Set Up Your Centralized Configuration and Policies
Focus
Focus
Panorama

Set Up Your Centralized Configuration and Policies

Table of Contents

Set Up Your Centralized Configuration and Policies

In Use Case: Configure Firewalls Using Panorama, perform the following tasks to centrally deploy and administer firewalls:
  • Add the Managed Firewalls and Deploy Updates
  • Use Templates to Administer a Base Configuration
  • Use Device Groups to Push Policy Rules
  • Preview the Rules and Commit Changes

Add the Managed Firewalls and Deploy Updates

The first task in Use Case: Configure Firewalls Using Panorama is to add the firewalls as managed devices and deploy content updates and PAN-OS software updates to those firewalls.
  1. For each firewall that Panorama will manage, Add a Firewall as a Managed Device.
    In this example, add 12 firewalls.
  2. Deploy the content updates to the firewalls. If you purchased a Threat Prevention subscription, the content and antivirus databases are available to you. First install the Applications or Applications and Threats database, then the Antivirus.
    To review the status or progress for all tasks performed on Panorama, see Use the Panorama Task Manager.
    1. Select PanoramaDevice DeploymentDynamic Updates.
    2. Click Check Now to check for the latest updates. If the value in the Action column is Download, this indicates an update is available.
    3. Click Download. When the download completes, the value in the Action column changes to Install.
    4. In the Action column, click Install. Use the filters or user-defined tags to select the managed firewalls on which you would like to install this update.
    5. Click OK, then monitor the status, progress, and result of the content update for each firewall. The Result column displays the success or failure of the installation.
  3. Deploy the software updates to the firewalls.
    1. Select PanoramaDevice DeploymentSoftware.
    2. Click Check Now to check for the latest updates. If the value in the Action column is Download, this indicates an update is available.
    3. Locate the version that you need for each hardware model and click Download. When the download completes, the value in the Action column changes to Install.
    4. In the Action column, Validate the PAN-OS version to view all the intermediate software and content versions required to upgrade.
      Panorama requires internet access to validate the PAN-OS version.
    5. In the Action column, click the Install link. Use the filters or user-defined tags to select the managed firewalls on which to install this version.
    6. (Optional) Enable the check box for Reboot device after install.
    7. Click OK. The Results column displays the success or failure of the installation.

Use Templates to Administer a Base Configuration

The second task in Use Case: Configure Firewalls Using Panorama is to create the templates you will need to push the base configuration to the firewalls.
  1. For each template you will use, Add a Template and assign the appropriate firewalls to each.
    In this example, create templates named T_Branch, T_Regional, and T_DataCenter.
  2. Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
    1. In the Device tab, select the Template from the drop-down.
    2. Define the DNS and NTP servers:
      1. Select DeviceSetupServicesGlobal and edit the Services.
      2. In the Services tab, enter an IP address for the Primary DNS Server.
        For any firewall that has more than one virtual system (vsys), for each vsys, add a DNS server profile to the template (DeviceServer ProfilesDNS).
      3. In the NTP tab, enter an IP address for the Primary NTP Server.
      4. Click OK to save your changes.
    3. Add a login banner: select DeviceSetupManagement, edit the General Settings, enter text for the Login Banner and click OK.
    4. Configure a Syslog server profile (DeviceServer ProfilesSyslog).
  3. Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
    1. In the Device tab, select the Template from the drop-down.
    2. Select SetupManagement, and edit the Management Interface Settings.
    3. Under Services, select the HTTPS, SSH, and SNMP check boxes, and click OK.
  4. Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
    1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
    2. Select Network ProfilesZone Protection and click Add.
    3. For this example, enable protection against a SYN flood—In the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies as, set the Alert packets/second to 100, set the Activate packets/second to 1000, and set the Maximum packets/second to 10000.
    4. For this example, enable alerts—In the Reconnaissance Protection tab, select the Enable check boxes for TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default value).
    5. Click OK to save the Zone Protection profile.
  5. Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created.
    Before performing this step, you must have configured the interfaces locally on the firewalls. As a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
    1. Select the Network tab and, in the Template drop-down, select T_DataCenter.
    2. Select NetworkInterface and, in the Interface column, click the interface name.
    3. Select the Interface Type from the drop-down.
    4. In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
    5. In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
    6. Click OK to save your changes to the interface.
    7. Select NetworkZones, and select the zone you just created. Verify that the correct interface is attached to the zone.
    8. In the Zone Protection Profile drop-down, select the profile you created, and click OK.
  6. Push your template changes.
    1. Select CommitCommit and Push and Edit Selections in the Push Scope.
    2. Select Templates and select the firewalls assigned to the templates where you made changes.
    3. Commit and Push your changes to the Panorama configuration and to the template.

Use Device Groups to Push Policy Rules

The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage policy rules on the firewalls.
  1. Create device groups and assign the appropriate firewalls to each device group: see Add a Device Group.
    In this example, create device groups named DG_BranchAndRegional and DG_DataCenter.
    When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
  2. Create a shared pre-rule to allow DNS and SNMP services.
    1. Create a shared application group for the DNS and SNMP services.
      1. Select ObjectsApplication Group and click Add.
      2. Enter a Name and select the Shared check box to create a shared application group object.
      3. Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp, snmp-trap.
      4. Click OK to create the application group.
    2. Create the shared rule.
      1. Select the Policies tab and, in the Device Group drop-down, select Shared.
      2. Select the SecurityPre-Rules rulebase.
      3. Click Add and enter a Name for the security rule.
      4. In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic.
      5. In the Applications tab, click Add, type the name of the applications group object you just created, and select it from the drop-down.
      6. In the Actions tab, set the Action to Allow, and click OK.
  3. Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
    1. Select the Policies tab and, in the Device Group drop-down, select Shared.
    2. Select SecurityPre-Rules and click Add.
    3. In the General tab, enter a Name for the security rule.
    4. In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
    5. In the Application tab, define the application filter:
      1. Click Add and click New Application Filter in the footer of the drop-down.
      2. Enter a Name, and select the Shared check box.
      3. In the Risk column, select levels 3, 4, and 5.
      4. In the Technology column, select peer-to-peer.
      5. Click OK to save the new filter.
    6. In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage).
    7. You can also attach the default URL Filtering profile—In the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default.
    8. Click OK to save the security pre-rule.
  4. Allow Facebook for all users in the Marketing group in the regional offices only.
    Enabling a security rule based on user and group has the following prerequisite tasks:
    1. Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
    2. Select the SecurityPre-Rules rulebase.
    3. Click Add and enter a Name for the security rule.
    4. In the Source tab, Add the Source Zone that contains the Marketing group users.
    5. In the Destination tab, Add the Destination Zone.
    6. In the User tab, Add the Marketing user group to the Source User list.
    7. In the Application tab, click Add, type Facebook, and then select it from the drop-down.
    8. In the Action tab, set the Action to Allow.
    9. In the Target tab, select the regional office firewalls and click OK.
  5. Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
    1. Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application.
      1. Select ObjectsAddresses and, in the Device Group drop-down, select DG_DataCenter.
      2. Click Add and enter a Name for the address object.
      3. Select the Type, and specify an IP address and netmask (IP Netmask), range of IP addresses (IP Range), or FQDN.
      4. Click OK to save the object.
    2. Create a security rule that allows access to the Amazon cloud application.
      1. Select PoliciesSecurityPre-Rules and, in the Device Group drop-down, select DG_DataCenter.
      2. Click Add and enter a Name for the security rule.
      3. Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined.
      4. Select the Destination tab and Add the Destination Zone.
      5. Select the Application tab, click Add, type amazon, and select the Amazon applications from the list.
      6. Select the Action tab and set the Action to Allow.
      7. Click OK to save the rule.
  6. To enable logging for all internet-bound traffic on your network, create a rule that matches trust zone to untrust zone.
    1. Select the Policies tab and, in the Device Group drop-down, select Shared.
    2. Select the SecurityPre-Rules rulebase.
    3. Click Add and enter a Name for the security rule.
    4. In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone.
    5. In the Action tab, set the Action to Deny, set the Log Setting to Log at Session end, and click OK.

Preview the Rules and Commit Changes

The final task in Use Case: Configure Firewalls Using Panorama is to review the rules and commit the changes you have made to Panorama, device groups, and templates.
  1. Preview the rules.
    This preview enables you to visually evaluate how rules are layered for a particular rulebase.
    1. Select Policies and Preview Rules.
    2. Select a Rulebase, Device Group, and Device.
    3. Close the preview dialog when you finish.
  2. Commit and push your configuration changes.
    1. Select CommitCommit and Push and Edit Selections in the Push Scope.
    2. Select Device Groups, select the device groups you added, and Include Device and Network Templates.
    3. (Optional) Disable Merge with Device Candidate Config if you manage local firewall configuration changes independently of configuration changes from Panorama.
      This setting is enabled by default and merges any pending local firewall configurations with the configuration push from Panorama. The local firewall configuration is merged and committed regardless of the admin pushing the changes from Panorama or the admin who made the local firewall configuration changes.
    4. Click OK to save your changes to the Push Scope.
    5. Commit and Push your changes.
  3. Verify that Panorama applied the template and policy configurations.
    1. In the Panorama header, set the Context to the firewall to access its web interface.
    2. Review the template and policy configurations to ensure your changes are there.