Device > Setup > Management

On a firewall, select Device > Setup > Management to configure management settings.
On Panorama™, select Device > Setup > Management to configure firewalls that you manage with Panorama templates. Select Panorama > Setup > Management to configure management settings for Panorama.
The following management settings apply to both the firewall and Panorama except where noted.
Item
Description
General Settings
Hostname
Enter a hostname (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
If you don’t enter a value, PAN-OS® uses the firewall model (for example, PA-5220_2) as the default.
Optionally, you can configure the firewall to use a hostname that a DHCP server provides. See Accept DHCP server-provided Hostname (Firewall only).
Configure a unique host name to easily identify the device you are managing.
Domain
Enter the name of the network domain for the firewall (up to 31 characters).
Optionally, you can configure the firewalls and Panorama to use a domain that a DHCP server provides. See Accept DHCP server-provided Domain (Firewall only).
Accept DHCP server-provided Hostname (Firewall only)
(Applies only when the Management Interface IP Type is DHCP Client) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field.
Accept DHCP server-provided Domain (Firewall only)
(Applies only when the Management Interface IP Type is DHCP Client) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the Domain field.
Login Banner
Enter text (up to 3,200 characters) to display on the web interface login page below the Name and Password fields.
Force Admins to Acknowledge Login Banner
Select this option to display and force administrators to select I Accept and Acknowledge the Statement Below (above the login banner on the login page), which forces administrators to acknowledge that they understand and accept the contents of the message before they can Login.
SSL/TLS Service Profile
Assign an existing SSL/TLS Service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Device > Certificate Management > SSL/TLS Service Profile). The firewall or Panorama uses this certificate to authenticate to administrators who access the web interface through the management (MGT) interface or through any other interface that supports HTTP/HTTPS management traffic (see Network > Network Profiles > Interface Mgmt). If you select none (default), the firewall or Panorama uses a predefined certificate.
The predefined certificate is provided for convenience. For better security, assign an SSL/TLS Service profile. To ensure trust, the certificate must be signed by a certificate authority (CA) certificate that is in the trusted root certificate store of the client systems.
Time Zone
Select the time zone of the firewall.
Locale
Select a language for PDF reports from the drop-down. See Monitor > PDF Reports > Manage PDF Summary.
Even if you have a specific language preference set for the web interface, PDF reports will use the language specified for Locale.
Date
Set the date on the firewall; enter the current date (in YYYY/MM/DD format) or select the date from the drop-down.
You can also define an NTP server (Device > Setup > Services).
Time
Set the time on the firewall; enter the current time (in 24-hour format) or select the time from the drop-down.
You can also define an NTP server (Device > Setup > Services).
Serial Number
(Panorama virtual appliances only) Enter the serial number for Panorama. You can find the serial number in the order fulfillment email you received from Palo Alto Networks®.
Latitude
Enter the latitude (-90.0 to 90.0) of the firewall.
Longitude
Enter the longitude (-180.0 to 180.0) of the firewall.
Automatically acquire commit lock
Select this option to automatically apply a commit lock when you change the candidate configuration. For more information, see Lock Configurations.
Enable Automatically Acquire Commit Lock so that other administrators can’t make configuration changes until the first administrator commits her/his changes.
Certificate Expiration Check
Instruct the firewall to create warning messages when on-box certificates approach their expiration date.
Enable Certificate Expiration Check to generate a warning message when on-box certificates approach their expiration date.
Multiple Virtual System Capability
Enables the use of multiple virtual systems on firewalls that support this feature (see Device > Virtual Systems).
To enable multiple virtual systems on a firewall, firewall policies must reference no more than 640 distinct user groups. If necessary, reduce the number of referenced user groups. After you enable and add multiple virtual systems, the policies can reference another 640 user groups for each additional virtual system.
URL Filtering Database
(Panorama only) Select a URL Filtering vendor for use with Panorama: brightcloud or paloaltonetworks (PAN-DB).
Use Hypervisor Assigned MAC Addresses
(VM-Series firewalls only) Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema.
If you enable this option and use an IPv6 address for the interface, the interface ID cannot use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if you use the EUI-64 format.
GTP Security
Select this option to enable the ability to inspect the control plane and user dataplane messages in the GPRS Tunneling Protocol (GTP) traffic. See Objects > Security Profiles > Mobile Network Protection to configure a Mobile Network Protection profile so that you can enforce policy on GTP traffic.
SCTP Security
Select this option to enable the ability to inspect and filter Stream Control Transmission Protocol (SCTP) packets and chunks, and to apply SCTP initiation (INIT) flood protection. See Objects > Security Profiles > SCTP Protection. For SCTP INIT flood protection, see Configure SCTP INIT Flood Protection.
Advanced Routing
Select this option to enable the advanced routing engine, which supports BGP and static routes. You must commit and reboot the firewall for the change to the new routing engine to take effect (or to change back to the legacy route engine).
Advanced Routing is in preview mode and that feature set is limited.
Tunnel Acceleration
Select this option to improve performance and throughput for traffic going through GRE tunnels, VXLAN tunnels, and GTP-U tunnels. This option is enabled by default.
  • GRE and VXLAN tunnel acceleration—Supported on PA-3200 Series firewalls and PA-7000 Series firewalls with PA-7000-NPC and SMC-B.
  • GTP-U tunnel acceleration—Supported on PA-7000 Series firewalls with PA-7000-NPC and SMC-B. For GTP-U tunnel traffic to have tunnel acceleration, Tunnel Acceleration must be enabled, GTP must be enabled, no tunnel content inspection (TCI) policy rules for the GTP-U protocol can be configured, and a Security policy rule with a Mobile Network Protection profile attached must allow the GTP traffic.
If you disable or re-enable Tunnel Acceleration and commit, you must reboot the firewall.
Device Certificate
Get certificate
Click to enter the One Time Password (OTP) generated from the Palo Alto Networks Customer Support Portal. The device certificate is required to successfully authenticate Panorama with the CSP and leverage cloud services such as Zero Touch Provisioning (ZTP), IoT, Device Telemetry, and Enterprise Data Loss Prevention (DLP). After you successfully install the device certificate, the following is displayed:
  • Current Device Certificate Status—The current status of the device certificate (Valid, Invalid, or Expired).
  • Not Valid Before—Timestamp indicating when the device certificate validity begins.
  • Not Valid After—Timestamp indicating when the device certificate validity expires and the device certificate becomes Invalid or Expired.
  • Last Fetched Message—Message indicating whether the device certificate was installed successfully or the installation failed.
  • Last Fetched Status—The status of fetching the device certificate (success or failed).
  • Last Fetched Timestamp—Timestamp of the last device certificate installation attempt.
Authentication Settings
Authentication Profile
Select the authentication profile (or sequence) the firewall uses to authenticate administrative accounts that you define on an external server instead of locally on the firewall (see Device > Authentication Profile). When external administrators log in, the firewall requests authentication and authorization information (such as the administrative role) from the external server.
Enabling authentication for external administrators requires additional steps based on the server type that the authentication profile specifies, which must be one of the following:
Administrators can use SAML to authenticate to the web interface but not to the CLI.
Select None to disable authentication for external administrators.
For administrative accounts that you define locally (on the firewall), the firewall authenticates using the authentication profile assigned to those accounts (see Device > Administrators).
Certificate Profile
Select a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the firewall web interface. For instructions on configuring certificate profiles, see Device > Certificate Management > Certificate Profile.
Configure a certificate profile to ensure that the administrator’s host machine has the right certificates to authenticate with the Root CA certificate defined in the certificate profile.
Idle Timeout
Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout.
Both manual and automatic refreshing of web interface pages (such as the Dashboard and System Alarms dialog) reset the Idle Timeout counter. To enable the firewall to enforce the timeout when you are on a page that supports automatic refreshing, set the refresh interval to Manual or to a value higher than the Idle Timeout. You can also disable Auto Refresh in the ACC tab.
Set the Idle Timeout to 10 minutes to prevent unauthorized users from accessing the firewall if an administrator leaves a firewall session open.
API Key Lifetime
Enter the length of time (in minutes) for which the API key is valid (range is 0 to 525,600; default is 0). A value of 0 means that the API key never expires.
Expire All API Keys
Select Expire All API Keys to invalidate all previously generated API keys. Use this option with caution because all existing keys are rendered useless and any operation where you are currently using those API keys will stop functioning.
Perform this operation during a maintenance window so that you can replace the keys without disrupting current implementations where you referenced the API keys.
API Keys Last Expired
Displays the timestamp of when the API key last expired. This field has no value if you have never reset your keys.
Failed Attempts
Enter the number of failed login attempts (0 to 10) that the firewall allows for the web interface and CLI before locking out the administrator account. A value of 0 specifies unlimited login attempts. The default value is 0 for firewalls in normal operational mode and 10 for firewalls in FIPS-CC mode. Limiting login attempts can help protect the firewall from brute force attacks.
If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out.
Set the number of Failed Attempts to 5 or fewer to accommodate a reasonable number of retries in case of typing errors, while preventing malicious systems from trying brute force methods to log in to the firewall.
Lockout Time
Enter the number of minutes (range is 0 to 60) for which the firewall locks out an administrator from access to the web interface and CLI after reaching the Failed Attempts limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account.
If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the user is locked out after the set number of failed login attempts until another administrator manually unlocks the account.
Set the Lockout Time to at least 30 minutes to prevent continuous login attempts from a malicious actor.
Max Session Count
Enter the number of concurrent sessions allowed for all administrator and user accounts (range is 0 to 4). A value of 0 (default) means that an unlimited amount of concurrent sessions are allowed.
In FIPS-CC mode, the range is 0 to 4 with a default value of 4. Enter a value of 0 to allow an unlimited amount of concurrent sessions.
Max Session Time
Enter the number of minutes (range is 60 to 1,499) that an active, non-idle administrator can remain logged in. Once this max session time is reached, the session is terminated and requires re-authentication to begin another session. The default value is set to 0 (30 days), which cannot be manually entered. If no value is entered, the Max Session Time defaults to 0.
In FIPS-CC mode, the range is 60 to 1,499 and the default value is 720. If no value is entered, the Max Session Time defaults to 720.
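As an added example (not Palo Alto Networks code), the following Python audit checks the Authentication Settings described above (Idle Timeout, Failed Attempts, Lockout Time, Max Session Count, API Key Lifetime) together with the SSL/TLS Service Profile and commit lock settings against this page's recommendations, and shows the same check passing once the recommended values are applied. The XML element names are a constructed simplification modeled on the setting names, not the PAN-OS configuration schema, so adapt them to a real configuration export.

```python
"""Audit administrator authentication settings against the guidance on this page.

Added example, not Palo Alto Networks code. The XML fragment is CONSTRUCTED and
only mirrors the setting names used on this page (it is not the exact PAN-OS
configuration schema); adapt the element names to a real configuration export.
"""
import xml.etree.ElementTree as ET

# Constructed sample with several weak values, used as the audit input.
SAMPLE_CONFIG = """
<management>
  <idle-timeout>60</idle-timeout>
  <failed-attempts>5</failed-attempts>
  <lockout-time>0</lockout-time>
  <max-session-count>0</max-session-count>
  <api-key-lifetime>0</api-key-lifetime>
  <auto-acquire-commit-lock>no</auto-acquire-commit-lock>
  <ssl-tls-service-profile></ssl-tls-service-profile>
</management>
"""

# Page guidance: Idle Timeout 10 min, Failed Attempts 5 or fewer (never 0),
# Lockout Time at least 30 min.
RECOMMENDED = {"idle_timeout": 10, "failed_attempts": 5, "lockout_time": 30}


def _int(root, tag, default):
    """Read an integer child element, falling back to the page's stated default."""
    text = root.findtext(tag)
    return int(text) if text and text.strip() else default


def parse_management(xml_text):
    """Extract the settings this audit cares about from a management fragment."""
    root = ET.fromstring(xml_text)
    return {
        "idle_timeout": _int(root, "idle-timeout", 60),         # default 60 min
        "failed_attempts": _int(root, "failed-attempts", 0),    # default 0 = unlimited
        "lockout_time": _int(root, "lockout-time", 0),
        "max_session_count": _int(root, "max-session-count", 0),
        "api_key_lifetime": _int(root, "api-key-lifetime", 0),  # 0 = keys never expire
        "commit_lock": (root.findtext("auto-acquire-commit-lock") or "no") == "yes",
        "ssl_tls_profile": (root.findtext("ssl-tls-service-profile") or "").strip(),
    }


def audit(s):
    """Return (severity, finding) tuples; an empty list means the settings follow the page."""
    findings = []
    if s["idle_timeout"] == 0:
        findings.append(("high", "Idle Timeout 0: inactivity never logs an administrator out"))
    elif s["idle_timeout"] > RECOMMENDED["idle_timeout"]:
        findings.append(("medium", f"Idle Timeout {s['idle_timeout']} min exceeds the recommended 10"))
    if s["failed_attempts"] == 0:
        findings.append(("high", "Failed Attempts 0: unlimited login attempts (brute force risk)"))
    elif s["failed_attempts"] > RECOMMENDED["failed_attempts"]:
        findings.append(("medium", f"Failed Attempts {s['failed_attempts']} exceeds the recommended 5"))
    # The page gives special semantics to Lockout Time 0 when Failed Attempts is set;
    # make the lockout duration explicit instead of relying on that case.
    if s["failed_attempts"] != 0 and s["lockout_time"] < RECOMMENDED["lockout_time"]:
        findings.append(("medium", f"Lockout Time {s['lockout_time']} min is below the recommended 30"))
    if s["max_session_count"] == 0:
        findings.append(("low", "Max Session Count 0: unlimited concurrent administrator sessions"))
    if s["api_key_lifetime"] == 0:
        findings.append(("low", "API Key Lifetime 0: API keys never expire"))
    if not s["commit_lock"]:
        findings.append(("low", "Automatically Acquire Commit Lock is disabled"))
    if not s["ssl_tls_profile"]:
        findings.append(("medium", "No SSL/TLS Service profile: the predefined certificate is in use"))
    return findings


def harden(s):
    """Return a copy with the page's recommended values applied (profile name is a placeholder)."""
    h = dict(s)
    h.update(RECOMMENDED)
    h["max_session_count"] = 4          # the FIPS-CC default, as an explicit ceiling
    h["api_key_lifetime"] = 1440        # one day; any non-zero value gives keys an expiry
    h["commit_lock"] = True
    h["ssl_tls_profile"] = h["ssl_tls_profile"] or "mgmt-tls-profile-PLACEHOLDER"
    return h


if __name__ == "__main__":
    current = parse_management(SAMPLE_CONFIG)
    for severity, text in audit(current):
        print(f"[{severity}] {text}")
    print("after hardening:", audit(harden(current)))
```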
Policy Rulebase Settings
Require Tag on Policies
Requires at least one tag when creating a new policy rule. If a policy rule already exists when you enable this option, you must add at least one tag the next time you edit the rule.
Require Description on Policies
Requires that you add a Description when you create a new policy rule. If a policy rule already exists when you enable this option, you must add a Description the next time you edit the rule.
Fail Commit if Policies Have No Tags or Descriptions
Forces your commit to fail if you do not add any tags or a description to the policy rule. If a policy rule already exists when you enable this option, the commit fails if no tag or description is added the next time you edit the rule.
To fail the commit, you must enable Require Tag on Policies or Require Description on Policies.
Require Audit Comment on Policies
Requires an Audit Comment when creating a new policy rule. If a policy rule already exists when you enable this option, you must add an Audit Comment the next time you edit the rule.
Audit Comment Regular Expression
Specify requirements for the comment format parameters in audit comments.
Policy Rule Hit Count
Tracks how often traffic matches the policy rules you configured on the firewall. When enabled, you can view the total Hit Count for total traffic matches against each rule along with the date and time when the rule was Created, Modified, was First Hit and Last Hit.
Policy Application Usage
Panorama Settings: Device > Setup > Management
Configure the following settings on the firewall or in a template on Panorama. These settings establish a connection from the firewall to Panorama.
You must also configure connection and object sharing settings on Panorama (Panorama Settings: Panorama > Setup > Management).
The firewall uses an SSL connection with AES256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure the SSL connections between Panorama, firewalls, and log collectors, see Secure Client Communication to configure custom certificates between the firewall and Panorama or a log collector.
Panorama Servers
Enter the IP address or FQDN of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second Panorama Servers field, enter the IP address or FQDN of the secondary Panorama server.
Auth Key
Enter the device registration auth key generated on Panorama.
Receive Timeout for Connection to Panorama
Enter the timeout (in seconds) for receiving TCP messages from Panorama (range is 1 to 240; default is 240).
Send Timeout for Connection to Panorama
Enter the timeout (in seconds) for sending TCP messages to Panorama (range is 1 to 240; default is 240).
Retry Count for SSL Send to Panorama
Enter the number of retry attempts allowed when sending Secure Socket Layer (SSL) messages to Panorama (range is 1 to 64; default is 25).
Enable Automated Commit Recovery
Select this option to have the firewall automatically verify its connection to the Panorama management server when a configuration is committed and pushed to the firewall, and at configured intervals after a configuration is successfully pushed.
When enabled, and the firewall fails to verify its connection to the Panorama management server, the firewall and Panorama management automatically revert their configuration to the previous running configuration to restore connectivity.
Number of attempts to check for Panorama connectivity
When Enable Automated Commit Recovery is enabled, configure the number of times the firewall tests its connection to the Panorama management server.
Interval between retries (sec)
When Enable Automated Commit Recovery is enabled, configure the time in seconds between successive attempts by the firewall to test its connection to the Panorama management server.
Secure Client Communication
Enable Secure Client Communication to ensure that the firewall uses configured custom certificates (instead of the default certificate) to authenticate SSL connections with Panorama or log collectors.
  • None (default)—No device certificate is configured and the default predefined certificate is used.
  • Local—The firewall uses a local device certificate and the corresponding private key generated on the firewall or imported from an existing enterprise PKI server.
    • Certificate—Select the local device certificate you generated or imported. This certificate can be unique to the firewall (based on a hash of the serial number of that firewall) or it can be a common device certificate used by all firewalls that connect to Panorama.
    • Certificate Profile—Select the Certificate Profile from the drop-down. The Certificate Profile defines the CA certificate for verifying client certificates and how to verify certificate revocation status.
  • SCEP—The firewall uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
    • SCEP Profile—Select a SCEP Profile (Device > Certificate Management > SCEP) from the drop-down. The SCEP Profile provides Panorama with the necessary information to authenticate client devices against a SCEP server in your enterprise PKI.
    • Certificate Profile—Select the Certificate Profile (Device > Certificate Management > Certificate Profile) from the drop-down. The Certificate Profile defines the CA certificate for verifying client certificates and how to verify certificate revocation status.
  • Customize Communication—The firewall uses its configured custom certificate to authenticate with the selected devices.
    • Panorama Communication—The firewall uses the configured client certificate for communication with Panorama.
    • PAN-DB Communication—The firewall uses the configured client certificate for communication with a PAN-DB appliance.
    • WildFire Communication—The firewall uses the configured client certificate for communication with a WildFire® appliance.
    • Log Collector Communication—The firewall uses the configured client certificate for communication with a Log Collector.
    • Check Server Identity—(Panorama and Log Collector Communication only) The firewall confirms the identity of the server by matching the common name (CN) with the IP address or FQDN of the server.
Disable/Enable Panorama Policy and Objects
This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama).
Disable Panorama Policy and Objects to disable the propagation of device group policies and objects to the firewall. By default, this action also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall, in the dialog that opens when you click this option, select Import Panorama Policy and Objects before disabling. After you perform a commit, these policies and objects become part of the firewall configuration and Panorama no longer manages them.
For multi-vsys firewalls, you must first import the template configuration and then import the device group configuration to successfully disable the Panorama pushed configuration.
Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require rules and object values that differ from those defined in the device group. An example is when you move a firewall out of production and into a laboratory environment for testing.
To revert firewall policy and object management to Panorama, click Enable Panorama Policy and Objects.
Disable/Enable Device and Network Template
This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama).
Disable Device and Network Template to disable the propagation of template information (device and network configurations) to the firewall. By default, this action also removes the template information from the firewall. To keep a local copy of the template information on the firewall, in the dialog that opens when you select this option, select Import Device and Network Templates before disabling. After you perform a commit, the template information becomes part of the firewall configuration and Panorama no longer manages that information.
For multi-vsys firewalls, you must first import the template configuration and then import the device group configuration to successfully disable the Panorama pushed configuration.
Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require device and network configuration values that differ from those defined in the template. An example is when you move a firewall out of production and into a laboratory environment for testing.
To configure the firewall to accept templates again, click Enable Device and Network Templates.
Panorama Settings: Panorama > Setup > Management
If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections from Panorama to managed firewalls, as well as object sharing parameters.
You must also configure Panorama connection settings on the firewall or in a template on Panorama: see Panorama Settings: Device > Setup > Management.
The firewall uses an SSL connection with AES256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure these SSL connections, see Customize Secure Server Communication to configure custom certificates between Panorama and its clients.
Receive Timeout for Connection to Device
Enter the timeout (in seconds) for receiving TCP messages from all managed firewalls (range is 1 to 240; default is 240).
Send Timeout for Connection to Device
Enter the timeout (in seconds) for sending TCP messages to all managed firewalls (range is 1 to 240; default is 240).
Retry Count for SSL Send to Device
Enter the number of allowed retry attempts when sending Secure Socket Layer (SSL) messages to managed firewalls (range is 1 to 64; default is 25).
Share Unused Address and Service Objects with Devices
Select this option (enabled by default) to share all Panorama shared objects and device-group-specific objects with managed firewalls.
If you disable this option, the appliance checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that the appliance sends only necessary objects to managed firewalls.
If you have a policy rule that targets specific devices in a device group, then the objects used in that policy are considered used in that device group.
Objects defined in ancestors will take higher precedence
Select this option (disabled by default) to specify that the object values in ancestor groups take precedence over those in descendant groups when device groups at different levels in the hierarchy have objects of the same type and name but with different values. This means that when you perform a device group commit, the ancestor values replace any override values. Likewise, this option causes the value of a shared object to override the values of objects of the same type and name in device groups.
Selecting this option displays the Find Overridden Objects link.
Find Overridden Objects
Select this option (bottom of the Panorama Settings dialog) to list any shadowed objects. A shadowed object is an object in the Shared location that has the same name but a different value in a device group. The link displays only if you specify that Objects defined in ancestors will take higher precedence.
Enable reporting and filtering on groups
Select this option (disabled by default) to enable Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from firewalls. This option is global to all device groups in Panorama. However, you must also enable local storage at the level of each device group by specifying a Master Device and configuring the firewall to Store users and groups from Master Device.
Secure Communication Settings
: Panorama > Setup > Management
Customize Secure Server Communication
  • Custom Certificate Only—When enabled, Panorama accepts only custom certificates for authentication with managed firewalls and Log Collectors.
  • SSL/TLS Service Profile—Select an SSL/TLS service profile from the drop-down. This profile defines the certificate and supported SSL/TLS versions that the firewall can use to communicate with Panorama.
  • Certificate Profile—Select a certificate profile from the drop-down. This certificate profile defines certificate revocation-checking behavior and the root CA used to authenticate the certificate chain presented by the client.
  • Authorization List—Add and configure a new authorization profile using the following fields to set the criteria for authorizing client devices that can connect to Panorama. The Authorization List supports a maximum of 16 profile entries.
    • Identifier—Select Subject or Subject Alt. Name as the authorization identifier.
    • Type—If you selected Subject Alt. Name as the Identifier, then select IP, hostname, or e-mail as the identifier type. If you selected Subject, then you must use common name as the identifier type.
    • Value—Enter the identifier value.
  • Authorize Clients Based on Serial Number—Panorama authorizes client devices based on a hash of the device serial number.
  • Check Authorization List—Panorama checks client device identities against the authorization list. A device need match only one criterion on the list to be authorized. If no match is found, the device is not authorized.
  • Disconnect Wait Time (min)—The amount of time (in minutes) that Panorama waits before terminating the current connection with its managed devices. Panorama then reestablishes connections with its managed devices using the configured secure server communications settings. The wait time begins after you commit the secure server communications configuration.
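As an added example (not Palo Alto Networks code), the Python below models the Authorization List rules just described (Subject requires the common name type; Subject Alt. Name takes IP, hostname or e-mail; at most 16 entries; a client need match only one entry) and the firewall-side Check Server Identity rule from the Secure Client Communication section (CN matched against the configured IP address or FQDN). Certificate identities are supplied as already-extracted fields (constructed samples), not parsed from real certificates, and the comparison rules (case-insensitive hostnames, normalized IP comparison, exact CN and e-mail match) are this example's assumptions.

```python
"""Model of the Authorization List and Check Server Identity rules described on this page.

Added example, not Palo Alto Networks code. Certificate identities are supplied as
already-extracted fields (constructed samples), not parsed from real certificates;
the comparison rules below are this example's assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_ENTRIES = 16  # the Authorization List supports at most 16 profile entries
SAN_TYPES = ("IP", "hostname", "e-mail")


@dataclass(frozen=True)
class AuthEntry:
    identifier: str   # "Subject" or "Subject Alt. Name"
    type: str         # "common name" for Subject; one of SAN_TYPES otherwise
    value: str


@dataclass
class CertIdentity:
    """Fields of a client certificate relevant to authorization (constructed input)."""
    common_name: str
    san_ip: list = field(default_factory=list)
    san_hostname: list = field(default_factory=list)
    san_email: list = field(default_factory=list)


def validate_entries(entries):
    """Enforce the structural rules the page states for the list."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"Authorization List allows at most {MAX_ENTRIES} entries")
    for e in entries:
        if e.identifier == "Subject" and e.type != "common name":
            raise ValueError("Subject identifier requires the 'common name' type")
        if e.identifier == "Subject Alt. Name" and e.type not in SAN_TYPES:
            raise ValueError(f"Subject Alt. Name type must be one of {SAN_TYPES}")
        if e.identifier not in ("Subject", "Subject Alt. Name"):
            raise ValueError(f"unknown identifier {e.identifier!r}")


def _same_ip(a, b):
    """Compare two IP literals after normalization (e.g. IPv6 short vs. full form)."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def entry_matches(entry, ident):
    """Does one Authorization List entry match the presented certificate identity?"""
    if entry.identifier == "Subject":
        return entry.value == ident.common_name
    if entry.type == "IP":
        return any(_same_ip(entry.value, v) for v in ident.san_ip)
    if entry.type == "hostname":
        return any(entry.value.casefold() == v.casefold() for v in ident.san_hostname)
    return any(entry.value == v for v in ident.san_email)


def is_authorized(entries, ident):
    """A device need match only one entry; with no match it is not authorized."""
    validate_entries(entries)
    return any(entry_matches(e, ident) for e in entries)


def server_identity_ok(server_common_name, configured_server):
    """Check Server Identity: the server CN must match its configured IP address or FQDN."""
    if _same_ip(server_common_name, configured_server):
        return True
    return server_common_name.casefold() == configured_server.casefold()


# Constructed authorization list and client identities for the demonstration.
AUTH_LIST = [
    AuthEntry("Subject", "common name", "fw-branch-01"),
    AuthEntry("Subject Alt. Name", "hostname", "fw-dc-02.example.net"),
    AuthEntry("Subject Alt. Name", "IP", "2001:db8::10"),
]
CLIENT_OK_BY_CN = CertIdentity(common_name="fw-branch-01")
CLIENT_OK_BY_SAN = CertIdentity(common_name="other", san_hostname=["FW-DC-02.example.net"])
CLIENT_OK_BY_IP = CertIdentity(common_name="x", san_ip=["2001:0db8:0000:0000:0000:0000:0000:0010"])
CLIENT_DENIED = CertIdentity(common_name="fw-branch-02", san_email=["noc@example.net"])

if __name__ == "__main__":
    for c in (CLIENT_OK_BY_CN, CLIENT_OK_BY_SAN, CLIENT_OK_BY_IP, CLIENT_DENIED):
        verdict = "authorized" if is_authorized(AUTH_LIST, c) else "not authorized"
        print(f"{c.common_name}: {verdict}")
```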
Secure Client Communications
Using Secure Client Communication ensures that the client Panorama uses configured custom certificates (instead of the default predefined certificate) to authenticate SSL connections with another Panorama appliance in an HA pair or a WildFire appliance.
  • Predefined (default)—No device certificate is configured and Panorama uses the default predefined certificate.
  • Local—Panorama uses a local device certificate and the corresponding private key generated on the firewall or imported from an existing enterprise PKI server.
    • Certificate—Select the local device certificate.
    • Certificate Profile—Select the Certificate Profile from the drop-down.
  • SCEP—Panorama uses a device certificate and private key generated by a Simple Certificate Enrollment Protocol (SCEP) server.
    • SCEP Profile—Select a SCEP Profile from the drop-down.
    • Certificate Profile—Select the Certificate Profile from the drop-down.
  • Customize Communication
    • HA Communication—Panorama uses the configured client certificate for HA communication with its HA peer.
    • WildFire Communication—Panorama uses the configured client certifi