Install Panorama on Alibaba Cloud

End-of-Life (EoL)

Install the Panorama™ virtual appliance on Alibaba Cloud.
Use the Elastic Compute Service (ECS) to create a Panorama™ virtual appliance instance on Alibaba Cloud. An ECS instance supports a single NIC by default and automatically attaches an Elastic Network Interface (ENI) to it. You must manually upload a Panorama virtual appliance qcow2 image downloaded from the Palo Alto Networks Customer Support Portal (CSP) to Alibaba Cloud to successfully install the Panorama virtual appliance on Alibaba Cloud.
A Panorama virtual appliance deployed on Alibaba Cloud is Bring Your Own License (BYOL), supports all deployment modes (Panorama, Log Collector, and Management Only), and shares the same processes and functionality as the M-Series hardware appliances. For more information on Panorama modes, see Panorama Models.
Review the Setup Prerequisites for the Panorama Virtual Appliance to determine the correct Elastic Compute Service (ECS) instance type for your needs. The virtual resource requirements for the Panorama virtual appliance are based on the total number of firewalls managed by the Panorama virtual appliance and the required Logs Per Second (LPS) for forwarding logs from your managed firewalls to your Log Collector.
Palo Alto Networks supports the following instance types.
  • ecs.g5.xlarge, ecs.g5.2xlarge, ecs.g5.4xlarge
  • ecs.sn2ne.xlarge, ecs.sn2ne.2xlarge, ecs.sn2ne.4xlarge
Under-provisioning the Panorama virtual appliance will impact management performance. The Panorama virtual appliance can become slow or unresponsive, depending on how under-provisioned it is.
  1. Log in to the Alibaba Cloud Console.
  2. Set up the virtual private cloud (VPC) for your network needs.
    Whether you launch the Panorama virtual appliance in an existing VPC or you create a new VPC, the Panorama virtual appliance must be able to receive traffic from other instances in the VPC and perform inbound and outbound communication between the VPC and the internet as needed.
    Refer to the Alibaba Cloud VPC documentation for more information.
    1. Create a VPC and Configure Networks or use an existing VPC.
    2. Verify that the network and security components are appropriately defined.
      • Create an internet gateway to enable internet access to the subnet of your Panorama virtual appliance. Internet access is required to install software and content updates, activate licenses, and leverage Palo Alto Networks cloud services. Otherwise, you must manually install updates and activate licenses.
      • Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch Alibaba Cloud instances. It is recommended that the Panorama virtual appliance belong to the management subnet so that you can configure it to access the internet if needed.
      • Add routes to the route table for a private subnet to ensure traffic can be routed across subnets in the VPC and from the internet if applicable.
        Ensure you create routes between subnets to allow communication between:
        • Panorama, managed firewalls, and Log Collectors.
        • (Optional) Panorama and the internet.
      • Ensure that the following ingress security rules are allowed for the VPC to manage VPC traffic. The ingress traffic source for each rule is unique to your deployment topology.
        See Ports Used for Panorama for more information.
        • Allow SSH (port 22) traffic to enable access to the Panorama CLI.
        • Allow HTTPS (port 443 and 27280) traffic to enable access to the Panorama web interface.
        • Allow traffic on port 3978 to enable communication between Panorama, managed firewalls, and managed Log Collectors. This port is also used by Log Collectors to forward logs to Panorama.
        • Allow traffic on port 28443 to enable managed firewalls to get software and content updates from Panorama.
  3. Select Elastic Compute Service > Instances & Images > Instances and click Create Instance in the upper right corner.
  4. Create the Panorama virtual appliance instance.
    1. Select Custom Launch.
    2. Configure the Panorama virtual appliance instance.
      • Billing Method—Select the desired subscription method for the instance.
      • Region—Select a region of your choice. The region you select must provide one of the supported instance types.
      • Instance Type—Select one of the supported instance types. You can select Type-based Selection to search for the instance type.
      • Image—Select Custom Image and select the Panorama virtual appliance image you uploaded.
      • Storage—Choose a disk type and enter 81 GiB as the system disk capacity.
      • (Optional) Add Disk—Add additional logging disks.
        If you intend to use the Panorama virtual appliance in Panorama mode or as a Dedicated Log Collector, add the virtual logging disks during the initial deployment. By default, the Panorama virtual appliance is in Panorama mode for the initial deployment when you meet the Panorama mode resource requirements and have added at least one virtual logging disk. Otherwise, the Panorama virtual appliance defaults to Management Only mode. Change the Panorama virtual appliance to Management Only mode if you just want to manage devices and Dedicated Log Collectors, and to not collect logs locally.
        The Panorama virtual appliance on Alibaba Cloud only supports 2TB logging disks, and in total supports up to 24TB of log storage. You are unable to add a logging disk smaller than 2TB, or a logging disk with a size not divisible by the 2TB logging disk requirement. The Panorama virtual appliance partitions logging disks larger than 2TB into 2TB partitions.
      • (Optional) Snapshot—Specify how often a snapshot is automatically taken of the Panorama virtual appliance instance to prevent risks and accidental data deletion.
      • Duration—Specify the duration for the Panorama virtual appliance instance.
  5. Configure the Panorama virtual appliance network settings.
    1. Select Next: Networking.
    2. Configure the network settings for the Panorama virtual appliance instance.
      • Network Type—Select the VPC and management VSwitch you created.
      • Public IP Address—If you do not have a public IP address, enable (check) Assign Public IPv4 Address and a public IPv4 address is automatically assigned to the Panorama virtual appliance instance.
        If you must use a specific IP address, or an address in a specific range, you can request a custom IP address. Refer to the Elastic IP Address User Guide.
      • Security Group—Select the management security group you created and enable Port 443 (HTTPS), Port 22, and Port 3389.
      • Elastic Network Interface—No configuration needed. The Management interface is already attached to eth0.
  6. Configure the Panorama virtual appliance instance system settings.
    1. Select Next: System Configurations.
    2. Configure system settings for the Panorama virtual appliance instance.
      • Logon Credentials—Select Key Pair and select the key pair. If a key pair has not already been created, select Create Key Pair to create a new key pair on Alibaba Cloud or import an existing key pair.
        Password authentication is not supported.
      • Instance Name—Enter a descriptive name for the Panorama virtual appliance. This is the name displayed for the instance throughout the Alibaba Cloud Console.
      • Host—Enter a hostname for the Panorama virtual appliance instance.
  7. (Optional) Select Next: Grouping to configure grouping for all Alibaba Cloud resources associated with the Panorama virtual appliance instance.
  8. Select Preview to view the configuration before ordering.
  9. View and check the ECS Terms of Service and Product Terms of Service.
  10. Click Create Instance to create the Panorama virtual appliance instance.
    When prompted, click Console to view the instance creation status.
  11. Allocate Elastic IP (EIP) addresses.
    The EIP is a public IP address used to connect to the Panorama virtual appliance.
    This step is required only if you want to enable internet access for the Panorama virtual appliance.
    1. Select Elastic Compute Service > Network & Security > VPC > Elastic IP Addresses > Elastic IP Addresses.
      Select Create EIP if you do not have any existing EIPs.
    2. In the Actions column, select Bind Resource to bind an EIP to any interface exposed to the Internet.
  12. Log in to the Panorama CLI using SSH to configure the Panorama virtual appliance network settings.
    You must configure the system IP address, netmask, and default gateway. Additionally, you must add the Alibaba Cloud DNS servers to successfully connect to the Palo Alto Networks update server.
    You can also access the Panorama CLI from the Alibaba console. To access the Panorama CLI from the Alibaba console, select Elastic Compute Service > Instances & Images > Instances and select the Panorama virtual appliance instance. In the Instance Details, select Connect.
    You are prompted to create a VNC password for the Panorama virtual appliance instance on first connection from the Alibaba VNC. Be sure to save this password as it cannot be recovered and is required to connect using the VNC or update the password in the future.
  13. Configure a new administrative password for the Panorama virtual appliance.
    You must configure a unique administrative password before you can access the web interface or CLI of the Panorama virtual appliance. To access the CLI, the private key used to launch the Panorama virtual appliance is required.
    The new password must be a minimum of eight characters and include a minimum of one lowercase character, one uppercase character, and one number or special character.
    Configure a new password using the following commands and follow the on-screen prompts:
    admin> configure
    admin# set mgt-config users admin password
  14. Configure the initial network settings for the Panorama virtual appliance.
    admin> configure
    admin# set deviceconfig system type static
    admin# set deviceconfig system ip-address <instance-private-IP address> netmask <netmask> default-gateway <default-gateway-IP>
    The default gateway on Alibaba Cloud ends in .253. For example, if the private IP address for your Panorama virtual appliance instance is 192.168.100.20, the default gateway is 192.168.100.253.
    admin# set deviceconfig system dns-setting servers primary 100.100.2.136
    admin# set deviceconfig system dns-setting servers secondary 100.100.2.138
    admin# commit
  15. If the Panorama virtual appliance has network connectivity, use the public IP address to log in to the Panorama web interface; otherwise, use the private IP address. If you cannot log in to the Panorama web interface, review your route table and VCN security rules to ensure the correct routes and security rules are created.
  16. Register the Panorama virtual appliance and activate the device management license and support licenses.
    1. When leveraging VM Flex licensing, this step is required to generate the Panorama virtual appliance serial number needed to register the Panorama virtual appliance with the Palo Alto Networks Customer Support Portal (CSP).
    2. You must register the Panorama virtual appliance using the serial number provided by Palo Alto Networks in the order fulfillment email.
      This step is not required when leveraging VM Flex licensing as the serial number is automatically registered with the CSP when generated.
  17. Complete configuring the Panorama virtual appliance for your deployment needs.
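
The ingress rules listed in step 2 can be checked against an export of the management security group before the instance goes into service. The following is an added example, not Palo Alto Networks or Alibaba Cloud code: it reports required ports that have no allow rule and allow rules whose source lies outside the address ranges you trust. The rule field names, the sample rules, and the 10.0.0.0/16 trusted range are constructed assumptions.

```python
import ipaddress

# Ingress TCP ports listed in step 2 of the procedure.
REQUIRED_PORTS = (22, 443, 27280, 3978, 28443)

# Constructed sample rules; field names are an assumption modelled on the
# Permission entries of an ECS security group rule export.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "10.0.1.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3978/3978", "SourceCidrIp": "10.0.0.0/16"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "28443/28443", "SourceCidrIp": "10.0.2.0/24"},
]

def covers(rule, port):
    """True if an accepting TCP ingress rule's PortRange ("low/high") includes port."""
    if rule.get("Direction") != "ingress" or rule.get("Policy", "").lower() != "accept":
        return False
    if rule.get("IpProtocol", "").upper() not in ("TCP", "ALL"):
        return False
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    return low == -1 or low <= port <= high  # -1/-1 means every port

def audit(rules, trusted_cidrs):
    """Return (missing_ports, untrusted_sources) for the required Panorama ports."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    missing, untrusted = [], []
    for port in sorted(REQUIRED_PORTS):
        matching = [r for r in rules if covers(r, port)]
        if not matching:
            missing.append(port)
        for rule in matching:
            if not rule.get("SourceCidrIp"):
                continue  # source is another security group; not checked here
            src = ipaddress.ip_network(rule["SourceCidrIp"])
            if not any(src.version == t.version and src.subnet_of(t) for t in trusted):
                untrusted.append((port, str(src)))
    return missing, untrusted

if __name__ == "__main__":
    missing, untrusted = audit(SAMPLE_RULES, ["10.0.0.0/16"])
    print("required ports with no allow rule:", missing)
    print("rules open to sources outside the trusted ranges:", untrusted)
```

With the sample rules, the audit reports port 27280 as missing and the SSH rule as open to a source outside the trusted range.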