Enter a hostname (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.

If you don’t enter a value, PAN-OS

®

uses the firewall model (for example, PA-5220_2) as the default.

Optionally, you can configure the firewall to use a hostname that a DHCP server provides. See Accept DHCP server-provided Hostname (Firewall only).

Enter the name of the network domain for the firewall (up to 31 characters).

Optionally, you can configure the firewalls and Panorama to use a domain that a DHCP server provides. See Accept DHCP server-provided Domain (Firewall only).

(

Applies only when the Management Interface IP Type is DHCP Client

) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field.

(

Applies only when the Management Interface IP Type is DHCP Client

) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the

Domain

field.

Enter text (up to 3,200 characters) to display on the web interface login page below the

Name

and

Password

fields.

Select this option to display and force administrators to select

I Accept and Acknowledge the Statement Below

(above the login banner on the login page), which forces administrators to acknowledge that they understand and accept the contents of the message before they can

Login

.

Assign an existing SSL/TLS Service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Device > Certificate Management > SSL/TLS Service Profile). The firewall or Panorama uses this certificate to authenticate to administrators who access the web interface through the management (MGT) interface or through any other interface that supports HTTP/HTTPS management traffic (see Network > Network Profiles > Interface Mgmt). If you select

none

(default), the firewall or Panorama uses a predefined certificate.

Select the time zone of the firewall.

Select a language for PDF reports from the drop-down. See Monitor > PDF Reports > Manage PDF Summary.

Even if you have a specific language preference set for the web interface, PDF reports will use the language specified for

Locale

.

Set the date on the firewall; enter the current date (in YYYY/MM/DD format) or select the date from the drop-down.

Set the time on the firewall; enter the current time) in 24-hour format) or select the time from the drop-down.

Enter the serial number for Panorama. You can find the serial number in the order fulfillment email you received from Palo Alto Networks®.

Enter the latitude (-90.0 to 90.0) of the firewall.

Enter the longitude (-180.0 to 180.0) of the firewall.

Select this option to automatically apply a commit lock when you change the candidate configuration. For more information, see Lock Configurations.

Instruct the firewall to create warning messages when on-box certificates approach their expiration date.

Enables the use of multiple virtual systems on firewalls that support this feature (see Device > Virtual Systems).

Select a URL Filtering vendor for use with Panorama:

brightcloud

or

paloaltonetworks

(PAN-DB).

Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema.

If you enable this option and use an IPv6 address for the interface, the interface ID cannot use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if you use the EUI-64 format.

Select this option to enable the ability to inspect the control plane and user dataplane messages in the GPRS Tunneling Protocol (GTP) traffic. See Objects > Security Profiles > Mobile Network Protection to configure a Mobile Network Protection profile so that you can enforce policy on GTP traffic.

Select this option to enable the ability to inspect and filter Stream Control Transmission Protocol (SCTP) packets and chunks, and to apply SCTP initiation (INIT) flood protection. See Objects > Security Profiles > SCTP Protection. For SCTP INIT flood protection, see Configure SCTP INIT Flood Protection.

Select this option to enable the advanced routing engine, which supports BGP and static routes. You must commit and reboot the firewall for the change to the new routing engine to take effect (or to change back to the legacy route engine).

Select this option to improve performance and throughput for traffic going through GRE tunnels, VXLAN tunnels, and GTP-U tunnels This option is enabled by default.

Click to enter the One Time Password (OTP) generated from the Palo Alto Networks Customer Support Portal. The device certificate is required to successfully authenticate Panorama with the CSP and leverage cloud services such as Zero Touch Provisioning (ZTP), IoT, Device Telemetry, and Enterprise Data Loss Prevention (DLP). After you successfully install the device certificate, the following is displayed:

Select the authentication profile (or sequence) the firewall uses to authenticate administrative accounts that you define on an external server instead of locally on the firewall (see Device > Authentication Profile). When external administrators log in, the firewall requests authentication and authorization information (such as the administrative role) from the external server.

Enabling authentication for external administrators requires additional steps based on the server type that the authentication profile specifies, which must be one of the following:

Select

None

to disable authentication for external administrators.

For administrative accounts that you define locally (on the firewall), the firewall authenticates using the authentication profile assigned to those accounts (see Device > Administrators).

Select a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the firewall web interface. For instructions on configuring certificate profiles, see Device > Certificate Management > Certificate Profile.

Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout.

Enter the length of time (in minutes) for which the API key is valid (range is 0 to 525,600; default is 0). A value of 0 means that the API key never expires.

Expire All API Keys

to invalidate all previously generated API keys. Use this option with caution because all existing keys are rendered useless and any operation where you are currently using those API keys will stop functioning.

Displays the timestamp of when the API key last expired. This field has no value if you have never reset your keys.

Enter the number of failed login attempts (0 to 10) that the firewall allows for the web interface and CLI before locking out the administrator account. A value of 0 specifies unlimited login attempts. The default value is 0 for firewalls in normal operational mode and 10 for firewalls in FIPS-CC mode. Limiting login attempts can help protect the firewall from brute force attacks.

Enter the number of minutes (range is 0 to 60) for which the firewall locks out an administrator from access to the web interface and CLI after reaching the

Failed Attempts

limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account.

Enter the number of concurrent sessions allowed for all administrator and user accounts (range is 0 to 4). A value of 0 (default) means that an unlimited amount of concurrent sessions are allowed.

Enter the number of minutes (range is 60 to 1,499) that an active, non-idle administrator can remain logged in. Once this max session time is reached, the session is terminated and requires re-authentication to begin another session. The default value is set to 0 (30 days), which cannot be manually entered. If no value is entered, the

Max Session Time

defaults to 0.

Requires at least one tag when creating a new policy rule. If a policy rule already exists when you enable this option, you must add at least one tag the next time you edit the rule.

Requires that you add a

Description

when you create a new policy rule. If a policy rule already exists when you enable this option, you must add a

Description

the next time you edit the rule.

Forces your commit to fail if you do not add any tags or a description to the policy rule. If a policy rule already exists when you enable this option, the commit will fail if no tag or description are added the next time you edit the rule.

To fail the commit, you must

Require tag on policies

or

Require description on policies

.

Requires

Audit Comment

when creating a new policy rule. If a policy rule already exists when you enable this option, you must add

Audit Comment

the next time you edit the rule.

Specify requirements for the comment format parameters in audit comments.

Tracks how often traffic matches the policy rules you configured on the firewall. When enabled, you can view the total Hit Count for total traffic matches against each rule along with the date and time when the rule was Created, Modified, was First Hit and Last Hit.

Enter the IP address or FQDN of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second

Panorama Servers

field, enter the IP address or FQDN of the secondary Panorama server.

Enter the device registration auth key generated on Panorama..

Enter the timeout (in seconds) for receiving TCP messages from Panorama (range is 1 to 240; default is 240).

Enter the timeout (in seconds) for sending TCP messages to Panorama (range is 1 to 240; default is 240).

Enter the number of retry attempts allowed when sending Secure Socket Layer (SSL) messages to Panorama (range is 1 to 64; default is 25).

Enable to enable the firewall to automatically verify its connection to the Panorama management server when a configuration is committed and pushed to the firewall, and at configured intervals after a configuration is successfully pushed.

When enabled, and the firewall fails to verify its connection to the Panorama management server, the firewall and Panorama management automatically revert their configuration to the previous running configuration to restore connectivity.

When

Enabled Automated Commit Recovery

is enabled, configure the number of times the firewall tests its connection to the Panorama management server.

When

Enable Automated Commit Recovery

is enabled, configure the time in seconds between the number of attempts the firewall tests its connection to the Panorama management server.

Enable

Secure Client Communication

to ensure that the firewall uses configured custom certificates (instead of the default certificate) to authenticate SSL connections with Panorama or log collectors.

This option displays only when you edit the

Panorama Settings

on a firewall (not in a template on Panorama).

Disable Panorama Policy and Objects

to disable the propagation of device group policies and objects to the firewall. By default, this action also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall, in the dialog that opens when you click this option, select

Import Panorama Policy and Objects before disabling

. After you perform a commit, these policies and objects become part of the firewall configuration and Panorama no longer manages them.

Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require rules and object values that differ from those defined in the device group. An example is when you move a firewall out of production and into a laboratory environment for testing.

To revert firewall policy and object management to Panorama, click

Enable Panorama Policy and Objects

.

This option displays only when you edit the

Panorama Settings

on a firewall (not in a template on Panorama).

Disable Device and Network Template

to disable the propagation of template information (device and network configurations) to the firewall. By default, this action also removes the template information from the firewall. To keep a local copy of the template information on the firewall, in the dialog that opens when you select this option, select

Import Device and Network Templates before disabling

. After you perform a commit, the template information becomes part of the firewall configuration and Panorama no longer manages that information.

To configure the firewall to accept templates again, click

Enable Device and Network Templates

.

Enter the timeout (in seconds) for receiving TCP messages from all managed firewalls (range is 1 to 240; default is 240).

Enter the timeout (in seconds) for sending TCP messages to all managed firewalls (range is 1 to 240; default is 240).

Enter the number of allowed retry attempts when sending Secure Socket Layer (SSL) messages to managed firewalls (range is 1 to 64; default is 25).

Select this option (enabled by default) to share all Panorama shared objects and device-group-specific objects with managed firewalls.

If you disable this option, the appliance checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that the appliance sends only necessary objects to managed firewalls.

If you have a policy rule that targets specific devices in a device group, then the objects used in that policy are considered used in that device group.

Select this option (disabled by default) to specify that the object values in ancestor groups take precedence over those in descendant groups when device groups at different levels in the hierarchy have objects of the same type and name but with different values. This means that when you perform a device group commit, the ancestor values replace any override values. Likewise, this option causes the value of a shared object to override the values of objects of the same type and name in device groups.

Selecting this option displays the Find Overridden Objects link.

Select this option (bottom of the Panorama Settings dialog) to list any shadowed objects. A shadowed object is an object in the Shared location that has the same name but a different value in a device group. The link displays only if you specify that Objects defined in ancestors will take higher precedence.

Select this option (disabled by default) to enable Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from firewalls. This option is global to all device groups in Panorama. However, you must also enable local storage at the level of each device group by specifying a Master Device and configuring the firewall to Store users and groups from Master Device.

Using

Secure Client Communication

ensures that the client Panorama uses configured custom certificates (instead of the default predefined certificate) to authenticate SSL connections with another Panorama appliance in an HA pair or WildFire appliance.