1. Home
    2. PAN-OS
    3. PAN-OS ® New Features Guide
    4. Panorama Features
    5. Authentication Key for Secure Onboarding

    Authentication Key for Secure Onboarding

    Onboard new firewalls, Log Collectors, and WildFire appliances to the Panorama™ management server using a secure device registration authentication key generated on Panorama.
    To strengthen your security posture when onboarding new firewalls, Dedicated Log Collectors, and WildFire appliances to a Panorama™ management server, PAN-OS 10.1 introduces improved mutual authentication between a new device and Panorama on first connection. You can configure an authentication key to have a specific lifetime, specify the count to determine the number of times the authentication key can be used to onboard new devices, specify one or more serial numbers for which the authentication key is valid, and specify for which devices the authentication key is valid. A device registration authentication key expires after 90 days. After 90 days, you are prompted re-certify the authentication key to maintain its validity, otherwise the authentication key becomes invalid and is no longer usable.
    To securely onboard a new firewall, you must generate a unique device registration authentication key on Panorama. You then import this authentication key to the device to securely authenticate and connect to Panorama when the device is onboarded for the first time. A system log is generated each time a firewall uses the Panorama-generated authentication key is used. Additionally, the device uses the authentication key to authenticate Panorama when it delivers the device certificate that is used for all subsequent communications.
    (
    PAN-OS 10.1 only
    ) For devices running a PAN-OS 10.1 release, Panorama running PAN-OS 10.1.3 or later release supports onboarding devices running PAN-OS 10.1.3 or later release only. You cannot add a device running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release to Panorama management if Panorama is running PAN-OS 10.1.3 or later release.
    Panorama supports onboarding devices running the following releases:
    • Panorama running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release—
       Devices running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release, and devices running PAN-OS 10.0 or earlier PAN-OS release.
    • Panorama running PAN-OS 10.1.3 or later release—
       Devices running PAN-OS 10.1.3 or later release, and devices running PAN-OS 10.0 or earlier PAN-OS release.
    There is no impact to devices already managed by Panorama on upgrade to PAN-OS 10.1.
    2. Create the device registration authentication key.
      1. Select
        Panorama
        Device Registration Auth Key
         and
        Add
         a new authentication key.
      2. Configure the authentication key.
        • Name
          —Enter a descriptive name for the authentication key.
        • Lifetime
          —Enter the key lifetime to specify how long the authentication key may be used to onboard new firewalls or Log Collectors.
        • Count
          —Specify how many times the authentication key may be used to onboard new firewalls or Log Collectors.
        • Device Type
          —Specify whether the authentication key may be used for
          Firewalls
          ,
          Log Collectors
          , or
          Any
           device.
        • (
          Optional
          )
          Devices
          —Enter one or more device serial numbers to specify for which firewalls or Log Collectors the authentication key is valid.
      3. Click
        OK
        .
      4. Copy Auth Key
         and
        Close
        .
    3. You must add the device registration authentication key when you configure the Panorama server IP address on the firewall.
      The device registration authentication key is required only when manually onboarding a firewall to Panorama management. A device registration authentication key is not required when leveraging Zero Touch Provisioning (ZTP) to onboard a firewall to Panorama management because ZTP provides its own security when onboarding a firewall.
    4. Add a Dedicated Log Collector to Panorama as a managed collector.
      3. Add the device registration authentication key. 
        admin>
         request authkey set <auth key>
    5. Add a WildFire appliance to manage with Panorama.
      2. Log in to the WildFire CLI and add the device registration authentication key. 
        admin>
         request authkey set <auth key>
    6. Verify that the managed firewall, Log Collector, and WildFire appliance are connected to Panorama.
      1. Select
        Panorama
        Managed Devices
        Summary
         and verify that the
        Device State
         for the new device shows as
        Connected
        .
      2. Select
        Panorama
        Managed Collectors
         and verify that the Run Time
        Status
         for the Log Collector shows as
        Connected
        .
      3. Select
        Panorama
        Managed WildFire Appliances
         and verify that the
        Connected
         status for the WildFire appliance shows as
        Connected
        .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo