Add a Firewall as a Managed Device

To use Panorama for managing your firewalls, you will need to enable a connection between the firewall and Panorama. This connections requires you enter the Panorama IP address on each firewall that will be managed, and to enter the serial number of each firewall on Panorama.
You can only bulk import single vsys firewalls to be managed by Panorama.
The firewall uses the Panorama server IP address to set up an SSL connection to register with Panorama. Panorama and the firewall authenticate each other using 2,048-bit certificates and AES-256 encrypted SSL connections for configuration management and log collection. Prepare Panorama, and each firewall as follows:
  1. Configure the firewall to communicate with Panorama.
    Repeat this step for each firewall Panorama will manage.
    1. Perform initial configuration on the firewall so that it is accessible and can communicate with Panorama over the network.
    2. Configure each data interface you plan to use on the firewall and attach it to a security zone so that you can push configuration and policy from Panorama.
    3. Add the Panorama IP address to the firewall.
      1. Select DeviceSetupManagement and edit the Panorama Settings.
      2. Enter the Panorama IP address in the first field.
        Panorama issues a single IP address for device management, log collection, reporting, and dynamic updates. Enter the external, Internet-bound IP address to ensure Panorama can successfully access existing and new managed devices and Log Collectors. If an internal Panorama IP address is configured, you may be unable to manage some devices. For example, if you Install Panorama on AWS and enter the internal IP address, Panorama is unable to manage devices or Log Collectors outside of the AWS security group.
      3. (Optional) If you have set up a High Availability pair in Panorama, enter the IP address of the secondary Panorama in the second field.
      4. Click OK.
      5. Select Commit and Commit your changes.
  2. Add the firewall to Panorama.
    1. Select PanoramaManaged Devices and click Add.
    2. Enter the serial number for each firewall (one entry per line) that you want to manage centrally using Panorama, and then click OK. The Managed Devices page displays the new firewall.
    3. (Optional) Add a Tag. Tags make it easier for you to find a firewall from a large list; they help you to dynamically filter and refine the list of firewalls that display. For example, if you add a tag called branch office, you can filter for all branch office firewalls across your network.
      1. Select the check box beside the firewall and click Tag.
      2. Click Add, enter a string of up to 31 characters (no empty spaces), and click OK.
    4. If your deployment is using custom certificates for authentication between Panorama and managed devices, deploy the custom client device certificate. For more information, see Set Up Authentication Using Custom Certificates and Add New Client Devices.
    5. Select CommitCommit to Panorama and Commit your changes.
  3. Verify that the firewall is connected to Panorama.
    In the PanoramaManaged Devices page, the Device State column displays whether the firewall is connected or disconnected to Panorama.

Related Documentation