Authentication Key for Secure Onboarding
Onboard new firewalls, Log Collectors, and WildFire appliances to the Panorama™ management server using a secure device registration authentication key generated on Panorama.
To strengthen your security posture when onboarding new firewalls, Dedicated Log Collectors, and WildFire appliances to a Panorama™ management server, PAN-OS 10.1 introduces improved mutual authentication between a new device and Panorama on first connection. You can configure an authentication key to have a specific lifetime, specify the count to determine the number of times the authentication key can be used to onboard new devices, specify one or more serial numbers for which the authentication key is valid, and specify for which devices the authentication key is valid. A device registration authentication key expires after 90 days. After 90 days, you are prompted re-certify the authentication key to maintain its validity, otherwise the authentication key becomes invalid and is no longer usable.
To securely onboard a new firewall, you must generate a unique device registration authentication key on Panorama. You then import this authentication key to the device to securely authenticate and connect to Panorama when the device is onboarded for the first time. A system log is generated each time a firewall uses the Panorama-generated authentication key is used. Additionally, the device uses the authentication key to authenticate Panorama when it delivers the device certificate that is used for all subsequent communications.
PAN-OS 10.1 only) Panorama running PAN-OS 10.1.3 or later release supports onboarding firewalls running PAN-OS 10.1.3 or later releases only. You cannot add a firewall running PAN-OS 10.1.2 or earlier PAN-OS 10.1 release to Panorama management if Panorama is running PAN-OS 10.1.3 or later release.
There is no impact to firewalls already managed by Panorama on upgrade to PAN-OS 10.1.3.
- Create the device registration authentication key.
- SelectandPanoramaDevice Registration Auth KeyAdda new authentication key.
- Configure the authentication key.
- Name—Enter a descriptive name for the authentication key.
- Lifetime—Enter the key lifetime to specify how long the authentication key may be used to onboard new firewalls or Log Collectors.
- Count—Specify how many times the authentication key may be used to onboard new firewalls or Log Collectors.
- Device Type—Specify whether the authentication key may be used forFirewalls,Log Collectors, orAnydevice.
- (Optional)Devices—Enter one or more device serial numbers to specify for which firewalls or Log Collectors the authentication key is valid.
- Copy Auth KeyandClose.
- On Panorama, add a firewall as a managed device.You must add the device registration authentication key when you configure the Panorama server IP address on the firewall.The device registration authentication key is required only when manually onboarding a firewall to Panorama management. A device registration authentication key is not required when bootstrapping or leveraging Zero Touch Provisioning (ZTP) to onboard a firewall to Panorama management because both provide their own security when onboarding a firewall.
- Add a Dedicated Log Collector to Panorama as a managed collector.
- On Panorama, configure a managed collector.
- Add the device registration authentication key.admin>request authkey set <auth key>
- Add a WildFire appliance to manage with Panorama.
- Log in to the WildFire CLI and add the device registration authentication key.admin>request authkey set <auth key>
- Verify that the managed firewall, Log Collector, and WildFire appliance are connected to Panorama.
- Selectand verify that thePanoramaManaged DevicesSummaryDevice Statefor the new device shows asConnected.
- Selectand verify that the Run TimePanoramaManaged CollectorsStatusfor the Log Collector shows asConnected.
- Selectand verify that thePanoramaManaged WildFire AppliancesConnectedstatus for the WildFire appliance shows asConnected.
Recommended For You
Recommended videos not found.