A Palo Alto Networks firewall that Panorama manages is called a managed device. Panorama can manage PAN-OS firewalls running the same major release or earlier supported versions, but not firewalls running a later release version. For example, Panorama 7.0 can manage firewalls running PAN-OS 7.0 or earlier supported versions, but cannot manage firewalls running PAN-OS 7.1.
Managed Firewall Administration
You can perform the following administrative tasks on firewalls.
Task Description
Add Click Add and enter the firewall serial numbers (one per row) to add them as managed devices . The Managed Devices page will then display Managed Firewall Information, including connection status, installed updates, and properties that were set during initial configuration . After adding the firewalls, enable Panorama to manage them by entering the IP address of the Panorama management server on the firewalls (see Device > Setup > Management). The firewall registers with Panorama over an SSL connection with AES-256 encryption. Panorama and the firewall authenticate each other using 2,048-bit certificates and use the SSL connection for configuration management and log collection.
Delete Select one or more firewalls and click Delete to remove them from the list of firewalls that Panorama manages.
Tag Select one or more firewalls, click Tag, and enter a text string of up to 31 characters or select an existing tag. Do not use an empty space. Wherever the web interface displays a long list of firewalls (for example, in the dialog for installing software), tags provide one means to filter the list. For example, you can use a tag called branch office to filter for all branch office firewalls across your network.
Install Click Install to install Firewall Software and Content Updates.
Group HA Peers Select Group HA Peers if you want the Managed Devices page to group firewalls that are peers in a high availability (HA) configuration. You then can only select to perform actions on both peers or neither peer in each HA pair.
Manage (Backups) Click Manage to manage Firewall Backups.
Managed Firewall Information
Select Panorama > Managed Devices to display the following information for each managed firewall.
Managed Firewall Information Description
Device Group Displays the name of the Panorama > VMware Service Manager in which the firewall is a member. By default, this column is hidden, though you can display it by selecting the drop-down in any column header and selecting Columns > Device Group. Regardless of whether the column is visible, the page displays firewalls in clusters according to their device group. Each cluster has a header row that displays the device group name, the total number of assigned firewalls, the number of connected firewalls, and the device group path in the hierarchy. For example, Datacenter (2/4 Devices Connected): Shared > Europe > Datacenter would indicate that a device group named Datacenter has four member firewalls (two of which are connected) and is a child of a device group named Europe. You can collapse or expand any device group to hide or display its firewalls.
Device Name Displays the hostname or serial number of the firewall. For the VM-Series NSX edition firewall, the firewall name appends the hostname of the ESXi host. For example, PA-VM: Host-NY5105
Virtual System Lists the virtual systems available on a firewall that is in Multiple Virtual Systems mode.
Tags Displays the tags defined for each firewall/virtual system.
Serial Number Displays the serial number of the firewall.
IP Address Displays the IP address of the firewall/virtual system.
Template Displays the template or template stack to which the firewall is assigned.
Status Device State —Indicates the state of the connection between Panorama and the firewall—Connected or Disconnected. A VM-Series firewall can have two additional states: Deactivated—Indicates that you have deactivated a virtual machine either directly on the firewall or by selecting Deactivate VMs ( Panorama > Device Deployment > Licenses) and removed all licenses and entitlements on the firewall. A deactivated firewall is no longer connected to Panorama because the deactivation process removes the serial number on the VM-Series firewall. Partially deactivated —Indicates that you have initiated the license deactivation process from Panorama, but the process is not fully complete because the firewall is offline and Panorama cannot communicate with it.
HA Status —Indicates whether the firewall is: Active—Normal traffic-handling operational state Passive—Normal backup state Initiating—The firewall is in this state for up to 60 seconds after bootup Non-functional—Error state Suspended—An administrator disabled the firewall Tentative—For a link or path monitoring event in an active/active configuration
Shared Policy —Indicates whether the policy and object configurations on the firewall are synchronized with Panorama.
Template—Indicates whether the network and device configurations on the firewall are synchronized with Panorama.
Last Commit State —Indicates whether the last commit failed or succeeded on the firewall.
Software Version | Apps and Threat | Antivirus | URL Filtering | GlobalProtect Client | WildFire Displays the software and content versions that are currently installed on the firewall. For details, see Firewall Software and Content Updates.
Backups On each firewall commit, PAN-OS automatically sends a firewall configuration backup to Panorama. Click Manage to view the available configuration backups and optionally load one. For details, see Firewall Backups.
Firewall Software and Content Updates
To install a software or content update on a managed firewall, first use the Panorama > Device Deployment pages to download or upload the update to Panorama. Then select the Panorama > Managed Devices page, click Install, and complete the following fields.
You can also install updates on firewalls using the Panorama > Device Deployment pages (see Manage Software and Content Updates).
Firewall Software/Content Update Installation Option Description
Type Select the type of update you want to install—PAN-OS Software, GlobalProtect Client software, Apps and Threats signatures, Antivirus signatures, WildFire, or URL Filtering.
File Select the update image. The drop-down includes only images that you downloaded or uploaded to Panorama using the Panorama > Device Deployment pages.
Filters Select Filters to filter the Devices list.
Devices Select the firewalls on which you want to install the image.
Device Name The firewall name.
Current Version The update version of the selected Type that is currently installed on the firewall.
HA Status Indicates whether the firewall is: Active—Normal traffic-handling operational state Passive—Normal backup state Initiating—The firewall is in this state for up to 60 seconds after bootup Non-functional—Error state Suspended—An administrator disabled the firewall Tentative—For a link or path monitoring event in an active/active configuration
Group HA Peers Select this option if you want the Devices list to group firewalls that are peers in a high availability (HA) configuration.
Filter Selected If you want the Devices list to display only specific firewalls, select the corresponding device names and Filter Selected.
Upload only to device Select this option if you want to upload the image on the firewall, but don’t want to automatically reboot the firewall. The image is installed when you manually reboot the firewall.
Reboot device after Install ( Software only ) Select this option if you want to upload and install the software image. The installation process triggers a reboot.
Disable new apps in content update ( Apps and Threats only ) Select this option if you want to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
Firewall Backups
Panorama automatically backs up every configuration change you commit to managed firewalls. To manage the backups for a firewall, select Panorama > Managed Devices, click Manage in the Backups column for the firewall, and perform any of the following tasks.
To configure the number of firewall configuration backups that Panorama stores, select Panorama > Setup > Management, edit the Logging and Reporting Settings, select Log Export and Reporting, and enter the Number of Versions for Config Backups (default is 100).
Task Description
Display details about a saved or committed configuration. In the Version column for the backup, click the saved configuration filename or committed configuration version number to display the contents of the associated XML file.
Restore a saved or committed configuration to the candidate configuration. In the Action column for the backup, click Load and Commit.
Remove a saved configuration. In the Action column for the saved backup, click Delete ( ).

Related Documentation