Prepare to Deploy App-ID Cloud Engine
Set up and deploy the App-ID Cloud Engine (ACE).
There are several onboarding tasks to do before the firewall can use the App-ID Cloud Engine (ACE). You can deploy ACE on standalone firewalls or use Panorama to deploy ACE on managed firewalls.
Before a firewall can use ACE to provide specific App-IDs for traffic previously identified as ssl, web-browsing, unknown-tcp, and unknown-udp traffic, the PAN-OS administrator and the SaaS Security administrator must work together to:
- Install a valid device certificate on each appliance that will use ACE, including Panorama appliances that manage ACE firewalls. (PAN-OS administrator.)
- Activate SaaS Security Inline on each firewall that will use ACE. Panorama doesn’t require a license. (SaaS Security administrator.)
- Configure a service route for communication between the firewall and ACE. (PAN-OS administrator.)
- Enable ACE on Panorama appliances that manage firewalls that will use ACE. (PAN-OS administrator.) On firewalls, ACE is enabled by default after SaaS Security Inline is activated; on Panorama it is disabled by default.
- Create a Security policy rule that allows ACE traffic. (PAN-OS administrator.)
- Configure Log Forwarding from the firewall to the Cortex Data Lake (CDL). (PAN-OS administrator.)
At the appropriate step in the following procedure, the PAN-OS administrator should notify the SaaS Security administrator that the deployment is ready for SaaS Security Inline activation. After activating SaaS Security Inline, the SaaS Security Inline administrator should notify the PAN-OS administrator that the deployment is ready to complete on the PAN-OS devices. Communication between the administrators is essential to achieving a smooth deployment.
- Standalone firewalls, Panorama appliances, and managed firewalls must run PAN-OS 10.1 or later.
- Each firewall that will use ACE must have a purchased SaaS Security Inline license. Panorama does not require a license to manage ACE firewalls or to push ACE configurations to managed firewalls.
- All ACE appliances must be able to connect to the US, APAC, or EU GCP region, depending on your location (the region is selected automatically based on your CDL region). Verify that the firewall uses the correct Content Cloud FQDN for your region and change the FQDN if necessary: Device > Setup > Content-ID > Content Cloud Setting.
ACE data, including traffic payloads, is sent to the servers in the selected region. If you specify a Content Cloud FQDN that is outside of your region (for example, you are in the EU region but specify the APAC region FQDN), traffic payloads leave your region and you may violate your country's or your organization's privacy and legal regulations.
The PAN-OS administrator completes the first two steps of the procedure and then hands it off to the SaaS Security Inline administrator for activation (Step 3). After activation, the SaaS Security Inline administrator hands the rest of the procedure off to the PAN-OS administrator to complete on the PAN-OS devices.
- Bring the firewall and Panorama (if using) online. (PAN-OS administrator.)
- Install a Device Certificate on individual firewalls so that they can use cloud services, or use Panorama to Install the Device Certificate for Managed Firewalls. (PAN-OS administrator.) Hand off the next step to the SaaS Security administrator.
- Activate SaaS Security Inline on every firewall that will use ACE. Activation enables ACE on the firewalls. (SaaS Security administrator.) Panorama does not require a SaaS Security Inline license to manage firewalls that use ACE. Only managed firewalls need licenses, which you must retrieve manually as shown in the next step. Hand off the rest of the steps to the PAN-OS administrator.
- Retrieve the SaaS Security Inline license on each firewall (Panorama doesn't need a license) and verify that it is activated. (PAN-OS administrator.) The SaaS Security administrator's activation sets up the licenses for the firewall, so you don't have to go to the Customer Support Portal or obtain Auth Codes.
- Go to Device > Licenses and, under License Management, select Retrieve license keys from license server to retrieve the license.
- Check Device > Licenses to ensure that the SaaS Security Inline license is active.
- Configure a data services (dataplane) service route so that the firewall can communicate with the App-ID Cloud Engine. (PAN-OS administrator.)
You can push this configuration to managed firewalls from Panorama. Both Panorama and the managed firewalls must run PAN-OS 10.1 or later.
By default, the firewall uses the management interface as the source interface for the data services service route. It is recommended that you instead configure a dataplane interface that has connectivity to cloud services as the Source Interface and Source Address for data services, as shown later in this step.
The reason is an explicit proxy limitation. If an explicit proxy is configured on the management interface and you use the management interface for the data services service route, the management interface can connect only to the Knowledge Cloud Service (KCS), which manages the cloud application catalog and signatures. With an explicit proxy configured, the management interface cannot connect to the Detection Cloud Service (DCS), which checks application payloads against existing ACE App-IDs and returns verdicts. KCS and DCS are both services in the ACE cloud and ACE needs both, so a management interface with an explicit proxy cannot be used for the ACE data services service route. In this case, you must use a dataplane interface on the firewall for data services. Panorama uses the management port by default to connect to KCS and does not connect to DCS, so the DCS limitation does not apply to Panorama.
To configure the service route on a dataplane interface instead of the default management interface:
- Select Device > Setup > Services and, under Service Features, select Service Route Configuration.
- Select Customize.
- Select the IPv4 tab.
- Click Data Services in the Service column to open the Service Route Source dialog box.
- Select a Source Interface and Source Address (these cannot be the management interface).
- Click OK to set the source interface and address.
- Click OK to set the Service Route Configuration.
- Select Policies > Security and add a Security policy rule that allows traffic from the source interface you specified earlier in this procedure to the FQDNs for the KCS and DCS services: kcs.ace.tpcloud.paloaltonetworks (KCS service for all regions) and hawkeye.services-edge.paloaltonetworks.com (US region DCS service), eu.hawkeye.services-edge.paloaltonetworks.com (EU region DCS service), or apac.hawkeye.services-edge.paloaltonetworks.com (APAC region DCS service). Also allow the following two FQDNs in a new or existing Security policy rule: ocsp.paloaltonetworks.com and crl.paloaltonetworks.com, which the firewall uses for certificate revocation checking (OCSP and CRL). Finally, add or modify a Security policy rule to allow ACE traffic by allowing the following three applications: paloalto-ace, paloalto-ace-kcs, and paloalto-dlp-service. The firewall resolves FQDN address objects with its configured DNS servers, so it must also be able to resolve these names.
- Make sure that the DCS FQDN for your region (hawkeye.services-edge.paloaltonetworks.com, or its eu. or apac. equivalent) and kcs.ace.tpcloud.paloaltonetworks are reachable from firewalls, and that kcs.ace.tpcloud.paloaltonetworks is reachable from Panorama devices. (PAN-OS administrator.) Run the operational command admin@fw1> show cloud-appid connection-to-cloud. The output tells you whether the connection to the cloud is working and whether the license is installed.
- (Panorama only) Enable ACE on any Panorama appliance that manages ACE-enabled firewalls. (PAN-OS administrator.) ACE is disabled by default on Panorama. If you push ACE configurations to a device group in which some or all firewalls do not have ACE enabled, the push fails.
- Navigate to Panorama > Setup > ACE and locate the Settings section.
- Click edit and then clear Disable App-ID Cloud Engine.
- The Enable App-ID Cloud Engine dialog appears. Click Yes to enable ACE.
- Commit the change.
- Wait for the App-ID catalog to download. (PAN-OS administrator.) There are fewer than four thousand content-provided App-IDs. After you download the ACE catalog, you see many thousands more applications on the firewall. You can confirm this by checking Objects > Applications or by running the operational CLI command show cloud-appid cloud-app-data application all to see the new App-IDs.
- (Panorama only) Push the desired configuration to the managed firewall(s). (PAN-OS administrator.)
- Configure Log Forwarding to Cortex Data Lake (CDL) and enable Log Forwarding with the correct Log Forwarding profile in Security policy rules. (PAN-OS administrator.)
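The following pre-flight script is an added example for the connectivity and region requirements in this procedure; it is not part of this page or of PAN-OS. It builds the per-region FQDN list that the Security policy rule must allow (KCS for all regions, the regional DCS, and the OCSP/CRL hosts), flags the cross-region misconfiguration described in the privacy warning above (for example, an EU CDL region paired with the APAC DCS endpoint), and optionally probes DNS resolution and TCP/443 reachability from the host it runs on. The FQDNs are taken from this page as written, including kcs.ace.tpcloud.paloaltonetworks without a top-level domain; verify the exact names against your own firewall. The function names and the `--probe` flag are this example's own.

```python
"""Pre-flight check for ACE cloud endpoints (added example, not PAN-OS code)."""
import json
import socket
import sys

# Endpoints exactly as listed in the procedure above.
KCS_FQDN = "kcs.ace.tpcloud.paloaltonetworks"  # written without a TLD on the page; confirm on your firewall
DCS_BY_REGION = {
    "US": "hawkeye.services-edge.paloaltonetworks.com",
    "EU": "eu.hawkeye.services-edge.paloaltonetworks.com",
    "APAC": "apac.hawkeye.services-edge.paloaltonetworks.com",
}
CERT_CHECK_FQDNS = ("ocsp.paloaltonetworks.com", "crl.paloaltonetworks.com")
ACE_APPLICATIONS = ("paloalto-ace", "paloalto-ace-kcs", "paloalto-dlp-service")


def required_fqdns(cdl_region, panorama=False):
    """FQDNs a device in cdl_region must reach.

    A firewall needs KCS, its own region's DCS, and the OCSP/CRL hosts for
    certificate verification. Panorama only talks to KCS (it never contacts DCS).
    """
    region = cdl_region.upper()
    if region not in DCS_BY_REGION:
        raise ValueError(f"unknown CDL region {cdl_region!r}; expected one of {sorted(DCS_BY_REGION)}")
    fqdns = [KCS_FQDN]
    if not panorama:
        fqdns.append(DCS_BY_REGION[region])
        fqdns.extend(CERT_CHECK_FQDNS)
    return fqdns


def dcs_region(fqdn):
    """Return the region served by a DCS FQDN, or None if it is not a DCS endpoint."""
    wanted = fqdn.strip().lower()
    for region, host in DCS_BY_REGION.items():
        if wanted == host:
            return region
    return None


def region_mismatch(cdl_region, configured_dcs_fqdn):
    """Warning text if the DCS endpoint serves a different region than the CDL
    region (payloads would leave your region), else None."""
    expected = cdl_region.upper()
    actual = dcs_region(configured_dcs_fqdn)
    if actual is None:
        return f"{configured_dcs_fqdn} is not a known ACE DCS endpoint"
    if actual != expected:
        return (f"CDL region is {expected} but DCS endpoint {configured_dcs_fqdn} "
                f"serves {actual}: traffic payloads would be sent outside your region")
    return None


def probe(fqdn, port=443, timeout=3.0):
    """Resolve fqdn and try a TCP connect. Returns (resolved, connected, detail).

    This tests the path from the host running the script, not the firewall's
    dataplane interface; 'show cloud-appid connection-to-cloud' is authoritative.
    """
    try:
        infos = socket.getaddrinfo(fqdn, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return (False, False, f"DNS failure: {exc}")
    host, *_ = infos[0][4]
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (True, True, f"connected to {host}:{port}")
    except OSError as exc:
        return (True, False, f"resolved to {host} but connect failed: {exc}")


def preflight(cdl_region, configured_dcs_fqdn, panorama=False, do_probe=False):
    """Assemble the allow-list, the region check, and optional reachability results."""
    report = {
        "device": "panorama" if panorama else "firewall",
        "allow_fqdns": required_fqdns(cdl_region, panorama),
        "allow_applications": list(ACE_APPLICATIONS),
        "region_warning": None if panorama else region_mismatch(cdl_region, configured_dcs_fqdn),
        "reachability": {},
    }
    if do_probe:
        for fqdn in report["allow_fqdns"]:
            resolved, connected, detail = probe(fqdn)
            report["reachability"][fqdn] = {"resolved": resolved, "connected": connected, "detail": detail}
    return report


if __name__ == "__main__":
    # Usage: python ace_preflight.py EU eu.hawkeye.services-edge.paloaltonetworks.com [--probe]
    region = sys.argv[1] if len(sys.argv) > 1 else "US"
    dcs = sys.argv[2] if len(sys.argv) > 2 else DCS_BY_REGION[region.upper()]
    print(json.dumps(preflight(region, dcs, do_probe="--probe" in sys.argv), indent=2))
```

Run it without `--probe` to get the FQDN and application allow-list to put in the Security policy rule for your region, and with `--probe` to confirm that at least DNS and TCP/443 work from your network. Even if the rule allows all three regional DCS names, a firewall only ever uses the one matching its CDL region, so the narrower per-region list above is the least-privilege choice.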