Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Panorama
Panorama Administrator's Guide
Manage Firewalls
Manage Device Groups
Push a Policy Rule to a Subset of Firewalls

Last Updated:

Mon Mar 14 15:52:55 PDT 2022

Current Version:

9.0 (EoL)

Version 10.2
Version 10.1
Version 10.0
Version 9.1
Version 9.0 (EoL)
Version 8.1 (EoL)
Version 8.0 (EoL)
Version 7.1 (EoL)

End-of-Life (EoL)

Table of Contents

Search the Table of Contents

Panorama Overview

About Panorama

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Templates and Template Stacks

Device Groups

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

User-ID Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Access Domains

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-600 and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Deploy Panorama for Increased Device Management

Install Panorama for Increased Device Management Capacity

Upgrade Panorama for Increased Device Management Capacity

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Perform Initial Configuration of the Panorama Virtual Appliance

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collector

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Mount the Panorama ESXi Server to an NFS Datastore

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platform

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Complete the Panorama Virtual Appliance Setup

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collection

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliances

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected

Activate/Retrieve a Firewall Management License on the M-Series Appliance

Install Content and Software Updates for Panorama

Panorama, Log Collector, Firewall, and WildFire Version Compatibility

Install Updates for Panorama in an HA Configuration

Install Updates for Panorama with an Internet Connection

Install Updates for Panorama When Not Internet-Connected

Migrate Panorama Logs to the New Log Format

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Appliance

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Migrate from an M-100 Appliance to an M-500 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Administrators

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

Configure an Administrator with SSH Key-Based Authentication for the CLI

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrators

Configure SAML Authentication for Panorama Administrators

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panorama

Configure Authentication Using Custom Certificates on Managed Devices

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Manage Firewalls

Add a Firewall as a Managed Device

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device Group

Select a URL Filtering Vendor on Panorama

Must Panorama and Firewalls Have Matching URL Filtering Vendors?

Change the URL Filtering Vendor on HA Panorama

Change the URL Filtering Vendor on non-HA Panorama

Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB

Migrate Panorama and non-HA Firewalls from BrightCloud to PAN-DB

Push a Policy Rule to a Subset of Firewalls

Manage the Rule Hierarchy

Manage Templates and Template Stacks

Template Capabilities and Exceptions

Add a Template

Configure a Template Stack

Configure a Template or Template Stack Variable

Import and Overwrite Existing Template Stack Variables

Override a Template or Template Stack Value

Override a Template Value on the Firewall

Override a Template Value Using a Template Stack

Override a Template or Template Stack Value Using Variables

Disable/Remove Template Settings

Manage the Master Key from Panorama

Redistribute User-ID Information to Managed Firewalls

Transition a Firewall to Panorama Management

Plan the Transition to Panorama Management

Migrate a Firewall to Panorama Management

Migrate a Firewall HA Pair to Panorama Management

Load a Partial Firewall Configuration into Panorama

Localize a Panorama Pushed Configuration on a Managed Firewall

Device Monitoring on Panorama

Monitor Device Health

Monitor Policy Rule Usage

Use Case: Configure Firewalls Using Panorama

Device Groups in this Use Case

Templates in this Use Case

Set Up Your Centralized Configuration and Policies

Add the Managed Firewalls and Deploy Updates

Use Templates to Administer a Base Configuration

Use Device Groups to Push Policy Rules

Preview the Rules and Commit Changes

Manage Log Collection

Configure a Managed Collector

Manage Collector Groups

Configure a Collector Group

Configure Authentication with Custom Certificates Between Log Collectors

Move a Log Collector to a Different Collector Group

Remove a Firewall from a Collector Group

Configure Log Forwarding to Panorama

Forward Logs to Cortex Data Lake

Verify Log Forwarding to Panorama

Modify Log Forwarding and Buffering Defaults

Configure Log Forwarding from Panorama to External Destinations

Log Collection Deployments

Deploy Panorama with Dedicated Log Collectors

Deploy Panorama M-Series Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Manage WildFire Appliances

Add Standalone WildFire Appliances to Manage with Panorama

Configure Basic WildFire Appliance Settings on Panorama

Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Configure Authentication with a Single Custom Certificate for a WildFire Cluster

Apply Custom Certificates on a WildFire Appliance Configured through Panorama

Remove a WildFire Appliance from Panorama Management

Manage WildFire Clusters

Configure a Cluster Centrally on Panorama

Configure a Cluster and Add Nodes on Panorama

Configure General Cluster Settings on Panorama

Remove a Cluster from Panorama Management

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

View WildFire Cluster Status Using Panorama

Upgrade a Cluster Centrally on Panorama with an Internet Connection

Upgrade a Cluster Centrally on Panorama without an Internet Connection

Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

Supported Updates

Schedule a Content Update Using Panorama

Upgrade Log Collectors When Panorama Is Internet-Connected

Upgrade Log Collectors When Panorama Is Not Internet-Connected

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Revert Content Updates from Panorama

Monitor Network Activity

Use Panorama for Visibility

Monitor the Network with the ACC and AppScope

Analyze Log Data

Generate, Schedule, and Email Reports

Ingest Traps ESM Logs on Panorama

Use Case: Monitor Applications Using Panorama

Use Case: Respond to an Incident Using Panorama

Incident Notification

Review the Widgets in the ACC

Review Threat Logs

Review WildFire Logs

Review Data Filtering Logs

Update Security Rules

Panorama High Availability

Panorama HA Prerequisites

Priority and Failover on Panorama in HA

Failover Triggers

HA Heartbeat Polling and Hello Messages

HA Path Monitoring

Logging Considerations in Panorama HA

Logging Failover on a Panorama Virtual Appliance in Legacy Mode

Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Synchronization Between Panorama HA Peers

Manage a Panorama HA Pair

Set Up HA on Panorama

Set Up Authentication Using Custom Certificates Between HA Peers

Test Panorama HA Failover

Switch Priority after Panorama Failover to Resume NFS Logging

Restore the Primary Panorama to the Active State

Administer Panorama

Preview, Validate, or Commit Configuration Changes

Manage Panorama and Firewall Configuration Backups

Schedule Export of Configuration Files

Save and Export Panorama and Firewall Configurations

Revert Panorama Configuration Changes

Configure the Maximum Number of Configuration Backups on Panorama

Load a Configuration Backup on a Managed Firewall

Compare Changes in Panorama Configurations

Manage Locks for Restricting Configuration Changes

Add Custom Logos to Panorama

Use the Panorama Task Manager

Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

Log and Report Expiration Periods

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure the Run Time for Panorama Reports

Monitor Panorama

Panorama System and Configuration Logs

Monitor Panorama and Log Collector Statistics Using SNMP

Reboot or Shut Down Panorama

Configure Panorama Password Profiles and Complexity

Panorama Plugins

About Panorama Plugins

Install Panorama Plugins

VM-Series Plugin and Panorama Plugins

Install the VM-Series Plugin on Panorama

Troubleshooting

Troubleshoot Panorama System Issues

Generate Diagnostic Files for Panorama

Diagnose Panorama Suspended State

Monitor the File System Integrity Check

Manage Panorama Storage for Software and Content Updates

Recover from Split Brain in Panorama HA Deployments

Troubleshoot Log Storage and Connection Issues

Verify Panorama Port Usage

Resolve Zero Log Storage for a Collector Group

Replace a Failed Disk on an M-Series Appliance

Replace the Virtual Disk on an ESXi Server

Replace the Virtual Disk on vCloud Air

Migrate Logs to a New M-Series Appliance in Log Collector Mode

Migrate Logs to a New M-Series Appliance in Panorama Mode

Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

Regenerate Metadata for M-Series Appliance RAID Pairs

Replace an RMA Firewall

Partial Device State Generation for Firewalls

Before Starting RMA Firewall Replacement

Restore the Firewall Configuration after Replacement

Troubleshoot Commit Failures

Troubleshoot Registration or Serial Number Errors

Troubleshoot Reporting Errors

Troubleshoot Device Management License Errors

Complete Content Update When Panorama HA Peer is Down

View Task Success or Failure Status

Test Policy Match and Connectivity for Managed Devices

Troubleshoot Policy Rule Traffic Match

Troubleshoot Connectivity to Network Resources

Increase the System Disk on the Panorama Virtual Appliance in Legacy Mode

Downgrade from Panorama 9.0

Panorama Overview
Set Up Panorama
Manage Firewalls
Manage Log Collection
Manage WildFire Appliances
Manage Licenses and Updates
- Manage Licenses on Firewalls Using Panorama
- Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama
Monitor Network Activity
Panorama High Availability
Administer Panorama
Panorama Plugins
- About Panorama Plugins
  - Install Panorama Plugins
- VM-Series Plugin and Panorama Plugins
  - Install the VM-Series Plugin on Panorama
Troubleshooting

Document:Panorama Administrator's Guide

Push a Policy Rule to a Subset of Firewalls

Last Updated:

Mon Mar 14 15:52:55 PDT 2022

Current Version:

9.0 (EoL)

Version 10.2
Version 10.1
Version 10.0
Version 9.1
Version 9.0 (EoL)
Version 8.1 (EoL)
Version 8.0 (EoL)
Version 7.1 (EoL)

Table of Contents

Search the Table of Contents

Panorama Overview

About Panorama

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Templates and Template Stacks

Device Groups

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

User-ID Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Access Domains

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-600 and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Deploy Panorama for Increased Device Management

Install Panorama for Increased Device Management Capacity

Upgrade Panorama for Increased Device Management Capacity

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Perform Initial Configuration of the Panorama Virtual Appliance

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collector

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Mount the Panorama ESXi Server to an NFS Datastore

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platform

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Complete the Panorama Virtual Appliance Setup

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collection

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliances

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected

Activate/Retrieve a Firewall Management License on the M-Series Appliance

Install Content and Software Updates for Panorama

Panorama, Log Collector, Firewall, and WildFire Version Compatibility

Install Updates for Panorama in an HA Configuration

Install Updates for Panorama with an Internet Connection

Install Updates for Panorama When Not Internet-Connected

Migrate Panorama Logs to the New Log Format

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Appliance

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Migrate from an M-100 Appliance to an M-500 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Administrators

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

Configure an Administrator with SSH Key-Based Authentication for the CLI

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrators

Configure SAML Authentication for Panorama Administrators

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panorama

Configure Authentication Using Custom Certificates on Managed Devices

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Manage Firewalls

Add a Firewall as a Managed Device

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device Group

Select a URL Filtering Vendor on Panorama

Must Panorama and Firewalls Have Matching URL Filtering Vendors?

Change the URL Filtering Vendor on HA Panorama

Change the URL Filtering Vendor on non-HA Panorama

Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB