Centralized Configuration and Deployment Management

Panorama uses Device Groups and Templates to group devices into smaller and more logical sets that require similar configuration. All configuration elements, policies, and objects on the managed firewalls can be centrally managed on Panorama using Device Groups and Templates. In addition to managing configuration and policies, Panorama enables you to centrally manage licenses, software, and associated content updates: SSL-VPN clients, GlobalProtect agents, and dynamic content updates (Applications, Threats, WildFire, and Antivirus).

The following topics describe these features:
Context Switch—Firewall or Panorama
Templates
Device Groups

Context Switch—Firewall or Panorama

The Panorama web interface allows you to toggle between a Panorama-centric view and a firewall-centric view using the context switch. You can manage the firewall centrally using Panorama and then switch context to a specific managed firewall to configure it using the firewall user interface. The similarity of the user interface on the managed firewalls and on Panorama allows you to move seamlessly between the interfaces to administer and monitor the firewall as required. If you have configured Access Domains to restrict administrative access to specific managed firewalls, the Panorama user interface displays only the firewalls and features for which the logged-in administrator has permissions.

Templates

You use templates to configure the settings that managed firewalls require to operate on the network. Templates enable you to define a common base configuration using the Network and Device tabs on Panorama. For example, you can use templates to manage interface and zone configurations, server profiles for logging and SNMP access, and network profiles for controlling access to zones and IKE gateways.
When you group firewalls to define Template settings, consider grouping firewalls that are alike in hardware model, and require access to similar network resources, such as gateways and syslog servers. Using templates, you can push a limited common base configuration to a group of firewalls and then configure the rest of the settings manually on the firewall. Alternatively, you can push a larger common base configuration and then override the template settings on the firewall to accommodate firewall‐specific changes. When you override a setting on the firewall, the setting is saved to the local configuration of the firewall and is no longer managed by the Panorama template. You can, however, use Panorama to force the template configuration onto the firewall or restore the template settings on the firewall. For example, you ...
Device Groups

To use Panorama effectively, you must group the firewalls on your network into logical units called device groups. A device group allows grouping based on network segmentation, geographic location, or the need to implement similar policy configurations. A device group can include physical firewalls, virtual firewalls, and/or a virtual system. By default, all managed devices belong to the Shared device group on Panorama.

Device Groups enable central management of policies and objects using the Policies and Objects tabs on Panorama. Objects are configuration elements that are referenced in policies. Some of the objects that firewall policies make use of are IP addresses, URL categories, security profiles, users, services, and applications. Using Device Groups you can create shared objects or device group-specific objects and then use these objects to create a hierarchy of rules (and rulebases) to enforce how managed firewalls handle inbound and outbound traffic. For example, a corporate acceptable use policy could be defined as a set of shared policies. Then, to allow only the regional offices to access peer-to-peer traffic such as BitTorrent, you can create a security rule as a shared policy and target it to the regional offices, or make it a device group rule that is pushed to the regional offices. See Use Case: Configure Firewalls Using Panorama.

Policies

Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. The following table lists the policy layers, the firewalls to which the policies apply, and the platform where you administer the policies:

Policy | Scope | Administration Platform
Shared | All the firewalls in all device groups. | Panorama
Device group-specific | All the firewalls assigned to a single device group. | Panorama
Local (firewall-specific) | A single firewall. | Firewall
Default (security rules ...
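The table above lists the layers but not how a firewall resolves them when more than one layer matches a session. The following Python is an added example, not code from this guide or from Palo Alto Networks: it evaluates a constructed rulebase for one managed firewall in the order PAN-OS uses for Panorama-pushed rules (shared pre-rules, device-group pre-rules, local firewall rules, device-group post-rules, shared post-rules, then the default rules). That ordering, and the intrazone-allow/interzone-deny default rules, go beyond what this page states; the serial numbers, device-group names, zones, applications and rule names are all constructed.

```python
"""First-match evaluation of layered Panorama security policy for one firewall.

Added example; not code from the Panorama guide or from Palo Alto Networks.
Layer order (shared pre, device-group pre, local, device-group post, shared
post, then defaults) reflects how PAN-OS orders Panorama-pushed rulebases and
goes beyond the table on this page. All names and serials are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

LAYER_ORDER = ("shared-pre", "dg-pre", "local", "dg-post", "shared-post")


@dataclass(frozen=True)
class Rule:
    name: str
    layer: str                 # one of LAYER_ORDER
    owner: Optional[str]       # device-group name (dg-*), firewall serial (local), None (shared)
    src_zone: str              # "any" matches every zone
    dst_zone: str
    app: str                   # "any" matches every application
    action: str                # "allow" or "deny"
    target: FrozenSet[str] = frozenset()   # Panorama Target tab; empty = every firewall the rule reaches


@dataclass(frozen=True)
class Firewall:
    serial: str
    device_group: str


def reaches(rule: Rule, fw: Firewall) -> bool:
    """Is this rule part of the rulebase this firewall runs?"""
    if rule.layer not in LAYER_ORDER:
        raise ValueError(f"unknown layer {rule.layer!r}")
    if rule.layer.startswith("dg-") and rule.owner != fw.device_group:
        return False
    if rule.layer == "local" and rule.owner != fw.serial:
        return False
    return not rule.target or fw.serial in rule.target


def matches(rule: Rule, src_zone: str, dst_zone: str, app: str) -> bool:
    return (rule.src_zone in ("any", src_zone)
            and rule.dst_zone in ("any", dst_zone)
            and rule.app in ("any", app))


def evaluate(rules: Iterable[Rule], fw: Firewall,
             src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    """(rule name, action) of the first matching rule. sorted() is stable, so
    rules keep their written order within a layer."""
    ordered = sorted((r for r in rules if reaches(r, fw)),
                     key=lambda r: LAYER_ORDER.index(r.layer))
    for rule in ordered:
        if matches(rule, src_zone, dst_zone, app):
            return rule.name, rule.action
    # PAN-OS default rules: same-zone traffic allowed, cross-zone traffic denied.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase: acceptable-use policy as shared pre-rules, with the
# BitTorrent exception targeted at the regional-office firewalls only.
REGIONAL = frozenset({"0001A-REG1", "0001A-REG2"})
RULES: List[Rule] = [
    Rule("allow-p2p-regional", "shared-pre", None, "trust", "untrust", "bittorrent", "allow", REGIONAL),
    Rule("deny-p2p", "shared-pre", None, "any", "any", "bittorrent", "deny"),
    Rule("hq-allow-web", "dg-pre", "hq", "trust", "untrust", "web-browsing", "allow"),
    Rule("local-allow-p2p", "local", "0001A-HQ1", "trust", "untrust", "bittorrent", "allow"),
]
HQ1 = Firewall("0001A-HQ1", "hq")
REG1 = Firewall("0001A-REG1", "regional")

if __name__ == "__main__":
    for fw, app in ((REG1, "bittorrent"), (HQ1, "bittorrent"), (HQ1, "web-browsing")):
        print(fw.serial, app, evaluate(RULES, fw, "trust", "untrust", app))
```

The targeted shared rule reaches only the regional serials, so the HQ firewall falls through to the shared deny even though it carries a local allow rule: a local rule can never override a pre-rule pushed from Panorama, which is why an acceptable-use policy belongs in the shared pre-rulebase rather than in local configuration.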
Centralized Logging and Reporting

Panorama aggregates data from all managed firewalls and provides visibility across all the traffic on the network. It also provides an audit trail for all policy modifications and configuration changes made to the managed firewalls. In addition to aggregating logs, Panorama can aggregate and forward SNMP traps, email notifications, and syslog messages to an external destination.

The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all the firewalls; it allows you to centrally analyze, investigate, and report on network traffic and security incidents. On Panorama, you can view logs and generate reports from logs forwarded to Panorama or to the managed Log Collectors, if configured, or you can query the managed firewalls directly. For example, you can generate reports about traffic, threat, and/or user activity in the managed network based on logs stored on Panorama (and the managed Log Collectors) or by accessing the logs stored locally on the managed firewalls. If you choose not to configure the managed firewalls to forward logs to Panorama, you can schedule reports to run on each managed firewall and forward the results to Panorama for a combined view of user activity and network traffic. Although this view does not provide granular drill-down on specific data and activities, it still provides a unified reporting approach.

The following topics describe logging and reporting:
Logging Options
Managed Collectors and Collector Groups
Caveats for a Collector Group with Multiple Log Collectors
Centralized Reporting

Logging Options

Both the Panorama virtual appliance and the M-100 appliance can collect logs that the managed firewalls forward. You can then configure Panorama to forward these aggregated logs to external services (syslog server, email server, or SNMP trap server). The logging options vary on each platform.
Panorama Platform | Logging Options
Virtual appliance | Offers three logging options:
• Use the approximately 11GB of internal storage space allocated for logging as soon as you install the virtual appliance.
• Add a virtual disk that can support up to 2TB of storage.
• Mount a Network File System (NFS) datastore in which you can configure the storage capacity that is allocated for logging.
Managed Collectors and Collector Groups

A Log Collector can be local to an M-100 appliance in Panorama mode (default Log Collector) or can be an M-100 appliance in Log Collector mode (dedicated Log Collector). Because you use Panorama to configure and manage Log Collectors, they are also known as Managed Collectors. An M-100 appliance in Panorama mode or a Panorama virtual appliance can manage dedicated Log Collectors. To administer dedicated Log Collectors using the Panorama web interface, you must add them as Managed Collectors. Otherwise, administrative access to a dedicated Log Collector is available only through its CLI using the default administrative user (admin) account. Dedicated Log Collectors do not support additional administrative user accounts.

A Collector Group is 1 to 16 managed collectors that operate as a single logical log collection unit. If the group contains dedicated Log Collectors, the logs are uniformly distributed across all the disks in each Log Collector and across all members in the Collector Group. This distribution maximizes the use of the available storage space. To manage a Log Collector, you must add it to a Collector Group. Palo Alto Networks recommends placing only one Log Collector in a Collector Group unless more than 4TB of storage space is required in a Collector Group. For details, see Caveats for a Collector Group with Multiple Log Collectors.

The Collector Group configuration specifies which managed firewalls can send logs to the Log Collectors in the group. After you configure the Log Collectors and enable the firewalls to forward logs, each firewall forwards its logs to the assigned Log Collector.

If you use Panorama to manage firewalls running both PAN-OS 5.0 and a PAN-OS version earlier than 5.0, note the following compatibility requirements:
• Only devices running PAN-OS 5.0 can send logs to a dedicated Log Collector.
• Devices running PAN-OS versions earlier than 5.0 can send logs only to a Panorama virtual appliance or to an M-100 appliance in Panorama mode.

Managed Collectors and Collector Groups are integral to a distributed log collection deployment on Panorama. A distributed log collection deployment allows for easy scalability and incremental addition of dedicated Log Collectors as your logging needs grow. The M-100 appliance in Panorama mode can log to its default Collector Group and then be expanded to a distributed log collection deployment with one or more Collector Groups that include dedicated Log Collectors.

Caveats for a Collector Group with Multiple Log Collectors

Although Palo Alto Networks recommends placing only one Log Collector in a Collector Group, if you have a scenario where you need more than 4TB of log storage capacity in a Collector Group for the required log retention period, you can add up to 16 Log Collectors to the group. For example, if a single managed firewall generates 12TB of logs, you will require at least three Log Collectors in the Collector Group that receives those logs. If a Collector Group contains multiple Log Collectors, the available storage space is used as one logical unit and the logs are uniformly distributed across all the Log Collectors in the Collector Group. The log distribution is based on the disk capacity of the Log Collectors (which ranges from 1TB to 4TB, depending ...
Panorama Commit Operations

When editing the configuration on Panorama, you are changing the candidate configuration file. The candidate configuration is a copy of the running configuration along with any changes you made since the last commit. The Panorama web interface displays all the configuration changes immediately. However, Panorama does not implement the changes until you commit them. The commit process validates the changes in the candidate configuration file and saves it as the running configuration on Panorama.

After any system event or administrator action causes Panorama to reboot, all your changes since the last commit will be lost. To preserve changes without committing them, periodically click Save at the top right of the web interface to save a snapshot of the candidate configuration. If a reboot occurs, you can then revert to the snapshot. For details on backing up and restoring running and candidate configurations, see Manage Panorama Configuration Backups.

When initiating a commit on Panorama, select one of the following types:

Commit Option | Description
Panorama | Commits the changes in the current candidate configuration to the running configuration on Panorama. You must first commit your changes on Panorama before committing any configuration updates (templates or device groups) to the managed firewalls or Collector Groups.
Template | Commits network and device configurations from a Panorama template to the selected firewalls.
Device Group | Commits policies and objects configured on Panorama to the selected firewalls/virtual systems.
Collector Group | Commits changes to the specified Collector Groups that Panorama manages.

When you perform a commit, Panorama pushes the entire configuration to the managed firewalls. When the commit completes, a result displays: Commit succeeded or Commit succeeded with warnings. Some other commit choices are: —This option is available when the ...
Role-Based Access Control

Role-based access control (RBAC) allows you to specify the privileges and responsibilities accorded to every administrative user. On Panorama, you can define administrative accounts with specific roles, profiles, or Access Domains to regulate access to specific features on Panorama and the managed firewalls; these options allow you to limit administrative access to only the firewalls and areas of the management interface that each administrator requires to perform the job.

By default, every Panorama server comes pre-configured with a default administrative account (admin) that provides full read-write access (also known as superuser access). As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions on Panorama. This provides better protection against unauthorized configuration (or modification) and enables logging of the actions of each administrator. For every administrative user, you can also define an authentication profile that determines how the user's access credentials are verified. To enforce more granular administrative access, use access domains to restrict administrative access to a particular firewall, device group, or template.

The following topics describe administrative access:
Administrative Roles
Authentication Profiles and Sequences
Access Domains
Administrative Authentication

Administrative Roles

The way you configure administrator accounts depends on the security requirements of your organization, whether it has existing authentication services with which to integrate, and the administrative roles it requires. A role defines the type of system access an administrator has. The role types are:

Dynamic Roles—These are built-in roles that provide access to Panorama and managed devices. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them.
The following table lists the access privileges associated with dynamic roles.

Dynamic Role | Privileges
Superuser | Full read-write access to Panorama
Superuser (read-only) | Read-only access to Panorama
Panorama administrator | Full access to Panorama except for the following actions:
• ...
Admin Role Profiles—To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the roles with corresponding access privileges: Panorama does not automatically add new features to custom role definitions. When creating a custom role (see Set Up Administrative Access to Panorama), you select one of the following profiles:

Administrator Role Profile | Description
Panorama | For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the superuser dynamic role, except the management of Panorama administrators and Panorama roles. For the latter two features, you can assign read-only access or no access, but you cannot assign read-write access. An example use of a Panorama role would be for security administrators who require access to security policy definitions, logs, and reports on Panorama.
Device Group and Template | For these roles, you can assign read-write access, read-only access, or no access to the device groups and templates specified in the administrator account definition. Roles with this profile have the following limitations:
• No access to the CLI or XML API
• No access to configuration or system logs
• No access to App Scope or reports
• No access to VM information sources
• In the Panorama tab, access is limited to device deployment features (read-write, read-only, or no access) and to the templates, managed devices, and device groups specified in the administrator account (read-only or no access).
An example use of this role would be for administrators in your operations staff who require access to the device and network configuration areas of the web interface for specific device groups and/or templates.
Authentication Profiles and Sequences Among its other uses, an authentication profile defines how an administrative user is authenticated on Panorama upon login. If you create a local user account on Panorama, you can authenticate the user to the local database, or use an external RADIUS, LDAP, or Kerberos server for authentication. If you do not want ...
Plan Your Deployment

• Determine the management approach. Do you plan to use Panorama to centrally configure and manage the policies, to centrally administer software, content, and license updates, and/or to centralize logging and reporting across the managed devices in the network?
• If you already deployed and configured the Palo Alto Networks firewalls on your network, determine whether to transition the devices to centralized management. This process requires a migration of all configuration and policies from your firewalls to Panorama. For details, see Transition a Firewall to Panorama Management.
• Verify that Panorama is on the same release version or a later version than the firewalls that it will manage. For example, Panorama version 4.0 cannot manage firewalls running PAN-OS 5.0. For versions within the same feature release, although Panorama can manage firewalls running a later version of PAN-OS, Palo Alto Networks recommends that Panorama run the same version or a later version. For example, if Panorama runs 6.0.3, it is recommended that all managed firewalls run PAN-OS 6.0.3 or an earlier version.
• Plan to use the same URL filtering database (BrightCloud or PAN-DB) across all managed firewalls. If some firewalls use the BrightCloud database and others use PAN-DB, Panorama can manage security policies for only one of the two URL filtering databases. URL filtering rules for the other database must be managed locally on the firewalls that use that database.
• Plan to use Panorama in a high availability configuration; set it up as an active/passive high availability pair. See Panorama High Availability.
• Estimate the log storage capacity your network needs to meet security and compliance requirements. Consider such factors as the network topology, the number of firewalls sending logs, the type of log traffic (for example, URL and threat logs versus traffic logs), the rate at which firewalls generate logs, and the number of days for which you want to store logs on Panorama. For details, see Determine Panorama Log Storage Requirements.
• For meaningful reports on network activity, plan a logging solution:
– Do you need to forward logs to a syslog server, in addition to Panorama?
– If you need a long-term storage solution, do you have a Security Information and Event Management (SIEM) solution, such as Splunk or ArcSight, to which you need to forward logs?
– Do you need redundancy in logging? With Panorama virtual appliances in HA, each peer can log to ...
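The release rule in the checklist is easy to get wrong across a large fleet, because the hard limit (feature release) and the recommendation (maintenance release) are different tests. The following Python is an added example, not code from this guide or from Palo Alto Networks; it encodes only the two rules stated above, and the serial numbers and version strings it uses are constructed.

```python
"""Check whether a Panorama release can, and should, manage a PAN-OS release.

Added example; not code from the Panorama guide or from Palo Alto Networks.
It encodes only the two rules in the deployment checklist: the feature
release (major.minor) of Panorama must be the same as or later than the
firewall's, and within one feature release the maintenance version of
Panorama should be the same or later. Version strings are constructed.
"""
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, int, int]:
    """'6.0.3' -> (6, 0, 3); '6.1' -> (6, 1, 0); a hotfix suffix such as '-h1' is ignored."""
    parts = [int(p) for p in text.split("-", 1)[0].split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def check_management(panorama: str, firewall: str) -> Tuple[bool, str]:
    """(supported, note): supported is False when Panorama cannot manage the firewall at all."""
    p_major, p_minor, p_maint = parse_version(panorama)
    f_major, f_minor, f_maint = parse_version(firewall)
    if (p_major, p_minor) < (f_major, f_minor):
        return False, f"Panorama {panorama} cannot manage PAN-OS {firewall}; upgrade Panorama first"
    if (p_major, p_minor) == (f_major, f_minor) and p_maint < f_maint:
        return True, f"supported, but Panorama {panorama} should be upgraded to at least {firewall}"
    return True, "ok"


def unmanageable(panorama: str, firewalls: Dict[str, str]) -> List[str]:
    """Serials (from a serial -> PAN-OS version map) that this Panorama release cannot manage."""
    return [serial for serial, ver in firewalls.items() if not check_management(panorama, ver)[0]]


if __name__ == "__main__":
    fleet = {"0001A-HQ1": "6.0.3", "0001A-REG1": "6.0.5", "0001A-LAB1": "6.1.0"}   # constructed
    for serial, ver in fleet.items():
        print(serial, ver, check_management("6.0.3", ver))
    print("cannot be managed until Panorama is upgraded:", unmanageable("6.0.3", fleet))
```

Run this against the firewall inventory before scheduling PAN-OS upgrades: any firewall that would move to a newer feature release than Panorama drops out of central management until Panorama itself is upgraded first.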
Determine Panorama Log Storage Requirements

When you Plan Your Deployment, estimate how much log storage capacity Panorama requires to determine which Panorama Platforms to deploy, whether to expand the storage on those platforms beyond their default capacities, whether to deploy Dedicated Log Collectors, and whether to Enable Log Forwarding from Panorama to External Destinations. When Panorama reaches the maximum capacity, it automatically deletes older logs to create space for new ones. Therefore, to ensure that log retention meets your needs, configure any additional storage during the Panorama setup stage. To expand log storage capacity during or after setup, see Expand Log Storage Capacity on the Panorama Virtual Appliance or Increase Storage on the M-100 Appliance.

Perform the following steps to determine the approximate log storage that Panorama requires. For details and use cases, refer to the Panorama Sizing and Design Guide.

Step 1 Determine the log retention requirements of your organization. Factors that affect log retention requirements include:
• IT policy of your organization
• Regulatory requirements, such as those specified by the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act, and Health Insurance Portability and Accountability Act (HIPAA)
You can Reallocate Log Storage Quota for each log type as a percentage of the total space if you need to prioritize log retention by type.

Step 2 Determine the average daily logging rates. Do this multiple times each day, at peak and non-peak times, to estimate the average. The more often you sample the rates, the more accurate your estimate. Display the current log generation rate in logs per second:
• If Panorama is not yet collecting logs, access the CLI of each firewall, run the following command, and calculate the total rates for all the firewalls. This command displays the number of logs received in the last second.
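The two steps above give you sampled rates and a retention period; turning those into a platform decision is the arithmetic the guide leaves to the Panorama Sizing and Design Guide. The following Python is an added example, not code from this guide or from Palo Alto Networks. It takes the storage tiers stated on this page (11GB internal on the virtual appliance, a 2TB virtual disk, 4TB per M-100 Log Collector, up to 16 Log Collectors per Collector Group, and the 12TB example that needs three). The average size of one log entry is not given anywhere on this page, so ASSUMED_BYTES_PER_LOG is an assumption to replace with a measurement from your own platform; the firewall names and rate samples are constructed.

```python
"""Estimate Panorama log storage from sampled per-firewall log rates.

Added example; not code from the Panorama guide or from Palo Alto Networks.
The guide says to sample each firewall's logs-per-second at peak and off-peak
times and size for the retention period, and gives the storage tiers used
below (11GB virtual-appliance internal, 2TB virtual disk, 4TB per M-100 Log
Collector, up to 16 collectors per Collector Group, 12TB needs three). It does
NOT give the average size of a log entry: ASSUMED_BYTES_PER_LOG is an
assumption to replace with a measurement from your own platform.
"""
import math
from typing import Dict, List, Optional

GB = 1024 ** 3
TB = 1024 ** 4
SECONDS_PER_DAY = 86_400
ASSUMED_BYTES_PER_LOG = 500               # assumption, see module docstring
COLLECTOR_CAPACITY = 4 * TB               # largest per-collector capacity on this page
MAX_COLLECTORS_PER_GROUP = 16
PLATFORM_CAPACITY = {                     # smallest option first
    "virtual appliance, internal storage": 11 * GB,
    "virtual appliance, added virtual disk": 2 * TB,
    "M-100 Log Collector (4TB)": 4 * TB,
}


def average_rate(samples: List[float]) -> float:
    """Mean logs/second over samples taken at peak and off-peak times."""
    if not samples:
        raise ValueError("need at least one sample")
    return sum(samples) / len(samples)


def required_bytes(rates: Dict[str, List[float]], retention_days: int,
                   bytes_per_log: int = ASSUMED_BYTES_PER_LOG) -> int:
    """Bytes needed to keep every firewall's logs for retention_days."""
    total_rate = sum(average_rate(s) for s in rates.values())
    return math.ceil(total_rate * SECONDS_PER_DAY * retention_days * bytes_per_log)


def retention_days_available(capacity: int, rates: Dict[str, List[float]],
                             bytes_per_log: int = ASSUMED_BYTES_PER_LOG) -> float:
    """Days of logs a capacity holds before Panorama starts deleting the oldest."""
    return capacity / required_bytes(rates, 1, bytes_per_log)


def smallest_platform(total: int) -> Optional[str]:
    """First storage tier that holds total bytes, or None if a Collector Group is needed."""
    for name, cap in PLATFORM_CAPACITY.items():
        if total <= cap:
            return name
    return None


def collectors_needed(total: int) -> int:
    """4TB Log Collectors one Collector Group needs (the guide's 12TB example gives 3)."""
    n = max(1, math.ceil(total / COLLECTOR_CAPACITY))
    if n > MAX_COLLECTORS_PER_GROUP:
        raise ValueError(f"{n} collectors exceed {MAX_COLLECTORS_PER_GROUP} per group; split across groups")
    return n


def quota_bytes(total: int, percent_by_type: Dict[str, float]) -> Dict[str, int]:
    """Split storage per log type when reallocating the quota by percentage."""
    if abs(sum(percent_by_type.values()) - 100) > 1e-9:
        raise ValueError("quota percentages must sum to 100")
    return {t: int(total * p / 100) for t, p in percent_by_type.items()}


if __name__ == "__main__":
    # Constructed samples: logs/second per firewall at several times of day.
    rates = {"fw-hq": [1200, 800, 300], "fw-reg1": [400, 250, 90]}
    need = required_bytes(rates, retention_days=90)
    print(f"{need / TB:.2f} TB for 90 days;", smallest_platform(need) or f"{collectors_needed(need)} collectors")
```

The retention_days_available check is the one to run first: it shows how quickly the 11GB default on the virtual appliance rolls over at a given rate, which is the point at which Panorama silently starts deleting the oldest logs, and so whether compliance retention is possible without a virtual disk, NFS, or a Log Collector.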
Set Up the Panorama Virtual Appliance

The Panorama virtual appliance consolidates the Panorama management and logging functions into a single virtual appliance. This solution enables use of an existing VMware virtual infrastructure to easily deploy and centrally administer and monitor the Palo Alto Networks firewalls in your network, as described in the following sections:
Setup Prerequisites for the Panorama Virtual Appliance
Install Panorama on the ESX(i) Server
Perform Initial Configuration of the Panorama Virtual Appliance
Expand Log Storage Capacity on the Panorama Virtual Appliance
Increase CPUs and Memory on the Panorama Virtual Appliance
Complete the Panorama Virtual Appliance Setup

You cannot use the Panorama virtual appliance as a dedicated Log Collector. Only an M-100 appliance in Log Collector mode provides dedicated log collection capabilities (see Set Up the M-100 Appliance). However, you can use the Panorama virtual appliance to manage a dedicated Log Collector.

These topics assume you are familiar with the VMware products required to create the virtual appliance, and do not cover VMware concepts or terminology.

Setup Prerequisites for the Panorama Virtual Appliance

Complete the following tasks before you Install Panorama on the ESX(i) Server:

Verify that your server meets the minimum system requirements for installing Panorama. These requirements apply to Panorama 5.1 and later releases.

Prerequisites for the Panorama Virtual Appliance
• 64-bit kernel-based VMware ESX(i) 5.1 or 5.5
• A client computer with one of the following: VMware vSphere Client or VMware Infrastructure Client that is compatible with your ESX(i) server
• Use the following guidelines for allocating CPU and memory:
– 1-10 managed firewalls: 4 cores and 4GB
– 11-50 managed firewalls: 8 cores and 8GB
– More than 50 managed firewalls: 8 cores and 16GB
• ...
Install Panorama on the ESX(i) Server (Continued)

Step 3 Install Panorama. Starting with Panorama 5.1, the Panorama virtual appliance is installed as a 64-bit virtual machine.
Choose File > Deploy OVF Template.
Browse to select the panorama-esx.ovf file from the recently unzipped Panorama base image, and click Next.
Confirm that the product name and description match the downloaded version, and click Next.
Enter a descriptive name for the Panorama virtual appliance, and click Next.
Select a Datastore Location on which to install the Panorama image, and click Next. Adding additional disk space does not increase the available log storage capacity on Panorama. To expand log capacity, you must add a virtual disk or set up access to an NFS datastore. See Expand Log Storage Capacity on the Panorama Virtual Appliance.
Select Thick Provision Lazy Zeroed as the disk format, and click Next.
Specify which networks in the inventory must be used for the Panorama virtual appliance.
Confirm the selected options and then click Finish to begin the installation process.
When the installation completes, right-click the Panorama virtual appliance, select Edit Settings, and define the following settings:
a. ...
Configure the Management Interface of the Panorama Virtual Appliance

Step 1 Gather the required information from your network administrator:
• IP address for MGT port
• Netmask
• Default gateway
• DNS server IP address

Step 2 Access the console of the Panorama virtual appliance. Select the Console tab on the ESX(i) server for the virtual Panorama. Press Enter to access the login screen. Enter the default username/password (admin/admin) to log in. Enter configure to switch to configuration mode.

Step 3 Configure the network access settings for the management interface. The management interface is used for management traffic, HA connectivity and synchronization, log collection, and communication within Collector Groups. Enter the following command:
    set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
Configure the Serial Number and Time Zone of the Panorama Virtual Appliance (Continued)

Step 3 Configure the general settings. Select Panorama > Setup > Management and edit the General Settings.
Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT or UTC. Timestamps are recorded when the logs are generated on the firewalls and again when they are received on Panorama. Aligning the time zones on both Panorama and the managed firewalls ensures that the timestamps are in sync and that querying logs and generating reports on Panorama gives consistent results.
Enter a Hostname for the server and enter the network Domain name. The domain name is just a label; it will not be used to join the domain.
Enter the Latitude and Longitude to enable accurate placement of the server on the world map.
Enter the Serial Number. This was sent to you with the order fulfillment email.
Click OK.

Step 4 Change the default admin password. Click the admin link in the lower left part of the management console. A dialog to change the administrator's password displays. To ensure that the management interface remains secure, ...
Add a Virtual Disk to the Panorama Virtual Appliance

To expand log storage capacity beyond the approximately 11GB of internal storage allocated by default on the Panorama virtual appliance, you can add another virtual disk of up to 2TB. If Panorama loses connectivity to the new virtual disk, Panorama might lose logs during the failure interval. To allow for redundancy, use the virtual disk in a RAID configuration. RAID10 provides the best write performance for applications with high logging characteristics. If necessary, you can Replace the Virtual Disk on a Panorama Virtual Appliance.

Add a Virtual Disk to Panorama on an ESXi Server
Step 1 Access the VMware vSphere Client and select the Virtual Machines tab.
Step 2 Right-click the Panorama virtual appliance and select Power > Power Off.
Step 3 Right-click the Panorama virtual appliance and select Edit Settings.
Step 4 Click Add in the Hardware tab to launch the Add Hardware wizard.
Step 5 Select Hard Disk for the hardware type and click Next.
Step 6 Select Create a new virtual disk and click Next.
Step 7 Set the Disk Size to 2TB.
Step 8 Select the Thick Provision Lazy Zeroed disk format.
Step 9 Set the Location to Store with the virtual machine (the datastore doesn't have to reside on the ESXi server) ...
Mount the Panorama Virtual Appliance to an NFS Datastore

Step 1 Set up access to the datastore.
Select Panorama > Setup > Operations.
Click the Storage Partition Setup link in the Miscellaneous section.
Select NFS V3.
Enter the IP address of the NFS Server.
Enter the location/path for storing the log files in the Log Directory field. For example, export/panorama.
Select the protocol (TCP or UDP) and enter the Port for accessing the NFS server. To use NFS over TCP, the NFS server must support it. Common NFS ports are UDP/TCP 111 for RPC and UDP/TCP 2049 for NFS.
For optimal NFS performance, in the Read Size and Write Size fields, specify the maximum size of the chunks of data that the client and server pass back and forth to each other. Defining a read/write size optimizes the data volume and speed in transferring data between Panorama and the NFS datastore.
Select Test Logging Partition to verify that Panorama is able to access the NFS server IP address and the directory location specified above.
(Optional) Select the Copy on Setup option. This setting copies the existing logs stored on Panorama to the NFS volume. If you have a lot of existing logs, enabling the Copy on Setup ...
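Step 1 configures only the Panorama side of the mount. The NFS server side decides who else can read or overwrite the log store, and with NFS v3 in its usual AUTH_SYS configuration the server identifies a client by source IP address alone. The following Python is an added example, not code from this guide or from Palo Alto Networks: it audits an /etc/exports file so that the export holding Panorama's logs admits the Panorama management address and nothing else. The exports text, export paths and IP addresses are constructed, and the option names it looks for (rw, sync, insecure, no_root_squash, no_subtree_check) are standard Linux nfsd exports options rather than anything Panorama-specific.

```python
"""Audit /etc/exports before pointing Panorama at an NFS log datastore.

Added example; not code from the Panorama guide or from Palo Alto Networks.
NFS v3 (the version the Storage Partition Setup dialog offers) identifies
clients by source IP only in the usual AUTH_SYS setup, so the export holding
Panorama's logs should admit the Panorama management address and nothing
else. The exports text, paths and addresses below are constructed; the option
names are standard Linux nfsd exports options.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the first export is the weak form, the second the hardened one.
SAMPLE_EXPORTS = """\
# exports for Panorama log storage (constructed sample)
/export/panorama *(rw,insecure,no_root_squash)
/export/panorama-hardened 10.10.5.20/32(rw,sync,no_subtree_check)
/export/scratch 192.168.1.0/24(ro,sync)
"""

_ENTRY = re.compile(r"(\S+?)(?:\(([^)]*)\))?$")


def _split_client(client: str) -> Tuple[str, List[str]]:
    """'10.0.0.5/32(rw,sync)' -> ('10.0.0.5/32', ['rw', 'sync']); bare '(rw)' means every host."""
    if client.startswith("("):
        host, raw = "*", client[1:-1]
    else:
        m = _ENTRY.match(client)
        host, raw = m.group(1), m.group(2) or ""
    return host, [o.strip() for o in raw.split(",") if o.strip()]


def parse_exports(text: str) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map export path -> [(client spec, options)]; comments and blank lines skipped."""
    exports: Dict[str, List[Tuple[str, List[str]]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        exports[path] = [_split_client(c) for c in clients]
    return exports


def client_scope(host: str, ip: str) -> str:
    """'only' (exactly this ip), 'wide' (this ip plus others), 'nomatch', or 'unknown'."""
    if host in ("*", ""):
        return "wide"
    if host.startswith("@") or any(ch in host for ch in "*?"):
        return "unknown"          # netgroup or wildcard hostname: not verifiable statically
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return "unknown"          # plain hostname: depends on DNS, verify separately
    if ipaddress.ip_address(ip) not in net:
        return "nomatch"
    return "only" if net.num_addresses == 1 else "wide"


def audit_export(path: str, text: str, panorama_ip: str) -> List[str]:
    """Findings for one export; an empty list means it looks safe for Panorama."""
    entries = parse_exports(text).get(path)
    if entries is None:
        return [f"{path}: not exported"]
    findings, reachable = [], False
    for host, opts in entries:
        scope = client_scope(host, panorama_ip)
        if scope == "nomatch":
            continue                      # unrelated client, ignore
        reachable = True
        if scope == "wide":
            findings.append(f"{path}: client {host!r} admits hosts other than Panorama {panorama_ip}")
        elif scope == "unknown":
            findings.append(f"{path}: client {host!r} cannot be verified statically")
        if "insecure" in opts:
            findings.append(f"{path}: 'insecure' accepts unprivileged source ports; drop it unless the mount fails without it")
        if "no_root_squash" in opts:
            findings.append(f"{path}: 'no_root_squash' maps client root to server root")
        if "sync" not in opts:
            findings.append(f"{path}: no 'sync'; acknowledged log writes may not be on stable storage")
    if not reachable:
        findings.append(f"{path}: Panorama {panorama_ip} is not an allowed client")
    return findings


if __name__ == "__main__":
    for path in ("/export/panorama", "/export/panorama-hardened"):
        print(path, audit_export(path, SAMPLE_EXPORTS, "10.10.5.20") or ["ok"])
```

Run the audit against the real exports file with the IP you entered in Step 1, then confirm with Test Logging Partition; a clean result from the Panorama side says nothing about who else the server admits, which is what this check covers.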
Increase CPUs and Memory for Panorama on an ESXi Server (Continued)

Step 4 Select Memory and enter the new Memory Size based on the number of firewalls that Panorama manages:
• 1-10 firewalls: 4GB memory
• 11-50 firewalls: 8GB memory
• 51-1,000 firewalls: 16GB memory
Step 5 Select CPUs and specify the number of CPUs (the Number of virtual sockets multiplied by the Number of cores per socket) based on the number of firewalls that Panorama manages:
• 1-10 firewalls: 4 CPUs
• 11-50 firewalls: 8 CPUs
• 51-1,000 firewalls: 8 CPUs
Step 6 Click OK to save your changes.
Step 7 Right-click the Panorama virtual appliance and select Power > Power On.

Complete the Panorama Virtual Appliance Setup

Now that initial configuration is complete, continue with the following sections for additional configuration instructions:
Activate a Panorama Support License
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance
...
Set Up the M-100 Appliance

The M-100 appliance is a high performance hardware platform that you can deploy in Panorama mode or Log Collector mode. When you Perform Initial Configuration of the M-100 Appliance, you can configure the following interfaces. The M-100 Hardware Reference Guide explains where to attach cables for these interfaces. The M-100 appliance does not support Link Aggregation Control Protocol (LACP) for aggregating these interfaces. The Eth1 and Eth2 interfaces are available only if the M-100 appliance runs Panorama 6.1 or a later release and the managed firewalls run PAN-OS 5.0 or a later release.

Interface | Description
Management (MGT) | This is the only interface that supports traffic for management and configuration of firewalls, Log Collectors, and Panorama. By default, Panorama also uses MGT for log collection and communication within Collector Groups, though you can reassign these functions to the Eth1 and Eth2 interfaces.
Eth1, Eth2 | You can configure the M-100 appliance to use Eth1 or Eth2 for log collection and Collector Group communication. Each interface can support either or both of these functions; for example, you can configure Eth1 for both log collection and Collector Group communication. However, you cannot assign a single function to multiple interfaces; for example, you cannot configure all three interfaces (Eth1, Eth2, and MGT) for log collection. As a best practice, use Eth1 and/or Eth2 for log collection and Collector Group communication to improve security for management traffic and to reduce the traffic load on MGT.
Eth3 | Reserved for future use.

Use the following workflows for setting up an M-100 appliance: 

M-100 Appliance in Panorama Mode
Step 1 Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.

M-100 Appliance in Log Collector Mode
Step 1 Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
Perform Initial Configuration of the M‐100 Appliance

By default, Panorama has an IP address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change these settings before continuing with other configuration tasks. You must perform these initial configuration tasks either from the MGT interface or using a direct serial port connection to the console port on the M‐100 appliance.

Step 1  Gather the required interface and server information from your network administrator.
Gather the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for each interface that you plan to configure (MGT, Eth1, and/or Eth2). Only the MGT interface is mandatory. If you plan to use the appliance as a Panorama management server, Palo Alto Networks recommends that you configure the Eth1 and/or Eth2 interfaces for log collection and Collector Group communication (see Set Up the M‐100 Appliance). You can improve the security of management traffic by defining a separate subnet for the MGT interface that is more private than the Eth1 and Eth2 subnets.
Gather the IP addresses of the DNS servers.

Step 2  Access the M‐100 appliance from your computer.
Connect to the M‐100 appliance in one of the following ways:
• Attach a serial cable from a computer to the Console port on the M‐100 appliance and connect using terminal emulation software (9600‐8‐N‐1).
• Attach an RJ‐45 Ethernet cable from a computer to the MGT port on the M‐100 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, ...
Perform Initial Configuration of the M‐100 Appliance (Continued)

Step 4  Configure the hostname, time zone, and general settings.
Select Panorama > Setup > Management and edit the General Settings.
Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT or UTC. The firewall records timestamps when it generates logs and Panorama records timestamps upon receiving the logs. Aligning the time zones ensures that the timestamps are consistent, so that querying logs and generating reports on Panorama produces coherent results.
Enter a Hostname for the server. Panorama uses this as the display name/label for the appliance. For example, this is the name that appears at the CLI prompt. It also appears in the Collector Name field if you add the appliance as a managed collector (see Configure a Managed Collector).
(Optional) Enter the Latitude and Longitude to enable accurate placement of the M‐100 appliance on the world map. The App Scope > Traffic Maps and App Scope > Threat Maps pages use these values.
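To make the time-zone advice in Step 4 concrete, here is an added Python example (not from the guide) that takes one event as the firewall stamped it and as Panorama stamped it on receipt. The log timestamp fields are plain wall-clock values with no zone designator, so a report that compares them can only treat both as the same zone; the example shows the apparent delay that a mismatched zone produces and what the delay really is. The two timestamps and the UTC-08:00 firewall zone are constructed.

```python
"""Why Panorama and the managed firewalls should share a time zone.

Added example, not from the guide. Timestamps are compared three ways: as a
report would (naive wall-clock comparison), with each appliance's real zone
attached, and the difference between the two, which is the error introduced
by a zone mismatch.
"""
from datetime import datetime, timedelta, timezone

FMT = "%Y/%m/%d %H:%M:%S"   # wall-clock format; carries no zone information


def as_utc(stamp: str, zone: timezone) -> datetime:
    """Attach the zone the appliance actually used and normalise to UTC."""
    return datetime.strptime(stamp, FMT).replace(tzinfo=zone).astimezone(timezone.utc)


def naive_delay(fw_stamp: str, pan_stamp: str) -> timedelta:
    """Delay as a report computes it: both stamps read as the same zone."""
    return datetime.strptime(pan_stamp, FMT) - datetime.strptime(fw_stamp, FMT)


def true_delay(fw_stamp: str, fw_zone: timezone, pan_stamp: str, pan_zone: timezone) -> timedelta:
    """Delay once each stamp is interpreted in its own zone."""
    return as_utc(pan_stamp, pan_zone) - as_utc(fw_stamp, fw_zone)


def zone_skew(fw_stamp: str, fw_zone: timezone, pan_stamp: str, pan_zone: timezone) -> timedelta:
    """Error in the naive comparison; zero when both appliances use the same zone."""
    return naive_delay(fw_stamp, pan_stamp) - true_delay(fw_stamp, fw_zone, pan_stamp, pan_zone)


# Constructed sample: the firewall clock is set to UTC-08:00, Panorama to UTC.
FW_ZONE = timezone(timedelta(hours=-8))
PAN_ZONE = timezone.utc
FW_STAMP = "2015/03/01 10:00:00"    # generated on the firewall (18:00:00 UTC)
PAN_STAMP = "2015/03/01 18:00:05"   # received by Panorama five seconds later

if __name__ == "__main__":
    print("apparent delay:", naive_delay(FW_STAMP, PAN_STAMP))            # 8:00:05
    print("true delay:    ", true_delay(FW_STAMP, FW_ZONE, PAN_STAMP, PAN_ZONE))   # 0:00:05
    print("zone skew:     ", zone_skew(FW_STAMP, FW_ZONE, PAN_STAMP, PAN_ZONE))    # 8:00:00
```

An eight-hour skew is enough to push an event outside the window of a "last hour" query or a daily report, which is the practical reason the step asks for one shared zone such as UTC.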
Perform Initial Configuration of the M‐100 Appliance (Continued)

Step 7  Commit your configuration changes.
Click OK and Commit, set the Commit Type to Panorama, and click
If you plan to use the M‐100 appliance as a Panorama management server and you configured the Eth1 or Eth2 interfaces, you must assign them to the Device Log Collection or Collector Group Communication functions when you Configure a Managed Collector. To make the interfaces operational, you must then Configure a Collector Group for the managed collector and perform a Collector Group commit.

Step 8  Verify network access to external services required for Panorama management, such as the Palo Alto Networks Update Server.
Connect to the M‐100 appliance in one of the following ways:
• Attach a serial cable from your computer to the Console port on the M‐100 appliance. Then use terminal emulation software (9600‐8‐N‐1) to connect.
• Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the MGT interface of the M‐100 appliance during initial configuration.
Log in to the CLI when prompted. Use the default admin account and the password that you specified during initial configuration.
Use the ping utility to verify network connectivity to the Palo Alto Networks Update Server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update Server (10.101.16.13, in this example); the Update Server does not respond to a ping ...
Set up the M‐100 Appliance as a Log Collector

If you want a dedicated appliance for log collection, configure an M‐100 appliance in Log Collector mode. To do this, you first perform the initial configuration of the appliance in Panorama mode, which includes licensing, installing software and content updates, and configuring the management (MGT) interface. You then switch the M‐100 appliance to Log Collector mode and complete the Log Collector configuration. Additionally, if you want to use dedicated interfaces (recommended) instead of the MGT interface for log collection and Collector Group communication, you must first configure the interfaces for the Panorama management server, then configure them for the Log Collector, and then perform a Panorama commit followed by a Collector Group commit.

Perform the following steps to set up a new M‐100 appliance as a Log Collector or to convert an existing M‐100 appliance that was previously deployed as a Panorama management server.

Switching the M‐100 appliance from Panorama mode to Log Collector mode reboots the appliance, deletes any existing log data, and deletes all configurations except the management access settings. Switching the mode does not delete licenses, software updates, or content updates.

Step 1  Set up the Panorama management server that will manage the Log Collector if you have not already done so.
Perform one of the following tasks:
• Set Up the Panorama Virtual Appliance
• Set Up the M‐100 Appliance

Step 2  Record the management IP addresses of the Panorama management server. If you deployed Panorama in a high availability (HA) configuration, you need the IP address of each HA peer.
Log in to the web interface of the Panorama management server. Record the IP Address of the solitary (non‐HA) or active (HA) Panorama by selecting Panorama > Setup > Management and
Set up the M‐100 Appliance as a Log Collector (Continued)

Step 4  Access the CLI of the M‐100 appliance.
Connect to the M‐100 appliance in one of the following ways:
• Attach a serial cable from your computer to the Console port on the M‐100 appliance. Then use terminal emulation software (9600‐8‐N‐1) to connect.
• Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the MGT interface of the M‐100 appliance during initial configuration.
Log in to the CLI when prompted. Use the default admin account and the password that you specified during initial configuration.

Step 5  Switch from Panorama mode to Log Collector mode.
Switch to Log Collector mode by entering the following command:
> request system logger-mode logger
Enter Y to confirm the mode change. The M‐100 appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M‐100 appliance to see the Panorama login prompt. If you see a CMS Login prompt, this means the Log Collector has not finished rebooting. Press Enter at the prompt without typing a username or password. Log back in to the CLI.
Verify that the switch to Log Collector mode succeeded:
>...
Set up the M‐100 Appliance as a Log Collector (Continued)

Step 7  Record the serial number of the Log Collector. You need the serial number to add the Log Collector as a managed collector on the Panorama management server.
At the Log Collector CLI, enter the following command to display its serial number:
> show system info | match serial
Record the serial number.

Step 8  Add the Log Collector as a managed collector to the Panorama management server.
Select Panorama > Managed Collectors and Add a managed collector.
In the General tab, enter the serial number (Collector S/N) you recorded for the Log Collector.
In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non‐HA) or active (HA) Panorama. For HA deployments, enter the IP address or FQDN of the passive Panorama peer in the Panorama Server IP 2 field.
Select Management and configure one or both of the ...
Set up the M‐100 Appliance as a Log Collector (Continued)

Step 11  (Optional) Configure the Eth1 and/or Eth2 interfaces if the Panorama management server and Log Collector will use them for log collection and Collector Group communication.
If you previously deployed the Log Collector as a Panorama management server and configured the Eth1 and/or Eth2 interfaces, you must reconfigure those interfaces because switching to Log Collector mode (Step 5) would have deleted all configurations except the management access settings.
Configure Eth1 and/or Eth2 on the Panorama management server if you haven’t already:
a. Select Panorama > Setup > Management.
b. Edit the Eth1 Interface Settings and/or Eth2 Interface Settings. For each interface, complete one or both of the following field sets based on the IP protocols of your network:
– IPv4—IP Address, Netmask, and Default Gateway
– IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
c. Click OK to save your changes.
Increase Storage on the M‐100 Appliance (Continued)

Step 4  Configure each logging disk pair. This example uses the drives in the disk bays B1 and B2.
The time required to mirror the data on the drive may vary from several minutes to a couple of hours, depending on the amount of data on the drive.
Enter the following commands and confirm the request when prompted:
request system raid add B1
request system raid add B2
To monitor the progress of the RAID configuration, enter the following command:
show system raid detail
When the RAID set up is complete, the following response displays:
Disk Pair A Available
Status clean
Disk id A1 Present
model : ST91000640NS...
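Because a logging disk pair is a mirror, a pair whose Status is anything other than clean, or that is missing a member, is a pair whose logs are one failure away from loss. The following Python parser is an added example (not Palo Alto Networks code) that turns the text of `show system raid detail` into a structure a monitoring job can check. The sample output is constructed to follow the fragment shown above (pair, Status, Disk id, model lines); the `degraded` status and the missing B2 disk are invented to exercise the check, and the real command may print additional fields.

```python
"""Parse `show system raid detail` output and flag disk pairs that need attention.

Added example, not from the guide. The layout mirrors the fragment shown in
Step 4; the second pair is constructed to be unhealthy so the check has
something to report.
"""
import re
from typing import Dict, List

# Constructed sample output (labelled as such; not captured from an appliance).
RAID_OUTPUT = """\
Disk Pair A                         Available
   Status                           clean
   Disk id A1                       Present
      model        : ST91000640NS
      size         : 953869 MB
   Disk id A2                       Present
      model        : ST91000640NS
      size         : 953869 MB
Disk Pair B                         Available
   Status                           degraded
   Disk id B1                       Present
      model        : ST91000640NS
      size         : 953869 MB
   Disk id B2                       Missing
"""

PAIR_RE = re.compile(r"^Disk Pair (\w+)\s+(\S.*)$")
STATUS_RE = re.compile(r"^\s+Status\s+(\S.*)$")
DISK_RE = re.compile(r"^\s+Disk id (\w+)\s+(\S.*)$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.*)$")


def parse_raid_detail(text: str) -> Dict[str, dict]:
    """Return {pair: {"availability", "status", "disks": {id: {...}}}}."""
    pairs: Dict[str, dict] = {}
    pair = disk = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PAIR_RE.match(line)
        if m:
            pair = pairs.setdefault(m.group(1), {"availability": m.group(2).strip(), "status": None, "disks": {}})
            disk = None
            continue
        if pair is None:            # header noise before the first pair
            continue
        m = STATUS_RE.match(line)
        if m:
            pair["status"] = m.group(1).strip()
            continue
        m = DISK_RE.match(line)
        if m:
            disk = pair["disks"].setdefault(m.group(1), {"presence": m.group(2).strip()})
            continue
        m = ATTR_RE.match(line)
        if m and disk is not None:  # indented "key : value" lines belong to the current disk
            disk[m.group(1)] = m.group(2).strip()
    return pairs


def unhealthy_pairs(pairs: Dict[str, dict]) -> List[str]:
    """Pairs whose status is not 'clean' or that have fewer than two present disks."""
    flagged = []
    for name, info in pairs.items():
        present = [d for d, attrs in info["disks"].items() if attrs.get("presence") == "Present"]
        if info["status"] != "clean" or len(present) < 2:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    parsed = parse_raid_detail(RAID_OUTPUT)
    print("pairs needing attention:", unhealthy_pairs(parsed))   # ['B']
```

Run the check again after the mirror finishes; while `request system raid add` is still copying data the pair will legitimately not be clean, so alert on a pair that stays unhealthy across several polls rather than on a single reading.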
Migrate from a Panorama Virtual Appliance to an M‐100 Appliance

On a Panorama virtual appliance that has a logging rate of over 10,000 logs per second, migrating to the M‐100 appliance will provide improved response time on the web interface and speedier execution of reports. The M‐100 appliance also provides up to 4TB of RAID storage. Use the instructions in the following topics to migrate the configuration from the Panorama virtual appliance over to an M‐100 appliance:
Prerequisites for Migrating to an M‐100 Appliance
Plan to Migrate to an M‐100 Appliance
Migrate to an M‐100 Appliance
Resume Firewall Management after Migrating to an M‐100 Appliance

Prerequisites for Migrating to an M‐100 Appliance

The following are prerequisites for migrating your current subscription:
• Purchase an M‐100 appliance.
• Obtain a migration upgrade and purchase a new subscription that includes software and hardware support. Provide your sales representative the serial number of the Panorama virtual appliance you will phase out, the desired support terms for the M‐100 appliance, the auth‐code you received when you purchased the appliance, and the effective date for the migration. On the effective date, Palo Alto Networks will automatically apply the associated authorization codes to the serial number of your management appliance, phase out support for the Panorama virtual appliance, and trigger support for the M‐100 appliance.
Starting at the effective date, you will have a limited time to complete the migration. At the end of the period, Palo Alto Networks terminates the support entitlement on the Panorama virtual appliance and you can no longer receive software or threat updates. For details on the license migration process, refer to the Knowledge Base article Panorama VM License Migration to the M‐100 Platform.
Plan to Migrate to an M‐100 Appliance

Plan on completing this migration during a maintenance window. Although the firewalls can buffer the logs and forward them to Panorama when the connection is reestablished, completing the migration during a maintenance window minimizes loss of log data during the transition time when the Panorama virtual appliance goes offline and the M‐100 appliance comes online.
If you have log compliance requirements, plan to reconfigure a new IP address on the Panorama virtual appliance to maintain access to the old logs for generating reports.

Keep a new IP address at hand for use in setting up connectivity to the M‐100 appliance during initial configuration. If you have decided to transfer the IP address that was assigned to the Panorama virtual appliance, this new IP address will be used temporarily. When you restore the configuration file from the Panorama virtual appliance on the M‐100 appliance, this new IP address will be overwritten.

Migrate to an M‐100 Appliance

To migrate the configuration from the Panorama virtual appliance to the M‐100 appliance, you must perform tasks on the Panorama virtual appliance and on the M‐100 appliance. Complete the following tasks on the Panorama virtual appliance:

Migrate to an M‐100 Appliance: Tasks Performed on the Panorama Virtual Appliance

Step 1  Upgrade to the latest Panorama version.
See Install Content and Software Updates for Panorama.

Step 2  Export the running configuration on the virtual Panorama.
In the Panorama > Setup > Operations tab, Configuration Management section, select Export named Panorama configuration snapshot. Select the active configuration (running‐config.xml) and click OK. The file is downloaded and saved to the local machine. Rename the file.

Step 3  Power off the VM or change the IP address.
If you plan on reusing the MGT interface IP address that was configured on the Panorama virtual appliance on the M‐100 appliance, you can either power off the virtual appliance or assign a new IP address to the MGT port on the virtual appliance. To change the IP address, on the Panorama >...
Migrate to an M‐100 Appliance: Tasks Performed on the M‐100 Appliance (Continued)

Step 3  Register Panorama and retrieve the license.
See Register Panorama and Install Licenses.

Step 4  Upgrade to the latest Panorama version.
See Install Content and Software Updates for Panorama.

Step 5  Import and load the configuration file.
In the Panorama > Setup > Operations tab, Configuration Management section, select Import named Panorama configuration snapshot. Browse to select the running‐config.xml (or the renamed file) and click OK.
Select the Load named Panorama configuration snapshot link to load the configuration file you just imported. Any errors that occur when loading the configuration file are displayed onscreen. If errors occurred, save them to a local file. Review and resolve each error to ensure the migration included all configuration components.

Step 6  Review and modify the configuration on Panorama.
If you do not plan to reuse the same network access settings for the MGT interface, modify the values:
a. ...
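The planning notes warn that loading the snapshot in Step 5 overwrites the temporary MGT address used during initial setup, and Step 6 asks you to review the management settings afterwards. Reading those settings out of the exported running‐config.xml before the load tells you up front which address, netmask and gateway will take effect, so the loss of the temporary address is expected rather than a surprise lock-out. The following Python is an added example, not from the guide; the element layout it reads (devices/entry/deviceconfig/system) is the assumed layout of a Panorama configuration export, and the sample file is constructed.

```python
"""Report the MGT settings an exported Panorama snapshot will apply when loaded.

Added example, not from the guide. Assumes the management settings live under
devices/entry/deviceconfig/system in the exported XML (constructed sample).
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed running-config.xml fragment; addresses are documentation ranges.
SAMPLE_RUNNING_CONFIG = """\
<config version="6.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>panorama-old</hostname>
          <ip-address>192.0.2.10</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>192.0.2.1</default-gateway>
          <timezone>UTC</timezone>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

MGT_FIELDS = ("hostname", "ip-address", "netmask", "default-gateway", "timezone")


def mgt_settings(config_xml: str) -> Dict[str, Optional[str]]:
    """Return the management fields from the export; None for fields the file does not set."""
    root = ET.fromstring(config_xml)
    system = root.find("./devices/entry/deviceconfig/system")
    if system is None:
        raise ValueError("no deviceconfig/system element: not a Panorama configuration export?")
    return {field: (system.findtext(field) or None) for field in MGT_FIELDS}


def address_change(config_xml: str, temporary_ip: str) -> Optional[str]:
    """Address MGT will switch to when the snapshot is loaded, or None if it equals the temporary one."""
    new_ip = mgt_settings(config_xml)["ip-address"]
    return new_ip if new_ip != temporary_ip else None


if __name__ == "__main__":
    temporary = "192.0.2.99"   # constructed: address given to the M-100 during initial setup
    print(mgt_settings(SAMPLE_RUNNING_CONFIG))
    change = address_change(SAMPLE_RUNNING_CONFIG, temporary)
    if change:
        print(f"after the load, reconnect to https://{change}/ instead of https://{temporary}/")
```

If `address_change` reports a switch, note the new address before clicking Load and have console access ready in case the new subnet is not reachable from your workstation.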
Resume Firewall Management after Migrating to an M‐100 Appliance

Step 1  Log in to Panorama.
Using a secure connection (HTTPS) from a web browser, log in using the IP address (https://<IP address>), username, and password assigned during initial configuration.

Step 2  Synchronize the configuration on Panorama with that of the managed firewalls.
Select Panorama > Managed Devices, and verify that the Connected status of each device displays a check mark. The status for the Templates and Device Groups will display an Out of sync icon.
To synchronize the device groups:
a. Click Commit and select Device Groups as the Commit Type.
b. Select each device group and click OK.
To synchronize the templates:
a. Click Commit and select Panorama as the Commit Type.
b. Click Commit and select Template as the Commit Type.

Step 3  Verify the connection and synchronization status of the managed ...
Select Panorama > Managed Devices.
Register Panorama and Install Licenses

Before you can begin using Panorama for centralized management, logging, and reporting, you must register, activate, and retrieve the Panorama licenses. Every instance of Panorama requires valid licenses that entitle you to manage devices and obtain support. The device management license enforces the maximum number of devices that Panorama can manage. The support license enables Panorama software updates and dynamic content updates for the latest Applications and Threats signatures, among other updates that Palo Alto Networks publishes. To purchase licenses, contact your Palo Alto Networks Systems Engineer or reseller.
Register Panorama
Activate a Panorama Support License
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance
Activate/Retrieve a Device Management License on the M‐100 Appliance

If you are running an evaluation license for device management on your Panorama virtual appliance and want to apply a Panorama license that you purchased, perform the tasks Register Panorama and Activate/Retrieve a Device Management License on the Panorama Virtual Appliance.

Register Panorama

Step 1  Log in to the Panorama web interface.
Using a secure connection (https://<IP address>) from a web browser, log in using the IP address and password you assigned during initial configuration.

Step 2  Record the Panorama serial number or authorization code and record your Sales Order Number or Customer ID.
For the authorization code, Sales Order Number, or Customer ID, see the order fulfillment email that Palo Alto Networks Customer Service sent when you placed your order for Panorama.
For the serial number, the location depends on the platform:
• M‐100 appliance—See the Dashboard tab, General Information section, Serial # field.
• ...
Register Panorama (Continued)

Step 4  Register Panorama. The steps depend on whether you already have a login for the Support site.
• If this is the first Palo Alto Networks appliance you are registering and you do not yet have a login:
a. Click Register on the right side of the page, enter your Email Address, enter the code displayed on the page, and click Submit.
b. Complete the fields in the Create Contact Details section.
c. Enter a Display Name, Confirm Email Address, and Password/Confirm Password.
d. Enter the Panorama Device Serial Number or Auth Code.
e. Enter your Sales Order Number or Customer ID.
f. Click Submit.
• If you already have a support account:
a. ...
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance

Select Panorama > Setup > Management and edit the General Settings. Enter the Panorama Serial Number (included in the order fulfillment email) and click OK. Click Commit, select Panorama as the Commit Type, then click OK.

To determine how many firewalls a license enables the Panorama virtual appliance to manage, log in to the Palo Alto Support website (https://support.paloaltonetworks.com), select the Assets tab, find the Panorama device, and view the Model Name. For example, a license for the PAN‐PRA‐25 model can manage 25 devices. This page also displays the Expiration Date and other license information.

Activate/Retrieve a Device Management License on the M‐100 Appliance

Before activating and retrieving a Panorama device management license on the M‐100 appliance:
• Register Panorama.
• Locate the authorization codes for the product/subscription you purchased. When you placed your order, Palo Alto Networks Customer Service sent you an email that listed the auth‐code associated with the purchase. If you cannot locate this email, contact Customer Support to obtain your codes before proceeding.

After you activate and retrieve the license, the Panorama > Licenses page displays the associated issuance date, expiration date, and the number of devices that the license enables Panorama to manage.

To activate and retrieve the license, the options are:
• Use the web interface to activate and retrieve the license.
Select Panorama > Licenses and click Activate feature using
Activate/Retrieve a Device Management License on the M‐100 Appliance (Continued)

• Retrieve the license key from the license server.
If Panorama is not ready to connect to the update server (for example, you have not completed the initial M‐100 appliance setup), you can activate the license on the Support website so that, when Panorama is ready to connect, you can then use the web interface to retrieve the activated license. The process of retrieving an activated license is faster than the process of both retrieving and activating.
Activate the license on the Palo Alto Networks Support website:
a. On a host with Internet access, access the Palo Alto Support website (https://support.paloaltonetworks.com) in a browser and log in.
b. In the Assets tab, find your M‐100 appliance and, in the Action column, click the edit icon.
c. Enter the Authorization Code and click Add to activate the license.
Configure Panorama to connect to the update server: see Perform Initial Configuration of the M‐100 Appliance.
Select Panorama > Licenses and click Retrieve license keys from the license server. Panorama retrieves the activated license.
• Manually upload the license from a host to
Activate and download the license from the Palo Alto ...
Install Content and Software Updates for Panorama

Install Updates for Panorama in an HA Configuration

To ensure a seamless failover, the active and passive Panorama peers in a high availability (HA) pair must be running the same Panorama release with the same Applications database version. The following example describes how to upgrade an HA pair (active peer is Primary_A and passive peer is Secondary_B).

Step 1  Upgrade the Panorama software version on Secondary_B, the passive peer.
Perform one of the following tasks:
• Install Updates for Panorama with an Internet Connection
• Install Updates for Panorama without an Internet Connection
After the upgrade, this Panorama transitions to a non‐functional state because the software version does not match that of its peer.

Step 2  Suspend Primary_A to trigger a failover.
On Primary_A: Select Panorama > High Availability. In the Operational Commands section, click Suspend local Panorama. Verify that the bottom‐right corner of the web interface displays the state as suspended. Upon failover, Secondary_B transitions to an active state.

Step 3  Upgrade the Panorama software version on Primary_A.
Perform one of the following tasks:
• Install Updates for Panorama with an Internet Connection
• Install Updates for Panorama without an Internet Connection
After rebooting, Primary_A first transitions to the passive state. ...
Install Updates for Panorama with an Internet Connection

If Panorama has a direct connection to the Internet, perform the following steps to install content and software updates (see Install Content and Software Updates for Panorama). If Panorama is deployed in a high availability (HA) configuration, you must upgrade each peer in the order described in Install Updates for Panorama in an HA Configuration.

Before upgrading software on an M‐100 appliance, we recommend ensuring Panorama has a local Log Collector (Panorama > Managed Collectors) that is assigned to a Collector Group (Panorama > Collector Groups). For details, see Configure a Managed Collector.

Step 1  Verify that the updates you plan to install are appropriate for your Panorama deployment.
See Panorama, Log Collector, and Firewall Version Compatibility for critical details about update version compatibility.
Refer to the Release Notes for the minimum content version you must install for a Panorama software release.
If you will upgrade Log Collectors and firewalls to a particular release, you must first upgrade Panorama to that release.
For a Panorama virtual appliance that runs on an ESXi server, ensure the server meets the requirements listed under Setup Prerequisites for the Panorama Virtual Appliance.

Step 2  Save a backup of the current Panorama configuration file.
Log in to Panorama and select Panorama > Setup >
Install Updates for Panorama with an Internet Connection (Continued)

Step 4  Determine the software upgrade path.
Check which version has a check mark in the Currently Installed column (Panorama > Software) and proceed as follows:
• If a Panorama 6.0 release is currently installed, skip ahead to Step 6 to upgrade to a Panorama 6.1 release.
• If a release earlier than Panorama 6.0 is installed, proceed to Step 5 and follow the upgrade path to Panorama 6.0.0 before you upgrade to a Panorama 6.1 release.
We highly recommend that you review the known issues and changes to default behavior in the Release Notes and upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
You cannot skip installation of any major release versions in the path to your target release. For example, if you intend to upgrade from Panorama 5.0.11 to Panorama 6.1.3, you must:
• Download and install a Panorama 5.1 release based on your platform:
– Panorama virtual appliance—Download and install Panorama 5.1.0 and reboot.
– Panorama M‐100 appliance:
‐ Download Panorama 5.1.0 and upload it to the Log Collectors without installing or rebooting.
‐ Download and install a Panorama 5.1.x maintenance release and reboot.
Install Updates for Panorama with an Internet Connection (Continued)

Step 5  Use the upgrade path identified in Step 4 to upgrade to a Panorama 6.0 release.
Repeat the following procedure until the appliance is running a Panorama 6.0 release—do not skip installation of any major release version in the path to your target Panorama 6.1 release.
Check Now (Panorama > Software) for the latest updates. If an update is available, the Action column displays a Download link.
For each release in your upgrade path, Download the model‐specific file for the release version to which you are upgrading. For example, to upgrade an M‐100 appliance to Panorama 6.0.0, download the Panorama_m-6.0.0 image; to upgrade a Panorama virtual appliance to Panorama 6.0.0, download the Panorama_pc-6.0.0 image. After a successful download, the Action column changes from Download to Install for that image.
Install the software update.
• If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username and password you specified during initial configuration.
Install Updates for Panorama with an Internet Connection (Continued)

Step 6  Install Panorama 6.1.
Check Now (Panorama > Software) for the latest updates. If an update is available, the Action column displays a Download link.
If you are upgrading to a Panorama 6.1 maintenance release (a release other than the Panorama 6.1.0 base image), you must first download the Panorama 6.1.0 release.
Locate and Download the model‐specific file for the release version to which you are upgrading. For example, to upgrade an M‐100 appliance to Panorama 6.1.3, download the Panorama_m-6.1.3 image; to upgrade a Panorama virtual appliance to Panorama 6.1.3, download the Panorama_pc-6.1.3 image. After a successful download, the Action column changes from Download to Install for that image.
(Required for the target release; optional for the base‐image—PAN‐OS 6.1.0—release if upgrading to a maintenance release)
a. Install the downloaded image and then reboot. As a best practice, when upgrading to a Panorama 6.1 maintenance release (Panorama 6.1.1 or later release), install the Panorama 6.1.0 base image and reboot the appliance before you download and install the maintenance release.
b. After the installation completes successfully, reboot using one of the following methods:
– If prompted to reboot, click Yes. If you see a ...
Install Updates for Panorama with an Internet Connection (Continued)

Step 8  (Only if upgrading from a release earlier than Panorama 5.1 to a Panorama 5.1 or later release running on an ESXi server) Configure the Panorama virtual appliance settings on the VMware ESXi server.
After Panorama reboots, complete the following tasks:
Access the VMware vSphere Client and go to the Virtual Machines tab.
Right‐click the Panorama virtual appliance and select Power > Power Off.
Right‐click the Panorama virtual appliance again and Edit Settings as follows:
a. Select the Hardware tab and allocate Memory based on how many firewalls Panorama manages:
– 1–10 managed firewalls: 4GB
– 11–50 managed firewalls: 8GB
– 51–1,000 managed firewalls: 16GB
b. Set the SCSI Controller to LSI Logic Parallel.
c. Go to the Options tab, select General Options, set the Guest Operating System to Linux, and set the Version to Other Linux (64-bit).
d. ...
Install Updates for Panorama without an Internet Connection (Continued)

Step 2  Save a backup of the current Panorama configuration file. You can use this backup to restore the configuration if you have problems with the upgrade.
Although Panorama automatically creates a backup of the configuration, best practice is to create and externally store a backup before you upgrade.
Log in to Panorama and select Panorama > Setup > Operations.
Save named Panorama configuration snapshot, enter a Name for the configuration, and click OK.
Export named Panorama configuration snapshot, select the Name of the configuration you just saved, click OK, and save the exported file to a location that is external to Panorama.

Step 3  Determine which content updates you need to install. You must install content updates before software updates.
For each content update, determine whether you need to install updates and which versions you will download in Step
Panorama can run the same but not a later content version than is running on managed firewalls and appliances.
Install Updates for Panorama without an Internet Connection (Continued)

Step 6  Determine the software upgrade path.
Check which version has a check mark in the Currently Installed column (Panorama > Software) and make a list of all versions in your upgrade path that you need to download from the Palo Alto Networks update server so that you can upload each to the appliance as needed when you upgrade.
We highly recommend that you review the known issues and changes to default behavior in the Release Notes and upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
You cannot skip installation of any major release versions in the path to your target release. For example, if you intend to upgrade from Panorama 5.0.11 to Panorama 6.1.3, you must:
• Download and install a Panorama 5.1 release based on your platform:
– Panorama virtual appliance—Download and install Panorama 5.1.0 and reboot.
– Panorama M‐100 appliance:
‐ Download Panorama 5.1.0 and upload it to the Log Collectors without installing or rebooting.
‐ Download and install a Panorama 5.1.x maintenance release and reboot.
• Download and install Panorama 6.0.0 and reboot.
• Download Panorama 6.1.0. Optionally, install this base image and ...
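The upgrade-path rules stated in Step 4 of the Internet-connected procedure and again in Step 6 here (no major release may be skipped; the base image of the target major must be downloaded before a maintenance release; on the M‐100, 5.1.0 is uploaded to the Log Collectors without installing and a 5.1.x maintenance release is installed instead) are worth writing down as code, because the offline procedure requires you to assemble the whole list of images before you start. The following Python planner is an added example, not Palo Alto Networks tooling; it generalizes the 5.0.11 to 6.1.3 example in the text to any pair of releases within the majors the text names (5.0, 5.1, 6.0, 6.1). That list is taken from the text's example, not from a complete release history, and the step labels are this example's own.

```python
"""Plan a Panorama software upgrade path under the rules in the text.

Added example, not from the guide. Encodes: every intermediate major must be
installed; when crossing into the target major, download its base image before
a maintenance release (installing the base first is recommended); on the M-100
the 5.1 step is "upload 5.1.0 to the Log Collectors, install a 5.1.x
maintenance release". MAJORS comes from the text's example and is not a full
release history.
"""
from typing import List, Tuple

MAJORS = ["5.0", "5.1", "6.0", "6.1"]   # in upgrade order, from the text's example

Action = Tuple[str, str]                # (what to do, release)


def major_of(release: str) -> str:
    """'6.1.3' -> '6.1'."""
    return ".".join(release.split(".")[:2])


def upgrade_path(current: str, target: str, platform: str) -> List[Action]:
    """Ordered actions to get from `current` to `target`; platform is 'vm' or 'm-100'."""
    if platform not in ("vm", "m-100"):
        raise ValueError("platform must be 'vm' or 'm-100'")
    try:
        cur_i, tgt_i = MAJORS.index(major_of(current)), MAJORS.index(major_of(target))
    except ValueError as exc:
        raise ValueError(f"release outside the modelled majors {MAJORS}") from exc
    if tgt_i < cur_i:
        raise ValueError("downgrades are not covered by this procedure")

    steps: List[Action] = []
    # Every intermediate major must be installed; none may be skipped.
    for major in MAJORS[cur_i + 1:tgt_i]:
        if major == "5.1" and platform == "m-100":
            steps.append(("download-and-upload-to-log-collectors", "5.1.0"))
            steps.append(("install-and-reboot", "5.1.x"))   # maintenance release; text does not name x
        else:
            steps.append(("install-and-reboot", f"{major}.0"))

    if current == target:
        return steps
    base = f"{major_of(target)}.0"
    if tgt_i > cur_i and target != base:
        # Entering the target major at a maintenance release: base image first
        # (the text requires the download and recommends installing it too).
        steps.append(("download", base))
    steps.append(("install-and-reboot", target))
    return steps


if __name__ == "__main__":
    for platform in ("vm", "m-100"):
        print(platform)
        for action, release in upgrade_path("5.0.11", "6.1.3", platform):
            print(f"  {action:40s} {release}")
```

For the offline procedure, the `download` and `install-and-reboot` releases in the returned list are exactly the images to fetch from the update server on the Internet-connected host before Step 8, so nothing is missing mid-upgrade while the appliance is already rebooted into an intermediate release.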
Install Updates for Panorama without an Internet Connection (Continued)

Step 8: Install the software updates.
  For each release in your upgrade path (starting with the earliest), perform the following steps:
  Click Upload (Panorama > Software). Browse to the update, Sync To Peer if Panorama is in an HA configuration (to push the software image to the secondary peer), and click OK.
  (Required for each base image release in the upgrade path, except for the PAN‐OS 6.1.0 base image release if you are upgrading to a PAN‐OS 6.1 maintenance release)
  a. Install the downloaded image and then reboot. As a best practice, when upgrading to a Panorama 6.1 maintenance release (Panorama 6.1.1 or a later Panorama 6.1 release), install the Panorama 6.1.0 base image and reboot the appliance before you upload and install the maintenance release.
  b. After the installation completes successfully, reboot using one of the following methods:
    – If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username and password you specified during initial configuration.
    – If you are not prompted to reboot, Reboot Panorama from the Device Operations section (Panorama > Setup > Operations).
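The rule behind Steps 6 and 8 (no feature release in the path may be skipped, and the target's own base image is optional when the target is a maintenance release) as an added Python function; this is example code written for this guide, not Palo Alto Networks code. The list of feature releases is a constructed input, and the M‐100 Log Collector handling for 5.1 is not modeled:

```python
from typing import List, Tuple

# Constructed, ordered list of Panorama feature releases; the page names 5.0, 5.1, 6.0 and 6.1.
FEATURE_RELEASES = ["5.0", "5.1", "6.0", "6.1"]


def parse_version(v: str) -> Tuple[int, int, int]:
    """'6.1.3' -> (6, 1, 3); raises ValueError on anything that is not major.minor.patch."""
    major, minor, patch = (int(x) for x in v.split("."))
    return major, minor, patch


def upgrade_path(current: str, target: str,
                 releases: List[str] = FEATURE_RELEASES) -> List[Tuple[str, bool]]:
    """Return the images to install, in order, as (version, required) pairs.

    Every feature release between the current and the target release must be
    installed (its x.y.0 base image) before moving on. The base image of the
    target feature release is optional, but recommended, when the target is a
    maintenance release, so it is flagged required=False.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        raise ValueError("target must be later than the current version; "
                         "downgrades follow a separate procedure")
    cur_feat = f"{cur[0]}.{cur[1]}"
    tgt_feat = f"{tgt[0]}.{tgt[1]}"
    if cur_feat not in releases or tgt_feat not in releases:
        raise ValueError("unknown feature release")
    path: List[Tuple[str, bool]] = []
    start, stop = releases.index(cur_feat) + 1, releases.index(tgt_feat) + 1
    for feat in releases[start:stop]:
        base = feat + ".0"
        if base == target:
            path.append((base, True))            # the target is itself a base image
        else:
            # intermediate base images are mandatory; the target's own base image is optional
            path.append((base, feat != tgt_feat))
    if tgt[2] != 0:
        path.append((target, True))              # finish with the maintenance release
    return path


if __name__ == "__main__":
    for version, required in upgrade_path("5.0.11", "6.1.3"):
        print(f"{version:8} {'install' if required else 'optional (best practice)'}")
```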
Access and Navigate Panorama Management Interfaces

Panorama provides three management interfaces:
• Web Interface—The Panorama web interface is purposefully designed with a similar look and feel to the firewall web interface. If you are already familiar with the latter, you can navigate, complete administrative tasks, and generate reports from the Panorama web interface with relative ease. This graphical interface allows you to access Panorama using HTTPS and it is the best way to perform administrative tasks. See Log in to the Panorama Web Interface and Navigate the Panorama Web Interface. If you need to enable HTTP access to Panorama, edit the Management Interface Settings on the Panorama > Setup > Management tab.
• Command Line Interface—The Command Line Interface is a no‐frills interface that allows you to type through the commands in rapid succession to complete a series of tasks. The CLI supports two command modes—operational and configuration—and each mode has its own hierarchy of commands and statements. When you get familiar with the nesting structure and the syntax for the commands, the CLI allows quick response times and offers administrative efficiency. See Log in to the Panorama CLI.
• XML API—The XML‐based API is provided as a web service that is implemented using HTTP/HTTPS requests and responses. It allows you to streamline your operations and integrate with existing, internally developed applications and repositories. For information on how to use the Panorama API interface, refer to the PAN‐OS and Panorama XML API Usage Guide.

Log in to the Panorama Web Interface

Step 1: Log in to the Panorama web interface.
  Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).

Step 2: (Optional) Enable HTTP and SSH access.
  Select Panorama > Setup > Management and edit the Management Interface Settings.
Tab | Description
Dashboard | View general information about the Panorama model and network access settings. This tab includes widgets that display information about applications, logs, system resources, and system settings.
ACC | View the overall risk and threat level on the network, based on information that Panorama gathered from the managed firewalls.
Monitor | View and manage logs and reports.
Panorama | Configure Panorama, manage licenses, set up high availability, access software updates and security alerts, manage administrative access, and manage the deployed firewalls and Log Collectors.
Device Groups > Policies | Create centralized policies and apply the configuration to multiple firewalls/device groups. You must Add a Device Group for this tab to display.
Device Groups > Objects | Define policy objects that can be referenced in policy and shared across all managed firewalls/device groups. You must Add a Device Group for this tab to display.
Templates > Network | Configure network settings, such as network profiles, that can be applied to the managed firewalls. You must Add a Template for this tab to display.
Templates > Device | Configure device configuration, such as server profiles and admin roles, that can be applied to the managed firewalls. You must Add a Template for this tab to display.
Set Up Administrative Access to Panorama

By default, Panorama includes a default administrative account (admin), with full read‐write access to all the functionality on Panorama. As a best practice, create a separate administrative account for each person who needs access to the administrative or reporting functions of Panorama. This prevents unauthorized configuration (or modification) and enables logging of the actions of each individual administrator. Panorama allows you to define and restrict access as broadly or granularly as required, depending on the security requirements within your organization. For example, you may decide that a datacenter administrator can have access to all the device and networking configuration, while a security administrator can have control over security policy definition, the log viewer and reporting, and other key individuals can have limited CLI or XML API access.

You cannot add an administrative account to an M‐100 appliance in Log Collector mode. Only the default administrative user account with the default username admin is available.

The following topics describe how to configure administrative accounts and set up basic administrative access. For information on the different options available to authenticate administrative users, see Administrative Authentication.
• Create an Administrative Account
• Define an Access Domain
• Create an Authentication Profile
• Define an Authentication Sequence
• Configure Administrative Authentication

Create an Administrative Account

An administrative user must have an account and be assigned to a role. The role defines the type of access the associated administrator has to Panorama; you can assign the administrative user to a built‐in Dynamic Role or to a custom role (Admin Role Profile) that you define.
If you plan to use Admin Role Profiles rather than Dynamic Roles, create the profiles that define what type of access, if any, to give to the different sections of the web interface, the CLI, and the XML API for each administrator assigned to the role. For more information on roles, see Administrative Roles. For each administrative user, you can also define minimum password complexity requirements, assign a password profile, and use an authentication profile so that an external authentication service validates the administrator’s credentials. If you are defining role‐based administrative access on Panorama, read‐only access to the Device Groups and Templates nodes must be provided in order for the administrators to commit their changes to Panorama. If you are upgrading from an earlier version of Panorama, the upgrade process provides read‐only access to the Device Groups and Templates nodes.
Create an Administrative Account: Local Account/Authentication

Step 1: Create an Admin Role profile. This step is only required if using custom roles instead of using the built‐in Dynamic Roles available on Panorama.
  Complete the following steps for each role you want to create:
  Select Panorama > Admin Roles and then click Add.
  Select Panorama or Device Group and Template to define the scope of administrative privileges to assign. The access privileges defined for Panorama are enforced when the administrator logs in to Panorama; the Device Group and Template role enforces read‐only access to the Managed Devices, Templates, and Device Groups nodes on the Panorama tab. Access to all other tabs can be modified as required. Read‐only access to the Device Groups and/or Templates node(s) must be provided for a role‐based administrator to commit device groups and/or template changes to the managed firewalls.
  For the Web UI and/or XML API tabs, set the access levels for each functional area of the interface by clicking the adjacent icon to toggle it to the desired setting (Enable, Read Only, or Disable):
  • For Panorama access, define access to the Web UI, XML API, and Command Line. The Command Line tab does not allow granular access. You must select a predefined option: ...
Create an Administrative Account: Local Account/Authentication (Continued)

Step 3: Create an account for each administrator.
  Select Panorama > Administrators and then click Add.
  Enter a user Name and Password for the administrator.
  Select the Role to assign to this administrator. Select a predefined Dynamic role or a custom role‐based profile as defined in Step
  (Optional) Select the Authentication Profile to use for validating an administrative user’s credentials to an external authentication server. See Create an Authentication Profile.
  (Optional) Select a Password Profile. See Step
  Click OK to save the account.

Step 4: Save the configuration changes.
  Click Commit, and select Panorama in the Commit Type option.

Define an Access Domain

An access domain provides a way to limit administrative access to specified device groups (to manage policies and objects) and templates (to manage network and device settings), and the ability to switch context to the web interface on the managed firewalls. Access domain settings are only relevant if:
• A custom Admin Role profile with a Device Group and Template role is defined.
• A RADIUS server is used for administrator authentication. The access domain is linked to RADIUS vendor‐specific attributes (VSAs). On the RADIUS server, a VSA attribute number and value is defined for each administrative user. The value defined must match the access domain configured on Panorama. When an administrator attempts to log in to Panorama, Panorama queries the RADIUS server for the administrator’s access domain and attribute number. Based on the response from the RADIUS server, the ...
If you are using an external authentication server, create a server profile (Panorama > Server Profiles) before creating an authentication profile. Panorama requires the server profile to access the authentication service.

Create an Authentication Profile

Step 1: Create an authentication profile.
  Select Panorama > Authentication Profile and then click Add.
  Enter a Name to identify the authentication profile.

Step 2: Define the conditions for locking out the administrative user.
  Enter the Lockout Time. This is the number of minutes that a user is locked out upon reaching the maximum number of failed attempts (0‐60 minutes; default 0). 0 means that the lockout is in effect until it is manually unlocked.
  Enter the Failed Attempts count. This is the number of failed login attempts that are allowed before the account is locked out (1‐10; default 0). By default, the failed attempt count is 0 and the user is not locked out despite repeated failure to authenticate.

Step 3: Specify the users and groups that are explicitly allowed to authenticate.
  For the Allow List, pick one of the following:
  • Select the All check box to allow all users. By adding an allow list to an ...
Define an Authentication Sequence

Step 1: Create an authentication sequence.
  Select Panorama > Authentication Sequence and then click Add.
  Enter a Name to identify the authentication sequence.
  Click Add to select the chronological sequence of authentication profiles against which the administrator’s credentials must be checked.

Step 2: (Optional) Define the conditions for locking out the administrative user.
  Enter the Lockout Time. This is the number of minutes that a user is locked out upon reaching the maximum number of failed attempts (0‐60 minutes; default 0). 0 means that the lockout is in effect until it is manually unlocked.
  Enter the Failed Attempts count. This is the number of failed login attempts that are allowed before the account is locked out (1‐10; default 0). By default, the failed attempt count is 0 and the user is not locked out despite repeated failure to authenticate.

Step 3: Save the configuration changes.
  Click Commit, and select Panorama in the Commit Type option.

Configure Administrative Authentication

Administrators can authenticate locally to Panorama using passwords or certificates, or they can authenticate to an external authentication server. There are three options for setting up administrative authentication on Panorama:
• Create a local user account and authenticate locally. Authentication can be password‐based, certificate‐based, or key‐based. See Create an Administrative Account, Enable Certificate‐Based Authentication for the Web Interface, and Enable SSH Key‐Based Authentication for the CLI.
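The lockout semantics shared by authentication profiles and authentication sequences above (Failed Attempts 0 means the account is never locked, Lockout Time 0 means locked until manually unlocked) and the ordered checking of profiles in a sequence, as an added Python model that is not Panorama code. The local and directory verifiers are constructed stand-ins for real authentication back ends:

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Verifier = Callable[[str, str], bool]   # (username, password) -> accepted?


@dataclass
class LockoutPolicy:
    """Lockout settings as the page defines them (same fields on profiles and sequences)."""
    failed_attempts: int = 0   # 1-10; 0 (the default) means the account is never locked
    lockout_time: int = 0      # minutes, 0-60; 0 means locked until an admin unlocks it


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[int] = None   # minute at which the lockout started


class AuthSequence:
    """Checks credentials against profiles in order, with per-user lockout tracking."""

    def __init__(self, profiles: List[Tuple[str, Verifier]], policy: LockoutPolicy):
        if not 0 <= policy.failed_attempts <= 10 or not 0 <= policy.lockout_time <= 60:
            raise ValueError("failed attempts must be 0-10 and lockout time 0-60 minutes")
        self.profiles = profiles
        self.policy = policy
        self.state: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: int) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_at is None:
            return False
        if self.policy.lockout_time == 0:               # 0 = stays locked until unlock()
            return True
        if now < st.locked_at + self.policy.lockout_time:
            return True
        st.locked_at, st.failures = None, 0             # timed lockout has expired
        return False

    def authenticate(self, user: str, password: str, now: int) -> str:
        """Return 'ok:<profile>', 'denied' or 'locked'; `now` is the current minute."""
        st = self.state.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"
        for name, verify in self.profiles:              # chronological order of the sequence
            if verify(user, password):
                st.failures = 0
                return f"ok:{name}"
        st.failures += 1
        if self.policy.failed_attempts and st.failures >= self.policy.failed_attempts:
            st.locked_at = now
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator."""
        self.state.pop(user, None)


# Constructed stand-ins for two authentication profiles: a local database and an
# external directory. A real deployment would query RADIUS/LDAP/Kerberos here.
LOCAL_USERS = {"ops-admin": "L0cal!Secret"}
DIRECTORY_USERS = {"sec-admin": "Dir3ctory!Secret"}


def local_verify(user: str, password: str) -> bool:
    return hmac.compare_digest(LOCAL_USERS.get(user, "").encode(), password.encode())


def directory_verify(user: str, password: str) -> bool:
    return hmac.compare_digest(DIRECTORY_USERS.get(user, "").encode(), password.encode())


def demo() -> List[str]:
    """Three wrong passwords lock sec-admin for 5 minutes; the right one works afterwards."""
    seq = AuthSequence([("local-db", local_verify), ("corp-ldap", directory_verify)],
                       LockoutPolicy(failed_attempts=3, lockout_time=5))
    results = [seq.authenticate("sec-admin", "Dir3ctory!Secret", now=0)]  # 2nd profile matches
    for minute in (1, 2, 3):
        results.append(seq.authenticate("sec-admin", "wrong", now=minute))  # 3rd failure locks
    results.append(seq.authenticate("sec-admin", "Dir3ctory!Secret", now=4))   # still locked
    results.append(seq.authenticate("sec-admin", "Dir3ctory!Secret", now=8))   # lockout over
    return results


if __name__ == "__main__":
    print(demo())
```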
Enable Certificate‐Based Authentication for the Web Interface

As a more secure alternative to using a password to authenticate a user, enable certificate‐based authentication for securing access to Panorama. With certificate‐based authentication, a digital signature is exchanged and verified, in lieu of a password. To enable certificate‐based authentication, you must configure Panorama to use a client certificate profile (as described in the following procedure). When you enable a client certificate profile, each administrator must use a client certificate for access to Panorama.

Use the following instructions to enable certificate‐based authentication. This example uses a CA certificate generated on Panorama.

Step 1: Generate a CA certificate on Panorama. To use a certificate from a trusted third‐party or enterprise CA, you must import that CA certificate into Panorama.
  To generate a CA certificate on Panorama:
  Log in to the Panorama web interface.
  Select Panorama > Certificate Management > Certificates and click Generate.
  Enter a Certificate Name.
  Add the IP address or FQDN of Panorama for listing in the Common Name field of the certificate.
  Optionally, you can change the cryptographic settings, and define certificate options such as country, organization, or state.
  Make sure to leave the Signed By option blank and select the Certificate Authority option.
  Click Generate to create the certificate using the details you specified above.
Enable Certificate‐Based Authentication for the Web Interface (Continued)

Step 3: Create or modify an administrator account to enable client certificate authentication on the account.
  Select Panorama > Administrators and then click Add.
  Enter a login name for the administrator; the name is case‐sensitive.
  Select Use only client certificate authentication (Web) to enable the use of the certificate for authentication.
  Select the Role to assign to this administrator. You can either select one of the predefined dynamic roles or select a custom role and attach an authentication profile that specifies the access privileges for this administrator.
  (Optional) For custom roles, select the device groups, templates and the firewall context that the administrative user can modify.
  Click OK to save the account settings.

Step 4: Create the Client Certificate Profile that will be used for securing access to the web interface.
  Select Panorama > Certificate Management > Certificate Profile and click Add.
  Enter a name for the certificate profile and in the Username Field select Subject.
  Select Add in the CA Certificates section and from the CA Certificate drop‐down, select the CA certificate you just ...
Enable SSH Key‐Based Authentication for the CLI

To enable SSH key‐based authentication, complete the following workflow for every administrative user:

Step 1: Use an SSH key generation tool to create an asymmetric keypair on the client machine. The supported key formats are IETF SECSH and OpenSSH; the supported algorithms are DSA (1024 bits) and RSA (768‐4096 bits).
  For the commands required to generate the keypair, refer to the product documentation for your SSH client.
  The public key and private key are two separate files; save both to a location that can be accessed by Panorama. For added security, enter a passphrase to encrypt the private key. The administrator will be prompted for this passphrase when logging in to Panorama.

Step 2: Create an account for the administrator and enable certificate‐based authentication.
  Select Panorama > Administrators and then click Add.
  Enter a user Name and Password for the administrator. Make sure to enter a strong/complex password and record it in a safe location; Panorama will only prompt for this password in the event that the certificates are corrupted or a system failure occurs.
  (Optional) Select an Authentication Profile.
  Enable Use Public Key Authentication (SSH).
  Click Import Key and browse to import the public key you just created.
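Before a key is imported in Step 2, it is worth checking that the file really is a public key in one of the two supported formats with a supported algorithm and size. The following added Python check is not Panorama code; the sample keys are constructed blobs with the correct wire layout and bit size, not real keys:

```python
import base64
import struct
from typing import Dict, Optional, Tuple

# Algorithms and key sizes the page lists as supported for SSH key-based CLI access.
SUPPORTED_BITS = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}


def _string(b: bytes) -> bytes:                 # SSH wire-format "string"
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:                    # SSH wire-format "mpint" (positive values)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw                     # keep the sign bit clear
    return _string(raw)


def _read(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one length-prefixed field; refuse to run past the end of the blob."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def _extract(text: str) -> Tuple[str, str, Optional[str]]:
    """Return (format, base64 body, declared type) for OpenSSH one-line or IETF SECSH text."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty input")
    if lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":           # RFC 4716 / IETF SECSH
        if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
            raise ValueError("SECSH key missing END marker")
        body, i = [], 1
        while i < len(lines) - 1:
            line = lines[i]
            if ":" in line:                                      # header such as Comment:
                while line.endswith("\\") and i < len(lines) - 2:
                    i += 1                                       # header continuation line
                    line = lines[i]
            else:
                body.append(line)
            i += 1
        return "IETF SECSH", "".join(body), None
    parts = lines[0].split()
    if len(lines) == 1 and len(parts) >= 2:                      # "<type> <base64> [comment]"
        return "OpenSSH", parts[1], parts[0]
    raise ValueError("unrecognised public key format")


def check_public_key(text: str) -> Dict[str, object]:
    """Validate a key the way an import check should before an account accepts it."""
    if "PRIVATE KEY" in text.upper():
        return {"ok": False, "reason": "private key supplied; only the public key is imported"}
    try:
        fmt, b64, declared = _extract(text)
        blob = base64.b64decode(b64, validate=True)
        ktype, off = _read(blob, 0)
        algo = ktype.decode("ascii", "replace")
        if declared is not None and declared != algo:
            raise ValueError("key type prefix does not match the key blob")
        if algo == "ssh-rsa":
            _, off = _read(blob, off)              # public exponent e
            n, _ = _read(blob, off)                # modulus n; its length is the key size
            bits = int.from_bytes(n, "big").bit_length()
        elif algo == "ssh-dss":
            p, _ = _read(blob, off)                # prime p; its length is the key size
            bits = int.from_bytes(p, "big").bit_length()
        else:
            return {"ok": False, "format": fmt, "algorithm": algo,
                    "reason": "unsupported algorithm (DSA 1024 or RSA 768-4096 only)"}
    except (ValueError, struct.error) as exc:
        return {"ok": False, "reason": f"malformed key: {exc}"}
    lo, hi = SUPPORTED_BITS[algo]
    ok = lo <= bits <= hi
    return {"ok": ok, "format": fmt, "algorithm": algo, "bits": bits,
            "reason": "" if ok else f"{algo} key size {bits} is outside {lo}-{hi} bits"}


def fake_rsa_blob(bits: int) -> str:
    """Constructed test input: ssh-rsa wire format whose modulus has exactly `bits` bits.
    The modulus is not a real RSA key; it only exercises the parser and size check."""
    n = (1 << (bits - 1)) | 1
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)).decode()


# Constructed samples (not real keys).
SAMPLE_OPENSSH = "ssh-rsa " + fake_rsa_blob(2048) + " admin@workstation"
SAMPLE_SECSH = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----",
                          'Comment: "2048-bit RSA, converted from OpenSSH"',
                          fake_rsa_blob(2048), "---- END SSH2 PUBLIC KEY ----"])
SAMPLE_TOO_SMALL = "ssh-rsa " + fake_rsa_blob(512) + " weak@host"
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _string(b"ssh-ed25519") + _string(b"\x00" * 32)).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_OPENSSH, SAMPLE_SECSH, SAMPLE_TOO_SMALL, SAMPLE_ED25519):
        print(check_public_key(sample))
```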
Use RADIUS Vendor‐Specific Attributes for Account Authentication

Step 1: Configure Panorama.
  Configure a RADIUS server profile: select Panorama > Server Profiles > RADIUS.
  Create an authentication profile that specifies RADIUS as the protocol for authentication and attach the RADIUS server profile (Panorama > Authentication Profiles).
  Create a custom administrative role profile with a Device Group and Template role (Panorama > Admin Roles).
  Configure Panorama to use the authentication profile for authentication (Setup > Management > Authentication Settings > Authentication Profile).
  (Required only if using the vendor‐specific attribute PaloAlto‐Panorama‐Admin‐Access‐Domain) If you want to restrict administrative access to specific managed firewalls, templates, and/or device groups, define an access domain (Panorama > Access Domains).
the RADIUS server.
Manage Firewalls: Add a Firewall as a Managed Device

To use Panorama for central management of firewalls, the first step is to add them as managed devices. Before starting, collect the firewall serial numbers and prepare each firewall as follows:
• Perform initial configuration on the firewall so that it is accessible and can communicate with Panorama over the network. For details, refer to the PAN‐OS Administrator’s Guide.
• Add the Panorama IP address(es) (one server or two, if Panorama is configured in a high availability pair) in the Panorama Settings section of the Device > Setup > Management tab and commit the changes.
• Set up the data interfaces. For each interface you plan to use, select the interface type and attach it to a security zone so that you can push configuration and policy from Panorama. For details, refer to the PAN‐OS Administrator’s Guide.

You can then add the firewalls as managed devices on Panorama. When you add a firewall as a managed device, it uses an SSL connection with AES‐256 encryption to register with Panorama. Panorama and the firewall authenticate each other using 2,048‐bit certificates and use the SSL connection for configuration management and log collection.

Add a Firewall as a Managed Device

Step 1: Add device(s) to Panorama.
  Select Panorama > Managed Devices.
  Click Add and enter the serial number for each device that you want to manage centrally using Panorama. Add only one entry per line.
  Click OK. The Managed Devices pane displays the new device.
  (Optional) Add a Tag. Tags make it easier for you to find a device from a large list; they help you to dynamically filter and refine the list of firewalls that display. For example, if you add a tag called branch office, you can filter for all branch office devices across your network.
Manage Device Groups

• Add a Device Group
• Create Objects for Use in Shared or Device Group Policy
• Manage Shared Objects
• Select a URL Filtering Vendor on Panorama
• Push a Policy to a Subset of Firewalls
• Manage the Rule Hierarchy

Add a Device Group

After you add the firewalls, you can group them into device groups (up to 256). A device group can include one or more firewalls or virtual systems that need similar policies and objects and can therefore be effectively managed as a logical unit.

When managing firewalls that are configured in an active‐passive high availability (HA) configuration, make sure to place both firewalls in the same device group in Panorama. This is essential to make sure that the same policies and objects are pushed to both firewalls in the HA pair. Panorama pushed policies are not synchronized between firewall HA peers.

Step 1: Create Device Group(s). A device can belong to only one Device Group; for devices with multiple virtual systems, each virtual system can belong to a different Device Group.
  Select Panorama > Device Groups, and click Add.
  Enter a unique Name and a Description to identify the device group.
  Use the filters to select the devices that you would like to add to the group.
  (Optional) Select the Group HA Peers check box for firewalls ...
Add a Device Group (Continued)

Step 2: Begin centrally administering policies on the devices in the device group(s).
  • Create Objects for Use in Shared or Device Group Policy
  • Manage Shared Objects
  • Select a URL Filtering Vendor on Panorama
  • Push a Policy to a Subset of Firewalls
  • Manage the Rule Hierarchy
  For an example, see Transition a Firewall to Panorama Management

Create Objects for Use in Shared or Device Group Policy

An object is a container for grouping discrete identities such as IP addresses, URLs, applications, or users, for use in policy enforcement. You can use Panorama to create and clone all objects in the Objects tab, such as Address/Address Group, Region, or User/User Group. These policy objects can be shared across all managed devices or be specific to a device group.
• A shared object is a reusable component that is created on Panorama. It is shared across all device groups and can be referenced in shared policies or in device group policies. It reduces administrative overhead and ensures consistency in configuring multiple firewalls.
• A device group object is specific to the device group in which it is defined. It can be used only in the device group where it is created and is not visible when configuring other device groups or shared rules and objects. For example, a device group object for a set of web server IP addresses that is created in the datacenter device group is not available for use in any other device group or for use in shared policies.

Create Objects for Use in Shared or Device Group Policy
• ...
Create Objects for Use in Shared or Device Group Policy (Continued)
• Create a device group object.
  Select the Device Group for which you plan to use this object in the Device Group drop‐down. In this example, we will add a device group object for specific web servers on your network.
  Select the Objects > Addresses tab. Select Address and click Add.
  Verify that the Shared check box is not selected.
  Enter a Name, a Description, and select the Type of address object from the drop‐down. For example, select IP Range and include the IP address range for the web servers for which you would like to create an address object. Click OK.
  Commit your changes.
  a. Click Commit, and select Panorama as the Commit Type. This saves the changes to the running configuration on Panorama.
  b. Click Commit, and select Device Group as the Commit Type. This pushes the changes to the devices included in the Device Group.
• View shared objects and device group objects in Panorama.
  The Location column in the Objects tab displays whether an object is shared or is specific to a device group.
Disabling this option may, however, increase the commit time on Panorama. This is because Panorama has to dynamically check whether a particular object is referenced in policy. Perform the following steps to disable the sharing of unused address and service objects to devices.

Manage Unused Shared Objects
  Select Panorama > Setup > Management, and edit the Panorama Settings.
  Clear the Share Unused Address and Service Objects with Devices check box.

Would like to ensure that a shared object takes precedence over an object that has the same name as a device group object.
By default, shared objects do not override any device group object with the same name as a shared object. If you would like to prevent overrides to objects that have been defined as shared objects on Panorama, you can enable the Shared Objects Take Precedence option. When enabled, all device group objects with the same name will be discarded and the shared object settings will be pushed to the managed devices. Perform the following steps to ensure that shared objects always take priority over device group objects.

Manage Precedence of Shared Objects
  Select Panorama > Setup > Management and edit the Panorama Settings.
  Select the Shared Objects Take Precedence check box.

Select a URL Filtering Vendor on Panorama

URL Filtering enables you to configure firewalls to monitor and control web access for your users. The ...
A firewall can have valid licenses for both BrightCloud and PAN‐DB, but only one license can be active. To view the valid URL Filtering licenses on a managed firewall, select Panorama > Device Deployment > Licenses and check the vendors listed in the URL column for the corresponding firewall. To determine which license is active (and therefore which URL Filtering vendor is selected), log in to the firewall and select Device > Licenses. To change the active URL Filtering vendor of a firewall, see the PAN‐OS Administrator’s Guide.

Select a URL Filtering Vendor on Panorama

Step 1: Select a URL filtering vendor for Panorama.
  Select Panorama > Setup > Management and edit the General Settings.
  Select the vendor in the URL Filtering Database drop‐down: brightcloud or paloaltonetworks (PAN‐DB).

Step 2: (Optional) Verify that the categories are available for referencing in policies.
  Select Objects > Security Profiles > URL Filtering.
Push a Policy to a Subset of Firewalls

Step 1: Create a policy.
  Select the Device Group for which you want to define policy.
  Select the Policies tab, and select the rulebase for which you would like to create policy.
  For example, define a pre‐rule in the Security policies rulebase that permits users on the internal network to access the servers in the DMZ:
  a. Click Add in Policies > Security > Pre-Rules.
  b. Give the rule a descriptive name in the General tab.
  c. In the Source tab, set the Source Zone to Trust.
  d. In the Destination tab, set the Destination Zone to DMZ.
  e. In the Service/URL Category tab, set the Service to application-default.
  f. In the Actions tab, set the Action to Allow.
When you display rules in preview mode on Panorama (Step 1 in the following procedure), all the shared, device group, and default rules that the firewall inherits from Panorama appear in green, while the local firewall rules appear in blue between the pre‐rules and post‐rules.

Figure: Rule Hierarchy

Use the following procedure to verify the ordering of rules and make changes as appropriate:

Manage the Rule Hierarchy

Step 1: View the rule hierarchy for each rulebase.
  Select the Policies tab, and click Preview Rules.
  Use the following filters for previewing rules in the Combined Rules Preview window (see Figure: Rule Hierarchy):
  • Rulebase—Select a rulebase and view the rules defined for that rulebase: Security, NAT, QoS, Policy Based Forwarding, Decryption, Captive Portal, Application Override, or DoS Protection.
  • Device Group—For the selected rulebase, you can view all Shared policies or select a specific Device Group for which you want to view the combined list of policies inherited from Panorama and those defined locally.
  • Device—For the selected Rulebase and Device Group, you can view the list of policies that will be evaluated on a specific firewall in the device group.
  Close the Combined Rules Preview window to exit preview mode.

Step 2: (Optional) Delete or disable rules.
  Select the Policies tab to perform either of the following actions:
  • To delete an unused rule, select the rule and click Delete.
  You must access the context of individual firewalls to determine ...
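The evaluation order shown in the preview (pre‐rules, then the firewall's local rules, then post‐rules, then the default rules), together with the Shared Objects Take Precedence behavior from Manage Shared Objects and the Trust‐to‐DMZ pre‐rule from Push a Policy to a Subset of Firewalls, as one added Python model that is not Panorama code. Shared pre‐rules are placed before device‐group pre‐rules and device‐group post‐rules before shared post‐rules; the two default rules carry their PAN‐OS names; zones, objects, addresses and rule names are constructed:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name, "any", or "intrazone" (same zone as the source)
    dst: str        # address object name or "any"
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_ip: str


# Order in which a managed firewall evaluates what Panorama pushes plus its own rules.
ORDER = ["shared_pre", "dg_pre", "local", "dg_post", "shared_post", "default"]
LABEL = {"shared_pre": "shared pre-rule", "dg_pre": "device-group pre-rule",
         "local": "local rule", "dg_post": "device-group post-rule",
         "shared_post": "shared post-rule", "default": "default rule"}
DEFAULT_RULES = [Rule("intrazone-default", "any", "intrazone", "any", "allow"),
                 Rule("interzone-default", "any", "any", "any", "deny")]


def resolve_address(name: str, shared: Dict[str, str], dg: Dict[str, str],
                    shared_take_precedence: bool) -> ipaddress.IPv4Network:
    """By default a device-group object with the same name wins; with Shared Objects
    Take Precedence the shared object is pushed and the device-group one is discarded."""
    if shared_take_precedence and name in shared:
        return ipaddress.ip_network(shared[name])
    if name in dg:
        return ipaddress.ip_network(dg[name])
    return ipaddress.ip_network(shared[name])   # KeyError = undefined object (commit fails)


def matches(rule: Rule, pkt: Packet, shared, dg, shared_take_precedence: bool) -> bool:
    if rule.src_zone not in ("any", pkt.src_zone):
        return False
    if rule.dst_zone == "intrazone":
        if pkt.src_zone != pkt.dst_zone:
            return False
    elif rule.dst_zone not in ("any", pkt.dst_zone):
        return False
    if rule.dst == "any":
        return True
    net = resolve_address(rule.dst, shared, dg, shared_take_precedence)
    return ipaddress.ip_address(pkt.dst_ip) in net


def combined_preview(policy: Dict[str, List[Rule]]) -> List[Tuple[str, str, str]]:
    """(colour, origin, rule name) in evaluation order, like the Combined Rules Preview."""
    out = []
    for bucket in ORDER:
        rules = DEFAULT_RULES if bucket == "default" else policy.get(bucket, [])
        for r in rules:
            out.append(("blue" if bucket == "local" else "green", LABEL[bucket], r.name))
    return out


def evaluate(pkt: Packet, policy: Dict[str, List[Rule]], shared: Dict[str, str],
             dg: Dict[str, str], shared_take_precedence: bool = False) -> Tuple[str, str, str]:
    """First-match evaluation; returns (origin, rule name, action)."""
    for bucket in ORDER:
        rules = DEFAULT_RULES if bucket == "default" else policy.get(bucket, [])
        for r in rules:
            if matches(r, pkt, shared, dg, shared_take_precedence):
                return LABEL[bucket], r.name, r.action
    raise AssertionError("unreachable: interzone-default matches everything")


# Constructed example data: a shared and a device-group address object share the name
# "web-servers", and a local firewall admin has added a broad allow rule.
SHARED_OBJECTS = {"web-servers": "192.0.2.0/24", "mgmt-net": "10.0.0.0/24"}
DG_OBJECTS = {"web-servers": "192.0.2.16/28"}
POLICY = {
    "shared_pre": [Rule("deny-to-mgmt-net", "any", "any", "mgmt-net", "deny")],
    "dg_pre": [Rule("trust-to-dmz-web", "Trust", "DMZ", "web-servers", "allow")],
    "local": [Rule("local-allow-mgmt", "Trust", "DMZ", "mgmt-net", "allow"),
              Rule("local-allow-all-dmz", "Trust", "DMZ", "any", "allow")],
    "dg_post": [Rule("deny-untrust-inbound", "Untrust", "any", "any", "deny")],
}

if __name__ == "__main__":
    for colour, origin, name in combined_preview(POLICY):
        print(f"{colour:5} {origin:24} {name}")
    # The local allow rule cannot override the shared pre-rule that denies mgmt-net.
    print(evaluate(Packet("Trust", "DMZ", "10.0.0.5"), POLICY, SHARED_OBJECTS, DG_OBJECTS))
```

Running the two precedence cases for 192.0.2.200 shows the effect of the setting: with the default, the narrower device‐group object hides the host and the local allow rule matches; with shared precedence, the device‐group pre‐rule matches first.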
Manage Templates

Panorama Templates allow you to manage the configuration options on the Device and Network tabs on the managed firewalls. Using templates you can define a base configuration for centrally staging new firewalls and then make device‐specific exceptions in configuration, if required. For example, you can use templates to define administrative access to the device, set up User‐ID, manage certificates, set up the firewalls in a high availability pair, define log settings, and define server profiles on the managed firewalls.

When creating templates, make sure to assign similar devices to a template. For example, group devices with a single virtual system in one template and devices enabled for multiple virtual systems in another template, or group devices that require very similar network interface and zone configuration in a template.

To delete/remove a template, you must first Disable/Remove Template Settings on the managed firewall locally.

The following topics provide more information on working with templates:
• Template Capabilities and Exceptions
• Add a Template
• Override a Template Setting
• Disable/Remove Template Settings

Template Capabilities and Exceptions

Panorama templates have the following capabilities and exceptions, depending on the PAN‐OS release running on the managed firewalls:

Firewall PAN‐OS Release | Template Capabilities and Exceptions
PAN‐OS 4.x | You can use Panorama templates only for the following tasks:
  • Create response pages
  • Define authentication profiles and sequences
  • Create self‐signed certificates on Panorama or import certificates
  • Create client authentication certificates (known as Certificate Profiles in Panorama 5.0 and later)
  • ...
Add a Template

Step 1: Add a new template.
  Select Panorama > Templates.
  Click Add and enter a unique name and a description to identify the template.
  (Optional) Select the Virtual Systems check box if this template will be used for devices that are multi‐vsys capable and are enabled for multi‐vsys functionality. A commit failure will occur if a template enabled for devices with multi‐vsys capability is pushed to devices that are not multi‐vsys capable or are not enabled for the multi‐vsys functionality.
  Specify the Operational Mode for the devices to which the template will be applied. The default is normal; change to cc or fips, as required. The template commit will fail if there is a mismatch in the operational mode specified on the template with what is enabled on the devices included in the template.
  (Optional) Select the VPN Disable Mode when creating templates for hardware models that have the ‐NV indicator in the model name; these models are hard coded to disallow VPN configuration for countries that do not allow VPN connectivity.
  Select the Devices (firewalls) for which you plan to use this template. You must select the firewalls individually. Whenever you add a new managed firewall to Panorama, you must assign it to the appropriate template; Panorama does not automatically assign new firewalls. When you perform a template commit, Panorama pushes the configuration to every firewall assigned to the template.
  (Optional) Select the Group HA Peers check box for firewalls ...
Add a Template (Continued)

Step 3. Apply a configuration change using the template.
  Let's specify a base configuration that defines a Primary DNS server for the devices in the template.
  In the Template drop-down, select the template that you want to configure.
  Select Device > Setup > Services, and edit the Services section.
  Enter an IP address for the Primary DNS Server.
  Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
  Click Commit, and select Template as the Commit Type to push the changes to the devices included in the selected template.

Step 4. Verify that the device is configured with the template settings that you pushed from Panorama.
  Switch to the device context for a firewall that you pushed the setting to using the template.
  Go to Device > Setup > Services. The IP address that you pushed using the template appears. The template icon also appears.
Override a Template Setting (Continued)

Step 2. Navigate to the setting that you need to modify on the device. In this example, we will override the DNS server IP address that you assigned using a template in Add a Template.
  Go to Device > Setup > Services and edit the Services section.
  Click the template icon (green cog) to override the value defined for the Primary DNS server IP address.
  Enter a new value for the Primary DNS Server. Note that the template override icon (yellow cog overlapping green) now displays to indicate that the value that Panorama pushed using a template has been modified on the firewall.
  Click OK.
  Click Commit to save your changes on the device.

Disable/Remove Template Settings

If you want to stop using templates for managing the configuration on a managed device, you can disable the template. When disabling a template, you can choose to copy the template settings to the local device configuration or to delete the values that were previously pushed using the template. To disable template settings, you must have Superuser privileges.

Disable/Remove Template Settings
  Access the web interface of the managed firewall. You can directly access the firewall by entering its IP address in the browser URL field or, in Panorama, select the firewall in the Context drop-down.
  Select Device > Setup > Management and edit the Panorama Settings.
  Select Disable Device and Network Template.
  (Optional) Select Import Device and Network Template before disabling, to save the configuration settings locally ...
Transition a Firewall to Panorama Management

If you have already deployed Palo Alto Networks firewalls and configured them locally, but now want to start using Panorama for centrally managing them, you have pre-migration planning, implementation and post-migration verification tasks. This high-level overview does not address all the critical tasks required to plan, implement, and validate the transition to centralized administration. Here are the high-level planning and configuration activities:
  On Panorama, add the devices and create device groups to logically assemble firewalls or virtual systems that perform a similar role or function, or that have similar characteristics.
  Create common zones for each device group. Decide on the common zone-naming strategy for all devices and virtual systems in a device group. For example, if you have two zones called Branch LAN and WAN, Panorama can centrally push policies that reference those zones without being aware of the variations in port/media type, platform or the logical addressing schema. You must create the zones on each managed device before you can commit the changes to the device group or template. Panorama cannot poll the devices for zone name or configuration.
  Configure each device to communicate with Panorama. You must define the Panorama IP addresses (primary and secondary Panorama) on each device.
  Use device groups to create common policies for devices with similar functionality and use templates to define a common base configuration for the managed device.
  Determine how you will manage local rules and device-specific exceptions to common policies and configuration settings. If you plan to use locally configured rules on the devices, make sure that the names of the rules are unique. A good way to ensure this would be to add a suffix or a prefix to all existing rules.
  Consider removing all "deny rules" in local security policy and use Panorama post-rules. This approach allows you to temporarily disable local rules and test the shared post-rules pushed from Panorama. You can then test the post-rules, make adjustments as necessary and eliminate local administration on the device.
  Verify that the firewalls function as efficiently with Panorama-pushed configuration as they did with local configuration.

For detailed information on using the XML API to perform the transition, refer to the document Panorama Device Migration Tech Note. Because Palo Alto Networks Technical Support does not help troubleshoot issues when using the XML API, if you do not have experience with scripting/using the XML API, contact Palo Alto Networks Professional Services to learn about the firewall migration process.
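The activity above that configures each device to communicate with Panorama is the one most worth scripting when many firewalls are migrated at once, and the XML API the Tech Note relies on is the natural tool. The following is an added example, not code from this guide or from Palo Alto Networks: it assumes the XML API's keygen/config conventions (type=config&action=set with an xpath and element), assumes the Panorama addresses live under the deviceconfig/system xpath used below (the node the CLI command set deviceconfig system panorama-server writes), and uses placeholder host, key and addresses. The request-building and response-parsing functions run offline; push_panorama_servers performs the actual HTTPS calls.

```python
"""Point a locally managed firewall at Panorama through the PAN-OS XML API.

Added example, not from the Panorama Administrator's Guide. Assumptions:
the public XML API conventions (type=keygen for an API key, then
type=config&action=set with an xpath/element pair), and that the Panorama
addresses sit under deviceconfig/system on a single-vsys firewall.
Host, key and addresses are placeholders.
"""
import ipaddress
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple
from xml.sax.saxutils import escape

# Assumed xpath of the firewall's system settings (single-vsys firewall).
SYSTEM_XPATH = "/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system"
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def valid_server_address(value: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid host name.
    All-numeric dotted strings that are not valid IPs (e.g. 192.0.2.999) are rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value)) and not value.replace(".", "").isdigit()


def build_panorama_server_element(primary: str, secondary: Optional[str] = None) -> str:
    """XML fragment for <panorama-server> and, for an HA pair, <panorama-server-2>.
    Values are validated first so a typo cannot silently point the firewall elsewhere."""
    for addr in (primary, secondary):
        if addr is not None and not valid_server_address(addr):
            raise ValueError(f"not an IP address or host name: {addr!r}")
    element = f"<panorama-server>{escape(primary)}</panorama-server>"
    if secondary:
        element += f"<panorama-server-2>{escape(secondary)}</panorama-server-2>"
    return element


def build_set_request(primary: str, secondary: Optional[str], api_key: str) -> Dict[str, str]:
    """Query parameters for one config 'set' call; the key comes from an earlier type=keygen."""
    return {
        "type": "config",
        "action": "set",
        "xpath": SYSTEM_XPATH,
        "element": build_panorama_server_element(primary, secondary),
        "key": api_key,
    }


def parse_api_response(xml_text: str) -> Tuple[bool, str]:
    """Return (success, message) from an XML API <response> document.
    Error responses carry their text inside <msg><line>...</line></msg>."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("not an XML API response document")
    msg_el = root.find(".//msg")
    message = "".join(msg_el.itertext()).strip() if msg_el is not None else ""
    return root.get("status") == "success", message


def push_panorama_servers(firewall: str, primary: str, secondary: Optional[str],
                          api_key: str) -> Tuple[bool, str]:
    """Network call: set the addresses, then commit. Not exercised offline.
    Assumes the firewall's management certificate chains to a CA the client trusts."""
    base = f"https://{firewall}/api/?"
    message = ""
    for params in (build_set_request(primary, secondary, api_key),
                   {"type": "commit", "cmd": "<commit></commit>", "key": api_key}):
        with urllib.request.urlopen(base + urllib.parse.urlencode(params), timeout=60) as resp:
            ok, message = parse_api_response(resp.read().decode("utf-8"))
        if not ok:
            return False, message
    return True, message


if __name__ == "__main__":
    # Placeholder addresses from the 192.0.2.0/24 documentation range.
    print(build_set_request("192.0.2.10", "192.0.2.11", "API-KEY-PLACEHOLDER")["element"])
```

The address validation is the check worth keeping: a mistyped Panorama address is accepted by the firewall and the commit reports success, so the firewall simply never appears under Panorama > Managed Devices. After the push, confirm the values in the firewall's Device > Setup > Management Panorama Settings before moving to the device group and template steps.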
Use Case: Configure Firewalls Using Panorama

If you plan to deploy your firewalls in an Active/Active HA configuration, assign each firewall in the HA pair to a separate template. Doing so gives you the flexibility to set up separate networking configurations for each peer. For example, you can manage the networking configurations in a separate template for each peer so that each can connect to different northbound and southbound routers, and can have different OSPF or BGP peering configurations.

Set Up Your Centralized Configuration and Policies

Using the example described in the preceding topics (starting with Use Case: Configure Firewalls Using Panorama), perform the following tasks to centrally deploy and administer firewalls:
  TASK 1—Add the firewalls as managed devices and deploy content updates and PAN-OS software updates to those firewalls.
  TASK 2—Use Templates to administer a base configuration.
  TASK 3—Use Device Groups for managing the policies on your firewalls.
  TASK 4—Preview your rules and commit your changes to Panorama, Device Groups, and Templates.

Deploy Content Updates and PAN-OS Software Updates to the Managed Firewalls

TASK 1. Add the firewalls as managed devices and deploy content updates and PAN-OS software updates to those firewalls.
First install the Applications or Applications and Threats database, then the Antivirus, and finally update the Software version. If you purchased a Threat Prevention subscription, the content and antivirus databases are available to you.
  For each firewall that Panorama will manage, perform the task Add a Firewall as a Managed Device.
  Deploy the content updates to the firewalls.
    a. Select Panorama > Device Deployment > Dynamic Updates.
    b. Click Check Now to check for the latest updates. If the value in the Action column is Download, this indicates an update is available.
    ...
Deploy Content Updates and PAN-OS Software Updates to the Managed Firewalls (Continued)
  Deploy the software updates to the firewalls.
    a. Select Panorama > Device Deployment > Software.
    b. Click Check Now to check for the latest updates. If the value in the Action column is Download, this indicates an update is available.
    c. Locate the version that you need for each hardware model and click Download. When the download completes, the value in the Action column changes to Install.
    d. In the Action column, click the Install link. Use the filters or user-defined tags to select the managed firewalls on which to install this version.
    e. Enable the check box for Reboot device after install or Upload only to device (do not install) and click OK. The Results column displays the success or failure of the installation.

Use Templates to Administer a Base Configuration

TASK 2. Use Templates to administer a base configuration.
  For each template, perform the task Add a Template and assign the appropriate firewalls to each.
  Define a DNS server, NTP server, Syslog server, and login banner. Repeat this step for each template.
    a. In the Device tab, select the Template from the drop-down.
    b. ...
Use Templates to Administer a Base Configuration (Continued)
  Configure the interface and zone settings in the Datacenter Template (T_DataCenter), and then attach the zone protection profile you just created.
  Before performing this step, you must have configured the interfaces locally on the firewalls. At a minimum, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
    a. Select the Network tab and, in the Template drop-down, select T_DataCenter.
    b. Select Network > Interface and, in the Interface column, click the interface name.
    c. Select the Interface Type from the drop-down.
    d. In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
    e. In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
    f. Click OK to save your changes to the interface.
    g. Select Network > Zones, and select the zone you just created. Verify that the correct interface is attached to the zone.
    h. In the Zone Protection Profile drop-down, select the profile you created, then click OK.
  Commit your template changes.
    a. ...
Use Device Groups to Push Policies (Continued)
  Create a shared pre-rule to allow DNS and SNMP services.
    a. Create a shared application group for the DNS and SNMP services.
      – Select Objects > Application Group and click Add.
      – Enter a name and select the Shared check box to create a shared Application Group object.
      – Click Add, type the application name, and select dns from the list. Repeat for SNMP and select snmp and snmp-trap.
      – Click OK to create the application group.
    b. Create the shared policy.
      – Select the Policies tab and, in the Device Group drop-down, select Shared.
      – Select the Security > Pre-Rules policies rulebase.
      – Click Add and enter a Name for the security policy rule.
      – In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
      – In the Applications tab, click Add, type the name of the application group object you just created, and select it from the drop-down.
      – In the Actions tab, set the Action to Allow, then click OK.
  Define the corporate acceptable use policy for all offices. In this example, create a shared policy that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
    a. Select the Policies tab and, in the Device Group drop-down, select Shared.
    b. Select Security > Pre-Rules, click Add, and in the General tab enter a Name for the security policy rule.
    c. ...
Use Device Groups to Push Policies (Continued)
  Allow Facebook for all users in the marketing group in the regional offices only.
  To enable security policy based on user and/or group, you must enable User-ID for each zone that contains users you want to identify. You must have set up User Identification on the firewall (refer to the PAN-OS Administrator's Guide) and have defined a master firewall for the Device Group. The master firewall is the only firewall in the Device Group that gathers user and group mapping information for policy evaluation.
    a. Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
    b. Select the Security > Pre-Rules policies rulebase.
    c. Click Add and enter a Name for the security policy rule.
    d. In the User tab, select Select, click Add and, in the Source User section, select the marketing user group.
    e. In the Application tab, click Add, type Facebook, and then select it from the drop-down.
    f. In the Action tab, set the Action to Allow.
    g. In the Target tab, select the regional office firewalls and click OK.
  Allow access to the Amazon cloud application for the specified hosts/servers in the datacenter.
    a. Create an address group object for the servers/hosts in the datacenter that need access to the Amazon cloud application.
      – Select the Objects tab and, in the Device Group drop-down, select DG_DataCenter.
      – Select Address Groups.
      – Click Add and enter a Name for the address group object.
      – Click Add and select New Address.
      – To define the address object, enter a Name, select the Type, and specify a host IP address, IP Netmask, IP ...
Enable Log Forwarding to Panorama
  Log Forwarding to Panorama: Workflows by Log Type
  Configure Log Forwarding to Panorama

Log Forwarding to Panorama: Workflows by Log Type

The workflow to Configure Log Forwarding to Panorama depends on the log type and on whether the firewalls will also forward logs directly to external services, or will forward logs to Panorama, which then forwards them to external services:
  If the firewalls will directly forward Syslog messages, email notifications, or SNMP traps to external services, use the template Device > Server Profiles options to define a server profile for each external service. If the firewalls will only forward logs to Panorama or a Log Collector, template server profiles are unnecessary. If Panorama will forward the logs to external services, define server profiles using the Panorama > Server Profiles options when you Enable Log Forwarding from Panorama to External Destinations. (For details about these options, see Log Forwarding Options.)
  Configure each log type for forwarding. For each type, you can specify whether to forward directly to external services in addition to Panorama. When forwarding to Panorama is enabled in a distributed log collection deployment, the log forwarding preference list determines to which Log Collectors the firewalls send logs. While you can configure log forwarding manually on each firewall (refer to the PAN-OS Administrator's Guide), use device groups and templates on Panorama for a more streamlined workflow. The specific Panorama workflow to enable log forwarding depends on the log types:
    – Traffic, threat, and WildFire logs—Use device groups to create a log forwarding profile (Objects > Log Forwarding) for forwarding to Panorama and (if required) to an external service. For example, if you will forward logs to a Syslog server, create a Syslog server profile using templates (Device > ...
Configure Log Forwarding to Panorama

Step 1. (Optional) Create a server profile that contains the information for connecting to the external service (a Syslog server, in this example).
  Skip this step if you will only Enable Log Forwarding from Panorama to External Destinations instead of forwarding logs directly to external services.
  Add a Template or, in the Device tab, select one in the Template drop-down.
  Select Device > Server Profiles > Syslog.
  Click Add and enter a Name for the profile.
  (Optional) Select the virtual system to which this profile applies from the Location drop-down.
  Click Add to add a new Syslog server entry and enter the information required to connect to the Syslog server (you can add up to four Syslog servers to the same profile):
    • Name—Unique name for the server profile.
    • Server—IP address or fully qualified domain name (FQDN) of the Syslog server.
    • Transport—Select UDP, TCP or SSL as the transport medium. SSLv3 and TLSv1 are supported for Secure Syslog transport.
    • Port—The port number on which to send Syslog messages (default is 514 for UDP and 6514 for SSL); you must use the ...
Configure Log Forwarding to Panorama (Continued)

Step 2. Set up a log forwarding profile for traffic, threat, and WildFire logs.
  Threat logs include URL Filtering and Data Filtering logs. Firewalls forward the logs based on the severity levels for which you enable notification.
  Add a Device Group or, in the Objects tab, select one in the Device Group drop-down.
  Select Objects > Log Forwarding.
  Click Add and enter a Name for the Log Forwarding Profile.
  (Optional) Select the Shared check box to share this profile across all managed firewalls.
  Select the Panorama check box for the severity levels for which you would like to enable log forwarding.
  (Optional) Select the server profile for forwarding to a syslog server. Ensure the firewall (or virtual system) is included in the device group and that the template in which you configured a server profile is applied to the firewall (or virtual system).
  Click OK.

Step 3. Enable log forwarding for System, Config, and HIP Match logs.
  With the same template selected, optionally select the log types that you would like to forward.
    • For System logs, select Device > Log Settings > System and select the link for each Severity and enable forwarding to ...
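Steps 1 and 2 together create a dependency that is easy to break: the log forwarding profile lives in a device group, the Syslog server profile it references lives in a template, and the reference only resolves on a firewall that receives both. The following is an added example, not code from this guide or from Panorama: it models the two objects with assumed class names, encodes the limits the guide states (four servers per Syslog profile, default ports 514 for UDP and 6514 for SSL, no default given for TCP), works out where a log of a given severity is sent, and reports, per firewall, any referenced server profile that none of its templates defines.

```python
"""Log forwarding profile model: which destinations a log reaches, and whether the
Syslog server profile it references is actually available on each firewall.

Added example, not from the Panorama Administrator's Guide. Class and function
names are assumptions for illustration; the constraints encoded are the ones
the guide states for the Syslog server profile and log forwarding profile.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SEVERITIES = ("critical", "high", "medium", "low", "informational")
DEFAULT_PORT = {"UDP": 514, "SSL": 6514}   # the guide gives no default for TCP


@dataclass
class SyslogServer:
    name: str
    server: str                 # IP address or FQDN of the Syslog server
    transport: str = "UDP"
    port: Optional[int] = None

    def __post_init__(self) -> None:
        if self.transport not in ("UDP", "TCP", "SSL"):
            raise ValueError(f"transport must be UDP, TCP or SSL, got {self.transport!r}")
        if self.port is None:
            if self.transport not in DEFAULT_PORT:
                raise ValueError("no default port for TCP; set it explicitly")
            self.port = DEFAULT_PORT[self.transport]


@dataclass
class SyslogServerProfile:
    """Template object (Device > Server Profiles > Syslog)."""
    name: str
    servers: List[SyslogServer] = field(default_factory=list)

    def add(self, srv: SyslogServer) -> None:
        if len(self.servers) >= 4:
            raise ValueError("a Syslog server profile holds at most four servers")
        if any(s.name == srv.name for s in self.servers):
            raise ValueError(f"server name {srv.name!r} already used in profile {self.name!r}")
        self.servers.append(srv)


@dataclass
class SeverityRule:
    panorama: bool = False                  # the Panorama check box for this severity
    syslog_profile: Optional[str] = None    # name of a Syslog server profile, if any


@dataclass
class LogForwardingProfile:
    """Device group object (Objects > Log Forwarding)."""
    name: str
    shared: bool = False
    rules: Dict[str, SeverityRule] = field(default_factory=dict)

    def set_rule(self, severity: str, panorama: bool = False,
                 syslog_profile: Optional[str] = None) -> None:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        self.rules[severity] = SeverityRule(panorama, syslog_profile)

    def destinations(self, severity: str) -> List[str]:
        """Where one log of this severity goes; an empty list means it stays on the firewall."""
        rule = self.rules.get(severity)
        if rule is None:
            return []
        out = ["panorama"] if rule.panorama else []
        if rule.syslog_profile:
            out.append(f"syslog:{rule.syslog_profile}")
        return out

    def referenced_syslog_profiles(self) -> Set[str]:
        return {r.syslog_profile for r in self.rules.values() if r.syslog_profile}


def missing_server_profiles(profile: LogForwardingProfile,
                            firewall_templates: Dict[str, List[str]],
                            template_profiles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """For each firewall (serial -> templates applied to it), report the Syslog profiles the
    forwarding profile references that none of those templates defines. This is the
    dependency the guide asks you to verify before clicking OK in Step 2."""
    needed = profile.referenced_syslog_profiles()
    report: Dict[str, Set[str]] = {}
    for serial, templates in firewall_templates.items():
        available = set().union(*(template_profiles.get(t, set()) for t in templates))
        gap = needed - available
        if gap:
            report[serial] = gap
    return report
```

Run the check against the device group's membership before the device group commit: a firewall that is in the device group but not in the template holding the server profile will accept the policy push and then silently forward nothing to the Syslog server for those severities.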
Configure Log Forwarding to Panorama (Continued)

Step 4. (Optional) Schedule log exports to an SCP or an FTP server.
  If you plan to use SCP, after pushing the template you must log in to each managed device, open the scheduled log export, and click the Test SCP server connection button. The connection is not established until the firewall accepts the host key for the SCP server.
  For Traffic, Threat, URL Filtering, Data Filtering, HIP Match, and WildFire logs, you can schedule log export using Panorama templates.
  In the Device tab, select a Template from the drop-down.
  Select Device > Scheduled Log Export and click Add.
  Enter a Name for the scheduled log export and Enable it.
  Select the Log Type to export. To schedule exports for multiple types, you must schedule a log export for each type.
  Select the daily Scheduled Export Start Time. The options are in 15-minute increments for a 24-hour clock (00:00 - 23:59).
  Select the Protocol to export the logs: SCP (secure) or FTP. For FTP, you have the option to Enable FTP Passive Mode.
  Enter the Hostname or IP address of the server.
Configure a Managed Collector

To enable the Panorama management server (Panorama virtual appliance or M-100 appliance in Panorama mode) to manage a Log Collector, you must add it as a managed collector. The M-100 appliance in Panorama mode has a predefined (default) local Log Collector. However, switching from Panorama Mode to Log Collector Mode would remove the local Log Collector and would require you to re-configure the appliance as a Dedicated Log Collector (M-100 appliance in Log Collector mode). When the Panorama management server has a high availability (HA) configuration, each HA peer can have a local Log Collector. Dedicated Log Collectors don't support HA.

We recommend that you install the same Applications update on Panorama as on managed Collectors and firewalls. For details, see Panorama, Log Collector, and Firewall Version Compatibility.

We recommend retaining a local Log Collector and local Collector Group on the M-100 appliance in Panorama mode, regardless of whether it manages Dedicated Log Collectors.

Configure a Managed Collector

Step 1. Perform initial setup of the M-100 appliance in Log Collector mode if you haven't already. Only Dedicated Log Collectors require this step.
  Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
  Perform Initial Configuration of the M-100 Appliance. When configuring interfaces, configure only the Management (MGT) interface. Switching to Log Collector mode (in the next step) removes any Eth1 and Eth2 interface configurations. If the Log Collector will use Eth1 and Eth2, add them when configuring the Log Collector later in this procedure.
  Register Panorama and Install Licenses.
  Install Content and Software Updates for Panorama.
  Configure each logging disk pair. This task is required to make the RAID disks available for logging. Optionally, you can add disks to Increase Storage on the M-100 Appliance.

Step 2. Switch from Panorama mode to Log Collector mode.
  Access the CLI of the M-100 appliance.
  Enter the following command to switch to Log Collector ...
Configure a Managed Collector (Continued)

Step 3. Enable connectivity among the M-100 appliances.
  These steps vary by Log Collector type. For HA deployments, <IPaddress1> and <IPaddress2> are for the management interface of the primary and secondary Panorama management server respectively. For non-HA deployments, specify only <IPaddress1>.
  • Dedicated Log Collectors—Run the following commands at the CLI of each Log Collector:
      > configure
      # set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
      # commit
  • Local Log Collectors—These steps are required only for an HA deployment:
    a. Log into the CLI of the primary Panorama and enter:
      > configure
      # ...
Configure a Managed Collector (Continued)

Step 6. Configure network access for the Log Collector.
  Perform this step only for a Dedicated Log Collector or a local Log Collector on the secondary Panorama HA peer. Although you defined similar parameters during initial configuration of the Panorama management server, you must re-define the parameters for the Log Collector.
  In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non-HA) or primary (HA) Panorama. For an HA deployment, enter the IP address or FQDN of the secondary Panorama peer in the Panorama Server IP 2 field. These fields are required.
  Configure the IP addresses of the Primary DNS Server and Secondary DNS Server.
  (Optional) Set the Timezone that Panorama will use to record log entries.

Step 7. Configure administrative access to the Log Collector CLI.
  Only Dedicated Log Collectors require ...
  Select the Authentication tab, select the password Mode, and enter the Password (the default is admin).
  Enter the number of Failed Attempts to log in that Panorama ...
Manage Collector Groups

A Collector Group is 1 to 16 Log Collectors that operate as a single logical unit for collecting firewall logs. You can configure a Collector Group with multiple Log Collectors to ensure log redundancy or to accommodate logging rates that exceed the capacity of a single Log Collector (see Panorama Platforms). To understand the risks and recommended mitigations, see Caveats for a Collector Group with Multiple Log Collectors.

The M-100 appliance in Panorama mode (Panorama management server) has a predefined (default) local Collector Group that contains a predefined local Log Collector. However, switching to Log Collector mode would remove the local Log Collector and Collector Group; you would have to Set up the M-100 Appliance as a Log Collector, add it as a managed collector to the Panorama management server, and configure a Collector Group to contain the managed collector.

If you delete a Collector Group, you will lose logs. We recommend retaining a local Log Collector and local Collector Group on the M-100 appliance in Panorama mode, regardless of whether it manages Dedicated Log Collectors.

  Configure a Collector Group
  Move a Log Collector to a Different Collector Group
  Remove a Firewall from a Collector Group

Configure a Collector Group

You can configure each Collector Group to include up to 16 Log Collectors that aggregate firewall logs.

Configure a Collector Group

Step 1. Perform the following tasks before configuring the Collector Group.
  In these tasks, skip any steps that involve configuring or committing changes to the Collector Group; you will perform those steps later in the current procedure.
  Add a Firewall as a Managed Device for each firewall that you will assign to the Collector Group.
  (Optional) Enable Log Forwarding from Panorama to External Destinations.
  Configure a Managed Collector for each Log Collector (1 to 16) that you will assign to the Collector Group. You must manually add each Dedicated Log Collector (M-100 appliance in Log Collector mode). The M-100 appliance in Panorama mode has a predefined local Log Collector that you don't need to add.
Configure a Collector Group (Continued)

Step 2. Add the Collector Group.
  Access the Panorama web interface, select Panorama > Collector Groups, and Add a Collector Group or edit an existing one. The M-100 appliance in Panorama mode has a predefined Collector Group named default.
  In the General tab, enter a Name for the Collector Group if you are adding one. You cannot rename an existing Collector Group.
  Enter the Minimum Retention Period in days (1-2,000) for which the Collector Group will retain firewall logs.

Step 3. (Optional) Configure SNMP monitoring for the Log Collectors.
  Select the Monitoring tab, select the SNMP Version and enter the corresponding details:
    • V2c—Enter the SNMP Community String, which identifies a community of SNMP managers and monitored devices (Log Collectors, in this case), and serves as a password to authenticate the community members to each other. Don't use the default community string public; it is well known and therefore not secure.
    • V3—Create at least one SNMP view group and one user. User accounts and views provide authentication, privacy, and access control when Log Collectors forward traps and SNMP managers get Log Collector statistics.
Configure a Collector Group (Continued)

Step 4. Assign Log Collectors and firewalls to the Collector Group.
  Select the Device Log Forwarding tab.
  In the Collector Group Members section, Add the Log Collectors.
  In the Log Forwarding Preferences section, click Add.
  In the Devices section, click Modify, select the firewalls, and click OK. You cannot assign PA-7050 firewalls to a Collector Group. However, when you monitor logs or generate reports for a device group that includes a PA-7050 firewall, Panorama queries the firewall in real-time to display its log data.
  In the Collectors section, Add the Log Collectors to which the firewalls will forward logs. If you assign multiple Log Collectors, the first one will be the primary; if the primary becomes unavailable, the firewalls send logs to the next Log Collector in the list. To change the priority of a Log Collector, select it and Move Up (higher priority) or Move Down (lower priority).
  Click OK.

Step 5. Define the storage capacity (log quotas) for each log type.
  Return to the General tab and click the Log Storage value. If the field displays 0MB, verify that you enabled the disk pairs for logging and committed the changes (see Configure a Managed Collector, Disks tab).
  Enter the log storage Quota(%) for each log type.

Step 6. (Optional) Configure log forwarding from ...
Move a Log Collector to a Different Collector Group

When you Plan a Log Collection Deployment, you assign Log Collectors to a Collector Group based on the logging rate and log storage requirements of that Collector Group. If the rates and required storage increase in a Collector Group, the best practice is to Increase Storage on the M-100 Appliance or Configure a Collector Group with additional Log Collectors. However, in some deployments, it might be more economical to move Log Collectors between Collector Groups.

The log data on a Log Collector becomes inaccessible after you remove it from a Collector Group. Also, you must perform a factory reset on the Log Collector before adding it to another Collector Group; a factory reset removes all configuration settings and logs.

When a Log Collector is local to an M-100 appliance in Panorama mode, move it only if the M-100 appliance is the passive peer in a high availability (HA) configuration. HA synchronization will restore the configurations that the factory reset removes. Never move a Log Collector when it's local to an M-100 appliance that is the active HA peer.

Move a Log Collector to a Different Collector Group

Step 1. Remove the Log Collector from Panorama management.
  Select Panorama > Collector Groups and select the Collector Group that contains the Log Collector you will move.
  Select the Device Log Forwarding tab and, in the Log Forwarding Preferences list, perform the following steps for each set of firewalls assigned to the Log Collector you will move:
    a. In the Devices column, click the link for the firewalls assigned to the Log Collector.
    b. In the Collectors column, select the Log Collector and click Delete. To reassign the firewalls, Add the new Log Collector to which they will forward logs.
    c. Click OK twice to save your changes.
  Select Panorama >...
Move a Log Collector to a Different Collector Group (Continued)

Step 3. Reconfigure the Log Collector.
  Perform Initial Configuration of the M-100 Appliance.
  Register Panorama and Install Licenses.
  Install Content and Software Updates for Panorama.
  Set up the M-100 Appliance as a Log Collector.

Step 4. Configure a Collector Group.
  Add the Log Collector to its new Collector Group and assign firewalls to the Log Collector. When you commit the Collector Group configuration, Panorama starts redistributing logs across the Log Collectors. This process can take hours for each terabyte of logs. During the redistribution process, the maximum logging rate is reduced.

Remove a Firewall from a Collector Group

In a distributed log collection deployment, where you have dedicated Log Collectors, if you need a device to send logs to Panorama instead of sending logs to the Collector Group, you must remove the device from the Collector Group. When you remove the device from the Collector Group and commit the change, the device will automatically send logs to Panorama instead of sending them to a Log Collector.

Remove a Firewall from a Collector Group
  Select the Panorama > Collector Groups tab.
  Click the link for the desired Collector Group, and select the Log Forwarding tab.
  In the Log Forwarding Preferences section, select the device that you would like to remove from the list, click Delete, and click OK.
  Click Commit, for the Commit Type select Panorama, and click OK.
  Click Commit, for the Commit Type select Collector Group, and click OK.
  To temporarily remove the log forwarding preference list on the device, you can delete it using the CLI on the device. You must, however, remove the assigned firewalls in the Collector Group ...
Verify Log Forwarding to Panorama

Now that you have added the Log Collector(s) as Managed Collectors, created and configured the Collector Group, and assigned the managed firewalls to forward logs to the specified Collector Group, you can test that your configuration was successful.

Verify Log Forwarding to Panorama

Step 1. On the managed firewall, check that the firewall has the Log Forwarding Preference list and is forwarding logs to the configured Log Collector. You cannot view this information from the web interface on the firewall.
  Access the CLI on the firewall.
  Enter the following commands:
    • show log-collector preference-list
      If you have assigned only one Log Collector to the Collector Group, the onscreen output will look something like this:
        Log collector Preference List
        Serial Number: 003001000024
        IP Address:10.2.133.48
    • show logging-status
      The onscreen output will look something like this: ...

Step 2. On Panorama, verify the log collection rate.
  Click the Statistics link in the Panorama > Managed Collectors tab to view the average logs/second being received by Panorama.
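To make the preference-list check in Step 1 repeatable across many firewalls, the command output can be parsed and compared with the Collector Group configuration from Step 4 of Configure a Collector Group (primary first, then fallbacks in Move Up/Move Down order). The following is an added example, not code from this guide or from PAN-OS: the sample output is constructed, with its first entry copied from the serial number and IP address shown above and a second entry invented to show a two-collector list; the function names are assumptions, and the parser accepts both the one-line and the line-per-field layouts of the output.

```python
"""Parse 'show log-collector preference-list' output and reason about failover order.

Added example, not from the Panorama Administrator's Guide. SAMPLE_OUTPUT is
constructed: the first entry is the serial number and IP address from the
guide's sample, the second entry is invented.
"""
import re
from typing import List, Optional, Set, Tuple

SAMPLE_OUTPUT = """\
Log collector Preference List
Serial Number: 003001000024
IP Address:10.2.133.48
Serial Number: 003001000031
IP Address:10.2.133.49
"""

# Serial and IP may be separated by a newline or by spaces; \s+ covers both layouts.
_ENTRY_RE = re.compile(r"Serial Number:\s*(\S+)\s+IP Address:\s*(\S+)")


def parse_preference_list(text: str) -> List[Tuple[str, str]]:
    """Return (serial, ip) pairs in the order the firewall lists them.
    Order matters: the first collector is the primary, later ones are fallbacks."""
    return [(m.group(1), m.group(2)) for m in _ENTRY_RE.finditer(text)]


def active_collector(pref: List[Tuple[str, str]],
                     reachable: Set[str]) -> Optional[Tuple[str, str]]:
    """The collector that receives logs now: the highest-priority reachable one.
    None means every listed collector is down and the firewall buffers locally."""
    for entry in pref:
        if entry[0] in reachable:
            return entry
    return None


def verify_preference_list(observed: List[Tuple[str, str]],
                           expected_serials: List[str]) -> List[str]:
    """Compare the firewall's list with the Collector Group configuration (serials in
    priority order). An empty result means the firewall matches Panorama."""
    problems: List[str] = []
    observed_serials = [serial for serial, _ in observed]
    if not observed_serials:
        problems.append("firewall has no preference list; check Collector Group membership and commit")
        return problems
    for serial in expected_serials:
        if serial not in observed_serials:
            problems.append(f"collector {serial} missing from firewall preference list")
    for serial in observed_serials:
        if serial not in expected_serials:
            problems.append(f"firewall lists collector {serial} that is not in the Collector Group")
    common_obs = [s for s in observed_serials if s in expected_serials]
    common_exp = [s for s in expected_serials if s in observed_serials]
    if common_obs != common_exp:
        problems.append(f"priority order differs: firewall {common_obs}, Panorama {common_exp}")
    return problems


if __name__ == "__main__":
    pref = parse_preference_list(SAMPLE_OUTPUT)
    print(pref)
    print(verify_preference_list(pref, ["003001000024", "003001000031"]))
```

An empty preference list on a firewall that should have one is the most common finding after a Collector Group change and usually means the Collector Group commit (Commit Type: Collector Group) was not performed after the Panorama commit; a wrong priority order means the firewall's primary is not the collector you sized for its logging rate.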
Modify Log Forwarding and Buffering Defaults

You can define the log forwarding mode that the firewalls use to send logs to Panorama and, when configured in a high availability configuration, specify which Panorama peer can receive logs. To access these options, select Panorama > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and Reporting tab.

Define the log forwarding mode on the firewall: The firewalls can forward logs to Panorama (pertains to both the M‐100 appliance and the Panorama virtual appliance) in either Buffered Log Forwarding mode or in Live Mode Log Forwarding mode.

Logging Option: Buffered Log Forwarding from Device (Default: Enabled)
  Description: Allows each managed firewall to buffer logs and send the logs at 30‐second intervals to Panorama (not user configurable).
  Buffered log forwarding is very valuable when the firewall loses connectivity to Panorama. The firewall buffers log entries to its local hard disk and keeps a pointer to record the last log entry that was sent to Panorama. When connectivity is restored, the firewall resumes forwarding logs from where it left off. The disk space available for buffering depends on the log storage quota for the platform and the volume of logs that are pending roll over. If the firewall was disconnected for a long time and the last log forwarded was rolled over, all the logs from its local hard disk will be forwarded to Panorama on reconnection. If the available space on the local hard disk of the firewall is consumed, the oldest ...
Logging Option: Get Only New Logs on Convert to Primary (Default: Disabled)
  Pertains to: Panorama virtual appliance that is mounted to a Network File System (NFS) datastore and is set up in a high availability (HA) configuration
  Description: With NFS logging, when you have a pair of Panorama servers configured in a high availability configuration, only the primary Panorama peer mounts the NFS datastore. Therefore, the firewalls can only send logs to the primary Panorama peer, which can write to the NFS datastore. When an HA failover occurs, the Get Only New Logs on Convert to Primary option allows an administrator to configure the managed firewalls to send only newly generated logs to Panorama. This event is triggered when the priority of the active‐secondary Panorama is promoted to primary and it can begin logging to the NFS. ...
Enable Log Forwarding from Panorama to External Destinations

Panorama allows you to forward aggregated logs, email notifications, and SNMP traps to external servers. Forwarding logs from Panorama reduces the load on the firewalls and provides a reliable and streamlined approach to combine and forward syslogs/SNMP traps/email notifications to remote destinations. Use the following table to configure log forwarding from Panorama:

Table: Log Forwarding from Panorama to External Destinations

Platform/Deployment: Panorama virtual appliance
  Forward Panorama Logs: To forward Panorama logs, select Panorama > Log Settings > System and Panorama > Log Settings > Config.
  Forward Firewall Logs: To forward firewall logs, select Panorama > Log Settings and select the tab for each log type: System, Config, HIP Match, Traffic, Threat, and WildFire.

Platform/Deployment: Distributed Log Collection Deployment with:
  Forward Panorama Logs: To forward both Panorama local logs and Managed Collector logs, select:
  Forward Firewall Logs: To forward firewall logs that Panorama aggregates on a Collector Group, ...
Enable Log Forwarding from Panorama to External Destinations

Step 1 Set up server profiles for each external destination to which you want to forward logs.
  Set up one or more of the following server profiles:
  a. SNMP: Select Panorama > Server Profiles > SNMP Trap.
  b. Email: Select Panorama > Server Profiles > Email.
  c. Syslog: Select Panorama > Server Profiles > Syslog.
  To forward logs to a syslog server, you can configure the transport medium to use UDP, TCP or SSL. By default, the header format for each syslog entry uses the FQDN (hostname and domain name), if configured, of the appliance that forwards the logs (Panorama or a Managed Collector). The log data includes the unique identifier of the firewall that generated the log entry. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers. To change what is listed in the syslog header, select ...
Enable Log Forwarding from Panorama to External Destinations (Continued)

Step 2 If the Syslog server requires client authentication, generate the certificate for secure communication.
  To verify that the sending device (firewall or Panorama) is authorized to communicate with the syslog server, you must enable the following:
  • The server and the sending device must have certificates that are signed by the same trusted CA. Alternatively, you can generate a self‐signed certificate on Panorama or the firewall, export the certificate from the firewall/Panorama and import it in to the syslog server.
  • Use the trusted CA or the self‐signed certificate to generate a certificate with the IP address of the sending device (as the Common Name) and enabled for use in secure syslog communication. The syslog server uses this certificate to verify that the firewall or Panorama is authorized to communicate with the syslog server.
  Use the following steps to generate the certificate on the firewall or Panorama:
  Select Panorama > Certificate Management > Certificates.
  Click Generate to create a new certificate that will be signed by a trusted CA or the self‐signed CA.
  Enter a name for the certificate.
  In Common Name, enter the IP address of the device sending logs to the syslog server.
  Select Shared if you want the certificate to be a shared certificate on Panorama or to be shared by all virtual systems in a multiple virtual system firewall.
  In Signed by, select the trusted CA or the self‐signed CA that ...
Log Collection Deployments

The following topics describe how to configure log collection in the most typical deployments. The deployments in these topics all describe Panorama in a high availability (HA) configuration, which Palo Alto Networks recommends.
  Plan a Log Collection Deployment
  Deploy Panorama with Dedicated Log Collectors
  Deploy Panorama with Default Log Collectors
  Deploy Panorama Virtual Appliances with Local Log Collection

Plan a Log Collection Deployment

To determine which log collection deployment best suits your requirements, review the following topics:
  High Availability
  Panorama and Log Collector Platforms
  Collector Groups with Single or Multiple Log Collectors
  Log Forwarding Options

High Availability

As a best practice, Palo Alto Networks recommends deploying the Panorama management server in a high availability (HA) configuration to enable automatic recovery (in the event of server failure) of components that are not saved as part of configuration backups. For details, see Recover Logs after Panorama Failure/RMA in Non‐HA Deployments. In HA deployments, the Panorama management server only supports an active/passive configuration.

Panorama and Log Collector Platforms

Decide which Panorama Platforms to use for the Panorama management server and Log Collectors based on the geographic distribution of the managed firewalls and their logging rate. If you initially implement log collection using the default Log Collectors but later require more storage or higher logging rates than these support, you can switch to a deployment with dedicated Log Collectors (M‐100 appliances in Log Collector mode). You can also implement a hybrid deployment that includes both default and dedicated Log Collectors.
However, if you initially implement log collection using dedicated Log Collectors, you will lose logs if you later switch to a deployment that involves only the default Log Collectors because of the reduced storage capacity. ...
Note that if the firewalls are geographically dispersed, their connections with the Panorama management server might lack sufficient bandwidth to support the required logging rate even if the server can process logs at that rate. In such deployments, forwarding logs to dedicated Log Collectors that are located close to the firewalls might resolve the bandwidth limitation. The following table summarizes your choice of Log Collector when considering the firewall logging rate.

Logging Rate: ≤ 10,000 logs/second
  Log Collector: Depends on the Panorama management server:
  • Virtual appliance—Panorama collects logs without any Log Collector.
  • M‐100 appliance—Local default Log Collector

Logging Rate: > 10,000 logs/second
  Log Collector: M‐100 appliance in Log Collector Mode. Each dedicated Log Collector can process up to 50,000 logs/second and store 4 TB of log data. Add dedicated Log Collectors as needed when the logging output exceeds these thresholds.

Collector Groups with Single or Multiple Log Collectors

Palo Alto Networks recommends assigning only one Log Collector to a Collector Group. However, if any single firewall will generate more than 4 TB of logs (the maximum an M‐100 appliance can store) for the required retention period, you must assign multiple Log Collectors to the Collector Group that receives the logs. To understand how logging works in the latter scenario, as well as the risks and recommended mitigations, see Caveats for a Collector Group with Multiple Log Collectors.

Log Forwarding Options

By default, each firewall generates and stores log files locally. To use Panorama for centralized log monitoring and report generation, you must forward the logs to Panorama. If you have compliance policies that require data archival for extended durations, you can also forward logs to external services for archiving, notification, or analysis. External services include Syslog servers, email servers, or SNMP trap servers.
The device (firewall, Panorama virtual appliance, or M‐100 appliance) that forwards the logs to external services converts the logs to the appropriate format (Syslog message, email notification, or SNMP trap). You must create a server profile for each external service. A server profile defines how to access the remote server and authenticate to the service, if necessary. To forward the system and configuration logs that Panorama generates locally to external destinations, see Monitor Panorama.

You can configure log forwarding in the following ways:
  Forward logs from firewalls to Panorama and from Panorama to external services—This configuration ...
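The logging-rate and 4 TB thresholds above, together with the rule that a firewall exceeding one appliance's storage needs a multi-collector Collector Group, can be turned into a sizing check. The following Python is an added planning example, not part of the Panorama guide; the per-firewall rates and the average bytes per log are constructed inputs that you must replace with measured values.

```python
"""Size a log collection deployment from the thresholds in the table above.

Added planning example, not part of the Panorama guide. Thresholds from the
guide: up to 10,000 logs/second needs no dedicated Log Collector; each
dedicated M-100 Log Collector handles up to 50,000 logs/second and stores
4 TB; a firewall whose logs exceed 4 TB over the retention period needs a
Collector Group with multiple Log Collectors. Bytes per log is an assumption."""
from __future__ import annotations

import math

MGMT_SERVER_MAX_LPS = 10_000     # guide: <= 10,000 logs/s, no dedicated collector
DEDICATED_LC_MAX_LPS = 50_000    # guide: per dedicated Log Collector
DEDICATED_LC_STORAGE_TB = 4.0    # guide: per M-100 appliance
TB = 1024 ** 4
SECONDS_PER_DAY = 86_400


def retention_tb(logs_per_second: float, retention_days: int, bytes_per_log: int) -> float:
    """Storage (TB) needed to keep one log source for the retention period."""
    return logs_per_second * SECONDS_PER_DAY * retention_days * bytes_per_log / TB


def plan(firewalls: dict[str, float], retention_days: int, bytes_per_log: int) -> dict:
    """firewalls maps firewall name -> average logs/second it forwards.

    Returns the platform choice, how many dedicated Log Collectors the total
    rate and storage require, and which firewalls exceed what a single M-100
    can store over the retention period (those need a Collector Group with
    multiple Log Collectors)."""
    total_lps = sum(firewalls.values())
    per_fw_tb = {name: retention_tb(rate, retention_days, bytes_per_log)
                 for name, rate in firewalls.items()}
    total_tb = sum(per_fw_tb.values())
    multi_lc = sorted(name for name, tb in per_fw_tb.items()
                      if tb > DEDICATED_LC_STORAGE_TB)

    if total_lps <= MGMT_SERVER_MAX_LPS and not multi_lc:
        deployment = "management server (virtual appliance or M-100 default Log Collector)"
        collectors = 0
    else:
        # Conservative: a firewall that outgrows one appliance's storage is
        # treated as a dedicated-collector case even at a low aggregate rate.
        deployment = "dedicated M-100 Log Collectors"
        collectors = max(math.ceil(total_lps / DEDICATED_LC_MAX_LPS),
                         math.ceil(total_tb / DEDICATED_LC_STORAGE_TB))
    return {
        "deployment": deployment,
        "dedicated_collectors": collectors,
        "multi_collector_groups_for": multi_lc,
        "total_logs_per_second": total_lps,
        "total_tb_over_retention": round(total_tb, 2),
    }


if __name__ == "__main__":
    # Constructed input: two firewalls, 30-day retention, 500 bytes per log.
    print(plan({"fw-a": 6000, "fw-b": 9000}, retention_days=30, bytes_per_log=500))
```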
Deploy Panorama with Dedicated Log Collectors (Continued)

Step 2 Switch from Panorama mode to Log Collector mode on each M‐100 appliance that will be a Dedicated Log Collector.
  Switching the mode of an M‐100 appliance deletes any existing log data and deletes all configurations except the management access settings. After the switch, the M‐100 appliance retains CLI access but loses web interface access.
  Connect to the M‐100 appliance in one of the following ways:
  • Attach a serial cable from your computer to the Console port on the M‐100 appliance. Then use terminal emulation software (9600‐8‐N‐1) to connect.
  • Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the MGT interface of the M‐100 appliance during initial configuration.
  Log in to the CLI when prompted. Use the default admin account and the password that you specified during initial configuration.
  Switch to Log Collector mode by entering the following command:
    > request system logger-mode logger
  Enter Y to confirm the mode change. The M‐100 appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M‐100 appliance to see the Panorama login prompt. If you see a ...
Deploy Panorama with Dedicated Log Collectors (Continued)

Step 4 Add each Log Collector as a managed collector.
  Use the web interface of the primary Panorama management server peer to Configure a Managed Collector:
  Select Panorama > Managed Collectors, click Add, and enter the serial number you recorded for the Log Collector in the General tab, Collector S/N field.
  Enter the IP address or FQDN of the primary and secondary Panorama HA peers in the Panorama Server IP field and Panorama Server IP 2 field respectively. These fields are required.
  Select the Management tab and complete one or both of the following field sets for the management interface, depending on the IP protocols of your network:
  • IPv4—IP Address, Netmask, and Default Gateway
  • IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
  (Optional) Select the SNMP check box if you will use SNMP to monitor the Log Collector. Using SNMP requires additional steps besides configuring the Log Collector. For details, see Set Up SNMP to Monitor ...
Deploy Panorama with Dedicated Log Collectors (Continued)

Step 7 (Optional) Configure the Eth1 and/or Eth2 interfaces if the Log Collectors will use them for log collection and Collector Group communication.
  These interfaces are available only if you configured them for the Panorama management server during initial configuration. Palo Alto Networks recommends using Eth1 and/or Eth2 to reduce the traffic load on the MGT interface and to improve security for management traffic.
  Use the web interface of the primary Panorama management server peer to perform these steps for each Log Collector:
  Select Panorama > Managed Collectors and edit the Log Collector.
  Configure the network settings of the Eth1 and/or Eth2 interfaces. For each interface, select the corresponding tab and configure one or both of the following field sets based on the IP protocols of your network.
  • IPv4—IP Address, Netmask, and Default Gateway
  • IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
  Click OK and Commit, set the Commit Type to Panorama, and click OK. This step is required before you can assign the Eth1 ...
Deploy Panorama with Dedicated Log Collectors (Continued)

Step 9 Configure the Collector Group.
  If each Collector Group will have one Log Collector, repeat this step for each Collector Group before continuing. If you will assign all the Log Collectors to one Collector Group, perform this step only once.
  Use the web interface of the primary Panorama management server to Configure a Collector Group:
  Select Panorama > Collector Groups, click Add, and enter a Name for the Collector Group.
  (Optional) Select the Monitoring tab and configure the settings if you will use SNMP to monitor Log Collectors.
  Select the Device Log Forwarding tab and, in the Collector Group Members section, assign one or more Log Collectors.
  In the Log Forwarding Preferences section, assign firewalls according to the number of Log Collectors in this Collector Group:
  • Single—Assign the firewalls that will forward logs to that Log Collector, as illustrated in Figure: Single Dedicated Log Collector Per Collector Group.
  • Multiple—Assign each firewall to both Log Collectors for redundancy. When you configure the preferences, make Log Collector 1 the first priority for half the firewalls and make Log Collector 2 the first priority for the other half, as illustrated in Figure: Multiple Dedicated Log Collectors Per Collector Group.
  Click OK and Commit, set the Commit Type to Panorama, and click OK.
Deploy Panorama with Default Log Collectors (Continued)

Step 2 Perform the following steps to prepare Panorama for log collection.
  Connect to the primary Panorama in one of the following ways:
  • Attach a serial cable from your computer to the Console port on the primary Panorama. Then use terminal emulation software (9600‐8‐N‐1) to connect.
  • Use terminal emulation software such as PuTTY to open an SSH session to the IP address that you specified for the MGT interface of the primary Panorama during initial configuration.
  Log in to the CLI when prompted. Use the default admin account and the password that you specified during initial configuration.
  Enable the primary Panorama to connect to the secondary Panorama by entering the following command, where <IPaddress2> represents the MGT interface of the secondary Panorama:
    > configure
    # set deviceconfig system panorama-server <IPaddress2>
    # commit
  Log in to the CLI of the secondary Panorama.
  Enable the secondary Panorama to connect to the primary Panorama by entering the following command, where <IPaddress1> represents the MGT interface of the primary Panorama:
    >...
Deploy Panorama with Default Log Collectors (Continued)

Step 4 Configure the Log Collector that is local to the secondary Panorama.
  Panorama treats this Log Collector as remote because it's not local to the primary Panorama. Therefore you must manually add it on the primary Panorama.
  Use the web interface of the primary Panorama to Configure a Managed Collector:
  Select Panorama > Managed Collectors and Add the Log Collector.
  Enter the serial number (Collector S/N) you recorded for the Log Collector of the secondary Panorama.
  Enter the IP address or FQDN of the primary and secondary Panorama HA peers in the Panorama Server IP field and Panorama Server IP 2 field respectively. These fields are required.
  Configure the network settings of each interface that the Log Collector will use. The Management interface is required. If you configured the Panorama management server to use the Eth1 and Eth2 interfaces, configure these interfaces on the Log Collector also. For each interface, select the corresponding tab and configure one or both of the following field sets based on the IP protocols of your network.
  • IPv4—IP Address, Netmask, and Default Gateway
  • ...
Deploy Panorama with Default Log Collectors (Continued)

Step 6 Edit the default Collector Group that is predefined on the primary Panorama.
  Use the web interface of the primary Panorama to Configure a Collector Group:
  Select Panorama > Collector Groups and select the default Collector Group.
  (Optional) Select the Monitoring tab and configure the settings if you will use SNMP to monitor Log Collectors.
  Select the Device Log Forwarding tab. The Collector Group Members section displays the local Log Collector of the primary Panorama because it is pre‐assigned to the default Collector Group. If this Collector Group will contain multiple Log Collectors, assign the local Log Collector of the secondary Panorama.
  In the Log Forwarding Preferences section, assign firewalls according to the number of Log Collectors in this Collector Group:
  • Single—Assign the firewalls that will forward logs to the default Log Collector of the primary Panorama, as illustrated in Figure: Single Default Log Collector Per Collector Group.
  • Multiple—Assign each firewall to both Log Collectors for redundancy. When you configure the preferences, make Log Collector 1 the first priority for half the firewalls and make Log Collector 2 the first priority for the other half, as illustrated in Figure: Multiple Default Log Collectors Per Collector Group.
  Click OK to save your changes.

Step 7 Configure a Collector Group that ...
Deploy Panorama with Default Log Collectors (Continued)

Step 9 Manually fail over so that the secondary Panorama becomes active.
  Use the web interface of the primary Panorama to perform the following steps:
  Select Panorama > High Availability.
  Click Suspend local Panorama in the Operational Commands section.

Step 10 On the secondary Panorama, configure the network settings of the Log Collector that is local to the primary Panorama.
  Use the web interface of the secondary Panorama to perform the following steps:
  In the Panorama web interface, select Panorama > Managed Collectors and select the Log Collector that is local to the primary Panorama.
  Enter the IP address or FQDN of the secondary Panorama in the Panorama Server IP field. Enter the IP address or FQDN of the primary Panorama in the Panorama Server IP 2 field. These fields are required.
  Select the Management tab and complete one or both of the following field sets (depending on the IP protocols of your network) with the management interface values of the primary Panorama:
  • ...
Deploy Panorama Virtual Appliances with Local Log Collection (Continued)

Step 2 Add a Firewall as a Managed Device. Perform this step for all the firewalls that will forward logs to Panorama.
  If you have not already, perform the initial setup of each firewall that you will assign to a Log Collector. For details, refer to the PAN‐OS Administrator's Guide.
  In the Panorama web interface, select Panorama > Managed Devices, click Add, enter the serial number of each firewall (one line per serial number), then click OK.

Step 3 Assign the firewalls to device groups and templates. This step is a prerequisite to enabling log forwarding to Panorama.
  Use the Panorama web interface to perform the following tasks:
  Add a Device Group.
  Add a Template.

Step 4 Configure Log Forwarding to Panorama.
  Use the Panorama web interface to configure log forwarding. The specific tasks depend on the log types:
  • Traffic, threat, and WildFire logs:
    a. Select the device group you just added.
    b. Select Objects > Log Forwarding and click Add.
    c. Enter a Name for the Log Forwarding Profile, select the Panorama check boxes for the desired log types, then click
    d. Assign the log forwarding profile to the desired rules. For ...
Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

The following steps describe how to retrieve new licenses using an authorization code and push the license keys to managed firewalls. It also describes how to manually update (refresh) the license status of firewalls that do not have direct Internet access. For firewalls with direct Internet access, the license update process is automatic.

You cannot use Panorama to activate the support license of firewalls. You must access the firewalls individually to activate their support licenses. To activate licenses for Panorama itself, see Register Panorama and Install Licenses.

Manage Licenses on Firewalls Using Panorama
• Activate newly purchased licenses.
  Select Panorama > Device Deployment > Licenses and click Activate.
  Enter the Auth Code that Palo Alto Networks provided for each firewall that has a new license.
  Click Activate.
  (WildFire subscriptions only) Perform a commit on each firewall that has a new WildFire subscription to complete the activation:
  • Commit any pending changes. You must access each firewall web interface to do this.
  • Make a minor change and perform a commit. For example, update a rule description and commit the change. If the firewalls belong to the same device group, you can push the rule change from Panorama to initiate a commit on all those firewalls instead of accessing each firewall separately.
  Check that the file blocking rule used for WildFire forwarding includes the advanced file types that the WildFire subscription supports. If the rule is already set to forward any file type, or the rule requires no changes, make a minor edit to the rule description ...
Deploy Updates to Devices Using Panorama

You can use Panorama to qualify software and content updates by deploying them to a subset of the firewalls or Dedicated Log Collectors before installing the updates on all managed devices. If you want to schedule periodic content updates, Panorama requires a direct Internet connection. To deploy software or content updates on demand (unscheduled), the procedure differs based on whether Panorama has an Internet connection.

By default, you can download up to five software or content updates of each type to Panorama. When you start any download beyond that maximum, Panorama deletes the oldest update of the selected type. To change the maximum, see Manage Panorama Storage for Software and Content Updates.

Panorama displays a warning if you manually deploy a content update when a scheduled update process has started or will start within five minutes.
  Supported Updates by Device Type
  Schedule Content Updates to Devices Using Panorama
  Deploy Updates to Devices when Panorama Has an Internet Connection
  Deploy Updates to Devices when Panorama Has No Internet Connection

Supported Updates by Device Type

The software and content updates you can install vary based on which subscriptions are active on each firewall or Log Collector:

Platform Type: Log Collectors
  Software Updates: Panorama
  Content Updates: Applications (Log Collectors don't need Threats signatures), Antivirus, WildFire

Platform Type: Firewalls
  Software Updates: PAN‐OS, GlobalProtect agent/app
  Content Updates: Applications, Applications and Threats, Antivirus, BrightCloud URL filtering, WildFire, GlobalProtect data files...
Applications content, not the Threats content (for details, see Panorama, Log Collector, and Firewall Version Compatibility).

Each firewall or Log Collector receiving an update generates a log to indicate that the installation succeeded (Config log) or failed (System log).

Panorama requires a direct Internet connection for scheduled updates. Otherwise, you can perform only on‐demand updates (see Deploy Updates to Devices when Panorama Has No Internet Connection). You cannot schedule content updates for the Panorama management server; to install updates on demand, see Install Content and Software Updates for Panorama.

Before deploying updates, see Panorama, Log Collector, and Firewall Version Compatibility for important details about update version compatibility. Refer to the Release Notes for the minimum content release version you must install for a Panorama release.

Panorama can download only one update at a time; stagger the updates to ensure they succeed. If you schedule multiple updates to download during the same time interval, only the first download will succeed. Perform the following steps for each update type you want to schedule.

Schedule a Content Update Using Panorama

Step 1 Select Panorama > Device Deployment > Dynamic Updates, click Schedules, and click Add.

Step 2 Specify a Name to identify the schedule, the update Type, and the update frequency (Recurrence). The available frequency options depend on the update Type. PAN‐OS uses the Panorama timezone for update scheduling.
  The WildFire Private (WF-Private) type is available only if you set the WildFire Server field (Panorama > Setup > WildFire) to a WF‐500 appliance, not to the WildFire cloud.

Step 3 Select one of the following schedule actions and then select the firewalls or Log Collectors:
  • Download And Install (best practice)—Select Devices (firewalls) or Log Collectors.
  • ...
Deploy Updates to Devices when Panorama Has an Internet Connection
  Deploy an Update to Log Collectors when Panorama is Internet‐connected
  Deploy an Update to Firewalls when Panorama is Internet‐connected

Deploy an Update to Log Collectors when Panorama is Internet‐connected

For a list of software and content updates you can install on Log Collectors, see Supported Updates by Device Type.

Deploy an Update to Log Collectors when Panorama is Internet‐connected

Step 1 Before you upgrade Log Collectors, ensure that the Panorama software and content release versions on the Panorama management server are updated as needed.
  Panorama must be running the same (or later) release as the Log Collectors but must have the same or an earlier content release version. Palo Alto Networks highly recommends that Panorama and Log Collectors run the same Panorama release.
  If your Panorama management server is not running the appropriate software and content release versions, then Install Content and Software Updates for Panorama before you update Log Collectors.

Step 2 Install content updates. You must install content updates before software updates. Refer ...
  Check Now (Panorama > Device Deployment > Dynamic Updates) for the latest updates. If an update is available, the Action column displays a Download link.
Deploy an Update to Log Collectors when Panorama is Internet‐connected (Continued)

Step 3 Determine the software upgrade path for each Log Collector that you intend to update.
  You cannot skip installation of any major release versions in the path to your target Panorama release. For example, if you intend to upgrade from Panorama 5.0.11 to Panorama 6.1.3, you must:
  • Download and install a Panorama 5.1 release based on your platform:
    – Panorama virtual appliance—Download and install Panorama 5.1.0 and reboot.
    – Panorama M‐100 appliance:
      ‐ Download Panorama 5.1.0 and upload it to the Log Collectors without installing or rebooting.
      ‐ Download and install a Panorama 5.1.x maintenance release and reboot.
  Check which Software Version is running on each Log Collector you intend to upgrade (Panorama > Managed Collectors) and take note of each release you need to download in your path to Panorama 6.1.
  If upgrading more than one Log Collector, streamline the process by determining the upgrade paths for all Log Collectors you intend to upgrade before you start downloading images.
  We highly recommend that you review the known issues and changes to default behavior in the Release Notes and upgrade/downgrade considerations in the New Features Guide for each release through which you pass as part of your upgrade path.
Deploy an Update to Log Collectors when Panorama is Internet‐connected (Continued)

Step 4 For all Log Collectors you intend to update, use the upgrade path(s) identified in Step 3 to upgrade all Log Collectors to your target Panorama release.
  On Panorama, Check Now (Panorama > Device Deployment > Software) for the latest updates. If an update is available, the Action column displays a Download link.
  For each release in your upgrade path, Download the model‐specific file for the release version to which you are upgrading. For example, to upgrade an M‐100 appliance to Panorama 6.1.3, download the Panorama_m-6.1.3 image. After a successful download, the Action column changes from Download to Install for that image.
  Click Install (for the next version in your upgrade path) and select the appropriate Log Collectors.
  Select one of the following depending on the version you are installing within your upgrade path (Step
  • Upload only to device (do not install)
  • ...
Deploy Updates to Devices when Panorama Has No Internet Connection
  Deploy an Update to Log Collectors when Panorama is not Internet‐connected
  Deploy an Update to Firewalls when Panorama is not Internet‐connected

Deploy an Update to Log Collectors when Panorama is not Internet‐connected

For a list of software and content updates you can install on Log Collectors, see Supported Updates by Device Type.

Deploy an Update to Log Collectors when Panorama is not Internet‐connected

Step 1 Upgrade the software and content versions on the Panorama management server.
  Install Content and Software Updates for Panorama.
  You must upgrade Panorama and then Log Collectors before upgrading firewalls. The software version must be the same as or higher than the version you will install on the Log Collectors. The content versions must be the same as or lower than the versions you will install on the Log Collectors.

Step 2 Determine the software upgrade path. Required for Panorama software updates.
  Log in to Panorama, select Panorama > Managed Collectors, and note the current Software Version for the Log Collectors you will upgrade.
  You cannot skip any major Panorama release versions on the path between the current version and the target version. For example, to upgrade Log Collectors from Panorama 5.0.11 to Panorama 6.1.3:
  Upload and install a Panorama 5.1 release based on your platform:
  • ...
Deploy an Update to Log Collectors when Panorama is not Internet‐connected (Continued)

Step 3: Download the updates to a host that has Internet access. Panorama must have access to the host.
Use a host with Internet access to log in to the Palo Alto Networks Customer Support web site.
Download content updates:
a. Click Dynamic Updates in the Resources section.
b. Download the desired content update and save the file to the host. Perform this step for each content type you will update.
Download software updates:
a. Return to the main page of the Palo Alto Networks Customer Support web site and click Software Updates in the Resources section.
b. Review the Download column to determine the version to install. The filename of the update package indicates the platform: Panorama_pc‐<release> for the Panorama virtual appliance or Panorama_m‐<release> for the Panorama M‐100 appliance.
c. Click the filename and save the file to the host.

Step 4: Install content updates. You must install content updates before software updates. Refer to the Release Notes for the minimum content release version ...
Install the Applications or Applications and Threats update first, and then install any other updates (Antivirus or WildFire) one at a time in any sequence. Regardless of whether your subscription includes both ...
Deploy an Update to Log Collectors when Panorama is not Internet‐connected (Continued)

Step 6: Verify the software and content versions that are installed on each Log Collector.
Log in to the Log Collector CLI and enter the show system info operational command. The output will resemble the following:
sw-version: 6.1.0
app-version: 366-1738
app-release-date: 2014/10/29 15:46:03
av-version: 1168-1550
av-release-date: 2014/10/21 14:31:27
threat-version: 366-1738
threat-release-date: 2014/10/29 15:46:03

Deploy an Update to Firewalls when Panorama is not Internet‐connected

For a list of software and content updates you can install on firewalls, see Supported Updates by Device Type.

Deploy an Update to Firewalls when Panorama is not Internet‐connected

Step 1: Upgrade the software and content versions on the Panorama management server.
You must upgrade Panorama and then Log Collectors before upgrading firewalls. Install Content and Software Updates for Panorama. The software version must be the same ...
Deploy an Update to Firewalls when Panorama is not Internet‐connected (Continued)

Step 3: Determine the software upgrade path. Required for PAN‐OS software updates.
Select Panorama > Managed Devices, and note the current Software Version for the firewalls you will upgrade. You cannot skip any major PAN‐OS release versions on the path between the current version and the target version. For example, to upgrade firewalls from PAN‐OS 5.0.11 to PAN‐OS 6.1.3:
Upload and install PAN‐OS 5.1.0 and reboot.
Upload and install PAN‐OS 6.0.0 and reboot.
Upload PAN‐OS 6.1.0. Optionally, install this base image and reboot before you install the target maintenance release.
Upload and install PAN‐OS 6.1.3 and reboot.

Step 4: Download the updates to a host that has Internet access. Panorama must have access to the host.
Use a host with Internet access to log in to the Palo Alto Networks Customer Support web site.
Download content updates:
a. Click Dynamic Updates in the Resources section.
b. Download the desired content update and save the file to the host. Perform this step for each content type you will update.
Download software updates:
a. Return to the main page of the Palo Alto Networks Customer Support web site and click Software Updates in the Resources section.
b. ...
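The upgrade-path rule in Step 3 above (and in Step 2 of the Log Collector procedure), together with the version ordering Panorama must satisfy before Log Collectors are upgraded, can be checked mechanically before anyone clicks Install. The following Python script is an added example, not code from this guide or from Palo Alto Networks: it parses `show system info` output in the layout the guide shows for a Log Collector, computes the no-skipped-feature-release path, and checks the software/content ordering rules. The list of feature releases and the sample output are assumptions constructed for the example.

```python
import re

# Constructed sample of `show system info` output in the layout the guide shows for
# a Log Collector. The values are constructed for this example, not from a real device.
SAMPLE_SYSTEM_INFO = """\
sw-version: 6.1.0
app-version: 366-1738
app-release-date: 2014/10/29 15:46:03
av-version: 1168-1550
av-release-date: 2014/10/21 14:31:27
threat-version: 366-1738
threat-release-date: 2014/10/29 15:46:03
"""

# Feature (major) releases in order. The guide's examples run from 5.0 through 6.1;
# this list is an assumption for the example and would be extended for later releases.
FEATURE_RELEASES = ["5.0", "5.1", "6.0", "6.1"]


def parse_system_info(text):
    """Turn `key: value` lines from `show system info` into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+):\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def version_tuple(version):
    """Comparable tuple: '6.1.3' -> (6, 1, 3); content '366-1738' -> (366, 1738)."""
    return tuple(int(part) for part in re.split(r"[.-]", version))


def feature_release(version):
    """'5.0.11' -> '5.0'."""
    return ".".join(version.split(".")[:2])


def upgrade_path(current, target):
    """Ordered images to install from `current` to `target`.

    The guide's rule: no feature release may be skipped, so the .0 base image of every
    feature release after the current one, up to the target's, is installed in order,
    followed by the target maintenance release itself. Returns [] when already there.
    """
    if version_tuple(current) >= version_tuple(target):
        return []
    start = FEATURE_RELEASES.index(feature_release(current))
    end = FEATURE_RELEASES.index(feature_release(target))
    path = [f"{rel}.0" for rel in FEATURE_RELEASES[start + 1:end + 1]]
    if target not in path:
        path.append(target)
    return path


def check_panorama_prereqs(panorama_info, collector_sw, collector_content):
    """Verify the ordering rules from Step 1 before upgrading Log Collectors: Panorama
    software must be the same or higher than what goes on the Log Collectors, and its
    content versions the same or lower. Returns a list of violations (empty = OK)."""
    problems = []
    if version_tuple(panorama_info["sw-version"]) < version_tuple(collector_sw):
        problems.append(
            f"Panorama software {panorama_info['sw-version']} is older than target {collector_sw}")
    for key, target in collector_content.items():
        if key in panorama_info and version_tuple(panorama_info[key]) > version_tuple(target):
            problems.append(f"Panorama {key} {panorama_info[key]} is newer than target {target}")
    return problems


if __name__ == "__main__":
    info = parse_system_info(SAMPLE_SYSTEM_INFO)
    print("Firewall path 5.0.11 -> 6.1.3:", upgrade_path("5.0.11", "6.1.3"))
    print("Prereq violations:", check_panorama_prereqs(info, "6.1.3", {"app-version": "366-1738"}))
```

Run the script on the output of `show system info` from the Panorama management server and from each device you plan to upgrade; a non-empty violation list means the Panorama upgrade in Step 1 has not been completed yet, and the path list is the order in which to upload and install the images.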
Deploy an Update to Firewalls when Panorama is not Internet‐connected (Continued)

Step 7: Upload PAN‐OS software updates.
Select Panorama > Device Deployment > Software. Click Upload, Browse to the update file, and click OK.

Step 8: Install PAN‐OS software updates. To avoid downtime when updating the software on high availability (HA) firewalls, update one HA peer at a time. For active/active firewalls, it doesn’t matter which peer you update first. For active/passive firewalls, you ...
Perform the steps that apply to your firewall deployment. Remember that rebooting is necessary only for certain update versions within the upgrade path (see Step
• Non‐HA firewalls—Click Install From File, select the File Name of the update you just uploaded, select all the firewalls you are upgrading, select Reboot device after install, and click OK.
• Active/active HA firewalls:
a. Click Install From File, select the File Name of the update ...
Use Panorama for Visibility Monitor Network Activity

Use Panorama for Visibility

In addition to its central deployment and firewall configuration features, Panorama also allows you to monitor and report on all traffic that traverses your network. While the reporting capabilities on Panorama and the firewall are very similar, the advantage that Panorama provides is that it is a single pane view of aggregated information across all your managed firewalls. This aggregated view provides actionable information on trends in user activity, traffic patterns, and potential threats across your entire network.

Using the Application Command Center (ACC), the App‐Scope, the log viewer, and the standard, customizable reporting options on Panorama, you can quickly learn more about the traffic traversing the network. The ability to view this information allows you to evaluate where your current policies are adequate and where they are insufficient. You can then use this data to augment your network security strategy. For example, you can enhance the security rules to increase compliance and accountability for all users across the network, or manage network capacity and minimize risks to assets while meeting the rich application needs for the users in your network.

The following topics provide a high‐level view of the reporting capabilities on Panorama, including a couple of use cases to illustrate how you can use these capabilities within your own network infrastructure. For a complete list of the available reports and charts and the description of each, refer to the online help.
Monitor the Network with the ACC and AppScope
Analyze Log Data
Generate, Schedule, and Email Reports

Monitor the Network with the ACC and AppScope

Both the ACC and the AppScope allow you to monitor and report on the data recorded from traffic that traverses your network. The ACC on Panorama displays a summary of network traffic.
Panorama can dynamically query data from all the managed firewalls on the network and display it in the ACC. This display allows you to monitor the traffic by applications, users, and content activity—URL categories, threats, data filtering, file blocking, HIP match for GlobalProtect—across the entire network of Palo Alto Networks next‐generation firewalls.

The AppScope helps identify unexpected or unusual behavior on the network at a glance. It includes an array of charts and reports—Summary Report, Change Monitor, Threat Monitor, Threat Map, Network Monitor, Traffic Map—that allow you to analyze traffic flows by threat or application, or by the source or destination for the flows. You can also sort by session or byte count.

Use the ACC and the AppScope to answer questions such as:
Monitor > AppScope
What are the top applications used on the What are the Application usage trends—what ...
Change Data Source—The default source used to display the statistics on the charts in the ACC is the Panorama local data. With the exception of the data that displays in the Application chart, all other charts require you to enable log forwarding to Panorama. Using the local data on Panorama provides a quick load time for the charts. You can, however, change the data source to Remote Device Data. When configured to use Remote Device Data, instead of using the local Panorama data, Panorama will poll all the managed firewalls and present an aggregated view of the data. The onscreen display indicates the total number of firewalls being polled and the number of firewalls that have responded to the query for information.

Select the Charts to View—The ACC includes an array of charts in the areas of Application, URL Filtering, Threat Prevention, Data Filtering, and HIP Match. With the exception of the Application charts and HIP Match, all the other charts display only if the corresponding feature has been licensed on the firewall, and you have enabled logging.

Tweak Time Frame and Sort Data—The reporting time period in the ACC ranges from the last 15 minutes to the last hour, day, week, month, or any custom‐defined time. You can sort the data by sessions, bytes, or threats and filter to view from 5‐500 items.

Analyze Log Data

The Monitor tab on Panorama provides access to log data; these logs are an archived list of sessions that have been processed by the managed firewalls and forwarded to Panorama. Log data can be broadly grouped into two types: those that detail information on traffic flows on your network, such as applications, threats, host information profiles, URL categories, and content/file types, and those that record system events, configuration changes, and alarms.
Based on the log forwarding configuration on the managed firewalls, the Monitor > Logs tab can include logs for traffic flows, threats, URL filtering, data filtering, Host Information Profile (HIP) matches, and WildFire submissions. You can review the logs to verify a wealth of information on a given session or transaction. ...
Report Type: Description

Predefined: A suite of predefined reports in the Monitor > Reports tab that are available in four categories: Applications, Threats, URL Filtering, and Traffic.

User‐activity: The user activity report is a predefined report that is used to create an on‐demand report to document the application use and URL activity broken down by URL category for a specific user with estimated browse time calculations. This report is available in the Monitor > PDF Reports > User Activity Reports tab.

Custom: Create and schedule custom reports that display exactly the information you want to see by filtering on conditions and columns to include. You can generate reports to query data from a summary database on Panorama or on the remote devices (that is, the managed firewalls), or use the detailed reports on Panorama or on the remote devices. To view the databases available for generating these reports, see the Monitor > Manage Custom Reports tab. You can also create Report Groups (Monitor > PDF Reports > Report Groups tab) to compile predefined reports and custom reports as a single PDF.

PDF Summary: Aggregate up to 18 predefined reports, graphs, and custom reports into one PDF ...
Generate, Schedule, and Email Reports

Step 1: Generate reports. You must set up a Report Group to email report(s).
The steps to generate a report depend on the type:
• Create a custom report.
a. Select Monitor > Manage Custom Reports.
b. Click Add and then enter a Name for the report.
c. Select the database, Panorama or Remote Device Data, that you would like to use for the report. You can use the summary database or the detailed logs on Panorama or on the managed firewalls.
d. Select the Scheduled check box.
e. Define your filtering criteria. Select the Time Frame, the Sort By order, Group By preference, and select the columns that must display in the report.
f. (Optional) Select the Query Builder attributes, if you want to further refine the selection criteria.
g. To test the report settings, select Run Now. Modify the ...
Generate, Schedule, and Email Reports (Continued)

Step 2: Set up Panorama to email reports.
Select Panorama > Server Profiles > Email. Click Add and then enter a Name for the profile. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail Transport Protocol (SMTP) server and send email (you can add up to four email servers to the profile):
• Server—Name to identify the mail server (1‐31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.
• Email Display Name—The name to display in the From field of the email.
• From—The email address where notification emails will be sent from.
• To—The email address to which notification emails will be sent.
• Additional Recipient—To send notifications to a second account, enter the additional address here.
• Email Gateway—The IP address or host name of the SMTP gateway to use to send the emails.
Click OK to save the server profile. Click Commit and select Panorama as the Commit Type to ...
Use Case: Monitor Applications Using Panorama Monitor Network Activity

The Monitor > App-Scope > Traffic Map tab displays a geographical map of the traffic flow and provides a view of incoming versus outgoing traffic. You can also use the Monitor > App-Scope > Change Monitor tab to view changes in traffic patterns. For example, compare the top applications used over this hour to the last week or month to determine if there is a pattern or trend.

With all the information you have now uncovered, you can evaluate what changes to make to your policy configurations. Here are some suggestions to consider:
Be restrictive and create a pre‐rule on Panorama to block all BitTorrent traffic. Then use Panorama device groups to create and push this policy rule to one or more firewalls.
Enforce bandwidth use limits and create a QoS profile and policy that de‐prioritizes non‐business traffic. Then use Panorama templates to push this policy to one or more firewalls. Use Panorama device groups and templates to configure QoS and then push rules to one or more firewalls.
Reduce risk to your network assets and create an application filter that blocks all file sharing applications that are peer‐to‐peer technology with a risk factor of 4 or 5. Make sure to verify that the bittorrent application is included in that application filter, and will therefore be blocked.
Schedule a custom report group that pulls together the activity for the specific user and that of the top applications used on your network to observe that pattern for another week or two before taking action.

Besides checking for a specific application, you can also check for any unknown applications in the list of top applications. These are applications that did not match a defined App‐ID signature and display as unknown‐udp and unknown‐tcp. To delve into these unknown applications, click on the name to drill down to the details for the unclassified traffic.
Use the same process to investigate the top source IP addresses of the hosts that initiated the unknown traffic along with the IP address of the destination host to which the session was established. For unknown ...
Use Case: Respond to an Incident Using Panorama Monitor Network Activity

Use Case: Respond to an Incident Using Panorama

Network threats can originate from different vectors, including malware and spyware infections due to drive‐by downloads, phishing attacks, unpatched servers, and random or targeted denial of service (DoS) attacks, to name a few methods of attack. The ability to react to a network attack or infection requires processes and systems that alert the administrator to an attack and provide the necessary forensics evidence to track the source and methods used to launch the attack. The advantage that Panorama provides is a centralized and consolidated view of the patterns and logs collected from the managed firewalls across your network. You can use the correlated attack information, alone or in conjunction with the reports and logs generated from a Security Information Event Manager (SIEM), to investigate how an attack was triggered and how to prevent future attacks and loss or damage to your network.

The questions that this use case probes are:
How are you notified of an incident?
How do you corroborate that the incident is not a false positive?
What is your immediate course of action?
How do you use the available information to reconstruct the sequence of events that preceded or followed the triggering event?
What are the changes you need to consider for securing your network?

This use case traces a specific incident and shows how the visibility tools on Panorama can help you respond to the report.
Incident Notification
Review Threat Logs
Review WildFire Logs
Review Data Filtering Logs
Update Security Policies

Incident Notification

There are several ways that you could be alerted to an incident depending on how you’ve configured the Palo Alto Networks firewalls and which third‐party tools are available for further analysis.
You might receive an email notification that was triggered by a log entry recorded to Panorama or to your syslog server, or you ...
Review Threat Logs

To begin investigating the alert, use the threat ID to search the threat logs on Panorama (Monitor > Logs > Threat). From the threat logs, you can find the IP address of the victim, export the packet capture (PCAP, which has a green arrow icon in the log entry), and use a network analyzer tool such as WireShark to review the packet details. In the HTTP case, look for a malformed or bogus HTTP REFERER in the protocol, a suspicious host, URL strings, the user agent, and the IP address and port in order to validate the incident. Data from these pcaps is also useful in searching for similar data patterns and creating custom signatures or modifying security policy to better address the threat in the future.

As a result of this manual review, if you feel confident about the signature, consider transitioning the signature from an alert action to a block action for a more aggressive approach. In some cases, you may choose to add the attacker IP to an IP block list to prevent further traffic from that IP address from reaching the internal network.

If you see a DNS‐based spyware signature, the IP address of your local DNS server might display as the Victim IP address. Often this is because the firewall is located north of the local DNS server, and so DNS queries show the local DNS server as the source IP rather than showing the IP address of the client that originated the request. If you see this issue, enable the DNS sinkholing action in the anti‐spyware profile in security policy in order to identify the infected hosts on your network. DNS sinkholing allows you to control outbound connections to malicious domains and redirect DNS queries to an unused internal IP address (the sinkhole), which does not put out a response.
When a compromised host initiates a connection to a malicious domain, instead of going out to the Internet, the firewall redirects the request to the IP address you defined and it is sinkholed. Now, reviewing the traffic logs for all hosts that connected to the sinkhole allows you to locate all compromised hosts and take remedial action to prevent the spread.

To continue with the investigation on the incident, use the information on the attacker and the victim IP address to find out more information, such as:
Where is the attacker located geographically?
Is the IP address an individual IP address or a NATed IP address?
Was the event caused by a user being tricked into going to a website, a download, or was it sent through ...
Review Data Filtering Logs

The data filtering log (Monitor > Logs > Data Filtering) is another valuable source for investigating malicious network activity. While you can periodically review the logs for all the files that you are being alerted on, you can also use the logs to trace file and data transfers to or from the victim IP address or user, and verify the direction and flow of traffic: server to client or client to server. To recreate the events that preceded and followed an event, filter the logs for the victim IP address as a destination, and review the logs for network activity. Because Panorama aggregates information from all managed firewalls, it presents a good overview of all activity in your network.

Some of the other visual tools that you can use to survey traffic on your network are the Threat Map, Traffic Map, and the Threat Monitor. The threat map and traffic map (Monitor > AppScope > Threat Map or Traffic Map) allow you to visualize the geographic regions for incoming and outgoing traffic. It is particularly useful for viewing unusual activity that could indicate a possible attack from outside, such as a DDoS attack. If, for example, you do not have many business transactions with Eastern Europe, and the ...
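The sinkhole review described under Review Threat Logs (find every host that connected to the sinkhole address) and the victim-centred review of the data filtering logs in this section are both log-filtering tasks over the same kind of data, so here is one added Python example, not code from this guide or from Palo Alto Networks, that performs both over constructed CSV-style log samples and merges the results into a timeline for the victim host. The column names, the addresses and the sinkhole IP are assumptions for the example; a real log export from Panorama has its own schema.

```python
import csv
import io
from collections import Counter

# Constructed samples in a CSV layout. The column names are assumptions for this
# example, not the export schema of Panorama's traffic or data filtering logs.
TRAFFIC_LOG_CSV = """\
receive_time,src,dst,dport,app,action
2014/10/29 10:01:02,10.1.1.25,198.51.100.7,80,web-browsing,allow
2014/10/29 10:01:05,10.1.1.25,10.0.0.250,443,ssl,allow
2014/10/29 10:02:11,10.1.1.40,10.0.0.250,80,web-browsing,allow
2014/10/29 10:03:00,10.1.1.77,203.0.113.9,443,ssl,allow
2014/10/29 10:03:13,10.1.1.25,10.0.0.250,80,web-browsing,allow
"""

DATA_FILTERING_LOG_CSV = """\
receive_time,src,dst,direction,app,file_name,action
2014/10/29 09:58:00,198.51.100.7,10.1.1.25,server-to-client,web-browsing,invoice.exe,alert
2014/10/29 10:04:30,10.1.1.25,203.0.113.9,client-to-server,ftp,payroll.xlsx,alert
2014/10/29 10:05:00,10.1.1.60,198.51.100.7,client-to-server,web-browsing,report.pdf,allow
"""

# Assumed: the unused internal address configured as the DNS sinkhole.
SINKHOLE_IP = "10.0.0.250"


def read_log(csv_text):
    """Parse a CSV log export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hosts_that_hit_sinkhole(traffic_csv, sinkhole_ip=SINKHOLE_IP):
    """Map each source IP that opened a session to the sinkhole address to its
    session count. A host only reaches the sinkhole after resolving a domain the
    anti-spyware profile sinkholed, so every entry is a compromise candidate."""
    counts = Counter(row["src"] for row in read_log(traffic_csv) if row["dst"] == sinkhole_ip)
    return dict(counts)


def transfers_involving(data_csv, victim_ip):
    """Split data filtering entries for a host into what reached it (victim is the
    destination) and what left it (victim is the source), in time order."""
    rows = sorted(read_log(data_csv), key=lambda r: r["receive_time"])
    return {
        "inbound": [r for r in rows if r["dst"] == victim_ip],
        "outbound": [r for r in rows if r["src"] == victim_ip],
    }


def host_timeline(traffic_csv, data_csv, victim_ip):
    """Merge traffic and data filtering entries that involve the victim into one
    chronological list of (time, log, summary) tuples, to reconstruct the sequence
    of events around the triggering alert."""
    events = []
    for r in read_log(traffic_csv):
        if victim_ip in (r["src"], r["dst"]):
            events.append((r["receive_time"], "traffic",
                           f'{r["src"]} -> {r["dst"]}:{r["dport"]} {r["app"]} {r["action"]}'))
    for r in read_log(data_csv):
        if victim_ip in (r["src"], r["dst"]):
            events.append((r["receive_time"], "data-filtering",
                           f'{r["direction"]} {r["file_name"]} ({r["app"]}, {r["action"]})'))
    # receive_time uses a fixed-width YYYY/MM/DD HH:MM:SS layout, so string order is time order.
    return sorted(events)


if __name__ == "__main__":
    print("Hosts that connected to the sinkhole:", hosts_that_hit_sinkhole(TRAFFIC_LOG_CSV))
    for event in host_timeline(TRAFFIC_LOG_CSV, DATA_FILTERING_LOG_CSV, "10.1.1.25"):
        print(*event)
```

In the constructed sample the timeline for 10.1.1.25 starts with an executable arriving server-to-client, continues with sessions to the sinkhole address, and ends with a spreadsheet leaving client-to-server, which is the kind of sequence the paragraph above asks you to reconstruct before deciding on remediation.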
Panorama High Availability Logging Considerations in Panorama HA

Logging Considerations in Panorama HA

Setting up Panorama in an HA configuration provides redundancy for log collection. Because the managed devices are connected to both Panorama peers over SSL, when a state change occurs, each Panorama sends a message to the managed devices. The devices are notified of the Panorama HA state and can forward logs accordingly. By default, when the managed devices cannot connect to Panorama (M‐100 appliance and the Panorama virtual appliance), they buffer the logs; when the connection is restored, they resume sending logs from where they last left off.

The logging options on the hardware‐based Panorama and on the Panorama virtual appliance differ:
Logging Failover on a Panorama Virtual Appliance
Logging Failover on an M‐100 Appliance

Logging Failover on a Panorama Virtual Appliance

On the Panorama virtual appliance, you have the following log failover options:

Log Storage Type: Description

Virtual Disk: By default, the managed devices send logs as independent streams to each Panorama HA peer. By default, if a peer becomes unavailable, the managed devices buffer the logs and when the peer reconnects it resumes sending logs from where it had left off (subject to disk storage capacity and duration of the disconnection). Logging to a virtual disk provides redundancy in logging. However, the maximum log storage capacity is 2TB. The option to forward logs only to the active peer is configurable (see Modify Log Forwarding and Buffering Defaults). However, Panorama does not support log aggregation across the HA pair. So, if you log to a virtual disk or local disk, for monitoring and reporting you must query the Panorama peer that collects the logs from the managed devices.

Network File Share (NFS): When configured to use an NFS, only the active‐primary device mounts to the NFS‐based log partition and can receive logs.
On failover, the primary device goes into a passive‐primary state. In this scenario, until preemption occurs, the active‐secondary Panorama manages the devices, but it does not receive the logs and it cannot write to the NFS. To allow the active‐secondary peer to log to the NFS, you must manually switch it to primary so that it can mount to the NFS partition. For instructions, see Switch Priority after Panorama Failover to Resume NFS Logging.
Manage a Panorama HA Pair Panorama High Availability

Manage a Panorama HA Pair

Set Up HA on Panorama
Test Panorama HA Failover
Switch Priority after Panorama Failover to Resume NFS Logging
Restore the Primary Panorama to the Active State

Set Up HA on Panorama

Review the Panorama HA Prerequisites before performing the following steps:

Set Up HA on Panorama

Step 1: Set up connectivity between the MGT ports on the HA peers.
The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Set Up Panorama. Pick a device in the pair and complete the remaining tasks.

Step 2: Enable HA and (optionally) enable encryption for the HA connection.
Select Panorama > High Availability and edit the Setup section. Select Enable HA. In the Peer HA IP Address field, enter the IP address assigned to the peer device. In the Monitor Hold Time field, enter the length of time (milliseconds) that the system will wait before acting on a ...
Set Up HA on Panorama (Continued)

Step 3: Set the HA priority.
In Panorama > High Availability, edit the Election Settings section. Define the Device Priority as Primary or Secondary. Make sure to set one peer as primary and the other as secondary. If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state. Define the Preemptive behavior. By default preemption is enabled. The preemption selection—enabled or disabled—must be the same on both peers. If you are using an NFS for logging and you have disabled preemption, to resume logging to the NFS see Switch Priority after Panorama Failover to Resume NFS Logging.

Step 4: To configure path monitoring, define one or more path groups. The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity.
Perform the following steps for each path group that includes the nodes that you want to monitor. Select Panorama > High Availability and, in the Path Group section, click Add. Enter a Name for the path group. Select a Failure Condition for this group:
• ...
Test Panorama HA Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the peer transitions states successfully.

Test Panorama HA Failover

Step 1: Log in to the active Panorama peer.
You can verify the state of the Panorama server in the bottom right corner of the web interface.

Step 2: Suspend the active Panorama peer.
Select Panorama > High Availability, and then click the Suspend local Panorama link in the Operational Commands section.

Step 3: Verify that the passive Panorama peer has taken over as active.
On the Panorama Dashboard, High Availability widget, verify that the state of the Local passive server is active and the state of the Peer is suspended.

Step 4: Restore the suspended peer to a functional state. Wait for a couple of minutes, and then verify that preemption has occurred, if preemptive is enabled.
On the Panorama you previously suspended: In the Operational Commands section of the Device > High Availability tab, click the Make local Panorama functional link.
Switch Priority after Panorama Failover to Resume NFS Logging

Step 1: Log in to the currently passive‐primary Panorama, select Panorama > Setup > Operations and, in the Device Operations section, click Shutdown Panorama.
Step 2: Log in to the active‐secondary Panorama, select Panorama > High Availability, edit the Election Settings, and set the Priority to Primary.
Step 3: Click Commit, for the Commit Type select Panorama, and click OK. Do not reboot when prompted.
Step 4: Log in to the Panorama CLI and enter the following command to change the ownership of the NFS partition to this peer:
request high-availability convert-to-primary
Step 5: Select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.
Step 6: Power on the Panorama peer that you powered off in Step 1. This peer will now be in a passive‐secondary state.

Restore the Primary Panorama to the Active State

By default, the preemptive capability on Panorama allows the primary Panorama to resume functioning as the active peer as soon as it becomes available. However, if preemption is disabled, the only way to force the primary Panorama to become active after recovering from a failure, a non‐functional, or a suspended state, is by suspending the secondary Panorama peer. Before the active‐secondary Panorama goes into a suspended state, it transfers the candidate configuration to the passive device so that all your uncommitted configuration changes are saved and can be accessed on the other peer.

Suspend the Secondary Panorama

Step 1: Suspend Panorama.
Manage Configuration Backups Administer Panorama

Manage Configuration Backups

A configuration backup is a snapshot of the system configuration. In case of a system failure or a misconfiguration, a configuration backup allows you to restore Panorama to a previously saved version of the configuration. On Panorama, you can manage configuration backups of the managed firewalls and that of Panorama:

Manage configuration backups of the managed devices—Panorama automatically saves every configuration change that is committed to a managed firewall running PAN‐OS version 5.0 or later. By default, Panorama stores up to 100 versions for each firewall. This value is configurable.
Manage Panorama configuration backups—You can manually export the running configuration of Panorama, as required.
Export a configuration file package—In addition to its own running configuration, Panorama saves a backup of the running configuration from all managed firewalls. You can generate a gzip package of the latest version of the configuration backup of Panorama and that of each managed firewall either on‐demand or schedule an export using the Scheduled Config Export capability. The package can be scheduled for daily delivery to an FTP server or a Secure Copy (SCP) server; the files in the package are in an XML format, and each file name references the firewall serial number for easy identification.

You can perform the following tasks to manage configuration backups:
Schedule Export of Configuration Files
Manage Panorama Configuration Backups
Configure the Number of Configuration Backups Panorama Stores
Load a Configuration Backup on a Managed Firewall

Schedule Export of Configuration Files

Use these instructions to schedule daily exports of the configuration file package that contains the backup of the running configuration of Panorama and the managed firewalls. You require superuser privileges to configure the export.
If Panorama has a high availability (HA) configuration, you must perform these instructions on each peer to ensure the scheduled exports continue after a failover. Panorama does not synchronize scheduled configuration exports between HA peers.
Manage Panorama Configuration Backups: Validate, Revert, Save, Load, Export or Import

Select Panorama > Setup > Operations. In the Configuration Management section, select from the following options:
• Validate candidate Panorama configuration—Verifies that the candidate configuration has no errors; validating the configuration file allows you to resolve errors before you commit the changes.
• Revert to last saved Panorama configuration—Overwrites the current candidate configuration and restores the last saved candidate configuration from disk.
• Revert to running Panorama configuration—Reverts all changes saved to the candidate configuration; it effectively allows you to undo all configuration changes that were made since the last commit operation.
• Save named Panorama configuration snapshot—Saves the candidate configuration to a file. Enter a file name or select an existing file to overwrite. Note that the current active configuration file (running‐config.xml) cannot be overwritten.
• Save candidate Panorama configuration—Saves the candidate configuration to disk; it is the same as using the Save link at the top of the page to save the changes to the candidate configuration file.
Compare Changes in Panorama Configurations Administer Panorama

Compare Changes in Panorama Configurations

To compare configuration changes on Panorama, you can select any two sets of configuration files: the candidate configuration, the running configuration, or any other configuration version that has been previously saved or committed on Panorama. The side‐by‐side comparison allows you to:
Preview the changes in configuration before committing them to Panorama. You can, for example, preview the changes between the candidate configuration and the running configuration. As a best practice, select the older version on the left pane and the newer version on the right pane, to easily compare and identify modifications.
Perform a configuration audit to review and compare the changes between two sets of configuration files.

Compare Changes in Panorama Configurations
Select Panorama > Config Audit. For each drop‐down, select a configuration for the comparison. Select the number of lines that you want to include for Context, and click Go. To easily compare versions, the changes are highlighted.

Configure the Number of Versions Panorama Stores for Configuration Audits
Select Panorama > Setup > Management and edit the Logging and Reporting Settings. For the Number of Versions for Config Audit, enter a value between 1 and 1048576. The default is 100. Click Commit, for the Commit Type select Panorama, and click OK.

View and Compare Panorama Configuration Files Before Committing
Click Commit. Select Preview Changes and select the number of lines of context you want to see. Click OK. ...
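To see what the Config Audit comparison and the Preview Changes option do with their lines of context, here is an added Python example, not code from this guide or from Palo Alto Networks, that diffs two constructed XML configuration snapshots, older on the left and newer on the right as the best practice above recommends, with a configurable number of context lines, and summarizes what a reviewer should look at before committing. The XML content is constructed for the example and is not the real Panorama configuration schema.

```python
import difflib

# Constructed "older" and "newer" configuration snapshots. The element names are
# invented for this example and are not the real Panorama configuration schema.
RUNNING_CONFIG = """\
<config>
  <mgt-config>
    <users>
      <entry name="admin"/>
    </users>
  </mgt-config>
  <settings>
    <timeout>30</timeout>
  </settings>
</config>
"""

CANDIDATE_CONFIG = """\
<config>
  <mgt-config>
    <users>
      <entry name="admin"/>
      <entry name="ops"/>
    </users>
  </mgt-config>
  <settings>
    <timeout>10</timeout>
  </settings>
</config>
"""


def config_diff(older, newer, context=3,
                older_name="running-config.xml", newer_name="candidate-config.xml"):
    """Unified diff of two configuration texts with `context` unchanged lines around
    each change. Pass the older version first (left pane) and the newer second
    (right pane) so that '+' lines are what the newer version adds. Returns [] when
    the two texts are identical."""
    return list(difflib.unified_diff(
        older.splitlines(), newer.splitlines(),
        fromfile=older_name, tofile=newer_name, n=context, lineterm=""))


def _body(diff_lines):
    """Drop the two '---'/'+++' file header lines difflib emits first."""
    return diff_lines[2:]


def summarize_diff(diff_lines):
    """Count hunks (each '@@' header) and added/removed lines."""
    summary = {"hunks": 0, "added": 0, "removed": 0}
    for line in _body(diff_lines):
        if line.startswith("@@"):
            summary["hunks"] += 1
        elif line.startswith("+"):
            summary["added"] += 1
        elif line.startswith("-"):
            summary["removed"] += 1
    return summary


def changed_elements(diff_lines):
    """The stripped content of every changed line, in diff order: the items a
    reviewer must account for before committing."""
    return [line[1:].strip() for line in _body(diff_lines)
            if line.startswith("+") or line.startswith("-")]


if __name__ == "__main__":
    # Fewer context lines split distant changes into separate hunks; more merge them.
    for n in (1, 3):
        diff = config_diff(RUNNING_CONFIG, CANDIDATE_CONFIG, context=n)
        print("\n".join(diff))
        print(summarize_diff(diff), changed_elements(diff))
```

With one line of context the two edits in the sample (a new user entry and a changed timeout) appear as two separate hunks; with three lines of context they merge into one, which is the same effect the Context setting has on the Config Audit page.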
Restrict Access to Configuration Changes

Use locks to prevent multiple administrative users from making configuration changes or committing changes on Panorama, shared policies, or to selected templates and/or device groups.
Types of Locks
Locations for Taking a Lock
Take a Lock
View Lock Holders
Enable Automatic Acquisition of the Commit Lock
Remove a Lock

Types of Locks
The available lock types are:
• Config Lock—Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser. The configuration lock is not released automatically.
• Commit Lock—Blocks other administrators from committing changes until all of the locks have been released. The commit lock ensures that partial configuration changes are not inadvertently committed to the firewall or to Panorama when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released automatically when the administrator who applied the lock commits the changes; the lock can be removed manually by the administrator who took the lock or by the superuser.
If a commit lock is held on a firewall, and an administrator commits configuration changes or shared policies to a template or device group that includes that firewall, the commit will fail with an error message indicating that there is an outstanding lock on a firewall.
Read‐only administrators who cannot make configuration changes to the firewall or Panorama will not be able to take either lock. Role‐based administrators who cannot commit changes can take the config lock and save the changes to the candidate configuration. They cannot, however, commit the changes themselves. Because they cannot commit the changes, the lock is not automatically released on commit; the administrator must manually remove the config lock after making the required changes.

Locations for Taking a Lock
The administrator can take a lock for any of the following categories, or locations:
• —Restricts changes to the selected device group.
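The lock rules above, modelled as an added example that is not part of the guide or of Panorama: the rules (who may take, hold and release each lock, and why a commit fails while another administrator's commit lock is outstanding) are the ones stated in the text; the class names, the single lock scope, and the scenario with admins alice, bob, carol, dave and root are assumptions.

```python
# Model of the Panorama config lock and commit lock rules described above.
# Added illustrative example, not Panorama code; a single lock scope is assumed.
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    SUPERUSER = "superuser"
    ROLE_BASED = "role-based"
    READ_ONLY = "read-only"


@dataclass(frozen=True)
class Admin:
    name: str
    role: Role
    can_commit: bool = True  # role-based admins may lack commit permission


class LockError(Exception):
    pass


@dataclass
class LockManager:
    locks: dict = field(default_factory=dict)  # "config"/"commit" -> holder name

    def take(self, admin, lock_type):
        if lock_type not in ("config", "commit"):
            raise ValueError(f"unknown lock type {lock_type!r}")
        if admin.role is Role.READ_ONLY:  # read-only admins can take neither lock
            raise LockError(f"{admin.name} is read-only")
        holder = self.locks.get(lock_type)
        if holder is not None and holder != admin.name:
            raise LockError(f"{lock_type} lock is already held by {holder}")
        self.locks[lock_type] = admin.name

    def remove(self, admin, lock_type):
        # Manual removal: only the holder or a superuser.
        holder = self.locks.get(lock_type)
        if holder is not None and admin.name != holder and admin.role is not Role.SUPERUSER:
            raise LockError(f"{admin.name} may not remove the {lock_type} lock held by {holder}")
        self.locks.pop(lock_type, None)

    def save_candidate(self, admin):
        # A config lock blocks every other administrator from changing the config.
        if admin.role is Role.READ_ONLY:
            raise LockError(f"{admin.name} is read-only")
        holder = self.locks.get("config")
        if holder is not None and holder != admin.name:
            raise LockError(f"config lock held by {holder}")
        return True

    def commit(self, admin):
        if admin.role is Role.READ_ONLY or not admin.can_commit:
            raise LockError(f"{admin.name} has no commit permission")
        holder = self.locks.get("commit")
        if holder is not None and holder != admin.name:
            raise LockError(f"outstanding commit lock held by {holder}")  # no partial commit
        if holder == admin.name:
            del self.locks["commit"]  # the commit lock is released automatically on commit
        return True  # a config lock is never released automatically


def race_scenario():
    """Two editing admins, one who cannot commit, one read-only, one superuser.
    Returns the outcome of each attempt and the locks still held at the end."""
    alice, bob = Admin("alice", Role.ROLE_BASED), Admin("bob", Role.ROLE_BASED)
    carol = Admin("carol", Role.ROLE_BASED, can_commit=False)
    dave, root = Admin("dave", Role.READ_ONLY), Admin("root", Role.SUPERUSER)
    lm, events = LockManager(), []

    def attempt(label, action):
        try:
            action()
            events.append(f"{label}: ok")
        except LockError as exc:
            events.append(f"{label}: denied ({exc})")

    attempt("dave takes commit lock", lambda: lm.take(dave, "commit"))
    attempt("alice takes commit lock", lambda: lm.take(alice, "commit"))
    attempt("bob commits", lambda: lm.commit(bob))      # blocked by alice's lock
    attempt("alice commits", lambda: lm.commit(alice))  # lock released automatically
    attempt("bob commits", lambda: lm.commit(bob))
    attempt("carol takes config lock", lambda: lm.take(carol, "config"))
    attempt("alice saves candidate", lambda: lm.save_candidate(alice))
    attempt("carol commits", lambda: lm.commit(carol))  # config lock stays held
    attempt("alice removes config lock", lambda: lm.remove(alice, "config"))
    attempt("root removes config lock", lambda: lm.remove(root, "config"))
    return events, dict(lm.locks)
```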
Reallocate Log Storage Quota

You can edit the default storage quotas for each log type but not for reports. When a log quota reaches the maximum size, Panorama starts overwriting the oldest log entries with the new log entries. The Panorama virtual appliance and M‐100 appliance have different locations for storing logs and different predefined storage capacities for reports:
• Panorama virtual appliance—Panorama writes all logs to its assigned storage space. The storage space can be the approximately 11GB storage allocated by default on the virtual disk that you created when installing Panorama or it can be an additional virtual disk or a Network File System (NFS) that you added when expanding the log storage capacity. The storage space for reports is 200MB.
• M‐100 appliance—Panorama saves logs to its internal SSD and RAID‐enabled disks. The M‐100 appliance uses its internal SSD to store the Config logs and System logs that Panorama and its Log Collectors generate, and also to store the Application Statistics (App Stats) logs that Panorama automatically receives at 15 minute intervals from all managed firewalls. Panorama saves all other log types to its RAID‐enabled disks. The RAID disks are either local to the M‐100 appliance in Panorama mode or are in a Dedicated Log Collector (M‐100 appliance in Log Collector mode). The storage space for reports is 500MB for Panorama 6.1 or later releases and 200MB for earlier releases.

Reallocate Log Storage Quota on the Panorama Virtual Appliance and the M‐100 Appliance
Step 1 Configure the storage quotas for:
• Logs of all types that a Panorama virtual appliance receives from firewalls.
• App Stats logs that Panorama (a virtual appliance or M‐100 appliance) ...
Select Panorama > Setup > Management and edit the Logging and Reporting Settings. In the Log Storage tab, enter the storage Quota (%) for each log type. When you change a percentage value, the page refreshes to display the corresponding absolute value (Quota ...
Reallocate Log Storage Quota on the Panorama Virtual Appliance and the M‐100 Appliance (Continued)
Step 2 Configure the storage quotas for logs of all types (except App Stats logs) that an M‐100 appliance receives from firewalls. The Log Collectors store these logs. You configure these storage quotas at the Collector Group level, not for individual Log Collectors.
Select Panorama > Collector Groups and select the Collector Group. In the General tab, click the Log Storage value. This field doesn’t display a value unless you assigned Log Collectors to the Collector Group (Panorama > Collector Groups > Device Log Forwarding). If the field displays 0MB after you assign Log Collectors, verify that you enabled the disk pairs when configuring the Log Collector and that you committed the changes (Panorama > Managed Collectors > Disks). Enter the storage Quota (%) for each log type. When you change a percentage value, the page refreshes to display the corresponding absolute value (Quota GB/MB column) based on the total storage allotted to the Collector Group.
Monitor Panorama

To monitor Panorama, you can either periodically view the system and configuration logs on Panorama or configure SNMP traps and/or email alerts that notify you when a monitored metric changes state or reaches a threshold on Panorama. Email alerts and SNMP traps are useful for immediate notification about critical system events that require your attention.
Panorama System and Configuration Logs
Set Up Email Alerts for Panorama
Set Up SNMP to Monitor Panorama

Panorama System and Configuration Logs
You can configure Panorama to send notifications if a system event occurs or any time a configuration change is made. By default, Panorama logs every configuration change to the configuration log. On the system log, each event has a severity level associated with it. The level indicates the urgency and the impact of the event, and you can choose to record all or selected system events, depending on the severity levels that you want to monitor. This section covers Panorama logs only. For information on forwarding logs from the managed firewalls, see Enable Log Forwarding to Panorama.
• Config Logs—Enable forwarding of Configuration logs by specifying a server profile in the log settings configuration (Panorama > Log Settings > Config Logs).
• System Logs—Enable forwarding of System logs by specifying a server profile in the log settings configuration (Panorama > Log Settings > System Logs). Select a server profile for each severity level you want to forward.
The following table summarizes the system log severity levels:
Severity Description...
Set Up Email Alerts for Panorama
Step 1 Create a server profile for your email server.
Select Panorama > Server Profiles > Email. Click Add and then enter a Name for the profile. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail Transport Protocol (SMTP) server and send email (you can add up to four email servers to the profile):
• Server—Name to identify the mail server (1‐31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.
• Display Name—The name to display in the From field of the email.
• From—The email address where notification emails will be sent from.
• To—The email address to which notification emails will be sent.
• Additional Recipient(s)—To send notifications to a second account, enter the additional address here.
• Gateway—The IP address or host name of the SMTP gateway to use to send the emails.
Click OK to save the server profile.
Step 2 (Optional) Customize the format of the ...
Set Up SNMP to Monitor Panorama (Continued)
Step 2 Configure Panorama for SNMP monitoring.
Select Panorama > Setup > Operations. In the Miscellaneous section, select SNMP Setup.
[Screenshot: SNMP Setup dialog, shown for SNMP v3]
Enter a text string to specify the physical Location of Panorama. Add the email address of one or more administrative contacts in the Contact field. Select the SNMP Version and then enter the configuration details as follows (depending on which SNMP version you are using) and then click OK:
• V2c—Enter the SNMP Community String that will allow the SNMP manager access to the SNMP agent on Panorama. The default value is public. However, because this is a well‐known community string, it is a best practice to use a value that is not easily guessed.
• V3—You must create at least one View and one User in order to use SNMPv3. The view specifies which management information the manager has access to. If you want to allow access to all management information, just enter the top‐level OID of .1.3.6.1 and specify the Option as include (you can also create views that exclude certain objects). Use 0xf0 as the Mask. Then when creating a user, ...
Set Up SNMP to Monitor Panorama (Continued)
Step 3 Create a server profile that contains the information for connecting and authenticating to the SNMP manager(s).
Select Panorama > Server Profiles > SNMP Trap. Click Add and then enter a Name for the profile. Specify the version of SNMP you are using (V2c or V3). Click Add to add a new SNMP Trap Receiver entry (you can add up to four trap receivers per server profile). The required values depend on whether you are using SNMP V2c or V3 as follows:
On SNMP V2c
• Server—Name to identify the SNMP manager (1‐31 characters). This field is just a label and does not have to be the hostname of an existing SNMP server.
• Manager—The IP address of the SNMP manager to which to send traps.
• Community—The community string required to authenticate to the SNMP manager.
On SNMP V3
• Server—Name to identify the SNMP manager (1‐31 characters). This field is just a label and does not have to be the hostname of an existing SNMP server.
• Manager—The IP address of the SNMP manager to which to send traps.
Configure Panorama Password Profiles and Complexity (Continued)
Step 2 Create Password Profiles. You can create multiple password profiles and apply them to administrator accounts as required to enforce security.
Select Panorama > Password Profiles and then click Add. Enter a Name for the password profile and define the following:
a. Required Password Change Period: Frequency, in days, at which the passwords must be changed.
b. Expiration Warning Period: Number of days before expiration that the administrator will receive a password reminder.
c. Post Expiration Grace Period: Number of days that the administrator can still log in to the system after the password expires.
d. Post Expiration Admin Login Count: Number of times that the administrator can log in to the system after the ...
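How the four profile settings interact at login time, as an added example that is not part of the guide or of Panorama: the function decides allow, warn, grace or deny for a login on a given date; the field names, the rule that the grace period and the post-expiration login count are two independent limits, and the constructed 90/7/3/2 profile are assumptions.

```python
# Evaluation of an administrator login against a password profile.
# Added illustrative model, not Panorama code: treating the grace period and
# the post-expiration login count as independent limits is an assumption.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordProfile:
    change_period_days: int   # Required Password Change Period
    warning_days: int         # Expiration Warning Period
    grace_days: int           # Post Expiration Grace Period
    grace_login_count: int    # Post Expiration Admin Login Count


@dataclass
class AdminAccount:
    name: str
    password_set_on: date
    post_expiry_logins: int = 0   # logins already used after expiry


def expiry_date(profile: PasswordProfile, account: AdminAccount) -> date:
    return account.password_set_on + timedelta(days=profile.change_period_days)


def evaluate_login(profile: PasswordProfile, account: AdminAccount, today: date) -> tuple:
    """Return (decision, detail); decision is "allow", "warn", "grace" or "deny".
    A grace login consumes one of the account's post-expiration logins."""
    days_left = (expiry_date(profile, account) - today).days
    if days_left > profile.warning_days:
        return "allow", f"{days_left} days until a password change is required"
    if days_left > 0:
        return "warn", f"password expires in {days_left} days"
    days_over = -days_left
    if days_over > profile.grace_days:
        return "deny", f"expired {days_over} days ago; grace period is {profile.grace_days} days"
    if account.post_expiry_logins >= profile.grace_login_count:
        return "deny", "post-expiration login count exhausted"
    account.post_expiry_logins += 1
    return "grace", (f"login {account.post_expiry_logins} of {profile.grace_login_count} "
                     f"after expiry; change the password now")


def run_demo() -> tuple:
    """Constructed walk-through: 90-day change period, 7-day warning, 3-day grace,
    2 post-expiry logins, password set on 2024-01-01 (so it expires 2024-03-31)."""
    profile = PasswordProfile(90, 7, 3, 2)
    acct = AdminAccount("ops-admin", date(2024, 1, 1))
    checks = [date(2024, 3, 1),    # 30 days left: allow
              date(2024, 3, 26),   # 5 days left: warn
              date(2024, 4, 1),    # 1 day over: grace login 1
              date(2024, 4, 2),    # 2 days over: grace login 2
              date(2024, 4, 2)]    # login count exhausted: deny
    decisions = [evaluate_login(profile, acct, d)[0] for d in checks]
    late = AdminAccount("late-admin", date(2024, 1, 1))
    decisions.append(evaluate_login(profile, late, date(2024, 4, 5))[0])  # past grace: deny
    return expiry_date(profile, acct).isoformat(), decisions
```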
Replace the Virtual Disk on a Panorama Virtual Appliance

You can’t resize a virtual disk after adding it to a Panorama virtual appliance on an ESXi server. Because the Panorama virtual appliance allows only one log storage location, if you need to increase or decrease disk space for logging, you must replace the virtual disk on the ESXi server to adjust the log storage capacity.
You will lose the logs on the existing disk when you replace it. One way to preserve the logs is to set up a new Panorama virtual appliance for the new disk (see Set Up the Panorama Virtual Appliance) and maintain access to the Panorama containing the old disk for as long as you need its logs. A second way to preserve the logs is to copy them from the old disk to the new disk. Copying can take several hours, depending on how many logs the disk currently stores, and Panorama cannot collect logs during the process. Contact Palo Alto Networks Customer Support for instructions on how to copy logs between disks. A third way to preserve existing logs is to Enable Log Forwarding from Panorama to External Destinations before you replace the virtual disk.

Replace the Virtual Disk on a Panorama Virtual Appliance
Step 1 Remove the old virtual disk.
Access the VMware vSphere Client and select the Virtual Machines tab. Right‐click the Panorama virtual appliance and select Power > Power Off. Right‐click the Panorama virtual appliance and select Edit Settings. Select the virtual disk in the Hardware tab and click Remove. Select one of the Removal Options and click OK.
Step 2 Add the new virtual disk.
Add a Virtual Disk to the Panorama Virtual Appliance. This task involves powering on the Panorama virtual appliance. The reboot process might take several minutes and the message cache data unavailable will display.
Step 3 Verify that the modified log storage capacity is correct.
Log in to the Panorama virtual appliance. Select Panorama > Setup > Management and verify that the Logging and Reporting Settings section, Log Storage field, ...
Troubleshoot Panorama System Issues

Diagnose Panorama Suspended State
Monitor the File System Integrity Check
Manage Panorama Storage for Software and Content Updates
Recover from Split Brain in Panorama HA Deployments

Diagnose Panorama Suspended State
If Panorama is in a suspended state, check for the following conditions:
• Verify that the serial number on each Panorama virtual appliance is unique. If the same serial number is used to create two or more instances of Panorama, all instances using the same serial number will be suspended.
• Verify that you have set the HA priority setting on one peer as Primary and the other as Secondary. If the priority setting is identical on both peers, the Panorama peer with a higher numerical value in serial number is placed in a suspended state.
• Verify that both Panorama HA peers are running the same Panorama version (major and minor version number).

Monitor the File System Integrity Check
Panorama periodically performs a file system integrity check (FSCK) to prevent corruption of the Panorama system files. This check occurs after eight reboots or at a reboot that occurs 90 days after the last FSCK was executed. If Panorama is running an FSCK, the web interface and SSH login screens will display a warning to indicate that an FSCK is in progress. You cannot log in until this process completes. The time to complete this process varies by the size of the storage system; depending on the size, it can take several hours before you can log back in to Panorama. To view the progress on the FSCK, set up console access to Panorama and view the status.

Manage Panorama Storage for Software and Content Updates
On Panorama, you can download (or manually upload) software images and content updates to centrally manage them on firewalls and M‐100 appliances in Log Collector mode. Supported Updates by Device Type lists which updates these devices support. For Panorama itself, you can also manage updates for Applications, Applications and Threats, Antivirus, and WildFire. The amount of space available on Panorama to store these images and updates is not user configurable. When the used capacity of the allotted storage reaches 90%, Panorama alerts you to free up space (delete stored images) for new downloads/uploads.
The maximum number of images is a global setting that applies to all the images and updates that Panorama stores. You can use only the CLI to configure the setting. The default value is five images/updates of each type; you cannot set the value for individual types.

Manage Panorama Storage for Software and Content Updates
• Modify the maximum number of images stored on Panorama. Access the CLI on Panorama and enter the following command (where x can be a number between 2 and 64):
  set max-num-images count x
• View the number of images that are stored on Panorama. Enter the following CLI command:
  show max-num-images
• Delete images to free up space on Panorama. You can perform this task using the web interface or the CLI. Use the following commands:
  • To delete software images by filename or version:
    delete software image <filename>
    delete software version <version_number>
  • To delete content updates:
    delete content update <filename>

Recover from Split Brain in Panorama HA Deployments
When Panorama is configured in a high availability (HA) setup, the managed firewalls are connected to both ...
Troubleshoot Log Storage and Connection Issues

What Ports are Used by Panorama?
Resolve Zero Log Storage for a Collector Group
Recover Logs after Failure/RMA of M‐100 Appliance in Log Collector Mode
Recover Logs after Failure/RMA of M‐100 Appliance in Panorama Mode
Recover Logs after Panorama Failure/RMA in Non‐HA Deployments
Regenerate Metadata for M‐100 Appliance RAID Pairs

What Ports are Used by Panorama?
To ensure that Panorama can communicate with managed firewalls, Log Collectors, and its high availability (HA) peer, use the following table to verify the ports that you must open on your network. On an M‐100 appliance running Panorama 6.1 or later releases, you can optionally assign the log collection and Collector Group communication functions to the Eth1 or Eth2 interfaces (instead of to the default MGT interface). The ports listed in the following table apply regardless of which function you assign to which interface. For example, if you assign log collection to MGT and assign Collector Group communication to Eth2, then MGT will use port 3978 and Eth2 will use port 28270. (The Panorama virtual appliance can only use the MGT interface for all these functions.)

Communicating Devices & Direction of Connection Establishment | Ports Used: 5.0 and 5.1 | Ports Used: 6.0 and 6.1 | Description
Panorama and Panorama (HA). Direction: Each peer initiates its own connection to the other | 28 | 28 | For HA connectivity and synchronization if encryption is enabled.
Panorama and Panorama (HA) | 28769 and 28260 (5.1) | 28260 and ... | ...
Log Collector to Log Collector. Direction: Each Log Collector initiates a connection to the other Log Collectors in the Collector Group | 49190 | 28270 | For distributing blocks and all binary data between Log Collectors.

Resolve Zero Log Storage for a Collector Group
The log storage capacity for the Collector Group might display as 0MB if the disk pairs are not enabled for logging. You must select the Log Collector and enable the disk pairs for logging in the Panorama > Managed Collectors tab; for instructions, see Step 9 in the Configure a Managed Collector topic.
To verify that the disks are enabled and available for log storage, select the Panorama > Managed Collectors tab and verify that the Log Collector displays as Connected and that the Configuration Status displays as In sync.

Recover Logs after Failure/RMA of M‐100 Appliance in Log Collector Mode
If you need to replace an M‐100 appliance in Log Collector mode (Dedicated Log Collector), you can migrate the logs it collected from firewalls by moving its RAID disks to a new M‐100 appliance. This enables you to recover logs after a system failure on the M‐100 appliance. This procedure applies whether the Panorama ...
Recover Logs after Failure/RMA of M‐100 Appliance in Log Collector Mode
Step 1 Perform initial setup of the new M‐100 appliance in Log Collector mode.
Rack mount the M‐100 appliance. Refer to the M‐100 Appliance Hardware Reference Guide for instructions.
Perform Initial Configuration of the M‐100 Appliance. If the old M‐100 appliance used the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces during initial configuration of the new M‐100 appliance (Panorama > Setup > Management).
Register Panorama.
Transfer licenses as follows:
a. Log in to the Customer Support Portal.
b. Select the Assets tab and click the Spares link.
c. Click the Serial Number of the new M‐100 appliance.
d. Click Transfer Licenses.
e. Select the old M‐100 appliance and click Submit.
Activate/Retrieve a Device Management License on the M‐100 Appliance.
Install Content and Software Updates for Panorama.
Switch from Panorama mode to Log Collector mode:
a. Access the Log Collector CLI and switch to Log Collector mode:
   > request system logger-mode logger
b. ...
Recover Logs after Failure/RMA of M‐100 Appliance in Log Collector Mode (Continued)
Step 2 On the Panorama management server, add the new Log Collector as a managed collector.
For all steps with commands that require a device serial number, you must type the entire serial number; pressing the Tab key won’t complete a partial serial number.
Configure the Log Collector as a managed collector using the Panorama web interface or using the following CLI commands:
   > configure
   set log-collector <LC_serial_number> deviceconfig system hostname <LC_hostname>
   exit
If the old Log Collector used the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces on the new Log Collector when you configure it as a managed collector (Panorama > Managed Collectors > Eth1 and Eth2).
Verify that the Log Collector is connected to Panorama and that the status of its disk pairs is present/available.
   > show log-collector serial-number <log-collector_SN>
The disk pairs will display as disabled at this stage of the restoration process.
Commit your changes to Panorama. Don’t commit the changes to the Collector Group just yet.
   > configure
   commit
   exit
Step 3...
Recover Logs after Failure/RMA of M‐100 Appliance in Log Collector Mode (Continued)
Step 4 Prepare the disks for migration.
Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M‐100 Appliance RAID Pairs.
Insert the disks into the new Log Collector. For details, refer to the disk replacement procedure in the M‐100 Appliance Hardware Reference Guide.
You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 on the old appliance into slot B1/B2 on the new appliance, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
Enable the disk pairs by running the following CLI command for each pair:
   > request system raid add <slot> force no-format
For example:
   > request system raid add A1 force no-format
   > request system raid add A2 force no-format
The force and no-format arguments are required. The force argument associates the disk pair with the new Log Collector. ...
Recover Logs after Failure/RMA of M‐100 Appliance in Log Collector Mode (Continued)
Step 6 Reconfigure the Collector Group.
Use the web interface to assign the new Log Collector to the firewalls that forward logs (Panorama > Collector Groups > Device Log Forwarding). Give the new Log Collector the same priority in the firewall preference lists as the old Log Collector. You use the web interface to perform this step because no CLI command can change the priority assignments of firewall preference lists.
Delete the old Log Collector from the Collector Group.
   > configure
   delete log-collector-group <group_name> logfwd-setting collectors <old_LC_serial_number>
For example:
   delete log-collector-group DC-Collector-Group logfwd-setting collectors 003001000010
Delete the old Log Collector from the Panorama configuration and commit your changes to Panorama.
   delete log-collector <old_LC_serial_number>
   commit
   exit
Commit the Collector Group changes so that the managed firewalls can send logs to the new Log Collector.
   > commit-all log-collector-config log-collector-group <collector_group_name>
For example:
   > commit-all log-collector-config log-collector-group DC-Collector-Group

Recover Logs after Failure/RMA of M‐100 Appliance in Panorama Mode
If you need to replace an M‐100 appliance in Panorama mode (Panorama management server), you can ...
Recover Logs after Failure/RMA of M‐100 Appliance in Panorama Mode (Continued)
Step 4 Prepare the disks for migration.
Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M‐100 Appliance RAID Pairs.
Insert the disks into the new M‐100 appliance. For details, refer to the disk replacement procedure in the M‐100 Appliance Hardware Reference Guide.
You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 on the old appliance into slot B1/B2 on the new appliance, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
Enable the disk pairs by running the following CLI command for each pair:
   > request system raid add <slot> force no-format
For example:
   > request system raid add A1 force no-format
   > request system raid add A2 force no-format
The force and no-format arguments are required. The force argument associates the disk pair with the new appliance. The ...
Recover Logs after Failure/RMA of M‐100 Appliance in Panorama Mode (Continued)
Step 6 Migrate the logs.
You must use the Panorama CLI for this step, not the web interface. You must assign the local Log Collector of the new M‐100 appliance to the Collector Group that contains the local Log Collector of the old M‐100 appliance.
Add the new local Log Collector as a member of the Collector Group and commit your changes to Panorama.
   set log-collector-group <collector_group_name> logfwd-setting collectors <SN_managed_collector>
   commit
   exit
The old local Log Collector still appears in the list of members, because you didn’t yet delete it from the configuration.
For each disk pair, migrate the logs to the new appliance.
   > request log-migration from <old_LC_serial_number> old-disk-pair <log_disk_pair> to <new_LC_serial_number> new-disk-pair <log_disk_pair>
For example:
   > request log-migration from 003001000010 old-disk-pair A to 00300100038 new-disk-pair A
Commit the changes to Panorama.
   > configure
   commit
Step 7 Reconfigure the Collector Group.
Use the web interface to assign the new Log Collector to the firewalls that forward logs (Panorama > Collector Groups > Device Log Forwarding). Give the new Log Collector the same ...
Recover Logs after Panorama Failure/RMA in Non‐HA Deployments

If a system failure occurs on a Panorama server that is managing one or more dedicated Log Collectors and the Panorama server is not deployed in a high availability (HA) configuration, use this procedure to restore the configuration on the replacement Panorama and regain access to the logs on the managed Log Collectors.
To manage data, Panorama maintains a ring file that maps the segments and partitions used for storing logs on the Log Collector. This ring file is stored to the internal SSD on an M‐100 appliance or on the internal disk of the Panorama virtual appliance that manages the Log Collector(s). When Panorama is not configured in HA and a system failure occurs, the ring file cannot be automatically recovered. Therefore, when you replace Panorama, in order to access the logs on the managed Collectors, you must restore the ring file.
As a best practice, Palo Alto Networks recommends deploying Panorama in an HA configuration. When deployed in HA, the primary Panorama peer that manages the Log Collectors stores the ring file to its internal storage (SSD of an M‐100 appliance or the internal disk of the Panorama virtual appliance). This ring file is then automatically synchronized to the passive Panorama peer and the ability to access logs on the managed Log Collectors is maintained automatically.

Recover Logs after Panorama Failure/RMA in Non‐HA Deployments
Step 1 Perform initial setup of the new M‐100 appliance.
Rack mount the M‐100 appliance. Refer to the M‐100 Appliance Hardware Reference Guide for instructions.
Perform Initial Configuration of the M‐100 Appliance. If the old M‐100 appliance used the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces during initial configuration of the new M‐100 appliance (Panorama > Setup > Management).
Register Panorama.
Transfer licenses as follows:
a. Log in to the Customer Support Portal.
b. Select the Assets tab and click the Spares link.
c. Click the Serial Number of the new M‐100 appliance.
Recover Logs after Panorama Failure/RMA in Non‐HA Deployments (Continued)
Step 2 Restore the configuration from the old Panorama to the replacement Panorama.
This task assumes that you have followed the recommendation to back up and export your Panorama configuration in order to recover from a system failure.
Restore the configuration from the old Panorama server to the new server. Select Panorama > Setup > Operations. Click Import named Panorama configuration snapshot, Browse to locate the saved file, and click OK. Click Load named Panorama configuration snapshot and select the version you just imported. Click Commit and in the Commit Type select Panorama. Click OK.
Step 3 Verify that connections to the managed collectors are restored.
Select Panorama > Managed Collectors and check that the Managed Collectors are connected.
Recover Logs after Panorama Failure/RMA in Non‐HA Deployments (Continued)
Step 5 Add the default local managed collector. Required if the managed collector configuration is missing on Panorama.
Access the CLI on the managed collector and enter the following commands to view the last entries in the log. These commands allow you to verify the name of the managed collector that you must define on Panorama.
a. Enter the command:
   > request fetch ring from log-collector <serial_number>
   The following error will display:
   Server error: Failed to fetch ring info from <serial_number>
b. Enter the command:
   > less mp-log ms.log
   The following error will display:
   Dec04 11:07:08 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group
The error message indicates that the missing Collector ...
Replace an RMA Firewall

To minimize the effort required to restore the configuration on a managed firewall involving a Return Merchandise Authorization (RMA), replace the serial number of the old firewall with that of the new/replacement firewall on Panorama. To then restore the configuration on the replacement firewall, either import a firewall state that you previously generated and exported from the firewall or use Panorama to generate a partial device state for managed firewalls running PAN‐OS 5.0 and later versions. By replacing the serial number and importing the device state, you can resume using Panorama to manage the firewall.
Partial Device State Generation for Firewalls
Before Starting RMA Firewall Replacement
Restore the Firewall Configuration after Replacement

Partial Device State Generation for Firewalls
When you use Panorama to generate a partial device state, it replicates the configuration of the managed firewalls with a few exceptions for Large Scale VPN (LSVPN) setups. You create the partial device state by combining two facets of the configuration on a managed firewall:
• Centralized configuration managed by Panorama—Panorama maintains a snapshot of the shared policies and templates that it pushes to firewalls.
• Local configuration on the firewall—When a configuration change is committed, each firewall sends a copy of its local configuration file to Panorama. Panorama stores this file and uses it to compile the partial device state bundle.
In an LSVPN setup, the partial device state bundle that you generate on Panorama is not the same as the version that you export from a firewall (by selecting Device > Setup > Operations and clicking Export device state). If you manually ran the device state export or scheduled an XML API script to export the device state file to a remote server, you can use the exported device state in your firewall replacement workflow.
– Serial number—You must enter the serial number on the Support portal to transfer the licenses from the old firewall to your replacement firewall. You will also enter this information on Panorama to replace all references to the older serial number with the serial number of the replacement firewall.

– (Recommended) PAN-OS version and the content database version—Installing the same software and content database versions, including the URL database vendor, allows you to create the same state on the replacement firewall. If you decide to install the latest version of the content database, you may notice differences because of updates and additions to the database. To verify the versions installed on the firewall, access the firewall system logs stored on Panorama.

Prepare the replacement firewall for deployment. Before you import the device state bundle and restore the configuration, you must:

– Verify that the replacement firewall is of the same model and is enabled for similar operational capability. Consider the following operational features: does it need to be enabled for multi-virtual systems, support jumbo frames, or be enabled to operate in CC or FIPS mode?

– Configure network access, transfer the licenses, and install the appropriate PAN-OS version and the content database version.

You must use the Panorama CLI to complete this firewall replacement process. This CLI-based workflow is available for the superuser and panorama-admin user roles.

If you have an LSVPN configuration, and are replacing a Palo Alto Networks firewall deployed as a satellite device or as an LSVPN portal, the dynamic configuration information that is required to restore LSVPN connectivity will not be available when you restore the partial device state generated on Panorama.
If you have been following the recommendation to frequently generate and export the device state for firewalls in an LSVPN configuration, use the device state that you have previously exported from the firewall itself instead of generating one on Panorama. If you have not manually exported the device state from the firewall, and need to generate a partial device state on Panorama, the missing dynamic configuration impacts the firewall replacement process as follows:

– If the firewall you are replacing is a portal device that is explicitly configured with the serial number of the satellite devices (Network > GlobalProtect > Portals > Satellite Configuration), when restoring the firewall configuration, although the dynamic configuration is lost, the portal firewall will be able to authenticate the satellite devices successfully. The successful authentication will ...
Restore the Firewall Configuration after Replacement

Tasks on the new firewall: Use the CLI for a more streamlined workflow.

Step 1 Perform initial configuration and verify network connectivity.

Use a serial port connection or an SSH connection to add an IP address, a DNS server IP address, and to verify that the firewall can access the Palo Alto Networks updates server. For instructions, refer to the PAN-OS Administrator's Guide.

Step 2 (Optional) Set the operational mode to match that on the old firewall. A serial port connection is required for this task.

Enter the following CLI command to access maintenance mode on the firewall:
debug system maintenance-mode
To boot into the maintenance partition, enter maint during the boot sequence. Select the operational mode as Set FIPS Mode or Set CCEAL 4 Mode from the main menu.

Step 3 Retrieve the license(s).

Enter the following command to retrieve your licenses:
request license fetch

Step 4 (Optional) Match the operational state of ...
Restore the Firewall Configuration after Replacement (Continued)

Tasks on the Panorama CLI: You cannot perform these tasks on the Panorama web interface.

Step 6 Export the device state bundle to a computer using SCP or TFTP. (Skip this step if you have manually exported the device state from your firewall.)

Enter one of the following commands:
scp export device-state device <old serial#> to <login>@<serverIP>:<path>
tftp export device-state device <old serial#> to <login>@<serverIP>:<path>
The export command generates the device state bundle as a tar zipped file and exports it to the specified location. This device state will not include the LSVPN dynamic configuration (satellite information and certificate details).

Step 7 Replace the serial number of the old ...
Diagnose Template Commit Failures

A template commit could fail because of the following reasons:

Capability mismatch: When configuring a template, the following options are available: multiple virtual systems capability, VPN mode, and operational mode.

– If the multiple virtual systems capability is enabled (the Virtual systems check box is selected), a template commit failure will occur when you push the template to firewalls that are not capable of, or enabled for, multiple virtual systems functionality. To resolve the error, select Panorama > Templates, click the template name to edit it, and clear the Virtual systems check box.

– If you push VPN-related configuration options to firewalls that are hard-coded to disallow VPN configuration, the template commit fails. To resolve the error, select Panorama > Templates, click the template name to edit it, and select the VPN Disable Mode check box.

– If the operational mode on the firewall differs from that on the template, the template commit fails. For example, the managed firewall might be enabled for FIPS mode while the template is enabled for normal mode. To resolve the error, select Panorama > Templates, click the template name to edit it, and verify that the ...
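The three capability mismatches above can all be checked before the commit is attempted. As an added example (not Panorama code and not from the guide), the following Python models a template's settings and a firewall's capabilities as plain dataclasses and reports, per firewall, which mismatch would fail the commit and which check box or setting the guide says to change. The field names, the `pushes_vpn_config` flag, and the sample template and fleet are constructed for the demonstration; the serial numbers are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Template:
    """Template options that matter for a commit (constructed model)."""
    name: str
    virtual_systems: bool      # the "Virtual systems" check box
    vpn_disable_mode: bool     # the "VPN Disable Mode" check box
    operational_mode: str      # "normal", "fips" or "cc"
    pushes_vpn_config: bool    # assumed flag: template carries VPN-related settings


@dataclass(frozen=True)
class Firewall:
    """Managed-firewall capabilities relevant to the same checks (constructed model)."""
    serial: str
    multi_vsys_enabled: bool   # capable of and enabled for multiple virtual systems
    vpn_allowed: bool          # False for firewalls hard-coded to disallow VPN
    operational_mode: str


def template_commit_issues(tpl: Template, fw: Firewall) -> list[str]:
    """One message per mismatch that would fail the template commit on this
    firewall; an empty list means the template is compatible."""
    issues: list[str] = []
    if tpl.virtual_systems and not fw.multi_vsys_enabled:
        issues.append(
            f"{fw.serial}: template '{tpl.name}' has Virtual systems selected but the "
            "firewall is not capable of or enabled for multi-vsys; clear the check box "
            "under Panorama > Templates")
    if tpl.pushes_vpn_config and not fw.vpn_allowed and not tpl.vpn_disable_mode:
        issues.append(
            f"{fw.serial}: template '{tpl.name}' pushes VPN configuration to a firewall "
            "that disallows VPN; select VPN Disable Mode under Panorama > Templates")
    if tpl.operational_mode != fw.operational_mode:
        issues.append(
            f"{fw.serial}: firewall runs in {fw.operational_mode} mode but template "
            f"'{tpl.name}' is set to {tpl.operational_mode} mode; make the template's "
            "operational mode match under Panorama > Templates")
    return issues


def preflight(tpl: Template, fleet: list[Firewall]) -> dict[str, list[str]]:
    """Issues keyed by serial for every firewall in the fleet that would fail."""
    report: dict[str, list[str]] = {}
    for fw in fleet:
        problems = template_commit_issues(tpl, fw)
        if problems:
            report[fw.serial] = problems
    return report


# Constructed sample template and fleet (placeholder serial numbers).
SAMPLE_TEMPLATE = Template("branch-base", virtual_systems=True, vpn_disable_mode=False,
                           operational_mode="normal", pushes_vpn_config=True)
SAMPLE_FLEET = [
    Firewall("001000000001", multi_vsys_enabled=True, vpn_allowed=True, operational_mode="normal"),
    Firewall("001000000002", multi_vsys_enabled=False, vpn_allowed=True, operational_mode="normal"),
    Firewall("001000000003", multi_vsys_enabled=True, vpn_allowed=False, operational_mode="fips"),
]

if __name__ == "__main__":
    for serial, problems in preflight(SAMPLE_TEMPLATE, SAMPLE_FLEET).items():
        for problem in problems:
            print(problem)
```

The first sample firewall commits cleanly, the second trips only the Virtual systems check, and the third trips both the VPN and the operational-mode checks, which is why a single failed commit can need more than one template change.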