
PANCast™ Episode 37: Device Onboarding Process to Panorama

Episode Transcript:

John: 

Hello PANCasters, today we have Olivier back to talk about device onboarding to Panorama.

Olivier Zheng, PCNSE, is a Staff Support Engineer at Palo Alto Networks. As SME Management/Logging Reporting in Technical Assistance Centre Singapore, he is supporting customers and participating in multiple knowledge sharing initiatives by writing content in the Knowledge Base and by delivering training to internal engineers. He is responsible for 1 issued patent. Olivier holds a Master of Science in Mobile and High Speed Telecom Networks from Oxford Brookes University, UK and a Master of Science in Computer Science and Information Technology from ESI SUPINFO Paris, France.
 

Olivier:

Hi John,
Thank you for having me back today to discuss the device onboarding process to Panorama.

So let’s explain how this process works.

Before PAN-OS 10.1, the onboarding process was quite simple: you configured the IP address of Panorama on the managed device, for instance a firewall, and on the Panorama side you configured the serial number of the device being added, in this case the firewall's serial number.
 
Once that was done, the communication between the managed device and Panorama was set up using certificates to make sure no eavesdropping could happen. Nobody wants someone to sniff the traffic and see the configuration being transmitted in clear text, right?!
 
John: 
Very true Olivier! You mentioned before PAN-OS 10.1, so what is new with PAN-OS 10.1?
 

What is New in PAN-OS 10.1?

 
Olivier:
Yes, so as I said earlier, the onboarding was quite simple, and a new onboarding process has been introduced to make it more secure.
The new process involves an authentication key used by the managed device to authenticate itself to Panorama. With this authkey, there is mutual authentication in place: Panorama needs to know the device serial number, and the device needs to know the authkey.
 
The second change is about the certificate used to secure the communication between the Panorama and the managed device. Instead of using the default certificate on the system, the Panorama derives a new CA certificate, and it will use this CA certificate to issue a certificate for each managed device.
 
So the big change here is that if a device associated with company A's Panorama needs to be managed by another company's Panorama, say company B's, it will require a new certificate from company B's Panorama.
There is really no certificate in common between company A and company B.
 
Finally, you onboard your device to the Active Panorama: you only work on the Active Panorama and the device being onboarded. If you have a High Availability Panorama setup, there is nothing to do on the Passive Panorama.
 
John: 
OK. So let's say I have an old device already managed by Panorama, do I need to re-onboard it to Panorama?
 

Need To Re-onboard Devices?

 
Olivier:
No John, the already connected devices do not need to be re-onboarded if they are running fine.
Keep in mind that the onboarding process happens only the first time a device connects to Panorama: if the device is running a version lower than PAN-OS 10.1, it will be onboarded as per the legacy onboarding process. But if the device is running PAN-OS 10.1 or above, it will go through the new onboarding process.
 
John: 
Great, so is there anything special with a Panorama or a firewall replacement?
 

What To Do With a Device Replacement?

 
Olivier:
Ah that’s the complicated part.
So if you are using the legacy mode, there is nothing new.
However if you are using the new onboarding process, there are 3 possibilities:
  • Case 1: a managed device is replaced.
    In this case, you simply have to onboard the device to Panorama as you would any new device.
  • Case 2: a Panorama in High Availability is replaced.
    In this case, make sure the remaining Panorama is Primary-Active, and add the replacement Panorama as Secondary-Passive.
  • Case 3: a standalone Panorama is replaced.
    In this case, you will have to re-onboard all the devices to the Panorama.
 
John: 
Great info Olivier, so what are the key takeaways for today?
 
Olivier:
So the key points to remember in this episode are:
  • There is a new onboarding process starting with PAN-OS 10.1.
  • This onboarding process is just for the first connection to Panorama.
  • The onboarding process is between the Active Panorama and the managed device.
And if possible, you should think about having a High Availability Panorama setup.
 
John: 
Thanks Olivier. Some great info on the onboarding process. PANCasters, remember to head to live.paloaltonetworks.com for the transcript and additional info.
 
Comments
L1 Bithead

Hi, how do we validate if an NGFW is SC3?

L4 Transporter

@KengSeng on the firewall, the command "show system state filter cfg.ms.*" should return a cfg.ms.ca and cfg.ms.cc key.
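The check in the reply above is a manual one: run the command, look for the two keys. When you have more than a handful of firewalls, it is easier to capture that output (for example over SSH) and let a script decide. The following is an added example written for this page; it is not code from Palo Alto Networks or from the comment author. It assumes the captured output is one `key: value` pair per line, with continuation lines (no `cfg.ms.` prefix) belonging to the previous value, as a multi-line certificate blob would; only the key names `cfg.ms.ca` and `cfg.ms.cc` named in the reply are relied upon, the values are never interpreted. The sample outputs, the placeholder certificate text and the key `cfg.ms.placeholder-key` are constructed for the example, and the function names are my own.

```python
"""Classify a PAN-OS firewall as SC3-onboarded (PAN-OS 10.1+ process) or
legacy, from captured output of ``show system state filter cfg.ms.*``.

Added example; not code from the page or from Palo Alto Networks.
Assumed output format: ``key: value`` per line, continuation lines
belong to the previous key. Only key presence is checked.
"""
import re
from typing import Dict

# The two keys the comment reply says an SC3-onboarded firewall exposes.
SC3_KEYS = ("cfg.ms.ca", "cfg.ms.cc")

# A line that starts a new key/value pair (assumed format).
_KV_RE = re.compile(r"^(cfg\.ms\.[A-Za-z0-9_.-]+):\s*(.*)$")


def parse_system_state(output: str) -> Dict[str, str]:
    """Parse captured ``show system state`` output into {key: value}.

    Lines that do not begin with a ``cfg.ms.`` key are appended to the
    value of the most recent key, so a PEM blob spread over several
    lines stays attached to its key. Leading junk before the first key
    is dropped.
    """
    state: Dict[str, str] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KV_RE.match(line)
        if m:
            current = m.group(1)
            state[current] = m.group(2)
        elif current is not None:
            state[current] = (state[current] + "\n" + line).strip()
    return state


def sc3_status(output: str) -> str:
    """Return 'sc3', 'legacy' or 'partial' for one device's output.

    'partial' means exactly one of the two keys is present with a
    non-empty value; that is not a healthy state and should be looked
    at rather than being filed under either outcome.
    """
    state = parse_system_state(output)
    present = [k for k in SC3_KEYS if state.get(k, "") != ""]
    if len(present) == len(SC3_KEYS):
        return "sc3"
    if not present:
        return "legacy"
    return "partial"


# Constructed sample outputs (not captured from real devices); the
# certificate bodies and cfg.ms.placeholder-key are placeholders.
SAMPLE_SC3 = """\
cfg.ms.ca: -----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
cfg.ms.cc: -----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
"""

SAMPLE_LEGACY = """\
cfg.ms.placeholder-key: legacy-value
"""

SAMPLE_PARTIAL = """\
cfg.ms.ca: -----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    samples = (("sc3", SAMPLE_SC3), ("legacy", SAMPLE_LEGACY),
               ("partial", SAMPLE_PARTIAL))
    for name, text in samples:
        print(f"{name:8s} -> {sc3_status(text)}")
```

Feed each firewall's captured output to `sc3_status` and treat anything other than `sc3` on a PAN-OS 10.1+ device as something to investigate; a `partial` result in particular means the output does not match what the reply describes and should not be interpreted as either onboarding mode.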

Last Updated:
‎02-28-2024 06:49 PM