Plan Your Panorama Interconnect Deployment

• Review the system requirements for Panorama Interconnect.
  Verify that your Panoramas and managed firewalls meet the minimum resource requirements and that your firewalls are single-vsys firewalls.
• Plan your device group and template stack configuration for your Panorama Nodes and managed firewalls.
  Configuration management is centralized to the Panorama Controller and replicated to all Panorama Nodes managed by the Panorama Controller. Make sure that this configuration is simple, compact, and largely identical across all the Panorama Nodes.
  Interconnect supports centralized configuration based on device groups and templates which includes objects, policies, firewall, and network configuration. Incremental functionality added by Panorama Integration plugins such as NSX, SD-WAN, and Prisma Access are not supported in a Panorama Interconnect deployment.
  When designing your device group and template stack hierarchies, consider the ordering of child device groups and templates within the template stack and be mindful of where specific configuration objects and policy rules are created. This is important to ensure the correct configurations are pushed to your Panorama Nodes.
  If you want to target specific firewalls managed by a Panorama Node, specify the Devices in the child device group and not the parent device group in the device group hierarchy. This is required to push device group configurations to specific firewalls managed by a Panorama node.
  The Panorama Node configuration can only be managed from the Panorama Controller. Configuration changes made on the Panorama Node are overwritten when you synchronize the Panorama Node with the Panorama Controller.
• Set the Panorama Controller and the Panorama Nodes to Management Only mode. See Set Up an M-Series Appliance in Management Only Mode or Set Up a Panorama Virtual Appliance in Management Only Mode for more information on changing your Panorama management server mode.
  Deploying Panorama Interconnect on a Panorama Controller or Panorama Node in Panorama mode with local log collection may result in decreased performance due to high resource demand for management processes and log collection processes.
• Register Panorama and Install Licenses for the Panorama Controller and Panorama Nodes.
• Deploy one or more Dedicated Log Collectors for log collection. See Set Up Panorama for more information on log storage requirements and procedures deploying a Panorama management server in Log Collection mode.
  Logs and report generation are only available from the Panorama Nodes.
• Ensure that the Panorama Controller and all Panorama Nodes are in Operational mode before installing the plugin. The Panorama Interconnect plugin does not support Panorama management servers in FIPS mode, and may cause the Panorama management server to be come unresponsive.
• Obtain a Certificate Authority (CA) and generate the Panorama Node certificate signed by the Panorama Controller CA to create a certificate profile to secure communication between the Panorama Controller and Panorama Nodes.
• Enable HTTPS access on the Panorama Controller, Panorama Nodes and managed firewalls so you can log in to the Panorama web interface and firewall web interfaces. Panorama Interconnect does not support CLI and API access.