Managing single pair of VM firewall with and without Panorama

Showing results for 
Search instead for 
Did you mean: 

Managing single pair of VM firewall with and without Panorama

L1 Bithead

Hi Palo Alto Community


I wanted to ask what are the pro's and cons of not using a Panorama for managing a single pair of VM-300 firewalls. From reading documentations etc, the main benefit of Panorama would only be if this was a distrbuted deployment managing 10's or 100's of firewalls.


If in this case it was only 2 VM's to be managed a Panorama would not serve any benefits from what I gather. But wanted to open up to the community to see if I will lose out on any features by not using the Panorama. We would like to use the API and code directly the VM-300 for provisioning policies etc. 


Thanks for any advice on this.




L1 Bithead

On the back of this, would it be possible to have panorama just push updates to the VM's while we can use the API's directly to the VM-300 to provision policies?

Cyber Elite
Cyber Elite


So one thing that you actually miss out on completely, although I've been campaigning for the requirement to be lifted, is the ability to utilize the logging service. The way that its constructed this service isn't functional without Panorama for the time being. 

I think you're right in the assumption that utilizing Panorama for two firewalls would likely be overkill; but keep in mind that utilizing Panorama at all is something that is going to depend on the enviroment and such. I've managed an enviroment where we had upwards of 75 remote offices without utilizing Panorama as I could mimic the features I actually needed with the API. Not something that I would really recommend most people do, but it worked well for what I needed. 


All of the other features available in Panorama that I actually care anything about I've simply duplicated with the API or setup an expect script and stored the output. Panorama for me is mostly a conviencance thing; you can duplicate almost all of it's features but is the time you spend doing so actually worth it over simply purchasing Panorama? 

@BPry thanks for your information. What we had in mind was to have an overarching Panorama just for centrally monitoring all the VM-300 pairs and to provision content updates etc.


But majority of the policy provisioning would be done by the users locally on the VM-300. 


In this scenario, hopefully we get a single pane of glass of seeing what traffic is passing through the VM-300 while allowing users to manage their own policies locally.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!