cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Licenses on Airgapped Panorama

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Licenses on Airgapped Panorama

TSchepers
L1 Bithead

‎04-10-2019 08:39 AM

Hi guys,

 

I was wondering if anyone has any experience using a totally airgapped panorama/firewalls deployment.
At the moment I have a case where none of the devices are allowed any outside connections.

I thought it would be do-able since both software and content updates can be manually uploaded to panorama and deployed like this, and license keys can be downloaded and uploaded to the firewalls... That should cover all bases, right?

 

Now we realize that panorama isn't aware of licenses manually uploaded to firewalls. The only way to make panorama aware of the licenses present on a firewall is by letting it connect to the outside license server (updates.paloaltonetworks.com I suppose...). Since we need a valid suppport license to be known on the Panorama to push software updates and content packs, the whole thing falls apart.

It doesn't make sense to me. They implemented ways to do version and content updates in an airgapped system, but you still need to break the airgap to allow panorama to retrieve the licenses for the airgap solutions to work.

 

I must be missing something, right?

 

0 Likes Likes
7 REPLIES 7

jeremy.larsen
L4 Transporter

‎04-10-2019 09:33 AM

You have to have some kind of access for Panorama to retreive updates.  I run firewalls that have no internet access what-so-ever.  But, they can reach Panorama which does have internet access (licences/software/updates/etc).  This way, everything is managed exclusively from Panorama.

 

Are you wanting to run no internet access at all, even for Panorama?  If so, I'd be curious why?

0 Likes Likes

TSchepers
L1 Bithead
In response to jeremy.larsen

‎04-10-2019 10:03 AM - edited ‎04-10-2019 10:18 AM

Indeed, no Internet access whatsoever is the goal. It's required by a customer. Both firewalls and panorama are deployed in airgapped scada network segments that can't have any connections to the outside.

At the moment it seems like the only time we'd need an outside connection is when panorama retrieves license information. Updates can be uploaded to the airgapped network. This makes no sense, since there is a license key system in place for both firewall locally, but no way for the firewall to relay this information to the panorama, and no way to import the firewall's license key on panorama. But the fact that we can activate panorama using license keys and upload OS versions and content updates seems to point to support for a fully airgapped panorama.
So close...
0 Likes Likes

jeremy.larsen
L4 Transporter
In response to TSchepers

‎04-10-2019 01:34 PM

All I can say is... WOW!  Sounds like a security analyst got a little over zealous.  If you're air gapped and can't automate updates, what's the point of even running a PAN.  Go get yourself some dumb L3/L4 firewall and call it a day.  Sounds like a mess.

0 Likes Likes

TSchepers
L1 Bithead
In response to jeremy.larsen

‎04-11-2019 06:00 AM

All I'm going to say about that is that even without automated updates, PAN still won.

But regardless how anyone feels about airgapping an PAN deployment, fact is that PAN supports it:

 

*activation via uploadable license keys on both panorama and firewalls

*uploadable software updates

*uploadable content updates

 

It's quite frustrating to find out you then need to open a connection to the palo alto update server after all, because the firewalls can't report their license status to panorama.  At that point, everything you need is already present in the airgapped segment!

0 Likes Likes

LHenshaw
L0 Member
In response to TSchepers

‎08-02-2020 07:52 PM

Hi there,

Not sure if you ever received an answer to this but I just found the following while doing this same research for another client:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/panorama-features/automatic-conten...

 

"....To accomplish this, you must deploy an additional Panorama with internet access and an SCP server. After you deploy the Panorama with internet access, you configure the internet-connected Panorama to automatically download content updates to the SCP server. From the SCP server, the air-gapped Panorama is configured to automatically download and install dynamic updates as per your dynamic updates schedule."

 

Hope this helps others....

 

0 Likes Likes

xdauphin
L0 Member
In response to LHenshaw

‎04-09-2021 06:16 AM

I have not tested this new feature yet but it seems it does not solve the license issue. Panorama just can't deploy a dynamic updates if it is not aware of the licenses of each device. And unfortunately this new feature works only with dynamic updates, not software updates.

0 Likes Likes

Drew_Newton
L0 Member
In response to xdauphin

‎11-15-2021 02:29 PM

Solution here:
Airgapped Panorama and Licenses : paloaltonetworks (reddit.com)

 

We have an airgapped Panorama as well, and this is what lets us push updates when it doesn't know the license details...

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks