Device Telemetry Overview
Focus
Focus
Next-Generation Firewall

Device Telemetry Overview

Table of Contents

Device Telemetry Overview

PAN-OS device telemetry is used to power telemetry apps that make it easier to monitor and manage firewalls.
Device telemetry collects data about your next-generation firewall or Panorama and shares it with Palo Alto Networks by uploading the data to Strata Logging Service. This data is used to power telemetry apps, which are cloud-based applications that make it easy to monitor and manage your next-generation firewalls and Panoramas. These apps improve your visibility into device health, performance, capacity planning, and configuration. Through these apps, you can maximize the benefits you enjoy from the products and services that Palo Alto Networks delivers.
Telemetry data is also used for sharing threat intelligence, providing enhanced intrusion prevention, evaluation of threat signatures, as well as improved malware detection within PAN-DB URL filtering, DNS-based command-and-control (C2) signatures, WildFire, and to further improve Palo Alto Networks products and services. Review the PAN-OS Privacy information data sheet for details about the data that Palo Alto Networks collects.
Palo Alto Networks automatically selects recommended settings when you configure telemetry. When you commit the settings, PAN-OS begins collecting and sending telemetry data. See Disable Device Telemetry to manually opt out of device telemetry collection.
Telemetry data is collected and stored locally on your device for a limited period of time. This data is shared with Palo Alto Networks only if you configure a destination region for the data. If your organization has a Strata Logging Service license, then you can only send the data to the same region as where your Strata Logging Service instance resides. If your organization does not have a Strata Logging Service license, then you must install a device certificate in order to share this data. In this case, you can choose any available region, although you must conform to all applicable local laws regarding privacy and data storage.
Telemetry data is collected and shared with Palo Alto Networks on predefined collection intervals starting from the time when the firewall is turned on. These predefined intervals are set by the PAN-OS analytics engine, however you can control whether data is collected and shared by enabling/disabling categories of data. You can also monitor the current status of data collection and transmission.
The size of each bundle of telemetry data depends on the features enabled on your firewall, the number of metrics collected, and the model of the firewall. PAN-OS collects metrics related to operational health and performance, such as CPU and memory, more frequently.
You can obtain a live sample of the data that your firewall is collecting for telemetry purposes. For a complete description of all the telemetry metrics that can be shared with Palo Alto Networks, including the privacy implication for each metric, see the PAN-OS Device Telemetry Metrics Reference Guide.
The automatically created user _cliuser may appear under Logged in Admins on the dashboard while telemetry is enabled. This user is created only for telemetry collection.

Telemetry Autoenablement

Beginning with PAN-OS 11.2.8 and later releases, the telemetry autoenablement feature configures telemetry to be enabled by default on your devices. Upon onboarding a new device (Panorama or firewall), telemetry is automatically enabled with settings centrally controlled through Strata Cloud Manager. This centralized approach ensures consistent telemetry settings across your entire environment. Metrics are automatically streamed to your data residency region, eliminating the need for manual configuration.
A key distinction from previous configurations is that telemetry settings no longer reside on individual Panorama or firewall devices. Instead, these settings are retrieved from Strata Cloud Manager that store information for all devices with a tenant service group (TSG). For devices without a TSG, the system maintains backward compatibility by supporting direct configurations on Panorama or firewalls. By centralizing and automating telemetry configuration, telemetry autoenablement removes operational barriers to adoption. This enables you to fully leverage the benefits of telemetry while maintaining control over your data sharing preferences.
Telemetry autoenablement includes tiered telemetry options (Full and Diagnostic), providing control over the level of data shared while streamlining the enablement process. These tiers dictate the specific metrics collected and transmitted to Palo Alto Networks. Each device independently polls the Device Discovery Service endpoint daily using its device certificate to obtain region information and tier settings. This method applies uniformly across all device types, including Panorama, log collectors, Panorama managed firewalls, and standalone firewalls. You can manage telemetry settings from Strata Cloud Manager or hub.
Telemetry autoenablement determines the appropriate data residency region based on your existing configurations. If you're utilizing Strata Logging Service, your telemetry data is automatically synchronized with your Strata Logging Service region. For customers without Strata Logging Service, the system determines your region based on information in your Customer Support Portal account. You also have the option to manually select a region if needed. You retain full control of your telemetry settings and can adjust the telemetry tier from Full to Diagnostic as needed through the hub or Strata Cloud Manager interface. This tiered approach ensures you can select the level of information shared while adhering to data privacy requirements.