: Onboard Firewalls with Panorama (10.0 or Earlier)
Focus
Focus

Onboard Firewalls with Panorama (10.0 or Earlier)

Table of Contents

Onboard Firewalls with Panorama (10.0 or Earlier)

This is how you onboard firewalls to
Cortex Data Lake
using Panorama.
  1. On your firewalls, allow access to the ports and FQDNs required to connect to
    Cortex Data Lake
    . If you are using a proxy server, allow the same ports and FQDNs on the server without SSL decryption.
    Ensure that you are not decrypting traffic to
    Cortex Data Lake
    .
  2. (
    Optional
    ) To configure firewall to connect to
    Cortex Data Lake
    through a proxy server:
    • On firewall, select
      Device
      Setup
      Services
      Use proxy to send logs to Cortex Data Lake
    • On Panorama, select
      Setup
      Services
      Use proxy to send logs to Cortex Data Lake
  3. By default, the management interface is used to forward logs to
    Cortex Data Lake
    . If you choose not to use the management interface, use a data interface by configuring destination service routes for the following FQDNs: api.paloaltonetworks.com, apitrusted.paloaltonetworks.com, lic.lc.prod.us.cs.paloaltonetworks.com,certificatetrusted.paloaltonetworks.com, certificate.paloaltonetworks.com.
    1. Select
      Device
      Setup
      Services
      Global
      .
      Global
      on a firewall without multiple virtual system (multi-vsys) capability.
    2. Under Services Features, click
      Service Route Configuration
      .
    3. Select
      Customize
      .
    4. Under Service, select the following:
      • Palo Alto Networks Services
      • CRL status
      • DNS
      • HTTP
      • NTP
    5. Set
      Selected Service Routes
      .
    6. Select the
      Source Interface
      you want to use for activation and then select a
      Source Address
      from that interface and click
      OK
      .
    7. Select
      Destination
      and
      Add
      a destination.
    8. Enter any of the FQDNs above as
      Destination
      .
    9. Select the same
      Source Interface
      and
      Source Address
      that you selected for activation and click
      OK
      .
    10. Add
      two more destinations for the same interface using the remaining two FQDNs.
    11. Click
      OK
      again to exit Service Route Configuration.
    12. Update the access rules required to connect to
      Cortex Data Lake
      for the new interface IP address.
  4. Configure NTP so that the firewall stays in sync with
    Cortex Data Lake
    . Ignore this step if you have enabled proxy configuration:
    • On firewall, click
      Device
      Setup
      Services
      and set it to the same
      NTP Server Address
      on Panorama. For example:
      pool.ntp.org
      .
  5. Retrieve and push the
    Cortex Data Lake
    licenses for managed firewalls. Ensure that you have subscribed to a valid support license of
    Cortex Data Lake
    (90 days software warranty is not counted as a valid support license).
    1. From Panorama, select
      Panorama
      Device Deployment
      License
      .
    2. First
      Refresh
      and then select the firewalls from the list. Panorama retrieves the licenses, deploys them to the selected firewalls, and updates the licensing status on the Panorama web interface.
      Make sure you see that Panorama successfully installed the
      Cortex Data Lake
      license on the firewall.
      Do not
      Refresh
      again until the first refresh completes. When the refresh completes, you will see that Status shows Completed and Progress is 100%. There are also Details about whether the refresh succeeded.
  6. (Optional)
    If you have not created a template and a device group, from Panorama create a template and a device group to push log forwarding settings to the firewalls from which you want to forward logs to
    Cortex Data Lake
    .
  7. Enable the firewalls in the template to send logs to
    Cortex Data Lake
    and select the region where you want the logs stored.
    If some firewalls in your deployment are sending logs to dedicated Log Collectors or to Panorama with a local Log Collector, only firewalls that belong to the template with the Enable
    Cortex Data Lake
    option selected can send logs to
    Cortex Data Lake
    .
    1. Select
      Device
      Setup
      Management
      .
    2. Select the
      Template
      that contains the firewalls from which you want to forward logs to
      Cortex Data Lake
      .
    3. Edit the
      Cortex Data Lake
      settings.
    4. Enable either of the two following options:
      • Enable Logging Service
        —Send and save logs to
        Cortex Data Lake
        only. With this option, use Explore or Panorama to see and interact with your log data.
      • Enable Duplicate Logging
        —For firewalls running PAN-OS 8.1 and later releases, you can send and save logs both to
        Cortex Data Lake
        and to your Panorama and log collection setup. Firewalls save a copy of all log data to both Panorama and
        Cortex Data Lake
        except for system and config logs, which are sent to Panorama only.
      To forward logs to
      Cortex Data Lake
      with Duplicate Logging enabled, you must add the firewalls with the option enabled to a Collector Group.
    5. Enable Enhanced Application Logging to allow the firewall to collect data for apps running the Palo Alto Networks Cloud Services environment. These logs provide Palo Alto Networks Cloud services apps increased visibility into network activity and, in some cases, are required to support app features.
    6. Select the
      Region
      where you want to forward logs for the firewalls associated with this template and then click
      OK
      .
      Starting with PAN-OS 9.0.2, there is an option to
      Onboard Without Panorama
      . This setting is used only for firewalls that are not managed by Panorama; there’s no need to populate it when you’re enabling Panorama-managed firewalls to forward logs to
      Cortex Data Lake
      .
    7. (
      Panorama 9.0 or later releases only
      ) Specify the
      Connection count to
      Cortex Data Lake
      for PA-7000s and PA-5200s
      .
      Specify the number of connections that are established between the firewalls and
      Cortex Data Lake
      for forwarding logs to Cortex Data Lake (range is 1 to 20; default is 5).
    8. (
      Optional
      ) Configure interfaces and zones in the template.
    9. Commit and push the config to the firewalls.
  8. Firewall fetches a certificate automatically after pushing the configuration. To check the certificate status:
    If a certificate was not fetched for a firewall, run this command locally to fetch a certificate:
    request logging-service-forwarding certificate fetch
  9. Enable Panorama-managed firewalls to
    send logs to
    Cortex Data Lake
    .
    Remember that for any firewalls from which you want to forward logs to
    Cortex Data Lake
    and that are not already managed by Panorama, you first need to add the firewalls to Panorama as managed devices.

Recommended For You