NGFW Administration
  • NGFW Administration
  • Next-Generation Firewall Documentation
  • All Documentation
>
Create a Device Onboarding Rule
Focus
Download PDF
Focus
  1. Home
  2. Next-Generation Firewall
  3. Onboard NGFWs to Strata Cloud Manager
  4. Onboard Your Devices
  5. Create a Device Onboarding Rule
Download PDF
Next-Generation Firewall

Create a Device Onboarding Rule

Table of Contents

Create a Device Onboarding Rule

Create a device onboarding rule to automate NGFW onboarding to Strata Cloud Manager.
Where Can I Use This?What Do I Need?
Use a device onboarding rule to automate parts of the Palo Alto Networks Next Generation Firewall (NGFW) onboarding to Strata Cloud Manager whether you're manually onboarding Palo Alto Networks NGFW or onboarding using Zero Touch Provisioning (ZTP). This allows you to associate the firewall with a folder and push a configuration when the firewall first connects to Strata Cloud Manager. Device onboarding rules are designed to simplify and greatly reduce the time spent onboarding new Palo Alto Networks NGFW at scale and ensure the correct configuration is applied to newly onboarded Palo Alto Networks NGFW. You can create multiple device onboarding rules to define different match criteria that apply to different Palo Alto Networks NGFW.
To onboard VM-series funded by software NGFW credits, see Create a Deployment Profile.
The Match Criteria, Action, VPN Onboarding, and User Context Onboarding configurations are optional and can be configured as needed. If no Match Criteria is specified then the device onboarding rule applies to Any Palo Alto Networks NGFW model and serial number. The Palo Alto Networks NGFW must match all Match Criteria defined in the rule for Strata Cloud Manager to take the configured Action or push the VPN Onboarding and User Context Onboarding configurations.
For example, you don't configure the Match Criteria and configure only the Target Folder in the rule Action. Additionally, you don't configure VPN Onboarding and User Context Onboarding. In this example Strata Cloud Manager applies the rule to all Palo Alto Networks NGFW onboarded to Strata Cloud Manager and only adds them to the Target Folder. Another example is that you specify Palo Alto Networks NGFW models and serial numbers in the Match Criteria but you don't configure the rule Action at all. Additionally, you configure VPN Onboarding and User Context Onboarding. In this example Strata Cloud Manager pushes the VPN Onboarding and User Context Onboarding configurations to only the Palo Alto Networks NGFW models and serial numbers that match the Match Criteria.
  1. Log in to Strata Cloud Manager.
  2. Select WorkflowsNGFW SetupDevice Onboarding.
  3. Add Rule.
  4. Configure the General device onboarding rule settings.
    1. The device onboarding rule is Enabled by default. Toggle the Enable setting to disable the onboarding rule after you Save.
    2. Enter a descriptive Name for the onboarding rule.
    3. (Optional) Enter a Description for the onboarding rule.
  5. Define the onboarding rule Match Criteria.
    The match criteria define to which Palo Alto Networks NGFW the device onboarding rule applies.
    1. Specify which Palo Alto Networks NGFW Models.
      • Any—Applies to all Palo Alto Networks NGFW onboarded to Strata Cloud Manager.
      • Match—Inclusive condition that applies to the Palo Alto Networks NGFW models added to the match list. You can select one or multiple different Palo Alto Networks NGFW models.
        For example, if you add PA-1410 and PA-3260, then the onboarding rule Action applies only to those Palo Alto Networks NGFW.
      • Exclude (Negate)—Exclusive condition that applies to all Palo Alto Networks NGFW models not added to the exclude match list.
        For example, if you add PA-1410 and PA-3260, then the onboarding rule Action applies to all Palo Alto Networks NGFW models except for those added to the exclude list.
    2. Specify the Device S/N.
      This compliments the Models match criteria by allowing you to identify specific serial numbers of Palo Alto Networks NGFW Models that the onboarding rule applies to.
      • Any—Applies to all Palo Alto Networks NGFW serial numbers.
      • Match—Enter a regular expression (regex) to identify Palo Alto Networks NGFW serial numbers.
    3. Specify Labels applied to Palo Alto Networks NGFW during onboarding that the onboarding rule applies to.
      You can use And, Or, and Not operators to write a logical expression of labels to match. You can use parentheses (()) to group sets of labels and logical operators when writing your regular expression.
  6. Define the onboarding rule Action.
    1. Select the Target Folder the firewall is added to if it matches the device onboarding rule.
      If no Target Folder is specified, then the firewall is added to the default All Firewalls folder.
      (VM-Series, funded with Software NGFW Credits) You can configure the dgname field in the init.cfg.txt bootstrap parameters to add the VM-Series firewall to a target folder. In this case, Strata Cloud Manager prioritizes adding the VM-Series firewall to the target folder configured in the init.cfg.txt file over the one configured in the device onboarding rule.
    2. For Snippet Association, apply snippet configuration to the onboarded firewall after it successfully connects to Strata Cloud Manager.
      Snippets are a tool used to standardize a common base configuration for a set of firewalls or deployments. This allows you to quickly onboard a new firewall with a known good configuration and reduces the time required to onboard a new firewall.
    3. Enable VPN Onboarding if you have configured Auto VPN for secure hub-and-spoke connectivity between Strata Cloud Manager and your managed firewalls.
      If enabled, select the VPN Cluster to add the firewall to. This determines the gateway devices and automatically creates secure connections between the configured gateway and the newly onboarded firewall.
      Click Configure to configure the Palo Alto Networks NGFW as a hub or branch firewall.
    4. Enable User Context Onboarding to configure the user and tag mappings required for User Context for Cloud Identity Engine (CIE).
      User Context provides simplified granular control over the data that is shared across your security devices. It provides your administrators the flexibility to specify the data types each device sends and receives.
      If enabled, you must configure the Segments to Contribute Data To to customize the segment mappings the firewall sends to CIE and the Segments to Receive Data From to customize how CIE provides segment mappings to the firewall.
  7. Save.
  8. In Device Onboarding, review your newly configured onboarding rule and verify it's Enabled.
    Device onboarding rules are processed in a top-down priority. Strata Cloud Manager evaluates each onboarding rule Match Criteria starting with the rule highest in the rule hierarchy until the Palo Alto Networks NGFW meets all Match Criteria. Strata Cloud Manager then takes the Action specified in the matching rule. In the event two rules in the device onboarding rule hierarchy apply to the same firewall, Strata Cloud Manager takes the Action configured in the device onboarding rule higher up in the rule hierarchy.
  9. Onboard your Palo Alto Networks NGFW manually or using Zero Touching Provisioning (ZTP).

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.