Device > Setup > Management
- DeviceSetupManagement
- PanoramaSetupManagement
On a firewall, select to
configure management settings.
Device
Setup
Management
On Panorama™, select to
configure firewalls that you manage with Panorama templates. Select to
configure management settings for Panorama.
Device
Setup
Management
Panorama
Setup
Management
The following management settings apply to both the firewall
and Panorama except where noted.
- Panorama Settings: Device > Setup > Management (settings configured on the firewall to connect to Panorama)
- Panorama Settings: Panorama > Setup > Management (settings configured on Panorama for connections to firewalls)
Item | Description |
---|---|
General Settings | |
Hostname | Enter a hostname (up to 31 characters).
The name is case-sensitive, must be unique, and can contain only
letters, numbers, spaces, hyphens, and underscores. If you
don’t enter a value, PAN-OS ® uses the firewall model
(for example, PA-5220_2) as the default.Optionally, you can
configure the firewall to use a hostname that a DHCP server provides.
See Accept
DHCP server-provided Hostname (Firewall only). Configure a unique host name to easily
identify the device you are managing. |
Domain | Enter the name of the network domain for
the firewall (up to 31 characters). Optionally, you can configure
the firewalls and Panorama to use a domain that a DHCP server provides.
See Accept
DHCP server-provided Domain (Firewall only). |
Accept DHCP server-provided
Hostname ( Firewall only ) | ( Applies only when the Management Interface
IP Type is DHCP Client ) Select this option to have the management
interface accept the hostname it receives from the DHCP server.
The hostname from the server (if valid) overwrites any value specified
in the Hostname field. |
Accept DHCP server-provided
Domain ( Firewall only ) | ( Applies only when the Management Interface
IP Type is DHCP Client ) Select this option to have the management
interface accept the domain (DNS suffix) it receives from the DHCP
server. The domain from the server overwrites any value specified
in the Domain field. |
Login Banner | Enter text (up to 3,200 characters) to display
on the web interface login page below the Name and Password fields. |
Force Admins to Acknowledge Login Banner | Select this option to display and force
administrators to select I Accept and Acknowledge the Statement
Below (above the login banner on the login page), which
forces administrators to acknowledge that they understand and accept
the contents of the message before they can Login . |
SSL/TLS Service Profile | Assign an existing SSL/TLS Service profile
or create a new one to specify a certificate and the SSL/TLS protocol settings
allowed on the management interface (see Device
> Certificate Management > SSL/TLS Service Profile). The
firewall or Panorama uses this certificate to authenticate to administrators
who access the web interface through the management (MGT) interface
or through any other interface that supports HTTP/HTTPS management
traffic (see Network
> Network Profiles > Interface Mgmt). If you select none (default),
the firewall or Panorama uses a predefined certificate.The predefined certificate is provided
for convenience. For better security, assign an SSL/TLS Service
profile. To ensure trust, the certificate must be signed by a certificate
authority (CA) certificate that is in the trusted root certificate
store of the client systems. |
Time Zone | Select the time zone of the firewall. |
Locale | Select a language for PDF reports from the
drop-down. See Monitor
> PDF Reports > Manage PDF Summary. Even if you have
a specific language preference set for the web interface, PDF reports
will use the language specified for Locale . |
Date | Set the date on the firewall; enter the
current date (in YYYY/MM/DD format) or select the date from the drop-down. You
can also define an NTP server ( Device Setup Services |
Time | Set the time on the firewall; enter the
current time) in 24-hour format) or select the time from the drop-down. You
can also define an NTP server ( Device Setup Services |
Serial Number ( Panorama virtual appliances
only ) | Enter the serial number for Panorama. You
can find the serial number in the order fulfillment email you received
from Palo Alto Networks®. |
Latitude | Enter the latitude (-90.0 to 90.0) of the
firewall. |
Longitude | Enter the longitude (-180.0 to 180.0) of
the firewall. |
Automatically acquire commit lock | Select this option to automatically apply
a commit lock when you change the candidate configuration. For more information,
see Lock
Configurations. Enable Automatically
Acquire Commit Lock so that other administrators can’t
make configuration changes until the first administrator commits
her/his changes. |
Certificate Expiration Check | Instruct the firewall to create warning
messages when on-box certificates approach their expiration date. Enable Certificate Expiration
Check to generate a warning message when on-box certificates
approach their expiration date. |
Multiple Virtual System Capability | Enables the use of multiple virtual systems
on firewalls that support this feature (see Device
> Virtual Systems). To enable
multiple virtual systems on a firewall, firewall policies must reference
no more than 640 distinct user groups. If necessary, reduce the
number of referenced user groups. Then, after you enable and add
multiple virtual systems, the policies can then reference another
640 user groups for each additional virtual system. |
URL Filtering Database ( Panorama only ) | Select a URL Filtering vendor for use with
Panorama: brightcloud or paloaltonetworks (PAN-DB). |
Use Hypervisor Assigned MAC Addresses ( VM-Series
firewalls only ) | Select this option to have the VM-Series
firewall use the MAC address that the hypervisor assigned, instead
of generating a MAC address using the PAN-OS custom schema. If
you enable this option and use an IPv6 address for the interface,
the interface ID cannot use the EUI-64 format, which derives the
IPv6 address from the interface MAC address. In a high availability
(HA) active/passive configuration, a commit error occurs if you
use the EUI-64 format. |
GTP Security | Select this option to enable the ability
to inspect the control plane and user dataplane messages in the
GPRS Tunneling Protocol (GTP) traffic. See Objects > Security
Profiles > Mobile Network Protection to configure a Mobile
Network Protection profile so that you can enforce policy on GTP
traffic. |
SCTP Security | Select this option to enable the ability
to inspect and filter Stream Control Transmission Protocol (SCTP)
packets and chunks, and to apply SCTP initiation (INIT) flood protection.
See Objects
> Security Profiles > SCTP Protection. For SCTP INIT flood
protection, see Configure SCTP INIT Flood Protection. |
Advanced Routing | Select this option to enable the advanced
routing engine, which supports BGP and static routes. You must commit
and reboot the firewall for the change to the new routing engine
to take effect (or to change back to the legacy route engine). Advanced
Routing is in preview mode and that feature set is limited. |
Tunnel Acceleration | Select this option to improve performance
and throughput for traffic going through GRE tunnels, VXLAN tunnels,
and GTP-U tunnels This option is enabled by default.
If you disable or re-enable Tunnel Acceleration
and commit, you must reboot the firewall. |
Device Certificate | |
Get certificate | Click to enter the One Time Password (OTP)
generated from the Palo Alto Networks Customer Support Portal.
The device certificate is required to successfully authenticate
Panorama with the CSP and leverage cloud services such as Zero Touch
Provisioning (ZTP), IoT, Device Telemetry, and Enterprise Data Loss Prevention
(DLP). After you successfully install the device certificate, the
following is displayed:
|
Authentication
Settings | |
Authentication Profile | Select the authentication profile (or sequence)
the firewall uses to authenticate administrative accounts that you define
on an external server instead of locally on the firewall (see Device
> Authentication Profile). When external administrators log
in, the firewall requests authentication and authorization information
(such as the administrative role) from the external server. Enabling
authentication for external administrators requires additional steps
based on the server type that the authentication profile specifies,
which must be one of the following: Administrators
can use SAML to authenticate to the web interface but not to the CLI. Select None to
disable authentication for external administrators.For administrative
accounts that you define locally (on the firewall), the firewall
authenticates using the authentication profile assigned to those
accounts (see Device
> Administrators). |
Certificate Profile | Select a certificate profile to verify the
client certificates of administrators who are configured for certificate-based access
to the firewall web interface. For instructions on configuring certificate
profiles, see Device
> Certificate Management > Certificate Profile. Configure a certificate profile to ensure
that the administrator’s host machine has the right certificates
to authenticate with the Root CA certificate defined in the certificate
profile. |
Idle Timeout | Enter the maximum time (in minutes) without
any activity on the web interface or CLI before an administrator
is automatically logged out (range is 0 to 1,440; default is 60). A
value of 0 means that inactivity does not trigger an automatic logout. Both manual and automatic refreshing of
web interface pages (such as the Dashboard and
System Alarms dialog) reset the Idle Timeout counter.
To enable the firewall to enforce the timeout when you are on a
page that supports automatic refreshing, set the refresh interval
to Manual or to a value higher than the Idle
Timeout . You can also disable Auto Refresh in
the ACC tab.Set
the Idle Timeout to 10 minutes to prevent
unauthorized users from accessing the firewall if an administrator
leaves a firewall session open. |
API Key Lifetime | Enter the length of time (in minutes) for
which the API key is valid (range is 0 to 525,600; default is 0).
A value of 0 means that the API key never expires. Expire
All API Keys to invalidate all previously generated
API keys. Use this option with caution because all existing keys
are rendered useless and any operation where you are currently using
those API keys will stop functioning.Perform
this operation during a maintenance window so that you can replace
the keys without disrupting current implementations where you referenced
the API keys. |
API Keys Last Expired | Displays the timestamp of when the API key
last expired. This field has no value if you have never reset your keys. |
Failed Attempts | Enter the number of failed login attempts
(0 to 10) that the firewall allows for the web interface and CLI
before locking out the administrator account. A value of 0 specifies unlimited
login attempts. The default value is 0 for firewalls in normal operational
mode and 10 for firewalls in FIPS-CC mode. Limiting login attempts
can help protect the firewall from brute force attacks. If you set the Failed Attempts to
a value other than 0 but leave the Lockout Time at
0, the Failed Attempts is ignored and the user
is never locked out.Set the
number of Failed Attempts to 5 or fewer to accommodate
a reasonable number of retries in case of typing errors, while preventing
malicious systems from trying brute force methods to log in to the
firewall. |
Lockout Time | Enter the number of minutes (range is 0
to 60) for which the firewall locks out an administrator from access
to the web interface and CLI after reaching the Failed
Attempts limit. A value of 0 (default) means the lockout
applies until another administrator manually unlocks the account.If you set the Failed Attempts to
a value other than 0 but leave the Lockout Time at
0, the user is locked out after the set number of failed login attempts
until another administrator manually unlocks the account.Set the Lockout Time to
at least 30 minutes to prevent continuous login attempts from a
malicious actor. |
Max Session Count | Enter the number of concurrent sessions
allowed for all administrator and user accounts (range is 0 to 4).
A value of 0 (default) means that an unlimited amount of concurrent sessions
are allowed. In FIPS-CC mode, the range is 0 to 4 with
a default value of 4. Enter a value of 0 to
allow an unlimited amount of concurrent sessions. |
Max Session Time | Enter the number of minutes (range is 60
to 1,499) that an active, non-idle administrator can remain logged
in. Once this max session time is reached, the session is terminated
and requires re-authentication to begin another session. The default
value is set to 0 (30 days), which cannot be manually entered. If
no value is entered, the Max Session Time defaults
to 0.In FIPS-CC mode, the range is 60 to 1,499 and
the default value is 720. If no value is entered, the Max
Session Time defaults to 720. |
Policy
Rulebase Settings | |
Require Tag on Policies | Requires at least one tag when creating
a new policy rule. If a policy rule already exists when you enable
this option, you must add at least one tag the next time you edit the
rule. |
Require Description on Policies | Requires that you add a Description when
you create a new policy rule. If a policy rule already exists when
you enable this option, you must add a Description the
next time you edit the rule. |
Fail Commit if Policies Have No Tags or
Descriptions | Forces your commit to fail if you do not
add any tags or a description to the policy rule. If a policy rule
already exists when you enable this option, the commit will fail
if no tag or description are added the next time you edit the rule. To
fail the commit, you must Require tag on policies or Require description
on policies . |
Require Audit Comment on Policies | Requires Audit Comment when
creating a new policy rule. If a policy rule already exists when
you enable this option, you must add Audit Comment the
next time you edit the rule. |
Audit Comment Regular Expression | Specify requirements for the comment format parameters
in audit comments. |
Policy Rule Hit Count | Tracks how often traffic matches the policy
rules you configured on the firewall. When enabled, you can view
the total Hit Count for total traffic matches against each rule along
with the date and time when the rule was Created, Modified, was
First Hit and Last Hit. |
Policy Application Usage | |
Panorama Settings :
Device > Setup > ManagementConfigure the following settings
on the firewall or in a template on Panorama. These settings establish
a connection from the firewall to Panorama. You must also
configure connection and object sharing settings on Panorama (Panorama
Settings: Panorama > Setup > Management). The
firewall uses an SSL connection with AES256 encryption to register
with Panorama. By default, Panorama and the firewall authenticate
each other using predefined 2,048-bit certificates and they use
the SSL connection for configuration management and log collection.
To further secure the SSL connections between Panorama, firewalls,
and log collectors, see Secure
Client Communication to configure custom certificates between
the firewall and Panorama or a log collector. | |
Panorama Servers | Enter the IP address or FQDN of the Panorama
server. If Panorama is in a high availability (HA) configuration,
in the second Panorama Servers field, enter
the IP address or FQDN of the secondary Panorama server. |
Auth Key | Enter the device registration
auth key generated on Panorama.. |
Receive Timeout for Connection to Panorama | Enter the timeout (in seconds) for receiving
TCP messages from Panorama (range is 1 to 240; default is 240). |
Send Timeout for Connection to Panorama | Enter the timeout (in seconds) for sending
TCP messages to Panorama (range is 1 to 240; default is 240). |
Retry Count for SSL Send to Panorama | Enter the number of retry attempts allowed
when sending Secure Socket Layer (SSL) messages to Panorama (range
is 1 to 64; default is 25). |
Enable Automated Commit Recovery | Enable to enable the firewall to automatically
verify its connection to the Panorama management server when a configuration
is committed and pushed to the firewall, and at configured intervals
after a configuration is successfully pushed. When enabled,
and the firewall fails to verify its connection to the Panorama
management server, the firewall and Panorama management automatically
revert their configuration to the previous running configuration
to restore connectivity. |
Number of attempts to check for Panorama connectivity | When Enabled Automated Commit Recovery is
enabled, configure the number of times the firewall tests its connection
to the Panorama management server. |
Interval between retries (sec) | When Enable Automated Commit Recovery is
enabled, configure the time in seconds between the number of attempts
the firewall tests its connection to the Panorama management server. |
Secure
Client Communication | Enable Secure Client Communication to
ensure that the firewall uses configured custom certificates (instead
of the default certificate) to authenticate SSL connections with
Panorama or log collectors.
|
| |
Disable/Enable Panorama Policy and Objects | This option displays only when you edit
the Panorama Settings on a firewall (not
in a template on Panorama).Disable Panorama Policy
and Objects to disable the propagation of device group
policies and objects to the firewall. By default, this action also
removes those policies and objects from the firewall. To keep a
local copy of the device group policies and objects on the firewall,
in the dialog that opens when you click this option, select Import
Panorama Policy and Objects before disabling . After
you perform a commit, these policies and objects become part of the
firewall configuration and Panorama no longer manages them.For
multi-vsys firewalls, you must first import the the template configuration
and then import the device group configuration to successfully disable
the Panorama pushed configuration. Under normal operating
conditions, disabling Panorama management is unnecessary and could
complicate the maintenance and configuration of firewalls. This
option generally applies to situations where firewalls require rules and
object values that differ from those defined in the device group.
An example is when you move a firewall out of production and into
a laboratory environment for testing. To revert firewall policy
and object management to Panorama, click Enable Panorama
Policy and Objects . |
Disable/Enable Device and Network Template | This option displays only when you edit
the Panorama Settings on a firewall (not
in a template on Panorama).Disable Device and
Network Template to disable the propagation of template information
(device and network configurations) to the firewall. By default,
this action also removes the template information from the firewall.
To keep a local copy of the template information on the firewall,
in the dialog that opens when you select this option, select Import Device
and Network Templates before disabling . After you perform
a commit, the template information becomes part of the firewall configuration
and Panorama no longer manages that information.For
multi-vsys firewalls, you must first import the the template configuration
and then import the device group configuration to successfully disable
the Panorama pushed configuration. Under
normal operating conditions, disabling Panorama management is unnecessary
and could complicate the maintenance and configuration of firewalls. This
option generally applies to situations where firewalls require device
and network configuration values that differ from those defined
in the template. An example is when you move a firewall out of production
and into a laboratory environment for testing. To configure
the firewall to accept templates again, click Enable
Device and Network Templates . |
Panorama Settings :
Panorama > Setup > ManagementIf you use Panorama to manage
firewalls, configure the following settings on Panorama. These settings
determine timeouts and SSL message attempts for the connections
from Panorama to managed firewalls, as well as object sharing parameters. You
must also configure Panorama connection settings on the firewall
or in a template on Panorama: see Panorama
Settings: Device > Setup > Management. The firewall
uses an SSL connection with AES256 encryption to register with Panorama.
By default, Panorama and the firewall authenticate each other using
predefined 2,048-bit certificates and they use the SSL connection
for configuration management and log collection. To further secure
these SSL connections, see Customize
Secure Server Communication to configure custom certificates
between Panorama and its clients. | |
Receive Timeout for Connection to Device | Enter the timeout (in seconds) for receiving
TCP messages from all managed firewalls (range is 1 to 240; default
is 240). |
Send Timeout for Connection to Device | Enter the timeout (in seconds) for sending
TCP messages to all managed firewalls (range is 1 to 240; default is
240). |
Retry Count for SSL Send to Device | Enter the number of allowed retry attempts
when sending Secure Socket Layer (SSL) messages to managed firewalls
(range is 1 to 64; default is 25). |
Share Unused Address and Service Objects
with Devices | Select this option (enabled by default)
to share all Panorama shared objects and device-group-specific objects with
managed firewalls. If you disable this option, the appliance
checks Panorama policies for references to address, address group, service,
and service group objects, and does not share any unreferenced objects.
This option reduces the total object count by ensuring that the
appliance sends only necessary objects to managed firewalls. If
you have a policy rule that targets specific devices in a device
group, then the objects used in that policy are considered used
in that device group. |
Objects defined in ancestors
will take higher precedence | Select this option (disabled by default)
to specify that the object values in ancestor groups take precedence
over those in descendant groups when device groups at different levels
in the hierarchy have objects of the same type and name but with
different values. This means that when you perform a device group
commit, the ancestor values replace any override values. Likewise,
this option causes the value of a shared object to override the
values of objects of the same type and name in device groups. Selecting
this option displays the Find
Overridden Objects link. |
Find Overridden Objects | Select this option (bottom of the Panorama
Settings dialog) to list any shadowed objects. A shadowed
object is an object in the Shared location that has the same name
but a different value in a device group. The link displays only
if you specify that Objects
defined in ancestors will take higher precedence. |
Enable
reporting and filtering on groups | Select this option (disabled by default)
to enable Panorama to locally store usernames, user group names,
and username-to-group mapping information that it receives from firewalls.
This option is global to all device groups in Panorama. However,
you must also enable local storage at the level of each device group
by specifying a Master
Device and configuring the firewall to Store
users and groups from Master Device. |
Secure Communication Settings :
Panorama > Setup > Management | |
Customize
Secure Server Communication |
|
Secure Client Communications | Using Secure Client Communication ensures
that the client Panorama uses configured custom certificates (instead
of the default predefined certificate) to authenticate SSL connections
with another Panorama appliance in an HA pair or WildFire appliance.
|