This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PANCast™ Episode 37: Device Onboarding Process to Panorama

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PANCast™ Episode 37: Device Onboarding Process to Panorama

ozheng
L4 Transporter

on ‎02-28-2024 12:17 PM - edited on ‎02-28-2024 06:49 PM by

100% helpful (2/2)

 

Episode Transcript:

 

John: 

Hello PANCasters, today we have Olivier back to talk about device onboarding to Panorama.Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME Management/Logging Reporting in Technical Assistance Centre Singapore, he is supporting customers and participating in multiple knowledge sharing initiatives by writing content in the Knowledge Base, by delivering training to internal engineers. He is responsible for 1 issued patent. Olivier holds a Master of Science Mobile and High Speed telecom networks from Oxford Brookes University, UK and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France.Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME Management/Logging Reporting in Technical Assistance Centre Singapore, he is supporting customers and participating in multiple knowledge sharing initiatives by writing content in the Knowledge Base, by delivering training to internal engineers. He is responsible for 1 issued patent. Olivier holds a Master of Science Mobile and High Speed telecom networks from Oxford Brookes University, UK and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France.
 

Olivier:

Hi John,
Thank you for having back today to discuss about the device onboarding process to Panorama.

So let’s explain how this process works.

Before PAN-OS 10.1, the onboarding process was something quite simple : you used to configure the IP address of Panorama on the managed device, for instance a firewall, and on the Panorama side, you used to configure the serial number of the device added, so in this case the firewall’s serial number.
 
Once that was done, the communication between the managed device and the Panorama was set up using certificate to make sure no eavesdropping can happen. Nobody wants someone to sniff the traffic and see the configuration being transmitted in clear text, right?!
 
John: 
Very true Olivier! You mentioned before PAN-OS 10.1, so what is new with PAN-OS 10.1?
 

What is New in PAN-OS 10.1?

 
Olivier:
Yes, so as I said earlier, the onboarding was quite simple and a new onboarding process has been made to be more secure.
The new process involves an authentication key used by the managed device to authenticate itself to Panorama. With this authkey, there is a mutual authentication in place : the Panorama needs to know the device serial number, and the device needs to know the authkey.
 
The second change is about the certificate used to secure the communication between the Panorama and the managed device. Instead of using the default certificate on the system, the Panorama derives a new CA certificate, and it will use this CA certificate to issue a certificate for each managed device.
 
So the big change here is that a device associated with company A’s Panorama, if it needs to be managed by another company B’s Panorama, it will require a new certificate from company B’s Panorama.
There is really no common certificate between company A and company B.
 
Finally, you onboard your device to the Active Panorama : you only work on the Active Panorama and the device to onboard, if you have a High Availability Panorama setup, there is nothing to do on the Passive Panorama.
 
John: 
OK. So let's say I have an old device already managed by Panorama, do I need to re-onboard it to Panorama?
 

Need To Re-onboard Devices?

 
Olivier:
No John, the already connected devices do not need to be re-onboarded if they are running fine.
Keep in mind the onboarding process happens only for the first time a device connect to Panorama: if the device is running on a version lower than PAN-OS 10.1, it will be onboarded as per the legacy onboarding process. But if the device is running on PAN-OS 10.1 or above, it will go through the new onboarding process.
 
John: 
Great, so is there anything special with a Panorama or a firewall replacement?
 

What To Do With a Device Replacement?

 
Olivier:
Ah that’s the complicated part.
So if you are using the legacy mode, there is nothing new.
However if you are using the new onboarding process, there are 3 possibilities:
  • Case 1 : a managed device is replaced.
    In this case, you simply have to onboard the device as any new device to Panorama.
  • Case 2 : a Panorama in High Availability is replaced.
    In this case, make sure the remaining Panorama is Primary-Active, and you add the replacement Panorama as Secondary-Passive.
  • Case 3 : a standalone Panorama is replaced.
    In this case, you will have to re-onboard all the devices to the Panorama.
 
John: 
Great info Olivier, so what are the key takeaways for today?
 
Olivier:
So the key points to remember in this episode are:
  • There is a new onboarding process from PAN-OS 10.1.
  • This onboarding process is just for the first connection to Panorama.
  • The onboarding process is between the Active Panorama and the managed device.
And if possible, you should think about having a High Availability Panorama setup.
 
John: 
Thanks Olivier. Some great info on the onboarding process. PANCasters, remember to head to live.paloaltonetworks.com for the transcript and additional info.
 
Panorama
Thumbnail of Panorama
Palo Alto Networks
Panorama
Network Security
View on Product Page
NGFW
Thumbnail of NGFW
Palo Alto Networks
NGFW
Network Security
View on Product Page
Rate this article:
Comments
KengSeng
L1 Bithead
‎02-28-2024 09:23 PM

Hi, how do we validate if a NGFW is SC3?

ozheng
L4 Transporter
‎02-29-2024 01:45 AM

@KengSeng on the firewall, the command "show system state filter cfg.ms.*" should return a cfg.ms.ca and cfg.ms.cc key.

  • 2812 Views
  • 2 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎02-28-2024 06:49 PM
Updated by:
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks