Paloalto networks Panorama 6.1 Service manual

Panorama™

Administrator’s

Guide

Version6.1

2•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

ContactInformation

CorporateHeadquarters:

PaloAltoNetworks

4401GreatAmericaParkway

SantaClara,CA95054

www.paloaltonetworks.com/company/contact‐support

AboutthisGuide

ThisguidedescribeshowtosetupandusePanorama™forcentralizedmanagement;itisintendedforadministrators

whowantthebasicframeworktoquicklysetupthePanoramavirtualapplianceortheM‐100appliancefor

centralizedadministrationofPaloAltoNetworksfirewalls.

IfyouhaveanM‐100appliance,thisguidetakesoverafteryoufinishrackmountingyourM‐100appliance.

Formoreinformation,refertothefollowingsources:

ForinformationonhowtoconfigureothercomponentsinthePaloAltoNetworksNext‐GenerationSecurity

Platform,gototheTechnicalDocumentationportal:https://www.paloaltonetworks.com/documentationor

searchthedocumentation.

Foraccesstotheknowledgebase,completedocumentationset,discussionforums,andvideos,referto

https://live.paloaltonetworks.com.

Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopena

supportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.

ForthemostcurrentPAN‐OSandPanorama6.1releasenotes,goto

https://www.paloaltonetworks.com/documentation/61/pan‐os/pan‐os‐release‐notes.html.

Toprovidefeedbackonthedocumentation,pleasewritetousat:[email protected].

PaloAltoNetworks,Inc.

www.paloaltonetworks.com

©2014–2017PaloAltoNetworks,Inc.PaloAltoNetworksisaregisteredtrademarkofPaloAltoNetworks.Alistofourtrademarkscanbe

foundat

https://www.paloaltonetworks.com/company/trademarks.html

.Allothermarksmentionedhereinmaybetrademarksof

theirrespectivecompanies.

RevisionDate:June27,2017

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•3

TableofContents

PanoramaOverview...................................................9

AboutPanorama..................................................................10

PanoramaPlatforms...............................................................11

CentralizedConfigurationandDeploymentManagement...............................12

ContextSwitch—FirewallorPanorama ...........................................12

Templates ....................................................................12

DeviceGroups ................................................................13

CentralizedLoggingandReporting ..................................................16

LoggingOptions ...............................................................16

ManagedCollectorsandCollectorGroups........................................17

CaveatsforaCollectorGroupwithMultipleLogCollectors .........................17

CentralizedReporting..........................................................19

PanoramaCommitOperations......................................................20

Role‐BasedAccessControl.........................................................22

AdministrativeRoles...........................................................22

AuthenticationProfilesandSequences...........................................23

AccessDomains ...............................................................24

AdministrativeAuthentication ...................................................24

PanoramaRecommendedDeployments ..............................................25

PanoramaforCentralizedManagementandReporting .............................25

PanoramainaDistributedLogCollectionDeployment .............................26

PlanYourDeployment .............................................................27

DeployPanorama:TaskOverview ...................................................29

SetUpPanorama....................................................31

DeterminePanoramaLogStorageRequirements......................................32

SetUpthePanoramaVirtualAppliance ..............................................34

SetupPrerequisitesforthePanoramaVirtualAppliance ............................34

InstallPanoramaontheESX(i)Server.............................................35

PerformInitialConfigurationofthePanoramaVirtualAppliance .....................36

ExpandLogStorageCapacityonthePanoramaVirtualAppliance ....................38

IncreaseCPUsandMemoryonthePanoramaVirtualAppliance.....................40

CompletethePanoramaVirtualApplianceSetup ..................................41

SetUptheM‐100Appliance........................................................42

PerformInitialConfigurationoftheM‐100Appliance..............................43

SetuptheM‐100ApplianceasaLogCollector ....................................46

IncreaseStorageontheM‐100Appliance ........................................50

MigratefromaPanoramaVirtualAppliancetoanM‐100Appliance......................52

PrerequisitesforMigratingtoanM‐100Appliance.................................52

PlantoMigratetoanM‐100Appliance...........................................52

MigratetoanM‐100Appliance .................................................53

ResumeFirewallManagementafterMigratingtoanM‐100Appliance................54

4•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

TableofContents

RegisterPanoramaandInstallLicenses...............................................56

RegisterPanorama.............................................................56

ActivateaPanoramaSupportLicense.............................................57

Activate/RetrieveaDeviceManagementLicenseonthePanoramaVirtualAppliance ...57

Activate/RetrieveaDeviceManagementLicenseontheM‐100Appliance ............58

InstallContentandSoftwareUpdatesforPanorama ...................................60

Panorama,LogCollector,andFirewallVersionCompatibility ........................60

InstallUpdatesforPanoramainanHAConfiguration ...............................61

InstallUpdatesforPanoramawithanInternetConnection ..........................62

InstallUpdatesforPanoramawithoutanInternetConnection .......................66

AccessandNavigatePanoramaManagementInterfaces ................................70

LogintothePanoramaWebInterface ............................................70

NavigatethePanoramaWebInterface............................................70

LogintothePanoramaCLI......................................................71

SetUpAdministrativeAccesstoPanorama ...........................................73

CreateanAdministrativeAccount ................................................73

DefineanAccessDomain .......................................................75

CreateanAuthenticationProfile.................................................75

DefineanAuthenticationSequence..............................................76

ConfigureAdministrativeAuthentication..........................................77

ManageFirewalls ....................................................83

AddaFirewallasaManagedDevice .................................................84

ManageDeviceGroups.............................................................85

AddaDeviceGroup ............................................................85

CreateObjectsforUseinSharedorDeviceGroupPolicy ...........................86

ManageSharedObjects.........................................................87

SelectaURLFilteringVendoronPanorama .......................................88

PushaPolicytoaSubsetofFirewalls .............................................89

ManagetheRuleHierarchy .....................................................90

ManageTemplates.................................................................93

TemplateCapabilitiesandExceptions.............................................93

AddaTemplate ................................................................94

OverrideaTemplateSetting.....................................................96

Disable/RemoveTemplateSettings ..............................................97

TransitionaFirewalltoPanoramaManagement .......................................98

UseCase:ConfigureFirewallsUsingPanorama ........................................99

DeviceGroups.................................................................99

Templates....................................................................100

SetUpYourCentralizedConfigurationandPolicies ...............................101

ManageLogCollection .............................................107

EnableLogForwardingtoPanorama................................................108

LogForwardingtoPanorama:WorkflowsbyLogType.............................108

ConfigureLogForwardingtoPanorama..........................................109

ConfigureaManagedCollector.....................................................113

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•5

TableofContents

ManageCollectorGroups ......................................................... 117

ConfigureaCollectorGroup ................................................... 117

MoveaLogCollectortoaDifferentCollectorGroup .............................. 120

RemoveaFirewallfromaCollectorGroup....................................... 121

VerifyLogForwardingtoPanorama ................................................ 122

ModifyLogForwardingandBufferingDefaults....................................... 123

EnableLogForwardingfromPanoramatoExternalDestinations ....................... 125

LogCollectionDeployments ....................................................... 128

PlanaLogCollectionDeployment .............................................. 128

DeployPanoramawithDedicatedLogCollectors................................. 131

DeployPanoramawithDefaultLogCollectors.................................... 137

DeployPanoramaVirtualApplianceswithLocalLogCollection ..................... 144

ManageLicensesandUpdates........................................147

ManageLicensesonFirewallsUsingPanorama....................................... 148

DeployUpdatestoDevicesUsingPanorama ......................................... 149

SupportedUpdatesbyDeviceType ............................................. 149

ScheduleContentUpdatestoDevicesUsingPanorama............................ 149

DeployUpdatestoDeviceswhenPanoramaHasanInternetConnection ............ 151

DeployUpdatestoDeviceswhenPanoramaHasNoInternetConnection ........... 154

MonitorNetworkActivity............................................159

UsePanoramaforVisibility........................................................ 160

MonitortheNetworkwiththeACCandAppScope ............................... 160

AnalyzeLogData ............................................................. 162

Generate,Schedule,andEmailReports.......................................... 162

UseCase:MonitorApplicationsUsingPanorama..................................... 166

UseCase:RespondtoanIncidentUsingPanorama................................... 170

IncidentNotification.......................................................... 170

ReviewThreatLogs ........................................................... 171

ReviewWildFireLogs......................................................... 172

ReviewDataFilteringLogs..................................................... 173

UpdateSecurityPolicies ....................................................... 173

PanoramaHighAvailability...........................................175

PanoramaHAPrerequisites........................................................ 176

PriorityandFailoveronPanoramainHA ............................................ 177

FailoverTriggers ................................................................. 179

HAHeartbeatPollingandHelloMessages....................................... 179

HAPathMonitoring........................................................... 179

LoggingConsiderationsinPanoramaHA ............................................ 181

LoggingFailoveronaPanoramaVirtualAppliance ................................ 181

LoggingFailoveronanM‐100Appliance ........................................ 181

SynchronizationBetweenPanoramaHAPeers ....................................... 183

6•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

TableofContents

ManageaPanoramaHAPair .......................................................184

SetUpHAonPanorama.......................................................184

TestPanoramaHAFailover ....................................................186

SwitchPriorityafterPanoramaFailovertoResumeNFSLogging ....................186

RestorethePrimaryPanoramatotheActiveState ................................187

AdministerPanorama...............................................189

ManageConfigurationBackups.....................................................190

ScheduleExportofConfigurationFiles...........................................190

ManagePanoramaConfigurationBackups .......................................191

ConfiguretheNumberofConfigurationBackupsPanoramaStores ..................192

LoadaConfigurationBackuponaManagedFirewall ..............................192

CompareChangesinPanoramaConfigurations .......................................194

RestrictAccesstoConfigurationChanges............................................195

TypesofLocks................................................................195

LocationsforTakingaLock ....................................................195

TakeaLock ..................................................................196

ViewLockHolders............................................................196

EnableAutomaticAcquisitionoftheCommitLock ................................196

RemoveaLock ...............................................................197

AddCustomLogostoPanorama ....................................................198

ViewPanoramaTaskCompletionHistory ............................................199

ReallocateLogStorageQuota ......................................................200

MonitorPanorama ................................................................202

PanoramaSystemandConfigurationLogs........................................202

SetUpEmailAlertsforPanorama...............................................203

SetUpSNMPtoMonitorPanorama .............................................204

RebootorShutDownPanorama....................................................208

GenerateDiagnosticFilesforPanorama.............................................209

ConfigurePanoramaPasswordProfilesandComplexity ...............................210

ReplaceaFailedDiskonanM‐100Appliance........................................212

ReplacetheVirtualDiskonaPanoramaVirtualAppliance .............................213

Troubleshooting ...................................................215

TroubleshootPanoramaSystemIssues..............................................216

DiagnosePanoramaSuspendedState............................................216

MonitortheFileSystemIntegrityCheck.........................................216

ManagePanoramaStorageforSoftwareandContentUpdates .....................216

RecoverfromSplitBraininPanoramaHADeployments............................217

TroubleshootLogStorageandConnectionIssues .....................................219

WhatPortsareUsedbyPanorama?.............................................219

ResolveZeroLogStorageforaCollectorGroup...................................220

RecoverLogsafterFailure/RMAofM‐100ApplianceinLogCollectorMode .........220

RecoverLogsafterFailure/RMAofM‐100ApplianceinPanoramaMode ............224

RecoverLogsafterPanoramaFailure/RMAinNon‐HADeployments ................229

RegenerateMetadataforM‐100ApplianceRAIDPairs............................231

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•7

TableofContents

ReplaceanRMAFirewall .......................................................... 233

PartialDeviceStateGenerationforFirewalls ..................................... 233

BeforeStartingRMAFirewallReplacement...................................... 233

RestoretheFirewallConfigurationafterReplacement ............................. 235

DiagnoseTemplateCommitFailures ................................................ 238

ViewTaskSuccessorFailureStatus ................................................ 239

8•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

TableofContents

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•9

PanoramaOverview

PanoramaprovidescentralizedmanagementandvisibilityofmultiplePaloAltoNetworksnext‐generation

firewalls.Itallowsyoutooverseeallapplications,users,andcontenttraversingthenetworkfromone

location,andthenusethisknowledgetocreateapplicationenablementpoliciesthatprotectandcontrolthe

entirenetwork.UsingPanoramaforcentralizedpolicyanddevicemanagementincreasesoperational

efficiencyinmanagingandmaintainingadistributednetworkoffirewalls.

ThefollowingsectionsdescribePanoramaandprovideguidelinesforplanningyourPanoramadeployment:

AboutPanorama

PanoramaPlatforms

CentralizedConfigurationandDeploymentManagement

CentralizedLoggingandReporting

PanoramaCommitOperations

Role‐BasedAccessControl

PanoramaRecommendedDeployments

PlanYourDeployment

DeployPanorama:TaskOverview

10•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

AboutPanorama PanoramaOverview

AboutPanorama

PanoramaprovidescentralizedmanagementofthePaloAltoNetworksnext‐generationfirewalls,asthe

followingfigureillustrates:



Panoramaallowsyoutoeffectivelyconfigure,manage,andmonitoryourPaloAltoNetworksfirewallsusing

centraloversightwithlocalcontrol,asrequired.ThethreefocalareasinwhichPanoramaaddsvalueare:

Centralizedconfigurationanddeployment—Tosimplifycentralmanagementandrapiddeploymentof

thefirewallsonyournetwork,usePanoramatopre‐stagethefirewallsfordeployment.Youcanthen

assemblethefirewallsintogroups,andcreatetemplatestoapplyabasenetworkanddevice

configurationandusedevicegroupstoadministergloballysharedandlocalpolicies.SeeCentralized

ConfigurationandDeploymentManagement.

Aggregatedloggingwithcentraloversightforanalysisandreporting—Collectinformationonactivity

acrossallthemanagedfirewallsonthenetworkandcentrallyanalyze,investigateandreportonthedata.

Thiscomprehensiveviewofnetworktraffic,useractivity,andtheassociatedrisksempowersyouto

respondtopotentialthreatsusingtherichsetofpoliciestosecurelyenableapplicationsonyournetwork.

SeeCentralizedLoggingandReporting.

Distributedadministration—Allowsyoutodelegateorrestrictaccesstoglobalandlocalfirewall

configurationsandpolicies.SeeRole‐BasedAccessControlfordelegatingappropriatelevelsofaccessfor

distributedadministration.

Panoramaisavailableintwoplatforms:asavirtualapplianceandasadedicatedhardwareappliance.For

moreinformation,seePanoramaPlatforms.

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•11

PanoramaOverview PanoramaPlatforms

PanoramaPlatforms

Panoramaisavailableintwoplatforms,eachofwhichsupportsfirewallmanagementlicensesformanaging

upto25,100,or1,000firewalls:

Panoramavirtualappliance—ThePanoramavirtualapplianceisinstalledonaVMwareserver.Itallows

forasimpleinstallationandfacilitatesserverconsolidationforsitesthatneedavirtualmanagement

appliance.ItalsosupportsintegrationwithaNetworkFileSystem(NFS)forincreasedstorageand(>2TB)

logretentioncapabilities.

ThePanoramavirtualappliancebestsuitsenvironmentswithloggingratesofupto10,000logs/second.

M‐100appliance—Adedicatedhardwareapplianceintendedforlargescaledeployments.In

environmentswithhighloggingratesandlogretentionrequirements,thisplatformenablesscalingof

yourlogcollectioninfrastructure.TheappliancesupportsRAID1mirroringtoprotectagainstdisk

failures,andthedefaultconfigurationshipswithtwo1TBdrives;withadditionalRAIDpairs,theM‐100

appliancecansupportupto4TBoflogstorage.

TheM‐100applianceallowsforseparationofthecentralmanagementfunctionfromthelogcollection

functionbysupportingthefollowingdeploymentmodes:

– Panoramamode:Theapplianceperformsboththecentralmanagementandthelogcollection

functions.Thisisthedefaultmode.

–LogCollectormode:TheappliancefunctionsasadedicatedLogCollector,whicheitheranM‐100

applianceinPanoramamodeoraPanoramavirtualappliancecanmanage.

WhendeployedinLogCollectormode,theappliancedoesnothaveawebinterface;administrative

accessisCLIonly.However,youmanagetheapplianceusingthePanoramamanagementserver

(M‐100applianceinPanoramamodeoraPanoramavirtualappliance).CLIaccesstoanM‐100

applianceinLogCollectormodeisonlynecessaryforinitialsetupanddebugging.

Theplatformchoicedependsonyourneedforavirtualapplianceandyourlogcollectionrequirements(see

DeterminePanoramaLogStorageRequirements):

LogCollectionRate Platform

Upto10,000logs/second Panoramavirtualappliance

Upto30,000logs/second M‐100appliance

12•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

CentralizedConfigurationandDeploymentManagement PanoramaOverview

CentralizedConfigurationandDeploymentManagement

PanoramausesDeviceGroupsandTemplatestogroupdevicesintosmallerandmorelogicalsetsthatrequire

similarconfiguration.Allconfigurationelements,policies,andobjectsonthemanagedfirewallscanbe

centrallymanagedonPanoramausingDeviceGroupsandTemplates.Inadditiontomanagingconfiguration

andpolicies,Panoramaenablesyoutocentrallymanagelicenses,softwareandassociatedcontentupdates:

SSL‐VPNclients,GlobalProtectagents,dynamiccontentupdates(Applications,Threats,WildFireand

Antivirus).

ContextSwitch—FirewallorPanorama

Templates

DeviceGroups

ContextSwitch—FirewallorPanorama

ThePanoramawebinterfaceallowsyoutotogglebetweenaPanorama‐centricviewandafirewall‐centric

viewusingthecontextswitch.YoucanchoosetomanagethefirewallcentrallyusingPanoramaandthen

switchcontexttoaspecificmanagedfirewalltoconfigurethefirewallusingthefirewalluserinterface.The

similarityoftheuserinterfaceonthemanagedfirewallsandPanoramaallowsyoutoseamlesslymove

betweentheinterfacestoadministerandmonitorthefirewallasrequired.

IfyouhaveconfiguredAccessDomainstorestrictadministrativeaccesstospecificmanagedfirewalls,the

Panoramauserinterfacedisplaysonlythefirewalls/featuresforwhichthelogged‐inadministratorhas

permissions.

Templates

Youusetemplatestoconfigurethesettingsthatmanagedfirewallsrequiretooperateonthenetwork.

TemplatesenableyoutodefineacommonbaseconfigurationusingtheNetworkandDevicetabson

Panorama.Forexample,youcanusetemplatestomanageinterfaceandzoneconfigurations,serverprofiles

forloggingandSNMPaccess,andnetworkprofilesforcontrollingaccesstozonesandIKEgateways.When

yougroupfirewallstodefineTemplatesettings,considergroupingfirewallsthatarealikeinhardwaremodel,

andrequireaccesstosimilarnetworkresources,suchasgatewaysandsyslogservers.

Usingtemplates,youcanpushalimitedcommonbaseconfigurationtoagroupoffirewallsandthen

configuretherestofthesettingsmanuallyonthefirewall.Alternatively,youcanpushalargercommonbase

configurationandthenoverridethetemplatesettingsonthefirewalltoaccommodatefirewall‐specific

changes.Whenyouoverrideasettingonthefirewall,thesettingissavedtothelocalconfigurationofthe

firewallandisnolongermanagedbythePanoramatemplate.Youcan,however,usePanoramatoforcethe

templateconfigurationontothefirewallorrestorethetemplatesettingsonthefirewall.Forexample,you

candefineacommonNTPserverinthetemplate,butoverridetheNTPserverconfigurationonthefirewall

toaccommodateforthelocaltimezoneonthefirewall.Ifyouthendecidetorestorethetemplatesettings,

youcaneasilyundoorrevertthelocalchangesthatyouimplementedonthefirewall.

TemplatescannotbeusedtodefineanoperationalstatechangesuchasFIPSmodeortoenablemulti‐vsys

modeonthefirewalls.Formoreinformation,seeTemplateCapabilitiesandExceptions.

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•13

PanoramaOverview CentralizedConfigurationandDeploymentManagement

DeviceGroups

TousePanoramaeffectively,youmustgroupthefirewallsonyournetworkintologicalunitscalleddevice

groups.Adevicegroupallowsgroupingbasedonnetworksegmentation,geographiclocation,orbytheneed

toimplementsimilarpolicyconfigurations.Adevicegroupcanincludephysicalfirewalls,virtualfirewalls

and/oravirtualsystem.Bydefault,allmanageddevicesbelongtotheShareddevicegrouponPanorama.

DeviceGroupsenablecentralmanagementofpoliciesandobjectsusingthePoliciesandObjectstabson

Panorama.Objectsareconfigurationelementsthatarereferencedinpolicies.Someoftheobjectsthat

firewallpoliciesmakeuseofare:IPaddresses,URLcategories,securityprofiles,users,services,and

applications.

UsingDeviceGroupsyoucancreatesharedobjectsordevicegroup‐specificobjectsandthenusethese

objectstocreateahierarchyofrules(andrulebases)toenforcehowmanagedfirewallshandleinboundand

outboundtraffic.Forexample,acorporateacceptableusepolicycouldbedefinedasasetofsharedpolicies.

Then,toallowonlytheregionalofficestoaccesspeer‐to‐peertrafficsuchasBitTorrent,youcancreatea

securityruleasasharedpolicyandtargetittotheregionalofficesormakeitadevicegrouprulethatis

pushedtotheregionaloffices.SeeUseCase:ConfigureFirewallsUsingPanorama.

Policies

Objects

Policies

Devicegroupsprovideawaytoimplementalayeredapproachformanagingpoliciesacrossanetworkof

managedfirewalls.Thefollowingtableliststhepolicylayers,thefirewallstowhichthepoliciesapply,and

theplatformwhereyouadministerthepolicies:

Bothsharedpoliciesanddevicegroup‐specificpoliciesallowyoutocraftpre‐rulesandpost‐rulesto

centrallymanagealltherulebases:Security,NAT,QoS,PolicyBasedForwarding,Decryption,Application

Override,CaptivePortal,andDoSProtection.

Pre‐rules—RulesyouaddtothetopoftheruleorderandthatPAN‐OSevaluatesfirst.Youcanuse

pre‐rulestoenforcetheAcceptableUsePolicyforanorganization;forexample,toblockaccessto

specificURLcategories,ortoallowDNStrafficforallusers.Pre‐rulescanbesharedordevice

group‐specific.

Post‐rules—RulesthatPAN‐OSevaluatesafterthepre‐rulesandthelocalfirewallrules.Post‐rules

typicallyincluderulestodenyaccesstotrafficbasedontheApp‐ID,User‐ID,orService.Likepre‐rules,

postrulescanbesharedordevicegroup‐specific.

Policy Scope AdministrationPlatform

Shared Allthefirewallsinalldevicegroups. Panorama

Devicegroup‐specific Allthefirewallsassignedtoasingledevicegroup. Panorama

Local(firewall‐specific) Asinglefirewall.Firewall

Default(securityrules

only)

Bydefault,thedefaultrulesareshared(applytoallfirewallsin

alldevicegroups)andarepartofthepredefinedconfiguration.

However,ifyouedit(override)therules,theirscopechanges

tothelevelatwhichyouperformedtheedits:devicegroupor

local(firewall/virtualsystem).

PanoramaorFirewall

14•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

CentralizedConfigurationandDeploymentManagement PanoramaOverview

Thepre‐rulesandpost‐rulesthatPanoramapushesarevisibleonthemanagedfirewallsbutonlyeditablein

Panorama.ThelocalfirewalladministratororaPanoramaadministratorwhoswitchestoalocalfirewall

contextcaneditlocalfirewallrules.

DefaultpoliciesapplyonlytotheSecurityrulebase.Thedefaultruleinterzone‐defaultspecifiesthatthe

firewalldeniesallinterzone(betweenzones)trafficthatdoesn’tmatchanotherrule.Thedefaultrule

intrazone‐defaultspecifiesthatthefirewallallowsallintrazone(withinazone)trafficthatdoesn’tmatch

anotherrule.WhenyoupreviewrulesinPanorama,thedefaultrulesappearbelowallotherrules.Initially

thedefaultrulesareread‐only,eitherbecausetheyarepartofthepredefinedconfigurationsettingsor

becausePanoramapushedthemtodevices.However,youcanoverridethesettingsfortags,action(allow

ordeny),logging,andsecurityprofiles.Thedevicecontextdeterminesthelevelatwhichyoucanedit

(override)defaultrules:

OnPanorama,youcaneditdefaultrulesthatarepartofthepredefinedconfiguration.Youcaneditrules

inadevicegrouporsharedcontext.

Onthefirewall,youcaneditdefaultrulesthatarepartofthepredefinedconfiguration,orpushedfrom

aPanoramasharedordevicegroupcontext.Thedefaultrulescanbevirtualsystem(vsys)specific.

Theorderofprecedencefordefaultrulesrunsfromthelowestcontexttothehighest:settingseditedatthe

firewallleveloverridesettingsatthedevicegrouplevel,whichoverridesettingsatthesharedlevel.

Theevaluationorder(fromtop‐firsttobottom‐last)ofallrulesis:

Whentrafficmatchesapolicyrule,thedefinedactionistriggeredandthefirewalldisregardsallsubsequent

policies.Thisabilitytolayerpoliciescreatesahierarchyofruleswherelocalpoliciesarebetweenthepre‐

andpost‐rules,andareeditablebyswitchingtothelocalfirewallcontext,orbyaccessingthefirewalllocally.

Thefirewallwebinterfacevisuallydemarcatesthiscascadeofrulesforeachdevicegroup(andmanaged

firewall),andprovidestheabilitytoscanthroughalargenumbersofrules.

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•15

PanoramaOverview CentralizedConfigurationandDeploymentManagement

Fordetailsonrulemanagement,refertothePAN‐OSAdministrator’sGuide.

Objects

Objectsareconfigurationelementsthatarereferencedinpolicies.Someoftheobjectsthatfirewallpolicies

makeuseofare:IPaddresses,URLcategories,securityprofiles,users,services,andapplications.Because

objectscanbereusedacrosspolicies,creatingsharedobjectsordevicegroupobjectsreducesduplicationof

theseconfigurationelements.Forexample,creatingsharedaddressobjectsandaddressgroupsorshared

serviceobjectsandservicegroupsallowsyoutocreateoneinstanceoftheobjectandreferenceitinany

rulebasetomanagethefirewallsacrossmultipledevicegroups.Becausesharedobjectsaredefinedoncebut

usedmanytimes,theyreduceadministrativeoverhead,andmaintainconsistencyandaccuracyeverywhere

thesharedobjectisused.

Pre‐rules,post‐rulesandruleslocallydefinedonafirewallcanallusesharedobjectsanddevicegroup

objects.WhencreatinganobjectonPanorama,configurethebehaviorbasedonwhether:

Thedevicegroupobjecttakesprecedenceoverasharedobject,whenbothobjectshavethesamename.

Bydefault,theSharedObjectTakesPrecedenceoptionisdisabledonPanorama.Thisbehaviorensures

thatasharedobjectonlysupersedesadevicegroupobjectwiththesamenameifyouexplicitlywantthe

valueofasharedobjecttoprevail.Whenyouenabletheoptionforsharedobjectstotakeprecedence,

Panoramainformsyouofallthedevicegroupobjectsthatwillbeshadowed.However,ifadevicehasa

locallycreatedobjectwiththesamenameasasharedoradevicegroupobjectthatispushedfrom

Panorama,acommitfailurewilloccur.

AllsharedanddevicegroupobjectsthataredefinedonPanoramaarepushedtothemanageddevices.

Bydefault,allobjects—thosethatareandarenotreferencedinpolicies—arepushedtothemanaged

devices.

16•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

CentralizedLoggingandReporting PanoramaOverview

CentralizedLoggingandReporting

Panoramaaggregatesdatafromallmanagedfirewallsandprovidesvisibilityacrossallthetrafficonthe

network.Italsoprovidesanaudittrailforallpolicymodificationsandconfigurationchangesmadetothe

managedfirewalls.Inadditiontoaggregatinglogs,PanoramacanaggregateandforwardSNMPtraps,email

notifications,andsyslogmessagestoanexternaldestination.

TheApplicationCommandCenter(ACC)onPanoramaprovidesasinglepaneforunifiedreportingacrossall

thefirewalls;itallowsyoutocentrallyanalyze,investigate,andreportonnetworktrafficandsecurity

incidents.OnPanorama,youcanviewlogsandgeneratereportsfromlogsforwardedtoPanoramaortothe

managedLogCollectors,ifconfigured,oryoucanquerythemanagedfirewallsdirectly.Forexample,youcan

generatereportsabouttraffic,threat,and/oruseractivityinthemanagednetworkbasedonlogsstoredon

Panorama(andthemanagedLogCollectors)orbyaccessingthelogsstoredlocallyonthemanagedfirewalls.

IfyouchoosenottoconfigurethemanagedfirewallstoforwardlogstoPanorama,youcanschedulereports

toberunoneachmanagedfirewallandforwardtheresultstoPanoramaforacombinedviewofuseractivity

andnetworktraffic.Althoughthisviewdoesnotprovidegranulardrill‐downonspecificdataandactivities,

itstillprovidesaunifiedreportingapproach.

LoggingOptions

ManagedCollectorsandCollectorGroups

CaveatsforaCollectorGroupwithMultipleLogCollectors

CentralizedReporting

LoggingOptions

BoththePanoramavirtualapplianceandM‐100appliancecancollectlogsthatthemanagedfirewalls

forward.YoucanthenconfigurePanoramatoforwardtheseaggregatedlogstoexternalservices(Syslog

server,emailserver,orSNMPtrapserver).Theloggingoptionsvaryoneachplatform.

PanoramaPlatform LoggingOptions

Virtualappliance Offersthreeloggingoptions:

•Usetheapproximately11GBofinternalstoragespaceallocatedforloggingassoonas

youinstallthevirtualappliance.

•Addavirtualdiskthatcansupportupto2TBofstorage.

•MountaNetworkFileSystem(NFS)datastoreinwhichyoucanconfigurethestorage

capacitythatisallocatedforlogging.

M‐100appliance Thedefaultshippingconfigurationincludes1TBdisksinaRAIDpair,whichyoucan

increaseto4TBRAIDstorage(seeIncreaseStorageontheM‐100Appliance).Whenthe

M‐100applianceisinPanoramamode,youcanenabletheRAIDdisksandusethesedisks

asthedefaultLogCollector.IfyouhaveM‐100applianceisinLogCollectormode

(dedicatedLogCollectors),youusePanoramatoassignfirewallstothededicatedLog

Collectors.InadeploymentwithmultiplededicatedLogCollectors,Panoramaqueriesall

managedLogCollectorstogenerateanaggregatedviewoftrafficandcohesivereports.

Foreasyscaling,beginwithasinglePanoramaandincrementallyadddedicatedLog

Collectorsasyourneedsexpand.

PanoramaOverview CentralizedLoggingandReporting

ManagedCollectorsandCollectorGroups

ALogCollectorcanbelocaltoanM‐100applianceinPanoramamode(defaultLogCollector)orcanbean

M‐100applianceinLogCollectormode(dedicatedLogCollector).BecauseyouusePanoramatoconfigure

andmanageLogCollectors,theyarealsoknownasManagedCollectors.AnM‐100applianceinPanorama

modeoraPanoramavirtualappliancecanmanagededicatedLogCollectors.ToadministerdedicatedLog

CollectorsusingthePanoramawebinterface,youmustaddthemasManagedCollectors.Otherwise,

administrativeaccesstoadedicatedLogCollectorisonlyavailablethroughitsCLIusingthedefault

administrativeuser(admin)account.DedicatedLogCollectorsdonotsupportadditionaladministrativeuser

accounts.

ACollectorGroupis1to16managedcollectorsthatoperateasasinglelogicallogcollectionunit.Ifthe

groupcontainsdedicatedLogCollectors,thelogsareuniformlydistributedacrossallthedisksineachLog

CollectorandacrossallmembersintheCollectorGroup.Thisdistributionmaximizestheuseoftheavailable

storagespace.TomanageaLogCollector,youmustaddittoaCollectorGroup.PaloAltoNetworks

recommendsplacingonlyoneLogCollectorinaCollectorGroupunlessmorethan4TBofstoragespaceis

requiredinaCollectorGroup.Fordetails,seeCaveatsforaCollectorGroupwithMultipleLogCollectors.

TheCollectorGroupconfigurationspecifieswhichmanagedfirewallscansendlogstotheLogCollectorsin

thegroup.AfteryouconfiguretheLogCollectorsandenablethefirewallstoforwardlogs,eachfirewall

forwardsitslogstotheassignedLogCollector.

ManagedCollectorsandCollectorGroupsareintegraltoadistributedlogcollectiondeploymenton

Panorama.Adistributedlogcollectiondeploymentallowsforeasyscalabilityandincrementaladditionof

dedicatedLogCollectorsasyourloggingneedsgrow.TheM‐100applianceinPanoramamodecanlogtoits

defaultCollectorGroupandthenbeexpandedtoadistributedlogcollectiondeploymentwithoneormore

CollectorGroupsthatincludededicatedLogCollectors.

CaveatsforaCollectorGroupwithMultipleLogCollectors

AlthoughPaloAltoNetworksrecommendsplacingonlyoneLogCollectorinaCollectorGroup,ifyouhave

ascenariowhereyouneedmorethan4TBoflogstoragecapacityinaCollectorGroupfortherequiredlog

retentionperiod,youcanaddupto16LogCollectorstothegroup.Forexample,ifasinglemanagedfirewall

generates12TBoflogs,youwillrequireatleastthreeLogCollectorsintheCollectorGroupthatreceives

thoselogs.

IfaCollectorGroupcontainsmultipleLogCollectors,theavailablestoragespaceisusedasonelogicalunit

andthelogsareuniformlydistributedacrossalltheLogCollectorsintheCollectorGroup.Thelog

distributionisbasedonthediskcapacityoftheLogCollectors(whichrangesfrom1TBto4TB,depending

onthenumberofdiskpairs)andahashalgorithmthatdynamicallydecideswhichLogCollectorownsthe

logsandwritestodisk.AlthoughPanoramausesapreferencelisttoprioritizethelistofLogCollectorsto

whichamanagedfirewallcanforwardlogs,PanoramadoesnotnecessarilywritethelogstothefirstLog

Collectorspecifiedinthepreferencelist.Forexample,considerthefollowingpreferencelist:

IfyouusePanoramatomanagefirewallsrunningbothPAN‐OS5.0andaPAN‐OSversionearlier

than5.0,notethefollowingcompatibilityrequirements:

•OnlydevicesrunningPAN‐OSv5.0cansendlogstoadedicatedLogCollector.

•DevicesrunningPAN‐OSversionsearlierthan5.0canonlysendlogstoaPanoramavirtual

applianceortoanM‐100applianceinPanoramamode.

CentralizedLoggingandReporting PanoramaOverview

Usingthislist,FW1willforwardlogstoL1,itsprimaryLogCollector,butthehashalgorithmcoulddetermine

thatthelogswillbewrittenonL2.IfL2becomesinaccessibleorhasachassisfailure,FW1willnotknow

aboutitsfailurebecauseitisstillabletoconnecttoL1,itsprimaryLogCollector.

InthecasewhereaCollectorGrouphasonlyoneLogCollectorandtheLogCollectorfails,thefirewallstores

thelogstoitsHDD/SSD(theavailablestoragespacevariesbyhardwaremodel),andresumesforwarding

logstotheLogCollectorwhereitleftoffbeforethefailureoccurredassoonasconnectivityisrestored.

WithmultipleLogCollectorsinaCollectorGroup,thefirewalldoesnotbufferlogstoitslocalstoragewhen

itcanconnecttoitsPrimaryLogCollector.Therefore,FW1willcontinuesendinglogstoL1.BecauseL2is

unavailable,thePrimaryLogCollectorL1buffersthelogstoitsHDD,whichhas10GBoflogspace.IfL2

remainsunavailableandthelogspendingforL2exceed10GB,L1willoverwritetheolderlogentriesto

continuelogging.Insuchanevent,lossoflogsisarisk.Therefore,PaloAltoNetworksrecommendsthe

followingmitigationsifusingmultipleLogCollectorsinaCollectorGroup:

ObtainanOn‐Site‐Spare(OSS)toenablepromptreplacementifaLogCollectorfailureoccurs.

InadditiontoforwardinglogstoPanorama,enableforwardingtoanexternalserviceasbackupstorage.

TheexternalservicecanbeaSyslogserver,emailserver,orSimpleNetworkManagementProtocol

(SNMP)trapserver.Fordetails,seeEnableLogForwardingtoPanorama.

ManagedFirewall LogForwardingPreferenceListDefinedonaCollectorGroup

FW1 L1,L2,L3

FW2 L4,L5,L6

PanoramaOverview CentralizedLoggingandReporting

CentralizedReporting

Panoramaaggregateslogsfromallmanagedfirewallsandenablesreportingontheaggregateddatafora

globalviewofapplicationuse,useractivity,andtrafficpatternsacrosstheentirenetworkinfrastructure.As

soonasthefirewallsareaddedtoPanorama,theACCcandisplayalltraffictraversingyournetwork.With

loggingenabled,clickingintoalogentryintheACCprovidesdirectaccesstogranulardetailsaboutthe

application.

Forgeneratingreports,Panoramausestwosources:thelocalPanoramadatabaseandtheremotefirewalls

thatitmanages.ThePanoramadatabasereferstothelocalstorageonPanoramathatisallocatedforstoring

bothsummarizedlogsandsomedetailedlogs.IfyouhaveaDistributedLogCollectiondeployment,the

PanoramadatabaseincludesthelocalstorageonPanoramaandallthemanagedLogCollectors.Panorama

summarizestheinformation—traffic,application,threat—collectedfromallmanagedfirewallsat15‐minute

intervals.UsingthelocalPanoramadatabaseallowsforfasterresponsetimes,however,ifyouprefertonot

forwardlogstoPanorama,Panoramacandirectlyaccesstheremotefirewallandrunreportsondatathatis

storedlocallyonthemanagedfirewalls.

Panoramaoffersmorethan40predefinedreportsthatcanbeusedasis,ortheycanbecustomizedby

combiningelementsofotherreportstogeneratecustomreportsandreportgroupsthatcanbesaved.

Reportscanbegeneratedondemand,onarecurringschedule,andcanbescheduledforemaildelivery.

Thesereportsprovideinformationontheuserandthecontextsothatyoucorrelateeventsandidentify

patterns,trends,andpotentialareasofinterest.Withtheintegratedapproachtologgingandreporting,the

ACCenablescorrelationofentriesfrommultiplelogsrelatingtothesameevent.

PanoramaCommitOperations PanoramaOverview

PanoramaCommitOperations

WheneditingtheconfigurationonPanorama,youarechangingthecandidateconfigurationfile.The

candidateconfigurationisacopyoftherunningconfigurationalongwithanychangesyoumadesincethe

lastcommit.ThePanoramawebinterfacedisplaysalltheconfigurationchangesimmediately.However,

Panoramawon’timplementthechangesuntilyoucommitthem.Thecommitprocessvalidatesthechanges

inthecandidateconfigurationfileandsavesitastherunningconfigurationonPanorama.

WheninitiatingacommitonPanorama,selectoneofthefollowingtypes:

Whenyouperformacommit,Panoramapushestheentireconfigurationtothemanagedfirewalls.Whenthe

commitcompletes,aresultdisplays:Commit succeededorCommit succeeded with warnings.

Someothercommitchoicesare:

Preview Changes—ThisoptionisavailablewhentheCommit TypeisPanorama.Itenablesyoutocompare

thecandidateconfigurationwiththerunningconfigurationinthesamewayasthePanorama > Config Audit

feature(seeCompareChangesinPanoramaConfigurations).AfterclickingPreview Changes,selectthe

numberoflinestoincludeforcontext,andclickOK.Asabestpractice,previewyourconfiguration

changesbeforecommittingthem.

Include Device and Network Templates—Thisoptionisavailablewhencommittingadevicegroupfrom

Panorama.Itallowsyoutocommitbothdevicegroupandtemplatechanges,tothepertinentfirewalls,in

asinglecommitoperation.

Ifyouprefertocommityourchangesasseparatecommitoperations,donotselectthischeckbox.

AfteranysystemeventoradministratoractioncausesPanoramatoreboot,allyourchangessince

thelastcommitwillbelost.Topreservechangeswithoutcommittingthem,periodicallyclick

Saveatthetoprightofthewebinterfacetosaveasnapshotofthecandidateconfiguration.Ifa

rebootoccurs,youcanthenreverttothesnapshot.Fordetailsonbackingupandrestoring

runningandcandidateconfigurations,seeManagePanoramaConfigurationBackups.

CommitOptions Description

Panorama Commitsthechangesonthecurrentcandidateconfigurationtotherunning

configurationonPanorama.YoumustfirstcommityourchangesonPanorama,before

committinganyconfigurationupdates(templatesordevicegroups)tothemanaged

firewallsorCollectorGroups.

Template CommitsnetworkanddeviceconfigurationsfromaPanoramatemplatetotheselected

firewalls.

Device Group CommitspoliciesandobjectsconfiguredfromPanoramatotheselectedfirewalls/virtual

systems.

Collector Group CommitschangestothespecifiedCollectorGroupsthatPanoramamanages.

Becausethepreviewresultsdisplayinanewwindow,yourbrowsermustallowpop‐upwindows.

Ifthepreviewwindowdoesnotopen,refertoyourbrowserdocumentationforthestepsto

unblockpop‐upwindows.

Table of contents

Other PaloAlto Networks Server manuals

PaloAlto Networks

PaloAlto Networks M-100 Operating and maintenance manual

PaloAlto Networks

PaloAlto Networks PA-7000 Series Application guide

Popular Server manuals by other brands

Hitachi

Hitachi Compute Blade 2500 Getting started guide

Siemens

Siemens SIMATIC NET SINEMA operating instructions

SSS Siedle

SSS Siedle AS 670-0 S Product information

Dell

Dell PowerEdge 1600SC Service manual

NEC

NEC NEC Express5800 Series Maintenance Guide

ASROCK

ASROCK E3C256D4ID2 user manual

Fujitsu

Fujitsu PRIMERGY BX960 S1 operating manual

Supermicro

Supermicro SUPERSERVER 6013A-T Hardware specifications

Digital Equipment

Digital Equipment DEC 10000 Service manual

Supermicro

Supermicro SUPERSERVER 6028TP-HC1R user manual

ANTAIRA

ANTAIRA STW-611C installation guide

Correlate

Correlate SmartSERVER installation guide

netAlly

netAlly Test Accessory user guide

Dell

Dell PowerEdge R300 datasheet

Lantronix

Lantronix EDS3000PR quick start guide

Supero

Supero Supero SUPERSERVER 5015A-EHF-D525 user manual

Lenovo

Lenovo ThinkServer TD200 Getting started guide

Dell

Dell POWEREDGE R515 Getting started guide

PaloAlto Networks Panorama 6.1 Service manual

Popular Server manuals by other brands