Add a Firewall as a Managed Device

Add a firewall to the Panorama™ management server for centralized configuration management and monitoring.
To use Panorama for managing your firewalls, you need to enable a connection between the firewall and Panorama. A successful connection requires that you enter the Panorama IP address on each firewall that Panorama will manage and enter the serial number of each firewall on Panorama. When you add a firewall as a managed device, you can associate the new firewall with a device group, template stack, collector group, and Log Collector during the initial deployment. Additionally, you have the option to automatically push the configuration to your newly added firewall when the firewall first connects to Panorama, which ensures that firewalls are immediately configured and ready to secure your network.
Adding a firewall as a managed device requires that the total count of managed firewalls not exceed the device management license activated on Panorama. Select Panorama > Licenses to view the Device Management License active on Panorama and the maximum number of managed firewalls supported.
If the firewall you are attempting to add exceeds the device management license limit, the operation is blocked and you are prompted with a warning indicating that adding the firewall to Panorama management failed.
The firewall uses the Panorama management server IP address to set up an SSL connection to register with Panorama. Panorama and the firewall authenticate each other using 2,048-bit certificates and AES-256 encrypted SSL connections for configuration management and log collection. Prepare Panorama and each firewall as follows:
  1. Configure the firewall to communicate with Panorama.
    Repeat this step for each firewall Panorama will manage.
    1. Perform initial configuration on the firewall so that it is accessible and can communicate with Panorama over the network.
    2. Configure each data interface you plan to use on the firewall and attach it to a security zone so that you can push configuration and policy from Panorama.
    3. Add the Panorama IP address to the firewall.
      1. Select Device > Setup > Management and edit the Panorama Settings.
      2. Enter the Panorama IP address in the first field.
        Panorama issues a single IP address for device management, log collection, reporting, and dynamic updates. Enter the external, Internet-bound IP address to ensure Panorama can successfully access existing and new managed devices and Log Collectors. If an internal Panorama IP address is configured, you may be unable to manage some devices. For example, if you install Panorama on AWS and enter the internal IP address, Panorama is unable to manage devices or Log Collectors outside of the AWS security group.
      3. (Optional) If you have set up a high availability (HA) pair in Panorama, enter the IP address of the secondary Panorama in the second field.
      4. Click OK.
      5. Select Commit and Commit your changes.
  2. Add one or more firewalls to Panorama.
    You can bulk import only single-vsys firewalls to the Panorama management server. You cannot bulk import firewalls with more than one virtual system (vsys).
    • Add one or more firewalls.
      1. Add a new managed device (Panorama > Managed Devices > Summary).
      2. Enter the firewall Serial number. If you are adding multiple firewalls, enter each serial number on a separate line. If you want to associate the new firewalls with a device group, template stack, collector group, or Log Collector for the initial deployment, continue to the next step. To manually assign each firewall, click OK and continue to Step 3.
      3. Select the Associate Devices check box and click OK.
      4. Assign the Device Group, Template Stack, Collector Group, and Log Collector as needed from the drop-down for each column.
      5. Enable the Auto Push on 1st connect check box to automatically push the device group and template stack configuration to the new devices when they successfully connect to Panorama.
        The Auto Push on 1st Connect option is supported only on firewalls running PAN-OS 8.1 or later releases. The commit all job executes from Panorama to managed devices running PAN-OS 8.1 and later releases.
      6. Click OK to add the devices.
    • Bulk import multiple firewalls using a comma-separated values (CSV) file.
      1. Add a new managed device (Panorama > Managed Devices > Summary).
      2. Click Import.
      3. Download Sample CSV and edit the downloaded CSV file with the firewalls you are adding. You can choose to assign the firewalls to a device group, template stack, Collector Group, and Log Collector from the CSV or enter only the firewall serial numbers and assign them from the web interface. Save the CSV after you finish editing it.
      4. Browse and select the CSV file you edited in the previous step.
      5. If not already assigned in the CSV, assign the firewalls a Device Group, Template Stack, Collector Group, and Log Collector as needed from the drop-down for each column.
      6. If not already enabled in the CSV, enable the Auto Push on 1st connect check box to automatically push the device group and template stack configuration to the new devices when they successfully connect to Panorama.
      7. Click OK to add the devices.
  3. (Optional) Add a Tag. Tags make it easier for you to find a firewall from a large list; they help you to dynamically filter and refine the list of firewalls in your display. For example, if you add a tag called branch office, you can filter for all branch office firewalls across your network.
    1. Select each firewall and click Tag.
    2. Click Add, enter a string of up to 31 characters (no empty spaces), and click OK.
  4. If your deployment is using custom certificates for authentication between Panorama and managed devices, deploy the custom client device certificate. For more information, see Set Up Authentication Using Custom Certificates and Add New Client Devices.
  5. Select Commit > Commit to Panorama and Commit your changes.
  6. Verify that the firewall is connected to Panorama.
    1. Click Panorama > Managed Devices > Summary.
    2. Verify that the Device State for the new device shows as Connected.
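
Before entering a batch of serial numbers, you can check it offline against the constraints stated in this procedure: the device management license limit, one serial number per line, and tags of up to 31 characters with no spaces. The following is an added example, not Palo Alto Networks code; the function names, the sample serial numbers, and the license limit of 3 are assumptions made for illustration.

```python
"""Pre-flight check for a batch of firewalls before adding them to Panorama."""

MAX_TAG_LEN = 31  # tag length limit stated in the procedure


def parse_serials(text):
    """One serial number per line, as entered in the Serial field; blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def preflight(serial_text, managed_serials, license_limit, tags=()):
    """Return a list of problems; an empty list means the batch passes the checks."""
    problems = []
    seen = set()
    for serial in parse_serials(serial_text):
        if serial in seen:
            problems.append(f"duplicate serial in batch: {serial}")
        elif serial in managed_serials:
            problems.append(f"already managed: {serial}")
        seen.add(serial)
    # Only serials that are not yet managed count against the license.
    to_add = seen - set(managed_serials)
    total = len(managed_serials) + len(to_add)
    if total > license_limit:
        problems.append(
            f"license limit exceeded: {total} managed firewalls, limit {license_limit}")
    for tag in tags:
        if len(tag) > MAX_TAG_LEN:
            problems.append(f"tag longer than {MAX_TAG_LEN} characters: {tag!r}")
        elif any(ch.isspace() for ch in tag):
            problems.append(f"tag contains a space: {tag!r}")
    return problems


# Constructed sample data (placeholders, not real serial numbers).
MANAGED = {"000000000001", "000000000002"}
BATCH = """
000000000003
000000000004
000000000003
000000000002
"""

if __name__ == "__main__":
    for problem in preflight(BATCH, MANAGED, license_limit=3,
                             tags=["branch office", "branch-office"]):
        print("FAIL:", problem)
```

Take the license limit from Panorama > Licenses and the set of already managed serial numbers from Panorama > Managed Devices > Summary.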
