Device > Setup > Management
- Device > Setup > Management
- Panorama > Setup > Management
On a firewall, select
to configure management settings.
On Panorama™, select
to configure firewalls that you manage with Panorama templates. Select
to configure management settings for Panorama.
The following management settings apply to both the firewall and Panorama except where noted.
Enter a host name (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, spaces, hyphens, and underscores.
If you don’t enter a value, PAN-OS® uses the firewall model (for example, PA-5050_2) as the default.
Optionally, you can configure the firewall to use a hostname that a DHCP server provides. See Accept DHCP server-provided Hostname (Firewall only).
Configure a unique host name to easily identify the device you are managing.
Enter the network domain name for the firewall (up to 31 characters).
Optionally, you can configure the firewalls and Panorama to use a domain that a DHCP server provides. See Accept DHCP server-provided Domain (Firewall only).
Accept DHCP server-provided Hostname (
Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field.
Accept DHCP server-provided Domain (
Applies only when the Management Interface IP Type is DHCP Client.) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the
Enter text (up to 3,200 characters) to display on the web interface login page below the
Force Admins to Acknowledge Login Banner
Select this option to display and force administrators to select
I Accept and Acknowledge the Statement Belowabove the login banner on the login page, which forces administrators to acknowledge that they understand and accept the contents of the message before they can
SSL/TLS Service Profile
Assign an existing SSL/TLS Service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Device > Certificate Management > SSL/TLS Service Profile). The firewall or Panorama uses this certificate to authenticate to administrators who access the web interface through the management (MGT) interface or through any other interface that supports HTTP/HTTPS management traffic (see Network > Network Profiles > Interface Mgmt). If you select
none(default), the firewall or Panorama uses a predefined certificate.
The predefined certificate is provided for convenience. For better security, assign an SSL/TLS Service profile. To ensure trust, the certificate must be signed by a certificate authority (CA) certificate that is in the trusted root certificate store of the client systems.
Select the time zone of the firewall.
Select a language for PDF reports from the drop-down. See Monitor > PDF Reports > Manage PDF Summary.
Even if you have a specific language preference set for the web interface, PDF reports will use the language specified for
Set the date on the firewall:
You can also define an NTP server (
Set the time on the firewall:
You can also define an NTP server (
Panorama virtual appliances only)
Enter the serial number for Panorama. You can find the serial number in the order fulfillment email you received from Palo Alto Networks®.
Enter the latitude (-90.0 to 90.0) of the firewall.
Enter the longitude (-180.0 to 180.0) of the firewall.
Automatically acquire commit lock
Select this option to automatically apply a commit lock when you change the candidate configuration. For more information, see Lock Configurations.
Automatically Acquire Commit Lockso that other administrators can’t make configuration changes until the first administrator commits her/his changes.
Certificate Expiration Check
Instruct the firewall to create warning messages when on-box certificates approach their expiration date.
Certificate Expiration Checkto generate a warning message when on-box certificates approach their expiration date.
Multiple Virtual System Capability
Enables the use of multiple virtual systems on firewalls that support this feature (see Device > Virtual Systems).
To enable multiple virtual systems on a firewall, firewall policies must reference no more than 640 distinct user groups. If necessary, reduce the number of referenced user groups. Then, after you enable and add multiple virtual systems, the policies can then reference another 640 user groups for each additional virtual system.
URL Filtering Database
Select a URL Filtering vendor for use with Panorama:
Use Hypervisor Assigned MAC Addresses
VM-Series firewalls only)
Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema.
If you enable this option and use an IPv6 address for the interface, the interface ID cannot use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if you use the EUI-64 format.
Select this option to enable the ability to inspect the control plane and user dataplane messages in the GPRS Tunneling Protocol (GTP) traffic. See Objects > Security Profiles > GTP Protection to configure a GTP protection profile so that you can enforce policy on GTP traffic.
GTP security is supported only on PA-5200 Series and VM-Series firewalls.
Select this option to enable the ability to inspect and filter Stream Control Transmission Protocol (SCTP) packets and chunks, and to apply SCTP initiation (INIT) flood protection. See Objects > Security Profiles > SCTP Protection. For SCTP INIT flood protection, see Configure SCTP INIT Flood Protection.
SCTP security is supported only on PA-5200 Series and VM-Series firewalls.
Policy Rule Hit Count
Select this option to track how often traffic matches against policy rules you have configured on the firewall. When enabled, you can view the total Hit Count for total traffic matches against each rule, along with the date and time of the First Hit and Last Hit for traffic matches.
Select the authentication profile (or sequence) the firewall uses to authenticate administrative accounts that you define on an external server instead of locally on the firewall (see Device > Authentication Profile). When external administrators log in, the firewall requests authentication and authorization information (such as the administrative role) from the external server.
Enabling authentication for external administrators requires additional steps based on the server type that the authentication profile specifies, which must be one of the following:
Administrators can use SAML to authenticate to the web interface but not to the CLI.
Noneto disable authentication for external administrators.
For administrative accounts that you define locally (on the firewall), the firewall authenticates using the authentication profile assigned to those accounts (see Device > Administrators).
Select a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the firewall web interface. For instructions on configuring certificate profiles, see Device > Certificate Management > Certificate Profile.
Configure a certificate profile to ensure that the administrator’s host machine has the right certificates to authenticate with the Root CA certificate defined in the certificate profile.
Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout.
Both manual and automatic refreshing of web interface pages (such as the
Dashboardand System Alarms dialog) reset the
Idle Timeoutcounter. To enable the firewall to enforce the timeout when you are on a page that supports automatic refreshing, set the refresh interval to
Manualor to a value higher than the
Idle Timeout. You can also disable
Auto Refreshin the
Idle Timeoutto 10 minutes to prevent unauthorized users from accessing the firewall if an administrator leaves a firewall session open.
Enter the number of failed login attempts (0 to 10) that the firewall allows for the web interface and CLI before locking out the administrator account. A value of 0 specifies unlimited login attempts. The default value is 0 for firewalls in normal operational mode and 10 for firewalls in FIPS-CC mode. Limiting login attempts can help protect the firewall from brute force attacks.
If you set the
Failed Attemptsto a value other than 0 but leave the
Lockout Timeat 0, the
Failed Attemptsis ignored and the user is never locked out.
Set the number of
Failed Attemptsto 5 or fewer to accommodate a reasonable number of retries in case of typing errors, while preventing malicious systems from trying brute force methods to log in to the firewall.
Enter the number of minutes (range is 0 to 60) for which the firewall locks out an administrator from access to the web interface and CLI after reaching the
Failed Attemptslimit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account.
If you set the
Failed Attemptsto a value other than 0 but leave the
Lockout Timeat 0, the user is locked out after the set number of failed login attempts until another administrator manually unlocks the account.
Lockout Timeto at least 30 minutes to prevent continuous login attempts from a malicious actor.
Panorama Settings: Device > Setup > Management
Configure the following settings on the firewall or in a template on Panorama. These settings establish a connection from the firewall to Panorama.
You must also configure connection and object sharing settings on Panorama (Panorama Settings: Panorama > Setup > Management).
The firewall uses an SSL connection with AES256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure the SSL connections between Panorama, firewalls, and log collectors, see Secure Client Communication to configure custom certificates between the firewall and Panorama or a log collector.
Enter the IP address or FQDN of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second
Panorama Serversfield, enter the IP address or FQDN of the secondary Panorama server.
Receive Timeout for Connection to Panorama
Enter the timeout (in seconds) for receiving TCP messages from Panorama (range is 1 to 240; default is 240).
Send Timeout for Connection to Panorama
Enter the timeout (in seconds) for sending TCP messages to Panorama (range is 1 to 240; default is 240).
Retry Count for SSL Send to Panorama
Enter the number of retry attempts allowed when sending Secure Socket Layer (SSL) messages to Panorama (range is 1 to 64; default is 25).
Secure Client Communication
Secure Client Communicationto ensure that the firewall uses configured custom certificates (instead of the default certificate) to authenticate SSL connections with Panorama or log collectors.
Disable/Enable Panorama Policy and Objects
This option displays only when you edit the
Panorama Settingson a firewall (not in a template on Panorama).
Disable Panorama Policy and Objectsto disable the propagation of device group policies and objects to the firewall. By default, this action also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall, in the dialog that opens when you click this option, select
Import Panorama Policy and Objects before disabling. After you perform a commit, these policies and objects become part of the firewall configuration and Panorama no longer manages them.
Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require rules and object values that differ from those defined in the device group. An example is when you move a firewall out of production and into a laboratory environment for testing.
To revert firewall policy and object management to Panorama, click
Enable Panorama Policy and Objects.
Disable/Enable Device and Network Template
This option displays only when you edit the
Panorama Settingson a firewall (not in a template on Panorama).
Disable Device and Network Templateto disable the propagation of template information (device and network configurations) to the firewall. By default, this action also removes the template information from the firewall. To keep a local copy of the template information on the firewall, in the dialog that opens when you select this option, select
Import Device and Network Templates before disabling. After you perform a commit, the template information becomes part of the firewall configuration and Panorama no longer manages that information.
Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require device and network configuration values that differ from those defined in the template. An example is when you move a firewall out of production and into a laboratory environment for testing.
To configure the firewall to accept templates again, click
Enable Device and Network Templates.
Panorama Settings: Panorama > Setup > Management
If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections from Panorama to managed firewalls, as well as object sharing parameters.
You must also configure Panorama connection settings on the firewall or in a template on Panorama: see Panorama Settings: Device > Setup > Management.
The firewall uses an SSL connection with AES256 encryption to register with Panorama. By default, Panorama and the firewall authenticate each other using predefined 2,048-bit certificates and they use the SSL connection for configuration management and log collection. To further secure these SSL connections, see Customize Secure Server Communication to configure custom certificates between Panorama and its clients.
Receive Timeout for Connection to Device
Enter the timeout (in seconds) for receiving TCP messages from all managed firewalls (range is 1 to 240; default is 240).
Send Timeout for Connection to Device
Enter the timeout (in seconds) for sending TCP messages to all managed firewalls (range is 1 to 240; default is 240).
Retry Count for SSL Send to Device
Enter the number of allowed retry attempts when sending Secure Socket Layer (SSL) messages to managed firewalls (range is 1 to 64; default is 25).
Share Unused Address and Service Objects with Devices
Select this option (enabled by default) to share all Panorama shared objects and device-group-specific objects with managed firewalls.
If you disable this option, the appliance checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that the appliance sends only necessary objects to managed firewalls.
Objects defined in ancestors will take higher precedence
Select this option (disabled by default) to specify that the object values in ancestor groups take precedence over those in descendant groups when device groups at different levels in the hierarchy have objects of the same type and name but with different values. This means that when you perform a device group commit, the ancestor values replace any override values. Likewise, this option causes the value of a shared object to override the values of objects of the same type and name in device groups.
Selecting this option displays the Find Overridden Objects link.
Find Overridden Objects
Select this option (bottom of the Panorama Settings dialog) to list any
shadowedobjects. A shadowed object is an object in the Shared location that has the same name but a different value in a device group. The link displays only if you specify that Objects defined in ancestors will take higher precedence.
Enable reporting and filtering on groups
Select this option (disabled by default) to enable Panorama to locally store usernames, user group names, and username-to-group mapping information that it receives from firewalls. This option is global to all device groups in Panorama. However, you must also enable local storage at the level of each device group by specifying a Master Device and configuring the firewall to Store users and groups from Master Device.
Secure Communication Settings: Panorama > Setup > Management
Customize Secure Server Communication
Secure Client Communications
Secure Client Communicationensures that the client Panorama uses configured custom certificates (instead of the default predefined certificate) to authenticate SSL connections with another Panorama appliance in an HA pair or WildFire appliance.
Logging and Reporting Settings
Use this section to modify:
Log Storage tab
Panorama management server and all firewall models except PA-5200 Series and PA‑7000 Series firewalls)
Panorama displays this tab if you edit the Logging and Reporting Settings (
). If you use a Panorama template to configure the settings for firewalls (
), see Single Disk Storage and Multi Disk Storage tabs.
For each log type, specify:
Weekly summary logs can age beyond the threshold before the next deletion if they reach the expiration threshold between times when the firewall deletes logs. When a log quota reaches the maximum size, new log entries start overwriting the oldest log entries. If you reduce a log quota size, the firewall or Panorama removes the oldest logs when you commit the changes. In an HA active/passive configuration, the passive peer does not receive logs and, therefore, does not delete them unless failover occurs and the passive peer becomes active.
large-corefile option, enter the following CLI command from configuration mode and then
The core file is deleted when you disable this option.
Only a Palo Alto Networks support engineer can interpret the contents of the core files.
Session Log Storageand
Management Log Storagetabs
PA-5200 Series and PA‑7000 Series firewalls only)
PA-5200 Series andPA-7000 Series firewalls store management logs and session logs on separate disks. Select the tab for each set of logs and configure the settings described in Log Storage tab:
Single Disk Storageand
Multi Disk Storagetabs
Panorama template only)
If you use a Panorama template to configure log quotas and expiration periods, configure the settings in one or both of the following tabs based on the firewalls assigned to the template:
Log Export and Reporting tab
Configure the following log export and reporting settings as needed:
Monitortabs. Additionally, you must configure log forwarding to Panorama to use this option.
Pre-Defined Reports(enabled by default)—Pre-defined reports for application, traffic, threat, URL Filtering, and Stream Control Transmission Protocol (SCTP) are available on the firewall and on Panorama. Pre-defined reports for SCTP are available on the firewall and Panorama after SCTP Security is enabled in
Because the firewalls consume memory resources in generating the results hourly (and forwarding it to Panorama where it is aggregated and compiled for viewing), to reduce memory usage, you can disable the reports that are not relevant to you. To disable a report, disable this option for the report.
Deselect Allto entirely enable or disable the generation of pre-defined reports.
Before disabling a report, verify that there isn’t a Group Report or a PDF Report using it. If you disable a pre-defined report assigned to a set of reports, the entire set of reports will have no data.
Banners and Messages
To view all messages in a Message of the Day dialog, see Message of the Day.
After you configure the Message of the Day and click
OK, administrators who subsequently log in and active administrators who refresh their browsers will see the new or updated message immediately; a commit is not required. This enables you to warn other administrators of an impending commit before you perform that commit.
Message of the Day
Select this option to enable the Message of the Day dialog to display when an administrator logs in to the web interface.
Message of the Day
Enter the text (up to 3,200 characters) for the Message of the Day dialog.
Allow Do Not Display Again
Select this option (disabled by default) to include a
Do not show againoption in the Message of the Day dialog. This gives administrators the option to avoid seeing the same message in subsequent logins.
If you modify the
Message of the Daytext, the message displays even to administrators who selected
Do not show again. Administrators must reselect this option to avoid seeing the modified message in subsequent sessions unless the message is modified again.
Enter text for the Message of the Day header (default is
Message of the Day).
Select a background color for the Message of the Day dialog. The default (
None) is a light gray background.
Select a predefined icon to appear above the text in the Message of the Day dialog:
Enter the text that the header banner displays (up to 3,200 characters).
Select a color for the header background. The default (
None) is a transparent background.
Header Text Color
Select a color for the header text. The default (
None) is black.
Same banner for header and footer
Select this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out.
Enter the text that the footer banner displays (up to 3,200 characters).
Select a color for the footer background. The default (
None) is a transparent background.
Footer Text Color
Select a color for the footer text. The default (
None) is black.
Minimum Password Complexity
Enable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the firewall will adhere to a defined set of password requirements.
You can also create a password profile with a subset of these options that will override these settings and can be applied to specific accounts. For more information, see Device > Password Profiles and see Username and Password Requirements for information on valid characters that can be used for accounts.
The maximum password length is 31 characters. Avoid setting requirements that PAN-OS does not accept. For example, do not set a requirement of 10 uppercase, 10 lower case, 10 numbers, and 10 special characters because that would exceed the maximum length of 31 characters.
If you have high availability (HA) configured, always use the primary peer when configuring password complexity options and commit soon after making changes.
Minimum password complexity settings do not apply to local database accounts for which you specified a
Password Hash(see Device > Local User Database > Users).
Require strong passwords to help prevent brute force network access attacks from succeeding. Require a minimum length and the use of at least one each of uppercase letters, lowercase letters, numerical values, and special characters. In addition, prevent excessive repetition of characters and usernames in passwords, set limits on how often passwords can be reused, and set regular password change periods so passwords don’t stay in use too long. The stronger the password requirements, the more difficult you make it for attackers to hack a password.
Require a minimum password length (range is 1 to 15 characters).
Minimum Uppercase Letters
Require a minimum number of uppercase letters (ranges is 0 to 15 characters).
Minimum Lowercase Letters
Require a minimum number of lowercase letters (range is 0 to 15 characters).
Minimum Numeric Letters
Require a minimum number of numeric letters (range is 0 to 15 numbers).
Minimum Special Characters
Require a minimum number of special (non-alphanumeric) characters (range is 0 to 15 characters).
Block Repeated Characters
Specify the number of sequential duplicate characters permitted in a password (range is 2 to 15).
If you set the value to 2, the password can contain the same character in sequence twice but if the same character is used three or more times in sequence, the password is not permitted.
For example, if the value is set to 2, the system will accept the password test11 or 11test11, but not test111, because the number 1 appears three times in sequence.
Block Username Inclusion (including reversed)
Select this option to prevent the account username (or reversed version of the name) from being used in the password.
New Password Differs By Characters
When administrators change their passwords, the characters must differ by the specified value.
Require Password Change on First Login
Select this option to prompt administrators to change their passwords the first time they log in to the firewall.
Prevent Password Reuse Limit
Require that a previous password is not reused based on the specified count. For example, if the value is set to 4, you could not reuse any of your last 4 passwords (range is 0 to 50).
Block Password Change Period (days)
User cannot change their passwords until the specified number of days is reached (range is 0 to 365 days).
Required Password Change Period (days)
Require that administrators change their password on a regular basis (in days) (range is 0 to 365). For example, if the value is set to 90, administrators are prompted to change their password every 90 days.
You can also set an expiration warning from 0 to 30 days and specify a grace period.
Expiration Warning Period (days)
Required Password Change Periodis set, you can use this
Expiration Warning Periodto prompt users at each log in to change their password when there are less than a specified number of days remaining before the required change date (range is 0 to 30).
Post Expiration Admin Login Count (count)
Allow the administrator to log in a specified number of times after the required change date (range is 0 to 3). For example, if you set this value to 3 and their account has expired, they can log in 3 more times without changing their password before their account is locked out.
Post Expiration Grace Period (days)
Allow the administrator to log in for a specified number of days after the account has expired (range is 0 to 30).
Enable the firewall to connect to an AutoFocus portal to retrieve threat intelligence data and to enable integrated searches between the firewall and AutoFocus.
When connected to AutoFocus, the firewall displays AutoFocus data associated with Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries (
). You can click on an artifact in these types of log entries (such as an IP address or a URL) to display a summary of the AutoFocus findings and statistics for that artifact. You can then open an expanded AutoFocus search for the artifact directly from the firewall.
Check that your AutoFocus license is active on the firewall (
). If the AutoFocus license is not displayed, use one of the
License Managementoptions to activate the license.
Enter the AutoFocus URL:
Query Timeout (sec)
Set the duration of time (in seconds) for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall closes the connection.
Use this section to configure VM-Series and hardware-based firewalls to forward logs to the Logging Service.
Enable Logging Service
After you configure Log Forwarding (Objects > Log Forwarding), the firewalls will forward logs to the Logging Service instead of sending the logs to your Panorama or the distributed Log Collectors.
Pick this option to enable the firewalls that belong to the selected
Templateto forward logs to the Logging Service.
If you want to forward logs to the Logging Service and your on-premise infrastructure, select Enable Duplicate Logging (Cloud and On-Premise).
Enable Duplicate Logging (Cloud and On-Premise)
Enable Duplicate Loggingto evaluate the Logging Service and to ensure that a copy of your logs is saved to the Logging Service in the cloud and to your existing on-premise Panorama or Distributed Log Collection architecture.
When enabled, the firewalls that belong to the selected Template will save a copy of the logs both to the Logging Service and to the Panorama or Distributed Log Collection architecture.
Enable Enhanced Application Logging
Enable Enhanced Application Loggingif you want the firewall to collect data that increases network visibility for Palo Alto Networks applications. For example, this increased network visibility enables the Palo Alto Networks Magnifier service to better categorize and establish a baseline for normal network activity so that the firewall can detect unusual behavior that might indicate an attack.
Enhanced Application Logging requires a Logging Service license. You cannot view these logs—they are designed to be consumed only by Palo Alto Networks applications.
Select the geographic region to which the firewalls will forward logs.
The Logging Service region you configured in the plugin (
) is the region in which Palo Alto Networks deploys the Logging Service infrastructure for you.
Manage SCTP from Panorama
Use Panorama™ to configure SCTP for firewalls in a device group and then push the configuration to the Device Group. ...
Device > Password Profiles
Device > Password Profiles Device > Password Profiles Panorama > Password Profiles Select Device Password Profiles or Panorama Password Profiles to set basic password requirements ...
Manage Firewall and Panorama Certificates
Manage Firewall and Panorama Certificates Device > Certificate Management > Certificates > Device Certificates Panorama > Certificate Management > Certificates Select Device Certificate Management Certificates ...
Monitor SCTP Security
Monitor SCTP traffic by viewing logs, ACC displays generated from SCTP logs, and predefined and custom reports. ...
Firewalls allow you to secure SCTP traffic by inspecting messages; by filtering SCTP, Diameter, and SS7 chunks; and by protecting against SCTP INIT packet flooding. ...
Set Up LDAP Authentication
Set Up LDAP Authentication LDAP is often used by organizations as an authentication service and a central repository for user information. It can also be ...
Configure SCTP Security
SCTP security features allow you to inspect and filter SCTP packets. Allocate SCTP log storage so the firewall can store SCTP log information. ...
Configure Authentication with Custom Certificates on the PAN-DB Private Cloud
Use custom certificates to establish a unique chain of trust that ensures mutual authentication between your PAN-DB server and your firewalls. ...
Device > Server Profiles > LDAP
Device > Server Profiles > LDAP Select Device Server Profiles LDAP or Panorama Server Profiles LDAP to configure settings for the Lightweight Directory Access Protocol ...