3.6.1.4.1.25461.2.1.2.7).
2. Calculate the average of the sampled rates.
3. Calculate the daily logging rate by multiplying the average logs-per-second by 86,400.


STEP 3 | Estimate the required storage capacity. This formula provides only an estimate; the exact amount of required storage will differ from the formula result. Use the formula:

(days of log retention) x (average log size in bytes) x (average daily logging rate in logs per day) = required log storage in bytes

The average log size varies considerably by log type. However, you can use 500 bytes as an approximate average log size. For example, if Panorama must store logs for 30 days and the average total logging rate for all firewalls is 21,254,400 logs per day, then the required log storage capacity is: 30 x 500 x 21,254,400 = 318,816,000,000 bytes (approximately 318GB).

STEP 4 | Next steps... If you determine that Panorama requires more log storage capacity:
• Expand Log Storage Capacity on the Panorama Virtual Appliance.
• Increase Storage on the M-Series Appliance.
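The sizing procedure of STEP 2 and STEP 3 carried through in code, as an added example that is not Panorama's own tooling; it also folds in the Collector Group caveat from earlier in the chapter that enabling log redundancy doubles the storage requirement and halves the group's maximum logging rate. The four logs-per-second samples are constructed so that their average reproduces the guide's 21,254,400 logs per day; the functions and constant names are this example's own.

```python
"""Added example (not Panorama code): the log-storage estimate from STEP 2
and STEP 3 carried through in code, with the log-redundancy caveat from the
Collector Group discussion. The sampled rates are constructed."""
SECONDS_PER_DAY = 86_400
AVG_LOG_BYTES = 500       # approximate average log size the guide suggests
GB = 1_000_000_000        # decimal gigabyte, matching "318GB" in the guide

# Constructed logs-per-second samples taken at peak and non-peak times.
SAMPLE_RATES_LPS = [230, 262, 246, 246]


def average_rate(samples_lps):
    """STEP 2.2: average of the sampled logs-per-second rates."""
    if not samples_lps:
        raise ValueError("at least one sample is required")
    return sum(samples_lps) / len(samples_lps)


def daily_log_count(avg_lps):
    """STEP 2.3: logs per day = average logs per second x 86,400."""
    return avg_lps * SECONDS_PER_DAY


def required_storage_bytes(days, logs_per_day, avg_log_bytes=AVG_LOG_BYTES,
                           redundancy=False):
    """STEP 3: days x average log size x daily rate. With Collector Group log
    redundancy every log is stored twice, so the requirement doubles."""
    copies = 2 if redundancy else 1
    return int(days * avg_log_bytes * logs_per_day * copies)


def effective_max_logging_rate(collector_group_max_lps, redundancy=False):
    """Redundancy also halves the Collector Group's maximum logging rate,
    because each Log Collector must forward a copy of every log it receives."""
    return collector_group_max_lps / 2 if redundancy else collector_group_max_lps


def estimate(days, samples_lps=SAMPLE_RATES_LPS, redundancy=False):
    """Run the whole procedure and return the figures a sizing sheet needs."""
    avg = average_rate(samples_lps)
    per_day = daily_log_count(avg)
    total = required_storage_bytes(days, per_day, redundancy=redundancy)
    return {"avg_lps": avg, "logs_per_day": per_day, "bytes": total, "gb": total / GB}


if __name__ == "__main__":
    for redundant in (False, True):
        e = estimate(30, redundancy=redundant)
        print(f"redundancy={redundant}: {e['logs_per_day']:,.0f} logs/day "
              f"-> {e['gb']:.1f} GB for 30 days")
```

When sizing a redundant Collector Group, check both numbers: the doubled storage is the obvious one, but the halved maximum logging rate is what decides whether the group can keep up with the sampled peak rate at all.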


Set Up the Panorama Virtual Appliance

The Panorama virtual appliance enables you to use your existing VMware virtual infrastructure to centrally manage and monitor Palo Alto Networks firewalls and Dedicated Log Collectors. You can install the virtual appliance on an ESXi server or in vCloud Air. In addition to or instead of deploying Dedicated Log Collectors, you can forward firewall logs directly to the Panorama virtual appliance. For greater log storage capacity and faster reporting, you have the option to switch the virtual appliance from Legacy mode to Panorama mode and configure a local Log Collector. For more details about the Panorama virtual appliance and its modes, see Panorama Models.

You can’t use the Panorama virtual appliance as a Dedicated Log Collector. You must Set Up the M-Series Appliance in Log Collector mode to have dedicated log collection capabilities.

These topics assume you are familiar with the VMware products required to create the virtual appliance and don’t cover VMware concepts or terminology.

• Setup Prerequisites for the Panorama Virtual Appliance
• Install the Panorama Virtual Appliance
• Perform Initial Configuration of the Panorama Virtual Appliance
• Set Up the Panorama Virtual Appliance with Local Log Collector
• Expand Log Storage Capacity on the Panorama Virtual Appliance
• Increase CPUs and Memory on the Panorama Virtual Appliance
• Complete the Panorama Virtual Appliance Setup

Setup Prerequisites for the Panorama Virtual Appliance

Complete the following tasks before you Install the Panorama Virtual Appliance:

• Use your browser to access the Palo Alto Networks Customer Support web site and Register Panorama. You will need the Panorama serial number that you received in the order fulfillment email. After registering Panorama, you can access the Panorama software downloads page.
• Review the supported Panorama hypervisors to verify the hypervisor meets the minimum version requirements to deploy Panorama.
• If you will install Panorama on a VMware ESXi server, verify that the server meets the minimum requirements as listed in System Requirements for Panorama Virtual Appliance on an ESXi Server. These requirements apply to Panorama 5.1 and later releases. The requirements vary based on whether you will run the virtual appliance in Panorama mode or Legacy mode. For details on the modes, see Panorama Models.
• If you install Panorama on VMware vCloud Air, you set the system settings during installation.

Table 2: System Requirements for Panorama Virtual Appliance on an ESXi Server

Virtual hardware version
  Both modes: 64-bit kernel-based VMware ESXi 5.1, 5.5, 6.0 or 6.5. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-09.
  Panorama mode: The virtual appliance running on any ESXi version supports up to 12 virtual logging disks with 2TB of log storage each, for a total maximum capacity of 24TB.
  Legacy mode: The virtual appliance supports one virtual logging disk. ESXi 5.5 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.

Client computer
  Both modes: To install the Panorama virtual appliance and manage its resources, you must install a VMware vSphere Client or VMware Infrastructure Client that is compatible with your ESXi server.

System disk
  Panorama mode: 81GB. For log storage, Panorama uses virtual logging disks instead of the system disk or an NFS datastore.
  Legacy mode: 52GB. Panorama allocates approximately 11GB on the system disk for log storage. However, you can mount an NFS datastore or add a virtual logging disk to Expand Log Storage Capacity on the Panorama Virtual Appliance.

CPUs and memory
  Panorama mode: Set the memory and the number of CPUs based on the log storage capacity of Panorama:
    • 2TB storage: 8 CPUs and 16GB memory
    • 4TB storage: 8 CPUs and 32GB memory
    • 6 to 8TB storage: 12 CPUs and 32GB memory
    • 10 to 16TB storage: 12 CPUs and 64GB memory
    • 18 to 24TB storage: 16 CPUs and 64GB memory
  Legacy mode: Set the memory and the number of CPUs based on the number of firewalls that Panorama will manage:
    • 1 to 10 firewalls: 4 CPUs and 4GB memory
    • 11 to 50 firewalls: 8 CPUs and 8GB memory
    • 51 to 1,000 firewalls: 8 CPUs and 16GB memory

Log storage capacity
  Panorama mode: 2TB to 24TB
  Legacy mode: 11GB (default log storage on the system disk) to 8TB (if you add a virtual logging disk)
  Both modes: If you are using the Logging Service, you do not need to allocate a logging disk. All you need is the system disk for Panorama.
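The sizing formula from Step 3 of Determine Panorama Log Storage Requirements and the per-mode limits and CPU/memory tiers from Table 2, carried through in code as an added example (this is not Palo Alto Networks code). It assumes decimal units (1TB = 10^12 bytes) and takes the sampled logs-per-second values as plain numbers; the sample rates in the block are constructed.

```python
"""Panorama log-storage sizing helper (added example, not Palo Alto Networks code).

Implements the guide's estimate
    retention_days x average_log_size x daily_logging_rate
and maps the result onto the virtual-appliance limits from Table 2:
2TB logging disks (at most 12 in Panorama mode, 24TB total), one disk of
up to 8TB in Legacy mode, and the Panorama-mode CPU/memory tiers.
Assumption (not stated in the guide): TB and GB are decimal units.
"""
from math import ceil

SECONDS_PER_DAY = 86_400
AVG_LOG_BYTES = 500          # approximate average log size from the guide
TB = 10**12                  # assumption: decimal terabyte
DISK_TB = 2                  # each Panorama-mode logging disk is 2TB
MAX_DISKS_PANORAMA = 12      # 12 x 2TB = 24TB maximum
MAX_TB_LEGACY = 8            # one logging disk of up to 8TB (ESXi 5.5 and later)

# Panorama-mode CPU/memory tiers from Table 2, keyed by total logging storage (TB).
PANORAMA_MODE_TIERS = [
    (2, 8, 16),
    (4, 8, 32),
    (8, 12, 32),
    (16, 12, 64),
    (24, 16, 64),
]


def daily_logging_rate(samples_per_second):
    """Average the sampled logs/second values (Step 2) and scale to logs per day."""
    if not samples_per_second:
        raise ValueError("need at least one sampled rate")
    avg = sum(samples_per_second) / len(samples_per_second)
    return avg * SECONDS_PER_DAY


def required_storage_bytes(retention_days, logs_per_day, avg_log_bytes=AVG_LOG_BYTES):
    """Step 3 formula: days x average log size x daily logging rate."""
    return retention_days * avg_log_bytes * logs_per_day


def logging_disk_plan(storage_bytes):
    """Round the requirement up to whole 2TB disks; returns (disk_count, total_tb).

    Raises if the requirement exceeds the 24TB Panorama-mode maximum.
    """
    disks = max(1, ceil(storage_bytes / (DISK_TB * TB)))
    if disks > MAX_DISKS_PANORAMA:
        raise ValueError(f"{storage_bytes / TB:.1f}TB exceeds the 24TB Panorama-mode maximum")
    return disks, disks * DISK_TB


def panorama_mode_resources(total_tb):
    """Return (cpus, memory_gb) for the smallest Table 2 tier covering total_tb."""
    for limit_tb, cpus, mem_gb in PANORAMA_MODE_TIERS:
        if total_tb <= limit_tb:
            return cpus, mem_gb
    raise ValueError("more than 24TB is not supported on the virtual appliance")


def legacy_mode_fits(storage_bytes):
    """True if a single Legacy-mode logging disk (up to 8TB) would suffice."""
    return storage_bytes <= MAX_TB_LEGACY * TB


def size_panorama(samples_per_second, retention_days):
    """End-to-end sizing: sampled rates and retention in, actionable plan out."""
    per_day = daily_logging_rate(samples_per_second)
    need = required_storage_bytes(retention_days, per_day)
    disks, total_tb = logging_disk_plan(need)
    cpus, mem_gb = panorama_mode_resources(total_tb)
    return {
        "logs_per_day": per_day,
        "storage_bytes": need,
        "logging_disks_2tb": disks,
        "total_tb": total_tb,
        "cpus": cpus,
        "memory_gb": mem_gb,
        "legacy_mode_ok": legacy_mode_fits(need),
    }


if __name__ == "__main__":
    # Constructed samples: six five-minute averages (logs/second) summed over all
    # collectors; their mean (246/s) reproduces the guide's 21,254,400 logs/day.
    plan = size_panorama([240, 250, 246, 244, 250, 246], retention_days=30)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The 30-day plan from the constructed samples reproduces the guide's 318,816,000,000 bytes and fits on one 2TB disk; the 5TB case shows the round-up to 6TB that the migration procedure later requires.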

Install the Panorama Virtual Appliance

Before installation, decide whether to run the virtual appliance in Panorama mode or Legacy mode. Each mode has different resource requirements, as described in Setup Prerequisites for the Panorama Virtual Appliance. You must complete the prerequisites before starting the installation. As a best practice, install the virtual appliance in Panorama mode to optimize log storage and report generation. For details on Panorama and Legacy mode, see Panorama Models.

• Install Panorama on an ESXi Server
• Install Panorama on vCloud Air
• Support for VMware Tools on the Panorama Virtual Appliance

Install Panorama on an ESXi Server

Use these instructions to install a new Panorama virtual appliance on a VMware ESXi server. For upgrades to an existing Panorama virtual appliance, skip to Install Content and Software Updates for Panorama.

STEP 1 | Download the Panorama 8.0.2 base image Open Virtual Appliance (OVA) file.
1. Go to the Palo Alto Networks software downloads site. (If you can't log in, go to the Palo Alto Networks Customer Support web site for assistance.)
2. In the Download column in the Panorama Base Images section, download the Panorama 8.0.2 release OVA file (Panorama-ESX-8.0.2.ova).

STEP 2 | Install Panorama.
1. Launch the VMware vSphere Client and connect to the VMware server.
2. Select File > Deploy OVF Template.
3. Browse to select the Panorama OVA file and click Next.
4. Confirm that the product name and description match the downloaded version, and click Next.
5. Enter a descriptive name for the Panorama virtual appliance, and click Next.
6. Select a datastore location (system disk) on which to install the Panorama image. The system disk must have exactly 81GB storage for the virtual appliance in Panorama mode and 52GB for the virtual appliance in Legacy mode. After selecting the datastore, click Next.
7. Select Thick Provision Lazy Zeroed as the disk format, and click Next.
8. Specify which networks in the inventory to use for the Panorama virtual appliance, and click Next.
9. Confirm the selected options, click Finish to start the installation process, and click Close when it finishes. Do not power on the Panorama virtual appliance yet.

STEP 3 | Configure resources on the Panorama virtual appliance.
1. Right-click the Panorama virtual appliance and Edit Settings.
2. In the Hardware settings, allocate the CPUs and memory as necessary. The virtual appliance boots up in Panorama mode if you allocate sufficient CPUs and Memory and add a virtual logging disk (later in this procedure). Otherwise, the appliance boots up in Legacy mode. For details on the modes, see Panorama Models.
3. Set the SCSI Controller to LSI Logic Parallel.
4. Add a virtual logging disk. In Panorama mode, this step is required because the virtual appliance can store logs only on a dedicated logging disk. In Legacy mode, the appliance uses approximately 11GB on the system disk for logging by default, so adding a dedicated logging disk to increase storage capacity is optional.
   1. Add a disk, select Hard Disk as the hardware type, and click Next.
   2. Create a new virtual disk and click Next.
   3. Set the Disk Size to exactly 2TB if the virtual appliance is in Panorama mode or up to 8TB if the appliance is in Legacy mode. In Panorama mode, you can later add more logging disks (for a total of 12) with 2TB of storage each.
   4. Select the Thick Provision Lazy Zeroed disk format.
   5. Select Specify a datastore or datastore structure as the location, Browse to a datastore that has sufficient storage, click OK, and click Next.
   6. Select a SCSI Virtual Device Node (you can use the default selection) and click Next. Panorama will fail to boot if you select a format other than SCSI.
   7. Verify that the settings are correct and click Finish.
5. Click OK to save your changes.

STEP 4 | Power on the Panorama virtual appliance.
1. In the vSphere Client, right-click the Panorama virtual appliance and select Power > Power On. Wait for Panorama to boot up before continuing.
2. Verify that the virtual appliance is running in the correct mode:
   1. Right-click the Panorama virtual appliance and select Open Console.
   2. Enter your username and password to log in (default is admin for both).
   3. Display the mode by running the following command:

   > show system info

   In the output, the system-mode indicates either panorama or legacy mode.

You are now ready to Perform Initial Configuration of the Panorama Virtual Appliance.


Install Panorama on vCloud Air

Use these instructions to install a new Panorama virtual appliance on VMware vCloud Air. If you are upgrading a Panorama virtual appliance deployed on vCloud Air, skip to Install Content and Software Updates for Panorama.

STEP 1 | Download the Panorama 8.0.2 base image Open Virtual Appliance (OVA) file.
1. Go to the Palo Alto Networks software downloads site. (If you can't log in, go to the Palo Alto Networks Customer Support web site for assistance.)
2. In the Download column in the Panorama Base Images section, download the Panorama 8.0.2 release OVA file (Panorama-ESX-8.0.2.ova).

STEP 2 | Import the Panorama image to the vCloud Air catalog.
For details on these steps, refer to the OVF Tool User's Guide.
1. Install the OVF Tool on your client system.
2. Access the client system CLI.
3. Navigate to the OVF Tool directory (for example, C:\Program Files\VMware\VMware OVF Tool).
4. Convert the OVA file to an OVF package: ovftool.exe
5. Use a browser to access the vCloud Air web console, select your Virtual Private Cloud OnDemand location, and record the browser URL. You will use the URL information to complete the next step. The URL format is: https://.vchs.vmware.com/compute/cloud/org//#/catalogVAppTemplateList?catalog=.
6. Import the OVF package, using the information from the vCloud Air URL to complete the , , and variables. The other variables are your vCloud Air username and domain @, a virtual data center , and a vCloud Air template .

ovftool.exe -st="OVF" "" "vcloud://@:[email protected]?vdc=&org=&vappTemplate=.ovf&catalog=default-catalog"

STEP 3 | Install Panorama.
1. Access the vCloud Air web console and select your Virtual Private Cloud OnDemand region.
2. Create a Panorama virtual machine. For the steps, refer to Add a Virtual Machine from a Template in the vCloud Air Documentation Center. Configure the CPU, Memory and Storage as follows:
   • Set the CPU and Memory based on whether the virtual appliance will be in Panorama mode or Legacy mode: see CPUs and memory.
   • Set the Storage to exactly 81GB for the virtual appliance in Panorama mode and 52GB for the virtual appliance in Legacy mode. For better logging and reporting performance, select the SSD-Accelerated option. The Panorama virtual appliance in Legacy mode uses approximately 11GB for log storage. To increase the log storage capacity, you must Add a Virtual Disk to Panorama on vCloud Air. In Panorama mode, the virtual appliance does not use the system disk for log storage; you must add a virtual logging disk.


STEP 4 | Create vCloud Air NAT rules on the gateway to allow inbound and outbound traffic for the Panorama virtual appliance.
Refer to Add a NAT Rule in the vCloud Air Documentation Center for the detailed instructions:
1. Add a NAT rule that allows Panorama to receive traffic from the firewalls and allows administrators to access Panorama.
2. Add a NAT rule that allows Panorama to retrieve updates from the Palo Alto Networks update server and to access the firewalls.

STEP 5 | Create a vCloud Air firewall rule to allow inbound traffic on the Panorama virtual appliance.
Outbound traffic is allowed by default. Refer to Add a Firewall Rule in the vCloud Air Documentation Center for the detailed instructions.

STEP 6 | Power on the Panorama virtual appliance if it isn't already on.
In the vCloud Air web console, select the Virtual Machines tab, select the Panorama virtual machine, and click Power On.

You are now ready to Perform Initial Configuration of the Panorama Virtual Appliance.

Support for VMware Tools on the Panorama Virtual Appliance

VMware Tools is bundled with the software image (ovf) for the Panorama virtual appliance. The support for VMware Tools allows you to use the vSphere environment (vCloud Director and vCenter server) for the following:

• View the IP address assigned to the Panorama management interface.
• View resource utilization metrics on hard disk, memory, and CPU. You can use these metrics to enable alarms or actions on the vCenter server or vCloud Director.
• Gracefully shut down and restart Panorama using the power off function on the vCenter server or vCloud Director.
• Use a heartbeat mechanism between the vCenter server and Panorama to verify that Panorama is functioning or is rebooting. If Panorama goes into maintenance mode, heartbeats are disabled so that the vCenter server does not shut it down. Disabling heartbeats allows Panorama to stay operational in maintenance mode when it cannot send heartbeats to the vCenter server.

Perform Initial Configuration of the Panorama Virtual Appliance

Based on your Panorama model, use the VMware vSphere Client or vCloud Air web console to set up network access to the Panorama virtual appliance. For unified reporting, consider using Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC) as the uniform time zone across Panorama and all the managed firewalls and Log Collectors.

STEP 1 | Gather the required information from your network administrator.
Collect the following information for the management (MGT) interface:
• IP address for the management (MGT) interface
• Netmask
• Default gateway
• DNS server IP address

To complete the configuration of the MGT interface, you must specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway. If you omit settings (such as the default gateway), you can access Panorama only through the console port for future configuration changes. As a best practice, always commit a complete MGT interface configuration.

STEP 2 | Access the console of the Panorama virtual appliance.
1. Access the console.
   On an ESXi server:
   1. Launch the VMware vSphere Client.
   2. Select the Console tab for the Panorama virtual appliance and press Enter to access the login screen.
   On vCloud Air:
   1. Access the vCloud Air web console and select your Virtual Private Cloud OnDemand region.
   2. Select the Virtual Machines tab, right-click the Panorama virtual machine, and select Open In Console.
2. Enter your username and password to log in (default is admin for both).

STEP 3 | Configure the network access settings for the MGT interface.
Panorama uses the MGT interface for management traffic, high availability synchronization, log collection, and communication within Collector Groups.
1. Enter the following commands, where <IP address> is the IP address you want to assign to the Panorama management interface, <netmask> is the subnet mask, <gateway> is the IP address of the network gateway, and <DNS IP address> is the IP address of the DNS server:

> configure
# set deviceconfig system ip-address <IP address> netmask <netmask> default-gateway <gateway> dns-setting servers primary <DNS IP address>
# commit
# exit

2. Use the ping utility to verify network access to external services required for firewall management, such as the default gateway, DNS server, and the Palo Alto Networks Update Server, as shown in the following example:

admin@Panorama> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=40.5 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=53.6 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=79.5 ms

After verifying connectivity, press Ctrl+C to stop the pings.

STEP 4 | Configure the general settings.
1. Using a secure connection (HTTPS) from a web browser, log in to the Panorama web interface using the IP address and password you assigned to the management interface (https://<IP address>).
2. Select Panorama > Setup > Management and edit the General Settings.
3. Enter a Hostname for the server and enter the network Domain name. The domain name is just a label; Panorama doesn't use it to join the domain.
4. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT or UTC. If you plan to use the Logging Service, you must configure NTP so that Panorama can stay in sync with the Logging Service.


Timestamps are recorded when Panorama receives the logs and the managed firewalls generate the logs. Aligning the time zones on Panorama and the firewalls ensures that the timestamps are synchronized and the process of querying logs and generating reports on Panorama is harmonious.
5. Enter the Latitude and Longitude to enable accurate placement of the Panorama management server on the world map.
6. Enter the Serial Number you received in the order fulfillment email.
7. Click OK to save your changes.

STEP 5 | Change the default administrator password.
To ensure that the management interface remains secure, configure the Minimum Password Complexity (Panorama > Setup > Management).
1. Click the admin link on the left side of the web interface footer.
2. Enter the Old Password and the New Password in the appropriate fields and record the new password in a safe location.
3. Click OK.

STEP 6 | (Optional) Modify the management interface settings.
1. Select Panorama > Setup > Interfaces and click Management.
2. Select which Network Connectivity Services to allow on the interface (such as SSH access). Don't select Telnet or HTTP. These services use plaintext and are less secure than the other services.
3. Click OK to save your changes to the interface.

STEP 7 | Commit your configuration changes.
Select Commit > Commit to Panorama and Commit your changes.

STEP 8 | Next steps...
1. If necessary, Expand Log Storage Capacity on the Panorama Virtual Appliance.
2. (Best Practice) Replace the default certificate that Panorama uses to secure HTTPS traffic over the management (MGT) interface.
3. Activate a Panorama Support License.
4. Activate/Retrieve a Firewall Management License on the Panorama Virtual Appliance.
5. Install Content and Software Updates for Panorama.
6. Set Up Administrative Access to Panorama.
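A pre-flight check for the MGT interface values gathered in STEP 1, as an added example that is not part of the guide or of PAN-OS: it verifies that the IP address, netmask, default gateway and DNS server are all present and consistent (the gateway inside the MGT subnet, the address not the network or broadcast address), then renders the exact set deviceconfig system command sequence and the ping checks from STEP 3. The addresses used in the test are constructed documentation-range values.

```python
"""Pre-flight check for Panorama MGT interface settings (added example, not PAN-OS code)."""
import ipaddress


def validate_mgt_settings(ip, netmask, gateway, dns):
    """Return a list of problems with the four STEP 1 values; an empty list means consistent.

    Every field is required: the guide warns that an incomplete MGT configuration
    (for example, no default gateway) leaves Panorama reachable only from the console.
    """
    problems = []
    for name, value in (("IP address", ip), ("netmask", netmask),
                        ("default gateway", gateway), ("DNS server", dns)):
        if not value:
            problems.append(f"{name} is missing")
    if problems:
        return problems
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"invalid IP address or netmask: {exc}"]
    net = iface.network
    # Skip the network/broadcast check on /31 and /32, where it does not apply.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError:
        problems.append(f"invalid default gateway {gateway!r}")
    else:
        if gw not in net:
            problems.append(f"gateway {gateway} is outside {net}; routed access to Panorama would fail")
        elif gw == iface.ip:
            problems.append("default gateway must differ from the MGT IP address")
    try:
        ipaddress.IPv4Address(dns)
    except ValueError:
        problems.append(f"invalid DNS server {dns!r}")
    return problems


def render_mgt_commands(ip, netmask, gateway, dns):
    """Render the STEP 3 CLI sequence, refusing inconsistent or incomplete input."""
    problems = validate_mgt_settings(ip, netmask, gateway, dns)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "configure",
        f"set deviceconfig system ip-address {ip} netmask {netmask} "
        f"default-gateway {gateway} dns-setting servers primary {dns}",
        "commit",
        "exit",
    ]


def ping_checks(gateway, dns, update_server="updates.paloaltonetworks.com"):
    """The connectivity checks from STEP 3.2: gateway, DNS server, then the update server."""
    return [f"ping host {gateway}", f"ping host {dns}", f"ping host {update_server}"]


if __name__ == "__main__":
    # Constructed values from the documentation range (RFC 5737), not a real deployment.
    args = ("192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.53")
    for line in render_mgt_commands(*args) + ping_checks(args[2], args[3]):
        print(line)
```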

Set Up the Panorama Virtual Appliance with Local Log Collector

After you upgrade from a Panorama 7.1 or earlier release to a Panorama 8.0 (or later) release, the Panorama virtual appliance is in Legacy mode by default and is limited to 8TB of local log storage. By switching to Panorama mode, you can create a local Log Collector, add multiple logging disks without losing existing logs, increase log storage to up to 24TB, and enable faster report generation. The Panorama virtual appliance cannot function as a Dedicated Log Collector but can manage Dedicated Log Collectors.

The virtual appliance supports NFS log storage only in Legacy mode, not in Panorama mode. After switching to Panorama mode, you must migrate the logs that are in the NFS storage to the virtual disks on the local Log Collector.

For a new Panorama installation, you can ensure the virtual appliance starts in Panorama mode automatically by specifying sufficient resources when you Install the Panorama Virtual Appliance.

After upgrading to Panorama 8.0, the first step is to increase the system resources on the virtual appliance to the minimum required for Panorama mode. Panorama reboots when you increase resources, so perform this procedure during a maintenance window. You must install a larger system disk (81GB), increase CPUs and memory based on the log storage capacity, and add a virtual logging disk. The new logging disk must have at least as much capacity as the appliance currently uses in Legacy mode and cannot be less than 2TB. Adding a virtual disk enables you to migrate existing logs to the Log Collector and enables the Log Collector to store new logs.

If Panorama is deployed in an HA configuration, perform the following steps on the secondary peer first and then on the primary peer.

STEP 1 | Determine which system resources you need to increase before the virtual appliance can operate in Panorama mode.
You must run the command specified in this step even if you have determined that Panorama already has adequate resources.
1. Access the Panorama CLI:
   1. Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the Panorama MGT interface.
   2. Log in to the CLI when prompted.
2. Check the resources you must increase by running the following command:

> request system system-mode panorama

Enter y when prompted to continue. The output specifies the resources you must increase. For example:

Panorama mode not supported on current system disk of size 52.0 GB. Please attach a disk of size 81.0 GB, then use 'request system clone-system-disk' to migrate the current system disk
Please add a new virtual logging disk with more than 50.00 GB of storage capacity.
Not enough CPU cores: Found 4 cores, need 8 cores

STEP 2 | Increase the CPUs and memory, and replace the system disk with a larger disk.
1. Access the VMware ESXi vSphere Client, select Virtual Machines, right-click the Panorama virtual appliance, and select Power > Power Off.
2. Right-click the Panorama virtual appliance and Edit Settings.
3. Select Memory and enter the new Memory Size.
4. Select CPUs and specify the number of CPUs (the Number of virtual sockets multiplied by the Number of cores per socket).
5. Add a virtual disk. You will use this disk to replace the existing system disk.


   1. In the Hardware settings, Add a disk, select Hard Disk as the hardware type, and click Next.
   2. Create a new virtual disk and click Next.
   3. Set the Disk Size to exactly 81GB and select the Thick Provision Lazy Zeroed disk format.
   4. Select Specify a datastore or datastore structure as the location, Browse to a datastore of at least 81GB, click OK, and click Next.
   5. Select a SCSI Virtual Device Node (you can use the default selection) and click Next. Panorama will fail to boot if you select a format other than SCSI.
   6. Verify that the settings are correct and then click Finish and OK.
6. Right-click the Panorama virtual appliance and select Power > Power On. Wait for Panorama to reboot before continuing.
7. Return to the Panorama CLI and copy the data from the original system disk to the new system disk:

> request system clone-system-disk target sdb

Enter y when prompted to continue. The copying process takes around 20 to 25 minutes, during which Panorama reboots. When the process finishes, the output tells you to shut down Panorama.
8. Return to the vSphere Client console, right-click the Panorama virtual appliance, and select Power > Power Off.
9. Right-click the Panorama virtual appliance and Edit Settings.
10. Select the original system disk, click Remove, select Remove from virtual machine, and click OK.
11. Right-click the Panorama virtual appliance and Edit Settings.
12. Select the new system disk, set the Virtual Device Node to SCSI (0:0), and click OK.
13. Right-click the Panorama virtual appliance and select Power > Power On. Before proceeding, wait for Panorama to reboot on the new system disk (around 15 minutes).

STEP 3 | Add a virtual logging disk.
This is the disk to which you will migrate existing logs.
1. In the VMware ESXi vSphere Client, right-click the Panorama virtual appliance and select Power > Power Off.
2. Right-click the Panorama virtual appliance and Edit Settings.
3. Repeat the steps to Add a virtual disk. Set the Disk Size to a multiple of 2TB based on the amount of log storage you need. The capacity must be at least as large as the existing virtual disk or NFS storage that Panorama currently uses for logs. The disk capacity must be a multiple of 2TB and can be up to 24TB. For example, if the existing disk has 5TB of log storage, you must add a new disk of at least 6TB. After you switch to Panorama mode, Panorama will automatically divide the new disk into 2TB partitions, each of which will function as a separate virtual disk.
4. Right-click the Panorama virtual appliance and select Power > Power On. Wait for Panorama to reboot before continuing.

STEP 4 | Switch from Legacy mode to Panorama mode.
After switching the mode, the appliance reboots again and then automatically creates a local Log Collector and Collector Group. The existing logs won't be available for querying or reporting until you migrate them later in this procedure.
1. Return to the Panorama CLI and run the following command.


> request system system-mode panorama

Enter y when prompted to continue. After rebooting, Panorama automatically creates a local Log Collector (named Panorama) and creates a Collector Group (named default) to contain it. Panorama also configures the virtual logging disk you added and divides it into separate 2TB disks. Wait for the process to finish and for Panorama to reboot (around five minutes) before continuing.
2. Log in to the Panorama web interface.
3. In the Dashboard, General Information settings, verify that the Mode is now panorama. In an HA deployment, the secondary peer is in a suspended state at this point because its mode (Panorama) does not match the mode on the primary peer (Legacy). You will un-suspend the secondary peer after switching the primary peer to Panorama mode later in this procedure.
4. Select Panorama > Collector Groups to verify that the default collector group has been created, and that the local Log Collector is part of the default collector group.
5. Push the configuration to the managed devices.
   • If there are no pending changes:
     1. Select Commit > Push to Devices and Edit Selections.
     2. Select Collector Group and make sure the default collector group is selected.
     3. Click OK and Push.
   • If you have pending changes:
     1. Select Commit > Commit and Push and Edit Selections.
     2. Verify that your Device Group devices and Templates are included.
     3. Select Collector Group and make sure the default collector group is selected.
     4. Click OK and Commit and Push.
6. Select Panorama > Managed Collectors and verify that the columns display the following information for the local Log Collector:
   • Collector Name: This defaults to the Panorama hostname. It should be listed under the default Collector Group.
   • Connected: Check mark
   • Configuration Status: In sync
   • Run Time Status: connected

STEP 5 | (HA only) Switch the primary Panorama from Legacy mode to Panorama mode.
This step triggers failover.
1. Repeat steps 1 through 4 on the primary Panorama. Wait for the primary Panorama to reboot and return to an active HA state. If preemption is not enabled, you must manually fail back: select Panorama > High Availability and, in the Operational Commands section, Make local Panorama functional.
2. On the primary Panorama, select Dashboard and, in the High Availability section, Sync to peer, click Yes, and wait for the Running Config to display Synchronized status.
3. On the secondary Panorama, select Panorama > High Availability and, in the Operational Commands section, Make local Panorama functional. This step is necessary to bring the secondary Panorama out of its suspended HA state.

STEP 6 | Migrate existing logs to the new virtual logging disks.


If you deployed Panorama in an HA configuration, perform this only on the primary peer.
1. Return to the Panorama CLI.
2. Start the log migration:

> request logdb migrate vm start

The process duration varies by the volume of log data you are migrating. To check the status of the migration, run the following command:

> request logdb migrate vm status

When the migration finishes, the output displays: migration has been done.
3. Verify that the existing logs are available.
   1. Log in to the Panorama web interface.
   2. Select Panorama > Monitor, select a log type that you know matches some existing logs (for example, Panorama > Monitor > System), and verify that the logs display.

STEP 7 | Next steps...
Configure log forwarding to Panorama so that the Log Collector receives new logs from firewalls.

Expand Log Storage Capacity on the Panorama Virtual Appliance

After you Perform Initial Configuration of the Panorama Virtual Appliance, the available log storage capacity and the options for expanding it depend on the virtual platform (VMware ESXi server or vCloud Air) and mode (Legacy or Panorama mode): see Panorama Models for details. For additional log storage, you can also forward firewall logs to Dedicated Log Collectors (see Configure a Managed Collector) or Configure Log Forwarding from Panorama to External Destinations.

Before expanding log storage capacity on Panorama, Determine Panorama Log Storage Requirements.

• Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
• Add a Virtual Disk to Panorama on an ESXi Server
• Add a Virtual Disk to Panorama on vCloud Air
• Mount the Panorama ESXi Server to an NFS Datastore

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode

The Panorama virtual appliance in Legacy mode can use only one virtual disk for logging. Therefore, if you add a virtual disk that is dedicated for logging, Panorama stops using the default 11GB log storage on the system disk and copies any existing logs to the new logging disk. (Panorama continues using the system disk for data other than logs.)

If you replace an existing dedicated logging disk of up to 2TB storage capacity with a disk of up to 8TB, you will lose the logs on the existing disk. To preserve the logs, your choices are:

• Configure log forwarding to external destinations before you replace the virtual disk.
• Set up a new Panorama virtual appliance for the new 8TB disk and maintain access to the Panorama containing the old disk for as long as you need the logs. To forward firewall logs to the new Panorama virtual appliance, one option is to reconfigure the firewalls to connect with the new Panorama IP address (select Device > Setup > Management and edit the Panorama Settings), add the firewalls as managed devices to the new Panorama, and Configure Log Forwarding to Panorama. To reuse the old Panorama IP address on the new Panorama, another option is to export the configuration of the old Panorama and then import and load the configuration on the new Panorama.
• Copy logs from the old disk to the new disk. Copying can take several hours, depending on how many logs the disk currently stores, and Panorama cannot collect logs during the process. Contact Palo Alto Networks Customer Support for instructions.

Add a Virtual Disk to Panorama on an ESXi Server

To expand log storage capacity on the Panorama virtual appliance, you can add virtual logging disks. If the appliance is in Panorama mode, you can add 1 to 12 virtual logging disks of 2TB each, for a maximum total of 24TB. If the appliance is in Legacy mode, you can add one virtual logging disk of up to 8TB on ESXi 5.5 and later versions or one disk of up to 2TB on earlier ESXi versions.

If Panorama loses connectivity to the new virtual disk, Panorama might lose logs during the failure interval. To allow for redundancy, use the virtual disk in a RAID configuration. RAID10 provides the best write performance for applications with high logging characteristics. If necessary, you can Replace the Virtual Disk on an ESXi Server.

STEP 1 | Add additional disks to Panorama.
In all modes, the first logging disk on the Panorama VM must be at least 2TB in order to add additional disks. If the first logging disk is smaller than 2TB, you will be unable to add additional disk space.
1. Access the VMware vSphere Client and select Virtual Machines.
2. Right-click the Panorama virtual appliance and select Power > Power Off.
3. Right-click the Panorama virtual appliance and select Edit Settings.
4. Click Add in the Hardware tab to launch the Add Hardware wizard.
5. Select Hard Disk as the hardware type and click Next.
6. Create a new virtual disk and click Next.
7. Set the Disk Size. If the Panorama virtual appliance is in Panorama mode, set the size to at least 2TB. If the appliance is in Legacy mode, you can set the size to as much as 8TB. In Panorama mode, you can add disk sizes larger than 2TB and Panorama will automatically create as many 2TB partitions as possible. For example, if disk sdc was 24TB, it will create 12 2TB partitions. These disks will be named sdc1-12.
8. Select the Thick Provision Lazy Zeroed disk format and click Next.
9. Specify a datastore or datastore structure, Browse to a datastore with enough space for the specified Disk Size, click OK, and click Next.
10. Select a SCSI Virtual Device Node (you can use the default selection) and click Next.

PANORAMA ADMINISTRATOR'S GUIDE | Set Up Panorama © 2019 Palo Alto Networks, Inc.

   The selected node must be in SCSI format; Panorama will fail to boot if you select another format.

11. Verify that the settings are correct and then click Finish and OK. The new disk appears in the list of devices for the virtual appliance.
12. Repeat Step 4 through Step 11 to add additional disks to the Panorama virtual appliance if necessary.
13. Right-click the Panorama virtual appliance and select Power > Power On. The virtual disk initializes for first-time use. The size of the new disk determines how long initialization takes.

STEP 2 | Configure each disk.

The following example uses the sdc virtual disk.

1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:

   > show system disk details

   The user will see the following response:

   Name   : sdb
   State  : Present
   Size   : 2048 MB
   Status : Available
   Reason : Admin enabled

   Name   : sdc
   State  : Present
   Size   : 2048 MB
   Status : Available
   Reason : Admin disabled

3. Enter the following command, and confirm the request when prompted, for each disk that shows the Reason : Admin disabled response:

   > request system disk add sdc

4. Enter the show system disk details command to monitor the status of the disk addition. Continue to Step 3 when all newly added disk responses display Reason : Admin enabled.

STEP 3 | Make disks available for logging.

1. Log in to the Panorama web interface.
2. Select Panorama > Managed Collectors and edit the Log Collector.
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit and Push and Commit and Push your changes.

STEP 4 | Configure Panorama to receive logs.

This step is intended for new Panorama deployments in Panorama mode. If you are adding logging disks to an existing Panorama virtual appliance, continue to Step 5.

1. Configure a Managed Collector.
2. Configure a Collector Group.
3. Configure Log Forwarding to Panorama.

STEP 5 | Verify that the Panorama Log Storage capacity has been increased.

1. Log in to the Panorama web interface.


2. Select Panorama > Collector Groups and select the Collector Group that the Panorama virtual appliance belongs to.
3. Verify that the Log Storage capacity accurately displays the disk capacity.

Add a Virtual Disk to Panorama on vCloud Air

To expand log storage capacity on the Panorama virtual appliance, you can add virtual logging disks. If the appliance is in Panorama mode, you can add 1 to 12 virtual logging disks of 2TB each, for a maximum total of 24TB. If the appliance is in Legacy mode, you can add one virtual logging disk of up to 8TB.

If Panorama loses connectivity to the new virtual disk, Panorama might lose logs during the failure interval. If necessary, you can Replace the Virtual Disk on vCloud Air.

STEP 1 | Add additional disks to Panorama.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order to add additional disks. If the first logging disk is less than 2TB, you will be unable to add additional disk space.

1. Access the vCloud Air web console and select your Virtual Private Cloud On Demand region.
2. Select the Panorama virtual appliance in the Virtual Machines tab.
3. Select Actions > Edit Resources and Add another disk.
4. Set the Storage size. If the Panorama virtual appliance is in Panorama mode, set the size to at least 2TB. If the appliance is in Legacy mode, you can set the size to as much as 8TB.

   In Panorama mode, you can add disk sizes larger than 2TB and Panorama will automatically create as many 2TB partitions as possible. For example, if disk sdc was 24TB, it will create 12 2TB partitions. These disks will be named sdc1-12.

5. Set the storage tier to Standard or SSD-Accelerated.
6. Repeat Step 3 and Step 4 to add additional disks to the Panorama virtual appliance if necessary.
7. Save your changes.

STEP 2 | Configure each disk.

The following example uses the sdc virtual disk.

1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:

   > show system disk details

   The user will see the following response:

   Name   : sdb
   State  : Present
   Size   : 2048 MB
   Status : Available
   Reason : Admin enabled

   Name   : sdc
   State  : Present
   Size   : 2048 MB
   Status : Available
   Reason : Admin disabled


3. Enter the following command, and confirm the request when prompted, for each disk that shows the Reason : Admin disabled response:

   > request system disk add sdc

4. Enter the show system disk details command to monitor the status of the disk addition. Continue to the next step when all newly added disk responses display Reason : Admin enabled.

STEP 3 | Make disks available for logging.

1. Log in to the Panorama web interface.
2. Select Panorama > Managed Collectors and edit the Log Collector.
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit and Push and Commit and Push your changes.

STEP 4 | Configure Panorama to receive logs.

This step is intended for new Panorama deployments in Panorama mode. If you are adding logging disks to an existing virtual Panorama appliance, continue to the next step.

1. Configure a Managed Collector.
2. Configure a Collector Group.
3. Configure Log Forwarding to Panorama.

STEP 5 | Verify that the Panorama Log Storage capacity has been increased.

1. Log in to the Panorama web interface.
2. Select Panorama > Collector Groups and select the Collector Group that the virtual Panorama appliance belongs to.
3. Verify that the Log Storage capacity accurately displays the disk capacity.
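Step 2 of both the ESXi and the vCloud Air procedures turns on the same check: read the `show system disk details` listing, run `request system disk add` for every disk that still reports Reason : Admin disabled, and only move on once every disk reports Admin enabled. The following parser automates that reading of the CLI output. It is an added example, not code from the Panorama guide or from Palo Alto Networks; the field layout follows the response shown above, and the listing it parses is constructed (a third disk, sdd, is added to show the general case).

```python
"""Parse the `show system disk details` listing from the Panorama CLI.

Added example, not code from the Panorama guide or from Palo Alto Networks.
The field layout (Name/State/Size/Status/Reason blocks) follows the response
the guide shows; the sample listing below is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: sdb is already enabled, sdc and sdd were just attached.
SAMPLE_OUTPUT = """\
Name   : sdb
State  : Present
Size   : 2048 MB
Status : Available
Reason : Admin enabled

Name   : sdc
State  : Present
Size   : 2048 MB
Status : Available
Reason : Admin disabled

Name   : sdd
State  : Present
Size   : 2048 MB
Status : Available
Reason : Admin disabled
"""

_FIELD = re.compile(r"^\s*(Name|State|Size|Status|Reason)\s*:\s*(.*?)\s*$")


@dataclass
class Disk:
    name: str = ""
    state: str = ""
    size: str = ""
    status: str = ""
    reason: str = ""

    @property
    def enabled(self) -> bool:
        """The guide's cue to continue: the disk reports 'Admin enabled'."""
        return self.reason == "Admin enabled"

    @property
    def needs_add(self) -> bool:
        """A present, available disk that is still 'Admin disabled' is the
        one the guide says to enable with `request system disk add`."""
        return (self.state == "Present" and self.status == "Available"
                and self.reason == "Admin disabled")


def parse_disk_details(text: str) -> list[Disk]:
    """Split the listing into one Disk per Name block."""
    disks: list[Disk] = []
    current = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue          # blank lines and anything else are ignored
        key, value = m.group(1).lower(), m.group(2)
        if key == "name":     # a new Name line starts the next block
            current = Disk(name=value)
            disks.append(current)
        elif current is not None:
            setattr(current, key, value)
    return disks


def pending_add_commands(text: str) -> list[str]:
    """The CLI commands still to run, one per disk that is 'Admin disabled'."""
    return [f"request system disk add {d.name}"
            for d in parse_disk_details(text) if d.needs_add]


def all_enabled(text: str, expected: set[str]) -> bool:
    """True once every expected disk reports 'Admin enabled', i.e. the point
    at which the guide says to move on to making the disks available for logging."""
    by_name = {d.name: d for d in parse_disk_details(text)}
    return all(n in by_name and by_name[n].enabled for n in expected)


if __name__ == "__main__":
    for cmd in pending_add_commands(SAMPLE_OUTPUT):
        print(cmd)
    print("ready:", all_enabled(SAMPLE_OUTPUT, {"sdb", "sdc", "sdd"}))
```

Feed it the captured output of `show system disk details` (for example, from an SSH session) and loop until `all_enabled` returns True for the set of disks you attached; `pending_add_commands` lists exactly the `request system disk add` commands that are still outstanding.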

Mount the Panorama ESXi Server to an NFS Datastore

When the Panorama virtual appliance in Legacy mode runs on an ESXi server, mounting to a Network File System (NFS) datastore enables logging to a centralized location and expanding the log storage capacity beyond what a virtual disk supports. (ESXi 5.5 and later versions can support a virtual disk of up to 8TB. Earlier ESXi versions support a virtual disk of up to 2TB.) Before setting up an NFS datastore in a Panorama high availability (HA) configuration, see Logging Considerations in Panorama HA.

The Panorama virtual appliance in Panorama mode does not support NFS.

STEP 1 | Select Panorama > Setup > Operations and, in the Miscellaneous section, click Storage Partition Setup.

STEP 2 | Set the Storage Partition type to NFS V3.

STEP 3 | Enter the IP address of the NFS Server.

STEP 4 | Enter the Log Directory path for storing the log files. For example, export/panorama.

STEP 5 | For the Protocol, select TCP or UDP, and enter the Port for accessing the NFS server. To use NFS over TCP, the NFS server must support it. Common NFS ports are UDP/TCP 111 for RPC and UDP/TCP 2049 for NFS.


STEP 6 | For optimal NFS performance, in the Read Size and Write Size fields, specify the maximum size of the chunks of data that the client and server pass back and forth to each other. Defining a read/write size optimizes the data volume and speed in transferring data between Panorama and the NFS datastore.

STEP 7 | (Optional) Select Copy On Setup to copy the existing logs stored on Panorama to the NFS volume. If Panorama has a lot of logs, this option might initiate the transfer of a large volume of data.

STEP 8 | Click Test Logging Partition to verify that Panorama can access the NFS Server and Log Directory.

STEP 9 | Click OK to save your changes.

STEP 10 | Select Commit > Commit to Panorama and Commit your changes. Until you reboot, the Panorama virtual appliance writes logs to the local storage disk.

STEP 11 | Select Panorama > Setup > Operations and select Reboot Panorama in the Device Operations section. After rebooting, Panorama starts writing logs to the NFS datastore.

Increase CPUs and Memory on the Panorama Virtual Appliance

When you Perform Initial Configuration of the Panorama Virtual Appliance, you specify the memory and number of CPUs based on whether the appliance is in Panorama mode or Legacy mode and based on the log storage capacity or number of managed firewalls. If you later add storage capacity or managed firewalls, you must also increase the memory and CPUs.

Panorama Virtual Appliance in Panorama Mode

Set the memory and the number of CPUs based on the log storage capacity of Panorama:

• 2TB storage—8 CPUs and 16GB memory
• 4TB storage—8 CPUs and 32GB memory
• 6 to 8TB storage—12 CPUs and 32GB memory
• 10 to 16TB storage—12 CPUs and 64GB memory
• 18 to 24TB storage—16 CPUs and 64GB memory

Panorama Virtual Appliance in Legacy Mode

Set the memory and the number of CPUs based on the number of firewalls that Panorama will manage:

• 1 to 10 firewalls—4 CPUs and 4GB memory
• 11 to 50 firewalls—8 CPUs and 8GB memory
• 51 to 1,000 firewalls—8 CPUs and 16GB memory

• Increase CPUs and Memory for Panorama on an ESXi Server
• Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on an ESXi Server

For the minimum CPUs and memory that Panorama requires, see Increase CPUs and Memory on the Panorama Virtual Appliance.

STEP 1 | Access the VMware vSphere Client and select Virtual Machines.

STEP 2 | Right-click the Panorama virtual appliance and select Power > Power Off.


STEP 3 | Right-click the Panorama virtual appliance and select Edit Settings.

STEP 4 | Select Memory and enter the new Memory Size.

STEP 5 | Select CPUs and specify the number of CPUs (the Number of virtual sockets multiplied by the Number of cores per socket).

STEP 6 | Click OK to save your changes.

STEP 7 | Right-click the Panorama virtual appliance and select Power > Power On.

Increase CPUs and Memory for Panorama on vCloud Air

For the minimum CPUs and memory that Panorama requires, see Increase CPUs and Memory on the Panorama Virtual Appliance.

STEP 1 | Access the vCloud Air web console and select your Virtual Private Cloud OnDemand region.

STEP 2 | In the Virtual Machines tab, select the Panorama virtual machine and Power Off.

STEP 3 | Select Actions > Edit Resources.

STEP 4 | Set the CPU and Memory.

STEP 5 | Save your changes.

STEP 6 | Select the Panorama virtual machine and Power On.

Complete the Panorama Virtual Appliance Setup

After you Perform Initial Configuration of the Panorama Virtual Appliance, continue with the following tasks for additional configuration:

• Activate a Panorama Support License
• Activate/Retrieve a Firewall Management License on the Panorama Virtual Appliance
• Install Content and Software Updates for Panorama
• Access and Navigate Panorama Management Interfaces
• Set Up Administrative Access to Panorama
• Manage Firewalls


Set Up the M-Series Appliance

The M-500 and M-100 appliances are high performance hardware appliances that you can deploy in Panorama mode (as Panorama management servers) or in Log Collector mode (as Dedicated Log Collectors). The appliances provide multiple interfaces that you can assign to various Panorama services such as firewall management and log collection. Before setting up the appliance, consider how you can configure the interfaces to optimize security, enable network segmentation (in large-scale deployments), and load balance the traffic for Panorama services.

• M-Series Appliance Interfaces
• M-Series Setup Overview
• Perform Initial Configuration of the M-Series Appliance
• Set Up the M-Series Appliance as a Log Collector
• Increase Storage on the M-Series Appliance
• Configure Panorama to Use Multiple Interfaces

M-Series Appliance Interfaces

The Panorama M-500 and M-100 appliances have several interfaces for communicating with other systems such as managed firewalls and the client systems of Panorama administrators. Panorama communicates with these systems to perform various services, including managing devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters), collecting logs, communicating with Collector Groups, deploying software and content updates to devices, and providing administrative access to Panorama.

By default, Panorama uses its management (MGT) interface for all these services. However, you can improve security by reserving the MGT interface for administrative access and dedicating separate interfaces for the other services. In a large-scale network with multiple subnetworks and heavy log traffic, using multiple interfaces for device management and log collection also enables network segmentation and load balancing (see Configure Panorama to Use Multiple Interfaces). When assigning Panorama services to various interfaces, keep in mind that only the MGT interface allows administrative access to Panorama for configuration and monitoring tasks. You can assign any interface to the other services when you Perform Initial Configuration of the M-Series Appliance.

The M-100 and M-500 Appliance Hardware Reference Guides explain where to attach cables for the interfaces. The M-100 appliance supports 1Gbps throughput on all its interfaces: MGT, Eth1, Eth2, and Eth3. In addition to these interfaces, the M-500 appliance supports 10Gbps throughput on its Eth4 and Eth5 interfaces. The M-Series appliances do not support Link Aggregation Control Protocol (LACP) for aggregating interfaces.

M-Series Setup Overview

Use the following procedures to set up an M-Series appliance:

• Set Up an M-Series Appliance in Panorama Mode
• Set Up an M-Series Appliance in Log Collector Mode

Set Up an M-Series Appliance in Panorama Mode

STEP 1 | Rack mount the M-Series appliance. Refer to the M-100 or M-500 Appliance Hardware Reference Guide for instructions.

STEP 2 | Perform Initial Configuration of the M-Series Appliance


STEP 3 | Register Panorama and Install Licenses

STEP 4 | Install Content and Software Updates for Panorama

STEP 5 | See Step 4. This task is required to make the RAID disks available for logging. Optionally, you can add disks to Increase Storage on the M-Series Appliance.

STEP 6 | Set Up Administrative Access to Panorama

STEP 7 | Manage Firewalls

STEP 8 | Manage Log Collection

Set Up an M-Series Appliance in Log Collector Mode

STEP 1 | Rack mount the M-Series appliance. Refer to the M-100 or M-500 Appliance Hardware Reference Guide for instructions.

STEP 2 | Perform Initial Configuration of the M-Series Appliance

STEP 3 | Register Panorama and Install Licenses

STEP 4 | Install Content and Software Updates for Panorama

STEP 5 | See Step 4. This task is required to make the RAID disks available for logging. Optionally, you can add disks to Increase Storage on the M-Series Appliance.

STEP 6 | Set Up the M-Series Appliance as a Log Collector

STEP 7 | Manage Log Collection

Perform Initial Configuration of the M-Series Appliance

By default, Panorama has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other configuration tasks. You must perform these initial configuration tasks either from the Management (MGT) interface or using a direct serial port connection to the console port on the M-500 or M-100 appliance.

STEP 1 | Gather the required interface and server information from your network administrator.

• Gather the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for each interface that you plan to configure (MGT, Eth1, Eth2, Eth3, Eth4, Eth5). Only the MGT interface is mandatory. Palo Alto Networks recommends that you specify all these settings for the MGT interface. If you omit values for some of these settings (such as the default gateway), you can access Panorama only through the console port for future configuration changes. You cannot commit the configurations for other interfaces unless you specify all these settings. If you plan to use the appliance as a Panorama management server, Palo Alto Networks recommends using the MGT interface only for managing Panorama and using other interfaces for managing devices, collecting logs, communicating with Collector Groups, and deploying updates to devices (see M-Series Appliance Interfaces).


• Gather the IP addresses of the DNS servers.

STEP 2 | Access the M-Series appliance from your computer.

1. Connect to the M-Series appliance in one of the following ways:
   • Attach a serial cable from a computer to the Console port on the M-Series appliance and connect using terminal emulation software (9600-8-N-1).
   • Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-Series appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
2. When prompted, log in to the appliance using the default username and password (admin/admin). The appliance starts initializing.

STEP 3 | Configure the network access settings for each interface that you will use to manage Panorama, manage devices, collect logs, communicate with Collector Groups, and deploy updates to devices.

1. Select Panorama > Setup > Interfaces and click the Interface Name.
2. (Non-MGT interfaces only) Enable the interface.
3. Edit the network access settings of each interface that Panorama will use. Only the MGT interface is required. The Eth1, Eth2, Eth3, Eth4, and Eth5 interfaces are optional and apply only if you plan to use the M-Series appliance as a Panorama management server.
   1. Complete one or both of the following field sets based on the IP protocols of your network:
      • IPv4—IP Address, Netmask, and Default Gateway
      • IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
   2. Select the Device Management Services that the interface supports:
      • Device Management and Device Log Collection—You can assign one or more interfaces.
      • Collector Group Communication—You can assign only one interface.
      • Device Deployment (software and content updates)—You can assign only one interface.
   3. (Optional) Select the Network Connectivity Services that the interface supports. (MGT interface only) Disable Telnet and HTTP; these services use plaintext and so are less secure than other services.
   4. Click OK to save your changes.

STEP 4 | Configure the hostname, time zone, and general settings.

1. Select Panorama > Setup > Management and edit the General Settings.
2. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT or UTC. If you plan to use the Logging Service, you must configure NTP so that Panorama can stay in sync with the Logging Service. The firewall records timestamps when it generates logs and Panorama records timestamps upon receiving the logs. Aligning the time zones ensures that the timestamps are synchronized and that the process of querying logs and generating reports on Panorama is consistent.
3. Enter a Hostname for the server. Panorama uses this as the display name/label for the appliance. For example, this is the name that appears at the CLI prompt. It also appears in the Collector Name field if you add the appliance as a managed collector on the Panorama > Managed Collectors page.
4. (Optional) Enter the Latitude and Longitude to enable accurate placement of the M-Series appliance on the world map. The App Scope > Traffic Maps and App Scope > Threat Maps use these values.
5. Click OK to save your entries.


STEP 5 | Configure the DNS servers and Palo Alto Networks Update Server.

1. Select Panorama > Setup > Services and edit the settings.
2. Enter the IP address of the Primary DNS Server and (optionally) of the Secondary DNS Server.
3. Enter the URL or static address of the Update Server (default updates.paloaltonetworks.com). Select Verify Update Server Identity if you want Panorama to verify that the Update Server from which it downloads software or content packages has an SSL certificate that a trusted authority signed. This option adds an additional level of security for communication between the Panorama management server and Update Server.
4. Click OK to save your entries.

STEP 6 | Change the default admin password.

1. Click the admin link in the lower left of the web interface.
2. Enter the Old Password, New Password, and Confirm New Password, and then click OK. Store the new password in a safe location.

To ensure that the MGT interface remains secure, configure Minimum Password Complexity settings (select Panorama > Setup > Management) and specify the interval at which administrators must change their passwords.

STEP 7 | Commit your configuration changes. Select Commit > Commit to Panorama and Commit your changes.

If you plan to use the M-Series appliance as a Panorama management server and you configured interfaces other than MGT, you must assign those interfaces to the Device Log Collection or Collector Group Communication functions when you Configure a Managed Collector. To make the interfaces operational, you must then Configure a Collector Group for the managed collector and perform a Collector Group commit.

STEP 8 | Verify network access to external services required for Panorama management, such as the Palo Alto Networks Update Server.

1. Connect to the M-Series appliance in one of the following ways:
   • Attach a serial cable from your computer to the Console port on the M-Series appliance. Then use terminal emulation software (9600-8-N-1) to connect.
   • Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the MGT interface of the M-Series appliance during initial configuration.
2. Log in to the CLI when prompted. Use the default admin account and the password that you specified during initial configuration.
3. Use the ping utility to verify network connectivity to the Palo Alto Networks Update Server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update Server (10.101.16.13, in this example); the Update Server does not respond to a ping request.

   > ping host updates.paloaltonetworks.com
   PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.

   After verifying DNS resolution, press Ctrl+C to stop the ping request.
4. Use the following CLI command to retrieve information on the support entitlement for Panorama from the Update Server:


   > request support check

   If you have connectivity, the Update Server responds with the support status for Panorama. Because Panorama is not registered, the Update Server returns the following message:

   Contact Us
   https://www.paloaltonetworks.com/company/contact-us.html
   Support Home
   https://www.paloaltonetworks.com/support/tabs/overview.html
   Device not found on this update server

STEP 9 | Next steps...

1. Register Panorama and Install Licenses.
2. Install Content and Software Updates for Panorama.

As a best practice, replace the default certificate that Panorama uses to secure HTTPS traffic over the MGT interface.
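Steps 1 through 6 above amount to a short hardening checklist for the MGT interface: all three address fields set, Telnet and HTTP disabled, hostname and time zone configured, a primary DNS server, and Verify Update Server Identity turned on. The following audit reads those items back out of a saved configuration so the result of the procedure can be verified, for example before the appliance is put into service or as a recurring drift check. It is an added example, not code from the Panorama guide or from Palo Alto Networks. It assumes the element names of the PAN-OS configuration XML schema under devices/entry/deviceconfig/system, and both configuration snapshots are constructed for the example rather than exported from a real appliance.

```python
"""Audit a Panorama (M-Series) configuration snapshot for the MGT-interface
hardening items the initial-configuration procedure calls out.

Added example, not code from the Panorama guide or from Palo Alto Networks.
Assumptions: the element names follow the PAN-OS configuration XML schema
(devices/entry/deviceconfig/system/...), and both snapshots below are
constructed for the example rather than exported from a real appliance.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed: an appliance given an IP address but otherwise left near factory state.
WEAK_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>Panorama</hostname>
          <ip-address>192.168.1.1</ip-address>
          <netmask>255.255.255.0</netmask>
          <dns-setting><servers/></dns-setting>
          <update-server>updates.paloaltonetworks.com</update-server>
          <service>
            <disable-telnet>no</disable-telnet>
            <disable-http>no</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Constructed: the same appliance after STEP 3 through STEP 6 of the procedure.
HARDENED_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>panorama-dc1</hostname>
          <ip-address>192.0.2.10</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>192.0.2.1</default-gateway>
          <timezone>UTC</timezone>
          <dns-setting><servers><primary>192.0.2.53</primary></servers></dns-setting>
          <update-server>updates.paloaltonetworks.com</update-server>
          <server-verification>yes</server-verification>
          <service>
            <disable-telnet>yes</disable-telnet>
            <disable-http>yes</disable-http>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

SYSTEM_PATH = "./devices/entry/deviceconfig/system"


def _text(system: ET.Element, path: str) -> str:
    node = system.find(path)
    return (node.text or "").strip() if node is not None else ""


def audit_mgt_config(xml_text: str) -> list[str]:
    """Return one finding per hardening item that the snapshot does not satisfy."""
    system = ET.fromstring(xml_text).find(SYSTEM_PATH)
    if system is None:
        return ["no deviceconfig/system element found"]
    findings: list[str] = []
    # STEP 1/3: IP, netmask and default gateway must all be set on MGT;
    # without the gateway, later changes may be possible only via the console port.
    for field in ("ip-address", "netmask", "default-gateway"):
        if not _text(system, field):
            findings.append(f"MGT: {field} not set")
    # STEP 3: Telnet and HTTP carry credentials in plaintext; both must be disabled.
    for service in ("disable-telnet", "disable-http"):
        if _text(system, f"service/{service}") != "yes":
            findings.append(f"MGT: {service} is not 'yes' (plaintext service enabled)")
    # STEP 4: hostname and a time zone aligned with the managed firewalls.
    if not _text(system, "hostname"):
        findings.append("hostname not set")
    if not _text(system, "timezone"):
        findings.append("time zone not set (log timestamps will not align with firewalls)")
    # STEP 5: DNS and update-server identity verification.
    if not _text(system, "dns-setting/servers/primary"):
        findings.append("no primary DNS server configured")
    if _text(system, "server-verification") != "yes":
        findings.append("Verify Update Server Identity is off")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_mgt_config(cfg) or ["OK"])
```

Run it against an exported configuration (Panorama > Setup > Operations > Export named Panorama configuration snapshot) and treat a non-empty finding list as a failed check; the default admin password cannot be verified from the configuration and still has to be confirmed by the operator.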

Set Up the M-Series Appliance as a Log Collector

If you want a dedicated appliance for log collection, configure an M-100 or M-500 appliance in Log Collector mode. To do this, you first perform the initial configuration of the appliance in Panorama mode, which includes licensing, installing software and content updates, and configuring the management (MGT) interface. You then switch the M-100 or M-500 appliance to Log Collector mode and complete the Log Collector configuration. Additionally, if you want to use dedicated M-Series Appliance Interfaces (recommended) instead of the MGT interface for log collection and Collector Group communication, you must first configure the interfaces for the Panorama management server, then configure them for the Log Collector, and then perform a Panorama commit followed by a Collector Group commit.

Perform the following steps to set up a new M-Series appliance as a Log Collector or to convert an existing M-Series appliance that was previously deployed as a Panorama management server.

Switching the M-Series appliance from Panorama mode to Log Collector mode reboots the appliance, deletes the local Log Collector, deletes any existing log data, and deletes all configurations except the management access settings. Switching the mode does not delete licenses, software updates, or content updates.

STEP 1 | Set up the Panorama management server that will manage the Log Collector if you have not already done so.

Perform one of the following tasks:

• Set Up the Panorama Virtual Appliance
• Set Up the M-Series Appliance

STEP 2 | Record the management IP addresses of the Panorama management server. If you deployed Panorama in a high availability (HA) configuration, you need the IP address of each HA peer.

1. Log in to the web interface of the Panorama management server.
2. Record the IP Address of the solitary (non-HA) or active (HA) Panorama by selecting Panorama > Setup > Management and checking the Management Interface Settings.


3. For an HA deployment, record the Peer HA IP Address of the passive Panorama by selecting Panorama > High Availability and checking the Setup section.

STEP 3 | Set up the M-Series appliance that will serve as a Dedicated Log Collector.

If you previously deployed this appliance as a Panorama management server, you can skip this step because the MGT interface is already configured and the licenses and updates are already installed.

The M-Series appliance in Log Collector mode does not have a web interface for configuration tasks, only a CLI. Therefore, before changing the mode on the M-Series appliance, use the web interface in Panorama mode to:

1. Perform Initial Configuration of the M-Series Appliance.
2. Register Panorama and Install Licenses.
3. Install Content and Software Updates for Panorama.

STEP 4 | Access the CLI of the M-Series appliance.

1. Connect to the M-Series appliance in one of the following ways:
   • Attach a serial cable from your computer to the Console port on the M-Series appliance. Then use terminal emulation software (9600-8-N-1) to connect.
   • Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the MGT interface of the M-Series appliance during initial configuration.
2. Log in to the CLI when prompted. Use the default admin account and the password that you specified during initial configuration.

STEP 5 | Switch from Panorama mode to Log Collector mode.

1. Switch to Log Collector mode by entering the following command:

   > request system system-mode logger

2. Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to see the Panorama login prompt. If you see a CMS Login prompt, this means the Log Collector has not finished rebooting. Press Enter at the prompt without typing a username or password.
3. Log back in to the CLI.
4. Verify that the switch to Log Collector mode succeeded:

   > show system info | match system-mode

   If the mode change succeeded, the output displays:

   system-mode: logger

STEP 6 | Configure the logging disks as RAID1 pairs.

If you previously deployed the appliance as a Panorama management server, you can skip this step because the disk pairs are already configured and available.

The time required to configure the drives varies from several minutes to a couple of hours, based on the amount of data on the drives.


1. Determine which disk pairs are present for configuring as RAID pairs on the M-Series appliance:

   > show system raid detail

   Perform the remaining steps to configure each disk pair that has present disks. This example uses disk pair A1/A2.
2. To add the first disk in the pair, enter the following command and enter y when prompted to confirm the request:

   > request system raid add A1

   Wait for the process to finish before adding the next disk in the pair. To monitor the progress of the RAID configuration, re-enter:

   > show system raid detail

   After the process finishes for the first disk, the output displays the disk pair status as Available but degraded.
3. Add the second disk in the pair:

   > request system raid add A2

4. Verify that the disk setup is complete:

   > show system raid detail

   After the process finishes for the second disk, the output displays the disk pair status as Available and clean:

   Disk Pair A          Available
      Status            clean

STEP 7 | Enable connectivity between the Log Collector and Panorama management server.

Enter the following commands at the Log Collector CLI, where the first address is the MGT interface of the solitary (non-HA) or active (HA) Panorama and the second address is the MGT interface of the passive (HA) Panorama, if applicable.

   > configure
   # set deviceconfig system panorama-server <active Panorama MGT IP address> panorama-server-2 <passive Panorama MGT IP address>
   # commit
   # exit

STEP 8 | Record the serial number of the Log Collector. You need the serial number to add the Log Collector as a managed collector on the Panorama management server.

1. At the Log Collector CLI, enter the following command to display its serial number.


   > show system info | match serial

2. Record the serial number.

STEP 9 | Add the Log Collector as a managed collector to the Panorama management server.

1. Select Panorama > Managed Collectors and Add a managed collector.
2. In the General settings, enter the serial number (Collector S/N) you recorded for the Log Collector.
3. In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non-HA) or active (HA) Panorama. For HA deployments, enter the IP address or FQDN of the passive Panorama peer in the Panorama Server IP 2 field. These IP addresses must specify a Panorama interface that has Device Management and Device Log Collection services enabled. By default, these services are enabled only on the MGT interface. However, you might have enabled the services on other interfaces when you Set Up the M-Series Appliance that is a Panorama management server.
4. Select Interfaces, click Management, and configure one or both of the following field sets for the MGT interface based on the IP protocols of your network.
   • IPv4—IP Address, Netmask, and Default Gateway
   • IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
5. Click OK twice to save your changes to the Log Collector.
6. Select Commit > Commit to Panorama and Commit your changes to the Panorama configuration. This step is required before you can enable logging disks.
7. Verify that Panorama > Managed Collectors lists the Log Collector you added. The Connected column displays a check mark to indicate that the Log Collector is connected to Panorama. You might have to wait a few minutes before the page displays the updated connection status. At this point, the Configuration Status column displays Out of Sync and the Run Time Status column displays disconnected. The status will change to In Sync and connected after you configure a Collector Group (see Assign the Log Collector to a Collector Group).

STEP 10 | Enable the logging disks.

1. Select Panorama > Managed Collectors and edit the Log Collector.
2. Select Disks and Add each RAID disk pair.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama configuration.

STEP 11 | (Recommended) Configure the Ethernet1, Ethernet2, Ethernet3, Ethernet4, and Ethernet5 interfaces if the Panorama management server and Log Collector will use them for Device Log Collection (receiving logs from firewalls) and Collector Group Communication.

If you previously deployed the Log Collector as a Panorama management server and configured these interfaces, you must reconfigure them because switching to Log Collector mode (Step 5, Switch from Panorama mode to Log Collector mode) would have deleted all configurations except the management access settings.

1. Configure each interface on the Panorama management server (other than the MGT interface) if you haven't already:
   1. Select Panorama > Setup > Interfaces and click the Interface Name.
   2. Select to enable the interface.
   3. Complete one or both of the following field sets based on the IP protocols of your network:

64 PANORAMA ADMINISTRATOR'S GUIDE | Set Up Panorama ©

2019 Palo Alto Networks, Inc.

IPv4—IP Address, Netmask, and Default Gateway IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway 4. Select the Device Management Services that the interface supports: Device Management and Device Log Collection—You can assign one or more interfaces. Collector Group Communication—You can assign only one interface. Device Deployment (software and content updates)—You can assign only one interface. 5. Click OK to save your changes. 2. Configure each interface on the Log Collector (other than the MGT interface): 1. 2. 3. 4.

Select Panorama > Managed Collectors and edit the Log Collector. Select Interfaces and click the name of the interface. Select to enable the interface. Complete one or both of the following field sets based on the IP protocols of your network: IPv4—IP Address, Netmask, and Default Gateway

IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway 5. Select the Device Management Services that the interface supports: Device Log Collection—You can assign one or more interfaces. Collector Group Communication—You can assign only one interface. 6. Click OK to save your changes to the interface. 3. Click OK to save your changes to the Log Collector. 4. Select Commit > Commit to Panorama and Commit your changes to the Panorama configuration. STEP 12 | (Optional) If your deployment is using custom certificates for authentication between

Panorama and managed devices, deploy the custom client device certificate. For more information, see Set Up Authentication Using Custom Certificates.

1. Select Panorama > Certificate Management > Certificate Profile and choose the certificate profile from the drop-down or click New Certificate Profile to create one. 2. Select Panorama > Managed Collectors > Add > Communication for a Log Collector. 3. Select the Secure Client Communication check box. 4. Select the type of device certificate the Type drop-down. • If you are using a local device certificate, select the Certificate and Certificate Profile from the respective drop-downs. • If you are using SCEP as the device certificate, select the SCEP Profile and Certificate Profile from the respective drop-downs. 5. Click OK. STEP 13 | (Optional) Configure Secure Server Communication on a Log Collector. For more information,

see Set Up Authentication Using Custom Certificates.

1. Select Panorama > Managed Collectors > Add > Communication. 2. Verify that the Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates. When the Custom Certificate Only check box is selected, the Log Collector does not authenticate and cannot receive logs from devices using predefined certificates. 3. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between the Log Collector and devices sending it logs. 4. Select the certificate profile from the Certificate Profile drop-down.


   5. Select Authorize Client Based on Serial Number to have the server check clients against the serial numbers of managed devices. The client certificate must have the special keyword $UDID set as the CN to authorize based on serial numbers.
   6. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes. The disconnect wait time does not begin counting down until you commit the new configuration.
   7. (Optional) Configure an authorization list.
      1. Click Add under Authorization List.
      2. Select the Subject or Subject Alt Name as the Identifier type.
      3. Enter an identifier of the selected type.
      4. Click OK.
      5. Select Check Authorization List to enforce the authorization list.
   8. Click OK.
   9. Select Commit > Commit to Panorama.

STEP 14 | Assign the Log Collector to a Collector Group.

   1. Configure a Collector Group. You must perform a Panorama commit and then a Collector Group commit to synchronize the Log Collector configuration with Panorama and to put the Eth1, Eth2, Eth3, Eth4, and Eth5 interfaces (if you configured them) in an operational state on the Log Collector.
      In any single Collector Group, all the Log Collectors must run on the same Panorama model: all M-500 appliances, all M-100 appliances, or all Panorama virtual appliances.
      As a best practice, Enable log redundancy across collectors if you add multiple Log Collectors to a single Collector Group. This option requires each Log Collector to have the same number of logging disks.
   2. Select Panorama > Managed Collectors to verify that the Log Collector configuration is synchronized with Panorama. The Configuration Status column should display In Sync and the Run Time Status column should display connected.
   3. Access the Log Collector CLI and enter the following command to verify that its interfaces are operational:

         > show interface all

      The output displays the state as up for each interface that is operational.
   4. If the Collector Group has multiple Log Collectors, verify they can communicate with each other by running the following command for each interface that the Log Collectors use. For the source IP address, specify the interface of the Log Collector on which you run the command. For the host IP address, specify the matching interface of another Log Collector in the same Collector Group.

         > ping source <source-ip-address> host <host-ip-address>

      For example, if a Collector Group contains Log Collector A with an MGT interface set to 192.0.2.1 and Log Collector B with an MGT interface set to 192.0.2.2, log in to Log Collector A and enter:

         > ping source 192.0.2.1 host 192.0.2.2


      If the Log Collectors can communicate over their MGT interfaces, the output displays:

         PING 192.0.2.2 (192.0.2.2) from 192.0.2.1 : 56(84) bytes of data.

STEP 15 | Next steps

   To enable the Log Collector to receive firewall logs:
   1. Configure Log Forwarding to Panorama.
   2. Verify Log Forwarding to Panorama.

Increase Storage on the M-Series Appliance

After you Perform Initial Configuration of the M-Series Appliance, you can increase log storage capacity of the appliance by upgrading the existing drive pairs to larger capacity drives or by installing additional drive pairs in empty drive bays. For example, you can choose to upgrade the existing 1TB drives to 2TB on an M-100 appliance, or you can add 2TB drives to the empty drive bays (B1 through D2).

The M-Series appliances leverage RAID 1 for data redundancy in the event of disk failure. Therefore, the pair of drives in a RAID 1 array need to be identical. However, you are free to mix drive capacities across different RAID 1 arrays. For example, the drives in the A1/A2 RAID 1 array can be 1TB drives, and the drives in the B1/B2 RAID 1 array can be 2TB drives.

The following table lists the maximum number of drive bays and the available drive capacities supported on M-Series appliances. Because each drive pair (A1/A2 for example) is in a RAID 1 array, the total storage capacity is half of the total drives installed. For example, if an M-100 appliance has 2TB drives installed in drive bays A1/A2 and B1/B2, the A1/A2 array provides 2TB total storage and the B1/B2 array provides another 2TB for a total of 4TB.

   Appliance          Number of Supported Drive Bays   Supported Drive Capacity
   M-100 Appliance    8                                1TB or 2TB
   M-500 Appliance    24                               1TB or 2TB

Before expanding log storage capacity, Determine Panorama Log Storage Requirements. If you need more log storage than a single M-Series appliance supports, you can add Dedicated Log Collectors (see Configure a Managed Collector) or you can Configure Log Forwarding from Panorama to External Destinations.

You don't need to take the M-Series appliance offline to expand the storage when adding drives to an M-Series appliance that is already deployed. When the additional drives are configurable and available, the M-Series appliance redistributes the logs among all available drives. This log redistribution process happens in the background and does not impact uptime or the availability of the M-Series appliance. However, the process does diminish the maximum logging rate. The Redistribution State column (Panorama > Collector Groups) indicates the completion status of the process as a percentage.

• Add Additional Drives to an M-Series Appliance
• Upgrade Drives on M-Series Appliances Running Panorama 7.0.8 or a Later Release
• Upgrade Drives on M-Series Appliances Running Panorama 7.0.7 or an Earlier Release

Add Additional Drives to an M-Series Appliance

STEP 1 | Install the new drives in the appropriate drive bays.

   Make sure to add the drives sequentially in the next open drive bays. For example, add drives to B1 and B2 before adding drives to C1 and C2.

STEP 2 | Access the command line interface (CLI) on the M-Series appliance.

   Connect to the M-Series appliance in one of two ways:
   • Connect a serial cable from your computer to the Console port and connect to the M-Series appliance using terminal emulation software (9600-8-N-1).
   • Use terminal emulation software (such as PuTTY) to open a Secure Shell (SSH) session to the IP address of the M-Series appliance.

STEP 3 | When prompted, log in to the appliance.

   Use the default administrator account and the assigned password.

STEP 4 | Configure each array.

   The time required to mirror the data on the drive may vary from several minutes to a few hours, depending on the amount of data on the drive. The following example uses the drives in bays B1 and B2.
   1. Enter the following commands and confirm the request when prompted:

         > request system raid add B1
         > request system raid add B2

   2. To monitor the progress of the RAID configuration, enter the following command:

         > show system raid detail

      When the RAID setup is complete, the following response displays:

         Disk Pair A                      Available
            Status                        clean
            Disk id A1                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
            Disk id A2                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
         Disk Pair B                      Available
            Status                        clean
            Disk id B1                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
            Disk id B2                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync

STEP 5 | Make the array available for logging.

   To enable the array for logging, you must first add the appliance as a managed collector on Panorama. If not already added, see Configure a Managed Collector.
   1. Log in to the web interface of the Panorama management server that manages this Log Collector.
   2. Select Panorama > Managed Collectors and edit the Log Collector.
   3. Select Disks and Add each array.
   4. Click OK to save your changes.
   5. Select Commit > Commit to Panorama and Commit your changes.
   6. Select Commit > Push to Devices, select the Collector Group, and Push your changes.

Upgrade Drives on M-Series Appliances Running Panorama 7.0.8 or a Later Release

STEP 1 | Access the command line interface (CLI) on the M-Series appliance.

   Connect to the M-Series appliance in one of two ways:
   • Connect a serial cable from your computer to the Console port and connect to the M-Series appliance using terminal emulation software (9600-8-N-1).
   • Use terminal emulation software (such as PuTTY) to open a Secure Shell (SSH) session to the IP address of the M-Series appliance.

STEP 2 | When prompted, log in to the appliance.

   Use the default administrator account and the assigned password.

STEP 3 | Verify that the RAID 1 status for the installed drives shows there are at least two functioning RAID 1 arrays.

   During the upgrade, you will upgrade one RAID 1 array at a time and there must be at least one other RAID 1 array that is available to the appliance. The appliance will show an abort error if you try to remove the only functioning array from the configuration. Enter the following command to view RAID status:

         > show system raid detail

   For example, the following shows an output from an M-500 appliance with two available arrays (Disk Pair A and Disk Pair B). If there is only one available array, you must add a second array as described in Add Additional Drives to an M-Series Appliance before you upgrade the drives.

         Disk Pair A                      Available
            Status                        clean
            Disk id A1                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
            Disk id A2                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
         Disk Pair B                      Available
            Status                        clean
            Disk id B1                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
            Disk id B2                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync

STEP 4 | Remove the first 1TB drive and replace it with a 2TB drive.

   1. To remove the first drive from the RAID 1 array configuration (A1 in this example), enter the following command and enter y when prompted to confirm the request:

         > request system raid remove A1

   2. Physically remove the first drive from the drive bay. Press the ejector button on the drive carrier in drive bay A1 to release the ejector handle. Then pull the handle toward you and slide the drive out of the appliance.
   3. Remove a 2TB drive from its packaging and place the drive on a table next to the drive you just removed. Take note of how the drive is installed in the carrier because you will install the 2TB drive in this same carrier.
   4. Remove the four screws holding the 1TB drive in the carrier and remove the drive from the carrier.
   5. Attach the 2TB drive to the carrier using the same four screws you removed from the 1TB drive and then reinsert the carrier with the 2TB drive into drive bay A1.
   6. Enter the following command to verify the 2TB drive is recognized:

         > show system raid detail

      Verify that the A1 disk shows the correct model and size (about 2TB). If the model and size are not correct, run the above command again until the correct model and size are shown. If the wrong model and size are consistently shown, enter the following command:

         > request system raid remove A1

      Wait for 30 seconds once you run the above command, then remove the disk and reinsert it and repeat the show system raid detail command to verify the size and model.

STEP 5 | Copy the data from the remaining installed 1TB drive in the RAID 1 array to the newly installed 2TB drive in that array.

   The time required to copy the data may vary from several minutes to a few hours, depending on the amount of data on the drive.
   1. To copy the data from the 1TB drive in drive bay A2 to the newly installed 2TB drive in drive bay A1, enter the following command and enter y when prompted:

         > request system raid copy from A2 to A1

   2. To view the status of the copy process, run the following command:

         > show system raid detail

      Continue running this command to view the RAID detail output until you see that the array (A1/A2 in this example) shows Available. At this point, drive A2 will show not in use because there is a drive size mismatch.

STEP 6 | Upgrade the second drive in the RAID 1 array to a 2TB drive.

   1. Remove the second 1TB drive (from drive bay A2 in the current example) from the RAID 1 array configuration:

         > request system raid remove A2

   2. Insert the carrier with the newly installed 2TB drive into drive bay A2 and add it to the RAID 1 array configuration:

         > request system raid add A2

      The system will copy the data from A2 to A1 to mirror the drives.
   3. To view the status of the copy process, run the following command:

         > show system raid detail

      Continue to view the RAID detail output until you see that the array (A1/A2 in this example) shows Available and both disks show active sync.

         Disk Pair A                      Available
            Status                        clean
            Disk id A1                    Present
                model        : ST2000NX0253
                size         : 1907138 MB
                status       : active sync
            Disk id A2                    Present
                model        : ST2000NX0253
                size         : 1907138 MB
                status       : active sync

STEP 7 | Upgrade drives for additional RAID 1 arrays as needed.

   To upgrade additional RAID 1 arrays to 2TB drives, repeat this procedure replacing the drive designators as applicable. For example, replace A1 with B1 and A2 with B2 to upgrade the drives in the B1/B2 RAID 1 array.

Upgrade Drives on M-Series Appliances Running Panorama 7.0.7 or an Earlier Release

The logs on the 1TB drives will not be available after upgrading drives on an M-Series appliance that is running Panorama 7.0.7 or an earlier release. Even if this is acceptable, we recommend that you perform this upgrade during a maintenance window. If it is important to you to retain logs, you must upgrade to Panorama 7.0.8 or a later release and then use the Upgrade Drives on M-Series Appliances Running Panorama 7.0.8 or a Later Release procedure.

STEP 1 | Access the command line interface (CLI) on the M-Series appliance.

   Connect to the M-Series appliance in one of two ways:
   • Connect a serial cable from your computer to the Console port and connect to the M-Series appliance using terminal emulation software (9600-8-N-1).
   • Use terminal emulation software (such as PuTTY) to open a Secure Shell (SSH) session to the IP address of the M-Series appliance.

STEP 2 | When prompted, log in to the appliance.

   Use the default administrator account and the assigned password.

STEP 3 | Verify that the RAID 1 status for the installed drives shows there are at least two functioning RAID 1 arrays.

   During the upgrade, you will upgrade one RAID 1 array at a time and there must be at least one other RAID 1 array that is available to the appliance. The appliance will show an abort error if you try to remove the only functioning array from the configuration. Enter the following command to view RAID status:

         > show system raid detail

   For example, the following shows an output from an M-500 appliance with two available arrays (Disk Pair A and Disk Pair B). If there is only one available array, you must add a second array as described in Add Additional Drives to an M-Series Appliance before you upgrade the drives.

         Disk Pair A                      Available
            Status                        clean
            Disk id A1                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
            Disk id A2                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
         Disk Pair B                      Available
            Status                        clean
            Disk id B1                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
            Disk id B2                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync

STEP 4 | Remove the first two 1TB drives from the first RAID 1 array configuration and then physically remove the drives.

   1. To remove the drives from the RAID 1 array configuration (A1 and A2 in this example), enter the following commands and enter y when prompted to confirm each request:

         > request system raid remove A1
         > request system raid remove A2

   2. Physically remove the drives from the drive bays. Press the ejector button on each drive carrier to release the ejector handle. Then pull the handle toward you and slide the drives out of the appliance.
   3. Remove two 2TB drives from their packaging and place them on a table next to the drives you just removed. Take note of how the drives are installed in the carrier because you will install the 2TB drives in these same carriers.
   4. Remove the four screws holding each drive in its carrier and remove the drives from the carriers.
   5. Attach the 2TB drives to the carriers using the same screws you just removed and then insert the carriers with the newly installed 2TB drives into the drive bays (A1 and A2 in this example).

STEP 5 | Create a new RAID 1 array for the newly installed 2TB drives and ensure that both drives are in the new array.

   1. To create a new array that includes the drive in drive bay A1, enter the following command:

         > request system raid add A1

   2. To view and confirm the status of the new RAID 1 array configuration, enter the following command:

         > show system raid detail

      The following output shows that the Disk Pair A array is Available. At this point, drive A2 will show not in use.

         Disk Pair A                      Available
            Status                        clean, degraded
            Disk id A1                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : active sync
            Disk id A2                    Present
                model        : ST91000640NS
                size         : 953869 MB
                status       : not in use

   3. Add the second disk to the new array. In this example, add A2:

         > request system raid add A2

   4. Continue running the show system raid detail command to view the RAID output until the disk pair status shows clean and both disks show active sync.

STEP 6 | Upgrade drives for additional RAID 1 arrays as needed.

   To upgrade additional RAID 1 arrays to 2TB drives, repeat this procedure replacing the drive designators as applicable. For example, replace A1 with B1 and A2 with B2 to upgrade the drives in the B1/B2 RAID 1 array.
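All three drive procedures above, and the storage section before them, turn on reading the show system raid detail output correctly: STEP 3 of both upgrade procedures requires a second available array before any drive is removed, STEP 5 of the 7.0.8 procedure leaves one drive showing not in use after a size mismatch, and usable capacity is one drive's worth per RAID 1 pair. The following Python script is an added example, not Palo Alto Networks code, that parses that output offline and performs those checks. The column layout is assumed from the samples printed in this guide, the sample output is constructed, and the removal pre-check only anticipates the abort the appliance itself raises.

```python
"""Parse `show system raid detail` output and run the drive-procedure pre-checks.
Added example, not Palo Alto Networks code: the column layout is assumed from the
guide's samples and the sample output below is constructed."""
import re

PAIR_RE = re.compile(r"^Disk Pair (\w+)\s+(\S.*)$")     # Disk Pair A    Available
PAIR_STATUS_RE = re.compile(r"^\s+Status\s+(\S.*)$")    #    Status      clean
DISK_RE = re.compile(r"^\s+Disk id (\w+)\s+(\S.*)$")    #    Disk id A1  Present
FIELD_RE = re.compile(r"^\s+(model|size|status)\s*:\s*(.*)$")

def parse_raid_detail(text):
    """Return pairs as {name, availability, status, disks:[{id, present, model, size_mb, status}]}."""
    pairs, pair, disk = [], None, None
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            pair = {"name": m.group(1), "availability": m.group(2).strip(), "status": "", "disks": []}
            pairs.append(pair)
            disk = None
            continue
        m = PAIR_STATUS_RE.match(line)          # capital S: the pair-level Status line
        if m and pair is not None:
            pair["status"] = m.group(1).strip()
            continue
        m = DISK_RE.match(line)
        if m and pair is not None:
            disk = {"id": m.group(1), "present": m.group(2).strip() == "Present",
                    "model": "", "size_mb": 0, "status": ""}
            pair["disks"].append(disk)
            continue
        m = FIELD_RE.match(line)
        if m and disk is not None:
            key, value = m.group(1), m.group(2).strip()
            if key == "size":
                disk["size_mb"] = int(value.split()[0])   # "953869 MB"
            else:
                disk[key] = value
    return pairs

def pair_is_healthy(pair):
    """Available, clean, both disks present and in active sync."""
    return (pair["availability"] == "Available" and pair["status"] == "clean"
            and len(pair["disks"]) == 2
            and all(d["present"] and d["status"] == "active sync" for d in pair["disks"]))

def healthy_pairs(pairs):
    return [p["name"] for p in pairs if pair_is_healthy(p)]

def safe_to_remove(pairs, disk_id):
    """STEP 3 rule: another array must stay available before a disk is removed. Returns (ok, reason)."""
    own = disk_id[:1]
    if not any(d["id"] == disk_id for p in pairs for d in p["disks"]):
        return False, "unknown disk " + disk_id
    others = [name for name in healthy_pairs(pairs) if name != own]
    if not others:
        return False, "no other available RAID 1 array; add a second array first"
    return True, "other available arrays: " + ", ".join(others)

def size_mismatches(pairs):
    """Pairs whose present disks differ in size (the smaller one shows `not in use`)."""
    return [p["name"] for p in pairs if len({d["size_mb"] for d in p["disks"] if d["present"]}) > 1]

def usable_storage_mb(pairs):
    """RAID 1 usable capacity: one disk's worth per pair, the smallest disk in active sync."""
    total = 0
    for p in pairs:
        sizes = [d["size_mb"] for d in p["disks"] if d["present"] and d["status"] == "active sync"]
        if sizes:
            total += min(sizes)
    return total

# Constructed sample: A healthy on 1TB drives, B mid-upgrade (2TB in B1, old 1TB in B2), C bays empty.
SAMPLE_OUTPUT = """\
Disk Pair A                      Available
   Status                        clean
   Disk id A1                    Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
   Disk id A2                    Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : active sync
Disk Pair B                      Available
   Status                        clean
   Disk id B1                    Present
       model        : ST2000NX0253
       size         : 1907138 MB
       status       : active sync
   Disk id B2                    Present
       model        : ST91000640NS
       size         : 953869 MB
       status       : not in use
Disk Pair C                      Not Available
   Disk id C1                    Not Present
   Disk id C2                    Not Present
"""
```

Run it with `pairs = parse_raid_detail(SAMPLE_OUTPUT)`: `healthy_pairs(pairs)` returns only A, `safe_to_remove(pairs, "A1")` refuses because no other array is clean, `safe_to_remove(pairs, "B2")` allows it, and `usable_storage_mb(pairs)` counts pair B at the 2TB drive's size because the 1TB drive is no longer in sync, which is the state STEP 5 describes.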

Configure Panorama to Use Multiple Interfaces

In a large-scale network, you can improve security and reduce congestion by implementing network segmentation, which involves segregating the subnetworks based on resource usage, user roles, and security requirements. Panorama supports network segmentation by enabling you to use multiple M-Series Appliance Interfaces for managing devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters) and collecting logs; you can assign separate interfaces to the devices on separate subnetworks. Using multiple interfaces to collect logs also provides the benefit of load balancing, which is particularly useful in environments where the firewalls forward logs at high rates to the Log Collectors.

Because administrators access and manage Panorama over the MGT interface, securing that interface is especially important. One method for improving the security of the MGT interface is to offload Panorama services to other interfaces. In addition to device management and log collection, you can also offload Collector Group communication and deployment of software and content updates to firewalls, Log Collectors, and WildFire appliances and appliance clusters. By offloading these services, you can reserve the MGT interface for administrative traffic and assign it to a secure subnetwork that is segregated from the subnetworks where your firewalls, Log Collectors, and WildFire appliances and appliance clusters reside.

• Multiple Interfaces for Network Segmentation Example
• Configure Panorama for Network Segmentation

Multiple Interfaces for Network Segmentation Example

Figure 11: Multiple Panorama Interfaces illustrates a deployment that uses multiple interfaces on M-500 appliances in Panorama mode and Log Collector mode. In this example, the interfaces support network segmentation as follows:
• Panorama management network—To protect the Panorama web interface, CLI, and XML API from unauthorized access, the MGT interface on Panorama connects to a subnetwork that only administrators can access.
• Internet—Panorama uses the MGT interface to communicate with external services such as the Palo Alto Networks Update Server.
• Perimeter Gateway and Data Center—Panorama uses a separate pair of interfaces to manage the firewalls and Log Collectors in each of these subnetworks. Managing firewalls typically generates less traffic than querying Log Collectors for report information. Therefore, Panorama uses 1Gbps interfaces (Eth1 and Eth2) for managing the firewalls and uses 10Gbps interfaces (Eth4 and Eth5) for querying and managing the Log Collectors. Each Log Collector uses its MGT interface to respond to the queries but uses its Eth4 and Eth5 interfaces for the heavier traffic associated with collecting logs from the firewalls.
• Software and content updates—The firewalls and Log Collectors in both subnetworks retrieve software and content updates over the Eth3 interface on Panorama.


Figure 11: Multiple Panorama Interfaces
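As an added example that is not part of this guide, the following Python script checks a planned service-to-interface assignment for a Panorama management server against the rules this chapter states: Collector Group Communication and Device Deployment may each sit on only one interface, Device Management and Device Log Collection on any number, an interface that carries a service must be enabled with a complete IPv4 or IPv6 field set, and the MGT interface must have its address, netmask or prefix length, and default gateway (the guide's warning about being left with console-only access) and should carry no offloadable service. The plan structure, interface names, and documentation-range addresses are constructed, and placing Collector Group Communication on Eth4 is an assumption rather than something Figure 11 shows.

```python
"""Check a planned Panorama interface/service assignment against the chapter's rules.
Added example, not Panorama code. Plan layout, addresses and the choice of Eth4 for
Collector Group Communication are constructed assumptions."""
from collections import Counter

# Service names as the Panorama web interface labels them
DEVICE_MGMT = "Device Management and Device Log Collection"   # one or more interfaces
CG_COMM = "Collector Group Communication"                      # only one interface
DEPLOY = "Device Deployment"                                   # only one interface
KNOWN_SERVICES = {DEVICE_MGMT, CG_COMM, DEPLOY}
ONE_INTERFACE_ONLY = {CG_COMM, DEPLOY}

def has_full_ipv4(cfg):
    return bool(cfg) and all(cfg.get(k) for k in ("ip", "netmask", "gateway"))

def has_full_ipv6(cfg):
    return bool(cfg) and all(cfg.get(k) for k in ("address_prefix", "gateway"))

def validate_plan(plan):
    """plan: {interface: {"enabled": bool, "ipv4": {...}, "ipv6": {...}, "services": set}}.
    Returns (errors, warnings): errors break a stated rule, warnings break the
    recommendation to reserve MGT for administrative traffic."""
    errors, warnings = [], []
    if "MGT" not in plan:
        errors.append("MGT: interface missing from plan")
    usage = Counter()
    for name, iface in plan.items():
        services = set(iface.get("services", ()))
        enabled = iface.get("enabled", False) or name == "MGT"   # MGT is always up
        unknown = services - KNOWN_SERVICES
        if unknown:
            errors.append("%s: unknown service(s) %s" % (name, sorted(unknown)))
        if services and not enabled:
            errors.append("%s: services assigned but interface not enabled" % name)
        # MGT always needs a complete field set; other interfaces only when they serve something
        if (name == "MGT" or services) and not (has_full_ipv4(iface.get("ipv4"))
                                                or has_full_ipv6(iface.get("ipv6"))):
            hint = " (without them only console access remains)" if name == "MGT" else ""
            errors.append("%s: IP address, netmask/prefix length and default gateway required%s"
                          % (name, hint))
        if name == "MGT" and services:
            warnings.append("MGT: carries %s; offload it so MGT stays on the admin subnetwork"
                            % ", ".join(sorted(services)))
        usage.update(services)
    for svc in sorted(ONE_INTERFACE_ONLY):
        if usage[svc] > 1:
            errors.append("%s: assigned to %d interfaces, only one allowed" % (svc, usage[svc]))
    return errors, warnings

def _v4(ip, gateway, netmask="255.255.255.0"):
    return {"ip": ip, "netmask": netmask, "gateway": gateway}

# Figure 11 layout with constructed addresses: MGT admin-only, Eth1/Eth2 for firewall
# management, Eth3 for updates, Eth4/Eth5 (10Gbps) for the Log Collectors.
GOOD_PLAN = {
    "MGT":  {"ipv4": _v4("192.0.2.10", "192.0.2.1"), "services": set()},
    "Eth1": {"enabled": True, "ipv4": _v4("198.51.100.10", "198.51.100.1"), "services": {DEVICE_MGMT}},
    "Eth2": {"enabled": True, "ipv4": _v4("198.51.100.20", "198.51.100.1"), "services": {DEVICE_MGMT}},
    "Eth3": {"enabled": True, "ipv4": _v4("203.0.113.10", "203.0.113.1"), "services": {DEPLOY}},
    "Eth4": {"enabled": True, "ipv4": _v4("203.0.113.20", "203.0.113.1"), "services": {DEVICE_MGMT, CG_COMM}},
    "Eth5": {"enabled": True, "ipv4": _v4("203.0.113.30", "203.0.113.1"), "services": {DEVICE_MGMT}},
}

# Same layout with three rule breaks and one recommendation break.
BAD_PLAN = {
    "MGT":  {"ipv4": {"ip": "192.0.2.10", "netmask": "255.255.255.0"},   # default gateway missing
             "services": {DEVICE_MGMT}},                                   # MGT not reserved
    "Eth3": {"enabled": True, "ipv4": _v4("203.0.113.10", "203.0.113.1"), "services": {DEPLOY}},
    "Eth4": {"enabled": True, "ipv4": _v4("203.0.113.20", "203.0.113.1"), "services": {DEPLOY}},  # twice
    "Eth5": {"enabled": False, "ipv4": _v4("203.0.113.30", "203.0.113.1"), "services": {DEVICE_MGMT}},
}
```

`validate_plan(GOOD_PLAN)` returns no errors and no warnings; `validate_plan(BAD_PLAN)` returns three errors (the MGT gateway, Eth5 not enabled, Device Deployment on two interfaces) and one warning for the service left on MGT. Run it against a plan before clicking through Panorama > Setup > Interfaces so that the single-interface rules are caught on paper rather than at commit time.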

Configure Panorama for Network Segmentation

To offload Panorama services from the MGT interface to other interfaces, start by configuring the interfaces on the Panorama management server. If your network has heavy log traffic, remember that the Eth4 and Eth5 interfaces on the M-500 appliance support higher throughput (10Gbps) than the other interfaces (1Gbps). Then, configure the Log Collectors in each subnetwork to connect with specific interfaces on Panorama. For each Log Collector, you also select an interface for Collector Group communication and one or more interfaces for collecting logs from firewalls. Finally, configure the firewalls in each subnetwork to connect with interfaces on Panorama.

Palo Alto Networks recommends that you specify the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for the MGT interface. If you omit one of these settings (such as the default gateway), you can access the M-Series appliance only through the console port for future configuration changes.

Perform the following steps to configure Panorama and Dedicated Log Collectors to use multiple interfaces:

STEP 1 | Verify that the M-Series appliances and firewalls have the prerequisite software versions and configurations.

   • The M-Series appliances must run Panorama 8.0 or later to use a separate interface for deploying updates and to use multiple interfaces for device management and log collection. The M-Series appliances must run Panorama 6.1 or later to use separate interfaces for log collection or Collector Group communication.
   • The initial configuration of each Panorama management server is complete. This includes configuration of the MGT interface.
   • Log Collectors and Collector Groups are configured. This includes configuration of the MGT interface on the Log Collectors.
   • The initial configuration of the firewalls is complete, you have added the firewalls to Panorama as managed devices, and the firewalls in each subnetwork are assigned to a separate template.
   • The initial configuration of WildFire appliances is complete and you have added WildFire appliances to Panorama as managed devices.

STEP 2 | Configure the interfaces on the solitary (non-HA) or active (HA) Panorama management server.

   Because the MGT interface was configured during initial Panorama configuration, you don't have to configure it again. Perform these steps for each interface:
   1. Log in to the Panorama Web Interface of the solitary (non-HA) or active (HA) Panorama management server.
   2. Select Panorama > Setup > Interfaces.
   3. Click an Interface Name to edit the interface.
   4. Select to enable the interface.
   5. Configure one or both of these field sets based on the IP protocols of your network:
      • IPv4—IP Address, Netmask, and Default Gateway
      • IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
   6. Select the services that the interface supports:
      • Device Management and Device Log Collection—Manage firewalls, Log Collectors, and WildFire appliances and appliance clusters, collect logs that the Log Collectors generate, and query the Log Collectors for report information. To support a segmented network, you can enable these services on multiple interfaces.
      • Collector Group Communication—Communicate with the Collector Groups that Panorama manages across all subnetworks.
      • Device Deployment—Deploy software and content updates to managed firewalls, Log Collectors, and WildFire appliances and appliance clusters across all subnetworks.
   7. Click OK to save your changes to the interface.
   8. Click Commit > Commit to Panorama and Commit your changes.

STEP 3 | (HA only) Configure the interfaces on the passive Panorama management server.

   1. Log in to the Panorama Web Interface of the active Panorama management server.
   2. Select Panorama > Managed Collectors and select the passive HA peer.
   3. Select Interfaces and click an interface to edit.
   4. Check the Enable Interface box to enable the interface.
   5. Configure one or both of these field sets based on the IP protocols of your network:
      • IPv4—IP Address, Netmask, and Default Gateway
      • IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
   6. Select the services that the interface supports:
      • Device Management and Device Log Collection—Manage firewalls, Log Collectors, and WildFire appliances and appliance clusters, collect logs that the Log Collectors generate, and query the Log Collectors for report information. To support a segmented network, you can enable these services on multiple interfaces.
      • Collector Group Communication—Communicate with the Collector Groups that Panorama manages across all subnetworks.
      • Device Deployment—Deploy software and content updates to managed firewalls, Log Collectors, and WildFire appliances and appliance clusters across all subnetworks.
   7. Click OK to save your changes to the interface.
   8. Select Commit >

Source: https://pdfcoffee.com/panorama-adminpdf-pdf-free.html

Panorama AdminGuide

Published on June 2016


Palo Alto Networks
Panorama™ Administrator’s Guide
Version 6.1

Contact Information
Corporate Headquarters:

Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-us.html

About this Guide
This guide describes how to set up and use Panorama for centralized management; it is intended for administrators who
want the basic framework to quickly set up the Panorama virtual appliance or the M-100 appliance for centralized
administration of Palo Alto Networks firewalls.
If you have an M-100 appliance, this guide takes over after you finish rack mounting your M-100 appliance.
For more information, refer to the following sources:

• For instructions on configuring the features on the firewall, go to the PAN-OS Administrator's Guide. The Palo Alto Networks Administrator's Guide will also help you with Panorama configuration items that are similar to the firewall and are not covered in this guide.
• For information on the additional capabilities and for instructions on configuring additional features on the firewall, refer to https://www.paloaltonetworks.com/documentation.
• For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
• For contacting support, for information on the support programs, or to manage your account or devices, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
• For the most current PAN-OS and Panorama 6.1 release notes, go to https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os-release-notes.html.

To provide feedback on the documentation, please write to us at: [email protected]

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2014–2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: January 15, 2016

2 • Panorama 6.1 Administrator’s Guide

© Palo Alto Networks, Inc.

Table of Contents
Panorama Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
About Panorama. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Panorama Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Centralized Configuration and Deployment Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Context Switch—Firewall or Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Centralized Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Logging Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Managed Collectors and Collector Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Caveats for a Collector Group with Multiple Log Collectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Centralized Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Panorama Commit Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Administrative Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Authentication Profiles and Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Access Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Administrative Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Panorama Recommended Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Panorama for Centralized Management and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Panorama in a Distributed Log Collection Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Plan Your Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Deploy Panorama: Task Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Set Up Panorama. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Determine Panorama Log Storage Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Set Up the Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Setup Prerequisites for the Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Install Panorama on the ESX(i) Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Perform Initial Configuration of the Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Expand Log Storage Capacity on the Panorama Virtual Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Complete the Panorama Virtual Appliance Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Set Up the M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Perform Initial Configuration of the M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Switch from Panorama Mode to Log Collector Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Increase Storage on the M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Migrate from a Panorama Virtual Appliance to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Prerequisites for Migrating to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Plan to Migrate to an M-100 Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Migrate to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Resume Firewall Management after Migrating to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . 50


  Register Panorama and Install Licenses . . . . . 51
    Register Panorama . . . . . 51
    Activate a Panorama Support License . . . . . 52
    Activate/Retrieve a Device Management License on the Panorama Virtual Appliance . . . . . 53
    Activate/Retrieve a Device Management License on the M-100 Appliance . . . . . 53
  Install Content and Software Updates for Panorama . . . . . 55
    Content Update Dependencies for Panorama and Log Collectors . . . . . 55
    Install Updates for Panorama with Internet Connection . . . . . 55
    Install Updates for Panorama without Internet Connection . . . . . 57
  Access and Navigate Panorama Management Interfaces . . . . . 59
    Log in to the Panorama Web Interface . . . . . 59
    Navigate the Panorama Web Interface . . . . . 59
    Log in to the Panorama CLI . . . . . 60
  Set Up Administrative Access to Panorama . . . . . 62
    Create an Administrative Account . . . . . 62
    Define an Access Domain . . . . . 64
    Create an Authentication Profile . . . . . 65
    Define an Authentication Sequence . . . . . 65
    Configure Administrative Authentication . . . . . 66

Manage Firewalls . . . . . 73
  Add a Firewall as a Managed Device . . . . . 74
  Manage Device Groups . . . . . 75
    Add a Device Group . . . . . 75
    Create Objects for Use in Shared or Device Group Policy . . . . . 76
    Manage Shared Objects . . . . . 77
    Select a URL Filtering Vendor on Panorama . . . . . 78
    Push a Policy to a Subset of Firewalls . . . . . 79
    Manage the Rule Hierarchy . . . . . 81
  Manage Templates . . . . . 83
    Template Capabilities and Exceptions . . . . . 83
    Add a Template . . . . . 84
    Override a Template Setting . . . . . 86
    Disable/Remove Template Settings . . . . . 87
  Transition a Firewall to Panorama Management . . . . . 88
  Use Case: Configure Firewalls Using Panorama . . . . . 89
    Device Groups . . . . . 89
    Templates . . . . . 90
    Set Up Your Centralized Configuration and Policies . . . . . 91

Manage Log Collection . . . . . 99
  Enable Log Forwarding to Panorama . . . . . 100
    Log Forwarding to Panorama: Workflows by Log Type . . . . . 100
    Configure Log Forwarding to Panorama . . . . . 102
  Configure a Managed Collector . . . . . 105


  Manage Collector Groups . . . . . 110
    Configure a Collector Group . . . . . 110
    Move a Log Collector to a Different Collector Group . . . . . 114
    Remove a Firewall from a Collector Group . . . . . 116
  Verify Log Forwarding to Panorama . . . . . 117
  Modify Log Forwarding and Buffering Defaults . . . . . 118
  Enable Log Forwarding from Panorama to External Destinations . . . . . 120
  Log Collection Deployments . . . . . 124
    Plan a Log Collection Deployment . . . . . 124
    Deploy Panorama with Dedicated Log Collectors . . . . . 127
    Deploy Panorama with Default Log Collectors . . . . . 133
    Deploy Panorama Virtual Appliances with Local Log Collection . . . . . 141

Manage Licenses and Updates . . . . . 145
  Panorama, Log Collector, and Firewall Version Compatibility . . . . . 146
  Manage Licenses on Firewalls Using Panorama . . . . . 147
  Deploy Updates to Devices Using Panorama . . . . . 149
    Supported Updates by Device Type . . . . . 149
    Schedule Content Updates to Devices Using Panorama . . . . . 150
    Install Software Updates on Firewall HA Pairs . . . . . 151
    Deploy Updates to Devices when Panorama Has an Internet Connection . . . . . 151
    Deploy Updates to Devices when Panorama Has No Internet Connection . . . . . 153

Monitor Network Activity . . . . . 157
  Use Panorama for Visibility . . . . . 158
    Monitor the Network with the ACC and AppScope . . . . . 158
    Analyze Log Data . . . . . 160
    Generate, Schedule, and Email Reports . . . . . 161
  Use Case: Monitor Applications Using Panorama . . . . . 164
  Use Case: Respond to an Incident Using Panorama . . . . . 168
    Incident Notification . . . . . 168
    Review Threat Logs . . . . . 169
    Review WildFire Logs . . . . . 170
    Review Data Filtering Logs . . . . . 171
    Update Security Policies . . . . . 171

Panorama High Availability . . . . . 173
  Panorama HA Prerequisites . . . . . 174
  Priority and Failover on Panorama in HA . . . . . 175
  Failover Triggers . . . . . 177
    HA Heartbeat Polling and Hello Messages . . . . . 177
    HA Path Monitoring . . . . . 177
  Logging Considerations in Panorama HA . . . . . 179
    Logging Failover on a Panorama Virtual Appliance . . . . . 179
    Logging Failover on an M-100 Appliance . . . . . 180


  Synchronization Between Panorama HA Peers . . . . . 181
  Manage a Panorama HA Pair . . . . . 182
    Set Up HA on Panorama . . . . . 182
    Test Panorama HA Failover . . . . . 184
    Switch Priority after Panorama Failover to Resume NFS Logging . . . . . 184
    Upgrade Panorama in HA . . . . . 185
    Restore the Primary Panorama to the Active State . . . . . 186

Administer Panorama . . . . . 187
  Manage Configuration Backups . . . . . 188
    Schedule Export of Configuration Files . . . . . 189
    Manage Panorama Configuration Backups . . . . . 190
    Configure the Number of Configuration Backups Panorama Stores . . . . . 191
    Load a Configuration Backup on a Managed Firewall . . . . . 191
  Compare Changes in Panorama Configurations . . . . . 192
  Restrict Access to Configuration Changes . . . . . 193
    Types of Locks . . . . . 193
    Locations for Taking a Lock . . . . . 193
    Take a Lock . . . . . 194
    View Lock Holders . . . . . 194
    Enable Automatic Acquisition of the Commit Lock . . . . . 194
    Remove a Lock . . . . . 195
  Add Custom Logos to Panorama . . . . . 196
  View Panorama Task Completion History . . . . . 197
  Reallocate Log Storage Quota . . . . . 198
  Monitor Panorama . . . . . 200
    Panorama System and Configuration Logs . . . . . 200
    Set Up Email Alerts for Panorama . . . . . 201
    Set Up SNMP to Monitor Panorama . . . . . 202
  Reboot or Shut Down Panorama . . . . . 206
  Generate Diagnostic Files for Panorama . . . . . 207
  Configure Panorama Password Profiles and Complexity . . . . . 208
  Replace a Failed Disk on an M-100 Appliance . . . . . 210
  Replace the Virtual Disk on a Panorama Virtual Appliance . . . . . 211

Troubleshooting . . . . . 213
  Troubleshoot Panorama System Issues . . . . . 214
    Diagnose Panorama Suspended State . . . . . 214
    Monitor the File System Integrity Check . . . . . 214
    Manage Panorama Storage for Software and Content Updates . . . . . 214
    Recover from Split Brain in Panorama HA Deployments . . . . . 215
  Troubleshoot Log Storage and Connection Issues . . . . . 217
    What Ports are Used by Panorama? . . . . . 217
    Resolve Zero Log Storage for a Collector Group . . . . . 218
    Recover Logs after Failure/RMA of M-100 Appliance in Log Collector Mode . . . . . 218
    Recover Logs after Failure/RMA of M-100 Appliance in Panorama Mode . . . . . 221
    Recover Logs after Panorama Failure/RMA in Non-HA Deployments . . . . . 226
    Regenerate Metadata for M-100 Appliance RAID Pairs . . . . . 228
  Replace an RMA Firewall . . . . . 230
    Partial Device State Generation for Firewalls . . . . . 230
    Before Starting RMA Firewall Replacement . . . . . 230
    Restore the Firewall Configuration after Replacement . . . . . 232
  Diagnose Template Commit Failures . . . . . 234
  View Task Success or Failure Status . . . . . 235


Panorama Overview
Panorama provides centralized management and visibility of multiple Palo Alto Networks next-generation
firewalls. It allows you to oversee all applications, users, and content traversing the network from one location,
and then use this knowledge to create application enablement policies that protect and control the entire
network. Using Panorama for centralized policy and device management increases operational efficiency in
managing and maintaining a distributed network of firewalls.
The following sections describe Panorama and provide guidelines for planning your Panorama deployment:
• About Panorama
• Panorama Platforms
• Centralized Configuration and Deployment Management
• Centralized Logging and Reporting
• Panorama Commit Operations
• Role-Based Access Control
• Panorama Recommended Deployments
• Plan Your Deployment
• Deploy Panorama: Task Overview


About Panorama
Panorama provides centralized management of the Palo Alto Networks next-generation firewalls, as the
following figure illustrates:

Panorama allows you to effectively configure, manage, and monitor your Palo Alto Networks firewalls using
central oversight with local control, as required. The three focal areas in which Panorama adds value are:
• Centralized configuration and deployment—To simplify central management and rapid deployment of
  the firewalls on your network, use Panorama to pre-stage the firewalls for deployment. You can then
  assemble the firewalls into groups, and create templates to apply a base network and device configuration
  and use device groups to administer globally shared and local policies. See Centralized Configuration and
  Deployment Management.
• Aggregated logging with central oversight for analysis and reporting—Collect information on activity
  across all the managed firewalls on the network and centrally analyze, investigate and report on the data. This
  comprehensive view of network traffic, user activity, and the associated risks empowers you to respond to
  potential threats using the rich set of policies to securely enable applications on your network. See
  Centralized Logging and Reporting.
• Distributed administration—Allows you to delegate or restrict access to global and local firewall
  configurations and policies. See Role-Based Access Control for delegating appropriate levels of access for
  distributed administration.

Panorama is available in two platforms: as a virtual appliance and as a dedicated hardware appliance. For more
information, see Panorama Platforms.


Panorama Platforms
Panorama is available in two platforms, each of which supports firewall management licenses for managing up
to 25, 100, or 1,000 firewalls:


Panorama virtual appliance—The Panorama virtual appliance is installed on a VMware server. It allows
for a simple installation and facilitates server consolidation for sites that need a virtual management
appliance. It also supports integration with a Network File System (NFS) for increased storage and (> 2TB)
log retention capabilities.
The Panorama virtual appliance best suits environments with logging rates of up to 10,000 logs/second.



M-100 appliance—A dedicated hardware appliance intended for large scale deployments. In environments
with high logging rates and log retention requirements, this platform enables scaling of your log collection
infrastructure. The appliance supports RAID 1 mirroring to protect against disk failures, and the default
configuration ships with two 1TB drives; with additional RAID pairs, the M-100 appliance can support up
to 4TB of log storage.
The M-100 appliance allows for separation of the central management function from the log collection
function by supporting the following deployment modes:


Panorama mode: The appliance performs both the central management and the log collection
functions. This is the default mode.



Log Collector mode: The appliance functions as a dedicated Log Collector, which either an M-100
appliance in Panorama mode or a Panorama virtual appliance can manage.
When deployed in Log Collector mode, the appliance does not have a web interface; administrative
access is CLI only. However, you manage the appliance using the Panorama management server (M-100
appliance in Panorama mode or a Panorama virtual appliance). CLI access to an M-100 appliance in
Log Collector mode is only necessary for initial setup and debugging.

The platform choice depends on your need for a virtual appliance and your log collection requirements (see
Determine Panorama Log Storage Requirements):
Log Collection Rate

Platform

Up to 10,000 logs/second Panorama virtual appliance
Up to 30,000 logs/second M-100 appliance


Centralized Configuration and Deployment Management
Panorama uses Device Groups and Templates to group devices into smaller and more logical sets that require similar
configuration. All configuration elements, policies, and objects on the managed firewalls can be centrally
managed on Panorama using Device Groups and Templates. In addition to managing configuration and policies,
Panorama enables you to centrally manage licenses, software and associated content updates: SSL-VPN clients,
GlobalProtect agents, dynamic content updates (Applications, Threats, WildFire and Antivirus).


• Context Switch—Firewall or Panorama
• Templates
• Device Groups

Context Switch—Firewall or Panorama
The Panorama web interface allows you to toggle between a Panorama-centric view and a firewall-centric view
using the context switch. You can choose to manage the firewall centrally using Panorama and then switch context
to a specific managed firewall to configure the firewall using the firewall user interface. The similarity of the user
interface on the managed firewalls and Panorama allows you to seamlessly move between the interfaces to
administer and monitor the firewall as required.
If you have configured Access Domains to restrict administrative access to specific managed firewalls, the
Panorama user interface displays only the firewalls/features for which the logged-in administrator has
permissions.

Templates
You use templates to configure the settings that managed firewalls require to operate on the network. Templates
enable you to define a common base configuration using the Network and Device tabs on Panorama. For
example, you can use templates to manage interface and zone configurations, server profiles for logging and
SNMP access, and network profiles for controlling access to zones and IKE gateways. When you group firewalls
to define Template settings, consider grouping firewalls that are alike in hardware model, and require access to
similar network resources, such as gateways and syslog servers.
Using templates, you can push a limited common base configuration to a group of firewalls and then configure
the rest of the settings manually on the firewall. Alternatively, you can push a larger common base configuration
and then override the template settings on the firewall to accommodate firewall-specific changes. When you
override a setting on the firewall, the setting is saved to the local configuration of the firewall and is no longer
managed by the Panorama template. You can, however, use Panorama to force the template configuration onto
the firewall or restore the template settings on the firewall. For example, you can define a common NTP server
in the template, but override the NTP server configuration on the firewall to accommodate the local time
zone on the firewall. If you then decide to restore the template settings, you can easily undo or revert the local
changes that you implemented on the firewall.
Templates cannot be used to define an operational state change such as FIPS mode or to enable multi-vsys mode
on the firewalls. For more information, see Template Capabilities and Exceptions.

Device Groups
To use Panorama effectively, you must group the firewalls on your network into logical units called device groups.
A device group allows grouping based on network segmentation, geographic location, or by the need to
implement similar policy configurations. A device group can include physical firewalls, virtual firewalls and/or
a virtual system. By default, all managed devices belong to the Shared device group on Panorama.
Device Groups enable central management of policies and objects using the Policies and Objects tabs on
Panorama. Objects are configuration elements that are referenced in policies. Some of the objects that firewall
policies make use of are: IP addresses, URL categories, security profiles, users, services, and applications.
Using Device Groups you can create shared objects or device group-specific objects and then use these objects
to create a hierarchy of rules (and rulebases) to enforce how managed firewalls handle inbound and outbound
traffic. For example, a corporate acceptable use policy could be defined as a set of shared policies. Then, to allow
only the regional offices to access peer-to-peer traffic such as BitTorrent, you can create a security rule as a
shared policy and target it to the regional offices or make it a device group rule that is pushed to the regional
offices. See Use Case: Configure Firewalls Using Panorama.


• Policies
• Objects

Policies
Device groups provide a way to implement a layered approach for managing policies across a network of
managed firewalls. The following table lists the policy layers, the firewalls to which the policies apply, and the
platform where you administer the policies:
Policy                        Scope                                             Administration Platform
Shared                        All the firewalls in all device groups.           Panorama
Device group-specific         All the firewalls assigned to a single device     Panorama
                              group.
Local (firewall-specific)     A single firewall.                                Firewall
Default (security rules only) By default, the default rules are shared (apply   Panorama or Firewall
                              to all firewalls in all device groups) and are
                              part of the predefined configuration. However, if
                              you edit (override) the rules, their scope changes
                              to the level at which you performed the edits:
                              device group or local (firewall/virtual system).

Both shared policies and device group-specific policies allow you to craft pre-rules and post-rules to centrally
manage all the rulebases: Security, NAT, QoS, Policy Based Forwarding, Decryption, Application Override,
Captive Portal, and DoS Protection.


• Pre-rules—Rules you add to the top of the rule order and that PAN-OS evaluates first. You can use
  pre-rules to enforce the Acceptable Use Policy for an organization; for example, to block access to specific
  URL categories, or to allow DNS traffic for all users. Pre-rules can be shared or device group-specific.

• Post-rules—Rules that PAN-OS evaluates after the pre-rules and the local firewall rules. Post-rules typically
  include rules to deny access to traffic based on the App-ID, User-ID, or Service. Like pre-rules, post-rules
  can be shared or device group-specific.

The pre-rules and post-rules that Panorama pushes are visible on the managed firewalls but only editable in
Panorama. The local firewall administrator or a Panorama administrator who switches to a local firewall context
can edit local firewall rules.
Default policies apply only to the Security rulebase. The default rule interzone-default specifies that the firewall
denies all interzone (between zones) traffic that doesn’t match another rule. The default rule intrazone-default
specifies that the firewall allows all intrazone (within a zone) traffic that doesn’t match another rule. When you
preview rules in Panorama, the default rules appear below all other rules. Initially the default rules are read-only,
either because they are part of the predefined configuration settings or because Panorama pushed them to
devices. However, you can override the settings for tags, action (allow or deny), logging, and security profiles.
The device context determines the level at which you can edit (override) default rules:


• On Panorama, you can edit default rules that are part of the predefined configuration. You can edit rules in
  a device group or shared context.
• On the firewall, you can edit default rules that are part of the predefined configuration, or pushed from a
  Panorama shared or device group context. The default rules can be virtual system (vsys) specific.

The order of precedence for default rules runs from the lowest context to the highest: settings edited at the
firewall level override settings at the device group level, which override settings at the shared level.
The evaluation order (from top-first to bottom-last) of all rules is:

When traffic matches a policy rule, the defined action is triggered and the firewall disregards all subsequent
rules. This ability to layer policies creates a hierarchy of rules in which local policies sit between the pre- and
post-rules and are editable by switching to the local firewall context or by accessing the firewall locally. The
firewall web interface visually demarcates this cascade of rules for each device group (and managed firewall)
and makes it possible to scan through a large number of rules.
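The layering described above, worked through as an added example (this is not Palo Alto Networks code): the rule names, zones and applications are constructed, and the model assumes that shared pre-rules are evaluated before device group pre-rules and device group post-rules before shared post-rules, with the two predefined default rules last.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One security rule; the value 'any' matches every value of that field."""
    name: str
    action: str            # "allow" or "deny"
    from_zone: str = "any"
    to_zone: str = "any"
    app: str = "any"

    def matches(self, from_zone: str, to_zone: str, app: str) -> bool:
        for want, got in ((self.from_zone, from_zone), (self.to_zone, to_zone), (self.app, app)):
            if want != "any" and want != got:
                return False
        return True


# The two predefined default rules and the action each ships with.
DEFAULT_ACTIONS = {"intrazone-default": "allow", "interzone-default": "deny"}


@dataclass
class Layers:
    """The rule layers that make up one firewall's effective Security rulebase."""
    shared_pre: list = field(default_factory=list)
    dg_pre: list = field(default_factory=list)
    local: list = field(default_factory=list)
    dg_post: list = field(default_factory=list)
    shared_post: list = field(default_factory=list)
    # Default-rule overrides per context: {"shared" | "device_group" | "firewall": {rule: action}}
    default_overrides: dict = field(default_factory=dict)


def effective_default_action(layers: Layers, rule_name: str) -> str:
    """Lowest context wins: a firewall edit beats a device group edit, which beats a shared edit."""
    for context in ("firewall", "device_group", "shared"):
        override = layers.default_overrides.get(context, {})
        if rule_name in override:
            return override[rule_name]
    return DEFAULT_ACTIONS[rule_name]


def effective_rulebase(layers: Layers) -> list:
    """Top-to-bottom order in which the firewall evaluates rules after a Panorama push."""
    rules = (list(layers.shared_pre) + list(layers.dg_pre) + list(layers.local)
             + list(layers.dg_post) + list(layers.shared_post))
    for name in ("intrazone-default", "interzone-default"):
        rules.append(Rule(name, effective_default_action(layers, name)))
    return rules


def evaluate(layers: Layers, from_zone: str, to_zone: str, app: str) -> tuple:
    """Return (rule name, action) of the first matching rule; later rules are never consulted."""
    for rule in effective_rulebase(layers):
        if rule.name == "intrazone-default":
            if from_zone == to_zone:
                return rule.name, rule.action
        elif rule.name == "interzone-default":
            if from_zone != to_zone:
                return rule.name, rule.action
        elif rule.matches(from_zone, to_zone, app):
            return rule.name, rule.action
    raise RuntimeError("unreachable: one of the default rules always matches")


# Constructed scenario: the acceptable-use policy lives in shared rules, while the
# device group for the regional offices re-allows BitTorrent with a pre-rule.
SHARED_PRE = [Rule("allow-dns", "allow", app="dns")]
SHARED_POST = [Rule("aup-deny-bittorrent", "deny", app="bittorrent")]


def regional_office() -> Layers:
    return Layers(
        shared_pre=SHARED_PRE,
        dg_pre=[Rule("regional-allow-bittorrent", "allow", "trust", "untrust", "bittorrent")],
        local=[Rule("local-allow-web", "allow", "trust", "untrust", "web-browsing")],
        shared_post=SHARED_POST,
        # The firewall admin overrode intrazone-default locally; the shared edit of
        # interzone-default made on Panorama still applies to the other default rule.
        default_overrides={"shared": {"interzone-default": "deny"},
                           "firewall": {"intrazone-default": "deny"}},
    )


def headquarters() -> Layers:
    return Layers(shared_pre=SHARED_PRE, shared_post=SHARED_POST)


if __name__ == "__main__":
    for site, layers in (("regional", regional_office()), ("hq", headquarters())):
        print(site, [r.name for r in effective_rulebase(layers)])
        print(site, "bittorrent trust->untrust:", evaluate(layers, "trust", "untrust", "bittorrent"))
        print(site, "ssh trust->trust:", evaluate(layers, "trust", "trust", "ssh"))
```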

For details on rule management, refer to the PAN-OS Administrator’s Guide.

Objects
Objects are configuration elements that are referenced in policies. Some of the objects that firewall policies
make use of are: IP addresses, URL categories, security profiles, users, services, and applications. Because
objects can be reused across policies, creating shared objects or device group objects reduces duplication of these
configuration elements. For example, creating shared address objects and address groups or shared service
objects and service groups allows you to create one instance of the object and reference it in any rulebase to
manage the firewalls across multiple device groups. Because shared objects are defined once but used many
times, they reduce administrative overhead, and maintain consistency and accuracy everywhere the shared object
is used.
Pre-rules, post-rules and rules locally defined on a firewall can all use shared objects and device group objects.
When creating an object on Panorama, note the following behavior:

• The device group object takes precedence over a shared object when both objects have the same name. By
  default, the Shared Object Takes Precedence option is disabled on Panorama. This behavior ensures that a
  shared object only supersedes a device group object with the same name if you explicitly want the value of
  the shared object to prevail. When you enable the option for shared objects to take precedence, Panorama
  informs you of all the device group objects that will be shadowed. However, if a device has a locally created
  object with the same name as a shared or a device group object that is pushed from Panorama, a commit
  failure will occur.
• All shared and device group objects that are defined on Panorama are pushed to the managed devices. By
  default, all objects—those that are and are not referenced in policies—are pushed to the managed devices.
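An added example (not Palo Alto Networks code) that models the object precedence and name collision behavior just described for a device group commit; the object names and values are constructed.

```python
from dataclasses import dataclass, field


class CommitFailure(Exception):
    """A locally created object has the same name as a shared or device group object pushed from Panorama."""


@dataclass
class ResolvedObjects:
    effective: dict = field(default_factory=dict)   # name -> (origin, value) the firewall ends up with
    shadowed: list = field(default_factory=list)    # (name, origin that lost) for same-named objects
    pushed: list = field(default_factory=list)      # every Panorama object sent, referenced or not


def resolve_objects(shared: dict, device_group: dict, local: dict,
                    shared_takes_precedence: bool = False) -> ResolvedObjects:
    """Work out which same-named object the firewall will use after a device group commit.

    shared, device_group: objects defined on Panorama (name -> value).
    local: objects created directly on the firewall (name -> value).
    shared_takes_precedence: models the 'Shared Object Takes Precedence' option, which is
    disabled by default (device group objects win).
    """
    pushed_names = set(shared) | set(device_group)
    collisions = sorted(pushed_names & set(local))
    if collisions:
        # Same name on the firewall and in a pushed object: the commit fails.
        raise CommitFailure(f"local object(s) {collisions} have the same name as pushed object(s)")

    result = ResolvedObjects(pushed=sorted(pushed_names))   # all objects are pushed, used or not
    for name in sorted(pushed_names):
        if name in shared and name in device_group:
            winner, loser = (("shared", "device_group") if shared_takes_precedence
                             else ("device_group", "shared"))
            source = shared if winner == "shared" else device_group
            result.effective[name] = (winner, source[name])
            result.shadowed.append((name, loser))
        elif name in shared:
            result.effective[name] = ("shared", shared[name])
        else:
            result.effective[name] = ("device_group", device_group[name])
    for name, value in local.items():
        result.effective[name] = ("local", value)
    return result


def precommit_report(shared: dict, device_group: dict, local: dict,
                     shared_takes_precedence: bool = False) -> list:
    """Lines an administrator would want to see before pushing a device group."""
    try:
        resolved = resolve_objects(shared, device_group, local, shared_takes_precedence)
    except CommitFailure as exc:
        return [f"COMMIT FAILURE: {exc}"]
    lines = []
    for name, loser in resolved.shadowed:
        origin, value = resolved.effective[name]
        lines.append(f"{name}: {loser} object shadowed, firewall uses {origin} value {value!r}")
    lines.append(f"{len(resolved.pushed)} Panorama objects pushed (referenced or not)")
    return lines


# Constructed sample objects (addresses and a service); not from any real deployment.
SHARED_OBJECTS = {"dns-servers": "10.0.0.53", "corp-net": "10.0.0.0/8", "web-svc": "tcp/80,443"}
BRANCH_DG_OBJECTS = {"dns-servers": "10.1.0.53", "branch-net": "10.1.0.0/16"}
BRANCH_LOCAL_OBJECTS = {"branch-mgmt-host": "10.1.0.5"}

if __name__ == "__main__":
    for line in precommit_report(SHARED_OBJECTS, BRANCH_DG_OBJECTS, BRANCH_LOCAL_OBJECTS):
        print(line)
    # A firewall admin re-created "corp-net" locally: the push cannot be committed.
    for line in precommit_report(SHARED_OBJECTS, BRANCH_DG_OBJECTS, {"corp-net": "10.99.0.0/16"}):
        print(line)
```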

Centralized Logging and Reporting
Panorama aggregates data from all managed firewalls and provides visibility across all the traffic on the network.
It also provides an audit trail for all policy modifications and configuration changes made to the managed
firewalls. In addition to aggregating logs, Panorama can aggregate and forward SNMP traps, email notifications,
and syslog messages to an external destination.
The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all
the firewalls; it allows you to centrally analyze, investigate, and report on network traffic and security incidents.
On Panorama, you can view logs and generate reports from logs forwarded to Panorama or to the managed Log
Collectors, if configured, or you can query the managed firewalls directly. For example, you can generate reports
about traffic, threat, and/or user activity in the managed network based on logs stored on Panorama (and the
managed Log Collectors) or by accessing the logs stored locally on the managed firewalls.
If you choose not to configure the managed firewalls to forward logs to Panorama, you can schedule reports to
be run on each managed firewall and forward the results to Panorama for a combined view of user activity and
network traffic. Although this view does not provide granular drill-down on specific data and activities, it still
provides a unified reporting approach.


• Logging Options
• Managed Collectors and Collector Groups
• Caveats for a Collector Group with Multiple Log Collectors
• Centralized Reporting

Logging Options
Both the Panorama virtual appliance and M-100 appliance can collect logs that the managed firewalls forward.
You can then configure Panorama to forward these aggregated logs to external services (Syslog server, email
server, or SNMP trap server). The logging options vary on each platform.
Panorama Platform      Logging Options
Virtual appliance      Offers three logging options:
                       • Use the approximately 11GB of internal storage space allocated for logging
                         as soon as you install the virtual appliance.
                       • Add a virtual disk that can support up to 2TB of storage.
                       • Mount a Network File System (NFS) datastore in which you can configure the
                         storage capacity that is allocated for logging.
M-100 appliance        The default shipping configuration includes 1TB disks in a RAID pair, which
                       you can increase to 4TB RAID storage (see Increase Storage on the M-100
                       Appliance). When the M-100 appliance is in Panorama mode, you can enable
                       the RAID disks and use these disks as the default Log Collector. If you
                       have M-100 appliances in Log Collector mode (dedicated Log Collectors), you
                       use Panorama to assign firewalls to the dedicated Log Collectors. In a
                       deployment with multiple dedicated Log Collectors, Panorama queries all
                       managed Log Collectors to generate an aggregated view of traffic and
                       cohesive reports. For easy scaling, begin with a single Panorama and
                       incrementally add dedicated Log Collectors as your needs expand.

Managed Collectors and Collector Groups
A Log Collector can be local to an M-100 appliance in Panorama mode (default Log Collector) or can be an M-100
appliance in Log Collector mode (dedicated Log Collector). Because you use Panorama to configure and manage
Log Collectors, they are also known as Managed Collectors. An M-100 appliance in Panorama mode or a
Panorama virtual appliance can manage dedicated Log Collectors. To administer dedicated Log Collectors using
the Panorama web interface, you must add them as Managed Collectors. Otherwise, administrative access to a
dedicated Log Collector is only available through its CLI using the default administrative user (admin) account.
Dedicated Log Collectors do not support additional administrative user accounts.
A Collector Group is one or more Managed Collectors that operate as a single logical log collection unit. If the
group contains dedicated Log Collectors, the logs are uniformly distributed across all the disks in each Log
Collector and across all members in the Collector Group. This distribution maximizes the use of the available
storage space. To manage a Log Collector, you must add it to a Collector Group. Each Panorama can manage
up to 64 Log Collectors in a Collector Group. However, Palo Alto Networks recommends placing only one Log
Collector in a Collector Group unless more than 4TB of storage space is required in a Collector Group. For
details, see Caveats for a Collector Group with Multiple Log Collectors.
The Collector Group configuration specifies which managed firewalls can send logs to the Log Collectors in the
group. After you configure the Log Collectors and enable the firewalls to forward logs, each firewall forwards
its logs to the assigned Log Collector.
If you use Panorama to manage firewalls running both PAN-OS 5.0 and a PAN-OS version earlier
than 5.0, note the following compatibility requirements:
• Only devices running PAN-OS v5.0 can send logs to a dedicated Log Collector.
• Devices running PAN-OS versions earlier than 5.0 can only send logs to a Panorama virtual
appliance or to an M-100 appliance in Panorama mode.

Managed Collectors and Collector Groups are integral to a distributed log collection deployment on Panorama.
A distributed log collection deployment allows for easy scalability and incremental addition of dedicated Log
Collectors as your logging needs grow. The M-100 appliance in Panorama mode can log to its default Collector
Group and then be expanded to a distributed log collection deployment with one or more Collector Groups
that include dedicated Log Collectors.

Caveats for a Collector Group with Multiple Log Collectors
Although Palo Alto Networks recommends placing only one Log Collector in a Collector Group, if you have a
scenario where you need more than 4TB of log storage capacity in a Collector Group for the required log
retention period, you will need to add multiple Log Collectors to the group. For example, if a single managed
firewall generates 12 TB of logs, you will require at least three Log Collectors in the Collector Group that
receives those logs.
If a Collector Group contains multiple Log Collectors, the available storage space is used as one logical unit and
the logs are uniformly distributed across all the Log Collectors in the Collector Group. The log distribution is
based on the disk capacity of the Log Collectors (which ranges from 1TB to 4TB, depending on the number of
disk pairs) and a hash algorithm that dynamically decides which Log Collector owns the logs and writes to disk.
Although Panorama uses a preference list to prioritize the list of Log Collectors to which a managed firewall
can forward logs, Panorama does not necessarily write the logs to the first Log Collector specified in the
preference list. For example, consider the following preference list:
Managed Firewall    Log Forwarding Preference List Defined on a Collector Group
FW1                 L1,L2,L3
FW2                 L4,L5,L6

Using this list, FW1 will forward logs to L1, its primary Log Collector, but the hash algorithm could determine
that the logs will be written on L2. If L2 becomes inaccessible or has a chassis failure, FW1 will not know about
its failure because it is still able to connect to L1, its primary Log Collector.

In the case where a Collector Group has only one Log Collector and the Log Collector fails, the firewall stores
the logs to its HDD/SSD (the available storage space varies by hardware model), and resumes forwarding logs
to the Log Collector where it left off before the failure occurred as soon as connectivity is restored.
With multiple Log Collectors in a Collector Group, the firewall does not buffer logs to its local storage when
it can connect to its Primary Log Collector. Therefore, FW1 will continue sending logs to L1. Because L2 is
unavailable, the Primary Log Collector L1 buffers the logs to its HDD, which has 10GB of log space. If L2
remains unavailable and the logs pending for L2 exceed 10GB, L1 will overwrite the older log entries to continue
logging. In such an event, loss of logs is a risk. Therefore, Palo Alto Networks recommends the following
mitigations if using multiple Log Collectors in a Collector Group:


• Obtain an On-Site-Spare (OSS) to enable prompt replacement if a Log Collector failure occurs.

• In addition to forwarding logs to Panorama, enable forwarding to an external service as backup storage. The
  external service can be a Syslog server, email server, or Simple Network Management Protocol (SNMP) trap
  server. For details, see Enable Log Forwarding to Panorama.

Centralized Reporting
Panorama aggregates logs from all managed firewalls and enables reporting on the aggregated data for a global
view of application use, user activity, and traffic patterns across the entire network infrastructure. As soon as the
firewalls are added to Panorama, the ACC can display all traffic traversing your network. With logging enabled,
clicking into a log entry in the ACC provides direct access to granular details about the application.
For generating reports, Panorama uses two sources: the local Panorama database and the remote firewalls that
it manages. The Panorama database refers to the local storage on Panorama that is allocated for storing both
summarized logs and some detailed logs. If you have a Distributed Log Collection deployment, the Panorama
database includes the local storage on Panorama and all the managed Log Collectors. Panorama summarizes the
information—traffic, application, threat—collected from all managed firewalls at 15-minute intervals. Using
the local Panorama database allows for faster response times; however, if you prefer not to forward logs to
Panorama, Panorama can directly access the remote firewalls and run reports on data that is stored locally on the
managed firewalls.
Panorama offers more than 40 predefined reports that can be used as is, or they can be customized by
combining elements of other reports to generate custom reports and report groups that can be saved. Reports
can be generated on demand or on a recurring schedule, and can be scheduled for email delivery. These reports
provide information on the user and the context so that you can correlate events and identify patterns, trends, and
potential areas of interest. With the integrated approach to logging and reporting, the ACC enables correlation
of entries from multiple logs relating to the same event.

Panorama Commit Operations
When editing the configuration on Panorama, you are changing the candidate configuration file. The candidate
configuration is a copy of the running configuration along with any changes you made since the last commit.
The Panorama web interface displays all the configuration changes immediately. However, Panorama won’t
implement the changes until you commit them. The commit process validates the changes in the candidate
configuration file and saves it as the running configuration on Panorama.
After any system event or administrator action causes Panorama to reboot, all your changes
since the last commit will be lost. To preserve changes without committing them, periodically click
Save at the top right of the web interface to save a snapshot of the candidate configuration. If a
reboot occurs, you can then revert to the snapshot. For details on backing up and restoring
running and candidate configurations, see Manage Panorama Configuration Backups.

When initiating a commit on Panorama, select one of the following types:
Commit Options     Description
Panorama           Commits the changes on the current candidate configuration to the running
                   configuration on Panorama. You must first commit your changes on Panorama
                   before committing any configuration updates (templates or device groups) to
                   the managed firewalls or Collector Groups.
Template           Commits network and device configurations from a Panorama template to the
                   selected firewalls.
Device Group       Commits policies and objects configured from Panorama to the selected
                   firewalls/virtual systems.
Collector Group    Commits changes to the specified Collector Groups that Panorama manages.

When you perform a commit, Panorama pushes the entire configuration to the managed firewalls. When the
commit completes, a result displays: Commit succeeded or Commit succeeded with warnings.
Some other commit choices are:


• Preview Changes—This option is available when the Commit Type is Panorama. It enables you to compare
  the candidate configuration with the running configuration in the same way as the Panorama > Config Audit
  feature (see Compare Changes in Panorama Configurations). After clicking Preview Changes, select the
  number of lines to include for context, and click OK. As a best practice, preview your configuration changes
  before committing them.
  Because the preview results display in a new window, your browser must allow pop-ups. If the
  preview window does not open, refer to your browser documentation for the steps to unblock
  pop-ups.
• Include Device and Network Templates—This option is available when committing a device group from
  Panorama. It allows you to commit both device group and template changes, to the pertinent firewalls, in a
  single commit operation.
  If you prefer to commit your changes as separate commit operations, do not select this check box.

• Force Template Values—When performing a Template commit, the Force Template Values option overrides
  all local configuration and removes objects on the selected firewalls or virtual systems that do not exist in
  the template or have been overridden by the local configuration. This is an override that reverts all existing
  configuration on the managed firewall, and ensures that the firewall inherits the settings defined in the
  template only.
• Merge with Candidate Config—When enabled, this option allows you to merge and commit the Panorama
  configuration changes with any pending configuration changes that were implemented locally on the target
  firewall. If this option is not enabled, the candidate configuration on the firewall is not included in the
  commit operation. As a best practice, leave this option disabled if you allow firewall administrators to modify
  the configuration directly on a firewall and you don’t want to include their changes when committing changes
  from Panorama.

Role-Based Access Control
Role-based access control (RBAC) allows you to specify the privileges and responsibilities accorded to every
administrative user. On Panorama, you can define administrative accounts with specific roles, profiles, or Access
Domains to regulate access to specific features on Panorama and the managed firewalls; these options allow you
to limit administrative access to only the firewalls and areas of the management interface that each administrator
requires to perform the job. By default, every Panorama server comes pre-configured with a default
administrative account (admin) that provides full read-write access (also known as superuser access). As a best
practice, create a separate administrative account for each person who needs access to the administrative or
reporting functions on Panorama. This provides better protection against unauthorized configuration (or
modification) and enables logging of the actions of each administrator.
For every administrative user, you can also define an authentication profile that determines how the user’s access
credentials are verified. To enforce more granular administrative access, use access domains to restrict
administrative access to a particular firewall, device group or template.


• Administrative Roles
• Authentication Profiles and Sequences
• Access Domains
• Administrative Authentication

Administrative Roles
The way you configure administrator accounts depends on the security requirements of your organization,
whether it has existing authentication services with which to integrate, and the administrative roles it requires.
A role defines the type of system access an administrator has. The role types are:


• Dynamic Roles—These are built-in roles that provide access to Panorama and managed devices. When
  new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to
  manually update them. The following table lists the access privileges associated with dynamic roles.

Dynamic Role             Privileges
Superuser                Full read-write access to Panorama
Superuser (read-only)    Read-only access to Panorama
Panorama administrator   Full access to Panorama except for the following actions:
                         • Create, modify, or delete Panorama or device administrators and roles.
                         • Export, validate, revert, save, load, or import a configuration in the
                           Device > Setup > Operations page.
                         • Configure Scheduled Config Export functionality in the Panorama tab.

• Admin Role Profiles—To provide more granular access control over the functional areas of the web
  interface, CLI, and XML API, you can create custom roles. When new features are added to the product,
  you must update the roles with corresponding access privileges: Panorama does not automatically add new
  features to custom role definitions. When creating a custom role (see Set Up Administrative Access to
  Panorama), you select one of the following profiles:

Administrator Role Profile   Description
Panorama                     For these roles, you can assign read-write access, read-only access, or no
                             access to all the Panorama features that are available to the superuser
                             dynamic role except the management of Panorama administrators and
                             Panorama roles. For the latter two features, you can assign read-only
                             access or no access, but you cannot assign read-write access.
                             An example use of a Panorama role would be for security administrators
                             who require access to security policy definitions, logs, and reports on
                             Panorama.
Device Group and Template    For these roles, you can assign read-write access, read-only access, or no
                             access to the device groups and templates specified in the administrator
                             account definition. Roles with this profile have the following limitations:
                             • No access to the CLI or XML API
                             • No access to configuration or system logs
                             • No access to App Scope or reports
                             • No access to VM information sources
                             • In the Panorama tab, access is limited to device deployment features
                               (read-write, read-only, or no access) and to the templates, managed
                               devices, and device groups specified in the administrator account
                               (read-only or no access).
                             An example use of this role would be for administrators in your operations
                             staff who require access to the device and network configuration areas of
                             the web interface for specific device groups and/or templates.

Authentication Profiles and Sequences
Among its other uses, an authentication profile defines how an administrative user is authenticated on Panorama
upon login. If you create a local user account on Panorama, you can authenticate the user to the local database,
or use an external RADIUS, LDAP, or Kerberos server for authentication. If you do not want to create a local
user account, and want to manage both account administration and authentication using an external
authentication mechanism, you must use RADIUS. For a high-level overview of the process, see Use RADIUS
Vendor-Specific Attributes for Account Authentication.
To authenticate to multiple authentication sources—local, RADIUS, LDAP, and/or Kerberos—define an
authentication sequence. An authentication sequence is a ranked order of authentication profiles that an
administrative user is matched against. Panorama checks against the local database first, and then each profile
in sequence until the user is successfully authenticated. The user is denied access to Panorama only if
authentication fails for all the profiles defined in the authentication sequence.
To create authentication profiles and sequences, see Create an Authentication Profile and Define an
Authentication Sequence.

Access Domains
An access domain defines the features and permissions accorded to an administrative user, enabling granular
control over the administrative user’s ability to switch context and access the features on the user interface of
the managed firewalls. Access domains can also limit access to a subset of the device groups and/or templates
created on Panorama and therefore restrict the user’s ability to configure and manage firewalls.
The access domain is linked to RADIUS vendor-specific attributes (VSAs) and is supported only if a RADIUS
server is used for administrator authentication. If RADIUS is not used, the access domain settings are ignored.
For information on defining an access domain, see Define an Access Domain.

Administrative Authentication
There are four ways to authenticate administrative users:


• Local administrator account with local authentication—Both the administrator account credentials and
the authentication mechanisms are local to the firewall. To further secure the local administrator account,
create a password profile that defines a validity period for passwords and/or set firewall-wide password
complexity settings. For more information, see Create an Administrative Account.
• Local administrator account with certificate- or key-based authentication—With this option, the
administrator accounts are local to the firewall, but authentication is based on SSH keys (for CLI access) or
client certificates/common access cards (for the web interface). For details on how to configure this type of
administrative access, see Enable Certificate-Based Authentication for the Web Interface and Enable SSH
Key-Based Authentication for the CLI.
• Local administrator account with external authentication—The administrator accounts are managed
on the local firewall, but the authentication functions are offloaded to an existing LDAP, Kerberos, or
RADIUS service. To configure this type of account, you must first create an authentication profile that
defines how to access the external authentication service and then create an account for each administrator
that references the profile. For more information, see Create an Authentication Profile.
• External administrator account and authentication—Account administration and authentication are
handled by an external RADIUS server. To use this option, you must define Vendor Specific Attributes
(VSAs) on your RADIUS server that map to the admin role. For a high-level overview of the process, see
Use RADIUS Vendor-Specific Attributes for Account Authentication. For details on how to configure this
type of administrative access, refer to the Radius Vendor Specific Attributes (VSA) article.
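To make the VSA mapping in the last option concrete, here is an added example (not code from the guide or from Palo Alto Networks) that encodes and parses the RADIUS Vendor-Specific attribute (type 26, RFC 2865 section 5.26) a RADIUS server returns in an Access-Accept. The vendor ID 25461 is Palo Alto Networks' enterprise number (the same arc as the panLcLogRate OID cited later in this guide); the vendor-type numbers for the role and access-domain attributes, and the role and domain names, are assumptions made for this example, so take the authoritative values from the VSA article the guide references.

```python
import struct

# RFC 2865 section 5.26: attribute type 26 carries vendor-specific sub-attributes.
RADIUS_VENDOR_SPECIFIC = 26
# Palo Alto Networks' IANA enterprise number (the 25461 arc also appears in the
# panLcLogRate OID the guide cites).
VENDOR_ID_PALO_ALTO = 25461

# Vendor-type numbers for the Panorama admin VSAs. These are ASSUMED for this
# example; use the values from the vendor's VSA article in a real deployment.
VSA_PANORAMA_ADMIN_ROLE = 3
VSA_PANORAMA_ADMIN_ACCESS_DOMAIN = 4


def encode_vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """Build one Vendor-Specific attribute: type, length, vendor-id, then the
    vendor-type, vendor-length and value (both lengths include their own header)."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("RADIUS attribute length is limited to 255 octets")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attributes: bytes) -> list:
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value) for
    every vendor sub-attribute. Inconsistent lengths raise instead of being skipped:
    a parser that silently resynchronises can end up reading an attribute the
    server never sent."""
    found = []
    i = 0
    while i < len(attributes):
        if len(attributes) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attributes[i], attributes[i + 1]
        if a_len < 2 or i + a_len > len(attributes):
            raise ValueError("bad attribute length")
        if a_type == RADIUS_VENDOR_SPECIFIC:
            body = attributes[i + 2:i + a_len]
            if len(body) < 6:
                raise ValueError("vendor-specific attribute too short")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if len(body) - j < 2:
                    raise ValueError("truncated vendor sub-attribute")
                v_type, v_len = body[j], body[j + 1]
                if v_len < 2 or j + v_len > len(body):
                    raise ValueError("bad vendor sub-attribute length")
                found.append((vendor_id, v_type, body[j + 2:j + v_len].decode("utf-8")))
                j += v_len
        i += a_len
    return found


def panorama_authorization(attributes: bytes):
    """Return (role, access_domain) from an Access-Accept's attribute list, or None
    when the Palo Alto role VSA is absent. With external accounts the VSA is what
    defines the administrator, so no role means no administrative access."""
    role = None
    domain = None
    for vendor_id, v_type, value in decode_vsas(attributes):
        if vendor_id != VENDOR_ID_PALO_ALTO:
            continue  # other vendors' VSAs are not relevant here
        if v_type == VSA_PANORAMA_ADMIN_ROLE:
            role = value
        elif v_type == VSA_PANORAMA_ADMIN_ACCESS_DOMAIN:
            domain = value
    if role is None:
        return None
    return role, domain


# Constructed sample: the attributes a RADIUS server would return for an
# administrator mapped to a read-only role (role and domain names are examples).
SAMPLE_ACCEPT = (
    encode_vsa(VENDOR_ID_PALO_ALTO, VSA_PANORAMA_ADMIN_ROLE, "superreader")
    + encode_vsa(VENDOR_ID_PALO_ALTO, VSA_PANORAMA_ADMIN_ACCESS_DOMAIN, "branch-firewalls")
)

if __name__ == "__main__":
    print(panorama_authorization(SAMPLE_ACCEPT))
```

The parser refuses any attribute whose declared length does not fit, rather than skipping ahead, and an Access-Accept that carries no role VSA yields None. That mirrors the point the guide makes: with external accounts the VSAs are the only thing that defines the administrator, so a server that omits them grants nothing, and a server that sends them for the wrong vendor ID is ignored.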


Panorama Recommended Deployments
A Panorama deployment comprises the Panorama management server (which has a browser-based interface),
optional Log Collectors, and the Palo Alto Networks firewalls that Panorama manages. The recommended
deployments are:


• Panorama for Centralized Management and Reporting
• Panorama in a Distributed Log Collection Deployment
For the procedures to configure the most typical log collection deployments, see Log Collection
Deployments.

Panorama for Centralized Management and Reporting
The following diagram illustrates how you can deploy the Panorama virtual appliance or M-100 appliance in a
redundant configuration for the following benefits:


• Centralized management—Centralized policy and device management that allows for rapid deployment
and management of up to one thousand firewalls.
• Visibility—Centralized logging and reporting to analyze and report on user-generated traffic and potential
threats.
• Role-based access control—Appropriate levels of administrative control at the firewall level or global level
for administration and management.


Panorama in a Distributed Log Collection Deployment
The hardware-based Panorama—the M-100 appliance—can be deployed either as a Panorama management
server that performs management and log collection functions or as a dedicated Log Collector that provides a
comprehensive log collection solution for the firewalls on your network. Using the M-100 appliance as a Log
Collector allows for a more robust environment where the log collection process is offloaded to a dedicated
appliance. Using a dedicated appliance in a Distributed Log Collection (DLC) deployment provides redundancy,
improved scalability, and capacity for longer term log storage.
In a DLC deployment, the Panorama management server (Panorama virtual appliance or an M-100 appliance
in Panorama mode) manages the firewalls and the Log Collectors. Using Panorama, the firewalls are configured
to send logs to one or more Log Collectors; Panorama can then be used to query the Log Collectors and provide
an aggregated view of network traffic. In a DLC configuration, the logs stored on the Log Collectors are
accessible from both the primary and secondary Panorama peers in a high availability (HA) pair.
In the following topology, the Panorama peers in an HA configuration manage the deployment and
configuration of firewalls running PAN-OS 4.x and 5.x or 6.x. This solution provides the following benefits:


• Allows for improved performance in the management functions on Panorama
• Provides high-volume log storage on a dedicated hardware appliance
• Provides horizontal scalability and redundancy with RAID 1 storage


Plan Your Deployment


• Determine the management approach. Do you plan to use Panorama to centrally configure and manage
the policies, to centrally administer software, content and license updates, and/or centralize logging and
reporting across the managed devices in the network?
If you already deployed and configured the Palo Alto Networks firewalls on your network, determine
whether to transition the devices to centralized management. This process requires a migration of all
configuration and policies from your firewalls to Panorama. For details, see Transition a Firewall to
Panorama Management.
• Verify that Panorama is on the same release version or a later version than the firewalls that it will manage.
For example, Panorama with version 4.0 cannot manage firewalls running PAN-OS 5.0. For versions
within the same feature release, although Panorama can manage firewalls running a later version of
PAN-OS, Palo Alto Networks recommends that Panorama run the same version or a later version. For
example, if Panorama runs 6.0.3, it is recommended that all managed firewalls run PAN-OS 6.0.3 or earlier
versions.
• Plan to use the same URL filtering database (BrightCloud or PAN-DB) across all managed firewalls. If
some firewalls are using the BrightCloud database and others are using PAN-DB, Panorama can only
manage security policies for one or the other URL filtering database. URL filtering rules for the other
database must be managed locally on the firewalls that use that database.
• Plan to use Panorama in a high availability configuration; set it up as an active/passive high availability pair.
See Panorama High Availability.
• Estimate the log storage capacity your network needs to meet security and compliance requirements.
Consider such factors as the network topology, number of firewalls sending logs, type of log traffic (for
example, URL and threat logs versus traffic logs), the rate at which firewalls generate logs, and the number
of days for which you want to store logs on Panorama. For details, see Determine Panorama Log Storage
Requirements.
• For meaningful reports on network activity, plan a logging solution:
– Do you need to forward logs to a syslog server, in addition to Panorama?
– If you need a long-term storage solution, do you have a Security Information and Event Management
(SIEM) solution, such as Splunk or ArcSight, to which you need to forward logs?
– Do you need redundancy in logging? With Panorama virtual appliances in HA, each peer can log to its
virtual disk. The managed devices can send logs to both peers in the HA pair. This option provides
redundancy in logging and is best suited to support up to 2TB of log storage capacity.
– Will you log to a Network File System (NFS)? Only the Panorama virtual appliance supports NFS.
Consider using NFS if more than 2TB of log storage capacity is required. If using NFS, note that the
managed devices can send logs only to the primary peer in the HA pair, and only the active-primary
Panorama is mounted to the NFS and can write to it.
If your logging solution includes M-100 appliances, by default they use the management (MGT) interface
for configuration, log collection, and Collector Group communication. However, it is a best practice to use
the Eth1 or Eth2 interfaces for log collection and Collector Group communication to improve security,
control traffic prioritization, performance, and scalability. Determine whether your solution would benefit
from using separate interfaces for these functions. For details, see Set Up the M-100 Appliance.


• Determine what access privileges, roles, and permissions administrators require to access the managed
firewalls and Panorama. See Set Up Administrative Access to Panorama.
• Plan the required Device Groups. To do this, determine whether to group firewalls based on function,
security policy, geographic location, or network segmentation. An example of a function-based device
group is one that contains all the firewalls that a Research and Development team uses. You might also
group firewalls by the function they perform, such as gateway firewalls, branch office firewalls or
datacenter firewalls.
• Plan a layering strategy for administering policies. Think through how policies must be inherited and
evaluated and how to best implement shared rules, device-group rules, and device-specific rules to meet
your network needs.
– For visibility and centralized policy management, consider using Panorama for administering policies,
even if you would like to create device-specific exceptions to shared/device-group policies. To apply a
rule to a subset of devices in a device group, you can target the rule(s) to the specific device(s); see Push
a Policy to a Subset of Firewalls.
– Consider whether to create smaller device groups based on commonality or to create larger device
groups to scale more easily. See Use Case: Configure Firewalls Using Panorama.
• Plan your device organization for how configuration settings (using templates) are inherited and enforced.
For example, think through how to assign devices to templates based on hardware platforms, geographic
proximity and similar network setup needs for time zones, DNS server, and interface settings. See Use
Case: Configure Firewalls Using Panorama.
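The version rule from the checklist above, as an added example (illustrative code written for this page, not a tool from Palo Alto Networks): the feature release is taken as major.minor, a firewall on a newer feature release than Panorama is reported as unsupported, and a later maintenance release within the same feature release is reported as not recommended, exactly as the two examples in the checklist state. The inventory is constructed, and the tolerance for an optional "-hN" hotfix suffix is an assumption about version strings, not something the guide specifies.

```python
import re

# Version strings like "6.0.3"; an optional "-hN" hotfix suffix is ASSUMED and ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(version: str) -> tuple:
    """Parse a PAN-OS/Panorama version into (major, minor, maintenance)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def feature_release(version: tuple) -> tuple:
    """The feature release is the major.minor pair (4.0, 5.0, 6.0, 6.1, ...)."""
    return version[:2]


def check_managed_version(panorama_version: str, firewall_version: str) -> str:
    """Apply the guide's rule:
    - 'unsupported': the firewall runs a newer feature release than Panorama
      (Panorama 4.0 cannot manage PAN-OS 5.0);
    - 'not-recommended': same feature release but a later maintenance release
      (Panorama 6.0.3 can manage 6.0.5, but the vendor recommends 6.0.3 or earlier);
    - 'ok': everything else."""
    p = parse_version(panorama_version)
    f = parse_version(firewall_version)
    if feature_release(f) > feature_release(p):
        return "unsupported"
    if f > p:
        return "not-recommended"
    return "ok"


def audit_fleet(panorama_version: str, firewalls: dict) -> dict:
    """Group firewall names by status. Anything under 'unsupported' means Panorama
    itself must be upgraded before those firewalls can be brought under management."""
    report = {"ok": [], "not-recommended": [], "unsupported": []}
    for name, version in firewalls.items():
        report[check_managed_version(panorama_version, version)].append(name)
    return report


# Constructed inventory for the example (names and versions are made up).
FLEET = {
    "dc-fw-1": "6.0.3",
    "branch-fw-1": "5.0.9",
    "branch-fw-2": "6.0.5",
    "lab-fw-1": "6.1.0",
}

if __name__ == "__main__":
    for status, names in audit_fleet("6.0.3", FLEET).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Run the audit before scheduling upgrades: a firewall that lands in "unsupported" tells you to upgrade Panorama first, while "not-recommended" entries are manageable but should be aligned with the Panorama version at the next maintenance window.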


Deploy Panorama: Task Overview
The following task list summarizes the steps to get started with Panorama. For an example of how to use
Panorama for central management, see Use Case: Configure Firewalls Using Panorama.
1. (M-100 appliance only) Rack mount the appliance. Refer to the M-100 Hardware Reference Guide.
2. Perform initial configuration to enable network access to Panorama. See Set Up the Panorama Virtual Appliance or
Set Up the M-100 Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.
5. Add a Firewall as a Managed Device.
6. Add a Device Group and Add a Template.
7. (Optional) Configure log forwarding to Panorama and/or to external services. See Manage Log Collection.
8. Monitor network activity using the visibility and reporting tools on Panorama. See Monitor the Network with the
ACC and AppScope and Generate, Schedule, and Email Reports.
9. (Optional/recommended) Set up Panorama in a high availability configuration. See Panorama High Availability.


Set Up Panorama
For centralized reporting and cohesive policy management across all the firewalls on your network, Panorama
can be deployed as a virtual appliance or as a hardware appliance (the M-100 appliance).
The following topics describe how to set up Panorama on your network:


• Determine Panorama Log Storage Requirements
• Set Up the Panorama Virtual Appliance
• Set Up the M-100 Appliance
• Migrate from a Panorama Virtual Appliance to an M-100 Appliance
• Register Panorama and Install Licenses
• Install Content and Software Updates for Panorama
• Access and Navigate Panorama Management Interfaces
• Set Up Administrative Access to Panorama


Determine Panorama Log Storage Requirements
When you Plan Your Deployment, estimate how much log storage capacity Panorama requires to determine
which Panorama Platforms to deploy, whether to expand the storage on those platforms beyond their default
capacities, whether to deploy Dedicated Log Collectors, and whether to Enable Log Forwarding from Panorama
to External Destinations. When Panorama reaches the maximum capacity, it automatically deletes older logs to
create space for new ones. Therefore, to ensure that log retention meets your needs, you should configure any
additional storage during the Panorama setup stage. To expand log storage capacity during or after setup, see
Expand Log Storage Capacity on the Panorama Virtual Appliance or Increase Storage on the M-100 Appliance.
Determine Panorama Log Storage Requirements

Step 1: Determine the log retention requirements of your organization.
You can Reallocate Log Storage Quota for each log type as a percentage of the total space if you need to
prioritize log retention by type.

Step 2: Determine the average daily logging rates. Do this multiple times each day at peak and non-peak times
to estimate the average. The more often you sample the rates, the more accurate your estimate.
1. Display the current log generation rate in logs per second:
• If Panorama is not yet collecting logs, access the CLI of each firewall, run the following command, and
calculate the total rates for all the firewalls. This command displays the number of logs received in the
last second.
> debug log-receiver statistics
• If Panorama is already collecting logs, run the following command at the CLI of each platform that
receives logs (Panorama management server or Dedicated Log Collector) and calculate the total rates.
This command gives the average logging rate for the last five minutes.
> debug log-collector log-collection-stats show incoming-logs
You can also use an SNMP manager to determine the logging rates of M-Series appliances by monitoring
the panLcLogRate object (OID 1.3.6.1.4.1.25461.2.3.30.1.1).
2. Calculate the average of the sampled rates.
3. Calculate the daily logging rate by multiplying the average logs-per-second by 86,400.

Step 3: Estimate the required storage capacity. This formula provides only an estimate; the exact amount of
required storage will differ from the formula result.
Use the formula:
<required storage duration> x <average log size> x <average logging rate> / <compression factor>
The average log size and the log compression factor vary considerably by log type. However, you can use
600 bytes as an approximate average log size and 3 as an approximate compression factor.
For example, if Panorama must store logs for 30 days and the average total logging rate for all firewalls is
21,254,400 logs per day, then the required log storage capacity is: 30 x 600 x 21,254,400 / 3 =
127,526,400,000 bytes (approximately 128GB).
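The same calculation as an added worked example (code written for this page, not from the guide): it carries Step 2 and Step 3 through on constructed per-second samples, reproduces the guide's 30-day figure, and inverts the formula to show how many days of retention a given capacity holds at that rate, which is the check to run against the roughly 11GB the virtual appliance allocates by default. The 600-byte log size and compression factor of 3 are the guide's own approximations; the sample rates are made up.

```python
SECONDS_PER_DAY = 86_400
DEFAULT_AVG_LOG_SIZE_BYTES = 600   # approximate average log size from the guide
DEFAULT_COMPRESSION_FACTOR = 3     # approximate compression factor from the guide


def average_rate(samples_per_second):
    """Step 2, item 2: average the sampled logs-per-second totals. Each sample is
    the sum over all firewalls (or all log receivers) at one sampling time."""
    if not samples_per_second:
        raise ValueError("at least one sample is required")
    return sum(samples_per_second) / len(samples_per_second)


def daily_log_count(avg_logs_per_second):
    """Step 2, item 3: logs per day from the average logs per second."""
    return avg_logs_per_second * SECONDS_PER_DAY


def required_storage_bytes(retention_days, logs_per_day,
                           avg_log_size=DEFAULT_AVG_LOG_SIZE_BYTES,
                           compression=DEFAULT_COMPRESSION_FACTOR):
    """Step 3 formula: duration x average log size x logging rate / compression."""
    if retention_days <= 0 or logs_per_day < 0 or compression <= 0:
        raise ValueError("retention, rate and compression must be positive")
    return retention_days * avg_log_size * logs_per_day / compression


def retention_days_for_capacity(capacity_bytes, logs_per_day,
                                avg_log_size=DEFAULT_AVG_LOG_SIZE_BYTES,
                                compression=DEFAULT_COMPRESSION_FACTOR):
    """Inverse of the formula: how many days fit in a given capacity before Panorama
    starts deleting the oldest logs to make room."""
    bytes_per_day = avg_log_size * logs_per_day / compression
    if bytes_per_day == 0:
        raise ValueError("logging rate is zero")
    return capacity_bytes / bytes_per_day


def estimate(retention_days, samples_per_second):
    """Run the whole procedure and return the intermediate values for review."""
    avg = average_rate(samples_per_second)
    per_day = daily_log_count(avg)
    return {
        "avg_logs_per_second": avg,
        "logs_per_day": per_day,
        "storage_bytes": required_storage_bytes(retention_days, per_day),
    }


# Constructed samples: summed per-second rates across all firewalls at four
# sampling times (two peak, two off-peak). They average 246 logs/s, which is
# 21,254,400 logs/day, the rate used in the guide's example.
SAMPLES = [180, 320, 260, 224]

if __name__ == "__main__":
    result = estimate(30, SAMPLES)
    print(f"{result['logs_per_day']:,.0f} logs/day -> {result['storage_bytes'] / 1e9:.1f} GB for 30 days")
    days = retention_days_for_capacity(11_000_000_000, result["logs_per_day"])
    print(f"default ~11GB allocation holds about {days:.1f} days at this rate")
```

At the guide's example rate the default allocation holds well under three days of logs, which is why the guide tells you to size additional storage during setup rather than after retention has already been lost.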


Set Up the Panorama Virtual Appliance
The Panorama virtual appliance consolidates the Panorama management and logging functions into a single
virtual appliance. This solution enables use of an existing VMware virtual infrastructure to easily deploy and
centrally administer and monitor the Palo Alto Networks firewalls in your network as described in the following
sections:


• Setup Prerequisites for the Panorama Virtual Appliance
• Install Panorama on the ESX(i) Server
• Perform Initial Configuration of the Panorama Virtual Appliance
• Expand Log Storage Capacity on the Panorama Virtual Appliance
• Complete the Panorama Virtual Appliance Setup
You cannot use the Panorama virtual appliance as a dedicated Log Collector. Only an M-100 appliance in Log
Collector mode provides dedicated log collection capabilities (see Set Up the M-100 Appliance). However, you
can use the Panorama virtual appliance to manage a dedicated Log Collector.

Setup Prerequisites for the Panorama Virtual Appliance
To set up a Panorama virtual appliance efficiently, complete the following tasks before you begin:



• Verify that your server meets the minimum system requirements for installing Panorama. These
requirements apply to Panorama 5.1 and later releases.

Prerequisites for the Panorama Virtual Appliance

• 64-bit kernel-based VMware ESX(i) 5.1 or 5.5
• A client computer with one of the following: VMware vSphere Client or VMware Infrastructure Client that is
compatible with your ESX(i) server
• Use the following guidelines for allocating CPU and memory:
– Less than 10 managed firewalls: 4 cores and 4GB
– Between 10 and 50 managed firewalls: 8 cores and 8GB
– More than 50 managed firewalls: 8 cores and 16GB
• 40GB disk space
Regardless of the total disk space, Panorama allocates approximately 11GB for log storage. Increasing the disk
space doesn’t increase the log storage capacity. To Expand Log Storage Capacity on the Panorama Virtual
Appliance, you must add a virtual disk or set up access to a Network File System (NFS) datastore.

VMware concepts and terminology are not covered in this document. This guide assumes familiarity with the
VMware suite of products that are required to create the virtual appliance.

• Register the Panorama serial number on the support site at https://support.paloaltonetworks.com (see
Register Panorama). Palo Alto Networks will have sent you the serial number by email. After registering
the serial number on the support site, you gain access to the Panorama software downloads page.


Install Panorama on the ESX(i) Server
Use these instructions to install a new Panorama virtual appliance. If you are upgrading your existing Panorama
virtual appliance, skip to Install Content and Software Updates for Panorama.
Install Panorama on the ESX(i) Server

Step 1: Download and extract the Panorama base image zip file to the server on which you will be installing
Panorama. The virtual appliance installation uses the Open Virtual Machine Format (OVF) template file, which
is included in the base image.
1. Go to https://support.paloaltonetworks.com and download the Panorama Base Image zip file.
2. Unzip the Panorama base image zip file, and extract the panorama-esx.ovf file. This .ovf template file is
required for installing Panorama.

Step 2: Access the ESX(i) server.
Launch the VMware vSphere Client and connect to the VMware server.

Step 3: Install Panorama. Starting with Panorama 5.1, the Panorama virtual appliance is installed as a 64-bit
virtual machine.
1. Choose File > Deploy OVF Template.
2. Browse to select the panorama-esx.ovf file from the recently unzipped Panorama base image, and click Next.
3. Confirm that the product name and description match the downloaded version, and click Next.
4. Enter a descriptive name for the Panorama virtual appliance, and click Next.
5. Select a Datastore Location on which to install the Panorama image, and click Next.
Adding additional disk space does not increase the available log storage capacity on Panorama. To expand
log capacity, you must add a virtual disk or set up access to an NFS datastore. See Expand Log Storage
Capacity on the Panorama Virtual Appliance.
6. Select Thick Provision Lazy Zeroed as the disk format, and click Next.
7. Specify which networks in the inventory must be used for the Panorama virtual appliance.
8. Confirm the selected options and then click Finish to begin the installation process.
9. When the installation completes, select the Panorama virtual appliance, and click Edit Settings... to define
the following settings:
a. Verify that you have allocated the appropriate amount of memory: at least 4GB.
b. Select Linux as the Guest Operating System and for the Version select Other Linux (64-bit).
c. For the SCSI controller, select LSI Logic Parallel.

Step 4: Power on the Panorama virtual appliance.
Click the Power On button. When the Panorama virtual appliance boots, the installation process is complete.

Continue with Perform Initial Configuration of the Panorama Virtual Appliance.

Perform Initial Configuration of the Panorama Virtual Appliance
Use the Panorama virtual appliance console on the ESX(i) server to set up network access to the Panorama
virtual appliance. To complete initial configuration, you must first configure the management interface, then
access the Panorama web interface to add the serial number for the virtual appliance, and define the time zone
for the Panorama virtual appliance. For unified reporting, consider using GMT or UTC as the uniform time
zone across all the managed devices and Panorama.

Configure the Management Interface of the Panorama Virtual Appliance

Step 1: Gather the required information from your network administrator.
• IP address for MGT port
• Netmask
• Default gateway
• DNS server IP address

Step 2: Access the console of the Panorama virtual appliance.
1. Select the Console tab on the ESX(i) server for the virtual Panorama. Press enter to access the login screen.
2. Enter the default username/password (admin/admin) to log in.
3. Enter configure to switch to configuration mode.

Step 3: Configure the network access settings for the management interface. The management interface is
used for management traffic, HA connectivity synchronization, log collection, and communication within
Collector Groups.
Enter the following command:
set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP>
dns-setting servers primary <DNS-IP>
where <Panorama-IP> is the IP address you want to assign to the Panorama management interface,
<netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the
IP address of the DNS server.

Step 4: Commit your changes and exit the configuration mode.
1. Enter commit.
2. Enter exit.

Step 5: Verify network access to external services required for firewall management, such as the Palo Alto
Networks Update Server.
To verify that Panorama has external network access, use the ping utility. Verify connectivity to the default
gateway, DNS server, and the Palo Alto Networks Update Server as shown in the following example:
admin@Panorama> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=40.5 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=53.6 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=79.5 ms

After verifying connectivity, press Ctrl+C to stop the pings.
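An added example (code written for this page, not from the guide or from Palo Alto Networks) that checks the four values gathered in Step 1 for consistency before they go into the Step 3 command, and lists the Step 5 targets to verify afterwards. A gateway outside the management subnet, or an address that is the subnet's network or broadcast address, is the kind of mistake that leaves the appliance unreachable after the commit in Step 4, with only the console left to recover it. It uses Python's standard ipaddress module; the addresses are constructed, and the functions are this example's own, not a Panorama feature.

```python
import ipaddress


def build_mgt_command(panorama_ip, netmask, gateway_ip, dns_ip):
    """Validate the Step 1 values and return the Step 3 CLI command.
    Raises ValueError listing every problem found instead of producing a command
    that would leave the management interface unreachable after commit."""
    # IPv4Interface accepts a dotted netmask and rejects non-contiguous masks.
    iface = ipaddress.IPv4Interface(f"{panorama_ip}/{netmask}")
    gateway = ipaddress.IPv4Address(gateway_ip)
    dns = ipaddress.IPv4Address(dns_ip)
    net = iface.network

    problems = []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gateway not in net:
        problems.append(f"default gateway {gateway} is outside {net}")
    if gateway == iface.ip:
        problems.append("default gateway must not equal the Panorama IP")
    if problems:
        raise ValueError("; ".join(problems))

    return (f"set deviceconfig system ip-address {iface.ip} netmask {net.netmask} "
            f"default-gateway {gateway} dns-setting servers primary {dns}")


def verification_targets(gateway_ip, dns_ip, update_server="updates.paloaltonetworks.com"):
    """The hosts Step 5 tells you to ping, in the order the guide lists them."""
    return [
        str(ipaddress.IPv4Address(gateway_ip)),
        str(ipaddress.IPv4Address(dns_ip)),
        update_server,
    ]


# Constructed values standing in for what a network administrator would supply.
MGT = {
    "panorama_ip": "10.0.0.5",
    "netmask": "255.255.255.0",
    "gateway_ip": "10.0.0.1",
    "dns_ip": "10.0.0.53",
}

if __name__ == "__main__":
    print(build_mgt_command(**MGT))
    for host in verification_targets(MGT["gateway_ip"], MGT["dns_ip"]):
        print(f"verify with: ping host {host}")
```

The command string is the one the guide gives for Step 3 with the placeholders filled in; the checks are what a practitioner would do by hand before pressing commit on a console session.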

Configure the Serial Number and Time Zone of the Panorama Virtual Appliance

Step 1: Log in to the Panorama web interface.
Using a secure connection (https) from a web browser, log in using the IP address and password you assigned
to the management interface (https://<IP address>).

Step 2: (Optional) Modify the management interface settings.
1. Select Panorama > Setup > Management and edit the Management Interface Settings.
2. Select which management services to allow on the interface. For example, to enable SSH access, select SSH.
As a best practice, make sure Telnet and HTTP are not selected because these services use plaintext and are
not as secure as the other services.
3. Click OK. Click Commit and select Panorama as the Type and click OK.

Step 3: Configure the general settings.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT or
UTC.
Timestamps are recorded when the logs are received on Panorama and when they were generated on the
firewalls. Aligning the time zones on both Panorama and the managed firewalls ensures that the timestamps
are in sync, and the process of querying logs and generating reports on Panorama is harmonious.
3. Enter a Hostname for the server and enter the network Domain name. The domain name is just a label; it
will not be used to join the domain.
4. Enter the Latitude and Longitude to enable accurate placement of the server on the world map.
5. Enter the Serial Number. This was sent to you with the order fulfillment email.
6. Click OK.

Step 4: Change the default admin password.
1. Click on the admin link in the lower left part of the management console. A dialog to change the
administrator’s password displays.
2. Enter the Old Password and the New Password in the appropriate fields and store the new password in a
safe location.
3. Click OK.
To ensure that the management interface remains secure, consider enforcing Minimum Password Complexity
and defining an interval at which administrators must change their passwords.

Step 5: Save your configuration changes.
Click Commit, select Panorama as the Commit Type, then click OK.

Expand Log Storage Capacity on the Panorama Virtual Appliance
By default, the Panorama virtual appliance has a single disk partition for all data in which, regardless of the total
disk size, approximately 11GB is allocated for log storage. Increasing the disk size doesn’t increase the log
storage capacity. If you need up to 2TB of disk space, add a virtual disk. If you need more than 2TB, use an NFS
datastore. Before expanding log storage capacity, Determine Panorama Log Storage Requirements.
For additional log storage, you can also forward firewall logs to Dedicated Log Collectors (see
Configure a Managed Collector) or Enable Log Forwarding from Panorama to External
Destinations.


• Add a Virtual Disk to the Panorama Virtual Appliance
• Mount the Panorama Virtual Appliance to an NFS Datastore

Add a Virtual Disk to the Panorama Virtual Appliance
To expand log storage capacity beyond the approximately 11GB internal storage allocated by default on the
Panorama virtual appliance, you can add another virtual disk of up to 2TB.
If Panorama loses connectivity to the new virtual disk, Panorama might lose logs during the failure
interval.
To allow for redundancy, use the virtual disk in a RAID configuration. RAID10 provides the best
write performance for applications with high logging characteristics.
If necessary, you can Replace the Virtual Disk on a Panorama Virtual Appliance.

Add a Virtual Disk to the Panorama Virtual Appliance

Step 1: Power off the Panorama virtual appliance.

Step 2: On the ESX(i) server, add the virtual disk to the Panorama virtual appliance.
1. Select the Panorama virtual appliance on the ESX(i) server.
2. Click Edit Settings.
3. Click Add to launch the Add Hardware wizard, and select the following options when prompted:
a. Select Hard Disk for the hardware type.
b. Select Create a new virtual disk.
c. Select SCSI as the virtual disk type.
d. Select the Thick provisioning disk format.
e. In the location field, select Store with the virtual machine option. The datastore does not have to reside on
the ESX(i) server.
f. Verify that the settings look correct and click Finish to exit the wizard. The new disk is added to the list of
devices for the virtual appliance.

Step 3: Power on the Panorama virtual appliance.
When powered on, the virtual disk is initialized for first-time use. The time that the initialization process takes
to complete varies by the size of the new virtual disk.
When the virtual disk is initialized and ready, all existing logs on the internal storage are moved over to the new
virtual disk. All new entries will now be written to the virtual disk.

Step 4: Verify the size of the virtual disk.
1. Select Panorama > Setup > Management.
2. In the Logging and Reporting Settings section, verify that the Log Storage capacity accurately displays the
new disk capacity.

Mount the Panorama Virtual Appliance to an NFS Datastore
Mounting the Panorama virtual appliance to an NFS datastore provides the ability to write logs to a centralized
location and offers the flexibility to expand the log storage capacity beyond 2TB. Before setting up an NFS
datastore in a Panorama high availability configuration, see Logging Considerations in Panorama HA.


Mount the Panorama Virtual Appliance to an NFS Datastore

Step 1: Set up access to the datastore.
1. Select Panorama > Setup > Operations.
2. Click the Storage Partition Setup link in the Miscellaneous section.
3. Select NFS V3.
4. Enter the IP address of the NFS Server.
5. Enter the location/path for storing the log files in the Log Directory field. For example, export/panorama.
6. Select the protocol—TCP or UDP—and enter the Port for accessing the NFS server.
To use NFS over TCP, the NFS server must support it. Common NFS ports are UDP/TCP 111 for RPC and
UDP/TCP 2049 for NFS.
7. For optimal NFS performance, in the Read Size and Write Size fields, specify the maximum size of the
chunks of data that the client and server pass back and forth to each other. Defining a read/write size
optimizes the data volume and speed in transferring data between Panorama and the NFS datastore.
8. Select Test Logging Partition to verify that Panorama is able to access the NFS server IP address and the
directory location specified above.
9. (Optional) Select the Copy on Setup option. This setting copies the existing logs stored on Panorama to the
NFS volume. If you have a lot of existing logs, enabling the Copy on Setup option might initiate the transfer
of a large volume of data.
10. Click Commit and select Panorama as the Commit Type to save the changes.

Step 2: Reboot the Panorama virtual appliance. Until a reboot is initiated, logs will be written to the local
storage disk on the Panorama virtual appliance.
To begin writing logs to the NFS datastore, reboot the virtual Panorama.
1. Select Panorama > Setup > Operations.
2. In the Device Operations section, select Reboot Panorama.

Complete the Panorama Virtual Appliance Setup
Now that initial configuration is complete, continue with the following sections for additional configuration
instructions:


• Activate a Panorama Support License
• Activate/Retrieve a Device Management License on the Panorama Virtual Appliance
• Install Content and Software Updates for Panorama
• Access and Navigate Panorama Management Interfaces
• Set Up Administrative Access to Panorama
• Manage Firewalls


Set Up the M-100 Appliance
The M-100 management appliance is a high performance hardware platform that you can deploy in two modes:


• Panorama mode—The appliance performs both the central management and log collection functions. This
is the default mode.
• Log Collector mode—The appliance functions as a dedicated Log Collector. If multiple firewalls forward
large volumes of log data, the M-100 appliance in Log Collector mode provides increased scale and
performance. In this mode, the appliance does not have a web interface, only a command-line interface
(CLI). However, you manage the appliance using the Panorama management server (M-100 appliance in
Panorama mode or a Panorama virtual appliance). CLI access to an M-100 appliance in Log Collector mode
is only necessary for initial setup and debugging.

The Panorama M-100 appliance supports separate interfaces for configuration (of firewalls, Log Collectors, and
Panorama itself), log collection, and communication within Collector Groups. By default, the M-100 appliance
uses the MGT (Eth0) interface for all three functions. Only the MGT interface can support the configuration
function. For the log collection and Collector Group communication functions, you can assign the Eth1 or Eth2
interface to perform either or both when you Perform Initial Configuration of the M-100 Appliance. You
cannot assign multiple interfaces to a single function. The M-100 Hardware Reference Guide explains where to
attach cables for the MGT, Eth1, and Eth2 interfaces on the M-100 appliance. To support separate interfaces,
the M-100 appliances (in Panorama or Log Collector mode) must have Panorama 6.1 or later installed and the
firewalls must have PAN-OS 6.0 or later installed.
Use the following workflows for setting up an M-100 appliance:

M-100 Appliance in Panorama Mode
Step 1 Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
Step 2 Perform Initial Configuration of the M-100 Appliance
Step 3 Register Panorama and Install Licenses
Step 4 Install Content and Software Updates for Panorama
Step 5 (Optional) Increase Storage on the M-100 Appliance
Step 6 Set Up Administrative Access to Panorama
Step 7 Manage Firewalls
Step 8 Manage Log Collection

M-100 Appliance in Log Collector Mode
Step 1 Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
Step 2 Perform Initial Configuration of the M-100 Appliance
Step 3 Register Panorama and Install Licenses
Step 4 Install Content and Software Updates for Panorama
Step 5 (Optional) Increase Storage on the M-100 Appliance
Step 6 Switch from Panorama Mode to Log Collector Mode
Step 7 Manage Log Collection


Perform Initial Configuration of the M-100 Appliance
By default, Panorama has an IP address of 192.168.1.1 and a username/password of admin/admin. For security
reasons, you must change these settings before continuing with other configuration tasks. You must perform
these initial configuration tasks either from the MGT interface or using a direct serial port connection to the
console port on the M-100 appliance.
Perform Initial Configuration of the M-100 Appliance

Step 1 Gather the required interface and server information from your network administrator.
• Gather the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for each interface (MGT,
  Eth1, and/or Eth2) that Panorama will use for configuration, log collection, and Collector Group communication.
  Only the MGT interface is mandatory.
• Gather the IP addresses of the DNS servers.
Panorama uses the Management (MGT) interface for configuration (of firewalls, Log Collectors, and Panorama itself)
and for high availability (HA) synchronization between peers. It is a best practice to use the Eth1 and/or Eth2
interfaces for log collection and/or Collector Group communication. By default, the M-100 appliance uses the MGT
interface for these functions.
Step 2

Connect your computer to the M-100
appliance.

Connect to the M-100 appliance in one of the following ways:
• Attach a serial cable from a computer to the Console port on the
M-100 appliance and connect using a terminal emulation
software (9600-8-N-1).
• Attach an RJ-45 Ethernet cable from a computer to the MGT
port on the M-100 appliance. From a browser, go to
https://192.168.1.1. Enabling access to this URL might require
changing the IP address on the computer to an address in the
192.168.1.0 network (for example, 192.168.1.2).

Step 3

When prompted, log in to the appliance. Log in using the default username and password (admin/admin).
The appliance will begin to initialize.


Step 4 Configure the network access settings for each interface that Panorama will use for configuration, log
collection, and Collector Group communication.
1. Select Panorama > Setup > Management.
2. Edit the Interface Settings of each interface that Panorama will use: Management, Eth1, and/or Eth2. Only the
   Management interface is mandatory.
   a. Complete one of the following field sets, depending on the IP protocol of your network:
      – IPv4—IP Address, Netmask, and Default Gateway
      – IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
   b. (Optional) Select the check boxes for the management services to allow on the interface. Ping is the only
      option for Eth1 and Eth2. As a best practice, clear the Telnet and HTTP check boxes for the Management
      interface: these services use plaintext and so are less secure than others.
   c. Click OK to save your changes.
Step 5 Configure the hostname, time zone, and general settings.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT or UTC.
   PAN-OS records timestamps when the firewalls generate logs and when Panorama receives the logs. Aligning the time
   zones ensures that the timestamps are synchronized and that the process of querying logs and generating reports
   on Panorama is harmonious.
3. Enter a Hostname for the server. Panorama uses this as the display name/label for the appliance. For example, this
   is the name that appears at the CLI prompt. It also appears in the Collector Name field if you add the appliance
   as a Managed Collector on the Panorama > Managed Collectors page.
4. Enter your network Domain name. The domain name is just a label; Panorama does not use it to join the domain.
5. (Optional) Enter the Latitude and Longitude to enable accurate placement of the server on the world map. The App
   Scope > Traffic Maps and App Scope > Threat Maps use these values.
6. Click OK.


Step 6 Configure the DNS and update servers.
1. Select Panorama > Setup > Services and edit the settings.
2. Enter the IP address of the Primary DNS Server and (optionally) of the Secondary DNS Server.
3. The default Update Server is updates.paloaltonetworks.com. If you need to specify a particular update resource,
   refer to the PAN-OS Administrator’s Guide (web resources for content delivery) for a list of URLs and static
   addresses.
   Select the Verify Update Server Identity check box if you want Panorama to verify that the server from which it
   downloads software or content packages has an SSL certificate that a trusted authority signed. This option adds
   an additional level of security for communication between the Panorama management server and update server.
4. Click OK to save your entries.

Step 7 Change the default admin password.
To ensure that the management interface remains secure, enforce Minimum Password Complexity and specify the
interval at which administrators must change their passwords.
1. Click the admin link in the lower left part of the management console.
2. Enter the old administrator password and new password in the appropriate fields, then store the new password in a
   safe location.
3. Click OK and Commit, select Panorama as the Commit Type, then click OK.

Step 8 Verify network access to external services required for firewall management, such as the Palo Alto Networks
Update Server.
To verify that Panorama has external network access, use the ping utility. Verify connectivity to the default
gateway, DNS server, and the Palo Alto Networks Update Server as shown in the following example:
admin@Panorama> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=40.5 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=53.6 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=79.5 ms

After verifying connectivity, press Ctrl+C to stop the pings.

Continue with Register Panorama and Install Licenses and Install Content and Software Updates for Panorama,
regardless of whether you plan on using the M-100 appliance in Panorama mode or in Log Collector mode.

Switch from Panorama Mode to Log Collector Mode
Using an M-100 appliance as a Log Collector offloads the task of processing logs from the Panorama
management server to a dedicated appliance. Perform the steps below to convert an M-100 appliance from
Panorama mode to Log Collector mode. Ensure that the Panorama management server (virtual appliance or
M-100 appliance in Panorama mode) that will manage the firewalls and the Log Collector is already set up.


In Log Collector mode, the M-100 appliance does not support the web interface for configuration
tasks; it supports only SSH access. Therefore, before changing the mode on the M-100
appliance, Perform Initial Configuration of the M-100 Appliance and use the web interface in
Panorama mode to Activate/Retrieve a Device Management License on the M-100 Appliance.
To send logs to an M-100 appliance in Log Collector mode, the Palo Alto Networks firewalls must
run PAN-OS 5.0 or later versions. Palo Alto Networks firewalls running PAN-OS versions earlier
than 5.0 can only send logs to an M-100 appliance in Panorama mode or to a Panorama virtual
appliance.

Switch From Panorama Mode to Log Collector Mode

Step 1

Access the Command Line Interface
(CLI) on the M-100 appliance.

Connect to the M-100 appliance in one of the following ways:
• Attach a serial cable from a computer to the Console port on the
M-100 appliance. Then, connect using a terminal emulation
software (9600-8-N-1).
• Use a terminal emulation software such as PuTTY to open an
SSH session to the IP address assigned to the M-100 appliance
during initial configuration.

Step 2

When prompted, log in to the appliance. Use the default admin account and the password assigned during
initial configuration.

Step 3 Switch from Panorama mode to Log Collector mode.
1. To switch to Log Collector mode, enter the following command:
   request system logger-mode logger
2. Enter Yes to confirm the change to Log Collector mode. The appliance will reboot. If you see a CMS Login prompt,
   press Enter without typing a username or password. When the Panorama login prompt appears, enter the default
   admin account and the password assigned during initial configuration.

Step 4 Verify that the appliance is in Log Collector mode.
1. Log back in to the CLI on the M-100 appliance.
2. Enter the following command:
   show system info | match logger_mode
   The response printed on screen reads as logger_mode: True
   If the value displays as False, the M-100 appliance is still in Panorama mode.
Step 5

Specify the IP address of the Panorama
appliance that is managing the Log
Collector.

Enter the following commands in the CLI:
configure
set deviceconfig system panorama-server <ip_address>
commit

Now that you have successfully set up your M-100 appliance, for further instructions on assigning a Log
Collector to a firewall, defining Collector Groups, and managing the Log Collector using Panorama, see Manage
Log Collection.


Increase Storage on the M-100 Appliance
The M-100 appliance ships with two disks in a RAID1 configuration. Each M-100 appliance allows for the
addition of up to three additional disk pairs in RAID1, each with a storage capacity of 1TB, to reach a maximum
capacity of 4 TB RAID storage.
Before expanding log storage capacity, Determine Panorama Log Storage Requirements.
If you need more log storage than the Panorama virtual appliance supports, you can forward
firewall logs to Dedicated Log Collectors (see Configure a Managed Collector) or Enable Log
Forwarding from Panorama to External Destinations.
If adding disk pairs to an already deployed M-100 appliance, you do not need to take the system
offline to expand the storage capacity. When the additional disk pairs become available, the
M-100 appliance redistributes the logs among the disk pairs. This log redistribution process
happens in the background and does not impact uptime or the availability of the M-100 appliance.

Increase Storage on the M-100 Appliance

Step 1

Install the new disks in the appropriate
drive bays.

Make sure to add the drives sequentially in the next open disk bay
slot for the disk pair. For example, add B1/B2 before C1/C2.
For information on adding the physical drives, refer to the M-100
Hardware Reference Guide.

Step 2

Access the Command Line Interface
(CLI) on the M-100 appliance.

You can connect to the M-100 appliance in one of the following
ways:
• Connect a serial cable from your computer to the Console port
and connect to the M-100 appliance using terminal emulation
software (9600-8-N-1).
• Use a terminal emulation software such as PuTTY to open an
SSH session to the IP address of the M-100 appliance.

Step 3

When prompted, log in to the appliance. Use the default admin account and the password assigned.


Step 4 Set up each additional disk pair in a RAID configuration.
This example uses the drives in the disk bays B1 and B2.
1. Enter the following commands and confirm the request when prompted:
   request system raid add B1
   request system raid add B2
   The time required to mirror the data on the drive may vary from several minutes to a couple hours, depending on
   the amount of data on the drive.
2. To monitor the progress of the RAID configuration, enter the following command:
   show system raid detail
   When the RAID set up is complete, the following response displays:
   Disk Pair A                 Available
      Status                   clean
      Disk id A1               Present
         model                 : ST91000640NS
         size                  : 953869 MB
         status                : active sync
      Disk id A2               Present
         model                 : ST91000640NS
         size                  : 953869 MB
         status                : active sync
   Disk Pair B                 Available
      Status                   clean
      Disk id B1               Present
         model                 : ST91000640NS
         size                  : 953869 MB
         status                : active sync
      Disk id B2               Present
         model                 : ST91000640NS
         size                  : 953869 MB
         status                : active sync

Step 5 Make the disk pair available for logging.
To enable the disk pairs for logging, this appliance must have been added as a Managed Collector on Panorama. If
you have not already added it, see Configure a Managed Collector.
1. Access the Panorama management server that is managing this Log Collector (if it is a different appliance).
2. On the Panorama > Managed Collectors tab, select the Log Collector and follow the instructions in Step 10 in
   Configure a Managed Collector.
3. Click Commit, for the Commit Type select Panorama, then click OK.
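As an added example (not tooling from the guide or from Palo Alto Networks), the following Python parses the `show system raid detail` listing from Step 4 above and reports any pair that is not yet a complete, clean two-disk mirror, and also reads the `logger_mode` line from Step 4 of the mode-switch procedure earlier in this section. Both samples are constructed from the layout shown on this page; the status text a real appliance prints while a mirror is still rebuilding is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample of the `show system raid detail` output shown in Step 4,
# with both disk pairs fully mirrored (not captured from a real appliance).
RAID_OK = """\
Disk Pair A                 Available
   Status                   clean
   Disk id A1               Present
      model                 : ST91000640NS
      size                  : 953869 MB
      status                : active sync
   Disk id A2               Present
      model                 : ST91000640NS
      size                  : 953869 MB
      status                : active sync
Disk Pair B                 Available
   Status                   clean
   Disk id B1               Present
      model                 : ST91000640NS
      size                  : 953869 MB
      status                : active sync
   Disk id B2               Present
      model                 : ST91000640NS
      size                  : 953869 MB
      status                : active sync
"""

# Constructed sample in which the last disk (B2) is still being mirrored. The
# status text a real appliance prints while mirroring is an assumption here.
_last = RAID_OK.rfind("active sync")
RAID_SYNCING = RAID_OK[:_last] + "spare rebuilding" + RAID_OK[_last + len("active sync"):]

PAIR_RE = re.compile(r"^\s*Disk Pair (\S+)\s+(\S+)\s*$")
PAIR_STATUS_RE = re.compile(r"^\s*Status\s+(\S+)\s*$")
DISK_RE = re.compile(r"^\s*Disk id (\S+)\s+(\S+)\s*$")
FIELD_RE = re.compile(r"^\s*(model|size|status)\s*:\s*(.+?)\s*$")


def parse_raid_detail(text: str) -> Dict[str, dict]:
    """Turn the indented CLI listing into {pair: {state, status, disks: {id: {...}}}}."""
    pairs: Dict[str, dict] = {}
    pair = None
    disk = None
    for line in text.splitlines():
        if m := PAIR_RE.match(line):
            pair = pairs.setdefault(m.group(1), {"state": m.group(2), "status": None, "disks": {}})
            disk = None
        elif (m := PAIR_STATUS_RE.match(line)) and pair is not None:
            pair["status"] = m.group(1)
        elif (m := DISK_RE.match(line)) and pair is not None:
            disk = pair["disks"].setdefault(m.group(1), {"present": m.group(2)})
        elif (m := FIELD_RE.match(line)) and disk is not None:
            disk[m.group(1)] = m.group(2)
    return pairs


def raid_problems(pairs: Dict[str, dict]) -> List[str]:
    """Return findings; an empty list means every pair is a complete, clean two-disk mirror."""
    problems: List[str] = []
    for name, pair in sorted(pairs.items()):
        if pair["state"] != "Available":
            problems.append(f"pair {name}: state {pair['state']!r}, expected 'Available'")
        if pair["status"] != "clean":
            problems.append(f"pair {name}: status {pair['status']!r}, expected 'clean'")
        if len(pair["disks"]) != 2:
            problems.append(f"pair {name}: {len(pair['disks'])} disk(s) listed, expected 2")
        for disk_id, disk in sorted(pair["disks"].items()):
            if disk.get("present") != "Present":
                problems.append(f"disk {disk_id}: {disk.get('present')!r}, expected 'Present'")
            if disk.get("status") != "active sync":
                problems.append(f"disk {disk_id}: status {disk.get('status')!r}, expected 'active sync'")
    return problems


def logger_mode_enabled(output: str) -> bool:
    """Read the `show system info | match logger_mode` line from the mode-switch check."""
    m = re.search(r"logger_mode:\s*(True|False)", output)
    if m is None:
        raise ValueError("no logger_mode line in output")
    return m.group(1) == "True"


if __name__ == "__main__":
    for label, sample in (("complete", RAID_OK), ("still mirroring", RAID_SYNCING)):
        print(label, raid_problems(parse_raid_detail(sample)) or "all pairs clean")
    print("logger mode:", logger_mode_enabled("logger_mode: True"))
```

Feed it the text you capture from an SSH session; a non-empty findings list means the pair is not ready to be enabled for logging in Step 5.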

For further instructions on adding a Log Collector as a Managed Collector on Panorama, defining Collector
Groups, or assigning a Log Collector to a firewall, see Manage Log Collection.

Migrate from a Panorama Virtual Appliance to an M-100
Appliance
On a Panorama virtual appliance that has a logging rate of over 10,000 logs per second, migrating to the M-100
appliance will provide improved response time on the web interface and speedier execution of reports. The
M-100 appliance also provides up to 4TB of RAID storage. Use the instructions in the following topics to
migrate the configuration from the Panorama virtual appliance over to an M-100 appliance.


• Prerequisites for Migrating to an M-100 Appliance
• Plan to Migrate to an M-100 Appliance
• Migrate to an M-100 Appliance
• Resume Firewall Management after Migrating to an M-100 Appliance

Prerequisites for Migrating to an M-100 Appliance
The following are prerequisites for migrating your current subscription:
• Purchase an M-100 appliance.
• Obtain a migration upgrade and purchase a new subscription that includes software and hardware support.
• Provide your sales representative the serial number of the Panorama virtual appliance you will phase out, the
  desired support terms for the M-100 appliance, the auth-code you received when you purchased the appliance, and
  the effective date for the migration. On the effective date, Palo Alto Networks will automatically apply the
  associated authorization codes to the serial number of your management appliance, phase out support for the
  Panorama virtual appliance, and trigger support for the M-100 appliance. Starting at the effective date, you will
  have a limited time to complete the migration. At the end of the period, Palo Alto Networks terminates the support
  entitlement on the Panorama virtual appliance and you can no longer receive software or threat updates. For
  details on the license migration process, refer to the Knowledge Base article Panorama VM License Migration to
  the M-100 Platform.

Plan to Migrate to an M-100 Appliance
• Plan on completing this migration during a maintenance window. Although the firewalls can buffer the logs and
  forward them to Panorama when the connection is reestablished, completing the migration during a maintenance
  window minimizes loss of log data during the transition time when the Panorama virtual appliance goes offline and
  the M-100 appliance comes online.
• Consider whether to maintain access to the Panorama virtual appliance after completing the migration. Because the
  log format on the Panorama virtual appliance is incompatible with that on the M-100 appliance, existing log data
  cannot migrate over to the M-100 appliance. Therefore, to access the old logs the Panorama virtual appliance must
  remain accessible.
• Decide whether to use the same IP address on the M-100 appliance or to assign a new one. Palo Alto Networks
  recommends reusing the same management IP address to prevent the need to reconfigure each managed firewall to
  point to a new IP address.
  If you have log compliance requirements, plan to reconfigure a new IP address on the Panorama virtual appliance to
  maintain access to the old logs for generating reports.
• Keep a new IP address at hand for use in setting up connectivity to the M-100 appliance during initial
  configuration. If you have decided to transfer the IP address that was assigned to the Panorama virtual appliance,
  this new IP address will be used temporarily. When you restore the configuration file from the Panorama virtual
  appliance on the M-100 appliance, this new IP address will be overwritten.

Migrate to an M-100 Appliance
To migrate the configuration from the Panorama virtual appliance to the M-100 appliance, you must perform
tasks on the Panorama virtual appliance and on the M-100 appliance.
Complete the following tasks on the Panorama virtual appliance:
Migrate to an M-100 Appliance: Tasks Performed on the Panorama Virtual Appliance

Step 1 Upgrade to the latest Panorama version.
See Install Content and Software Updates for Panorama.

Step 2 Export the running configuration on the virtual Panorama.
1. In the Panorama > Setup > Operations tab, Configuration Management section, select Export named Panorama
   configuration snapshot.
2. Select the active configuration (running-config.xml) and click OK. The file is downloaded and saved to the local
   machine.
3. Rename the file.

Step 3 Power off the VM or change the IP address.
If you plan on reusing the MGT interface IP address that was configured on the Panorama virtual appliance on the
M-100 appliance, you can either power off the virtual appliance or assign a new IP address to the MGT port on the
virtual appliance.
To change the IP address, on the Panorama > Setup tab, edit the Management Interface Settings section and enter the
new IP address.

Complete the following tasks on the Panorama M-100 appliance:
Migrate to an M-100 Appliance: Tasks Performed on the M-100 Appliance

Step 1

Set up network access.

See Perform Initial Configuration of the M-100 Appliance for
instructions.
Consider assigning a new temporary IP address during initial
configuration on the M-100 appliance and reusing the IP address
that was assigned to the Panorama virtual appliance. The temporary
IP address will be overwritten when you import the configuration
later in this process.


Step 2 Install the same Panorama version as that running on the Panorama virtual appliance.
Install the same Panorama version that you selected in Step 1 above. For instructions on performing the upgrade, see
Install Content and Software Updates for Panorama.

Step 3

Register Panorama and retrieve the
license.

See Register Panorama and Install Licenses.

Step 4

Upgrade to the latest Panorama version.

See Install Content and Software Updates for Panorama.

Step 5 Import and load the configuration file.
1. In the Panorama > Setup > Operations tab, Configuration Management section, select Import named Panorama
   configuration snapshot.
2. Browse to select the running-config.xml (or the renamed file) and click OK.
3. Select the Load named Panorama configuration snapshot link to load the configuration file you just imported.
   Any errors that occur when loading the configuration file are displayed onscreen.
4. If errors occurred, save them to a local file. Review and resolve each error to ensure the migration included all
   configuration components.

Step 6 Review and modify the configuration on Panorama.
1. If you do not plan to reuse the same network access settings for the MGT interface, modify the values:
   a. Select Panorama > Setup and edit the Management Interface Settings.
   b. Enter the IP Address, Netmask, and Default Gateway.
   c. Confirm that the list of IP addresses defined in the Permitted IP Addresses list is accurate.
2. To change the hostname, edit the General Settings section of the Panorama > Setup tab.
3. Confirm that the administrative access settings (administrators, roles, and access domains) configured on the
   appliance are accurate on the Panorama > Administrators tab, Panorama > Admin Roles tab, and Panorama > Access
   Domains tab.
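As an added example (not the guide's own tooling), this Python audits an exported running-config.xml for the items Step 6 tells you to re-check before the commit: the management interface values, the plaintext Telnet and HTTP services that Step 4 of the initial configuration says to clear, and whether every Permitted IP entry falls inside a source range you approve. The sample snapshot is constructed, and the element names it uses are an assumption modelled on PAN-OS set-command paths; the page itself does not show the file's layout.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Constructed snippet in the style of an exported running-config.xml. The element
# names under deviceconfig/system (service/disable-*, permitted-ip) are assumed
# from PAN-OS set-command paths; the guide itself does not show the file layout.
SAMPLE_SNAPSHOT = """\
<config version="6.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>panorama-vm</hostname>
          <ip-address>192.168.1.1</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>192.168.1.254</default-gateway>
          <service>
            <disable-telnet>no</disable-telnet>
            <disable-http>no</disable-http>
            <disable-ssh>no</disable-ssh>
            <disable-https>no</disable-https>
          </service>
          <permitted-ip>
            <entry name="10.0.0.0/8"/>
            <entry name="192.0.2.0/24"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# The same constructed snapshot after review: plaintext services off, only the approved range permitted.
HARDENED_SNAPSHOT = (
    SAMPLE_SNAPSHOT.replace("<disable-telnet>no", "<disable-telnet>yes")
    .replace("<disable-http>no", "<disable-http>yes")
    .replace('<entry name="192.0.2.0/24"/>', "")
)

SYSTEM_PATH = "./devices/entry/deviceconfig/system"


def _text(node) -> str:
    return (node.text or "").strip() if node is not None else ""


def audit_management_settings(xml_text: str, approved_sources: Iterable[str]) -> List[str]:
    """Return review findings for the MGT settings in a snapshot; an empty list means nothing to fix."""
    system = ET.fromstring(xml_text).find(SYSTEM_PATH)
    if system is None:
        return ["no deviceconfig/system element: not a Panorama configuration snapshot?"]
    findings: List[str] = []

    # Step 6 (1b): the interface values that must be re-entered if the address changes.
    for key in ("ip-address", "netmask", "default-gateway"):
        if not _text(system.find(key)):
            findings.append(f"management {key} is not set")

    # Step 4 (b) of initial configuration: Telnet and HTTP carry credentials in plaintext.
    service = system.find("service")
    for svc in ("telnet", "http"):
        node = service.find(f"disable-{svc}") if service is not None else None
        if _text(node).lower() != "yes":
            findings.append(f"{svc} is enabled on the management interface (plaintext service)")

    # Step 6 (1c): every permitted source should fall inside a range the operator approved.
    approved = [ipaddress.ip_network(n, strict=False) for n in approved_sources]
    entries = system.findall("permitted-ip/entry")
    if not entries:
        findings.append("permitted-ip list is empty: management access is not restricted by source")
    for entry in entries:
        name = entry.get("name", "")
        try:
            net = ipaddress.ip_network(name, strict=False)
        except ValueError:
            findings.append(f"permitted-ip entry {name!r} is not a valid address or network")
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in approved):
            findings.append(f"permitted-ip entry {name} is outside every approved source range")
    return findings


if __name__ == "__main__":
    for label, snap in (("imported", SAMPLE_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        print(label, audit_management_settings(snap, ["10.0.0.0/8"]) or "no findings")
```

Run it against the file you exported in Step 2 on the virtual appliance, passing the management networks you expect; any finding is something to correct in the web interface before the Step 8 commit.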

Step 7 Add the default Log Collector back to the M-100 appliance.
When importing the configuration from the Panorama virtual appliance, the default Log Collector is removed from the
M-100 appliance. To add the Log Collector back on the M-100 appliance, use the instructions in Configure a Managed
Collector.

Step 8 Save all your changes to Panorama.
After reviewing the configuration changes, click Commit. Select Panorama as the Commit Type and click OK.

Resume Firewall Management after Migrating to an M-100 Appliance
To resume central management, you must restore connectivity to the managed firewalls. Complete this task
during a maintenance window to minimize network disruption.
Resume Firewall Management after Migrating to an M-100 Appliance

Step 1

Log in to Panorama.

Using a secure connection (HTTPS) from a web browser, log in
using the IP address (https://<IP address>), username, and
password assigned during initial configuration.

Step 2 Synchronize the configuration on Panorama with those of the managed firewalls.
1. Select Panorama > Managed Devices, and verify that the Connected status of each device displays a check mark.
   The status for the Templates and Device Groups will display an Out of sync icon.
2. To synchronize the device groups:
   a. Click Commit and select Device Groups as the Commit Type.
   b. Select each device group and click OK.
3. To synchronize the templates:
   a. Click Commit and select Panorama as the Commit Type.
   b. Click Commit and select Template as the Commit Type.

Step 3 Verify the connection and synchronization status of the managed firewalls.
1. Select Panorama > Managed Devices.
2. Verify the Status of the following for each firewall:
   • In the Connected column, a check mark indicates the firewall is connected to Panorama.
   • In the Shared Policy column, the value In sync indicates the firewall configuration is synchronized with the
     device group in Panorama.
   • In the Template column, the value In sync indicates the firewall configuration is synchronized with the template
     in Panorama.


Register Panorama and Install Licenses
Before you can begin using Panorama for centralized management, logging, and reporting, you must register,
activate, and retrieve the Panorama licenses. Every instance of Panorama requires valid licenses that entitle you
to manage devices and obtain support. The device management license enforces the maximum number of
devices that Panorama can manage. The support license enables Panorama software updates and dynamic
content updates for the latest Applications and Threats signatures, among other updates that Palo Alto
Networks publishes. To purchase licenses, contact your Palo Alto Networks Systems Engineer or reseller.


• Register Panorama
• Activate a Panorama Support License
• Activate/Retrieve a Device Management License on the Panorama Virtual Appliance
• Activate/Retrieve a Device Management License on the M-100 Appliance
If you are running an evaluation license for device management on your Panorama virtual appliance and want to
apply a Panorama license that you purchased, perform the tasks Register Panorama and Activate/Retrieve a Device
Management License on the Panorama Virtual Appliance.

Register Panorama
Register Panorama

Step 1

Log in to the Panorama web interface.

Using a secure connection (https://<IP address>) from a web
browser, log in using the IP address and password you assigned
during initial configuration.

Step 2 Record the Panorama serial number or authorization code and record your Sales Order Number or Customer ID.
For the authorization code, Sales Order Number, or Customer ID, see the order fulfillment email that Palo Alto
Networks Customer Service sent when you placed your order for Panorama.
For the serial number, the location depends on the platform:
• M-100 appliance—See the Dashboard tab, General Information section, Serial # field.
• Panorama virtual appliance—See the order fulfillment email.

Step 3 Go to the Palo Alto Networks Support site.
In a new browser tab or window, go to https://support.paloaltonetworks.com.


Step 4 Register Panorama. The steps depend on whether you already have a login for the Support site.
• If this is the first Palo Alto Networks appliance you are registering and you do not yet have a login:
  a. Click Register on the right side of the page, enter your Email Address, enter the code displayed on the page,
     and click Submit.
  b. Complete the fields in the Create Contact Details section.
  c. Enter a Display Name, Confirm Email Address, and Password/Confirm Password.
  d. Enter the Panorama Device Serial Number or Auth Code.
  e. Enter your Sales Order Number or Customer ID.
  f. Click Submit.
• If you already have a support account:
  a. Log in to the Support site, click the Assets tab, and click Register New Device.
  b. Enter the Panorama Device Serial Number.
  c. Enter your City, Postal Code, and Country.
  d. Click Submit.

Activate a Panorama Support License
Before activating a Panorama support license on a Panorama M-100 appliance or Panorama virtual appliance,
you must Register Panorama.
Activate a Panorama Support License

1. Select Panorama > Support and click Activate feature using authorization code.
2. Enter the Authorization Code and click OK.
3. Verify that the subscription is activated.


Activate/Retrieve a Device Management License on the Panorama Virtual
Appliance
Before activating and retrieving a device management license on the Panorama virtual appliance, you must
Register Panorama. If you are running an evaluation license and want to apply a license that you purchased, you
must still register and activate/retrieve the purchased license.
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance

1. Select Panorama > Setup > Management and edit the General Settings.
2. Enter the Panorama Serial Number (included in the order fulfillment email) and click OK.
3. Click Commit, select Panorama as the Commit Type, then click OK.
To determine how many firewalls a license enables the Panorama virtual appliance to manage, log in to the
Palo Alto Support website (https://support.paloaltonetworks.com), select the Assets tab, find the Panorama
device, and view the Model Name. For example, a license for the PAN-PRA-25 model can manage 25 devices.
This page also displays the Expiration Date and other license information.

Activate/Retrieve a Device Management License on the M-100 Appliance
Before activating and retrieving a Panorama device management license on the M-100 appliance:
• Register Panorama.
• Locate the authorization codes for the product/subscription you purchased. When you placed your order, Palo Alto
  Networks Customer Service sent you an email that listed the auth-code associated with the purchase. If you cannot
  locate this email, contact Customer Support to obtain your codes before proceeding.

After you activate and retrieve the license, the Panorama > Licenses page displays the associated issuance date,
expiration date, and the number of devices that the license enables Panorama to manage.

To activate and retrieve the license, the options are:
Activate/Retrieve a Device Management License on the M-100 Appliance

• Use the web interface to activate and retrieve the license.
  Select this option if Panorama is ready to connect to the Palo Alto Networks update server (you completed the task
  Perform Initial Configuration of the M-100 Appliance) but you have not activated the license on the Palo Alto
  Networks Support website.
  1. Select Panorama > Licenses and click Activate feature using authorization code.
  2. Enter the Authorization Code and click OK. Panorama retrieves and activates the license.

• Retrieve the license key from the license server.
  If Panorama is not ready to connect to the update server (for example, you have not completed the initial M-100
  appliance setup), you can activate the license on the Support website so that, when Panorama is ready to connect,
  you can then use the web interface to retrieve the activated license. The process of retrieving an activated
  license is faster than the process of both retrieving and activating.
  1. Activate the license on the Palo Alto Networks Support website.
     a. On a host with Internet access, access the Palo Alto Support website (https://support.paloaltonetworks.com)
        in a browser and log in.
     b. In the Assets tab, find your M-100 appliance and, in the Action column, click the edit icon.
     c. Enter the Authorization Code and click Add to activate the license.
  2. Configure Panorama to connect to the update server: see Perform Initial Configuration of the M-100 Appliance.
  3. Select Panorama > Licenses and click Retrieve license keys from the license server. Panorama retrieves the
     activated license.

• Manually upload the license from a host to Panorama. Panorama must have access to that host.
  If Panorama is set up (you completed the task Perform Initial Configuration of the M-100 Appliance) but does not
  have a connection to the update server, activate the license on the Support website, download it to a host that
  has a connection to the update server, then upload it to Panorama.
  1. Activate and download the license from the Palo Alto Networks Support website.
     a. On a host with Internet access, access the Palo Alto Support website (https://support.paloaltonetworks.com)
        in a browser and log in.
     b. In the Assets tab, find your M-100 appliance and, in the Action column, click the edit icon.
     c. Enter the Authorization Code and click Add to activate the license.
     d. In the Action column, click the download icon and save the license key file to the host.
  2. In the Panorama web interface, select Panorama > Licenses, click Manually upload license key and click Browse.
  3. Select the key file you downloaded to the host and click Open.
  4. Click OK to upload the activated license key.

© Palo Alto Networks, Inc.

Set Up Panorama

Install Content and Software Updates for Panorama

Install Content and Software Updates for Panorama
A valid support subscription enables access to the Panorama software image and Release Notes. To take
advantage of the latest fixes and security enhancements, it is a good idea to upgrade to the latest software update
or to the update version that your reseller or a Palo Alto Networks Systems Engineer recommends.
Depending on which content subscriptions the managed firewalls have, Panorama and the Log Collectors might
also require content updates. The procedure to install software and content updates depends on whether
Panorama has a direct connection to the Internet.
• Content Update Dependencies for Panorama and Log Collectors
• Install Updates for Panorama with Internet Connection
• Install Updates for Panorama without Internet Connection

Content Update Dependencies for Panorama and Log Collectors
If managing firewalls with additional subscriptions, such as Threat Prevention or WildFire, Panorama also
requires content updates for the Applications and Threats database. Your support subscription allows you to
obtain these updates. Firewalls reference the Applications and Threats database in policy configurations and use
the databases when generating reports. Firewalls use the databases to match the identifiers recorded in the logs
with the corresponding threat, URL, or application names. Therefore, to prevent a mismatch, Palo Alto
Networks recommends that you install the same Applications and Threats database version on Panorama and
on the managed firewalls.
Dedicated Log Collectors (M-100 appliances in Log Collector mode) also require content updates. When you
generate a report from Panorama or the managed firewalls, the Applications and Threats database is used to
retrieve metadata for processing the request. If you do not install the content databases on the dedicated Log
Collectors, the complete dataset required for the report might not be available and can result in an incomplete
or inaccurate display of information.

Install Updates for Panorama with Internet Connection
If Panorama has a direct connection to the Internet, perform the following steps to Install Content and Software Updates for Panorama.
Before upgrading a Panorama virtual appliance, ensure the ESX(i) host meets the minimum resource requirements listed under Setup Prerequisites for the Panorama Virtual Appliance.
If both Panorama and the firewalls it manages require upgrades, upgrade Panorama before upgrading the firewalls.
Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3.

Step 1  Check for, download, and install the latest content updates.
  You must install the content updates before the software updates. Also, you must install the Applications and Threats updates before the Antivirus and WildFire updates.
  1. Select Panorama > Dynamic Updates.
  2. Click Check Now to check for the latest updates. If the value in the Action column is Download, an update is available.
  3. Perform the following steps for each content type (Applications, Applications and Threats, Antivirus, and/or WildFire) for which you have a subscription:
     a. Click Download to obtain the desired version.
     b. Click the Install link in the Action column. When the installation completes, the Currently Installed column displays a check mark.

Step 2  Check for, download, and install the latest software update.
  1. Select Panorama > Software.
  2. Click Check Now to check for the latest update. If an update is available, the Action column displays a Download link.
  3. Review the Version column to determine the version to which you want to upgrade.
  4. In the Action column of the desired version, click Download. When the download completes, the value in the Action column changes to Install.
  5. Click Install.
  6. Reboot Panorama:
     • If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username/password you set during initial configuration.
     • Otherwise, select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.

Step 3  (Only required for a Panorama virtual appliance upgrading to Panorama 5.1 and later) Modify the settings on the Panorama virtual appliance.
  Important: Before powering on a Panorama virtual appliance that runs Panorama 5.1 or later, ensure that the ESX(i) host supports, and meets the minimum system requirements for, a 64-bit operating system (OS). See Setup Prerequisites for the Panorama Virtual Appliance for more information.
  After Panorama reboots, complete the following tasks:
  1. Power off the virtual appliance.
  2. Right click and select Edit Settings... to modify these parameters:
     a. On the Options tab, change the Guest Operating System from Other Linux (32-bit) to Other Linux (64-bit).
     b. On the Hardware tab, change the SCSI Controller from BusLogic Parallel to LSI Logic Parallel.
     c. On the Hardware tab, allocate Memory according to the number of managed firewalls:
        – Less than 10 managed firewalls: 4 GB
        – Between 10 and 50 managed firewalls: 8 GB
        – More than 50 managed firewalls: 16 GB
  3. Power on the virtual appliance.


Install Updates for Panorama without Internet Connection
If Panorama does not have a direct connection to the Internet, perform the following steps to Install Content and Software Updates for Panorama.
Before upgrading a Panorama virtual appliance, ensure the ESX(i) host meets the minimum resource requirements listed under Setup Prerequisites for the Panorama Virtual Appliance.
If both Panorama and the firewalls it manages require upgrades, upgrade Panorama before upgrading the firewalls.
Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3.

Step 1  Download the content and software updates to a host that has Internet access. Panorama must have access to the host.
  1. On a host with Internet access, access the Palo Alto Support website (https://support.paloaltonetworks.com) in a browser and log in.
  2. In the Resources section, click Dynamic Updates.
  3. In the section containing the desired content update, click Download and save the file to the host. Perform this step for each content type for which you have a subscription: Applications, Applications and Threats, Antivirus, and/or WildFire.
  4. Return to the main page of the Palo Alto Support website and, in the Resources section, click Software Updates.
  5. Review the Download column to determine the version to install. The filename format of the update package depends on the platform:
     • Panorama virtual appliance—Panorama-ESX-<release>.zip (for example, Panorama-ESX-6.1.0.zip)
     • Panorama M-100 appliance—Panorama-m-<release> (for example, Panorama-m-6.1.0)
  6. Click the filename and save the file to the host.

Step 2  Upload the content updates to Panorama.
  1. Log in to Panorama and select Panorama > Dynamic Updates.
  2. Perform the following steps for each content type for which you have a subscription:
     a. Click Upload and select the Type of content update:
        – Applications
        – Applications and Threats
        – Antivirus
        – WildFire
     b. Enter the path to the content update File on the host or click Browse to find it, then click OK.
     c. When the Status is Completed, click Close.

Step 3  Install the content updates.
  Perform these steps for each content type for which you have a subscription.
  You must install the content updates before the software updates. Also, you must install the Applications and Threats updates before the Antivirus and WildFire updates.
  1. In the Panorama > Dynamic Updates page, click Install From File.
  2. Select the Package Type:
     • Applications
     • Applications and Threats
     • Antivirus
     • WildFire
  3. Click OK and, when the Result is Succeeded, click Close.

Step 4  Upload the software update.
  1. In the Panorama > Software page, click Upload.
  2. Enter the path to the software update File on the host or click Browse to find it, then click OK.
  3. When the Result is Succeeded, click Close.

Step 5  Install the software update.
  1. In the Panorama > Software page, click Install From File.
  2. Select the Software File you just uploaded, then click OK.
  3. Reboot Panorama:
     • If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username/password you set during initial configuration.
     • Otherwise, select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.

Step 6  (Only required for a Panorama virtual appliance upgrading to Panorama version 5.1 and later) Modify the settings on the Panorama virtual appliance.
  Important: Before powering on a Panorama virtual appliance that runs version 5.1 or later, ensure that the ESX(i) host supports, and meets the minimum system requirements for, a 64-bit operating system (OS). See Setup Prerequisites for the Panorama Virtual Appliance for more information.
  After Panorama reboots, complete the following tasks:
  1. Power off the virtual appliance.
  2. Right click and select Edit Settings... to modify these parameters:
     a. On the Options tab, change the Guest Operating System from Other Linux (32-bit) to Other Linux (64-bit).
     b. On the Hardware tab, change the SCSI Controller from BusLogic Parallel to LSI Logic Parallel.
     c. On the Hardware tab, allocate Memory according to the number of managed firewalls:
        – Less than 10 managed firewalls: 4 GB
        – Between 10 and 50 managed firewalls: 8 GB
        – More than 50 managed firewalls: 16 GB
  3. Power on the virtual appliance.

Access and Navigate Panorama Management Interfaces
Panorama provides three management interfaces:
• Web Interface—The Panorama web interface is purposefully designed with a similar look and feel to the firewall web interface. If you are already familiar with the latter, you can navigate, complete administrative tasks, and generate reports from the Panorama web interface with relative ease. This graphical interface allows you to access Panorama using HTTPS and it is the best way to perform administrative tasks. See Log in to the Panorama Web Interface and Navigate the Panorama Web Interface. If you need to enable HTTP access to Panorama, edit the Management Interface Settings on the Panorama > Setup > Management tab.
• Command Line Interface—The Command Line Interface is a no-frills interface that allows you to type through the commands in rapid succession to complete a series of tasks. The CLI supports two command modes—operational and configuration—and each mode has its own hierarchy of commands and statements. When you get familiar with the nesting structure and the syntax for the commands, the CLI allows quick response times and offers administrative efficiency. See Log in to the Panorama CLI.
• XML API—The XML-based API is provided as a web service that is implemented using HTTP/HTTPS requests and responses. It allows you to streamline your operations and integrate with existing, internally developed applications and repositories. For information on how to use the Panorama API interface, refer to the PAN-OS and Panorama XML API Usage Guide.
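The XML API described above, applied to the two version rules stated earlier in this chapter (install the same Applications and Threats version on Panorama and on the managed firewalls; Panorama 6.1 and later cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3), as an added example that is not code from this guide or from Palo Alto Networks. It assumes the API's documented request shape (type=keygen to obtain an API key, type=op with an XML command such as show system info) and parses constructed sample responses embedded in the script instead of contacting a device; the hostnames, serial numbers and version strings are placeholders.

```python
"""Panorama XML API request builder and version-compatibility check.

Added example; not code from the Panorama Administrator's Guide or from
Palo Alto Networks. Assumes the documented XML API request shape
(type=keygen for an API key, type=op with an XML <cmd> for operational
commands). Hostnames, serials and versions below are constructed.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SHOW_SYSTEM_INFO = "<show><system><info/></system></show>"


def keygen_url(host, user, password):
    """URL that requests an API key (type=keygen). The credentials travel in
    the query string, so this request belongs on HTTPS only."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "keygen", "user": user, "password": password})


def op_url(host, key, cmd_xml=SHOW_SYSTEM_INFO):
    """URL for an operational command (type=op) authenticated with an API key."""
    return f"https://{host}/api/?" + urlencode(
        {"type": "op", "cmd": cmd_xml, "key": key})


def parse_system_info(xml_text):
    """Extract hostname, serial, sw-version and app-version from a
    'show system info' response; raise ValueError on an API error status."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API error: " + "".join(root.itertext()).strip())
    system = root.find("./result/system")
    if system is None:
        raise ValueError("response has no <system> element")
    return {tag: system.findtext(tag)
            for tag in ("hostname", "serial", "sw-version", "app-version")}


def parse_version(text):
    """'6.0.3' -> (6, 0, 3); a hotfix suffix such as '-h1' is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def check_compatibility(panorama, firewalls):
    """Apply two rules from the guide and return a list of findings:
    1. Panorama 6.1+ cannot push configurations to PAN-OS 6.0.0 through 6.0.3.
    2. The Applications and Threats version should match between Panorama and
       each firewall so that log identifiers resolve to the same names."""
    findings = []
    pan_sw = parse_version(panorama["sw-version"])
    for fw in firewalls:
        fw_sw = parse_version(fw["sw-version"])
        if pan_sw >= (6, 1) and (6, 0, 0) <= fw_sw <= (6, 0, 3):
            findings.append("%s: PAN-OS %s cannot receive pushes from Panorama %s"
                            % (fw["hostname"], fw["sw-version"], panorama["sw-version"]))
        if fw["app-version"] != panorama["app-version"]:
            findings.append("%s: Applications and Threats %s differs from Panorama %s"
                            % (fw["hostname"], fw["app-version"], panorama["app-version"]))
    return findings


def _system_info_xml(hostname, serial, sw, app):
    """Build a constructed 'show system info' response for offline use."""
    return ("<response status=\"success\"><result><system>"
            f"<hostname>{hostname}</hostname><serial>{serial}</serial>"
            f"<sw-version>{sw}</sw-version><app-version>{app}</app-version>"
            "</system></result></response>")


# Constructed sample responses; no real device was queried.
SAMPLE_PANORAMA = _system_info_xml("Panorama-1", "000700000001", "6.1.0", "470-2389")
SAMPLE_FIREWALLS = [
    _system_info_xml("fw-dc-1", "001606000001", "6.0.2", "470-2389"),   # too old to push to
    _system_info_xml("fw-dc-2", "001606000002", "6.1.0", "468-2370"),   # content mismatch
    _system_info_xml("fw-branch", "001606000003", "6.0.5", "470-2389"), # compatible
]
SAMPLE_ERROR = ('<response status="error"><msg><line>Invalid credentials.'
                '</line></msg></response>')


def run_check(panorama_xml=SAMPLE_PANORAMA, firewall_xmls=SAMPLE_FIREWALLS):
    """Parse the responses and return the findings (an empty list means compatible)."""
    panorama = parse_system_info(panorama_xml)
    firewalls = [parse_system_info(x) for x in firewall_xmls]
    return check_compatibility(panorama, firewalls)


if __name__ == "__main__":
    print(op_url("panorama.example.net", "<api-key>"))
    for finding in run_check():
        print(finding)
```

In a real deployment the script would fetch each response with the URL from op_url and an API key obtained once through keygen_url; the key, not the password, is what gets stored and reused, and the checks run before a Panorama commit is pushed so that a firewall the guide says cannot receive configuration is caught up front rather than at commit time.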

Log in to the Panorama Web Interface

Step 1  Log in to the Panorama web interface.
  Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).

Step 2  (Optional) Enable HTTP and SSH access.
  1. Select Panorama > Setup > Management and edit the Management Interface Settings.
  2. Select which management services to allow on the interface. For example, select HTTP and SSH.
  3. Click OK.

Navigate the Panorama Web Interface
Use the Panorama web interface to configure Panorama, manage and monitor the managed firewalls and Log
Collectors, and to access the web interface of each managed firewall using the Device Context. Refer to the
online help on Panorama for details on the options in each tab in the web interface.
The Panorama web interface includes the following tabs:

Dashboard
  View general information about the Panorama model and network access settings. This tab includes widgets that display information about applications, logs, system resources, and system settings.

ACC
  View the overall risk and threat level on the network, based on information that Panorama gathered from the managed firewalls.

Monitor
  View and manage logs and reports.

Panorama
  Configure Panorama, manage licenses, set up high availability, access software updates and security alerts, manage administrative access, and manage the deployed firewalls and Log Collectors.

Device Groups > Policies
  Create centralized policies and apply the configuration to multiple firewalls/device groups. You must Add a Device Group for this tab to display.

Device Groups > Objects
  Define policy objects that can be referenced in policy and shared across all managed firewalls/device groups. You must Add a Device Group for this tab to display.

Templates > Network
  Configure network settings, such as network profiles, that can be applied to the managed firewalls. You must Add a Template for this tab to display.

Templates > Device
  Configure device settings, such as server profiles and admin roles, that can be applied to the managed firewalls. You must Add a Template for this tab to display.

Log in to the Panorama CLI
You can log in to the Panorama CLI using a serial port connection or access remotely using an SSH client.

Log in to the Panorama CLI

• Use SSH to log in to the Panorama CLI.
  The same instructions apply for an M-100 appliance in Log Collector mode.
  1. Make sure that you have the following:
     • A computer with network access to Panorama
     • Panorama IP address
     • SSH is enabled on the Management interface. To enable SSH access, see (Optional) Enable HTTP and SSH access.
  2. To access the CLI using SSH:
     a. Enter the Panorama IP address in the SSH client and use port 22.
     b. Enter your administrative access credentials when prompted. After successfully logging in, the CLI prompt displays in operational mode. For example:
        [email protected]_Sydney>
     To enable key-based authentication, see Enable SSH Key-Based Authentication for the CLI.

• Change to configuration mode.
  To go into configuration mode, enter the following command at the prompt:
        [email protected]_Sydney> configure
  The prompt changes to [email protected]_Sydney#

• Use a serial port connection to log in to the Panorama CLI.
  1. Make sure that you have the following:
     • A null-modem serial cable that connects Panorama to a computer with a DB-9 serial port
     • A terminal emulation program running on the computer
  2. Use the following settings in the terminal emulation software to connect: 9600 baud; 8 data bits; 1 stop bit; No parity; No hardware flow control.
  3. Enter your administrative access credentials when prompted.

Set Up Administrative Access to Panorama
By default, Panorama includes a default administrative account (admin), with full read-write access to all the
functionality on Panorama. As a best practice, create a separate administrative account for each person who
needs access to the administrative or reporting functions of Panorama. This prevents unauthorized
configuration (or modification) and enables logging of the actions of each individual administrator.
Panorama allows you to define and restrict access as broadly or granularly as required, depending on the security
requirements within your organization. For example, you may decide that a datacenter administrator can have
access to all the device and networking configuration, while a security administrator can have control over
security policy definition, the log viewer and reporting, and other key individuals can have limited CLI or XML
API access.
You cannot add an administrative account to an M-100 appliance in Log Collector mode. Only the
default administrative user account with the default username admin is available.

The following topics describe how to configure administrative accounts and set up basic administrative access. For information on the different options available to authenticate administrative users, see Administrative Authentication.
• Create an Administrative Account
• Define an Access Domain
• Create an Authentication Profile
• Define an Authentication Sequence
• Configure Administrative Authentication

Create an Administrative Account
An administrative user must have an account and be assigned to a role. The role defines the type of access the
associated administrator has to Panorama; you can assign the administrative user to a built-in Dynamic Role or
to a custom role (Admin Role Profile) that you define. If you plan to use Admin Role Profiles rather than
Dynamic Roles, create the profiles that define what type of access, if any, to give to the different sections of the
web interface, the CLI, and XML API for each administrator assigned to the role. For more information on
roles, see Administrative Roles.
For each administrative user you can also define the minimum password complexity, a password profile, and use
an authentication profile to use an external authentication service to validate the administrator’s credentials.
If you are defining role-based administrative access on Panorama, read-only access to the Device Groups and
Templates nodes must be provided in order for the administrators to commit their changes to Panorama. If you
are upgrading from an earlier version of Panorama, the upgrade process provides read-only access to the Device
Groups and Templates nodes.
The following example explains how to create a local administrator account with local authentication:

Create an Administrative Account: Local Account/Authentication

Step 1  Create an Admin Role profile.
  This step is only required if using custom roles instead of using the built-in Dynamic Roles available on Panorama.
  Complete the following steps for each role you want to create:
  1. Select Panorama > Admin Roles and then click Add.
  2. Select Panorama or Device Group and Template to define the scope of administrative privileges to assign. The access privileges defined for Panorama are enforced when the administrator logs in to Panorama; the Device Group and Template role enforces read-only access to the Managed Devices, Templates, and Device Groups nodes on the Panorama tab. Access to all other tabs can be modified as required.
     Read-only access to the Device Groups and/or Templates node(s) must be provided for a role-based administrator to commit device groups and/or template changes to the managed firewalls.
  3. For the Web UI and/or XML API tabs, set the access levels for each functional area of the interface by clicking the adjacent icon to toggle it to the desired setting (Enable, Read Only, or Disable):
     • For Panorama access, define access to the Web UI, XML API, and Command Line. The Command Line tab does not allow granular access. You must select a predefined option: superuser, superreader, Panorama-admin or None.
     • For access to firewalls (Device Group and Template), only one tab is available: Web UI. From Panorama, you cannot enable access to the CLI or XML API on a firewall because no predefined roles restrict access. Therefore, to prevent privilege-level escalation, the ability to manage access to the CLI and XML API is not available from Panorama.
  4. Enter a Name for the profile and then click OK to save it.

Step 2  (Optional) Set requirements for local user-defined passwords.
  • Create Password Profiles—Define how often administrators must change their passwords. Create multiple password profiles and apply them to administrator accounts as required to enforce security. To create a password profile, select Panorama > Password Profiles and then click Add.

Source: https://docshare.tips/panorama-adminguide_576db4edb6d87f8b4f8b4e83.html
Palo Alto Networks Panorama Demo

Manage Log Collection (Panorama Administrator’s Guide, Version 7.0)

Contact Information
Corporate Headquarters: Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA

About this Guide
This guide describes how to set up and use Panorama for centralized management; it is intended for administrators who want the basic framework to quickly set up the Panorama virtual appliance or the M-Series appliance for centralized administration of Palo Alto Networks firewalls. If you have an M-Series appliance, this guide takes over after you finish rack mounting your M-Series appliance.
For more information, refer to the following sources:
• For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal or search the documentation.
• For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
• For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to
• For the most current PAN-OS and Panorama 7.0 release notes, go to os/pan os release notes.html.
To provide feedback on the documentation, please write to us at:
Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 27,
Panorama 7.0 Administrator’s Guide

Manage Log Collection
All Palo Alto Networks next-generation firewalls can generate logs that provide an audit trail of firewall activities. For Centralized Logging and Reporting, you must forward the logs generated on the firewalls to Panorama. You can then configure Panorama to aggregate the logs and forward them to remote logging destinations.
If you forward logs to a Panorama virtual appliance, you don’t need to perform any additional tasks to enable logging. If you will forward logs to an M-Series appliance in Panorama mode or Log Collector mode, you must add the Log Collectors as managed collectors and assign them to Collector Groups to access, manage, and update the Log Collectors using Panorama. To determine which deployment best suits your needs, see Plan a Log Collection Deployment.
To manage the System and Config logs that Panorama generates locally, see Monitor Panorama.
• Configure a Managed Collector
• Manage Collector Groups
• Configure Log Forwarding to Panorama
• Verify Log Forwarding to Panorama
• Modify Log Forwarding and Buffering Defaults
• Configure Log Forwarding from Panorama to External Destinations
• Log Collection Deployments

Configure a Managed Collector
To enable the Panorama management server (Panorama virtual appliance or M-Series appliance in Panorama mode) to manage a Log Collector, you must add it as a managed collector. The M-Series appliance in Panorama mode has a predefined (default) local Log Collector. However, a Switch from Panorama Mode to Log Collector Mode would remove the local Log Collector and would require you to re-configure the appliance as a Dedicated Log Collector (M-Series appliance in Log Collector mode). When the Panorama management server has a high availability (HA) configuration, each HA peer can have a local Log Collector. Dedicated Log Collectors don’t support HA.
We recommend that you install the same Applications update on Panorama as on managed Collectors and firewalls. For details, see Panorama, Log Collector, and Firewall Version Compatibility.
We recommend retaining a local Log Collector and local Collector Group on the M-Series appliance in Panorama mode, regardless of whether it manages Dedicated Log Collectors.

Configure a Managed Collector

Step 1  Perform initial setup of the M-Series appliance in Log Collector mode if you haven’t already. Only Dedicated Log Collectors require this step.
  1. Rack mount the M-Series appliance. Refer to the M-100 or M-500 Hardware Reference Guide for instructions.
  2. Perform Initial Configuration of the M-Series Appliance. If the Log Collector will use the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces during initial configuration. By default, the Log Collector uses the management interface for these functions.
  3. Register Panorama and Install Licenses.
  4. Install Content and Software Updates for Panorama.
  5. Switch from Panorama Mode to Log Collector Mode. Switching the mode of an M-Series appliance deletes any existing log data and deletes all configurations except the management access settings. After the switch, the M-Series appliance retains CLI access but loses web interface access.
  6. (Optional) Increase Storage on the M-Series Appliance.

Step 2  Enable connectivity among the M-Series appliances.
  These steps vary by Log Collector type. For HA deployments, <IPaddress1> and <IPaddress2> are for the management interface of the primary and secondary Panorama management server respectively. For non-HA deployments, specify only <IPaddress1>.
  Dedicated Log Collectors: Run the following commands at the CLI of each Log Collector:
     > configure
     # set deviceconfig system panorama-server <IPaddress1>
     # set deviceconfig system panorama-server-2 <IPaddress2>
     # commit
  Local Log Collectors: These steps are required only for an HA deployment:
     a. Log into the CLI of the primary Panorama and enter:
        > configure
        # set deviceconfig system panorama-server <IPaddress2>
        # commit
     b. Log into the CLI of the secondary Panorama and enter:
        > configure
        # set deviceconfig system panorama-server <IPaddress1>
        # commit

Step 3  Record the serial number of the Log Collector. You will need this when you add the Log Collector as a managed collector.
  The steps to display the serial number vary by Log Collector type:
  • Local: Access the Panorama web interface and record the value on the Dashboard tab, General Information section, Serial # field. In an HA deployment, record the Serial # of each Panorama peer on which you will configure a Log Collector.
  • Dedicated: Access the Log Collector CLI, run the show system info command, and record the serial number.

Step 4  Configure the general settings of the Log Collector.
  Use the web interface of the primary Panorama management server to perform these steps:
  1. Select Panorama > Managed Collectors and Add a new Log Collector or edit the predefined local Log Collector (named default). Although the secondary Panorama HA peer has a predefined local Log Collector, you must manually add it on the primary Panorama.
  2. In the General tab, Collector S/N field, enter the serial number you recorded for the Log Collector.

Configure a Managed Collector (Continued)

Step 5 Configure network access for the Log Collector. Perform this step only for a Dedicated Log Collector or a local Log Collector on the secondary Panorama HA peer. Although you defined similar parameters during initial configuration of the Panorama management server, you must re-define the parameters for the Log Collector.
1. In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non-HA) or primary (HA) Panorama. For an HA deployment, enter the IP address or FQDN of the secondary Panorama peer in the Panorama Server IP 2 field. These fields are required.
2. Configure the IP addresses of the Primary DNS Server and Secondary DNS Server.
3. (Optional) Set the Timezone that Panorama will use to record log entries.

Step 6 Configure administrative access to the Log Collector CLI. Only Dedicated Log Collectors require this step. The default CLI administrator is admin. You cannot modify this username nor add CLI administrators.
1. Select the Authentication tab, select the password Mode, and enter the Password (the default is admin).
2. Enter the number of Failed Attempts to log in that Panorama allows before locking out the administrator. Enter the Lockout Time in minutes. These settings can help protect the Log Collector from a brute-force attack.

Step 7 Configure the Log Collector interfaces. Perform this step only for a Dedicated Log Collector or a local Log Collector on the secondary Panorama HA peer. The Eth1 or Eth2 interfaces are available only if you defined them during initial configuration of the Panorama management server.
1. Configure one or both of the following field sets (depending on the IP protocols of your network) on each tab associated with an interface that the Log Collector will use: Management, Eth1, and/or Eth2. The Management interface is required.
   - IPv4: IP Address, Netmask, and Default Gateway
   - IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
2. (Optional) In the Management tab, select the SNMP service if you will use SNMP to monitor the Log Collector. Using SNMP requires additional steps besides configuring the Log Collector. For details, see Monitor Panorama and Log Collector Statistics Using SNMP.
3. Return to the General tab and select the interfaces that the Log Collector will use for Device Log Collection and Collector Group Communication. The default is the management (mgmt) interface.

Step 8 (Optional) Enable any additional RAID disk pairs for logging. In the Disks tab, Add each additional disk pair. To enable additional disk pairs, you must have performed the task Increase Storage on the M-Series Appliance.

Step 9 Commit and verify your changes.
1. Click OK and Commit, for the Commit Type select Panorama, and click Commit again.
2. Verify that the Panorama > Managed Collectors page lists the Log Collector you added. The Connected column displays a check mark icon to indicate that the Log Collector is connected to Panorama.
3. If you enabled additional disk pairs, click the Statistics link in the last column to see their status.

Before a Log Collector can receive firewall logs, you must Configure Log Forwarding to Panorama and Configure a Collector Group. The predefined local Log Collector is preassigned to a predefined Collector Group.
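The Failed Attempts and Lockout Time settings in Step 6 are easy to set and easy to misjudge. The following is an added example, not PAN-OS code, that models what such a policy does: after the configured number of consecutive failures the account locks for the configured minutes, and during the lockout even the correct password is refused, so an online password-guessing attempt is capped at Failed Attempts guesses per Lockout Time window. The threshold (3) and lockout (15 minutes) are constructed values, the clock is injected so the behaviour can be tested, and the password hashing is only there so the example does not compare plaintext.

```python
"""Model of a CLI lockout policy (added example, not from the Panorama
guide or PAN-OS). Failed Attempts and Lockout Time are the two knobs the
guide exposes; everything else here is an assumption of the example."""
import hashlib
import hmac
import secrets
import time


class CliAuthPolicy:
    def __init__(self, password, failed_attempts, lockout_minutes, now=time.time):
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(password)
        self.failed_attempts = failed_attempts      # consecutive failures allowed
        self.lockout_seconds = lockout_minutes * 60  # Lockout Time, in minutes
        self._now = now                             # injectable clock for tests
        self._failures = 0
        self._locked_until = None

    def _hash(self, password):
        # Slow salted hash; a stand-in for however the appliance stores it.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def locked(self):
        return self._locked_until is not None and self._now() < self._locked_until

    def login(self, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        if self.locked():
            return "locked"          # correct password is refused while locked
        self._locked_until = None
        if hmac.compare_digest(self._hash(password), self._digest):
            self._failures = 0       # a success resets the failure counter
            return "ok"
        self._failures += 1
        if self._failures >= self.failed_attempts:
            self._failures = 0
            self._locked_until = self._now() + self.lockout_seconds
            return "locked"
        return "denied"


def demo():
    """Constructed walk-through: threshold 3, lockout 15 minutes."""
    clock = [0.0]
    policy = CliAuthPolicy("correct horse", 3, 15, now=lambda: clock[0])
    results = [policy.login("guess1"), policy.login("guess2"), policy.login("guess3")]
    results.append(policy.login("correct horse"))   # still locked
    clock[0] = 15 * 60                               # lockout window elapses
    results.append(policy.login("correct horse"))
    return results


if __name__ == "__main__":
    print(demo())
```

The counter is per account, and the guide notes the Log Collector has a single, unrenameable admin account, so a low Failed Attempts value with a long Lockout Time also makes it easy for anyone who can reach the management interface to lock out the legitimate administrator; restricting management-network access (the Management interface settings in Step 7) is the control that keeps both values workable.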

Manage Collector Groups

After you Configure a Managed Collector, you must assign it to a Collector Group and assign managed firewalls to the managed collector. This enables Panorama to access, manage, and update the managed collectors. The M-Series appliance in Panorama mode has a predefined (default) Collector Group that contains a predefined local managed collector. However, a Switch from Panorama Mode to Log Collector Mode would remove the local managed collector and Collector Group; you would have to re-configure the appliance as a Dedicated Log Collector (M-Series appliance in Log Collector mode) and manually add a managed collector and Collector Group.

You can configure a Collector Group with multiple managed collectors to ensure log redundancy or to accommodate logging rates that exceed the capacity of a single managed collector (see Panorama Platforms). To understand the risks and recommended mitigations, see Caveats for a Collector Group with Multiple Log Collectors.

If you delete a Collector Group, you will lose logs. We recommend retaining a local Log Collector and local Collector Group on the M-Series appliance in Panorama mode, regardless of whether it manages Dedicated Log Collectors.

- Configure a Collector Group
- Move a Log Collector to a Different Collector Group
- Remove a Firewall from a Collector Group

Configure a Collector Group

Step 1 Perform the following tasks before configuring the Collector Group. In these tasks, skip any steps that involve configuring or committing changes to the Collector Group; you will perform those steps later in the current procedure.
1. Add a Firewall as a Managed Device for each firewall that you will assign to the Collector Group.
2. (Optional) Configure Log Forwarding from Panorama to External Destinations.
3. Configure a Managed Collector for each Log Collector that you will assign to the Collector Group. You must manually add each Dedicated Log Collector (M-Series appliance in Log Collector mode). The M-Series appliance in Panorama mode has a predefined local Log Collector that you don't need to add. If you will use SNMP for monitoring, select the SNMP service when you configure the Management interface of a Log Collector. Using SNMP requires additional steps besides configuring the Collector Group. For details, see Monitor Panorama and Log Collector Statistics Using SNMP.

Configure a Collector Group (Continued)

Step 2 Add the Collector Group.
1. Access the Panorama web interface, select Panorama > Collector Groups, and Add a Collector Group or edit an existing one. The M-Series appliance in Panorama mode has a predefined Collector Group named default.
2. In the General tab, enter a Name for the Collector Group if you are adding one. You cannot rename an existing Collector Group.
3. Enter the Minimum Retention Period in days (1-2,000) for which the Collector Group will retain firewall logs.
4. (Optional) Select the Enable log redundancy across collectors check box to ensure that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. If you add multiple Log Collectors to a single Collector Group, enabling redundancy is a best practice. Enabling redundancy creates more logs and therefore requires more storage capacity. When a Collector Group runs out of space, it deletes older logs. Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.

Step 3 (Optional) Configure SNMP monitoring. Select Monitoring, select the SNMP Version and enter the corresponding details:
- V2c: Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices (Log Collectors, in this case), and serves as a password to authenticate the community members to each other. Don't use the default community string public; it is well known and therefore not secure.
- V3: Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when Log Collectors forward traps and SNMP managers get Log Collector statistics.
  - Views: Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB. Click Add in the first list and enter a Name for the group of views. For each view in the group, click Add and configure the view Name, OID, matching Option (include or exclude), and Mask.
  - Users: Click Add in the second list, enter a username in the Users column, select the View group from the drop-down, enter the authentication password (Auth Password) used to authenticate to the SNMP manager, and enter the privacy password (Priv Password) used to encrypt SNMP messages to the SNMP manager.
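The OID/mask pairing in the Views description is the standard SNMPv3 VACM view-family rule (RFC 3415), and getting the mask wrong silently widens or narrows what an SNMP user can read. The following added example, which is not code from the guide or from PAN-OS, implements that rule so a view group can be checked before it is committed: the Mask is read as hex digits, most significant bit first; a 1 bit fixes the corresponding sub-identifier of the view OID, a 0 bit makes it a wildcard, and bits past the end of the mask count as 1. When several views of a group match a requested OID, the longest view OID wins (ties go to the greater mask) and its include/exclude Option decides. The view group at the bottom is constructed for illustration.

```python
"""SNMPv3 VACM view matching for an OID/mask/option view group (added
example, not from the Panorama guide). Implements RFC 3415 view-family
semantics; the sample view group below is constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class View:
    name: str
    oid: str        # dotted view subtree, e.g. "1.3.6.1.2.1"
    option: str     # "include" or "exclude"
    mask: str = ""  # hex digits, e.g. "ffa"; empty mask = every sub-id fixed


def parse_oid(oid: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in oid.strip(".").split("."))


def mask_bits(mask: str, length: int) -> List[int]:
    """Expand the hex mask to one bit per sub-identifier of the view OID."""
    bits: List[int] = []
    for digit in mask:
        value = int(digit, 16)
        bits.extend((value >> shift) & 1 for shift in (3, 2, 1, 0))
    bits.extend([1] * max(0, length - len(bits)))  # bits past the mask are 1
    return bits[:length]


def in_subtree(view: View, requested: str) -> bool:
    """True if the requested OID lies in the view subtree under its mask."""
    sub, target = parse_oid(view.oid), parse_oid(requested)
    if len(target) < len(sub):
        return False
    bits = mask_bits(view.mask, len(sub))
    return all(bit == 0 or s == t for bit, s, t in zip(bits, sub, target))


def is_accessible(views: Iterable[View], requested: str) -> bool:
    """Most specific matching view decides; no match means not accessible."""
    matching = [v for v in views if in_subtree(v, requested)]
    if not matching:
        return False
    best = max(matching, key=lambda v: (len(parse_oid(v.oid)),
                                        mask_bits(v.mask, len(parse_oid(v.oid)))))
    return best.option == "include"


# Constructed view group: expose MIB-2, hide its IP group and the whole
# ifTable, then re-include only ifTable row 3. In "ffa" the tenth bit is 0,
# so the column sub-identifier (written as 0 in the view OID) is a wildcard
# and any column of interface row 3 matches.
SAMPLE_VIEWS = [
    View("mib2", "1.3.6.1.2.1", "include"),
    View("no-ip-group", "1.3.6.1.2.1.4", "exclude"),
    View("no-iftable", "1.3.6.1.2.1.2.2", "exclude"),
    View("if-row-3", "1.3.6.1.2.1.2.2.1.0.3", "include", mask="ffa"),
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0",        # sysDescr.0   -> accessible
                "1.3.6.1.2.1.4.1.0",        # ipForwarding -> excluded
                "1.3.6.1.2.1.2.2.1.10.3",   # ifInOctets.3 -> accessible
                "1.3.6.1.2.1.2.2.1.10.4"):  # ifInOctets.4 -> excluded
        print(oid, is_accessible(SAMPLE_VIEWS, oid))
```

Run it against the views you intend to enter before committing them; a view group that accidentally includes more than the Log Collector statistics the SNMP manager needs is the same class of over-exposure the guide warns about with the default community string.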

Configure a Collector Group (Continued)

Step 4 Assign Log Collectors and firewalls to the Collector Group.
1. Select the Device Log Forwarding tab.
2. In the Collector Group Members section, Add the Log Collectors.
3. In the Log Forwarding Preferences section, click Add.
4. In the Devices section, click Modify, select the firewalls, and click OK. You cannot assign PA-7050 firewalls to a Collector Group. However, when you monitor logs or generate reports for a device group that includes a PA-7050 firewall, Panorama queries the firewall in real time to display its log data.
5. In the Collectors section, Add the Log Collectors to which the firewalls will forward logs. If you assign multiple Log Collectors, the first one will be the primary; if the primary becomes unavailable, the firewalls send logs to the next Log Collector in the list. To change the priority of a Log Collector, select it and Move Up (higher priority) or Move Down (lower priority).
6. Click OK.

Step 5 Define the storage capacity (log quotas) and expiration period for each log type.
1. Return to the General tab and click the Log Storage value. If the field displays 0MB, verify that you enabled the disk pairs for logging and committed the changes (see Configure a Managed Collector, Disks tab).
2. Enter the log storage Quota(%) for each log type.
3. Enter the Max Days (expiration period) for each log type (range is 1-2,000). By default, the fields are blank for all log types, which means the logs never expire.

Step 6 (Optional) Configure log forwarding from the Collector Group to external services. To perform this step, you must have added server profiles for the external services in the task Configure Log Forwarding from Panorama to External Destinations. In a high availability (HA) deployment, you can configure each Panorama HA peer to forward logs to different external services. For details, see Deploy Panorama with Default Log Collectors.
1. Select the Collector Log Forwarding tab.
2. For each log Severity level in the System, Threat, and Correlation tabs, click a cell in the SNMP Trap Profile, Email Profile, or Syslog Profile column, and select the server profile.
3. In the Config, HIP Match, and Traffic tabs, select the SNMP Trap, Email, or Syslog server profile.
4. For each Verdict in the WildFire tab, click a cell in the SNMP Trap Profile, Email Profile, or Syslog Profile column, and select the server profile.
5. Click OK to save the Collector Group.

Configure a Collector Group (Continued)

Step 7 Commit the changes and verify that the Log Collectors you assigned to the Collector Group are connected to, and synchronized with, Panorama.
1. Click Commit, for the Commit Type select Panorama, and click Commit again.
2. Click Commit, for the Commit Type select Collector Group, select the Collector Group you added, and click OK.
3. Select Panorama > Managed Collectors. The Connected column displays a check mark icon to indicate that a Log Collector is connected to Panorama. The Configuration Status column indicates whether the configurations you committed to Panorama and the Log Collectors are synchronized (green icon) or are not synchronized (red icon) with each other.

The Collector Group won't receive firewall logs until you Configure Log Forwarding to Panorama.

Move a Log Collector to a Different Collector Group

When you Plan a Log Collection Deployment, you assign Log Collectors to a Collector Group based on the logging rate and log storage requirements of that Collector Group. If the rates and required storage increase in a Collector Group, the best practice is to Increase Storage on the M-Series Appliance or Configure a Collector Group with additional Log Collectors. However, in some deployments, it might be more economical to move Log Collectors between Collector Groups.

The log data on a Log Collector becomes inaccessible after you remove it from a Collector Group. Also, you must perform a factory reset on the Log Collector before adding it to another Collector Group; a factory reset removes all configuration settings and logs.

When a Log Collector is local to an M-Series appliance in Panorama mode, move it only if the M-Series appliance is the passive peer in a high availability (HA) configuration. HA synchronization will restore the configurations that the factory reset removes. Never move a Log Collector when it's local to an M-Series appliance that is the active HA peer.

Move a Log Collector to a Different Collector Group

Step 1 Remove the Log Collector from Panorama management.
1. Select Panorama > Collector Groups and select the Collector Group that contains the Log Collector you will move.
2. Select the Device Log Forwarding tab and, in the Log Forwarding Preferences list, perform the following steps for each set of firewalls assigned to the Log Collector you will move:
   a. In the Devices column, click the link for the firewalls assigned to the Log Collector.
   b. In the Collectors column, select the Log Collector and click Delete. To reassign the firewalls, Add the new Log Collector to which they will forward logs.
   c. Click OK twice to save your changes.
3. Select Panorama > Managed Collectors, select the Log Collector you will move, and click Delete.
4. Click Commit, for the Commit Type select Panorama, and click Commit again.
5. Click Commit, for the Commit Type select Collector Group, select the Collector Group from which you deleted the Log Collector, and click Commit again.

Step 2 Reset the Log Collector to its factory default settings. Do not interrupt the factory reset or reboot processes. Otherwise, you might render the M-Series appliance unusable.
1. Log in to the CLI of the Log Collector.
2. Enter the following CLI operational command:
   > debug system maintenance-mode
   The Log Collector takes approximately six minutes to reboot in maintenance mode.
3. After the Log Collector reboots, press Enter to access the maintenance mode menu.
4. Select Factory Reset and press Enter.
5. Select Factory Reset and press Enter again. The factory reset and subsequent reboot take approximately eight minutes in total, after which the Log Collector won't have any configuration settings or log data. The default username and password to log in to the Log Collector is admin/admin.

Step 3 Reconfigure the Log Collector.
1. Perform Initial Configuration of the M-Series Appliance.
2. Register Panorama and Install Licenses.
3. Install Content and Software Updates for Panorama.
4. Switch from Panorama Mode to Log Collector Mode.
5. Configure a Managed Collector.

Move a Log Collector to a Different Collector Group (Continued)

Step 4 Configure a Collector Group. Add the Log Collector to its new Collector Group and assign firewalls to the Log Collector. When you commit the Collector Group configuration, Panorama starts redistributing logs across the Log Collectors. This process can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced. In the Panorama > Collector Groups page, the Redistribution State column indicates the completion status of the process as a percentage.

Remove a Firewall from a Collector Group

In a distributed log collection deployment, where you have Dedicated Log Collectors, if you need a device to send logs to Panorama instead of sending logs to the Collector Group, you must remove the device from the Collector Group. When you remove the device from the Collector Group and commit the change, the device will automatically send logs to Panorama instead of sending them to a Log Collector.

To temporarily remove the log forwarding preference list on the device, you can delete it using the CLI on the device. You must, however, remove the assigned firewalls in the Collector Group configuration on Panorama. Otherwise, the next time you commit changes to the Collector Group, the device will be reconfigured to send logs to the assigned Log Collector.

Step 1 Select the Panorama > Collector Groups tab.
Step 2 Click the link for the desired Collector Group, and select the Log Forwarding tab.
Step 3 In the Log Forwarding Preferences section, select the device that you would like to remove from the list, click Delete, and click OK.
Step 4 Click Commit, for the Commit Type select Panorama, and click Commit again.
Step 5 Click Commit, for the Commit Type select Collector Group, select the Collector Group from which you removed the firewall, and click Commit again.

Configure Log Forwarding to Panorama

By default, firewalls store all log files locally. To aggregate logs on Panorama, you must configure the firewalls to forward logs to Panorama. Before starting this procedure, you must Add a Device Group and Add a Template for the firewalls that will forward logs. To forward firewall logs directly to external services (for example, a syslog server) and also to Panorama, see Configure Log Forwarding. For details about all the log collection deployments that Panorama supports, see Log Forwarding Options.

The PA-7000 Series firewall can't forward logs to Panorama, only to external services. However, when you monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real time to display its log data.

If Panorama will manage firewalls running software versions earlier than PAN-OS 7.0, specify a WildFire server from which Panorama can gather analysis information for WildFire samples that those firewalls submit. Panorama uses the information to complete WildFire Submissions logs that are missing field values introduced in PAN-OS 7.0. Firewalls running earlier releases won't populate those fields. To specify the server, select Panorama > Setup > WildFire, edit the General Settings, and enter the WildFire Server name. The default is wildfire-public-cloud, which is the WildFire cloud hosted in the United States.

Step 1 Create a log forwarding profile. The profile defines the destination of Traffic, Threat, and WildFire logs. (Threat logs include URL Filtering and Data Filtering logs.)
1. Select Objects > Log Forwarding and select the Device Group of the firewalls that will forward logs.
2. Click Add and enter a Name to identify the profile.
3. For each log type and each severity level or WildFire verdict, select the Panorama check box.
4. Click OK to save the profile.

Step 2 Assign the log forwarding profile to security rules. To trigger log generation and forwarding, the rules require certain security profiles according to log type:
- Traffic logs: No security profile is necessary; the traffic only needs to match a specific security rule.
- Threat logs: The traffic must match any security profile assigned to a security rule.
- WildFire logs: The traffic must match a WildFire Analysis profile assigned to a security rule.
Perform the following steps for each rule that will trigger log forwarding:
1. Select the rulebase of the rule that will trigger log forwarding (for example, Policies > Security > Pre Rules), select the Device Group of the firewalls that will forward logs, and select the rule.
2. Select the Actions tab and select the Log Forwarding profile you just created.
3. In the Profile Type drop-down, select Profiles or Group, and then select the security profiles or Group Profile required to trigger log generation and forwarding.
4. For Traffic logs, select one or both of the Log At Session Start and Log At Session End check boxes, and click OK.

Configure Log Forwarding to Panorama (Continued)

Step 3 Configure the destination of System, Config, and HIP Match logs. You cannot forward Correlation logs (correlated events) from the firewalls to Panorama. On the logs that are forwarded from your managed firewalls, Panorama matches for the conditions specified in the correlation objects and automatically generates correlated event(s) when a match is observed. If you want, you can then forward these correlated events (Correlation logs) from Panorama to an external syslog server.
1. Select Device > Log Settings and select the Template of the firewalls that will forward logs.
2. For System logs, click each Severity level, select the Panorama check box, and click OK.
3. For Config and HIP Match logs, click the edit icon, select the Panorama check box, and click OK.

Step 4 (M-Series appliances only) Configure Panorama to receive the logs.
1. For each Log Collector that will receive logs, Configure a Managed Collector.
2. Configure a Collector Group, in which you assign firewalls to specific Log Collectors for log forwarding.

Step 5 Commit your configuration changes.
1. Click Commit, for the Commit Type select Panorama, and click Commit again.
2. Click Commit, for the Commit Type select Device Group, select the device group of the firewalls that will forward logs, select the Include Device and Network Templates check box, and click Commit again.
3. Click Commit, for the Commit Type select Collector Group, select the Collector Group you just configured to receive the logs, and click Commit again.
4. Verify Log Forwarding to Panorama to confirm that your configuration is successful.

To change the log forwarding mode that the firewalls use to send logs to Panorama and to specify which Panorama HA peer can receive logs, you can Modify Log Forwarding and Buffering Defaults. You can also Manage Storage Quotas and Expiration Periods for Logs and Reports.

Verify Log Forwarding to Panorama

After you Configure Log Forwarding to Panorama, test that your configuration succeeded.

Step 1 Access the firewall CLI.

Step 2 If you configured Log Collectors, verify that each firewall has a log forwarding preference list.
> show log-collector preference-list
If the Collector Group has only one Log Collector, the output will look something like this:
Log collector Preference List
Serial Number:
IP Address:

Step 3 Verify that each firewall is forwarding logs.
> show logging-status device <firewall-serial-number>
For successful forwarding, the output indicates that the log forwarding agent is active. For a Panorama virtual appliance, the agent is Panorama. For an M-Series appliance, the agent is a Log Collector.

Step 4 View the average logging rate. The displayed rate will be the average logs/second for the last five minutes.
- If Log Collectors receive the logs, access the Panorama web interface, select Panorama > Managed Collectors and click the Statistics link in the far right column.
- If a Panorama virtual appliance receives the logs, access the Panorama CLI and run the following command:
  debug log-collector log-collection-stats show incoming-logs
  This command also works on an M-Series appliance.

Modify Log Forwarding and Buffering Defaults

You can define the log forwarding mode that the firewalls use to send logs to Panorama and, when configured in a high availability (HA) configuration, specify which Panorama peer can receive logs. To access these options, select Panorama > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.

Define the log forwarding mode on the firewall: The firewalls can forward logs to Panorama (pertains to both the M-Series appliance and the Panorama virtual appliance) in either Buffered Log Forwarding mode or in the Live Mode Log Forwarding mode.

Logging Option: Buffered Log Forwarding from Device (Default: Enabled). It is a best practice to select the Buffered Log Forwarding from Device option.
Description: Allows each managed firewall to buffer logs and send the logs at 30-second intervals to Panorama (not user configurable). Buffered log forwarding is very valuable when the firewall loses connectivity to Panorama. The firewall buffers log entries to its local hard disk and keeps a pointer to record the last log entry that was sent to Panorama. When connectivity is restored the firewall resumes forwarding logs from where it left off. The disk space available for buffering depends on the log storage quota for the platform and the volume of logs that are pending roll over. If the firewall was disconnected for a long time and the last log forwarded was rolled over, all the logs from its local hard disk will be forwarded to Panorama on reconnection. If the available space on the local hard disk of the firewall is consumed, the oldest entries are deleted to allow logging of new events.

Logging Option: Live Mode Log Forwarding from Device. This option is enabled when the check box for Buffered Log Forwarding from Device is cleared.
Description: In live mode, the managed firewall sends every log transaction to Panorama at the same time as it records it on the firewall.

Define log forwarding preference on a Panorama virtual appliance that is in a high availability (HA) configuration:
- When logging to a virtual disk, enable logging to the local disk on the active primary Panorama peer only. By default, both Panorama peers in the HA configuration receive logs.
- When logging to an NFS, enable the firewalls to send only newly generated logs to a secondary Panorama peer, which is promoted to primary, after a failover.

Logging Option: Only Active Primary Logs to Local Disk (Default: Disabled)
Pertains to: Panorama virtual appliance that is logging to a virtual disk and is set up in a high availability (HA) configuration.
Description: Allows you to configure only the active primary Panorama peer to save logs to the local disk.

Logging Option: Get Only New Logs on Convert to Primary (Default: Disabled)
Pertains to: Panorama virtual appliance that is mounted to a Network File System (NFS) datastore and is set up in a high availability (HA) configuration.
Description: With NFS logging, when you have a pair of Panorama servers configured in a high availability configuration, only the primary Panorama peer mounts the NFS datastore. Therefore, the firewalls can only send logs to the primary Panorama peer, which can write to the NFS datastore. When an HA failover occurs, the Get Only New Logs on Convert to Primary option allows an administrator to configure the managed firewalls to send only newly generated logs to Panorama. This event is triggered when the priority of the active secondary Panorama is promoted to primary and it can begin logging to the NFS. This behavior is typically enabled to prevent the firewalls from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time.
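The buffered-forwarding description above and the Get Only New Logs on Convert to Primary option both come down to what happens to the firewall's "last entry sent" pointer around an outage. The following is an added simulation, not PAN-OS code, that models exactly the behaviour the two descriptions state: the local store drops its oldest entries when full, a reconnect resumes from the pointer, a pointer whose entry has rolled over causes the whole local store to be sent, and the NFS failover option moves the pointer past the backlog so only newly generated logs reach the new primary. Store capacity, entry counts and the 30-second batching (collapsed here into one `flush()` call) are constructed parameters; what matters for log-retention planning is which sequence numbers arrive, and which are lost for good.

```python
"""Simulation of buffered log forwarding, pointer rollover and the
Get Only New Logs on Convert to Primary option (added example, not from
the Panorama guide or PAN-OS). Capacity and counts are constructed."""
from collections import deque


class FirewallLogStore:
    def __init__(self, capacity):
        self.capacity = capacity       # local disk space, in entries (constructed)
        self.entries = deque()         # (seq, message), oldest first
        self.next_seq = 0
        self.last_sent = -1            # pointer: seq of last entry sent to Panorama

    def record(self, message):
        if len(self.entries) >= self.capacity:
            self.entries.popleft()     # disk full: oldest entry is deleted
        self.entries.append((self.next_seq, message))
        self.next_seq += 1

    def pending(self):
        """Entries the next buffered send would carry."""
        if not self.entries:
            return []
        oldest_seq = self.entries[0][0]
        if self.last_sent < oldest_seq:
            # The last log forwarded has rolled over: everything on disk goes.
            return list(self.entries)
        return [e for e in self.entries if e[0] > self.last_sent]

    def flush(self, connected=True):
        """One buffered send; nothing leaves while Panorama is unreachable."""
        if not connected:
            return []
        batch = self.pending()
        if batch:
            self.last_sent = batch[-1][0]   # resume point for the next send
        return batch

    def convert_to_new_primary(self, only_new_logs):
        """HA failover to the other peer. With Get Only New Logs on Convert
        to Primary enabled, the backlog is skipped, not replayed."""
        if only_new_logs:
            self.last_sent = self.next_seq - 1


def simulate_outage(capacity, logged_before, logged_during, only_new_logs=False):
    """Return the sequence numbers Panorama receives after reconnection."""
    fw = FirewallLogStore(capacity)
    for i in range(logged_before):
        fw.record(f"before-{i}")
    fw.flush()                          # connected: fully caught up
    for i in range(logged_during):
        fw.record(f"during-{i}")
    fw.flush(connected=False)           # outage: entries accumulate on disk
    fw.convert_to_new_primary(only_new_logs)
    fw.record("after-reconnect")
    return [seq for seq, _ in fw.flush()]


if __name__ == "__main__":
    print("resume from pointer:   ", simulate_outage(100, 5, 10))
    print("pointer rolled over:   ", simulate_outage(8, 5, 10))
    print("only new logs on NFS HA:", simulate_outage(100, 5, 10, only_new_logs=True))
```

The second case is the one worth sizing for: with a local store of eight entries, entries 5, 6 and 7 generated during the outage are gone before the link returns, and no setting on Panorama recovers them. The third case shows the trade the NFS option makes explicit: the secondary peer takes over cleanly, at the price of the ten entries that were buffered during the failover.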

Configure Log Forwarding from Panorama to External Destinations

Panorama enables you to forward logs to external servers, including syslog, email, and SNMP trap servers. Forwarding firewall logs from Panorama reduces the load on the firewalls and provides a reliable and streamlined approach to forwarding logs to remote destinations. You can also forward logs that Panorama and its managed collectors generate. To forward firewall logs directly to external services and also to Panorama, see Configure Log Forwarding. For details about all the log collection deployments that Panorama supports, see Log Forwarding Options.

On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP server and import it to another Panorama virtual appliance. A Panorama virtual appliance running Panorama 6.0 or later releases, and M-Series appliances running any release, do not support these options because the log database on those platforms is too large for an export or import to be practical.

Step 1 Configure the firewalls to forward logs to Panorama. Configure Log Forwarding to Panorama.

Step 2 Configure a server profile for each external service that will receive log data.
1. Select Panorama > Server Profiles and select the type of server that will receive the log data: SNMP Trap, Syslog, or Email.
2. Configure the server profile. Optionally, you can configure separate profiles for different log types and severity levels or WildFire verdicts.
   - Configure an SNMP Trap server profile. For details on how Simple Network Management Protocol (SNMP) works for Panorama and Log Collectors, refer to SNMP for Palo Alto Networks Devices.
   - Configure a Syslog server profile. If the syslog server requires client authentication, use the Panorama > Certificate Management > Certificates page to create a certificate for securing syslog communication over SSL.
   - Configure an Email server profile.

Step 3 Configure the destinations for:
- Firewall logs that a Panorama virtual appliance collects.
- Logs that Panorama (a virtual appliance or M-Series appliance) and managed collectors generate.
1. Select Panorama > Log Settings.
2. For System, Correlation, and Threat logs, click each Severity level, select the SNMP Trap, Email, or Syslog server profile you just created, and click OK.
3. For WildFire logs, click each Verdict, select the SNMP Trap, Email, or Syslog server profile you just created, and click OK.
4. For Config, HIP Match, and Traffic logs, click the edit icon, select the SNMP Trap, Email, or Syslog server profile you just created, and click OK.

Configure Log Forwarding from Panorama to External Destinations (Continued)

Step 4 (M-Series appliance only) Configure the destinations for firewall logs that an M-Series appliance in Panorama or Log Collector mode collects. Each Collector Group can forward logs to different destinations. If the Log Collectors are local to a high availability (HA) pair of M-Series appliances in Panorama mode, you must log into each HA peer to configure log forwarding for its Collector Group.
1. Select Panorama > Collector Groups and select the Collector Group that receives the firewall logs.
2. Select the Collector Log Forwarding tab.
3. For each log Severity level in the System, Threat, and Correlation tabs, click a cell in the SNMP Trap Profile, Email Profile, or Syslog Profile column, and select the server profile you just created.
4. In the Config, HIP Match, and Traffic tabs, select the SNMP Trap, Email, or Syslog server profile you just created.
5. For each Verdict in the WildFire tab, click a cell in the SNMP Trap Profile, Email Profile, or Syslog Profile column, and select the server profile you just created.
6. Click OK to save your changes to the Collector Group.

Step 5 (SNMP trap forwarding only) Enable your SNMP manager to interpret traps. Load the Supported MIBs for Palo Alto Networks devices and, if necessary, compile them. For the specific steps, refer to the documentation of your SNMP manager.

Step 6 (Syslog forwarding only) If the syslog server requires client authentication, and the firewalls forward logs to M-Series appliances in Log Collector mode, assign a certificate that secures syslog communication over SSL. Perform the following steps for each M-Series appliance in Log Collector mode:
1. Select Panorama > Managed Collectors and select the Log Collector.
2. In the General tab, select the Certificate for Secure Syslog, and click OK.

Step 7 Commit your configuration changes.
1. Click Commit, for the Commit Type select Panorama, and click Commit again.
2. Click Commit, for the Commit Type select Device Group, select all the device groups of the firewalls from which Panorama collects logs, select the Include Device and Network Templates check box, and click Commit again.
3. (M-Series appliance only) Click Commit, for the Commit Type select Collector Group, select the Collector Group you just configured to forward logs, and click Commit again.

Step 8 (Optional) Verify the external services are receiving logs from Panorama.
- Email server: Verify that the specified recipients are receiving logs as email notifications.
- Syslog server: Refer to the documentation for your syslog server to verify it is receiving logs as syslog messages.
- SNMP manager: Use an SNMP Manager to Explore MIBs and Objects to verify it is receiving logs as SNMP traps.

20 Log Collection Deployments Manage Log Collection Log Collection Deployments The following topics describe how to configure log collection in the most typical deployments. The deployments in these topics all describe Panorama in a high availability (HA) configuration. Palo Alto Networks recommends HA because it enables automatic recovery (in case of server failure) of components that are not saved as part of configuration backups. In HA deployments, the Panorama management server only supports an active/passive configuration. Plan a Log Collection Deployment Deploy Panorama with Dedicated Log Collectors Deploy Panorama with Default Log Collectors Deploy Panorama Virtual Appliances with Local Log Collection Plan a Log Collection Deployment Panorama and Log Collector Platforms Collector Groups with Single or Multiple Log Collectors Log Forwarding Options Panorama and Log Collector Platforms Decide which Panorama Platforms to use for the Panorama management server and Log Collectors based on the logging rate and geographic distribution of managed firewalls. If you initially implement log collection using the default Log Collectors but later require more storage or higher logging rates than these support, you can switch to a deployment with Dedicated Log Collectors (M Series appliances in Log Collector mode). You can also implement a hybrid deployment that includes both default and Dedicated Log Collectors. However, if you initially implement log collection using Dedicated Log Collectors, you will lose logs if you later switch to a deployment that involves only the default Log Collectors because of the reduced storage capacity. If you deploy firewalls remotely, consider the bandwidth requirement for the connection between the firewalls and Panorama, in addition to whether Panorama supports the required logging rate. Deploying Dedicated Log Collectors close to the firewalls can increase the bandwidth for log forwarding. 
The following table summarizes your choice of Log Collector when considering the rate at which it receives firewall logs.

Logging Rate               Log Collector
Up to 10,000 logs/second   Depends on the Panorama management server:
                           Virtual appliance: Panorama collects logs without any Log Collector.
                           M-Series appliance: local default Log Collector.
Up to 30,000 logs/second   M-100 appliance in Log Collector mode. Each M-100 appliance can process up to 30,000 logs/second and store up to 4TB of log data.
Up to 60,000 logs/second   M-500 appliance in Log Collector mode. Each M-500 appliance can process up to 60,000 logs/second and store up to 8TB of log data.

Collector Groups with Single or Multiple Log Collectors

You can configure a Collector Group with multiple Log Collectors to ensure log redundancy or to accommodate logging rates that exceed the capacity of a single Log Collector (see Panorama Platforms). To understand the risks and recommended mitigations, see Caveats for a Collector Group with Multiple Log Collectors.

Log Forwarding Options

By default, each firewall stores its log files locally. To use Panorama for centralized log monitoring and report generation, you must Configure Log Forwarding to Panorama. You can also Configure Log Forwarding from Panorama to External Destinations for archiving, notification, or analysis. When forwarding from Panorama, you can include the System and Config logs that Panorama and its Log Collectors generate. External services include syslog servers, email servers, or SNMP trap servers. The firewall, Panorama virtual appliance, or M-Series appliance that forwards the logs to external services converts the logs to the appropriate format (syslog message, email notification, or SNMP trap). Palo Alto Networks devices support the following log forwarding options:

Forward logs from firewalls to Panorama and from Panorama to external services
This configuration is best for deployments in which the connections between firewalls and external services have insufficient bandwidth to sustain the logging rate, which is often the case when the connections are remote. This configuration improves firewall performance by offloading some processing to Panorama. You can configure each Collector Group to forward logs to different destinations.

Figure: Log Forwarding to Panorama and then to External Services

Forward logs from firewalls to Panorama and to external services in parallel
In this configuration, both Panorama and the external services are endpoints of separate log forwarding flows; the firewalls don't rely on Panorama to forward logs to external services. This configuration is best for deployments in which the connections between firewalls and external services have sufficient bandwidth to sustain the logging rate, which is often the case when the connections are local.

Figure: Log Forwarding to External Services and Panorama in Parallel

Forward logs from firewalls directly to external services and also from Panorama to external services
This configuration is a hybrid of the previous two and is best for deployments that require sending syslog messages to multiple Security Information and Event Management (SIEM) solutions, each with its own message format (for example, Splunk and ArcSight). This duplicate forwarding doesn't apply to SNMP traps or email notifications.

Deploy Panorama with Dedicated Log Collectors

The following figures illustrate Panorama in a Distributed Log Collection Deployment. In these examples, the Panorama management server comprises two M-Series appliances in Panorama mode that are deployed in an active/passive high availability (HA) configuration. Alternatively, you can use an HA pair of Panorama virtual appliances. The firewalls send logs to Dedicated Log Collectors (M-Series appliances in Log Collector mode). This is the recommended configuration if the firewalls generate over 10,000 logs/second. (For details on deployment options, see Plan a Log Collection Deployment.) If you will assign more than one Log Collector to a Collector Group, see Caveats for a Collector Group with Multiple Log Collectors to understand the risks and recommended mitigations.

Figure: Single Dedicated Log Collector Per Collector Group

Figure: Multiple Dedicated Log Collectors Per Collector Group

Perform the following steps to deploy Panorama with Dedicated Log Collectors. Skip any steps you have already performed (for example, the initial setup).

Deploy Panorama with Dedicated Log Collectors

Step 1 Perform the initial setup of the Panorama management server (virtual appliances or M-Series appliances) and the Dedicated Log Collectors.

For each M-Series appliance:
1. Rack mount the M-Series appliance. Refer to the M-100 or M-500 Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-Series Appliance. If the Log Collectors will use the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces during initial configuration.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.
5. Switch from Panorama Mode to Log Collector Mode on each M-Series appliance that will serve as a Dedicated Log Collector. Switching the mode of an M-Series appliance deletes any existing log data and deletes all configurations except the management access settings. After the switch, the M-Series appliance retains CLI access but loses web interface access.

For each virtual appliance (if any):
1. Install the Panorama Virtual Appliance.
2. Perform Initial Configuration of the Panorama Virtual Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.

For the Panorama management server (virtual appliance or M-Series appliance), you must also Set Up HA on Panorama.

Deploy Panorama with Dedicated Log Collectors (Continued)

Step 2 Perform the following steps to prepare Panorama for log collection.
1. Access the CLI of each Log Collector and enter the following commands to enable connectivity for distributed log collection. <IPaddress1> and <IPaddress2> represent the management interface of the primary and secondary Panorama HA peer respectively.

    > configure
    # set deviceconfig system panorama-server <IPaddress1>
    # set deviceconfig system panorama-server-2 <IPaddress2>
    # commit

2. Use the following CLI command to display the serial number of each Log Collector, and then record it. You will need the serial numbers when adding Log Collectors as managed collectors.

    > show system info

3. Add a Firewall as a Managed Device for each one that will forward logs to Panorama.
4. Configure log forwarding. Skip any steps that involve configuring or committing changes to Log Collectors or Collector Groups; you will perform those steps later in the current procedure.
   a. Configure Log Forwarding to Panorama.
   b. (Optional) Configure Log Forwarding from Panorama to External Destinations.
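When Step 2 is repeated across many Dedicated Log Collectors, the two things that go wrong in practice are a mistyped Panorama peer address and a serial number recorded against the wrong collector. The following Python helper is an added example, not code from the Panorama Administrator's Guide or from Palo Alto Networks: it parses the `show system info` output you record from each collector, checks that the two Panorama HA peer addresses are distinct unicast addresses, and renders the `set deviceconfig system panorama-server` commands from the step above so the same lines are pasted on every collector. The host name, addresses and serial number in the sample are constructed; only the `key: value` layout of the output is relied on.

```python
"""Onboarding helper for Dedicated Log Collectors (Step 2 above).

Added example, not code from the Panorama Administrator's Guide. Parses the
recorded `show system info` output, validates the Panorama HA peer addresses
and renders the CLI lines from the procedure for each collector.
"""
import ipaddress
import re

# Constructed sample of `show system info` output from one Log Collector.
# Only the key: value layout matters to the parser; the values are invented.
SAMPLE_SYSTEM_INFO = """\
hostname: lc-dc1-01
ip-address: 192.0.2.21
netmask: 255.255.255.0
default-gateway: 192.0.2.1
serial: 000000000001
sw-version: 7.0.1
"""

_KV = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*$")


def parse_system_info(text):
    """Turn PAN-OS `key: value` lines into a dict, ignoring anything else."""
    info = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def collector_serial(text):
    """Serial number to enter when adding the collector as a managed collector."""
    serial = parse_system_info(text).get("serial")
    if not serial or not serial.isalnum():
        raise ValueError("no usable serial in `show system info` output")
    return serial


def peers_are_valid(primary_ip, secondary_ip):
    """True if both HA peer addresses are distinct, routable unicast addresses."""
    try:
        addrs = [ipaddress.ip_address(a) for a in (primary_ip, secondary_ip)]
    except ValueError:
        return False
    if addrs[0] == addrs[1] or addrs[0].version != addrs[1].version:
        return False
    return all(not (a.is_loopback or a.is_multicast or a.is_unspecified) for a in addrs)


def panorama_server_commands(primary_ip, secondary_ip):
    """The CLI from Step 2, without prompts, for the given Panorama HA peers."""
    if not peers_are_valid(primary_ip, secondary_ip):
        raise ValueError("Panorama HA peer addresses must be two distinct unicast addresses")
    return [
        "configure",
        f"set deviceconfig system panorama-server {primary_ip}",
        f"set deviceconfig system panorama-server-2 {secondary_ip}",
        "commit",
    ]


def onboarding_record(system_info_text, primary_ip, secondary_ip):
    """What to keep per collector: hostname, serial, version and the CLI to run."""
    info = parse_system_info(system_info_text)
    return {
        "hostname": info.get("hostname", "?"),
        "serial": collector_serial(system_info_text),
        "sw_version": info.get("sw-version", "?"),
        "commands": panorama_server_commands(primary_ip, secondary_ip),
    }


if __name__ == "__main__":
    # Constructed Panorama HA pair addresses (RFC 5737 documentation range).
    rec = onboarding_record(SAMPLE_SYSTEM_INFO, "198.51.100.10", "198.51.100.11")
    print(f"{rec['hostname']} serial={rec['serial']} sw={rec['sw_version']}")
    print("\n".join(rec["commands"]))
```

Keeping the serial next to the hostname in the record is what lets you confirm, after the collectors are added as managed collectors, that each entry in Panorama corresponds to the appliance you actually configured.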


Source: https://docplayer.net/19730056-Manage-log-collection-panorama-administrator-s-guide-version-7-0.html
