>
    Managed Firewall Information
    Focus
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Panorama Web Interface
    4. Panorama > Managed Devices > Summary
    5. Managed Firewall Information
    Next-Generation Firewall

    Managed Firewall Information

    Table of Contents

    Managed Firewall Information

    Select PanoramaManaged DevicesSummary to display the following information for each managed firewall.
    Managed Firewall Information
    Description
    Device Group
    Displays the name of the device group in which the firewall is a member. By default, this column is hidden, though you can display it by selecting the drop-down in any column header and selecting ColumnsDevice Group.
    The page displays firewalls in clusters according to their device group. Each cluster has a header row that displays the device group name, the total number of assigned firewalls, the number of connected firewalls, and the device group path in the hierarchy. For example, Data center (2/4 Devices Connected): SharedEuropeData center would indicate that a device group named Data center has four member firewalls (two of which are connected) and is a child of a device group named Europe. You can collapse or expand any device group to hide or display its firewalls.
    Device Name
    Displays the hostname or serial number of the firewall.
    For the VM-Series NSX edition firewall, the firewall name appends the hostname of the ESXi host. For example, PA-VM: Host-NY5105
    Virtual System
    Lists the virtual systems available on a firewall that is in Multiple Virtual Systems mode.
    Model
    Displays the firewall model.
    Tags
    Displays the tags defined for each firewall/virtual system.
    Serial Number
    Displays the serial number of the firewall.
    Operational Mode
    Displays the operational mode of the firewall. Can be FIPS-CC or Normal.
    IP Address
    Displays the IP address of the firewall/virtual system.
    IPv4—IPv4 address of the firewall/virtual system.
    IPv6—IPv6 address of the firewall/virtual system.
    Variables
    Create device specific variable definitions by copying them from a device in the template stack, or Edit existing variable definitions to create unique variables for the device. This column will be empty if the device is not associated with a template stack. By default, variables are inherited from the template stack. See Create or Edit Variable Definition on a Device.
    Template
    Displays the template stack to which the firewall is assigned.
    Status
    Device State—Indicates the state of the connection between Panorama and the firewall: Connected or Disconnected.
    A VM-Series firewall can have two additional states:
    • Deactivated—Indicates that you have deactivated a virtual machine either directly on the firewall or by selecting Deactivate VMs (PanoramaDevice DeploymentLicenses) and removed all licenses and entitlements on the firewall. A deactivated firewall is no longer connected to Panorama because the deactivation process removes the serial number on the VM-Series firewall.
    • Partially deactivated—Indicates that you have initiated the license deactivation process from Panorama, but the process is not fully complete because the firewall is offline and Panorama cannot communicate with it.
    HA Status—Indicates whether the firewall is:
    • Active—Normal traffic-handling operational state
    • Passive—Normal backup state
    • Initiating—The firewall is in this state for up to 60 seconds after bootup
    • Non-functional—Error state
    • Suspended—An administrator disabled the firewall
    • Tentative—For a link or path monitoring event in an active/active configuration
    Shared Policy—Indicates whether the policy and object configurations on the firewall are synchronized with Panorama.
    Template—Indicates whether the network and device configurations on the firewall are synchronized with Panorama.
    Status (cont)
    Certificate—Indicates the managed device’s client certificate status.
    • Pre-defined—The managed device is using a pre-defined certificate to authenticate with Panorama.
    • Deployed—The custom certificate is successfully deployed on the managed device.
    • Expires in N days N hours—The currently installed certificate will expire in less than 30 days.
    • Expires in N minutes—The currently installed certificate will expire in less than one day.
    • Client Identity Check Passed—The certificate common name matches the serial number of the connecting device.
    • OCSP Status Unknown—Panorama cannot get the OCSP status from the OCSP responder.
    • OCSP Status Unavailable—Panorama cannot contact the OCSP responder.
    • CRL Status Unknown—Panorama cannot get the revocation status from the CRL database.
    • CRL Status Unavailable—Panorama cannot contact the CRL database.
    • OCSP/CRL Status Unknown—Panorama cannot get the OCSP or revocation status when both are enabled.
    • OCSP/CRL Status Unavailable—Panorama cannot contact the OCSP or CRL database when both are enabled.
    • Untrusted Issuer—The managed device has a custom certificate but the server is not validating it.
    Last Commit State—Indicates whether the last commit failed or succeeded on the firewall.
    Software Version | Apps and Threat | Antivirus | URL Filtering | GlobalProtect™ Client | WildFire
    Displays the software and content versions that are currently installed on the firewall. For details, see Firewall Software and Content Updates.
    Backups
    On each firewall commit, PAN-OS automatically sends a firewall configuration backup to Panorama. Click Manage to view the available configuration backups and optionally load one. For details, see Firewall Backups.
    Last Master Key Push
    Displays the status of the master key deployment from Panorama to the firewall.
    Status—Displays the latest master key push status. Can be Success or Failed. Unknown is displayed if a master key has not been pushed to the firewall from Panorama.
    Timestamp—Displays the date and time of the latest master key push from Panorama.
    Containers—If you deployed the CN-Series firewall to secure your containerized application workloads on Kubernetes clusters, use the following columns.
    Container Number of Nodes
    Displays the number of containerized firewall data plane (CN-NGFW) that are connected to the Management plane (CN-Mgmt) registered to Panorama.
    The value can be 0—30 CN-NGFW pods for each pair of CN-Mgmt pods.
    Container Notes
    		Future use

    Create Device Variable Definition

    When a device is added to a template stack, the user has the option of creating device specific variables by copying existing overridden variables from a device in the same template stack, or override the template or template stack variables individually for the device.
    When a device is first added to a template stack, you have the option to create device-specific variable definitions copied from devices in the template stack or you can edit the template variable definitions through PanoramaManaged DevicesSummary. By default, all variable definitions are inherited from the template stack and you can only override, and —not delete—the variable definitions for an individual device. You can use variables to replace IP address objects and IP address literals (IP Netmask, IP Range, FQDN) in all areas of the configuration, interfaces in the IKE Gateway configuration (Interface) and HA configuration (Group ID).
    Create Device Variable Definition Information
    Description
    Clone device variable definition from another device in the template stack?
    No
    		View the existing variable definitions and edit as needed. See Panorama > Templates > Template Variables.
    Yes
    Select a device in the drop-down from which to clone variable definitions and then select the specific variable definitions you want to clone.

    © 2025 Palo Alto Networks, Inc. All rights reserved.