
Panorama Administrator's Guide

Version 10.1

docs.paloaltonetworks.com
Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html

About the Documentaon


• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documenta[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2021–2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
February 22, 2022

Panorama Administrator's Guide Version 10.1 ©2022 Palo Alto Networks, Inc.
Table of Contents

Panorama Overview .......................................................... 11
  About Panorama ............................................................ 12
  Panorama Models ........................................................... 14
  Centralized Firewall Configuration and Update Management .................. 17
    Context Switch—Firewall or Panorama ..................................... 17
    Total Configuration Size for Panorama ................................... 18
    Templates and Template Stacks ........................................... 18
    Device Groups ........................................................... 20
  Centralized Logging and Reporting ......................................... 26
    Managed Collectors and Collector Groups ................................. 26
    Local and Distributed Log Collection .................................... 27
    Caveats for a Collector Group with Multiple Log Collectors .............. 28
    Log Forwarding Options .................................................. 30
    Centralized Reporting ................................................... 31
  Data Redistribution Using Panorama ........................................ 33
  Role-Based Access Control ................................................. 34
    Administrative Roles .................................................... 34
    Authentication Profiles and Sequences ................................... 36
    Access Domains .......................................................... 36
    Administrative Authentication ........................................... 37
  Panorama Commit, Validation, and Preview Operations ....................... 39
  Plan Your Panorama Deployment ............................................. 40
  Deploy Panorama: Task Overview ............................................ 42

Set Up Panorama ............................................................. 43
  Determine Panorama Log Storage Requirements ............................... 44
  Manage Large-Scale Firewall Deployments ................................... 46
    Determine the Optimal Large-Scale Firewall Deployment Solution .......... 46
    Increased Device Management Capacity for M-600 and Panorama Virtual Appliance ... 46
  Set Up the Panorama Virtual Appliance ..................................... 50
    Setup Prerequisites for the Panorama Virtual Appliance .................. 50
    Install the Panorama Virtual Appliance .................................. 54
    Perform Initial Configuration of the Panorama Virtual Appliance ........ 114
    Set Up The Panorama Virtual Appliance as a Log Collector ............... 118
    Set Up the Panorama Virtual Appliance with Local Log Collector ......... 125
    Set up a Panorama Virtual Appliance in Panorama Mode ................... 130
    Set up a Panorama Virtual Appliance in Management Only Mode ............ 131
    Expand Log Storage Capacity on the Panorama Virtual Appliance .......... 132
    Increase CPUs and Memory on the Panorama Virtual Appliance ............. 160
    Increase the System Disk on the Panorama Virtual Appliance ............. 167
    Complete the Panorama Virtual Appliance Setup .......................... 173
    Convert Your Panorama Virtual Appliance ................................ 173
  Set Up the M-Series Appliance ............................................ 185
    M-Series Appliance Interfaces .......................................... 185
    Perform Initial Configuration of the M-Series Appliance ................ 187
    M-Series Setup Overview ................................................ 192
    Set Up the M-Series Appliance as a Log Collector ....................... 194
    Increase Storage on the M-Series Appliance ............................. 203
    Configure Panorama to Use Multiple Interfaces .......................... 209
  Register Panorama and Install Licenses ................................... 217
    Register Panorama ...................................................... 217
    Activate a Panorama Support License .................................... 219
    Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected ... 220
    Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected ... 221
    Activate/Retrieve a Firewall Management License on the M-Series Appliance ... 223
  Install the Panorama Device Certificate .................................. 226
  Transition to a Different Panorama Model ................................. 228
    Migrate from a Panorama Virtual Appliance to an M-Series Appliance ..... 228
    Migrate a Panorama Virtual Appliance to a Different Hypervisor ......... 231
    Migrate from an M-Series Appliance to a Panorama Virtual Appliance ..... 236
    Migrate from an M-100 Appliance to an M-500 Appliance .................. 243
  Access and Navigate Panorama Management Interfaces ....................... 247
    Log in to the Panorama Web Interface ................................... 247
    Navigate the Panorama Web Interface .................................... 247
    Log in to the Panorama CLI ............................................. 248
  Set Up Administrative Access to Panorama ................................. 250
    Configure an Admin Role Profile ........................................ 250
    Configure an Access Domain ............................................. 251
    Configure Administrative Accounts and Authentication ................... 251
    Configure Tracking of Administrator Activity ........................... 265
  Set Up Authentication Using Custom Certificates .......................... 268
    How Are SSL/TLS Connections Mutually Authenticated? .................... 268
    Configure Authentication Using Custom Certificates on Panorama ......... 269
    Configure Authentication Using Custom Certificates on Managed Devices .. 271
    Add New Client Devices ................................................. 273
    Change Certificates .................................................... 273

Manage Firewalls ........................................................... 277
  Add a Firewall as a Managed Device ....................................... 278
  Install the Device Certificate for Managed Firewalls ..................... 286
    Install the Device Certificate for a Managed Firewall .................. 286
    Install the Device Certificate for Multiple Managed Firewalls .......... 288
  Set Up Zero Touch Provisioning ........................................... 292
    ZTP Overview ........................................................... 292
    Install the ZTP Plugin ................................................. 294
    Configure the ZTP Installer Administrator Account ...................... 302
    Add ZTP Firewalls to Panorama .......................................... 303
    Use the CLI for ZTP Tasks .............................................. 307
    Uninstall the ZTP Plugin ............................................... 310
  Manage Device Groups ..................................................... 311
    Add a Device Group ..................................................... 311
    Create a Device Group Hierarchy ........................................ 312
    Create Objects for Use in Shared or Device Group Policy ................ 314
    Revert to Inherited Object Values ...................................... 315
    Manage Unused Shared Objects ........................................... 316
    Manage Precedence of Inherited Objects ................................. 316
    Move or Clone a Policy Rule or Object to a Different Device Group ...... 317
    Select a URL Filtering Vendor on Panorama .............................. 318
    Push a Policy Rule to a Subset of Firewalls ............................ 323
    Device Group Push to a Multi-VSYS Firewall ............................. 326
    Manage the Rule Hierarchy .............................................. 326
  Manage Templates and Template Stacks ..................................... 329
    Template Capabilities and Exceptions ................................... 329
    Add a Template ......................................................... 329
    Configure a Template Stack ............................................. 332
    Configure a Template or Template Stack Variable ........................ 336
    Import and Overwrite Existing Template Stack Variables ................. 339
    Override a Template or Template Stack Value ............................ 341
    Disable/Remove Template Settings ....................................... 343
  Manage the Master Key from Panorama ...................................... 345
  Schedule a Configuration Push to Managed Firewalls ....................... 352
  Redistribute Data to Managed Firewalls ................................... 355
  Transition a Firewall to Panorama Management ............................. 358
    Plan the Transition to Panorama Management ............................. 358
    Migrate a Firewall to Panorama Management .............................. 359
    Migrate a Firewall HA Pair to Panorama Management ...................... 363
    Load a Partial Firewall Configuration into Panorama .................... 368
    Localize a Panorama Pushed Configuration on a Managed Firewall ......... 371
  Device Monitoring on Panorama ............................................ 373
    Monitor Device Health .................................................. 373
    Monitor Policy Rule Usage .............................................. 375
  Use Case: Configure Firewalls Using Panorama ............................. 381
    Device Groups in this Use Case ......................................... 381
    Templates in this Use Case ............................................. 382
    Set Up Your Centralized Configuration and Policies ..................... 383

Manage Log Collection ...................................................... 391
  Configure a Managed Collector ............................................ 392
  Configure Authentication for a Dedicated Log Collector ................... 399
    Configure an Administrative Account for a Dedicated Log Collector ...... 399
    Configure RADIUS Authentication for a Dedicated Log Collector .......... 401
    Configure TACACS+ Authentication for a Dedicated Log Collector ......... 405
    Configure LDAP Authentication for a Dedicated Log Collector ............ 408
  Manage Collector Groups .................................................. 413
    Configure a Collector Group ............................................ 413
    Configure Authentication with Custom Certificates Between Log Collectors ... 416
    Move a Log Collector to a Different Collector Group .................... 418
    Remove a Firewall from a Collector Group ............................... 419
  Configure Log Forwarding to Panorama ..................................... 421
  Configure Syslog Forwarding to External Destinations ..................... 426
  Forward Logs to Cortex Data Lake ......................................... 430
  Verify Log Forwarding to Panorama ........................................ 431
  Modify Log Forwarding and Buffering Defaults ............................. 433
  Configure Log Forwarding from Panorama to External Destinations .......... 435
  Log Collection Deployments ............................................... 438
    Deploy Panorama with Dedicated Log Collectors .......................... 438
    Deploy Panorama M-Series Appliances with Local Log Collectors .......... 445
    Deploy Panorama Virtual Appliances with Local Log Collectors ........... 451
    Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection ... 456

Manage WildFire Appliances ................................................. 459
  Add Standalone WildFire Appliances to Manage with Panorama ............... 460
  Configure Basic WildFire Appliance Settings on Panorama .................. 465
    Configure Authentication for a WildFire Appliance ...................... 465
  Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters ... 479
    Configure a Custom Certificate for a Panorama Managed WildFire Appliance ... 479
    Configure Authentication with a Single Custom Certificate for a WildFire Cluster ... 481
    Apply Custom Certificates on a WildFire Appliance Configured through Panorama ... 483
  Remove a WildFire Appliance from Panorama Management ..................... 486
  Manage WildFire Clusters ................................................. 487
    Configure a Cluster Centrally on Panorama .............................. 487
    View WildFire Cluster Status Using Panorama ............................ 511

Manage Licenses and Updates ................................................ 513
  Manage Licenses on Firewalls Using Panorama .............................. 514

Monitor Network Activity ................................................... 517
  Use Panorama for Visibility .............................................. 518
    Monitor the Network with the ACC and AppScope .......................... 518
    Analyze Log Data ....................................................... 520
    Generate, Schedule, and Email Reports .................................. 521
    Configure Key Limits for Scheduled Reports ............................. 524
  Ingest Traps ESM Logs on Panorama ........................................ 527
  Use Case: Monitor Applications Using Panorama ............................ 529
  Use Case: Respond to an Incident Using Panorama .......................... 532
    Incident Notification .................................................. 532
    Review the Widgets in the ACC .......................................... 533
    Review Threat Logs ..................................................... 533
    Review WildFire Logs ................................................... 534
    Review Data Filtering Logs ............................................. 534
    Update Security Rules .................................................. 535

Panorama High Availability ................................................. 537
  Panorama HA Prerequisites ................................................ 538
  Priority and Failover on Panorama in HA .................................. 540
  Failover Triggers ........................................................ 541
    HA Heartbeat Polling and Hello Messages ................................ 541
    HA Path Monitoring ..................................................... 541
  Logging Considerations in Panorama HA .................................... 543
    Logging Failover on a Panorama Virtual Appliance in Legacy Mode ........ 543
    Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode ... 544
  Synchronization Between Panorama HA Peers ................................ 545
  Manage a Panorama HA Pair ................................................ 546
    Set Up HA on Panorama .................................................. 546
    Set Up Authentication Using Custom Certificates Between HA Peers ....... 549
    Test Panorama HA Failover .............................................. 551
    Switch Priority after Panorama Failover to Resume NFS Logging .......... 551
    Restore the Primary Panorama to the Active State ....................... 552

Administer Panorama ........................................................ 553
  Preview, Validate, or Commit Configuration Changes ....................... 554
  Enable Automated Commit Recovery ......................................... 557
  Manage Panorama and Firewall Configuration Backups ....................... 559
    Schedule Export of Configuration Files ................................. 559
    Save and Export Panorama and Firewall Configurations ................... 560
    Revert Panorama Configuration Changes .................................. 563
    Configure the Maximum Number of Configuration Backups on Panorama ...... 566
    Load a Configuration Backup on a Managed Firewall ...................... 567
  Compare Changes in Panorama Configurations ............................... 568
  Manage Locks for Restricting Configuration Changes ....................... 569
  Add Custom Logos to Panorama ............................................. 571
  Use the Panorama Task Manager ............................................ 572
  Manage Storage Quotas and Expiration Periods for Logs and Reports ........ 573
    Log and Report Storage ................................................. 573
    Log and Report Expiration Periods ...................................... 574
    Configure Storage Quotas and Expiration Periods for Logs and Reports ... 574
    Configure the Run Time for Panorama Reports ............................ 577
  Monitor Panorama ......................................................... 578
    Panorama System and Configuration Logs ................................. 578
    Monitor Panorama and Log Collector Statistics Using SNMP ............... 579
  Reboot or Shut Down Panorama ............................................. 582
  Configure Panorama Password Profiles and Complexity ...................... 583

Panorama Plugins ........................................................... 585
  About Panorama Plugins ................................................... 586
    Install Panorama Plugins ............................................... 588
  VM-Series Plugin and Panorama Plugins .................................... 590
    Install the VM-Series Plugin on Panorama ............................... 590

Troubleshooting ............................................................ 593
  Troubleshoot Panorama System Issues ...................................... 594
    Generate Diagnostic Files for Panorama ................................. 594
    Diagnose Panorama Suspended State ...................................... 594
    Monitor the File System Integrity Check ................................ 594
    Manage Panorama Storage for Software and Content Updates ............... 595
    Recover from Split Brain in Panorama HA Deployments .................... 596
  Troubleshoot Log Storage and Connection Issues ........................... 597
    Verify Panorama Port Usage ............................................. 597
    Resolve Zero Log Storage for a Collector Group ......................... 600
    Replace a Failed Disk on an M-Series Appliance ......................... 600
    Replace the Virtual Disk on an ESXi Server ............................. 600
    Replace the Virtual Disk on vCloud Air ................................. 601
    Migrate Logs to a New M-Series Appliance in Log Collector Mode ......... 602
    Migrate Logs to a New M-Series Appliance in Panorama Mode .............. 608
    Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability ... 616
    Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability ... 625
    Migrate Log Collectors after Failure/RMA of Non-HA Panorama ............ 632
    Regenerate Metadata for M-Series Appliance RAID Pairs .................. 636
    View Log Query Jobs .................................................... 637
  Replace an RMA Firewall .................................................. 639
    Partial Device State Generation for Firewalls .......................... 639
    Before Starting RMA Firewall Replacement ............................... 639
    Restore the Firewall Configuration after Replacement ................... 641
  Troubleshoot Commit Failures ............................................. 645
  Troubleshoot Registration or Serial Number Errors ........................ 646
  Troubleshoot Reporting Errors ............................................ 647
  Troubleshoot Device Management License Errors ............................ 648
  Troubleshoot Automatically Reverted Firewall Configurations .............. 649
  View Task Success or Failure Status ...................................... 651
  Test Policy Match and Connectivity for Managed Devices ................... 652
    Troubleshoot Policy Rule Traffic Match ................................. 652
    Troubleshoot Connectivity to Network Resources ......................... 653
  Generate a Stats Dump File for a Managed Firewall ........................ 655
  Recover Managed Device Connectivity to Panorama .......................... 657

Panorama Overview
The Panorama™ management server provides centralized monitoring and management of multiple Palo Alto Networks next-generation firewalls and of WildFire appliances and appliance clusters. It provides a single location from which you can oversee all applications, users, and content traversing your network, and then use this knowledge to create application enablement policies that protect and control the network. Using Panorama for centralized policy and firewall management increases operational efficiency in managing and maintaining a distributed network of firewalls. Using Panorama for centralized WildFire appliance and WildFire appliance cluster management increases the number of firewalls a single network supports, provides high availability for fault tolerance, and increases management efficiency.

> About Panorama
> Panorama Models
> Centralized Firewall Configuration and Update Management
> Centralized Logging and Reporting
> Data Redistribution Using Panorama
> Role-Based Access Control
> Panorama Commit, Validation, and Preview Operations
> Plan Your Panorama Deployment
> Deploy Panorama: Task Overview


About Panorama
Panorama enables you to effectively configure, manage, and monitor your Palo Alto Networks
firewalls with central oversight. The three main areas in which Panorama adds value are:
• Centralized configuration and deployment—To simplify central management and rapid
deployment of the firewalls and WildFire appliances on your network, use Panorama to
pre-stage the firewalls and WildFire appliances for deployment. You can then assemble the
firewalls into groups, create templates to apply a base network and device configuration, and
use device groups to administer globally shared and local policy rules. See Centralized Firewall
Configuration and Update Management.
• Aggregated logging with central oversight for analysis and reporting—Collect information
on activity across all the managed firewalls on the network and centrally analyze, investigate,
and report on the data. This comprehensive view of network traffic, user activity, and the
associated risks empowers you to respond to potential threats using the rich set of policies to
securely enable applications on your network. See Centralized Logging and Reporting.
• Distributed administration—Enables you to delegate or restrict access to global and local
firewall configurations and policies. See Role-Based Access Control for delegating appropriate
levels of access for distributed administration.
Four Panorama Models are available in PAN-OS 10.0: the Panorama virtual appliance and the
M-600, M-500, and M-200 appliances. Panorama Centralized Management illustrates how you
can deploy Panorama in a high availability (HA) configuration to manage firewalls.


Figure 1: Panorama Centralized Management


Panorama Models
Panorama is available as one of the following virtual or physical appliances, each of which
supports licenses for managing up to 25, 100, or 1,000 firewalls. Additionally, M-600 appliances
support licenses for managing up to 5,000 firewalls and similarly resourced Panorama virtual
appliances support licenses for managing up to 2,500 firewalls:
• Panorama virtual appliance—This model provides simple installation and facilitates server
consolidation for sites that need a virtual management appliance. You can install Panorama on
Alibaba Cloud, Amazon Web Services (AWS), AWS GovCloud, Microsoft Azure, Google Cloud
Platform (GCP), KVM, Hyper-V, Oracle Cloud Infrastructure (OCI), a VMware ESXi server, or
on VMware vCloud Air. The virtual appliance can collect firewall logs locally at rates of up to
20,000 logs per second and can manage Dedicated Log Collectors for higher logging rates. The
virtual appliance can function as a dedicated management server, a Panorama management
server with local log collection capabilities, or as a Dedicated Log Collector. For the supported
interfaces, log storage capacity, and maximum log collection rates, see the Setup Prerequisites
for the Panorama Virtual Appliance. You can deploy the virtual appliance in the following
modes:
• Panorama mode—In this mode, the Panorama virtual appliance supports a local Log
Collector with 1 to 12 virtual logging disks (see Deploy Panorama Virtual Appliances with
Local Log Collectors). Each logging disk has 2TB of storage capacity for a total maximum of
24TB on a single virtual appliance and 48TB on a high availability (HA) pair. Only Panorama
mode enables you to add multiple virtual logging disks without losing logs on existing disks.
Panorama mode also provides the benefit of faster report generation. In Panorama mode,
the virtual appliance does not support NFS storage.

As a best practice, deploy the virtual appliance in Panorama mode to optimize log
storage and report generation.
• Legacy mode (ESXi and vCloud Air only)—In this mode, the Panorama virtual appliance
receives and stores firewall logs without using a local Log Collector (see Deploy Panorama
Virtual Appliances in Legacy Mode with Local Log Collection). By default, the virtual
appliance in Legacy mode has one disk partition for all data. Approximately 11GB of the
partition is allocated to log storage. If you need more local log storage, you can add one
virtual disk of up to 8TB on ESXi 5.5 and later versions or on vCloud Air. Earlier ESXi
versions support one virtual disk of up to 2TB. If you need more than 8TB, you can mount
the virtual appliance in Legacy mode to an NFS datastore, but only on the ESXi server, not in
vCloud Air. This mode is available only if your Panorama virtual appliance is already in Legacy
mode when you upgrade to PAN-OS 10.0. On upgrade to PAN-OS 9.0 and later releases, Legacy
mode is no longer available once you change to any other mode: if you change your Panorama
virtual appliance from Legacy mode to one of the available modes, you cannot change back
into Legacy mode.

While supported, Legacy mode is not recommended for production environments
but may still be used for lab or demo environments.
• Management Only mode—In this mode, the Panorama virtual appliance is a dedicated
management appliance for your managed devices and Dedicated Log Collectors.
Additionally, an appropriately resourced Panorama virtual appliance can manage up to 2,500
firewalls in this mode. The Panorama virtual appliance has no log collection capabilities
except for config and system logs and requires a Dedicated Log Collector to store firewall logs.
By default, the virtual appliance in Management Only mode has only one disk partition for
all data, so all logs forwarded to a Panorama virtual appliance in Management Only mode
are dropped. Therefore, to retain the log data from your managed devices, you must
configure log forwarding to a Dedicated Log Collector. For more information, see Increased
Device Management Capacity Requirements.
• Log Collector mode—The Panorama virtual appliance functions as a Dedicated Log
Collector. If multiple firewalls forward large volumes of log data, a Panorama virtual
appliance in Log Collector mode provides increased scale and performance. In this mode, the
appliance does not have a web interface for administrative access; it has only a command
line interface (CLI). However, you can manage the appliance using the web interface of the
Panorama management server. CLI access to a Panorama virtual appliance in Log Collector
mode is necessary only for initial setup and debugging. For configuration details, see Deploy
Panorama with Dedicated Log Collectors.
• M-Series appliance—The M-200, M-500, and M-600 appliances are dedicated hardware
appliances intended for large-scale deployments. In environments with high logging rates
(over 10,000 logs per second) and log retention requirements, these appliances enable scaling
of your log collection infrastructure. For the supported interfaces, log storage capacity, and
maximum log collection rates, see M-Series Appliance Interfaces. All M-Series models share the
following attributes:
• RAID drives to store firewall logs and RAID 1 mirroring to protect against disk failures
• SSD to store the logs that Panorama and Log Collectors generate
• MGT, Eth1, Eth2, and Eth3 interfaces that support 1Gbps throughput
• Redundant, hot-swappable power supplies
• Front-to-back airflow
The M-600 and M-500 appliances have the following additional attribute, which makes them
more suitable for data centers:
• Eth4 and Eth5 interfaces that support 10Gbps throughput
Additionally, the following attribute makes the M-600 appliance more suitable for large-scale
firewall deployments:
• The M-600 appliance in Management Only mode can manage up to 5,000 firewalls.
You can deploy the M-Series appliances in the following modes:
• Panorama mode—The appliance functions as a Panorama management server to manage
firewalls and Dedicated Log Collectors. The appliance also supports a local Log Collector to
aggregate firewall logs. Panorama mode is the default mode. For configuration details, see
Deploy Panorama M-Series Appliances with Local Log Collectors.
• Management Only mode—The Panorama appliance is a dedicated management appliance
for your managed devices and Dedicated Log Collectors. The Panorama appliance has no
log collection capabilities except for config and system logs, and your deployment requires
a Dedicated Log Collector to store firewall logs. By default, the Panorama appliance in
Management Only mode has only one disk partition for all data, so all logs forwarded to an
M-Series appliance in Management Only mode are dropped. Therefore, to retain the
log data from your managed devices, you must configure log forwarding to a Dedicated Log
Collector.
• Log Collector mode—The appliance functions as a Dedicated Log Collector. If multiple
firewalls forward large volumes of log data, an M-Series appliance in Log Collector mode
provides increased scale and performance. In this mode, the appliance does not have a web
interface for administrative access; it has only a command line interface (CLI). However, you
can manage the appliance using the web interface of the Panorama management server. CLI
access to an M-Series appliance in Log Collector mode is necessary only for initial setup and
debugging. For configuration details, see Deploy Panorama with Dedicated Log Collectors.
For more details and specifications for the M-Series appliances, see the M-Series Appliance
Hardware Reference Guides.


Centralized Firewall Configuration and Update Management
Panorama™ uses device groups and templates to group firewalls into logical sets that require
similar configuration. You use device groups and templates to centrally manage all configuration
elements, policies, and objects on the managed firewalls. Panorama also enables you to centrally
manage licenses, software (PAN-OS® software, SSL-VPN client software, GlobalProtect™ agent/
app software), and content updates (Applications, Threats, WildFire®, and Antivirus). All device
group, template, and template stack configuration objects are required to have a unique name.
In the event an unforeseen restart of your managed firewall or Panorama occurs, all uncommitted
configuration changes in your device groups and templates are preserved locally until you
successfully commit the changes. A restart can be the restart of the firewall or Panorama or of a
PAN-OS management process related to configuration management. For firewalls or Panorama in
a high availability (HA) configuration, the uncommitted configuration changes do not automatically
sync across the HA peers in the event of an unforeseen restart.
• Context Switch—Firewall or Panorama
• Total Configuration Size for Panorama
• Templates and Template Stacks
• Device Groups

Context Switch—Firewall or Panorama
The Panorama™ web interface enables you to toggle between a Panorama-centric view and a
firewall-centric view using the Context drop-down at the top-left of every tab. Set the Context
to Panorama to manage firewalls centrally or switch context to the web interface of a specific
firewall to configure it locally. The similarity of the Panorama and firewall web interfaces enables
you to seamlessly move between them to monitor and manage firewalls.
The Context drop-down lists only the firewalls that are connected to Panorama. For a Device
Group and Template administrator, the drop-down lists only the connected firewalls that are
within the Access Domains assigned to that administrator. To search a long list, use the Filters
within the drop-down.
For firewalls in a high availability (HA) configuration, the icons have colored backgrounds to
indicate the HA state (as follows). Knowing the HA state is useful when selecting a firewall
context. For example, you generally make firewall-specific configuration changes on an active
firewall.
• Green—Active.
• Yellow—Passive or the firewall is initiating (the initiating state lasts for up to 60 seconds after
boot up).
• Red—The firewall is non-functional (error state), suspended (an administrator disabled the
firewall), or tentative (for a link or path monitoring event in an active/active HA configuration).
When you configure an admin role profile for a Device Group and Template admin, you must
assign a Device Admin Role that is pushed to your managed firewalls to context switch between
the Panorama and firewall web interface.


During the context switch, Panorama validates whether the admin has access to specific vsys or to
all vsys. If the admin has access to all vsys, Panorama uses the device admin role for the context
switch. If the admin has access to only one or some of the vsys, Panorama uses the vsys admin role
for the context switch.

Total Configuration Size for Panorama
The total configuration file size of Panorama™ M-Series and virtual appliances is an important
performance metric when determining which M-Series appliance, or what minimum amount of
virtual resources, you need to allocate to your Panorama virtual appliance to ensure that you
meet your security requirements. Exceeding the supported total configuration file size of
the Panorama management server results in reduced performance when performing configuration
changes, commits, and pushes to managed firewalls.
The Panorama management server in Panorama mode supports a total configuration file size
of 80MB for all template, device group, and Panorama-specific configurations. Panorama in
Management Only mode supports up to 120MB or 150MB total configuration file size depending
on the Panorama model or resources you allocate to the Panorama virtual appliance. Refer to the
table below for the recommended maximum configuration file size based on the Panorama M-
Series appliance model or on the resources you allocate to the Panorama virtual appliance.

Panorama Model               Virtual Resources Required   Maximum Recommended Panorama
                                                          Configuration File Size
M-200                        N/A                          120MB
M-500                        N/A                          120MB
M-600                        N/A                          150MB
Panorama Virtual Appliance   16 vCPU, 128GB memory        120MB
                             56 vCPU, 256GB memory        150MB

For the Panorama virtual appliance, refer to the Setup Prerequisites for the Panorama Virtual
Appliance for additional setup information.

Templates and Template Stacks
You use templates and template stacks to configure the settings that enable firewalls to
operate on the network. Templates are the basic building blocks you use to configure the
Network and Device tabs on Panorama™. You can use templates to define interface and zone
configurations, to manage the server profiles for logging and syslog access, or to define VPN
configurations. Template stacks simplify management because they allow you to define
a common base configuration for all devices attached to the template stack and give you the
ability to layer multiple templates to create a combined configuration. This enables you to define
templates with location- or function-specific settings and then stack the templates in descending
order of priority so that firewalls inherit the settings based on the order of the templates in the
stack.
Both templates and template stacks support variables. Variables allow you to create placeholder
objects with their value specified in the template or template stack based on your configuration
needs. Create a template or template stack variable to replace IP addresses, Group IDs, and
interfaces in your configurations. Template variables are inherited by the template stack and you
can override them to create a template stack variable. However, templates do not inherit variables
defined in the template stack. When a variable is defined in the template or template stack and
pushed to the firewall, the value defined for the variable is displayed on the firewall.
Use templates to accommodate firewalls that have unique settings. Alternatively, you can push
a broader, common base configuration and then override certain pushed settings with firewall-
specific values on individual firewalls. When you override a setting on the firewall, the firewall
saves that setting to its local configuration and Panorama no longer manages the setting. To
restore template values after you override them, use Panorama to force the template or template
stack configuration onto the firewall. For example, after you define a common NTP server in a
template and override the NTP server configuration on a firewall to accommodate a local time
zone, you can later revert to the NTP server defined in the template.
When defining a template stack, consider assigning firewalls that are the same hardware model
and require access to similar network resources, such as gateways and syslog servers. This enables
you to avoid the redundancy of adding every setting to every template stack. The following figure
illustrates an example configuration in which you assign data center firewalls in the Asia-Pacific
(APAC) region to a stack with global settings, one template with APAC-specific settings, and one
template with data center-specific settings. To manage firewalls in an APAC branch office, you can
then re-use the global and APAC-specific templates by adding them to another stack that includes
a template with branch-specific settings. Templates in a stack have a configurable priority order
that ensures Panorama pushes only one value for any duplicate setting. Panorama evaluates the
templates listed in a stack configuration from top to bottom, with higher templates having priority.
The following figure illustrates a data center stack in which the data center template has a higher
priority than the global template: Panorama pushes the idle timeout value from the data center
template and ignores the value from the global template.


Figure 2: Template Stacks

You cannot use templates or template stacks to set firewall modes: virtual private network (VPN)
mode, multiple virtual systems (multi-vsys) mode, or operational modes (normal or FIPS-CC mode).
For details, see Template Capabilities and Exceptions. However, you can assign firewalls that
have non-matching modes to the same template or stack. In such cases, Panorama pushes mode-
specific settings only to firewalls that support those modes. As an exception, you can configure
Panorama to push the settings of the default vsys in a template to firewalls that don't support
virtual systems or that don't have any virtual systems configured.
For the relevant procedures, see Manage Templates and Template Stacks.
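The stack resolution described above, as an added example that is not part of this guide or of Panorama's own software: a Python model of a stack in which the higher template wins for any duplicate setting, template variables are inherited by the stack and can be overridden there (but never flow back into templates), and a setting a firewall overrode locally survives a normal push but not a forced one. The template names, setting paths, and addresses are constructed for the figure's data center stack; how Panorama breaks a tie between two templates that define the same variable is an assumption noted in the code.

```python
# Added example: a model of how Panorama resolves a template stack. This is not
# Palo Alto Networks code; the setting paths, variable names and addresses are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Template:
    name: str
    settings: dict                      # setting path -> value; "$name" is a variable
    variables: dict = field(default_factory=dict)


@dataclass
class TemplateStack:
    name: str
    templates: list                     # top to bottom; a higher template wins
    variables: dict = field(default_factory=dict)   # stack-level overrides


def resolve_stack(stack):
    """Merge the stack top to bottom: the first template that defines a setting
    supplies its value and lower templates cannot override it. Returns
    (settings, variables, source), where source names the winning template."""
    settings, source = {}, {}
    for tpl in stack.templates:
        for path, value in tpl.settings.items():
            if path not in settings:
                settings[path] = value
                source[path] = tpl.name
    # Template variables flow up into the stack (assumption: if two templates
    # define the same variable, stack priority decides); a variable redefined
    # on the stack overrides the inherited value. Templates never see stack
    # variables, so nothing flows the other way.
    variables = {}
    for tpl in reversed(stack.templates):
        variables.update(tpl.variables)
    variables.update(stack.variables)
    return settings, variables, source


def substitute(settings, variables):
    """Replace "$name" placeholders with resolved values. A placeholder with no
    value is an error worth catching before the push rather than after it."""
    resolved = {}
    for path, value in settings.items():
        if isinstance(value, str) and value.startswith("$"):
            name = value[1:]
            if name not in variables:
                raise KeyError(f"{path}: no value for variable {value}")
            resolved[path] = variables[name]
        else:
            resolved[path] = value
    return resolved


def push_to_firewall(resolved, local_overrides, force=False):
    """A setting the firewall overrode locally keeps its local value (Panorama
    no longer manages it) unless the push forces template values."""
    effective = dict(resolved)
    if not force:
        effective.update(local_overrides)
    return effective


# Constructed stack matching the figure: data center > APAC > global.
GLOBAL = Template("global",
                  {"ntp/primary": "$ntp", "session/idle-timeout": 20},
                  {"ntp": "10.0.0.1"})
APAC = Template("apac", {"dns/primary": "10.1.0.53"}, {"ntp": "10.1.0.1"})
DATACENTER = Template("datacenter", {"session/idle-timeout": 5})
APAC_DC_STACK = TemplateStack("apac-datacenter",
                              [DATACENTER, APAC, GLOBAL],
                              {"ntp": "10.2.0.1"})
# A local admin changed the NTP server on one firewall earlier (constructed).
LOCAL_OVERRIDES = {"ntp/primary": "10.9.9.9"}


if __name__ == "__main__":
    settings, variables, source = resolve_stack(APAC_DC_STACK)
    resolved = substitute(settings, variables)
    for path in sorted(resolved):
        print(f"{path:22} {resolved[path]!s:12} from {source[path]}")
    print("push:       ", push_to_firewall(resolved, LOCAL_OVERRIDES))
    print("forced push:", push_to_firewall(resolved, LOCAL_OVERRIDES, force=True))
```

Running the script shows the idle timeout coming from the data center template, the NTP server setting coming from the global template but with the stack-level variable value, and the locally overridden NTP address surviving until the push is forced.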

Device Groups
To use Panorama effectively, you have to group the firewalls in your network into logical units
called device groups. A device group enables grouping based on network segmentation, geographic
location, organizational function, or any other common aspect of firewalls that require similar
policy configurations. Using device groups, you can configure policy rules and the objects they
reference. You can organize device groups hierarchically, with shared rules and objects at the top,
and device group-specific rules and objects at subsequent levels. This enables you to create a
hierarchy of rules that enforce how firewalls handle traffic. For example, you can define a set of
shared rules as a corporate acceptable use policy. Then, to allow only regional offices to access
peer-to-peer traffic such as BitTorrent, you can define a device group rule that Panorama pushes
only to the regional offices (or define a shared security rule and target it to the regional offices).
For the relevant procedures, see Manage Device Groups. The following topics describe device
group concepts and components in more detail:
• Device Group Hierarchy
• Device Group Policies
• Device Group Objects

Device Group Hierarchy
You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four
levels, with lower-level groups inheriting the settings (policy rules and objects) of higher-level
groups. At the bottom level, a device group can have parent, grandparent, and great-grandparent
device groups (ancestors). At the top level, a device group can have child, grandchild, and great-
grandchild device groups (descendants). All device groups inherit settings from the Shared
location—a container at the top of the hierarchy for configurations that are common to all device
groups.
Creating a device group hierarchy enables you to organize firewalls based on common policy
requirements without redundant configuration. For example, you could configure shared settings
that are global to all firewalls, configure device groups with function-specific settings at the
first level, and configure device groups with location-specific settings at lower levels. Without
a hierarchy, you would have to configure both function- and location-specific settings for every
device group in a single level under Shared.

Figure 3: Device Group Hierarchy

For details on the order in which firewalls evaluate policy rules in a device group hierarchy, see
Device Group Policies. For details on overriding the values of objects that device groups inherit
from ancestor device groups, see Device Group Objects.
In a deployment with multiple Panorama plugins, a device group containing firewalls
deployed in a particular hypervisor cannot be the child or parent of a device group containing
firewalls deployed in a different hypervisor. For example, if Panorama receives IP address updates
from VMware NSX-V and AWS, you cannot create a device group of NSX-V VM-Series firewalls
that is a child of an AWS VM-Series firewall device group.


Device Group Policies
Device groups provide a way to implement a layered approach for managing policies across a
network of managed firewalls. A firewall evaluates policy rules by layer (shared, device group,
and local) and by type (pre-rules, post-rules, and default rules) in the following order from top to
bottom. When the firewall receives traffic, it performs the action defined in the first evaluated
rule that matches the traffic and disregards all subsequent rules. To change the evaluation order
for rules within a particular layer, type, and rulebase (for example, shared Security pre-rules), see
Manage the Rule Hierarchy.
Whether you view rules on a firewall or in Panorama, the web interface displays them in
evaluation order. All the shared, device group, and default rules that the firewall inherits from
Panorama are shaded orange. Local firewall rules display between the pre-rules and post-rules.


The table has three columns: Evaluation Order, Rule Scope and Description, and Administration
Device.

Evaluation Order: Shared pre-rules, then device group pre-rules
Rule Scope and Description: Panorama pushes shared pre-rules to all the firewalls in all device
groups. Panorama pushes device group-specific pre-rules to all the firewalls in a particular device
group and its descendant device groups. If a firewall inherits rules from device groups at multiple
levels in the device group hierarchy, it evaluates pre-rules in the order of highest to lowest level.
This means the firewall first evaluates shared rules and last evaluates the rules of device groups
with no descendants. You can use pre-rules to enforce the acceptable use policy of an
organization. For example, a pre-rule might block access to specific URL categories or allow
Domain Name System (DNS) traffic for all users.
Administration Device: These rules are visible on firewalls but you can only manage them in
Panorama.

Evaluation Order: Local firewall rules
Rule Scope and Description: Local rules are specific to a single firewall or virtual system (vsys).
Administration Device: A local firewall administrator, or a Panorama administrator who switches
to a local firewall context, can edit local firewall rules.

Evaluation Order: Device group post-rules, then shared post-rules
Rule Scope and Description: Panorama pushes shared post-rules to all the firewalls in all device
groups. Panorama pushes device group-specific post-rules to all the firewalls in a particular
device group and its descendant device groups. If a firewall inherits rules from device groups at
multiple levels in the device group hierarchy, it evaluates post-rules in the order of lowest to
highest level. This means the firewall first evaluates the rules of device groups with no
descendants and last evaluates shared rules. Post-rules typically include rules to deny access to
traffic based on the App-ID™ signatures, User-ID™ information (users or user groups), or service.
Administration Device: These rules are visible on firewalls but you can only manage them in
Panorama.

Evaluation Order: intrazone-default, then interzone-default
Rule Scope and Description: The default rules apply only to the Security rulebase, and are
predefined on Panorama (at the Shared level) and the firewall (in each vsys). These rules specify
how PAN-OS handles traffic that doesn't match any other rule. The intrazone-default rule allows
all traffic within a zone. The interzone-default rule denies all traffic between zones. If you
override default rules, their order of precedence runs from the lowest context to the highest:
overridden settings at the firewall level take precedence over settings at the device group level,
which take precedence over settings at the Shared level.
Administration Device: Default rules are initially read-only, either because they are part of the
predefined configuration or because Panorama pushed them to firewalls. However, you can
override the rule settings for tags, action, logging, and security profiles. The context determines
the level at which you can override the rules:
• Panorama—At the Shared or device group level, you can override default rules that are part of
the predefined configuration.
• Firewall—You can override default rules that are part of the predefined configuration on the
firewall or vsys, or that Panorama pushed from the Shared location or a device group.
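The evaluation order in the table above, as an added example that is not part of this guide or of PAN-OS: a Python model that assembles the Security rulebase a firewall in a device group hierarchy would enforce (shared pre-rules, device group pre-rules from the top of the hierarchy down, local rules, device group post-rules from the bottom up, shared post-rules, then the two default rules) and returns the first match. The hierarchy (Shared, branch, branch-apac, datacenter), the zones, the applications, and the rule names are constructed; zone and application matching is simplified to what the table describes, so a rule either names a value or matches any.

```python
# Added example: the order in which a firewall evaluates the Security rulebase it
# receives from a Panorama device group hierarchy. Not Palo Alto Networks code;
# the hierarchy, zones, applications and rule names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str      # "any" matches every zone
    to_zone: str        # "any", a zone name, or "same" (intrazone only)
    app: str            # "any" or an App-ID name
    action: str         # "allow" or "deny"
    layer: str          # shared / <device group> / local / default


# Constructed hierarchy: Shared at the top, function-specific groups below it,
# location-specific groups below those (Panorama allows up to four levels).
PARENT = {"branch": "shared", "branch-apac": "branch", "datacenter": "shared"}


def lineage(device_group):
    """Ancestor chain from Shared down to the device group itself."""
    chain = [device_group]
    while chain[-1] != "shared":
        chain.append(PARENT[chain[-1]])
    chain.reverse()
    return chain


def effective_rulebase(device_group, pre_rules, post_rules, local_rules):
    """Assemble rules in evaluation order: pre-rules from Shared down to the
    leaf, the firewall's local rules, post-rules from the leaf up to Shared,
    then the predefined default rules."""
    chain = lineage(device_group)
    rules = []
    for dg in chain:                       # highest level first
        rules += pre_rules.get(dg, [])
    rules += local_rules
    for dg in reversed(chain):             # lowest level first
        rules += post_rules.get(dg, [])
    rules.append(Rule("intrazone-default", "any", "same", "any", "allow", "default"))
    rules.append(Rule("interzone-default", "any", "any", "any", "deny", "default"))
    return rules


def matches(rule, from_zone, to_zone, app):
    if rule.to_zone == "same":
        zone_ok = from_zone == to_zone
    else:
        zone_ok = (rule.from_zone in ("any", from_zone)
                   and rule.to_zone in ("any", to_zone))
    return zone_ok and rule.app in ("any", app)


def first_match(rulebase, from_zone, to_zone, app):
    """The first matching rule wins; later rules are never consulted."""
    for rule in rulebase:
        if matches(rule, from_zone, to_zone, app):
            return rule
    raise AssertionError("the default rules guarantee a match")


# Constructed policy: a DNS allow in Shared pre-rules, an acceptable-use deny
# in Shared post-rules, and a regional pre-rule that lets APAC branches use
# BitTorrent before the shared deny is ever reached.
PRE = {
    "shared": [Rule("allow-dns", "any", "any", "dns", "allow", "shared")],
    "branch-apac": [Rule("allow-bittorrent-apac", "trust", "untrust",
                         "bittorrent", "allow", "branch-apac")],
}
POST = {
    "branch": [Rule("deny-ftp", "trust", "untrust", "ftp", "deny", "branch")],
    "shared": [Rule("deny-p2p", "any", "any", "bittorrent", "deny", "shared")],
}
LOCAL = [Rule("allow-web", "trust", "untrust", "web-browsing", "allow", "local")]


def decide(device_group, from_zone, to_zone, app):
    rulebase = effective_rulebase(device_group, PRE, POST, LOCAL)
    return first_match(rulebase, from_zone, to_zone, app)


if __name__ == "__main__":
    for dg, app in (("branch-apac", "bittorrent"), ("datacenter", "bittorrent"),
                    ("datacenter", "ssh")):
        hit = decide(dg, "trust", "untrust", app)
        print(f"{dg:12} {app:12} -> {hit.action:5} by {hit.name} ({hit.layer})")
```

The same BitTorrent session is allowed on a branch-apac firewall by the regional pre-rule and denied on a datacenter firewall by the shared post-rule, which is exactly the acceptable-use pattern the Device Groups section describes; traffic nothing else matches falls through to interzone-default.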

Device Group Objects
Objects are configuration elements that policy rules reference, for example: IP addresses, URL
categories, security profiles, users, services, and applications. Rules of any type (pre-rules, post-
rules, default rules, and rules locally defined on a firewall) and any rulebase (Security, NAT, QoS,
Policy Based Forwarding, Decryption, Application Override, Captive Portal, and DoS Protection)
can reference objects. You can reuse an object in any number of rules that have the same scope
as that object in the Device Group Hierarchy. For example, if you add an object to the Shared
location, all rules in the hierarchy can reference that shared object because all device groups
inherit objects from Shared. If you add an object to a particular device group, only the rules in that
device group and its descendant device groups can reference that device group object. If object
values in a device group must differ from those inherited from an ancestor device group, you can
Override inherited object values. You can also Revert to Inherited Object Values at any time. When
you Create Objects for Use in Shared or Device Group Policy once and use them many times, you
reduce administrative overhead and ensure consistency across firewall policies.
You can configure how Panorama handles objects system-wide:
• Pushing unused objects—By default, Panorama pushes all objects to firewalls regardless of
whether any shared or device group policy rules reference the objects. Optionally, you can
configure Panorama to push only referenced objects. For details, see Manage Unused Shared
Objects.
• Precedence of ancestor and descendant objects—By default, when device groups at multiple
levels in the hierarchy have an object with the same name but different values (because of
overrides, for example), policy rules in a descendant device group use the object values in
that descendant instead of object values inherited from ancestor device groups or Shared.
Optionally, you can reverse this order of precedence to push values from Shared or the highest
ancestor containing the object to all descendant device groups. For details, see Manage
Precedence of Inherited Objects.
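The two system-wide settings above, as an added example that is not this guide's or Panorama's own code: a Python model of how a same-named object resolves through the device group hierarchy, both with the default descendant-wins precedence and with the reversed ancestor precedence, together with the choice between pushing every visible object and pushing only the objects some rule references. The hierarchy, object names, and addresses are constructed; rules are modelled only as the set of object names they reference.

```python
# Added example: how a same-named object resolves through a device group
# hierarchy, and which objects Panorama would push. Not Palo Alto Networks
# code; the hierarchy, object names and addresses are constructed.

PARENT = {"branch": "shared", "branch-apac": "branch"}


def lineage(device_group):
    """Ancestor chain from Shared down to the device group itself."""
    chain = [device_group]
    while chain[-1] != "shared":
        chain.append(PARENT[chain[-1]])
    chain.reverse()
    return chain


def resolve_object(objects, device_group, name, ancestor_precedence=False):
    """objects maps device group -> {object name: value}. By default the
    nearest definition (the device group itself, then its parent, and so on
    up to Shared) wins. With ancestor precedence reversed, the value from
    Shared or the highest ancestor that defines the object wins instead.
    Returns (defining device group, value)."""
    search = lineage(device_group)
    if not ancestor_precedence:
        search = list(reversed(search))
    for dg in search:
        if name in objects.get(dg, {}):
            return dg, objects[dg][name]
    raise KeyError(f"{name} is not visible from {device_group}")


def visible_objects(objects, device_group, ancestor_precedence=False):
    """Every object a rule in device_group may reference, with the value the
    rule would actually get."""
    names = set()
    for dg in lineage(device_group):
        names.update(objects.get(dg, {}))
    return {n: resolve_object(objects, device_group, n, ancestor_precedence)[1]
            for n in sorted(names)}


def objects_to_push(objects, device_group, rules, share_unused=True):
    """By default Panorama pushes every visible object; when sharing unused
    objects is turned off, only objects some rule references are pushed."""
    visible = visible_objects(objects, device_group)
    if share_unused:
        return visible
    referenced = {ref for rule in rules for ref in rule}
    return {n: v for n, v in visible.items() if n in referenced}


def revert_to_inherited(objects, device_group, name):
    """Remove an override so the device group inherits the ancestor value."""
    objects.get(device_group, {}).pop(name, None)


# Constructed objects: Shared defines the corporate resolver; the branch group
# overrides it with a regional one; branch-apac defines nothing of its own.
OBJECTS = {
    "shared": {"dns-server": "10.0.0.53", "syslog-server": "10.0.0.100"},
    "branch": {"dns-server": "10.10.0.53"},
    "branch-apac": {},
}
# Rules are modelled only as the set of object names they reference.
RULES = [{"dns-server"}]


if __name__ == "__main__":
    print("default precedence:", resolve_object(OBJECTS, "branch-apac", "dns-server"))
    print("ancestor precedence:",
          resolve_object(OBJECTS, "branch-apac", "dns-server", ancestor_precedence=True))
    print("referenced only:", objects_to_push(OBJECTS, "branch-apac", RULES, share_unused=False))
```

A firewall in branch-apac gets the branch override of dns-server by default and the Shared value once ancestor precedence is reversed; reverting the branch override makes both modes agree again, and turning off sharing of unused objects drops the unreferenced syslog-server from the push.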


Centralized Logging and Reporting
Panorama aggregates logs from all managed firewalls and provides visibility across all the traffic on
the network. It also provides an audit trail for all policy modifications and configuration changes
made to the managed firewalls. In addition to aggregating logs, Panorama can forward them as
SNMP traps, email notifications, syslog messages, and HTTP payloads to an external server.
For centralized logging and reporting, you also have the option to use the cloud-based Cortex
Data Lake, which is architected to work seamlessly with Panorama. Cortex Data Lake allows
your managed firewalls to forward logs to the Cortex Data Lake infrastructure instead of to
Panorama or to the managed Log Collectors, so you can augment your existing distributed log
collection setup or scale your current logging infrastructure without having to invest time and
effort yourself.
The Application Command Center (ACC) on Panorama provides a single pane for unified
reporting across all the firewalls. It enables you to centrally Monitor Network Activity, and to
analyze, investigate, and report on traffic and security incidents. On Panorama, you can view logs
and generate reports from logs forwarded to Cortex Data Lake, Panorama, or the managed Log
Collectors, if configured, or you can query the managed firewalls directly. For example, you can
generate reports about traffic, threat, and/or user activity in the managed network based on logs
stored on Panorama (and the managed collectors), on logs stored locally on the managed
firewalls, or on logs stored in Cortex Data Lake.
If you don't Configure Log Forwarding to Panorama or Cortex Data Lake, you can schedule
reports to run on each managed firewall and forward the results to Panorama for a combined
view of user activity and network traffic. Although such reports don't provide a granular drill-down
on specific information and activities, they still provide a unified monitoring approach.
• Managed Collectors and Collector Groups
• Local and Distributed Log Collection
• Caveats for a Collector Group with Multiple Log Collectors
• Log Forwarding Options
• Centralized Reporting

Managed Collectors and Collector Groups
Panorama uses Log Collectors to aggregate logs from managed firewalls. When generating reports,
Panorama queries the Log Collectors for log information, providing you visibility into all the
network activity that your firewalls monitor. Because you use Panorama to configure and manage
Log Collectors, they are also known as managed collectors. Panorama can manage two types of Log
Collectors:
• Local Log Collector—This type of Log Collector runs locally on the Panorama management
server. Only an M-600, M-500, M-200, or M-100 appliance or a Panorama virtual appliance
in Panorama mode supports a local Log Collector.

If you forward logs to a Panorama virtual appliance in Legacy mode, it stores the logs
locally without a Log Collector.

• Dedicated Log Collector—This is an M-600, M-500, M-200, M-100 appliance or Panorama
virtual appliance in Log Collector mode. You can use an M-Series appliance in Panorama mode
or a Panorama virtual appliance in Panorama or Legacy (ESXi and vCloud Air) mode to manage
Dedicated Log Collectors. To use the Panorama web interface for managing Dedicated Log
Collectors, you must add them as managed collectors. Otherwise, administrative access to a
Dedicated Log Collector is only available through its CLI using the predefined administrative
user (admin) account. Dedicated Log Collectors don’t support additional administrative user
accounts.
You can use either or both types of Log Collectors to achieve the best logging solution for your
environment (see Local and Distributed Log Collection).
A Collector Group is 1 to 16 managed collectors that operate as a single logical log collection
unit. If the Collector Group contains Dedicated Log Collectors, Panorama uniformly distributes
the logs across all the disks in each Log Collector and across all Log Collectors in the group. This
distribution optimizes the available storage space. To enable a Log Collector to receive logs,
you must add it to a Collector Group. You can enable log redundancy by assigning multiple Log
Collectors to a Collector Group (see Caveats for a Collector Group with Multiple Log Collectors).
The Collector Group configuration specifies which managed firewalls can send logs to the Log
Collectors in the group.
To configure Log Collectors and Collector Groups, see Manage Log Collection.

Local and Distributed Log Collection

Before you Configure Log Forwarding to Panorama, you must decide whether to use local Log
Collectors, Dedicated Log Collectors, or both.
A local Log Collector is easy to deploy because it requires no additional hardware or virtual
machine instance. In a high availability (HA) configuration, you can send logs to the local Log
Collector on both Panorama peers; the passive Panorama doesn’t wait for failover to start
collecting logs.

For local log collection, you can also forward logs to a Panorama virtual appliance in
Legacy mode, which stores the logs without using a Log Collector as a logical container.

Dedicated Log Collectors are M-600, M-500, or M-200 appliances, or Panorama virtual appliances,
in Log Collector mode. Because they perform only log collection, not firewall management, Dedicated
Log Collectors allow for a more robust environment than local Log Collectors. Dedicated Log
Collectors provide the following benefits:
• Enable the Panorama management server to use more resources for management functions
instead of logging.
• Provide high-volume log storage on a dedicated hardware appliance.
• Enable higher logging rates.
• Provide horizontal scalability and redundancy with RAID 1 storage.
• Optimize bandwidth resources in networks where more bandwidth is available for firewalls to
send logs to nearby Log Collectors than to a remote Panorama management server.
• Enable you to meet regional regulatory requirements (for example, regulations might not allow
logs to leave a particular region).

Distributed Log Collection illustrates a topology in which the Panorama peers in an HA
configuration manage the deployment and configuration of firewalls and Dedicated Log Collectors.

You can deploy the Panorama management server in an HA configuration but not the
Dedicated Log Collectors.

Figure 4: Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

You can Configure a Collector Group with multiple Log Collectors (up to 16) to ensure log
redundancy, increase the log retention period, and accommodate logging rates that exceed
the capacity of a single Log Collector (see Panorama Models for capacity information). In any
single Collector Group, all the Log Collectors must run on the same Panorama model: all M-600
appliances, all M-500 appliances, all M-200 appliances, or all Panorama virtual appliances. For
example, if a single managed firewall generates 48TB of logs, the Collector Group that receives
those logs will require at least six Log Collectors that are M-200 appliances or two Log Collectors
that are M-500 appliances or Panorama virtual appliances.
A Collector Group with multiple Log Collectors uses the available storage space as one logical
unit and uniformly distributes the logs across all its Log Collectors. The log distribution is based
on the disk capacity of the Log Collectors (see Panorama Models) and a hash algorithm that
dynamically decides which Log Collector owns the logs and writes them to disk. Although Panorama
uses a preference list to prioritize the Log Collectors to which a managed firewall can
forward logs, Panorama does not necessarily write the logs to the first Log Collector specified in
the preference list. For example, consider the following preference list:

Managed Firewall    Log Forwarding Preference List Defined in a Collector Group
FW1                 L1,L2,L3
FW2                 L4,L5,L6

Using this list, FW1 will forward logs to L1 so long as that primary Log Collector is available.
However, based on the hash algorithm, Panorama might choose L2 as the owner that writes the
logs to its disks. If L2 becomes inaccessible or has a chassis failure, FW1 will not know because it
can still connect to L1.

Figure 5: Example - Typical Log Collector Group Setup

In the case where a Collector Group has only one Log Collector and the Log Collector fails, the
firewall stores the logs to its HDD/SSD (the available storage space varies by firewall model). As
soon as connectivity is restored to the Log Collector, the firewall resumes forwarding logs where it
left off before the failure occurred.
In the case of a Collector Group with multiple Log Collectors, the firewall does not buffer logs to
its local storage if only one Log Collector is down. In the example scenario where L2 is down, FW1
continues sending logs to L1, and L1 stores the log data that would be sent to L2. Once L2 is back
up, L1 no longer stores log data intended for L2 and distribution resumes as expected. If one of
the Log Collectors in a Collector Group goes down, the logs that would be written to the down
Log Collector are redistributed to the next Log Collector in the preference list.

Palo Alto Networks recommends adding at least three Log Collectors to a Collector Group
to avoid split brain and log ingestion issues should one Log Collector go down. See the
changes to default Collector Group behavior for more information.

Figure 6: Example - When a Log Collector Fails

Palo Alto Networks recommends the following mitigations if using multiple Log Collectors in a
Collector Group:
• Enable log redundancy when you Configure a Collector Group. This ensures that no logs are
lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have
two copies and each copy will reside on a different Log Collector. Log redundancy is available
only if each Log Collector has the same number of logging disks.

Because enabling redundancy creates more logs, this configuration requires more
storage capacity. When a Collector Group runs out of space, it deletes older logs.
Enabling redundancy doubles the log processing traffic in a Collector Group, which
reduces its maximum logging rate by half, as each Log Collector must distribute a copy
of each log it receives.
• Obtain an On-Site-Spare (OSS) to enable prompt replacement if a Log Collector failure occurs.
• In addition to forwarding logs to Panorama, configure forwarding to an external service as
backup storage. The external service can be a syslog server, email server, SNMP trap server, or
HTTP server.
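The behaviour described in this section (a firewall forwards to the first reachable Log Collector in its preference list, a hash decides which Log Collector actually owns each log, and redundancy keeps a second copy on a different Log Collector) can be reasoned about with a small model. The following Python script is an added example written for this page; it is not Palo Alto Networks code and not Panorama's real placement algorithm. It assumes equal-capacity Log Collectors, a uniform SHA-256 hash for ownership, and, with redundancy on, a second copy on the next collector in ring order; the collector names L1, L2 and L3 come from the table above and the log IDs are constructed.

```python
"""Model of log placement in a Collector Group with a preference list and redundancy.

Added illustration written for this page; it is not Palo Alto Networks code and not
Panorama's actual algorithm. Assumptions: equal-capacity Log Collectors, a uniform
SHA-256 hash for ownership, and, with redundancy on, a second copy on the next
collector in ring order. Real Panorama also weights placement by disk capacity.
"""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Optional, Sequence, Set


def forwarding_target(preference: Sequence[str], live: Set[str]) -> Optional[str]:
    """Collector the firewall connects to: the first reachable entry of its preference
    list, or None when the whole group is down (it then buffers to its own HDD/SSD)."""
    for lc in preference:
        if lc in live:
            return lc
    return None


def owner(log_id: str, members: Sequence[str]) -> str:
    """Hash a log uniformly onto one member of the group. The owner is picked from the
    whole group, not from the firewall's preference list, which is why the collector a
    firewall talks to is not necessarily the one that writes its logs to disk."""
    digest = hashlib.sha256(log_id.encode()).digest()
    return members[int.from_bytes(digest[:8], "big") % len(members)]


def place(log_ids: Iterable[str], members: Sequence[str], redundancy: bool) -> Dict[str, List[str]]:
    """Return {log_id: [collectors holding a copy]}. With redundancy every log gets a
    second copy on a different collector, so the group needs at least two members."""
    if redundancy and len(members) < 2:
        raise ValueError("log redundancy needs at least two Log Collectors")
    placement: Dict[str, List[str]] = {}
    for log_id in log_ids:
        primary = owner(log_id, members)
        copies = [primary]
        if redundancy:
            copies.append(members[(members.index(primary) + 1) % len(members)])
        placement[log_id] = copies
    return placement


def stored_copies(placement: Dict[str, List[str]]) -> int:
    """Total log copies written, i.e. the storage (and distribution traffic) cost."""
    return sum(len(copies) for copies in placement.values())


def readable(placement: Dict[str, List[str]], live: Set[str]) -> int:
    """Logs that reports can still reach when only `live` collectors are up."""
    return sum(1 for copies in placement.values() if any(c in live for c in copies))


def per_collector_load(placement: Dict[str, List[str]]) -> Counter:
    """How many copies each collector holds; shows the uniform spread."""
    load: Counter = Counter()
    for copies in placement.values():
        load.update(copies)
    return load


if __name__ == "__main__":
    group = ["L1", "L2", "L3"]
    logs = [f"fw1-log-{i}" for i in range(6000)]          # constructed sample log ids
    plain = place(logs, group, redundancy=False)
    redun = place(logs, group, redundancy=True)
    up = {"L1", "L3"}                                      # L2 has failed
    print("FW1 forwards to", forwarding_target(["L1", "L2", "L3"], up))
    print("copies stored:", stored_copies(plain), "vs", stored_copies(redun))
    print("logs readable after L2 fails:", readable(plain, up), "vs", readable(redun, up))
    print("load per collector:", dict(per_collector_load(plain)))
```

With L2 down, `forwarding_target` still returns L1 for FW1, so the firewall sees nothing wrong, while `readable` shows that roughly a third of the already-stored logs are unreachable without redundancy and none are lost with it; `stored_copies` doubles, which is the storage and logging-rate cost the note above describes.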

Log Forwarding Options

By default, each firewall stores its log files locally. To use Panorama for centralized log monitoring
and report generation, you must Configure Log Forwarding to Panorama. Panorama supports
forwarding logs to either a Log Collector, the Cortex Data Lake, or both in parallel. You can also
use external services for archiving, notification, or analysis by forwarding logs to the services
directly from the firewalls or from Panorama. External services include syslog servers, email
servers, SNMP trap servers, and HTTP-based services. In addition to forwarding firewall logs, you
can forward the logs that the Panorama management server and Log Collectors generate. The
Panorama management server, Log Collector, or firewall that forwards the logs converts them to
a format that is appropriate for the destination (syslog message, email notification, SNMP trap, or
HTTP payload).
Palo Alto Networks firewalls and Panorama support the following log forwarding options. Before
choosing an option, consider the logging capacities of your Panorama Models and Determine
Panorama Log Storage Requirements.
• Forward logs from firewalls to Panorama and from Panorama to external services—This
configuration is best for deployments in which the connections between firewalls and external
services have insufficient bandwidth to sustain the logging rate, which is often the case when
the connections are remote. This configuration improves firewall performance by offloading
some processing to Panorama.

You can configure each Collector Group to forward logs to different destinations.

Figure 7: Log Forwarding to Panorama and then to External Services

• Forward logs from firewalls to Panorama and to external services in parallel—In this
configuration, both Panorama and the external services are endpoints of separate log
forwarding flows; the firewalls don’t rely on Panorama to forward logs to external services. This
configuration is best for deployments in which the connections between firewalls and external
services have sufficient bandwidth to sustain the logging rate, which is often the case when the
connections are local.

Figure 8: Log Forwarding to External Services and Panorama in Parallel

Centralized Reporting
Panorama aggregates logs from all managed firewalls and enables reporting on the aggregated
data for a global view of application use, user activity, and traffic patterns across the entire
network. As soon as the firewalls are added to Panorama, the ACC can display all traffic traversing
your network. With logging enabled, clicking into a log entry in the ACC provides direct access to
granular details about the application.
For generating reports, Panorama uses two sources: the local Panorama database and the remote
firewalls that it manages. The Panorama database refers to the local storage on Panorama that
is allocated for storing both summarized logs and some detailed logs. If you have a distributed
Log Collection deployment, the Panorama database includes the local storage on Panorama
and all the managed Log Collectors. Panorama summarizes the information (traffic, application,
threat) collected from all managed firewalls at 15-minute intervals. Using the local Panorama
database allows for faster response times. However, if you prefer not to forward logs to Panorama,
Panorama can directly access the remote firewalls and run reports on data that is stored locally on
the managed firewalls.
Panorama offers more than 40 predefined reports that can be used as is, or they can be
customized by combining elements of other reports to generate custom reports and report groups
that can be saved. Reports can be generated on demand or on a recurring schedule, and can be
scheduled for email delivery. These reports provide information on the user and the context so
that you can correlate events and identify patterns, trends, and potential areas of interest. With the
integrated approach to logging and reporting, the ACC enables correlation of entries from multiple
logs relating to the same event.
For more information, see Monitor Network Activity.

Data Redistribution Using Panorama

With data redistribution, you only have to configure each source once, then you can redistribute
multiple data types to as many clients as needed. This helps you to scale your network so that you
can easily add or remove sources and clients as your network needs change.
Data redistribution also provides granularity by redistributing only the types of information to only
the firewalls or Panorama management systems that you specify. You can use subnets, ranges, and
regions to further reduce network traffic and maximize device capacity.
One of the key benefits of the Palo Alto Networks firewall is that it can enforce policies and
generate reports based on usernames and tags instead of IP addresses. The challenge for
large-scale networks is ensuring every firewall that enforces policies and generates reports has the
mappings and tags that apply for all of your policy rules. Additionally, every firewall that enforces
Authentication Policy requires a complete, identical set of authentication timestamps for your
user base. Whenever users authenticate to access services and applications, individual firewalls
record the associated timestamps but don’t automatically share them with other firewalls to
ensure consistency. Data redistribution solves these challenges for large-scale networks by
enabling you to redistribute the necessary data. However, instead of setting up extra connections
to redistribute the data between firewalls, you can leverage your Panorama infrastructure to
Redistribute Data to Managed Firewalls. The infrastructure has existing connections that enable
you to redistribute data in layers, from firewalls to Panorama. Panorama can then redistribute the
information to the firewalls that enforce policies and generate reports.
Each firewall or Panorama management server can receive data from up to 100 redistribution
points. The redistribution points can be other firewalls or Panorama management servers.
However, you can also use Windows-based User-ID agents to perform the mapping and
redistribute the information to firewalls. Only the firewalls record authentication timestamps
when user traffic matches Authentication policy rules.

Role-Based Access Control

Role-based access control (RBAC) enables you to define the privileges and responsibilities of
administrative users (administrators). Every administrator must have a user account that specifies
a role and authentication method. Administrative Roles define access to specific configuration
settings, logs, and reports within Panorama and firewall contexts. For Device Group and Template
administrators, you can map roles to Access Domains, which define access to specific device
groups, templates, and firewalls (through context switching). By combining each access domain
with a role, you can enforce the separation of information among the functional or regional areas
of your organization. For example, you can limit an administrator to monitoring activities for data
center firewalls but allow that administrator to set policies for test lab firewalls. By default, every
Panorama appliance (virtual appliance or M-Series appliance) has a predefined administrative
account (admin) that provides full read-write access (superuser access) to all functional areas
and to all device groups, templates, and firewalls. For each administrator, you can define an
authentication profile that determines how Panorama verifies user access credentials.

Instead of using the default account for all administrators, it is a best practice to create a
separate administrative account for each person who needs access to the administrative
or reporting functions on Panorama. This provides better protection against unauthorized
configuration changes and enables Panorama to log and identify the actions of each
administrator.

• Administrative Roles
• Authentication Profiles and Sequences
• Access Domains
• Administrative Authentication

Administrative Roles
You configure administrator accounts based on the security requirements of your organization,
any existing authentication services that your network uses, and the required administrative roles.
A role defines the type of system access that is available to an administrator. You can define and
restrict access as broadly or granularly as required, depending on the security requirements of
your organization. For example, you might decide that a data center administrator can have access
to all device and networking configurations, but a security administrator can control only security
policy definitions, while other key individuals can have limited CLI or XML API access. The role
types are:
• Dynamic Roles—These are built-in roles that provide access to Panorama and managed
firewalls. When new features are added, Panorama automatically updates the definitions of
dynamic roles; you never need to manually update them. The following table lists the access
privileges associated with dynamic roles.

Dynamic Role             Privileges
Superuser                Full read-write access to Panorama
Superuser (read-only)    Read-only access to Panorama
Panorama administrator   Full access to Panorama except for the following actions:
                         • Create, modify, or delete Panorama or firewall administrators and
                           roles.
                         • Export, validate, revert, save, load, or import a configuration in the
                           Device > Setup > Operations page.
                         • Configure Scheduled Config Export functionality in the Panorama
                           tab.
                         • Generate Tech Support File, Generate Stats Dump File, and
                           Download Core Files (Panorama > Support)

• Admin Role Profiles—To provide more granular access control over the functional areas of the
web interface, CLI, and XML API, you can create custom roles. When new features are added
to the product, you must update the roles with corresponding access privileges: Panorama does
not automatically add new features to custom role definitions. You select one of the following
profile types when you Configure an Admin Role Profile.

Admin Role Profile   Description
Panorama             For these roles, you can assign read-write access, read-only access,
                     or no access to all the Panorama features that are available to
                     the superuser dynamic role except the management of Panorama
                     administrators and Panorama roles. For the latter two features, you can
                     assign read-only access or no access, but you cannot assign read-write
                     access.
                     An example use of a Panorama role would be for security administrators
                     who require access to security policy definitions, logs, and reports on
                     Panorama.
                     Custom Panorama admin roles have the following limitations:
                     • No access to Reboot Panorama (Panorama > Setup > Operations)
                     • No access to Generate Tech Support File, Generate Stats Dump File,
                       and Download Core Files (Panorama > Support)
Device Group and     For these roles, you can assign read-write access, read-only access, or
Template             no access to specific functional areas within device groups, templates,
                     and firewall contexts. By combining these roles with Access Domains,
                     you can enforce the separation of information among the functional or
                     regional areas of your organization. Device Group and Template roles
                     have the following limitations:
                     • No access to the CLI or XML API
                     • No access to configuration or system logs
                     • No access to VM information sources
                     • No access to Reboot Panorama (Panorama > Setup > Operations)
                     • No access to Generate Tech Support File, Generate Stats Dump File,
                       and Download Core Files (Panorama > Support)
                     • In the Panorama tab, access is limited to:
                       • Device deployment features (read-write, read-only, or no access)
                       • The device groups specified in the administrator account
                         (read-write, read-only, or no access)
                       • The templates and managed firewalls specified in the
                         administrator account (read-only or no access)
                     An example use of this role would be for administrators in your
                     operations staff who require access to the device and network
                     configuration areas of the web interface for specific device groups
                     and/or templates.

Authentication Profiles and Sequences

An authentication profile defines the authentication service that validates the login credentials
of administrators when they access Panorama. The service can be local authentication or an
external authentication service. Some services (SAML, TACACS+, and RADIUS) provide the option
to manage both authentication and authorization for administrative accounts on the external
server instead of on Panorama. In addition to the authentication service, the authentication profile
defines options such as Kerberos single sign-on (SSO) and SAML single logout (SLO).
Some networks have multiple databases (such as TACACS+ and LDAP) for different users and user
groups. To authenticate administrators in such cases, configure an authentication sequence—a
ranked order of authentication profiles that Panorama matches an administrator against during
login. Panorama checks against each profile in sequence until one successfully authenticates the
administrator. An administrator is denied access only if authentication fails for all the profiles in
the sequence.

Access Domains
Access domains control administrative access to specific Device Groups and templates, and also
control the ability to switch context to the web interface of managed firewalls. Access domains
apply only to administrators with Device Group and Template roles. Mapping Administrative
Roles to access domains enables very granular control over the information that administrators
access on Panorama. For example, consider a scenario where you configure an access domain
that includes all the device groups for firewalls in your data centers and you assign that access
domain to an administrator who is allowed to monitor data center traffic but who is not allowed
to configure the firewalls. In this case, you would map the access domain to a role that enables
all monitoring privileges but disables access to device group settings. Additionally, Device Group
and Template admins can perform administrative tasks for managed firewalls in their access
domain, such as viewing the configuration and system logs, performing configuration audits,
reviewing pending tasks, and directly accessing firewall operations such as reboot, generating a
tech support file, executing a stats dump, and exporting a core file.
You configure access domains in the local Panorama configuration and then assign them to
administrative accounts and roles. You can perform the assignment locally or use an external
SAML, TACACS+, or RADIUS server. Using an external server enables you to quickly reassign
access domains through your directory service instead of reconfiguring settings on Panorama.
To use an external server, you must define a server profile that enables Panorama to access the
server. You must also define Vendor-Specific Attributes (VSAs) on the RADIUS or TACACS+ server,
or SAML attributes on the SAML IdP server.
For example, if you use a RADIUS server, you would define a VSA number and value for each
administrator. The value defined has to match the access domain configured on Panorama.
When an administrator tries to log in to Panorama, Panorama queries the RADIUS server for the
administrator access domain and attribute number. Based on the response from the RADIUS
server, the administrator is authorized for access and is restricted to the firewalls, virtual systems,
device groups, and templates that are assigned to the access domain.
For the relevant procedures, see:
• Configure an Access Domain.
• Configure RADIUS Authentication for Panorama Administrators.
• Configure TACACS+ Authentication for Panorama Administrators.
• Configure SAML Authentication for Panorama Administrators.
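The three mechanisms described in Administrative Roles, Authentication Profiles and Sequences, and Access Domains combine into one login-and-authorize path, which the following Python model makes concrete. It is an added example written for this page, not Palo Alto Networks code: it models an authentication sequence (profiles tried in ranked order, reject only when all fail), an external server returning the administrator's role and access domain as attributes (the attribute names "admin-role" and "admin-access-domain" are constructed stand-ins for the vendor-defined RADIUS/TACACS+ VSAs or SAML attributes), and the check that a Device Group and Template role only applies inside the access domain it is mapped to while a Panorama role is not scoped. All role, domain, account and credential values are constructed sample data; "alice" is the guide's example of an administrator who may monitor data center firewalls but only set policy in the test lab.

```python
"""Model of how Panorama authenticates and then authorizes an administrator.

Added illustration written for this page; it is not Palo Alto Networks code. The
attribute names "admin-role" / "admin-access-domain" are constructed stand-ins for
the vendor-defined VSAs or SAML attributes, and every role, domain, account and
credential below is constructed sample data.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Sequence, Tuple

RANK = {"none": 0, "read-only": 1, "read-write": 2}   # ordered privilege levels
NO_API_FOR_DGT = frozenset({"cli", "xml-api"})        # never granted to DG/T roles


@dataclass
class Role:
    name: str
    kind: str                 # "panorama" or "dgt" (Device Group and Template)
    areas: Dict[str, str]     # functional area -> highest permitted level


@dataclass
class AccessDomain:
    name: str
    device_groups: FrozenSet[str]
    templates: FrozenSet[str]
    firewalls: FrozenSet[str]

    def contains(self, scope: Tuple[str, str]) -> bool:
        kind, obj = scope
        return obj in {"device-group": self.device_groups, "template": self.templates,
                       "firewall": self.firewalls}[kind]


@dataclass
class Admin:
    username: str
    panorama_role: Optional[Role] = None                      # a Panorama-type role, if any
    domain_roles: Tuple[Tuple[AccessDomain, Role], ...] = ()  # DG/T roles mapped to access domains


def permits(role: Role, area: str, level: str) -> bool:
    return RANK[level] <= RANK[role.areas.get(area, "none")]   # unlisted area = no access


def authorize(admin: Admin, area: str, level: str, scope: Optional[Tuple[str, str]] = None) -> bool:
    """May `admin` use functional `area` at `level`? `scope` names the object touched,
    e.g. ("device-group", "dc-east"). A Panorama role is not bounded by access domains;
    a DG/T role applies only inside its mapped domain and never grants CLI/XML API."""
    if admin.panorama_role is not None and permits(admin.panorama_role, area, level):
        return True
    if scope is None or area in NO_API_FOR_DGT:
        return False
    return any(dom.contains(scope) and permits(role, area, level)
               for dom, role in admin.domain_roles)


AuthProfile = Callable[[str, str], bool]   # (username, secret) -> accepted?


def authenticate(sequence: Sequence[Tuple[str, AuthProfile]], user: str, secret: str) -> Optional[str]:
    """Authentication sequence: the first profile that accepts wins; None if all reject."""
    for name, profile in sequence:
        if profile(user, secret):
            return name
    return None


def admin_from_attributes(user: str, attrs: Dict[str, str], roles: Dict[str, Role],
                          domains: Dict[str, AccessDomain]) -> Optional[Admin]:
    """Build the authorization context from attributes an external server returned.
    Values must name a role and access domain that exist on Panorama; anything else
    yields no account at all rather than some default privilege."""
    role = roles.get(attrs.get("admin-role", ""))
    if role is None:
        return None
    if role.kind == "panorama":
        return Admin(user, panorama_role=role)
    dom = domains.get(attrs.get("admin-access-domain", ""))
    return None if dom is None else Admin(user, domain_roles=((dom, role),))


# --- constructed sample configuration ---------------------------------------
ROLES = {
    "dc-monitor": Role("dc-monitor", "dgt", {"monitor": "read-write", "policies": "none"}),
    "lab-policy": Role("lab-policy", "dgt", {"monitor": "read-only", "policies": "read-write"}),
    "secadmin": Role("secadmin", "panorama",
                     {"policies": "read-write", "monitor": "read-write", "panorama-admins": "read-only"}),
}
DOMAINS = {
    "datacenter": AccessDomain("datacenter", frozenset({"dc-east", "dc-west"}),
                               frozenset({"dc-tpl"}), frozenset({"fw-dc-1"})),
    "testlab": AccessDomain("testlab", frozenset({"lab"}), frozenset({"lab-tpl"}), frozenset()),
}
LOCAL_SECRETS = {"alice": "constructed-local-pw"}       # stand-in for the local account store
EXTERNAL_SECRETS = {"bob": "constructed-ext-pw"}        # stand-in for the external server
EXTERNAL_ATTRS = {"bob": {"admin-role": "secadmin"}}     # attributes that server would return


def _check(store: Dict[str, str], user: str, secret: str) -> bool:
    return hmac.compare_digest(store.get(user, ""), secret)


AUTH_SEQUENCE = [("local", lambda u, s: _check(LOCAL_SECRETS, u, s)),
                 ("external", lambda u, s: _check(EXTERNAL_SECRETS, u, s))]
# Alice may monitor the data centers but only set policy in the test lab (the guide's example).
ALICE = Admin("alice", domain_roles=((DOMAINS["datacenter"], ROLES["dc-monitor"]),
                                     (DOMAINS["testlab"], ROLES["lab-policy"])))

if __name__ == "__main__":
    print(authenticate(AUTH_SEQUENCE, "bob", "constructed-ext-pw"))
    print(authorize(ALICE, "policies", "read-write", ("device-group", "dc-east")))
    print(authorize(ALICE, "policies", "read-write", ("device-group", "lab")))
```

The point to take from `admin_from_attributes` is the one the text makes about RADIUS: an attribute value that does not match a role or access domain defined on Panorama must result in no access, never in a fallback privilege.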

Administrative Authentication
You can configure the following types of authentication and authorization (Administrative Roles
and Access Domains) for Panorama administrators:

Authentication   Authorization   Description
Method           Method
Local            Local           The administrative account credentials and authentication
                                 mechanisms are local to Panorama. You use Panorama to assign
                                 administrative roles and access domains to the accounts. To
                                 further secure the accounts, you can create a password profile
                                 that defines a validity period for passwords and set
                                 Panorama-wide password complexity settings. For details, see
                                 Configure Local or External Authentication for Panorama
                                 Administrators.
SSH Keys         Local           The administrative accounts are local to Panorama, but
                                 authentication to the CLI is based on SSH keys. You use Panorama
                                 to assign administrative roles and access domains to the accounts.
                                 For details, see Configure an Administrator with SSH Key-Based
                                 Authentication for the CLI.
Certificates     Local           The administrative accounts are local to Panorama, but
                                 authentication to the web interface is based on client certificates.
                                 You use Panorama to assign administrative roles and access
                                 domains to the accounts. For details, see Configure a Panorama
                                 Administrator with Certificate-Based Authentication for the Web
                                 Interface.
External         Local           The administrative accounts you define locally on Panorama
service                          serve as references to the accounts defined on an external
                                 Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS,
                                 or LDAP server. The external server performs authentication. You
                                 use Panorama to assign administrative roles and access domains
                                 to the accounts. For details, see Configure Local or External
                                 Authentication for Panorama Administrators.
External         External        The administrative accounts are defined only on an external
service                          SAML, TACACS+, or RADIUS server. The server performs both
                                 authentication and authorization. For authorization, you define
                                 Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS
                                 server, or SAML attributes on the SAML server. Panorama maps
                                 the attributes to administrator roles and access domains that you
                                 define on Panorama. For details, see:
                                 • Configure SAML Authentication for Panorama Administrators
                                 • Configure TACACS+ Authentication for Panorama
                                   Administrators
                                 • Configure RADIUS Authentication for Panorama
                                   Administrators

Panorama Commit, Validation, and Preview Operations

When you are ready to activate changes that you made to the candidate configuration on
Panorama or to push changes to the devices that Panorama manages (firewalls, Log Collectors, and
WildFire appliances and appliance clusters), you can Preview, Validate, or Commit Configuration
Changes. For example, if you add a Log Collector to the Panorama configuration, firewalls cannot
send logs to that Log Collector until you commit the change to Panorama and then push the
change to the Collector Group that contains the Log Collector.
You can filter changes by administrator or location and then commit, push, validate, or preview
only those changes. The location can be specific device groups, templates, Collector Groups, Log
Collectors, shared settings, or the Panorama management server.
When you commit changes, they become part of the running configuration. Changes that you
haven’t committed are part of the candidate configuration. Panorama queues commit requests
so that you can initiate a new commit while a previous commit is in progress. Panorama performs
the commits in the order they are initiated but prioritizes auto-commits that are initiated by
Panorama (such as FQDN refreshes). However, if the queue already has the maximum number of
administrator-initiated commits (10), you must wait for Panorama to finish processing a pending
commit before initiating a new one. You can Use the Panorama Task Manager to cancel
pending commits or to see details about commits that are pending, in progress, completed, or
failed. To check which changes a commit will activate, you can run a commit preview.
When you initiate a commit, Panorama checks the validity of the changes before activating them.
The validation output displays conditions that block the commit (errors) or that are important to
know (warnings). For example, validation could indicate an invalid route destination that you need
to fix for the commit to succeed. The validation process enables you to find and fix errors before
you commit (it makes no changes to the running configuration). This is useful if you have a fixed
commit window and want to be sure the commit will succeed without errors.
Automated commit recovery is enabled by default, allowing the managed firewalls to locally
test the configuration pushed from Panorama to verify that the new changes do not break the
connection between Panorama and the managed firewall. If the committed configuration breaks
the connection between Panorama and a managed firewall, the firewall automatically fails
the commit, the configuration is reverted to the previous running configuration, and the
Shared Policy or Template Status (Panorama > Managed Devices > Summary) goes out of sync,
depending on which configuration objects were pushed. Additionally, the managed firewalls test
their connection to Panorama every 60 minutes, and if a managed firewall detects that it can no
longer successfully connect to Panorama, it reverts its configuration to the previous running
configuration.

For details on candidate and running configurations, see Manage Panorama and Firewall
Configuration Backups.
To prevent multiple administrators from making configuration changes during concurrent
sessions, see Manage Locks for Restricting Configuration Changes.
When pushing configurations to managed firewalls, Panorama pushes the running
configuration. Because of this, Panorama does not let you push changes to managed
firewalls until you first commit the changes to Panorama.

Plan Your Panorama Deployment


Determine the management approach. Do you plan to use Panorama to centrally configure and manage the policies, to centrally administer software, content and license updates, and/or centralize logging and reporting across the managed firewalls in the network?
If you already deployed and configured the Palo Alto Networks firewalls on your network, determine whether to transition the firewalls to centralized management. This process requires a migration of all configuration and policies from your firewalls to Panorama. For details, see Transition a Firewall to Panorama Management.
Verify the Panorama and firewall software versions. Panorama can manage firewalls running PAN-OS versions that match the Panorama version or are earlier than the Panorama version. For example, Panorama 8.0 cannot manage firewalls running PAN-OS 8.1. Additionally, Panorama 8.1 cannot manage firewalls running PAN-OS 6.0.0 through 6.0.3 and cannot manage firewalls that run a later PAN-OS version than the Panorama version.
Plan to use the same URL filtering database (BrightCloud or PAN-DB) across all managed firewalls. If some firewalls are using the BrightCloud database and others are using PAN-DB, Panorama can only manage security rules for one or the other URL filtering database. URL filtering rules for the other database must be managed locally on the firewalls that use that database.
Determine your authentication method between Panorama and its managed devices and high availability peer. By default, Panorama uses predefined certificates to authenticate the SSL connections used for management and inter-device communication. However, you can configure custom certificate-based authentication to enhance the security of the SSL connections between Panorama, firewalls, and log collectors. By using custom certificates, you can establish a unique chain of trust to ensure mutual authentication between Panorama and the devices it manages. You can import the certificates from your enterprise public key infrastructure (PKI) or generate them on Panorama.
Plan to use Panorama in a high availability configuration; set it up as an active/passive high availability pair. See Panorama High Availability.
Plan how to accommodate network segmentation and security requirements in a large-scale deployment. By default, Panorama running on an M-Series appliance uses the management (MGT) interface for administrative access to Panorama and for managing devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters), collecting logs, communicating with Collector Groups, and deploying software and content updates to devices. However, to improve security and enable network segmentation, you can reserve the MGT interface for administrative access and use dedicated M-Series Appliance Interfaces (Eth1, Eth2, Eth3, Eth4, and Eth5) for the other services.
For meaningful reports on network activity, plan a logging solution:
• Verify the resource allocation for your Panorama virtual appliance deployed in Log Collector mode on AWS or Azure. The Panorama virtual appliance does not retain Log Collector mode if resized. This results in log data loss.
• Estimate the log storage capacity your network needs to meet security and compliance requirements. Consider such factors as the logging capacities of your Panorama Models, network topology, number of firewalls sending logs, type of log traffic (for example, URL Filtering and Threat logs versus Traffic logs), the rate at which firewalls generate logs, and the number of days for which you want to store logs on Panorama. For details, see Determine Panorama Log Storage Requirements.
• Do you need to forward logs to external services (such as a syslog server) in addition to Panorama? See Log Forwarding Options.
• Do you want to own or manage your own log storage on premises, or do you want to leverage the Cortex Data Lake provided by Palo Alto Networks?
• If you need a long-term storage solution, do you have a Security Information and Event Management (SIEM) solution, such as Splunk or ArcSight, to which you can forward logs?
• Do you need redundancy in logging?
If you configure a Collector Group with multiple Log Collectors, you can enable redundancy to ensure that no logs are lost if any one Log Collector becomes unavailable (see Caveats for a Collector Group with Multiple Log Collectors).
If you deploy Panorama virtual appliances in Legacy mode in an HA configuration, the managed firewalls can send logs to both HA peers so that a copy of each log resides on each peer. This redundancy option is enabled by default (see Modify Log Forwarding and Buffering Defaults).
• Will you log to a Network File System (NFS)? If the Panorama virtual appliance is in Legacy mode and does not manage Dedicated Log Collectors, NFS storage is the only option for increasing log storage capacity beyond 8TB. NFS storage is available only if Panorama runs on an ESXi server. If you use NFS storage, keep in mind that the firewalls can send logs only to the primary peer in the HA pair; only the primary peer is mounted to the NFS and can write to it.
Determine which role-based access privileges administrators require to access managed firewalls and Panorama. See Set Up Administrative Access to Panorama.
Plan the required Device Groups. Consider whether to group firewalls based on function, security policy, geographic location, or network segmentation. An example of a function-based device group is one that contains all the firewalls that a Research and Development team uses. Consider whether to create smaller device groups based on commonality, larger device groups to scale more easily, or a Device Group Hierarchy to simplify complex layers of administration.
Plan a layering strategy for administering policies. Consider how firewalls inherit and evaluate policy rules within the Device Group Hierarchy, and how to best implement shared rules, device-group rules, and firewall-specific rules to meet your network needs. For visibility and centralized policy management, consider using Panorama for administering rules even if you need firewall-specific exceptions for shared or device group rules. If necessary, you can Push a Policy Rule to a Subset of Firewalls within a device group.
Plan the organization of your firewalls based on how they inherit network configuration settings from Templates and Template Stacks. For example, consider assigning firewalls to templates based on hardware models, geographic proximity, and similar network needs for time zones, a DNS server, and interface settings.


Deploy Panorama: Task Overview


The following task list summarizes the steps to get started with Panorama. For an example of how to use Panorama for central management, see Use Case: Configure Firewalls Using Panorama.
STEP 1 | (M-Series appliance only) Rack mount the appliance.

STEP 2 | Perform initial configuration to enable network access to Panorama. See Set Up the Panorama Virtual Appliance or Set Up the M-Series Appliance.

STEP 3 | Register Panorama and Install Licenses.

STEP 4 | Install Content and Software Updates for Panorama.

STEP 5 | (Recommended) Set up Panorama in a high availability configuration. See Panorama High Availability.

STEP 6 | Add a Firewall as a Managed Device.

STEP 7 | Add a Device Group or Create a Device Group Hierarchy, Add a Template, and (if applicable) Configure a Template Stack.

STEP 8 | (Optional) Configure log forwarding to Panorama and/or to external services. See Manage Log Collection.

STEP 9 | Monitor Network Activity using the visibility and reporting tools on Panorama.

Set Up Panorama
For centralized reporting and cohesive policy management across all the firewalls on your network, you can deploy the Panorama™ management server as a virtual appliance or as a hardware appliance (the M-200, M-500 or M-600 appliance).
The following topics describe how to set up Panorama on your network:
> Determine Panorama Log Storage Requirements
> Manage Large-Scale Firewall Deployments
> Set Up the Panorama Virtual Appliance
> Set Up the M-Series Appliance
> Register Panorama and Install Licenses
> Install the Panorama Device Certificate
> Transition to a Different Panorama Model
> Access and Navigate Panorama Management Interfaces
> Set Up Administrative Access to Panorama
> Set Up Authentication Using Custom Certificates


Determine Panorama Log Storage Requirements


When you Plan Your Panorama Deployment, estimate how much log storage capacity Panorama requires to determine which Panorama Models to deploy, whether to expand the storage on those appliances beyond their default capacities, whether to deploy Dedicated Log Collectors, and whether to Configure Log Forwarding from Panorama to External Destinations. When log storage reaches the maximum capacity, Panorama automatically deletes older logs to create space for new ones.
Perform the following steps to determine the approximate log storage that Panorama requires. For details and use cases, refer to Panorama Sizing and Design Guide.
STEP 1 | Determine the log retention requirements of your organization.
Factors that affect log retention requirements include:
• IT policy of your organization
• Log redundancy—If you enable log redundancy when you Configure a Collector Group, each log will have two copies, which doubles your required log storage capacity.
• Regulatory requirements, such as those specified by the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act, and Health Insurance Portability and Accountability Act (HIPAA).

If your organization requires the removal of logs after a certain period, you can set the expiration period for each log type. You can also set a storage quota for each log type as a percentage of the total space if you need to prioritize log retention by type. For details, see Manage Storage Quotas and Expiration Periods for Logs and Reports.

STEP 2 | Determine the average daily logging rates.

Do this multiple times each day at peak and non-peak times to estimate the average. The more often you sample the rates, the more accurate your estimate.
1. Display the current log generation rate in logs per second:
• If Panorama is not yet collecting logs, access the CLI of each firewall, run the following command, and calculate the total rates for all the firewalls. This command displays the number of logs received in the last second.

> debug log-receiver statistics

• If Panorama is already collecting logs, run the following command at the CLI of each appliance that receives logs (Panorama management server or Dedicated Log Collector) and calculate the total rates. This command gives the average logging rate for the last five minutes.

> debug log-collector log-collection-stats show incoming-logs

You can also use an SNMP manager to determine the logging rates of Log Collectors (see the panLogCollector MIB, OID 1.3.6.1.4.1.25461.1.1.6) and firewalls (see the panDeviceLogging, OID 1.3.6.1.4.1.25461.2.1.2.7).
2. Calculate the average of the sampled rates.
3. Calculate the daily logging rate by multiplying the average logs-per-second by 86,400.

STEP 3 | Estimate the required storage capacity.

This formula provides only an estimate; the exact amount of required storage will differ from the formula result.

Use the formula:

<required_storage_duration> x <average_log_size> x <average_logging_rate>
The average log size varies considerably by log type. However, you can use 500 bytes as an approximate average log size.
For example, if Panorama must store logs for 30 days and the average total logging rate for all firewalls is 21,254,400 logs per day, then the required log storage capacity is: 30 x 500 x 21,254,400 = 318,816,000,000 bytes (approximately 318GB).

STEP 4 | Next steps...


If you determine that Panorama requires more log storage capacity:
• Expand Log Storage Capacity on the Panorama Virtual Appliance.
• Increase Storage on the M-Series Appliance.
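The following Python script is an added example, not code from the Palo Alto Networks guide. It carries the Step 2 and Step 3 calculation through end to end (average the sampled per-second rates, multiply by 86,400, then by retention days and a 500-byte average log size) and goes slightly beyond the guide's single worked figure: it doubles the result when Collector Group log redundancy is enabled (Step 1) and checks the total against the 12 x 2TB logging-disk limit of a virtual appliance in Panorama mode. The sampled rates are constructed, and 2TB is assumed to mean 2 x 10^12 bytes.

```python
"""Panorama log storage sizing calculator (added example, not from the guide).

Implements <required_storage_duration> x <average_log_size> x <average_logging_rate>
on top of sampled logs-per-second rates, plus two caveats from the same procedure:
Collector Group log redundancy stores each log twice, and a Panorama virtual
appliance in Panorama mode holds at most 12 virtual logging disks of 2TB each.
"""
import math
from dataclasses import dataclass
from typing import Sequence

SECONDS_PER_DAY = 86_400
AVERAGE_LOG_BYTES = 500            # approximate average log size suggested by the guide
LOGGING_DISK_BYTES = 2 * 10**12    # one 2TB virtual logging disk (assumption: decimal TB)
MAX_LOGGING_DISKS = 12             # Panorama mode cap: 12 x 2TB = 24TB


@dataclass(frozen=True)
class StorageEstimate:
    average_logs_per_second: float
    logs_per_day: float
    required_bytes: int
    logging_disks_needed: int
    fits_virtual_appliance: bool   # False when more than 12 x 2TB disks would be needed

    def approx_gigabytes(self) -> float:
        """Decimal GB (the guide rounds 318,816,000,000 bytes to 'approximately 318GB')."""
        return self.required_bytes / 10**9


def average_rate(samples_logs_per_second: Sequence[float]) -> float:
    """Average the sampled per-second rates (sample at peak and non-peak times)."""
    if not samples_logs_per_second:
        raise ValueError("at least one sampled logging rate is required")
    if any(rate < 0 for rate in samples_logs_per_second):
        raise ValueError("logging rates cannot be negative")
    return sum(samples_logs_per_second) / len(samples_logs_per_second)


def estimate_storage(samples_logs_per_second: Sequence[float],
                     retention_days: int,
                     average_log_bytes: int = AVERAGE_LOG_BYTES,
                     log_redundancy: bool = False) -> StorageEstimate:
    """Apply the guide's formula and report how many 2TB logging disks it implies."""
    if retention_days <= 0:
        raise ValueError("retention_days must be positive")
    avg_per_second = average_rate(samples_logs_per_second)
    logs_per_day = avg_per_second * SECONDS_PER_DAY          # Step 2, item 3
    required = retention_days * average_log_bytes * logs_per_day   # Step 3 formula
    if log_redundancy:
        required *= 2   # each log has two copies across the Collector Group
    required_bytes = math.ceil(required)
    disks = math.ceil(required_bytes / LOGGING_DISK_BYTES)
    return StorageEstimate(
        average_logs_per_second=avg_per_second,
        logs_per_day=logs_per_day,
        required_bytes=required_bytes,
        logging_disks_needed=disks,
        fits_virtual_appliance=disks <= MAX_LOGGING_DISKS,
    )


if __name__ == "__main__":
    # Constructed samples averaging 246 logs/sec, which reproduces the guide's
    # 21,254,400 logs/day and 318,816,000,000 bytes for 30 days of retention.
    guide_case = estimate_storage([220, 260, 258], retention_days=30)
    print(f"{guide_case.logs_per_day:,.0f} logs/day -> {guide_case.required_bytes:,} bytes "
          f"(~{guide_case.approx_gigabytes():.1f}GB), "
          f"{guide_case.logging_disks_needed} x 2TB logging disk(s)")

    # Constructed heavier case: 5,000 logs/sec retained for a year exceeds the
    # 24TB that a virtual appliance in Panorama mode can hold.
    yearly = estimate_storage([4800, 5200], retention_days=365)
    print(f"{yearly.required_bytes:,} bytes needs {yearly.logging_disks_needed} disks; "
          f"fits a virtual appliance: {yearly.fits_virtual_appliance}")
```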


Manage Large-Scale Firewall Deployments


Panorama™ provides multiple options to manage a large-scale firewall deployment. For consolidation of all management functions, Panorama supports management of up to 5,000 firewalls using an M-600 appliance in Management Only mode or up to 2,500 firewalls with a Panorama virtual appliance in Management Only mode. To simplify the deployment and operational management of a large-scale firewall deployment greater than 5,000 firewalls, the Panorama Interconnect plugin allows you to manage multiple Panorama management server Nodes from a single Panorama Controller.
• Determine the Optimal Large-Scale Firewall Deployment Solution
• Increased Device Management Capacity for M-600 and Panorama Virtual Appliance

Determine the Opmal Large-Scale Firewall Deployment Soluon


To ease the operational burden of managing the configuration of your large-scale firewall deployment, Palo Alto Networks provides different firewall management options to best suit your deployment scenario.
If your large-scale firewall deployment is composed of one or very few Panorama management servers, you can deploy an M-600 appliance to manage up to 5,000 firewalls, or a Panorama virtual appliance to manage up to 2,500 firewalls, to leverage all Panorama capabilities from a single Panorama management server. The Increased Device Management Capacity for M-600 and Panorama Virtual Appliance is ideal for vertically scaled deployments where you manage a large number of firewalls from a single Panorama management server rather than deploying multiple Panorama management servers to manage fewer firewalls.
If your large-scale firewall deployment is composed of multiple Panorama management servers with similar configurations, the Panorama Interconnect plugin allows you to manage multiple Panorama Nodes from a single Panorama Controller. This plugin simplifies the deployment and operational management of large-scale firewall deployments because you can centrally manage policy and configuration from a Panorama Controller. From the Panorama Controller, the device group and template stack configuration is synchronized to the Panorama Nodes and pushed to managed devices. The Panorama Interconnect plugin is ideal for horizontally scaled firewall deployments with multiple distributed Panorama management servers.

Increased Device Management Capacity for M-600 and Panorama Virtual Appliance

The M-600 appliance in Management Only mode can manage up to 5,000 firewalls, or a Panorama virtual appliance in Management Only mode can manage up to 2,500 firewalls, in order to reduce the management footprint of your large-scale firewall deployment.
• Increased Device Management Capacity Requirements
• Install Panorama for Increased Device Management Capacity

Increased Device Management Capacity Requirements


You can manage up to 5,000 firewalls using a single M-600 appliance in Management Only mode or manage up to 2,500 firewalls using a single Panorama virtual appliance in Management Only mode. Managing such large deployments from a single Panorama management server alleviates the operational complexity of configuration management and reduces the security and compliance risk of managing multiple Panorama management servers.
For log collection, a single Panorama management server is ideal because it provides a centralized location to view and analyze log data from managed devices rather than requiring you to access each individual Panorama management server. To provide redundancy in the event of system or network failure, Palo Alto Networks recommends deploying two Panorama management servers in a high availability (HA) configuration. For Panorama system and config logs, an additional disk with a minimum 92GB capacity is required. This additional disk is automatically detected by the Panorama virtual appliance when Panorama is rebooted and mounted as a partition for system and config log storage.
For generating pre-defined reports, you must enable Panorama to use Panorama data for pre-defined reports. This generates pre-defined reports using log data already collected by Panorama or the Dedicated Log Collector, which reduces the resource utilization when generating reports. Enabling this setting is required; otherwise Panorama performance may be impacted, and Panorama may become unresponsive.
To manage up to 5,000 firewalls, the Panorama management server must meet the following minimum requirements:

Requirement: Model
  M-Series Appliance: M-600
  Panorama Virtual Appliance: All supported Panorama hypervisors. For more information, see Panorama Models.

Requirement: Panorama Mode
  M-Series Appliance: Management Only
  Panorama Virtual Appliance: Management Only

Requirement: Number of managed firewalls
  M-Series Appliance: 5,000
  Panorama Virtual Appliance: 2,500

Requirement: System Disk
  M-Series Appliance: 240GB SSD—Used to store the operating system files and system logs.
  Panorama Virtual Appliance:
    • 81GB—Used to store the operating system files and system logs.
    • Additional disk with a minimum 92GB capacity used for storing Panorama system and config logs.

Requirement: CPUs
  M-Series Appliance: 56
  Panorama Virtual Appliance: 28

Requirement: Memory
  M-Series Appliance: 256GB
  Panorama Virtual Appliance: 128GB

Requirement: Log Collection
  M-Series Appliance and Panorama Virtual Appliance: Local log collection is not supported. See Deploy Panorama with Dedicated Log Collectors to set up log collection.

Requirement: Logging and Reporting
  M-Series Appliance and Panorama Virtual Appliance: Enable the Use Panorama Data for Pre-Defined Reports setting (Panorama > Setup > Management > Logging and Reporting Settings > Log Export and Reporting)

Install Panorama for Increased Device Management Capacity


Acvate the device management license to manage more than 1,000 firewalls from a single M-600
Panorama™ management server or a single Panorama virtual appliance.
STEP 1 | Contact your Palo Alto Networks sales representave to obtain the Panorama device
management license that enables you to manage up to 5,000 firewalls.
• If you are deploying an M-600 appliance, obtain the PAN-M-600-P-1K device management
license.
• If you are deploying a Panorama virtual appliance, obtain the PAN-PRA-1000 device
management license.

STEP 2 | Set up the Panorama management server.


• (M-600 appliances only) Set Up the M-Series Appliance.
or
• Set Up the Panorama Virtual Appliance.

STEP 3 | Change the Panorama management server to Management Only mode if Panorama is not
already in this mode.
• Begin at Step 5 to Set Up an M-Series Appliance in Management Only Mode.
• Set up a Panorama Virtual Appliance in Management Only Mode.

STEP 4 | Register your Panorama management server and install licenses.


1. Register Panorama.
2. Acvate a Panorama Support License.
3. Acvate the device management license on the Panorama management server.
• Acvate/Retrieve a Firewall Management License on the M-Series Appliance.
• Acvate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
• Acvate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.


STEP 5 | Select Panorama > Licenses and verify that the device management license is successfully activated.

If you are activating a new device management license on a Panorama, you can manage up to 5,000 firewalls with an M-600 appliance, or up to 2,500 firewalls with a Panorama virtual appliance, but the Description still displays Device management license to manage up to 1000 devices or more.


Set Up the Panorama Virtual Appliance


The Panorama virtual appliance enables you to use your existing VMware virtual infrastructure to centrally manage and monitor Palo Alto Networks firewalls and Dedicated Log Collectors. You can install the virtual appliance on an ESXi server, Alibaba Cloud, Amazon Web Services (AWS), AWS GovCloud, Microsoft Azure, Google Cloud Platform (GCP), KVM, Hyper-V, or in vCloud Air. In addition to or instead of deploying Dedicated Log Collectors, you can forward firewall logs directly to the Panorama virtual appliance. For greater log storage capacity and faster reporting, you have the option to switch the virtual appliance from Legacy mode to Panorama mode and configure a local Log Collector. For more details about the Panorama virtual appliance and its modes, see Panorama Models.

These topics assume you are familiar with the public and private hypervisor products required to create the virtual appliance, and don't cover any related concepts or terminology.

• Setup Prerequisites for the Panorama Virtual Appliance
• Install the Panorama Virtual Appliance
• Perform Initial Configuration of the Panorama Virtual Appliance
• Set Up The Panorama Virtual Appliance as a Log Collector
• Set Up the Panorama Virtual Appliance with Local Log Collector
• Set up a Panorama Virtual Appliance in Panorama Mode
• Set up a Panorama Virtual Appliance in Management Only Mode
• Expand Log Storage Capacity on the Panorama Virtual Appliance
• Increase CPUs and Memory on the Panorama Virtual Appliance
• Increase the System Disk on the Panorama Virtual Appliance
• Complete the Panorama Virtual Appliance Setup
• Convert Your Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance


Complete the following tasks before you Install the Panorama Virtual Appliance:
Use your browser to access the Palo Alto Networks Customer Support web site and Register Panorama. You will need the Panorama serial number that you received in the order fulfillment email. After registering Panorama, you can access the Panorama software downloads page.
Review the supported Panorama hypervisors to verify the hypervisor meets the minimum version requirements to deploy Panorama.
If you will install Panorama on a VMware ESXi server, verify that the server meets the minimum requirements as listed in the System Requirements for the Panorama Virtual Appliance. These requirements apply to Panorama 5.1 and later releases. The requirements vary based on whether you will run the virtual appliance in Panorama mode or Management Only mode. For details on the modes, see Panorama Models.

If you install Panorama on VMware vCloud Air, you set the system settings during installation.
Review the minimum resource requirements for deploying the Panorama virtual appliance on Alibaba Cloud, Amazon Web Services (AWS), AWS GovCloud, Microsoft Azure, Google Cloud Platform (GCP), Hyper-V, KVM, Oracle Cloud Infrastructure (OCI), and VMware ESXi to ensure that the virtual machine meets the minimum required resources for the desired mode (Panorama, Management Only, or Log Collector). The minimum resource requirements for the Panorama virtual appliance are designed to help you achieve the maximum number of logs per second (LPS) for log collection in Panorama and Log Collector mode. If you add or remove virtual logging disks so that the resulting configuration does not meet or exceed the number of virtual logging disks recommended (below), your LPS will be reduced.
If the minimum resource requirements are not met for Panorama mode when you Install the Panorama Virtual Appliance, Panorama defaults to Management Only mode for all supported public (Alibaba Cloud, AWS, AWS GovCloud, Azure, GCP, and OCI) and private (Hyper-V, KVM, and VMware ESXi) hypervisors. If the minimum resource requirements are not met for Management Only mode, Panorama defaults to Maintenance mode for all supported public hypervisors, Hyper-V, and KVM. If the minimum resource requirements for Management Only mode are not met when you Install Panorama on VMware, Panorama defaults to Legacy mode.

It is recommended to deploy the Panorama management server in Panorama mode for both device management and log collection capabilities. While still supported, Legacy mode is not recommended for production environments. Additionally, you can no longer switch Panorama to Legacy mode. For more information on supported modes, see Panorama Models.

Table 1: System Requirements for the Panorama Virtual Appliance

The table compares three columns: Panorama Virtual Appliance in Management Only Mode, Panorama Virtual Appliance in Panorama Mode, and Panorama Virtual Appliance in Log Collector Mode. Requirements that apply to all three modes are listed once.

Requirements: Virtual hardware version (all modes)
  • VMware ESXi and vCloud Air—64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, or 7.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-10
  • Hyper-V—Windows Server 2016 with Hyper-V role or Hyper-V 2016
  • KVM—Ubuntu version 16.04 or CentOS7
  In Panorama mode, the virtual appliance running on any ESXi version supports up to 12 virtual logging disks with 2TB of log storage each, for a total maximum capacity of 24TB.
  (VMware ESXi and vCloud Air only) In Legacy mode, the virtual appliance supports one virtual logging disk. ESXi 5.5 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.

Requirements: (ESXi and vCloud Air only) Client computer (all modes)
  To install the Panorama virtual appliance and manage its resources, you must install a VMware vSphere Client or VMware Infrastructure Client that is compatible with your ESXi server.

Requirements: System disk
  Management Only mode:
    • Default—81GB
    • (ESXi and GCP only) Upgraded—224GB. An upgraded system disk is required for SD-WAN.
  Panorama mode:
    • Default—81GB
    • (ESXi and GCP only) Upgraded—224GB. An upgraded system disk is required for SD-WAN.
    For log storage, Panorama uses virtual logging disks instead of the system disk or an NFS datastore.
  Log Collector mode:
    81GB. For log storage, Panorama uses virtual logging disks instead of the system disk or an NFS datastore.

Requirements: CPUs, memory, and logging disks
  Management Only mode:
    • Manage up to 500 managed devices: 16 CPUs, 32GB memory, local log storage not supported
    • Manage up to 1,000 managed devices: 32 CPUs, 128GB memory, local log storage not supported
    • To manage more than 1,000 firewalls, see Increased Device Management Capacity Requirements.
  Panorama mode:
    • Up to 10,000 logs/sec: 16 CPUs, 32GB memory, 4x2TB logging disks, manage up to 500 managed devices
    • Up to 20,000 logs/sec: 32 CPUs, 128GB memory, 8x2TB logging disks, manage up to 1,000 managed devices
  Log Collector mode:
    • Up to 15,000 logs/sec: 16 CPUs, 32GB memory, 4x2TB logging disks
    • Up to 25,000 logs/sec: 32 CPUs, 128GB memory, 8x2TB logging disks

Requirements: Minimum CPUs and memory
  Management Only mode:
    • 16 CPUs
    • 32GB memory
  Panorama mode and Log Collector mode:
    The minimum resources below do not take LPS into consideration and are only required for the Panorama virtual appliance to function based on the number of logging disks added. Palo Alto Networks recommends you refer to the recommended resources above. For larger Panorama deployments, be aware that you may be under-provisioning your Panorama. This may lead to impacted performance and may cause Panorama to become unresponsive depending on the number of firewalls managed, the configuration size, the number of administrators logged in to Panorama, and the volume of logs ingested.
    • 2TB to 8TB—16 CPUs, 32GB memory
    • 10TB to 24TB—16 CPUs, 64GB memory

Requirements: Log storage capacity
  Management Only mode: Panorama in Management Only mode requires log forwarding to a Dedicated Log Collector.
  Panorama mode: 2TB to 24TB
  Log Collector mode: 2TB to 24TB

Supported Interfaces
Interfaces can be used for device management, log collection, Collector Group communication, licensing and software updates. The Panorama virtual appliance supports up to six interfaces (MGT and Eth1 - Eth5).

Table 2: Supported interfaces for public hypervisors

The same value applies to every public hypervisor column: Alibaba Cloud, Amazon Web Services (AWS), AWS GovCloud, Microsoft Azure, Google Cloud Platform (GCP), and OCI.

Function                          All public hypervisors
Device Management                 Any interface supported
Device Log Collection             Any interface supported
Collector Group Communication     Any interface supported
Licensing and Software Updates    MGT interface only

Table 3: Supported Interfaces for Private Hypervisors

Function                          KVM                        Hyper-V                    VMware (ESXi, vCloud Air)
Device Management                 Any interface supported    Any interface supported    Any interface supported
Device Log Collection             Any interface supported    Any interface supported    Any interface supported
Collector Group Communication     Any interface supported    Any interface supported    Any interface supported
Licensing and Software Updates    Any interface supported    Any interface supported    Any interface supported

Install the Panorama Virtual Appliance


Before installaon, decide whether to run the virtual appliance in Panorama mode, Management
Only mode, Log Collector mode, or Legacy mode (VMware only). Each mode has different resource
requirements, as described in Setup Prerequisites for the Panorama Virtual Appliance. You must
complete the prerequisites before starng the installaon.

As a best pracce, install the virtual appliance in Panorama mode to opmize log storage
and report generaon. For details on Panorama and Legacy mode, see Panorama Models.

• Install Panorama on VMware


• Set Up Panorama on Alibaba Cloud
• Install Panorama on AWS
• Install Panorama on AWS GovCloud
• Install Panorama on Azure
• Install Panorama on Google Cloud Plaorm
• Install Panorama on KVM
• Install Panorama on Hyper-V

Panorama Administrator's Guide Version Version 10.1 54 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

• Set Up Panorama on Oracle Cloud Infrastructure (OCI)

Install Panorama on VMware


You can install the Panorama virtual appliance on the ESXi and vCloud Air VMware platforms.
• Install Panorama on an ESXi Server
• Install Panorama on vCloud Air
• Support for VMware Tools on the Panorama Virtual Appliance
Install Panorama on an ESXi Server
Use these instructions to install a new Panorama virtual appliance on a VMware ESXi server. For upgrades to an existing Panorama virtual appliance, skip to Install Content and Software Updates for Panorama.
STEP 1 | Download the Panorama 10.1 base image Open Virtual Appliance (OVA) file.
1. Go to the Palo Alto Networks software downloads site. (If you can't log in, go to the Palo Alto Networks Customer Support web site for assistance.)
2. In the Download column in the Panorama Base Images section, download the latest version of the Panorama release OVA file (Panorama-ESX-10.0.0.ova).

STEP 2 | Install Panorama.

1. Launch the VMware vSphere Client and connect to the VMware server.
2. Select File > Deploy OVF Template.
3. Browse to select the Panorama OVA file and click Next.
4. Confirm that the product name and description match the downloaded version, and click Next.
5. Enter a descriptive name for the Panorama virtual appliance, and click Next.
6. Select a datastore location (system disk) on which to install the Panorama image. See the Setup Prerequisites for the Panorama Virtual Appliance for the supported system disk sizes. After selecting the datastore, click Next.
7. Select Thick Provision Lazy Zeroed as the disk format, and click Next.
8. Specify which networks in the inventory to use for the Panorama virtual appliance, and click Next.
9. Confirm the selected options, click Finish to start the installation process, and click Close when it finishes. Do not power on the Panorama virtual appliance yet.


STEP 3 | Configure resources on the Panorama virtual appliance.

1. Right-click the Panorama virtual appliance and Edit Settings.
2. In the Hardware settings, allocate the CPUs and memory as necessary.

The virtual appliance boots up in Panorama mode if you allocate sufficient CPUs and Memory and add a virtual logging disk (later in this procedure). Otherwise, the appliance boots up in Management Only mode. For details on the modes, see Panorama Models.
3. Set the SCSI Controller to LSI Logic Parallel.
4. (Optional) Add a virtual logging disk.

This step is required in the following scenarios:
• In Panorama mode to store logs on a dedicated logging disk.
• Manage your SD-WAN deployment in Management Only mode.

1. Add a disk, select Hard Disk as the hardware type, and click Next.
2. Create a new virtual disk and click Next.
3. Set the Disk Size to exactly 2TB.

In Panorama mode, you can later add additional logging disks (for a total of 12) with 2TB of storage each. Expanding the size of a logging disk that is already added to Panorama is not supported.
4. Select your preferred Disk Provisioning disk format.
Consider your business needs when selecting the disk provisioning format. For more information regarding the disk provisioning performance considerations, refer to the VMware Thick vs Thin Disks and All Flash Arrays document, or additional VMware documentation.

When adding multiple logging disks, it is a best practice to select the same Disk Provisioning format for all disks to avoid any unexpected performance issues that may arise.
5. Select Specify a datastore or datastore structure as the location, Browse to a datastore that has sufficient storage, click OK, and click Next.
6. Select a SCSI Virtual Device Node (you can use the default selection) and click Next.

Panorama will fail to boot if you select a format other than SCSI.

7. Verify that the settings are correct and click Finish.

5. Click OK to save your changes.


STEP 4 | Power on the Panorama virtual appliance.


1. In the vSphere Client, right-click the Panorama virtual appliance and select Power >
Power On. Wait for Panorama to boot up before continuing.
2. Verify that the virtual appliance is running in the correct mode:
1. Right-click the Panorama virtual appliance and select Open Console.
2. Enter your username and password to log in (default is admin for both).
3. Display the mode by running the following command:

> show system info

In the output, the system-mode indicates either panorama or management-only
mode.

STEP 5 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing, as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.

STEP 6 | Increase the System Disk for Panorama on an ESXi Server if you intend to use the Panorama
virtual appliance for the following:
• Managing your SD-WAN deployment in Panorama mode.
• Managing large-scale firewall deployments that require additional storage space for dynamic
updates.


STEP 7 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on an ESXi Server as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on an ESXi Server.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.
• For SD-WAN deployments.
1. Increase the System Disk for Panorama on an ESXi Server.
To leverage SD-WAN on Panorama deployed on ESXi, you must increase the system disk
to 224GB.

You cannot migrate back to an 81GB system disk after successfully increasing the
system disk to 224GB.
2. Set up a Panorama Virtual Appliance in Management Only Mode.
3. Add a Virtual Disk to Panorama on an ESXi Server.
To leverage SD-WAN, you must add a single 2TB logging disk to Panorama in
Management Only mode.

Install Panorama on vCloud Air


Use these instructions to install a new Panorama virtual appliance in VMware vCloud Air. If you
are upgrading a Panorama virtual appliance deployed in vCloud Air, skip to Install Content and
Software Updates for Panorama.


STEP 1 | Download the Panorama 10.1 base image Open Virtual Appliance (OVA) file.
1. Go to the Palo Alto Networks software downloads site. (If you can’t log in, go to the Palo
Alto Networks Customer Support web site for assistance.)
2. In the Download column in the Panorama Base Images section, download the Panorama
10.1 release OVA file (Panorama-ESX-10.0.0.ova).

STEP 2 | Import the Panorama image to the vCloud Air catalog.

For details on these steps, refer to the OVF Tool User’s Guide.
1. Install the OVF Tool on your client system.
2. Access the client system CLI.
3. Navigate to the OVF Tool directory (for example, C:\Program Files\VMware\VMware
OVF Tool).
4. Convert the OVA file to an OVF package:

ovftool.exe <OVA-file-pathname> <OVF-file-pathname>

5. Use a browser to access the vCloud Air web console, select your Virtual
Private Cloud OnDemand location, and record the browser URL. You will
use the URL information to complete the next step. The URL format is:
https://<virtual-cloud-location>.vchs.vmware.com/compute/cloud/org/<vCloud-account-number>/#/catalogVAppTemplateList?catalog=<catalog-ID>.
6. Import the OVF package, using the information from the vCloud Air URL to complete the
<virtual-cloud-location>, <vCloud-account-number>, and <catalog-ID> variables. The
other variables are your vCloud Air username and domain <user>@<domain>, a virtual
data center <datacenter>, and a vCloud Air template <template>.

ovftool.exe -st="OVF" "<OVF-file-pathname>" "vcloud://<user>@<domain>:password@<virtual-cloud-location>.vchs.vmware.com?vdc=<datacenter>&org=<vCloud-account-number>&vappTemplate=<template>.ovf&catalog=default-catalog"

STEP 3 | Install Panorama.


1. Access the vCloud Air web console and select your Virtual Private Cloud OnDemand
region.
2. Create a Panorama virtual machine. For the steps, refer to Add a Virtual Machine from
a Template in the vCloud Air Documentation Center. Configure the CPU, Memory and
Storage as follows:
• Set the CPU and Memory based on the virtual appliance mode: see Setup
Prerequisites for the Panorama Virtual Appliance.
• Set the Storage to configure the Panorama virtual appliance system disk. See Setup
Prerequisites for the Panorama Virtual Appliance for the supported disk sizes
based on the Panorama virtual appliance mode. For better logging and reporting
performance, select the SSD-Accelerated option.
To increase the log storage capacity, you must Add a Virtual Disk to Panorama on
vCloud Air. In Panorama mode, the virtual appliance does not use the system disk for
log storage; you must add a virtual logging disk.

STEP 4 | Create vCloud Air NAT rules on the gateway to allow inbound and outbound traffic for the
Panorama virtual appliance.
Refer to Add a NAT Rule in the vCloud Air Documentation Center for the detailed instructions:
1. Add a NAT rule that allows Panorama to receive traffic from the firewalls and allows
administrators to access Panorama.
2. Add a NAT rule that allows Panorama to retrieve updates from the Palo Alto Networks
update server and to access the firewalls.

STEP 5 | Create a vCloud Air firewall rule to allow inbound traffic on the Panorama virtual appliance.
Outbound traffic is allowed by default.
Refer to Add a Firewall Rule in the vCloud Air Documentation Center for the detailed
instructions.

STEP 6 | Power on the Panorama virtual appliance if it isn’t already on.

In the vCloud Air web console, select the Virtual Machines tab, select the Panorama virtual
machine, and click Power On.
You are now ready to Perform Initial Configuration of the Panorama Virtual Appliance.

Support for VMware Tools on the Panorama Virtual Appliance


VMware Tools is bundled with the software image (ovf) for the Panorama virtual appliance. The
support for VMware Tools allows you to use the vSphere environment—vCloud Director and
vCenter server—for the following:
• View the IP address assigned to the Panorama management interface.
• View resource utilization metrics on hard disk, memory, and CPU. You can use these metrics to
enable alarms or actions on the vCenter server or vCloud Director.
• Gracefully shut down and restart Panorama using the power off function on the vCenter server
or vCloud Director.
• Enable a heartbeat mechanism between the vCenter server and Panorama for verifying that
Panorama is functioning, or if the firewall/Panorama is rebooting. If the firewall goes into
maintenance mode, heartbeats are disabled so that the vCenter server does not shut down the
firewall. Disabling heartbeats allows the firewall to stay operational in maintenance mode when
it cannot send heartbeats to the vCenter server.

Set Up Panorama on Alibaba Cloud


Set up a Panorama™ virtual appliance on Alibaba Cloud to centrally manage the configuration of
physical and VM-Series firewalls.
• Upload the Panorama Virtual Appliance Image to Alibaba Cloud


• Install Panorama on Alibaba Cloud


Upload the Panorama Virtual Appliance Image to Alibaba Cloud
Complete the following procedure to upload a Panorama™ management server qcow2 file
for KVM and create a custom image that you need to launch the Panorama virtual appliance.
Uploading and creating the image is required only once. You can use the same image for all
subsequent deployments of the Panorama virtual appliance.
STEP 1 | Download the Panorama qcow2 file for KVM from the Palo Alto Networks Customer Support
Portal (CSP).
1. Log in to the Palo Alto Networks CSP.
2. Select Updates > Software Updates and select Panorama Base Images from the software
updates filter drop-down.
3. Download the latest version of the Panorama-KVM qcow2 file.

STEP 2 | Log in to the Alibaba Cloud Console.

STEP 3 | Create an Object Storage Service (OSS) bucket for the Panorama virtual appliance image.
1. From the Alibaba Cloud menu, select Object Storage Service > Buckets and Create
Bucket.
2. Enter a descriptive Bucket Name.
3. Select the bucket Region.
This must be the same region in which you plan to deploy your Panorama virtual
appliance and the same region as the firewalls you plan to manage with Panorama.
4. Configure the remaining OSS bucket settings as needed.
5. Click OK.
You are automatically taken to the OSS bucket Overview page after successful creation.

STEP 4 | Upload the qcow2 file to the OSS bucket.


1. In the OSS bucket Overview, select Files and Upload the qcow2 file you downloaded in
the previous step.
2. For Upload To target, select Current.
3. For the File ACL, select Inherited from Bucket.
4. Click Select Files and select the qcow2 file.
Alternatively, you can drag and drop the qcow2 file into the Files to Upload section.
5. Upload the qcow2 file.
A Task List window appears displaying the upload Status. Continue to the next step after
the qcow2 file upload Status displays Uploaded.


STEP 5 | Make the qcow2 file a bootable image.


1. In the OSS bucket Overview, select Files and click the qcow2 file you uploaded to view
the file Details.
2. Click Copy File URL and exit the file Details.
3. From the Alibaba Cloud menu, select Elastic Compute Service > Instances & Images >
Images and Import Image.
4. Paste the OSS Object Address for the qcow2 file.
This is the file URL you copied in the previous step.
5. Enter an Image Name.
6. For the Operating System/Platform, select Linux CentOS.
7. For the System Disk (GiB), enter 81.
8. For the System Architecture, select x86_64.
9. For the Image Format, select QCOW2.
10. Click OK.


Install Panorama on Alibaba Cloud


Use the Elastic Compute Service (ECS) to create a Panorama™ virtual appliance instance on
Alibaba Cloud. An ECS instance supports a single NIC by default and automatically attaches an
Elastic Network Interface (ENI) to it. You must manually upload a Panorama virtual appliance
qcow2 image downloaded from the Palo Alto Networks Customer Support Portal (CSP) to
Alibaba Cloud to successfully install the Panorama virtual appliance on Alibaba Cloud.
A Panorama virtual appliance deployed on Alibaba Cloud is Bring Your Own License (BYOL),
supports all deployment modes (Panorama, Log Collector, and Management Only), and shares the
same processes and functionality as the M-Series hardware appliances. For more information on
Panorama modes, see Panorama Models.
Review the Setup Prerequisites for the Panorama Virtual Appliance to determine the correct
Elastic Compute Service (ECS) instance type for your needs. The virtual resource requirements
for the Panorama virtual appliance are based on the total number of firewalls managed by the
Panorama virtual appliance and the required Logs Per Second (LPS) for forwarding logs from your
managed firewalls to your Log Collector.
Palo Alto Networks supports the following instance types.
• ecs.g5.xlarge, ecs.g5.2xlarge, ecs.g5.4xlarge
• ecs.sn2ne.xlarge, ecs.sn2ne.2xlarge, ecs.sn2ne.4xlarge

Under-provisioning the Panorama virtual appliance will impact management performance.
This includes the Panorama virtual appliance becoming slow or unresponsive, depending on
how under-provisioned the Panorama virtual appliance is.

STEP 1 | Log in to the Alibaba Cloud Console.


STEP 2 | Upload the Panorama Virtual Appliance Image to Alibaba Cloud.

STEP 3 | Set up the virtual private cloud (VPC) for your network needs.
Whether you launch the Panorama virtual appliance in an existing VPC or you create a new
VPC, the Panorama virtual appliance must be able to receive traffic from other instances in the
VPC and perform inbound and outbound communication between the VPC and the internet as
needed.
Refer to the Alibaba Cloud VPC documentation for more information.
1. Create a VPC and Configure Networks or use an existing VPC.
2. Verify that the network and security components are appropriately defined.
• Create an internet gateway to enable internet access to the subnet of your Panorama
virtual appliance. Internet access is required to install software and content updates,
activate licenses, and leverage Palo Alto Networks cloud services. Otherwise, you
must manually install updates and activate licenses.
• Create subnets. Subnets are segments of the IP address range assigned to the VPC in
which you can launch Alibaba Cloud instances. It is recommended that the Panorama
virtual appliance belong to the management subnet so that you can configure it to
access the internet if needed.
• Add routes to the route table for a private subnet to ensure traffic can be routed
across subnets in the VPC and from the internet if applicable.
Ensure you create routes between subnets to allow communication between:
• Panorama, managed firewalls, and Log Collectors.
• (Optional) Panorama and the internet.
• Ensure that the following ingress security rules are allowed for the VPC to manage
VPC traffic. The ingress traffic source for each rule is unique to your deployment
topology.
See Ports Used for Panorama for more information.
• Allow SSH (port 22) traffic to enable access to the Panorama CLI.
• Allow HTTPS (port 443 and 27280) traffic to enable access to the Panorama web
interface.
• Allow traffic on port 3978 to enable communication between Panorama, managed
firewalls, and managed Log Collectors. This port is also used by Log Collectors to
forward logs to Panorama.
• Allow traffic on port 28443 to enable managed firewalls to get software and
content updates from Panorama.

STEP 4 | Select Elasc Compute Service > Instances & Images > Instances and click Create Instance
in the upper right corner.


STEP 5 | Create the Panorama virtual appliance instance.


1. Select Custom Launch.
2. Configure the Panorama virtual appliance instance.
• Billing Method—Select the desired subscription method for the instance.
• Region—Select a region of your choice. The region you select must provide one of the
supported instance types.
• Instance Type—Select one of the supported instance types. You can select Type-based
Selection to search for the instance type.
• Image—Select Custom Image and select the Panorama virtual appliance image you
uploaded.
• Storage—Choose a disk type and enter 81GiB as the system disk capacity.
• (Optional) Add Disk—Add additional logging disks.
If you intend to use the Panorama virtual appliance in Panorama mode or as a
Dedicated Log Collector, add the virtual logging disks during the initial deployment.
By default, the Panorama virtual appliance is in Panorama mode for the initial
deployment when you meet the Panorama mode resource requirements and have
added at least one virtual logging disk. Otherwise, the Panorama virtual appliance
defaults to Management Only mode. Change the Panorama virtual appliance to
Management Only mode if you just want to manage devices and Dedicated Log
Collectors, and not collect logs locally.
The Panorama virtual appliance on Alibaba Cloud only supports 2TB logging disks,
and in total supports up to 24TB of log storage. You are unable to add a logging disk
smaller than 2TB, or a logging disk with a size not divisible by the 2TB logging disk
requirement. The Panorama virtual appliance partitions logging disks larger than 2TB
into 2TB partitions.
• (Optional) Snapshot—Specify how often a snapshot is automatically taken of the
Panorama virtual appliance instance to prevent risks and accidental data deletion.
• Duration—Specify the duration for the Panorama virtual appliance instance.

STEP 6 | Configure the Panorama virtual appliance network settings.

1. Select Next: Networking.
2. Configure the network settings for the Panorama virtual appliance instance.
• Network Type—Select the VPC and management VSwitch you created.
• Public IP Address—If you do not have a public IP address, enable (check) Assign Public
IPv4 Address and a public IPv4 address is automatically assigned to the Panorama
virtual appliance instance.
If you must use a specific IP address, or an address in a specific range, you can request
a custom IP address. Refer to the Elastic IP Address User Guide.
• Security Group—Select the management security group you created and enable Port
443 (HTTPS), Port 22, and Port 3389.
• Elastic Network Interface—No configuration needed. The Management interface is
already attached to eth0.


STEP 7 | Configure the Panorama virtual appliance instance system settings.

1. Select Next: System Configurations.
2. Configure system settings for the Panorama virtual appliance instance.
• Logon Credentials—Select Key Pair and select the key pair. If a key pair has not
already been created, select Create Key Pair to create a new key pair on Alibaba
Cloud or import an existing key pair.

Password authentication is not supported.

• Instance Name—Enter a descriptive name for the Panorama virtual appliance. This is the
name displayed for the instance throughout the Alibaba Cloud Console.
• Host—Enter a hostname for the Panorama virtual appliance instance.

STEP 8 | (Optional) Select Next: Grouping to configure grouping for all Alibaba Cloud resources
associated with the Panorama virtual appliance instance.

STEP 9 | Select Preview to view the configuration before ordering.

STEP 10 | View and check the ECS Terms of Service and Product Terms of Service.

STEP 11 | Create Instance to create the Panorama virtual appliance instance.

When prompted, click Console to view the instance creation status.

STEP 12 | Allocate Elastic IP (EIP) addresses.

The EIP is a public IP address used to connect to the Panorama virtual appliance.
This step is required only if you want to enable internet access for the Panorama virtual
appliance.
1. Select Elastic Compute Service > Network & Security > VPC > Elastic IP Addresses >
Elastic IP Addresses.
Select Create EIP if you do not have any existing EIPs.
2. In the Actions column, select Bind Resource to bind an EIP to any interface exposed to
the Internet.


STEP 13 | Log in to the Panorama CLI using SSH to configure the Panorama virtual appliance
network settings.
You must configure the system IP address, netmask, and default gateway. Additionally, you
must add the Alibaba Cloud DNS servers to successfully connect to the Palo Alto Networks
update server.

You can also access the Panorama CLI from the Alibaba console. To access the
Panorama CLI from the Alibaba console, select Elastic Compute Service > Instances &
Images > Instances and select the Panorama virtual appliance instance. In the Instance
Details, select Connect.
You are prompted to create a VNC password for the Panorama virtual appliance
instance on first connection from the Alibaba VNC console. Be sure to save this password, as it
cannot be recovered and is required to connect using VNC or to update the password
in the future.

STEP 14 | Configure the initial network settings for the Panorama virtual appliance.

admin> configure

admin# set deviceconfig system type static

admin# set deviceconfig system ip-address <instance-private-IP-address> netmask <netmask> default-gateway <default-gateway-IP>

The default gateway on Alibaba Cloud ends in .253. For example, if the private IP
address for your Panorama virtual appliance instance is 192.168.100.20, the default
gateway is 192.168.100.253.

admin# set deviceconfig system dns-setting servers primary 100.100.2.136

admin# set deviceconfig system dns-setting servers secondary 100.100.2.138

admin# commit


STEP 15 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing, as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.

STEP 16 | Complete configuring the Panorama virtual appliance for your deployment needs.
• (Management Only mode) Set up a Panorama Virtual Appliance in Management Only Mode.
• (Log Collector mode) Begin at Step 6 to Switch from Panorama mode to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you Add the Log
Collector as a managed collector to the Panorama management server. You cannot
specify the IP Address, Netmask, or Gateway.
• (Panorama and Management Only mode) Configure a Managed Collector to add a Dedicated
Log Collector to the Panorama virtual appliance. Management Only mode does not support
local log collection, and requires a Dedicated Log Collector to store managed device logs.


STEP 17 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on Alibaba Cloud as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on Alibaba Cloud as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.

Install Panorama on AWS


You can now deploy Panorama™ and a Dedicated Log Collector on Amazon Web Services
(AWS). Panorama deployed on AWS is Bring Your Own License (BYOL), supports all deployment
modes (Panorama, Log Collector, and Management Only), and shares the same processes and
functionality as the M-Series hardware appliances. For more information on Panorama modes, see
Panorama Models.
STEP 1 | Log in to the AWS Web Service console and select the EC2 Dashboard.
• Amazon Web Service Console
• AWS GovCloud Web Service Console

STEP 2 | Set up the virtual private cloud (VPC) for your network needs.
Whether you launch the Panorama virtual appliance in an existing VPC or you create a new
VPC, the Panorama virtual appliance must be able to receive traffic from other instances in the
VPC and perform inbound and outbound communication between the VPC and the internet as
needed.
Refer to the AWS VPC documentation for instructions on creating a VPC and setting it up for
access.
1. Create a new VPC or use an existing VPC. Refer to the AWS Getting Started
documentation.
2. Verify that the network and security components are appropriately defined.
• Create an internet gateway to enable internet access to the subnet of your Panorama
virtual appliance. Internet access is required to install software and content updates,
activate licenses, and leverage Palo Alto Networks cloud services. Otherwise, you
must manually install updates and activate licenses.
• Create subnets. Subnets are segments of the IP address range assigned to the VPC in
which you can launch AWS instances. It is recommended that the Panorama virtual
appliance belong to the management subnet so that you can configure it to access the
internet if needed.
• Add routes to the route table for a private subnet to ensure traffic can be routed
across subnets in the VPC and from the internet if applicable.
Ensure you create routes between subnets to allow communication between:
• Panorama, managed firewalls, and Log Collectors.
• (Optional) Panorama and the internet.
• Ensure that the following inbound security rules are allowed for the VPC to manage
VPC traffic. The ingress traffic source for each rule is unique to your deployment
topology.
See Ports Used for Panorama for more information.
• Allow SSH (port 22) traffic to enable access to the Panorama CLI.
• Allow HTTPS (port 443) traffic to enable access to the Panorama web interface.
• Allow traffic on port 3978 to enable communication between Panorama, managed
firewalls, and managed Log Collectors. This port is also used by Log Collectors to
forward logs to Panorama.
• Allow traffic on port 28443 to enable managed firewalls to get software and
content updates from Panorama.
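The inbound rules listed above, written as a least-privilege security-group specification plus an audit for over-broad rules. This is an added example, not code from the Panorama Administrator's Guide or from Palo Alto Networks; it serves both this AWS step and the matching Alibaba Cloud VPC step earlier in the section. The IpPermissions shape is the one boto3's authorize_security_group_ingress accepts (the boto3 call itself is left as a comment so the block runs offline), and the CIDRs in the sample run are constructed placeholders.

```python
"""Least-privilege inbound rules for a Panorama virtual appliance.

Added example (not from the Panorama Administrator's Guide). Builds the
IpPermissions list for the Panorama listeners named in the VPC setup step
(22, 443, 3978, 28443), scoped to the sources that need each port, and
audits an existing rule set for exposure Panorama does not need.
"""
import ipaddress

ANY_V4 = "0.0.0.0/0"

# Panorama listeners from the VPC setup step and which source group needs each:
# "admins" = administrator networks, "devices" = managed firewalls/Log Collectors.
PANORAMA_PORTS = {
    22:    ("admins",  "SSH to the Panorama CLI"),
    443:   ("admins",  "HTTPS to the Panorama web interface"),
    3978:  ("devices", "firewall/Log Collector management and log forwarding"),
    28443: ("devices", "software and content updates pulled by managed firewalls"),
}
ADMIN_PORTS = {p for p, (who, _) in PANORAMA_PORTS.items() if who == "admins"}


def _normalize(cidrs):
    """Return canonical IPv4 CIDR strings; reject anything that is not IPv4."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 CIDRs are handled here: {cidr}")
        nets.append(str(net))
    return sorted(set(nets))


def build_panorama_ingress(admin_cidrs, device_cidrs):
    """Build boto3-style IpPermissions for the Panorama security group.

    Management ports (22, 443) are never opened to 0.0.0.0/0. If a firewall
    has no fixed source address, 3978/28443 may be opened wider, but only by
    the caller explicitly passing "0.0.0.0/0" in device_cidrs.
    """
    admins, devices = _normalize(admin_cidrs), _normalize(device_cidrs)
    if ANY_V4 in admins:
        raise ValueError("refusing to expose SSH/HTTPS management to 0.0.0.0/0")
    perms = []
    for port, (who, desc) in sorted(PANORAMA_PORTS.items()):
        sources = admins if who == "admins" else devices
        perms.append({
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": desc} for c in sources],
        })
    return perms


def audit_ingress(ip_permissions):
    """Flag risky rules in an IpPermissions list (for example the one returned
    by ec2.describe_security_groups()). Returns finding strings; an empty list
    means the rule set exposes only what Panorama needs."""
    findings = []
    for perm in ip_permissions:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        if perm.get("IpProtocol") == "-1":  # an "All traffic" rule, as in the default group
            findings.append("all protocols and ports allowed from " + ", ".join(sources))
            continue
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None:
            continue
        extra = [p for p in range(lo, hi + 1) if p not in PANORAMA_PORTS]
        if extra:
            findings.append(f"rule {lo}-{hi} opens {len(extra)} port(s) Panorama does not use")
        for port in sorted(ADMIN_PORTS & set(range(lo, hi + 1))):
            if ANY_V4 in sources:
                findings.append(f"management port {port} is open to the internet")
    return findings


if __name__ == "__main__":
    # Constructed sample: one admin jump subnet and two subnets holding managed firewalls.
    rules = build_panorama_ingress(["10.0.0.0/24"], ["10.1.0.0/24", "10.2.0.0/24"])
    for rule in rules:
        print(rule["FromPort"], [r["CidrIp"] for r in rule["IpRanges"]])
    # A rule set shaped like the AWS "default" security group: everything from anywhere.
    print(audit_ingress([{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]))
    # To apply: boto3.client("ec2").authorize_security_group_ingress(
    #     GroupId="<security-group-id>", IpPermissions=rules)
```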


STEP 3 | Deploy Panorama on Amazon Web Services.


1. Select Services > EC2 > Instances and Launch Instance.
2. Select AWS Marketplace, search for Palo Alto Networks Panorama, and Select
the Panorama AMI and Connue.
3. Choose the EC2 instance type for allocang the resources required for the Panorama
virtual appliance, and click Next: Configure Instance Details. Review the Setup
Prerequisites for the Panorama Virtual Appliance for resource requirements.

If you plan to use the Panorama virtual appliance as a Dedicated Log Collector,
ensure that you configure the appliance with the required resources during inial
deployment. The Panorama virtual appliance does not remain in Log Collector
mode if you resize the virtual machine aer you deploy it, and this results in a
loss of log data.
4. Configure the instance details.
1. Select Next: Configure Instance Details.
2. For the Network, select the VPC.
3. Select the Subnet.
4. To Auto-assign Public IP select Enable.
This IP must be accessible by the firewalls you plan to manage using Panorama. This
allows you to obtain a publicly accessible IP address for the management interface
of the Panorama virtual appliance. You can later aach an Elasc IP address to the
management interface. Unlike the public IP address that is disassociated from the
virtual appliance when the instance is terminated, the Elasc IP address provides
persistence and you can the IP address to a new (or replacement) instance of the
Panorama virtual appliance without the need to reconfigure the IP address whenever
the Panorama virtual appliance instance is powered off.
5. Configure any addional instance details as needed.
5. (Oponal) Configure the Panorama virtual appliance storage.
1. Select Next: Add Storage.
2. Add New Volume to add addional log storage.
(SD-WAN only) If you plan on managing your SD-WAN deployment in Management
Only mode, you must add a 2TB logging disk.
If you intend to use the Panorama virtual appliance in Panorama mode or as a
Dedicated Log Collector, add the virtual logging disks during the initial deployment.
By default, the Panorama virtual appliance is in Panorama mode for the initial
deployment when you meet the Panorama mode resource requirements and have
added at least one virtual logging disk. Otherwise, the Panorama virtual appliance
defaults to Management Only mode. Change the Panorama virtual appliance to
Management Only mode if you just want to manage devices and Dedicated Log
Collectors, and not collect logs locally.
The Panorama virtual appliance on AWS only supports 2TB logging disks, and in total
supports up to 24TB of log storage. You are unable to add a logging disk smaller than
2TB, or a logging disk with a size not divisible by the 2TB logging disk requirement.
The Panorama virtual appliance parons logging disks larger than 2TB into 2TB
parons.
6. (Oponal) Select Next: Add Tags and add one or more tags as metadata to help you
idenfy and group the Panorama virtual appliance. For example, add a Name tag with a
Value that helps you idenfy which firewalls the Panorama virtual appliance manages.
7. Configure the instance security group.
1. Select Next: Configure Security Group.
2. Select an exisng security group to assign a security group for the Panorama virtual
appliance instance.
3. Select the security group you previously created.
You can select the default security group to allow all inbound and outbound traffic
types.
8. Review and Launch the Panorama virtual appliance instance to verify that your
selections are accurate before you Launch.
9. Select an existing key pair or create a new one and acknowledge the disclaimer.

If you created a new key from AWS, download and save the key to a safe
location. The file extension is .pem. You must load the public key into PuTTYgen
and save it in .ppk format. You cannot regenerate this key if lost.

It takes about 30 minutes to finish deploying the Panorama virtual appliance after you
launch it on AWS. Deploying the Panorama virtual appliance may take longer depending
on the number and size of the disks attached to the instance. View the Launch Time by
selecting the Panorama virtual appliance instance (Instances).

If you plan to use the Panorama virtual appliance as a Dedicated Log Collector,
ensure that you provision the appliance with the required resources. The
Panorama virtual appliance does not remain in Log Collector mode if you resize
the virtual machine after you deploy it and this results in a loss of log data.

STEP 4 | Shut down the Panorama virtual appliance.


1. On the EC2 Dashboard, select Instances.
2. Select the Panorama virtual appliance and click Instance State > Stop Instance.

STEP 5 | Create or assign an Elastic IP (EIP) address to the management interface.


1. Select Services > EC2 > Elastic IPs and Allocate Elastic IP address.
2. Select a Network Border Group to specify the logical group of zones from where the
public IPv4 address is advertised.
3. For the Public IPv4 address pool, select Amazon’s pool of IPv4 addresses.
4. Allocate the EIP.
5. Click the IPv4 address in the Allocated IPv4 address column and Associate Elastic IP
address.
6. Select the Panorama virtual appliance Instance.
7. Select the Panorama virtual appliance Private IP address with which to associate the
EIP.

STEP 6 | Power on the Panorama virtual appliance.


1. On the EC2 Dashboard, select Instances.
2. From the list, select the Panorama virtual appliance and click Actions > Instance State >
Start.

STEP 7 | Configure a new administrative password for the Panorama virtual appliance.
You must configure a unique administrative password before you can access the web interface
of the Panorama virtual appliance. To access the CLI, the private key used to launch the
Panorama virtual appliance is required.
• If you have an SSH service installed on your computer:
1. Enter the following command to log into the Panorama virtual appliance:

ssh -i <private_key.ppk> admin@<public-ip_address>

2. Configure a new password using the following commands and follow the on screen
prompts:

admin> configure

admin# set mgt-config users admin password

3. If you need to activate a BYOL, set the DNS server IP address so that the Panorama
virtual appliance can access the Palo Alto Networks licensing server. Enter the following
command to set the DNS server IP address:

admin# set deviceconfig system dns-setting servers primary <ip_address>

4. Commit your changes with the command:

admin# commit

5. Terminate the SSH session.


• If you are using PuTTY to SSH into the Panorama virtual appliance:
1. If you are using an existing key pair and have the .ppk file available, continue to Step
7.3. If you created a new key pair or have only the .pem file of the existing key pair, open
PuTTYgen and Load the .pem file.
2. Save the private key to a locally accessible destination.
3. Open PuTTY and select SSH > Auth and then Browse to the .ppk file you saved in the
previous step.

4. Select Sessions and enter the public IP address of the Panorama virtual appliance. Click
Open and click Yes when the security prompt appears.
5. Log in as admin when prompted.
6. Configure a new password using the following commands and follow the onscreen
prompts:

admin> configure

admin# set mgt-config users admin password

7. Set the DNS server IP address so that the Panorama virtual appliance can access the Palo
Alto Networks licensing server. Enter the following command to set the DNS server IP
address:

admin# set deviceconfig system dns-setting servers primary <ip_address>

8. Commit your changes with the command:

admin# commit

9. Terminate the SSH session.

STEP 8 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.

STEP 9 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on AWS as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on AWS.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.

Install Panorama on AWS GovCloud


You can now deploy Panorama™ and a Dedicated Log Collector on Amazon Web Services (AWS)
GovCloud. AWS GovCloud is an isolated AWS region that meets the regulatory and compliance
requirements of US government agencies and customers. Panorama deployed on AWS
GovCloud is Bring Your Own License (BYOL) and supports all deployment modes (Panorama, Log
Collector, and Management Only). For more information on Panorama modes, see Panorama
Models.
To secure your workloads that contain all categories of Controlled Unclassified Information (CUI)
data and government-oriented, publicly available data in the AWS GovCloud (US) region, the
Panorama virtual appliance provides the same security features offered in the standard AWS
public cloud on AWS GovCloud. The Panorama virtual appliance on AWS GovCloud and the
standard AWS public cloud support the same features and capabilities.
Review the Setup Prerequisites for the Panorama Virtual Appliance to review the supported EC2
instance types. Once you are ready, refer to Install Panorama on AWS to install the Panorama
virtual appliance on AWS GovCloud.
See the following procedures to add additional logging storage to your Panorama virtual appliance,
or to increase the allocated CPU cores and memory:
• Add a Virtual Disk to Panorama on AWS
• Increase CPUs and Memory for Panorama on AWS

Install Panorama on Azure


You can now deploy Panorama™ and a Dedicated Log Collector on Microsoft Azure. Panorama
deployed on Azure is Bring Your Own License (BYOL), supports all deployment modes (Panorama,
Log Collector, and Management Only), and shares the same processes and functionality as the M-
Series hardware appliances. For more information on Panorama modes, see Panorama Models.
STEP 1 | Log in to the Microsoft Azure portal.

STEP 2 | Set up the virtual network for your network needs.


Whether you launch the Panorama virtual appliance in an existing virtual network or you
create a new virtual network, the Panorama virtual appliance must be able to receive
traffic from other instances in the virtual network and perform inbound and outbound
communication between the virtual network and the internet as needed.
Refer to the Microsoft Azure Virtual Network documentation for more information.
1. Create a Virtual Network or use an existing virtual network.
2. Verify that the network and security components are appropriately defined.
• Create a NAT gateway if you want to enable only outbound internet access for the
subnet to which the Panorama virtual appliance belongs.
• Create subnets. Subnets are segments of the IP address range assigned to the
VPC in which you can launch Microsoft Azure instances. It is recommended that
the Panorama virtual appliance belong to the management subnet so that you can
configure it to access the internet if needed.
• Add routes to the route table for a private subnet to ensure traffic can be routed
across subnets in the VPC and from the internet if applicable.
Ensure you create routes between subnets to allow communication between:
• Panorama, managed firewalls, and Log Collectors.
• (Optional) Panorama and the internet.
• Ensure that the following ingress security rules are allowed for the VPC to manage
VPC traffic. The ingress traffic source for each rule is unique to your deployment
topology.
See Ports Used for Panorama for more information.
• Allow SSH (port 22) traffic to enable access to the Panorama CLI.
• Allow HTTPS (port 443) traffic to enable access to the Panorama web interface.
• Allow traffic on port 3978 to enable communication between Panorama, managed
firewalls, and managed Log Collectors. This port is also used by Log Collectors to
forward logs to Panorama.
• Allow traffic on port 28443 to enable managed firewalls to get software and
content updates from Panorama.
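The ingress rules above, and the allow-all default security group mentioned in Install Panorama on AWS, can be checked before launch. The following is an added example, not Palo Alto Networks code: it audits security-group ingress rules, expressed in a simplified cloud-neutral shape with constructed sample data, against the Panorama ports listed here, assuming 203.0.113.0/24 as the administrator network.

```python
"""Audit security-group ingress rules for a Panorama virtual appliance.

Added example, not Palo Alto Networks code. The rules are constructed
sample data in a simplified, cloud-neutral shape; map your provider's
describe/list output onto IngressRule before running the audit.
"""
import ipaddress
from dataclasses import dataclass

# Ports the guide lists for Panorama (see Ports Used for Panorama).
PANORAMA_PORTS = {
    22: "SSH to the Panorama CLI",
    443: "HTTPS to the Panorama web interface",
    3978: "Panorama to managed firewalls and Log Collectors",
    28443: "software and content updates to managed firewalls",
}
# Management ports that should only be reachable from administrator networks.
ADMIN_ONLY_PORTS = {22, 443}
# Assumed administrator network (documentation range, not a real address).
ADMIN_CIDRS = ["203.0.113.0/24"]


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    from_port: int  # -1 together with to_port -1 means all ports
    to_port: int
    source: str     # IPv4 CIDR

    def covers(self, port: int) -> bool:
        if self.protocol not in ("tcp", "-1"):
            return False
        return self.from_port == -1 or self.from_port <= port <= self.to_port


def audit_ingress(rules, admin_cidrs=ADMIN_CIDRS):
    """Return (severity, message) findings; an empty list means the rules
    match the least-privilege layout the guide describes."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.source)
        if r.protocol == "-1" or r.from_port == -1:
            findings.append(("high", f"{r.source} allowed on all ports and protocols"))
            continue
        if r.protocol != "tcp":
            findings.append(("medium", f"{r.protocol} from {r.source} is not needed by Panorama"))
            continue
        matched = [p for p in PANORAMA_PORTS if r.from_port <= p <= r.to_port]
        if r.to_port - r.from_port + 1 > len(matched):
            findings.append(("medium", f"tcp {r.from_port}-{r.to_port} from {r.source} includes non-Panorama ports"))
        from_admin = any(src.subnet_of(n) for n in admin_nets)
        for p in matched:
            if p in ADMIN_ONLY_PORTS and not from_admin:
                findings.append(("high", f"{PANORAMA_PORTS[p]} reachable from {r.source}, outside the admin networks"))
    for p, desc in PANORAMA_PORTS.items():
        if not any(r.covers(p) for r in rules):
            findings.append(("info", f"no ingress rule for port {p} ({desc})"))
    return findings


# Constructed sample rule sets.
DEFAULT_ALLOW_ALL = [IngressRule("-1", -1, -1, "0.0.0.0/0")]  # an allow-all group
WEB_OPEN = [  # management web interface exposed to the whole internet
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("tcp", 3978, 3978, "10.0.0.0/16"),
    IngressRule("tcp", 28443, 28443, "10.0.0.0/16"),
]
HARDENED = [  # admin ports from the admin network, device ports from the VPC
    IngressRule("tcp", 22, 22, "203.0.113.0/24"),
    IngressRule("tcp", 443, 443, "203.0.113.0/24"),
    IngressRule("tcp", 3978, 3978, "10.0.0.0/16"),
    IngressRule("tcp", 28443, 28443, "10.0.0.0/16"),
]

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_ALLOW_ALL), ("web-open", WEB_OPEN), ("hardened", HARDENED)]:
        print(name, audit_ingress(rules) or "OK")
```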

STEP 3 | Deploy the Panorama virtual appliance.


1. In the Azure Dashboard, select Virtual machines and Add a new virtual machine.
2. Search for Palo Alto Networks and select the latest Panorama virtual appliance image.
3. Create the Panorama virtual appliance.

STEP 4 | Configure the Panorama virtual appliance.


1. Select your Azure Subscription.
2. Select the Azure Resource Group to contain all your Azure instance resources.
3. Enter a Virtual machine name for the Panorama virtual appliance.
4. Select the Region for the Panorama virtual appliance to be deployed in.
5. (Oponal) Select the Availability opons. See How to use availability sets for more
informaon.
6. Select the Image used to deploy the Panorama management server. Browse all public
and private images to deploy the Panorama management server from the Panorama
image on the Azure marketplace.
7. Configure the Panorama virtual appliance size. Review the Setup Prerequisites for the
Panorama Virtual Appliance for sizing requirements.

If you plan to use the Panorama virtual appliance as a Dedicated Log Collector,
ensure that you configure the appliance with the required resources during initial
deployment. The Panorama virtual appliance does not remain in Log Collector
mode if you resize the virtual machine after you deploy it, and this results in a
loss of log data.
8. Enter a Username for the Panorama virtual appliance administrator. To ensure that your
username is secure, admin is not a valid entry.
9. Enter a Password or copy and paste an SSH public key for securing administrative access
to the Panorama virtual appliance.

You must enable SSH key authentication if you plan to use this instance of the
Panorama virtual appliance in FIPS-CC operational mode. Although you can
deploy the Panorama virtual appliance using a username and password, you will
be unable to authenticate using the username and password after changing the
operational mode to FIPS-CC. After resetting to FIPS-CC mode, you must use the
SSH key to log in and can then configure a username and password that you can
use for subsequently logging in to the Panorama web interface. For details on
creating the SSH key, refer to the Azure documentation.
10. Configure the Panorama virtual appliance instance Networking.
1. Select an existing Virtual network or create a new virtual network.
2. Configure the Subnet. The subnet is dependent on the virtual network you selected
or created in the previous step. If you selected an existing virtual network, you can
choose one of the subnets for the selected virtual network.
3. Select an existing Public IP address or create a new one. This creates the
management interface used to access your Panorama virtual appliance.
4. Select an existing NIC network security group or create a new security group.
Network security groups control traffic to the virtual machine. Make sure that HTTPS
and SSH are allowed for the Inbound rules.
11. Configure the instance Management settings.
1. Select whether to enable Auto-shutdown. Auto-shutdown allows you to configure
a daily time to automatically shut down the virtual machine. It is recommended that
you disable auto-shutdown to avoid the possibility that a new public IP address gets
assigned to the virtual machine, that logs are dropped, or that you are unable to
manage your firewalls while the Panorama virtual appliance is shut down.
2. Select whether to enable boot Monitoring. Select the Diagnostic storage account if
enabled. Monitoring automatically sends boot-up diagnostic logs to your Diagnostics
storage account. For more information, see Overview of Monitoring in Microsoft
Azure.
3. Configure any other settings as needed.
12. Review the summary, accept the terms of use and privacy policy, and Create the
Panorama virtual appliance.

STEP 5 | Verify that the Panorama virtual appliance has been successfully deployed.
1. Select Dashboard > Resource Groups and select the resource group containing the
Panorama virtual appliance.
2. Under Settings, select Deployments for the virtual machine deployment status.

It takes about 30 minutes to deploy the Panorama virtual appliance. Launching
the Panorama virtual appliance may take longer depending on the resources
configured for the virtual machine. Microsoft Azure does not permit the ICMP
protocol to test whether it deployed successfully.

If you plan to use the Panorama virtual appliance as a Dedicated Log Collector,
ensure that you correctly configured the appliance with the required resources. The
Panorama virtual appliance does not remain in Log Collector mode if you resize
the virtual machine after you deploy it and this results in a loss of log data.

STEP 6 | Configure a static Public IP address.


1. On the Azure portal, select Virtual machines and select the Panorama virtual machine.
2. Select Overview and click the Public IP address.
3. Under Assignment, select Static and Save the new IP address configuration.

STEP 7 | Log in to the web interface of the Panorama virtual appliance.


1. On the Azure portal, in All Resources, select the Panorama virtual appliance and view the
public IP address located in the Overview section.

2. Use a secure (https) connection from your web browser to log in to the Panorama virtual
appliance using the public IP address.
3. Enter the username and password of the Panorama virtual appliance. You are prompted
with a certificate warning. Accept the certificate warning and continue to the web page.

STEP 8 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.

STEP 9 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on Azure as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on Azure.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.

Install Panorama on Google Cloud Platform


You can now deploy Panorama™ and a Dedicated Log Collector on Google Cloud Platform
(GCP). Panorama deployed on GCP is Bring Your Own License (BYOL), supports all deployment
modes (Panorama, Log Collector, and Management Only), and shares the same processes and
functionality as the M-Series hardware appliances. For more information on Panorama modes, see
Panorama Models.
To deploy the Panorama virtual appliance on GCP, you need to build a custom image. To begin
this process, you must download the Panorama tar.gz from the Palo Alto Networks Customer
Support portal and upload it to a GCP storage bucket. You can then create the custom image and
use the image to deploy the Panorama virtual appliance on GCP.
STEP 1 | Download the Panorama virtual appliance image.
1. Log in to the Palo Alto Networks Support Portal.
2. Select Updates > Software Updates and filter by Panorama Base Images.
3. Download the latest version of the Panorama on GCP tar.gz image.

STEP 2 | Upload the Panorama virtual appliance image to the Google Cloud Platform.
1. Log in to the Google Cloud Console.
2. From the Products and Services menu, select Storage.
3. Click Create Bucket, configure the new storage bucket and click Create.

4. Select the storage bucket you created in the previous step, click Upload files, and select
the Panorama virtual appliance image you downloaded.

5. From the Products and Services menu, select Compute Engine > Images.
6. Click Create Image and create the Panorama virtual appliance image:
1. Name the Panorama virtual appliance image.
2. In the Source field, select Cloud Storage file from the drop-down menu.
3. Click Browse and navigate to the storage bucket where you uploaded the Panorama
virtual appliance image, and Select the uploaded image.
4. Create the Panorama virtual appliance image.

STEP 3 | Configure the Panorama virtual appliance.


1. From the Products and Services menu, select Compute Engine.
2. Click Create Instance to begin deploying the Panorama virtual appliance.
3. Add a descriptive Name to easily identify the Panorama virtual appliance.
4. Select the Region and Zone where you want to deploy the Panorama virtual appliance.
5. Allocate the Machine Type and Customize the CPU cores, memory and CPU platform.
Review the Setup Prerequisites for the Panorama Virtual Appliance for minimum
resource requirements.

If you plan to use the Panorama virtual appliance as a Dedicated Log Collector,
ensure that you configure the appliance with the required resources during initial
deployment. The Panorama virtual appliance does not remain in Log Collector
mode if you resize the virtual machine after you deploy it, and this results in a
loss of log data.

The GCP zone selection determines the CPU platforms available to you. For more
information, refer to Regions and Zones for details.

6. Configure the Panorama boot disk.


1. For the Boot Disk, click Change > Custom image and select the Panorama image file
you uploaded in Step 2.
2. Review the boot disk Size and verify the system disk is 81GB.
3. Click Select to save your configuration.
7. Under Identity and API access, select Allow full access to all Cloud APIs.

8. Under Firewall, select Allow HTTPS traffic.

STEP 4 | Expand Management, security, disks, networking, sole tenancy.

STEP 5 | Enable access to the serial port so you can manage the Panorama virtual appliance.
1. Select Management.
2. Enter the following name-value pair as Metadata:
serial-port-enable true

STEP 6 | Reserve a static IP address for the management interface.


Reserve stac internal and external IP addresses for the management interface in the
event that if the Panorama virtual appliance is rebooted, your managed devices do not lose
connecon to the Panorama virtual appliance when the IP addresses are reassigned.
For more informaon on how to reserve IP addresses, refer to Reserving a Stac Internal IP
Address and Reserving a Stac External IP Address.
1. Select Networking.
2. Edit the network interface.

3. Select the Panorama virtual appliance Network.


4. Select the Panorama virtual appliance Subnetwork. Instances in the same subnetwork
will communicate with each other using their internal IP addresses.
5. Set the Primary internal IP address.
• Ephemeral (Automatic)—Automatically assign a primary internal IP address.
• Ephemeral (Custom)—Configure a custom IP range that GCP uses to assign a primary
internal IP address.
• Reserve a static internal IP address—Manually configure a static primary internal IP
address.
6. Set the External IP address.
• Ephemeral—Automatically assign an external IP address from a shared IP pool.
• Select an existing reserved external IP address.
• Create IP address—Reserve an external IP address.
7. Set IP forwarding to On to allow the Panorama virtual appliance to receive packets from
non-matching destinations or source IP addresses.

STEP 7 | Configure the SSH key. You need an SSH key to access the Panorama virtual appliance CLI to
configure the administrative user password after the initial deployment.
• PuTTY Users
1. Select Security.
2. Select the Block project-wide SSH keys box. Only instance keys are currently supported
for logging in to the Panorama virtual appliance after initial deployment.
3. Paste the SSH key in the comment box. For information on the correct SSH key format
and how to generate SSH keys for GCP, refer to Managing SSH keys in Metadata.

When generating the SSH key, save the private key in .ppk format. The private
key is required to log in to the Panorama virtual appliance after the initial
deployment before you can configure the administrative password.

• Linux and macOS Users


1. Generate the SSH key from the CLI of your Linux device.

ssh-keygen -C admin@panorama -f <panorama_key_name>

Where admin@panorama is a comment GCP requires and <panorama_key_name> is
the name of the key file being generated.
2. Display the public key file:

cat <panorama_key_name>.pub

Manually copy the SSH public key contents from the output.
3. Paste the public key into the SSH Keys section of the GCP instance creation.

STEP 8 | (Optional) Add additional storage for log collection. Repeat this step as needed to add
additional virtual logging disks.
If you intend to use the Panorama virtual appliance in Panorama mode or as a Dedicated Log
Collector, add the virtual logging disks during initial deployment. By default, the Panorama
virtual appliance is in Panorama mode for the initial deployment when you meet the Panorama
mode resource requirements and have added at least one virtual logging disk. Otherwise, the
Panorama virtual appliance defaults to Management Only mode in which you can manage
devices and Dedicated Log Collectors, and cannot collect logs locally.
The Panorama virtual appliance on GCP only supports 2TB logging disks, and in total supports
up to 24TB of log storage. You are unable to add a logging disk smaller than 2TB, or a logging
disk with a size not divisible by the 2TB logging disk requirement. The Panorama virtual
appliance partitions logging disks larger than 2TB into 2TB partitions.
1. Select Disks > Add new disk.

2. Enter the Name.


3. Expand the Type drop-down menu and select the desired type.
4. For the Source type, select Blank disk.
5. For the Mode, select Read/write.
6. Select the Deleon rule to configure whether to delete the virtual logging disk if the
Panorama virtual appliance instance is deleted. To
7. Set the Size (GB) of the virtual logging disk.
8. Set your preferred Encrypon soluon for the data on the virtual logging disk.
9. Click Done.
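The logging disk rules stated in this step (and in the AWS storage step earlier) can be checked before a disk is added. The following is an added example, not Palo Alto Networks code; it assumes that 2TB is entered as 2048GB in the Size (GB) field.

```python
"""Pre-flight check for a Panorama virtual logging disk on AWS or GCP.

Added example, not Palo Alto Networks code. It encodes the rules this
guide states: logging disks are 2TB units, a larger disk is partitioned
into 2TB partitions, and total log storage is capped at 24TB.
Assumption: 2TB is entered as 2048GB in the Size (GB) field.
"""
DISK_UNIT_GB = 2 * 1024
MAX_LOG_STORAGE_GB = 24 * 1024


def plan_logging_disk(existing_disks_gb, new_disk_gb):
    """Describe what adding new_disk_gb to the existing logging disks yields.

    Returns the number of 2TB partitions the appliance will create from the
    new disk, the resulting total and the headroom left under the 24TB cap.
    Raises ValueError for a size the appliance would not accept.
    """
    if new_disk_gb < DISK_UNIT_GB:
        raise ValueError(f"{new_disk_gb}GB is smaller than the 2TB minimum")
    if new_disk_gb % DISK_UNIT_GB:
        raise ValueError(f"{new_disk_gb}GB is not a multiple of 2TB")
    total = sum(existing_disks_gb) + new_disk_gb
    if total > MAX_LOG_STORAGE_GB:
        raise ValueError(f"{total}GB would exceed the 24TB log storage limit")
    return {
        "partitions": new_disk_gb // DISK_UNIT_GB,
        "total_gb": total,
        "headroom_gb": MAX_LOG_STORAGE_GB - total,
    }


def is_valid_logging_disk(existing_disks_gb, new_disk_gb):
    """True when plan_logging_disk would accept the disk."""
    try:
        plan_logging_disk(existing_disks_gb, new_disk_gb)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed scenario: one 2TB disk already attached, adding a 4TB disk.
    print(plan_logging_disk([2048], 4096))
```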

STEP 9 | Create the Panorama virtual appliance. The Panorama virtual appliance takes roughly 10
minutes to boot up after initial deployment.

STEP 10 | Configure a new administrative password for the Panorama virtual appliance.
You must configure a unique administrative password before you can access the web interface
of the Panorama virtual appliance. To access the CLI, the private key used to launch the
Panorama virtual appliance is required.
• If you have an SSH service installed on your computer:
1. Enter the following command to log into the Panorama virtual appliance:
• Windows Devices

ssh -i <private_key.ppk> admin@<public-ip_address>

• Linux Devices

ssh -i <panorama_key_name> admin@<public-ip_address>

2. Configure a new password using the following commands and follow the onscreen
prompts:

admin> configure

admin# set mgt-config users admin password

3. If you need to activate a BYOL, set the DNS server IP address so that the
Panorama virtual appliance can access the Palo Alto Networks licensing server. Enter the
following command to set the DNS server IP address:

admin# set deviceconfig system dns-setting servers primary <ip_address>

4. Commit your changes:

admin# commit

5. Terminate the SSH session.


• If you are using PuTTY to SSH into the Panorama virtual appliance:
1. If you are using an existing key pair and have the .ppk file available, continue to Step
11.3. If you created a new key pair or only have the .pem file of the existing key pair,
open PuTTYgen and Load the .pem file.
2. Save the private key to a locally accessible destination.
3. Open PuTTY and select SSH > Auth and Browse for the .ppk file saved in the previous
step.

4. Select Sessions and enter the public IP address of the Panorama virtual appliance. Then
Open and click Yes when the security prompt appears.
5. Log in as admin when prompted.
6. Configure a new password using the following commands and follow the on screen
prompts:

admin> configure

admin# set mgt-config users admin password

7. Set the DNS server IP address so that the Panorama virtual appliance can access the Palo
Alto Networks licensing server. Enter the following command to set the DNS server IP
address:

admin# set deviceconfig system dns-setting servers primary <ip_address>

8. Commit your changes with the command:

admin# commit

9. Terminate the SSH session.

STEP 11 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.


STEP 12 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on Google Cloud Platform as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on Google Cloud Platform.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.
• For SD-WAN deployments.
1. Increase the System Disk for Panorama on Google Cloud Platform.
To leverage SD-WAN on Panorama deployed on GCP, you must increase the system
disk to 224GB.

You cannot migrate back to an 81GB system disk after successfully increasing the
system disk to 224GB.
2. Set up a Panorama Virtual Appliance in Management Only Mode.
3. Add a Virtual Disk to Panorama on Google Cloud Platform.
To leverage SD-WAN, you must add a single 2TB logging disk to Panorama in
Management Only mode.

Install Panorama on KVM


You can now deploy Panorama™ and a Dedicated Log Collector on KVM. Panorama deployed
on KVM is Bring Your Own License (BYOL), supports all deployment modes (Panorama, Log
Collector, and Management Only), and shares the same processes and functionality as the M-
Series hardware appliances. For more information on Panorama modes, see Panorama Models.


STEP 1 | Download the Panorama virtual appliance image for KVM.


1. Log in to the Palo Alto Networks Support Portal.
2. Select Software Updates and find the Panorama for KVM Base image.
3. Download the latest available Panorama .qcow2 file.

STEP 2 | Create a new virtual machine image and add the Panorama virtual appliance image for KVM
to the Virtual Machine Manager.
1. On the Virtual Machine Manager, select Create a new virtual machine.
2. Select Import Existing disk image and click Forward.

3. Browse and select the Panorama virtual appliance image volume and Choose volume.
4. Click Forward.


STEP 3 | Configure the memory and CPU settings.

Review the Setup Prerequisites for the Panorama Virtual Appliance for minimum resource
requirements.

If you plan to use the Panorama virtual appliance as a Dedicated Log Collector, ensure
that you configure the appliance with the required resources during initial deployment.
The Panorama virtual appliance does not remain in Log Collector mode if you resize the
virtual machine after you deploy it, and this results in a loss of log data.

1. Configure the Memory based on the requirements for the desired operational mode.

The Virtual Machine Manager may use MiB (mebibyte) to allocate memory
depending on the version you are running. If MiB is used, be sure to correctly
convert your required memory allocation to avoid under-provisioning the
Panorama virtual appliance.
2. Configure the CPU based on the requirements for the desired operational mode.
3. Click Forward.


STEP 4 | Name the Panorama virtual appliance, enable configuration customization, and select the
management interface bridge.
1. Enter a descriptive Name for the Panorama virtual appliance.
2. Customize configuration before install.
3. Make a Network selection—select the bridge for the management interface and accept
the default settings.
4. Click Finish.

STEP 5 | Configure the virtual system disk settings.

1. Select IDE Disk 1, go to Advanced options, and select the following:
• Disk Bus—VirtIO or IDE, depending on your configuration.
• Storage format—qcow2
2. Go to Performance options and set Cache mode to writethrough. This setting improves
installation time and execution speed on the Panorama virtual appliance.
3. Click Apply.


STEP 6 | Configure the virtual machine console display to use the VNC server to interact with the
virtual machine.
1. Select Display Spice.

Continue to the next step if Display VNC is listed in the Hardware list because
the virtual machine is already configured to use the VNC server for the display.
2. In the Type drop-down, select VNC server.
3. Click Apply.

STEP 7 | (Optional) Add additional storage for log collection. Repeat this step as needed to add
additional virtual logging disks.
If you intend to use the Panorama virtual appliance in Panorama mode or as a Dedicated Log
Collector, add the virtual logging disks during the initial deployment. By default, the Panorama
virtual appliance is in Panorama mode for the initial deployment when you meet the Panorama
mode resource requirements and have added at least one virtual logging disk. Otherwise, the
Panorama virtual appliance defaults to Management Only mode. Change the Panorama virtual
appliance to Management Only mode if you just want to manage devices and Dedicated Log
Collectors, and not collect logs locally.
The Panorama virtual appliance on KVM only supports 2TB logging disks, and in total supports
up to 24TB of log storage. You are unable to add a logging disk smaller than 2TB, or a logging
disk with a size not divisible by the 2TB logging disk requirement. The Panorama virtual
appliance partitions logging disks larger than 2TB into 2TB partitions.
1. Add Hardware.
2. Configure the new Storage disk:
1. Create a disk image for a virtual machine and configure the virtual disk storage
capacity to 14901.2 GiB (this is equivalent to 2TB).

The Virtual Machine Manager may use GiB (gibibyte) to allocate disk space
depending on the version you are running. If GiB is used, be sure to correctly
convert the required storage capacity to avoid under-provisioning the virtual
logging disk and sending the Panorama virtual appliance into maintenance
mode.
2. Set the Device type to Disk device.
3. Set the Bus type to VirtIO or IDE, depending on your configuration.
4. Go to Advanced options and set Cache mode to writethrough.
3. Click Finish.

STEP 8 | Begin Installation. The Panorama virtual appliance takes approximately 10
minutes to boot.

STEP 9 | Configure the network access settings for the management interface.
1. Open a connection to the console.
2. Log in to the firewall using the default username and password: admin/admin.
3. Enter configuration mode using the following command:

admin> configure

4. Use the following commands to configure and enable access to the management
interface:

admin# set deviceconfig system type static

admin# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>

where <Panorama-IP> is the IP address you want to assign to the management interface,
<netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway,
and <DNS-IP> is the IP address of the DNS server.

admin# commit

STEP 10 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.


STEP 11 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on KVM as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on KVM.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.

Install Panorama on Hyper-V


You can now deploy Panorama™ and a Dedicated Log Collector on Hyper-V. Panorama deployed
on Hyper-V is Bring Your Own License (BYOL), supports all deployment modes (Panorama, Log
Collector, and Management Only), and shares the same processes and functionality as the M-
Series hardware appliances. For more information on Panorama modes, see Panorama Models.
The Panorama virtual appliance and virtual Dedicated Log Collector on Hyper-V are available only on
PAN-OS 8.1.3 and later releases.
STEP 1 | Download the VHDX file.
1. Log in to the Palo Alto Networks Support Portal.
2. Select Updates > Software Updates, filter by Panorama Base Images, and download the
VHDX file.


STEP 2 | Set up any vSwitch(es) that you will need. For more information, review the Virtual Switch
Types.
1. From Hyper-V Manager, select the host and select Action > Virtual Switch Manager to
open the Virtual Switch Manager window.

2. Under Create virtual switch, select the type of vSwitch to create and click Create Virtual
Switch.

STEP 3 | Install the Panorama virtual appliance.


1. On the Hyper-V Manager, select the host and select Action > New > Virtual Machine.
Configure the following settings in the New Virtual Machine Wizard:

1. Choose a Name and Location for the Panorama virtual appliance. The Panorama
virtual appliance stores the VHDX file at the specified location.
2. Choose Generation 1. This is the default option and the only version supported.
3. For Startup Memory, assign the memory based on the intended system mode. See the
Setup Prerequisites for the Panorama Virtual Appliance for the memory requirements
for each mode.

Do not enable dynamic memory; the Panorama virtual appliance requires
static memory allocation.
4. Configure Networking. Select an external vSwitch to connect the management
interface on the firewall.
5. To connect the Virtual Hard Disk, select Use an existing virtual hard disk and browse
to the VHDX file you downloaded earlier.
6. Review the summary and click Finish.


STEP 4 | Allocate the Panorama virtual appliance CPU cores.


Review the Setup Prerequisites for the Panorama Virtual Appliance for minimum resource
requirements.

If you plan to use the Panorama virtual appliance as a Dedicated Log Collector, ensure
that you configure the appliance with the required resources during initial deployment.
The Panorama virtual appliance does not remain in Log Collector mode if you resize the
virtual machine after you deploy it, and this results in a loss of log data.

1. In the Hardware list, select Processor.
2. Edit the currently allocated Number of virtual processors.

STEP 5 | Connect at least one network adapter for the dataplane interface on the firewall. Repeat this
to create additional network interfaces on the Panorama virtual appliance.
1. Select Settings > Hardware > Add Hardware and select the Hardware type for your
network adapter.

Legacy Network Adapter and SR-IOV are not supported. If selected, the VM-
Series firewall will boot into maintenance mode.
2. Click OK.

STEP 6 | (Optional) Add additional storage for log collection. Repeat this step as needed to add
additional virtual logging disks. If you want to deploy the Panorama virtual appliance in
Management Only mode, continue to Step 6.
If you intend to use the Panorama virtual appliance in Panorama mode or as a Dedicated Log
Collector, add the virtual logging disks during the initial deployment. By default, the Panorama
virtual appliance is in Panorama mode for the initial deployment when you meet the Panorama
mode resource requirements and have added at least one virtual logging disk. Otherwise, the
Panorama virtual appliance defaults to Management Only mode. Change the Panorama virtual
appliance to Management Only mode if you just want to manage devices and Dedicated Log
Collectors, and not collect logs locally.
The Panorama virtual appliance on Hyper-V only supports 2TB logging disks, and in total
supports up to 24TB of log storage. You are unable to add a logging disk smaller than 2TB, or a
logging disk with a size not divisible by the 2TB logging disk requirement. The Panorama virtual
appliance partitions logging disks larger than 2TB into 2TB partitions.
1. On the Hyper-V Manager, select the host and select Action > New > Hard Disk.
2. If you see the Before You Begin prompt, click Next to begin adding the virtual logging
disk.
3. For the Disk Format, select VHDX. Click Next to continue.
4. For the Disk Type, select Fixed Size or Dynamically Expanding based on your needs.
Click Next to continue.
5. Specify the Name and Location for the virtual logging disk file. Click Next to continue.
6. To configure the disk, select Create a new virtual hard disk and enter the disk size. Click
Next to continue.
7. Review the Summary and Finish adding the virtual hard logging disk.

STEP 7 | Power on the Panorama virtual appliance.


1. Select the Panorama virtual appliance instance from the list of Virtual Machines.
2. Select Action > Start to power on the Panorama virtual appliance.

STEP 8 | Configure the IP address of the management interface.

1. In the Virtual Machines list, select the Panorama virtual appliance.
2. Select Actions > Connect and enter the username and password to log in (default is
admin for both).
3. Enter the following commands, where <Panorama-IP> is the IP address you want to
assign to the Panorama management interface, <netmask> is the subnet mask, <gateway-
IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS
server:

admin> configure
admin# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
admin# commit
admin# exit

4. Troubleshoot Connectivity to Network Resources to verify network access to external
services required for firewall management, such as the default gateway, DNS server, and
the Palo Alto Networks Update Server.

STEP 9 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.


STEP 10 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on Hyper-V as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on Hyper-V.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.

Set Up Panorama on Oracle Cloud Infrastructure (OCI)


Set up a Panorama™ virtual appliance on Oracle Cloud Infrastructure (OCI) to centrally manage
the configuration of physical and VM-Series firewalls.
• Upload the Panorama Virtual Appliance Image to OCI
• Install Panorama on Oracle Cloud Infrastructure (OCI)
• Generate a SSH Key for Panorama on OCI
Upload the Panorama Virtual Appliance Image to OCI
Complete the following procedure to upload a Panorama qcow2 file for KVM and create a custom
image that you need to launch the Panorama virtual appliance. Uploading and creating the
image is required only once. You can use the same image for all subsequent deployments of the
Panorama virtual appliance.
STEP 1 | Download the Panorama qcow2 file for KVM from the Palo Alto Networks Customer Support
Portal (CSP).
1. Log in to the Palo Alto Networks CSP.
2. Select Updates > Software Updates and select Panorama Base Images from the software
updates filter drop-down.
3. Download the latest version of the Panorama-KVM qcow2 image.


STEP 2 | Log in to the Oracle Cloud Infrastructure console.

STEP 3 | Create a storage bucket for the qcow2 file.


1. Select Object Storage > Object Storage and Create Bucket.
2. Enter a descriptive Bucket Name.
3. For the Storage Tier, select Standard.
4. Create Bucket.

STEP 4 | Upload the qcow2 image to the OCI storage bucket.


1. Click the storage bucket you created in the previous step to view the bucket details.
2. Click Upload and select the qcow2 image you downloaded from the Palo Alto Networks
CSP.
3. Upload the image.

STEP 5 | Create a pre-authenticated request for the qcow2 file.

This is required to create the object URL used in the creation of the custom image for the
Panorama virtual appliance.
1. Select Object Storage > Object Storage and click the storage bucket you created in the
previous step.
2. Select Pre-Authenticated Requests > Create Pre-Authenticated Request.
3. Enter a descriptive Name for your Pre-Authenticated Request.
4. Select Object and enter the qcow2 image name for the Object Name.
5. Create Pre-Authenticated Request.
6. For the Access Type, select Permit object reads and writes.
7. Enter an Expiration date and time.
8. Create Pre-Authenticated Request.
9. In the Pre-Authenticated Request Details, copy the Pre-Authenticated Request URL.

The Pre-Authenticated Request URL is required to create the custom image and
must be copied when displayed to you.
The Pre-Authenticated Request URL is only displayed after the request is created
and is not shown again.
10. Close the Pre-Authenticated Request Details after you copy the URL.

STEP 6 | Import the qcow2 file and create a custom Panorama virtual appliance image.
1. Select Compute > Custom Images and Import Image.
2. Enter a descriptive Name for your image.
3. Select Import from an Object Storage URL and paste the object storage URL.
4. For the Image type, select QCOW2.
5. For the Launch Mode, select Paravirtualized Mode.
6. Import Image.


Install Panorama on Oracle Cloud Infrastructure (OCI)


Create a Panorama™ virtual appliance instance on Oracle Cloud Infrastructure (OCI). An OCI
instance supports a single NIC by default. You must manually upload a Panorama virtual appliance
qcow2 image downloaded from the Palo Alto Networks Customer Support Portal (CSP) to OCI
to successfully install the Panorama virtual appliance on OCI.
A Panorama virtual appliance deployed on OCI is Bring Your Own License (BYOL), supports
all deployment modes (Panorama, Log Collector, and Management Only), and shares the same
processes and functionality as the M-Series hardware appliances. For more information on
Panorama modes, see Panorama Models.
A machine running a Linux operating system is required to successfully install Panorama on
OCI. To successfully install Panorama on OCI, you must generate a .pub key using OpenSSH.
Additionally, you can only use a Linux machine to log into the Panorama CLI for the initial network
configuration.
Review the Setup Prerequisites for the Panorama Virtual Appliance to determine the virtual
resources required for your needs. The virtual resources requirement for the Panorama virtual
appliance is based on the total number of firewalls managed by the Panorama virtual appliance
and the required Logs Per Second (LPS) for forwarding logs from your managed firewalls to your
Log Collector.

Under-provisioning the Panorama virtual appliance will impact management performance.
This includes the Panorama virtual appliance becoming slow or unresponsive, depending on
how under-provisioned the Panorama virtual appliance is.

STEP 1 | Log in to the Oracle Cloud Infrastructure console.

STEP 2 | Upload the Panorama Virtual Appliance Image to OCI.

STEP 3 | Set up the Virtual Cloud Network (VCN) for your network needs.
Whether you launch the Panorama virtual appliance in an existing VCN or you create a new
VCN, the Panorama virtual appliance must be able to receive traffic from other instances in the
VCN and perform inbound and outbound communication between the VCN and the internet
as needed.
Refer to the OCI VCN documentation for more information.
1. Configure a VCN or use an existing VCN.
2. Verify that the network and security components are appropriately defined.
• Create an internet gateway to enable internet access to the subnet of your Panorama
virtual appliance. Internet access is required to install software and content updates,
activate licenses, and leverage Palo Alto Networks cloud services. Otherwise, you
must manually install updates and activate licenses.
If the Panorama virtual appliance instance is part of a private subnet, you can
configure a NAT gateway to enable only outbound internet access for the subnet.
• Create subnets. Subnets are segments of the IP address range assigned to the VCN
in which you can launch OCI instances. It is recommended that the Panorama virtual
appliance belong to the management subnet so that you can configure it to access the
internet if needed.
• Add routes to the route table for a private subnet to ensure traffic can be routed
across subnets in the VCN and from the internet if applicable.
Ensure you create routes between subnets to allow communication between:
• Panorama, managed firewalls, and Log Collectors.
• (Optional) Panorama and the internet.
• Ensure that the following ingress security rules are allowed for the VCN to manage
VCN traffic. The ingress traffic source for each rule is unique to your deployment
topology.
See Ports Used for Panorama for more information.
• Allow SSH (port 22) traffic to enable access to the Panorama CLI.
• Allow HTTPS (port 443 and 28270) traffic to enable access to the Panorama web
interface.
• Allow traffic on port 3978 to enable communication between Panorama, managed
firewalls, and managed Log Collectors. This port is also used by Log Collectors to
forward logs to Panorama.
• Allow traffic on port 28443 to enable managed firewalls to get software and
content updates from Panorama.
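As an added example (not part of this guide and not the OCI API), the following Python check takes a proposed set of VCN ingress rules and reports which of the ports listed above are not reachable by the clients that need them. The rule model, the sample rules and the client addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Required ingress TCP ports for Panorama, with the role of the client that
# needs each one (descriptions follow the VCN security rule list in the guide).
REQUIRED_INGRESS = {
    22:    ("admin",   "SSH access to the Panorama CLI"),
    443:   ("admin",   "HTTPS access to the Panorama web interface"),
    28270: ("admin",   "HTTPS access to the Panorama web interface"),
    3978:  ("managed", "Panorama to managed firewalls and Log Collectors, log forwarding"),
    28443: ("managed", "Managed firewalls fetching software and content updates"),
}
ADMIN_PORTS = {p for p, (role, _) in REQUIRED_INGRESS.items() if role == "admin"}


@dataclass(frozen=True)
class IngressRule:
    """One stateful ingress rule as entered in an OCI security list.
    Constructed model for this check only, not the OCI API schema."""
    protocol: str            # "tcp", "udp" or "all"
    source: str              # source CIDR the rule admits traffic from
    port_min: int = 1
    port_max: int = 65535

    def covers(self, port: int, client_ip: str) -> bool:
        """True if this rule admits TCP traffic to `port` from `client_ip`."""
        if self.protocol not in ("tcp", "all"):
            return False
        if not self.port_min <= port <= self.port_max:
            return False
        try:
            return ip_network(client_ip).subnet_of(ip_network(self.source))
        except TypeError:  # IPv4 client checked against an IPv6 rule, or vice versa
            return False


def missing_ingress(rules, clients):
    """Map each required port to the client IPs that no rule admits.
    `clients` maps a role ("admin" or "managed") to the IPs in that role.
    An empty dict means every required path is open."""
    gaps = {}
    for port, (role, _) in REQUIRED_INGRESS.items():
        blocked = [ip for ip in clients.get(role, [])
                   if not any(r.covers(port, ip) for r in rules)]
        if blocked:
            gaps[port] = blocked
    return gaps


def internet_exposed_admin_ports(rules):
    """Admin ports (CLI and web UI) that some rule opens to 0.0.0.0/0.
    Restricting these to a management subnet is my recommendation here,
    not a requirement stated in the guide."""
    exposed = set()
    for r in rules:
        if r.protocol in ("tcp", "all") and ip_network(r.source).prefixlen == 0:
            exposed |= {p for p in ADMIN_PORTS if r.port_min <= p <= r.port_max}
    return sorted(exposed)


# Constructed security list: the admin subnet can reach the CLI and web UI,
# the firewall subnet can reach 3978, but the 28443 rule was forgotten.
SAMPLE_RULES = [
    IngressRule("tcp", "10.0.1.0/24", 22, 22),
    IngressRule("tcp", "10.0.1.0/24", 443, 443),
    IngressRule("tcp", "10.0.1.0/24", 28270, 28270),
    IngressRule("tcp", "10.0.2.0/24", 3978, 3978),
]
SAMPLE_CLIENTS = {"admin": ["10.0.1.25"], "managed": ["10.0.2.10", "10.0.2.11"]}

if __name__ == "__main__":
    for port, blocked in missing_ingress(SAMPLE_RULES, SAMPLE_CLIENTS).items():
        print(f"port {port} ({REQUIRED_INGRESS[port][1]}) not reachable from {blocked}")
    for port in internet_exposed_admin_ports(SAMPLE_RULES):
        print(f"admin port {port} is open to the whole internet")
```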

STEP 4 | Select Compute > Instances and Create Instance.

STEP 5 | Enter a descriptive Name for the Panorama virtual appliance image.

STEP 6 | Select the Availability domain.

STEP 7 | Select the custom Panorama image.


1. Under Image and shape, select Change Image.
2. For the Image Source, select Custom Image.
3. Select the custom Panorama image you created.
4. Select Image.

STEP 8 | Configure the instance resources.


Refer to the Setup Prerequisites for the Panorama Virtual Appliance for more information on
the minimum resources required based on your Panorama usage needs.
1. Under Image and shape, select Change Shape.
2. Select the shape with number of CPUs, amount of RAM, and number of interfaces you
require.
3. Select Shape.


STEP 9 | Configure the instance Networking settings.

1. For the Network, Select existing virtual cloud network and select the VCN.
2. For the Subnet, Select existing subnet and select the subnet.
It is recommended to deploy the Panorama virtual appliance instance in a management
subnet to safely allow internet access if needed.
3. (Optional) For the Public IP Address, select Assign a public IPv4 address if you want to
make the Panorama virtual appliance accessible from outside the VCN.

STEP 10 | Configure the Panorama virtual appliance instance boot volume.


1. For the Boot volume, specify a custom boot volume size.
2. For the Boot volume size, enter 81.

STEP 11 | Create the Panorama virtual appliance image.


STEP 12 | Configure a new administrative password and the system IP address settings for the
Panorama virtual appliance.
1. Generate a SSH Key for Panorama on OCI.
2. In the OCI console, select Instances and select the Panorama virtual appliance instance.
3. Select Console Connection and Create Console Connection.
4. Select Upload public key files (.pub) and upload the public SSH key you generated to
Create Console Connection.
5. In the Instance Details screen, expand the Console Connection options and Copy Serial
Connection for Linux/Mac.
6. On your Linux machine, open a terminal and paste the serial connection.
7. Create the new admin password when prompted.
8. Configure the initial network settings for the Panorama virtual appliance.

admin> configure

admin# set deviceconfig system type static

admin# set deviceconfig system ip-address <instance-private-IP address> netmask <netmask> default-gateway <default-gateway-IP>

admin# set deviceconfig system dns-setting servers primary <primary-dns-IP>

admin# set deviceconfig system dns-setting servers secondary <secondary-dns-IP>

admin# commit

9. Verify you can log in to the Panorama web interface.


If you cannot log in to the Panorama web interface, review your route table and VCN
security rules to ensure the correct routes and security rules are created.
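An added Python example (not from this guide) that sanity-checks the values you are about to type into the static management configuration above, on OCI, KVM or Hyper-V alike, before rendering the same configure-mode command sequence. It checks in particular that the default gateway lies inside the subnet implied by the IP address and netmask, the most common reason the appliance ends up unreachable after commit. The sample addresses are constructed.

```python
import ipaddress


def validate_mgmt_settings(ip, netmask, gateway, dns_primary, dns_secondary=None):
    """Return a list of problems with the proposed static management settings.
    An empty list means the values are mutually consistent."""
    problems = []
    try:
        # IPv4Interface accepts a dotted netmask after the slash.
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"invalid ip-address/netmask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"invalid default-gateway: {exc}")
    else:
        if gw not in net:
            problems.append(f"default-gateway {gw} is outside {net}; Panorama could not reach it")
        elif gw == iface.ip:
            problems.append("default-gateway equals the management IP address")
    servers = [("primary", dns_primary)]
    if dns_secondary is not None:
        servers.append(("secondary", dns_secondary))
    seen = set()
    for label, addr in servers:
        try:
            resolver = ipaddress.IPv4Address(addr)
        except ValueError as exc:
            problems.append(f"invalid {label} DNS server: {exc}")
            continue
        if resolver in seen:
            problems.append(f"{label} DNS server {resolver} repeats the primary server")
        seen.add(resolver)
    return problems


def render_mgmt_commands(ip, netmask, gateway, dns_primary, dns_secondary=None):
    """Build the PAN-OS configure-mode command sequence shown in the guide,
    refusing to emit anything if the settings fail validation."""
    problems = validate_mgmt_settings(ip, netmask, gateway, dns_primary, dns_secondary)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [
        "configure",
        "set deviceconfig system type static",
        f"set deviceconfig system ip-address {ip} netmask {netmask} default-gateway {gateway}",
        f"set deviceconfig system dns-setting servers primary {dns_primary}",
    ]
    if dns_secondary is not None:
        cmds.append(f"set deviceconfig system dns-setting servers secondary {dns_secondary}")
    cmds.append("commit")
    return cmds


# Constructed sample values; replace them with your own instance's private IP,
# subnet mask, gateway and resolvers.
SAMPLE = dict(ip="10.20.30.40", netmask="255.255.255.0", gateway="10.20.30.1",
              dns_primary="10.20.0.53", dns_secondary="10.20.0.54")

if __name__ == "__main__":
    print("\n".join(render_mgmt_commands(**SAMPLE)))
```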


STEP 13 | Register the Panorama virtual appliance and activate the device management license and
support licenses.
1. (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.
When leveraging VM Flex licensing, this step is required to generate the Panorama
virtual appliance serial number needed to register the Panorama virtual appliance with
the Palo Alto Networks Customer Support Portal (CSP).
2. Register Panorama.
You must register the Panorama virtual appliance using the serial number provided by
Palo Alto Networks in the order fulfillment email.
This step is not required when leveraging VM Flex licensing as the serial number is
automatically registered with the CSP when generated.
3. Activate the firewall management license.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual
Appliance is not Internet-connected.
4. Activate a Panorama Support License.

STEP 14 | Complete configuring the Panorama virtual appliance for your deployment needs.
• For Panorama in Log Collector Mode.
1. Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI) as needed.
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Log Collector mode.
2. Begin at Step 6 to switch to Log Collector mode.

Enter the Public IP address of the Dedicated Log Collector when you add the
Log Collector as a managed collector to the Panorama management server. You
cannot specify the IP Address, Netmask, or Gateway.
• For Panorama in Panorama mode.
1. Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI).
Adding at least one virtual logging disk is required before you can change the Panorama
virtual appliance to Panorama mode.
2. Set up a Panorama Virtual Appliance in Panorama Mode.
3. Configure a Managed Collector.
• For Panorama in Management Only mode.
1. Set up a Panorama Virtual Appliance in Management Only Mode.
2. Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual
appliance.
Management Only mode does not support local log collection, and requires a Dedicated
Log Collector to store managed device logs.


Generate a SSH Key for Panorama on OCI


To connect to the Panorama™ virtual appliance installed on Oracle Cloud Infrastructure (OCI), you
must generate a public and private SSH key on a Linux machine. You use the generated SSH key to
log in to the Panorama CLI to set up a new administrative password and configure the Panorama
network settings.

A Linux machine is required to generate the SSH key and access the Panorama CLI for
the initial configuration. Generating an SSH key from OCI or third-party applications such as
PuTTYgen is not supported.

STEP 1 | Open the terminal on your Linux machine.

STEP 2 | Navigate to the hidden .ssh directory.

admin:~$ cd ~/.ssh

STEP 3 | Generate an SSH key in the .ssh directory.

admin:~/.ssh$ ssh-keygen

When prompted, save the key in the default .ssh directory. A password for the key is
optional.
The default name for the private key is id_rsa and the default name for the public key is
id_rsa.pub.

STEP 4 | Copy the public key from the .ssh directory to your home directory.
This step is required to upload the public key to OCI.

admin:~/.ssh$ cp id_rsa.pub ~

Perform Initial Configuration of the Panorama Virtual Appliance


Based on your Panorama model, use the Alibaba Cloud Console, AWS, Azure, GCP, or OCI web
interface, KVM Virtual Machine Manager, Hyper-V Manager, VMware vSphere Client, or vCloud
Air web console to set up network access to the Panorama virtual appliance. By default, the
Panorama virtual appliance is deployed in Panorama mode. For unified reporting, consider using
Greenwich Mean Time (GMT) or Coordinated Universal Time (UTC) as the uniform time zone
across Panorama and all the managed firewalls and Log Collectors.


STEP 1 | Gather the required information from your network administrator.

Collect the following information for the management (MGT) interface:
• IP address for the management (MGT) interface

The default management interface IP address is 192.168.1.1 if you do not
configure the management interface as described when you install the Panorama
virtual appliance.

• Netmask
• Default gateway
• DNS server IP address

To complete the configuration of the MGT interface, you must specify the IP
address, netmask (for IPv4) or prefix length (for IPv6), and default gateway. If you
omit settings (such as the default gateway), you can access Panorama only through
the console port for future configuration changes. As a best practice, always commit
a complete MGT interface configuration.

STEP 2 | Access the console of the Panorama virtual appliance.


1. Access the console.
On an ESXi server:
1. Launch the VMware vSphere Client.
2. Select the Console tab for the Panorama virtual appliance and press enter to access
the login screen.
On vCloud Air:
1. Access the vCloud Air web console and select your Virtual Private Cloud OnDemand
region.
2. Select the Virtual Machines tab, right-click the Panorama virtual machine, and select
Open In Console.
2. Enter your username and password to log in (default is admin for both).
On Alibaba Cloud, AWS, Azure, GCP, KVM, Hyper-V, and OCI:
• Log in to the Panorama CLI.


STEP 3 | Change the default administrator password.

Starting with PAN-OS 9.0.4, the predefined, default administrator password (admin/
admin) must be changed on the first login on a device. The new password must be
a minimum of eight characters and include a minimum of one lowercase and one
uppercase character, as well as one number or special character.
Be sure to use the best practices for password strength to ensure a strict password
and review the password complexity settings.

To ensure that the management interface remains secure, configure the Minimum
Password Complexity (Panorama > Setup > Management).

1. Click the admin link on the left side of the web interface footer.
2. Enter the Old Password and the New Password and record the new password in a safe
location.
3. Click OK.
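The following Python snippet is an added example, not Palo Alto Networks code, that models the first-login rule stated above: at least eight characters, one lowercase letter, one uppercase letter, and one number or special character. It treats any ASCII punctuation character as a "special character" (an assumption; the page does not define the term) and reflects only the predefined default, not any stricter Minimum Password Complexity you configure under Panorama > Setup > Management.

```python
import string

MIN_LENGTH = 8  # predefined first-login rule: at least eight characters


def unmet_password_rules(password: str) -> list[str]:
    """Return the first-login rules that `password` fails (an empty list means it passes).

    Rules checked: minimum length, one lowercase letter, one uppercase letter,
    and one number or special character. Assumption: "special character" is
    taken to mean any ASCII punctuation character.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no number or special character")
    return problems


def meets_default_complexity(password: str) -> bool:
    """True when the password satisfies every rule in unmet_password_rules()."""
    return not unmet_password_rules(password)


if __name__ == "__main__":
    # Constructed candidates; the first is the predefined default that PAN-OS 9.0.4+ makes you replace.
    for candidate in ("admin", "PANORAMA1", "Panoramax", "Pan0rama!"):
        verdict = unmet_password_rules(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

Run it directly to see why the default admin password is rejected; in a provisioning script, call meets_default_complexity() before attempting the password change so a rejected password does not leave the first-login prompt half-completed.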

STEP 4 | Configure the network access settings for the MGT interface.
Panorama uses the MGT interface for management traffic, high availability synchronization, log
collection, and communication within Collector Groups.
1. Enter the following commands, where <Panorama-IP> is the IP address you want to
assign to the Panorama management interface, <netmask> is the subnet mask,
<gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address
of the DNS server:

> configure
# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
# commit
# exit
2. Troubleshoot Connectivity to Network Resources to verify network access to external
services required for firewall management, such as the default gateway, DNS server, and
the Palo Alto Networks Update Server, as shown in the following example:
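As an added example that is not part of this guide or the product, the following Python builds the set deviceconfig system command shown above from explicit values and refuses to emit it when a setting is missing or inconsistent. This is the failure mode the note in STEP 1 warns about: an omitted default gateway leaves Panorama reachable only from the console port. The sample addresses are constructed; only the 192.168.1.1 default comes from the page.

```python
import ipaddress


def validate_mgt_settings(ip: str, netmask: str, gateway: str, dns: str) -> list[str]:
    """Return the problems that would make the MGT configuration incomplete or inconsistent.

    An empty list means the four values form a complete IPv4 MGT configuration.
    """
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        # Covers malformed addresses and non-contiguous netmasks alike.
        return [f"invalid IP address or netmask: {exc}"]

    if not gateway:
        # The guide's caveat: without a gateway, Panorama is reachable only via the console port.
        problems.append("default gateway is missing (Panorama would be reachable only from the console)")
    else:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            problems.append(f"invalid default gateway: {gateway}")
        else:
            if gw not in iface.network:
                problems.append(f"default gateway {gateway} is not in {iface.network}")
            elif gw == iface.ip:
                problems.append("default gateway equals the MGT address")

    if not dns:
        problems.append("DNS server is missing")
    else:
        try:
            ipaddress.IPv4Address(dns)
        except ValueError:
            problems.append(f"invalid DNS server: {dns}")
    return problems


def build_mgt_config(ip: str, netmask: str, gateway: str, dns: str) -> list[str]:
    """Return the CLI lines from STEP 4, one per entry, or raise ValueError if any setting is unsound."""
    problems = validate_mgt_settings(ip, netmask, gateway, dns)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "configure",
        f"set deviceconfig system ip-address {ip} netmask {netmask} "
        f"default-gateway {gateway} dns-setting servers primary {dns}",
        "commit",
        "exit",
    ]


if __name__ == "__main__":
    # Constructed sample values; 192.168.1.1 (the page's default MGT address) serves as the gateway here.
    for line in build_mgt_config("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.1.53"):
        print(line)
```

The validation runs before anything is sent to the appliance, so an incomplete configuration is caught while you still have the console open rather than after a commit has cut off network access.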

STEP 5 | Configure the general settings.


1. Using a secure connection (HTTPS) from a web browser, log in to the Panorama web
interface using the IP address and password you assigned to the management interface
(https://<IP address>).
2. Select Panorama > Setup > Management and edit the General Settings.
3. Enter a Hostname for the server and enter the network Domain name. The domain name
is just a label; Panorama doesn’t use it to join the domain.
4. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for
example GMT or UTC. If you plan to use the Cortex Data Lake, you must configure NTP
so that Panorama can stay in sync with the Cortex Data Lake.
Timestamps are recorded when Panorama receives the logs and the managed firewalls
generate the logs. Aligning the time zones on Panorama and the firewalls ensures that
the timestamps are synchronized and the process of querying logs and generating
reports on Panorama is harmonious.
5. Enter the Latitude and Longitude to enable accurate placement of the Panorama
management server on the world map.
6. Enter the Serial Number you received in the order fulfillment email.
7. Click OK to save your changes.


STEP 6 | (Optional) Modify the management interface settings.

To connect to Panorama using an IPv6 address, you must configure both an IPv4 and
an IPv6 address on the management interface. Panorama does not support configuring
the management interface with only an IPv6 address.

1. Select Panorama > Setup > Interfaces and click Management.


2. If your firewalls connect to the Panorama management server using a public IP address
that is translated to a private IP address (NAT), enter the public IP in the Public IP
Address field, and the private IP in the IP Address field to push both addresses to your
firewalls.
3. Select which Network Connectivity Services to allow on the interface (such as SSH
access).

Don’t select Telnet or HTTP. These services use plaintext and are less secure
than the other services.
4. Click OK to save your changes to the interface.

STEP 7 | Commit your configuration changes.


Select Commit > Commit to Panorama and Commit your changes.

STEP 8 | Next steps...


1. If necessary, Expand Log Storage Capacity on the Panorama Virtual Appliance.
2. (Best Practice) Replace the default certificate that Panorama uses to secure HTTPS traffic
over the management (MGT) interface.
3. Activate a Panorama Support License.
4. Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance
is Internet-connected.
5. Install Content and Software Updates for Panorama.
6. Set Up Administrative Access to Panorama.

Set Up The Panorama Virtual Appliance as a Log Collector


If you want a dedicated virtual appliance for log collection, configure a Panorama virtual appliance
on ESXi, Alibaba Cloud, AWS, AWS GovCloud, Azure, Google Cloud Platform, KVM, Hyper-V,
or Oracle Cloud Infrastructure (OCI) in Log Collector mode. To do this, you first perform
the initial configuration of the virtual appliance in Panorama mode, which includes licensing,
installing software and content updates, and configuring the management (MGT) interface.
You then switch the Panorama virtual appliance to Log Collector mode and complete the
Log Collector configuration. Additionally, if you want to use dedicated M-Series Appliance
Interfaces (recommended) instead of the MGT interface for log collection and Collector Group
communication, you must first configure the interfaces for the Panorama management server,
then configure them for the Log Collector, and then perform a Panorama commit followed by a
Collector Group commit.


Perform the following steps to set up a new virtual appliance as a Log Collector or to convert an
existing virtual appliance that was previously deployed as a Panorama management server.

Switching the virtual appliance from Panorama mode to Log Collector mode reboots the
appliance, deletes the local Log Collector, deletes any existing log data, and deletes all
configurations except the management access settings. Switching the mode does not
delete licenses, software updates, or content updates.

STEP 1 | Set up the Panorama virtual appliance management server that will manage the Log Collector
if you have not already done so.
Perform one of the following tasks:
• Set Up the Panorama Virtual Appliance
• Set Up the M-Series Appliance

STEP 2 | Record the management IP addresses of the Panorama management server.


If you deployed Panorama in a high availability (HA) configuration, you need the IP address of
each HA peer.
1. Log in to the web interface of the Panorama management server.
2. Record the IP Address of the solitary (non-HA) or active (HA) Panorama by selecting
Panorama > Setup > Management and checking the Management Interface Settings.
3. For an HA deployment, record the Peer HA IP Address of the passive Panorama by
selecting Panorama > High Availability and checking the Setup section.

STEP 3 | Set up the Panorama virtual appliance that will serve as a Dedicated Log Collector.
If you previously deployed this appliance as a Panorama management server, you can skip this
step because the MGT interface is already configured and the licenses and updates are already
installed.
The Panorama virtual appliance in Log Collector mode does not have a web interface for
configuration tasks, only a CLI. Therefore, before changing the mode on the Panorama virtual
appliance, use the web interface in Panorama mode to:
1. Set up the Panorama virtual appliance in one of the following supported hypervisors:
• Install Panorama on an ESXi Server
• Install Panorama on Alibaba Cloud
• Install Panorama on AWS
• Install Panorama on AWS GovCloud
• Install Panorama on Azure
• Install Panorama on Google Cloud Platform
• Install Panorama on Hyper-V
• Set Up Panorama on Oracle Cloud Infrastructure (OCI)
2. Perform Initial Configuration of the Panorama Virtual Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.


STEP 4 | (Panorama on Azure only) Modify the admin password.


The Dedicated Log Collector supports only the admin Administrator user for switching to
Log Collector mode. Modify the admin password so that you can log in as the admin
Administrator user.
1. Log in to the Panorama Web Interface.
2. Select Panorama > Administrators and select admin.
3. Enter the Password, Confirm Password and click OK.
4. Select Commit > Commit to Panorama and Commit your changes.

STEP 5 | (Panorama on AWS and Azure only) Delete all users, except for the admin user.
1. Log in to the Panorama Web Interface as admin.
2. Select Panorama > Administrators.
3. Select the existing Administrators, except admin, and Delete.
4. Select Commit > Commit to Panorama and Commit your changes.

STEP 6 | Log in to the Panorama CLI.

STEP 7 | Switch from Panorama mode to Log Collector mode.


1. Switch to Log Collector mode by entering the following command:

> request system system-mode logger

2. Enter Y to confirm the mode change. The virtual appliance reboots. If the reboot process
terminates your terminal emulation software session, reconnect to the virtual appliance
to see the Panorama login prompt.

If you see a CMS Login prompt, this means the Log Collector has not finished
rebooting. Press Enter at the prompt without typing a username or password.
3. Log back in to the CLI.
4. Verify that the switch to Log Collector mode succeeded:

> show system info | match system-mode

If the mode change succeeded, the output displays:

system-mode: logger

STEP 8 | Enable connecvity between the Log Collector and Panorama management server.
Enter the following commands at the Log Collector CLI, where <IPaddress1> is for the MGT
interface of the solitary (non-HA) or active (HA) Panorama and <IPaddress2> is for the MGT
interface of the passive (HA) Panorama, if applicable.

> configure
# set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
# commit
# exit

STEP 9 | Record the serial number of the Log Collector.


You need the serial number to add the Log Collector as a managed collector on the Panorama
management server.
1. At the Log Collector CLI, enter the following command to display its serial number.

> show system info | match serial

2. Record the serial number.

STEP 10 | Add the Log Collector as a managed collector to the Panorama management server.
1. Select Panorama > Managed Collectors and Add a managed collector.
2. In the General settings, enter the serial number (Collector S/N) you recorded for the Log
Collector.
3. In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non-HA)
or active (HA) Panorama. For HA deployments, enter the IP address or FQDN of the
passive Panorama peer in the Panorama Server IP 2 field.
These IP addresses must specify a Panorama interface that has Device Management and
Device Log Collection services enabled. By default, these services are enabled only on
the MGT interface. However, you might have enabled the services on other interfaces
when you Set Up the M-Series Appliance that is a Panorama management server.
4. Select Interfaces, click Management, and enter the Public IP Address of the Dedicated
Log Collector.
5. Click OK twice to save your changes to the Log Collector.
6. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.
7. Verify that Panorama > Managed Collectors lists the Log Collector you added. The
Connected column displays a check mark to indicate that the Log Collector is connected
to Panorama. You might have to wait a few minutes before the page displays the updated
connection status.

At this point, the Configuration Status column displays Out of Sync and the Run
Time Status column displays disconnected. The status will change to In Sync and
connected after you configure a Collector Group.

STEP 11 | Enable the logging disks.


1. Select Panorama > Managed Collectors and edit the Log Collector.
2. Select Disks and Add each disk.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.


STEP 12 | (Recommended) Configure the Ethernet1, Ethernet2, Ethernet3, Ethernet4, and Ethernet5
interfaces if the Panorama management server and Log Collector will use them for Device
Log Collection (receiving logs from firewalls) and Collector Group Communication.
If you previously deployed the Log Collector as a Panorama management server and configured
these interfaces, you must reconfigure them because switching to Log Collector mode would
have deleted all configurations except the management access settings.
1. Configure each interface on the Panorama management server (other than the MGT
interface) if you haven’t already:
1. Select Panorama > Setup > Interfaces and click the Interface Name.
2. Select <interface-name> to enable the interface.
3. Complete one or both of the following field sets based on the IP protocols of your
network:
• For ESXi
• IPv4—Public IP Address, IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
• For Alibaba Cloud, AWS, Azure, GCP, and OCI
• Public IP address
4. Select the Device Management Services that the interface supports:
• Device Management and Device Log Collection—You can assign one or more
interfaces.
• Collector Group Communication—You can assign only one interface.
• Device Deployment (software and content updates)—You can assign only one
interface.
5. Click OK to save your changes.
2. Configure each interface on the Log Collector (other than the MGT interface):
1. Select Panorama > Managed Collectors and edit the Log Collector.
2. Select Interfaces and click the name of the interface.
3. Select <interface-name> to enable the interface.
4. Complete one or both of the following field sets based on the IP protocols of your
network:
• For ESXi
• IPv4—Public IP Address, IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
• For Alibaba Cloud, AWS, Azure, GCP, and OCI
• Public IP address
5. Select the Device Management Services that the interface supports:
• Device Log Collection—You can assign one or more interfaces.
• Collector Group Communication—You can assign only one interface.


6. Click OK to save your changes to the interface.


3. Click OK to save your changes to the Log Collector.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.

STEP 13 | (Optional) If your deployment is using custom certificates for authentication between
Panorama and managed devices, deploy the custom client device certificate. For more
information, see Set Up Authentication Using Custom Certificates.
1. Select Panorama > Certificate Management > Certificate Profile and choose the
certificate profile from the drop-down or click New Certificate Profile to create one.
2. Select Panorama > Managed Collectors > Add > Communication for a Log Collector.
3. Select the Secure Client Communication check box.
4. Select the type of device certificate from the Type drop-down.
• If you are using a local device certificate, select the Certificate and Certificate Profile
from the respective drop-downs.
• If you are using SCEP as the device certificate, select the SCEP Profile and Certificate
Profile from the respective drop-downs.
5. Click OK.


STEP 14 | (Optional) Configure Secure Server Communication on a Log Collector. For more information,
see Set Up Authentication Using Custom Certificates.
1. Select Panorama > Managed Collectors > Add > Communication.
2. Verify that the Custom Certificate Only check box is not selected. This allows you to
continue managing all devices while migrating to custom certificates.

When the Custom Certificate Only check box is selected, the Log Collector
does not authenticate and cannot receive logs from devices using predefined
certificates.
3. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This
SSL/TLS service profile applies to all SSL connections between the Log Collector and
devices sending it logs.
4. Select the certificate profile from the Certificate Profile drop-down.
5. Select Authorize Client Based on Serial Number to have the server check clients against
the serial numbers of managed devices. The client certificate must have the special
keyword $UDID set as the CN to authorize based on serial numbers.
6. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait
before breaking and reestablishing the connection with its managed devices. This field is
blank by default and the range is 0 to 44,640 minutes.

The disconnect wait time does not begin counting down until you commit the
new configuration.
7. (Optional) Configure an authorization list.
1. Click Add under Authorization List.
2. Select the Subject or Subject Alt Name as the Identifier type.
3. Enter an identifier of the selected type.
4. Click OK.
5. Select Check Authorization List to enforce the authorization list.
8. Click OK.
9. Select Commit > Commit to Panorama.

STEP 15 | Assign the Log Collector to a Collector Group.


1. Configure a Collector Group. You must perform a Panorama commit and then a Collector
Group commit to synchronize the Log Collector configuration with Panorama and to put
the Eth1, Eth2, Eth3, Eth4, and Eth5 interfaces (if you configured them) in an operational
state on the Log Collector.

In any single Collector Group, all the Log Collectors must run on the same
Panorama model: all M-600 appliances, all M-500 appliances, all M-200
appliances, or all Panorama virtual appliances.

As a best practice, Enable log redundancy across collectors if you add multiple
Log Collectors to a single Collector group. This option requires each Log Collector
to have the same number of logging disks.
2. Select Panorama > Managed Collectors to verify that the Log Collector configuration is
synchronized with Panorama.
The Configuration Status column should display In Sync and the Run Time Status column
should display connected.
3. Access the Log Collector CLI and enter the following command to verify that its
interfaces are operational:

> show interface all

The output displays the state as up for each interface that is operational.
4. If the Collector Group has multiple Log Collectors, Troubleshoot Connectivity to Network
Resources to verify they can communicate with each other by performing a Ping
connectivity test for each interface that the Log Collectors use. For the source IP
address, specify the interface of one of the Log Collectors. For the host IP address,
specify the matching interface of another Log Collector in the same Collector Group.

STEP 16 | Next steps...


To enable the Log Collector to receive firewall logs:
1. Configure Log Forwarding to Panorama.
2. Verify Log Forwarding to Panorama.

Set Up the Panorama Virtual Appliance with Local Log Collector


If the Panorama virtual appliance is in Legacy mode after you upgrade from a Panorama 8.0 or
earlier release to a Panorama 8.1 (or later) release, switch to Panorama mode in order to create a
local Log Collector, add multiple logging disks without losing existing logs, increase log storage up
to 24TB, and enable faster report generation.

Once you change from Legacy mode to Panorama mode, Legacy mode will no longer be
available.

After upgrading to Panorama 8.1, the first step is to increase the system resources on the virtual
appliance to the minimum required for Panorama mode. Panorama reboots when you increase
resources, so perform this procedure during a maintenance window. You must install a larger
system disk (81GB), increase CPUs and memory based on the log storage capacity, and add a
virtual logging disk. The new logging disk must have at least as much capacity as the appliance
currently uses in Legacy mode and cannot be less than 2TB. Adding a virtual disk enables you to
migrate existing logs to the Log Collector and enables the Log Collector to store new logs.
If Panorama is deployed in an HA configuration, perform the following steps on the secondary
peer first and then on the primary peer.
STEP 1 | Determine which system resources you need to increase before the virtual appliance can
operate in Panorama mode.

You must run the command specified in this step even if you have determined that
Panorama already has adequate resources.

1. Access the Panorama CLI:


1. Use terminal emulation software such as PuTTY to open an SSH session to the IP
address that you specified for the Panorama MGT interface.
2. Log in to the CLI when prompted.
2. Check the resources you must increase by running the following command:

> request system system-mode panorama

Enter y when prompted to continue. The output specifies the resources you must
increase. For example:

Panorama mode not supported on current system disk of size 52.0 GB.
Please attach a disk of size 81.0 GB, then use 'request system
clone-system-disk' to migrate the current system disk
Please add a new virtual logging disk with more than 50.00 GB
of storage capacity.
Not enough CPU cores: Found 4 cores, need 8 cores


STEP 2 | Increase the CPUs and memory, and replace the system disk with a larger disk.
1. Access the VMware ESXi vSphere Client, select Virtual Machines, right-click the
Panorama virtual appliance, and select Power > Power Off.
2. Right-click the Panorama virtual appliance and Edit Settings.
3. Select Memory and enter the new Memory Size.
4. Select CPUs and specify the number of CPUs (the Number of virtual sockets multiplied
by the Number of cores per socket).
5. Add a virtual disk.
You will use this disk to replace the existing system disk.
1. In the Hardware settings, Add a disk, select Hard Disk as the hardware type, and click
Next.
2. Create a new virtual disk and click Next.
3. Set the Disk Size to exactly 81GB and select the Thick Provision Lazy Zeroed disk
format.
4. Select Specify a datastore or datastore structure as the location, Browse to a
datastore of at least 81GB, click OK, and click Next.
5. Select a SCSI Virtual Device Node (you can use the default selecon) and click Next.

Panorama will fail to boot if you select a format other than SCSI.

6. Verify that the settings are correct and then click Finish and OK.
6. Right-click the Panorama virtual appliance and select Power > Power On. Wait for
Panorama to reboot before continuing.
7. Return to the Panorama CLI and copy the data from the original system disk to the new
system disk:

> request system clone-system-disk target sdb

Enter y when prompted to continue.
The copying process takes around 20 to 25 minutes, during which Panorama reboots.
When the process finishes, the output tells you to shut down Panorama.
8. Return to the vSphere Client console, right-click the Panorama virtual appliance, and
select Power > Power Off.
9. Right-click the Panorama virtual appliance and Edit Settings.
10. Select the original system disk, click Remove, select Remove from virtual machine, and
click OK.
11. Right-click the Panorama virtual appliance and Edit Settings.
12. Select the new system disk, set the Virtual Device Node to SCSI (0:0), and click OK.
13. Right-click the Panorama virtual appliance and select Power > Power On. Before
proceeding, wait for Panorama to reboot on the new system disk (around 15 minutes).


STEP 3 | Add a virtual logging disk.


This is the disk to which you will migrate existing logs.
1. In the VMware ESXi vSphere Client, right-click the Panorama virtual appliance and select
Power > Power Off.
2. Right-click the Panorama virtual appliance and Edit Settings.
3. Repeat the steps to Add a virtual disk. Set the Disk Size to a multiple of 2TB based on
the amount of log storage you need. The capacity must be at least as large as the existing
virtual disk or NFS storage that Panorama currently uses for logs. The disk capacity must
be a multiple of 2TB and can be up to 24TB. For example, if the existing disk has 5TB of
log storage, you must add a new disk of at least 6TB.
After you switch to Panorama mode, Panorama will automatically divide the new disk
into 2TB partitions, each of which will function as a separate virtual disk.
4. Right-click the Panorama virtual appliance and select Power > Power On. Wait for
Panorama to reboot before continuing.
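The following Python is an added example, not Palo Alto Networks code, that serves both STEP 1 and STEP 3 of this procedure: it pulls the shortfalls out of the request system system-mode panorama output shown in STEP 1 and applies the logging-disk sizing rule from STEP 3 (a multiple of 2TB, at least as large as the storage currently used, never less than 2TB and never more than 24TB). The sample output is constructed after the example on the page, and the field names in the returned dictionary are this example's own; the clone command it suggests is the target sdb form used in STEP 2.

```python
import math
import re

# Constructed sample, modelled on the CLI output shown on this page (not captured from a device).
SAMPLE_OUTPUT = """\
Panorama mode not supported on current system disk of size 52.0 GB.
Please attach a disk of size 81.0 GB, then use 'request system clone-system-disk' to migrate the current system disk
Please add a new virtual logging disk with more than 50.00 GB of storage capacity.
Not enough CPU cores: Found 4 cores, need 8 cores
"""

# One regex per shortfall line; the key names are this example's own, not PAN-OS terms.
_PATTERNS = {
    "current_system_disk_gb": (r"current system disk of size\s+([\d.]+)\s*GB", float),
    "required_system_disk_gb": (r"attach a disk of size\s+([\d.]+)\s*GB", float),
    "min_logging_disk_gb": (r"logging disk with more than\s+([\d.]+)\s*GB", float),
    "cores_found": (r"Found\s+(\d+)\s+cores", int),
    "cores_needed": (r"need\s+(\d+)\s+cores", int),
}

TB_PER_PARTITION = 2   # Panorama splits the logging disk into 2TB partitions
MAX_LOGGING_TB = 24    # upper bound stated in STEP 3


def parse_mode_check(output: str) -> dict:
    """Return the shortfalls the CLI reported. A key is absent when its line is absent,
    which is how a resource that already meets the requirement shows up."""
    found = {}
    for key, (pattern, convert) in _PATTERNS.items():
        match = re.search(pattern, output)
        if match:
            found[key] = convert(match.group(1))
    return found


def logging_disk_size_tb(existing_log_storage_tb: float) -> int:
    """Smallest logging disk the procedure allows for the given current usage:
    rounded up to a multiple of 2TB, at least 2TB, and at most 24TB."""
    if existing_log_storage_tb < 0:
        raise ValueError("existing log storage cannot be negative")
    size = max(TB_PER_PARTITION,
               TB_PER_PARTITION * math.ceil(existing_log_storage_tb / TB_PER_PARTITION))
    if size > MAX_LOGGING_TB:
        raise ValueError(f"{existing_log_storage_tb:g} TB needs {size} TB, above the {MAX_LOGGING_TB} TB limit")
    return size


def readiness_checklist(output: str, existing_log_storage_tb: float) -> list[str]:
    """Turn the CLI shortfalls into the actions STEP 2 and STEP 3 call for."""
    info = parse_mode_check(output)
    actions = []
    if info.get("cores_found", 0) < info.get("cores_needed", 0):
        actions.append(f"Increase vCPUs from {info['cores_found']} to {info['cores_needed']}")
    if "required_system_disk_gb" in info:
        actions.append(f"Attach a {info['required_system_disk_gb']:g} GB system disk, then run "
                       "'request system clone-system-disk target sdb'")
    if "min_logging_disk_gb" in info:
        size = logging_disk_size_tb(existing_log_storage_tb)
        actions.append(f"Add a {size} TB virtual logging disk (multiple of 2 TB, at least the "
                       f"{existing_log_storage_tb:g} TB currently used)")
    return actions


if __name__ == "__main__":
    # 5 TB of existing log storage is the worked case from STEP 3.
    for action in readiness_checklist(SAMPLE_OUTPUT, 5):
        print("-", action)
```

Because parse_mode_check() only reports lines that are present, the checklist shrinks as you satisfy each requirement and rerun the mode command, which matches the page's instruction to run it even when you believe resources are already adequate.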

STEP 4 | Switch from Legacy mode to Panorama mode.

After switching the mode, the appliance reboots again and then automatically creates a
local Log Collector and Collector Group. The existing logs won’t be available for querying or
reporting until you migrate them later in this procedure.
1. Return to the Panorama CLI and run the following command.

> request system system-mode panorama

Enter y when prompted to continue. After rebooting, Panorama automatically creates a
local Log Collector (named Panorama) and creates a Collector Group (named default) to
contain it. Panorama also configures the virtual logging disk you added and divides it into
separate 2TB disks. Wait for the process to finish and for Panorama to reboot (around
five minutes) before continuing.
2. Log in to the Panorama web interface.
3. In the Dashboard, General Information settings, verify that the Mode is now panorama.
In an HA deployment, the secondary peer is in a suspended state at this point because
its mode (Panorama) does not match the mode on the primary peer (Legacy). You will
unsuspend the secondary peer after switching the primary peer to Panorama mode later in
this procedure.
4. Select Panorama > Collector Groups to verify that the default collector group has been
created, and that the local Log Collector is part of the default collector group.
5. Push the configuration to the managed devices.
• If there are no pending changes:
1. Select Commit > Push to Devices and Edit Selections.
2. Select Collector Group and make sure the default collector group is selected.
3. Click OK and Push.
• If you have pending changes:
1. Select Commit > Commit and Push and Edit Selections.
2. Verify that your Device Group devices and Templates are included.
3. Select Collector Group and make sure the default collector group is selected.
4. Click OK and Commit and Push.
6. Select Panorama > Managed Collectors and verify that the columns display the following
information for the local Log Collector:
• Collector Name—This defaults to the Panorama hostname. It should be listed under
the default Collector Group.
• Connected—Check mark
• Configuration Status—In sync
• Run Time Status—connected

STEP 5 | (HA only) Switch the primary Panorama from Legacy mode to Panorama mode.

This step triggers failover.

1. Repeat Step 1 through Step 4 on the primary Panorama.


Wait for the primary Panorama to reboot and return to an active HA state. If preemption
is not enabled, you must manually fail back: select Panorama > High Availability and, in
the Operational Commands section, Make local Panorama functional.
2. On the primary Panorama, select Dashboard and, in the High Availability section, Sync to
peer, click Yes, and wait for the Running Config to display Synchronized status.
3. On the secondary Panorama, select Panorama > High Availability and, in the Operational
Commands section, Make local Panorama functional.
This step is necessary to bring the secondary Panorama out of its suspended HA state.


STEP 6 | Migrate existing logs to the new virtual logging disks.

If you deployed Panorama in an HA configuration, perform this only on the primary peer.

Palo Alto Networks recommends migrating existing logs to the new virtual logging disks
during your maintenance window. The log migration requires a large number of the
Panorama virtual appliance CPU cores to execute and impacts Panorama operational
performance.

1. Return to the Panorama CLI.


2. Start the log migration:

> request logdb migrate vm start

The process duration varies by the volume of log data you are migrating. To check the
status of the migration, run the following command:

> request logdb migrate vm status

When the migration finishes, the output displays: migration has been done.
3. Verify that the existing logs are available.
1. Log in to the Panorama web interface.
2. Select Panorama > Monitor, select a log type that you know matches some existing
logs (for example, Panorama > Monitor > System), and verify that the logs display.

STEP 7 | Next steps...


Configure log forwarding to Panorama so that the Log Collector receives new logs from
firewalls.

Set up a Panorama Virtual Appliance in Panorama Mode


Panorama mode allows the Panorama™ virtual appliance to operate as a Panorama management
server with local log collection capabilities. By default, the Panorama virtual appliance is deployed
in Panorama mode when at least one virtual logging disk is attached to a Panorama virtual
appliance.

While still supported, switching from Legacy mode with a 50GB logging disk to Panorama
mode is not recommended for production environments. If you switch to Panorama mode
with a 50GB logging disk, you are unable to add additional logging disks.

STEP 1 | Log in to the Panorama CLI.


STEP 2 | Switch to Panorama mode.


1. Change to Panorama mode:

> request system system-mode panorama

2. Enter Y to confirm the mode change. The Panorama virtual appliance reboots. If the
reboot process terminates your terminal emulation software session, reconnect to the
Panorama virtual appliance to see the Panorama login prompt.
If you see a CMS Login prompt, this means the Panorama virtual appliance has not
finished rebooting. Press Enter at the prompt without typing a username or password.

STEP 3 | Verify that the switch to Panorama mode succeeded.


1. Log back in to the CLI.
2. Verify that the switch to Panorama mode succeeded:

> show system info | match system-mode

If the mode change succeeded, the output displays:

> system mode:panorama

Set up a Panorama Virtual Appliance in Management Only Mode


Management Only mode allows the Panorama virtual appliance to operate strictly as a Panorama
management server without local log collection capabilities. By default, the Panorama virtual
appliance is in Panorama mode for the initial deployment. It is recommended to change the
Panorama virtual appliance to Management Only immediately after the initial deployment, because
changing to Management Only mode requires that no logs are being forwarded to the
Panorama management server: the Panorama virtual appliance in Management Only mode
does not support log collection. After you change to Management Only mode, any existing log
data stored on the Panorama virtual appliance becomes inaccessible, and the ACC and reporting
features cannot query the logs stored on the Panorama virtual appliance.

If you configured a local Log Collector, the local Log Collector still exists on Panorama
when you change to Management Only mode despite having no log collection capabilities.
Deleting the local Log Collector (Panorama > Managed Collectors) deletes the Eth1/1
interface configuration the local Log Collector uses by default. If you decide to delete the
local Log Collector, you must reconfigure the Eth1/1 interface.

STEP 1 | Log in to the Panorama CLI.


STEP 2 | Switch to Management Only mode.


1. Change to Management Only mode:

> request system system-mode management-only

2. Enter Y to confirm the mode change. The Panorama virtual appliance reboots. If the
reboot process terminates your terminal emulation software session, reconnect to the
Panorama virtual appliance to see the Panorama login prompt.
If you see a CMS Login prompt, this means the Panorama virtual appliance has not
finished rebooting. Press Enter at the prompt without typing a username or password.

STEP 3 | Verify that the switch to Management Only mode succeeded.


1. Log back in to the CLI.
2. Verify that the switch to Management Only mode succeeded:

> show system info | match system-mode

If the mode change succeeded, the output displays:

> system mode:management-only

Expand Log Storage Capacity on the Panorama Virtual Appliance


After you Perform Initial Configuration of the Panorama Virtual Appliance, the available log
storage capacity and the options for expanding it depend on the virtual platform (VMware ESXi,
vCloud Air, Alibaba Cloud, AWS, AWS GovCloud, Azure, Google Cloud Platform, KVM, Hyper-V,
or OCI) and mode (Legacy, Panorama, or Log Collector mode): see Panorama Models for details.
To expand the log storage capacity on the Panorama virtual appliance, you must add additional
logging disks. Expanding the log storage capacity of an existing logging disk is not supported,
and Panorama does not recognize the additional storage capacity. For example, if you added a
2TB logging disk and then expanded that existing logging disk to 4TB, Panorama continues to
recognize the logging disk as having 2TB of storage capacity and ignores the additional 2TB of
storage capacity.

For additional log storage, you can also forward firewall logs to Dedicated Log Collectors
(see Configure a Managed Collector) or Configure Log Forwarding from Panorama to
External Destinations.

Before expanding log storage capacity on Panorama, Determine Panorama Log Storage
Requirements.
• Preserve Exisng Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
• Add a Virtual Disk to Panorama on an ESXi Server
• Add a Virtual Disk to Panorama on vCloud Air
• Add a Virtual Disk to Panorama on Alibaba Cloud
• Add a Virtual Disk to Panorama on AWS


• Add a Virtual Disk to Panorama on Azure
• Add a Virtual Disk to Panorama on Google Cloud Platform
• Add a Virtual Disk to Panorama on KVM
• Add a Virtual Disk to Panorama on Hyper-V
• Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)
• Mount the Panorama ESXi Server to an NFS Datastore

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy
Mode
The Panorama virtual appliance in Legacy mode can use only one virtual disk for logging.
Therefore, if you add a virtual disk that is dedicated for logging, Panorama stops using the default
11GB log storage on the system disk and automatically copies any existing logs to the new logging
disk. (Panorama continues using the system disk for data other than logs.)
If you replace an existing dedicated logging disk of up to 2TB storage capacity with a disk of up to
8TB, you will lose the logs on the existing disk. To preserve the logs, your choices are:

• Configure log forwarding to external destinations before you replace the virtual disk.

• Set up a new Panorama virtual appliance for the new 8TB disk and maintain access to the
Panorama containing the old disk for as long as you need the logs. To forward firewall logs to
the new Panorama virtual appliance, one option is to reconfigure the firewalls to connect with
the new Panorama IP address (select Device > Setup > Management and edit the Panorama
Settings), add the firewalls as managed devices to the new Panorama, and Configure Log
Forwarding to Panorama. To reuse the old Panorama IP address on the new Panorama, another
option is to export the configuration of the old Panorama and then import and load the
configuration on the new Panorama.

• Copy logs from the old disk to the new disk. Copying can take several hours, depending on
how many logs the disk currently stores, and Panorama cannot collect logs during the process.
Contact Palo Alto Networks Customer Support for instructions.

Add a Virtual Disk to Panorama on an ESXi Server


To expand log storage capacity on the Panorama virtual appliance, you can add virtual logging
disks. If the appliance is in Panorama mode, you can add 1 to 12 virtual logging disks of 2TB each
or one 24TB logging disk, for a maximum total of 24TB. If the appliance is in Legacy mode, you can
add one virtual logging disk of up to 8TB on ESXi 5.5 and later versions or one disk of up to 2TB
on earlier ESXi versions. Additionally, it is recommended to add logging disks with the same disk
provisioning format to avoid any unexpected performance that may arise from having multiple
disks with different provisioning formats.

If Panorama loses connectivity to the new virtual disk, Panorama might lose logs during
the failure interval.
To allow for redundancy, use the virtual disk in a RAID configuration. RAID10 provides the
best write performance for applications with high logging characteristics.
If necessary, you can Replace the Virtual Disk on an ESXi Server.


STEP 1 | Add additional disks to Panorama.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. Access the VMware vSphere Client and select Virtual Machines.


2. Right-click the Panorama virtual appliance and select Power > Power off.
3. Right-click the Panorama virtual appliance and select Edit Settings.
4. Click Add in the Hardware tab to launch the Add Hardware wizard.
5. Select Hard Disk as the hardware type and click Next.
6. Create a new virtual disk and click Next.
7. Set the Disk Size. If the Panorama virtual appliance is in Panorama mode, set the size to
at least 2TB. If the appliance is in Legacy mode, you can set the size to as much as 8TB.

In Panorama mode, you can add disk sizes larger than 2TB and Panorama will
automatically create as many 2TB partitions as possible. For example, if disk sdc
was 24TB, it will create 12 2TB partitions. These disks will be named sdc1-12.
8. Select the Disk Provisioning format and click Next.
9. Specify a datastore or datastore structure, Browse to a datastore with enough space for
the specified Disk Size, click OK, and click Next.
10. Select a SCSI Virtual Device Node (you can use the default selection) and click Next.

The selected node must be in SCSI format; Panorama will fail to boot if you
select another format.
11. Verify that the settings are correct and then click Finish and OK.
The new disk appears in the list of devices for the virtual appliance.
12. Repeat Step 4 through Step 11 to add additional disks to the Panorama virtual appliance
if necessary.
13. Right-click the Panorama virtual appliance and select Power > Power On. The virtual disk
initializes for first-time use. The size of the new disk determines how long initialization
takes.

STEP 2 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to Step 4 to verify the disk
addition.
4. Enter the show system disk details command to verify the status of the disk
addition. Continue to Step 3 when all newly added disk responses display Reason :
Admin enabled.
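The disk listing in Step 2 and the "Admin disabled" / "Admin enabled" checks in Steps 3 and 4 are repeated unchanged in the vCloud Air, Alibaba Cloud, AWS, Azure and Google Cloud Platform procedures that follow, and Step 1 describes how Panorama mode carves a larger disk into 2TB partitions. The following Python helper is an added example, not Palo Alto Networks code: it parses the show system disk details output into records, reports which disks are still Admin disabled (the ones that still need request system disk add), implements the Step 4 "all Admin enabled" check, and applies the 2TB partitioning rule (a 24TB disk yields 12 partitions; on the cloud platforms a size that is not a whole number of 2TB partitions is rejected, and the total may not exceed 24TB). The sample listing is constructed from the output shown in this guide; the function names, the Disk record, the cloud flag, and the assumption that 1TB corresponds to 1024000 MB (since a 2TB disk is listed as 2048000 MB) are my own.

```python
"""Helpers for the Panorama logging-disk procedure: parse the
'show system disk details' listing and apply the 2TB logging-disk rules.

Added example, not Palo Alto Networks code. The function names, the Disk
record, the 'cloud' flag and the MB-per-TB figure are assumptions made here.
"""
import re
from dataclasses import dataclass

# 'Size' in the listing is reported in MB and a 2TB logging disk shows as
# 2048000 MB, so 1TB is taken as 1024000 MB (assumption) and one 2TB partition
# as twice that. The guide caps total log storage at 24TB.
TB_MB = 1_024_000
PARTITION_MB = 2 * TB_MB
MAX_TOTAL_MB = 24 * TB_MB

# Constructed sample: the two-disk listing from the guide, with sdb already
# added (Admin enabled) and sdc attached but not yet added (Admin disabled).
SAMPLE_OUTPUT = """\
Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled
"""


@dataclass
class Disk:
    name: str
    state: str
    size_mb: int
    status: str
    reason: str


_FIELD = re.compile(r"^\s*(Name|State|Size|Status|Reason)\s*:\s*(.*?)\s*$")


def parse_disk_details(text: str) -> list[Disk]:
    """Turn the key/value listing into Disk records; each 'Name' line starts a new disk."""
    disks: list[Disk] = []
    fields: dict[str, str] = {}
    for line in text.splitlines():
        match = _FIELD.match(line)
        if not match:
            continue  # blank lines and anything that is not a known field are skipped
        key, value = match.groups()
        if key == "Name" and fields:
            disks.append(_to_disk(fields))
            fields = {}
        fields[key] = value
    if fields:
        disks.append(_to_disk(fields))
    return disks


def _to_disk(fields: dict[str, str]) -> Disk:
    # 'Size : 2048000 MB' -> 2048000; a missing Size is treated as 0 MB
    size_mb = int(fields.get("Size", "0 MB").split()[0])
    return Disk(
        name=fields.get("Name", ""),
        state=fields.get("State", ""),
        size_mb=size_mb,
        status=fields.get("Status", ""),
        reason=fields.get("Reason", ""),
    )


def disks_to_add(disks: list[Disk]) -> list[str]:
    """Disks that still need 'request system disk add <name>': present and
    available, but not yet enabled by the admin."""
    return [
        d.name
        for d in disks
        if d.state == "Present" and d.status == "Available" and d.reason == "Admin disabled"
    ]


def all_enabled(disks: list[Disk]) -> bool:
    """The Step 4 check: every listed disk reports 'Reason : Admin enabled'."""
    return bool(disks) and all(d.reason == "Admin enabled" for d in disks)


def partition_plan(size_mb: int) -> tuple[int, int]:
    """How Panorama mode carves a logging disk: as many 2TB partitions as fit.
    Returns (partition_count, leftover_mb)."""
    return divmod(size_mb, PARTITION_MB)


def logging_disk_problems(size_mb: int, existing_total_mb: int = 0, cloud: bool = True) -> list[str]:
    """Why a proposed logging disk would be rejected, per the guide: it must be at
    least 2TB, on the cloud platforms it must be a whole number of 2TB partitions,
    and the total log storage may not exceed 24TB."""
    problems = []
    if size_mb < PARTITION_MB:
        problems.append("disk is smaller than 2TB")
    count, leftover = partition_plan(size_mb)
    if cloud and leftover:
        problems.append(f"{leftover} MB left over after {count} 2TB partitions is not a supported partition")
    if existing_total_mb + size_mb > MAX_TOTAL_MB:
        problems.append("total log storage would exceed 24TB")
    return problems


if __name__ == "__main__":
    listing = parse_disk_details(SAMPLE_OUTPUT)
    print("disks to add:", disks_to_add(listing))
    print("all enabled:", all_enabled(listing))
    print("24TB disk ->", partition_plan(24 * TB_MB))
    print("5TB disk ->", logging_disk_problems(5 * TB_MB))
```

Feed it the real listing captured from the CLI in place of SAMPLE_OUTPUT; an empty result from disks_to_add together with a True from all_enabled is the state Step 4 asks you to wait for before moving on. Pass cloud=False for an ESXi or vCloud Air appliance, where the guide allows any size of at least 2TB and simply creates as many 2TB partitions as fit.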

STEP 3 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Select Panorama > Managed Collectors and edit the Log Collector.
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 4 | Configure Panorama to receive logs.


This step is intended for new Panorama deployments in Panorama mode. If you are adding
logging disks to an existing Panorama virtual appliance, continue to Step 5.
1. Configure a Managed Collector.
2. Configure a Collector Group.
3. Configure Log Forwarding to Panorama.

STEP 5 | Verify that the Panorama Log Storage capacity has been increased.
1. Log in to the Panorama web interface.
2. Select Panorama > Collector Groups and select the Collector Group that the Panorama
virtual appliance belongs to.
3. Verify that the Log Storage capacity accurately displays the disk capacity.


Add a Virtual Disk to Panorama on vCloud Air


You can add virtual logging disks to expand log storage capacity on the Panorama™ virtual
appliance. If the appliance is in Panorama mode, you can add 1 to 12 virtual logging disks of 2TB
each or 1 24TB logging disk, for a maximum total of 24TB. If the appliance is in Legacy mode, you
can add one virtual logging disk of up to 8TB.

If Panorama loses connectivity to the new virtual disk, Panorama might lose logs for the
duration of the failure.
If necessary, you can Replace the Virtual Disk on vCloud Air.

STEP 1 | Add additional disks to Panorama.

In all modes, the first logging disk on the Panorama VM must be at least 2TB to add
additional disks. If the first logging disk is less than 2TB, you will be unable to add
additional disk space.

1. Access the vCloud Air web console and select your Virtual Private Cloud On Demand
region.
2. Select the Panorama virtual appliance in the Virtual Machines tab.
3. Add another disk (Actions > Edit Resources).
4. Set the Storage size. If the Panorama virtual appliance is in Panorama mode, set the size
to at least 2TB. If the appliance is in Legacy mode, you can set the size to as much as
8TB.

In Panorama mode, you can add disk sizes larger than 2TB and Panorama will
automatically create as many 2TB partitions as possible. For example, if disk sdc
was 24TB, Panorama will create 12 2TB partitions. These disks will be named
sdc1 through sdc12.
5. Set the storage tier to Standard or SSD-Accelerated.
6. Repeat the previous steps to add additional disks to the Panorama virtual appliance as
needed.
7. Save your changes.

STEP 2 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to Step 4 to verify the disk
addition.
4. Enter the show system disk details command to verify the status of the disk
addition. Continue to the next step when all newly added disk responses display
Reason : Admin enabled.

STEP 3 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Select Panorama > Managed Collectors and edit the Log Collector.
3. Select Disks and Add each new disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 4 | Configure Panorama to receive logs.


This step is intended for new Panorama deployments in Panorama mode. If you are adding
logging disks to an existing virtual Panorama appliance, continue to the next step.
1. Configure a Managed Collector.
2. Configure a Collector Group.
3. Configure Log Forwarding to Panorama.

STEP 5 | Verify that the Panorama Log Storage capacity has been increased.
1. Log in to the Panorama web interface.
2. Select Panorama > Collector Groups and select the Collector Group to which the virtual
Panorama appliance belongs.
3. Verify that the Log Storage capacity accurately displays your new disk capacity.


Add a Virtual Disk to Panorama on Alibaba Cloud


After you Install Panorama on Alibaba Cloud, add additional virtual logging disks to expand log
storage capacity on the Panorama™ virtual appliance for logs generated by managed firewalls. You
can add virtual disks to a local Log Collector for a Panorama virtual appliance in Panorama mode
or for a Dedicated Log Collector. To add virtual disks, you must have access to the Alibaba Cloud
Console, the Panorama command-line interface (CLI), and the Panorama web interface.
The Panorama virtual appliance on Alibaba Cloud supports only 2TB logging disks and, in total,
supports up to 24TB of log storage. You cannot add a logging disk smaller than 2TB or a logging
disk of a size that is not evenly divisible by 2TB because the Panorama virtual appliance partitions
logging disks into 2TB partitions. For example, if you attach a 4TB logging disk, Panorama will
create two 2TB partitions. However, you cannot add a 5TB logging disk because the leftover 1TB
is not supported as a partition.
STEP 1 | Log in to the Alibaba Cloud Console.

STEP 2 | Select Elastic Compute Service > Instances & Images > Instances and navigate to the
Panorama virtual appliance instance.

STEP 3 | Add a virtual logging disk to Panorama.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. In the Actions column, select Manage.
2. Select Cloud Disk and Create Disk.
3. Configure the virtual logging disk.
• Attach—Select Attach to ECS Instance.
• ECS Instance—Select the region and the Panorama virtual appliance instance.
• Storage—Select the type of virtual disk and enter the disk capacity.
• (Optional) Quantity—Specify how many virtual disks to create. By default, 1 virtual
disk is created. When creating multiple logging disks, be sure that the sum of all
virtual disks does not exceed 24TB.
• Terms of Service—Review the Alibaba Cloud Terms of Service and check after you
have reviewed.
4. Preview the virtual disk creation.
5. Create the new virtual disk.
A status window displays after you create the new virtual disk. After the virtual disk is
successfully created, Go to the Disk List to confirm the disk is successfully created.


STEP 4 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, log in to the Panorama CLI and continue to the next step to verify the
disk addition.
4. Enter the show system disk details command to verify the status of the disk
addition. Continue to the next step when all newly added disk responses display
Reason : Admin enabled.

STEP 5 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Edit a Log Collector (Panorama > Managed Collectors).
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 6 | (New Panorama deployments in Panorama mode only) Configure Panorama to receive logs.
If you are adding logging disks to an existing Panorama virtual appliance, skip to step 6.
1. Configure a Collector Group.
2. Configure Log Forwarding to Panorama.


STEP 7 | Verify that the Panorama Log Storage capacity is increased.


1. Log in to the Panorama web interface.
2. Select the Collector Group to which the Panorama virtual appliance belongs (Panorama >
Collector Groups).
3. Verify that the Log Storage capacity accurately displays the disk capacity.

Add a Virtual Disk to Panorama on AWS


After you Install Panorama on AWS or Install Panorama on AWS GovCloud, add virtual logging
disks to the Panorama™ virtual appliance instance to provide storage for logs generated by
managed firewalls. You can add virtual disks to a local Log Collector for a Panorama virtual
appliance in Panorama mode or for a Dedicated Log Collector. To add virtual disks, you must have
access to the Amazon Web Service Console, the Panorama command-line interface (CLI), and the
Panorama web interface.
The Panorama virtual appliance on AWS supports only 2TB logging disks and, in total, supports up
to 24TB of log storage. You cannot add a logging disk smaller than 2TB or a logging disk of a size
that is not evenly divisible by 2TB because the Panorama virtual appliance partitions logging disks
into 2TB partitions. For example, if you attach a 4TB logging disk, Panorama will create two 2TB
partitions. However, you cannot add a 5TB logging disk because the leftover 1TB is not supported
as a partition.
STEP 1 | Log in to AWS Web Service console and select the EC2 Dashboard.
• Amazon Web Service Console
• AWS GovCloud Web Service Console


STEP 2 | Add a virtual logging disk to Panorama.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. On the EC2 Dashboard, select Volumes and Create Volume:


• Select your preferred Volume Type. For general purpose use, select General Purpose
SSD (GP2).
• Configure the Size of the volume as 2048 GiB.
• Select the same Availability Zone that your Panorama virtual appliance instance is
located in.
• (Optional) Encrypt the volume.
• (Optional) Add tags to your volume.
2. Click Create Volume.

3. In the Volumes page, select the volume you created and select Actions > Attach Volume.
4. Attach the volume to the Panorama virtual appliance Instance.

STEP 3 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to Step 4 to verify the disk
addition.
4. Enter the show system disk details command to verify the status of the disk
addition. Continue to the next step when all newly added disk responses display
Reason : Admin enabled.

STEP 4 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Edit a Log Collector (Panorama > Managed Collectors).
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 5 | (New Panorama deployments in Panorama mode only) Configure Panorama to receive logs.
If you are adding logging disks to an existing Panorama virtual appliance, skip to step 6.
1. Configure a Collector Group.
2. Configure Log Forwarding to Panorama.

STEP 6 | Verify that the Panorama Log Storage capacity is increased.


1. Log in to the Panorama web interface.
2. Select the Collector Group to which the Panorama virtual appliance belongs (Panorama >
Collector Groups).
3. Verify that the Log Storage capacity accurately displays the disk capacity.


Add a Virtual Disk to Panorama on Azure


After you Install Panorama on Azure, add virtual logging disks to the Panorama™ virtual appliance
instance to provide storage for logs generated by managed firewalls. You can add virtual disks to
a local Log Collector for a Panorama virtual appliance in Panorama mode or for a Dedicated Log
Collector. To add virtual disks, you must have access to the Microsoft Azure portal, the Panorama
command-line interface (CLI), and the Panorama web interface.
The Panorama virtual appliance on Azure supports only 2TB logging disks and, in total, supports
up to 24TB of log storage. You cannot add a logging disk smaller than 2TB or a logging disk of a
size that is not evenly divisible by 2TB because the Panorama virtual appliance partitions logging
disks into 2TB partitions. For example, if you attach a 4TB logging disk, Panorama will create
two 2TB partitions. However, you cannot add a 5TB logging disk because the leftover 1TB is not
supported as a partition.
STEP 1 | Log in to the Microsoft Azure portal.


STEP 2 | Add a virtual logging disk to Panorama.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. In the Azure Dashboard, select the Panorama Virtual Machines to which you want to add
a logging disk.
2. Select Disks.
3. +Add data disk.
4. In the drop-down for the new disk, Create disk.

5. Configure the logging disk.


1. Enter the disk Name.
2. Select the Resource group. If you Create new resource groups, enter the group name.
3. Verify the Account type (this field is automatically populated).
4. In the Source type drop-down, select None.
5. Select Change Size and select a 2048 GiB logging disk.
6. Create the new logging disk.
7. For the Host caching, select Read/write.

STEP 3 | Enable each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to Step 4 to verify the disk
addition.
4. Enter the show system disk details command to verify the status of the disk
addition. Continue to the next step when all newly added disk responses display
Reason : Admin enabled.

STEP 4 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Edit a Log Collector (Panorama > Managed Collectors)
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 5 | (New Panorama deployments in Panorama mode only) Configure Panorama to receive logs.
If you are adding logging disks to an existing Panorama virtual appliance, skip to step 6.
1. Configure a Collector Group.
2. Configure Log Forwarding to Panorama.

STEP 6 | Verify that the Panorama Log Storage capacity is increased.


1. Log in to the Panorama web interface.
2. Select the Collector Group to which the Panorama virtual appliance belongs (Panorama >
Collector Groups).
3. Verify that the Log Storage capacity accurately displays the disk capacity.

Add a Virtual Disk to Panorama on Google Cloud Platform


After you Install Panorama on Google Cloud Platform, add virtual logging disks to the Panorama™
virtual appliance instance to provide storage for logs generated by managed firewalls. You can
add virtual disks to a local Log Collector for a Panorama virtual appliance in Panorama mode or for
a Dedicated Log Collector. The Panorama virtual appliance on Google Cloud Platform supports
only 2TB logging disks and, in total, supports up to 24TB of log storage. You cannot add a logging
disk smaller than 2TB or a logging disk of a size that is not evenly divisible by 2TB because the
Panorama virtual appliance partitions logging disks into 2TB partitions. For example, if you attach
a 4TB logging disk, Panorama will create two 2TB partitions. However, you cannot add a 5TB
logging disk because the leftover 1TB is not supported as a partition.
STEP 1 | Log in to the Google Cloud Console.

STEP 2 | Add the virtual logging disk.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. In the Products & Services menu, select and then Edit the Panorama virtual appliance
instance (Compute Engine > VM Instances).
2. In the Addional Disks secon, Add Item.
3. Create disk (Name drop-down).

STEP 3 | Configure the virtual logging disks.


1. Enter the Name.
2. Expand the Disk Type drop-down menu and select the desired type.
3. For the Source type, select None (blank disk).
4. Set the Size (GB) of the virtual logging disk.
5. Click Create.

6. Save the changes to update the Panorama virtual appliance instance.

STEP 4 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to Step 4 to verify the disk
addition.
4. Enter the show system disk details command to verify the status of the disk
addion. Connue to the next step when all newly added disk responses display
Reason : Admin enabled.

STEP 5 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Edit a Log Collector (Panorama > Managed Collectors).
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 6 | (New Panorama deployments in Panorama mode only) Configure Panorama to receive logs.
If you are adding logging disks to an existing Panorama virtual appliance, skip to step 7.
1. Configure a Collector Group.
2. Configure Log Forwarding to Panorama.

STEP 7 | Verify that the Panorama Log Storage capacity is increased.


1. Log in to the Panorama web interface.
2. Select the Collector Group to which the Panorama virtual appliance belongs (Panorama >
Collector Groups).
3. Verify that the Log Storage capacity accurately displays the disk capacity.

Add a Virtual Disk to Panorama on KVM


Aer you Install Panorama on KVM, add virtual logging disks to the Panorama™ virtual appliance
instance to provide storage for logs generated by managed firewalls. You can add virtual disks to
a local log Collector for a Panorama virtual appliance in Panorama mode or for a Dedicated Log
Collector. The Panorama virtual appliance on KVM supports only 2TB logging disks and, in total,
supports up to 24TB of log storage. You cannot add a logging disk smaller than 2TB or a logging
disk of a size that is not evenly divisible by 2TB because the Panorama virtual appliance parons
logging disks in to 2TB parons. For example, if you aach a 4TB logging disk, Panorama will
create two 2TB parons. However, you cannot add a 5TB logging disk because the leover 1TB
is not supported as a paron.
STEP 1 | Shut down the Panorama virtual appliance instance on the Virtual Machine Manager.

STEP 2 | Double-click the Panorama virtual appliance instance in the Virtual Machine Manager and
Show virtual hardware details.

STEP 3 | Add the virtual logging disk. Repeat this step as many times as needed.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. Create a disk image for a virtual image (Add Hardware > Storage) and configure the
virtual disk storage capacity to the appropriate 2TB value: 2000GB or 14901.2GiB
depending on your Virtual Machine Manager.

Depending on the version, some Virtual Machine Managers use GiB (gibibyte)
to allocate memory. Be sure you correctly convert the required storage capacity
to avoid under-provisioning the virtual logging disk and sending the Panorama
virtual appliance into maintenance mode.
2. In the Device type drop-down, select Disk device.
3. In the Bus type drop-down, select VirtIO or IDE based on your configuration.
4. Expand Advanced options and, in the Cache mode drop-down, select writethrough.
5. Click Finish.

STEP 4 | Power on the Panorama virtual appliance instance.

STEP 5 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to Step 4 to verify the disk
addition.
4. Enter the show system disk details command to verify the status of the disk
addion. Connue to the next step when all newly added disk responses display
Reason : Admin enabled.

STEP 6 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Edit a Log Collector (Panorama > Managed Collectors).
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 7 | (New Panorama deployments in Panorama mode only) Configure Panorama to receive logs.
If you are adding logging disks to an existing Panorama virtual appliance, skip to step 8.
1. Configure a Collector Group.
2. Configure Log Forwarding to Panorama.

STEP 8 | Verify that the Panorama Log Storage capacity is increased.


1. Log in to the Panorama web interface.
2. Select the Collector Group to which the Panorama virtual appliance belongs (Panorama >
Collector Groups).
3. Verify that the Log Storage capacity accurately displays the disk capacity.

Add a Virtual Disk to Panorama on Hyper-V


Aer you Install Panorama on Hyper-V, add virtual logging disks to the Panorama™ virtual
appliance instance to provide storage for logs generated by managed firewalls. You can add
virtual disks to a local log Collector for a Panorama virtual appliance in Panorama mode or for a
Dedicated Log Collector. The Panorama virtual appliance on Hyper-V supports only 2TB logging
disks and, in total, supports up to 24TB of log storage. You cannot add a logging disk smaller
than 2TB or a logging disk of a size that is not evenly divisible by 2TB because the Panorama
virtual appliance parons logging disks in to 2TB parons. For example, if you aach a 4TB
logging disk, Panorama will create two 2TB parons. However, you cannot add a 5TB logging
disk because the leover 1TB is not supported as a paron.
STEP 1 | Power off the Panorama virtual appliance.
1. On the Hyper-V Manager, select the Panorama virtual appliance instance from the list of
Virtual Machines.
2. Select Acon > Turn Off to power off the Panorama virtual appliance.

STEP 2 | Add the virtual logging disk. Repeat this step as many times as needed.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. Select the Panorama virtual appliance from the list of Virtual Machines, and select
Action > Settings.
2. In the Hardware list, select IDE Controller 0.
3. From the IDE Controller drives list, select Hard Drive and Add the new virtual logging
disk.

4. Select the new Hard Drive created under IDE Controller 0.


5. Under Media, add a New hard disk.


STEP 3 | Configure the new virtual logging disk.


1. If you see the Before You Begin prompt, click Next to begin adding the virtual logging
disk.
2. For the Disk Format, select VHDX. Click Next to continue.
3. For the Disk Type, select Fixed Size or Dynamically Expanding based on your needs.
Click Next to continue.
4. Specify the Name and Location for the virtual logging disk file. Click Next to continue.
5. To configure the disk, select Create a new virtual hard disk and enter the disk size. Click
Next to continue.
6. Review the Summary and Finish adding the virtual hard logging disk.
7. Apply the new hard disk addition.

STEP 4 | Power on the Panorama virtual appliance.


1. Select the Panorama virtual appliance instance from the list of Virtual Machines.
2. Select Acon > Start to power on the Panorama virtual appliance.

STEP 5 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to Step 4 to verify the disk
addition.
4. Enter the show system disk details command to verify the status of the disk
addion. Connue to the next step when all newly added disk responses display
Reason : Admin enabled.

STEP 6 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Edit a Log Collector (Panorama > Managed Collectors).
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 7 | (New Panorama deployments in Panorama mode only) Configure Panorama to receive logs.
If you are adding logging disks to an existing Panorama virtual appliance, skip to Step 8.
1. Configure a Collector Group.
2. Configure Log Forwarding to Panorama.

STEP 8 | Verify that the Panorama Log Storage capacity is increased.


1. Log in to the Panorama web interface.
2. Select the Collector Group to which the Panorama virtual appliance belongs (Panorama >
Collector Groups).
3. Verify that the Log Storage capacity accurately displays the disk capacity.

Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)


Aer you Install Panorama on Oracle Cloud Infrastructure (OCI), add addional virtual logging
disks to expand log storage capacity on the Panorama™ virtual appliance for logs generated
by managed firewalls. You can add virtual disks to a local Log Collector for a Panorama virtual
appliance in Panorama mode or for a Dedicated Log Collector. To add virtual disks, you must have
access to the OCI console, the Panorama command-line interface (CLI), and the Panorama web
interface.
The Panorama virtual appliance on OCI supports only 2TB logging disks and, in total, supports up
to 24TB of log storage. You cannot add a logging disk smaller than 2TB or a logging disk of a size
that is not evenly divisible by 2TB because the Panorama virtual appliance parons logging disks
in to 2TB parons. For example, if you aach a 4TB logging disk, Panorama will create two 2TB
parons. However, you cannot add a 5TB logging disk because the leover 1TB is not supported
as a paron.
STEP 1 | Log in to the Oracle Cloud Infrastructure console.

STEP 2 | Create a 2TB block volume.


1. Select Block Storage > Block Volumes and Create Block Volume.
2. Enter a descripve Name for the volume.
3. Select the same Availability Domain as the Panorama virtual appliance instance.
4. Select the Custom volume size.
5. For the Volume Size, enter 2000.
6. Create Block Volume.

STEP 3 | Aach a virtual logging disk to the Panorama virtual appliance instance.

In all modes, the first logging disk on the Panorama VM must be at least 2TB in order
to add additional disks. If the first logging disk is smaller than 2TB, you will be unable
to add additional disk space.

1. Select Compute > Instances and click the name of the Panorama virtual appliance
instance.
2. Under resources, select Attached Block Volumes and Attach Block Volume.
3. For the Volume, Select volume and select the virtual logging disk.
4. For the Access, select Read/Write.
5. Aach the virtual logging disk.

STEP 4 | Configure each disk.


The following example uses the sdc virtual disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the disks on the Panorama virtual appliance:
show system disk details
The user will see the following response:

Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled

3. Enter the following command and confirm the request when prompted for all disks with
the Reason : Admin disabled response:
request system disk add sdc

The request system disk add command is not available on a Panorama
management server in Management Only mode because logging is not supported
in this mode. If you do not see the command, Set up a Panorama Virtual
Appliance in Panorama Mode to enable the logging disks. Once in Panorama
mode, Log in to the Panorama CLI and continue to the next step to verify the
disk addition.
4. Enter the show system disk details command to verify the status of the disk
addion. Connue to the next step when all newly added disk responses display
Reason : Admin enabled.
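Sub-steps 2 through 4 above decide which disks still need request system disk add; the same sequence appears in the Google Cloud Platform, KVM, and Hyper-V procedures earlier. The following Python script is an added example, not Palo Alto Networks code: it parses a constructed copy of show system disk details output in the format shown in this guide, applies the 2TB-partition and 24TB-total rules from the introduction, and lists the commands still to run together with any disk that would be rejected.

```python
"""Added example (not Palo Alto Networks code): parse the output of the Panorama
CLI command `show system disk details` in the format shown in this guide, find
logging disks still reported as `Reason : Admin disabled`, check each one
against the 2TB-partition rule, and list the `request system disk add <name>`
commands that remain to be run."""
import re
from dataclasses import dataclass

# The guide reports sizes in MB and shows a 2TB logging disk as 2048000 MB.
TWO_TB_MB = 2_048_000
# The virtual appliance supports at most 24TB of log storage in total.
MAX_LOG_STORAGE_MB = 12 * TWO_TB_MB

# Constructed sample output: sdb is already enabled, sdc and sde are pending,
# sdd is a 5TB disk, which the guide says Panorama cannot partition.
SAMPLE_OUTPUT = """\
Name : sdb
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin enabled
Name : sdc
State : Present
Size : 2048000 MB
Status : Available
Reason : Admin disabled
Name : sdd
State : Present
Size : 5120000 MB
Status : Available
Reason : Admin disabled
Name : sde
State : Present
Size : 4096000 MB
Status : Available
Reason : Admin disabled
"""


@dataclass
class Disk:
    name: str
    state: str = ""
    size_mb: int = 0
    status: str = ""
    reason: str = ""


FIELD_RE = re.compile(r"^\s*(Name|State|Size|Status|Reason)\s*:\s*(.*?)\s*$")


def parse_disk_details(output: str) -> list[Disk]:
    """Split the key/value lines into one Disk per 'Name' record."""
    disks: list[Disk] = []
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank line or CLI prompt
        key, value = m.group(1), m.group(2)
        if key == "Name":
            disks.append(Disk(name=value))
            continue
        if not disks:
            continue  # field before any Name line: ignore
        d = disks[-1]
        if key == "State":
            d.state = value
        elif key == "Size":
            d.size_mb = int(value.split()[0])  # drop the 'MB' unit
        elif key == "Status":
            d.status = value
        elif key == "Reason":
            d.reason = value
    return disks


def partitions_for(size_mb: int) -> int:
    """2TB partitions Panorama would create, or 0 if the size is not a whole
    multiple of 2TB (a 4TB disk gives two, a 5TB disk is rejected)."""
    if size_mb <= 0 or size_mb % TWO_TB_MB != 0:
        return 0
    return size_mb // TWO_TB_MB


def plan_disk_additions(output: str) -> dict:
    """Return the add commands still to run, the disks to skip with a reason,
    and the log storage (MB) that would be enabled after running them."""
    disks = parse_disk_details(output)
    enabled_mb = sum(d.size_mb for d in disks if d.reason == "Admin enabled")
    plan = {"add": [], "skip": {}, "enabled_mb": enabled_mb}
    for d in disks:
        if d.reason == "Admin enabled":
            continue  # already usable for logging
        if d.state != "Present" or d.status != "Available":
            plan["skip"][d.name] = f"state {d.state!r}, status {d.status!r}"
        elif d.reason != "Admin disabled":
            plan["skip"][d.name] = f"unexpected reason {d.reason!r}"
        elif partitions_for(d.size_mb) == 0:
            plan["skip"][d.name] = f"{d.size_mb} MB is not a whole multiple of 2TB"
        elif plan["enabled_mb"] + d.size_mb > MAX_LOG_STORAGE_MB:
            plan["skip"][d.name] = "would exceed the 24TB log storage limit"
        else:
            plan["add"].append(f"request system disk add {d.name}")
            plan["enabled_mb"] += d.size_mb
    return plan


if __name__ == "__main__":
    result = plan_disk_additions(SAMPLE_OUTPUT)
    for cmd in result["add"]:
        print(cmd)
    for name, why in result["skip"].items():
        print(f"skip {name}: {why}")
```

Paste the real CLI output in place of the constructed sample; each listed command still has to be confirmed interactively on Panorama, and step 4 above (a fresh show system disk details) remains the authoritative check.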

STEP 5 | Make disks available for logging.


1. Log in to the Panorama web interface.
2. Edit a Log Collector (Panorama > Managed Collectors).
3. Select Disks and Add each newly added disk.
4. Click OK.
5. Select Commit > Commit to Panorama.

For Panorama in an Active/Passive high availability (HA) configuration, wait for
HA sync to complete before continuing.
6. Select Commit > Push to Devices and push the changes to the Collector Group the Log
Collector belongs to.

STEP 6 | (New Panorama deployments in Panorama mode only) Configure Panorama to receive logs.
If you are adding logging disks to an existing Panorama virtual appliance, skip to step 6.
1. Configure a Collector Group.
2. Configure Log Forwarding to Panorama.

STEP 7 | Verify that the Panorama Log Storage capacity is increased.


1. Log in to the Panorama web interface.
2. Select the Collector Group to which the Panorama virtual appliance belongs (Panorama >
Collector Groups).
3. Verify that the Log Storage capacity accurately displays the disk capacity.

Mount the Panorama ESXi Server to an NFS Datastore


When the Panorama virtual appliance in Legacy mode runs on an ESXi server, mounting to a
Network File System (NFS) datastore enables logging to a centralized location and expanding
the log storage capacity beyond what a virtual disk supports. (ESXi 5.5 and later versions can
support a virtual disk of up to 8TB. Earlier ESXi versions support a virtual disk of up to 2TB.)
Before setting up an NFS datastore in a Panorama high availability (HA) configuration, see Logging
Considerations in Panorama HA.

The Panorama virtual appliance in Panorama mode does not support NFS.

STEP 1 | Select Panorama > Setup > Operations and, in the Miscellaneous section, click Storage
Partition Setup.

STEP 2 | Set the Storage Partition type to NFS V3.

STEP 3 | Enter the IP address of the NFS Server.

STEP 4 | Enter the Log Directory path for storing the log files. For example, export/panorama.

STEP 5 | For the Protocol, select TCP or UDP, and enter the Port for accessing the NFS server.

To use NFS over TCP, the NFS server must support it. Common NFS ports are UDP/TCP
111 for RPC and UDP/TCP 2049 for NFS.

STEP 6 | For opmal NFS performance, in the Read Size and Write Size fields, specify the maximum
size of the chunks of data that the client and server pass back and forth to each other.
Defining a read/write size opmizes the data volume and speed in transferring data between
Panorama and the NFS datastore.

STEP 7 | (Oponal) Select Copy On Setup to copy the exisng logs stored on Panorama to the NFS
volume. If Panorama has a lot of logs, this opon might iniate the transfer of a large volume
of data.

STEP 8 | Click Test Logging Partition to verify that Panorama can access the NFS Server and Log
Directory.

STEP 9 | Click OK to save your changes.

STEP 10 | Select Commit > Commit to Panorama and Commit your changes. Until you reboot, the
Panorama virtual appliance writes logs to the local storage disk.

STEP 11 | Select Panorama > Setup > Operations and select Reboot Panorama in the Device
Operations section. After rebooting, Panorama starts writing logs to the NFS datastore.

Increase CPUs and Memory on the Panorama Virtual Appliance


When you Perform Initial Configuration of the Panorama Virtual Appliance, you specify
the memory and number of CPUs based on whether the appliance is in Panorama mode or
Management Only mode and based on the log storage capacity or number of managed firewalls.
If you later add storage capacity or managed firewalls, you must also increase the memory and
CPUs. A Panorama virtual appliance in Log Collector mode must meet the system requirements,
and does not need to have the CPU and memory increased beyond the minimum requirement.
Review the Setup Prerequisites for the Panorama Virtual Appliance for the CPU and memory
requirements for each Panorama mode.
• Increase CPUs and Memory for Panorama on an ESXi Server
• Increase CPUs and Memory for Panorama on vCloud Air
• Increase CPUs and Memory for Panorama on Alibaba Cloud
• Increase CPUs and Memory for Panorama on AWS
• Increase CPUs and Memory for Panorama on Azure
• Increase CPUs and Memory for Panorama on Google Cloud Platform
• Increase CPUs and Memory for Panorama on KVM
• Increase CPUs and Memory for Panorama on Hyper-V
• Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)

Increase CPUs and Memory for Panorama on an ESXi Server


For the minimum CPUs and memory that Panorama requires, see Increase CPUs and Memory on
the Panorama Virtual Appliance.
STEP 1 | Access the VMware vSphere Client and select Virtual Machines.

STEP 2 | Right-click the Panorama virtual appliance and select Power > Power Off.

STEP 3 | Right-click the Panorama virtual appliance and select Edit Settings.

STEP 4 | Select Memory and enter the new Memory Size.

STEP 5 | Select CPUs and specify the number of CPUs (the Number of virtual sockets multiplied by
the Number of cores per socket).

STEP 6 | Click OK to save your changes.

STEP 7 | Right-click the Panorama virtual appliance and select Power > Power On.

Increase CPUs and Memory for Panorama on vCloud Air


For the minimum CPUs and memory that Panorama requires, see Increase CPUs and Memory on
the Panorama Virtual Appliance.
STEP 1 | Access the vCloud Air web console and select your Virtual Private Cloud OnDemand region.

STEP 2 | In the Virtual Machines tab, select the Panorama virtual machine and Power Off.

STEP 3 | Select Acons > Edit Resources.

STEP 4 | Set the CPU and Memory.

STEP 5 | Save your changes.

STEP 6 | Select the Panorama virtual machine and Power On.

Increase CPUs and Memory for Panorama on Alibaba Cloud


You can change the instance type of the Panorama™ virtual appliance to increase the CPUs and
memory allocated to the Panorama virtual appliance instance. Be sure to review the supported
Alibaba Cloud instance types and the Setup Prerequisites for the Panorama Virtual Appliance
before changing the instance type.
STEP 1 | Log in to the Alibaba Cloud Console.

STEP 2 | Select Elasc Compute Service > Instances & Images > Instances and navigate to the
Panorama virtual appliance instance.

STEP 3 | In the Acons column, select More > Instance Status > Stop.

STEP 4 | Change the Panorama virtual appliance instance type.


1. Select the Panorama virtual appliance if not already selected.
2. In the Acons column, select Change Instance Type.
3. Select the desired instance type and Change the instance type.
4. When prompted, select Console to view your Panorama virtual appliance instance.

STEP 5 | In the Acons column for the Panorama virtual appliance instance, select More > Instance
Status > Start.

STEP 6 | Verify the increased CPU and memory.


1. Log in to the Panorama CLI.
2. View the Panorama virtual appliance system information.

admin> show system info

3. Verify that the num-cpus and ram-in-gb display the correct number of CPUs and
amount of memory as per the instance type you selected.

Increase CPUs and Memory for Panorama on AWS


For the minimum CPUs and memory that Panorama™ requires, see Increase CPUs and Memory on
the Panorama Virtual Appliance.

A Panorama virtual appliance in Log Collector mode does not remain in Log Collector mode
if you resize the virtual machine after you deploy it and this can result in a loss of log data.

STEP 1 | Log in to AWS Web Service console and select the EC2 Dashboard.
• Amazon Web Service Console
• AWS GovCloud Web Service Console

STEP 2 | On the EC2 Dashboard, select Instances and select the Panorama virtual appliance instance.

STEP 3 | Select Acons > Instance State > Stop to power off the Panorama virtual appliance instance.

STEP 4 | Select Acons > Instance Sengs > Change Instance Type to change the Panorama virtual
appliance instance type.

STEP 5 | Select the Instance Type to which you want to upgrade and Apply it.

STEP 6 | Select Acons > Instance State > Start to power on the Panorama virtual appliance instance.

Increase CPUs and Memory for Panorama on Azure


For the minimum CPUs and memory that Panorama™ requires, see Increase CPUs and Memory on
the Panorama Virtual Appliance.

A Panorama virtual appliance in Log Collector mode does not remain in Log Collector mode
if you resize the virtual machine after you deploy it and this can result in a loss of log data.

STEP 1 | Log in to the Microsoft Azure portal.

STEP 2 | On the Azure Dashboard, under Virtual machines, select the Panorama virtual appliance.

STEP 3 | Select Overview and Stop the Panorama virtual appliance.

STEP 4 | Choose the new virtual machine Size and then Select it.

STEP 5 | Select Overview and Start the Panorama virtual appliance.

Increase CPUs and Memory for Panorama on Google Cloud Platform


For the minimum CPUs and memory that Panorama™ requires, see Increase CPUs and Memory on
the Panorama Virtual Appliance.

A Panorama virtual appliance in Log Collector mode does not remain in Log Collector mode
if you resize the virtual machine after you deploy it and this can result in a loss of log data.

STEP 1 | Log in to the Google Cloud Console.

STEP 2 | Stop the Panorama virtual appliance instance.


1. Select the Panorama virtual appliance instance in the Products & Services menu
(Compute Engine > VM Instances).
2. Stop the Panorama virtual appliance instance. It can take 2 to 3 minutes for the
Panorama virtual appliance to completely shut down.

STEP 3 | Reconfigure the Panorama virtual appliance resources.


1. Edit the Panorama virtual appliance instance details.
2. Under Machine Type, Customize the Panorama virtual appliance CPU cores and memory.

STEP 4 | Save the changes to update the Panorama virtual appliance instance.

STEP 5 | Start the Panorama virtual appliance.

Increase CPUs and Memory for Panorama on KVM


For the minimum CPUs and memory that Panorama™ requires, see Increase CPUs and Memory on
the Panorama Virtual Appliance.

A Panorama virtual appliance in Log Collector mode does not remain in Log Collector mode
if you resize the virtual machine after you deploy it and this can result in a loss of log data.

STEP 1 | Shut down the Panorama virtual appliance instance on the Virtual Machine Manager.

STEP 2 | Double-click the Panorama virtual appliance instance in the Virtual Machine Manager and
Show virtual hardware details.

STEP 3 | Edit the allocated Panorama virtual appliance CPU cores.


1. Edit the currently allocated CPUs.
2. Apply the reconfigured CPU core allocation.

STEP 4 | Edit the allocated Panorama virtual appliance memory.


1. Edit the currently allocated Memory.
2. Apply the reconfigured memory allocation.

STEP 5 | Power on the Panorama virtual appliance instance.

Increase CPUs and Memory for Panorama on Hyper-V


For the minimum CPUs and memory that Panorama™ requires, see Increase CPUs and Memory on
the Panorama Virtual Appliance.

A Panorama virtual appliance in Log Collector mode does not remain in Log Collector mode
if you resize the virtual machine after you deploy it and this can result in a loss of log data.

STEP 1 | Power off the Panorama virtual appliance.


1. On the Hyper-V Manager, select the Panorama virtual appliance instance from the list of
Virtual Machines.
2. Select Acon > Turn Off to power off the Panorama virtual appliance.

STEP 2 | On the Hyper-V Manager, select the Panorama virtual appliance instance from the list
of Virtual Machines, and select Action > Settings to edit the Panorama virtual appliance
resources.

STEP 3 | Edit the allocated Panorama virtual appliance memory.


1. In the Hardware list, select Memory.
2. Edit the currently allocated Startup RAM.

STEP 4 | Edit the allocated Panorama virtual appliance CPU cores.


1. In the Hardware list, select Processor.
2. Edit the currently allocated Number of virtual processors.

STEP 5 | Apply the reallocated memory and CPU cores.

STEP 6 | Power on the Panorama virtual appliance.


1. Select the Panorama virtual appliance instance from the list of Virtual Machines.
2. Select Acon > Start to power on the Panorama virtual appliance.

Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)
You can change the instance type of the Panorama™ virtual appliance to increase the CPUs
and memory allocated to the Panorama virtual appliance instance. Be sure to review the Setup
Prerequisites for the Panorama Virtual Appliance before modifying the Panorama virtual appliance
instance CPUs and memory.
STEP 1 | Log in to the Oracle Cloud Infrastructure console.

STEP 2 | Power off the Panorama virtual appliance instance.


1. Select Compute > Instances and click the name of the Panorama virtual appliance
instance.
2. Stop the Panorama virtual appliance instance.

STEP 3 | Increase the CPUs and memory.


1. In the instance details, select Edit > Edit Shape.
2. Increase the number of CPUs and memory allocated to the instance.
3. Save Changes.

STEP 4 | In instance details, Start the Panorama virtual appliance.

STEP 5 | Verify the increased CPU and memory.


1. Log in to the Panorama CLI.
2. View the Panorama virtual appliance system information.

admin> show system info

3. Verify that the num-cpus and ram-in-gb display the correct number of CPUs and
amount of memory as per the instance type you selected.

Increase the System Disk on the Panorama Virtual Appliance


Expand the Panorama virtual appliance system disk capacity to 224GB to support large
datasets and to provide sufficient disk space for items such as dynamic updates when you Manage
Large-Scale Firewall Deployments. Additionally, a 224GB system disk expands storage for
monitoring and reporting data for managed firewall health if you intend to use the Panorama
virtual appliance in Panorama mode to manage your SD-WAN deployment.
• Increase the System Disk for Panorama on an ESXi Server
• Increase the System Disk for Panorama on Google Cloud Platform

Increase the System Disk for Panorama on an ESXi Server


Add a 224GB system disk to replace the default 81GB system disk. For the minimum resource
requirements for the Panorama virtual appliance, see Setup Prerequisites for the Panorama Virtual
Appliance.

Decreasing the Panorama virtual appliance system disk back to 81GB is not supported.

STEP 1 | (Best Pracce) Save and Export Panorama and Firewall Configuraons.
Save and export your Panorama and firewall configuraon to ensure you can recover Panorama
if you encounter any issues.

STEP 2 | Access the VMware vSphere Client and navigate to your Panorama virtual appliance.

STEP 3 | Right-click the Panorama virtual appliance and select Power > Power Off.

STEP 4 | Add the new 224GB system disk.


1. Right-click the Panorama virtual appliance and Edit Settings.
2. Select New Hard Disk as the New Device and Add the new device.
3. Configure the new hard disk with 224GB and click OK.

STEP 5 | Right-click the Panorama virtual appliance and select Power > Power On.

Panorama may take up to 30 minutes to initialize the new system disk. During this time
the Panorama web interface and CLI are unavailable.


STEP 6 | Migrate disk data from the old system disk to the new system disk.
In this example, we are migrating to the newly added system disk labeled sdb.
1. Log in to the Panorama CLI.
2. Enter the following command to view the available system disks for migration:

admin> request system clone-system-disk target ?

3. Migrate the disk data to the new system disk using the following command:

admin> request system clone-system-disk target sdb

Enter Y when prompted to begin the disk migration.

To begin the migration, Panorama reboots and takes at least 20 minutes to
complete the disk migration. During this time the Panorama web interface and
CLI are unavailable.
4. Monitor the disk migration from the web Console. Continue to the next step only after
Panorama displays the following message to indicate the disk migration is complete.

STEP 7 | Delete the old system disk.


1. Access the VMware vSphere Client and navigate to your Panorama virtual appliance.
2. Right-click the Panorama virtual appliance and select Power > Power Off.
3. Right-click the Panorama virtual appliance and Edit Settings.
4. Delete the old 81GB system disk and click OK.


STEP 8 | Modify the Virtual Device Node for the new system disk.
1. Expand the settings options for the new system disk.
2. Select SCSI(0:0) as the Virtual Device Node.
3. Click OK to save your configuration changes.

STEP 9 | Right-click the Panorama virtual appliance and select Power > Power On.

STEP 10 | Verify that you successfully migrated to the new system disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the system disk partitions.
Add the sizes of the /dev/root, /dev/sda5, /dev/sda6, and /dev/sda8 partitions to
confirm that the disk size increased.

admin> show system disk-space


Increase the System Disk for Panorama on Google Cloud Platform


Add a 224GB system disk to replace the default 81GB system disk. For the minimum resource
requirements for the Panorama virtual appliance, see Setup Prerequisites for the Panorama Virtual
Appliance.
STEP 1 | (Best Practice) Save and Export Panorama and Firewall Configurations.
Save and export your Panorama and firewall configuration to ensure you can recover Panorama
if you encounter any issues.

STEP 2 | Log in to the Google Cloud Console.

STEP 3 | In VM Instances, Stop the Panorama VM instance.

STEP 4 | Add the new 224GB system disk.


1. Select the Panorama VM instance and select Edit.
2. In the Additional disks section, Add new disk.
3. Configure the new disk with 224GB and click OK.

STEP 5 | In VM Instances, Start the Panorama VM instance.


STEP 6 | Migrate disk data from the old system disk to the new system disk.
In this example, we are migrating to the newly added system disk labeled sdb.
1. Log in to the Panorama CLI.
2. Enter the following command to view the available system disks for migration:

admin> request system clone-system-disk target ?

3. Migrate the disk data to the new system disk using the following command:

admin> request system clone-system-disk target sdb

Enter Y when prompted to begin the disk migration.

To begin the migration, Panorama reboots and takes at least 20 minutes to
complete the disk migration. During this time the Panorama web interface and
CLI are unavailable.
4. Monitor the disk migration by attempting to log in to the Panorama CLI. The Panorama
management server is in maintenance mode after the system disk migration is completed
and will allow you to log in to the Panorama CLI while in maintenance mode.

STEP 7 | Aach the new 224GB system disk.


1. In VM Instances, Stop the Panorama VM instance.
2. Select the Panorama VM instance and select Edit.
3. In the Addional disks secon, detach the new 224GB system disk.
4. In the Boot Disk secon, detach the old 81GB system disk.
5. In the Boot Disk secon, Add item and select the new 224GB system disk.
6. Save your configuraon changes.

STEP 8 | In VM Instances, Start the Panorama VM instance.


STEP 9 | Verify that you successfully migrated to the new system disk.
1. Log in to the Panorama CLI.
2. Enter the following command to view the system disk partitions.
Add the sizes of the /dev/root, /dev/sda5, /dev/sda6, and /dev/sda8 partitions to
confirm that the disk size increased.

admin> show system disk-space
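The final verification step in both the ESXi and the Google Cloud Platform procedures asks you to add up the /dev/root, /dev/sda5, /dev/sda6 and /dev/sda8 partitions from `show system disk-space`. The script below is an added example (not Palo Alto Networks code) that does that arithmetic for you: it parses the df-style rows the command prints (Filesystem, Size, Used, Avail, Use%, Mounted on), sums the sizes of those four partitions, refuses to report a total if any of them is missing, and compares a capture taken after the migration with one taken before it. Both captures are constructed samples; the sizes on your appliance will differ, and the 81GB and 224GB disks do not map exactly onto the four partitions because the system disk also holds partitions the procedure does not list.

```python
"""Confirm the system-disk expansion from `show system disk-space` output.

Added example, not Palo Alto Networks code. Sums the sizes of the system
partitions named in the verification step and compares before/after captures.
Both captures below are constructed samples.
"""
import re

SYSTEM_PARTITIONS = ("/dev/root", "/dev/sda5", "/dev/sda6", "/dev/sda8")

# Constructed sample: captured on the original 81GB system disk.
BEFORE = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       6.9G  4.1G  2.5G  63% /
none            7.8G   64K  7.8G   1% /dev
/dev/sda5        16G  5.6G  9.3G  38% /opt/pancfg
/dev/sda6       7.9G  2.5G  5.0G  34% /opt/panrepo
tmpfs           7.8G   77M  7.7G   1% /dev/shm
/dev/sda8        30G  3.4G   25G  12% /opt/panlogs
"""

# Constructed sample: captured after cloning to the 224GB system disk.
AFTER = """\
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        20G  4.1G   15G  22% /
none            7.8G   64K  7.8G   1% /dev
/dev/sda5        60G  5.6G   52G  10% /opt/pancfg
/dev/sda6        20G  2.5G   17G  13% /opt/panrepo
tmpfs           7.8G   77M  7.7G   1% /dev/shm
/dev/sda8       110G  3.4G  101G   4% /opt/panlogs
"""

_UNIT_GB = {"K": 1 / 1024 ** 2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)([KMGT])$")


def size_to_gb(token):
    """Convert a human-readable df size such as '7.9G' or '64K' to gigabytes.

    A token without a unit suffix is rejected rather than guessed at, so a
    raw block count can never be silently mistaken for a gigabyte figure.
    """
    match = _SIZE.match(token)
    if not match:
        raise ValueError(f"unrecognised size token: {token!r}")
    value, unit = match.groups()
    return float(value) * _UNIT_GB[unit]


def parse_disk_space(text):
    """Map each filesystem in df-style output to its size in GB."""
    sizes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] == "Filesystem":
            continue  # blank line or the header row
        sizes[fields[0]] = size_to_gb(fields[1])
    return sizes


def system_disk_total_gb(text, partitions=SYSTEM_PARTITIONS):
    """Sum the named partitions; fail loudly if any of them is absent."""
    sizes = parse_disk_space(text)
    missing = [p for p in partitions if p not in sizes]
    if missing:
        raise ValueError(f"partitions not found in output: {missing}")
    return round(sum(sizes[p] for p in partitions), 1)


def disk_expanded(after_text, before_text):
    """True when the summed system partitions grew across the migration."""
    return system_disk_total_gb(after_text) > system_disk_total_gb(before_text)


if __name__ == "__main__":
    print("before:", system_disk_total_gb(BEFORE), "GB")
    print("after: ", system_disk_total_gb(AFTER), "GB")
    print("expanded:", disk_expanded(AFTER, BEFORE))
```

Capture `show system disk-space` once before Step 1 and once after the final power-on, then feed both captures to `disk_expanded`; a `ValueError` naming a missing partition is the signal to stop and investigate rather than delete the old disk.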

Complete the Panorama Virtual Appliance Setup


Aer you Perform Inial Configuraon of the Panorama Virtual Appliance, connue with the
following tasks for addional configuraon:
• Acvate a Panorama Support License
• Acvate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is
Internet-connected
• Install Content and Soware Updates for Panorama
• Access and Navigate Panorama Management Interfaces
• Set Up Administrave Access to Panorama
• Manage Firewalls

Convert Your Panorama Virtual Appliance


You can convert your evaluation Panorama™ virtual appliance to a production Panorama virtual
appliance to preserve its existing configuration and begin leveraging the management platform.
If you are utilizing Enterprise License Agreement (ELA) licensing, you can convert an existing
production Panorama virtual appliance to leverage the benefits of ELA licensing.
• Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
• Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
• Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
• Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
• Convert Your Production Panorama to an ELA Panorama


Convert Your Evaluaon Panorama to a Producon Panorama with Local Log Collector
If you have an evaluaon Panorama™ virtual appliance in Panorama mode configured with a local
Log Collector, you can convert it to a producon Panorama by migrang the configuraon from
the evaluaon Panorama to the producon Panorama and modifying as needed.

Logs ingested by the Log Collector on a Panorama virtual appliance cannot be migrated.
If you need to maintain access to the logs stored on your evaluaon Panorama virtual
appliance, aer you migrate the evaluaon Panorama configuraon to the producon
Panorama, keep your evaluaon Panorama powered on to access the logs locally for
the remainder of the evaluaon license lifeme. Adding the evaluaon Panorama to the
producon Panorama as a managed collector is not supported.

STEP 1 | Plan the migration.

Upgrade the software on the Panorama virtual appliance before you convert your evaluation
Panorama virtual appliance to a production Panorama virtual appliance. Review the
Compatibility Matrix for the minimum PAN-OS version required for your hypervisor. For
important details about software versions, see Panorama, Log Collector, Firewall, and
WildFire Version Compatibility.
Schedule a maintenance window for the migration.

STEP 2 | Set up your production Panorama virtual appliance.

1. Set Up the Panorama Virtual Appliance.
2. Register the Panorama virtual appliance with the Palo Alto Networks Customer Support
Portal (CSP).
The Panorama serial number and authorization code are found in the Order Summary
email from Palo Alto Networks.
3. Install Content and Software Updates for Panorama.

STEP 3 | Acvate the device management license on the Palo Alto Networks Custer Support Portal
(CSP) for the producon Panorama virtual appliance.
1. Log in to the Palo Alto Networks CSP.
2. Select Assets > Devices and locate your Panorama virtual appliance.
3. In the Acon column, click the pencil icon to edit the device licenses.
4. Select Acvate Auth-Code and enter the Authorizaon Code.
5. Select Agree and Submit to acvate the device management license.

STEP 4 | Export the Panorama configuration from the evaluation Panorama virtual appliance.
1. Log in to the Panorama Web Interface.
2. Select Panorama > Setup > Operations.
3. Click Export named Panorama configuration snapshot, select running-config.xml
and click OK. Panorama exports the configuration to your client system as an XML file.
4. Locate the running-config.xml file you exported and rename the XML file. This is
required to import the configuration as Panorama does not support importing an XML
file with the name running-config.xml.


STEP 5 | Load the Panorama configuration snapshot that you exported from the evaluation Panorama
virtual appliance into the production Panorama virtual appliance.
1. Log in to the Panorama Web Interface of the production Panorama virtual appliance.
2. Select Panorama > Setup > Operations.
3. Click Import named Panorama configuration snapshot, Browse to the Panorama
configuration file you exported from the Panorama virtual appliance, and click OK.
4. Click Load named Panorama configuration snapshot, select the Name of the
configuration you just imported, leave the Decryption Key blank (empty), and click OK.
Panorama overwrites its current candidate configuration with the loaded configuration.
Panorama displays any errors that occur when loading the configuration file.
5. If errors occurred, save them to a local file. Resolve each error to ensure the migrated
configuration is valid.

STEP 6 | Modify the configuration on the production Panorama virtual appliance.

1. Select Panorama > Setup > Management.
2. Edit the General Settings, modify the Hostname, and click OK.
3. Edit the Management Interface Settings to configure the management IP address and
click OK.

The most efficient approach is to assign a new IP address to the evaluation
Panorama virtual appliance and reuse its old IP address for the production
Panorama virtual appliance. This ensures that the evaluation Panorama virtual
appliance remains accessible and that firewalls can point to the production
Panorama virtual appliance without you reconfiguring the Panorama IP address
on each firewall.
4. Remove the Log Collector configuration imported from the evaluation Panorama.
1. Select Panorama > Collector Group and Delete all configured collector groups.
2. Select Panorama > Managed Collectors and Delete all configured Log Collectors.
5. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.

STEP 7 | Configure your Log Collectors and collector groups.


You must add the managed collectors, collector group configuration, and log forwarding
configurations you deleted in the previous step, as well as add the local Log Collector.
1. Configure a Managed Collector.
2. Configure a Collector Group.
3. Configure Log Forwarding to Panorama.

STEP 8 | Verify that the support and device management licenses are successfully activated.
1. Select Panorama > Licenses and Retrieve license keys from license server.
2. Verify the Device Management License displays the correct number of devices.
3. Select Panorama > Support and verify that the correct support Level and Expiry Date are
displayed.


STEP 9 | Synchronize the production Panorama virtual appliance with the firewalls to resume firewall
management.

Complete this step during a maintenance window to minimize network disruption.

1. On the production Panorama virtual appliance, select Panorama > Managed Devices and
verify that the Device State column displays Connected for the firewalls.
At this point, the Shared Policy (device groups) and Template columns display Out of sync
for the firewalls.
2. Push your changes to device groups and templates:
1. Select Commit > Push to Devices and Edit Selections.
2. Select Device Groups, select every device group, Include Device and Network
Templates, and click OK.
3. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template
columns display In sync for the firewalls.

Convert Your Evaluaon Panorama to a Producon Panorama without Local Log


Collector
Change the serial number of your evaluaon Panorama virtual appliance in Management Only
mode or in Panorama mode with no local Log Collector configured to convert it to a producon
Panorama virtual appliance.
If a local Log Collector is configured, see Convert Your Evaluaon Panorama to a Producon
Panorama with Local Log Collector.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Panorama > Setup > Management and edit the General Settings.

STEP 3 | Enter the Serial Number provided by Palo Alto Networks.


The Panorama serial number and authorization code are obtained from the deployment profile
you created in the previous step.

STEP 4 | Click OK.

STEP 5 | Select Commit and Commit to Panorama.

STEP 6 | Restart management server on the Panorama virtual appliance.


1. Log in to the Panorama CLI.
2. Restart the management server.

admin> debug software restart process management-server

All administrators are logged out of the Panorama web interface and CLI when
you restart the management server.


STEP 7 | Verify that the support and device management licenses are successfully activated.
1. Log in to the Panorama web interface.
2. Select Panorama > Licenses and Retrieve license keys from license server.
3. Verify the Device Management License displays the correct number of devices.
4. Select Panorama > Support and verify that the correct support Level and Expiry Date are
displayed.

STEP 8 | Synchronize the production Panorama virtual appliance with the firewalls to resume firewall
management.

Complete this step during a maintenance window to minimize network disruption.

1. On the production Panorama virtual appliance, select Panorama > Managed Devices and
verify that the Device State column displays Connected for the firewalls.
At this point, the Shared Policy (device groups) and Template columns display Out of sync
for the firewalls.
2. Push your changes to device groups and templates:
1. Select Commit > Push to Devices and Edit Selections.
2. Select Device Groups, select every device group, Include Device and Network
Templates, and click OK.
3. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template
columns display In sync for the firewalls.

Convert Your Evaluaon Panorama to VM-Flex Licensing with Local Log Collector
If you have an evaluaon Panorama™ virtual appliance in Panorama mode configured with a local
Log Collector, you can convert it to a producon Panorama with VM Flex licensing by migrang
the configuraon from the evaluaon Panorama to the producon Panorama and modifying as
needed.
If a local Log Collector is not configured, see Convert Your Evaluaon Panorama to VM-Flex
Licensing without Local Log Collector.

Logs ingested by the Log Collector on a Panorama virtual appliance cannot be migrated.
If you need to maintain access to the logs stored on your evaluaon Panorama virtual
appliance, aer you migrate the evaluaon Panorama configuraon to the producon
Panorama, keep your evaluaon Panorama powered on to access the logs locally for
the remainder of the evaluaon license lifeme. Adding the evaluaon Panorama to the
producon Panorama as a managed collector is not supported.

STEP 1 | Plan the migration.

Upgrade the software on the Panorama virtual appliance before you convert your evaluation
Panorama virtual appliance to a production Panorama virtual appliance. Review the
Compatibility Matrix for the minimum PAN-OS version required for your hypervisor. For


important details about software versions, see Panorama, Log Collector, Firewall, and
WildFire Version Compatibility.
Schedule a maintenance window for the migration.

STEP 2 | Obtain the Panorama serial number and auth code from your flexible VM-Series licensing
deployment profile.
1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
2. Create a deployment profile that enables a Panorama virtual appliance.
3. Provision Panorama to generate a serial number for Panorama.
4. Copy the Serial Number and Auth Code.

STEP 3 | Set up your production Panorama virtual appliance.

1. Log in to the Palo Alto Networks CSP.
2. Set Up the Panorama Virtual Appliance.
3. Register the Panorama virtual appliance with the Palo Alto Networks Customer Support
Portal (CSP).
Use the Panorama serial number and authorization code you generated in the previous step.
4. Install Content and Software Updates for Panorama.

STEP 4 | Acvate the device management license on the Palo Alto Networks CSP for the producon
Panorama virtual appliance.
1. Select Assets > Devices and locate your Panorama virtual appliance.
2. In the Acon column, click the pencil icon to edit the device licenses.
3. Select Acvate Auth-Code and enter the Authorizaon Code.
4. Select Agree and Submit to acvate the device management license.

STEP 5 | Export the Panorama configuration from the evaluation Panorama virtual appliance.
1. Log in to the Panorama Web Interface.
2. Select Panorama > Setup > Operations.
3. Click Export named Panorama configuration snapshot, select running-config.xml
and click OK. Panorama exports the configuration to your client system as an XML file.
4. Locate the running-config.xml file you exported and rename the XML file. This is
required to import the configuration as Panorama does not support importing an XML
file with the name running-config.xml.
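The export step above, and the identical step in the production-Panorama conversion earlier, both end with renaming the exported running-config.xml because Panorama will not import a file by that name. The script below is an added example (not Palo Alto Networks code) of doing that safely: it confirms the export is well-formed XML before anything is renamed, gives it a timestamped name that cannot collide with the reserved one, and records a SHA-256 digest so the file you upload to the production Panorama can be checked against the file you exported. The `eval-panorama-<timestamp>.xml` naming scheme, the temporary working directory, and the minimal `<config>` document written by the demo functions are assumptions constructed for this example; a real export is the full Panorama configuration tree.

```python
"""Prepare an exported Panorama configuration snapshot for import.

Added example, not Palo Alto Networks code. Validates that the export is
well-formed XML, renames it away from the reserved name running-config.xml,
and returns a SHA-256 digest for an integrity check after transfer.
The naming scheme and the demo snapshot contents are constructed.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

RESERVED_NAME = "running-config.xml"  # Panorama refuses to import this name


def sha256_of(path):
    """Stream the file through SHA-256 so large snapshots are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_name(prefix="eval-panorama", when=None):
    """Build a timestamped file name, e.g. eval-panorama-20220222T120000Z.xml."""
    when = when or datetime.now(timezone.utc)
    return f"{prefix}-{when.strftime('%Y%m%dT%H%M%SZ')}.xml"


def prepare_snapshot(export_path, prefix="eval-panorama", when=None):
    """Validate, rename and fingerprint an export; return (new_path, sha256).

    Raises ValueError before touching the file if it is not well-formed XML,
    so a truncated download is never renamed and uploaded by mistake.
    """
    try:
        ET.parse(export_path)  # well-formedness only; no schema validation
    except ET.ParseError as exc:
        raise ValueError(f"{export_path} is not well-formed XML: {exc}") from exc
    new_name = snapshot_name(prefix, when)
    if new_name == RESERVED_NAME:
        raise ValueError("new name must differ from running-config.xml")
    new_path = os.path.join(os.path.dirname(export_path), new_name)
    os.replace(export_path, new_path)
    return new_path, sha256_of(new_path)


def _write_export(contents):
    """Write a constructed export into a fresh temporary directory."""
    export_path = os.path.join(tempfile.mkdtemp(), RESERVED_NAME)
    with open(export_path, "w", encoding="utf-8") as fh:
        fh.write(contents)
    return export_path


def demo():
    """Run prepare_snapshot on a constructed, minimal, well-formed export."""
    export_path = _write_export('<config version="10.1.0"><panorama/></config>')
    fixed_time = datetime(2022, 2, 22, tzinfo=timezone.utc)  # deterministic name
    new_path, digest = prepare_snapshot(export_path, when=fixed_time)
    return {
        "name": os.path.basename(new_path),
        "sha256": digest,
        "reserved_still_present": os.path.exists(export_path),
    }


def demo_malformed():
    """Return True when a truncated export is rejected and left untouched."""
    export_path = _write_export('<config version="10.1.0"><panorama>')
    try:
        prepare_snapshot(export_path)
    except ValueError:
        return os.path.exists(export_path)
    return False


if __name__ == "__main__":
    print(demo())
    print("malformed export rejected:", demo_malformed())
```

Record the digest alongside the renamed file; after you Import the snapshot on the production Panorama (next step), re-hashing the file you uploaded and comparing it with this value confirms that the configuration was not altered in transit.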

STEP 6 | Load the Panorama configuration snapshot that you exported from the evaluation Panorama
virtual appliance into the production Panorama virtual appliance.
1. Log in to the Panorama Web Interface of the production Panorama virtual appliance.
2. Select Panorama > Setup > Operations.
3. Click Import named Panorama configuration snapshot, Browse to the Panorama
configuration file you exported from the Panorama virtual appliance, and click OK.
4. Click Load named Panorama configuration snapshot, select the Name of the
configuration you just imported, leave the Decryption Key blank (empty), and click OK.


Panorama overwrites its current candidate configuration with the loaded configuration.
Panorama displays any errors that occur when loading the configuration file.
5. If errors occurred, save them to a local file. Resolve each error to ensure the migrated
configuration is valid.

STEP 7 | Modify the configuration on the production Panorama virtual appliance.

1. Select Panorama > Setup > Management.
2. Edit the General Settings, modify the Hostname, and click OK.
3. Edit the Management Interface Settings to configure the management IP address and
click OK.

The most efficient approach is to assign a new IP address to the evaluation
Panorama virtual appliance and reuse its old IP address for the production
Panorama virtual appliance. This ensures that the evaluation Panorama virtual
appliance remains accessible and that firewalls can point to the production
Panorama virtual appliance without you reconfiguring the Panorama IP address
on each firewall.
4. Remove the Log Collector configuration imported from the evaluation Panorama.
1. Select Panorama > Collector Group and Delete all configured collector groups.
2. Select Panorama > Managed Collectors and Delete all configured Log Collectors.
5. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.

STEP 8 | Reconfigure your Log Collectors and collector groups.


You must add the managed collectors, collector group configuration, and log forwarding
configurations you deleted in the previous step, as well as add the local Log Collector.
1. Configure a Managed Collector.
2. Configure a Collector Group.
3. Configure Log Forwarding to Panorama.

STEP 9 | Verify that the support and device management licenses are successfully activated.
1. Select Panorama > Licenses and Retrieve license keys from license server.
2. Verify the Device Management License displays the correct number of devices.
3. Select Panorama > Support and verify that the correct support Level and Expiry Date are
displayed.


STEP 10 | Synchronize the production Panorama virtual appliance with the firewalls to resume firewall
management.

Complete this step during a maintenance window to minimize network disruption.

1. On the production Panorama virtual appliance, select Panorama > Managed Devices and
verify that the Device State column displays Connected for the firewalls.
At this point, the Shared Policy (device groups) and Template columns display Out of sync
for the firewalls.
2. Push your changes to device groups and templates:
1. Select Commit > Push to Devices and Edit Selections.
2. Select Device Groups, select every device group, Include Device and Network
Templates, and click OK.
3. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template
columns display In sync for the firewalls.

Convert Your Evaluaon Panorama to VM-Flex Licensing without Local Log Collector
Change the serial number of your evaluaon Panorama virtual appliance in Management Only
mode or in Panorama mode with no local Log Collector configured to convert it to a producon
Panorama virtual appliance.
If a local Log Collector is configured, see Convert Your Evaluaon Panorama to VM-Flex Licensing
with Local Log Collector.
STEP 1 | Obtain the Panorama serial number and auth code from your flexible VM-Series licensing
deployment profile.
1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
2. Create a deployment profile that enables a Panorama virtual appliance.
3. Provision Panorama to generate the a serial number for Panorama.
4. Copy the Serial Number and Auth Code.

STEP 2 | Log in to the Panorama web interface.

STEP 3 | Select Panorama > Setup > Management and edit the General Settings.

STEP 4 | Enter the Serial Number provided by Palo Alto Networks.


Use the Panorama serial number and authorization code you generated in the previous step.

STEP 5 | Click OK.

STEP 6 | Select Commit and Commit to Panorama.


STEP 7 | Restart management server on the Panorama virtual appliance.


1. Log in to the Panorama CLI.
2. Restart the management server.

admin> debug software restart process management-server

All administrators are logged out of the Panorama web interface and CLI when
you restart the management server.

STEP 8 | Verify that the support and device management licenses are successfully activated.
1. Log in to the Panorama web interface.
2. Select Panorama > Licenses and Retrieve license keys from license server.
3. Verify the Device Management License displays the correct number of devices.
4. Select Panorama > Support and verify that the correct support Level and Expiry Date are
displayed.

STEP 9 | Synchronize the production Panorama virtual appliance with the firewalls to resume firewall
management.

Complete this step during a maintenance window to minimize network disruption.

1. On the production Panorama virtual appliance, select Panorama > Managed Devices and
verify that the Device State column displays Connected for the firewalls.
At this point, the Shared Policy (device groups) and Template columns display Out of sync
for the firewalls.
2. Push your changes to device groups and templates:
1. Select Commit > Push to Devices and Edit Selections.
2. Select Device Groups, select every device group, Include Device and Network
Templates, and click OK.
3. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template
columns display In sync for the firewalls.

Convert Your Producon Panorama to an ELA Panorama


You can convert your producon Panorama™ virtual appliance to connue leveraging your
Panorama with the benefits of ELA licensing. To convert your producon deployment, Panorama
must have out-bound Internet access.
Converng your producon Panorama to ELA licensing is supported in Management Only and
Panorama mode with or without a local Log Collector configured. If your Panorama has a local Log
Collector configured, you must submit a support cket with Palo Alto Networks to convert your
Panorama to ELA licensing.


During conversion from a production Panorama to ELA licensing, do not change the
Panorama serial number if a local Log Collector is configured.
The logs on the local Log Collector become inaccessible, and other Log Collectors in the
Collector Group may become inaccessible and no longer ingest logs, if the serial number of
a Log Collector is changed.

STEP 1 | Convert your Panorama to ELA licensing.

• Panorama virtual appliance in Panorama mode with a local Log Collector.
Submit a support ticket with Palo Alto Networks to convert your Panorama to ELA licensing.
This is required in order to preserve all existing logs on the local Log Collector when
converting a Panorama with a local Log Collector to ELA licensing. An example is provided
below to assist in filing the support ticket. Create the ticket exactly as displayed below, and
select the OS Release your Panorama is running.
Continue to the next step only after Palo Alto Networks support successfully resolves your
support ticket.

• Panorama virtual appliance in Management Only mode or Panorama mode with no local
Log Collector.
1. Generate a serial number from your ELA licensing pool.
1. Log in to the Palo Alto Networks CSP.
2. Select Assets > VM-Series Auth-Codes and locate your ELA licensing pool.
3. In the Acons column, select Panorama and Provision a new serial number.
Confirm the new serial number provision when prompted.
4. Copy the newly provisioned serial number.
2. Log in to the Panorama web interface.
3. Select Panorama > Setup > Management and edit the General Sengs.
4. Enter the Serial Number you provisioned.
5. Click OK.
6. Select Commit and Commit to Panorama.

STEP 2 | Log in to the Panorama web interface if not already logged in.

STEP 3 | Select Panorama > Licenses and Retrieve new licenses from the license server.

STEP 4 | Verify that Panorama retrieved the new licenses as per your ELA agreement.


STEP 5 | Verify that the support and device management licenses are successfully activated.
1. Select Panorama > Licenses and verify that the correct licenses are activated.
2. Select Panorama > Support and verify that the correct support Level and Expiry Date are
displayed.


Set Up the M-Series Appliance


The M-600, M-500, and M-200 appliances are high performance hardware appliances that you
can deploy in Management Only mode (as Panorama management servers with no local log
collection), Panorama mode (as Panorama management servers with local log collection) or in Log
Collector mode (as Dedicated Log Collectors). The appliances provide multiple interfaces that
you can assign to various Panorama services such as firewall management and log collection.
Before setting up the appliance, consider how you can configure the interfaces to optimize
security, enable network segmentation (in large-scale deployments), and load balance the traffic
for Panorama services.
• M-Series Appliance Interfaces
• Perform Initial Configuration of the M-Series Appliance
• M-Series Setup Overview
• Set Up the M-Series Appliance as a Log Collector
• Increase Storage on the M-Series Appliance
• Configure Panorama to Use Multiple Interfaces

M-Series Appliance Interfaces


The Panorama M-600, M-500, M-200 and M-100 appliances have several interfaces for
communicating with other systems such as managed firewalls and the client systems of Panorama
administrators. Panorama communicates with these systems to perform various services, including
managing devices (firewalls, Log Collectors, and WildFire appliances and appliance clusters),
collecting logs, communicating with Collector Groups, deploying software and content updates
to devices, and providing administrative access to Panorama. By default, Panorama uses its
management (MGT) interface for all these services. However, you can improve security by
reserving the MGT interface for administrative access and dedicating separate interfaces for the
other services. In a large-scale network with multiple subnetworks and heavy log traffic, using
multiple interfaces for device management and log collection also enables network segmentation
and load balancing (see Configure Panorama to Use Multiple Interfaces).
When assigning Panorama services to various interfaces, keep in mind that only the MGT
interface allows administrative access to Panorama for configuration and monitoring tasks. You
can assign any interface to the other services when you Perform Initial Configuration of the M-
Series Appliance. The M-Series Appliance Hardware Reference Guides explain where to attach
cables for the interfaces. The M-100 appliance supports 1Gbps throughput on all its interfaces:
MGT, Eth1, Eth2, and Eth3. In addition to these interfaces, the M-500 appliance supports 10Gbps
throughput on its Eth4 and Eth5 interfaces.

The M-Series appliances do not support Link Aggregation Control Protocol (LACP) for
aggregating interfaces.

Supported Interfaces
Interfaces can be used for device management, log collection, Collector Group communication,
licensing and software updates. See Configure Panorama to Use Multiple Interfaces for more
information on network segmentation.


Interfaces and maximum speeds (M-600, M-500, and M-200 appliances):

Interface           Maximum Speed
Management (MGT)    1Gbps
Ethernet 1 (Eth1)   1Gbps
Ethernet 2 (Eth2)   1Gbps
Ethernet 3 (Eth3)   1Gbps
Ethernet 4 (Eth4)   10Gbps
Ethernet 5 (Eth5)   10Gbps

The 10Gbps Eth4 and Eth5 interfaces are not available on all three models.

Logging Rates
Review the logging rates for all M-Series appliance models. To achieve the logging rates listed
below, the M-Series appliance must be a single log collector in a collector group and you must
install all the logging disks for your M-Series model. For example, to achieve 30,000 logs/second
for the M-500 appliance, you must install all 12 logging disks with either 1TB or 2TB disks.

Model Capacies and M-600 Appliance M-500 Appliance M-200 Appliance


Features

Maximum Logging Local log storage is not supported


Rate for Panorama
in Management Only
mode

Maximum Logging 25,000 logs/second 20,000 logs/second 10,000 logs/second


Rate for Panorama in
Panorama Mode

Maximum Logging Rate 50,000 logs/second 30,000 logs/second 28,000 logs/second


for Panorama in Log
Collector Mode

Maximum Log Storage 48TB (12x8TB RAID • 24TB (24x2TB 16TB (4x8TB RAID
on Appliance disk) RAID disks) disk)
• 12TB (24x1TB
RAID Disk)

Panorama Administrator's Guide Version Version 10.1 186 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

Model Capacies and M-600 Appliance M-500 Appliance M-200 Appliance


Features

Default Log Storage on 16TB (4x8TB RAID 4TB (4x2TB RAID 16TB (4x8TB RAID
Appliance disks) disks) disks)

SSD Storage on 240GB 240GB 240GB


Appliance (for logs that
M-Series appliances
generate)

NFS Aached Log Not available


Storage

Perform Initial Configuration of the M-Series Appliance

By default, Panorama has an IP address of 192.168.1.1 and a username/password of admin/
admin. For security reasons, you must change these settings before continuing with other
configuration tasks. You must perform these initial configuration tasks either from the
Management (MGT) interface or using a direct serial port connection to the console port on the
M-600, M-500, or M-200 appliance.

If you are configuring an M-Series appliance in Log Collector mode with 10GB interfaces,
you must complete this entire configuration procedure for the 10GB interfaces to display
as Up.

STEP 1 | Gather the required interface and server information from your network administrator.
• Gather the IP address, netmask (for IPv4) or prefix length (for IPv6), and default gateway for
each interface that you plan to configure (MGT, Eth1, Eth2, Eth3, Eth4, Eth5). Only the MGT
interface is mandatory.

Palo Alto Networks recommends that you specify all these settings for the MGT
interface. If you omit values for some of these settings (such as the default gateway),
you can access Panorama only through the console port for future configuration
changes. You cannot commit the configurations for other interfaces unless you
specify all these settings.

If you plan to use the appliance as a Panorama management server, Palo Alto Networks
recommends using the MGT interface only for managing Panorama and using other
interfaces for managing devices, collecting logs, communicating with Collector Groups, and
deploying updates to devices (see M-Series Appliance Interfaces).
• Gather the IP addresses of the DNS servers.


STEP 2 | Access the M-Series appliance from your computer.

1. Connect to the M-Series appliance in one of the following ways:
• Attach a serial cable from a computer to the Console port on the M-Series appliance
and connect using terminal emulation software (9600-8-N-1).
• Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-
Series appliance. From a browser, go to https://192.168.1.1. Enabling access to this
URL might require changing the IP address on the computer to an address in the
192.168.1.0 network (for example, 192.168.1.2).
2. When prompted, log in to the appliance using the default username and password
(admin/admin). The appliance starts initializing.

STEP 3 | Change the default admin password.

Starting with PAN-OS 9.0.4, the predefined, default administrator password (admin/
admin) must be changed on the first login on a device. The new password must be
a minimum of eight characters and include a minimum of one lowercase and one
uppercase character, as well as one number or special character.
Be sure to use the best practices for password strength to ensure a strict password
and review the password complexity settings.

1. Click the admin link in the lower left of the web interface.
2. Enter the Old Password, New Password, and Confirm New Password, and then click OK.
Store the new password in a safe location.

To ensure that the MGT interface remains secure, configure Minimum Password
Complexity settings (select Panorama > Setup > Management) and specify the
interval at which administrators must change their passwords.


STEP 4 | Configure the network access settings for each interface that you will use to manage
Panorama, manage devices, collect logs, communicate with Collector Groups, and deploy
updates to devices.

To configure connectivity to Panorama using an IPv6 address, you must configure
both an IPv4 and an IPv6 address on the interface. Panorama does not support
configuring the management interface with only an IPv6 address.

1. Select Panorama > Setup > Interfaces and click the Interface Name.
2. (Non-MGT interfaces only) Enable the interface.
3. Edit the network access settings of each interface that Panorama will use. Only the MGT
interface is required. The Eth1, Eth2, Eth3, Eth4, and Eth5 interfaces are optional and
apply only if you plan to use the M-Series appliance as a Panorama management server.
1. Complete one or both of the following field sets based on the IP protocols of your
network:
IPv4—Public IP Address, IP Address, Netmask, and Default Gateway

If your firewalls connect to the Panorama management server using a public
IP address that is translated to a private IP address (NAT), enter the public
IP in the Public IP Address field, and the private IP in the IP Address field to
push both addresses to your firewalls.

IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway

2. Select the Device Management Services that the interface supports:
Device Management and Device Log Collection—You can assign one or more
interfaces.
Collector Group Communication—You can assign only one interface.
Device Deployment (software and content updates)—You can assign only one
interface.
3. (Optional) Select the Network Connectivity Services that the interface supports.

(MGT interface only) Disable Telnet and HTTP; these services use plaintext
and so are less secure than other services.
4. Click OK to save your changes.

STEP 5 | Configure the hostname, time zone, and general settings.

1. Select Panorama > Setup > Management and edit the General Settings.
2. Align the clock on Panorama and the managed firewalls to use the same Time Zone, for
example GMT or UTC. If you plan to use the Cortex Data Lake, you must configure NTP
so that Panorama can stay in sync with the Cortex Data Lake.
The firewall records timestamps when it generates logs and Panorama records timestamps
upon receiving the logs. Aligning the time zones ensures that the timestamps are
synchronized and that querying logs and generating reports on Panorama produce
consistent results.
3. Enter a Hostname for the server. Panorama uses this as the display name/label for the
appliance. For example, this is the name that appears at the CLI prompt. It also appears
in the Collector Name field if you add the appliance as a managed collector on the
Panorama > Managed Collectors page.
4. (Optional) Enter the Latitude and Longitude to enable accurate placement of the M-
Series appliance on the world map. The App Scope > Traffic Maps and App Scope >
Threat Maps use these values.
5. Click OK to save your entries.

STEP 6 | Configure the DNS servers and Palo Alto Networks Update Server.
1. Select Panorama > Setup > Services and edit the settings.
2. Enter the IP address of the Primary DNS Server and (optionally) of the Secondary DNS
Server.
3. Enter the URL or static address of the Update Server (default
updates.paloaltonetworks.com).

Select Verify Update Server Identity if you want Panorama to verify that the
Update Server from which it downloads software or content packages has an SSL
certificate that a trusted authority signed. This option adds an additional level
of security for communication between the Panorama management server and
Update Server.
4. Click OK to save your entries.

STEP 7 | Commit your configuration changes.

Select Commit > Commit to Panorama and Commit your changes.

If you plan to use the M-Series appliance as a Panorama management server and you
configured interfaces other than MGT, you must assign those interfaces to the Device
Log Collection or Collector Group Communication functions when you Configure a
Managed Collector. To make the interfaces operational, you must then Configure a
Collector Group for the managed collector and perform a Collector Group commit.


STEP 8 | Verify network access to external services required for Panorama management, such as the
Palo Alto Networks Update Server.
1. Connect to the M-Series appliance in one of the following ways:
• Attach a serial cable from your computer to the Console port on the M-Series
appliance. Then use terminal emulation software (9600-8-N-1) to connect.
• Use terminal emulation software such as PuTTY to open an SSH session to the IP
address that you specified for the MGT interface of the M-Series appliance during
initial configuration.
2. Log in to the CLI when prompted. Use the default admin account and the password that
you specified during initial configuration.
3. Use the Update Server Connectivity test to verify network connectivity to the Palo Alto
Networks Update Server as shown in the following example.
1. Select Panorama > Managed Devices > Troubleshooting, and select Updates Server
Connectivity from the Select Test drop-down.
2. Execute the update server connectivity test.

4. Use the following CLI command to retrieve information on the support entitlement for
Panorama from the Update Server:

admin> request support check

If you have connectivity, the Update Server responds with the support status for
Panorama. Because Panorama is not registered, the Update Server returns the following
message:

Contact Us
https://www.paloaltonetworks.com/company/contact-us.html
Support Home
https://www.paloaltonetworks.com/support/tabs/overview.html
Device not found on this update server

STEP 9 | Next steps...

1. Register Panorama and Install Licenses.
2. Install Content and Software Updates for Panorama.

As a best practice, replace the default certificate that Panorama uses to secure
HTTPS traffic over the MGT interface.

M-Series Setup Overview

Use the following procedures to set up an M-Series appliance:
• Set Up an M-Series Appliance in Management Only Mode
• Set Up an M-Series Appliance in Panorama Mode
• Set Up an M-Series Appliance in Log Collector Mode

Set Up an M-Series Appliance in Management Only Mode

Set up the Panorama management server in Management Only mode to dedicate Panorama to
managing firewalls and Dedicated Log Collectors. Panorama in Management Only mode has
no log collection capabilities, except for config and system logs, and requires a Dedicated Log
Collector to store logs.

If you configured a local Log Collector, the local Log Collector still exists on Panorama
when you change to Management Only mode despite having no log collection capabilities.
Deleting the local Log Collector (Panorama > Managed Collectors) deletes the Eth1/1
interface configuration the local Log Collector uses by default. If you decide to delete the
local Log Collector, you must reconfigure the Eth1/1 interface.

STEP 1 | Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware Reference
Guide for instructions.

STEP 2 | Perform Initial Configuration of the M-Series Appliance.

STEP 3 | Register Panorama and Install Licenses.

STEP 4 | Install content and software updates on Panorama.


STEP 5 | Change to Management Only mode.

1. Log in to the Panorama CLI.
2. Switch from Panorama mode to Management Only mode:
request system system-mode management-only
3. Enter Y to confirm the mode change. The Panorama management server reboots. If the
reboot process terminates your terminal emulation software session, reconnect to the
Panorama management server to see the Panorama login prompt.
If you see a CMS Login prompt, this means the Panorama management server has not
finished rebooting. Press Enter at the prompt without typing a username or password.
4. Log back in to the CLI.
5. Verify that the switch to Management Only mode succeeded:
show system info | match system-mode
If the mode change succeeded, the output displays:
system mode:management-only

STEP 6 | Set Up Administrative Access to Panorama

STEP 7 | Manage Firewalls

STEP 8 | Manage Log Collection

Set Up an M-Series Appliance in Panorama Mode

STEP 1 | Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware Reference
Guide for instructions.

STEP 2 | Perform Initial Configuration of the M-Series Appliance.

STEP 3 | Register Panorama and Install Licenses.

STEP 4 | Install Content and Software Updates for Panorama.

STEP 5 | Configure each array. This task is required to make the RAID disks available for logging.
Optionally, you can add disks to Increase Storage on the M-Series Appliance.

STEP 6 | Set Up Administrative Access to Panorama.

STEP 7 | Manage Firewalls.

STEP 8 | Manage Log Collection.

Set Up an M-Series Appliance in Log Collector Mode

STEP 1 | Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware Reference
Guide for instructions.

STEP 2 | Perform Initial Configuration of the M-Series Appliance


STEP 3 | Register Panorama and Install Licenses

STEP 4 | Install Content and Software Updates for Panorama

STEP 5 | Configure each array. This task is required to make the RAID disks available for logging.
Optionally, you can add disks to Increase Storage on the M-Series Appliance.

STEP 6 | Set Up the M-Series Appliance as a Log Collector

STEP 7 | Manage Log Collection

Set Up the M-Series Appliance as a Log Collector

If you want a dedicated appliance for log collection, configure an M-200, M-500, or M-600
appliance in Log Collector mode. To do this, you first perform the initial configuration of the
appliance in Panorama mode, which includes licensing, installing software and content updates,
and configuring the management (MGT) interface. You then switch the M-Series appliance to Log
Collector mode and complete the Log Collector configuration. Additionally, if you want to use
dedicated M-Series Appliance Interfaces (recommended) instead of the MGT interface for log
collection and Collector Group communication, you must first configure the interfaces for the
Panorama management server, then configure them for the Log Collector, and then perform a
Panorama commit followed by a Collector Group commit.
Perform the following steps to set up a new M-Series appliance as a Log Collector or to convert an
existing M-Series appliance that was previously deployed as a Panorama management server.

If you are configuring an M-Series appliance in Log Collector mode with 10GB interfaces,
you must complete this entire configuration procedure for the 10GB interfaces to display
as Up.

Switching the M-Series appliance from Panorama mode to Log Collector mode reboots
the appliance, deletes the local Log Collector, deletes any existing log data, and deletes
all configurations except the management access settings. Switching the mode does not
delete licenses, software updates, or content updates.

STEP 1 | Set up the Panorama management server that will manage the Log Collector if you have not
already done so.
Perform one of the following tasks:
• Set Up the Panorama Virtual Appliance
• Set Up the M-Series Appliance


STEP 2 | Record the management IP addresses of the Panorama management server.

If you deployed Panorama in a high availability (HA) configuration, you need the IP address of
each HA peer.
1. Log in to the web interface of the Panorama management server.
2. Record the IP Address of the solitary (non-HA) or active (HA) Panorama by selecting
Panorama > Setup > Management and checking the Management Interface Settings.
3. For an HA deployment, record the Peer HA IP Address of the passive Panorama by
selecting Panorama > High Availability and checking the Setup section.

STEP 3 | Set up the M-Series appliance that will serve as a Dedicated Log Collector.
If you previously deployed this appliance as a Panorama management server, you can skip this
step because the MGT interface is already configured and the licenses and updates are already
installed.
The M-Series appliance in Log Collector mode does not have a web interface for configuration
tasks, only a CLI. Therefore, before changing the mode on the M-Series appliance, use the web
interface in Panorama mode to:
1. Perform Initial Configuration of the M-Series Appliance.
2. Register Panorama and Install Licenses.
3. Install Content and Software Updates for Panorama.

STEP 4 | Access the CLI of the M-Series appliance.

1. Connect to the M-Series appliance in one of the following ways:
• Attach a serial cable from your computer to the Console port on the M-Series
appliance. Then use terminal emulation software (9600-8-N-1) to connect.
• Use terminal emulation software such as PuTTY to open an SSH session to the IP
address that you specified for the MGT interface of the M-Series appliance during
initial configuration.
2. Log in to the CLI when prompted. Use the default admin account and the password that
you specified during initial configuration.


STEP 5 | Switch from Panorama mode to Log Collector mode.

1. Switch to Log Collector mode by entering the following command:

> request system system-mode logger

2. Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot
process terminates your terminal emulation software session, reconnect to the M-Series
appliance to see the Panorama login prompt.

If you see a CMS Login prompt, this means the Log Collector has not finished
rebooting. Press Enter at the prompt without typing a username or password.
3. Log back in to the CLI.
4. Verify that the switch to Log Collector mode succeeded:

> show system info | match system-mode

If the mode change succeeded, the output displays:

system-mode: logger


STEP 6 | Configure the logging disks as RAID1 pairs.

If you previously deployed the appliance as a Panorama management server, you can skip this
step because the disk pairs are already configured and available.

The time required to configure the drives varies from several minutes to a couple of
hours, based on the amount of data on the drives.

1. Determine which disk pairs are present for configuring as RAID pairs on the M-Series
appliance:

> show system raid detail

Perform the remaining steps to configure each disk pair that has present disks. This
example uses disk pair A1/A2.
2. To add the first disk in the pair, enter the following command and enter y when
prompted to confirm the request:

> request system raid add A1

Wait for the process to finish before adding the next disk in the pair. To monitor the
progress of the RAID configuration, re-enter:

> show system raid detail

After the process finishes for the first disk, the output displays the disk pair status as
Available but degraded.
3. Add the second disk in the pair:

> request system raid add A2

4. Verify that the disk setup is complete:

> show system raid detail

After the process finishes for the second disk, the output displays the disk pair status as
Available and clean:

Disk Pair A      Available
Status        clean
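The pair status that the commands above report can be checked programmatically before you move on to the next disk, which is useful when you script the build-out of many pairs. The following Python parser is an added example, not code from this guide or from Palo Alto Networks: it reads text in the `show system raid detail` layout shown on this page and classifies each pair as ready, degraded, unconfigured, or built from mismatched drives (the guide requires RAID 1 members to be identical). The sample output is constructed for the example; the "Not Present" and "Not Available" wording for empty bays, the exact indentation, and the function names are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the layout of 'show system raid detail' as shown in this
# guide. Pair A is fully mirrored, pair B has only its first disk added (the state
# the guide calls "Available but degraded"), pair C is empty, and pair D was built
# from two drives of different models/sizes. The "Not Present" / "Not Available"
# wording for empty bays is an assumption.
SAMPLE_RAID_DETAIL = """\
Disk Pair A      Available
Status        clean
Disk id A1     Present
model : ST91000640NS
size : 953869 MB
status : active sync
Disk id A2     Present
model : ST91000640NS
size : 953869 MB
status : active sync
Disk Pair B      Available
Status        degraded
Disk id B1     Present
model : ST91000640NS
size : 953869 MB
status : active sync
Disk id B2     Not Present
Disk Pair C      Not Available
Disk id C1     Not Present
Disk id C2     Not Present
Disk Pair D      Available
Status        clean
Disk id D1     Present
model : ST91000640NS
size : 953869 MB
status : active sync
Disk id D2     Present
model : ST2000NM0033
size : 1907729 MB
status : active sync
"""

PAIR_RE = re.compile(r"^\s*Disk Pair (\S+)\s+(.+?)\s*$")
PAIR_STATUS_RE = re.compile(r"^\s*Status\s+(\S+)")        # pair-level "Status  clean"
DISK_RE = re.compile(r"^\s*Disk id (\S+)\s+(.+?)\s*$")
ATTR_RE = re.compile(r"^\s*(model|size|status)\s*:\s*(.+?)\s*$")


@dataclass
class DiskPair:
    name: str
    availability: str            # "Available" or "Not Available"
    status: str = ""             # "clean" once mirrored, "degraded" while a disk is missing/syncing
    disks: dict = field(default_factory=dict)   # disk id -> {"presence", "model", "size", "status"}


def parse_raid_detail(text: str) -> list[DiskPair]:
    """Walk the pair / disk / attribute hierarchy line by line."""
    pairs: list[DiskPair] = []
    pair = None
    disk = None
    for line in text.splitlines():
        if m := PAIR_RE.match(line):
            pair = DiskPair(name=m.group(1), availability=m.group(2))
            pairs.append(pair)
            disk = None
        elif pair is None:
            continue
        elif disk is None and (m := PAIR_STATUS_RE.match(line)):
            pair.status = m.group(1)
        elif m := DISK_RE.match(line):
            disk = {"presence": m.group(2)}
            pair.disks[m.group(1)] = disk
        elif disk is not None and (m := ATTR_RE.match(line)):
            disk[m.group(1)] = m.group(2)
    return pairs


def assess_pairs(pairs: list[DiskPair]) -> dict[str, str]:
    """Classify each pair the way an operator following this step needs to:
    'ready' means both disks are present, identical, and the mirror is clean."""
    report = {}
    for p in pairs:
        present = [d for d in p.disks.values() if d["presence"] == "Present"]
        if p.availability != "Available":
            report[p.name] = "not configured (no RAID array yet)"
        elif p.status == "degraded" or len(present) < 2:
            report[p.name] = "degraded: mirror incomplete, add or wait for the second disk"
        elif len({(d.get("model"), d.get("size")) for d in present}) != 1:
            report[p.name] = "mismatched drives: RAID 1 members must be identical"
        elif p.status == "clean":
            report[p.name] = "ready"
        else:
            report[p.name] = f"unexpected status {p.status!r}, check manually"
    return report


if __name__ == "__main__":
    for name, verdict in assess_pairs(parse_raid_detail(SAMPLE_RAID_DETAIL)).items():
        print(f"Disk Pair {name}: {verdict}")
```

Feed it the captured output of the command (for example, saved from an SSH session) instead of the constructed sample; only pairs reported as ready should be added under Disks in Step 10.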


STEP 7 | Enable connectivity between the Log Collector and Panorama management server.
Enter the following commands at the Log Collector CLI, where <IPaddress1> is for the MGT
interface of the solitary (non-HA) or active (HA) Panorama and <IPaddress2> is for the MGT
interface of the passive (HA) Panorama, if applicable.

> configure
# set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
# commit
# exit

STEP 8 | Record the serial number of the Log Collector.

You need the serial number to add the Log Collector as a managed collector on the Panorama
management server.
1. At the Log Collector CLI, enter the following command to display its serial number.

> show system info | match serial

2. Record the serial number.

STEP 9 | Add the Log Collector as a managed collector to the Panorama management server.
1. Select Panorama > Managed Collectors and Add a managed collector.
2. In the General settings, enter the serial number (Collector S/N) you recorded for the Log
Collector.
3. In the Panorama Server IP field, enter the IP address or FQDN of the solitary (non-HA)
or active (HA) Panorama. For HA deployments, enter the IP address or FQDN of the
passive Panorama peer in the Panorama Server IP 2 field.
These IP addresses must specify a Panorama interface that has Device Management and
Device Log Collection services enabled. By default, these services are enabled only on
the MGT interface. However, you might have enabled the services on other interfaces
when you Set Up the M-Series Appliance that is a Panorama management server.
4. Select Interfaces, click Management, and configure one or both of the following field
sets for the MGT interface based on the IP protocols of your network.
• IPv4—IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
5. Click OK twice to save your changes to the Log Collector.
6. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.
This step is required before you can enable logging disks.
7. Verify that Panorama > Managed Collectors lists the Log Collector you added. The
Connected column displays a check mark to indicate that the Log Collector is connected
to Panorama. You might have to wait a few minutes before the page displays the updated
connection status.

At this point, the Configuration Status column displays Out of Sync and the Run
Time Status column displays disconnected. The status will change to In Sync and
connected after you configure a Collector Group (see Assign the Log Collector
to a Collector Group).

STEP 10 | Enable the logging disks.

1. Select Panorama > Managed Collectors and edit the Log Collector.
2. Select Disks and Add each RAID disk pair.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.

STEP 11 | (Recommended) Configure the Ethernet1, Ethernet2, Ethernet3, Ethernet4, and Ethernet5
interfaces if the Panorama management server and Log Collector will use them for Device
Log Collection (receiving logs from firewalls) and Collector Group Communication.
If you previously deployed the Log Collector as a Panorama management server and configured
these interfaces, you must reconfigure them because switching to Log Collector mode (Switch
from Panorama mode to Log Collector mode) would have deleted all configurations except the
management access settings.
1. Configure each interface on the Panorama management server (other than the MGT
interface) if you haven't already:
1. Select Panorama > Setup > Interfaces and click the Interface Name.
2. Select <interface-name> to enable the interface.
3. Complete one or both of the following field sets based on the IP protocols of your
network:
IPv4—IP Address, Netmask, and Default Gateway
IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
4. Select the Device Management Services that the interface supports:
Device Management and Device Log Collection—You can assign one or more
interfaces.
Collector Group Communication—You can assign only one interface.
Device Deployment (software and content updates)—You can assign only one
interface.
5. Click OK to save your changes.
2. Configure each interface on the Log Collector (other than the MGT interface):
1. Select Panorama > Managed Collectors and edit the Log Collector.
2. Select Interfaces and click the name of the interface.
3. Select <interface-name> to enable the interface.
4. Complete one or both of the following field sets based on the IP protocols of your
network:
IPv4—IP Address, Netmask, and Default Gateway
IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
5. Select the Device Management Services that the interface supports:
Device Log Collection—You can assign one or more interfaces.
Collector Group Communication—You can assign only one interface.
6. Click OK to save your changes to the interface.
3. Click OK to save your changes to the Log Collector.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.
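Both STEP 4 of the initial configuration and STEP 11 above assign interfaces and Device Management Services under the same constraints: only MGT is mandatory and needs its full address, netmask and gateway; an IPv6 address needs an IPv4 address beside it; Collector Group Communication and Device Deployment may each sit on only one interface; and Telnet and HTTP should be off on MGT. The Python checker below is an added example, not part of this guide or of any Palo Alto Networks tool, that validates a planned interface layout against those rules before you commit. The service names, the `InterfacePlan` class, the constructed sample plans, and the assumption that the M-200 has no Eth4/Eth5 (its column in the interface table is blank for those rows) are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Interfaces each model offers, read from the interface table in this section.
# The M-200 row shows no Eth4/Eth5, so they are treated as absent there (assumption).
MODEL_INTERFACES = {
    "M-600": {"MGT", "Eth1", "Eth2", "Eth3", "Eth4", "Eth5"},
    "M-500": {"MGT", "Eth1", "Eth2", "Eth3", "Eth4", "Eth5"},
    "M-200": {"MGT", "Eth1", "Eth2", "Eth3"},
}
# Device Management Services that the guide says may be assigned to only one interface.
SINGLE_INTERFACE_SERVICES = {"collector-group-communication", "device-deployment"}
# Network Connectivity Services the guide says to disable on MGT because they are plaintext.
PLAINTEXT_SERVICES = {"telnet", "http"}


@dataclass
class InterfacePlan:
    """One interface as you intend to configure it (hypothetical field names)."""
    name: str
    ipv4_address: Optional[str] = None
    ipv4_netmask: Optional[str] = None
    ipv4_gateway: Optional[str] = None
    ipv6_address: Optional[str] = None          # "address/prefix-length"
    ipv6_gateway: Optional[str] = None
    device_services: set = field(default_factory=set)    # e.g. "device-log-collection"
    network_services: set = field(default_factory=set)   # e.g. "https", "ssh", "telnet"


def validate_plan(model: str, plan: list[InterfacePlan]) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors are conditions the guide says will not commit
    or are unsupported; warnings are recommendations it makes."""
    errors, warnings = [], []
    names = [i.name for i in plan]
    for name in names:
        if name not in MODEL_INTERFACES[model]:
            errors.append(f"{name}: the {model} has no such interface")
    if names.count("MGT") != 1:
        errors.append("MGT: exactly one MGT interface must be configured")
    assigned = {}   # service -> interfaces carrying it
    for iface in plan:
        has_v4, has_v6 = bool(iface.ipv4_address), bool(iface.ipv6_address)
        if not has_v4 and not has_v6:
            errors.append(f"{iface.name}: no IPv4 or IPv6 address")
        # IPv6-only is unsupported; the guide states this for the management
        # interface and this check applies it to every interface (assumption).
        if has_v6 and not has_v4:
            errors.append(f"{iface.name}: IPv6 requires an IPv4 address as well")
        if has_v4 and not iface.ipv4_netmask:
            errors.append(f"{iface.name}: IPv4 address needs a netmask")
        if iface.name == "MGT" and has_v4 and not iface.ipv4_gateway:
            errors.append("MGT: default gateway missing; other interfaces cannot be "
                          "committed and Panorama is reachable only via the console port")
        for svc in iface.device_services:
            assigned.setdefault(svc, []).append(iface.name)
        if iface.name == "MGT":
            plain = sorted(iface.network_services & PLAINTEXT_SERVICES)
            if plain:
                warnings.append(f"MGT: plaintext services enabled ({', '.join(plain)}); disable them")
    for svc in sorted(SINGLE_INTERFACE_SERVICES):
        if len(assigned.get(svc, [])) > 1:
            errors.append(f"{svc}: may be assigned to only one interface, found {assigned[svc]}")
    return errors, warnings


def example_plans() -> tuple[list[InterfacePlan], list[InterfacePlan]]:
    """Constructed sample layouts: one valid, one breaking several rules."""
    good = [
        InterfacePlan("MGT", "192.0.2.10", "255.255.255.0", "192.0.2.1",
                      device_services={"device-management"}, network_services={"https", "ssh"}),
        InterfacePlan("Eth1", "198.51.100.10", "255.255.255.0", "198.51.100.1",
                      device_services={"device-log-collection", "collector-group-communication"}),
        InterfacePlan("Eth2", "203.0.113.10", "255.255.255.0", "203.0.113.1",
                      device_services={"device-deployment"}),
    ]
    bad = [
        InterfacePlan("MGT", ipv6_address="2001:db8::10/64", ipv6_gateway="2001:db8::1",
                      network_services={"https", "ssh", "telnet"}),
        InterfacePlan("Eth1", "198.51.100.10", "255.255.255.0", "198.51.100.1",
                      device_services={"collector-group-communication"}),
        InterfacePlan("Eth4", "203.0.113.10", "255.255.255.0", "203.0.113.1",
                      device_services={"collector-group-communication"}),
    ]
    return good, bad


if __name__ == "__main__":
    good, bad = example_plans()
    print("M-600 valid plan:", validate_plan("M-600", good))
    print("M-200 flawed plan:", validate_plan("M-200", bad))
```

Run the check on the layout you intend to enter in the web interface; anything in the errors list would either fail to commit or leave Panorama unreachable except through the console, so fix it before Step 4 of the Panorama-side configuration.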


STEP 12 | (Optional) If your deployment is using custom certificates for authentication between
Panorama and managed devices, deploy the custom client device certificate. For more
information, see Set Up Authentication Using Custom Certificates.
1. Select Panorama > Certificate Management > Certificate Profile and choose the
certificate profile from the drop-down or click New Certificate Profile to create one.
2. Select Panorama > Managed Collectors > Add > Communication for a Log Collector.
3. Select the Secure Client Communication check box.
4. Select the type of device certificate from the Type drop-down.
• If you are using a local device certificate, select the Certificate and Certificate Profile
from the respective drop-downs.
• If you are using SCEP as the device certificate, select the SCEP Profile and Certificate
Profile from the respective drop-downs.
5. Click OK.


STEP 13 | (Optional) Configure Secure Server Communication on a Log Collector. For more information,
see Set Up Authentication Using Custom Certificates.
1. Select Panorama > Managed Collectors > Add > Communication.
2. Verify that the Custom Certificate Only check box is not selected. This allows you to
continue managing all devices while migrating to custom certificates.

When the Custom Certificate Only check box is selected, the Log Collector
does not authenticate and cannot receive logs from devices using predefined
certificates.
3. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This
SSL/TLS service profile applies to all SSL connections between the Log Collector and
devices sending it logs.
4. Select the certificate profile from the Certificate Profile drop-down.
5. Select Authorize Client Based on Serial Number to have the server check clients against
the serial numbers of managed devices. The client certificate must have the special
keyword $UDID set as the CN to authorize based on serial numbers.
6. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait
before breaking and reestablishing the connection with its managed devices. This field is
blank by default and the range is 0 to 44,640 minutes.

The disconnect wait time does not begin counting down until you commit the
new configuration.
7. (Optional) Configure an authorization list.
1. Click Add under Authorization List.
2. Select the Subject or Subject Alt Name as the Identifier type.
3. Enter an identifier of the selected type.
4. Click OK.
5. Select Check Authorization List to enforce the authorization list.
8. Click OK.
9. Select Commit > Commit to Panorama.
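As an added illustration of how the two authorization settings in this step combine (example code, not the Log Collector's implementation), the following Python function models the decision for a device that presents a client certificate: the serial-number check against the managed device list runs first, because the $UDID keyword puts the device serial in the CN, and the authorization list is consulted only when Check Authorization List is on. That ordering, exact matching of authorization-list identifiers against the Subject DN or a Subject Alt Name, and the class and field names are assumptions of the example; the certificate fields and serial numbers are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ClientCertificate:
    """The identity fields the checks in this step look at. Constructed view for
    this example; production code would read them from the parsed X.509 certificate."""
    subject: str                      # full subject DN, e.g. "CN=001234567890,O=Example"
    common_name: str                  # the CN; with a $UDID template this is the device serial
    subject_alt_names: list[str] = field(default_factory=list)


@dataclass
class ServerCommunicationSettings:
    """Mirror of the settings named in this step (field names are this example's own)."""
    authorize_by_serial: bool = True          # "Authorize Client Based on Serial Number"
    check_authorization_list: bool = False    # "Check Authorization List"
    authorization_list: list[tuple[str, str]] = field(default_factory=list)
    # entries are ("Subject" | "Subject Alt Name", identifier)


def authorize_client(cert: ClientCertificate,
                     settings: ServerCommunicationSettings,
                     managed_serials: set[str]) -> tuple[bool, str]:
    """Decide whether a device presenting `cert` may send logs, and say why.
    Assumption: the checks are cumulative, serial number first, then the list."""
    if settings.authorize_by_serial and cert.common_name not in managed_serials:
        return False, f"CN {cert.common_name!r} is not the serial number of a managed device"
    if settings.check_authorization_list:
        for kind, identifier in settings.authorization_list:
            if kind == "Subject" and cert.subject == identifier:
                return True, f"authorized by Subject {identifier!r}"
            if kind == "Subject Alt Name" and identifier in cert.subject_alt_names:
                return True, f"authorized by Subject Alt Name {identifier!r}"
        return False, "no authorization list entry matches the client certificate"
    return True, "authorized"


# Constructed sample data: serial numbers of two managed firewalls.
MANAGED_SERIALS = {"001234567890", "009876543210"}


if __name__ == "__main__":
    settings = ServerCommunicationSettings(
        check_authorization_list=True,
        authorization_list=[("Subject Alt Name", "fw1.example.net")],
    )
    cert = ClientCertificate("CN=001234567890,O=Example", "001234567890", ["fw1.example.net"])
    print(authorize_client(cert, settings, MANAGED_SERIALS))
```

The second sample below the serial check is the case worth remembering when you turn on the authorization list: a certificate whose CN is a valid managed serial is still rejected if none of its identifiers is on the list.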

STEP 14 | Assign the Log Collector to a Collector Group.

1. Configure a Collector Group. You must perform a Panorama commit and then a Collector
Group commit to synchronize the Log Collector configuration with Panorama and to put
the Eth1, Eth2, Eth3, Eth4, and Eth5 interfaces (if you configured them) in an operational
state on the Log Collector.

In any single Collector Group, all the Log Collectors must run on the same
Panorama model: all M-600 appliances, all M-500 appliances, all M-200
appliances, or all Panorama virtual appliances.

As a best practice, Enable log redundancy across collectors if you add multiple
Log Collectors to a single Collector Group. This option requires each Log Collector
to have the same number of logging disks.
2. Select Panorama > Managed Collectors to verify that the Log Collector configuration is
synchronized with Panorama.
The Configuration Status column should display In Sync and the Run Time Status column
should display connected.
3. Access the Log Collector CLI and enter the following command to verify that its
interfaces are operational:

> show interface all

The output displays the state as up for each interface that is operational.
4. If the Collector Group has multiple Log Collectors, Troubleshoot Connectivity to Network
Resources to verify they can communicate with each other by performing a Ping
connectivity test for each interface that the Log Collectors use. For the source IP
address, specify the interface of one of the Log Collectors. For the host IP address,
specify the matching interface of another Log Collector in the same Collector Group.

STEP 15 | Next steps...

To enable the Log Collector to receive firewall logs:
1. Configure Log Forwarding to Panorama.
2. Verify Log Forwarding to Panorama.

Increase Storage on the M-Series Appliance

After you Perform Initial Configuration of the M-Series Appliance, you can increase log storage
capacity of the appliance by upgrading the existing drive pairs to larger capacity drives or by
installing additional drive pairs in empty drive bays. For example, you can choose to upgrade the
existing 1TB drives to 2TB on an M-500 appliance, or you can add 2TB drives to the empty drive
bays (B1 through D2).

The M-Series appliances leverage RAID 1 for data redundancy in the event of disk failure.
Therefore, the pair of drives in a RAID 1 array need to be identical. However, you are free
to mix drive capacities across different RAID 1 arrays. For example, the drives in the A1/
A2 RAID 1 array can be 1TB drives, and the drives in the B1/B2 RAID 1 array can be 2TB
drives.

The following table lists the maximum number of drive bays (disks) and the available drive
capacities supported on M-Series appliances.


Because each drive pair (A1/A2 for example) is in a RAID 1 array, the total storage
capacity is half of the total drives installed. For example, if an M-500 appliance has 2TB
drives installed in drive bays A1/A2 and B1/B2, the A1/A2 array provides 2TB total
storage and the B1/B2 array provides another 2TB for a total of 4TB.

Appliance        | Number of Supported Drive Bays (Disks) | Supported Drive Capacity
M-200 Appliance  | 4                                      | 8TB
M-500 Appliance  | 24                                     | 1TB or 2TB
M-600 Appliance  | 12                                     | 8TB
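To turn the table above and the RAID 1 rules into a quick sanity check of a planned drive layout, here is an added Python example, not from this guide: it verifies that every pair is complete and identical, that the capacities and bay count fit the model, that bays are populated in order as the next section requires, and it computes usable storage as one drive's capacity per pair (the A1/A2 plus B1/B2 example above yields 4TB). The bay naming beyond D (E1/E2 onward, up to the M-500's 24 bays) and the function names are assumptions; the layouts in the usage block are constructed.

```python
from __future__ import annotations

# Drive bays and supported drive capacities per model, from the table above.
MODEL_DRIVE_LIMITS = {
    "M-200": {"bays": 4, "capacities_tb": {8}},
    "M-500": {"bays": 24, "capacities_tb": {1, 2}},
    "M-600": {"bays": 12, "capacities_tb": {8}},
}


def check_drive_layout(model: str, drives: dict[str, int]) -> list[str]:
    """Return the rules a layout breaks (empty list when it is acceptable).
    `drives` maps a bay such as "A1" to the capacity in TB of the drive in it."""
    limits = MODEL_DRIVE_LIMITS[model]
    problems = []
    if len(drives) > limits["bays"]:
        problems.append(f"{len(drives)} drives exceed the {limits['bays']} bays of the {model}")
    pairs = {}   # pair letter -> {"1": capacity, "2": capacity}
    for bay, cap in drives.items():
        letter, slot = bay[:-1], bay[-1]
        if not letter or slot not in ("1", "2"):
            problems.append(f"{bay}: bay names are a pair letter followed by 1 or 2")
            continue
        if cap not in limits["capacities_tb"]:
            problems.append(f"{bay}: {cap}TB is not a supported capacity for the {model}")
        pairs.setdefault(letter, {})[slot] = cap
    for letter, members in sorted(pairs.items()):
        if set(members) != {"1", "2"}:
            problems.append(f"pair {letter}: both drives of a RAID 1 pair must be installed")
        elif members["1"] != members["2"]:
            problems.append(f"pair {letter}: drives in a RAID 1 pair must be identical")
    # Drives go into the next open bays in order (B before C, and so on), so the
    # populated pair letters must form an unbroken run starting at A.
    expected = [chr(ord("A") + n) for n in range(len(pairs))]
    if sorted(pairs) != expected:
        problems.append(f"pairs {sorted(pairs)} skip a bay; populate bays in order")
    return problems


def usable_storage_tb(model: str, drives: dict[str, int]) -> int:
    """Usable log storage: each RAID 1 pair contributes one drive's capacity.
    Raises ValueError when check_drive_layout rejects the layout."""
    problems = check_drive_layout(model, drives)
    if problems:
        raise ValueError("; ".join(problems))
    return sum(cap for bay, cap in drives.items() if bay.endswith("1"))


if __name__ == "__main__":
    # Constructed layouts: the guide's M-500 example, a mixed-capacity M-500, and a full M-600.
    print(usable_storage_tb("M-500", {"A1": 2, "A2": 2, "B1": 2, "B2": 2}))
    print(usable_storage_tb("M-500", {"A1": 1, "A2": 1, "B1": 2, "B2": 2}))
    print(usable_storage_tb("M-600", {f"{chr(65 + n)}{s}": 8 for n in range(6) for s in (1, 2)}))
    print(check_drive_layout("M-500", {"A1": 1, "A2": 2}))
```

A full M-600 (six pairs of 8TB drives) evaluates to the 48TB maximum in the logging-rates table, and an M-200 with both pairs populated to its 16TB default, which is a useful cross-check that a planned order matches what the appliance can actually hold.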

Before expanding log storage capacity, Determine Panorama Log Storage Requirements. If you
need more log storage than a single M-Series appliance supports, you can add Dedicated Log
Collectors (see Configure a Managed Collector) or you can Configure Log Forwarding from
Panorama to External Destinations.

You don't need to take the M-Series appliance offline to expand the storage when adding
drives to an M-Series appliance that is already deployed. When the additional drives
are configurable and available, the M-Series appliance redistributes the logs among all
available drives. This log redistribution process happens in the background and does
not impact uptime or the availability of the M-Series appliance. However, the process
does diminish the maximum logging rate. The Redistribution State column (Panorama >
Collector Groups) indicates the completion status of the process as a percentage.

• Add Additional Drives to an M-Series Appliance
• Upgrade Drives on an M-Series Appliance

Add Additional Drives to an M-Series Appliance

STEP 1 | Install the new drives in the appropriate drive bays.


Make sure to add the drives sequentially in the next open drive bays. For example, add drives
to B1 and B2 before adding drives to C1 and C2.

STEP 2 | Access the command line interface (CLI) on the M-Series appliance.
Connect to the M-Series appliance in one of two ways:
• Connect a serial cable from your computer to the Console port and connect to the M-Series
appliance using terminal emulation software (9600-8-N-1).
• Use terminal emulation software (such as PuTTY) to open a Secure Shell (SSH) session to the
IP address of the M-Series appliance.

STEP 3 | When prompted, log in to the appliance.


Use the default administrator account and the assigned password.

STEP 4 | Configure each array.

The time required to mirror the data on the drive can take minutes, a few hours, or
more than a day depending on the amount of data on the drive.

The following example uses the drives in bays B1 and B2.

1. Enter the following commands and confirm the request when prompted:

> request system raid add B1
> request system raid add B2

2. To monitor the progress of the RAID configuration, enter the following command:

> show system raid detail

When the RAID setup is complete, the following response displays:

Disk Pair A                           Available
Status                                 clean
Disk id A1                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk id A2                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk Pair B                           Available
Status                                 clean
Disk id B1                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk id B2                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync

STEP 5 | Make the array available for logging.


To enable the array for logging, you must first add the appliance as a managed collector on
Panorama. If not already added, see Configure a Managed Collector.
1. Log in to the web interface of the Panorama management server that manages this Log
Collector.
2. Select Panorama > Managed Collectors and edit the Log Collector.
3. Select Disks and Add each array.
4. Click OK to save your changes.
5. Select Commit > Commit to Panorama and Commit your changes.
6. Select Commit > Push to Devices, select the Collector Group, and Push your changes.

Upgrade Drives on an M-Series Appliance

STEP 1 | Access the command line interface (CLI) on the M-Series appliance.
Connect to the M-Series appliance in one of two ways:
• Connect a serial cable from your computer to the Console port and connect to the M-Series
appliance using terminal emulation software (9600-8-N-1).
• Use terminal emulation software (such as PuTTY) to open a Secure Shell (SSH) session to the
IP address of the M-Series appliance.

STEP 2 | When prompted, log in to the appliance.


Use the default administrator account and the assigned password.

STEP 3 | Verify that the RAID 1 status for the installed drives shows there are at least two functioning
RAID 1 arrays. During the upgrade, you will upgrade one RAID 1 array at a time and there
must be at least one other RAID 1 array that is available to the appliance. The appliance will
show an abort error if you try to remove the only functioning array from the configuration.
Enter the following command to view RAID status:

> show system raid detail

For example, the following shows an output from an M-500 appliance with two available arrays
(Disk Pair A and Disk Pair B). If there is only one available array, you must add a second array as
described in Add Additional Drives to an M-Series Appliance before you upgrade the drives.

Disk Pair A                           Available
Status                                 clean
Disk id A1                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk id A2                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk Pair B                           Available
Status                                 clean
Disk id B1                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk id B2                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync

STEP 4 | Remove the first 1TB drive and replace it with a 2TB drive.
1. To remove the first drive from the RAID 1 array configuration (A1 in this example), enter
the following command and enter y when prompted to confirm the request:

> request system raid remove A1

2. Physically remove the first drive from the drive bay. Press the ejector button on the drive
carrier in drive bay A1 to release the ejector handle. Then pull the handle toward you and
slide the drive out of the appliance.
3. Remove a 2TB drive from its packaging and place the drive on a table next to the drive
you just removed. Take note of how the drive is installed in the carrier because you will
install the 2TB drive in this same carrier.
4. Remove the four screws holding the 1TB drive in the carrier and remove the drive from
the carrier.
5. Attach the 2TB drive to the carrier using the same four screws you removed from the
1TB drive and then reinsert the carrier with the 2TB drive into drive bay A1.
6. Enter the following command to verify the 2TB drive is recognized:

> show system raid detail

Verify that the A1 disk shows the correct model and size (about 2TB). If the model and
size are not correct, run the above command again until the correct model and size are
shown.
If the wrong model and size are consistently shown, enter the following command:

> request system raid remove A1

Wait for 30 seconds once you run the above command, then remove the disk and
reinsert it and repeat the show system raid detail command to verify the size and
model.

STEP 5 | Copy the data from the remaining installed 1TB drive in the RAID 1 array to the newly
installed 2TB drive in that array.

The me required to copy the data may vary from several minutes to a few hours,
depending on the amount of data on the drive.

1. To copy the data from the 1TB drive in drive bay A2 to the newly installed 2TB drive in
drive bay A1, enter the following command and enter y when prompted:

> request system raid copy from A2 to A1

2. To view the status of the copy process, run the following command:

> show system raid detail

Connue running this command to view the RAID detail output unl you see that the
array (A1/A2 in this example) shows Available.

At this point, drive A2 will show not in use because there is a drive size
mismatch.

STEP 6 | Upgrade the second drive in the RAID 1 array to a 2TB drive.
1. Remove the second 1TB drive (from drive bay A2 in the current example) from the RAID 1
array configuration:

> request system raid remove A2

2. Insert the carrier with the newly installed 2TB drive into drive bay A2 and add it to the
RAID 1 array configuraon:

> request system raid add A2

The system will copy the data from A2 to A1 to mirror the drives.
3. To view the status of the copy process, run the following command:

> show system raid detail

Connue to view the RAID detail output unl you see that the array (A1/A2 in this
example) shows Available and both disks show active sync.

Disk Pair A       Available


Status         clean
Disk id A1     Present
       model        : ST2000NX0253
size         : 1907138 MB
status       : active sync
Disk id A2     Present
       model        : ST2000NX0253

Panorama Administrator's Guide Version Version 10.1 208 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

size         : 1907138 MB
status       : active sync

STEP 7 | Upgrade drives for additional RAID 1 arrays as needed.

To upgrade additional RAID 1 arrays to 2TB drives, repeat this procedure replacing the drive
designators as applicable. For example, replace A1 with B1 and A2 with B2 to upgrade the
drives in the B1/B2 RAID 1 array.
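Three checks recur in the two procedures above: at least two available arrays must exist before you remove one (Step 3 of the upgrade), the reseated disk must report the expected model and size (Step 4.6), and a mirror whose disks differ in size is a transitional state rather than usable capacity (Step 5, and the "half the raw capacity" rule earlier in this section). The following Python is an added example, not code from this guide or from Palo Alto Networks, that parses the text of show system raid detail in the format shown above and makes those checks repeatable. The sample output is constructed from the outputs printed in this section, and the regular expressions, data classes and function names are this example's own assumptions; the real output format may differ by release, so validate the parser against your appliance before relying on it.

```python
# Added example (not Palo Alto Networks code): parse `show system raid detail`
# text and check the preconditions the procedures above rely on.
import re
from dataclasses import dataclass, field

# Constructed sample in the format shown above: pair A mid-upgrade (A1 already
# a 2TB ST2000NX0253, A2 still a 1TB ST91000640NS), pair B untouched.
SAMPLE_OUTPUT = """\
Disk Pair A                           Available
Status                                 clean
Disk id A1                           Present
model        : ST2000NX0253
size         : 1907138 MB
status       : active sync
Disk id A2                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk Pair B                           Available
Status                                 clean
Disk id B1                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
Disk id B2                           Present
model        : ST91000640NS
size         : 953869 MB
status       : active sync
"""
# The same appliance with a single array installed (the case step 3 warns about).
SAMPLE_ONE_ARRAY = SAMPLE_OUTPUT[:SAMPLE_OUTPUT.index("Disk Pair B")]


@dataclass
class Disk:
    disk_id: str            # "A1"
    present: bool
    model: str = ""
    size_mb: int = 0
    status: str = ""        # "active sync" once mirrored and healthy


@dataclass
class Pair:
    name: str               # "A" for the A1/A2 array
    available: bool
    state: str = ""         # the "Status" line, e.g. "clean"
    disks: list = field(default_factory=list)


PAIR_RE = re.compile(r"^Disk Pair (\w+)\s+(\w+)$")
STATE_RE = re.compile(r"^Status\s+(\w+)$")            # capital S: the array line
DISK_RE = re.compile(r"^Disk id (\w+)\s+(\w+)$")
FIELD_RE = re.compile(r"^(model|size|status)\s*:\s*(.+)$")


def parse_raid_detail(text):
    """Return Pair objects in the order the appliance printed them."""
    pairs, pair, disk = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PAIR_RE.match(line):
            pair = Pair(m.group(1), m.group(2) == "Available")
            pairs.append(pair)
            disk = None
        elif (m := STATE_RE.match(line)) and pair is not None:
            pair.state = m.group(1)
        elif (m := DISK_RE.match(line)) and pair is not None:
            disk = Disk(m.group(1), m.group(2) == "Present")
            pair.disks.append(disk)
        elif (m := FIELD_RE.match(line)) and disk is not None:
            key, value = m.group(1), m.group(2).strip()
            if key == "model":
                disk.model = value
            elif key == "size":
                disk.size_mb = int(value.split()[0])   # "953869 MB" -> 953869
            else:
                disk.status = value
    return pairs


def healthy_pairs(pairs):
    """Arrays that are Available, clean and fully mirrored (both disks active sync)."""
    return [p for p in pairs
            if p.available and p.state == "clean" and len(p.disks) == 2
            and all(d.present and d.status == "active sync" for d in p.disks)]


def safe_to_remove(pairs, pair_name):
    """Step 3 precondition: another healthy array must remain once this one is removed."""
    return (any(p.name == pair_name for p in pairs)
            and any(p.name != pair_name for p in healthy_pairs(pairs)))


def size_mismatch(pair):
    """True while the two disks of one mirror differ in size (the state after step 5)."""
    return len({d.size_mb for d in pair.disks if d.present}) > 1


def usable_capacity_mb(pairs):
    """RAID 1 halves raw capacity: each healthy pair counts its smaller disk once."""
    return sum(min(d.size_mb for d in p.disks) for p in healthy_pairs(pairs))


def disk_matches(pairs, disk_id, expected_model, min_size_mb):
    """Step 4.6 verification: the reseated disk reports the expected model and size."""
    for p in pairs:
        for d in p.disks:
            if d.disk_id == disk_id:
                return d.present and d.model == expected_model and d.size_mb >= min_size_mb
    return False
```

Feed the function the captured CLI output (for example from a PuTTY session log) instead of SAMPLE_OUTPUT; safe_to_remove(pairs, "A") is the condition to check before request system raid remove A1, and disk_matches(pairs, "A1", "ST2000NX0253", 1900000) is the check to repeat after reseating the new drive. A pair with a size mismatch still mirrors, but only the smaller disk's capacity is usable until both drives are replaced.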

Configure Panorama to Use Multiple Interfaces

In a large-scale network, you can improve security and reduce congestion by implementing
network segmentation, which involves segregating the subnetworks based on resource usage,
user roles, and security requirements. Panorama supports network segmentation by enabling you
to use multiple M-Series Appliance Interfaces for managing devices (firewalls, Log Collectors, and
WildFire appliances and appliance clusters) and collecting logs; you can assign separate interfaces
to the devices on separate subnetworks.

Using multiple interfaces to collect logs also provides the benefit of load balancing, which is
particularly useful in environments where the firewalls forward logs at high rates to the Log
Collectors. If you enable the forward to all Log Collectors setting in the Collector Group log
forwarding preference list, logs are sent on all configured interfaces. Otherwise, logs
are forwarded over a single interface, and if that interface goes down, log forwarding continues
over the next configured interface. For example, you configure Eth1/1, Eth1/2, and Eth1/3 for log
forwarding. In the event the Eth1/1 interface goes down, log forwarding continues over Eth1/2.

Because administrators access and manage Panorama over the MGT interface, securing that
interface is especially important. One method for improving the security of the MGT interface
is to offload Panorama services to other interfaces. In addition to device management and log
collection, you can also offload Collector Group communication and deployment of software and
content updates to firewalls, Log Collectors, and WildFire appliances and appliance clusters. By
offloading these services, you can reserve the MGT interface for administrative traffic and assign
it to a secure subnetwork that is segregated from the subnetworks where your firewalls, Log
Collectors, and WildFire appliances and appliance clusters reside.
• Multiple Interfaces for Network Segmentation Example
• Configure Panorama for Network Segmentation

Mulple Interfaces for Network Segmentaon Example


Figure 9: Mulple Panorama Interfaces illustrates a deployment that uses mulple interfaces on
M-500 appliances in Panorama mode and Log Collector mode. In this example, the interfaces
support network segmentaon as follows:
• Panorama management network—To protect the Panorama web interface, CLI, and XML API
from unauthorized access, the MGT interface on Panorama connects to a subnetwork that only
administrators can access.
• Internet—Panorama uses the MGT interface to communicate with external services such as the
Palo Alto Networks Update Server.
• Perimeter Gateway and Data Center—Panorama uses a separate pair of interfaces to manage
the firewalls and Log Collectors in each of these subnetworks. Managing firewalls typically
generates less traffic than querying Log Collectors for report informaon. Therefore, Panorama

Panorama Administrator's Guide Version Version 10.1 209 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

uses 1Gbps interfaces (Eth1 and Eth2) for managing the firewalls and uses 10Gbps interfaces
(Eth4 and Eth5) for querying and managing the Log Collectors. Each Log Collector uses its MGT
interface to respond to the queries but uses its Eth4 and Eth5 interfaces for the heavier traffic
associated with collecng logs from the firewalls.
• Soware and content updates—The firewalls and Log Collectors in both subnetworks retrieve
soware and content updates over the Eth3 interface on Panorama.

Figure 9: Multiple Panorama Interfaces

Configure Panorama for Network Segmentation

To offload Panorama services from the MGT interface to other interfaces, start by configuring the
interfaces on the Panorama management server. If your network has heavy log traffic, remember
that the Eth4 and Eth5 interfaces on the M-500 and M-600 appliances support higher throughput
(10Gbps) than the other interfaces (1Gbps). Then, configure the Log Collectors in each subnetwork
to connect with specific interfaces on Panorama. For each Log Collector, you also select an
interface for Collector Group communication and one or more interfaces for collecting logs
from firewalls. Finally, configure the firewalls in each subnetwork to connect with interfaces on
Panorama.

If you are configuring an M-Series appliance in Log Collector mode with 10GB interfaces,
you must complete this entire configuration procedure for the 10GB interfaces to display
as Up.

Palo Alto Networks recommends that you specify the IP address, netmask (for IPv4) or
prefix length (for IPv6), and default gateway for the MGT interface. If you omit one of
these settings (such as the default gateway), you can access the M-Series appliance only
through the console port for future configuration changes.

Perform the following steps to configure Panorama and Dedicated Log Collectors to use multiple
interfaces:
STEP 1 | Verify that the Panorama appliances and firewalls support multiple interfaces, and have the
prerequisite software versions and configurations.
• The M-Series appliances must run Panorama 8.0 or later to use a separate interface for
deploying updates and to use multiple interfaces for device management and log collection.
The M-200 and M-600 appliances must run Panorama 8.1 or later. Panorama appliances
deployed on ESXi, vCloud Air, Hyper-V and KVM must run Panorama 8.1 or later.
• If you deployed a Panorama or Log Collector as a virtual appliance, verify the Supported
Interfaces for the Panorama Virtual Appliance.
• The M-Series appliances must run Panorama 6.1 or later to use separate interfaces for log
collection or Collector Group communication.
• The initial configuration of each Panorama management server is complete. This includes
configuration of the MGT interface.

To configure an IPv6 address for the Panorama MGT interface, you must configure
both an IPv4 address and an IPv6 address. Panorama does not support configuring the
MGT interface with only an IPv6 address.
• Log Collectors and Collector Groups are configured. This includes configuration of the MGT
interface on the Log Collectors.

To configure an IPv6 address for the MGT interface of a Log Collector, you must
configure both an IPv4 address and an IPv6 address. Panorama does not support
configuring the MGT interface with only an IPv6 address.
• The initial configuration of the firewalls is complete, you have added the firewalls to
Panorama as managed devices, and the firewalls in each subnetwork are assigned to a
separate template.
• The initial configuration of WildFire appliances is complete and you have added WildFire
appliances to Panorama as managed devices.

STEP 2 | Configure the interfaces on the solitary (non-HA) or active (HA) Panorama management
server.

Because the MGT interface was configured during initial Panorama configuration, you
don't have to configure it again.

Perform these steps for each interface:

1. Log in to the Panorama Web Interface of the solitary (non-HA) or active (HA) Panorama
management server.
2. Select Panorama > Setup > Interfaces.
3. Click an Interface Name to edit the interface.
4. Select <interface-name> to enable the interface.
5. Configure one or both of these field sets based on the IP protocols of your network:
• IPv4—IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
6. Select the services that the interface supports:
• Device Management and Device Log Collection—Manage firewalls, Log Collectors,
and WildFire appliances and appliance clusters, collect logs that the Log Collectors
generate, and query the Log Collectors for report information. To support a
segmented network, you can enable these services on multiple interfaces.
• Collector Group Communication—Communicate with the Collector Groups that
Panorama manages across all subnetworks.
• Device Deployment—Deploy software and content updates to managed firewalls, Log
Collectors, and WildFire appliances and appliance clusters across all subnetworks.
7. Click OK to save your changes to the interface.
8. Click Commit > Commit to Panorama and Commit your changes.
9. Click Commit > Push to Devices and push the changes to the Collector Groups that
contain the Log Collectors you modified.

STEP 3 | (HA only) Configure the interfaces on the passive Panorama management server.
1. Log in to the Panorama Web Interface of the active Panorama management server.
2. Select Panorama > Managed Collectors and select the passive HA peer.
3. Select Interfaces and click an interface to edit.
4. Check the Enable Interface box to enable the interface.
5. Configure one or both of these field sets based on the IP protocols of your network:
• IPv4—IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
6. Select the services that the interface supports:
• Device Management and Device Log Collection—Manage firewalls, Log Collectors,
and WildFire appliances and appliance clusters, collect logs that the Log Collectors
generate, and query the Log Collectors for report information. To support a
segmented network, you can enable these services on multiple interfaces.
• Collector Group Communication—Communicate with the Collector Groups that
Panorama manages across all subnetworks.
• Device Deployment—Deploy software and content updates to managed firewalls, Log
Collectors, and WildFire appliances and appliance clusters across all subnetworks.
7. Click OK to save your changes to the interface.
8. Select Commit > Commit and Push to commit your changes to Panorama and to push
the changes to Collector Groups that contain the passive HA peer you modified.

STEP 4 | Configure each Log Collector to connect with a Panorama interface.

To support a segmented network, you can connect the Log Collectors in each subnetwork to
separate Panorama interfaces. The interfaces must have Device Management and Device Log
Collection enabled, as described in the previous step.
1. Log in to the Panorama Web Interface of the solitary (non-HA) or active (HA) Panorama
management server.
2. Select Panorama > Managed Collectors and edit the Log Collector.
3. In the Panorama Server IP field, enter the IP address of an interface on the solitary (non-
HA) or active (HA) Panorama.
4. (HA only) In the Panorama Server IP 2 field, enter the IP address of an interface on the
passive Panorama that will support Device Management and Device Log Collection if
failover occurs on the active Panorama.
5. Click OK to save your changes.
6. Select Commit > Commit and Push to commit your changes to Panorama and to push
the changes to Collector Groups that contain the Log Collector you modified.
7. Perform the following steps on each Dedicated Log Collector:
1. Access the Log Collector CLI by using emulation software such as PuTTY to open an
SSH session to the Log Collector using its MGT interface IP address. When prompted,
log in using Panorama administrator credentials.
2. Run the following commands, where <IPaddress1> is for the solitary (non-HA) or
active (HA) Panorama and <IPaddress2> is for the passive Panorama (if applicable).

> configure
# set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
# commit

STEP 5 | (HA only) Configure an interface on the passive Panorama management server to deploy
updates in case the active Panorama fails over.
1. Log in to the Panorama Web Interface of the passive Panorama management server.
2. Select Panorama > Setup > Interfaces.
3. Click an Interface Name to edit the interface.
4. Select <interface-name> to enable the interface.
5. Configure one or both of these field sets based on the IP protocols of your network:
• IPv4—IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
6. Select Device Deployment.
7. Click OK to save your changes.
8. Click Commit > Commit to Panorama and Commit your changes.

STEP 6 | Configure the interfaces that the Log Collectors will use to collect logs from firewalls and
communicate with other Log Collectors.

Because the MGT interface was configured during initial configuration of the Log
Collectors, you don't have to configure it again.

1. Log in to the Panorama Web Interface of the solitary (non-HA) or active (HA) Panorama
management server.
2. Select Panorama > Managed Collectors and edit the Log Collector.
3. Select Interfaces and perform the following steps for each interface:
1. Click an interface name to edit that interface.
2. Select <interface-name> to enable the interface.
3. Configure one or both of the following field sets based on the IP protocols of your
network:
• IPv4—IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
4. Select the functions that the interface supports:
• Device Log Collection—Collect logs from firewalls. You can load balance the logging
traffic by enabling multiple interfaces to perform this function.
• Collector Group Communication—Communicate with other Log Collectors in the
Collector Group.
5. Click OK to save your changes to the interface.
4. Click OK to save your changes to the Log Collector.
5. Select Commit > Commit and Push to commit your changes to Panorama and to push
the changes to Collector Groups that contain the Log Collectors you modified.
6. Select Panorama > Managed Collectors to verify that the Log Collectors are
synchronized and connected with Panorama.
The Configuration Status column should display InSync and the Run Time Status
column should display connected.

STEP 7 | Configure the firewalls to connect with a Panorama interface.

To support a segmented network, you can connect the firewalls in each subnetwork to
separate Panorama interfaces. The interfaces must have Device Management and Device
Log Collection enabled. This step assumes that you use separate templates to configure the
firewalls in separate subnetworks.

In this example deployment, Panorama uses these interfaces to manage the firewalls
but not to collect firewall logs. You specify which Dedicated Log Collectors will collect
firewall logs when you configure Collector Groups.

1. Log in to the Panorama Web Interface of the solitary (non-HA) or active (HA) Panorama
management server.
2. On Panorama, select Device > Setup > Management, select a Template and edit the
Panorama Settings.
3. In the first Panorama Servers field, enter the IP address of an interface on the solitary
(non-HA) or active (HA) Panorama.
4. (HA only) In the second Panorama Servers field, enter the IP address of an interface on
the passive Panorama that will support device management if failover occurs.
5. Click OK to save your changes.
6. Select Commit > Commit and Push to commit your changes to Panorama and push the
template changes to firewalls.
7. Select Panorama > Managed Devices to verify that the firewalls are synchronized and
connected with Panorama.
The Device State column should display Connected. The Shared Policy and Template
columns should display InSync.
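The procedure above ties each Log Collector and each firewall template to a Panorama interface that has Device Management and Device Log Collection enabled, keeps the MGT interface for administrators, requires MGT to carry an address and default gateway (and an IPv4 address whenever IPv6 is used), and prefers the 10Gbps interfaces for Log Collector traffic. The following Python is an added example, not code from this guide or from Palo Alto Networks, that models such a plan, checks it against those rules, and emits the Log Collector commands from Step 4.7. The data classes, the plan layout, the check wording and the addresses (taken from the RFC 5737 documentation ranges) are this example's own assumptions; the example plan mirrors the Figure 9 deployment and the weak plan shows what the checks catch.

```python
# Added example (not Palo Alto Networks code): model the interface assignment
# described above, check a planned layout against the rules in this section,
# and emit the Log Collector commands from step 4. Names and addresses are
# this example's own assumptions (addresses from RFC 5737 documentation ranges).
from dataclasses import dataclass, field

# Service names as shown under Panorama > Setup > Interfaces (step 2).
DEVICE_MGMT = "Device Management and Device Log Collection"
CG_COMM = "Collector Group Communication"
DEVICE_DEPLOY = "Device Deployment"
# Interfaces the text identifies as 10Gbps on M-500/M-600 appliances.
TEN_GBPS = {"Eth4", "Eth5"}


@dataclass
class Interface:
    name: str
    ipv4: str = ""
    ipv4_gateway: str = ""
    ipv6: str = ""
    ipv6_gateway: str = ""
    services: set = field(default_factory=set)


@dataclass
class Plan:
    interfaces: dict                  # active Panorama: name -> Interface
    log_collectors: dict              # Log Collector -> (active iface, passive iface or None)
    firewall_templates: dict          # template -> active iface used as Panorama Server
    passive_interfaces: dict = field(default_factory=dict)   # passive HA peer: name -> Interface


def check_plan(plan):
    """Return (errors, warnings): errors break the procedure, warnings defeat its purpose."""
    errors, warnings = [], []
    mgt = plan.interfaces.get("MGT")
    if mgt is None:
        errors.append("MGT is not configured; initial configuration is a step 1 prerequisite")
    else:
        # Omitting the address or default gateway leaves only console-port access.
        if not (mgt.ipv4 and mgt.ipv4_gateway) and not (mgt.ipv6 and mgt.ipv6_gateway):
            errors.append("MGT needs an address, netmask/prefix length and default gateway")
        if mgt.ipv6 and not mgt.ipv4:
            errors.append("MGT cannot be IPv6-only; configure an IPv4 address as well")

    def check_management_path(iface_name, who, table):
        iface = table.get(iface_name)
        if iface is None:
            errors.append(f"{who} points at unknown interface {iface_name}")
        elif DEVICE_MGMT not in iface.services:
            errors.append(f"{who} uses {iface_name}, which lacks '{DEVICE_MGMT}'")
        if iface_name == "MGT":
            warnings.append(f"{who} uses MGT; segmentation reserves MGT for administrators")

    for lc, (active, passive) in plan.log_collectors.items():
        check_management_path(active, f"Log Collector {lc}", plan.interfaces)
        if passive:
            check_management_path(passive, f"Log Collector {lc} (passive peer)", plan.passive_interfaces)
        if active not in TEN_GBPS and TEN_GBPS & set(plan.interfaces):
            warnings.append(f"Log Collector {lc} on 1Gbps {active} while a 10Gbps interface exists")
    for template, active in plan.firewall_templates.items():
        check_management_path(active, f"template {template}", plan.interfaces)
    return errors, warnings


def log_collector_cli(plan, lc):
    """Commands for step 4.7 on one Dedicated Log Collector (without the > and # prompts)."""
    active, passive = plan.log_collectors[lc]
    line = f"set deviceconfig system panorama-server {plan.interfaces[active].ipv4}"
    if passive:
        line += f" panorama-server-2 {plan.passive_interfaces[passive].ipv4}"
    return ["configure", line, "commit"]


def example_plan():
    """The Figure 9 layout: MGT for admins, Eth1/Eth2 for firewalls, Eth4/Eth5 for Log Collectors."""
    active = {
        "MGT": Interface("MGT", "192.0.2.10", "192.0.2.1"),
        "Eth1": Interface("Eth1", "198.51.100.10", "198.51.100.1", services={DEVICE_MGMT}),
        "Eth2": Interface("Eth2", "203.0.113.10", "203.0.113.1", services={DEVICE_MGMT}),
        "Eth3": Interface("Eth3", "192.0.2.130", "192.0.2.129", services={DEVICE_DEPLOY}),
        "Eth4": Interface("Eth4", "198.51.100.20", "198.51.100.1", services={DEVICE_MGMT, CG_COMM}),
        "Eth5": Interface("Eth5", "203.0.113.20", "203.0.113.1", services={DEVICE_MGMT, CG_COMM}),
    }
    passive = {
        "Eth4": Interface("Eth4", "198.51.100.21", "198.51.100.1", services={DEVICE_MGMT}),
        "Eth5": Interface("Eth5", "203.0.113.21", "203.0.113.1", services={DEVICE_MGMT}),
    }
    return Plan(active,
                log_collectors={"LC-perimeter": ("Eth4", "Eth4"), "LC-datacenter": ("Eth5", "Eth5")},
                firewall_templates={"perimeter": "Eth1", "datacenter": "Eth2"},
                passive_interfaces=passive)


def weak_plan():
    """Everything on MGT, and MGT without a default gateway."""
    mgt = Interface("MGT", "192.0.2.10", services={DEVICE_MGMT})
    return Plan({"MGT": mgt}, log_collectors={"LC1": ("MGT", None)}, firewall_templates={"all": "MGT"})
```

check_plan(example_plan()) returns no findings, while check_plan(weak_plan()) reports the missing MGT gateway as an error and the Log Collector and firewall template riding on MGT as warnings. Running such a check before the commit in Step 2 catches the two mistakes that are hardest to undo afterwards: a Panorama Server IP that points at an interface without Device Management and Device Log Collection (the Log Collector never reconnects) and an MGT interface without a gateway (only console access remains).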


Register Panorama and Install Licenses

Before you can begin using Panorama for centralized management, logging, and reporting, you are
required to register, activate, and retrieve the Panorama device management and support licenses.
Every instance of Panorama requires valid licenses that entitle you to manage firewalls and obtain
support. The firewall device management license enforces the maximum number of firewalls that
Panorama can manage. This license is based on firewall serial numbers, not on the number of
virtual systems on each firewall. The support license enables Panorama software updates and
dynamic content updates (for the latest Applications and Threats signatures, as an example).
Additionally, Panorama virtual appliances on AWS and Azure must be purchased from Palo Alto
Networks, and cannot be purchased on the AWS or Azure marketplaces.

After upgrading your Panorama virtual appliance to PAN-OS 8.1, you are prompted if a capacity
license has not been successfully installed or if the total number of firewalls being managed by
Panorama exceeds the device management license. You have 180 days from the date of upgrade
to install a valid device management license if no license has been installed. If the number of
managed firewalls exceeds the device management license, you have 180 days to delete firewalls
to meet the device management license requirements or upgrade your device management
license. All commits fail if a valid device management license is not installed, or the existing
device management license limit is not met, within 180 days of upgrade. To purchase a device
management license, contact your Palo Alto Networks sales representative or authorized reseller.

If you want to use the cloud-based Cortex Data Lake, you require a Cortex Data Lake license, in
addition to the firewall management license and premium support license. To purchase licenses,
contact your Palo Alto Networks Systems Engineer or reseller.

If you are running an evaluation license for firewall management on your Panorama virtual
appliance and want to apply a Panorama license that you purchased, perform the tasks
Register Panorama and Activate/Retrieve a Firewall Management License when the
Panorama Virtual Appliance is Internet-connected.

• Register Panorama
• Activate a Panorama Support License
• Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is
Internet-connected
• Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not
Internet-connected
• Activate/Retrieve a Firewall Management License on the M-Series Appliance

Register Panorama

STEP 1 | Record the Panorama serial number or auth-code and record your Sales Order Number or
Customer ID.
For the auth-code, Sales Order Number, or Customer ID, see the order fulfillment email that
Palo Alto Networks Customer Service sent when you placed your order for Panorama.
For the serial number, the location depends on the model:
• M-Series appliance—Log in to the Panorama web interface and record the Serial # value in
the Dashboard tab, General Information section.
• Panorama virtual appliance—See the order fulfillment email or refer to the serial number
generated when provisioning Panorama using VM Flex licensing.

The Panorama virtual appliance is automatically registered when you allocate a
serial number using VM Flex licensing.

STEP 2 | Register Panorama in the Palo Alto Networks Customer Support Portal (CSP).
The steps depend on whether you already have a login for the Palo Alto Networks CSP.
• If this is the first Palo Alto Networks appliance you are registering and you do not yet have a
CSP login:
1. Go to the Palo Alto Networks CSP.
2. Click Create my account.
3. Enter Your Email Address and respond to the reCAPTCHA prompt.
4. Click Submit after you successfully respond to the reCAPTCHA prompt.
5. Select Register device using Serial Number or Authorization Code and click Submit.
6. Complete the fields in the Create Contact Details and Create UserID and Password
sections.
7. Enter the Panorama Device Serial Number or Auth Code.
8. Enter your Sales Order Number or Customer ID.
9. Respond to the reCAPTCHA prompt.
10. Click Submit after you successfully respond to the reCAPTCHA prompt.
• If you already have a CSP login:
1. Log in to the Palo Alto Networks CSP.
2. Click Assets > Devices > Register New Device.

You can also Register a Device in the CSP Support Home.

3. Select Register device using Serial Number and click Next.
4. Enter the Panorama Serial Number.
5. Enter the Device Name to apply a name to search for and identify your Panorama.
6. (Optional) Select a Device Tag to group Panorama with any other devices for which you
have selected a device tag.
The device tag must first be created at the account level (Assets > Devices > Device Tag)
before it can be selected when you register Panorama.
7. If the Panorama management server is not internet-connected, check Device will be used
offline and select the OS Release version.
8. Enter the required Location Information (as indicated by the asterisks) if you have
purchased the 4 hour RMA.
9. Agree and Submit the EULA.
After you see the registration complete message, close the Device Registration dialog.

Activate a Panorama Support License

Before activating a Panorama support license on a Panorama M-Series appliance or Panorama
virtual appliance, you must Register Panorama.

If the support license expires, Panorama can still manage firewalls and collect logs, but
software and content updates will be unavailable. The software and content versions on
Panorama must be the same as or later than the versions on the managed firewalls, or
else errors will occur. For details, see Panorama, Log Collector, Firewall, and WildFire
Version Compatibility.

STEP 1 | Log in to the Palo Alto Networks customer support portal to activate the auth-code.
1. Select Assets > Devices and enter your Panorama serial number to Filter by the Serial
Number.
2. Select the pencil icon in the Action column, select Activate Auth-Code and enter your
support license Authorization Code, and click Agree and Submit.

STEP 2 | Log in to the Panorama web interface, and select Panorama > Support > Activate feature
using authorization code.

STEP 3 | Enter the Authorization Code and click OK.

STEP 4 | Verify that the subscription is activated. Check the details (for example, the Expiry Date,
support Level, and Description) in the Support section of the page.

Acvate/Retrieve a Firewall Management License when the


Panorama Virtual Appliance is Internet-connected
In order to manage devices on Panorama, you need to acvate a firewall management license
generated by PAN-OS. The device management license you acvate determines the number of
devices Panorama can manage. Log Collectors and WildFire appliances are not treated as managed
devices and do not count toward the number of devices alloed by the device management
license.
Before acvang and retrieving a firewall management license on the Panorama virtual appliance,
you must Register Panorama. If you are running an evaluaon license and want to apply a
license that you purchased, you must sll register and acvate/retrieve the purchased license.
Addionally, you must then change the serial number of the Panorama from the evaluaon serial
number to the producon serial number.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Select Panorama > Setup > Management and edit the General Sengs.

STEP 3 | Enter the Panorama Serial Number (included in the order fulfillment email) and click OK.

STEP 4 | Select Panorama > Licenses to activate or retrieve the firewall management license:
• Retrieve license keys from license server—Panorama automatically retrieves and activates the firewall management license from the Panorama Update Server.
• Activate feature using authorization code—Enter the firewall management license authorization code and click OK to activate the license. The authorization code can be obtained from the order fulfillment email or by logging in to the Palo Alto Networks Customer Support web site and finding the Panorama management server.
• Manually upload license key—Log in to the Palo Alto Networks Customer Support web site, find your Panorama management server, and download the firewall management license key to your local device. After you download the license key, click Choose File to select the license key and click OK.

STEP 5 | Verify the firewall management license is activated.
The Device Management License section now appears, displaying the date the license was issued, when the license expires, and a description of the firewall management license.

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected

Before activating and retrieving a firewall management license on the Panorama virtual appliance, you must Register Panorama. In order to manage devices on Panorama, you will need to activate a device management license. The device management license you activate will determine the number of devices Panorama can manage. Log Collectors and WildFire appliances are not treated as managed devices and will not count toward the number of devices allotted by the device management license. If you are running an evaluation license and want to apply a license that you purchased, you must still register and activate/retrieve the purchased license.
After upgrading to PAN-OS 8.1, you will be prompted to retrieve a valid Panorama management license when you first log in to the Panorama web interface after Panorama has finished rebooting. To activate or retrieve the valid management license if the Panorama virtual appliance is offline or unable to reach the Palo Alto Networks update server, you must get the relevant appliance information for the Panorama virtual appliance and upload it to the Customer Support web site.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | (Initial Deployment only) Enter the Panorama Serial Number.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Enter the Panorama Serial Number (included in the order fulfillment email) and click OK.
3. Select Commit > Commit to Panorama and Commit your changes.

STEP 3 | Upload the Panorama virtual appliance information to the Customer Support website.
1. On the Retrieve Management License dialog, click the here link to gather the UUID, CPUID, Panorama Version and Virtual Platform information. Click Download Link to download an XML file of the required Panorama information that can be uploaded to the Customer Support Portal.
On initial deployment, you may need to log out and back in to the web interface to see the dialog.
2. Log in to the Palo Alto Networks Customer Support web site.
3. Click Get Support in the upper right-hand corner.
4. Select Assets > Devices, find your Panorama virtual appliance and, in the Action column, click the edit icon.
5. Select Is the Panorama Offline? and enter the Panorama information gathered in Step 2, or click Select files... to upload the downloaded XML file.
6. Agree and Submit the EULA.

STEP 4 | Install the device management license.
1. In the Actions column, download the device management license.
2. In the Panorama web interface, click Panorama > Licenses and Manually upload license key.
3. Click Choose file, locate the downloaded device management license key and click OK.

STEP 5 | Confirm that the device management license was successfully uploaded by verifying that the Device Management License displays with the license information.

Activate/Retrieve a Firewall Management License on the M-Series Appliance

In order to manage devices on Panorama, you need to activate a Capacity License. The Capacity License determines the number of devices Panorama can manage. Log Collectors and WildFire appliances are not treated as managed devices and do not count toward the number of devices allotted by the Capacity License.
Before activating and retrieving a Panorama firewall management license on the M-Series appliance:
• Register Panorama.
• Locate the auth-codes for the product/subscription you purchased. When you placed your order, Palo Alto Networks Customer Service sent you an email that listed the auth-code associated with the purchase. If you cannot locate this email, contact Palo Alto Networks Customer Support to obtain your codes before proceeding.
After you activate and retrieve the license, the Panorama > Licenses page displays the associated issuance date, expiration date, and the number of firewalls that the license enables Panorama to manage.

To acvate and retrieve the license, the opons are:

Use the web interface to acvate and retrieve the license.


Select this opon if Panorama is ready to connect to the Palo Alto Networks update server
(you completed the task Perform Inial Configuraon of the M-Series Appliance) but you have
not acvated the license on the Palo Alto Networks Customer Support web site.
1. Select Panorama > Licenses and click Acvate feature using authorizaon code.
2. Enter the Authorizaon Code and click OK. Panorama retrieves and acvates the license.

Retrieve the license key from the license server.


If Panorama is not ready to connect to the update server (for example, you have not completed
the inial M-Series appliance setup), you can acvate the license on the Support website so
that, when Panorama is ready to connect, you can then use the web interface to retrieve the
acvated license. The process of retrieving an acvated license is faster than the process of
both retrieving and acvang.
1. Acvate the license on the Palo Alto Networks Customer Support web site.
1. On a host with internet access, use a web browser to access the Palo Alto Networks
Customer Support web site and log in.
2. Select Assets > Devices, find your M-Series appliance and, in the Acon column, click
the edit icon ( ).
3. Select Acvate Auth-Code, enter the Authorizaon Code and click Agree and Submit
to acvate the license.
2. Configure Panorama to connect to the update server: see Perform Inial Configuraon of
the M-Series Appliance.
3. Select Panorama > Licenses and click Retrieve license keys from the license server.
Panorama retrieves the acvated license.

Manually upload the license from a host to Panorama. Panorama must have access to that host.
If Panorama is set up (you completed the task Perform Inial Configuraon of the M-Series
Appliance) but does not have a connecon to the update server, acvate the license on the

Panorama Administrator's Guide Version Version 10.1 224 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

Support website, download it to a host that has a connecon to the update server, then upload
it to Panorama.
1. Acvate and download the license from the Palo Alto Networks Customer Support web
site.
1. On a host with internet access, use a web browser to access the Palo Alto Networks
Customer Support web site and log in.
2. Select Assets > Devices, find your M-Series appliance and, in the Acon column, click
the edit icon ( ).
3. Select Acvate Auth-Code, enter the Authorizaon Code and click Agree and Submit
to acvate the license.
4. In the Acon column, click the download icon and save the license key file to the host.
2. In the Panorama web interface, select Panorama > Licenses, click Manually upload
license key and click Browse.
3. Select the key file you downloaded to the host and click Open.
4. Click OK to upload the acvated license key.

Install the Panorama Device Certificate

In PAN-OS 9.1.3 and later releases, you must install the device certificate on the Panorama™ management server to successfully authenticate Panorama with the Palo Alto Networks Customer Support Portal (CSP) and leverage cloud services such as Zero Touch Provisioning (ZTP), Device Telemetry, IoT, and Enterprise Data Loss Prevention (DLP). Panorama must have internet access to successfully install the device certificate.

If you are leveraging the Cloud Services plugin, you must have Cloud Services plugin 1.5 or a later release installed to successfully install the Panorama device certificate.

STEP 1 | Register Panorama with the Palo Alto Networks Customer Support Portal (CSP).

STEP 2 | Configure the Network Time Protocol (NTP) server.
An NTP server is required to validate the device certificate expiration date and to ensure the device certificate does not expire early or become invalid.
1. Log in to the Panorama Web Interface.
2. Select Panorama > Setup > Services.
3. Select NTP and enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
4. (Optional) Enter a Secondary NTP Server address.
5. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
• None (default)—Disables NTP authentication.
• Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
  • Key ID—Enter the Key ID (1-65534).
  • Algorithm—Select the algorithm to use in NTP authentication (MD5 or SHA1).
6. Click OK to save your configuration changes.
7. Select Commit and Commit to Panorama.

STEP 3 | Generate the One Time Password (OTP).
1. Log in to the Customer Support Portal.
2. Select Assets > Device Certificates and Generate OTP.
3. For the Device Type, select Generate OTP for Panorama and Generate OTP.
4. Select the Panorama Device serial number.
5. Generate OTP and copy the OTP.

STEP 4 | Log in to the Panorama Web Interface as an admin user.

STEP 5 | Select Panorama > Setup > Management > Device Certificate Settings and Get certificate.

STEP 6 | Enter the One-time Password you generated and click OK.

STEP 7 | Panorama successfully retrieves and installs the certificate.

Transion to a Different Panorama Model


When your network requirements change (for example, the logging rate increases), you can
migrate the Panorama management server and Dedicated Log Collectors to Panorama Models that
beer support those requirements.
• Migrate from a Panorama Virtual Appliance to an M-Series Appliance
• Migrate a Panorama Virtual Appliance to a Different Hypervisor
• Migrate from an M-Series Appliance to a Panorama Virtual Appliance
• Migrate from an M-100 Appliance to an M-500 Appliance

Migrate from a Panorama Virtual Appliance to an M-Series


Appliance
You can migrate the Panorama configuraon from a Panorama virtual appliance to an M-Series
appliance in Panorama mode. However, you cannot migrate the logs because the log format on
the Panorama virtual appliance is incompable with that on M-Series appliances. Therefore, if
you want to maintain access to the old logs stored on the Panorama virtual appliance, you must
connue running the Panorama virtual appliance aer the migraon. The M-Series appliance will
collect the new logs that firewalls forward aer the migraon. Aer the pre-migraon logs expire
or become irrelevant due to aging, you can shut down the Panorama virtual appliance.
Legacy mode is no longer supported in PAN-OS 8.1 or later releases. If the old Panorama
virtual appliance is in Legacy mode, you must change Panorama to Panorama mode before
migrang to the new hypervisor in order to preserve the log sengs and Log Collector forwarding
configuraons. Imporng the configuraon of the old Panorama in Legacy mode to a new
Panorama in Panorama mode causes all log and log forwarding sengs to be removed.
You cannot migrate logs between hypervisors. Therefore, if you want to maintain access to the
logs stored on the old Panorama virtual appliance, you must connue running the old Panorama
virtual appliance aer the migraon and add it as a managed Log Collector on the new Panorama
virtual appliance. This allows the new Panorama virtual appliance to collect the new logs that
firewalls forward aer the migraon, while maintaining access to the old log data. Aer the pre-
migraon logs expire or become irrelevant due to aging, you can shut down the Panorama virtual
appliance.

If you store firewall logs on Dedicated Log Collectors (M-Series appliances in Log Collector
mode) instead of on the Panorama virtual appliance, you can maintain access to the logs
by migrang the Dedicated Log Collectors to the M-Series appliance in Panorama mode.

STEP 1 | Plan the migraon.


Upgrade the software on the Panorama virtual appliance before the migration if the M-Series appliance requires a later release than the current software (the M-500 appliance requires Panorama 7.0 or a later release; the M-600 and M-200 appliances require Panorama 8.1 or a later release). For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
Schedule a maintenance window for the migration. Although firewalls can buffer logs after the Panorama virtual appliance goes offline and then forward the logs after the M-Series appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities and be lost during the transition between Panorama models.
Consider whether to maintain access to the Panorama virtual appliance after the migration to access existing logs. The most efficient approach is to assign a new IP address to the Panorama virtual appliance and reuse its old IP address for the M-Series appliance. This ensures that the Panorama virtual appliance remains accessible and that firewalls can point to the M-Series appliance without you reconfiguring the Panorama IP address on each firewall.


STEP 2 | Purchase the new M-Series appliance, and migrate your subscriptions to the new appliance.
1. Purchase the new M-Series appliance.
2. Purchase the new support license and migration license.
3. At the time you purchase the new M-Series appliance, provide your sales representative the serial number and device management auth-code of the Panorama virtual appliance you are phasing out, as well as a license migration date of your choosing. On receipt of your M-Series appliance, register the appliance and activate the device management and support licenses using the migration and support auth-codes provided by Palo Alto Networks. On the migration date, the device management license on the Panorama virtual appliance is decommissioned, and you can no longer manage devices or collect logs using the Panorama virtual appliance. However, the support license is preserved and the Panorama appliance remains under support. You can complete the migration after the effective date, but you are unable to commit any configuration changes on the now decommissioned Panorama virtual appliance.

STEP 3 | (Legacy mode only) On the old Panorama virtual appliance, change to Panorama mode.
This step is required to preserve the log data, settings and log forwarding configuration of the Panorama virtual appliance. If you export the Panorama configuration while in Legacy mode, these settings are lost. You must complete Step 9 if you do not change Panorama to Panorama mode before continuing.
Continue to the next step if the Panorama virtual appliance is already in Panorama or Management Only mode.

STEP 4 | Export the Panorama configuration from the Panorama virtual appliance.
1. Log in to the Panorama virtual appliance and select Panorama > Setup > Operations.
2. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
3. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK. Panorama exports the configuration to your client system as an XML file.

STEP 5 | Power off the Panorama virtual appliance if you won’t need to access it after the migration, or assign a new IP address to its management (MGT) interface if you will need access to it.
To power off the Panorama virtual appliance, see the documentation for your VMware product.
To change the IP address on the Panorama virtual appliance:
1. Select Panorama > Setup > Management, and edit the Management Interface Settings.
2. Enter the new IP Address and click OK.
3. Select Commit > Commit to Panorama and Commit your changes.

STEP 6 | Perform the initial setup of the M-Series appliance.
1. Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-Series Appliance to define the network connections required to activate licenses and install updates.
3. Register Panorama.
4. Activate a Panorama Support License.
5. Activate/Retrieve a Firewall Management License on the M-Series Appliance. Use the auth-code associated with the migration license.
6. Install Content and Software Updates for Panorama. Install the same versions as those on the Panorama virtual appliance.

STEP 7 | Load the Panorama configuration snapshot that you exported from the Panorama virtual appliance into the M-Series appliance.
The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
1. On the M-Series appliance, select Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the Panorama configuration file you exported from the Panorama virtual appliance, and click OK.
3. Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, select a Decryption Key (the master key for Panorama), and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file.
4. If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid.

STEP 8 | Modify the configuration on the M-Series appliance.
Required if the M-Series appliance will use different values than the Panorama virtual appliance. If you will maintain access to the Panorama virtual appliance to access its logs, use a different hostname and IP address for the M-Series appliance.
1. Select Panorama > Setup > Management.
2. Edit the General Settings, modify the Hostname, and click OK.
3. Edit the Management Interface Settings, modify the values as necessary, and click OK.

STEP 9 | Add the default managed collector and Collector Group back to the M-Series appliance.
Loading the configuration from the Panorama virtual appliance (Step 7) removes the default managed collector and Collector Group that are predefined on each M-Series appliance.
1. Configure a Managed Collector that is local to the M-Series appliance.
2. Configure a Collector Group for the default managed collector.
3. Select Commit > Commit to Panorama and Commit your changes to the Panorama configuration.

STEP 10 | Synchronize the M-Series appliance with the firewalls to resume firewall management.
Complete this step during a maintenance window to minimize network disruption.
1. On the M-Series appliance, select Panorama > Managed Devices and verify that the Device State column displays Connected for the firewalls.
At this point, the Shared Policy (device groups) and Template columns display Out of sync for the firewalls.
2. Push your changes to device groups and templates:
   1. Select Commit > Push to Devices and Edit Selections.
   2. Select Device Groups, select every device group, Include Device and Network Templates, and click OK.
   3. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template columns display In sync for the firewalls.

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate the Panorama configuration of a Panorama virtual appliance from one supported hypervisor to another supported hypervisor in Management Only mode or Panorama mode.
Before migrating the Panorama virtual appliance to a new hypervisor, review the Panorama Models to ensure that the new hypervisor you are migrating to is supported. Additionally, if your Panorama configuration includes multiple interfaces for device management, log collection, Collector Group communication, licensing and software updates, review Setup Prerequisites for the Panorama Virtual Appliance to verify that the hypervisor you are migrating to supports multiple interfaces.

Legacy mode is no longer supported in PAN-OS 8.1 or later releases. If the old Panorama virtual appliance is in Legacy mode, you must change Panorama to Panorama mode before migrating to the new hypervisor in order to preserve the log settings and Log Collector forwarding configurations. Importing the configuration of the old Panorama in Legacy mode to a new Panorama in Panorama mode causes all log and log forwarding settings to be removed.
You cannot migrate logs from a Panorama virtual appliance. Therefore, if you want to maintain access to the logs stored on the old Panorama virtual appliance, you must continue running the old Panorama virtual appliance in Log Collector mode after the migration and add it as a managed Log Collector on the new Panorama virtual appliance. This allows the new Panorama virtual appliance to collect the new logs that firewalls forward after the migration, while maintaining access to the old log data. After the pre-migration logs expire or become irrelevant due to aging, you can shut down the Panorama virtual appliance.

If you store firewall logs on Dedicated Log Collectors (Panorama virtual appliance in Log Collector mode) instead of on the Panorama virtual appliance, you can maintain access to the logs by migrating the Dedicated Log Collectors to the new Panorama virtual appliance in Panorama mode.

STEP 1 | Plan the migration.
Upgrade the software on the Panorama virtual appliance before the migration if the new Panorama virtual appliance requires a later release than the current software. For the minimum PAN-OS version for each hypervisor, see Panorama Hypervisor Support. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
Schedule a maintenance window for the migration. Although firewalls can buffer logs after the Panorama virtual appliance goes offline and then forward the logs after the new Panorama virtual appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities and be lost during the transition between hypervisors.
Consider whether to maintain access to the old Panorama virtual appliance after the migration to access existing logs. The most efficient approach is to assign a new IP address to the old Panorama virtual appliance and reuse its old IP address for the new Panorama virtual appliance. This ensures that the old Panorama virtual appliance remains accessible and that firewalls can point to the new Panorama virtual appliance without you reconfiguring the Panorama IP address on each firewall.
If you intend to maintain access to the old Panorama virtual appliance, you must purchase a new device management license and support license for the new Panorama virtual appliance before you can complete the migration successfully.

STEP 2 | (Legacy mode only) On the old Panorama virtual appliance, Set up a Panorama Virtual Appliance in Panorama Mode.
This step is required to preserve the log settings (Panorama > Log Settings) on the old Panorama virtual appliance. If you export the Panorama configuration while in Legacy mode, these settings are lost.
Continue to the next step if the Panorama virtual appliance is already in Panorama or Management Only mode.

STEP 3 | Export the Panorama configuration from the old Panorama virtual appliance.
1. Log in to the Panorama Web Interface.
2. Select Panorama > Setup > Operations.
3. Click Export named Panorama configuration snapshot, select running-config.xml and click OK. Panorama exports the configuration to your client system as an XML file.
4. Locate the running-config.xml file you exported and rename the XML file. This is required to import the configuration, as Panorama does not support importing an XML file with the name running-config.xml.

STEP 4 | Install the Panorama virtual appliance.

STEP 5 | Migrate the serial number of the old Panorama virtual appliance to the new Panorama virtual appliance.
This step is required to migrate all subscriptions and the device management license tied to the Panorama serial number, and only if you intend to shut down the old Panorama virtual appliance. If you intend to maintain access to the old Panorama virtual appliance, continue to the next step.

You have up to 90 days to shut down the old Panorama virtual appliance. Running multiple Panorama virtual appliances with the same serial number violates the EULA.

1. Log in to the Panorama web interface of the old Panorama virtual appliance.
2. In the Dashboard, copy the Serial # of the old Panorama virtual appliance located in the General Information widget.
3. Log in to the Panorama web interface of the new Panorama virtual appliance.
4. Add the serial number of the old Panorama virtual appliance to the new Panorama virtual appliance.
   1. Select Panorama > Setup > Management and edit the General Settings.
   2. Enter (paste) the Serial Number and click OK.
   3. Select Commit and Commit to Panorama.

STEP 6 | Perform the initial setup of the new Panorama virtual appliance.
1. Perform Initial Configuration of the Panorama Virtual Appliance to define the network connections required to activate licenses and install updates.
2. (For maintaining access to the old Panorama virtual appliance only) Register Panorama.
3. (For maintaining access to the old Panorama virtual appliance only) Activate a Panorama Support License.
4. (For maintaining access to the old Panorama virtual appliance only) Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected. Use the auth-code associated with the migration license.
5. Install Content and Software Updates for Panorama. Install the same versions as those on the old Panorama virtual appliance.
This step is required before loading the configuration from the old Panorama virtual appliance. Ensure that all required content updates are installed to avoid security outages.
6. Select Panorama > Plugins and install all plugins that were installed on the old Panorama virtual appliance.

STEP 7 | Power off the old Panorama virtual appliance if you won’t need to access it after the migration, or assign a new IP address to its management (MGT) interface if you will need access to it.
To power off the Panorama virtual appliance, see the documentation for the hypervisor on which the old Panorama virtual appliance is deployed.
To change the IP address on the Panorama virtual appliance:
1. On the web interface of the old Panorama virtual appliance, select Panorama > Setup > Management, and edit the Management Interface Settings.
2. Enter the new IP Address and click OK.
3. Select Commit > Commit to Panorama and Commit your changes.

STEP 8 | (Prisma Access) Transfer the Prisma Access license from the old Panorama virtual appliance to the new Panorama virtual appliance.

STEP 9 | Load the Panorama configuration snapshot that you exported from the old Panorama virtual appliance into the new Panorama virtual appliance.
The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.
1. Log in to the Panorama Web Interface of the new Panorama virtual appliance.
2. Select Panorama > Setup > Operations.
3. Click Import named Panorama configuration snapshot, Browse to the Panorama configuration file you exported from the old Panorama virtual appliance, and click OK.
4. Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, leave the Decryption Key blank (empty), and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file.
5. If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid.

STEP 10 | Modify the configuration on the new Panorama virtual appliance.
Required if the new Panorama virtual appliance will use different values than the old Panorama virtual appliance. If you will maintain access to the old Panorama virtual appliance to access its logs, use a different hostname and IP address for the new Panorama virtual appliance.
1. Select Panorama > Setup > Management.
2. Edit the General Settings, modify the Hostname, and click OK.
3. Edit the Management Interface Settings, modify the values as necessary, and click OK.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama configuration.

STEP 11 | Add the default managed collector and Collector Group to the new Panorama virtual appliance.
Loading the configuration from the old Panorama virtual appliance (Step 7) removes the default managed collector and Collector Group that are predefined on each Panorama virtual appliance in Panorama mode.
1. To maintain access to logs stored on the old Panorama virtual appliance, change it to Log Collector mode and add it to the new Panorama virtual appliance as a Dedicated Log Collector.
   1. Set Up The Panorama Virtual Appliance as a Log Collector.
   2. Configure a Managed Collector.
2. Configure a Managed Collector that is local to the Panorama virtual appliance.
3. Configure a Collector Group for the default managed collector.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama configuration.

STEP 12 | Synchronize the new Panorama virtual appliance with the firewalls to resume firewall management.

Complete this step during a maintenance window to minimize network disruption.

1. On the new Panorama virtual appliance, select Panorama > Managed Devices and verify that the Device State column displays Connected for the firewalls.
At this point, the Shared Policy (device groups) and Template columns display Out of sync for the firewalls.
2. Push your changes to device groups and templates:
   1. Select Commit > Push to Devices and Edit Selections.
   2. Select Device Groups, select every device group, Include Device and Network Templates, and click OK.
   3. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template columns display In sync for the firewalls.

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

You can migrate the Panorama configuration from an M-100, M-200, M-500, or M-600 appliance to a Panorama virtual appliance in Panorama mode. However, you cannot migrate the logs because the log format on the M-Series appliances is incompatible with that on the Panorama virtual appliances. Therefore, if you want to maintain access to the old logs stored on the M-Series appliance, you must continue running the M-Series appliance as a Dedicated Log Collector after the migration and add it to the Panorama virtual appliance as a managed collector.
If your Panorama management server is part of a high availability configuration, you must deploy a second Panorama virtual appliance in the same hypervisor or cloud environment, and purchase the required device management and support licenses. See Panorama HA Prerequisites for a full list of HA requirements.
STEP 1 | Plan the migration.
Upgrade the M-Series appliance to PAN-OS 10.1 or a later release before migrating to the Panorama virtual appliance. To upgrade Panorama, see Install Content and Software Updates for Panorama. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
Schedule a maintenance window for the migration. Although firewalls can buffer logs after the M-Series appliance goes offline and then forward the logs after the Panorama virtual appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities during the transition to a different Panorama model.

STEP 2 | Purchase management and support licenses for the new Panorama virtual appliance.
1. Contact your sales representative to purchase the new device management and support licenses.
2. Provide your sales representative the serial number of the M-Series appliance you plan to phase out, the serial number and support auth code you received when you purchased the new Panorama virtual appliance, and the date when you expect your migration from the old device to the new virtual appliance to be completed. Before the migration date, register the serial number and activate the support auth code on the new virtual appliance so that you can begin your migration. The capacity auth code on the old M-Series appliance is automatically removed on the expected migration completion date you provided.

STEP 3 | Perform the initial setup of the Panorama virtual appliance.

1. Set Up the Panorama Virtual Appliance.
2. Perform Initial Configuration of the Panorama Virtual Appliance to define the network connections required to activate licenses and install updates.
3. Register Panorama.
4. Activate a Panorama Support License.
5. Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected.
6. Install Content and Software Updates for Panorama. Install the same versions as those on the M-Series appliance.

STEP 4 | Edit the M-Series appliance Panorama interface configuration to use only the management interface.
The Panorama virtual appliance supports only the management interface for device management and log collection.
1. Log in to the Panorama Web Interface of the M-Series appliance.
2. Select Panorama > Setup > Management.
3. Edit the General Settings, modify the Hostname, and click OK.
4. Select Interfaces and edit the Management interface to enable the required services.
5. Disable services for the remaining interfaces.
6. Select Commit > Commit to Panorama.

STEP 5 | Add the IP address of the new Panorama virtual appliance.

On the M-Series appliance, add the public IP address of the Panorama virtual appliance as the second Panorama Server to manage devices from the new Panorama management server. If the Panorama virtual appliance is deployed on Alibaba Cloud, AWS, Azure, GCP, or OCI, use the public IP address.
1. Select Device > Setup.
2. In the Template context drop-down, select the template or template stack containing the Panorama server configuration.
3. Edit the Panorama Settings.
4. Enter the Panorama virtual appliance public IP address and click OK.
5. Select Commit > Commit and Push.

STEP 6 | Export the configuration from the M-Series appliance.

1. Select Panorama > Setup > Operations.
2. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
3. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK. Panorama exports the configuration to your client system as an XML file. Save the configuration to a location external to the Panorama appliance.

STEP 7 | Power off the M-Series appliance or assign a new IP address to the management (MGT) interface.

If the M-Series appliance is in Panorama mode and has logs stored on the local Log Collector that you need to access from the new Panorama virtual appliance, you must change the IP address on the M-Series appliance in order to add it to the Panorama virtual appliance as a managed Log Collector.

• To power off the M-Series appliance:
   1. Log in to the Panorama web interface.
   2. Select Panorama > Setup > Operations, and under Device Operations, Shutdown Panorama. Click Yes to confirm the shutdown.
• To change the IP address on the M-Series appliance:
   1. Log in to the Panorama web interface.
   2. Select Panorama > Setup > Management, and edit the Management Interface Settings.
   3. Enter the new IP Address and click OK.
   4. Select Commit > Commit to Panorama and Commit your changes.

STEP 8 | Load the Panorama configuration snapshot that you exported from the M-Series appliance into the Panorama virtual appliance.

The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.

1. Log in to the Panorama web interface of the Panorama virtual appliance, and select Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the Panorama configuration file you exported from the M-Series appliance, and click OK.
3. Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, select a Decryption Key (the master key for Panorama), and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file.
If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid. The configuration has been loaded once the commit is successful.

STEP 9 | Change the M-Series appliance to Log Collector mode to preserve existing log data.

Logging data is erased if you change to Log Collector mode while the logging disks are still inserted in the M-Series appliance. Logging disks must be removed before changing mode to avoid log data loss.

Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending on the data size, this process can take a long time to complete. To expedite the process, you can launch multiple CLI sessions and run the metadata regeneration command in each session to complete the process simultaneously for every pair. For details, see Regenerate Metadata for M-Series Appliance RAID Pairs.

1. Remove the RAID disks from the old M-Series appliance.
   1. Power off the M-Series appliance by pressing the Power button until the system shuts down.
   2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
2. Power on the M-Series appliance by pressing the Power button.
3. Configure an admin superuser administrator account.
If an admin administrator account is already created, continue to the next step.

An admin account with superuser privileges must be created before you switch to Log Collector mode or you lose access to the M-Series appliance after switching modes.
4. Log in to the Panorama CLI on the old M-Series appliance.
5. Switch from Panorama mode to Log Collector mode.
   • Switch to Log Collector mode by entering the following command:

> request system system-mode logger

   • Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot process terminates your terminal emulation software session, reconnect to the M-Series appliance to see the Panorama login prompt.

If you see a CMS Login prompt, this means the Log Collector has not finished rebooting. Press Enter at the prompt without typing a username or password.
   • Log back in to the CLI.
   • Verify that the switch to Log Collector mode succeeded:

> show system info | match system-mode

If the mode change succeeded, the output displays:

> system-mode: logger

6. Insert the disks back into the old M-Series appliance. For details, refer to the disk replacement procedure in the M-Series Appliance Hardware Reference Guides.
You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2 into slot B1/B2, you must keep the disks together in the same slot; otherwise, Panorama might not restore the data successfully.
7. Enable the disk pairs by running the following CLI command for each pair:

> request system raid add <slot> force no-format

For example:

> request system raid add A1 force no-format
> request system raid add A2 force no-format

The force and no-format arguments are required. The force argument associates the disk pair with the new appliance. The no-format argument prevents reformatting of the drives and retains the logs stored on the disks.
8. Generate the metadata for each disk pair.

> request metadata-regenerate slot <slot_number>

For example:

> request metadata-regenerate slot 1

9. Enable connectivity between the Log Collector and the Panorama management server.
Enter the following commands at the Log Collector CLI, where <IPaddress1> is for the MGT interface of the solitary (non-HA) or active (HA) Panorama and <IPaddress2> is for the MGT interface of the passive (HA) Panorama, if applicable.

> configure
# set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
# commit
# exit

STEP 10 | Synchronize the Panorama virtual appliance with the firewalls to resume firewall management.

Complete this step during a maintenance window to minimize network disruption.

1. On the Panorama virtual appliance, select Panorama > Managed Devices and verify that the Device State column displays the firewalls as Connected.
At this point, the Shared Policy (device groups) and Template columns display Out of sync for the firewalls.
2. Push your changes to device groups and templates:
   1. Select Commit > Push to Devices and Edit Selections.
   2. Select Device Groups, select every device group, and Include Device and Network Templates.
   3. Select Collector Groups, select every collector group, and click OK.
   4. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template columns display In sync for the firewalls.

STEP 11 | (HA only) Set up the Panorama HA peer.

If the Panorama management servers are in a high availability configuration, perform the steps below on the HA peer.
1. Perform the initial setup of the Panorama virtual appliance.
2. Edit the M-Series appliance Panorama interface configuration to use only the management interface.
3. Add the IP address of the new Panorama virtual appliance.
4. Power off the M-Series appliance or assign a new IP address to the management (MGT) interface.
5. Change the M-Series appliance to Log Collector mode to preserve existing log data.

STEP 12 | (HA only) Modify the Panorama virtual appliance HA peer configuration.
1. On an HA peer, log in to the Panorama Web Interface, select Panorama > High Availability, and edit the Setup.
2. In the Peer HA IP Address field, enter the new IP address of the HA peer and click OK.
3. Select Commit > Commit to Panorama and Commit your change.
4. Repeat these steps on the other peer in the HA pair.

STEP 13 | (HA only) Synchronize the Panorama peers.

1. Access the Dashboard on one of the HA peers and select Widgets > System > High Availability to display the HA widget.
2. Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
3. Access the Dashboard on the remaining HA peer and select Widgets > System > High Availability to display the HA widget.
4. Verify that the Running Config displays Synchronized.

Migrate from an M-100 Appliance to an M-500 Appliance

You can migrate the Panorama configuration and firewall logs from an M-100 appliance to an M-500 appliance in Panorama mode (Panorama management server). You can also migrate the firewall logs from an M-100 appliance to an M-500 appliance in Log Collector mode (Dedicated Log Collector). Because all the Log Collectors in a Collector Group must be the same Panorama model, you must migrate all or none of the M-100 appliances in any Collector Group.
In the following procedure, the Panorama management server is deployed in an active/passive high availability (HA) configuration, you will migrate both the configuration and logs, and the M-500 appliances will reuse the IP addresses from the M-100 appliances.

This procedure assumes you are no longer using the M-100 for device management or log collection. If you plan on using the decommissioned M-100 appliance as a Dedicated Log Collector, a device management license is required on the M-100. Without a device management license, you are unable to use the M-100 as a Dedicated Log Collector.
If you do not plan on using the M-100 appliance as a Dedicated Log Collector, but the M-100 appliance contains log data that you must access at a later date, you may still query and generate reports using the existing log data. Palo Alto Networks recommends reviewing the log retention policy before decommissioning the M-100 appliance.

If you will migrate only the logs and not the Panorama configuration, perform the task Migrate Logs to a New M-Series Appliance in Log Collector Mode or Migrate Logs to a New M-Series Appliance in Panorama Mode.
If you will migrate to a new Panorama management server that is not deployed in an HA configuration and the new Panorama must access logs on existing Dedicated Log Collectors, perform the task Migrate Log Collectors after Failure/RMA of Non-HA Panorama.

STEP 1 | Plan the migration.

• Upgrade the software on the M-100 appliance if its current release is earlier than 7.0; the M-500 appliance requires Panorama 7.0 or a later release. For important details about software versions, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
• Forward the System and Config logs that Panorama and Log Collectors generate to an external destination before the migration if you want to preserve those logs. The M-Series appliance in Panorama mode stores these log types on its SSD, which you cannot move between models. You can move only the RAID drives, which store firewall logs.
• Schedule a maintenance window for the migration. Although firewalls can buffer logs after the M-100 appliance goes offline and then forward the logs after the M-500 appliance comes online, completing the migration during a maintenance window minimizes the risk that logs will exceed the buffer capacities and be lost during the transition between Panorama models.

STEP 2 | Purchase the new M-500 appliance, and migrate your subscriptions to the new appliance.
1. Purchase the new M-500 appliance.
2. Purchase the new support license and migration license.
3. At the time you purchase the new M-500 appliance, provide your sales representative the serial number and device management auth-code of the M-100 appliance you are phasing out, as well as a license migration date of your choosing. On receipt of your M-500 appliance, register the appliance and activate the device management and support licenses using the migration and support auth-codes provided by Palo Alto Networks. On the migration date, the device management license on the M-100 is decommissioned, and you can no longer manage devices or collect logs using the M-100 appliance. However, the support license is preserved and the Panorama appliance remains under support. You can complete the migration after the effective date, but you are unable to commit any configuration changes on the now decommissioned M-100 appliance.

STEP 3 | Export the Panorama configuration from each M-100 appliance in Panorama mode.
Perform this task on each M-100 appliance HA peer:
1. Log in to the M-100 appliance and select Panorama > Setup > Operations.
2. Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
3. Click Export named Panorama configuration snapshot, select the Name of the configuration you just saved, and click OK. Panorama exports the configuration to your client system as an XML file.

STEP 4 | Power off each M-100 appliance in Panorama mode.

1. Log in to the M-100 appliance HA peer that you will power off.
2. Select Panorama > Setup > Operations, and click Shutdown Panorama.

STEP 5 | Perform the initial setup of each M-500 appliance.

1. Rack mount the M-500 appliances. Refer to the M-500 Appliance Hardware Reference Guide for instructions.
2. Perform Initial Configuration of the M-Series Appliance to define the network connections required to activate licenses and install updates.
3. Register Panorama.
4. Activate a Panorama Support License.
5. Activate a firewall management license. Use the auth-code associated with the migration license.
6. Install Content and Software Updates for Panorama. Install the same versions as those on the M-100 appliance.
7. (Dedicated Log Collector only) Set Up the M-Series Appliance as a Log Collector.

STEP 6 | Load the Panorama configuration snapshot that you exported from each M-100 appliance into each M-500 appliance in Panorama mode (both HA peers).

The Panorama Policy rule Creation and Modified dates are updated to reflect the date you commit the imported Panorama configuration on the new Panorama. The universally unique identifier (UUID) for each policy rule persists when you migrate the Panorama configuration.
The Creation and Modified dates for managed firewalls are not impacted when you monitor policy rule usage for a managed firewall because this data is stored locally on the managed firewall and not on Panorama.

Perform this task on each M-500 appliance HA peer:

1. Log in to the M-500 appliance and select Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the configuration file you exported from the M-100 appliance that has the same HA priority (primary or secondary) as the M-500 appliance will have, and click OK.
3. Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, select a Decryption Key (the master key for Panorama), and click OK. Panorama overwrites its current candidate configuration with the loaded configuration. Panorama displays any errors that occur when loading the configuration file. If errors occurred, save them to a local file. Resolve each error to ensure the migrated configuration is valid.
4. Select Commit > Commit to Panorama and Validate Commit. Resolve any errors before proceeding.
5. Commit your changes to the Panorama configuration.

STEP 7 | Synchronize the configuration between the M-500 appliance HA peers in Panorama mode.
1. On the active M-500 appliance, select the Dashboard tab and, in the High Availability widget, click Sync to peer.
2. In the High Availability widget, verify that the Local (primary M-500 appliance) is active, the Peer is passive, and the Running Config is synchronized.

STEP 8 | Move the RAID drives from each M-100 appliance to its replacement M-500 appliance to
migrate the logs collected from firewalls.
In the following tasks, skip any steps that you already completed on the M-500 appliance.
• Migrate Logs to a New M-Series Appliance in Panorama Mode. Migrate logs from the M-100 appliance only if it uses a default managed collector for log collection.
• Migrate Logs to a New M-Series Appliance in Log Collector Mode.

STEP 9 | Synchronize the active M-500 appliance in Panorama mode with the firewalls to resume firewall management.

Complete this step during a maintenance window to minimize network disruption.

1. On the active M-500 appliance, select Panorama > Managed Devices, and verify that the Device State column displays Connected for the firewalls.
At this point, the Shared Policy (device groups) and Template columns display Out of sync for the firewalls.
2. Push your changes to device groups and templates:
   1. Select Commit > Push to Devices and Edit Selections.
   2. Select Device Groups, select every device group, Include Device and Network Templates, and click OK.
   3. Push your changes.
3. In the Panorama > Managed Devices page, verify that the Shared Policy and Template columns display In sync for the firewalls.

Access and Navigate Panorama Management Interfaces

Panorama provides three management interfaces:
• Web interface—The Panorama web interface has a look and feel similar to the firewall web interface. If you are familiar with the latter, you can easily navigate, complete administrative tasks, and generate reports from the Panorama web interface. This graphical interface enables you to access Panorama using HTTPS and it is the best way to perform administrative tasks. See Log in to the Panorama Web Interface and Navigate the Panorama Web Interface. If you need to enable HTTP access to Panorama, edit the Management Interface Settings on the Panorama > Setup > Management tab.
• Command line interface (CLI)—The CLI is a no-frills interface that allows you to type commands in rapid succession to complete a series of tasks. The CLI supports two command modes—operational and configuration—and each has its own hierarchy of commands and statements. When you become familiar with the nesting structure and the syntax for the commands, the CLI enables quick response times and administrative efficiency. See Log in to the Panorama CLI.
• XML API—The XML-based API is provided as a web service that is implemented using HTTP/HTTPS requests and responses. It enables you to streamline your operations and integrate with existing, internally developed applications and repositories. For details on using the Panorama API, refer to the PAN-OS and Panorama XML API Usage Guide.
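As an added example of using the XML API for the post-migration check that the synchronization steps above perform by hand (Device State Connected, Shared Policy and Template In sync), the following Python script is not Palo Alto Networks' code. The operational request format and the `show devices connected` command are real, but the response element names it parses (`hostname`, `connected`, `shared-policy-status`, `template-status`) and the sample responses are assumptions constructed for this example.

```python
"""Post-migration sync check for Panorama-managed firewalls over the XML API.

Added example, not Palo Alto Networks' own code. It assumes the element names
<hostname>, <connected>, <shared-policy-status> and <template-status> in the
response to 'show devices connected'; the sample responses below are
constructed for this example, not captured from a device.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SHOW_DEVICES_CMD = "<show><devices><connected/></devices></show>"


def op_request_url(panorama_host: str, api_key: str) -> str:
    """Build the HTTPS URL for the 'show devices connected' operational command.

    The scheme is fixed to HTTPS, as the guide requires for management access;
    the API key is a secret obtained separately (type=keygen) and never logged.
    """
    query = urlencode({"type": "op", "cmd": SHOW_DEVICES_CMD, "key": api_key})
    return f"https://{panorama_host}/api/?{query}"


def parse_device_status(xml_text: str) -> dict:
    """Map each firewall serial to its connection and sync state.

    Raises ValueError when the API reports an error instead of a result, so a
    failed call is never mistaken for "every firewall is in sync".
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg", default="unknown API error")
        raise ValueError(f"Panorama API error: {msg}")
    devices = {}
    for entry in root.iter("entry"):
        serial = entry.get("name")
        if serial is None:
            continue
        devices[serial] = {
            "hostname": (entry.findtext("hostname") or "").strip(),
            "connected": (entry.findtext("connected") or "").strip().lower() == "yes",
            "shared_policy": (entry.findtext("shared-policy-status") or "unknown").strip(),
            "template": (entry.findtext("template-status") or "unknown").strip(),
        }
    return devices


def devices_needing_attention(devices: dict) -> dict:
    """Return serial -> reasons for every firewall that is not Connected, or whose
    Shared Policy or Template column would not read 'In sync' on
    Panorama > Managed Devices (the state the guide says to verify after a push)."""
    problems = {}
    for serial, state in devices.items():
        reasons = []
        if not state["connected"]:
            reasons.append("not connected")
        if state["shared_policy"] != "In sync":
            reasons.append(f"shared policy {state['shared_policy']}")
        if state["template"] != "In sync":
            reasons.append(f"template {state['template']}")
        if reasons:
            problems[serial] = reasons
    return problems


# Constructed sample response: three firewalls after a migration, two still needing work.
SAMPLE_RESPONSE = """<response status="success"><result><devices>
  <entry name="001901000001"><hostname>fw-edge-1</hostname><connected>yes</connected>
    <shared-policy-status>In sync</shared-policy-status><template-status>In sync</template-status></entry>
  <entry name="001901000002"><hostname>fw-edge-2</hostname><connected>yes</connected>
    <shared-policy-status>Out of sync</shared-policy-status><template-status>In sync</template-status></entry>
  <entry name="001901000003"><hostname>fw-branch-7</hostname><connected>no</connected>
    <shared-policy-status>Out of sync</shared-policy-status><template-status>Out of sync</template-status></entry>
</devices></result></response>"""

# Constructed error response, of the kind returned when the API key is rejected.
SAMPLE_ERROR = '<response status="error"><result><msg>Invalid credentials.</msg></result></response>'


if __name__ == "__main__":
    status = parse_device_status(SAMPLE_RESPONSE)
    for serial, reasons in devices_needing_attention(status).items():
        print(f"{serial} ({status[serial]['hostname']}): {', '.join(reasons)}")
```

Run it against the live response from `op_request_url()` after the Push to Devices step; an empty result from `devices_needing_attention()` corresponds to every firewall showing Connected and In sync.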

Log in to the Panorama Web Interface

STEP 1 | Launch an internet browser and enter the Panorama IP address using a secure connection (https://<IP address>).

STEP 2 | Log in to Panorama according to the type of authentication used for your account. If logging in to Panorama for the first time, use the default value admin for your username and password.
• SAML—Click Use Single Sign-On (SSO). If Panorama performs authorization (role assignment) for administrators, enter your Username and Continue. If the SAML identity provider (IdP) performs authorization, Continue without entering a Username. In both cases, Panorama redirects you to the IdP, which prompts you to enter a username and password. After you authenticate to the IdP, the Panorama web interface displays.
• Any other type of authentication—Enter your user Name and Password. Read the login banner and select I Accept and Acknowledge the Statement Below if the login page has the banner and check box. Then click Login.

STEP 3 | Read and Close any messages of the day.

Navigate the Panorama Web Interface

Use the Panorama web interface to configure Panorama, manage and monitor firewalls, Log Collectors, and WildFire appliances and appliance clusters, and access the web interface of each firewall through the Context drop-down. Refer to the Panorama online help for details on the options and fields in each web interface tab. The following is an overview of the tabs:

Tab | Description

Dashboard | View general information about the Panorama model and network access settings. This tab includes widgets that display information about applications, logs, system resources, and system settings.

ACC | View the overall risk and threat level on the network, based on information that Panorama gathered from the managed firewalls.

Monitor | View and manage logs and reports.

Device Groups > Policies | Create centralized policy rules and apply them to multiple firewalls/device groups. You must Add a Device Group for this tab to display.

Device Groups > Objects | Define policy objects that policy rules can reference and that managed firewalls/device groups can share. You must Add a Device Group for this tab to display.

Templates > Network | Configure network settings, such as network profiles, and apply them to multiple firewalls. You must Add a Template for this tab to display.

Templates > Device | Configure device settings, such as server profiles and admin roles, and apply them to multiple firewalls. You must Add a Template for this tab to display.

Panorama | Configure Panorama, manage licenses, set up high availability, access software updates and security alerts, manage administrative access, and manage the deployed firewalls, Log Collectors, and WildFire appliances and appliance clusters.

Log in to the Panorama CLI

You can log in to the Panorama CLI using a serial port connection or remotely using a Secure Shell (SSH) client.

Use SSH to log in to the Panorama CLI.

The same instructions apply to an M-Series appliance in Log Collector mode.

Optionally, you can Configure an Administrator with SSH Key-Based Authentication for the CLI.

1. Ensure the following prerequisites are met:
   • You have a computer with network access to Panorama.
   • You know the Panorama IP address.
   • The Management interface supports SSH, which is the default setting. If an administrator disabled SSH and you want to re-enable it: select Panorama > Setup > Interfaces, click Management, select SSH, click OK, select Commit > Commit to Panorama, and Commit your changes to the Panorama configuration.
2. To access the CLI using SSH:
   1. Enter the Panorama IP address in the SSH client and use port 22.
   2. Enter your administrative access credentials when prompted. After you log in, the message of the day displays, followed by the CLI prompt in Operational mode. For example:

admin@ABC_Sydney>

Use a serial port connection to log in to the Panorama CLI.

1. Make sure that you have the following:
   • A null-modem serial cable that connects Panorama to a computer with a DB-9 serial port
   • A terminal emulation program running on the computer
2. Use the following settings in the terminal emulation software to connect: 9600 baud; 8 data bits; 1 stop bit; No parity; No hardware flow control.
3. Enter your administrative access credentials when prompted. After you log in, the message of the day displays, followed by the CLI prompt in Operational mode.

Change to Configuration mode.

To switch to Configuration mode, enter the following command at the prompt:

admin@ABC_Sydney> configure

The prompt changes to admin@ABC_Sydney#.

Set Up Administrative Access to Panorama

Panorama implements Role-Based Access Control (RBAC) to enable you to specify the privileges and responsibilities of administrators. The following topics describe how to create administrator roles, access domains, and accounts for accessing the Panorama web interface and command line interface (CLI):
• Configure an Admin Role Profile
• Configure an Access Domain
• Configure Administrative Accounts and Authentication
• Configure Tracking of Administrator Activity

Configure an Admin Role Profile

Admin Role profiles are custom Administrative Roles that enable you to define granular administrative access privileges to ensure protection for sensitive company information and privacy for end users. As a best practice, create Admin Role profiles that allow administrators to access only the areas of the management interfaces required to perform their jobs.
STEP 1 | Select Device > Admin Roles and select the Template in which to configure a firewall admin role profile.
You must create an Admin Role profile on the firewall and assign it to the Panorama management server Admin Role profile to allow administrators to context switch between the Panorama and managed firewall web interfaces.

STEP 2 | Select Panorama > Admin Roles and click Add.

STEP 3 | Enter a Name for the profile and select the Role type: Panorama or Device Group and Template.

STEP 4 | Configure access privileges to each functional area of Panorama (Web UI) by toggling the icons to the desired setting: Enable (read-write), Read Only, or Disable.

If administrators with custom roles will commit device group or template changes to managed firewalls, you must give those roles read-write access to Panorama > Device Groups and Panorama > Templates. If you upgrade from an earlier Panorama version, the upgrade process provides read-only access to those nodes.

STEP 5 | If the Role type is Panorama, configure access to the XML API by toggling the Enabled/Disabled icon for each functional area.

STEP 6 | If the Role type is Panorama, select an access level for the Command Line interface: None (default), superuser, superreader, or panorama-admin.

STEP 7 | (Optional) To allow Panorama administrators to Context Switch between the Panorama and firewall web interfaces, enter the name of the Device Admin Role you configured in Step 1.

STEP 8 | Click OK to save the profile.

Configure an Access Domain

Use Access Domains to define access for Device Group and Template administrators to specific
device groups and templates, and also to control the ability of those administrators to switch
context to the web interface of managed firewalls. Panorama supports up to 4,000 access
domains.
STEP 1 | Select Panorama > Access Domain and click Add.

STEP 2 | Enter a Name to identify the access domain.

STEP 3 | Select an access privilege for Shared Objects:
• write—Administrators can perform all operations on Shared objects. This is the default
value.
• read—Administrators can display and clone but cannot perform other operations on Shared
objects. When adding non-Shared objects or cloning Shared objects, the destination must
be a device group within the access domain, not the Shared location.
• shared-only—Administrators can add objects only to the Shared location. Administrators
can display, edit, and delete Shared objects but cannot move or clone them.

A consequence of this option is that administrators can’t perform any operations
on non-Shared objects other than to display them. An example of why you might
select this option is for an organization that requires all objects to be in a single, global
repository.

STEP 4 | Toggle the icons in the Device Groups tab to enable read-write or read-only access for device
groups in the access domain.

If you set the Shared Objects access to shared-only, Panorama applies read-only
access to the objects in any device groups for which you specify read-write access.

STEP 5 | Select the Templates tab and Add each template you want to assign to the access domain.

STEP 6 | Select the Device Context tab, select the firewalls to assign to the access domain, and click OK.
Administrators can access the web interface of these firewalls by using the Context drop-
down in Panorama.

Configure Administrave Accounts and Authencaon


If you have already configured an authencaon profile or you don’t require one to authencate
administrators, you are ready to Configure a Panorama Administrator Account. Otherwise,
perform one of the other procedures listed below to configure administrave accounts for specific
types of authencaon.
• Configure a Panorama Administrator Account
• Configure Local or External Authencaon for Panorama Administrators
• Configure a Panorama Administrator with Cerficate-Based Authencaon for the Web
Interface
• Configure an Administrator with SSH Key-Based Authencaon for the CLI

Panorama Administrator's Guide Version Version 10.1 251 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

• Configure RADIUS Authencaon for Panorama Administrators


• Configure TACACS+ Authencaon for Panorama Administrators
• Configure SAML Authencaon for Panorama Administrators

Configure a Panorama Administrator Account

Administrative accounts specify Administrative Roles and authentication for Panorama
administrators. The service that you use to assign roles and perform authentication determines
whether you add the accounts on Panorama, on an external server, or both (see Administrative
Authentication). For an external authentication service, you must configure an authentication
profile before adding an administrative account (see Configure Administrative Accounts
and Authentication). If you already configured the authentication profile or you will use the
authentication mechanism that is local to Panorama, perform the following steps to add an
administrative account on Panorama.
STEP 1 | Modify the number of supported concurrent administrator sessions.
Configure the total number of concurrent administrative sessions that Panorama supports, in
normal operational mode or in FIPS-CC mode. You can allow up to four concurrent
administrative sessions or configure Panorama to support an unlimited number of concurrent
sessions.
1. Select Panorama > Setup > Management and edit the Authentication Settings.
2. Edit the Max Session Count to specify the number of supported concurrent sessions
(range is 0 to 4) allowed for all administrator and user accounts.
Enter 0 to configure Panorama to support an unlimited number of concurrent sessions.
3. Edit the Max Session Time in minutes for an administrative session. Default is 720
minutes.
4. Click OK.
5. Commit and Commit to Panorama.

You can also configure these limits by logging in to the Panorama CLI:

    admin> configure
    admin# set deviceconfig setting management admin-session max-session-count <0-4>
    admin# set deviceconfig setting management admin-session max-session-time <0, 60-1499>
    admin# commit

STEP 2 | Select Panorama > Administrators and Add an account.

STEP 3 | Enter a user Name for the administrator.

STEP 4 | Select an Authentication Profile or sequence if you configured either for the administrator.
This is required if Panorama will use Kerberos SSO or an external service for authentication.
If Panorama will use local authentication, set the Authentication Profile to None and enter a
Password and then Confirm Password.

STEP 5 | Select the Administrator Type:
• Dynamic—Select a predefined administrator role.
• Custom Panorama Admin—Select the Admin Role Profile you created for this administrator
(see Configure an Admin Role Profile).
• Device Group and Template Admin—Map access domains to administrative roles as
described in the next step.

STEP 6 | (Device Group and Template Admin only) In the Access Domain to Administrator Role
section, click Add, select an Access Domain from the drop-down (see Configure an Access
Domain), click the adjacent Admin Role cell, and select an Admin Role profile.

STEP 7 | Click OK to save your changes.

STEP 8 | Select Commit > Commit to Panorama and Commit your changes.

Configure Local or External Authencaon for Panorama Administrators


You can use an external authencaon service or the service that is local to Panorama to
authencate administrators who access Panorama. These authencaon methods prompt
administrators to respond to one or more authencaon challenges, such as a login page for
entering a username and password.

If you use an external service to manage both authencaon and authorizaon (role and
access domain assignments), see:
• Configure RADIUS Authencaon for Panorama Administrators
• Configure TACACS+ Authencaon for Panorama Administrators
• Configure SAML Authencaon for Panorama Administrators
To authencate administrators without a challenge-response mechanism, you can
Configure a Panorama Administrator with Cerficate-Based Authencaon for the
Web Interface and Configure an Administrator with SSH Key-Based Authencaon
for the CLI.

Panorama Administrator's Guide Version Version 10.1 253 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 1 | (External authencaon only) Enable Panorama to connect to an external server for
authencang administrators.
1. Select Panorama > Server Profiles, select the service type (RADIUS, TACACS+, SAML,
LDAP, or Kerberos), and configure a server profile:
• Configure RADIUS Authencaon for Panorama Administrators.

You can use a RADIUS server to support RADIUS authencaon services or


mul-factor authencaon(MFA) services.

• Configure TACACS+ Authencaon for Panorama Administrators.


• Add a SAML IdP server profile. You cannot combine Kerberos single sign-on (SSO)
with SAML SSO; you can use only one type of SSO service.
• Add a Kerberos server profile.
• Add a LDAP Server Profile.

STEP 2 | (Oponal) Define password complexity and expiraon sengs if Panorama uses local
authencaon.
These sengs help protect Panorama against unauthorized access by making it harder for
aackers to guess passwords.
1. Define global password complexity and expiraon sengs for all local administrators.
1. Select Panorama > Setup > Management and edit the Minimum Password Complexity
sengs.
2. Select Enabled.
3. Define the password sengs and click OK.
2. Define a Password Profile.
You assign the profile to administrator accounts for which you want to override the
global password expiraon sengs.
1. Select Panorama > Password Profiles and Add a profile.
2. Enter a Name to idenfy the profile.
3. Define the password expiraon sengs and click OK.

STEP 3 | (Kerberos SSO only) Create a Kerberos keytab.


A keytab is a file that contains Kerberos account informaon for Panorama. To support
Kerberos SSO, your network must have a Kerberos infrastructure.

Panorama Administrator's Guide Version Version 10.1 254 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 4 | Configure an authencaon profile.

If your administrave accounts are stored across mulple types of servers, you
can create an authencaon profile for each type and add all the profiles to an
authencaon sequence.

In the authencaon profile, specify the Type of authencaon service and related sengs:
• External service—Select the Type of external service and select the Server Profile you
created for it.
• Local authencaon—Set the Type to None.
• Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab you created.

STEP 5 | (Device group and template administrators only) Configure an Access Domain.
Configure one or more access domains.

STEP 6 | (Custom roles only) Configure an Admin Role Profile.


Configure one or more Admin Role profiles.
For custom Panorama administrators, the profile defines access privileges for the account. For
device group and template administrators, the profile defines access privileges for one or more
access domains associated with the account.

STEP 7 | Configure an administrator.


1. Configure a Panorama Administrator Account.
• Assign the Authencaon Profile or sequence that you configured.
• (Device Group and Template Admin only) Map the access domains to Admin Role
profiles.
• (Local authencaon only) Select a Password Profile if you configured one.
2. Select Commit > Commit to Panorama and Commit your changes.
3. (Oponal) Test authencaon server connecvity to verify that Panorama can use the
authencaon profile to authencate administrators.

Configure a Panorama Administrator with Cerficate-Based Authencaon for the


Web Interface
As a more secure alternave to password-based authencaon to the Panorama web interface,
you can configure cerficate-based authencaon for administrator accounts that are local to
Panorama. Cerficate-based authencaon involves the exchange and verificaon of a digital
signature instead of a password.

Configuring cerficate-based authencaon for any administrator disables the username/


password logins for all administrators on Panorama and all administrators thereaer
require the cerficate to log in.

Panorama Administrator's Guide Version Version 10.1 255 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 1 | Generate a cerficate authority (CA) cerficate on Panorama.


You will use this CA cerficate to sign the client cerficate of each administrator.
Create a self-signed root CA cerficate.

Alternavely, you can import a cerficate from your enterprise CA.

STEP 2 | Configure a cerficate profile for securing access to the web interface.
1. Select Panorama > Cerficate Management > Cerficate Profile and click Add.
2. Enter a Name for the cerficate profile and set the Username Field to Subject.
3. Select Add in the CA Cerficates secon and select the CA Cerficate you just created.
4. Click OK to save the profile.

STEP 3 | Configure Panorama to use the cerficate profile for authencang administrators.
1. Select the Panorama > Setup > Management and edit the Authencaon Sengs.
2. Select the Cerficate Profile you just created and click OK.

STEP 4 | Configure the administrator accounts to use client cerficate authencaon.


Configure a Panorama Administrator Account for each administrator who will access the
Panorama web interface. Select the Use only client cerficate authencaon (Web) check box.
If you have already deployed client cerficates that your enterprise CA generated, skip to Step
8. Otherwise, connue with Step 5.

STEP 5 | Generate a client cerficate for each administrator.


Generate a cerficate on Panorama. In the Signed By drop-down, select the CA cerficate you
created.

STEP 6 | Export the client cerficates.


1. Export the cerficates.
2. Select Commit > Commit to Panorama and Commit your changes.
Panorama restarts and terminates your login session. Thereaer, administrators can
access the web interface only from client systems that have the client cerficate you
generated.

STEP 7 | Import the client cerficate into the client system of each administrator who will access the
web interface.
Refer to your web browser documentaon as needed to complete this step.

Panorama Administrator's Guide Version Version 10.1 256 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 8 | Verify that administrators can access the web interface.


1. Open the Panorama IP address in a browser on the computer that has the client
cerficate.
2. When prompted, select the cerficate you imported and click OK. The browser displays
a cerficate warning.
3. Add the cerficate to the browser excepon list.
4. Click Login. The web interface should appear without prompng you for a username or
password.

Configure an Administrator with SSH Key-Based Authentication for the CLI

For administrators who use Secure Shell (SSH) to access the Panorama CLI, SSH keys provide a
more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-
force attacks, provide the option for two-factor authentication (private key and passphrase), and
don’t send passwords over the network. SSH keys also enable automated scripts to access the CLI.
STEP 1 | Use an SSH key generation tool to create an asymmetric key pair on the client system of the
administrator.
The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA
(1024 bits) and RSA (768-4096 bits). Of these, generate an RSA key of at least 2048 bits:
1024-bit DSA and short RSA keys are weak by current standards, and recent OpenSSH clients
disable DSA by default.
For the commands to generate the key pair, refer to your SSH client documentation.
The public key and private key are separate files. Only the public key is imported into Panorama
(Step 2); save it to a location that Panorama can access and keep the private key on the
administrator's client system. For added security, enter a passphrase to encrypt the private key.
The SSH client prompts the administrator for this passphrase during login.

STEP 2 | Configure the administrator account to use public key authentication.
1. Configure a Panorama Administrator Account.
• Configure one of two authentication methods to use as a fallback if SSH key
authentication fails:
External authentication service—Select an Authentication Profile.
Local authentication—Set the Authentication Profile to None and enter a Password
and Confirm Password.
Because the fallback remains a valid way to log in, keep password complexity and
expiration settings enforced for these accounts.
• Select the Use Public Key Authentication (SSH) check box, click Import Key, Browse
to the public key you just generated, and click OK.
2. Click OK to save the administrative account.
3. Select Commit > Commit to Panorama and Commit your changes.

STEP 3 | Configure the SSH client to use the private key to authenticate to Panorama.
Perform this task on the client system of the administrator. Refer to your SSH client
documentation as needed to complete this step.

STEP 4 | Verify that the administrator can access the Panorama CLI using SSH key authentication.
1. From the client system of the administrator, open an SSH connection to the Panorama IP
address.
2. Log in to the Panorama CLI as the administrator. After entering a username, you will see
output similar to the following (the key name is an example):
Authenticating with public key “dsa-key-20130415”
3. If prompted, enter the passphrase you defined when creating the keys.
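Before you Import Key in Step 2 it is worth checking what is actually in the public key file, because Panorama accepts only the formats and sizes listed in Step 1, and an IETF SECSH (RFC 4716) file looks nothing like the one-line OpenSSH form. The following Python script is an added example, not Palo Alto Networks code and not anything Panorama runs: it parses the OpenSSH public key encoding (RFC 4253 section 6.6) to report the algorithm and key size, applies the page's limits plus a 2048-bit RSA floor that is the editor's recommendation rather than a Panorama value, and converts an RFC 4716 file to the OpenSSH one-line form. The sample keys are constructed so that the encoding is real but the numbers are not a valid key pair.

```python
import base64
import struct
import textwrap

# Key types and sizes the page lists as supported for import into Panorama (Step 1).
PANORAMA_SUPPORTED = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}
# Editor's floor, not a page value: 768-bit RSA and 1024-bit DSA are weak today, and
# OpenSSH clients have disabled ssh-dss by default since release 7.0.
RECOMMENDED_MIN_RSA_BITS = 2048

def _read_string(blob, pos):
    """Read one length-prefixed SSH 'string' (RFC 4251 section 5) at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack("!I", blob[pos:pos + 4])
    pos += 4
    if pos + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + n], pos + n

def _string(data):
    return struct.pack("!I", len(data)) + data

def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (big-endian, sign-bit padded)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)

def parse_openssh_pubkey(line):
    """Return (key_type, bits) for a one-line OpenSSH public key '<type> <base64> [comment]'.
    bits is the RSA modulus size, the DSA p size, or None for types the page does not list."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    blob_type, pos = _read_string(blob, 0)
    if blob_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type field does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)            # public exponent
        n, pos = _read_string(blob, pos)             # modulus
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-dss":
        p, pos = _read_string(blob, pos)
        for _ in range(3):                           # q, g, y
            _x, pos = _read_string(blob, pos)
        bits = int.from_bytes(p, "big").bit_length()
    else:
        return key_type, None
    if pos != len(blob):
        raise ValueError("trailing data after key material")
    return key_type, bits

def assess_pubkey(line):
    """Will Panorama accept this key (page limits), and should you want it to?"""
    key_type, bits = parse_openssh_pubkey(line)
    if key_type not in PANORAMA_SUPPORTED:
        return {"type": key_type, "bits": bits, "accepted": False,
                "warning": f"{key_type} is not in the supported list; generate an RSA key"}
    low, high = PANORAMA_SUPPORTED[key_type]
    warning = None
    if key_type == "ssh-dss":
        warning = "DSA is deprecated and disabled by default in modern OpenSSH clients"
    elif bits < RECOMMENDED_MIN_RSA_BITS:
        warning = f"RSA key is only {bits} bits; use at least {RECOMMENDED_MIN_RSA_BITS}"
    return {"type": key_type, "bits": bits, "accepted": low <= bits <= high, "warning": warning}

def secsh_to_openssh(text, comment=""):
    """Convert an IETF SECSH (RFC 4716) public key file to the one-line OpenSSH form."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        raise ValueError("not an RFC 4716 public key file")
    body, i = [], 1
    while i < len(lines) and not lines[i].startswith("---- END SSH2 PUBLIC KEY ----"):
        line = lines[i]
        if ":" in line and not body:       # header line (Comment:, Subject:, ...)
            while line.endswith("\\"):     # a header may continue on the next line
                i += 1
                line = lines[i]
        else:
            body.append(line.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    key_type, _ = _read_string(blob, 0)
    return f"{key_type.decode('ascii')} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()

# Constructed samples: the encoding is real, the numbers are not a valid key pair.
def _constructed_key(key_type, *ints, comment="constructed@example"):
    blob = _string(key_type.encode("ascii")) + b"".join(_mpint(v) for v in ints)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"

SAMPLE_RSA_2048 = _constructed_key("ssh-rsa", 65537, (1 << 2047) | 1)
SAMPLE_RSA_1024 = _constructed_key("ssh-rsa", 65537, (1 << 1023) | 1)
SAMPLE_DSA_1024 = _constructed_key("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _string(b"ssh-ed25519") + _string(b"\x01" * 32)).decode("ascii")
SAMPLE_SECSH = ('---- BEGIN SSH2 PUBLIC KEY ----\nComment: "constructed, \\\n 2048-bit RSA"\n'
                + "\n".join(textwrap.wrap(SAMPLE_RSA_2048.split()[1], 70))
                + "\n---- END SSH2 PUBLIC KEY ----\n")
```

Run assess_pubkey on the contents of the .pub file you are about to import; if it reports a key Panorama accepts but warns about, regenerate the key before importing rather than after the administrator has started using it.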

Configure RADIUS Authencaon for Panorama Administrators


You can use a RADIUS server to authencate administrave access to the Panorama web
interface. You can also define Vendor-Specific Aributes (VSAs) on the RADIUS server to manage
administrator authorizaon. Using VSAs enables you to quickly change the roles, access domains,
and user groups of administrators through your directory service, which is oen easier than
reconfiguring sengs on Panorama.

You can use a RADIUS server to authencate administrave access to the Panorama web
interface. You can also define Vendor-Specific Aributes (VSAs) on the RADIUS server to
manage administrator authorizaon. Using VSAs enables you to quickly change the roles,
access domains, and user groups of administrators through your directory service, which is
oen easier than reconfiguring sengs on Panorama.
You can Import the Palo Alto Networks RADIUS diconary into RADIUS server to define
the authencaon aributes needed for communicaon between Panorama and the
RADIUS server.
You can also use a RADIUS server to implement mul-factor authencaon (MFA) for
administrators.

Panorama Administrator's Guide Version Version 10.1 258 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 1 | Add a RADIUS server profile.
The profile defines how Panorama connects to the RADIUS server.
1. Select Panorama > Server Profiles > RADIUS and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. Enter a Timeout interval in seconds after which an authentication request times out
(default is 3; range is 1–20).

If you use the server profile to integrate Panorama with an MFA service, enter an
interval that gives administrators enough time to respond to the authentication
challenge. For example, if the MFA service prompts for a one-time password
(OTP), administrators need time to see the OTP on their endpoint device and
then enter the OTP in the MFA login page.
4. Select the Authentication Protocol (default is CHAP) that Panorama uses to authenticate
to the RADIUS server.

Select CHAP if the RADIUS server supports that protocol; it is more secure than
PAP, which sends the password protected only by the shared secret.
5. Add each RADIUS server and enter the following:
• Name to identify the server
• RADIUS Server IP address or FQDN
• Secret/Confirm Secret (the shared secret that Panorama and the RADIUS server use to
protect the exchange and authenticate each other's messages)
• Server Port for authentication requests (default is 1812)
6. Click OK to save the server profile.

STEP 2 | Assign the RADIUS server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of
administrators.
1. Select Panorama > Authentication Profile and Add a profile.
2. Enter a Name to identify the authentication profile.
3. Set the Type to RADIUS.
4. Select the Server Profile you configured.
5. Select Retrieve user group from RADIUS to collect user group information from VSAs
defined on the RADIUS server.
Panorama matches the group information against the groups you specify in the Allow
List of the authentication profile.
6. Select Advanced and, in the Allow List, Add the administrators that are allowed to
authenticate with this authentication profile.
7. Click OK to save the authentication profile.

STEP 3 | Configure Panorama to use the authentication profile for all administrators.
1. Select Panorama > Setup > Management and edit the Authentication Settings.
2. Select the Authentication Profile you configured and click OK.

STEP 4 | Configure the roles and access domains that define authorization settings for administrators.
1. Configure an Admin Role Profile if the administrator uses a custom role instead of a
predefined (dynamic) role.
2. Configure an Access Domain if the administrator uses a Device Group and Template role.

STEP 5 | Commit your changes.
Select Commit > Commit to Panorama and Commit your changes.

STEP 6 | Configure the RADIUS server.
Refer to your RADIUS server documentation for the specific instructions to perform these
steps:
1. Add the Panorama IP address or hostname as a RADIUS client, using the same shared
secret you entered in the server profile.
2. Add the administrator accounts.

If the RADIUS server profile specifies CHAP as the Authentication Protocol, you
must define accounts with reversibly encrypted passwords. Otherwise, CHAP
authentication will fail.
3. Define the vendor code for Panorama (25461) and define the RADIUS VSAs for the role,
access domain, and user group of each administrator.
When you predefine dynamic administrator roles for users, use lower-case to specify the
role (for example, enter superuser, not SuperUser).

STEP 7 | Verify that the RADIUS server performs authentication and authorization for administrators.
1. Log in to the Panorama web interface using an administrator account that you added to the
RADIUS server.
2. Verify that you can access only the web interface pages that are allowed for the role you
associated with the administrator.
3. In the Monitor, Policies, and Objects tabs, verify that you can access only the device
groups that are allowed for the access domain you associated with the administrator.
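The VSAs from Step 6 travel inside RFC 2865 Vendor-Specific attributes (type 26) that carry vendor ID 25461 followed by the sub-attribute numbers from the Palo Alto Networks RADIUS dictionary (PaloAlto-Admin-Role 1, PaloAlto-Admin-Access-Domain 2, PaloAlto-Panorama-Admin-Role 3, PaloAlto-Panorama-Admin-Access-Domain 4, PaloAlto-User-Group 5). The following Python script is an added example, not Palo Alto Networks code and not anything Panorama runs: it encodes and decodes those attributes so that, when the verification in Step 7 fails, you can check from a packet capture of the Access-Accept whether the server actually sent the role and access domain and whether the dynamic role name is in lower case as the page requires. The Access-Accept attribute bytes and the access domain name dc-east are constructed for the example.

```python
import struct

# Vendor code the page tells you to define on the RADIUS server.
PALOALTO_VENDOR_ID = 25461
# Vendor-type numbers from the Palo Alto Networks RADIUS dictionary.
PALOALTO_VSA = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}
VSA_BY_NAME = {name: vtype for vtype, name in PALOALTO_VSA.items()}
VENDOR_SPECIFIC = 26                      # RFC 2865 attribute type
# Predefined Panorama roles named on this page; the page's caveat is that these
# must be spelled in lower case in the VSA value.
PANORAMA_DYNAMIC_ROLES = {"superuser", "superreader", "panorama-admin"}

def encode_vsa(name, value):
    """Encode one Palo Alto VSA as a single RFC 2865 Vendor-Specific attribute."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", VSA_BY_NAME[name], 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA value too long for one RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_paloalto_vsas(attrs):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header) and
    return the Palo Alto VSAs as {name: value}. Other vendors' VSAs and ordinary
    attributes are skipped; malformed lengths raise instead of being silently ignored."""
    found = {}
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError(f"bad attribute length {attr_len} at offset {i}")
        payload = attrs[i + 2:i + attr_len]
        i += attr_len
        if attr_type != VENDOR_SPECIFIC or len(payload) < 6:
            continue
        if struct.unpack("!I", payload[:4])[0] != PALOALTO_VENDOR_ID:
            continue                      # another vendor's VSA
        j = 4
        while j < len(payload):           # a server may pack several sub-attributes in one VSA
            if len(payload) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = payload[j], payload[j + 1]
            if vlen < 2 or j + vlen > len(payload):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            name = PALOALTO_VSA.get(vtype, f"PaloAlto-Unknown-{vtype}")
            found[name] = payload[j + 2:j + vlen].decode("utf-8", "replace")
            j += vlen
    return found

def check_role_value(role):
    """Apply the page's caveat: a predefined (dynamic) role must be given in lower case.
    Custom Admin Role profile names are passed through unchanged."""
    if role.lower() in PANORAMA_DYNAMIC_ROLES and role != role.lower():
        return False, f"dynamic role must be lower-case: send {role.lower()!r}, not {role!r}"
    return True, "ok"

# Constructed Access-Accept attribute list: a Reply-Message (type 18), a VSA from
# another vendor (vendor ID 9), then the two Palo Alto VSAs a Panorama administrator
# needs. The values are placeholders, not from any real deployment.
CONSTRUCTED_ACCEPT_ATTRS = (
    struct.pack("!BB", 18, 2 + 7) + b"welcome"
    + struct.pack("!BBI", VENDOR_SPECIFIC, 2 + 4 + 5, 9) + struct.pack("!BB", 1, 5) + b"xyz"
    + encode_vsa("PaloAlto-Panorama-Admin-Role", "superuser")
    + encode_vsa("PaloAlto-Panorama-Admin-Access-Domain", "dc-east")
)

if __name__ == "__main__":
    vsas = decode_paloalto_vsas(CONSTRUCTED_ACCEPT_ATTRS)
    print(vsas)
    print(check_role_value(vsas["PaloAlto-Panorama-Admin-Role"]))
    print(check_role_value("SuperUser"))
```

To use it on a real capture, feed decode_paloalto_vsas the attribute bytes of the Access-Accept (everything after the 20-byte RADIUS header). Attributes 3 and 4 are the ones Panorama administrators need; 1 and 2 are the firewall-side equivalents, so a server that sends only those will authenticate a Panorama administrator but leave authorization undefined.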

Configure TACACS+ Authencaon for Panorama Administrators


You can use a TACACS+ server to authencate administrave access to the Panorama web
interface. You can also define Vendor-Specific Aributes (VSAs) on the TACACS+ server to
manage administrator authorizaon. Using VSAs enables you to quickly change the roles, access
domains, and user groups of administrators through your directory service, which is oen easier
than reconfiguring sengs on Panorama.

Panorama Administrator's Guide Version Version 10.1 260 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 1 | Add a TACACS+ server profile.


The profile defines how Panorama connects to the TACACS+ server.
1. Select Panorama > Server Profiles > TACACS+ and Add a profile.
2. Enter a Profile Name to idenfy the server profile.
3. Enter a Timeout interval in seconds aer which an authencaon request mes out
(default is 3; range is 1–20).
4. Select the Authencaon Protocol (default is CHAP) that Panorama uses to authencate
to the TACACS+ server.

Select CHAP if the TACACS+ server supports that protocol; it is more secure
than PAP.
5. Add each TACACS+ server and enter the following:
• Name to idenfy the server
• TACACS+ Server IP address or FQDN
• Secret/Confirm Secret (a key to encrypt usernames and passwords)
• Server Port for authencaon requests (default is 49)
6. Click OK to save the server profile.

STEP 2 | Assign the TACACS+ server profile to an authencaon profile.


The authencaon profile defines authencaon sengs that are common to a set of
administrators.
1. Select Panorama > Authencaon Profile and Add a profile.
2. Enter a Name to idenfy the profile.
3. Set the Type to TACACS+.
4. Select the Server Profile you configured.
5. Select Retrieve user group from TACACS+ to collect user group informaon from VSAs
defined on the TACACS+ server.
Panorama matches the group informaon against the groups you specify in the Allow
List of the authencaon profile.
6. Select Advanced and, in the Allow List, Add the administrators that are allowed to
authencate with this authencaon profile.
7. Click OK to save the authencaon profile.

STEP 3 | Configure Panorama to use the authencaon profile for all administrators.
1. Select Panorama > Setup > Management and edit the Authencaon Sengs.
2. Select the Authencaon Profile you configured and click OK.

STEP 4 | Configure the roles and access domains that define authorizaon sengs for administrators.
1. Configure an Admin Role Profile if the administrator will use a custom role instead of a
predefined (dynamic) role.
2. Configure an Access Domain if the administrator uses a Device Group and Template role.

Panorama Administrator's Guide Version Version 10.1 261 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 5 | Commit your changes.


Select Commit > Commit to Panorama and Commit your changes.

STEP 6 | Configure the TACACS+ server to authencate and authorize administrators.


Refer to your TACACS+ server documentaon for the specific instrucons to perform these
steps:
1. Add the Panorama IP address or hostname as the TACACS+ client.
2. Add the administrator accounts.

If you selected CHAP as the Authencaon Protocol, you must define accounts
with reversibly encrypted passwords. Otherwise, CHAP authencaon will fail.
3. Define TACACS+ VSAs for the role, access domain, and user group of each administrator.

When you predefine dynamic administrator roles for users, use lower-case to
specify the role (for example, enter superuser, not SuperUser).

STEP 7 | Verify that the TACACS+ server performs authencaon and authorizaon for
administrators.
1. Log in the Panorama web interface using an administrator account that you added to the
TACACS+ server.
2. Verify that you can access only the web interface pages that are allowed for the role you
associated with the administrator.
3. In the Monitor, Policies, and Objects tabs, verify that you can access only the virtual
systems that are allowed for the access domain you associated with the administrator.

Configure SAML Authencaon for Panorama Administrators


You can use Security Asseron Markup Language (SAML) 2.0 for administrave access to
the Panorama web interface (but not the CLI). You can also use SAML aributes to manage
administrator authorizaon. SAML aributes enable you to quickly change the roles, access
domains, and user groups of administrators through your directory service instead of reconfiguring
sengs on Panorama.
To configure SAML single sign-on (SSO) and single logout (SLO), you must register Panorama and
the identy provider (IdP) with each other to enable communicaon between them. If the IdP
provides a metadata file containing registraon informaon, you can import it onto Panorama to
register the IdP and to create an IdP server profile. The server profile defines how to connect to
the IdP and specifies the cerficate that the IdP uses to sign SAML messages. You can also use a
cerficate for Panorama to sign SAML messages. Using cerficates is oponal but recommended
to secure communicaons between Panorama and the IdP.

Panorama Administrator's Guide Version Version 10.1 262 ©2022 Palo Alto Networks, Inc.
Set Up Panorama

STEP 1 | (Recommended) Obtain the certificates that the IdP and Panorama will use to sign SAML
messages.
If the certificates don’t specify key usage attributes, all usages are allowed by default, including
signing messages. In this case, you can obtain certificates by any method.
If the certificates do specify key usage attributes, one of the attributes must be Digital
Signature, which is not available on certificates that you generate on Panorama. In this case,
you must import the certificates:
• Certificate Panorama uses to sign SAML messages—Import the certificate from your
enterprise certificate authority (CA) or a third-party CA.
• Certificate the IdP uses to sign SAML messages—Import a metadata file containing the
certificate from the IdP (see the next step). The IdP certificate is limited to the following
algorithms:
• Public key algorithms—RSA (1,024 bits or larger) and ECDSA (all sizes).
• Signature algorithms—SHA1, SHA256, SHA384, and SHA512.

STEP 2 | Add a SAML IdP server profile.
The server profile registers the IdP with Panorama and defines how they connect.
In this example, you import a SAML metadata file from the IdP so that Panorama can
automatically create a server profile and populate the connection, registration, and IdP
certificate information.

If the IdP doesn’t provide a metadata file, select Panorama > Server Profiles > SAML
Identity Provider, Add the server profile, and manually enter the information (consult
your IdP administrator for the values).

1. Export the SAML metadata file from the IdP to a client system that Panorama can access.
The certificate specified in the file must meet the requirements listed in the preceding
step. Refer to your IdP documentation for instructions on exporting the file.
2. Select Panorama > Server Profiles > SAML Identity Provider and Import the metadata
file onto Panorama.
3. Enter a Profile Name to identify the server profile.
4. Browse to the Identity Provider Metadata file.
5. (Recommended) Select Validate Identity Provider Certificate (default) to have Panorama
validate the Identity Provider Certificate.
Validation occurs only after you assign the server profile to an authentication profile and
Commit. Panorama uses the Certificate Profile in the authentication profile to validate
the certificate.

Validating the certificate is a best practice for improved security; leave it enabled.

6. Enter the Maximum Clock Skew, which is the allowed difference in seconds between
the system times of the IdP and Panorama at the moment when Panorama validates
IdP messages (default is 60; range is 1 to 900). If the difference exceeds this value,
authentication fails. Synchronize both systems with NTP rather than widening the skew:
every second of allowed skew also extends the window in which a captured assertion is
still accepted.
7. Click OK to save the server profile.
8. Click the server profile Name to display the profile settings. Verify that the imported
information is correct and edit it if necessary.

STEP 3 | Configure an authentication profile.
The authentication profile specifies a SAML IdP server profile and defines options for the
authentication process, such as SLO.
1. Select Panorama > Authentication Profile and Add a profile.
2. Enter a Name to identify the profile.
3. Set the Type to SAML.
4. Select the IdP Server Profile you configured.
5. Select the Certificate for Signing Requests.
Panorama uses this certificate to sign messages it sends to the IdP.
6. (Optional) Enable Single Logout (disabled by default).
7. Select the Certificate Profile that Panorama will use to validate the Identity Provider
Certificate.
8. Enter the Username Attribute that IdP messages use to identify users (default
username).

When you predefine dynamic administrator roles for users, use lower-case
to specify the role (for example, enter superuser, not SuperUser). If you
manage administrator authorization through the IdP identity store, specify the
Admin Role Attribute and Access Domain Attribute also.
9. Select Advanced and Add the administrators who are allowed to authenticate with this
authentication profile.
10. Click OK to save the authentication profile.

STEP 4 | Configure Panorama to use the authentication profile for all administrators.
1. Select Panorama > Setup > Management, edit the Authentication Settings, and select
the Authentication Profile you configured.
2. Select Commit > Commit to Panorama to activate your changes on Panorama and to
validate the Identity Provider Certificate that you assigned to the SAML IdP server
profile.

STEP 5 | Create a SAML metadata file to register Panorama on the IdP.
1. Select Panorama > Authentication Profile and, in the Authentication column for the
authentication profile you configured, click Metadata.
2. Set the Management Choice to Interface (default is selected) and select the management
(MGT) interface.
3. Click OK and save the metadata file to your client system.
4. Import the metadata file into the IdP server to register Panorama. Refer to your IdP
documentation for instructions.

STEP 6 | Verify that administrators can authenticate using SAML SSO.
1. Go to the URL of the Panorama web interface.
2. Click Use Single Sign-On.
3. Click Continue.
Panorama redirects you to authenticate to the IdP, which displays a login page.
4. Log in using your SSO username and password.
After you successfully authenticate on the IdP, it redirects you back to Panorama, which
displays the web interface.
5. Use your Panorama administrator account to request access to another SSO application.
Successful access indicates SAML SSO authentication succeeded.
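Steps 2 and 3 configure the two things that decide whether a response is accepted once its signature has been verified: the Maximum Clock Skew and the attribute names that carry the username, admin role and access domain. The following Python function is an added example, not Panorama's code, of those service-provider checks on an assertion (status, validity window widened by the skew allowance, audience restriction, attribute extraction). XML signature verification is deliberately left out, and nothing here should run on a response whose signature has not already been checked. The response, the attribute names adminrole and accessdomain, the entity ID and the ACS URL are constructed placeholders; take the real values from the metadata file you export in Step 5.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC ('Z'), optionally with fractional seconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", value.strip())
    if not m:
        raise ValueError(f"unsupported SAML timestamp {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def _attribute_values(assertion, name):
    return [v.text.strip()
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS) if v.text]

def evaluate_response(xml_text, now, expected_audience, max_clock_skew=60,
                      username_attr="username", role_attr="adminrole",
                      domain_attr="accessdomain"):
    """Checks a service provider applies to an already signature-verified SAML Response:
    status, validity window widened by the clock-skew allowance, audience, and the
    attributes that carry the username, admin role and access domain."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("IdP did not return Success status")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": problems + ["Response carries no Assertion"]}
    skew = timedelta(seconds=max_clock_skew)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before) - skew:
            problems.append(f"assertion not yet valid (NotBefore {not_before})")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
            problems.append(f"assertion expired (NotOnOrAfter {not_on_or_after})")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audiences and expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience}")
    username = next(iter(_attribute_values(assertion, username_attr)), None)
    if not username:
        problems.append(f"no {username_attr!r} attribute in assertion")
    role = next(iter(_attribute_values(assertion, role_attr)), None)
    domain = next(iter(_attribute_values(assertion, domain_attr)), None)
    return {"ok": not problems, "username": username, "admin_role": role,
            "access_domain": domain, "problems": problems}

# Constructed, unsigned IdP response. Entity IDs and URLs are placeholders; take the real
# values from the metadata file you export from Panorama in Step 5.
PANORAMA_ENTITY_ID = "https://panorama.example.com/SAML20/SP"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2022-02-22T10:00:00Z" Destination="https://panorama.example.com/SAML20/SP/ACS">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-02-22T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2022-02-22T09:59:00Z" NotOnOrAfter="2022-02-22T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://panorama.example.com/SAML20/SP</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="adminrole"><saml:AttributeValue>superuser</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="accessdomain"><saml:AttributeValue>dc-east</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    clock = parse_saml_time("2022-02-22T10:05:30Z")   # 30 s past NotOnOrAfter
    print(evaluate_response(SAMPLE_RESPONSE, clock, PANORAMA_ENTITY_ID, max_clock_skew=60))
    print(evaluate_response(SAMPLE_RESPONSE, clock, PANORAMA_ENTITY_ID, max_clock_skew=0))
```

The two calls at the bottom show the effect of the skew setting from Step 2: at 30 seconds past NotOnOrAfter the same assertion is accepted with the default 60-second skew and rejected with none, which is why a large skew value is a replay window and not just a convenience.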

Configure Tracking of Administrator Activity

Track administrator activity on the web interface and CLI of your Panorama™ management
server, managed firewalls, and Log Collectors to achieve real-time reporting of activity across your
deployment. If you have reason to believe an administrator account is compromised, you have a
full history of where this administrator account navigated throughout the web interface or what
operational commands they executed, so you can analyze in detail and respond to all actions the
compromised administrator took.
An audit log is generated and forwarded to the specified syslog server each time an administrator
navigates through the web interface or executes an operational command in the CLI. One audit
log is generated for each navigation action or command executed. For example, if you create a
new address object, an audit log is generated when you click Objects, and a second audit log is
generated when you then click Addresses.
Audit logs are only visible as syslogs forwarded to your syslog server and cannot be viewed in
the Panorama or managed firewall web interface. Audit logs can only be forwarded to a syslog
server, cannot be forwarded to Cortex Data Lake (CDL), and are not stored locally on the firewall,
Panorama, or Log Collector.

STEP 1 | Configure a syslog server profile to forward audit logs of administrator activity for Panorama,
managed firewalls, and Log Collectors.
This step is required to successfully store audit logs for tracking administrator activity.
1. Select Panorama > Server Profiles > Syslog and Add a new syslog server profile.
2. Configure a syslog server profile.

STEP 2 | Configure administrator activity tracking for your managed firewalls.
This step is required to successfully store audit logs for tracking administrator activity on
managed firewalls.
1. Select Device > Setup > Management and edit the Logging and Reporting Settings.
2. Configure Tracking of Administrator Activity.
3. Select Commit and Commit and Push.

STEP 3 | Configure administrator activity tracking for Panorama.
1. Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
2. Select Log Export and Reporting.
3. In the Log Admin Activity section, configure what administrator activity to track.
• Operational Commands—Generate an audit log when an administrator executes an
operational or debug command in the CLI or an operational command triggered from
the web interface. See the CLI Operational Command Hierarchy for a full list of PAN-OS
operational and debug commands.
• UI Actions—Generate an audit log when an administrator navigates throughout
the web interface. This includes navigation between configuration tabs, as well as
individual objects within a tab.
For example, an audit log is generated when an administrator navigates from the
ACC to the Policies tab. Additionally, an audit log is generated when an administrator
navigates from Objects > Addresses to Objects > Tags.
• Syslog Server—Select a target syslog server profile to forward audit logs.
4. Click OK.
5. Select Commit and Commit to Panorama.

STEP 4 | Configure administrator activity tracking for a Log Collector.
1. Select Panorama > Managed Collectors and select a Log Collector.
2. Select Audit.
3. In the Log Admin Activity section, configure audit tracking for CLI activity.

You can only track CLI activity for Log Collectors because you can only access
Log Collectors through the CLI.

• Operational Commands—Generate an audit log when an administrator executes
an operational or debug command in the CLI. See the CLI Operational Command
Hierarchy for a full list of PAN-OS operational and debug commands.
• Syslog Server—Select a target syslog server profile to forward audit logs.
4. Click OK.
5. Select Commit and Commit to Panorama.

Set Up Authentication Using Custom Certificates

By default, Palo Alto Networks devices use predefined certificates for mutual authentication to
establish the SSL connections used for management access and inter-device communication.
However, you can configure authentication using custom certificates instead. Additionally,
you can use custom certificates to secure the High Availability (HA) connections between
Panorama HA peers. Custom certificates allow you to establish a unique chain of trust to ensure
mutual authentication between Panorama and the managed firewalls and log collectors. See
Certificate Management for detailed information about the certificates and how to deploy them
on Panorama, Log Collectors, and firewalls.
The following topics describe how to configure and manage custom certificates using Panorama.
• How Are SSL/TLS Connections Mutually Authenticated?
• Configure Authentication Using Custom Certificates on Panorama
• Configure Authentication Using Custom Certificates on Managed Devices
• Add New Client Devices
• Change Certificates

How Are SSL/TLS Connections Mutually Authenticated?

In a regular SSL connection, only the server needs to identify itself to the client by presenting
its certificate. However, in mutual SSL authentication, the client presents its certificate to the
server as well. Panorama, the primary Panorama HA peer, Log Collectors, WildFire appliances, and
PAN-DB appliances can act as the server. Firewalls, Log Collectors, WildFire appliances, and the
secondary Panorama HA peer can act as the client. The role that a device takes on depends on the
deployment. For example, in the diagram below, Panorama manages a number of firewalls and a
collector group and acts as the server for the firewalls and Log Collectors. The Log Collector acts
as the server to the firewalls that send logs to it.
To deploy custom certificates for mutual authentication in your deployment, you need:
• SSL/TLS Service Profile—An SSL/TLS service profile defines the security of the connections by
referencing your custom certificate and establishing the SSL/TLS protocol versions used by the
server device to communicate with client devices.
• Server Certificate and Profile—Devices in the server role require a certificate and certificate
profile to identify themselves to the client devices. You can deploy this certificate from your
enterprise public key infrastructure (PKI), purchase one from a trusted third-party CA, or
generate a self-signed certificate locally. The server certificate must include the IP address or
FQDN of the device’s management interface in the certificate common name (CN) or Subject
Alt Name. The client firewall or Log Collector matches the CN or Subject Alt Name in the
certificate the server presents against the server’s IP address or FQDN to verify the server’s
identity.
Additionally, use the certificate profile to define certificate revocation status (OCSP/CRL) and
the actions taken based on the revocation status.
• Client Certificates and Profile—Each managed device requires a client certificate and certificate
profile. The client device uses its certificate to identify itself to the server device. You can

deploy certificates from your enterprise PKI using Simple Certificate Enrollment Protocol
(SCEP), purchase one from a trusted third-party CA, or generate a self-signed certificate locally.
Custom certificates can be unique to each client device or common across all devices. The
unique device certificates use a hash of the serial number of the managed device and CN. The
server matches the CN or the Subject Alt Name against the configured serial numbers of the
client devices. For client certificate validation based on the CN to occur, the username must be
set to Subject common-name. The client certificate behavior also applies to Panorama HA peer
connections.
You can configure the client certificate and certificate profile on each client device or push the
configuration from Panorama to each device as part of a template.

Figure 10: SSL/TLS Authentication

Configure Authentication Using Custom Certificates on Panorama

Complete the following procedure to configure the server side (Panorama) to use custom
certificates instead of predefined certificates for mutual authentication with managed devices in
your deployment. See Set Up Authentication Using Custom Certificates Between HA Peers to
configure custom certificates on a Panorama HA pair.
STEP 1 | Deploy the server certificate.
You can deploy certificates on Panorama or a server Log Collector by generating a self-signed
certificate on Panorama or obtaining a certificate from your enterprise certificate authority
(CA) or a trusted third-party CA.

STEP 2 | On Panorama, configure a certificate profile. This certificate profile defines what certificate to
use and what certificate field to look for the IP address or FQDN in.
1. Select Panorama > Certificate Management > Certificate Profile.
2. Configure a certificate profile.

If you configure an intermediate CA as part of the certificate profile, you must
include the root CA as well.

STEP 3 | Configure an SSL/TLS service profile.
1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
2. Configure an SSL/TLS profile to define the certificate and protocol that Panorama and its
managed devices use for SSL/TLS services.

STEP 4 | Configure Secure Server Communication on Panorama or a Log Collector in the server role.
1. Select one of the following navigation paths:
• For Panorama: Panorama > Setup > Management and Edit the Secure
Communications Settings
• For a Log Collector: Panorama > Managed Collectors > Add > Communication
2. Select the Customize Secure Server Communication option.
3. Verify that the Allow Custom Certificate Only check box is not selected. This allows you
to continue managing all devices while migrating to custom certificates.

When the Custom Certificate Only check box is selected, Panorama does not
authenticate and cannot manage devices using predefined certificates.
4. Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL
connections between Panorama, firewalls, Log Collectors, and Panorama HA peers.
5. Select the Certificate Profile that identifies the certificate to use to establish secure
communication with clients such as firewalls.
6. (Optional) Configure an authorization list. The authorization list adds an additional
layer of security beyond certificate authentication. The authorization list checks the
client certificate Subject or Subject Alt Name. If the Subject or Subject Alt Name

presented with the client certificate does not match an identifier on the authorization
list, authentication is denied.
You can also authorize client devices based on their serial number.
1. Add an Authorization List.
2. Select the Subject or Subject Alt Name configured in the certificate profile as the
Identifier type.
3. Enter the Common Name if the identifier is Subject, or an IP address, hostname, or
email if the identifier is Subject Alt Name.
4. Click OK.
5. Select Check Authorization List to enforce the authorization list.
7. Select Authorize Client Based on Serial Number to have the server authenticate
clients based on the serial numbers of managed devices. The CN or subject in the client
certificate must have the special keyword $UDID to enable this type of authentication.
8. Select the Data Redistribution option in the Customize Communication section to use a
custom certificate to secure outgoing communication with data redistribution clients.
9. In Disconnect Wait Time (min), specify how long Panorama should wait before
terminating the current session and reestablishing the connection with its managed
devices. This field is blank by default and the range is 0 to 44,640 minutes. Leaving this
field blank is the same as setting it to 0.

The disconnect wait time does not begin counting down until you commit the
new configuration.
10. Click OK.
11. Commit your changes.
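As an added illustration (not Palo Alto Networks code), the following Python models the identity and authorization checks described in How Are SSL/TLS Connections Mutually Authenticated? and in the authorization list and serial-number options of this step: the server CN or Subject Alt Name matched against the configured IP address or FQDN, the authorization list on Subject or Subject Alt Name, $UDID-based serial authorization, and the Allow Custom Certificate Only switch. Class and field names are assumptions chosen for readability, and certificates are stand-in dataclasses rather than parsed X.509.

```python
"""Model of the mutual-authentication checks between a server-role device
(Panorama or a Log Collector) and a client-role device (firewall or Log
Collector). Constructed example: no real X.509 parsing, illustrative names."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields the checks look at (constructed stand-in for X.509)."""
    common_name: str
    san: Tuple[str, ...] = ()      # Subject Alt Name entries
    predefined: bool = False       # True for the factory-installed certificate


@dataclass(frozen=True)
class ServerCommSettings:
    """Mirrors the Customize Secure Server Communication options (assumed names)."""
    allow_custom_only: bool = False
    check_authorization_list: bool = False
    identifier_type: str = "Subject"          # "Subject" or "Subject Alt Name"
    authorization_list: FrozenSet[str] = frozenset()
    authorize_by_serial: bool = False
    managed_serials: FrozenSet[str] = frozenset()


def cn_from_template(template: str, serial: str) -> str:
    """Expand the $UDID keyword in a common-name template ("$UDID" or
    "CN=$UDID" as in a SCEP profile) to the CN value the device presents."""
    value = template[3:] if template.startswith("CN=") else template
    return value.replace("$UDID", serial)


def verify_server_identity(server_cert: Cert, expected_host: str) -> bool:
    """Client side (Check Server Identity): the CN or a Subject Alt Name entry
    must match the Panorama IP address or FQDN the client is configured with."""
    return server_cert.common_name == expected_host or expected_host in server_cert.san


def authorize_client(client_cert: Cert, settings: ServerCommSettings) -> Tuple[bool, str]:
    """Server side: apply the checks in the order the guide lists them.
    Returns (accepted, reason) so the decision can be logged for audit."""
    # 1. A predefined certificate is only acceptable while migrating, i.e.
    #    while Allow Custom Certificate Only is cleared.
    if client_cert.predefined:
        if settings.allow_custom_only:
            return False, "predefined certificate rejected: custom-only mode"
        return True, "predefined certificate accepted (migration mode)"

    # 2. Optional authorization list on Subject (CN) or Subject Alt Name.
    if settings.check_authorization_list:
        if settings.identifier_type == "Subject":
            identifiers = {client_cert.common_name}
        else:
            identifiers = set(client_cert.san)
        if not identifiers & settings.authorization_list:
            return False, "identifier not on authorization list"

    # 3. Optional serial-number authorization: the CN (or a SAN entry) that
    #    was issued from the $UDID keyword must match a managed serial number.
    if settings.authorize_by_serial:
        candidates = (client_cert.common_name,) + client_cert.san
        matched = [c for c in candidates if c in settings.managed_serials]
        if not matched:
            return False, "serial number not among managed devices"
        return True, "authorized by serial number " + matched[0]

    return True, "custom certificate accepted"


def demo() -> None:
    # Constructed sample values; not real serial numbers or hosts.
    strict = ServerCommSettings(
        allow_custom_only=True,
        authorize_by_serial=True,
        managed_serials=frozenset({"SERIAL-CONSTRUCTED-0001"}),
    )
    device_cert = Cert(cn_from_template("CN=$UDID", "SERIAL-CONSTRUCTED-0001"))
    print(authorize_client(device_cert, strict))
    print(authorize_client(Cert("factory", predefined=True), strict))
    server_cert = Cert("panorama.example.invalid", ("192.0.2.10",))
    print(verify_server_identity(server_cert, "192.0.2.10"))


if __name__ == "__main__":
    demo()
```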

Configure Authentication Using Custom Certificates on Managed
Devices

Complete the following procedure to configure the client side (firewall or Log Collector) to use
custom certificates instead of predefined certificates for mutual authentication with managed
devices in your deployment.
STEP 1 | Upgrade each managed firewall or Log Collector. All managed devices must be running PAN-OS
8.0 or later to enforce custom certificate authentication.
Upgrade the firewall. After upgrade, each firewall connects to Panorama using the default
predefined certificates.

STEP 2 | Obtain or generate the device certificate.
You can deploy certificates on Panorama or a server Log Collector by generating a self-signed
certificate on Panorama or obtaining a certificate from your enterprise certificate authority
(CA) or a trusted third-party CA.
Set the common name to $UDID or subject to CN=$UDID (in the SCEP profile) if authorizing
client devices based on serial number.
• You can generate a self-signed certificate on Panorama or obtain a certificate from your
enterprise CA or a trusted third-party CA.
• If you are using SCEP for the device certificate, configure a SCEP profile. SCEP allows you
to automatically deploy certificates to managed devices. When a new client device with
a SCEP profile attempts to authenticate with Panorama, the certificate is sent by the SCEP
server to the device.

STEP 3 | Configure the certificate profile for the client device.
You can configure this on each client device individually or you can push this configuration to
the managed device as part of a template.
1. Select one of the following navigation paths:
• For firewalls—Select Device > Certificate Management > Certificate Profile.
• For Log Collectors—Select Panorama > Certificate Management > Certificate Profile.
2. Configure the certificate profile.

STEP 4 | Deploy custom certificates on each firewall or Log Collector.
1. Select one of the following navigation paths:
• For firewalls: Select Device > Setup > Management and Edit the Panorama Settings
• For Log Collectors: Select Panorama > Managed Collectors and Add a new Log
Collector or select an existing one. Select Communication.
2. Select the Secure Client Communication check box (firewall only).
3. Select the Certificate Type.
• If you are using a local device certificate, select the Certificate and Certificate Profile.
• If you are using SCEP to deploy the device certificate, select the SCEP Profile and
Certificate Profile.
• If you are using the default Panorama certificate, select Predefined.
4. (Optional) Enable Check Server Identity. The firewall or Log Collector checks the CN in
the server certificate against Panorama’s IP address or FQDN to verify its identity.
5. Click OK.
6. Commit your changes.
After committing your changes, the managed device does not terminate its current
session with Panorama until the Disconnect Wait Time is complete.

STEP 5 | Select the incoming communication types for which you want to use a custom certificate:
• HA Communication
• WildFire Communication
• Data Redistribution

STEP 6 | After deploying custom certificates on all managed devices, enforce authentication using
custom certificates.

The WildFire appliance does not currently support custom certificates. If your
Panorama is managing a WildFire appliance, do not select Allow Custom Certificates
Only.

1. Select Panorama > Setup > Management and Edit the Panorama settings.
2. Select Allow Custom Certificate Only.
3. Click OK.
4. Commit your changes.
After committing this change, all devices managed by Panorama must use custom
certificates. If not, authentication between Panorama and the device fails.

Add New Client Devices

When adding a new firewall or Log Collector to Panorama, the workflow depends on whether or
not these devices are configured to use custom certificates only for mutual authentication.
• If the Custom Certificates Only option is not selected on Panorama, you can add the device to
Panorama and then deploy the custom certificate by following the process in Configure
Authentication Using Custom Certificates on Managed Devices.
• If the Custom Certificates Only option is selected on Panorama, you must deploy the custom
certificates on the firewall before adding it to Panorama. If not, the managed device will not
be able to authenticate with Panorama. This can be done manually through the firewall web
interface or through bootstrapping as part of the bootstrap.xml file.

Change Certificates
If a custom certificate in your deployment has expired or been revoked and needs to be replaced,
you can complete one of the tasks below.
• Change a Server Certificate
• Change a Client Certificate
• Change a Root or Intermediate CA Certificate

Change a Server Certificate

Complete the following task to replace a server certificate.

STEP 1 | Deploy the new server certificate.
You can deploy certificates on Panorama or a server Log Collector by generating a self-signed
certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party
CA.

STEP 2 | Change the certificate in the SSL/TLS Service Profile.
1. Select Panorama > Certificate Management > SSL/TLS Service Profile and select the
SSL/TLS service profile.
2. Select the Certificate.
3. Click OK.

STEP 3 | Reestablish the connection between the server (Panorama or a Log Collector) and client
devices.
1. Select Panorama > Setup > Management and Edit the Panorama Settings for Panorama
or select Panorama > Managed Collectors > Add > Communication for a Log Collector.
2. Set the Disconnect Wait Time.
3. Click OK.
4. Commit your changes.

Change a Client Certificate

Complete the following task to replace a client certificate.
STEP 1 | Obtain or generate the device certificate.
You can deploy certificates on Panorama or a server Log Collector by generating a self-signed
certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party
CA.
Set the common name to $UDID or subject to CN=$UDID (in the SCEP profile) if authorizing
client devices based on serial number.
• You can generate a self-signed certificate on Panorama or obtain a certificate from your
enterprise CA or a trusted third-party CA.
• If you are using SCEP for the device certificate, configure a SCEP profile. SCEP allows you
to automatically deploy certificates to managed devices. When a new client device with
a SCEP profile attempts to authenticate with Panorama, the certificate is sent by the SCEP
server to the device.

STEP 2 | Change the certificate in the certificate profile.
1. Select Device > Certificate Management > Certificate Profile and select the certificate
profile.
2. Under CA Certificates, Add the new certificate to assign to the certificate profile.
3. Click OK.
4. Commit your changes.

Change a Root or Intermediate CA Certificate

Complete the following task to replace a root or intermediate CA certificate.

STEP 1 | Configure the server to accept predefined certificates from clients.
1. Select Panorama > Setup > Management and Edit the Panorama Settings.
2. Uncheck Custom Certificate Only.
3. Select None from the Certificate Profile drop-down.
4. Click OK.
5. Commit your changes.

STEP 2 | Deploy the new root or intermediate CA certificate.
You can deploy certificates on Panorama or a server Log Collector by generating a self-signed
certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party
CA.

STEP 3 | Update the CA certificate in the server certificate profile.
1. Select Panorama > Certificate Management > Certificate Profile and select the
certificate profile to update.
2. Delete the old CA certificate.
3. Add the new CA Certificate.
4. Click OK.

STEP 4 | Generate or import the new client certificate.
1. Select Device > Certificate Management > Certificates.
2. Create a self-signed root CA certificate or import a certificate from your enterprise CA.

STEP 5 | Update the CA certificate in the client certificate profile.
1. Select Device > Setup > Management and click the Edit icon in Panorama Settings for
a firewall, or select Panorama > Managed Collectors > Add > Communication for a Log
Collector, and select the certificate profile to update.
2. Delete the old CA certificate.
3. Add the new CA Certificate.
4. Click OK.

STEP 6 | After updating the CA certificates on all managed devices, enforce custom-certificate
authentication.
1. Select Panorama > Setup > Management and Edit the Panorama Settings.
2. Select Custom Certificate Only.
3. Click OK.
4. Commit your changes.
After committing this change, all devices managed by Panorama must use custom
certificates. If not, authentication between Panorama and the device fails.

Manage Firewalls
To use the Panorama™ management server for managing Palo Alto Networks firewalls,
you must add the firewalls as managed devices and then assign them to device
groups and to templates or template stacks. The following tasks best suit a first-time
firewall deployment. Before proceeding, review Plan Your Panorama Deployment to
understand the deployment options.
> Add a Firewall as a Managed Device
> Install the Device Certificate for Managed Firewalls
> Set Up Zero Touch Provisioning
> Manage Device Groups
> Manage Templates and Template Stacks
> Manage the Master Key from Panorama
> Schedule a Configuration Push to Managed Firewalls
> Redistribute Data to Managed Firewalls
> Transition a Firewall to Panorama Management
> Device Monitoring on Panorama
> Use Case: Configure Firewalls Using Panorama

To view the Objects and Policies tabs on the Panorama web interface, you must first
create at least one device group. To view the Network and Device tabs, you must
create at least one template. These tabs contain the options by which you configure
and manage the firewalls on your network.

Add a Firewall as a Managed Device

To use a Panorama™ management server to manage your firewalls, you need to enable a
connection between the firewall and the Panorama management server. To strengthen your
security posture when onboarding a new firewall, you must create a unique device registration
authentication key on the Panorama management server for mutual authentication between the
new firewall and the server on first connection. A successful first connection requires that you add
the Panorama IP address on each firewall the server will manage, add the serial number on the
server for each firewall, and specify the device registration authentication key on both the server
and the firewall. When you add a firewall as a managed device, you can also associate the new
firewall with a device group, template stack, collector group, and Log Collector during the initial
deployment. Additionally, you have the option to automatically push the configuration to your
newly added firewall when the firewall first connects to the Panorama server, which ensures that
firewalls are immediately configured and ready to secure your network.

You can bulk import only single-vsys firewalls to the Panorama management server.

The firewall uses the Panorama management server IP address for registration with the server.
The Panorama server and the firewall authenticate with each other using 2,048-bit certificates
and AES-256 encrypted SSL connections for configuration management and log collection.
To configure the device registration authentication key, specify the key lifetime and the number of
times you can use the authentication key to onboard new firewalls. Additionally, you can specify
one or more firewall serial numbers for which the authentication key is valid.
The authentication key expires 90 days after the key lifetime expires. After 90 days, you are
prompted to re-certify the authentication key to maintain its validity. If you do not re-certify,
then the authentication key becomes invalid. A system log is generated each time a firewall
uses the Panorama-generated authentication key. The firewall uses the authentication key to
authenticate the Panorama server when it delivers the device certificate that is used for all
subsequent communications.

(PAN-OS 10.1 only) For firewalls running a PAN-OS 10.1 release, Panorama running PAN-OS
10.1.3 or a later release supports onboarding firewalls running PAN-OS 10.1.3 or a later
release only. You cannot add a firewall running PAN-OS 10.1.2 or an earlier PAN-OS 10.1
release to Panorama management if Panorama is running PAN-OS 10.1.3 or a later release.
Panorama supports onboarding firewalls running the following releases:
• Panorama running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release—Firewalls running
PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release, and firewalls running PAN-OS 10.0 or an
earlier PAN-OS release.
• Panorama running PAN-OS 10.1.3 or a later release—Firewalls running PAN-OS 10.1.3
or a later release, and firewalls running PAN-OS 10.0 or an earlier PAN-OS release.
There is no impact to firewalls already managed by Panorama on upgrade to PAN-OS
10.1.
STEP 1 | Set up the firewall.
1. Perform initial configuration on the firewall so that it is accessible and can communicate
with the Panorama server over the network.
2. Configure each data interface you plan to use on the firewall and attach it to a security
zone so that you can push configuration settings and policy rules from the Panorama
server.

STEP 2 | Create a device registration authentication key.
1. Log in to the Panorama Web Interface.
2. Select Panorama > Device Registration Auth Key and Add a new authentication key.
3. Configure the authentication key.
• Name—Add a descriptive name for the authentication key.
• Lifetime—Specify the key lifetime to limit how long you can use the authentication
key to onboard new firewalls.
• Count—Specify how many times you can use the authentication key to onboard new
firewalls.
• Device Type—Specify that this authentication key is used to authenticate only a
Firewall.

You can select Any to use the device registration authentication key to
onboard firewalls, Log Collectors, and WildFire appliances.
• (Optional) Devices—Enter one or more device serial numbers to specify for which
firewalls the authentication key is valid.
4. Click OK.
5. Copy Auth Key and Close.

STEP 3 | Add firewalls to a Panorama management server. You can manually add one or more firewalls
or bulk import firewalls using a CSV file.

You cannot bulk import firewalls with more than one virtual system (vsys).

• Add one or more firewalls manually.
1. Select Panorama > Managed Devices > Summary and Add a new firewall.
2. Enter the firewall Serial number. If you are adding multiple firewalls, enter each serial
number on a separate line.
3. (Optional) Select Associate Devices to associate the firewall with a device group,
template stack, Log Collector, or Collector group when the firewall first connects to the
Panorama management server.
4. Enter the device registration authentication key you created.
5. Click OK.
6. Associate your managed firewalls as needed.
If you did not select Associate Devices, skip this step and continue to configure the
firewall to communicate with Panorama.
1. Assign the Device Group, Template Stack, Collector Group, and Log Collector as
needed from the drop-down in each column.
2. Enable Auto Push on 1st connect to automatically push the device group and
template stack configuration to the new devices when they first successfully connect
to the Panorama server.

The Auto Push on 1st Connect option is supported only on firewalls running
PAN-OS® 8.1 and later releases. The commit all job executes from
Panorama to managed devices running PAN-OS 8.1 and later releases.

3. (Optional) Select a PAN-OS release version (To SW Version column) to begin
automatically upgrading the managed firewall to the specified PAN-OS version upon
successful connection to the Panorama management server.

To upgrade a managed firewall to a target PAN-OS release on first
connection, you must install the minimum content release version required
for that PAN-OS release before adding the firewall as a managed device.
To do this, you must register the firewall, activate the support license,
and install the content update before adding the firewall to Panorama
management.

Leave this column empty if you do not want to automatically upgrade the managed
firewall.
4. Click OK to add the devices.

• Bulk import multiple firewalls using a CSV file.
1. Select Panorama > Managed Devices > Summary and Add your new firewalls.
2. Add the device registration authentication key you created.
3. Click Import.
4. Download Sample CSV and edit the downloaded CSV file with the firewalls you are
adding. You can choose to assign the firewalls to a device group, template stack,
Collector Group, and Log Collector from the CSV or enter only the firewall serial numbers
and assign them from the web interface. Save the CSV after you finish editing.
5. Browse to and select the CSV file you edited in the previous step.
6. If not already assigned in the CSV, assign the firewalls a Device Group, Template Stack,
Collector Group, and Log Collector as needed from the drop-down in each column.
7. If not already enabled in the CSV, enable Auto Push on 1st connect to automatically
push the device group and template stack configuration to the new devices when they
first successfully connect to the Panorama server.
8. (Optional) Select a PAN-OS release version (To SW Version column) to begin
automatically upgrading the managed firewall to the specified PAN-OS version upon
successful connection to the Panorama server.

To upgrade a managed firewall to a target PAN-OS release on first connection,
you must install the minimum content release version required for that PAN-OS
release before adding the firewall as a managed device. To do this, you must
register the firewall, activate the support license, and install the content
update before adding the firewall to Panorama management.

Leave this column empty if you do not want to automatically upgrade the managed
firewall.
9. Click OK to add the firewalls.

STEP 4 | Configure the firewall to communicate with the Panorama management server.
Repeat this step for each firewall the Panorama server will manage.
1. Log in to the firewall web interface.
2. Configure the Panorama Settings for the firewall.
1. Select Device > Setup > Management and edit the Panorama Settings.
2. Enter the Panorama IP address in the first field.

Panorama issues a single IP address for device management, log collection,
reporting, and dynamic updates. Enter the external, Internet-bound IP
address to ensure Panorama can successfully access existing and new
managed devices and Log Collectors. If an internal Panorama IP address is
configured, you may be unable to manage some devices. For example, if you
Install Panorama on AWS and enter the internal IP address, Panorama is
unable to manage devices or Log Collectors outside of the AWS security
group.
3. (Optional) If you have configured a high availability (HA) pair in Panorama, enter the IP
address of the secondary Panorama in the second field.
4. Enter the Auth key you created on Panorama.
5. Click OK.
6. Commit your changes.

STEP 5 | (Optional) Add a Tag. Tags make it easier for you to find a firewall from a large list; they help
you dynamically filter and refine the list of firewalls in your display. For example, if you add a
tag called branch office, you can filter for all branch office firewalls across your network.
1. Select each firewall and click Tag.
2. Click Add, enter a string of up to 31 characters (no empty spaces), and click OK.

STEP 6 | If your deployment is using custom certificates for authentication between Panorama and
managed devices, deploy the custom client device certificate. For more information, see Set
Up Authentication Using Custom Certificates and Add New Client Devices.


STEP 7 | Select Commit > Commit to Panorama and Commit your changes.

STEP 8 | Verify that the firewall is connected to Panorama.


1. Click Panorama > Managed Devices > Summary.
2. Verify that the Device State for the new device shows as Connected.


Install the Device Cerficate for Managed Firewalls


In PAN-OS 10.1 and later releases, you must install the device cerficate on your managed
firewalls to successfully authencate your managed firewalls to leverage Palo Alto Networks cloud
services such as Device Telemetry, IoT, and Enterprise Data Loss Prevenon (DLP). You can install
the device cerficate for a single managed firewall or mulple managed firewalls at once.

See Device Cerficates to install the firewall device cerficate locally.

• Install the Device Cerficate for a Managed Firewall


• Install the Device Cerficate for Mulple Managed Firewalls

Install the Device Cerficate for a Managed Firewall


In PAN-OS 10.1 and later releases, you must install the device cerficate for a managed firewall
from the Panorama management server. The managed firewall must have internet access to
successfully install the device cerficate.
STEP 1 | Register Panorama and managed firewalls with the Palo Alto Networks Customer Support
Portal (CSP).

STEP 2 | Log in to the Panorama Web Interface as an admin user.

STEP 3 | Configure the Network Time Protocol (NTP) server.


An NTP server is required validate the device cerficaon expiraon date, ensure the device
cerficate does not expire early or become invalid.
1. Select Device > Setup > Services and select the Template.
2. Select one of the following depending on your plaorm:
• For mul-virtual system plaorms, select Global and edit the Services secon.
• For single virtual system plaorms, edit the Services secon.
3. Select NTP and enter the hostname pool.ntp.org as the Primary NTP Server or enter
the IP address of your primary NTP server.
4. (Oponal) Enter a Secondary NTP Server address.
5. (Oponal) To authencate me updates from the NTP server(s), for Authencaon Type,
select one of the following for each server.
• None (default)—Disables NTP authencaon.
• Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to
authencate me updates.
• Key ID—Enter the Key ID (1-65534)
• Algorithm—Select the algorithm to use in NTP authencaon (MDS or SHA1)
6. Click OK to save your configuraon changes.
7. Select Commit and Commit and Push your configuraon changes to your managed
firewalls.


STEP 4 | Select Panorama > Managed Devices > Summary and select a managed firewall.

STEP 5 | Select Request OTP From CSP > Custom selected devices.

STEP 6 | Copy the entire OTP request token.

STEP 7 | Generate the One Time Password (OTP) for managed firewalls.
1. Log in to the Customer Support Portal.
2. Select Assets > Device Certificates and Generate OTP.
3. For the Device Type, select Generate OTP for Panorama managed firewalls.
4. Paste the OTP request you copied in the previous step and Generate OTP.
5. Click Done and wait a few minutes for the OTP to successfully generate. You can refresh
the page if the new OTP does not display.
6. Copy to Clipboard or Download the OTP.

STEP 8 | Log in to the Panorama Web Interface as an admin user.

STEP 9 | Select Panorama > Managed Devices > Summary and Upload OTP.

STEP 10 | Paste the OTP you generated and click Upload.


STEP 11 | Verify that the Device Certificate column displays as Valid and that the Device Certificate
Expiry Date displays an expiration date.

Install the Device Certificate for Multiple Managed Firewalls

In PAN-OS 10.1 and later releases, you must install the device certificate for managed firewalls
from the Panorama management server. The managed firewalls must have internet access to
successfully install the device certificate.
STEP 1 | Register Panorama and managed firewalls with the Palo Alto Networks Customer Support
Portal (CSP).

STEP 2 | Log in to the Panorama Web Interface as an admin user.


STEP 3 | Configure the Network Time Protocol (NTP) server.

An NTP server is required to validate the device certificate expiration date and to ensure the
device certificate does not expire early or become invalid.
1. Select Device > Setup > Services and select the Template.
2. Select one of the following depending on your platform:
• For multi-virtual system platforms, select Global and edit the Services section.
• For single virtual system platforms, edit the Services section.
3. Select NTP and enter the hostname pool.ntp.org as the Primary NTP Server or enter
the IP address of your primary NTP server.
4. (Optional) Enter a Secondary NTP Server address.
5. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type,
select one of the following for each server.
• None (default)—Disables NTP authentication.
• Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to
authenticate time updates.
• Key ID—Enter the Key ID (1-65534).
• Algorithm—Select the algorithm to use in NTP authentication (MD5 or SHA1).
6. Click OK to save your configuration changes.
7. Select Commit and Commit and Push your configuration changes to your managed
firewalls.

STEP 4 | Select Panorama > Managed Devices > Summary.

STEP 5 | Select Request OTP From CSP > Select all devices without a certificate.

STEP 6 | Copy the entire OTP request token.


STEP 7 | Generate the One Time Password (OTP) for managed firewalls.
1. Log in to the Customer Support Portal.
2. Select Assets > Device Certificates and Generate OTP.
3. For the Device Type, select Generate OTP for Panorama managed firewalls.
4. Paste the OTP request you copied in the previous step and Generate OTP.
5. Click Done and wait a few minutes for the OTP to successfully generate. You can refresh
the page if the new OTP is not displayed.
6. Copy to Clipboard or Download the OTP.

STEP 8 | Log in to the Panorama Web Interface as an admin user.

STEP 9 | Select Panorama > Managed Devices > Summary and Upload OTP.

STEP 10 | Paste the OTP you generated and click Upload.


STEP 11 | Verify that the Device Certificate column displays as Valid and that the Device Certificate
Expiry Date displays an expiration date.


Set Up Zero Touch Provisioning

Set up Zero Touch Provisioning (ZTP) to simplify and streamline initial firewall deployments by
automating the new managed firewall on-boarding without the need for network administrators to
manually provision the firewall.

To successfully leverage the ZTP service, on-board your ZTP firewalls with the factory
default PAN-OS version before upgrading to PAN-OS 10.0.0 or later release.
The ZTP plugin is supported on PAN-OS 10.0.1 and later releases.

• ZTP Overview
• Install the ZTP Plugin
• Configure the ZTP Installer Administrator Account
• Add ZTP Firewalls to Panorama
• Use the CLI for ZTP Tasks
• Uninstall the ZTP Plugin

ZTP Overview
Learn more about Zero Touch Provisioning (ZTP) and its configuration elements.
• About ZTP
• ZTP Configuration Elements

About ZTP
Zero Touch Provisioning (ZTP) is designed to simplify and automate the on-boarding of new
firewalls to the Panorama™ management server. ZTP streamlines the initial firewall deployment
process by allowing network administrators to ship managed firewalls directly to their branches
and automatically add the firewall to the Panorama™ management server after the ZTP firewall
successfully connects to the Palo Alto Networks ZTP service. This allows businesses to save on
time and resources when deploying new firewalls at branch locations by removing the need for
IT administrators to manually provision the new managed firewall. After successful on-boarding,
Panorama provides the means to configure and manage your ZTP configuration and firewalls.

Review and subscribe to ZTP Service Status events to be notified about scheduled
maintenance windows, outages, and workarounds.

ZTP is supported on the following ZTP firewalls:

• PA-220-ZTP and PA-220R-ZTP
• PA-410, PA-440, PA-450, and PA-460
• PA-820-ZTP and PA-850-ZTP
• PA-3220-ZTP, PA-3250-ZTP, and PA-3260-ZTP
• PA-5450


Before you begin seng up ZTP on Panorama, review the Firewall Hardware Quick Start and
Reference Guides to understand how to correctly install your firewall to successfully leverage ZTP.

ZTP Configuraon Elements


The following elements work together to allow you to quickly on-board newly deployed ZTP
firewalls by automacally adding them to the Panorama management server using the ZTP
service.
• ZTP Plugin—The ZTP plugin allows Panorama to connect to the ZTP service and claim a ZTP
firewall for simplified on-boarding.
• Customer Support Portal (CSP)—The Palo Alto Networks Customer Support Portal is used
to register your Panorama to connect to the CSP to automacally register newly added ZTP
firewalls.
• One-me Password (OTP)—A one-me password provided by Palo Alto Networks used to
retrieve and install a cerficate on Panorama for it to communicate with the CSP and ZTP
service.
• Installer—An administrator user created using the installeradmin admin role for ZTP
firewall on-boarding. This admin user has limited access to the Panorama web interface, only
allowing access to enter the ZTP firewall serial number and claim key to register firewalls on the
CSP and Panorama. The installer admin can be created on Panorama or created using remote
authencaon such as RADIUS, SAML, or TACACS+.
• Claim Key—Eight digit numeric key physically aached to the ZTP firewall used to register the
ZTP firewall with the CSP.
• To-SW-Version—Designate the PAN-OS soware version of the ZTP firewall (Panorama >
Managed Devices > Summary). Select the target PAN-OS release, and if the firewall is running
an earlier release than the indicated version, the firewall begins an upgrade loop unl the target
release is successfully installed.

Panorama can only manage firewalls running a PAN-OS release equal to or less than
that installed on the Panorama.
Aer you successfully install the ZTP plugin on Panorama and register Panorama with the ZTP
service, the ZTP on boarding process connues as follows:
1. Installer or IT administrator registers ZTP firewalls by adding them to Panorama using the
firewall serial number and claim key.
2. Panorama registers the firewalls with the CSP. Aer the firewalls are successfully registered,
the firewall is associated with the same ZTP tenant as the Panorama in the ZTP service.
ZTP firewalls successfully registered with the ZTP service are automacally added as managed
firewalls (Panorama > Managed Devices) on Panorama.
3. When the firewall connects to the Internet, the ZTP firewall requests a device cerficate from
the CSP in order to connect to the ZTP service.
4. The ZTP service pushes the Panorama IP or FQDN to the ZTP firewalls.
5. The ZTP firewalls connect to Panorama and the device group and template configuraons are
pushed from Panorama to the ZTP firewalls.


Install the ZTP Plugin

Install the ZTP plugin on your Panorama™ management server to register Panorama with the ZTP
service in order to claim ZTP firewalls for simplified on-boarding.
If your Panorama is in a high availability (HA) configuration, install the ZTP plugin and register both
Panorama HA peers with the ZTP service.
• Install the ZTP Plugin on Panorama
• Register Panorama with the ZTP Service

Install the ZTP Plugin on Panorama

Simplify the on-boarding and management of ZTP firewalls by installing the ZTP plugin on your
Panorama management server.
STEP 1 | Install the Panorama Device Certificate.

STEP 2 | Log in to the Panorama web interface as a superuser or Panorama administrator with access
to Panorama plugins (Panorama > Plugins).

STEP 3 | Select Panorama > Plugins and search for the ztp plugin.

STEP 4 | Download and Install the most recent version of the ZTP plugin.

Register Panorama with the ZTP Service

Register the Panorama™ management server with the ZTP service for new and existing
deployments.
• Register Panorama with the ZTP Service for New Deployments
• Register Panorama with the ZTP Service for Existing Deployments
Register Panorama with the ZTP Service for New Deployments
After you install the ZTP plugin on the Panorama™ management server, you must register
the Panorama with the ZTP service to enable the ZTP service to associate firewalls with the
Panorama. As part of the registration process for a new ZTP deployment, automatically generate


the device group and template configuraons required to connect your ZTP firewalls to the ZTP
service. Aer the device group and template are automacally generated, you must add your ZTP
firewalls to the device group and template so they can connect to the ZTP service aer they first
connect to Panorama.
STEP 1 | Install the Panorama Device Cerficate.

STEP 2 | Log in to the Palo Alto Networks Customer Support Portal (CSP).

STEP 3 | Associate your Panorama with the ZTP Service on the Palo Alto Networks CSP.
The ZTP Service supports associang up to two Panoramas only if they are in a high availability
(HA) configuraon. If Panorama is not in an HA configuraon, only a single Panorama can be
associated.
1. Select Assets > ZTP Service and Associate Panorama(s).
2. Select the serial number of the Panorama managing your ZTP firewalls.
3. (HA only) Select the serial number of the Panorama HA peer.
4. Click OK.

STEP 4 | Log in to the Panorama Web Interface.

STEP 5 | Select Panorama > Zero Touch Provisioning > Setup and edit the General ZTP sengs.


STEP 6 | Register Panorama with the ZTP service.

1. Enable ZTP Service.
2. Enter the Panorama FQDN or IP Address.
This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and
that the CSP pushes to the ZTP firewalls.

(Managed firewalls running PAN-OS 10.1.4 and earlier releases) Enter the
Panorama IP address to avoid the managed firewall disconnecting from
Panorama on reboot or after a successful PAN-OS upgrade.
If you need to use the Panorama FQDN, configure a static destination route to
avoid the managed firewall disconnecting from Panorama on reboot or after a
successful PAN-OS upgrade.
3. (HA only) Enter the Peer FQDN or IP Address.
This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is
installed and that the CSP pushes to the ZTP firewalls in case of failover.

(Managed firewalls running PAN-OS 10.1.4 and earlier releases) Enter the
Panorama IP address to avoid the managed firewall disconnecting from
Panorama on reboot or after a successful PAN-OS upgrade.
If you need to use the Panorama FQDN, configure a static destination route to
avoid the managed firewall disconnecting from Panorama on reboot or after a
successful PAN-OS upgrade.
4. Click OK to save your configuration changes.


STEP 7 | Create the default device group and template to automatically generate the required
configuration to connect your ZTP firewalls to Panorama.
Adding the device group and template automatically generates a new device group and
template that contain the default configuration to connect the Panorama and the ZTP firewalls.
1. Add Device Group and Template.
2. Enter the Device Group name.
3. Enter the Template name.
4. Click OK to save your configuration changes.

STEP 8 | Add your ZTP firewalls to the device group and template specified in the previous step.
1. Select Panorama > Device Groups and select the device group that was automatically
created.
2. Select the ZTP Devices.
3. Click OK to save your configuration changes.
4. Select Panorama > Templates and Add Stack.
5. In the Templates section, Add the template that was automatically generated.
6. Select the ZTP Devices.
7. Click OK to save your configuration changes.

STEP 9 | Verify that the required device group and template configurations generated successfully.
1. Select Network > Interfaces > Ethernet and select the Template you created in the
previous step.
2. Verify that ethernet1/1 is configured with an IP Address, Virtual Router, and Security
Zone.
3. Select Network > Interfaces > Loopback and select the Template you created in the
previous step.
4. Verify that the loopback.900 interface is successfully created.
5. Select Policies > Security > Pre Rules and select the Device Group you created in the
previous step.
6. Verify that rule1 is successfully created.
7. Select Policies > NAT > Pre Rules and select the Device Group you created in the
previous step.
8. Verify that ztp-nat is successfully created.


STEP 10 | Modify your device groups and templates as needed.

Create and configure new or existing device groups and templates to complete your
deployment.
When considering your device group hierarchy and template priority in your template
stack, ensure that the device group and template containing the required ZTP configuration
that allows the ZTP firewall and Panorama to communicate have priority such that the
configuration is not overridden in the event of conflicting configurations.

Do not modify the IP address, virtual router, and Security zone of the ethernet1/1
interface, the loopback.900 loopback interface, the rule1 Security policy rule,
or ztp-nat NAT policy rule. These configurations are required to connect your ZTP
firewall to Panorama.

STEP 11 | Select Commit and Commit to Panorama.

STEP 12 | Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.

Register Panorama with the ZTP Service for Existing Deployments

After you install the ZTP plugin on the Panorama™ management server, you must register
Panorama with the ZTP service to enable the ZTP service to associate firewalls with the
Panorama. As part of the registration process, add your ZTP firewalls to a device group and
template that contain the required ZTP configuration to connect your ZTP firewalls with the ZTP
service after they first connect to Panorama.
STEP 1 | Install the Panorama Device Certificate.

STEP 2 | Log in to the Palo Alto Networks Customer Support Portal (CSP).


STEP 3 | Associate your Panorama with the ZTP Service on the Palo Alto Networks CSP.
The ZTP Service supports associating up to two Panoramas only if they are in a high availability
(HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be
associated.
1. Select Assets > ZTP Service and Modify Association.
2. Select the serial number of the Panorama managing your ZTP firewalls.
3. (HA only) Select the serial number of the Panorama HA peer.
4. Click OK.

STEP 4 | Log in to the Panorama Web Interface.

STEP 5 | Select Panorama > Zero Touch Provisioning > Setup and edit the General ZTP settings.


STEP 6 | Register Panorama with the ZTP service.

1. Enable ZTP Service.
2. Enter the Panorama FQDN or IP Address.
This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and
that the CSP pushes to the ZTP firewalls.

(Managed firewalls running PAN-OS 10.1.4 and earlier releases) Enter the
Panorama IP address to avoid the managed firewall disconnecting from
Panorama on reboot or after a successful PAN-OS upgrade.
If you need to use the Panorama FQDN, configure a static destination route to
avoid the managed firewall disconnecting from Panorama on reboot or after a
successful PAN-OS upgrade.
3. (HA only) Enter the Peer FQDN or IP Address.
This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is
installed and that the CSP pushes to the ZTP firewalls in case of failover.

(Managed firewalls running PAN-OS 10.1.4 and earlier releases) Enter the
Panorama IP address to avoid the managed firewall disconnecting from
Panorama on reboot or after a successful PAN-OS upgrade.
If you need to use the Panorama FQDN, configure a static destination route to
avoid the managed firewall disconnecting from Panorama on reboot or after a
successful PAN-OS upgrade.
4. Click OK to save your configuration changes.

STEP 7 | Add your ZTP firewalls to the device group and template that will contain the required ZTP
configuration.
1. Select Panorama > Device Groups and select the device group that will contain the
required ZTP configuration.
2. Select the ZTP Devices.
3. Click OK to save your configuration changes.
4. Select Panorama > Templates and select the template stack that contains the template
that will have the required ZTP configuration.
5. Select the ZTP Devices.
6. Click OK to save your configuration changes.


STEP 8 | Modify your device groups and templates as needed.

When considering your device group hierarchy and template priority in your template
stack, ensure that the device group and template containing the required ZTP configuration
that allows the ZTP firewall and Panorama to communicate have priority such that the
configuration is not overridden in the event of conflicting configurations.
1. Configure the Ethernet1/1 interface.
1. Select Network > Interfaces > Ethernet, select a Template to contain your ZTP
configuration and select ethernet1/1.
2. For Interface Type, select Layer3.
3. Select Config and configure a Virtual Router and set the Security Zone to Untrust.
4. Select IPv4 and for the Type, select DHCP Client.

A DHCP client is required for the ZTP firewalls to communicate with the ZTP
service.
5. Press OK to save your configuration changes.
2. Create the loopback interface.
1. Select Network > Interfaces > Loopback, select a Template to contain your ZTP
configuration and Add a loopback interface.
2. For the Interface Name, enter loopback and enter the 900 suffix.
3. Select Config, select a Virtual Router, and set the Security Zone to Trust.
4. Press OK to save your configuration changes.
3. Create the Security policy rule to allow the ZTP firewall and Panorama to communicate.
1. Select Policies > Security > Pre Rules, select the Device Group to contain your ZTP
policy rules, and Add a new rule.
2. Enter a descriptive Name for the policy rule.
3. Select Source > Source Zone and Add the Trust zone.
4. Select Destination > Destination Zone and Add the Untrust zone.
5. Select Action > Action Settings > Action and select Allow.
4. Create the NAT policy rule to allow the ZTP firewall and Panorama to communicate.
1. Select Policies > NAT > Pre Rules, select the Device Group to contain your ZTP policy
rules, and Add a new rule.
2. Enter a descriptive Name for the policy rule.
3. Select Original Packet and configure the following:
1. For the Source Zone, Add the Trust zone.
2. For the Destination Zone, select the Untrust zone.
3. For the Destination Interface, select the ethernet1/1 interface.
4. Click OK to save your configuration changes.

STEP 9 | Select Commit and Commit to Panorama.


STEP 10 | Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.

Configure the ZTP Installer Administrator Account

The ZTP installer admin user is an administrator account created for non-IT staff or an installation
contractor to on-board new ZTP firewalls. The installer admin uses an automatically created
installeradmin admin role to limit visibility into the Panorama web interface and only allow
the installer the ability to enter the ZTP firewall claim key and serial number on Panorama.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Select Panorama > Admin Roles and verify that the installeradmin admin role is created.
The installeradmin role is automatically created after you successfully install the ZTP plugin on
Panorama.


STEP 3 | Configure the ZTP installer administrator user.

1. Select Panorama > Administrators and Add a new admin user.
2. Enter a descriptive Name for the ZTP installer admin user.
3. Enter a secure Password and Confirm Password.
4. For the Administrator Type, select Custom Panorama Admin.
5. For the Profile, select installeradmin.
6. Click OK to save your configuration changes.

STEP 4 | Select Commit and Commit to Panorama.

Add ZTP Firewalls to Panorama

You can add a single ZTP firewall or import multiple ZTP firewalls to the Panorama™ management
server.
• Add a ZTP Firewall to Panorama
• Import Multiple ZTP Firewalls to Panorama

Add a ZTP Firewall to Panorama

Log in to the web interface of the Panorama™ management server as a Superuser, Panorama
admin, or as the ZTP installer admin to add a ZTP firewall to Panorama. To add the ZTP firewall,
you must enter the firewall serial number and claim key provided by Palo Alto Networks and then
register the firewall with the ZTP service. Registering the firewall claims the firewall as an asset in
your account in the Customer Support Portal and allows the ZTP service to associate the firewall
with the Panorama.

While adding ZTP firewalls to Panorama, do not perform any commits on the ZTP firewall
before you verify that the firewall is successfully added to Panorama in Step 4. Performing
a local commit on the ZTP firewall disables ZTP functionality and results in the failure to
successfully add the firewall to Panorama.

STEP 1 | Log in to the Panorama Web Interface.


STEP 2 | Add a ZTP firewall to Panorama.

You must connect the Eth1/1 interface on ZTP firewalls to successfully register ZTP
firewalls with the CSP and push the policy and network configurations.

1. Select Firewall Registration and Add a new ZTP firewall.
2. Enter the Serial Number of the ZTP firewall.
3. Enter the Claim Key for the ZTP firewall provided by Palo Alto Networks.
The eight digit numeric claim key is printed on a physical label attached to the back of
the ZTP firewall you received from Palo Alto Networks.
4. Click OK to save your configuration changes.

STEP 3 | Register the ZTP firewall.

1. Select the newly added ZTP firewall and Register the firewall.
2. When prompted, click Yes to confirm registering the ZTP firewall.


STEP 4 | Verify the firewall successfully registered with the CSP.

The firewall must successfully register with the CSP to successfully obtain the device
certificate.

1. Select Registration Status and verify that the ZTP firewall successfully registered with
the CSP.
2. Log in to the Panorama Web Interface using admin credentials.
3. Select Panorama > Managed Devices > Summary and verify that the ZTP firewall is
successfully added as a managed firewall.

Ensure that the To SW Version column is configured to the correct PAN-OS
version so that the firewall does not upgrade or downgrade unintentionally.
ZTP functionality is supported only for PAN-OS 10.0.1 and later releases.
Additionally, the PAN-OS version must be the same as or earlier than the
PAN-OS version running on Panorama.
For more information, see Upgrade a ZTP Firewall.

STEP 5 | Add the ZTP firewall to a device group and template stack.
You must add the ZTP firewall to a device group and template stack for your firewalls to display
as Connected and to push policy and network configurations.
1. Log in to the Panorama Web Interface using admin credentials.
2. Select Panorama > Device Groups, add a device group, and add the ZTP firewall to the device
group.
Add a device group to create and configure a new device group to contain the policy
objects and rules for your ZTP firewalls.
3. Select Panorama > Templates, configure a template stack, and add the ZTP firewall to the
template stack.
Configure a template stack to create and configure a new template stack to contain the
network configuration for your ZTP firewalls.


Import Mulple ZTP Firewalls to Panorama


Log in to the web interface of the Panorama™ management server as a Superuser, Panorama
admin, or as the ZTP installer admin to import mulple ZTP firewalls to Panorama. To import
mulple ZTP firewalls, you must import a CSV file of the ZTP firewall serial number and
corresponding claim key provided by Palo Alto Networks and then register the firewalls with the
ZTP service. Registering the firewall claims the firewalls as assets in your account in the Customer
Support Portal and allows the ZTP service to associate the firewalls with the Panorama.

While adding ZTP firewalls to Panorama, do not perform any commits on the ZTP firewall
before you verify that the firewall is successfully added to Panorama in Step 5. Performing
a local commit on the ZTP firewall disables ZTP funconality and results in the failure to
successfully add the firewall to Panorama.

STEP 1 | Gather the serial numbers and claim keys for your ZTP firewalls.
The eight digit numeric claim key is printed on a physical label aached to the back of the ZTP
firewall you received from Palo Alto Networks.

STEP 2 | Create a CSV file containing the ZTP firewall serial numbers and claim keys. The first column
must contain the serial numbers and the second column must contain the corresponding
claim key for that firewall. Refer to the following example for reference.
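The guide's own CSV example is an image that did not survive extraction. As an added example that is not part of the guide, the following Python script builds a constructed two-column file in the layout the step describes (serial number first, claim key second) and validates it before you import it: every claim key must be eight numeric digits, every row must have exactly two columns, and no serial number may appear twice. The serial-number pattern (alphanumeric, no spaces) and the duplicate check are assumptions made for the example, not rules the guide states, and the serial numbers and claim keys are constructed sample data.

```python
import csv
import io
import re

# Constructed sample in the layout the guide describes: serial number, claim key.
# The third row carries a malformed claim key on purpose.
SAMPLE_CSV = """\
012345678901,12345678
012345678902,87654321
012345678903,1234ABCD
"""

CLAIM_KEY_RE = re.compile(r"^\d{8}$")        # guide: eight digit numeric claim key
SERIAL_RE = re.compile(r"^[A-Za-z0-9]+$")    # assumption: alphanumeric, no spaces


def parse_ztp_csv(text):
    """Parse a serial,claim-key CSV and return (valid_rows, errors).

    valid_rows is a list of (serial, claim_key) tuples ready for import;
    errors is a list of strings, one per rejected row, naming the row number.
    """
    valid, errors, seen = [], [], set()
    for rownum, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != 2:
            errors.append(f"row {rownum}: expected 2 columns, got {len(row)}")
            continue
        serial, key = row[0].strip(), row[1].strip()
        if not SERIAL_RE.match(serial):
            errors.append(f"row {rownum}: malformed serial number {serial!r}")
            continue
        if not CLAIM_KEY_RE.match(key):
            errors.append(f"row {rownum}: claim key {key!r} is not 8 digits")
            continue
        if serial in seen:
            errors.append(f"row {rownum}: duplicate serial number {serial}")
            continue
        seen.add(serial)
        valid.append((serial, key))
    return valid, errors


def write_ztp_csv(rows):
    """Render validated (serial, claim_key) rows back into CSV text for import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, problems = parse_ztp_csv(SAMPLE_CSV)
    for problem in problems:
        print("rejected:", problem)
    print(write_ztp_csv(rows), end="")
```

Only the rows returned in `valid_rows` should go into the file you upload; fix or drop every row listed in `errors` first, since a firewall whose claim key is wrong cannot be registered with the CSP.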

STEP 3 | Import the ZTP firewalls to Panorama.

You must connect the Eth1/1 interface on ZTP firewalls to successfully register ZTP
firewalls with the CSP and push the policy and network configurations.

1. Log in to the Panorama Web Interface using the ZTP installer admin credentials.
2. Select Panorama > Zero Touch Provisioning > Firewall Registration and Import the ZTP
firewalls.
3. Browse and select the CSV file containing the ZTP firewall information and click OK.

STEP 4 | Register the ZTP firewalls.


1. Select the newly added ZTP firewalls and Register the firewalls.
2. When prompted, click Yes to confirm registering the ZTP firewalls.


STEP 5 | Verify the firewall successfully registered with the ZTP service.
1. Select Registration Status and verify that the ZTP firewalls successfully registered with
the ZTP service.
2. Log in to the Panorama Web Interface using admin credentials.
3. Select Panorama > Managed Devices > Summary and verify that the ZTP firewalls are
successfully added as managed firewalls.

Ensure that the To SW Version column is configured to the correct PAN-OS
version so that the firewall does not upgrade or downgrade unintentionally.
ZTP functionality is supported only for PAN-OS 10.0.1 and later releases.
Additionally, the firewall PAN-OS version must be the same as or earlier than the
PAN-OS version running on Panorama.
For more information, see Upgrade a ZTP Firewall.

STEP 6 | Add the ZTP firewalls to a device group and template stack.
You must add the ZTP firewall to a device group and template stack for your firewalls to display
as Connected to push policy and network configurations.
1. Log in to the Panorama Web Interface using admin credentials.
2. Select Panorama > Device Groups and assign the firewalls to the appropriate device
group.
Add a device group to create and configure a new device group to contain the policy
objects and rules for your ZTP firewalls.
3. Select Panorama > Templates and assign the firewalls to the appropriate template stack.
Configure a template stack to create and configure a new template stack to contain the
network configuration for your ZTP firewalls.

Use the CLI for ZTP Tasks


Use the following CLI commands to perform Zero Touch Provisioning (ZTP) tasks and view the
ZTP service status.

If you want to ...                                   Use ...

Administer the firewall from the firewall CLI

Display the connection status to the ZTP service.
    > show system ztp status

Display the connection status to the Panorama management server.
    > show panorama status

Display the ZTP model number and firewall system information.
    > show system info

Disable the ZTP state machine on the firewall.
Running this command does not delete any existing ZTP configuration.
    > request disable-ztp

    You cannot re-enable the ZTP state machine on the firewall after it is
    disabled from the CLI. To re-enable, you must reset the firewall to
    factory default settings.

Register, configure, and manage your ZTP firewalls from Panorama

Create a device group or template containing the necessary configurations to connect
managed firewalls with Panorama using the ZTP service on the Eth1/1 interface.
    > request plugins ztp create dgroup-template device-group <device group name>
    > request plugins ztp create dgroup-template template <template name>

Add a ZTP firewall to the list of firewalls for future registration with the ZTP service.
    > request plugins ztp firewall-add <serial number> claim-key <claim key>

Modify the serial number of a ZTP firewall that has already been added to the list of
firewalls for future registration with the ZTP service.
    > request plugins ztp firewall-add-modify firewall <old serial number> claim-key <claim key> new-serial <new serial number>

Delete a ZTP firewall from the list of firewalls for future registration with the ZTP service.
    > request plugins ztp firewall-delete firewall <serial number>

Add a ZTP firewall to the list of firewalls for future re-registration with the ZTP service.
Use this command when a ZTP firewall initially fails registration with the ZTP service
and needs.
    > request plugins ztp firewall-re-enter-info firewall <serial number> claim-key <claim key>

Register your Panorama™ management server with the ZTP service.
    > request plugins ztp panorama-registration

Register a ZTP firewall with the ZTP service.
    > request plugins ztp firewall-registration firewall <serial number> claim-key <claim key>

Re-register ZTP firewalls with the ZTP service.
Use this command to start the re-registration process for a ZTP firewall that failed initial
registration with the ZTP service.
    > request plugins ztp firewall-register-retry firewall <serial number> claim-key <claim key>

Import ZTP firewall serial number and claim key information.
The specified file must be in CSV format.
    > request plugins ztp ztp-add-import import-path <file path>

View ZTP firewall information and ZTP service status from Panorama

Retrieve the list of ZTP firewalls registered to the Panorama from the ZTP service.
    > request plugins ztp ztp-service-info
The following details are displayed:
• first-firewall-connect-time—Timestamp of when the ZTP firewall first connected to the
ZTP service.
• last-firewall-connect-time—Timestamp of when the ZTP firewall last connected to the
ZTP service.
• registration-time—Timestamp of when the ZTP firewall registered with the ZTP service.
• isZTPFirewall—Whether the firewall is a ZTP firewall.
• created_by—Administrative user that added the ZTP firewall.
• IP address—IP address of the ZTP firewall.

View the list of ZTP firewalls in the list of firewalls to be registered with the ZTP service.
    > show plugins ztp device-add-list

View the registration status of your ZTP firewalls.
    > show plugins ztp device-reg-status

View the ZTP service synchronization status for ZTP firewalls.
    > request plugins ztp ztp-sync-status

Show the full management plane ZTP connectivity history.
This is helpful for troubleshooting connectivity to the ZTP service.
    > tail follow yes mp-log ms.log

Uninstall the ZTP Plugin


Follow the procedure to remove the ZTP configuration from your Panorama™ management server
and uninstall the ZTP plugin. If your Panorama is in a high availability (HA) configuration, repeat
these steps on both Panorama HA peers.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Delete the ZTP installer administrator account.

1. Select Panorama > Administrators and select the ZTP installer administrator account you
previously configured.
2. Delete the ZTP installer administrator account.
3. Select Panorama > Admin Roles and select the installeradmin admin role.
4. Delete the installeradmin admin role.
5. Select Commit and Commit to Panorama.

STEP 3 | Uninstall the ZTP plugin.

1. Select Panorama > Plugins and navigate to the ZTP plugin installed on Panorama.
2. In the Actions column, Remove Config to delete ZTP related configurations from
Panorama.
3. Click OK when prompted to confirm removing the ZTP configuration from Panorama.
4. Select Commit and Commit to Panorama.
5. Uninstall the ZTP plugin.
6. Click OK when prompted to uninstall the ZTP plugin from Panorama.


Manage Device Groups


• Add a Device Group
• Create a Device Group Hierarchy
• Create Objects for Use in Shared or Device Group Policy
• Revert to Inherited Object Values
• Manage Unused Shared Objects
• Manage Precedence of Inherited Objects
• Move or Clone a Policy Rule or Object to a Different Device Group
• Select a URL Filtering Vendor on Panorama
• Push a Policy Rule to a Subset of Firewalls
• Device Group Push to a Mul-VSYS Firewall
• Manage the Rule Hierarchy

Add a Device Group


Aer adding firewalls (see Add a Firewall as a Managed Device), you can group them into Device
Groups (up to 1,024), as follows. Be sure to assign both firewalls in an acve-passive high
availability (HA) configuraon to the same device group so that Panorama will push the same
policy rules and objects to those firewalls. PAN-OS doesn’t synchronize pushed rules across HA
peers. To manage rules and objects at different administrave levels in your organizaon, Create a
Device Group Hierarchy.
STEP 1 | Select Panorama > Device Groups, and click Add.

STEP 2 | Enter a unique Name and a Description to identify the device group.

STEP 3 | In the Devices secon, select check boxes to assign firewalls to the group. To search a long
list of firewalls, use the Filters.

You can assign any firewall to only one device group. You can assign each virtual
system on a firewall to a different device group.

STEP 4 | In the Reference Template section, Add any templates or template stacks with objects
referenced by the device group configuration.
You must assign the appropriate template or template stack references to the device group
in order to successfully associate the template or template stack to the device group. This
allows you to reference objects configured in a template or template stack without adding an
unrelated device to a template stack.
Skip this step if the device group configuration does not reference any objects configured in a
template or template stack.


STEP 5 | (Oponal) Select Group HA Peers for firewalls that are HA peers.
You can only group managed firewall HA peers if they are in the same device group.

The firewall name of the passive or acve-secondary peer is in parentheses. Grouping


HA peers is a visual change and no configuraon change occurs.

STEP 6 | Select the Parent Device Group (default is Shared) that will be just above the device group
you are creating in the device group hierarchy.

STEP 7 | If your policy rules will reference users and groups, assign a Master firewall.
This will be the only firewall in the device group from which Panorama gathers username and
user group information.

STEP 8 | Click OK to save your changes.

STEP 9 | Select Commit > Commit and Push and then Commit and Push your changes to the
Panorama configuration and to the device group you added.

Create a Device Group Hierarchy


STEP 1 | Plan the Device Group Hierarchy.
1. Decide the device group levels, and which firewalls and virtual systems you will assign
to each device group and the Shared location. You can assign any one firewall or virtual
system (vsys) to only one device group. If a device group will be just an organizational
container for lower level device groups, you don't need to assign firewalls to it.
2. Remove firewall or vsys assignments from existing device groups if those assignments
don't fit your planned hierarchy.
1. Select Panorama > Device Groups and select the device group.
2. In the Devices section, clear the check boxes of firewalls and virtual systems you want
to remove, and click OK.
3. If necessary, add more firewalls that you will assign to device groups: see Add a Firewall
as a Managed Device.
4. If you are using multiple Panorama plugins to perform endpoint monitoring, a device
group containing firewalls deployed in a particular hypervisor cannot be the child or
parent of a device group containing firewalls deployed in a different hypervisor. See
Device Group Hierarchy for more information.

STEP 2 | For each top-level device group, Add a Device Group.

1. In the Panorama > Device Groups page, click Add and enter a Name to identify the
device group.
2. In the Devices section, select check boxes to assign firewalls and virtual systems to the
device group.
3. Leave the Parent Device Group option at Shared (the default) and click OK.


STEP 3 | For each lower-level device group, Add a Device Group.

• For new device groups at each lower level, repeat the previous step, but set the Parent
Device Group to a device group at the next level above.
• For each existing device group, in the Device Groups page, select the device group to edit it,
select a Parent Device Group, and click OK.

If you move a device group to a different parent, all its descendant device groups move
with it, along with all firewalls, policy rules, and objects associated with the device
group and its descendants. If the new parent is in another access domain, the moved
device group will no longer have membership in the original access domain. If the new
access domain has read-write access for the parent device group, it will also have
read-write access for the moved device group. If the new access domain has read-only
access for the parent, it will have no access for the moved device group. To reconfigure
access for device groups, see Configure an Access Domain.

STEP 4 | Configure, move, and clone objects and policy rules as needed to account for inheritance in
the device group hierarchy.
• Create Objects for Use in Shared or Device Group Policy, or edit existing objects.
You can edit objects only at their location: the device group to which they are assigned.
Descendant device groups inherit read-only instances of the objects from that location.
However, you can optionally override inherited object values in a descendant (see Step 5).
• Create or edit policies.
• Move or Clone a Policy Rule or Object to a Different Device Group.

STEP 5 | Override inherited object values.

Applicable only if object values in a particular device group must differ from the values
inherited from an ancestor device group.
After overriding an object, you can override it again in descendant device groups. However,
you can never override shared or predefined (default) objects.
In the Objects tab, inherited objects have a green icon in the Name column, and the Location
column displays the ancestor device group.
1. In the Objects tab, select the object type (for example, Objects > Addresses).
2. Select the Device Group that will have the override instance.
3. Select the object and click Override.
4. Edit the values. You can't edit the Name or Shared settings.
5. Click OK. The Name column displays a yellow-overlapping-green icon for the object to
indicate it is overridden.

If necessary, you can later Revert to Inherited Object Values.


STEP 6 | Save and commit your changes.

Commit to Panorama and push to device groups after any change to the hierarchy.

You must also push changes to templates if a template references objects in a device group
(such as interfaces referencing addresses), and a firewall assigned to the template is no longer
assigned to that device group because of a hierarchy change.
Select Commit > Commit and Push and then Commit and Push your changes to the Panorama
configuration and to the device groups you added or changed.

Create Objects for Use in Shared or Device Group Policy


You can use an object in any policy rule that is in the Shared location, or in the same device group
as the object, or in descendants of that device group (for details, see Device Group Objects).
Shared device group objects can be viewed and referenced in a specific device group. Changing
the name of a Shared device group object in one device group changes the name of the Shared
object in all device groups, including every configuration in which the Shared object is referenced,
such as policy rules. Changing the name of a Shared device group object may therefore cause the
configuration push to managed firewalls to fail.
For example, you create a Shared object named ObjectA and create a Security policy rule in the
DG1 device group where ObjectA is referenced. This configuration is pushed to your managed
firewalls. Later, in the DG1 device group, you change the name of ObjectA to ObjectB and try to
push the configuration to your managed firewalls. This push fails because your managed firewalls
have the Shared object with the name ObjectA as part of their configuration, and are expecting
that configuration object to have the same name.

See Use Dynamic Address Groups in Policy to verify the number of supported registered
IP addresses on Panorama if you intend to leverage dynamic address groups in order to
create policies that automatically adapt to changes in your network.

Create a shared object.


In this example, we add a shared object for URL Filtering categories for which we want to
trigger alerts.
1. Select the Objects > Security Profiles > URL Filtering tab and click Add.
The Objects tab appears only after you Add a Device Group (at least one).
2. Enter a Name and a Description.
3. Select Shared.
4. The Disable Override option is cleared by default, which means you can override
inherited instances of the object in all device groups. To disable overrides for the object,
select the check box.
5. In the Categories tab, select every Category for which you want notification.
6. In the Action column, select Alert.
7. Click OK to save your changes to the object.
8. Select Commit > Commit to Panorama and Commit your changes.


Create a device group object.


In this example, we add an address object for specific web servers on your network.
1. Select Objects > Addresses and select the Device Group in which you will use the
object.
2. Click Add and enter a Name to identify the object.
3. Be sure to leave the Shared option cleared.
4. The Disable Override option is cleared by default, which means you can override
inherited instances of the object in device groups that are descendants of the selected
Device Group. To disable overrides for the object, select the Disable Override option.
5. Select the Type of address object and the associated value. For example, select IP Range
and enter the IP address range for the web servers.
6. Click OK to save your changes to the object.
7. Select Commit > Commit and Push and then Commit and Push your changes to the
Panorama configuration and to the device group where you added the object.

When you activate an antivirus license on a firewall, a set of predefined IP lists
is automatically added to the firewall. As a result, this reduces the total number
of individual address objects, dynamic groups, external IP lists, predefined IP
block lists, and external predefined IP lists you can push from Panorama.

View shared objects and device group objects in Panorama.


In the pages of the Objects tab, the Location column indicates whether an object is shared or is
specific to a device group.
1. In the Objects tab, select the object type (Objects > Addresses, in this example).
2. Select the Device Group to which you added the object.

The Objects tab only displays objects that are in the selected Device Group or
are inherited from an ancestor device group or the Shared location.
3. Verify that the device group object appears. Note that the device group name in the
Location column matches the selection in the Device Group drop-down.

Revert to Inherited Object Values


Aer overriding the values that a device group object inherits from an ancestor device group, you
can revert the object to its ancestor values at any me. In the Objects tab, overridden objects
have a yellow-overlapping-green icon ( ) in the Name column.

If you want to push ancestor values to all overridden objects instead of reverng a specific
object, see Manage Precedence of Inherited Objects.
For the steps to override values, see Step 5
For details on object inheritance and overrides, see Device Group Objects.

STEP 1 | In the Objects tab, select the object type (for example, Objects > Addresses) and select the
Device Group that has an override instance of the object.


STEP 2 | Select the object, click Revert, and click Yes. The Name column displays a green icon for the
object, indicating that it now inherits all values from an ancestor device group.

STEP 3 | Select Commit > Commit and Push and then Commit and Push your changes to the
Panorama configuration and to the device group where you reverted the object.

Manage Unused Shared Objects


When you push configuraon changes Device Groups, by default Panorama pushes all shared
objects to firewalls whether or not any shared or device group policy rules reference the objects.
However, you can configure Panorama to push only the shared objects that rules reference in the
device groups. The Share Unused Address and Service Objects with Devices opon enables you
to limit the objects that Panorama pushes to the managed firewalls.

When Share Unused Address and Service Objects with Devices is disabled, Panorama
ignores the Target firewalls when you Push a Policy Rule to a Subset of Firewalls. This
means that all objects referenced by any rules are pushed to all firewalls in the device
group.
To limit the number of objects pushed to a set of managed firewalls, add the policy rules to
a child device group and reference shared objects as needed. See Create a Device Group
Hierarchy for more informaon on creang a child device group.

On lower-end models, such as the PA-220, consider pushing only the relevant shared objects to
the managed firewalls. This is because the number of objects that can be stored on the lower-end
models is considerably lower than that of the mid- to high-end models. Also, if you have many
address and service objects that are unused, clearing Share Unused Address and Service Objects
with Devices reduces the commit mes significantly on the firewalls because the configuraon
pushed to each firewall is smaller. However, disabling this opon might increase the commit
me on Panorama because Panorama has to dynamically check whether policy rules reference a
parcular object.
STEP 1 | Select Panorama > Setup > Management, and edit the Panorama Settings.

STEP 2 | Clear the Share Unused Address and Service Objects with Devices option to push only
the shared objects that rules reference, or select the option to re-enable pushing all shared
objects.

STEP 3 | Click OK to save your changes.

STEP 4 | Select Commit > Commit to Panorama and Commit your changes.

Manage Precedence of Inherited Objects


By default, when device groups at different levels in the Device Group Hierarchy have an object
with the same name but different values (because of overrides, as an example), policy rules in a
descendant device group use the object values in that descendant instead of using object values
inherited from ancestor device groups. Optionally, you can reverse this order of precedence to
push values from the highest ancestor containing the object to all descendant device groups. After
you enable this option, the next time you push configuration changes to device groups, the values
of inherited objects replace the values of any overridden objects in the descendant device groups.
The figure below demonstrates the precedence of inherited objects in a device group:

If a firewall has locally defined objects with the same name as shared or device group
objects that Panorama pushes, a commit failure occurs.
If you want to revert a specific overridden object to its ancestor values instead of pushing
ancestor values to all overridden objects, see Revert to Inherited Object Values.

STEP 1 | Select Panorama > Setup > Management and edit the Panorama Settings.

STEP 2 | If you want to reverse the default order of precedence, select Objects defined in ancestors
will take higher precedence. The dialog then displays the Find Overridden Objects link,
which provides the option to see how many overridden (shadowed) objects will have
ancestor values after you commit this change. You can hover over the quantity message to
display the object names.
If you want to revert to the default order of precedence, clear Objects defined in ancestors will
take higher precedence.

Find Overridden Objects only detects a Shared device group object that shares a name
with another object in the device group.

STEP 3 | Click OK to save your changes.

STEP 4 | Select Commit > Commit to Panorama and Commit your changes.

STEP 5 | (Optional) If you selected Objects defined in ancestors will take higher precedence,
Panorama does not push the ancestor objects until you push configuration changes to device
groups: select Commit > Push to Devices and Push your changes.
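The override rules in Create a Device Group Hierarchy (Step 5), the Revert action, the Objects defined in ancestors will take higher precedence option described above, and the commit failure caused by a firewall-local object sharing a name with a pushed object are easiest to see together in one small model. The Python below is an added example, not Panorama code or a Panorama API: it models a constructed Shared > Corp > Branch hierarchy with constructed object names and values, resolves the value a firewall in a device group would receive under both precedence modes, honors Disable Override, and lists the names that would collide with objects defined locally on the firewall. Predefined objects are deliberately left out of the model.

```python
"""Model of device group object inheritance, overrides and precedence.

Added example for this guide; not Panorama code or a Panorama API. The class and
function names and the Shared > Corp > Branch sample hierarchy are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SHARED = "Shared"


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"]
    # object name -> value defined (or overridden) at this location
    objects: Dict[str, str] = field(default_factory=dict)
    # object names whose Disable Override box is selected at this location
    disable_override: Set[str] = field(default_factory=set)

    def lineage(self) -> List["DeviceGroup"]:
        """This group, then its parent, and so on up to Shared."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

    def location_of(self, obj: str) -> Optional["DeviceGroup"]:
        """Nearest location (self or an ancestor) that defines obj."""
        for g in self.lineage():
            if obj in g.objects:
                return g
        return None

    def override(self, obj: str, value: str) -> None:
        """Mirror the Objects > Override action: give an inherited object a local value."""
        loc = self.location_of(obj)
        if loc is None:
            raise KeyError(f"{obj} is not defined in any ancestor of {self.name}")
        if loc is self:
            raise ValueError(f"{obj} is already defined at {self.name}; edit it there")
        if obj in loc.disable_override:
            raise PermissionError(f"{obj} has Disable Override set at {loc.name}")
        self.objects[obj] = value

    def revert(self, obj: str) -> None:
        """Mirror Objects > Revert: drop the local override so the object inherits again."""
        inherited = self.parent.location_of(obj) if self.parent else None
        if obj in self.objects and inherited is not None:
            del self.objects[obj]
        else:
            raise ValueError(f"{obj} is not an overridden object in {self.name}")


def resolve(group: DeviceGroup, obj: str, ancestors_win: bool = False) -> str:
    """Value a firewall in `group` receives for obj.

    Default: the nearest definition wins, so an override in the descendant is used.
    With 'Objects defined in ancestors will take higher precedence' (ancestors_win),
    the highest ancestor that defines the object wins and shadows every override below.
    """
    defining = [g for g in group.lineage() if obj in g.objects]
    if not defining:
        raise KeyError(f"{obj} is not visible from {group.name}")
    chosen = defining[-1] if ancestors_win else defining[0]
    return chosen.objects[obj]


def push_conflicts(group: DeviceGroup, local_names: Set[str]) -> List[str]:
    """Names that would fail the commit: defined locally on the firewall and also
    pushed from Shared or an ancestor device group."""
    pushed = {name for g in group.lineage() for name in g.objects}
    return sorted(pushed & local_names)


def build_sample() -> Dict[str, DeviceGroup]:
    """Constructed hierarchy Shared > Corp > Branch with one override in Branch."""
    shared = DeviceGroup(SHARED, None, {"dns-servers": "10.0.0.53"})
    corp = DeviceGroup("Corp", shared, {"web-servers": "10.1.0.0/24"})
    branch = DeviceGroup("Branch", corp)
    branch.override("web-servers", "10.2.0.0/24")
    return {SHARED: shared, "Corp": corp, "Branch": branch}


if __name__ == "__main__":
    groups = build_sample()
    branch = groups["Branch"]
    print("default precedence:  ", resolve(branch, "web-servers"))
    print("ancestors win:       ", resolve(branch, "web-servers", ancestors_win=True))
    print("commit conflicts:    ", push_conflicts(branch, {"dns-servers", "local-only"}))
```

The two resolve calls show what the precedence option actually changes: the Branch override is what firewalls in Branch receive by default, and the Corp value replaces it once ancestors take precedence, exactly the shadowing that Find Overridden Objects counts before you commit. The push_conflicts check is the pre-push test for the local name clash the note above warns about.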

Move or Clone a Policy Rule or Object to a Different Device Group


On Panorama, if a policy rule or object that you will move or clone from a device group has
references to objects that are not available in the target device group (Destination), you must
move or clone the referenced objects and the referencing rule or object in the same operation.
In a Device Group Hierarchy, remember that referenced objects might be available through
inheritance. For example, shared objects are available in all device groups. You can perform
a global find to check for references. If you move or clone an overridden object, be sure that
overrides are enabled for that object in the parent device group of the Destination (see Create
Objects for Use in Shared or Device Group Policy).


When cloning mulple policy rules, the order by which you select the rules will determine
the order they are copied to the device group. For example, if you have rules 1-4 and your
selecon order is 2-1-4-3, the device group where these rules will be cloned will display
the rules in the same order you selected. However, you can reorganize the rules as you see
fit once they have been successfully copied.

STEP 1 | Log in to Panorama and select the rulebase (for example, Policy > Security > Pre Rules) or
object type (for example, Objects > Addresses).

STEP 2 | Select the Device Group and select one or more rules or objects.

STEP 3 | Perform one of the following steps:


• (Rules only) Move > Move to other device group
• (Objects only) Move
• (Rules or objects) Clone

STEP 4 | In the Desnaon drop-down, select the new device group or Shared. The default is
previously selected Device Group.

STEP 5 | (Rules only) Select the Rule order:


• Move top (default)—The rule will come before all other rules.
• Move boom—The rule will come aer all other rules.
• Before rule—In the adjacent drop-down, select the rule that comes aer the Selected Rules.
• Aer rule—In the adjacent drop-down, select the rule that comes before the Selected Rules.

STEP 6 | The Error out on first detected error in validaon check box is selected by default, which
means Panorama will display the first error it finds and stop checking for more errors.
For example, an error occurs if the Desnaon device group doesn't have an object that
is referenced in the rule you are moving. When you move or clone many items at once,
selecng this check box can simplify troubleshoong. If you clear the check box, Panorama
will find all the errors before displaying them. Regardless of this seng, Panorama won’t
move or clone anything unl you fix all the errors for all the selected items.

STEP 7 | Click OK to start the error validaon. If Panorama finds errors, fix them and retry the move or
clone operaon. If Panorama doesn't find errors, it performs the operaon.

STEP 8 | Select Commit > Commit and Push, Edit Selecons in the Push Scope, select Device Groups,
select the original and desnaon device groups, click OK, and then Commit and Push your
changes to the Panorama configuraon and to the device groups.

Select a URL Filtering Vendor on Panorama


URL filtering enables firewalls to monitor and control web access for your users. The policy rules
that you configure to control web access (Security, QoS, Captive Portal, and Decryption rules)
reference URL categories. The URL filtering vendor you select on Panorama determines which
URL categories are available for referencing in the rules that you add to device groups and push to
firewalls.


By default, Panorama uses PAN-DB, a URL filtering database that is tightly integrated into PAN-OS
and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance
local caching to maximize in-line performance for URL lookups. The other vendor option is
BrightCloud, a third-party URL database.

Unlike firewalls, Panorama does not download the URL database and does not require a
URL filtering license.

The following topics describe how to change the URL filtering vendor on Panorama or on both
Panorama and managed firewalls. You can also change the URL filtering vendor on just the
firewalls.
• Must Panorama and Firewalls Have Matching URL Filtering Vendors?
• Change the URL Filtering Vendor on HA Panorama
• Change the URL Filtering Vendor on non-HA Panorama
• Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB
• Migrate Panorama and non-HA Firewalls from BrightCloud to PAN-DB

Must Panorama and Firewalls Have Matching URL Filtering Vendors?


On any single Panorama management server or firewall, only one URL filtering vendor can be
active: PAN-DB or BrightCloud. When selecting a vendor for Panorama, you must consider the
vendor and PAN-OS version of the managed firewalls:
• PAN-OS 5.0.x and earlier versions—Panorama and the firewalls require matching URL filtering
vendors.
• PAN-OS 6.0 or later versions—Panorama and the firewalls do not require matching URL
filtering vendors. If a vendor mismatch is detected, the firewall maps the URL categories in the
URL Filtering profiles and rules that it received from Panorama to URL categories that align
with those of the vendor enabled on the firewall.
Therefore, for a deployment in which some firewalls run PAN-OS 6.0 or later and some firewalls
run earlier PAN-OS versions, Panorama must use the same URL filtering vendor as the firewalls
that run earlier PAN-OS versions. For example, if firewalls that run PAN-OS 5.0 use PAN-DB, and
firewalls that run PAN-OS 7.0 use BrightCloud, Panorama must use PAN-DB.

Change the URL Filtering Vendor on HA Panorama


In a high availability (HA) deployment, each Panorama peer must be in a non-functional state
when you change the URL filtering vendor. Therefore, to avoid disrupting Panorama operations,
change the URL filtering vendor on the passive Panorama (Panorama2 in this example) and then
trigger failover before changing the vendor on the active Panorama (Panorama1 in this example).


STEP 1 | Change the URL filtering vendor on each Panorama HA peer.

Complete this task on Panorama2 (passive peer) before Panorama1 (active peer).

1. Log in to the Panorama web interface.
2. Select Panorama > High Availability and Suspend local Panorama.
When you perform this step on Panorama1, failover occurs and Panorama2 becomes
active.
3. Select Panorama > Setup > Management and edit the General Settings.
4. Select the URL Filtering Database vendor: paloaltonetworks (PAN-DB) or brightcloud.
5. Select Panorama > High Availability and Make local Panorama functional.
When you perform this step on Panorama1 with preemption enabled on both HA peers,
Panorama1 automatically reverts to active status and Panorama2 reverts to passive
status.

STEP 2 | Verify that the URL categories are available for referencing in policies.
1. Select Objects > Security Profiles > URL Filtering.
2. Click Add and verify that the Categories tab of the URL Filtering profile dialog displays
the URL categories associated with the selected vendor.

Change the URL Filtering Vendor on non-HA Panorama


Perform this procedure to change the URL filtering vendor on a Panorama management server
that is not deployed in a high availability (HA) configuration.
STEP 1 | Change the URL filtering vendor.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Select the URL Filtering Database vendor: paloaltonetworks (PAN-DB) or brightcloud.

STEP 2 | Verify that the URL categories are available for referencing in policies.
1. Select Objects > Security Profiles > URL Filtering.
2. Click Add and verify that the Categories tab of the URL Filtering profile dialog displays
the URL categories associated with the selected vendor.

Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB


Perform this procedure to migrate the URL filtering vendor from BrightCloud to PAN-DB on
Panorama and firewalls when the firewalls are deployed in a high availability (HA) configuration.
In this example, the active (or active-primary) firewall is named fw1 and the passive (or
active-secondary) firewall is named fw2. The migration automatically maps BrightCloud URL
categories to PAN-DB URL categories.


STEP 1 | Determine which firewalls require new PAN-DB URL filtering licenses.
1. Log in to Panorama and select Panorama > Device Deployment > Licenses.
2. Check the URL column to determine which firewalls have PAN-DB licenses and whether
the licenses are valid or expired.
A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license
can be active.

If you’re not sure whether a PAN-DB URL filtering license is active, access the
firewall web interface, select Device > Licenses, and verify that the Active field
displays Yes in the PAN-DB URL Filtering section.
3. Purchase a new license for each firewall that does not have a valid PAN-DB license.
In HA deployments, each firewall peer needs a distinct PAN-DB license and authorization
code. Palo Alto Networks sends an email containing activation codes for the licenses you
purchase. If you can’t find this email, contact Customer Support before proceeding.

STEP 2 | Change the URL filtering vendor to PAN-DB on Panorama.


Access the Panorama web interface and perform one of the following tasks:
• Change the URL Filtering Vendor on HA Panorama
• Change the URL Filtering Vendor on non-HA Panorama

STEP 3 | Configure the TCP session settings on both firewall HA peers to ensure sessions that are not
yet synchronized will fail over when you suspend a peer.
Log in to the CLI of each firewall and run the following command:

> set session tcp-reject-non-syn no


STEP 4 | Migrate the URL filtering vendor to PAN-DB on each firewall HA peer.

Complete this task on fw2 (passive or active-secondary peer) before fw1 (active or
active-primary peer).

1. Access the firewall web interface, select Device > High Availability > Operational
Commands, and Suspend local device.
Performing this step on fw1 triggers failover to fw2.
2. Select Device > Licenses.
3. In the License Management section, select Activate feature using authorization code,
enter the Authorization Code and click OK.
Activating the PAN-DB license automatically deactivates the BrightCloud license.
4. In the PAN-DB URL Filtering section, Download the seed file, select your region, and
click OK.
5. Commit and push your configuration changes:
1. Access the Panorama web interface.
2. Select Commit > Commit and Push and Edit Selections in the Push Scope.
3. Select Device Groups, select the firewall, and click OK.
4. Commit and Push your changes to the Panorama configuration and to device groups.
6. Access the firewall web interface, select Device > High Availability > Operational
Commands, and Make local device functional.
When you perform this step on fw1 with preemption enabled on both firewalls, fw1
automatically reverts to active (or active-primary) status and fw2 reverts to passive (or
active-secondary) status.

STEP 5 | Revert both firewall HA peers to the original TCP session settings.
Run the following command at the CLI of each firewall:

> set session tcp-reject-non-syn yes

Migrate Panorama and non-HA Firewalls from BrightCloud to PAN-DB


Perform this procedure to migrate the URL filtering vendor from BrightCloud to PAN-DB
on Panorama and firewalls when the firewalls are not deployed in a high availability (HA)
configuration. The migration automatically maps BrightCloud URL categories to PAN-DB URL
categories.


STEP 1 | Determine which firewalls require new PAN-DB URL filtering licenses.
1. Log in to Panorama and select Panorama > Device Deployment > Licenses.
2. Check the URL column to determine which firewalls have PAN-DB licenses and whether
the licenses are valid or expired.
A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license
can be active.

If you’re not sure whether a PAN-DB URL filtering license is active, access the
firewall web interface, select Device > Licenses, and verify that the Active field
displays Yes in the PAN-DB URL Filtering section.
3. Purchase new licenses for the firewalls that don’t have valid PAN-DB licenses.
Palo Alto Networks sends an email containing activation codes for the licenses you
purchase. If you can’t find this email, contact Customer Support before proceeding.

STEP 2 | Change the URL filtering vendor to PAN-DB on Panorama.


Access the Panorama web interface and perform one of the following tasks:
• Change the URL Filtering Vendor on HA Panorama
• Change the URL Filtering Vendor on non-HA Panorama

STEP 3 | Migrate the URL filtering vendor to PAN-DB on each firewall.


1. Access the firewall web interface and select Device > Licenses.
2. In the License Management section, select Activate feature using authorization code,
enter the Authorization Code, and click OK.
Activating the PAN-DB license automatically deactivates the BrightCloud license.
3. In the PAN-DB URL Filtering section, Download the seed file, select your region, and
click OK.
4. Commit and push your configuration changes:
1. Access the Panorama web interface.
2. Select Commit > Commit and Push and Edit Selections in the Push Scope.
3. Select Device Groups, select the firewall, and click OK.
4. Commit and Push your changes to the Panorama configuration and to device groups.

Push a Policy Rule to a Subset of Firewalls


A policy target allows you to specify the firewalls in a device group to which to push policy rules.
It allows you to exclude one or more firewalls or virtual systems, or to apply a rule only to specific
firewalls or virtual systems in a device group.
As your rulebase evolves and you push new or modified rules to firewalls, changes and audit
information get lost over time unless they are archived at the time the rule is created or modified.
Use the audit comment archive to view the audit comment and configuration log history of a
selected rule, as well as to compare two policy rule versions to see how the rule changed. The
audit comment history for a rule pushed from Panorama is viewable only from the Panorama
management server. However, you can view the audit comments in the configuration logs


forwarded to Panorama from managed firewalls. However, the audit comment archive is not
viewable for rules created or modified locally on the firewall. To ensure that audit comments are
captured at the time a rule is created or modified, Enforce Policy Rule, Description, Tag and Audit
Comment.
The ability to target a rule enables you to keep policies centralized on Panorama. Targeted rules
allow you to define the rules (as either shared or device group pre- or post-rules) on Panorama and
improve visibility and efficiency when managing the rules (see Device Group Policies). The audit
comment archive adds further visibility by allowing you to track how and why your policy rules
change over time so you can audit the rule evolution over the course of the rule lifecycle.
STEP 1 | (Best Practice) Enforce audit comments for policy rules.
Although this step is optional, it is a best practice to enforce audit comments for policy rules to
ensure that you capture the reason for creating or modifying the rule. This also helps maintain
an accurate rule history for auditing purposes.
1. Select Panorama > Setup > Management and edit the Policy Rulebase Settings.
2. Enable the option to Require audit comment on policies.
3. Configure the Audit Comment Regular Expression to specify the audit comment format.
When creating or modifying a rule, require audit comments to adhere to a specific format
based on your business and auditing needs by specifying letter and number expressions.
For example, you can use this setting to specify regular expressions to match your
ticketing number formats:
• [0-9]{<Number of digits>}—Requires the audit comment to contain a
minimum number of digits ranging from 0 to 9. For example, [0-9]{6} requires a
minimum 6 digit numerical expression with numbers 0 to 9. Configure the minimum
number of digits as needed.
• <Letter Expression>—Requires the audit comment to contain a letter expression.
For example, Reason for Change- requires that the administrator begin the
audit comment with this letter expression.
• <Letter Expression>-[0-9]{<Number of digits>}—Requires the audit
comment to contain a set character prefix with a minimum number of digits ranging
from 0 to 9. For example, SB-[0-9]{6} requires the audit comment format to begin
with SB-, followed by a minimum 6 digit numerical expression with numbers 0 to 9
such as SB-012345.
• (<Letter Expression>)|(<Letter Expression>)|(<Letter
Expression>)|-[0-9]{<Number of digits>}—Requires the audit comment to
contain a prefix using one of the configured set of letter expressions with a minimum
number of digits ranging from 0 to 9. For example, (SB|XY|PN)-[0-9]{6} requires
the audit comment format begin with SB-, XY-, or PN- followed by a minimum 6


digit numerical expression with numbers 0 to 9 such as SB-012345, XY-654321, or
PN-012543.
4. Click OK to apply the new policy rulebase settings.
5. Select Commit and Commit to Panorama.
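As an added illustration that is not part of the guide, the following Python checker applies the example expressions above to constructed audit comments so you can test a candidate Audit Comment Regular Expression before committing it. It assumes Panorama anchors the expression at the start of the comment and allows trailing text (an assumption about Panorama's matching semantics, not documented here).

```python
import re
from typing import Dict, List, Tuple

# Audit comment regular expressions taken from the guide's examples. The guide
# says "[0-9]{6}" requires a *minimum* of six digits and that a letter
# expression must begin the comment, so this checker anchors the pattern at
# the start of the comment and lets trailing text follow. That is an
# assumption about Panorama's matching semantics; adjust if yours differs.
EXAMPLE_PATTERNS: Dict[str, str] = {
    "digits-only": r"[0-9]{6}",
    "letter-prefix": r"Reason for Change-",
    "single-ticket-prefix": r"SB-[0-9]{6}",
    "multi-ticket-prefix": r"(SB|XY|PN)-[0-9]{6}",
}


def compile_audit_pattern(pattern: str) -> "re.Pattern[str]":
    """Compile the configured expression.

    Raises ValueError with a readable message if the expression is not valid,
    because a broken expression would block every rule change once committed.
    """
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid audit comment regex {pattern!r}: {exc}") from exc


def audit_comment_ok(comment: str, pattern: str) -> bool:
    """True if the comment satisfies the pattern from its first character."""
    return compile_audit_pattern(pattern).match(comment) is not None


def check_audit_comments(comments: List[str], pattern: str) -> List[Tuple[str, bool]]:
    """Evaluate a batch of proposed audit comments against one pattern."""
    compiled = compile_audit_pattern(pattern)
    return [(comment, compiled.match(comment) is not None) for comment in comments]


# Constructed sample comments an administrator might type.
SAMPLE_COMMENTS = [
    "SB-012345 allow trust to DMZ web",   # valid: ticket prefix then free text
    "XY-654321",                          # valid: alternative prefix
    "PN-012543 cleanup",                  # valid
    "SB-0123 short ticket",               # rejected: only four digits
    "sb-012345 lowercase",                # rejected: the regex is case-sensitive
    "ticket SB-012345 not at start",      # rejected: prefix must begin the comment
]

if __name__ == "__main__":
    pattern = EXAMPLE_PATTERNS["multi-ticket-prefix"]
    for comment, ok in check_audit_comments(SAMPLE_COMMENTS, pattern):
        print(f"{'OK  ' if ok else 'FAIL'} {comment}")
```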

STEP 2 | Create a rule.


In this example, we define a pre-rule in the Security rulebase that permits users on the internal
network to access the servers in the DMZ.
1. On the Policies tab, select the Device Group for which you want to define a rule.
2. Select the rulebase. For this example, select Policies > Security > Pre-Rules and Add a
rule.
3. In the General tab, enter a descriptive rule Name and enter an Audit Comment.
4. In the Source tab, set the Source Zone to Trust.
5. In the Destination tab, set the Destination Zone to DMZ.
6. In the Service/URL Category tab, set the Service to application-default.
7. In the Actions tab, set the Action to Allow.
8. Leave all the other options set to their default values.

STEP 3 | Target the rule to include or exclude a subset of firewalls.


To apply the rule to a selected set of firewalls:
1. Select the Target tab in the Policy Rule dialog.
2. Select the firewalls to which you want to apply the rule.
If you do not select firewalls to target, the rule is added to all of the (unchecked) firewalls
in the device group.

By default, although the check box for the virtual systems in the device group is
disabled, all virtual systems will inherit the rule on commit unless you select one
or more virtual systems to which you want the rule to apply.
3. (Optional) To exclude a subset of firewalls from inheriting the rule, Install on all but
specified devices and select the firewalls you want to exclude.

If you Install on all but specified devices and do not select any firewalls, the rule
is not added to any of the firewalls in the device group.
4. Click OK to add the rule.


STEP 4 | Commit and push the configuration changes.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Device Groups, select the device group where you added the rule, and click OK.
3. Commit and Push your changes to the Panorama configuration and to device groups.

STEP 5 | Troubleshoot Policy Rule Traffic Match to verify that the rules allow and deny traffic as
intended.

Device Group Push to a Multi-VSYS Firewall

Device group configuration changes pushed manually or from a scheduled configuration push of
device groups from the Panorama™ management server to a multi-vsys firewall are automatically
bundled into a single job. When a push is executed from Panorama to managed firewalls,
Panorama inspects the managed firewalls associated with the device group push. If Panorama
detects that multiple vsys belonging to the same multi-vsys firewall are associated with a device
group push, it bundles the commit job for each vsys into a single commit job on the managed
firewall to reduce the overall commit job completion time.
If one of the bundled commit jobs fails, then the entire push fails and you need to push the entire
set of device group configuration changes from Panorama again. Additionally, if multiple multi-vsys
firewalls are included in a push from Panorama and one push fails, then the entire push fails to all
firewalls included in the push from Panorama. When you monitor the device group push locally
on the firewall, a single job is displayed rather than multiple individual jobs. If any warnings or
failures occur, an error description indicating the impacted vsys is displayed.
This functionality is supported by default for multi-vsys firewalls managed by Panorama running
PAN-OS 10.1 and later releases.

Manage the Rule Hierarchy


The order of policy rules is critical for the security of your network. Within any policy layer
(shared, device group, or locally defined rules) and rulebase (for example, shared Security pre-
rules), the firewall evaluates rules from top to bottom in the order they appear in the pages of the
Policies tab. The firewall matches a packet against the first rule that meets the defined criteria and
ignores subsequent rules. Therefore, to enforce the most specific match, move the more specific
rules above more generic rules.

To understand the order in which the firewall evaluates rules by layer and by type (pre-
rules, post-rules, and default rules) across the Device Group Hierarchy, see Device
Group Policies.


STEP 1 | View the rule hierarchy for each rulebase.


1. Select the Policies tab and click Preview Rules.
2. Filter the preview by Rulebase (for example, Security or QoS).
3. Filter the preview to display the rules of a specific Device Group and the rules it inherits
from the Shared location and ancestor device groups. You must select a device group
that has firewalls assigned to it.
4. Filter the preview by Device to display its locally defined rules.
5. Click the green arrow icon to apply your filter selections to the preview (see Device
Group Policies).
6. Close the Combined Rules Preview dialog when you finish previewing rules.

STEP 2 | Delete or disable rules, if necessary.

To determine which rules a firewall doesn’t currently use, select that firewall in the
Context drop-down on Panorama, select the rulebase (for example, Policies > Security),
and select the Highlight Unused Rules check box. A dotted orange background
indicates the rules that the firewall doesn’t use.

1. Select the rulebase (for example, Policies > Security > Pre Rules) that contains the rule
you will delete or disable.
2. Select the Device Group that contains the rule.
3. Select the rule, and click Delete or Disable as desired. Disabled rules appear in italicized
font.

STEP 3 | Reposion rules within a rulebase, if necessary.

To reposion local rules on a firewall, access its web interface by selecng that firewall
in the Context drop-down before performing this step.

1. Select the rulebase (for example, Policies > Security > Pre Rules) that contains the rule
you will move.
2. Select the Device Group that contains the rule.
3. Select the rule, select Move, and select:
• Move Top—Moves the rule above all other rules in the device group (but not above
rules inherited from Shared or ancestor device groups).
• Move Up—Moves the rule above the one that precedes it (but not above rules
inherited from Shared or ancestor device groups).
• Move Down—Moves the rule below the one that follows it.
• Move Boom—Moves the rule below all other rules.
• Move to other device group—See Move or Clone a Policy Rule or Object to a
Different Device Group.


STEP 4 | If you modified the rules, commit and push the changes.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Device Groups, select the device group that contains the rules you changed or
deleted, and click OK.
3. Commit and Push your changes to the Panorama configuration and to device groups.


Manage Templates and Template Stacks


Use templates and template stacks to define the common base configurations that enable firewalls
to operate in your network. See Templates and Template Stacks for an overview of the issues you
should consider when deciding which firewalls to add to which templates, ordering templates in
a stack to manage layers of common and firewall group-specific settings, and overriding template
settings with firewall-specific values.

To delete a template, you must first locally Disable/Remove Template Settings on the
firewall. Only administrators with the superuser role can disable a template.

• Template Capabilities and Exceptions
• Add a Template
• Configure a Template Stack
• Configure a Template or Template Stack Variable
• Import and Overwrite Existing Template Stack Variables
• Override a Template Setting
• Disable/Remove Template Settings

Template Capabilies and Excepons


You can use Templates and Template Stacks to define a wide array of sengs but you can perform
the following tasks only locally on each managed firewall:
• Configure a device block list.
• Clear logs.
• Enable operaonal modes such as normal mode, mul-vsys mode, or FIPS-CC mode.
• Configure the IP addresses of firewalls in an HA pair.
• Configure a master key and diagnoscs.
• Compare configuraon files (Config Audit).

To Manage Licenses and Updates (soware or content) for firewalls, use the
Panorama > Device Management tab opons; do not use templates.
• Renaming a vsys on a mul-vsys firewall.

Add a Template
You must add at least one template before Panorama™ displays the Device and Network tabs
required to define the network setup and device configuraon elements for firewalls. Panorama
supports up to 1,024 templates. Every managed firewall must belong to a template stack. While
templates contain managed device configuraons, template stacks allow you to manage and push
the template configuraons to all managed firewalls assigned to the template stack.

Combine templates into a template stack to avoid duplicating many configurations among
templates (see Templates and Template Stacks and Configure a Template Stack).


STEP 1 | Add a template.


1. Select Panorama > Templates.
2. Click Add and enter a unique Name to identify the template.
3. (Optional) Enter a Description for the template.
4. Click OK to save the template.
5. If the template has a virtual system (vsys) with configurations (for example, interfaces)
that you want Panorama to push to firewalls that don’t have virtual systems, select the
template you created, select the vsys from the Default VSYS drop-down and click OK.
6. Select Commit > Commit and Push and then Commit and Push your changes to the
Panorama configuration and to the template.

STEP 2 | Verify that the template is available.


Aer you add the first template, Panorama displays the Device and Network tabs. These
tabs display a Template drop-down. Check that the drop-down displays the template you just
added.

STEP 3 | Configure a Template Stack and add the template to the template stack.


STEP 4 | Use the template to push a configuration change to firewalls.

Renaming a vsys is allowed only on the local firewall, not on Panorama. If you rename a
vsys on Panorama, the result is an entirely new vsys or the new vsys name gets mapped to
the wrong vsys on the firewall.

For example, define a primary Domain Name System (DNS) server for the firewalls in the
template.

You can also Configure a Template or Template Stack Variable to push device-
specific values to managed devices.

1. In the Device tab, select the Template from the drop-down.
2. Select Device > Setup > Services > Global, and edit the Services section.
3. Enter an IP address for the Primary DNS Server.
4. Select Commit > Commit and Push and then Commit and Push your changes to the
Panorama configuration and to the template.


STEP 5 | Verify that the firewall is configured with the template settings that you pushed from
Panorama.
1. In the Context drop-down, select one of the firewalls to which you pushed the template
setting.
2. Select Device > Setup > Services > Global. The IP address that you pushed from the
template appears. The Services section header displays a template icon ( ) to indicate
that settings in the section have values pushed from a template.

STEP 6 | Troubleshoot Connectivity to Network Resources to verify your firewalls can access your
network resources.

Configure a Template Stack


A template stack is configurable and allows you to combine multiple templates to push full
configurations to your managed firewalls. While templates are modular portions of your firewall
configuration that you can reuse across different stacks, you can also configure the template stack
to fill in the remaining configurations that you need to apply across all firewalls assigned to the
stack. Panorama supports up to 1,024 template stacks and each stack can have up to 8 templates
assigned to it. You can reference objects configured in a template stack from a template belonging
to the template stack. The template stack inherits configuration objects from the templates you add
based on how you order templates in the template stack. You can also override a template
setting in the template stack to create a template stack configuration object. For details and
planning, see Templates and Template Stacks.

Add a Template to configure interfaces, VLANs, Virtual Wires, IPSec Tunnels, DNS Proxy
and Virtual Systems. These objects must be configured and pushed from a template, and
not a template stack. Once pushed from a template, you can override these objects, except
for Virtual Systems, in the template stack.


STEP 1 | Plan the templates and their order in the stack.


Add a Template you plan to assign to the template stack.

When planning the priority order of templates within the stack (for overlapping
settings), you must check the order to prevent misconfiguration. For example, consider
a stack in which the ethernet1/1 interface is of type Layer 3 in Template_A but of type
Layer 2 with a VLAN in Template_B. If Template_A has a higher priority, Panorama will
push ethernet1/1 as type Layer 3 but assigned to a VLAN.

Also note that a template configuration can’t reference a configuration in another template
even if both templates are in the same stack. For example, a zone configuration in Template_A
can’t reference a zone protection profile in Template_B.
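The following Python model is an added illustration, not Panorama code: it resolves a constructed Template_A/Template_B stack in priority order the way the guide describes and flags both planning pitfalls above (a Layer 3 interface that also receives a VLAN, and a zone referencing a zone protection profile defined only in another template). The setting paths and the ref: value convention are constructed for the example.

```python
from typing import Dict, List, Tuple

# Simplified model of template stack resolution (assumption: this mirrors the
# guide's description, it is not Panorama's implementation). A template is a
# flat mapping of setting path -> value. A value of the form "ref:<path>"
# models one configuration object referencing another, for example a zone
# referencing a zone protection profile. Paths below are constructed samples.
Template = Dict[str, str]
Stack = List[Tuple[str, Template]]  # (template name, settings), highest priority first

TEMPLATE_A: Template = {
    "network/interface/ethernet1/1/type": "layer3",
    "network/interface/ethernet1/1/ip": "10.1.1.1/24",
    # Zone in Template_A referencing a profile that only Template_B defines.
    "network/zone/trust/zone-protection-profile": "ref:network/profiles/zone-protection/strict",
}
TEMPLATE_B: Template = {
    "network/interface/ethernet1/1/type": "layer2",
    "network/interface/ethernet1/1/vlan": "vlan-10",
    "network/profiles/zone-protection/strict/flood-protection": "enabled",
}


def resolve_stack(stack: Stack) -> Dict[str, Tuple[str, str]]:
    """Merge templates listed highest priority first.

    For each setting path the first template that defines it wins; settings
    that only lower templates define still come through. Returns
    path -> (value, name of the template that supplied it).
    """
    merged: Dict[str, Tuple[str, str]] = {}
    for name, template in stack:
        for path, value in template.items():
            merged.setdefault(path, (value, name))
    return merged


def layer3_with_vlan(merged: Dict[str, Tuple[str, str]]) -> List[str]:
    """Interfaces whose merged type is layer3 but that also carry a VLAN.

    This is the ethernet1/1 outcome the guide warns about when Template_A
    (Layer 3) outranks Template_B (Layer 2 with a VLAN).
    """
    bad = []
    for path, (value, _source) in merged.items():
        if path.endswith("/type") and value == "layer3":
            iface = path[: -len("/type")]
            if f"{iface}/vlan" in merged:
                bad.append(iface)
    return sorted(bad)


def cross_template_references(stack: Stack) -> List[Tuple[str, str, str]]:
    """References whose target object is not defined in the same template.

    The guide notes a template cannot reference configuration in another
    template even within one stack, so each of these would fail at push time.
    Returns (template name, referencing path, referenced path).
    """
    problems = []
    for name, template in stack:
        for path, value in template.items():
            if not value.startswith("ref:"):
                continue
            target = value[len("ref:"):]
            defined_here = any(p == target or p.startswith(target + "/") for p in template)
            if not defined_here:
                problems.append((name, path, target))
    return problems


if __name__ == "__main__":
    stack: Stack = [("Template_A", TEMPLATE_A), ("Template_B", TEMPLATE_B)]
    merged = resolve_stack(stack)
    for path, (value, source) in sorted(merged.items()):
        print(f"{path} = {value}  (from {source})")
    print("layer3 interfaces with a VLAN:", layer3_with_vlan(merged))
    print("cross-template references:", cross_template_references(stack))
```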

STEP 2 | Create a template stack.


1. Select Panorama > Templates and Add Stack.

Panorama supports only Add Stack to create a new template stack. You cannot
clone an existing template stack.
2. Enter a unique Name to identify the stack.
3. For each of the templates the stack will combine (up to 8), Add and select the template.
The dialog lists the added templates in order of priority with respect to duplicate


sengs, where values in the higher templates override those that are lower in the list. To
change the order, select a template and Move Up or Move Down.

4. In the Devices secon, select firewalls to assign them to the stack. For firewalls with
mulple virtual systems, you can’t assign individual virtual systems, only an enre
firewall. You can assign any firewall to only one template stack.

Whenever you add a new managed firewall to Panorama, you must assign it to
the appropriate template stack; Panorama does not automacally assign new
firewalls to a template or template stack. When you push configuraon changes
to a template, Panorama pushes the configuraon to every firewall assigned to
the template stack.
5. (Oponal) Select Group HA Peers to display a single check box for firewalls that are in
a high availability (HA) configuraon. Icons indicate the HA state: green for acve and
yellow for passive. The firewall name of the secondary peer is in parentheses.
For acve/passive HA, add both peers to the same template so that both will receive
the configuraons. For acve/acve HA, whether you add both peers to the same
template depends on whether each peer requires the same configuraons. For a list of
the configuraons that PAN-OS synchronizes between HA peers, see High Availability
Synchronizaon.
6. Click OK to save the template stack.

STEP 3 | (Oponal) Configure a Template or Template Stack Variable.


STEP 4 | Edit the Network and Device settings, as necessary.

Renaming a vsys is allowed only on the local firewall. If you rename a vsys on
Panorama, the result is an entirely new vsys or the new vsys name gets mapped to the
wrong vsys on the firewall.

In an individual firewall context, you can override settings that Panorama pushes from a stack
in the same way you override settings pushed from a template (see Override a Template or
Template Stack Value).
1. Filter the tabs to display only the mode-specific settings you want to edit:

While Panorama pushes mode-specific settings only to firewalls that support
those modes, this selective push doesn’t adjust mode-specific values. For
example, if a template has firewalls in Federal Information Processing Standards
(FIPS) mode and an IKE Crypto profile that uses non-FIPS algorithms, the
template push will fail. To avoid such errors, use the Mode drop-down in the
Network and Device tabs to filter mode-specific features and value options.

• In the Mode drop-down, select or clear the Multi VSYS, Operational Mode, and VPN
Mode filter options.
• Set all the Mode options to reflect the mode configuration of a particular firewall by
selecting it in the Device drop-down.
2. Set up your interfaces and network connectivity. For example, Configure Zones and
Interfaces to segment your network to manage and control traffic passing through your
firewall.
3. Edit the settings as needed.
4. Select Commit > Commit and Push, Edit Selections in the Push Scope, select Templates,
select the firewalls assigned to the template stack, and then Commit and Push your
changes to the Panorama configuration and to the template stack.


STEP 5 | Verify that the template stack works as expected.


1. Select a device assigned to the template stack from the Context drop-down.
2. Select a tab to which you pushed configuration changes using the template stack.
3. Values pushed from the template stack display a template icon ( ) to indicate that
settings in the section have values pushed from a template stack. Hover your mouse over
the icon to view which template stack the value was pushed from.

STEP 6 | Troubleshoot Connectivity to Network Resources to verify your firewalls can access your
network resources.

Configure a Template or Template Stack Variable


To enable you to more easily reuse templates or template stacks, you can use template and
template stack variables to replace IP addresses, Group IDs, and interfaces in your configurations.
Template variables are defined at either the template or template stack level and you can use
variables to replace IP addresses, IP ranges, FQDN, interfaces in IKE, VPN and HA configurations,
and group IDs. If multiple templates in the template stack use different variables for the same
configuration object, the variable value inherited by the template stack is based on the order of
inheritance described in Templates and Template Stacks. Additionally, you can override a template
value using a template stack variable to manage a configuration object from the template stack.
Variables allow you to reduce the total number of templates and template stacks you need to
manage, while allowing you to keep any firewall- or appliance-specific values. For example, if you
have a template stack with a base configuration, you can use variables to create values that do
not apply to all firewalls in the template or template stack. This allows you to manage and push
configurations from fewer templates and template stacks while accounting for any firewall- or
appliance-specific values that would otherwise require you to create a new template or
template stack.
To create a template or template stack variable:
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Create a template and template stack.


1. Add a Template
2. Configure a Template Stack.


STEP 3 | Select Panorama > Templates and Manage (Variables column) the template or template stack
for which you want to create a variable.

STEP 4 | Add the new variable.


A variable name must start with the dollar ( $ ) symbol.
1. Name the new variable. In this example, the variables are named $DNS-primary and
$DNS-secondary.
2. Select the variable Type and enter the corresponding value for the selected variable type.
For this example, select IP Netmask.
3. (Oponal) Enter a descripon for the variable.
4. Click OK and Close

Variables can also be created inline where variables are supported.

STEP 5 | From the Template drop-down, select the template or template stack to which the variable
belongs.


STEP 6 | Enter the variable in the appropriate locaon.


For this example, reference the previously defined DNS value.
1. Select Device > Setup > Services and edit Services.
2. Type $DNS-primary or select it from the drop-down for Primary DNS Server.
3. Type $DNS-secondary or select it from the drop-down for Secondary DNS Server.
4. Click OK.

STEP 7 | Click Commit and Commit and Push your changes to managed firewalls.

When you push a device group configuraon with references to template or template
stack variables, you must Edit Selecons and Include Device and Network Templates.

STEP 8 | Verify that the values for all variables were pushed to the managed devices.
1. From the Context drop-down, select a firewall that belongs to the template stack for
which the variable was created.
2. Select Device > Setup > Services.
3. Settings with values defined by a template or template stack are indicated by a template
symbol ( ). Hover over the indicator to view to which template or template stack the
variable definition belongs. When viewing from the firewall context, the variables display
as the IP address you configured for the variable.

STEP 9 | Troubleshoot Connectivity to Network Resources to verify your firewalls can access your
network resources.

Import and Overwrite Existing Template Stack Variables


Use template stack variables to replace IP addresses, IP ranges, FQDN, interfaces, or group ID
in your firewall configurations. Variables allow you to reduce the total number of templates and
template stacks you need to manage, while allowing you to preserve any firewall-specific values.
Importing template stack variables allows you to overwrite the values of multiple existing
variables; you cannot create new template stack variables when importing. For more
information on how to create a new template or template stack variable, see Configure a
Template or Template Stack Variable.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Export the existing template stack variables.


1. Select Panorama > Templates and select a template or template stack.
2. Select Variable CSV > Export. The configured template stack variables are downloaded
locally as a CSV file.
3. Open the exported CSV.


STEP 3 | Edit the CSV file containing the template stack variables to import to Panorama in the
following format:
Values that display as #inherited# are values that are defined in the template stack.
1. Correct the number format of the cells containing the firewall serial number. Repeat this step
for all firewalls in the CSV file.
1. Right-click the cell containing the firewall serial number and select Format Cells.
2. Select Number > Text and click OK.
3. Add a 0 at the beginning of the serial number.
2. Enter a new value for the desired template variable.
3. Select File > Save As and save the file in CSV UTF-8 format.
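The edit in STEP 3 is normally done in a spreadsheet program, which is why the procedure has you set the serial-number cells to Text and restore the leading 0 that a numeric cell type drops. The Python script below is an added example, not a Palo Alto Networks tool and not code from this guide, that makes the same edit without a spreadsheet: it reads the exported CSV with every cell kept as text, so serial numbers and the #inherited# marker pass through unchanged, overwrites one variable for one firewall, refuses to add a variable that is not already in the export (an import can only overwrite), and writes the result as UTF-8 CSV. The column names serial, variable and value, and the sample rows, are constructed assumptions; check them against the header row of your own export before using this on real data.

```python
import csv
import io

# Constructed sample of an exported variables CSV. The column names
# (serial, variable, value) are an assumption; confirm them against the
# header row of your own export before using this on real data.
SAMPLE_EXPORT = """serial,variable,value
001234567890,$DNS-primary,#inherited#
001234567890,$DNS-secondary,#inherited#
009876543210,$DNS-primary,198.51.100.10/32
009876543210,$DNS-secondary,#inherited#
"""

FIELDS = ["serial", "variable", "value"]
INHERITED = "#inherited#"  # the value is defined in the template stack


def load_variables(csv_text):
    """Parse the export into a list of row dicts. The csv module keeps every
    cell as text, so a serial such as 001234567890 keeps its leading zeros
    and never needs the Format Cells > Text workaround."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def set_variable(rows, serial, variable, new_value):
    """Overwrite the value of `variable` for firewall `serial` in place and
    return how many rows changed. An import cannot create variables, so a
    name that is not already in the export is an error rather than an add."""
    if not variable.startswith("$"):
        raise ValueError("variable names must start with $")
    changed = 0
    for row in rows:
        if row["serial"] == serial and row["variable"] == variable:
            row["value"] = new_value
            changed += 1
    if changed == 0:
        raise KeyError(f"{variable} is not defined for serial {serial}")
    return changed


def firewall_specific(rows):
    """Return (serial, variable, value) for every value that is not inherited
    from the template stack, i.e. the firewall-specific values the import
    will write."""
    return [(r["serial"], r["variable"], r["value"])
            for r in rows if r["value"] != INHERITED]


def dump_variables(rows):
    """Serialize rows back to CSV text with the original column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows = load_variables(SAMPLE_EXPORT)
    # Point the first firewall's primary DNS at a constructed new address.
    set_variable(rows, "001234567890", "$DNS-primary", "198.51.100.53/32")
    # Panorama expects CSV UTF-8; newline="" lets the csv module own line endings.
    with open("variables-edited.csv", "w", encoding="utf-8", newline="") as fh:
        fh.write(dump_variables(rows))
    for serial, variable, value in firewall_specific(rows):
        print(serial, variable, value)
```

Because the script never converts a cell to a number, the leading-zero step in the procedure does not apply; it exists only for spreadsheet programs that parse the serial column as numeric.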

STEP 4 | Import the CSV file to the template stack.


1. Log in to the Panorama Web Interface.
2. Select Panorama > Templates and select the template stack for which you exported the
variables in Step 2.
3. Select Variable CSV > Import and Browse for the CSV file edited in Step 3.
4. Click OK to import the template stack variables.

STEP 5 | Select Commit > Commit to Panorama and Commit your changes.

STEP 6 | Enter the variables in the appropriate locations.


STEP 7 | Click Commit and Commit and Push your changes to managed firewalls.

When you push a device group configuration with references to template or template
stack variables, you must Edit Selections and Include Device and Network Templates.

Override a Template or Template Stack Value


While Templates and Template Stacks enable you to apply a base configuration to multiple
firewalls, you might want to configure firewall-specific settings that don’t apply to all the firewalls
in a template or template stack. Conversely, you may want to override the template settings
to create a template stack configuration that you can apply as a base configuration to all your
managed firewalls. Overrides allow for exceptions or modifications to meet your configuration
needs. For example, if you use a template to create a base configuration but a few firewalls in a
test lab environment need different settings for the Domain Name System (DNS) server IP address
or the Network Time Protocol (NTP) server, you can override the template and template stack
settings.

If you want to disable or remove all the template or stack settings on a firewall instead of
overriding a single value, see Disable/Remove Template Settings.

You can override a template or template stack value in one of the following ways:
• Override a Template Value on the Firewall or Override a Template or Template Stack Value
Using Variables—There are two ways to override values pushed from a template or template
stack. The first is to define a value locally on the firewall to override a value pushed from a
template or template stack. The second is to define firewall-specific variables to override values
pushed from a template or template stack.
• Override a Template Value Using a Template Stack—Define values or variables on the template
stack to override values pushed from a template.

Override a Template Value on the Firewall


Override a setting on the local firewall that was pushed from a template or template stack to
create firewall-specific configurations. This allows you to manage the base template or template
stack configuration from Panorama™, while maintaining any firewall-specific configurations that
do not apply to other firewalls.
STEP 1 | Access the firewall web interface.
Directly access the firewall by entering its IP address in the URL field of your browser or use
the Context drop-down in Panorama to switch to the firewall context.


STEP 2 | Override a value pushed from a template or template stack.

In this example, you override the DNS server IP address that you assigned using a template in
Add a Template.
1. Select Device > Setup > Services and edit the Services section.
2. Click the template icon ( ) for the Primary DNS Server to enable overrides for that
field.
3. Enter the new IP address for the Primary DNS Server. A template override symbol ( )
indicates that the template value was overridden.
4. Click OK and Commit your changes.

Override a Template Value Using a Template Stack


You can use template stack values to override configurations pushed to the managed firewall
from a template to create a template stack configuration that you can use to manage the base
configuration of your managed firewalls from Panorama™. This enables you to leverage the
management capabilities of Panorama to push configuration changes to multiple devices from a
single location. In this example, you will use a template stack to override the Primary DNS server
IP address variable called $DNS that was pushed from a template.

Panorama supports using a template stack to override interfaces configured in a template
except for Layer2 sub-interfaces of an aggregated interface.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | From the Template drop-down, select the template stack that will override the template
configuration.

STEP 3 | Override the pushed template configuration.

1. Select Device > Setup > Services and edit the Services section.
2. Configure the Primary DNS with the IP address to override the pushed template
configuration and click OK.

STEP 4 | Commit and Push the configuration change.

Override a Template Value Using a Template Stack Variable


You can use template stack values and variables to override configurations pushed to the managed
firewall from a template to create a template stack configuration that you can use to manage the
base configuration of your managed firewalls from Panorama™. This enables you to leverage the
management capabilities of Panorama to push configuration changes to multiple firewalls from a
single location. In this example, you will create a template stack variable by overriding the Primary
DNS server IP address variable called $DNS that was pushed from a template.

Panorama supports using a template stack to override interfaces configured in a template
except for Layer2 sub-interfaces of an aggregated interface.

STEP 1 | Log in to the Panorama Web Interface.


STEP 2 | Override the template variable.


1. Select Panorama > Templates.
2. Manage (Variables column) the template stack containing the template variable you need
to override.
3. Locate and select the $DNS variable.
4. Select Override.
5. Enter the new variable value and click OK.

STEP 3 | Commit and Push your changes.

Override a Template or Template Stack Value Using Variables


You can use firewall-specific variables to override variables pushed to the managed firewall
from a template or template stack to create firewall-specific configurations. This allows you
to manage the base template or template stack configuration while maintaining any
firewall-specific configurations that do not apply to other firewalls, all from Panorama™. This
allows you to leverage the management capabilities of Panorama while accounting for any specific
configurations required for individual firewalls. In this example, the Primary DNS server IP address
variable called $DNS that has been pushed from a template will be overridden to create a
firewall-specific variable.

You can override template or template stack variables that have not been overridden. If a
template or template stack variable is already overridden, Revert the override to create a
firewall-specific variable.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Override the template or template stack variable.


1. Select Panorama > Managed Devices > Summary.
2. Edit (Variables column) the firewall containing the variable you need to override.
3. Locate and select the $DNS variable.
4. Select Override.
5. Enter the new firewall-specific IP address and click OK.

STEP 3 | Commit and Push your changes.

Disable/Remove Template Settings


If you want to stop using a template or template stack for managing the configuration on a
managed firewall, you can disable the template or stack. When disabling, you can copy the
template/stack values to the local configuration of the firewall or delete the values.

If you want to override a single setting instead of disabling or removing every template or
stack setting, see Override a Template Setting.
See Templates and Template Stacks for details on how to use these for managing
firewalls.


STEP 1 | Access the web interface of the managed firewall as an administrator with the Superuser
role. You can directly access the firewall by entering its IP address in the browser URL field
or, in Panorama, select the firewall in the Context drop-down.

STEP 2 | Select Device > Setup > Management and edit the Panorama Settings.

STEP 3 | Click Disable Device and Network Template.

STEP 4 | (Optional) Select Import Device and Network Template before disabling, to save the
configuration settings locally on the firewall. If you do not select this option, PAN-OS will
delete all Panorama-pushed settings from the firewall.

STEP 5 | Click OK twice and then Commit the changes.


Manage the Master Key from Panorama


Panorama, firewalls, Log Collectors, and WF-500 appliances use a master key to encrypt sensitive
elements in the configuration, and they have a default master key they use to encrypt passwords
and configuration elements. As part of a standard security practice, you should replace the default
master key and change the key on each individual firewall, Log Collector, WildFire appliance, and
Panorama before it expires.
To strengthen your security posture, configure a unique master key for Panorama and for
each managed firewall. By configuring unique master keys, you can ensure that a compromised
master key does not compromise the configuration encryption of your entire deployment. Unique
master keys are supported only for Panorama and managed firewalls. Log Collectors and WildFire
appliances must share the same master key as Panorama. For Panorama or managed firewalls in
a high availability (HA) configuration, you must deploy the same master key for both HA peers as
the master key is not synchronized across HA peers.
Configuring a unique master key also eases the operational burden of updating your master
keys. By configuring a unique master key for a managed firewall, you can update each master key
individually without the need to coordinate changing the master key across a large number of
managed firewalls.
To update the master key for managed firewalls from Panorama, the configuration pushed from
Panorama and the local firewall configuration must not contain any cross references to each other
in their configuration objects.

Palo Alto Networks recommends updating the master key from Panorama during a
planned maintenance window and with the help of Palo Alto Networks Support to avoid
network disruptions for your organization.
If your managed firewalls contain both local and Panorama-pushed configuration that
reference one another, you are required to localize the configuration to the firewall.
This removes any local overrides of a Panorama-pushed configuration, which may lead to
network disruptions if not restored correctly.
For managed firewalls in a high availability (HA) configuration, you are required to disable
HA as well.

When a master key expires, you must enter the current master key in order to configure a
new master key.
Be sure to keep track of the master key you deploy to your managed firewalls, Log
Collectors, and WildFire appliances because master keys cannot be recovered. You must
reset to factory default if you cannot provide the current master key when it expires.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | (Best Practice) Select Commit and Commit and Push any pending configuration changes.
Panorama must re-encrypt data using the new master key. To ensure all configuration elements
are encrypted with the new master key, you should commit all pending changes before
deploying the new master key.


STEP 3 | Localize the managed firewall configuration.

This step is required only if the managed firewall has a local and Panorama-pushed
configuration that reference each other or local overrides of a Panorama-pushed
configuration.
Skip this step if your managed firewall configuration is entirely pushed from Panorama,
or if the local and Panorama-pushed parts of the managed firewall configuration contain
no references to each other and there are no local overrides.

1. Log in to the firewall web interface.


2. Locate and document all local overrides of the Panorama-pushed configuration.
This step is required when you restore configuration objects pushed from Panorama
to the managed firewall configuration. Localizing the managed firewall configuration
removes all local overrides and converts them into local configuration objects. When
you restore the managed firewall configuration, these objects may be overridden with
Panorama-pushed configuration objects of the same name and not have the
firewall-specific values.
3. Select Device > Setup > Management and edit the Panorama Settings.
4. Disable Panorama Policy and Objects and Import Panorama Policy and Objects before
disabling.
Import Panorama Policy and Objects before disabling to import the Panorama-pushed
policy and device group objects to the local firewall configuration. Otherwise, the firewall
deletes these Panorama-pushed policy and device settings from the managed firewall.
5. Click OK.
6. Disable Device and Network Templates and Import Device and Network Templates
before disabling.
Import Device and Network Templates before disabling to import the Panorama-pushed
device and template objects to the local firewall configuration. Otherwise, the firewall
deletes these Panorama-pushed device and template settings from the managed firewall.
7. Click OK.
8. Commit.


STEP 4 | Configure a unique master key for a managed firewall.


1. (HA only) Disable Config Sync for managed firewalls.
This step is required before deploying a new master key to a firewall HA pair.
1. Log in to the Panorama Web Interface.
2. Select Device > High Availability > General and select the Template containing the
managed firewall HA configuration.
3. Edit the HA Pair Settings Setup.
4. Disable (clear) Enable Config Sync and click OK.
5. Commit and Commit and Push your configuration changes.
2. Select Panorama > Managed Devices > Summary and Deploy Master Key.
3. Select a managed firewall and Change the master key.

If you want to deploy a unique master key for a specific set of managed firewalls,
you can select those specific managed firewalls as well.

4. Configure the master key:
1. If renewing a master key, enter the Current Master Key. If you are replacing the
default master key with a new master key, do not specify a Current Master Key.
2. (Optional) Enable (check) Stored on HSM if the master key is encrypted on a
Hardware Security Module (HSM).
3. Specify the New Master Key and Confirm Master Key.
4. Configure the master key Lifetime and Time for Reminder.
5. Click OK.


5. Verify that the master key was deployed successfully to all selected managed firewalls.
A System log generates when you deploy a new master key from Panorama.
6. (Optional) Configure the master key to automatically renew for your managed firewalls.
Configure this setting to automatically renew the master key deployed on the managed
firewalls associated with the selected template. Otherwise, the master key expires per
the configured master key lifetime and you must deploy a new master key.
1. Select Device > Master Key and Diagnostics and select the Template containing the
target managed firewalls.
2. Edit the Master Key settings and configure the Auto Renew With Same Master Key
setting.
3. Click OK.
4. Commit and Commit and Push your configuration changes.


STEP 5 | Configure the master key on Panorama.


1. (HA only) Disable the HA configuration for Panorama.
This step is required to successfully change the master key for both Panorama HA peers. You
are unable to commit configuration changes on the secondary HA peer when Panorama
is in an HA configuration.
1. Log in to the Panorama Web Interface.
2. Select Panorama > High Availability > General and edit the HA Setup.
3. Disable (uncheck) Enable HA and click OK.
4. Commit and Commit to Panorama.
2. Select Panorama > Master Key and Diagnostics and configure the master key.
1. If renewing a master key, enter the Current Master Key. If you are replacing the
default master key with a new master key, do not specify a Current Master Key.
2. Configure the New Master Key and Confirm Master Key.
3. Configure the master key Lifetime and Time for Reminder.
4. Click OK.
3. (Optional) Configure the Panorama master key to automatically renew.
Configure this setting to automatically renew the master key deployed on Panorama.
Otherwise, the master key expires per the configured master key lifetime and you must
deploy a new master key.
1. Select Panorama > Master Key and Diagnostics and edit the Master Key setting.
2. Configure the Auto Renew With Same Master Key setting.
3. Click OK.
4. Select Commit > Commit to Panorama and Commit your changes.
5. (HA only) Repeat this step to configure an identical master key on the secondary HA
peer.
You must manually configure an identical master key on the primary and secondary HA
peers when Panorama is in an HA configuration. The master key is not synchronized
between the primary and secondary HA peers.


STEP 6 | Deploy the master key to Log Collectors.


The master key configured for your Log Collectors must be identical to the master key
configured for Panorama.
1. Select Panorama > Managed Collectors and Deploy Master Key.
2. Select all devices and Change the master key.
3. Configure the master key:
1. If renewing a master key, enter the Current Master Key. If you are replacing the
default master key with a new master key, do not specify a Current Master Key.
2. Specify the New Master Key and Confirm Master Key.
3. Configure the master key Lifetime and Time for Reminder.
4. Click OK.
4. Verify that the master key was deployed successfully to all selected devices.
A System log generates when you deploy a new master key from Panorama.

STEP 7 | Deploy the master key to managed WildFire appliances.


The master key configured for your WildFire appliances must be identical to the master key
configured for Panorama.
1. Select Panorama > Managed WildFire Appliances and Deploy Master Key.
2. Select all devices and Change the master key.
3. Configure the master key:
1. If renewing a master key, enter the Current Master Key. If you are replacing the
default master key with a new master key, do not specify a Current Master Key.
2. Specify the New Master Key and Confirm Master Key.
3. Configure the master key Lifetime and Time for Reminder.
4. Click OK.
4. Verify that the master key was deployed successfully to all selected devices.
A System log generates when you deploy a new master key from Panorama.

STEP 8 | (HA Panorama only) Reconfigure the Panorama HA configuration.


Repeat this step for both the primary and secondary Panorama HA peers.
1. Select Panorama > High Availability > General and edit the HA Setup.
2. Enable (check) Enable HA and click OK.
3. Commit and Commit to Panorama.

STEP 9 | (HA Firewalls only) Enable config sync for managed firewalls.
1. Select Device > High Availability > General and select the Template containing the
managed firewall HA configuration.
2. Edit the HA Pair Settings Setup.
3. Enable (check) Enable Config Sync and click OK.
4. Commit and Commit and Push your configuration changes.


STEP 10 | Enable Panorama to push configuration objects to the managed firewall.


1. Log in to the firewall web interface.
2. Select Device > Setup > Management and edit the Panorama Settings.
3. Enable Panorama Policy and Objects and click OK.
4. Enable Device and Network Templates and click OK.
5. Click OK.
6. Commit.

STEP 11 | Push the Panorama configuration back to managed firewalls for which you localized the
configuration.

Perform this step with Palo Alto Networks Support and ensure you have a complete
list of all local overrides on your managed firewalls. Failure to preserve important local
firewall configurations or restore any local overrides or references can result in network
disruptions.

1. Log in to the Panorama Web Interface.
2. Select Commit > Push to Devices and Edit Selections.
3. Check (enable) Include Device and Network Templates and Force Template Values.
This is required to convert the localized Panorama configuration on the managed firewall
back to a Panorama-pushed configuration.
4. Select Device Groups or Templates to select the managed firewall that required localizing
the Panorama-pushed configuration.
5. Click OK.
6. Push to the selected managed firewalls.
7. Log in to the firewall web interface of the impacted managed firewalls to modify the local
firewall configuration as needed.


Schedule a Configuration Push to Managed Firewalls


Reduce the operational overhead of pushing configuration changes to managed firewalls by
creating a scheduled configuration push to automatically push changes to your managed firewalls
on a specified date and time. You can configure a scheduled configuration push to either occur
once or on a regularly occurring schedule. This allows you to push configuration changes made by
multiple administrators to multiple firewalls without the need for involvement of any administrator.
A scheduled configuration push is supported for a target managed firewall running any PAN-OS
release.
Superusers and custom Panorama admins with an appropriately defined admin role profile can
create a scheduled configuration push to managed firewalls. To create a scheduled configuration
push, you set the schedule parameters of when and how frequently a push occurs and to which
managed firewalls to push. For a Panorama in a high availability (HA) configuration, the
scheduled configuration push is synchronized across the HA peers.

If you create multiple scheduled configuration pushes, you must create them at a minimum
of a 5 minute interval to allow for the Panorama management server to validate the
configuration. Scheduled configuration pushes that are within 5 minutes of each other
may fail due to Panorama being unable to validate the first scheduled configuration push
changes.

After a successful scheduled configuration push occurs, you can view the scheduled configuration
push execution history to understand when the last push for a specific schedule occurred, and
how many managed firewalls were impacted. From the total number of impacted managed
firewalls, you can view how many configuration pushes to managed firewalls were successful
and how many failed. Of the failed pushes, you can view the total number of managed firewalls
with automatically reverted configurations due to a configuration change that interrupted the
connection between the managed firewall and Panorama.
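The 5 minute spacing in the note above is easy to violate once recurring schedules overlap, for example a weekly push that lands on the same day as a daily one. The following Python script is an added example, not part of this guide or of Panorama, that expands a set of schedules over a time horizon and reports any two runs, from any schedules, that fall closer together than 5 minutes, so the conflict can be found before the second push fails validation. The schedule names and dates are constructed; the recurrence kinds are the ones the guide lists (one time, daily, weekly, monthly).

```python
import calendar
from datetime import datetime, timedelta

# Panorama needs at least 5 minutes between scheduled pushes so it can
# validate the first one before the next starts (from the note above).
MIN_GAP = timedelta(minutes=5)


def add_months(start, n):
    """Return `start` moved forward n months, clamping the day so that a
    schedule created on the 31st still runs in 30-day months."""
    month_index = start.month - 1 + n
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)


def occurrences(start, recurrence, horizon):
    """Yield every run time of one schedule from `start` up to `horizon`.
    recurrence is one of 'once', 'daily', 'weekly', 'monthly'."""
    n = 0
    while True:
        if recurrence == "once":
            t = start
        elif recurrence == "daily":
            t = start + timedelta(days=n)
        elif recurrence == "weekly":
            t = start + timedelta(weeks=n)
        elif recurrence == "monthly":
            t = add_months(start, n)
        else:
            raise ValueError(f"unknown recurrence {recurrence!r}")
        if t > horizon:
            return
        yield t
        if recurrence == "once":
            return
        n += 1


def find_conflicts(schedules, horizon):
    """schedules: iterable of (name, first run datetime, recurrence).
    Returns (earlier name, later name, earlier time, later time) for every
    pair of consecutive runs, across all schedules, closer than MIN_GAP."""
    runs = sorted((t, name) for name, start, rec in schedules
                  for t in occurrences(start, rec, horizon))
    return [(na, nb, ta, tb) for (ta, na), (tb, nb) in zip(runs, runs[1:])
            if tb - ta < MIN_GAP]


# Constructed schedules, one of each kind; the dates are examples only.
SAMPLE_SCHEDULES = [
    ("dg-branch-weekly", datetime(2022, 3, 7, 2, 0, 0), "weekly"),  # Mondays 02:00
    ("tpl-dns-daily", datetime(2022, 3, 1, 2, 3, 0), "daily"),      # every day 02:03
    ("hotfix-once", datetime(2022, 3, 15, 9, 0, 0), "once"),
]

if __name__ == "__main__":
    for earlier, later, t_a, t_b in find_conflicts(SAMPLE_SCHEDULES, datetime(2022, 3, 31)):
        print(f"{earlier} at {t_a} and {later} at {t_b} are only {t_b - t_a} apart")
```

With the sample schedules the daily 02:03 push collides with the weekly 02:00 push every Monday in March; moving either schedule by a few minutes clears all four conflicts.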
STEP 1 | Log in to the Panorama Web Interface.


STEP 2 | Create a scheduled configuration push.


1. Select Panorama > Scheduled Config Push and Add a new scheduled configuration push.

You can also schedule a configuration push to managed firewalls when you push
to devices (Commit > Push to Devices).
2. Configure the name and frequency of the scheduled configuration push.
• Name—Name of the configuration push schedule.
• Date—Date on which the configuration push is scheduled to occur next.
• Time—Time (hh:mm:ss) at which the configuration push is scheduled to occur on the
scheduled configuration push Date.
• Recurrence—Whether the scheduled configuration push is a one time push or a
recurring scheduled push (monthly, weekly, or daily).
3. In the Push Scope Selection, select one or more device groups, templates, or template
stacks.
You must select at least one device group, template, or template stack to successfully
schedule a config push.
All managed firewalls associated with the selected device groups, templates, or template
stacks are included in the scheduled config push.
1. Select one or more Device Groups you want to schedule to push.
2. Select one or more Templates you want to schedule to push.

Up to 64 templates are supported for a single scheduled configuration push.

3. Verify whether to Merge with Device Candidate config to merge the configuration
changes pushed from Panorama with any pending configuration changes implemented
locally on the firewall.
This setting is enabled by default.
4. Verify whether to Include Device and Network Templates to push both device group
changes and the associated template changes in a single operation.
This setting is enabled by default. If disabled, Panorama pushes the device group and
associated template changes as separate operations.

Force Template Values is not supported for a scheduled configuration push, to
prevent outages during off hours caused by a configuration push that overwrites
the local firewall configuration.

4. Click OK.
5. Click Commit and Commit to Panorama.


STEP 3 | View the execution history to verify that the scheduled configuration push for all managed
firewalls was successful.
1. Select Panorama > Scheduled Config Push and click the Last Executed time stamp in the
Status column.
2. View the execution history for the scheduled configuration push.
This includes the last time the scheduled configuration push occurred and the total
number of impacted managed firewalls. Of the total number of impacted firewalls, you
can view how many scheduled configuration pushes were successful, how many failed,
and how many of the managed firewalls automatically reverted their configuration due
to a configuration change that caused a disconnect between the managed firewall and
Panorama.
3. Click Tasks to view the full operation details for the latest scheduled configuration push.


Redistribute Data to Managed Firewalls


To ensure all the firewalls that enforce policies and generate reports have the required data and
authentication timestamps for your policy rules, you can leverage your Panorama infrastructure to
redistribute the mappings and timestamps.

Configure the Panorama management server to redistribute data.


1. Add firewalls, virtual systems, or Windows User-ID agents as redistribution agents to
Panorama:
1. Select Panorama > Data Redistribution and Add each redistribution agent.
2. Enter a Name to identify the redistribution agent.
3. Confirm that the agent is Enabled.
4. Enter the Host name or IP address of the MGT interface on the firewall.
5. Enter the Port number on which the firewall will listen for data redistribution queries
(default is 5007).
6. If the redistribution agent is a firewall or virtual system, enter the Collector Name and
Collector Pre-Shared Key.
7. Select the Data type that you want to redistribute. You can select all data types, but
you must select at least one of the following data types:
• IP User Mappings
• IP Tags
• User Tags
• HIP
• Quarantine List
8. Click OK to save the configuration.
2. Enable the Panorama MGT interface to respond to data redistribution queries from
firewalls:

If the Panorama management server has a high availability (HA) configuration,
perform this step on each HA peer as a best practice so that redistribution
continues if Panorama fails over.

1. Select Panorama > Setup > Interfaces and Management.
2. Select User-ID in the Network Services section and click OK.
3. Select Commit > Commit to Panorama to activate your changes on Panorama.


Configure firewalls to receive data that Panorama redistributes.


1. Select Device > Data Redistribution > Agents then select the Template to which the
firewalls are assigned.
2. Add an agent and enter a Name.
3. Select how you want to add the agent:
• Serial Number—Select the Serial Number of the Panorama you want to use from the
list:
• panorama—The active or solitary Panorama
• panorama2—(HA only) The passive Panorama
• Host and Port—Specify the following information:
• Select the Host name or IP address of the MGT interface on the firewall.
• Select whether the host is an LDAP Proxy.
• Enter the Port number on which the firewall will listen for data redistribution
queries (default is 5007).
• If the redistribution agent is a firewall or virtual system, enter the Collector Name
and Collector Pre-Shared Key.
• Select the Data type that you want to redistribute.
4. Confirm that the agent is Enabled and click OK to save the configuration.
5. Select Commit > Commit and Push to activate your changes on Panorama and push the
changes to the firewalls.

Verify that Panorama and firewalls receive redistributed data.

1. View the agent statistics (Panorama > Data Redistribution > Agents) and select Status
to view a summary of the activity for the redistribution agent, such as the number of
mappings that the client firewall has received.
2. Confirm the Source Name in the User-ID logs (Monitor > Logs > User-ID) to verify that
the firewall receives the mappings from the redistribution agents.
3. View the IP-Tag log (Monitor > Logs > IP-Tag) to confirm that the client firewall receives
data.
4. Access the CLI of a firewall or Panorama management server that redistributes data.
5. Display all the user mappings by running the following command:

> show user ip-user-mapping all

6. Record the IP address associated with any one username.
7. Access the CLI of a firewall or Panorama management server that receives redistributed
data.
8. Display the mapping information and authentication timestamp for the <IP-address> you
recorded:

> show user ip-user-mapping ip <IP-address>

IP address:    192.0.2.0 (vsys1)
User:          corpdomain\username1
From:          UIA
Idle Timeout:  10229s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\groupname(621)

This example output shows the timestamp for a response to one authentication
challenge (factor). For Authentication rules that use multi-factor authentication
(MFA), the output shows multiple timestamps.
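As an added example that is not part of the guide, the following Python script parses the show user ip-user-mapping ip output shown above and checks that the copy of a mapping on a receiving firewall agrees with the copy on the redistribution source (steps 6 through 8). The sample outputs are constructed from the format above, and the layout assumed for several MFA factors is an assumption, not something the guide states.

```python
import re
from datetime import datetime

# Constructed sample outputs modelled on the "show user ip-user-mapping ip"
# block shown above; they are not captures from a real device.
SOURCE_OUTPUT = """\
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  10229s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""

# The same mapping as displayed on a receiving firewall a few minutes later:
# the idle timer has counted down, but the identity data must be identical.
RECEIVER_OUTPUT = """\
IP address:    192.0.2.0 (vsys1)
User:          corpdomain\\username1
From:          UIA
Idle Timeout:  9871s
Max. TTL:      10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""

_IP_RE = re.compile(r"^(\S+)\s*(?:\((\S+)\))?$")
_SECONDS_RE = re.compile(r"^(\d+)s$")
# One factor looks like "first(1) - 2016/12/09 08:35:04". The guide says MFA
# rules show several timestamps; this parser assumes (assumption, not from the
# guide) that each extra factor is another "label(n) - date time" entry.
_FACTOR_RE = re.compile(r"(\w+)\((\d+)\)\s*-\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
_GROUP_RE = re.compile(r"(\S+?)\((\d+)\)")


def _seconds(value):
    """Turn a '10229s' field into an int; None when the field is absent or odd."""
    m = _SECONDS_RE.match(value or "")
    return int(m.group(1)) if m else None


def parse_mapping(output):
    """Parse one 'show user ip-user-mapping ip <IP>' block into a dict.

    Returns None when there is no 'IP address:' line, which is how a device
    holding no mapping for the address is treated here.
    """
    raw = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            raw[key.strip()] = value.strip()
    if "IP address" not in raw:
        return None
    m = _IP_RE.match(raw["IP address"])
    ip, vsys = m.groups() if m else (raw["IP address"], None)
    return {
        "ip": ip,
        "vsys": vsys,
        "user": raw.get("User", ""),
        "source": raw.get("From", ""),  # the "From" field, UIA in the example above
        "idle_timeout_s": _seconds(raw.get("Idle Timeout")),
        "max_ttl_s": _seconds(raw.get("Max. TTL")),
        "mfa": [
            (label, int(n), datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"))
            for label, n, ts in _FACTOR_RE.findall(raw.get("MFA Timestamp", ""))
        ],
        "groups": [(name, int(gid)) for name, gid in _GROUP_RE.findall(raw.get("Group(s)", ""))],
    }


def compare_mappings(source, receiver):
    """List how a receiver's copy of a mapping diverges from the source's copy.

    Timers count down independently on each device and are not compared;
    the IP, user, MFA timestamps and group membership must match.
    """
    if source is None:
        return ["no mapping on the redistribution source"]
    if receiver is None:
        return ["no mapping on the receiver"]
    problems = []
    for field in ("ip", "user"):
        if source[field] != receiver[field]:
            problems.append(f"{field}: source={source[field]!r} receiver={receiver[field]!r}")
    if source["mfa"] != receiver["mfa"]:
        problems.append("MFA timestamps differ")
    if set(source["groups"]) != set(receiver["groups"]):
        problems.append("group membership differs")
    return problems


if __name__ == "__main__":
    issues = compare_mappings(parse_mapping(SOURCE_OUTPUT), parse_mapping(RECEIVER_OUTPUT))
    print("mapping redistributed intact" if not issues else "\n".join(issues))
```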


Transion a Firewall to Panorama Management


If you have already deployed Palo Alto Networks firewalls and configured them locally, but now
want to use Panorama for centrally managing them, you must perform pre-migraon planning. The
migraon involves imporng firewall configuraons into Panorama and verifying that the firewalls
funcon as expected aer the transion. If some sengs are unique to individual firewalls, you
can connue accessing the firewalls to manage the unique sengs. You can manage any given
firewall seng by pushing its value from Panorama or by configuring it locally on the firewall, but
you cannot manage the seng through both Panorama and the firewall. If you want to exclude
certain firewall sengs from Panorama management, you can either:
• Migrate the enre firewall configuraon and then, on Panorama, delete the sengs that you
will manage locally on firewalls. You can also Override a Template or Template Stack Value that
Panorama pushes to a firewall instead of deleng the seng on Panorama.
• Load a paral firewall configuraon, including only the sengs that you will use Panorama to
manage.

Firewalls do not lose logs during the transition to Panorama management.

• Plan the Transion to Panorama Management


• Migrate a Firewall to Panorama Management
• Migrate a Firewall HA Pair to Panorama Management
• Load a Paral Firewall Configuraon into Panorama
• Localize a Panorama Pushed Configuraon on a Managed Firewall

Plan the Transion to Panorama Management


The following tasks are a high-level overview of the planning required to migrate firewalls to
Panorama management:
Decide which firewalls to migrate.
Plan a maintenance window and ensure there are no pending configuraon changes on
Panorama or the firewalls.
If you are migrang the firewall from one Panorama to another, localize the Panorama pushed
configuraon on the firewall.
Preserve your known working Panorama and firewall configuraons prior to migraon.
• Export the device state of your firewalls.
• Export a named Panorama configuraon shapshot of the running Panorama configuraon.
Determine the Panorama and firewall soware and content versions, and how you will manage
licenses and soware upgrades. For important details, see Panorama, Log Collector, Firewall,
and WildFire Version Compability.
Plan Your Panorama Deployment with respect to the URL filtering database (BrightCloud or
PAN-DB), log collecon, and administrator roles.


Plan how to manage shared settings.

Plan the Device Group Hierarchy, Templates and Template Stacks in a way that will reduce
redundancy and streamline the management of settings that are shared among all firewalls or
within firewall sets. During the migration, you can select whether to import objects from the
Shared location on the firewall into Shared on Panorama, with the following exceptions:
• If a shared firewall object has the same name and value as an existing shared Panorama
object, the import excludes that firewall object.
• If the name or value of the shared firewall object differs from an existing shared Panorama
object, Panorama imports the firewall object into each new device group that is created for
the import.
• If a configuration imported into a template references a shared firewall object, or if a shared
firewall object references a configuration imported into a template, Panorama imports
the object as a shared object regardless of whether you select the Import devices' shared
objects into Panorama's shared context check box.
Determine if the firewall has configuration elements (policies, objects, and other settings)
that you don’t want to import, either because Panorama already contains similar elements or
because those elements are firewall-specific (for example, timezone settings) and you won’t use
Panorama to manage them. You can perform a global find to determine if similar elements exist
on Panorama.
Decide the common zones for each device group. This includes a zone-naming strategy for
the firewalls and virtual systems in each device group. For example, if you have zones called
Branch LAN and WAN, Panorama can push policy rules that reference those zones without
being aware of the variations in port or media type, model, or logical addressing schema.
Create a post-migration test plan.
You will use the test plan to verify that the firewalls work as efficiently after the migration as
they did before. The plan might include tasks such as:
• Monitor the firewalls for at least 24 hours after the migration.
• Monitor Panorama and firewall logs for anomalies.
• Check administrator logins on Panorama.
• Test various types of traffic from multiple sources. For example, check bandwidth graphs,
session counts, and deny-rule traffic log entries (see Use Panorama for Visibility). The testing
should cover a representative sample of policy configurations.
• Check with your network operations center (NOC) and security operations center (SOC) for
any user-reported issues.
• Include any other test criteria that will help verify firewall functionality.

Migrate a Firewall to Panorama Management

When you import a firewall configuration, Panorama automatically creates a template to contain
the imported network and device settings. To contain the imported policies and objects, Panorama
automatically creates one device group for each firewall or one device group for each virtual
system (vsys) in a multi-vsys firewall.
When you perform the following steps, Panorama imports the entire firewall configuration.
Alternatively, you can Load a Partial Firewall Configuration into Panorama.


To migrate a firewall HA pair to Panorama management, see Migrate a Firewall HA Pair to
Panorama Management.

Panorama can import configurations from firewalls that run PAN-OS 5.0 or later releases
and can push configurations to those firewalls. The exception is that Panorama 6.1 and
later releases cannot push configurations to firewalls running PAN-OS 6.0.0 through 6.0.3.
Panorama can import configurations from firewalls that are already managed devices but
only if they are not already assigned to device groups or templates.

STEP 1 | Plan the migraon.


See the checklist in Plan the Transion to Panorama Management.

STEP 2 | Add the firewall as a managed device.


Add a Firewall as a Managed Device:
1. Log in to the Panorama Web Interface and select Panorama > Managed Devices >
Summary to Add a firewall as a managed device.
2. Enter the serial number of the firewall and click OK.

If you will import mulple firewall configuraons, enter the serial number of each
one on a separate line. Oponally, you can copy and paste the serial numbers
from a Microso Excel worksheet.
3. Select Commit > Commit to Panorama and Commit your changes.

STEP 3 | Set up a connecon from the firewall to Panorama.


1. Log in to the firewall web interface and select Device > Setup to edit the Panorama
Sengs.
2. In the Panorama Servers fields, enter the IP addresses of the Panorama management
server.
3. Click OK and Commit.


STEP 4 | Import the firewall configuration into Panorama.

If you later decide to re-import a firewall configuration, first remove the firewall from the device
groups and template to which it belongs. If the device group and template names
are the same as the firewall hostname, then you can delete the device group and
template before re-importing the firewall configuration or use the Device Group Name
Prefix fields to define new names for the device group and template created by the
re-import. Additionally, firewalls don’t lose logs when you remove them from device
groups or templates.

1. From Panorama, select Panorama > Setup > Operations, click Import device
configuration to Panorama, and select the Device.

Panorama can’t import a configuration from a firewall that is assigned to an
existing device group or template.
2. (Optional) Edit the Template Name. The default value is the firewall name. You can’t use
the name of an existing template or template stack.
3. (Optional) Edit the Device Group names. For a multi-vsys firewall, each device group
has a vsys name by default, so add a character string as a Device Group Name Prefix
for each. Otherwise, the default value is the firewall name. You can’t use the names of
existing device groups.

The Import devices' shared objects into Panorama's shared context check
box is selected by default, which means Panorama compares imported objects
that belong to the Shared location in the firewall to Shared in Panorama. If an
imported object is not in the Shared context of the firewall, it is applied to each
device group being imported. If you clear the check box, Panorama does not
compare imported objects and instead copies all shared firewall objects into the
device groups being imported rather than into Shared. This could create duplicate objects,
so selecting the check box is a best practice in most cases. To understand the
consequences of importing shared or duplicate objects into Panorama, see Plan
how to manage shared settings.
4. Select a Rule Import Location for the imported policy rules: Pre Rulebase or Post
Rulebase. Regardless of your selection, Panorama imports default security rules
(intrazone-default and interzone-default) into the post-rulebase.

If Panorama has a rule with the same name as a firewall rule that you import,
Panorama displays both rules. Delete one of the rules before performing a
Panorama commit to prevent a commit error.
5. Click OK. Panorama displays the import status, result, details about your selections,
details about what was imported, and any warnings. Click Close.
6. Select Commit > Commit to Panorama and Commit your changes.


STEP 5 | Push the configuraon bundle from Panorama to the newly added firewall to remove all
policy rules and objects from its local configuraon.
This step is necessary to prevent duplicate rule or object names, which would cause commit
errors when you push the device group configuraon from Panorama to the firewall in the next
step.

Pushing the imported firewall configuraon from Panorama to remove local firewall
configuraon updates Policy rule Creaon and Modified dates to reflect the date you
pushed to your newly managed firewalls when you monitor policy rule usage for a
managed firewall. Addionally, a new universially unique idenfier (UUID) for each
policy rule is created.

This step is required to successfully migrate firewall management to the Panorama


management server. Failure to perform this step successfully causes configuraon
errors and commit failures.

1. Log in to the Panorama Web Interface.


2. Select Panorama > Setup > Operaons and Export or push device config bundle.
3. Select the Device from which you imported the configuraon and click OK.

If a master key is configured, Use Master Key and enter the master key before
you click OK.
4. Select Push & Commit. Panorama pushes the bundle and iniates a commit on the
firewall.
5. Click Close aer the push has commied successfully.
6. Launch the Web Interface of the firewall and ensure that the configuraon has been
successfully commied. If not, Commit the changes locally on the firewall.
7. Select Commit > Commit to Panorama and Commit your changes.

STEP 6 | Push the device group and template configuraons to complete the transion to centralized
management.
This step overwrites any local Network and Device sengs configured on the firewall.
If you are migrang mulple firewalls, perform all the preceding steps—including this one—for
each firewall before connuing.
1. Select Commit > Commit and Push and Edit Selecons in the Push Scope.
2. Select Device Groups and select the device groups that contain the imported firewall
configuraons.
3. Select Merge with Device Candidate Config, Include Device and Network Templates,
and Force Template Values.
4. Click OK to save your changes to the Push Scope.
5. Commit and Push your changes.

STEP 7 | On the Panorama web interface, select Panorama > Managed Devices > Summary and
verify that the device group and template stack are in sync for the firewall. On the firewall
web interface, verify that configuration objects display a green cog icon, signifying that the
configuration object is pushed from Panorama.

STEP 8 | Fine-tune the imported configuration.

1. In Panorama, select Panorama > Config Audit, select the Running config and Candidate
config for the comparison, click Go, and review the output.
2. Update the device group and template configurations as needed based on the
configuration audit and any warnings that Panorama displayed after the import. For
example:
• Delete redundant objects and policy rules.
• Move or Clone a Policy Rule or Object to a Different Device Group.
• Move firewalls to different device groups or templates.
• Move a device group that Panorama created during the import to a different parent
device group: Select Panorama > Device Groups, select the device group you want to
move, select a new Parent Device Group, and click OK.

STEP 9 | Consolidate all the imported firewall configurations.

This step is required if you are migrating multiple firewalls.
1. After importing all the firewall configurations, update the device groups and templates
as needed to eliminate redundancy and streamline configuration management: see Fine-tune
the imported configuration. (You don’t need to push firewall configuration bundles
again.)
2. Configure any firewall-specific settings.
If the firewalls will have local zones, you must create them before performing a device
group or template commit; Panorama can’t poll the firewalls for zone name or zone
configuration. If you will use local firewall rules, ensure their names are unique (not
duplicated in Panorama). If necessary, you can Override a Template or Template Stack
Value with a firewall-specific value.
3. Commit and push your changes:
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Device Groups, select the device groups you changed, and Include Device and
Network Templates.
3. Click OK to save your changes to the Push Scope.
4. Commit and Push your changes.

STEP 10 | Perform your post-migration test plan.

Perform the verification tasks that you devised during the migration planning to confirm that
the firewalls work as efficiently with the Panorama-pushed configuration as they did with their
original local configuration: see Create a post-migration test plan.

Migrate a Firewall HA Pair to Panorama Management

If you have a pair of firewalls in an HA configuration that you want to manage using Panorama,
you have the option to import the configuration local to your firewall HA pair to Panorama
without needing to recreate any configurations or policies. You first import the firewall
configurations to Panorama, which are used to create a new device group and template. You
will perform a special configuration push of the device group and template to the firewalls to
overwrite the local firewall configurations and synchronize the firewalls with Panorama.
STEP 1 | Plan the migraon.
See the checklist in Plan the Transion to Panorama Management.

STEP 2 | Disable configuraon synchronizaon between the HA peers.


Repeat these steps for both firewalls in the HA pair.
1. Log in to the web interface on each firewall, select Device > High Availability > General
and edit the Setup secon.
2. Clear Enable Config Sync and click OK.
3. Commit the configuraon changes on each firewall.

STEP 3 | Connect each firewall to Panorama.

If Panorama is already receiving logs from these firewalls, you do not need to perform
this step. Connue to Step 5.

Repeat these steps for both firewalls in the HA pair.


1. Log in to the web interface on each firewall, select Device > Setup > Management and
edit the Panorama Sengs.
2. In the Panorama Servers fields, enter the IP addresses of the Panorama management
servers, confirm Panorama Policy and Objects and Device and Network Template are
enabled and select OK.
3. Commit the configuraon changes on each firewall.


STEP 4 | Add each firewall as a managed device.

If Panorama is already receiving logs from these firewalls, you do not need to perform
this step. Continue to Step 5.

Add a Firewall as a Managed Device.
1. Log in to the Panorama Web Interface, select Panorama > Managed Devices and click
Add.
2. Enter the serial number of each firewall and click OK.
3. Select Commit > Commit to Panorama and Commit your changes.
4. Verify that the Device State for each firewall is Connected.

STEP 5 | Import each firewall configuration into Panorama.

Do not push any device group or template stack configuration to your managed firewalls
in this step. Pushing the device group and template stack configuration during this step
wipes the local firewall HA configuration in the next steps.

If you later decide to re-import a firewall configuration, first remove the firewall from the device
groups and template to which it belongs. If the device group and template names
are the same as the firewall hostname, then you can delete the device group and
template before re-importing the firewall configuration or use the Device Group Name
Prefix fields to enter a new name for the device group and template created by the
re-import. Additionally, firewalls don’t lose logs when you remove them from device
groups or templates.

1. From Panorama, select Panorama > Setup > Operations, click Import device
configuration to Panorama, and select the Device.

Panorama can’t import a configuration from a firewall that is assigned to an
existing device group or template stack.
2. (Optional) Edit the Template Name. The default value is the firewall name. You can’t use
the name of an existing template or template stack.
3. (Oponal) Edit the Device Group names. For a mul-vsys firewall, each device group
has a vsys name by default, so add a character string as a Device Group Name Prefix

Panorama Administrator's Guide Version Version 10.1 365 ©2022 Palo Alto Networks, Inc.
Manage Firewalls

for each. Otherwise, the default value is the firewall name. You can’t use the names of
exisng device groups.

The Imported devices’ shared objects into Panorama’s shared context check
box is selected by default, which means Panorama compares imports objects
that belong to the Shared locaon in the firewall to Shared in Panorama. If an
imported object is not in the Shared context of the firewall, it is applied to each
device group being imported. If you clear the check box, Panorama copies will
not compare imported objects, and apply all shared firewall objects into device
groups being imported instead of Shared. This could create duplicate objects,
so selecng the check box is a best pracce in most cases. To understand the
consequences of imporng shared or duplicate objects into Panorama, see Plan
how to manage shared sengs.
4. Commit to Panorama.
5. Select Panorama > Setup > Operaons and Export or push device config bundle. Select
the Device, select OK and Push & Commit the configuraon.

The Enable Config Sync setting in Step 2 must be cleared on both firewalls before
you push the device group and template stack.
6. Launch the Web Interface of the firewall HA peer and ensure that the configuration
pushed in the previous step committed successfully. If not, Commit the changes locally
on the firewall.
7. Repeat Steps 1-6 above on the second firewall. The process creates a device group and
template stack for each firewall.


STEP 6 | Add the HA firewall pair into the same device group and template stack.

(Firewalls in active/active configuration) It is recommended to add HA peers to
the same device group but not to the same template stack because firewalls in
an active/active HA configuration typically need unique network configurations.
This simplifies policy management for the HA peers while reducing the operational
burden of managing the network configuration of each HA peer when their network
configurations are independent of each other. For example, firewalls in an active/active
HA configuration often need unique network configurations, such as unique
floating IP addresses that are used as the default gateway for hosts.
Ultimately, deciding whether to add firewalls in an active/active HA configuration to
the same device group and template stack is a design decision you must make when
designing your configuration hierarchy.

1. Select Panorama > Device Groups, select the device group of the second firewall, and
remove the second firewall from the device group.
2. Select the device group from which you removed the second firewall and Delete it.
3. Select the device group for the first firewall, select the second firewall, click OK and
Commit to Panorama to add it to the same device group as the HA peer.
4. Select Panorama > Templates, select the template stack of the second firewall, and
remove the second firewall from the template stack.
5. Select the template stack from which you removed the second firewall and Delete it.
6. Select the template stack for the first firewall, add the second firewall, select OK and
Commit to Panorama to add it to the same template stack as the HA peer.
7. Remove the HA settings in the template associated with the newly migrated firewalls.
1. Select Device > High Availability and select the Template containing the HA
configuration.
2. Select Remove All.
3. Commit to Panorama.
8. Push the device group and template stack configurations to your managed firewalls.

First push the device group and template stack configuration to your passive HA
peer and then to the active HA peer.

Pushing the imported firewall configuration from Panorama to remove the local
firewall configuration updates the policy rule Creation and Modified dates to reflect
the date you pushed to your newly managed firewalls when you monitor policy
rule usage for a managed firewall. Additionally, a new universally unique
identifier (UUID) is created for each policy rule.

1. Select Commit > Push to Devices and Edit Selections.
2. Enable (select) Merge Device Candidate Config, Include Device and Network
Templates, and Force Template Values.
3. Click OK.
4. Push to your managed firewalls.


5. Launch the Web Interface of the acve HA peer and select Device > High Availability
> Operaonal Commands to Suspend local device.
Fail over to the passive HA peer before modifying the acve HA peer to maintain your
security posture while compleng the configuraon migraon.
6. Repeat steps 1-4 for the now passive HA peer.
7. Launch the Web Interface of the now acve HA peer and select Device > High
Availability > Operaonal Commands to Suspend local device.
This restores the original acve/passive HA peer roles.
9. Select Panorama > Managed Devices > Summary, and verify that the device group and
template are in sync for the passive firewall. Verify policy rules, objects and network
sengs on the passive firewall match the acve firewall.

STEP 7 | Enable configuraon synchronizaon between the HA peers.


Repeat these steps for both firewalls in the HA pair if you plan on maintaining a local
configuraon that needs to be synchronized.
1. Log in to the web interface on each firewall, select Device > High Availability > General
and edit the Setup secon.
2. Select Enable Config Sync and click OK.
3. Commit the configuraon changes on each firewall.

Load a Paral Firewall Configuraon into Panorama


If some configuraon sengs on a firewall are common to other firewalls, you can load those
specific sengs into Panorama and then push them to all the other firewalls or to the firewalls in
parcular device groups and templates.
Loading a configuraon into a Panorama management server requires a full commit and must
be performed by a superuser. Full commits are required when performing certain Panorama
operaons, such as reverng and loading a configuraon snapshot, and are not supported for
custom Admin Role profiles.
STEP 1 | Plan the transion to Panorama.
See the checklist in Plan the Transion to Panorama Management.


STEP 2 | Resolve how to manage duplicate settings, which are those that have the same names in
Panorama as in a firewall.
Before you load a partial firewall configuration, Panorama and that firewall might already have
duplicate settings. Loading a firewall configuration might also add settings to Panorama that are
duplicates of settings in other managed firewalls.

If Panorama has policy rules or objects with the same names as those on a firewall, a
commit failure will occur when you try to push device group settings to that firewall.
If Panorama has template settings with the same names as those on a firewall, the
template values will override the firewall values when you push the template.

1. On Panorama, perform a global find to determine if duplicate settings exist.
2. Delete or rename the duplicate settings on the firewall if you will use Panorama to
manage them, or delete or rename the duplicate settings on Panorama if you will use
the firewall to manage them. If you will use the firewall to manage device or network
settings, instead of deleting or renaming the duplicates on Panorama, you can also push
the settings from Panorama (Step 6) and then Override a Template or Template Stack
Value on the firewall with firewall-specific values.

STEP 3 | Export the entire firewall configuration to your local computer.

1. On the firewall, select Device > Setup > Operations.
2. Click Save named configuration snapshot, enter a Name to identify the configuration,
and click OK.
3. Click Export named configuration snapshot, select the Name of the configuration you
just saved, and click OK. The firewall exports the configuration as an XML file.

STEP 4 | Import the firewall configuration snapshot into Panorama.

1. On Panorama, select Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the firewall
configuration file you exported to your computer, and click OK.

After using this option to import a firewall configuration file, you can’t use
the Panorama web interface to load it. You must use the XML API or CLI, as
described in the next step.


STEP 5 | Load the desired part of the firewall configuration into Panorama.
To specify a part of the configuration (for example, all application objects), you must identify
the:
• Source xpath—The XML node in the firewall configuration file from which you are loading.
• Destination xpath—The node in the Panorama configuration to which you are loading.
Use the XML API or CLI to identify and load the partial configuration:
1. Use the firewall XML API or CLI to identify the source xpath.
For example, the xpath for application objects in vsys1 of the firewall is:

/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application

2. Use the Panorama XML API or CLI to identify the destination xpath.
For example, to load application objects into a device group named US-West, the xpath
is:

/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application

3. Use the Panorama CLI to load the configuration and commit the change:

# load config partial mode [append|merge|replace] from-xpath <source-xpath> to-xpath <destination-xpath> from <filename>
# commit

For example, enter the following to load the application objects from vsys1 on an
imported firewall configuration named fw1-config.xml into a device group named US-West
on Panorama:

# load config partial mode merge from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='US-West']/application from fw1-config.xml
# commit
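The duplicate-name problem that Step 2 and Step 6 warn about can be checked before the load is run. The following Python script is an added example, not part of the guide or of PAN-OS: it resolves the source and destination xpaths above against constructed firewall and Panorama configuration files using only the standard library and lists the application objects that would collide with the device group or with Panorama's Shared location (assumed here to sit at /config/shared/<object-type>). It does not simulate the append, merge or replace modes.

```python
import xml.etree.ElementTree as ET

# Constructed firewall configuration export, standing in for the file imported
# as fw1-config.xml in the example above and trimmed to three application
# objects in vsys1.
FIREWALL_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <application>
            <entry name="custom-crm"><category>business-systems</category></entry>
            <entry name="legacy-erp"><category>business-systems</category></entry>
            <entry name="pos-terminal"><category>business-systems</category></entry>
          </application>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Constructed Panorama configuration: device group US-West already holds an
# application named legacy-erp and Shared already holds one named custom-crm.
PANORAMA_CONFIG = """\
<config>
  <shared>
    <application>
      <entry name="custom-crm"><category>business-systems</category></entry>
    </application>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <device-group>
        <entry name="US-West">
          <application>
            <entry name="legacy-erp"><category>general-internet</category></entry>
          </application>
        </entry>
      </device-group>
    </entry>
  </devices>
</config>
"""

SOURCE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                "/vsys/entry[@name='vsys1']/application")
DEST_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/device-group/entry[@name='US-West']/application")


def find_node(root, xpath):
    """Resolve an absolute /config/... xpath against a parsed <config> root.

    ElementTree's find() works relative to the root element and understands the
    [@name='...'] predicates these xpaths use, so the leading '/config/' is
    dropped. Returns None when the node does not exist.
    """
    prefix = "/config/"
    if root.tag != "config" or not xpath.startswith(prefix):
        raise ValueError("expected an absolute /config/... xpath and a <config> root")
    return root.find(xpath[len(prefix):])


def entry_names(node):
    """Names of the <entry> children of a container node; empty if it is absent."""
    return set() if node is None else {e.get("name") for e in node.findall("entry")}


def load_conflicts(firewall_xml, panorama_xml, source_xpath, dest_xpath):
    """Pre-flight check for 'load config partial'.

    Returns sorted lists of object names under the source xpath that already
    exist under the destination xpath, names that already exist in Panorama's
    Shared location for the same object type, and names that are new.
    """
    fw_root = ET.fromstring(firewall_xml)
    pan_root = ET.fromstring(panorama_xml)
    src_node = find_node(fw_root, source_xpath)
    if src_node is None:
        raise ValueError(f"source xpath not found in firewall config: {source_xpath}")
    src_names = entry_names(src_node)
    dest_names = entry_names(find_node(pan_root, dest_xpath))
    # Shared objects of the same type are assumed to live at /config/shared/<type>,
    # where <type> is the last step of the destination xpath.
    obj_type = dest_xpath.rsplit("/", 1)[-1]
    shared_names = entry_names(pan_root.find(f"shared/{obj_type}"))
    return {
        "destination_duplicates": sorted(src_names & dest_names),
        "shared_duplicates": sorted(src_names & shared_names),
        "new_objects": sorted(src_names - dest_names - shared_names),
    }


if __name__ == "__main__":
    for kind, names in load_conflicts(FIREWALL_CONFIG, PANORAMA_CONFIG,
                                      SOURCE_XPATH, DEST_XPATH).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

To run it against real files, read the exported snapshot and the Panorama running configuration into the two string arguments; the xpaths are the same ones the CLI command takes.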

STEP 6 | Push the paral configuraon from Panorama to the firewall to complete the transion to
centralized management.
1. On the firewall, delete any rules or objects that have the same names as those in
Panorama. If the device group for that firewall has other firewalls with rules or objects

Panorama Administrator's Guide Version Version 10.1 370 ©2022 Palo Alto Networks, Inc.
Manage Firewalls

that are duplicated in Panorama, perform this step on those firewalls also. For details, see
Step 2.
2. On Panorama, push the paral configuraon to the firewall.
1. Select Commit > Commit and Push and Edit Selecons in the Push Scope.
2. Select Device Groups and select the device groups that contain the imported firewall
configuraons.
3. Select Merge with Device Candidate Config, Include Device and Network Templates,
and Force Template Values.
4. Click OK to save your changes to the Push Scope.
5. Commit and Push your changes.
3. If the firewall has a device or network seng that you won’t use Panorama to manage,
Override a Template or Template Stack Value on the firewall.

STEP 7 | Perform your post-migraon test plan.


Perform the verificaon tasks that you devised during the migraon planning to confirm that
the firewall works as efficiently with the Panorama-pushed configuraon as it did with its
original local configuraon: see Create a post-migraon test plan.

Localize a Panorama Pushed Configuration on a Managed Firewall

You can localize the template and device group configurations pushed from the Panorama™
management server to:
• Remove the firewall from Panorama management.
• Migrate firewall management to a different Panorama.
• In the case of an emergency where Panorama is not accessible, ensure administrators can
modify the managed firewall configuration locally.
STEP 1 | Launch the web interface of the managed firewall as an administrator with the Superuser
role. You can directly access the firewall by entering its IP address in the browser URL field
or, in Panorama, select the firewall in the Context drop-down.

STEP 2 | (Best Practice) Select Device > Setup > Operations and Export device state.
Save a copy of the firewall system state, including device group and template settings pushed
from Panorama, in the event you need to reload a known working configuration on the
managed firewall.

STEP 3 | Disable the template configuration to stop using templates and template stacks to manage the
network configuration objects of the managed firewall.
1. Select Device > Setup > Management and edit the Panorama Settings.
2. Click Disable Device and Network Template.
3. (Optional) Select Import Device and Network Template before disabling to save the
template configuration settings locally on the firewall. If you do not select this option,
PAN-OS deletes all Panorama-pushed settings from the firewall.
4. Click OK twice to continue.

STEP 4 | Disable the device group configuration to stop using a device group to manage the policy and object configurations of the managed firewall.
1. Select Device > Setup > Management and edit the Panorama Settings.
2. Click Disable Panorama Policy and Objects. (Optional) In the confirmation dialog, select Import Panorama Policy and Objects before disabling to save the policy and object configurations locally on the firewall. If you do not select this option, PAN-OS deletes all Panorama-pushed configurations from the firewall.
3. Click OK to continue.

Do not aempt to commit your configuraon changes on the managed firewall yet as
all commits fail unl the following steps are successfully completed.

STEP 5 | Select Device > Setup > Operaons and Save named configuraon snapshot.

STEP 6 | Load named configuraon snapshot and enable (check) Regenerate Rule UUIDs for selected
named configuraon to generate new policy rule UUIDs.
This step is required to successfully localize the Panorama-pushed policy rules on the managed
firewalls.

STEP 7 | Click OK to load the named configuraon snapshot.

STEP 8 | Commit the named configuraon snapshot load.


Device Monitoring on Panorama

After adding your firewalls and configuring policy rules, you can monitor their health status to ensure that they are operating within healthy parameters. For policy rules, monitor rule traffic matches to identify which rules match your traffic enforcement needs.
• Monitor Device Health
• Monitor Policy Rule Usage

Monitor Device Health

Monitor the health information of your managed firewalls to identify and resolve hardware issues before they impact your network security. Both Panorama™ and the managed firewalls must be running PAN-OS® 8.1 or a later release, but firewalls do not need to be part of a device group or template stack for Panorama to monitor their summary session, logging, resource, and environmental performance. Panorama stores the last 90 days of health monitoring statistics for your managed firewalls, so when you select a firewall you can view time-trended graphs and tables for sessions, environmentals, interfaces, logging, resources, and high availability performance.
Panorama calculates the baseline performance of each metric using seven-day averages and standard deviation to determine a normal operating range for that specific firewall. In addition to tracking the baseline and comparing time-trended performance, you can view which firewalls have deviating metrics and isolate performance-related issues before they impact your network. When Panorama identifies that a metric is outside the normal operating range, it marks the metric and lists the firewall on the Deviating Devices tab.
The health monitoring data is stored on Panorama and is preserved if a firewall is removed. When a firewall is removed from Panorama management, its health monitoring data is no longer displayed but is retained for 90 days; after 90 days, Panorama deletes all health monitoring data for the removed firewall. If the firewall is added back to Panorama management within that period, the latest health monitoring data from before it was removed is displayed again.
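The baseline and deviation logic described above, as an added example in Python (not Panorama code): it computes a per-firewall, per-metric baseline from the trailing seven days, prunes anything past the 90-day retention window, and reports the firewalls whose latest reading falls outside the range. Panorama does not document the exact deviation threshold, so the two-sigma band, the minimum sample count, the one-reading-per-day cadence, and the telemetry in `constructed_samples` are assumptions made for this example.

```python
"""Health baseline and deviation check modelled on Panorama's Device Health
behaviour. Added example, not Palo Alto Networks code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

BASELINE_DAYS = 7        # seven-day averages, as the guide states
DEVIATION_SIGMAS = 2.0   # assumption: Panorama does not publish its threshold
MIN_SAMPLES = 4          # assumption: do not judge a metric on one or two points
RETENTION_DAYS = 90      # Panorama keeps 90 days of health statistics
DEMO_NOW = datetime(2022, 2, 22)

Key = Tuple[str, str]    # (firewall serial, metric name)


@dataclass(frozen=True)
class Sample:
    serial: str
    metric: str
    ts: datetime
    value: float


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float

    def low(self) -> float:
        return self.mean - DEVIATION_SIGMAS * self.stdev

    def high(self) -> float:
        return self.mean + DEVIATION_SIGMAS * self.stdev

    def contains(self, value: float) -> bool:
        # A perfectly flat metric (stdev 0) gives a zero-width range, so any
        # change at all is reported as a deviation.
        return self.low() <= value <= self.high()


def prune(samples: Iterable[Sample], now: datetime) -> List[Sample]:
    """Drop readings older than the 90-day retention window."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [s for s in samples if s.ts >= cutoff]


def compute_baselines(samples: Iterable[Sample], now: datetime) -> Dict[Key, Baseline]:
    """Per-firewall, per-metric baseline from readings in the trailing seven days."""
    cutoff = now - timedelta(days=BASELINE_DAYS)
    buckets: Dict[Key, List[float]] = {}
    for s in samples:
        if cutoff <= s.ts < now:
            buckets.setdefault((s.serial, s.metric), []).append(s.value)
    return {k: Baseline(mean(v), pstdev(v)) for k, v in buckets.items()
            if len(v) >= MIN_SAMPLES}


def deviating_devices(baselines: Dict[Key, Baseline],
                      latest: Dict[Key, float]) -> Dict[str, List[Tuple[str, float, Baseline]]]:
    """serial -> [(metric, value, baseline)] for every out-of-range reading.
    Metrics with no baseline yet are skipped, like a firewall in its first week."""
    out: Dict[str, List[Tuple[str, float, Baseline]]] = {}
    for key, value in latest.items():
        b = baselines.get(key)
        if b is not None and not b.contains(value):
            out.setdefault(key[0], []).append((key[1], value, b))
    return out


def constructed_samples(now: datetime) -> List[Sample]:
    """Constructed telemetry for two firewalls; not captured from real devices."""
    sessions_a = [980, 1010, 995, 1020, 1000, 990, 1015]   # stable around 1000
    sessions_b = [400, 420, 410, 430, 405, 415, 425]       # stable around 415
    out: List[Sample] = []
    for day, (a, b) in enumerate(zip(sessions_a, sessions_b), start=1):
        ts = now - timedelta(days=day)
        out.append(Sample("001234", "sessions", ts, a))
        out.append(Sample("005678", "sessions", ts, b))
    # Only two readings: below MIN_SAMPLES, so no baseline is formed yet.
    out.append(Sample("001234", "log_rate", now - timedelta(days=1), 50))
    out.append(Sample("001234", "log_rate", now - timedelta(days=2), 55))
    # Old enough to fall out of retention entirely.
    out.append(Sample("001234", "sessions", now - timedelta(days=120), 5000))
    return out


if __name__ == "__main__":
    baselines = compute_baselines(prune(constructed_samples(DEMO_NOW), DEMO_NOW), DEMO_NOW)
    latest = {("001234", "sessions"): 2400.0, ("005678", "sessions"): 430.0,
              ("001234", "log_rate"): 500.0}
    for serial, items in deviating_devices(baselines, latest).items():
        for metric, value, b in items:
            print(f"{serial} {metric}={value} outside [{b.low():.0f}, {b.high():.0f}]")
```

The `log_rate` metric is deliberately left without a baseline: reporting a deviation on two data points produces noise, which is why a new firewall shows no deviating metrics until enough history exists.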
STEP 1 | Log in to the Panorama Web Interface.


STEP 2 | Select Panorama > Managed Devices > Health to monitor the health of managed firewalls.
View All Devices to see a list of all managed firewalls and the monitored health metrics. Select an individual firewall to open the Detailed Device View with time-trended graphs and tables of the monitored metrics.

Figure 11: Managed Firewall Health Monitoring

Figure 12: Detailed Device View


STEP 3 | Select Deviang Devices to view firewalls with health metrics that deviated outside of the
calculated baseline.
Panorama lists all firewalls that are reporng metrics that deviate from the calculated baseline
and displays deviang metrics in red.

Monitor Policy Rule Usage

As your policies change, tracking rule usage on Panorama helps you evaluate whether your policy implementation continues to match your enforcement needs. This visibility helps you identify and remove unused rules to reduce security risks and keep your policy rulebase organized. Additionally, rule usage tracking allows you to quickly validate new rule additions and rule changes and to monitor rule usage for operations and troubleshooting tasks. On Panorama, you can view the rule usage of the firewalls in a device group to which you pushed policies, to determine whether all, some, or none of the firewalls have traffic matches, instead of being limited to the total number of hits across all firewalls in the device group. You can quickly filter rules using the rule usage data, such as Created and Modified dates, within a customizable time frame. The displayed rule usage information persists across reboots, dataplane restarts, and upgrades.
On Panorama, you can view the rule usage details for managed firewalls that are running PAN-OS 8.1 or a later release, that have policy rule hit count enabled (the default), and for which you have defined and pushed policy rules using device groups. Panorama cannot retrieve rule usage details for policy rules configured locally on the firewall, so you must log in to the firewall to view rule usage information for locally configured rules.
After filtering your policy rulebase, administrators can delete, disable, enable, and tag policy rules directly from the Policy Optimizer. For example, you can filter for unused rules and then tag them for review to determine whether they can be safely deleted or should be kept in the rulebase. Taking action directly from the Policy Optimizer reduces management overhead, simplifies your rule lifecycle management, and helps ensure that your firewalls are not over-provisioned with rules.

Policy rule usage data may also be useful when using Policy Optimizer to prioritize which rules to migrate or clean up first.

To view the rule usage across any Shared rule or for a specific device group:
STEP 1 | Log in to the Panorama Web Interface.


STEP 2 | Verify that the Policy Rule Hit Count is enabled.
1. Navigate to the Policy Rulebase Settings (Panorama > Setup > Management).
2. Verify that Policy Rule Hit Count is enabled.

STEP 3 | Select Policies > <policy rule> to view a rule.

STEP 4 | Change the Device Group context to Shared or to the specific device group you want to view.


STEP 5 | Determine whether the rule is being used (Rule Usage). The policy rule usage status is one of the following:
Firewalls must run PAN-OS 8.1 or a later release with Policy Rule Hit Count enabled for Panorama to determine rule usage.
• Used—All firewalls in the device group to which you pushed the policy rule have traffic matches for the policy rule.
• Partially Used—Some of the firewalls in the device group to which you pushed the policy rule have traffic matches for the policy rule.
• Unused—No firewalls in the device group to which you pushed the policy rule have traffic matches for the policy rule.
• Em-dash (—)—No firewalls in the device group to which you pushed the policy rule have Policy Rule Hit Count enabled or available, so Panorama cannot determine the rule usage.
The rule also displays the following dates:
• Modified—The date and time the policy rule was last modified.
• Created—The date and time the policy rule was created.

If the rule was created when Panorama was running PAN-OS 8.1 with the Policy Rule Hit Count setting enabled, the First Hit date and time is used as the Created date and time on upgrade to PAN-OS 9.0 or a later release. If the rule was created in PAN-OS 8.1 when the Policy Rule Hit Count setting was disabled, or when Panorama was running PAN-OS 8.0 or an earlier release, the Created date for the rule is the date and time you successfully upgraded Panorama to PAN-OS 9.0 or a later release.


STEP 6 | Click the Rule Usage status to view the list of firewalls using the rule and the hit-count data for traffic that matches that rule on each firewall.

STEP 7 | (Optional) View the policy rule hit-count data for individual firewalls in the device group.
1. Click Preview Rules.
2. From the Device context, select the firewall for which you want to view the policy rule usage data.

STEP 8 | Select Policies and, in the Policy Optimizer dialog, view the Rule Usage filter.

STEP 9 | Filter rules in the selected rulebase.

You can filter the rule usage for rules pushed to firewalls from Panorama. Panorama cannot filter rule usage for rules configured locally on the firewall.

Use the rule usage filter to evaluate rule usage within a specified period of time. For example, filter the selected rulebase for Unused rules within the last 30 days. You can also evaluate rule usage together with other rule attributes, such as the Created and Modified dates, which lets you narrow the results to the correct set of rules to review. Use this data to manage your rule lifecycle and to determine whether a rule should be removed to reduce your network attack surface.

1. Select the Timeframe you want to filter on, or specify a Custom time frame.
2. Select the rule Usage on which you want to filter.
3. (Optional) If you have reset the rule usage data for any rules, select Exclude rules reset during the last <number of days> days and specify the number of days. Rules whose usage data was reset within that many days are left out; only rules that were reset before the specified number of days (or never reset) are included in the filtered results.

4. (Oponal) Specify search filters based on addional rule data, other than the rule usage.
1. Hover your mouse over the column header, and from the drop-down select Columns.
2. Add any addional columns you want to filter with or to display.

3. Hover your mouse over the column data that you would like to filter, and select Filter
from the drop-down. For data that contain dates, select whether to filter using This
date, This date or earlier, or This date or later.
4. Click Apply Filter ( ).


STEP 10 | Take action on one or more unused policy rules.
1. Select one or more unused policy rules.
2. Perform one of the following actions:
  • Delete—Delete the selected policy rules.
  • Enable—Enable the selected policy rules if they are disabled.
  • Disable—Disable the selected policy rules.
  • Tag—Apply one or more group tags to the selected policy rules. The group tag must already exist before you can apply it to a policy rule.
  • Untag—Remove one or more group tags from the selected policy rules.
3. Commit and then Commit and Push your changes.
A rule that shows no matches within your chosen time frame may still serve periodic or emergency traffic (for example, quarterly batch jobs or disaster recovery paths), so prefer tagging or disabling a rule and observing the result before you delete it.
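The Used / Partially Used / Unused / em-dash classification and the Policy Optimizer filters from steps 5 and 9, as an added example in Python (not Panorama code). It models what each target firewall reports for a rule and classifies the rule over a time frame, then applies the "exclude rules reset during the last N days" and Created/Modified filters. Assumptions made for this example: a firewall "has traffic matches" within a time frame when its last hit falls inside it; firewalls with hit counting disabled or not reporting are ignored rather than counted as unused; the rulebase, serials, and dates in `sample_rulebase` are constructed.

```python
"""Rule-usage classification and filtering modelled on Panorama's Rule Usage
column and Policy Optimizer filters. Added example, not Palo Alto Networks code."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

USED, PARTIAL, UNUSED, UNKNOWN = "Used", "Partially Used", "Unused", "—"
DEMO_NOW = datetime(2022, 2, 22)


@dataclass(frozen=True)
class HitReport:
    """What one firewall reports for one rule."""
    hit_count: int
    last_hit: Optional[datetime]
    hit_count_enabled: bool = True


@dataclass
class Rule:
    name: str
    created: datetime
    modified: datetime
    targets: List[str]                          # serials the rule was pushed to
    reports: Dict[str, HitReport] = field(default_factory=dict)
    reset_at: Optional[datetime] = None         # last "reset rule hit counter" on Panorama


def classify(rule: Rule, now: datetime, timeframe_days: int) -> str:
    """Usage status over the firewalls the rule targets, within the time frame."""
    since = now - timedelta(days=timeframe_days)
    reporting = [s for s in rule.targets
                 if s in rule.reports and rule.reports[s].hit_count_enabled]
    if not reporting:
        return UNKNOWN            # nothing to judge from; Panorama shows an em-dash
    matched = [s for s in reporting
               if rule.reports[s].hit_count > 0
               and rule.reports[s].last_hit is not None
               and rule.reports[s].last_hit >= since]
    if len(matched) == len(reporting):
        return USED
    return PARTIAL if matched else UNUSED


def filter_rules(rules: List[Rule], now: datetime, timeframe_days: int, usage: str,
                 exclude_reset_days: Optional[int] = None,
                 created_on_or_after: Optional[datetime] = None,
                 modified_on_or_after: Optional[datetime] = None) -> List[str]:
    """Names of rules with the requested usage, honouring the optional filters."""
    names: List[str] = []
    for r in rules:
        if (exclude_reset_days is not None and r.reset_at is not None
                and r.reset_at >= now - timedelta(days=exclude_reset_days)):
            continue              # reset too recently to judge fairly
        if created_on_or_after is not None and r.created < created_on_or_after:
            continue
        if modified_on_or_after is not None and r.modified < modified_on_or_after:
            continue
        if classify(r, now, timeframe_days) == usage:
            names.append(r.name)
    return names


def sample_rulebase(now: datetime) -> List[Rule]:
    """Constructed device-group rulebase; serials, counts, and dates are made up."""
    def ago(days: int) -> datetime:
        return now - timedelta(days=days)

    def hit(count: int, days_ago: int) -> HitReport:
        return HitReport(count, ago(days_ago))

    return [
        Rule("allow-dns-snmp", ago(400), ago(400), ["REG-1", "REG-2", "BR-1"],
             {"REG-1": hit(900, 0), "REG-2": hit(850, 1), "BR-1": hit(120, 0)}),
        Rule("allow-facebook-marketing", ago(60), ago(10), ["REG-1", "REG-2"],
             {"REG-1": hit(42, 2), "REG-2": HitReport(0, None)}),
        Rule("legacy-ftp", ago(400), ago(400), ["REG-1", "REG-2", "BR-1"],
             {"REG-1": hit(7, 120), "REG-2": hit(3, 150), "BR-1": hit(1, 200)}),
        Rule("new-rule", ago(1), ago(1), ["REG-1", "REG-2", "BR-1"],
             {"REG-1": HitReport(0, None, hit_count_enabled=False)}),
        Rule("reset-last-week", ago(300), ago(300), ["BR-1"],
             {"BR-1": HitReport(0, None)}, reset_at=ago(5)),
    ]


if __name__ == "__main__":
    rules = sample_rulebase(DEMO_NOW)
    for r in rules:
        print(f"{r.name:28s} 30d={classify(r, DEMO_NOW, 30):15s} 365d={classify(r, DEMO_NOW, 365)}")
    print("unused/30d:", filter_rules(rules, DEMO_NOW, 30, UNUSED))
    print("unused/30d, excluding resets in last 7d:",
          filter_rules(rules, DEMO_NOW, 30, UNUSED, exclude_reset_days=7))
```

Note how `legacy-ftp` flips from Unused at 30 days to Used at 365 days: the time frame you pick decides what "unused" means, which is why the step above recommends combining it with the Created and Modified dates before acting on a rule.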


Use Case: Configure Firewalls Using Panorama

Let's say that you want to use Panorama in a high availability configuration to manage a dozen firewalls on your network: you have six firewalls deployed across six branch offices, a pair of firewalls in a high availability configuration at each of two data centers, and a firewall in each of the two regional head offices.

Figure 13: Firewall Distribution Example

The first step in creating your central management strategy is to determine how to group the firewalls into device groups and templates to efficiently push configurations from Panorama. You can base the grouping on the business functions, geographic locations, or administrative domains of the firewalls. In this example, you create two device groups and three templates to administer the firewalls using Panorama:
• Device Groups in this Use Case
• Templates in this Use Case
• Set Up Your Centralized Configuration and Policies

Device Groups in this Use Case

In Use Case: Configure Firewalls Using Panorama, we need to define two device groups based on the functions the firewalls will perform:


• DG_BranchAndRegional for grouping the firewalls that serve as the security gateways at the branch offices and at the regional head offices. We placed the branch office firewalls and the regional office firewalls in the same device group because firewalls with similar functions will require similar policy rulebases.
• DG_DataCenter for grouping the firewalls that secure the servers at the data centers.
We can then administer shared policy rules across both device groups as well as distinct device group rules for the regional office and branch office group. For added flexibility, the local administrator at a regional or branch office can create local rules that match specific source, destination, and service flows for accessing applications and services that are required for that office. In this example, we create the following hierarchy for security rules; you can use a similar approach for any of the other rulebases.

Figure 14: Security Rules Hierarchy

Templates in this Use Case

When grouping firewalls for templates, we must take into account the differences in their networking configuration. For example, if the interface configuration is not the same (the interfaces differ in type, numbering scheme, or link capacity, or the zone-to-interface mappings differ), the firewalls must be in separate templates. Further, the way the firewalls are configured to access network resources might differ because the firewalls are spread geographically; for example, the DNS servers, syslog servers, and gateways they access might be different. So, to allow for an optimal base configuration, in Use Case: Configure Firewalls Using Panorama we must place the firewalls in separate templates as follows:
• T_Branch for the branch office firewalls
• T_Regional for the regional office firewalls


• T_DataCenter for the data center firewalls

Figure 15: Device Group Example

If you plan to deploy your firewalls in an active/active HA configuration, assign each firewall in the HA pair to a separate template. Doing so gives you the flexibility to set up separate networking configurations for each peer. For example, you can manage the networking configuration in a separate template for each peer so that each can connect to different northbound and southbound routers and can have different OSPF or BGP peering configurations.

Set Up Your Centralized Configuration and Policies

In Use Case: Configure Firewalls Using Panorama, we would need to perform the following tasks to centrally deploy and administer the firewalls:
• Add the Managed Firewalls and Deploy Updates
• Use Templates to Administer a Base Configuration
• Use Device Groups to Push Policy Rules
• Preview the Rules and Commit Changes

Add the Managed Firewalls and Deploy Updates

The first task in Use Case: Configure Firewalls Using Panorama is to add the firewalls as managed devices and deploy content updates and PAN-OS software updates to those firewalls.
STEP 1 | For each firewall that Panorama will manage, Add a Firewall as a Managed Device.
In this example, add 12 firewalls.


STEP 2 | Deploy the content updates to the firewalls. If you purchased a Threat Prevention subscription, the content and antivirus databases are available to you. First install the Applications or Applications and Threats database, then the Antivirus database.

To review the status or progress of all tasks performed on Panorama, see Use the Panorama Task Manager.

1. Select Panorama > Device Deployment > Dynamic Updates.
2. Click Check Now to check for the latest updates. If the value in the Action column is Download, an update is available.
3. Click Download. When the download completes, the value in the Action column changes to Install.
4. In the Action column, click Install. Use the filters or user-defined tags to select the managed firewalls on which you want to install this update.
5. Click OK, then monitor the status, progress, and result of the content update for each firewall. The Result column displays the success or failure of the installation.

STEP 3 | Deploy the software updates to the firewalls.
1. Select Panorama > Device Deployment > Software.
2. Click Check Now to check for the latest updates. If the value in the Action column is Download, an update is available.
3. Locate the version that you need for each hardware model and click Download. When the download completes, the value in the Action column changes to Install.
4. In the Action column, click the Install link. Use the filters or user-defined tags to select the managed firewalls on which to install this version.
5. Select the check box for Reboot device after install or Upload only to device (do not install) and click OK. The Results column displays the success or failure of the installation.

Use Templates to Administer a Base Configuration

The second task in Use Case: Configure Firewalls Using Panorama is to create the templates you will need to push the base configuration to the firewalls.
STEP 1 | For each template you will use, Add a Template and assign the appropriate firewalls to it.
In this example, create templates named T_Branch, T_Regional, and T_DataCenter.


STEP 2 | Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
1. In the Device tab, select the Template from the drop-down.
2. Define the DNS and NTP servers:
  1. Select Device > Setup > Services > Global and edit the Services.
  2. In the Services tab, enter an IP address for the Primary DNS Server.
  For any firewall that has more than one virtual system (vsys), add a DNS server profile to the template for each vsys (Device > Server Profiles > DNS).
  3. In the NTP tab, enter an IP address for the Primary NTP Server.
  4. Click OK to save your changes.
3. Add a login banner: select Device > Setup > Management, edit the General Settings, enter text for the Login Banner, and click OK.
4. Configure a Syslog server profile (Device > Server Profiles > Syslog).

STEP 3 | Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
1. In the Device tab, select the Template from the drop-down.
2. Select Setup > Management and edit the Management Interface Settings.
3. Under Services, select the HTTPS, SSH, and SNMP check boxes, and click OK.
Leave HTTP and Telnet disabled; both carry administrator credentials in cleartext.

STEP 4 | Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
2. Select Network Profiles > Zone Protection and click Add.
3. For this example, enable protection against a SYN flood: in the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies, set the Alert packets/second to 100, set the Activate packets/second to 1000, and set the Maximum packets/second to 10000.
4. For this example, enable alerts: in the Reconnaissance Protection tab, select the Enable check boxes for TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default value).
5. Click OK to save the Zone Protection profile.


STEP 5 | Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created.

Before performing this step, you must have configured the interfaces locally on the firewalls. At a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.

1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
2. Select Network > Interfaces and, in the Interface column, click the interface name.
3. Select the Interface Type from the drop-down.
4. In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
5. In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
6. Click OK to save your changes to the interface.
7. Select Network > Zones and select the zone you just created. Verify that the correct interface is attached to the zone.
8. In the Zone Protection Profile drop-down, select the profile you created, and click OK.

STEP 6 | Push your template changes.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Templates and select the firewalls assigned to the templates where you made changes.
3. Commit and Push your changes to the Panorama configuration and to the templates.

Use Device Groups to Push Policy Rules

The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage policy rules on the firewalls.
STEP 1 | Create device groups and assign the appropriate firewalls to each device group: see Add a Device Group.
In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.
When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.


STEP 2 | Create a shared pre-rule to allow DNS and SNMP services.
1. Create a shared application group for the DNS and SNMP applications.
  1. Select Objects > Application Groups and click Add.
  2. Enter a Name and select the Shared check box to create a shared application group object.
  3. Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp and snmp-trap.
  4. Click OK to create the application group.
2. Create the shared rule.
  1. Select the Policies tab and, in the Device Group drop-down, select Shared.
  2. Select the Security > Pre-Rules rulebase.
  3. Click Add and enter a Name for the security rule.
  4. In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
  5. In the Application tab, click Add, type the name of the application group object you just created, and select it from the drop-down.
  6. In the Actions tab, set the Action to Allow, and click OK.

STEP 3 | Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
1. Select the Policies tab and, in the Device Group drop-down, select Shared.
2. Select Security > Pre-Rules and click Add.
3. In the General tab, enter a Name for the security rule.
4. In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
5. In the Application tab, define the application filter:
  1. Click Add and click New Application Filter in the footer of the drop-down.
  2. Enter a Name and select the Shared check box.
  3. In the Risk column, select levels 3, 4, and 5.
  4. In the Technology column, select peer-to-peer.
  5. Click OK to save the new filter.
6. In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
7. You can also attach the default URL Filtering profile: in the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default.
8. In the Actions tab, set the Action to Deny so that the rule blocks rather than allows the matched traffic, and click OK to save the security pre-rule.


STEP 4 | Allow Facebook for all users in the Marketing group in the regional offices only.
Enabling a security rule based on user and group has the following prerequisite tasks:
• Set up User-ID on the firewalls.
• Enable User-ID for each zone that contains the users you want to identify.
• Define a master firewall for the DG_BranchAndRegional device group (see Step 1).
1. Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
2. Select the Security > Pre-Rules rulebase.
3. Click Add and enter a Name for the security rule.
4. In the Source tab, Add the Source Zone that contains the Marketing group users.
5. In the Destination tab, Add the Destination Zone.
6. In the User tab, Add the Marketing user group to the Source User list.
7. In the Application tab, click Add, type Facebook, and then select it from the drop-down.
8. In the Actions tab, set the Action to Allow.
9. In the Target tab, select the regional office firewalls and click OK.

STEP 5 | Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
1. Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application.
  1. Select Objects > Addresses and, in the Device Group drop-down, select DG_DataCenter.
  2. Click Add and enter a Name for the address object.
  3. Select the Type, and specify an IP address and netmask (IP Netmask), a range of IP addresses (IP Range), or an FQDN.
  4. Click OK to save the object.
2. Create a security rule that allows access to the Amazon cloud application.
  1. Select Policies > Security > Pre-Rules and, in the Device Group drop-down, select DG_DataCenter.
  2. Click Add and enter a Name for the security rule.
  3. Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined.
  4. Select the Destination tab and Add the Destination Zone.
  5. Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
  6. Select the Actions tab and set the Action to Allow.
  7. Click OK to save the rule.


STEP 6 | To enable logging for all internet-bound traffic on your network, create a rule that matches the trust zone to the untrust zone.
1. Select the Policies tab and, in the Device Group drop-down, select Shared.
2. Select the Security > Pre-Rules rulebase.
3. Click Add and enter a Name for the security rule.
4. In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone.
5. In the Actions tab, set the Action to Deny, set the Log Setting to Log at Session End, and click OK.
Because Shared pre-rules are evaluated before device group pre-rules, this catch-all deny rule shadows any device group pre-rule that also matches trust_zone to untrust_zone traffic (such as the Facebook rule in Step 4), even if it sits at the bottom of the Shared pre-rulebase. Placing it in the Shared Post-Rules rulebase instead keeps the logging while letting the device group rules match first; use Preview Rules to confirm the order in which a given firewall evaluates its rules.

Preview the Rules and Commit Changes

The final task in Use Case: Configure Firewalls Using Panorama is to review the rules and commit the changes you have made to Panorama, device groups, and templates.
STEP 1 | Preview the rules.
This preview lets you visually evaluate how rules are layered for a particular rulebase.
1. Select Policies and Preview Rules.
2. Select a Rulebase, Device Group, and Device.
3. Close the preview dialog when you finish.
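The layering that Preview Rules displays for one firewall, as an added example in Python (not Panorama code). It assembles the rules in the order a firewall evaluates them: Shared pre-rules, device group pre-rules (parent group before child), the firewall's local rules, device group post-rules (child before parent), Shared post-rules, and finally the intrazone and interzone default rules, honouring each rule's Target list. It goes beyond the use case by supporting nested device groups. The device groups, serials, zone names, and application names are constructed to mirror the use case; `use_case` builds the rules from Steps 2, 4, 5, and 6 and lets you place the catch-all trust-to-untrust deny rule in either the Shared pre- or post-rulebase.

```python
"""Rule layering for one managed firewall, as Panorama's Preview Rules shows it.
Added example, not Palo Alto Networks code. Groups, serials, zones, and
application names are constructed to mirror the use case."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    apps: frozenset = frozenset()      # empty = any application
    targets: frozenset = frozenset()   # empty = every firewall in the device group
    same_zone: Optional[bool] = None   # True: intrazone default, False: interzone default

    def matches(self, serial: str, src: str, dst: str, app: str) -> bool:
        if self.targets and serial not in self.targets:
            return False
        if self.src_zone not in ("any", src) or self.dst_zone not in ("any", dst):
            return False
        if self.apps and app not in self.apps:
            return False
        return self.same_zone is None or self.same_zone == (src == dst)


@dataclass
class DeviceGroup:
    name: str
    parent: Optional[str]
    firewalls: frozenset = frozenset()          # direct members only
    pre: List[Rule] = field(default_factory=list)
    post: List[Rule] = field(default_factory=list)


DEFAULT_RULES = [Rule("intrazone-default", "allow", same_zone=True),
                 Rule("interzone-default", "deny", same_zone=False)]

Layered = List[Tuple[str, str, Rule]]           # (device group, rulebase, rule)


def lineage(groups: Dict[str, DeviceGroup], serial: str) -> List[str]:
    """Device group names from Shared down to the firewall's own group."""
    g = next(g for g in groups.values() if serial in g.firewalls)
    chain: List[str] = []
    while g is not None:
        chain.append(g.name)
        g = groups[g.parent] if g.parent else None
    return chain[::-1]


def preview_rules(groups: Dict[str, DeviceGroup], serial: str,
                  local_rules: List[Rule]) -> Layered:
    """The evaluation order Preview Rules shows for this firewall."""
    chain = lineage(groups, serial)

    def targeted(r: Rule) -> bool:
        return not r.targets or serial in r.targets

    out: Layered = []
    for name in chain:                       # pre-rules: ancestors first
        out += [(name, "pre", r) for r in groups[name].pre if targeted(r)]
    out += [("local", "local", r) for r in local_rules]
    for name in reversed(chain):             # post-rules: descendants first
        out += [(name, "post", r) for r in groups[name].post if targeted(r)]
    out += [("default", "default", r) for r in DEFAULT_RULES]
    return out


def evaluate(groups: Dict[str, DeviceGroup], serial: str, local_rules: List[Rule],
             src: str, dst: str, app: str) -> Tuple[str, str, str]:
    """First-match lookup: (rule name, action, 'group/rulebase')."""
    for group, rulebase, r in preview_rules(groups, serial, local_rules):
        if r.matches(serial, src, dst, app):
            return r.name, r.action, f"{group}/{rulebase}"
    raise RuntimeError("unreachable: a default rule always matches")


def use_case(catch_all_rulebase: str = "pre") -> Dict[str, DeviceGroup]:
    """The guide's two device groups under Shared. The trust-to-untrust
    deny-and-log rule goes into the Shared 'pre' or 'post' rulebase."""
    regional = frozenset({"REG-1", "REG-2"})
    branch = frozenset(f"BR-{i}" for i in range(1, 7))
    datacenter = frozenset({"DC-1A", "DC-1B", "DC-2A", "DC-2B"})
    shared = DeviceGroup("Shared", None, pre=[
        Rule("allow-dns-snmp", "allow", apps=frozenset({"dns", "snmp", "snmp-trap"}))])
    getattr(shared, catch_all_rulebase).append(
        Rule("log-internet", "deny", "trust_zone", "untrust_zone"))
    return {
        "Shared": shared,
        "DG_BranchAndRegional": DeviceGroup(
            "DG_BranchAndRegional", "Shared", regional | branch, pre=[
                Rule("allow-facebook-marketing", "allow", "trust_zone", "untrust_zone",
                     apps=frozenset({"facebook"}), targets=regional)]),
        "DG_DataCenter": DeviceGroup(
            "DG_DataCenter", "Shared", datacenter, pre=[
                Rule("allow-amazon", "allow", "dc_zone", "untrust_zone",
                     apps=frozenset({"amazon"}))]),
    }


if __name__ == "__main__":
    for where in ("pre", "post"):
        groups = use_case(where)
        print(f"catch-all in Shared {where}:",
              evaluate(groups, "REG-1", [], "trust_zone", "untrust_zone", "facebook"))
```

Running it shows the shadowing problem from Step 6: with the catch-all in the Shared pre-rulebase, Facebook traffic from a regional office hits `log-internet` before the device group rule is ever consulted; moving it to the Shared post-rulebase lets `allow-facebook-marketing` match first while branch firewalls, which the rule does not target, still fall through to the deny.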

STEP 2 | Commit and push your configuration changes.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Device Groups, select the device groups you added, and select Include Device and Network Templates.
3. Click OK to save your changes to the Push Scope.
4. Commit and Push your changes.

STEP 3 | Verify that Panorama applied the template and policy configurations.
1. In the Panorama header, set the Context to the firewall to access its web interface.
2. Review the template and policy configurations to ensure your changes are present.

Manage Log Collecon
All Palo Alto Networks firewalls can generate logs that provide an audit trail of firewall
acvies. For Centralized Logging and Reporng, you must forward the logs generated
on the firewalls to your on-premise infrastructure that includes the Panorama™
management server or Log Collectors or send the logs to the cloud-based Cortex Data
Lake. Oponally, you can then configure Panorama to forward the logs to external
logging desnaons (such as syslog servers).
If you forward logs to a Panorama virtual appliance in Legacy mode, you don’t
need to perform any addional tasks to enable logging. If you forward logs to Log
Collectors, you must configure them as managed collectors and assign them to
Collector Groups. A managed collector can be local to an M-Series appliance, or
Panorama virtual appliance in Panorama mode. Addionally, an M-Series appliance,
or Panorama virtual appliance in Log Collector mode can be Dedicated Log Collectors.
To determine whether to deploy either or both types of managed collectors, see Local
and Distributed Log Collecon.
To manage the System and Config logs that Panorama generates locally, see Monitor
Panorama.
> Configure a Managed Collector > Forward Logs to Cortex Data Lake
> Configure Authencaon for a > Verify Log Forwarding to Panorama
Dedicated Log Collector > Modify Log Forwarding and Buffering
> Manage Collector Groups Defaults
> Configure Log Forwarding to > Configure Log Forwarding from
Panorama Panorama to External Desnaons
> Configure Syslog Forwarding to > Log Collecon Deployments
External Desnaons


Configure a Managed Collector

To enable the Panorama management server to manage a Log Collector, you must add it as a managed collector. Log Collectors support communication using a public or private IPv4 or IPv6 address only, including when you configure custom certificates for mutual authentication.
You can add two types of managed collectors:
• Dedicated Log Collector—To set up a new M-600, M-500, or M-200 appliance or a Panorama virtual appliance as a Log Collector, or to switch an existing M-Series appliance or Panorama virtual appliance from Panorama mode to Log Collector mode, you must Set Up the M-Series Appliance as a Log Collector. Keep in mind that switching from Panorama Mode to Log Collector Mode removes the local Log Collector that is predefined on the M-Series appliance in Panorama mode.
• Local Log Collector—A Log Collector can run locally on an M-600, M-500, or M-200 appliance or a Panorama virtual appliance in Panorama mode. On the M-Series appliances, the Log Collector is predefined; on the virtual appliance, you must add the Log Collector. When the Panorama management server has a high availability (HA) configuration, each HA peer can have a local Log Collector. However, relative to the primary Panorama, the Log Collector on the secondary Panorama is remote, not local. Therefore, to use the Log Collector on the secondary Panorama, you must manually add it to the primary Panorama (for details, see Deploy Panorama M-Series Appliances with Local Log Collectors or Deploy Panorama Virtual Appliances with Local Log Collectors). If you delete a local Log Collector, you can later add it back. The following steps describe how to add a local Log Collector.
If the Panorama virtual appliance is in Legacy mode, you must switch to Panorama mode to create a Log Collector. For details, see Set Up the Panorama Virtual Appliance with Local Log Collector.
A device registration authentication key is used to securely authenticate and connect the Panorama management server and the managed collector on first connect. To configure the device registration authentication key, specify the key lifetime and the number of times you can use the authentication key to onboard new Log Collectors. Additionally, you can specify one or more Log Collector serial numbers for which the authentication key is valid.
The authentication key expires 90 days after the key lifetime expires. After 90 days, you are prompted to re-certify the authentication key to maintain its validity. If you do not re-certify, the authentication key becomes invalid. A system log is generated each time a Log Collector uses the Panorama-generated authentication key. The Log Collector uses the authentication key to authenticate Panorama when it delivers the device certificate that is used for all subsequent communications.
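The key policy described above (lifetime, use count, optional serial-number restriction, and a record of every use) as a small Python model. This is an added illustration, not Panorama's implementation; the serial numbers and timestamps are constructed placeholders, and the 90-day re-certification window is not modelled.

```python
"""Model of the device registration authentication key policy described in the text.

Added illustration only (not Panorama code): a key is valid for a configured
lifetime, may be used a limited number of times, and may be restricted to specific
Log Collector serial numbers. Every use, accepted or rejected, is recorded,
mirroring the system log Panorama writes each time a Log Collector presents the key.
The 90-day re-certification window is deliberately not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class DeviceRegistrationAuthKey:
    name: str
    issued_at: datetime
    lifetime: timedelta                        # how long the key may onboard collectors
    count: int                                 # how many onboardings the key may perform
    devices: frozenset = frozenset()           # allowed serial numbers; empty = any
    uses: list = field(default_factory=list)   # audit trail of every attempt

    def remaining_uses(self) -> int:
        return self.count - sum(1 for u in self.uses if u["accepted"])

    def validate(self, serial: str, now: datetime) -> tuple[bool, str]:
        """Check one onboarding attempt without recording it."""
        if now < self.issued_at:
            return False, "key not yet valid"
        if now > self.issued_at + self.lifetime:
            return False, "key lifetime expired"
        if self.remaining_uses() <= 0:
            return False, "key use count exhausted"
        if self.devices and serial not in self.devices:
            return False, f"serial {serial} not in the key's device list"
        return True, "ok"

    def onboard(self, serial: str, now: datetime) -> bool:
        """Attempt to onboard one Log Collector and record the outcome."""
        accepted, reason = self.validate(serial, now)
        self.uses.append({"serial": serial, "when": now.isoformat(),
                          "accepted": accepted, "reason": reason})
        return accepted


def demo() -> tuple[DeviceRegistrationAuthKey, list[bool]]:
    """Exercise the key with constructed placeholder serial numbers and times."""
    issued = datetime(2022, 2, 22, tzinfo=timezone.utc)
    key = DeviceRegistrationAuthKey(
        name="lc-onboarding",
        issued_at=issued,
        lifetime=timedelta(days=7),
        count=2,
        devices=frozenset({"SERIAL-LC-0001", "SERIAL-LC-0002"}),
    )
    results = [
        key.onboard("SERIAL-LC-0001", issued + timedelta(days=1)),  # accepted
        key.onboard("SERIAL-LC-9999", issued + timedelta(days=1)),  # serial not allowed
        key.onboard("SERIAL-LC-0002", issued + timedelta(days=8)),  # past lifetime
        key.onboard("SERIAL-LC-0002", issued + timedelta(days=2)),  # accepted; count now 0
        key.onboard("SERIAL-LC-0001", issued + timedelta(days=3)),  # count exhausted
    ]
    return key, results


if __name__ == "__main__":
    k, _ = demo()
    for use in k.uses:
        print(use)
```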

As a best practice, retain a local Log Collector and Collector Group on the Panorama management server, regardless of whether it manages Dedicated Log Collectors.

(Panorama evaluation only) If you are evaluating a Panorama virtual appliance with a local Log Collector, Configure Log Forwarding from Panorama to External Destinations to preserve logs generated during your evaluation period.
Logs stored on the local Log Collector cannot be preserved when you Convert Your Evaluation Panorama Instance to a Production Panorama Instance with a Local Log Collector.

(PAN-OS 10.1 only) For Dedicated Log Collectors running a PAN-OS 10.1 release, Panorama running PAN-OS 10.1.3 or a later release supports onboarding only a Dedicated Log Collector running PAN-OS 10.1.3 or a later release. You cannot add a Dedicated Log Collector running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release to Panorama management if Panorama is running PAN-OS 10.1.3 or a later release.
Panorama supports onboarding Dedicated Log Collectors running the following releases:
• Panorama running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release—Dedicated Log Collectors running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release, and Dedicated Log Collectors running PAN-OS 10.0 or an earlier PAN-OS release.
• Panorama running PAN-OS 10.1.3 or a later release—Dedicated Log Collectors running PAN-OS 10.1.3 or a later release, and Dedicated Log Collectors running PAN-OS 10.0 or an earlier PAN-OS release.
There is no impact to Dedicated Log Collectors already managed by Panorama on upgrade to PAN-OS 10.1.

STEP 1 | Record the serial number of the Log Collector.

You will need the serial number when you add the Log Collector as a managed collector.
1. Access the Panorama web interface.
2. Select Dashboard and record the Serial # in the General Information section.

STEP 2 | Log in to the Panorama Web Interface.

STEP 3 | Create a device registration authentication key.

1. Select Panorama > Device Registration Auth Key and Add a new authentication key.
2. Configure the authentication key.
• Name—Add a descriptive name for the authentication key.
• Lifetime—Specify the key lifetime, which is how long you can use the authentication key to onboard new Log Collectors.
• Count—Specify how many times you can use the authentication key to onboard new Log Collectors.
• Device Type—Specify that this authentication key is used to authenticate only a Log Collector.

You can select Any to use the device registration authentication key to onboard firewalls, Log Collectors, and WildFire appliances.
• (Optional) Devices—Enter one or more device serial numbers to specify for which Log Collectors the authentication key is valid.
3. Click OK.
4. Copy Auth Key and Close.

STEP 4 | (Dedicated Log Collector only) Add the device registration authentication key to the Log Collector.
Add the device registration authentication key only to a Dedicated Log Collector. A Panorama in Panorama mode does not need to authenticate its own local Log Collector.
1. Log in to the Log Collector CLI.
2. Add the device registration authentication key.

admin> request authkey set <auth-key>

STEP 5 | Add the Log Collector as a managed collector.

1. In the Panorama web interface, select Panorama > Managed Collectors and Add a new Log Collector.
2. In the General settings, enter the serial number (Collector S/N) you recorded for the Log Collector.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama.

STEP 6 | (Optional) Configure the Log Collector admin authentication.

1. Select Panorama > Managed Collectors and edit the Log Collector by clicking its name.
2. Configure the Log Collector admin password:
1. Select the password Mode.
2. If you selected Password mode, enter a plaintext Password and Confirm Password. If you selected Password Hash mode, enter a hashed password string of up to 63 characters.
3. Configure the admin login security requirements:

If you set Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the admin user is locked out indefinitely until another administrator manually unlocks the locked-out admin. If no other administrator has been created, you must reconfigure the Failed Attempts and Lockout Time settings on Panorama and push the configuration change to the Log Collector. To ensure that an admin is never locked out, use the default value of 0 for both Failed Attempts and Lockout Time.

1. Enter the Failed Attempts value. The range is from the default value 0 to the maximum of 10, where the value 0 specifies unlimited login attempts.
2. Enter the Lockout Time value, from the default value 0 to the maximum of 60 minutes.
4. Click OK to save your changes.
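An added Python illustration, not Panorama code, of the Failed Attempts and Lockout Time semantics from the note above: a per-admin lockout tracker plus a policy check that flags the indefinite-lockout combination (Failed Attempts above 0 with Lockout Time 0). The admin name and timestamps are constructed.

```python
"""Added illustration of the Failed Attempts / Lockout Time semantics (not Panorama code).

Tracks consecutive failed logins per admin, applies the configured lockout, and
lints a configuration for the trap the note warns about: Failed Attempts > 0 with
Lockout Time 0 locks the admin out until another administrator unlocks the account.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 10   # page: range 0 (unlimited) to 10
MAX_LOCKOUT_MINUTES = 60   # page: range 0 to 60


def lint_lockout_policy(failed_attempts: int, lockout_minutes: int) -> list[str]:
    """Return warnings for a Failed Attempts / Lockout Time pair (empty = no concern)."""
    warnings = []
    if not 0 <= failed_attempts <= MAX_FAILED_ATTEMPTS:
        warnings.append(f"Failed Attempts {failed_attempts} is outside 0-{MAX_FAILED_ATTEMPTS}")
    if not 0 <= lockout_minutes <= MAX_LOCKOUT_MINUTES:
        warnings.append(f"Lockout Time {lockout_minutes} is outside 0-{MAX_LOCKOUT_MINUTES}")
    if failed_attempts == 0:
        warnings.append("Failed Attempts 0: unlimited login attempts, no lockout")
    elif lockout_minutes == 0:
        warnings.append("Failed Attempts > 0 with Lockout Time 0: lockout is indefinite "
                        "until another administrator unlocks the account")
    return warnings


@dataclass
class AdminLoginGuard:
    failed_attempts: int          # 0 = unlimited attempts, never locks
    lockout_minutes: int          # 0 = indefinite once locked
    _failures: dict[str, int] = field(default_factory=dict)
    _locked_at: dict[str, datetime] = field(default_factory=dict)

    def is_locked(self, admin: str, now: datetime) -> bool:
        locked_at = self._locked_at.get(admin)
        if locked_at is None:
            return False
        if self.lockout_minutes == 0:
            return True                       # only a manual unlock clears this
        if now >= locked_at + timedelta(minutes=self.lockout_minutes):
            self.unlock(admin)                # lockout window has elapsed
            return False
        return True

    def record_failure(self, admin: str, now: datetime) -> bool:
        """Record one failed login; return True if the admin is now locked out."""
        if self.is_locked(admin, now):
            return True
        if self.failed_attempts == 0:
            return False
        self._failures[admin] = self._failures.get(admin, 0) + 1
        if self._failures[admin] >= self.failed_attempts:
            self._locked_at[admin] = now
            return True
        return False

    def record_success(self, admin: str) -> None:
        self._failures.pop(admin, None)

    def unlock(self, admin: str) -> None:
        """Manual unlock by another administrator (or a pushed config change)."""
        self._failures.pop(admin, None)
        self._locked_at.pop(admin, None)


def demo() -> dict[str, bool]:
    """Walk both configurations from the note through three failed logins."""
    t0 = datetime(2022, 2, 22, 9, 0)          # constructed timestamp
    timed = AdminLoginGuard(failed_attempts=3, lockout_minutes=15)
    indefinite = AdminLoginGuard(failed_attempts=3, lockout_minutes=0)
    for minute in range(3):
        timed.record_failure("admin", t0 + timedelta(minutes=minute))
        indefinite.record_failure("admin", t0 + timedelta(minutes=minute))
    return {
        "timed_locked_at_10min": timed.is_locked("admin", t0 + timedelta(minutes=10)),
        "timed_locked_at_20min": timed.is_locked("admin", t0 + timedelta(minutes=20)),
        "indefinite_locked_after_year": indefinite.is_locked("admin", t0 + timedelta(days=365)),
    }
```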


STEP 7 | Enable the logging disks.

1. Select Panorama > Managed Collectors and edit the Log Collector by clicking its name. The Log Collector name has the same value as the hostname of the Panorama management server.
2. Select Disks and Add each disk pair.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama.

STEP 8 | (Optional) If your deployment is using custom certificates for authentication between Panorama and managed devices, deploy the custom client device certificate. For more information, see Set Up Authentication Using Custom Certificates.
1. Select Panorama > Certificate Management > Certificate Profile and choose the certificate profile from the drop-down or click New Certificate Profile to create one.
2. Select Panorama > Managed Collectors and Add a new Log Collector or select an existing one. Select Communication.
3. Select the type of device certificate from the Type drop-down.
• If you are using a local device certificate, select the Certificate and Certificate Profile from the respective drop-downs.
• If you are using SCEP as the device certificate, select the SCEP Profile and Certificate Profile from the respective drop-downs.
4. Click OK.


STEP 9 | (Optional) Configure Secure Server Communication on a Log Collector. For more information, see Set Up Authentication Using Custom Certificates.
1. Select Panorama > Managed Collectors and click Add. Select Communication.
2. Verify that the Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.

When the Custom Certificate Only check box is selected, the Log Collector does not authenticate and cannot receive logs from devices using predefined certificates.
3. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between the Log Collector and devices sending it logs.
4. Select the certificate profile from the Certificate Profile drop-down.
5. Select Authorize Client Based on Serial Number to have the server check clients against the serial numbers of managed devices. The client certificate must have the special keyword $UDID set as the CN to authorize based on serial numbers.
6. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes.

The disconnect wait time does not begin counting down until you commit the new configuration.
7. (Optional) Configure an authorization list.
1. Add an Authorization List.
2. Select the Subject or Subject Alt Name as the Identifier type.
3. Specify an identifier of the selected type.
4. Click OK.
5. Enable the Log Collector to Check Authorization List to enforce the authorization list.
8. Click OK.
9. Select Commit > Commit to Panorama.

STEP 10 | Verify your changes.

1. Verify that the Panorama > Managed Collectors page lists the Log Collector you added. The Connected column displays a check mark to indicate that the Log Collector is connected to Panorama. You might have to wait a few minutes before the page displays the updated connection status.

Until you Configure a Collector Group and push configuration changes to the Collector Group, the Configuration Status column displays Out of Sync, the Run Time Status column displays disconnected, and the CLI command show interface all displays the interfaces as down.
2. Click Statistics in the last column to verify that the logging disks are enabled.


STEP 11 | Next steps...

Before a Log Collector can receive firewall logs, you must:
1. Configure Log Forwarding to Panorama.
2. Configure a Collector Group—On the M-Series appliances, a default Collector Group is predefined and already contains the local Log Collector as a member. On the Panorama virtual appliance, you must add the Collector Group and add the local Log Collector as a member. On both models, assign firewalls to the local Log Collector for log forwarding.


Configure Authentication for a Dedicated Log Collector

Create and configure enhanced authentication for your Dedicated Log Collector by configuring local administrative users with granular authentication parameters, as well as leveraging RADIUS, TACACS+, or LDAP for authorization and authentication.
When you configure and push administrators from Panorama, you overwrite the existing administrators on the Dedicated Log Collectors with those you configure on Panorama.
• Configure an Administrative Account for a Dedicated Log Collector
• Configure RADIUS Authentication for a Dedicated Log Collector
• Configure TACACS+ Authentication for a Dedicated Log Collector
• Configure LDAP Authentication for a Dedicated Log Collector

Configure an Administrative Account for a Dedicated Log Collector

Create one or more administrators with granular authentication parameters for your Dedicated Log Collector to manage from the Panorama™ management server. Additionally, you can configure from Panorama local administrators that can also be configured directly on the CLI of the Dedicated Log Collector. However, pushing new configuration changes to a Dedicated Log Collector overwrites existing local administrators with the administrators configured for the Dedicated Log Collector.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Managed Collector.

STEP 3 | (Optional) Configure an authentication profile to define the authentication service that validates the login credentials of the administrators who access the Dedicated Log Collector CLI.

STEP 4 | Configure one or more administrator accounts as needed.

The administrator accounts created on Panorama are later imported to the Dedicated Log Collector and managed from Panorama.

You must configure the administrative account with Superuser admin role privileges to successfully configure authentication for the Dedicated Log Collector.


STEP 5 | Configure the authentication for the Dedicated Log Collector.

1. Select Panorama > Managed Collectors and select the Dedicated Log Collector you previously added.
2. (Optional) Select the Authentication Profile you configured in the previous step.
3. Configure the authentication Timeout Configuration for the Dedicated Log Collector.
1. Enter the number of Failed Attempts before a user is locked out of the Dedicated Log Collector CLI.
2. Enter the Lockout Time, in minutes, for which the Dedicated Log Collector locks out a user account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously access the Dedicated Log Collector.
5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
4. Add the Dedicated Log Collector administrators.
Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
1. Add and configure new administrators unique to the Dedicated Log Collector. These administrators are specific to the Dedicated Log Collector for which they are created and you manage these administrators from this table.
2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the Dedicated Log Collector.
5. Click OK to save the Dedicated Log Collector authentication configuration.

STEP 6 | Commit and then Commit and Push your configuration changes.

STEP 7 | Log in to the Panorama CLI of the Dedicated Log Collector to verify you can successfully access the Dedicated Log Collector using the local admin user.

Configure RADIUS Authentication for a Dedicated Log Collector

Use a RADIUS server to authenticate administrative access to the Dedicated Log Collector CLI. You can also define Vendor-Specific Attributes (VSAs) on the RADIUS server to manage administrator authorization. Using VSAs enables you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on the Panorama™ management server.

You can Import the Palo Alto Networks RADIUS dictionary into your RADIUS server to define the authentication attributes needed for communication between Panorama and the RADIUS server.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Managed Collector.

STEP 3 | Configure RADIUS authentication.

Administrator accounts configured for RADIUS authentication are required to have Superuser admin role privileges to successfully configure authentication for the Dedicated Log Collector.

1. Add a RADIUS server profile.
The profile defines how the Dedicated Log Collector connects to the RADIUS server.
1. Select Panorama > Server Profiles > RADIUS and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1–20).
4. Select the Authentication Protocol (default is CHAP) that the Dedicated Log Collector uses to authenticate to the RADIUS server.

Select CHAP if the RADIUS server supports that protocol; it is more secure than PAP.
5. Add each RADIUS server and enter the following:
1. Name to identify the server.
2. RADIUS Server IP address or FQDN.
3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
4. Server Port for authentication requests (default is 1812).
6. Click OK to save the server profile.
2. Assign the RADIUS server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of administrators.
1. Select Panorama > Authentication Profile and Add a profile.
2. Enter a Name to identify the authentication profile.
3. Set the Type to RADIUS.
4. Select the Server Profile you configured.
5. Select Retrieve user group from RADIUS to collect user group information from VSAs defined on the RADIUS server. Panorama matches the group information against the groups you specify in the Allow List of the authentication profile.
6. Select Advanced and, in the Allow List, Add the administrators that are allowed to authenticate with this authentication profile.
7. Click OK to save the authentication profile.


STEP 4 | Configure the authentication for the Dedicated Log Collector.

1. Select Panorama > Managed Collectors and select the Dedicated Log Collector you previously added.
2. Select the Authentication Profile you configured in the previous step. If a global authentication profile is not assigned, you must assign an authentication profile to each individual local administrator to leverage remote authentication.
3. Configure the authentication Timeout Configuration for the Dedicated Log Collector.
1. Enter the number of Failed Attempts before a user is locked out of the Dedicated Log Collector CLI.
2. Enter the Lockout Time, in minutes, for which the Dedicated Log Collector locks out a user account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously access the Dedicated Log Collector.
5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
4. Add the Dedicated Log Collector administrators.
Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
1. Add and configure new administrators unique to the Dedicated Log Collector. These administrators are specific to the Dedicated Log Collector for which they are created and you manage these administrators from this table.
2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the Dedicated Log Collector.
5. Click OK to save the Dedicated Log Collector authentication configuration.

STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Log in to the Panorama CLI of the Dedicated Log Collector to verify you can successfully access the Dedicated Log Collector using the local admin user.

Configure TACACS+ Authentication for a Dedicated Log Collector

You can use a TACACS+ server to authenticate administrative access to the Dedicated Log Collector CLI. You can also define Vendor-Specific Attributes (VSAs) on the TACACS+ server to manage administrator authorization. Using VSAs enables you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on Panorama.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Managed Collector.

STEP 3 | Configure TACACS+ authentication.

Administrator accounts configured for TACACS+ authentication are required to have Superuser admin role privileges to successfully configure authentication for the Dedicated Log Collector.

1. Add a TACACS+ server profile.
The profile defines how the Dedicated Log Collector connects to the TACACS+ server.
1. Select Panorama > Server Profiles > TACACS+ and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. Enter a Timeout interval in seconds after which an authentication request times out (default is 3; range is 1–20).
4. Select the Authentication Protocol (default is CHAP) that Panorama uses to authenticate to the TACACS+ server.
5. Select CHAP if the TACACS+ server supports that protocol; it is more secure than PAP.
6. Add each TACACS+ server and enter the following:
1. Name to identify the server.
2. TACACS+ Server IP address or FQDN.
3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
4. Server Port for authentication requests (default is 49).
7. Click OK to save the server profile.
2. Assign the TACACS+ server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of administrators.
1. Select Panorama > Authentication Profile and Add a profile.
2. Enter a Name to identify the profile.
3. Set the Type to TACACS+.
4. Select the Server Profile you configured.
5. Select Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server. Panorama matches the group information against the groups you specify in the Allow List of the authentication profile.
6. Select Advanced and, in the Allow List, Add the administrators that are allowed to authenticate with this authentication profile.
7. Click OK to save the authentication profile.


STEP 4 | Configure the authentication for the Dedicated Log Collector.

1. Select Panorama > Managed Collectors and select the Dedicated Log Collector you previously added.
2. Select the Authentication Profile you configured in the previous step. If a global authentication profile is not assigned, you must assign an authentication profile to each individual local administrator to leverage remote authentication.
3. Configure the authentication Timeout Configuration for the Dedicated Log Collector.
1. Enter the number of Failed Attempts before a user is locked out of the Dedicated Log Collector CLI.
2. Enter the Lockout Time, in minutes, for which the Dedicated Log Collector locks out a user account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously access the Dedicated Log Collector.
5. Enter the Max Session Time the administrator can be logged in before being automatically logged out.
4. Add the Dedicated Log Collector administrators.
Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you add admin1 as both a local and Panorama administrator.
1. Add and configure new administrators unique to the Dedicated Log Collector. These administrators are specific to the Dedicated Log Collector for which they are created and you manage these administrators from this table.
2. Add any administrators configured on Panorama. These administrators are created on Panorama and imported to the Dedicated Log Collector.
5. Click OK to save the Dedicated Log Collector authentication configuration.

STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Log in to the Panorama CLI of the Dedicated Log Collector to verify you can successfully access the Dedicated Log Collector using the local admin user.

Configure LDAP Authentication for a Dedicated Log Collector

You can use LDAP to authenticate end users who access the Dedicated Log Collector web interface.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Managed Collector.

STEP 3 | Add an LDAP server profile.

The profile defines how the Dedicated Log Collector connects to the LDAP server.

Administrator accounts configured for LDAP authentication are required to have Superuser admin role privileges to successfully configure authentication for the Dedicated Log Collector.

1. Select Panorama > Server Profiles > LDAP and Add a server profile.
2. Enter a Profile Name to identify the server profile.
3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).

If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
4. Select the server Type.
5. Select the Base DN.
To identify the Base DN of your directory, open the Active Directory Domains and Trusts Microsoft Management Console snap-in and use the name of the top-level domain.
6. Enter the Bind DN and Password to enable the authentication service to authenticate the firewall.

The Bind DN account must have permission to read the LDAP directory.

7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
8. Enter the Retry Interval in seconds (default is 60).
9. (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to Require SSL/TLS secured connection (enabled by default). The protocol that the endpoint uses depends on the server port:
• 389 (default)—TLS (Specifically, the Dedicated Log Collector uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
• 636—SSL
• Any other port—The Dedicated Log Collector first attempts to use TLS. If the directory server doesn't support TLS, the Dedicated Log Collector falls back to SSL.
10. (Optional) For additional security, enable the option to Verify Server Certificate for SSL sessions so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:
• It is in the list of Panorama certificates: Panorama > Certificate Management > Certificates > Device Certificates. If necessary, import the certificate into Panorama.
• The certificate signer is in the list of trusted certificate authorities: Panorama > Certificate Management > Certificates.
11. Click OK to save the server profile.

STEP 4 | Configure the authencaon for the Dedicated Log Collector.


1. Select Panorama > Managed Collectors and select the Dedicated Log Collector you
previously added.
2. Configure the authencaon Timeout Configuraon for the Dedicated Log Collector.
1. Enter the number of Failed Aempts before a user is locked out of the Dedicated Log
Collector CLI.
2. Enter the Lockout Time, in minutes, for which the Dedicated Log Collector locks out a
user account aer that user reaches the configured number of Failed Aempts.
3. Enter the Idle Timeout, in minutes, before the user account is automacally logged
out due to inacvity.
4. Enter the Max Session Count to set how many user accounts can simultaneously
access the Dedicated Log Collector.
5. Enter the Max Session Time the administrator can be logged in before being
automacally logged out.
3. Add the Dedicated Log Collector administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator—but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama

Panorama Administrator's Guide Version Version 10.1 410 ©2022 Palo Alto Networks, Inc.
Manage Log Collecon

commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
• Configure the local administrators.
Configure new administrators unique to the Dedicated Log Collector. These
administrators are specific to the Dedicated Log Collector for which they are created
and you manage these administrators from this table.
1. Add one or more new local administrator.
2. Enter a Name for the local administrator.
3. Assign an Authencaon Profile you previously created.

LDAP authencaon profiles are supported only for individual local


administrators.
4. Enable (check) Use Public Key Authencaon (SSH) to import a public key file for
authencaon.
5. Select a Password Profile to set the expiraon parameters.
• Import exisng Panorama administrators
Import exisng administrators configured on Panorama. These administrators are
configured and managed on Panorama and imported to Dedicated Log Collector.
1. Add an exisng Panorama administrator
4. Click OK to save the Dedicated Log Collector authencaon configuraon.

STEP 5 | Configure the authencaon for the Dedicated Log Collector.


1. Select Panorama > Managed Collectors and select the Dedicated Log Collector you
previously added.
2. Select the Authencaon Profile you configured in the previous step.
3. Configure the authencaon Timeout Configuraon for the Dedicated Log Collector.
1. Enter the number of Failed Aempts before a user is locked out of the Dedicated Log
Collector CLI.
2. Enter the Lockout Time, in minutes, for which the Dedicated Log Collector locks out a
user account aer that user reaches the configured number of Failed Aempts.
3. Enter the Idle Timeout, in minutes, before the user account is automacally logged
out due to inacvity.
4. Enter the Max Session Count to set how many user accounts can simultaneously
access the Dedicated Log Collector.
5. Enter the Max Session Time the administrator can be logged in before being
automacally logged out.
4. Add the Dedicated Log Collector administrators.
You must add the administrator (admin) as either a local administrator or as an imported
Panorama administrator, but not both. The push to managed collectors fails if an
administrator is not added or if the administrator is added as both a local administrator
and as an imported Panorama administrator.
1. Add and configure new administrators unique to the Dedicated Log Collector. These
administrators are specific to the Dedicated Log Collector for which they are created
and you manage these administrators from this table.
2. Add any administrators configured on Panorama. These administrators are created on
Panorama and imported to the Dedicated Log Collector.
5. Click OK to save the Dedicated Log Collector authentication configuration.

STEP 6 | Commit and then Commit and Push your configuration changes.

STEP 7 | Log in to the Panorama CLI of the Dedicated Log Collector to verify you can successfully
access the Dedicated Log Collector using the local admin user.

Manage Collector Groups

A Collector Group is 1 to 16 Log Collectors that operate as a single logical unit for collecting
firewall logs. You must assign at least one Log Collector to a Collector Group for firewalls to
successfully send logs to a Log Collector. Firewall logs are dropped if there is no Collector Group
configured or none of the Log Collectors are assigned to a Collector Group. You can configure a
Collector Group with multiple Log Collectors to ensure log redundancy or to accommodate logging
rates that exceed the capacity of a single Log Collector (see Panorama Models). To understand
the risks and recommended mitigations, see Caveats for a Collector Group with Multiple Log
Collectors.
The M-600, M-500, and M-200 appliances in Panorama mode have a predefined Collector Group
that contains a predefined local Log Collector. You can edit all the settings of the predefined
Collector Group except its name (default).

If you delete a Collector Group, you will lose logs.

Palo Alto Networks recommends preserving the predefined Log Collector and Collector
Group on the Panorama management server, regardless of whether Panorama also
manages Dedicated Log Collectors.
If you switch an M-Series appliance from Panorama mode to Log Collector mode, the
appliance will lose its predefined Collector Group and Log Collector. You would then have
to Set Up the M-Series Appliance as a Log Collector, add it as a managed collector to
Panorama, and configure a Collector Group to contain the managed collector.

• Configure a Collector Group
• Configure Authentication with Custom Certificates Between Log Collectors
• Move a Log Collector to a Different Collector Group
• Remove a Firewall from a Collector Group

Configure a Collector Group

Before configuring Collector Groups, decide whether each one will have a single Log Collector or
multiple Log Collectors (up to 16). A Collector Group with multiple Log Collectors supports higher
logging rates and log redundancy but has the following requirements:
• In any single Collector Group, all the Log Collectors must run on the same Panorama model:
all M-600 appliances, all M-500 appliances, all M-200 appliances, or all Panorama virtual
appliances.
• Log redundancy is available only if each Log Collector has the same number of logging disks. To
add disks to a Log Collector, see Increase Storage on the M-Series Appliance.
• (Best Practice) All Log Collectors in the same Collector Group should be in the same local
area network (LAN). Avoid adding Log Collectors in the same or different wide area networks
(WAN) to the same Collector Group, because network disruptions are much more common there
and may result in log data loss. Additionally, it is recommended that Log Collectors in the same
Collector Group be in close physical proximity to each other to allow Panorama to quickly query
the Log Collectors when needed.

STEP 1 | Perform the following tasks before configuring the Collector Group.
1. Add a Firewall as a Managed Device for each firewall that you will assign to the Collector
Group.
2. Configure a Managed Collector for each Log Collector that you will assign to the
Collector Group.

STEP 2 | Add the Collector Group.

1. Access the Panorama web interface, select Panorama > Collector Groups, and Add a
Collector Group or edit an existing one.
2. Enter a Name for the Collector Group if you are adding one.
You cannot rename an existing Collector Group.
3. Enter the Minimum Retention Period in days (1 to 2,000) for which the Collector Group
will retain firewall logs.
By default, the field is blank, which means the Collector Group retains logs indefinitely.
4. Add Log Collectors (1 to 16) to the Collector Group Members list.
5. (Recommended) Enable log redundancy across collectors if you are adding multiple Log
Collectors to a single Collector Group.
Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable.
Each log will have two copies and each copy will reside on a different Log Collector. For
example, if you have two Log Collectors in the Collector Group, the log is written to both
Log Collectors.
Enabling redundancy creates more logs and therefore requires more storage capacity,
reducing the usable storage capacity by half. When a Collector Group runs out of space, it
deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group,
which reduces its maximum logging rate by half, as each Log Collector must distribute a
copy of each log it receives.

STEP 3 | Assign Log Collectors and firewalls to the Collector Group.

1. Select Device Log Forwarding and Add log forwarding preference lists for the firewalls.
Log data is forwarded over a separate TCP channel. By adding a log forwarding
preference list, you enable the creation of separate TCP connections for forwarding log
data.

A preference list determines the order in which Log Collectors receive logs from
a firewall. If a log forwarding preference list is not assigned, you may encounter
one of the following scenarios:
• If Panorama is in Management Only mode, Panorama drops all incoming logs.
• If the local Log Collector is not configured as a managed collector when
Panorama is in Panorama mode, Panorama drops all incoming logs.
• If the local Log Collector is configured as a managed collector when Panorama
is in Panorama mode, incoming logs are received but Panorama may act
as a bottleneck because all managed firewalls forward logs to the local
Log Collector first before they are redistributed to other available Log Collectors.

1. In the Devices section, Modify the list of firewalls and click OK.
2. In the Collectors section, Add Log Collectors to the preference list.
If you enabled redundancy in Step 2, it is recommended to add at least two Log
Collectors. If you assign multiple Log Collectors, the first one will be the primary; if the
primary becomes unavailable, the firewalls send logs to the next Log Collector in the
list. To change the priority of a Log Collector, select it and Move Up (higher priority) or
Move Down (lower priority).
3. Click OK.

STEP 4 | Define the storage capacity (log quotas) and expiration period for each log type.
1. Return to the General tab and click the Log Storage value.

If the field displays 0MB, verify that you enabled the disk pairs for logging and
committed the changes (see Configure a Managed Collector,Disks tab).
2. Enter the log storage Quota(%) for each log type.
3. Enter the Max Days (expiration period) for each log type (1 to 2,000).
By default, the fields are blank, which means the logs never expire.

STEP 5 | Commit and verify your changes.

1. Select Commit > Commit and Push and then Commit and Push your changes to
Panorama and the Collector Group you configured.
2. Select Panorama > Managed Collectors to verify the Log Collectors in the Collector
Group are:
• Connected to Panorama—The Connected column displays a check mark icon to
indicate that a Log Collector is connected to Panorama.
• Synchronized with Panorama—The Configuration Status column indicates whether a
Log Collector is In Sync (green icon) or Out of Sync (red icon) with Panorama.

STEP 6 | Troubleshoot Connectivity to Network Resources to verify your firewalls successfully
connected to the Log Collector.

STEP 7 | Next steps...

1. Configure Log Forwarding to Panorama.
The Collector Group won't receive firewall logs until you configure the firewalls to
forward to Panorama.
2. (Optional) Configure Log Forwarding from Panorama to External Destinations.
You can configure each Collector Group to forward logs to separate destinations (such as
a syslog server).

Configure Authentication with Custom Certificates Between Log Collectors

Complete the following procedure to configure custom certificates for communication between
Log Collectors. You must configure secure server communication and secure client communication
on each Log Collector in a Collector Group because the server and client roles are chosen
dynamically. Use custom certificates to create a unique chain of trust that ensures mutual
authentication between the members of your Log Collector Group.
For more information about using custom certificates, see How Are SSL/TLS Connections
Mutually Authenticated?
STEP 1 | Obtain key pairs and certificate authority (CA) certificates for each Log Collector.

STEP 2 | Import the CA certificate to validate the identity of the client Log Collector, the server key
pair, and the client key pair for each Log Collector in the Collector Group.
1. Select Panorama > Certificate Management > Certificates > Import.
2. Import the CA certificate, server key pair, and client key pair.
3. Repeat this step for each Log Collector.

STEP 3 | Configure a certificate profile that includes the root CA and intermediate CA for secure
server communication. This certificate profile defines the authentication between Log
Collectors.
1. Select Panorama > Certificate Management > Certificate Profile.
2. Configure a certificate profile.
If you configure an intermediate CA as part of the certificate profile, you must also
include the root CA.

STEP 4 | Configure the certificate profile for secure client communication. You can configure this
profile on each client Log Collector individually or you can push the configuration from
Panorama™ to managed Log Collectors.

If you are using SCEP for the client certificate, configure a SCEP profile instead of a
certificate profile.

1. Select Panorama > Certificate Management > Certificate Profile.
2. Configure a Certificate Profile.

STEP 5 | Configure an SSL/TLS service profile.

1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
2. Configure an SSL/TLS service profile to define the certificate and protocol that the Log
Collectors use for SSL/TLS services.

STEP 6 | After deploying custom certificates on all Log Collectors, enforce custom-certificate
authentication.
1. Select Panorama > Collector Groups and select the Collector Group.
2. On the General tab, Enable secure inter LC Communication.
If you enable secure inter LC communication and your Collector Group includes a local
Log Collector, a link appears stating that the Log Collector on the local Panorama
is using the secure client configuration from Panorama > Secure Communication
Settings. You can click this link to open the Secure Communication Settings dialog and
configure the secure server and secure client settings for the local Log Collector from
there.
3. Click OK.
4. Commit your changes.

STEP 7 | Configure secure server communication on each Log Collector.

1. Select Panorama > Managed Collectors for Dedicated Log Collectors or Panorama
> Setup > Management and Edit the Secure Communication Settings for a Local Log
Collector.
2. For Dedicated Log Collectors, click the Log Collector and select Communications.
3. Enable the Customize Secure Server Communication feature.
4. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This
SSL/TLS service profile applies to all SSL connections between Log Collectors.
5. Select the Certificate Profile from the drop-down.
6. Verify that Custom Certificates Only is disabled (cleared). This allows inter Log
Collector communication to continue with the predefined certificate while you configure
custom certificates.
7. Set the disconnect wait time: the number of minutes Log Collectors wait before
breaking and reestablishing the connection with other Log Collectors. This field is empty
by default (range is 0 to 44,640).
8. (Optional) Configure an authorization list. The authorization list adds an additional
layer of security beyond certificate authentication. The authorization list checks the
client certificate Subject or Subject Alt Name. If the Subject or Subject Alt Name
presented with the client certificate does not match an identifier in the authorization list,
authentication is denied.
1. Add an Authorization List.
2. Select the Subject or Subject Alt Name configured in the certificate profile as the
Identifier type.
3. Enter the Common Name if the identifier is Subject or an IP address, hostname, or
email if the identifier is Subject Alt Name.
4. Click OK.
5. Enable the Check Authorization List option to configure Panorama to enforce the
authorization list.
9. Click OK.
10. Commit your changes.
After committing these changes, the disconnect wait time countdown begins. When the
wait time ends, Log Collectors in the Collector Group cannot connect without the configured
certificates.

STEP 8 | Configure secure client communication on each Log Collector.

1. Select Panorama > Managed Collectors for Dedicated Log Collectors or Panorama
> Setup > Management and Edit the Secure Communication Settings for a Local Log
Collector.
2. For Dedicated Log Collectors, click the Log Collector and select Communications.
3. Under Secure Client Communications, select the Certificate Type, Certificate, and
Certificate Profile from the respective drop-downs.
4. Click OK.
5. Commit your changes.

Move a Log Collector to a Different Collector Group

M-600, M-500, M-200, and Panorama virtual appliances can have one or more Log Collectors in
each Collector Group. You assign Log Collectors to a Collector Group based on the logging rate
and log storage requirements of that Collector Group. If the rates and required storage increase in
a Collector Group, the best practice is to Increase Storage on the M-Series Appliance or Configure
a Collector Group with additional Log Collectors. However, in some deployments, it might be more
economical to move Log Collectors between Collector Groups.

When a Log Collector is local to an M-600, M-500, or M-200 in Panorama mode, move
it only if the appliance is the passive peer in a high availability (HA) configuration. HA
synchronization applies the configurations associated with the new Collector Group. Never
move a Log Collector that is local to the active HA peer.
In any single Collector Group, all the Log Collectors must run on the same Panorama
model: all M-600 appliances, all M-500 appliances, all M-200 appliances, or all Panorama
virtual appliances.
Log redundancy is available only if each Log Collector has the same number of logging
disks. To add disks to a Log Collector, see Increase Storage on the M-Series Appliance.
STEP 1 | Remove the Log Collector from Panorama management.

1. Select Panorama > Collector Groups and edit the Collector Group that contains the Log
Collector you will move.
2. In the Collector Group Members list, select and Delete the Log Collector.
3. Select Device Log Forwarding and, in the Log Forwarding Preferences list, perform the
following steps for each set of firewalls assigned to the Log Collector you will move:
1. In the Devices column, click the link for the firewalls assigned to the Log Collector.
2. In the Collectors column, select and Delete the Log Collector.

To reassign the firewalls, Add the new Log Collector to which they will
forward logs.
3. Click OK twice to save your changes.
4. Select Panorama > Managed Collectors and then select and Delete the Log Collector
you will move.

STEP 2 | Configure a Collector Group.

Add the Log Collector to its new Collector Group and assign firewalls to the Log Collector.

When you push changes to the Collector Group configuration, Panorama starts
redistributing logs across the Log Collectors. This process can take hours for each
terabyte of logs. During the redistribution process, the maximum logging rate is
reduced. In the Panorama > Collector Groups page, the Log Redistribution State
column indicates the completion status of the process as a percentage.

STEP 3 | Configure Log Forwarding to Panorama for the new Collector Group you configured.

STEP 4 | Select Commit > Commit and Push to commit your changes to Panorama and push the
changes to device groups, templates, and Collector Groups if you have not already done so.

Remove a Firewall from a Collector Group

If you use a Panorama virtual appliance in Legacy mode to manage Dedicated Log Collectors, you
have the option to forward firewall logs to Panorama instead of forwarding to the Log Collectors.
For such cases, you must remove the firewall from the Collector Group; the firewall will then
automatically forward its logs to Panorama.

To temporarily remove the log forwarding preference list on the firewall, you can delete
it using the CLI on the firewall. You must, however, remove the assigned firewalls in the
Collector Group configuration on Panorama. Otherwise, the next time you push changes
to the Collector Group, the firewall will be reconfigured to send logs to the assigned Log
Collector.

STEP 1 | Select Panorama > Collector Groups and edit the Collector Group.

STEP 2 | Select Device Log Forwarding, click the firewall in the Devices list, Modify the Devices list,
clear the check box of the firewall, and click OK three times.

STEP 3 | Select Commit > Commit and Push and then Commit and Push your changes to Panorama
and the Collector Group from which you removed the firewall.

Configure Log Forwarding to Panorama

Each firewall stores its log files locally by default and cannot display the logs that reside on other
firewalls. Therefore, to achieve global visibility into the network activity that all your firewalls
monitor, you must forward all firewall logs to Panorama and Use Panorama for Visibility. In cases
where some teams in your organization can achieve greater efficiency by monitoring only the logs
that are relevant to their operations, you can create forwarding filters based on any log attributes
(such as threat type or source user). For example, a security operations analyst who investigates
malware attacks might be interested only in Threat logs with the type attribute set to
wildfire-virus.
The following steps describe how to use Panorama templates and device groups for configuring
multiple firewalls to forward logs.

If Panorama manages firewalls running software versions earlier than PAN-OS 7.0, specify
a WildFire® server from which Panorama can gather analysis information for WildFire
samples that those firewalls submit. Panorama uses the information to complete WildFire
Submissions logs that are missing field values introduced in PAN-OS 7.0. Firewalls running
earlier releases won't populate those fields. To specify the server, select Panorama > Setup
> WildFire, edit the General Settings, and enter the WildFire Private Cloud name. The
default is wildfire-public-cloud, which is the WildFire cloud hosted in the United States.
You can also forward firewall logs to external services (such as a syslog server). For details,
see Log Forwarding Options.

STEP 1 | Add a Device Group for the firewalls that will forward logs.
Panorama requires a device group to push a Log Forwarding profile to firewalls. Create a new
device group or assign the firewalls to an existing device group.

STEP 2 | Add a Template for the firewalls that will forward logs.
Panorama requires a template to push log settings to firewalls. Create a new template or assign
the firewalls to an existing template.
STEP 3 | Create a Log Forwarding profile.

The profile defines the destinations for Traffic, Threat, WildFire Submission, URL Filtering, Data
Filtering, Tunnel and Authentication logs.
1. Select Objects > Log Forwarding, select the Device Group of the firewalls that will
forward logs, and Add a profile.
2. Enter a Name to identify the Log Forwarding profile.
3. Add one or more match list profiles.
The profiles specify log query filters, forwarding destinations, and automatic actions such
as tagging. For each match list profile:
1. Enter a Name to identify the profile.
2. Select the Log Type.
3. In the Filter drop-down, select Filter Builder. Specify the following and then Add each
query:
• Connector logic (and/or)
• Log Attribute
• Operator to define inclusion or exclusion logic
• Attribute Value for the query to match
4. Select Panorama.
4. Click OK to save the Log Forwarding profile.
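How the Filter Builder rows (connector, attribute, operator, value) select logs within a match list profile, shown on the SOC example from this section (Threat logs whose type is wildfire-virus) plus a second row joined by or. This is an added Go example, not code from this guide or from PAN-OS: the eq and neq operator names, the strictly left-to-right evaluation of connectors, the attribute names and the sample log entries are all this example's own assumptions.

```go
package main
import (
	"fmt"
	"strings"
)

// FilterTerm is one Filter Builder row: the connector joining it to the previous
// row (ignored on the first row), the log attribute, the operator and the value.
type FilterTerm struct {
	Connector string // "and" or "or"
	Attribute string
	Operator  string // "eq" (inclusion) or "neq" (exclusion); names are this example's own
	Value     string
}

// MatchList mirrors a match list profile: the log type it applies to and the
// rows that select which logs of that type are forwarded to Panorama.
type MatchList struct {
	Name    string
	LogType string
	Terms   []FilterTerm
}

// LogEntry is a constructed stand-in for a firewall log: type plus flat attributes.
type LogEntry struct {
	LogType string
	Attrs   map[string]string
}

// matches evaluates one row; a missing attribute never satisfies eq and always satisfies neq.
func (t FilterTerm) matches(e LogEntry) (bool, error) {
	v, present := e.Attrs[t.Attribute]
	switch t.Operator {
	case "eq":
		return present && strings.EqualFold(v, t.Value), nil
	case "neq":
		return !present || !strings.EqualFold(v, t.Value), nil
	}
	return false, fmt.Errorf("unsupported operator %q", t.Operator)
}

// Matches reports whether the match list forwards the entry. A match list only
// sees logs of its own Log Type; an empty filter forwards all of them. Rows are
// combined strictly left to right with their connectors (this example's assumption).
func (m MatchList) Matches(e LogEntry) (bool, error) {
	if e.LogType != m.LogType {
		return false, nil
	}
	result := len(m.Terms) == 0
	for i, t := range m.Terms {
		r, err := t.matches(e)
		if err != nil {
			return false, err
		}
		switch {
		case i == 0:
			result = r
		case t.Connector == "and":
			result = result && r
		case t.Connector == "or":
			result = result || r
		default:
			return false, fmt.Errorf("unsupported connector %q", t.Connector)
		}
	}
	return result, nil
}

// forwarded returns, per match list name, the indexes of the entries it would forward.
func forwarded(lists []MatchList, entries []LogEntry) (map[string][]int, error) {
	out := map[string][]int{}
	for _, m := range lists {
		for i, e := range entries {
			ok, err := m.Matches(e)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", m.Name, err)
			}
			if ok {
				out[m.Name] = append(out[m.Name], i)
			}
		}
	}
	return out, nil
}

func main() {
	// The page's SOC example (Threat logs with type wildfire-virus) plus a second row.
	malware := MatchList{Name: "soc-malware", LogType: "threat", Terms: []FilterTerm{
		{Attribute: "type", Operator: "eq", Value: "wildfire-virus"},
		{Connector: "or", Attribute: "severity", Operator: "eq", Value: "critical"},
	}}
	logs := []LogEntry{ // constructed sample logs
		{"threat", map[string]string{"type": "wildfire-virus", "severity": "medium"}},
		{"threat", map[string]string{"type": "vulnerability", "severity": "critical"}},
		{"threat", map[string]string{"type": "url", "severity": "low"}},
		{"traffic", map[string]string{"type": "wildfire-virus"}},
	}
	fmt.Println(forwarded([]MatchList{malware}, logs)) // map[soc-malware:[0 1]] <nil>
}
```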

STEP 4 | Assign the Log Forwarding profile to policy rules and network zones.
Security, Authentication, and DoS Protection rules support log forwarding. In this example, you
assign the profile to a Security rule.
Perform the following steps for each rule that will trigger log forwarding:
1. Select the rulebase (for example, Policies > Security > Pre Rules), select the Device
Group of the firewalls that will forward logs, and edit the rule.
2. Select Actions and select the Log Forwarding profile you created.
3. Set the Profile Type to Profiles or Group, and then select the security profiles or Group
Profile required to trigger log generation and forwarding for:
• Threat logs—Traffic must match any security profile assigned to the rule.
• WildFire logs—Traffic must match a WildFire Analysis profile assigned to the rule.
4. For Traffic logs, select Log At Session Start and/or Log At Session End.
5. Click OK to save the rule.

STEP 5 | Configure the destinations for System logs, Configuration logs, User-ID™ logs, and HIP
Match logs.

Panorama generates Correlation logs based on the firewall logs it receives, rather than
aggregating Correlation logs from firewalls.

1. Select Device > Log Settings and select the Template of the firewalls that will forward
logs.
2. For each log type that the firewall will forward, follow the same procedure as in the step
Add one or more match list profiles.

STEP 6 | (PA-7000 Series firewalls only) Configure a log card interface to perform log forwarding.
When you configure a data port on one of the PA-7000 Series Network Processing Cards
(NPCs) as a Log Card interface, the firewall will automatically begin using this interface to
forward logs to the logging destinations you configure and forward files for WildFire analysis.
Make sure that the interface you configure can reach the log forwarding destinations and the
WildFire cloud, WildFire appliance, or both.

Because PA-7000 Series firewalls can now forward logs to Panorama, Panorama no
longer treats the PA-7000 Series firewalls it manages as Log Collectors. If you have
not configured the PA-7000 Series firewalls to forward logs to Panorama, all logs a
managed PA-7000 Series firewall generates are only viewable from the local firewall
and not from Panorama. If you do not yet have a log forwarding infrastructure that is
capable of handling the logging rate and volume from the PA-7000 Series firewalls,
starting with PAN-OS 8.0.8 you can enable Panorama to directly query PA-7000
Series firewalls when monitoring logs. To use this functionality, both Panorama and the
PA-7000 Series firewalls must be running PAN-OS 8.0.8 or later. Enable Panorama to
directly query PA-7000 Series firewalls by entering the following command from the
Panorama CLI:

> debug reportd send-request-to-7k yes

After running this command, you will be able to view logs for managed PA-7000 Series
firewalls on the Panorama Monitor tab. Additionally, as with all managed devices, you
can also generate reports that include PA-7000 Series log data by selecting Remote
Device Data as the Data Source. If you later decide to enable the PA-7000 Series
firewalls to forward logs to Panorama, you must first disable this option using the
debug reportd send-request-to-7k no command.

1. Select Network > Interfaces > Ethernet, select the Template of the firewalls that will
forward logs, and Add Interface.
2. Select the Slot and Interface Name.
3. Set the Interface Type to Log Card.
4. Enter the IP Address, Default Gateway, and (for IPv4 only) Netmask.
5. Select Advanced and specify the Link Speed, Link Duplex, and Link State.

These fields default to auto, which specifies that the firewall automatically
determines the values based on the connection. However, the minimum
recommended Link Speed for any connection is 1000 (Mbps).
6. Click OK to save your changes.

STEP 7 | Configure Panorama to receive the logs.

If you will forward logs to a Panorama virtual appliance in Legacy mode, you can skip
this step.

1. For each Log Collector that will receive logs, Configure a Managed Collector.
2. Configure a Collector Group to assign firewalls to specific Log Collectors for log
forwarding.

STEP 8 | Commit your configuration changes.

1. Select Commit > Commit and Push and Edit Selections.
2. Select Merge with Device Candidate Config and Include Device and Network Templates,
and click OK.
3. Commit and Push your changes to Panorama and push the changes to the device groups,
templates, and Collector Groups.
4. Verify Log Forwarding to Panorama to confirm that your configuration is successful.

To change the log forwarding mode that the firewalls use to send logs to
Panorama, you can Modify Log Forwarding and Buffering Defaults. You can
also Manage Storage Quotas and Expiration Periods for Logs and Reports.

Configure Syslog Forwarding to External Destinations

In the case of a deployment with a high rate of log generation, you can forward syslogs over an
Ethernet interface to prevent loss of logs and reduce the load on the management interface, which
optimizes management operations.
Syslog forwarding using an Ethernet interface is supported only for a Panorama™ management
server in Panorama mode or in Log Collector mode. Additionally, you can enable syslog forwarding
on only a single interface regardless of whether Panorama is in Panorama mode or Log Collector
mode.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Configure a Managed Collector.

STEP 3 | Configure a Collector Group.

On the M-Series appliance, a default Collector Group is predefined and already contains the
local Log Collector as a member. However, on the Panorama virtual appliance, you must add
the Collector Group and add the local Log Collector as a member. For both configurations, you
need to assign firewalls to a Log Collector for log forwarding.

STEP 4 | Configure a Syslog server profile.

1. Select Panorama > Server Profiles > Syslog and Add a new syslog server profile.
2. Enter a Name for the syslog server profile.
3. For each syslog server, Add the information that Panorama or the Dedicated Log
Collector requires to connect to it:
• Name—Unique name for the syslog server.
• Syslog Server—IP address or fully qualified domain name (FQDN) of the syslog server.
• Transport—Select UDP, TCP, or SSL as the method of communication with the syslog
server.
• Port—The port number to use when sending syslog messages (default is UDP on port
514); you must use the same port number on Panorama and on the Dedicated Log
Collector.
• Format—Select the syslog message format to use: BSD (default) or IETF. Traditionally,
BSD format is sent over UDP and IETF format over TCP or SSL.
• Facility—Select the syslog standard value (default is LOG_USER) used to calculate the
priority (PRI) field in your syslog server implementation. Select the value that maps to
how you use the PRI field to manage your syslogs.
4. (Optional) To customize the format of the syslog messages that Panorama or the
Dedicated Log Collector sends, select Custom Log Format. For details about how to
create custom formats for the various log types, refer to the Common Event Format
Configuration Guide.
5. Click OK to save the syslog server profile.
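To show what the Facility and Format settings above produce on the wire, here is an added Go example (not code from this guide or from Panorama) that computes the PRI field from a facility and severity, renders the same message in BSD and IETF format, and parses the PRI back the way the receiving syslog server does. The hostname panorama-lc1, the PAN-OS tag and the message text are constructed sample values, and the severity is an input to the example, not a description of how Panorama assigns severities.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Facility codes from RFC 5424 section 6.2.1. LOG_USER (1) is the profile
// default; LOG_LOCAL0 to LOG_LOCAL7 are the usual choice when the syslog
// server should route Panorama messages to their own file or pipeline.
var facilities = map[string]int{
	"LOG_KERN": 0, "LOG_USER": 1, "LOG_MAIL": 2, "LOG_DAEMON": 3,
	"LOG_AUTH": 4, "LOG_SYSLOG": 5, "LOG_LPR": 6, "LOG_NEWS": 7,
	"LOG_UUCP": 8, "LOG_CRON": 9, "LOG_AUTHPRIV": 10, "LOG_FTP": 11,
	"LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18, "LOG_LOCAL3": 19,
	"LOG_LOCAL4": 20, "LOG_LOCAL5": 21, "LOG_LOCAL6": 22, "LOG_LOCAL7": 23,
}

// pri computes the PRI field that the profile's Facility setting feeds into:
// facility * 8 + severity, with severity 0 (emergency) to 7 (debug).
func pri(facility string, severity int) (int, error) {
	f, ok := facilities[facility]
	if !ok {
		return 0, fmt.Errorf("unknown facility %q", facility)
	}
	if severity < 0 || severity > 7 {
		return 0, fmt.Errorf("severity %d outside 0-7", severity)
	}
	return f*8 + severity, nil
}

// formatBSD renders the profile's BSD format (RFC 3164):
// <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG. The timestamp has no year or time
// zone, which is why receivers usually record the arrival time as well.
func formatBSD(facility string, severity int, ts time.Time, host, tag, msg string) (string, error) {
	p, err := pri(facility, severity)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("<%d>%s %s %s: %s", p, ts.Format("Jan _2 15:04:05"), host, tag, msg), nil
}

// formatIETF renders the profile's IETF format (RFC 5424):
// <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
// PROCID, MSGID and STRUCTURED-DATA are left as "-" (nil) in this example.
func formatIETF(facility string, severity int, ts time.Time, host, app, msg string) (string, error) {
	p, err := pri(facility, severity)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("<%d>1 %s %s %s - - - %s", p, ts.UTC().Format(time.RFC3339), host, app, msg), nil
}

// parsePRI is the receiving side: it recovers facility and severity from the
// leading <PRI>, which is what a syslog server keys its routing rules on.
func parsePRI(line string) (facility, severity int, err error) {
	end := strings.IndexByte(line, '>')
	if !strings.HasPrefix(line, "<") || end < 2 || end > 4 {
		return 0, 0, fmt.Errorf("malformed PRI in %q", line)
	}
	p, err := strconv.Atoi(line[1:end])
	if err != nil || p < 0 || p > 191 {
		return 0, 0, fmt.Errorf("PRI out of range in %q", line)
	}
	return p / 8, p % 8, nil
}

func main() {
	// Constructed sample values; the severities (6 = informational, 4 = warning) are inputs here.
	ts := time.Date(2022, 2, 22, 3, 4, 5, 0, time.UTC)
	bsd, _ := formatBSD("LOG_USER", 6, ts, "panorama-lc1", "PAN-OS", "constructed sample")
	ietf, _ := formatIETF("LOG_LOCAL3", 4, ts, "panorama-lc1", "PAN-OS", "constructed sample")
	fmt.Println(bsd)            // <14>Feb 22 03:04:05 panorama-lc1 PAN-OS: constructed sample
	fmt.Println(ietf)           // <156>1 2022-02-22T03:04:05Z panorama-lc1 PAN-OS - - - constructed sample
	fmt.Println(parsePRI(ietf)) // 19 4 <nil>
}
```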


STEP 5 | Configure an Ethernet interface for forwarding syslogs.

By default, syslog forwarding is enabled on the management interface and is supported on only
one interface at a time.
• Configure an Ethernet interface on the local Log Collector from the Panorama web
interface.
1. Select Panorama > Setup > Interfaces and select an Ethernet interface.
2. Enable Interface.
3. Configure the Ethernet interface as appropriate.
4. In the Device Management Services section, enable Syslog Forwarding.
5. Select Yes to confirm your syslog forwarding change.

You can enable syslog forwarding on only a single Ethernet interface on the local Log Collector.

6. Click OK to save your changes.
7. Commit and then Commit and Push your configuration changes.

• Configure an Ethernet interface on a Dedicated Log Collector.

1. Select Panorama > Managed Collectors and select a Dedicated Log Collector.
2. Enable Interface.
3. Configure the Ethernet interface as appropriate.
4. In the Log Collection Services section, enable Syslog Forwarding.
5. Select Yes to confirm your syslog forwarding change.

You can enable syslog forwarding on only a single Ethernet interface on the Dedicated Log Collector.

6. Click OK to save your changes.
7. Commit and then Commit and Push your configuration changes.

• Configure an Ethernet interface on the local Log Collector or Dedicated Log Collector from
the Panorama CLI.
To successfully configure syslog forwarding over an Ethernet interface from the CLI, you
must first disable syslog forwarding on the management interface and then enable syslog
forwarding on the Ethernet interface from the CLI. Panorama does not automatically disable
syslog forwarding over the management interface when you enable syslog forwarding on an
Ethernet interface from the CLI, so syslog forwarding continues over the management
interface if you enable it on both the management and Ethernet interfaces.
1. Log in to the Panorama CLI.
2. Enter configuration mode and disable syslog forwarding on the management interface
(the prompt changes from > to # once you are in configuration mode):

admin@Panorama> configure
admin@Panorama# set log-collector <Log Collector Serial Number> deviceconfig system service disable-syslog-forwarding yes

3. Enable syslog forwarding on the Ethernet interface and commit on Panorama:

admin@Panorama# set log-collector <Log Collector Serial Number> deviceconfig system eth<Interface Number> service disable-syslog-forwarding no
admin@Panorama# commit

4. Push the configuration changes to the Collector Group:

admin@Panorama# run commit-all log-collector-config log-collector-group <Collector Group name>

STEP 6 | Configure Log Forwarding to Panorama.

STEP 7 | Configure syslog forwarding from Panorama to a syslog server.

Forward Logs to Cortex Data Lake

Cortex Data Lake is Palo Alto Networks’ cloud-based logging infrastructure. Before you can
configure your managed firewalls to send logs to Cortex Data Lake (previously called the Logging
Service), you need to purchase a license for the volume of logs in your deployment and install the
cloud services plugin. If you already have on-premise Log Collectors, you can use Cortex Data Lake
to complement and augment your existing setup.
You can view logs forwarded to Cortex Data Lake in the last 30 days on Panorama. You cannot
view logs on Panorama if the forwarded logs are more than 30 days old or if you Enable Duplicate
Logging. To view these logs, log in to the hub, navigate to the Cortex Data Lake app, and use the
Explore tab to view the logs older than 30 days.
STEP 1 | Install Panorama Plugins.

STEP 2 | Configure the firewalls to send logs to Cortex Data Lake.


For firewalls running PAN-OS 8.1 or later releases, you can opt to send logs to both Cortex
Data Lake and to your Panorama and on-premise log collection setup when you select Enable
Duplicate Logging (Cloud and On-Premise). When enabled, the firewalls that belong to the
selected Template save a copy of the logs to both locations. You may select either Enable
Duplicate Logging (Cloud and On-Premise) or Enable Cortex Data Lake, but not both.

Verify Log Forwarding to Panorama

Verify log forwarding to Panorama once you Configure Log Forwarding to Panorama or to
Cortex Data Lake to test that your configuration succeeded.
After you configure log forwarding to Log Collectors, managed firewalls open a TCP connection
to all configured Log Collectors. These connections time out every sixty (60) seconds, which does
not indicate that the firewall has lost its connection to the Log Collectors. When you configure log
forwarding to a local or Dedicated Log Collector over a supported Ethernet interface, the firewall
traffic logs show incomplete sessions despite the firewall being able to successfully connect
to the Log Collectors. If you configure log forwarding over the management port, no traffic logs
showing incomplete sessions are generated. Traffic logs showing incomplete sessions are
generated by all firewalls except the PA-5200 and PA-7000 Series firewalls.
STEP 1 | Access the firewall CLI.

STEP 2 | If you configured Log Collectors, verify that each firewall has a log forwarding preference list.

> show log-collector preference-list

If the Collector Group has only one Log Collector, the output will look something like this:

Forward to all: No
Log collector Preference List
Serial Number: 003001000024
IP Address: 10.2.133.48
IPV6 Address: unknown

STEP 3 | Verify that each firewall is forwarding logs.

> show logging-status

For successful forwarding, the output indicates that the log forwarding agent is active.
• For a Panorama virtual appliance, the agent is Panorama.
• For an M-Series appliance, the agent is a LogCollector.
• For Cortex Data Lake, the agent is Log Collection Service, and the output shows that the
‘Log Collection log forwarding agent’ is active and connected to <IP_address>.

STEP 4 | View the average logging rate. The displayed rate will be the average logs/second for the last
five minutes.
• If Log Collectors receive the logs, access the Panorama web interface, select Panorama >
Managed Collectors and click the Statistics link in the far-right column.
• If a Panorama virtual appliance in Legacy mode receives the logs, access the Panorama CLI
and run the following command:

> debug log-collector log-collection-stats show incoming-logs

This command also works on an M-Series appliance.
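The checks in Steps 2 and 3 are easy to script when you have many firewalls. The following Python is an added example, not part of this guide or of PAN-OS: it parses the show log-collector preference-list output in the format shown above and confirms that the log forwarding agent line quoted in Step 3 reports a connection to one of the listed Log Collectors. The sample outputs are constructed from the excerpts on this page; the rest of the show logging-status output is not modelled.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: mirrors the "show log-collector preference-list" output the guide
# shows for a firewall whose Collector Group contains a single Log Collector.
PREFERENCE_LIST_OUTPUT = """\
Forward to all: No
Log collector Preference List
Serial Number: 003001000024
IP Address: 10.2.133.48
IPV6 Address: unknown
"""

# Constructed sample of the one "show logging-status" line the guide says to look for;
# the remainder of that command's output is not reproduced here.
LOGGING_STATUS_OUTPUT = """\
'Log Collection log forwarding agent' is active and connected to 10.2.133.48
"""


@dataclass
class Collector:
    serial: str
    ipv4: str = ""
    ipv6: str = ""


@dataclass
class PreferenceList:
    forward_to_all: bool = False
    collectors: list = field(default_factory=list)


def parse_preference_list(text):
    """Parse the preference list into the Log Collectors the firewall will forward to."""
    result = PreferenceList()
    current = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. the "Log collector Preference List" title line
        key, value = key.strip(), value.strip()
        if key == "Forward to all":
            result.forward_to_all = value.lower() == "yes"
        elif key == "Serial Number":
            current = Collector(serial=value)  # a new collector block starts here
            result.collectors.append(current)
        elif key == "IP Address" and current is not None:
            current.ipv4 = value
        elif key == "IPV6 Address" and current is not None:
            current.ipv6 = value
    return result


# Accept straight or curly quotes around the agent name, as the guide prints it.
AGENT_RE = re.compile(
    r"[‘']Log Collection log forwarding agent[’'] is active and connected to (\S+)"
)


def connected_agent_address(text):
    """Return the address the log forwarding agent is connected to, or None if not active."""
    match = AGENT_RE.search(text)
    return match.group(1) if match else None


def verify_forwarding(preference_output, status_output):
    """Cross-check both commands; returns (ok, list of findings)."""
    findings = []
    prefs = parse_preference_list(preference_output)
    if not prefs.collectors:
        findings.append("preference list contains no Log Collector")
    address = connected_agent_address(status_output)
    if address is None:
        findings.append("log forwarding agent is not active and connected")
    else:
        known = {c.ipv4 for c in prefs.collectors} | {c.ipv6 for c in prefs.collectors}
        if address not in known:
            findings.append(f"agent connected to {address}, which is not in the preference list")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = verify_forwarding(PREFERENCE_LIST_OUTPUT, LOGGING_STATUS_OUTPUT)
    print("OK" if ok else "CHECK: " + "; ".join(findings))
```

The cross-check matters because the two commands answer different questions: the preference list shows where the firewall is configured to send logs, and the agent line shows where it is actually connected; a mismatch usually points to a stale push or a network path that reaches a different Log Collector than intended.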

Modify Log Forwarding and Buffering Defaults

You can define the log forwarding mode that the firewalls use to send logs to Panorama and, when
Panorama is configured in a high availability (HA) configuration, specify which Panorama peer can
receive logs. To access these options, select Panorama > Setup > Management, edit the Logging
and Reporting Settings, and select Log Export and Reporting.
• Define the log forwarding mode on the firewall: The firewalls can forward logs to Panorama
(pertains to both the M-Series appliance and the Panorama virtual appliance) in either Buffered
Log Forwarding mode or Live Mode Log Forwarding mode.

Logging Options

(Best Practice) Buffered Log Forwarding from Device
Default: Enabled
Allows each managed firewall to buffer logs and send the logs at 30-second intervals to
Panorama (not user configurable). Buffered log forwarding is very valuable when the firewall
loses connectivity to Panorama. The firewall buffers log entries to its local hard disk and keeps
a pointer to record the last log entry that was sent to Panorama. When connectivity is restored,
the firewall resumes forwarding logs from where it left off.
The disk space available for buffering depends on the log storage quota for the firewall model
and the volume of logs that are pending roll over. If the firewall was disconnected for a long
time and the last log forwarded was rolled over, all the logs from its local hard disk will be
forwarded to Panorama on reconnection. If the available space on the local hard disk of the
firewall is consumed, the oldest entries are deleted to allow logging of new events.

Live Mode Log Forwarding from Device
This option is enabled when the check box for Buffered Log Forwarding from Device is cleared.
In live mode, the managed firewall sends every log transaction to Panorama at the same time
as it records it on the firewall.
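To make the buffering behaviour described above concrete, here is an added Python model (an illustration written for this page, not PAN-OS code) of a firewall's local log store with a send pointer. It shows the normal resume-from-pointer case and the roll-over case, in which the entry the pointer refers to has already been deleted and everything still on disk is forwarded; the entries rolled over before reconnection are the logs Panorama never receives. The disk quota, entry names and the number of forwarding intervals are constructed inputs.

```python
from collections import deque


class BufferedForwarder:
    """Model of Buffered Log Forwarding from Device (constructed illustration, not PAN-OS code).

    The firewall writes every log to its local disk (a bounded store: when the quota is
    reached the oldest entry is deleted) and keeps a pointer to the first entry not yet
    forwarded to Panorama. Each forwarding interval sends everything from the pointer on.
    """

    def __init__(self, disk_quota):
        self.disk_quota = disk_quota
        self.disk = deque()        # (sequence number, entry), oldest first
        self.next_seq = 0          # sequence number for the next entry recorded
        self.send_pointer = 0      # sequence number of the first entry not yet forwarded
        self.rolled_over = 0       # entries deleted from disk to make room

    def record(self, entry):
        """Write a log entry locally; this happens whether or not Panorama is reachable."""
        if len(self.disk) >= self.disk_quota:
            self.disk.popleft()            # oldest entry rolled over
            self.rolled_over += 1
        self.disk.append((self.next_seq, entry))
        self.next_seq += 1

    def forward(self):
        """Run one forwarding interval while Panorama is reachable.

        Returns (entries forwarded, entries lost). Loss occurs only when the pointer
        itself has been rolled over during an outage: the pointer is then reset to the
        oldest entry on disk and everything still on disk is forwarded.
        """
        oldest_on_disk = self.disk[0][0] if self.disk else self.next_seq
        lost = 0
        if self.send_pointer < oldest_on_disk:
            lost = oldest_on_disk - self.send_pointer
            self.send_pointer = oldest_on_disk
        batch = [entry for seq, entry in self.disk if seq >= self.send_pointer]
        self.send_pointer = self.next_seq
        return batch, lost


def simulate_outage(disk_quota, before_outage, during_outage):
    """Forward once while connected, record logs during an outage, then reconnect.

    Returns (first batch, batch after reconnect, entries lost to roll over).
    """
    firewall = BufferedForwarder(disk_quota)
    for entry in before_outage:
        firewall.record(entry)
    first_batch, _ = firewall.forward()       # connected: everything so far is forwarded
    for entry in during_outage:
        firewall.record(entry)                # disconnected: entries are only buffered to disk
    resumed_batch, lost = firewall.forward()  # reconnected: resume from the pointer
    return first_batch, resumed_batch, lost


if __name__ == "__main__":
    # Outage shorter than the quota: nothing is lost.
    print(simulate_outage(5, ["a", "b"], ["c", "d", "e"]))
    # Outage longer than the quota: "c" is rolled over before reconnection and is never forwarded.
    print(simulate_outage(5, ["a", "b"], ["c", "d", "e", "f", "g", "h"]))
```

The `lost` count is the quantity to watch from a monitoring standpoint: a firewall that stays disconnected long enough for its quota to cycle has a gap in the central log record that no later forwarding can fill, which is why the guide sizes local storage and log volume together.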

• Define log forwarding preference on a Panorama virtual appliance in Legacy mode that is
deployed in a high availability (HA) configuration:
• When logging to a virtual disk, enable logging to the local disk on the primary Panorama
peer only. By default, both Panorama peers in the HA configuration receive logs.

For the PA-5200 and PA-7000 Series firewalls, only the active peer receives logs.

• When logging to an NFS (ESXi server only), enable the firewalls to send only newly
generated logs to a secondary Panorama peer, which is promoted to primary, after a failover.

Logging Options

Only Active Primary Logs to Local Disk
Default: Disabled
Pertains to: Panorama virtual appliance in Legacy mode that is logging to a virtual disk and is
deployed in an HA configuration.
Description: Allows you to configure only the primary Panorama peer to save logs to the local
disk.

Get Only New Logs on Convert to Primary
Default: Disabled
Pertains to: Panorama virtual appliance in Legacy mode that is mounted to a Network File System
(NFS) datastore, runs on a VMware ESXi server, and is deployed in an HA configuration.
Description: With NFS logging, when you have a pair of Panorama servers configured in a high
availability configuration, only the primary Panorama peer mounts the NFS datastore. Therefore,
the firewalls can only send logs to the primary Panorama peer, which can write to the NFS
datastore.
When an HA failover occurs, the Get Only New Logs on Convert to Primary option allows an
administrator to configure the managed firewalls to send only newly generated logs to Panorama.
This event is triggered when the priority of the active-secondary Panorama is promoted to primary
and it can begin logging to the NFS. This behavior is typically enabled to prevent the firewalls
from sending a large volume of buffered logs when connectivity to Panorama is restored after a
significant period of time.

Configure Log Forwarding from Panorama to External Destinations

Panorama enables you to forward logs to external services, including syslog, email, SNMP trap,
and HTTP-based services. Using an external service enables you to receive alerts for important
events, archive monitored information on systems with dedicated long-term storage, and integrate
with third-party security monitoring tools. In addition to forwarding firewall logs, you can forward
the logs that the Panorama management server and Log Collectors generate. The Panorama
management server or Log Collector that forwards the logs converts them to a format that is
appropriate for the destination (syslog message, email notification, SNMP trap, or HTTP payload).

If your Panorama management server is a Panorama virtual appliance in Legacy mode, it
converts and forwards logs to external services without using Log Collectors.
You can also forward logs directly from firewalls to external services: see Log Forwarding
Options.
On a Panorama virtual appliance running Panorama 5.1 or earlier releases, you can use
Secure Copy (SCP) commands from the CLI to export the entire log database to an SCP
server and import it to another Panorama virtual appliance. A Panorama virtual appliance
running Panorama 6.0 or later releases, and M-Series appliances running any release, do
not support these options because the log database on those models is too large for an
export or import to be practical.

To forward logs to external services, start by configuring the firewalls to forward logs to Panorama.
Then you must configure the server profiles that define how Panorama and Log Collectors connect
to the services. Lastly, you assign the server profiles to the log settings of Panorama and to
Collector Groups.
STEP 1 | Configure the firewalls to forward logs to Panorama.
Configure Log Forwarding to Panorama.

STEP 2 | Configure a server profile for each external service that will receive log information.
1. Select Panorama > Server Profiles and select the type of server that will receive the log
data: SNMP Trap, Syslog, Email, or HTTP.
2. Configure the server profile:
• Configure an SNMP Trap server profile. For details on how SNMP works for Panorama
and Log Collectors, refer to SNMP Support.
• Configure a Syslog server profile. If the syslog server requires client authentication,
use the Panorama > Certificate Management > Certificates page to create a
certificate for securing syslog communication over SSL.
• Configure an Email server profile.
• Configure an HTTP server profile.

STEP 3 | Configure destinations for:
• Logs that the Panorama management server and Log Collectors generate.
• Firewall logs that a Panorama virtual appliance in Legacy mode collects.
1. Select Panorama > Log Settings.
2. Add one or more match list profiles for each log type.
The profiles specify log query filters, forwarding destinations, and automatic actions such
as tagging. For each match list profile:
1. Enter a Name to identify the profile.
2. Select the Log Type.
3. In the Filter drop-down, select Filter Builder. Specify the following and then Add each
query:
Connector logic (and/or)
Log Attribute
Operator to define inclusion or exclusion logic
Attribute Value for the query to match
4. Add the server profiles you configured for each external service.
5. Click OK to save the profile.
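A match list profile is, in effect, a boolean filter over log attributes built from the four Filter Builder fields above (connector, attribute, operator, value). The following Python is an added example, not the guide's or PAN-OS's code, that evaluates such a filter over constructed sample System log records so you can see which logs a profile would forward. The attribute names, the text form of the filter, and the choice to bind and tighter than or are assumptions made for this illustration; the page does not specify the actual filter grammar or precedence.

```python
import re

# Constructed sample System logs; attribute names are assumed for illustration only.
SAMPLE_SYSTEM_LOGS = [
    {"seqno": 1, "severity": "critical", "eventid": "ha-failover", "module": "ha"},
    {"seqno": 2, "severity": "high", "eventid": "disk-usage", "module": "general"},
    {"seqno": 3, "severity": "informational", "eventid": "auth-success", "module": "general"},
    {"seqno": 4, "severity": "medium", "eventid": "auth-fail", "module": "general"},
]

# One query term: (attribute operator value), with optional single quotes around the value.
TERM_RE = re.compile(r"\(\s*([\w.-]+)\s+(eq|neq|contains)\s+'?([^')]*?)'?\s*\)")
# The connector logic between terms.
CONNECTOR_RE = re.compile(r"(and|or)\b")


def parse_filter(expression):
    """Parse a filter into OR-groups of AND-ed terms (and binds tighter than or here)."""
    groups, current, pos = [], [], 0
    while pos < len(expression):
        if expression[pos].isspace():
            pos += 1
            continue
        term = TERM_RE.match(expression, pos)
        if term:
            current.append((term.group(1), term.group(2), term.group(3)))
            pos = term.end()
            continue
        connector = CONNECTOR_RE.match(expression, pos)
        if connector:
            if connector.group(1) == "or":
                groups.append(current)  # close the current AND-group
                current = []
            pos = connector.end()
            continue
        raise ValueError(f"unexpected token at offset {pos}: {expression[pos:pos + 10]!r}")
    groups.append(current)
    return groups


def term_matches(term, log):
    """Apply one operator: eq/neq for inclusion or exclusion, contains for substring."""
    attribute, operator, value = term
    actual = str(log.get(attribute, ""))
    if operator == "eq":
        return actual == value
    if operator == "neq":
        return actual != value
    return value in actual  # contains


def matches(groups, log):
    """A log matches when every term of at least one OR-group holds; an empty filter matches all."""
    if not any(groups):
        return True
    return any(all(term_matches(t, log) for t in group) for group in groups if group)


def select_for_forwarding(expression, logs):
    """Return the logs a match list profile with this filter would forward."""
    groups = parse_filter(expression)
    return [log for log in logs if matches(groups, log)]


if __name__ == "__main__":
    rule = "(severity eq critical) or (severity eq high) and (module neq ha)"
    for log in select_for_forwarding(rule, SAMPLE_SYSTEM_LOGS):
        print(log["seqno"], log["eventid"])
```

Running the example with the rule shown selects records 1 and 2 only. Building the filter with exclusion terms (neq) is how you keep a noisy but benign event out of an alerting destination while still forwarding the rest of that severity.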

STEP 4 | Configure destinations for firewall logs that Log Collectors receive.

Each Collector Group can forward logs to different destinations. If the Log Collectors
are local to a high availability (HA) pair of Panorama management servers, you must
log in to each HA peer to configure log forwarding for its Collector Group.

1. Select Panorama > Collector Groups and edit the Collector Group that receives the
firewall logs.
2. (Optional, SNMP trap forwarding only) Select Monitoring and configure the SNMP
settings.
3. Select Collector Log Forwarding and Add configured match list profiles as necessary.
4. Click OK to save your changes to the Collector Group.

STEP 5 | (Syslog forwarding only) If the syslog server requires client authentication and the
firewalls forward logs to Dedicated Log Collectors, assign a certificate that secures syslog
communication over SSL.
Perform the following steps for each Dedicated Log Collector:
1. Select Panorama > Managed Collectors and edit the Log Collector.
2. Select the Certificate for Secure Syslog and click OK.

STEP 6 | (SNMP trap forwarding only) Enable your SNMP manager to interpret traps.
Load the Supported MIBs and, if necessary, compile them. For the specific steps, refer to the
documentation of your SNMP manager.

STEP 7 | Commit and verify your configuration changes.
1. Select Commit > Commit and Push to commit your changes to Panorama and push the
changes to device groups, templates, and Collector Groups.
2. Verify that the external services are receiving the log information:
• Email server—Verify that the specified recipients are receiving logs as email
notifications.
• Syslog server—Refer to the documentation for your syslog server to verify it’s
receiving logs as syslog messages.
• SNMP manager—Refer to the documentation for your SNMP trap server to verify it’s
receiving logs as SNMP traps.
• HTTP server—Verify that the HTTP-based server is receiving logs in the correct
payload format.

Log Collection Deployments

The following topics describe how to configure log collection in the most typical deployments.
Before starting, Plan Your Panorama Deployment according to your current and future logging
needs.

The deployments in these topics all describe Panorama in a high availability (HA)
configuration. Palo Alto Networks recommends HA because it enables automatic recovery
(in case of server failure) of components that are not saved as part of configuration
backups. In HA deployments, the Panorama management server only supports an active/
passive configuration.

• Deploy Panorama with Dedicated Log Collectors
• Deploy Panorama M-Series Appliances with Local Log Collectors
• Deploy Panorama Virtual Appliances with Local Log Collectors
• Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Deploy Panorama with Dedicated Log Collectors

The following figures illustrate Panorama in a distributed log collection deployment. In these
examples, the Panorama management server comprises two M-Series or Panorama virtual
appliances in Panorama mode that are deployed in an active/passive high availability (HA)
configuration. The firewalls send logs to Dedicated Log Collectors (M-Series or Panorama virtual
appliances in Log Collector mode). This is the recommended configuration if the firewalls generate
over 10,000 logs/second.

If you will assign more than one Log Collector to a Collector Group, see Caveats for a
Collector Group with Multiple Log Collectors to understand the requirements, risks, and
recommended mitigations.

Figure 16: Single Dedicated Log Collector Per Collector Group

Figure 17: Multiple Dedicated Log Collectors Per Collector Group

Perform the following steps to deploy Panorama with Dedicated Log Collectors. Skip any steps
you have already performed (for example, the initial setup).

STEP 1 | Perform the initial setup of the Panorama management server (virtual appliances or M-Series
appliances) and the Dedicated Log Collectors.
For each M-Series appliance:
1. Rack mount the M-Series appliance. Refer to the M-Series Hardware Reference Guide for
instructions.
2. Perform Initial Configuration of the M-Series Appliance.

Palo Alto Networks recommends reserving the management (MGT) interface for
administrative access to Panorama and dedicating separate M-Series Appliance
Interfaces to other Panorama services.
3. Configure each array. This task is required to make the RAID disks available for logging.
Optionally, you can add disks to Increase Storage on the M-Series Appliance.
4. Register Panorama and Install Licenses.
5. Install Content and Software Updates for Panorama.
For each virtual appliance (if any):
1. Install the Panorama Virtual Appliance.
2. Perform Initial Configuration of the Panorama Virtual Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.
For the Panorama management server (virtual appliance or M-Series appliance), you must also
Set Up HA on Panorama.

STEP 2 | Switch from Panorama mode to Log Collector mode on each Panorama management server
that will be a Dedicated Log Collector.

Switching the mode of an M-Series or Panorama virtual appliance deletes any existing
log data and deletes all configurations except the management access settings. After
the switch, the M-Series or Panorama virtual appliance retains CLI access but loses
web interface access.

1. Connect to Panorama in one of the following ways:
• (M-Series appliances only) Attach a serial cable from your computer to the Console
port on the M-Series appliance. Then use terminal emulation software (9600-8-N-1)
to connect.
• Use terminal emulation software such as PuTTY to open an SSH session to the IP
address that you specified for the MGT interface of the Panorama management server
during initial configuration.
2. Log in to the CLI when prompted. Use the default admin account and the password that
you specified during initial configuration.
3. Switch to Log Collector mode by entering the following command:

> request system system-mode logger

4. Enter Y to confirm the mode change. The Panorama management server reboots. If
the reboot process terminates your terminal emulation software session, reconnect to
Panorama to see the Panorama login prompt.

If you see a CMS Login prompt, this means the Log Collector has not finished
rebooting. Press Enter at the prompt without typing a username or password.
5. Log back in to the CLI.
6. Verify that the switch to Log Collector mode succeeded:

> show system info | match system-mode

If the mode change succeeded, the output displays:

system-mode: logger

STEP 3 | Enable connectivity between each Log Collector and the Panorama management server.
This step is required before you can enable logging disks on the Log Collectors.
Enter the following commands at the CLI of each Log Collector. <IPaddress1> is for the MGT
interface of the active Panorama and <IPaddress2> is for the MGT interface of the passive
Panorama.

> configure
# set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
# commit
# exit

STEP 4 | Record the serial number of each Log Collector.


You need the serial numbers to add the Log Collectors as managed collectors on the Panorama
management server.
1. At the CLI of each Log Collector, enter the following command to display its serial
number.

> show system info | match serial

2. Record the serial number.

STEP 5 | Add each Log Collector as a managed collector.


Use the web interface of the primary Panorama management server peer to Configure a
Managed Collector:
1. Select Panorama > Managed Collectors and Add the managed collector.
2. In the General tab, enter the serial number (Collector S/N) you recorded for the Log
Collector.
3. Enter the IP address or FQDN of the active and passive Panorama HA peers in the
Panorama Server IP field and Panorama Server IP 2 field respectively. These fields are
required.
4. Select Interfaces, click Management, and configure one or both of the following field
sets for the MGT interface based on the IP protocols of your network.

If you configure a Public IP Address for the interface, Log Collectors in the
Collector Group always use the public IP address for communication within
the Collector Group. To ensure Log Collectors in a Collector Group use the private IP
address to communicate, do not configure a public IP address.

• IPv4—IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
5. (Optional) Select SNMP if you will use an SNMP manager to monitor Log Collector
statistics.
Using SNMP requires additional steps besides configuring the Log Collector (see Monitor
Panorama and Log Collector Statistics Using SNMP).
6. Click OK to save your changes.
7. Select Commit > Commit to Panorama and Commit your changes.
This step is required before you can enable logging disks on the Log Collectors.
8. Verify that the Panorama > Managed Collectors page lists the Log Collector you added.
The Connected column displays a check mark to indicate that the Log Collector is
connected to Panorama. You might have to wait a few minutes before the page displays
the updated connection status.

At this point, the Configuration Status column displays Out of Sync and the Run
Time Status column displays disconnected. The status will change to In Sync and
connected after you configure a Collector Group (Step 9).

STEP 6 | Enable the logging disks on each Log Collector.
Use the web interface of the primary Panorama management server peer to perform these
steps:
1. Select Panorama > Managed Collectors and edit the Log Collector.
2. Select Disks, Add each disk pair, and click OK.
3. Select Commit > Commit to Panorama and Commit your changes.

STEP 7 | (Recommended) Configure the Ethernet1, Ethernet2, Ethernet3, Ethernet4, and Ethernet5
interfaces if the Log Collector will use them for Device Log Collection (receiving logs from
firewalls) and Collector Group Communication.
By default, the Log Collector uses the MGT interface for log collection and Collector Group
communication. Assigning other interfaces to these functions enables you to reserve the MGT
interface for management traffic. In an environment with heavy log traffic, consider using the
10Gbps interfaces (Ethernet4 and Ethernet5) on the M-500 appliance for log collection and
Collector Group communication. To load balance the logging traffic across interfaces, you can
enable Device Log Collection on multiple interfaces.
Use the web interface of the primary Panorama management server peer to perform these
steps for each Log Collector:
1. Select Panorama > Managed Collectors, edit the Log Collector, and select Interfaces.
2. Perform the following steps for each interface:
1. Click the name of the interface to edit it.
2. Select <interface-name> to enable the interface.
3. Complete one or both of the following field sets based on the IP protocols of your
network:
IPv4—IP Address, Netmask, and Default Gateway
IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
4. Select the Device Management Services that the interface supports:
Device Log Collection—You can assign one or more interfaces.
Collector Group Communication—You can assign only one interface.
5. Click OK to save your changes to the interface.
3. Click OK to save your changes to the Log Collector.
4. Select Commit > Commit to Panorama and Commit your changes to the Panorama
configuration.

STEP 8 | Add a Firewall as a Managed Device.
Use the web interface of the primary Panorama management server peer to perform this task
for each firewall that will forward logs to Log Collectors.

STEP 9 | Configure the Collector Group.
If each Collector Group will have one Log Collector, repeat this step for each Collector Group
before continuing.
If you will assign all the Log Collectors to one Collector Group, perform this step only once.
Use the web interface of the primary Panorama management server peer to Configure a
Collector Group:
1. Select Panorama > Collector Groups and Add the Collector Group.
2. Enter a Name to identify the Collector Group.
3. Add one or more Log Collectors to the Collector Group Members list.

In any single Collector Group, all the Log Collectors must run on the same
Panorama model: all M-600 appliances, all M-500 appliances, all M-200
appliances, or all Panorama virtual appliances.
4. (Best Practice) Enable log redundancy across collectors if you add multiple Log
Collectors to a single Collector Group. This option requires each Log Collector to have the
same number of logging disks.
5. (Optional) Select Monitoring and configure the settings if you will use SNMP to monitor
Log Collector statistics and traps.
6. Select Device Log Forwarding and configure the Log Forwarding Preferences list. This list
defines which firewalls forward logs to which Log Collectors. Assign firewalls according
to the number of Log Collectors in this Collector Group:
• Single—Assign the firewalls that will forward logs to that Log Collector, as illustrated in
Single Dedicated Log Collector Per Collector Group.
• Multiple—Assign each firewall to both Log Collectors for redundancy. When you
configure the preferences, make Log Collector 1 the first priority for half the firewalls
and make Log Collector 2 the first priority for the other half, as illustrated in Multiple
Dedicated Log Collectors Per Collector Group.
7. Click OK to save your changes to the Collector Group.
8. Select Commit > Commit and Push and then Commit and Push your changes to
Panorama and to the Collector Groups you added.
9. Select Panorama > Managed Collectors to verify that the Log Collector configuration is
synchronized with Panorama.
The Configuration Status column should display In Sync and the Run Time Status column
should display connected.
STEP 10 | Configure log forwarding from firewalls to Panorama.
Use the web interface of the primary Panorama management server peer to:
1. Configure Log Forwarding to Panorama.
2. Verify Log Forwarding to Panorama.
3. (Optional) Configure Log Forwarding from Panorama to External Destinations.

Deploy Panorama M-Series Appliances with Local Log Collectors

The following figures illustrate Panorama in a centralized log collection deployment. In these
examples, the Panorama management server comprises two M-Series appliances in Panorama
mode that are deployed in an active/passive high availability (HA) configuration. The firewalls send
logs to the predefined (default) local Log Collector on each Panorama M-Series appliance. This is
the recommended deployment if the firewalls generate up to 10,000 logs/second.

If you will assign more than one Log Collector to a Collector Group, see Caveats for a
Collector Group with Multiple Log Collectors to understand the requirements, risks, and
recommended mitigations.
After implementing this deployment, if the logging rate increases beyond 10,000 logs per
second, Palo Alto Networks recommends that you add Dedicated Log Collectors (M-Series
appliances in Log Collector mode) as described in Deploy Panorama with Dedicated
Log Collectors. Such an expansion might require reassigning firewalls from the local Log
Collectors to Dedicated Log Collectors.

Figure 18: Single Local Log Collector Per Collector Group

Figure 19: Multiple Local Log Collectors Per Collector Group

Perform the following steps to deploy Panorama with local Log Collectors. Skip any steps you have
already performed (for example, the initial setup).
STEP 1 | Perform the initial setup of each M-Series appliance.
1. Rack mount the M-Series appliance. Refer to the M-Series Hardware Reference Guides
for instructions.
2. Perform Initial Configuration of the M-Series Appliance.

Palo Alto Networks recommends reserving the management (MGT) interface for
administrative access to Panorama and dedicating separate M-Series Appliance
Interfaces to other Panorama services.
3. Configure each array. This task is required to make the RAID disks available for logging.
Optionally, you can add disks to Increase Storage on the M-Series Appliance.
4. Register Panorama and Install Licenses.
5. Install Content and Software Updates for Panorama.
6. Set Up HA on Panorama.
STEP 2 | Perform the following steps to prepare Panorama for log collection.
1. Connect to the primary Panorama in one of the following ways:
• Attach a serial cable from your computer to the Console port on the primary
Panorama. Then use terminal emulation software (9600-8-N-1) to connect.
• Use terminal emulation software such as PuTTY to open an SSH session to the IP
address that you specified for the MGT interface of the primary Panorama during
initial configuration.
2. Log in to the CLI when prompted. Use the default admin account and the password that
you specified during initial configuration.
3. Enable the primary Panorama to connect to the secondary Panorama by entering the
following command, where <IPaddress2> represents the MGT interface of the secondary
Panorama:

> configure
# set deviceconfig system panorama-server <IPaddress2>
# commit

4. Log in to the CLI of the secondary Panorama.


5. Enable the secondary Panorama to connect to the primary Panorama by entering the
following command, where <IPaddress1> represents the MGT interface of the primary
Panorama:

> configure
# set deviceconfig system panorama-server <IPaddress1>
# commit
# exit

6. In the CLI of the secondary Panorama, enter the following command to display the serial
number, and then record it:

> show system info | match serial

You need the serial number to add the Log Collector of the secondary Panorama as a
managed collector to the primary Panorama.

STEP 3 | Edit the Log Collector that is local to the primary Panorama.
Use the web interface of the primary Panorama to perform these steps:
1. Select Panorama > Managed Collectors and select the default (local) Log Collector.
2. Select Disks and Add each logging disk pair.
3. Click OK to save your changes.

Panorama Administrator's Guide Version Version 10.1 447 ©2022 Palo Alto Networks, Inc.
Manage Log Collecon

STEP 4 | Configure the Log Collector that is local to the secondary Panorama.

Panorama treats this Log Collector as remote because it’s not local to the primary
Panorama. Therefore you must manually add it on the primary Panorama.

Use the web interface of the primary Panorama to Configure a Managed Collector:
1. Select Panorama > Managed Collectors and Add the Log Collector.
2. Enter the serial number (Collector S/N) you recorded for the Log Collector of the
secondary Panorama.
3. Enter the IP address or FQDN of the primary and secondary Panorama HA peers in the
Panorama Server IP field and Panorama Server IP 2 field respecvely.
Both of these fields are required.
4. Select Interfaces and configure each interface that the Log Collector will use. The
Management interface is required. Perform the following steps for each interface:
1. Click the interface name.
2. Configure one or both of the following field sets based on the IP protocols of your
network.
IPv4—IP Address, Netmask, and Default Gateway
IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
3. (Management interface only) Select SNMP if you will use an SNMP manager to
monitor Log Collector statistics.
Using SNMP requires additional steps besides configuring the Log Collector (see
Monitor Panorama and Log Collector Statistics Using SNMP).
4. Click OK to save your changes to the interface.
5. Click OK to save your changes to the Log Collector.
6. Select Commit > Commit to Panorama and Commit your changes.
This step is required before you can enable logging disks.
7. Edit the Log Collector by clicking its name.
8. Select Disks, Add each RAID disk pair, and click OK.
9. Select Commit > Commit to Panorama and Commit your changes.

STEP 5 | Add a Firewall as a Managed Device.


Use the web interface of the primary Panorama to perform this task for each firewall that will
forward logs to the Log Collectors.

STEP 6 | Edit the default Collector Group that is predefined on the primary Panorama.
Use the web interface of the primary Panorama to Configure a Collector Group:
1. Select Panorama > Collector Groups and edit the default Collector Group.
2. Add the local Log Collector of the secondary Panorama to the Collector Group Members
list if you are adding multiple Log Collectors to a single Collector group. By default, the


list displays the local Log Collector of the primary Panorama because it is pre-assigned to
the default Collector Group.

In any single Collector Group, all the Log Collectors must run on the same
Panorama model: all M-600 appliances, all M-500 appliances, all M-200
appliances, or all Panorama virtual appliances.
3. (Best Practice) Enable log redundancy across collectors if you add multiple Log
Collectors to a single Collector group. This option requires each Log Collector to have the
same number of logging disks.
4. (Optional) Select Monitoring and configure the settings if you will use SNMP to monitor
Log Collector statistics and traps.
5. Select Device Log Forwarding and configure the Log Forwarding Preferences list. This list
defines which firewalls forward logs to which Log Collectors. Assign firewalls according
to the number of Log Collectors in this Collector Group:
• Single—Assign the firewalls that will forward logs to the local Log Collector of the
primary Panorama, as illustrated in Single Local Log Collector Per Collector Group.
• Mulple—Assign each firewall to both Log Collectors for redundancy. When you
configure the preferences, make Log Collector 1 the first priority for half the firewalls
and make Log Collector 2 the first priority for the other half, as illustrated in Mulple
Local Log Collectors Per Collector Group.
6. Click OK to save your changes.

STEP 7 | Configure a Collector Group that contains the Log Collector of the secondary Panorama.
Required if each Collector Group has only one Log Collector.
Use the web interface of the primary Panorama to Configure a Collector Group:
1. Select Panorama > Collector Groups and Add the Collector Group.
2. Enter a Name to identify the Collector Group.
3. Add the local Log Collector of the secondary Panorama to the Collector Group Members
list.
4. (Oponal) Select Monitoring and configure the sengs if you will use an SNMP manager
to monitor Log Collector stascs and traps.
5. Select Device Log Forwarding and Add an entry to the Log Forwarding Preferences list:
1. Modify the Devices list, select the firewalls that will forward logs to the local Log
Collector of the secondary Panorama (see Single Local Log Collector Per Collector
Group), and click OK.
2. Add the local Log Collector of the secondary Panorama to the Collectors list and click
OK.
6. Click OK to save your changes.

STEP 8 | Commit and push your changes to the Panorama configuration and the Collector Groups.
In the web interface of the primary Panorama, select Commit > Commit and Push and then
Commit and Push your changes to Panorama and the Collector Groups you added.


STEP 9 | Manually fail over so that the secondary Panorama becomes active.
Use the web interface of the primary Panorama to perform the following steps:
1. Select Panorama > High Availability.
2. Click Suspend local Panorama in the Operational Commands section.

STEP 10 | On the secondary Panorama, configure the network settings of the Log Collector that is local
to the primary Panorama.
Use the web interface of the secondary Panorama to perform the following steps:
1. In the Panorama web interface, select Panorama > Managed Collectors and select the
Log Collector that is local to the primary Panorama.
2. Enter the IP address or FQDN of the primary and secondary Panorama HA peers in the
Panorama Server IP field and Panorama Server IP 2 field respectively.
Both of these fields are required.
3. Select Interfaces, click Management, and complete one or both of the following field
sets (based on the IP protocols of your network) with the MGT interface values of the
primary Panorama:
• IPv4—IP Address, Netmask, and Default Gateway
• IPv6—IPv6 Address/Prefix Length and Default IPv6 Gateway
4. Click OK to save your changes.
5. Select Commit > Commit and Push and then Commit and Push your changes to
Panorama and the Collector Groups you added.

STEP 11 | Manually fail back so that the primary Panorama becomes active.
Use the web interface of the secondary Panorama to perform the following steps:
1. Select Panorama > High Availability.
2. Click Suspend local Panorama in the Operational Commands section.

STEP 12 | Configure log forwarding from firewalls to Panorama.


Use the web interface of the primary Panorama to:
1. Configure Log Forwarding to Panorama.
2. Verify Log Forwarding to Panorama.
3. (Oponal) Configure Log Forwarding from Panorama to External Desnaons.

You can assign separate external server profiles to each Panorama HA peer. For
example, you might want each peer to forward logs to a different syslog server.
To make each Panorama peer forward logs to different external services, log in to
the web interface of each peer, select Panorama > Collector Groups, select the
Collector Group, select Collector Log Forwarding, assign the server profiles, and
click OK.


Deploy Panorama Virtual Appliances with Local Log Collectors


You can configure firewalls to send logs to a Log Collector that runs locally on a Panorama virtual
appliance in Panorama mode. In a high availability (HA) configuration, each Panorama HA peer can
have a local Log Collector. You can assign the local Log Collectors on the HA peers to the same
Collector Group or to separate Collector Groups, as illustrated in the following figures. Refer to the
Setup Prerequisites for the Panorama Virtual Appliance to review the supported logs per second
when deploying the Panorama virtual appliance with local Log Collectors in a VMware virtual
infrastructure.

If you will assign more than one Log Collector to a Collector Group, see Caveats for a
Collector Group with Multiple Log Collectors to understand the requirements, risks, and
recommended mitigations.

Figure 20: Single Log Collector Per Collector Group


Figure 21: Multiple Log Collectors Per Collector Group

Perform the following steps to deploy Panorama with local Log Collectors. Skip any steps you have
already performed (such as the initial setup).
STEP 1 | Perform the initial setup of each Panorama virtual appliance.
1. Install the Panorama Virtual Appliance. You must configure the following resources to
ensure the virtual appliance starts in Panorama mode:
• System disk with exactly 81GB of storage.
• CPUs and memory that are sufficient for the quantity of logs that Panorama will
receive and store.
• Virtual logging disk with 2–24TB of storage.

Panorama automatically divides the new disk into 2TB partitions, each of which
will function as a separate virtual disk.
2. Perform Initial Configuration of the Panorama Virtual Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.

STEP 2 | Set up the Panorama virtual appliances in an HA configuration.


1. Set Up HA on Panorama.
2. Test Panorama HA Failover.


STEP 3 | Add a Log Collector that is local to the primary Panorama.


On the primary Panorama:
1. Record the Panorama serial number.
1. Access the Panorama web interface.
2. Select Dashboard and record the Serial # in the General Information section.
2. Add the Log Collector as a managed collector.
1. Select Panorama > Managed Collectors and Add a new Log Collector.
2. In the General settings, enter the serial number (Collector S/N) you recorded for
Panorama.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama.
This step is required before you can add the virtual logging disks.
3. Add the virtual logging disks.
1. Select Panorama > Managed Collectors and edit the Log Collector by clicking its
name.
The Log Collector name has the same value as the hostname of the primary
Panorama.
2. Select Disks and Add the virtual logging disks.
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama.


STEP 4 | Add a Log Collector that is local to the secondary Panorama.

Panorama treats this Log Collector as remote because it does not run locally on the
primary Panorama.

1. Record the serial number of the secondary Panorama.


1. Access the web interface of the secondary Panorama.
2. Select Dashboard and record the Serial # in the General Information section.
2. Access the web interface of the primary Panorama.
3. Select Panorama > Managed Collectors and Add the Log Collector.
4. In the General settings, enter the serial number (Collector S/N) you recorded for the
secondary Panorama.
5. Enter the IP address or FQDN of the primary and secondary Panorama HA peers in the
Panorama Server IP field and Panorama Server IP 2 field respectively.
Both of these fields are required.
6. Click OK to save your changes to the Log Collector.
7. Select Commit > Commit to Panorama and Commit your changes.
This step is required before you can add the virtual logging disks.
8. Edit the Log Collector by clicking its name.
The Log Collector name has the same value as the hostname of the secondary Panorama.
9. Select Disks, Add the virtual logging disks, and click OK.
10. Select Commit > Commit to Panorama and Commit your changes.

STEP 5 | Add a Firewall as a Managed Device.


Use the primary Panorama to perform this task for each firewall that will forward logs to the
Log Collectors.


STEP 6 | Configure the Collector Group.


Perform this step once if you will assign both Log Collectors to the same Collector Group.
Otherwise, configure a Collector Group for each Log Collector.
On the primary Panorama:
1. Select Panorama > Collector Groups and Add a Collector Group.
2. Add one or both Log Collectors as Collector Group Members.

In any single Collector Group, all the Log Collectors must run on the same
Panorama model: all M-600 appliances, all M-500 appliances, all M-200
appliances, or all Panorama virtual appliances.
3. (Best Practice) Enable log redundancy across collectors if you add multiple Log
Collectors to a single Collector group. This option requires each Log Collector to have the
same number of virtual logging disks.

Enabling redundancy doubles the amount of logs and log processing traffic in a
Collector Group. If necessary, Expand Log Storage Capacity on the Panorama
Virtual Appliance.
4. Select Device Log Forwarding and configure the Log Forwarding Preferences list. This list
defines which firewalls forward logs to which Log Collectors. Assign firewalls according
to the number of Log Collectors in this Collector Group:
• Single—Assign the firewalls that will forward logs to the Log Collector that is local to
the primary Panorama, as illustrated in Single Log Collector Per Collector Group.
• Mulple—Assign each firewall to both Log Collectors for redundancy. When you
configure the preference list, make Log Collector 1 the first priority for half the
firewalls and make Log Collector 2 the first priority for the other half, as illustrated in
Mulple Log Collectors Per Collector Group.
5. Click OK to save your changes.
6. Select Commit > Commit and Push and then Commit and Push your changes to
Panorama and the Collector Groups you added.
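The Collector Group rules stated in this step and in the earlier M-Series step (one Panorama model per group, equal disk counts when log redundancy is enabled, each firewall listing both Log Collectors with first priority split half and half), modelled in Python as a pre-commit sanity check. This is an added example, not Panorama's own code; the collector, firewall and model names are constructed.

```python
"""Model of the Collector Group rules this guide states, for a pre-commit sanity
check. Added example, not Panorama code; collector, firewall and model names
are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LogCollector:
    name: str
    model: str   # Panorama model label, e.g. "M-600" or "virtual" (constructed)
    disks: int   # number of logging disks (RAID pairs or virtual disks)


@dataclass
class CollectorGroup:
    name: str
    members: list
    log_redundancy: bool = False
    # firewall name -> ordered Log Collector names (index 0 = first priority)
    preferences: dict = field(default_factory=dict)


def build_preferences(firewalls, collectors):
    """Build the Log Forwarding Preferences list the guide describes.

    One collector: every firewall forwards to it. Two collectors: every
    firewall lists both, with first priority alternating so that half the
    firewalls prefer collector 1 and half prefer collector 2.
    """
    names = [c.name for c in collectors]
    if len(names) == 1:
        return {fw: [names[0]] for fw in firewalls}
    if len(names) == 2:
        prefs = {}
        for i, fw in enumerate(sorted(firewalls)):
            order = names if i % 2 == 0 else names[::-1]
            prefs[fw] = list(order)
        return prefs
    raise ValueError("this example covers one or two Log Collectors per group")


def validate_group(group):
    """Return the rule violations found; an empty list means the group passes."""
    problems = []
    if not group.members:
        return ["Collector Group has no Log Collectors"]
    models = {c.model for c in group.members}
    if len(models) > 1:
        problems.append(f"mixed Panorama models in one group: {sorted(models)}")
    if group.log_redundancy:
        if len(group.members) < 2:
            problems.append("log redundancy needs more than one Log Collector")
        if len({c.disks for c in group.members}) > 1:
            problems.append("log redundancy needs the same disk count on every Log Collector")
    names = [c.name for c in group.members]
    first_choice = {n: 0 for n in names}
    for fw, prefs in group.preferences.items():
        unknown = [n for n in prefs if n not in names]
        if unknown:
            problems.append(f"{fw}: lists collectors outside the group: {unknown}")
            continue
        if len(names) == 2 and set(prefs) != set(names):
            problems.append(f"{fw}: should list both Log Collectors for failover")
        if prefs:
            first_choice[prefs[0]] += 1
    if len(names) == 2 and group.preferences:
        counts = sorted(first_choice.values())
        if counts[1] - counts[0] > 1:
            problems.append(f"first-priority load is unbalanced: {first_choice}")
    return problems
```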

STEP 7 | Trigger failover on the primary Panorama so that the secondary Panorama becomes active.
On the primary Panorama:
1. Select Panorama > High Availability.
2. Click Suspend local Panorama in the Operational Commands section.


STEP 8 | Configure the connection from the secondary Panorama to the Log Collector that is local to
the primary Panorama.
On the secondary Panorama:
1. In the Panorama web interface, select Panorama > Managed Collectors and select the
Log Collector that is local to the primary Panorama.
2. Enter the IP address or FQDN of the primary and secondary Panorama HA peers in the
Panorama Server IP field and Panorama Server IP 2 field respectively.
Both of these fields are required.
3. Click OK to save your changes.
4. Select Commit > Commit and Push and then Commit and Push your changes to
Panorama and the Collector Groups.

STEP 9 | Trigger fail-back on the secondary Panorama so that the primary Panorama becomes active.
On the secondary Panorama:
1. Select Panorama > High Availability.
2. Click Suspend local Panorama in the Operational Commands section.

STEP 10 | Configure log forwarding from the firewalls to Panorama.


On the primary Panorama:
1. Configure Log Forwarding to Panorama from firewalls.
2. Verify Log Forwarding to Panorama.

Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection
The following figure illustrates Panorama in a centralized log collection deployment. In this
example, the Panorama management server comprises two Panorama virtual appliances in Legacy
mode that are deployed in an active/passive high availability (HA) configuration. This configuration
suits firewall management within a VMware virtual infrastructure in which Panorama processes up
to 10,000 logs/second. The firewalls send logs to the NFS datastore (ESXi server only) or virtual
disk on the Panorama management server. By default, the active and passive peers both receive
logs, though you can Modify Log Forwarding and Buffering Defaults so that only the active peer
does. For the 5200 and 7000 series firewalls, only the active peer receives logs. By default, the
Panorama virtual appliance in Legacy mode uses approximately 11GB on its internal disk partition
for log storage, though you can Expand Log Storage Capacity on the Panorama Virtual Appliance if
necessary.

If the logging rate increases beyond 10,000 logs per second, it is recommended that you
Deploy Panorama with Dedicated Log Collectors.


Figure 22: Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Perform the following steps to deploy Panorama virtual appliances with local log collection. Skip
any steps you have already performed (for example, the initial setup).
STEP 1 | Perform the initial setup of each Panorama virtual appliance.
1. Install the Panorama Virtual Appliance. To ensure the virtual appliance starts in Panorama
mode, do not add a virtual logging disk during installation.

By default, Panorama uses an 11GB partition on its system disk for log storage.
If you want more storage, you can add a dedicated virtual logging disk of up to
8TB after the installation.
2. Perform Initial Configuration of the Panorama Virtual Appliance.
3. Register Panorama and Install Licenses.
4. Install Content and Software Updates for Panorama.

STEP 2 | Set up the Panorama virtual appliances in an HA configuration.


1. Set Up HA on Panorama.
2. Test Panorama HA Failover.

STEP 3 | Perform the following steps to prepare Panorama for log collection.
1. Add a Firewall as a Managed Device for each one that will forward logs to Panorama.
2. Configure Log Forwarding to Panorama.

STEP 4 | Commit your changes.


Select Commit > Commit to Panorama and Commit your changes.

Manage WildFire Appliances
You can manage up to 200 standalone WildFire appliances and WildFire appliance
cluster nodes centrally using a Panorama M-Series or virtual appliance. Compared
to managing WildFire appliances and appliance clusters individually using the local
CLI, using Panorama provides centralized management and monitoring of multiple
appliances and appliance clusters. Centralized management enables you to push
common configurations, configuration updates, and software upgrades to all or
a subset of the managed WildFire appliances, which makes it easy to ensure that
WildFire appliances and appliance clusters have consistent configurations.
When you use Panorama to manage WildFire appliance clusters, Panorama must run
an equal or later version than the WildFire appliances being managed.

> Add Standalone WildFire Appliances to Manage with Panorama
> Configure Basic WildFire Appliance Settings on Panorama
> Set Up Authentication Using Custom Certificates on WildFire Appliances and
Clusters
> Remove a WildFire Appliance from Panorama Management
> Manage WildFire Clusters


Add Standalone WildFire Appliances to Manage with Panorama
You can manage up to 200 WildFire® appliances with a Panorama® M-Series or virtual appliance.
The WildFire 200-appliance limit is a combined total of standalone appliances and WildFire
appliance cluster nodes (if you also Configure a Cluster and Add Nodes on Panorama).
Ensure that your Panorama server is running PAN-OS® 8.1.0 or a later PAN-OS version, and that
any WildFire appliance you add to your Panorama management server is also running PAN-OS
8.1.0 or a later release.
A device registration authentication key is used to securely authenticate and connect the
Panorama management server and the WildFire appliance on first connect. To configure the device
registration authentication key, specify the key lifetime and the number of times you can use the
authentication key to onboard new WildFire appliances. Additionally, you can specify one or more
WildFire appliance serial numbers for which the authentication key is valid.
The authentication key expires 90 days after the key lifetime expires. After 90 days, you are
prompted to re-certify the authentication key to maintain its validity. If you do not re-certify,
then the authentication key becomes invalid. A system log is generated each time a WildFire
appliance uses the Panorama-generated authentication key. The WildFire appliance uses the
authentication key to authenticate Panorama when it delivers the device certificate that is used
for all subsequent communications.

(PAN-OS 10.1 only) For WildFire appliances running a PAN-OS 10.1 release, Panorama
running PAN-OS 10.1.3 or later release supports onboarding a WildFire appliance running
PAN-OS 10.1.3 or later release only. You cannot add a WildFire appliance running PAN-
OS 10.1.2 or earlier PAN-OS 10.1 release to Panorama management if Panorama is
running PAN-OS 10.1.3 or later release.
Panorama supports onboarding WildFire appliances running the following releases:
• Panorama running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release— WildFire
appliances running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release, and WildFire
appliances running PAN-OS 10.0 or earlier PAN-OS release.
• Panorama running PAN-OS 10.1.3 or later release— WildFire appliances running PAN-
OS 10.1.3 or later release, and WildFire appliances running PAN-OS 10.0 or earlier
PAN-OS release.
There is no impact to WildFire appliances already managed by Panorama on upgrade to
PAN-OS 10.1.

STEP 1 | Using the local CLI, verify that each WildFire appliance that you want to manage on a
Panorama management server is running PAN-OS 8.1.0 or a later release.

admin@qa16> show system info | match version


sw-version: 8.0.1-c45
wf-content-version: 702-283
logdb-version: 8.0.15


STEP 2 | On each Panorama appliance you want to use to manage WildFire appliances, verify that the
Panorama management server is running PAN-OS 8.1.0 or a later release.
Dashboard > General Information > Software Version displays the running software version.

STEP 3 | If you aren’t sure whether a WildFire appliance belongs to a WildFire appliance cluster or is
a standalone appliance, on the local WildFire appliance CLI check the Node mode to ensure
that the status is stand_alone and check the Application status to ensure that the
global-db-service and global-queue-service indicate ReadyStandalone.

admin@WF-500> show cluster membership


Service Summary: wfpc signature
Cluster name:
Address: 10.10.10.100
Host name: WF-500
Node name: wfpc-012345678901-internal
Serial number: 012345678901
Node mode: stand_alone
Server role: True
HA priority:
Last changed: Mon, 06 Mar 2017 16:34:25 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
global-db-service: ReadyStandalone
wildfire-apps-service: Ready
global-queue-service: ReadyStandalone
wildfire-management-service: Done
siggen-db: ReadyMaster
Diag report:
10.10.10.100: reported leader '10.10.10.100', age 0.
10.10.10.100: local node passed sanity check.
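A small checker for the output above, added here as an example and not part of the guide: it parses the text of `show cluster membership`, reports anything that departs from the standalone state this step describes (Node mode stand_alone, global-db-service and global-queue-service ReadyStandalone), and pulls out the serial number that STEP 7 asks you to record. The first sample is constructed from the guide's output; the second, showing a node that has joined a cluster, uses hypothetical placeholder values.

```python
"""Check that a WildFire appliance is standalone before onboarding it to
Panorama, from the text of `show cluster membership`. Added example, not
Palo Alto Networks code; the sample outputs are constructed.
"""
import re

# Constructed from the guide's example output for a standalone WF-500.
SAMPLE_STANDALONE = """\
Service Summary: wfpc signature
Cluster name:
Address: 10.10.10.100
Host name: WF-500
Node name: wfpc-012345678901-internal
Serial number: 012345678901
Node mode: stand_alone
Server role: True
HA priority:
Last changed: Mon, 06 Mar 2017 16:34:25 -0800
Services: wfcore signature wfpc infra
Monitor status:
Serf Health Status: passing
Agent alive and reachable
Application status:
global-db-service: ReadyStandalone
wildfire-apps-service: Ready
global-queue-service: ReadyStandalone
wildfire-management-service: Done
siggen-db: ReadyMaster
Diag report:
10.10.10.100: reported leader '10.10.10.100', age 0.
10.10.10.100: local node passed sanity check.
"""

# Hypothetical output for a node that has joined a cluster; the mode and
# service state strings here are placeholders, not values from the guide.
SAMPLE_CLUSTER_NODE = """\
Service Summary: wfpc signature
Cluster name: wf-cluster-1
Address: 10.10.10.101
Host name: WF-500
Serial number: 012345678902
Node mode: cluster_member_placeholder
Application status:
global-db-service: ReadyClusterPlaceholder
global-queue-service: ReadyClusterPlaceholder
"""

# What the guide says a standalone appliance must report.
STANDALONE_EXPECTED = {
    "node mode": "stand_alone",
    "global-db-service": "ReadyStandalone",
    "global-queue-service": "ReadyStandalone",
}

# `key: value` lines whose key starts with a letter (skips the Diag report
# lines, which start with an IP address).
_FIELD = re.compile(r"^\s*([A-Za-z][^:]*?):\s*(.*?)\s*$")


def parse_membership(output):
    """Return `key: value` lines as a dict; keys lower-cased, first value wins."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields


def standalone_problems(output):
    """List every field that departs from the standalone state (empty = OK)."""
    fields = parse_membership(output)
    return [
        f"{key}: expected {want!r}, found {fields.get(key)!r}"
        for key, want in STANDALONE_EXPECTED.items()
        if fields.get(key) != want
    ]


def is_standalone(output):
    return not standalone_problems(output)


def serial_number(output):
    """The serial number STEP 7 asks you to record for each appliance."""
    return parse_membership(output).get("serial number")
```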

STEP 4 | If the WildFire appliances you want to manage with Panorama are new, check Get
Started with WildFire to ensure that you complete basic steps such as confirming your
WildFire license is acve, enabling logging, connecng firewalls to WildFire appliances, and
configuring basic WildFire features.


STEP 5 | Create a device registration authentication key.


1. Select Panorama > Device Registration Auth Key and Add a new authentication key.
2. Configure the authentication key.
• Name—Add a descriptive name for the authentication key.
• Lifetime—Specify the key lifetime, which is how long you can use the authentication key
to onboard new WildFire appliances.
• Count—Specify how many times you can use the authentication key to onboard new
WildFire appliances.
• Device Type—Specify that the authentication key is used to authenticate Any device.
• (Optional) Devices—Enter one or more device serial numbers to specify for which
WildFire appliances the authentication key is valid.
3. Click OK.

4. Copy Auth Key and Close.

STEP 6 | On the local CLI of each WildFire appliance the Panorama server will manage, configure the
IP address of the Panorama server and add the device registration authentication key.
Before you register standalone WildFire appliances to a Panorama appliance, you must first
configure the Panorama IP address or FQDN and add the device registration authentication
key on each WildFire appliance. This enables each WildFire appliance to securely connect


to the Panorama appliance that manages the WildFire appliance. The device registration
authentication key is used only for the initial connection to the Panorama server.
1. Configure the IP address or FQDN of the management interface for the primary
Panorama server.

admin@WF-500# set deviceconfig system panorama-server <ip-address | FQDN>

2. If you use a backup Panorama appliance for high availability (recommended), configure
the IP address or FQDN of the management interface for the backup Panorama server:

admin@WF-500# set deviceconfig system panorama-server-2 <ip-address | FQDN>

3. Add the device registration authentication key.

admin> request authkey set <auth-key>

STEP 7 | Register WildFire appliances on the primary Panorama appliance.


1. From the Panorama web interface, select Panorama > Managed WildFire Appliances and Add
Appliance.
2. Enter the serial number of each WildFire appliance on a separate line. If you do not have
a list of serial numbers, on each WildFire appliance, run:

admin@WF-500> show system info | match serial


serial: 012345678901

Several local CLI commands display the WildFire appliance serial number, including show
cluster membership.
3. Click OK.
If it is available, information about configuration that is already committed on the
WildFire appliances displays, such as IP address and software version.

STEP 8 | (Optional) Import WildFire appliance configurations into the Panorama appliance.
1. Select the appliances that have configuraons you want to import from the list of
managed WildFire appliances.
2. Import Config.
3. Select Yes.
Importing configurations updates the displayed information and makes the imported
configurations part of the Panorama appliance candidate configuration.
4. Commit to Panorama to make the imported WildFire appliance configurations part of the
Panorama running configuration.


STEP 9 | Configure or confirm the configuration of the WildFire appliance interfaces.


Each WildFire appliance has four interfaces: Management (Ethernet0), Analysis Network
Environment (Ethernet1), Ethernet2, and Ethernet3.
1. Select Panorama > Managed WildFire Appliances and select a WildFire appliance.
2. Select Interfaces.
3. Select an interface to configure or edit it. You can enable the interface, set the speed
and duplex, and configure the IP address and netmask, the default gateway, the MTU,
the DNS server, the link state, and the Management Services for each interface. You can
also Add permitted IP addresses so that an interface accepts traffic only from specified
addresses.
The Analysis Network Environment, Ethernet2, and Ethernet3 interfaces support only
Ping as a Management Services option.
The Management interface supports Ping, SSH, and SNMP as Management Services
options. In addition, the Management interface supports proxy server configuration in
case a direct connection to the internet is not possible.
4. Click OK to save your changes.

STEP 10 | Commit the configuration on the Panorama appliance and push it to the appliance or to
multiple appliances.
1. Commit and Push.
2. If there are configurations on the Panorama appliance that you do not want to push,
Edit Selections to choose the appliances to which you want to push configurations. The
pushed configuration overwrites the running configuration on a WildFire appliance.

STEP 11 | Verify the configuration.


1. Select Panorama > Managed WildFire Appliances.
2. Check the following fields:
• Connected—The state is Connected.
• Role—The role of each WildFire appliance is Standalone.
• Config Status—The status is InSync.
• Last Commit State—Commit succeeded.


Configure Basic WildFire Appliance Settings on Panorama
Configuring basic settings such as content update and WildFire cloud servers, WildFire cloud
services, logging, authentication, and so on, is similar to how you Configure General Cluster
Settings on Panorama. Instead of selecting a cluster and configuring settings on the cluster, select
a WildFire appliance and configure the individual settings for that appliance. Select and configure
each WildFire appliance that you add to Panorama.
Configure the WildFire Appliance describes how to integrate a WildFire appliance into a network
and perform basic setup with the CLI, but the concepts are the same as performing basic setup
using Panorama.

Many settings are pre-populated with either defaults, information from previously existing
settings on the WildFire appliance, or the settings you configured when adding the
WildFire appliance to Panorama.

• Configure Authentication for a WildFire Appliance

Configure Authentication for a WildFire Appliance


Create and configure enhanced authentication for your WildFire appliance by configuring local
administrative users with granular authentication parameters, as well as leveraging RADIUS,
TACACS+, or LDAP for authorization and authentication.
When you configure and push administrators from Panorama, you overwrite the existing
administrators on the WildFire appliance with those you configure on Panorama.
• Configure An Administrative Account for a WildFire Appliance
• Configure RADIUS Authentication for a WildFire Appliance
• Configure TACACS+ Authentication for a WildFire Appliance
• Configure LDAP Authentication for a WildFire Appliance

Configure An Administrative Account for a WildFire Appliance


Create one or more administrators with granular authentication parameters for your WildFire
appliance to manage from the Panorama™ management server. Additionally, you can configure
local administrators from Panorama that can be configured directly on the CLI of the WildFire
appliance. However, pushing new configuration changes to the WildFire appliance overwrites
local administrators with the administrators configured for the WildFire appliance.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Add Standalone WildFire Appliances to Manage with Panorama.

STEP 3 | (Optional) Configure an authentication profile to define the authentication service that
validates the login credentials of the administrators who access the WildFire appliance CLI.


STEP 4 | Configure one or more administrator accounts as needed.


The administrator accounts created on Panorama are later imported to the WildFire appliance
and managed from Panorama.

You must configure the administrative account with Superuser admin role privileges to
successfully configure authentication for the WildFire appliance.

STEP 5 | Configure the authentication for the WildFire appliance.


1. Select Panorama > Managed WildFire Appliance and select the WildFire appliance you
previously added.
2. (Optional) Select the Authentication Profile you configured in the previous step.
3. Configure the authentication Timeout Configuration for the WildFire appliance.
1. Enter the number of Failed Attempts before a user is locked out of the WildFire
appliance CLI.
2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user
account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously
access the WildFire appliance.
5. Enter the Max Session Time the administrator can be logged in before being
automatically logged out.
4. Add the WildFire appliance administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator—but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama


commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
1. Add and configure new administrators unique to the WildFire appliancer. These
administrators are specific to the WildFire appliance for which they are created and
you manage these administrators from this table.
2. Add any administrators configured on Panorama. These administrators are created on
Panorama and imported to the WildFire appliance.
5. Click OK to save the WildFire appliance authencaon configuraon.

STEP 6 | Commit and then Commit and Push your configuraon changes.

STEP 7 | Access the WildFire appliance CLI to verify you can successfully access the WildFire
appliance using the local admin user.


Configure RADIUS Authentication for a WildFire Appliance

Use a RADIUS server to authenticate administrative access to the WildFire appliance CLI. You
can also define Vendor-Specific Attributes (VSAs) on the RADIUS server to manage administrator
authorization. Using VSAs enables you to quickly change the roles, access domains, and user
groups of administrators through your directory service, which is often easier than reconfiguring
settings on the Panorama™ management server.

You can Import the Palo Alto Networks RADIUS dictionary into the RADIUS server to define
the authentication attributes needed for communication between Panorama and the
RADIUS server.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Add Standalone WildFire Appliances to Manage with Panorama.

STEP 3 | Configure RADIUS authentication.

Administrator accounts configured for RADIUS authentication are required to have
Superuser admin role privileges to successfully configure authentication for the
WildFire appliance.

1. Add a RADIUS server profile.
The profile defines how the WildFire appliance connects to the RADIUS server.
   1. Select Panorama > Server Profiles > RADIUS and Add a profile.
   2. Enter a Profile Name to identify the server profile.
   3. Enter a Timeout interval in seconds after which an authentication request times out
   (default is 3; range is 1–20).
   4. Select the Authentication Protocol (default is CHAP) that the WildFire appliance uses
   to authenticate to the RADIUS server.
   Select CHAP if the RADIUS server supports that protocol; it is more secure
   than PAP.
   5. Add each RADIUS server and enter the following:
      1. Name to identify the server.
      2. RADIUS Server IP address or FQDN.
      3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
      4. Server Port for authentication requests (default is 1812).
   6. Click OK to save the server profile.
2. Assign the RADIUS server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of
administrators.
   1. Select Panorama > Authentication Profile and Add a profile.
   2. Enter a Name to identify the authentication profile.
   3. Set the Type to RADIUS.
   4. Select the Server Profile you configured.
   5. Select Retrieve user group from RADIUS to collect user group information from VSAs
   defined on the RADIUS server.
   Panorama matches the group information against the groups you specify in the Allow
   List of the authentication profile.
   6. Select Advanced and, in the Allow List, Add the administrators that are allowed to
   authenticate with this authentication profile.
   7. Click OK to save the authentication profile.
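
The following Go program is an added example; it is not part of this guide or of the Panorama software. It shows what Retrieve user group from RADIUS and the Allow List check amount to on the wire: it decodes the RADIUS Vendor-Specific attribute (type 26, RFC 2865) from a constructed Access-Accept attribute list, keeps only Palo Alto Networks VSAs (IANA enterprise number 25461; PaloAlto-Admin-Role is vendor type 1 and PaloAlto-User-Group is vendor type 5 in the Palo Alto Networks RADIUS dictionary), rejects malformed lengths instead of guessing, and admits the administrator only if a returned user group appears on the allow list. The packet bytes, the group and role strings, and all function names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Vendor ID and vendor-type numbers as defined in the Palo Alto Networks RADIUS dictionary;
// check them against the dictionary you import into your RADIUS server.
const (
	vendorPaloAlto       = 25461
	attrVendorSpecific   = 26 // RADIUS attribute type for VSAs (RFC 2865 section 5.26)
	vsaPaloAltoAdminRole = 1
	vsaPaloAltoUserGroup = 5
)

// VSAValues collects the string values of each Palo Alto vendor type found in a packet's
// attribute list, e.g. VSAValues[vsaPaloAltoUserGroup] = ["wildfire-admins"].
type VSAValues map[byte][]string

// ParsePaloAltoVSAs walks a RADIUS attribute list (the bytes after the 20-byte packet
// header) and extracts Palo Alto Networks VSAs. Other attribute types and other vendors
// are skipped; malformed lengths are rejected rather than guessed at.
func ParsePaloAltoVSAs(attrs []byte) (VSAValues, error) {
	out := VSAValues{}
	for len(attrs) > 0 {
		if len(attrs) < 2 {
			return nil, errors.New("truncated attribute header")
		}
		typ, length := attrs[0], int(attrs[1])
		if length < 2 || length > len(attrs) {
			return nil, fmt.Errorf("attribute %d has invalid length %d", typ, length)
		}
		value := attrs[2:length]
		attrs = attrs[length:]
		if typ != attrVendorSpecific || len(value) < 4 {
			continue
		}
		if binary.BigEndian.Uint32(value[:4]) != vendorPaloAlto {
			continue
		}
		// One VSA may carry several vendor sub-attributes: Vendor-Type, Vendor-Length, data.
		sub := value[4:]
		for len(sub) > 0 {
			if len(sub) < 2 {
				return nil, errors.New("truncated vendor sub-attribute")
			}
			vt, vl := sub[0], int(sub[1])
			if vl < 2 || vl > len(sub) {
				return nil, fmt.Errorf("vendor type %d has invalid length %d", vt, vl)
			}
			out[vt] = append(out[vt], string(sub[2:vl]))
			sub = sub[vl:]
		}
	}
	return out, nil
}

// GroupAllowed mirrors the Allow List check: the administrator is accepted only if at
// least one PaloAlto-User-Group value returned by the server is on the allow list.
func GroupAllowed(v VSAValues, allowList []string) bool {
	for _, g := range v[vsaPaloAltoUserGroup] {
		for _, a := range allowList {
			if g == a {
				return true
			}
		}
	}
	return false
}

// BuildVSA encodes one vendor sub-attribute inside a RADIUS Vendor-Specific attribute.
// It exists only to construct the sample Access-Accept attributes used below.
func BuildVSA(vendorID uint32, vendorType byte, value string) []byte {
	sub := append([]byte{vendorType, byte(2 + len(value))}, value...)
	b := []byte{attrVendorSpecific, byte(2 + 4 + len(sub)), 0, 0, 0, 0}
	binary.BigEndian.PutUint32(b[2:6], vendorID)
	return append(b, sub...)
}

// SampleAccept is a constructed Access-Accept attribute list: a Reply-Message (type 18)
// that the parser must skip, a role VSA and a user-group VSA.
func SampleAccept() []byte {
	attrs := append([]byte{18, byte(2 + len("welcome"))}, "welcome"...)
	attrs = append(attrs, BuildVSA(vendorPaloAlto, vsaPaloAltoAdminRole, "superuser")...)
	attrs = append(attrs, BuildVSA(vendorPaloAlto, vsaPaloAltoUserGroup, "wildfire-admins")...)
	return attrs
}

func main() {
	v, err := ParsePaloAltoVSAs(SampleAccept())
	if err != nil {
		panic(err)
	}
	fmt.Println("role:", v[vsaPaloAltoAdminRole], "groups:", v[vsaPaloAltoUserGroup])
	fmt.Println("allowed:", GroupAllowed(v, []string{"wildfire-admins"}))
}
```

The parser deliberately refuses an attribute whose declared length runs past the buffer instead of clamping it; a lenient decoder would silently accept a truncated or crafted group name, which is exactly the value that decides authorization.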

STEP 4 | Configure the authentication for the WildFire appliance.

1. Select Panorama > Managed WildFire Appliance and select the WildFire appliance you
previously added.
2. Select the Authentication Profile you configured in the previous step.
If a global authentication profile is not assigned, you must assign an authentication profile
to each individual local administrator to leverage remote authentication.
3. Configure the authentication Timeout Configuration for the WildFire appliance.
   1. Enter the number of Failed Attempts before a user is locked out of the WildFire
   appliance CLI.
   2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user
   account after that user reaches the configured number of Failed Attempts.
   3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
   out due to inactivity.
   4. Enter the Max Session Count to set how many user accounts can simultaneously
   access the WildFire appliance.
   5. Enter the Max Session Time the administrator can be logged in before being
   automatically logged out.
4. Add the WildFire appliance administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator, but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama
commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
   1. Add and configure new administrators unique to the WildFire appliance. These
   administrators are specific to the WildFire appliance for which they are created and
   you manage these administrators from this table.
   2. Add any administrators configured on Panorama. These administrators are created on
   Panorama and imported to the WildFire appliance.
5. Click OK to save the WildFire appliance authentication configuration.

STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Access the WildFire appliance CLI to verify you can successfully access the WildFire
appliance using the local admin user.

Configure TACACS+ Authentication for a WildFire Appliance

You can use a TACACS+ server to authenticate administrative access to the WildFire appliance
CLI. You can also define Vendor-Specific Attributes (VSAs) on the TACACS+ server to manage
administrator authorization. Using VSAs enables you to quickly change the roles, access domains,
and user groups of administrators through your directory service, which is often easier than
reconfiguring settings on Panorama.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Add Standalone WildFire Appliances to Manage with Panorama.

STEP 3 | Configure TACACS+ authentication.

Administrator accounts configured for TACACS+ authentication are required to have
Superuser admin role privileges to successfully configure authentication for the
WildFire appliance.

1. Add a TACACS+ server profile.
The profile defines how the WildFire appliance connects to the TACACS+ server.
   1. Select Panorama > Server Profiles > TACACS+ and Add a profile.
   2. Enter a Profile Name to identify the server profile.
   3. Enter a Timeout interval in seconds after which an authentication request times out
   (default is 3; range is 1–20).
   4. Select the Authentication Protocol (default is CHAP) that Panorama uses to
   authenticate to the TACACS+ server.
   5. Select CHAP if the TACACS+ server supports that protocol; it is more secure than
   PAP.
   6. Add each TACACS+ server and enter the following:
      1. Name to identify the server.
      2. TACACS+ Server IP address or FQDN.
      3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
      4. Server Port for authentication requests (default is 49).
   7. Click OK to save the server profile.
2. Assign the TACACS+ server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of
administrators.
   1. Select Panorama > Authentication Profile and Add a profile.
   2. Enter a Name to identify the profile.
   3. Set the Type to TACACS+.
   4. Select the Server Profile you configured.
   5. Select Retrieve user group from TACACS+ to collect user group information from
   VSAs defined on the TACACS+ server.
   Panorama matches the group information against the groups you specify in the Allow
   List of the authentication profile.
   6. Select Advanced and, in the Allow List, Add the administrators that are allowed to
   authenticate with this authentication profile.
   7. Click OK to save the authentication profile.

STEP 4 | Configure the authentication for the WildFire appliance.

1. Select Panorama > Managed WildFire Appliance and select the WildFire appliance you
previously added.
2. Select the Authentication Profile you configured in the previous step.
If a global authentication profile is not assigned, you must assign an authentication profile
to each individual local administrator to leverage remote authentication.
3. Configure the authentication Timeout Configuration for the WildFire appliance.
   1. Enter the number of Failed Attempts before a user is locked out of the WildFire
   appliance CLI.
   2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user
   account after that user reaches the configured number of Failed Attempts.
   3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
   out due to inactivity.
   4. Enter the Max Session Count to set how many user accounts can simultaneously
   access the WildFire appliance.
   5. Enter the Max Session Time the administrator can be logged in before being
   automatically logged out.
4. Add the WildFire appliance administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator, but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama
commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
   1. Add and configure new administrators unique to the WildFire appliance. These
   administrators are specific to the WildFire appliance for which they are created and
   you manage these administrators from this table.
   2. Add any administrators configured on Panorama. These administrators are created on
   Panorama and imported to the WildFire appliance.
5. Click OK to save the WildFire appliance authentication configuration.

STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Access the WildFire appliance CLI to verify you can successfully access the WildFire
appliance using the local admin user.

Configure LDAP Authentication for a WildFire Appliance

You can use LDAP to authenticate end users who access the WildFire appliance CLI.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Add Standalone WildFire Appliances to Manage with Panorama.

STEP 3 | Add an LDAP server profile.

The profile defines how the WildFire appliance connects to the LDAP server.

Administrator accounts configured for LDAP authentication are required to have
Superuser admin role privileges to successfully configure authentication for the
WildFire appliance.

1. Select Panorama > Server Profiles > LDAP and Add a server profile.
2. Enter a Profile Name to identify the server profile.
3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server),
LDAP Server IP address or FQDN, and server Port (default 389).
If you use an FQDN address object to identify the server and you subsequently
change the address, you must commit the change for the new server address to
take effect.
4. Select the server Type.
5. Select the Base DN.
To identify the Base DN of your directory, open the Active Directory Domains and
Trusts Microsoft Management Console snap-in and use the name of the top-level
domain.
6. Enter the Bind DN and Password to enable the authentication service to authenticate
the firewall.
The Bind DN account must have permission to read the LDAP directory.
7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
8. Enter the Retry Interval in seconds (default is 60).
9. (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with
the directory server, enable the option to Require SSL/TLS secured connection (enabled
by default). The protocol that the endpoint uses depends on the server port:
   • 389 (default)—TLS (Specifically, the WildFire appliance uses the StartTLS operation,
   which upgrades the initial plaintext connection to TLS.)
   • 636—SSL
   • Any other port—The WildFire appliance first attempts to use TLS. If the directory
   server doesn't support TLS, the WildFire appliance falls back to SSL.
10. (Optional) For additional security, enable the option to Verify Server Certificate
for SSL sessions so that the endpoint verifies the certificate that the directory server
presents for SSL/TLS connections. To enable verification, you must also enable the
option to Require SSL/TLS secured connection. For verification to succeed, the
certificate must meet one of the following conditions:
   • It is in the list of Panorama certificates: Panorama > Certificate Management >
   Certificates > Device Certificates. If necessary, import the certificate into Panorama.
   • The certificate signer is in the list of trusted certificate authorities: Panorama >
   Certificate Management > Certificates.
11. Click OK to save the server profile.
STEP 4 | Configure the authentication for the WildFire appliance.

1. Select Panorama > Managed WildFire Appliance and select the WildFire appliance you
previously added.
2. Configure the authentication Timeout Configuration for the WildFire appliance.
   1. Enter the number of Failed Attempts before a user is locked out of the WildFire
   appliance CLI.
   2. Enter the Lockout Time, in minutes, for which the WildFire appliance locks out a user
   account after that user reaches the configured number of Failed Attempts.
   3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
   out due to inactivity.
   4. Enter the Max Session Count to set how many user accounts can simultaneously
   access the WildFire appliance.
   5. Enter the Max Session Time the administrator can be logged in before being
   automatically logged out.
3. Add the WildFire appliance administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator, but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama
commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
   • Configure the local administrators.
   Configure new administrators unique to the WildFire appliance. These administrators
   are specific to the WildFire appliance for which they are created and you manage
   these administrators from this table.
      1. Add one or more new local administrators.
      2. Enter a Name for the local administrator.
      3. Assign an Authentication Profile you previously created.
      LDAP authentication profiles are supported only for individual local
      administrators.
      4. Enable (check) Use Public Key Authentication (SSH) to import a public key file for
      authentication.
      5. Select a Password Profile to set the expiration parameters.
   • Import existing Panorama administrators.
   Import existing administrators configured on Panorama. These administrators are
   configured and managed on Panorama and imported to the WildFire appliance.
      1. Add an existing Panorama administrator.
4. Click OK to save the WildFire appliance authentication configuration.
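
The Timeout Configuration fields described in this procedure and in the preceding RADIUS and TACACS+ procedures interact in ways that are easy to misread, so the following Go program is added here as an example (it is not part of this guide or of the WildFire appliance software) that models their effect on a CLI login: Failed Attempts and Lockout Time drive the lockout, Max Session Count caps concurrent sessions, and Idle Timeout and Max Session Time end sessions. The Gate type, its error values, the injected clock and the sample account are constructed for this example; the model treats a zero value as "limit disabled", which is the model's own choice rather than a statement about the appliance.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// TimeoutConfig mirrors the Timeout Configuration fields; in this model a zero value disables that limit.
type TimeoutConfig struct {
	FailedAttempts  int           // consecutive failures before lockout
	LockoutTime     time.Duration // how long the lockout lasts
	IdleTimeout     time.Duration // inactivity before automatic logout
	MaxSessionCount int           // concurrent CLI sessions allowed
	MaxSessionTime  time.Duration // absolute session lifetime
}

var ErrLocked = errors.New("account is locked out")
var ErrBadPassword = errors.New("invalid credentials")
var ErrSessionLimit = errors.New("max session count reached")
var ErrNoSession = errors.New("session expired or unknown")

type account struct {
	password string // constructed sample; a real appliance stores a hash or defers to the auth server
	failures int
	lockedAt time.Time
}

type session struct{ started, lastSeen time.Time }

// Gate is a constructed model of the CLI login path; the clock is injected so tests need not wait.
type Gate struct {
	cfg      TimeoutConfig
	accounts map[string]*account
	sessions map[int]*session
	nextID   int
	now      func() time.Time
}

func NewGate(cfg TimeoutConfig, now func() time.Time) *Gate {
	return &Gate{cfg: cfg, accounts: map[string]*account{}, sessions: map[int]*session{}, now: now}
}

func (g *Gate) AddUser(name, password string) { g.accounts[name] = &account{password: password} }

// reap logs out sessions that exceeded Idle Timeout or Max Session Time.
func (g *Gate) reap() {
	now := g.now()
	for id, s := range g.sessions {
		idle := g.cfg.IdleTimeout > 0 && now.Sub(s.lastSeen) >= g.cfg.IdleTimeout
		tooLong := g.cfg.MaxSessionTime > 0 && now.Sub(s.started) >= g.cfg.MaxSessionTime
		if idle || tooLong {
			delete(g.sessions, id)
		}
	}
}

// Login applies Failed Attempts, Lockout Time and Max Session Count and returns a session ID.
func (g *Gate) Login(user, password string) (int, error) {
	g.reap()
	now := g.now()
	acct, ok := g.accounts[user]
	if !ok {
		return 0, ErrBadPassword // same error as a wrong password: do not reveal valid usernames
	}
	if !acct.lockedAt.IsZero() && now.Sub(acct.lockedAt) < g.cfg.LockoutTime {
		return 0, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(password), []byte(acct.password)) != 1 {
		acct.failures++
		if g.cfg.FailedAttempts > 0 && acct.failures >= g.cfg.FailedAttempts {
			acct.lockedAt, acct.failures = now, 0 // lock now; counting restarts after the lock expires
		}
		return 0, ErrBadPassword
	}
	acct.failures = 0
	if g.cfg.MaxSessionCount > 0 && len(g.sessions) >= g.cfg.MaxSessionCount {
		return 0, ErrSessionLimit
	}
	g.nextID++
	g.sessions[g.nextID] = &session{started: now, lastSeen: now}
	return g.nextID, nil
}

// Touch is called for every CLI command: it refreshes the idle timer or reports expiry.
func (g *Gate) Touch(id int) error {
	g.reap()
	s, ok := g.sessions[id]
	if !ok {
		return ErrNoSession
	}
	s.lastSeen = g.now()
	return nil
}

func main() {
	g := NewGate(TimeoutConfig{FailedAttempts: 3, LockoutTime: 10 * time.Minute}, time.Now)
	g.AddUser("admin1", "constructed-sample-password")
	_, err := g.Login("admin1", "wrong")
	fmt.Println("wrong password:", err)
}
```

Because the clock is injected, the same code can be driven with a fixed time to confirm that the third failure locks admin1, that a login exactly Lockout Time later succeeds, and that an idle session is gone before the Max Session Time would have ended it.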

STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Access the WildFire appliance CLI to verify you can successfully access the WildFire
appliance using the local admin user.

Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters

By default, a WildFire® appliance uses predefined certificates for mutual authentication with
other Palo Alto Networks® firewalls and appliances to establish the SSL connections used for
management access and inter-device communication. However, you can configure authentication
using custom certificates instead. Custom certificates allow you to establish a unique chain
of trust to ensure mutual authentication between your WildFire appliance or WildFire cluster
managed by Panorama™ and firewalls. You can generate these certificates locally on Panorama or
the firewall, obtain them from a trusted third-party certificate authority (CA), or obtain certificates
from an enterprise public key infrastructure (PKI).
For more information about using custom certificates, see How Are SSL/TLS Connections
Mutually Authenticated?
• Configure a Custom Certificate for a Panorama Managed WildFire Appliance
• Configure Authentication with a Single Custom Certificate for a WildFire Cluster
• Apply Custom Certificates on a WildFire Appliance Configured through Panorama

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

If you use Panorama™ to manage your WildFire® appliance or WildFire cluster, you can configure
custom certificate authentication through the Panorama web interface instead of using the WildFire
appliance CLI. The firewall or Panorama uses this connection to forward samples to WildFire for
analysis.
This procedure describes how to install a unique certificate on a single WildFire appliance. If the
WildFire appliance is part of a cluster, that device and each cluster member has a unique client
certificate. To deploy a single certificate to all WildFire appliances in the cluster, see Configure
Authentication with a Single Custom Certificate for a WildFire Cluster.

STEP 1 | Obtain key pairs and certificate authority (CA) certificates for the WildFire appliance and the
firewall.

STEP 2 | Import the CA certificate to validate the identity of the firewall and the key pair for the
WildFire appliance.
1. Select Panorama > Certificate Management > Certificates > Import.
2. Import the CA certificate and the key pair on Panorama.

STEP 3 | Configure a certificate profile that includes the root CA and intermediate CA. This certificate
profile defines how the WildFire appliance and the firewalls authenticate mutually.
1. Select Panorama > Certificate Management > Certificate Profile.
2. Configure a certificate profile.
If you configure an intermediate CA as part of the certificate profile, you must also
include the root CA.

STEP 4 | Configure an SSL/TLS profile for the WildFire appliance.

PAN-OS 8.0 and later releases support only TLS 1.2 and higher, so you must set the max
version to TLS 1.2 or max.

1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
2. Configure an SSL/TLS service profile to define the certificate and protocol that the
WildFire appliance and the firewalls use for SSL/TLS services.

STEP 5 | Configure Secure Server Communication on WildFire.

1. Select Panorama > Managed WildFire Clusters or Panorama > Managed WildFire
Appliances and select a cluster or appliance.
2. Select Communication.
3. Enable the Customize Secure Server Communication feature.
4. Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL
connections between the WildFire appliance and the firewall or Panorama.
5. Select the Certificate Profile you configured for communication between the WildFire
appliance and the firewall or Panorama.
6. Verify that Custom Certificates Only is disabled (cleared). This allows the WildFire
appliance to continue communicating with the firewalls with the predefined certificate
while migrating to custom certificates.
7. (Optional) Configure an authorization list.
   1. Add an Authorization List.
   2. Select the Subject or Subject Alt Name configured in the certificate profile as the
   Identifier type.
   3. Enter the Common Name if the identifier is Subject or enter an IP address, hostname,
   or email if the identifier is Subject Alt Name.
   4. Click OK.
   5. Enable Check Authorization List to enforce the list.
8. Click OK.
9. Commit your changes.
STEP 6 | Import the CA certificate to validate the certificate for the WildFire appliance.
1. Log in to the firewall web interface.
2. Import the CA certificate.

STEP 7 | Configure a local or SCEP certificate for the firewall.

• If you are using a local certificate, import the key pair for the firewall.
• If you are using SCEP for the firewall certificate, configure a SCEP profile.

STEP 8 | Configure the certificate profile for the firewall or Panorama. You can configure this profile on
each client firewall or Panorama appliance individually or you can use a template to push the
configuration from Panorama to managed firewalls.
1. Select Device > Certificate Management > Certificate Profile for firewalls or Panorama >
Certificate Management > Certificate Profile for Panorama.
2. Configure a Certificate Profile.

STEP 9 | Deploy custom certificates on each firewall or Panorama appliance.

1. Log in to the firewall web interface.
2. Select Device > Setup > Management for a firewall or Panorama > Setup > Management
for Panorama and Edit the Secure Communication Settings.
3. Select the Certificate Type, Certificate, and Certificate Profile.
4. In the Customize Communication settings, select WildFire Communication.
5. Click OK.
6. Commit your changes.

STEP 10 | After deploying custom certificates on all managed devices, enforce custom-certificate
authentication.
1. Log in to Panorama.
2. Select Panorama > Managed WildFire Clusters or Panorama > Managed WildFire
Appliances and select a cluster or appliance.
3. Select Communication.
4. Select Custom Certificate Only.
5. Click OK.
6. Commit your changes.
After committing this change, WildFire immediately begins the enforcement of custom
certificates.

Configure Authencaon with a Single Custom Cerficate for a


WildFire Cluster
Instead of assigning unique cerficates to each WildFire® appliance in a cluster, you can assign
a single, shared client cerficate to the enre WildFire cluster, which, in turn, allows you to
push a single cerficate to all WildFire appliances in the cluster instead of configuring separate
cerficates for each cluster member. Because the individual WildFire appliances share a client
cerficate, you must configure a unique hostname (DNS name) for each WildFire appliance.
Then you can add all the hostnames as cerficate aributes to the shared cerficate or use a
one-wildcard string that matches all the custom hostnames on all the WildFire appliances in the
cluster.
To configure a single custom cerficate for your WildFire cluster to use when communicang with
the Panorama™, complete the following procedure.
STEP 1 | Obtain a server key pair and CA cerficate for Panorama.

Panorama Administrator's Guide Version Version 10.1 481 ©2022 Palo Alto Networks, Inc.
Manage WildFire Appliances

STEP 2 | Configure a cerficate profile that includes the root cerficate authority (CA) and the
intermediate CA. This cerficate profile defines the authencaon between the WildFire
cluster (client) and the Panorama appliance (server).
1. Select Panorama > Cerficate Management > Cerficate Profile.
2. Configure a cerficate profile.
If you configure an intermediate CA as part of the cerficate profile, you must also
include the root CA.

STEP 3 | Configure an SSL/TLS service profile.


1. Select Panorama > Cerficate Management > SSL/TLS Service Profile.
2. Configure an SSL/TLS service profile to define the cerficate and protocol that the
WildFire cluster and Panorama appliance use for SSL/TLS services.

STEP 4 | Connect each node in the cluster to Panorama.

STEP 5 | Configure a unique hostname (DNS name) on each node in the cluster or use a string with
a single wildcard that matches all custom DNS names set on the WildFire appliances in the
cluster.
If using a single-wildcard string, see RFC-6125,Secon 6.4.3 for requirements and limitaons
of wildcard string values. Make sure you understand these requirements and limitaons when
configuring your custom DNS names.
1. Log in to the WildFire CLI on a node.
2. Use the following command to assign a unique custom DNS name to the node.

admin@WF-500> configure

admin@WF-500# set deviceconfig setting wildfire custom-dns-


name <dns-name>

3. Commit your change.


4. Repeat this process for each node in the cluster.

STEP 6 | On Panorama, generate a client cerficate for all nodes in the cluster. Under Cerficate
Aributes, add a hostname entry for each custom DNS name you assigned to the cluster
nodes or add one hostname entry with a one-wildcard string that matches all of the node
hostnames, such as *.example.com; you can do this only if each custom DNS name shares a
common string.
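
As an added example, not code from this guide or from Panorama, the following Go program builds a constructed root CA, intermediate CA and shared cluster client certificate whose Subject Alt Name is the single-wildcard string *.wildfire.example.com, then performs the two checks that STEP 5 of Configure a Custom Certificate for a Panorama Managed WildFire Appliance and this section describe: chain validation against a certificate profile that holds the root and intermediate CA, and the Authorization List match on Subject (Common Name) or Subject Alt Name, using the RFC 6125 hostname matching in Go's standard library for the wildcard. The CA names, the wildfire.example.com hostnames and the function names are constructed; the certificate profile is represented by two certificate pools.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuthzEntry mirrors one Authorization List row: "subject" matches the Common Name, "san" the SAN DNS names.
type AuthzEntry struct {
	Identifier string
	Value      string
}

// PoolOf builds a certificate pool; it stands in for the CA entries of a certificate profile.
func PoolOf(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// signCert generates a P-256 key for template and issues it under parent (self-signed when nil).
func signCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain creates a constructed root CA, intermediate CA and client certificate (your own PKI stands in here).
func BuildChain(clientCN string, sans []string) (root, inter, client *x509.Certificate) {
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
	}
	root, rootKey := signCert(tmpl(1, "Constructed Root CA", true), nil, nil)
	inter, interKey := signCert(tmpl(2, "Constructed Intermediate CA", true), root, rootKey)
	leaf := tmpl(3, clientCN, false)
	leaf.DNSNames, leaf.KeyUsage = sans, x509.KeyUsageDigitalSignature
	client, _ = signCert(leaf, inter, interKey)
	return root, inter, client
}

// VerifyClient validates the chain against the profile's CAs, then enforces the Authorization List if enabled.
func VerifyClient(client *x509.Certificate, roots, inters *x509.CertPool, authz []AuthzEntry, enforce bool) error {
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("certificate profile rejected client: %w", err)
	}
	if !enforce {
		return nil
	}
	for _, e := range authz {
		switch e.Identifier {
		case "subject":
			if client.Subject.CommonName == e.Value {
				return nil
			}
		case "san":
			if client.VerifyHostname(e.Value) == nil { // RFC 6125 rules, so *.wildfire.example.com matches
				return nil
			}
		}
	}
	return fmt.Errorf("client %q is not on the authorization list", client.Subject.CommonName)
}

func main() {
	root, inter, client := BuildChain("wf-cluster", []string{"*.wildfire.example.com"})
	authz := []AuthzEntry{{Identifier: "san", Value: "wf-node1.wildfire.example.com"}}
	fmt.Println("root + intermediate:", VerifyClient(client, PoolOf(root), PoolOf(inter), authz, true))
	fmt.Println("root only:", VerifyClient(client, PoolOf(root), PoolOf(), authz, true))
}
```

Two outcomes are worth noting: leaving the intermediate CA out of the pools makes chain validation fail even though the root is trusted, and a.b.wildfire.example.com does not satisfy the wildcard because RFC 6125 lets the asterisk stand for a single label only, which is the limitation STEP 5 points to.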

STEP 7 | On Panorama, configure the certificate profile for the cluster client certificate.
1. Select Panorama > Certificate Management > Certificate Profile for Panorama.
2. Configure a Certificate Profile.

STEP 8 | Deploy custom certificates on each node. This certificate profile must contain the CA
certificate that signed the Panorama server certificate.
1. Select Panorama > Managed WildFire Clusters and click on the cluster name.
2. Select Communications.
3. Under Secure Client Communications, select the Certificate Type, Certificate, and
Certificate Profile.
4. Click OK.
5. Commit your changes.

STEP 9 | Configure secure server communication on Panorama.

1. Select Panorama > Setup > Management and Edit to select Customize Secure Server
Communication.
2. Enable Customize Secure Server Communication.
3. Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL
connections between WildFire and Panorama.
4. Select the Certificate Profile for Panorama.
5. Enable Custom Certificates Only.
6. Click OK.
7. Commit your changes.

Apply Custom Certificates on a WildFire Appliance Configured through Panorama

By default, Panorama™ uses a predefined certificate when communicating with a WildFire®
appliance to push configurations. You can alternatively configure custom certificates to establish
mutual authentication for the connection Panorama uses to push configurations to a managed
WildFire appliance or cluster. Complete the following procedure to configure the server certificate
on Panorama and the client certificate on the WildFire appliance.

STEP 1 | Obtain key pairs and certificate authority (CA) certificates for Panorama and the WildFire
appliance.

STEP 2 | Import the CA certificate to validate the identity of the WildFire appliance and the key pair
for Panorama.
1. Select Panorama > Certificate Management > Certificates > Import.
2. Import the CA certificate and the key pair on Panorama.

STEP 3 | Configure a certificate profile that includes the root CA and intermediate CA. This certificate
profile defines the authentication between the WildFire appliance (client) and the Panorama
virtual or M-Series appliance (server).
1. Select Panorama > Certificate Management > Certificate Profile.
2. Configure a certificate profile.
If you configure an intermediate CA as part of the certificate profile, you must also
include the root CA.

STEP 4 | Configure an SSL/TLS service profile.

1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
2. Configure an SSL/TLS service profile to define the certificate and protocol that the
WildFire and Panorama appliances use for SSL/TLS services.

STEP 5 | Configure secure server communication on the Panorama appliance.

1. Select Panorama > Setup > Management and Edit to select Customize Secure Server
Communication.
2. Enable the Customize Secure Server Communication feature.
3. Select the SSL/TLS Service Profile.
4. Select the certificate profile from the Certificate Profile drop-down.
5. Verify that Custom Certificates Only is disabled (cleared). This allows Panorama to
continue communicating with WildFire with the predefined certificate while migrating to
custom certificates.
6. (Optional) Configure an authorization list.
   1. Add an Authorization List.
   2. Select the Subject or Subject Alt Name configured in the certificate profile as the
   Identifier type.
   3. Enter the Common Name if the identifier is Subject or an IP address, hostname, or
   email if the identifier is Subject Alt Name.
   4. Click OK.
   5. Enable the Check Authorization List option to configure Panorama to enforce the
   authorization list.
7. Click OK.
8. Commit your changes.

STEP 6 | Import the CA certificate to validate the certificate on Panorama.

1. Log in to the Panorama user interface.
2. Import the CA certificate.

STEP 7 | Configure a local or a SCEP certificate for the WildFire appliance.

1. If you are using a local certificate, import the key pair for the WF-500 appliance.
2. If you are using SCEP for the WildFire appliance certificate, configure a SCEP profile.

STEP 8 | Configure the certificate profile for the WildFire appliance.

1. Select Panorama > Certificate Management > Certificate Profile.
2. Configure a certificate profile.

STEP 9 | Deploy custom certificates on each managed WildFire appliance.

1. Log in to Panorama.
2. Select Panorama > Managed WildFire Appliances and click on a cluster or appliance
name.
3. Select Communications.
4. Under Secure Client Communications, select the Certificate Type, Certificate, and
Certificate Profile from the respective drop-downs.
5. Click OK.
6. Commit your changes.

STEP 10 | After deploying custom certificates on all managed WildFire appliances, enforce
custom-certificate authentication.
1. Select Panorama > Setup > Management and Edit the Secure Communications Settings.
2. Allow Custom Certificate Only.
3. Click OK.
4. Commit your changes.
After committing this change, the disconnect wait time begins counting down. When the
wait time ends, Panorama and its managed WildFire appliances cannot connect without the
configured certificates.

Remove a WildFire Appliance from Panorama Management

You can remove WildFire standalone appliances from Panorama management. When you remove
a standalone WildFire appliance from Panorama management, you no longer enjoy the benefits of
centralized management and must manage the appliance using its local CLI and scripts.

STEP 1 | Select Panorama > Managed WildFire Appliances.

STEP 2 | Select the WildFire appliance or appliances you want to remove from Panorama management
by selecting the checkbox next to each appliance or by clicking in an appliance's row.

STEP 3 | Remove the selected WildFire appliances from Panorama management.

Manage WildFire Clusters


A WildFire appliance cluster is an interconnected group of WildFire appliances that pool resources
to increase sample analysis and storage capacity, support larger groups of firewalls and simplify
configuration and management of multiple WildFire appliances. For enhanced security and to
maintain confidentiality of transmitted content, you can also encrypt communications between
WildFire appliances in a cluster. For more information about WildFire clusters and deployment
processes, refer to WildFire Appliance Clusters.
The following tasks can be performed using Panorama to manage your WildFire cluster.
• Configure a Cluster Centrally on Panorama
• View WildFire Cluster Status Using Panorama
• Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on
Panorama
• Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

Configure a Cluster Centrally on Panorama


Before you configure a WildFire appliance cluster on a Panorama M-Series or virtual appliance,
have two WildFire appliances available to configure as a high availability controller node pair and
any additional WildFire appliances needed to serve as worker nodes to increase the analysis,
storage capacity, and resiliency of the cluster.
If the WildFire appliances are new, check Get Started with WildFire to ensure that you complete
basic steps such as confirming your WildFire license is active, enabling logging, connecting
firewalls to WildFire appliances, and configuring basic WildFire features.

To create WildFire appliance clusters, you must upgrade all of the WildFire appliances
that you want to place in a cluster to PAN-OS 8.0.1 or later. If you use Panorama to
manage WildFire appliance clusters, Panorama also must run PAN-OS 8.0.1 or later. On
each WildFire appliance that you want to add to a cluster, run show system info |
match version on the WildFire appliance CLI to ensure that the appliance is running
PAN-OS 8.0.1 or later. On each Panorama appliance you use to manage clusters (or
standalone appliances), Dashboard > General Information > Software Version displays
the running software version.

When your WildFire appliances are available, perform the appropriate tasks:
• Configure a Cluster and Add Nodes on Panorama
• Configure General Cluster Settings on Panorama
• Configure Authentication for a WildFire Cluster
• Remove a Cluster from Panorama Management

Removing a node from a cluster using Panorama is not supported. Instead, Remove a
Node from a Cluster Locally using the local WildFire CLI.


Configure a Cluster and Add Nodes on Panorama


Before configuring a WildFire appliance cluster from Panorama, you must upgrade Panorama to
8.0.1 or later and upgrade all WildFire appliances you plan to add to the cluster to 8.0.1 or later.
All WildFire appliances must run the same version of PAN-OS.
You can manage up to 200 WildFire appliances with a Panorama M-Series or virtual appliance. The
200 WildFire appliance limit is the combined total of standalone appliances and WildFire appliance
cluster nodes (if you also Add Standalone WildFire Appliances to Manage with Panorama). Except
where noted, configuration takes place on Panorama.

Each WildFire appliance cluster node must have a static IP address in the same subnet and
have low-latency connections.

STEP 1 | Using the local CLI, configure the IP address of the Panorama server that will manage the
WildFire appliance cluster.
Before you register cluster or standalone WildFire appliances to a Panorama appliance, you
must first configure the Panorama IP address or FQDN on each WildFire appliance using the
local WildFire CLI. This is how each WildFire appliance knows which Panorama appliance
manages it.
1. On each WildFire appliance, configure the IP address or FQDN of the primary Panorama
appliance’s management interface:

admin@WF-500# set deviceconfig system panorama-server <ip-address | FQDN>

2. On each WildFire appliance, if you use a backup Panorama appliance for high availability
(recommended), configure the IP address or FQDN of the backup Panorama appliance’s
management interface:

admin@WF-500# set deviceconfig system panorama-server-2 <ip-address | FQDN>

3. Commit the configuration on each WildFire appliance:

admin@WF-500# commit

STEP 2 | On the primary Panorama appliance, Register the WildFire appliances.


The newly registered appliances are in standalone mode unless they already belong to a cluster
due to local cluster configuration.
1. Select Panorama > Managed WildFire Appliances and Add Appliance.
2. Enter the serial number of each WildFire appliance on a separate line. If you do not have
a list of WildFire appliance serial numbers, using the local CLI, run show system info
on each WildFire appliance to obtain the serial number.
3. Click OK.
If it is available, information about configuration that is already committed on the
WildFire appliances displays, such as IP address and software version. WildFire
appliances that already belong to a cluster (for example, because of local cluster
configuration) display their cluster information and connection status.

STEP 3 | (Optional) Import WildFire appliance configurations into the Panorama appliance.
Importing configurations saves time because you can reuse or edit the configurations on
Panorama and then push them to one or more WildFire appliance clusters or standalone
WildFire appliances. If there are no configurations you want to import, skip this step. When
you push a configuration from Panorama, the pushed configuration overwrites the local
configuration.
1. Select Panorama > Managed WildFire Appliances, and select the appliances that have
configurations you want to import from the list of managed WildFire appliances.
2. Import Config.
3. Select Yes.
Importing configurations updates the displayed information and makes the imported
configurations part of the Panorama appliance candidate configuration.
4. Commit to Panorama to make the imported WildFire appliance configurations part of the
Panorama running configuration.

STEP 4 | Create a new WildFire appliance cluster.


1. Select Managed WildFire Clusters.
Appliance > No Cluster Assigned displays standalone WildFire appliances (nodes) and
indicates how many available nodes are not assigned to a cluster.
2. Create Cluster.
3. Enter an alphanumeric cluster Name of up to 63 characters in length. The Name can
contain lower-case characters and numbers, and hyphens and periods if they are not the
first or last character. No spaces or other characters are allowed.
4. Click OK.
The new cluster name displays but has no assigned WildFire nodes.

STEP 5 | Add WildFire appliances to the new cluster.


The first WildFire appliance added to the cluster automatically becomes the controller node,
and the second WildFire appliance added to the cluster automatically becomes the controller
backup node. All subsequent WildFire appliances added to the cluster become worker
nodes. Worker nodes use the controller node settings so that the cluster has a consistent
configuration.
1. Select the new cluster.
2. Select Clustering.
3. Browse the list of WildFire appliances that do not belong to clusters.
4. Add each WildFire appliance you want to include in the cluster. You can add up
to twenty nodes to a cluster. Each WildFire appliance that you add to the cluster is
displayed along with its automatically assigned role.
5. Click OK.


STEP 6 | Configure the Management, Analysis Environment Network, HA, and cluster management
interfaces.
Configure the Management, Analysis Environment Network, and cluster management
interfaces on each cluster member (controller and worker nodes) if they are not already
configured. The cluster management interface is a dedicated interface for management and
communication within the cluster and is not the same as the Management interface.
Configure the HA interfaces individually on both the controller node and the controller backup
node. The HA interfaces connect the primary and backup controller nodes and enable them to
remain in sync and ready to respond to a failover.

Cluster nodes need IP addresses for each of the four WildFire appliance interfaces. You
cannot configure HA services on worker nodes.

1. Select the new cluster.
2. Select Clustering.
3. If the management interface is not configured on a cluster node, select Interface Name >
Management and enter the IP address, netmask, services, and other information for the
interface.
4. If the interface for the Analysis Environment Network is not configured on a cluster
node, select Interface Name > Analysis Environment Network and enter the IP address,
netmask, services, and other information for the interface.
5. On both the controller node and controller backup node, select the interface to use for
the HA control link. You must configure the same interface on both controller nodes for
the HA service. For example, on the controller node and then on the controller backup
node, select Ethernet3.
6. For each controller node, select Clustering Services > HA. (The HA option is not available
for worker nodes.) If you also want the ability to ping the interface, select Management
Services > Ping.
7. Click OK.
8. (Recommended) Select the interface to use as the backup HA control link between the
controller node and the controller backup node. You must use the same interface on both
nodes for the HA backup service. For example, on both nodes, select Management.
Select Clustering Services > HA Backup for both nodes. You can also select Ping, SSH,
and SNMP if you want those Management Services on the interface.

The Analysis Environment Network interface cannot be an HA or HA Backup
interface or a cluster management interface.
9. Select the dedicated interface to use for management and communication within the
cluster. You must use the same interface on both nodes, for example, Ethernet2.
10. Select Clustering Services > Cluster Management for both nodes. If you also want the
ability to ping on the interface, select Management Services > Ping.

Worker nodes in the cluster automatically inherit the controller node’s settings
for the dedicated management and communication interface.


STEP 7 | Commit the configuration on the Panorama appliance and push it to the cluster.
1. Commit and Push.
2. If there are configurations on the Panorama appliance that you do not want to push,
Edit Selections to choose the appliances to which you push configurations. The pushed
configuration overwrites the running configuration on the cluster nodes so that all
cluster nodes run the same configuration.

STEP 8 | Verify the configuration.


1. Select Panorama > Managed WildFire Clusters.
2. Check the following fields:
• Appliance—Instead of displaying as standalone appliances, the WildFire nodes added
to the cluster display under the cluster name.
• Cluster Name—The cluster name displays for each node.
• Role—The appropriate role (Controller, Controller Backup, or Worker) displays for
each node.
• Config Status—Status is In Sync.
• Last Commit State—Commit succeeded.

STEP 9 | Using the local CLI on the primary controller node (not the Panorama web interface), check
to ensure that the configurations are synchronized.
If they are not synchronized, manually synchronize the high availability configurations on the
controller nodes and commit the configuration.
Even though you can perform most other configuration on Panorama, synchronizing the
controller node high availability configurations must be done on the primary controller node’s
CLI.
1. On the primary controller node, check to ensure that the configurations are
synchronized:

admin@WF-500(active-controller)> show high-availability all

At the end of the output, look for the Configuration Synchronization output:

Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized

If the running configuration is synchronized, you do not need to manually synchronize
the configuration. However, if the configuration is not synchronized, you need to
synchronize the configuration manually.
2. If the configuration is not synchronized, on the primary controller node, synchronize the
high availability configuration to the remote peer controller node:

admin@WF-500(active-controller)> request high-availability sync-to-remote running-config

If there is a mismatch between the primary controller node’s configuration and the
configuration on the controller backup node, the configuration on the primary controller
node overrides the configuration on the controller backup node.
3. Commit the configuration:

admin@WF-500# commit
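To script the check in this step, here is an added example (not Palo Alto Networks code) that parses the Configuration Synchronization block of show high-availability all and reports whether the sync-to-remote and commit steps above are still needed. The CLI output it consumes is constructed for the example, and it assumes the block's fields are indented under the header as on the appliance CLI.

```python
"""Check WildFire controller HA config-sync state from `show high-availability all`.

Added example, not Palo Alto Networks code. It parses the
"Configuration Synchronization:" block that the guide tells you to look for
and reports whether the manual sync-to-remote step is needed. The sample CLI
outputs below are constructed for the example; only the field names and the
"synchronized" value come from the guide.
"""
import re
from enum import Enum
from typing import Dict, List


class SyncState(Enum):
    SYNCHRONIZED = "synchronized"          # nothing to do
    NOT_SYNCHRONIZED = "not-synchronized"  # run sync-to-remote on the primary
    DISABLED = "disabled"                  # sync is off: a failover would use stale config
    UNKNOWN = "unknown"                    # block missing or unparsable: do not assume OK


# Constructed sample: the tail of the command output on a healthy controller pair.
SAMPLE_IN_SYNC = """\
Mode: Active-Passive
Configuration Synchronization:
  Enabled: yes
  Running Configuration: synchronized
"""

# Constructed sample: the backup controller has drifted from the primary.
SAMPLE_OUT_OF_SYNC = """\
Mode: Active-Passive
Configuration Synchronization:
  Enabled: yes
  Running Configuration: not synchronized
"""

# One indented "Key: value" line inside the block (assumes the CLI indents them).
_FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")


def parse_config_sync(cli_output: str) -> Dict[str, str]:
    """Return the indented key/value lines under 'Configuration Synchronization:'.

    The block ends at the next line that is not indented (a new top-level
    section) or at the end of the output.
    """
    fields: Dict[str, str] = {}
    in_block = False
    for line in cli_output.splitlines():
        if line.strip() == "Configuration Synchronization:":
            in_block = True
            continue
        if not in_block:
            continue
        if line and not line[0].isspace():
            break
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def classify(cli_output: str) -> SyncState:
    """Map the parsed block to a state; anything we cannot read is UNKNOWN, never OK."""
    fields = parse_config_sync(cli_output)
    if not fields:
        return SyncState.UNKNOWN
    if fields.get("Enabled", "").lower() != "yes":
        return SyncState.DISABLED
    running = fields.get("Running Configuration", "").lower()
    if running == "synchronized":
        return SyncState.SYNCHRONIZED
    if running:
        return SyncState.NOT_SYNCHRONIZED
    return SyncState.UNKNOWN


def remediation(state: SyncState) -> List[str]:
    """CLI commands to run on the primary controller node, in order.

    Only the not-synchronized case has a scripted fix (the two commands the
    guide gives). DISABLED and UNKNOWN need a human to look at the node.
    """
    if state is SyncState.NOT_SYNCHRONIZED:
        return [
            "request high-availability sync-to-remote running-config",
            "commit",
        ]
    return []


if __name__ == "__main__":
    for label, output in (("in-sync", SAMPLE_IN_SYNC), ("drifted", SAMPLE_OUT_OF_SYNC)):
        state = classify(output)
        print(f"{label}: {state.value}; next steps: {remediation(state) or 'none'}")
```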

Configure General Cluster Settings on Panorama

Some general settings are optional and some general settings are pre-populated with default
values. It’s best to at least check these settings to ensure that the cluster configuration matches
your needs. General settings include:
• Connecting to the WildFire public cloud and submitting samples to the public cloud.
• Configuring data retention policies.
• Configuring logging.
• Setting the analysis environment (the VM image that best matches your environment) and
customizing the analysis environment to best service the types of samples the firewalls submit
to WildFire.
• Setting IP addresses for the DNS server, NTP server, and more.
STEP 1 | Configure settings for the WildFire appliance cluster nodes.
Many settings are pre-populated with either defaults, information from previously existing
settings on the controller node, or the settings you just configured.
1. Select the cluster.
2. Select Appliance.
3. Enter new information, keep the pre-populated information from the cluster controller
node, or edit the pre-populated information, including:
• Domain name.
• IP address of the Primary DNS Server and the Secondary DNS Server.
• NTP Server Address and Authentication Type of the Primary NTP Server and the
Secondary NTP Server. The Authentication Type options are None, Symmetric Key,
and AutoKey.


STEP 2 | Configure general cluster settings.
Many settings are pre-populated with either defaults, information from previously existing
settings on the controller node, or the settings you just configured.
1. Select the new cluster > General.
2. (Optional) Enable DNS for the controller node to advertise the service status using
DNS protocol. The cluster controller provides DNS services on the management (MGT)
interface port.
3. Register Firewall to use the service advertised by the cluster controller(s). Palo Alto
Networks recommends adding both controllers as authority servers as this provides the
benefit of high-availability. Use the form:

wfpc.service.<cluster-name>.<domain>

For example, a cluster named mycluster in the paloaltonetworks.com domain would have
the domain name:

wfpc.service.mycluster.paloaltonetworks.com

4. Enter the Content Update Server for the cluster. Use the default
updates.paloaltonetworks.com FQDN to connect to the closest server. Check
Server Identity to confirm the update server identity by matching the common name
(CN) in the certificate with the IP address or FQDN of the server (this is checked by
default).
5. (Optional) Enter the public WildFire Cloud Server location or use the default
wildfire.paloaltonetworks.com so that the cluster (or standalone appliance
managed by Panorama) can send information to the closest WildFire cloud server. If you
leave this field blank and do not connect to a WildFire cloud server, the cluster can’t
receive signature updates directly from the WildFire public cloud, and can’t send samples
for analysis or contribute data to the public cloud.
6. If you connect the cluster to the public WildFire cloud, select the cloud services you
want to enable:
• Send Analysis Data—Send an XML report about local malware analysis. If you send
the actual samples, the cluster doesn’t send reports.
• Send Malicious Samples—Send malware samples.
• Send Diagnostics—Send diagnostic data.
• Verdict Lookup—Automatically query the WildFire public cloud for verdicts before
performing local analysis to reduce the load on the local WildFire appliance cluster.
7. Select the Sample Analysis Image to use, based on the types of samples the cluster will
analyze.
8. Configure the amount of time for the cluster to retain Benign/Grayware sample
data (1-90 day range, 14 day default) and Malicious sample data (minimum 1 day, no
maximum (indefinite), default is indefinite). Malicious sample data includes phishing
verdicts.
9. (Optional) Select Preferred Analysis Environment to allocate more resources to
Executables or Documents, depending on your environment. The Default allocation is
balanced between Executables and Documents. The available resource amount depends
on the number of WildFire nodes in the cluster.
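As an added example (not Palo Alto Networks code), this Python checks a cluster Name against the rules given under Create Cluster above and builds the wfpc.service.<cluster-name>.<domain> record from the Register Firewall step; the error messages and the trailing-dot handling of the domain are this example's own choices.

```python
"""Validate a WildFire cluster Name and derive its wfpc.service DNS record.

Added example, not Palo Alto Networks code. It encodes the Name rules the
guide states for Create Cluster (at most 63 characters; lower-case letters and
digits; hyphens and periods allowed but not as the first or last character;
nothing else) and builds the wfpc.service.<cluster-name>.<domain> name that
the Register Firewall step uses. Error messages and the domain handling are
this example's own choices.
"""
import re
from typing import List

MAX_CLUSTER_NAME_LEN = 63
_ALLOWED_CHARS = re.compile(r"^[a-z0-9.-]+$")
_EDGE_CHARS = ".-"   # legal inside the name, illegal at either end


def cluster_name_errors(name: str) -> List[str]:
    """Return every rule the name violates (an empty list means the name is valid).

    Reporting all violations at once is more useful than stopping at the first
    when the names come from an inventory file rather than a person.
    """
    if not name:
        return ["name is empty"]
    errors: List[str] = []
    if len(name) > MAX_CLUSTER_NAME_LEN:
        errors.append(f"name is {len(name)} characters; maximum is {MAX_CLUSTER_NAME_LEN}")
    if not _ALLOWED_CHARS.match(name):
        bad = sorted({c for c in name if not re.fullmatch(r"[a-z0-9.-]", c)})
        errors.append(f"disallowed characters {bad!r} (lower-case letters, digits, '-' and '.' only)")
    if name[0] in _EDGE_CHARS:
        errors.append("name cannot start with a hyphen or period")
    if name[-1] in _EDGE_CHARS:
        errors.append("name cannot end with a hyphen or period")
    return errors


def is_valid_cluster_name(name: str) -> bool:
    return not cluster_name_errors(name)


def service_fqdn(cluster_name: str, domain: str) -> str:
    """Build the name the cluster controller advertises for firewall registration.

    Raises ValueError for an invalid cluster name so a typo is caught before the
    record is handed to firewalls. A trailing dot on the domain is tolerated
    (this example's assumption) and normalised away.
    """
    errors = cluster_name_errors(cluster_name)
    if errors:
        raise ValueError(f"invalid cluster name {cluster_name!r}: " + "; ".join(errors))
    domain = domain.strip().rstrip(".")
    if not domain:
        raise ValueError("domain is empty")
    return f"wfpc.service.{cluster_name}.{domain}"


if __name__ == "__main__":
    # The guide's own example plus constructed names that each break one rule.
    for name in ("mycluster", "wf-east.1", "WF-East", "-wf1", "wf1.", "a" * 64):
        problems = cluster_name_errors(name)
        print(f"{name[:20]!r}: {'ok' if not problems else problems}")
    print(service_fqdn("mycluster", "paloaltonetworks.com"))
```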

STEP 3 | Check to ensure that the primary and backup Panorama servers are configured.
If you did not configure a backup Panorama server and want to do so, you can add the backup
Panorama server.
1. Select the cluster.
2. Select Appliance.
3. Check (or enter) the IP address or FQDN of the primary Panorama Server and of
the backup Panorama Server 2 if you are using a high availability configuration for
centralized cluster management.

STEP 4 | (Optional) Configure system and configuration log settings for the cluster, including log
forwarding.
1. Select the cluster.
2. Select Logging.
3. Select System or Configuration to configure a system or configuration log, respectively.
The process for configuring them is similar.
4. Add and Name the log forwarding instance, select the Filter, and configure the
Forward Method (SNMP, Email, Syslog, or HTTP).

STEP 5 | Configure administrator authentication.
1. Select the cluster.
2. Select Authentication.
3. Select the Authentication Profile, either None or radius. RADIUS is the only supported
external authentication method.
4. Set the Local Authentication mode for admin users as either Password or Password
Hash, and enter the Password.

STEP 6 | Commit the configuration on the Panorama appliance and push it to the cluster.
1. Commit and Push.
2. If there are configurations on the Panorama appliance that you do not want to push,
Edit Selections to choose the appliances to which you push configurations. The pushed
configuration overwrites the running configuration on the cluster nodes so that all
cluster nodes run the same configuration.

Configure Authentication for a WildFire Cluster

Create and configure enhanced authentication for all WildFire appliances in a WildFire cluster
by configuring local administrative users with granular authentication parameters, as well as
leveraging RADIUS, TACACS+, or LDAP for authorization and authentication.


When you Configure and push administrators from Panorama, you overwrite the existing
administrators for all WildFire appliances in the WildFire cluster with those you configure on
Panorama.
• Configure an Administrative Account for a WildFire Cluster
• Configure RADIUS Authentication for a WildFire Cluster
• Configure TACACS+ Authentication for a WildFire Cluster
• Configure LDAP Authentication for a WildFire Cluster
Configure an Administrative Account for a WildFire Cluster
Create one or more administrators with granular authentication parameters for all WildFire
appliances in a WildFire cluster to manage from the Panorama™ management server. Additionally,
you can configure local administrators from Panorama that can be configured directly on the CLI
of the WildFire appliance. However, pushing new configuration changes to the WildFire appliance
overwrites local administrators with the administrators configured for the WildFire appliance.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Cluster Centrally on Panorama.

STEP 3 | (Optional) Configure an authentication profile to define the authentication service that
validates the login credentials of the administrators who access the WildFire appliance CLI.

STEP 4 | Configure one or more administrator accounts as needed.


The administrator accounts created on Panorama are later imported to the WildFire appliances
in the WildFire Cluster and managed from Panorama.

You must configure the administrative account with Superuser admin role privileges to
successfully configure authentication for WildFire appliances in the WildFire cluster.


STEP 5 | Configure the authentication for the WildFire appliances in the WildFire cluster.
1. Select Panorama > Managed WildFire Clusters and select the WildFire cluster you
previously configured.
2. (Optional) Select the Authentication Profile you configured in the previous step.
3. Configure the authentication Timeout Configuration for the WildFire appliances.
1. Enter the number of Failed Attempts before a user is locked out of the WildFire
appliance CLI.
2. Enter the Lockout Time, in minutes, for which a WildFire appliance locks out a user
account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously
access a WildFire appliance.
5. Enter the Max Session Time the administrator can be logged in before being
automatically logged out.
4. Add the WildFire appliance administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator—but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama
commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
1. Add and configure new administrators unique to the WildFire appliances in the
WildFire cluster. These administrators are specific to the WildFire appliances in the
WildFire cluster for which they are created and you manage these administrators from
this table.
2. Add any administrators configured on Panorama. These administrators are created on
Panorama and imported to the WildFire appliances in the WildFire cluster.
5. Click OK to save the WildFire cluster authentication configuration.

STEP 6 | Commit and then Commit and Push your configuration changes.

STEP 7 | Access the WildFire appliance CLI to verify you can successfully access a WildFire appliance
using the local admin user.

Configure RADIUS Authentication for a WildFire Cluster


Use a RADIUS server to authenticate administrative access to the CLI of the WildFire appliances
in a WildFire cluster. You can also define Vendor-Specific Attributes (VSAs) on the RADIUS server
to manage administrator authorization. Using VSAs enables you to quickly change the roles,
access domains, and user groups of administrators through your directory service, which is often
easier than reconfiguring settings on the Panorama™ management server.

You can Import the Palo Alto Networks RADIUS dictionary into the RADIUS server to define
the authentication attributes needed for communication between Panorama and the
RADIUS server.


STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Cluster Centrally on Panorama.

STEP 3 | Configure RADIUS authentication.

Administrator accounts configured for RADIUS authentication are required to have
Superuser admin role privileges to successfully configure authentication for WildFire
appliances in the WildFire cluster.

1. Add a RADIUS server profile.
The profile defines how the WildFire appliances in the WildFire cluster connect to the
RADIUS server.
1. Select Panorama > Server Profiles > RADIUS and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. Enter a Timeout interval in seconds after which an authentication request times out
(default is 3; range is 1–20).
4. Select the Authentication Protocol (default is CHAP) that a WildFire appliance uses to
authenticate to the RADIUS server.

Select CHAP if the RADIUS server supports that protocol; it is more secure
than PAP.
5. Add each RADIUS server and enter the following:
1. Name to identify the server.
2. RADIUS Server IP address or FQDN.
3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
4. Server Port for authentication requests (default is 1812).
6. Click OK to save the server profile.
2. Assign the RADIUS server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of
administrators.
1. Select Panorama > Authentication Profile and Add a profile.
2. Enter a Name to identify the authentication profile.
3. Set the Type to RADIUS.
4. Select the Server Profile you configured.
5. Select Retrieve user group from RADIUS to collect user group information from VSAs
defined on the RADIUS server.
Panorama matches the group information against the groups you specify in the Allow
List of the authentication profile.
6. Select Advanced and, in the Allow List, Add the administrators that are allowed to
authenticate with this authentication profile.
7. Click OK to save the authentication profile.


STEP 4 | Configure the authentication for the WildFire cluster.
1. Select Panorama > Managed WildFire Clusters and select the WildFire cluster you
previously added.
2. Select the Authentication Profile you configured in the previous step.
If a global authentication profile is not assigned, you must assign an authentication profile
to each individual local administrator to leverage remote authentication.
3. Configure the authentication Timeout Configuration for a WildFire appliance.
1. Enter the number of Failed Attempts before a user is locked out of a WildFire
appliance CLI.
2. Enter the Lockout Time, in minutes, for which a WildFire appliance locks out a user
account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously
access a WildFire appliance.
5. Enter the Max Session Time the administrator can be logged in before being
automatically logged out.
4. Add the WildFire appliance administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator—but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama
commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
1. Add and configure new administrators unique to the WildFire appliances in the
WildFire cluster. These administrators are specific to the WildFire appliances in the
WildFire cluster for which they are created and you manage these administrators from
this table.
2. Add any administrators configured on Panorama. These administrators are created on
Panorama and imported to the WildFire appliances in the WildFire cluster.
5. Click OK to save the WildFire cluster authentication configuration.

STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Access the WildFire appliance CLI to verify you can successfully access a WildFire appliance
using the local admin user.

Configure TACACS+ Authentication for a WildFire Cluster


You can use a TACACS+ server to authenticate administrative access to the CLI of the WildFire
appliances in a WildFire cluster. You can also define Vendor-Specific Attributes (VSAs) on the
TACACS+ server to manage administrator authorization. Using VSAs enables you to quickly
change the roles, access domains, and user groups of administrators through your directory
service, which is often easier than reconfiguring settings on Panorama.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Cluster Centrally on Panorama.


STEP 3 | Configure TACACS+ authentication.

Administrator accounts configured for TACACS+ authentication are required to have
Superuser admin role privileges to successfully configure authentication for WildFire
appliances in the WildFire cluster.

1. Add a TACACS+ server profile.


The profile defines how a WildFire appliance connects to the TACACS+ server.
1. Select Panorama > Server Profiles > TACACS+ and Add a profile.
2. Enter a Profile Name to identify the server profile.
3. Enter a Timeout interval in seconds after which an authentication request times out
(default is 3; range is 1–20).
4. Select the Authentication Protocol (default is CHAP) that Panorama uses to
authenticate to the TACACS+ server.
5. Select CHAP if the TACACS+ server supports that protocol; it is more secure than
PAP.
6. Add each TACACS+ server and enter the following:
1. Name to identify the server.
2. TACACS+ Server IP address or FQDN.
3. Secret/Confirm Secret (a key to encrypt usernames and passwords).
4. Server Port for authentication requests (default is 49).
7. Click OK to save the server profile.
2. Assign the TACACS+ server profile to an authentication profile.
The authentication profile defines authentication settings that are common to a set of
administrators.
1. Select Panorama > Authentication Profile and Add a profile.
2. Enter a Name to identify the profile.
3. Set the Type to TACACS+.
4. Select the Server Profile you configured.
5. Select Retrieve user group from TACACS+ to collect user group information from
VSAs defined on the TACACS+ server.
Panorama matches the group information against the groups you specify in the Allow
List of the authentication profile.
6. Select Advanced and, in the Allow List, Add the administrators that are allowed to
authenticate with this authentication profile.
7. Click OK to save the authentication profile.


STEP 4 | Configure the authentication for the WildFire cluster.
1. Select Panorama > Managed WildFire Clusters and select the WildFire cluster you
previously added.
2. Select the Authentication Profile you configured in the previous step.
If a global authentication profile is not assigned, you must assign an authentication profile
to each individual local administrator to leverage remote authentication.
3. Configure the authentication Timeout Configuration for a WildFire appliance.
1. Enter the number of Failed Attempts before a user is locked out of a WildFire
appliance CLI.
2. Enter the Lockout Time, in minutes, for which a WildFire appliance locks out a user
account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously
access a WildFire appliance.
5. Enter the Max Session Time the administrator can be logged in before being
automatically logged out.
4. Add the WildFire appliance administrators.
Administrators may either be added as a local administrator or as an imported Panorama
administrator—but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama
commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and Panorama administrator.
1. Add and configure new administrators unique to the WildFire appliances in the
WildFire cluster. These administrators are specific to the WildFire appliances in the


WildFire cluster for which they are created and you manage these administrators from
this table.
2. Add any administrators configured on Panorama. These administrators are created on
Panorama and imported to the WildFire appliances in the WildFire cluster.
5. Click OK to save the WildFire cluster authentication configuration.

STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Access the WildFire appliance CLI to verify you can successfully access a WildFire appliance
using the local admin user.

Configure LDAP Authentication for a WildFire Cluster


You can use LDAP to authenticate end users to access the CLI of the WildFire appliances in a
WildFire cluster.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Configure a Cluster Centrally on Panorama.


STEP 3 | Add an LDAP server profile.

The profile defines how a WildFire appliance connects to the LDAP server.

Administrator accounts configured for LDAP authentication are required to have
Superuser admin role privileges to successfully configure authentication for WildFire
appliances in the WildFire cluster.

1. Select Panorama > Server Profiles > LDAP and Add a server profile.
2. Enter a Profile Name to identify the server profile.
3. Add the LDAP servers (up to four). For each server, enter a Name (to identify the server),
LDAP Server IP address or FQDN, and server Port (default 389).

If you use an FQDN address object to identify the server and you subsequently
change the address, you must commit the change for the new server address to
take effect.
4. Select the server Type.
5. Select the Base DN.
To identify the Base DN of your directory, open the Active Directory Domains and
Trusts Microsoft Management Console snap-in and use the name of the top-level
domain.
6. Enter the Bind DN and Password to enable the authentication service to authenticate
the firewall.

The Bind DN account must have permission to read the LDAP directory.

7. Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
8. Enter the Retry Interval in seconds (default is 60).
9. (Optional) If you want the endpoint to use SSL or TLS for a more secure connection with
the directory server, enable the option to Require SSL/TLS secured connection (enabled
by default). The protocol that the endpoint uses depends on the server port:
• 389 (default)—TLS (Specifically, the WildFire appliance uses the StartTLS operation,
which upgrades the initial plaintext connection to TLS.)
• 636—SSL
• Any other port—The WildFire appliance first attempts to use TLS. If the directory
server doesn't support TLS, the WildFire appliance falls back to SSL.
10. (Optional) For additional security, enable the option to Verify Server Certificate
for SSL sessions so that the endpoint verifies the certificate that the directory server
presents for SSL/TLS connections. To enable verification, you must also enable the

opon to Require SSL/TLS secured connecon. For verificaon to succeed, the


cerficate must meet one of the following condions:
• It is in the list of Panorama cerficates: Panorama > Cerficate Management >
Cerficates > Device Cerficates. If necessary, import the cerficate into Panorama.
• The cerficate signer is in the list of trusted cerficate authories: Panorama >
Cerficate Management > Cerficates.
11. Click OK to save the server profile.
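The rules in this step (at most four servers, the port-to-transport mapping for StartTLS, SSL and the TLS-then-SSL fallback, and the dependency of Verify Server Certificate on Require SSL/TLS secured connection) are easy to get wrong when a profile is built by hand or by automation. The following is an added example, not Palo Alto Networks code, that checks a candidate profile against those rules before it is committed. The dataclass field names, the `SAMPLE_PROFILE` hostnames and the bind credentials are this example's own constructed placeholders, not Panorama configuration keys.

```python
"""Pre-commit sanity check for an LDAP server profile as described above.

Added example, not Palo Alto Networks code. It encodes the rules the
procedure states: up to four servers, port 389 means StartTLS, 636 means
SSL (LDAPS), any other port tries TLS and falls back to SSL, and Verify
Server Certificate only works when Require SSL/TLS secured connection is
also enabled. Field names, the sample profile and its values are this
example's own constructions, not Panorama configuration keys.
"""
from dataclasses import dataclass

MAX_SERVERS = 4


@dataclass
class LdapServerProfile:
    name: str
    servers: list              # (display name, host or FQDN, port) tuples
    base_dn: str
    bind_dn: str
    bind_password: str
    bind_timeout: int = 30     # seconds, guide default
    search_timeout: int = 30   # seconds, guide default
    retry_interval: int = 60   # seconds, guide default
    require_ssl_tls: bool = True    # enabled by default in the web interface
    verify_server_cert: bool = False


def transport_for_port(port: int, require_ssl_tls: bool = True) -> str:
    """Transport the appliance uses for a given server port."""
    if not require_ssl_tls:
        return "plaintext"
    if port == 389:
        return "starttls"        # plaintext connection upgraded with StartTLS
    if port == 636:
        return "ssl"             # LDAPS
    return "tls-then-ssl"        # TLS first, SSL if the server lacks TLS


def plan_connections(profile: LdapServerProfile) -> list:
    """One (host, port, transport) entry per configured server."""
    return [(host, port, transport_for_port(port, profile.require_ssl_tls))
            for _name, host, port in profile.servers]


def check_profile(profile: LdapServerProfile) -> dict:
    """Return hard errors (the profile is wrong) and security warnings."""
    errors, warnings = [], []
    if not profile.servers:
        errors.append("no LDAP server configured")
    if len(profile.servers) > MAX_SERVERS:
        errors.append(f"more than {MAX_SERVERS} LDAP servers configured")
    for name, host, port in profile.servers:
        if not host:
            errors.append(f"{name}: missing IP address or FQDN")
        if not 1 <= port <= 65535:
            errors.append(f"{name}: invalid port {port}")
    if not profile.base_dn:
        errors.append("Base DN is empty")
    if not (profile.bind_dn and profile.bind_password):
        errors.append("Bind DN and Password are required")
    for label, value in (("Bind Timeout", profile.bind_timeout),
                         ("Search Timeout", profile.search_timeout),
                         ("Retry Interval", profile.retry_interval)):
        if value <= 0:
            errors.append(f"{label} must be a positive number of seconds")
    if profile.verify_server_cert and not profile.require_ssl_tls:
        errors.append("Verify Server Certificate requires Require SSL/TLS secured connection")
    if not profile.require_ssl_tls:
        warnings.append("bind credentials will cross the network in plaintext")
    elif not profile.verify_server_cert:
        warnings.append("directory server certificate is not verified")
    return {"errors": errors, "warnings": warnings}


# Constructed sample profile (hostnames and credentials are placeholders).
SAMPLE_PROFILE = LdapServerProfile(
    name="wf-cluster-ldap",
    servers=[("dc1", "dc1.example.internal", 389),
             ("dc2", "dc2.example.internal", 636)],
    base_dn="DC=example,DC=internal",
    bind_dn="CN=wf-bind,OU=ServiceAccounts,DC=example,DC=internal",
    bind_password="placeholder-bind-password",
    verify_server_cert=True,
)

if __name__ == "__main__":
    print(plan_connections(SAMPLE_PROFILE))
    print(check_profile(SAMPLE_PROFILE))
```

The warning branch is the part worth keeping even if the rest is adapted: a profile that disables Require SSL/TLS sends the Bind DN password in the clear, and one that leaves Verify Server Certificate off will accept any directory server that answers on that port.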

STEP 4 | Configure the authentication for the WildFire cluster.

1. Select Panorama > Managed WildFire Clusters and select the WildFire cluster you
previously added.
2. Configure the authentication Timeout Configuration for a WildFire appliance.
1. Enter the number of Failed Attempts before a user is locked out of a WildFire
appliance CLI.
2. Enter the Lockout Time, in minutes, for which a WildFire appliance locks out a user
account after that user reaches the configured number of Failed Attempts.
3. Enter the Idle Timeout, in minutes, before the user account is automatically logged
out due to inactivity.
4. Enter the Max Session Count to set how many user accounts can simultaneously
access a WildFire appliance.
5. Enter the Max Session Time the administrator can be logged in before being
automatically logged out.
3. Add the WildFire appliance administrators.
Administrators may be added either as a local administrator or as an imported Panorama
administrator—but not both. Adding the same administrator as both a local administrator
and as an imported Panorama administrator is not supported and causes the Panorama
commit to fail. For example, the commit to Panorama fails if you add admin1 as both a
local and a Panorama administrator.
• Configure the local administrators.
Configure new administrators unique to the WildFire appliances in the WildFire
cluster. These administrators are specific to the WildFire appliances in the WildFire

cluster for which they are created and you manage these administrators from this
table.
1. Add one or more new local administrators.
2. Enter a Name for the local administrator.
3. Assign an Authentication Profile you previously created.

LDAP authentication profiles are supported only for individual local
administrators.

4. Enable (check) Use Public Key Authentication (SSH) to import a public key file for
authentication.
5. Select a Password Profile to set the expiration parameters.
• Import existing Panorama administrators.
Import existing administrators configured on Panorama. These administrators are
configured and managed on Panorama and imported to all WildFire appliances in the
WildFire cluster.
1. Add an existing Panorama administrator.
4. Click OK to save the WildFire cluster authentication configuration.
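The Timeout Configuration settings (Failed Attempts, Lockout Time, Idle Timeout, Max Session Count and Max Session Time) appear in both the TACACS+ and the LDAP procedures above, and the way they interact is easier to reason about in code than in prose. The following is an added example, not Palo Alto Networks code, that models those five settings for a CLI account with a caller-supplied clock in whole minutes. The class and method names, the defaults, and the user names are this example's own; the appliance enforces the real limits internally.

```python
"""Model of the WildFire appliance CLI Timeout Configuration.

Added example, not Palo Alto Networks code. It illustrates how the five
settings above (Failed Attempts, Lockout Time, Idle Timeout, Max Session
Count, Max Session Time) interact, using a caller-supplied clock in whole
minutes so the outcome is deterministic. Names and defaults here are this
example's own; the appliance enforces these limits internally.
"""
from dataclasses import dataclass


@dataclass
class TimeoutConfig:
    failed_attempts: int = 5      # consecutive failures that trigger a lockout
    lockout_time: int = 15        # minutes the account stays locked
    idle_timeout: int = 10        # minutes of inactivity before forced logout
    max_session_count: int = 4    # concurrent CLI sessions on the appliance
    max_session_time: int = 60    # absolute session lifetime in minutes


@dataclass
class Session:
    user: str
    started: int
    last_activity: int


class CliAccessPolicy:
    def __init__(self, cfg: TimeoutConfig):
        self.cfg = cfg
        self.failures = {}        # user -> consecutive failed attempts
        self.locked_until = {}    # user -> minute at which the lockout ends
        self.sessions = []        # currently active sessions

    def _expire(self, now: int) -> None:
        """Drop sessions that hit Idle Timeout or Max Session Time."""
        self.sessions = [
            s for s in self.sessions
            if now - s.last_activity < self.cfg.idle_timeout
            and now - s.started < self.cfg.max_session_time
        ]

    def login(self, user: str, password_ok: bool, now: int) -> str:
        self._expire(now)
        if self.locked_until.get(user, -1) > now:
            return "locked"                      # still inside Lockout Time
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.cfg.failed_attempts:
                self.locked_until[user] = now + self.cfg.lockout_time
                self.failures[user] = 0          # counter resets when lockout starts
                return "locked"
            return "denied"
        if len(self.sessions) >= self.cfg.max_session_count:
            return "too-many-sessions"           # Max Session Count reached
        self.failures[user] = 0                  # success clears the failure count
        self.sessions.append(Session(user, now, now))
        return "ok"

    def touch(self, user: str, now: int) -> None:
        """Record CLI activity so the Idle Timeout clock restarts."""
        for s in self.sessions:
            if s.user == user:
                s.last_activity = now

    def active_sessions(self, now: int) -> int:
        self._expire(now)
        return len(self.sessions)


if __name__ == "__main__":
    policy = CliAccessPolicy(TimeoutConfig(failed_attempts=3, lockout_time=10))
    for minute in range(3):
        print(minute, policy.login("admin1", password_ok=False, now=minute))
    print(5, policy.login("admin1", password_ok=True, now=5))
    print(12, policy.login("admin1", password_ok=True, now=12))
```

Two consequences that the model makes visible: a low Max Session Count is enforced per appliance, not per user, so stale idle sessions can lock out a legitimate administrator until Idle Timeout reclaims them; and touching a session restarts only the idle clock, never the Max Session Time clock.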


STEP 5 | Commit and then Commit and Push your configuration changes.

STEP 6 | Access the WildFire appliance CLI to verify you can successfully access the WildFire
appliance using the local admin user.

Remove a Cluster from Panorama Management


To remove a cluster from Panorama management, select Panorama > Managed WildFire Clusters,
select the row of the cluster you want to remove (do not click the cluster name), and Remove From
Panorama.
If you remove a WildFire appliance cluster from Panorama management, the Panorama web
interface places the WildFire appliances in that cluster into read-only mode. Although the WildFire
appliances in the removed cluster display in the Panorama web interface, when in read-only mode,
you can't push configurations to the WildFire appliances or manage them with Panorama. After
being removed from Panorama management, the WildFire appliance cluster members use the local
cluster configuration and you can manage the cluster using the local CLI.
To manage the WildFire appliances in the cluster with Panorama after you remove the cluster from
Panorama management, import the cluster back into Panorama (Panorama > Managed WildFire
Clusters > Import Cluster Config).
STEP 1 | Select the cluster's controller node. The cluster name populates Cluster automatically.

STEP 2 | Click OK. The cluster backup controller node and worker nodes populate automatically.

STEP 3 | Click OK to import the cluster.

STEP 4 | Commit the changes.

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally
on Panorama

STEP 1 | Upgrade each managed WildFire appliance to PAN-OS 8.1.x. All managed appliances must be
running PAN-OS 8.1 or later to enable appliance-to-appliance encryption.

STEP 2 | Verify that your WildFire appliance cluster has been properly configured and is operating in a
healthy state.

STEP 3 | On Panorama, select Panorama > Managed WildFire Clusters > WF_cluster_name >
Communication.

STEP 4 | Enable Secure Cluster Communication.

STEP 5 | (Recommended) Enable HA Traffic Encryption. This optional setting encrypts the HA traffic
between the HA pair and is a Palo Alto Networks recommended best practice.

HA Traffic Encryption cannot be disabled when operating in FIPS/CC mode.

STEP 6 | Click OK to save the WildFire Cluster settings.

STEP 7 | Commit your changes.

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on
Panorama

STEP 1 | Upgrade each managed WildFire appliance to PAN-OS 8.1.x. All managed appliances must be
running PAN-OS 8.1 or later to enable appliance-to-appliance encryption.

STEP 2 | Verify that your WildFire appliance cluster has been properly configured and is operating in a
healthy state.

STEP 3 | Review your existing WildFire secure communications configuration. Keep in mind,
if you previously configured the WildFire appliance and the firewall for secure

communicaons using a custom cerficate, you can also use that custom cerficate for
secure communicaons between WildFire appliances.
1. Select Panorama >Managed WildFire Clusters> WF_cluster_name> Communicaon.
2. If Customize Secure Server Communicaon has been enabled and you would like to
use that cerficate, idenfy the details of the custom cerficate being used. Otherwise
proceed to Step 5 to begin the process of installing a new custom cerficate.
3. Determine the custom cerficate FQDN (DNS name) that will be used to define the
firewall registraon address in Step 4.

Make sure to note the custom cerficate name and the associated FQDN. These
are referenced several mes during the configuraon process.

STEP 4 | Configure the firewall registraon address on Panorama.


1. On Panorama, select Panorama >Managed WildFire Clusters> WF_cluster_name>
General.
2. In the Register Firewall To field, specify the DNS name used for authencaon found in
the custom cerficate (typically the SubjectName or the SubjectAltName). For example,
the default domain name is wfpc.service.mycluster.paloaltonetworks.com

STEP 5 | Configure WildFire Secure Server Communicaon sengs on Panorama. If you already
configured secure communicaons between the firewall and the WildFire cluster and are
using the exisng custom cerficate, proceed to Step 4 below.
1. On Panorama, select Panorama> Managed WildFire Clusters> WF_cluster_name>
Communicaon.
2. Click Customize Secure Server Communicaon.
3. Configure and deploy custom cerficates used by the WildFire appliances and the
associated firewall. The SSL/TLS service profile defines the custom cerficate used by
WildFire appliances to communicate with WildFire appliance peers and to the firewall.


You must also configure the custom certificate settings on the firewall associated with
the WildFire appliance cluster. This is configured later in Step 9.
1. Open the SSL/TLS Service Profile drop-down and click SSL/TLS Service Profile.
Configure an SSL/TLS service profile with the custom certificate that you want to use.
After you configure the SSL/TLS service profile, click OK and select the newly created
SSL/TLS Service profile.
2. Open the Certificate Profile drop-down and click Certificate Profile. Configure a
Certificate Profile that identifies the custom certificate used to establish secure
connections between the firewall and WildFire appliances, as well as between peer
WildFire appliances. After you configure the Certificate Profile, click OK and select the
newly created profile.
4. Select the Custom Certificate Only check box. This allows you to use the custom
certificates that you configured instead of the default preconfigured certificates.
5. (Optional) Configure an authorization list. The authorization list checks the custom
certificate Subject or Subject Alt Name; if the Subject or Subject Alt Name presented
with the custom certificate does not match an identifier on the authorization list,
authentication is denied.
1. Add an Authorization List.
2. Select the Subject or Subject Alt Name configured in the custom certificate profile as
the Identifier type.
3. Enter the Common Name if the identifier is Subject, or an IP address, hostname, or
email if the identifier is Subject Alt Name.
4. Click OK.
5. Select Check Authorization List to enforce the authorization list.
6. Click OK.

STEP 6 | Enable Secure Cluster Communication.


STEP 7 | (Recommended) Enable HA Traffic Encryption. This optional setting encrypts the HA traffic
between the HA pair and is a Palo Alto Networks recommended best practice.

HA Traffic Encryption cannot be disabled when operating in FIPS/CC mode.

STEP 8 | Click OK to save the WildFire Cluster settings.

STEP 9 | Configure the firewall Secure Communication Settings on Panorama to associate the
WildFire appliance cluster with the firewall custom certificate. This provides a secure
communications channel between the firewall and WildFire appliance cluster. If you already
configured secure communications between the firewall and the WildFire appliance cluster
and are using the existing custom certificate, proceed to the next step.
1. Select Device > Setup > Management > Secure Communication Settings and click the
Edit icon in Secure Communication Settings to configure the firewall custom certificate
settings.
2. Select the Certificate Type, Certificate, and Certificate Profile from the respective
drop-downs and configure them to use the custom certificate.
3. Under Customize Communication, select WildFire Communication.
4. Click OK.

STEP 10 | Commit your changes.

View WildFire Cluster Status Using Panorama

To confirm that a configured WildFire appliance cluster is operating correctly, you can view the
current status using the Panorama appliance.

Palo Alto Networks recommends using the WildFire appliance CLI to verify the status of
your WildFire cluster. Additional status details that are not visible from Panorama are
displayed in the command output.

STEP 1 | On the primary Panorama appliance, select Panorama > Managed WildFire Clusters.

STEP 2 | In the Cluster Status column, verify that:

1. The wfpc and signature services are running.
2. No other operations are present. Abnormal operations and their status conditions
include:
• Decommission [requested / ongoing / denied / success / fail]
• Suspend [requested / ongoing / denied / success / fail]
• Reboot [requested / ongoing / denied / success / fail]
• Cluster [offline / splitbrain / unready]
• Service [suspended / none]
• HA [peer-offline / cfg-not-sync / cfg-sync-off]

STEP 3 | In the Config Status column, verify that:

1. The appliance configuration is In Sync with the configuration stored on the Panorama
appliance.
2. No other status is present. Abnormal status conditions include:
• Out of Sync [The appliance configuration is not in sync with its saved configuration on
Panorama. You can mouse over the magnifying glass to display the cause of the sync
failure].

STEP 4 | In the Connected column, verify that the configured WildFire appliances show a status of
Connected.
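Steps 2 through 4 above amount to a fixed checklist over three columns, which is the kind of check worth automating against an export of the Managed WildFire Clusters table rather than eyeballing after every change. The following is an added example, not Palo Alto Networks code, that applies that checklist to constructed rows. The row dictionaries and the text format of the `cluster_status` value are this example's own construction (the real table is read in the web interface); the service names, operation names and abnormal states are the ones the procedure lists.

```python
"""Flag abnormal WildFire cluster state from the three columns checked above.

Added example, not Palo Alto Networks code. The rows below are constructed
to resemble the Cluster Status, Config Status and Connected values the
procedure tells you to inspect (the real table is read in the web
interface; the column text format here is this example's own). The
abnormal operation and state names are the ones the procedure lists.
"""
import re

REQUIRED_SERVICES = ("wfpc", "signature")

# Operation name -> states that indicate something other than steady state.
ABNORMAL_OPS = {
    "Decommission": {"requested", "ongoing", "denied", "success", "fail"},
    "Suspend": {"requested", "ongoing", "denied", "success", "fail"},
    "Reboot": {"requested", "ongoing", "denied", "success", "fail"},
    "Cluster": {"offline", "splitbrain", "unready"},
    "Service": {"suspended", "none"},
    "HA": {"peer-offline", "cfg-not-sync", "cfg-sync-off"},
}

SERVICE = re.compile(r"(\w+):\s*(\w+)")            # "wfpc: running"
OPERATION = re.compile(r"(\w+)\s*\[([^\]]+)\]")     # "HA [cfg-not-sync]"


def check_row(row: dict) -> list:
    """Return human-readable findings for one appliance row (empty = healthy)."""
    findings = []
    status = row["cluster_status"]

    # Step 2.1: both services must be running.
    services = dict(SERVICE.findall(status))
    for svc in REQUIRED_SERVICES:
        state = services.get(svc, "missing")
        if state != "running":
            findings.append(f"service {svc} is {state}")

    # Step 2.2: any listed operation/state pair is abnormal; unknown ones are flagged too.
    for op, state in OPERATION.findall(status):
        if op in ABNORMAL_OPS and state in ABNORMAL_OPS[op]:
            findings.append(f"abnormal operation {op} [{state}]")
        elif op not in ABNORMAL_OPS:
            findings.append(f"unrecognized operation {op} [{state}]")

    # Step 3: configuration must be In Sync with Panorama.
    if row["config_status"] != "In Sync":
        findings.append(f"config status is {row['config_status']}")
    # Step 4: the appliance must report Connected.
    if row["connected"] != "Connected":
        findings.append(f"connection status is {row['connected']}")
    return findings


def unhealthy(rows: list) -> list:
    """Names of appliances with at least one finding."""
    return [r["appliance"] for r in rows if check_row(r)]


# Constructed sample rows, not output captured from Panorama.
SAMPLE_ROWS = [
    {"appliance": "wf-node-1",
     "cluster_status": "wfpc: running, signature: running",
     "config_status": "In Sync", "connected": "Connected"},
    {"appliance": "wf-node-2",
     "cluster_status": "wfpc: running, signature: running, HA [cfg-not-sync]",
     "config_status": "Out of Sync", "connected": "Connected"},
    {"appliance": "wf-node-3",
     "cluster_status": "wfpc: stopped, signature: running, Reboot [ongoing]",
     "config_status": "In Sync", "connected": "Disconnected"},
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["appliance"], check_row(row) or "healthy")
```

Unknown operation tokens are reported rather than ignored, so a state the checklist does not name still surfaces for a human to look at, and, as the note above says, the appliance CLI remains the place to get the detail Panorama does not show.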

Manage Licenses and Updates
You can use the Panorama™ management server to centrally manage licenses,
software updates, and content updates on firewalls and Dedicated Log Collectors.
When you deploy licenses or updates, Panorama checks in with the Palo Alto
Networks® licensing server or update server, verifies the request validity, and then
allows retrieval and installation of the license or update. This capability facilitates
deployment by eliminating the need to repeat the same tasks on each firewall or
Dedicated Log Collector. It is particularly useful for managing firewalls that don't have
direct internet access or for managing Dedicated Log Collectors, which don't have a
web interface.
Before deploying updates, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility for important details about update version compatibility.
You must activate a support subscription directly on each firewall; you cannot use
Panorama to deploy support subscriptions.
To activate licenses or install updates on the Panorama management server, see
Register Panorama and Install Licenses and Install Content and Software Updates for
Panorama.

> Manage Licenses on Firewalls Using Panorama


Manage Licenses on Firewalls Using Panorama

The following steps describe how to retrieve new licenses using an authentication (auth) code and
push the license keys to managed firewalls. It also describes how to manually update (refresh) the
license status of firewalls that do not have direct internet access. For firewalls that have direct
internet access, Panorama™ automatically performs a daily check-in with the licensing server,
retrieves license updates and renewals, and pushes them to the firewalls. The check-in is
hard-coded to occur between 1 a.m. and 2 a.m.; you cannot change this schedule.

You cannot use Panorama to activate the support license for firewalls. You must access the
firewalls individually to activate their support licenses.
To activate licenses for Panorama, see Register Panorama and Install Licenses.

Activate newly purchased licenses.

1. Select Panorama > Device Deployment > Licenses and Activate.
2. Enter the Auth Code that Palo Alto Networks® provided for each firewall that has a new
license.
3. Activate the license.
4. (WildFire® subscriptions only) Perform a commit on each firewall that has a new WildFire
subscription to complete the activation:
• Commit any pending changes. You must access each firewall web interface to do this.
• If no configuration changes are pending, make a minor change and Commit. For
example, update a rule description and commit the change. If the firewalls belong
to the same device group, you can push the rule change from Panorama to initiate a
commit on all those firewalls instead of accessing each firewall separately.

Check that the WildFire Analysis profile rules include the advanced file types
that the WildFire subscription supports.

Update the license status of firewalls.

1. Select Panorama > Device Deployment > Licenses.
Each entry on the page indicates whether the license is active or inactive and displays
the expiration date for active licenses.
2. If you previously activated auth codes for the support subscription directly on the
firewalls, click Refresh and select the firewalls from the list. Panorama retrieves the

license, deploys it to the firewalls, and updates the licensing status on the Panorama web
interface.
3. (Enterprise Data Loss Prevention (DLP) license only) Push the updated license to the
managed firewalls leveraging Enterprise DLP.
1. Select Commit and Commit to Panorama.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Templates and select the template stack associated with the managed firewalls
leveraging Enterprise DLP.
Click OK to continue.
4. Push the template configuration to successfully update the Enterprise DLP license.
Monitor Network Activity
The Panorama™ management server provides a comprehensive, graphical view of
network traffic. Using the visibility tools on Panorama—the Application Command
Center (ACC), logs, and report generation capabilities—you can centrally analyze,
investigate and report on all network activity, identify areas with potential security
impact, and translate them into secure application enablement policies.
This section covers the following topics:

> Use Panorama for Visibility
> Ingest Traps ESM Logs on Panorama
> Use Case: Monitor Applications Using Panorama
> Use Case: Respond to an Incident Using Panorama


Use Panorama for Visibility

In addition to its central deployment and firewall configuration features, Panorama also allows you
to monitor and report on all traffic that traverses your network. While the reporting capabilities
on Panorama and the firewall are very similar, the advantage that Panorama provides is that it is
a single pane view of aggregated information across all your managed firewalls. This aggregated
view provides actionable information on trends in user activity, traffic patterns, and potential
threats across your entire network.
Using the Application Command Center (ACC), the App-Scope, the log viewer, and the standard,
customizable reporting options on Panorama, you can quickly learn more about the traffic
traversing the network. The ability to view this information allows you to evaluate where your
current policies are adequate and where they are insufficient. You can then use this data to
augment your network security strategy. For example, you can enhance the security rules to
increase compliance and accountability for all users across the network, or manage network
capacity and minimize risks to assets while meeting the rich application needs for the users in your
network.
The following topics provide a high-level view of the reporting capabilities on Panorama, including
a couple of use cases to illustrate how you can use these capabilities within your own network
infrastructure. For a complete list of the available reports and charts and the description of each,
refer to the online help.
• Monitor the Network with the ACC and AppScope
• Analyze Log Data
• Generate, Schedule, and Email Reports
• Configure Key Limits for Scheduled Reports

Monitor the Network with the ACC and AppScope

Both the ACC and the AppScope allow you to monitor and report on the data recorded from
traffic that traverses your network.
The ACC on Panorama displays a summary of network traffic. Panorama can dynamically query
data from all the managed firewalls on the network and display it in the ACC. This display allows
you to monitor the traffic by applications, users, and content activity—URL categories, threats,
security policies that effectively block data or files—across the entire network of Palo Alto
Networks next-generation firewalls.
The AppScope helps identify unexpected or unusual behavior on the network at a glance. It
includes an array of charts and reports—Summary Report, Change Monitor, Threat Monitor,
Threat Map, Network Monitor, Traffic Map—that allow you to analyze traffic flows by threat or
application, or by the source or destination for the flows. You can also sort by session or byte
count.

Device Group and Template admins can only view network and ACC data for device groups
within their access domains.

Use the ACC and the AppScope to answer questions such as:

ACC
• What are the top applications used on the network and how many are high-risk
applications? Who are the top users of high-risk applications on the network?
• What are the top URL categories being viewed in the last hour?
• What are the top bandwidth-using applications? Who are the users/hosts that consume the
highest bandwidth?
• What content or files are being blocked and are there specific users who trigger this File
Blocking/Data Filtering rule?
• What is the amount of traffic exchanged between two specific IP addresses or generated by
a specific user? Where is the destination server or client located geographically?

Monitor > AppScope
• What are the application usage trends—what are the top five applications that have gained
use and the top five that have decreased in use?
• How has user activity changed over the current week as compared to last week or last
month?
• Which users and applications take up most of the network bandwidth? And how has this
consumption changed over the last 30 days?
• What are the threats on the network, and how are these incoming and outgoing traffic
threats distributed geographically?

You can then use the information to maintain or enforce changes to the traffic patterns on your
network. See Use Case: Monitor Applications Using Panorama for a glimpse into how the visibility
tools on Panorama can influence how you shape the acceptable use policies for your network.
Here are a few tips to help you navigate the ACC:

Figure 23: ACC Navigation Tips

• Switch from a Panorama view to a Device view—Use the Context drop-down to access the
web interface of any managed firewall. For details, see Context Switch—Firewall or Panorama.
• Change Device Group and Data Source—The default Data Source used to display the statistics
on the charts in the ACC is Panorama local data, and the default Device Group setting is All.
Using the local data on Panorama provides a quick load time for the charts. You can, however,
change the data source to Remote Device Data if all the managed firewalls are on PAN-OS
7.0 or a later release. If the managed firewalls have a mix of PAN-OS 7.0 and earlier releases,
you can only view Panorama data. When configured to use Remote Device Data, Panorama
will poll all the managed firewalls and present an aggregated view of the data. The onscreen
display indicates the total number of firewalls being polled and the number of firewalls that
have responded to the query for information.
• Select the Tabs and Widgets to View—The ACC includes three tabs and an array of widgets
that allow you to find the information that you care about. With the exception of the
application usage widget and host information widget, all the other widgets display data only if
the corresponding feature has been licensed on the firewall, and you have enabled logging.
• Tweak Time Frame and Refine Data—The reporting time period in the ACC ranges from the
last 15 minutes to the last hour, day, week, month, or any custom-defined time. By default,
each widget displays the top 10 items and aggregates all the remaining items as others. You
can sort the data in each widget using various attributes—for example, sessions, bytes, threats,
content, and URLs. You can also set local filters to filter the display within the table and graph
in a widget, and then promote the widget filter as a global filter to pivot the view across all the
widgets in the ACC.

Analyze Log Data

The Monitor tab on Panorama provides access to log data; these logs are an archived list of
sessions that have been processed by the managed firewalls and forwarded to Panorama.
Log data can be broadly grouped into two types: those that detail information on traffic flows on
your network such as applications, threats, host information profiles, URL categories, content/
file types and those that record system events, configuration changes, and User-ID™ mapping
information.
Based on the log forwarding configuration on the managed firewalls, the Monitor > Logs tab can
include logs for traffic flows, threats, URL filtering, data filtering, host information profile (HIP)
matches, and WildFire™ submissions. You can review the logs to verify a wealth of information on
a given session or transaction. Some examples of this information are the user who initiated the
session, the action (allow or deny) that the firewall performed on the session, and the source and
destination ports, zones, and addresses. The System and Config logs can indicate a configuration
change or an alarm that the firewall triggered when a configured threshold was exceeded.

If Panorama will manage firewalls running software versions earlier than PAN-OS 7.0,
specify a WildFire server from which Panorama can gather analysis information for
WildFire samples that those firewalls submit. Panorama uses the information to complete
WildFire Submissions logs that are missing field values introduced in PAN-OS 7.0. Firewalls
running earlier releases won't populate those fields. To specify the server, select Panorama
> Setup > WildFire, edit the General Settings, and enter the WildFire Private Cloud name.
The default is wildfire-public-cloud, which is the WildFire cloud hosted in the United
States.

Generate, Schedule, and Email Reports

You can configure reports to run immediately or schedule them to run at specific intervals. You can
save and export the reports or email them to specific recipients. Emailing is particularly useful if
you want to share reports with administrators who do not have access to Panorama. Panorama
supports the same report types as the Palo Alto Networks firewall.
Beginning with Panorama 10.0.2 and Cloud Services plugin version 1.8.0, you can generate
scheduled reports on Cortex Data Lake data.

In PAN-OS 10.0.3 and later, this feature is enabled by default.

To do this, you must first enable the feature from the Panorama CLI by entering

admin@Panorama> request plugins cloud_services logging-service sched-report-enable

A regular commit will not enable this change. Instead, you must switch to configuration
mode:

admin@Panorama> configure

and enter

admin@Panorama# commit force

Then, follow the steps below for generating scheduled reports.

It is recommended that you install matching software releases on Panorama and the
firewalls for which you will generate reports. For example, if the Panorama management
server runs Panorama 10.0, install PAN-OS 10.1 on its managed firewalls before
generating the reports. This practice avoids issues that might occur if you create reports
that include fields supported in the Panorama release but not supported in an earlier
PAN-OS release on the firewalls.

STEP 1 | Configure Panorama predefined reports.

1. Select Panorama > Setup > Management and edit Logging and Reporting.
2. (Optional) Select Log Export and Reporting and enable (check) Use Data for Pre-Defined
Reports to offload hourly report aggregation to Log Collectors.

Enabling this setting is recommended for VM-50, VM-50 Lite and PA-200
firewalls.
3. Select Pre-Defined Reports and enable (check) predefined reports to push from
Panorama.
4. Select Commit > Commit to Panorama and Commit your configuration changes.
5. (VM-50, VM-50 Lite, and PA-200 firewalls only) Access the firewall CLI to enable
predefined reports.
This command must be run on each VM-50, VM-50 Lite, and PA-200 firewall.

admin> debug run-panorama-predefined-report yes

STEP 2 | Configure Panorama to receive and store user and user group information that it receives
from firewalls.
Required to generate reports based on usernames and groups instead of just IP addresses.
1. If you want Panorama to include user group information in reports, upgrade the
managed firewalls to PAN-OS 8.1 or a later release. Panorama cannot synchronize group
information from firewalls running earlier releases.
2. Select Panorama > Setup > Management, edit the Panorama Settings, and Enable
reporting and filtering on groups.
3. Add a Device Group if you haven't already. For each device group:
• Select a Master Device, which is the firewall that provides user and user group
information to Panorama.
• Enable Panorama to Store users and groups from Master Device.
STEP 3 | Generate reports.

Scheduled and Run Now summary reports for the same database and timeframe have
discrepancies in the data displayed in each report. This is due to how Log Collectors
and firewalls aggregate logs during hourly aggregation.

The steps to generate a report depend on the type.

• Custom report:
1. Select Monitor > Manage Custom Reports and Add the report.
2. Enter a Name to identify the report.
3. Select a Database for the report.
You can base the report on Summary Databases or Detailed Logs databases.
To base the report on logs stored on the Panorama management server and Log
Collectors, select Panorama Data (recommended for faster performance).
To base the report on logs stored on the managed firewalls, select Remote Device Data.
This option is for cases where the firewalls might have logs that were not yet forwarded
to Panorama. However, because Panorama must query the firewalls directly, this option
is slower.
4. Select Scheduled.
5. Define your log filtering criteria by selecting the Time Frame, Sort By order, Group By
preference, and the columns (log attributes) that the report will display.

Selecting the Sort By order is required in order to generate an accurate report. If
you do not select a Sort By order, the generated custom report is populated with
the most recent log matches for the selected database.
6. (Optional) Use the Query Builder to further refine the log filtering criteria based on log
attributes.
7. To test the report settings, select Run Now. If necessary, modify the settings to change
the information that the report displays.
8. Click OK to save the custom report.
• PDF Summary Report:
1. Select Monitor > PDF Reports > Manage PDF Summary and Add the report.
2. Enter a Name to identify the report.
3. Use the drop-down for each report group and select one or more of the elements to
design the PDF Summary Report. You can include up to 18 elements.
4. Click OK to save the settings.

STEP 4 | Configure a Report Group.

A report group can include predefined reports, PDF Summary reports, and custom reports.
Panorama compiles all the included reports into a single PDF.
1. Select Monitor > PDF Reports > Report Groups and Add a report group.
2. Enter a Name to identify the report group.
3. (Optional) Select Title Page and add a Title for the PDF output.
4. Select reports in the Predefined Report, Custom Report, and PDF Summary Report lists.
5. Add the selected reports to the report group.
6. Click OK to save the settings.

STEP 5 | Configure an Email server profile.

The profile defines how Panorama connects to the SMTP server and sends email.
1. Select Panorama > Server Profiles > Email and Add a server profile.
2. Enter a Name to identify the profile.
3. Add up to four SMTP servers and enter the following information for each one:
• Name—A name to identify the SMTP server (1 to 31 characters). This field is just a
label and doesn't have to be the hostname of an existing server.
• Email Display Name—The name to display in the From field of the email.
• From—The email address from which notification emails will be sent.
• To—The email address to which notification emails will be sent.
• Additional Recipient—To send notifications to a second account, enter the additional
address here.
• Email Gateway—The IP address or hostname of the SMTP gateway to use to send the
emails.
4. Click OK to save the profile.

STEP 6 | Schedule the report for email delivery.

1. Select Monitor > PDF Reports > Email Scheduler and Add an email scheduler profile.
2. Enter a Name to identify the profile.
3. Select the Report Group, the Email server profile you just created (Email Profile), and the
Recurrence for the report (default is Disable).
4. Send test email to verify that the email settings are accurate.
5. Click OK to save your changes.
6. Select Commit > Commit to Panorama and Commit your changes.

Configure Key Limits for Scheduled Reports

The Panorama™ management server and the PA-7000 Series firewall reports utilize keys (unique
values on which you can aggregate) from one or more Log Collectors to build and generate reports.
To improve the accuracy of scheduled reports, you can configure the maximum and
minimum key limits. By increasing the number of keys supported, scheduled reports can
include more data that can be aggregated, sorted, and grouped.

The default minimum key limit is based on the Sort By and Group By values configured for the
scheduled report using the following calculation:
<Sort By value> x 100 x <Group By value>
For example, if Sort By is configured as Top 25 and Group By is configured as 5 Groups, the
default minimum key limit is 25 x 100 x 5 = 12,500 keys. The Group By value is not factored into
the calculation when set to None. The default minimum key limit cannot exceed the maximum
key limit.

You can only configure the key limits for the M-Series appliances and Panorama virtual
appliances. The PA-7000 Series key limits are not configurable.

The supported maximum and minimum keys are increased for the following Panorama models:

Panorama Model                                  Minimum Key Limit            Maximum Key Limit
PA-7000 Series                                  1,000 (default, not          25,000 (default, not
                                                configurable)                configurable)
M-200                                           15,000                       50,000
M-500                                           15,000                       50,000
M-600                                           15,000                       50,000
Panorama Virtual Appliance in Legacy mode       5,000                        25,000
Panorama Virtual Appliance (all other           15,000                       50,000
supported models)

STEP 1 | Log in to the Panorama CLI.

STEP 2 | Configure the maximum key limit using the following command:
You can set the maximum key limit between 0 and 50; the value is in thousands of keys, so 50
equals 50,000 keys. In this example, we are setting the maximum key limit for the Panorama
virtual appliance to 30,000 keys.

admin@Panorama> request max-report-keys set limit 30

STEP 3 | Configure the minimum key limit using the following command:
You can set the minimum key limit between 0 and 15, where 15 equals 15,000 keys. In this
example, we are setting the minimum key limit for the Panorama virtual appliance to 15,000
keys.

admin@Panorama> request min-report-keys set limit 15

STEP 4 | (Optional) Restore the default minimum key limit (the calculation above) by setting
the value to 0.

admin@Panorama> request min-report-keys set limit 0

STEP 5 | Commit the new maximum and minimum key limits. commit-all is a configuration mode
command, so enter configuration mode first:

admin@Panorama> configure
admin@Panorama# commit-all
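
The following Python script is an added example (it is not from this guide or from Palo Alto Networks) that applies the key limit rule described above: it computes the default minimum key limit from a report's Sort By and Group By settings, caps it at the model's maximum from the table, validates a requested pair of limits, and emits the two CLI commands in the units the CLI takes (a limit value of n means n x 1,000 keys). The model names used as dictionary keys are this example's own shorthand.

```python
"""Key limit helper for Panorama scheduled reports (added example, not Palo Alto code)."""
from typing import List, Optional

# Limits from the table in this section, in keys. The dictionary keys are this example's shorthand.
MODEL_KEY_LIMITS = {
    "PA-7000":   {"min": 1_000,  "max": 25_000, "configurable": False},
    "M-200":     {"min": 15_000, "max": 50_000, "configurable": True},
    "M-500":     {"min": 15_000, "max": 50_000, "configurable": True},
    "M-600":     {"min": 15_000, "max": 50_000, "configurable": True},
    "VM-legacy": {"min": 5_000,  "max": 25_000, "configurable": True},   # virtual appliance, Legacy mode
    "VM":        {"min": 15_000, "max": 50_000, "configurable": True},   # all other virtual appliance models
}


def default_min_keys(sort_by: int, group_by: Optional[int], max_keys: int) -> int:
    """Default minimum key limit: <Sort By> x 100 x <Group By>, capped at the maximum.

    group_by=None mirrors Group By = None in the report, which is left out of the product.
    """
    if sort_by <= 0:
        raise ValueError("Sort By must be a positive Top-N value")
    keys = sort_by * 100
    if group_by is not None:
        if group_by <= 0:
            raise ValueError("Group By must be a positive group count or None")
        keys *= group_by
    return min(keys, max_keys)


def key_limit_commands(model: str, max_keys: int, min_keys: int) -> List[str]:
    """Validate requested limits against the model and return the two CLI commands.

    min_keys=0 restores the default minimum (the calculation above).
    """
    limits = MODEL_KEY_LIMITS[model]
    if not limits["configurable"]:
        raise ValueError(f"{model}: key limits are fixed and cannot be configured")
    if max_keys % 1_000 or min_keys % 1_000:
        raise ValueError("limits are set in units of 1,000 keys")
    if not 0 <= max_keys <= limits["max"]:
        raise ValueError(f"maximum key limit must be 0..{limits['max']} for {model}")
    if not 0 <= min_keys <= limits["min"]:
        raise ValueError(f"minimum key limit must be 0..{limits['min']} for {model}")
    if min_keys > max_keys:
        raise ValueError("minimum key limit cannot exceed the maximum key limit")
    return [
        f"request max-report-keys set limit {max_keys // 1_000}",
        f"request min-report-keys set limit {min_keys // 1_000}",
    ]


if __name__ == "__main__":
    # Worked example from the text: Top 25 sorted into 5 groups -> 12,500 keys.
    print(default_min_keys(25, 5, MODEL_KEY_LIMITS["VM"]["max"]))
    for line in key_limit_commands("VM", 30_000, 15_000):
        print(f"admin@Panorama> {line}")
```

Run it before touching the CLI: a request the model cannot honour (a PA-7000, a value above the table, or a minimum above the maximum) is rejected here rather than silently clamped on the appliance.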

Ingest Traps ESM Logs on Panorama

Visibility is a critical first step in preventing and reducing the impact of an attack. To help you meet
this challenge, Panorama provides an integrated view of firewall logs (events on the network) and
Traps™ ESM Server logs (security events on the endpoints) so that you can trace any suspicious or
malicious activity.
For awareness and context on the events observed on the network and on your endpoints,
forward the security events that the Traps agents report to the ESM Server on to Panorama.
Panorama can serve as a Syslog receiver that ingests these logs from the Traps ESM components
using Syslog over TCP, UDP, or SSL. Then, Panorama can correlate discrete security events that
occur on the endpoints with what's happening on the network and generate match evidence. This
evidence gives you more context on the chronology and flow of events to investigate issues and
fix security gaps in your network.
STEP 1 | Define the log ingestion profile on Panorama and attach it to a Collector Group.

Panorama virtual appliance in Legacy mode cannot ingest Traps logs.

1. Select Panorama > Log Ingestion Profile, and click Add.
2. Enter a Name for the profile.
3. Click Add and enter the details for the ESM Server. You can add up to four ESM Servers
to a profile.
1. Enter a Source Name.
2. Specify the Port on which Panorama will be listening for syslog messages. The range is
23000 to 23999.
3. Select the Transport layer protocol—TCP, UDP, or SSL.
4. Select Traps_ESM for External Log Type and your Traps ESM Version. For example, for
Traps ESM 4.0 or 4.1, select 3.4.1+.
As Traps log formats are updated, the updated log definitions will be available through
content updates on Panorama.
4. Select Panorama > Collector Groups > Log Ingestion and Add the log ingestion profile so
that the Collector Group can receive logs from the ESM Server(s) listed in the profile.
If you are enabling SSL for secure syslog communication between Panorama and the
ESM Server(s), you must attach a certificate to the Managed Collectors that belong to the
Collector Group (Panorama > Managed Collectors > General, and select the certificate to
use for Inbound Certificate for Secure Syslog).
5. Commit changes to Panorama and the Collector Group.

STEP 2 | Configure Panorama as a Syslog receiver on the ESM Server.

Traps ESM 4.0 and later supports log forwarding to both an external syslog receiver and
Panorama. Because earlier Traps ESM releases do not support log forwarding to multiple syslog
receivers, you must configure Panorama as a syslog receiver in the Syslog settings (for Traps
ESM 3.4, see Enable Log Forwarding to an External Logging Platform).
For Traps ESM 4.0 and later releases:
1. From the ESM Console, select Settings > ESM > Panorama, and Enable log forwarding to
Panorama.
2. Enter the Panorama hostname or IP address as the Panorama Server and the Panorama
Server Port on which Panorama is listening. Repeat this step for an optional Panorama
Failover Server.
3. Select the Transport layer Communication Protocol: TCP, TCP with SSL, or UDP. If
you select TCP with SSL, the ESM Server must be able to validate the certificate that
Panorama presents.
From Panorama, export the root CA certificate that issued the Inbound Certificate for
Secure Syslog, and import the certificate into the trusted root certificate store of the
host on which you have installed the ESM Server.
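
As an added example (not part of the guide and not Palo Alto Networks code), the Python below checks a log ingestion profile against the constraints in STEP 1 (at most four ESM servers, a port in 23000-23999, transport TCP, UDP or SSL) and can send one constructed syslog line to the Collector Group listener over the chosen transport. For SSL it validates Panorama's certificate against the exported root CA file, which is the same trust relationship the ESM host needs. The host names, file names and message text are assumptions for the example.

```python
"""Log ingestion profile check and syslog test client (added example, not Palo Alto code)."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional

PORT_MIN, PORT_MAX = 23000, 23999      # listener port range from STEP 1
TRANSPORTS = ("TCP", "UDP", "SSL")    # transports a profile entry accepts
MAX_SERVERS = 4                       # ESM servers per profile


def validate_profile(servers: List[Dict]) -> List[str]:
    """Return the problems found in a profile's ESM server entries (empty list = valid)."""
    problems = []
    if not servers:
        problems.append("profile has no ESM server entries")
    if len(servers) > MAX_SERVERS:
        problems.append(f"a profile holds at most {MAX_SERVERS} ESM servers")
    for entry in servers:
        name = entry.get("name") or "<unnamed>"
        if not entry.get("name"):
            problems.append("every entry needs a Source Name")
        port = entry.get("port")
        if not isinstance(port, int) or not PORT_MIN <= port <= PORT_MAX:
            problems.append(f"{name}: port {port!r} is outside {PORT_MIN}-{PORT_MAX}")
        if entry.get("transport") not in TRANSPORTS:
            problems.append(f"{name}: transport must be one of {', '.join(TRANSPORTS)}")
    return problems


def syslog_line(hostname: str, app: str, msg: str, facility: int = 1, severity: int = 6) -> str:
    """BSD-style syslog line '<PRI>Mmm dd hh:mm:ss host app: msg' with PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {app}: {msg}\n"


def send_test_line(panorama_host: str, port: int, transport: str, line: str,
                   ca_file: Optional[str] = None, timeout: float = 5.0) -> int:
    """Deliver one syslog line the way the profile expects; returns the number of bytes sent.

    For SSL, pass the exported root CA of the 'Inbound Certificate for Secure Syslog' as
    ca_file. Hostname verification stays on, so a certificate that does not match the
    Panorama name fails here instead of silently on the ESM host later.
    """
    if transport not in TRANSPORTS:
        raise ValueError(f"unsupported transport {transport!r}")
    data = line.encode()
    if transport == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(data, (panorama_host, port))
    sock = socket.create_connection((panorama_host, port), timeout=timeout)
    if transport == "SSL":
        ctx = ssl.create_default_context(cafile=ca_file)   # verifies the chain and the hostname
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        sock = ctx.wrap_socket(sock, server_hostname=panorama_host)
    with sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    # Constructed profile; names and ports are assumptions for this example.
    profile = [
        {"name": "esm-primary", "port": 23001, "transport": "SSL"},
        {"name": "esm-dr", "port": 23002, "transport": "TCP"},
    ]
    issues = validate_profile(profile)
    print("profile OK" if not issues else "\n".join(issues))
    if not issues:
        line = syslog_line("esm-primary", "traps-esm", "test event from ingestion check")
        # Needs a reachable listener; uncomment on the ESM host once the CA file is in place:
        # send_test_line("panorama.example.net", 23001, "SSL", line, ca_file="panorama-root-ca.pem")
```

A failed SSL handshake from this client (certificate verify failed, hostname mismatch) points at the root CA export or the Inbound Certificate for Secure Syslog on the Managed Collector, not at the profile; a plain TCP connection refused points at the port or the Collector Group commit.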

STEP 3 | View ESM logs and correlated events.

1. Select Monitor > External Logs > Traps ESM to view the logs ingested into Panorama.
2. Select Monitor > Automated Correlation Engine > Correlated Events, and filter on
the Wildfire and Traps ESM Correlated C2 correlation object name to find correlated
events. Panorama generates correlated events when a host on your network exhibits
command and control activity that matches the behavior observed for a malicious file in
the WildFire virtual environment. This correlated event alerts you to suspicious activity
that a Traps agent and the firewall have observed from one or more infected hosts on
your network.

Use Case: Monitor Applications Using Panorama

This example takes you through the process of assessing the efficiency of your current policies
and determining where you need to adjust them to fortify the acceptable use policies for your
network.
When you log in to Panorama, the Top Applications widget on the Dashboard gives a preview of
the most used applications over the last hour. To display the widget, select Widgets > Application
> Top Applications in the toolbar. You can either glance over the list of top applications and mouse
over each application block for which you want to review the details, or you can select the ACC
tab to view the same information as an ordered list. The following image is a view of the Top
Applications widget on the Dashboard.

Figure 24: Top Applications Widget

The data source for this display is the application statistics database; it does not use the Traffic
logs and is generated whether or not you have enabled logging for security rules. This view into
the traffic on your network depicts everything that is allowed on your network and is flowing
through unblocked by any policy rules that you have defined.
In the ACC tab, you can select and toggle the Data Source to be local on Panorama or you
can query the managed firewalls (Remote Device Data) for the data; Panorama automatically
aggregates and displays the information. For a speedier flow, consider using Panorama as the
data source (with log forwarding to Panorama enabled) because the time to load data from the
managed firewalls varies by the time period for which you choose to view data and the volume of
traffic that is generated on your network. If your managed firewalls have a combination of
PAN-OS 7.0 and earlier versions, Remote Device Data is not available.
The Dashboard example in Figure 24: Top Applications Widget shows DNS as a popular
application. If you click the DNS application block, Panorama opens the ACC > Network Activity
tab with DNS applied as a global filter and shows information on the application, users who
accessed the application, and the details on the risk level and characteristics of the application.
Figure 25: Network Activity Tab

In the User Activity widget, you can see how many users are using DNS and the volume of traffic
being generated. If you have enabled User-ID, you can view the names of the users who are
generating this traffic, and drill in to review all the sessions, content or threats associated with
each user.
In the Threat Activity tab, view the Compromised Hosts widget to see what correlation objects
were matched on, and view the match evidence associated with the user and application. You can
also view the threat name, category and ID in the Threat Activity widget.
With DNS set as a global filter, use the Destination IP Activity and the Destination Regions
widgets to verify where the traffic was destined. You can also view the ingress and egress zones
and the security rule that is letting this connection through.
For more detailed information, jump into the Traffic logs for a filtered view and review each
log entry for ports used, packets sent, bytes sent and received. Adjust the columns to view more
information or less information based on your needs.
The Monitor > App Scope > Traffic Map tab displays a geographical map of the traffic flow and
provides a view of incoming versus outgoing traffic. You can also use the Monitor > App Scope >
Change Monitor tab to view changes in traffic patterns. For example, compare the top applications
used over this hour to the last week or month to determine if there is a pattern or trend.
With all the information you have now uncovered, you can evaluate what changes to make to your
policy configurations. Here are some suggestions to consider:
• Be restrictive and create a pre-rule on Panorama to block or allow all DNS traffic. Then use
Panorama device groups to create and push this policy rule to one or more firewalls.

• Enforce bandwidth use limits and create a QoS profile and policy rule that de-prioritizes
non-business traffic. Use Panorama device groups and templates to configure QoS and then push
rules to one or more firewalls.
• Schedule a custom report group that pulls together the activity for the specific user and that of
top applications used on your network to observe that pattern for another week or two before
taking action.
Besides checking for a specific application, you can also check for any unknown applications in
the list of top applications. These are applications that did not match a defined App-ID™ signature
and display as unknown-udp and unknown-tcp. To delve into these unknown applications, click on
the name to drill down to the details for the unclassified traffic.
Use the same process to investigate the top source IP addresses of the hosts that initiated the
unknown traffic along with the IP address of the destination host to which the session was
established. For unknown traffic, the firewall by default takes a packet capture (pcap) when it
detects an unknown application. The green arrow in the left column of the traffic log represents
the packet capture snippet of the application data. Clicking on the green arrow displays the pcap
in the browser.
Having the IP addresses of the servers (destination IP), the destination port, and the packet
captures, you will be better positioned to identify the application and make a decision on how
you would like to take action on your network. For example, you can create a custom application
that identifies this traffic instead of labeling it as unknown TCP or UDP traffic. Refer to the article
Identifying Unknown Applications for more information on identifying unknown applications and
Custom Application Signatures for information on developing custom signatures to discern the
application.

Use Case: Respond to an Incident Using Panorama

Network threats can originate from different vectors, including malware and spyware infections
due to drive-by downloads, phishing attacks, unpatched servers, and random or targeted denial of
service (DoS) attacks, to name a few methods of attack. The ability to react to a network attack or
infection requires processes and systems that alert the administrator to an attack and provide the
necessary forensic evidence to track the source and methods used to launch the attack.
The advantage that Panorama provides is a centralized and consolidated view of the patterns and
logs collected from the managed firewalls across your network. You can use the information from
the automated correlation engine alone or in conjunction with the reports and logs generated
from a Security Information and Event Management (SIEM) system to investigate how an attack
was triggered and how to prevent future attacks and loss or damage to your network.
The questions that this use case probes are:
• How are you notified of an incident?
• How do you corroborate that the incident is not a false positive?
• What is your immediate course of action?
• How do you use the available information to reconstruct the sequence of events that preceded
or followed the triggering event?
• What are the changes you need to consider for securing your network?
This use case traces a specific incident and shows how the visibility tools on Panorama can help
you respond to the report.
• Incident Notification
• Review the Widgets in the ACC
• Review Threat Logs
• Review WildFire Logs
• Review Data Filtering Logs
• Update Security Rules

Incident Notification
There are several ways that you could be alerted to an incident depending on how you've
configured the Palo Alto Networks firewalls and which third-party tools are available for further
analysis. You might receive an email notification that was triggered by a log entry recorded
to Panorama or to your syslog server, or you might be informed through a specialized report
generated on your SIEM solution, or a third-party paid service or agency might notify you. For this
example, let's say that you receive an email notification from Panorama. The email informs you of
an event that was triggered by an alert for a Zero Access gent.Gen Command And Control Traffic
that matched against a spyware signature. Also listed in the email are the IP address of the source
and destination for the session, a threat ID and the timestamp of when the event was logged.

Review the Widgets in the ACC

In the ACC > Threat Activity tab, check the Compromised Hosts widget and Threat Activity
widget for any critical or high severity threats. In the Compromised Hosts widget, look into the
Matching Objects and click a Match Count value to view the match evidence for the associated
incident.

Review Threat Logs

To begin investigating the alert, use the threat ID to search the Threat logs on Panorama (Monitor
> Logs > Threat). From the Threat logs, you can find the IP address of the victim, export the packet
capture (PCAP) by clicking the download icon in the log entry, and use a network analyzer tool
such as Wireshark to review the packet details. In the HTTP case, look for a malformed or bogus
HTTP Referer header, a suspicious host, URL strings, the user agent, and the IP address and
port in order to validate the incident. Data from these pcaps is also useful in searching for similar
data patterns and creating custom signatures or modifying security policy to better address the
threat in the future.
As a result of this manual review, if you feel confident about the signature, consider transitioning
the signature from an alert action to a block action for a more aggressive approach. In some cases,
you may choose to add the attacker IP to an IP block list to prevent further traffic from that IP
address from reaching the internal network.

If you see a DNS-based spyware signature, the IP address of your local DNS server might
display as the Victim IP address. Often this is because the firewall is located north of the
local DNS server, and so DNS queries show the local DNS server as the source IP rather
than showing the IP address of the client that originated the request.
If you see this issue, enable the DNS sinkholing action in the Anti-Spyware profile in
security rules to identify the infected hosts on your network. DNS sinkholing allows you
to control outbound connections to malicious domains: the firewall answers the DNS query
with an unused internal IP address (the sinkhole), which never responds. When a
compromised host then initiates a connection to the malicious domain, instead of going out to
the internet, the connection goes to the sinkhole address you defined. Reviewing the traffic logs
for all hosts that connected to the sinkhole lets you locate the compromised hosts and take
remedial action to prevent the spread.
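
The traffic-log review described in the note, written out as an added Python example (not from the guide and not a Palo Alto Networks tool): it reads a constructed traffic-log export and reports every internal source that opened a session to the sinkhole address, with the attempt count, first and last time seen, and the destination ports tried. The CSV columns and the sinkhole address 10.0.0.254 are assumptions; a real Panorama export carries more columns, but the same filter on the destination address applies.

```python
"""Locate hosts that connected to the DNS sinkhole address (added example, not Palo Alto code)."""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed export: the DNS server (10.1.1.53), two infected clients and a clean client.
# Real Panorama traffic logs have many more columns; only these are needed for the check.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,app,action,rule
2022/02/22 09:01:12,10.1.20.15,72.5.65.111,80,web-browsing,allow,allow-web
2022/02/22 09:02:03,10.1.20.15,10.0.0.254,80,web-browsing,allow,allow-web
2022/02/22 09:02:03,10.1.20.15,10.0.0.254,443,ssl,allow,allow-web
2022/02/22 09:05:44,10.1.30.7,10.0.0.254,80,web-browsing,allow,allow-web
2022/02/22 09:06:10,10.1.1.53,8.8.8.8,53,dns,allow,allow-dns
2022/02/22 09:07:30,10.1.30.7,10.0.0.254,80,web-browsing,deny,deny-sinkhole
2022/02/22 09:08:01,10.1.40.9,72.5.65.111,443,ssl,allow,allow-web
2022/02/22 09:09:15,10.1.30.7,10.0.0.254,443,ssl,deny,deny-sinkhole
"""

SINKHOLE_IP = "10.0.0.254"   # assumption: the unused internal address set in the Anti-Spyware profile


def sinkholed_hosts(log_text: str, sinkhole_ip: str = SINKHOLE_IP) -> Dict[str, dict]:
    """Group sessions whose destination is the sinkhole by source IP.

    Timestamps are 'YYYY/MM/DD hh:mm:ss', so plain string comparison orders them correctly.
    The DNS server never appears: its own queries go to real resolvers, not to the sinkhole.
    """
    hosts: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "first": None, "last": None, "ports": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] != sinkhole_ip:
            continue
        rec = hosts[row["src"]]
        rec["attempts"] += 1
        when = row["receive_time"]
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
        rec["ports"].add(int(row["dport"]))
    return dict(hosts)


def report(hosts: Dict[str, dict]) -> List[str]:
    """One line per compromised host, busiest first, ready for the remediation ticket."""
    lines = []
    for ip, rec in sorted(hosts.items(), key=lambda kv: (-kv[1]["attempts"], kv[0])):
        ports = ",".join(str(p) for p in sorted(rec["ports"]))
        lines.append(f"{ip} attempts={rec['attempts']} first={rec['first']} "
                     f"last={rec['last']} ports={ports}")
    return lines


if __name__ == "__main__":
    for line in report(sinkholed_hosts(SAMPLE_TRAFFIC_LOG)):
        print(line)
```

The action column is deliberately ignored: whether the session to the sinkhole was allowed or denied, the fact that the host tried to reach it is the indicator of compromise.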

To continue with the investigation on the incident, use the information on the attacker and the
victim IP address to find out more information, such as:
• Where is the attacker located geographically? Is the IP address an individual IP address or a
NATed IP address?
• Was the event caused by a user being tricked into going to a website, a download, or was it
sent through an email attachment?
• Is the malware being propagated? Are there other compromised hosts/endpoints on the
network?
• Is it a zero-day vulnerability?
The log details for each log entry display the related logs for the event. This information points
you to the Traffic, Threat, URL Filtering or other logs that you can review to correlate the events
that led to the incident. For example, filter the Traffic log (Monitor > Logs > Traffic) using the IP
address as both the source and the destination IP to get a complete picture of all the external and
internal hosts/clients with which this victim IP address has established a connection.

Review WildFire Logs

In addition to the Threat logs, use the victim IP address to filter through the WildFire Submissions
logs. The WildFire Submissions logs contain information on files uploaded to the WildFire service
for analysis. Because spyware typically embeds itself covertly, reviewing the WildFire Submissions
logs tells you whether the victim recently downloaded a suspicious file. The WildFire forensics
report displays information on the URL from which the file or .exe was obtained, and the behavior
of the content. It informs you if the file is malicious, if it modified registry keys, read/wrote into
files, created new files, opened network communication channels, caused application crashes,
spawned processes, downloaded files, or exhibited other malicious behavior. Use this information
to determine whether to block the application that caused the infection (web-browsing, SMTP,
FTP), make more stringent URL Filtering rules, or restrict some applications/actions (for example,
file downloads to specific user groups).

Access to the WildFire logs from Panorama requires the following: a WildFire subscription,
a File Blocking profile that is attached to a Security rule, and Threat log forwarding to
Panorama.
If Panorama will manage firewalls running software versions earlier than PAN-OS 7.0,
specify a WildFire server from which Panorama can gather analysis information for
WildFire samples that those firewalls submit. Panorama uses the information to complete
WildFire Submissions logs that are missing field values introduced in PAN-OS 7.0. Firewalls
running earlier releases won't populate those fields. To specify the server, select Panorama
> Setup > WildFire, edit the General Settings, and enter the WildFire Private Cloud name.
The default is wildfire-public-cloud, which is the WildFire cloud hosted in the United
States.

If WildFire determines that a file is malicious, a new antivirus signature is created within 24-48
hours and made available to you. If you have a WildFire subscription, the signature is made
available within 30-60 minutes as part of the next WildFire signature update. As soon as the Palo
Alto Networks next-generation firewall has received the signature, if your configuration is
set to block malware, the file will be blocked and the information on the blocked file will
be visible in your threat logs. This process is tightly integrated to protect you from this threat and
stems the spread of malware on your network.

Review Data Filtering Logs

The Data Filtering log (Monitor > Logs > Data Filtering) is another valuable source for
investigating malicious network activity. While you can periodically review the logs for all the files
that you are being alerted on, you can also use the logs to trace file and data transfers to or from
the victim IP address or user, and verify the direction and flow of traffic: server to client or client
to server. To recreate the events that preceded and followed an event, filter the logs for the victim
IP address as a destination, and review the logs for network activity.
Because Panorama aggregates information from all managed firewalls, it presents a good overview
of all activity in your network. Some of the other visual tools that you can use to survey traffic on
your network are the Threat Map, Traffic Map, and the Threat Monitor. The threat map and traffic
map (Monitor > App Scope > Threat Map or Traffic Map) allow you to visualize the geographic
regions for incoming and outgoing traffic. They are particularly useful for viewing unusual activity
that could indicate a possible attack from outside, such as a DDoS attack. If, for example, you do
not have many business transactions with Eastern Europe, and the map reveals an abnormal level
of traffic to that region, click into the corresponding area of the map to launch and view the ACC
information on the top applications, traffic details on the session count, bytes sent and received,
top sources and destinations, users or IP addresses, and the severity of the threats detected, if
any. The threat monitor (Monitor > App Scope > Threat Monitor) displays the top ten threats on
your network, or the list of top attackers or top victims on the network.

Update Security Rules

With all the information you have now uncovered, you can sketch together how the threat
impacts your network—the scale of the attack, the source, the compromised hosts, the risk
factor—and evaluate what changes, if any, to follow through. Here are some suggestions to consider:
• Forestall DDoS attacks by enhancing your DoS Protection profile to use Random Early Drop
or SYN Cookies against TCP SYN floods. Consider placing limits on ICMP and UDP traffic.
Evaluate the options available to you based on the trends and patterns you noticed in your logs,
and implement the changes using Panorama templates.
• Create an external dynamic list (Objects > External Dynamic Lists; called a dynamic block list
in earlier releases) to block specific IP addresses that you have uncovered from several
intelligence sources: analysis of your own threat logs, DDoS attacks from specific IP addresses,
or a third-party IP block list.
The list must be a text file that is located on a web server. Using device groups on Panorama,
push the object to the managed firewalls so that the firewalls can access the web server and
import the list at a defined frequency. After creating the list object, define a
Security rule that uses it in the source or destination field to block traffic
from or to the IP addresses, ranges, or subnets it contains. This approach allows you to block
intruders until you resolve the issue and make larger policy changes to secure your network.
• Determine whether to create shared policy rules or device group rules to block specific
applications that caused the infection (web-browsing, SMTP, FTP), make more stringent URL
Filtering rules, or restrict some applications/actions (for example, file downloads to specific
user groups).
• On Panorama, you can also switch to the firewall context and configure the firewall for Botnet
reports that identify potential botnet-infected hosts on the network.

Panorama High Availability
To provide redundancy in case of a system or network failure, you can deploy two
Panorama™ management servers in a high availability (HA) configuration. Panorama
supports an HA configuration in which one peer is the active-primary and the other
is the passive-secondary. If a failure occurs on the primary peer, it automatically fails
over and the secondary peer becomes active.

> Panorama HA Prerequisites
> Priority and Failover on Panorama in HA
> Failover Triggers
> Logging Considerations in Panorama HA
> Synchronization Between Panorama HA Peers
> Manage a Panorama HA Pair
Panorama HA Prerequisites
To configure Panorama in HA, you require a pair of identical Panorama servers with the following
requirements on each:
• The same form factor—The peers must be the same model: both M-600 appliances, M-500
appliances, M-200 appliances, or both deployed on the same supported hypervisor for
Panorama virtual appliances. For example, to successfully configure HA for a Panorama virtual
appliance deployed on AWS in Panorama mode, the HA peer must also be deployed on AWS
and be in Panorama mode.
• The same mode—The peers must be in the same Panorama mode: both running in Panorama
mode, Management Only mode, or Legacy mode (ESXi and vCloud Air only).
Panorama appliances in Log Collector mode do not support HA.
• The same Panorama OS version—Must run the same Panorama version to synchronize
configuration information and maintain parity for a seamless failover.
• The same set of licenses—Must have the same firewall management capacity license.
• (Panorama virtual appliance only) FIPS-CC Mode—FIPS-CC mode must be enabled or disabled
on both Panorama HA peers.
• (Panorama virtual appliance only) Virtual Appliance Resources—Must have the same number of
vCPU cores and memory allocated to successfully synchronize configuration information.
• (Panorama virtual appliance only) Unique serial number—Must have unique serial numbers; if
the serial number is the same for both Panorama instances, they will be in suspended mode
until you resolve the issue.

While it is recommended to match the number of logging disks and the logging disk
capacities between the Panorama HA peers, having a different number of logging disks
or different logging disk capacities between the Panorama HA peers does not impact
configuration synchronization or HA failover.


Figure 26: Panorama HA Organization

The Panorama servers in the HA configuration are peers and you can use either (active or passive)
to centrally manage the firewalls, Log Collectors, and WildFire appliances and appliance clusters,
with a few exceptions (see Synchronization Between Panorama HA Peers). The HA peers use
the management (MGT) interface to synchronize the configuration elements pushed to the
managed firewalls, Log Collectors, and WildFire appliances and appliance clusters to maintain state
information. Typically, Panorama HA peers are geographically located in different sites, so you
need to make sure that the MGT interface IP address assigned to each peer is routable through
your network. HA connectivity uses TCP port 28 with encryption enabled. If encryption is not
enabled, ports 28769 and 28260 are used for HA connectivity and to synchronize configuration
between the HA peers. We recommend less than 500ms latency between the peers. To determine
the latency, use Ping during a period of normal traffic.


Priority and Failover on Panorama in HA


Each Panorama peer in the HA pair is assigned a priority value. The priority value of the primary or
secondary peer determines which will be eligible for being the main point of administration and
log management. The peer set as primary assumes the active state, and the secondary becomes
passive. The active peer handles all the configuration changes and pushes them to the managed
firewalls; the passive peer cannot make any configuration changes or push configuration to the
managed firewalls. However, either peer can be used to run reports or to perform log queries.
The passive peer is synchronized and ready to transition to the active state if a path, link, system,
or network failure occurs on the active Panorama.
When a failover occurs, only the state (active or passive) of the Panorama peer changes; the
priority (primary and secondary) does not. For example, when the primary peer fails, its status
changes from active-primary to passive-primary.
A peer in the active-secondary state can perform all functions with two exceptions:
• It cannot manage firewall or Log Collector deployment functions such as license updates or
software upgrades.
• It cannot log to an NFS until you manually change its priority to primary. Only the Panorama
virtual appliance in Legacy mode supports NFS.
The following table lists the capabilities of Panorama based on its state and priority settings:

Figure 27: Panorama HA Capabilities

For more informaon, see Panorama HA Prerequisites or Set Up HA on Panorama.


Failover Triggers
When a failure occurs on the acve Panorama and the passive Panorama takes over the task of
managing the firewalls, the event is called a failover. A failover is triggered when a monitored
metric on the acve Panorama fails. This failure transions the state on the primary Panorama
from acve-primary to passive-primary, and the secondary Panorama becomes acve-secondary.
The condions that trigger a failover are:
• The Panorama peers cannot communicate with each other and the acve peer does not
respond to health and status polls; the metric used is HA Heartbeat Polling and Hello
Messages.
When the Panorama peers cannot communicate with each other, the acve one monitors
whether the peers are sll connected before a failover is triggered. This check helps in avoiding
a failover and causing a split-brain scenario, where both Panorama peers are in an acve state.
• One or more of the desnaons (IP addresses) specified on the acve peer cannot be reached;
the metric used is HA Path Monitoring.
In addion to the failover triggers listed above, a failover also occurs when the administrator
places the Panorama peer in a suspended state or when preempon occurs. Preempon is a
preference for the primary Panorama to resume the acve role aer recovering from a failure (or
user-iniated suspension). By default, preempon is enabled and when the primary Panorama
recovers from a failure and becomes available, the secondary Panorama relinquishes control and
returns to the passive state. When preempon occurs, the event is logged in the System log.
If you are logging to an NFS datastore, do not disable preempon because it allows the primary
peer (that is mounted to the NFS) to resume the acve role and write to the NFS datastore. For all
other deployments, preempon is only required if you want to make sure that a specific Panorama
is the preferred acve peer.

HA Heartbeat Polling and Hello Messages


The HA peers use hello messages and heartbeats to verify that the peer is responsive and
operational. Hello messages are sent from one peer to the other at the configured Hello Interval to
verify the state of the other. The heartbeat is an ICMP ping to the HA peer, and the peer responds
to the ping to establish that the peers are connected and responsive. By default, the interval is
1,000 milliseconds for the heartbeat and 8,000ms for hello messages.

HA Path Monitoring
Path monitoring checks the network connectivity and link state for an IP address or group of IP
addresses (path group). The active peer uses ICMP pings to verify that one or more destination
IP addresses can be reached. For example, you can monitor the availability of interconnected
networking devices like a router or a switch, connectivity to a server, or some other vital device
that is in the flow of traffic. Make sure that the node/device configured for monitoring is not likely
to be unresponsive, especially when it comes under load, as this could cause a path monitoring
failure and trigger a failover.
The default ping interval is 5,000ms. An IP address is considered unreachable when three
consecutive pings (the default value) fail, and a peer failure is triggered when any or all of the IP
addresses monitored become unreachable. By default, if any one of the IP addresses becomes
unreachable, the HA state transitions to non-functional.
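The failover rules in the two sections above (the three-consecutive-ping threshold, the per-group and Panorama-level failure conditions, state changing while priority stays fixed, and preemption when a recovered primary is made functional again, as also used in Test Panorama HA Failover and Restore the Primary Panorama to the Active State) as an added Python model. This is not Palo Alto Networks code; the peer states, IP addresses and the scenario in demo() are assumptions for illustration.

```python
"""Constructed model of Panorama HA failover decisions; not Palo Alto Networks code.
IP addresses and the scenario in demo() are assumptions for illustration."""
from dataclasses import dataclass, field

PING_FAILURE_THRESHOLD = 3  # consecutive failed pings before an IP is unreachable (page default)


@dataclass
class PathGroup:
    """Destination IPs pinged by the active peer, with a per-group Failure Condition."""
    ips: list
    failure_condition: str = "any"    # "any" or "all", as in Set Up HA STEP 4
    failures: dict = field(default_factory=dict)

    def record_ping(self, ip, reachable):
        # A successful ping resets the counter; failures accumulate toward the threshold.
        self.failures[ip] = 0 if reachable else self.failures.get(ip, 0) + 1

    def failed(self):
        down = [ip for ip in self.ips if self.failures.get(ip, 0) >= PING_FAILURE_THRESHOLD]
        # "all": fail only when no IP is reachable; "any": fail as soon as one IP is down.
        return len(down) == len(self.ips) if self.failure_condition == "all" else bool(down)


@dataclass
class PanoramaPeer:
    priority: str                     # "primary" or "secondary"; unchanged by failover
    state: str = "passive"            # "active", "passive", "suspended", "non-functional"
    preemption: bool = True
    path_groups: list = field(default_factory=list)
    path_failure_condition: str = "any"  # Panorama-level condition across groups (STEP 5)

    def path_monitoring_failed(self):
        if not self.path_groups:
            return False
        results = [g.failed() for g in self.path_groups]
        return all(results) if self.path_failure_condition == "all" else any(results)

    def label(self):
        return f"{self.state}-{self.priority}"  # e.g. "active-primary"


class HAPair:
    """On failover only the state of each peer changes; priority stays with the peer."""
    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary
        primary.state, secondary.state = "active", "passive"
        self.events = []

    def active(self):
        return self.primary if self.primary.state == "active" else self.secondary

    def other(self, peer):
        return self.secondary if peer is self.primary else self.primary

    def _failover(self, failed, new_state, reason):
        failed.state = new_state
        self.other(failed).state = "active"
        self.events.append(f"failover ({reason}): {failed.label()} / {self.other(failed).label()}")

    def evaluate_path_monitoring(self):
        # True when path monitoring on the active peer triggered a failover.
        act = self.active()
        if act.path_monitoring_failed():
            self._failover(act, "non-functional", "path monitoring")
            return True
        return False

    def suspend(self, peer):
        # Suspending the active peer by hand is itself a failover trigger.
        if peer.state == "active":
            self._failover(peer, "suspended", "suspended by admin")
        else:
            peer.state = "suspended"

    def make_functional(self, peer):
        # "Make local Panorama functional": the peer returns as passive; with preemption
        # enabled a recovered primary immediately resumes the active role.
        peer.state = "passive"
        if peer is self.primary and peer.preemption and self.secondary.state == "active":
            self.secondary.state, self.primary.state = "passive", "active"
            self.events.append("preemption: primary resumed the active role")
        return peer.label()


def demo(preemption=True):
    """Path-monitoring failover followed by recovery, with or without preemption."""
    core = PathGroup(["10.0.0.1", "10.0.0.2"], "any")     # constructed IPs
    edge = PathGroup(["192.0.2.1", "192.0.2.2"], "all")
    primary = PanoramaPeer("primary", preemption=preemption,
                           path_groups=[core, edge], path_failure_condition="all")
    pair = HAPair(primary, PanoramaPeer("secondary", preemption=preemption))
    for _ in range(PING_FAILURE_THRESHOLD):      # one core router down: its "any" group
        core.record_ping("10.0.0.1", False)      # fails, but Panorama-level "all" holds off
        core.record_ping("10.0.0.2", True)
    first = pair.evaluate_path_monitoring()      # False: not every group has failed
    for _ in range(PING_FAILURE_THRESHOLD):      # both edge links down: every group failed
        edge.record_ping("192.0.2.1", False)
        edge.record_ping("192.0.2.2", False)
    second = pair.evaluate_path_monitoring()     # True: active-primary -> non-functional
    during = (primary.label(), pair.secondary.label())
    pair.make_functional(primary)                # recovery; preemption decides who is active
    return {"first": first, "second": second, "during": during,
            "final": (primary.label(), pair.secondary.label()), "events": pair.events}
```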


Logging Consideraons in Panorama HA


Seng up Panorama in an HA configuraon provides redundancy for log collecon. Because
the managed firewalls are connected to both Panorama peers over SSL, when a state change
occurs, each Panorama sends a message to the managed firewalls. The firewalls are nofied of the
Panorama HA state and can forward logs accordingly.

By default, when the managed firewalls cannot connect to Panorama, they buffer the logs;
when the connecon is restored, they resume sending logs from where it was last le off.

The logging opons on the hardware-based Panorama and on the Panorama virtual appliance
differ:
• Logging Failover on a Panorama Virtual Appliance in Legacy Mode
• Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Logging Failover on a Panorama Virtual Appliance in Legacy Mode


The Panorama virtual appliance in Legacy mode provides the following log failover options:

Log Storage Type: Virtual disk
By default, the managed firewalls send logs as independent streams to each Panorama HA peer.
By default, if a peer becomes unavailable, the managed firewalls buffer the logs and when the
peer reconnects it resumes sending logs from where it had left off (subject to disk storage
capacity and duration of the disconnection).
The maximum log storage capacity depends on the virtual platform (VMware ESXi or vCloud Air);
see Panorama Models for details.
You can choose whether to forward logs only to the active peer (see Modify Log Forwarding and
Buffering Defaults). However, Panorama does not support log aggregation across the HA pair.
Therefore, if you log to a virtual disk, for monitoring and reporting you must query the Panorama
peer that collects the logs from the managed firewalls.

Log Storage Type: Network File System (NFS)
You can mount NFS storage only to a Panorama virtual appliance that runs on a VMware ESXi
server. Only the active-primary Panorama mounts to the NFS-based log partition and can receive
logs. On failover, the primary device goes into a passive-primary state. In this scenario, until
preemption occurs, the active-secondary Panorama manages the firewalls, but it does not receive
the logs and it cannot write to the NFS. To allow the active-secondary peer to log to the NFS, you
must manually switch it to primary so that it can mount to the NFS partition. For instructions, see
Switch Priority after Panorama Failover to Resume NFS Logging.


Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode
If you forward firewall logs to the local Log Collectors on an HA pair of M-600 appliances, M-500
appliances, M-200 appliances, or Panorama virtual appliances in Panorama mode, you specify
which firewalls send logs to which Log Collectors when you Configure a Collector Group. You can
configure a separate Collector Group for the Log Collector of each Panorama peer or configure
a single Collector Group to contain the Log Collectors of both peers. In a Collector Group that
contains both local Log Collectors, the log forwarding preference list determines which Log
Collector receives logs from firewalls. For all managed firewalls, you have the option to send logs
to all the Log Collectors in the Collector Group, in which case Panorama uses round-robin load
balancing to select which Log Collector receives the logs at any given moment.
In a Collector Group that contains both Log Collectors, you can also enable redundancy so
that each log will have two copies and each copy will reside on a different Log Collector. This
redundancy ensures that, if any one Log Collector becomes unavailable, no logs are lost: you can
see all the logs forwarded to the Collector Group and run reports for all the log information. Log
redundancy is available only if each Log Collector in the Collector Group has the same number of
disks.

All the Log Collectors for any particular Collector Group must be the same model: all
M-200 appliances, all M-500 appliances, all M-600 appliances, or all Panorama virtual
appliances in Panorama mode.
Because enabling redundancy creates more logs, this configuration requires more storage
capacity. Enabling redundancy doubles the log processing traffic in a Collector Group,
which reduces its maximum logging rate by half, as each Log Collector must distribute a
copy of each log it receives. (When a Collector Group runs out of space, it deletes older
logs.)
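The round-robin placement and log redundancy described above, as an added Python model that is not Palo Alto Networks code. The collector names and log records are constructed, and placing the second copy on the next collector in the rotation is an assumption; the page states only that the two copies reside on different Log Collectors.

```python
"""Constructed model of log placement in a Collector Group that holds both HA peers'
local Log Collectors; not Palo Alto Networks code. Names and log ids are assumptions."""
from itertools import cycle


def distribute_logs(logs, collectors, redundancy=False):
    """Round-robin each log across the collectors; with redundancy a second copy goes
    to the next collector in rotation, so the two copies never share a collector."""
    if redundancy and len(collectors) < 2:
        raise ValueError("log redundancy needs at least two Log Collectors")
    stored = {c: [] for c in collectors}
    positions = cycle(range(len(collectors)))
    for log in logs:
        i = next(positions)
        stored[collectors[i]].append(log)
        if redundancy:  # assumed placement rule for the second copy
            stored[collectors[(i + 1) % len(collectors)]].append(log)
    return stored


def visible_logs(stored, unavailable=()):
    """Distinct logs a report can still see when the given collectors are down."""
    seen = set()
    for collector, entries in stored.items():
        if collector not in unavailable:
            seen.update(entries)
    return seen


def compare(logs, collectors, lost_collector):
    """Logs lost and per-collector storage load, without and with redundancy."""
    result = {}
    for redundancy in (False, True):
        stored = distribute_logs(logs, collectors, redundancy)
        lost = set(logs) - visible_logs(stored, {lost_collector})
        result[redundancy] = {"lost": len(lost),
                              "load": {c: len(v) for c, v in stored.items()}}
    return result


LOGS = [f"traffic-{n}" for n in range(6)]    # constructed log records
COLLECTORS = ["LC-peer1", "LC-peer2"]        # one local Log Collector per HA peer
```

compare(LOGS, COLLECTORS, "LC-peer1") shows the trade-off the note describes: without redundancy half the logs are unreadable while LC-peer1 is down, with redundancy none are lost but each collector stores every log.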


Synchronizaon Between Panorama HA Peers


The Panorama HA peers synchronize the running configuraon each me you commit changes on
the acve Panorama peer. The candidate configuraon is synchronized between the peers each
me you save the configuraon on the acve peer or just before a failover occurs.
Sengs that are common across the pair, such as shared objects and policy rules, device
group objects and rules, template configuraon, cerficates and SSL/TLS service profiles, and
administrave access configuraon, are synchronized between the Panorama HA peers.
When you Enable Automated Commit Recovery, HA synchronizaon occurs only aer the firewall
successfully tests the connecon between itself and Panorama aer a push from Panorama.
The sengs that are not synchronized are those that are unique to each peer, such as the
following:
• Panorama HA configuraon—Priority seng, peer IP address, path monitoring groups and IP
addresses
• Panorama configuraon—Management interface IP address, FQDN sengs, login banner,
NTP server, me zone, geographic locaon, DNS server, permied IP addresses for accessing
Panorama, SNMP system sengs, and dynamic content update schedules
• Scheduled configuraon exports
• NFS paron configuraon and all disk quota allocaon for logging. This applies only to a
Panorama virtual appliance in Legacy mode that runs on a VMware ESXi server
• Disk quota allocaon for the different types of logs and databases on the Panorama local
storage (SSD)

If you use a master key to encrypt the private keys and cerficates on Panorama, you
must use the same master key on both HA peers. If the master keys differ, Panorama
cannot synchronize the HA peers.
• Password for the Panorama admin administrator
For more informaon, see Panorama HA Prerequisites or Set Up HA on Panorama.


Manage a Panorama HA Pair


• Set Up HA on Panorama
• Set Up Authentication Using Custom Certificates Between HA Peers
• Test Panorama HA Failover
• Switch Priority after Panorama Failover to Resume NFS Logging
• Restore the Primary Panorama to the Active State

To install software or content updates, see Install Updates for Panorama in an HA
Configuration.

Set Up HA on Panorama
Review the Panorama HA Prerequisites before performing the following steps.

If you configure Secure Communication Settings between Panorama HA peers, the
Panorama HA peers use the custom certificate specified to authenticate one another.
Otherwise, the Panorama HA peers use the predefined certificate for authentication.
Regardless of how you configure the Panorama HA peers to authenticate communication,
neither option impacts the ability of the Panorama HA peers to communicate with one
another.

STEP 1 | Set up connecvity between the MGT ports on the HA peers.


The Panorama peers communicate with each other using the MGT port. Make sure that the
IP addresses you assign to the MGT port on the Panorama servers in the HA pair are routable
and that the peers can communicate with each other across your network. To set up the MGT
port, see Perform Inial Configuraon of the Panorama Virtual Appliance or Perform Inial
Configuraon of the M-Series Appliance.
Pick a Panorama peer in the pair and complete the remaining tasks.


STEP 2 | Enable HA and (optionally) enable encryption for the HA connection.

1. Select Panorama > High Availability and edit the Setup section.
2. Select Enable HA.
3. In the Peer HA IP Address field, enter the IP address assigned to the peer Panorama.
4. In the Peer HA Serial field, enter the serial number of the peer Panorama.
Enter the Panorama HA peer serial number to reduce your attack surface against brute
force attacks on the Panorama IP.
5. In the Monitor Hold Time field, enter the length of time (milliseconds) that the system
will wait before acting on a control link failure (range is 1000-60000, default is 3000).
6. If you do not want encryption, clear the Encryption Enabled check box and click OK: no
more steps are required. If you do want encryption, select the Encryption Enabled check
box, click OK, and perform the following tasks:
1. Select Panorama > Certificate Management > Certificates.
2. Select Export HA key. Save the HA key to a network location that the peer Panorama
can access.
3. On the peer Panorama, navigate to Panorama > Certificate Management >
Certificates, select Import HA key, browse to the location where you saved the key,
and import it.

STEP 3 | Set the HA priority.

1. In Panorama > High Availability, edit the Election Settings section.
2. Define the Device Priority as Primary or Secondary. Make sure to set one peer as
primary and the other as secondary.

If both peers have the same priority setting, the peer with the higher serial
number will be placed in a suspended state.
3. Define the Preemptive behavior. By default preemption is enabled. The preemption
selection—enabled or disabled—must be the same on both peers.

If you are using an NFS for logging and you have disabled preemption, to resume
logging to the NFS see Switch Priority after Panorama Failover to Resume
NFS Logging.


STEP 4 | To configure path monitoring, define one or more path groups.

The path group lists the destination IP addresses (nodes) that Panorama must ping to verify
network connectivity.
Perform the following steps for each path group that includes the nodes that you want to
monitor.
1. Select Panorama > High Availability and, in the Path Group section, click Add.
2. Enter a Name for the path group.
3. Select a Failure Condition for this group:
• any triggers a path monitoring failure if any one of the IP addresses becomes
unreachable.
• all triggers a path monitoring failure only when none of the IP addresses are
reachable.
4. Add each destination IP address you want to monitor.
5. Click OK. The Path Group section displays the new group.

STEP 5 | (Optional) Select the failure condition for path monitoring on Panorama.
1. Select Panorama > High Availability and edit the Path Monitoring section.
2. Select a Failure Condition:
• all triggers a failover only when all monitored path groups fail.
• any triggers a failover when any monitored path group fails.
3. Click OK.

STEP 6 | Commit your configuration changes.

Select Commit > Commit to Panorama and Commit your changes.

STEP 7 | Configure the other Panorama peer.

Repeat Step 2 through Step 6 on the other peer in the HA pair.

STEP 8 | Synchronize the Panorama peers.

1. Access the Dashboard on the active Panorama and select Widgets > System > High
Availability to display the HA widget.
2. Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
3. Access the Dashboard on the passive Panorama and select Widgets > System > High
Availability to display the HA widget.
4. Verify that the Running Config displays Synchronized.

STEP 9 | (Oponal) Set Up Authencaon Using Custom Cerficates Between HA Peers.


You must configure the Secure Communicaon Sengs for both Panorama HA peers.
Configuring Secure Communicaon Sengs for Panorama in HA configuraon does not impact
HA connecvity between the HA peers. However, funconality that goes over the Secure
Communicaon link may fail if the Secure Communicaon Sengs are configured incorrectly,

Panorama Administrator's Guide Version Version 10.1 548 ©2022 Palo Alto Networks, Inc.
Panorama High Availability

or if the HA peer or managed firewalls do not have the correct cerficate, or have an expired
cerficate.
All traffic on the link established by configuring the Secure Communicaon Sengs is always
encrypted.

If you configure Secure Communicaon Sengs for Panorama in a HA configuraon, it


is required to Customize Secure Server Communicaon as well. Otherwise, managed
firewalls and WildFire appliances are unable to connect to Panorama and PAN-OS
funconality is impacted.

Set Up Authencaon Using Custom Cerficates Between HA


Peers
You can Set Up Authencaon Using Custom Cerficates for securing the HA connecon
between Panorama HA peers.
STEP 1 | Generate a cerficate authority (CA) cerficate on Panorama.
1. Select Panorama > Cerficate Management > Cerficates.
2. Create a self-signed root CA cerficate or import a cerficate from your enterprise CA.

STEP 2 | Configure a cerficate profile that includes the root CA and intermediate CA.
1. Select Panorama > Cerficate Management > Cerficate Profile.
2. Configure a cerficate profile.

STEP 3 | Configure an SSL/TLS service profile.


1. Select Panorama > Cerficate Management > SSL/TLS Service Profile.
2. Configure an SSL/TLS profile to define the cerficate and protocol that Panorama and its
manage devices use for SSL/TLS services.


STEP 4 | Configure Secure Communication Settings on Panorama on the primary HA peer.

If you configure Secure Communication Settings on Panorama for Panorama in an
HA configuration, it is required to Customize Secure Server Communication as well.
Otherwise, managed firewalls, Dedicated Log Collectors, and WildFire appliances are
unable to connect to Panorama and PAN-OS functionality is impacted.

1. Select Panorama > Setup > Management and Edit the Secure Communication Settings.
2. For the Certificate Type, select Local.
3. Select the Certificate and Certificate Profile you configured in the previous steps.
4. Check (enable) HA Communication, WildFire Communication, and Data Redistribution.
5. Check (enable) Customize Secure Server Communication.
6. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This
SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log
Collectors, and Panorama’s HA peers.
7. Select the certificate profile from the Certificate Profile drop-down.
8. Configure an authorization list.

When you configure Secure Communication Settings for Panorama in an
HA configuration, you are required to add the Panorama HA peer to the
authorization list.

1. Click Add under Authorization List.
2. Select the Subject or Subject Alt Name as the Identifier type.
3. Enter the Common Name.
9. (Optional) Verify that the Allow Custom Certificate Only check box is not selected. This
allows you to continue managing all devices while migrating to custom certificates.

When the Allow Custom Certificate Only check box is selected, Panorama does not
authenticate and cannot manage devices using predefined certificates.
10. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait before
breaking and reestablishing the connection with its managed devices. This field is blank
by default and the range is 0 to 44,640 minutes.

The disconnect wait time does not begin counting down until you commit the
new configuration.
11. Click OK.
12. Commit and Commit to Panorama.
13. Repeat this step on the secondary Panorama HA peer.
When you configure Secure Communication Settings on the secondary Panorama HA
peer, add the primary HA peer to the authorization list as described above.

STEP 5 | Upgrade the client-side Panorama to PAN-OS 10.1.

Upgrade Panorama.


Test Panorama HA Failover

To test that your HA configuration works properly, trigger a manual failover and verify that the
peer transitions states successfully.
STEP 1 | Log in to the active Panorama peer.
You can verify the state of the Panorama server in the bottom right corner of the web
interface.

STEP 2 | Suspend the active Panorama peer.

Select Panorama > High Availability, and then click the Suspend local Panorama link in the
Operational Commands section.

STEP 3 | Verify that the passive Panorama peer has taken over as active.
On the Panorama Dashboard, High Availability widget, verify that the state of the Local
passive server is active and the state of the Peer is suspended.

STEP 4 | Restore the suspended peer to a functional state. Wait for a couple of minutes, and then verify
that preemption has occurred, if preemption is enabled.
On the Panorama you previously suspended:
1. Select Panorama > High Availability and, in the Operational Commands section, click
Make local Panorama functional.
2. In the High Availability widget on the Dashboard, confirm that this (Local) Panorama has
taken over as the active peer and that the other peer is now in a passive state.

Switch Priority aer Panorama Failover to Resume NFS Logging


The Panorama virtual appliance in Legacy mode running on an ESXi server can use an NFS
datastore for logging. In an HA configuraon, only the primary Panorama peer is mounted to
the NFS-based log paron and can write to the NFS. When a failover occurs and the passive
Panorama becomes acve, its state becomes acve-secondary. Although a secondary Panorama
peer can acvely manage the firewalls, it cannot receive logs or write to the NFS because it does
not own the NFS paron. When the firewalls cannot forward logs to the primary Panorama peer,
each firewall writes the logs to its local disk. The firewalls maintain a pointer for the last set of log
entries that they forwarded to Panorama so that when the passive-primary Panorama becomes
available again, they can resume forwarding logs to it.
Use the instrucons in this secon to manually switch priority on the acve-secondary Panorama
peer so that it can begin logging to the NFS paron. The typical scenarios in which you might
need to trigger this change are as follows:
• Preempon is disabled. By default, preempon is enabled on Panorama and the primary peer
resumes as acve when it becomes available again. When preempon is disabled, you need to
switch the priority on the secondary peer to primary so that it can mount the NFS paron,
receive logs from the managed firewalls, and write to the NFS paron.
• The acve Panorama fails and cannot recover from the failure in the short term. If you do not
switch the priority, when the maximum log storage capacity on the firewall is reached, the
oldest logs will be overwrien to enable it to connue logging to its local disk. This situaon
can lead to loss of logs.


STEP 1 | Log in to the currently passive-primary Panorama, select Panorama > Setup > Operations
and, in the Device Operations section, click Shutdown Panorama.

STEP 2 | Log in to the active-secondary Panorama, select Panorama > High Availability, edit the
Election Settings, and set the Priority to Primary.

STEP 3 | Click OK to save your changes.

STEP 4 | Select Commit > Commit to Panorama and Commit your changes.
Do not reboot when prompted.

STEP 5 | Log in to the Panorama CLI and enter the following command to change the ownership of the
NFS partition to this peer: request high-availability convert-to-primary

STEP 6 | Select Panorama > Setup > Operations and, in the Device Operations section, click Reboot
Panorama.

STEP 7 | Power on the Panorama peer that you powered off in step 1. This peer will now be in a
passive-secondary state.

Restore the Primary Panorama to the Acve State


By default, the preempve capability on Panorama allows the primary Panorama to resume
funconing as the acve peer as soon as it becomes available. However, if preempon is disabled,
the only way to force the primary Panorama to become acve aer recovering from a failure, a
non-funconal, or a suspended state, is by suspending the secondary Panorama peer.
Before the acve-secondary Panorama goes into a suspended state, it transfers the candidate
configuraon to the passive Panorama so that all your uncommied configuraon changes are
saved and can be accessed on the other peer.
STEP 1 | Suspend Panorama.
1. Log in to the Panorama peer that you want to place in a suspended state.
2. Select Panorama > High Availability, and click the Suspend local Panorama link in the
Operaonal Commands secon.

STEP 2 | Verify that the status indicates that the Panorama was suspended at user request.
On the Dashboard, High Availability widget, verify that the Local state is suspended.
A failover is triggered when you suspend a peer, and the other Panorama takes over as the
acve peer.

STEP 3 | Restore the suspended Panorama to a funconal state.


1. In the Panorama > High Availability tab, Operaonal Commands secon, click the Make
local Panorama funconal link.
2. On the Dashboard, High Availability widget, confirm that the Panorama has transioned
to either the acve or passive state.

Administer Panorama
This secon describes how to administer and maintain the Panorama™ management
server. It includes the following topics:
> Preview, Validate, or Commit > Use the Panorama Task Manager
Configuraon Changes > Manage Storage Quotas and
> Enable Automated Commit Recovery Expiraon Periods for Logs and
> Manage Panorama and Firewall Reports
Configuraon Backups > Monitor Panorama
> Compare Changes in Panorama > Reboot or Shut Down Panorama
Configuraons > Configure Panorama Password
> Manage Locks for Restricng Profiles and Complexity
Configuraon Changes
> Add Custom Logos to Panorama
For instrucons on compleng inial setup, including defining network access sengs,
licensing, upgrading the Panorama soware version, and seng up administrave
access to Panorama, see Set Up Panorama.


Preview, Validate, or Commit Configuraon Changes


You can perform Panorama Commit, Validation, and Preview Operations on pending changes to
the Panorama configuration and then push those changes to the devices that Panorama manages,
including firewalls, Log Collectors, and WildFire appliances and appliance clusters. You can filter
the pending changes by administrator or location and then commit, push, validate, or preview
only those changes. The locations can be specific device groups, templates, Collector Groups, Log
Collectors, shared settings, or the Panorama management server.
Because Panorama pushes its running configuration, you cannot push changes to devices until
you first commit them to Panorama. If the changes are not ready to activate on devices, you can
select Commit > Commit to Panorama to commit the changes to the Panorama configuration
without pushing them to devices. Later, when the changes are ready to activate on devices, you
can select Commit > Push to Devices. If the changes are ready to activate on both Panorama and
the devices, select Commit > Commit and Push as described in the following procedure.
STEP 1 | Configure the scope of configuration changes that you will commit, validate, or preview.
1. Click Commit at the top of the web interface.
2. Select one of the following options:
• Commit All Changes (default)—Applies the commit to all changes for which you have
administrative privileges. You cannot manually filter the commit scope when you
select this option. Instead, the administrator role assigned to the account you used to
log in determines the commit scope.
• Commit Changes Made By—Enables you to filter the commit scope by administrator
or location. The administrative role assigned to the account you used to log in
determines which changes you can filter.

To commit the changes of other administrators, the account you used to log in
must be assigned the Superuser role or an Admin Role profile with the Commit
For Other Admins privilege enabled.
3. (Optional) To filter the commit scope by administrator, select Commit Changes Made By,
click the adjacent link, select the administrators, and click OK.
4. (Optional) To filter by location, select Commit Changes Made By and clear any changes
that you want to exclude from the Commit Scope.

If dependencies between the configuration changes you included and excluded
cause a validation error, perform the commit with all the changes included. For
example, when you commit changes to a device group, you must include the
changes of all administrators who added, deleted, or repositioned rules for the
same rulebase in that device group.

STEP 2 | Preview the changes that the commit will activate.
This can be useful if, for example, you don't remember all your changes and you're not sure you
want to activate all of them.
Panorama compares the configurations you selected in the Commit Scope to the running
configuration. The preview window displays the configurations side-by-side and uses color
coding to indicate which changes are additions (green), modifications (yellow), or deletions
(red).

When you preview changes after you delete and then re-add the same device to
a policy rule, Panorama displays that same device as both deleted in the running
configuration and as added in the candidate configuration. Additionally, the order of
devices in the device target list in the running configuration may then differ from
the candidate configuration and display as a change when you preview changes even
when there aren't any configuration changes.

Preview Changes and select the Lines of Context, which is the number of lines from the
compared configuration files to display before and after the highlighted differences. These
lines help you correlate the preview output to settings in the web interface. Close the preview
window when you finish reviewing the changes.

Because the preview results display in a new window, your browser must allow pop-up
windows. If the preview window does not open, refer to your browser documentation
for the steps to unblock pop-up windows.

STEP 3 | Preview the individual settings for which you are committing changes.
This can be useful if you want to know details about the changes, such as the types of settings
and who changed them.
1. Click Change Summary.
2. (Optional) Group By a column name (such as the Type of setting).
3. Close the Change Summary dialog when you finish reviewing the changes.

STEP 4 | Validate the changes before committing to ensure the commit will succeed.
1. Validate Changes.
The results display all the errors and warnings that an actual commit would display.
2. Resolve any errors that the validation results identify.

STEP 5 | (Optional) Modify the Push Scope.

By default, the Push Scope includes all locations with changes that require a Panorama commit.

If you select Commit > Push to Devices, the push scope includes all locations
associated with devices that are out of sync with the Panorama running configuration.

1. Select No Default Selections to manually select specific devices. By default, Panorama
pushes to the devices affected by the device group and template configuration changes.
2. Edit Selections and select:
• Device Groups—Select device groups or individual firewalls or virtual systems.
• Templates—Select templates, template stacks, or individual firewalls.
• Collector Groups—Select Collector Groups.
3. Click OK to save your changes to the Push Scope.

STEP 6 | Validate the changes you will push to device groups or templates.
1. Validate Device Group Push or Validate Template Push.
The results display all the errors and warnings that an actual push operation would
display.
2. Resolve any errors that the validation results identify.

STEP 7 | Commit your changes to Panorama and push the changes to devices.
Commit and Push the configuration changes.

Use the Panorama Task Manager to see details about commits that are pending
(optionally, you can cancel these), in progress, completed, or failed.

Enable Automated Commit Recovery

To recover from broken configurations caused by configuration changes pushed from the
Panorama™ management server to managed firewalls, or committed locally on the firewall, enable
Automated Commit Recovery so that managed firewalls test the configuration changes of
each commit and verify that the changes did not break the connection between Panorama
and the managed firewall. You can configure the number of tests that each managed firewall
performs and the interval at which each test occurs before the managed firewall automatically
reverts its configuration back to the previous running configuration. When you enable automated
commit recovery, the managed firewall configuration reverts, not the Panorama configuration.
Additionally, the managed firewall tests its connection to Panorama every 60 minutes to ensure
continued communication in the event that an unrelated network configuration change disrupted
connectivity between the firewall and Panorama, or that impacts from a past committed configuration
affected connectivity. For high availability (HA) configurations, HA synchronization between the
HA peers after a push from Panorama occurs only after a connectivity test.
Automated commit recovery is enabled by default. However, if you disabled automated commit
recovery and then want to re-enable this feature in an existing production environment, first verify
that there are no policy rules that will break the connection between Panorama and the managed
firewall. For example, in the event where management traffic traverses the dataplane, it is possible
there is a policy rule that restricts traffic from the firewall to Panorama.
The firewall generates a config log after the firewall configuration successfully reverts to the last
running configuration. Additionally, the firewall generates a system log when the administrator
disables this feature, when a configuration revert event begins due to a connectivity test that fails
after a configuration push, and when the Panorama connectivity test that is performed every 60
minutes fails and causes the firewall configuration to revert.

Enable Automated Commit Recovery independent of any other configuration change.
If enabled alongside any other configuration changes that result in a connection break
between Panorama and managed firewalls, the firewall configuration cannot automatically
revert.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Select Device > Setup > Management and select the desired Template or Template Stack
from the Template context drop-down.

STEP 3 | Enable automated commit recovery.

1. Edit the Panorama Settings.
2. Enable automated commit recovery.
3. Configure the Number of attempts to check for Panorama connectivity (default is 1
attempt).
4. Configure the Interval between retries (default is 10 seconds).
5. Click OK to save your changes.

STEP 4 | Select Commit > Commit and Push and Commit and Push your changes.

STEP 5 | Verify that the automated commit recovery feature is enabled on your managed firewalls.
1. Launch the Firewall Web Interface.
2. Select Device > Setup > Management and, in the Panorama Settings, verify that Enable
automated commit recovery is enabled (checked).
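The test-then-revert behaviour described above, as an added example that is not PAN-OS or Panorama code: a simulation in which a managed firewall activates a commit, probes Panorama connectivity up to the configured Number of attempts spaced Interval seconds apart, and reverts to its previous running configuration (writing the config and system log entries the guide mentions) if every probe fails. The probe and sleep functions are injected, `flaky_probe` is a constructed stand-in, and the assumption that a revert restores exactly the previous running configuration is the simulation's own.

```python
from dataclasses import dataclass, field
from typing import Callable, List

Probe = Callable[[], bool]        # returns True when Panorama answers the connectivity test
Sleep = Callable[[float], None]   # injected so the simulation does not really wait


@dataclass
class RecoverySettings:
    enabled: bool = True           # automated commit recovery is on by default
    attempts: int = 1              # "Number of attempts to check for Panorama connectivity"
    interval_seconds: int = 10     # "Interval between retries"


@dataclass
class ManagedFirewall:
    running_config: str
    settings: RecoverySettings = field(default_factory=RecoverySettings)
    previous_config: str = ""                          # what a revert restores (assumption)
    config_logs: List[str] = field(default_factory=list)
    system_logs: List[str] = field(default_factory=list)

    def panorama_reachable(self, probe: Probe, sleep: Sleep) -> bool:
        """Run up to `attempts` tests, `interval_seconds` apart; stop at the first success."""
        for n in range(1, self.settings.attempts + 1):
            if probe():
                return True
            if n < self.settings.attempts:
                sleep(self.settings.interval_seconds)
        return False

    def revert(self, reason: str) -> None:
        """Restore the previous running configuration on this firewall only;
        the Panorama configuration is left untouched."""
        self.system_logs.append(f"revert started: {reason}")
        self.running_config = self.previous_config
        self.config_logs.append("configuration reverted to the last running configuration")

    def commit(self, candidate: str, probe: Probe, sleep: Sleep = lambda s: None) -> str:
        """Activate a pushed or local commit, then test connectivity to Panorama.

        Returns "committed", "reverted", or "broken" (recovery disabled and the
        link lost, so the firewall stays on the broken configuration).
        """
        self.previous_config, self.running_config = self.running_config, candidate
        if self.panorama_reachable(probe, sleep):
            return "committed"
        if not self.settings.enabled:
            return "broken"
        self.revert("connectivity test failed after configuration push")
        return "reverted"

    def hourly_check(self, probe: Probe) -> str:
        """The connectivity test the firewall repeats every 60 minutes."""
        if probe():
            return "ok"
        if not self.settings.enabled:
            return "broken"
        self.revert("60-minute Panorama connectivity test failed")
        return "reverted"

    def disable(self) -> None:
        """Disabling the feature is itself recorded in the system log."""
        self.settings.enabled = False
        self.system_logs.append("automated commit recovery disabled by administrator")


def flaky_probe(results: List[bool]) -> Probe:
    """Constructed probe: returns the scripted results in order, then True."""
    queue = list(results)
    return lambda: queue.pop(0) if queue else True


if __name__ == "__main__":
    fw = ManagedFirewall("running-v1", RecoverySettings(attempts=3))
    print(fw.commit("candidate-v2", flaky_probe([False, False, True])))   # committed on 3rd try
    fw2 = ManagedFirewall("running-v1")
    print(fw2.commit("candidate-bad", flaky_probe([False])), fw2.running_config)  # reverted
```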

Manage Panorama and Firewall Configuration Backups

The running configuration on Panorama comprises all the settings that you have committed and
that are therefore active. The candidate configuration is a copy of the running configuration plus
any inactive changes that you made since the last commit. Saving backup versions of the running
or candidate configuration enables you to later restore those versions. For example, if a commit
validation shows that the current candidate configuration has more errors than you want to fix,
you can restore a previous candidate configuration. You can also revert to the current running
configuration without saving a backup first.

See Panorama Commit, Validation, and Preview Operations for more information on
committing configuration changes to Panorama and pushing the changes to managed
devices.

After a commit on a local firewall that runs PAN-OS 5.0 or later, a backup of its running
configuration is sent to Panorama. Any commit performed on the local firewall triggers the backup,
including commits that an administrator performs locally on the firewall and automatic commits that
PAN-OS initiates (such as an FQDN refresh). By default, Panorama stores up to 100 backups for
each firewall, though this is configurable. To store Panorama and firewall configuration backups
on an external host, you can schedule exports from Panorama or export on demand. You can also
import configurations from firewalls into Panorama device groups and templates to Transition a
Firewall to Panorama Management.
(VMware ESXi and vCloud Air only) VMware snapshot functionality is not supported for a
Panorama virtual appliance deployed on VMware ESXi or vCloud Air. Taking snapshots of a
Panorama virtual appliance can impact performance, result in intermittent and inconsistent packet
loss, and cause Panorama to become unresponsive. Additionally, you may lose access to the
Panorama CLI and web interface, and switching to Panorama mode is not supported. Instead, save
and export your named configuration snapshot to any network location.
• Schedule Export of Configuration Files
• Save and Export Panorama and Firewall Configurations
• Revert Panorama Configuration Changes
• Configure the Maximum Number of Configuration Backups on Panorama
• Load a Configuration Backup on a Managed Firewall

Schedule Export of Configuration Files

Panorama saves a backup of its running configuration as well as the running configurations of
all managed firewalls. The backups are in XML format with file names that are based on serial
numbers (of Panorama or the firewalls). Use these instructions to schedule daily exports of
the backups to a remote host. Panorama exports the backups as a single gzip file. You require
superuser privileges to schedule the export.

If Panorama has a high availability (HA) configuration, you must perform these instructions
on each peer to ensure the scheduled exports continue after a failover. Panorama does not
synchronize scheduled configuration exports between HA peers.
To export backups on demand, see Save and Export Panorama and Firewall
Configurations.

STEP 1 | Select Panorama > Scheduled Config Export and click Add.

STEP 2 | Enter a Name and Description for the scheduled file export and Enable it.

STEP 3 | Using the 24-hour clock format, enter a daily Scheduled Export Start Time or select one from
the drop-down.

If you are configuring a scheduled export to two or more servers, stagger the start time
of the scheduled exports. Scheduling multiple exports at the same start time results in
discrepancies between the exported configurations.

STEP 4 | Set the export Protocol to Secure Copy (SCP) or File Transfer Protocol (FTP).

Exports to devices running Windows support only FTP.

STEP 5 | Enter the details for accessing the server, including: Hostname or IP address, Port, Path for
uploading the file, Username, and Password.
The Path supports the following characters: . (period), +, { and }, /, -, _, 0-9, a-z, and A-Z.
Spaces are not supported in the file Path.

If you are exporting to an FTP server using an IPv6 address as the Hostname,
you must enter the address enclosed in square brackets ([ ]). For example,
[2001:0db8:0000:0000:0000:8a2e:0370:7334].
If you are exporting to a BSD server, you will need to modify the SSHD password
prompt to <username>@<hostname> <password>: .

STEP 6 | (SCP only) Click Test SCP server connection. To enable the secure transfer of data, you must
verify and accept the host key of the SCP server. Panorama doesn't establish the connection
until you accept the host key. If Panorama has an HA configuration, perform this step on
each HA peer so that each one accepts the host key of the SCP server. If Panorama can
successfully connect to the SCP server, it creates and uploads the test file named
ssh-export-test.txt.

STEP 7 | Click OK to save your changes.

STEP 8 | Select Commit > Commit to Panorama and Commit your changes.
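Two checks a practitioner might script around this procedure, as an added example that is not Panorama code: a pre-flight validation of the export settings against the rules stated above (protocol, FTP only for Windows targets, the Path character set, a bracketed IPv6 Hostname for FTP), and a sanity check of the bundle once it lands on the export host. The bundle is assumed to be a gzip-compressed tar archive with one <serial>.xml member per device; the guide says only that it is a single gzip file with serial-number file names, so `build_sample_bundle` constructs test data in that assumed layout.

```python
import io
import ipaddress
import re
import tarfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Characters the guide lists as supported in the upload Path: . + { } / - _ 0-9 a-z A-Z
PATH_RE = re.compile(r"^[.+{}/_\-0-9A-Za-z]+$")


def check_export_settings(protocol: str, hostname: str, path: str,
                          windows_target: bool = False) -> List[str]:
    """Return the problems with a Scheduled Config Export; an empty list means it looks valid."""
    problems: List[str] = []
    proto = protocol.upper()
    if proto not in ("SCP", "FTP"):
        problems.append(f"unsupported protocol {protocol!r}; use SCP or FTP")
    if windows_target and proto != "FTP":
        problems.append("export to a Windows host supports only FTP")
    if " " in path:
        problems.append("spaces are not supported in the file Path")
    elif not PATH_RE.match(path):
        problems.append("Path may contain only . + { } / - _ 0-9 a-z A-Z")
    # An IPv6 literal used as the FTP Hostname must be written inside square brackets.
    bracketed = hostname.startswith("[") and hostname.endswith("]")
    literal = hostname[1:-1] if bracketed else hostname
    try:
        version = ipaddress.ip_address(literal).version
    except ValueError:
        version = None                       # a DNS name, not an IP literal
    if proto == "FTP" and version == 6 and not bracketed:
        problems.append("IPv6 Hostname must be enclosed in square brackets, e.g. [2001:db8::1]")
    return problems


def build_sample_bundle(configs: Dict[str, str]) -> bytes:
    """Constructed test data: pack {serial: xml_text} into a gzip-compressed tar
    archive with one <serial>.xml member each (the assumed bundle layout)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for serial, xml_text in configs.items():
            payload = xml_text.encode()
            info = tarfile.TarInfo(name=f"{serial}.xml")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def verify_bundle(bundle: bytes, expected_serials: List[str]) -> Dict[str, str]:
    """Map each expected serial to "ok", "missing" or "malformed xml".

    A member for a serial you did not expect is reported as "unexpected", so a
    device added to or removed from Panorama shows up in the backup check.
    """
    status = {serial: "missing" for serial in expected_serials}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.rsplit("/", 1)[-1]
            serial = name[:-4] if name.endswith(".xml") else name
            if serial not in status:
                status[serial] = "unexpected"
                continue
            try:
                ET.fromstring(tar.extractfile(member).read())
                status[serial] = "ok"
            except ET.ParseError:
                status[serial] = "malformed xml"
    return status


if __name__ == "__main__":
    print(check_export_settings("FTP", "2001:db8::1", "/panorama backups"))
    sample = build_sample_bundle({"PA-SERIAL-1": "<config><shared/></config>"})
    print(verify_bundle(sample, ["PA-SERIAL-1", "PA-SERIAL-2"]))
```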

Save and Export Panorama and Firewall Configurations

Saving a backup of the candidate configuration to persistent storage on Panorama enables
you to later restore that backup (see Revert Panorama Configuration Changes). Additionally,
Panorama allows you to save and export the device group, template, and template stack
configurations that you specify. This is useful for preserving changes that would otherwise be lost
if a system event or administrator action causes Panorama to reboot. After rebooting, Panorama
automatically reverts to the current version of the running configuration, which Panorama stores
in a file named running-config.xml. Saving backups is also useful if you want to revert to
a Panorama configuration that is earlier than the current running configuration. Panorama does
not automatically save the candidate configuration to persistent storage. You must manually save
the candidate configuration as a default snapshot file (.snapshot.xml) or as a custom-named
snapshot file. Panorama stores the snapshot file locally but you can export it to an external host.

You don't have to save a configuration backup to revert the changes made since the
last commit or reboot; just select Config > Revert Changes (see Revert Panorama
Configuration Changes).
Palo Alto Networks recommends that you back up any important configurations to an
external host.

STEP 1 | Save changes to the candidate configuration.

• To overwrite the default snapshot file (.snapshot.xml) with all the changes that all
administrators made, perform one of the following steps:
• Select Panorama > Setup > Operations and Save candidate Panorama configuration.
• Log in to Panorama with an administrative account that is assigned the Superuser role
or an Admin Role profile with the Save For Other Admins privilege enabled. Then select

Config > Save Changes at the top of the web interface, select Save All Changes and
Save.
• To overwrite the default snapshot (.snapshot.xml) with changes made by administrators
to specific device group, template, or template stack configurations:
1. Select Panorama > Setup > Operations, Save candidate Panorama configuration, and
Select Device Group & Templates.
2. Select the specific device groups, templates, or template stacks to save.
3. Click OK to confirm the operation.
4. (Optional) Select Commit > Commit to Panorama and Commit your changes to overwrite
the running configuration with the snapshot.
• To create a snapshot that includes all the changes that all administrators made but without
overwriting the default snapshot file:
1. Select Panorama > Setup > Operations and Save named Panorama configuration
snapshot.
2. Specify the Name of a new or existing configuration file.
3. Click OK and Close.
• To save only specific changes to the candidate configuration without overwriting any part of
the default snapshot file:
1. Log in to Panorama with an administrative account that has the role privileges required to
save the desired changes.
2. Select Config > Save Changes at the top of the web interface.
3. Select Save Changes Made By.
4. To filter the Save Scope by administrator, click <administrator-name>, select the
administrators, and click OK.
5. To filter the Save Scope by location, clear any locations that you want to exclude. The
locations can be specific device groups, templates, Collector Groups, Log Collectors,
shared settings, or the Panorama management server.
6. Click Save, specify the Name of a new or existing configuration file, and click OK.
• To save a specific device group, template, or template stack configuration:
1. Select Panorama > Setup > Operations, Save named Panorama configuration snapshot,
and Select Device Group & Templates.
2. Select the specific device groups, templates, or template stacks to save.
3. Click OK to confirm the operation.

STEP 2 | Export a candidate or running configuration to a host external to Panorama or to a firewall.

You can schedule daily exports to an SCP or FTP server (see Schedule Export of Configuration
Files) or export configurations on demand. To export on demand, select Panorama > Setup >
Operations and select one of the following options:
• Export named Panorama configuration snapshot—Export the current running configuration,
a named candidate configuration snapshot, or a previously imported configuration
(candidate or running). Panorama exports the configuration as an XML file with the Name
you specify. Select Device Group & Templates to specify the device group, template, or
template stack configurations to export.
• Export Panorama configuration version—Select a Version of the running configuration
to export as an XML file. Select Device Group & Templates to specify the device group,
template, or template stack configurations to export as an XML file.
• Export Panorama and devices config bundle—Generate and export the latest version of the
running configuration backup of Panorama and of each managed firewall. To automate the
process of creating and exporting the configuration bundle daily to a Secure Copy (SCP) or
FTP server, see Schedule Export of Configuration Files.
• Export or push device config bundle—After you import a firewall configuration
into Panorama, Panorama creates a firewall configuration bundle named
<firewall_name>_import.tgz, in which all local policies and objects are removed. You can
then Export or push device config bundle to perform one of the following actions:
• Push & Commit the configuration bundle to the firewall to remove any local
configuration from it, enabling you to manage the firewall from Panorama.
• Export the configuration to the firewall without loading it. When you are ready to load
the configuration, log in to the firewall CLI and run the configuration mode command
load device-state. This command cleans the firewall in the same way as the Push &
Commit option.

The full procedure to Transition a Firewall to Panorama Management requires
additional steps.

Revert Panorama Configuration Changes

When you revert changes, you are replacing settings in the current candidate configuration with
settings from another configuration. Reverting changes is useful when you want to undo changes
to multiple settings as a single operation instead of manually reconfiguring each setting.
You can revert pending changes that were made to the Panorama configuration since the last
commit. You can revert all pending changes on Panorama or select specific device groups,
templates, or template stacks. Panorama provides the option to filter the pending changes by
administrator or location. The locations can be specific device groups, templates, Collector
Groups, Log Collectors, shared settings, or the Panorama management server. If you saved a
snapshot file for a candidate configuration that is earlier than the current running configuration
(see Save and Export Panorama and Firewall Configurations), you can also revert to that candidate
configuration snapshot. Reverting to a snapshot enables you to restore a candidate configuration
that existed before the last commit. Panorama automatically saves a new version of the running
configuration whenever you commit changes, and you can restore any of those versions.
Reverting a Panorama management server configuration requires a full commit and must
be performed by a superuser. Full commits are required when performing certain Panorama
operations, such as reverting and loading a Panorama configuration, and are not supported for
custom Admin Role profiles.

Revert to the current Panorama running configuration (file named running-config.xml).

This operation undoes changes you made to the candidate configuration since the last commit.
• To revert all the changes that all administrators made, perform one of the following steps:
• Select Panorama > Setup > Operations, Revert to running Panorama configuration, and
click Yes to confirm the operation.
• Log in to Panorama with an administrative account that is assigned the Superuser role or
an Admin Role profile with the Commit For Other Admins privilege enabled. Then select
Config > Revert Changes, select Revert All Changes, and Revert.
• To revert only specific changes to the candidate configuration:
1. Log in to Panorama with an administrative account that has the role privileges required to
revert the desired changes.

The privileges that control commit operations also control revert operations.

2. Select Config > Revert Changes.
3. Select Revert Changes Made By.
4. To filter the Revert Scope by administrator, click <administrator-name>, select the
administrators, and click OK.
5. To filter the Revert Scope by location, clear any locations that you want to exclude.
6. Revert the changes.
• To revert specific device group, template, or template stack changes to the running
configuration:
1. Select Panorama > Setup > Operations, Revert to running Panorama configuration, and
Select Device Group & Templates.
2. Select the specific device groups, templates, or template stacks to revert.
3. Click OK to confirm the operation.
4. (Optional) Select Commit > Commit to Panorama and Commit your changes to overwrite
the running configuration.

Revert to the default snapshot (.snapshot.xml) of the Panorama candidate configuration.

• To revert all the changes that all administrators made:
1. Select Panorama > Setup > Operations and Revert to last saved Panorama
configuration.
2. Click Yes to confirm the operation.
3. (Optional) Select Commit > Commit to Panorama and Commit your changes to overwrite
the running configuration with the snapshot.
• To revert specific device group, template, or template stack changes to the running
configuration:
1. Select Panorama > Setup > Operations, Revert to last saved Panorama configuration,
and Select Device Group & Templates.
2. Select the specific device groups, templates, or template stacks to revert.
3. Click OK to confirm the operation.
4. (Optional) To overwrite the running configuration with the snapshot, select Commit >
Commit to Panorama and Commit your changes.

Revert to a previous version of the running configuration that is stored on Panorama.

• To revert all changes that administrators made:
1. Select Panorama > Setup > Operations, Load Panorama configuration version, and
Select Device Group & Templates.
2. Select a configuration Version and click OK.
3. (Optional) To overwrite the running configuration with the version you just restored,
select Commit > Commit to Panorama and Commit your changes.
• To revert specific device group, template, or template stack changes to the running
configuration:
1. Select Panorama > Setup > Operations, Load Panorama configuration version, and
select a configuration version Name.
2. Select Device Group & Templates and select the specific device groups, templates, or
template stacks to revert.
3. Click OK to confirm the operation.
4. (Optional) To overwrite the running configuration with the snapshot, select Commit >
Commit to Panorama and Commit your changes.

Revert to one of the following:
• Custom-named version of the Panorama running configuration that you previously
imported.
• Custom-named Panorama candidate configuration snapshot (instead of the default
snapshot).
1. Select Panorama > Setup > Operations, Load named Panorama configuration snapshot,
and select the Name of the configuration file you just imported.
2. (Optional) Load Shared Objects or Load Shared Policies to load all shared objects or
policies. You can load all shared objects and policies, as well as all objects and
policies configured in the device groups and templates you specify in the next step.
3. (Optional) Select Device Group & Templates, and select the specific device group,
template, or template stack configurations to load. Skip this step if you want to revert the
entire Panorama configuration.
4. Click OK to confirm the operation.
5. (Optional) To overwrite the running configuration with the snapshot, select Commit >
Commit to Panorama and Commit your changes.

Restore a Panorama running or candidate configuration that you previously exported to an
external host.
1. Select Panorama > Setup > Operations, Import named Panorama configuration
snapshot, Browse to the configuration file on the external host, and click OK.
2. Load named Panorama configuration snapshot and select the Name of the configuration
file you just imported.
3. (Optional) Load Shared Objects or Load Shared Policies to load all shared objects or
policies. You can load all shared objects and policies, as well as all objects and
policies configured in the device groups and templates you specify in the next step.
4. (Optional) Select Device Group & Templates and select the specific device group,
template, or template stack configurations to load. Skip this step if you want to revert the
entire Panorama configuration.
5. Click OK to confirm the operation.
6. (Optional) To overwrite the running configuration with the snapshot you just imported,
select Commit > Commit to Panorama and Commit your changes.

Configure the Maximum Number of Configuration Backups on Panorama

STEP 1 | Select Panorama > Setup > Management and edit the Logging and Reporting Settings.

STEP 2 | Select Log Export and Reporting and enter the Number of Versions for Config Backups
(default is 100; range is 1 to 1,048,576).

STEP 3 | Click OK to save your changes.

STEP 4 | Select Commit > Commit to Panorama and Commit your changes.

Load a Configuration Backup on a Managed Firewall

Use Panorama to load a configuration backup on a managed firewall. You can choose to revert
to a previously saved or committed configuration on the firewall. Panorama pushes the selected
version to the managed firewall, thereby overwriting the current candidate configuration on the
firewall.
STEP 1 | Select Panorama > Managed Devices > Summary.

STEP 2 | Select Manage in the Backups column.

STEP 3 | Select from the Saved Configurations or Committed Configurations.
• Click a version number to view the contents of that version.
• Load a configuration version.

STEP 4 | Log in to the firewall web interface and Commit your changes.

Compare Changes in Panorama Configurations

To compare configuration changes on Panorama, you can select any two sets of configuration files:
the candidate configuration, the running configuration, or any other configuration version that has
been previously saved or committed on Panorama. The side-by-side comparison enables you to:
• Preview the configuration changes before committing them to Panorama. You can, for example,
preview the changes between the candidate configuration and the running configuration. As a
best practice, select the older version in the left pane and the newer version in the right pane,
to easily compare and identify modifications.
• Perform a configuration audit to review and compare the changes between two sets of
configuration files.

Device Group and Template admins can only compare configurations for device groups and
templates within their access domains.

Compare changes in Panorama configurations.
1. Select Panorama > Config Audit.
2. In each drop-down, select a configuration for the comparison.
3. Select the number of lines that you want to include for Context and click Go.
Panorama uses color shading to highlight items you added (green), modified (yellow), or
deleted (red).

Configure the number of versions Panorama stores for configuration audits.
1. Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
2. Enter the Number of Versions for Config Audit (range is 1–1,048,576; default is 100).
3. Click OK to save your changes.
4. Select Commit > Commit to Panorama and Commit your changes.

View and compare Panorama configuration files before committing.
1. Select Commit > Commit to Panorama and Preview Changes.
2. Select the number of Lines of Context you want to see, and click OK.
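How the side-by-side comparison used by both Preview Changes and Config Audit classifies lines, as an added example that is not Panorama code: `audit` compares two configuration texts with a chosen number of Lines of Context and labels each hunk added, deleted or modified (the green, yellow and red shading), and `render` prints the older version on the left and the newer on the right. RUNNING_CONFIG and CANDIDATE_CONFIG are constructed samples; as with any line-oriented diff, an edited line adjacent to an inserted line is reported as a single modified hunk.

```python
import difflib
from typing import Dict, List, Tuple

Hunk = Tuple[str, List[str], List[str]]   # (kind, lines from the older config, lines from the newer)


def audit(older: str, newer: str, context: int = 2) -> List[Hunk]:
    """Line-by-line comparison of two configuration texts, older on the left.

    kind is "added" (green), "deleted" (red), "modified" (yellow), or "context"
    for the unchanged lines kept around a difference; `context` plays the role
    of the Lines of Context setting. Identical inputs yield an empty list.
    """
    a, b = older.splitlines(), newer.splitlines()
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    hunks: List[Hunk] = []
    for group in matcher.get_grouped_opcodes(n=context):
        for tag, i1, i2, j1, j2 in group:
            if tag == "equal":
                hunks.append(("context", a[i1:i2], b[j1:j2]))
            elif tag == "insert":
                hunks.append(("added", [], b[j1:j2]))
            elif tag == "delete":
                hunks.append(("deleted", a[i1:i2], []))
            else:                                    # "replace"
                hunks.append(("modified", a[i1:i2], b[j1:j2]))
    return hunks


def summary(hunks: List[Hunk]) -> Dict[str, int]:
    """Count the changed hunks by kind, ignoring context."""
    counts = {"added": 0, "deleted": 0, "modified": 0}
    for kind, _, _ in hunks:
        if kind in counts:
            counts[kind] += 1
    return counts


def render(hunks: List[Hunk], width: int = 58) -> str:
    """Plain-text side-by-side view; the marker column stands in for the colour shading."""
    marker = {"context": " ", "added": "+", "deleted": "-", "modified": "~"}
    rows = []
    for kind, left, right in hunks:
        for i in range(max(len(left), len(right))):
            l = left[i] if i < len(left) else ""
            r = right[i] if i < len(right) else ""
            rows.append(f"{marker[kind]} {l:<{width}}| {r}")
    return "\n".join(rows)


# Constructed sample: a running configuration and a candidate that deletes one
# rule, adds another, and changes the action of a third.
RUNNING_CONFIG = """<config>
  <rulebase>
    <security>
      <rules>
        <entry name="allow-web"><action>allow</action></entry>
        <entry name="allow-dns"><action>allow</action></entry>
        <entry name="deny-all"><action>deny</action></entry>
      </rules>
    </security>
  </rulebase>
</config>"""

CANDIDATE_CONFIG = RUNNING_CONFIG.replace(
    '        <entry name="allow-web"><action>allow</action></entry>\n', ""
).replace(
    '<entry name="deny-all"><action>deny</action></entry>',
    '<entry name="allow-ssh"><action>allow</action></entry>\n'
    '        <entry name="deny-all"><action>drop</action></entry>',
)

if __name__ == "__main__":
    print(render(audit(RUNNING_CONFIG, CANDIDATE_CONFIG, context=1)))
```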

Manage Locks for Restricting Configuration Changes

Locking the candidate or running configuration prevents other administrators from changing the
configuration until you manually remove the lock or Panorama removes it automatically (after a
commit). Locks ensure that administrators don't make conflicting changes to the same settings or
interdependent settings during concurrent login sessions.

If you are changing settings that are unrelated to the settings other administrators are
changing in concurrent sessions, you don't need configuration locks to prevent commit
conflicts. Panorama queues commit operations and performs them in the order that
administrators initiate the commits. For details, see Panorama Commit, Validation, and
Preview Operations.
A template or device group configuration push will fail if a firewall assigned to the template
or device group has a commit or config lock that an administrator set locally on that
firewall.

View details about current locks.
For example, you can check whether other administrators have set locks and read comments
they entered to explain the locks.
Click the locked padlock at the top of the web interface. The adjacent number indicates
the number of current locks.

Lock a configuration.
Read-only administrators who cannot modify firewall or Panorama configurations cannot set
locks.
1. Click the padlock icon at the top of the web interface.
The icon varies based on whether existing locks are or are not set.
2. Take a Lock and select the lock Type:
• Config—Blocks other administrators from changing the candidate configuration.

A custom role administrator who cannot commit changes can set a Config lock
and save the changes to the candidate configuration. However, because that
administrator cannot commit the changes, Panorama does not automatically
release the lock after a commit; the administrator must manually remove the
Config lock after making the required changes.

• Commit—Blocks other administrators from changing the running configuration.
3. Select the Location to determine the scope of the lock:
• Shared—Restricts changes to the entire Panorama configuration, including all device
groups and templates.
• Template—Restricts changes to the firewalls included in the selected template. (You
can't take a lock for a template stack, only for individual templates within the stack.)
• Device group—Restricts changes to the selected device group but not its descendant
device groups.
4. (Optional) As a best practice, enter a Comment to describe your reason for setting the
lock.
5. Click OK and Close.

Unlock a configuration.
Only a superuser or the administrator who locked the configuration can manually unlock it.
However, Panorama automatically removes a lock after completing the commit operation that
the administrator who set the lock initiated.
1. Click the locked padlock at the top of the web interface.
2. Select the lock entry in the list.
3. Click Remove Lock, OK, and Close.

Configure Panorama to automatically lock the running configuration when you change the
candidate configuration. This setting applies to all Panorama administrators.
1. Select Panorama > Setup > Management and edit the General Settings.
2. Select Automatically Acquire Commit Lock and click OK.
3. Select Commit > Commit to Panorama and Commit your changes.


Add Custom Logos to Panorama

You can upload image files to customize the following areas on Panorama:
• Background image on the login screen
• Header on the top left corner of the web interface; you can also hide the Panorama default
background
• Title page and footer image in PDF reports
Supported image types include .jpg, .gif, and .png. Image files for use in PDF reports cannot
contain an alpha channel. The size of the image must be less than 128 Kilobytes (131,072
bytes); the recommended dimensions are displayed on screen. If the dimension is larger than the
recommended size, the image will be automatically cropped.
STEP 1 | Select Panorama > Setup > Operations.

STEP 2 | In the Miscellaneous section, click Custom Logos.

STEP 3 | Click the Upload logo icon and select an image for any of the following options: the login
screen, the left corner of the main user interface, the PDF report title page and the PDF
report footer.

STEP 4 | Click Open to add the image. To preview the image, click the preview logo icon.

STEP 5 | (Optional) To clear the green background header on the Panorama web interface, select the
check box for Remove Panorama background header.

STEP 6 | Click Close to save your changes.

STEP 7 | Select Commit > Commit to Panorama and Commit your changes.
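The script below is an added example, not part of the guide or of any Palo Alto Networks tool. It pre-checks an image file against the constraints stated above before an administrator uploads it: a supported type (by magic bytes), a size under 131,072 bytes, and, for PDF report images, no alpha channel. It assumes that a PNG with colour type 4 or 6, or one carrying a tRNS chunk, counts as having an alpha channel; the make_png helper builds a constructed sample file for the demonstration.

```python
import struct
import zlib

MAX_LOGO_BYTES = 131072          # guide: image must be less than 128 Kilobytes (131,072 bytes)
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def detect_format(data: bytes):
    """Identify the image type from its magic bytes; None if not .jpg, .gif, or .png."""
    if data.startswith(PNG_SIG):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    return None


def png_chunks(data: bytes):
    """Yield (type, body) for each chunk of a PNG until IEND."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length              # 4-byte length + 4-byte type + body + 4-byte CRC
        if ctype == b"IEND":
            break


def png_has_alpha(data: bytes) -> bool:
    """True if the PNG declares an alpha channel (colour type 4 or 6).
    Treating a tRNS (colour-key/palette transparency) chunk the same way is an
    assumption of this example; the guide only says 'alpha channel'."""
    for ctype, body in png_chunks(data):
        if ctype == b"IHDR" and body[9] in (4, 6):
            return True
        if ctype == b"tRNS":
            return True
    return False


def check_logo(data: bytes, for_pdf_report: bool = False):
    """Return the list of reasons the image would be rejected; an empty list means it passes."""
    problems = []
    fmt = detect_format(data)
    if fmt is None:
        problems.append("unsupported type (expected .jpg, .gif, or .png)")
    if len(data) >= MAX_LOGO_BYTES:
        problems.append(f"file is {len(data)} bytes; must be less than {MAX_LOGO_BYTES}")
    if for_pdf_report and fmt == "png" and png_has_alpha(data):
        problems.append("PDF report images cannot contain an alpha channel")
    return problems


def make_png(width: int, height: int, colour_type: int) -> bytes:
    """Constructed sample input: a minimal valid PNG of one flat colour."""
    channels = {0: 1, 2: 3, 4: 2, 6: 4}[colour_type]

    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, colour_type, 0, 0, 0)
    raw_rows = (b"\x00" + b"\x80" * (width * channels)) * height   # filter byte 0 per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw_rows)) + chunk(b"IEND", b"")


if __name__ == "__main__":
    for name, img in (("rgb", make_png(8, 8, 2)), ("rgba", make_png(8, 8, 6))):
        print(name, "login screen:", check_logo(img) or "ok",
              "| PDF report:", check_logo(img, for_pdf_report=True) or "ok")
```

Run check_logo on the real file before the upload; an RGBA PNG passes for the login screen or header but is reported for the PDF report slots, which is the distinction the guide draws.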


Use the Panorama Task Manager

Click Tasks ( ) at the bottom of the web interface to open the Task Manager, which displays
details about all the operations that administrators initiated (for example, manual commits) or that
Panorama or a managed firewall initiated (for example, scheduled report generation) since the
last Panorama or firewall reboot. You can use the Task Manager to troubleshoot failed operations,
investigate warnings associated with completed commits, or cancel pending commits.

Device Group and Template admins can only view tasks within their access
domains.

STEP 1 | Click Tasks.

STEP 2 | Show the Running (in progress) tasks or All tasks (the default), optionally filter by type
(Reports; Log Requests; or commit, download, and installation Jobs), and select Panorama
(default) or the firewall for which you want to see the tasks.

STEP 3 | Perform any of the following actions:

• Display or hide task details—By default, the Task Manager displays the Type, Status, Start
Time, and Messages for each task. To see the End Time and Job ID for a task, you must
manually display those columns. To display or hide a column, open the drop-down in any
column header, select Columns, and select or clear the columns as desired.
• Investigate warnings or failures—Read the entries in the Messages column for task details.
If the column says Too many messages, click the entry in the Type column to see more
information.
• Display a commit description—If an administrator entered a description for a commit, click
Commit Description in the Messages column to display it.
• Check the position of a commit in the queue—The Messages column indicates the queue
position of commits that are in progress.
• Cancel pending commits—Clear Commit Queue to cancel all pending commits (available
only to predefined administrative roles). To cancel an individual commit, click x in the Action
column (the commit remains in the queue until Panorama dequeues it). You cannot cancel
commits that are in progress.


Manage Storage Quotas and Expiration Periods for Logs and Reports

• Log and Report Storage
• Log and Report Expiration Periods
• Configure Storage Quotas and Expiration Periods for Logs and Reports
• Configure the Run Time for Panorama Reports

Log and Report Storage

You can edit the default storage quotas for each log type. When a log quota reaches the maximum
size, Panorama starts overwriting the oldest log entries with the new log entries. The storage
capacity for reports is not configurable. The log storage locations and report storage capacities
vary by Panorama model:
• Panorama virtual appliance in Panorama mode—The storage space for reports is 200MB. The
appliance uses its virtual system disk to store the System and Config logs that Panorama and
Log Collectors generate. The virtual system disk also stores the Application Statistics (App
Stats) logs that Panorama automatically receives at 15-minute intervals from all managed
firewalls. Panorama stores all other log types to its virtual logging disks (1 to 12).
• Panorama virtual appliance in Management Only mode—The storage space for reports is
500MB. The appliance uses its virtual system disk to store the System and Config logs that
Panorama and Log Collectors generate. The virtual system disk also stores the Application
Statistics (App Stats) logs that Panorama automatically receives at 15-minute intervals from
all managed firewalls. You must Configure a Managed Collector to forward logs from managed
firewalls because Panorama in Management Only mode cannot store any other log type.
• Panorama virtual appliance in Legacy mode—The storage space for reports is 200MB for
Panorama 8.0 or earlier releases and 500MB for Panorama 8.0.1 and later releases. Panorama
writes all logs to its assigned storage space, which can be any one of the following:
• Virtual system disk—By default, approximately 11GB is allocated for log storage on the
virtual system disk that you created when installing Panorama. If you add a virtual logging
disk or NFS partition, Panorama still uses the system disk to store the System and Config
logs that Panorama and Log Collectors generate and to store the App Stats logs collected
from firewalls.
• Dedicated virtual logging disk—Stores all log types except those that reside on the system
disk.
• NFS partition—This option is available only to Panorama running on a VMware ESXi server.
The NFS partition stores all log types except those that reside on the system disk.
• M-600, M-500, or M-200 appliance—The storage space for reports is 500MB for Panorama
6.1 or later releases and 200MB for earlier releases. The M-Series appliances use their internal
SSD to store the Config logs and System logs that Panorama and Log Collectors generate and
to store the App Stats logs collected from firewalls. Panorama saves all other log types to its
RAID-enabled disks. The RAID disks are either local to the M-Series appliance in Panorama
mode or are in a Dedicated Log Collector (M-Series appliance in Log Collector mode). You edit
the log storage quotas on the RAID disks when you Configure a Collector Group.

For details on the log storage options and capacities, see Panorama Models. You can
Expand Log Storage Capacity on the Panorama Virtual Appliance by adding virtual
logging disks or NFS storage. You can Increase Storage on the M-Series Appliance by
adding RAID drives or by upgrading from 1TB drives to 2TB drives.

Log and Report Expiration Periods

You can configure automatic deletion based on time for the logs that the Panorama management
server and Log Collectors collect from firewalls, as well as the logs and reports that Panorama
and the Log Collectors generate locally. This is useful in deployments where periodically deleting
monitored information is desired or necessary. For example, deleting user information after a
certain period might be mandatory in your organization for legal reasons. You configure separate
expiration periods for:
• Reports—Panorama deletes expired reports at the same time it generates new reports (see
Configure the Run Time for Panorama Reports).
• Each log type—Panorama evaluates logs as it receives them, and deletes logs that exceed the
configured expiration period.
• Panorama synchronizes expiration periods across high availability (HA) pairs. Because
only the active HA peer generates logs, the passive peer has no logs or reports to delete
unless failover occurs and it starts generating logs.
Even if you don’t set expiration periods, when a log quota reaches the maximum size,
Panorama starts overwriting the oldest log entries with the new log entries.

Configure Storage Quotas and Expiration Periods for Logs and Reports


STEP 1 | Configure the storage quotas and expiration periods for:

• Logs of all types that a Panorama virtual appliance in Legacy mode receives from firewalls.
• App Stats logs that Panorama receives from firewalls.
• System and Config logs that Panorama and Log Collectors generate locally.
The Panorama management server stores these logs locally.

If you reduce a storage quota such that the current logs exceed it, after you commit the
change, Panorama removes the oldest logs to fit the quota.

1. Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
2. In the Log Storage settings, enter the storage Quota (%) for each log type.
When you change a percentage value, the page refreshes to display the corresponding
absolute value (Quota GB/MB column) based on the total allotted storage on Panorama.
3. Enter the Max Days (expiration period) for each log type (range is 1 to 2,000).
By default, the fields are blank, which means the logs never expire.

Restore Defaults if you want to reset the quotas and expiration periods to the
factory defaults.

STEP 2 | Configure the expiration period for reports that Panorama generates.
1. Select Log Export and Reporting and enter the Report Expiration Period in days (range is
1 to 2,000).
By default, the field is blank, which means reports never expire.
2. Click OK to save your changes.


STEP 3 | Configure the storage quotas and expiration periods for logs of all types (except App Stats
logs) that M-600, M-500, M-200 appliances, or Panorama virtual appliance in Panorama
mode receives from firewalls.
The local or Dedicated Log Collectors store these logs.

You configure these storage quotas at the Collector Group level, not for individual Log
Collectors.

1. Select Panorama > Collector Groups and edit the Collector Group.
2. In the General settings, click the Log Storage value.

A value doesn’t display unless you assigned Log Collectors to the Collector
Group. If the field displays 0MB after you assign Log Collectors, verify that you
enabled the disk pairs when you Configure a Managed Collector and that you
committed the changes (Panorama > Managed Collectors > Disks).
3. Enter the storage Quota(%) for each log type.
When you change a percentage value, the page refreshes to display the corresponding
absolute value (Quota GB/MB column) based on the total storage allotted to the
Collector Group.
4. Enter the Max Days (expiration period) for each log type (range is 1 to 2,000).
By default, the fields are blank, which means the logs never expire.

Restore Defaults if you want to reset the quotas and expiration periods to the
factory defaults.
5. Click OK to save your changes.

STEP 4 | Commit the changes to Panorama and push the changes to the Collector Group.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Collector Groups, select the Collector Group you modified, and click OK.
3. Commit and Push your changes.

STEP 5 | Verify that Panorama applied the storage quota changes.

1. Select Panorama > Setup > Management and, in the Logging and Reporting Settings,
verify that the Log Storage values are correct for the logs that the Panorama
management server stores.
2. Select Panorama > Collector Groups, select the Collector Group you modified, and
verify that the Log Storage values in the General tab are correct for the logs that the Log
Collectors store.

You can also verify the Collector Group storage quotas by logging in to a Log
Collector CLI and entering the operational command show log-diskquota-pct.
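The following is an added example, written for this section and not taken from the guide or from Panorama itself. It models how the two limits configured above interact for one log type: the Quota (%) becomes an absolute byte budget, Max Days removes entries older than the expiration period, and whatever still exceeds the quota is dropped oldest first, as the guide describes for a reduced quota. The entry list, sizes and the fixed SAMPLE_NOW clock are constructed sample input.

```python
from datetime import datetime, timedelta, timezone

SAMPLE_NOW = datetime(2022, 2, 22, tzinfo=timezone.utc)   # fixed clock for the constructed sample


def quota_bytes(total_storage_bytes: int, quota_pct: float) -> int:
    """Absolute quota for one log type, as the Quota GB/MB column derives it from Quota (%)."""
    return int(total_storage_bytes * quota_pct / 100)


def apply_retention(entries, quota: int, max_days=None, now=None):
    """Return (kept_entries, dropped_for_quota) for one log type.

    entries:  iterable of (received_at: datetime, size_bytes: int)
    quota:    absolute byte quota for this log type
    max_days: Max Days expiration period; None means the field is blank and logs never expire
    Expired entries are removed first; then, while the remainder still exceeds the quota,
    the oldest entry is dropped, which is the oldest-first overwrite the guide describes.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = None if max_days is None else now - timedelta(days=max_days)
    kept = sorted((r, s) for r, s in entries if cutoff is None or r >= cutoff)
    used = sum(s for _, s in kept)
    dropped_for_quota = 0
    while kept and used > quota:
        _, size = kept.pop(0)          # oldest first
        used -= size
        dropped_for_quota += 1
    return kept, dropped_for_quota


def days_ago(d: int) -> datetime:
    return SAMPLE_NOW - timedelta(days=d)


def sample_entries(count: int = 10, size: int = 50_000):
    """Constructed sample input: one entry per day going back `count` days, not real log data."""
    return [(days_ago(d), size) for d in range(count)]


if __name__ == "__main__":
    q = quota_bytes(1_000_000, 30)                      # 30% of a 1,000,000-byte allotment
    kept, dropped = apply_retention(sample_entries(), q, max_days=7, now=SAMPLE_NOW)
    print(f"quota={q} bytes, kept={len(kept)} entries, dropped for quota={dropped}")
```

Note the order: with ten daily entries of 50,000 bytes, Max Days 7 first removes the two oldest, and the 300,000-byte quota then removes two more, so a quota reduction can discard logs that are still inside their expiration period.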


Configure the Run Time for Panorama Reports

Panorama generates reports daily at the time you specify. Panorama deletes any expired reports
after generating the new reports.
STEP 1 | Select Panorama > Setup > Management and edit the Logging and Reporting Settings.

STEP 2 | Select Log Export and Reporting and set the Report Runtime to an hour in the 24-hour clock
schedule (default is 02:00; range is 00:00 [midnight] to 23:00).

STEP 3 | Select Commit > Commit to Panorama and Commit your changes.


Monitor Panorama
To monitor Panorama and its managed collectors, you can periodically view their System and
Config logs (filter logs by type), configure an SNMP manager to collect (GET) Panorama statistics
on a regular basis, or configure SNMP traps or email alerts that notify you when a monitored
metric changes state or reaches a threshold on Panorama. Email alerts and SNMP traps are
useful for immediate notification about critical system events that need your attention. To
configure email alerts or SNMP traps, see Configure Log Forwarding from Panorama to External
Destinations.
• Panorama System and Configuration Logs
• Monitor Panorama and Log Collector Statistics Using SNMP

Panorama System and Configuration Logs

You can configure Panorama to send notifications when a system event or configuration change
occurs. By default, Panorama records every configuration change in the Config logs. In the System
logs, each event has a severity level to indicate its urgency and impact. When you Configure Log
Forwarding from Panorama to External Destinations, you can forward all System and Config logs
or filter the logs based on attributes such as the receive time or severity level (System logs only).
The following table summarizes the severity levels for System logs.

Panorama regularly connects to the IoT Edge Service to download policy recommendations
for IoT based policies. This connection is attempted by Panorama regardless of whether the
IoT license is active on any managed firewalls.
A high severity gRPC connection failure system log is generated in the event of connection
failure or if Panorama manages no IoT licensed firewall. No action is needed regarding
these system logs if you are not leveraging the policy recommendation capabilities of IoT or
if you are not managing any IoT licensed firewalls.
If you are leveraging the policy recommendation capabilities of IoT, review the gRPC
connection failure system log to understand what is causing the connection issue between
Panorama and the IoT Edge Service.

Panorama does not support querying configuration logs in the ACC or when monitoring
configuration logs (Monitor > Logs) using the filters:
before-change-preview-contains
after-change-preview-contains

Severity Description

Critical Indicates a failure and the need for immediate attention, such as a hardware
failure, including high availability (HA) failover and link failures.

High Serious issues that will impair the operation of the system, including
disconnection of a Log Collector or a commit failure.

Medium Mid-level notifications, such as Antivirus package upgrades, or a Collector
Group configuration push.

Low Minor severity notifications, such as user password changes.

Informational Notification events such as log in or log out, any configuration change,
authentication success and failure notifications, commit success, and all
other events that the other severity levels don’t cover.

Panorama stores the System and Config logs locally; the exact location and storage capacity varies
by Panorama model (see Log and Report Storage). Upon reaching the capacity limit, Panorama
deletes the oldest logs to create space for new logs. If you need to store the logs for longer
periods than what the local storage allows, you can Configure Log Forwarding from Panorama to
External Destinations.

For information on using Panorama to monitor firewall logs, see Monitor Network
Activity.

Monitor Panorama and Log Collector Statistics Using SNMP

You can configure an SNMP manager to request information from a Panorama management
server and configure Panorama to respond. For example, the SNMP manager can request the
high availability (HA) mode, Panorama state, and Panorama version. If the Panorama management
server has a local Log Collector, then Panorama can also provide logging statistics: average
logs per second, storage duration, retention periods, log disk usage, log forwarding status from
individual firewalls to Panorama and external servers, and the status of firewall-to-Log Collector
connections. Panorama doesn’t synchronize SNMP configurations between HA peers; you must
enable SNMP requests and responses on each peer.
You can also configure a Dedicated Log Collector to respond to requests for the same logging
statistics as the Panorama management server. This information is useful when evaluating
whether you need to expand log storage capacity.

You can’t configure an SNMP manager to control Panorama or Log Collectors (using SET
messages); an SNMP manager can only collect statistics (using GET messages).
For details on how Panorama implements SNMP, see SNMP Support.


STEP 1 | Configure the SNMP Manager to get statistics from Panorama and the Log Collectors.
The following steps are an overview of the tasks you perform on the SNMP manager. For the
specific steps, refer to the documentation of your SNMP manager.
1. To enable the SNMP manager to interpret statistics, load the Supported MIBs and, if
necessary, compile them.
2. For each Panorama appliance that the SNMP manager will monitor, define its connection
settings (IP address and port) and authentication settings (SNMPv2c community string or
SNMPv3 username and password). All Panorama appliances use port 161.
The SNMP manager can use the same or different connection and authentication
settings for multiple Panorama management servers and Log Collectors. The settings
must match those you define when you configure SNMP on Panorama (see STEP 4,
Configure the Panorama management server to respond to statistics requests from an
SNMP manager, and STEP 5, Configure the Dedicated Log Collectors to respond to SNMP
requests). For example, if you use SNMPv2c, the community string you define
when configuring Panorama must match the community string you define in the SNMP
manager for Panorama.
3. Determine the object identifiers (OIDs) of the statistics you will monitor. For example,
to monitor the logging rate, a MIB browser shows that this statistic corresponds to OID
1.3.6.1.4.1.25461.2.3.30.1.1 in PAN-PRODUCT-MIB.my. For details, see Use an SNMP
Manager to Explore MIBs and Objects.
4. Configure the SNMP manager to monitor the desired OIDs.

STEP 2 | Enable SNMP traffic on the management (MGT) interface of the Panorama management
server.
1. Select Panorama > Setup > Management and edit the Management Interface Settings.
2. In the Services section, select the SNMP check box and click OK.

STEP 3 | Enable SNMP traffic on the management (MGT) interface of any M-Series appliances in Log
Collector mode:
1. Select Panorama > Managed Collectors and select the Log Collector.
2. Select the Management tab, select the SNMP check box, and click OK.


STEP 4 | Configure the Panorama management server to respond to statistics requests from an SNMP
manager.
1. Select Panorama > Setup > Operations and, in the Miscellaneous section, click SNMP
Setup.
2. Select the SNMP Version and configure the authentication values as follows. For version
details, see SNMP Support.
• V2c—Enter the SNMP Community String, which identifies a community of SNMP
managers and monitored devices (Panorama, in this case), and serves as a password to
authenticate the community members to each other.

Don’t use the default community string public; it is well known and
therefore not secure.
• V3—Create at least one SNMP view group and one user. User accounts and views
provide authentication, privacy, and access control when SNMP managers get
statistics.
Views—Each view is a paired OID and bitwise mask: the OID specifies a MIB, and the
mask (in hexadecimal format) specifies which objects are accessible inside (include
matching) or outside (exclude matching) that MIB. Click Add in the first list and enter a
Name for the group of views. For each view in the group, click Add and configure the
view Name, OID, matching Option (include or exclude), and Mask.
Users—Click Add in the second list, enter a username in the Users column, select the
View group from the drop-down, enter the authentication password (Auth Password)
used to authenticate to the SNMP manager, and enter the privacy password (Priv
Password) used to encrypt SNMP messages to the SNMP manager.
3. Click OK to save the settings.

STEP 5 | Configure the Dedicated Log Collectors (if any) to respond to SNMP requests.
For each Collector Group:
1. Select Panorama > Collector Groups and select the Collector Group.
2. Select the Monitoring tab, configure the same settings as in STEP 4 (Configure the
Panorama management server to respond to statistics requests from an SNMP manager),
and click OK.

STEP 6 | Commit the changes to Panorama and push the changes to Collector Groups.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Collector Groups, select the Collector Groups you edited, and click OK.
3. Commit and Push your changes.

STEP 7 | Monitor the Panorama and Log Collector statistics in an SNMP manager.
Refer to the documentation of your SNMP manager.
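The SNMPv3 view entries in STEP 4 (OID, hex Mask, include or exclude) are the access-control half of the setup, and it is easy to grant more than intended with a wildcard mask. The following added example, which is not from the guide and not Panorama's implementation, evaluates a view group against requested OIDs using the standard SNMP VACM view-tree-family rules (RFC 3415): a set mask bit means that sub-identifier must match exactly, a cleared bit is a wildcard, missing bits count as set, and the most specific matching entry decides. That Panorama applies exactly these rules, and that the mask may be written with colon separators, are assumptions of this example. The MIB-2 system subtree and the Palo Alto Networks enterprise arc (where PAN-PRODUCT-MIB and the logging-rate OID named in STEP 1 live) are real; the wildcard exclude entry is constructed only to show the mask behaviour.

```python
from typing import List, Tuple

# One view entry as entered on the Panorama SNMP Setup page for SNMPv3:
# (subtree OID, hex Mask, matching Option "include" or "exclude").
View = Tuple[str, str, str]


def parse_oid(oid: str) -> List[int]:
    return [int(x) for x in oid.strip(".").split(".")]


def mask_bits(mask_hex: str, n: int) -> List[bool]:
    """Expand the hex mask to n booleans, most significant bit first.
    A set bit means that sub-identifier must match exactly; a cleared bit is a wildcard;
    bits beyond the end of the mask count as set (RFC 3415 view-tree-family rules).
    Accepting colon- or space-separated hex is an assumption of this example."""
    raw = bytes.fromhex(mask_hex.replace(":", "").replace(" ", ""))
    bits = [bool(byte & (0x80 >> i)) for byte in raw for i in range(8)]
    return (bits + [True] * n)[:n]


def subtree_matches(subtree: str, mask_hex: str, oid: str) -> bool:
    """True if oid lies under subtree, honouring wildcard positions in the mask."""
    sub, target = parse_oid(subtree), parse_oid(oid)
    if len(target) < len(sub):
        return False
    return all(not must_match or s == t
               for s, t, must_match in zip(sub, target, mask_bits(mask_hex, len(sub))))


def oid_in_view(views: List[View], oid: str) -> bool:
    """Decide whether a user bound to this view group may read `oid`.
    The most specific matching entry wins: longest subtree first, then the lexicographically
    greatest subtree on ties (RFC 3415). No matching entry means the object is not visible."""
    best = None
    for subtree, mask_hex, option in views:
        if subtree_matches(subtree, mask_hex, oid):
            key = (len(parse_oid(subtree)), parse_oid(subtree))
            if best is None or key > best[0]:
                best = (key, option)
    return best is not None and best[1] == "include"


# Constructed view group for a read-only monitoring user. The first two subtrees are real
# (MIB-2 system group; Palo Alto Networks enterprise arc, where PAN-PRODUCT-MIB lives).
# The third entry exists only to show a wildcard: mask FF:BF clears the bit for the 10th
# sub-identifier (30 here), so .2.3.<anything>.1.1 is excluded. It is not a recommended setting.
MONITOR_VIEWS: List[View] = [
    ("1.3.6.1.2.1.1", "", "include"),
    ("1.3.6.1.4.1.25461", "", "include"),
    ("1.3.6.1.4.1.25461.2.3.30.1.1", "FF:BF", "exclude"),
]


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0",                  # sysDescr.0
                "1.3.6.1.4.1.25461.2.3.30.1.1",      # logging-rate OID from STEP 1
                "1.3.6.1.4.1.25461.2.3.30.1.2",
                "1.3.6.1.6.3.15.1.2.2.1.3"):         # outside every included subtree
        print(oid, "visible" if oid_in_view(MONITOR_VIEWS, oid) else "hidden")
```

Before committing a view group, run the OIDs you intend to poll (and a few you do not) through oid_in_view: a wildcard that clears a low-order bit can silently widen an exclude, as the constructed third entry shows by hiding the logging-rate object this section set out to monitor.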


Reboot or Shut Down Panorama

The reboot option initiates a graceful restart of Panorama. A shutdown halts the system and
powers it off. To restart Panorama after a shutdown, manually disconnect and re-cable the power
cord on the system.
STEP 1 | Select Panorama > Setup > Operations.

STEP 2 | In the Device Operations section, select Reboot Panorama or Shutdown Panorama.


Configure Panorama Password Profiles and Complexity

To secure the local administrator account, you can define password complexity requirements that
are enforced when administrators change or create new passwords. Unlike password profiles,
which can be applied to individual accounts, the password complexity rules are firewall-wide and
apply to all passwords.
To enforce periodic password updates, create a password profile that defines a validity period for
passwords.
STEP 1 | Configure minimum password complexity settings.
1. Select Panorama > Setup > Management and edit the Minimum Password Complexity
section.
2. Select Enabled.
3. Define the Password Format Requirements. You can enforce the requirements for
uppercase, lowercase, numeric, and special characters that a password must contain.
4. To prevent the account username (or reversed version of the name) from being used in
the password, select Block Username Inclusion (including reversed).
5. Define the password Functionality Requirements.
If you have configured a password profile for an administrator, the values defined in the
password profile will override the values that you have defined in this section.

STEP 2 | Create password profiles.

You can create multiple password profiles and apply them to administrator accounts as
required to enforce security.
1. Select Panorama > Password Profiles and click Add.
2. Enter a Name for the password profile and define the following:
1. Required Password Change Period—Frequency, in days, at which the passwords must
be changed.
2. Expiration Warning Period—Number of days before expiration that the administrator
will receive a password reminder.
3. Post Expiration Grace Period—Number of days that the administrator can still log in
to the system after the password expires.
4. Post Expiration Admin Login Count—Number of times that the administrator can log
in to the system after the password has expired.
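The following is an added example, written to illustrate STEP 1 and STEP 2 together; it is not Panorama's code and does not reproduce its exact rules. check_password applies the format requirements named in STEP 1 (uppercase, lowercase, numeric and special characters, plus Block Username Inclusion including the reversed username); the counts it uses are example values, and the minimum length is an assumed extra setting the guide does not name. password_status classifies an account against the four Password Profile fields of STEP 2; it assumes that, after expiry, a login is permitted only while both the grace period and the post-expiration login count are unexhausted, which is one reading of how the two limits combine.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class FormatRequirements:
    """Minimum Password Complexity settings from STEP 1. The counts are example values,
    not defaults the guide states; min_length is an assumed extra setting."""
    min_length: int = 12
    min_uppercase: int = 1
    min_lowercase: int = 1
    min_numeric: int = 1
    min_special: int = 1
    block_username_inclusion: bool = True     # Block Username Inclusion (including reversed)


def check_password(password: str, username: str, req: FormatRequirements = FormatRequirements()):
    """Return the unmet format requirements; an empty list means the password is accepted."""
    failures = []
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }
    if len(password) < req.min_length:
        failures.append(f"shorter than {req.min_length} characters")
    for kind, needed in (("uppercase", req.min_uppercase), ("lowercase", req.min_lowercase),
                         ("numeric", req.min_numeric), ("special", req.min_special)):
        if counts[kind] < needed:
            failures.append(f"needs at least {needed} {kind} character(s)")
    if req.block_username_inclusion and username:
        u, p = username.lower(), password.lower()       # case-insensitive, as a blocker should be
        if u in p or u[::-1] in p:
            failures.append("contains the username or its reverse")
    return failures


@dataclass
class PasswordProfile:
    """The four fields of a Panorama Password Profile (STEP 2), in days or logins."""
    change_period_days: int                 # Required Password Change Period
    warning_period_days: int                # Expiration Warning Period
    grace_period_days: int                  # Post Expiration Grace Period
    post_expiration_login_count: int        # Post Expiration Admin Login Count


def password_status(profile: PasswordProfile, last_changed: str, today: str,
                    logins_since_expiry: int) -> str:
    """Classify an account as 'valid', 'warning', 'grace' or 'locked' (dates are ISO strings).
    Assumption of this example: after expiry a login is allowed only while BOTH the grace
    period and the post-expiration login count are unexhausted."""
    changed, now = date.fromisoformat(last_changed), date.fromisoformat(today)
    expires_on = changed + timedelta(days=profile.change_period_days)
    if now < expires_on - timedelta(days=profile.warning_period_days):
        return "valid"
    if now < expires_on:
        return "warning"
    within_grace = now < expires_on + timedelta(days=profile.grace_period_days)
    logins_left = logins_since_expiry < profile.post_expiration_login_count
    return "grace" if within_grace and logins_left else "locked"


if __name__ == "__main__":
    print(check_password("Admin-2022!abc", "admin"))           # rejected: contains the username
    profile = PasswordProfile(90, 7, 3, 2)
    for day in ("2022-03-01", "2022-03-28", "2022-04-02", "2022-04-05"):
        print(day, password_status(profile, "2022-01-01", day, logins_since_expiry=0))
```

The profile check is the part worth wiring into monitoring: an account sitting in "grace" is still a usable credential, so the warning-period reminder, not the grace period, is the window in which to act.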

Panorama Plugins
The Panorama extensible plugin architecture enables support for third-party
integration plugins, such as VMware NSX, and other Palo Alto Networks products,
such as the GlobalProtect cloud service. With this modular architecture, you can take
advantage of new capabilities without waiting for a new PAN-OS version.
You can also configure the VM-Series plugin from Panorama. The VM-Series plugin
is a single plugin that enables integration with public cloud environments such as
Google Cloud Platform (GCP), Azure, AWS and private cloud hypervisors such as
KVM, ESXi and others. The VM-Series plugin enables you to publish metrics from VM-
Series firewalls deployed in public clouds. You can use Panorama to configure the VM-
Series plugin settings for public clouds and push your configuration to your managed
firewalls.

> About Panorama Plugins

> VM-Series Plugin and Panorama Plugins


About Panorama Plugins

Panorama supports an extensible plugin architecture that enables the integration and
configuration of the following capabilities:
• AWS—The AWS plugin enables you to monitor your EC2 workloads on AWS. With the
plugin, you can enable communication between Panorama (running PAN-OS 8.1.3 or a later
release) and your AWS VPCs so that Panorama can collect a predefined set of attributes (or
metadata elements) as tags for your EC2 instances and register the information to your Palo
Alto Networks firewalls. When you reference these tags in Dynamic Address Groups and match
against them in Security policy rules, you can consistently enforce policy across all assets
deployed within your VPCs.
• Azure—The Azure plugin enables you to monitor your virtual machines on the Azure public
cloud. With the plugin, you can enable communication between Panorama (running PAN-OS
8.1.6 or a later release) and your Azure subscriptions so that Panorama can collect a predefined
set of attributes (or metadata elements) as tags for your Azure virtual machines and register the
information to your Palo Alto Networks firewalls. When you reference these tags in Dynamic
Address Groups and match against them in Security policy rules, you can consistently enforce
policy across all assets deployed within VNets in your subscriptions.
• Cisco ACI—The Cisco ACI plugin enables you to monitor endpoints in your Cisco ACI fabric.
With the plugin, you enable communication between Panorama (8.1.6 and later) and your Cisco
APIC so that Panorama can collect endpoint information as tags for your Endpoint Groups and
register the information to your Palo Alto Networks firewalls. When you reference these tags in
Dynamic Address Groups and match against them in Security policy rules, you can consistently
enforce policy across all assets deployed within your Cisco ACI fabric.
• Cisco TrustSec—The Cisco TrustSec Plugin enables monitoring of endpoints in your Cisco
TrustSec environment. With the plugin, you enable communication between Panorama and
your Cisco pxGrid server so that Panorama can collect endpoint information as tags for
your endpoints and register the information to your Palo Alto Networks firewalls. When you
reference these tags in Dynamic Address Groups and match against them in security policy
rules, you can consistently enforce policy across all assets deployed within your Cisco TrustSec
environment.

Not supported on Panorama in FIPS-CC mode.

• Cloud Services—The Cloud Services plugin enables the use of the Cortex Data Lake and Prisma
Access. The Cortex Data Lake solves operational logging challenges and the Prisma Access
cloud service extends your security infrastructure to your remote network locations and mobile
workforce.
• Enterprise Data Loss Prevention (DLP)—Enterprise DLP is a set of tools and processes that
allow you to protect sensitive information against unauthorized access, misuse, extraction, or
sharing. Enterprise DLP is enabled through a cloud service to help you inspect content and
analyze the data in the correct context so that you can accurately identify sensitive data and
secure it to prevent incidents. Enterprise DLP is supported on Panorama and managed firewalls
running PAN-OS 10.0.2 and later releases.

Not supported on Panorama in FIPS-CC mode.


• GCP—Enables you to secure Kubernetes services in a Google Kubernetes Engine (GKE) cluster.
Configure the Panorama plugin for Google Cloud Plaorm (GCP) to connect to your GKE
cluster and learn about the services that are exposed to the internet.
• Panorama Interconnect—The Panorama Interconnect plugin enables you to manage large-scale
firewall deployments. Use the Interconnect plugin to set up a two-er Panorama deployment
(on Panorama running PAN-OS 8.1.3 or a later release) for a horizontal scale-out architecture.
With the Interconnect plugin, you can deploy a Panorama Controller with up to 64 Panorama
Nodes or 32 Panorama HA pairs to centrally manage a large number of firewalls.
• Nutanix—The Panorama plugin for Nutanix enables VM monitoring in your Nutanix
environment. It allows you to track the virtual machine inventory within your Nutanix Prism
Central so that you can consistently enforce security policy that automacally adapts to
changes within your Nutanix environment. As virtual machines are provisioned, de-provisioned
or moved, this soluon allows you to collect the IP addresses and associated sets of aributes
(or metadata elements) as tags. You can then use the tags to define Dynamic Address Groups
and use them in Security policy. The Panorama plugin for Nutanix requires Panorama 9.0.4 or
later.
• SD-WAN—The Soware-Defined Wide Area Network (SD-WAN) plugin allows you to use
mulple internet and private services to create an intelligent and dynamic WAN, which helps
lower costs and maximize applicaon quality and usability. Instead of using costly and me-
consuming MPLS with components such as routers, firewalls, WAN path controllers, and WAN
opmizers to connect your WAN to the internet, SD-WAN on a Palo Alto Networks firewall
allows you to use less expensive internet services and fewer pieces of equipment.
• VMware NSX—The VMware NSX plugin enables integraon between the VM-Series firewall
on VMware NSX with VMware NSX Manager. This integraon allows you to deploy the VM-
Series firewall as a service on a cluster of ESXi servers.
• VMware vCenter—The Panorama plugin for VMware vCenter allows you to monitor the virtual
machines in your vCenter environment. The plugin retrieves IP addresses of virtual machines
in your vCenter environment and converts them to tags that you can use to build policy using
dynamic address groups.
• Zero Touch Provisioning—Zero Touch Provisioning (ZTP) is designed to simplify and automate
the on-boarding of new firewalls to Panorama. ZTP streamlines the initial firewall deployment
process by allowing network administrators to ship managed firewalls directly to their branches
and automatically add the firewall to Panorama, allowing businesses to save on time and
resources when deploying new firewalls. ZTP is supported on PAN-OS 9.1.3 and later releases.

Not supported on Panorama in FIPS-CC mode.

• IPS Signature Converter—The IPS Signature Converter plugin for Panorama provides an
automated solution for converting rules from third-party intrusion prevention systems—Snort
and Suricata—into custom Palo Alto Networks threat signatures. You can then register these
signatures on firewalls that belong to device groups you specify and use them to enforce policy
in Vulnerability Protection and Anti-Spyware Security Profiles.
You can install mulple plugins and retrieve IP address updates from mulple sources on a single
Panorama instance. This allows you to create and enforce consistent security policy to secure
applicaons and workloads across mulple cloud environments. Retrieved IP addresses are used
in security policy through dynamic address groups; when a workload is added or removed from
your environment, Panorama registers the change and pushes the update to the firewalls. When

Panorama Administrator's Guide Version Version 10.1 587 ©2022 Palo Alto Networks, Inc.
Panorama Plugins

deploying mulple plugins on Panorama, you must carefully plan your device group hierarchy to
ensure that updates are passed to your firewalls correctly.
Refer to the Palo Alto Networks Compability Matrix for details on the different plugin versions
and compability informaon.

Install Panorama Plugins


You can install one or more of the available plugins on Panorama to enable integration with the
GlobalProtect cloud service and Cortex Data Lake, VMware NSX, or for monitoring your virtual
machines on AWS or Azure public cloud.
For the cloud services plugin, you must activate a valid auth code on the Customer Support Portal
and select the region—Americas or Europe—to which you want to send logs.

If you have a version of a plugin currently installed and you install a new version of the
plugin, Panorama replaces the currently installed version.

STEP 1 | Download the plugin.


1. Select Panorama > Plugins.

2. Select Check Now to retrieve a list of available updates.


3. Select Download in the Action column to download the plugin.
Refer to the Compatibility Matrix for the minimum supported PAN-OS version for each
Panorama plugin.

STEP 2 | Install the plugin.


Select the version of the plugin and click Install in the Action column to install the plugin.
Panorama will alert you when the installation is complete. For more details, refer to install the
VMware NSX plugin or the Cloud Services plugin.

When installing the plugin for the first time on a Panorama HA pair, install the plugin
on the passive peer before the active peer. On installing the plugin on the passive peer,
it transitions to a non-functional state. Then, after you successfully install the plugin on
the active peer, the passive peer returns to a functional state.

VM-Series Plugin and Panorama Plugins


What is the difference between the VM-Series Plugin and various plugins for Panorama?
The VM-Series Plugin is for the VM-Series firewalls, and is a single plugin that enables integration
with public cloud environments such as Google Cloud Platform (GCP), Azure and AWS, and private
cloud hypervisors such as KVM, ESXi and others. When you deploy the firewall, the built-in plugin
automatically detects the virtual environment on which the firewall is deployed and loads up
the plugin components that enable you to manage interactions with that cloud environment.
For example, when you deploy the VM-Series firewall on GCP, the VM-Series firewall loads the
plugin components that enable the integration with GCP. You can then use the VM-Series plugin
to configure the VM-Series firewall on GCP to publish metrics to Google Stackdriver Monitoring.
Similarly, the VM-Series plugin on the VM-Series firewall on Azure enables you to configure the
firewall to publish metrics to Azure Application Insights or set up the details that the firewalls need
to function as an HA pair. The VM-Series Plugin is pre-installed on the VM-Series firewall, and you
can upgrade or downgrade but cannot delete it. On Panorama the VM-Series plugin is available
but it is not pre-installed. If you choose to use Panorama to manage the integrations on your
firewalls, install the VM-Series plugin on Panorama to establish communication with the VM-
Series plugin on your firewalls.
The Panorama plugins are for both hardware-based firewalls and the VM-Series firewalls. Since
Panorama plugins are optional, you can add, remove, reinstall, or upgrade them on Panorama.
The Panorama plugin is not built-in, and you must install the plugin to enable communication
with the environment you need to manage. For example, you use the Cloud Services plugin on
Panorama to enable the set up between the Panorama/firewalls and the Cortex Data Lake. The
GCP plugin on Panorama enables communication between Panorama and your GCP deployment
so that you can secure traffic entering or exiting a service deployed in a Google Kubernetes Engine
(GKE) cluster.

Install the VM-Series Plugin on Panorama


To view and configure cloud integrations deployed on your VM-Series firewalls, the VM-Series
plugin must be installed on both Panorama and the VM-Series firewall. The plugin is automatically
installed on the firewall, but you must manually install the plugin on Panorama before you can
push configurations to your device groups.

The VM-Series plugin supports all clouds, so an upgrade might not apply to your VM-
Series firewalls. Before upgrading the plugin, consult the release notes. Update the plugin
only when there are changes relevant to your cloud.

STEP 1 | Download the VM-Series plugin.


1. Select Panorama > Plugins and use Check Now to look for new plugin packages. The
VM-Series plugin name is vm_series.
2. Consult the plugin release notes to determine which version provides upgrades useful to
you.
3. Select a version of the plugin and select Download in the Action column.

STEP 2 | Install the VM-Series plugin.


1. Click Install in the Action column. Panorama alerts you when the installation is complete.
2. To view the plugin, select Device > VM-Series.
• If your firewall is installed on a private cloud and the hypervisor or service does not
have an integration, you see a tab named VM-Series and the default message, VM
Series plugin infrastructure support is installed to allow
the firewall's functionality to be enhanced in response to new
features launched by hypervisor, or to meet new security needs.
• If your firewall is deployed on a public cloud, Panorama displays tabs for all supported
clouds.

STEP 3 | (Optional) Save your configuration and push it to your managed firewalls.

STEP 4 | (Optional) On the VM-Series firewall, select Device > VM-Series. If you have configured
the integration for your platform, you see a single tab for the cloud in which the firewall is
deployed. If you have not configured an integration, you see the default message about the
VM-Series plugin infrastructure.

Troubleshoong
The following topics address issues for the Panorama™ management server and
Dedicated Log Collectors:
> Troubleshoot Panorama System > Troubleshoot Device Management
Issues License Errors
> Troubleshoot Log Storage and > Troubleshoot Automacally Reverted
Connecon Issues Firewall Configuraons
> Replace an RMA Firewall > View Task Success or Failure Status
> Troubleshoot Commit Failures > Test Policy Match and Connecvity
> Troubleshoot Registraon or Serial for Managed Devices
Number Errors > Generate a Stats Dump File for a
> Troubleshoot Reporng Errors Managed Firewall
> Recover Managed Device
Connecvity to Panorama

593
Troubleshoong

Troubleshoot Panorama System Issues


• Generate Diagnosc Files for Panorama
• Diagnose Panorama Suspended State
• Monitor the File System Integrity Check
• Manage Panorama Storage for Soware and Content Updates
• Recover from Split Brain in Panorama HA Deployments

Generate Diagnosc Files for Panorama


Diagnosc files aid in monitoring system acvity and in discerning potenal causes for issues
on Panorama. To assist Palo Alto Networks Technical Support in troubleshoong an issue, the
support representave might request a tech support file. The following procedure describes how
to download a tech support file and upload it to your support case.
STEP 1 | Select Panorama > Support and click Generate Tech Support File.

STEP 2 | Download and save the file to your computer.

STEP 3 | Upload the file to your case on the Palo Alto Networks Customer Support web site.

Diagnose Panorama Suspended State


If Panorama is in a suspended state, check for the following conditions:
• Serial numbers—Verify that the serial number on each Panorama virtual appliance is unique. If
the same serial number is used to create two or more instances of Panorama, all instances using
the same serial number will be suspended.
• Mode—If you deploy the Panorama virtual appliance in a high availability (HA) configuration,
verify that both HA peers are in the same mode: Panorama mode or Legacy mode.
• HA priority—Verify that you have set the HA priority setting on one peer as Primary and the
other as Secondary. If the priority setting is identical on both peers, the Panorama peer with a
higher numerical value in serial number is placed in a suspended state.
• Panorama software version—Verify that both Panorama HA peers are running the same
Panorama software version (major and minor version number).

Monitor the File System Integrity Check


Panorama periodically performs a file system integrity check (FSCK) to prevent corruption of the
Panorama system files. This check occurs after eight reboots or at a reboot that occurs 90 days
after the last FSCK was executed. If Panorama is running an FSCK, the web interface and Secure
Shell (SSH) login screens will display a warning to indicate that an FSCK is in progress. You cannot
log in until this process completes. The time to complete this process varies by the size of the
storage system; depending on the size, it can take several hours before you can log back in to
Panorama.
After you successfully download and install a PAN-OS software update on Panorama or a
managed firewall, the software update is validated after Panorama or the managed firewall reboots
as part of the software installation process to ensure the PAN-OS software integrity. This ensures
that the now running software update is known good and that the Panorama or managed firewall
is not compromised due to remote or physical exploitation.
To view the progress on the FSCK, set up console access to Panorama and view the status.

Manage Panorama Storage for Software and Content Updates


You can Install Content and Software Updates for Panorama, upgrade firewalls, and upgrade
Log Collectors using the Panorama™ management server. You cannot configure the
amount of space available on Panorama to store updates. When the allotted storage capacity
reaches 90%, Panorama alerts you to free up space (delete stored updates) for new downloads
or uploads. The maximum number of updates is a global setting that applies to all the updates
that Panorama stores. You must access the CLI to configure this setting. The default value is two
updates of each type.

Modify the maximum number of updates of each type.


Access the Panorama CLI and enter the following, where <number> can be between 2 and 64:

> set max-num-images count <number>

View the number of updates that Panorama currently stores.


Enter:

> show max-num-images

Use the web interface to delete updates to free up space on Panorama.


1. Select the type of update to delete:
• Firewall or Log Collector updates:
PAN-OS/Panorama software images—Select Panorama > Device Deployment >
Software.
GlobalProtect™ agent/app software updates—Select Panorama > Device
Deployment > GlobalProtect Client.
Content updates—Select Panorama > Device Deployment > Dynamic Updates.
• Panorama software images—Select Panorama > Software.
• Panorama content updates—Select Panorama > Dynamic Updates.
2. Click the X icon in the far right column for the image or update.

Use the CLI to delete updates to free up space on Panorama.


Delete software images by version:

> delete software version <version_number>

Delete content updates:

> delete content update <filename>

Recover from Split Brain in Panorama HA Deployments


When Panorama is configured in a high availability (HA) setup, the managed firewalls are
connected to both the active and passive Panorama HA peers. When the connection between the
active and the passive Panorama peers fails, before the passive Panorama takes over as the active
peer it checks whether any firewall is connected to both the active and the passive peer. If even
one firewall is connected to both peers, the failover is not triggered.
In the rare event that a failover is triggered when a set of firewalls are connected to the active
peer and a set of firewalls are connected to the passive peer, but none of the firewalls are
connected to both peers, it is called a split brain. When a split brain occurs, the following
conditions occur:
• Neither Panorama peer is aware of the state nor the HA role of the other peer.
• Both Panorama peers become active and manage a unique set of firewalls.
To resolve a split brain, debug your network issues and restore connectivity between the
Panorama HA peers.
However, if you need to make configuration changes to your firewalls without restoring the
connection between the peers, here are a couple of options:
• Manually add the same configuration changes on both Panorama peers. This ensures that when
the link is reestablished the configuration is synchronized.
• If you need to add/change the configuration at only one Panorama location, make the changes
and synchronize the configuration (make sure that you initiate the synchronization from
the peer on which you made the changes) when the link between the Panorama peers is re-
established. To synchronize the peers, select the Dashboard tab and click the Sync to peer link
in the High Availability widget.
• If you need to add/change the configuration for only the connected firewalls at each location,
you can make configuration changes independently on each Panorama peer. Because the
peers are disconnected, there is no replication and each peer now has a completely different
configuration file (they are out of sync). Therefore, to ensure that the configuration changes
on each peer are not lost when the connection is restored, you cannot allow the configuration
to be automatically re-synchronized. To solve this problem, export the configuration from
each Panorama peer and manually merge the changes using an external diff and merge tool.
After the changes are integrated, you can import the unified configuration file on the primary
Panorama and then synchronize the imported configuration file with the peer.
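The third option above calls for an external diff and merge tool. The following Python script is an added example, not Palo Alto Networks code and not a Panorama feature: it performs a three-way merge of the two diverged configuration exports against the last configuration both peers had in sync (assumed here to be available as a saved snapshot or an earlier export), flattens each XML document into leaf paths keyed by the entry names, applies every change made on only one peer, and reports as a conflict any leaf that both peers changed differently, so an administrator resolves those by hand before importing the unified file on the primary Panorama. The XML fragments are constructed, heavily simplified samples, not real Panorama exports.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified configuration exports (not real Panorama output).
# BASE is the last in-sync configuration; PEER_A and PEER_B diverged from it
# while the HA link was down.
BASE_XML = """<config><address>
  <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="dns"><ip-netmask>10.0.0.53/32</ip-netmask></entry>
</address></config>"""

PEER_A_XML = """<config><address>
  <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="web-2"><ip-netmask>10.1.1.11/32</ip-netmask></entry>
  <entry name="dns"><ip-netmask>10.0.0.54/32</ip-netmask></entry>
</address></config>"""

PEER_B_XML = """<config><address>
  <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="dns"><ip-netmask>10.0.1.53/32</ip-netmask></entry>
  <entry name="db-1"><ip-netmask>10.2.2.20/32</ip-netmask></entry>
</address></config>"""


def flatten(xml_text):
    """Map every leaf element to its text, keyed by an XPath-like path.

    <entry name="x"> becomes entry[name='x'] so that named objects stay
    distinct instead of being compared by position."""
    leaves = {}

    def walk(elem, path):
        label = elem.tag
        if "name" in elem.attrib:
            label += f"[name='{elem.attrib['name']}']"
        path = f"{path}/{label}"
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
        for child in children:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return leaves


def three_way_merge(base, peer_a, peer_b):
    """Merge two diverged flat configs against their common ancestor.

    Returns (merged, conflicts). A leaf changed on only one peer is taken,
    a leaf changed identically on both is taken, and a leaf changed
    differently on both is left out of merged and listed in conflicts."""
    merged, conflicts = {}, []
    for key in sorted(set(base) | set(peer_a) | set(peer_b)):
        old, a, b = base.get(key), peer_a.get(key), peer_b.get(key)
        if a == b:            # unchanged, or the same edit on both peers
            value = a
        elif a == old:        # only peer B touched it (edit or delete)
            value = b
        elif b == old:        # only peer A touched it (edit or delete)
            value = a
        else:                 # both changed it, and not the same way
            conflicts.append((key, a, b))
            continue
        if value is not None:  # None means the leaf was deleted
            merged[key] = value
    return merged, conflicts


def merge_exports(base_xml, a_xml, b_xml):
    """Convenience wrapper: flatten the three exports and merge them."""
    return three_way_merge(flatten(base_xml), flatten(a_xml), flatten(b_xml))


if __name__ == "__main__":
    merged, conflicts = merge_exports(BASE_XML, PEER_A_XML, PEER_B_XML)
    for path, value in merged.items():
        print(f"{path} = {value}")
    for path, a, b in conflicts:
        print(f"CONFLICT {path}: peer-A={a!r} peer-B={b!r}")
```

On the sample, the address objects added independently on each peer (web-2 and db-1) both land in the merged result, while the dns object, which each peer changed to a different address, is reported as a conflict and deliberately left out until someone decides which value is right.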


Troubleshoot Log Storage and Connection Issues


Migrating logs is supported only for M-Series appliance. Refer to Migrate a Panorama
Virtual Appliance to a Different Hypervisor to migrate a Panorama virtual appliance.

• Verify Panorama Port Usage
• Resolve Zero Log Storage for a Collector Group
• Replace a Failed Disk on an M-Series Appliance
• Replace the Virtual Disk on an ESXi Server
• Replace the Virtual Disk on vCloud Air
• Migrate Logs to a New M-Series Appliance in Log Collector Mode
• Migrate Logs to a New M-Series Appliance in Panorama Mode
• Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
• Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
• Migrate Log Collectors after Failure/RMA of Non-HA Panorama
• Regenerate Metadata for M-Series Appliance RAID Pairs
• View Log Query Jobs

Verify Panorama Port Usage


To ensure that Panorama can communicate with managed firewalls, Log Collectors, WildFire
appliances and appliance clusters, and its high availability (HA) peer, use the following table to
verify the ports that you must open on your network. Panorama uses the TCP protocol for port
communications.
By default, Panorama uses the management (MGT) interface to manage devices (firewalls, Log
Collectors, and WildFire appliances and appliance clusters), collect logs, communicate with
Collector Groups, and deploy software and content updates to devices. However, you can
optionally assign the log collection and Collector Group communication functions to the Eth1 or
Eth2 interfaces on an M-600, M-500 or M-200 appliance running Panorama 6.1 through 7.1. If
the appliance runs Panorama 8.0 or a later release, you can assign any function to the Eth1, Eth2,
Eth3, Eth4, or Eth5 interfaces on the M-600, M-500, or M-200 appliance. The ports listed in the
following table apply regardless of which function you assign to which interface. For example, if
you assign log collection to MGT and assign Collector Group communication to Eth2, then MGT
will use port 3978 and Eth2 will use port 28270. (The Panorama virtual appliance can only use the
MGT interface for all these functions.)

Communicang Systems Ports Ports Ports Descripon


& Direcon of Connecon Used in Used in Used in
Establishment Panorama Panorama Panorama
5.x 6.x to 7.x 8.x and
later

Panorama and Panorama 28 28 28 For HA connecvity


(HA) and synchronizaon if
encrypon is enabled.
Direcon: Each peer
iniates its own Used for communicaon
connecon to the other between Log Collectors in
a Collector Group for log
distribuon.

Panorama and Panorama 28769 28260 and 28260 For HA connecvity


(HA) and 28769 and and synchronizaon if
28260 28769 encrypon is not enabled.
Direcon: Each peer
(5.1)
iniates its own
connecon to the other 28769
and
49160
(5.0)

Panorama and managed 3978 3978 3978 A bi-direconal


firewalls connecon where the logs
are forwarded from the
Direcon: Iniated by the
firewall to Panorama; and
firewall
configuraon changes are
pushed from Panorama
to the managed firewalls.
Context switching
commands are sent over
the same connecon.

Panorama and Log 3978 3978 3978 For management and log
Collector collecon/reporng.
Direcon: Iniated by the Used for communicaon
Log Collector between the local Log
Collector on a Panorama
in Panorama mode,
and for communicang
with Log Collectors in a
distributed log collecon
deployment.

Panorama and managed 3978 3978 28443 Devices running PAN-


devices (firewalls, Log OS 8.x or later releases
Collectors, and WildFire use port 28443 to

Panorama Administrator's Guide Version Version 10.1 598 ©2022 Palo Alto Networks, Inc.
Troubleshoong

Communicang Systems Ports Ports Ports Descripon


& Direcon of Connecon Used in Used in Used in
Establishment Panorama Panorama Panorama
5.x 6.x to 7.x 8.x and
later
appliances and appliance retrieve soware and
clusters) content update files from
Panorama.
Direcon:
Devices running 7.x or
• Iniated by managed
earlier releases do not
devices running PAN-
retrieve update files from
OS 8.x or later releases.
Panorama; Panorama
• Iniated by Panorama pushes the update files
for devices running to the devices over port
PAN-OS 7.x or earlier 3978.
releases.
Support for Panorama
management of WildFire
appliances and appliance
clusters requires PAN-
OS 8.0.1 or later
installed on the managed
WildFire appliances.
We recommend that
Panorama runs 8.0.1 or
later to manage WildFire
appliances and appliance
clusters.

Log Collector to Log 49190 28270 28270 For distribung blocks and
Collector all binary data between
Log Collectors.
Direcon: Each Log
Collector iniates a
connecon to the other
Log Collectors in the
Collector Group

Panorama to Cortex Data NA NA 444 For seng up a secure


Lake communicaon channel
Versionwith the Cortex Data Lake.
8.0.5
The managed firewalls use
and
port 3978 to
later.
communicate with the
Cortex Data Lake.
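As an added example (not a Panorama feature and not Palo Alto Networks code), the following Python script turns the "Panorama 8.x and later" column of the table into the set of TCP flows a deployment needs, given which hosts play which role, and then checks a firewall allow-list against it: it reports required flows the policy does not permit and permitted flows that nothing in the table needs, which is the least-privilege check a network team wants before and after opening ports for Panorama. The host names, the allow-list tuples and the assumption that every managed device runs PAN-OS 8.x or later are constructed for the example; the script covers Panorama HA (with or without encryption), managed firewalls and Log Collectors, Collector Group distribution and the Cortex Data Lake channel, and deliberately leaves out WildFire appliances and the pre-8.0 ports.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Flow:
    src: str       # host that initiates the TCP connection
    dst: str       # host that listens
    port: int
    purpose: str


def required_flows(panorama_peers, firewalls, log_collectors,
                   ha_encryption=False, cortex_data_lake=False):
    """Derive the TCP flows required by the 'Panorama 8.x and later' column.

    Hosts are plain labels (assumption for the example). Assumes every managed
    device runs PAN-OS 8.x or later, so the device initiates the 28443
    update-retrieval connection rather than Panorama pushing over 3978."""
    flows = set()
    if len(panorama_peers) == 2:
        # Port 28 with HA encryption, 28260 and 28769 without it;
        # each peer initiates its own connection to the other.
        ha_ports = (28,) if ha_encryption else (28260, 28769)
        a, b = panorama_peers
        for port in ha_ports:
            flows.add(Flow(a, b, port, "Panorama HA"))
            flows.add(Flow(b, a, port, "Panorama HA"))
    for dev in list(firewalls) + list(log_collectors):
        for pan in panorama_peers:
            flows.add(Flow(dev, pan, 3978, "management, config push, log forwarding"))
            flows.add(Flow(dev, pan, 28443, "software and content update retrieval"))
    for lc in log_collectors:
        for other in log_collectors:
            if other != lc:
                flows.add(Flow(lc, other, 28270, "Collector Group log distribution"))
    if cortex_data_lake:
        for pan in panorama_peers:
            flows.add(Flow(pan, "cortex-data-lake", 444, "Cortex Data Lake channel"))
    return flows


def audit(flows, allowed):
    """Compare required flows with the (src, dst, port) tuples a policy allows.

    Returns (missing, unneeded): required flows the policy does not permit,
    and permitted tuples that nothing in the port table calls for."""
    needed = {(f.src, f.dst, f.port) for f in flows}
    missing = sorted(f for f in flows if (f.src, f.dst, f.port) not in allowed)
    unneeded = sorted(t for t in allowed if t not in needed)
    return missing, unneeded


if __name__ == "__main__":
    flows = required_flows(["pan-1", "pan-2"], ["fw-1", "fw-2"], ["lc-1", "lc-2"],
                           ha_encryption=False, cortex_data_lake=True)
    # Constructed allow-list: 28443 was never opened for fw-2, and SSH from
    # fw-1 to pan-1 is open although nothing in the table needs it.
    allowed = {(f.src, f.dst, f.port) for f in flows
               if not (f.src == "fw-2" and f.port == 28443)}
    allowed.add(("fw-1", "pan-1", 22))
    missing, unneeded = audit(flows, allowed)
    for f in missing:
        print(f"MISSING  {f.src} -> {f.dst}:{f.port}  ({f.purpose})")
    for src, dst, port in unneeded:
        print(f"UNNEEDED {src} -> {dst}:{port}")
```

Because the table says each HA peer and each Log Collector initiates its own connection, the generator emits a flow in each direction for those pairs; a policy that only allows one direction shows up in the missing list rather than silently working until the other side tries to connect.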


Resolve Zero Log Storage for a Collector Group


The log storage capacity for the Collector Group might display as 0MB if the disk pairs are not
enabled for logging in the Log Collectors. To enable the disk pairs, perform the following steps for
each Log Collector in the Collector Group.
STEP 1 | Add the RAID disk pairs.
1. Select Panorama > Managed Collectors and click the Collector Name.
2. Select Disks, Add each RAID disk pair, and click OK.

STEP 2 | Commit the changes to Panorama and push the changes to the Collector Group.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Collector Groups, select the Collector Group you modified, and click OK.
3. Commit and Push your changes.

STEP 3 | Verify the state of the Log Collectors and disk pairs.
1. Select Panorama > Managed Collectors and verify that the configuration of each Log
Collector is synchronized with Panorama.
The Configuration Status column should display In Sync and the Run Time Status column
should display connected.
2. Click Statistics in the last column for each Log Collector and verify that the disk pairs are
Enabled and Available.

Replace a Failed Disk on an M-Series Appliance


If a disk fails on the M-Series appliance, you must replace the disk and reconfigure it in a RAID 1
array. For details, refer to the M-Series appliance Hardware Reference Guides.

Replace the Virtual Disk on an ESXi Server


You cannot resize a virtual disk after adding it to the Panorama virtual appliance running on a
VMware ESXi server. Because the Panorama virtual appliance in Legacy mode allows only one log
storage location, you must replace the virtual disk as follows to modify the log storage capacity.
In Panorama mode, you can simply add another disk (up to the maximum of 12) to Expand Log
Storage Capacity on the Panorama Virtual Appliance.

On the Panorama virtual appliance in Legacy mode, you will lose the logs on the existing
disk when you replace it. For the options to preserve existing logs, see Preserve Existing
Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode.

STEP 1 | Remove the old virtual disk.


1. Access the VMware vSphere Client and select the Virtual Machines tab.
2. Right-click the Panorama virtual appliance and select Power > Power Off.
3. Right-click the Panorama virtual appliance and select Edit Settings.
4. Select the virtual disk in the Hardware tab and click Remove.
5. Select one of the Removal Options and click OK.

STEP 2 | Add the new virtual disk.


1. Add a Virtual Disk to Panorama on an ESXi Server.
Panorama running on ESXi 5.5 and later versions supports a virtual disk of up to 8TB.
Panorama running on an earlier ESXi version supports a virtual disk of up to 2TB.
2. In the vSphere Client, right-click the Panorama virtual appliance and select Power >
Power On.
The reboot process might take several minutes and the message cache data
unavailable will display.

STEP 3 | Verify that the modified log storage capacity is correct.


1. Log in to the Panorama virtual appliance.
2. Select Panorama > Setup > Management and verify that the Logging and Reporting
Settings section, Log Storage field, displays the modified log storage capacity accurately.

Replace the Virtual Disk on vCloud Air


You cannot resize a virtual disk after adding it to the Panorama virtual appliance running on
VMware vCloud Air. Because the Panorama virtual appliance in Legacy mode allows only one log
storage location, you must replace the virtual disk as follows to modify the log storage capacity.
In Panorama mode, you can simply Add a Virtual Disk to Panorama on vCloud Air (up to the
maximum of 12).

On the Panorama virtual appliance in Legacy mode, you will lose the logs on the existing
disk when you replace it. For the options to preserve existing logs, see Preserve Existing
Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode.

STEP 1 | Remove the old virtual disk.


1. Access the vCloud Air web console and select your Virtual Private Cloud OnDemand
region.
2. Select the Panorama virtual appliance in the Virtual Machines tab.
3. Select Acons > Edit Resources.
4. Click x for the virtual disk you are removing.

STEP 2 | Add the new virtual disk.


1. Add another disk.
2. Set the Storage to up to 8TB and set the storage tier to Standard or SSD-Accelerated.
3. Save your changes.

STEP 3 | Reboot Panorama.


1. Log in to the Panorama virtual appliance.
2. Select Panorama > Setup > Operaons and Reboot Panorama.


STEP 4 | Verify that the modified log storage capacity is correct.


1. Log in to the Panorama virtual appliance after it reboots.
2. Select Panorama > Setup > Management and verify that the Logging and Reporting
Settings section, Log Storage field, displays the modified log storage capacity accurately.

Migrate Logs to a New M-Series Appliance in Log Collector Mode


If you need to replace an M-600, M-500, M-200 or M-100 appliance in Log Collector mode
(Dedicated Log Collector), you can migrate the logs it collected from firewalls by moving its RAID
disks to a new M-Series appliance. This procedure enables you to recover logs after a system
failure on the M-Series appliance or to migrate logs as part of a hardware upgrade (from an M-100
appliance to an M-500 appliance).

Migrating logs by removing the logging disks from any M-Series appliance and loading
them into an M-600 Panorama management server is not supported. To migrate to an
M-600 appliance, set up the M-600 appliance, configure log forwarding to the new
M-600 appliance and configure the M-Series appliance as a managed Log Collector
until you no longer need access to the logs stored on the M-Series appliance.

STEP 1 | Perform inial setup of the new M-Series appliance that will be a Dedicated Log Collector.
1. Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware
Reference Guides for instrucons.
2. Perform Inial Configuraon of the M-Series Appliance.

When configuring interfaces, configure only the Management (MGT) interface.


Switching to Log Collector mode (later in this procedure) removes the
configuraons for any other interfaces. If the Log Collector will use interfaces
other than MGT, add them when configuring the Log Collector (see Step 2).
3. Register Panorama.
4. Purchase and acvate the Panorama support license or transfer licenses as follows only
if the new M-Series appliance is the same hardware model as the old M-Series appliance.

Panorama Administrator's Guide Version Version 10.1 602 ©2022 Palo Alto Networks, Inc.
Troubleshoong

If the new M-Series appliance is a different model than the old M-Series appliance, you
must purchase new licenses.
1. Log in to the Palo Alto Networks Customer Support web site.
2. Select the Assets tab and click the Spares link.
3. Click the Serial Number of the new M-Series appliance.
4. Click Transfer Licenses.
5. Select the old M-Series appliance and click Submit.
5. Acvate a firewall management license. If you are migrang from an M-100 appliance to
a M-500 appliance, enter the auth-code associated with the migraon license.
6. Install Content and Soware Updates for Panorama. For important details about
soware versions, see Panorama, Log Collector, Firewall, and WildFire Version
Compability.
7. Switch from Panorama mode to Log Collector mode:
1. Access the Log Collector CLI and switch to Log Collector mode:

> request system system-mode logger

2. Enter Y to confirm the mode change. The M-Series appliance reboots. If the reboot
process terminates your terminal emulation software session, reconnect to the M-
Series appliance to display the Panorama login prompt.

If you see a CMS Login prompt, press Enter without typing a username or
password.
8. Use the Log Collector CLI to enable connectivity between the Log Collector and the
Panorama management server. <IPaddress1> is for the MGT interface of the primary
Panorama and <IPaddress2> is for the MGT interface of the secondary Panorama.

> configure
# set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
# commit
# exit

STEP 2 | On the Panorama management server, add the new Log Collector as a managed collector.

For all steps with commands that require a serial number, you must type the entire
serial number; pressing the Tab key won't complete a partial serial number.

1. Configure the Log Collector as a managed collector using the Panorama web interface or
using the following CLI commands:

> configure
# set log-collector <LC_serial_number> deviceconfig system hostname <LC_hostname>
# exit

If the old Log Collector used interfaces other than the MGT interface for log
collection and Collector Group communication, you must define those interfaces
on the new Log Collector when you configure it as a managed collector
(Panorama > Managed Collectors > Interfaces).
2. Verify that the Log Collector is connected to Panorama and that the status of its disk
pairs is present/available.

> show log-collector serial-number <log-collector_SN>

The disk pairs will display as disabled at this stage of the restoration process.
3. Commit your changes to Panorama. Don't commit the changes to the Collector Group
just yet.

> configure
# commit
# exit

STEP 3 | Remove the RAID disks from the old Log Collector.
1. Power off the old Log Collector by pressing the Power button until the system shuts
down.
2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-
Series Appliance Hardware Reference Guides.

STEP 4 | Prepare the disks for migration.

Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending
on the data size, this process can take a long time to complete. To expedite the process,
you can launch multiple CLI sessions and run the metadata regeneration command
in each session to complete the process simultaneously for every pair. For details, see
Regenerate Metadata for M-Series Appliance RAID Pairs.

1. Insert the disks into the new Log Collector. For details, refer to the disk replacement
procedure in the M-Series Appliance Hardware Reference Guides.

The disk carriers of the M-100 appliance are incompatible with those of the
M-500 appliance. Therefore, when migrating between these hardware models,
you must unscrew each disk from its old carrier and insert the disk in the new
carrier before inserting the disk in the new appliance.

You must maintain the disk pair association. Although you can place a disk pair from
slot A1/A2 on the old appliance into slot B1/B2 on the new appliance, you must keep
the disks together in the same slot; otherwise, Panorama might not restore the data
successfully.
2. Enable the disk pairs by running the following CLI command for each pair:

> request system raid add <slot> force no-format

For example:

> request system raid add A1 force no-format
> request system raid add A2 force no-format

The force and no-format arguments are required. The force argument associates
the disk pair with the new Log Collector. The no-format argument prevents
reformatting of the drives and retains the logs stored on the disks.
3. Generate the metadata for each disk pair.

> request metadata-regenerate slot <slot_number>

For example:

> request metadata-regenerate slot 1

STEP 5 | Add a Log Collector with no disks to a Collector Group.

From this point, only commits that are required to complete the migraon process on
Panorama and the Log Collectors. Hold off making any other changes.

1. Access the Panorama CLI.
2. Override the Panorama restriction so that a Log Collector with no disks can be added to a
Collector Group:

> request log-migration-set-start

STEP 6 | Migrate the logs.

You must use the Panorama CLI for this step, not the web interface.

You must assign the new Log Collector to the Collector Group that contains the old Log
Collector.
1. Assign the new Log Collector to the Collector Group and commit your changes to
Panorama.

> configure
# set log-collector-group <collector_group_name> logfwd-setting collectors <new_LC_serial_number>
# commit
# exit

2. For each disk pair, migrate the logs from the old Log Collector to the new Log Collector
and attach the disk pair to the new Log Collector.

> request log-migration from <old_LC_serial_number> old-disk-pair <log_disk_pair> to <new_LC_serial_number> new-disk-pair <log_disk_pair>

For example:

> request log-migration from 003001000010 old-disk-pair A to 00300100038 new-disk-pair A

STEP 7 | Reconfigure the Collector Group.

1. Use the web interface to assign the new Log Collector to the firewalls that forward logs
(Panorama > Collector Groups > Device Log Forwarding). Give the new Log Collector the
same priority in the firewall preference lists as the old Log Collector.

You cannot use the CLI to change the priority assignments of firewall preference
lists.
2. Delete the old Log Collector from the Collector Group.

> configure
# delete log-collector-group <group_name> logfwd-setting collectors <old_LC_serial_number>

For example:

# delete log-collector-group DC-Collector-Group logfwd-setting collectors 003001000010

3. Delete the old Log Collector from the Panorama configuration and commit your changes
to Panorama.

# delete log-collector <old_LC_serial_number>
# commit
# exit

4. Commit the Collector Group changes so that the managed firewalls can send logs to the
new Log Collector.

> commit-all log-collector-config log-collector-group <collector_group_name>

For example:

> commit-all log-collector-config log-collector-group DC-Collector-Group

STEP 8 | Generate new keys on the new Dedicated Log Collector.

This command is required in order to add the new Log Collector to the Collector Group
and should only be run for the Collector Group of the Log Collector being replaced. This
step deletes the existing RSA keys and allows Panorama to create new RSA keys.

1. Access the Panorama CLI.
2. Delete all RSA keys on the new Log Collector:

> request logdb update-collector-group-after-replace collector-group <collector-group-name>

The process can take up to 10 minutes to complete.

STEP 9 | Confirm that SearchEngine Status is Active for all Log Collectors in the Collector Group.

Do not continue until SearchEngine Status is Active for all Log Collectors in the
Collector Group. Continuing before then will result in purging of logs from the Log Collector
being replaced.

1. Access the Panorama CLI.
2. Show the Log Collector details by running one of the following commands:
• On Panorama, for all Log Collectors:

> show log-collector all

Alternatively, you can run the following command on each Dedicated Log
Collector:

> show log-collector detail

3. Confirm that SearchEngine Status is Active.

Redistribution status: none
Last commit-all: commit succeeded, current ring version 1
SearchEngine status: Active
md5sum 4e5055a359f7662fab8f8c4f57e24525 updated at 2017/06/14 09:58:19

STEP 10 | On the new Log Collector, replace the previous Log Collector serial number with the new Log
Collector serial number.
You must replace the old Log Collector serial number with the new Log Collector serial number
so that the new Log Collector will not run into purging issues, which would leave the Log Collector
unable to purge old data from the migrated logs when necessary.
1. Access the Log Collector CLI.
2. Replace the old Log Collector serial number with the new Log Collector serial number:

> request log-migration-update-logger from <old-log-collector-serial-number> to <new-log-collector-serial-number>

Migrate Logs to a New M-Series Appliance in Panorama Mode

If you need to replace an M-600, M-500, M-200 or M-100 appliance in Panorama mode
(Panorama management server), you can migrate the logs it collected from firewalls by moving its
RAID disks to the new M-Series appliance. Moving the disks enables you to recover logs after a
system failure on the M-Series appliance or to migrate logs as part of a hardware upgrade (from an
M-100 appliance to an M-500 appliance).

Migrating logs by removing the logging disks from any M-Series appliance and loading
them into an M-600 Panorama management server is not supported. To migrate to an
M-600 appliance, set up the M-600 appliance, configure log forwarding to the new
M-600 appliance, and configure the old M-Series appliance as a managed Log Collector
until you no longer need access to the logs stored on it.

This migration procedure covers the scenario where you are replacing a single M-Series
appliance (not in an HA configuration) that has a managed collector (Log Collector) in a Collector Group.
STEP 1 | Forward any logs on the SSD of the old M-Series appliance to an external destination if you
want to preserve them.
The SSD stores the System and Config logs that Panorama and Log Collectors generate. You
cannot move the SSD between M-Series appliances.
Configure Log Forwarding from Panorama to External Destinations.

STEP 2 | Export the Panorama configuration from the decommissioned M-Series appliance in
Panorama mode.
1. Log in to the Panorama appliance and select Panorama > Setup > Operations.
2. Click Save named Panorama configuration snapshot, enter a Name to identify the
configuration, and click OK.
3. Click Export named Panorama configuration snapshot, select the Name of the
configuration you just saved, and click OK. Panorama exports the configuration to your
client system as an XML file.

STEP 3 | Remove the RAID disks from the old M-Series appliance.
1. Power off the old M-Series appliance by pressing the Power button until the system
shuts down.
2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-Series
Appliance Hardware Reference Guides.

STEP 4 | Perform initial setup of the new M-Series appliance.

1. Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware
Reference Guides for instructions.
2. Perform Initial Configuration of the M-Series Appliance.
3. Register Panorama.
4. Purchase and activate a Panorama support license, or transfer licenses as follows only if
the new M-Series appliance is the same hardware model as the old M-Series appliance.
If the new M-Series appliance is a different model than the old M-Series appliance, you
must purchase new licenses.
1. Log in to the Palo Alto Networks Customer Support web site.
2. Select the Assets tab and click the Spares link.
3. Click the Serial Number of the new M-Series appliance.
4. Click Transfer Licenses.
5. Select the old M-Series appliance and click Submit.
5. Activate a firewall management license. If you are migrating from an M-100 appliance to
an M-500 appliance, enter the auth-code associated with the migration license.
6. Install Content and Software Updates for Panorama. For important details about
software versions, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility.

STEP 5 | Load the Panorama configuration snapshot that you exported from the decommissioned M-Series
appliance into the new M-Series appliance in Panorama mode.
1. Log in to the Panorama Web Interface of the new M-Series appliance and select
Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the configuration file
you exported from the decommissioned M-Series appliance, and click OK.
3. Click Load named Panorama configuration snapshot, select the Name of the
configuration you just imported, select a Decryption Key (the master key for Panorama),
and click OK. Panorama overwrites its current candidate configuration with the loaded
configuration. Panorama displays any errors that occur when loading the configuration
file. If errors occurred, save them to a local file. Resolve each error to ensure the
migrated configuration is valid.

To replace an RMA Panorama, make sure you Retain Rule UUIDs when you load
the named Panorama configuration snapshot. If you do not select this option,
Panorama removes all previous rule UUIDs from the configuration snapshot and
assigns new UUIDs to the rules on Panorama, which means it does not retain
information associated with the previous UUIDs, such as the policy rule hit
count.
4. Perform any additional configuration changes as needed.

If the old M-Series appliance used interfaces other than the MGT interface for
Panorama services (such as log collection), you must define those interfaces on
the new M-Series appliance (Panorama > Setup > Interfaces).
5. Select Commit > Commit to Panorama and Validate Commit. Resolve any errors before
proceeding.
6. Commit your changes to the Panorama configuration.

STEP 6 | Insert the disks into the new M-Series appliance. For details, refer to the disk replacement
procedure in the M-Series Appliance Hardware Reference Guides.

The disk carriers of the M-100 appliance are incompatible with those of the M-500
appliance. Therefore, when migrating between these hardware models, you must
unscrew each disk from its old carrier and insert the disk in the new carrier before
inserting the disk in the new appliance.

You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2
on the old appliance into slot B1/B2 on the new appliance, you must keep the disks together in
the same slot; otherwise, Panorama might not restore the data successfully.

STEP 7 | Contact Palo Alto Networks Customer Support to copy log collector group metadata from
the decommissioned M-Series appliance to the new M-Series appliance and restart the
mgmtsrvr process.

STEP 8 | If the M-Series appliance was part of a Collector Group, verify that the decommissioned M-Series
appliance serial number is still part of the correct Collector Group:

admin> debug log-collector-group show name <Log Collector Group name>

If the decommissioned M-Series appliance serial number is no longer a part of the correct
Collector Group, then the Tech Support folders were incorrectly copied in the previous step.
Contact Palo Alto Networks Customer Support again to copy the Tech Support folders to the
correct location.

STEP 9 | Prepare the disks for migration.

Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending
on the data size, this process can take a long time to complete. To expedite the process,
you can launch multiple CLI sessions and run the metadata regeneration command
in each session to complete the process simultaneously for every pair. For details, see
Regenerate Metadata for M-Series Appliance RAID Pairs.

1. Insert the disks into the new M-Series appliance. For details, refer to the disk
replacement procedure in the M-Series Appliance Hardware Reference Guides.

The disk carriers of the M-100 appliance are incompatible with those of the
M-500 appliance. Therefore, when migrating between these hardware models,
you must unscrew each disk from its old carrier and insert the disk in the new
carrier before inserting the disk in the new appliance.

You must maintain the disk pair association. Although you can place a disk pair from
slot A1/A2 on the old appliance into slot B1/B2 on the new appliance, you must keep
the disks together in the same slot; otherwise, Panorama might not restore the data
successfully.
2. Enable the disk pairs by running the following CLI command for each pair:

admin> request system raid add <slot> force no-format

For example:

admin> request system raid add A1 force no-format
admin> request system raid add A2 force no-format

The force and no-format arguments are required. The force argument associates the disk
pair with the new appliance. The no-format argument prevents reformatting of the drives
and retains the logs stored on the disks.
3. Generate the metadata for each disk pair.

This step may take up to 6 hours depending on the volume of log data on the
disks.

admin> request metadata-regenerate slot <slot_number>

For example:

admin> request metadata-regenerate slot 1

STEP 10 | Configure the local Log Collector on the new M-Series appliance.

For all steps with commands that require a serial number, you must type the entire
serial number; pressing the Tab key won’t complete a partial serial number.

Don’t enable the disks on the new M-Series appliance at this point. When you successfully
migrate the logs, Panorama automatically enables the disks.
1. Configure the local Log Collector as a managed collector using the Panorama web
interface or using the following CLI commands:

admin> configure
admin# set log-collector <log-collector_SN> deviceconfig system hostname <log-collector-hostname>
admin# exit

2. Verify that the local Log Collector is connected to Panorama and that the status of its
disk pairs is present/available.

admin> show log-collector serial-number <log-collector_SN>

The disk pairs will display as disabled at this stage of the restoration process.
3. Commit your changes to Panorama. Don’t commit the changes to the Collector Group
just yet.

admin> configure
admin# commit

STEP 11 | Add a Log Collector with no disks to a Collector Group.

From this point, make only the commits that are required to complete the migration process on
Panorama and the Log Collectors. Hold off making any other changes.

1. Access the Panorama CLI of the new M-Series appliance.
2. Override the Panorama restriction so that a Log Collector with no disks can be added to a
Collector Group:

admin> request log-migration-set-start

3. Commit the overridden restriction:

admin> configure
admin# commit force

STEP 12 | Migrate the logs.

1. Access the Panorama CLI of the new M-Series appliance.
2. Add the new local Log Collector as a member of the Collector Group and commit your
changes to Panorama.

admin# set log-collector-group <collector_group_name> logfwd-setting collectors <SN_managed_collector>
admin# commit
admin# exit

The old local Log Collector still appears in the list of members, because you haven’t
deleted it from the configuration.
3. For each disk pair, migrate the logs to the new appliance.

admin> request log-migration from <old_LC_serial_number> old-disk-pair <log_disk_pair> to <new_LC_serial_number> new-disk-pair <log_disk_pair>

For example:

admin> request log-migration from 003001000010 old-disk-pair A to 00300100038 new-disk-pair A

4. Commit the changes to Panorama.

admin> configure
admin# commit

STEP 13 | Reconfigure the Collector Group.

1. Log in to the Panorama Web Interface of the new M-Series appliance to assign the new
Log Collector to the firewalls that forward logs (Panorama > Collector Groups > Device
Log Forwarding). Give the new Log Collector the same priority in the firewall preference
lists as the old Log Collector.

You cannot use the CLI to change the priority assignments of firewall preference
lists.
2. Access the Panorama CLI of the new M-Series appliance.
3. Delete the old Log Collector from the Collector Group.

admin# delete log-collector-group <group_name> logfwd-setting collectors <old_LC_serial_number>

For example:

admin# delete log-collector-group DC-Collector-Group logfwd-setting collectors 003001000010

4. Delete the old Log Collector from the Panorama configuration and commit your changes
to Panorama.

admin# delete log-collector <old_LC_serial_number>
admin# commit
admin# exit

5. Commit the Collector Group changes so that the managed firewalls can send logs to the
new Log Collector.

admin> commit-all log-collector-config log-collector-group <collector_group_name>

For example:

admin> commit-all log-collector-config log-collector-group DC-Collector-Group

STEP 14 | Generate new keys on the new Log Collector.

This command is required in order to add the new Log Collector to the Collector Group
and should only be run for the Collector Group of the Log Collector being replaced. This
step deletes the existing RSA keys and allows Panorama to create new RSA keys.

1. Access the Panorama CLI of the new M-Series appliance.
2. Delete all RSA keys on the new Log Collector:

admin> request logdb update-collector-group-after-replace collector-group <collector-group-name>

The process can take up to 10 minutes to complete.

STEP 15 | Confirm that SearchEngine Status is Active for all Log Collectors in the Collector Group.

Do not continue until SearchEngine Status is Active for all Log Collectors in the
Collector Group. Continuing before then will result in purging of logs from the Log Collector
being replaced.

1. Access the Panorama CLI of the new M-Series appliance.
2. Show the Log Collector details by running one of the following commands:
• On Panorama, for all Log Collectors:

admin> show log-collector all

Alternatively, you can run the following command on each Dedicated Log
Collector:

admin> show log-collector detail

3. Confirm that SearchEngine Status is Active.

Redistribution status: none
Last commit-all: commit succeeded, current ring version 1
SearchEngine status: Active
md5sum 4e5055a359f7662fab8f8c4f57e24525 updated at 2017/06/14 09:58:19

STEP 16 | On the new Log Collector, replace the previous Log Collector serial number with the new Log
Collector serial number.
You must replace the old Log Collector serial number with the new Log Collector serial number
so that the new Log Collector will not run into purging issues, which would leave the Log Collector
unable to purge old data from the migrated logs when necessary.
1. Access the Log Collector CLI.
2. Replace the old Log Collector serial number with the new Log Collector serial number:

admin> request log-migration-update-logger from <old-log-collector-serial-number> to <new-log-collector-serial-number>

Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability

If you need to replace an M-600, M-500, M-200 or M-100 appliance in Panorama mode
(Panorama management server) with a different M-Series appliance model than the one
being replaced, you can migrate the logs it collected from firewalls by moving its RAID disks to
the new M-Series appliance. Moving the disks enables you to migrate logs as part of a hardware
upgrade (from an M-100 appliance to an M-500 appliance). You can migrate an M-100 appliance
to and from an M-500 appliance. M-100 and M-500 appliances cannot be migrated to or from
M-200 or M-600 appliances.

Migrating logs by removing the logging disks from any M-Series appliance and loading
them into an M-600 Panorama management server is not supported. To migrate to an
M-600 appliance, set up the M-600 appliance, configure log forwarding to the new
M-600 appliance, and configure the old M-Series appliance as a managed Log Collector
until you no longer need access to the logs stored on it.

This migration procedure covers the following scenarios:

• One Panorama HA peer has a managed collector (Log Collector) in a Collector Group.

Figure 28: Panorama HA Peer with Collector Group

• Both Panorama HA peers have managed collectors that belong to a single Collector Group. For
details, see Multiple Local Log Collectors Per Collector Group.
• Both Panorama HA peers have a managed collector and each is assigned to a separate
Collector Group. For details, see Single Local Log Collector Per Collector Group.
STEP 1 | Forward any logs on the SSD of the old M-Series appliance to an external destination if you
want to preserve them.
The SSD stores the System and Config logs that Panorama and Log Collectors generate. You
cannot move the SSD between M-Series appliances.
Configure Log Forwarding from Panorama to External Destinations.

STEP 2 | Export the Panorama configuration from the Primary decommissioned M-Series appliance in
Panorama mode.
1. Log in to the Panorama Web Interface of the M-Series appliance you are replacing and
select Panorama > Setup > Operations.
2. Click Save named Panorama configuration snapshot, enter a Name to identify the
configuration, and click OK.
3. Click Export named Panorama configuration snapshot, select the Name of the
configuration you just saved, and click OK. Panorama exports the configuration to your
client system as an XML file.

STEP 3 | Remove the RAID disks from the old M-Series appliance.
1. Power off the old M-Series appliance by pressing the Power button until the system
shuts down.
2. Remove the disk pairs. For details, refer to the disk replacement procedure in the M-Series
Appliance Hardware Reference Guides.

STEP 4 | Perform initial setup of the new M-Series appliance.

Repeat this step for each of the new M-Series appliances in the HA configuration.
1. Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware
Reference Guides for instructions.
2. Perform Initial Configuration of the M-Series Appliance.
3. Register Panorama.
4. Purchase and activate a Panorama support license, or transfer licenses as follows only if
the new M-Series appliance is the same hardware model as the old M-Series appliance.
If the new M-Series appliance is a different model than the old M-Series appliance, you
must purchase new licenses.
1. Log in to the Palo Alto Networks Customer Support web site.
2. Select the Assets tab and click the Spares link.
3. Click the Serial Number of the new M-Series appliance.
4. Click Transfer Licenses.
5. Select the old M-Series appliance and click Submit.
5. Activate a firewall management license. If you are migrating from an M-100 appliance to
an M-500 appliance, enter the auth-code associated with the migration license.
6. Install Content and Software Updates for Panorama. For important details about
software versions, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility.
7. Set Up HA on Panorama. The new M-Series appliance must have the same priority as the
HA peer you are replacing.

STEP 5 | Load the Panorama configuration snapshot that you exported from the Primary
decommissioned M-Series appliance into the new Primary M-Series appliance in Panorama
mode.
1. Log in to the Panorama Web Interface of the new M-Series appliance and select
Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the configuration file
you exported from the decommissioned M-Series appliance, and click OK.
3. Click Load named Panorama configuration snapshot, select the Name of the
configuration you just imported, select a Decryption Key (the master key for Panorama),
and click OK. Panorama overwrites its current candidate configuration with the loaded
configuration. Panorama displays any errors that occur when loading the configuration
file. If errors occurred, save them to a local file. Resolve each error to ensure the
migrated configuration is valid.

To replace an RMA Panorama, make sure you Retain Rule UUIDs when you load
the named Panorama configuration snapshot. If you do not select this option,
Panorama removes all previous rule UUIDs from the configuration snapshot and
assigns new UUIDs to the rules on Panorama, which means it does not retain
information associated with the previous UUIDs, such as the policy rule hit
count.
4. Perform any additional configuration changes as needed.

If the old M-Series appliance used interfaces other than the MGT interface for
Panorama services (such as log collection), you must define those interfaces on
the new M-Series appliance (Panorama > Setup > Interfaces).
5. Select Commit > Commit to Panorama and Validate Commit. Resolve any errors before
proceeding.
6. Commit your changes to the Panorama configuration. Once committed, the Panorama
configuration is synced across the HA peers.

STEP 6 | Insert the disks into the new M-Series appliance. For details, refer to the disk replacement
procedure in the M-Series Appliance Hardware Reference Guides.
Repeat this step for each of the new M-Series appliances in the HA configuration.

The disk carriers of the M-100 appliance are incompatible with those of the M-500
appliance. Therefore, when migrating between these hardware models, you must
unscrew each disk from its old carrier and insert the disk in the new carrier before
inserting the disk in the new appliance.

You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2
on the old appliance into slot B1/B2 on the new appliance, you must keep the disks together in
the same slot; otherwise, Panorama might not restore the data successfully.

STEP 7 | Contact Palo Alto Networks Customer Support to copy log collector group metadata from
the decommissioned M-Series appliance to the new M-Series appliance and restart the
mgmtsrvr process.

STEP 8 | If the M-Series appliance was part of a Collector Group, verify that the decommissioned M-Series
appliance serial number is still part of the correct Collector Group:

admin> debug log-collector-group show name <Log Collector Group name>

If the decommissioned M-Series appliance serial number is no longer a part of the correct
Collector Group, then the Tech Support folders were incorrectly copied in the previous step.
Contact Palo Alto Networks Customer Support again to copy the Tech Support folders to the
correct location.

STEP 9 | Prepare the disks for migration.

Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending
on the data size, this process can take a long time to complete. To expedite the process,
you can launch multiple CLI sessions and run the metadata regeneration command
in each session to complete the process simultaneously for every pair. For details, see
Regenerate Metadata for M-Series Appliance RAID Pairs.

1. Enable the disk pairs by running the following CLI command for each pair:

admin> request system raid add <slot> force no-format

For example:

admin> request system raid add A1 force no-format
admin> request system raid add A2 force no-format

The force and no-format arguments are required. The force argument associates the disk
pair with the new appliance. The no-format argument prevents reformatting of the drives
and retains the logs stored on the disks.
2. Generate the metadata for each disk pair.

This step may take up to 6 hours depending on the volume of log data on the
disks.

admin> request metadata-regenerate slot <slot_number>

For example:

admin> request metadata-regenerate slot 1

STEP 10 | Configure the local Log Collector on the new M-Series appliance.

For all steps with commands that require a serial number, you must type the entire
serial number; pressing the Tab key won’t complete a partial serial number.

Don’t enable the disks on the new M-Series appliance at this point. When you successfully
migrate the logs, Panorama automatically enables the disks.
1. Configure the local Log Collector as a managed collector using the Panorama web
interface or using the following CLI commands:

admin> configure
admin# set log-collector <log-collector_SN> deviceconfig system hostname <log-collector-hostname>
admin# exit

2. Commit your changes to Panorama. Don’t commit the changes to the Collector Group
just yet.

admin> configure
admin# commit

3. Verify that the local Log Collector is connected to Panorama and that the status of its
disk pairs is present/available.

admin> show log-collector serial-number <log-collector_SN>

The disk pairs will display as disabled at this stage of the restoration process.

STEP 11 | Add a Log Collector with no disks to a Collector Group.

From this point, make only the commits that are required to complete the migration process on
Panorama and the Log Collectors. Hold off making any other changes.

1. Access the Panorama CLI of the new M-Series appliance.
2. Override the Panorama restriction so that a Log Collector with no disks can be added to a
Collector Group:

admin> request log-migration-set-start

3. Commit the changes to Panorama.

admin> configure
admin# commit force

STEP 12 | Migrate the logs.

1. Access the Panorama CLI of the new M-Series appliance.
2. Add the new local Log Collector as a member of the Collector Group and commit your
changes to Panorama.

admin# set log-collector-group <collector_group_name> logfwd-setting collectors <SN_managed_collector>
admin# commit
admin# exit

The old local Log Collector still appears in the list of members, because you haven’t
deleted it from the configuration.
3. For each disk pair, migrate the logs to the new appliance.

admin> request log-migration from <old_LC_serial_number> old-disk-pair <log_disk_pair> to <new_LC_serial_number> new-disk-pair <log_disk_pair>

For example:

admin> request log-migration from 003001000010 old-disk-pair A to 00300100038 new-disk-pair A

4. Commit the changes to Panorama.

admin> configure
admin# commit
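
The migrate-and-reconfigure sequence in STEP 12 and STEP 13 here, and the equivalent steps in the two preceding procedures in this section, are easy to get wrong when typed by hand: a disk pair split across two slots, a partial serial number (which Tab completion will not finish), or a migration command run before request log-migration-set-start. The following Python script is an added example, not part of this guide or of PAN-OS: it validates those inputs and prints the CLI commands in the guide's order so an operator can review the whole plan before running any of it. The serial numbers and Collector Group name are the guide's own example values; the mapping of disk pair letters to metadata-regenerate slot numbers (A to 1, B to 2) and the host labels are assumptions.

```python
import re

# Values taken from the guide's own examples.
OLD_LC_SN = "003001000010"
NEW_LC_SN = "00300100038"
COLLECTOR_GROUP = "DC-Collector-Group"


def slot_number(pair):
    """Assumption: pair letters map to metadata-regenerate slot numbers in order
    (A -> 1, B -> 2, ...). Confirm this against the Regenerate Metadata for
    M-Series Appliance RAID Pairs section for your model before relying on it."""
    return ord(pair) - ord("A") + 1


def validate_serial(sn):
    """The guide warns that Tab completion will not finish a partial serial number,
    so refuse anything that is not a complete, digits-only serial."""
    if not re.fullmatch(r"\d+", sn):
        raise ValueError(f"serial number must be complete and numeric: {sn!r}")
    return sn


def validate_pair_map(pair_map):
    """pair_map maps an old disk pair letter to the new slot letter it now occupies.
    A pair may move (A on the old appliance to B on the new), but its two disks must
    stay together, so no two old pairs may be mapped to the same new slot."""
    taken = {}
    for old, new in pair_map.items():
        for letter in (old, new):
            if not re.fullmatch(r"[A-Z]", letter):
                raise ValueError(f"disk pair must be a single letter A-Z: {letter!r}")
        if new in taken:
            raise ValueError(f"new slot {new} assigned to both pair {taken[new]} and pair {old}")
        taken[new] = old
    return pair_map


def build_plan(old_sn, new_sn, group, pair_map):
    """Return the guide's CLI sequence as an ordered list of (host, command) tuples.
    host is 'new-lc' (the new Log Collector), 'panorama', or 'manual' for steps the
    guide performs in the web interface or as a wait condition (labels are assumed)."""
    validate_serial(old_sn)
    validate_serial(new_sn)
    if old_sn == new_sn:
        raise ValueError("old and new serial numbers must differ")
    validate_pair_map(pair_map)
    plan = []
    # Prepare the disks: force re-associates the pair, no-format keeps the logs.
    for new in pair_map.values():
        plan.append(("new-lc", f"request system raid add {new}1 force no-format"))
        plan.append(("new-lc", f"request system raid add {new}2 force no-format"))
        plan.append(("new-lc", f"request metadata-regenerate slot {slot_number(new)}"))
    # Allow a diskless collector into the group, then add it and commit to Panorama.
    plan.append(("panorama", "request log-migration-set-start"))
    plan.append(("panorama", "configure"))
    plan.append(("panorama", f"set log-collector-group {group} logfwd-setting collectors {new_sn}"))
    plan.append(("panorama", "commit"))
    plan.append(("panorama", "exit"))
    # Migrate every pair to the slot it now occupies.
    for old, new in pair_map.items():
        plan.append(("panorama", f"request log-migration from {old_sn} old-disk-pair {old} "
                                 f"to {new_sn} new-disk-pair {new}"))
    # Firewall preference-list priority can only be set in the web interface.
    plan.append(("manual", "Panorama > Collector Groups > Device Log Forwarding: give the new "
                           "Log Collector the same priority the old one had"))
    # Remove the old collector, push the group config, regenerate the RSA keys.
    plan.append(("panorama", "configure"))
    plan.append(("panorama", f"delete log-collector-group {group} logfwd-setting collectors {old_sn}"))
    plan.append(("panorama", f"delete log-collector {old_sn}"))
    plan.append(("panorama", "commit"))
    plan.append(("panorama", "exit"))
    plan.append(("panorama", f"commit-all log-collector-config log-collector-group {group}"))
    plan.append(("panorama", f"request logdb update-collector-group-after-replace collector-group {group}"))
    plan.append(("manual", "wait until SearchEngine status is Active on every collector in the group"))
    plan.append(("new-lc", f"request log-migration-update-logger from {old_sn} to {new_sn}"))
    return plan


if __name__ == "__main__":
    for host, cmd in build_plan(OLD_LC_SN, NEW_LC_SN, COLLECTOR_GROUP, {"A": "A", "B": "B"}):
        print(f"[{host}] {cmd}")
```

The script only prints commands; nothing is sent to an appliance. The pair map is the one input worth double-checking against the physical slots before the plan is run, since a pair that lands in the wrong slot is exactly the case the guide says Panorama may fail to restore.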

STEP 13 | Reconfigure the Collector Group.


1. Log in to the Panorama Web Interface of the new M-Series appliance to assign the new
Log Collector to the firewalls that forward logs (Panorama > Collector Groups > Device

Panorama Administrator's Guide Version Version 10.1 622 ©2022 Palo Alto Networks, Inc.
Troubleshoong

Log Forwarding). Give the new Log Collector the same priority in the firewall preference
lists as the old Log Collector.

You cannot use the CLI change the priority assignments of firewall preference
lists.
2. Access the Panorama CLI of the new M-Series appliance.
3. Delete the old Log Collector from the Collector Group.

admin# delete log-collector-group <group_name> logfwd-setting


collectors <old_LC_serial_number>

For example:

admin# delete log-collector-group DC-Collector-Group logfwd-


setting collectors 003001000010

4. Delete the old Log Collector from the Panorama configuraon and commit your changes
to Panorama.

admin# delete log-collector <old_LC_serial_number>
admin# commit
admin# exit

5. Commit the Collector Group changes so that the managed firewalls can send logs to the
new Log Collector.

admin> commit-all log-collector-config log-collector-group <collector_group_name>

For example:

admin> commit-all log-collector-config log-collector-group DC-Collector-Group

STEP 14 | Generate new keys on the new Log Collector.

This command is required in order to add the new Log Collector to the Collector Group
and should only be run for the Collector Group of the Log Collector being replaced. This
step deletes the existing RSA keys and allows Panorama to create new RSA keys.

1. Access the Panorama CLI of the new M-Series appliance.


2. Delete all RSA keys on the new Log Collector:

request logdb update-collector-group-after-replace collector-group <collector-group-name>

The process can take up to 10 minutes to complete.

STEP 15 | Confirm that SearchEngine Status is Active for all Log Collectors in the Collector Group.

Do not continue until SearchEngine Status is Active for all Log Collectors in the
Collector Group. Continuing before SearchEngine Status is Active results in purging of logs
from the Log Collector being replaced.

1. Access the Panorama CLI of the new M-Series appliance.


2. Show the Log Collector details by running one of the following commands:
• On Panorama, for all Log Collectors:

show log-collector all

• Alternatively, on each Dedicated Log Collector:

show log-collector detail

3. Confirm that SearchEngine Status is Active.

Redistribution status: none

Last commit-all: commit succeeded, current ring version 1

SearchEngine status: Active

md5sum 4e5055a359f7662fab8f8c4f57e24525 updated at 2017/06/14 09:58:19

STEP 16 | On the new Log Collector, replace previous Log Collector serial number with the new Log
Collector serial number.
You must replace the old Log Collector serial number with the new Log Collector serial number
so that the new Log Collector will not run into purging issues, resulting in the Log Collector
being unable to purge old data from the migrated logs when necessary.
1. Access the Log Collector CLI.
2. Replace the old Log Collector serial number with the new Log Collector serial number:

request log-migration-update-logger from <old-log-collector-serial-number> to <new-log-collector-serial-number>

STEP 17 | Set up the new secondary Panorama high availability peer.


1. Forward any logs on the SSD of the old M-Series appliance to an external destination if
you want to preserve them.
2. Remove the RAID disks from the old M-Series appliance.
3. Perform initial setup of the new M-Series appliance.
4. Insert the disks into the new M-Series appliance.
5. Repeat Steps 7 through 16 to migrate the logs from the old M-Series appliance to the
new M-Series appliance.
6. Set Up HA on Panorama. The new M-Series appliance must have the same priority as the
HA peer you are replacing.
7. Log in to the Panorama Web Interface of the primary HA peer and click Dashboard
> High Availability > Sync to peer to synchronize the configuration of the M-Series
appliance HA peers.

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

If you need to replace an M-600, M-500, M-200, or M-100 appliance deployed in a high availability
(HA) configuration in Panorama mode (Panorama management server) with the same M-Series
appliance model as the M-Series appliance being replaced, you can migrate the logs it collected from
firewalls by moving its RAID disks to the new M-Series appliance. Moving the disks enables you to
recover logs after a system failure on the M-Series appliance.
This migration procedure covers the following scenarios:
• One Panorama HA peer has a managed collector (Log Collector) in a Collector Group.

Figure 29: Panorama HA Peer with Collector Group

• Both Panorama HA peers have managed collectors that belong to a single Collector Group. For
details, see Multiple Local Log Collectors Per Collector Group.
• Both Panorama HA peers have a managed collector and each is assigned to a separate
Collector Group. For details, see Single Local Log Collector Per Collector Group.
STEP 1 | Forward any logs on the SSD of the old M-Series appliance to an external destination if you
want to preserve them.
The SSD stores the System and Config logs that Panorama and Log Collectors generate. You
cannot move the SSD between M-Series appliances.
Configure Log Forwarding from Panorama to External Destinations.

STEP 2 | Remove the RAID disks from the old M-Series appliance.
1. Power off the old M-Series appliance by pressing the Power button until the system
shuts down.
2. Remove the disk pairs. For details, refer to the disk replacement procedure in the
M-Series Appliance Hardware Reference Guides.

STEP 3 | Perform initial setup of the new M-Series appliance.

1. Rack mount the M-Series appliance. Refer to the M-Series Appliance Hardware
Reference Guides for instructions.
2. Perform Initial Configuration of the M-Series Appliance.

If the old M-Series appliance used interfaces other than the MGT interface for
Panorama services (such as log collection), you must define those interfaces
during initial configuration of the new M-Series appliance (Panorama > Setup >
Interfaces).
3. Register Panorama.
4. Purchase and activate a Panorama support license or transfer licenses as follows only if
the new M-Series appliance is the same hardware model as the old M-Series appliance.
If the new M-Series appliance is a different model than the old M-Series appliance, you
must purchase new licenses.
1. Log in to the Palo Alto Networks Customer Support web site.
2. Select the Assets tab and click the Spares link.
3. Click the Serial Number of the new M-Series appliance.
4. Click Transfer Licenses.
5. Select the old M-Series appliance and click Submit.
5. Activate a firewall management license. If you are migrating from an M-100 appliance to
an M-500 appliance, enter the auth-code associated with the migration license.
6. Install Content and Software Updates for Panorama. For important details about
software versions, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility.
7. Perform any additional configuration changes as needed.

If the old M-Series appliance used interfaces other than the MGT interface for
Panorama services (such as log collection), you must define those interfaces on
the new M-Series appliance (Panorama > Setup > Interfaces).
8. Set Up HA on Panorama. The new M-Series appliance must have the same priority as the
HA peer you are replacing.

STEP 4 | Insert the disks into the new M-Series appliance. For details, refer to the disk replacement
procedure in the M-Series Appliance Hardware Reference Guides.

The disk carriers of the M-100 appliance are incompatible with those of the M-500
appliance. Therefore, when migrating between these hardware models, you must
unscrew each disk from its old carrier and insert the disk in the new carrier before
inserting the disk in the new appliance.

You must maintain the disk pair association. Although you can place a disk pair from slot A1/A2
on the old appliance into slot B1/B2 on the new appliance, you must keep the disks together in
the same slot; otherwise, Panorama might not restore the data successfully.

STEP 5 | If the M-Series appliance was part of a Collector Group, verify that the decommissioned
M-Series appliance serial number is still part of the correct Collector Group:

debug log-collector-group show name <Log Collector Group name>

STEP 6 | Prepare the disks for migration.

Generating the metadata for each disk pair rebuilds the indexes. Therefore, depending
on the data size, this process can take a long time to complete. To expedite the process,
you can launch multiple CLI sessions and run the metadata regeneration command
in each session to complete the process simultaneously for every pair. For details, see
Regenerate Metadata for M-Series Appliance RAID Pairs.

1. Enable the disk pairs by running the following CLI command for each pair:

admin> request system raid add <slot> force no-format

For example:

admin> request system raid add A1 force no-format


admin> request system raid add A2 force no-format

The force and no-format arguments are required. The force argument associates the disk
pair with the new appliance. The no-format argument prevents reformatting of the drives
and retains the logs stored on the disks.
2. Generate the metadata for each disk pair.

admin> request metadata-regenerate slot <slot_number>

For example:

admin> request metadata-regenerate slot 1

STEP 7 | Configure the local Log Collector on the new M-Series appliance.

For all steps with commands that require a serial number, you must type the entire
serial number; pressing the Tab key won’t complete a partial serial number.

Don’t enable the disks on the new M-Series appliance at this point. When you successfully
migrate the logs, Panorama automatically enables the disks.
1. Configure the local Log Collector as a managed collector using the Panorama web
interface or using the following CLI commands:

admin> configure
admin# set log-collector <log-collector_SN> deviceconfig system hostname <log-collector-hostname>
admin# exit

2. Commit your changes to Panorama. Don’t commit the changes to the Collector Group
just yet.

admin> configure
admin# commit

3. Verify that the local Log Collector is connected to Panorama and that the status of its
disk pairs is present/available.

admin> show log-collector serial-number <log-collector_SN>

The disk pairs will display as disabled at this stage of the restoration process.

STEP 8 | Add a Log Collector with no disks to a Collector Group.

From this point on, perform only the commits that are required to complete the migration process
on Panorama and the Log Collectors. Hold off on making any other changes.

1. Access the Panorama CLI.


2. Override the Panorama restriction so that a Log Collector with no disks can be added to a
Collector Group:

request log-migration-set-start

3. Commit the override:

admin> configure
admin# commit force

STEP 9 | Migrate the logs.


1. Access the Panorama CLI.
2. Add the new local Log Collector as a member of the Collector Group and commit your
changes to Panorama.

admin# set log-collector-group <collector_group_name> logfwd-setting collectors <SN_managed_collector>
admin# commit
admin# exit

The old local Log Collector still appears in the list of members, because you haven’t
deleted it from the configuration.
3. For each disk pair, migrate the logs to the new appliance.

admin> request log-migration from <old_LC_serial_number> old-disk-pair <log_disk_pair> to <new_LC_serial_number> new-disk-pair <log_disk_pair>

For example:

admin> request log-migration from 003001000010 old-disk-pair A to 00300100038 new-disk-pair A

4. Commit the changes to Panorama.

admin> configure
admin# commit

STEP 10 | Reconfigure the Collector Group.


1. Use the web interface to assign the new Log Collector to the firewalls that forward logs
(Panorama > Collector Groups > Device Log Forwarding). Give the new Log Collector the
same priority in the firewall preference lists as the old Log Collector.

You cannot use the CLI to change the priority assignments of firewall preference
lists.
2. Delete the old Log Collector from the Collector Group.

admin# delete log-collector-group <group_name> logfwd-setting collectors <old_LC_serial_number>

For example:

admin# delete log-collector-group DC-Collector-Group logfwd-setting collectors 003001000010

3. Delete the old Log Collector from the Panorama configuration and commit your changes
to Panorama.

admin# delete log-collector <old_LC_serial_number>
admin# commit
admin# exit

4. Synchronize the configuration of the M-Series appliance HA peers.

admin> request high-availability sync-to-remote running-config

5. Commit the Collector Group changes so that the managed firewalls can send logs to the
new Log Collector.

admin> commit-all log-collector-config log-collector-group <collector_group_name>

For example:

admin> commit-all log-collector-config log-collector-group DC-Collector-Group

STEP 11 | Generate new keys on the new Log Collector.

This command is required in order to add the new Log Collector to the Collector Group
and should only be run for the Collector Group of the Log Collector being replaced. This
step deletes the existing RSA keys and allows Panorama to create new RSA keys.

1. Access the Panorama CLI.


2. Delete all RSA keys on the new Log Collector:

request logdb update-collector-group-after-replace collector-group <collector-group-name>

The process can take up to 10 minutes to complete.

STEP 12 | Confirm that SearchEngine Status is Active for all Log Collectors in the Collector Group.

Do not continue until SearchEngine Status is Active for all Log Collectors in the
Collector Group. Continuing before SearchEngine Status is Active results in purging of logs
from the Log Collector being replaced.

1. Access the Panorama CLI.


2. Show the Log Collector details by running one of the following commands:
• On Panorama, for all Log Collectors:

show log-collector all

• Alternatively, on each Dedicated Log Collector:

show log-collector detail

3. Confirm that SearchEngine Status is Active.

Redistribution status: none

Last commit-all: commit succeeded, current ring version 1

SearchEngine status: Active

md5sum 4e5055a359f7662fab8f8c4f57e24525 updated at 2017/06/14 09:58:19

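The following is an added example (not code from this guide) that automates the gate in STEP 15 of the previous procedure and STEP 12 here: it parses the status lines shown above for each Log Collector and refuses to proceed unless every collector is Active and all report the same ring version. The per-collector "Serial:" line and the blank-line separation between collectors in the show log-collector all output are assumptions, and the sample output is constructed.

```python
"""Gate check for 'Confirm that SearchEngine Status is Active'.

Added example, not part of the Panorama Administrator's Guide. Only the
four status lines per collector mirror what the guide shows; the 'Serial:'
header line and the blank-line block layout are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output: two collectors, the replacement one not yet Active.
SAMPLE_OUTPUT = """\
Serial: 003001000010
Redistribution status: none
Last commit-all: commit succeeded, current ring version 1
SearchEngine status: Active
md5sum 4e5055a359f7662fab8f8c4f57e24525 updated at 2017/06/14 09:58:19

Serial: 00300100038
Redistribution status: none
Last commit-all: commit succeeded, current ring version 1
SearchEngine status: Inactive
md5sum 4e5055a359f7662fab8f8c4f57e24525 updated at 2017/06/14 09:58:19
"""

_FIELD = {
    "serial": re.compile(r"^Serial:\s*(\S+)", re.M),
    "redistribution": re.compile(r"^Redistribution status:\s*(\S+)", re.M),
    "commit": re.compile(
        r"^Last commit-all:\s*(.+?)(?:,\s*current ring version\s*(\d+))?\s*$", re.M),
    "search_engine": re.compile(r"^SearchEngine status:\s*(\S+)", re.M),
}


@dataclass
class CollectorStatus:
    serial: str
    redistribution: str
    last_commit: str
    ring_version: Optional[int]
    search_engine: str


def parse_collectors(text: str) -> List[CollectorStatus]:
    """Split the output into per-collector blocks and extract the status fields."""
    statuses = []
    for block in re.split(r"\n\s*\n", text.strip()):
        serial = _FIELD["serial"].search(block)
        if not serial:
            continue  # not a collector block (e.g. trailing banner text)
        redis = _FIELD["redistribution"].search(block)
        commit = _FIELD["commit"].search(block)
        se = _FIELD["search_engine"].search(block)
        statuses.append(CollectorStatus(
            serial=serial.group(1),
            redistribution=redis.group(1) if redis else "unknown",
            last_commit=commit.group(1).strip() if commit else "unknown",
            ring_version=int(commit.group(2)) if commit and commit.group(2) else None,
            search_engine=se.group(1) if se else "unknown",
        ))
    return statuses


def ready_to_continue(statuses: List[CollectorStatus]) -> Tuple[bool, List[str]]:
    """Return (ok, reasons); ok is True only when every collector passes."""
    reasons: List[str] = []
    if not statuses:
        reasons.append("no Log Collector blocks found in output")
    for s in statuses:
        if s.search_engine != "Active":
            reasons.append(f"{s.serial}: SearchEngine status is {s.search_engine}")
        if not s.last_commit.startswith("commit succeeded"):
            reasons.append(f"{s.serial}: last commit-all did not succeed ({s.last_commit})")
    # All members of one Collector Group should be on the same ring version.
    versions = {s.ring_version for s in statuses if s.ring_version is not None}
    if len(versions) > 1:
        reasons.append(f"ring version mismatch across collectors: {sorted(versions)}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = ready_to_continue(parse_collectors(SAMPLE_OUTPUT))
    print("safe to continue" if ok else "do not continue:\n  " + "\n  ".join(why))
```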
STEP 13 | On the new Log Collector, replace previous Log Collector serial number with the new Log
Collector serial number.
You must replace the old Log Collector serial number with the new Log Collector serial number
so that the new Log Collector will not run into purging issues, resulting in the Log Collector
being unable to purge old data from the migrated logs when necessary.
1. Access the Log Collector CLI.
2. Replace the old Log Collector serial number with the new Log Collector serial number:

request log-migration-update-logger from <old-log-collector-serial-number> to <new-log-collector-serial-number>

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

If a system failure occurs on a Panorama management server that is not deployed in a high
availability (HA) configuration, use this procedure to restore the configuration on the replacement
Panorama and restore access to the logs on the Dedicated Log Collectors that it manages. The
allowed migration scenarios vary by Panorama management server model:

Old/Failed Panorama          New/Replacement Panorama

Panorama virtual appliance   • Panorama virtual appliance
                             • M-200 appliance
                             • M-500 appliance
                             • M-600 appliance

M-100 appliance              • Panorama virtual appliance
                             • M-200 appliance
                             • M-500 appliance
                             • M-600 appliance

M-500 appliance              • Panorama virtual appliance
                             • M-200 appliance
                             • M-500 appliance
                             • M-600 appliance

Panorama maintains a ring file that maps the segments and partitions that Dedicated Log
Collectors use to store logs. An M-Series appliance in Panorama mode stores the ring file on its
internal SSD; a Panorama virtual appliance stores the ring file on its internal disk. When a system
failure occurs, a non-HA Panorama cannot automatically recover the ring file. Therefore, when
you replace Panorama, you must restore the ring file to access the logs on the Dedicated Log
Collectors.

This procedure requires that you backed up and exported your Panorama configuration
before the system failure occurred.
Palo Alto Networks recommends deploying Panorama in an HA configuration. The active
Panorama peer automatically synchronizes the ring file to the passive peer in an HA
configuration, thereby maintaining access to logs on the Dedicated Log Collectors even if
you must replace one of the peers.

STEP 1 | Perform initial setup of the new Panorama appliance.

1. Set Up the M-Series Appliance or Set Up the Panorama Virtual Appliance based on your
needs. If you are setting up a new M-Series appliance, refer to the M-Series Appliance
Hardware Reference Guides for instructions on how to rack mount the new M-Series
appliance.
2. Perform Initial Configuration of the M-Series Appliance or Perform Initial Configuration
of the Panorama Virtual Appliance.

If the old M-Series appliance used interfaces other than the MGT interface for
Panorama services (such as log collection), you must define those interfaces
during initial configuration of the new M-Series appliance (Panorama > Setup
> Interfaces). The Panorama virtual appliance does not support interfaces other
than MGT.
3. Register Panorama.
4. Transfer licenses as follows only if the new Panorama appliance is the same model as the
old appliance. Otherwise, you must purchase new licenses.
1. Log in to the Palo Alto Networks Customer Support web site.
2. Select the Assets tab and click the Spares link.
3. Click the Serial Number of the new M-Series appliance.
4. Click Transfer Licenses.
5. Select the old appliance and click Submit.
5. Activate a Panorama Support License.
6. Activate a firewall management license.
7. Install Content and Software Updates for Panorama.

The M-500 appliance requires Panorama 7.0 or a later release. M-200 and
M-600 appliances require Panorama 8.1. For important details about software
versions, see Panorama, Log Collector, Firewall, and WildFire Version
Compatibility.

STEP 2 | Restore the configuration from the old Panorama to the replacement Panorama.
1. Log in to the new Panorama and select Panorama > Setup > Operations.
2. Click Import named Panorama configuration snapshot, Browse to the backup
configuration file, and click OK.
3. Click Load named Panorama configuration snapshot, select the Name of the file you just
imported, and click OK.

To replace an RMA Panorama, make sure you Retain Rule UUIDs when you load
the named Panorama configuration snapshot. If you do not select this option,
Panorama removes all previous rule UUIDs from the configuration snapshot and
assigns new UUIDs to the rules on Panorama, which means it does not retain
information associated with the previous UUIDs, such as the policy rule hit
count.
4. Select Commit > Commit to Panorama and Commit your changes.
5. Select Panorama > Managed Collectors and verify that the Connected column displays a
check mark for the Dedicated Log Collector.
If the Dedicated Log Collector doesn’t appear, you must reconfigure it and its Collector
Group as described in the next step. Otherwise, skip the following step and Fetch the ring
file to restore access to the logs stored on the Dedicated Log Collector.

STEP 3 | Reconfigure the Dedicated Log Collector and Collector Group if they are missing on
Panorama.
1. Access the CLI of the Dedicated Log Collector and enter the following commands to
display the name of its Collector Group.
1. Enter the command:

> request fetch ring from log-collector <serial_number>

The following error will display:

Server error: Failed to fetch ring info from <serial_number>

2. Enter the command:

> less mp-log ms.log

The following error will display:

Dec04 11:07:08 Error: pan_cms_convert_resp_ring_to_file(pan_ops_cms.c:3719): Current configuration does not contain group CA-Collector-Group

In this example, the error message indicates that the missing Collector Group has the
name CA-Collector-Group.
2. Configure the Collector Group and assign the Dedicated Log Collector to it.

> configure
# set log-collector-group <collector-group-name>
# set log-collector-group <collector-group-name> logfwd-setting collectors <serial-number>

3. Commit the changes to Panorama but not to the Collector Group.

# commit
# exit

STEP 4 | Fetch the ring file to restore access to the logs stored on the Dedicated Log Collector.
1. Access the CLI of the new Panorama.
2. Fetch the ring file:

> request fetch ring from log-collector <serial-number>

For example:

> request fetch ring from log-collector 009201000343

If you don’t know the serial number of the Dedicated Log Collector, log in to its
CLI and enter the show system info operational command.
3. Commit your changes to the Collector Group.

> commit-all log-collector-config log-collector-group <collector-group-name>

Regenerate Metadata for M-Series Appliance RAID Pairs


When a system failure occurs on the M-600, M-500, or M-200 appliance and you need to
physically move the disks from one appliance to another, regenerating the metadata is necessary.
The metadata is required to locate logs on the disk; when a user issues a log query, the query
consults this metadata to access the requested log data.
For each configured RAID disk pair in the M-Series appliance, you must access the appliance CLI
and run the following command to regenerate the metadata:

> request metadata-regenerate slot <slot_number>

For example:

> request metadata-regenerate slot 1

The size of the RAID disks determines how long metadata regeneration takes. On average, it
takes an hour for every 100GB. When you run the command, the CLI session is locked until the
command is fully executed. You can use multiple CLI sessions to save time. For example, to replace
four RAID pairs of 1TB drives with a total of 4TB of log data, launch four CLI sessions and run the
command in each session to regenerate metadata simultaneously for all the pairs/slots in about 10
hours.
During metadata regeneration, the Collector Group to which these disks belong is not available
and the disk pair is not available for any logging or reporting operations (writes/queries). However,
you can perform other tasks such as handling new firewall connections or managing configuration
changes on the managed firewalls. All other Collector Groups that Panorama manages and that
aren’t part of this RMA process can perform the assigned logging and reporting functionality as
normal.
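As an added example (not code from this guide), the planner below applies the rule of thumb above, about one hour per 100GB with one locked CLI session per RAID pair, and generalizes the four-pairs-in-four-sessions case to any number of pairs and sessions by assigning the largest pairs first to the least-loaded session. The pair sizes are constructed inputs; slot numbers follow the request metadata-regenerate slot <slot_number> form used above.

```python
"""Estimate metadata regeneration wall-clock time across parallel CLI sessions.

Added example, not part of the Panorama Administrator's Guide. Timing follows
the guide's rule of thumb (about one hour per 100 GB of logs per RAID pair).
Pair sizes below are constructed inputs.
"""
from typing import Dict, List

HOURS_PER_100GB = 1.0  # guide's rule of thumb: roughly one hour for every 100 GB


def pair_hours(size_gb: float) -> float:
    """Estimated regeneration time for one RAID pair holding size_gb of logs."""
    return size_gb / 100.0 * HOURS_PER_100GB


def plan_regeneration(pair_sizes_gb: Dict[str, float], sessions: int) -> dict:
    """Assign RAID pairs (slot -> GB) to CLI sessions, largest pair first.

    Each session runs its pairs one after another (the CLI locks per command),
    so the wall-clock estimate is the busiest session; serial_hours is what a
    single session would need.
    """
    if sessions < 1:
        raise ValueError("need at least one CLI session")
    loads: List[float] = [0.0] * sessions
    assigned: List[List[str]] = [[] for _ in range(sessions)]
    # Largest pairs first so a big pair never lands on an already busy session.
    for slot, size in sorted(pair_sizes_gb.items(), key=lambda kv: -kv[1]):
        i = loads.index(min(loads))
        loads[i] += pair_hours(size)
        assigned[i].append(slot)
    return {
        "sessions": assigned,
        "serial_hours": sum(pair_hours(s) for s in pair_sizes_gb.values()),
        "wall_hours": max(loads),
    }


def commands_for_session(slots: List[str]) -> List[str]:
    """The commands to run, in order, in one CLI session."""
    return [f"request metadata-regenerate slot {slot}" for slot in slots]


if __name__ == "__main__":
    # The guide's own case: four 1 TB pairs in four sessions, about 10 hours.
    plan = plan_regeneration({"1": 1000, "2": 1000, "3": 1000, "4": 1000}, sessions=4)
    for n, slots in enumerate(plan["sessions"], start=1):
        print(f"session {n}: " + "; ".join(commands_for_session(slots)))
    print(f"serial: {plan['serial_hours']:.1f} h, parallel: {plan['wall_hours']:.1f} h")
```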

View Log Query Jobs


You can view your log query jobs to investigate and better understand why querying log data
is taking longer than expected. To begin, you must first show all log query jobs run on the
Panorama. After you identify the log query job that you need to investigate, use the job ID to view
detailed information about the query to better understand why your log query is running into
issues. When querying log data on Panorama, the detailed job ID information is overwritten as new
log query jobs are executed.
STEP 1 | Log in to the Panorama CLI.

STEP 2 | View the log query jobs executed on Panorama.


The CLI output includes general information about each executed log query such as the job
ID, when the query was run, the query state, the log database that was queried, the number of
logs queried, how long (in ms) it took for the query to return results, the admin that executed
the query, and any filters applied to the query.

admin@Panorama> show query jobs

STEP 3 | View detailed log query information about a specific job using the job ID.

admin@Panorama> show query jobid <Job ID>

Replace an RMA Firewall


To minimize the effort required to restore the configuration on a managed firewall involving a
Return Merchandise Authorization (RMA), replace the serial number of the old firewall with that
of the new firewall on Panorama. To then restore the configuration on the replacement firewall,
either import a firewall state that you previously generated and exported from the firewall or use
Panorama to generate a partial device state for managed firewalls running PAN-OS 5.0 and later
versions. By replacing the serial number and importing the firewall state, you can resume using
Panorama to manage the firewall.
• Partial Device State Generation for Firewalls
• Before Starting RMA Firewall Replacement
• Restore the Firewall Configuration after Replacement

Paral Device State Generaon for Firewalls


When you use Panorama to generate a paral device state, it replicates the configuraon of the
managed firewalls with a few excepons for Large Scale VPN (LSVPN) setups. You create the
paral device state by combining two facets of the firewall configuraon:
• Centralized configuraon that Panorama manages—Panorama maintains a snapshot of the
shared policy rules and templates that it pushes to firewalls.
• Local configuraon on the firewall—When you commit a configuraon change on a firewall, it
sends a copy of its local configuraon file to Panorama. Panorama stores this file and uses it to
compile the paral device state bundle.

In an LSVPN setup, the paral device state bundle that you generate on Panorama is
not the same as the version that you export from a firewall (by selecng Device > Setup
> Operaons and clicking Export device state). If you manually ran the device state
export or scheduled an XML API script to export the file to a remote server, you can use
the exported device state in your firewall replacement workflow.
If you did not export the device state, the device state that you generate in the
replacement workflow will not include the dynamic configuraon informaon, such as
the cerficate details and registered firewalls, that is required to restore the complete
configuraon of a firewall funconing as an LSVPN portal. See Before Starng RMA
Firewall Replacement for more informaon.
Panorama does not store the device state; you generate it on request using the CLI commands
listed in Restore the Firewall Configuraon aer Replacement.

Before Starng RMA Firewall Replacement


The firewall you will replace must have PAN-OS 5.0.4 or a later version. Panorama cannot
generate the device state for firewalls running older PAN-OS versions.
Record the following details about the firewall you will replace:
• Serial number—You must enter the serial number on the Palo Alto Networks Customer
Support web site to transfer the licenses from the old firewall to the replacement firewall.

You will also enter this information on Panorama, to replace all references to the old serial
number with the new serial number of the replacement firewall.
• (Recommended) PAN-OS version and the content database version—Installing the same
software and content database versions, including the URL database vendor, enables you to
create the same state on the replacement firewall. If you decide to install the latest version
of the content database, you might notice differences because of updates and additions to
the database. To determine the versions installed on the firewall, access the firewall System
logs stored on Panorama.
Prepare the replacement firewall for deployment. Before you import the device state bundle
and restore the configuration, you must:
• Verify that the replacement firewall is the same model as the old firewall and is enabled
for similar operational capability. Consider the following operational features: must the
replacement firewall have multiple virtual systems, support jumbo frames, or
operate in CC or FIPS mode?
• Configure network access, transfer the licenses, and install the appropriate PAN-OS and
content database versions.
You must use the Panorama CLI to complete this firewall replacement process, and therefore
your administrator account must have the superuser or panorama-admin user role.
If you have an LSVPN configuration, and are replacing a Palo Alto Networks firewall deployed
as a satellite or as an LSVPN portal, the dynamic configuration information that is required
to restore LSVPN connectivity will not be available when you restore the partial device state
generated on Panorama. If you followed the recommendation to frequently generate and
export the device state for firewalls in an LSVPN configuration, use the device state that you
previously exported from the firewall itself instead of generating one on Panorama.
If you have not manually exported the device state from the firewall, and need to generate
a partial device state on Panorama, the missing dynamic configuration impacts the firewall
replacement process as follows:
• If the firewall you are replacing is a GlobalProtect portal that is explicitly configured
with the serial number of the satellites (Network > GlobalProtect > Portals > Satellite
Configuration), when restoring the firewall configuration, although the dynamic
configuration is lost, the portal firewall will be able to authenticate the satellites successfully.
The successful authentication will populate the dynamic configuration information and
LSVPN connectivity will be reinstated.
• If you are replacing a satellite firewall, it will not be able to connect and authenticate to the
portal. This failure occurs either because the serial number was not explicitly configured
on the firewall (Network > GlobalProtect > Portals > Satellite Configuration) or, if the
serial number was explicitly configured, because the serial number of the replaced firewall
does not match that of the old firewall. To restore connectivity after importing the device
state bundle, the satellite administrator must log in to the firewall and enter the credentials
(username and password) for authenticating to the portal. After authentication, the dynamic
configuration required for LSVPN connectivity is generated on the portal.
However, if the firewall was configured in a high availability configuration, after restoring the
configuration, the firewall will automatically synchronize the running configuration with its peer
and attain the latest dynamic configuration required to function seamlessly.

Restore the Firewall Configuration after Replacement

To restore the firewall configuration on the new firewall, you will first perform initial configuration
on the new firewall, including setting the operational mode, upgrading the PAN-OS software and
content release version to match what was installed on the old firewall. You will then export the
device state of the old firewall from Panorama and import it onto the new firewall. Finally, you
will go back to Panorama to validate that the new firewall has connected and then sync it with
Panorama.
STEP 1 | Perform initial configuration on the new firewall and verify network connectivity.
Use a serial port connection or a Secure Shell (SSH) connection to add an IP address, a DNS
server IP address, and to verify that the new firewall can access the Palo Alto Networks
updates server.

STEP 2 | (Optional) Set the Operational mode on the new firewall to match that on the old firewall.
A serial port connection is required for this task.
1. Enter the following CLI command to access maintenance mode on the firewall:

> debug system maintenance-mode

2. For Operational mode, select Set FIPS Mode or Set CCEAL 4 Mode from the main
menu.

STEP 3 | Retrieve the license(s) on the new firewall.


Enter the following command to retrieve the licenses:

> request license fetch

STEP 4 | (Optional) Match the operational state of the new firewall with that of the old firewall. For
example, enable multi-virtual system (multi-vsys) capability for a firewall that was enabled for
multi-vsys capability.
Enter the commands that pertain to your firewall settings:

> set system setting multi-vsys on


> set system setting jumbo-frame on

STEP 5 | Upgrade the PAN-OS version on the new firewall.


You must upgrade to the same PAN-OS version installed on the old firewall. You must upgrade the
content release versions to the same or a later version than the one installed on the old firewall.
Enter the following commands:
1. To upgrade the content release version:

> request content upgrade download latest

> request content upgrade install version latest

2. To upgrade the anti-virus release version:

> request anti-virus upgrade download latest


> request anti-virus upgrade install version latest

3. To upgrade the PAN-OS software version:

> request system software download version <version>


> request system software install version <version>

STEP 6 | Go to the Panorama CLI and export the device state bundle from the old firewall to a
computer using Secure Copy (SCP) or TFTP (you cannot do this from the web interface).

If you manually exported the device state from the firewall, you can skip this step.

The export command generates the device state bundle as a tar zipped file and exports it to
the specified location. This device state will not include the LSVPN dynamic configuration
(satellite information and certificate details).
Enter one of the following commands:

> scp export device-state device <old serial#> to <login>@<serverIP>:<path>

or

> tftp export device-state device <old serial#> to <serverIP>

STEP 7 | Replace the serial number of the old firewall with that of the new replacement firewall on
Panorama.
By replacing the serial number on Panorama you allow the new firewall to connect to
Panorama after you restore the configuration on the firewall.
1. Enter the following command in Operational mode:

> replace device old <old SN#> new <new SN#>

2. Enter Configuration mode and commit your changes.

> configure
# commit

3. Exit Configuration mode.

# exit


STEP 8 | (Optional) Create a device registration auth key on Panorama.

This step is required if no valid device registration auth key is created on Panorama. Skip this
step if a valid device registration auth key is already created on Panorama.

Exporting the device state bundle does not export the device registration auth key
used to add the firewall to Panorama management. When you restore the firewall
configuration after replacement, you must create a new device registration auth key to
add the new firewall to Panorama.

1. Log in to the Panorama Web Interface.


2. Select Panorama > Device Registration Auth Key and Add a new authentication key.
3. Configure the authentication key.
• Name—Enter a descriptive name for the authentication key.
• Lifetime—Enter the key lifetime to specify how long the authentication key may be
used to onboard new firewalls.
• Count—Specify how many times the authentication key may be used to onboard new
firewalls.
• Device Type—Specify that the authentication key is used to authenticate a Firewall.

Select Any to use the device registration auth key to onboard both firewalls
and Log Collectors.
• (Optional) Devices—Enter one or more device serial numbers to specify for which
firewalls the authentication key is valid.
4. Click OK.

5. Copy Auth Key and Close.


STEP 9 | On the new firewall, import the device state and add the device registration auth key.
1. Log in to the firewall web interface.
2. Select Device > Setup > Operations and click the Import Device State link in the
Configuration Management section.
3. Browse to locate the file and click OK.
4. Select Device > Setup > Management and edit the Panorama Settings.
5. Enter the Auth key you created on Panorama and click OK.

6. Commit your changes to the running configuration on the firewall.

STEP 10 | From Panorama, verify that you successfully restored the firewall configuraon.
1. Access the Panorama web interface and select Panorama > Managed Devices.
2. Verify that the Connected column for the new firewall has a check mark.

STEP 11 | Synchronize the firewall with Panorama.


1. Access the Panorama web interface, select Commit > Commit and Push and Edit
Selections in the Push Scope.
2. Select Device Groups, select the device group that contains the firewall, and Include
Device and Network Templates.
3. Select Collector Groups and select the Collector Group that contains the firewall.
4. Click OK to save your changes to the Push Scope.
5. Commit and Push your changes.

If you need to generate reports for a period when the old firewall was still
functional after you installed the new firewall, you must generate a separate
query for each firewall serial number because replacing the serial number on
Panorama does not overwrite the information in logs.


Troubleshoot Commit Failures


If commit or push operation failures occur on Panorama, check for the following conditions:

Symptom: Template or device group push failure
Condition: The ability to receive template and device group configuration changes from Panorama is disabled on the firewall.
Resolution: Access the firewall web interface, select Device > Setup, edit the Panorama Settings, and then click Enable Device and Network Template and Enable Panorama Policy and Objects.

Symptom: Panorama commit failure or template, device group, or Collector Group push failure
Condition: The Panorama management server has an earlier software version than the Dedicated Log Collectors or firewalls that it manages.
Resolution: Upgrade the Panorama management server to the same or a higher software version than the managed firewalls, Log Collectors, and WildFire appliances and appliance clusters. For details, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.


Troubleshoot Registration or Serial Number Errors


On the M-600, M-500, or M-200 appliance, if the Panorama > Support page doesn't display
support license details or the Panorama > Setup > Management page displays Unknown for the
Serial Number even after you Register Panorama, perform the following steps:
STEP 1 | Record the Panorama serial number from the order fulfillment email that Palo Alto Networks
sent when you placed your order for Panorama.

STEP 2 | Select Panorama > Setup > Management and edit the General Settings.

STEP 3 | Enter the Serial Number and click OK.

STEP 4 | Select Commit > Commit to Panorama and Commit your changes.


Troubleshoot Reporting Errors


If Panorama fails to generate a report, or the report is missing expected data, its content versions
(such as the Applications database) might differ from those on the managed collectors and
firewalls. The content versions on Panorama must be the same as or lower than the content
versions on the managed collectors and firewalls. For details, see Panorama, Log Collector,
Firewall, and WildFire Version Compatibility.
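The two version rules in this chapter, that Panorama must run the same or a higher software version than the devices it manages (Troubleshoot Commit Failures) and the same or a lower content version than those devices (above), can be checked against an inventory before a commit, push or report run. The following Python script is an added example and not Palo Alto Networks code; the inventory, serial numbers and versions in it are constructed, and it assumes the dotted PAN-OS version form (for example 10.1.3 or 10.1.3-h2) and the dash-separated content version form (for example 8502-7044).

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory: one Panorama and three managed devices. The serial
# numbers, names and versions are sample values, not real devices.
PANORAMA = {"sw": "10.1.3", "content": "8502-7044"}
MANAGED_DEVICES = [
    {"serial": "FW-A", "kind": "firewall", "sw": "10.1.2", "content": "8502-7044"},
    {"serial": "FW-B", "kind": "firewall", "sw": "10.1.4", "content": "8520-7081"},
    {"serial": "LC-C", "kind": "log collector", "sw": "10.0.8", "content": "8480-6999"},
]


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.3' or '10.1.3-h2' into a comparable tuple; no hotfix counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def parse_content_version(version: str) -> Tuple[int, int]:
    """Turn an application/threat content version such as '8502-7044' into a tuple."""
    m = re.fullmatch(r"(\d+)-(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognised content version: {version!r}")
    return (int(m.group(1)), int(m.group(2)))


def find_version_problems(panorama: Dict[str, str], devices: List[Dict[str, str]]) -> List[str]:
    """Return one message per rule violation, in inventory order; an empty list means all clear."""
    pan_sw = parse_panos_version(panorama["sw"])
    pan_content = parse_content_version(panorama["content"])
    problems: List[str] = []
    for dev in devices:
        # Rule 1 (commit/push failures): a managed device may not run newer software than Panorama.
        if parse_panos_version(dev["sw"]) > pan_sw:
            problems.append(
                f"{dev['serial']}: software {dev['sw']} is newer than Panorama {panorama['sw']}; "
                "commits and pushes to it will fail until Panorama is upgraded"
            )
        # Rule 2 (reporting errors): a managed device may not run older content than Panorama.
        if parse_content_version(dev["content"]) < pan_content:
            problems.append(
                f"{dev['serial']}: content {dev['content']} is older than Panorama {panorama['content']}; "
                "reports that include it may fail or be missing data"
            )
    return problems


if __name__ == "__main__":
    for line in find_version_problems(PANORAMA, MANAGED_DEVICES) or ["no version problems found"]:
        print(line)
```

With the constructed inventory the script reports FW-B (software newer than Panorama) and LC-C (content older than Panorama) and passes FW-A; replace the two dictionaries with values read from your own inventory to use it as a pre-flight check.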


Troubleshoot Device Management License Errors


After upgrading to PAN-OS 8.1, the Panorama virtual appliance checks whether a device management
license has been successfully installed. If a device management license has not been successfully
installed, or the number of firewalls managed by the Panorama virtual appliance exceeds the
device management license limit, you have 180 days to install a valid device management license.
If no valid device management license has been installed, the following alert appears each time
you log in to the Panorama web interface:

If the number of firewalls managed by the Panorama virtual appliance exceeds the device
management license limit, the following alert appears each time you log in to the Panorama web
interface:

To resolve, install a valid device management license:


STEP 1 | Contact your Palo Alto Networks sales representative or your authorized reseller to purchase
the appropriate device management license.

STEP 2 | Log in to the Panorama Web Interface.

STEP 3 | Activate/Retrieve a device management license based on whether the Panorama virtual
appliance is online or offline.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is
Internet-connected.
• Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is
not Internet-connected.


Troubleshoot Automatically Reverted Firewall Configurations


If your managed firewall automatically reverts its configuration due to a configuration change
that caused a connection to break between the Panorama™ management server and the firewall,
you can troubleshoot the out-of-sync firewalls to determine what changes were made and to
determine what aspects of that last configuration push caused the firewall to revert its configuration.
STEP 1 | Verify that the managed firewall automatically reverted to the last running configuration.
• On the firewall
1. Launch the Firewall Web Interface.
2. Click Tasks (bottom-right hand corner of the web interface).
3. Verify that the last commit operation (either pushed from Panorama or committed locally)
shows a Reverted status.

• On Panorama
1. Log in to the Panorama Web Interface.
2. Select Panorama > Managed Devices > Summary.
3. View the Shared Policy and Template sync status. If you have recently pushed a
configuration from Panorama to your managed firewalls and it reverted, the Shared
Policy or Template displays as Out of Sync (depending on what configuration changes
were made).

STEP 2 | In the Last Merged Diff column for a managed firewall, Show Last Merged Config Diff
to compare the current running configuration and the reverted configuration. In this example,
a policy rule pushed from Panorama denied all traffic between the managed firewall and
Panorama, which caused the firewall configuration to automatically revert.

STEP 3 | Modify configuration objects as needed so as not to break the connection between the
managed firewalls and Panorama before you re-push the configuration.


View Task Success or Failure Status


Click the Task Manager icon at the bottom right of the Panorama web interface to view the
success or failure of a task. The Task Manager also displays a detailed message to help debug an
issue. For details, see Use the Panorama Task Manager.


Test Policy Match and Connectivity for Managed Devices


After you successfully push the device group and template stack configurations to your
firewalls, Log Collectors, and WF-500 appliances, test that the correct traffic matches the policy
rules pushed to your managed devices and that your firewalls can successfully connect to all
appropriate network resources.
• Troubleshoot Policy Rule Traffic Match
• Troubleshoot Connectivity to Network Resources

Troubleshoot Policy Rule Traffic Match


To perform policy match tests for managed firewalls, test the policy rule configuration for your
managed devices to ensure that the running configuration appropriately secures your network
by allowing and denying the correct traffic. After the results are generated for traffic that was
matched to configured rules, you can Export to PDF for auditing purposes.
STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Select Panorama > Managed Devices > Troubleshooting to perform a policy match.

You may also run a policy match test from the Policies tab.

STEP 3 | Enter the required information to perform the policy match test. In this example, a Security
policy match test is run.
1. Select Security Policy Match from the Select Test drop-down.
2. Select device/VSYS and select the managed firewalls to test.
3. Enter the Source IP address from which traffic originated.
4. Enter the Destination IP address of the target device for the traffic.
5. Enter the Protocol IP used for the traffic.
6. If necessary, enter any additional information relevant for your Security policy rule
testing.

STEP 4 | Execute the Security policy match test.


STEP 5 | Select the Security policy match Results to review the policy rules that match the test
criteria.

Troubleshoot Connectivity to Network Resources


Perform connectivity tests for managed firewalls to ensure that your managed devices can
connect to all appropriate network resources. Test the device configuration for your managed
devices to ensure the running configuration appropriately secures your network by allowing you
to verify that the configurations pushed to your managed devices still allow those devices to
connect to resources such as your Log Collectors, configured External Dynamic Lists, and the Palo
Alto Networks Update Server. Additionally, you can execute routing, WildFire®, Threat Vault, ping,
and traceroute connectivity tests to verify that Panorama™ and managed devices can access any
external network resources critical to the operation and security of your network. After the results
are generated, you can Export to PDF for auditing purposes.

The Ping connectivity test is only supported for firewalls running PAN-OS 9.0 or later
releases.

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Select Panorama > Managed Devices > Troubleshooting to perform a connectivity test.

You may also run a policy match test from the Policies tab.

STEP 3 | Enter the required information to perform the connectivity test. In this example, a Log
Collector Connectivity test is run.
1. Select Log Collector Connectivity from the Select Test drop-down.
2. Select device/VSYS and select the managed firewalls to test.
3. If necessary, enter any additional information relevant for your connectivity testing.

STEP 4 | Execute the Log Collector connecvity test.


STEP 5 | Select the log collector connectivity Results to review the Log Collector connectivity status
for the selected devices.


Generate a Stats Dump File for a Managed Firewall


Generate a set of XML reports that summarize the network traffic over the last seven days for
a single firewall managed by the Panorama™ management server or for all firewalls managed
by Panorama. After you select a managed firewall and generate the stats dump file, you can
download the stats dump file locally to your device.
The Palo Alto Networks or Authorized Partner systems engineer uses the stats dump file to create
a Security Lifecycle Review (SLR) and to perform security checkups after you successfully deploy
your managed firewalls to help strengthen your security posture. The SLR highlights activity found
on the network and the associated business or security risks that may be present. For more
information on the SLR, contact your Palo Alto Networks or Authorized Partner systems engineer.

Stats dump file generation for multiple managed firewalls can take multiple hours to
complete. During this time, you are unable to navigate from the stats dump file generation
user interface, so it is recommended to generate the stats dump file from the CLI so you
can continue using the Panorama web interface.
Palo Alto Networks recommends generating a stats dump file for all managed firewalls
from the Panorama CLI using the following command. Panorama must be able to reach
your SCP or TFTP server to successfully export the stats dump file.
• SCP Server

admin> scp export stats-dump to <username@hostname:SCP_export_path>

• TFTP Server

admin> tftp export stats-dump to <tftp_host_address>

STEP 1 | Log in to the Panorama Web Interface.

STEP 2 | Select Panorama > Support and navigate to the Stats Dump File.


STEP 3 | Select a managed firewall for which to generate a stats dump file.
It is recommended that you generate a stats dump file for a single managed firewall from the
Panorama web interface.
A stats dump file is generated for All devices by default if you do not select a managed firewall.

STEP 4 | Generate Stats Dump File.


Click Yes when prompted to proceed generating the stats dump file.
A progress bar of the stats dump file generation status is displayed.
Generation may take up to an hour for a single managed firewall depending on the volume of
log data. You are unable to navigate from the stats dump file generation status window during
this time.

STEP 5 | Click Download Stats Dump File to download the stats dump file to your local device.
The downloaded stats dump file is in tar.gz format.


Recover Managed Device Connectivity to Panorama


PAN-OS 10.1 introduced the device registration authentication key to securely onboard managed
firewalls, Dedicated Log Collectors, and WildFire appliances to the Panorama™ management
server. The steps below describe how to recover the managed device connectivity to Panorama in
the following scenarios:
• A managed device disconnects from Panorama without reason and is not able to reconnect.
• You want to transition firewall management from a Panorama running PAN-OS 10.1 or a later
release to a different Panorama running PAN-OS 10.1 or a later release.
• You reset Panorama or the managed firewall to factory default settings but the managed
firewall is unable to connect to Panorama.
Recovering the managed device connectivity to Panorama applies only to managed devices that
are running PAN-OS 10.1 when onboarded to Panorama. The behavior described does not apply
to managed devices running PAN-OS 10.0 and earlier releases or managed devices that were
upgraded to PAN-OS 10.1 while already managed by Panorama.

The following firewall platforms are not impacted by the described connectivity issues to
Panorama.
• Managed firewalls onboarded to Panorama using Zero Touch Provisioning (ZTP).
• CN-Series firewalls.
• Managed firewalls deployed on VMware NSX.
• VM-Series firewalls purchased from a public hypervisor marketplace. See PAYG
firewalls for more information.

STEP 1 | Reset the secure connection state of the managed device.


1. Log in to the managed device CLI.
• Log in to the firewall CLI.
• Log in to the Dedicated Log Collector CLI.
• Log in to the WildFire appliance CLI.
2. Reset the secure connection state.

This command resets the managed device connection and is irreversible.

admin> request sc3 reset

3. Restart the management server on the managed device.

admin> debug software restart process management-server


STEP 2 | Clear the secure connection state of a managed device on Panorama and generate a new device
registration authentication key.

Clearing the secure connection state for a managed device on Panorama is irreversible.
This means that the managed device is disconnected and must be added back to
Panorama.

1. Log in to the Panorama CLI.

2. Reset the secure connection state of a managed device on Panorama.

This command resets the managed device connection to Panorama and is
irreversible.

admin> clear device-status deviceid <device_SN>

Where <device_SN> is the serial number of the managed device you want to clear the
connection state for.
3. Create a new device registration authentication key on Panorama.

admin> request authkey add devtype <fw_or_lc> count <device_count> lifetime <key_lifetime> name <key_name> serial <device_SN>

The devtype and serial arguments are optional. Omit these two arguments
to make a general-use device registration authentication key that is not specific
to a device type or device serial number.
4. Verify that the device registration authentication key is successfully created and copy the Key
value.

admin> request authkey list <key_name>
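Both the web interface fields in Step 8 of Restore the Firewall Configuration after Replacement and the request authkey add arguments above scope a device registration auth key by lifetime, use count, device type and serial number. The following Python model is an added example of how that scoping limits what a key can onboard; it is not the Panorama implementation. It assumes the lifetime is expressed in hours, and the key names and serial numbers in it are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class RegistrationAuthKey:
    """One device registration auth key as scoped in Panorama > Device Registration
    Auth Key or by `request authkey add`. The lifetime unit (hours) is an assumption."""
    name: str
    created: datetime
    lifetime_hours: int
    count: int
    device_type: str = "any"          # "any", "fw" (firewall) or "lc" (Log Collector)
    serials: List[str] = field(default_factory=list)   # empty list means any serial
    uses: int = 0

    def refusal_reason(self, device_type: str, serial: str, now: datetime) -> Optional[str]:
        """Return None if this key may onboard the device, otherwise why it is refused."""
        if now >= self.created + timedelta(hours=self.lifetime_hours):
            return "key lifetime has expired"
        if self.uses >= self.count:
            return "key use count is exhausted"
        if self.device_type != "any" and self.device_type != device_type:
            return f"key is restricted to device type '{self.device_type}'"
        if self.serials and serial not in self.serials:
            return f"serial {serial} is not in the key's device list"
        return None

    def onboard(self, device_type: str, serial: str, now: datetime) -> bool:
        """Consume one use if the attempt is acceptable; return whether it was accepted."""
        if self.refusal_reason(device_type, serial, now) is not None:
            return False
        self.uses += 1
        return True


# Constructed creation time, key parameters and serial numbers; none are real devices.
T0 = datetime(2022, 2, 22, 9, 0, tzinfo=timezone.utc)


def make_scoped_key() -> RegistrationAuthKey:
    """A tightly scoped key: one named replacement firewall, one use, one day."""
    return RegistrationAuthKey(name="replace-fw-0001", created=T0, lifetime_hours=24,
                               count=1, device_type="fw", serials=["SN-NEW-0001"])


def make_general_key() -> RegistrationAuthKey:
    """A general-use key: no device type or serial restriction, many uses."""
    return RegistrationAuthKey(name="general", created=T0, lifetime_hours=24, count=10)


def demo() -> List[Optional[str]]:
    """Run a series of onboarding attempts and return each refusal reason (None = accepted)."""
    scoped = make_scoped_key()
    general = make_general_key()
    one_hour = T0 + timedelta(hours=1)
    results: List[Optional[str]] = [
        scoped.refusal_reason("fw", "SN-NEW-0001", one_hour),    # the intended firewall: accepted
        scoped.refusal_reason("fw", "SN-OTHER-9999", one_hour),  # another firewall: wrong serial
        scoped.refusal_reason("lc", "SN-NEW-0001", one_hour),    # a Log Collector: wrong device type
    ]
    scoped.onboard("fw", "SN-NEW-0001", one_hour)               # consumes the single permitted use
    results.append(scoped.refusal_reason("fw", "SN-NEW-0001", one_hour))   # now: count exhausted
    results.append(general.refusal_reason("lc", "SN-ANY-0002", one_hour))  # unscoped key: accepted
    results.append(general.refusal_reason("lc", "SN-ANY-0002", T0 + timedelta(hours=24)))  # expired
    return results


if __name__ == "__main__":
    for outcome in demo():
        print("accepted" if outcome is None else f"refused: {outcome}")
```

The model shows why the optional devtype and serial arguments, together with a small count and short lifetime, are worth setting for a planned replacement: the scoped key accepts only the one firewall it was created for and is spent after a single use, whereas the general-use key onboards any device until its count or lifetime runs out.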

STEP 3 | Add the device registration authentication key you created to the managed device.
1. Log in to the managed device CLI.
• Log in to the firewall CLI.
• Log in to the Dedicated Log Collector CLI.
• Log in to the WildFire appliance CLI.
2. Add the device registration authentication key you created in the previous step.

admin> request authkey set <auth_key>

For <auth_key>, enter the Key value you copied in the previous step.


STEP 4 | Verify the managed device connectivity to Panorama.

admin> show panorama-status

Verify that the Panorama server Connected status displays yes.

If this procedure does not resolve the connectivity issue for your managed device, you
must contact Palo Alto Networks Customer Support for further assistance as a full
reset of all managed device connections on Panorama may be required.
