
Palo Alto Networks' Panorama provides centralized management of Palo Alto products, including firewalls. Panorama can manage firewalls with different geographical configurations, and it is recommended to use the same PAN-OS version on both Panorama and the firewalls. When a new configuration is pushed from Panorama to a pair of firewalls, the passive firewall receives the configuration and then synchronizes with the active firewall. This process ensures that the firewalls are in sync and can be fully managed via Panorama.
| Characteristics | Values |
|---|---|
| Syncing after config push from Panorama | The passive firewall syncs with the active firewall; the active firewall does not sync with the passive firewall. |
| Syncing after config push from Panorama (HA pair) | Both firewalls will receive the configuration and will need to sync. |
| Syncing after config push from Panorama (no HA pair) | No sync is performed. |
| Panorama management | Panorama can manage 99% of the configuration. |
| Panorama configuration impact | The import does not impact the config; it makes a copy of the configuration to Panorama. |
| Panorama configuration push | Pushing the configuration to the firewall will remove all policy rules and objects from the local configuration. |
| Panorama configuration override | A template configuration will not override the local firewall configuration unless "Force Template values in the Push Scope selection" is clicked. |
| Panorama communication security | Communication between devices can be secured via a predefined or local certificate. |
| Panorama license management | Panorama can manage all licenses on managed devices. |
| Panorama software management | Panorama can manage software upgrades from a central location. |
| Panorama network and device configuration | By default, the network and device configuration are pushed to the firewall, but will not override the existing configuration on the firewall. |

Firewall configuration
Initial Setup and Requirements
Before initiating the configuration process, it's essential to ensure that the Panorama server and the firewalls are running compatible versions of PAN-OS. Palo Alto Networks recommends using the same PAN-OS version on both Panorama and the firewalls. However, it is acceptable to have a higher PAN-OS version on Panorama. Additionally, establish bidirectional connectivity over TCP/3389 between Panorama and the firewalls. If you're using a VM Series firewall, ensure that you have a valid serial number before beginning the integration process.
Authentication and Connection
To establish a secure connection between Panorama and the firewalls, create a unique device registration authentication key on the Panorama management server. This key will be used for mutual authentication during the initial connection. Add the Panorama IP address and the authentication key to each firewall. The authentication key ensures secure communication between Panorama and the firewalls.
Importing and Exporting Configurations
The next step involves importing the firewall configurations into Panorama. Navigate to Panorama > Setup > Operations, and select "Import device configuration to Panorama" under configuration management. This step makes a copy of the firewall configuration to Panorama without impacting the existing configuration. After importing, you can update the device group and template configurations as needed for standardization.
Once the configurations are imported, you can export the Panorama and Devices config bundle, which includes all firewall configurations. This step can be automated with a scheduled export for backup purposes. When a commit is performed on a local firewall, a backup is automatically sent to Panorama.
Pushing Configurations to Firewalls
After importing and standardizing configurations, you can push the updated configurations to the firewalls. Navigate to Panorama > Setup > Operations, and select "Export or Push device config bundle." Verify the Device Group and Template and click on "Push." This action triggers commit jobs on the firewalls for network and device configuration updates. It's important to note that pushing configurations to firewalls will remove all policy rules and objects from the local configuration.
Managing HA Firewalls
When dealing with High Availability (HA) firewalls, there are specific considerations to make. If the firewalls are configured as an active/passive HA pair, the device registration authentication key is only required for the primary peer. Panorama in HA configuration synchronizes the Certificate Authority (CA) certificate, enabling the secondary peer to manage firewalls in case of HA failover. To avoid configuration conflicts, disable config sync on each firewall before committing changes.
Final Verification
After completing the configuration process, it's crucial to verify the status of the firewalls. Navigate to Panorama > Managed Devices > Summary to ensure that the firewalls are connected and in sync. You may also check the managed device summary to confirm that the firewall policies and templates are synchronized. Green icons indicate that everything is functioning correctly.

Panorama management
Panorama™ is a network security management tool by Palo Alto Networks. It provides a single location for centralized policy and firewall management, increasing operational efficiency in managing and maintaining a distributed network of firewalls. Panorama can manage all licences on managed devices, and it can also manage software upgrades from a central location. Panorama helps you organize firewall management with hierarchical device groups, dynamic address and user groups, role-based access control, and policy tags. Preconfigured templates shorten the time needed to create new rulesets. Panorama scales easily as your firewall deployment grows: a single high-availability pair of appliances can manage up to 5,000 virtual, container, and physical Palo Alto Networks firewalls. Panorama can be deployed as a virtual or physical appliance, or both, and used as a manager or Log Collector, or both.
When migrating a pair of PAN-OS firewalls to Panorama management, the HA firewalls' serial number is added to Panorama, and an auth key is generated and pasted into the firewalls' Panorama management settings. The Panorama IP address is set on the Active firewall, and the auth key is pasted. The Panorama IP will sync across to the passive firewall. The auth key only needs to be added to one of the HA firewalls. Next, config sync is disabled on each firewall to ensure that the High Availability template configuration on the active firewall does not overwrite the Passive firewall HA configuration. Then, a commit is performed on both firewalls. Both firewalls will receive the configuration and will need to sync.

Active/passive HA pair
Panorama is a network management solution that allows administrators to manage and monitor multiple firewalls from a central location. It provides a single pane of glass view of the entire network, enabling administrators to easily deploy and manage security policies, VPN configurations, and other network settings across all firewalls in the organization.
When it comes to managing an Active/Passive High Availability (HA) pair of firewalls using Panorama, there are a few key considerations and steps to follow:
Initial Configuration
When deploying Panorama for the first time, it is recommended to minimize local configuration on the firewalls and let Panorama manage most of the configuration. This ensures consistency and simplifies management. However, in some cases, local configurations such as Security Policies and IPSec settings may need to be imported into Panorama.
Adding the HA Pair to Panorama
To add an Active/Passive HA pair of firewalls to Panorama, follow these general steps:
- Generate an authentication key in Panorama and paste it into the firewalls' Panorama management settings.
- Set the Panorama IP address on the Active firewall.
- Verify that the Passive firewall receives the Panorama IP address. If not, manually paste the auth key into the Passive firewall.
- Disable Config Sync on each firewall to prevent the Active firewall's High Availability template configuration from overwriting the Passive firewall's configuration.
- Commit the changes to both firewalls.
- Import both firewall configurations into Panorama, ensuring that device-specific objects are handled appropriately to avoid duplication.
- Verify that the device group and templates are in synchronization on both Active and Passive Panorama under the devices summary page.
Pushing Configurations to the HA Pair
Once the HA pair is successfully added to Panorama, administrators can push configurations from Panorama to the firewalls. However, it is important to note that after a configuration push from Panorama, the firewalls do not automatically sync with each other. The passive firewall receives the configuration from Panorama and synchronizes it with the active firewall. Therefore, any local policies or configurations on the active firewall that are not managed by Panorama must be synced separately to the passive firewall.
Upgrading Panorama HA Pair
When upgrading the Panorama HA pair to a newer software version, follow the recommended upgrade path based on the SD-WAN plugin version. It is generally recommended to ensure that the Panorama software version is higher than the PAN-OS version. After upgrading, verify the HA states of the Active and Passive Panorama devices and perform a force switchover if necessary to maintain the desired HA state.

Panorama policy
Panorama is a management tool that allows users to centrally manage firewall policies. It is designed to work with Palo Alto Networks' PAN-OS firewalls. Panorama can manage policies, objects, and network templates, as well as software upgrades and licenses on managed devices.
When setting up Panorama, it is recommended to minimise local configuration on the firewalls and allow Panorama to manage most of the configuration. This can be done by importing the firewall configurations into Panorama and then pushing the Panorama configuration to the firewalls. This process will remove all policy rules and objects from the local configuration of the firewalls.
On Panorama, policies are created as Pre Rules or Post Rules. Pre Rules are evaluated first, while Post Rules are evaluated after any locally defined rules on the firewall. Pre Rules can be used to enforce an organisation's Acceptable Use Policy, such as blocking access to specific URL categories or allowing DNS traffic for all users. Post Rules typically include rules to deny access based on App-ID, User-ID, or Service. These rules can be defined in a shared context for all managed firewalls or in a device group context for specific device groups. Once created and pushed to the managed firewalls, the Pre and Post Rules can only be edited on Panorama.
After pushing a rule in Panorama, the Rule Usage feature shows whether the rule is used by all, partially used, or unused by devices in the device group. Panorama also provides a Preview Rules feature that displays the Hit Count, Last Hit, and First Hit for each policy rule in the device group.
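The evaluation order described above, as an added example (not Palo Alto Networks code and not part of the original page): a simplified first-match model that compares zones and application only, extended with the PAN-OS built-in intrazone-default and interzone-default rules. The layer labels, rule names, zones and applications are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"
# Evaluation order: Panorama Pre Rules, then local firewall rules, then Post Rules.
LAYER_ORDER = ("shared-pre", "device-group-pre", "local", "device-group-post", "shared-post")

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str
    action: str  # "allow" or "deny"

    def key(self):
        return (self.src_zone, self.dst_zone, self.app)

    def matches(self, flow):
        return all(want in (ANY, got) for want, got in zip(self.key(), flow))

    def covers(self, other):
        # True when every flow that matches `other` also matches this rule.
        return all(m in (ANY, t) for m, t in zip(self.key(), other.key()))

def evaluate(layers, flow):
    """Return (layer, rule name, action) of the first rule that matches flow."""
    for layer in LAYER_ORDER:
        for rule in layers.get(layer, []):
            if rule.matches(flow):
                return layer, rule.name, rule.action
    # Nothing matched: the built-in default rules decide.
    if flow[0] == flow[1]:
        return "default", "intrazone-default", "allow"
    return "default", "interzone-default", "deny"

def shadowed_local_rules(layers):
    """Local rules that can never match because a Pre Rule covers them first."""
    pre = layers.get("shared-pre", []) + layers.get("device-group-pre", [])
    pairs = ((loc, next((p for p in pre if p.covers(loc)), None))
             for loc in layers.get("local", []))
    return [(loc.name, p.name) for loc, p in pairs if p]

# Constructed sample rulebase (all names are hypothetical).
LAYERS = {
    "shared-pre": [Rule("allow-dns", ANY, "untrust", "dns", "allow")],
    "device-group-pre": [Rule("dg-deny-ssh-out", "trust", "untrust", "ssh", "deny")],
    "local": [Rule("local-allow-ssh", "trust", "untrust", "ssh", "allow"),
              Rule("local-allow-web", "trust", "untrust", "web-browsing", "allow")],
    "device-group-post": [Rule("dg-deny-bittorrent", ANY, ANY, "bittorrent", "deny")],
}
```

`shadowed_local_rules(LAYERS)` flags `local-allow-ssh`: the device-group Pre Rule denies that traffic first, so the local allow is dead configuration and a candidate for cleanup during migration.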

Local configuration
When migrating a pair of PAN-OS firewalls to Panorama, it is recommended to minimise local configuration on the firewalls and allow Panorama to manage most of the configuration. However, certain local configurations, such as unique management settings like hostname, IP address, and High-Availability (HA) settings, will remain in place.
To ensure a smooth migration, it is important to disable config sync on each firewall to prevent the High-Availability template configuration on the active firewall from overwriting the Passive firewall HA configuration. This is because high-availability settings are unique to each firewall. Additionally, the import process does not directly impact the local configuration; instead, it creates a copy of the configuration in Panorama.
After the migration, administrators can push selective configuration changes to the managed firewalls. This allows for greater control and reduces the risk of pushing incomplete configurations. Panorama administrators can include configuration changes committed by other Panorama administrators, ensuring multiple administrators can manage firewall configurations without disrupting each other.
It is important to note that local firewall configuration changes made independently of Panorama will merge with the Panorama configuration push by default. To prevent this, administrators can disable the "Merge with Device Candidate Config" setting. This setting allows administrators to push configuration changes independently and maintain their defined operational procedures.
Frequently asked questions
Panorama provides centralized management of Palo Alto Networks products, such as firewalls and Prisma.
PANs come with a standard configuration, which can interfere with the configuration pushed from Panorama. To avoid this, the standard configuration must be deleted in the correct order to avoid dependency errors.
First, add the firewall to the Panorama summary. Then, import the configuration from the firewall to Panorama. Next, export the same configuration to the firewall. Finally, select the Force Template Value to complete the integration.
First, add the HA firewalls' serial number to Panorama and generate an auth key. Set the Panorama IP address on the active firewall and paste the auth key. The Panorama IP will sync across to the passive firewall. Finally, commit to both firewalls and import the firewall configurations into Panorama.
The configuration will remove all policy rules and objects from the local configuration. The firewall policies and templates should be checked to ensure they are in sync.





































