Install Panorama on Alibaba Cloud
Install the Panorama™ virtual appliance on Alibaba Cloud.
Use the Elastic Compute Service (ECS) to create a Panorama™ virtual appliance instance on Alibaba Cloud. An ECS instance supports a single NIC by default and automatically attached an Elastic Network Interface (ENI) to it. You must manually upload a Panorama virtual appliance qcow2 image downloaded from the Palo Alto Networks Customer Supported Portal (CSP) to Alibaba Cloud to successfully install the Panorama virtual appliance on Alibaba Cloud.
A Panorama virtual appliance deployed on Alibaba Cloud is Bring Your Own License (BYOL), supports all deployment modes (Panorama, Log Collector, and Management Only), and shares the same processes and functionality as the M-Series hardware appliances. For more information on Panorama modes, see Panorama Models.
Review the Setup Prerequisites for the Panorama Virtual Appliance to determine the correct Elastic Computer Service (ECS) instance type for your needs. The virtual resources requirement for the Panorama virtual appliance is based on the total number of firewalls managed by the Panorama virtual appliance and the required Logs Per Second (LPS) for forwarding logs from your managed firewalls to your Log Collector.
Palo Alto Networks supports the following instance types.
Under-provisioning the Panorama virtual appliance will impact management performance. This includes the Panorama virtual appliance becoming slow or unresponsive depending on how under-provisioning the Panorama virtual appliance is.
- Log in to the Alibaba Cloud Console.
- Set up the virtual private cloud (VPC) for your network needs.Whether you launch the Panorama virtual appliance in an existing VPC or you create a new VPC, the Panorama virtual appliance must be able to receive traffic from other instances in the VPC and perform inbound and outbound communication between the VPC and the internet as needed.Refer to the Alibaba Cloud VPC documentation for more information.
- Create a VPC and Configure Networks or use an existing VPC.
- Verify that the network and security components are appropriately defined.
- Create an internet gateway to enable internet access to the subnet of your Panorama virtual appliance. Internet access is required to install software and content updates, activate licenses, and leverage Palo Alto Networks cloud services. Otherwise, you must manually install updates and activate licenses.
- Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch Alibaba Cloud instances. It is recommended that the Panorama virtual appliance belong to the management subnet so that you can configure it to access the internet if needed.
- Add routes to the route table for a private subnet to ensure traffic can be routed across subnets in the VPC and from the internet if applicable.Ensure you create routes between subnets to allow communication between:
- Panorama, managed firewalls, and Log Collectors.
- (Optional) Panorama and the internet.
- Ensure that the following ingress security rules are allowed for the VPC to manage VPC traffic. The ingress traffic source for each rule is unique to your deployment topology.See Ports Used for Panorama for more information.
- Allow SSH (port22) traffic to enable access to the Panorama CLI.
- Allow HTTPS (port443and27280) traffic to enable access to the Panorama web interface.
- Allow traffic on port3978to enable communication between Panorama, manage firewalls, and managed Log Collectors. This port is also used by Log Collectors to forward logs to Panorama.
- Allow traffic on port28443to enable managed firewalls to get software and content updates from Panorama.
- Selectand clickElastic Compute ServiceInstances & ImagesInstancesCreate Instancein the upper right corner.
- Create the Panorama virtual appliance instance.
- SelectCustom Launch.
- Configure the Panorama virtual appliance instance.
- Billing Method—Select the desired subscription method for the instance.
- Region—Select a region of your choice. The region you select must provide on of the supported instance types.
- Instance Type—Select one of the supported instance types. You can select Type-based Selection to search for the instance type.
- Image— SelectCustom Imageand select the Panorama virtual appliance image you uploaded.
- Storage—Choose a disk type and enter81GiB as the system disk capacity.
- (Optional)Add Disk—Add additional logging disks.If you intend to use the Panorama virtual appliance in Panorama mode or as a Dedicated Log Collector, add the virtual logging disks during the initial deployment. By default, the Panorama virtual appliance is in Panorama mode for the initial deployment when you meet the Panorama mode resource requirements and have added at least one virtual logging disk. Otherwise, the Panorama virtual appliance defaults to Management Only mode. Change the Panorama virtual appliance to Management Only mode if you just want to manage devices and Dedicated Log Collectors, and to not collect logs locally.The Panorama virtual appliance on Alibaba Cloud only supports 2TB logging disks, and in total supports up to 24TB of log storage. You are unable to add a logging disk smaller than 2TB, or a logging disk with a size not divisible by the 2TB logging disk requirement. The Panorama virtual appliance partitions logging disks larger than 2TB into 2TB partitions.
- (Optional)Snapshot—Specify how often a snapshot is automatically taken of the Panorama virtual appliance instance to prevent risks and accidental data deletion.
- Duration—Specify the duration for the Panorama virtual appliance instance.
- Configure the Panorama virtual appliance network settings.
- SelectNext: Networking.
- Configure the network settings for the Panorama virtual appliance instance.
- Public IP Address—If you do not have a public IP address, enable (check)Assign Public IPv4 Addressand a public IPv4 address is automatically assigned to the Panorama virtual appliance instance.If you must use a specific IP address, or an address in a specific range, you can request a custom IP address. Refer to the Elastic IP Address User Guide.
- Elastic Network Interface—No configuration needed. The Management interface is already attached to eth0.
- Configure the Panorama virtual appliance instance system settings.
- SelectNext: System Configurations.
- Configure system settings for the Panorama virtual appliance instance.
- Logon Credentials—SelectKey Pairand select the key pair. If a key pair has not already been created, selectCreate Key Pairto create an new key pair on Alibaba Cloud or import an existing key pair.Password authentication is not supported.
- Instance Name—Enter a descriptive name for the Panorama virtual appliance. This the name displayed for the instance throughout the Alibaba Cloud Console.
- Host—Enter a hostname for the Panorama virtual appliance instance.
- (Optional) SelectNext: Groupingto configuring grouping for all Alibaba Cloud resources associated with the Panorama virtual appliance instance.
- SelectPreviewto view the configuration before ordering.
- View and check theECS Terms of ServiceandProduct Terms of Service.
- Create Instanceto create the Panorama virtual appliance instance.When prompted, clickConsoleto view the instance creation status.
- Allocate Elastic IP (EIP) addresses.The EIP is a public IP address used to connect to the Panorama virtual appliance.This step is required only if you want to enable internet access for the Panorama virtual appliance.
- Select.Elastic Compute ServiceNetwork & SecurityVPCElastic IP AddressesElastic IP AddressesSelectCreate EIPif you do not have any existing EIPs.
- In theActionscolumn, selectBind Resourceto bind an EIP to any interface exposed to the Internet.
- Log in to the Panorama CLI using the SSH to configure the Panorama virtual appliance network settings.You must configure the system IP address , netmask, and default gateway. Additionally, you must add the Alibaba Cloud DNS servers to successfully connect to the Palo Alto Networks update server.You can also access the Panorama CLI from the Alibaba console. To access the Panorama CLI from the Alibaba console, selectand select the Panorama virtual appliance instance. In the Instance Details, selectElastic Compute ServiceInstances & ImagesInstancesConnect.You are prompted to create a VCN password for the Panorama virtual appliance instance on first connection from the Alibaba VCN. Be sure to save this password as it cannot be recovered and is required to connect using the VCN or update the password in the future.
- Configure the initial network settings for the Panorama virtual appliance.admin>configureCode copied to clipboardUnable to copy due to lack of browser support.admin#set deviceconfig system type staticCode copied to clipboardUnable to copy due to lack of browser support.admin#set deviceconfig system ip-address <instance-private-IP address> netmask <netmask> default-gateway <default-gateway-IP>Code copied to clipboardUnable to copy due to lack of browser support.The default gateway on Alibaba Cloud ends in.253. For example, if the private IP address for your Panorama virtual appliance instance is 192.168.100.20, the default gateway is 192.168.100.253.admin#set deviceconfig system dns-setting servers primary 100.100.2.136Code copied to clipboardUnable to copy due to lack of browser support.admin#set deviceconfig system dns-setting servers secondary 100.100.2.138Code copied to clipboardUnable to copy due to lack of browser support.admin#commitCode copied to clipboardUnable to copy due to lack of browser support.
- Verify you can log in to the Panorama web interface.If the Panorama virtual appliance has network connectivity, use the public IP address to log in to the Panorama web interface, otherwise use the private IP address. If you cannot log in to the Panorama web interface, review your route table and VCN security rules to ensure the correct routes and security rules are created.
- Register the Panorama virtual appliance and activate the device management license and support licenses.
- (VM Flex Licensing Only) Provisioning the Panorama Virtual Appliance Serial Number.When leveraging VM Flex licensing, this step is required to generate the Panorama virtual appliance serial number needed to register the Panorama virtual appliance with the Palo Alto Networks Customer Support Portal (CSP).
- You must register the Panorama virtual appliance using the serial number provided by Palo Alto Networks in the order fulfillment email.This step is not required when leveraging VM Flex licensing as the serial number is automatically registered with the CSP when generated.
- Complete configuring the Panorama virtual appliance for your deployment needs.
- (Log Collector mode) Begin at Step 6 to Switch from Panorama mode to Log Collector mode.Enter the Public IP address of the Dedicated Log Collector when you Add the Log Collector as a managed collector to the Panorama management server. You cannot specify theIP Address,Netmask, orGateway.
- (Panorama and Management Only mode) Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual appliance. Management Only mode does not support local log collection, and requires a Dedicated Log Collector to store managed device logs.
- Complete configuring the Panorama virtual appliance for your deployment needs.
- For Panorama in Log Collector Mode.
- Adding at least one virtual logging disk is required before you can change the Panorama virtual appliance to Log Collector mode.
- Begin at Step 6 to switch to Log Collector mode.Enter the Public IP address of the Dedicated Log Collector when you add the Log Collector as a managed collector to the Panorama management server. You cannot specify theIP Address,Netmask, orGateway.
- For Panorama in Panorama mode.
- Adding at least one virtual logging disk is required before you can change the Panorama virtual appliance to Panorama mode.
- For Panorama in Management Only mode.
- Configure a Managed Collector to add a Dedicated Log Collector to the Panorama virtual appliance.Management Only mode does not support local log collection, and requires a Dedicated Log Collector to store managed device logs.
Recommended For You
Recommended videos not found.