Use Templates to Administer a Base Configuration
The second task in Use Case: Configure Firewalls Using Panorama is to create the templates you will need to push the base configuration to the firewalls.
- For each template you will use, Add a Template and assign the appropriate firewalls to each. In this example, create templates named T_Branch, T_Regional, and T_DataCenter.
- Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
  - In the Device tab, select the Template from the drop-down.
  - Define the DNS and NTP servers:
    - Select Device > Setup > Services > Global and edit the Services.
    - In the Services tab, enter an IP address for the Primary DNS Server. For any firewall that has more than one virtual system (vsys), for each vsys, add a DNS server profile to the template (Device > Server Profiles > DNS).
    - In the NTP tab, enter an IP address for the Primary NTP Server.
    - Click OK to save your changes.
  - Add a login banner: select Device > Setup > Management, edit the General Settings, enter text for the Login Banner and click OK.
  - Configure a Syslog server profile (Device > Server Profiles > Syslog).
- Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
  - In the Device tab, select the Template from the drop-down.
  - Select Setup > Management, and edit the Management Interface Settings.
  - Under Services, select the HTTPS, SSH, and SNMP check boxes, and click OK.
- Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
  - Select the Network tab and, in the Template drop-down, select T_DataCenter.
  - Select Network Profiles > Zone Protection and click Add.
  - For this example, enable protection against a SYN flood: in the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies, set the Alert packets/second to 100, set the Activate packets/second to 1000, and set the Maximum packets/second to 10000.
  - For this example, enable alerts: in the Reconnaissance Protection tab, select the Enable check boxes for TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default value).
  - Click OK to save the Zone Protection profile.
- Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created. Before performing this step, you must have configured the interfaces locally on the firewalls. As a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
  - Select the Network tab and, in the Template drop-down, select T_DataCenter.
  - Select Network > Interface and, in the Interface column, click the interface name.
  - Select the Interface Type from the drop-down.
  - In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
  - In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
  - Click OK to save your changes to the interface.
  - Select Network > Zones, and select the zone you just created. Verify that the correct interface is attached to the zone.
  - In the Zone Protection Profile drop-down, select the profile you created, and click OK.
- Push your template changes.
  - Select Commit > Commit and Push and Edit Selections in the Push Scope.
  - Select Templates and select the firewalls assigned to the templates where you made changes.
  - Commit and Push your changes to the Panorama configuration and to the template.
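
A check that could be run against an exported configuration to confirm the T_DataCenter settings from this procedure, as an added example that is not Palo Alto Networks code. It parses a constructed, simplified configuration fragment and reports every zone that lacks a compliant SYN flood profile; the element names and nesting, the profile name ZP_DC and the zones dc-trust and dc-dmz are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample of a template fragment. Element names, nesting,
# ZP_DC, dc-trust and dc-dmz are assumptions: compare with your own export.
SAMPLE = """
<template><entry name="T_DataCenter"><network>
  <profiles><zone-protection-profile><entry name="ZP_DC">
    <flood><tcp-syn><enable>yes</enable><syn-cookies>
      <alarm-rate>100</alarm-rate><activate-rate>1000</activate-rate>
      <maximal-rate>10000</maximal-rate>
    </syn-cookies></tcp-syn></flood>
  </entry></zone-protection-profile></profiles>
  <zone>
    <entry name="dc-trust"><network><zone-protection-profile>ZP_DC</zone-protection-profile></network></entry>
    <entry name="dc-dmz"/>
  </zone>
</network></entry></template>
"""
EXPECTED = {"alarm-rate": 100, "activate-rate": 1000, "maximal-rate": 10000}

def audit_template(xml_text, template, expected=EXPECTED):
    """Return a list of findings for one template; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    tpl = root.find(f"./entry[@name='{template}']")
    if tpl is None:
        return [f"template {template} not found"]
    findings, good_profiles = [], set()
    for prof in tpl.findall("./network/profiles/zone-protection-profile/entry"):
        name, syn = prof.get("name"), prof.find("./flood/tcp-syn")
        problems = []
        if syn is None or syn.findtext("enable") != "yes":
            problems.append("SYN flood protection not enabled")
        elif syn.find("syn-cookies") is None:
            problems.append("action is not SYN Cookies")
        else:
            rates = {k: int(syn.findtext(f"syn-cookies/{k}", "0")) for k in expected}
            if rates != expected:
                problems.append(f"thresholds {rates} differ from {expected}")
            if not rates["alarm-rate"] < rates["activate-rate"] < rates["maximal-rate"]:
                problems.append("thresholds are not alert < activate < maximum")
        findings += [f"profile {name}: {p}" for p in problems]
        if not problems:
            good_profiles.add(name)
    for zone in tpl.findall("./network/zone/entry"):
        attached = zone.findtext("network/zone-protection-profile")
        if attached not in good_profiles:
            findings.append(f"zone {zone.get('name')}: no compliant profile attached ({attached})")
    return findings
```

On the constructed sample the only finding is the dc-dmz zone, which has no Zone Protection profile attached.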