Paloalto networks Panorama 6.1 Service manual

Table of contents

Other PaloAlto Networks Server manuals

PaloAlto Networks

PaloAlto Networks M-100 Operating and maintenance manual

PaloAlto Networks

PaloAlto Networks PA-7000 Series Application guide

Popular Server manuals by other brands

HP Tc2120 - Server - 256 MB RAM installation guide

Lenovo

Lenovo ThinkServer RD230 manual

Avocent

Avocent CPS810 Installer/user guide

Dell

Dell PowerEdge R6615 Installation and service manual

FreeWave

FreeWave HT2+ installation guide

GIGA-BYTE TECHNOLOGY

GIGA-BYTE TECHNOLOGY G492-Z50 user manual

Lanner

Lanner HTCA-E400 user manual

Bull

Bull NovaScale T840 E2 user guide

Asus

Asus RS740-E70RS24-EG Configuration guide

Meinberg

Meinberg LANTIME M300/TCR manual 

HP ProLiant SL335s G7 Maintenance and service guide

ZyXEL Communications

ZyXEL Communications VANTAGE RADIUS 50 user guide

Lantronix

Lantronix xDirect-IAP quick start guide

Fujitsu

Fujitsu PRIMEQUEST 2400E3 General description

IBM

IBM 9040-MR9 manual

IBM

IBM 306m - eServer xSeries - 8849 user guide

green hippo

green hippo Hippotizer Nevis+ quick start guide

IBM

IBM 8203-E4A Brochure & specs

Panorama™

Administrator’s

Guide

Version6.1

2•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

ContactInformation

CorporateHeadquarters:

PaloAltoNetworks

4401GreatAmericaParkway

SantaClara,CA95054

www.paloaltonetworks.com/company/contact‐support

AboutthisGuide

ThisguidedescribeshowtosetupandusePanorama™forcentralizedmanagement;itisintendedforadministrators

whowantthebasicframeworktoquicklysetupthePanoramavirtualapplianceortheM‐100appliancefor

centralizedadministrationofPaloAltoNetworksfirewalls.

IfyouhaveanM‐100appliance,thisguidetakesoverafteryoufinishrackmountingyourM‐100appliance.

Formoreinformation,refertothefollowingsources:

ForinformationonhowtoconfigureothercomponentsinthePaloAltoNetworksNext‐GenerationSecurity

Platform,gototheTechnicalDocumentationportal:https://www.paloaltonetworks.com/documentationor

searchthedocumentation.

Foraccesstotheknowledgebase,completedocumentationset,discussionforums,andvideos,referto

https://live.paloaltonetworks.com.

Forcontactingsupport,forinformationonsupportprograms,tomanageyouraccountordevices,ortoopena

supportcase,refertohttps://www.paloaltonetworks.com/support/tabs/overview.html.

ForthemostcurrentPAN‐OSandPanorama6.1releasenotes,goto

https://www.paloaltonetworks.com/documentation/61/pan‐os/pan‐os‐release‐notes.html.

Toprovidefeedbackonthedocumentation,pleasewritetousat:[email protected].

PaloAltoNetworks,Inc.

www.paloaltonetworks.com

©2014–2017PaloAltoNetworks,Inc.PaloAltoNetworksisaregisteredtrademarkofPaloAltoNetworks.Alistofourtrademarkscanbe

foundat

https://www.paloaltonetworks.com/company/trademarks.html

.Allothermarksmentionedhereinmaybetrademarksof

theirrespectivecompanies.

RevisionDate:June27,2017

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•3

TableofContents

PanoramaOverview...................................................9

AboutPanorama..................................................................10

PanoramaPlatforms...............................................................11

CentralizedConfigurationandDeploymentManagement...............................12

ContextSwitch—FirewallorPanorama ...........................................12

Templates ....................................................................12

DeviceGroups ................................................................13

CentralizedLoggingandReporting ..................................................16

LoggingOptions ...............................................................16

ManagedCollectorsandCollectorGroups........................................17

CaveatsforaCollectorGroupwithMultipleLogCollectors .........................17

CentralizedReporting..........................................................19

PanoramaCommitOperations......................................................20

Role‐BasedAccessControl.........................................................22

AdministrativeRoles...........................................................22

AuthenticationProfilesandSequences...........................................23

AccessDomains ...............................................................24

AdministrativeAuthentication ...................................................24

PanoramaRecommendedDeployments ..............................................25

PanoramaforCentralizedManagementandReporting .............................25

PanoramainaDistributedLogCollectionDeployment .............................26

PlanYourDeployment .............................................................27

DeployPanorama:TaskOverview ...................................................29

SetUpPanorama....................................................31

DeterminePanoramaLogStorageRequirements......................................32

SetUpthePanoramaVirtualAppliance ..............................................34

SetupPrerequisitesforthePanoramaVirtualAppliance ............................34

InstallPanoramaontheESX(i)Server.............................................35

PerformInitialConfigurationofthePanoramaVirtualAppliance .....................36

ExpandLogStorageCapacityonthePanoramaVirtualAppliance ....................38

IncreaseCPUsandMemoryonthePanoramaVirtualAppliance.....................40

CompletethePanoramaVirtualApplianceSetup ..................................41

SetUptheM‐100Appliance........................................................42

PerformInitialConfigurationoftheM‐100Appliance..............................43

SetuptheM‐100ApplianceasaLogCollector ....................................46

IncreaseStorageontheM‐100Appliance ........................................50

MigratefromaPanoramaVirtualAppliancetoanM‐100Appliance......................52

PrerequisitesforMigratingtoanM‐100Appliance.................................52

PlantoMigratetoanM‐100Appliance...........................................52

MigratetoanM‐100Appliance .................................................53

ResumeFirewallManagementafterMigratingtoanM‐100Appliance................54

4•Panorama6.1Administrator’sGuide ©PaloAltoNetworks,Inc.

TableofContents

RegisterPanoramaandInstallLicenses...............................................56

RegisterPanorama.............................................................56

ActivateaPanoramaSupportLicense.............................................57

Activate/RetrieveaDeviceManagementLicenseonthePanoramaVirtualAppliance ...57

Activate/RetrieveaDeviceManagementLicenseontheM‐100Appliance ............58

InstallContentandSoftwareUpdatesforPanorama ...................................60

Panorama,LogCollector,andFirewallVersionCompatibility ........................60

InstallUpdatesforPanoramainanHAConfiguration ...............................61

InstallUpdatesforPanoramawithanInternetConnection ..........................62

InstallUpdatesforPanoramawithoutanInternetConnection .......................66

AccessandNavigatePanoramaManagementInterfaces ................................70

LogintothePanoramaWebInterface ............................................70

NavigatethePanoramaWebInterface............................................70

LogintothePanoramaCLI......................................................71

SetUpAdministrativeAccesstoPanorama ...........................................73

CreateanAdministrativeAccount ................................................73

DefineanAccessDomain .......................................................75

CreateanAuthenticationProfile.................................................75

DefineanAuthenticationSequence..............................................76

ConfigureAdministrativeAuthentication..........................................77

ManageFirewalls ....................................................83

AddaFirewallasaManagedDevice .................................................84

ManageDeviceGroups.............................................................85

AddaDeviceGroup ............................................................85

CreateObjectsforUseinSharedorDeviceGroupPolicy ...........................86

ManageSharedObjects.........................................................87

SelectaURLFilteringVendoronPanorama .......................................88

PushaPolicytoaSubsetofFirewalls .............................................89

ManagetheRuleHierarchy .....................................................90

ManageTemplates.................................................................93

TemplateCapabilitiesandExceptions.............................................93

AddaTemplate ................................................................94

OverrideaTemplateSetting.....................................................96

Disable/RemoveTemplateSettings ..............................................97

TransitionaFirewalltoPanoramaManagement .......................................98

UseCase:ConfigureFirewallsUsingPanorama ........................................99

DeviceGroups.................................................................99

Templates....................................................................100

SetUpYourCentralizedConfigurationandPolicies ...............................101

ManageLogCollection .............................................107

EnableLogForwardingtoPanorama................................................108

LogForwardingtoPanorama:WorkflowsbyLogType.............................108

ConfigureLogForwardingtoPanorama..........................................109

ConfigureaManagedCollector.....................................................113

©PaloAltoNetworks,Inc. Panorama6.1Administrator’sGuide•5

TableofContents

ManageCollectorGroups ......................................................... 117

ConfigureaCollectorGroup ................................................... 117

MoveaLogCollectortoaDifferentCollectorGroup .............................. 120

RemoveaFirewallfromaCollectorGroup....................................... 121

VerifyLogForwardingtoPanorama ................................................ 122

ModifyLogForwardingandBufferingDefaults....................................... 123

EnableLogForwardingfromPanoramatoExternalDestinations ....................... 125

LogCollectionDeployments ....................................................... 128

PlanaLogCollectionDeployment .............................................. 128

DeployPanoramawithDedicatedLogCollectors................................. 131

DeployPanoramawithDefaultLogCollectors.................................... 137

DeployPanoramaVirtualApplianceswithLocalLogCollection ..................... 144

ManageLicensesandUpdates........................................147

ManageLicensesonFirewallsUsingPanorama....................................... 148

DeployUpdatestoDevicesUsingPanorama ......................................... 149

SupportedUpdatesbyDeviceType ............................................. 149

ScheduleContentUpdatestoDevicesUsingPanorama............................ 149

DeployUpdatestoDeviceswhenPanoramaHasanInternetConnection ............ 151

DeployUpdatestoDeviceswhenPanoramaHasNoInternetConnection ........... 154

MonitorNetworkActivity............................................159

UsePanoramaforVisibility........................................................ 160

MonitortheNetworkwiththeACCandAppScope ............................... 160

AnalyzeLogData ............................................................. 162

Generate,Schedule,andEmailReports.......................................... 162

UseCase:MonitorApplicationsUsingPanorama..................................... 166

UseCase:RespondtoanIncidentUsingPanorama................................... 170

IncidentNotification.......................................................... 170

ReviewThreatLogs ........................................................... 171

ReviewWildFireLogs......................................................... 172

ReviewDataFilteringLogs..................................................... 173

UpdateSecurityPolicies ....................................................... 173

PanoramaHighAvailability...........................................175

PanoramaHAPrerequisites........................................................ 176

PriorityandFailoveronPanoramainHA ............................................ 177

FailoverTriggers ................................................................. 179

HAHeartbeatPollingandHelloMessages....................................... 179

HAPathMonitoring........................................................... 179

LoggingConsiderationsinPanoramaHA ............................................ 181

LoggingFailoveronaPanoramaVirtualAppliance ................................ 181

LoggingFailoveronanM‐100Appliance ........................................ 181

SynchronizationBetweenPanoramaHAPeers ....................................... 183

TableofContents

ManageaPanoramaHAPair .......................................................184

SetUpHAonPanorama.......................................................184

TestPanoramaHAFailover ....................................................186

SwitchPriorityafterPanoramaFailovertoResumeNFSLogging ....................186

RestorethePrimaryPanoramatotheActiveState ................................187

AdministerPanorama...............................................189

ManageConfigurationBackups.....................................................190

ScheduleExportofConfigurationFiles...........................................190

ManagePanoramaConfigurationBackups .......................................191

ConfiguretheNumberofConfigurationBackupsPanoramaStores ..................192

LoadaConfigurationBackuponaManagedFirewall ..............................192

CompareChangesinPanoramaConfigurations .......................................194

RestrictAccesstoConfigurationChanges............................................195

TypesofLocks................................................................195

LocationsforTakingaLock ....................................................195

TakeaLock ..................................................................196

ViewLockHolders............................................................196

EnableAutomaticAcquisitionoftheCommitLock ................................196

RemoveaLock ...............................................................197

AddCustomLogostoPanorama ....................................................198

ViewPanoramaTaskCompletionHistory ............................................199

ReallocateLogStorageQuota ......................................................200

MonitorPanorama ................................................................202

PanoramaSystemandConfigurationLogs........................................202

SetUpEmailAlertsforPanorama...............................................203

SetUpSNMPtoMonitorPanorama .............................................204

RebootorShutDownPanorama....................................................208

GenerateDiagnosticFilesforPanorama.............................................209

ConfigurePanoramaPasswordProfilesandComplexity ...............................210

ReplaceaFailedDiskonanM‐100Appliance........................................212

ReplacetheVirtualDiskonaPanoramaVirtualAppliance .............................213

Troubleshooting ...................................................215

TroubleshootPanoramaSystemIssues..............................................216

DiagnosePanoramaSuspendedState............................................216

MonitortheFileSystemIntegrityCheck.........................................216

ManagePanoramaStorageforSoftwareandContentUpdates .....................216

RecoverfromSplitBraininPanoramaHADeployments............................217

TroubleshootLogStorageandConnectionIssues .....................................219

WhatPortsareUsedbyPanorama?.............................................219

ResolveZeroLogStorageforaCollectorGroup...................................220

RecoverLogsafterFailure/RMAofM‐100ApplianceinLogCollectorMode .........220

RecoverLogsafterFailure/RMAofM‐100ApplianceinPanoramaMode ............224

RecoverLogsafterPanoramaFailure/RMAinNon‐HADeployments ................229

RegenerateMetadataforM‐100ApplianceRAIDPairs............................231

TableofContents

ReplaceanRMAFirewall .......................................................... 233

PartialDeviceStateGenerationforFirewalls ..................................... 233

BeforeStartingRMAFirewallReplacement...................................... 233

RestoretheFirewallConfigurationafterReplacement ............................. 235

DiagnoseTemplateCommitFailures ................................................ 238

ViewTaskSuccessorFailureStatus ................................................ 239

TableofContents

PanoramaOverview

PanoramaprovidescentralizedmanagementandvisibilityofmultiplePaloAltoNetworksnext‐generation

firewalls.Itallowsyoutooverseeallapplications,users,andcontenttraversingthenetworkfromone

location,andthenusethisknowledgetocreateapplicationenablementpoliciesthatprotectandcontrolthe

entirenetwork.UsingPanoramaforcentralizedpolicyanddevicemanagementincreasesoperational

efficiencyinmanagingandmaintainingadistributednetworkoffirewalls.

ThefollowingsectionsdescribePanoramaandprovideguidelinesforplanningyourPanoramadeployment:

AboutPanorama

PanoramaPlatforms

CentralizedConfigurationandDeploymentManagement

CentralizedLoggingandReporting

PanoramaCommitOperations

Role‐BasedAccessControl

PanoramaRecommendedDeployments

PlanYourDeployment

DeployPanorama:TaskOverview

AboutPanorama PanoramaOverview

AboutPanorama

PanoramaprovidescentralizedmanagementofthePaloAltoNetworksnext‐generationfirewalls,asthe

followingfigureillustrates:



Panoramaallowsyoutoeffectivelyconfigure,manage,andmonitoryourPaloAltoNetworksfirewallsusing

centraloversightwithlocalcontrol,asrequired.ThethreefocalareasinwhichPanoramaaddsvalueare:

Centralizedconfigurationanddeployment—Tosimplifycentralmanagementandrapiddeploymentof

thefirewallsonyournetwork,usePanoramatopre‐stagethefirewallsfordeployment.Youcanthen

assemblethefirewallsintogroups,andcreatetemplatestoapplyabasenetworkanddevice

configurationandusedevicegroupstoadministergloballysharedandlocalpolicies.SeeCentralized

ConfigurationandDeploymentManagement.

Aggregatedloggingwithcentraloversightforanalysisandreporting—Collectinformationonactivity

acrossallthemanagedfirewallsonthenetworkandcentrallyanalyze,investigateandreportonthedata.

Thiscomprehensiveviewofnetworktraffic,useractivity,andtheassociatedrisksempowersyouto

respondtopotentialthreatsusingtherichsetofpoliciestosecurelyenableapplicationsonyournetwork.

SeeCentralizedLoggingandReporting.

Distributedadministration—Allowsyoutodelegateorrestrictaccesstoglobalandlocalfirewall

configurationsandpolicies.SeeRole‐BasedAccessControlfordelegatingappropriatelevelsofaccessfor

distributedadministration.

Panoramaisavailableintwoplatforms:asavirtualapplianceandasadedicatedhardwareappliance.For

moreinformation,seePanoramaPlatforms.

PaloAlto Networks Panorama 6.1 Service manual

Popular Server manuals by other brands