End-of-Life (EoL)
Device > Setup > Management
- Device > Setup > Management
- Panorama > Setup > Management
On a firewall, select Device > Setup > Management to configure management settings.
On Panorama™, select Device > Setup > Management to configure firewalls that you manage with Panorama templates. Select Panorama > Setup > Management to configure settings for Panorama.
The following management settings apply to both the firewall
and Panorama, except where otherwise noted.
- Panorama Settings: Device > Setup > Management (settings configured on the firewall to connect to Panorama)
- Panorama Settings: Panorama > Setup > Management (settings configured on Panorama for its connection to firewalls)
Item | Description |
---|---|
General Settings | |
Hostname | Enter a host name (up to 31 characters).
The name is case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores. If you don’t enter
a value, PAN-OS® uses the firewall model (for example, PA-5050_2)
as the default. Optionally, you can configure the firewall
to use a hostname that a DHCP server provides. See Accept
DHCP server-provided Hostname (Firewall only). |
Domain | Enter the network domain name for the firewall
(up to 31 characters). Optionally, you can configure the firewall
to use a domain that a DHCP server provides. See Accept
DHCP server-provided Domain (Firewall only). |
Accept DHCP server-provided Hostname (Firewall only) | (Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field. Because the value then comes from whichever DHCP server answers on the management network, enable this only where that network is trusted. |
Accept DHCP server-provided Domain (Firewall only) | (Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the Domain field. The same trust caveat as for the DHCP-provided hostname applies. |
Login Banner | Enter text (up to 3,200 characters) to display
on the web interface login page below the Name and Password fields. |
Force Admins to Acknowledge Login Banner | Select this option to display the I Accept and Acknowledge the Statement Below option above the login banner on the login page and to require administrators to select it; administrators must acknowledge the message before they can Login. |
SSL/TLS Service Profile | Assign an existing SSL/TLS Service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Device > Certificate Management > SSL/TLS Service Profile). The firewall or Panorama uses this certificate to authenticate to administrators who access the web interface through the management (MGT) interface or through any other interface that supports HTTP/HTTPS management traffic (see Network > Network Profiles > Interface Mgmt). If you select none (default), the firewall or Panorama uses a predefined certificate. The predefined certificate is provided for convenience. For better security, assign an SSL/TLS Service profile. To ensure trust, the certificate must be signed by a certificate authority (CA) certificate that is in the trusted root certificate store of the client systems. |
Time Zone | Select the time zone of the firewall. |
Locale | Select a language for PDF reports from the
drop-down. See Monitor
> PDF Reports > Manage PDF Summary. Even if you have
a specific language preference set for the web interface, PDF reports
will use the language specified for Locale . |
Time | Set the date and time on the firewall. You can also define an NTP server (see Device > Setup > Services). |
Serial Number (Panorama virtual appliances only) | Enter the serial number for Panorama. Find the serial number in the order fulfillment email that you received from Palo Alto Networks®. |
Geo Location | Enter the latitude (-90.0 to 90.0) and longitude
(-180.0 to 180.0) of the firewall. |
Automatically acquire commit lock | Select this option to automatically apply
a commit lock when you change the candidate configuration. For more
information, see Lock
Configurations. |
Certificate Expiration Check | Instruct the firewall to create warning
messages when on-box certificates near their expiration dates. |
Multiple Virtual System Capability | Enables the use of multiple virtual systems
on firewalls that support this feature (see Device
> Virtual Systems). To enable
multiple virtual systems on a firewall, firewall policies must reference
no more than 640 distinct user groups. If necessary, reduce the
number of referenced user groups. Then, after you enable and add
multiple virtual systems, the policies can then reference another
640 user groups for each additional virtual system. |
URL Filtering Database (Panorama only) | Select a URL Filtering vendor for use with Panorama: brightcloud or paloaltonetworks (PAN-DB). |
Use Hypervisor Assigned MAC Addresses (VM-Series firewalls only) | Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema. If you enable this option and use an IPv6 address for the interface, the interface ID must not use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if the EUI-64 format is used. |
GTP Security | Select this option to enable the ability to inspect the control plane and user data plane messages in the GPRS Tunneling Protocol (GTP) traffic. See Objects > Security Profiles > GTP Protection to configure a GTP protection profile so that you can enforce policy on GTP traffic. GTP security is supported only on PA-5200 Series and VM-Series firewalls. |
Authentication Settings | |
Authentication Profile | Select the authentication profile (or sequence) the firewall uses to authenticate administrative accounts that you define on an external server instead of locally on the firewall (see Device > Authentication Profile). When external administrators log in, the firewall requests authentication and authorization information (such as the administrative role) from the external server. Enabling authentication for external administrators requires additional steps based on the server type that the authentication profile specifies, which must be one of the following: Administrators can use SAML to authenticate to the web interface but not to the CLI. Select None to disable authentication for external administrators. For administrative accounts that you define locally (on the firewall), the firewall authenticates using the authentication profile assigned to those accounts (see Device > Administrators). |
Certificate Profile | Select a certificate profile to verify the
client certificates of administrators who are configured for certificate-based
access to the firewall web interface. For instructions on configuring
certificate profiles, see Device
> Certificate Management > Certificate Profile. |
Idle Timeout | Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout. Both manual and automatic refreshing of web interface pages (such as the Dashboard tab and System Alarms dialog) reset the Idle Timeout counter. To enable the firewall to enforce the timeout when you are on a page that supports automatic refreshing, set the refresh interval to Manual or to a value higher than the Idle Timeout. You can also disable Auto Refresh in the ACC tab. |
Failed Attempts | Enter the number of failed login attempts (0 to 10) that the firewall allows for the web interface and CLI before locking out the administrator account. A value of 0 specifies unlimited login attempts. The default value is 0 for firewalls in normal operational mode and 10 for firewalls in FIPS-CC mode. Limiting login attempts can help protect the firewall from brute force attacks. If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the user is locked out after the set number of failed login attempts until another administrator manually unlocks the account. |
Lockout Time | Enter the number of minutes (range is 0 to 60) for which the firewall locks out an administrator from access to the web interface and CLI after reaching the Failed Attempts limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account. If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out. |
Panorama Settings: Device > Setup > Management. Configure the following settings on the firewall or in a template on Panorama. These settings establish a connection from the firewall to Panorama. You must also configure connection and object sharing settings on Panorama: see Panorama Settings: Panorama > Setup > Management. The firewall uses an SSL connection with AES-256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure the SSL connections between Panorama, firewalls, and log collectors, see Secure Client Communication to configure custom certificates between the firewall and Panorama or a log collector. | |
Panorama Servers | Enter the IP address or FQDN of the Panorama
server. If Panorama is in a high availability (HA) configuration,
in the second Panorama Servers field, enter
the IP address or FQDN of the secondary Panorama server. |
Receive Timeout for Connection to Panorama | Enter the timeout in seconds for receiving TCP messages from Panorama (range is 1 to 240; default is 240). |
Send Timeout for Connection to Panorama | Enter the timeout in seconds for sending
TCP messages to Panorama (range is 1 to 240; default is 240). |
Retry Count for SSL Send to Panorama | Enter the number of retry attempts allowed
when sending Secure Socket Layer (SSL) messages to Panorama (range
is 1 to 64; default is 25). |
Secure Client Communication | Enabling Secure Client Communication ensures that the firewall uses configured custom certificates (instead of the default certificate) to authenticate SSL connections with Panorama or log collectors. |
Disable/Enable Panorama Policy and Objects | This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama). Disable Panorama Policy and Objects to disable the propagation of device group policies and objects to the firewall. By default, this action also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall, in the dialog that opens when you click this option, select Import Panorama Policy and Objects before disabling. After you perform a commit, the policies and objects become part of the firewall configuration and Panorama no longer manages them. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require rules and object values that differ from those defined in the device group. An example is when you move a firewall out of production and into a laboratory environment for testing. To revert firewall policy and object management to Panorama, click Enable Panorama Policy and Objects. |
Disable/Enable Device and Network Template | This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama). Disable Device and Network Template to disable the propagation of template information (device and network configurations) to the firewall. By default, this action also removes the template information from the firewall. To keep a local copy of the template information on the firewall, in the dialog that opens when you select this option, select Import Device and Network Templates before disabling. After you perform a commit, the template information becomes part of the firewall configuration and Panorama no longer manages that information. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require device and network configuration values that differ from those defined in the template. An example is when you move a firewall out of production and into a laboratory environment for testing. To configure the firewall to accept templates again, click Enable Device and Network Templates. |
Panorama Settings: Panorama > Setup > Management. If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections from Panorama to managed firewalls, as well as object sharing parameters. You must also configure Panorama connection settings on the firewall, or in a template on Panorama: see Panorama Settings: Device > Setup > Management. The firewall uses an SSL connection with AES-256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure these SSL connections, see Secure Server Communication to configure custom certificates between Panorama and its clients. | |
Receive Timeout for Connection to Device | Enter the timeout in seconds for receiving
TCP messages from all managed firewalls (range is 1 to 240; default
is 240). |
Send Timeout for Connection to Device | Enter the timeout in seconds for sending
TCP messages to all managed firewalls (range is 1 to 240; default
is 240). |
Retry Count for SSL Send to Device | Enter the number of allowed retry attempts
when sending Secure Socket Layer (SSL) messages to managed firewalls
(range is 1 to 64; default is 25). |
Share Unused Address and Service Objects with Devices | Select this option to share all Panorama shared objects and device-group-specific objects with managed firewalls. This setting is enabled by default. If you clear this option, PAN-OS checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that PAN-OS sends only necessary objects to managed firewalls. If you have a policy rule that targets specific devices in a device group, then the objects used in that policy are considered used in that device group. |
Objects defined in ancestors will take higher precedence | Select this option (disabled by default) to specify that the object values in ancestor groups take precedence over those in descendant groups when device groups at different levels in the hierarchy have objects of the same type and name but with different values. This means that when you perform a device group commit, the ancestor values replace any override values. Likewise, this option causes the value of a shared object to override the values of objects of the same type and name in device groups. Selecting this option displays the Find Overridden Objects link. |
Find Overridden Objects | Click this link at the bottom of the Panorama Settings dialog to list any shadowed objects. A shadowed object is an object in the Shared location that has the same name but a different value in a device group. The link displays only if you specify that Objects defined in ancestors will take higher precedence. |
Enable reporting and filtering on groups | Select this option (disabled by default) to enable Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from firewalls. This option is global to all device groups in Panorama. However, you must also enable local storage at the level of each device group by specifying a Master Device and selecting the Store users and groups from Master Device option. |
Secure Server Communication | |
Logging and Reporting Settings. Use this section to modify: | |
Log Storage tab (Panorama management server and all firewall models except PA-5200 Series and PA-7000 Series firewalls) | Panorama displays this tab if you edit the Logging and Reporting Settings in Panorama > Setup > Management or in a template (Device > Setup > Management). For each log type, specify the log quota and expiration period. Weekly summary logs can age beyond the threshold before the next deletion if they reach the expiration threshold between times when the firewall deletes logs. When a log quota reaches the maximum size, new log entries start overwriting the oldest log entries. If you reduce a log quota size, the firewall or Panorama removes the oldest logs when you commit the changes. In a high availability (HA) active/passive configuration, the passive peer does not receive logs and, therefore, does not delete them unless failover occurs and it becomes active.
To enable the large-core file option, enter the following CLI command from configuration mode and then commit the configuration:
The core file will be deleted when you disable the option. The contents of the core files can be interpreted only by a Palo Alto Networks support engineer. |
Session Log Storage and Management Log Storage tabs (PA-5200 Series and PA-7000 Series firewalls only) | PA-5200 Series and PA-7000 Series firewalls store management logs and session logs on separate disks. Select the tab for each set of logs and configure the settings described in Log Storage tab. |
Single Disk Storage and Multi Disk Storage tabs (Panorama template only) | If you use a Panorama template to configure log quotas and expiration periods, configure the settings in one or both of the following tabs based on the firewalls assigned to the template: |
Log Export and Reporting tab | Configure the following log export and reporting settings as needed: |
Dashboard, ACC, or Monitor tabs. Additionally, you must configure log forwarding to Panorama. | |
(Panorama only) | |
Pre-Defined Reports (Enabled by default) | Pre-defined reports for application, traffic, threat, and URL Filtering are available on the firewall and on Panorama. Because the firewalls consume memory resources in generating the results hourly (and forwarding them to Panorama where they are aggregated and compiled for viewing), to reduce memory usage you can disable the reports that are not relevant to you; to disable a report, clear this option for the report. Click Select All or Deselect All to entirely enable or disable the generation of pre-defined reports. Before disabling a report, verify that there isn't a Group Report or a PDF Report using it. If you disable a pre-defined report assigned to a set of reports, the entire set of reports will have no data. |
Banners and Messages. To view all messages in a Message of the Day dialog, see Message of the Day. After you configure the Message of the Day and click OK, administrators who subsequently log in and active administrators who refresh their browsers will see the new or updated message immediately; a commit is not required. This enables you to warn other administrators of an impending commit before you perform that commit. | |
Message of the Day (check box) | Select this option to enable the Message
of the Day dialog to display upon login to the web interface. |
Message of the Day (text-entry field) | Enter the text (up to 3,200 characters)
for the Message of the Day dialog. |
Allow Do Not Display Again | Select this option to include a Do not show again option in the Message of the Day dialog (disabled by default). This gives administrators the option to avoid seeing the same message in subsequent logins. If you modify the Message of the Day text, the message displays even to administrators who selected Do not show again. Administrators must reselect this option to avoid seeing the same message in subsequent sessions. |
Title | Enter text for the Message of the Day header (default is Message of the Day). |
Background Color | Select a background color for the Message of the Day dialog. The default (None) is a light gray background. |
Icon | Select a predefined icon to appear above the text in the Message of the Day dialog: |
Header Banner | Enter the text that the header banner displays (up to 3,200 characters). |
Header Color | Select a color for the header background. The default (None) is a transparent background. |
Header Text Color | Select a color for the header text. The default (None) is black. |
Same banner for header and footer | Select this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out. |
Footer Banner | Enter the text that the footer banner displays (up to 3,200 characters). |
Footer Color | Select a color for the footer background. The default (None) is a transparent background. |
Footer Text Color | Select a color for the footer text. The default (None) is black. |
Minimum Password Complexity | |
Enabled | Enable minimum password requirements for
local accounts. With this feature, you can ensure that local administrator
accounts on the firewall will adhere to a defined set of password
requirements. You can also create a password profile with
a subset of these options that will override these settings and
can be applied to specific accounts. For more information, see Device
> Password Profiles and see Username
and Password Requirements for information on valid characters
that can be used for accounts. The maximum password
length is 31 characters. Avoid setting requirements that PAN-OS
does not accept. For example, do not set a requirement of 10 uppercase,
10 lower case, 10 numbers, and 10 special characters because that
would exceed the maximum length of 31 characters. If
you have high availability (HA) configured, always use the primary peer
when configuring password complexity options and commit soon after
making changes. Minimum password complexity settings do not
apply to local database accounts for which you specified a Password
Hash (see Device
> Local User Database > Users). |
Minimum Length | Require minimum length from 1 to 15 characters. |
Minimum Uppercase Letters | Require a minimum number of uppercase letters
from 0 to 15 characters. |
Minimum Lowercase Letters | Require a minimum number of lowercase letters
from 0 to 15 characters. |
Minimum Numeric Letters | Require a minimum number of numeric characters (digits) from 0 to 15. |
Minimum Special Characters | Require a minimum number of special characters
(non-alphanumeric) from 0 to 15 characters. |
Block Repeated Characters | Specify the number of sequential duplicate
characters permitted in a password (range is 2 to 15). If
you set the value to 2, the password can contain the same character in
sequence twice, but if the same character is used three or more times
in sequence, the password is not permitted. For example, if
the value is set to 2, the system will accept the password test11
or 11test11, but not test111, because the number 1 appears three
times in sequence. |
Block Username Inclusion (including reversed) | Select this option to prevent the account
username (or reversed version of the name) from being used in the
password. |
New Password Differs By Characters | When administrators change their passwords,
the characters must differ by the specified value. |
Require Password Change on First Login | Select this option to prompt the administrators
to change their passwords the first time they log in to the firewall. |
Prevent Password Reuse Limit | Require that a previous password is not reused based on the specified count (range is 0 to 50). For example, if the value is set to 4, you cannot reuse any of your last 4 passwords. |
Block Password Change Period (days) | Users cannot change their passwords until the specified number of days has been reached (range is 0 to 365 days). |
Required Password Change Period (days) | Require that administrators change their password on a regular basis, specified by the number of days set (range is 0 to 365 days). For example, if the value is set to 90, administrators will be prompted to change their password every 90 days. You can also set an expiration warning from 0 to 30 days and specify a grace period. |
Expiration Warning Period (days) | If a required password change period is set, this setting can be used to prompt the user to change their password at each log in as the forced password change date approaches (range is 0 to 30 days). |
Allowed expired admin login (count) | Allow the administrator to log in the specified number of times after the account has expired (range is 0 to 3 logins). For example, if the value is set to 3 and their account has expired, they can log in 3 more times before their account is locked out. |
Post Expiration Grace Period (days) | Allow the administrator to log in the specified number of days after the account has expired (range is 0 to 30 days). |
AutoFocus™ | |
Enabled | Enable the firewall to connect to an AutoFocus portal to retrieve threat intelligence data and to enable integrated searches between the firewall and AutoFocus. When connected to AutoFocus, the firewall displays AutoFocus data associated with Traffic, Threat, URL Filtering, WildFire™ Submissions, and Data Filtering log entries (Monitor > Logs). Check that your AutoFocus license is active on the firewall: select Device > Licenses and use the License Management options to activate the license. |
AutoFocus URL | Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443 |
Query Timeout (sec) | Set the duration of time for the firewall
to attempt to query AutoFocus for threat intelligence data. If the
AutoFocus portal does not respond before the end of the specified
period, the firewall will close the connection. |
Logging Service. Use this section to configure the VM-Series firewalls and hardware-based firewalls to forward logs to the Logging Service. | |
Enabled | Enable the firewalls that belong to the selected Template to forward logs to the Logging Service. |
Region | Select the geographic region to which the firewalls will forward logs. Based on the Logging Service region you configured in the plugin (Cloud Services > Configuration > Logging Service) |
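The Idle Timeout, Failed Attempts and Lockout Time rows under Authentication Settings interact in ways that are easy to misconfigure (a non-zero Lockout Time is silently ignored while Failed Attempts is 0; a zero Lockout Time means "until an administrator unlocks"). The following Python is an added example, not PAN-OS code or a Palo Alto Networks tool: it models those semantics, simulates the lockout counter, and audits a constructed config fragment. The XML element names follow the CLI path `set deviceconfig setting management ...` and are an assumption; the 15-minute idle baseline is a hypothetical hardening value, not a PAN-OS default.

```python
"""Added example: Idle Timeout / Failed Attempts / Lockout Time semantics."""
import xml.etree.ElementTree as ET

# Constructed config fragment (assumed layout, not a real running-config).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><setting><management>
    <idle-timeout>0</idle-timeout>
    <admin-lockout>
      <failed-attempts>0</failed-attempts>
      <lockout-time>30</lockout-time>
    </admin-lockout>
  </management></setting></deviceconfig>
</entry></devices></config>"""


def lockout_policy(failed_attempts: int, lockout_time: int) -> str:
    """Effective behaviour of a Failed Attempts / Lockout Time pair."""
    if not 0 <= failed_attempts <= 10:
        raise ValueError("Failed Attempts must be 0-10")
    if not 0 <= lockout_time <= 60:
        raise ValueError("Lockout Time must be 0-60 minutes")
    if failed_attempts == 0:                 # 0 = unlimited; Lockout Time is ignored
        return "unlimited attempts, never locked out"
    if lockout_time == 0:                    # 0 = locked until an admin unlocks it
        return f"locked after {failed_attempts} failures until manually unlocked"
    return f"locked after {failed_attempts} failures for {lockout_time} minutes"


class AdminLockout:
    """Lockout counter for one administrator account (times in minutes)."""

    def __init__(self, failed_attempts: int, lockout_time: int) -> None:
        lockout_policy(failed_attempts, lockout_time)   # range check only
        self.failed_attempts = failed_attempts
        self.lockout_time = lockout_time
        self.failures = 0
        self.locked_since = None

    def is_locked(self, now: int) -> bool:
        if self.locked_since is None:
            return False
        if self.lockout_time == 0:
            return True                      # only unlock() clears this
        return now - self.locked_since < self.lockout_time

    def attempt(self, now: int, password_ok: bool) -> str:
        if self.is_locked(now):
            return "rejected: locked"        # a correct password is refused too
        if self.locked_since is not None:    # timed lockout has expired
            self.locked_since, self.failures = None, 0
        if password_ok:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failed_attempts and self.failures >= self.failed_attempts:
            self.locked_since = now
            return "rejected: locked"
        return "rejected: bad password"

    def unlock(self) -> None:
        """What another administrator does to clear a lockout."""
        self.locked_since, self.failures = None, 0


def audit_management(config_xml: str, max_idle: int = 15) -> list:
    """Flag weak values; max_idle is a hypothetical baseline, not a PAN-OS default."""
    mgmt = ET.fromstring(config_xml).find(".//deviceconfig/setting/management")

    def value(path: str, default: int) -> int:   # defaults are the documented ones
        node = mgmt.find(path) if mgmt is not None else None
        return int(node.text) if node is not None and node.text else default

    idle = value("idle-timeout", 60)
    attempts = value("admin-lockout/failed-attempts", 0)
    lock = value("admin-lockout/lockout-time", 0)
    findings = []
    if idle == 0:
        findings.append("idle-timeout 0: inactivity never logs an admin out")
    elif idle > max_idle:
        findings.append(f"idle-timeout {idle} min exceeds baseline {max_idle}")
    if attempts == 0:
        findings.append("failed-attempts 0: unlimited login attempts")
        if lock:
            findings.append(f"lockout-time {lock} is ignored while failed-attempts is 0")
    findings.append("policy: " + lockout_policy(attempts, lock))
    return findings


if __name__ == "__main__":
    for line in audit_management(SAMPLE_CONFIG):
        print(line)
```

Run against an exported config, the audit would be pointed at the real `deviceconfig/setting/management` subtree; the simulator is useful for checking that a chosen pair of values behaves as intended before it is committed to a fleet.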
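The Share Unused Address and Service Objects with Devices, Objects defined in ancestors will take higher precedence, and Find Overridden Objects rows under Panorama Settings: Panorama > Setup > Management all describe how Panorama decides which object value a firewall ends up enforcing. The Python below is an added example, not Panorama code: it models a Shared > Corp > Branch device-group hierarchy with made-up object names and values, resolves an object name under both precedence settings, lists shadowed objects, and computes which objects are pushed when unused-object sharing is cleared. Expanding address-group members when deciding what counts as "used" is an assumption of this model.

```python
"""Added example: Panorama object precedence and unused-object sharing."""

# Constructed hierarchy, ancestor first; names and values are made up.
HIERARCHY = ["Shared", "Corp", "Branch"]
OBJECTS = {
    "Shared": {"address": {"dns-server": "10.0.0.53", "proxy": "10.0.0.8"},
               "address-group": {"infra": ["dns-server", "proxy"]}},
    "Corp":   {"address": {"proxy": "10.1.0.8"}},
    "Branch": {"address": {"dns-server": "192.168.1.53",
                           "web-srv": "192.168.1.10",
                           "unused-host": "192.168.1.99"}},
}
# Constructed rules for the Branch device group; only referenced names matter.
RULES = [
    {"name": "allow-dns", "destination": ["infra"]},
    {"name": "allow-web", "destination": ["web-srv"]},
]


def resolve(hierarchy, objects, kind, name, ancestors_take_precedence):
    """Effective (level, value) of `name` for the lowest device group.

    Default: the descendant's override wins. With 'Objects defined in
    ancestors will take higher precedence' the search runs from Shared down.
    """
    order = hierarchy if ancestors_take_precedence else hierarchy[::-1]
    for level in order:
        value = objects.get(level, {}).get(kind, {}).get(name)
        if value is not None:
            return level, value
    raise KeyError(f"{kind} object {name!r} not defined anywhere")


def find_overridden(hierarchy, objects, kind):
    """Shadowed objects: same name as a Shared object, different value in a device group."""
    shared = objects.get("Shared", {}).get(kind, {})
    return [(name, dg, shared[name], value)
            for dg in hierarchy[1:]
            for name, value in objects.get(dg, {}).get(kind, {}).items()
            if name in shared and shared[name] != value]


def referenced_objects(rules, objects):
    """Names the rules reference, with address-group members expanded (assumption)."""
    groups = {}
    for level in objects.values():
        groups.update(level.get("address-group", {}))
    todo = [n for r in rules for n in r.get("source", []) + r.get("destination", [])]
    used = set()
    while todo:
        name = todo.pop()
        if name in used:
            continue
        used.add(name)
        todo.extend(groups.get(name, []))
    return used


def objects_to_push(hierarchy, objects, rules, kind, share_unused):
    """Names of `kind` objects Panorama sends to firewalls in the lowest device group."""
    names = set()
    for level in hierarchy:
        names |= set(objects.get(level, {}).get(kind, {}))
    if share_unused:                      # the default: everything goes
        return names
    return names & referenced_objects(rules, objects)


if __name__ == "__main__":
    for flag in (False, True):
        print("ancestors precedence", flag, "->",
              resolve(HIERARCHY, OBJECTS, "address", "dns-server", flag))
    print("overridden:", find_overridden(HIERARCHY, OBJECTS, "address"))
    print("pushed (unused not shared):",
          sorted(objects_to_push(HIERARCHY, OBJECTS, RULES, "address", False)))
```

The security-relevant point the model makes concrete is that with the default precedence a device-group override of a Shared object such as `dns-server` silently changes what every rule referencing it actually matches on that firewall; `find_overridden` is the check to run before flipping the precedence option, since enabling it will replace those override values on the next device group commit.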
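The Minimum Password Complexity rows describe a set of checks that are worth being able to evaluate outside the firewall, for instance when choosing values that a 31-character password can still satisfy. The Python below is an added example, not PAN-OS code: it implements the rules as the table states them, including the table's own Block Repeated Characters cases (`test11` and `11test11` accepted, `test111` rejected at a value of 2) and the warning that the class minimums must not add up to more than 31. Two points are assumptions of this model rather than documented behaviour: "differs by N characters" is measured as edit distance, and a Block Repeated Characters value of 0 means the check is off (the UI range is 2 to 15).

```python
"""Added example: evaluate the Minimum Password Complexity rules."""

MAX_PASSWORD_LENGTH = 31   # stated maximum for PAN-OS passwords


def levenshtein(a: str, b: str) -> int:
    """Edit distance; assumed here as the meaning of 'differs by N characters'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated in sequence."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


class PasswordPolicy:
    """Rule set mirroring the Minimum Password Complexity settings."""

    def __init__(self, minimum_length=1, min_upper=0, min_lower=0, min_numeric=0,
                 min_special=0, block_repeated=0, block_username=False,
                 differs_by=0, reuse_limit=0):
        for name, val, lo, hi in (("minimum_length", minimum_length, 1, 15),
                                  ("min_upper", min_upper, 0, 15),
                                  ("min_lower", min_lower, 0, 15),
                                  ("min_numeric", min_numeric, 0, 15),
                                  ("min_special", min_special, 0, 15),
                                  ("reuse_limit", reuse_limit, 0, 50)):
            if not lo <= val <= hi:
                raise ValueError(f"{name}={val} outside {lo}-{hi}")
        if block_repeated and not 2 <= block_repeated <= 15:
            raise ValueError("block_repeated must be 2-15 (0 = off, assumption)")
        # The table warns against requirements no 31-character password can meet.
        if min_upper + min_lower + min_numeric + min_special > MAX_PASSWORD_LENGTH:
            raise ValueError("character-class minimums exceed the 31-character maximum")
        self.minimum_length, self.min_upper, self.min_lower = minimum_length, min_upper, min_lower
        self.min_numeric, self.min_special = min_numeric, min_special
        self.block_repeated, self.block_username = block_repeated, block_username
        self.differs_by, self.reuse_limit = differs_by, reuse_limit

    def violations(self, password, username="", old_password=None, history=()):
        """Return the list of rules `password` breaks (empty list = accepted)."""
        v = []
        if len(password) > MAX_PASSWORD_LENGTH:
            v.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
        if len(password) < self.minimum_length:
            v.append(f"shorter than {self.minimum_length} characters")
        counts = {"uppercase": sum(c.isupper() for c in password),
                  "lowercase": sum(c.islower() for c in password),
                  "numeric": sum(c.isdigit() for c in password),
                  "special": sum(not c.isalnum() for c in password)}
        for cls, need in (("uppercase", self.min_upper), ("lowercase", self.min_lower),
                          ("numeric", self.min_numeric), ("special", self.min_special)):
            if counts[cls] < need:
                v.append(f"needs at least {need} {cls}")
        if self.block_repeated and longest_run(password) > self.block_repeated:
            v.append(f"more than {self.block_repeated} identical characters in sequence")
        if self.block_username and username:
            low, user = password.lower(), username.lower()
            if user in low or user[::-1] in low:
                v.append("contains the username (or its reverse)")
        if self.differs_by and old_password is not None:
            if levenshtein(old_password, password) < self.differs_by:
                v.append(f"differs from the old password by fewer than {self.differs_by} characters")
        if self.reuse_limit and password in list(history)[:self.reuse_limit]:
            v.append(f"matches one of the last {self.reuse_limit} passwords")
        return v


if __name__ == "__main__":
    policy = PasswordPolicy(block_repeated=2)
    for candidate in ("test11", "11test11", "test111"):
        print(candidate, policy.violations(candidate) or "accepted")
```

`history` is taken newest-first, so the first `reuse_limit` entries are the ones compared; a caller keeping a full audit trail can pass the whole list and the limit is applied here.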