Configuration Articles

Featured Article
QRADAR LEEF syntax for your Syslog needs in PAN-OS 8.0
taddair ‎09-11-2018 01:14 AM
PAN-OS 6.0 and after

Overview
Color Coded Tags were introduced in PAN-OS 6.0 and enable many types of objects to be categorized so that they are visually distinguishable. Administrators can easily determine whether a policy was created correctly by scanning it and confirming that the color coding of its objects follows the desired scheme.

Details
On the Device/Panorama GUI, navigate to the Objects tab. As shown below, the objects tree panel on the left side has a new tree node called "Tags" for color coded tag administration.

A tag object has three fields:
- Name
- Color
- Comments

The Name cannot contain a comma (,) because the comma is used as the separator when assigning tags. The Color of the tag object can be selected from a palette of 16 predefined colors. The default value is "None," which is no color. Selecting a color is not required when creating a tag.

The following objects on a Palo Alto Networks device or on Panorama can be used with the new tag attribute:
- Objects > Address
- Objects > Address Groups
- Objects > Services
- Objects > Service Groups
- Network > Zones

Note: When using Tags with Zones, the drop-down must be used instead of typing a generic name, because the Tag is not selectable while editing the Zone.

Policies already have tags, but will be changed to use the new tag object. All of the above objects have a new tag column in their top-level grid. Only the first tag in an object may have color.

During the Add/Edit of any of the above objects, the tags attribute can be specified, as shown below. Tags can be selected from existing tags, and tag completion is case-insensitive. If the administrator adds a new tag, it is added as a tag object after "OK." The user can select a tag as the "colored tag" for an object while in the object/rule editor. The "colored tag" is saved as the first tag after "OK."

From policy tables, the user will see rule tags. Only the first tag in a rule may have color.

The following is an example of a Security Rulebase with no color tags used, followed by an example of a Security Rulebase with color tags used for Zones and inside the objects. Notice that the use of Color Tags makes the policy much easier to read.

Additional Details
- Tag name length is limited to 127 characters.
- There are only 16 colors; custom colors cannot be created.
- Multiple tags can use the same color.
- If an item has multiple tags with different colors, the color of the first tag is displayed, so order matters.
- The config shows in the CLI as color# (1-16), for example: set tag test1 color color4
- Panorama can push tag color configs. If a pushed tag conflicts with an existing tag on the firewall, the device config should take priority. Likewise, if there is a conflict between a shared and a VSYS-specific object, the VSYS object takes precedence.

Logging
Configuration logs are generated for add/edit/delete of tag objects and for setting tags on other objects.

Feature interaction with infrastructure components:
- High availability: Tag configuration is synced, like the other object configurations.
- Virtual system: Tag administration and tag assignment can be done per VSYS.
- Panorama: Tag administration and tag assignment are available on Panorama.

Panorama
The specified objects and zones in Network templates will have configuration for tags. The tag configuration is pushed to the device groups and devices along with the objects and device templates. If it conflicts with an existing tag on the firewall, the device config should take priority. In the Network template on Panorama, zones can have tags specified, but no completion (drop-down) is available; users can only type tag names.

Tags can belong to a VSYS or be shared in a device and a device group, or be shared in Panorama.

owner: jdelio
‎10-10-2017 07:46 AM
Symptom
Panorama, deployed either as the Palo Alto Networks M-100 appliance or as a virtual appliance, stops receiving logs from Palo Alto Networks firewalls. The traffic and threat logs can be viewed when looking directly on the firewalls, but are not visible on Panorama.

Details
The Palo Alto Networks firewall keeps track of the logs forwarded to Panorama with a sequence number. When the logs are received, Panorama acknowledges the sequence number. If the firewall is connected to a different Panorama (for example, to an HA peer of a Panorama), these sequence numbers can get out of sync, causing the firewall not to forward any logs. The log upload process can also become stuck when a large volume of logs is sent to Panorama.

Resolution
Panorama 6.1, 7.0, 7.1, 8.0

1. Check the current logging status:
   > show logging-status device <serial number>
2. Start log forwarding with buffering, starting from the last acknowledged log ID:
   > request log-fwd-ctrl device <serial number> action start-from-lastack
3. Verify that logs are being forwarded:
   > show logging-status device <serial number>

If logs are still not being forwarded, do the following:
1. Make sure that log forwarding is stopped:
   > request log-fwd-ctrl device <serial number> action stop
2. Start log forwarding with no buffering (leave it in this state for about a minute):
   > request log-fwd-ctrl device <serial number> action live
3. Start log forwarding with buffering:
   > request log-fwd-ctrl device <serial number> action start

Important! The alphabetic characters in the serial number must be all upper case. For example:
> request log-fwd-ctrl device 0000C123456 action live
scheduled a job with jobid 12

If lower case characters are used, the following error message is returned:
> request log-fwd-ctrl device 0011c123456 action live
Server error : failed to schedule a job to do log fwd ctrl from panorama to device 0000c123456

Confirm that the device policies are set with the log action to forward to Panorama.

If logging gets stuck, restart the log-receiver service with the following command:
> debug software restart log-receiver

Alternatively, restart the management server (which also restarts the log-receiver service) with the following command:
> debug software restart management-server

On PAN-OS 7.0, 7.1 and 8.0, use the following command to restart the management server process:
> debug software restart process management-server

owner: swhyte
npare ‎08-08-2017 02:52 AM
Overview (Configuration template support in Panorama)
When a virtual system (VSYS) configuration is pushed from a Panorama template to a managed Palo Alto Networks device, the following algorithm is applied on the device:
1. The device first attempts a name match. If successful, the matching vsys on the device receives the configuration pushed from Panorama.
2. If the name match fails, the device performs a VSYS ID match against the unnamed vsys on the device.
3. If an ID match succeeds on an unnamed VSYS, that vsys receives the name and configuration pushed from Panorama.
4. Finally, if the VSYS ID match also fails, a new vsys is created on the device with the name and configuration pushed from Panorama. The new vsys is assigned the next available ID.

For example, a templated VSYS is created as vsys3 (ID of 3) and pushed to a managed Palo Alto Networks device. If the name vsys3 is not found, the device attempts to find an unnamed VSYS with ID 3. If an unnamed vsys with ID 3 does not exist, a new vsys is created with the name vsys3 (and assigned the next available ID).

Note: In general, it is recommended to give virtual systems meaningful names (for example, Finance, Marketing, etc.) instead of the label "vsys3", which may be assumed to mean the same thing as VSYS ID 3.

owner: apasupulati
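Added example, not from the original article: a small model of the vsys matching algorithm described above, so the outcome of a template push can be predicted before committing. The class and function names are assumptions for illustration, not PAN-OS API names.

```python
"""Model of the Panorama-to-device vsys matching algorithm (added example,
not the article's own code). Names here are assumptions for illustration."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Vsys:
    vsys_id: int
    name: Optional[str] = None  # None models an "unnamed" vsys on the device


@dataclass
class Device:
    vsys: List[Vsys] = field(default_factory=list)

    def next_available_id(self) -> int:
        """Lowest vsys ID not already in use on the device."""
        used = {v.vsys_id for v in self.vsys}
        candidate = 1
        while candidate in used:
            candidate += 1
        return candidate

    def find_by_name(self, name: str) -> Optional[Vsys]:
        return next((v for v in self.vsys if v.name == name), None)


def apply_pushed_vsys(device: Device, pushed_name: str, pushed_id: int) -> Tuple[str, Vsys]:
    """Apply a templated vsys (name + ID) to the device following the article:
    1. a name match wins; 2. otherwise an unnamed vsys with the same ID takes
    the pushed name; 3. otherwise a new vsys is created with the next available
    ID. Returns which rule fired and the vsys that received the configuration."""
    # Rule 1: name match
    match = device.find_by_name(pushed_name)
    if match is not None:
        return ("name", match)
    # Rule 2: ID match, but only against an unnamed vsys
    for v in device.vsys:
        if v.name is None and v.vsys_id == pushed_id:
            v.name = pushed_name
            return ("id", v)
    # Rule 3: create a new vsys; its ID may differ from the pushed one
    new = Vsys(vsys_id=device.next_available_id(), name=pushed_name)
    device.vsys.append(new)
    return ("created", new)


def demo() -> Device:
    """Reproduce the article's scenario plus the pitfall from its note: pushing
    'vsys3' (ID 3) to a device whose ID 3 is already named yields a vsys
    called vsys3 that actually has ID 4."""
    dev = Device([Vsys(1, "vsys1"), Vsys(2), Vsys(3, "Marketing")])
    apply_pushed_vsys(dev, "Marketing", 2)  # rule 1: name match, lands on ID 3
    apply_pushed_vsys(dev, "Finance", 2)    # rule 2: unnamed vsys2 becomes Finance
    apply_pushed_vsys(dev, "vsys3", 3)      # rule 3: created as ID 4, named vsys3
    return dev


if __name__ == "__main__":
    for v in demo().vsys:
        print(v.vsys_id, v.name)
```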
apasupulati ‎04-21-2017 12:10 PM
Overview
When configuring a template on the M-100/Panorama, the UI for the Group Include List does not display a list of available groups to select from.

Details
On the Palo Alto Networks firewall, the group mapping list can be pulled directly once the LDAP Profile has been configured.

However, when configuring templates on the Panorama/M-100 for the Group Mapping Include List, the available groups are not displayed. Instead, the groups for the Group Include List must be added manually using the correct syntax.

The available groups are not visible because Panorama cannot pull the User-Group information directly from the LDAP Active Directory. The User-ID information is pulled up on Panorama using the Master Device in the device group.

Under the template, the administrator has to configure the LDAP settings manually and push them to the device; they will not self-populate. The administrator needs the base and bind information at hand before configuring. When those templates are pushed to the device and the information is correct, Panorama will be able to pull group information. Group mapping settings templates are different on Panorama and on the device by design. While pushing the template, the administrator needs to have the group information ready. Once it is pushed to the device, the group information appears in the same format as the device's group mapping setting.

owner: dwhyte
panagent ‎10-13-2016 02:34 AM
PAN-OS 5.0 and later

Overview
This document describes how to change a zone name on Panorama and push the update to the managed firewalls without running into commit errors. If no policies reference the zone, the name can be changed directly in the template and committed without errors. However, this document covers the scenario where the zone requiring the name change is currently applied in one or more security policies.
Note: Panorama OS: 5.0 and later

Details
As an example scenario, the test_zone zone needs to be renamed to test_zone_1. The following image shows the original zone, followed by a policy referencing test_zone.

If the administrator directly modifies the zone name and issues a template commit, the commit fails with the error:
Last Push State Details
Details: rulebase -> security > rules > test_rule -> from 'test_zone' is not an allowed keyword
rulebase -> security > rules > test_rule -> from 'test_zone' is not a valid reference

Steps
The following prerequisites should be met before continuing with the zone name change:
- The device is connected to Panorama and is part of a template.
- Policies associated with the zone name exist and have already been pushed to the device.

The steps below use the sample scenario described earlier in this document.
1. Rename the existing test_zone zone to test_zone_1. This causes the name change to occur automatically in the policies referencing the zone.
2. Add a new zone with the old zone name (test_zone). This step is required so that the commit does not fail because of the policy dependency on the device. At this point, the config should look as shown below.
3. Issue a Panorama commit.
4. Issue a template commit.
5. Issue a device group commit.
6. Once the commit is successful, delete the 'test_zone' zone, and then perform another Panorama commit, template commit and device group commit.

This procedure only works as listed above if the zone and interface configuration are both managed through a template on Panorama.

See also
Is There an Impact on Active Sessions when Changing the Name of a Zone?

owner: sdarapuneni
zarina ‎05-24-2016 03:26 AM
Issue
After upgrading Panorama to PAN-OS 7.0, the ACC (Application Command Center) Summary data is no longer being populated.

Cause
In PAN-OS 7.0, the ACC uses summary data rather than appstats data. Prior to PAN-OS 7.0, the appstat data was forwarded to Panorama to populate the ACC even if logs were not explicitly configured to be forwarded.

Resolution
Under the new system, the managed firewalls need to be running PAN-OS 7.0, as does Panorama. The data source can then be changed to the remote device. If a managed firewall is running a pre-PAN-OS 7.0 release, log forwarding must be turned on. If you would like to view the ACC log source as "Panorama" and not "Remote Device", log forwarding must be turned on.
jperry1 ‎05-13-2016 02:24 PM
PAN-OS 6.0, 6.1, 7.0

Overview
This document is for customers who use Panorama for log collection and want to forward logs from Panorama to a third-party Syslog server or SIEM system. The alternative is to forward logs via syslog from each firewall individually.

This scenario assumes that logging has been configured on the firewalls to forward to Panorama, and that Panorama is receiving the traffic, threat, and system logs as configured. If the firewalls have not been configured to forward logs to Panorama, refer to the following document: How to Create a Profile to Forward Logs to Panorama

Steps
1. To create a Syslog Server Profile, go to Panorama > Server Profiles > Syslog and click Add.
2. Assign the Syslog Server Profile:
   - For Panorama running as a virtual machine, assign the Syslog Server Profile to the various log types through Panorama > Log Settings > Traffic > Device Log Settings - Traffic > Syslog. Each log type can be configured individually, as shown below. After defining Syslog Server Profiles, designate the corresponding log types.
   - For an M-100, assign the Syslog Server Profile to the various log types through Panorama > Collector Groups > Collector Group > Collector Log Forwarding > Traffic > Syslog. Optionally, multiple collectors can be added under "Collector Group Members". By default, the local Log Collector on the primary Panorama is pre-assigned to the default Collector Group.
3. Perform a "Panorama" commit followed by a "Log collector" commit.

NOTE: On the current version of PAN-OS, PA-7000 series devices do not forward logs to Panorama; these devices need to be configured to send syslog via their Log interface.

owner: dbraswell
DavePATS ‎05-13-2016 12:58 PM
Overview
The M-100 management appliance can operate in Panorama mode (where Log Collector functionality is also available) or in Log Collector mode. This document shows the CLI command used to switch the operational mode from Log Collector to Panorama mode.
Note: For Panorama 7.0, see the M-500 Appliance Quick Start for the steps to Change the Mode of Operation on the M-500 appliance or M-100 appliance.

Details
Use the following CLI command to change the M-100 from Log Collector mode to Panorama mode:
> request system logger-mode panorama
Executing this command will change the system to panorama mode, current configuration and logs will be removed. The system will restart and then reset the data. Are you sure you want to continue? (y/n) (y or n)

Broadcast message from root (Tue Oct 22 00:00:27 2013):

The system is going down for reboot NOW!

Note: On a production device that has collected a large amount of logs, the system may require additional time to clear the logs before it can be reached on the Web UI or CLI. During this time, a Telnet connection may appear to succeed, but authentication will fail.

> show system info
hostname: 100-M-100
ip-address: 10.66.22.100
netmask: 255.255.254.0
default-gateway: 10.66.22.1
ipv6-address:
ipv6-link-local-address: fe80::221:ccff:fe61:3f8/64
ipv6-default-gateway:
mac-address: 00:21:cc:61:03:f8
time: Tue Oct 22 00:00:08 2013
uptime: 0 days, 0:12:14
family: m
model: M-100
serial: 009201000352
sw-version: 5.1.2
app-version: 398-1984
app-release-date: 2013/10/08  12:56:18
av-version: 1122-1568
av-release-date: 2013/10/14  04:00:02
threat-version: 398-1984
threat-release-date: 2013/10/08  12:56:18
logdb-version: 5.0.2
platform-family: m
logger_mode: False

Note: A filter can be applied to the above command to display only the logger_mode status:
> show system info | match logger_mode
logger_mode: False

owner: gchandrasekaran
gchandrasekaran ‎04-22-2016 07:57 AM
PAN-OS 6.0

Details
This document describes how to set up log forwarding from a Log Collector in logger mode to a Syslog Server. An M-100 log collector is always managed by a Panorama management server. The Panorama management server can be either a VM or an M-100 in Panorama mode.

On the Panorama Management server, perform the steps outlined below:
1. Create a Syslog Profile: go to Panorama > Server Profiles > Syslog, click Add and create a syslog profile, as shown below.
2. Add a Collector Group: go to Panorama > Collector Groups and click Add. There are four tabs in the Collector Group window, but for this configuration go to Collector Log Forwarding. For details on adding devices to a Collector Group and adding collectors to the group, refer to the document How to Configure an M-100 to Function as Both a Log Collector and Panorama. The Syslog Server profile can also be associated with Config, HIP Match, Traffic, Threat and WildFire logs.
3. After the above step is done, proceed with the commit. First commit the changes to Panorama and then commit to the Collector Group, as shown in the screenshot below.

owner: sodhegba
sodhegba ‎04-20-2016 02:17 AM
Access domains allow restricting access for administrator accounts to specific Vsys (on the firewall) and to specific Device Groups, Templates and Context Switch targets (on Panorama).

When you are managing a Vsys-enabled firewall from Panorama, you might want to create Panorama Administrators that have access only to particular Vsys on the managed firewall.

In that case, the target Vsys must be bound to a unique Device Group. You cannot control per-Vsys administration for Panorama administrators if multiple Vsys from the firewall are part of the same Device Group.

Steps:
1. Create specific Device Groups for the specific Vsys under the managed multi-VSYS firewall.
2. Create an Access Domain for managing the Vsys1 Device Group and the corresponding context switch.
3. Create an Administrator of Administrator Type "Device Group and Template Admin" and bind the access domain created above.
4. Do a Panorama commit and log in using the Vsys1Admin user account.
5. Verify that you are able to access only Device Group 1, and can context switch to Vsys1 of the firewall.
abjain ‎04-14-2016 07:52 AM
At times you may want to duplicate or reconfigure Network or Device tab settings for multiple templates. For example, if you have N templates but want to share the same Administrator accounts, LDAP servers, etc. among all of them, you can duplicate or reconfigure the settings.

There are two options to do so, besides the GUI option of configuring everything manually:
1. Duplicate configuration between templates on the CLI, using set commands or load config partial.
2. Use template stacks to combine common elements. This option is only available if you are running PAN-OS 7.0+.

Method 1: Duplicate configuration between templates using set commands from the CLI

Go to configuration mode on the Panorama CLI, and set the configuration output format to set:
admin@Panorama# run set cli config-output-format set

Find the configuration that you want to copy. For example:
admin@Panorama# show | match Template1
set template Template1 settings operational-mode normal
set template Template1 config devices localhost.localdomain vsys vsys1
set template Template1 config mgt-config users Admin1 permissions role-based superuser yes
set template Template1 config mgt-config users Admin1 phash $1$jhtkhsba$D6q7Bu38KMpOBd.V.FlhX1
set template Template1 config mgt-config users Admin2 permissions role-based superuser yes
set template Template1 config mgt-config users Admin2 phash $1$cpqxckno$FhbxH9tTxwgeIaeKc.pOa1
set template Template1 config mgt-config users Admin3 permissions role-based superuser yes
set template Template1 config mgt-config users Admin3 phash $1$sykssmec$kst3ufkcj9.Htg9zAXvDy0

Copy the required configuration into a text editor (in this case, all configuration under mgt-config) and change the template name to the target template.

Then paste it back into the CLI after enabling scripting-mode:
admin@Panorama# run set cli scripting-mode on
admin@Panorama# (Paste the commands now)
set template Template2 config mgt-config users Admin1 permissions role-based superuser yes
set template Template2 config mgt-config users Admin1 phash $1$jhtkhsba$D6q7Bu38KMpOBd.V.FlhX1
set template Template2 config mgt-config users Admin2 permissions role-based superuser yes
set template Template2 config mgt-config users Admin2 phash $1$cpqxckno$FhbxH9tTxwgeIaeKc.pOa1
set template Template2 config mgt-config users Admin3 permissions role-based superuser yes
set template Template2 config mgt-config users Admin3 phash $1$sykssmec$kst3ufkcj9.Htg9zAXvDy0
admin@Panorama# run set cli scripting-mode off

Method 2: Duplicate configuration between templates using the load command on the CLI

1. Take a backup of the current configuration: Panorama > Operations > Save named Panorama configuration snapshot, for example, ConfigBackup.
2. Open a new browser tab to view the XML browser, https://<panorama-ip>/api, and simultaneously open a CLI session.
3. Navigate to the required configuration and note the highlighted XML path.
4. In the CLI session, go into configuration mode and execute the following command:
# load config partial from ConfigBackup mode merge from-xpath devices/entry[@name='localhost.localdomain']/template/entry[@name='Template1']/config/mgt-config to-xpath /config/devices/entry[@name='localhost.localdomain']/template/entry[@name='Template2']/config/mgt-config

Notice that the path used in from-xpath does not include /config/ at the beginning, since /config/ indicates the current device configuration. Also notice the changed template name (the target template) in the to-xpath.

Method 3: Use template stacks (when running PAN-OS 7.0.X only)

1. Create a common template, for example TemplateCommon. Do not assign any devices to this template.
2. Configure the admin accounts to be shared on this template.
3. Create a Template Stack called TemplateStack1, and add two templates to it: TemplateCommon and Template1, in that order.
4. Unassign Firewall1 from Template1 and assign it to TemplateStack1.
5. Similarly, create a Template Stack called TemplateStack2, and add two templates to it: TemplateCommon and Template2, in that order.
6. Unassign Firewall2 from Template2 and assign it to TemplateStack2.
7. Commit the changes locally to Panorama, and perform a Template commit to Firewall1 and Firewall2.
8. Check the GUI of both firewalls to make sure the admin accounts were pushed properly.

In the future, any common changes can be made in TemplateCommon and then pushed to all devices by committing the corresponding Template Stack.
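Added example, not from the original article: a helper that automates the text edit in Method 1 (take the set-format output of `show | match Template1`, keep only the mgt-config branch and point it at the target template) and builds the from-xpath/to-xpath pair used by `load config partial` in Method 2. The function names and the sample output below are constructed for illustration; the phash values in it are placeholders.

```python
"""Helpers for duplicating a template branch between Panorama templates
(added example, not the article's own code). Names are assumptions."""

from typing import List, Sequence

# Constructed sample of 'show | match Template1' output in set format; the
# phash values are placeholders, not real password hashes. The Template10
# line is included to show that prefix matching must be token-wise.
SAMPLE_SET_OUTPUT = """\
set template Template1 settings operational-mode normal
set template Template1 config devices localhost.localdomain vsys vsys1
set template Template1 config mgt-config users Admin1 permissions role-based superuser yes
set template Template1 config mgt-config users Admin1 phash $1$PLACEHOLDER$hash1
set template Template1 config mgt-config users Admin2 permissions role-based superuser yes
set template Template1 config mgt-config users Admin2 phash $1$PLACEHOLDER$hash2
set template Template10 config mgt-config users Other phash $1$PLACEHOLDER$hash3
"""

# XPath shape used by the article's load command; only the template name and
# the branch below it change between source and target.
XPATH_TEMPLATE = ("devices/entry[@name='localhost.localdomain']"
                  "/template/entry[@name='{name}']/{branch}")


def rewrite_template_set_commands(set_output: str, src: str, dst: str,
                                  branch: Sequence[str] = ("config", "mgt-config")) -> List[str]:
    """Return the set commands under `branch` of template `src`, rewritten for
    template `dst` (Method 1 without the manual editing). Token-wise matching
    avoids catching 'Template10' when the source is 'Template1', and only the
    chosen branch is copied, so 'settings' and 'config devices' lines stay
    behind. The tail of each line, phash values included, is kept verbatim;
    treat the output as sensitive since it carries the admins' password hashes."""
    src_prefix = ["set", "template", src, *branch]
    dst_prefix = ["set", "template", dst, *branch]
    rewritten = []
    for line in set_output.splitlines():
        if line.split()[:len(src_prefix)] != src_prefix:
            continue
        # Split only as far as the prefix so the remainder is untouched.
        parts = line.split(None, len(src_prefix))
        tail = parts[len(src_prefix)] if len(parts) > len(src_prefix) else ""
        rewritten.append(" ".join(dst_prefix + ([tail] if tail else [])))
    return rewritten


def load_partial_command(snapshot: str, src: str, dst: str,
                         branch: str = "config/mgt-config") -> str:
    """Build the Method 2 command. The from-xpath has no leading /config/
    because it addresses the named snapshot, while the to-xpath is absolute
    into the candidate configuration."""
    from_xpath = XPATH_TEMPLATE.format(name=src, branch=branch)
    to_xpath = "/config/" + XPATH_TEMPLATE.format(name=dst, branch=branch)
    return (f"load config partial from {snapshot} mode merge "
            f"from-xpath {from_xpath} to-xpath {to_xpath}")


if __name__ == "__main__":
    for cmd in rewrite_template_set_commands(SAMPLE_SET_OUTPUT, "Template1", "Template2"):
        print(cmd)
    print(load_partial_command("ConfigBackup", "Template1", "Template2"))
```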
abjain ‎03-29-2016 01:48 PM
Overview
This document describes the steps to configure a Palo Alto Networks M-100 to function as both Panorama and a Log Collector.

Steps
To configure Panorama to manage devices, follow the instructions below:
1. Navigate to Panorama > Managed Devices.
2. Click 'Add' to add the devices that will be managed by the M-100.
3. Navigate to Panorama > Device Groups.
4. Click 'Add' to create a device group.
5. Add the device into the group.
Note: The devices can be managed the same way as in other Panorama deployments.

To configure the Log Collector functionality, follow the instructions below:
1. Add the M-100 as the collector:
   - Go to Panorama > Managed Collectors.
   - Enter the Serial Number (S/N) of the M-100 into the Collector S/N field.
   Note: The S/N and hostname for this example are 009201000347 and panomgmt-a.
2. Perform a local commit before adding the disk from the Disks tab. Otherwise you won't be able to see it.
3. Under Panorama > Managed Collectors > Disks tab, define the RAID 1 disk pair that will be used to store logs.
   Note: Additional disk pairs can be added as needed to expand storage capacity. By default, the M-100 ships with the first RAID 1 pair enabled, with drives installed in bays A1 and A2. To set up RAID, issue the request system raid add command from the CLI:
   > request system raid add A1
   Executing this command may delete all data on the drive being added. Do you want to continue? (y or n)
   > request system raid add A2
   Executing this command may delete all data on the drive being added. Do you want to continue? (y or n)
   Then perform a local commit on the Panorama.
4. Configure Log Collection:
   - Navigate to Panorama > Collector Groups.
   - Go to the Log Forwarding tab.
   - Under Collectors, add the M-100 hostname. Note: This adds the M-100 into its own configuration.
   - Under Log Forwarding Preferences, add the device from which the logs need to be forwarded.
5. Perform a local commit on the Panorama.
6. Perform a Collector Group commit.
Note: If you skip step 5, you will see this error: "Ring version mismatch."

The Collector should appear connected and the Configuration Status field should be "In sync".
Note: If step 5 is not performed, the Collector Configuration state will be "Out of sync", as shown below.
Note: When viewing the disk space of the system, show system logdb-quota does not display the usage of the RAID disks; the command displays only the statistics of logs on the SSD. If the log quota settings of the RAID disks need to be configured or checked, go to Panorama > Collector Groups > (name of the Collector Group) > General tab and select the link next to Log Storage.

See Also
M-100 Log Collector Configuration
How to Change the Operational Mode from Log Collector to Panorama on the M-100 Device

owner: sraghunandan
sraghunandan ‎12-03-2015 03:59 PM
Overview
This document describes how to delete the default configuration of a Palo Alto Networks firewall using a forced Panorama template. A Palo Alto Networks firewall is preconfigured with a default Virtual Wire (vwire) configuration using the ethernet1/1 and ethernet1/2 interfaces. The following examples show the default vwire configuration:

Steps
1. On the managed firewall, delete the default-vwire configuration under Network > Virtual Wires.
2. Under the template configuration in Panorama, configure ethernet1/1 and ethernet1/2 as Layer3 and assign a zone to each.
3. Keep the Virtual Wires section empty in the same template.
4. Commit the configuration to the firewall from Panorama with the 'Force Template Values' option checked.
The commit should be successful and the interfaces on the firewall should now be changed to Layer3.

Warning: If the default-vwire configuration on the firewall is not deleted (step 1 above) before the Panorama push, the commit fails with the following error:

owner: kadak
kadak ‎09-09-2015 03:25 PM
The number of device configurations retained is configurable. Go to:
- Panorama > Setup > Management > Logging and Reporting Settings > Number of Versions for Config Audit (1-1048576)
- Panorama > Setup > Management > Logging and Reporting Settings > Number of Versions for Config Backups (1-1048576)

owner: bryan
panagent ‎09-07-2015 05:22 AM
Overview
This document describes how to disable the Panorama shared configuration from the WebUI and optionally import it into the local configuration of the managed firewall.

Details
Go to Device > Setup > Management > Panorama Settings and click "Disable Panorama Policy and Objects" or "Disable Device and Network Template" to disable the respective configuration.

In the edit dialog, check "Import Panorama Policy and Objects before disabling" before selecting "OK" to import the configuration pushed from Panorama into the local configuration of the firewall.

Similarly, when disabling the Device and Network Template, select "Import Device and Network Template before disabling" to import the configuration pushed from Panorama into the local configuration of the firewall.

Alternatively, to disable the Panorama shared configuration on the CLI, run the following command:
> set system setting shared-policy disable

Command options:
> set system setting shared-policy <option>
  disable              Discard and disallow shared policy.
  enable               Allow shared policy.
  import-and-disable   Import and disallow shared policy.

PAN-OS 5.0 introduced templates. Device and network template configurations pushed from Panorama can be disabled with the following command:
> set system setting template disable

Command options:
> set system setting template <option>
  disable              Discard and disallow template to be pushed from Panorama
  enable               Allow template to be pushed from Panorama
  import-and-disable   Import and disallow template to be pushed from Panorama

owner: acamacho
acamacho ‎09-03-2015 06:29 AM
To configure Panorama to schedule the export of the running configurations from all managed devices in addition to its own running configuration:
1. Select the protocol type (version 5.0 introduced the option of the SCP protocol, which supports encryption).
2. Configure the server for the export.
3. Schedule the configuration export profile.
4. Commit the changes.

The configurations are exported to an FTP/SCP server, which must be reachable from the management interface of Panorama, since the communication occurs via that interface.

From the WebGUI, go to Panorama > Scheduled Configuration Export.
- Name: Enter a name to identify the configuration bundle export job.
- Description: Optional description.
- Enable: Select the check box to enable the export job.
- Scheduled export start time (daily): Specify the time of day to start the export.
- Hostname: IP address/host name of the target FTP server.
- Protocol: SCP to export securely, or FTP, which is not a secure protocol.
- Path: Specify the path to the folder or directory.
- Port: Port number on the target server.
- Passive Mode: Select the check box to use FTP passive mode (visible when the FTP protocol is selected).
- Username: Specify the user name on the target system.
- Password / Confirm Password.
Commit the changes.

For Panorama versions 4.1 and earlier, only FTP is available for the scheduled configuration export. From the WebGUI, go to Panorama > Scheduled Configuration Export.

owner: ppatel
ppatel ‎09-02-2015 06:47 PM
Issue
The dynamic update schedule configuration (Device > Dynamic Updates) pushed from Panorama to the managed Palo Alto Networks firewall does not show up on the firewall. Instead, the managed device keeps the locally configured schedule for dynamic updates.

1. The dynamic updates scheduled time is configured locally on the managed device.
2. A schedule for dynamic updates is configured on Panorama for the managed device.
3. The configuration is pushed to the managed device.
4. The dynamic updates scheduled time "Wednesday at 01.02 (download only)" configured locally on the managed firewall takes preference over the one pushed from Panorama.

Cause
Locally defined dynamic update settings on a managed Palo Alto Networks firewall take preference over the setting pushed from Panorama.

Resolution
Set the dynamic updates scheduled time on the managed firewall to "none." Then push the "Dynamic updates scheduled time" configuration from Panorama.

owner: saryan
saryan ‎08-26-2015 03:32 PM
Details
There are many warnings related to the admin role when pushing the configuration from Panorama 6.0 to a managed Palo Alto Networks firewall running PAN-OS 5.0 (and above), as shown in the example below:

In Panorama 6.0, a few extra Web UI roles were added. When Panorama tries to push this configuration to a firewall running PAN-OS 5.0, the admin roles are discarded because the firewall does not know about those roles. Below is an example of the admin roles in Panorama 6.0, followed by a Panorama 5.0 example of the admin roles:

As shown in the comparison above, a few WebGUI roles are missing, such as Tags and Custom Objects.

owner: achalla
achalla 08-26-2015 05:20 AM
2,450 Views
0 Replies
Summary
When the firewall is added to Panorama for management, administrative users can connect to the firewall by changing the context on Panorama. From there, all changes can be made the same way as when the user is locally connected to the firewall. A common concern is that when a change is made from Panorama via the context change, the user that makes the change will not leave an audit trail and the change cannot be tracked. On Palo Alto Networks devices there is always a correct audit trail, and this is true even when the changes are "proxied" via Panorama. If a user changes a configuration in a firewall context from Panorama, the user logged in to Panorama is recorded as the user who made the change.

Details
1. Log in to Panorama with a user other than an admin user. Make sure that the user has rights to make changes to the given firewall.
2. Verify that the user has rights to make changes to the given firewall. In this case, the user is called "emea" and is a RADIUS user.
3. Change the context to point to the firewall where the change is needed.
4. Make a change on the firewall.
5. Navigate to Config Audit on the firewall itself and verify that the change was made and that the user who made it is correctly identified as the "emea" user.

owner: ialeksov
ialeksov 11-21-2014 01:15 PM
4,610 Views
0 Replies
Overview
This document contains steps to configure a combination of Panorama and Log Collectors in High Availability mode.

Steps
On the primary Panorama (active):
1. Use the following CLI command to set the panorama-server, which should be the IP address of the secondary Panorama:
   admin1# set deviceconfig system panorama-server <ip address of secondary panorama>
2. Commit the change.

On the secondary Panorama:
1. Use the following CLI command to set the panorama-server, which should be the IP address of the primary Panorama:
   admin1# set deviceconfig system panorama-server <ip address of primary panorama>
2. Commit the change.

On the GUI of the primary Panorama:
1. Add the two log collectors and add the disks to each log collector.
2. Select the log collector which is in the secondary Panorama. In the General tab, put the primary Panorama IP address into the Panorama Server IP field and the secondary Panorama IP address into the Panorama Server IP 2 field. In the Management tab, put the secondary Panorama IP address/Netmask/Default Gateway into the corresponding fields.
3. Create collector group(s) and add the log collectors to the group(s).
4. Commit the changes to Panorama and wait until the HA sync is done.
5. Push the config to the collector group(s).
6. In the High Availability settings, disable the primary Panorama so that the secondary Panorama becomes active.

On the GUI of the secondary Panorama:
1. Select the log collector in the primary Panorama. In the General tab, put the secondary Panorama IP address into the Panorama Server IP field and the primary Panorama IP address into the Panorama Server IP 2 field. In the Management tab, put the primary Panorama IP address/Netmask/Default Gateway into the corresponding fields.
2. Commit the changes to Panorama and wait until the HA sync is done.
3. Push the configuration to the collector group(s).
4. Restore the Panorama HA to the desired state.

owner: mbutt
mbutt 10-16-2014 05:03 PM
14,287 Views
5 Replies
2 Likes
Overview
Panorama automatically backs up configurations from managed devices. In many circumstances, such as configuration rollback or device restoration, the device configuration needs to be restored from a backup configuration saved on Panorama. This document describes how to restore a device from a configuration backed up on Panorama.

Steps
1. On Panorama, go to Panorama > Managed Devices and identify the device whose configuration is to be restored.
2. Choose a device and go to the Backups column. Click Manage. A window appears with all the configurations backed up since the device was registered on Panorama.
   Note: Configuration versions or saved configurations that existed locally on the device prior to registration are not synced.
3. Choose the configuration to push to the device and click Load in the Action column. The selected configuration is loaded on the device and replaces the candidate configuration.
4. Trigger a commit locally on the device, or directly from Panorama by switching the context from Panorama to the device.

owner: nbilly
nbilly 10-14-2014 09:05 AM
7,523 Views
0 Replies
1 Like
PAN-OS 6.0

Details
Sometimes traffic and threat logs need to be forwarded to both Panorama and a syslog server. When this has to be done over a WAN link with limited bandwidth, it is necessary to consider reducing the number of log streams sent over the link. When Palo Alto Networks firewalls are configured to forward traffic and threat logs to Panorama and to the syslog server separately, this can cause issues on the link, especially when there are several firewalls. For example, with separate profiles configured on the firewalls for log forwarding to Panorama and to the syslog server, the result is shown in Fig I:

However, the firewalls can be configured to forward these logs to Panorama only, while a syslog profile is created on Panorama to forward the traffic and threat logs to the syslog server. This is represented by Fig II, as shown below:

Prior to PAN-OS 6.0, only configuration and system logs could be forwarded from Panorama to a syslog server. On Panorama running PAN-OS 6.0, threat, traffic, HIP Match and WildFire logs can be forwarded from Panorama to a syslog server in addition to configuration and system logs.

Steps
To configure Panorama to forward threat and traffic logs to a syslog server, follow the steps below:
1. Create the Syslog Server Profile: go to the Panorama tab under Server Profiles.
2. Go to Device Log Settings > Traffic and click on the Log Type desired to forward to the syslog server.
3. Select the profile that was created in the first step under Syslog, as shown in the screenshot below:

With this configuration, firewalls forward logs to Panorama, assuming that log forwarding was configured correctly on the firewall. Panorama then forwards the logs to the syslog server, thus reducing the number of log streams significantly.

owner: sodhegba
sodhegba 07-07-2014 11:55 PM
7,187 Views
2 Replies
Details
A factory reset is to be performed on a Panorama-managed Palo Alto Networks firewall that is in a High Availability (HA) cluster. This document describes the steps to restore the firewall to its original configuration, managed by Panorama, without creating an outage.

Steps
1. Before the factory reset of the firewall, make sure that the peer has taken over the 'Active' role. This can be achieved by suspending the problematic firewall using the following command:
   > request high-availability state suspend
2. After the factory reset, configure the management interface settings using the following commands:
   > configure
   # set deviceconfig system ip-address <ip address> netmask <netmask> default-gateway <default gateway> dns-setting servers primary <DNS ip address> service disable-https no disable-ssh no
   # commit
3. Log in to the firewall web UI and go to Device > Licensing. Then update the licenses on the firewall.
4. Configure the HA settings under Device > High Availability. During the configuration, make sure that the device's priority is set higher than its peer's. Connect the HA cables (if disconnected) and commit the configuration. Allow the device to initialize and take the 'Passive' role, since it has a higher device priority.
   Note: If the firewall's local configuration references an object or template setting pushed from Panorama (for example, a locally configured security policy referencing a log forwarding profile pushed from Panorama, or a locally configured log forwarding profile referencing a syslog server profile pushed from Panorama), then performing a commit on the device will throw a validation error like the one below. To avoid this, load the config on the local firewall but do not perform a commit; then initiate a commit from Panorama for this device, as shown below.
5. Configure Panorama settings under Device > Setup > Management > Panorama Settings. Make sure that Panorama Policy and Objects, and Device and Network Templates, are enabled as shown below:
6. Commit the configuration and allow some time for Panorama to reconnect to the firewall on port 3978. This can be verified under Panorama > Managed Devices.
7. Once the device shows as connected, push the Template and Device Group configuration to the 'Passive' firewall. Make sure to check Include Device and Network Templates. The configuration should get committed and be 'In sync' with Panorama, as shown below:
8. Once the firewall is 'In sync' with Panorama, synchronize the configuration from the active firewall to the passive firewall using the following command:
   > request high-availability sync-to-remote running-config

Steps 7 and 8 ensure that the passive device ends up with a merged configuration (local + Panorama-pushed).

Note: The high-availability state between the peers can be changed as desired.

owner: kadak
kadak 05-22-2014 04:31 PM
8,704 Views
1 Reply
Overview
This document describes how to configure and push LDAP and Group Mapping Settings from Panorama to the managed Palo Alto Networks firewalls.

Steps
Panorama does not have the ability to list the LDAP groups and cannot select which groups to add to the list, but this is possible on the Palo Alto Networks device. Therefore, the following steps use a combination of Panorama and the device to achieve the desired result:
- Create the LDAP profile configuration on Panorama and push that profile to the device.
- Create the Group Mapping Settings on Panorama, which will filter the needed groups, and push that configuration to the device.

1. On Panorama, go to Device > Server Profiles > LDAP Server Profile and create the LDAP profile. Use the known parameters for the desired LDAP server.
2. Commit the configuration on Panorama and push the Template configuration down to one managed device.
3. After the commit is complete, check the device to see that the LDAP profile is shown:
4. Go to Device > User Identification > Group Mapping Settings and generate a new Group Mapping profile. During the process, select the LDAP Server Profile that was pushed from Panorama.
5. In the Group Include List, add the groups that will be used on the firewalls for different purposes (for example, creating security policies or allowing GlobalProtect access for users).
6. Copy the Distinguished Names of the needed groups into a list, as shown below:
   cn=marketing,cn=users,DC=al,DC=com
   cn=sales,cn=users,DC=al,DC=com
   cn=it,cn=users,DC=al,DC=com
   cn=hr,cn=users,DC=al,DC=com
7. Cancel the creation of the Group Mapping on the device. The list will be pushed again from Panorama.
8. Paste the group names into the Group Include List under the Group Mapping on Panorama:
9. Commit the configuration change on Panorama and push down the template to the devices:
10. Verify that the Group Mapping Settings is pushed down to the device:
11. Verify that the groups are listed in the Group Mapping Include List:
12. Based on the groups pushed from Panorama, create security rules on the firewalls or allow GlobalProtect users from those groups to connect:
    - For example, Security Policy:
    - For example, GlobalProtect Portal:

From this point on, any new device that uses the same template configuration will have the LDAP and Group Mapping Settings already preconfigured. The firewall administrators have the option to override the Group Include List in the Group Mapping and add locally significant groups by selecting them from the LDAP profile (in this case, "al\vpn_users").

owner: ialeksov
ialeksov 04-19-2014 12:33 PM
19,915 Views
1 Reply
Option One:
Steps
1. Go into Maintenance mode and export the log files to an SCP or TFTP server. The exported file will be a tar file (for example: 009401000552_maint_logs.tar).
2. Untar the exported file and open it. Go to the Management folder and click on saved-configs. There is a "techsupport-saved-currcfg" file; rename it to "recovered_config.xml." The "techsupport-saved-currcfg" file contains the current configuration.
3. Import and load this configuration into a test device and make sure it is not malformed.
4. Factory reset the device (see: How to Factory Reset a Palo Alto Networks Device).
5. Import "recovered_config.xml" and load it on the device.
6. Create a new superuser admin account.
7. Commit the changes.
8. Log in to the Palo Alto Networks firewall with the new admin account and change the password.

Note: On the Palo Alto Networks firewall, a factory reset is required for password recovery.

Option Two:
If the firewall is connected to Panorama, access the managed firewall through the Context switch from Panorama, create a new administrator account and commit the changes.

owner: achalla
achalla 03-07-2014 05:04 AM
15,049 Views
0 Replies
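Steps 2 and 3 of Option One above pull the saved running configuration out of the maintenance-mode tar and check that it is not malformed before it is loaded anywhere. The following Python script is an added example, not part of the article or of any Palo Alto Networks tooling: it locates the "techsupport-saved-currcfg" entry in the bundle by file name (the directory layout inside the tar is assumed, since the article only mentions a Management folder and saved-configs), checks that the recovered file is well-formed XML with a <config> root, and only then writes it out as recovered_config.xml. The bundle it runs against is constructed in memory so the script works offline.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

# Constructed stand-in for the exported maintenance-mode tar. Real bundles
# carry many more files; only the saved-configs entry matters here. The
# directory layout inside the tar ("mgmt/saved-configs/") is an assumption.
_SAMPLE_CONFIG = b"""<?xml version="1.0"?>
<config version="6.0.0" urldb="paloaltonetworks">
  <mgt-config><users><entry name="admin"/></users></mgt-config>
  <devices><entry name="localhost.localdomain"/></devices>
</config>
"""


def build_sample_bundle(config_bytes=_SAMPLE_CONFIG,
                        name="mgmt/saved-configs/techsupport-saved-currcfg"):
    """Return an in-memory tar containing one saved config, for offline testing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=name)
        info.size = len(config_bytes)
        tar.addfile(info, io.BytesIO(config_bytes))
    return buf.getvalue()


def extract_saved_config(tar_bytes, basename="techsupport-saved-currcfg"):
    """Find the saved running config inside the bundle and return its bytes.

    The match is on the file's basename, so the exact directory layout of the
    bundle does not matter. Raises FileNotFoundError if there is no such entry.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] == basename:
                return tar.extractfile(member).read()
    raise FileNotFoundError(basename)


def validate_config(config_bytes):
    """Check that the recovered config is well-formed XML with a <config> root.

    Returns (ok, detail): detail is the root's 'version' attribute on success
    or the parser's message on failure. This is only the first check; the
    article still has you load the file on a test device afterwards.
    """
    try:
        root = ET.fromstring(config_bytes)
    except ET.ParseError as exc:
        return False, str(exc)
    if root.tag != "config":
        return False, "unexpected root element <%s>" % root.tag
    return True, root.get("version", "unknown")


def recover_config(tar_bytes, out_path=None):
    """Extract and validate the saved config; write it to out_path only if valid.

    Returns the (ok, detail) pair from validate_config.
    """
    config = extract_saved_config(tar_bytes)
    ok, detail = validate_config(config)
    if ok and out_path:
        with open(out_path, "wb") as fh:
            fh.write(config)
    return ok, detail


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print(recover_config(bundle))  # (True, '6.0.0') for the constructed bundle
```

Against a real export, read the tar from disk (for example `open("009401000552_maint_logs.tar", "rb").read()`) and pass an `out_path` of "recovered_config.xml"; a parse error or an unexpected root element stops the file from being written, which is the point at which you would not want to import it into the test device either.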
Overview
This document describes how to modify log quota settings for a collector group on Panorama/M-100.

Steps
1. Add disk pairs to the managed collectors under Panorama > Managed Collectors > Collector > Disks.
2. Perform a commit for Panorama only.
3. Navigate to Panorama > Collector Groups > (click on one of the collectors) > General tab. Click on the value for Log Storage, as indicated below:
4. Update the quota percentages for each log type, according to need. Click OK when finished.
5. Perform a commit on the collector group.

owner: kadak
kadak 11-26-2013 07:39 AM
3,654 Views
1 Reply
Overview
In Panorama, the settings for the management interface are located under Device > Setup > Management Interface Settings, as shown here:

Details
If the IP Address field is empty and a commit is performed with the "Force Template Values" option checked, the management IP address on the managed Palo Alto Networks firewall is not cleared; the management IP address on the firewall is retained. If a management IP address is configured in the template, a commit with the "Force Template Values" option checked causes the management IP on the managed firewall to be overridden with the value in the template.

owner: kadak
kadak 07-05-2013 01:45 PM
3,648 Views
0 Replies
Issue
If managed Palo Alto Networks firewalls are migrated from BrightCloud to PAN-DB but Panorama still has BrightCloud, an error may occur when committing from Panorama to the firewalls. The commit error that may appear is:
template > Shared Template > config > devices > localhost.localdomain > deviceconfig > system > update-schedule > url-database Not available for PAN-DB.

Resolution
1. Disable the shared policies/objects and templates settings on the managed devices:
   - Go to the Device > Setup > Management tab.
   - Edit Panorama Settings and click 'Disable Panorama Policy and Objects' and 'Disable Device and Network Template'.
2. Do a local commit on the managed devices.
3. Change the URL filtering database on Panorama and the managed devices by running the following command (on Panorama and the devices):
   > set system setting url-database <database name>
4. On Panorama, run the following commands:
   > configure
   # delete template <template name> config deviceconfig system update-schedule url-database
   # commit
5. Enable the shared policies/objects and templates on the managed devices and commit.
6. Push the template from Panorama to the managed devices.

owner: shasnain
shasnain 05-15-2013 03:13 PM
13,503 Views
3 Replies
There is no maximum limit on Panorama. The managed Palo Alto Networks firewalls enforce the maximum number based on their capacity limits. To determine the maximum number of addresses, address groups, and addresses per group on a Palo Alto Networks firewall, enter the following CLI command:
show system state | match cfg.general.max-address

For example:
admin@PA-500> show system state | match cfg.general.max-address
cfg.general.max-address: 0x9c4
cfg.general.max-address-group: 0xfa
cfg.general.max-address-per-group: 0x1f4

owner: shasnain
shasnain 02-27-2013 07:54 AM
11,718 Views
6 Replies
1 Like
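Because Panorama itself enforces no limit, the place where a shared address list can break is the push to a smaller firewall, and the limits the firewall prints are hexadecimal (0x9c4 is 2500 address objects, 0xfa is 250 groups, 0x1f4 is 500 members per group). The following Python snippet is an added example, not part of the article or of any Palo Alto Networks tool: it parses the `show system state | match cfg.general.max-address` output shown above into decimal limits and compares a planned set of objects against them before a push. The sample output is the PA-500 example from the article; the planned object counts are constructed.

```python
import re

# Sample output copied from the article's PA-500 example; the firewall prints
# the limits in hexadecimal.
SAMPLE_OUTPUT = """\
admin@PA-500> show system state | match cfg.general.max-address
cfg.general.max-address: 0x9c4
cfg.general.max-address-group: 0xfa
cfg.general.max-address-per-group: 0x1f4
"""

# One "show system state" line: a cfg.general.* key, a colon, a hex or decimal value.
_LINE_RE = re.compile(r"^\s*(cfg\.general\.[\w.-]+):\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_limits(output):
    """Return {key: decimal value} for every cfg.general.* line in the CLI output.

    The prompt line and anything else that does not match is ignored.
    int(x, 0) accepts both 0x-prefixed hex and plain decimal.
    """
    limits = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2), 0)
    return limits


def check_capacity(limits, addresses, address_groups, largest_group):
    """Compare a planned object set against the firewall's limits.

    addresses      - number of address objects the firewall would receive
    address_groups - number of address groups
    largest_group  - member count of the largest address group
    Returns a list of human-readable violations; an empty list means it fits.
    """
    planned = {
        "cfg.general.max-address": addresses,
        "cfg.general.max-address-group": address_groups,
        "cfg.general.max-address-per-group": largest_group,
    }
    violations = []
    for key, count in planned.items():
        limit = limits.get(key)
        if limit is None:
            violations.append("%s: limit not found in CLI output" % key)
        elif count > limit:
            violations.append("%s: planned %d exceeds limit %d" % (key, count, limit))
    return violations


if __name__ == "__main__":
    limits = parse_limits(SAMPLE_OUTPUT)
    for key, value in sorted(limits.items()):
        print("%s = %d" % (key, value))
    # Constructed plan: 2600 address objects would exceed the PA-500's 2500 limit.
    for problem in check_capacity(limits, 2600, 100, 300):
        print("violation:", problem)
```

Run the CLI command on the smallest model in the device group, paste its output in place of `SAMPLE_OUTPUT`, and feed the object counts from the Panorama shared and device-group configuration into `check_capacity`; a non-empty result tells you which limit the commit to that firewall would hit.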