Panorama Changes

PAN-OS® 8.0 has the following changes in default behavior for Panorama™ features:
Management access
To configure interfaces on Panorama, you now select PanoramaSetupInterfaces (instead of PanoramaSetupManagement).
Log collection
  • When adding or editing a Log Collector (PanoramaManaged Collectors), you now configure interfaces in the Interfaces tab, which replaces the Management, Eth1, and Eth2 tabs in the Collector dialog.
  • When the Panorama virtual appliance is in Panorama mode and is deployed in a high availability (HA) configuration, you can configure both HA peers to collect logs, not just the active peer.
  • Logs databases have been consolidated on both M-Series appliances in Panorama mode and Dedicated Log Collectors.
    • Detailed Firewall Logs—Traffic, Threat, Application Statistics, URL, Wildfire® Submissions, Data Filtering, HIP Match, User-ID™, Tunnel, and Authentication
    • Summary Firewall Logs—Traffic Summary, Threat Summary, URL Summary, and Tunnel Inspection Summary
    • Infrastructure and Audit Logs—Config, System, and User-ID
    • Palo Alto Networks® Platform Logs—Traps™ ESM and Aperture™
    • Third-Party External Logs
  • By default, 4% of the total disk space has been allocated for the newly introduced Palo Alto Networks Platform Logs and 3rd Party External Logs and databases.
Commit and push operations
  • When pushing configurations to managed firewalls or Log Collectors, Panorama now pushes the running configuration instead of the candidate configuration. Therefore, you must commit changes to Panorama before pushing the changes to firewalls or Log Collectors.
  • With these commit workflow changes on Panorama that allow you to choose whether to commit on Panorama, push to devices, or commit and push, Commit is available (green) even when you have no pending changes on Panorama and all managed firewalls and Log Collectors are in sync with Panorama (which means that you have successfully pushed all changes you made on Panorama to all managed firewalls and appliances).
Content and software updates
Firewalls and Log Collectors now retrieve software and content updates from Panorama over port 28443 instead of Panorama pushing the updates over port 3978.
NAT deployment
(PAN-OS 8.0.8 and later releases) To enable a Panorama management server that is behind a NAT device and that runs a PAN-OS 8.0 or later release to manage firewalls that are also running PAN-OS 8.0 or a later release, you must run a new CLI command in operational mode on Panorama: set dlsrvr server [FQDN | IP-address], where [FQDN | IP-address] is the IP address or FQDN of the Panorama management (MGT) interface. To display the current value of this setting, run the show dlsrvr server command. If you stop deploying a NAT device between Panorama and firewalls, delete the value by running the delete dlsrvr server command.

Related Documentation