- DL manuals
- PaloAlto Networks
- Server
- Panorama 6.1
- Administrator's Manual
PaloAlto Networks Panorama 6.1 Administrator's Manual
Summary of Panorama 6.1
Page 1
Panorama™ administrator’s guide version 6.1.
Page 2
2 • panorama 6.1 administrator’s guide © palo alto networks, inc. Contact information corporate headquarters: palo alto networks 4401 great america parkway santa clara, ca 95054 www.Paloaltonetworks.Com/company/contact ‐ support about this guide this guide describes how to set up and use panorama™ f...
Page 3
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 3 table  of  contents panorama  overview.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  ....
Page 4
4 • panorama 6.1 administrator’s guide © palo alto networks, inc. Table of contents register panorama and install licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 register panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...
Page 5
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 5 table of contents manage collector groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 configure a collector group . . . . . . . . . . . . . . . . . . . . . . . ...
Page 6
6 • panorama 6.1 administrator’s guide © palo alto networks, inc. Table of contents manage a panorama ha pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184 set up ha on panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . ....
Page 7
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 7 table of contents replace an rma firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 partial device state generation for firewalls . . . . . . . . . . . . . ...
Page 8
8 • panorama 6.1 administrator’s guide © palo alto networks, inc. Table of contents.
Page 9
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 9 panorama overview panorama provides centralized management and visibility of multiple palo alto networks next ‐ generation firewalls. It allows you to oversee all applications, users, and content traversing the network from one locati...
Page 10
10 • panorama 6.1 administrator’s guide © palo alto networks, inc. About panorama panorama overview about panorama panorama provides centralized management of the palo alto networks next ‐ generation firewalls, as the following figure illustrates: panorama allows you to effectively configure, manage...
Page 11
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 11 panorama overview panorama platforms panorama platforms panorama is available in two platforms, each of which supports firewall management licenses for managing up to 25, 100, or 1,000 firewalls: panorama virtual appliance —the panor...
Page 12
12 • panorama 6.1 administrator’s guide © palo alto networks, inc. Centralized configuration and deployment management panorama overview centralized configuration and deployment management panorama uses device groups and templates to group devices into smaller and more logical sets that require simi...
Page 13
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 13 panorama overview centralized configuration and deployment management device groups to use panorama effectively, you must group the firewalls on your network into logical units called device groups. A device group allows grouping bas...
Page 14
14 • panorama 6.1 administrator’s guide © palo alto networks, inc. Centralized configuration and deployment management panorama overview the pre ‐ rules and post ‐ rules that panorama pushes are visible on the managed firewalls but only editable in panorama. The local firewall administrator or a pan...
Page 15
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 15 panorama overview centralized configuration and deployment management for details on rule management, refer to the pan ‐ os administrator’s guide . Objects objects are configuration elements that are referenced in policies. Some of t...
Page 16
16 • panorama 6.1 administrator’s guide © palo alto networks, inc. Centralized logging and reporting panorama overview centralized logging and reporting panorama aggregates data from all managed firewalls and provides visibility across all the traffic on the network. It also provides an audit trail ...
Page 17
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 17 panorama overview centralized logging and reporting managed collectors and collector groups a log collector can be local to an m ‐ 100 appliance in panorama mode (default log collector) or can be an m ‐ 100 appliance in log collector...
Page 18
18 • panorama 6.1 administrator’s guide © palo alto networks, inc. Centralized logging and reporting panorama overview using this list, fw1 will forward logs to l1, its primary log collector, but the hash algorithm could determine that the logs will be written on l2. If l2 becomes inaccessible or ha...
Page 19
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 19 panorama overview centralized logging and reporting centralized reporting panorama aggregates logs from all managed firewalls and enables reporting on the aggregated data for a global view of application use, user activity, and traff...
Page 20
20 • panorama 6.1 administrator’s guide © palo alto networks, inc. Panorama commit operations panorama overview panorama commit operations when editing the configuration on panorama, you are changing the candidate configuration file. The candidate configuration is a copy of the running configuration...
Page 21
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 21 panorama overview panorama commit operations force template values —when performing a template commit, the force template values option overrides all local configuration and removes objects on the selected firewalls or virtual system...
Page 22
22 • panorama 6.1 administrator’s guide © palo alto networks, inc. Role ‐ based access control panorama overview role ‐ based access control role ‐ based access control (rbac) allows you to specify the privileges and responsibilities accorded to every administrative user. On panorama, you can define...
Page 23
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 23 panorama overview role ‐ based access control admin role profiles —to provide more granular access control over the functional areas of the web interface, cli, and xml api, you can create custom roles. When new features are added to ...
Page 24
24 • panorama 6.1 administrator’s guide © palo alto networks, inc. Role ‐ based access control panorama overview access domains an access domain defines the features and permissions accorded to an administrative user, enabling granular control over the administrative user’s ability to switch context...
Page 25
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 25 panorama overview panorama recommended deployments panorama recommended deployments a panorama deployment comprises the panorama management server (which has a browser ‐ based interface), optional log collectors, and the palo alto ne...
Page 26
26 • panorama 6.1 administrator’s guide © palo alto networks, inc. Panorama recommended deployments panorama overview panorama in a distributed log collection deployment the hardware ‐ based panorama—the m ‐ 100 appliance—can be deployed either as a panorama management server that performs managemen...
Page 27
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 27 panorama overview plan your deployment plan your deployment determine the management approach. Do you plan to use panorama to centrally configure and manage the policies, to centrally administer software, content and license updates,...
Page 28
28 • panorama 6.1 administrator’s guide © palo alto networks, inc. Plan your deployment panorama overview group is one that contains all the firewalls that a research and development team uses. You might also group firewalls by the function they perform, such as gateway firewalls, branch office fire...
Page 29
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 29 panorama overview deploy panorama: task overview deploy panorama: task overview the following task list summarizes the steps to get started with panorama. For an example of how to use panorama for central management, see use case: co...
Page 30
30 • panorama 6.1 administrator’s guide © palo alto networks, inc. Deploy panorama: task overview panorama overview.
Page 31
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 31 set up panorama for centralized reporting and cohesive policy management across all the firewalls on your network, panorama can be deployed as a virtual appliance or as a hardware appliance (the m ‐ 100 appliance). The following topi...
Page 32
32 • panorama 6.1 administrator’s guide © palo alto networks, inc. Determine panorama log storage requirements set up panorama determine panorama log storage requirements when you plan your deployment , estimate how much log storage capacity panorama requires to determine which panorama platforms to...
Page 33
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 33 set up panorama determine panorama log storage requirements step 3 estimate the required storage capacity. This formula provides only an estimate; the exact amount of required storage will differ from the formula result. Use the form...
Page 34
34 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the panorama virtual appliance set up panorama set up the panorama virtual appliance the panorama virtual appliance consolidates the panorama management and logging functions into a single virtual appliance. This solution enab...
Page 35
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 35 set up panorama set up the panorama virtual appliance register the panorama serial number on the support site at https://support.Paloaltonetworks.Com (see register panorama ). Palo alto networks will have sent you the serial number b...
Page 36
36 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the panorama virtual appliance set up panorama perform initial configuration of the panorama virtual appliance use the panorama virtual appliance console on the esx(i) server to set up network access to the panorama virtual ap...
Page 37
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 37 set up panorama set up the panorama virtual appliance . Configure the management interface of the panorama virtual appliance step 1 gather the required information from your network administrator. • ip address for mgt port • netmask ...
Page 38
38 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the panorama virtual appliance set up panorama expand log storage capacity on the panorama virtual appliance by default, the panorama virtual appliance has a single disk partition for all data in which, regardless of the total...
Page 39
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 39 set up panorama set up the panorama virtual appliance add a virtual disk to the panorama virtual appliance to expand log storage capacity beyond the approximately 11gb internal storage allocated by default on the panorama virtual app...
Page 40
40 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the panorama virtual appliance set up panorama increase cpus and memory on the panorama virtual appliance when you perform initial configuration of the panorama virtual appliance , you specify the memory and number of cpus bas...
Page 41
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 41 set up panorama set up the panorama virtual appliance complete the panorama virtual appliance setup now that initial configuration is complete, continue with the following sections for additional configuration instructions: activate ...
Page 42
42 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the m ‐ 100 appliance set up panorama set up the m ‐ 100 appliance the m ‐ 100 appliance is a high performance hardware platform that you can deploy in panorama mode or log collector mode . When you perform initial configurati...
Page 43
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 43 set up panorama set up the m ‐ 100 appliance perform initial configuration of the m ‐ 100 appliance by default, panorama has an ip address of 192.168.1.1 and a username/password of admin/admin. For security reasons, you must change t...
Page 44
44 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the m ‐ 100 appliance set up panorama step 4 configure the hostname, time zone, and general settings. 1. Select panorama > setup > management and edit the general settings. 2. Align the clock on panorama and the managed firewa...
Page 45
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 45 set up panorama set up the m ‐ 100 appliance step 7 commit your configuration changes. Click ok and commit , set the commit type to panorama , and click ok . If you plan to use the m ‐ 100 appliance as a panorama management server an...
Page 46
46 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the m ‐ 100 appliance set up panorama set up the m ‐ 100 appliance as a log collector if you want a dedicated appliance for log collection, configure an m ‐ 100 appliance in log collector mode. To do this, you first perform th...
Page 47
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 47 set up panorama set up the m ‐ 100 appliance step 4 access the cli of the m ‐ 100 appliance. 1. Connect to the m ‐ 100 appliance in one of the following ways: • attach a serial cable from your computer to the console port on the m ‐ ...
Page 48
48 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the m ‐ 100 appliance set up panorama step 7 record the serial number of the log collector. You need the serial number to add the log collector as a managed collector on the panorama management server. 1. At the log collector ...
Page 49
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 49 set up panorama set up the m ‐ 100 appliance step 11 ( optional ) configure the eth1 and/or eth2 interfaces if the panorama management server and log collector will use them for log collection and collector group communication. If yo...
Page 50
50 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up the m ‐ 100 appliance set up panorama increase storage on the m ‐ 100 appliance the m ‐ 100 appliance ships with two disks in a raid1 configuration. Each m ‐ 100 appliance allows for the addition of up to three additional disk...
Page 51
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 51 set up panorama set up the m ‐ 100 appliance for further instructions on adding a log collector as a managed collector on panorama, defining collector groups, or assigning a log collector to a firewall, see manage log collection . St...
Page 52
52 • panorama 6.1 administrator’s guide © palo alto networks, inc. Migrate from a panorama virtual appliance to an m ‐ 100 appliance set up panorama migrate from a panorama virtual appliance to an m ‐ 100 appliance on a panorama virtual appliance that has a logging rate of over 10,000 logs per secon...
Page 53
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 53 set up panorama migrate from a panorama virtual appliance to an m ‐ 100 appliance keep a new ip address at hand for use in setting up connectivity to the m ‐ 100 appliance during initial configuration. If you have decided to transfer...
Page 54
54 • panorama 6.1 administrator’s guide © palo alto networks, inc. Migrate from a panorama virtual appliance to an m ‐ 100 appliance set up panorama resume firewall management after migrating to an m ‐ 100 appliance to resume central management, you must restore connectivity to the managed firewalls...
Page 55
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 55 set up panorama migrate from a panorama virtual appliance to an m ‐ 100 appliance resume firewall management after migrating to an m ‐ 100 appliance step 1 log in to panorama. Using a secure connection (https) from a web browser, log...
Page 56
56 • panorama 6.1 administrator’s guide © palo alto networks, inc. Register panorama and install licenses set up panorama register panorama and install licenses before you can begin using panorama for centralized management, logging, and reporting, you must register, activate, and retrieve the panor...
Page 57
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 57 set up panorama register panorama and install licenses activate a panorama support license before activating a panorama support license on a panorama m ‐ 100 appliance or panorama virtual appliance, you must register panorama . Activ...
Page 58
58 • panorama 6.1 administrator’s guide © palo alto networks, inc. Register panorama and install licenses set up panorama activate/retrieve a device management license on the m ‐ 100 appliance before activating and retrieving a panorama device management license on the m ‐ 100 appliance: register pa...
Page 59
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 59 set up panorama register panorama and install licenses • retrieve the license key from the license server. If panorama is not ready to connect to the update server (for example, you have not completed the initial m ‐ 100 appliance se...
Page 60
60 • panorama 6.1 administrator’s guide © palo alto networks, inc. Install content and software updates for panorama set up panorama install content and software updates for panorama a valid support subscription enables access to the panorama software image and release notes. To take advantage of th...
Page 61
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 61 set up panorama install content and software updates for panorama install updates for panorama in an ha configuration to ensure a seamless failover, the active and passive panorama peers in a high availability (ha) pair must be runni...
Page 62
62 • panorama 6.1 administrator’s guide © palo alto networks, inc. Install content and software updates for panorama set up panorama install updates for panorama with an internet connection if panorama has a direct connection to the internet, perform the following steps to install install content an...
Page 63
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 63 set up panorama install content and software updates for panorama step 4 determine the software upgrade path. You cannot skip installation of any major release versions in the path to your target release. For example, if you intend t...
Page 64
64 • panorama 6.1 administrator’s guide © palo alto networks, inc. Install content and software updates for panorama set up panorama step 5 use the upgrade path identified in step 4 to upgrade to a panorama 6.0 release. Repeat the following procedure until the appliance is running a panorama 6.0 rel...
Page 65
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 65 set up panorama install content and software updates for panorama step 6 install panorama 6.1. 1. Check now ( panorama > software ) for the latest updates. If an update is available, the action column displays a download link. If you...
Page 66
66 • panorama 6.1 administrator’s guide © palo alto networks, inc. Install content and software updates for panorama set up panorama install updates for panorama without an internet connection if panorama does not have a direct connection to the internet, perform the following steps to install conte...
Page 67
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 67 set up panorama install content and software updates for panorama step 2 save a backup of the current panorama configuration file. You can use this backup to restore the configuration if you have problems with the upgrade. Although p...
Page 68
68 • panorama 6.1 administrator’s guide © palo alto networks, inc. Install content and software updates for panorama set up panorama step 6 determine the software upgrade path. You cannot skip installation of any major release versions in the path to your target release. For example, if you intend t...
Page 69
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 69 set up panorama install content and software updates for panorama step 8 install the software updates. For each release in your upgrade path (starting with the earliest), perform the following steps: 1. Click upload ( panorama > soft...
Page 70
70 • panorama 6.1 administrator’s guide © palo alto networks, inc. Access and navigate panorama management interfaces set up panorama access and navigate panorama management interfaces panorama provides three management interfaces: web interface —the panorama web interface is purposefully designed w...
Page 71
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 71 set up panorama access and navigate panorama management interfaces log in to the panorama cli you can log in to the panorama cli using a serial port connection or access remotely using an ssh client. Tab description dashboard view ge...
Page 72
72 • panorama 6.1 administrator’s guide © palo alto networks, inc. Access and navigate panorama management interfaces set up panorama • change to configuration mode. To go into configuration mode, enter the following command at the prompt: admin@abc_sydney> configure the prompt changes to admin@abc_...
Page 73
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 73 set up panorama set up administrative access to panorama set up administrative access to panorama by default, panorama includes a default administrative account (admin), with full read ‐ write access to all the functionality on panor...
Page 74
74 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up administrative access to panorama set up panorama create an administrative account: local account/authentication step 1 create an admin role profile. This step is only required if using custom roles instead of using the built ...
Page 75
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 75 set up panorama set up administrative access to panorama define an access domain an access domain provides a way to limit administrative access to specified device groups (to manage policies and objects) and templates (to manage netw...
Page 76
76 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up administrative access to panorama set up panorama if you are using an external authentication server, create a server profile ( panorama > server profiles ) before creating an authentication profile. Panorama requires the serv...
Page 77
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 77 set up panorama set up administrative access to panorama configure administrative authentication administrators can authenticate locally to panorama using passwords or certificates, or they can authenticate to an external authenticat...
Page 78
78 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up administrative access to panorama set up panorama enable certificate ‐ based authentication for the web interface as a more secure alternative to using a password to authenticate a user, enable certificate ‐ based authenticati...
Page 79
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 79 set up panorama set up administrative access to panorama step 3 create or modify an administrator account to enable client certificate authentication on the account. 1. Select panorama > administrators and then click add . 2. Enter a...
Page 80
80 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up administrative access to panorama set up panorama enable ssh key ‐ based authentication for the cli to enable ssh key ‐ based authentication, complete the following workflow for every administrative user: use radius vendor ‐ s...
Page 81
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 81 set up panorama set up administrative access to panorama for detailed instructions on setting up authentication using radius vsas, refer to the following documents: on windows 2003 server, windows 2008 (and later), and cisco acs 4.0:...
Page 82
82 • panorama 6.1 administrator’s guide © palo alto networks, inc. Set up administrative access to panorama set up panorama.
Page 83
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 83 manage firewalls to use panorama for managing palo alto networks firewalls, you must add the firewalls as managed devices and then assign them to device groups and templates. The following tasks best suit a first ‐ time firewall depl...
Page 84
84 • panorama 6.1 administrator’s guide © palo alto networks, inc. Add a firewall as a managed device manage firewalls add a firewall as a managed device to use panorama for central management of firewalls, the first step is to add them as managed devices. Before starting, collect the firewall seria...
Page 85
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 85 manage firewalls manage device groups manage device groups add a device group create objects for use in shared or device group policy manage shared objects select a url filtering vendor on panorama push a policy to a subset of firewa...
Page 86
86 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage device groups manage firewalls create objects for use in shared or device group policy an object is a container for grouping discrete identities such as ip addresses, urls, applications, or users, for use in policy enforcement...
Page 87
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 87 manage firewalls manage device groups manage shared objects you can configure how panorama handles shared objects. Consider whether you: would like to configure panorama to push only shared objects that are referenced either in share...
Page 88
88 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage device groups manage firewalls disabling this option may, however, increase the commit time on panorama. This is because panorama has to dynamically check whether a particular object is referenced in policy. Perform the follow...
Page 89
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 89 manage firewalls manage device groups push a policy to a subset of firewalls a policy target allows you to specify the devices in a device group to which to push policy. It allows you to exclude one or more devices or virtual systems...
Page 90
90 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage device groups manage firewalls manage the rule hierarchy the ordering of policy rules is essential for securing your network. The firewall evaluates rules from top to bottom in the order they appear in the policies tab of the ...
Page 91
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 91 manage firewalls manage device groups when you display rules in preview mode on panorama ( step 1 in the following procedure), all the shared, device group, and default rules that the firewall inherits from panorama appear in green, ...
Page 92
92 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage device groups manage firewalls step 3 rearrange the rules within a selected pre ‐ rule or post ‐ rule rulebase, if required. 1. In a rulebase, select the rule you want to move. 2. Click the move up , move down , move top or mo...
Page 93
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 93 manage firewalls manage templates manage templates panorama templates allow you manage the configuration options on the device and network tabs on the managed firewalls. Using templates you can define a base configuration for central...
Page 94
94 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage templates manage firewalls add a template until you add a template on panorama, the device and network tabs required to define the network set up elements and device configuration elements on the firewall will not display. Pan...
Page 95
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 95 manage firewalls manage templates add a template step 1 add a new template. 1. Select panorama > templates. 2. Click add and enter a unique name and a description to identify the template. 3. (optional) select the virtual systems che...
Page 96
96 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage templates manage firewalls override a template setting while templates allows you to create a base configuration that can be applied to multiple firewalls, you might want to configure device ‐ specific settings that are not ap...
Page 97
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 97 manage firewalls manage templates disable/remove template settings if you want to stop using templates for managing the configuration on a managed device, you can disable the template. When disabling a template, you can choose to cop...
Page 98
98 • panorama 6.1 administrator’s guide © palo alto networks, inc. Transition a firewall to panorama management manage firewalls transition a firewall to panorama management if you have already deployed palo alto networks firewalls and configured them locally, but now want to start using panorama fo...
Page 99
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 99 manage firewalls use case: configure firewalls using panorama use case: configure firewalls using panorama let’s say that you want to use panorama in a high availability configuration to manage a dozen firewalls on your network: you ...
Page 100
100 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: configure firewalls using panorama manage firewalls templates when grouping devices for templates, we must take into account the differences in the networking configuration. For example, if the interface configuration is n...
Page 101
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 101 manage firewalls use case: configure firewalls using panorama set up your centralized configuration and policies using the example described in the preceding topics (starting with use case: configure firewalls using panorama ), perf...
Page 102
102 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: configure firewalls using panorama manage firewalls 3. Deploy the software updates to the firewalls. A. Select panorama > device deployment > software . B. Click check now to check for the latest updates. If the value in t...
Page 103
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 103 manage firewalls use case: configure firewalls using panorama 5. Configure the interface and zone settings in the datacenter template (t_datacenter), and then attach the zone protection profile you just created. Before performing th...
Page 104
104 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: configure firewalls using panorama manage firewalls 2. Create a shared pre ‐ rule to allow dns and snmp services. A. Create a shared application group for the dns and snmp services. – select objects > application group and...
Page 105
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 105 manage firewalls use case: configure firewalls using panorama 4. Allow facebook for all users in the marketing group in the regional offices only. To enable security policy based on user and/or group, you must enable user ‐ id for e...
Page 106
106 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: configure firewalls using panorama manage firewalls preview the rules and commit changes task 4 preview your rules and commit your changes to panorama, device groups, and templates. 1. Select the policies tab, and click pr...
Page 107
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 107 manage log collection all palo alto networks next ‐ generation firewalls can generate logs that provide an audit trail of firewall activities. To centrally monitor the logs and generate reports, you must forward the logs generated o...
Page 108
108 • panorama 6.1 administrator’s guide © palo alto networks, inc. Enable log forwarding to panorama manage log collection enable log forwarding to panorama log forwarding to panorama: workflows by log type configure log forwarding to panorama log forwarding to panorama: workflows by log type the w...
Page 109
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 109 manage log collection enable log forwarding to panorama qradar) for archiving, use a template to define a syslog server profile ( device > server profiles > syslog ). The following table describes these logs and associated forwardin...
Page 110
110 • panorama 6.1 administrator’s guide © palo alto networks, inc. Enable log forwarding to panorama manage log collection configure log forwarding to panorama step 1 (optional) create a server profile that contains the information for connecting to the external service (a syslog server, in this ex...
Page 111
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 111 manage log collection enable log forwarding to panorama step 2 set up a log forwarding profile for traffic, threat, and wildfire logs. Threat logs include url filtering and data filtering logs. Firewalls forward the logs based on th...
Page 112
112 • panorama 6.1 administrator’s guide © palo alto networks, inc. Enable log forwarding to panorama manage log collection step 4 (optional) schedule log exports to an scp or an ftp server. If you plan to use scp, after pushing the template you must log in to each managed device, open the scheduled...
Page 113
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 113 manage log collection configure a managed collector configure a managed collector to enable the panorama management server (panorama virtual appliance or m ‐ 100 appliance in panorama mode) to manage a log collector, you must add it...
Page 114
114 • panorama 6.1 administrator’s guide © palo alto networks, inc. Configure a managed collector manage log collection step 3 enable connectivity among the m ‐ 100 appliances. These steps vary by log collector type. For ha deployments, and are for the management interface of the primary and seconda...
Page 115
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 115 manage log collection configure a managed collector step 6 configure network access for the log collector. Perform this step only for a dedicated log collector or a local log collector on the secondary panorama ha peer. Although you...
Page 116
116 • panorama 6.1 administrator’s guide © palo alto networks, inc. Configure a managed collector manage log collection step 10 verify your changes. 1. Verify that the panorama > managed collectors page lists the log collector you added. The connected column displays a check mark to indicate that th...
Page 117
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 117 manage log collection manage collector groups manage collector groups a collector group is 1 to 16 log collectors that operate as a single logical unit for collecting firewall logs. You can configure a collector group with multiple ...
Page 118
118 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage collector groups manage log collection step 2 add the collector group. 1. Access the panorama web interface, select panorama > collector groups , and add a collector group or edit an existing one. The m ‐ 100 appliance in pan...
Page 119
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 119 manage log collection manage collector groups step 4 assign log collectors and firewalls to the collector group. 1. Select the device log forwarding tab. 2. In the collector group members section, add the log collectors. 3. In the l...
Page 120
120 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage collector groups manage log collection move a log collector to a different collector group when you plan a log collection deployment , you assign log collectors to a collector group based on the logging rate and log storage r...
Page 121
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 121 manage log collection manage collector groups remove a firewall from a collector group in a distributed log collection deployment, where you have dedicated log collectors, if you need a device to send logs to panorama instead of sen...
Page 122
122 • panorama 6.1 administrator’s guide © palo alto networks, inc. Verify log forwarding to panorama manage log collection verify log forwarding to panorama now that you have added the log collector(s) as managed collectors, created and configured the collector group and assigned the managed firewa...
Page 123
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 123 manage log collection modify log forwarding and buffering defaults modify log forwarding and buffering defaults you can define the log forwarding mode that the firewalls use to send logs to panorama and when configured in a high ava...
Page 124
124 • panorama 6.1 administrator’s guide © palo alto networks, inc. Modify log forwarding and buffering defaults manage log collection get only new logs on convert to primary default: disabled panorama virtual appliance that is mounted to a network file system (nfs) datastore and is set up in a high...
Page 125
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 125 manage log collection enable log forwarding from panorama to external destinations enable log forwarding from panorama to external destinations panorama allows you to forward aggregated logs, email notifications, and snmp traps to e...
Page 126
126 • panorama 6.1 administrator’s guide © palo alto networks, inc. Enable log forwarding from panorama to external destinations manage log collection enable log forwarding from panorama to external destinations step 1 set up server profiles for each external destination to which you want to forward...
Page 127
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 127 manage log collection enable log forwarding from panorama to external destinations step 2 if the syslog server requires client authentication, generate the certificate for secure communication. To verify that the sending device (fir...
Page 128
128 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection log collection deployments the following topics describe how to configure log collection in the most typical deployments. Plan a log collection deployment deploy panorama with dedicat...
Page 129
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 129 manage log collection log collection deployments note that if the firewalls have a remote distribution, their connections with the panorama management server might lack sufficient bandwidth to support the required logging rate even ...
Page 130
130 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection figure: log forwarding to panorama and then to external services forward logs from firewalls to panorama and to external services in parallel—in this configuration, both panorama and ...
Page 131
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 131 manage log collection log collection deployments deploy panorama with dedicated log collectors the following figures illustrate panorama in a distributed log collection deployment . In these examples, the panorama management server ...
Page 132
132 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection figure: multiple dedicated log collectors per collector group perform the following steps to deploy panorama with dedicated log collectors. Skip any steps you have already performed (...
Page 133
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 133 manage log collection log collection deployments deploy panorama with dedicated log collectors step 1 perform the initial setup of the panorama management server (virtual appliances or m ‐ 100 appliances) and the dedicated log colle...
Page 134
134 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection step 2 switch from panorama mode to log collector mode on each m ‐ 100 appliance that will be a dedicated log collector. Switching the mode of an m ‐ 100 appliance deletes any existin...
Page 135
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 135 manage log collection log collection deployments step 4 add each log collector as a managed collector. Use the web interface of the primary panorama management server peer to configure a managed collector : 1. Select panorama > mana...
Page 136
136 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection step 7 ( optional ) configure the eth1 and/or eth2 interfaces if the log collectors will use them for log collection and collector group communication. These interfaces are available ...
Page 137
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 137 manage log collection log collection deployments deploy panorama with default log collectors the following figures illustrate panorama in a centralized log collection deployment. In these examples, the panorama management server com...
Page 138
138 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection figure: single default log collector per collector group figure: multiple default log collectors per collector group perform the following steps to deploy panorama with default log co...
Page 139
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 139 manage log collection log collection deployments deploy panorama with default log collectors step 1 perform the initial setup of each m ‐ 100 appliance. 1. Rack mount the m ‐ 100 appliance. Refer to the m ‐ 100 hardware reference gu...
Page 140
140 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection step 2 perform the following steps to prepare panorama for log collection. 1. Connect to the primary panorama in one of the following ways: • attach a serial cable from your computer ...
Page 141
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 141 manage log collection log collection deployments step 4 configure the log collector that is local to the secondary panorama. Panorama treats this log collector as remote because it’s not local to the primary panorama. Therefore you ...
Page 142
142 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection step 6 edit the default collector group that is predefined on the primary panorama. Use the web interface of the primary panorama to configure a collector group : 1. Select panorama >...
Page 143
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 143 manage log collection log collection deployments step 9 manually fail over so that the secondary panorama becomes active. Use the web interface of the primary panorama to perform the following steps: 1. Select panorama > high availa...
Page 144
144 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection deploy panorama virtual appliances with local log collection the following figure illustrates panorama in a centralized log collection deployment. In this example, the panorama manage...
Page 145
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 145 manage log collection log collection deployments step 2 add a firewall as a managed device . Perform this step for all the firewalls that will forward logs to panorama. 1. If you have not already, perform the initial setup of each f...
Page 146
146 • panorama 6.1 administrator’s guide © palo alto networks, inc. Log collection deployments manage log collection step 6 (optional) modify log forwarding and buffering defaults . Use the panorama web interface to perform the following steps: 1. Select panorama > setup > management and edit the lo...
Page 147
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 147 manage licenses and updates you can use panorama to centrally manage licenses, software updates, and content updates on firewalls and dedicated log collectors (m ‐ 100 appliances in log collector mode). When you deploy licenses or u...
Page 148
148 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage licenses on firewalls using panorama manage licenses and updates manage licenses on firewalls using panorama the following steps describe how to retrieve new licenses using an authorization code and push the license keys to m...
Page 149
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 149 manage licenses and updates deploy updates to devices using panorama deploy updates to devices using panorama you can use panorama to qualify software and content updates by deploying them to a subset of the firewalls or dedicated l...
Page 150
150 • panorama 6.1 administrator’s guide © palo alto networks, inc. Deploy updates to devices using panorama manage licenses and updates applications content, not the threats content (for details, see panorama, log collector, and firewall version compatibility ). Each firewall or log collector recei...
Page 151
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 151 manage licenses and updates deploy updates to devices using panorama deploy updates to devices when panorama has an internet connection deploy an update to log collectors when panorama is internet ‐ connected deploy an update to fir...
Page 152
152 • panorama 6.1 administrator’s guide © palo alto networks, inc. Deploy updates to devices using panorama manage licenses and updates step 3 determine the software upgrade path for each log collector that you intend to update. You cannot skip installation of any major release versions in the path...
Page 153
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 153 manage licenses and updates deploy updates to devices using panorama deploy an update to firewalls when panorama is internet ‐ connected before deploying updates to firewalls , you must upgrade panorama and then upgrade the log coll...
Page 154
154 • panorama 6.1 administrator’s guide © palo alto networks, inc. Deploy updates to devices using panorama manage licenses and updates deploy updates to devices when panorama has no internet connection deploy an update to log collectors when panorama is not internet ‐ connected deploy an update to...
Page 155
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 155 manage licenses and updates deploy updates to devices using panorama step 3 download the updates to a host that has internet access. Panorama must have access to the host. 1. Use a host with internet access to log in to the palo alt...
Page 156
156 • panorama 6.1 administrator’s guide © palo alto networks, inc. Deploy updates to devices using panorama manage licenses and updates deploy an update to firewalls when panorama is not internet ‐ connected for a list of software and content updates you can install on firewalls, see supported upda...
Page 157
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 157 manage licenses and updates deploy updates to devices using panorama step 3 determine the software upgrade path. Required for pan ‐ os software updates. Select panorama > managed devices , and note the current software version for t...
Page 158
158 • panorama 6.1 administrator’s guide © palo alto networks, inc. Deploy updates to devices using panorama manage licenses and updates step 7 upload pan ‐ os software updates. 1. Select panorama > device deployment > software . 2. C lick upload , browse to the update file, and click ok . Step 8 in...
Page 159
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 159 monitor network activity panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on panorama—the application command center (acc), logs, and the report generation capabilities—you can central...
Page 160
160 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use panorama for visibility monitor network activity use panorama for visibility in addition to its central deployment and firewall configuration features, panorama also allows you to monitor and report on all traffic that traverses...
Page 161
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 161 monitor network activity use panorama for visibility you can then use the information to maintain or enforce changes to the traffic patterns on your network. See use case: monitor applications using panorama for a glimpse into how t...
Page 162
162 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use panorama for visibility monitor network activity change data source —the default source used to display the statistics on the charts in the acc is the panorama local data. With the exception of the data that displays in the appl...
Page 163
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 163 monitor network activity use panorama for visibility use the following procedures to create and schedule reports: report type description predefined a suite of predefined reports in the monitor > reports tab that are available in fo...
Page 164
164 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use panorama for visibility monitor network activity generate, schedule, and email reports step 1 generate reports. You must set up a report group to email report(s). The steps to generate a report depend on the type: • create a cus...
Page 165
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 165 monitor network activity use panorama for visibility step 2 set up panorama to email reports. 1. Select panorama > server profiles > email . 2. Click add and then enter a name for the profile. 3. Click add to add a new email server ...
Page 166
166 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: monitor applications using panorama monitor network activity use case: monitor applications using panorama this example takes you through the process of assessing the efficiency of your current policies and determining whe...
Page 167
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 167 monitor network activity use case: monitor applications using panorama in the top sources table, you can also see how many users are using bittorrent and the volume of traffic being generated. If you have enabled user ‐ id, you will...
Page 168
168 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: monitor applications using panorama monitor network activity the monitor > app-scope> traffic map tab displays a geographical map of the traffic flow and provides a view of incoming versus outgoing traffic. You can also us...
Page 169
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 169 monitor network activity use case: monitor applications using panorama having the ip addresses of the servers (destination ip in the logs), the destination port, and the packet captures, you will be better positioned to identify the...
Page 170
170 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: respond to an incident using panorama monitor network activity use case: respond to an incident using panorama network threats can originate from different vectors, including malware and spyware infections due to drive ‐ b...
Page 171
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 171 monitor network activity use case: respond to an incident using panorama review threat logs to begin investigating the alert, use the threat id to search the threat logs on panorama ( monitor > logs > threat ). From the threat logs,...
Page 172
172 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: respond to an incident using panorama monitor network activity review wildfire logs in addition to the threat logs, use the victim ip address to filter though the wildfire submissions logs. The wildfire submissions logs co...
Page 173
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 173 monitor network activity use case: respond to an incident using panorama review data filtering logs the data filtering log ( monitor > logs > data filtering ) is another valuable source for investigating malicious network activity. ...
Page 174
174 • panorama 6.1 administrator’s guide © palo alto networks, inc. Use case: respond to an incident using panorama monitor network activity forestall ddos attacks by enhancing your dos profile to configure random early drop or to drop syn cookies for tcp floods. Consider placing limits on icmp and ...
Page 175
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 175 panorama high availability panorama high availability (ha) is a configuration in which two panorama servers are placed in a group (two ‐ device cluster) to provide redundancy in the event of a system or network failure. Panorama in ...
Page 176
176 • panorama 6.1 administrator’s guide © palo alto networks, inc. Panorama ha prerequisites panorama high availability panorama ha prerequisites to configure panorama in ha, you require a pair of identical panorama servers with the following requirements on each: the same form factor —must both be...
Page 177
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 177 panorama high availability priority and failover on panorama in ha priority and failover on panorama in ha each panorama peer in the ha pair is assigned a priority value. The priority value of the primary or secondary peer determine...
Page 178
178 • panorama 6.1 administrator’s guide © palo alto networks, inc. Priority and failover on panorama in ha panorama high availability for more information, see panorama ha prerequisites or set up ha on panorama ..
Page 179
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 179 panorama high availability failover triggers failover triggers when a failure occurs on the active device and the passive device takes over the task of managing the firewalls, the event is called a failover. A failover is triggered ...
Page 180
180 • panorama 6.1 administrator’s guide © palo alto networks, inc. Failover triggers panorama high availability the default ping interval is 5000ms. An ip address is considered unreachable when three consecutive pings (the default value) fail, and a device failure is triggered when any or all of th...
Page 181
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 181 panorama high availability logging considerations in panorama ha logging considerations in panorama ha setting up panorama in an ha configuration provides redundancy for log collection. Because the managed devices are connected to b...
Page 182
182 • panorama 6.1 administrator’s guide © palo alto networks, inc. Logging considerations in panorama ha panorama high availability if you have a distributed log collection set up where the managed devices are sending logs to a dedicated log collector, the panorama peers in ha will query all the ma...
Page 183
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 183 panorama high availability synchronization between panorama ha peers synchronization between panorama ha peers the panorama ha peers synchronize the running configuration each time you commit changes on the active panorama peer. The...
Page 184
184 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage a panorama ha pair panorama high availability manage a panorama ha pair set up ha on panorama test panorama ha failover switch priority after panorama failover to resume nfs logging restore the primary panorama to the active ...
Page 185
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 185 panorama high availability manage a panorama ha pair step 3 set the ha priority. 1. In panorama > high availability , edit the election settings section. 2. Define the device priority as primary or secondary . Make sure to set one p...
Page 186
186 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage a panorama ha pair panorama high availability test panorama ha failover to test that your ha configuration works properly, trigger a manual failover and verify that the peer transitions states successfully. Switch priority af...
Page 187
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 187 panorama high availability manage a panorama ha pair restore the primary panorama to the active state by default, the preemptive capability on panorama allows the primary panorama to resume functioning as the active peer as soon as ...
Page 188
188 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage a panorama ha pair panorama high availability.
Page 189
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 189 administer panorama this section describes how to administer and maintain panorama. It includes the following topics: manage configuration backups compare changes in panorama configurations restrict access to configuration changes a...
Page 190
190 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage configuration backups administer panorama manage configuration backups a configuration backup is a snapshot of the system configuration. In case of a system failure or a misconfiguration, a configuration backup allows you to ...
Page 191
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 191 administer panorama manage configuration backups manage panorama configuration backups use these instructions to validate, revert, save, load, export, or import a panorama configuration version. Schedule the export of configuration ...
Page 192
192 • panorama 6.1 administrator’s guide © palo alto networks, inc. Manage configuration backups administer panorama configure the number of configuration backups panorama stores load a configuration backup on a managed firewall use panorama to load a configuration backup on a managed firewall. You ...
Page 193
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 193 administer panorama manage configuration backups load a configuration backup on a managed firewall 1. Select panorama > managed devices . 2. Select the manage... Link in the backups column. 3. Select from the saved configurations or...
Page 194
194 • panorama 6.1 administrator’s guide © palo alto networks, inc. Compare changes in panorama configurations administer panorama compare changes in panorama configurations to compare configuration changes on panorama, you can select any two sets of configuration files: the candidate configuration,...
Page 195
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 195 administer panorama restrict access to configuration changes restrict access to configuration changes use locks to prevent multiple administrative users from making configuration changes or committing changes on panorama, shared pol...
Page 196
196 • panorama 6.1 administrator’s guide © palo alto networks, inc. Restrict access to configuration changes administer panorama panorama —restricts access to changes on panorama. Take a lock view lock holders before changing a particular area of the configuration, check whether another administrato...
Page 197
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 197 administer panorama restrict access to configuration changes remove a lock remove a lock 1. Click the lock icon at the top right of the web interface. 2. Select the lock that you want to release and click remove lock . Unless you ar...
Page 198
198 • panorama 6.1 administrator’s guide © palo alto networks, inc. Add custom logos to panorama administer panorama add custom logos to panorama you can upload image files to customize the following areas on panorama: background image on the login screen header on the top left corner of the web int...
Page 199
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 199 administer panorama view panorama task completion history view panorama task completion history use the task manager to view currently ‐ running tasks, historical task data, event success or failure information, and related errors. ...
Page 200
200 • panorama 6.1 administrator’s guide © palo alto networks, inc. Reallocate log storage quota administer panorama reallocate log storage quota you can edit the default storage quotas for each log type but not for reports. When a log quota reaches the maximum size, panorama starts overwriting the ...
Page 201
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 201 administer panorama reallocate log storage quota step 2 configure the storage quotas for logs of all types (except app stats logs) that an m ‐ 100 appliance receives from firewalls. The log collectors store these logs. You configure...
Page 202
202 • panorama 6.1 administrator’s guide © palo alto networks, inc. Monitor panorama administer panorama monitor panorama to monitor panorama, you can either periodically view the system and configuration logs on panorama or configure snmp traps and/or email alerts that notify you when a monitored m...
Page 203
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 203 administer panorama monitor panorama set up email alerts for panorama set up email alerts for panorama step 1 create a server profile for your email server. 1. Select panorama > server profiles > email . 2. Click add and then enter ...
Page 204
204 • panorama 6.1 administrator’s guide © palo alto networks, inc. Monitor panorama administer panorama set up snmp to monitor panorama simple network management protocol (snmp) enables access from an snmp management station to specific object identifiers (oids) or ranges of oids that the palo alto...
Page 205
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 205 administer panorama monitor panorama step 2 configure panorama for snmp monitoring. This screen shot is for snmp v3. 1. Select panorama > setup > operations . 2. In the miscellaneous section, select snmp setup . 3. Enter a text stri...
Page 206
206 • panorama 6.1 administrator’s guide © palo alto networks, inc. Monitor panorama administer panorama step 3 create a server profile that contains the information for connecting and authenticating to the snmp manager(s). 1. Select panorama > server profiles > snmp trap . 2. Click add and then ent...
Page 207
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 207 administer panorama monitor panorama step 6 enable the snmp manager to interpret an snmp trap. To interpret a trap that panorama sent, you must load the pan ‐ os mib files into your snmp management software and, if necessary, compil...
Page 208
208 • panorama 6.1 administrator’s guide © palo alto networks, inc. Reboot or shut down panorama administer panorama reboot or shut down panorama the reboot option initiates a graceful restart of panorama. A shutdown halts the system and powers it off. To restart panorama, after a shutdown, manually...
Page 209
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 209 administer panorama generate diagnostic files for panorama generate diagnostic files for panorama diagnostic files aid in monitoring system activity and in discerning potential causes for issues on panorama. To assist palo alto netw...
Page 210
210 • panorama 6.1 administrator’s guide © palo alto networks, inc. Configure panorama password profiles and complexity administer panorama configure panorama password profiles and complexity to secure the local administrator account, you can define password complexity requirements that are enforced...
Page 211
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 211 administer panorama configure panorama password profiles and complexity step 2 create password profiles. You can create multiple password profiles and apply them to administrator accounts as required to enforce security. 1. Select p...
Page 212
212 • panorama 6.1 administrator’s guide © palo alto networks, inc. Replace a failed disk on an m ‐ 100 appliance administer panorama replace a failed disk on an m ‐ 100 appliance if a disk fails on the m ‐ 100 appliance, you must replace the disk and reconfigure it in a raid pair. This allows the d...
Page 213
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 213 administer panorama replace the virtual disk on a panorama virtual appliance replace the virtual disk on a panorama virtual appliance you can’t resize a virtual disk after adding it to a panorama virtual appliance on an esxi server....
Page 214
214 • panorama 6.1 administrator’s guide © palo alto networks, inc. Replace the virtual disk on a panorama virtual appliance administer panorama.
Page 215
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 215 troubleshooting the following topics address panorama issues: troubleshoot panorama system issues troubleshoot log storage and connection issues replace an rma firewall diagnose template commit failures view task success or failure ...
Page 216
216 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot panorama system issues troubleshooting troubleshoot panorama system issues diagnose panorama suspended state monitor the file system integrity check manage panorama storage for software and content updates recover from ...
Page 217
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 217 troubleshooting troubleshoot panorama system issues the maximum number of images is a global setting that applies to all the images and updates that panorama stores. You can use only the cli to configure the setting. The default val...
Page 218
218 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot panorama system issues troubleshooting if you need to add/change the configuration for only the connected firewalls at each location, you can make configuration changes independently on each panorama peer. Because the p...
Page 219
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 219 troubleshooting troubleshoot log storage and connection issues troubleshoot log storage and connection issues what ports are used by panorama? Resolve zero log storage for a collector group recover logs after failure/rma of m ‐ 100 ...
Page 220
220 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot log storage and connection issues troubleshooting resolve zero log storage for a collector group the log storage capacity for the collector group might display as 0mb if the disk pairs are not enabled for logging. You m...
Page 221
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 221 troubleshooting troubleshoot log storage and connection issues recover logs after failure/rma of m ‐ 100 appliance in log collector mode step 1 perform initial setup of the new m ‐ 100 appliance in log collector mode. 1. Rack mount ...
Page 222
222 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot log storage and connection issues troubleshooting step 2 on the panorama management server, add the new log collector as a managed collector. For all steps with commands that require a device serial number, you must typ...
Page 223
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 223 troubleshooting troubleshoot log storage and connection issues step 4 prepare the disks for migration. Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a l...
Page 224
224 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot log storage and connection issues troubleshooting recover logs after failure/rma of m ‐ 100 appliance in panorama mode if you need to replace an m ‐ 100 appliance in panorama mode (panorama management server), you can m...
Page 225
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 225 troubleshooting troubleshoot log storage and connection issues both panorama peers are managed log collectors that belong to one collector group (note that this is not a recommended deployment). Each panorama is configured as a mana...
Page 226
226 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot log storage and connection issues troubleshooting step 3 perform initial setup of the new m ‐ 100 appliance. 1. Rack mount the m ‐ 100 appliance. Refer to the m ‐ 100 appliance hardware reference guide for instructions....
Page 227
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 227 troubleshooting troubleshoot log storage and connection issues step 4 prepare the disks for migration. Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a l...
Page 228
228 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot log storage and connection issues troubleshooting step 6 migrate the logs. You must use the panorama cli for this step, not the web interface. You must assign the local log collector of the new m ‐ 100 appliance to the ...
Page 229
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 229 troubleshooting troubleshoot log storage and connection issues recover logs after panorama failure/rma in non ‐ ha deployments if a system failure occurs on a panorama server that is managing one or more dedicated log collectors and...
Page 230
230 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot log storage and connection issues troubleshooting step 2 restore the configuration from the old panorama to the replacement panorama. This task assumes that you have followed the recommendation to back up and export you...
Page 231
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 231 troubleshooting troubleshoot log storage and connection issues regenerate metadata for m ‐ 100 appliance raid pairs when a system failure occurs on the m ‐ 100 appliance and you need to physically move the disks from one appliance t...
Page 232
232 • panorama 6.1 administrator’s guide © palo alto networks, inc. Troubleshoot log storage and connection issues troubleshooting the size of the raid disks determines how long metadata regeneration takes. On average, it takes an hour for every 100gb. When you run the command, the cli session is lo...
Page 233
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 233 troubleshooting replace an rma firewall replace an rma firewall to minimize the effort required to restore the configuration on a managed firewall involving a return merchandise authorization (rma), replace the serial number of the ...
Page 234
234 • panorama 6.1 administrator’s guide © palo alto networks, inc. Replace an rma firewall troubleshooting – serial number —you must enter the serial number on the support portal to transfer the licenses from the old firewall to your replacement firewall. You will also enter this information on pan...
Page 235
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 235 troubleshooting replace an rma firewall restore the firewall configuration after replacement restore the firewall configuration after replacement tasks on the new firewall: use the cli for a more streamlined workflow. Step 1 perform...
Page 236
236 • panorama 6.1 administrator’s guide © palo alto networks, inc. Replace an rma firewall troubleshooting tasks on the panorama cli: you cannot perform these tasks on the panorama web interface. (skip this step if you have manually exported the device state from your firewall.) step 6 export the d...
Page 237
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 237 troubleshooting replace an rma firewall step 10 synchronize the firewall with panorama. 1. Click commit , set the commit type to device group , select the device group that contains the firewall, select the include device and networ...
Page 238
238 • panorama 6.1 administrator’s guide © palo alto networks, inc. Diagnose template commit failures troubleshooting diagnose template commit failures a template commit could fail because of the following reasons: capability mismatch: when configuring a template, the following options are available...
Page 239
© palo alto networks, inc. Panorama 6.1 administrator’s guide • 239 troubleshooting view task success or failure status view task success or failure status use the task manager icon at the bottom right of the panorama web interface to view the success or failure of a task. The task manager also disp...
Page 240
240 • panorama 6.1 administrator’s guide © palo alto networks, inc. View task success or failure status troubleshooting.