Onboard new firewalls, Log Collectors, and WildFire appliances
to the Panorama™ management server using a secure device registration
authentication key generated on Panorama.
To strengthen your security posture when onboarding
new firewalls, Dedicated Log Collectors, and WildFire appliances
to a Panorama™ management server, PAN-OS 10.1 introduces improved
mutual authentication between a new device and Panorama on first
connection. You can configure an authentication key to have a specific
lifetime, specify a use count that limits the number of times the
authentication key can be used to onboard new devices, specify one
or more serial numbers for which the authentication key is valid,
and specify the device types (firewall, Log Collector, or WildFire
appliance) for which the authentication key is valid.
To securely onboard a new firewall, you must generate a unique device
registration authentication key on Panorama. You then import this
authentication key to the device to securely authenticate and connect
to Panorama when the device is onboarded for the first time. A system
log is generated each time the Panorama-generated authentication key
is used. Additionally, the device uses the authentication
key to authenticate Panorama when it delivers the device certificate that
is used for all subsequent communications.
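The following is an added example, not Panorama's own code, that models the checks described above: a registration key with a lifetime, a use count, an optional allow-list of serial numbers and a set of permitted device types, a log entry for every use attempt, and the device checking that the delivered certificate came from the server holding the same key. The data model, the function names, the log line format and the use of an HMAC over the certificate for that last step are assumptions made for the illustration; the page does not describe Panorama's internal mechanism.

```python
"""Added example (not Panorama's implementation): a minimal model of a device
registration authentication key and the checks applied on first connection.
Data model, function names, log format and the HMAC construction are
assumptions for the demonstration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RegistrationKey:
    secret: str                      # the key string imported on the device
    expires_at: datetime             # lifetime, enforced at registration time
    remaining_uses: int              # count: devices that may still use it
    allowed_serials: frozenset       # empty set = any serial number
    allowed_types: frozenset         # e.g. {"firewall", "log-collector", "wildfire"}
    system_log: list = field(default_factory=list)  # one entry per use attempt


def generate_key(lifetime, count, device_types, serials=(), now=None):
    """Generate a fresh random key with the given lifetime, use count and scope."""
    now = now or datetime.now(timezone.utc)
    return RegistrationKey(secret=secrets.token_hex(32), expires_at=now + lifetime,
                           remaining_uses=count, allowed_serials=frozenset(serials),
                           allowed_types=frozenset(device_types))


def register_device(key, presented, serial, device_type, now=None):
    """Validate one first-connection attempt; returns (accepted, reason).
    Every attempt is logged; a successful one consumes one use."""
    now = now or datetime.now(timezone.utc)
    if not hmac.compare_digest(presented.encode(), key.secret.encode()):
        reason = "key mismatch"            # constant-time compare
    elif now >= key.expires_at:
        reason = "key expired"
    elif key.remaining_uses <= 0:
        reason = "use count exhausted"
    elif key.allowed_serials and serial not in key.allowed_serials:
        reason = "serial number not authorised for this key"
    elif device_type not in key.allowed_types:
        reason = "device type not authorised for this key"
    else:
        reason = "ok"
        key.remaining_uses -= 1
    accepted = reason == "ok"
    key.system_log.append(f"{now.isoformat()} authkey-use serial={serial} "
                          f"type={device_type} result={'accepted' if accepted else 'rejected'} "
                          f"reason={reason}")
    return accepted, reason


def deliver_certificate(key, cert_pem):
    """Server side (assumed construction): bind the device certificate to the
    shared key so the device can confirm who sent it."""
    tag = hmac.new(key.secret.encode(), cert_pem, hashlib.sha256).hexdigest()
    return cert_pem, tag


def device_accepts_certificate(presented, cert_pem, tag):
    """Device side: recompute the tag with the imported key; a mismatch means
    the certificate did not come from the server that issued the key."""
    expected = hmac.new(presented.encode(), cert_pem, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def run_demo():
    """Walk one onboarding with constructed values: a two-use key scoped to
    one serial and the firewall type, then certificate delivery."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    key = generate_key(timedelta(hours=1), count=2, device_types={"firewall"},
                       serials={"0123456789"}, now=t0)
    results = {
        "first": register_device(key, key.secret, "0123456789", "firewall", now=t0),
        "wrong_serial": register_device(key, key.secret, "9999999999", "firewall", now=t0),
        "wrong_type": register_device(key, key.secret, "0123456789", "wildfire", now=t0),
        "second": register_device(key, key.secret, "0123456789", "firewall", now=t0),
        "third": register_device(key, key.secret, "0123456789", "firewall", now=t0),
        "late": register_device(key, key.secret, "0123456789", "firewall",
                                now=t0 + timedelta(hours=2)),
    }
    cert, tag = deliver_certificate(key, b"-----BEGIN CERTIFICATE-----\nconstructed\n")
    results["cert_ok"] = device_accepts_certificate(key.secret, cert, tag)
    results["cert_tampered"] = device_accepts_certificate(key.secret, cert + b"x", tag)
    results["log_entries"] = len(key.system_log)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The ordering of the checks matters for what the log records: a presented value that does not match the key is rejected before any scope check, so the log never reveals which serial numbers or device types a key would have accepted.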
For devices running a PAN-OS 10.1 release, Panorama running
PAN-OS 10.1.3 or later release supports onboarding devices running PAN-OS
10.1.3 or later release only. You cannot add a device running PAN-OS 10.1.2
or earlier PAN-OS 10.1 release to Panorama management if Panorama
is running PAN-OS 10.1.3 or later release.
Panorama supports onboarding devices running the following releases:
Panorama running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release—Devices
running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release, and devices running
PAN-OS 10.0 or earlier PAN-OS release.
Panorama running PAN-OS 10.1.3 or later release—Devices
running PAN-OS 10.1.3 or later release, and devices running PAN-OS
10.0 or earlier PAN-OS release.
There is no impact
to devices already managed by Panorama on upgrade to PAN-OS 10.1.
You must add the device registration authentication key
when you configure the Panorama server IP address on the firewall.
A device registration authentication key is required only when manually
onboarding a firewall to Panorama management. A device registration authentication
key is not required when leveraging Zero Touch Provisioning (ZTP)
to onboard a firewall to Panorama management because ZTP provides
its own security when onboarding a firewall.
Add a Dedicated Log Collector to Panorama as a managed