Strata Copilot
    Panorama Administrator's Guide
    : Prepare Panorama for SCM-Panorama Configuration Sync
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Panorama Plugins
    5. CloudConnector Plugin
    6. Prepare Panorama for SCM-Panorama Configuration Sync
    Download PDF

    Panorama Administrator's Guide

    Prepare Panorama for SCM-Panorama Configuration Sync

    Table of Contents

    Prepare Panorama for SCM-Panorama Configuration Sync

    Install and configure the CloudConnector plugin on Panorama to enable secure communication for SCM-Panorama Configuration Sync.
    Before Strata Cloud Manager can synchronize snippet configurations to your Panorama appliance, complete the following tasks on Panorama in the following order:
    1. Install and enable the CloudConnector plugin.
    2. Enable the SCM-Panorama Configuration Sync feature.
    3. Configure the SCM Service URL.
    4. Fetch a Thermite device certificate.

    Install the CloudConnector Plugin

    1. Log in to the Panorama web interface.
    2. Select PanoramaPlugins.
    3. Under Cloud Services Plugins, locate the CloudConnector plugin.
      If your Panorama is running PAN-OS 11.0.1 or later, the CloudConnector plugin is pre-installed. Verify that you have the latest version before proceeding.
      1. Select Check Now to retrieve the latest available versions.
      2. Download and install the latest version.
        Beginning with PAN-OS 12.1.2, you no longer have to manually find and download compatible plugin versions before installing them. Now, compatible plugins are automatically downloaded with the Panorama image, and you can directly install the ones you need.
      3. Confirm that the plugin status shows as installed in the Currently Installed column.

    Enable SCM-Panorama Configuration Sync

    1. Log in to the Panorama CLI.
    2. Enable the SCM-Panorama Configuration Sync feature. 
      set system setting scm-panorama-config-sync enable yes

    Configure the SCM Service URL

    This procedure requires a root user SSH session.
    Before you begin, contact your Palo Alto Networks account team to obtain the correct SCM admin cluster URL for your region.
    1. Log in to your Panorama appliance as a root user via SSH.
    2. Set the SCM admin cluster URL in the Panorama system database, replacing URL with the URL provided by your Palo Alto Networks account team.
      sdb set system NFW.dev_admin_cluster_url <URL>

    Fetch the Thermite Device Certificate

    The Thermite device certificate authenticates all communication between your Panorama appliance and Strata Cloud Manager. You must generate a One-Time Password (OTP) from the Customer Support Portal to fetch the certificate.
    1. Log in to the CSP.
    2. Navigate to ProductsDevice CertificatesGenerate OTP
    3. Select Generate OTP for a Panorama and click Next.
    4. Select your Panorama device.
    5. Generate an OTP for your Panorama and copy the OTP value.
    6. On the Panorama CLI, fetch the device certificate, replacing OTP_value with the value you copied.
      request certificate fetch otp <OTP_value>
    7. Verify that the command completes without errors.
      Each OTP is valid for a single use. If the certificate fetch fails, generate a new OTP from the CSP and retry.
    After completing these steps, return to Strata Cloud Manager to associate your Panorama with your tenant and begin synchronizing configurations. See Sync Panorama Configurations with SCM Snippets in the Strata Cloud Manager Getting Started Guide.

    © 2026 Palo Alto Networks, Inc. All rights reserved.