Onboard a Firewall
Onboard your PAN-OS firewall.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
After you activate your AIOps for NGFW Premium license, you can begin to onboard Palo Alto Networks firewalls to Strata Cloud Manager. Onboarding to Strata Cloud Manager is supported for firewalls running PAN-OS 10.2.3 and later releases. There are four components involved in firewall onboarding:
- The tenant — Created when you activate a product license on your Customer Support Portal (CSP) account. You add firewalls to your tenant to associate them with Strata Cloud Manager.
- The firewall — The Palo Alto Networks firewall that you intend to use with Strata Cloud Manager. You can only onboard a firewall that is not already associated with Strata Logging Service (CDL). If a firewall is already associated with CDL, it is ineligible for Strata Cloud Manager and isn't displayed.
- AIOps for NGFW Premium — License required for cloud management of firewalls.
- Strata Cloud Manager — The app you will be associating with the firewall to manage its configuration from the cloud.
- Review the prerequisites for onboarding your firewall to Strata Cloud Manager.
- Activate the Strata Logging Service license. Skip this step if you already activated the Prisma Access (Managed by Strata Cloud Manager) license on the same tenant on which you are activating the AIOps for NGFW Premium license.
- Activate the AIOps for NGFW Premium license. Skip this step if you already activated the AIOps for NGFW Premium license.
- Activate Cloud Identity Engine (CIE) if you plan to use user-based authentication policy rules. CIE activation is not required for initial onboarding and can be done later as needed.
- Register the firewall with the Palo Alto Networks Customer Support Portal (CSP) and activate licenses.
  - Log in to the firewall web interface and find the Serial # under the General Information widget in the Dashboard.
  - Activate the Support license on the firewall.
  - Install the device certificate on the firewall. This is required to successfully authenticate the firewall with the Palo Alto Networks CSP and use Strata Cloud Manager.
- Configure the firewall Panorama Settings required to connect to Strata Cloud Manager.
  - Configure the firewall DNS and NTP servers. This is required to successfully connect the firewall to Strata Cloud Manager and install software and content updates.
    - Select Device > Setup > Services and edit the Services.
    - Select Servers and configure the Primary DNS Server and Secondary DNS Server.
    - Select NTP and configure the Primary and Secondary NTP Server Address.
    - Click OK.
  - Configure the Panorama Settings.
    - Select Device > Setup > Management and edit the Panorama Settings.
    - Select Managed By Cloud Service.
    - (NGFW (Managed by Strata Cloud Manager) running PAN-OS 11.2 and later) Select the Port used for connectivity between the NGFW (Managed by Strata Cloud Manager) and Strata Cloud Manager.
      - Default — The default TCP port 3978. This port is dedicated to communication between the NGFW (Managed by Strata Cloud Manager) and Strata Cloud Manager.
      - 443 — TCP port 443 is the standard port for HTTP traffic encrypted with SSL. Using port 443 for communication between the NGFW (Managed by Strata Cloud Manager) and Strata Cloud Manager greatly simplifies network configuration management for both administrators and end users. Additionally, using port 443 reduces your network attack surface by reducing the number of open ports on your network.
    - (Optional for NGFW (Managed by Strata Cloud Manager) running PAN-OS 11.2 and later) Check Enable Compress Config to compress the configuration file exchanged between the NGFW (Managed by Strata Cloud Manager) and Strata Cloud Manager, in both directions, to reduce file transfer times. Enabling this setting does not add load or delay to firewall processing and does not increase commit times.
    - Click OK.
  - Commit.
- (Optional) Create a Device Onboarding Rule to associate the firewall with a folder and push a configuration when the firewall first connects to Strata Cloud Manager.
- Associate a firewall with your Palo Alto Networks Customer Support Portal (CSP) account.
  - Log in to Strata Cloud Manager.
  - In the bottom-left corner of the window, select the icon for your tenant and select Settings > Device Associations.
  - Add Devices.
  - Select one or more firewalls you want to onboard with your CSP account. You can use the firewall serial number you gathered in the previous step to search for a specific firewall.
  - Save.
- Associate the firewall with Strata Cloud Manager.
  - In Device Associations, select the firewall you added and Associate Apps.
  - For the Licensed Products, select AIOps for NGFW.
  - From the Select Firewall Model, License Type, and Term drop-down, select the firewall and support license to apply to the firewall. The model for the firewall license must match the firewall model you are onboarding to Strata Cloud Manager.
  - Apply Licenses.
  - In the Device Associations page, verify that the Associated Apps for the onboarded firewall display AIOps for NGFW and Strata Logging Service.
- Add the available device to Strata Cloud Manager.
  - Select Workflows > NGFW Setup > Device Management > Available Devices.
  - In the Available Devices, select the firewall you just added.
  - Move to Cloud Management. You are prompted to confirm the number of selected firewalls. Click Move to Cloud Management to continue.
  - (Optional) Apply Labels to the onboarded firewall. You can select an existing label or create a new label by typing the label you want to create. Click Move to Cloud to continue adding the firewall to Strata Cloud Manager.
  - Confirm that the selected firewall is now listed in the list of Cloud Managed Devices and that the Onboarding Status shows Success.
- Verify that the firewall successfully onboarded to Strata Cloud Manager. Two configuration pushes occur by default after the firewall successfully onboards to Strata Cloud Manager. The first push from Strata Cloud Manager automatically enables the Advanced Routing Engine and restarts the firewall. The second pushes the configuration from Strata Cloud Manager to the firewall. If the Advanced Routing Engine is not automatically enabled as part of the onboarding process, you need to manually enable Advanced Routing on the firewall.
  - Select Workflows > NGFW Setup > Device Management > Cloud Managed Devices. You should see the serial number for the firewall that you just added, but you won't see any additional device information for it yet.
  - Log in to the firewall CLI and verify that the firewall successfully connected to Strata Cloud Manager. After you connect the firewall to Strata Cloud Manager, it is automatically converted to logical router mode, restarted, and Strata Cloud Manager pushes the default configuration to the firewall. For this to work, make sure:
    - You've completed the earlier step to install the device certificate on the firewall.
    - The firewall meets the prerequisites for Strata Cloud Manager.
    - You've resolved variables. If variables aren't resolved, Strata Cloud Manager will fail to push the default configuration to the firewall.
    Run the following command:
    admin> show cloud-management-status
    Verify that the firewall successfully connected to a Strata Cloud Manager Endpoint and that the Connected status displays Yes. Once the firewall is Connected, it automatically converts to logical router mode and restarts, and Strata Cloud Manager pushes the default configuration to the firewall.
  - Return to Strata Cloud Manager, select Workflows > NGFW Setup > Device Management, and verify that the details for the firewall appear, such as serial number, model, type, and IP address. By default, newly onboarded firewalls are added to the All Firewalls folder.
- Create and associate your firewall with a folder. Folders are used to logically group your firewalls for simplified configuration management. Skip this step if you created a device onboarding rule to automatically move the firewall to a target folder. (HA only) Both firewalls must be in the same folder to configure HA. If you need to configure your firewalls in a high availability (HA) configuration, plan your folder structure accordingly and move both firewalls to the same folder before you configure HA. Additionally, firewalls in an HA configuration can't be moved to a new folder. To move them, you must first break the HA configuration, move both firewalls to the new folder, and then reconfigure HA.
  - Select Workflows > NGFW Setup > Folder Management and Add Folder to create a new folder.
  - Locate the newly added firewall, which is associated with All Firewalls by default.
  - In the Action column, Move the firewall to the folder you created.
- (Optional) Modify the displayed firewall name. By default, firewalls onboarded to Strata Cloud Manager display the firewall serial number as the firewall name throughout Strata Cloud Manager. Rename the firewall from the serial number to a more user-friendly name to make it easier to identify.
  - Select Workflows > NGFW Setup > Folder Management and locate the firewall you onboarded.
  - In the Actions column, expand the Actions menu and Edit.
  - Enter a new Display Name for the firewall.
  - Save.
- Review the predefined interface and logical router configurations. The predefined interfaces and logical router configuration are required to successfully push configuration changes to managed firewalls after they are added to Strata Cloud Manager.
  - $eth-internet (eth1/3) — Ethernet interface for outbound internet connections. Associated with the default logical router configuration.
  - $eth-local (eth1/4) — Ethernet interface for local network connections. Associated with the default logical router configuration.
  The predefined interface and logical router configuration are associated with the default All Firewalls folder and are inherited by all other folders you create. You can reassign the $eth-internet and $eth-local interfaces for a newly created folder or for an individual firewall as needed.
  - Select Manage > Configuration > Device Settings > Interfaces > Ethernet and verify that $eth-internet and $eth-local are displayed. To reassign an interface, click the interface name to select a new Default Interface Assignment and Save.
  - Select Manage > Configuration > Device Settings > Routing > Logical Routers and verify that the default logical router is displayed.
  - Push Config to push your configuration changes.
  - Select Manage > Operation > Push Status to verify that your configuration push was successful.
- Finally, check the Strata Cloud Manager Command Center and confirm that your firewall appears in the Summary view.
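As an added example that is not Palo Alto Networks code or part of this procedure, the following Python preflight check encodes the eligibility, version and Panorama Settings requirements stated above (PAN-OS 10.2.3 minimum, no existing CDL association, device certificate, DNS and NTP, Managed By Cloud Service, port 3978 or 443, and the 11.2 gate on port selection and Compress Config) so they can be checked before a firewall is moved to cloud management. The settings dictionary and its key names are assumptions; how the values are collected from the firewall is left to the operator.

```python
# Added example, not Palo Alto Networks code: offline preflight check of a firewall's
# management settings against this procedure's requirements. `settings` keys are assumed.

MIN_ONBOARD_VERSION = (10, 2, 3)  # onboarding supported on PAN-OS 10.2.3 and later
PORT_OPTION_VERSION = (11, 2, 0)  # Port choice and Compress Config need PAN-OS 11.2 and later
ALLOWED_PORTS = {3978, 443}       # 3978 is the dedicated default; 443 is the alternative

def parse_version(text: str) -> tuple:
    """Turn a PAN-OS version string such as '11.1.4-h2' into a comparable tuple.
    Hotfix suffixes are dropped; a missing maintenance number counts as 0."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def preflight(settings: dict) -> list:
    """Return the blocking findings for one firewall; an empty list means the
    settings are consistent with the onboarding prerequisites."""
    findings = []
    ver = parse_version(settings["panos_version"])
    if ver < MIN_ONBOARD_VERSION:
        findings.append("PAN-OS below 10.2.3: onboarding to Strata Cloud Manager is not supported")
    if settings.get("associated_with_cdl"):
        findings.append("firewall already associated with Strata Logging Service (CDL): ineligible")
    if not settings.get("device_certificate_installed"):
        findings.append("device certificate not installed: CSP authentication will fail")
    for key in ("primary_dns", "primary_ntp"):
        if not settings.get(key):
            findings.append(f"{key} not configured: cannot reach Strata Cloud Manager or fetch updates")
    if settings.get("managed_by") != "cloud-service":
        findings.append("Panorama Settings must be Managed By Cloud Service")
    port = settings.get("port", 3978)
    if port not in ALLOWED_PORTS:
        findings.append(f"port {port} is not valid: use the default 3978 or 443")
    if ver < PORT_OPTION_VERSION:
        # Both knobs are only offered on 11.2 and later; older releases use the default port
        if port != 3978:
            findings.append("port selection requires PAN-OS 11.2 or later: only the default 3978 applies")
        if settings.get("compress_config"):
            findings.append("Enable Compress Config requires PAN-OS 11.2 or later")
    return findings

# Constructed sample: an 11.1 firewall set up for port 443 with compression on.
SAMPLE = {"panos_version": "11.1.4-h2", "associated_with_cdl": False,
          "device_certificate_installed": True, "primary_dns": "203.0.113.53",
          "primary_ntp": "ntp.example.net", "managed_by": "cloud-service",
          "port": 443, "compress_config": True}

if __name__ == "__main__":
    for finding in preflight(SAMPLE) or ["no blocking findings"]:
        print(finding)
```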