Add a Firewall as a Managed Device
To use a Panorama™ management server to manage your firewalls, you need to enable a connection between the firewall and the Panorama management server. To strengthen your security posture when onboarding a new firewall, you must create a unique device registration authentication key on the Panorama management server for mutual authentication between the new firewall and the server on first connection. A successful first connection requires that you add the Panorama IP address on each firewall the server will manage, add the serial number on the server for each firewall, and specify the device registration authentication key on both the server and the firewall. When you add a firewall as a managed device, you can also associate the new firewall with a device group, template stack, collector group, and Log Collector during the initial deployment. Additionally, you have the option to automatically push the configuration to your newly added firewall when the firewall first connects to the Panorama server, which ensures that firewalls are immediately configured and ready to secure your network.
You can bulk import only single-vsys firewalls to the Panorama management server.
The firewall uses the Panorama management server IP address for registration with the server. The Panorama server and the firewall authenticate with each other using 2,048-bit certificates and AES-256 encrypted SSL connections for configuration management and log collection.
To configure the device registration authentication key, specify the key lifetime and the number of times you can use the authentication key to onboard new firewalls. Additionally, you can specify one or more firewall serial numbers for which the authentication key is valid.
The authentication key expires 90 days after the key lifetime expires. After 90 days, you are prompted to re-certify the authentication key to maintain its validity. If you do not re-certify, then the authentication key becomes invalid. A system log is generated each time a firewall uses the Panorama-generated authentication key. The firewall uses the authentication key to authenticate the Panorama server when it delivers the device certificate that is used for all subsequent communications.
(PAN-OS 10.1 only) Panorama running PAN-OS 10.1.3 or a later release supports onboarding firewalls running PAN-OS 10.1.3 or later releases only. You cannot add a firewall running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release to Panorama management if Panorama is running PAN-OS 10.1.3 or a later release.
There is no impact to firewalls already managed by Panorama on upgrade to PAN-OS 10.1.3.
- Set up the firewall.
- Perform initial configuration on the firewall so that it is accessible and can communicate with the Panorama server over the network.
- Configure each data interface you plan to use on the firewall and attach it to a security zone so that you can push configuration settings and policy rules from the Panorama server.
- Create a device registration authentication key.
- Select Panorama > Device Registration Auth Key and Add a new authentication key.
- Configure the authentication key.
- Name—Add a descriptive name for the authentication key.
- Lifetime—Specify the key lifetime to limit how long you can use the authentication key to onboard new firewalls.
- Count—Specify how many times you can use the authentication key to onboard new firewalls.
- Device Type—Specify that this authentication key is used to authenticate only a Firewall. You can select Any to use the device registration authentication key to onboard firewalls, Log Collectors, and WildFire appliances.
- (Optional) Devices—Enter one or more device serial numbers to specify for which firewalls the authentication key is valid.
- Copy Auth Key and Close.
- You cannot bulk import firewalls with more than one virtual system (vsys).
- Add one or more firewalls manually.
- Select Panorama > Managed Devices > Summary and Add a new firewall.
- Enter the firewall Serial number. If you are adding multiple firewalls, enter each serial number on a separate line.
- (Optional) Select Associate Devices to associate the firewall with a device group, template stack, Log Collector, or Collector Group when the firewall first connects to the Panorama management server.
- Enter the device registration authentication key you created.
- Associate your managed firewalls as needed. If you did not select Associate Devices, skip this step and continue to configure the firewall to communicate with Panorama.
- Assign the Device Group, Template Stack, Collector Group, and Log Collector as needed from the drop-down in each column.
- Enable Auto Push on 1st connect to automatically push the device group and template stack configuration to the new devices when they first successfully connect to the Panorama server. The Auto Push on 1st Connect option is supported only on firewalls running PAN-OS® 8.1 and later releases. The commit all job executes from Panorama to managed devices running PAN-OS 8.1 and later releases.
- (Optional) Select a PAN-OS release version (To SW Version column) to begin automatically upgrading the managed firewall to the specified PAN-OS version upon successful connection to the Panorama management server. To upgrade a managed firewall to a target PAN-OS release on first connection, you must install the minimum content release version required for that PAN-OS release before adding the firewall as a managed device. To do this, you must register the firewall, activate the support license, and install the content update before adding the firewall to Panorama management. Leave this column empty if you do not want to automatically upgrade the managed firewall.
- Click OK to add the devices.
- Bulk import multiple firewalls using a CSV file.
- Select Panorama > Managed Devices > Summary and Add your new firewalls.
- Add the device registration authentication key you created.
- Download Sample CSV and edit the downloaded CSV file with the firewalls you are adding. You can choose to assign the firewalls to a device group, template stack, Collector Group, and Log Collector from the CSV, or enter only the firewall serial numbers and assign them from the web interface. Save the CSV after you finish editing.
- Browse to and select the CSV file you edited in the previous step.
- If not already assigned in the CSV, assign the firewalls a Device Group, Template Stack, Collector Group, and Log Collector as needed from the drop-down in each column.
- If not already enabled in the CSV, enable Auto Push on 1st connect to automatically push the device group and template stack configuration to the new devices when they first successfully connect to the Panorama server.
- (Optional) Select a PAN-OS release version (To SW Version column) to begin automatically upgrading the managed firewall to the specified PAN-OS version upon successful connection to the Panorama server. Leave this column empty if you do not want to automatically upgrade the managed firewall.
- Click OK to add the firewalls.
- Configure the firewall to communicate with the Panorama management server. Repeat this step for each firewall the Panorama server will manage.
- Configure the Panorama Settings for the firewall.
- Select Device > Setup > Management and edit the Panorama Settings.
- Enter the Panorama IP address in the first field. Panorama uses a single IP address for device management, log collection, reporting, and dynamic updates. Enter the external, Internet-bound IP address to ensure Panorama can successfully access existing and new managed devices and Log Collectors. If an internal Panorama IP address is configured, you may be unable to manage some devices. For example, if you Install Panorama on AWS and enter the internal IP address, Panorama is unable to manage devices or Log Collectors outside of the AWS security group.
- (Optional) If you have configured a high availability (HA) pair in Panorama, enter the IP address of the secondary Panorama in the second field.
- Enter the Auth key you created on Panorama.
- Commit your changes.
- (Optional) Add a Tag. Tags make it easier for you to find a firewall in a large list; they help you dynamically filter and refine the list of firewalls in your display. For example, if you add a tag called branch office, you can filter for all branch office firewalls across your network.
- Select each firewall and click Tag.
- Click Add, enter a string of up to 31 characters (no empty spaces), and click OK.
- Select Commit > Commit to Panorama and Commit your changes.
- Verify that the firewall is connected to Panorama.
- Click Panorama > Managed Devices > Summary.
- Verify that the Device State for the new device shows as Connected.
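The device registration authentication key settings above (Lifetime, Count, Device Type, Devices, and the 90-day re-certification window) define an admission policy for first connections. The following is an added example that models that policy so you can reason about which onboarding attempts Panorama would accept; it is not Palo Alto Networks code, and the class and method names, the rejection reasons, and the way re-certification resets the 90-day window are assumptions for illustration.

```python
"""Illustrative model of Panorama device registration auth key rules (not PAN-OS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class DeviceRegistrationAuthKey:
    name: str
    created: datetime
    lifetime: timedelta               # Lifetime: onboarding window for new firewalls
    count: int                        # Count: remaining onboarding uses
    device_type: str = "Firewall"     # Device Type: "Firewall" or "Any"
    devices: set = field(default_factory=set)   # Devices: allowed serials; empty = any
    recertified: Optional[datetime] = None      # last re-certification (assumed model)
    system_log: list = field(default_factory=list)  # one entry per use of the key

    def validity_end(self) -> datetime:
        # Key expires 90 days after the lifetime ends unless re-certified;
        # re-certifying is assumed to start a fresh 90-day window.
        base = self.recertified or (self.created + self.lifetime)
        return base + timedelta(days=90)

    def recertify(self, now: datetime) -> None:
        self.recertified = now

    def authorize(self, serial: str, device_type: str, now: datetime):
        """Evaluate one first-connection attempt; returns (accepted, reason)."""
        if now > self.validity_end():
            return self._log(serial, False, "key invalid (not re-certified)")
        if now > self.created + self.lifetime:
            return self._log(serial, False, "key lifetime expired")
        if self.count <= 0:
            return self._log(serial, False, "use count exhausted")
        if self.device_type != "Any" and device_type != self.device_type:
            return self._log(serial, False, f"device type {device_type} not allowed")
        if self.devices and serial not in self.devices:
            return self._log(serial, False, "serial not in key's device list")
        self.count -= 1                # only successful onboardings consume a use
        return self._log(serial, True, "registered")

    def _log(self, serial: str, ok: bool, reason: str):
        # Mirrors the system log Panorama generates each time a key is used.
        self.system_log.append(f"serial={serial} key={self.name} accepted={ok} {reason}")
        return ok, reason
```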