
Panorama Overview

Panorama Administrator's Guide
Version 7.0

Contact Information
Corporate Headquarters:

Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contactus

About this Guide
This guide describes how to set up and use Panorama for centralized management; it is intended for administrators who want the basic framework to quickly set up the Panorama virtual appliance or the M-Series appliance for centralized administration of Palo Alto Networks firewalls.
If you have an M-Series appliance, this guide takes over after you finish rack mounting your M-Series appliance.
For more information, refer to the following sources:

For information on how to configure other components in the Palo Alto Networks Next-Generation Security Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or search the documentation.

For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.

For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.

For the most current PAN-OS and Panorama 7.0 release notes, go to https://www.paloaltonetworks.com/documentation/70/panos/panosreleasenotes.html.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.

Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 27, 2016

Panorama 7.0 Administrator's Guide


Panorama Overview
Panorama provides centralized monitoring and management of multiple Palo Alto Networks next-generation firewalls. It provides a single location from which you can oversee all applications, users, and content traversing your network, and then use this knowledge to create application enablement policies that protect and control the network. Using Panorama for centralized policy and device management increases operational efficiency in managing and maintaining a distributed network of firewalls.

About Panorama

Panorama Platforms

Centralized Configuration and Deployment Management

Centralized Logging and Reporting

Panorama Commit Operations

Role-Based Access Control

Panorama Recommended Deployments

Plan Your Deployment

Deploy Panorama: Task Overview


Copyright 2007-2015 Palo Alto Networks


About Panorama
Panorama provides centralized management of Palo Alto Networks next-generation firewalls, as the following figure illustrates:

Panorama allows you to effectively configure, manage, and monitor your Palo Alto Networks firewalls using central oversight with local control, as required. The three focal areas in which Panorama adds value are:

Centralized configuration and deployment: To simplify central management and rapid deployment of the firewalls on your network, use Panorama to pre-stage the firewalls for deployment. You can then assemble the firewalls into groups, and create templates to apply a base network and device configuration and use device groups to administer globally shared and local policy rules. See Centralized Configuration and Deployment Management.
Aggregated logging with central oversight for analysis and reporting: Collect information on activity across all the managed firewalls on the network and centrally analyze, investigate and report on the data. This comprehensive view of network traffic, user activity, and the associated risks empowers you to respond to potential threats using the rich set of policies to securely enable applications on your network. See Centralized Logging and Reporting.
Distributed administration: Allows you to delegate or restrict access to global and local firewall configurations and policies. See Role-Based Access Control for delegating appropriate levels of access for distributed administration.

Panorama is available in two platforms: as a virtual appliance and as a dedicated hardware appliance. For more information, see Panorama Platforms.


Panorama Platforms
Panorama is available in the following platforms, each of which supports licenses for managing up to 25, 100, or 1,000 firewalls:

Panorama virtual appliance: You can install the Panorama virtual appliance on a VMware ESXi server or in VMware vCloud Air. The virtual appliance allows for a simple installation and facilitates server consolidation for sites that need a virtual management appliance. It also supports integration with a Network File Share (NFS) system for increased storage and log retention beyond 2TB. The Panorama virtual appliance works best in environments with logging rates of up to 10,000 logs per second. You can forward firewall logs directly to the Panorama virtual appliance (see Deploy Panorama Virtual Appliances with Local Log Collection) or use the Panorama virtual appliance to manage Dedicated Log Collectors that are M-Series appliances (see Deploy Panorama with Dedicated Log Collectors).
M-Series appliance: The M-100 appliance and M-500 appliance are dedicated hardware platforms intended for large-scale deployments. In environments with high logging rates (over 10,000 logs per second) and log retention requirements, these appliances enable scaling of your log collection infrastructure. Both appliances use RAID drives to store firewall logs and support RAID 1 mirroring to protect against disk failures. Both appliances use an SSD to store the logs that Panorama and Log Collectors generate. Only the M-500 appliance has redundant, hot-swappable power supplies and front-to-back airflow. The M-500 appliance also has faster processors and greater memory for better performance (for example, faster commit times). These attributes make the M-500 appliance more suitable for data centers than the M-100 appliance. The log storage capacity and maximum log collection rate vary by appliance:

Appliance        SSD Storage  Default RAID Storage  Maximum RAID Storage   Maximum Logging Rate
M-100 appliance  120GB        2 drives (1TB total)  8 drives (4TB total)   30,000 logs/second
M-500 appliance  240GB        8 drives (4TB total)  16 drives (8TB total)  60,000 logs/second

You can deploy the M-Series appliance in the following modes to separate the central management function from the log collection function:

Panorama mode: The appliance performs both central management and log collection. This is the default mode. For configuration details, see Deploy Panorama with Default Log Collectors.
Log Collector mode: The appliance functions as a Dedicated Log Collector. If multiple firewalls forward large volumes of log data, the M-Series appliance in Log Collector mode provides increased scale and performance. In this mode, the appliance has no web interface for administrative access, only a command line interface (CLI). However, you can manage the appliance using the web interface of the Panorama management server (M-Series appliance in Panorama mode or a Panorama virtual appliance). CLI access to an M-Series appliance in Log Collector mode is only necessary for initial setup and debugging. For configuration details, see Deploy Panorama with Dedicated Log Collectors.
For more details and specifications, see the M-100 and M-500 Hardware Reference Guides.
The platform choice depends on your need for a virtual appliance and your log collection requirements (see Determine Panorama Log Storage Requirements):


Log Collection Rate       Platform
Up to 10,000 logs/second  Panorama virtual appliance
Up to 30,000 logs/second  M-100 appliance
Up to 60,000 logs/second  M-500 appliance


Centralized Configuration and Deployment Management
Panorama uses device groups and templates to group firewalls into logical sets that require similar configuration. You use the device groups and templates to centrally manage all configuration elements, policies, and objects on the managed firewalls. Panorama also enables you to centrally manage licenses, software (PAN-OS software, SSL-VPN client software, GlobalProtect agent/app software), and content updates (Applications, Threats, WildFire, and Antivirus).

Context Switch: Firewall or Panorama

Templates and Template Stacks

Device Groups

Context Switch: Firewall or Panorama
The Panorama web interface enables you to toggle between a Panorama-centric view and a firewall-centric view by using the Context drop-down at the top-left of every tab. You can set the Context to Panorama to manage firewalls centrally or switch context to the web interface of a specific firewall to configure it locally. The similarity of the Panorama and firewall web interfaces enables you to seamlessly move between them to administer and monitor firewalls.
The Context drop-down lists only the firewalls that are connected to Panorama. For a Device Group and Template administrator, the drop-down lists only the connected firewalls that are within the Access Domains assigned to that administrator. To search a long list, use the Filters within the drop-down.
For firewalls that have a high availability (HA) configuration, the icons have colored backgrounds to indicate HA state (as follows). Knowing the HA state is useful when selecting a firewall context. For example, you generally make firewall-specific configuration changes on the active firewall.

Green: Active.

Yellow: Passive or the firewall is initiating (the initiating state lasts for up to 60 seconds after boot up).

Red: The firewall is non-functional (error state), suspended (an administrator disabled the firewall), or tentative (for a link or path monitoring event in an active/active HA configuration).

Templates and Template Stacks
You use templates to configure the settings that enable firewalls to operate on the network. Templates enable you to define a common base configuration using the Network and Device tabs on Panorama. For example, you can use templates to manage interface and zone configurations, server profiles for logging and syslog access, and network profiles for controlling access to zones and IKE gateways. When defining a template, consider assigning firewalls that are the same hardware model and require access to similar network resources, such as gateways and syslog servers.
If your network has groups of firewalls with some group-specific settings and some settings that are common across groups, you can simplify management by assigning the firewalls to a template stack for each group. A template stack is a combination of templates: the assigned firewalls inherit the settings from every template in the stack. This enables you to avoid the redundancy of adding every setting to every template. The following figure illustrates an example deployment in which you assign data center firewalls in the Asia Pacific (APAC) region to a stack that has one template with global settings, one template with APAC-specific settings, and one template with data center-specific settings. To manage firewalls in an APAC branch office, you can then reuse the global and APAC-specific templates by adding them to another stack that includes a template with branch-specific settings. Templates in a stack have a configurable priority order that ensures Panorama pushes only one value for any duplicate setting. Panorama evaluates the templates listed in a stack configuration from top to bottom, with higher templates having priority. The following figure illustrates a data center stack in which the data center template has a higher priority than the global template: Panorama pushes the idle timeout value from the data center template and ignores the value from the global template.
Figure: Template Stacks

To accommodate firewalls that have unique settings, you can use templates (single or stacked) to push a limited common base configuration to all firewalls, and in individual firewalls configure device-specific settings. Alternatively, you can push a broader common base configuration and in the individual firewalls override certain pushed settings with device-specific values. When you override a setting, the firewall saves that setting to its local configuration; Panorama no longer manages the setting. To restore template values after overriding them, you can use Panorama to force the template configuration onto a firewall. For example, after defining a common NTP server in a template and overriding the NTP server configuration on a firewall to accommodate its local time zone, you can later revert to the NTP server defined in the template.
You cannot use templates to set firewall modes: virtual private network (VPN) mode, multiple virtual systems mode (multi-vsys mode), and operational mode (normal, Federal Information Processing Standards [FIPS], or Common Criteria [CC]). For details, see Template Capabilities and Exceptions. However, you can assign firewalls that have non-matching modes to the same template or stack. In such cases, Panorama pushes mode-specific settings only to firewalls that support those modes. As an exception, you can configure Panorama to push the settings of the default vsys in a template to firewalls that don't support virtual systems or have none configured.
For the relevant procedures, see Manage Templates and Template Stacks.
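The stack resolution, local override, forced restore and mode-specific push rules described in this section, modelled as an added example (not code from the guide or from Panorama itself); the template contents, setting names and the APAC data center stack are constructed, and which settings count as multi-vsys-only is an assumption:

```python
"""Template stack resolution for Panorama-managed firewalls (added example).

Models what the section above describes: templates in a stack are evaluated
top to bottom and the highest template wins for any duplicate setting; a
firewall can override a pushed setting locally (Panorama then stops managing
it) and Panorama can later force the template value back; mode-specific
settings are pushed only to firewalls that support the mode.
Constructed data, not a real Panorama configuration.
"""
from dataclasses import dataclass, field

# Assumption for the example: settings under a second vsys only make sense on
# firewalls with multiple virtual systems enabled.
MULTI_VSYS_SETTINGS = {"vsys.vsys2.display-name"}


@dataclass
class Firewall:
    name: str
    supports_multi_vsys: bool
    # settings the local admin overrode: Panorama no longer manages these
    local_overrides: dict = field(default_factory=dict)
    running: dict = field(default_factory=dict)


def resolve_stack(stack):
    """Merge templates listed top (highest priority) to bottom.

    The first template that defines a setting wins, so a lower template's
    value is used only when no higher template defines that setting.
    """
    merged = {}
    for template in stack:
        for key, value in template.items():
            merged.setdefault(key, value)
    return merged


def push_stack(fw, stack, force=False):
    """Push the resolved stack to one firewall and return its running config.

    Locally overridden settings are left alone unless force=True, which
    restores the template values (the 'force the template configuration'
    action). Mode-specific settings are skipped on firewalls without the mode.
    """
    if force:
        fw.local_overrides.clear()
    for key, value in resolve_stack(stack).items():
        if key in MULTI_VSYS_SETTINGS and not fw.supports_multi_vsys:
            continue
        if key in fw.local_overrides:
            continue  # saved in the local configuration, not managed here
        fw.running[key] = value
    fw.running.update(fw.local_overrides)
    return dict(fw.running)


# Constructed templates, in stack order (top = highest priority).
DATACENTER_TEMPLATE = {"device.idle-timeout": 10}
APAC_TEMPLATE = {"device.ntp-server": "ntp.apac.example.internal",
                 "device.timezone": "Asia/Singapore"}
GLOBAL_TEMPLATE = {"device.idle-timeout": 60,
                   "device.ntp-server": "ntp.global.example.internal",
                   "device.timezone": "UTC",
                   "vsys.vsys2.display-name": "guest-vsys"}
APAC_DATACENTER_STACK = [DATACENTER_TEMPLATE, APAC_TEMPLATE, GLOBAL_TEMPLATE]


def demo():
    """Walk through the section's NTP example; returns the three configs."""
    dc_fw = Firewall("dc-fw1", supports_multi_vsys=True)
    # 1. First push: data center idle-timeout wins over the global value.
    first = push_stack(dc_fw, APAC_DATACENTER_STACK)
    # 2. Local admin overrides NTP for the local time zone; a re-push keeps it.
    dc_fw.local_overrides["device.ntp-server"] = "10.0.0.123"
    second = push_stack(dc_fw, APAC_DATACENTER_STACK)
    # 3. Forcing the template restores the APAC NTP server.
    third = push_stack(dc_fw, APAC_DATACENTER_STACK, force=True)
    return first, second, third


if __name__ == "__main__":
    for cfg in demo():
        print(cfg)
```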


Device Groups
To use Panorama effectively, you have to group the firewalls in your network into logical units called device groups. A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls that require similar policy configurations. Using device groups, you can configure policy rules and the objects they reference. You can organize device groups hierarchically, with shared rules and objects at the top, and device group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that enforce how firewalls handle traffic. For example, you can define a set of shared rules as a corporate acceptable use policy. Then, to allow only regional offices to access peer-to-peer traffic such as BitTorrent, you can define a device group rule that Panorama pushes only to the regional offices (or define a shared security rule and target it to the regional offices). For the relevant procedures, see Manage Device Groups. The following topics describe device group concepts and components in more detail:

Device Group Hierarchy

Device Group Policies

Device Group Objects

Device Group Hierarchy
You can Create a Device Group Hierarchy to nest device groups in a tree hierarchy of up to four levels, with lower-level groups inheriting the settings (policy rules and objects) of higher-level groups. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups (ancestors). At the top level, a device group can have child, grandchild, and great-grandchild device groups (descendants). All device groups inherit settings from the Shared location, a container at the top of the hierarchy for configurations that are common to all device groups.
Creating a device group hierarchy enables you to organize devices based on common policy requirements without redundant configuration. For example, you could configure shared settings that are global to all firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at lower levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared.
Figure: Device Group Hierarchy

For details on the order in which firewalls evaluate policy rules in a device group hierarchy, see Device Group Policies. For details on overriding the values of objects that device groups inherit from ancestor device groups, see Device Group Objects.


Device Group Policies
Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. A firewall evaluates policy rules by layer (shared, device group, and local) and by type (pre-rules, post-rules, and default rules) in the following order from top to bottom. When the firewall receives traffic, it performs the action defined in the first evaluated rule that matches the traffic and disregards all subsequent rules. To change the evaluation order for rules within a particular layer, type, and rulebase (for example, shared Security pre-rules), see Manage the Rule Hierarchy.
Evaluation Order: Shared pre-rules, then device group pre-rules
Rule Scope and Description: Panorama pushes shared pre-rules to all the firewalls in all device groups. Panorama pushes device group-specific pre-rules to all the firewalls in a particular device group and its descendant device groups. If a firewall inherits rules from device groups at multiple levels in the device group hierarchy, it evaluates pre-rules in the order of highest to lowest level. This means the firewall first evaluates shared rules and last evaluates the rules of device groups with no descendants. You can use pre-rules to enforce the acceptable use policy of an organization. For example, a pre-rule might block access to specific URL categories or allow Domain Name System (DNS) traffic for all users.
Administration Platform: These rules are visible on firewalls but you can only manage them in Panorama.

Evaluation Order: Local firewall rules
Rule Scope and Description: Local rules are specific to a single firewall or virtual system (vsys).
Administration Platform: A local firewall administrator, or a Panorama administrator who switches to a local firewall context, can edit local firewall rules.

Evaluation Order: Device group post-rules, then shared post-rules
Rule Scope and Description: Panorama pushes shared post-rules to all the firewalls in all device groups. Panorama pushes device group-specific post-rules to all the firewalls in a particular device group and its descendant device groups. If a firewall inherits rules from device groups at multiple levels in the device group hierarchy, it evaluates post-rules in the order of lowest to highest level. This means the firewall first evaluates the rules of device groups with no descendants and last evaluates shared rules. Post-rules typically include rules to deny access to traffic based on the App-ID, User-ID, or service.
Administration Platform: These rules are visible on firewalls but you can only manage them in Panorama.

Evaluation Order: intrazone-default, then interzone-default
Rule Scope and Description: The default rules apply only to the Security rulebase, and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). These rules specify how PAN-OS handles traffic that doesn't match any other rule. The intrazone-default rule allows all traffic within a zone. The interzone-default rule denies all traffic between zones. If you override default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over settings at the device group level, which take precedence over settings at the Shared level.
Administration Platform: Default rules are initially read-only, either because they are part of the predefined configuration or because Panorama pushed them to firewalls. However, you can override the rule settings for tags, action, logging, and security profiles. The device context determines the level at which you can override the rules:
Panorama: At the Shared or device group level, you can override default rules that are part of the predefined configuration.
Firewall: You can override default rules that are part of the predefined configuration on the firewall or vsys, or that Panorama pushed from the Shared location or a device group.

Whether you view rules on a firewall or in Panorama, the web interface displays them in evaluation order. All the shared, device group, and default rules that the firewall inherits from Panorama appear in green, while local firewall rules appear in blue between the pre-rules and post-rules.
Figure: Rule Hierarchy
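The evaluation order in the table above, built for a firewall at the bottom of a device group hierarchy and applied first-match, as an added example (not code from the guide or from PAN-OS); the hierarchy, rule names and the BitTorrent/regional-office rules are constructed from the earlier Device Groups example, and matching is reduced to App-ID plus zones:

```python
"""Security rule evaluation order in a device group hierarchy (added example).

Builds the ordered rulebase a firewall ends up with: shared pre-rules, device
group pre-rules from the highest ancestor down to the firewall's own group,
local rules, device group post-rules from the firewall's own group up, shared
post-rules, then intrazone-default and interzone-default. The first matching
rule decides the action. Constructed hierarchy and rules, not real config.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    app: str = "any"            # App-ID to match, or "any"
    src_zone: str = "any"
    dst_zone: str = "any"
    scope: str = "universal"    # "intrazone"/"interzone" for the default rules

    def matches(self, app, src_zone, dst_zone):
        if self.scope == "intrazone" and src_zone != dst_zone:
            return False
        if self.scope == "interzone" and src_zone == dst_zone:
            return False
        return all(want in ("any", got) for want, got in
                   ((self.app, app), (self.src_zone, src_zone),
                    (self.dst_zone, dst_zone)))


# Constructed four-level hierarchy as child -> parent; "shared" is the root.
PARENT = {"apac": "shared", "regional-offices": "apac",
          "sg-branch": "regional-offices"}


def lineage(device_group):
    """Device groups from Shared down to device_group itself."""
    chain = [device_group]
    while chain[-1] != "shared":
        chain.append(PARENT[chain[-1]])
    chain.reverse()
    return chain


# Predefined defaults: allow within a zone, deny between zones.
DEFAULT_RULES = (
    Rule("intrazone-default", "allow", scope="intrazone"),
    Rule("interzone-default", "deny", scope="interzone"),
)


def evaluation_order(device_group, pre_rules, local_rules, post_rules):
    """Ordered rulebase for a firewall in device_group.

    pre_rules/post_rules map a device group name (or "shared") to its rules.
    """
    chain = lineage(device_group)
    ordered = []
    for dg in chain:                 # pre-rules: highest level first
        ordered.extend(pre_rules.get(dg, []))
    ordered.extend(local_rules)      # local rules sit between pre and post
    for dg in reversed(chain):       # post-rules: lowest level first
        ordered.extend(post_rules.get(dg, []))
    ordered.extend(DEFAULT_RULES)
    return ordered


def first_match(rules, app, src_zone, dst_zone):
    """The firewall applies the first matching rule and ignores the rest."""
    for rule in rules:
        if rule.matches(app, src_zone, dst_zone):
            return rule
    raise LookupError("no rule matched; the default rules should always match")


# Constructed rules: a corporate acceptable-use policy in Shared, a regional
# exception for BitTorrent, one local lab rule and APAC-wide telnet denial.
PRE_RULES = {
    "shared": [Rule("allow-dns-all", "allow", app="dns")],
    "regional-offices": [Rule("allow-bittorrent-regional", "allow",
                              app="bittorrent")],
}
LOCAL_RULES = [Rule("local-lab-ssh", "allow", app="ssh",
                    src_zone="lab", dst_zone="dc")]
POST_RULES = {
    "apac": [Rule("deny-telnet", "deny", app="telnet")],
    "shared": [Rule("deny-p2p", "deny", app="bittorrent")],
}

if __name__ == "__main__":
    order = evaluation_order("sg-branch", PRE_RULES, LOCAL_RULES, POST_RULES)
    for rule in order:
        print(rule.name)
    print(first_match(order, "bittorrent", "trust", "untrust").name)
```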

Device Group Objects
Objects are configuration elements that policy rules reference, for example: IP addresses, URL categories, security profiles, users, services, and applications. Rules of any type (pre-rules, post-rules, default rules, and rules locally defined on a firewall) and any rulebase (Security, NAT, QoS, Policy Based Forwarding, Decryption, Application Override, Captive Portal, and DoS Protection) can reference objects. You can reuse an object in any number of rules that have the same scope as that object in the Device Group Hierarchy. For example, if you add an object to the Shared location, all rules in the hierarchy can reference that shared object because all device groups inherit objects from Shared. If you add an object to a particular device group, only the rules in that device group and its descendant device groups can reference that device group object. If object values in a device group must differ from those inherited from an ancestor device group, you can Override Inherited Object Values. You can also Revert to Inherited Object Values at any time. When you Create Objects for Use in Shared or Device Group Policy once and use them many times, you reduce administrative overhead and ensure consistency across firewall policies.
You can configure how Panorama handles objects system-wide:

Pushing unused objects: By default, Panorama pushes all objects to firewalls regardless of whether any shared or device group policy rules reference the objects. Optionally, you can configure Panorama to push only referenced objects. For details, see Manage Unused Shared Objects.
Precedence of ancestor and descendant objects: By default, when device groups at multiple levels in the hierarchy have an object with the same name but different values (because of overrides, as an example), policy rules in a descendant device group use the object values in that descendant instead of object values inherited from ancestor device groups or Shared. Optionally, you can reverse this order of precedence to push values from Shared or the highest ancestor containing the object to all descendant device groups. For details, see Manage Precedence of Inherited Objects.
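The two system-wide object behaviours just described (descendant-over-ancestor precedence and its reversal, and pushing all objects versus only referenced ones), as an added example that is not code from the guide or from Panorama; the hierarchy, address objects and rule references are constructed:

```python
"""Object inheritance in a device group hierarchy (added example).

resolve_object shows which value of a same-named object a device group's
rules use: by default the nearest (descendant) definition wins, with the
optional reversed precedence the Shared or highest-ancestor value wins.
objects_to_push shows what Panorama pushes to a device group's firewalls:
every inherited object by default, or only objects some rule references.
Constructed data, not a real Panorama configuration.
"""

# child -> parent; "shared" is the top of the hierarchy
PARENT = {"apac": "shared", "sg-branch": "apac"}

# address objects defined at each level: name -> value
OBJECTS = {
    "shared":    {"dns-server": "10.0.0.53", "proxy": "10.0.0.8"},
    "apac":      {"dns-server": "10.1.0.53"},   # override of the Shared value
    "sg-branch": {"dns-server": "10.1.7.53"},   # overridden again below APAC
}

# rule name -> object names the rule references, per level
RULE_REFERENCES = {
    "shared":    {"allow-dns": {"dns-server"}},
    "apac":      {},
    "sg-branch": {"allow-proxy": {"proxy"}},
}


def lineage(device_group):
    """Levels from Shared down to device_group itself."""
    chain = [device_group]
    while chain[-1] != "shared":
        chain.append(PARENT[chain[-1]])
    chain.reverse()
    return chain


def resolve_object(name, device_group, ancestor_precedence=False):
    """Value of `name` as seen by rules in device_group.

    Default: walk up from the device group, first definition wins
    (descendant over ancestor). With ancestor_precedence walk down from
    Shared instead, so the highest level defining the object wins.
    Raises KeyError when no visible level defines the object.
    """
    chain = lineage(device_group)
    levels = chain if ancestor_precedence else reversed(chain)
    for level in levels:
        if name in OBJECTS.get(level, {}):
            return OBJECTS[level][name]
    raise KeyError(f"{name!r} not defined at any level visible to {device_group!r}")


def objects_to_push(device_group, only_referenced=False, ancestor_precedence=False):
    """Objects (name -> value) pushed to the firewalls of device_group.

    By default every object the group defines or inherits is pushed; with
    only_referenced, just those referenced by a rule at a level the group
    inherits from. Values follow the chosen precedence.
    """
    chain = lineage(device_group)
    names = set()
    for level in chain:
        names |= set(OBJECTS.get(level, {}))
    if only_referenced:
        referenced = set()
        for level in chain:
            for refs in RULE_REFERENCES.get(level, {}).values():
                referenced |= set(refs)
        names &= referenced
    return {n: resolve_object(n, device_group, ancestor_precedence)
            for n in sorted(names)}


if __name__ == "__main__":
    print(resolve_object("dns-server", "sg-branch"))
    print(resolve_object("dns-server", "sg-branch", ancestor_precedence=True))
    print(objects_to_push("apac", only_referenced=True))
```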


Centralized Logging and Reporting
Panorama aggregates data from all managed firewalls and provides visibility across all the traffic on the network. It also provides an audit trail for all policy modifications and configuration changes made to the managed firewalls. In addition to aggregating logs, Panorama can aggregate and forward Simple Network Management Protocol (SNMP) traps, email notifications, and syslog messages to an external destination.
The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all the firewalls. It enables you to centrally Monitor Network Activity, to analyze, investigate, and report on traffic and security incidents. On Panorama, you can view logs and generate reports from logs forwarded to Panorama or to the managed Log Collectors, if configured, or you can query the managed firewalls directly. For example, you can generate reports about traffic, threat, and/or user activity in the managed network based on logs stored on Panorama (and the managed collectors) or by accessing the logs stored locally on the managed firewalls.
If you choose not to Configure Log Forwarding to Panorama, you can schedule reports to run on each managed firewall and forward the results to Panorama for a combined view of user activity and network traffic. Although this view does not provide a granular drill-down on specific data and activities, it still provides a unified reporting approach.

Logging Options

Managed Collectors and Collector Groups

Caveats for a Collector Group with Multiple Log Collectors

Centralized Reporting

Logging Options
Both the Panorama virtual appliance and M-Series appliance can collect logs that the managed firewalls forward. You can then Configure Log Forwarding from Panorama to External Destinations (syslog server, email server, or Simple Network Management Protocol [SNMP] trap server). The logging options vary on each Panorama platform.
The PA-7000 Series firewall can't forward logs to Panorama, only to external services directly. However, when you monitor logs or generate reports for a device group that includes a PA-7000 Series firewall, Panorama queries the firewall in real time to display its log data.

Panorama Platform: Virtual appliance
Logging Options: Offers three logging options:
Use the approximately 11GB of internal storage space allocated for logging as soon as you install the virtual appliance.
Add a virtual disk that can support up to 2TB of storage.
Mount a Network File System (NFS) datastore in which you can configure the storage capacity that is allocated for logging.

Panorama Platform: M-Series appliance
Logging Options: The default shipping configuration for the M-100 appliance includes two disks with a total of 1TB storage capacity. For the M-500 appliance, the default configuration includes eight disks for 4TB of storage. Both appliances use RAID 1 to protect against disk failures. You can Increase Storage on the M-Series Appliance to 4TB on the M-100 appliance and 8TB on the M-500 appliance. When an M-Series appliance is in Panorama mode, you can enable the RAID disks to serve as the default Log Collector. If you have an M-Series appliance in Log Collector mode (Dedicated Log Collector), you use Panorama to assign firewalls to the Dedicated Log Collectors. In a deployment with multiple Dedicated Log Collectors, Panorama queries all managed Log Collectors to generate an aggregated view of traffic and cohesive reports. For easy scaling, begin with a single Panorama and incrementally add Dedicated Log Collectors as your needs expand.

Managed Collectors and Collector Groups
A Log Collector can be local to an M-Series appliance in Panorama mode (default Log Collector) or can be an M-Series appliance in Log Collector mode (Dedicated Log Collector). Because you use Panorama to configure and manage Log Collectors, they are also known as managed collectors. An M-Series appliance in Panorama mode or a Panorama virtual appliance can manage Dedicated Log Collectors. To administer Dedicated Log Collectors using the Panorama web interface, you must add them as managed collectors. Otherwise, administrative access to a Dedicated Log Collector is only available through its CLI using the default administrative user (admin) account. Dedicated Log Collectors do not support additional administrative user accounts.
A Collector Group is one or more managed collectors that operate as a single logical log collection unit. If the group contains Dedicated Log Collectors, the logs are uniformly distributed across all the disks in each Log Collector and across all members in the Collector Group. This distribution maximizes the use of the available storage space. To manage a Log Collector, you must add it to a Collector Group. If you assign more than one Log Collector to a Collector Group, see Caveats for a Collector Group with Multiple Log Collectors.
The Collector Group configuration specifies which managed firewalls can send logs to the Log Collectors in the group. After you configure the Log Collectors and enable the firewalls to forward logs, each firewall forwards its logs to the assigned Log Collector.
Managed collectors and Collector Groups are integral to a distributed log collection deployment on Panorama. A distributed log collection deployment allows for easy scalability and incremental addition of Dedicated Log Collectors as your logging needs grow. The M-Series appliance in Panorama mode can log to its default Collector Group and then be expanded to a distributed log collection deployment with one or more Collector Groups that include Dedicated Log Collectors.
To configure Log Collectors and Collector Groups, see Manage Collector Groups.

Caveats for a Collector Group with Multiple Log Collectors
You can Configure a Collector Group with multiple Log Collectors to ensure log redundancy or to accommodate logging rates that exceed the capacity of a single Log Collector (see Panorama Platforms). For example, if a single managed firewall generates 16TB of logs, the Collector Group that receives those logs will require at least four Log Collectors that are M-100 appliances or two Log Collectors that are M-500 appliances.


A Collector Group with multiple Log Collectors uses the available storage space as one logical unit and uniformly distributes the logs across all its Log Collectors. The log distribution is based on the disk capacity of the Log Collectors (1TB to 8TB, depending on the number of disk pairs and the M-Series platform) and a hash algorithm that dynamically decides which Log Collector owns the logs and writes to disk. Although Panorama uses a preference list to prioritize the list of Log Collectors to which a managed firewall can forward logs, Panorama does not necessarily write the logs to the first Log Collector specified in the preference list. For example, consider the following preference list:

Managed Firewall  Log Forwarding Preference List Defined on a Collector Group
FW1               L1, L2, L3
FW2               L4, L5, L6

Using this list, FW1 will forward logs to L1, its primary Log Collector, but the hash algorithm could determine that the logs will be written on L2. If L2 becomes inaccessible or has a chassis failure, FW1 will not know about its failure because it is still able to connect to L1, its primary Log Collector.

In the case where a Collector Group has only one Log Collector and the Log Collector fails, the firewall stores the logs to its HDD/SSD (the available storage space varies by hardware model), and resumes forwarding logs to the Log Collector where it left off before the failure occurred as soon as connectivity is restored. With multiple Log Collectors in a Collector Group, the firewall does not buffer logs to its local storage when it can connect to its primary Log Collector. Therefore, FW1 will continue sending logs to L1. Because L2 is unavailable, the primary Log Collector L1 buffers the logs to its HDD, which has 10GB of log space. If L2 remains unavailable and the logs pending for L2 exceed 10GB, L1 will overwrite the older log entries to continue logging. In such an event, loss of logs is a risk.

Palo Alto Networks recommends the following mitigations if using multiple Log Collectors in a Collector Group:

Enable log redundancy when you Configure a Collector Group. This ensures that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector.
Because enabling redundancy creates more logs, this configuration requires more storage capacity. When a Collector Group runs out of space, it deletes older logs.
Enabling redundancy doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.

Obtain an On-Site Spare (OSS) to enable prompt replacement if a Log Collector failure occurs.
In addition to forwarding logs to Panorama, configure forwarding to an external service as backup storage. The external service can be a syslog server, email server, or Simple Network Management Protocol (SNMP) trap server.
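A sizing helper that applies the platform figures from Panorama Platforms and the 16TB example and redundancy caveats above, as an added example (not code from the guide or a Palo Alto Networks tool); the only inputs are this chapter's per-platform storage and logging-rate limits, and it assumes a Collector Group's capacity and throughput add up linearly across its members:

```python
"""Collector Group sizing from this chapter's platform figures (added example).

choose_platform picks the smallest platform whose maximum logging rate covers
a peak rate (Log Collection Rate table). collectors_needed computes how many
Log Collectors a Collector Group needs for a log volume and peak rate, where
enabling log redundancy stores two copies of every log and halves each
collector's maximum logging rate, as the caveats above describe.
"""
import math

# Maximum logging rate per platform, logs/second (Log Collection Rate table).
RATE_LIMITS = {
    "Panorama virtual appliance": 10_000,
    "M-100": 30_000,
    "M-500": 60_000,
}

# Dedicated Log Collector platforms: maximum RAID storage (TB) and max rate.
COLLECTOR_SPECS = {
    "M-100": {"max_storage_tb": 4, "max_rate": 30_000},
    "M-500": {"max_storage_tb": 8, "max_rate": 60_000},
}


def choose_platform(peak_rate):
    """Smallest platform whose maximum logging rate covers peak_rate."""
    for platform, limit in RATE_LIMITS.items():
        if peak_rate <= limit:
            return platform
    raise ValueError(f"{peak_rate} logs/second exceeds a single appliance; "
                     "size a Collector Group instead")


def collectors_needed(platform, log_volume_tb, peak_rate, redundancy=False):
    """Log Collectors of `platform` needed in one Collector Group.

    Storage adds up across members (the group uses its disks as one logical
    unit); redundancy doubles the stored volume. Throughput also adds up,
    but redundancy halves each member's maximum logging rate because every
    collector must distribute a copy of each log it receives.
    """
    spec = COLLECTOR_SPECS[platform]
    copies = 2 if redundancy else 1
    stored_tb = log_volume_tb * copies
    per_collector_rate = spec["max_rate"] / copies
    by_storage = math.ceil(stored_tb / spec["max_storage_tb"])
    by_rate = math.ceil(peak_rate / per_collector_rate)
    return max(by_storage, by_rate, 1)


def plan(log_volume_tb, peak_rate, redundancy=False):
    """Collector count per M-Series platform for the same requirement."""
    return {p: collectors_needed(p, log_volume_tb, peak_rate, redundancy)
            for p in COLLECTOR_SPECS}


if __name__ == "__main__":
    # The chapter's example: 16TB of logs from a single firewall.
    print(plan(16, 0))                    # {'M-100': 4, 'M-500': 2}
    print(plan(16, 0, redundancy=True))   # storage doubles: {'M-100': 8, 'M-500': 4}
    print(choose_platform(25_000))        # M-100
```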

Centralized Reporting
Panorama aggregates logs from all managed firewalls and enables reporting on the aggregated data for a global view of application use, user activity, and traffic patterns across the entire network infrastructure. As soon as the firewalls are added to Panorama, the ACC can display all traffic traversing your network. With logging enabled, clicking into a log entry in the ACC provides direct access to granular details about the application.
For generating reports, Panorama uses two sources: the local Panorama database and the remote firewalls that it manages. The Panorama database refers to the local storage on Panorama that is allocated for storing both summarized logs and some detailed logs. If you have a distributed Log Collection deployment, the Panorama database includes the local storage on Panorama and all the managed Log Collectors. Panorama summarizes the information (traffic, application, threat) collected from all managed firewalls at 15-minute intervals. Using the local Panorama database allows for faster response times; however, if you prefer to not forward logs to Panorama, Panorama can directly access the remote firewall and run reports on data that is stored locally on the managed firewalls.
Panorama offers more than 40 predefined reports that can be used as is, or they can be customized by combining elements of other reports to generate custom reports and report groups that can be saved. Reports can be generated on demand, on a recurring schedule, and can be scheduled for email delivery. These reports provide information on the user and the context so that you can correlate events and identify patterns, trends, and potential areas of interest. With the integrated approach to logging and reporting, the ACC enables correlation of entries from multiple logs relating to the same event.
For more information, see Monitor Network Activity.


Panorama Commit Operations
When editing the configuration on Panorama, you are changing the candidate configuration file. The candidate configuration is a copy of the running configuration along with any changes you made since the last commit. The Panorama web interface displays all the configuration changes immediately. However, Panorama won't implement the changes until you commit them. The commit process validates the changes in the candidate configuration file and saves it as the running configuration on Panorama.
After any system event or administrator action causes Panorama to reboot, all your changes since the last commit will be lost. To preserve changes without committing them, periodically click Save at the top right of the web interface to save a snapshot of the candidate configuration. If a reboot occurs, you can then revert to the snapshot. For details on backing up and restoring running and candidate configurations, see Manage Panorama and Firewall Configuration Backups.

When initiating a commit on Panorama, select one of the following types:

Commit Option      Description
Panorama           Commits the changes on the current candidate configuration to the running
                   configuration on Panorama. You must first commit your changes on Panorama before
                   committing any configuration updates (templates or device groups) to the managed
                   firewalls or Collector Groups.
Template           Commits network and device configurations from a Panorama template or template
                   stack to the selected firewalls.
Device Group       Commits policies and objects configured from Panorama to the selected
                   firewalls/virtual systems.
Collector Group    Commits changes to the specified Collector Groups that Panorama manages.

When you perform a commit, Panorama pushes the entire configuration to the managed firewalls or Log Collectors. When the commit completes, a result displays: Commit succeeded or Commit succeeded with warnings.

Panorama can't perform a device group or template commit to firewalls while a local commit is in progress on those firewalls. The local commit can be manual (you click Commit) or automatic. PAN-OS performs an automatic commit when you downgrade content versions (for example, the WildFire version), or refresh address objects, FQDNs, or dynamic block lists.

Some other commit choices are:

• Preview Changes: This option is available when the Commit Type is Panorama. It enables you to compare the candidate configuration with the running configuration in the same way as the Panorama > Config Audit feature (see Compare Changes in Panorama Configurations). After clicking Preview Changes, select the number of lines to include for context, and click OK. As a best practice, preview your configuration changes before committing them.
  Because the preview results display in a new window, your browser must allow pop-up windows. If the preview window does not open, refer to your browser documentation for the steps to unblock pop-up windows.

• Validate Changes: This option is available when the Commit Type is Panorama, Template, or Device Group. It enables you to Validate a Panorama Configuration before committing it.

• Include Device and Network Templates: This option is available when committing a device group from Panorama. It allows you to commit both device group and template or template stack changes to the selected firewalls in a single commit operation. The check box is selected by default. If you prefer to commit these changes as separate operations, clear this check box.

• Force Template Values: When performing a template or device group commit, the Force Template Values option overrides all local configuration and removes objects on the selected firewalls or virtual systems that don't exist in the template or template stack, or are overridden in the local configuration. This is an override that reverts all existing configuration on the managed firewall, and ensures that the firewall inherits only the settings defined in the template or template stack.

• Merge with Candidate Config: When enabled, this option allows you to merge and commit the Panorama configuration changes with any pending configuration changes that were implemented locally on the target firewall. If this option is not enabled, the candidate configuration on the firewall is not included in the commit operation. As a best practice, leave this option disabled if you allow firewall administrators to modify the configuration directly on a firewall and you don't want to include their changes when committing changes from Panorama.
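
As an added example (not code from this guide or from Palo Alto Networks), the following Python model shows what the Force Template Values, Merge with Candidate Config and Include Device and Network Templates options do to a managed firewall's configuration, plus a drift check an operator can run before choosing to force template values. The data shapes, sample values and function names are constructed for illustration; they are not the Panorama API.

```python
# Constructed model of Panorama commit options; not Palo Alto Networks code.
from copy import deepcopy

# Constructed sample firewall state. "overrides" records the template settings
# that a local firewall admin changed after they were pushed; the candidate
# list holds local rule changes that are still uncommitted on the firewall.
FIREWALL = {
    "network_device": {"dns": "10.0.0.53", "ntp": "pool-a", "syslog": "10.0.0.9"},
    "overrides": {"dns"},
    "running_rules": {"panorama": ["allow-web"], "local": ["lab-allow-ssh"]},
    "candidate_local_rules": ["lab-allow-ssh", "local-allow-any"],
}
TEMPLATE = {"dns": "10.0.0.1", "ntp": "pool-b", "timezone": "UTC"}   # template (stack) settings
DEVICE_GROUP_RULES = ["allow-web", "deny-known-bad"]                   # rules pushed from Panorama


def template_commit(firewall, template, force_template_values=False):
    """Template commit. Without Force Template Values, settings the local admin
    overrode keep their local value and local-only objects survive. With it,
    every override is reverted and objects absent from the template are
    removed, so the firewall inherits only what the template defines."""
    fw = deepcopy(firewall)
    if force_template_values:
        fw["network_device"] = dict(template)
        fw["overrides"] = set()
        return fw
    for key, value in template.items():
        if key not in fw["overrides"]:
            fw["network_device"][key] = value
    return fw


def device_group_commit(firewall, dg_rules, merge_with_candidate=False):
    """Device group commit. The pushed rules replace the Panorama-managed rules;
    pending local candidate changes reach the running config only when Merge
    with Candidate Config is enabled, otherwise they stay uncommitted."""
    fw = deepcopy(firewall)
    fw["running_rules"]["panorama"] = list(dg_rules)
    if merge_with_candidate:
        fw["running_rules"]["local"] = list(fw["candidate_local_rules"])
    return fw


def commit_to_firewall(firewall, dg_rules, template=None, include_templates=True,
                       force_template_values=False, merge_with_candidate=False):
    """Include Device and Network Templates: device group and template changes in one operation."""
    fw = device_group_commit(firewall, dg_rules, merge_with_candidate)
    if include_templates and template is not None:
        fw = template_commit(fw, template, force_template_values)
    return fw


def pending_local_changes(firewall):
    """Local candidate rules not yet in the running configuration."""
    running = set(firewall["running_rules"]["local"])
    return [r for r in firewall["candidate_local_rules"] if r not in running]


def template_drift(firewall, template):
    """Operator check: template settings that differ on the firewall and
    local-only objects, i.e. everything a forced template commit would revert."""
    nd = firewall["network_device"]
    changed = {k: (nd.get(k), v) for k, v in template.items() if nd.get(k) != v}
    local_only = sorted(k for k in nd if k not in template)
    return changed, local_only


if __name__ == "__main__":
    print("drift before commit:", template_drift(FIREWALL, TEMPLATE))
    print("without force:", template_commit(FIREWALL, TEMPLATE)["network_device"])
    print("with force:   ", template_commit(FIREWALL, TEMPLATE, True)["network_device"])
    print("pending locally without merge:",
          pending_local_changes(device_group_commit(FIREWALL, DEVICE_GROUP_RULES)))
```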

Role-Based Access Control

Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user account that specifies a role and authentication method. Administrative Roles define access to specific configuration settings, logs, and reports within Panorama and firewall contexts. For Device Group and Template administrators, you can map roles to Access Domains, which define access to specific device groups, templates, and firewalls (through context switching). By combining each access domain with a role, you can enforce the separation of information among the functional or regional areas of your organization. For example, you can limit an administrator to monitoring activities for data center firewalls but allow that administrator to set policies for test lab firewalls.

By default, every Panorama appliance (virtual appliance or M-Series appliance) has a predefined administrative account (admin) that provides full read-write access (superuser access) to all functional areas and to all device groups, templates, and firewalls. For each administrator, you can define the minimum password complexity, a password profile, and an authentication profile that determines how Panorama verifies user access credentials.

Instead of using the default account for all administrators, it is a best practice to create a separate administrative account for each person who needs access to the administrative or reporting functions on Panorama. This provides better protection against unauthorized configuration changes and enables Panorama to log and identify the actions of each administrator.

• Administrative Roles
• Authentication Profiles and Sequences
• Access Domains
• Administrative Authentication

Administrative Roles

You configure administrator accounts based on the security requirements of your organization, any existing authentication services with which to integrate, and the required administrative roles. A role defines the type of system access that is available to an administrator. You can define and restrict access as broadly or granularly as required, depending on the security requirements of your organization. For example, you might decide that a data center administrator can have access to all device and networking configurations, but a security administrator can control only security policy definitions, while other key individuals can have limited CLI or XML API access. The role types are:

• Dynamic Roles: These are built-in roles that provide access to Panorama and managed devices. When new features are added, Panorama automatically updates the definitions of dynamic roles; you never need to manually update them. The following table lists the access privileges associated with dynamic roles.

  Dynamic Role             Privileges
  Superuser                Full read-write access to Panorama
  Superuser (read-only)    Read-only access to Panorama
  Panorama administrator   Full access to Panorama except for the following actions:
                           • Create, modify, or delete Panorama or device administrators and roles.
                           • Export, validate, revert, save, load, or import a configuration in the
                             Device > Setup > Operations page.
                           • Configure Scheduled Config Export functionality in the Panorama tab.

• Admin Role Profiles: To provide more granular access control over the functional areas of the web interface, CLI, and XML API, you can create custom roles. When new features are added to the product, you must update the roles with corresponding access privileges: Panorama does not automatically add new features to custom role definitions. You select one of the following profile types when you Configure an Admin Role Profile.

  Admin Role Profile          Description
  Panorama                    For these roles, you can assign read-write access, read-only access, or no
                              access to all the Panorama features that are available to the superuser
                              dynamic role except the management of Panorama administrators and Panorama
                              roles. For the latter two features, you can assign read-only access or no
                              access, but you cannot assign read-write access. An example use of a
                              Panorama role would be for security administrators who require access to
                              security policy definitions, logs, and reports on Panorama.
  Device Group and Template   For these roles, you can assign read-write access, read-only access, or no
                              access to specific functional areas within device groups, templates, and
                              firewall contexts. By combining these roles with Access Domains, you can
                              enforce the separation of information among the functional or regional
                              areas of your organization. Device Group and Template roles have the
                              following limitations:
                              • No access to the CLI or XML API
                              • No access to configuration or system logs
                              • No access to VM information sources
                              • In the Panorama tab, access is limited to:
                                - Device deployment features (read-write, read-only, or no access)
                                - The device groups specified in the administrator account (read-write,
                                  read-only, or no access)
                                - The templates and managed devices specified in the administrator
                                  account (read-only or no access)
                              An example use of this role would be for administrators in your operations
                              staff who require access to the device and network configuration areas of
                              the web interface for specific device groups and/or templates.

Authentication Profiles and Sequences

An authentication profile specifies the authentication service that validates the credentials of an administrator during login and defines how Panorama accesses the service. If you create a local administrator account on Panorama, you can authenticate the administrator to the local database, use an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or use Kerberos single sign-on (SSO). If you use an external service, you must configure a server profile before you Configure an Admin Role Profile. If you want to use an external service for both account administration (instead of creating local accounts) and for authentication, you must Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.

Some environments have multiple databases for different users and user groups. To authenticate to multiple authentication sources (for example, local database and LDAP), configure an authentication sequence. An authentication sequence is a ranked order of authentication profiles that an administrator is matched against when logging in. Panorama checks against the local database first, and then checks each profile in sequence until the administrator is successfully authenticated. The administrator is denied access to Panorama only if authentication fails for all the profiles defined in the authentication sequence.

Access Domains

Access domains control administrative access to specific device groups (to manage policies and objects) and templates (to manage network and device settings), and also control the ability to switch context to the web interface of managed firewalls. Access domains apply only to administrators with Device Group and Template roles. By combining access domains with Administrative Roles, you can enforce the separation of information among the functional or regional areas of your organization.

You can manage access domains locally or by using RADIUS Vendor-Specific Attributes (VSAs). To use RADIUS VSAs, your network requires an existing RADIUS server and you must configure a RADIUS server profile to define how Panorama accesses the server. On the RADIUS server, you define a VSA attribute number and value for each administrator. The value defined must match the access domain configured on Panorama. When an administrator tries to log in to Panorama, Panorama queries the RADIUS server for the administrator access domain and attribute number. Based on the response from the RADIUS server, the administrator is authorized for access and is restricted to the firewalls, virtual systems, device groups, and templates that are assigned to the access domain.

For the relevant procedures, see:

• Configure an Access Domain.
• Configure RADIUS Vendor-Specific Attributes for Administrator Authentication.

Administrative Authentication

The following methods are available to authenticate Panorama administrators:

• Local administrator account with local authentication: Both the administrator account credentials and the authentication mechanisms are local to Panorama. To further secure the local administrator account, create a password profile that defines a validity period for passwords and set Panorama-wide password complexity settings. For details on how to configure this type of administrative access, see Configure an Administrator with Kerberos SSO, External, or Local Authentication.

• Local administrator account with certificate or key-based authentication: With this option, the administrator accounts are local to Panorama, but authentication is based on Secure Shell (SSH) keys (for CLI access) or client certificates/common access cards (for the web interface). For details on how to configure this type of administrative access, see Configure an Administrator with Certificate-Based Authentication for the Web Interface and Configure an Administrator with SSH Key-Based Authentication for the CLI.

• Local administrator account with external authentication: The administrator accounts are managed on Panorama, but existing external authentication services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as an alternative in case SSO fails. For details on how to configure this type of administrative access, see Configure an Administrator with Kerberos SSO, External, or Local Authentication.

• External administrator account and authentication: An external RADIUS server handles account administration and authentication. To use this option, you must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator roles and access domains. For a high-level overview of the process, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication. For details on how to configure this type of administrative access, refer to RADIUS Vendor-Specific Attributes (VSAs).

Panorama Recommended Deployments

A Panorama deployment comprises the Panorama management server (which has a browser-based interface), optional Log Collectors, and the Palo Alto Networks firewalls that Panorama manages. The recommended deployments are:

• Panorama for Centralized Management and Reporting
• Panorama in a Distributed Log Collection Deployment

For the procedures to configure the most typical log collection deployments, see Log Collection Deployments.

Panorama for Centralized Management and Reporting

The following diagram illustrates how you can deploy the Panorama virtual appliance or M-Series appliance in a redundant configuration for the following benefits:

• Centralized management: Centralized policy and device management that allows for rapid deployment and management of up to one thousand firewalls.
• Visibility: Centralized logging and reporting to analyze and report on user-generated traffic and potential threats.
• Role-based access control: Appropriate levels of administrative control at the firewall level or global level for administration and management.

Panorama in a Distributed Log Collection Deployment

You can deploy the hardware-based Panorama (the M-Series appliance) either as a Panorama management server that performs management and log collection functions or as a Dedicated Log Collector that provides a comprehensive log collection solution for the firewalls on your network. Using the M-Series appliance as a Log Collector allows for a more robust environment where the log collection process is offloaded to a dedicated appliance. Using a dedicated appliance in a distributed log collection (DLC) deployment provides redundancy, improved scalability, and capacity for longer-term log storage.

In a DLC deployment, the Panorama management server (Panorama virtual appliance or an M-Series appliance in Panorama mode) manages the firewalls and the Log Collectors. Using Panorama, you configure the firewalls to send logs to one or more Log Collectors. You can then use Panorama to query the Log Collectors and provide an aggregated view of network traffic. In a DLC configuration, you can access the logs stored on the Log Collectors from both the primary and secondary Panorama peers in a high availability (HA) pair.

In the following topology, the Panorama peers in an HA configuration manage the deployment and configuration of firewalls. This solution provides the following benefits:

• Allows for improved performance in the management functions on Panorama
• Provides high-volume log storage on a dedicated hardware appliance
• Provides horizontal scalability and redundancy with RAID 1 storage

Plan Your Deployment

• Determine the management approach. Do you plan to use Panorama to centrally configure and manage the policies, to centrally administer software, content and license updates, and/or to centralize logging and reporting across the managed devices in the network?
  If you already deployed and configured the Palo Alto Networks firewalls on your network, determine whether to transition the devices to centralized management. This process requires a migration of all configuration and policies from your firewalls to Panorama. For details, see Transition a Firewall to Panorama Management.

• Verify that Panorama is on the same release version or a later version than the firewalls that it will manage. For example, Panorama with version 6.0 cannot manage firewalls running PAN-OS 7.0. For versions within the same feature release, although Panorama can manage firewalls running a later version of PAN-OS, Palo Alto Networks recommends that Panorama run the same version or a later version. For example, if Panorama runs 6.0.3, it is recommended that all managed firewalls run PAN-OS 6.0.3 or earlier versions.

• Plan to use the same URL filtering database (BrightCloud or PAN-DB) across all managed firewalls. If some firewalls are using the BrightCloud database and others are using PAN-DB, Panorama can only manage security rules for one or the other URL filtering database. URL filtering rules for the other database must be managed locally on the firewalls that use that database.

• Plan to use Panorama in a high availability configuration; set it up as an active/passive high availability pair. See Panorama High Availability.

• Estimate the log storage capacity your network needs to meet security and compliance requirements. Consider such factors as the network topology, number of firewalls sending logs, type of log traffic (for example, URL Filtering and Threat logs versus Traffic logs), the rate at which firewalls generate logs, and the number of days for which you want to store logs on Panorama. For details, see Determine Panorama Log Storage Requirements.

• For meaningful reports on network activity, plan a logging solution:
  - Do you need to forward logs to a syslog server, in addition to Panorama?
  - If you need a long-term storage solution, do you have a Security Information and Event Management (SIEM) solution, such as Splunk or ArcSight, to which you need to forward logs?
  - Do you need redundancy in logging? With Panorama virtual appliances in HA, each peer can log to its virtual disk. The managed devices can send logs to both peers in the HA pair. This option provides redundancy in logging and is best suited to support up to 2 TB of log storage capacity. If you use Dedicated Log Collectors (M-Series appliances in Log Collector mode), you can enable redundancy to ensure that no logs are lost if any one Log Collector in the Collector Group becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector.
  - Will you log to a Network File System (NFS)? Only the Panorama virtual appliance supports NFS. Consider using NFS if Panorama requires more than 2 TB of log storage capacity but doesn't manage Dedicated Log Collectors. If using NFS, note that the managed devices can send logs only to the primary peer in the HA pair, and only the active primary Panorama is mounted to the NFS and can write to it.
  - If your logging solution includes M-Series appliances, by default they use the management (MGT) interface for configuration, log collection, and Collector Group communication. However, it is a best practice to use the Eth1 or Eth2 interfaces for log collection and Collector Group communication to improve security, control traffic prioritization, performance, and scalability. Determine whether your solution would benefit from using separate interfaces for these functions. For details, see Set Up the M-Series Appliance.

• Determine what access privileges, roles, and permissions administrators require to access the managed firewalls and Panorama. See Set Up Administrative Access to Panorama.

• Plan the required Device Groups. Consider whether to group firewalls based on function, security policy, geographic location, or network segmentation. An example of a function-based device group is one that contains all the firewalls that a Research and Development team uses. Consider whether to create smaller device groups based on commonality, larger device groups to scale more easily, or a Device Group Hierarchy to simplify complex layers of administration.

• Plan a layering strategy for administering policies. Consider how firewalls inherit and evaluate policy rules within the Device Group Hierarchy, and how to best implement shared rules, device group rules, and firewall-specific rules to meet your network needs. For visibility and centralized policy management, consider using Panorama for administering rules even if you need firewall-specific exceptions for shared or device group rules. If necessary, you can Push a Policy Rule to a Subset of Firewalls within a device group.

• Plan the organization of your firewalls based on how they inherit network configuration settings from Templates and Template Stacks. For example, consider assigning firewalls to templates based on hardware platforms, geographic proximity, and similar network needs for time zones, a DNS server, and interface settings.
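
The version rule in the planning list above (Panorama must be on the same or a later feature release than its firewalls, and within one feature release should run the same maintenance version or later), as an added example that is not code from this guide or from Palo Alto Networks: a Python check that separates the hard constraint from the recommendation and audits a fleet inventory. Version strings, firewall names and function names are constructed for this example.

```python
# Constructed example; not Palo Alto Networks code.

def parse_version(text):
    """'6.0.3' -> (6, 0, 3); a missing maintenance component counts as 0, so '6.0' -> (6, 0, 0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def feature_release(version):
    """The feature release is the major.minor pair (6.0, 7.0, ...)."""
    return version[:2]


def check_manageability(panorama_version, firewall_version):
    """Return (can_manage, recommended, reason).

    can_manage is False when the firewall's feature release is newer than
    Panorama's (e.g. Panorama 6.0 cannot manage PAN-OS 7.0). recommended is
    False when both are on the same feature release but the firewall runs a
    later maintenance version than Panorama (e.g. Panorama 6.0.3, firewall 6.0.5)."""
    pan = parse_version(panorama_version)
    fw = parse_version(firewall_version)
    if feature_release(fw) > feature_release(pan):
        return False, False, "firewall feature release is newer than Panorama"
    if feature_release(fw) < feature_release(pan):
        return True, True, "firewall is on an earlier feature release"
    if fw > pan:
        return True, False, "same feature release, but firewall maintenance version is newer"
    return True, True, "same feature release, firewall at or below Panorama's version"


def audit_fleet(panorama_version, firewalls):
    """Run the check over a {name: version} inventory. Returns the sorted names
    Panorama cannot manage and the sorted names outside the recommendation."""
    blocked, not_recommended = [], []
    for name, version in firewalls.items():
        can_manage, recommended, _ = check_manageability(panorama_version, version)
        if not can_manage:
            blocked.append(name)
        elif not recommended:
            not_recommended.append(name)
    return sorted(blocked), sorted(not_recommended)


if __name__ == "__main__":
    # Constructed inventory for a Panorama running 6.0.3.
    fleet = {"dc-fw1": "6.0.3", "dc-fw2": "6.0.5", "lab-fw": "7.0.1", "branch": "5.0.10"}
    print(audit_fleet("6.0.3", fleet))   # (['lab-fw'], ['dc-fw2'])
```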

Deploy Panorama: Task Overview

The following task list summarizes the steps to get started with Panorama. For an example of how to use Panorama for central management, see Use Case: Configure Firewalls Using Panorama.

Step 1   (M-Series appliance only) Rack mount the appliance.
Step 2   Perform initial configuration to enable network access to Panorama. See Set Up the Panorama
         Virtual Appliance or Set Up the M-Series Appliance.
Step 3   Register Panorama and Install Licenses.
Step 4   Install Content and Software Updates for Panorama.
Step 5   (Optional/recommended) Set up Panorama in a high availability configuration. See Panorama
         High Availability.
Step 6   Add a Firewall as a Managed Device.
Step 7   Add a Device Group or Create a Device Group Hierarchy, Add a Template, and (if applicable)
         Configure a Template Stack.
Step 8   (Optional) Configure log forwarding to Panorama and/or to external services. See Manage
         Log Collection.
Step 9   Monitor Network Activity using the visibility and reporting tools on Panorama.
