Onboarding Large Numbers of Firewalls Using Panorama and Bootstrapping


L1 Bithead

I am working on a project which will involve deploying a large number of PA220 firewalls to branch offices. This will happen over a period of time with probably around 30-50 branches per phase of work. These branch firewalls will be managed using Panorama.

 

I am looking to streamline the whole deployment process and to this point have completed the following.

 

I have configured a template stack and device group in Panorama which will be applied to all branches. I have used variables where IP addressing will be different per site in order to avoid local configuration on the firewalls.

 

I have used bootstrapping to apply a starting configuration and connect the firewalls to Panorama. This starting configuration has also been used to remove the default virtual wire configuration and to change the local admin account.

 

However, I still have a number of challenges which are causing me a significant amount of manual processing. Any suggestions on how I could streamline these at scale would be gratefully received.

 

Firstly, when purchasing a number of firewalls, these have to be registered in the support portal and then licence auth codes need to be added for each one. Previously I have called Palo Support and they have activated devices in bulk for me, which saves a lot of time. Is there a way that I can register devices in bulk and activate all licences from an order of new devices?

*** Update *** Found bulk registration, see below.

 

Secondly, when the PA220s are delivered they are nearly always on an older version of PANOS software. Two units I installed this week were running 8.0.7 out of the box. Therefore I have to push dynamic updates for Apps & Threats followed by the PANOS updates (major & minor versions). Some of my template configuration within Panorama is not recognised by the firewalls until these updates are carried out, and this causes the commit from Panorama to initially fail. Is there any way I can automatically apply dynamic updates and PANOS versions to new devices coming online? Software upgrades cannot be applied to hardware devices as part of the bootstrapping process.

 

Lastly, I am currently still having to connect to the PA220s to apply a unique device name, as you cannot use a variable in this field or others such as geo-location. Am I missing something here? I was hoping not to have to still be making local configurations.

 

Many thanks in advance for any suggestions or advice.

Cyber Elite

Hello,

I'm sure the sales team should be able to help with the registration part. As for the second question, have you heard about bootstrapping? Should help out with the base config as well as the upgrade of code.

 

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/firewall-administration/bootstrap-the-fire...

 

Cheers!

Thanks for your reply.

 

As mentioned above, I am using bootstrapping for settings which have to be made locally.

 

Software updates are supported for VMs only, not hardware devices.

L1 Bithead

I found how to do bulk registration.

You need to add the 'Bulk Registration' role in the support portal for the option to show up. The 'Superuser' role alone will not work.

 

BULK REGISTRATION USER GUIDE

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClNeCAK

 
