Palo Alto Networks
Panorama Administrator's Guide
Version 6.1
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-us.html
About this Guide
This guide describes how to set up and use Panorama for centralized management; it is intended for administrators who
want the basic framework to quickly set up the Panorama virtual appliance or the M-100 appliance for centralized
administration of Palo Alto Networks firewalls.
If you have an M-100 appliance, this guide takes over after you finish rack mounting your M-100 appliance.
For more information, refer to the following sources:
For instructions on configuring the features on the firewall, go to the PAN-OS Administrator's Guide. The Palo Alto
Networks Administrator's Guide will also help you with Panorama configuration items that are similar to the firewall
and are not covered in this guide.
For information on the additional capabilities and for instructions on configuring additional features on the firewall,
refer to https://www.paloaltonetworks.com/documentation.
For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 6.1 release notes, go to
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2014-2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: January 15, 2016
2 Panorama 6.1 Administrator's Guide
Palo Alto Networks, Inc.
Table of Contents
Panorama Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
About Panorama. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Panorama Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Centralized Configuration and Deployment Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Context Switch: Firewall or Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Centralized Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Logging Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Managed Collectors and Collector Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Caveats for a Collector Group with Multiple Log Collectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Centralized Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Panorama Commit Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Role-Based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Administrative Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Authentication Profiles and Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Access Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Administrative Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Panorama Recommended Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Panorama for Centralized Management and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Panorama in a Distributed Log Collection Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Plan Your Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Deploy Panorama: Task Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Set Up Panorama. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Determine Panorama Log Storage Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Set Up the Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Setup Prerequisites for the Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Install Panorama on the ESX(i) Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Perform Initial Configuration of the Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Expand Log Storage Capacity on the Panorama Virtual Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Complete the Panorama Virtual Appliance Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Set Up the M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Perform Initial Configuration of the M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Switch from Panorama Mode to Log Collector Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Increase Storage on the M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Migrate from a Panorama Virtual Appliance to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Prerequisites for Migrating to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Plan to Migrate to an M-100 Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Migrate to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Resume Firewall Management after Migrating to an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . 50
Register Panorama and Install Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Register Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Activate a Panorama Support License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance . . . . . . . . . . . 53
Activate/Retrieve a Device Management License on the M-100 Appliance . . . . . . . . . . . . . . . . . . . 53
Install Content and Software Updates for Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Content Update Dependencies for Panorama and Log Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Install Updates for Panorama with Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Install Updates for Panorama without Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Access and Navigate Panorama Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Log in to the Panorama Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Navigate the Panorama Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Log in to the Panorama CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Set Up Administrative Access to Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Create an Administrative Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Define an Access Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Create an Authentication Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Define an Authentication Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Configure Administrative Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Manage Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Add a Firewall as a Managed Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Manage Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Add a Device Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Create Objects for Use in Shared or Device Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Manage Shared Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Select a URL Filtering Vendor on Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Push a Policy to a Subset of Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Manage the Rule Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Manage Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Template Capabilities and Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Add a Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Override a Template Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Disable/Remove Template Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Transition a Firewall to Panorama Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Use Case: Configure Firewalls Using Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Set Up Your Centralized Configuration and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Manage Log Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Enable Log Forwarding to Panorama. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Log Forwarding to Panorama: Workflows by Log Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Configure Log Forwarding to Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configure a Managed Collector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Manage Collector Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Configure a Collector Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Move a Log Collector to a Different Collector Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Remove a Firewall from a Collector Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Verify Log Forwarding to Panorama. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Modify Log Forwarding and Buffering Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Enable Log Forwarding from Panorama to External Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Log Collection Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Plan a Log Collection Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Deploy Panorama with Dedicated Log Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Deploy Panorama with Default Log Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Deploy Panorama Virtual Appliances with Local Log Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Manage Licenses and Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Panorama, Log Collector, and Firewall Version Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Manage Licenses on Firewalls Using Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Deploy Updates to Devices Using Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Supported Updates by Device Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Schedule Content Updates to Devices Using Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Install Software Updates on Firewall HA Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Deploy Updates to Devices when Panorama Has an Internet Connection. . . . . . . . . . . . . . . . . . . . . 151
Deploy Updates to Devices when Panorama Has No Internet Connection . . . . . . . . . . . . . . . . . . . . 153
Monitor Network Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Use Panorama for Visibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Monitor the Network with the ACC and AppScope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Analyze Log Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Generate, Schedule, and Email Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Use Case: Monitor Applications Using Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Use Case: Respond to an Incident Using Panorama. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Incident Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Review Threat Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Review WildFire Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Review Data Filtering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Update Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Panorama High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173
Panorama HA Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Priority and Failover on Panorama in HA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Failover Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
HA Heartbeat Polling and Hello Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
HA Path Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Logging Considerations in Panorama HA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Logging Failover on a Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Logging Failover on an M-100 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Synchronization Between Panorama HA Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Manage a Panorama HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Set Up HA on Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Test Panorama HA Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Switch Priority after Panorama Failover to Resume NFS Logging . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Upgrade Panorama in HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Restore the Primary Panorama to the Active State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Administer Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Manage Configuration Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Schedule Export of Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Manage Panorama Configuration Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Configure the Number of Configuration Backups Panorama Stores . . . . . . . . . . . . . . . . . . . . . . . . . 191
Load a Configuration Backup on a Managed Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Compare Changes in Panorama Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Restrict Access to Configuration Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Types of Locks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Locations for Taking a Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Take a Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
View Lock Holders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Enable Automatic Acquisition of the Commit Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Remove a Lock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Add Custom Logos to Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
View Panorama Task Completion History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Reallocate Log Storage Quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Monitor Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Panorama System and Configuration Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Set Up Email Alerts for Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Set Up SNMP to Monitor Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Reboot or Shut Down Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Generate Diagnostic Files for Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Configure Panorama Password Profiles and Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Replace a Failed Disk on an M-100 Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Replace the Virtual Disk on a Panorama Virtual Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Troubleshoot Panorama System Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Diagnose Panorama Suspended State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Monitor the File System Integrity Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Manage Panorama Storage for Software and Content Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Recover from Split Brain in Panorama HA Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Troubleshoot Log Storage and Connection Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
What Ports are Used by Panorama? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Resolve Zero Log Storage for a Collector Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Recover Logs after Failure/RMA of M-100 Appliance in Log Collector Mode . . . . . . . . . . . . . . . . . . 218
Recover Logs after Failure/RMA of M-100 Appliance in Panorama Mode . . . . . . . . . . . . . . . . . . . . . 221
Recover Logs after Panorama Failure/RMA in Non-HA Deployments . . . . . . . . . . . . . . . . . . . . . . . 226
Regenerate Metadata for M-100 Appliance RAID Pairs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Replace an RMA Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Partial Device State Generation for Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Before Starting RMA Firewall Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Restore the Firewall Configuration after Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Diagnose Template Commit Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
View Task Success or Failure Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Panorama Overview
Panorama provides centralized management and visibility of multiple Palo Alto Networks next-generation
firewalls. It allows you to oversee all applications, users, and content traversing the network from one location,
and then use this knowledge to create application enablement policies that protect and control the entire
network. Using Panorama for centralized policy and device management increases operational efficiency in
managing and maintaining a distributed network of firewalls.
The following sections describe Panorama and provide guidelines for planning your Panorama deployment:
About Panorama
Panorama Platforms
Centralized Configuration and Deployment Management
Centralized Logging and Reporting
Panorama Commit Operations
Role-Based Access Control
Panorama Recommended Deployments
Plan Your Deployment
Deploy Panorama: Task Overview
About Panorama
Panorama provides centralized management of the Palo Alto Networks next-generation firewalls, as the
following figure illustrates:
Panorama allows you to effectively configure, manage, and monitor your Palo Alto Networks firewalls using
central oversight with local control, as required. The three focal areas in which Panorama adds value are:
Centralized configuration and deployment: To simplify central management and rapid deployment of
the firewalls on your network, use Panorama to pre-stage the firewalls for deployment. You can then
assemble the firewalls into groups, create templates to apply a base network and device configuration,
and use device groups to administer globally shared and local policies. See Centralized Configuration and
Deployment Management.
Aggregated logging with central oversight for analysis and reporting: Collect information on activity
across all the managed firewalls on the network and centrally analyze, investigate, and report on the data. This
comprehensive view of network traffic, user activity, and the associated risks enables you to respond to
potential threats using the rich set of policies that securely enable applications on your network. See
Centralized Logging and Reporting.
Distributed administration: Delegate or restrict access to global and local firewall
configurations and policies. See Role-Based Access Control for delegating appropriate levels of access for
distributed administration.
Panorama is available in two platforms: as a virtual appliance and as a dedicated hardware appliance. For more
information, see Panorama Platforms.
Panorama Platforms
Panorama is available in two platforms, each of which supports firewall management licenses for managing up
to 25, 100, or 1,000 firewalls:
Panorama virtual appliance: The Panorama virtual appliance is installed on a VMware server. It allows
for a simple installation and facilitates server consolidation for sites that need a virtual management
appliance. It also supports integration with a Network File System (NFS) for increased storage and log
retention capacity (more than 2 TB).
The Panorama virtual appliance best suits environments with logging rates of up to 10,000 logs/second.
M-100 appliance: A dedicated hardware appliance intended for large-scale deployments. In environments
with high logging rates and log retention requirements, this platform enables scaling of your log collection
infrastructure. The appliance supports RAID 1 mirroring to protect against disk failures, and the default
configuration ships with two 1 TB drives; with additional RAID pairs, the M-100 appliance can support up
to 4 TB of log storage.
The M-100 appliance allows for separation of the central management function from the log collection
function by supporting the following deployment modes:
Panorama mode: The appliance performs both the central management and the log collection
functions. This is the default mode.
Log Collector mode: The appliance functions as a dedicated Log Collector, which either an M-100
appliance in Panorama mode or a Panorama virtual appliance can manage.
When deployed in Log Collector mode, the appliance does not have a web interface; administrative
access is CLI only. However, you manage the appliance using the Panorama management server (M-100
appliance in Panorama mode or a Panorama virtual appliance). CLI access to an M-100 appliance in
Log Collector mode is only necessary for initial setup and debugging.
The platform choice depends on your need for a virtual appliance and your log collection requirements (see
Determine Panorama Log Storage Requirements):
Log Collection Rate          Platform
Up to 10,000 logs/second     Panorama virtual appliance
Up to 30,000 logs/second     M-100 appliance
Centralized Configuration and Deployment Management
Panorama uses Device Groups and Templates to group devices into smaller and more logical sets that require similar
configuration. All configuration elements, policies, and objects on the managed firewalls can be centrally
managed on Panorama using Device Groups and Templates. In addition to managing configuration and policies,
Panorama enables you to centrally manage licenses, software and associated content updates: SSL-VPN clients,
GlobalProtect agents, dynamic content updates (Applications, Threats, WildFire and Antivirus).
Context Switch: Firewall or Panorama
Templates
Device Groups
Context Switch: Firewall or Panorama
The Panorama web interface allows you to toggle between a Panorama-centric view and a firewall-centric view
using the context switch. You can choose to manage the firewall centrally using Panorama and then switch context
to a specific managed firewall to configure the firewall using the firewall user interface. The similarity of the user
interface on the managed firewalls and Panorama allows you to seamlessly move between the interfaces to
administer and monitor the firewall as required.
If you have configured Access Domains to restrict administrative access to specific managed firewalls, the
Panorama user interface displays only the firewalls/features for which the logged-in administrator has
permissions.
Templates
You use templates to configure the settings that managed firewalls require to operate on the network. Templates
enable you to define a common base configuration using the Network and Device tabs on Panorama. For
example, you can use templates to manage interface and zone configurations, server profiles for logging and
SNMP access, and network profiles for controlling access to zones and IKE gateways. When you group firewalls
to define template settings, consider grouping firewalls that share a hardware model and require access to
similar network resources, such as gateways and syslog servers.
Using templates, you can push a limited common base configuration to a group of firewalls and then configure
the rest of the settings manually on the firewall. Alternatively, you can push a larger common base configuration
and then override the template settings on the firewall to accommodate firewall-specific changes. When you
override a setting on the firewall, the setting is saved to the local configuration of the firewall and is no longer
managed by the Panorama template. You can, however, use Panorama to force the template configuration onto
the firewall or restore the template settings on the firewall. For example, you can define a common NTP server
in the template, but override the NTP server configuration on the firewall to accommodate for the local time
zone on the firewall. If you then decide to restore the template settings, you can easily undo or revert the local
changes that you implemented on the firewall.
Templates cannot be used to define an operational state change such as FIPS mode or to enable multi-vsys mode
on the firewalls. For more information, see Template Capabilities and Exceptions.
Device Groups
To use Panorama effectively, you must group the firewalls on your network into logical units called device groups.
A device group allows grouping based on network segmentation, geographic location, or by the need to
implement similar policy configurations. A device group can include physical firewalls, virtual firewalls and/or
a virtual system. By default, all managed devices belong to the Shared device group on Panorama.
Device Groups enable central management of policies and objects using the Policies and Objects tabs on
Panorama. Objects are configuration elements that are referenced in policies. Some of the objects that firewall
policies make use of are: IP addresses, URL categories, security profiles, users, services, and applications.
Using Device Groups you can create shared objects or device group-specific objects and then use these objects
to create a hierarchy of rules (and rulebases) to enforce how managed firewalls handle inbound and outbound
traffic. For example, a corporate acceptable use policy could be defined as a set of shared policies. Then, to allow
only the regional offices to access peer-to-peer traffic such as BitTorrent, you can create a security rule as a
shared policy and target it to the regional offices or make it a device group rule that is pushed to the regional
offices. See Use Case: Configure Firewalls Using Panorama.
Policies
Objects
Policies
Device groups provide a way to implement a layered approach for managing policies across a network of
managed firewalls. The following table lists the policy layers, the firewalls to which the policies apply, and the
platform where you administer the policies:
Policy: Shared
Scope: All the firewalls in all device groups.
Administration Platform: Panorama

Policy: Device group-specific
Scope: All the firewalls assigned to a single device group.
Administration Platform: Panorama

Policy: Local (firewall-specific)
Scope: A single firewall.
Administration Platform: Firewall

Policy: Default (security rules only)
Scope: By default, the default rules are shared (apply to all firewalls in all device groups) and are part of
the predefined configuration. However, if you edit (override) the rules, their scope changes to the level at
which you performed the edits: device group or local (firewall/virtual system).
Administration Platform: Panorama or Firewall
Both shared policies and device group-specific policies allow you to craft pre-rules and post-rules to centrally
manage all the rulebases: Security, NAT, QoS, Policy Based Forwarding, Decryption, Application Override,
Captive Portal, and DoS Protection.
Pre-rules: Rules you add to the top of the rule order and that PAN-OS evaluates first. You can use
pre-rules to enforce the Acceptable Use Policy for an organization; for example, to block access to specific
URL categories, or to allow DNS traffic for all users. Pre-rules can be shared or device group-specific.
Post-rules: Rules that PAN-OS evaluates after the pre-rules and the local firewall rules. Post-rules typically
include rules to deny access to traffic based on the App-ID, User-ID, or Service. Like pre-rules, post-rules
can be shared or device group-specific.
The pre-rules and post-rules that Panorama pushes are visible on the managed firewalls but only editable in
Panorama. The local firewall administrator or a Panorama administrator who switches to a local firewall context
can edit local firewall rules.
Default policies apply only to the Security rulebase. The default rule interzone-default specifies that the firewall
denies all interzone (between zones) traffic that doesn't match another rule. The default rule intrazone-default
specifies that the firewall allows all intrazone (within a zone) traffic that doesn't match another rule. When you
preview rules in Panorama, the default rules appear below all other rules. Initially the default rules are read-only,
either because they are part of the predefined configuration settings or because Panorama pushed them to
devices. However, you can override the settings for tags, action (allow or deny), logging, and security profiles.
The device context determines the level at which you can edit (override) default rules:
On Panorama, you can edit default rules that are part of the predefined configuration. You can edit rules in
a device group or shared context.
On the firewall, you can edit default rules that are part of the predefined configuration, or pushed from a
Panorama shared or device group context. The default rules can be virtual system (vsys) specific.
The order of precedence for default rules runs from the lowest context to the highest: settings edited at the
firewall level override settings at the device group level, which override settings at the shared level.
The evaluation order (from top-first to bottom-last) of all rules is:
When traffic matches a policy rule, the defined action is triggered and the firewall disregards all subsequent
policies. This ability to layer policies creates a hierarchy of rules where local policies are between the pre- and
post-rules, and are editable by switching to the local firewall context, or by accessing the firewall locally. The
firewall web interface visually demarcates this cascade of rules for each device group (and managed firewall),
and provides the ability to scan through a large number of rules.
For details on rule management, refer to the PAN-OS Administrators Guide.
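The layering described above, as an added example that is not part of the original guide and not Palo Alto Networks code: a small Python model of the evaluation order, in which shared and device-group pre-rules are checked first, then the firewall's local rules, then the post-rules, and finally the predefined intrazone-default and interzone-default rules. The rule names, zones and applications are constructed, and the placement of shared rules before device-group rules within the pre-rule band (and after them within the post-rule band) is an assumption, since the guide's ordering figure is not reproduced here.

```python
"""Layered rule evaluation across Panorama pre-rules, local rules, post-rules
and the default rules (added example; not Panorama code).

Assumptions: shared rules precede device-group rules within the pre-rule
band and follow them within the post-rule band; all rule names, zones and
applications below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    from_zone: str = ANY
    to_zone: str = ANY
    app: str = ANY
    targets: Set[str] = field(default_factory=set)  # empty set = all firewalls

    def applies_to(self, firewall: str) -> bool:
        """A shared or device-group rule can be targeted at specific firewalls."""
        return not self.targets or firewall in self.targets

    def matches(self, from_zone: str, to_zone: str, app: str) -> bool:
        return all(want in (ANY, got) for want, got in
                   ((self.from_zone, from_zone), (self.to_zone, to_zone), (self.app, app)))


@dataclass
class Layers:
    """Rule layers as they exist for one firewall after a Panorama push."""
    shared_pre: List[Rule] = field(default_factory=list)
    dg_pre: List[Rule] = field(default_factory=list)
    local: List[Rule] = field(default_factory=list)
    dg_post: List[Rule] = field(default_factory=list)
    shared_post: List[Rule] = field(default_factory=list)


def effective_rulebase(layers: Layers, firewall: str) -> List[Rule]:
    """Flatten the layers into the top-to-bottom order evaluated on `firewall`,
    dropping shared/device-group rules that are targeted at other firewalls."""
    ordered = (layers.shared_pre + layers.dg_pre + layers.local
               + layers.dg_post + layers.shared_post)
    return [r for r in ordered if r.applies_to(firewall)]


def evaluate(layers: Layers, firewall: str, from_zone: str, to_zone: str,
             app: str) -> Tuple[str, str]:
    """First match wins. If nothing matches, the predefined default rules decide:
    intrazone-default allows same-zone traffic, interzone-default denies the rest."""
    for rule in effective_rulebase(layers, firewall):
        if rule.matches(from_zone, to_zone, app):
            return rule.name, rule.action
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed sample: a corporate acceptable-use policy as shared pre-rules,
# with a targeted exception for the regional office, as the guide describes.
SAMPLE = Layers(
    shared_pre=[
        Rule("allow-regional-p2p", "allow", app="bittorrent", targets={"fw-regional"}),
        Rule("deny-p2p", "deny", app="bittorrent"),
        Rule("allow-dns", "allow", app="dns"),
    ],
    local=[
        Rule("allow-web-local", "allow", "trust", "untrust", "web-browsing"),
        Rule("allow-p2p-local", "allow", "trust", "untrust", "bittorrent"),
    ],
    dg_post=[Rule("deny-ssh-outbound", "deny", "trust", "untrust", "ssh")],
)


def demo() -> List[Tuple[str, str]]:
    """Exercise each layer once; returns (matched rule, action) per flow."""
    flows = [
        ("fw-hq", "trust", "untrust", "bittorrent"),        # shared pre-rule beats the local allow
        ("fw-regional", "trust", "untrust", "bittorrent"),  # targeted shared exception
        ("fw-hq", "trust", "untrust", "web-browsing"),      # local rule
        ("fw-hq", "trust", "untrust", "ssh"),               # device-group post-rule
        ("fw-hq", "trust", "trust", "ftp"),                 # intrazone-default
        ("fw-hq", "trust", "untrust", "ftp"),               # interzone-default
    ]
    return [evaluate(SAMPLE, *flow) for flow in flows]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first flow is the point worth noticing: a local administrator's `allow-p2p-local` rule never fires on fw-hq, because the shared `deny-p2p` pre-rule sits above it in the cascade and is only editable from Panorama.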
Objects
Objects are configuration elements that are referenced in policies. Some of the objects that firewall policies
make use of are: IP addresses, URL categories, security profiles, users, services, and applications. Because
objects can be reused across policies, creating shared objects or device group objects reduces duplication of these
configuration elements. For example, creating shared address objects and address groups or shared service
objects and service groups allows you to create one instance of the object and reference it in any rulebase to
manage the firewalls across multiple device groups. Because shared objects are defined once but used many
times, they reduce administrative overhead, and maintain consistency and accuracy everywhere the shared object
is used.
Pre-rules, post-rules and rules locally defined on a firewall can all use shared objects and device group objects.
When creating an object on Panorama, configure the behavior based on whether:
The device group object takes precedence over a shared object, when both objects have the same name. By
default, the Shared Object Takes Precedence option is disabled on Panorama. This behavior ensures that a
shared object only supersedes a device group object with the same name if you explicitly want the value of
a shared object to prevail. When you enable the option for shared objects to take precedence, Panorama
informs you of all the device group objects that will be shadowed. However, if a device has a locally created
object with the same name as a shared or a device group object that is pushed from Panorama, a commit
failure will occur.
All shared and device group objects that are defined on Panorama are pushed to the managed devices. By
default, all objects (those that are and are not referenced in policies) are pushed to the managed devices.
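The precedence rules above, as an added example that is not from the guide and not Palo Alto Networks code: a Python model of object name resolution across the shared, device-group and firewall-local scopes. It resolves a name the way a device-group policy would see it, lists the device-group objects that enabling the shared-precedence option would shadow, and fails a simulated commit when a pushed object collides with a locally created one. The object names and address values are constructed.

```python
"""Name resolution for shared, device-group and firewall-local objects
(added example; not Panorama code). A device-group object normally wins
over a shared object of the same name; enabling "Shared Object Takes
Precedence" reverses that and reports the shadowed names; a firewall-local
object that collides with a pushed object fails the commit. All object
names and values are constructed."""
from typing import Dict, List, Optional, Tuple


class CommitError(Exception):
    """Raised when a pushed object collides with a firewall-local object."""


class ObjectScopes:
    def __init__(self, shared: Dict[str, str], device_group: Dict[str, str],
                 shared_takes_precedence: bool = False):
        self.shared = dict(shared)
        self.device_group = dict(device_group)
        self.shared_takes_precedence = shared_takes_precedence   # Panorama default: disabled

    def resolve(self, name: str) -> Optional[Tuple[str, str]]:
        """Return (scope, value) for `name` as a policy in this device group sees it."""
        in_dg = name in self.device_group
        in_shared = name in self.shared
        if in_dg and in_shared:
            if self.shared_takes_precedence:
                return ("shared", self.shared[name])
            return ("device-group", self.device_group[name])
        if in_dg:
            return ("device-group", self.device_group[name])
        if in_shared:
            return ("shared", self.shared[name])
        return None

    def shadowed_by_shared(self) -> List[str]:
        """Device-group objects that a shared object would supersede once the
        precedence option is enabled (Panorama lists these before you confirm)."""
        return sorted(n for n in self.device_group if n in self.shared)

    def pushed_objects(self) -> Dict[str, str]:
        """Everything Panorama pushes to the firewalls in this device group,
        whether or not a policy references it."""
        merged: Dict[str, str] = {}
        for name in set(self.shared) | set(self.device_group):
            merged[name] = self.resolve(name)[1]
        return merged

    def check_commit(self, local_objects: Dict[str, str]) -> Dict[str, str]:
        """Simulate the push: a local object whose name matches a pushed object
        makes the commit fail; otherwise return the firewall's effective table."""
        pushed = self.pushed_objects()
        collisions = sorted(set(pushed) & set(local_objects))
        if collisions:
            raise CommitError("object name(s) already defined locally: " + ", ".join(collisions))
        return {**pushed, **local_objects}


def build_sample(shared_precedence: bool) -> ObjectScopes:
    """Constructed scopes: 'web-servers' exists at both shared and device-group level."""
    return ObjectScopes(
        shared={"web-servers": "10.0.0.0/24", "dns-servers": "10.0.53.0/24"},
        device_group={"web-servers": "10.10.0.0/24", "branch-printers": "10.10.9.0/24"},
        shared_takes_precedence=shared_precedence,
    )


def demo(shared_precedence: bool) -> Tuple[Optional[Tuple[str, str]], List[str]]:
    scopes = build_sample(shared_precedence)
    return scopes.resolve("web-servers"), scopes.shadowed_by_shared()


if __name__ == "__main__":
    print("default:", demo(False))
    print("shared takes precedence:", demo(True))
    try:
        build_sample(False).check_commit({"web-servers": "192.0.2.0/24"})
    except CommitError as exc:
        print("commit failed:", exc)
```

The shadow report is the part to review before enabling the option: every name it lists is a device-group value that silently stops being used, which is an easy way to widen or narrow a rule's match without touching the rule itself.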
Centralized Logging and Reporting
Panorama aggregates data from all managed firewalls and provides visibility across all the traffic on the network.
It also provides an audit trail for all policy modifications and configuration changes made to the managed
firewalls. In addition to aggregating logs, Panorama can aggregate and forward SNMP traps, email notifications,
and syslog messages to an external destination.
The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all
the firewalls; it allows you to centrally analyze, investigate, and report on network traffic and security incidents.
On Panorama, you can view logs and generate reports from logs forwarded to Panorama or to the managed Log
Collectors, if configured, or you can query the managed firewalls directly. For example, you can generate reports
about traffic, threat, and/or user activity in the managed network based on logs stored on Panorama (and the
managed Log Collectors) or by accessing the logs stored locally on the managed firewalls.
If you choose not to configure the managed firewalls to forward logs to Panorama, you can schedule reports to
be run on each managed firewall and forward the results to Panorama for a combined view of user activity and
network traffic. Although this view does not provide granular drill-down on specific data and activities, it still
provides a unified reporting approach.
Logging Options
Managed Collectors and Collector Groups
Caveats for a Collector Group with Multiple Log Collectors
Centralized Reporting
Logging Options
Both the Panorama virtual appliance and M-100 appliance can collect logs that the managed firewalls forward.
You can then configure Panorama to forward these aggregated logs to external services (Syslog server, email
server, or SNMP trap server). The logging options vary on each platform.
Panorama Platform: Virtual appliance
Logging Options: Offers three logging options:
  Use the approximately 11GB of internal storage space allocated for logging as soon as
  you install the virtual appliance.
  Add a virtual disk that can support up to 2TB of storage.
  Mount a Network File System (NFS) datastore in which you can configure the storage
  capacity that is allocated for logging.
Panorama Platform: M-100 appliance
Logging Options: The default shipping configuration includes 1TB disks in a RAID pair, which you can
increase to 4TB RAID storage (see Increase Storage on the M-100 Appliance). When the
M-100 appliance is in Panorama mode, you can enable the RAID disks and use these disks
as the default Log Collector. If you have an M-100 appliance in Log Collector mode
(a dedicated Log Collector), you use Panorama to assign firewalls to the dedicated Log
Collectors. In a deployment with multiple dedicated Log Collectors, Panorama queries all
managed Log Collectors to generate an aggregated view of traffic and cohesive reports. For
easy scaling, begin with a single Panorama and incrementally add dedicated Log Collectors
as your needs expand.
Managed Collectors and Collector Groups
A Log Collector can be local to an M-100 appliance in Panorama mode (default Log Collector) or can be an M-100
appliance in Log Collector mode (dedicated Log Collector). Because you use Panorama to configure and manage
Log Collectors, they are also known as Managed Collectors. An M-100 appliance in Panorama mode or a
Panorama virtual appliance can manage dedicated Log Collectors. To administer dedicated Log Collectors using
the Panorama web interface, you must add them as Managed Collectors. Otherwise, administrative access to a
dedicated Log Collector is only available through its CLI using the default administrative user (admin) account.
Dedicated Log Collectors do not support additional administrative user accounts.
A Collector Group is one or more Managed Collectors that operate as a single logical log collection unit. If the
group contains dedicated Log Collectors, the logs are uniformly distributed across all the disks in each Log
Collector and across all members in the Collector Group. This distribution maximizes the use of the available
storage space. To manage a Log Collector, you must add it to a Collector Group. Each Panorama can manage
up to 64 Log Collectors in a Collector Group. However, Palo Alto Networks recommends placing only one Log
Collector in a Collector Group unless more than 4TB of storage space is required in a Collector Group. For
details, see Caveats for a Collector Group with Multiple Log Collectors.
The Collector Group configuration specifies which managed firewalls can send logs to the Log Collectors in the
group. After you configure the Log Collectors and enable the firewalls to forward logs, each firewall forwards
its logs to the assigned Log Collector.
If you use Panorama to manage firewalls running both PAN-OS 5.0 and a PAN-OS version earlier
than 5.0, note the following compatibility requirements:
Only devices running PAN-OS v5.0 can send logs to a dedicated Log Collector.
Devices running PAN-OS versions earlier than 5.0 can only send logs to a Panorama virtual
appliance or to an M-100 appliance in Panorama mode.
Managed Collectors and Collector Groups are integral to a distributed log collection deployment on Panorama.
A distributed log collection deployment allows for easy scalability and incremental addition of dedicated Log
Collectors as your logging needs grow. The M-100 appliance in Panorama mode can log to its default Collector
Group and then be expanded to a distributed log collection deployment with one or more Collector Groups
that include dedicated Log Collectors.
Caveats for a Collector Group with Multiple Log Collectors
Although Palo Alto Networks recommends placing only one Log Collector in a Collector Group, if you have a
scenario where you need more than 4TB of log storage capacity in a Collector Group for the required log
retention period, you will need to add multiple Log Collectors to the group. For example, if a single managed
firewall generates 12 TB of logs, you will require at least three Log Collectors in the Collector Group that
receives those logs.
If a Collector Group contains multiple Log Collectors, the available storage space is used as one logical unit and
the logs are uniformly distributed across all the Log Collectors in the Collector Group. The log distribution is
based on the disk capacity of the Log Collectors (which ranges from 1TB to 4TB, depending on the number of
disk pairs) and a hash algorithm that dynamically decides which Log Collector owns the logs and writes to disk.
Although Panorama uses a preference list to prioritize the list of Log Collectors to which a managed firewall
can forward logs, Panorama does not necessarily write the logs to the first Log Collector specified in the
preference list. For example, consider the following preference list:
Managed Firewall   Log Forwarding Preference List Defined on a Collector Group
FW1                L1,L2,L3
FW2                L4,L5,L6
Using this list, FW1 will forward logs to L1, its primary Log Collector, but the hash algorithm could determine
that the logs will be written on L2. If L2 becomes inaccessible or has a chassis failure, FW1 will not know about
its failure because it is still able to connect to L1, its primary Log Collector.
In the case where a Collector Group has only one Log Collector and the Log Collector fails, the firewall stores
the logs to its HDD/SSD (the available storage space varies by hardware model), and resumes forwarding logs
to the Log Collector where it left off before the failure occurred as soon as connectivity is restored.
With multiple Log Collectors in a Collector Group, the firewall does not buffer logs to its local storage when
it can connect to its Primary Log Collector. Therefore, FW1 will continue sending logs to L1. Because L2 is
unavailable, the Primary Log Collector L1 buffers the logs to its HDD, which has 10GB of log space. If L2
remains unavailable and the logs pending for L2 exceed 10GB, L1 will overwrite the older log entries to continue
logging. In such an event, loss of logs is a risk. Therefore, Palo Alto Networks recommends the following
mitigations if using multiple Log Collectors in a Collector Group:
Obtain an On-Site-Spare (OSS) to enable prompt replacement if a Log Collector failure occurs.
In addition to forwarding logs to Panorama, enable forwarding to an external service as backup storage. The
external service can be a Syslog server, email server, or Simple Network Management Protocol (SNMP) trap
server. For details, see Enable Log Forwarding to Panorama.
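The failure mode described in this section, as an added example that is not from the guide and not Palo Alto Networks code: a Python simulation of a Collector Group with a preference list, a capacity-weighted hash that decides which Log Collector owns each log, and the buffering that happens on the primary Log Collector when the owner is unreachable. The collector names, disk capacities and log batch sizes are constructed, the 10GB primary buffer comes from the text above, and the capacity weighting of the hash ring is an assumption (the guide only says the distribution considers disk capacity and a hash).

```python
"""Simulation of log ownership and buffering in a Collector Group with more
than one Log Collector (added example; not Panorama code).

The firewall forwards to the first reachable collector in its preference
list; a capacity-weighted hash picks the collector that owns each log; when
the owner is down the primary buffers on its own disk (10GB, per the guide)
and discards the oldest pending entries once that buffer overflows. Names,
capacities and batch sizes are constructed; the weighting is an assumption."""
from collections import deque
import hashlib
from typing import Deque, Dict, List, Tuple


class LogCollector:
    def __init__(self, name: str, capacity_tb: int, buffer_gb: float = 10.0):
        self.name = name
        self.capacity_tb = capacity_tb               # 1 to 4 TB depending on disk pairs
        self.reachable = True
        self.written_gb = 0.0                        # logs committed to this collector's disks
        self.buffer_gb = buffer_gb                   # space for logs owed to a down owner
        self.pending: Deque[Tuple[str, float]] = deque()   # (owner name, size in GB)
        self.lost_gb = 0.0                           # pending entries overwritten by newer ones


class CollectorGroup:
    def __init__(self, collectors: List[LogCollector], preference: Dict[str, List[str]]):
        self.collectors = {c.name: c for c in collectors}
        self.preference = preference                 # firewall -> ordered collector names
        # Capacity-weighted slot ring: a 4TB collector owns four times the slots of a 1TB one.
        self.ring = [c.name for c in collectors for _ in range(c.capacity_tb)]
        self.fw_local_buffer_gb: Dict[str, float] = {}   # firewall-side buffering

    def owner_of(self, log_id: str) -> str:
        """Deterministic owner selection (sha256, not Python's randomised hash())."""
        digest = hashlib.sha256(log_id.encode()).digest()
        return self.ring[int.from_bytes(digest[:8], "big") % len(self.ring)]

    def forward(self, firewall: str, log_id: str, size_gb: float) -> str:
        primary = next((self.collectors[n] for n in self.preference[firewall]
                        if self.collectors[n].reachable), None)
        if primary is None:
            # No reachable collector at all: the firewall keeps the log on its own disk.
            self.fw_local_buffer_gb[firewall] = self.fw_local_buffer_gb.get(firewall, 0.0) + size_gb
            return "buffered-on-firewall"
        owner = self.collectors[self.owner_of(log_id)]
        if owner.reachable:
            owner.written_gb += size_gb
            return f"written:{owner.name}"
        # Owner down but primary up: the firewall sees no failure; the primary buffers.
        primary.pending.append((owner.name, size_gb))
        while sum(size for _, size in primary.pending) > primary.buffer_gb:
            _, dropped = primary.pending.popleft()
            primary.lost_gb += dropped               # oldest pending entry overwritten
        return f"pending-on:{primary.name}"


def demo() -> Dict[str, float]:
    """FW1 forwards 40 constructed 1GB batches while L2 is down; returns the tallies."""
    l1, l2, l3 = LogCollector("L1", 4), LogCollector("L2", 4), LogCollector("L3", 4)
    group = CollectorGroup([l1, l2, l3], {"FW1": ["L1", "L2", "L3"]})
    l2.reachable = False
    for i in range(40):
        group.forward("FW1", f"FW1-log-{i}", 1.0)
    owed = sum(1.0 for i in range(40) if group.owner_of(f"FW1-log-{i}") == "L2")
    return {"written": l1.written_gb + l3.written_gb,
            "pending_on_L1": sum(size for _, size in l1.pending),
            "lost": l1.lost_gb,
            "owed_to_L2": owed}


if __name__ == "__main__":
    print(demo())
```

Note what `forward` never reports: as long as L1 answers, every call returns success from the firewall's point of view, so the `lost` tally is only visible on the collector side. That is the reason the guide pairs multi-collector groups with an on-site spare and external forwarding as backup storage.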
Centralized Reporting
Panorama aggregates logs from all managed firewalls and enables reporting on the aggregated data for a global
view of application use, user activity, and traffic patterns across the entire network infrastructure. As soon as the
firewalls are added to Panorama, the ACC can display all traffic traversing your network. With logging enabled,
clicking into a log entry in the ACC provides direct access to granular details about the application.
For generating reports, Panorama uses two sources: the local Panorama database and the remote firewalls that
it manages. The Panorama database refers to the local storage on Panorama that is allocated for storing both
summarized logs and some detailed logs. If you have a Distributed Log Collection deployment, the Panorama
database includes the local storage on Panorama and all the managed Log Collectors. Panorama summarizes the
information (traffic, application, threat) collected from all managed firewalls at 15-minute intervals. Using
the local Panorama database allows for faster response times; however, if you prefer not to forward logs to
Panorama, Panorama can directly access the remote firewall and run reports on data that is stored locally on the
managed firewalls.
Panorama offers more than 40 predefined reports that can be used as is, or they can be customized by
combining elements of other reports to generate custom reports and report groups that can be saved. Reports
can be generated on demand, on a recurring schedule, and can be scheduled for email delivery. These reports
provide information on the user and the context so that you correlate events and identify patterns, trends, and
potential areas of interest. With the integrated approach to logging and reporting, the ACC enables correlation
of entries from multiple logs relating to the same event.
Panorama Commit Operations
When editing the configuration on Panorama, you are changing the candidate configuration file. The candidate
configuration is a copy of the running configuration along with any changes you made since the last commit.
The Panorama web interface displays all the configuration changes immediately. However, Panorama won't
implement the changes until you commit them. The commit process validates the changes in the candidate
configuration file and saves it as the running configuration on Panorama.
After any system event or administrator action causes Panorama to reboot, all your changes
since the last commit will be lost. To preserve changes without committing them, periodically click
Save at the top right of the web interface to save a snapshot of the candidate configuration. If a
reboot occurs, you can then revert to the snapshot. For details on backing up and restoring
running and candidate configurations, see Manage Panorama Configuration Backups.
When initiating a commit on Panorama, select one of the following types:
Commit Option: Panorama
Description: Commits the changes on the current candidate configuration to the running configuration
on Panorama. You must first commit your changes on Panorama before committing any
configuration updates (templates or device groups) to the managed firewalls or Collector
Groups.

Commit Option: Template
Description: Commits network and device configurations from a Panorama template to the selected
firewalls.

Commit Option: Device Group
Description: Commits policies and objects configured from Panorama to the selected firewalls/virtual
systems.

Commit Option: Collector Group
Description: Commits changes to the specified Collector Groups that Panorama manages.
When you perform a commit, Panorama pushes the entire configuration to the managed firewalls. When the
commit completes, a result displays: Commit succeeded or Commit succeeded with warnings.
Some other commit choices are:
Preview Changes: This option is available when the Commit Type is Panorama. It enables you to compare
the candidate configuration with the running configuration in the same way as the Panorama > Config Audit
feature (see Compare Changes in Panorama Configurations). After clicking Preview Changes, select the
number of lines to include for context, and click OK. As a best practice, preview your configuration changes
before committing them.
Because the preview results display in a new window, your browser must allow pop-ups. If the
preview window does not open, refer to your browser documentation for the steps to unblock
pop-ups.
Include Device and Network Templates: This option is available when committing a device group from
Panorama. It allows you to commit both device group and template changes, to the pertinent firewalls, in a
single commit operation.
If you prefer to commit your changes as separate commit operations, do not select this check box.
Force Template Values: When performing a Template commit, the Force Template Values option overrides
all local configuration and removes objects on the selected firewalls or virtual systems that do not exist in
the template or have been overridden by the local configuration. This is an override that reverts all existing
configuration on the managed firewall, and ensures that the firewall inherits the settings defined in the
template only.
Merge with Candidate Config: When enabled, this option allows you to merge and commit the Panorama
configuration changes with any pending configuration changes that were implemented locally on the target
firewall. If this option is not enabled, the candidate configuration on the firewall is not included in the
commit operation. As a best practice, leave this option disabled if you allow firewall administrators to modify
the configuration directly on a firewall and you don't want to include their changes when committing changes
from Panorama.
Role-Based Access Control
Role-based access control (RBAC) allows you to specify the privileges and responsibilities accorded to every
administrative user. On Panorama, you can define administrative accounts with specific roles, profiles, or Access
Domains to regulate access to specific features on Panorama and the managed firewalls; these options allow you
to limit administrative access to only the firewalls and areas of the management interface that each administrator
requires to perform the job. By default, every Panorama server comes pre-configured with a default
administrative account (admin) that provides full read-write access (also known as superuser access). As a best
practice, create a separate administrative account for each person who needs access to the administrative or
reporting functions on Panorama. This provides better protection against unauthorized configuration (or
modification) and enables logging of the actions of each administrator.
For every administrative user, you can also define an authentication profile that determines how the user's access
credentials are verified. To enforce more granular administrative access, use access domains to restrict
administrative access to a particular firewall, device group or template.
Administrative Roles
Authentication Profiles and Sequences
Access Domains
Administrative Authentication
Administrative Roles
The way you configure administrator accounts depends on the security requirements of your organization,
whether it has existing authentication services with which to integrate, and the administrative roles it requires.
A role defines the type of system access an administrator has. The role types are:
Dynamic Roles: These are built-in roles that provide access to Panorama and managed devices. When
new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to
manually update them. The following table lists the access privileges associated with dynamic roles.
Dynamic Role: Superuser
Privileges: Full read-write access to Panorama

Dynamic Role: Superuser (read-only)
Privileges: Read-only access to Panorama

Dynamic Role: Panorama administrator
Privileges: Full access to Panorama except for the following actions:
  Create, modify, or delete Panorama or device administrators and roles.
  Export, validate, revert, save, load, or import a configuration in the Device > Setup >
  Operations page.
  Configure Scheduled Config Export functionality in the Panorama tab.
Admin Role Profiles: To provide more granular access control over the functional areas of the web
interface, CLI, and XML API, you can create custom roles. When new features are added to the product,
you must update the roles with corresponding access privileges: Panorama does not automatically add new
features to custom role definitions. When creating a custom role (see Set Up Administrative Access to
Panorama), you select one of the following profiles:
Administrator Role Profile: Panorama
Description: For these roles, you can assign read-write access, read-only access, or no access to all the
Panorama features that are available to the superuser dynamic role except the management
of Panorama administrators and Panorama roles. For the latter two features, you can assign
read-only access or no access, but you cannot assign read-write access.
An example use of a Panorama role would be for security administrators who require access
to security policy definitions, logs, and reports on Panorama.

Administrator Role Profile: Device Group and Template
Description: For these roles, you can assign read-write access, read-only access, or no access to the device
groups and templates specified in the administrator account definition. Roles with this
profile have the following limitations:
  No access to the CLI or XML API
  No access to configuration or system logs
  No access to App Scope or reports
  No access to VM information sources
  In the Panorama tab, access is limited to device deployment features (read-write,
  read-only, or no access) and to the templates, managed devices, and device groups
  specified in the administrator account (read-only or no access).
An example use of this role would be for administrators in your operations staff who require
access to the device and network configuration areas of the web interface for specific device
groups and/or templates.
Authentication Profiles and Sequences
Among its other uses, an authentication profile defines how an administrative user is authenticated on Panorama
upon login. If you create a local user account on Panorama, you can authenticate the user to the local database,
or use an external RADIUS, LDAP, or Kerberos server for authentication. If you do not want to create a local
user account, and want to manage both account administration and authentication using an external
authentication mechanism, you must use RADIUS. For a high-level overview of the process, see Use RADIUS
Vendor-Specific Attributes for Account Authentication.
To authenticate to multiple authentication sources (local, RADIUS, LDAP, and/or Kerberos), define an
authentication sequence. An authentication sequence is a ranked order of authentication profiles that an
administrative user is matched against. Panorama checks against the local database first, and then each profile
in sequence until the user is successfully authenticated. The user is denied access to Panorama only if
authentication fails for all the profiles defined in the authentication sequence.
To create authentication profiles and sequences, see Create an Authentication Profile and Define an
Authentication Sequence.
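The sequence semantics described above, as an added example that is not from the guide and not Palo Alto Networks code: a Python model in which the local database is checked first, then each profile in its ranked order, with access denied only when every profile fails. The external profiles are in-memory stand-ins for RADIUS, LDAP and Kerberos servers (one of them deliberately unreachable, to show the sequence moving on); the user names, passwords and profile order are constructed.

```python
"""Evaluation of a Panorama-style authentication sequence (added example; not
Panorama code). Local database first, then each profile in ranked order;
denied only when all fail. Profiles are in-memory stand-ins for external
servers; credentials and profile order are constructed."""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

Profile = Callable[[str, str], bool]   # (username, password) -> authenticated?


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalDatabase:
    """Local user database storing salted PBKDF2 hashes rather than passwords."""
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _pbkdf2(password, salt))

    def check(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _pbkdf2(password, salt))


def external_profile(name: str, directory: Dict[str, str],
                     reachable: bool = True) -> Tuple[str, Profile]:
    """Stand-in for an external server profile. An unreachable server simply
    fails the attempt, and the sequence moves on to the next profile."""
    def check(username: str, password: str) -> bool:
        if not reachable:
            return False
        expected = directory.get(username)
        return expected is not None and hmac.compare_digest(expected, password)
    return name, check


class AuthenticationSequence:
    def __init__(self, local: LocalDatabase, profiles: List[Tuple[str, Profile]]) -> None:
        self.local = local
        self.profiles = profiles   # ranked order

    def authenticate(self, username: str, password: str) -> Tuple[bool, Optional[str]]:
        """Return (granted, name of the profile that granted access)."""
        if self.local.check(username, password):
            return True, "local"
        for name, check in self.profiles:
            if check(username, password):
                return True, name
        return False, None


def build_sample() -> AuthenticationSequence:
    """Constructed accounts: one local, one RADIUS-only, one known to LDAP and
    Kerberos (with the LDAP server down), one Kerberos-only."""
    local = LocalDatabase()
    local.add("admin", "local-secret")
    radius = external_profile("corp-radius", {"alice": "alice-pw"})
    ldap = external_profile("corp-ldap", {"bob": "bob-pw"}, reachable=False)
    kerberos = external_profile("corp-krb", {"bob": "bob-pw", "carol": "carol-pw"})
    return AuthenticationSequence(local, [radius, ldap, kerberos])


if __name__ == "__main__":
    seq = build_sample()
    for user, pw in [("admin", "local-secret"), ("alice", "alice-pw"),
                     ("bob", "bob-pw"), ("carol", "wrong"), ("nobody", "x")]:
        print(user, seq.authenticate(user, pw))
```

The "bob" case is the one to keep in mind when reviewing a sequence: a profile that is down does not deny the user, it only defers to the next profile, so every profile in the list must be one you would accept as the sole authority for that account.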
Access Domains
An access domain defines the features and permissions accorded to an administrative user, enabling granular
control over the administrative user's ability to switch context and access the features on the user interface of
the managed firewalls. Access domains can also limit access to a subset of the device groups and/or templates
created on Panorama and therefore restrict the user's ability to configure and manage firewalls.
The access domain is linked to RADIUS vendor-specific attributes (VSAs) and is supported only if a RADIUS
server is used for administrator authentication. If RADIUS is not used, the access domain settings are ignored.
For information on defining an access domain, see Define an Access Domain.
Administrative Authentication
There are four ways to authenticate administrative users:
Local administrator account with local authentication: Both the administrator account credentials and
the authentication mechanisms are local to the firewall. To further secure the local administrator account,
create a password profile that defines a validity period for passwords and/or set firewall-wide password
complexity settings. For more information, see Create an Administrative Account.
Local administrator account with certificate- or key-based authentication: With this option, the
administrator accounts are local to the firewall, but authentication is based on SSH keys (for CLI access) or
client certificates/common access cards (for the web interface). For details on how to configure this type of
administrative access, see Enable Certificate-Based Authentication for the Web Interface and Enable SSH
Key-Based Authentication for the CLI.
Local administrator account with external authentication: The administrator accounts are managed
on the local firewall, but the authentication functions are offloaded to an existing LDAP, Kerberos, or
RADIUS service. To configure this type of account, you must first create an authentication profile that
defines how to access the external authentication service and then create an account for each administrator
that references the profile. For more information, see Create an Authentication Profile.
External administrator account and authentication: Account administration and authentication are
handled by an external RADIUS server. To use this option, you must define Vendor Specific Attributes
(VSAs) on your RADIUS server that map to the admin role. For a high-level overview of the process, see
Use RADIUS Vendor-Specific Attributes for Account Authentication. For details on how to configure this
type of administrative access, refer to the Radius Vendor Specific Attributes (VSA) article.
Panorama Recommended Deployments
A Panorama deployment comprises the Panorama management server (which has a browser-based interface),
optional Log Collectors, and the Palo Alto Networks firewalls that Panorama manages. The recommended
deployments are:
Panorama for Centralized Management and Reporting
Panorama in a Distributed Log Collection Deployment
For the procedures to configure the most typical log collection deployments, see Log Collection
Deployments.
Panorama for Centralized Management and Reporting
The following diagram illustrates how you can deploy the Panorama virtual appliance or M-100 appliance in a
redundant configuration for the following benefits:
Centralized management: Centralized policy and device management that allows for rapid deployment
and management of up to one thousand firewalls.
Visibility: Centralized logging and reporting to analyze and report on user-generated traffic and potential
threats.
Role-based access control: Appropriate levels of administrative control at the firewall level or global level
for administration and management.
Panorama in a Distributed Log Collection Deployment
The hardware-based Panorama (the M-100 appliance) can be deployed either as a Panorama management
server that performs management and log collection functions or as a dedicated Log Collector that provides a
comprehensive log collection solution for the firewalls on your network. Using the M-100 appliance as a Log
Collector allows for a more robust environment where the log collection process is offloaded to a dedicated
appliance. Using a dedicated appliance in a Distributed Log Collection (DLC) deployment provides redundancy,
improved scalability, and capacity for longer term log storage.
In a DLC deployment, the Panorama management server (Panorama virtual appliance or an M-100 appliance
in Panorama mode) manages the firewalls and the Log Collectors. Using Panorama, the firewalls are configured
to send logs to one or more Log Collectors; Panorama can then be used to query the Log Collectors and provide
an aggregated view of network traffic. In a DLC configuration, the logs stored on the Log Collectors are
accessible from both the primary and secondary Panorama peers in a high availability (HA) pair.
In the following topology, the Panorama peers in an HA configuration manage the deployment and
configuration of firewalls running PAN-OS 4.x and 5.x or 6.x. This solution provides the following benefits:
Allows for improved performance in the management functions on Panorama
Provides high-volume log storage on a dedicated hardware appliance
Provides horizontal scalability and redundancy with RAID 1 storage
Plan Your Deployment
Determine the management approach. Do you plan to use Panorama to centrally configure and manage
the policies, to centrally administer software, content and license updates, and/or centralize logging and
reporting across the managed devices in the network?
If you already deployed and configured the Palo Alto Networks firewalls on your network, determine
whether to transition the devices to centralized management. This process requires a migration of all
configuration and policies from your firewalls to Panorama. For details, see Transition a Firewall to
Panorama Management.
Verify that Panorama is on the same release version or a later version than the firewalls that it will manage.
For example, Panorama with version 4.0 cannot manage firewalls running PAN-OS 5.0. For versions
within the same feature release, although Panorama can manage firewalls running a later version of
PAN-OS, Palo Alto Networks recommends that Panorama run the same version or a later version. For
example, if Panorama runs 6.0.3, it is recommended that all managed firewalls run PAN-OS 6.0.3 or earlier
versions.
Plan to use the same URL filtering database (BrightCloud or PAN-DB) across all managed firewalls. If
some firewalls are using the BrightCloud database and others are using PAN-DB, Panorama can only
manage security policies for one or the other URL filtering database. URL filtering rules for the other
database must be managed locally on the firewalls that use that database.
Plan to use Panorama in a high availability configuration; set it up as an active/passive high availability pair.
See Panorama High Availability.
Estimate the log storage capacity your network needs to meet security and compliance requirements.
Consider such factors as the network topology, number of firewalls sending logs, type of log traffic (for
example, URL and threat logs versus traffic logs), the rate at which firewalls generate logs, and the number
of days for which you want to store logs on Panorama. For details, see Determine Panorama Log Storage
Requirements.
For meaningful reports on network activity, plan a logging solution:
Do you need to forward logs to a syslog server, in addition to Panorama?
If you need a long-term storage solution, do you have a Security Information and Event Management
(SIEM) solution, such as Splunk or ArcSight, to which you need to forward logs?
Do you need redundancy in logging? With Panorama virtual appliances in HA, each peer can log to its
virtual disk. The managed devices can send logs to both peers in the HA pair. This option provides
redundancy in logging and is best suited to support up to 2TB of log storage capacity.
Will you log to a Network File System (NFS)? Only the Panorama virtual appliance supports NFS.
Consider using NFS if more than 2TB of log storage capacity is required. If using NFS, note that the
managed devices can send logs only to the primary peer in the HA pair, and only the active-primary
Panorama is mounted to the NFS and can write to it.
If your logging solution includes M-100 appliances, by default they use the management (MGT) interface
for configuration, log collection, and Collector Group communication. However, it is a best practice to use
the Eth1 or Eth2 interfaces for log collection and Collector Group communication to improve security,
control traffic prioritization, performance, and scalability. Determine whether your solution would benefit
from using separate interfaces for these functions. For details, see Set Up the M-100 Appliance.
Determine what access privileges, roles, and permissions administrators require to access the managed
firewalls and Panorama. See Set Up Administrative Access to Panorama.
Plan the required Device Groups. To do this, determine whether to group firewalls based on function,
security policy, geographic location, or network segmentation. An example of a function-based device
group is one that contains all the firewalls that a Research and Development team uses. You might also
group firewalls by the function they perform, such as gateway firewalls, branch office firewalls or
datacenter firewalls.
Plan a layering strategy for administering policies. Think through how policies must be inherited and
evaluated and how to best implement shared rules, device-group rules, and device-specific rules to meet
your network needs.
For visibility and centralized policy management, consider using Panorama for administering policies,
even if you would like to create device-specific exceptions to shared/device-group policies. To apply a
rule to a subset of devices in a device group, you can target the rule(s) to the specific device(s); see Push
a Policy to a Subset of Firewalls.
Consider whether to create smaller device groups based on commonality or to create larger device
groups to scale more easily. See Use Case: Configure Firewalls Using Panorama.
Plan your device organization for how configuration settings (using templates) are inherited and enforced.
For example, think through how to assign devices to templates based on hardware platforms, geographic
proximity, and similar network setup needs for time zones, DNS server, and interface settings. See Use
Case: Configure Firewalls Using Panorama.
Deploy Panorama: Task Overview
The following task list summarizes the steps to get started with Panorama. For an example of how to use
Panorama for central management, see Use Case: Configure Firewalls Using Panorama.
Deploy Panorama: Task Overview
1. (M-100 appliance only) Rack mount the appliance. Refer to the M-100 Hardware Reference Guide.
2. Perform initial configuration to enable network access to Panorama. See Set Up the Panorama Virtual Appliance or
   Set Up the M-100 Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.
5. Add a Firewall as a Managed Device.
6. Add a Device Group and Add a Template.
7. (Optional) Configure log forwarding to Panorama and/or to external services. See Manage Log Collection.
8. Monitor network activity using the visibility and reporting tools on Panorama. See Monitor the Network with the
   ACC and AppScope and Generate, Schedule, and Email Reports.
9. (Optional/recommended) Set up Panorama in a high availability configuration. See Panorama High Availability.
Set Up Panorama
For centralized reporting and cohesive policy management across all the firewalls on your network, Panorama
can be deployed as a virtual appliance or as a hardware appliance (the M-100 appliance).
The following topics describe how to set up Panorama on your network:
Determine Panorama Log Storage Requirements
Set Up the Panorama Virtual Appliance
Set Up the M-100 Appliance
Migrate from a Panorama Virtual Appliance to an M-100 Appliance
Register Panorama and Install Licenses
Install Content and Software Updates for Panorama
Access and Navigate Panorama Management Interfaces
Set Up Administrative Access to Panorama
Determine Panorama Log Storage Requirements
When you Plan Your Deployment, estimate how much log storage capacity Panorama requires to determine
which Panorama Platforms to deploy, whether to expand the storage on those platforms beyond their default
capacities, whether to deploy Dedicated Log Collectors, and whether to Enable Log Forwarding from Panorama
to External Destinations. When Panorama reaches the maximum capacity, it automatically deletes older logs to
create space for new ones. Therefore, to ensure that log retention meets your needs, you should configure any
additional storage during the Panorama setup stage. To expand log storage capacity during or after setup, see
Expand Log Storage Capacity on the Panorama Virtual Appliance or Increase Storage on the M-100 Appliance.
Determine Panorama Log Storage Requirements
Step 1  Determine the log retention requirements of your organization.
   You can Reallocate Log Storage Quota for each log type as a percentage of the total space if you need to
   prioritize log retention by type.
Step 2  Determine the average daily logging rates.
   Do this multiple times each day at peak and non-peak times to estimate the average. The more often you
   sample the rates, the more accurate your estimate.
   1. Display the current log generation rate in logs per second:
      If Panorama is not yet collecting logs, access the CLI of each firewall, run the following command, and
      calculate the total rates for all the firewalls. This command displays the number of logs received in the
      last second.
      > debug log-receiver statistics
      If Panorama is already collecting logs, run the following command at the CLI of each platform that
      receives logs (Panorama management server or Dedicated Log Collector) and calculate the total rates.
      This command gives the average logging rate for the last five minutes.
      > debug log-collector log-collection-stats show incoming-logs
      You can also use an SNMP manager to determine the logging rates of M-Series appliances by monitoring
      the panLcLogRate object (OID 1.3.6.1.4.1.25461.2.3.30.1.1).
   2. Calculate the average of the sampled rates.
   3. Calculate the daily logging rate by multiplying the average logs-per-second by 86,400.
Step 3  Estimate the required storage capacity.
   This formula provides only an estimate; the exact amount of required storage will differ from the formula
   result.
   Use the formula:
   <required storage duration> x <average log size> x <average logging rate> / <compression factor>
   The average log size and the log compression factor vary considerably by log type. However, you can use
   600 bytes as an approximate average log size and 3 as an approximate compression factor.
   For example, if Panorama must store logs for 30 days and the average total logging rate for all firewalls is
   21,254,400 logs per day, then the required log storage capacity is: 30 x 600 x 21,254,400 / 3
   = 127,526,400,000 bytes (approximately 128GB).
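As an added example (not code from the guide or from Palo Alto Networks), the following Python carries the Step 2 and Step 3 procedure through on constructed rate samples: it totals the per-firewall readings at each sampling time, averages them, scales to a daily rate, applies the storage formula, and maps the result onto the virtual appliance storage options (internal storage, virtual disk up to 2TB, NFS beyond that) described later in this guide. Hostnames, sampling times and rates are constructed; the 600-byte log size and compression factor of 3 are the guide's approximations.

```python
"""Estimate Panorama log storage from sampled logging rates.

Added example, not code from the Panorama guide or from Palo Alto Networks.
It applies the guide's formula
    <required storage duration> x <average log size> x <average logging rate> / <compression factor>
to logs-per-second readings taken with 'debug log-receiver statistics' on each
firewall (or 'debug log-collector log-collection-stats show incoming-logs' on each
Log Collector). All hostnames, sampling times and rates below are constructed.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DEFAULT_LOG_SIZE_BYTES = 600     # approximate average log size from the guide
DEFAULT_COMPRESSION_FACTOR = 3   # approximate compression factor from the guide

# Storage tiers the guide describes for the Panorama virtual appliance.
INTERNAL_LOG_STORAGE_BYTES = 11 * 10**9   # default internal allocation, about 11GB
MAX_VIRTUAL_DISK_BYTES = 2 * 10**12       # one additional virtual disk, up to 2TB


@dataclass(frozen=True)
class RateSample:
    """One logs-per-second reading from the CLI of a firewall or Log Collector."""
    source: str            # constructed hostname of the platform that was sampled
    taken_at: str          # constructed sampling label, e.g. "day1 09:00 (peak)"
    logs_per_second: float


# Constructed samples: two firewalls read at peak and off-peak times on one day.
SAMPLE_RATES = [
    RateSample("fw-branch-1", "day1 09:00 (peak)", 210),
    RateSample("fw-dc-1",     "day1 09:00 (peak)", 120),
    RateSample("fw-branch-1", "day1 14:00 (peak)", 180),
    RateSample("fw-dc-1",     "day1 14:00 (peak)", 100),
    RateSample("fw-branch-1", "day1 23:00 (off-peak)", 80),
    RateSample("fw-dc-1",     "day1 23:00 (off-peak)", 48),
]


def total_rate_per_sample_time(samples):
    """Sum the per-source rates at each sampling time.

    Step 2 of the guide totals the rates of all firewalls (or all platforms
    receiving logs) before averaging, so every source should be read at
    roughly the same moment for each sampling time.
    """
    totals = {}
    for s in samples:
        if s.logs_per_second < 0:
            raise ValueError(f"negative rate from {s.source} at {s.taken_at}")
        totals[s.taken_at] = totals.get(s.taken_at, 0.0) + s.logs_per_second
    return totals


def average_daily_log_count(samples):
    """Average the summed per-time rates and scale to logs per day (x 86,400)."""
    totals = total_rate_per_sample_time(samples)
    if not totals:
        raise ValueError("at least one rate sample is required")
    average_per_second = sum(totals.values()) / len(totals)
    return average_per_second * SECONDS_PER_DAY


def required_storage_bytes(retention_days, logs_per_day,
                           avg_log_size=DEFAULT_LOG_SIZE_BYTES,
                           compression_factor=DEFAULT_COMPRESSION_FACTOR):
    """Step 3 formula: duration x average log size x daily rate / compression."""
    if retention_days <= 0 or compression_factor <= 0:
        raise ValueError("retention_days and compression_factor must be positive")
    return retention_days * avg_log_size * logs_per_day / compression_factor


def storage_recommendation(required_bytes):
    """Map the estimate onto the virtual appliance storage options in the guide."""
    if required_bytes <= INTERNAL_LOG_STORAGE_BYTES:
        return "internal storage"
    if required_bytes <= MAX_VIRTUAL_DISK_BYTES:
        return "add a virtual disk"
    return "use an NFS datastore"


def estimate(samples, retention_days):
    """Run the whole procedure and return the intermediate and final figures."""
    logs_per_day = average_daily_log_count(samples)
    needed = required_storage_bytes(retention_days, logs_per_day)
    return {
        "logs_per_day": logs_per_day,
        "bytes": needed,
        "approx_gb": round(needed / 10**9),   # the guide quotes the result in GB
        "recommendation": storage_recommendation(needed),
    }


if __name__ == "__main__":
    result = estimate(SAMPLE_RATES, retention_days=30)
    print(f"average daily logging rate : {result['logs_per_day']:,.0f} logs/day")
    print(f"required log storage       : {result['bytes']:,.0f} bytes "
          f"(approximately {result['approx_gb']}GB)")
    print(f"storage option             : {result['recommendation']}")
```

With the constructed samples the summed rates average 246 logs per second, which reproduces the guide's 21,254,400 logs per day and 127,526,400,000-byte figures for 30 days of retention.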
Set Up the Panorama Virtual Appliance
The Panorama virtual appliance consolidates the Panorama management and logging functions into a single
virtual appliance. This solution enables use of an existing VMware virtual infrastructure to easily deploy and
centrally administer and monitor the Palo Alto Networks firewalls in your network as described in the following
sections:
Setup Prerequisites for the Panorama Virtual Appliance
Install Panorama on the ESX(i) Server
Perform Initial Configuration of the Panorama Virtual Appliance
Expand Log Storage Capacity on the Panorama Virtual Appliance
Complete the Panorama Virtual Appliance Setup
You cannot use the Panorama virtual appliance as a dedicated Log Collector. Only an M-100
appliance in Log Collector mode provides dedicated log collection capabilities (see Set Up the
M-100 Appliance). However, you can use the Panorama virtual appliance to manage a dedicated
Log Collector.
Setup Prerequisites for the Panorama Virtual Appliance
To set up a Panorama virtual appliance efficiently, complete the following tasks before you begin:
Verify that your server meets the minimum system requirements for installing Panorama. These
requirements apply to Panorama 5.1 and later releases.
Prerequisites for the Panorama Virtual Appliance
64-bit kernel-based VMware ESX(i) 5.1 or 5.5
A client computer with one of the following: VMware vSphere Client or VMware Infrastructure Client that is
compatible with your ESX(i) server
Use the following guidelines for allocating CPU and memory:
Less than 10 managed firewalls: 4 cores and 4GB
Between 10 and 50 managed firewalls: 8 cores and 8GB
More than 50 managed firewalls: 8 cores and 16 GB
40GB disk space
Regardless of the total disk space, Panorama allocates approximately 11GB for log storage. Increasing the disk
space doesn't increase the log storage capacity. To Expand Log Storage Capacity on the Panorama Virtual
Appliance, you must add a virtual disk or set up access to a Network File System (NFS) datastore.
VMware concepts and terminology are not covered in this document. This guide assumes
familiarity with the VMware suite of products that are required to create the virtual appliance.
Register the Panorama serial number on the support site at https://support.paloaltonetworks.com (see
Register Panorama). Palo Alto Networks will have sent you the serial number by email. After registering
the serial number on the support site, you gain access to the Panorama software downloads page.
Install Panorama on the ESX(i) Server
Use these instructions to install a new Panorama virtual appliance. If you are upgrading your existing Panorama
virtual appliance, skip to Install Content and Software Updates for Panorama.
Install Panorama on the ESX(i) Server
Step 1  Download and extract the Panorama base image zip file to the server on which you will be installing
   Panorama.
   The virtual appliance installation uses the Open Virtual Machine Format (OVF) template file, which is
   included in the base image.
   1. Go to https://support.paloaltonetworks.com and download the Panorama Base Image zip file.
   2. Unzip the Panorama base image zip file, and extract the panorama-esx.ovf file. This .ovf template file is
      required for installing Panorama.
Step 2  Access the ESX(i) server.
   Launch the VMware vSphere Client and connect to the VMware server.
Step 3  Install Panorama.
   Starting with Panorama 5.1, the Panorama virtual appliance is installed as a 64-bit virtual machine.
   1. Choose File > Deploy OVF Template.
   2. Browse to select the panorama-esx.ovf file from the recently unzipped Panorama base image, and click
      Next.
   3. Confirm that the product name and description match the downloaded version, and click Next.
   4. Enter a descriptive name for the Panorama virtual appliance, and click Next.
   5. Select a Datastore Location on which to install the Panorama image, and click Next.
      Adding additional disk space does not increase the available log storage capacity on Panorama. To
      expand log capacity, you must add a virtual disk or set up access to an NFS datastore. See Expand Log
      Storage Capacity on the Panorama Virtual Appliance.
   6. Select Thick Provision Lazy Zeroed as the disk format, and click Next.
   7. Specify which networks in the inventory must be used for the Panorama virtual appliance.
   8. Confirm the selected options and then click Finish to begin the installation process.
   9. When the installation completes, select the Panorama virtual appliance, and click Edit Settings... to define
      the following settings:
      a. Verify that you have allocated the appropriate amount of memory: at least 4GB.
      b. Select Linux as the Guest Operating System and for the Version select Other Linux (64-bit).
      c. For the SCSI controller, select LSI Logic Parallel.
Step 4  Power on the Panorama virtual appliance.
   Click the Power On button. When the Panorama virtual appliance boots, the installation process is complete.
Continue with Perform Initial Configuration of the Panorama Virtual Appliance.
Perform Initial Configuration of the Panorama Virtual Appliance
Use the Panorama virtual appliance console on the ESX(i) server to set up network access to the Panorama
virtual appliance. To complete initial configuration, you must first configure the management interface, then
access the Panorama web interface to add the serial number for the virtual appliance, and define the time zone
for the Panorama virtual appliance. For unified reporting, consider using GMT or UTC as the uniform time
zone across all the managed devices and Panorama.
Configure the Management Interface of the Panorama Virtual Appliance
Step 1  Gather the required information from your network administrator.
   IP address for MGT port
   Netmask
   Default gateway
   DNS server IP address
Step 2  Access the console of the Panorama virtual appliance.
   1. Select the Console tab on the ESX(i) server for the virtual Panorama. Press enter to access the login
      screen.
   2. Enter the default username/password (admin/admin) to log in.
   3. Enter configure to switch to configuration mode.
Step 3  Configure the network access settings for the management interface.
   The management interface is used for management traffic, HA connectivity synchronization, log collection,
   and communication within Collector Groups.
   Enter the following command:
   set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP>
   dns-setting servers primary <DNS-IP>
   where <Panorama-IP> is the IP address you want to assign to the Panorama management interface,
   <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the
   IP address of the DNS server.
Step 4  Commit your changes and exit the configuration mode.
   1. Enter commit.
   2. Enter exit.
Step 5  Verify network access to external services required for firewall management, such as the Palo Alto
   Networks Update Server.
   To verify that Panorama has external network access, use the ping utility. Verify connectivity to the default
   gateway, DNS server, and the Palo Alto Networks Update Server as shown in the following example:
   admin@Panorama-Corp> ping host updates.paloaltonetworks.com
   PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
   64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=40.5 ms
   64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=53.6 ms
   64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=79.5 ms
   After verifying connectivity, press Ctrl+C to stop the pings.
Configure the Serial Number and Time Zone of the Panorama Virtual Appliance
Step 1  Log in to the Panorama web interface.
   Using a secure connection (https) from a web browser, log in using the IP address and password you
   assigned to the management interface (https://<IP address>).
Step 2  (Optional) Modify the management interface settings.
   1. Select Panorama > Setup > Management and edit the Management Interface Settings.
   2. Select which management services to allow on the interface. For example, to enable SSH access, select
      SSH. As a best practice, make sure Telnet and HTTP are not selected because these services use plaintext
      and are not as secure as the other services.
   3. Click OK. Click Commit and select Panorama as the Type and click OK.
Step 3  Configure the general settings.
   1. Select Panorama > Setup > Management and edit the General Settings.
   2. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT or
      UTC.
      Timestamps are recorded when the logs are received on Panorama and when they were generated on the
      firewalls. Aligning the time zones on both Panorama and the managed firewalls ensures that the
      timestamps are in sync and that querying logs and generating reports on Panorama gives consistent
      results.
   3. Enter a Hostname for the server and enter the network Domain name. The domain name is just a label; it
      will not be used to join the domain.
   4. Enter the Latitude and Longitude to enable accurate placement of the server on the world map.
   5. Enter the Serial Number. This was sent to you with the order fulfillment email.
   6. Click OK.
Step 4  Change the default admin password.
   To ensure that the management interface remains secure, consider enforcing Minimum Password
   Complexity and defining an interval at which administrators must change their passwords.
   1. Click on the admin link in the lower left part of the management console. A dialog to change the
      administrator's password displays.
   2. Enter the Old Password and the New Password in the appropriate fields and store the new password in a
      safe location.
   3. Click OK.
Step 5  Save your configuration changes.
   Click Commit, select Panorama as the Commit Type, then click OK.
Expand Log Storage Capacity on the Panorama Virtual Appliance
By default, the Panorama virtual appliance has a single disk partition for all data in which, regardless of the total
disk size, approximately 11GB is allocated for log storage. Increasing the disk size doesn't increase the log
storage capacity. If you need up to 2TB of disk space, add a virtual disk. If you need more than 2TB, use an NFS
datastore. Before expanding log storage capacity, Determine Panorama Log Storage Requirements.
For additional log storage, you can also forward firewall logs to Dedicated Log Collectors (see
Configure a Managed Collector) or Enable Log Forwarding from Panorama to External
Destinations.
Add a Virtual Disk to the Panorama Virtual Appliance
Mount the Panorama Virtual Appliance to an NFS Datastore
Add a Virtual Disk to the Panorama Virtual Appliance
To expand log storage capacity beyond the approximately 11GB internal storage allocated by default on the
Panorama virtual appliance, you can add another virtual disk of up to 2TB.
If Panorama loses connectivity to the new virtual disk, Panorama might lose logs during the failure
interval.
To allow for redundancy, use the virtual disk in a RAID configuration. RAID10 provides the best
write performance for applications with high logging characteristics.
If necessary, you can Replace the Virtual Disk on a Panorama Virtual Appliance.
Add a Virtual Disk to the Panorama Virtual Appliance
Step 1  Power off the Panorama virtual appliance.
Step 2  On the ESX(i) server, add the virtual disk to the Panorama virtual appliance.
   1. Select the Panorama virtual appliance on the ESX(i) server.
   2. Click Edit Settings.
   3. Click Add to launch the Add Hardware wizard, and select the following options when prompted:
      a. Select Hard Disk for the hardware type.
      b. Select Create a new virtual disk.
      c. Select SCSI as the virtual disk type.
      d. Select the Thick provisioning disk format.
      e. In the location field, select the Store with the virtual machine option. The datastore does not have to
         reside on the ESX(i) server.
      f. Verify that the settings look correct and click Finish to exit the wizard. The new disk is added to the list
         of devices for the virtual appliance.
Step 3  Power on the Panorama virtual appliance.
   When powered on, the virtual disk is initialized for first-time use. The time that the initialization process
   takes to complete varies by the size of the new virtual disk.
   When the virtual disk is initialized and ready, all existing logs on the internal storage are moved over to the
   new virtual disk. All new entries will now be written to the virtual disk.
Step 4  Verify the size of the virtual disk.
   1. Select Panorama > Setup > Management.
   2. In the Logging and Reporting Settings section, verify that the Log Storage capacity accurately displays the
      new disk capacity.
Mount the Panorama Virtual Appliance to an NFS Datastore
Mounting the Panorama virtual appliance to an NFS datastore provides the ability to write logs to a centralized
location and offers the flexibility to expand the log storage capacity beyond 2TB. Before setting up an NFS
datastore in a Panorama high availability configuration, see Logging Considerations in Panorama HA.
Mount the Panorama Virtual Appliance to an NFS Datastore
Step 1  Set up access to the datastore.
   1. Select Panorama > Setup > Operations.
   2. Click the Storage Partition Setup link in the Miscellaneous section.
   3. Select NFS V3.
   4. Enter the IP address of the NFS Server.
   5. Enter the location/path for storing the log files in the Log Directory field. For example, export/panorama.
   6. Select the protocol (TCP or UDP) and enter the Port for accessing the NFS server.
      To use NFS over TCP, the NFS server must support it. Common NFS ports are UDP/TCP 111 for RPC
      and UDP/TCP 2049 for NFS.
   7. For optimal NFS performance, in the Read Size and Write Size fields, specify the maximum size of the
      chunks of data that the client and server pass back and forth to each other. Defining a read/write size
      optimizes the data volume and speed in transferring data between Panorama and the NFS datastore.
   8. Select Test Logging Partition to verify that Panorama is able to access the NFS server IP address and the
      directory location specified above.
   9. (Optional) Select the Copy on Setup option. This setting copies the existing logs stored on Panorama to
      the NFS volume. If you have a lot of existing logs, enabling the Copy on Setup option might initiate the
      transfer of a large volume of data.
   10. Click Commit and select Panorama as the Commit Type to save the changes.
Step 2  Reboot the Panorama virtual appliance.
   Until a reboot is initiated, logs will be written to the local storage disk on the Panorama virtual appliance.
   To begin writing logs to the NFS datastore, reboot the virtual Panorama.
   1. Select Panorama > Setup > Operations.
   2. In the Device Operations section, select Reboot Panorama.
Complete the Panorama Virtual Appliance Setup
Now that initial configuration is complete, continue with the following sections for additional configuration
instructions:
Activate a Panorama Support License
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance
Install Content and Software Updates for Panorama
Access and Navigate Panorama Management Interfaces
Set Up Administrative Access to Panorama
Manage Firewalls
Set Up the M-100 Appliance
The M-100 management appliance is a high performance hardware platform that you can deploy in two modes:
Panorama mode: The appliance performs both the central management and log collection functions. This
is the default mode.
Log Collector mode: The appliance functions as a dedicated Log Collector. If multiple firewalls forward
large volumes of log data, the M-100 appliance in Log Collector mode provides increased scale and
performance. In this mode, the appliance does not have a web interface, only a command-line interface
(CLI). However, you manage the appliance using the Panorama management server (M-100 appliance in
Panorama mode or a Panorama virtual appliance). CLI access to an M-100 appliance in Log Collector mode
is only necessary for initial setup and debugging.
The Panorama M-100 appliance supports separate interfaces for configuration (of firewalls, Log Collectors, and
Panorama itself), log collection, and communication within Collector Groups. By default, the M-100 appliance
uses the MGT (Eth0) interface for all three functions. Only the MGT interface can support the configuration
function. For the log collection and Collector Group communication functions, you can assign the Eth1 or Eth2
interface to perform either or both when you Perform Initial Configuration of the M-100 Appliance. You
cannot assign multiple interfaces to a single function. The M-100 Hardware Reference Guide explains where to
attach cables for the MGT, Eth1, and Eth2 interfaces on the M-100 appliance. To support separate interfaces,
the M-100 appliances (in Panorama or Log Collector mode) must have Panorama 6.1 or later installed and the
firewalls must have PAN-OS 6.0 or later installed.
Use the following workflows for setting up an M-100 appliance:
M-100 Appliance in Panorama Mode
Step 1
Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
Step 2
Perform Initial Configuration of the M-100 Appliance
Step 3
Register Panorama and Install Licenses
Step 4
Install Content and Software Updates for Panorama
Step 5
(Optional) Increase Storage on the M-100 Appliance
Step 6
Set Up Administrative Access to Panorama
Step 7
Manage Firewalls
Step 8
Manage Log Collection
M-100 Appliance in Log Collector Mode
Step 1
Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
Step 2
Perform Initial Configuration of the M-100 Appliance
Step 3
Register Panorama and Install Licenses
Step 4
Install Content and Software Updates for Panorama
Step 5
(Optional) Increase Storage on the M-100 Appliance
Step 6
Switch from Panorama Mode to Log Collector Mode
Step 7
Manage Log Collection
Perform Initial Configuration of the M-100 Appliance
By default, Panorama has an IP address of 192.168.1.1 and a username/password of admin/admin. For security
reasons, you must change these settings before continuing with other configuration tasks. You must perform
these initial configuration tasks either from the MGT interface or using a direct serial port connection to the
console port on the M-100 appliance.
Perform Initial Configuration of the M-100 Appliance
Step 1
Gather the required interface and server
information from your network
administrator.
Gather the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for each
interface (MGT, Eth1, and/or Eth2) that Panorama will use for configuration, log collection, and
Collector Group communication. Only the MGT interface is mandatory.
Gather the IP addresses of the DNS servers.
Panorama uses the Management (MGT) interface for configuration (of firewalls, Log Collectors, and
Panorama itself) and for high availability (HA) synchronization between peers. It is a best practice to
use the Eth1 and/or Eth2 interfaces for log collection and/or Collector Group communication. By default,
the M-100 appliance uses the MGT interface for these functions.
Step 2
Connect your computer to the M-100
appliance.
Connect to the M-100 appliance in one of the following ways:
Attach a serial cable from a computer to the Console port on the
M-100 appliance and connect using a terminal emulation
software (9600-8-N-1).
Attach an RJ-45 Ethernet cable from a computer to the MGT
port on the M-100 appliance. From a browser, go to
https://192.168.1.1. Enabling access to this URL might require
changing the IP address on the computer to an address in the
192.168.1.0 network (for example, 192.168.1.2).
Step 3
When prompted, log in to the appliance. Log in using the default username and password (admin/admin).
The appliance will begin to initialize.
Step 4
Configure the network access settings for each interface that Panorama will use for configuration,
log collection, and Collector Group communication.
1. Select Panorama > Setup > Management.
2. Edit the Interface Settings of each interface that Panorama will use: Management, Eth1, and/or
Eth2. Only the Management interface is mandatory.
a. Complete one of the following field sets, depending on the IP protocol of your network:
IPv4: IP Address, Netmask, and Default Gateway
IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
b. (Optional) Select the check boxes for the management
services to allow on the interface. Ping is the only option for
Eth1 and Eth2. As a best practice, clear the Telnet and HTTP
check boxes for the Management interface: these services
use plaintext and so are less secure than others.
c. Click OK to save your changes.
Step 5
Configure the hostname, time zone, and general settings.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for example GMT
or UTC. PAN-OS records timestamps when the firewalls generate logs and when Panorama receives the
logs. Aligning the time zones ensures that the timestamps are consistent, so that querying logs and
generating reports on Panorama gives coherent results.
3. Enter a Hostname for the server. Panorama uses this as the display name/label for the appliance.
For example, this is the name that appears at the CLI prompt. It also appears in the Collector Name
field if you add the appliance as a Managed Collector on the Panorama > Managed Collectors page.
4. Enter your network Domain name. The domain name is just a label; Panorama does not use it to join
the domain.
5. (Optional) Enter the Latitude and Longitude to enable accurate placement of the server on the world
map. The App Scope > Traffic Maps and App Scope > Threat Maps use these values.
6. Click OK.
Step 6
Configure the DNS and update servers.
1. Select Panorama > Setup > Services and edit the settings.
2. Enter the IP address of the Primary DNS Server and (optionally) of the Secondary DNS Server.
3. The default Update Server is updates.paloaltonetworks.com. If you need to specify a particular
update resource, refer to the PAN-OS Administrators Guide (web resources for content delivery) for a
list of URLs and static addresses.
Select the Verify Update Server Identity check box if you want Panorama to verify that the server
from which it downloads software or content packages has an SSL certificate that a trusted authority
signed. This option adds an additional level of security for communication between the Panorama
management server and update server.
4. Click OK to save your entries.
Step 7
Change the default admin password.
To ensure that the management interface remains secure, enforce Minimum Password Complexity and
specify the interval at which administrators must change their passwords.
1. Click the admin link in the lower left part of the management console.
2. Enter the old administrator password and new password in the appropriate fields, then store the
new password in a safe location.
3. Click OK and Commit, select Panorama as the Commit Type, then click OK.
Step 8
Verify network access to external services required for firewall management, such as the Palo Alto
Networks Update Server.
To verify that Panorama has external network access, use the ping utility. Verify connectivity to the
default gateway, DNS server, and the Palo Alto Networks Update Server as shown in the following
example:
admin@Panorama-Corp> ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (67.192.236.252) 56(84) bytes of data.
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=40.5 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=53.6 ms
64 bytes from 67.192.236.252: icmp_seq=1 ttl=243 time=79.5 ms
After verifying connectivity, press Ctrl+C to stop the pings.
Continue with Register Panorama and Install Licenses and Install Content and Software Updates for Panorama,
regardless of whether you plan on using the M-100 appliance in Panorama mode or in Log Collector mode.
Switch from Panorama Mode to Log Collector Mode
Using an M-100 appliance as a Log Collector offloads the task of processing logs from the Panorama
management server to a dedicated appliance. Perform the steps below to convert an M-100 appliance from
Panorama mode to Log Collector mode. Ensure that the Panorama management server (virtual appliance or
M-100 appliance in Panorama mode) that will manage the firewalls and the Log Collector is already set up.
In Log Collector mode, the M-100 appliance does not support the web interface for configuration
tasks; it supports only SSH access. Therefore, before changing the mode on the M-100
appliance, Perform Initial Configuration of the M-100 Appliance and use the web interface in
Panorama mode to Activate/Retrieve a Device Management License on the M-100 Appliance.
To send logs to an M-100 appliance in Log Collector mode, the Palo Alto Networks firewalls must
run PAN-OS 5.0 or later versions. Palo Alto Networks firewalls running PAN-OS versions earlier
than 5.0 can only send logs to an M-100 appliance in Panorama mode or to a Panorama virtual
appliance.
Switch From Panorama Mode to Log Collector Mode
Step 1
Access the Command Line Interface
(CLI) on the M-100 appliance.
Connect to the M-100 appliance in one of the following ways:
Attach a serial cable from a computer to the Console port on the
M-100 appliance. Then, connect using a terminal emulation
software (9600-8-N-1).
Use a terminal emulation software such as PuTTY to open an
SSH session to the IP address assigned to the M-100 appliance
during initial configuration.
Step 2
When prompted, log in to the appliance. Use the default admin account and the password assigned during
initial configuration.
Step 3
Switch from Panorama mode to Log Collector mode.
1. To switch to Log Collector mode, enter the following command:
request system logger-mode logger
2. Enter Yes to confirm the change to Log Collector mode. The appliance will reboot. If you see a CMS
Login prompt, press Enter without typing a username or password. When the Panorama login prompt
appears, enter the default admin account and the password assigned during initial configuration.
Step 4
Verify that the appliance is in Log Collector mode.
1. Log back in to the CLI on the M-100 appliance.
2. Enter the following command:
show system info | match logger_mode
The response printed on screen reads as
logger_mode: True
If the value displays as False, the M-100 appliance is still in Panorama mode.
Step 5
Specify the IP address of the Panorama
appliance that is managing the Log
Collector.
Enter the following commands in the CLI:
configure
set deviceconfig system panorama-server <ip_address>
commit
Now that you have successfully set up your M-100 appliance, for further instructions on assigning a Log
Collector to a firewall, defining Collector Groups, and managing the Log Collector using Panorama, see Manage
Log Collection.
Increase Storage on the M-100 Appliance
The M-100 appliance ships with two disks in a RAID1 configuration. Each M-100 appliance allows for the
addition of up to three additional disk pairs in RAID1, each with a storage capacity of 1 TB, to reach a maximum
capacity of 4 TB RAID storage.
Before expanding log storage capacity, Determine Panorama Log Storage Requirements.
If you need more log storage than the Panorama virtual appliance supports, you can forward
firewall logs to Dedicated Log Collectors (see Configure a Managed Collector) or Enable Log
Forwarding from Panorama to External Destinations.
If adding disk pairs to an already deployed M-100 appliance, you do not need to take the system
offline to expand the storage capacity. When the additional disk pairs become available, the
M-100 appliance redistributes the logs among the disk pairs. This log redistribution process
happens in the background and does not impact uptime or the availability of the M-100 appliance.
Increase Storage on the M-100 Appliance
Step 1
Install the new disks in the appropriate
drive bays.
Make sure to add the drives sequentially in the next open disk bay
slot for the disk pair. For example, add B1/B2 before C1/C2.
For information on adding the physical drives, refer to the M-100
Hardware Reference Guide.
Step 2
Access the Command Line Interface
(CLI) on the M-100 appliance.
You can connect to the M-100 appliance in one of the following
ways:
Connect a serial cable from your computer to the Console port
and connect to the M-100 appliance using terminal emulation
software (9600-8-N-1).
Use a terminal emulation software such as PuTTY to open an
SSH session to the IP address of the M-100 appliance.
Step 3
When prompted, log in to the appliance. Use the default admin account and the password assigned.
Step 4
Set up each additional disk pair in a RAID configuration.
The time required to mirror the data on the drive may vary from several minutes to a couple hours,
depending on the amount of data on the drive.
This example uses the drives in the disk bays B1 and B2.
1. Enter the following commands and confirm the request when prompted:
request system raid add B1
request system raid add B2
2. To monitor the progress of the RAID configuration, enter the following command:
show system raid detail
When the RAID set up is complete, the following response displays:
Disk Pair A                         Available
   Status                           clean
   Disk id A1                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : active sync
   Disk id A2                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : active sync
Disk Pair B                         Available
   Status                           clean
   Disk id B1                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : active sync
   Disk id B2                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : active sync
Step 5
Make the disk pair available for logging.
To enable the disk pairs for logging, this appliance must have been added as a Managed Collector on
Panorama. If you have not already added it, see Configure a Managed Collector.
1. Access the Panorama management server that is managing this Log Collector (if it is a different
appliance).
2. On the Panorama > Managed Collectors tab, select the Log Collector and follow the instructions in
Step 10 in Configure a Managed Collector.
3. Click Commit, for the Commit Type select Panorama, then click OK.
For further instructions on adding a Log Collector as a Managed Collector on Panorama, defining Collector
Groups, or assigning a Log Collector to a firewall, see Manage Log Collection.
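As an added example (not part of this guide or the product), the following Python check parses the output layout that show system raid detail prints in Step 4 above and reports which disk pairs are not yet fully mirrored, so an administrator can script the wait before enabling a pair for logging. Disk pair A in the sample is the guide's completed output; the in-progress status strings for disk pair B are constructed for illustration.

```python
"""Check M-100 RAID status from `show system raid detail` output.

Added example; not part of the Panorama guide or the product. It parses the
output layout the guide shows for `show system raid detail` and reports
whether each disk pair is in the completed state the guide describes
("Status clean", both disks "Present" and "active sync").
"""
import re

# Constructed sample output. Disk pair A matches the guide's completed
# example; disk pair B is an assumed in-progress mirror (its status strings
# are mdadm-style values chosen for illustration, not taken from the guide).
SAMPLE_RAID_DETAIL = """\
Disk Pair A                         Available
   Status                           clean
   Disk id A1                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : active sync
   Disk id A2                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : active sync
Disk Pair B                         Available
   Status                           clean, degraded, recovering
   Disk id B1                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : active sync
   Disk id B2                       Present
      model                         : ST91000640NS
      size                          : 953869 MB
      status                        : spare rebuilding
"""

PAIR_RE = re.compile(r"^Disk Pair (\w+)\s+(\S.*?)\s*$")
PAIR_STATUS_RE = re.compile(r"^\s+Status\s+(\S.*?)\s*$")
DISK_RE = re.compile(r"^\s+Disk id (\w+)\s+(\S.*?)\s*$")
FIELD_RE = re.compile(r"^\s+(\w+)\s*:\s*(.*?)\s*$")


def parse_raid_detail(text):
    """Return {pair_name: {"availability", "status", "disks": {disk_id: {...}}}}.

    Raises ValueError on a line that does not fit the documented layout, so a
    changed output format fails loudly instead of being silently skipped.
    """
    pairs = {}
    pair = None
    disk = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PAIR_RE.match(line)
        if m:
            pair = {"availability": m.group(2), "status": None, "disks": {}}
            pairs[m.group(1)] = pair
            disk = None
            continue
        m = PAIR_STATUS_RE.match(line)
        if m and pair is not None and disk is None:
            pair["status"] = m.group(1)
            continue
        m = DISK_RE.match(line)
        if m and pair is not None:
            disk = {"presence": m.group(2)}
            pair["disks"][m.group(1)] = disk
            continue
        m = FIELD_RE.match(line)
        if m and disk is not None:
            disk[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unrecognised line in raid detail: {line!r}")
    return pairs


def pair_ready(pair):
    """True when the pair is in the completed state shown in the guide."""
    return (
        pair["availability"] == "Available"
        and pair["status"] == "clean"
        and len(pair["disks"]) == 2
        and all(d.get("presence") == "Present" and d.get("status") == "active sync"
                for d in pair["disks"].values())
    )


def unready_pairs(text):
    """Names of disk pairs that are still mirroring or otherwise not ready."""
    return sorted(name for name, p in parse_raid_detail(text).items()
                  if not pair_ready(p))


def usable_capacity_mb(text):
    """Mirrored capacity of the ready pairs: RAID1 yields one disk's size per pair."""
    total = 0
    for pair in parse_raid_detail(text).values():
        if pair_ready(pair):
            first_disk = next(iter(pair["disks"].values()))
            total += int(first_disk["size"].split()[0])
    return total


if __name__ == "__main__":
    pending = unready_pairs(SAMPLE_RAID_DETAIL)
    print("disk pairs still mirroring:", pending or "none")
    print("usable mirrored capacity (MB):", usable_capacity_mb(SAMPLE_RAID_DETAIL))
```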
Migrate from a Panorama Virtual Appliance to an M-100 Appliance
On a Panorama virtual appliance that has a logging rate of over 10,000 logs per second, migrating to the M-100
appliance will provide improved response time on the web interface and speedier execution of reports. The
M-100 appliance also provides up to 4TB of RAID storage. Use the instructions in the following topics to
migrate the configuration from the Panorama virtual appliance over to an M-100 appliance.
Prerequisites for Migrating to an M-100 Appliance
Plan to Migrate to an M-100 Appliance
Migrate to an M-100 Appliance
Resume Firewall Management after Migrating to an M-100 Appliance
Prerequisites for Migrating to an M-100 Appliance
The following are prerequisites for migrating your current subscription:
Purchase an M-100 appliance.
Obtain a migration upgrade and purchase a new subscription that includes software and hardware support.
Provide your sales representative the serial number of the Panorama virtual appliance you will phase out,
the desired support terms for the M-100 appliance, the auth-code you received when you purchased the
appliance, and the effective date for the migration. On the effective date, Palo Alto Networks will
automatically apply the associated authorization codes to the serial number of your management
appliance, phase out support for the Panorama virtual appliance, and trigger support for the M-100
appliance. Starting at the effective date, you will have a limited time to complete the migration. At the end
of the period, Palo Alto Networks terminates the support entitlement on the Panorama virtual appliance
and you can no longer receive software or threat updates. For details on the license migration process,
refer to the Knowledge Base article Panorama VM License Migration to the M-100 Platform.
Plan to Migrate to an M-100 Appliance
Plan on completing this migration during a maintenance window. Although the firewalls can buffer the
logs and forward them to Panorama when the connection is reestablished, completing the migration
during a maintenance window minimizes loss of log data during the transition time when the Panorama
virtual appliance goes offline and the M-100 appliance comes online.
Consider whether to maintain access to the Panorama virtual appliance after completing the migration.
Because the log format on the Panorama virtual appliance is incompatible with that on the M-100
appliance, existing log data cannot migrate over to the M-100 appliance. Therefore, to access the old logs
the Panorama virtual appliance must remain accessible.
Decide whether to use the same IP address on the M-100 appliance or to assign a new one. Palo Alto
Networks recommends reusing the same management IP address to prevent the need to reconfigure each
managed firewall to point to a new IP address.
If you have log compliance requirements, plan to reconfigure a new IP address on the Panorama
virtual appliance to maintain access to the old logs for generating reports.
Keep a new IP address at hand for use in setting up connectivity to the M-100 appliance during initial
configuration. If you have decided to transfer the IP address that was assigned to the Panorama virtual
appliance, this new IP address will be used temporarily. When you restore the configuration file from the
Panorama virtual appliance on the M-100 appliance, this new IP address will be overwritten.
Migrate to an M-100 Appliance
To migrate the configuration from the Panorama virtual appliance to the M-100 appliance, you must perform
tasks on the Panorama virtual appliance and on the M-100 appliance.
Complete the following tasks on the Panorama virtual appliance:
Migrate to an M-100 Appliance: Tasks Performed on the Panorama Virtual Appliance
Step 1
Upgrade to the latest Panorama version.
See Install Content and Software Updates for Panorama.
Step 2
Export the running configuration on the virtual Panorama.
1. In the Panorama > Setup > Operations tab, Configuration Management section, select Export named
Panorama configuration snapshot.
2. Select the active configuration (running-config.xml) and click OK. The file is downloaded and saved
to the local machine.
3. Rename the file.
Step 3
Power off the VM or change the IP address.
If you plan on reusing the MGT interface IP address that was configured on the Panorama virtual
appliance on the M-100 appliance, you can either power off the virtual appliance or assign a new IP
address to the MGT port on the virtual appliance.
To change the IP address, on the Panorama > Setup tab, edit the Management Interface Settings section
and enter the new IP address.
Complete the following tasks on the Panorama M-100 appliance:
Migrate to an M-100 Appliance: Tasks Performed on the M-100 Appliance
Step 1
Set up network access.
See Perform Initial Configuration of the M-100 Appliance for
instructions.
Consider assigning a new temporary IP address during initial
configuration on the M-100 appliance and reusing the IP address
that was assigned to the Panorama virtual appliance. The temporary
IP address will be overwritten when you import the configuration
later in this process.
Step 2
Install the same Panorama version as that running on the Panorama virtual appliance.
Install the same Panorama version that you selected in Step 1 above. For instructions on performing
the upgrade, see Install Content and Software Updates for Panorama.
Step 3
Register Panorama and retrieve the
license.
See Register Panorama and Install Licenses.
Step 4
Upgrade to the latest Panorama version.
See Install Content and Software Updates for Panorama.
Step 5
Import and load the configuration file.
1. In the Panorama > Setup > Operations tab, Configuration Management section, select Import named
Panorama configuration snapshot.
2. Browse to select the running-config.xml (or the renamed file) and click OK.
3. Select the Load named Panorama configuration snapshot link to load the configuration file you just
imported. Any errors that occur when loading the configuration file are displayed onscreen.
4. If errors occurred, save them to a local file. Review and resolve each error to ensure the migration
included all configuration components.
Step 6
Review and modify the configuration on Panorama.
1. If you do not plan to reuse the same network access settings for the MGT interface, modify the
values:
a. Select Panorama > Setup and edit the Management Interface Settings.
b. Enter the IP Address, Netmask, and Default Gateway.
c. Confirm that the list of IP addresses defined in the Permitted IP Addresses list is accurate.
2. To change the hostname, edit the General Settings section of the Panorama > Setup tab.
3. Confirm that the administrative access settings (administrators, roles, and access domains)
configured on the appliance are accurate on the Panorama > Administrators tab, Panorama > Admin Roles
tab, and Panorama > Access Domains tab.
Step 7
Add the default Log Collector back to the M-100 appliance.
When importing the configuration from the Panorama virtual appliance, the default Log Collector is
removed from the M-100 appliance. To add the Log Collector back on the M-100 appliance, use the
instructions in Configure a Managed Collector.
Step 8
Save all your changes to Panorama.
After reviewing the configuration changes, click Commit. Select Panorama as the Commit Type and
click OK.
Resume Firewall Management after Migrating to an M-100 Appliance
To resume central management, you must restore connectivity to the managed firewalls. Complete this task
during a maintenance window to minimize network disruption.
Resume Firewall Management after Migrating to an M-100 Appliance
Step 1
Log in to Panorama.
Using a secure connection (HTTPS) from a web browser, log in
using the IP address (https://<IP address>), username, and
password assigned during initial configuration.
Step 2
Synchronize the configuration on Panorama with those of the managed firewalls.
1. Select Panorama > Managed Devices, and verify that the Connected status of each device displays a
check mark. The status for the Templates and Device Groups will display an Out of sync icon.
2. To synchronize the device groups:
a. Click Commit and select Device Groups as the Commit Type.
b. Select each device group and click OK.
3. To synchronize the templates:
a. Click Commit and select Panorama as the Commit Type.
b. Click Commit and select Template as the Commit Type.
Step 3
Verify the connection and synchronization status of the managed firewalls.
1. Select Panorama > Managed Devices.
2. Verify the Status of the following for each firewall:
In the Connected column, a check mark indicates the firewall is connected to Panorama.
In the Shared Policy column, the value In sync indicates the firewall configuration is synchronized
with the device group in Panorama.
In the Template column, the value In sync indicates the firewall configuration is synchronized with
the template in Panorama.
Register Panorama and Install Licenses
Before you can begin using Panorama for centralized management, logging, and reporting, you must register,
activate, and retrieve the Panorama licenses. Every instance of Panorama requires valid licenses that entitle you
to manage devices and obtain support. The device management license enforces the maximum number of
devices that Panorama can manage. The support license enables Panorama software updates and dynamic
content updates for the latest Applications and Threats signatures, among other updates that Palo Alto
Networks publishes. To purchase licenses, contact your Palo Alto Networks Systems Engineer or reseller.
Register Panorama
Activate a Panorama Support License
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance
Activate/Retrieve a Device Management License on the M-100 Appliance
If you are running an evaluation license for device management on your Panorama virtual
appliance and want to apply a Panorama license that you purchased, perform the tasks Register
Panorama and Activate/Retrieve a Device Management License on the Panorama Virtual
Appliance.
Register Panorama
Register Panorama
Step 1
Log in to the Panorama web interface.
Using a secure connection (https://<IP address>) from a web
browser, log in using the IP address and password you assigned
during initial configuration.
Step 2
Record the Panorama serial number or authorization code and record your Sales Order Number or
Customer ID.
For the authorization code, Sales Order Number, or Customer ID, see the order fulfillment email that
Palo Alto Networks Customer Service sent when you placed your order for Panorama.
For the serial number, the location depends on the platform:
M-100 appliance: See the Dashboard tab, General Information section, Serial # field.
Panorama virtual appliance: See the order fulfillment email.
Step 3
Go to the Palo Alto Networks Support site.
In a new browser tab or window, go to https://support.paloaltonetworks.com.
Step 4
Register Panorama. The steps depend on whether you already have a login for the Support site.
If this is the first Palo Alto Networks appliance you are registering and you do not yet have a login:
a. Click Register on the right side of the page, enter your Email
Address, enter the code displayed on the page, and click
Submit.
b. Complete the fields in the Create Contact Details section.
c. Enter a Display Name, Confirm Email Address, and
Password/Confirm Password.
d. Enter the Panorama Device Serial Number or Auth Code.
e. Enter your Sales Order Number or Customer ID.
f. Click Submit.
If you already have a support account:
a. Log in to the Support site, click the Assets tab, and click
Register New Device.
b. Enter the Panorama Device Serial Number.
c. Enter your City, Postal Code, and Country.
d. Click Submit.
Activate a Panorama Support License
Before activating a Panorama support license on a Panorama M-100 appliance or Panorama virtual appliance,
you must Register Panorama.
Activate a Panorama Support License
1. Select Panorama > Support and click Activate feature using authorization code.
2. Enter the Authorization Code and click OK.
3. Verify that the subscription is activated.
Activate/Retrieve a Device Management License on the Panorama Virtual
Appliance
Before activating and retrieving a device management license on the Panorama virtual appliance, you must
Register Panorama. If you are running an evaluation license and want to apply a license that you purchased, you
must still register and activate/retrieve the purchased license.
Activate/Retrieve a Device Management License on the Panorama Virtual Appliance
1. Select Panorama > Setup > Management and edit the General Settings.
2. Enter the Panorama Serial Number (included in the order fulfillment email) and click OK.
3. Click Commit, select Panorama as the Commit Type, then click OK.
To determine how many firewalls a license enables the Panorama virtual appliance to manage, log in to the
Palo Alto Support website (https://support.paloaltonetworks.com), select the Assets tab, find the Panorama
device, and view the Model Name. For example, a license for the PAN-PRA-25 model can manage 25 devices.
This page also displays the Expiration Date and other license information.
Activate/Retrieve a Device Management License on the M-100 Appliance
Before activating and retrieving a Panorama device management license on the M-100 appliance:
Register Panorama.
Locate the authorization codes for the product/subscription you purchased. When you placed your order,
Palo Alto Networks Customer Service sent you an email that listed the auth-code associated with the
purchase. If you cannot locate this email, contact Customer Support to obtain your codes before
proceeding.
After you activate and retrieve the license, the Panorama > Licenses page displays the associated issuance date,
expiration date, and the number of devices that the license enables Panorama to manage.
To activate and retrieve the license, the options are:
Activate/Retrieve a Device Management License on the M-100 Appliance
Use the web interface to activate and retrieve the license.
Select this option if Panorama is ready to connect to the Palo Alto Networks update server (you
completed the task Perform Initial Configuration of the M-100 Appliance) but you have not activated
the license on the Palo Alto Networks Support website.
1. Select Panorama > Licenses and click Activate feature using authorization code.
2. Enter the Authorization Code and click OK. Panorama retrieves and activates the license.
Retrieve the license key from the license server.
If Panorama is not ready to connect to the update server (for example, you have not completed the
initial M-100 appliance setup), you can activate the license on the Support website so that, when
Panorama is ready to connect, you can then use the web interface to retrieve the activated license.
The process of retrieving an activated license is faster than the process of both retrieving and
activating.
1. Activate the license on the Palo Alto Networks Support website.
a. On a host with Internet access, access the Palo Alto Support website
(https://support.paloaltonetworks.com) in a browser and log in.
b. In the Assets tab, find your M-100 appliance and, in the Action column, click the edit icon.
c. Enter the Authorization Code and click Add to activate the license.
2. Configure Panorama to connect to the update server: see Perform Initial Configuration of the M-100
Appliance.
3. Select Panorama > Licenses and click Retrieve license keys from the license server. Panorama
retrieves the activated license.
Manually upload the license from a host to Panorama. Panorama must have access to that host.
If Panorama is set up (you completed the task Perform Initial Configuration of the M-100 Appliance)
but does not have a connection to the update server, activate the license on the Support website,
download it to a host that has a connection to the update server, then upload it to Panorama.
1. Activate and download the license from the Palo Alto Networks Support website.
a. On a host with Internet access, access the Palo Alto Support website
(https://support.paloaltonetworks.com) in a browser and log in.
b. In the Assets tab, find your M-100 appliance and, in the Action column, click the edit icon.
c. Enter the Authorization Code and click Add to activate the license.
d. In the Action column, click the download icon and save the license key file to the host.
2. In the Panorama web interface, select Panorama > Licenses, click Manually upload license key and
click Browse.
3. Select the key file you downloaded to the host and click Open.
4. Click OK to upload the activated license key.
Install Content and Software Updates for Panorama
A valid support subscription enables access to the Panorama software image and Release Notes. To take
advantage of the latest fixes and security enhancements, it is a good idea to upgrade to the latest software update
or to the update version that your reseller or a Palo Alto Networks Systems Engineer recommends.
Depending on which content subscriptions the managed firewalls have, Panorama and the Log Collectors might
also require content updates. The procedure to install software and content updates depends on whether
Panorama has a direct connection to the Internet.
Content Update Dependencies for Panorama and Log Collectors
Install Updates for Panorama with Internet Connection
Install Updates for Panorama without Internet Connection
Content Update Dependencies for Panorama and Log Collectors
If managing firewalls with additional subscriptions, such as Threat Prevention or WildFire, Panorama also
requires content updates for the Applications and Threats database. Your support subscription allows you to
obtain these updates. Firewalls reference the Applications and Threats database in policy configurations and use
the databases when generating reports. Firewalls use the databases to match the identifiers recorded in the logs
with the corresponding threat, URL, or application names. Therefore, to prevent a mismatch, Palo Alto
Networks recommends that you install the same Applications and Threats database version on Panorama and
on the managed firewalls.
Dedicated Log Collectors (M-100 appliances in Log Collector mode) also require content updates. When you
generate a report from Panorama or the managed firewalls, the Applications and Threats database is used to
retrieve metadata for processing the request. If you do not install the content databases on the dedicated Log
Collectors, the complete dataset required for the report might not be available and can result in an incomplete
or inaccurate display of information.
Install Updates for Panorama with Internet Connection
If Panorama has a direct connection to the Internet, perform the following steps to Install Content and Software Updates for Panorama.
Before upgrading a Panorama virtual appliance, ensure the ESX(i) host meets the minimum
resource requirements listed under Setup Prerequisites for the Panorama Virtual Appliance.
If both Panorama and the firewalls it manages require upgrades, upgrade Panorama before
upgrading the firewalls.
Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0
through 6.0.3.
Install Updates for Panorama with Internet Connection
Step 1
Check for, download, and install the latest content updates.
You must install the content updates before the software updates. Also, you must install the Applications and Threats updates before the Antivirus and WildFire updates.
1. Select Panorama > Dynamic Updates.
2. Click Check Now to check for the latest updates. If the value in the Action column is Download, an update is available.
3. Perform the following steps for each content type (Applications, Applications and Threats, Antivirus, and/or WildFire) for which you have a subscription:
   a. Click Download to obtain the desired version.
   b. Click the Install link in the Action column. When the installation completes, the Currently Installed column displays a check mark.
Step 2
Check for, download, and install the latest software update.
1. Select Panorama > Software.
2. Click Check Now to check for the latest update. If an update is available, the Action column displays a Download link.
3. Review the Version column to determine the version to which you want to upgrade.
4. In the Action column of the desired version, click Download. When the download completes, the value in the Action column changes to Install.
5. Click Install.
6. Reboot Panorama:
   If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username/password you set during initial configuration.
   Otherwise, select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.
Step 3
(Only required for a Panorama virtual appliance upgrading to Panorama 5.1 and later) Modify the settings on the Panorama virtual appliance.
Important: Before powering on a Panorama virtual appliance that runs Panorama 5.1 or later, ensure that the ESX(i) host supports, and meets the minimum system requirements for, a 64-bit operating system (OS). See Setup Prerequisites for the Panorama Virtual Appliance for more information.
After Panorama reboots, complete the following tasks:
1. Power off the virtual appliance.
2. Right click and select Edit Settings... to modify these parameters:
   a. On the Options tab, change the Guest Operating System from Other Linux (32-bit) to Other Linux (64-bit).
   b. On the Hardware tab, change the SCSI Controller from BusLogic Parallel to LSI Logic Parallel.
   c. On the Hardware tab, allocate Memory according to the number of managed firewalls:
      Less than 10 managed firewalls: 4 GB
      Between 10 and 50 managed firewalls: 8 GB
      More than 50 managed firewalls: 16 GB
3. Power on the virtual appliance.
Install Updates for Panorama without Internet Connection
If Panorama does not have a direct connection to the Internet, perform the following steps to Install Content and Software Updates for Panorama.
Before upgrading a Panorama virtual appliance, ensure the ESX(i) host meets the minimum
resource requirements listed under Setup Prerequisites for the Panorama Virtual Appliance.
If both Panorama and the firewalls it manages require upgrades, upgrade Panorama before
upgrading the firewalls.
Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0
through 6.0.3.
Install Updates for Panorama without Internet Connection
Step 1
Download the content and software updates to a host that has Internet access. Panorama must have access to the host.
1. On a host with Internet access, access the Palo Alto Support website (https://support.paloaltonetworks.com) in a browser and log in.
2. In the Resources section, click Dynamic Updates.
3. In the section containing the desired content update, click Download and save the file to the host. Perform this step for each content type for which you have a subscription: Applications, Applications and Threats, Antivirus, and/or WildFire.
4. Return to the main page of the Palo Alto Support website and, in the Resources section, click Software Updates.
5. Review the Download column to determine the version to install. The filename format of the update package depends on the platform:
   Panorama virtual appliance: Panorama-ESX-<release>.zip (for example, Panorama-ESX-6.1.0.zip)
   Panorama M-100 appliance: Panorama-m-<release> (for example, Panorama-m-6.1.0)
6. Click the filename and save the file to the host.
Step 2
Upload the content updates to Panorama.
1. Log in to Panorama and select Panorama > Dynamic Updates.
2. Perform the following steps for each content type for which you have a subscription:
   a. Click Upload and select the Type of content update: Applications, Applications and Threats, Antivirus, or WildFire.
   b. Enter the path to the content update File on the host or click Browse to find it, then click OK.
   c. When the Status is Completed, click Close.
Step 3
Install the content updates. Perform these steps for each content type for which you have a subscription.
You must install the content updates before the software updates. Also, you must install the Applications and Threats updates before the Antivirus and WildFire updates.
1. In the Panorama > Dynamic Updates page, click Install From File.
2. Select the Package Type: Applications, Applications and Threats, Antivirus, or WildFire.
3. Click OK and, when the Result is Succeeded, click Close.
Step 4
Upload the software update.
1. In the Panorama > Software page, click Upload.
2. Enter the path to the software update File on the host or click Browse to find it, then click OK.
3. When the Result is Succeeded, click Close.
Step 5
Install the software update.
1. In the Panorama > Software page, click Install From File.
2. Select the Software File you just uploaded, then click OK.
3. Reboot Panorama:
   If prompted to reboot, click Yes. If you see a CMS Login prompt, press Enter without typing a username or password. When the Panorama login prompt appears, enter the username/password you set during initial configuration.
   Otherwise, select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.
Step 6
(Only required for a Panorama virtual appliance upgrading to Panorama version 5.1 and later) Modify the settings on the Panorama virtual appliance.
Important: Before powering on a Panorama virtual appliance that runs version 5.1 or later, ensure that the ESX(i) host supports, and meets the minimum system requirements for, a 64-bit operating system (OS). See Setup Prerequisites for the Panorama Virtual Appliance for more information.
After Panorama reboots, complete the following tasks:
1. Power off the virtual appliance.
2. Right click and select Edit Settings... to modify these parameters:
   a. On the Options tab, change the Guest Operating System from Other Linux (32-bit) to Other Linux (64-bit).
   b. On the Hardware tab, change the SCSI Controller from BusLogic Parallel to LSI Logic Parallel.
   c. On the Hardware tab, allocate Memory according to the number of managed firewalls:
      Less than 10 managed firewalls: 4 GB
      Between 10 and 50 managed firewalls: 8 GB
      More than 50 managed firewalls: 16 GB
3. Power on the virtual appliance.
Access and Navigate Panorama Management Interfaces
Panorama provides three management interfaces:
Web Interface: The Panorama web interface is purposefully designed with a similar look and feel to the firewall web interface. If you are already familiar with the latter, you can navigate, complete administrative tasks, and generate reports from the Panorama web interface with relative ease. This graphical interface allows you to access Panorama using HTTPS and it is the best way to perform administrative tasks. See Log in to the Panorama Web Interface and Navigate the Panorama Web Interface. If you need to enable HTTP access to Panorama, edit the Management Interface Settings on the Panorama > Setup > Management tab.
Command Line Interface: The Command Line Interface is a no-frills interface that allows you to type through the commands in rapid succession to complete a series of tasks. The CLI supports two command modes, operational and configuration, and each mode has its own hierarchy of commands and statements. When you get familiar with the nesting structure and the syntax for the commands, the CLI allows quick response times and offers administrative efficiency. See Log in to the Panorama CLI.
XML API: The XML-based API is provided as a web service that is implemented using HTTP/HTTPS requests and responses. It allows you to streamline your operations and integrate with existing, internally developed applications and repositories. For information on how to use the Panorama API interface, refer to the PAN-OS and Panorama XML API Usage Guide.
Log in to the Panorama Web Interface
Step 1
Log in to the Panorama web interface.
Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).
Step 2
(Optional) Enable HTTP and SSH access.
1. Select Panorama > Setup > Management and edit the Management Interface Settings.
2. Select which management services to allow on the interface. For example, select HTTP and SSH.
3. Click OK.
Navigate the Panorama Web Interface
Use the Panorama web interface to configure Panorama, manage and monitor the managed firewalls and Log
Collectors, and to access the web interface of each managed firewall using the Device Context. Refer to the
online help on Panorama for details on the options in each tab in the web interface.
The Panorama web interface includes the following tabs:
Tab / Description
Dashboard
    View general information about the Panorama model and network access settings. This tab includes widgets that display information about applications, logs, system resources, and system settings.
ACC
    View the overall risk and threat level on the network, based on information that Panorama gathered from the managed firewalls.
Monitor
    View and manage logs and reports.
Panorama
    Configure Panorama, manage licenses, set up high availability, access software updates and security alerts, manage administrative access, and manage the deployed firewalls and Log Collectors.
Device Groups > Policies
    Create centralized policies and apply the configuration to multiple firewalls/device groups.
    You must Add a Device Group for this tab to display.
Device Groups > Objects
    Define policy objects that can be referenced in policy and shared across all managed firewalls/device groups.
    You must Add a Device Group for this tab to display.
Templates > Network
    Configure network settings, such as network profiles, that can be applied to the managed firewalls.
    You must Add a Template for this tab to display.
Templates > Device
    Configure device settings, such as server profiles and admin roles, that can be applied to the managed firewalls.
    You must Add a Template for this tab to display.
Log in to the Panorama CLI
You can log in to the Panorama CLI using a serial port connection or access remotely using an SSH client.
Use SSH to log in to the Panorama CLI.
The same instructions apply for an M-100 appliance in Log Collector mode.
1. Make sure that you have the following:
   A computer with network access to Panorama
   Panorama IP address
   SSH is enabled on the Management interface. To enable SSH access, see (Optional) Enable HTTP and SSH access.
2. To access the CLI using SSH:
   a. Enter the Panorama IP address in the SSH client and use port 22.
   b. Enter your administrative access credentials when prompted. After successfully logging in, the CLI prompt displays in operational mode. For example:
      admin@ABC_Sydney>
   To enable key-based authentication, see Enable SSH Key-Based Authentication for the CLI.
Change to configuration mode.
To go into configuration mode, enter the following command at the prompt:
admin@ABC_Sydney> configure
The prompt changes to admin@ABC_Sydney#
Use a serial port connection to log in to the Panorama CLI.
1. Make sure that you have the following:
   A null-modem serial cable that connects Panorama to a computer with a DB-9 serial port
   A terminal emulation program running on the computer
2. Use the following settings in the terminal emulation software to connect: 9600 baud; 8 data bits; 1 stop bit; No parity; No hardware flow control.
3. Enter your administrative access credentials when prompted.
Set Up Administrative Access to Panorama
By default, Panorama includes a default administrative account (admin), with full read-write access to all the
functionality on Panorama. As a best practice, create a separate administrative account for each person who
needs access to the administrative or reporting functions of Panorama. This prevents unauthorized
configuration (or modification) and enables logging of the actions of each individual administrator.
Panorama allows you to define and restrict access as broadly or granularly as required, depending on the security
requirements within your organization. For example, you may decide that a datacenter administrator can have
access to all the device and networking configuration, while a security administrator can have control over
security policy definition, the log viewer and reporting, and other key individuals can have limited CLI or XML
API access.
You cannot add an administrative account to an M-100 appliance in Log Collector mode. Only the
default administrative user account with the default username admin is available.
The following topics describe how to configure administrative accounts and set up basic administrative access.
For information on the different options available to authenticate administrative users, see Administrative
Authentication.
Create an Administrative Account
Define an Access Domain
Create an Authentication Profile
Define an Authentication Sequence
Configure Administrative Authentication
Create an Administrative Account
An administrative user must have an account and be assigned to a role. The role defines the type of access the
associated administrator has to Panorama; you can assign the administrative user to a built-in Dynamic Role or
to a custom role (Admin Role Profile) that you define. If you plan to use Admin Role Profiles rather than
Dynamic Roles, create the profiles that define what type of access, if any, to give to the different sections of the
web interface, the CLI, and XML API for each administrator assigned to the role. For more information on
roles, see Administrative Roles.
For each administrative user you can also define the minimum password complexity, a password profile, and use an authentication profile to use an external authentication service to validate the administrator's credentials.
If you are defining role-based administrative access on Panorama, read-only access to the Device Groups and
Templates nodes must be provided in order for the administrators to commit their changes to Panorama. If you
are upgrading from an earlier version of Panorama, the upgrade process provides read-only access to the Device
Groups and Templates nodes.
The following example explains how to create a local administrator account with local authentication:
Create an Administrative Account: Local Account/Authentication
Step 1
Create an Admin Role profile.
This step is only required if using custom roles instead of using the built-in Dynamic Roles available on Panorama.
Complete the following steps for each role you want to create:
1. Select Panorama > Admin Roles and then click Add.
2. Select Panorama or Device Group and Template to define the scope of administrative privileges to assign. The access privileges defined for Panorama are enforced when the administrator logs in to Panorama; the Device Group and Template role enforces read-only access to the Managed Devices, Templates, and Device Groups nodes on the Panorama tab. Access to all other tabs can be modified as required.
   Read-only access to the Device Groups and/or Templates node(s) must be provided for a role-based administrator to commit device groups and/or template changes to the managed firewalls.
3. For the Web UI and/or XML API tabs, set the access levels for each functional area of the interface by clicking the adjacent icon to toggle it to the desired setting (Enable, Read Only, or Disable):
   For Panorama access, define access to the Web UI, XML API, and Command Line. The Command Line tab does not allow granular access. You must select a predefined option: superuser, superreader, Panorama-admin or None.
   For access to firewalls (Device Group and Template), only one tab is available: Web UI. From Panorama, you cannot enable access to the CLI or XML API on a firewall because no predefined roles restrict access. Therefore, to prevent privilege-level escalation, the ability to manage access to the CLI and XML API is not available from Panorama.
4. Enter a Name for the profile and then click OK to save it.
Step 2
(Optional) Set requirements for local user-defined passwords.
Create Password Profiles: Define how often administrators must change their passwords. Create multiple password profiles and apply them to administrator accounts as required to enforce security. To create a password profile, select Panorama > Password Profiles and then click Add.
Configure minimum password complexity settings: Define rules that govern password complexity, which forces administrators to create passwords that are harder to guess, crack, or compromise. Unlike password profiles, which can be applied to individual accounts, these rules are firewall-wide and apply to all passwords. To configure the settings, select Panorama > Setup and edit the Minimum Password Complexity.
Step 3
Create an account for each administrator.
1. Select Panorama > Administrators and then click Add.
2. Enter a user Name and Password for the administrator.
3. Select the Role to assign to this administrator. Select a predefined Dynamic role or a custom role-based profile as defined in Step 1.
4. (Optional) Select the Authentication Profile to use for validating an administrative user's credentials to an external authentication server. See Create an Authentication Profile.
5. (Optional) Select a Password Profile. See Step 2.
6. Click OK to save the account.
Step 4
Save the configuration changes.
Click Commit, and select Panorama in the Commit Type option.
Define an Access Domain
An access domain provides a way to limit administrative access to specified device groups (to manage policies and
objects) and templates (to manage network and device settings), and the ability to switch context to the web
interface on the managed firewalls. Access domain settings are only relevant if:
A custom Admin Role profile with a Device Group and Template role is defined.
A RADIUS server is used for administrator authentication. The access domain is linked to RADIUS vendor-specific attributes (VSAs). On the RADIUS server, a VSA attribute number and value is defined for each administrative user. The value defined must match the access domain configured on Panorama. When an administrator attempts to log in to Panorama, Panorama queries the RADIUS server for the administrator's access domain and attribute number. Based on the response from the RADIUS server, the administrator is authorized for access and is restricted to the firewalls/virtual systems, device groups and templates specified in the access domain. For details on the supported RADIUS VSAs, see Use RADIUS Vendor-Specific Attributes for Account Authentication.
Define an Access Domain
Step 1
Create an access domain.
1. Select Panorama > Access Domain and then click Add.
2. Enter a Name to identify the domain.
Step 2
Specify the device groups, templates and firewall contexts that the user can administer.
In the Device Groups, Templates, and Device Context tabs, click Add and pick from the filtered list or drop-down that displays.
Step 3
Save the configuration changes.
Click Commit, and select Panorama in the Commit Type option.
Create an Authentication Profile
An authentication profile specifies the authentication service that validates the administrator's credentials and defines how to access that authentication service. Panorama can be configured to access the local database, a RADIUS server, a Kerberos server, or an LDAP server.
If you are using an external authentication server, create a server profile (Panorama > Server Profiles) before
creating an authentication profile. Panorama requires the server profile to access the authentication service.
Create an Authentication Profile
Step 1
Create an authentication profile.
1. Select Panorama > Authentication Profile and then click Add.
2. Enter a Name to identify the authentication profile.
Step 2
Define the conditions for locking out the administrative user.
1. Enter the Lockout Time. This is the number of minutes that a user is locked out upon reaching the maximum number of failed attempts (0-60 minutes; default 0). 0 means that the lockout is in effect until it is manually unlocked.
2. Enter the Failed Attempts count. This is the number of failed login attempts that are allowed before the account is locked out (1-10; default 0). By default, the failed attempt count is 0 and the user is not locked out despite repeated failure to authenticate.
Step 3
Specify the users and groups that are explicitly allowed to authenticate.
By adding an allow list to an authentication profile, you can limit access to specific users in a user group/directory.
For the Allow List, pick one of the following:
   Select the All check box to allow all users.
   Click Add and enter the first few characters of a name in the field to list all the users and user groups that start with those characters. Repeat to add as many users/user groups as required.
Step 4
Select the authentication service and attach the server profile.
1. In the Authentication drop-down, select the type of authentication you will use.
2. Select the appropriate server profile in the Server Profile drop-down.
Step 5
Commit your changes.
Click Commit, and select Panorama in the Commit Type option.
Define an Authentication Sequence
An authentication sequence is an ordered list of authentication profiles that allows the use of more than one authentication service. Authentication sequences provide flexibility in environments where multiple databases exist for different users and user groups. When defining an authentication sequence, Panorama attempts to authenticate the administrator using each of the configured server profiles in sequence. For example, an authentication sequence can instruct Panorama to check LDAP first, RADIUS next, and the local database last, until a successful authentication occurs; if it fails, the administrator is denied access.
Define an Authentication Sequence
Step 1
Create an authentication sequence.
1. Select Panorama > Authentication Sequence and then click Add.
2. Enter a Name to identify the authentication sequence.
3. Click Add to select the chronological sequence of authentication profiles against which the administrator's credentials must be checked.
Step 2
(Optional) Define the conditions for locking out the administrative user.
1. Enter the Lockout Time. This is the number of minutes that a user is locked out upon reaching the maximum number of failed attempts (0-60 minutes; default 0). 0 means that the lockout is in effect until it is manually unlocked.
2. Enter the Failed Attempts count. This is the number of failed login attempts that are allowed before the account is locked out (1-10; default 0). By default, the failed attempt count is 0 and the user is not locked out despite repeated failure to authenticate.
Step 3
Save the configuration changes.
Click Commit, and select Panorama in the Commit Type option.
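The semantics of the Lockout Time and Failed Attempts settings, and the first-success ordering of an authentication sequence, are easy to get wrong when reasoning about them, so the following Python is an added example (not Panorama's own code) that models exactly the behaviour the guide describes: a Failed Attempts value of 0 never locks, a Lockout Time of 0 locks until an administrator manually unlocks, and profiles are tried in order until one accepts. It assumes constructed in-memory user stores named corp-ldap, corp-radius and local-db in place of real servers, and takes the clock as a parameter (now) so the timed lockout can be exercised without waiting.

```python
"""Lockout and authentication-sequence model.

Added example, not Panorama's own code: it models the Lockout Time and
Failed Attempts settings and the ordered fallback of an authentication
sequence, using constructed in-memory user maps instead of LDAP, RADIUS
and local-database backends.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# One authentication profile = a name plus a check against a single backend.
Checker = Callable[[str, str], bool]


@dataclass
class LockoutPolicy:
    failed_attempts: int = 0  # 1-10 in the UI; 0 (the default) never locks an account
    lockout_time: int = 0     # minutes, 0-60; 0 keeps the lock until it is manually cleared


@dataclass
class AuthenticationSequence:
    profiles: List[Tuple[str, Checker]]  # tried first to last, stops at the first success
    policy: LockoutPolicy
    failures: Dict[str, int] = field(default_factory=dict)
    # locked_until[user] is a timestamp, or None for "until manually unlocked"
    locked_until: Dict[str, Optional[float]] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None:  # Lockout Time 0: only unlock() clears this
            return True
        if now >= until:   # timed lockout expired: clear it and the failure count
            self.unlock(user)
            return False
        return True

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def authenticate(self, user: str, password: str, now: float = 0.0) -> Optional[str]:
        """Return the name of the profile that accepted the credentials,
        the string "locked" if the account is locked out, or None if every
        profile in the sequence rejected the credentials."""
        if self.is_locked(user, now):
            return "locked"
        for name, check in self.profiles:
            if check(user, password):
                self.failures.pop(user, None)  # a success resets the counter
                return name
        self.failures[user] = self.failures.get(user, 0) + 1
        limit = self.policy.failed_attempts
        if limit and self.failures[user] >= limit:
            minutes = self.policy.lockout_time
            self.locked_until[user] = now + minutes * 60 if minutes else None
        return None


def dict_backend(users: Dict[str, str]) -> Checker:
    """Constructed stand-in for a directory: a plain user -> password map."""
    return lambda user, password: users.get(user) == password


def build_sample_sequence(policy: LockoutPolicy) -> AuthenticationSequence:
    """LDAP first, RADIUS next, local database last, as in the guide's example.
    All three user stores hold constructed sample data."""
    return AuthenticationSequence(
        profiles=[
            ("corp-ldap", dict_backend({"alice": "ldap-pw"})),
            ("corp-radius", dict_backend({"bob": "radius-pw"})),
            ("local-db", dict_backend({"carol": "local-pw"})),
        ],
        policy=policy,
    )


if __name__ == "__main__":
    seq = build_sample_sequence(LockoutPolicy(failed_attempts=3, lockout_time=10))
    print(seq.authenticate("bob", "radius-pw"))           # corp-radius
    for _ in range(3):
        seq.authenticate("alice", "wrong")                 # third failure locks alice
    print(seq.authenticate("alice", "ldap-pw", now=0))     # locked
    print(seq.authenticate("alice", "ldap-pw", now=600))   # corp-ldap (lockout expired)
```

Note that a success against any profile clears the failure counter, so a counter only accumulates across consecutive rejections by every profile in the sequence; that matches the guide's statement that the account is denied only when the whole sequence fails.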
Configure Administrative Authentication
Administrators can authenticate locally to Panorama using passwords or certificates, or they can authenticate to
an external authentication server.
There are three options for setting up administrative authentication on Panorama:
Create a local user account and authenticate locally. Authentication can be password-based, certificate-based,
or key-based. See Create an Administrative Account, Enable Certificate-Based Authentication for the Web
Interface, and Enable SSH Key-Based Authentication for the CLI.
Create a local user account but authenticate to an external RADIUS/LDAP/Kerberos server using
authentication profiles:
Create a server profile using the Panorama > Server Profile pages. Each external service with which
Panorama must interact requires a server profile. The server details required to establish the connection
with Panorama depend on the authentication service you plan to use.
Create an authentication profile. See Create an Authentication Profile.
(Role-based access only) Define an Admin Role Profile that specifies whether the user has access to
Panorama or Device Groups and Templates; see Create an Admin Role profile. For dynamic roles, an
Admin Role Profile is not required.
Use RADIUS Vendor Specific Attributes (VSAs) for managing administrative access to Panorama. Use this
option if you do not want to create a local account on Panorama for an administrative user, and would like
to use your current infrastructure to manage authentication and password management on a RADIUS
server. For a high-level overview of the process, see Use RADIUS Vendor-Specific Attributes for Account
Authentication.
Enable Certificate-Based Authentication for the Web Interface
As a more secure alternative to using a password to authenticate a user, enable certificate-based authentication
for securing access to Panorama. With certificate-based authentication, a digital signature is exchanged and
verified, in lieu of a password.
To enable certificate-based authentication, you must configure Panorama to use a client
certificate profile (as described in the following procedure). When you enable a client certificate
profile, each administrator must use a client certificate for access to Panorama.
Use the following instructions to enable certificate-based authentication. This example uses a CA certificate
generated on Panorama.
Enable Certificate-Based Authentication for the Web Interface
Step 1
Generate a CA certificate on Panorama.
To use a certificate from a trusted third-party or enterprise CA, you must import that CA certificate into Panorama.
To generate a CA certificate on Panorama:
1. Log in to the Panorama web interface.
2. Select Panorama > Certificate Management > Certificates and click Generate.
3. Enter a Certificate Name. Add the IP address or FQDN of Panorama for listing in the Common Name field of the certificate. Optionally, you can change the cryptographic settings, and define certificate options such as country, organization, or state.
4. Make sure to leave the Signed By option blank and select the Certificate Authority option.
5. Click Generate to create the certificate using the details you specified above.
Step 2
Create and export the client certificate that will be used to authenticate an administrator.
1. Use the CA certificate to generate a client certificate for the specified administrative user.
a. Select Panorama > Certificate Management > Certificates and click Generate.
b. In the Common Name field, enter the name of the administrator for whom you are generating the certificate. The name syntax must match the format used by the local or external authentication mechanism.
c. In the Signed by field, select the same CA certificate that you created in Step 1.
d. Click Generate to create the certificate.
2. Export the client certificate you just generated.
a. Select the certificate that you just generated and click Export.
b. To encrypt the private key, select PKCS12 as the File Format.
c. Enter a passphrase to encrypt the private key and confirm the entry.
d. Click OK to export the certificate.
Step 3
Create or modify an administrator account to enable client certificate authentication on the account.
1. Select Panorama > Administrators and then click Add.
2. Enter a login name for the administrator; the name is case-sensitive.
3. Select Use only client certificate authentication (Web) to enable the use of the certificate for authentication.
4. Select the Role to assign to this administrator. You can either select one of the predefined dynamic roles or select a custom role and attach an authentication profile that specifies the access privileges for this administrator.
5. (Optional) For custom roles, select the device groups, templates and the firewall context that the administrative user can modify.
6. Click OK to save the account settings.
Step 4
Create the Client Certificate Profile that will be used for securing access to the web interface.
1. Select Panorama > Certificate Management > Certificate Profile and click Add.
2. Enter a name for the certificate profile and in the Username Field select Subject.
3. Select Add in the CA Certificates section and from the CA Certificate drop-down, select the CA certificate you just created.
Step 5
Configure Panorama to use the client certificate profile for authentication.
1. On the Panorama > Setup tab, edit the Authentication Settings.
2. In the Certificate Profile field, select the client certificate profile you just created.
3. Click OK to save your changes.
Step 6
Save the configuration changes.
Click Commit and select Panorama as the Commit Type. You will be logged out of the device.
Step 7
Import the administrator's client certificate into the web browser on the client system that the administrator will use to access the Panorama web interface.
For example, in Firefox:
1. Select Tools > Options > Advanced.
2. Click View Certificates.
3. Select the Your Certificates tab and click Import. Browse to the location where you saved the client certificate.
4. When prompted, enter the passphrase to decrypt the private key.
Step 8
Verify that certificate-based authentication is configured.
1. From a client system that has the client certificate loaded, access the Panorama IP address or hostname.
2. When prompted, select the client certificate you imported in Step 7. A certificate warning will display.
3. Add the certificate to the exception list and log in to the Panorama web interface.
Enable SSH Key-Based Authentication for the CLI
To enable SSH key-based authentication, complete the following workflow for every administrative user:
Enable SSH Key-Based Authentication for the CLI
Step 1
Use an SSH key generation tool to create an asymmetric keypair on the client machine.
The supported key formats are IETF SECSH and OpenSSH; the supported algorithms are DSA (1024 bits) and RSA (768-4096 bits).
For the commands required to generate the keypair, refer to the product documentation for your SSH client.
The public key and private key are two separate files; save both to a location that can be accessed by Panorama. For added security, enter a passphrase to encrypt the private key. The administrator will be prompted for this passphrase when logging in to Panorama.
Step 2
Create an account for the administrator and enable SSH key-based authentication.
1. Select Panorama > Administrators and then click Add.
2. Enter a user Name and Password for the administrator. Make sure to enter a strong/complex password and record it in a safe location; Panorama will only prompt for this password in the event that the certificates are corrupted or a system failure occurs.
3. (Optional) Select an Authentication Profile.
4. Enable Use Public Key Authentication (SSH).
5. Click Import Key and browse to import the public key you just created.
6. Select the Role to assign to this administrator. You can either select one of the predefined Dynamic roles or a custom Role-Based profile. For details, see Create an Administrative Account.
7. Click OK to save the account.
8. Click Commit and select Panorama as the Commit Type option.
Step 3
Verify that the SSH client uses the private key to authenticate the public key presented by Panorama.
1. Configure the SSH client to use the private key to authenticate to Panorama.
2. Log in to the CLI on Panorama.
3. If prompted, enter the passphrase you defined when creating the keys.
Use RADIUS Vendor-Specific Attributes for Account Authentication
To use RADIUS VSAs, complete the following tasks:
Use RADIUS Vendor-Specific Attributes for Account Authentication
Step 1
Configure Panorama.
1. Configure a RADIUS server profile: select Panorama > Server Profiles > RADIUS.
2. Create an authentication profile that specifies RADIUS as the protocol for authentication and attach the RADIUS server profile (Panorama > Authentication Profiles).
3. Create a custom administrative role profile with a Device Group and Template role (Panorama > Admin Roles).
4. Configure Panorama to use the authentication profile for authentication (Setup > Management > Authentication Settings > Authentication Profile).
5. (Required only if using the vendor-specific attribute PaloAlto-Panorama-Admin-Access-Domain) If you want to restrict administrative access to specific managed firewalls, templates, and/or device groups, define an access domain (Panorama > Access Domains).
Step 2
Configure the RADIUS server.
1. Add the Panorama IP address or hostname as the RADIUS client.
2. Define the VSAs supported by Panorama. To define an attribute, use the vendor code (25461), attribute name (ensure it matches the name of the admin role profile/access domain defined on Panorama; it is case sensitive), number, and format (string):
PaloAlto-Panorama-Admin-Role, attribute #3
PaloAlto-Panorama-Admin-Access-Domain, attribute #4
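As an added illustration (not part of this guide or of any Palo Alto Networks code), the following Python encodes and decodes these two VSAs in the RFC 2865 Vendor-Specific attribute layout and shows why a value that differs only in case from the admin role or access domain name configured on Panorama fails to resolve. The role and access domain names used are constructed sample values.

```python
"""Encode and decode the Palo Alto Networks RADIUS VSAs that Panorama reads.

Added example, not part of the Panorama guide or Palo Alto Networks code.
Uses the RFC 2865 Vendor-Specific (type 26) attribute layout with the vendor
code (25461) and attribute numbers (#3, #4) given in the procedure above.
Role and access-domain names used in tests are constructed sample values.
"""
import struct
from typing import Dict, Optional, Set, Tuple

VENDOR_SPECIFIC = 26               # RADIUS attribute type for VSAs (RFC 2865)
PALOALTO_VENDOR_ID = 25461         # vendor code from the procedure above
PANORAMA_ADMIN_ROLE = 3            # PaloAlto-Panorama-Admin-Role (string)
PANORAMA_ADMIN_ACCESS_DOMAIN = 4   # PaloAlto-Panorama-Admin-Access-Domain (string)


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single string sub-attribute.

    Layout: Type(26) | Length | Vendor-Id (4 octets) | Vendor-Type | Vendor-Length | String
    Vendor-Length counts the Vendor-Type and Vendor-Length octets plus the string.
    """
    data = value.encode("ascii")
    if len(data) > 247:  # 255 max attribute length minus 8 header octets
        raise ValueError("VSA string too long for a single RADIUS attribute")
    sub_attr = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    header = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub_attr), PALOALTO_VENDOR_ID)
    return header + sub_attr


def decode_paloalto_vsas(attributes: bytes) -> Dict[int, str]:
    """Walk a RADIUS attribute list and return {vendor_type: value} for vendor 25461.

    Attributes of other types or from other vendors are skipped. Malformed
    lengths raise ValueError instead of being silently accepted.
    """
    found: Dict[int, str] = {}
    offset = 0
    while offset < len(attributes):
        if offset + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[offset], attributes[offset + 1]
        if attr_len < 2 or offset + attr_len > len(attributes):
            raise ValueError("bad attribute length")
        body = attributes[offset + 2 : offset + attr_len]
        offset += attr_len
        if attr_type != VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != PALOALTO_VENDOR_ID:
            continue
        sub, pos = body[4:], 0
        while pos + 2 <= len(sub):
            vendor_type, vendor_len = sub[pos], sub[pos + 1]
            if vendor_len < 2 or pos + vendor_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            found[vendor_type] = sub[pos + 2 : pos + vendor_len].decode("ascii")
            pos += vendor_len
    return found


def resolve_admin_access(attributes: bytes, admin_roles: Set[str],
                         access_domains: Set[str]) -> Tuple[Optional[str], Optional[str]]:
    """Map the returned VSAs to the profile names configured on Panorama.

    The guide notes the match is case sensitive, so "secadmin" does not resolve
    to a role profile named "SecAdmin"; an unmatched value yields None rather
    than a best-effort guess that could grant an unintended role.
    """
    vsas = decode_paloalto_vsas(attributes)
    role = vsas.get(PANORAMA_ADMIN_ROLE)
    domain = vsas.get(PANORAMA_ADMIN_ACCESS_DOMAIN)
    return (role if role in admin_roles else None,
            domain if domain in access_domains else None)
```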
For detailed instructions on setting up authentication using RADIUS VSAs, refer to the following documents:
On Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor Specific
Attributes (VSA).
On Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA.
Manage Firewalls
To use Panorama for managing Palo Alto Networks firewalls, you must add the firewalls as managed devices
and then assign them to device groups and templates. The following tasks best suit a first-time firewall
deployment. Before proceeding, review Plan Your Deployment to understand the deployment options.
Add a Firewall as a Managed Device
Manage Device Groups
Manage Templates
Use Case: Configure Firewalls Using Panorama
To view the Objects and Policies tabs on the Panorama web interface, you must first create at
least one Device Group and at least one Template for the Network and Device tabs to display.
These tabs include the configuration options required to configure and manage the firewalls on
your network.
If you have already configured and deployed firewalls on your network, the process of migrating the
configuration, local policies and objects from the firewalls to a centralized management approach requires an
understanding of scripting and the use of the XML API on the firewalls. To make this transition efficient, Palo
Alto Networks recommends using trained and certified partners who are familiar with the planning,
implementation, and verification stages of the migration process. Contact your authorized reseller or partner for
more information on the support offerings that are available to you. For a brief overview of the process, see
Transition a Firewall to Panorama Management and for more details refer to the article Panorama Device
Migration Tech Note.
Add a Firewall as a Managed Device
To use Panorama for central management of firewalls, the first step is to add them as managed devices. Before
starting, collect the firewall serial numbers and prepare each firewall as follows:
Perform initial configuration on the firewall so that it is accessible and can communicate with Panorama
over the network. For details, refer to the PAN-OS Administrators Guide.
Add the Panorama IP address(es) (one server or two, if Panorama is configured in a high availability pair) in the Panorama Settings section of the Device > Setup > Management tab and commit the changes.
Set up the data interfaces. For each interface you plan to use, select the interface type and attach it to a
security zone so that you can push configuration and policy from Panorama. For details, refer to the
PAN-OS Administrators Guide.
You can then add the firewalls as managed devices on Panorama:
Add a Firewall as a Managed Device
Step 1
Add device(s) to Panorama.
1. Select Panorama > Managed Devices.
2. Click Add and enter the serial number for each device that you want to manage centrally using Panorama. Add only one entry per line.
3. Click OK. The Managed Devices pane displays the new device.
4. (Optional) Add a Tag. Tags make it easier for you to find a device from a large list; they help you to dynamically filter and refine the list of firewalls that display. For example, if you add a tag called branch office, you can filter for all branch office devices across your network.
a. Select the check box beside the managed device and click Tag.
b. Click Add, enter a string of up to 31 characters (no empty spaces), and click OK.
5. Click Commit, for the Commit Type select Panorama, then click OK.
Step 2
Verify that the device is connected to Panorama.
If the firewall is accessible on the network and the Panorama IP address is configured on the device, Panorama must be able to connect to the device.
Manage Device Groups
Add a Device Group
Create Objects for Use in Shared or Device Group Policy
Manage Shared Objects
Select a URL Filtering Vendor on Panorama
Push a Policy to a Subset of Firewalls
Manage the Rule Hierarchy
Add a Device Group
After you add the firewalls, you can group them into device groups. A device group can include one or more
firewalls or virtual systems that need similar policies and objects and can therefore be effectively managed as a
logical unit.
When managing firewalls that are configured in an active-passive high availability (HA) configuration, make sure to place both firewalls in the same device group in Panorama. This is essential to make sure that the same policies and objects are pushed to both firewalls in the HA pair. Panorama-pushed policies are not synchronized between firewall HA peers.
Add a Device Group
Step 1
Create Device Group(s).
A device can belong to only one Device Group; for devices with multiple virtual systems, each virtual system can belong to a different Device Group.
1. Select Panorama > Device Groups, and click Add.
2. Enter a unique Name and a Description to identify the device group.
3. Use the filters to select the devices that you would like to add to the group.
4. (Optional) Select the Group HA Peers check box for firewalls that are set up as an HA pair. Adding both firewalls or virtual systems to the same device group allows you to push shared policies and objects simultaneously to both peers.
To group HA peers, the firewalls must be running PAN-OS 5.0 or later.
5. Assign a Master device for the device group, if you plan to use users or groups in policy. The master device is the firewall (and only device in the Device Group) from which Panorama gathers username and user group information for policy evaluation.
6. Click OK.
7. Click Commit, and select Panorama as the Commit Type. Save the changes to the running configuration on Panorama.
8. Click Commit, and select Device Group as the Commit Type. Push the changes to the devices in the device group.
Step 2
Begin centrally administering policies on the devices in the device group(s).
Create Objects for Use in Shared or Device Group Policy
Manage Shared Objects
Select a URL Filtering Vendor on Panorama
Push a Policy to a Subset of Firewalls
Manage the Rule Hierarchy
For an example, see Transition a Firewall to Panorama Management.
Create Objects for Use in Shared or Device Group Policy
An object is a container for grouping discrete identities such as IP addresses, URLs, applications, or users, for use
in policy enforcement. You can use Panorama to create and clone all objects in the Objects tab such as
Address/Address Group, Region or User/User Group. These policy objects can be shared across all managed
devices or be specific to a device group.
A shared object is a reusable component that is created on Panorama. It is shared across all device groups and
can be referenced in shared policies or in device group policies. It reduces administrative overhead and
ensures consistency in configuring multiple firewalls.
A device group object is specific to the device group in which it is defined. It can be used only in the device
group where it is created and is not visible when configuring other device groups or shared rules and objects.
For example, a device group object for a set of web server IP addresses that is created in the datacenter
device group is not available for use in any other device group or for use in shared policies.
Create Objects for Use in Shared or Device Group Policy
Create a shared object.
In this example, we will add a shared object for URL Filtering categories for which we want to trigger an alert.
1. Select the Objects > Security Profiles > URL Filtering tab and click Add.
If the Objects tab does not display, see Add a Firewall as a Managed Device to add a device group. The Panorama web interface displays the Objects tab only if you have created a device group.
2. Enter a Name and a Description.
3. Select the Shared check box. If you do not select the check box, the object will be a part of the device group that currently displays in the Device Group drop-down.
4. Select the check box next to the URL Categories for which you want to be notified and select Alert in the Action column, then click OK.
5. Click Commit, and select Panorama as the Commit Type.
Create a device group object.
In this example, we will add a device group object for specific web servers on your network.
1. Select the Device Group for which you plan to use this object in the Device Group drop-down.
2. Select the Objects > Addresses tab.
3. Select Address and click Add.
4. Verify that the Shared check box is not selected.
5. Enter a Name, a Description, and select the Type of address object from the drop-down. For example, select IP Range and include the IP address range for the web servers for which you would like to create an address object.
6. Click OK.
7. Commit your changes.
a. Click Commit, and select Panorama as the Commit Type. This saves the changes to the running configuration on Panorama.
b. Click Commit, and select Device Group as the Commit Type. This pushes the changes to the devices included in the Device Group.
View shared objects and device group objects in Panorama.
To demonstrate the difference between a shared object and a device group object, the following screenshot includes a shared address object that was created on Panorama.
The Location column in the Objects tab displays whether an object is shared or is specific to a device group.
1. Select the device group, for which you just created a device group object, in the Device Group drop-down.
2. Select the Objects > Addresses tab and verify that the device group object displays; note that the device group name in the Location column matches the selection in the Device Group drop-down.
If a different device group is selected in the Device Group drop-down, only the device group objects (and shared objects) created for the selected device group will display.
Manage Shared Objects
You can configure how Panorama handles shared objects. Consider whether you:
Would like to configure Panorama to push only shared objects that are referenced either in shared policies or device group policies to the managed device. For example, say all objects in your deployment are defined as shared objects, but you would like to push only the relevant objects for each device group. The Share Unused Address and Service Objects check box enables you to limit the objects that Panorama pushes to the managed devices.
By default, Panorama pushes all shared objects (used and unused) to the managed devices. On lower-end platforms, such as the PA-200, consider pushing only the relevant shared objects to the managed devices. This is because the number of objects that can be stored on the lower-end platforms is considerably lower than that of the mid- to high-end platforms. Also, if you have many address and service objects that are unused, clearing the Share Unused Address and Service Objects check box reduces the commit times significantly on the devices because the configuration pushed to each device is smaller.
Disabling this option may, however, increase the commit time on Panorama. This is because Panorama has to dynamically check whether a particular object is referenced in policy.
Perform the following steps to disable the sharing of unused address and service objects to devices.
Manage Unused Shared Objects
1. Select Panorama > Setup > Management, and edit the Panorama Settings.
2. Clear the Share Unused Address and Service Objects with Devices check box.
Would like to ensure that a shared object takes precedence over an object that has the same name as a device group object.
By default, shared objects do not override any device group object with the same name as a shared object. If you would like to prevent overrides to objects that have been defined as shared objects on Panorama, you can enable the option for Shared Objects Take Precedence. When enabled, all device group objects with the same name will be discarded and the shared object settings will be pushed to the managed devices.
Perform the following steps to ensure that shared objects always take priority over device group objects.
Manage Precedence of Shared Objects
1. Select Panorama > Setup > Management and edit the Panorama Settings.
2. Select the Shared Objects Take Precedence check box.
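The following Python is an added model (not Panorama code) of the two settings above: how a name collision between a shared object and a device group object is resolved with and without Shared Objects Take Precedence, and which objects are pushed when Share Unused Address and Service Objects is cleared. It assumes that only shared objects are subject to the unused-object filter and that device group objects are always pushed to their own group; all names and values are constructed.

```python
"""Model of how Panorama resolves and pushes shared vs. device group objects.

Added example, not Panorama code. It models the two Panorama Settings described
above: Shared Objects Take Precedence and Share Unused Address and Service
Objects with Devices. Assumption: only shared objects are subject to the
unused-object filter; device group objects are always pushed to their group.
Object names, values and rules are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SHARED = "shared"   # Location column value for a shared object


@dataclass(frozen=True)
class AddressObject:
    name: str
    value: str       # e.g. an IP range (constructed)
    location: str    # SHARED or the device group name


@dataclass(frozen=True)
class Rule:
    name: str
    addresses: frozenset   # names of the address objects the rule references


def resolve_objects(shared: Iterable[AddressObject], dg_objects: Iterable[AddressObject],
                    shared_take_precedence: bool = False) -> Dict[str, AddressObject]:
    """Return the name -> object view a device group sees after name collisions.

    Default: a device group object with the same name overrides the shared one.
    With Shared Objects Take Precedence: the device group duplicate is discarded
    and the shared object's settings are what gets pushed.
    """
    resolved = {obj.name: obj for obj in shared}
    for obj in dg_objects:
        if obj.name in resolved and shared_take_precedence:
            continue            # duplicate discarded, shared definition wins
        resolved[obj.name] = obj
    return resolved


def objects_to_push(shared: Iterable[AddressObject], dg_objects: Iterable[AddressObject],
                    rules: Iterable[Rule], shared_take_precedence: bool = False,
                    share_unused: bool = True) -> List[str]:
    """Sorted names of the objects Panorama would push to the device group's firewalls.

    With Share Unused Address and Service Objects cleared, a shared object is
    pushed only if some shared or device group rule references it, which shrinks
    the pushed configuration at the cost of Panorama checking references at commit.
    """
    resolved = resolve_objects(shared, dg_objects, shared_take_precedence)
    referenced = set().union(*(rule.addresses for rule in rules))
    return sorted(name for name, obj in resolved.items()
                  if share_unused or obj.location != SHARED or name in referenced)


# Constructed sample data: a shared "web-servers" object collides with a
# datacenter device group object of the same name; "ntp-servers" is unreferenced.
SHARED_OBJECTS = [
    AddressObject("web-servers", "10.0.0.10-10.0.0.20", SHARED),
    AddressObject("dns-servers", "10.0.0.53", SHARED),
    AddressObject("ntp-servers", "10.0.0.123", SHARED),
]
DATACENTER_OBJECTS = [AddressObject("web-servers", "192.168.10.10-192.168.10.30", "datacenter")]
DATACENTER_RULES = [
    Rule("allow-web", frozenset({"web-servers"})),
    Rule("allow-dns", frozenset({"dns-servers"})),
]
```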
Select a URL Filtering Vendor on Panorama
URL Filtering enables you to configure firewalls to monitor and control web access for your users. The policies
(security, QoS, Captive Portal, and decryption) that enforce web access rules reference URL categories. The
URL filtering vendor you select on Panorama determines which URL categories are referenced in the policies
that you add to device groups and push to firewalls.
On any single device, Panorama or a firewall, only one URL Filtering vendor can be active: PAN-DB or
BrightCloud. To determine which vendor best suits your needs, consult Palo Alto Networks Customer Service.
When selecting a vendor for Panorama, you must consider the vendor and PAN-OS version of the managed
firewalls:
PAN-OS 5.0.x and earlier versions: Panorama and the firewalls require matching URL Filtering vendors.
PAN-OS 6.0 or later versions: Panorama and the firewalls do not require matching URL Filtering vendors.
If a vendor mismatch is detected, the firewall maps the URL categories in the URL Filtering profiles and
policies that it received from Panorama to categories that align with those of the vendor enabled on the
firewall. For details, refer to the article BrightCloud to PAN-DB Category Mapping.
Therefore, for a deployment in which some firewalls run PAN-OS 6.0 and some firewalls run earlier PAN-OS
versions, Panorama must use the same URL Filtering vendor as the firewalls that run earlier PAN-OS versions.
For example, if firewalls that run PAN-OS 5.0 use BrightCloud, and firewalls that run PAN-OS 6.0 use PAN-DB
(or BrightCloud), Panorama must use BrightCloud.
A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be
active. To view the valid URL Filtering licenses on a managed firewall, select Panorama >
Device Deployment > Licenses and check the vendors listed in the URL column for the
corresponding firewall. To determine which license is active (and therefore which URL Filtering
vendor is selected), log in to the firewall and select Device > Licenses. To change the active
URL Filtering vendor of a firewall, see the PAN-OS Administrators Guide.
Select a URL Filtering Vendor on Panorama
Step 1
Select a URL filtering vendor for Panorama.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Select the vendor in the URL Filtering Database drop-down: brightcloud or paloaltonetworks (PAN-DB).
Step 2
(Optional) Verify that the categories are available for referencing in policies.
Unlike firewalls, Panorama does not download the URL database, so you cannot view the database download status.
1. Select Objects > Security Profiles > URL Filtering.
2. Click Add and verify that the Categories tab of the URL Filtering Profile dialog displays the categories.
Push a Policy to a Subset of Firewalls
A policy target allows you to specify the devices in a Device Group to which to push policy. It allows you to
exclude one or more devices or virtual systems, or to only apply the rule to specific devices or virtual systems
in a Device Group.
The ability to target a policy enables you to keep policies centralized on Panorama; it offers visibility and
efficiency in managing the rules. Instead of creating local rules on a device or virtual system, targeted policy rules
allow you to define the rules (as shared or device-group pre- or post-rules) on Panorama.
Push a Policy to a Subset of Firewalls
Step 1
Create a policy.
1. Select the Device Group for which you want to define policy.
2. Select the Policies tab, and select the rulebase for which you would like to create policy. For example, define a pre-rule in the Security policies rulebase that permits users on the internal network to access the servers in the DMZ:
a. Click Add in Policies > Security > Pre-Rules.
b. Give the rule a descriptive name in the General tab.
c. In the Source tab, set the Source Zone to Trust.
d. In the Destination tab, set the Destination Zone to DMZ.
e. In the Service/URL Category tab, set the Service to application-default.
f. In the Actions tab, set the Action to Allow.
g. Leave all the other options at the default values.
Step 2
Target the policy to include or exclude a subset of devices.
To apply the policy to a selected set of devices:
1. Select the Target tab in the Policy Rule window.
2. Select the devices on which you would like the rule to apply.
If you do not select devices to target, the policy is added to all of
the (unchecked) devices in the device group.
By default, although the check box for the virtual
systems in the Device Group is unchecked, all the
virtual systems will inherit the rule on commit. Select
the check box for one or more virtual systems to which
you want the rule to apply.
3. (Optional) To exclude a subset of devices from inheriting the
policy rule, select the check box Install on all but specified
devices.
If you select Install on all but specified devices and do
not select any device, the policy is added to none of the
devices in the device group.
4. Click OK.
5. Save the configuration changes.
a. Click Commit, and select Panorama as the Commit Type to
save the changes to the running configuration on Panorama.
b. Click Commit, and select Device Group as the Commit Type
to push the changes to the devices selected in the Device
Group.
Manage the Rule Hierarchy
The ordering of policy rules is essential for securing your network. The firewall evaluates rules from top to
bottom in the order they appear in the Policies tab of the web interface. The firewall matches a packet against
the first rule that meets the defined criteria and does not evaluate subsequent rules. Therefore, the more specific
rules must precede more generic ones to enforce the most specific match.
When you display rules in preview mode on Panorama (Step 1 in the following procedure), all the shared, device
group, and default rules that the firewall inherits from Panorama appear in green, while the local firewall rules
appear in blue between the pre-rules and post-rules.
Figure: Rule Hierarchy
Use the following procedure to verify the ordering of rules and make changes as appropriate:
Manage the Rule Hierarchy
Step 1
View the rule hierarchy for each rulebase.
1. Select the Policies tab, and click Preview Rules.
2. Use the following filters for previewing rules in the Combined Rules Preview window (see Figure: Rule Hierarchy):
Rulebase: Select a rulebase and view the rules defined for that rulebase: Security, NAT, QoS, Policy Based Forwarding, Decryption, Captive Portal, Application Override, or DoS Protection.
Device Group: For the selected rulebase, you can view all Shared policies or select a specific Device Group for which you want to view the combined list of policies inherited from Panorama and those defined locally.
Device: For the selected Rulebase and Device Group, you can view the list of policies that will be evaluated on a specific firewall in the device group.
3. Close the Combined Rules Preview window to exit preview mode.
Step 2
(Optional) Delete or disable rules.
You must access the context of individual firewalls to determine which rules they do not use. To do this from Panorama, select a firewall in the Context drop-down, select the Policies tab, and click Highlight Unused Rules. A dotted orange background indicates the rules that the firewall does not currently use.
Select the Policies tab to perform either of the following actions:
To delete an unused rule, select the rule and click Delete.
To disable a rule, select the rule and click Disable. The disabled rule appears in an italicized font.
Step 3
Rearrange the rules within a selected pre-rule or post-rule rulebase, if required.
1. In a rulebase, select the rule you want to move.
2. Click the Move Up, Move Down, Move Top or Move Bottom options to reorder the placement of the rule.
To rearrange local rules on the firewall, switch to the local firewall context.
Step 4
If you modified the rules, save the changes.
1. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
2. Click Commit, and select Device Group as the Commit Type to push the changes to the firewalls selected in the device group.
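The following Python is an added model (not Panorama code) that ties together the policy targeting rules from Push a Policy to a Subset of Firewalls and the first-match, top-to-bottom evaluation described in this section, so the effective rule list of a given firewall can be reasoned about before a Device Group commit. It assumes the combined order shared pre-rules, device group pre-rules, local rules, device group post-rules, shared post-rules, default rules; serial numbers, zones and rule names are constructed.

```python
"""Model of Panorama policy targeting and the combined rule hierarchy.

Added example, not Panorama code. It implements the targeting behaviour stated
in Push a Policy to a Subset of Firewalls (no target selected installs the rule
on all devices; Install on all but specified devices with no device selected
installs it on none) and the first-match evaluation from Manage the Rule
Hierarchy. Assumption: combined order is shared pre-rules, device group
pre-rules, local rules, device group post-rules, shared post-rules, default
rules. Serials, zones and rule names are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                # "allow" or "deny"
    targets: FrozenSet[str] = frozenset()      # device serials chosen on the Target tab
    install_on_all_but: bool = False           # "Install on all but specified devices"
    disabled: bool = False                     # rule shown italicized after Disable

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        return self.src_zone in (ANY, src_zone) and self.dst_zone in (ANY, dst_zone)


@dataclass
class RuleHierarchy:
    shared_pre: List[Rule] = field(default_factory=list)
    dg_pre: List[Rule] = field(default_factory=list)
    dg_post: List[Rule] = field(default_factory=list)
    shared_post: List[Rule] = field(default_factory=list)
    default_rules: List[Rule] = field(default_factory=list)


def rule_applies_to(rule: Rule, serial: str) -> bool:
    """Decide whether a Panorama rule is installed on the firewall with this serial."""
    if rule.install_on_all_but:
        # Exclusion with nothing selected installs the rule on no device.
        return bool(rule.targets) and serial not in rule.targets
    # No target selected installs the rule on every device in the device group.
    return not rule.targets or serial in rule.targets


def combined_rules(hierarchy: RuleHierarchy, local_rules: List[Rule], serial: str) -> List[Rule]:
    """Rules in the order the firewall evaluates them, as in Combined Rules Preview."""
    pre = [r for r in hierarchy.shared_pre + hierarchy.dg_pre if rule_applies_to(r, serial)]
    post = [r for r in hierarchy.dg_post + hierarchy.shared_post if rule_applies_to(r, serial)]
    return pre + local_rules + post + hierarchy.default_rules


def first_match(rules: List[Rule], src_zone: str, dst_zone: str) -> Optional[Rule]:
    """Top-to-bottom first match; disabled rules are skipped, later rules never consulted."""
    for rule in rules:
        if not rule.disabled and rule.matches(src_zone, dst_zone):
            return rule
    return None


# Constructed sample: the Trust -> DMZ pre-rule from the procedure above, targeted
# at firewall FW-A only, plus a shared post-rule and a constructed default deny.
HIERARCHY = RuleHierarchy(
    dg_pre=[Rule("allow-trust-to-dmz", "Trust", "DMZ", "allow", targets=frozenset({"FW-A"}))],
    shared_post=[Rule("deny-trust-to-untrust", "Trust", "Untrust", "deny")],
    default_rules=[Rule("default-deny", ANY, ANY, "deny")],
)
LOCAL_RULES: Dict[str, List[Rule]] = {
    "FW-A": [],
    "FW-B": [Rule("local-allow-dmz", "Trust", "DMZ", "allow", disabled=True)],
}


def decision(serial: str, src_zone: str, dst_zone: str) -> str:
    """Name of the rule that would match this zone pair on the given firewall."""
    hit = first_match(combined_rules(HIERARCHY, LOCAL_RULES[serial], serial), src_zone, dst_zone)
    return hit.name if hit else "no-match"
```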
Manage Templates
Panorama Templates allow you to manage the configuration options on the Device and Network tabs on the managed firewalls. Using templates you can define a base configuration for centrally staging new firewalls and then make device-specific exceptions in configuration, if required. For example, you can use templates to define administrative access to the device, set up User-ID, manage certificates, set up the firewalls in a high availability pair, define log settings, and define server profiles on the managed firewalls.
When creating templates, make sure to assign similar devices to a template. For example, group devices with a single virtual system in one template and devices enabled for multiple virtual systems in another template, or group devices that require very similar network interface and zone configuration in a template.
To delete/remove a template, you must first Disable/Remove Template Settings on the managed
firewall locally.
The following topics provide more information on working with templates:
Template Capabilities and Exceptions
Add a Template
Override a Template Setting
Disable/Remove Template Settings
Template Capabilities and Exceptions
Panorama templates have the following capabilities and exceptions, depending on the PAN-OS release running
on the managed firewalls:
Firewall PAN-OS Release Template Capabilities and Exceptions
PAN-OS 4.x
You can use Panorama templates only for the following tasks:
Create response pages
Define authentication profiles and sequences
Create self-signed certificates on Panorama or import certificates
Create client authentication certificates (known as Certificate Profiles in Panorama 5.0
and later)
Create server profiles: SNMP Trap, Syslog, Email, NetFlow, RADIUS, LDAP, and
Kerberos
Firewall PAN-OS Release: PAN-OS 5.x and later
Template Capabilities and Exceptions: You can use templates to define a wide array of settings but you cannot
perform the following tasks. You must perform these tasks locally on each managed firewall:
  Enable operational modes such as multi-vsys mode, FIPS mode, or CC mode using templates.
  Configure the IP addresses of a firewall HA pair: HA1 peer IP address, HA1 backup peer IP address, HA2 peer
  IP address, and HA2 backup peer IP address.
  Configure a master key and diagnostics.
  Compare configuration files (Config Audit).
  Configure virtual systems (vsys).
  Configure shared gateways.
  Clear logs.
To deploy software updates to firewalls or to manage firewall licenses, use Panorama tab options, not templates.
Add a Template
Until you add a template on Panorama, the Device and Network tabs, which you use to define the network setup
elements and device configuration elements on the firewall, do not display. Use these instructions to add a new
template.
To delete/remove a template, you must disable the template on the managed device locally. You
must have superuser privileges on the device to disable the template.
Add a Template
Step 1: Add a new template.
1. Select Panorama > Templates.
2. Click Add and enter a unique name and a description to identify the template.
3. (Optional) Select the Virtual Systems check box if this template will be used for devices that are multi-vsys
   capable and are enabled for multi-vsys functionality.
   A commit failure will occur if a template enabled for devices with multi-vsys capability is pushed to devices
   that are not multi-vsys capable or are not enabled for the multi-vsys functionality.
4. Specify the Operational Mode for the devices to which the template will be applied. The default is normal;
   change to cc or fips, as required. The template commit will fail if there is a mismatch in the operational
   mode specified on the template with what is enabled on the devices included in the template.
5. (Optional) Select the VPN Disable Mode when creating templates for hardware models that have the -NV
   indicator in the model name; these models are hard coded to disallow VPN configuration for countries that
   do not allow VPN connectivity.
6. Select the Devices (firewalls) for which you plan to use this template. You must select the firewalls
   individually.
   Whenever you add a new managed firewall to Panorama, you must assign it to the appropriate template;
   Panorama does not automatically assign new firewalls. When you perform a template commit, Panorama
   pushes the configuration to every firewall assigned to the template.
7. (Optional) Select the Group HA Peers check box for firewalls that are set up as a high availability (HA) pair.
   PAN-OS synchronizes some, but not all, configurations between HA peers. For active/passive HA, select
   Group HA Peers so that both will receive the configurations. For active/active HA, whether you select
   Group HA Peers depends on whether each peer must receive the same configurations. For a list of
   configurations that HA synchronization includes and excludes, see High Availability Synchronization.
8. Click OK.
9. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration
   on Panorama.
10. Click Commit, and select Template as the Commit Type to push the changes to the devices included in the
   template.
Step 2: Verify that the template is available.
After you add the first template, the Device and Network tabs will display on Panorama.
In the Network and Device tabs, a Template drop-down displays. Verify that the newly added template displays
in the drop-down.
Step 3: Apply a configuration change using the template.
Let's specify a base configuration that defines a Primary DNS server for the devices in the template.
1. In the Template drop-down, select the template that you want to configure.
2. Select Device > Setup > Services, and edit the Services section.
3. Enter an IP address for the Primary DNS Server.
4. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration
   on Panorama.
5. Click Commit, and select Template as the Commit Type to push the changes to the devices included in the
   selected template.
Step 4: Verify that the device is configured with the template settings that you pushed from Panorama.
1. Switch to the device context for a firewall that you pushed the setting to using the template.
2. Go to Device > Setup > Services. The IP address that you pushed using the template appears. The template
   icon also appears.
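The notes in steps 3 and 4 of Step 1 describe two mismatches (multi-vsys capability and operational mode) that Panorama only reports when the template commit fails. The following Python script is an added example, not code from this guide or from Panorama: it models the template settings from the procedure above against a constructed firewall inventory and reports those mismatches before a commit, and it also partitions the inventory into sets of devices that can share one template, following the grouping advice under Manage Templates. The Firewall and Template classes, the inventory values, and the assumption that a template with VPN Disable Mode should contain only -NV models (and a non-NV template only non-NV models) are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """A managed firewall as Panorama sees it (constructed sample data, not a real inventory)."""
    name: str
    model: str
    multi_vsys_capable: bool
    multi_vsys_enabled: bool
    operational_mode: str  # "normal", "cc" or "fips", as enabled locally on the firewall


@dataclass
class Template:
    """The Panorama > Templates settings from the Add a Template procedure."""
    name: str
    virtual_systems: bool = False      # the Virtual Systems check box
    operational_mode: str = "normal"   # Operational Mode: normal, cc or fips
    vpn_disable_mode: bool = False     # VPN Disable Mode, meant for -NV hardware models
    devices: list = field(default_factory=list)


def check_template(template, inventory):
    """Return (device, reason) pairs that would make a template commit fail, plus
    VPN Disable Mode mismatches (an assumption of this example, see the lead-in)."""
    problems = []
    for name in template.devices:
        fw = inventory[name]
        if template.virtual_systems and not (fw.multi_vsys_capable and fw.multi_vsys_enabled):
            problems.append((name, "multi-vsys template pushed to a device that is not "
                                   "multi-vsys capable or not enabled for multi-vsys"))
        if template.operational_mode != fw.operational_mode:
            problems.append((name, f"operational mode mismatch: template is "
                                   f"{template.operational_mode}, device is {fw.operational_mode}"))
        if template.vpn_disable_mode != fw.model.endswith("-NV"):
            problems.append((name, "VPN Disable Mode does not match the -NV model indicator"))
    return problems


def suggest_template_groups(inventory):
    """Partition the inventory by the properties a template cannot override, so that every
    device in a group can be assigned to the same template without a commit failure."""
    groups = defaultdict(list)
    for fw in inventory.values():
        key = (fw.multi_vsys_capable and fw.multi_vsys_enabled,
               fw.operational_mode,
               fw.model.endswith("-NV"))
        groups[key].append(fw.name)
    return dict(groups)


# Constructed sample inventory: names, models and modes are made up for this example.
INVENTORY = {fw.name: fw for fw in [
    Firewall("dc-fw1", "PA-5050", True, True, "normal"),
    Firewall("dc-fw2", "PA-5050", True, True, "normal"),
    Firewall("branch-fw1", "PA-200", False, False, "normal"),
    Firewall("regional-fw1", "PA-3020", True, False, "fips"),
]}

# branch-fw1 was assigned to the multi-vsys template by mistake; regional-fw1 runs in
# FIPS mode but its template keeps the default operational mode.
T_DATACENTER = Template("T_DataCenter", virtual_systems=True,
                        devices=["dc-fw1", "dc-fw2", "branch-fw1"])
T_REGIONAL = Template("T_Regional", devices=["regional-fw1"])

if __name__ == "__main__":
    for t in (T_DATACENTER, T_REGIONAL):
        for device, reason in check_template(t, INVENTORY):
            print(f"{t.name}: {device}: {reason}")
    for key, names in suggest_template_groups(INVENTORY).items():
        print(key, names)
```

Run the check after every change to a template's device list, before the Template commit, and treat any reported pair as a device that must be moved to another template or reconfigured locally first.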
Override a Template Setting
While templates allow you to create a base configuration that can be applied to multiple firewalls, you might
want to configure device-specific settings that do not apply to all the firewalls in a template. Template
overrides allow for exceptions or modifications to meet your deployment needs. If, for example, a template was
used to create a base configuration but a few firewalls in a test lab environment need different settings for the
DNS server IP address or the NTP server, you can override the settings defined in the template.
Override a Template Setting
Step 1: Access the web interface of the managed device. You can either directly launch the IP address of the
firewall or you can switch to the device context on Panorama.
Step 2: Navigate to the setting that you need to modify on the device. In this example, we will override the DNS
server IP address that you assigned using a template in Add a Template.
1. Go to Device > Setup > Services and edit the Services section.
2. Click the template icon (green cog) to override the value defined for the Primary DNS server IP address.
3. Enter a new value for the Primary DNS Server. Note that the template override icon (yellow cog overlapping
   green) now displays to indicate that the value that Panorama pushed using a template has been modified on
   the firewall.
4. Click OK.
5. Click Commit to save your changes on the device.
Disable/Remove Template Settings
If you want to stop using templates to manage the configuration on a managed device, you can disable the
template. When disabling a template, you can choose to copy the template settings to the local device
configuration or to delete the values that were previously pushed using the template.
To disable template settings, you must have Superuser privileges.
Disable/Remove Template Settings
1. Access the web interface of the managed firewall. You can directly access the firewall by entering its IP
   address in the browser URL field or, in Panorama, select the firewall in the Context drop-down.
2. Select Device > Setup > Management and edit the Panorama Settings.
3. Select Disable Device and Network Template.
4. (Optional) Select Import Device and Network Template before disabling, to save the configuration settings
   locally on the firewall. If you do not select this option, PAN-OS will delete all Panorama-pushed settings
   from the device.
5. Click OK twice and then click Commit to save the changes.
Transition a Firewall to Panorama Management
If you have already deployed Palo Alto Networks firewalls and configured them locally, but now want to start
using Panorama for centrally managing them, you have pre-migration planning, implementation and
post-migration verification tasks. This high-level overview does not address all the critical tasks required to plan,
implement, and validate the transition to centralized administration. Here are the high-level planning and
configuration activities.
On Panorama, add the devices and create device groups to logically assemble firewalls or virtual systems
that perform a similar role or function, or that have similar characteristics.
Create common zones for each device group. Decide on the common zone-naming strategy for all devices
and virtual systems in a device group. For example, if you have two zones called Branch LAN and WAN,
Panorama can centrally push policies that reference those zones without being aware of the variations in
port/media type, platform or the logical addressing schema. You must create the zones on each managed
device before you can commit the changes to the device group or template. Panorama cannot poll the
devices for zone name or configuration.
Configure each device to communicate with Panorama. You must define the Panorama IP addresses
(primary and secondary Panorama) on each device.
Use device groups to create common policies for devices with similar functionality and use templates to
define a common base configuration for the managed device.
Determine how you will manage local rules and device-specific exceptions to common policies and
configuration settings. If you plan to use locally configured rules on the devices, make sure that the names
of the rules are unique. A good way to ensure this would be to add a suffix or a prefix to all existing rules.
Consider removing all deny rules in local security policy and use Panorama post-rules. This approach
allows you to temporarily disable local rules and test the shared post-rules pushed from Panorama. You
can then test the post-rules, make adjustments as necessary and eliminate local administration on the
device.
Verify that the firewalls function as efficiently with Panorama-pushed configuration as they did with local
configuration.
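The planning items above ask you to keep local rule names unique (for example by prefixing them) and suggest temporarily disabling local deny rules so the shared post-rules pushed from Panorama can be tested. The following Python example is added here and is not code from this guide or from Panorama; it models a firewall's merged Security rulebase under the assumed evaluation order shared pre-rules, device group pre-rules, local rules, device group post-rules, shared post-rules (first match wins), detects name collisions between local and pushed rules, and shows the effect of the prefixing and of disabling local denies. The rule names are constructed. The same ordering is what the policy hierarchy in the use case later in this chapter relies on.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    scope: str      # "shared", "device-group" or "local"
    position: str   # "pre" or "post" for Panorama rules, "local" for firewall rules
    action: str     # "allow" or "deny"
    disabled: bool = False


# Assumed evaluation order of the merged Security rulebase on a managed firewall.
LAYER_ORDER = [("shared", "pre"), ("device-group", "pre"), ("local", "local"),
               ("device-group", "post"), ("shared", "post")]


def effective_rulebase(rules):
    """Enabled rules in the order the firewall evaluates them (first match wins).
    sorted() is stable, so rules keep their relative order inside each layer."""
    rank = {layer: i for i, layer in enumerate(LAYER_ORDER)}
    return sorted((r for r in rules if not r.disabled),
                  key=lambda r: rank[(r.scope, r.position)])


def local_name_collisions(rules):
    """Local rule names that also exist among the rules Panorama pushes."""
    pushed = {r.name for r in rules if r.scope != "local"}
    return sorted({r.name for r in rules if r.scope == "local" and r.name in pushed})


def prefix_local_rules(rules, prefix="local-"):
    """The guide's suggestion: tag every local rule with a prefix so its name stays unique."""
    return [replace(r, name=prefix + r.name) if r.scope == "local" else r for r in rules]


def disable_local_deny_rules(rules):
    """Temporarily disable local deny rules so the shared post-rules can be exercised."""
    return [replace(r, disabled=True) if r.scope == "local" and r.action == "deny" else r
            for r in rules]


def first_deny(rules):
    """Name of the first deny rule in evaluation order, or None if there is none."""
    return next((r.name for r in effective_rulebase(rules) if r.action == "deny"), None)


# Constructed sample rulebase: names are made up; the local "allow-dns-snmp" clashes with
# a shared pre-rule of the same name, the situation the planning step warns about.
RULES = [
    Rule("deny-all", "local", "local", "deny"),
    Rule("allow-dns-snmp", "local", "local", "allow"),
    Rule("allow-dns-snmp", "shared", "pre", "allow"),
    Rule("allow-facebook-marketing", "device-group", "pre", "allow"),
    Rule("log-deny-all", "shared", "post", "deny"),
]

if __name__ == "__main__":
    print("collisions:", local_name_collisions(RULES))
    staged = disable_local_deny_rules(prefix_local_rules(RULES))
    print("evaluation order:", [r.name for r in effective_rulebase(staged)])
    print("first deny reached:", first_deny(staged))
```

With the local deny disabled, traffic that no pre-rule or local allow matches falls through to the shared post-rule, which is exactly what the migration plan wants to verify before local administration is retired.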
For detailed information on using the XML API to perform the transition, refer to the document Panorama
Device Migration Tech Note. Because Palo Alto Networks Technical Support does not help troubleshoot issues
when using the XML API, if you do not have experience with scripting/using the XML API, contact Palo Alto
Networks Professional Services to learn about the firewall migration process.
Use Case: Configure Firewalls Using Panorama
Let's say that you want to use Panorama in a high availability configuration to manage a dozen firewalls on your
network: you have six firewalls deployed across six branch offices, a pair of firewalls in a high availability
configuration at each of two datacenters, and a firewall in each of the two regional head offices.
The first step in creating your central management strategy is to determine how to group the firewalls into
device groups and templates to efficiently push configurations from Panorama. You can base the grouping on
the business functions, geographic locations, or administrative domains of the firewalls. In this example, you
create two device groups and three templates to administer the devices using Panorama:
Device Groups
Templates
Set Up Your Centralized Configuration and Policies
Device Groups
In this example, we decide to define two Device Groups based on the functions the firewalls will perform:
DG_BranchAndRegional for grouping devices that serve as the security gateways at the branch offices and
at the regional head offices. We placed the branch office firewalls and the regional office firewalls in the same
Device Group because devices with similar functions will require similar policy rulebases.
DG_DataCenter for grouping the devices that secure the servers at the datacenters.
We can then administer shared policies across both Device Groups as well as administer distinct Device Group
policies for the regional office and branch office groups. Then for added flexibility, the local administrator at a
regional or branch office can create local rules that match specific source, destination, and service flows for
accessing applications and services that are required for that office. In this example, we create the following
hierarchy for security policies; you can use a similar approach for any of the other rulebases:
Templates
When grouping devices for templates, we must take into account the differences in the networking
configuration. For example, if the interface configuration is not the same (the interfaces are unlike in type, the
interfaces used are not alike in the numbering scheme and link capacity, or the zone-to-interface mappings are
different), the devices must be in separate templates. Further, the way the devices are configured to access
network resources might differ because the devices are spread geographically; for example, the DNS server,
syslog servers, and gateways that they access might be different. So, to allow for an optimal base
configuration, you must place the devices in separate templates as follows:
T_Branch for the branch office devices
T_Regional for the regional office devices
T_DataCenter for the devices at the datacenter
If you plan to deploy your firewalls in an Active/Active HA configuration, assign each firewall in the HA pair to a
separate template. Doing so gives you the flexibility to set up separate networking configurations for each peer.
For example, you can manage the networking configurations in a separate template for each peer so that each
can connect to different northbound and southbound routers, and can have different OSPF or BGP peering
configurations.
Set Up Your Centralized Configuration and Policies
Using the example described in the preceding topics (starting with Use Case: Configure Firewalls Using
Panorama), perform the following tasks to centrally deploy and administer firewalls:
TASK 1: Add the firewalls as managed devices and deploy content updates and PAN-OS software updates
to those firewalls.
TASK 2: Use Templates to administer a base configuration.
TASK 3: Use Device Groups for managing the policies on your firewalls.
TASK 4: Preview your rules and commit your changes to Panorama, Device Groups, and Templates.
Deploy Content Updates and PAN-OS Software Updates to the Managed Firewalls
TASK 1: Add the firewalls as managed devices and deploy content updates and PAN-OS software updates to those
firewalls. First install the Applications or Applications and Threats database, then the Antivirus, and finally
update the Software version. If you purchased a Threat Prevention subscription, the content and antivirus
databases are available to you.
1. For each firewall that Panorama will manage, perform the task Add a Firewall as a Managed Device.
2. Deploy the content updates to the firewalls.
   a. Select Panorama > Device Deployment > Dynamic Updates.
   b. Click Check Now to check for the latest updates. If the value in the Action column is Download, this
      indicates an update is available.
   c. Click Download. When the download completes, the value in the Action column changes to Install.
   d. In the Action column, click Install. Use the filters or user-defined tags to select the managed firewalls on
      which you would like to install this update.
   e. Click OK, then monitor the status, progress, and result of the content update for each firewall. The
      Results column displays the success or failure of the installation.
   To review the status or progress for all tasks performed on Panorama, see View Panorama Task Completion
   History.
3. Deploy the software updates to the firewalls.
   a. Select Panorama > Device Deployment > Software.
   b. Click Check Now to check for the latest updates. If the value in the Action column is Download, this
      indicates an update is available.
   c. Locate the version that you need for each hardware model and click Download. When the download
      completes, the value in the Action column changes to Install.
   d. In the Action column, click the Install link. Use the filters or user-defined tags to select the managed
      firewalls on which to install this version.
   e. Enable the check box for Reboot device after install or Upload only to device (do not install) and click OK.
      The Results column displays the success or failure of the installation.
Use Templates to Administer a Base Configuration
TASK 2: Use Templates to administer a base configuration.
1. For each template, perform the task Add a Template and assign the appropriate firewalls to each.
2. Define a DNS server, NTP server, Syslog server, and login banner. Repeat this step for each template.
   a. In the Device tab, select the Template from the drop-down.
   b. Select Setup > Services and edit the Services section: enter an IP address for the Primary DNS Server and
      Primary NTP Server.
   c. To add a login banner, select Device > Setup > Management and edit the General Settings section: add the
      text for the Login Banner and click OK.
   d. To add a syslog server, select Device > Server Profiles > Syslog, click Add, enter a Name for the profile,
      and click Add to specify the information (as follows) required to connect to the Syslog server. You can add
      up to four servers to the same profile. After you finish adding servers, click OK to save the server profile.
      Name: Unique name for the server profile.
      Server: IP address or fully qualified domain name (FQDN) of the Syslog server.
      Port: The port number on which to send Syslog messages (default is 514); you must use the same port
      number on Panorama and the Syslog server.
      Facility: Select one of the Syslog standard values, which is used to calculate the priority (PRI) field in
      your Syslog server implementation. You must select the value that maps to how you use the PRI field to
      manage your Syslog messages.
3. Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this
   step for each template.
   a. In the Device tab, select the Template from the drop-down.
   b. Select Setup > Management, and edit the Management Interface Settings section.
   c. Under Services, select the HTTPS, SSH, and SNMP check boxes, then click OK.
4. Create a zone protection profile for the firewalls in the Datacenter Template (T_DataCenter).
   a. Select the Network tab and, in the Template drop-down, select T_DataCenter.
   b. Select Network Profiles > Zone Protection and click Add.
   c. For this example, enable protection against a SYN flood. In the Flood Protection tab, select the SYN check
      box, set the Action to SYN Cookies, set the Alert packets/second to 100, set the Activate packets/second
      to 1000, and set the Maximum packets/second to 10000.
   d. For this example, enable alerts. In the Reconnaissance Protection tab, select the Enable check boxes for
      TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default
      value).
   e. Click OK to save the zone protection profile.
5. Configure the interface and zone settings in the Datacenter Template (T_DataCenter), and then attach the
   zone protection profile you just created.
   Before performing this step, you must have configured the interfaces locally on the firewalls. At a
   minimum, you must have defined the interface type, assigned it to a virtual router (if needed), and
   attached a security zone.
   a. Select the Network tab and, in the Template drop-down, select T_DataCenter.
   b. Select Network > Interface and, in the Interface column, click the interface name.
   c. Select the Interface Type from the drop-down.
   d. In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name
      matches what is defined on the firewall.
   e. In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches
      what is defined on the firewall.
   f. Click OK to save your changes to the interface.
   g. Select Network > Zones, and select the zone you just created. Verify that the correct interface is attached
      to the zone.
   h. In the Zone Protection Profile drop-down, select the profile you created, then click OK.
6. Commit your template changes.
   a. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration
      on Panorama. Click OK.
   b. Click Commit, and select Template as the Commit Type to push your changes to the firewalls included in
      the selected template. Click OK.
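The SYN flood settings in step 4 define three thresholds (Alert, Activate, Maximum) that are easy to get in the wrong order or to set below a zone's normal traffic. The following Python example is added here and is not code from this guide or from PAN-OS. It encodes the semantics assumed for those tiers (log at or above Alert, apply the configured action at or above Activate, drop the SYNs above Maximum), validates their ordering, and runs the profile over a constructed per-second SYN sample so that a proposed profile can be sanity-checked against captured traffic before the template is pushed. The class and function names and the sample traffic are the example's own.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SynFloodProfile:
    """Flood Protection > SYN settings of the zone protection profile (example values)."""
    alert_pps: int = 100
    activate_pps: int = 1000
    maximum_pps: int = 10000
    action: str = "syn-cookies"   # the profile's Action, applied once the Activate rate is reached


def validate(profile):
    """The tiers only make sense when 0 < Alert <= Activate <= Maximum."""
    if not 0 < profile.alert_pps <= profile.activate_pps <= profile.maximum_pps:
        raise ValueError("thresholds must satisfy 0 < Alert <= Activate <= Maximum")
    return True


def classify_rate(profile, syn_pps):
    """Tier reached by an observed SYN rate (packets/second) for the zone.
    Assumed semantics: below Alert nothing happens; at or above Alert a threat log entry
    is generated; at or above Activate the configured action is applied; at or above
    Maximum the SYNs that exceed the maximum are dropped."""
    validate(profile)
    if syn_pps >= profile.maximum_pps:
        return "drop-excess"
    if syn_pps >= profile.activate_pps:
        return profile.action
    if syn_pps >= profile.alert_pps:
        return "alert"
    return "none"


def syn_rate_per_second(packets):
    """Count SYN-only segments (SYN set, ACK clear) per whole second.
    packets: iterable of (timestamp_seconds, tcp_flags) with flags such as "S" or "SA"."""
    counts = Counter()
    for ts, flags in packets:
        if "S" in flags and "A" not in flags:
            counts[int(ts)] += 1
    return dict(counts)


def tiers_over_time(profile, packets):
    """{second: tier}, so a proposed profile can be checked against captured traffic."""
    rates = syn_rate_per_second(packets)
    return {sec: classify_rate(profile, rates[sec]) for sec in sorted(rates)}


def _burst(second, n, flags="S"):
    """Constructed traffic: n segments spread evenly inside one second."""
    return [(second + i / n, flags) for i in range(n)]


# Constructed sample: a quiet second (the SYN-ACK replies do not count), a busy second,
# a burst that should engage SYN cookies, and a volume above the maximum.
SAMPLE = (_burst(0, 50) + _burst(0, 20, "SA")
          + _burst(1, 150) + _burst(2, 2000) + _burst(3, 12000))

if __name__ == "__main__":
    profile = SynFloodProfile()
    for sec, tier in tiers_over_time(profile, SAMPLE).items():
        print(f"second {sec}: {tier}")
```

Feeding a baseline capture from the datacenter zone into tiers_over_time and seeing "alert" on ordinary seconds is the signal that the Alert threshold is too low for that zone.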
Use Device Groups to Push Policies
TASK 3: Use Device Groups for managing the policies on your firewalls.
1. Create device groups and assign the appropriate firewalls to each device group. For the steps, see Create
   Device Group(s).
2. Create a shared pre-rule to allow DNS and SNMP services.
   a. Create a shared application group for the DNS and SNMP services.
      Select Objects > Application Group and click Add.
      Enter a name and select the Shared check box to create a shared Application Group object.
      Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp, snmp-trap.
      Click OK to create the application group.
   b. Create the shared policy.
      Select the Policies tab and, in the Device Group drop-down, select Shared.
      Select the Security > Pre-Rules policies rulebase.
      Click Add and enter a Name for the security policy rule.
      In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination
      Zone for the traffic.
      In the Applications tab, click Add, type the name of the applications group object you just created, and
      select it from the drop-down.
      In the Actions tab, set the Action to Allow, then click OK.
3. Define the corporate acceptable use policy for all offices. In this example, create a shared policy that
   restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4,
   or 5.
   a. Select the Policies tab and, in the Device Group drop-down, select Shared.
   b. Select Security > Pre-Rules, click Add, and in the General tab enter a Name for the security policy rule.
   c. In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination
      Zone.
   d. Define the application filter in the Application tab. Click Add and click New Application Filter in the
      footer of the drop-down. Enter a Name, and select the Shared check box. In the Risk column, select
      levels 3, 4, and 5. In the Technology column, select peer-to-peer. Click OK to save the new filter.
   e. In the Service/URL Category tab, URL Category section, click Add and select the categories you want to
      block (for example, streaming-media, dating, and online-personal-storage).
   f. You can also attach the default URL filtering profile. In the Actions tab, Profile Setting section, select
      the Profile Type option Profiles, and select the URL Filtering option default.
   g. Click OK to save the security pre-rule.
4. Allow Facebook for all users in the marketing group in the regional offices only.
   To enable security policy based on user and/or group, you must enable User-ID for each zone that
   contains users you want to identify. You must have set up User Identification on the firewall (refer to the
   PAN-OS Administrators Guide) and have defined a master firewall for the Device Group. The master
   firewall is the only firewall in the Device Group that gathers user and group mapping information for
   policy evaluation.
   a. Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
   b. Select the Security > Pre-Rules policies rulebase.
   c. Click Add and enter a Name for the security policy rule.
   d. In the User tab, select Select, click Add and, in the Source User section, select the marketing user group.
   e. In the Application tab, click Add, type Facebook, and then select it from the drop-down.
   f. In the Action tab, set the Action to Allow.
   g. In the Target tab, select the regional office firewalls and click OK.
5. Allow access to the Amazon cloud application for the specified hosts/servers in the datacenter.
   a. Create an address group object for the servers/hosts in the datacenter that need access to the Amazon
      cloud application.
      Select the Objects tab and, in the Device Group drop-down, select DG_DataCenter.
      Select Address Groups.
      Click Add and enter a Name for the address group object.
      Click Add and select New Address.
      To define the address object, enter a Name, select the Type, and specify a host IP address, IP Netmask,
      IP range, or FQDN. Click OK.
   b. Select the Policies tab and, in the Device Group drop-down, select DG_DataCenter.
      Select the Security > Pre-Rules policies rulebase.
      Click Add and enter a Name for the security policy rule.
      In the Source tab, Source Address section, click Add and select the address group you just defined.
      In the Application tab, click Add, type amazon, and select the Amazon applications from the list.
      In the Action tab, set the Action to Allow.
      Click OK.
6. To enable logging for all Internet-bound traffic on your network, create a rule that matches trust zone to
   untrust zone.
   a. Select the Policies tab and, in the Device Group drop-down, select Shared.
   b. Select the Security > Pre-Rules policies rulebase.
   c. Click Add and enter a Name for the security policy rule.
   d. In the Source and Destination tabs for the rule, click Add and select trust_zone as the Source Zone and
      untrust_zone as the Destination Zone.
   e. In the Action tab, set the Action to Deny, set the Log Setting to Log at Session end, and click OK.
Preview the Rules and Commit Changes
TASK 4: Preview your rules and commit your changes to Panorama, Device Groups, and Templates.
1. Select the Policies tab, and click Preview Rules. This preview enables you to visually evaluate how rules are
   layered for a particular rulebase.
2. Click Commit, select Panorama for the Commit Type, then click OK.
3. Click Commit, select Device Groups for the Commit Type, select the Include Device and Network Templates
   check box, then click OK.
4. In the device Context drop-down, select the managed firewall to access its web interface and confirm that
   Panorama applied the template and policy configurations.
Manage Log Collection
All Palo Alto Networks next-generation firewalls can generate logs that provide an audit trail of firewall
activities. To centrally monitor the logs and generate reports, you must forward the logs generated on the
managed firewalls to Panorama. You can then configure Panorama to aggregate the logs and forward them to
remote logging destinations. If you forward logs to a Panorama virtual appliance with a virtual disk or NFS
datastore, you do not need to perform any additional tasks to enable logging.
If you will forward logs to an M-100 appliance (either locally on an M-100 appliance in Panorama mode or to
a dedicated Log Collector, an M-100 appliance in Log Collector mode), you must perform some additional tasks
to enable log collection. You must add each Log Collector as a Managed Collector and create Collector Groups
to access, manage, and update the Log Collectors using Panorama. After you add and configure the Log
Collectors on Panorama, Panorama pushes the necessary configuration to the managed devices.
To determine which deployment best suits your needs, see Plan a Log Collection Deployment. The following
topics describe how to configure log collection.
Enable Log Forwarding to Panorama
Configure a Managed Collector
Manage Collector Groups
Verify Log Forwarding to Panorama
Modify Log Forwarding and Buffering Defaults
Enable Log Forwarding from Panorama to External Destinations
Log Collection Deployments
To manage the system and configuration logs that Panorama generates locally for itself, see
Monitor Panorama.
Enable Log Forwarding to Panorama
Log Forwarding to Panorama: Workflows by Log Type
Configure Log Forwarding to Panorama
Log Forwarding to Panorama: Workflows by Log Type
The workflow to Configure Log Forwarding to Panorama depends on the log type and whether the firewalls
will also forward logs directly to external services or forward logs from Panorama and then to external services:
If the firewalls will directly forward Syslog messages, email notifications, or SNMP traps to external services,
use the template Device > Server Profiles options to define a server profile for each external service. If the
firewalls will only forward logs to Panorama or a Log Collector, template server profiles are unnecessary. If
Panorama will forward the logs to external services, define server profiles using the Panorama > Server
Profiles options when you Enable Log Forwarding from Panorama to External Destinations. (For details
about these options, see Log Forwarding Options.)
Configure each log type for forwarding. For each type, you can specify whether to forward directly to
external services in addition to Panorama. When forwarding to Panorama is enabled in a distributed log
collection deployment, the log forwarding preference list determines to which Log Collectors the firewalls
send logs. While you can configure log forwarding manually on each firewall (refer to the PAN-OS
Administrators Guide), use device groups and templates on Panorama for a more streamlined workflow.
The specific Panorama workflow to enable log forwarding depends on the log types:
Traffic, threat, and WildFire logs: Use device groups to create a log forwarding profile (Objects > Log
Forwarding) for forwarding to Panorama and (if required) to an external service. For example, if you
will forward logs to a Syslog server, create a Syslog server profile using templates (Device > Server
Profiles > Syslog). The log forwarding profile uses the Syslog server profile to access the server. The
following table describes these logs and associated forwarding requirements.
Log type: Traffic Logs
Description and Forwarding Requirements: To forward traffic logs, set up a log forwarding profile and add it
to the security policies for which you want forwarding to occur. Firewalls only log and forward traffic that
matches a specific rule.
Log type: Threat Logs (includes URL Filtering Logs and Data Filtering Logs)
Description and Forwarding Requirements: To forward threat logs, create a log forwarding profile that
specifies which severity levels you want to forward and then add it to the security policies for which you want
forwarding to occur. You must also attach a security profile (Antivirus, Anti-spyware, Vulnerability, URL
Filtering, File Blocking, Data Filtering, or DoS Protection) to the security policy. Firewalls only create and
forward a threat log entry if the associated traffic matches a security profile.
Log type: WildFire Logs
Description and Forwarding Requirements: To forward WildFire logs (files submitted to WildFire for analysis),
specify whether to forward results with a verdict of benign or malicious.
System, config, and HIP match logs: Configure a template and select the Panorama check box to
enable forwarding to Panorama in the corresponding Device > Log Settings tab. You can also forward
these logs to external services. For example, to forward logs directly to traditional Syslog servers or to
Security Information and Event Management (SIEM) servers (for example, Splunk, Arcsight, or
Qradar) for archiving, use a template to define a Syslog server profile (Device > Server Profiles > Syslog).
The following table describes these logs and associated forwarding requirements.
Log type
Description and Forwarding Requirements
System Logs
System logs show system events such as HA failures, link status changes, and administrative
access to the firewall. For each severity level for which you want to forward logs, select
forwarding to Panorama and (if required) to an email server, SNMP trap server, or Syslog
server.
Config Logs
Configuration logs record changes to the firewall configurations. To enable forwarding of
config logs, you must select forwarding to Panorama and (if required) to an email server,
SNMP trap server, or Syslog server.
HIP Match Logs
To enable forwarding of Host Information Profile (HIP) match logs, you must select
forwarding to Panorama and (if required) to an email server, SNMP trap server, or Syslog
server.
PAN-OS uses HIP match logs to compile information on GlobalProtect clients. PAN-OS
generates a HIP match log when a firewall sends a HIP report and a HIP profile specifies
HIP objects (for example, OS version, patch level, disk encryption, and antivirus version)
that match on the firewall.
Configure Log Forwarding to Panorama

For details about the options and requirements associated with forwarding logs to Panorama, see Log
Forwarding to Panorama: Workflows by Log Type.
Step 1. (Optional) Create a server profile that contains the information for connecting to the external
service (a Syslog server, in this example). Skip this step if you will only Enable Log Forwarding from
Panorama to External Destinations instead of forwarding logs directly to external services.
1. Add a Template or, in the Device tab, select one in the Template drop-down.
2. Select Device > Server Profiles > Syslog.
3. Click Add and enter a Name for the profile.
4. (Optional) Select the virtual system to which this profile applies from the Location drop-down.
5. Click Add to add a new Syslog server entry and enter the information required to connect to the
   Syslog server (you can add up to four Syslog servers to the same profile):
   Name: Unique name for this Syslog server entry.
   Server: IP address or fully qualified domain name (FQDN) of the Syslog server.
   Transport: Select UDP, TCP or SSL as the transport medium. SSLv3 and TLSv1 are supported for
   Secure Syslog transport. UDP gives no delivery guarantee and, like TCP, carries the logs in
   cleartext; where the Syslog server supports it, use SSL with TLSv1 rather than SSLv3, which has
   known weaknesses.
   Port: The port number on which to send Syslog messages (default is 514 for UDP and 6514 for SSL);
   you must use the same port number on the firewall and the Syslog server.
   Format: To separate individual syslog messages in a TCP stream, the delimiter formats available are
   LF (Line Feed; BSD format, the default) and Message Length (IETF format, in which each message is
   prefixed with its length in octets).
   Facility: Select one of the Syslog standard values, which is used to calculate the priority (PRI)
   field in your Syslog server implementation. Select the value that maps to how you use the PRI field
   to manage your Syslog messages. The available facilities are: user, local0, local1, local2, local3,
   local4, local5, local6, and local7.
6. (Optional) To customize the format of the Syslog messages the firewall sends, select the Custom Log
   Format tab. For details on how to create custom formats for the various log types, refer to the
   Common Event Format Configuration Guide.
7. Click OK to save the server profile.
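The Format and Facility choices in the server profile determine how the firewall's messages sit in a TCP stream and what the receiving Syslog server must do to split them. The following Python is an added example, not PAN-OS or Palo Alto Networks code: it computes the PRI from a profile facility and severity, frames constructed log lines under both the LF (BSD) and Message Length (IETF, octet-counting) formats, and splits a TCP stream back into messages, including the partial-message case a socket reader always faces. The log bodies, hostname and timestamps are constructed; the first body carries an embedded newline to show why a receiver that splits on LF can be fed a forged message, while octet counting keeps the message whole.

```python
# Added example (not PAN-OS or Palo Alto Networks code): PRI computation and
# TCP framing for a Syslog server profile. All log text below is constructed.

# Facility codes from RFC 5424 section 6.2.1 (the subset the profile offers)
FACILITY = {"user": 1, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
# Severity codes from RFC 5424 section 6.2.1
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI value carried in the leading <N>: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def parse_pri(message: str) -> tuple:
    """Recover (facility code, severity code) from a message that starts with <N>."""
    end = message.find(">", 1)
    if not message.startswith("<") or end < 0 or not message[1:end].isdigit():
        raise ValueError("message has no PRI header")
    value = int(message[1:end])
    return value // 8, value % 8


def build_message(facility: str, severity: str, timestamp: str, hostname: str, text: str) -> str:
    """BSD-style header: <PRI>timestamp hostname text."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {text}"


def frame(message: str, fmt: str) -> bytes:
    """Frame one message for a TCP stream.
    'bsd'  = LF delimiter (the profile default)
    'ietf' = Message Length, RFC 6587 octet counting: "<len> <message>"
    """
    body = message.encode("utf-8")
    if fmt == "bsd":
        return body + b"\n"
    if fmt == "ietf":
        return str(len(body)).encode("ascii") + b" " + body
    raise ValueError(f"unknown framing {fmt!r}")


def split_stream(buffer: bytes, fmt: str) -> tuple:
    """Receiver side: return (complete messages, unconsumed tail).
    The tail is a partial message still waiting for more bytes from the socket."""
    messages = []
    if fmt == "bsd":
        while b"\n" in buffer:
            line, _, buffer = buffer.partition(b"\n")
            messages.append(line.decode("utf-8", "replace"))
        return messages, buffer
    if fmt == "ietf":
        while True:
            space = buffer.find(b" ")
            if space <= 0 or not buffer[:space].isdigit():
                return messages, buffer          # length prefix not complete yet
            start = space + 1
            end = start + int(buffer[:space])
            if len(buffer) < end:
                return messages, buffer          # message body not complete yet
            messages.append(buffer[start:end].decode("utf-8", "replace"))
            buffer = buffer[end:]
    raise ValueError(f"unknown framing {fmt!r}")


# Constructed TRAFFIC-style log bodies (not real PAN-OS logs). The first one has
# a newline inside a field, as a URL or username under attacker influence might.
SMUGGLED = ("1,2016/01/15 10:00:00,001234567890,TRAFFIC,end,web-browsing\n"
            "<134>Jan 15 10:00:00 fw1 forged,allow")
SECOND = "1,2016/01/15 10:00:01,001234567890,TRAFFIC,end,ssl,deny"


def demo(fmt: str) -> list:
    """Send two messages under the given framing and return what the receiver sees."""
    wire = (frame(build_message("local0", "informational", "Jan 15 10:00:00", "fw1", SMUGGLED), fmt)
            + frame(build_message("local0", "warning", "Jan 15 10:00:01", "fw1", SECOND), fmt))
    messages, tail = split_stream(wire, fmt)
    assert tail == b""                           # both frames were complete
    return messages


if __name__ == "__main__":
    for framing in ("bsd", "ietf"):
        print(framing, len(demo(framing)), "message(s) received")
```

With LF framing the receiver reports three messages, the middle one a forged <134> line that the sender never emitted as a message of its own; with Message Length framing it reports two. When a logged field can carry text an attacker influences, prefer the Message Length format wherever the Syslog server supports octet counting, and have the collector validate the PRI and timestamp of every message rather than trusting line boundaries.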
Step 2. Set up a log forwarding profile for traffic, threat, and WildFire logs. Threat logs include URL
Filtering and Data Filtering logs. Firewalls forward the logs based on the severity levels for which you
enable forwarding in the profile.
1. Add a Device Group or, in the Objects tab, select one in the Device Group drop-down.
2. Select Objects > Log Forwarding.
3. Click Add and enter a Name for the Log Forwarding Profile.
4. (Optional) Select the Shared check box to share this profile across all managed firewalls.
5. Select the Panorama check box for the severity levels for which you would like to enable log
   forwarding.
6. (Optional) Select the server profile for forwarding to a syslog server. Ensure the firewall (or
   virtual system) is included in the device group and that the template in which you configured a
   server profile is applied to the firewall (or virtual system).
7. Click OK.

Step 3. Enable log forwarding for System, Config, and HIP Match logs. With the same template selected,
optionally select the log types that you would like to forward:
- For System logs, select Device > Log Settings > System and select the link for each Severity, enable
  forwarding to Panorama, and select the server profile to use for forwarding to the Syslog server.
- For Config logs, select Device > Log Settings > Config and edit the Log Settings - Config section to
  enable forwarding to Panorama and select the server profile to use for forwarding to the Syslog server.
- For HIP Match logs, select Device > Log Settings > HIP Match and edit the Log Settings - HIP Match
  section to enable forwarding to Panorama and select the server profile to use for forwarding to the
  Syslog server.
Step 4. (Optional) Schedule log exports to an SCP or an FTP server. For Traffic, Threat, URL Filtering,
Data Filtering, HIP Match, and WildFire logs, you can schedule log export using Panorama templates.
If you plan to use SCP, after pushing the template you must log in to each managed device, open the
scheduled log export, and click the Test SCP server connection button. The connection is not
established until the firewall accepts the host key for the SCP server. Before you accept the host key,
confirm it out of band with the SCP server administrator; an unverified key could belong to an impostor
that would then receive the exported logs. FTP sends the credentials and the logs in cleartext, so
prefer SCP unless the FTP server is reachable only over a network you trust.
1. In the Device tab, select a Template from the drop-down.
2. Select Device > Scheduled Log Export and click Add.
3. Enter a Name for the scheduled log export and Enable it.
4. Select the Log Type to export. To schedule exports for multiple types, you must schedule a log
   export for each type.
5. Select the daily Scheduled Export Start Time. The options are in 15-minute increments for a
   24-hour clock (00:00 - 23:59).
6. Select the Protocol to export the logs: SCP (secure) or FTP. For FTP, you have the option to
   Enable FTP Passive Mode.
7. Enter the Hostname or IP address of the server.
8. Define the following details if the server requires them for the firewall to connect:
   a. Enter the Port number. By default, FTP uses port 21 and SCP uses port 22.
   b. Enter the Path or directory in which to save the exported logs.
   c. Enter the Username and Password (and Confirm Password) to access the server.
9. Click OK.

Step 5. Save all the configuration changes.
1. Click Commit, and select Panorama as the Commit Type to save the changes to the running
   configuration on Panorama.
2. Click Commit, and select Template as the Commit Type to push the changes to the firewalls included
   in the selected template.
3. Click Commit, and select Device Groups as the Commit Type to push the changes to the firewalls
   included in the selected device group.
Configure a Managed Collector
To enable Panorama (virtual appliance or an M-100 appliance in Panorama mode) to manage Log Collectors,
you must add each Log Collector as a Managed Collector.
If you forward logs to an M-100 appliance in Panorama mode, the default Log Collector that is local to the
appliance is added during the manufacturing process. However, if you Migrate from a Panorama Virtual
Appliance to an M-100 Appliance, the default Log Collector does not appear; you must re-configure the Log
Collector.
To configure a dedicated Log Collector (M-100 appliance in Log Collector mode), start at Step 1. To configure
a local Log Collector (local to the M-100 appliance in Panorama mode), start at Step 4. Skip any steps you have
already performed (for example, the initial setup).
Step 1. (Dedicated Log Collector only) Perform initial setup of the M-100 appliance in Log Collector
mode.
1. Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-100 Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.

Step 2. (Dedicated Log Collector only) Switch from Panorama Mode to Log Collector Mode. Switching
the mode of an M-100 appliance removes all its existing logs.
1. Log in to the Panorama CLI of the M-100 appliance.
2. Enter the command request system logger-mode logger, then enter Yes to confirm the change to Log
   Collector mode. The appliance will reboot.
After the switch, the M-100 appliance retains CLI access but loses its Panorama configuration and has
no web interface access.

Step 3. (Dedicated Log Collector only) Optionally, Increase Storage on the M-100 Appliance for each
dedicated Log Collector that requires more than the default 1 TB of storage. This example uses the
drives in disk bays B1 and B2. In the dedicated Log Collector CLI, enter the following commands and
confirm the request when prompted:
request system raid add B1
request system raid add B2
Step 4. Enable connectivity among the M-100 appliances. The commands you enter depend on the Log
Collector type:
Dedicated Log Collectors:
a. In the CLI of each Log Collector, enter the following commands, where <IPaddress1> represents the
   management interface of the primary (HA) or solitary (non-HA) Panorama.
   set deviceconfig system panorama-server <IPaddress1>
   commit
b. In a high availability (HA) deployment, also enter the following commands, where <IPaddress2>
   represents the management interface of the secondary Panorama.
   set deviceconfig system panorama-server-2 <IPaddress2>
   commit
Local Log Collectors: Perform the following steps only if Panorama has an HA configuration.
a. In the CLI of the primary Panorama, enter the following commands, where <IPaddress2> represents
   the management interface of the secondary Panorama.
   set deviceconfig system panorama-server <IPaddress2>
   commit
b. In the CLI of the secondary Panorama, enter the following commands, where <IPaddress1> represents
   the management interface of the primary Panorama.
   set deviceconfig system panorama-server <IPaddress1>
   commit
Step 5. Record the serial number of the Log Collector. You will need this when you add the Log
Collector as a Managed Collector. The step to display the serial number depends on the Log Collector
type:
Local: Use the serial number of the M-100 appliance that is in Panorama mode: access the Panorama web
interface and record the value on the Dashboard tab, General Information section, Serial # field. In a
high availability (HA) deployment, you can configure a local Log Collector on each peer M-100
appliance in Panorama mode. Each peer will have a unique serial number.
Dedicated: Use the serial number of the M-100 appliance that is in Log Collector mode: access the Log
Collector CLI and enter the show system info command.
Step 6. Configure the general parameters of the Log Collector. Use the web interface of the Panorama
management server to perform the following steps:
1. Select Panorama > Managed Collectors.
2. Click Add to define a new Log Collector or click the Name of an existing one to edit it. The M-100
   appliance in Panorama mode has a pre-configured Log Collector named default.
3. In the General tab, Collector S/N field, enter the serial number you recorded in Step 5.
The remaining steps depend on your deployment:
- Proceed to Step 7 if you are adding a dedicated Log Collector (M-100 appliance in Log Collector
  mode) or you are adding a Log Collector that is local on the secondary M-100 appliance in Panorama
  mode (in an HA deployment).
- Skip to Step 10 if the Log Collector you are adding is local on the solitary (non-HA) or primary (HA)
  M-100 appliance in Panorama mode.
Step 7
Configure network access for the Log
Collector.
Although you specified the following details during initial
configuration of the M-100 appliance, you must re-enter the
information on the General tab; Panorama does not auto-populate
the fields.
1. In the Panorama Server IP field, enter the IP address or
FQDN of the Panorama management server that will manage
the Log Collector. If Panorama has an HA configuration, enter
the IP address or FQDN of the secondary peer in the
Panorama Server IP 2 field.
The preceding fields are required.
2. Configure the IP addresses of the Primary DNS Server and
Secondary DNS Server.
3. (Optional) Set the Timezone that Panorama will use to record
log entries.
The remaining steps depend on your deployment:
Proceed to Step 8 if you are adding a dedicated Log Collector.
Skip to Step 10 if the Log Collector you are adding is local on the
secondary M-100 appliance in Panorama mode.
Step 8. (Dedicated Log Collector only) Configure administrative access to the Log Collector. The default
user is admin. You cannot modify this username nor add administrative users on the Log Collector.
1. In the Authentication tab, select the password Mode, then enter the Password (the default is admin).
   Because the username is fixed and well known, set a strong password here; do not leave the default
   in place.
2. Enter the number of Failed Attempts to log in that a user can commit before Panorama locks out that
   user from accessing the Log Collector, and enter the Lockout Time interval in minutes.
Step 9. (Dedicated Log Collector only) Configure the Log Collector interfaces. Configure the following
settings on each tab associated with an interface the Log Collector will use: Management (MGT), Eth1,
and/or Eth2. The Eth1 or Eth2 interfaces are only available if you defined them during the task Perform
Initial Configuration of the M-100 Appliance. The MGT interface is required.
1. Complete one of the following field sets, depending on the IP protocol of your network:
   IPv4: IP Address, Netmask, and Default Gateway
   IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
   The preceding fields are required.
2. (Optional) Select the services that the interface supports. By default, Ping is selected for the
   MGT, Eth1, and Eth2 interfaces. The MGT interface also supports SSH (selected by default) and SNMP
   (cleared by default).
3. (Optional) To restrict access to an interface, click Add and enter one or more IP addresses in the
   Permitted IP Addresses list. If you leave the list blank, Panorama does not restrict access. If you
   add any entries, only the specified IP addresses can access the interface, so be sure to add the
   addresses of the Panorama management server. Leaving the list blank exposes the SSH service to every
   host that can reach the interface; restrict it to the Panorama management server(s) and the
   administrative hosts that need it.
4. Click OK.

Step 10. (Optional) Enable any additional RAID disk pairs for logging. To enable additional disk pairs,
you must have performed Step 3.
1. In the Disks tab, click Add.
2. Select each additional disk pair from the drop-down.
3. Click OK to make the disk pair available for logging.
Step 11. (Optional) Select the interfaces that the Log Collector will use for Device Log Collection and
Collector Group Communication. The M-100 appliance uses the MGT (Management) interface by default.
The Eth1 or Eth2 interfaces are only available if you configured them in the corresponding tabs.
Return to the General tab and select the interfaces that the Log Collector will use for Device Log
Collection and Collector Group Communication.
Step 12. Commit and (optionally) verify your changes.
1. Click Commit, select Panorama as the Commit Type, then click OK.
2. In the Panorama > Managed Collectors page, verify that the grid lists the Log Collector you added.
   The Connected column displays a check mark icon to indicate that the Log Collector is connected to
   Panorama.
3. If you enabled additional disk pairs, click the Statistics link in the last column to open a window
   that displays the status of the disks.
Palo Alto Networks recommends that you install the same Applications and Threats database version on
Panorama as on the managed firewalls and Log Collectors. Panorama uses the Applications and Threats
database to retrieve metadata for processing reports that you initiate from Panorama or managed
devices. If a Log Collector does not have the database installed, the complete dataset required for the
report might not be available and the information displayed might be incomplete or inaccurate. For
details, see Deploy Updates to Devices Using Panorama.
Manage Collector Groups
After adding Log Collectors as Managed Collectors, you must assign them to Collector Groups and assign
managed firewalls to the Log Collectors. This enables Panorama to access, manage, and update the Log
Collectors.
If you forward logs to an M-100 appliance in Panorama mode, Palo Alto Networks pre-configures a default
Collector Group that contains the default local Log Collector. However, if you Migrate from a Panorama Virtual
Appliance to an M-100 Appliance, the default Log Collector and Collector Group do not appear; you must
manually add the Log Collector and then the Collector Group.
While a Collector Group can have multiple Log Collectors, Palo Alto Networks recommends assigning only
one. However, if any firewall generates more than 4TB of logs for the required storage period, you must assign
multiple Log Collectors to the Collector Group that receives those logs. To understand the risks and
recommended mitigations, see Caveats for a Collector Group with Multiple Log Collectors.
If you delete a Collector Group, you will lose logs.
Configure a Collector Group
Move a Log Collector to a Different Collector Group
Remove a Firewall from a Collector Group
Configure a Collector Group

Step 1. (Optional) Configure the SNMP management software for monitoring Log Collectors. You can use
SNMP to collect the following information about the Log Collector: connection status, disk drive
statistics, software version, average CPU, average logs/second, and log storage duration for each log
type.
Load all the PAN-OS MIB files into your SNMP management software and, if necessary, compile them.
Refer to your Simple Network Management Protocol (SNMP) manager documentation for the specific steps.
Step 2. (Optional) Enable Log Forwarding from Panorama to External Destinations.
1. Log in to the Panorama Web Interface.
2. Create one or more server profiles, depending on the external services to which you will forward
   logs:
   SNMP: Panorama > Server Profiles > SNMP Trap
   Syslog: Panorama > Server Profiles > Syslog
   Email: Panorama > Server Profiles > Email
3. To forward system logs that Panorama and the dedicated Log Collectors generate, select Panorama >
   Log Settings > System and assign server profiles for each Severity level.
4. To forward configuration logs that Panorama and the dedicated Log Collectors generate, select
   Panorama > Log Settings > Config and assign the server profiles.
You assign server profiles to all the log types that firewalls generate in Step 11.

Step 3. Add a Firewall as a Managed Device. Perform this step for all the firewalls you will assign to
the Collector Group.
1. In the Panorama web interface, select Panorama > Managed Devices and click Add.
2. Enter the serial number of each firewall (one line per serial number), then click OK.

Step 4. Configure a Managed Collector. Perform this step for each Log Collector you will assign to a
Collector Group.
If you forward logs to a dedicated Log Collector (M-100 appliance in Log Collector mode), you must
manually add a Managed Collector before you add a Collector Group.
If you forward logs to a local Log Collector (local to an M-100 appliance in Panorama mode), Palo Alto
Networks pre-configures a default local Log Collector. However, if you Migrate from a Panorama Virtual
Appliance to an M-100 Appliance, the default Log Collector does not appear; you must manually add the
Log Collector.
If you will use SNMP for monitoring, select the SNMP service when you configure the MGT (Management)
interface of each Log Collector (see Step 9 under Configure a Managed Collector).
Step 5. Add the Collector Group or edit an existing one.
1. In the Panorama web interface, select Panorama > Collector Groups.
2. Click Add to define a new Collector Group or click the Name of an existing group to edit it. The
   M-100 appliance in Panorama mode has a pre-configured Collector Group named default.
3. In the General tab, if you are adding a new Collector Group, enter a Name for it. You cannot edit
   the name of an existing Collector Group.
Step 6
Configure the log retention period.
In the General tab, Minimum Retention Period field, enter the
number of days (1-2000) for which Panorama will retain the logs of
the firewalls you assign to this Collector Group. When the current
date minus the oldest log date is less than the defined minimum
retention period, Panorama generates a system log. Panorama
generates an alert within a day of the logs reaching the retention
period.
Step 7. (Optional) Configure SNMP monitoring for the Log Collectors. Step 1 is a prerequisite.
1. In the Monitoring tab, enter a text string to describe the physical Location of the Collector Group.
2. Add the email address of an administrative Contact.
3. Select the SNMP Version and enter the corresponding details as follows. The authentication settings
   (community string for V2c or usernames and passwords for V3) you specify must match the values
   configured in the SNMP manager.
   V2c: Enter the SNMP Community String that enables the SNMP manager to access the SNMP agent on the
   Collector Group. The default value is public. However, this is a well-known community string, so it
   is a best practice to change the value to one that is not easily guessed. V2c also sends the
   community string in cleartext with every request and provides no integrity protection, so prefer
   V3 wherever the SNMP manager supports it.
   V3: To use SNMPv3, you must add at least one view and one user:
   View: Specify which management information the SNMP manager can access. To enable access to all
   management information, enter the top-level OID of .1.3.6.1 and specify the Option as include (you
   can also create views that exclude certain objects). Use 0xf0 as the Mask.
   User: For each View you added, specify the Auth Password (authentication password) and Priv
   Password (private password).
Step 8. Assign Log Collectors to the Collector Group.
1. In the Device Log Forwarding tab, Collector Group Members section, click Add.
2. In the drop-down, select the Log Collectors you want to assign to the group.
Step 9. Assign the firewalls that will forward logs to the Collector Group. You cannot assign firewalls
running PAN-OS 4.x to a dedicated Log Collector; they must send logs to a Panorama virtual appliance or
an M-100 appliance in Panorama mode. Only firewalls running PAN-OS 5.x or later can send logs to a
dedicated Log Collector.
1. In the Device Log Forwarding tab, Log Forwarding Preferences section, click Add.
2. In the Devices section, click Modify, select the firewalls you want to assign to the Collector
   Group, then click OK.
3. In the Collectors section, click Add and select the Log Collectors to which the firewalls will
   forward logs. If you assign multiple Log Collectors, the first one will be the primary; only if the
   primary becomes unavailable will the firewalls send logs to the next Log Collector in the list. To
   change the priority of a Log Collector, select it and click Move Up (higher priority) or Move Down
   (lower priority).
4. When you finish assigning Log Collectors to the firewalls, click OK.
Step 10. Allocate the desired storage capacity (log quotas) for each log type (traffic, threat, config,
system, etc.).
1. Return to the General tab and click the Log Storage value. This field does not display a value
   unless you assigned Log Collectors to the Collector Group. If after assigning Log Collectors the
   field reads 0MB, verify you enabled the disk pairs for logging and committed the changes (see Step
   10 under Configure a Managed Collector).
2. Enter the Quota(%) for each log type. When you change a percentage value, the page refreshes to
   display the corresponding absolute value (Quota GB/MB column) based on the total storage allotted
   to the Collector Group. If you must undo your changes and reset the quotas to the factory defaults,
   click Restore Defaults at the bottom right of the page.
Step 11. (Optional) Configure log forwarding from the Collector Group to external services. Step 2
(create server profiles) is a prerequisite. Using device groups (Objects > Log Forwarding) and
templates (Device > Log Settings), you can also send firewall logs to external services directly
(before aggregating the logs in Collector Groups). For details, see Enable Log Forwarding to Panorama.
1. Select the Collector Log Forwarding tab.
2. In the tab of each log type, select a server profile for each desired service (SNMP Trap, Email
   Profile, or Syslog Profile) to which you want to forward logs. In the System and Threat tabs, select
   profiles for each Severity level. In the WildFire tab, select profiles for each Verdict (Benign or
   Malicious).
Step 12. Commit the changes and (optionally) verify that the Log Collectors you assigned to the
Collector Group are connected to, and synchronized with, Panorama.
1. Click OK and Commit, select Panorama as the Commit Type, then click OK.
2. Click Commit, select Collector Group as the Commit Type, select the Collector Group you added, then
   click OK.
3. Select Panorama > Managed Collectors. The Connected column displays a check mark icon to indicate
   that a Log Collector is connected to Panorama. The Configuration Status column indicates whether the
   configurations you committed to Panorama and the Log Collectors are (green icon) or are not (red
   icon) synchronized with each other.
Palo Alto Networks recommends that you install the same
Applications and Threats database version on Panorama as
on the managed firewalls and Log Collectors. Panorama uses
the Applications and Threats database to retrieve metadata
for processing reports that you initiate from Panorama or
managed devices. If a Log Collector does not have the
database installed, the complete dataset required for the
report might not be available and the information displayed
might be incomplete or inaccurate. For details, see Deploy
Updates to Devices Using Panorama.
Move a Log Collector to a Different Collector Group
When you Plan a Log Collection Deployment, you assign Log Collectors to a Collector Group based on the
logging rate and log storage requirements of that Collector Group. If the rates and required storage increase in
a Collector Group, the best practice is to Increase Storage on the M-100 Appliance or Configure a Collector
Group with additional Log Collectors. However, in some deployments, it might be more economical to move
Log Collectors between Collector Groups.
The log data on a Log Collector becomes inaccessible after you remove it from a Collector Group.
Also, you must perform a factory reset on the Log Collector before adding it to another Collector
Group; a factory reset removes all configuration settings and logs.
When a Log Collector is local to an M-100 appliance in Panorama mode, move it only if the M-100
appliance is the passive peer in a high availability (HA) configuration. HA synchronization will
restore the configurations that the factory reset removes. Never move a Log Collector when it is
local to an M-100 appliance that is the active HA peer.
Step 1. Remove the Log Collector from Panorama management.
1. Select Panorama > Collector Groups and select the Collector Group that contains the Log Collector
   you will move.
2. Select the Device Log Forwarding tab and, in the Log Forwarding Preferences list, perform the
   following steps for each set of firewalls assigned to the Log Collector you will move:
   a. In the Devices column, click the link for the firewalls assigned to the Log Collector.
   b. In the Collectors column, select the Log Collector and click Delete. To reassign the firewalls,
      Add the new Log Collector to which they will forward logs.
   c. Click OK twice to save your changes.
3. Select Panorama > Managed Collectors, select the Log Collector you will move, and click Delete.
4. Click Commit, for the Commit Type select Panorama, and click OK.
5. Click Commit, for the Commit Type select Collector Group, select the Collector Group from which you
   deleted the Log Collector, and click OK.

Step 2. Reset the Log Collector to its factory default settings.
1. Log in to the CLI of the Log Collector.
2. Enter the following CLI command:
   debug system maintenance-mode
   The Log Collector will reboot in maintenance mode.
3. After the Log Collector reboots, press Enter to access the maintenance mode menu.
4. Select Factory Reset and press Enter.
5. Select Factory Reset and press Enter again. The Log Collector will reboot, after which it won't have
   any configuration settings or log data. The default username and password to log in to the Log
   Collector is admin/admin; change the password as part of the initial configuration that follows.

Step 3. Reconfigure the Log Collector.
1. Perform Initial Configuration of the M-100 Appliance.
2. Register Panorama and Install Licenses.
3. Install Content and Software Updates for Panorama.
4. Switch from Panorama Mode to Log Collector Mode.
5. Configure a Managed Collector.
Step 4. Configure a Collector Group. Add the Log Collector to its new Collector Group and assign
firewalls to the Log Collector.
When you commit the Collector Group configuration, Panorama starts redistributing logs across the Log
Collectors. This process can take hours for each terabyte of logs. During the redistribution process,
the maximum logging rate is reduced.
Remove a Firewall from a Collector Group
In a distributed log collection deployment, where you have dedicated Log Collectors, if you need a device to
send logs to Panorama instead of sending logs to the Collector Group, you must remove the device from the
Collector group.
When you remove the device from the Collector Group and commit the change, the device will automatically
send logs to Panorama instead of sending them to a Log Collector.
1. Select the Panorama > Collector Groups tab.
2. Click the link for the desired Collector Group, and select the Device Log Forwarding tab.
3. In the Log Forwarding Preferences section, select the device that you would like to remove from the
   list, click Delete, and click OK.
4. Click Commit, for the Commit Type select Panorama, and click OK.
5. Click Commit, for the Commit Type select Collector Group, and click OK.
To temporarily remove the log forwarding preference list on the device, you can delete it using the
CLI on the device. You must, however, also remove the firewall from the Collector Group configuration
on Panorama. Otherwise, the next time you commit changes to the Collector Group, the device will be
reconfigured to send logs to the assigned Log Collector.
Verify Log Forwarding to Panorama
Now that you have added the Log Collector(s) as Managed Collectors, created and configured the Collector
Group and assigned the managed firewalls to forward logs to the specified Collector Group, you can test that
your configuration was successful.
Verify Log Forwarding to Panorama
Step 1 On the managed firewall, check that the firewall has the Log Forwarding Preference list and is forwarding logs to the configured Log Collector. You cannot view this information from the web interface on the firewall.
1. Access the CLI on the firewall.
2. Enter the following commands:
   show log-collector preference-list
   If you have assigned only one Log Collector to the Collector Group, the onscreen output will look something like this:
   Log collector Preference List
   Serial Number: 003001000024
   IP Address:10.2.133.48
   show logging-status
   The onscreen output will look something like this:
Step 2 On Panorama, verify the log collection rate.
Click the Statistics link in the Panorama > Managed Collectors tab to view the average logs/second being received by Panorama.
Modify Log Forwarding and Buffering Defaults
You can define the log forwarding mode that the firewalls use to send logs to Panorama and when configured
in a high availability configuration, specify which Panorama peer can receive logs. To access these options, select
Panorama > Setup > Management, edit the Logging and Reporting Settings, and select the Log Export and
Reporting tab.
Define the log forwarding mode on the firewall: The firewalls can forward logs to Panorama (pertains to
both the M-100 appliance and the Panorama virtual appliance) in either Buffered Log Forwarding mode or
in the Live Mode Log Forwarding mode.
Logging Options and Description
Buffered Log Forwarding from Device
Allows each managed firewall to buffer logs and send the logs at 30-second intervals to Panorama (not user configurable).
Default: Enabled
Buffered log forwarding is very valuable when the firewall loses connectivity to Panorama. The firewall buffers log entries to its local hard disk and keeps a pointer to record the last log entry that was sent to Panorama. When connectivity is restored the firewall resumes forwarding logs from where it left off.
The disk space available for buffering depends on the log storage quota for the platform and the volume of logs that are pending roll over. If the firewall was disconnected for a long time and the last log forwarded was rolled over, all the logs from its local hard disk will be forwarded to Panorama on reconnection. If the available space on the local hard disk of the firewall is consumed, the oldest entries are deleted to allow logging of new events.
Live Mode Log Forwarding from Device
In live mode, the managed firewall sends every log transaction to Panorama at the same time as it records it on the firewall.
This option is enabled when the check box for Buffered Log Forwarding from Device is cleared.
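The buffering behaviour described above, modelled as an added example (illustrative code written for this guide, not Palo Alto Networks code): a local FIFO buffer with a pointer to the last entry Panorama received, the oldest entries deleted when the buffer is full, and a reconnection that either resumes from the pointer or, if the pointer has been rolled over, forwards everything still on disk. The buffer capacity and the events are constructed values.

```python
"""Model of Buffered Log Forwarding from Device (added example, not vendor code)."""
from collections import deque


class BufferedForwarder:
    """Firewall-side model: local disk buffer plus a last-sent pointer."""

    def __init__(self, disk_capacity: int) -> None:
        self.disk_capacity = disk_capacity  # constructed: max entries on local disk
        self.disk = deque()                 # (seq, event), oldest entry on the left
        self.next_seq = 0                   # sequence number of the next log written
        self.sent_pointer = -1              # seq of the last entry Panorama received
        self.rolled_over = 0                # entries deleted to make room for new ones

    def record(self, event: str) -> int:
        """Write a log locally; delete the oldest entry if the disk is full."""
        seq = self.next_seq
        self.next_seq += 1
        if len(self.disk) >= self.disk_capacity:
            self.disk.popleft()
            self.rolled_over += 1
        self.disk.append((seq, event))
        return seq

    def pending(self) -> list:
        """Entries still to forward.

        If the pointer refers to an entry that has already been rolled over,
        it no longer locates anything on disk, so everything on disk is sent
        (the long-disconnection case the table describes).
        """
        oldest_seq = self.disk[0][0] if self.disk else self.next_seq
        if self.sent_pointer < oldest_seq - 1:
            return list(self.disk)
        return [(s, e) for s, e in self.disk if s > self.sent_pointer]

    def flush(self, panorama: "PanoramaSink", connected: bool) -> int:
        """One 30-second interval: forward pending entries if connected."""
        if not connected:
            return 0
        batch = self.pending()
        for seq, event in batch:
            panorama.receive(seq, event)
            self.sent_pointer = seq
        return len(batch)


class PanoramaSink:
    """Receiving side; only records what arrived."""

    def __init__(self) -> None:
        self.received = []

    def receive(self, seq: int, event: str) -> None:
        self.received.append((seq, event))


def simulate(disk_capacity: int, outage_events: int) -> dict:
    """Forward three logs, lose connectivity for outage_events writes, reconnect.

    Returns counts showing whether the outage outlasted the local buffer.
    """
    fw = BufferedForwarder(disk_capacity)
    pan = PanoramaSink()
    for i in range(3):
        fw.record(f"constructed event {i}")
    fw.flush(pan, connected=True)           # three entries sent, pointer = 2
    for i in range(outage_events):
        fw.record(f"constructed outage event {i}")
        fw.flush(pan, connected=False)      # buffered locally, nothing sent
    resent = fw.flush(pan, connected=True)  # connectivity restored
    seqs = [s for s, _ in pan.received]
    return {
        "forwarded_on_reconnect": resent,
        "rolled_over": fw.rolled_over,
        "lost": fw.next_seq - len(pan.received),
        "duplicates": len(seqs) - len(set(seqs)),
    }


if __name__ == "__main__":
    print(simulate(disk_capacity=5, outage_events=2))   # short outage: nothing lost
    print(simulate(disk_capacity=5, outage_events=10))  # long outage: oldest entries lost
```

The second run shows the trade-off the table implies: once the buffer rolls over, the entries deleted on the firewall never reach Panorama, so the local log quota bounds how long an outage can be survived without loss.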
Define log forwarding preference on a Panorama virtual appliance that is in a high availability (HA)
configuration:
When logging to a virtual disk, enable logging to the local disk on the Active-Primary Panorama peer
only. By default, both Panorama peers in the HA configuration receive logs.
When logging to an NFS, enable the firewalls to send only newly generated logs to a secondary
Panorama peer, which is promoted to primary, after a failover.
Logging Options, Pertains to, and Description
Only Active Primary Logs to Local Disk
Pertains to: Panorama virtual appliance that is logging to a virtual disk and is set up in a high availability (HA) configuration.
Description: Allows you to configure only the Active-Primary Panorama peer to save logs to the local disk.
Default: Disabled
Get Only New Logs on Convert to Primary
Pertains to: Panorama virtual appliance that is mounted to a Network File System (NFS) datastore and is set up in a high availability (HA) configuration.
Description: With NFS logging, when you have a pair of Panorama servers configured in a high availability configuration, only the primary Panorama peer mounts the NFS datastore. Therefore, the firewalls can only send logs to the primary Panorama peer, which can write to the NFS datastore.
Default: Disabled
When an HA failover occurs, the Get Only New Logs on Convert to Primary option allows an administrator to configure the managed firewalls to send only newly generated logs to Panorama. This event is triggered when the priority of the active-secondary Panorama is promoted to primary and it can begin logging to the NFS. This behavior is typically enabled to prevent the firewalls from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time.
Enable Log Forwarding from Panorama to External Destinations
Panorama allows you to forward aggregated logs, email notifications, and SNMP traps to external servers.
Forwarding logs from Panorama reduces the load on the firewalls and provides a reliable and streamlined
approach to combine and forward syslogs/SNMP traps/email notifications to remote destinations.
Use the following table to configure log forwarding from Panorama:
Table: Log Forwarding from Panorama to External Destinations
Platform/Deployment: Panorama virtual appliance
   Forward Panorama Logs: To forward Panorama logs, select Panorama > Log Settings > System and Panorama > Log Settings > Config.
   Forward Firewall Logs: To forward firewall logs, select Panorama > Log Settings and select the tab for each log type: System, Config, HIP Match, Traffic, Threat, and WildFire.
Platform/Deployment: Distributed Log Collection Deployment with a Panorama M-100 appliance with default Collector and/or Managed Collectors, or a Panorama virtual appliance with Managed Collectors
   Forward Panorama Logs: To forward both Panorama local logs and Managed Collector logs, select Panorama > Log Settings > System and Panorama > Log Settings > Config.
   Forward Firewall Logs: To forward firewall logs that Panorama aggregates on a Collector Group, select Panorama > Collector Groups, select a Collector Group, select the Collector Log Forwarding tab, and select the tab for each log type: System, Config, Traffic, Threat, HIP Match, and WildFire.
To forward firewall logs from Panorama, you must have completed the task Enable Log
Forwarding to Panorama.
On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use Secure
Copy (SCP) commands from the CLI to export the entire log database to an SCP server and
import it to another Panorama virtual appliance: refer to the PAN-OS Command Line Interface
(CLI) Reference Guide. A Panorama virtual appliance running Panorama 6.0 or later releases,
and M-Series appliances running any release, do not support these options because the log
database on those platforms is too large for an export or import to be practical.
Enable Log Forwarding from Panorama to External Destinations
Step 1 Set up server profiles for each external destination to which you want to forward logs.
1. Set up one or more of the following server profiles:
   a. SNMP: Select Panorama > Server Profiles > SNMP Trap.
   b. Email: Select Panorama > Server Profiles > Email.
   c. Syslog: Select Panorama > Server Profiles > Syslog.
   To forward logs to a syslog server, you can configure the transport medium to use UDP, TCP or SSL.
   By default, the header format for each syslog entry uses the FQDN (hostname and domain name), if configured, of the appliance that forwards the logs (Panorama or a Managed Collector). The log data includes the unique identifier of the firewall that generated the log entry. Choosing the header format provides more flexibility in filtering and reporting on the log data for some Security Information and Event Management (SIEM) servers.
   To change what is listed in the syslog header, select Panorama > Setup > Management, edit the Logging and Reporting section, select the Log Export and Reporting tab and, in the Syslog HOSTNAME Format drop-down, select FQDN, hostname, ipv4-address, or ipv6-address.
   This is a global setting and applies to all syslog server profiles configured on the appliance.
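A SIEM-side parser for the distinction the step makes, as an added example (written for this guide, not Palo Alto Networks code): the syslog header hostname identifies the forwarding appliance in whichever Syslog HOSTNAME Format is configured, while the firewall that generated the entry is identified inside the log data. It assumes an RFC 3164 style header, and it assumes, since the guide does not state it, that the body is a PAN-OS style comma-separated record whose third field is the firewall serial number; the sample lines and serial numbers are constructed.

```python
"""Separate the forwarding appliance (header) from the source firewall (body).

Added example for this guide, not vendor code. Header layout and the position
of the serial number in the body are assumptions; check them against your
own forwarded messages before relying on this in a SIEM.
"""
import re
from collections import Counter
from ipaddress import ip_address

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<body>.*)$"
)

# Constructed sample messages. The header shows each of the four HOSTNAME
# formats; the body still names the firewall that generated the entry.
SAMPLE_LINES = [
    "<14>Jan 15 10:00:00 panorama.example.com 1,2016/01/15 10:00:00,FW-SERIAL-A,TRAFFIC,end,x",
    "<14>Jan 15 10:00:01 collector01 1,2016/01/15 10:00:01,FW-SERIAL-B,THREAT,url,x",
    "<14>Jan 15 10:00:02 10.2.133.48 1,2016/01/15 10:00:02,FW-SERIAL-A,SYSTEM,general,x",
    "<14>Jan 15 10:00:03 2001:db8::48 1,2016/01/15 10:00:03,FW-SERIAL-B,CONFIG,0,x",
]


def hostname_format(host: str) -> str:
    """Name the Syslog HOSTNAME Format setting that would produce this value."""
    try:
        return "ipv4-address" if ip_address(host).version == 4 else "ipv6-address"
    except ValueError:
        return "FQDN" if "." in host else "hostname"


def parse_forwarded_syslog(line: str) -> dict:
    """Return who forwarded the entry and which firewall generated it."""
    match = HEADER_RE.match(line)
    if match is None:
        raise ValueError(f"not a syslog line: {line!r}")
    fields = match["body"].split(",")
    if len(fields) < 4:
        raise ValueError("body is not a PAN-OS style comma-separated record")
    return {
        "forwarder": match["hostname"],
        "forwarder_format": hostname_format(match["hostname"]),
        "firewall_serial": fields[2],   # assumption: serial is the third field
        "log_type": fields[3],
    }


def count_by_firewall(lines) -> dict:
    """Count entries per originating firewall, whatever appliance forwarded them.

    Keying on the header hostname instead would attribute every entry to
    Panorama or to the Managed Collector rather than to the firewall.
    """
    return dict(Counter(parse_forwarded_syslog(line)["firewall_serial"] for line in lines))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_forwarded_syslog(sample))
    print(count_by_firewall(SAMPLE_LINES))
```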
Step 2 If the Syslog server requires client authentication, generate the certificate for secure communication.
To verify that the sending device (firewall or Panorama) is authorized to communicate with the syslog server, you must enable the following:
The server and the sending device must have certificates that are signed by the same trusted CA. Alternatively, you can generate a self-signed certificate on Panorama or the firewall, export the certificate from the firewall/Panorama and import it in to the syslog server.
Use the trusted CA or the self-signed certificate to generate a certificate with the IP address of the sending device (as the Common Name) and enabled for use in secure syslog communication. The syslog server uses this certificate to verify that the firewall or Panorama is authorized to communicate with the syslog server.
Use the following steps to generate the certificate on the firewall or Panorama:
1. Select Panorama > Certificate Management > Certificates.
2. Click Generate to create a new certificate that will be signed by a trusted CA or the self-signed CA.
3. Enter a name for the certificate.
4. In Common Name, enter the IP address of the device sending logs to the syslog server.
5. Select Shared if you want the certificate to be a shared certificate on Panorama or to be shared by all virtual systems in a multiple virtual system firewall.
6. In Signed by, select the trusted CA or the self-signed CA that is trusted by both the syslog server and the sending device.
7. Click Generate. The certificate and the keypair will be generated.
8. Click the link with the name of the certificate and enable the Certificate for Secure Syslog check box for secure access to the syslog server.
9. In the Certificates page, verify the certificate details. In the Usage column, verify that it is marked as Certificate for Secure Syslog.
Step 3 (Only for Managed Collectors) On Panorama, select the certificate to use for secure syslog communication.
You must have imported the trusted CA certificate in to Panorama or generated it on Panorama. The certificate must be enabled for use as a Certificate for Secure Syslog.
1. Select Panorama > Managed Collectors.
2. Click Add to add a new Managed Collector or select the link to edit the configuration for a Managed Collector.
3. Select General, and choose the certificate from the Certificate for Secure Syslog drop-down.
   You can only select from the certificates that are available on Panorama > Certificate Management > Certificates.
Step 4 Configure Panorama to forward logs.
To forward logs for your platform/deployment, see Table: Log Forwarding from Panorama to External Destinations.
Log Collection Deployments
The following topics describe how to configure log collection in the most typical deployments.
The deployments in these topics all describe Panorama in a high availability (HA) configuration,
which Palo Alto Networks recommends.
Plan a Log Collection Deployment
Deploy Panorama with Dedicated Log Collectors
Deploy Panorama with Default Log Collectors
Deploy Panorama Virtual Appliances with Local Log Collection
Plan a Log Collection Deployment
To determine which log collection deployment best suits your requirements, review the following topics:
High Availability
Panorama and Log Collector Platforms
Collector Groups with Single or Multiple Log Collectors
Log Forwarding Options
High Availability
As a best practice, Palo Alto Networks recommends deploying the Panorama management server in a high
availability (HA) configuration to enable automatic recovery (in the event of server failure) of components that
are not saved as part of configuration backups. For details, see Recover Logs after Panorama Failure/RMA in
Non-HA Deployments. In HA deployments, the Panorama management server only supports an active/passive
configuration.
Panorama and Log Collector Platforms
Decide which platforms to use for the Panorama management server and Log Collectors based on the
geographic distribution of the managed firewalls and their logging rate. (See Panorama Platforms for more
platform specifications and recommendations.)
If you initially implement log collection using the default Log Collectors but later require more
storage or higher logging rates than these support, you can switch to a deployment with dedicated
Log Collectors (M-100 appliances in Log Collector mode). You can also implement a hybrid
deployment that includes both default and dedicated Log Collectors. However, if you initially
implement log collection using dedicated Log Collectors, you will lose logs if you later switch to a
deployment that involves only the default Log Collectors because of the reduced storage
capacity.
Note that if the firewalls have a remote distribution, their connections with the Panorama management server
might lack sufficient bandwidth to support the required logging rate even if the server can process logs at that
rate. In such deployments, forwarding logs to dedicated Log Collectors that are located close to the firewalls
might resolve the bandwidth limitation.
The following table summarizes your choice of Log Collector when considering the firewall logging rate.
Logging Rate: Log Collector
≤ 10,000 logs/second: Depends on the Panorama management server:
   Virtual appliance: Panorama collects logs without any Log Collector.
   M-100 appliance: Local default Log Collector.
> 10,000 logs/second: M-100 appliance in Log Collector Mode. Each dedicated Log Collector can process up to 50,000 logs/second and store 4 TB of log data. Add dedicated Log Collectors as needed when the logging output exceeds these thresholds.
Collector Groups with Single or Multiple Log Collectors
Palo Alto Networks recommends assigning only one Log Collector to a Collector Group. However, if any single
firewall will generate more than 4TB of logs (the maximum an M-100 appliance can store) for the required
retention period, you must assign multiple Log Collectors to the Collector Group that receives the logs. To
understand how logging works in the latter scenario, as well as the risks and recommended mitigations, see
Caveats for a Collector Group with Multiple Log Collectors.
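The sizing rules in the table and in the two paragraphs above, carried through as an added example (written for this guide, not Palo Alto Networks code): rate decides between the default Log Collector and dedicated Log Collectors, each dedicated M-100 is bounded by 50,000 logs/second and 4 TB, and any firewall that will exceed 4 TB within the retention period needs a Collector Group with multiple Log Collectors. The average log size is an assumption that must be replaced with a measurement from your own firewalls; the firewall rates are constructed.

```python
"""Size a log collection deployment from the thresholds stated in this section.

Added example, not vendor code. Thresholds come from the guide; the average
log size and the firewall rates are constructed inputs.
"""
import math

DEFAULT_COLLECTOR_MAX_LPS = 10_000   # logs/second served by default Log Collectors
DEDICATED_MAX_LPS = 50_000           # logs/second per M-100 in Log Collector mode
DEDICATED_MAX_BYTES = 4 * 10**12     # 4 TB of log data per M-100
TB = 10**12


def retention_bytes(logs_per_second: int, retention_days: int, avg_log_bytes: int) -> int:
    """Bytes a source produces over the retention period."""
    return logs_per_second * retention_days * 86_400 * avg_log_bytes


def plan_log_collection(firewall_rates: dict, retention_days: int,
                        avg_log_bytes: int, management_platform: str) -> dict:
    """Recommend the Log Collector platform, how many, and which groups need two.

    firewall_rates maps a firewall name to its logging rate in logs/second.
    management_platform is "virtual" or "m-100".
    """
    total_lps = sum(firewall_rates.values())
    total_bytes = sum(retention_bytes(rate, retention_days, avg_log_bytes)
                      for rate in firewall_rates.values())
    # A single firewall that outgrows one M-100's storage cannot sit in a
    # one-collector group for the full retention period.
    oversized = sorted(
        name for name, rate in firewall_rates.items()
        if retention_bytes(rate, retention_days, avg_log_bytes) > DEDICATED_MAX_BYTES
    )
    if total_lps <= DEFAULT_COLLECTOR_MAX_LPS:
        collector = ("Panorama virtual appliance, no Log Collector"
                     if management_platform == "virtual"
                     else "M-100 local default Log Collector")
        dedicated = 0
    else:
        collector = "M-100 appliances in Log Collector mode"
        # Both the rate ceiling and the storage ceiling must hold at once.
        dedicated = max(math.ceil(total_lps / DEDICATED_MAX_LPS),
                        math.ceil(total_bytes / DEDICATED_MAX_BYTES))
    return {
        "total_logs_per_second": total_lps,
        "retention_tb": round(total_bytes / TB, 2),
        "log_collector": collector,
        "dedicated_log_collectors": dedicated,
        "multi_collector_groups_for": oversized,
        "exceeds_one_m100_storage": total_bytes > DEDICATED_MAX_BYTES,
    }


if __name__ == "__main__":
    # Constructed: three firewalls, 30-day retention, assumed 500-byte average log.
    print(plan_log_collection({"fw-a": 3_000, "fw-b": 9_000, "fw-c": 12_000}, 30, 500, "m-100"))
    print(plan_log_collection({"fw-a": 2_000, "fw-b": 2_500}, 7, 400, "virtual"))
```

Note that in the first run the rate alone would call for one dedicated Log Collector, but the retention volume calls for eight; storage, not logs/second, is the binding constraint there.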
Log Forwarding Options
By default, each firewall generates and stores log files locally. To use Panorama for centralized log monitoring
and report generation, you must forward the logs to Panorama. If you have compliance policies that require data
archival for extended durations, you can also forward logs to external services for archiving, notification, or
analysis. External services include Syslog servers, email servers, or SNMP trap servers. The device (firewall,
Panorama virtual appliance, or M-100 appliance) that forwards the logs to external services converts the logs to
the appropriate format (Syslog message, email notification, or SNMP trap). You must create a server profile for
each external service. A server profile defines how to access the remote server and authenticate to the service,
if necessary.
To forward the system and configuration logs that Panorama generates locally to external
destinations, see Monitor Panorama.
You can configure log forwarding in the following ways:
Forward logs from firewalls to Panorama and from Panorama to external services: This configuration suits
deployments in which the connections between firewalls and external services have insufficient bandwidth
to sustain the logging rate. (This is often the case when the connections are remote.) This configuration
improves firewall performance by offloading some processing to Panorama.
To Enable Log Forwarding to Panorama, you do not need server profiles. To configure log forwarding from
Panorama to external services, define server profiles using the Panorama > Server Profiles options (see
Enable Log Forwarding from Panorama to External Destinations).
Figure: Log Forwarding to Panorama and then to External Services
Forward logs from firewalls to Panorama and to external services in parallel: In this configuration, both
Panorama and the external services are endpoints of separate log forwarding flows; the firewalls do not rely
on Panorama to forward logs to external services. This configuration suits deployments in which the
connections between firewalls and external services have sufficient bandwidth to sustain the logging rate.
(This is often the case when the connections are local.)
To forward logs from firewalls directly to external services, define server profiles using the template Device
> Server Profiles options. Enable Log Forwarding to Panorama describes how to forward logs from firewalls
to Panorama and to external services in parallel.
Figure: Log Forwarding to External Services and Panorama in Parallel
Forward logs from firewalls directly to external services and also from Panorama to external services: This
configuration is a hybrid of the previous two. It suits deployments that require sending duplicate Syslog
messages to multiple Security Information and Event Management (SIEM) solutions, each with its own
message format (for example, Splunk and ArcSight). (This duplication does not apply to SNMP traps or
email notifications.) For this configuration, you must define server profiles for:
Forwarding logs from the firewalls directly to the external services: Use the template Device > Server Profiles options.
Forwarding logs from Panorama to the external services: Use the Panorama > Server Profiles options.
Deploy Panorama with Dedicated Log Collectors
The following figures illustrate Panorama in a Distributed Log Collection Deployment. In these examples, the
Panorama management server comprises two M-100 appliances in Panorama mode, configured for
active/passive high availability (HA). Alternatively, you can use a pair of Panorama virtual appliances. The
firewalls send logs to dedicated Log Collectors (M-100 appliances in Log Collector mode). This is the
recommended configuration if the firewalls generate logs at a rate exceeding 10,000 logs/second. (For details
on deployment options, see Plan a Log Collection Deployment.)
It is a best practice to assign only one Log Collector to each Collector Group (Figure: Single Dedicated Log
Collector Per Collector Group). However, if any single firewall generates more than 4 TB of logs for the required
log retention period, the Collector Group receiving the logs requires multiple Log Collectors (Figure: Multiple
Dedicated Log Collectors Per Collector Group). See Caveats for a Collector Group with Multiple Log
Collectors to understand the risks and recommended mitigations associated with the latter configuration.
Figure: Single Dedicated Log Collector Per Collector Group
Figure: Multiple Dedicated Log Collectors Per Collector Group
Perform the following steps to deploy Panorama with dedicated Log Collectors. Skip any steps you have already
performed (for example, the initial setup).
Deploy Panorama with Dedicated Log Collectors
Step 1 Perform the initial setup of the Panorama management server (virtual appliances or M-100 appliances) and the dedicated Log Collectors.
For each M-100 appliance:
1. Rack mount the M-100 appliance. Refer to the M-100 Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-100 Appliance.
For each virtual appliance (if any):
1. Install Panorama on the ESX(i) Server.
2. Perform Initial Configuration of the Panorama Virtual Appliance.
For each Panorama appliance regardless of type:
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.
For the Panorama management server:
5. Set Up HA on Panorama.
Step 2 Switch from Panorama Mode to Log Collector Mode on each M-100 appliance that will serve as a dedicated Log Collector.
1. Log in to the Panorama CLI of the dedicated Log Collector.
2. Enter the command request system logger-mode logger, then enter Yes to confirm the change to Log Collector mode. The appliance will reboot.
Switching the mode of an M-100 appliance removes all its existing logs. After the switch, the M-100 appliance retains CLI access but loses its Panorama configuration and has no web interface access.
Step 3 (Optional) Increase Storage on the M-100 Appliance for each dedicated Log Collector that requires more than the default 1TB of storage. This example uses the drives in disk bays B1 and B2.
In the dedicated Log Collector CLI, enter the following commands and confirm the request when prompted:
request system raid add B1
request system raid add B2
Step 4
Enable connectivity for distributed log
collection on each dedicated Log
Collector.
In the dedicated Log Collector CLI, enter the following commands, where <IPaddress1> and <IPaddress2> represent the management interfaces of the primary and secondary Panorama respectively.
set deviceconfig system panorama-server <IPaddress1>
set deviceconfig system panorama-server-2 <IPaddress2>
commit
Step 5 Record the serial number of each dedicated Log Collector. You will need this when you add the Log Collectors as Managed Collectors.
In the dedicated Log Collector CLI, enter the following command to display the serial number:
show system info
Step 6 (Optional) Configure the SNMP management software for monitoring Log Collectors.
Load all the PAN-OS MIB files into your SNMP management software and, if necessary, compile them. Refer to your Simple Network Management Protocol (SNMP) manager documentation for the specific steps.
Step 7 Add a Firewall as a Managed Device. Perform this step for all the firewalls you will assign to Log Collectors.
1. If you have not already, perform the initial setup of each firewall that you will assign to a Log Collector. For details, refer to the PAN-OS Administrators Guide.
2. In the web interface of the primary Panorama management server peer, select Panorama > Managed Devices, click Add, enter the serial number of each firewall (one line per serial number), then click OK.
Step 8 Assign the firewalls to device groups and templates. This step is a prerequisite to configure log forwarding to Panorama.
Use the web interface of the primary Panorama management server peer to perform the following tasks:
1. Add a Device Group.
2. Add a Template.
Step 9
Configure Log Forwarding to Panorama. Use the web interface of the primary Panorama management server
peer to configure log forwarding. The specific tasks depend on the
log types:
Traffic, threat, and WildFire logs:
a. Select the device group you just added.
b. Select Objects > Log Forwarding and click Add.
c. Enter a Name for the Log Forwarding Profile, select the
Panorama check boxes for the desired log types, then click
OK.
d. Assign the log forwarding profile to the desired rules. For
example, select Policies > Security, select the rule, in the
Actions tab select the Log Forwarding profile you just
added, then click OK.
System:
a. Select the template you just added.
b. Select Device > Log Settings > System and select the
Severity level.
c. Select the Panorama check box and click OK.
Config:
a. Select the template you just added.
b. Select Device > Log Settings > Config and click the Edit
icon.
c. Select the Panorama check box, then click OK.
Step 10 (Optional) Enable Log Forwarding from Panorama to External Destinations.
Use the web interface of the primary Panorama management server peer to perform the following steps:
1. Create one or more server profiles, depending on the external services to which you will forward logs:
   SNMP: Panorama > Server Profiles > SNMP Trap
   Syslog: Panorama > Server Profiles > Syslog
   Email: Panorama > Server Profiles > Email
2. To forward system logs that Panorama and the dedicated Log Collectors generate, select Panorama > Log Settings > System and assign server profiles for each Severity level.
3. To forward configuration logs that Panorama and the dedicated Log Collectors generate, select Panorama > Log Settings > Config and assign the server profiles.
You assign server profiles to all the log types that firewalls generate when you configure Collector Groups (Step 13).
Step 11 (Optional) Modify Log Forwarding and
Buffering Defaults.
Use the web interface of the primary Panorama management server
peer to perform the following steps:
1. Select Panorama > Setup > Management and edit the Logging
and Reporting Settings.
2. Define the Log Export and Reporting parameters as desired.
It is a best practice to select the Buffered Log
Forwarding from Device option.
The Log Storage parameters (log quotas) in this page
only apply to the system and configuration logs that
Panorama generates locally. You set the storage
parameters for logs that the firewalls and Log Collectors
forward to Panorama in Step 13.
Step 12 Configure a Managed Collector for each dedicated Log Collector.
Use the web interface of the primary Panorama management server peer to perform the following steps:
1. Select Panorama > Managed Collectors and click Add.
2. In the General tab, Collector S/N field, enter the serial number you recorded for the Log Collector.
3. Enter the IP address or FQDN of the primary Panorama management server peer in the Panorama Server IP field. Enter the IP address or FQDN of the secondary Panorama management server peer in the Panorama Server IP 2 field. The preceding fields are required.
4. In the Authentication tab, select the password Mode and enter a Password (the default is admin).
5. In the Management tab, complete one of the following field sets for the management interface:
   IPv4: IP Address, Netmask, and Default Gateway
   IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
   The preceding fields are required.
6. If you configured Eth1 and/or Eth2 interfaces during the task Perform Initial Configuration of the M-100 Appliance, configure the settings in the Eth1 and/or Eth2 tabs. You must select the Eth1/Eth2 check box in the corresponding tab before you configure the settings.
7. Return to the General tab and select the interfaces to use for Device Log Collection and Collector Group Communication. Panorama uses the management (mgmt) interface by default. Eth1 and Eth2 are only available if you configured them in the corresponding tabs.
8. If you increased storage capacity on the Log Collector, select the Disks tab, click Add, select each additional disk pair from the drop-down, and click OK.
9. Click Commit, select Panorama as the Commit Type, then click OK.
Step 13 Configure a Collector Group.
Use the web interface of the primary Panorama management server
peer to perform the following steps:
1. Select Panorama > Collector Groups, click Add, and enter a
Name for the Collector Group. After you save the Collector
Group, you cannot change its name.
2. If you configured the SNMP management software to monitor
Log Collectors, select the Monitoring tab and configure the
SNMP settings.
3. In the Device Log Forwarding tab, Collector Group Members
section, assign one or multiple Log Collectors to the group.
4. In the Device Log Forwarding tab, Log Forwarding
Preferences section, assign firewalls according to the number of
Log Collectors in this Collector Group:
   Single Log Collector: Assign the firewalls that will forward logs to that Log Collector, as illustrated in Figure: Single Dedicated Log Collector Per Collector Group.
   Multiple Log Collectors: Assign each firewall to both Log Collectors for redundancy. When you configure the preferences, make Log Collector 1 the first priority for half the firewalls and make Log Collector 2 the first priority for the other half, as illustrated in Figure: Multiple Dedicated Log Collectors Per Collector Group.
5. Return to the General tab, click the Log Storage value and allocate the desired storage capacity (log quotas) for each log type (System, Config, HIP Match, Traffic, Threat, and WildFire). This applies to the logs that firewalls and Log Collectors forward to Panorama.
6. If you created server profiles for forwarding firewall logs from Panorama to external destinations, select the Collector Log Forwarding tab and assign the profiles to the desired external services. The profiles can be the same or different for each Collector Group.
7. Click OK to save your changes.
The next step depends on your deployment:
If each Collector Group has only one Log Collector, repeat Step 13 for each Collector Group before proceeding.
If you assigned all the Log Collectors to this Collector Group, skip to Step 14.
Step 14 Commit your changes.
1. Click Commit, select Panorama as the Commit Type, then click OK.
2. Click Commit, select Collector Group as the Commit Type, select the Collector Groups you added, then click OK.
Deploy Panorama with Default Log Collectors
The following figures illustrate Panorama in a centralized log collection deployment. In these examples, the
Panorama management server comprises two M-100 appliances in Panorama mode, configured for
active/passive high availability (HA). The firewalls send logs to the default (pre-configured) local Log Collector
on each Panorama M-100 appliance. This is the recommended deployment if the firewalls generate up to 10,000
logs/second. (For details on deployment options, see Plan a Log Collection Deployment.)
It is a best practice to assign only one Log Collector to each Collector Group (Figure: Single Default Log
Collector Per Collector Group). However, if any single firewall generates more than 4 TB of logs for the required
log retention period, the Collector Group receiving the logs requires multiple Log Collectors (Figure: Multiple
Default Log Collectors Per Collector Group). See Caveats for a Collector Group with Multiple Log Collectors
to understand the risks and recommended mitigations associated with the latter configuration.
After implementing this deployment, if the logging rate increases beyond 10,000 logs per second,
it is recommended that you add dedicated Log Collectors (M-100 appliances in Log Collector
mode) as described in Deploy Panorama with Dedicated Log Collectors. Such an expansion
might require reassigning firewalls from the default Log Collectors to dedicated Log Collectors.
Figure: Single Default Log Collector Per Collector Group
Figure: Multiple Default Log Collectors Per Collector Group
Perform the following steps to deploy Panorama with default Log Collectors. Skip any steps you have already
performed (for example, the initial setup).
Deploy Panorama with Default Log Collectors
Step 1 Perform the initial setup of each M-100 appliance.
1. Perform Initial Configuration of the M-100 Appliance.
2. Register Panorama and Install Licenses.
3. Install Content and Software Updates for Panorama.
4. Set Up HA on Panorama.
Step 2 (Optional) Increase Storage on the M-100 Appliance for each Panorama appliance (primary and secondary) that requires more than the default 1TB of storage. This example uses the drives in disk bays B1 and B2.
In the CLI of the M-100 appliance, enter the following commands and confirm the request when prompted:
request system raid add B1
request system raid add B2
Step 3 Enable connectivity between the M-100 appliances.
1. In the CLI of the primary Panorama, enter the following commands, where <IPaddress2> represents the management interface of the secondary Panorama.
set deviceconfig system panorama-server <IPaddress2>
commit
2. In the CLI of the secondary Panorama, enter the following commands, where <IPaddress1> represents the management interface of the primary Panorama.
set deviceconfig system panorama-server <IPaddress1>
commit
Step 4 Record the serial number of the default Log Collector on the secondary Panorama. This is the serial number of the M-100 appliance. You will need this when you add the Log Collector as a Managed Collector.
1. Log in to the Panorama Web Interface of the secondary Panorama.
2. In the Dashboard tab, General Information section, record the Serial # value.
Step 5 (Optional) Configure the SNMP management software for monitoring Log Collectors.
Load all the PAN-OS MIB files into your SNMP management software and, if necessary, compile them. Refer to your Simple Network Management Protocol (SNMP) manager documentation for the specific steps.
Step 6 Add a Firewall as a Managed Device. Perform this step for all the firewalls you will assign to Log Collectors.
1. If you have not already, perform the initial setup of each firewall that you will assign to a Log Collector. For details, refer to the PAN-OS Administrators Guide.
2. In the web interface of the primary M-100 appliance, select Panorama > Managed Devices, click Add, enter the serial number of each firewall (one line per serial number), then click OK.
Step 7 Assign the firewalls to device groups and templates. This step is a prerequisite to configure log forwarding to Panorama.
Use the web interface of the primary Panorama to perform the following tasks:
1. Add a Device Group.
2. Add a Template.
Step 8 Configure Log Forwarding to Panorama.
Use the web interface of the primary Panorama to configure log forwarding. The specific tasks depend on the log types:
Traffic, threat, and WildFire logs:
a. Select the device group you just added.
b. Select Objects > Log Forwarding and click Add.
c. Enter a Name for the Log Forwarding Profile, select the
Panorama check boxes for the desired log types, then click
OK.
d. Assign the log forwarding profile to the desired rules. For
example, select Policies > Security, select the rule, in the
Actions tab select the Log Forwarding profile you just
added, then click OK.
System:
a. Select the template you just added.
b. Select Device > Log Settings > System and select the
Severity level.
c. Select the Panorama check box and click OK.
Config:
a. Select the template you just added.
b. Select Device > Log Settings > Config and click the Edit
icon.
c. Select the Panorama check box, then click OK.
Step 9 (Optional) Enable Log Forwarding from Panorama to External Destinations.
Use the web interface of the primary Panorama to perform the following steps:
1. Create one or more server profiles, depending on the external services to which you will forward logs:
SNMP: Panorama > Server Profiles > SNMP Trap
Syslog: Panorama > Server Profiles > Syslog
Email: Panorama > Server Profiles > Email
2. To forward system logs that the M-100 appliances generate, select Panorama > Log Settings > System and assign server profiles for each Severity level.
3. To forward configuration logs that the M-100 appliances generate, select Panorama > Log Settings > Config and assign the server profiles.
You assign server profiles to all the log types that firewalls generate when you configure Collector Groups (Step 13).
Step 10 (Optional) Modify Log Forwarding and
Buffering Defaults.
Use the web interface of the primary Panorama to perform the
following steps:
1. Select Panorama > Setup > Management and edit the Logging
and Reporting Settings.
2. Define the Log Export and Reporting parameters as desired.
It is a best practice to select the Buffered Log
Forwarding from Device option.
The Log Storage parameters (log quotas) in this page
only apply to the system and configuration logs that
Panorama generates locally. You set the storage
parameters for logs that firewalls forward to Panorama
in Step 13.
Step 11 Configure a Managed Collector that is
local to the primary Panorama.
Use the web interface of the primary Panorama to perform the
following steps:
1. Select Panorama > Managed Collectors and select the default
Log Collector.
2. If you configured separate M-100 interfaces during the task
Perform Initial Configuration of the M-100 Appliance, in the
General tab select the interfaces to use for Device Log
Collection and Collector Group Communication. Otherwise,
Panorama uses the management (mgmt) interface by default.
3. If you increased storage capacity on the primary M-100
appliance, select the Disks tab, click Add, and select each
additional disk pair from the drop-down.
4. Click OK to save your changes.
Because the default Log Collector is
pre-configured on the M-100 appliance,
you do not need to add it, only edit it.
Step 12 Configure a Managed Collector that is
local to the secondary Panorama.
Even though this Log Collector is
local to the secondary Panorama,
the Panorama management server
treats it as a remote Log Collector
because it is not local to the
primary Panorama. Therefore you
must manually add it using the
web interface of the primary
Panorama.
Use the web interface of the primary Panorama to perform the
following steps:
1. In the Panorama web interface, select Panorama > Managed
Collectors and click Add.
2. In the General tab, Collector S/N field, enter the serial number
you recorded for the default Log Collector on the secondary
Panorama.
3. Enter the IP address or FQDN of the primary Panorama in the
Panorama Server IP field and the IP address of the secondary
Panorama in the Panorama Server IP 2 field.
The preceding fields are required.
4. In the Authentication tab, enter a Password (the default is
admin).
5. In the Management tab, complete one of the following field sets with the management interface values of the secondary Panorama:
IPv4: IP Address, Netmask, and Default Gateway
IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
The preceding fields are required.
6. If you configured Eth1 and/or Eth2 interfaces during the task Perform Initial Configuration of the M-100 Appliance, configure the settings in the Eth1 and/or Eth2 tabs. You must select the Eth1/Eth2 check box in the corresponding tab to configure the settings.
7. Return to the General tab and select the interfaces to use for Device Log Collection and Collector Group Communication. Panorama uses the management (mgmt) interface by default. Eth1 and Eth2 are only available if you configured them in the corresponding tabs.
8. If you increased storage capacity on the secondary M-100 appliance, select the Disks tab, click Add, and select each additional disk pair from the drop-down.
9. Click OK and Commit, select Panorama as the Commit Type, then click OK. Wait until the HA synchronization finishes before proceeding.
Step 13 Configure a Collector Group.
Because the default Collector Group is
pre-configured on the M-100 appliance,
you do not need to add it, only edit it.
Use the web interface of the primary Panorama to perform the
following steps:
1. Select Panorama > Collector Groups and select the default
Collector Group on the primary Panorama.
2. If you configured the SNMP management software to monitor
Log Collectors, select the Monitoring tab and configure the
SNMP settings.
3. In the Device Log Forwarding tab, Collector Group Members section, assign Log Collectors according to how many this Collector Group will have:
Single Log Collector: By default, the local Log Collector on the primary Panorama is pre-assigned to the default Collector Group so you do not need to assign any member.
Multiple Log Collectors: Assign the Log Collector that is local on the secondary Panorama. The local Log Collector on the primary Panorama is pre-assigned.
4. In the Device Log Forwarding tab, Log Forwarding Preferences section, assign firewalls according to the number of Log Collectors in this Collector Group:
Single Log Collector: Assign the firewalls that will forward logs to the default Log Collector of the primary Panorama, as illustrated in Figure: Single Default Log Collector Per Collector Group.
Multiple Log Collectors: Assign each firewall to both Log Collectors for redundancy. When you configure the preferences, make Log Collector 1 the first priority for half the firewalls and make Log Collector 2 the first priority for the other half, as illustrated in Figure: Multiple Default Log Collectors Per Collector Group.
5. Return to the General tab, click the Log Storage value and allocate the desired storage capacity (log quotas) for each firewall log type (System, Config, HIP Match, Traffic, Threat, and WildFire).
6. If you created server profiles for forwarding firewall logs from Panorama to external destinations, select the Collector Log Forwarding tab and assign server profiles for the desired external services. The profiles can be the same or different for each Collector Group.
The next step depends on your deployment:
If you assigned all the Log Collectors to this Collector Group, skip to Step 15.
If each Collector Group has only one Log Collector, perform Step 14 to add another Collector Group.
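The Log Forwarding Preferences rule stated in both Collector Group procedures (the dedicated Log Collector steps and Step 13 above) is easy to get wrong by hand once a group has dozens of firewalls: every firewall must list both Log Collectors, and the first-priority collector must alternate so the load splits evenly. The following Python is an added example and is not code from this guide or from Palo Alto Networks; it builds such a preference list and verifies both properties before you type the assignments into the web interface. The firewall serial numbers and collector names are constructed for illustration, and the generalization to more than two collectors (rotation of the remaining collectors after the first) is this example's own.

```python
"""Balance firewalls across the Log Collectors of a Collector Group.

Added example; this is not code from the Panorama guide or from Palo Alto
Networks. It builds the per-firewall Log Forwarding Preferences described
in the Collector Group steps: every firewall lists every Log Collector
(redundancy) and the first-priority collector alternates so that half the
firewalls prefer LC1 and half prefer LC2. The serial numbers and collector
names used for illustration are constructed.
"""


def build_preference_lists(firewalls, collectors):
    """Return {firewall_serial: [collector, ...]} in priority order.

    Firewalls are processed in sorted order so the result is stable across
    runs; firewall i gets collector i % n as its first priority and the
    remaining collectors in rotation after it.
    """
    if not collectors:
        raise ValueError("a Collector Group needs at least one Log Collector")
    n = len(collectors)
    prefs = {}
    for i, serial in enumerate(sorted(firewalls)):
        start = i % n
        prefs[serial] = [collectors[(start + k) % n] for k in range(n)]
    return prefs


def verify_preferences(prefs, collectors):
    """Check the two properties the guide asks for; return a list of problems.

    1. Redundancy: each firewall is assigned to every collector in the group.
    2. Balance: first-priority assignments differ by at most one between
       collectors (only meaningful when the group has several collectors).
    """
    problems = []
    first_counts = {c: 0 for c in collectors}
    expected = sorted(collectors)
    for serial, order in prefs.items():
        if sorted(order) != expected:
            problems.append(f"{serial}: not assigned to all collectors")
            continue
        first_counts[order[0]] += 1
    if len(collectors) > 1:
        counts = first_counts.values()
        if max(counts) - min(counts) > 1:
            problems.append(f"uneven first-priority split: {first_counts}")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not real serial numbers.
    firewalls = ["001606000001", "001606000002", "001606000003", "001606000004"]
    collectors = ["LC1", "LC2"]
    prefs = build_preference_lists(firewalls, collectors)
    for serial, order in prefs.items():
        print(serial, " > ".join(order))
    print("problems:", verify_preferences(prefs, collectors))
```

Run it against the serial numbers you entered under Panorama > Managed Devices and transcribe the printed order into the Log Forwarding Preferences section; verify_preferences is the check to re-run after any firewall is added to or removed from the group.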
Step 14 (Only if each Collector Group has one
Log Collector) Configure a Collector
Group for the Log Collector on the
secondary Panorama.
Use the web interface of the primary Panorama to perform the
following steps:
1. Select Panorama > Collector Groups, click Add, and enter a
Name for the Collector Group on the secondary Panorama.
After you save the Collector Group, you cannot change its
name.
2. If you configured the SNMP management software to monitor
Log Collectors, select the Monitoring tab and configure the
SNMP settings.
3. In the Device Log Forwarding tab, Collector Group Members
section, assign the default Log Collector of the secondary
Panorama.
4. In the Device Log Forwarding tab, Log Forwarding
Preferences section, assign the firewalls that will forward logs to
the default Log Collector of the secondary Panorama, as
illustrated in Figure: Single Default Log Collector Per Collector
Group.
5. In the General tab, click the Log Storage value and allocate the
desired storage capacity (log quotas) for each firewall log type
(System, Config, HIP Match, Traffic, Threat, and WildFire).
6. If you created server profiles for forwarding firewall logs from
Panorama to external destinations, select the Collector Log
Forwarding tab and assign the profiles to the desired external
services. The profiles can be the same or different for each
Collector Group.
7. Click OK to save your changes.
Step 15 Commit your changes.
Use the web interface of the primary Panorama to perform the
following steps:
1. Click Commit, select Panorama as the Commit Type, then click
OK.
2. Click Commit, select Collector Group as the Commit Type,
select the Collector Groups you added, then click OK.
Step 16 Manually fail over so that the secondary
Panorama becomes active.
Use the web interface of the primary Panorama to perform the
following steps:
1. Select Panorama > High Availability.
2. In the Operational Commands section, click Suspend local
Panorama.
Step 17 On the secondary Panorama, configure the network settings of the Log Collector that is local to the primary Panorama.
Use the web interface of the secondary Panorama to perform the following steps:
1. In the Panorama web interface, select Panorama > Managed Collectors and select the Log Collector that is local to the primary Panorama.
2. In the General tab, enter the IP address or FQDN of the secondary Panorama in the Panorama Server IP field. Enter the IP address or FQDN of the primary Panorama in the Panorama Server IP 2 field.
3. In the Management tab, complete one of the following field sets with the management interface values of the primary Panorama:
IPv4: IP Address, Netmask, and Default Gateway
IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
The preceding fields are required.
4. Click OK and Commit, select Panorama as the Commit Type, then click OK. Wait until the HA synchronization finishes before proceeding.
5. Click Commit, select Collector Group as the Commit Type, select the Collector Groups you added, then click OK.
Step 18 Manually fail back so that the primary Panorama becomes active.
Use the web interface of the secondary Panorama to perform the following steps:
1. Select Panorama > High Availability.
2. In the Operational Commands section, click Suspend local Panorama.
Deploy Panorama Virtual Appliances with Local Log Collection
The following figure illustrates Panorama in a centralized log collection deployment. In this example, the
Panorama management server comprises two Panorama virtual appliances, configured for active/passive high
availability (HA). The firewalls send logs to the Panorama management server (to its virtual disk or NFS
datastore). By default, both the primary and secondary Panorama receive logs. This configuration suits firewall
management within a VMware virtual infrastructure in which Panorama processes up to 10,000 logs/second.
(For details on deployment options, see Plan a Log Collection Deployment.)
By default, the Panorama virtual appliance has a single disk partition for all data, and approximately 11GB of
this space is allocated for log storage. If you need another 2TB of disk space, Add a Virtual Disk to the Panorama
Virtual Appliance. If you need more than 2TB, Mount the Panorama Virtual Appliance to an NFS Datastore.
If the logging rate increases beyond 10,000 logs per second, it is recommended that you add
dedicated Log Collectors (M-100 appliances in Log Collector mode).
Deploy Panorama with Dedicated Log Collectors describes a deployment with dedicated Log
Collectors managed by Panorama virtual appliances or by M-100 appliances in Panorama mode.
Figure: Panorama Virtual Appliances with Local Log Collection
Perform the following steps to deploy Panorama virtual appliances with local log collection. Skip any steps you
have already performed (for example, the initial setup).
Deploy Panorama Virtual Appliances with Local Log Collection
Step 1 Perform the initial setup of each Panorama virtual appliance.
1. Install Panorama on the ESX(i) Server.
2. Perform Initial Configuration of the Panorama Virtual Appliance.
3. (Optional) Expand Log Storage Capacity on the Panorama Virtual Appliance.
4. Register Panorama and Install Licenses.
5. Install Content and Software Updates for Panorama.
6. Set Up HA on Panorama.
Step 2 Add a Firewall as a Managed Device. Perform this step for all the firewalls that will forward logs to Panorama.
1. If you have not already, perform the initial setup of each firewall that will forward logs to Panorama. For details, refer to the PAN-OS Administrators Guide.
2. In the Panorama web interface, select Panorama > Managed Devices, click Add, enter the serial number of each firewall (one line per serial number), then click OK.
Step 3 Assign the firewalls to device groups and templates. This step is a prerequisite to enabling log forwarding to Panorama.
Use the Panorama web interface to perform the following tasks:
1. Add a Device Group.
2. Add a Template.
Step 4 Configure Log Forwarding to Panorama.
Use the Panorama web interface to configure log forwarding. The specific tasks depend on the log types:
Traffic, threat, and WildFire logs:
a. Select the device group you just added.
b. Select Objects > Log Forwarding and click Add.
c. Enter a Name for the Log Forwarding Profile, select the
Panorama check boxes for the desired log types, then click
OK.
d. Assign the log forwarding profile to the desired rules. For
example, select Policies > Security, select the rule, in the
Actions tab select the Log Forwarding profile you just
added, then click OK.
System:
a. Select the template you just added.
b. Select Device > Log Settings > System and select the
Severity level.
c. Select the Panorama check box and click OK.
Config:
a. Select the template you just added.
b. Select Device > Log Settings > Config and click the Edit
icon.
c. Select the Panorama check box, then click OK.
Step 5 (Optional) Enable Log Forwarding from Panorama to External Destinations.
This step applies to logs that the Panorama virtual appliances generate (system and config logs) and logs that the firewalls generate (system, config, HIP match, traffic, threat, and/or WildFire logs).
Use the Panorama web interface to perform the following steps:
1. Create one or more server profiles, depending on the external services to which you will forward logs:
SNMP: Panorama > Server Profiles > SNMP Trap
Syslog: Panorama > Server Profiles > Syslog
Email: Panorama > Server Profiles > Email
2. Select Panorama > Log Settings and select the type of log you want to forward: System, Config, HIP Match, Traffic, Threat, and/or WildFire.
3. Assign the server profiles you configured. For System and Threat logs, assign profiles for each desired Severity level. For WildFire logs, assign profiles for each Verdict (benign and/or malicious). For Config, HIP Match, and Traffic logs, click the Edit icon to assign server profiles.
Step 6
(Optional) Modify Log Forwarding and
Buffering Defaults.
Use the Panorama web interface to perform the following steps:
1. Select Panorama > Setup > Management and edit the Logging
and Reporting Settings.
2. Define the Log Export and Reporting parameters as desired.
If you want only the primary Panorama to receive logs, select
the Only Active Primary Logs to Local Disk check box.
It is a best practice to select the Buffered Log
Forwarding from Device option.
Step 7
Commit your changes.
Click Commit, select Panorama as the Commit Type, then click OK.
Manage Licenses and Updates
As an administrator, you can use Panorama to centrally manage licenses and software/content updates on
managed devices (firewalls and Log Collectors). When you deploy licenses or updates, Panorama checks in with
the Palo Alto Networks licensing server or update server, verifies the request validity, and then allows retrieval
and installation of the license/update on the devices. This capability facilitates deployment by eliminating the
need to repetitively perform the tasks on each device. It is particularly useful for managing firewalls that do not
have direct Internet access or for managing M-100 appliances in Log Collector mode, which do not support a
web interface.
You must activate a support subscription directly on each firewall; you cannot use Panorama to
deploy support subscriptions.
To activate licenses or install updates on Panorama itself, see Register Panorama and Install
Licenses and Install Content and Software Updates for Panorama.
Panorama, Log Collector, and Firewall Version Compatibility
Manage Licenses on Firewalls Using Panorama
Deploy Updates to Devices Using Panorama
Panorama, Log Collector, and Firewall Version Compatibility
The Panorama management server must run the same Panorama software version or a higher version than the
PAN-OS version that the managed firewalls run. Panorama can manage firewalls that are running an earlier and
still supported version of PAN-OS. When upgrades are required, upgrade Panorama before upgrading the
managed firewalls.
Panorama 6.1 and later releases cannot push configurations to firewalls running PAN-OS 6.0.0
through 6.0.3.
Palo Alto Networks highly recommends running the same Panorama software version on the Panorama
management server and its dedicated Log Collectors (M-100 appliances in Log Collector mode).
You cannot assign firewalls running PAN-OS 4.x to a dedicated Log Collector (M-100 appliance in Log
Collector mode); they must send logs to a Panorama virtual appliance or an M-100 appliance in Panorama mode.
Only firewalls running PAN-OS 5.x or later can send logs to a dedicated Log Collector.
Palo Alto Networks recommends that you install the same Applications and Threats database
version on Panorama as on the managed firewalls and Log Collectors. Panorama uses the
Applications and Threats database to retrieve metadata for processing reports that you initiate
from Panorama or managed devices. If a Log Collector does not have the database installed, the
complete dataset required for the report might not be available and the information displayed
might be incomplete or inaccurate.
Manage Licenses on Firewalls Using Panorama
The following steps describe how to retrieve new licenses using an authorization code and push the license keys
to managed firewalls. It also describes how to manually update (refresh) the license status of firewalls that do
not have direct Internet access. For firewalls with direct Internet access, the license update process is automatic.
You cannot use Panorama to activate the support license of firewalls. You must access the
firewalls individually to activate their support licenses.
To activate licenses for Panorama itself, see Register Panorama and Install Licenses.
Manage Licenses on Firewalls Using Panorama
Activate new licenses.
1. Select Panorama > Device Deployment > Licenses and click Activate. This option allows you to activate a newly purchased subscription, for example, a Threat subscription.
2. Find or filter for the managed firewalls and enter the authorization code(s) that Palo Alto Networks provided for the device in the Auth Code column.
3. Click Activate.
Update the license status of firewalls.
1. Select Panorama > Device Deployment > Licenses. Each entry on the tab indicates whether the license is active or inactive and displays the expiration date for active licenses.
2. If you have previously activated the authorization code for the support subscription directly on the firewall, click Refresh and select one or more firewalls from the list. Panorama retrieves the license(s), deploys it to the managed firewalls and updates the licensing status on the Panorama web interface.
Deploy Updates to Devices Using Panorama
You can use Panorama to qualify software and content updates by deploying them to a subset of the firewalls
or dedicated Log Collectors (M-100 appliances in Log Collector mode) before installing the updates on all
managed devices. If you want to schedule periodic content updates, Panorama requires a direct Internet
connection. To deploy software or content updates on demand (unscheduled), the procedure differs depending
on whether Panorama has an Internet connection.
Supported Updates by Device Type
Schedule Content Updates to Devices Using Panorama
Install Software Updates on Firewall HA Pairs
Deploy Updates to Devices when Panorama Has an Internet Connection
Deploy Updates to Devices when Panorama Has No Internet Connection
If both Panorama and the firewalls it manages require updates, upgrade Panorama (see Install
Content and Software Updates for Panorama) before upgrading the firewalls.
If you need to upgrade firewalls to a PAN-OS maintenance release for which the base release is higher than the currently installed software, you must upload (without installing) the base release to the firewalls before uploading and installing the maintenance release. For example, to upgrade firewalls from PAN-OS 5.0.12 to PAN-OS 6.0.3, you must upload PAN-OS 6.0.0 to the firewalls before you upload and install PAN-OS 6.0.3 on the firewalls.
You do not install SSL VPN client or GlobalProtect client software on firewalls; you activate the
software on firewalls so that users can download it onto client systems.
You cannot deploy GlobalProtect data file updates on demand; you can only schedule them
(Device > Dynamic Updates) using templates or directly through the web interface of a firewall.
Palo Alto Networks recommends that you install the same Applications and Threats database
version on Panorama as on the managed firewalls and Log Collectors. Panorama uses the
Applications and Threats database to retrieve metadata for processing reports that you initiate
from Panorama or managed devices. If a Log Collector does not have the database installed, the
complete dataset required for the report might not be available and the information displayed
might be incomplete or inaccurate.
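The rules in Panorama, Log Collector, and Firewall Version Compatibility and the base-release note above are the kind of thing worth checking mechanically before an upgrade window, because a Panorama that is older than a firewall or a 6.1 Panorama facing a 6.0.2 firewall silently loses the ability to push configuration. The following Python is an added example, not code from this guide or from Palo Alto Networks; it encodes exactly the four rules stated on this page (Panorama version at least the firewall version, the 6.0.0 through 6.0.3 push restriction, the PAN-OS 5.x minimum for dedicated Log Collectors, and the upload-only base release step). The hotfix-suffix handling and the version strings in the usage section are assumptions and constructed data.

```python
"""Version checks from the Panorama/PAN-OS compatibility rules in this chapter.

Added example; not code from the Panorama guide or from Palo Alto Networks.
It encodes the rules stated above: the Panorama software version must be the
same as or higher than the PAN-OS version on managed firewalls; Panorama 6.1
and later cannot push configuration to PAN-OS 6.0.0 through 6.0.3; only
PAN-OS 5.x or later firewalls can send logs to a dedicated Log Collector;
and upgrading to a maintenance release whose base release is above the
installed version requires uploading (not installing) the base release
first. The hotfix suffix handling (-hN) and the version strings in the
usage section are assumptions/constructed data.
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text):
    """'6.0.3' -> (6, 0, 3). A trailing hotfix suffix such as '-h1' is ignored
    (assumption: hotfixes do not change the major.minor.maintenance triple)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version {text!r}")
    return tuple(int(part) for part in match.groups())


def fmt(version):
    return ".".join(str(part) for part in version)


def base_release(version):
    """Base release of a maintenance release: (6, 0, 3) -> (6, 0, 0)."""
    return (version[0], version[1], 0)


def panorama_can_manage(panorama_version, firewall_version):
    """Return (ok, reason) for whether this Panorama can manage the firewall."""
    pan = parse_version(panorama_version)
    fw = parse_version(firewall_version)
    if pan < fw:
        return False, "Panorama is older than the firewall; upgrade Panorama first"
    if pan >= (6, 1, 0) and (6, 0, 0) <= fw <= (6, 0, 3):
        return False, "Panorama 6.1 and later cannot push configurations to PAN-OS 6.0.0-6.0.3"
    return True, "ok"


def can_use_dedicated_log_collector(firewall_version):
    """PAN-OS 4.x firewalls must log to a Panorama virtual appliance or an
    M-100 in Panorama mode, not to a dedicated Log Collector."""
    return parse_version(firewall_version) >= (5, 0, 0)


def upgrade_plan(installed, target):
    """Return the ordered (image, action) steps to move a firewall from
    `installed` to `target`, inserting an upload-only step for the base
    release when the target is a maintenance release above the installed base."""
    cur = parse_version(installed)
    tgt = parse_version(target)
    if tgt <= cur:
        return []
    steps = []
    base = base_release(tgt)
    if base > cur and base != tgt:
        steps.append((fmt(base), "upload"))
    steps.append((fmt(tgt), "upload-and-install"))
    return steps


if __name__ == "__main__":
    # Constructed versions for illustration.
    print(upgrade_plan("5.0.12", "6.0.3"))        # base 6.0.0 must be uploaded first
    print(panorama_can_manage("6.1.0", "6.0.2"))  # blocked by the 6.0.0-6.0.3 rule
    print(can_use_dedicated_log_collector("4.1.8"))
```

Feed it the versions shown under Panorama > Managed Devices before you schedule a PAN-OS deployment; the upgrade_plan output maps directly onto the upload-only versus upload-and-install choices in the Deploy Software File dialog.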
Supported Updates by Device Type
The software and content updates you can install depend on which subscriptions are active on each device and the device type:
Device                    Software Updates       Content Updates
Dedicated Log Collectors  Panorama               Applications signatures
                                                 Antivirus signatures
                                                 WildFire
Firewalls                 PAN-OS                 Applications signatures
                          SSL VPN client         Applications and Threats signatures
                          GlobalProtect client   Antivirus signatures
                                                 BrightCloud URL filtering
                                                 WildFire
                                                 GlobalProtect data files
Schedule Content Updates to Devices Using Panorama
For a list of content updates you can install on firewalls and Log Collectors, see Supported Updates by Device
Type. Panorama requires a direct Internet connection for scheduled updates. Otherwise, you can only perform
on-demand updates (see Deploy Updates to Devices when Panorama Has No Internet Connection). On each
firewall receiving the update, PAN-OS generates a log to indicate the installation succeeded (configuration log)
or failed (system log).
Panorama can only download one update at a time. If you schedule the updates to download
during the same time interval, only the first download will succeed. Therefore it is a best practice
to stagger the scheduled updates.
To install a content update on a Panorama virtual appliance or on an M-100 appliance in
Panorama mode, see Install Content and Software Updates for Panorama.
Perform the following steps for each update type you want to schedule.
Schedule Content Updates to Devices Using Panorama
1. Select Panorama > Device Deployment > Dynamic Updates, click Schedules, and click Add.
2. Specify a Name to describe the schedule, the update Type, and the update frequency (Recurrence). The available frequency options depend on the update Type:
WildFire: Select Every 15 Mins (minutes), Every 30 Mins, or Every Hour.
WF-Private: Select Every 5 Mins (minutes), Every 15 Mins, Every 30 Mins, or Every Hour.
Other update types:
Daily: Select the Time of day when the update will start.
Weekly: Select the Day of the week and Time of day when the update will start.
PAN-OS uses the Panorama timezone for update scheduling.
The WildFire Private (WF-Private) option is only available if the WildFire Server field (Panorama > Setup > WildFire) is set to a WF-500 WildFire appliance, not to the WildFire Public Cloud.
3. Specify the Action to schedule:
Download And Install (best practice): Select the Devices (for firewalls) or Log Collectors option, then select the devices to which the update will apply.
Download Only: Panorama downloads the update but does not install it on devices.
4. Click OK and Commit, select Panorama as the Commit Type, then click OK.
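Because Panorama downloads only one update at a time and a second schedule that fires in the same interval simply fails, it pays to check a set of schedules for collisions before committing them. The following Python is an added example, not code from this guide or from Palo Alto Networks; it validates each schedule's Recurrence against the options listed for its update Type, expands every schedule's start times over one week in the Panorama timezone, and reports pairs that start at the same minute (or, with a window, within a few minutes of each other, since a download takes time). The update type names, the recurrence identifiers, the window parameter and the sample schedules are assumptions and constructed data for the example.

```python
"""Check Panorama dynamic-update schedules for download collisions.

Added example; not code from the Panorama guide or from Palo Alto Networks.
The guide states that Panorama downloads one update at a time and that if
two schedules fall in the same interval only the first download succeeds.
This script expands each schedule's start times over one week (in the
Panorama timezone) and reports pairs that start within a configurable
window of each other. The recurrence names, the window parameter and the
sample schedules are assumptions/constructed data for the example.
"""
from itertools import combinations

WEEK_MINUTES = 7 * 24 * 60
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
INTERVALS = {"every-5-mins": 5, "every-15-mins": 15, "every-30-mins": 30, "every-hour": 60}

# Recurrence options the guide lists per update type; anything else is daily/weekly.
ALLOWED = {
    "wildfire": {"every-15-mins", "every-30-mins", "every-hour"},
    "wf-private": {"every-5-mins", "every-15-mins", "every-30-mins", "every-hour"},
}
OTHER_ALLOWED = {"daily", "weekly"}


def validate_schedule(sched):
    """Raise ValueError if the recurrence is not offered for this update type."""
    allowed = ALLOWED.get(sched["type"], OTHER_ALLOWED)
    if sched["recurrence"] not in allowed:
        raise ValueError(f"{sched['name']}: {sched['recurrence']!r} is not valid for {sched['type']}")


def _hhmm(text):
    hours, minutes = (int(x) for x in text.split(":"))
    return hours * 60 + minutes


def start_minutes(sched):
    """Return the set of minute offsets within the week at which a schedule starts."""
    validate_schedule(sched)
    rec = sched["recurrence"]
    if rec in INTERVALS:
        return set(range(0, WEEK_MINUTES, INTERVALS[rec]))
    if rec == "daily":
        return {day * 1440 + _hhmm(sched["time"]) for day in range(7)}
    day = DAYS.index(sched["day"].lower())
    return {day * 1440 + _hhmm(sched["time"])}


def describe(minute):
    """Human-readable week minute, e.g. 'sunday 02:00'."""
    day, rest = divmod(minute, 1440)
    return f"{DAYS[day]} {rest // 60:02d}:{rest % 60:02d}"


def find_collisions(schedules, window_minutes=0):
    """Return (name_a, name_b, start_of_a) for every start of a within
    window_minutes of some start of b. window_minutes=0 means exact overlap."""
    expanded = [(s["name"], start_minutes(s)) for s in schedules]
    hits = []
    for (name_a, starts_a), (name_b, starts_b) in combinations(expanded, 2):
        for a in sorted(starts_a):
            if any((a + d) % WEEK_MINUTES in starts_b
                   for d in range(-window_minutes, window_minutes + 1)):
                hits.append((name_a, name_b, a))
    return hits


# Constructed sample schedules: the daily and weekly jobs both start at 02:00,
# which is also one of the WildFire 15-minute starts, so all three collide.
COLLIDING = [
    {"name": "wildfire", "type": "wildfire", "recurrence": "every-15-mins"},
    {"name": "av-daily", "type": "antivirus", "recurrence": "daily", "time": "02:00"},
    {"name": "apps-weekly", "type": "apps-threats", "recurrence": "weekly",
     "day": "sunday", "time": "02:00"},
]

# Same jobs staggered off the quarter-hour so no two starts coincide.
STAGGERED = [
    {"name": "wildfire", "type": "wildfire", "recurrence": "every-15-mins"},
    {"name": "av-daily", "type": "antivirus", "recurrence": "daily", "time": "02:07"},
    {"name": "apps-weekly", "type": "apps-threats", "recurrence": "weekly",
     "day": "sunday", "time": "02:37"},
]

if __name__ == "__main__":
    for a, b, minute in find_collisions(COLLIDING):
        print(f"{a} and {b} both start {describe(minute)}")
    print("staggered:", find_collisions(STAGGERED))
```

The staggered set passes with an exact-minute check but still collides with a ten-minute window, which is the more realistic test: a WildFire download that starts at 02:00 is unlikely to be finished by 02:07. Pick daily and weekly start times that are not multiples of the shortest interval in use and leave a gap larger than a typical download.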
Install Software Updates on Firewall HA Pairs
To avoid downtime when installing software updates on firewall peers in a high availability (HA) configuration,
install the updates in the following sequence.
PAN-OS synchronizes the sessions of HA peers even when you upgrade between major releases
(for example, from 6.0 to 6.1).
Install Software Updates on Firewall HA Pairs
Step 1: Install the software update on the secondary firewall.
Log in to Panorama and perform one of the following procedures on the secondary firewall:
Deploy Updates to Devices when Panorama Has an Internet Connection
Deploy Updates to Devices when Panorama Has No Internet Connection
For either procedure, in the Deploy Software File dialog, you must clear the Group HA Peers check box.
Step 2: Trigger a manual failover on the primary firewall so that it becomes passive and the secondary becomes active.
1. Log in to the primary firewall, select Device > High Availability > Operational Commands and click Suspend
local device.
2. Log in to the secondary firewall and, on the Dashboard, High Availability widget, verify that the Local firewall
state is active and the Peer firewall is suspended.
Step 3: Install the software update on the primary firewall.
Repeat Step 1 for the primary firewall.
Step 4: Restore the primary firewall to the active state.
1. Log in to the primary firewall, select Device > High Availability > Operational Commands and click Make local
device functional.
2. Wait two minutes and then, on the primary firewall Dashboard, High Availability widget, verify that the Local
firewall state is active and the Peer firewall is passive.
Deploy Updates to Devices when Panorama Has an Internet Connection
For a list of software and content updates you can install on firewalls and dedicated Log Collectors (M-100
appliances in Log Collector mode), see Supported Updates by Device Type.
If both Panorama and the firewalls it manages require updates, upgrade Panorama (see Install
Content and Software Updates for Panorama) before upgrading the firewalls.
If you need to upgrade firewalls to a PAN-OS maintenance release for which the base release is
higher than the currently installed software, you must upload (without installing) the base release
to the firewalls before uploading and installing the maintenance release. For example, to upgrade
firewalls from PAN-OS 5.0.12 to PAN-OS 6.0.3, you must upload PAN-OS 6.0.0 to the firewalls
before you upload and install PAN-OS 6.0.3 on the firewalls.
Panorama displays a warning if you request an unscheduled content update when an existing
schedule has started or is scheduled to start within five minutes. For details, see Schedule
Content Updates to Devices Using Panorama.
If you will deploy software updates to firewall pairs in a high availability (HA) configuration, install
the updates on one peer at a time as described in Install Software Updates on Firewall HA Pairs.
Deploy Updates to Devices when Panorama Has an Internet Connection
1. Access the page for the desired software or content update:
PAN-OS: Select Panorama > Device Deployment > Software
SSL VPN client: Select Panorama > Device Deployment > SSL VPN Client
GlobalProtect client: Select Panorama > Device Deployment > GlobalProtect Client
Content: Select Panorama > Device Deployment > Dynamic Updates.
2. Click Check Now to check for the latest updates. If an update is available, the Action column displays Upgrade (for
BrightCloud URL Filtering) or Download (for all other content categories and software).
3. Review the Version and File Name columns to determine the update you want to deploy.
The Dynamic Updates page lists the content updates by category: Antivirus, Applications and Threats, URL
Filtering, and Wildfire.
In the software update pages, the filename format of the update package depends on the software and device type:
PAN-OS for hardware-based firewalls: PanOS_<hardware platform>-<release> (for example,
PanOS_200-6.1.0 for the PA-200 firewall running PAN-OS 6.1.0).
PAN-OS for VM-Series firewalls: PanOS_vm-<release> (for example, PanOS_vm-6.1.0).
Panorama software for an M-100 appliance (Log Collector): Panorama_m-<release> (for example,
Panorama_m-6.1.0).
SSL VPN client for all firewalls: PanVPN-<release> (for example, PanVPN-1.3.4)
GlobalProtect client for all firewalls: PanGP-<release> (for example, PanGP-2.1.0)
4. In the Action column of the desired update, click Upgrade or Download. After a successful upgrade/download, the
value Upgrade/Download changes to Install (for content and Panorama or PAN-OS software) or Activate (for SSL
VPN or GlobalProtect client software).
By default, you can download up to five software or content updates of each type to Panorama. When you
initiate any download beyond that maximum, Panorama deletes the oldest update of the selected type. To
change the maximum, see Manage Panorama Storage for Software and Content Updates.
5. Click Install or Activate and select the firewalls and/or Log Collectors on which to apply the update.
You must install content updates before software updates. Also, you must install the Applications and Threats
updates before the Antivirus and WildFire updates. URL Filtering updates have no restrictions in terms of
installation sequence.
6. (PAN-OS software updates only) Clear the Group HA Peers check box (for firewalls that are in a high availability
configuration) to upgrade one HA peer at a time, then select one of the following check boxes depending on your
purpose:
Upload only to device (do not install): If the file you selected is for a base release (for example, 6.0.0) and you
will install a maintenance release (for example, 6.0.3) immediately after, select this option to create the libraries
and directories that are required for the maintenance release.
Reboot device after install: Select this option for all other scenarios. The installation cannot finish until the
device reboots.
7. Click OK to start the installation or upload. The results of the installation attempt appear on screen.
8. To verify the software and content update versions running on each managed firewall, select Panorama > Managed
Devices, locate the firewall (Device Name column) and review the values in the Software Version column.
9. To verify the software and content update versions running on a dedicated Log Collector, log in to the Panorama
CLI of the M-100 appliance and enter the show system info command. The output will resemble the following:
sw-version: 6.1.0
app-version: 366-1738
app-release-date: 2014/10/29 15:46:03
av-version: 1168-1550
av-release-date: 2014/10/21 14:31:27
threat-version: 366-1738
threat-release-date: 2014/10/29 15:46:03
Deploy Updates to Devices when Panorama Has No Internet Connection
For a list of software and content updates you can install on firewalls and dedicated Log Collectors (M-100
appliances in Log Collector mode), see Supported Updates by Device Type.
If both Panorama and the firewalls it manages require updates, upgrade Panorama (see Install
Content and Software Updates for Panorama) before upgrading the firewalls.
If you need to upgrade firewalls to a PAN-OS maintenance release for which the base release is
higher than the currently installed software, you must upload (without installing) the base release
to the firewalls before uploading and installing the maintenance release. For example, to upgrade
firewalls from PAN-OS 5.0.12 to PAN-OS 6.0.3, you must upload PAN-OS 6.0.0 to the firewalls
before you upload and install PAN-OS 6.0.3 on the firewalls.
If you will deploy software updates to firewall pairs in high availability (HA) configuration, install
the updates on one peer at a time as described in Install Software Updates on Firewall HA Pairs.
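The notes above (for both the Internet-connected and the offline procedure) state two ordering rules: a maintenance release whose base release is higher than the installed software needs the base release uploaded first, and content updates must be installed before software, with Applications and Threats before Antivirus and WildFire. The following script is an added example (not code from this guide or from Palo Alto Networks) that turns both rules into a deployment plan. The version strings and update names are constructed sample input; the action labels returned by the planner are this example's own wording of the check-box options in the install dialog, and placing URL Filtering among the other content updates is an arbitrary choice since the guide imposes no order on it.

```python
"""Plan a Panorama-driven update deployment.

Added example, not code from the Panorama guide or Palo Alto Networks. It
encodes two rules the guide states: (1) content updates are installed before
software, with Applications and Threats before Antivirus and WildFire (URL
Filtering has no ordering constraint); (2) when the target maintenance
release has a base release higher than the installed software, that base
release is uploaded (not installed) before the maintenance release is
uploaded and installed. Inputs are constructed sample values.
"""

# Lower rank = installed earlier. URL Filtering is unconstrained by the guide,
# so slotting it between Applications and Threats and Antivirus is arbitrary.
CONTENT_RANK = {
    "applications and threats": 0,
    "url filtering": 1,
    "antivirus": 2,
    "wildfire": 2,
}
SOFTWARE = {"pan-os", "panorama", "ssl vpn client", "globalprotect client"}


def parse_version(text):
    """'6.0.3' -> (6, 0, 3); a bare base release '6.0' -> (6, 0, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def base_release(version):
    """Base release of a maintenance release: (6, 0, 3) -> (6, 0, 0)."""
    return (version[0], version[1], 0)


def fmt(version):
    return "%d.%d.%d" % version


def plan_panos_upgrade(installed, target):
    """Return the ordered (action, version) steps to move one firewall from
    the installed PAN-OS release to the target release."""
    cur, tgt = parse_version(installed), parse_version(target)
    if tgt <= cur:
        return []  # already there; downgrades are out of scope here
    steps = []
    base = base_release(tgt)
    if base > cur and tgt != base:
        # Installed software predates the target's base release: stage the
        # base release first with "Upload only to device (do not install)".
        steps.append(("upload only to device (do not install)", fmt(base)))
    steps.append(("install, reboot device after install", fmt(tgt)))
    return steps


def order_updates(updates):
    """Sort a mixed list of update types so content precedes software and
    Applications and Threats precedes Antivirus and WildFire. Unknown update
    types raise ValueError rather than being silently placed."""
    def key(update):
        kind = update.lower()
        if kind in CONTENT_RANK:
            return (0, CONTENT_RANK[kind])
        if kind in SOFTWARE:
            return (1, 0)
        raise ValueError("unknown update type: %s" % update)
    return sorted(updates, key=key)  # sorted() is stable, ties keep input order


if __name__ == "__main__":
    # Constructed sample: the scenario used in the guide, 5.0.12 -> 6.0.3.
    for action, version in plan_panos_upgrade("5.0.12", "6.0.3"):
        print(action, version)
    print(order_updates(["PAN-OS", "WildFire", "Antivirus",
                         "Applications and Threats", "URL Filtering"]))
```

For the guide's own scenario the planner emits two steps, upload 6.0.0 and then install 6.0.3, while an upgrade from 6.0.1 to 6.0.3 needs only the install step because the installed software is already on the 6.0 base release.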
Deploy Updates to Devices when Panorama Has No Internet Connection
Step 1: Download the software or content updates to a host that has Internet access. Panorama must have access to
the host.
1. On a host with Internet access, go to the Palo Alto Support website (https://support.paloaltonetworks.com) and
log in.
2. In the Resources section, select Software Updates or (for content) Dynamic Updates.
The Dynamic Updates page lists the content updates by category: Apps, Apps + Threats, Antivirus, WildFire, and
BrightCloud Seed File (URL filtering).
In the Software Updates page, the filename format of the update package depends on the software and device type:
PAN-OS for hardware-based firewalls: PanOS_<hardware platform>-<release> (for example, PanOS_200-6.1.0 for
the PA-200 firewall with PAN-OS 6.1.0).
PAN-OS for VM-Series firewalls: PanOS_vm-<release> (for example, PanOS_vm-6.1.0).
Panorama software for an M-100 appliance (Log Collector): Panorama_m-<release> (for example,
Panorama_m-6.1.0).
SSL VPN client for all firewalls: PanVPN-<release> (for example, PanVPN-1.3.4)
GlobalProtect client for all firewalls: PanGP-<release> (for example, PanGP-2.1.0)
3. In the Download column, click the desired software or content update and save the file to the host.
Step 2: Upload the update.
By default, you can upload up to five software or content updates of each type to Panorama. When you initiate
any upload beyond that maximum, Panorama deletes the oldest update of the selected type. To change the
maximum, see Manage Panorama Storage for Software and Content Updates.
1. Log in to Panorama and access the page for the desired update:
PAN-OS: Select Panorama > Device Deployment > Software.
SSL VPN client: Select Panorama > Device Deployment > SSL VPN Client.
GlobalProtect client: Select Panorama > Device Deployment > GlobalProtect Client.
Content: Select Panorama > Device Deployment > Dynamic Updates.
2. Click Upload.
3. (Content updates only) Select the Type of content update: Applications and Threats, Antivirus, WildFire, or
URL Filtering.
4. Enter the path to the update File on the host or click Browse to find it, then click OK.
5. When the Result is Succeeded, click Close.
Step 3: Install the update.
You must install content updates before software updates. Also, you must install the Applications and Threats
updates before the Antivirus and WildFire updates. URL Filtering updates have no restrictions in terms of
installation sequence.
1. Click Install From File (for a Panorama/PAN-OS or content update) or Activate From File (for an SSL VPN client
or GlobalProtect client update).
2. (Content updates only) Select the Type of content update: Applications and Threats, Antivirus, Wildfire, or
URL Filtering.
3. In the File Name drop-down, select the file you just uploaded.
4. Select the firewalls and/or Log Collectors on which you want to apply the update.
5. Clear the Group HA Peers check box (if some firewalls are in a high availability configuration) to upgrade one HA
peer at a time.
6. (PAN-OS software update only) Select one of the following check boxes depending on your purpose:
Upload only to device (do not install): If the file you selected is for a base release (for example, 6.0.0) and you
will install a maintenance release (for example, 6.0.3) immediately after, select this option to create the libraries
and directories that are required for the maintenance release.
Reboot device after install: Select this option for all other scenarios. The installation cannot finish until the
device reboots.
7. Click OK and, when the Result is Succeeded, click Close.
Step 4: Verify the software or content version running on each managed firewall.
1. Select Panorama > Managed Devices.
2. Locate the firewall (Device Name column) and review the values in the Software Version, Apps and Threat,
Antivirus, URL Filtering, and GlobalProtect Client columns.
Step 5: Verify the software or content version running on each Log Collector.
Log in to the Panorama CLI of the M-100 appliance and enter the show system info command. The output will
resemble the following:
sw-version: 6.1.0
app-version: 366-1738
app-release-date: 2014/10/29 15:46:03
av-version: 1168-1550
av-release-date: 2014/10/21 14:31:27
threat-version: 366-1738
threat-release-date: 2014/10/29 15:46:03
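Both verification steps above (step 9 of the Internet-connected procedure and Step 5 here) rely on reading the show system info output by eye. The following script is an added example (not code from this guide or from Palo Alto Networks) that parses that key: value output from several appliances, compares each one against a baseline, and flags an appliance whose Applications version does not match its Threats version, which the guide's ordering rule (Applications and Threats before Antivirus and WildFire) makes worth catching. The device names and the non-baseline version values are constructed; the baseline text is the output shown in the guide.

```python
"""Parse 'show system info' output from several appliances and report drift.

Added example, not code from the Panorama guide or Palo Alto Networks. The
guide shows the sw-version / app-version / av-version / threat-version
fields printed by 'show system info' on an M-100 Log Collector. This script
parses that key: value layout, compares each device against a baseline, and
flags devices whose app-version and threat-version disagree. Device names
and the divergent sample values are constructed.
"""
import re

LINE_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.+?)\s*$")
VERSION_FIELDS = ("sw-version", "app-version", "av-version", "threat-version")


def parse_system_info(text):
    """Return {field: value} from the key: value lines of 'show system info'."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def version_key(value):
    """Numeric sort key for both '6.1.0' (software) and '366-1738' (content)."""
    return tuple(int(p) for p in re.split(r"[.-]", value))


def compare_versions(baseline, devices):
    """Compare each device's version fields against the baseline dict.

    Returns {device_name: [findings]}; devices with no findings are omitted."""
    findings = {}
    for name, info in devices.items():
        issues = []
        for field in VERSION_FIELDS:
            have, want = info.get(field), baseline.get(field)
            if have is None:
                issues.append("%s missing from output" % field)
            elif want is not None and have != want:
                age = "newer" if version_key(have) > version_key(want) else "older"
                issues.append("%s is %s, baseline %s (%s)" % (field, have, want, age))
        if info.get("app-version") != info.get("threat-version"):
            issues.append("app-version and threat-version differ; "
                          "reinstall the Applications and Threats update")
        if issues:
            findings[name] = issues
    return findings


# The output shown in the guide, used here as the baseline.
BASELINE_TEXT = """\
sw-version: 6.1.0
app-version: 366-1738
app-release-date: 2014/10/29 15:46:03
av-version: 1168-1550
av-release-date: 2014/10/21 14:31:27
threat-version: 366-1738
threat-release-date: 2014/10/29 15:46:03
"""

# Constructed sample outputs from other appliances (only the fields needed).
SAMPLE_DEVICES = {
    "lc-east-01": BASELINE_TEXT,
    "lc-west-01": "sw-version: 6.1.0\napp-version: 365-1730\n"
                  "av-version: 1168-1550\nthreat-version: 365-1730\n",
    "lc-lab-01": "sw-version: 6.0.3\napp-version: 366-1738\n"
                 "av-version: 1168-1550\nthreat-version: 364-1722\n",
}


def drift_report(baseline_text=BASELINE_TEXT, device_texts=SAMPLE_DEVICES):
    """Parse everything and return the per-device findings."""
    baseline = parse_system_info(baseline_text)
    devices = {name: parse_system_info(text) for name, text in device_texts.items()}
    return compare_versions(baseline, devices)


if __name__ == "__main__":
    for device, issues in sorted(drift_report().items()):
        for issue in issues:
            print("%s: %s" % (device, issue))
```

In the sample, lc-east-01 matches the baseline, lc-west-01 is one content release behind on both Applications and Threats (consistently, so no mismatch), and lc-lab-01 runs older PAN-OS and has a Threats version that lags its Applications version.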
Monitor Network Activity
Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama
(the Application Command Center (ACC), logs, and the report generation capabilities), you can centrally
analyze, investigate and report on all network activity, identify areas with potential security impact, and translate
them into secure application enablement policies.
This section covers the following topics:
Use Panorama for Visibility
Use Case: Monitor Applications Using Panorama
Use Case: Respond to an Incident Using Panorama
Use Panorama for Visibility
In addition to its central deployment and firewall configuration features, Panorama also allows you to monitor
and report on all traffic that traverses your network. While the reporting capabilities on Panorama and the
firewall are very similar, the advantage that Panorama provides is that it is a single pane view of aggregated
information across all your managed firewalls. This aggregated view provides actionable information on trends
in user activity, traffic patterns, and potential threats across your entire network.
Using the Application Command Center (ACC), the App-Scope, the log viewer, and the standard, customizable
reporting options on Panorama, you can quickly learn more about the traffic traversing the network. The ability
to view this information allows you to evaluate where your current policies are adequate and where they are
insufficient. You can then use this data to augment your network security strategy. For example, you can enhance
the security rules to increase compliance and accountability for all users across the network, or manage network
capacity and minimize risks to assets while meeting the rich application needs for the users in your network.
The following topics provide a high-level view of the reporting capabilities on Panorama, including a couple of
use cases to illustrate how you can use these capabilities within your own network infrastructure. For a complete
list of the available reports and charts and the description of each, refer to the online help.
Monitor the Network with the ACC and AppScope
Analyze Log Data
Generate, Schedule, and Email Reports
Monitor the Network with the ACC and AppScope
Both the ACC and the AppScope allow you to monitor and report on the data recorded from traffic that
traverses your network.
The ACC on Panorama displays a summary of network traffic. Panorama can dynamically query data from all
the managed firewalls on the network and display it in the ACC. This display allows you to monitor the traffic
by applications, users, and content activity (URL categories, threats, data filtering, file blocking, HIP match for
GlobalProtect) across the entire network of Palo Alto Networks next-generation firewalls.
The AppScope helps identify unexpected or unusual behavior on the network at a glance. It includes an array
of charts and reports (Summary Report, Change Monitor, Threat Monitor, Threat Map, Network Monitor,
Traffic Map) that allow you to analyze traffic flows by threat or application, or by the source or destination for
the flows. You can also sort by session or byte count.
Use the ACC and the AppScope to answer questions such as:
ACC
What are the top applications used on the network and how many are high-risk applications? Who are the top
users of high-risk applications on the network?
What are the top URL categories being viewed in the last hour?
What are the top bandwidth-using applications? Who are the users/hosts that consume the highest bandwidth?
What content or files are being blocked and are there specific users who trigger this file blocking/data filtering
policy?
What is the amount of traffic exchanged between two specific IP addresses or generated by a specific user?
Where is the destination server or client located geographically?
Monitor > AppScope
What are the Application usage trends: what are the top five applications that have gained use and the top five
that have decreased in use?
How has user activity changed over the current week as compared to last week or last month?
Which users and applications take up most of the network bandwidth? And how has this consumption changed
over the last 30 days?
What are the threats on the network, and how are these incoming and outgoing traffic threats distributed
geographically?
You can then use the information to maintain or enforce changes to the traffic patterns on your network. See
Use Case: Monitor Applications Using Panorama for a glimpse into how the visibility tools on Panorama can
influence how you shape the acceptable use policies for your network.
Here are a few tips to help you navigate the ACC:
Switch from a Panorama view to a Device view: Panorama allows access to the web interface of any
managed firewall using the Context menu. The context switch is a toggle that provides direct firewall access;
it provides the ability to manage firewall-specific settings, such as firewall-specific policy, and/or override
network configuration pushed from a template on a specific firewall.
Change Data Source: The default source used to display the statistics on the charts in the ACC is the
Panorama local data. With the exception of the data that displays in the Application chart, all other charts
require you to enable log forwarding to Panorama.
Using the local data on Panorama provides a quick load time for the charts. You can, however, change the
data source to Remote Device Data. When configured to use Remote Device Data, instead of using the local
Panorama data, Panorama will poll all the managed firewalls and present an aggregated view of the data. The
onscreen display indicates the total number of firewalls being polled and the number of firewalls that have
responded to the query for information.
Select the Charts to View: The ACC includes an array of charts in the areas of Application, URL Filtering,
Threat Prevention, Data Filtering, and HIP Match. With the exception of the Application charts and HIP
Match, all the other charts display only if the corresponding feature has been licensed on the firewall, and
you have enabled logging.
Tweak Time Frame and Sort Data: The reporting time period in the ACC ranges from the last 15
minutes to the last hour, day, week, month, or any custom-defined time. You can sort the data by sessions,
bytes, or threats and filter to view from 5-500 items.
Analyze Log Data
The Monitor tab on Panorama provides access to log data; these logs are an archived list of sessions that have
been processed by the managed firewalls and forwarded to Panorama.
Log data can be broadly grouped into two types: those that detail information on traffic flows on your network
such as applications, threats, host information profiles, URL categories, content/file types and those that record
system events, configuration changes and alarms.
Based on the log forwarding configuration on the managed firewalls, the Monitor > Logs tab can include logs for
traffic flows, threats, URL filtering, data filtering, Host Information Profile (HIP) matches, and WildFire
submissions. You can review the logs to verify a wealth of information on a given session or transaction. Some
examples of this information are the user who initiated the session, the action (allow or deny) that the firewall
performed on the session, and the source and destination ports, zones, and addresses. The system and
configuration logs can indicate a configuration change or an alarm that the firewall triggered when a configured
threshold was exceeded.
Generate, Schedule, and Email Reports
Panorama allows you to generate reports manually as needed, or schedule reports to run at specific intervals.
You can save and export reports, or you can configure Panorama to email reports to specific recipients. The
ability to share reports using email is particularly useful if you want to share reporting information with
administrators who do not have access to Panorama.
It is recommended that you install matching software releases on Panorama and the firewalls for
which you will generate reports. For example, if the Panorama management server runs
Panorama 6.1, install PAN-OS 6.1 on its managed firewalls before generating the reports. This
practice avoids issues that might occur if you create reports that include fields supported in the
Panorama release but not supported in an earlier PAN-OS release on the firewalls.
You can create the following types of reports:
Predefined: A suite of predefined reports in the Monitor > Reports tab that are available in four
categories: Applications, Threats, URL Filtering, and Traffic.
User-activity: The user activity report is a predefined report that is used to create an on-demand
report to document the application use and URL activity broken down by URL
category for a specific user with estimated browse time calculations. This report is
available in the Monitor > PDF Reports > User Activity Reports tab.
Custom: Create and schedule custom reports that display exactly the information you want to
see by filtering on conditions and columns to include. You can generate reports to
query data from a summary database on Panorama or on the remote devices (that is,
the managed firewalls), or use the detailed reports on Panorama or on the remote
devices. To view the databases available for generating these reports, see the Monitor
> Manage Custom Reports tab. You can also create Report Groups (Monitor > PDF
Reports > Report Groups tab) to compile predefined reports and custom reports as a
single PDF.
PDF Summary: Aggregate up to 18 predefined reports, graphs, and custom reports into one PDF
document.
Use the following procedures to create and schedule reports:
Generate, Schedule, and Email Reports
Step 1: Generate reports.
You must set up a Report Group to email report(s).
The steps to generate a report depend on the type:
Create a custom report.
a. Select Monitor > Manage Custom Reports.
b. Click Add and then enter a Name for the report.
c. Select the database, Panorama or Remote Device Data, that you would like to use for the report. You can use
the summary database or the detailed logs on Panorama or on the managed firewalls.
d. Select the Scheduled check box.
e. Define your filtering criteria. Select the Time Frame, the Sort By order, Group By preference, and select the
columns that must display in the report.
f. (Optional) Select the Query Builder attributes, if you want to further refine the selection criteria.
g. To test the report settings, select Run Now. Modify the settings as required to change the information that is
displayed in the report.
h. Click OK to save the custom report.
Run a PDF Summary Report.
a. Select Monitor > PDF Reports > Manage PDF Summary.
b. Click Add and then enter a Name for the report.
c. Use the drop-down list for each report group and select one or more of the elements to design the PDF
Summary Report. You can include a maximum of 18 report elements.
d. Click OK to save the settings.
Define the Report Group. It can include predefined reports, PDF Summary reports, and custom reports. Panorama
compiles all the reports included into a single PDF.
a. Select Monitor > PDF Reports > Report Group.
b. Click Add and then enter a Name for the report group.
c. (Optional) Select Title Page and add a Title for the PDF output.
d. Select from the Predefined Report, PDF Summary Report and the Custom Report lists; click Add to include the
selected report(s) to the report group.
e. Click OK to save the settings.
Step 2: Set up Panorama to email reports.
1. Select Panorama > Server Profiles > Email.
2. Click Add and then enter a Name for the profile.
3. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail
Transport Protocol (SMTP) server and send email (you can add up to four email servers to the profile):
Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be the
host name of an existing SMTP server.
Email Display Name: The name to display in the From field of the email.
From: The email address where notification emails will be sent from.
To: The email address to which notification emails will be sent.
Additional Recipient: To send notifications to a second account, enter the additional address here.
Email Gateway: The IP address or host name of the SMTP gateway to use to send the emails.
4. Click OK to save the server profile.
5. Click Commit and select Panorama as the Commit Type to save the changes to the running configuration.
Step 3: Schedule the report for delivery by email.
1. Select Monitor > PDF Reports > Email Scheduler.
2. Click Add and then enter a Name for the email scheduler profile.
3. Select the Report Group, the Email Profile, and the Recurrence for the report.
4. To verify that the email settings are accurate, select Send test email.
5. Click OK to save your settings.
Step 4: Save the configuration changes.
Click Commit and select Panorama as the Commit Type to save the changes to the running configuration.
Use Case: Monitor Applications Using Panorama
This example takes you through the process of assessing the efficiency of your current policies and determining
where you need to adjust them to fortify the acceptable use policies for your network.
When you log in to Panorama, the Top Applications widget on the Dashboard gives a preview of the most used
applications over the last hour. You can either glance over the list of top applications and mouse over each
application block that you want to review the details for, or you can navigate to the ACC tab to view the same
information as an ordered list. The following image is a view of the Top Applications widget on the Dashboard.
The data source for this display is the application statistics database; it does not use the traffic logs and is
generated whether or not you have enabled logging for security rules. This view into the traffic on your network
depicts everything that is allowed on your network and is flowing through unblocked by any policy rules that
you have defined.
You can select and toggle the Data Source to be local on Panorama or you can query the managed firewalls
(Remote Device Data) for the data; Panorama automatically aggregates and displays the information. For a
speedier flow, consider using Panorama as the data source (with log forwarding to Panorama enabled) because
the time to load data from the remote devices varies by the time period for which you choose to view data and
the volume of traffic that is generated on your network.
Going back to the list of top applications, we can see that bittorrent is very popular. If you now click into the
link for the bittorrent application, the ACC view filters the display to show information on the application, its
behavior, risk level, and the associated URL categorization details.
In the Top Sources table, you can also see how many users are using BitTorrent and the volume of traffic being
generated. If you have enabled User-ID, you will be able to view the names of the users who are generating this
traffic. You can now click on a source user and drill down to review all the activity for that user.
Using the ACC view to filter for BitTorrent traffic that the specific source address or user generated enables you
to verify the source and destination country for this traffic, the firewall that is processing this traffic, the ingress
and egress zones and the security rule that is letting this connection through.
For more detailed information, drill down into the traffic logs for a filtered view and review each log entry for
ports used, packets sent, bytes sent and received. Adjust the columns to view more information or less
information based on your needs.
The Monitor > App-Scope > Traffic Map tab displays a geographical map of the traffic flow and provides a view of
incoming versus outgoing traffic. You can also use the Monitor > App-Scope > Change Monitor tab to view changes
in traffic patterns. For example, compare the top applications used over this hour to the last week or month to
determine if there is a pattern or trend.
With all the information you have now uncovered, you can evaluate what changes to make to your policy
configurations. Here are some suggestions to consider:
Be restrictive and create a pre-rule on Panorama to block all BitTorrent traffic. Then use Panorama device
groups to create and push this policy rule to one or more firewalls.
Enforce bandwidth use limits: create a QoS profile and policy that de-prioritizes non-business traffic, then use
Panorama device groups and templates to configure QoS and push the rules to one or more firewalls.
Reduce risk to your network assets: create an application filter that blocks all file sharing applications that
are peer-to-peer technology with a risk factor of 4 or 5. Make sure to verify that the bittorrent application is
included in that application filter, and will therefore be blocked.
Schedule a custom report group that pulls together the activity for the specific user and that of top
applications used on your network to observe that pattern for another week or two before taking action.
Besides checking for a specific application, you can also check for any unknown applications in the list of top
applications. These are applications that did not match a defined App-ID signature and display as unknown-udp
and unknown-tcp. To delve into these unknown applications, click on the name to drill down to the details for the
unclassified traffic.
Use the same process to investigate the top source IP addresses of the hosts that initiated the unknown traffic
along with the IP address of the destination host to which the session was established. For unknown traffic, the
traffic logs, by default, perform a packet capture (pcap) when an unknown application is detected. The green
arrow in the left column represents the packet capture snippet of the application data. Clicking on the green
arrow displays the pcap in the browser.
Having the IP addresses of the servers (destination IP in the logs), the destination port, and the packet captures,
you will be better positioned to identify the application and make a decision on how you would like to take action
on your network. For example, you can create a custom application that identifies this traffic instead of labeling
it as unknown TCP or UDP traffic. Refer to the article Identifying Unknown Applications for more information
on identifying unknown applications and Custom Application Signatures for information on developing custom
signatures to discern the application.
Use Case: Respond to an Incident Using Panorama
Network threats can originate from different vectors, including malware and spyware infections due to drive-by
downloads, phishing attacks, unpatched servers, and random or targeted denial of service (DoS) attacks, to name
a few methods of attack. The ability to react to a network attack or infection requires processes and systems that
alert the administrator to an attack and provide the necessary forensics evidence to track the source and
methods used to launch the attack.
The advantage that Panorama provides is a centralized and consolidated view of the patterns and logs collected from the managed firewalls across your network. You can use the correlated attack information, alone or in conjunction with the reports and logs generated by a Security Information and Event Management (SIEM) system, to investigate how an attack was triggered and how to prevent future attacks and damage to your network.
The questions that this use case probes are:
- How are you notified of an incident?
- How do you corroborate that the incident is not a false positive?
- What is your immediate course of action?
- How do you use the available information to reconstruct the sequence of events that preceded or followed the triggering event?
- What changes do you need to consider for securing your network?
This use case traces a specific incident and shows how the visibility tools on Panorama can help you respond to
the report.
- Incident Notification
- Review Threat Logs
- Review WildFire Logs
- Review Data Filtering Logs
- Update Security Policies
Incident Notification
There are several ways that you could be alerted to an incident, depending on how you've configured the Palo Alto Networks firewalls and which third-party tools are available for further analysis. You might receive an email notification triggered by a log entry recorded on Panorama or on your syslog server, you might be informed through a specialized report generated on your SIEM solution, or a third-party paid service or agency might notify you. For this example, let's say that you receive an email notification from Panorama. The email informs you of an event triggered by an alert for ZeroAccess.Gen Command And Control Traffic that matched a spyware signature. Also listed in the email are the source and destination IP addresses of the session, a threat ID, and the timestamp of when the event was logged.
Review Threat Logs
To begin investigating the alert, use the threat ID to search the threat logs on Panorama (Monitor > Logs > Threat). From the threat logs, you can find the IP address of the victim, export the packet capture (PCAP; the log entry has a green arrow icon) and use a network analyzer such as Wireshark to review the packet details. For an HTTP-based threat, look for a malformed or bogus HTTP Referer header, a suspicious Host header, URL strings, the User-Agent, and the IP address and port in order to validate the incident. Data from these pcaps is also useful for searching for similar data patterns and for creating custom signatures or modifying security policy to better address the threat in the future.
If this manual review confirms that the signature is firing on real malicious traffic rather than on a false positive, consider transitioning the signature from an alert action to a block action for a more aggressive approach. In some cases, you may choose to add the attacker IP to an IP block list to prevent further traffic from that IP address from reaching the internal network.
If you see a DNS-based spyware signature, the IP address of your local DNS server might display as the Victim IP address. Often this is because the firewall is located north of the local DNS server, so the DNS queries show the local DNS server as the source IP rather than the IP address of the client that originated the request.
If you see this issue, enable the DNS sinkhole action in the Anti-Spyware profile attached to your security policy in order to identify the infected hosts on your network. With DNS sinkholing, the firewall answers DNS queries for malicious domains with an unused internal IP address that you define (the sinkhole) instead of the real address. When a compromised host then initiates a connection to the malicious domain, the connection goes to the sinkhole address rather than out to the Internet, and the traffic log records the true client source IP. Reviewing the traffic logs for all hosts that connected to the sinkhole address lets you locate every compromised host and take remedial action to prevent the spread.
To continue the investigation of the incident, use the information on the attacker and victim IP addresses to find out more, such as:
- Where is the attacker located geographically? Is the IP address an individual IP address or a NATed IP address?
- Was the event caused by a user being tricked into going to a website or a download, or was it sent through an email attachment?
- Is the malware being propagated? Are there other compromised hosts/endpoints on the network?
- Is it a zero-day vulnerability?
The log details for each log entry display the Related Logs for the event. This information points you to the traffic, threat, URL filtering, or other logs that you can review to correlate the events that led to the incident. For example, filter the traffic log (Monitor > Logs > Traffic) using the victim IP address as both the source and the destination IP to get a complete picture of all the external and internal hosts/clients with which this victim IP address has established a connection.
Review WildFire Logs
In addition to the threat logs, use the victim IP address to filter through the WildFire Submissions logs. The WildFire Submissions logs contain information on files uploaded to the WildFire service for analysis. Because spyware typically embeds itself covertly, reviewing the WildFire logs tells you whether the victim recently downloaded a suspicious file. The WildFire forensics report displays information on the URL from which the file or .exe was obtained and on the behavior of the content. It tells you whether the file is malicious and whether it modified registry keys, read from or wrote to files, created new files, opened network communication channels, caused application crashes, spawned processes, downloaded files, or exhibited other malicious behavior. Use this information to determine whether to block the application that caused the infection (web-browsing, SMTP, FTP), make URL filtering policies more stringent, or restrict some applications/actions (for example, file downloads for specific user groups).
Access to the WildFire logs from Panorama requires the following: a WildFire subscription, a file blocking profile that is attached to a security policy, and threat log forwarding to Panorama.
If WildFire determines that a file is malicious, a new antivirus signature is created within 24-48 hours and made available to you. If you have a WildFire subscription, the signature is made available within 30-60 minutes as part of the next WildFire signature update. As soon as the firewall has received the signature, if your security policy is configured to block malware, the file is blocked and the information on the blocked file is visible in your threat logs. This tight integration protects you from the threat and stems the spread of malware on your network.
Review Data Filtering Logs
The data filtering log (Monitor > Logs > Data Filtering) is another valuable source for investigating malicious
network activity. While you can periodically review the logs for all the files that you are being alerted on, you can
also use the logs to trace file and data transfers to or from the victim IP address or user, and verify the direction
and flow of traffic: server to client or client to server. To recreate the events that preceded and followed an event,
filter the logs for the victim IP address as a destination, and review the logs for network activity.
Because Panorama aggregates information from all managed firewalls, it presents a good overview of all activity in your network. Other visual tools that you can use to survey traffic on your network are the Threat Map, Traffic Map, and Threat Monitor. The threat map and traffic map (Monitor > AppScope > Threat Map or Traffic Map) let you visualize the geographic regions for incoming and outgoing traffic. They are particularly useful for viewing unusual activity that could indicate an attack from outside, such as a DDoS attack. If, for example, you do not have many business transactions with Eastern Europe and the map reveals an abnormal level of traffic to that region, click the corresponding area of the map to launch the ACC and view the top applications, traffic details on session count and bytes sent and received, top sources and destinations, users or IP addresses, and the severity of any threats detected. The threat monitor (Monitor > AppScope > Threat Monitor) displays the top ten threats on your network, or the list of top attackers or top victims on the network.
Update Security Policies
With all the information you have now uncovered, you can sketch how the threat impacts your network (the scale of the attack, the source, the compromised hosts, the risk factor) and evaluate what changes, if any, to follow through on. Here are some suggestions to consider:
- Forestall DDoS attacks by enhancing your DoS Protection profile, for example by selecting Random Early Drop or SYN Cookies as the action for TCP SYN floods. Consider placing limits on ICMP and UDP traffic. Evaluate the options available to you based on the trends and patterns you noticed in your logs, and implement the changes using Panorama templates.
- Create a dynamic block list (Objects > Dynamic Block Lists) to block specific IP addresses that you have uncovered from several intelligence sources: analysis of your own threat logs, DDoS attacks from specific IP addresses, or a third-party IP block list. The list must be a text file located on a web server. Using device groups on Panorama, push the object to the managed firewalls so that the firewalls can access the web server and import the list at a defined frequency. After creating a dynamic block list object, define a security policy that uses the address object in the source and destination fields to block traffic from or to the IP addresses, ranges, or subnets defined. Because every firewall enforces whatever the file contains, control who can write to that web server and review the list before you publish it. This approach allows you to block intruders until you resolve the issue and make larger policy changes to secure your network.
- Determine whether to create shared policies or device group policies to block specific applications that caused the infection (web-browsing, SMTP, FTP), make URL filtering policies more stringent, or restrict some applications/actions (for example, file downloads for specific user groups).
- On Panorama, you can also switch to the device context and configure the firewall for botnet reports that identify potential botnet-infected hosts on the network.
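The two log-driven tasks in this use case, the DNS sinkhole review under Review Threat Logs and the assembly of the text file for a Dynamic Block List above, as an added Python example. This is not Palo Alto Networks code and not a Panorama API: it works on CSV exports of the traffic and threat logs. The column names (src, dst, threat_id and so on), the sinkhole address, and every address, timestamp and threat ID in the embedded samples are constructed assumptions; map the column names to the header row of your own export.

```python
"""Log triage helpers for the incident-response use case.

Added example, not Palo Alto Networks code and not a Panorama API. It works on
CSV exports of the traffic and threat logs (Monitor > Logs > ... > export) and
shows two tasks from the text: listing the internal hosts that connected to the
DNS sinkhole address, and turning attacker addresses from the threat log plus a
third-party list into the one-entry-per-line text file that a Dynamic Block
List fetches from a web server.

Assumptions: the column names (src, dst, threat_id, ...) match the header row
of your export; every address, timestamp and threat ID in the samples below is
constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import Counter

SINKHOLE_IP = "10.254.254.254"  # assumption: the unused internal address configured as the sinkhole

# Constructed sample exports (not real log data).
TRAFFIC_CSV = """receive_time,src,dst,dport,app,action
2016/01/10 09:01:12,10.1.1.23,10.254.254.254,80,web-browsing,allow
2016/01/10 09:01:15,10.1.1.23,93.184.216.34,443,ssl,allow
2016/01/10 09:02:40,10.1.1.57,10.254.254.254,443,ssl,allow
2016/01/10 09:03:02,10.1.1.57,10.254.254.254,80,web-browsing,allow
2016/01/10 09:05:30,10.1.2.9,10.254.254.254,8080,unknown-tcp,allow
"""
THREAT_CSV = """receive_time,src,dst,threat_id,severity,action
2016/01/10 08:59:58,198.51.100.77,10.1.1.23,90001,critical,alert
2016/01/10 09:00:30,198.51.100.77,10.1.1.57,90001,critical,alert
2016/01/10 09:04:01,203.0.113.5,10.1.2.9,90001,critical,alert
2016/01/10 09:06:00,10.1.1.23,192.0.2.10,90001,critical,alert
"""

# Your own address space. It must never end up in a block list: with DNS-based
# signatures your internal DNS server can show up as victim or even as source.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX = 8  # assumption: refuse anything broader than /8 so one bad entry cannot block everything


def _rows(csv_text):
    return csv.DictReader(io.StringIO(csv_text))


def sinkhole_hosts(traffic_csv, sinkhole_ip=SINKHOLE_IP):
    """[(source_ip, sessions), ...] for hosts that connected to the sinkhole, busiest first.

    A clean host never receives the sinkhole address from DNS, so every entry
    here is an infected host to remediate, regardless of the session count.
    """
    counts = Counter(r["src"] for r in _rows(traffic_csv) if r["dst"] == sinkhole_ip)
    return sorted(counts.items(), key=lambda kv: (-kv[1], ipaddress.ip_address(kv[0])))


def attacker_ips(threat_csv, threat_id):
    """External source addresses that triggered threat_id.

    Internal sources are skipped: for command-and-control traffic the internal
    host is the victim and belongs in remediation, not in a block list.
    """
    hits = set()
    for r in _rows(threat_csv):
        if r["threat_id"] != threat_id:
            continue
        try:
            src = ipaddress.ip_address(r["src"])
        except ValueError:
            continue
        if not any(src in net for net in INTERNAL):
            hits.add(str(src))
    return hits


def build_block_list(candidates):
    """Normalise IPs and CIDRs from several sources into Dynamic Block List text.

    Invalid strings, internal space and over-broad prefixes are dropped;
    duplicates and entries covered by a wider subnet are collapsed. Host
    entries are written as plain addresses, subnets in CIDR form.
    """
    nets = []
    for raw in candidates:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue  # in production, log the rejected entry
        if net.prefixlen < MIN_PREFIX:
            continue
        if net.version == 4 and any(net.overlaps(internal) for internal in INTERNAL):
            continue
        nets.append(net)
    lines = []
    for version in (4, 6):  # collapse_addresses needs a single address family
        for net in ipaddress.collapse_addresses([n for n in nets if n.version == version]):
            lines.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return "".join(line + "\n" for line in lines)
```

Anything sinkhole_hosts returns is an infected host, because only a host that resolved a malicious domain through the firewall ever receives the sinkhole address. The internal-network filter in attacker_ips and build_block_list is what keeps a DNS server that appeared as source or victim out of the block list, and MIN_PREFIX guards against a malformed third-party entry such as 0.0.0.0/0 being pushed to every firewall.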
Panorama High Availability
Panorama High Availability (HA) is a configuration in which two Panorama servers are placed in a group
(two-device cluster) to provide redundancy in the event of a system or network failure. Panorama in HA
provides continuity in the task of centrally administering and monitoring the firewalls to secure your network.
- Panorama HA Prerequisites
- Priority and Failover on Panorama in HA
- Failover Triggers
- Logging Considerations in Panorama HA
- Synchronization Between Panorama HA Peers
- Manage a Panorama HA Pair
Panorama HA Prerequisites
To configure Panorama in HA, you require a pair of identical Panorama servers that meet the following requirements:
- The same form factor: both must be hardware-based appliances (M-100 appliances) or both virtual appliances. For HA, the M-100 appliances must be in Panorama mode; M-100 appliances in Log Collector mode do not support HA.
- The same Panorama OS version: both must run the same version of Panorama in order to synchronize configuration information and maintain parity for a seamless failover.
- The same set of licenses: you must purchase and install the same device management capacity license on each Panorama.
- (Panorama virtual appliance only) A unique serial number: each Panorama virtual appliance must have a unique serial number; if the serial number is duplicated, both instances of Panorama are placed in a suspended mode until you resolve the issue.
The Panorama servers in the HA configuration are peers. Either peer can be used to run reports and log queries, but only the active peer can make configuration changes and push them to the managed devices (see Priority and Failover on Panorama in HA and Synchronization Between Panorama HA Peers). The HA peers use the management port to synchronize the configuration elements pushed to the managed devices and to maintain state information. Typically, Panorama HA peers are located at different geographic sites, so you need to make sure that the management port IP address assigned to each peer is routable through your network. With encryption enabled, HA connectivity uses TCP port 28; if encryption is not enabled, ports 28769 and 28260 are used for HA connectivity and to synchronize configuration between the HA peers. Enable encryption whenever the management path between the peers crosses a network you do not fully control, because the synchronized data includes your policies and administrative settings. The maximum latency between the peers is 50 ms. To determine the latency, use ping during a period of normal traffic.
Priority and Failover on Panorama in HA
Each Panorama peer in the HA pair is assigned a priority value. The priority (primary or secondary) determines which peer is eligible to be the main point of administration and log management. The peer set as primary assumes the active state, and the secondary becomes passive. The active peer handles all the configuration changes and pushes them to the managed firewalls; the passive peer cannot make any configuration changes or push configuration to the managed firewalls. However, either peer can be used to run reports or to perform log queries.
The passive peer is synchronized and ready to transition to the active state if a path, link, system, or network failure occurs on the active device.
When a failover occurs, only the state (active or passive) of the device changes; the priority (primary or secondary) does not. For example, when the primary peer fails, its status changes from active-primary to passive-primary.
A peer in the active-secondary state can perform all functions with two exceptions:
- It cannot manage device deployment functions such as license updates or software upgrades on the managed firewalls.
- (Panorama virtual appliance only) It cannot log to an NFS until you manually change its priority to primary.
The following table lists the capabilities of Panorama based on its state and priority settings:
For more information, see Panorama HA Prerequisites or Set Up HA on Panorama.
Failover Triggers
When a failure occurs on the active device and the passive device takes over the task of managing the firewalls, the event is called a failover. A failover is triggered when a monitored metric on the active device fails. This failure transitions the state of the primary Panorama from active-primary to passive-primary, and the secondary Panorama becomes active-secondary.
The conditions that trigger a failover are:
- The Panorama peers cannot communicate with each other and the active peer does not respond to health and status polls; the metric used is HA Heartbeat Polling and Hello Messages. When the Panorama peers cannot communicate with each other, the active peer checks whether the managed devices are still connected to it before a failover is triggered. This check helps avoid a failover that would cause a split-brain scenario, where both Panorama peers are in an active state.
- One or more of the destinations (IP addresses) specified on the active peer cannot be reached; the metric used is HA Path Monitoring.
In addition to the failover triggers listed above, a failover also occurs when the administrator places the device in a suspended state or when preemption occurs. Preemption is a preference for the primary Panorama to resume the active role after recovering from a failure (or a user-initiated suspension). By default, preemption is enabled: when the primary Panorama recovers from a failure and becomes available, the secondary Panorama relinquishes control and returns to the passive state. When preemption occurs, the event is logged in the system log.
If you are logging to an NFS datastore, do not disable preemption, because preemption allows the primary peer (the one mounted to the NFS) to resume the active role and write to the NFS datastore. For all other deployments, preemption is only required if you want to make sure that a specific device is the preferred active device.
HA Heartbeat Polling and Hello Messages
The HA peers use hello messages and heartbeats to verify that the peer is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the other. The heartbeat is an ICMP ping to the HA peer, and the peer responds to the ping to establish that the devices are connected and responsive. By default, the heartbeat interval is 1000 ms and the hello interval is 8000 ms.
HA Path Monitoring
Path monitoring checks network connectivity and link state for specified IP addresses. The active peer uses ICMP pings to verify that one or more destination IP addresses can be reached. You can, for example, monitor the availability of an interconnected networking device like a router or a switch, connectivity to a server, or some other vital device that is in the flow of traffic. Make sure that the node/device configured for monitoring is not likely to be unresponsive, especially when it comes under load, as this could cause a path monitoring failure and trigger a failover.
The default ping interval is 5000 ms. An IP address is considered unreachable when three consecutive pings (the default value) fail. Whether a path group fails when any of its IP addresses or only when all of them become unreachable is configured per group; by default, if any one of the IP addresses becomes unreachable, the HA state transitions to non-functional.
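The path monitoring and failover behavior described in this section, in Failover Triggers, and in Priority and Failover on Panorama in HA, as an added Python model. It is not Palo Alto Networks code and does not talk to Panorama; the class names, the ping-result dictionaries and the suspend/make-functional method names are modelling assumptions, while the three-lost-pings default, the any/all semantics, the state-versus-priority rule and the NFS restriction are taken from the text. It exists to make the less obvious consequences checkable: a group set to all fails only when none of its destinations answers, a failover never changes priority, and with preemption disabled an NFS-logging pair writes no logs until the active-secondary peer is converted to primary.

```python
"""Model of Panorama HA path monitoring, failover and preemption.

Added example, not Palo Alto Networks code. It encodes the rules from the
"Failover Triggers", "HA Path Monitoring" and "Priority and Failover" sections
so their consequences can be exercised. Class names and the ping-result format
are modelling choices; the three-lost-pings default and the any/all semantics
are the guide's.
"""

UNREACHABLE_AFTER = 3  # consecutive lost pings before an IP counts as unreachable (guide default)


class PathGroup:
    """Destination IPs that the active peer pings, plus the group's failure condition."""

    def __init__(self, name, destinations, condition="any"):
        if condition not in ("any", "all"):
            raise ValueError("failure condition must be 'any' or 'all'")
        self.name, self.condition = name, condition
        self.lost = {ip: 0 for ip in destinations}  # consecutive lost pings per destination

    def record_pings(self, results):
        """results maps destination IP -> True if the ICMP reply arrived. A reply resets the count."""
        for ip, answered in results.items():
            self.lost[ip] = 0 if answered else self.lost[ip] + 1

    def unreachable(self):
        return {ip for ip, n in self.lost.items() if n >= UNREACHABLE_AFTER}

    def failed(self):
        down = self.unreachable()
        if self.condition == "any":
            return len(down) > 0
        return len(down) == len(self.lost)  # "all": none of the destinations is reachable


def path_monitoring_failed(groups, condition="any"):
    """Top-level Path Monitoring condition across groups ('any' group fails, or 'all' groups fail)."""
    states = [g.failed() for g in groups]
    return any(states) if condition == "any" else all(states)


class Peer:
    def __init__(self, priority):
        self.priority = priority  # "primary"/"secondary": changed only by an administrator
        self.state = "active" if priority == "primary" else "passive"

    @property
    def label(self):
        return "%s-%s" % (self.state, self.priority)  # e.g. "passive-primary"


class PanoramaHAPair:
    def __init__(self, preemption=True, nfs_logging=False):
        self.preemption, self.nfs_logging = preemption, nfs_logging
        self.peers = (Peer("primary"), Peer("secondary"))

    def active(self):
        return next((p for p in self.peers if p.state == "active"), None)

    def other(self, peer):
        return self.peers[1 - self.peers.index(peer)]

    def failover(self, monitor_failed):
        """A monitored metric failed on the active peer: states swap, priorities stay."""
        act = self.active()
        if monitor_failed and act is not None:
            act.state, self.other(act).state = "passive", "active"

    def suspend(self, peer):
        """Administrator suspends a peer; if it was the active one this is also a failover."""
        was_active = peer.state == "active"
        peer.state = "suspended"
        if was_active:
            self.other(peer).state = "active"

    def make_functional(self, peer):
        """A suspended or failed peer is back. With preemption the primary retakes the active role."""
        peer.state = "passive"
        if self.preemption and peer.priority == "primary":
            self.other(peer).state, peer.state = "passive", "active"

    def nfs_writer(self):
        """Only an active-primary peer mounts the NFS log partition (virtual appliance)."""
        act = self.active()
        if self.nfs_logging and act is not None and act.priority == "primary":
            return act
        return None

    def convert_to_primary(self, peer):
        """'request high-availability convert-to-primary' run on the active-secondary peer."""
        if not (peer.state == "active" and peer.priority == "secondary"):
            raise RuntimeError("run this on the active-secondary peer only")
        peer.priority, self.other(peer).priority = "primary", "secondary"
```

Run your own scenarios against it before choosing path-group conditions: a single flaky destination in a group set to any is enough to fail over the whole pair, which is exactly the situation the warning above about monitored devices under load describes.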
Logging Considerations in Panorama HA
Setting up Panorama in an HA configuration provides redundancy for log collection. Because the managed devices are connected to both Panorama peers over SSL, when a state change occurs, each Panorama sends a message to the managed devices. The devices are notified of the Panorama HA state and can forward logs accordingly.
By default, when the managed devices cannot connect to Panorama (M-100 appliance or Panorama virtual appliance), they buffer the logs; when the connection is restored, they resume sending logs from the point where they left off.
The logging options on the hardware-based Panorama and on the Panorama virtual appliance differ:
- Logging Failover on a Panorama Virtual Appliance
- Logging Failover on an M-100 Appliance
Logging Failover on a Panorama Virtual Appliance
On the Panorama virtual appliance, the log failover behavior depends on the log storage type:
Virtual Disk: By default, the managed devices send logs as independent streams to each Panorama HA peer. If a peer becomes unavailable, the managed devices buffer the logs, and when the peer reconnects they resume sending logs from where they left off (subject to disk storage capacity and the duration of the disconnection). Logging to a virtual disk provides redundancy in logging; however, the maximum log storage capacity is 2TB.
The option to forward logs only to the active peer is configurable (see Modify Log Forwarding and Buffering Defaults). However, Panorama does not support log aggregation across the HA pair, so if you log to a virtual disk or local disk, for monitoring and reporting you must query the Panorama peer that collects the logs from the managed devices.
Network File Share (NFS): When configured to use an NFS, only the active-primary device mounts the NFS-based log partition and can receive logs. On failover, the primary device goes into a passive-primary state. In this scenario, until preemption occurs, the active-secondary Panorama manages the devices, but it does not receive the logs and it cannot write to the NFS. To allow the active-secondary peer to log to the NFS, you must manually switch it to primary so that it can mount the NFS partition. For instructions, see Switch Priority after Panorama Failover to Resume NFS Logging.
Logging Failover on an M-100 Appliance
If you are using a pair of M-100 appliances (must be in Panorama mode), the managed devices can send logs to
only one peer in the HA pair, either the active or the passive peer. Unlike the virtual Panorama deployment, you
cannot configure the devices to send logs to both peers, however, the RAID-enabled disks on the M-100
appliance protect against disk failure and loss of logs.
If you have a distributed log collection set up where the managed devices are sending logs to a dedicated Log
Collector, the Panorama peers in HA will query all the managed Log Collectors for aggregated log information.
For more information, see Panorama HA Prerequisites or Set Up HA on Panorama.
Synchronization Between Panorama HA Peers
The Panorama HA peers synchronize the running configuration each time you commit changes on the active
Panorama peer. The candidate configuration is synchronized between the peers each time you save the
configuration on the active peer or just before a failover occurs.
Settings that are common across the pair, such as shared objects and policies, device group objects and policies,
template configuration, and administrative access configuration, are synchronized between the Panorama HA
peers.
The settings that are not synchronized are those that are unique to each peer, such as the following:
- Panorama HA configuration: priority setting, peer IP address, path monitoring groups and IP addresses
- Panorama configuration: management port IP address, FQDN settings, login banner, NTP server, time zone, geographic location, DNS server, permitted IP addresses for accessing Panorama, and SNMP system settings
- Scheduled configuration exports
- NFS partition configuration and all disk quota allocation for logging
- Disk quota allocation for the different types of logs and databases on the Panorama local storage (SSD)
If you use a master key to encrypt the private keys and certificates on Panorama, you must use
the same master key on both HA peers. If the master keys differ, Panorama cannot synchronize
the HA peers.
For more information, see Panorama HA Prerequisites or Set Up HA on Panorama.
Manage a Panorama HA Pair
- Set Up HA on Panorama
- Test Panorama HA Failover
- Switch Priority after Panorama Failover to Resume NFS Logging
- Upgrade Panorama in HA
- Restore the Primary Panorama to the Active State
Set Up HA on Panorama
Review the Panorama HA Prerequisites before performing the following steps:
Step 1: Set up connectivity between the MGT ports on the HA peers.
The Panorama peers communicate with each other using the MGT port. Make sure that the IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable and that the peers can communicate with each other across your network. To set up the MGT port, see Set Up Panorama.
Pick a device in the pair and complete the remaining tasks.

Step 2: Enable HA and (optionally) enable encryption for the HA connection.
1. Select Panorama > High Availability and edit the Setup section.
2. Select Enable HA.
3. In the Peer HA IP Address field, enter the IP address assigned to the peer device.
4. In the Monitor Hold Time field, enter the length of time (milliseconds) that the system will wait before acting on a control link failure (range is 1000-60000, default is 3000).
5. If you do not want encryption, clear the Encryption Enabled check box and click OK; no more steps are required. If you do want encryption, select the Encryption Enabled check box, click OK, and perform the following tasks:
   a. Select Panorama > Certificate Management > Certificates.
   b. Select Export HA key. Save the HA key to a network location that the peer device can access. The exported HA key is the shared secret for the encrypted HA connection, so restrict access to that location and delete the copy once the peer has imported it.
   c. On the peer device, navigate to Panorama > Certificate Management > Certificates, select Import HA key, browse to the location where you saved the key, and import it.
Step 3: Set the HA priority.
1. In Panorama > High Availability, edit the Election Settings section.
2. Define the Device Priority as Primary or Secondary. Make sure to set one peer as primary and the other as secondary. If both peers have the same priority setting, the peer with the higher serial number will be placed in a suspended state.
3. Define the Preemptive behavior. By default preemption is enabled. The preemption selection (enabled or disabled) must be the same on both peers. If you are using an NFS for logging and you have disabled preemption, to resume logging to the NFS see Switch Priority after Panorama Failover to Resume NFS Logging.

Step 4: To configure path monitoring, define one or more path groups.
The path group lists the destination IP addresses (nodes) that Panorama must ping to verify network connectivity. Perform the following steps for each path group that includes the nodes that you want to monitor.
1. Select Panorama > High Availability and, in the Path Group section, click Add.
2. Enter a Name for the path group.
3. Select a Failure Condition for this group: any triggers a link monitoring failure if any one of the IP addresses becomes unreachable; all triggers a link monitoring failure only when none of the IP addresses are reachable.
4. For each destination IP address you want to monitor, click Add and type the IP address.
5. Click OK. The Path Group section displays the new group.

Step 5: (Optional) Select the failure condition for path monitoring on Panorama.
Select Panorama > High Availability, edit the Path Monitoring section, and select a Failure Condition: all triggers a failover only when all monitored path groups fail; any triggers a failover when any monitored path group fails.

Step 6: Save your configuration changes.
Click Commit, select Panorama in the Commit Type option, and click OK.

Step 7: Configure the other Panorama peer.
Repeat Step 2 through Step 6 on the other peer in the HA pair.

Step 8: Verify that the Panorama servers are paired in HA.
After you configure both Panorama servers for HA:
1. Access the Dashboard on each Panorama, and view the High Availability widget.
2. Verify that the Panorama servers are paired and synchronized:
   - Active Panorama: the state of the Local peer must be active and the Running Config must be synchronized.
   - Passive Panorama: the state of the Local peer must be passive and the Running Config must be synchronized.
Test Panorama HA Failover
To test that your HA configuration works properly, trigger a manual failover and verify that the peer transitions
states successfully.
Step 1: Log in to the active Panorama peer.
You can verify the state of the Panorama server in the bottom right corner of the web interface.

Step 2: Suspend the active Panorama peer.
Select Panorama > High Availability, and then click the Suspend local Panorama link in the Operational Commands section.

Step 3: Verify that the passive Panorama peer has taken over as active.
On the Dashboard of the formerly passive Panorama, in the High Availability widget, verify that the state of the Local peer is active and the state of the Peer is suspended.

Step 4: Restore the suspended peer to a functional state. Wait a couple of minutes, and then verify that preemption has occurred, if preemption is enabled.
On the Panorama you previously suspended:
1. In the Operational Commands section of Panorama > High Availability, click the Make local Panorama functional link.
2. In the High Availability widget on the Dashboard, confirm the result: if preemption is enabled and this peer is the primary, this (Local) Panorama takes over as the active peer and the other peer returns to the passive state; otherwise this peer comes back as passive and the other peer remains active.
Switch Priority after Panorama Failover to Resume NFS Logging
Support for a Network File Share (NFS) based logging mechanism is only available on the
Panorama virtual appliance.
When a Panorama HA pair is configured to use a Network File Share (NFS) based logging mechanism, only the primary Panorama peer is mounted to the NFS-based log partition and can write to the NFS. When a failover occurs and the passive Panorama becomes active, its state is active-secondary. Although a secondary Panorama peer can actively manage the devices, it cannot receive logs or write to the NFS because it does not own the NFS partition. When the managed devices cannot forward logs to the primary Panorama peer, the logs are written to the local disk on each device. The devices maintain a pointer to the last set of log entries that were forwarded to Panorama, so that when the passive-primary Panorama becomes available again, they can resume forwarding logs to it.
Use the instructions in this section to manually switch priority on the active-secondary Panorama peer so that it can begin logging to the NFS partition. The typical scenarios in which you might need to trigger this change are as follows:
- Preemption is disabled. By default, preemption is enabled on Panorama and the primary peer resumes as active when it becomes available again. When preemption is disabled, you need to switch the priority on the secondary peer to primary so that it can mount the NFS partition, receive logs from the managed devices, and write to the NFS partition.
The active Panorama fails and cannot recover from the failure in the short term. If you do not switch the
priority, when the maximum log storage capacity on the firewall is reached, the oldest logs will be overwritten
to enable it to continue logging to its local disk. This situation can lead to loss of logs.
Switch Priority after Panorama Failover to Resume NFS Logging
1. Log in to the currently passive-primary Panorama, select Panorama > Setup > Operations and, in the Device Operations section, click Shutdown Panorama.
2. Log in to the active-secondary Panorama, select Panorama > High Availability, edit the Election Settings, and set the Priority to Primary.
3. Click Commit, for the Commit Type select Panorama, and click OK. Do not reboot when prompted.
4. Log in to the Panorama CLI and enter the following command to change the ownership of the NFS partition to this peer: request high-availability convert-to-primary
5. Select Panorama > Setup > Operations and, in the Device Operations section, click Reboot Panorama.
6. Power on the Panorama peer that you shut down in Step 1. This peer will now be in a passive-secondary state.
Upgrade Panorama in HA
To ensure a seamless failover, the primary and secondary Panorama peers in an HA pair must have the same
Panorama version and the same versions of the Applications and Threat databases.
The following example describes how to upgrade an HA pair with an active-primary peer named Primary_A
and the passive-secondary peer named Secondary_B.
Upgrade Panorama in HA
Step 1. Upgrade the Panorama software version on Secondary_B, the passive-secondary peer.
For upgrade instructions, see Install Content and Software Updates for Panorama.
Step 2. Suspend Primary_A to trigger a failover.
In the Panorama > High Availability tab on Primary_A:
1. In the Operational Commands section, click the Suspend local Panorama link to suspend this peer.
2. Verify that the state displays as suspended; the state displays in the bottom-right corner of the web interface.
Placing Primary_A in a suspended mode triggers a failover and Secondary_B transitions to the active-secondary state.
Step 3. Upgrade the Panorama software version on Primary_A.
For upgrade instructions, see Install Content and Software Updates for Panorama.
On upgrade this Panorama will transition to a non-functional state because the OS version does not match that of its peer.
On reboot, Primary_A first transitions to the passive-primary state. Then, because preemption is enabled by default, Primary_A will automatically transition to the active-primary state and Secondary_B will revert to the passive-secondary state.
If you have disabled preemption, see Restore the Primary Panorama to the Active State for restoring Primary_A to the active state.
Step 4. Verify that the Panorama software version and other content database versions are the same on both peers.
On the Dashboard of each Panorama peer, verify that the Panorama software version, the Threat version, and the Application versions are a Match and that the running configuration is synchronized with the peer.
Restore the Primary Panorama to the Active State
By default, the preemptive capability on Panorama allows the primary Panorama to resume functioning as the
active peer as soon as it becomes available. However, if preemption is disabled, the only way to force the primary
Panorama to become active after recovering from a failure, a non-functional, or a suspended state, is by
suspending the secondary Panorama peer.
Before the active-secondary Panorama goes into a suspended state, it transfers the candidate configuration to
the passive device so that all your uncommitted configuration changes are saved and can be accessed on the
other peer.
Suspend the Secondary Panorama
Step 1. Suspend Panorama.
1. Log in to the Panorama peer that you want to place in a suspended state.
2. Select Panorama > High Availability, and click the Suspend local Panorama link in the Operational Commands section.
Step 2. Verify that the status displays that the device was suspended at user request.
On the Dashboard, High Availability widget, verify that the Local state is suspended.
A failover is triggered when you suspend a peer, and the other Panorama takes over as the active peer.
Restore the Primary Panorama to a Functional State
Step 3. Restore the suspended Panorama to a functional state.
1. In the Panorama > High Availability tab, Operational Commands section, click the Make local Panorama functional link.
2. On the Dashboard, High Availability widget, confirm that the device has transitioned to either the active or passive state.
Administer Panorama
This section describes how to administer and maintain Panorama. It includes the following topics:
Manage Configuration Backups
Compare Changes in Panorama Configurations
Restrict Access to Configuration Changes
Add Custom Logos to Panorama
View Panorama Task Completion History
Reallocate Log Storage Quota
Monitor Panorama
Reboot or Shut Down Panorama
Generate Diagnostic Files for Panorama
Configure Panorama Password Profiles and Complexity
Replace a Failed Disk on an M-100 Appliance
Replace the Virtual Disk on a Panorama Virtual Appliance
For instructions on completing initial setup, including defining network access settings, licensing,
upgrading the Panorama software version, and setting up administrative access to Panorama,
see Set Up Panorama.
Manage Configuration Backups
A configuration backup is a snapshot of the system configuration. In case of a system failure or a
misconfiguration, a configuration backup allows you to restore Panorama to a previously saved version of the
configuration. On Panorama, you can manage configuration backups of the managed firewalls and that of
Panorama:
Manage configuration backups of the managed devices: Panorama automatically saves every configuration change that is committed to a managed firewall running PAN-OS version 5.0 or later. By default, Panorama stores up to 100 versions for each firewall. This value is configurable.
Manage Panorama configuration backups: You can manually export the running configuration of Panorama, as required.
Export a configuration file package: In addition to its own running configuration, Panorama saves a backup of the running configuration from all managed firewalls. You can generate a gzip package of the latest version of the configuration backup of Panorama and that of each managed firewall either on demand or on a schedule using the Scheduled Config Export capability. The package can be scheduled for daily delivery to an FTP server or a Secure Copy (SCP) server; the files in the package are in XML format, and each file name references the firewall serial number for easy identification. Because FTP transfers both the credentials and the configuration files in cleartext, prefer SCP for this export.
You can perform the following tasks to manage configuration backups:
Schedule Export of Configuration Files
Manage Panorama Configuration Backups
Configure the Number of Configuration Backups Panorama Stores
Load a Configuration Backup on a Managed Firewall
Schedule Export of Configuration Files
Use these instructions to schedule daily exports of the configuration file package that contains the backup of
the running configuration of Panorama and the managed firewalls. You require superuser privileges to configure
the export.
If Panorama has a high availability (HA) configuration, you must perform these instructions on each peer to
ensure the scheduled exports continue after a failover. Panorama does not synchronize scheduled configuration
exports between HA peers.
Schedule the Export of Configuration Files
1. Select Panorama > Scheduled Configuration Export.
2. Click Add, and enter a Name and Description for the file export process.
3. Select Enable to allow the configuration file export.
4. Enter a time or select one from the drop-down for daily export of the configuration files. A 24-hour clock is used.
5. Select the protocol.
6. Enter the details for accessing the server. Provide the hostname or IP address, port, path for uploading the file, and authentication credentials.
7. (SCP only) Click Test SCP server connection. To enable the secure transfer of data, you must verify and accept the host key of the SCP server. Compare the key Panorama displays with the host key obtained from the SCP server itself before accepting it. The connection is not established until the host key is accepted. If Panorama has an HA configuration, you must perform this step on each HA peer so that each one accepts the host key of the SCP server.
If Panorama can successfully connect to the SCP server, it creates and uploads the test file named ssh-export-test.txt.
8. Save the changes. Click Commit, select Panorama as the Commit Type and click OK.
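The host key check in step 7 is a trust-on-first-use decision: whatever key is accepted is the key Panorama will trust for later uploads, so compare the fingerprint shown in the prompt with one obtained out of band from the SCP server (for example, the output of ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on that server). The script below is an added example, not part of this guide or of Panorama; it computes the OpenSSH SHA256 and MD5 fingerprints from a public key line and compares them with a displayed fingerprint. The host name scp-backup.example.net and the key material are constructed for the example and are not a real server's key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, the encoding used inside OpenSSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Encode a raw 32-byte Ed25519 public key as an OpenSSH key blob.

    Used only to build the constructed sample below; a real server's blob is
    the base64 third field of its /etc/ssh/ssh_host_*_key.pub file.
    """
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)


def parse_pubkey_line(line: str):
    """Parse an OpenSSH public key line: '<host-or-comment> <keytype> <base64> ...'.

    Returns (first_field, keytype, blob). The key type written in the text is
    cross-checked against the type string embedded in the blob, so a line whose
    two halves disagree is rejected instead of being silently fingerprinted.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64>'")
    first, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("declared key type does not match blob")
    return first, keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH default fingerprint: SHA256 of the blob, base64 with padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint format (ssh-keygen -l -E md5): colon-separated hex bytes."""
    digest = hashlib.md5(blob).digest()
    return "MD5:" + ":".join(f"{b:02x}" for b in digest)


def host_key_matches(pubkey_line: str, displayed_fingerprint: str) -> bool:
    """True if the fingerprint shown in the accept prompt matches the server's key."""
    try:
        _, _, blob = parse_pubkey_line(pubkey_line)
    except ValueError:
        return False
    shown = displayed_fingerprint.strip()
    return shown in (sha256_fingerprint(blob), md5_fingerprint(blob))


# Constructed sample: a made-up Ed25519 key for a hypothetical backup host.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_LINE = "scp-backup.example.net ssh-ed25519 " + base64.b64encode(
    make_ed25519_blob(SAMPLE_RAW_KEY)).decode("ascii")


if __name__ == "__main__":
    _, ktype, blob = parse_pubkey_line(SAMPLE_LINE)
    print(ktype, sha256_fingerprint(blob))
    print(ktype, md5_fingerprint(blob))
```

Run it with the real key line copied from the server and the fingerprint shown in the Panorama prompt in place of the sample values; accept the key only when host_key_matches returns True on each HA peer.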
Manage Panorama Configuration Backups
Use these instructions to validate, revert, save, load, export, or import a Panorama configuration version.
Manage Panorama Configuration Backups: Validate, Revert, Save, Load, Export or Import
1. Select Panorama > Setup > Operations.
2. In the Configuration Management section, select from the following options:
Validate candidate Panorama configuration: Verifies that the candidate configuration has no errors; validating the configuration file allows you to resolve errors before you commit the changes.
Revert to last saved Panorama configuration: Overwrites the current candidate configuration and restores the last saved candidate configuration from disk.
Revert to running Panorama configuration: Reverts all changes saved to the candidate configuration; it effectively allows you to undo all configuration changes that were made since the last commit operation.
Save named Panorama configuration snapshot: Saves the candidate configuration to a file. Enter a file name or select an existing file to overwrite. Note that the current active configuration file (running-config.xml) cannot be overwritten.
Save candidate Panorama configuration: Saves the candidate configuration to disk; it is the same as using the Save link at the top of the page to save the changes to the candidate configuration file.
Load Panorama configuration version: Loads a configuration file from a list of previously committed versions.
Load named Panorama configuration snapshot: Loads a selected candidate configuration; you can select a previously imported or saved configuration. The current candidate configuration is overwritten.
Export named Panorama configuration snapshot: Exports the active configuration (running-config.xml) or a previously saved or imported configuration. Select the configuration file to be exported. You can open the file and/or save it in any network location.
Export Panorama configuration version: Exports a previously committed version of the configuration file. Select the version to export.
Export Panorama and devices config bundle: This option is used to manually generate and export the latest version of the configuration backup of Panorama and that of each managed firewall. To automate the process of creating and exporting the configuration bundle daily to an SCP or FTP server, see Schedule Export of Configuration Files.
Import named Panorama configuration snapshot: Imports a previously exported configuration file. Click Browse to locate the saved file and click OK to import.
Configure the Number of Configuration Backups Panorama Stores
1. Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
2. For the Number of Versions for Config Backups, enter a value between 1 and 1048576. The default is 100.
3. Click Commit, for the Commit Type select Panorama, and click OK.
Load a Configuration Backup on a Managed Firewall
Use Panorama to load a configuration backup on a managed firewall. You can choose to revert to a previously
saved or committed configuration on the firewall. Panorama pushes the selected version to the managed
firewall, and the current candidate configuration on the firewall is overwritten.
Load a Configuration Backup on a Managed Firewall
1. Select Panorama > Managed Devices.
2. Select the Manage... link in the Backups column.
3. Select from the Saved Configurations or the Committed Configurations.
Click the link in the Version column to view the contents of the selected version.
Click Load to load a chosen configuration version.
4. Save the changes. Click Commit and select Panorama as the Commit Type.
Compare Changes in Panorama Configurations
To compare configuration changes on Panorama, you can select any two sets of configuration files: the
candidate configuration, the running configuration, or any other configuration version that has been previously
saved or committed on Panorama. The side-by-side comparison allows you to:
Preview the changes in configuration before committing them to Panorama. You can, for example, preview
the changes between the candidate configuration and the running configuration. As a best practice, select
the older version on the left pane and the newer version on the right pane, to easily compare and identify
modifications.
Perform a configuration audit to review and compare the changes between two sets of configuration files.
Compare Changes in Panorama Configurations
1. Select Panorama > Config Audit.
2. For each drop-down, select a configuration for the comparison.
3. Select the number of lines that you want to include for Context, and click Go.
To easily compare versions, the changes are highlighted.
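As an added example (not part of this guide or of Panorama), the following script does on a workstation what the Config Audit page does in the browser, and adds a check the page does not: it diffs two exported configuration versions with a chosen number of context lines, then parses both as XML and reports security rules that were added, removed, or whose action changed, flagging the changes that widen access (deny to allow, or a new allow rule for application any). The two XML snippets are constructed and trimmed for the example; the element names follow the PAN-OS configuration layout, but only the fields the audit reads are present.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed samples: two trimmed versions of a device group's pre-rulebase in
# PAN-OS style XML. They are not exports from a real Panorama; only the elements
# the audit inspects (rule name, application members, action) are present.
OLD_CONFIG = """<config>
<device-group><entry name="branch-offices"><pre-rulebase><security><rules>
<entry name="allow-web"><application><member>web-browsing</member></application><action>allow</action></entry>
<entry name="deny-telnet"><application><member>telnet</member></application><action>deny</action></entry>
</rules></security></pre-rulebase></entry></device-group>
</config>
"""

NEW_CONFIG = """<config>
<device-group><entry name="branch-offices"><pre-rulebase><security><rules>
<entry name="allow-web"><application><member>web-browsing</member></application><action>allow</action></entry>
<entry name="deny-telnet"><application><member>telnet</member></application><action>allow</action></entry>
<entry name="any-any"><application><member>any</member></application><action>allow</action></entry>
</rules></security></pre-rulebase></entry></device-group>
</config>
"""


def security_rules(xml_text):
    """Map rule name -> (applications, action) for every rule under security/rules."""
    root = ET.fromstring(xml_text)
    rules = {}
    for entry in root.findall(".//security/rules/entry"):
        apps = tuple(m.text for m in entry.findall("application/member"))
        rules[entry.get("name")] = (apps, entry.findtext("action"))
    return rules


def audit(old_xml, new_xml):
    """Structural comparison of the two versions, keyed by rule name."""
    old, new = security_rules(old_xml), security_rules(new_xml)
    return {
        "added": {n: new[n] for n in new if n not in old},
        "removed": sorted(n for n in old if n not in new),
        "changed": {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]},
    }


def risky_changes(report):
    """Changes that widen access and deserve a second look before commit."""
    findings = []
    for name, ((_, old_action), (_, new_action)) in report["changed"].items():
        if old_action != "allow" and new_action == "allow":
            findings.append(f"{name}: action {old_action} -> {new_action}")
    for name, (apps, action) in report["added"].items():
        if action == "allow" and "any" in apps:
            findings.append(f"{name}: new allow rule for application any")
    return findings


def context_diff(old_xml, new_xml, context=3):
    """Line diff with the chosen number of context lines, like the Config Audit page."""
    return list(difflib.unified_diff(old_xml.splitlines(), new_xml.splitlines(),
                                     fromfile="running", tofile="candidate",
                                     n=context, lineterm=""))


if __name__ == "__main__":
    print("\n".join(context_diff(OLD_CONFIG, NEW_CONFIG, context=1)))
    for finding in risky_changes(audit(OLD_CONFIG, NEW_CONFIG)):
        print("REVIEW:", finding)
```

Point OLD_CONFIG and NEW_CONFIG at two files exported with Export Panorama configuration version (or the running and candidate configurations) to run the same audit on real data; a text diff alone would show the changed lines, but the structural pass is what singles out the rule that flipped from deny to allow.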
Configure the Number of Versions Panorama Stores for Configuration Audits
1. Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
2. For the Number of Versions for Config Audit, enter a value between 1 and 1048576. The default is 100.
3. Click Commit, for the Commit Type select Panorama, and click OK.
View and Compare Panorama Configuration Files Before Committing
1. Click Commit.
2. Select Preview Changes and select the number of lines of context you want to see.
3. Click OK.
Restrict Access to Configuration Changes
Use locks to prevent multiple administrative users from making configuration changes or committing changes
on Panorama, shared policies, or to selected templates and/or device groups.
Types of Locks
Locations for Taking a Lock
Take a Lock
View Lock Holders
Enable Automatic Acquisition of the Commit Lock
Remove a Lock
Types of Locks
The available lock types are:
Config Lock: Blocks other administrators from making changes to the configuration. This type of lock can be set globally or for a virtual system. It can be removed only by the administrator who set it or by a superuser. The configuration lock is not released automatically.
Commit Lock: Blocks other administrators from committing changes until all of the locks have been released. The commit lock ensures that partial configuration changes are not inadvertently committed to the firewall or to Panorama when two administrators are making changes at the same time and the first administrator finishes and commits changes before the second administrator has finished. The lock is released automatically when the administrator who applied the lock commits the changes; the lock can be removed manually by the administrator who took the lock or by a superuser.
If a commit lock is held on a firewall, and an administrator commits configuration changes or shared policies to a template or device group that includes that firewall, the commit will fail with an error message indicating that there is an outstanding lock on a firewall.
Read-only administrators who cannot make configuration changes to the firewall or Panorama will not be able to take either lock.
Role-based administrators who cannot commit changes can take the config lock and save the changes to the candidate configuration. They cannot, however, commit the changes themselves. Because they cannot commit the changes, the lock is not automatically released on commit; the administrator must manually remove the config lock after making the required changes.
Locations for Taking a Lock
The administrator can take a lock for any of the following categories, or locations:
Device Group: Restricts changes to the selected device group.
Template: Restricts changes to the firewalls included in the selected template.
Shared: Restricts changes to the centrally administered policies (pre-rules and post-rules) that are shared across all device groups. For more information on shared policies, see Policies.
Panorama: Restricts access to changes on Panorama.
Take a Lock
1. Click the lock icon at the top right of the web interface.
2. Select Take Lock.
3. For the Type, based on your role/permissions, select Commit or Config.
4. Select the category for which you want to take the lock.
5. As a best practice, add a Comment to describe the reasons for taking the lock.
6. Click OK.
View Lock Holders
Before changing a particular area of the configuration, check whether another administrator has taken the lock for the area.
Click the lock icon on the top right corner of the web interface and review the details.
The lock icon displays the total number of locks taken. It also includes information on the username of the lock holder, the type of lock, the category in which the lock is held, when it was taken, the last activity by the administrator, and whether or not the administrator is still logged in.
Enable Automatic Acquisition of the Commit Lock
By default, you must manually take a lock before you start making changes on Panorama. If you would like to enable automatic acquisition of the commit lock, use the following procedure.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Select the Automatically Acquire Commit Lock check box.
3. Click OK and Commit, for the Commit Type select Panorama, and click OK.
Remove a Lock
1. Click the lock icon at the top right of the web interface.
2. Select the lock that you want to release and click Remove Lock. Unless you are a superuser, you can remove only the locks that you have previously taken.
3. Click OK.
Add Custom Logos to Panorama
You can upload image files to customize the following areas on Panorama:
Background image on the login screen
Header on the top left corner of the web interface; you can also hide the Panorama default background
Title page and footer image in PDF reports
Supported image types include .jpg, .gif, and .png. Image files for use in PDF reports cannot contain an alpha
channel. The size of the image must be less than 128 Kilobytes (131,072 bytes); the recommended dimensions
are displayed on screen. If the dimension is larger than the recommended size, the image will be automatically
cropped.
Add Custom Logos to Panorama
1. Select Panorama > Setup > Operations.
2. In the Miscellaneous section, click Custom Logos.
3. Click the Upload logo icon and select an image for any of the following options: the login screen, the left corner of the main user interface, the PDF report title page and the PDF report footer.
4. Click Open to add the image. To preview the image, click the preview logo icon.
5. (Optional) To clear the green background header on the Panorama web interface, select the check box for Remove Panorama background header.
6. Click Close to save your changes.
7. Click Commit and select Panorama as the Commit Type.
View Panorama Task Completion History
Use the Task Manager to view currently-running tasks, historical task data, event success or failure information,
and related errors.
View Panorama Task Completion History
1. Click the Tasks icon on the bottom right corner of the web interface.
2. Select the list of tasks to review. By default All Tasks are displayed.
3. You can filter by All or Running tasks and select Jobs, Reports, or Log Requests:
Jobs: Lists commits, auto commits, and downloads and installs for software and dynamic updates performed locally on Panorama or centrally pushed to the managed firewalls from Panorama. Each job is a link; click the link in the Type column to view details on the firewalls, status, and review errors, if any.
Reports: Displays the status and start time for scheduled reports.
Log Requests: Lists the log queries triggered from the Monitor > Log Viewer tab or the Dashboard. For example, to display the logs in the URL Filtering widget or the Data Filtering widget on the Dashboard, log requests are generated on Panorama.
Reallocate Log Storage Quota
You can edit the default storage quotas for each log type but not for reports. When a log quota reaches the
maximum size, Panorama starts overwriting the oldest log entries with the new log entries. The Panorama virtual
appliance and M-100 appliance have different locations for storing logs and different predefined storage
capacities for reports:
Panorama virtual appliance: Panorama writes all logs to its assigned storage space. The storage space can be the approximately 11GB storage allocated by default on the virtual disk that you created when installing Panorama or it can be an additional virtual disk or a Network File System (NFS) that you added when expanding the log storage capacity. The storage space for reports is 200MB.
M-100 appliance: Panorama saves logs to its internal SSD and RAID-enabled disks. The M-100 appliance uses its internal SSD to store the Config logs and System logs that Panorama and its Log Collectors generate, and also to store the Application Statistics (App Stats) logs that Panorama automatically receives at 15 minute intervals from all managed firewalls. Panorama saves all other log types to its RAID-enabled disks. The RAID disks are either local to the M-100 appliance in Panorama mode or are in a Dedicated Log Collector (M-100 appliance in Log Collector mode). The storage space for reports is 500MB for Panorama 6.1 or later releases and 200MB for earlier releases.
Reallocate Log Storage Quota on the Panorama Virtual Appliance and the M-100 Appliance
Step 1. Configure the storage quotas for:
Logs of all types that a Panorama virtual appliance receives from firewalls.
App Stats logs that Panorama (a virtual appliance or M-100 appliance) receives from firewalls.
System and Config logs that Panorama (a virtual appliance or M-100 appliance) and its Log Collectors generate locally.
The Panorama management server stores these logs.
1. Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
2. In the Log Storage tab, enter the storage Quota (%) for each log type. When you change a percentage value, the page refreshes to display the corresponding absolute value (Quota GB/MB column) based on the total allotted storage on Panorama.
To reset the quotas to the factory defaults, click Restore Defaults at the bottom right of the dialog.
If you reduce a storage quota such that the current logs exceed it, after you commit the change, Panorama removes the oldest logs to fit the quota.
3. Click OK to save your changes.
Step 2. Configure the storage quotas for logs of all types (except App Stats logs) that an M-100 appliance receives from firewalls.
The Log Collectors store these logs. You configure these storage quotas at the Collector Group level, not for individual Log Collectors.
1. Select Panorama > Collector Groups and select the Collector Group.
2. In the General tab, click the Log Storage value.
This field doesn't display a value unless you assigned Log Collectors to the Collector Group (Panorama > Collector Groups > Device Log Forwarding). If the field displays 0MB after you assign Log Collectors, verify that you enabled the disk pairs when configuring the Log Collector and that you committed the changes (Panorama > Managed Collectors > Disks).
3. Enter the storage Quota (%) for each log type. When you change a percentage value, the page refreshes to display the corresponding absolute value (Quota GB/MB column) based on the total storage allotted to the Collector Group.
To reset the quotas to the factory defaults, click Restore Defaults at the bottom right of the dialog.
4. Click OK to save your changes.
Step 3. Commit your changes.
1. Click Commit, for the Commit Type select Panorama, and click OK.
2. (M-100 appliance only) Click Commit, for the Commit Type select Collector Group, select the Collector Group you modified, and click OK.
Step 4. Verify that Panorama applied the storage quota changes.
1. Select Panorama > Setup > Management and, in the Logging and Reporting Settings, verify that the Log Storage values are correct for the logs that the Panorama management server stores.
2. Select Panorama > Collector Groups, select the Collector Group you modified, and verify that the Log Storage values in the General tab are correct for the logs that the Log Collectors store.
You can also verify the Collector Group storage quotas by logging in to a Log Collector CLI and entering the operational command show log-diskquota-pct.
Monitor Panorama
To monitor Panorama, you can either periodically view the system and configuration logs on Panorama or
configure SNMP traps and/or email alerts that notify you when a monitored metric changes state or reaches a
threshold on Panorama. Email alerts and SNMP traps are useful for immediate notification about critical system
events that require your attention.
Panorama System and Configuration Logs
Set Up Email Alerts for Panorama
Set Up SNMP to Monitor Panorama
Panorama System and Configuration Logs
You can configure Panorama to send notifications if a system event occurs or any time a configuration change
is made. By default, Panorama logs every configuration change to the configuration log. On the system log, each
event has a severity level associated with it. The level indicates the urgency and the impact of the event, and you
can choose to record all or selected system events, depending on the severity levels that you want to monitor.
This section covers Panorama logs only. For information on forwarding logs from the managed
firewalls, see Enable Log Forwarding to Panorama.
Config Logs: Enable forwarding of Configuration logs by specifying a server profile in the log settings configuration (Panorama > Log Settings > Config Logs).
System Logs: Enable forwarding of System logs by specifying a server profile in the log settings configuration (Panorama > Log Settings > System Logs). Select a server profile for each severity level you want to forward. The following table summarizes the system log severity levels:
Critical: Indicates a failure and signals the need for immediate attention, such as a hardware failure, including HA failover and link failures.
High: Serious issues that will impair the operation of the system, including disconnection of a Log Collector or a commit failure.
Medium: Mid-level notifications, such as antivirus package upgrades, or a Collector Group commit.
Low: Minor severity notifications, such as user password changes.
Informational: Notification events such as log in/log off, any configuration change, authentication success and failure notifications, commit success, and all other events not covered by the other severity levels.
The M-100 appliance stores configuration and system logs on its internal SSD. The Panorama virtual appliance stores the logs on the assigned storage volume. In both cases the oldest entries are overwritten once the quota for the log type is full (see Reallocate Log Storage Quota), so if you need longer-term storage of logs for auditing, configure Panorama to forward the logs to a syslog server.
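The severity levels above decide which server profile receives a forwarded system log entry, and the critical and high entries (an HA failover, a commit failure) are the ones that warrant an immediate alert rather than a place in the archive. The script below is an added example, not Panorama code and not a supported log format: it parses constructed sample records in a simplified five-field CSV layout (time, type, subtype, severity, description), routes each record to the profiles configured for its severity (the profile names email-oncall and syslog-siem are assumptions), and extracts the records at or above a severity floor with HA failovers and commit failures tagged. For a real export, substitute the field positions of the syslog format you configured for Panorama.

```python
import csv
import io
from collections import Counter

# Severity levels in ascending order, as listed in the guide.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# One server profile list per severity, mirroring the per-level selection in
# Panorama > Log Settings > System Logs. Profile names are assumed for the example.
SEVERITY_PROFILES = {
    "critical": ["email-oncall", "syslog-siem"],
    "high": ["email-oncall", "syslog-siem"],
    "medium": ["syslog-siem"],
    "low": ["syslog-siem"],
    "informational": ["syslog-siem"],
}

# Constructed sample records in a simplified layout:
# time,type,subtype,severity,description. Not the PAN-OS syslog field order.
SAMPLE_LOG = """\
2016/01/15 09:58:01,SYSTEM,general,informational,User admin logged in via Web from 10.0.0.5
2016/01/15 09:59:10,SYSTEM,ha,critical,HA Group 1: Moved from state Active to state Suspended
2016/01/15 09:59:12,SYSTEM,ha,critical,HA Group 1: Peer moved from state Passive to state Active
2016/01/15 10:02:44,SYSTEM,general,high,Commit failed: validation error in device group branch-offices
2016/01/15 10:05:00,SYSTEM,dynamic-updates,medium,Antivirus package installed
2016/01/15 10:07:30,SYSTEM,general,low,Password changed for user auditor
"""


def parse_system_log(text):
    """Parse CSV records into dicts; reject severities outside the documented set."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue  # skip blank or malformed lines instead of mis-attributing fields
        time_, type_, subtype, severity, desc = rec
        severity = severity.lower()
        if severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {severity!r} in {rec}")
        rows.append({"time": time_, "type": type_, "subtype": subtype,
                     "severity": severity, "description": desc})
    return rows


def at_least(severity, floor):
    """True if severity is the same as or more urgent than floor."""
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(floor)


def route(rows):
    """Map each server profile to the records it receives under SEVERITY_PROFILES."""
    out = {}
    for r in rows:
        for profile in SEVERITY_PROFILES[r["severity"]]:
            out.setdefault(profile, []).append(r)
    return out


def alerts(rows, floor="high"):
    """Records at or above floor, with HA failovers and commit failures tagged."""
    found = []
    for r in rows:
        if not at_least(r["severity"], floor):
            continue
        tag = "other"
        if r["subtype"] == "ha":
            tag = "ha-failover"
        elif "commit failed" in r["description"].lower():
            tag = "commit-failure"
        found.append((r["time"], tag, r["description"]))
    return found


def severity_counts(rows):
    """How many records arrived at each severity; a quick sanity check on forwarding."""
    return Counter(r["severity"] for r in rows)


if __name__ == "__main__":
    rows = parse_system_log(SAMPLE_LOG)
    print(dict(severity_counts(rows)))
    for when, tag, desc in alerts(rows):
        print(when, tag, desc)
```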
Set Up Email Alerts for Panorama
Step 1. Create a server profile for your email server.
1. Select Panorama > Server Profiles > Email.
2. Click Add and then enter a Name for the profile.
3. Click Add to add a new email server entry and enter the information required to connect to the Simple Mail Transfer Protocol (SMTP) server and send email (you can add up to four email servers to the profile):
Server: Name to identify the mail server (1-31 characters). This field is just a label and does not have to be the host name of an existing SMTP server.
Display Name: The name to display in the From field of the email.
From: The email address where notification emails will be sent from.
To: The email address to which notification emails will be sent.
Additional Recipient(s): To send notifications to a second account, enter the additional address here.
Gateway: The IP address or host name of the SMTP gateway to use to send the emails.
4. Click OK to save the server profile.
Step 2. (Optional) Customize the format of the logs Panorama sends.
Select the Custom Log Format tab. For details on how to create custom formats for the various log types, refer to the Common Event Format Configuration Guide.
Step 3. Save the server profile and commit your changes.
1. Click OK to save the profile.
2. Click Commit, and select Panorama as the Commit Type.
Step 4. Enable email notification for specific events in the system and config logs.
1. Enable email notification.
For system events:
a. Select Panorama > Log Settings > System.
b. Click the link for each severity level for which to enable notification, and then select the Email server profile you created.
For configuration changes:
a. Select Panorama > Log Settings > Config and edit the Log Settings - Config section.
b. Select the Email server profile you created.
2. Click Commit and select Panorama as the Commit Type.
Set Up SNMP to Monitor Panorama
Simple Network Management Protocol (SNMP) enables access from an SNMP management station to specific Object Identifiers (OIDs) or ranges of OIDs that the Palo Alto Networks MIBs contain (for a complete list, refer to PAN-OS MIB). You can use SNMP to query the state of Panorama (SNMP GETs) and trigger alerts (SNMP traps) when events occur. Panorama supports SNMP v2c and v3. SNMP v2c authenticates requests only with a community string sent in cleartext, so use v3 with authentication and privacy wherever the management station supports it.
To set up SNMP for monitoring Log Collectors, see Configure a Collector Group.
Panorama initiates SNMP traps and sends them to the SNMP manager when a failure or change occurs (for
example, a system fan failure), disk drives are added, or an HA failover occurs. Panorama does not send traps
on a regular schedule, only when a triggering event occurs.
SNMP GETs allow pro-active monitoring. For example, you can poll Panorama for trending graphs that help
identify the following potential system issues before a fault occurs:
Monitor the incoming log rate on an M-100 appliance or the capacity of the logging disks on the appliance
to determine if a Log Collector is close to maximum capacity. This information will help you evaluate
whether you need to expand log storage capacity or add additional Log Collectors.
Monitor system information such as the state of Panorama and which software/content update versions are
installed (for example, Antivirus version, Applications and Threats database version, and Panorama software
version).
Step 1
Configure the management interface to listen for the SNMP service.
1. Select Panorama > Setup > Management.
2. In the Management Interface Settings section, verify that SNMP is enabled in Services. If SNMP is not enabled, edit the Management Interface Settings, select the SNMP check box, then click OK to save the changes.
Step 2
Configure Panorama for SNMP monitoring.
(The screenshot in the original shows the SNMP Setup dialog for SNMP v3.)
1. Select Panorama > Setup > Operations.
2. In the Miscellaneous section, select SNMP Setup.
3. Enter a text string to specify the physical Location of Panorama.
4. Add the email address of one or more administrative Contacts.
5. Select the SNMP Version and then enter the configuration details as follows (depending on which SNMP version you are using) and then click OK:
V2c: Enter the SNMP Community String that will allow the SNMP manager access to the SNMP agent on Panorama. The default value is public. However, because this is a well-known community string, it is a best practice to use a value that is not easily guessed.
V3: You must create at least one View and one User in order to use SNMPv3. The view specifies which management information the manager has access to. If you want to allow access to all management information, just enter the top-level OID of .1.3.6.1 and specify the Option as include (you can also create views that exclude certain objects). Use 0xf0 as the Mask. Then when creating a user, select the View you just created and specify the Auth Password and Priv Password.
The authentication settings (the community string for V2c or the username and passwords for V3) configured on Panorama must match the values configured on the SNMP manager.
6. Click OK to save the settings.
7. Click Commit, and select Panorama as your Commit Type to save the changes to the running configuration.
Step 3
Create a server profile that contains the information for connecting and authenticating to the SNMP manager(s).
1. Select Panorama > Server Profiles > SNMP Trap.
2. Click Add and then enter a Name for the profile.
3. Specify the version of SNMP you are using (V2c or V3).
4. Click Add to add a new SNMP Trap Receiver entry (you can add up to four trap receivers per server profile). The required values depend on whether you are using SNMP V2c or V3 as follows:
On SNMP V2c
Server: Name to identify the SNMP manager (1-31 characters). This field is just a label and does not have to be the hostname of an existing SNMP server.
Manager: The IP address of the SNMP manager to which to send traps.
Community: The community string required to authenticate to the SNMP manager.
On SNMP V3
Server: Name to identify the SNMP manager (1-31 characters). This field is just a label and does not have to be the hostname of an existing SNMP server.
Manager: The IP address of the SNMP manager to which to send traps.
User: The username required to authenticate to the SNMP manager.
EngineID: The engine ID of Panorama. This is a hexadecimal value from 5 to 64 bytes with a 0x prefix. Each Panorama has a unique engine ID. To find out the engine ID, configure the server for SNMP v3 and send a GET message from the SNMP Manager or MIB browser to Panorama.
Auth Password: The password to be used for authNoPriv level messages to the SNMP manager. This password will be hashed using Secure Hash Algorithm (SHA-1), but will not be encrypted.
Priv Password: The password to be used for authPriv level messages to the SNMP manager. This password will be hashed using SHA and will be encrypted using Advanced Encryption Standard (AES 128).
5. Click OK to save the server profile.
Step 4
Enable SNMP traps for config log and
syslog events.
For system events:
a. Select Panorama > Log Settings > System.
b. Click the link for each severity level for which to enable
notification, and then select the SNMP Trap server profile
you created in Step 3.
For configuration changes:
a. Select Panorama > Log Settings > Config and edit the Log
Settings - Config section.
b. Select the SNMP Trap server profile you created in Step 3.
Step 5
Save your changes.
Click Commit, and select Panorama as the Commit Type.
Step 6
Enable the SNMP manager to interpret
an SNMP trap.
To interpret a trap that Panorama sent, you must load the PAN-OS
MIB files into your SNMP management software and, if necessary,
compile them. The compiled MIBs allow the SNMP Manager to
map the object identifier (OID) to the event definition that the trap
defines.
Refer to the documentation for your SNMP manager for specific
instructions on how to do this.
Step 7
Identify the statistics to monitor.
Using a MIB browser, walk the PAN-OS MIB files to identify the object identifiers (OIDs) that correspond to the statistics you want to monitor. For example, suppose you want to monitor the log collection rate on the M-100 appliance. Using a MIB browser, you will see that this statistic corresponds to OID 1.3.6.1.4.1.25461.2.3.16.1.1.0 in the PAN-LC-MIB.
Step 8
Configure the SNMP management
software to monitor the OIDs you are
interested in.
Refer to the documentation for your SNMP manager for specific
instructions on how to do this.
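The following Python is an added example, not code from this guide or from Palo Alto Networks. It models how an SNMPv3 View (subtree OID, Mask, include/exclude Option, as entered in Step 2) decides which OIDs a manager may read, using the view-family selection rules of RFC 3415, and checks the log-rate OID from Step 7 against it. The exclude entry, the 0xffc0 and 0xe0 masks and the sysDescr probe are constructed for illustration and are not values the guide gives.

```python
"""Model of SNMPv3 view (VACM) matching: which OIDs a View with a given
subtree, Mask and include/exclude Option lets the manager read.
Added illustration, not Panorama code. Rules follow RFC 3415 section 4."""

from dataclasses import dataclass
from typing import List, Optional

# OID from Step 7: log collection rate on the M-100 (PAN-LC-MIB).
LOG_RATE_OID = "1.3.6.1.4.1.25461.2.3.16.1.1.0"
# Standard MIB-II sysDescr.0, used here as a second probe OID.
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"


@dataclass
class ViewEntry:
    subtree: str             # the OID entered as the View
    mask: str = "0xf0"       # the Mask field (hex, as in the procedure)
    option: str = "include"  # "include" or "exclude"


def parse_oid(text: str) -> List[int]:
    """'.1.3.6.1' -> [1, 3, 6, 1]."""
    return [int(p) for p in text.strip().strip(".").split(".") if p]


def mask_bits(mask_hex: str, length: int) -> List[bool]:
    """Expand a hex mask to one bit per subtree sub-identifier.
    A 1 bit means that sub-identifier must match exactly; a 0 bit is a
    wildcard. Bits beyond the end of the mask count as 1 (RFC 3415)."""
    digits = mask_hex[2:] if mask_hex.lower().startswith("0x") else mask_hex
    bits: List[bool] = []
    for byte in bytes.fromhex(digits):
        bits.extend(bool(byte >> i & 1) for i in range(7, -1, -1))
    bits = bits[:length]
    return bits + [True] * (length - len(bits))


def entry_matches(entry: ViewEntry, oid: List[int]) -> bool:
    """True if oid lies under entry.subtree, honouring wildcard bits."""
    sub = parse_oid(entry.subtree)
    if len(oid) < len(sub):
        return False
    bits = mask_bits(entry.mask, len(sub))
    return all(not b or o == s for b, o, s in zip(bits, oid, sub))


def oid_visible(view: List[ViewEntry], oid_text: str) -> bool:
    """Decide visibility of one OID under a view made of several entries.
    Of all matching entries the one with the longest subtree wins; on a tie
    the lexicographically greatest mask wins. The winner's Option decides.
    No matching entry means the OID is not visible."""
    oid = parse_oid(oid_text)
    best: Optional[ViewEntry] = None
    for entry in view:
        if not entry_matches(entry, oid):
            continue
        if best is None:
            best = entry
            continue
        len_best = len(parse_oid(best.subtree))
        len_new = len(parse_oid(entry.subtree))
        if len_new > len_best or (
            len_new == len_best
            and mask_bits(entry.mask, len_new) > mask_bits(best.mask, len_best)
        ):
            best = entry
    return best is not None and best.option == "include"


# The view from Step 2: everything under .1.3.6.1, mask 0xf0, include.
FULL_VIEW = [ViewEntry(".1.3.6.1", "0xf0", "include")]

# Constructed narrower view: the same include entry plus an exclude entry
# that hides the PAN-LC-MIB log-collector statistics subtree. Mask 0xffc0
# sets one bit per sub-identifier of that 10-element subtree.
RESTRICTED_VIEW = FULL_VIEW + [
    ViewEntry(".1.3.6.1.4.1.25461.2.3.16", "0xffc0", "exclude")
]

# Constructed wildcard view: mask 0xe0 leaves the fourth sub-identifier
# unmatched, so .1.3.6.<anything> is included, not just .1.3.6.1.
WILDCARD_VIEW = [ViewEntry(".1.3.6.1", "0xe0", "include")]


if __name__ == "__main__":
    for name, view in (("full", FULL_VIEW), ("restricted", RESTRICTED_VIEW)):
        print(name, "log rate:", oid_visible(view, LOG_RATE_OID),
              "sysDescr:", oid_visible(view, SYS_DESCR_OID))
```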
Reboot or Shut Down Panorama
The reboot option initiates a graceful restart of Panorama. A shutdown halts the system and powers it off. To restart Panorama after a shutdown, manually disconnect and reconnect the power cord on the system.
1. Select Panorama > Setup > Operations.
2. In the Device Operations section, select Reboot Panorama or Shutdown Panorama.
Generate Diagnostic Files for Panorama
Diagnostic files aid in monitoring system activity and in discerning potential causes for issues on Panorama. To
assist Palo Alto Networks Technical Support in troubleshooting an issue, the support representative might
request a tech support file. Perform the following steps to download a tech support file and upload it to your
support case.
Step 1
Select Panorama > Support and click Generate Tech Support File.
Step 2
Download and save the file to your computer.
Step 3
Upload the file to your case on the Palo Alto Networks Support Portal.
Configure Panorama Password Profiles and Complexity
To secure the local administrator account, you can define password complexity requirements that are enforced
when administrators change or create new passwords. Unlike password profiles, which can be applied to
individual accounts, the password complexity rules are firewall-wide and apply to all passwords.
To enforce periodic password updates, create a password profile that defines a validity period for passwords.
Step 1
Configure minimum password complexity settings.
1. Select Panorama > Setup > Management and edit the Minimum Password Complexity section.
2. Select Enabled.
3. Define the Password Format Requirements. You can enforce the requirements for uppercase, lowercase, numeric, and special characters that a password must contain.
4. To prevent the account username (or reversed version of the name) from being used in the password, select Block Username Inclusion (including reversed).
5. Define the password Functionality Requirements.
If you have configured a password profile for an administrator, the values defined in the password profile will override the values that you have defined in this section.
Step 2
Create Password Profiles.
You can create multiple password profiles and apply them to administrator accounts as required to enforce security.
1. Select Panorama > Password Profiles and then click Add.
2. Enter a Name for the password profile and define the following:
a. Required Password Change Period: Frequency, in days, at which the passwords must be changed.
b. Expiration Warning Period: Number of days before expiration that the administrator will receive a password reminder.
c. Post Expiration Grace Period: Number of days that the administrator can still log in to the system after the password expires.
d. Post Expiration Admin Login Count: Number of times that the administrator can log in to the system after the password has expired.
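The following Python is an added example, not code from this guide or from Palo Alto Networks. It models both controls described above: the Password Format Requirements of Step 1, including Block Username Inclusion with the reversed username, and the four validity fields of a Password Profile from Step 2. The thresholds, the special-character set and the way the grace period and login count combine are assumptions made for this example.

```python
"""Model of the Minimum Password Complexity format rules (Step 1) and the
validity fields of a Password Profile (Step 2). Added illustration, not
Panorama code; thresholds and the grace-period semantics are assumptions."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Constructed set of characters treated as "special" for this example.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


@dataclass
class ComplexityRules:
    """Constructed counterparts of the Password Format Requirements."""
    min_length: int = 8
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_numeric: int = 1
    min_special: int = 1
    block_username_inclusion: bool = True  # "(including reversed)"


def complexity_failures(password: str, username: str,
                        rules: ComplexityRules) -> List[str]:
    """Return the list of rules the password breaks (empty means it passes)."""
    failures: List[str] = []
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }
    if len(password) < rules.min_length:
        failures.append(f"shorter than {rules.min_length} characters")
    for kind, needed in (("uppercase", rules.min_uppercase),
                         ("lowercase", rules.min_lowercase),
                         ("numeric", rules.min_numeric),
                         ("special", rules.min_special)):
        if counts[kind] < needed:
            failures.append(f"fewer than {needed} {kind} characters")
    if rules.block_username_inclusion and username:
        # Case-insensitive check for the username and for its reverse,
        # matching the "Block Username Inclusion (including reversed)" option.
        lowered, user = password.lower(), username.lower()
        if user in lowered or user[::-1] in lowered:
            failures.append("contains the username (or its reverse)")
    return failures


@dataclass
class PasswordProfile:
    """The four fields of a Password Profile, in days and logins."""
    change_period_days: int    # Required Password Change Period
    warning_period_days: int   # Expiration Warning Period
    grace_period_days: int     # Post Expiration Grace Period
    grace_login_count: int     # Post Expiration Admin Login Count


def login_status(profile: PasswordProfile, last_changed: str, today: str,
                 logins_since_expiry: int) -> str:
    """Classify a login attempt as 'ok', 'warn', 'grace' or 'locked'.
    Dates are ISO strings (YYYY-MM-DD). Assumption: a post-expiry login is
    allowed only while neither the grace period nor the login count is used up."""
    changed = date.fromisoformat(last_changed)
    now = date.fromisoformat(today)
    expires = changed + timedelta(days=profile.change_period_days)
    if now < expires:
        days_left = (expires - now).days
        return "warn" if days_left <= profile.warning_period_days else "ok"
    grace_end = expires + timedelta(days=profile.grace_period_days)
    if now < grace_end and logins_since_expiry < profile.grace_login_count:
        return "grace"
    return "locked"


if __name__ == "__main__":
    rules = ComplexityRules()
    for pw in ("Panorama#2016", "nimda-Secure1", "password"):
        print(pw, "->", complexity_failures(pw, "admin", rules) or "passes")
    profile = PasswordProfile(90, 7, 3, 2)   # constructed profile values
    for day in ("2016-02-01", "2016-03-28", "2016-03-31", "2016-04-05"):
        print(day, login_status(profile, "2016-01-01", day, 0))
```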
Replace a Failed Disk on an M-100 Appliance
If a disk fails on the M-100 appliance, you must replace the disk and reconfigure it in a RAID pair. This allows
the data to be mirrored and synchronized between the disks in the RAID pair.
Replace a Failed Disk
Step 1
Install the new disk in the appropriate drive bay.
Refer to the M-100 Hardware Reference Guide for instructions to replace the failed disk with the new disk.
Step 2
Set up the disk in a RAID pair.
This example uses the drives in disk bay B1.
The time required to mirror the data on the drive may vary from several minutes to a couple of hours, depending on the amount of data on the drive.
1. Enter the following command to add the disk to the RAID pair and confirm the request when prompted:
request system raid add B1
2. To monitor the progress of the RAID configuration and verify that the disk is RAID enabled, enter the following command:
show system raid detail
Replace the Virtual Disk on a Panorama Virtual Appliance
You cannot resize a virtual disk after adding it to a Panorama virtual appliance. Because the Panorama virtual
appliance allows only one log storage location, if you need to increase or decrease disk space for logging, you
must replace the virtual disk on the ESX(i) server to adjust the log storage capacity.
Step 1
Export the logs before detaching the virtual disk from the Panorama virtual appliance. The logs on the disk will no longer be accessible after the disk is detached.
1. Access the CLI on the Panorama virtual appliance.
2. Check the current disk usage:
admin@Panorama> show system logdb-quota
3. Export the logs. The command has the following syntax:
admin@Panorama> scp export logdb to <user account>@<IP of SCP server>:<directory path with destination filename>
For example:
admin@Panorama> scp export logdb to sabel@10.236.10.30:/Panorama/log_file_exportMay2013
You must specify a filename. The command saves a .tar file with that filename to the SCP server. Because the export process compresses the files, the size of the exported file will be smaller than the size on disk.
Step 2
Replace the virtual disk.
1. Power off the Panorama virtual appliance.
2. Edit the settings on the Panorama virtual appliance to add a new virtual disk with the desired capacity. The virtual disk type must be IDE and the maximum capacity is 2TB.
3. Remove the virtual disk you want to replace.
Step 3
Import the logs into the new virtual disk.
1. Power on the Panorama virtual appliance. The reboot process might take several minutes and the message cache data unavailable will appear.
2. Log in to the Panorama virtual appliance.
3. Select Panorama > Setup > Management and verify that the Logging and Reporting Settings section displays the modified log storage capacity accurately.
4. Use the Panorama CLI to import the logs into the new virtual disk:
admin@Panorama> scp import logdb from <user account>@<IP of SCP server>:<directory path with destination filename>
Troubleshooting
The following topics address Panorama issues:
Troubleshoot Panorama System Issues
Troubleshoot Log Storage and Connection Issues
Replace an RMA Firewall
Diagnose Template Commit Failures
View Task Success or Failure Status
Troubleshoot Panorama System Issues
Diagnose Panorama Suspended State
Monitor the File System Integrity Check
Manage Panorama Storage for Software and Content Updates
Recover from Split Brain in Panorama HA Deployments
Diagnose Panorama Suspended State
If Panorama is in a suspended state, check for the following conditions:
Verify that the serial number on each Panorama virtual appliance is unique. If the same serial number is used
to create two or more instances of Panorama, all instances using the same serial number will be suspended.
Verify that you have set the HA priority setting on one peer as Primary and the other as Secondary. If the
priority setting is identical on both peers, the Panorama peer with a higher numerical value in serial number
is placed in a suspended state.
Verify that both Panorama HA peers are running the same Panorama version (major and minor version
number).
Monitor the File System Integrity Check
Panorama periodically performs a file system integrity check (FSCK) to prevent corruption of the Panorama system files. This check occurs after eight reboots or at a reboot that occurs 90 days after the last FSCK was executed. If Panorama is running an FSCK, the web interface and SSH login screens display a warning to indicate that an FSCK is in progress. You cannot log in until this process completes. The time to complete this process varies by the size of the storage system; depending on the size, it can take several hours before you can log back in to Panorama.
To view the progress on the FSCK, set up console access to Panorama and view the status.
Manage Panorama Storage for Software and Content Updates
On Panorama, you can download (or manually upload) software images and content updates to centrally manage
them on firewalls and M-100 appliances in Log Collector mode. Supported Updates by Device Type lists which
updates these devices support. For Panorama itself, you can also manage updates for Applications, Applications
and Threats, Antivirus, and Wildfire.
The amount of space available on Panorama to store these images and updates is not user configurable. When the used capacity of the allotted storage reaches 90%, Panorama alerts you to free up space (delete stored images) for new downloads/uploads.
The maximum number of images is a global setting that applies to all the images and updates that Panorama
stores. You can use only the CLI to configure the setting. The default value is five images/updates of each type;
you cannot set the value for individual types.
Modify the maximum number of images stored on Panorama.
Access the CLI on Panorama and enter the following command:
set max-num-images count x
(where x can be a number between 2 and 64)
View the number of images that are stored on Panorama.
Enter the following CLI command:
show max-num-images
Delete images to free up space on Panorama. You can perform this task using the web interface or the CLI.
Use the following commands:
To delete software images by filename or version:
delete software image <filename>
delete software version <version_number>
To delete content updates:
delete content update <filename>
Recover from Split Brain in Panorama HA Deployments
When Panorama is configured in a high availability (HA) setup, the managed firewalls are connected to both the
active and passive Panorama HA peers. When the connection between the active and the passive Panorama
peers fails, before the passive Panorama takes over as the active peer it checks whether any firewall is connected
to both the active and the passive peer. If even one firewall is connected to both peers, the failover is not
triggered.
In the rare event that a failover is triggered when a set of firewalls are connected to the active peer and a set of
firewalls are connected to the passive peer, but none of the firewalls are connected to both peers, it is called a
split brain. When a split brain occurs, the following conditions occur:
Neither Panorama peer is aware of the state nor the HA role of the other peer.
Both Panorama peers become active and manage a unique set of firewalls.
To resolve a split brain, debug your network issues and restore connectivity between the Panorama HA peers.
However, if you need to make configuration changes to your firewalls without restoring the connection between
the peers, here are a couple of options:
Manually add the same configuration changes on both Panorama peers. This ensures that when the link is
reestablished the configuration is synchronized.
If you need to add/change the configuration at only one Panorama location, make the changes and sync the
configuration (make sure that you initiate the sync from the peer on which you made the changes) when the
link between the Panorama peers is re-established.
If you need to add/change the configuration for only the connected firewalls at each location, you can make
configuration changes independently on each Panorama peer. Because the peers are disconnected, there is
no replication and each peer now has a completely different configuration file (they are out of sync).
Therefore, to ensure that the configuration changes on each peer are not lost when the connection is
restored, you cannot allow the configuration to be automatically re-synchronized. To solve this problem,
export the configuration from each Panorama peer and manually merge the changes using an external diff
and merge tool. After the changes are integrated, you can import the unified configuration file on the
primary Panorama and then synchronize the imported configuration file with the peer.
Troubleshoot Log Storage and Connection Issues
What Ports are Used by Panorama?
Resolve Zero Log Storage for a Collector Group
Recover Logs after Failure/RMA of M-100 Appliance in Log Collector Mode
Recover Logs after Failure/RMA of M-100 Appliance in Panorama Mode
Recover Logs after Panorama Failure/RMA in Non-HA Deployments
Regenerate Metadata for M-100 Appliance RAID Pairs
What Ports are Used by Panorama?
To ensure that Panorama can communicate with managed firewalls, Log Collectors, and its high availability (HA)
peer, use the following table to verify the ports that you must open on your network.
On an M-100 appliance running Panorama 6.1 or later releases, you can optionally assign the log
collection and Collector Group communication functions to the Eth1 or Eth2 interfaces (instead
of to the default MGT interface). The ports listed in the following table apply regardless of which
function you assign to which interface. For example, if you assign log collection to MGT and
assign Collector Group communication to Eth2, then MGT will use port 3978 and Eth2 will use
port 28270. (The Panorama virtual appliance can only use the MGT interface for all these
functions.)
Panorama and Panorama (HA)
Direction: Each peer initiates its own connection to the other
Ports Used (5.0 and 5.1): 28
Ports Used (6.0 and 6.1): 28
Description: For HA connectivity and synchronization if encryption is enabled.

Panorama and Panorama (HA)
Direction: Each peer initiates its own connection to the other
Ports Used (5.0 and 5.1): 28769 and 28260 (5.1); 28769 and 49160 (5.0)
Ports Used (6.0 and 6.1): 28260 and 28769
Description: For HA connectivity and synchronization if encryption is not enabled.

Panorama and managed firewalls
Direction: Initiated by the firewall
Ports Used (5.0 and 5.1): 3978
Ports Used (6.0 and 6.1): 3978
Description: A bi-directional connection where the logs are forwarded from the firewall to Panorama, and configuration changes are pushed from Panorama to the managed firewalls. Context switching commands are sent over the same connection.

Panorama and Log Collector
Direction: Initiated by the Log Collector
Ports Used (5.0 and 5.1): 3978
Ports Used (6.0 and 6.1): 3978
Description: For management and log collection/reporting. Used for communication between the default Log Collector on a Panorama in Panorama mode, and for communicating with Log Collectors in a DLC deployment.

Log Collector to Log Collector
Direction: Each Log Collector initiates a connection to the other Log Collectors in the Collector Group
Ports Used (5.0 and 5.1): 49190
Ports Used (6.0 and 6.1): 28270
Description: For distributing blocks and all binary data between Log Collectors.
Resolve Zero Log Storage for a Collector Group
The log storage capacity for the Collector Group might display as 0MB if the disk pairs are not enabled for
logging. You must select the Log Collector and enable the disk pairs for logging in the Panorama > Managed
Collectors tab; for instructions, see Step 10 in the Configure a Managed Collector topic.
To verify that the disks are enabled and available for log storage, select Panorama > Managed Collectors tab and
verify that the Log Collector displays as Connected and that the Configuration Status displays as In sync.
Recover Logs after Failure/RMA of M-100 Appliance in Log Collector Mode
If you need to replace an M-100 appliance in Log Collector mode (Dedicated Log Collector), you can migrate
the logs it collected from firewalls by moving its RAID disks to a new M-100 appliance. This enables you to
recover logs after a system failure on the M-100 appliance. This procedure applies whether the Panorama
management server that manages the Dedicated Log Collector is a Panorama virtual appliance or an M-100
appliance in Panorama mode.
Step 1
Perform initial setup of the new M-100 appliance in Log Collector mode.
1. Rack mount the M-100 appliance. Refer to the M-100 Appliance Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-100 Appliance.
If the old M-100 appliance used the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces during initial configuration of the new M-100 appliance (Panorama > Setup > Management).
3. Register Panorama.
4. Transfer licenses as follows:
a. Log in to the Customer Support Portal.
b. Select the Assets tab and click the Spares link.
c. Click the Serial Number of the new M-100 appliance.
d. Click Transfer Licenses.
e. Select the old M-100 appliance and click Submit.
5. Activate/Retrieve a Device Management License on the M-100 Appliance.
6. Install Content and Software Updates for Panorama.
7. Switch from Panorama Mode to Log Collector Mode.
Step 2
On the Panorama management server, add the new Log Collector as a managed collector.
For all steps with commands that require a device serial number, you must type the entire serial number; pressing the Tab key won't complete a partial serial number.
1. Configure the Log Collector as a managed collector using the Panorama web interface or using the following CLI commands:
configure
set log-collector <LC_serial_number> deviceconfig system hostname <LC_hostname>
exit
If the old Log Collector used the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces on the new Log Collector when you configure it as a managed collector (Panorama > Managed Collectors > Eth1 and Eth2).
2. Verify that the Log Collector is connected to Panorama and that the status of its disk pairs is present/available.
show log-collector serial-number <log-collector_SN>
The disk pairs will display as disabled at this stage of the restoration process.
3. Commit your changes to Panorama. Don't commit the changes to the Collector Group just yet.
configure
commit
exit
Step 3
Remove the RAID disks from the old Log Collector.
1. Power off the old Log Collector by pressing the Power button until the system shuts down.
2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-100 Appliance Hardware Reference Guide.
Step 4
Prepare the disks for migration.
Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M-100 Appliance RAID Pairs.
1. Insert the disks into the new Log Collector. For details, refer to the disk replacement procedure in the M-100 Appliance Hardware Reference Guide.
You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 on the old appliance into slot B1/B2 on the new appliance, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
2. Enable the disk pairs by running the following CLI command for each pair:
request system raid add <slot> force no-format
For example:
request system raid add A1 force no-format
request system raid add A2 force no-format
The force and no-format arguments are required. The force argument associates the disk pair with the new Log Collector. The no-format argument prevents reformatting of the drives and retains the logs stored on the disks.
3. Generate the metadata for each disk pair.
request metadata-regenerate slot <slot_number>
For example:
request metadata-regenerate slot 1
You can ignore any unary operator expected error that appears after entering this command.
Step 5
Migrate the logs.
You must use the Panorama CLI for this step, not the web interface.
You must assign the new Log Collector to the Collector Group that contains the old Log Collector.
1. Assign the new Log Collector to the Collector Group and commit your changes to Panorama.
configure
set log-collector-group <collector_group_name> logfwd-setting collectors <new_LC_serial_number>
commit
exit
2. For each disk pair, migrate the logs from the old Log Collector to the new Log Collector and attach the disk pair to the new Log Collector.
request log-migration from <old_LC_serial_number> old-disk-pair <log_disk_pair> to <new_LC_serial_number> new-disk-pair <log_disk_pair>
For example:
request log-migration from 003001000010 old-disk-pair A to 00300100038 new-disk-pair A
Step 6
Reconfigure the Collector Group.
1. Use the web interface to assign the new Log Collector to the firewalls that forward logs (Panorama > Collector Groups > Device Log Forwarding). Give the new Log Collector the same priority in the firewall preference lists as the old Log Collector.
You use the web interface to perform this step because no CLI command can change the priority assignments of firewall preference lists.
2. Delete the old Log Collector from the Collector Group.
configure
delete log-collector-group <group_name> logfwd-setting collectors <old_LC_serial_number>
For example:
delete log-collector-group DC-Collector-Group logfwd-setting collectors 003001000010
3. Delete the old Log Collector from the Panorama configuration and commit your changes to Panorama.
delete log-collector <old_LC_serial_number>
commit
exit
4. Commit the Collector Group changes so that the managed firewalls can send logs to the new Log Collector.
commit-all log-collector-config log-collector-group <collector_group_name>
For example:
commit-all log-collector-config log-collector-group DC-Collector-Group
Recover Logs after Failure/RMA of M-100 Appliance in Panorama Mode
If you need to replace an M-100 appliance in Panorama mode (Panorama management server), you can migrate
the logs it collected from firewalls by moving its RAID disks to a new M-100 appliance, but only if Panorama
is deployed in a high availability (HA) configuration. Moving the disks enables you to recover logs after a system
failure on the M-100 appliance.
This migration procedure covers the following scenarios:
One Panorama in the pair is configured as a managed Log Collector and is receiving logs from the managed
firewalls.
Both Panorama peers are managed Log Collectors that belong to one Collector Group (Note that this is not
a recommended deployment).
Each Panorama is configured as a Managed Collector and assigned to separate Collector Groups (Log
Collector Group1 and Log Collector Group2).
Step 1
Forward any logs on the SSD of the old M-100 appliance to an external destination if you want to preserve them.
The SSD stores only the System and Config logs that Panorama and Log Collectors generate. You cannot move the SSD between M-100 appliances.
Enable Log Forwarding from Panorama to External Destinations.
Step 2
Remove the RAID disks from the old M-100 appliance.
1. Power off the old M-100 appliance by pressing the Power button until the system shuts down.
2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-100 Appliance Hardware Reference Guide.
Step 3
Perform initial setup of the new M-100 appliance.
1. Rack mount the M-100 appliance. Refer to the M-100 Appliance Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-100 Appliance.
If the old M-100 appliance used the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces during initial configuration of the new M-100 appliance (Panorama > Setup > Management).
3. Register Panorama.
4. Transfer licenses as follows:
a. Log in to the Customer Support Portal.
b. Select the Assets tab and click the Spares link.
c. Click the Serial Number of the new M-100 appliance.
d. Click Transfer Licenses.
e. Select the old M-100 appliance and click Submit.
5. Activate/Retrieve a Device Management License on the M-100 Appliance.
6. Install Content and Software Updates for Panorama.
7. Set the HA priority. The new M-100 appliance must have the same priority as the HA peer you are replacing.
Panorama 6.1 Administrators Guide 223
Troubleshoot Log Storage and Connection Issues
Troubleshooting
Recover Logs after Failure/RMA of M-100 Appliance in Panorama Mode (Continued)
Step 4
Prepare the disks for migration.
1.
Generating the metadata for each
disk pair rebuilds the indexes.
Therefore, depending on the data
size, this process can take a long
time to complete. To expedite the
process, you can launch multiple
CLI sessions and run the metadata
regeneration command in each
2.
session to complete the process
simultaneously for every pair. For
details, see Regenerate Metadata
for M-100 Appliance RAID Pairs.
3.
Insert the disks into the new M-100 appliance. For details, refer
to the disk replacement procedure in the M-100 Appliance
Hardware Reference Guide.
You must maintain the disk pair association. Although
you can place a disk pair from slot A1/A2 on the old
appliance into slot B1/B2 on the new appliance, you
must keep the disks together in the same slot; otherwise,
Panorama might not restore the data successfully.
Enable the disk pairs by running the following CLI command
for each pair:
request system raid add <slot> force no-format
For example:
request system raid add A1 force no-format
request system raid add A2 force no-format
The force and no-format arguments are required. The force
argument associates the disk pair with the new appliance. The
no-format argument prevents reformatting of the drives and
retains the logs stored on the disks.
Generate the metadata for each disk pair.
request metadata-regenerate slot <slot_number>
For example:
request metadata-regenerate slot 1
4.
You can ignore any unary operator expected error that
appears after entering this command.
Synchronize the configuration of the M-100 appliance HA
peers.
request high-availability sync-to-remote
running-config
Step 5
Configure the local Log Collector on the 1.
new M-100 appliance.
For all steps with commands that
require a device serial number, you
must type the entire serial number;
pressing the Tab key wont
complete a partial serial number.
Dont enable the disks on the new M-100
appliance at this point. When you
successfully migrate the logs, Panorama
automatically enables the disks.
Configure the local Log Collector as a managed collector using
the Panorama web interface or using the following CLI
commands:
configure
set log-collector <log-collector_SN> deviceconfig
system hostname <log-collector-hostname>
exit
2.
Verify that the local Log Collector is connected to Panorama
and that the status of its disk pairs is present/available.
show log-collector serial-number <log-collector_SN>
3.
The disk pairs will display as disabled at this stage of the
restoration process.
Commit your changes to Panorama. Dont commit the changes
to the Collector Group just yet.
configure
commit
224 Panorama 6.1 Administrators Guide
Palo Alto Networks, Inc.
Troubleshooting
Troubleshoot Log Storage and Connection Issues
Recover Logs after Failure/RMA of M-100 Appliance in Panorama Mode (Continued)
Step 6
Migrate the logs.
1.
You must use the Panorama CLI
for this step, not the web interface.
You must assign the local Log
Collector of the new M-100
appliance to the Collector Group
that contains the local Log
Collector of the old M-100
appliance.
Add the new local Log Collector as a member of the Collector
Group and commit your changes to Panorama.
set log-collector-group <collector_group_name>
logfwd-setting collectors <SN_managed_collector>
commit
2.
The old local Log Collector still appears in the list of members,
because you didnt yet delete it from the configuration.
For each disk pair, migrate the logs to the new appliance.
request log-migration from <old_LC_serial_number>
old-disk-pair <log_disk_pair> to
<new_LC_serial_number> new-disk-pair
<log_disk_pair>
For example:
request log-migration from 003001000010
old-disk-pair A to 00300100038 new-disk-pair A
3.
Commit the changes to Panorama.
commit
Step 7
Reconfigure the Collector Group.
1.
2.
Use the web interface to assign the new Log Collector to the
firewalls that forward logs (Panorama > Collector Groups >
Device Log Forwarding). Give the new Log Collector the same
priority in the firewall preference lists as the old Log Collector.
You use the web interface to perform this step because
no CLI command can change the priority assignments
of firewall preference lists.
Delete the old Log Collector from the Collector Group.
delete log-collector-group <group_name>
logfwd-setting collectors <old_LC_serial_number>
For example:
delete log-collector-group DC-Collector-Group
logfwd-setting collectors 003001000010
3.
Delete the old Log Collector from the Panorama configuration
and commit your changes to Panorama.
delete log-collector <old_LC_serial_number>
commit
exit
4.
Commit the Collector Group changes so that the managed
firewalls can send logs to the new Log Collector.
commit-all log-collector-config
log-collector-group <collector_group_name>
For example:
commit-all log-collector-config
log-collector-group DC-Collector-Group
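The following script, added here as an example and not Palo Alto Networks code, builds the ordered CLI command list for Steps 4, 6 and 7 from a description of how the disk pairs were moved, and refuses layouts that would split a disk pair or use a blank serial number. It only produces strings; it never connects to Panorama. The pair letters A to D, the mapping of pair A to metadata slot 1 (B to 2, and so on) and the serial numbers in the demo are assumptions and placeholders, not values from the guide.

```python
"""Runbook generator for migrating RAID pairs from a failed M-100 appliance to
its replacement (the Step 4, Step 6 and Step 7 CLI commands above).

Added example, not Palo Alto Networks code. It only builds command strings and
never connects to Panorama. Assumptions: disk pairs are lettered A to D with
disks 1 and 2 each (A1/A2 ...), the metadata-regenerate slot number of pair A
is 1, pair B is 2, and so on, and the serial numbers in the demo are
placeholders.
"""

PAIR_LETTERS = "ABCD"  # assumption: four pairs, A1/A2 through D1/D2


class MigrationPlanError(ValueError):
    """Raised when the requested disk layout or a serial number is unsafe to use."""


def validate_layout(layout):
    """layout maps an old pair letter to the pair letter it occupies on the new
    appliance, for example {"A": "B", "B": "A"}.

    A pair may move to a different slot, but both disks of a pair must stay
    together, which a one-to-one mapping of pair letters guarantees: every
    target must be a real pair and no two old pairs may share a target.
    """
    for old, new in layout.items():
        if old not in PAIR_LETTERS or new not in PAIR_LETTERS:
            raise MigrationPlanError(f"unknown disk pair in mapping {old}->{new}")
    targets = list(layout.values())
    if len(set(targets)) != len(targets):
        raise MigrationPlanError("two disk pairs are mapped to the same target slot")
    return True


def check_serial(serial):
    """Serial numbers must be typed in full (the CLI will not tab-complete
    them); reject blanks and anything that is not plain alphanumeric text."""
    if not serial or not serial.isalnum():
        raise MigrationPlanError(f"serial number must be given in full: {serial!r}")
    return serial


def prepare_disks_commands(layout):
    """Step 4: enable each migrated pair without formatting it, rebuild the
    metadata per slot, then sync the HA peers."""
    validate_layout(layout)
    cmds = []
    for pair in sorted(layout.values()):
        for disk in ("1", "2"):  # both members of the pair, e.g. A1 and A2
            cmds.append(f"request system raid add {pair}{disk} force no-format")
    for pair in sorted(layout.values()):
        slot_number = PAIR_LETTERS.index(pair) + 1  # assumption: A->1, B->2, ...
        cmds.append(f"request metadata-regenerate slot {slot_number}")
    cmds.append("request high-availability sync-to-remote running-config")
    return cmds


def migrate_logs_commands(group, old_sn, new_sn, layout):
    """Step 6: add the new collector to the group, migrate every pair, commit."""
    validate_layout(layout)
    check_serial(old_sn)
    check_serial(new_sn)
    cmds = [f"set log-collector-group {group} logfwd-setting collectors {new_sn}",
            "commit"]
    for old, new in sorted(layout.items()):
        cmds.append(f"request log-migration from {old_sn} old-disk-pair {old} "
                    f"to {new_sn} new-disk-pair {new}")
    cmds.append("commit")
    return cmds


def retire_old_collector_commands(group, old_sn):
    """Step 7 (CLI part): drop the old collector from the group and from
    Panorama, commit, then push the Collector Group configuration."""
    check_serial(old_sn)
    return [
        f"delete log-collector-group {group} logfwd-setting collectors {old_sn}",
        f"delete log-collector {old_sn}",
        "commit",
        "exit",
        f"commit-all log-collector-config log-collector-group {group}",
    ]


def build_runbook(group, old_sn, new_sn, layout):
    """Full ordered command list for one migration."""
    return (prepare_disks_commands(layout)
            + migrate_logs_commands(group, old_sn, new_sn, layout)
            + retire_old_collector_commands(group, old_sn))


if __name__ == "__main__":
    # Constructed placeholder serials; old pair A goes into slot B and vice versa.
    for line in build_runbook("DC-Collector-Group", "000000000001",
                              "000000000002", {"A": "B", "B": "A"}):
        print(line)
```

The web-interface part of Step 7 (firewall preference list priorities) has no CLI equivalent, so the runbook stops at the commit-all and that step remains manual; print the list, review it against the slots actually used, then paste the commands into the sessions described in Steps 4 to 7.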
Recover Logs after Panorama Failure/RMA in Non-HA Deployments
If a system failure occurs on a Panorama server that is managing one or more dedicated Log Collectors and the
Panorama server is not deployed in a high availability (HA) configuration, use this procedure to restore the
configuration on the replacement Panorama and regain access to the logs on the managed Log Collectors.
To manage data, Panorama maintains a ring file that maps the segments and partitions used for storing logs on
the Log Collector. This ring file is stored to the internal SSD on an M-100 appliance or on the internal disk of
the Panorama virtual appliance that manages the Log Collector(s). When Panorama is not configured in HA and
a system failure occurs, the ring file cannot be automatically recovered. Therefore, when you replace Panorama,
in order to access the logs on the managed Collectors, you must restore the ring file.
As a best practice, Palo Alto Networks recommends deploying Panorama in an HA
configuration. When deployed in HA, the primary Panorama peer that manages the Log
Collectors stores the ring file to its internal storage (SSD of an M-100 appliance or the
internal disk of the Panorama virtual appliance). This ring file is then automatically
synchronized to the passive Panorama peer and the ability to access logs on the managed
Log Collectors is maintained automatically.
Recover Logs after Panorama Failure/RMA in Non-HA Deployments

Step 1: Perform initial setup of the new M-100 appliance.
1. Rack mount the M-100 appliance. Refer to the M-100 Appliance Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-100 Appliance. If the old M-100 appliance used the Eth1 and Eth2 interfaces for log collection and Collector Group communication, you must define those interfaces during initial configuration of the new M-100 appliance (Panorama > Setup > Management).
3. Register Panorama.
4. Transfer licenses as follows:
   a. Log in to the Customer Support Portal.
   b. Select the Assets tab and click the Spares link.
   c. Click the Serial Number of the new M-100 appliance.
   d. Click Transfer Licenses.
   e. Select the old M-100 appliance and click Submit.
5. Activate/Retrieve a Device Management License on the M-100 Appliance.
6. Install Content and Software Updates for Panorama.
7. Set the HA priority. The new M-100 appliance must have the same priority as the HA peer you are replacing.

Step 2: Restore the configuration from the old Panorama to the replacement Panorama.
This task assumes that you have followed the recommendation to back up and export your Panorama configuration in order to recover from a system failure.
Restore the configuration from the old Panorama server to the new server:
1. Select Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to locate the saved file, and click OK.
3. Click Load named Panorama configuration snapshot and select the version you just imported.
4. Click Commit and in the Commit Type select Panorama. Click OK.

Step 3: Verify that connections to the managed collectors are restored.
Select Panorama > Managed Collectors and check that the Managed Collectors are connected.
If the Managed Collectors don't appear, this indicates that you don't have the most recent Panorama configuration. Your configuration snapshot was taken before the managed Log Collector/Collector Group configuration was implemented on Panorama. For reconfiguring the managed Log Collector/Collector Group configuration, see Step 5.

Step 4: Fetch the ring file to restore access to the logs stored on the Managed Collector.
1. Access the CLI on Panorama.
2. Enter the following command to fetch the ring file:
   request fetch ring from log-collector <serial_number>
   For example:
   request fetch ring from log-collector 009201000343
3. Commit your changes to the Collector Group.
   commit-all log-collector-config log-collector-group <log_collector_group_name>

Step 5: Add the default local managed collector.
Required if the managed collector configuration is missing on Panorama.
1. Access the CLI on the managed collector and enter the following commands to view the last entries in the log. These commands allow you to verify the name of the managed collector that you must define on Panorama.
   a. Enter the command:
      request fetch ring from log-collector <serial_number>
      The following error will display:
      Server error: Failed to fetch ring info from <serial_number>
   b. Enter the command:
      less mp-log ms.log
      The following error will display:
      Dec04 11:07:08 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group
      The error message indicates that the missing Collector Group has the name CA-Collector-Group.
2. Create the Collector Group on Panorama, and add the managed collector as a member of this Collector Group.
   set log-collector-group CA-Collector-Group
   set log-collector-group CA-Collector-Group logfwd-setting collector 009201000343
3. Commit the changes to Panorama. Do not commit to the Collector Group at this point.
4. Fetch the ring file from the Log Collector using the command:
   request fetch ring from log-collector <serial_number>
5. Commit the changes to the Collector Group.
   commit-all log-collector-config log-collector-group <log_collector_group_name>
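Reading ms.log by eye works for one missing group; the following script, added as an example and not Panorama's own tooling, does the same extraction over a constructed ms.log sample (the Error line copies the format quoted in Step 5, the Info line is invented filler) and emits the Step 5 commands for each group it finds. An empty result means the log holds no such error and the Collector Group configuration is already present. The serial number used in the demo is the one from the guide; treat it as a placeholder.

```python
import re

# Constructed sample of ms.log lines (added example, not real Panorama output).
# The Error line follows the format quoted in Step 5; the Info line is filler.
SAMPLE_MS_LOG = """\
Dec04 11:06:59 Info: pan_cms_fetch_ring(pan_ops_cms.c:3650): requesting ring from 009201000343
Dec04 11:07:08 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group
Dec04 11:07:09 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group
"""

# Timestamp, the Error level, anything, then the fixed phrase and the group name.
MISSING_GROUP_RE = re.compile(
    r"^(?P<ts>\w+ \d{2}:\d{2}:\d{2}) Error: "
    r".*Current configuration does not contain group (?P<group>\S+)\s*$"
)


def missing_collector_groups(log_text):
    """Return (group, timestamp) for each distinct Collector Group that
    Panorama reported as missing, in order of first appearance. An empty
    list means the log contains no such error."""
    found = []
    seen = set()
    for line in log_text.splitlines():
        m = MISSING_GROUP_RE.match(line)
        if m and m.group("group") not in seen:
            seen.add(m.group("group"))
            found.append((m.group("group"), m.group("ts")))
    return found


def recovery_commands(group, collector_sn):
    """Panorama CLI commands from Step 5 (items 2 to 5) for one missing group.
    Mode switches (configure/exit) are left to the operator, as in the guide;
    the serial must be typed in full because the CLI will not complete it."""
    if not collector_sn.isalnum():
        raise ValueError("serial number must be given in full")
    return [
        f"set log-collector-group {group}",
        f"set log-collector-group {group} logfwd-setting collector {collector_sn}",
        "commit",
        f"request fetch ring from log-collector {collector_sn}",
        f"commit-all log-collector-config log-collector-group {group}",
    ]


if __name__ == "__main__":
    for group, ts in missing_collector_groups(SAMPLE_MS_LOG):
        print(f"{ts}: Panorama configuration is missing group {group}")
        for cmd in recovery_commands(group, "009201000343"):
            print("  " + cmd)
```

On a real appliance the input would be the output of `less mp-log ms.log` saved to a file; the regex anchors on the "Error:" level and the fixed phrase, so unrelated lines and repeated reports of the same group are ignored.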
Regenerate Metadata for M-100 Appliance RAID Pairs
When a system failure occurs on the M-100 appliance and you need to physically move the disks from one
appliance to another, regenerating the metadata is necessary. The metadata is required to locate logs on the disk;
when a user issues a log query, the query consults this metadata to access the requested log data.
For each configured RAID disk pair in the M-100 appliance, you must access the appliance CLI and run the
following command to regenerate the metadata:
request metadata-regenerate slot <slot_number>
For example:
request metadata-regenerate slot 1
The size of the RAID disks determines how long metadata regeneration takes. On average, it takes an hour for
every 100GB. When you run the command, the CLI session is locked until the command is fully executed. You
can use multiple CLI sessions to save time. For example, to replace four RAID pairs with a total of 4TB of log
data, launch four CLI sessions and run the command in each session to regenerate metadata simultaneously for
all the pairs/slots in about 10 hours.
During metadata regeneration, the Collector Group to which these disks belong is not available and the disk
pair is not available for any logging or reporting operations (writes/queries). However, you can perform other
tasks such as handling new firewall connections or managing configuration changes on the managed firewalls.
All other Collector Groups that Panorama manages and that aren't part of this RMA process can perform the
assigned logging and reporting functionality as normal.
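The one-hour-per-100GB rate and the "four sessions for four pairs" example above assume equal pair sizes. The planner below, added as an example and not Palo Alto Networks code, generalizes that to pairs of unequal size: it assigns pairs to a chosen number of parallel CLI sessions largest-first and reports how long the slowest session will take, so you can decide how many sessions to open before starting. Pair sizes and slot numbers in the demo are constructed.

```python
HOURS_PER_100GB = 1.0  # rate stated in the guide: about one hour per 100 GB


def regeneration_hours(size_gb):
    """Estimated wall-clock time to regenerate metadata for one RAID pair."""
    if size_gb < 0:
        raise ValueError("size must be non-negative")
    return size_gb / 100.0 * HOURS_PER_100GB


def plan_sessions(pair_sizes_gb, sessions):
    """Assign RAID pairs (slot number -> GB of log data) to parallel CLI
    sessions using longest-job-first greedy scheduling.

    Returns (total_hours, assignment): the estimated time until the last
    session finishes, and a dict of session index -> slot numbers to run in
    that session, in order. Each session runs its slots one after another
    because the CLI session is locked while the command executes."""
    if sessions < 1:
        raise ValueError("need at least one CLI session")
    loads = [0.0] * sessions
    assignment = {i: [] for i in range(sessions)}
    # Largest pairs first, ties broken by slot number, each onto the least-loaded session.
    for slot, size in sorted(pair_sizes_gb.items(), key=lambda kv: (-kv[1], kv[0])):
        idx = min(range(sessions), key=lambda i: loads[i])
        loads[idx] += regeneration_hours(size)
        assignment[idx].append(slot)
    return max(loads), assignment


if __name__ == "__main__":
    # Constructed input matching the guide's example: four pairs, 4 TB in total.
    four_pairs = {1: 1000, 2: 1000, 3: 1000, 4: 1000}
    for n in (1, 2, 4):
        hours, plan = plan_sessions(four_pairs, n)
        print(f"{n} session(s): about {hours:.0f} hours; slots per session {plan}")
```

With four equal 1 TB pairs the plan reproduces the guide's figure of about 10 hours for four sessions (and 40 hours for one); with unequal pairs the largest pair bounds the total, so more sessions than pairs never helps.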
Replace an RMA Firewall
To minimize the effort required to restore the configuration on a managed firewall involving a Return
Merchandise Authorization (RMA), replace the serial number of the old firewall with that of the
new/replacement firewall on Panorama. To then restore the configuration on the replacement firewall, either
import a firewall state that you previously generated and exported from the firewall or use Panorama to generate
a partial device state for managed firewalls running PAN-OS 5.0 and later versions. By replacing the serial number
and importing the device state, you can resume using Panorama to manage the firewall.
Partial Device State Generation for Firewalls
Before Starting RMA Firewall Replacement
Restore the Firewall Configuration after Replacement
Partial Device State Generation for Firewalls
When you use Panorama to generate a partial device state, it replicates the configuration of the managed
firewalls with a few exceptions for Large Scale VPN (LSVPN) setups. You create the partial device state by
combining two facets of the configuration on a managed firewall:
- Centralized configuration managed by Panorama: Panorama maintains a snapshot of the shared policies and templates that it pushes to firewalls.
- Local configuration on the firewall: When a configuration change is committed, each firewall sends a copy of its local configuration file to Panorama. Panorama stores this file and uses it to compile the partial device state bundle.
In an LSVPN setup, the partial device state bundle that you generate on Panorama is not the
same as the version that you export from a firewall (by selecting Device > Setup > Operations
and clicking Export device state). If you manually ran the device state export or scheduled an
XML API script to export the file to a remote server, you can use the exported device state in your
firewall replacement workflow.
If you did not export the device state, the device state that you generate in the replacement
workflow will not include the dynamic configuration information, such as the certificate details and
registered firewalls, that is required to restore the complete configuration of a firewall functioning
as an LSVPN portal. See Before Starting RMA Firewall Replacement for more information.
Panorama does not store the device state; you generate it on request using the CLI commands listed in Restore
the Firewall Configuration after Replacement.
Before Starting RMA Firewall Replacement
The managed firewall (that was replaced) must have been running PAN-OS 5.0.4 or a later version. Panorama cannot generate the device state for firewalls running older PAN-OS versions.
Record the following details about the old firewall:
- Serial number: You must enter the serial number on the Support portal to transfer the licenses from the old firewall to your replacement firewall. You will also enter this information on Panorama, to replace all references to the older serial number with the serial number of the replacement firewall.
- (Recommended) PAN-OS version and the content database version: Installing the same software and content database versions, including the URL database vendor, allows you to create the same state on the replacement firewall. If you decide to install the latest version of the content database, you may notice differences because of updates and additions to the database. To verify the versions installed on the firewall, access the firewall system logs stored on Panorama.
Prepare the replacement firewall for deployment. Before you import the device state bundle and restore the configuration, you must:
- Verify that the replacement firewall is of the same model and is enabled for similar operational capability. Consider the following operational features: does it need to be enabled for multi-virtual systems, support jumbo frames, or be enabled to operate in CC or FIPS mode?
- Configure network access, transfer the licenses, and install the appropriate PAN-OS version and the content database version.
- You must use the Panorama CLI to complete this firewall replacement process. This CLI-based workflow is available for the superuser and panorama-admin user roles.
- If you have an LSVPN configuration, and are replacing a Palo Alto Networks firewall deployed as a satellite device or as an LSVPN portal, the dynamic configuration information that is required to restore LSVPN connectivity will not be available when you restore the partial device state generated on Panorama. If you have been following the recommendation to frequently generate and export the device state for firewalls in an LSVPN configuration, use the device state that you have previously exported from the firewall itself instead of generating one on Panorama.
  If you have not manually exported the device state from the firewall, and need to generate a partial device state on Panorama, the missing dynamic configuration impacts the firewall replacement process as follows:
  - If the firewall you are replacing is a portal device that is explicitly configured with the serial number of the satellite devices (Network > GlobalProtect > Portals > Satellite Configuration), when restoring the firewall configuration, although the dynamic configuration is lost, the portal firewall will be able to authenticate the satellite devices successfully. The successful authentication will populate the dynamic configuration information and LSVPN connectivity will be reinstated.
  - If you are replacing a satellite firewall, the satellite firewall will not be able to connect and authenticate to the portal. This connection failure occurs either because the serial number was not explicitly configured on the firewall (Network > GlobalProtect > Portals > Satellite Configuration) or because, although the serial number was explicitly configured, the serial number of the replaced firewall does not match that of the old firewall. To restore connectivity, after importing the device state bundle, the satellite administrator must log in to the firewall and enter the credentials (username and password) for authenticating to the portal. When this authentication occurs, the dynamic configuration required for LSVPN connectivity is generated on the portal.
  However, if the firewall was configured in a high availability configuration, after restoring the configuration, the firewall will automatically synchronize the running configuration with its peer and attain the latest dynamic configuration required to function seamlessly.
Restore the Firewall Configuration after Replacement
Tasks on the new firewall:
Use the CLI for a more streamlined workflow.

Step 1: Perform initial configuration and verify network connectivity.
Use a serial port connection or an SSH connection to add an IP address, a DNS server IP address, and to verify that the firewall can access the Palo Alto Networks updates server.
For instructions, refer to the PAN-OS Administrators Guide.

Step 2: (Optional) Set the operational mode to match that on the old firewall.
A serial port connection is required for this task.
1. Enter the following CLI command to access maintenance mode on the firewall:
   debug system maintenance-mode
2. To boot into the maintenance partition, enter maint during the boot sequence.
3. Select the operational mode as Set FIPS Mode or Set CCEAL 4 Mode from the main menu.

Step 3: Retrieve the license(s).
Enter the following command to retrieve your licenses:
request license fetch

Step 4: (Optional) Match the operational state of the new firewall with that of the old firewall. For example, enable multi-virtual system (multi-vsys) capability for a firewall that was enabled for multi-vsys capability.
Enter the commands that pertain to your firewall settings:
set system setting multi-vsys on
set system setting jumbo-frame on

Step 5: Upgrade the PAN-OS version on the firewall.
You must upgrade to the same OS and content database version that is installed on the old firewall.
Enter the following commands:
1. To upgrade the content database version:
   request content upgrade download <xxx-xxxx>
2. To install the content database version that you downloaded:
   request content upgrade install version <xxx-xxxx>
3. To upgrade the PAN-OS software version:
   request system software download version 5.x.x
4. To install the PAN-OS software version that you downloaded:
   request system software install version 5.x.x

Tasks on the Panorama CLI:
You cannot perform these tasks on the Panorama web interface.

Step 6: Export the device state bundle to a computer using SCP or TFTP.
(Skip this step if you have manually exported the device state from your firewall.)
The export command generates the device state bundle as a tar zipped file and exports it to the specified location. This device state will not include the LSVPN dynamic configuration (satellite information and certificate details).
Enter one of the following commands:
scp export device-state device <old serial#> to <login>@<serverIP>:<path>
or,
tftp export device-state device <old serial#> to <login>@<serverIP>:<path>

Step 7: Replace the serial number of the old firewall with that of the new replacement firewall on Panorama.
By replacing the serial number on Panorama you allow the new firewall to connect to Panorama after you restore the configuration on the firewall.
1. Enter the following command in operational mode:
   replace device old <old SN#> new <new SN#>
2. Go into configuration mode and commit your changes.
   configure
   commit
3. Exit configuration mode.
   exit

Tasks on the new firewall:
You can use the firewall web interface to perform these tasks.

Step 8: Import the device state and commit the changes on the firewall.
1. Access the web interface of the firewall.
2. Select Device > Setup > Operations and click the Import Device State link in the Configuration Management section.
3. Browse to locate the file and click OK.
4. Click Commit to save your changes to the running configuration on the firewall.
5. To confirm that the restored device state includes the references to Panorama-pushed policies and objects, verify that a little green icon appears beside the device name.

Tasks on Panorama:
You can now use the Panorama web interface to access and manage the replaced firewall.

Step 9: Verify that you successfully restored the firewall configuration.
1. Access the Panorama web interface and select Panorama > Managed Devices.
2. Verify that the Connected column for the new firewall has a check mark.

Step 10: Synchronize the firewall with Panorama.
1. Click Commit, set the Commit Type to Device Group, select the device group that contains the firewall, select the Include Device and Network Template check box, and click Commit again.
2. (M-Series only) If your managed firewalls forward logs to Log Collectors, click Commit, set the Commit Type to Collector Group, select the Collector Group that contains the firewall, and click Commit again.
If you need to generate reports for a period when the old firewall was still functional after you installed the new firewall, you must generate a separate query for each firewall serial number because replacing the serial number on Panorama does not overwrite the information in logs.
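Because the logs keep whatever serial number the firewall had when it wrote them, any report that spans an RMA has to query both serials. The helper below, added as an example and not Panorama functionality, records each serial replacement and expands a current serial into its full lineage before filtering log records, so a reporting script outside Panorama (a SIEM export, for instance) does not silently drop the old firewall's entries. The log records and serial numbers are constructed placeholders.

```python
# Constructed sample log records, keyed by the serial number the firewall had
# when it produced each entry. Serials are placeholders, not real devices.
SAMPLE_LOGS = [
    {"serial": "OLD000000001", "time": "2016-01-10T08:00:00Z", "app": "ssl"},
    {"serial": "OLD000000001", "time": "2016-01-12T09:30:00Z", "app": "dns"},
    {"serial": "NEW000000002", "time": "2016-01-14T10:15:00Z", "app": "web-browsing"},
    {"serial": "OTHER0000003", "time": "2016-01-14T10:16:00Z", "app": "ssh"},
]


class SerialHistory:
    """Records each 'replace device old X new Y' so that a report can cover
    every serial number a firewall has had. Panorama keeps no such map for
    log queries, which is why each serial must be queried explicitly."""

    def __init__(self):
        self._previous = {}  # replacement serial -> serial it replaced

    def replace(self, old, new):
        """Register that `new` took over from `old`; reject inconsistent input."""
        if old == new:
            raise ValueError("old and new serial numbers are identical")
        if new in self._previous:
            raise ValueError(f"{new} is already recorded as a replacement")
        if new in self.lineage(old):
            raise ValueError("replacement would create a cycle")
        self._previous[new] = old

    def lineage(self, serial):
        """Current serial first, then every serial it (transitively) replaced."""
        chain = [serial]
        while chain[-1] in self._previous:
            chain.append(self._previous[chain[-1]])
        return chain


def logs_for_device(records, history, current_serial):
    """Select the log records of one firewall across an RMA: one query per
    serial in its lineage, merged and ordered by time."""
    serials = set(history.lineage(current_serial))
    return sorted((r for r in records if r["serial"] in serials),
                  key=lambda r: r["time"])


if __name__ == "__main__":
    history = SerialHistory()
    history.replace("OLD000000001", "NEW000000002")
    for rec in logs_for_device(SAMPLE_LOGS, history, "NEW000000002"):
        print(rec["time"], rec["serial"], rec["app"])
```

Feed `SerialHistory.replace` the same old/new pairs you pass to `replace device` on Panorama and keep that history with your reporting scripts; a device that has been replaced more than once resolves to its whole chain.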
Diagnose Template Commit Failures
A template commit could fail because of the following reasons:
- Capability mismatch: When configuring a template, the following options are available: multiple virtual systems capability, VPN mode, and operational mode.
  - If the multiple virtual systems capability is enabled (the Virtual systems check box is selected), a template commit failure will occur when you push the template to firewalls that are not capable of, or enabled for, multiple virtual systems functionality.
    To resolve the error, select Panorama > Templates, click the template name to edit it, and clear the Virtual systems check box.
  - If you push VPN-related configuration options to firewalls that are hard-coded to disallow VPN configuration.
    To resolve the error, select Panorama > Templates, click the template name to edit it, and select the VPN Disable Mode check box.
  - If the operational mode on the firewall differs from that on the template. For example, the managed firewall might be enabled for FIPS mode while the template is enabled for normal mode.
    To resolve the error, select Panorama > Templates, click the template name to edit it, and verify that the Operational mode selection is correct.
- The managed firewall is not enabled for receiving template and device group changes from Panorama. This happens when the ability to receive template and device group configuration changes has been disabled on the firewall.
  To resolve the error, access the web interface of the firewall, select Device > Setup, edit the Panorama Settings section, and then click Enable Device and Network Template and Enable Panorama Policy and Objects.
View Task Success or Failure Status
Use the Task Manager icon at the bottom right of the Panorama web interface to view the success or failure of a task. The Task Manager also displays a detailed message to help debug an issue. For details, see View Panorama Task Completion History.