PAN-OS device telemetry is used to power telemetry apps
that make it easier to monitor and manage firewalls.
Device telemetry collects data about your next-generation firewall or Panorama and shares it with
Palo Alto Networks by uploading the data to Strata Logging Service. This
data is used to power telemetry apps, which are cloud-based applications that make it
easy to monitor and manage your next-generation firewalls and Panoramas. These apps
improve your visibility into device health, performance, capacity planning, and
configuration. Through these apps, you can maximize the benefits you enjoy from the
products and services that Palo Alto Networks delivers.
Telemetry data is also used to share threat intelligence, provide enhanced intrusion
prevention, evaluate threat signatures, and improve malware detection
within PAN-DB URL filtering, DNS-based command-and-control (C2) signatures, and WildFire,
and to further improve Palo Alto Networks products and services. Review the PAN-OS Privacy information data sheet for
details about the data that Palo Alto Networks collects.
Palo Alto Networks automatically selects recommended settings when you configure
telemetry. When you commit the settings, PAN-OS begins collecting and
sending telemetry data. See Disable Device Telemetry to manually opt out of device telemetry
collection.
Telemetry data is collected and stored locally on your device for a limited period of time. This
data is shared with Palo Alto Networks only if you configure a destination region for
the data. If your organization has a Strata Logging Service license, then you can
only send the data to the same region as where your Strata Logging Service
instance resides. If your organization does not have a Strata Logging Service
license, then you must install a device certificate in order to share
this data. In this case, you can choose any available region, although you must conform
to all applicable local laws regarding privacy and data storage.
Telemetry data is collected and shared with Palo Alto Networks at predefined collection intervals, starting from the time
the firewall is powered on. These intervals are set by the PAN-OS analytics engine; however, you can control whether data is collected and shared by
enabling or disabling categories of data. You
can also monitor the current status of data collection
and transmission.
The size of each bundle of telemetry data depends on the features enabled on your
firewall, the number of metrics collected, and the model of the firewall. PAN-OS collects metrics related to operational health and performance,
such as CPU and memory, more frequently.
You can obtain a live sample of the data that your firewall is
collecting for telemetry purposes. For a complete description of all the telemetry
metrics that can be shared with Palo Alto Networks, including the privacy implication
for each metric, see the PAN-OS Device Telemetry Metrics Reference
Guide.
The automatically created user _cliuser may
appear under Logged in Admins on the dashboard
while telemetry is enabled. This user is created only for telemetry collection.
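The sharing constraints above (a configured destination region, region matching the Strata Logging Service region when licensed, a device certificate when unlicensed) and the `_cliuser` note can be checked as one posture audit. This is an added example, not Palo Alto Networks code; the device state is a constructed dict and its field names are assumptions, not a PAN-OS API schema.

```python
"""Audit a PAN-OS device's telemetry posture against the rules described on this page.

Constructed example: `state` is a plain dict whose keys are assumed names, not
fields of any real PAN-OS API. Region names are placeholders.
"""

TELEMETRY_USER = "_cliuser"  # account PAN-OS creates only for telemetry collection


def audit_telemetry(state: dict) -> list[str]:
    """Return a list of findings; an empty list means the posture is consistent."""
    findings = []
    enabled = state.get("telemetry_enabled", False)
    region = state.get("telemetry_region")          # None if no destination region set
    sls_region = state.get("sls_region")            # None if no Strata Logging Service license
    has_device_cert = state.get("device_certificate_installed", False)
    admins = set(state.get("logged_in_admins", []))

    if enabled:
        if region is None:
            # Data is only shared once a destination region is configured.
            findings.append("telemetry enabled but no destination region: data stays local")
        elif sls_region is not None and region != sls_region:
            # With an SLS license, the only valid destination is the SLS region.
            findings.append(
                f"region {region!r} differs from Strata Logging Service region {sls_region!r}"
            )
        elif sls_region is None and not has_device_cert:
            # Without an SLS license a device certificate is required to share data.
            findings.append("no Strata Logging Service license and no device certificate")

    # _cliuser is expected only while telemetry is enabled (assumption: treat it as
    # anomalous otherwise and hand it to the SOC for review).
    if TELEMETRY_USER in admins and not enabled:
        findings.append(f"{TELEMETRY_USER} logged in while telemetry is disabled: investigate")
    return findings


if __name__ == "__main__":
    sample = {  # constructed device state
        "telemetry_enabled": True,
        "telemetry_region": "region-b",
        "sls_region": "region-a",
        "logged_in_admins": ["admin", "_cliuser"],
    }
    for finding in audit_telemetry(sample):
        print("FINDING:", finding)
```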
Telemetry Autoenablement
Beginning with PAN-OS 11.2.8, the telemetry
autoenablement feature enables telemetry by default on your
devices. Upon onboarding a new device (Panorama or firewall), telemetry is
automatically enabled with settings centrally controlled through Strata Cloud Manager. This centralized approach ensures consistent telemetry settings across your
entire environment. Metrics are automatically streamed to your data residency
region, eliminating the need for manual configuration.
A key distinction from previous configurations is that telemetry settings
no longer reside on individual Panorama or firewall devices. Instead, they
are retrieved from Strata Cloud Manager, which stores settings for all devices that belong to
a tenant service group (TSG). For devices without a TSG, the system maintains
backward compatibility by supporting direct configuration on Panorama or firewalls.
By centralizing and automating telemetry configuration, telemetry autoenablement
removes operational barriers to adoption. This enables you to fully leverage the
benefits of telemetry while maintaining control over your data sharing
preferences.
Telemetry autoenablement includes tiered telemetry options (Full and
Diagnostic), providing control over the level of data shared while streamlining the
enablement process. These tiers dictate the specific metrics collected and
transmitted to Palo Alto Networks. Each device independently polls the Device
Discovery Service endpoint daily using its device certificate to obtain region
information and tier settings. This method applies uniformly across all device
types, including Panorama, log collectors, Panorama managed firewalls, and
standalone firewalls. You can manage telemetry settings from Strata Cloud Manager or hub.
Telemetry autoenablement determines the appropriate data residency region
based on your existing configurations. If you use Strata Logging Service, your telemetry data is automatically synchronized
with your Strata Logging Service region. For customers without Strata Logging Service, the system determines your region based on
information in your Customer Support Portal account. You also have the option to
manually select a region if needed. You retain full control of your telemetry
settings and can adjust the telemetry tier from Full to Diagnostic as needed through
the hub or Strata Cloud Manager interface. This tiered approach ensures you can
select the level of information shared while adhering to data privacy
requirements.