Manage SCTP from Panorama
Use Panorama™ to configure SCTP for firewalls in a device
group and then push the configuration to the Device Group.
Use Panorama™ to configure SCTP security for
firewalls in a Device Group. If your Panorama operates in legacy
mode, allocate log storage quotas to store SCTP logs on a Panorama
Log Collector.
- Log in to your Panorama virtual or M-Series appliance and enable SCTP security.
  - Select Panorama > Setup > Management and edit the General Settings.
  - Enable (select) SCTP Security.
  - Click OK.
- (Panorama in legacy mode only) Allocate log quotas for Panorama. If your Panorama uses legacy mode, the General Information on the Dashboard indicates SystemMode: legacy. In this case, SCTP log storage percentages for firewalls managed by Panorama are required or your commit will fail. The log storage allocations default to 1% but you can increase these allocations.
  - Select Panorama > Setup > Management and edit Logging and Reporting Settings.
  - On the Log Storage tab, for SCTP, enter a Quota (%) (default is 1%). Each SCTP log storage percentage you assign must equate to a minimum of 32MB, as shown to the right of the percentage. You should assign sufficient disk space for SCTP logs based on the number of firewalls you configured with SCTP security that this Panorama appliance is managing.
  - (Optional) The Max Days that Panorama keeps SCTP logs is unlimited by default, but you can specify a limit for the number of days (range is 1 to 2,000).
  - For SCTP Summary, enter a Quota (%) equivalent to a minimum of 32MB (default is 1%). The Max Days that the firewall keeps SCTP Summary logs is unlimited by default, but you can specify a limit for the number of days (range is 1 to 2,000).
  - Enter Quota (%) and Max Days for Hourly SCTP Summary, Daily SCTP Summary, and Weekly SCTP Summary, with each percentage equivalent to at least 32MB (default is 1%).
  - Click OK.

  If your Panorama uses Panorama mode, the General Information on the Dashboard displays SystemMode: panorama. In this case, you do not need to configure any separate SCTP log quotas.
- Create a Device Group. Select Panorama > Device Groups and Add a Device Group that includes the managed firewalls, as described in the Panorama 8.1 Administrator’s Guide.
- Create an SCTP Protection profile for the Device Group.
  - Select Objects > Security Profiles > SCTP Protection.
  - Select the Device Group you created.
  - Add an SCTP Protection profile for the Device Group using the same procedure you use when you Configure SCTP Security on a firewall.
- Apply the SCTP Protection profile to a Security policy rule.
- Create a Panorama template stack. Select Panorama > Templates and Add Stack, as discussed in the Panorama 8.1 Administrator’s Guide (Add a Template).
- Allocate SCTP log quotas for the template stack.
  - Select Device and, for Template, select the template stack you created.
  - Select Setup > Management and edit Logging and Reporting Settings.
  - (VM-Series only) Select Single Disk Storage and Log Storage Quota.
  - (PA-5200 Series only) Select Multi Disk Storage > Session Log Storage and Session Log Quota.
  - For SCTP, enter a Quota (%) (default is 0%). Each SCTP log storage percentage you assign must equate to a minimum of 32MB on the firewall model to which you push the template. Panorama does not know the size of the log partition on the destination firewall, so no equivalent number of bytes is displayed. However, if you try to Commit All Changes, your attempt will fail if the template is pushed to any firewall where the calculation of disk quota does not meet the minimum requirement of 32MB.
  - The Max Days that Panorama keeps SCTP logs is unlimited by default, but you can specify a limit for the number of days (range is 1 to 2,000).
  - For SCTP Summary, enter a Quota (%) that is equivalent to a minimum of 32MB (default is 0%). The Max Days that the firewall keeps SCTP Summary logs is unlimited by default, but you can specify a limit for the number of days (range is 1 to 2,000).
  - Enter Quota (%) and Max Days for Hourly SCTP Summary, Daily SCTP Summary, and Weekly SCTP Summary, with each percentage equivalent to a minimum of 32MB.
  - Click OK.
- Select Commit and Push to Devices to push the SCTP configuration to firewalls in the Device Group. Push an SCTP configuration only to firewalls where SCTP Security is enabled; for those firewalls that do not have SCTP enabled, the commit and push will fail. If the commit fails, enable SCTP Security on the firewalls and Commit from Panorama again.
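
Because Panorama does not display a byte equivalent for template stack quotas, the 32MB minimum can be checked offline before the push. The following is an added example, not part of the original guide or any Palo Alto Networks tooling. The firewall names and log partition sizes are constructed, and it assumes each quota percentage applies to the firewall's total log partition size.

```python
# Pre-push check: does every SCTP quota in a template reach 32MB on each target?
MIN_QUOTA_MB = 32  # minimum per SCTP log type, from the procedure above

SCTP_LOG_TYPES = (
    "SCTP", "SCTP Summary", "Hourly SCTP Summary",
    "Daily SCTP Summary", "Weekly SCTP Summary",
)

def quota_mb(partition_mb, percent):
    """MB a quota percentage yields on a log partition (assumed basis)."""
    return partition_mb * percent / 100.0

def min_percent(partition_mb):
    """Smallest percentage that still reaches the 32MB minimum."""
    return MIN_QUOTA_MB * 100.0 / partition_mb

def check_template(quotas, firewalls):
    """Return (firewall, log_type, allocated_mb, needed_percent) per shortfall."""
    failures = []
    for name, partition_mb in firewalls.items():
        for log_type in SCTP_LOG_TYPES:
            percent = quotas.get(log_type, 0)  # template stack default is 0%
            allocated = quota_mb(partition_mb, percent)
            if allocated < MIN_QUOTA_MB:
                failures.append(
                    (name, log_type, allocated, min_percent(partition_mb)))
    return failures

# Constructed sample data: hypothetical firewalls and log partition sizes in MB.
SAMPLE_FIREWALLS = {"fw-small": 2000, "fw-large": 16000}
# Constructed template quotas; Weekly SCTP Summary left at the 0% default.
SAMPLE_QUOTAS = {
    "SCTP": 1, "SCTP Summary": 1,
    "Hourly SCTP Summary": 1, "Daily SCTP Summary": 1,
}

if __name__ == "__main__":
    for fw, log_type, mb, need in check_template(SAMPLE_QUOTAS, SAMPLE_FIREWALLS):
        print(f"{fw}: {log_type} gets {mb:.1f}MB, needs at least {need:.2f}%")
```

Any row reported here marks a firewall on which the push would not meet the 32MB minimum; raise that quota or remove the firewall from the push scope before committing.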