background image

©

 

Palo

 

Alto

 

Networks,

 

Inc.

Panorama

 

6.1

 

Administrator’s

 

Guide

 

 

115

Manage

 

Log

 

Collection

Configure

 

a

 

Managed

 

Collector

Step

 

6

Configure

 

network

 

access

 

for

 

the

 

Log

 

Collector.
Perform

 

this

 

step

 

only

 

for

 

a

 

Dedicated

 

Log

 

Collector

 

or

 

a

 

local

 

Log

 

Collector

 

on

 

the

 

secondary

 

Panorama

 

HA

 

peer.

Although

 

you

 

defined

 

similar

 

parameters

 

during

 

initial

 

configuration

 

of

 

the

 

Panorama

 

management

 

server,

 

you

 

must

 

re

define

 

the

 

parameters

 

for

 

the

 

Log

 

Collector.

1.

In

 

the

 

Panorama Server IP

 

field,

 

enter

 

the

 

IP

 

address

 

or

 

FQDN

 

of

 

the

 

solitary

 

(non

HA)

 

or

 

primary

 

(HA)

 

Panorama.

 

For

 

an

 

HA

 

deployment,

 

enter

 

the

 

IP

 

address

 

or

 

FQDN

 

of

 

the

 

secondary

 

Panorama

 

peer

 

in

 

the

 

Panorama Server IP 2

 

field.

 

These

 

fields

 

are

 

required.

2.

Configure

 

the

 

IP

 

addresses

 

of

 

the

 

Primary DNS Server

 

and

 

Secondary DNS Server

.

3.

(

Optional

)

 

Set

 

the

 

Timezone

 

that

 

Panorama

 

will

 

use

 

to

 

record

 

log

 

entries.

Step

 

7

Configure

 

administrative

 

access

 

to

 

the

 

Log

 

Collector

 

CLI.

Only

 

Dedicated

 

Log

 

Collectors

 

require

 

this

 

step.

 

The

 

default

 

CLI

 

administrator

 

is

 

admin

.

 

You

 

cannot

 

modify

 

this

 

username

 

nor

 

add

 

CLI

 

administrators.

1.

Select

 

the

 

Authentication

 

tab,

 

select

 

the

 

password

 

Mode

,

 

and

 

enter

 

the

 

Password

 

(the

 

default

 

is

 

admin

).

2.

Enter

 

the

 

number

 

of

 

Failed Attempts

 

to

 

log

 

in

 

that

 

Panorama

 

allows

 

before

 

locking

 

out

 

the

 

administrator.

 

Enter

 

the

 

Lockout 

Time

 

in

 

minutes.

 

These

 

settings

 

can

 

help

 

protect

 

the

 

Log

 

Collector

 

from

 

a

 

brute

 

force

 

attack.

Step

 

8

Configure

 

the

 

Log

 

Collector

 

interfaces.

Perform

 

this

 

step

 

only

 

for

 

a

 

Dedicated

 

Log

 

Collector

 

or

 

a

 

local

 

Log

 

Collector

 

on

 

the

 

secondary

 

Panorama

 

HA

 

peer.

The

 

Eth1

 

or

 

Eth2

 

interfaces

 

are

 

available

 

only

 

if

 

you

 

defined

 

them

 

during

 

initial

 

configuration

 

of

 

the

 

Panorama

 

management

 

server

.

1.

Configure

 

each

 

interface

 

that

 

the

 

Log

 

Collector

 

will

 

use.

 

Only

 

the

 

Management

 

interface

 

is

 

required.

 

For

 

each

 

interface,

 

select

 

the

 

corresponding

 

tab

 

and

 

configure

 

one

 

or

 

both

 

of

 

the

 

following

 

field

 

sets

 

based

 

on

 

the

 

IP

 

protocols

 

of

 

your

 

network.

 

IPv4—

IP Address

,

 

Netmask

,

 

and

 

Default Gateway

 

IPv6—

IPv6 Address/Prefix Length

 

and

 

Default IPv6 

Gateway

2.

(

Optional

)

 

In

 

the

 

Management

 

tab,

 

select

 

the

 

SNMP

 

service

 

if

 

you

 

will

 

use

 

SNMP

 

to

 

monitor

 

the

 

Log

 

Collector.

Using

 

SNMP

 

requires

 

additional

 

steps

 

besides

 

configuring

 

the

 

Log

 

Collector.

 

For

 

details,

 

see

 

Set

 

Up

 

SNMP

 

to

 

Monitor

 

Panorama

.

3.

Click

 

OK

 

and

 

Commit

,

 

set

 

the

 

Commit Type

 

to

 

Panorama

,

 

and

 

click

 

Commit

 

again.

This

 

step

 

is

 

required

 

before

 

you

 

can

 

enable

 

logging

 

disks

 

or

 

assign

 

the

 

Eth1

 

and

 

Eth2

 

interfaces

 

to

 

logging

 

functions.

4.

(

Optional

)

 

Edit

 

the

 

Log

 

Collector

 

and

 

select

 

the

 

interfaces

 

(

mgmt

,

 

eth1

,

 

or

 

eth2

)

 

that

 

it

 

will

 

use

 

for

 

Device Log Collection

 

and

 

Collector Group Communication

 

(default

 

is

 

mgmt

).

Step

 

9

Enable

 

the

 

logging

 

disks.

1.

Select

 

Disks

 

and

 

Add

 

each

 

disk

 

pair.

2.

Click

 

OK

 

and

 

Commit

,

 

for

 

the

 

Commit Type

 

select

 

Panorama

,

 

and

 

click

 

Commit

 

again.

Configure

 

a

 

Managed

 

Collector

 

(Continued)

Summary of Contents for Panorama 6.1

Page 1: ...Panorama Administrator s Guide Version 6 1...

Page 2: ...ocumentation portal https www paloaltonetworks com documentation or search the documentation For access to the knowledge base complete documentation set discussion forums and videos refer to https liv...

Page 3: ...ployment 26 Plan Your Deployment 27 Deploy Panorama Task Overview 29 Set Up Panorama 31 Determine Panorama Log Storage Requirements 32 Set Up the Panorama Virtual Appliance 34 Setup Prerequisites for...

Page 4: ...s to Panorama 73 Create an Administrative Account 73 Define an Access Domain 75 Create an Authentication Profile 75 Define an Authentication Sequence 76 Configure Administrative Authentication 77 Mana...

Page 5: ...9 Schedule Content Updates to Devices Using Panorama 149 Deploy Updates to Devices when Panorama Has an Internet Connection 151 Deploy Updates to Devices when Panorama Has No Internet Connection 154 M...

Page 6: ...allocate Log Storage Quota 200 Monitor Panorama 202 Panorama System and Configuration Logs 202 Set Up Email Alerts for Panorama 203 Set Up SNMP to Monitor Panorama 204 Reboot or Shut Down Panorama 208...

Page 7: ...f Contents Replace an RMA Firewall 233 Partial Device State Generation for Firewalls 233 Before Starting RMA Firewall Replacement 233 Restore the Firewall Configuration after Replacement 235 Diagnose...

Page 8: ...8 Panorama 6 1 Administrator s Guide Palo Alto Networks Inc Table of Contents...

Page 9: ...s that protect and control the entire network Using Panorama for centralized policy and device management increases operational efficiency in managing and maintaining a distributed network of firewall...

Page 10: ...use device groups to administer globally shared and local policies See Centralized Configuration and Deployment Management Aggregated logging with central oversight for analysis and reporting Collect...

Page 11: ...ult configuration ships with two 1TB drives with additional RAID pairs the M 100 appliance can support up to 4TB of log storage The M 100 appliance allows for separation of the central management func...

Page 12: ...plates You use templates to configure the settings that managed firewalls require to operate on the network Templates enable you to define a common base configuration using the Network and Device tabs...

Page 13: ...irewalls Using Panorama Policies Objects Policies Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls The following table lists the...

Page 14: ...urity profiles The device context determines the level at which you can edit override default rules On Panorama you can edit default rules that are part of the predefined configuration You can edit ru...

Page 15: ...maintain consistency and accuracy everywhere the shared object is used Pre rules post rules and rules locally defined on a firewall can all use shared objects and device group objects When creating an...

Page 16: ...ar drill down on specific data and activities it still provides a unified reporting approach Logging Options Managed Collectors and Collector Groups Caveats for a Collector Group with Multiple Log Col...

Page 17: ...egral to a distributed log collection deployment on Panorama A distributed log collection deployment allows for easy scalability and incremental addition of dedicated Log Collectors as your logging ne...

Page 18: ...l does not buffer logs to its local storage when it can connect to its Primary Log Collector Therefore FW1 will continue sending logs to L1 Because L2 is unavailable the Primary Log Collector L1 buffe...

Page 19: ...on deployment the Panorama database includes the local storage on Panorama and all the managed Log Collectors Panorama summarizes the information traffic application threat collected from all managed...

Page 20: ...Network Templates This option is available when committing a device group from Panorama It allows you to commit both device group and template changes to the pertinent firewalls in a single commit op...

Page 21: ...the managed firewall and ensures that the firewall inherits the settings defined in the template only Merge with Candidate Config When enabled this option allows you to merge and commit the Panorama c...

Page 22: ...how the user s access credentials are verified To enforce more granular administrative access use access domains to restrict administrative access to a particular firewall device group or template Ad...

Page 23: ...profile in sequence until the user is successfully authenticated The user is denied access to Panorama only if authentication fails for all the profiles defined in the authentication sequence To crea...

Page 24: ...tion see Create an Administrative Account Local administrator account with certificate or key based authentication With this option the administrator accounts are local to the firewall but authenticat...

Page 25: ...agement and Reporting The following diagram illustrates how you can deploy the Panorama virtual appliance or M 100 appliance in a redundant configuration for the following benefits Centralized managem...

Page 26: ...term log storage In a DLC deployment the Panorama management server Panorama virtual appliance or an M 100 appliance in Panorama mode manages the firewalls and the Log Collectors Using Panorama the fi...

Page 27: ...f firewalls sending logs type of log traffic for example URL and threat logs versus traffic logs the rate at which firewalls generate logs and the number of days for which you want to store logs on Pa...

Page 28: ...using Panorama for administering policies even if you would like to create device specific exceptions to shared device group policies To apply a rule to a subset of devices in a device group you can t...

Page 29: ...iguration to enable network access to Panorama See Set Up the Panorama Virtual Appliance or Set Up the M 100 Appliance 3 Register Panorama and Install Licenses 4 Install Content and Software Updates f...

Page 30: ...30 Panorama 6 1 Administrator s Guide Palo Alto Networks Inc Deploy Panorama Task Overview Panorama Overview...

Page 31: ...nce the M 100 appliance The following topics describe how to set up Panorama on your network Determine Panorama Log Storage Requirements Set Up the Panorama Virtual Appliance Set Up the M 100 Applianc...

Page 32: ...ation Regulatory requirements such as those specified by the Payment Card Industry Data Security Standard PCI DSS Sarbanes Oxley Act and Health Insurance Portability and Accountability Act HIPAA You c...

Page 33: ...formula required_storage_duration x average_log_size x average_logging_rate The average log size varies considerably by log type However you can use 360 bytes as an approximate average log size For e...

Page 34: ...he Panorama virtual appliance as a dedicated Log Collector Only an M 100 appliance in Log Collector mode provides dedicated log collection capabilities see Set Up the M 100 Appliance However you can u...

Page 35: ...u are upgrading your existing Panorama virtual appliance skip to Install Content and Software Updates for Panorama Install Panorama on the ESX i Server Step 1 Download and extract the Panorama base im...

Page 36: ...install the Panorama image and click Next Adding additional disk space does not increase the available log storage capacity on Panorama To expand log capacity you must add a virtual disk or set up acc...

Page 37: ...e 1 Enter commit 2 Enter exit Step 5 Verify network access to external services required for firewall management such as the Palo Alto Networks Update Server To verify that Panorama has external netwo...

Page 38: ...ures that the timestamps are in sync and the process of querying logs and generating reports on Panorama is harmonious 3 Enter a Hostname for the server and enter the network Domain name The domain na...

Page 39: ...2 Right click the Panorama virtual appliance and select Power Power Off Step 3 Right click the Panorama virtual appliance and select Edit Settings Step 4 Click Add in the Hardware tab to launch the A...

Page 40: ...the maximum size of the chunks of data that the client and server pass back and forth to each other Defining a read write size optimizes the data volume and speed in transferring data between Panoram...

Page 41: ...Interfaces Set Up Administrative Access to Panorama Manage Firewalls Step 4 Select Memory and enter the new Memory Size based on the number of firewalls that Panorama manages 1 10 firewalls 4GB memor...

Page 42: ...cation Each interface can support either or both of these functions for example you can configure Eth1 for both log collection and Collector Group communication However you cannot assign a single func...

Page 43: ...e from your computer 1 Connect to the M 100 appliance in one of the following ways Attach a serial cable from a computer to the Console port on the M 100 appliance and connect using terminal emulation...

Page 44: ...Maps and App Scope Threat Maps pages use these values 5 Click OK to save your entries Step 5 Configure the DNS and update servers 1 Select Panorama Setup Services and edit the settings 2 Enter the IP...

Page 45: ...itial configuration 2 Log in to the CLI when prompted Use the default admin account and the password that you specified during initial configuration 3 Use the ping utility to verify network connectivi...

Page 46: ...ot delete licenses software updates or content updates Set up the M 100 Appliance as a Log Collector Step 1 Set up the Panorama management server that will manage the Log Collector if you have not alr...

Page 47: ...Collector mode succeeded show system info match logger_mode If the mode change succeeded the output displays logger_mode True Step 6 Configure the logging disks as RAID1 pairs If you previously deploy...

Page 48: ...6 Gateway 5 Click OK and Commit set the Commit Type to Panorama and click OK This step is required before you can enable logging disks 6 Verify that the Panorama Managed Collectors page lists the Log...

Page 49: ...rface select the corresponding tab and configure one or both of the following field sets based on the IP protocols of your network IPv4 IP Address Netmask and Default Gateway IPv6 IPv6 Address Prefix...

Page 50: ...he additional disk pairs become available the M 100 appliance redistributes the logs among the disk pairs This log redistribution process happens in the background and does not impact uptime or the av...

Page 51: ...mplete the following response displays Disk Pair A Available Status clean Disk id A1 Present model ST91000640NS size 953869 MB status active sync Disk id A2 Present model ST91000640NS size 953869 MB s...

Page 52: ...the associated authorization codes to the serial number of your management appliance phase out support for the Panorama virtual appliance and trigger support for the M 100 appliance Starting at the ef...

Page 53: ...running configuration on the virtual Panorama 1 In the Panorama Setup Operations tab Configuration Management section select Export named Panorama configuration snapshot 2 Select the active configura...

Page 54: ...ror to ensure the migration included all configuration components Step 6 Review and modify the configuration on Panorama 1 If you do not plan to reuse the same network access settings for the MGT inte...

Page 55: ...roups will display an Out of sync icon 2 To synchronize the device groups a Click Commit and select Device Groups as the Commit Type b Select each device group and click OK 3 To synchronize the templa...

Page 56: ...License on the M 100 Appliance Register Panorama If you are running an evaluation license for device management on your Panorama virtual appliance and want to apply a Panorama license that you purcha...

Page 57: ...rt site If this is the first Palo Alto Networks appliance you are registering and you do not yet have a login a Click Register on the right side of the page enter your Email Address enter the code dis...

Page 58: ...ect Panorama Setup Management and edit the General Settings 2 Enter the Panorama Serial Number included in the order fulfillment email and click OK 3 Click Commit select Panorama as the Commit Type th...

Page 59: ...ma Licenses and click Retrieve license keys from the license server Panorama retrieves the activated license Manually upload the license from a host to Panorama Panorama must have access to that host...

Page 60: ...are running the same or an earlier PAN OS release with the caveat that Panorama 6 1 and later versions cannot push configurations to firewalls running PAN OS 6 0 0 through 6 0 3 Additionally the conte...

Page 61: ...f its peer Step 2 Suspend Primary_A to trigger a failover On Primary_A 1 Select Panorama High Availability 2 In the Operational Commands section click Suspend local Panorama 3 Verify that the bottom r...

Page 62: ...p Prerequisites for the Panorama Virtual Appliance Step 2 Save a backup of the current Panorama configuration file You can use this backup to restore the configuration if you have problems with the up...

Page 63: ...d install Panorama 6 0 0 and reboot Download Panorama 6 1 0 Optionally install this base image and reboot before you install the target maintenance release Download and install Panorama 6 1 3 and rebo...

Page 64: ...ion to which you are upgrading For example to upgrade an M 100 appliance to Panorama 6 0 0 download the Panorama_m 6 0 0 image to upgrade a Panorama virtual appliance to Panorama 6 0 0 download the Pa...

Page 65: ...e installation completes successfully reboot using one of the following methods If prompted to reboot click Yes If you see a CMS Login prompt press Enter without typing a username or password When the...

Page 66: ...ed firewalls 8GB 51 1 000 managed firewalls 16GB b Set the SCSI Controller to LSI Logic Parallel c Go to the Options tab select General Options set the Guest Operating System to Linux and set the Vers...

Page 67: ...to the latest content updates first upgrade managed firewalls to the latest updates If you do not need to install content updates at this time then skip ahead to Step 6 Step 4 Download the content upd...

Page 68: ...an upload each to the appliance as needed when you upgrade We highly recommend that you review the known issues and changes to default behavior in the Release Notes and upgrade downgrade consideration...

Page 69: ...e Panorama login prompt appears enter the username and password you specified during initial configuration If you are not prompted to reboot Reboot Panorama from the Device Operations section Panorama...

Page 70: ...g structure and the syntax for the commands the CLI allows quick response times and offers administrative efficiency See Log in to the Panorama CLI XML API The XML based API is provided as a web servi...

Page 71: ...ce Groups Objects Define policy objects that can be referenced in policy and shared across all managed firewalls device groups You must Add a Device Group for this tab to display Templates Network Con...

Page 72: ...n ABC_Sydney Use a serial port connection to log in to the Panorama CLI 1 Make sure that you have the following A null modem serial cable that connects Panorama to a computer with a DB 9 serial port A...

Page 73: ...ofile Define an Authentication Sequence Configure Administrative Authentication Create an Administrative Account An administrative user must have an account and be assigned to a role The role defines...

Page 74: ...ed setting Enable Read Only or Disable For Panorama access define access to the Web UI XML API and Command Line The Command Line tab does not allow granular access You must select a predefined option...

Page 75: ...uthentication Profile An authentication profile specifies the authentication service that validates the administrator s credentials and defines how to access that authentication service Panorama can b...

Page 76: ...uthentication profile Step 2 Define the conditions for locking out the administrative user 1 Enter the Lockout Time This is the number of minutes that a user is locked out upon reaching the maximum nu...

Page 77: ...ole profile For dynamic roles an Admin Role Profile is not required Use RADIUS Vendor Specific Attributes VSAs for managing administrative access to Panorama Use this option if you do not want to crea...

Page 78: ...tificate Management Certificates and click Generate 3 Enter a Certificate Name Add the IP address or FQDN of Panorama for listing in the Common Name field of the certificate Optionally you can change...

Page 79: ...tificates section and from the CA Certificate drop down select the CA certificate you just created Step 5 Configure Panorama to use the client certificate profile for authentication 1 On the Panorama...

Page 80: ...s passphrase when logging in to Panorama Step 2 Create an account for the administrator and enable certificate based authentication 1 Select Panorama Administrators and then click Add 2 Enter a user N...

Page 81: ...les 3 Create an custom administrative role profile with a Device Group and Template role Panorama Admin Roles 4 Configure Panorama to use the authentication profile for authentication Setup Management...

Page 82: ...82 Panorama 6 1 Administrator s Guide Palo Alto Networks Inc Set Up Administrative Access to Panorama Set Up Panorama...

Page 83: ...management approach requires an understanding of scripting and the use of the XML API on the firewalls To make this transition efficient Palo Alto Networks recommends using trained and certified partn...

Page 84: ...a managed device it uses an SSL connection with AES 256 encryption to register with Panorama Panorama and the firewall authenticate each other using 2 048 bit certificates and use the SSL connection f...

Page 85: ...oup Step 1 Create Device Group s A device can belong to only one Device Group for devices with multiple virtual systems each virtual system can belong to a different Device Group 1 Select Panorama Dev...

Page 86: ...enter device group is not available for use in any other device group or for use in shared policies Step 2 Begin centrally administering policies on the devices in the device group s Create Objects fo...

Page 87: ...Device Group for which you plan to use this object in the Device Group drop down 2 Select the Objects Addresses tab 3 Select Address and click Add 4 Verify that the Shared check box is not selected 5...

Page 88: ...the policies that you add to device groups and push to firewalls On any single device Panorama or a firewall only one URL Filtering vendor can be active PAN DB or BrightCloud To determine which vendo...

Page 89: ...id URL Filtering licenses on a managed firewall select Panorama Device Deployment Licenses and check the vendors listed in the URL column for the corresponding firewall To determine which license is a...

Page 90: ...he Service URL Category tab set the Service to application default f In the Actions tab set the Action to Allow g Leave all the other options at the default values Step 2 Target the policy to include...

Page 91: ...ptive Portal Application Override or DoS Protection Device Group For the selected rulebase you can view all Shared policies or select a specific Device Group for which you want to view the combined li...

Page 92: ...e Top or Move Bottom options to reorder the placement of the rule To rearrange local rules on the firewall switch to the local firewall context Step 4 If you modified the rules save the changes 1 Clic...

Page 93: ...in another template or group devices that require very similar network interface and zone configuration in a template The following topics provide more information on working with templates Template C...

Page 94: ...form these tasks locally on each managed firewall Enable operational modes such as multi vsys mode FIPS mode or CC mode using templates Configure the IP addresses of a firewall HA pair HA1 peer IP add...

Page 95: ...ces firewalls for which you plan to use this template You must select the firewalls individually Whenever you add a new managed firewall to Panorama you must assign it to the appropriate template Pano...

Page 96: ...the devices in the template 1 In the Template drop down select the template that you want to configure 2 Select Device Setup Services and edit the Services section 3 Enter an IP address for the Primar...

Page 97: ...d for the Primary DNS server IP address 3 Enter a new value for the Primary DNS Server Note that the template override icon yellow cog overlapping green now displays to indicate that the value that Pa...

Page 98: ...ot poll the devices for zone name or configuration Configure each device to communicate with Panorama You must define the Panorama IP addresses primary and secondary Panorama on each device Use device...

Page 99: ...Templates Set Up Your Centralized Configuration and Policies Device Groups In this example we decide to define two Device Groups based on the functions the firewalls will perform DG_BranchAndRegional...

Page 100: ...bering scheme and link capacity or the zone to interface mappings are different the devices must be in separate templates Further the way the devices are configured to access network resources might b...

Page 101: ...or BGP peering configurations Deploy Content Updates and PAN OS Software Updates to the Managed Firewalls TASK 1 Add the firewalls as managed devices and deploy content updates and PAN OS software upd...

Page 102: ...ws required to connect to the Syslog server You can add up to four servers to the same profile After you finish adding servers click OK to save the server profile Name Unique name for the server profi...

Page 103: ...s what is defined on the firewall e In the Security Zone drop down click New Zone When defining the zone ensure that the Name matches what is defined on the firewall f Click OK to save your changes to...

Page 104: ...e the corporate acceptable use policy for all offices In this example create a shared policy that restricts access to some URL categories and denies access to peer to peer traffic that is of risk leve...

Page 105: ...ddress group object for the servers hosts in the datacenter that need access to the Amazon cloud application Select the Objects tab and in the Device Group drop down select DG_DataCenter Select Addres...

Page 106: ...and click Preview Rules This preview enables you to visually evaluate how rules are layered for a particular rulebase 2 Click Commit select Panorama for the Commit Type then click OK 3 Click Commit s...

Page 107: ...Log Collector M 100 appliance in Log Collector mode you must perform some additional tasks to enable log collection You must add each Log Collector as a Managed Collector and create Collector Groups...

Page 108: ...g forwarding depends on the log types Traffic threat and WildFire logs Use device groups to create a log forwarding profile Objects Log Forwarding for forwarding to Panorama and if required to an exte...

Page 109: ...ll For each severity level for which you want to forward logs select forwarding to Panorama and if required to an email server SNMP trap server or Syslog server Config Logs Configuration logs record c...

Page 110: ...Server IP address or fully qualified domain name FQDN of the Syslog server Transport Select UDP TCP or SSL as the transport medium SSLv3 and TLSv1 are supported for Secure Syslog transport Port The p...

Page 111: ...re the firewall or virtual system is included in the device group and that the template in which you configured a server profile is applied to the firewall or virtual system 7 Click OK Step 3 Enable l...

Page 112: ...Select the daily Scheduled Export Start Time The options are in 15 minute increments for a 24 hour clock 00 00 23 59 6 Select the Protocol to export the logs SCP secure or FTP For FTP you have the opt...

Page 113: ...Reference Guide for instructions 2 Perform Initial Configuration of the M 100 Appliance When configuring interfaces configure only the Management MGT interface Switching to Log Collector mode in the n...

Page 114: ...ver IPaddress1 commit Step 4 Record the serial number of the Log Collector You will need this when you add the Log Collector as a Managed Collector The steps to display the serial number vary by Log C...

Page 115: ...hese settings can help protect the Log Collector from a brute force attack Step 8 Configure the Log Collector interfaces Perform this step only for a Dedicated Log Collector or a local Log Collector o...

Page 116: ...ction status Until you Configure a Collector Group and perform a Collector Group commit the Configuration Status column displays Out of Sync the Run Time Status column displays disconnected and the CL...

Page 117: ...nfigure a Collector Group You can configure each Collector Group to include up to 16 Log Collectors that aggregate firewall logs If you delete a Collector Group you will lose logs We recommend retaini...

Page 118: ...ssword to authenticate the community members to each other Don t use the default community string public it is well known and therefore not secure V3 Create at least one SNMP view group and one user U...

Page 119: ...ch log type Step 6 Optional Configure log forwarding from the Collector Group to external services To perform this step you must have added server profiles for the external services in the task Enable...

Page 120: ...Remove the Log Collector from Panorama management 1 Select Panorama Collector Groups and select the Collector Group that contains the Log Collector you will move 2 Select the Device Log Forwarding ta...

Page 121: ...Collector When you commit the Collector Group configuration Panorama starts redistributing logs across the Log Collectors This process can take hours for each terabyte of logs During the redistributi...

Page 122: ...g Forwarding Preference list and is forwarding logs to the configured Log Collector You cannot view this information from the web interface on the firewall 1 Access the CLI on the firewall 2 Enter the...

Page 123: ...ault Enabled Allows each managed firewall to buffer logs and send the logs at 30 second intervals to Panorama not user configurable Buffered log forwarding is very valuable when the firewall loses con...

Page 124: ...the NFS datastore Therefore the firewalls can only send logs to the primary Panorama peer which can write to the NFS datastore When an HA failover occurs the Get Only New Logs on Convert to Primary op...

Page 125: ...llection Deployment with Panorama M 100 appliance with default Collector and or Managed Collectors or Panorama virtual appliance with Managed Collectors To forward both Panorama local logs and Managed...

Page 126: ...TCP or SSL By default the header format for each syslog entry uses the FQDN hostname and domain name if configured of the appliance that forwards the logs Panorama or a Managed Collector The log data...

Page 127: ...ing logs to the syslog server 5 Select Shared if you want the certificate to be a shared certificate on Panorama or to be shared by all virtual systems in a multiple virtual system firewall 6 In Signe...

Page 128: ...ed as part of configuration backups For details see Recover Logs after Panorama Failure RMA in Non HA Deployments In HA deployments the Panorama management server only supports an active passive confi...

Page 129: ...services include Syslog servers email servers or SNMP trap servers The device firewall Panorama virtual appliance or M 100 appliance that forwards the logs to external services converts the logs to th...

Page 130: ...the template Device Server Profiles options Enable Log Forwarding to Panorama describes how to forward logs from firewalls to Panorama and to external services in parallel Figure Log Forwarding to Ext...

Page 131: ...A Alternatively you can use a pair of Panorama virtual appliances The firewalls send logs to dedicated Log Collectors M 100 appliances in Log Collector mode This is the recommended configuration if th...

Page 132: ...c Log Collection Deployments Manage Log Collection Figure Multiple Dedicated Log Collectors Per Collector Group Perform the following steps to deploy Panorama with dedicated Log Collectors Skip any st...

Page 133: ...configuring Panorama to use the Eth1 and Eth2 interfaces for log collection and Collector Group communication You define these interfaces during initial configuration of the Panorama management server...

Page 134: ...t admin account and the password that you specified during initial configuration 3 Switch to Log Collector mode by entering the following command request system logger mode logger 4 Enter Y to confirm...

Page 135: ...re you can enable logging disks on the Log Collectors 6 Verify that the Panorama Managed Collectors page lists the Log Collector you added The Connected column displays a check mark to indicate that t...

Page 136: ...ings of the Eth1 and or Eth2 interfaces For each interface select the corresponding tab and configure one or both of the following field sets based on the IP protocols of your network IPv4 IP Address...

Page 137: ...the Device Log Forwarding tab and in the Collector Group Members section assign one or more Log Collectors 4 In the Log Forwarding Preferences section assign firewalls according to the number of Log C...

Page 138: ...setup If you will assign more than one Log Collector to a Collector Group see Caveats for a Collector Group with Multiple Log Collectors to understand the requirements risks and recommended mitigation...

Page 139: ...00 Appliance To reduce the traffic load on the management MGT interface and to improve security for management traffic Palo Alto Networks recommends configuring Panorama to use the Eth1 and Eth2 inter...

Page 140: ...Panorama 5 Enable the secondary Panorama to connect to the primary Panorama by entering the following command where IPaddress1 represents the MGT interface of the primary Panorama configure set device...

Page 141: ...tor also For each interface select the corresponding tab and configure one or both of the following field sets based on the IP protocols of your network IPv4 IP Address Netmask and Default Gateway IPv...

Page 142: ...priority for half the firewalls and make Log Collector 2 the first priority for the other half as illustrated in Figure Multiple Default Log Collectors Per Collector Group 5 Click OK to save your chan...

Page 143: ...Gateway IPv6 IPv6 Address Prefix Length and Default IPv6 Gateway 4 Click OK and Commit for the Commit Type select Panorama and click OK Wait until the HA synchronization finishes before proceeding 5 C...

Page 144: ...TB of disk space Add a Virtual Disk to the Panorama Virtual Appliance If you need more than 2TB Mount the Panorama Virtual Appliance to an NFS Datastore Figure Panorama Virtual Appliances with Local L...

Page 145: ...Security select the rule in the Actions tab select the Log Forwarding profile you just added then click OK System a Select the template you just added b Select Device Log Settings System and select th...

Page 146: ...ement and edit the Logging and Reporting Settings 2 Define the Log Export and Reporting parameters as desired If you want only the primary Panorama to receive logs select the Only Active Primary Logs...

Page 147: ...update This capability facilitates deployment by eliminating the need to repeat the same tasks on each firewall or Dedicated Log Collector It is particularly useful for managing firewalls that don t...

Page 148: ...Perform a commit on each firewall that has a new WildFire subscription to complete the activation Commit any pending changes You must access each firewall web interface to do this Make a minor change...

Page 149: ...are active on each firewall or Log Collector Schedule Content Updates to Devices Using Panorama For a list of content updates you can schedule for firewalls see Supported Updates by Device Type For L...

Page 150: ...y Refer to the Release Notes for the minimum content release version you must install for a Panorama release Panorama can download only one update at a time stagger the updates to ensure they succeed...

Page 151: ...ama release If your Panorama management server is not running the appropriate software and content release versions then Install Content and Software Updates for Panorama before you update Log Collect...

Page 152: ...elease and reboot Download and install Panorama 6 0 0 and reboot Download Panorama 6 1 0 Optionally install this base image and reboot before you install the target maintenance release Download and in...

Page 153: ...r the next version in your upgrade path and select the appropriate Log Collectors 4 Select one of the following depending on the version you are installing within your upgrade path Step 3 Upload only...

Page 154: ...you will install on the Log Collectors Install Content and Software Updates for Panorama You must upgrade Panorama and then Log Collectors before upgrading firewalls Step 2 Determine the software upgr...

Page 155: ...ion you must install for a Panorama release Install the Applications or Applications and Threats update first and then install any other updates Antivirus or WildFire one at a time in any sequence Reg...

Page 156: ...irewalls The content versions must be the same as or lower than the versions you will install on the firewalls For important software and content compatibility details see Panorama Log Collector and F...

Page 157: ...Software Updates in the Resources section b Review the Download column to determine the version to install The filename of the update package indicates the platform c Click the filename and save the f...

Page 158: ...HA Peers select the HA peer that you didn t update yet select Reboot device after install and click OK Active passive HA firewalls In this example the active firewall is named fw1 and the passive fir...

Page 159: ...on Command Center ACC logs and the report generation capabilities you can centrally analyze investigate and report on all network activity identify areas with potential security impact and translate t...

Page 160: ...etwork infrastructure For a complete list of the available reports and charts and the description of each refer to the online help Monitor the Network with the ACC and AppScope Analyze Log Data Genera...

Page 161: ...cess it provides the ability to manage firewall specific settings such as firewall specific policy and or override network configuration pushed from a template on a specific firewall What are the top...

Page 162: ...broadly grouped into two types those that detail information on traffic flows on your network such as applications threats host information profiles URL categories content file types and those that r...

Page 163: ...time calculations This report is available in the Monitor PDF Reports User Activity Reports tab Custom Create and schedule custom reports that displays exactly the information you want to see by filt...

Page 164: ...er refine the selection criteria g To test the report settings select Run Now Modify the settings as required to change the information that is displayed in the report h Click OK to save the custom re...

Page 165: ...sent from To The email address to which notification emails will be sent Additional Recipient To send notifications to a second account enter the additional address here Email Gateway The IP address...

Page 166: ...atistics database it does not use the traffic logs and is generated whether or not you have enabled logging for security rules This view into the traffic on your network depicts everything that is all...

Page 167: ...down to review all the activity for that user Using the ACC view to filter for BitTorrent traffic that the specific source address or user generated enables you to verify the source and destination c...

Page 168: ...risk to your network assets and create an application filter that blocks all file sharing applications that are peer to peer technology with a risk factor of 4 or 5 Make sure to verify that the bittor...

Page 169: ...positioned to identify the application and make a decision on how you would like to take action on your network For example you can create a custom application that identifies this traffic instead of...

Page 170: ...t the incident is not a false positive What is your immediate course of action How do you use the available information to reconstruct the sequence of events that preceded or followed the triggering e...

Page 171: ...ite a download or was it sent through an email attachment Is the malware being propagated Are there other compromised hosts endpoints on the network Is it a zero day vulnerability The log details for...

Page 172: ...ious behavior Use this information to determine whether to block the application that caused the infection web browsing SMTP FTP make more stringent URL filtering policies or restrict some application...

Page 173: ...the Threat Monitor The threat map and traffic map Monitor AppScope Threat Map or Traffic Map allow you to visualize the geographic regions for incoming and outgoing traffic It is particularly useful f...

Page 174: ...n a web server Using device groups on Panorama push the object to the managed firewalls so that the firewalls can access the web server and import the list at a defined frequency After creating a dyna...

Page 175: ...evice cluster to provide redundancy in the event of a system or network failure Panorama in HA provides continuity in the task of centrally administering and monitoring the firewalls to secure your ne...

Page 176: ...umber for each Panorama virtual appliance if the serial number is duplicated both instances of Panorama will be placed in a suspended mode until you resolve the issue The Panorama servers in the HA co...

Page 177: ...d firewalls However either peer can be used to run reports or to perform log queries The passive peer is synchronized and ready to transition to the active state if a path link system or network failu...

Page 178: ...8 Panorama 6 1 Administrator s Guide Palo Alto Networks Inc Priority and Failover on Panorama in HA Panorama High Availability For more information see Panorama HA Prerequisites or Set Up HA on Panora...

Page 179: ...preemption is enabled and when the primary Panorama recovers from a failure and becomes available the secondary Panorama relinquishes control and returns to the passive state When preemption occurs th...

Page 180: ...ping interval is 5000ms An IP address is considered unreachable when three consecutive pings the default value fail and a device failure is triggered when any or all of the IP addresses monitored beco...

Page 181: ...tual appliance they buffer the logs when the connection is restored they resume sending logs from where it was last left off Log Storage Type Description Virtual Disk By default the managed devices se...

Page 182: ...igh Availability If you have a distributed log collection set up where the managed devices are sending logs to a dedicated Log Collector the Panorama peers in HA will query all the managed Log Collect...

Page 183: ...e those that are unique to each peer such as the following Panorama HA configuration Priority setting peer IP address path monitoring groups and IP addresses Panorama configuration Management port IP...

Page 184: ...vice in the pair and complete the remaining tasks Step 2 Enable HA and optionally enable encryption for the HA connection 1 Select Panorama High Availability and edit the Setup section 2 Select Enable...

Page 185: ...Failure Condition for this group any triggers a link monitoring failure if any one of the IP addresses becomes unreachable all triggers a link monitoring failure only when none of the IP addresses ar...

Page 186: ...available again When preemption is disabled you need to switch the priority on the secondary peer to primary so that it can mount the NFS partition receive logs from the managed devices and write to...

Page 187: ...for the Commit Type select Panorama and click OK Do not reboot when prompted 4 Log in to the Panorama CLI and enter the following command to change the ownership of the NFS partition to this peer req...

Page 188: ...188 Panorama 6 1 Administrator s Guide Palo Alto Networks Inc Manage a Panorama HA Pair Panorama High Availability...

Page 189: ...rama View Panorama Task Completion History Reallocate Log Storage Quota Monitor Panorama Reboot or Shut Down Panorama Generate Diagnostic Files for Panorama Configure Panorama Password Profiles and Co...

Page 190: ...s You can generate a gzip package of the latest version of the configuration backup of Panorama and that of each managed firewall either on demand or schedule an export using the Scheduled Config Expo...

Page 191: ...nfiguration files A 24 hour clock is used 5 Select the protocol 6 Enter the details for accessing the server Provide the hostname or IP address port path for uploading the file and authentication cred...

Page 192: ...en Save candidate Panorama configuration Saves the candidate configuration to disk it is the same as using the Save link at the top of the page to save the changes to the candidate configuration file...

Page 193: ...all 1 Select Panorama Managed Devices 2 Select the Manage link in the Backups column 3 Select from the Saved Configurations or the Committed Configurations Click the link in the Version column to view...

Page 194: ...ight pane to easily compare and identify modifications Perform a configuration audit to review and compare the changes between two sets of configuration files Compare Changes in Panorama Configuration...

Page 195: ...hed The lock is released automatically when the administrator who applied the lock commits the changes the lock can be removed manually by the administrator who took the lock or by the superuser If a...

Page 196: ...or the Type based on your role permissions select Commit or Config 4 Select the category for which you want to take the lock 5 As a best practice add a Comment to describe the reasons for taking the l...

Page 197: ...rict Access to Configuration Changes Remove a Lock Remove a Lock 1 Click the lock icon at the top right of the web interface 2 Select the lock that you want to release and click Remove Lock Unless you...

Page 198: ...72 bytes the recommended dimensions are displayed on screen If the dimension is larger than the recommended size the image will be automatically cropped Add Custom Logos to Panorama 1 Select Panorama...

Page 199: ...can filter by All or Running tasks and select Jobs Reports or Log Requests Jobs Lists commits auto commits downloads and installs for software and dynamic updates performed on locally on Panorama or c...

Page 200: ...vals from all managed firewalls Panorama saves all other log types to its RAID enabled disks The RAID disks are either local to the M 100 appliance in Panorama mode or are in a Dedicated Log Collector...

Page 201: ...corresponding absolute value Quota GB MB column based on the total storage allotted to the Collector Group To reset the quotas to the factory defaults click Restore Defaults at the bottom right of th...

Page 202: ...Panorama Log Settings Config Logs System Logs Enable forwarding of System logs by specifying a server profile in the log settings configuration Panorama Log Settings System Logs Select a server profil...

Page 203: ...Recipient s To send notifications to a second account enter the additional address here Gateway The IP address or host name of the SMTP gateway to use to send the emails 4 Click OK to save the server...

Page 204: ...or trending graphs that help identify the following potential system issues before a fault occurs Monitor the incoming log rate on an M 100 appliance or the capacity of the logging disks on the applia...

Page 205: ...known community string it is a best practice to use a value that is not easily guessed V3 You must create at least one View and one User in order to use SNMPv3 The view specifies which management inf...

Page 206: ...ser The username required to authenticate to the SNMP manager EngineID The engine ID of Panorama This is a hexadecimal value from 5 to 64 bytes with a 0x prefix Each Panorama has a unique engine ID In...

Page 207: ...er for specific instructions on how to do this Step 7 Identify the statistics to monitor Using a MIB browser walk the PAN OS MIB files to identify the object identifiers OIDs that correspond to the st...

Page 208: ...reboot option initiates a graceful restart of Panorama A shutdown halts the system and powers it off To restart Panorama after a shutdown manually disconnect and re cable the power cord on the system...

Page 209: ...a To assist Palo Alto Networks Technical Support in troubleshooting an issue the support representative might request a tech support file Perform the following steps to download a tech support file an...

Page 210: ...a validity period for passwords Configure Panorama Password Profiles and Complexity Step 1 Configure minimum password complexity settings 1 Select Panorama Setup Management and edit the Minimum Passwo...

Page 211: ...ord profile and define the following a Required Password Change Period Frequency in days at which the passwords must be changed b Expiration Warning Period Number of days before expiration that the ad...

Page 212: ...riate drive bay Refer to the M 100 Hardware Reference Guide for instructions to replace the failed with the new disk Step 2 Set up the disk in a RAID pair The time required to mirror the data on the d...

Page 213: ...lect logs during the process Contact Palo Alto Networks Customer Support for instructions on how to copy logs between disks A third way to preserve existing logs is to Enable Log Forwarding from Panor...

Page 214: ...214 Panorama 6 1 Administrator s Guide Palo Alto Networks Inc Replace the Virtual Disk on a Panorama Virtual Appliance Administer Panorama...

Page 215: ...s Guide 215 Troubleshooting The following topics address Panorama issues Troubleshoot Panorama System Issues Troubleshoot Log Storage and Connection Issues Replace an RMA Firewall Diagnose Template C...

Page 216: ...a file system integrity check FSCK to prevent corruption of the Panorama system files This check occurs after eight reboots or at a reboot that occurs 90 days after the last FSCK was executed If Panor...

Page 217: ...r the HA role of the other peer Both Panorama peers become active and manage a unique set of firewalls To resolve a split brain debug your network issues and restore connectivity between the Panorama...

Page 218: ...has a completely different configuration file they are out of sync Therefore to ensure that the configuration changes on each peer are not lost when the connection is restored you cannot allow the con...

Page 219: ...n log collection to MGT and assign Collector Group communication to Eth2 then MGT will use port 3978 and Eth2 will use port 28270 The Panorama virtual appliance can only use the MGT interface for all...

Page 220: ...displays as In sync Recover Logs after Failure RMA of M 100 Appliance in Log Collector Mode If you need to replace an M 100 appliance in Log Collector mode Dedicated Log Collector you can migrate the...

Page 221: ...e Serial Number of the new M 100 appliance d Click Transfer Licenses e Select the old M 100 appliance and click Submit 5 Activate Retrieve a Device Management License on the M 100 Appliance 6 Install...

Page 222: ...or Group communication you must define those interfaces on the new Log Collector when you configure it as a managed collector Panorama Managed Collectors Eth1 and Eth2 2 Verify that the Log Collector...

Page 223: ...rmat request system raid add A2 force no format The force and no format arguments are required The force argument associates the disk pair with the new Log Collector The no format argument prevents re...

Page 224: ...rd logs Panorama Collector Groups Device Log Forwarding Give the new Log Collector the same priority in the firewall preference lists as the old Log Collector You use the web interface to perform this...

Page 225: ...f M 100 Appliance in Panorama Mode Step 1 Forward any logs on the SSD of the old M 100 appliance to an external destination if you want to preserve them The SSD stores only the System and Config logs...

Page 226: ...se interfaces during initial configuration of the new M 100 appliance Panorama Setup Management 3 Register Panorama 4 Transfer licenses as follows a Log in to the Customer Support Portal b Select the...

Page 227: ...ce The no format argument prevents reformatting of the drives and retains the logs stored on the disks 3 Generate the metadata for each disk pair request metadata regenerate slot slot_number For examp...

Page 228: ...mit the changes to Panorama configure commit Step 7 Reconfigure the Collector Group 1 Use the web interface to assign the new Log Collector to the firewalls that forward logs Panorama Collector Groups...

Page 229: ...y Panorama peer that manages the Log Collectors stores the ring file to its internal storage SSD of an M 100 appliance or the internal disk of the Panorama virtual appliance This ring file is then aut...

Page 230: ...nnections to the managed collectors are restored Select Panorama Managed Collectors and check that the Managed Collectors are connected If the Managed Collectors don t appear this indicates that you d...

Page 231: ...w you to verify the name of the managed collector that you must define on Panorama a Enter the command request fetch ring from log collector serial_number The following error will display Server error...

Page 232: ...of log data launch four CLI sessions and run the command in each session to regenerate metadata simultaneously for all the pairs slots in about 10 hours During metadata regeneration the Collector Gro...

Page 233: ...d policies and templates that it pushes to firewalls Local configuration on the firewall When a configuration change is committed each firewall sends a copy of its local configuration file to Panorama...

Page 234: ...artial device state generated on Panorama If you have been following the recommendation to frequently generate and export the device state for firewalls in an LSVPN configuration use the device state...

Page 235: ...elect the operational mode as Set FIPS Mode or Set CCEAL 4 Mode from the main menu Step 3 Retrieve the license s Enter the following command to retrieve your licenses request license fetch Step 4 Opti...

Page 236: ...rewall 1 Enter the following command in operational mode replace device old old SN new new SN 2 Go in to configuration mode and commit your changes configure commit 3 Exit configuration mode exit Task...

Page 237: ...liance only If your managed firewalls forward logs to Log Collectors click Commit set the Commit Type to Collector Group select the Collector Group that contains the firewall and click Commit again If...

Page 238: ...figuration options to firewalls that are hard coded to disallow VPN configuration To resolve the error select Panorama Templates click the template name to edit it and select the VPN Disable Mode chec...

Page 239: ...or Failure Status View Task Success or Failure Status Use the Task Manager icon at the bottom right of the Panorama web interface to view the success or failure of a task The Task Manager also display...

Page 240: ...240 Panorama 6 1 Administrator s Guide Palo Alto Networks Inc View Task Success or Failure Status Troubleshooting...

Reviews: