Panorama Administrator's Guide
Version 7.0
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us
About this Guide
This guide describes how to set up and use Panorama for centralized management; it is intended for administrators who want the basic framework to quickly set up the Panorama virtual appliance or the M-Series appliance for centralized administration of Palo Alto Networks firewalls.
If you have an M-Series appliance, this guide takes over after you finish rack mounting your M-Series appliance.
For more information, refer to the following sources:
- For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.
- For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
- For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
- For the most current PAN-OS and Panorama 7.0 release notes, go to https://www.paloaltonetworks.com/documentation/70/panos/pan-os-release-notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 27, 2016
Panorama 7.0 Administrator's Guide
Palo Alto Networks, Inc.
Panorama Overview
Panorama provides centralized monitoring and management of multiple Palo Alto Networks next-generation firewalls. It provides a single location from which you can oversee all applications, users, and content traversing your network, and then use this knowledge to create application enablement policies that protect and control the network. Using Panorama for centralized policy and device management increases operational efficiency in managing and maintaining a distributed network of firewalls.
- About Panorama
- Panorama Platforms
- Centralized Configuration and Deployment Management
- Centralized Logging and Reporting
- Panorama Commit Operations
- Role-Based Access Control
- Panorama Recommended Deployments
- Plan Your Deployment
- Deploy Panorama: Task Overview
About Panorama
Panorama provides centralized management of Palo Alto Networks next-generation firewalls, as the following figure illustrates:
Panorama allows you to effectively configure, manage, and monitor your Palo Alto Networks firewalls using central oversight with local control, as required. The three focal areas in which Panorama adds value are:
- Centralized configuration and deployment: To simplify central management and rapid deployment of the firewalls on your network, use Panorama to pre-stage the firewalls for deployment. You can then assemble the firewalls into groups, create templates to apply a base network and device configuration, and use device groups to administer globally shared and local policy rules. See Centralized Configuration and Deployment Management.
- Aggregated logging with central oversight for analysis and reporting: Collect information on activity across all the managed firewalls on the network and centrally analyze, investigate, and report on the data. This comprehensive view of network traffic, user activity, and the associated risks empowers you to respond to potential threats using the rich set of policies to securely enable applications on your network. See Centralized Logging and Reporting.
- Distributed administration: Allows you to delegate or restrict access to global and local firewall configurations and policies. See Role-Based Access Control for delegating appropriate levels of access for distributed administration.
Panorama is available in two platforms: as a virtual appliance and as a dedicated hardware appliance. For more information, see Panorama Platforms.
Panorama Platforms
Panorama is available in the following platforms, each of which supports licenses for managing up to 25, 100, or 1,000 firewalls:
- Panorama virtual appliance: You can install the Panorama virtual appliance on a VMware ESXi server or in VMware vCloud Air. The virtual appliance allows for a simple installation and facilitates server consolidation for sites that need a virtual management appliance. It also supports integration with a Network File System (NFS) datastore for increased storage and log retention beyond 2 TB. The Panorama virtual appliance works best in environments with logging rates of up to 10,000 logs per second. You can forward firewall logs directly to the Panorama virtual appliance (see Deploy Panorama Virtual Appliances with Local Log Collection) or use the Panorama virtual appliance to manage Dedicated Log Collectors that are M-Series appliances (see Deploy Panorama with Dedicated Log Collectors).
- M-Series appliance: The M-100 appliance and M-500 appliance are dedicated hardware platforms intended for large-scale deployments. In environments with high logging rates (over 10,000 logs per second) and log retention requirements, these appliances enable scaling of your log collection infrastructure. Both appliances use RAID drives to store firewall logs and support RAID 1 mirroring to protect against disk failures. Both appliances use an SSD to store the logs that Panorama and Log Collectors generate. Only the M-500 appliance has redundant, hot-swappable power supplies and front-to-back airflow. The M-500 appliance also has faster processors and greater memory for better performance (for example, faster commit times). These attributes make the M-500 appliance more suitable for data centers than the M-100 appliance. The log storage capacity and maximum log collection rate vary by appliance:

  Appliance        SSD Storage   Default RAID Storage    Maximum RAID Storage     Maximum Logging Rate
  M-100 appliance  120 GB        2 drives (1 TB total)   8 drives (4 TB total)    30,000 logs/second
  M-500 appliance  240 GB        8 drives (4 TB total)   16 drives (8 TB total)   60,000 logs/second

  You can deploy the M-Series appliance in the following modes to separate the central management function from the log collection function:
  - Panorama mode: The appliance performs both central management and log collection. This is the default mode. For configuration details, see Deploy Panorama with Default Log Collectors.
  - Log Collector mode: The appliance functions as a Dedicated Log Collector. If multiple firewalls forward large volumes of log data, the M-Series appliance in Log Collector mode provides increased scale and performance. In this mode, the appliance has no web interface for administrative access, only a command line interface (CLI). However, you can manage the appliance using the web interface of the Panorama management server (M-Series appliance in Panorama mode or a Panorama virtual appliance). CLI access to an M-Series appliance in Log Collector mode is only necessary for initial setup and debugging. For configuration details, see Deploy Panorama with Dedicated Log Collectors.
  For more details and specifications, see the M-100 and M-500 Hardware Reference Guides.
The platform choice depends on your need for a virtual appliance and your log collection requirements (see Determine Panorama Log Storage Requirements):
  Log Collection Rate        Platform
  Up to 10,000 logs/second   Panorama virtual appliance
  Up to 30,000 logs/second   M-100 appliance
  Up to 60,000 logs/second   M-500 appliance
Centralized Configuration and Deployment Management
Panorama uses device groups and templates to group firewalls into logical sets that require similar configuration. You use the device groups and templates to centrally manage all configuration elements, policies, and objects on the managed firewalls. Panorama also enables you to centrally manage licenses, software (PAN-OS software, SSL-VPN client software, GlobalProtect agent/app software), and content updates (Applications, Threats, WildFire, and Antivirus).
- Context Switch: Firewall or Panorama
- Templates and Template Stacks
- Device Groups
Context Switch: Firewall or Panorama
The Panorama web interface enables you to toggle between a Panorama-centric view and a firewall-centric view by using the Context drop-down at the top left of every tab. You can set the Context to Panorama to manage firewalls centrally or switch context to the web interface of a specific firewall to configure it locally. The similarity of the Panorama and firewall web interfaces enables you to seamlessly move between them to administer and monitor firewalls.
The Context drop-down lists only the firewalls that are connected to Panorama. For a Device Group and Template administrator, the drop-down lists only the connected firewalls that are within the Access Domains assigned to that administrator. To search a long list, use the Filters within the drop-down.
For firewalls that have a high availability (HA) configuration, the icons have colored backgrounds to indicate HA state (as follows). Knowing the HA state is useful when selecting a firewall context. For example, you generally make firewall-specific configuration changes on the active firewall.
- Green: Active.
- Yellow: Passive, or the firewall is initiating (the initiating state lasts for up to 60 seconds after bootup).
- Red: The firewall is non-functional (error state), suspended (an administrator disabled the firewall), or tentative (for a link or path monitoring event in an active/active HA configuration).
Templates and Template Stacks
You use templates to configure the settings that enable firewalls to operate on the network. Templates enable you to define a common base configuration using the Network and Device tabs on Panorama. For example, you can use templates to manage interface and zone configurations, server profiles for logging and syslog access, and network profiles for controlling access to zones and IKE gateways. When defining a template, consider assigning firewalls that are the same hardware model and require access to similar network resources, such as gateways and syslog servers.
If your network has groups of firewalls with some group-specific settings and some settings that are common across groups, you can simplify management by assigning the firewalls to a template stack for each group. A template stack is a combination of templates: the assigned firewalls inherit the settings from every template in the stack. This enables you to avoid the redundancy of adding every setting to every template. The following figure illustrates an example deployment in which you assign data center firewalls in the Asia Pacific (APAC) region to a stack that has one template with global settings, one template with APAC-specific settings, and one template with data center-specific settings. To manage firewalls in an APAC branch office, you can then reuse the global and APAC-specific templates by adding them to another stack that includes a template with branch-specific settings. Templates in a stack have a configurable priority order that ensures Panorama pushes only one value for any duplicate setting. Panorama evaluates the templates listed in a stack configuration from top to bottom, with higher templates having priority. The following figure illustrates a data center stack in which the data center template has a higher priority than the global template: Panorama pushes the idle timeout value from the data center template and ignores the value from the global template.
Figure: Template Stacks
To accommodate firewalls that have unique settings, you can use templates (single or stacked) to push a limited common base configuration to all firewalls, and in individual firewalls configure device-specific settings. Alternatively, you can push a broader common base configuration and in the individual firewalls override certain pushed settings with device-specific values. When you override a setting, the firewall saves that setting to its local configuration; Panorama no longer manages the setting. To restore template values after overriding them, you can use Panorama to force the template configuration onto a firewall. For example, after defining a common NTP server in a template and overriding the NTP server configuration on a firewall to accommodate its local time zone, you can later revert to the NTP server defined in the template.
You cannot use templates to set firewall modes: virtual private network (VPN) mode, multiple virtual systems mode (multi-vsys mode), and operational mode (normal, Federal Information Processing Standards [FIPS], or Common Criteria [CC]). For details, see Template Capabilities and Exceptions. However, you can assign firewalls that have non-matching modes to the same template or stack. In such cases, Panorama pushes mode-specific settings only to firewalls that support those modes. As an exception, you can configure Panorama to push the settings of the default vsys in a template to firewalls that don't support virtual systems or have none configured.
For the relevant procedures, see Manage Templates and Template Stacks.
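The stack priority and override behaviour described above, as an added example that is not part of this guide or of the Panorama software: a small Python model in which a stack is a list of templates ordered from top (highest priority) to bottom, so the first template that defines a setting supplies the value Panorama pushes, and a firewall keeps a local override until a forced push clears it. The setting paths, template contents and firewall name are constructed for illustration.

```python
"""Template stack resolution and firewall overrides, modelled on the
Panorama behaviour described above. Added example, not Panorama code;
all setting paths and values below are constructed sample data."""
from typing import Any, Dict, List, Optional

# Constructed templates: a flat mapping of setting path -> value.
GLOBAL_TEMPLATE = {
    "device/setting/management/idle-timeout": 60,
    "device/ntp/primary": "ntp.corp.example",
    "network/interface/ethernet1/1/zone": "untrust",
}
APAC_TEMPLATE = {
    "device/syslog/server": "syslog.apac.example",
}
DATACENTER_TEMPLATE = {
    "device/setting/management/idle-timeout": 10,
}


def resolve_stack(stack: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Merge templates in stack order. The stack is listed top (highest
    priority) to bottom, so the first template that defines a setting wins
    and only that one value is pushed for any duplicate setting."""
    merged: Dict[str, Any] = {}
    for template in stack:
        for key, value in template.items():
            merged.setdefault(key, value)   # keep the higher-priority value
    return merged


class Firewall:
    """Tracks settings pushed from a stack and settings overridden locally.
    Once a setting is overridden, the stack no longer manages it on this
    firewall until template values are forced back onto it."""

    def __init__(self, name: str):
        self.name = name
        self.pushed: Dict[str, Any] = {}
        self.overrides: Dict[str, Any] = {}

    def push(self, stack_values: Dict[str, Any], force: bool = False) -> None:
        """A normal push leaves local overrides in place; a forced push
        discards them so the firewall inherits only the stack settings."""
        if force:
            self.overrides.clear()
        self.pushed = dict(stack_values)

    def override(self, key: str, value: Any) -> None:
        self.overrides[key] = value

    def effective(self, key: str) -> Optional[Any]:
        """Local override wins over the pushed value for that setting."""
        return self.overrides.get(key, self.pushed.get(key))


def demo() -> Dict[str, Any]:
    """Data center stack: data center template on top, then APAC, then global.
    Branch stack: APAC and global only."""
    dc_stack = [DATACENTER_TEMPLATE, APAC_TEMPLATE, GLOBAL_TEMPLATE]
    branch_stack = [APAC_TEMPLATE, GLOBAL_TEMPLATE]
    timeout_key = "device/setting/management/idle-timeout"

    fw = Firewall("dc-apac-fw1")                           # constructed name
    fw.push(resolve_stack(dc_stack))
    fw.override("device/ntp/primary", "ntp.local.example")  # local time zone
    ntp_while_overridden = fw.effective("device/ntp/primary")
    fw.push(resolve_stack(dc_stack), force=True)           # revert to template

    return {
        "dc_idle_timeout": resolve_stack(dc_stack)[timeout_key],
        "branch_idle_timeout": resolve_stack(branch_stack)[timeout_key],
        "ntp_while_overridden": ntp_while_overridden,
        "ntp_after_force": fw.effective("device/ntp/primary"),
    }


if __name__ == "__main__":
    print(demo())
```

The `force=True` path is the point to check in practice: a plain push silently leaves every overridden setting alone, so a firewall that was "fixed" by hand keeps drifting from the stack until someone forces template values onto it.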
Device Groups
To use Panorama effectively, you have to group the firewalls in your network into logical units called device groups. A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls that require similar policy configurations. Using device groups, you can configure policy rules and the objects they reference. You can organize device groups hierarchically, with shared rules and objects at the top, and device group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that enforce how firewalls handle traffic. For example, you can define a set of shared rules as a corporate acceptable use policy. Then, to allow only regional offices to access peer-to-peer traffic such as BitTorrent, you can define a device group rule that Panorama pushes only to the regional offices (or define a shared security rule and target it to the regional offices). For the relevant procedures, see Manage Device Groups. The following topics describe device group concepts and components in more detail:
- Device Group Hierarchy
- Device Group Policies
- Device Group Objects
Device Group Hierarchy
You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four levels, with lower-level groups inheriting the settings (policy rules and objects) of higher-level groups. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups (ancestors). At the top level, a device group can have child, grandchild, and great-grandchild device groups (descendants). All device groups inherit settings from the Shared location, a container at the top of the hierarchy for configurations that are common to all device groups.
Creating a device group hierarchy enables you to organize devices based on common policy requirements without redundant configuration. For example, you could configure shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at lower levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared.
Figure: Device Group Hierarchy
For details on the order in which firewalls evaluate policy rules in a device group hierarchy, see Device Group Policies. For details on overriding the values of objects that device groups inherit from ancestor device groups, see Device Group Objects.
Device Group Policies
Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. A firewall evaluates policy rules by layer (shared, device group, and local) and by type (pre-rules, post-rules, and default rules) in the following order from top to bottom. When the firewall receives traffic, it performs the action defined in the first evaluated rule that matches the traffic and disregards all subsequent rules. To change the evaluation order for rules within a particular layer, type, and rulebase (for example, shared Security pre-rules), see Manage the Rule Hierarchy.
Evaluation order (top to bottom), with the rule scope and administration platform for each layer:

1. Shared pre-rules
2. Device group pre-rules
   Scope: Panorama pushes shared pre-rules to all the firewalls in all device groups. Panorama pushes device group-specific pre-rules to all the firewalls in a particular device group and its descendant device groups. If a firewall inherits rules from device groups at multiple levels in the device group hierarchy, it evaluates pre-rules in the order of highest to lowest level. This means the firewall first evaluates shared rules and last evaluates the rules of device groups with no descendants. You can use pre-rules to enforce the acceptable use policy of an organization. For example, a pre-rule might block access to specific URL categories or allow Domain Name System (DNS) traffic for all users.
   Administration platform: These rules are visible on firewalls but you can only manage them in Panorama.

3. Local firewall rules
   Scope: Local rules are specific to a single firewall or virtual system (vsys).
   Administration platform: A local firewall administrator, or a Panorama administrator who switches to a local firewall context, can edit local firewall rules.

4. Device group post-rules
5. Shared post-rules
   Scope: Panorama pushes post-rules with the same scoping as pre-rules, but the firewall evaluates them after its local rules and in the reverse order of the levels: device group post-rules (lowest level first) and then shared post-rules.
   Administration platform: Like pre-rules, these rules are visible on firewalls but you can only manage them in Panorama.

6. intrazone-default
7. interzone-default
   Scope: The default rules apply only to the Security rulebase, and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). These rules specify how PAN-OS handles traffic that doesn't match any other rule. The intrazone-default rule allows all traffic within a zone. The interzone-default rule denies all traffic between zones. If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.
   Administration platform: Default rules are initially read-only, either because they are part of the predefined configuration or because Panorama pushed them to firewalls. However, you can override the rule settings for tags, action, logging, and security profiles. The device context determines the level at which you can override the rules:
   - Panorama: At the Shared or device group level, you can override default rules that are part of the predefined configuration.
   - Firewall: You can override default rules that are part of the predefined configuration on the firewall or vsys, or that Panorama pushed from the Shared location or a device group.
Whether you view rules on a firewall or in Panorama, the web interface displays them in evaluation order. All the shared, device group, and default rules that the firewall inherits from Panorama appear in green, while local firewall rules appear in blue between the pre-rules and post-rules.
Figure: Rule Hierarchy
Device Group Objects
Objects are configuration elements that policy rules reference, for example: IP addresses, URL categories, security profiles, users, services, and applications. Rules of any type (pre-rules, post-rules, default rules, and rules locally defined on a firewall) and any rulebase (Security, NAT, QoS, Policy Based Forwarding, Decryption, Application Override, Captive Portal, and DoS Protection) can reference objects. You can reuse an object in any number of rules that have the same scope as that object in the Device Group Hierarchy. For example, if you add an object to the Shared location, all rules in the hierarchy can reference that shared object because all device groups inherit objects from Shared. If you add an object to a particular device group, only the rules in that device group and its descendant device groups can reference that device group object. If object values in a device group must differ from those inherited from an ancestor device group, you can Override Inherited Object Values. You can also Revert to Inherited Object Values at any time. When you Create Objects for Use in Shared or Device Group Policy once and use them many times, you reduce administrative overhead and ensure consistency across firewall policies.
You can configure how Panorama handles objects system-wide:
- Pushing unused objects: By default, Panorama pushes all objects to firewalls regardless of whether any shared or device group policy rules reference the objects. Optionally, you can configure Panorama to push only referenced objects. For details, see Manage Unused Shared Objects.
- Precedence of ancestor and descendant objects: By default, when device groups at multiple levels in the hierarchy have an object with the same name but different values (because of overrides, as an example), policy rules in a descendant device group use the object values in that descendant instead of object values inherited from ancestor device groups or Shared. Optionally, you can reverse this order of precedence to push values from Shared or the highest ancestor containing the object to all descendant device groups. For details, see Manage Precedence of Inherited Objects.
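An added example, not Panorama code, that models both the rule evaluation order from Device Group Policies and the object precedence from Device Group Objects above for a firewall in a three-level hierarchy (Shared, a regional device group, and a descendant). The device group names, rule names and object values are constructed; the ordering follows the layer order Panorama uses (shared and device group pre-rules from the highest level down, local rules, device group and shared post-rules from the lowest level up, then the default rules), and object lookup walks the same chain in either direction depending on the precedence setting.

```python
"""Device group hierarchy: rule evaluation order and object precedence.
Added example, not Panorama code; device groups, rules and objects are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)
    objects: Dict[str, str] = field(default_factory=dict)   # name -> value

    def ancestors(self) -> List["DeviceGroup"]:
        """Chain from Shared (top of the hierarchy) down to this group."""
        chain, group = [], self
        while group is not None:
            chain.append(group)
            group = group.parent
        return list(reversed(chain))


def evaluation_order(group: DeviceGroup, local_rules: List[str]) -> List[str]:
    """Order in which a firewall in `group` evaluates its Security rules:
    pre-rules from Shared down to the firewall's own group, then local rules,
    then post-rules from the firewall's group back up to Shared, then the
    predefined default rules. The first matching rule decides the action."""
    chain = group.ancestors()
    order: List[str] = []
    for level in chain:                      # highest level first
        order += level.pre_rules
    order += local_rules
    for level in reversed(chain):            # lowest level first
        order += level.post_rules
    order += ["intrazone-default", "interzone-default"]
    return order


def resolve_object(group: DeviceGroup, name: str,
                   ancestor_wins: bool = False) -> Optional[str]:
    """Default precedence: the nearest (descendant) definition overrides values
    inherited from ancestors. With ancestor_wins=True the precedence is reversed
    and the value from Shared or the highest ancestor holding the object is used."""
    chain = group.ancestors()
    search = chain if ancestor_wins else list(reversed(chain))
    for level in search:
        if name in level.objects:
            return level.objects[name]
    return None


def build_hierarchy() -> Dict[str, DeviceGroup]:
    """Constructed three-level hierarchy: Shared > regional-offices > london."""
    shared = DeviceGroup("Shared",
                         pre_rules=["block-malware-urls", "allow-dns"],
                         post_rules=["shared-deny-all-log"],
                         objects={"dns-servers": "10.0.0.53", "proxy": "10.0.0.8"})
    regional = DeviceGroup("regional-offices", parent=shared,
                           pre_rules=["allow-bittorrent-regional"],
                           objects={"proxy": "10.20.0.8"})   # overrides Shared
    london = DeviceGroup("london", parent=regional,
                         post_rules=["london-deny-guest"])
    return {"Shared": shared, "regional-offices": regional, "london": london}


if __name__ == "__main__":
    groups = build_hierarchy()
    print(evaluation_order(groups["london"], ["local-lab-allow"]))
    print(resolve_object(groups["london"], "proxy"))
    print(resolve_object(groups["london"], "proxy", ancestor_wins=True))
```

The useful check is the object lookup under both precedence settings: an override of `proxy` in `regional-offices` is what the London firewall gets by default, but flipping the precedence makes Panorama push the Shared value instead, which silently changes what every descendant rule referencing that object matches.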
Centralized Logging and Reporting
Panorama aggregates data from all managed firewalls and provides visibility across all the traffic on the network. It also provides an audit trail for all policy modifications and configuration changes made to the managed firewalls. In addition to aggregating logs, Panorama can aggregate and forward Simple Network Management Protocol (SNMP) traps, email notifications, and syslog messages to an external destination.
The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all the firewalls. It enables you to centrally Monitor Network Activity, to analyze, investigate, and report on traffic and security incidents. On Panorama, you can view logs and generate reports from logs forwarded to Panorama or to the managed Log Collectors, if configured, or you can query the managed firewalls directly. For example, you can generate reports about traffic, threat, and/or user activity in the managed network based on logs stored on Panorama (and the managed collectors) or by accessing the logs stored locally on the managed firewalls.
If you choose not to Configure Log Forwarding to Panorama, you can schedule reports to run on each managed firewall and forward the results to Panorama for a combined view of user activity and network traffic. Although this view does not provide a granular drill-down on specific data and activities, it still provides a unified reporting approach.
- Logging Options
- Managed Collectors and Collector Groups
- Caveats for a Collector Group with Multiple Log Collectors
- Centralized Reporting
Logging Options
Both the Panorama virtual appliance and M-Series appliance can collect logs that the managed firewalls forward. You can then Configure Log Forwarding from Panorama to External Destinations (syslog server, email server, or Simple Network Management Protocol [SNMP] trap server). The logging options vary on each Panorama platform.
Note: The PA-7000 Series firewall can't forward logs to Panorama, only to external services directly. However, when you monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real time to display its log data.

Panorama Platform: Virtual appliance
Logging Options: Offers three logging options:
- Use the approximately 11 GB of internal storage space allocated for logging as soon as you install the virtual appliance.
- Add a virtual disk that can support up to 2 TB of storage.
- Mount a Network File System (NFS) datastore in which you can configure the storage capacity that is allocated for logging.

Panorama Platform: M-Series appliance
Logging Options: The default shipping configuration for the M-100 appliance includes two disks with a total of 1 TB storage capacity. For the M-500 appliance, the default configuration includes eight disks for 4 TB of storage. Both appliances use RAID 1 to protect against disk failures. You can Increase Storage on the M-Series Appliance to 4 TB on the M-100 appliance and 8 TB on the M-500 appliance. When an M-Series appliance is in Panorama mode, you can enable the RAID disks to serve as the default Log Collector. If an M-Series appliance is in Log Collector mode (Dedicated Log Collector), you use Panorama to assign firewalls to the Dedicated Log Collectors. In a deployment with multiple Dedicated Log Collectors, Panorama queries all managed Log Collectors to generate an aggregated view of traffic and cohesive reports. For easy scaling, begin with a single Panorama and incrementally add Dedicated Log Collectors as your needs expand.
Managed Collectors and Collector Groups
A Log Collector can be local to an M-Series appliance in Panorama mode (default Log Collector) or can be an M-Series appliance in Log Collector mode (Dedicated Log Collector). Because you use Panorama to configure and manage Log Collectors, they are also known as managed collectors. An M-Series appliance in Panorama mode or a Panorama virtual appliance can manage Dedicated Log Collectors. To administer Dedicated Log Collectors using the Panorama web interface, you must add them as managed collectors. Otherwise, administrative access to a Dedicated Log Collector is only available through its CLI using the default administrative user (admin) account. Dedicated Log Collectors do not support additional administrative user accounts.
A Collector Group is one or more managed collectors that operate as a single logical log collection unit. If the group contains Dedicated Log Collectors, the logs are uniformly distributed across all the disks in each Log Collector and across all members in the Collector Group. This distribution maximizes the use of the available storage space. To manage a Log Collector, you must add it to a Collector Group. If you assign more than one Log Collector to a Collector Group, see Caveats for a Collector Group with Multiple Log Collectors.
The Collector Group configuration specifies which managed firewalls can send logs to the Log Collectors in the group. After you configure the Log Collectors and enable the firewalls to forward logs, each firewall forwards its logs to the assigned Log Collector.
Managed collectors and Collector Groups are integral to a distributed log collection deployment on Panorama. A distributed log collection deployment allows for easy scalability and incremental addition of Dedicated Log Collectors as your logging needs grow. The M-Series appliance in Panorama mode can log to its default Collector Group and then be expanded to a distributed log collection deployment with one or more Collector Groups that include Dedicated Log Collectors.
To configure Log Collectors and Collector Groups, see Manage Collector Groups.
Caveats for a Collector Group with Multiple Log Collectors
You can Configure a Collector Group with multiple Log Collectors to ensure log redundancy or to accommodate logging rates that exceed the capacity of a single Log Collector (see Panorama Platforms). For example, if a single managed firewall generates 16 TB of logs, the Collector Group that receives those logs will require at least four Log Collectors that are M-100 appliances or two Log Collectors that are M-500 appliances.
A Collector Group with multiple Log Collectors uses the available storage space as one logical unit and uniformly distributes the logs across all its Log Collectors. The log distribution is based on the disk capacity of the Log Collectors (1 TB to 8 TB, depending on the number of disk pairs and the M-Series platform) and a hash algorithm that dynamically decides which Log Collector owns the logs and writes to disk. Although Panorama uses a preference list to prioritize the list of Log Collectors to which a managed firewall can forward logs, Panorama does not necessarily write the logs to the first Log Collector specified in the preference list. For example, consider the following preference list:

  Managed Firewall   Log Forwarding Preference List Defined on a Collector Group
  FW1                L1, L2, L3
  FW2                L4, L5, L6

Using this list, FW1 will forward logs to L1, its primary Log Collector, but the hash algorithm could determine that the logs will be written on L2. If L2 becomes inaccessible or has a chassis failure, FW1 will not know about its failure because it is still able to connect to L1, its primary Log Collector.
In the case where a Collector Group has only one Log Collector and the Log Collector fails, the firewall stores the logs to its HDD/SSD (the available storage space varies by hardware model), and resumes forwarding logs to the Log Collector where it left off before the failure occurred as soon as connectivity is restored.
With multiple Log Collectors in a Collector Group, the firewall does not buffer logs to its local storage when it can connect to its primary Log Collector. Therefore, FW1 will continue sending logs to L1. Because L2 is unavailable, the primary Log Collector L1 buffers the logs to its HDD, which has 10 GB of log space. If L2 remains unavailable and the logs pending for L2 exceed 10 GB, L1 will overwrite the older log entries to continue logging. In such an event, loss of logs is a risk.
Palo Alto Networks recommends the following mitigations if using multiple Log Collectors in a Collector Group:
- Enable log redundancy when you Configure a Collector Group. This ensures that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector.
  Because enabling redundancy creates more logs, this configuration requires more storage capacity. When a Collector Group runs out of space, it deletes older logs.
  Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.
- Obtain an On-Site Spare (OSS) to enable prompt replacement if a Log Collector failure occurs.
- In addition to forwarding logs to Panorama, configure forwarding to an external service as backup storage. The external service can be a syslog server, email server, or Simple Network Management Protocol (SNMP) trap server.
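Sizing a Collector Group and the buffering failure mode above, as an added Python example that is not part of this guide or of Panorama: the storage and rate figures come from the M-100 and M-500 tables in Panorama Platforms and the 10 GB buffer from the caveat text, while the firewall and collector names and the per-hour log volumes are constructed inputs. It shows the 16 TB sizing from the text, how redundancy doubles the storage needed and halves the group rate, and how long L2 can stay down before L1's buffer for it overflows.

```python
"""Collector Group sizing and the multi-collector buffering caveat.
Added example, not Panorama code. Capacities are taken from the platform
tables above; names and log volumes below are constructed."""
import math
from typing import Dict

# Maximum RAID storage (TB) and logging rate (logs/second) per platform.
PLATFORM = {
    "M-100": {"max_tb": 4, "max_rate": 30_000},
    "M-500": {"max_tb": 8, "max_rate": 60_000},
}

# Constructed assumption: space the primary collector has for buffering logs
# that belong to an unreachable peer, per the caveat text (10 GB).
PRIMARY_BUFFER_GB = 10.0


def collectors_required(total_tb: float, model: str, redundancy: bool = False) -> int:
    """Minimum number of Log Collectors of one model to hold total_tb of logs.
    Log redundancy keeps two copies of every log on different collectors, so
    it doubles the space the group must provide."""
    needed_tb = total_tb * (2 if redundancy else 1)
    return math.ceil(needed_tb / PLATFORM[model]["max_tb"])


def group_max_rate(model: str, count: int, redundancy: bool = False) -> int:
    """Aggregate logging rate of a Collector Group. Redundancy halves it,
    because each collector also distributes a copy of every log it receives."""
    rate = PLATFORM[model]["max_rate"] * count
    return rate // 2 if redundancy else rate


def simulate_peer_failure(pending_gb_per_hour: float, hours_down: float,
                          redundancy: bool = False) -> Dict[str, float]:
    """FW1 forwards to L1 (its primary), but the hash assigns its logs to L2
    and L2 is down. FW1 keeps connecting to L1, so it never buffers locally;
    L1 buffers the logs pending for L2 and overwrites the oldest entries once
    PRIMARY_BUFFER_GB is exhausted. With redundancy the second copy already
    lives on another collector, so nothing is lost when one member fails."""
    pending_gb = pending_gb_per_hour * hours_down
    lost_gb = 0.0 if redundancy else max(0.0, pending_gb - PRIMARY_BUFFER_GB)
    hours_until_loss = (math.inf if redundancy or pending_gb_per_hour == 0
                        else PRIMARY_BUFFER_GB / pending_gb_per_hour)
    return {"pending_gb": pending_gb, "lost_gb": lost_gb,
            "hours_until_loss": hours_until_loss}


if __name__ == "__main__":
    print(collectors_required(16, "M-100"), collectors_required(16, "M-500"))
    print(collectors_required(16, "M-100", redundancy=True))
    print(group_max_rate("M-500", 2), group_max_rate("M-500", 2, redundancy=True))
    print(simulate_peer_failure(2.5, 6))
    print(simulate_peer_failure(2.5, 6, redundancy=True))
```

`hours_until_loss` is the number to compare against your hardware replacement time: if an On-Site Spare cannot be swapped in before L1's buffer for the failed peer fills, redundancy or external syslog forwarding is the only thing standing between you and a gap in the audit trail.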
Centralized Reporting
Panorama aggregates logs from all managed firewalls and enables reporting on the aggregated data for a global view of application use, user activity, and traffic patterns across the entire network infrastructure. As soon as the firewalls are added to Panorama, the ACC can display all traffic traversing your network. With logging enabled, clicking into a log entry in the ACC provides direct access to granular details about the application.
For generating reports, Panorama uses two sources: the local Panorama database and the remote firewalls that it manages. The Panorama database refers to the local storage on Panorama that is allocated for storing both summarized logs and some detailed logs. If you have a distributed Log Collection deployment, the Panorama database includes the local storage on Panorama and all the managed Log Collectors. Panorama summarizes the information (traffic, application, threat) collected from all managed firewalls at 15-minute intervals. Using the local Panorama database allows for faster response times; however, if you prefer not to forward logs to Panorama, Panorama can directly access the remote firewall and run reports on data that is stored locally on the managed firewalls.
Panorama offers more than 40 predefined reports that can be used as is, or they can be customized by combining elements of other reports to generate custom reports and report groups that can be saved. Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery. These reports provide information on the user and the context so that you can correlate events and identify patterns, trends, and potential areas of interest. With the integrated approach to logging and reporting, the ACC enables correlation of entries from multiple logs relating to the same event.
For more information, see Monitor Network Activity.
Panorama Commit Operations
When editing the configuration on Panorama, you are changing the candidate configuration file. The candidate configuration is a copy of the running configuration along with any changes you made since the last commit. The Panorama web interface displays all the configuration changes immediately. However, Panorama won't implement the changes until you commit them. The commit process validates the changes in the candidate configuration file and saves it as the running configuration on Panorama.
Note: After any system event or administrator action causes Panorama to reboot, all your changes since the last commit will be lost. To preserve changes without committing them, periodically click Save at the top right of the web interface to save a snapshot of the candidate configuration. If a reboot occurs, you can then revert to the snapshot. For details on backing up and restoring running and candidate configurations, see Manage Panorama and Firewall Configuration Backups.
When initiating a commit on Panorama, select one of the following types:

  Commit Option     Description
  Panorama          Commits the changes on the current candidate configuration to the running configuration on Panorama. You must first commit your changes on Panorama before committing any configuration updates (templates or device groups) to the managed firewalls or Collector Groups.
  Template          Commits network and device configurations from a Panorama template or template stack to the selected firewalls.
  Device Group      Commits policies and objects configured from Panorama to the selected firewalls/virtual systems.
  Collector Group   Commits changes to the specified Collector Groups that Panorama manages.

When you perform a commit, Panorama pushes the entire configuration to the managed firewalls or Log Collectors. When the commit completes, a result displays: Commit succeeded or Commit succeeded with warnings.
Note: Panorama can't perform a device group or template commit to firewalls while a local commit is in progress on those firewalls. The local commit can be manual (you click Commit) or automatic. PAN-OS performs an automatic commit when you downgrade content versions (for example, the WildFire version), or refresh address objects, FQDNs, or dynamic block lists.
Some other commit choices are:
option overrides all local configuration and removes objects on the selected firewalls or virtual systems that don't exist in the template or template stack, or are overridden in the local configuration. This is an override that reverts all existing configuration on the managed firewall, and ensures that the firewall inherits only the settings defined in the template or template stack.
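The commit types in the table above, driven through the Panorama XML API. This is an added example, not code from the guide or from Palo Alto Networks. The request shapes (type=commit with <commit></commit> for a Panorama commit; type=commit&action=all with a <commit-all> body for template and device-group pushes; type=op with <show><jobs><id>N</id></jobs></show> for job status) are the author's recollection of the PAN-OS XML API and should be verified against the API browser at https://<panorama>/api for your release. The API key placeholder and the three sample responses are constructed so the code runs with no Panorama reachable. The example orders the Panorama commit ahead of any push, as the table requires, escapes names placed into the command XML, and maps a finished job that carries warning lines to the "Commit succeeded with warnings" result.

```python
"""Drive Panorama commit types through the PAN-OS XML API, offline.

Added example, not Panorama guide or Palo Alto Networks code. Request
shapes are assumptions to verify against your release's API browser;
API_KEY and the SAMPLE_* responses are constructed.
"""
from urllib.parse import urlencode
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

API_KEY = "REPLACE-WITH-KEYGEN-OUTPUT"  # assumption: obtained via type=keygen


def commit_request(kind, name=None):
    """Build the query string for one commit type from the table above.

    Names are XML-escaped so a device group called e.g. dg"/><x cannot
    alter the command body that Panorama parses.
    """
    if kind == "panorama":
        params = {"type": "commit", "cmd": "<commit></commit>"}
    elif kind == "device-group":
        if not name:
            raise ValueError("device-group commit needs a device group name")
        cmd = ("<commit-all><shared-policy><device-group><entry name="
               + quoteattr(name)
               + "/></device-group></shared-policy></commit-all>")
        params = {"type": "commit", "action": "all", "cmd": cmd}
    elif kind == "template":
        if not name:
            raise ValueError("template commit needs a template name")
        cmd = ("<commit-all><template><name>" + escape(name)
               + "</name></template></commit-all>")
        params = {"type": "commit", "action": "all", "cmd": cmd}
    else:
        raise ValueError(f"unknown commit kind {kind!r}")
    params["key"] = API_KEY
    return urlencode(params)


def push_sequence(device_groups=(), templates=()):
    """Order commits as the guide requires: Panorama first, then the pushes."""
    seq = [("panorama", None)]
    seq += [("template", t) for t in templates]
    seq += [("device-group", d) for d in device_groups]
    return seq


def parse_enqueue(xml_text):
    """Return the job id from a commit response, or raise on an API error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        lines = [ln.text or "" for ln in root.iter("line")]
        raise RuntimeError("commit rejected: " + " ".join(lines))
    job = root.findtext("./result/job")
    if job is None:
        raise RuntimeError("no job id in response")
    return int(job)


def parse_job(xml_text):
    """Classify a show-jobs response as (finished, result, warnings).

    FIN/OK with no warning lines is the guide's 'Commit succeeded';
    FIN/OK with warning lines is 'Commit succeeded with warnings'.
    """
    job = ET.fromstring(xml_text).find("./result/job")
    if job is None:
        raise RuntimeError("no job element in response")
    finished = job.findtext("status") == "FIN"
    warnings = [ln.text for ln in job.findall("./warnings/line") if ln.text]
    return finished, job.findtext("result"), warnings


# Constructed responses, shaped like PAN-OS XML API output (not captures).
SAMPLE_ENQUEUE = (
    '<response status="success" code="19"><result>'
    '<msg><line>Commit job enqueued with jobid 42</line></msg>'
    '<job>42</job></result></response>')
SAMPLE_JOB = (
    '<response status="success"><result><job><id>42</id>'
    '<type>Commit</type><status>FIN</status><result>OK</result>'
    '<details><line>Configuration committed successfully</line></details>'
    '<warnings><line>Rule allow-any has no log forwarding profile</line></warnings>'
    '</job></result></response>')
SAMPLE_REJECT = (
    '<response status="error" code="13"><msg>'
    '<line>Panorama configuration must be committed first</line>'
    '</msg></response>')

if __name__ == "__main__":
    for kind, name in push_sequence(["branch-dg"], ["branch-tpl"]):
        print(kind, "->", commit_request(kind, name))
    print("job", parse_enqueue(SAMPLE_ENQUEUE), parse_job(SAMPLE_JOB))
```

To use it against a real Panorama, send each query string to https://<panorama>/api/ over HTTPS with certificate verification on, feed the response bodies to parse_enqueue and then poll parse_job until finished is true before issuing the next item of push_sequence; a non-success enqueue response surfaces as RuntimeError carrying the server's message.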
Role-Based Access Control
Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user account that specifies a role and authentication method. Administrative Roles define access to specific configuration settings, logs, and reports within Panorama and firewall contexts. For Device Group and Template administrators, you can map roles to Access Domains, which define access to specific device groups, templates, and firewalls (through context switching). By combining each access domain with a role, you can enforce the separation of information among the functional or regional areas of your organization. For example, you can limit an administrator to monitoring activities for data center firewalls but allow that administrator to set policies for test lab firewalls.

By default, every Panorama appliance (virtual appliance or M-Series appliance) has a predefined administrative account (admin) that provides full read-write access (superuser access) to all functional areas and to all device groups, templates, and firewalls. For each administrator, you can define the minimum password complexity, a password profile, and an authentication profile that determines how Panorama verifies user access credentials.

Instead of using the default account for all administrators, it is a best practice to create a separate administrative account for each person who needs access to the administrative or reporting functions on Panorama. This provides better protection against unauthorized configuration changes and enables Panorama to log and identify the actions of each administrator.
Administrative Roles
Authentication Profiles and Sequences
Access Domains
Administrative Authentication
Administrative Roles

You configure administrator accounts based on the security requirements of your organization, any existing authentication services with which to integrate, and the required administrative roles. A role defines the type of system access that is available to an administrator. You can define and restrict access as broadly or granularly as required, depending on the security requirements of your organization. For example, you might decide that a data center administrator can have access to all device and networking configurations, but a security administrator can control only security policy definitions, while other key individuals can have limited CLI or XML API access. The role types are:

Dynamic Roles: These are built-in roles that provide access to Panorama and managed devices. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.
Dynamic Role: Superuser
    Full read-write access to Panorama.

Dynamic Role: Superuser (read-only)
    Read-only access to Panorama.

Dynamic Role: Panorama administrator
    Full access to Panorama except for the following actions:
    - Create, modify, or delete Panorama or device administrators and roles.
    - Export, validate, revert, save, load, or import a configuration in the Device > Setup > Operations page.
    - Configure Scheduled Config Export functionality in the Panorama tab.
Admin Role Profiles: To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the roles with corresponding access privileges: Panorama does not automatically add new features to custom role definitions. You select one of the following profile types when you Configure an Admin Role Profile.

Admin Role Profile: Panorama
    For these roles, you can assign read-write access, read-only access, or no access to all the Panorama features that are available to the superuser dynamic role except the management of Panorama administrators and Panorama roles. For the latter two features, you can assign read-only access or no access, but you cannot assign read-write access. An example use of a Panorama role would be for security administrators who require access to security policy definitions, logs, and reports on Panorama.

Admin Role Profile: Device Group and Template
    For these roles, you can assign read-write access, read-only access, or no access to specific functional areas within device groups, templates, and firewall contexts. By combining these roles with Access Domains, you can enforce the separation of information among the functional or regional areas of your organization. Device Group and Template roles have the following limitations:
    - No access to the CLI or XML API
    - No access to configuration or system logs
    - No access to VM information sources
    - In the Panorama tab, access is limited to:
      - Device deployment features (read-write, read-only, or no access)
      - The device groups specified in the administrator account (read-write, read-only, or no access)
      - The templates and managed devices specified in the administrator account (read-only or no access)
    An example use of this role would be for administrators in your operations staff who require access to the device and network configuration areas of the web interface for specific device groups and/or templates.
Authentication Profiles and Sequences

An authentication profile specifies the authentication service that validates the credentials of an administrator during login and defines how Panorama accesses the service. If you create a local administrator account on Panorama, you can authenticate the administrator to the local database, use an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or use Kerberos single sign-on (SSO). If you use an external service, you must configure a server profile before you Configure an Admin Role Profile. If you want to use an external service for both account administration (instead of creating local accounts) and for authentication, you must Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.
Some environments have multiple databases for different users and user groups. To authenticate to multiple authentication sources (for example, local database and LDAP), configure an authentication sequence. An authentication sequence is a ranked order of authentication profiles that an administrator is matched against when logging in. Panorama checks against the local database first, and then checks each profile in sequence until the administrator is successfully authenticated. The administrator is denied access to Panorama only if authentication fails for all the profiles defined in the authentication sequence.
Access Domains

Access domains control administrative access to specific device groups (to manage policies and objects) and templates (to manage network and device settings), and also control the ability to switch context to the web interface of managed firewalls. Access domains apply only to administrators with Device Group and Template roles. By combining access domains with Administrative Roles, you can enforce the separation of information among the functional or regional areas of your organization.

You can manage access domains locally or by using RADIUS Vendor-Specific Attributes (VSAs). To use RADIUS VSAs, your network requires an existing RADIUS server and you must configure a RADIUS server profile to define how Panorama accesses the server. On the RADIUS server, you define a VSA attribute number and value for each administrator. The value defined must match the access domain configured on Panorama. When an administrator tries to log in to Panorama, Panorama queries the RADIUS server for the administrator access domain and attribute number. Based on the response from the RADIUS server, the administrator is authorized for access and is restricted to the firewalls, virtual systems, device groups, and templates that are assigned to the access domain.

For the relevant procedures, see:
Configure an Access Domain.
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.
Administrative Authentication

The following methods are available to authenticate Panorama administrators:

Local administrator account with local authentication: Both the administrator account credentials and the authentication mechanisms are local to Panorama. To further secure the local administrator account, create a password profile that defines a validity period for passwords and set Panorama-wide password complexity settings. For details on how to configure this type of administrative access, see Configure an Administrator with Kerberos SSO, External, or Local Authentication.

Local administrator account with certificate or key-based authentication: With this option, the administrator accounts are local to Panorama, but authentication is based on Secure Shell (SSH) keys (for CLI access) or client certificates/common access cards (for the web interface). For details on how to configure this type of administrative access, see Configure an Administrator with Certificate-Based Authentication for the Web Interface and Configure an Administrator with SSH Key-Based Authentication for the CLI.

Local administrator account with external authentication: The administrator accounts are managed on Panorama, but existing external authentication services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as an alternative in case SSO fails. For details on how to configure this type of administrative access, see Configure an Administrator with Kerberos SSO, External, or Local Authentication.

External administrator account and authentication: An external RADIUS server handles account administration and authentication. To use this option, you must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator roles and access domains. For a high-level overview of the process, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication. For details on how to configure this type of administrative access, refer to Radius Vendor-Specific Attributes (VSAs).
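The RADIUS VSA exchange described under Access Domains and in the last method above, as an added example that is not code from the guide or from Palo Alto Networks. The wire format is the Vendor-Specific attribute of RFC 2865 section 5.26 (attribute type 26: vendor ID, then vendor-type, vendor-length and value). The vendor ID 25461 and the vendor-type numbers used here (3 for the Panorama admin role, 4 for the Panorama admin access domain) are the author's recollection of the PAN-OS RADIUS dictionary; treat them as assumptions and confirm them in the guide's RADIUS VSA procedure. The Access-Accept attribute bytes and the set of access domains configured on Panorama are constructed. The authorize function applies the guide's rule that the value the RADIUS server returns must match an access domain that exists on Panorama, and the decoder validates every length field so a malformed reply raises rather than being misread.

```python
"""Encode and decode Palo Alto Networks RADIUS VSAs for access domains.

Added example, not guide or Palo Alto Networks code. Vendor ID and
vendor-type numbers are assumptions to confirm against the guide's
RADIUS VSA procedure; the sample attributes are constructed.
"""
import struct

VENDOR_SPECIFIC = 26                    # RFC 2865 attribute type
PAN_VENDOR_ID = 25461                   # assumption, see lead-in
PAN_PANORAMA_ADMIN_ROLE = 3             # assumption
PAN_PANORAMA_ADMIN_ACCESS_DOMAIN = 4    # assumption


def encode_vsa(vendor_type, value, vendor_id=PAN_VENDOR_ID):
    """Return one RFC 2865 Vendor-Specific attribute carrying a string."""
    payload = value.encode("utf-8")
    # 255 max length - 2 outer header - 4 vendor id - 2 inner header
    if len(payload) > 247:
        raise ValueError("VSA value too long for one attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk a RADIUS attribute list; return [(vendor_id, vendor_type, value)].

    Non-VSA attributes are stepped over. Every length is checked before
    use so a truncated or malformed reply raises ValueError.
    """
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated vendor attribute header")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad vendor attribute length")
                text = value[j + 2:j + vlen].decode("utf-8", "replace")
                out.append((vendor_id, vtype, text))
                j += vlen
        i += alen
    return out


def authorize(attrs, configured_access_domains):
    """Apply the guide's matching rule to an Access-Accept attribute list.

    Returns (role, access_domain); raises PermissionError when either VSA
    is missing or the access domain is not configured on Panorama.
    """
    role = domain = None
    for vendor_id, vtype, value in decode_vsas(attrs):
        if vendor_id != PAN_VENDOR_ID:
            continue
        if vtype == PAN_PANORAMA_ADMIN_ROLE:
            role = value
        elif vtype == PAN_PANORAMA_ADMIN_ACCESS_DOMAIN:
            domain = value
    if role is None or domain is None:
        raise PermissionError("reply lacks a Panorama role or access domain VSA")
    if domain not in configured_access_domains:
        raise PermissionError(f"access domain {domain!r} is not configured on Panorama")
    return role, domain


# Constructed data: access domains defined on Panorama, and the attributes
# a RADIUS server would return for an administrator confined to the lab.
CONFIGURED_ACCESS_DOMAINS = {"datacenter-monitor", "testlab-admin"}
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BB", 18, 9) + b"welcome"          # Reply-Message, skipped
    + encode_vsa(PAN_PANORAMA_ADMIN_ROLE, "lab-ops")
    + encode_vsa(PAN_PANORAMA_ADMIN_ACCESS_DOMAIN, "testlab-admin"))

if __name__ == "__main__":
    print(decode_vsas(SAMPLE_ACCEPT_ATTRS))
    print(authorize(SAMPLE_ACCEPT_ATTRS, CONFIGURED_ACCESS_DOMAINS))
```

The encoder is the piece to reuse when building a test Access-Accept for a RADIUS server dictionary; the decoder is what you would run over a packet capture of the server's reply to confirm the VSA value exactly matches the access domain name on Panorama, which is the usual cause of an administrator authenticating but landing with no device groups.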
Panorama Recommended Deployments
A Panorama deployment comprises the Panorama management server (which has a browser-based interface), optional Log Collectors, and the Palo Alto Networks firewalls that Panorama manages. The recommended deployments are:
Panorama for Centralized Management and Reporting
Panorama in a Distributed Log Collection Deployment
For the procedures to configure the most typical log collection deployments, see Log Collection Deployments.

Panorama for Centralized Management and Reporting

The following diagram illustrates how you can deploy the Panorama virtual appliance or M-Series appliance in a redundant configuration for the following benefits:
Centralized management: Centralized policy and device management that allows for rapid deployment and management of up to one thousand firewalls.
Visibility: Centralized logging and reporting to analyze and report on user-generated traffic and potential threats.
Role-based access control: Appropriate levels of administrative control at the firewall level or global level for administration and management.
Panorama in a Distributed Log Collection Deployment

You can deploy the hardware-based Panorama (the M-Series appliance) either as a Panorama management server that performs management and log collection functions or as a Dedicated Log Collector that provides a comprehensive log collection solution for the firewalls on your network. Using the M-Series appliance as a Log Collector allows for a more robust environment where the log collection process is offloaded to a dedicated appliance. Using a dedicated appliance in a distributed log collection (DLC) deployment provides redundancy, improved scalability, and capacity for longer-term log storage.

In a DLC deployment, the Panorama management server (Panorama virtual appliance or an M-Series appliance in Panorama mode) manages the firewalls and the Log Collectors. Using Panorama, you configure the firewalls to send logs to one or more Log Collectors. You can then use Panorama to query the Log Collectors and provide an aggregated view of network traffic. In a DLC configuration, you can access the logs stored on the Log Collectors from both the primary and secondary Panorama peers in a high availability (HA) pair.

In the following topology, the Panorama peers in an HA configuration manage the deployment and configuration of firewalls. This solution provides the following benefits:
Allows for improved performance in the management functions on Panorama
Provides high-volume log storage on a dedicated hardware appliance
Provides horizontal scalability and redundancy with RAID 1 storage
Plan Your Deployment
Determine the management approach. Do you plan to use Panorama to centrally configure and manage the policies, to centrally administer software, content and license updates, and/or centralize logging and reporting across the managed devices in the network?

If you already deployed and configured the Palo Alto Networks firewalls on your network, determine whether to transition the devices to centralized management. This process requires a migration of all configuration and policies from your firewalls to Panorama. For details, see Transition a Firewall to Panorama Management.

Verify that Panorama is on the same release version or a later version than the firewalls that it will manage. For example, Panorama with version 6.0 cannot manage firewalls running PAN-OS 7.0. For versions within the same feature release, although Panorama can manage firewalls running a later version of PAN-OS, Palo Alto Networks recommends that Panorama run the same version or a later version. For example, if Panorama runs 6.0.3, it is recommended that all managed firewalls run PAN-OS 6.0.3 or earlier versions.

Plan to use the same URL filtering database (BrightCloud or PAN-DB) across all managed firewalls. If some firewalls are using the BrightCloud database and others are using PAN-DB, Panorama can only manage security rules for one or the other URL filtering database. URL filtering rules for the other database must be managed locally on the firewalls that use that database.

Plan to use Panorama in a high availability configuration; set it up as an active/passive high availability pair. See Panorama High Availability.

Estimate the log storage capacity your network needs to meet security and compliance requirements. Consider such factors as the network topology, number of firewalls sending logs, type of log traffic (for example, URL Filtering and Threat logs versus Traffic logs), the rate at which firewalls generate logs, and the number of days for which you want to store logs on Panorama. For details, see Determine Panorama Log Storage Requirements.

For meaningful reports on network activity, plan a logging solution:
- Do you need to forward logs to a syslog server, in addition to Panorama?
- If you need a long-term storage solution, do you have a Security Information and Event Management (SIEM) solution, such as Splunk or ArcSight, to which you need to forward logs?
- Do you need redundancy in logging? With Panorama virtual appliances in HA, each peer can log to its virtual disk. The managed devices can send logs to both peers in the HA pair. This option provides redundancy in logging and is best suited to support up to 2TB of log storage capacity. If you use Dedicated Log Collectors (M-Series appliances in Log Collector mode), you can enable redundancy to ensure that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector.
- Will you log to a Network File System (NFS)? Only the Panorama virtual appliance supports NFS. Consider using NFS if Panorama requires more than 2TB of log storage capacity but doesn't manage Dedicated Log Collectors. If using NFS, note that the managed devices can send logs only to the primary peer in the HA pair, and only the active primary Panorama is mounted to the NFS and can write to it.

If your logging solution includes M-Series appliances, by default they use the management (MGT) interface for configuration, log collection, and Collector Group communication. However, it is a best practice to use the Eth1 or Eth2 interfaces for log collection and Collector Group communication to improve security, control traffic prioritization, performance, and scalability. Determine whether your solution would benefit from using separate interfaces for these functions. For details, see Set Up the M-Series Appliance.
Determine what access privileges, roles, and permissions administrators require to access the managed firewalls and Panorama. See Set Up Administrative Access to Panorama.

Plan the required Device Groups. Consider whether to group firewalls based on function, security policy, geographic location, or network segmentation. An example of a function-based device group is one that contains all the firewalls that a Research and Development team uses. Consider whether to create smaller device groups based on commonality, larger device groups to scale more easily, or a Device Group Hierarchy to simplify complex layers of administration.

Plan a layering strategy for administering policies. Consider how firewalls inherit and evaluate policy rules within the Device Group Hierarchy, and how to best implement shared rules, device group rules, and firewall-specific rules to meet your network needs. For visibility and centralized policy management, consider using Panorama for administering rules even if you need firewall-specific exceptions for shared or device group rules. If necessary, you can Push a Policy Rule to a Subset of Firewalls within a device group.

Plan the organization of your firewalls based on how they inherit network configuration settings from Templates and Template Stacks. For example, consider assigning firewalls to templates based on hardware platforms, geographic proximity, and similar network needs for time zones, a DNS server, and interface settings.
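The version rule in the planning list above (Panorama must be on the same release or later than its firewalls; within one feature release a firewall on a later maintenance release is manageable but not recommended) applied to an inventory, as an added example that is not code from the guide. It treats major.minor as the feature release (6.0, 6.1, 7.0) and the third number as the maintenance release, which is how the guide's two examples read; an optional -hN hotfix suffix is accepted and ignored for the comparison, which is an assumption about the version string format. The inventory is constructed.

```python
"""Check managed-firewall versions against a Panorama version.

Added example, not Panorama guide code. Version format handling
(major.minor.maint with optional -hN suffix) is an assumption; the
inventory is constructed.
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text):
    """'6.0.3' -> (6, 0, 3); raises ValueError for anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version {text!r}")
    return tuple(int(x) for x in m.groups())


def check_firewall(panorama_version, firewall_version):
    """Return 'unsupported', 'not-recommended' or 'ok' for one firewall.

    unsupported:     firewall is on a later feature release than Panorama
                     (the guide's Panorama 6.0 versus PAN-OS 7.0 example)
    not-recommended: same feature release, later maintenance release
                     than Panorama (Panorama 6.0.3 managing 6.0.5)
    ok:              firewall is at Panorama's version or earlier
    """
    p, f = parse_version(panorama_version), parse_version(firewall_version)
    if f[:2] > p[:2]:
        return "unsupported"
    if f > p:
        return "not-recommended"
    return "ok"


def plan_upgrade_order(panorama_version, inventory):
    """Group an inventory {name: version} by verdict, names sorted, so the
    blockers are visible before firewalls are added to Panorama."""
    groups = {"unsupported": [], "not-recommended": [], "ok": []}
    for name, version in sorted(inventory.items()):
        groups[check_firewall(panorama_version, version)].append(name)
    return groups


# Constructed inventory.
INVENTORY = {
    "dc-fw-1": "6.0.3",
    "dc-fw-2": "6.0.5",
    "branch-fw-1": "5.0.12",
    "lab-fw-1": "7.0.1",
}

if __name__ == "__main__":
    for verdict, names in plan_upgrade_order("6.0.3", INVENTORY).items():
        print(f"{verdict:16s} {', '.join(names) or '-'}")
```

Run it with the version string from Panorama's Dashboard and the firewall versions from the Managed Devices page; anything in the unsupported group has to wait until Panorama is upgraded, and anything in not-recommended is a candidate for a firewall downgrade or a Panorama maintenance-release update before it is added.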
Deploy Panorama: Task Overview
The following task list summarizes the steps to get started with Panorama. For an example of how to use Panorama for central management, see Use Case: Configure Firewalls Using Panorama.

Step 1  (M-Series appliance only) Rack mount the appliance.
Step 2  Perform initial configuration to enable network access to Panorama. See Set Up the Panorama Virtual Appliance or Set Up the M-Series Appliance.
Step 3  Register Panorama and Install Licenses.
Step 4  Install Content and Software Updates for Panorama.
Step 5  (Optional/recommended) Set up Panorama in a high availability configuration. See Panorama High Availability.
Step 6  Add a Firewall as a Managed Device.
Step 7  Add a Device Group or Create a Device Group Hierarchy, Add a Template, and (if applicable) Configure a Template Stack.
Step 8  (Optional) Configure log forwarding to Panorama and/or to external services. See Manage Log Collection.
Step 9  Monitor Network Activity using the visibility and reporting tools on Panorama.