Authentication Key for Secure Onboarding
Onboard new firewalls, Log Collectors, and WildFire appliances
to the Panorama™ management server using a secure device registration
authentication key generated on Panorama.
To strengthen your security posture when onboarding
new firewalls, Dedicated Log Collectors, and WildFire appliances
to a Panorama™ management server, PAN-OS 10.1 introduces improved
mutual authentication between a new device and Panorama on first
connection. You can configure an authentication key with a specific
lifetime, a count that limits how many times the key can be used
to onboard new devices, one or more serial numbers for which the
key is valid, and the device type for which the key is valid. A
device registration authentication key expires after 90 days. After
90 days, you are prompted to re-certify the authentication key to
maintain its validity; otherwise the key becomes invalid and can
no longer be used. Because anyone holding the key can register a
device within its scope, keep each key as narrow as the onboarding
allows: pin it to the serial numbers you expect, set the count to
the number of devices, and limit the lifetime to the onboarding window.
To securely onboard a new firewall, you
must generate a unique device registration authentication key on
Panorama. You then import this authentication key on the device
so that it can authenticate to and connect with Panorama when the
device is onboarded for the first time. A system log is generated
each time a firewall uses the Panorama-generated authentication key.
Additionally, the device uses the authentication key to authenticate
Panorama when Panorama delivers the device certificate that is used
for all subsequent communications.
(PAN-OS 10.1 only)
For devices running a PAN-OS 10.1 release, Panorama running PAN-OS
10.1.3 or a later release supports onboarding only devices running
PAN-OS 10.1.3 or later. You cannot add a device running PAN-OS 10.1.2
or an earlier PAN-OS 10.1 release to Panorama management if Panorama
is running PAN-OS 10.1.3 or a later release. Panorama supports
onboarding devices running the following releases:
- Panorama running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release—Devices running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release, and devices running PAN-OS 10.0 or an earlier PAN-OS release.
- Panorama running PAN-OS 10.1.3 or a later release—Devices running PAN-OS 10.1.3 or a later release, and devices running PAN-OS 10.0 or an earlier PAN-OS release.
There is no impact
to devices already managed by Panorama on upgrade to PAN-OS 10.1.
- Create the device registration authentication key.
- Select Panorama > Device Registration Auth Key and Add a new authentication key.
- Configure the authentication key.
- Name—Enter a descriptive name for the authentication key.
- Lifetime—Enter the key lifetime to specify how long the authentication key may be used to onboard new firewalls or Log Collectors.
- Count—Specify how many times the authentication key may be used to onboard new firewalls or Log Collectors.
- Device Type—Specify whether the authentication key may be used for Firewalls, Log Collectors, or Any device.
- (Optional) Devices—Enter one or more device serial numbers to specify for which firewalls or Log Collectors the authentication key is valid.
- Click OK.
- Copy Auth Key and Close. Handle the copied key as a secret until it has been consumed.
- On Panorama, add a firewall as a managed device. You must add the device registration authentication key when you configure the Panorama server IP address on the firewall. The device registration authentication key is required only when manually onboarding a firewall to Panorama management; it is not required when using Zero Touch Provisioning (ZTP) to onboard a firewall, because ZTP provides its own security when onboarding a firewall.
- Add a Dedicated Log Collector to Panorama as a managed collector.
- On Panorama, configure a managed collector.
- Add the device registration authentication key from the Log Collector CLI:
  admin> request authkey set <auth key>
- Add a WildFire appliance to manage with Panorama.
- Log in to the WildFire CLI and add the device registration authentication key:
  admin> request authkey set <auth key>
- Verify that the managed firewall, Log Collector, and WildFire appliance are connected to Panorama.
- Select Panorama > Managed Devices > Summary and verify that the Device State for the new device shows as Connected.
- Select Panorama > Managed Collectors and verify that the Run Time Status for the Log Collector shows as Connected.
- Select Panorama > Managed WildFire Appliances and verify that the Connected status for the WildFire appliance shows as Connected.
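The constraints on a device registration authentication key (Lifetime, Count, Device Type, the optional Devices serial list, and the 90-day re-certification) interact, and it helps to see how a scoped key and an over-broad key behave against the same onboarding attempts. The following is an added example written for this page; it is not PAN-OS or Panorama code and calls no Palo Alto Networks API. The class, the scope_warnings checklist, the serial numbers, and the log format are constructed, and the order in which Panorama actually evaluates these checks is an assumption.

```python
"""Model of a Panorama device registration authentication key's validity rules.
Added illustration, not PAN-OS or Panorama code; it calls no Palo Alto Networks API.
It encodes the constraints the page describes (lifetime, count, device type, optional
serial list, 90-day re-certification, a log entry per use); the order in which Panorama
evaluates them and the log format are assumptions, and all names are the author's own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

RECERTIFY_AFTER = timedelta(days=90)  # page: re-certify after 90 days or the key is unusable
DEVICE_TYPES = ("Firewalls", "Log Collectors", "Any")


@dataclass
class DeviceRegistrationAuthKey:
    name: str
    lifetime: timedelta                   # Lifetime field: the onboarding window
    count: int                            # Count field: onboardings the key may authenticate
    device_type: str                      # Device Type field
    created: datetime
    devices: tuple = ()                   # Devices field: optional serial-number allowlist
    certified: Optional[datetime] = None  # last (re-)certification; defaults to creation
    uses: int = 0
    system_log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.device_type not in DEVICE_TYPES:
            raise ValueError(f"unknown device type {self.device_type!r}")
        if self.count < 1:
            raise ValueError("count must be at least 1")
        if self.certified is None:
            self.certified = self.created

    def recertify(self, now: datetime) -> None:
        self.certified = now

    def check(self, serial: str, device_type: str, now: datetime) -> Optional[str]:
        """None if the device may redeem the key now, otherwise the reason it may not."""
        if now > self.created + self.lifetime:
            return "lifetime exceeded"
        if now > self.certified + RECERTIFY_AFTER:
            return "not re-certified within 90 days"
        if self.uses >= self.count:
            return "use count exhausted"
        if self.device_type != "Any" and device_type != self.device_type:
            return f"key is valid for {self.device_type} only"
        if self.devices and serial not in self.devices:
            return "serial number not in the key's device list"
        return None

    def redeem(self, serial: str, device_type: str, now: datetime) -> bool:
        """One onboarding attempt: success consumes a use; every attempt is logged
        (logging rejections too is this model's choice, not documented behaviour)."""
        reason = self.check(serial, device_type, now)
        verdict = f"ACCEPTED use={self.uses + 1}/{self.count}" if reason is None else f"REJECTED {reason}"
        self.system_log.append(f"{now.isoformat()} authkey={self.name} serial={serial} {verdict}")
        if reason is None:
            self.uses += 1
        return reason is None


def scope_warnings(key: DeviceRegistrationAuthKey) -> list:
    """Author's checklist: flag a key broader than the onboarding it was minted for."""
    w = []
    if not key.devices:
        w.append("no serial-number list: any device of the permitted type can redeem it")
    if key.device_type == "Any":
        w.append("device type Any: the key registers firewalls and Log Collectors alike")
    if key.count > max(len(key.devices), 1):
        w.append(f"count {key.count} exceeds the number of devices it is pinned to")
    if key.lifetime > timedelta(days=7):
        w.append("lifetime longer than a week: shorten it to the onboarding window")
    return w


def demo() -> dict:
    """Constructed scenario: a tightly scoped key beside an over-broad one."""
    t0 = datetime(2024, 1, 1)
    scoped = DeviceRegistrationAuthKey("fw-batch", timedelta(days=7), 2, "Firewalls", t0, ("SN-A", "SN-B"))
    outcomes = [
        scoped.redeem("SN-A", "Firewalls", t0 + timedelta(hours=1)),       # accepted, use 1/2
        scoped.redeem("SN-C", "Firewalls", t0 + timedelta(hours=2)),       # rejected: serial not listed
        scoped.redeem("SN-B", "Log Collectors", t0 + timedelta(hours=3)),  # rejected: wrong device type
        scoped.redeem("SN-B", "Firewalls", t0 + timedelta(hours=4)),       # accepted, use 2/2
        scoped.redeem("SN-A", "Firewalls", t0 + timedelta(hours=5)),       # rejected: count exhausted
    ]
    wide = DeviceRegistrationAuthKey("wide", timedelta(days=365), 50, "Any", t0)
    day91 = t0 + timedelta(days=91)
    before = wide.check("SN-X", "Firewalls", day91)  # lifetime remains, but certification is stale
    wide.recertify(day91)
    after = wide.redeem("SN-X", "Firewalls", day91)
    return {"scoped": outcomes, "scoped_log": scoped.system_log,
            "scoped_warnings": scope_warnings(scoped), "wide_warnings": scope_warnings(wide),
            "wide_before_recert": before, "wide_after_recert": after}
```

Running demo() shows the scoped key accepting exactly its two listed firewalls and nothing else, while the wide key is stopped only by the 90-day re-certification and, once re-certified, accepts any serial of any type. The scope_warnings output for the wide key is the review you would want before handing such a key to a field engineer.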