Onboard a Firewall

Review the prerequisites for onboarding your firewall to
Strata Cloud Manager
.
Activate the
Strata Logging Service
license.
Skip this step if you already activated the
Prisma Access (Managed by Strata Cloud Manager)
license on the same tenant you are activating
AIOps for NGFW Premium
license.
Activate the
AIOps for NGFW Premium
license.
Skip this step if you already activated the
AIOps for NGFW Premium
license.
(
Optional
) Activate the
Cloud Identity Engine
license.
Activate
Cloud Identity Engine
(CIE) if you plan to use user-based authentication policy rules. CIE activation is not required for initial onboarding and can be activated at a later time as needed.
Register the firewall with the Palo Alto Networks Customer Support Portal (CSP) and activate licenses.
Log in to the firewall web interface and find the
Serial #
under the General Information widget in the
Dashboard
.
Register the firewall.
Activate the Support license on the firewall.
Install the device certificate on the firewall.
This is required to successfully authenticate the firewall with the Palo Alto Networks CSP and use
Strata Cloud Manager
.
Configure the firewall Panorama Settings required to connect to
Strata Cloud Manager
.
Log in to the firewall web interface.
Configure the firewall DNS and NTP servers.
This is required to successfully connect the firewall to
Strata Cloud Manager
and install software and content updates.
Select
Device
Setup
Services
and edit the Services.
Select
Servers
and configure the
Primary DNS Server
and
Secondary DNS Server
.
Select
NTP
and configure the Primary and Secondary
NTP Server Address
.
Click
OK
.
Configure the Panorama Settings.
Select
Device
Setup
Management
and edit the Panorama Settings.
Select Managed By
Cloud Service
.
(
NGFW (Managed by Strata Cloud Manager)
Running PAN-OS 11.2 and later
) Select the
Port
used for connectivity between the
NGFW (Managed by Strata Cloud Manager)
and
Strata Cloud Manager
.
Default
—The default TCP port 3978. This port is dedicated for communication between the
NGFW (Managed by Strata Cloud Manager)
and
Strata Cloud Manager
.
443
—TCP port 443 is the standard port used for HTTP traffic encrypted with SSL. Using port 443 for
NGFW (Managed by Strata Cloud Manager)
and
Strata Cloud Manager
communication greatly simplifies network configuration management for both administrators and end users.
Additionally, using port 443 reduces your network attack surface by reducing the number of open ports on your network.
(
Optional for (
NGFW (Managed by Strata Cloud Manager)
Running PAN-OS 11.2 and later
) Check
Enable Compress Config
to compress the size of the configuration file exchanged between the
NGFW (Managed by Strata Cloud Manager)
and
Strata Cloud Manager
, and vice versa, to increase file transfer times.
Enabling this setting does not cause load or delay in firewall processing or increase commit operation times.
Click
OK
.

Commit
.
(
Optional
) Create a Device Onboarding Rule to associate the firewall with a folder and push a configuration when the firewall first connects to
Strata Cloud Manager
.
Associate a firewall with your Palo Alto Networks Customer Support Portal (CSP) account.
Log in to

Strata Cloud Manager

.

In the bottom-left corner of the window, select the icon for your tenant and select

Settings

Device Associations

.



Add Devices

.

Select one or more firewalls you want to onboard with your CSP account.

You can use the firewall serial number you gathered in the previous step to search for a specific firewall.

Save

.


Associate the firewall with
Strata Cloud Manager
.
In Device Associations, select the firewall you added and
Associate Apps
.

For the Licensed Products, select
AIOps for NGFW
.
From the
Select Firewall Model, License Type, and Term
drop-down, select the firewall and support license to apply to the firewall.
The model for the firewall license must match the firewall model you are onboarding to
Strata Cloud Manager
.
Apply Licenses
.

In the Device Associations page, verify the Associated Apps for the onboarded firewall display
AIOps for NGFW
and
Strata Logging Service
.
Add the available device to
Strata Cloud Manager
.
Select

Workflows

NGFW Setup

Device Management

Available Devices

.

In the

Available Devices

select the firewall you just added.

Move to Cloud Management

.

You are prompted to confirm the number of selected firewalls. Click

Move to Cloud Management

to continue.



(

Optional

) Apply

Labels

to the onboarded firewall.

You can select an existing label or create a new label by typing the label you want to create.

Click

Move to Cloud

to continue adding the firewall to

Strata Cloud Manager

.



Confirm that the selected firewall is now listed in the list of

Cloud Managed Devices

and that the

Onboarding Status

shows

Success

.


Verify that the firewall successfully onboarded to
Strata Cloud Manager
.
Two configuration pushes occur by default to the firewall after successful onboarding to
Strata Cloud Manager
. The first push from
Strata Cloud Manager
automatically enables the Advanced Routing Engine and restarts the firewall. The second pushes the configuration from
Strata Cloud Manager
to the firewall.
If the Advanced Routing Engine is not automatically enabled as part of the onboarding process to
Strata Cloud Manager
, you need to manually enable Advanced Routing on the firewall.
Select
Workflows
NGFW Setup
Device Management
Cloud Managed Devices
.
You should see the serial number for the firewall that you just added, but you won’t see any additional device information for it yet.
Log in to the firewall CLI and verify the firewall successfully connected to
Strata Cloud Manager
.
After you connect the firewall to
Strata Cloud Manager
, it’s automatically converted to logical router mode, restarted, and
Strata Cloud Manager
pushes the default configuration to the firewall.
For this to work, make sure:
You’ve completed the earlier step to install the device certificate on the firewall.
The firewall meets the prerequisites for
Strata Cloud Manager
.
You’ve resolved variables. If variables aren’t resolved,
Strata Cloud Manager
will fail to push the default configuration to the firewall.
admin> 
show cloud-management-status

Verify the firewall successfully connected to a
Strata Cloud Manager
Endpoint
and that the
Connected
status displays
Yes
.
Once the firewall is
Connected
, the firewall automatically converts to logical router mode and restarts, and
Strata Cloud Manager
pushes the default configuration to the firewall.
Return to
Strata Cloud Manager
and select
Workflows
NGFW Setup
Device Management
and verify that the details for the firewall appear, such as serial number, model, type, and IP address.
By default, newly onboarded firewalls are added to the
All Firewalls
folder.
Create and associate your firewall with a folder.
Folders are used to logically group your firewalls for simplified configuration management. Skip this step if you created a device onboarding rule to automatically move the firewall to a target folder.
(
HA only
) Both firewalls must be in the same folder to configure HA. If you need to configure your firewalls in a high availability (HA) configuration, be sure to plan your folder structure accordingly and move both firewalls to the same folder before you configure HA.
Additionally, firewalls in an HA configuration can't be moved to a new folder. To move them, you must first break the HA configuration, move both firewalls to the new folder, and then reconfigure HA.
Select
Workflows
NGFW Setup
Folder Management
and
Add Folder
to create a new folder.
Locate the newly added firewall that is associated with the
All Firewalls
by default.
In the Action column,
Move
the firewall to the folder you created.
(
Optional
) Modify the displayed firewall name.
By default, firewalls onboarded to
Strata Cloud Manager
display the firewall serial number as the displayed firewall name throughout
Strata Cloud Manager
. Rename the displayed firewall from the serial number to a more user-friendly name to make it easier to identify.
Select
Workflows
NGFW Setup
Folder Management
and locate the firewall you onboarded.
In the Actions column, expand the Actions menu and
Edit
.
Enter a new
Display Name
for the firewall.
Save
.
Review the predefined interface and logical router configurations.
The predefined interfaces and logical router configuration are required to successfully push configuration changes to managed firewalls after they’re successfully added to
Strata Cloud Manager
.
$eth-internet (eth1/3)
—Ethernet interface for outbound internet connections. Associated with the default logical router configuration.
$eth-local (eth1/4)
—Ethernet interface for local network connections. Associated with the default router configuration.
The predefined interface and logical router configuration are associated with the default
All Firewalls
folder and are inherited by all other folders you create. You might reassign the
$eth-internet
and
$eth-local
interfaces for a newly created folder or for the individual firewall as needed.
Select

Manage

Configuration

Device Settings

Interfaces

Ethernet

and verify that

$eth-internet

and

$eth-local

are displayed.

To reassign the interface, click the interface name to select a new

Default Interface Assignment

and

Save

.



Select

Manage

Configuration

Device Settings

Routing

Logical Routers

and verify the

default

logical router is displayed.


Push Config
to push your configuration changes.
Select
Manage
Operation
Push Status
and to verify that your configuration push was successful.
Finally, check the Strata Cloud Manager Command Center and confirm that your firewall appears in the
Summary
view.