Sitemap

This is a standard content page. It can be authored similiarly to any other content page. To make it the sitemap page, drag the apply the sitemap component to the page placing it in the desired location.

TD2-243 Global Components Validation

Traps Endpoint Security Manager Administrator's Guide

Malware Protection Overview

Exploit Protection Overview

Traps Components

External Logging Platform

Forensic Folder

Traps Deployment Scenarios

Standalone Deployment

Small Deployments

Small Single-Site Deployment

Small Multi-Site Deployment

Large Deployments

Large Single-Site Deployment

Large Multi-Site Deployment with One Endpoint Security Mana...

Large Multi-Site Deployment with Roaming Agents (Without VP...

Large Multi-Site Deployment with Roaming Agents (With VPN)

Hardware Requirements

Standalone Endpoint Security Manager Hardware Requirements

Distributed Endpoint Security Manager Hardware Requirements

Software Requirements

ESM Console Software Requirements

ESM Server Software Requirements

Database Software Requirements

Set Up the Traps Infrastructure

Set Up the Endpoint Infrastructure

Activate Traps Licenses

Set Up the Endpoint Security Manager

Endpoint Infrastructure Installation Considerations

TLS/SSL Encryption for Traps Components

Configure the MS-SQL Server Database

Install the Endpoint Security Manager Server Software

Install the Endpoint Security Manager Console Software

Manage Proxy Communication with the Endpoint Security Manager

Install ESM Components Using Windows Msiexec

Install ESM Components

Uninstall ESM Components

Load Balance Traffic to ESM Servers

Set Up the Endpoints

Recommended Traps Deployment Process

Traps Installation Options

Manage Traps Installation Packages

Verify Connectivity from the ESM Console

VDI

Virtualized Applications and Desktops

Set Up Traps in a VDI Environment

Administer the ESM

Manage ESM Server Settings

Manage ESM Console Settings

Multi-ESM Deployments

Known Limitations with Multi-ESM Deployments

What Logic Does the Agent Use When Selecting an ESM Server?

Manage Multiple ESM Servers

Add a Traps License Using the ESM Console

Add a Traps License Using the DB Configuration Tool

Manage Administrator Access to the ESM Console

Administrative Roles

Administrative Privileges

Administrative Users

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure Administrative Roles

Configure Administrative Users, Groups, or Organizational U...

Configure the Authentication Mode

Change the Ninja-Mode Password

Export and Import Policy Files

User-Defined Rules

Content Updates

Manage Content Updates

Maintain the Endpoints and Traps

Use the Endpoint Security Manager Dashboard

Monitor Security Events

Use the Security Events Dashboard

Manage Security Events

View Security Error Log Details

View the Security Event History on an Endpoint

Monitor the Endpoints

View Endpoint Health Details

View Notifications About Changes in the Agent Status

View the Rule History of an Endpoint

View the Service Status History of an Endpoint

Remove an Endpoint from the Health Page

Monitor the ESM Servers

View the Health of the ESM Servers

View Notifications About the ESM Server

View the Rule Summary

Monitor Data Retrieval

Get Started with Rules

Endpoint Policy Rule Concepts

Policy Rule Types

Policy Enforcement

Default Protection Policy

Common Rule Components and Actions

Define Activation Conditions for a Rule on Windows Endpoint...

Define Activation Condition for a Rule on Mac Endpoints

Define Activation Conditions for Linux

Include or Exclude Endpoints Using Conditions

Delete or Modify a Rule Condition

Manage Endpoint Groups

Name or Rename a Rule

Manage Saved Rules

Disable or Enable All Protection Rules

Show or Hide the Default Policy Rules

Wildcards and Variables in Policy Rules

Wildcards in Policy Rules

Environment Variables in Policy Rules

Environment Variable Support for Windows Vista and Later Re...

Environment Variable Support for Windows XP

Example: Using Wildcards and Variables in Restriction Rules

Process Management

Process Protection Types

Processes Protected by the Default Policy

Add a New Protected Process

Import or Export a Process

View, Modify, or Delete a Process

View Processes Currently Protected by Traps

Malware Protection

Malware Protection Policy Best Practices

Malware Protection Flow

Manage Malware Protection Rules

Malware Protection Rules

Configure Child Process Protection

Configure Anti-Ransomware Protection

Configure the Gatekeeper Enhancement MPM

Manage Restriction Rules

Block Execution from Local Folders

Define External Media Restrictions

Manage Global Whitelists

Add a New Restriction Rule

Whitelist a Network Folder

Restriction Rules

WildFire Integration

WildFire Integration Concepts

File Type Analysis

Set Up the ESM to Communicate with WildFire

Set Up a Private WildFire Cloud

Configure a WildFire Rule

Manage Hashes for Files

View and Search Hashes

Filter File Hash Records

File Hash Search Conditions

Export and Import Hashes

View a WildFire Report

View the History of a Verdict

Override a WildFire Verdict

Recheck a WildFire Decision

Report an Incorrect Verdict

Upload a File to WildFire for Analysis

Manage Quarantine Settings

Restore a Quarantined File

Manage Trusted Signers

Exploit Protection

Exploit Protection Rules

Windows Exploit Protection Modules (EPMs)

Mac Exploit Protection Modules (EPMs)

Linux Exploit Protection Modules

Create an Exploit Protection Rule

Exclude an Endpoint from an Exploit Protection Rule

Manage the Endpoints

Manage Traps Action Rules

Traps Action Rules

Add a New Action Rule

Manage Data Collected by Traps

Uninstall or Upgrade Traps on the Endpoint

Manage Agent Settings Rules

Traps Agent Settings Rules

Add a New Agent Settings Rule

Define Event Logging Preferences

Hide or Restrict Access to the Traps Console

Define Communication Settings Between the Endpoint and the ESM Server

Define Heartbeat Settings Between the Agent and the ESM Ser...

Define Communication Settings Between the Agent and the ESM...

Collect New Process Information

Manage Service Protection

Change the Uninstall Password

Create a Custom User Alert Message

Remove an Endpoint from the Health Page

Install an End-of-Life Traps Agent Version

Forensics Overview

Phase 1: Prevention Event Triggered

Phase 2: Automated Analysis

Phase 3: Automated Detection

Phase 4: Collection of Forensic Data

Forensic Data Types

Best Practices for Managing Forensic Data

Manage Forensics Rules and Settings

Forensics Rules

Change the Default Forensic Folder

Change the Forensic Folder Destination Using the ESM Consol...

Change the Forensic Folder Destination Using the DB Configu...

Create a Forensics Rule

Define Memory Dump Preferences

Define Forensics Collection Preferences

Retrieve Data About a Security Event

Agent Query Flow

Search Endpoints for a File, Folder, or Registry Key

View the Results of an Agent Query

Reports and Logging

Event Log Types

Security Events

Policies - General

Policies - Rules

Policies - Process Management

Policies - Restriction Settings

Policies - Hash Control

Monitor - Agent

Settings - Administration

Settings - Agent

Settings - Conditions

Settings - Licenses

Settings - Installation Package

Common Variables Used in Events

Agent Change Event Variables

ESM Configuration Change Event Variables

Policy Change Event Variables

ESM Server Event Variables

Security Event Monitoring Variables

Forward Logs to an External Logging Platform

Enable Log Forwarding to an External Logging Platform

Enable Log Forwarding to an External Logging Platform Using...

Syslog (RFC5424) Format

Forward Logs to Panorama

Set Up Secure Communication With Panorama

Enable Log Forwarding to Panorama

View ESM Logs and Correlation Events on Panorama

Forward Logs to Email

Enable Log Forwarding to Email

Troubleshooting

Traps Troubleshooting Resources

Traps and Endpoint Security Manager Processes

ESM Tech Support File

Database (DB) Configuration Tool

Access the Database Configuration Tool

Configure Administrative Access to the ESM Console Using th...

Configure ESM Server Settings Using the DB Configuration To...

Customizable ESM Server Settings

View the Status of the Agent Using Cytool

View Processes Currently Protected by Traps Using Cytool

Manage Protection Settings on the Endpoint Using Cytool

Enable or Disable Core Process Protection on the Endpoint

Enable or Disable Registry Protection Settings on the Endpo...

Enable or Disable Traps File Protection Settings on the End...

Enable or Disable Service Protection Settings on the Endpoi...

Use the Security Policy to Manage Service Protection

Manage Traps Drivers and Services on the Endpoint Using Cytool

View Traps Startup Components on the Endpoint

Enable or Disable the Startup of Traps Components on the En...

View Traps Runtime Components on the Endpoint

Start or Stop Traps Runtime Components on the Endpoint

Enable or Disable RPC Services Using Cytool

View and Compare Security Policies on an Endpoint Using Cyt...

View Details About an Active Policy

Compare Policies

Manage Logging of Traps Components Using Cytool

Restore a Quarantined File Using Cytool

View Statistics for a Protected Process Using Cytool

View Details About the Traps Local Analysis Module Using Cy...

View Hash Details About a File Using Cytool

Troubleshoot Traps Issues

Why can’t I install Traps?

Why can’t I upgrade or uninstall Traps?

Why can’t Traps connect to the ESM Server?

How do I fix a Traps server certificate error?

Troubleshoot ESM Console Issues

Why can’t I log in to the ESM Console?

Why do I get a server error when launching the ESM Console?

Why do all endpoints appear as disconnected in the ESM Cons...

Traps Endpoint Security Manager New Features Guide

Upgrade/Downgrade Considerations

Upgrade/Downgrade Considerations

Upgrade to Traps 4.2

Supported Platforms

Traps for Linux

Security Features

Trusted Signer Management

Granular Child Process Evaluation

Operational Features

Virtual Endpoint Groups

Traps Endpoint Security Manager Release Notes

Traps Endpoint Security Manager Release Information

Features Introduced in Traps Endpoint Security Manager

Associated Software and Content Versions

Changes to Default Behavior

Traps Endpoint Security Manager Known Issues

Addressed Issues

Issues Addressed in Traps Endpoint Security Manager 4.2

Traps™ Agent Administrator's Guide

Traps Agent 4.2 for Windows

Traps for Windows Requirements

Install the Traps Agent for Windows

Set Up a Non-Persistent VDI

VDI Installation Considerations

Configure the Golden Image for Non-Persistent VDI

Traps VDI Tool CLI

Configure Storage for a VDI

Tune and Test the VDI Policy

Use the Traps Agent for Windows

Uninstall the Traps Agent for Windows

Troubleshooting Resources for the Traps Agent for Windows

Cytool for Windows

Traps Agent 4.2 for Mac

Traps for Mac Requirements

Install the Traps Agent for Mac

Use the Traps Agent for Mac

Uninstall the Traps Agent for Mac

Troubleshooting Resources for the Traps Agent for Mac

Traps Agent 4.2 for Linux

Traps for Linux Requirements

Install the Traps Agent for Linux

Use the Traps Agent for Linux

Uninstall the Traps Agent for Linux

Troubleshooting Resources for the Traps Agent for Linux

Accio Configuration

Quick Paths Configuration

Advanced Threat Prevention Powered by Precision AI™

Advanced Threat Prevention Administration

Advanced Threat Prevention

Advanced Threat Prevention Detection Services

Threat Signature Categories

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

Share Threat Intelligence with Palo Alto Networks

Advanced Threat Prevention Resources

Configure Threat Prevention

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection (Cloud Management)

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection (NGFW (Managed by PAN-OS or Panorama))

Configure Inline Cloud Analysis

Configure Inline Cloud Analysis (PAN-OS & Panorama)

Configure Inline Cloud Analysis (Strata Cloud Manager)

Prevent Brute Force Attacks

Customize the Action and Trigger Conditions for a Brute Force Signature

Enable Evasion Signatures

Create Threat Exceptions

Create Threat Exceptions (Strata Cloud Manager)

Create Threat Exceptions (NGFW (Managed by PAN-OS or Panorama))

Use DNS Queries to Identify Infected Hosts on the Network

How DNS Sinkholing Works

Configure DNS Sinkholing

Configure DNS Sinkholing for a List of Custom Domains

Configure the Sinkhole IP Address to a Local Server on Your Network

See Infected Hosts that Attempted to Connect to a Malicious Domain

Custom Signatures

Monitor Advanced Threat Prevention

View Threat Logs

View Threat Logs (Cloud Management)

View Threat Logs (NGFW (Managed by PAN-OS or Panorama))

View Advanced Threat Prevention Report

Monitor Blocked IP Addresses

Learn More About Threat Signatures

Create Custom Reports Based on Threat Categories

Advanced URL Filtering

Advanced URL Filtering Administration

URL Filtering Basics

Palo Alto Networks URL Filtering Solution

URL Filtering Support

Local Inline Categorization

How Advanced URL Filtering Works

URL Filtering Profiles

URL Filtering Use Cases

Configure URL Filtering

Activate Advanced URL Filtering License

Activate Advanced URL Filtering License (Strata Cloud Manager)

Activate Advanced URL Filtering License (PAN-OS & Panorama)

Get Started with URL Filtering

Get Started with Advanced URL Filtering (Strata Cloud Manager)

Get Started with Advanced URL Filtering (PAN-OS & Panorama)

Configure URL Filtering

Configure URL Filtering (Strata Cloud Manager)

Configure URL Filtering (PAN-OS & Panorama)

Configure Inline Categorization

Configure Inline Categorization (Strata Cloud Manager)

Configure Inline Categorization (PAN-OS & Panorama)

Configure Inline Categorization (PAN-OS 10.1)

Configure Inline Categorization (PAN-OS 10.2 & Later)

URL Category Exceptions

Guidelines for URL Category Exceptions

Create a Custom URL Category

Create a Custom URL Category (Strata Cloud Manager)

Create a Custom URL Category (PAN-OS & Panorama)

Use an External Dynamic List in a URL Filtering Profile

Use an External Dynamic List in a URL Filtering Profile (Strata Cloud Manager)

Use an External Dynamic List in a URL Filtering Profile (PAN-OS & Panorama)

URL Filtering Best Practices

Test URL Filtering Configuration

URL Filtering Features

Inspect SSL/TLS Handshakes

Inspect SSL/TLS Handshakes (Strata Cloud Manager)

Inspect SSL/TLS Handshakes (PAN-OS & Panorama)

Allow Password Access to Certain Sites

Allow Password Access to Certain Sites (Strata Cloud Manager)

Allow Password Access to Certain Sites (PAN-OS & Panorama)

Credential Phishing Prevention

Methods to Check for Corporate Credential Submissions

Configure Credential Detection with the Windows User-ID Agent

Set Up Credential Phishing Prevention

Set Up Credential Phishing Prevention (Strata Cloud Manager)

Set Up Credential Phishing Prevention (PAN-OS & Panorama)

URL Filtering Response Pages

Predefined URL Filtering Response Pages

URL Filtering Response Page Objects

Customize URL Filtering Response Pages

Customize URL Filtering Response Pages (Strata Cloud Manager)

Customize URL Filtering Response Pages (PAN-OS & Panorama)

Safe Search Enforcement

Safe Search Settings for Search Providers

Block Search Results When Strict Safe Search Is Off

Block Search Results When Strict Safe Search Is Off (Strata Cloud Manager)

Block Search Results When Strict Safe Search Is Off (PAN-OS & Panorama)

Force Strict Safe Search

Force Strict Safe Search (Strata Cloud Manager)

Force Strict Safe Search (PAN-OS & Panorama)

Use Transparent SafeSearch in Prisma Access

Use Transparent SafeSearch in Prisma Access (Strata Cloud Manager)

Use Transparent SafeSearch in Prisma Access (Panorama)

Integrate with a Third-Party Remote Browser Isolation Provider

Monitoring Web Activity

Monitoring Web Activity (Strata Cloud Manager)

Monitoring Web Activity (PAN-OS & Panorama)

View the User Activity Report

View the User Activity Report (Strata Cloud Manager)

View the User Activity Report (PAN-OS & Panorama)

Schedule and Share URL Filtering Reports

Schedule and Share URL Filtering Reports (Strata Cloud Manager)

Schedule and Share URL Filtering Reports (PAN-OS & Panorama)

Log Only the Page a User Visits

Log Only the Page a User Visits (Strata Cloud Manager)

Log Only the Page a User Visits (PAN-OS & Panorama)

HTTP Header Logging

Request to Change the Category of a URL

Request to Change the Category of a URL (PAN-OS & Panorama)

Request to Change the Category of a URL (Test A Site)

Troubleshooting

Problems Activating Advanced URL Filtering

PAN-DB Cloud Connectivity Issues

URLs Classified as Not-Resolved

Incorrect Categorization

Troubleshoot Website Access Issues

Troubleshoot URL Filtering Response Page Display Issues

PAN-DB Private Cloud

How PAN-DB Private Cloud Works

PAN-DB Private Cloud Appliances

Set Up PAN-DB Private Cloud

Configure the PAN-DB Private Cloud

Configure Firewalls to Access the PAN-DB Private Cloud

Configure Authentication with Custom Certificates on the PAN-DB Private Cloud

Advanced WildFire Powered by Precision AI™

WildFire Appliance Administration

WildFire Appliance Overview

About the WildFire Appliance

WildFire Private Cloud

WildFire Hybrid Cloud

WildFire Appliance Interfaces

WildFire Appliance File Type Support

Set Up and Manage a WildFire Appliance

Configure the WildFire Appliance

Forward Files For WildFire Appliance Analysis

Submit Malware or Reports from the WildFire Appliance

Set Up Authentication Using a Custom Certificate on a Standalone WildFire Appliance

WildFire Appliance Mutual SSL Authentication

Configure Authentication with Custom Certificates on the WildFire Appliance

Set Up the WildFire Appliance VM Interface

Virtual Machine Interface Overview

Configure the VM Interface on the WildFire Appliance

Connect the Firewall to the WildFire Appliance VM Interface

Enable WildFire Appliance Analysis Features

Set Up WildFire Appliance Content Updates

Install WildFire Content Updates Directly from the Update Server

Install WildFire Content Updates from an SCP-Enabled Server

Enable Local Signature and URL Category Generation

Submit Locally-Discovered Malware or Reports to the WildFire Public Cloud

Upgrade a WildFire Appliance

Install WildFire Appliance Device Certificate With an Internet Connection

Monitor WildFire Appliance Activity

About WildFire Logs and Reporting

Use the WildFire Appliance to Monitor Sample Analysis Status

View WildFire Analysis Environment Utilization

View WildFire Sample Analysis Processing Details

Use the WildFire CLI to Monitor the WildFire Appliance

View the WildFire Appliance System Logs

Use the Firewall to Monitor WildFire Appliance Submissions

View WildFire Appliance Logs and Analysis Reports

WildFire Appliance Clusters

WildFire Appliance Cluster Resiliency and Scale

WildFire Cluster High Availability

Benefits of Managing WildFire Clusters Using Panorama

WildFire Appliance Cluster Management

Deploy a WildFire Cluster

Configure a Cluster Locally on WildFire Appliances

Configure a Cluster and Add Nodes Locally

Configure General Cluster Settings Locally

Remove a Node from a Cluster Locally

Configure WildFire Appliance-to-Appliance Encryption

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Through the CLI

Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI

Monitor a WildFire Cluster

View WildFire Cluster Status Using the CLI

WildFire Application States

WildFire Service States

Upgrade WildFire Appliances in a Cluster

Upgrade a Cluster Locally with an Internet Connection

Upgrade a Cluster Locally without an Internet Connection

Troubleshoot a WildFire Cluster

Troubleshoot WildFire Split-Brain Conditions

What Causes a Split-Brain Condition?

Determine if the WildFire Cluster is in a Split-Brain Condition

Recover From a Split-Brain Condition

Use the WildFire Appliance CLI

WildFire Appliance Software CLI Concepts

WildFire Appliance Software CLI Structure

WildFire Appliance Software CLI Command Conventions

WildFire Appliance CLI Command Messages

WildFire Appliance Command Option Symbols

WildFire Appliance Privilege Levels

WildFire CLI Command Modes

WildFire Appliance CLI Configuration Mode

Configuration Mode Command Usage

Configuration Hierarchy

Hierarchy Paths

Navigate the Hierarchy

WildFire Appliance CLI Operational Mode

Access the WildFire Appliance CLI

Establish a Direct Console Connection

Establish an SSH Connection

WildFire Appliance CLI Operations

Access WildFire Appliance Operational and Configuration Modes

Display WildFire Appliance Software CLI Command Options

Restrict WildFire Appliance CLI Command Output

Set the Output Format for WildFire Appliance Configuration Commands

WildFire Appliance Configuration Mode Command Reference

set deviceconfig cluster

set deviceconfig high-availability

set deviceconfig setting management

set deviceconfig setting wildfire

set deviceconfig system eth2

set deviceconfig system eth3

set deviceconfig system panorama local-panorama panorama-server

set deviceconfig system panorama local-panorama panorama-server-2

set deviceconfig system update-schedule

set deviceconfig system vm-interface

WildFire Appliance Operational Mode Command Reference

clear high-availability

create wildfire api-key

delete high-availability-key

delete wildfire api-key

delete wildfire-metadata

disable wildfire

edit wildfire api-key

load wildfire api-key

request cluster decommission

request cluster reboot-local-node

request high-availability state

request high-availability sync-to-remote

request system raid

request wildfire sample redistribution

request system wildfire-vm-image

request wf-content

save wildfire api-key

set wildfire portal-admin

show cluster all-peers

show cluster controller

show cluster data migration status

show cluster membership

show cluster task

show high-availability all

show high-availability control-link

show high-availability state

show high-availability transitions

show system raid

submit wildfire local-verdict-change

show wildfire global

show wildfire local

test wildfire registration

Advanced WildFire Administration

Advanced WildFire Overview

Subscription Options

Advanced WildFire Concepts

Firewall Forwarding

Session Information Sharing

Session Information Sharing (Cloud Management)

Session Information Sharing (PAN-OS & Panorama)

Analysis Environment

Advanced WildFire Inline ML

Email Link Analysis

Compressed and Encoded File Analysis

Advanced WildFire Signatures

Advanced WildFire Inline Cloud Analysis

Advanced WildFire Deployments

Advanced WildFire Public Cloud

WildFire Private Cloud

WildFire Hybrid Cloud

WildFire FedRAMP-Authorized Cloud Platforms

Advanced WildFire Government Cloud

Advanced WildFire Public Sector Cloud

WildFire: U.S. Government Cloud

File Type Support

Supported File Types (Complete List)

Advanced WildFire Example

Get Started with Advanced WildFire

Advanced WildFire Deployment Best Practices

Advanced WildFire Best Practices

Configure Advanced WildFire Analysis

Forward Files for Advanced WildFire Analysis

Forward Files for Advanced WildFire Analysis (Cloud Management)

Forward Files for Advanced WildFire Analysis (PAN-OS & Panorama)

Manually Upload Files to the WildFire Portal

Forward Decrypted SSL Traffic for Advanced WildFire Analysis

Enable Advanced WildFire Inline ML

Enable Advanced WildFire Inline ML (PAN-OS & Panorama)

Enable Advanced WildFire Inline ML (Cloud Management)

Enable Hold Mode for Real-Time Signature Lookup

Verify Sample Submissions

Test a Sample Malware File

Verify File Forwarding

Sample Removal Request

Firewall File-Forwarding Capacity by Model

Enable Advanced WildFire Inline Cloud Analysis

Configure the Content Cloud FQDN Settings

Monitor Activity

About WildFire Logs and Reporting

Advanced WildFire Analysis Reports—Close Up

Configure WildFire Submission Log Settings

Enable Logging for Benign and Grayware Samples

Include Email Header Information in WildFire Logs and Reports

Set Up Alerts for Malware

View WildFire Logs and Analysis Reports

View WildFire Logs and Analysis Reports (PAN-OS & Panorama)

View WildFire Logs and Analysis Reports (Cloud Management)

Use the WildFire Portal to Monitor Malware

Configure WildFire Portal Settings

Add WildFire Portal Users

View Reports on the WildFire Portal

AI Access Security

Activation & Onboarding

AI Access Security Licenses

AI Access Setup Prerequisites

Activate the AI Access Security License

Activate the AI Access Security License for New Customers

Activate the AI Access Security License for Existing Customers

New Prisma Access User

Activate the AI Access Security License (New Deployments)

Activate the AI Access Security License (Existing Deployments)

Convert an AI Access Security Trial License to a Production License

Renew an AI Access Security License

Associate Devices with AI Access Security

AI Access Security Setup Prerequisites

Convert an AI Access Security Evaluation License to a Production License

New Feaures in AI Access Security

New Features in July 2024

New Features in November 2024

Addressed Issues

Getting Started

Introducing AI Access Security

Identify and Control GenAI Apps

Comprehensive Visualization and Reporting

Data Protection

What's Supported with AI Access Security?

Supported AI Access Security Use Cases

GenAI Apps Supported by AI Access Security

Perform Initial AI Access Security Configuration

Enable Role Based Access to AI Access Security

Enable Role Based Access for AI Access Security (NGFW Managed by Panorama)

Enable Role Based Access for AI Access Security (Prisma Access Managed by Panorama)

Enable Role Based Access for AI Access Security (NGFW Managed by Strata Cloud Manager)

Enable Role Based Access for AI Access Security (Prisma Access Managed by Strata Cloud Manager)

Associate the Application-Tagging Snippet

Discover Risks Posed by GenAI Apps

Discover Risks Posed by GenAI Apps by Use Case

Discover Risks Posed by GenAI Apps by Risky Apps

Discover Risks Posed by GenAI Apps by App Users

Tag GenAI Apps in the Application Config

Tag GenAI Apps in the Insights Dashboard

View the Risk Scores Assigned to GenAI Apps

Use Application Filters for GenAI Apps

Use Application Filters for GenAI Apps on Strata Cloud Manager

Use Application Filters for GenAI Apps on Panorama

Modify Default GenAI App Access Policy Rule to Control GenAI Access

Create Custom Security Policy Rules to Control GenAI Access

Create Custom Policy Rules to Control GenAI App Usage (Strata Cloud Manager)

Create Custom Policy Rules to Control GenAI App Usage (Panorama)

AI Access Security Recommendations

AI Runtime Security

AI Runtime Security Release Notes

New Features in AI Runtime Security

What's New in September 2024

What's New in October 2024

What's New in November 2024

Addressed Issues

AI Runtime Security Overview

AI Models on Public Clouds Support Table

Discover Your Cloud Resources

Analyze Risk in Network Traffic

Deploy AI Runtime Security: Network Intercept in Public Clouds

Deploy AI Runtime Security: Network Intercept in GCP

Deploy AI Runtime Security: Network Intercept in Azure

Deploy AI Runtime Security: Network Intercept in AWS

Configure Strata Cloud Manager to Secure VM Workloads and Kubernetes Clusters

GCP

AWS

Detect and Alert on Malicious Traffic with the AI Security Log Viewer

Explore OWASP Coverage in AI Runtime Security

Use case: Inspect Traffic between User and AI Medical Assistant

Create Security Policy Rule to Prevent AI Security Threats

Create Model Groups for Customized Protections

Create Traffic Objects for Zone-Based Security

Create an AI Security Profile

Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules

Activation & Onboarding

AI Runtime Security Licenses

Activate Your Software NGFW Credits

Activate Strata Logging Service

Create and Associate a Deployment Profile for AI Runtime Security: Network Intercept

Generate a Device Certificate

AI Runtime Security Setup Prerequisites

Onboard and Activate a Cloud Account in Strata Cloud Manager

Onboard Cloud Account in GCP

GCP Cloud Account Onboarding Prerequisites

Onboard GCP Cloud Account in Strata Cloud Manager

Onboard Cloud Account in Azure

Azure Cloud Account Onboarding Prerequisites

Onboard Azure Cloud Account in Strata Cloud Manager

Onboard Cloud Account in AWS

AWS Cloud Account Onboarding Prerequisites

Onboard AWS Cloud Account in Strata Cloud Manager

Manage Onboarded Cloud Accounts in Strata Cloud Manager

AI Runtime Security: API Intercept Overview

Create and Associate a Deployment Profile for AI Runtime Security: API Intercept

Manage Deployment Profile in the Customer Support Portal (CSP)

Onboard AI Runtime Security: API Intercept in Strata Cloud Manager

Manage AI Runtime Security: API Intercept Scan Logs

Manage Applications, API Keys, and Security Profiles

AutoFocus™ Administrator’s Guide

Get Started With AutoFocus

About AutoFocus

First Look at the AutoFocus Portal

AutoFocus Concepts

Use AutoFocus with the Palo Alto Networks Firewall

AutoFocus Portal Settings

Activate AutoFocus Licenses

AutoFocus Dashboard

Dashboard Overview

Set the Dashboard Date Range

Drill Down on Dashboard Widgets

Customize the Dashboard

AutoFocus Search

Start a Quick Search

Work with the Search Editor

Drill Down in Search Results

Set Up Remote Search

General Artifacts

Sample Artifacts

Session Artifacts

Analysis Artifacts

Windows Artifacts

Android Artifacts

Search Operators and Values

Guidelines for Partial Searches

Contains and Does Not Contain Operators

Proximity Operator

AutoFocus Alerts

Supported TLS Ciphers

Define Alert Actions

Enable Alerts by Tag Type

Create Alert Exceptions

View Alerts in AutoFocus

Find Samples by Tag Details

Filter and Sort Tags

Find the Top Tags Detected During a Date Range

Vote for, Comment on, and Report Tags

Assess AutoFocus Artifacts

Find High-Risk Artifacts

Add High-Risk Artifacts to a Search or Export List

Export AutoFocus Content

Export AutoFocus Artifacts

Build an AutoFocus Export List

Create a CSV File

Use Export Lists with the Palo Alto Networks Firewall

Export AutoFocus Page Content

Export AutoFocus Dashboard and Reports

AutoFocus Reports

Reports Overview

Customize Reports

Scheduled Reporting

Use the Threat Summary Report to Observe Malware Trends

Threat Summary Report Overview

View Threat Summary Report Details

AutoFocus Feeds

Create Custom Feeds

Use AutoFocus Custom Feeds with the Palo Alto Networks Firewall

Manage Custom Feeds

see-the-top-tags-found-with-search-results

domain-url-and-ip-address-information

AutoFocus Dashboard

Dashboard Overview

Set the Dashboard Date Range

introduction-to-minemeld

create-alert-exceptions

manage-threat-indicators

use-autofocus-hosted-minemeld

autofocus-concepts

use-export-lists-with-the-palo-alto-networks-firewall

delete-a-minemeld-node

find-the-top-tags-detected-during-a-date-range

create-a-minemeld-node

add-high-risk-artifacts-to-a-search-or-export-list

vote-for-comment-on-and-report-tags

create-a-csv-file

find-high-risk-artifacts

connect-minemeld-nodes

filter-and-sort-tags

define-alert-actions

forward-minemeld-indicators-to-autofocus

forward-autofocus-indicators-to-minemeld

autofocus-portal-settings

enable-alerts-by-tag-type

troubleshoot-minemeld

export-autofocus-artifacts

view-alerts-in-autofocus

find-samples-by-tag-details

use-autofocus-miners-with-the-palo-alto-networks-firewall

set-the-dashboard-date-range

build-an-autofocus-export-list

autofocus-prototypes

start-stop-and-reset-minemeld

AutoFocus® API Reference

About the AutoFocus API

AutoFocus API Overview

AutoFocus API Prerequisites

AutoFocus API Rate Limits

Rate Limits and Points Allotment

How to Track Points

AutoFocus API Resources

Resources for Initiating Searches

Resources for Viewing Search Results

Resources for Direct Searches

AutoFocus API STIX Support

STIX Elements and Fields

Get Started with the AutoFocus API

Get Your API Key

Make Your First AutoFocus API Calls

Perform AutoFocus Searches

Search Samples and Sessions

Search Field Names

General Artifacts

Sample Artifacts

Session Artifacts

Analysis Artifacts

Linux Artifacts

Windows Artifacts

Android Artifacts

Macro Artifacts

Search Parameter Types and Operators

Search Countries and Country Codes

Search Top Tags, Session Histogram, and Session Aggregate Data

Search for Signatures

View Search Results

Perform Direct Searches

Get Session Details

Get Sample Analysis

Get Tag Details

Get Threat Indicator Feed

Get Custom Threat Indicator Feed

Get Threat Intelligence Card Summary

Get Anti-spyware, Vulnerability, and File-Format Signature

Get Antivirus Signature

Get DNS Signature

Get Geolocation

Get Anti-spyware, Vulnerability, and File-Format Release Info

AutoFocus API Error Codes

AutoFocus API Error Codes

Self-Serve Application Experience Troubleshooting

Application Experience User Interface

Open the Application Experience UI

Using the Application Experience UI

User Notifications

Data Security Notifications

Device Notifications

High CPU Consumption

High Memory Consumption

WiFi Notifications

Poor WiFi Connection

WiFi Connection Switchover

WiFi Disconnected

Internet Notifications

Internet Disconnected

AI-Powered Autonomous DEM Release Notes

Release Updates

What’s New—Autonomous DEM

Known Issues—Autonomous DEM

Addressed Issues—Autonomous DEM

ADEM Support Tables

Access Experience Agent 5.1 Release Notes

Access Experience Agent 5.1 Release Updates

What’s New—ADEM Access Experience Agent

Known Issues—ADEM Access Experience Agent

Addressed Issues—Autonomous DEM

Access Experience Agent 5.3 Release Notes

Access Experience Agent 5.3 Release Updates

Known Issues—Autonomous DEM Access Experience Agent

Addressed Issues—Autonomous DEM Access Experience Agent

Access Experience Agent 5.4 Release Notes

Access Experience Agent 5.4 Release Updates

Known Issues—Autonomous DEM Access Experience Agent

Autonomous DEM for China

Autonomous DEM for China

Products That Use Autonomous DEM

ADEM Monitoring and Tests

ADEM Monitoring and Tests for Mobile Users

ADEM Monitoring and Tests for Remote Sites

Get Started with Autonomous DEM

Get Started with Autonomous DEM For Mobile Users

Autonomous DEM for Hybrid Workforce

Get Started with Autonomous DEM For Remote Sites

Role Based Access Control in ADEM

Enable ADEM for Your Mobile Users

Enable ADEM in Panorama Managed Prisma Access for Mobile Users

Enable ADEM in Cloud Managed Prisma Access for Mobile Users

Enable ADEM for Your Remote Sites

Enable ADEM in Panorama Managed Prisma Access for Remote Sites

Enable ADEM in Cloud Managed Prisma Access for Remote Sites

Go to Autonomous DEM in Prisma Access

First Look at Autonomous DEM Dashboards

Experience Score

Time Range Filter

Summary Dashboard

Summary - Experience

Summary - Performance Trends for Mobile Users

Summary - Performance Trends for Remote Sites

Applications Dashboard

Applications - Applications Tab

Applications - Application Tests

Application Details

Application Details - Experience

Synthetics for an Application

Zoom Performance Analysis for an Application

Application Details - Performance Trends for Mobile Users

Application Details - Performance Trends for Remote Sites

Monitored Mobile Users Dashboard

Monitored Mobile Users - User Experience

Monitored Mobile Users - Self-Serve

Synthetics for a Mobile User

Zoom Performance Analysis for Mobile Users

Monitored Remote Sites Dashboard

Calculating Experience Score for Remote Sites

Remote Site Details

Types of Monitored Paths

Prisma Access Locations Dashboard

Prisma Access Locations - Map View

Prisma Access Locations - List View

Prisma Access Location Details

ADEM Settings Dashboard

ADEM Settings - Endpoint Agent Management

ADEM Settings - Remote Site Agent Management

ADEM Settings - Health Score Profiles

ADEM Settings - Audit Logs

ADEM Settings - License Details

Set up an Autonomous DEM Application Test

Manage Autonomous DEM

Manage Autonomous DEM Mobile Users

Manage Autonomous DEM Remote Sites

ADEM Self-Serve

Default Settings

Example User View of Notification

Application Experience User Interface

Open the Application Experience UI

Using the Application Experience UI

Enable and Configure ADEM Self-Serve

Enable ADEM Self-Serve

Select the Types of Notifications to Send

Adjust the Notification Threshold

Select Mobile Users and Groups to Send Notifications

Threshold for Notification Generation

Time Interval between User Notifications

IT View of End User Notification Statistics

View Self-Serve Related Metrics for All Users

View if Self-Serve is Enabled for a User

View Total Number of Notifications Sent to Each User

View Total Number of CPU or Memory Notifications Sent to a User

View Total Number of WiFi Notifications Sent to a User

Retrieving Past Notifications

Autonomous DEM Zoom Integration

Enable Zoom Integration with ADEM

Disable Zoom Monitoring

Access Zoom Application Experience Data

Zoom Performance Analysis for Mobile Users

Zoom Performance Analysis for an Application

Possible Root Causes for Performance Degradation

ADEM Data Collection and Agent Processes

Manage Autonomous DEM Agent Upgrades

Manually Upgrade Autonomous DEM Agent using MSI

Release Updates

Certificate Renewal for ADEM before June 3, 2022

Transition to the Prisma SASE Platform

What’s New—Autonomous DEM

Known Issues—Autonomous DEM

Addressed Issues—Autonomous DEM

AI-Powered ADEM Administrator’s Guide

Autonomous Digital Experience Management (ADEM)

Products That Use Autonomous DEM

Types of Application Experience Monitoring

Get Started with Autonomous DEM

Get Started Monitoring Mobile User Experience

Enable ADEM to Monitor Mobile User Experience

Strata Cloud Manager

Create an Application Test to Monitor Mobile User Experience

Browser-Based Real User Monitoring for Real-Time Application Experience Visibility

Configure Agent-Based Proxy for ADEM

Monitor Application Experience with Application Tests

Assign Application Tests to Monitor Application Experience

Create an Application Suite to Monitor a Group of Apps

How Often ADEM Runs Synthetic Tests

How ADEM Calculates Experience Score

Get Started Monitoring Remote Site Experience

Enable ADEM for Your Remote Sites

Strata Cloud Manager

Create an Application Test to Monitor Remote Site Experience

ADEM Dashboards

Filter Application Experience by Time Range

View Application Experience Across Your Organization

View Application Experience for a Specific Application

View Application Experience for a Specific User

View Application Experience for Monitored Users

View Application Experience for Branch Sites

View Application Experience for Prisma Access Locations

ADEM Self-Serve

Default Settings

Example User View of Notification

Application Experience User Interface

Open the Application Experience UI

Using the Application Experience UI

Enable and Configure ADEM Self-Serve

Enable ADEM Self-Serve

Select the Types of Notifications to Send

Adjust the Notification Threshold

Select Mobile Users and Groups to Send Notifications

Threshold for Notification Generation

Time Interval between User Notifications

IT View of End User Notification Statistics

View Self-Serve Related Metrics for All Users

View if Self-Serve is Enabled for a User

View Total Number of Notifications Sent to Each User

View Total Number of CPU or Memory Notifications Sent to a User

View Total Number of WiFi Notifications Sent to a User

Retrieving Past Notifications

About Access Analyzer

Create a Natural Language Query

Start a New Query

Manage Queries from the Query Results Page

Identify When a Security Profile is Blocking User Access

Autonomous DEM Zoom Integration

Enable Zoom Integration with ADEM

Disable Zoom Monitoring

Access Zoom Application Experience Data

Zoom Performance Analysis

Zoom Integration Tab

Zoom Integration Experience Cards

Zoom User Experience Summary

Zoom Poor Performance Root Causes

Users Experiencing Impacted Meetings

Global Distribution of Impacted Meetings

Zoom Performance Analysis for Mobile Users

Zoom Performance Analysis for Mobile Users

Overall Zoom Performance Impact

Zoom Application Experience

Zoom Integration

Possible Root Causes for Performance Degradation

Microsoft Teams Integration with ADEM

View Microsoft Teams Application Experience Data

View Microsoft Teams User Experience Data

View App Acceleration Metrics with AI-Powered ADEM

Autonomous DEM for Hybrid Workforce

Certificate Renewal for Autonomous Digital Experience Management

Role-Based Access Control in ADEM

ADEM Data Collection and Agent Processes

Manage Autonomous DEM Agent Upgrades

ADEM Support Tables

Reusable Components

Best Practices for Managing Firewalls with Panorama

Best Practices to Add Firewalls to Panorama

Use Case - Onboarding New Next-Generation Firewalls to Panorama

Use Case - Migrate Your Next-Generation Firewalls to Panorama

Best Practices for Firewall Configuration Management on Panorama

Manage Your Device Group Configurations on Panorama

Manage Your Template and Template Stack Configuration on Panorama

Manage the Template and Template Stack Variables on Panorama

Best Practices for Configuration Change Management

Manage Admin Roles and Access Domains from Panorama

Simplify Security Rules Managed by Panorama

Configuration Change Management for Large Teams

Commit Your Panorama Configuration Changes

Push Your Panorama Configuration Changes

Best Practices for Monitoring and Visibility on Panorama

Design Your Logging Infrastructure

Monitoring the Application Command Center (ACC) and Logs on Panorama

Generate Standard and Custom Reports on Panorama

User-ID Best Practices

User-ID Best Practices

Get Started with User-ID Best Practices

User-ID Best Practices for GlobalProtect

User-ID Best Practices for Syslog Monitoring

User-ID Best Practices for Redistribution

User-ID Best Practices for Group Mapping

User-ID Best Practices for Dynamic User Groups

Decryption Best Practices

Decryption Best Practices

Plan Your SSL Decryption Best Practice Deployment

Deploy SSL Decryption Using Best Practices

Follow Post-Deployment SSL Decryption Best Practices

Data Center Best Practice Security Policy

Data Center Security Policy Best Practices Checklist

Plan Your Data Center Best Practice Deployment

Deploy Data Center Best Practices

Global Data Center Objects, Policies, and Actions

User Data Center Traffic Policies

Internet-to-Data-Center Traffic Policies

Data-Center-to-Internet Traffic Policies

Intra-Data-Center Traffic Policy

Data Center Security Policy Rulebase Order

Follow Post-Deployment Data Center Best Practices

Data Center Best Practice Security Policy

What Is a Data Center Best Practice Security Policy?

Why Do I Need a Data Center Best Practice Security Policy?

Data Center Best Practice Methodology

How Do I Deploy a Data Center Best Practice Security Policy

How to Assess Your Data Center

How to Decrypt Data Center Traffic

Create the Data Center Best Practice Decryption Profiles

Exclude Unsuitable Traffic from Data Center Decryption

Create a Data Center Segmentation Strategy

How to Segment the Data Center

How to Segment Data Center Applications

How to Create Data Center Best Practice Security Profiles

Create the Data Center Best Practice Antivirus Profile

Create the Data Center Best Practice Anti-Spyware Profile

Create the Data Center Best Practice Vulnerability Protecti...

Create the Data Center Best Practice File Blocking Profile

Create the Data Center Best Practice WildFire Analysis Prof...

Use Traps to Protect Data Center Endpoints

Create Data Center Traffic Block Rules

Define the Initial User-to-Data-Center Traffic Security Pol...

User-to-Data-Center Traffic Security Approaches

Create User-to-Data-Center Application Allow Rules

Create User-to-Data-Center Authentication Policy Rules

Create User-to-Data-Center Decryption Policy Rules

Define the Initial Internet-to-Data-Center Traffic Security...

Internet-to-Data-Center Traffic Security Approach

Create Internet-to-Data-Center Application Allow Rules

Create Internet-to-Data-Center Decryption Policy Rules

Create Internet-to-Data-Center-DoS-Protection-Policy-Rules

Define the Initial Data-Center-to-Internet Traffic Security...

Data-Center-to-Internet Traffic Security Approaches

Create Data-Center-to-Internet Application Allow Rules

Create Data-Center-to-Internet Decryption Policy Rules

Define the Initial Intra-Data-Center Traffic Security Polic...

Intra-Data-Center Traffic Security Approach

Create Intra-Data-Center Application Allow Rules

Create Intra-Data-Center Decryption Policy Rules

Order the Data Center Security Policy Rulebase

Log and Monitor Data Center Traffic

What Data Center Traffic to Log and Monitor

Monitor Data Center Block Rules and Tune the Rulebase

Log Intra Data Center Traffic That Matches the Intrazone Al...

Log Data Center Traffic that Matches No Interzone Rules

Maintain the Data Center Best Practice Rulebase

Use Palo Alto Networks Assessment and Review Tools

Best Practices for Migrating to Application-Based Policy

Best Practices for Migrating to Application-Based Policy

Safe Application Enablement Via a Phased Transition

Migrate a Port-Based Policy to PAN-OS Using Expedition

Migrate to Application-Based Policy Using Policy Optimizer

Convert Simple Rules with Few Well-Known Applications

Rules to Begin Converting After 30 Days

Remove Unused Rules

Convert the Most Stable Rules

Convert the Web Access Rule Using Subcategories

Convert Rules with the Most Traffic

Convert Rules With Few Apps Seen Over a Time Period

Next Steps to Adopt Security Best Practices

Administrative Access Best Practices

Administrative Access Best Practices

Plan Administrative Access Best Practices

Deploy Administrative Access Best Practices

Maintain Administrative Access Best Practices

Data Center Best Practice Security Policy

Data Center Security Policy Best Practices Checklist

Plan Your Data Center Best Practice Deployment

Deploy Data Center Best Practices

Global Data Center Objects, Policies, and Actions

User Data Center Traffic Policies

Internet-to-Data-Center Traffic Policies

Data-Center-to-Internet Traffic Policies

Intra-Data-Center Traffic Policy

Data Center Security Policy Rulebase Order

Follow Post-Deployment Data Center Best Practices

Data Center Best Practice Security Policy

What Is a Data Center Best Practice Security Policy?

Why Do I Need a Data Center Best Practice Security Policy?

Data Center Best Practice Methodology

How Do I Deploy a Data Center Best Practice Security Policy

How to Assess Your Data Center

How to Decrypt Data Center Traffic

Create the Data Center Best Practice Decryption Profiles

Exclude Unsuitable Traffic from Data Center Decryption

Create a Data Center Segmentation Strategy

How to Segment the Data Center

How to Segment Data Center Applications

How to Create Data Center Best Practice Security Profiles

Create the Data Center Best Practice Antivirus Profile

Create the Data Center Best Practice Anti-Spyware Profile

Create the Data Center Best Practice Vulnerability Protecti...

Create the Data Center Best Practice File Blocking Profile

Create the Data Center Best Practice WildFire Analysis Prof...

Use Traps to Protect Data Center Endpoints

Create Data Center Traffic Block Rules

Define the Initial User-to-Data-Center Traffic Security Pol...

User-to-Data-Center Traffic Security Approaches

Create User-to-Data-Center Application Whitelist Rules

Create User-to-Data-Center Authentication Policy Rules

Create User-to-Data-Center Decryption Policy Rules

Create User-to-Data-Center Application Allow Rules

Define the Initial Internet-to-Data-Center Traffic Security...

Internet-to-Data-Center Traffic Security Approach

Create Internet-to-Data-Center Application Whitelist Rules

Create Internet-to-Data-Center Decryption Policy Rules

Create Internet-to-Data-Center-DoS-Protection-Policy-Rules

Create Internet-to-Data-Center Application Allow Rules

Define the Initial Data-Center-to-Internet Traffic Security...

Data-Center-to-Internet Traffic Security Approaches

Create Data-Center-to-Internet Application Whitelist Rules

Create Data-Center-to-Internet Decryption Policy Rules

Create Data-Center-to-Internet Application Allow Rules

Define the Initial Intra-Data-Center Traffic Security Polic...

Intra-Data-Center Traffic Security Approach

Create Intra-Data-Center Application Whitelist Rules

Create Intra-Data-Center Decryption Policy Rules

Create Intra-Data-Center Application Allow Rules

Order the Data Center Security Policy Rulebase

Log and Monitor Data Center Traffic

What Data Center Traffic to Log and Monitor

Monitor Data Center Block Rules and Tune the Rulebase

Log Intra Data Center Traffic That Matches the Intrazone Al...

Log Data Center Traffic that Matches No Interzone Rules

Maintain the Data Center Best Practice Rulebase

Use Palo Alto Networks Assessment and Review Tools

Decryption Best Practices

Decryption Best Practices

Plan Your SSL Decryption Best Practice Deployment

Deploy SSL Decryption Using Best Practices

Follow Post-Deployment SSL Decryption Best Practices

Best Practices for Migrating to Application-Based Policy

Best Practices for Migrating to Application-Based Policy

Safe Application Enablement Via a Phased Transition

Migrate a Port-Based Policy to PAN-OS Using Expedition

Migrate to Application-Based Policy Using Policy Optimizer

Convert Simple Rules with Few Well-Known Applications

Rules to Begin Converting After 30 Days

Remove Unused Rules

Convert the Most Stable Rules

Convert the Web Access Rule Using Subcategories

Convert Rules with the Most Traffic

Convert Rules With Few Apps Seen Over a Time Period

Next Steps to Adopt Security Best Practices

User-ID Best Practices

User-ID Best Practices

Get Started with User-ID Best Practices

User-ID Best Practices for GlobalProtect

User-ID Best Practices for Syslog Monitoring

User-ID Best Practices for Redistribution

User-ID Best Practices for Group Mapping

User-ID Best Practices for Dynamic User Groups

Best Practices for Managing Firewalls with Panorama

Adding Firewalls to Panorama

Use Case - Migrate Your Next-Generation Firewalls to Panorama

Use Case - Onboarding New Next-Generation Firewalls to Panorama

Configuration Management

Device Group Management

Template and Template Stack Management

Template and Template Stack Variables

Configuration Change Management

Admin Roles and Access Domains

Simplify Security Rules

Configuration Change Management for Large Teams

Commit Configuration Changes to Panorama

Push Configuration Changes to Managed Firewalls

Monitoring and Visibility

Logging Infrastructure

Application Command Center (ACC) and Monitor Logs

Standard and Custom Reports

Best Practices for Migrating to Application-Based Policy

Best Practices for Migrating to Application-Based Policy

Safe Application Enablement Via a Phased Transition

Migrate a Port-Based Policy to PAN-OS Using Expedition

Migrate to Application-Based Policy Using Policy Optimizer

Convert Simple Rules with Few Well-Known Applications

Rules to Begin Converting After 30 Days

Remove Unused Rules

Convert the Most Stable Rules

Convert the Web Access Rule Using Subcategories

Convert Rules with the Most Traffic

Convert Rules With Few Apps Seen Over a Time Period

Next Steps to Adopt Security Best Practices

Decryption Best Practices

Decryption Best Practices

Plan Your SSL Decryption Best Practice Deployment

Deploy SSL Decryption Using Best Practices

Follow Post-Deployment SSL Decryption Best Practices

Data Center Best Practice Security Policy

Data Center Security Policy Best Practices Checklist

Plan Your Data Center Best Practice Deployment

Deploy Data Center Best Practices

Global Data Center Objects, Policies, and Actions

User Data Center Traffic Policies

Internet-to-Data-Center Traffic Policies

Data-Center-to-Internet Traffic Policies

Intra-Data-Center Traffic Policies

Data Center Security Policy Rulebase Order

Follow Post-Deployment Data Center Best Practices

Data Center Best Practice Security Policy

What Is a Data Center Best Practice Security Policy?

Why Do I Need a Data Center Best Practice Security Policy?

Data Center Best Practice Methodology

How Do I Deploy a Data Center Best Practice Security Policy?

How to Assess Your Data Center

How to Decrypt Data Center Traffic

Create the Data Center Best Practice Decryption Profiles

Exclude Unsuitable Traffic from Data Center Decryption

Create a Data Center Segmentation Strategy

How to Segment the Data Center

How to Segment Data Center Applications

How to Create Data Center Best Practice Security Profiles

Create the Data Center Best Practice Antivirus Profile

Create the Data Center Best Practice Anti-Spyware Profile

Create the Data Center Best Practice Vulnerability Protection Profile

Create the Data Center Best Practice File Blocking Profile

Create the Data Center Best Practice WildFire Analysis Profile

Use Cortex XDR to Protect Data Center Endpoints

Create Data Center Traffic Block Rules

Define the Initial User-to-Data-Center Traffic Security Policy

User-to-Data-Center Traffic Security Approaches

Create User-to-Data-Center Application Allow Rules

Create User-to-Data-Center Authentication Policy Rules

Create User-to-Data-Center Decryption Policy Rules

Define the Initial Internet-to-Data-Center Traffic Security Policy

Internet-to-Data-Center Traffic Security Approach

Create Internet-to-Data-Center Application Allow Rules

Create Internet-to-Data-Center Decryption Policy Rules

Create Internet-to-Data-Center DoS Protection Policy Rules

Define the Initial Data-Center-to-Internet Traffic Security Policy

Data-Center-to-Internet Traffic Security Approaches

Create Data-Center-to-Internet Application Allow Rules

Create Data-Center-to-Internet Decryption Policy Rules

Define the Initial Intra-Data-Center Traffic Security Policy

Intra-Data-Center Traffic Security Approach

Create Intra-Data-Center Application Allow Rules

Create Intra-Data-Center Decryption Policy Rules

Order the Data Center Security Policy Rulebase

Log and Monitor Data Center Traffic

What Data Center Traffic to Log and Monitor

Monitor Data Center Block Rules and Tune the Rulebase

Log Intra Data Center Traffic That Matches the Intrazone Allow Rule

Log Data Center Traffic That Matches No Interzone Rules

Maintain the Data Center Best Practice Rulebase

Use Palo Alto Networks Assessment and Review Tools

Ways to Strengthen Your Internet Gateway

Transition to Best Practices

Decryption Best Practices

Decryption Best Practices

Plan Your SSL Decryption Best Practice Deployment

Deploy SSL Decryption Using Best Practices

Follow Post-Deployment SSL Decryption Best Practices

Data Center Best Practice Security Policy

Data Center Security Policy Best Practices Checklist

Plan Your Data Center Best Practice Deployment

Deploy Data Center Best Practices

Global Data Center Objects, Policies, and Actions

User Data Center Traffic Policies

Internet-to-Data-Center Traffic Policies

Data-Center-to-Internet Traffic Policies

Intra-Data-Center Traffic Policies

Data Center Security Policy Rulebase Order

Follow Post-Deployment Data Center Best Practices

Data Center Best Practice Security Policy

What Is a Data Center Best Practice Security Policy?

Why Do I Need a Data Center Best Practice Security Policy?

Data Center Best Practice Methodology

How Do I Deploy a Data Center Best Practice Security Policy?

How to Assess Your Data Center

How to Decrypt Data Center Traffic

Create the Data Center Best Practice Decryption Profiles

Exclude Unsuitable Traffic from Data Center Decryption

Create a Data Center Segmentation Strategy

How to Segment the Data Center

How to Segment Data Center Applications

How to Create Data Center Best Practice Security Profiles

Create the Data Center Best Practice Antivirus Profile

Create the Data Center Best Practice Anti-Spyware Profile

Create the Data Center Best Practice Vulnerability Protection Profile

Create the Data Center Best Practice File Blocking Profile

Create the Data Center Best Practice WildFire Analysis Profile

Use Cortex XDR Agent to Protect Data Center Endpoints

Create Data Center Traffic Block Rules

Define the Initial User-to-Data-Center Traffic Security Policy

User-to-Data-Center Traffic Security Approaches

Create User-to-Data-Center Application Allow Rules

Create User-to-Data-Center Authentication Policy Rules

Create User-to-Data-Center Decryption Policy Rules

Define the Initial Internet-to-Data-Center Traffic Security Policy

Internet-to-Data-Center Traffic Security Approach

Create Internet-to-Data-Center Application Allow Rules

Create Internet-to-Data-Center Decryption Policy Rules

Create Internet-to-Data-Center DoS Protection Policy Rules

Define the Initial Data-Center-to-Internet Traffic Security Policy

Data-Center-to-Internet Traffic Security Approaches

Create Data-Center-to-Internet Application Allow Rules

Create Data-Center-to-Internet Decryption Policy Rules

Define the Initial Intra-Data-Center Traffic Security Policy

Intra-Data-Center Traffic Security Approach

Create Intra-Data-Center Application Allow Rules

Create Intra-Data-Center Decryption Policy Rules

Order the Data Center Security Policy Rulebase

Log and Monitor Data Center Traffic

What Data Center Traffic to Log and Monitor

Monitor Data Center Block Rules and Tune the Rulebase

Log Intra Data Center Traffic That Matches the Intrazone Allow Rule

Log Data Center Traffic That Matches No Interzone Rules

Maintain the Data Center Best Practice Rulebase

Use Palo Alto Networks Assessment and Review Tools

Best Practices Implementing Zero Trust with Palo Alto Networks

Zero Trust Best Practices

What Is Zero Trust and Why Do I Need It?

High-Level Zero Trust Best Practice Concepts

How Do I Start My Zero Trust Implementation?

The Five Steps to Approaching Zero Trust

Step 1: Asset Discovery and Prioritization

Step 2: Map and Verify Transactions

Step 3: Standards and Designs

Step 4: Implementation

Step 5: Report and Maintenance

Zero Trust Resources

DoS and Zone Protection Best Practices

DoS and Zone Protection Best Practices

Plan DoS and Zone Protection Best Practice Deployment

Deploy DoS and Zone Protection Using Best Practices

Follow Post Deployment DoS and Zone Protection Best Practices

Security Policy Best Practices

Security Policy Best Practices

Plan Security Policy Best Practices

Deploy Security Policy Best Practices

Security Policy Rule Best Practices

Security Policy Rulebase Best Practices

Policy Optimizer Best Practices

App-ID Cloud Engine Best Practices

Policy Recommendation Best Practices

Maintain Security Policy Best Practices

Internet Gateway Best Practice Security Policy

Best Practice Internet Gateway Security Policy

What Is a Best Practice Internet Gateway Security Policy?

Why Do I Need a Best Practice Internet Gateway Security Policy?

How Do I Deploy a Best Practice Internet Gateway Security Policy?

Identify Your Application Allow List

Map Applications to Business Goals for a Simplified Rulebase

Use Temporary Rules to Tune the Allow List

Application Allow List Example

Create User Groups for Access to Allowed Applications

Decrypt Traffic for Full Visibility and Threat Inspection

Transition Safely to Best Practice Security Profiles

Transition Vulnerability Protection Profiles Safely to Best Practices

Transition Anti-Spyware Profiles Safely to Best Practices

Transition Antivirus Profiles Safely to Best Practices

Transition WildFire Profiles Safely to Best Practices

Transition URL Filtering Profiles Safely to Best Practices

Transition File Blocking Profiles Safely to Best Practices

Create Best Practice Security Profiles for the Internet Gateway

Define the Initial Internet Gateway Security Policy

Step 1: Create Rules Based on Trusted Threat Intelligence Sources

Step 2: Create the Application Allow Rules

Step 3: Create the Application Block Rules

Step 4: Create the Temporary Tuning Rules

Step 5: Enable Logging for Traffic That Doesn’t Match Any Rules

Monitor and Fine-Tune the Policy Rulebase

Remove the Temporary Rules

Maintain the Rulebase

Security Lifecycle Review (SLR)

Getting Started With Security Lifecycle Review (SLR)

About Security Lifecycle Review (SLR)

Security Lifecycle Review (SLR)—What’s in the Report?

Activate the Security Lifecycle Review (SLR) App

Create a New Security Lifecycle Review (SLR) Report

Customize Security Lifecycle Review (SLR) Reports

Security Lifecycle Review (SLR) Support Requirements

Security Lifecycle Review (SLR) Updates

Starting Best Practices with the BPA and Security Assurance

Getting Started with Best Practices

Identify and Prioritize Best Practices

Security Assurance

Branding Configuration

PANW Blue Theme

Authored and Search

PANW Yellow Theme

Authored and Search

PANW Green Theme

Authored and Search Templates

Default PaloAltoNetworks

Author and Search

Cloud-Delivered Security Services

Cloud Identity Engine Release Notes

Welcome to the Cloud Identity Engine

Cloud Identity Engine System Requirements

New Features Introduced for the Cloud Identity Agent

Cloud Identity Engine Known and Addressed Issues

New Features Introduced in April 2022

New Features Introduced in May 2022

New Features Introduced in June 2022

New Features Introduced in October 2022

New Features Introduced in November 2022

New Features Introduced in January 2023

New Features Introduced in April 2023

New Features Introduced in May 2023

New Features Introduced in June 2023

New Features Introduced in July 2023

New Features Introduced in August 2023

New Features Introduced in October 2023

New Features Introduced in November 2023

New Features Introduced in January 2024

New Features Introduced in February 2024

New Features Introduced in March 2024

New Features Introduced in April 2024

New Features Introduced in May 2024

New Features Introduced in June 2024

New Features Introduced in August 2024

New Features Introduced in September 2024

Cloud Identity Agent Help

Cloud Identity Agent Help

Cloud Identity Agent User Interface

Cloud Identity Configuration

LDAP Configuration

Cloud Identity Engine Getting Started

Get Started with Cloud Identity Engine

Learn About the Cloud Identity Engine

Plan Your Cloud Identity Engine Deployment

Configure Your Network to Allow Cloud Identity Agent Traffic

Configure Domains for the Cloud Identity Engine

Activate the Cloud Identity Engine

Manage Cloud Identity Engine App Roles

Set Up the Cloud Identity Engine

Configure the Cloud Identity Engine Visibility Scope

Choose Your Directory Type

Configure an On-Premises Directory

Install the Cloud Identity Agent

Configure the Cloud Identity Agent

Authenticate the Agent and the Cloud Identity Engine

Configure a Cloud-Based Directory

Configure Azure Active Directory

Reconnect or Edit Azure Active Directory

Revoke Cloud Identity Engine Permissions for Azure Active Directory

Set Up Azure Directory

Configure Azure Using the CIE Enterprise App

Configure Azure Using the Client Credential Flow

Configure Okta Directory

Reconnect Okta Directory

Remove Okta Directory

Deploy Client Credential Flow for Okta

Configure Google Directory

Reconnect Google Directory

Remove Google Directory

Configure SCIM Connector for the Cloud Identity Engine

Manage the Cloud Identity Engine App

Cloud Identity Engine Tenants

Create Cloud Identity Engine Tenants

View Cloud Identity Engine Tenants

Synchronize Cloud Identity Engine Tenants

Rename Cloud Identity Engine Tenants

Delete Cloud Identity Engine Tenants

Delete Domains or Directories from Cloud Identity Engine Tenants

Cloud Identity Engine Attributes

Collect Custom Attributes with the Cloud Identity Engine

View Directory Data

Cloud Identity Engine User Context

Create a Cloud Dynamic User Group

Configure Third-Party Device-ID

Configure an IP Tag Cloud Connection

Configure Dynamic Privilege Access in the Cloud Identity Engine

Configure Security Risk for the Cloud Identity Engine

Manage the Cloud Identity Agent

Configure Cloud Identity Agent Logs

Search Cloud Identity Agent Logs

Clear Cloud Identity Agent Logs

Update the Cloud Identity Agent

Start or Stop the Connection to the Cloud Identity Engine

Remove the Cloud Identity Agent

Manage Cloud Identity Engine Certificates

Revoke Cloud Identity Agent Certificates

Delete Obsolete Cloud Identity Agent Certificates

Associate the Cloud Identity Engine with Palo Alto Networks Apps

Associate the Cloud Identity Engine During Activation

Associate the Cloud Identity Engine with an Existing App

Authenticate Users with the Cloud Identity Engine

Configure a SAML 2.0 Authentication Type

Configure Azure as an IdP in the Cloud Identity Engine

Configure Okta as an IdP in the Cloud Identity Engine

Configure Google as an IdP in the Cloud Identity Engine

Configure PingOne as an IdP in the Cloud Identity Engine

Configure PingFederate as an IdP in the Cloud Identity Engine

Configure a SAML 2.0-Compliant IdP in the Cloud Identity Engine

Configure Cloud Identity Engine Authentication on the Firewall or Panorama

Configure the Cloud Identity Engine as a Mapping Source on the Firewall or Panorama

Configure a Client Certificate

Set Up an Authentication Profile

Configure Dynamic Privilege Access in the Cloud Identity Engine

Configure an OIDC Authentication Type

Troubleshoot the Cloud Identity Engine

Cloud Identity Engine Troubleshooting Checklist

Troubleshoot Cloud Identity Engine Issues

Use the Authentication Logs for Troubleshooting

Monitor Cloud Identity Engine Status

AWS

Cloud NGFW for AWS

Getting Started with Cloud NGFW for AWS

About Cloud NGFW for AWS

Getting Started from the AWS Marketplace

Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account

Working with Cloud NGFW for AWS

NGFW Management and Deployment

Security Features

Cloud NGFW for AWS Supported Regions and Zones

Supported Cloud NGFW for AWS Deployments

Cloud NGFW for AWS Pricing

Cloud NGFW Credit Distribution and Management

Cloud NGFW for AWS Free Trial

Cloud NGFW for AWS Limits and Quotas

Subscribe to Cloud NGFW for AWS

Locate Your Cloud NGFW for AWS Serial Number

Cross-Account Role CFT Permissions for Cloud NGFW

Invite Users to Cloud NGFW for AWS

Manage Cloud NGFW for AWS Users

Deploy Cloud NGFW for AWS with the AWS Firewall Manager

Enable Programmatic Access

Terraform Support for Cloud NGFW AWS

Provision Cloud NGFW Resources to your AWS CFT

Configure Automated Account Onboarding

Create a Support Case

Cloud NGFW for AWS Certifications

Cloud NGFW for AWS Privacy and Data Protection

Cloud NGFW for AWS Rulestacks and Rules

About Rulestacks and Rules on Cloud NGFW for AWS

X-Forwarded-For on Cloud NGFW for AWS

Create a Rulestack on Cloud NGFW for AWS

Cloud NGFW for AWS Security Rule Objects

Create a Prefix List on Cloud NGFW for AWS

Create an FQDN List for Cloud NGFW on AWS

Create a Custom URL Category for Cloud NGFW on AWS

Configure an Intelligent Feed on Cloud NGFW for AWS

Add a Certificate to Cloud NGFW for AWS

Create Security Rules on Cloud NGFW for AWS

Cloud NGFW for AWS Rule Usage

Cloud NGFW for AWS Security Profiles

Predefined URL Categories for Cloud NGFW for AWS

Set Up Site Access for URLs on Cloud NGFW for AWS

Set Up File Blocking on Cloud NGFW for AWS

Set Up Outbound Decryption on Cloud NGFW for AWS

Set Up Inbound Decryption on Cloud NGFW for AWS

Cloud NGFW Resource and NGFW Endpoints

Create a NGFW Resource on AWS

Create and View NGFW Endpoints

Direct Traffic to Cloud NGFW for AWS

Cloud NGFW for AWS Centralized Deployments

Cloud NGFW for AWS Distributed Deployments

Configure Logging for Cloud NGFW on AWS

Cloud NGFW for AWS Traffic Log Fields

Cloud NGFW for AWS Threat Log Fields

Cloud NGFW for AWS Decryption Log Fields

Cloud NGFW for AWS CloudWatch Metrics

Enable Audit Logging on Cloud NGFW for AWS

Delete a Cloud NGFW Resource

Cloud NGFW Integration with AWS Cloud WAN

Configure Private Traffic Range

Configure Egress NAT

Cloud NGFW for AWS Security Features

Configure DNS Security

Private DNS Server

Route 53 DNS Service

Private Hosted Zone DNS

Configure WildFire for Cloud NGFW on AWS

Cloud NGFW Advanced Threat Protection

Panorama Policy Management

Integrating Panorama

Prepare for Panorama Integration

Link the Cloud NGFW to Palo Alto Networks Management

Unlink the Cloud NGFW from Palo Alto Networks Management

Associate a Linked Panorama to the Cloud NGFW Resource

Use Panorama for Cloud NGFW Policy Management

View Cloud NGFW Logs and Activity in Panorama

View Cloud NGFW Logs in Strata Logging Service

Tag Based Policies

Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS

Configure Zone-based Policy Rules

Strata Cloud Manager Policy Management

Cloud NGFW for AWS Release Updates

Cloud NGFW for AWS Known Issues

Cloud NGFW for AWS Addressed Issues

Cloud NGFW for Azure

Getting Started with Cloud NGFW for Azure

Cloud NGFW for Azure

Cloud NGFW Components

Cloud NGFW for Azure Supported Regions

Start with Cloud NGFW for Azure

Manage Cloud NGFW Roles for Azure Users

Cloud NGFW for Azure Pricing

Cloud NGFW for Azure Free Trial

Monitor Cloud NGFW Health

Integrate Single Sign-on

Create a Support Case

Cloud NGFW for Azure Limits and Quotas

Cloud NGFW Credit Distribution and Management

Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account

Cloud NGFW for Azure Certifications

Cloud NGFW For Azure Privacy and Data Protection

Deploy Cloud NGFW for Azure

Deploy the Cloud NGFW in a vNET

Sample Configuration for Post vNET Deployment

Deploy the Cloud NGFW in a vWAN

Sample Configuration for Post vWAN Deployment

Cloud NGFW Native Policy Management Using Rulestacks

About Rulestacks and Rules on Cloud NGFW for Azure

Create a Rulestack on Cloud NGFW for Azure

Cloud NGFW for Azure Security Rule Objects

Create a Prefix List on Cloud NGFW for Azure

Create an FQDN List for Cloud NGFW on Azure

Add a Certificate to Cloud NGFW for Azure

Create Security Rules on Cloud NGFW for Azure

Set Up Outbound Decryption on Cloud NGFW for Azure

Cloud NGFW for Azure Security Services

Enable DNS Security on Cloud NGFW for Azure

Set Up Inbound Decryption on Cloud NGFW for Azure

Panorama Policy Management

Panorama Integration

Panorama Integration Prerequisites

Link the Cloud NGFW to Palo Alto Networks Management

Use Panorama for Cloud NGFW Policy Management

View Cloud NGFW Logs and Activity in Panorama

Configure Service Routes for On-Prem Services

Enable User-ID on the Cloud NGFW for Azure

Use XFF IP Address Values in Policy

Configure Logging for Cloud NGFW on Azure

Cloud NGFW for Azure Traffic Log Fields

Cloud NGFW for Azure Threat Log Fields

Cloud NGFW for Azure Decryption Log Fields

Enable Log Settings

Disable Log Settings

Enable Activity Logging on Cloud NGFW for Azure

View Audit Logs on a Firewall Resource

View Audit Logs on Resource Groups

Multiple Logging Destinations on Cloud NGFW for Azure

Cloud NGFW for Azure Known Issues

Cloud NGFW for Azure Addressed Issues

CN-Series Firewall Release Notes

CN-Series Firewall Release Notes

CN-Series PAN-MGMT-INIT

CN-Series 11.0.1

Known Issues in CN-Series 11.x

CN-Series 11.1.0

CN-Series 11.2.0

CN-Series 10.x Known Issues

CN-Series 10.x Addressed Issues

Known Issues in CN-Series 10.x

Addressed Issues in CN-Series 10.x

CN-Series Deployment

Deploy the CN-Series Firewall in Cloud and On-Premises

Deploy the CN-Series Firewall on GKE

Deploy the CN-Series Firewall as a Kubernetes Service on GKE

Deploy the CN-Series Firewall as a DaemonSet on GKE

Deploy the CN-Series Firewall on OKE

Deploy the CN-Series Firewall as a Kubernetes Service on OKE

Deploy the CN-Series Firewall as a DaemonSet on OKE

Deploy the CN-Series Firewall on EKS

Deploy the CN-Series Firewall as a Kubernetes Service on AWS EKS

Deploy the CN-Series Firewall as a Daemonset on AWS EKS

Deploy the CN-Series from the AWS Marketplace

Deploy the CN-Series on OpenShift

Deploy the CN-Series Firewall as a Kubernetes Service on ACK

Deploy the CN-Series on OpenShift Operator Hub

CN-Series HSF Deployment

CN-Series HSF Architecture

Interconnect Links

License the CN-Series HSF

Activate Credits

Create a CN-Series HSF Deployment Profile

Manage Deployment Profiles

CN-Series HSF System Requirements

Prerequisites to Deploy the CN-Series HSF

Cluster Requirements

Prepare the Cluster

Prepare Panorama for CN-Series HSF Deployment

Deploy the HSF Cluster

Different States of Deployment

Configure Traffic Flow Towards CN-Series HSF

Test Case: Layer 3 BFD Based CN-GW Failure Handling

View CN-Series HSF Summary and Monitoring

Validating the CN-Series HSF Deployment

Custom Metric Based HPA Using KEDA in EKS Environments

CN-Series HSF: Use Cases

5G Traffic Testing

Scale Out Firewalls Based on Custom Metrics Supported

Test Case: CN-MGMT Failure Handling

Test Case: CN-NGFW Failure Handling

Test Case: CN-DB Failure Handling

Features Not Supported on the CN-Series

Configure Dynamic Routing in CN-Series HSF

CN-Series Firewall Deployment Modes

Quickstart- CN-Series Firewall Deployment

Deployment Modes of CN-Series Firewalls

Deploy the CN-Series Firewall as a Kubernetes Service (Recommended mode of Deployment)

Enable Horizontal Pod Autoscaling on the CN-Series

Deploy the CN-Series Firewall as a DaemonSet

Deploy the CN-Series Firewall as a Kubernetes CNF

Deploy the Kubernetes CNF L3 in Standalone Mode

Deploy the CN-Series Firewalls

CN-Series Deployment Checklist

Deploy CN-Series Firewalls With (Recommended) and Without the Helm Chart

Deploy CN-Series Firewall with Terraform Templates

Deploy a Sample Application

Deploy a CN-Series Firewall Using Terraform

Configure the Kubernetes Plugin for Panorama

Deploy the CN-Series Firewall with Rancher Orchestration

Rancher Cluster Deployment

Set up Master and Worker Node on Rancher Cluster

Modify the Rancher Cluster Options YAML File

Editable Parameters in CN-Series Deployment YAML Files

Secure 5G With the CN-Series Firewall

Configure Panorama to Secure a Kubernetes Deployment

IP-Address-to-Tag Mapping of Kubernetes Attributes

Enable Inspection of Tagged VLAN Traffic

Uninstall the Kubernetes Plugin on Panorama

Features Not Supported on the CN-Series

High Availability and DPDK Support for CN-Series Firewall

High Availability Support for CN-Series Firewall as a Kubernetes CNF

High Availability for CN-Series Firewall on AWS EKS

IAM Roles for HA

Heartbeat Polling and Hello Messages

Device Priority and Preemption

Configure Active/Passive HA on AWS EKS Using a Secondary IP

Configure DPDK on CN-Series Firewall

Set up DPDK on On-Premises Worker Nodes

Set up DPDK on AWS EKS

CN-Series Upgrade

Upgrade the CN-Series Firewall

Migrate the CN-Series Firewall

Upgrade the CN-Series Firewall—Rolling Update

Upgrade the CN-Series Firewall—Redeploy

CN-Series Troubleshooting

CN-Series Troubleshooting

Getting Started with CN-Series

CN-Series Firewall for Kubernetes

Secure Kubernetes Workloads with CN-Series Firewall

CN-Series Key Concepts

CN-Series Core Building Blocks

Components Required to Secure Kubernetes Clusters with CN-Series Firewall

Additional CN-Series Resources

CN-Series System Requirements

CN-Series System Requirements for the Kubernetes Cluster

PAN-OS 11.1 and later

CN-Series System Requirements for On-Premises Kubernetes Deployments

CN-Series Performance and Scaling

CN-Series Deployment—Supported Environments

CN-Series Deployment Prerequisites

License the CN-Series Firewall

Activate Credits

Create a CN-Series Deployment Profile

Manage Deployment Profiles

Install a Device Certificate on the CN-Series Firewall

Create Service Accounts for Cluster Authentication

Install the Kubernetes Plugin and Set up Panorama for CN-Series

Get the Images and Files for the CN-Series Deployment

Strata Logging Service with CN-Series Firewall

IOT Security Support for CN-Series Firewall

Software Cut-through Based Offload on CN-Series Firewall

Common Services

Device Associations

Get Started with Device Associations

Associate Devices with a Tenant

Associate Products with Devices

Remove Device Associations

Release Updates

CASB-X Hardware Model Compatibility

Device Model Compatibility

AIOps for NGFW or Strata Cloud Manager

Firewall and License Type Compatibility

SaaS Security Inline

Strata Cloud Manager

aiops-for-ngfw-firewall-and-license-type-compatibility

aiops-for-ngfw-hardware-model-compatibility

hardware-model-compatibility-iot

firewall-and-license-type-compatibility-iot

FAQ: Where are My App Tiles, Instances, Roles, and More

FAQ: Where are My App Tiles, Instances, Roles, and More

FAQ: FedRAMP Moderate Customers TSG Migration and SASE Platform

Common Services: Identity and Access

Get Started with Common Services: Identity & Access

Manage Identity and Access Through Common Services

About Common Services: Identity and Access

Add User Access Through Common Services

Remove User Access Through Common Services

About Roles and Permissions Through Common Services

Assign a Predefined Role to a Tenant User or Service Account Through Common Services

Assign a Batch of Predefined Roles to Tenant Users or Service Accounts Through Common Services

Add a Custom Role Through Common Services

Modify a Custom Role Through Common Services

Clone a Role Through Common Services

Add a Service Account Through Common Services

Update a Service Account Through Common Services

Remove a Service Account Through Common Services

Manage Third Party Identity Provider Integrations Through Common Services

Add an Identity Federation Through Common Services

Manually Configure a SAML Identity Provider Through the Common Services

Upload SAML Identity Provider Metadata Through Common Services

Get the URL of a SAML Identity Provider Through Common Services

Clone SAML Identity Provider Configuration Through Common Services

Add or Delete an Identity Federation Owner Through Common Services

Configure Palo Alto Networks as a Service Provider Through Common Services

Delete an Identity Federation Through Common Services

Map a Tenant for Authorization Through Common Services

Update Tenant Mapping for Authorization Through Common Services

PAN Resource Names

Common Services: Identity and Access Management Release Updates

Manage Single Tenant Transition Through Common Services

Common Services: License Activation, Subscription, & Tenant Management

Get Started with Common Services: License Activation, Subscription, Tenant Management, & Product Management

Cloud Managed Prisma Access and Add-Ons License Activation

Activate a License for Cloud Managed Prisma Access and Add-Ons Through Common Services

First Time Cloud Managed Prisma Access and Add-Ons Activation - One CSP

First Time Cloud Managed Prisma Access and Add-Ons Activation - Multiple CSPs

Return Visit Cloud Managed Prisma Access and Add-Ons Activation

Allocate Licenses for Cloud Managed Prisma Access and Add-Ons Through Common Services

Plan Service Connections for Cloud Managed Prisma Access Through Common Services

Add Additional Locations for Cloud Managed Prisma Access Through Common Services

Enable Available Add-Ons for Cloud Managed Prisma Access and Add-Ons Through Common Servicess

Search for Subscription Details Through Common Services

Share a License for Cloud Managed Prisma Access Through Common Services

Increase Subscription Allocation Quantity Through Common Services

Service Provider Backbone License Activation Through Common Services

Activate a License for Multitenant Service Provider Backbone Through Common Services

Edit a License for Service Provider Backbone Through Common Services

Activate a License for Remote Browser Isolation Through Common Services

Prisma Access (Managed by Panorama) and Add-Ons License Activation

Activate a License for Prisma Access (Managed by Panorama) and Add-Ons Through Common Services

Activate a License for Prisma Access (Managed by Panorama) China Through Common Services

Prisma SD-WAN and Add-Ons License Activation

Activate a License for Prisma SD-WAN Through Common Services

New Purchase Cloud Managed Prisma SD-WAN Activation

New Purchase Cloud Managed Prisma SD-WAN Activation

Return Visit Cloud Managed Prisma SD-WAN Activation

Cloud Managed Prisma Access and Prisma SD-WAN Bundle License Activation

Activate a License for Cloud Managed Prisma Access and Prisma SD-WAN Bundle Through Common Services

Activate AIOps Premium

First time AIOps for NGFW Premium Activation - One Customer Support Portal Account

First time AIOps for NGFW Premium Activation - Multiple Customer Support Portal Account

Return Visit AIOPs Premium Activation

Activate Next-Generation CASB on Cross Platforms CASB-X

First time CASB-X Activation - One Customer Support Portal Account

First time CASB-X Activation - Multiple Customer Support Portal Account

Return Visit CASB-X Activation

Cloud Identity Engine Activation

First time Cloud Identity Engine Activation - One Customer Support Portal Account

First time Cloud Identity Engine Activation - Multiple Customer Support Portal Account

Return Visit Cloud Identity Engine Activation

Share Cloud Identity Engine

Activate IoT Security

First time IoT Security Activation - One Customer Support Portal Account

First time IoT Security Activation - Multiple Customer Support Portal Account

Return Visit IoT Security Activation

Activate SaaS Security Inline

First time SaaS Security Inline Activation - One Customer Support Portal Account

First time SaaS Security Inline Activation - Multiple Customer Support Portal Account

Return Visit SaaS Security Inline Activation

Activate SaaS Security Posture Management

First time Activation - One Customer Support Portal Account

First time SaaS Security Posture Management Activation - Multiple Customer Support Portal Account

Return Visit SaaS Security Posture Management Activation

Convert SSPM Evaluation to Production Through Common Services

Software NGFW Credits Activation

Activate a Software NGFW Credits License for IoT Through Common Services

Activate a Software NGFW Credits License of Strata Cloud Manager for NGFW Through Common Services

Activate a Software NGFW Credits License for AIOps for NGFW Premium on Panorama Through Common Services

Enterprise License Agreement Add-on Activation

Activate ELA AIOps for NGFW Premium Through Common Services

Activate ELA for IoT Security Through Common Services

Manage Subscriptions Through Common Services

Flexible License Management in Common Services

Diagnose License Activation Issues Through Common Services

Convert Trial License to Production

Request Evaluation to Production Conversion Through Common Services

Modify a Subscription Through Common Services

Extend or Renew a Subscription Through Common Services

Common Services: Tenant Management

What is a Tenant?

Add a Tenant Through Common Services

Edit a Tenant Through Common Services

Manage Tenant Licenses Through Common Services

Delete a Tenant Through Common Services

Transition from Single Tenant FedRAMP High "In Process" to Multitenant FedRAMP High "In Process" Through Common Services

Move an Internal Tenant Through Common Services

Acquire an External Tenant Through Common Services

Approve an External Tenant Acquisition Through Common Services

Limitations for Moving and Acquiring Tenants Through Common Services

Tenant Hierarchy Limits in Common Services

Common Services: Product Management

Common Services: Subscription and Tenant Management Release Updates

Known Issues in Common Services: Subscription and Tenant Management

What’s New in Common Services: Subscription and Tenant Management

Compatibility Matrix

Palo Alto Networks Compatibility Matrix

Supported OS Releases by Model

Palo Alto Networks Next-Generation Firewalls

Palo Alto Networks Appliances

WF-500 Appliance Analysis Environment Support

Palo Alto Networks PA-7000 Series Cards

Palo Alto Networks PA-5450 Cards

Palo Alto Networks PA-7500 Cards

HA Port and Processor Support

Breakout Port Support

VM-Series Firewalls

VM-Series Firewall Hypervisor Support

PacketMMAP and DPDK Drivers on VM-Series Firewalls

Partner Interoperability for VM-Series Firewalls

Palo Alto Networks Certified Integrations

Partner-Qualified Integrations

VM-Series Plugin

Google Cloud Regions

Alibaba Cloud Regions

VM-Series Firewall Amazon Machine Images (AMI)

PAN-OS Images for AWS GovCloud

CN-Series Firewalls

Panorama Plugins

Compatible Plugin Versions for PAN-OS 10.2

Panorama Management Compatibility

Panorama Hypervisor Support

Device Certificate for a Palo Alto Networks Cloud Service

MFA Vendor Support

Supported Cipher Suites

Cloud Identity Engine Cipher Suites

Cipher Suites Supported in PAN-OS 11.2

PAN-OS 11.2 GlobalProtect Cipher Suites

PAN-OS 11.2 IPSec Cipher Suites

PAN-OS 11.2 IKE and Web Certificate Cipher Suites

PAN-OS 11.2 Decryption Cipher Suites

PAN-OS 11.2 Administrative Session Cipher Suites

PAN-OS 11.2 HA1 SSH Cipher Suites

PAN-OS 11.2 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode

Cipher Suites Supported in PAN-OS 11.1

PAN-OS 11.1 GlobalProtect Cipher Suites

PAN-OS 11.1 IPSec Cipher Suites

PAN-OS 11.1 IKE and Web Certificate Cipher Suites

PAN-OS 11.1 Decryption Cipher Suites

PAN-OS 11.1 Administrative Session Cipher Suites

PAN-OS 11.1 HA1 SSH Cipher Suites

PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode

Cipher Suites Supported in PAN-OS 11.0

PAN-OS 11.0 GlobalProtect Cipher Suites

PAN-OS 11.0 IPSec Cipher Suites

PAN-OS 11.0 IKE and Web Certificate Cipher Suites

PAN-OS 11.0 Decryption Cipher Suites

PAN-OS 11.0 Administrative Session Cipher Suites

PAN-OS 11.0 HA1 SSH Cipher Suites

PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode

Cipher Suites Supported in PAN-OS 10.2

PAN-OS 10.2 GlobalProtect Cipher Suites

PAN-OS 10.2 IPSec Cipher Suites

PAN-OS 10.2 IKE and Web Certificate Cipher Suites

PAN-OS 10.2 Decryption Cipher Suites

PAN-OS 10.2 Administrative Session Cipher Suites

PAN-OS 10.2 HA1 SSH Cipher Suites

PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode

Cipher Suites Supported in PAN-OS 10.1

PAN-OS 10.1 GlobalProtect Cipher Suites

PAN-OS 10.1 IPSec Cipher Suites

PAN-OS 10.1 IKE and Web Certificate Cipher Suites

PAN-OS 10.1 Decryption Cipher Suites

PAN-OS 10.1 Administrative Session Cipher Suites

PAN-OS 10.1 HA1 SSH Cipher Suites

PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode

Cipher Suites Supported in PAN-OS 9.1

PAN-OS 9.1 GlobalProtect Cipher Suites

PAN-OS 9.1 IPSec Cipher Suites

PAN-OS 9.1 IKE and Web Certificate Cipher Suites

PAN-OS 9.1 Decryption Cipher Suites

PAN-OS 9.1 Administrative Session Cipher Suites

PAN-OS 9.1 HA1 SSH Cipher Suites

PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode

Where Can I Install the GlobalProtect App?

Third-Party VPN Client Support

What Features Does GlobalProtect Support?

What Features Does GlobalProtect Support for IoT?

What GlobalProtect Features Do Third-Party Mobile Device Management Systems Support?

Strata Cloud Manager and Panorama Feature Parity

Terminal Server (TS) Agent

Strata Logging Service Software Compatibility

Endpoint Security Manager (ESM)

IPv6 Support by Feature

Mobile Network Infrastructure Feature Support

Security Operations

API Documentation

Advanced DNS Security Powered by Precision AI™

DNS Security Administration

About DNS Security Subscription Services

Cloud-Delivered DNS Signatures and Protections

Data Collection and Logging

Regional Service Domains

Configure DNS Security Subscription Services

Enable DNS Security

Enable DNS Security (Strata Cloud Manager)

Enable DNS Security (NGFW (Managed by PAN-OS or Panorama))

Enable DNS Security (PAN-OS 11.0 and Later)

Enable DNS Security (PAN-OS 10.x)

Enable DNS Security (PAN-OS 9.1)

Configure DNS Security Over TLS

Configure DNS Security Over TLS (Strata Cloud Manager)

Configure DNS Security Over TLS (NGFW (Managed by PAN-OS or Panorama))

Configure DNS Security Over DoH

Configure DNS Security Over DoH (Strata Cloud Manager)

Configure DNS Security Over DoH (PAN-OS 11.0 and Later)

Create Domain Exceptions and Allow | Block Lists

Create Domain Exceptions and Allow | Block Lists (Strata Cloud Manager)

Create Domain Exceptions and Allow | Block Lists (NGFW (Managed by PAN-OS or Panorama))

Create Domain Exceptions and Allow | Block Lists (PAN-OS 10.0 and later)

Create Domain Exceptions and Allow | Block Lists (PAN-OS 9.1)

Test Connectivity to the DNS Security Cloud Services

Configure Lookup Timeout

Bypass DNS Security Subscriptions Services

Bypass DNS Security Subscriptions Services (Strata Cloud Manager)

Bypass DNS Security Subscriptions Services (NGFW (Managed by PAN-OS or Panorama))

Bypass DNS Security Subscriptions Services (PAN-OS 10.0 and later)

Bypass DNS Security Subscriptions Services (PAN-OS 9.1)

Enable Advanced DNS Security

Enable Advanced DNS Security (PAN-OS 11.2 and Later)

Enable Advanced DNS Security (Strata Cloud Manager)

Monitor DNS Security Subscription Services

View DNS Security Dashboard

DNS Security Dashboard Cards

View DNS Security Dashboard (Strata Cloud Manager)

View DNS Security Dashboard (AIOps for NGFW Free)

View DNS Security Logs

View DNS Security Logs (Strata Cloud Manager)

View DNS Security Logs (NGFW (Managed by PAN-OS or Panorama))

View DNS Security Logs (AIOps for NGFW Free)

View DNS Security Logs (Strata Logging Service)

New Features in Enterprise DLP

New Features in the Enterprise DLP Cloud Service

New Features in Enterprise DLP Plugin 5.0

New Features in Enterprise DLP Plugin 4.0

New Features in Enterprise DLP Plugin 3.0

New Features in Enterprise DLP Plugin 1.0

Known Issues in the Enterprise DLP Cloud Service

Known Issues in Enterprise DLP Plugin 5.0

Known Issues in Enterprise DLP Plugin 5.0.4

Known Issues in Enterprise DLP Plugin 5.0.3

Known Issues in Enterprise DLP Plugin 5.0.2

Known Issues in Enterprise DLP Plugin 5.0.1

Known Issues in Enterprise DLP Plugin 5.0.0

Known Issues in Enterprise DLP Plugin 5.0.5

Known Issues in Enterprise DLP Plugin 4.0

Known Issues in Enterprise DLP Plugin 4.0.4

Known Issues in Enterprise DLP Plugin 4.0.3

Known Issues in Enterprise DLP Plugin 4.0.2

Known Issues in Enterprise DLP Plugin 4.0.1

Known Issues in Enterprise DLP Plugin 4.0.0

Known Issues in Enterprise DLP Plugin 4.0.5

Known Issues in Enterprise DLP Plugin 3.0

Known Issues in Enterprise DLP Plugin 3.0.9

Known Issues in Enterprise DLP Plugin 3.0.8

Known Issues in Enterprise DLP Plugin 3.0.7

Known Issues in Enterprise DLP Plugin 3.0.6

Known Issues in Enterprise DLP Plugin 3.0.5

Known Issues in Enterprise DLP Plugin 3.0.4

Known Issues in Enterprise DLP Plugin 3.0.3

Known Issues in Enterprise DLP Plugin 3.0.2

Known Issues in Enterprise DLP Plugin 3.0.1

Known Issues in Enterprise DLP Plugin 3.0.0

Known Issues in Enterprise DLP Plugin 1.0

Known Issues in Enterprise DLP Plugin 1.0.8

Known Issues in Enterprise DLP Plugin 1.0.7

Known Issues in Enterprise DLP Plugin 1.0.6

Known Issues in Enterprise DLP Plugin 1.0.5

Known Issues in Enterprise DLP Plugin 1.0.4

Known Issues in Enterprise DLP Plugin 1.0.3

Known Issues in Enterprise DLP Plugin 1.0.2

Known Issues in Enterprise DLP Plugin 1.0.1

Enterprise DLP Limitations

Known Issues in Endpoint DLP

Activation & Onboarding

Setup Prerequisites for Enterprise DLP

Prerequisite Ports and FQDNs for Enterprise DLP

Prerequisite IP Addresses for Enterprise DLP Evidence Storage

Prerequisite FQDNs for Exact Data Matching (EDM)

Prerequisites for Enterprise DLP End User Alerting with Cortex XSOAR

IP Addresses for Syslog Forwarding

Install the Enterprise DLP Plugin on Panorama

Install the Enterprise DLP Plugin

Uninstall the Enterprise DLP Plugin

Enable Enterprise DLP

Enable Enterprise DLP on Strata Cloud Manager

Enable Enterprise DLP on Panorama

Activate Email DLP

Activate Endpoint DLP

Enable Optical Character Recognition

Enable Exact Data Matching (EDM)

Enterprise DLP Support Tables

Getting Started

About Enterprise DLP

What’s Supported with Enterprise DLP?

Platform Support

GenAI Applications

Encoding Schemas

Detection Methods

Double Byte Characters

Non-File Based Traffic

Data Patterns, Document Types, and Data Profiles

Predefined Data Patterns

Predefined ML-Based Data Patterns

Predefined Data Profiles

Predefined Document Types

Supported Data Profile Actions

Enable Role Based Access

Strata Cloud Manager

Edit the Cloud Content Settings

Edit the Enterprise DLP Data Filtering Settings

Edit the Enterprise DLP Data Filtering Settings on Strata Cloud Manager

Edit the Enterprise DLP Data Filtering Settings on Panorama

Edit the Enterprise DLP Data Filtering Settings for Email DLP

Edit the Enterprise DLP Data Filtering Settings for Endpoint DLP

Edit the Enterprise DLP Snippet Settings

Edit the Enterprise DLP Snippet Settings on Strata Cloud Manager

Edit the Enterprise DLP Snippet Settings on Panorama

Edit the Enterprise DLP Snippet Settings for Email DLP

Edit the Enterprise DLP Snippet Settings for Endpoint DLP

Configure Syslog Forwarding for Enterprise DLP Incidents

Request a New Feature

Enterprise DLP Support Tables

Configure Enterprise DLP

Configure Regular Expressions

Create a Custom Data Pattern

Strata Cloud Manager

Create a File Property Data Pattern

Add Custom Match Criteria to a Predefined Data Pattern

Create a Classic Data Profile

Strata Cloud Manager

File Based for Panorama

Non-File Based for Panorama

Create an Advanced Data Profile

Create a Nested Data Profile

Update a Data Profile

Strata Cloud Manager

Test a Data Profile

Enable Existing Data Patterns and Filtering Profiles

Modify a DLP Rule on Strata Cloud Manager

Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP

Reduce False Positive Detections

Exact Data Matching (EDM)

Supported EDM Data Set Formats

Set Up the EDM CLI App

Configure EDM CLI App Connectivity to Enterprise DLP

Upload an Encrypted EDM Data Set to Enterprise DLP Using a Configuration File

Create an Encrypted EDM Data Set Using a Configuration File

Upload an Encrypted EDM Data Set to Enterprise DLP

Create and Upload an Encrypted EDM Data Set Using a Configuration File

Create and Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode

Update an Existing EDM Data Set on Enterprise DLP

Enterprise DLP End User Alerting with Cortex XSOAR

About Enterprise DLP End User Alerting with Cortex XSOAR

Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Microsoft Teams

Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR

View the Enterprise DLP End User Alerting with Cortex XSOAR Response History

Inspection of Contextual Secrets for Chat Applications

About Inspection of Contextual Secrets

Contextual Chat Examples

Configure SaaS Security to Inspect for Contextual Secrets

Enterprise DLP and AI Apps

How Enterprise DLP Safeguards Against ChatGPT Data Leakage

Create a Security Policy Rule for ChatGPT

Strata Cloud Manager

Custom Document Types for Enterprise DLP

About Custom Document Types

Upload a Custom Document Type

IDM

Trainable Classifiers

Test a Custom Document Type

How Does Email DLP Work?

Onboard Microsoft Exchange Online

Connect Microsoft Exchange and Enterprise DLP

Create Microsoft Exchange Connectors

Create a Microsoft Exchange Outbound Connector

Create a Microsoft Exchange Inbound Connector

Create a Microsoft Exchange Proofpoint Server Connector

Create Microsoft Exchange Transport Rules

Create a Microsoft Exchange Email Transport Rule

Create a Microsoft Exchange Hosted Quarantine Transport Rule

Create a Microsoft Exchange Admin Approval Transport Rule

Create a Microsoft Exchange Manager Approval Transport Rule

Create a Microsoft Exchange Encrypt Transport Rule

Create a Microsoft Exchange Proofpoint Encrypt Transport Rule

Create a Microsoft Exchange Block Transport Rule

Create an Email DLP Sender Alert Policy

Obtain Your Microsoft Exchange Domain and Relay Host

Connect Gmail and Enterprise DLP

Set Up the Email DLP Host

Set Up a Proofpoint Server for Email Encryption

Create Gmail Transport Rules

Create a Gmail Email Transport Rule

Create a Gmail Quarantine Transport Rule

Create a Gmail Block Transport Rule

Create a Gmail Encrypt Transport Rule

Add an Enterprise DLP Email Policy Rule

Review Email DLP Incidents

Why Are Emails Not Being Blocked?

How Does Endpoint DLP Work?

Add a Peripheral

Add a USB Peripheral to Endpoint DLP

Add a Network Share Peripheral to Endpoint DLP

add a Printer Peripheral to Endpoint DLP

Create a Peripheral Group

Create an Endpoint DLP USB Peripheral Group

Create an Endpoint DLP Network Share Peripheral Group

Create an Endpoint DLP Printer Peripheral Group

Create an Endpoint DLP Policy Rule

Endpoint DLP Policy Rule Example

Create an Endpoint DLP Peripheral Control Policy Rule

Create an Endpoint DLP Data in Motion Policy Rule

Troubleshoot Endpoint DLP

Data Dictionaries

Recommendations for Security Policy Rules

Enterprise DLP Migrator

Monitor Enterprise DLP

Monitor DLP Status with the DLP Health and Telemetry App

View Enterprise DLP Log Details

Strata Cloud Manager

View Enterprise DLP Log Details for Endpoint DLP

Manage Enterprise DLP Incidents

View Enterprise DLP Audit Logs

View Enterprise DLP Audit Logs on Strata Cloud Manager

View Enterprise DLP Audit Logs for Email DLP

View Enterprise DLP Push Logs for Endpoint DLP

Reasons for Inspection Failure

Save Evidence for Investigative Analysis with Enterprise DLP

Set Up SFTP Storage to Save Evidence

Set Up Cloud Storage on AWS to Save Evidence

Set up Evidence Storage on Strata Cloud Manager Using AWS

Set up Evidence Storage on Strata Cloud Manager Using AWS KMS

Set Up Cloud Storage on Microsoft Azure to Save Evidence

Download Files for Evidence Analysis

What Is Data Risk?

Analyze the Data Risk Dashboard

Configure Risk Score Ranges

Configure Risk Factor Importance

Configure Severity for Data Profiles

Data Risk Recommendations

End User Coaching

End User Coaching for Enterprise DLP

End User Coaching for Endpoint DLP

Report a False Positive Detection

Enterprise DLP Support Tables

Prisma SASE FedRAMP

Prisma SASE FedRAMP Moderate and High "In Process" Requirements

Prisma SASE FedRAMP Moderate and High "In Process" Support

Prisma SASE FedRAMP Moderate and High "In Process" Locations

Prisma SASE FedRAMP Moderate and High "In Process" FQDNs

Prisma SASE FedRAMP Moderate and High "In Process" CDL IP Address Blocks

Panorama-Managed Prisma Access FedRAMP Moderate and High "In Process" Plugin and Dataplane Requirements Through Common Services

Prisma SASE FedRAMP Moderate and High “In Process” Release Updates

Prisma SASE FedRAMP Moderate and High "In Process" Activation

Activate a License for Cloud-Managed Prisma Access FedRAMP High "In Process" Through Common Services

Transition from Single Tenant FedRAMP High "In Process" to Multitenant FedRAMP High "In Process" Through Common Services

Activate a License for Prisma Access Multitenant FedRAMP High "In Process" Through Common Services

Share a License for Prisma Access FedRAMP High "In Process" Multitenant Through Common Services

Add Prisma Access FedRAMP High "In Process" to an Existing Prisma SD-WAN FedRAMP High "In Process" Tenant Through Common Services

Activate a License for Panorama-Managed Prisma Access FedRAMP High "In Process" Through Common Services

Activate a License for Prisma SD-WAN Multitenant and Single Tenant FedRAMP High "In Process" Through Common Services

Add Prisma SD-WAN FedRAMP High "In Process" to an Existing Prisma Access FedRAMP High "In Process" Tenant Through Common Services

Autonomous DEM for FedRAMP

Autonomous DEM for FedRAMP

Products That Use Autonomous DEM

ADEM Monitoring and Tests

ADEM Monitoring and Tests for Mobile Users

ADEM Monitoring and Tests for Remote Sites

Get Started with Autonomous DEM

Get Started with Autonomous DEM For Mobile Users

Autonomous DEM for Hybrid Workforce

Get Started with Autonomous DEM For Remote Sites

Role Based Access Control in ADEM

Enable ADEM for Your Mobile Users

Enable ADEM in Panorama Managed Prisma Access for Mobile Users

Enable ADEM in Cloud Managed Prisma Access for Mobile Users

Enable ADEM for Your Remote Sites

Enable ADEM in Panorama Managed Prisma Access for Remote Sites

Enable ADEM in Cloud Managed Prisma Access for Remote Sites

Go to Autonomous DEM in Prisma Access

First Look at Autonomous DEM Dashboards

Experience Score

Time Range Filter

Summary Dashboard

Summary - Experience

Summary - Performance Trends for Mobile Users

Summary - Performance Trends for Remote Sites

Applications Dashboard

Applications - Applications Tab

Applications - Application Tests

Application Details

Application Details - Experience

Synthetics for an Application

Zoom Performance Analysis for an Application

Application Details - Performance Trends for Mobile Users

Application Details - Performance Trends for Remote Sites

Monitored Mobile Users Dashboard

Monitored Mobile Users - User Experience

Monitored Mobile Users - Self-Serve

Synthetics for a Mobile User

Zoom Performance Analysis for Mobile Users

Monitored Remote Sites Dashboard

Calculating Experience Score for Remote Sites

Remote Site Details

Types of Monitored Paths

Prisma Access Locations Dashboard

Prisma Access Locations - Map View

Prisma Access Locations - List View

Prisma Access Location Details

ADEM Settings Dashboard

ADEM Settings - Endpoint Agent Management

ADEM Settings - Remote Site Agent Management

ADEM Settings - Health Score Profiles

ADEM Settings - Audit Logs

ADEM Settings - License Details

Set up an Autonomous DEM Application Test

Manage Autonomous DEM

Manage Autonomous DEM Mobile Users

Manage Autonomous DEM Remote Sites

ADEM Self-Serve

Default Settings

Example User View of Notification

Application Experience User Interface

Open the Application Experience UI

Using the Application Experience UI

Enable and Configure ADEM Self-Serve

Enable ADEM Self-Serve

Select the Types of Notifications to Send

Adjust the Notification Threshold

Select Mobile Users and Groups to Send Notifications

Threshold for Notification Generation

Time Interval between User Notifications

IT View of End User Notification Statistics

View Self-Serve Related Metrics for All Users

View if Self-Serve is Enabled for a User

View Total Number of Notifications Sent to Each User

View Total Number of CPU or Memory Notifications Sent to a User

View Total Number of WiFi Notifications Sent to a User

Retrieving Past Notifications

Autonomous DEM Zoom Integration

Enable Zoom Integration with ADEM

Disable Zoom Monitoring

Access Zoom Application Experience Data

Zoom Performance Analysis for Mobile Users

Zoom Performance Analysis for an Application

Possible Root Causes for Performance Degradation

ADEM Data Collection and Agent Processes

Manage Autonomous DEM Agent Upgrades

Manually Upgrade Autonomous DEM Agent using MSI

Release Updates

Certificate Renewal for ADEM before June 3, 2022

Transition to the Prisma SASE Platform

What’s New—Autonomous DEM

Known Issues—Autonomous DEM

Addressed Issues—Autonomous DEM

Autonomous DEM for FedRAMP

GlobalProtect Administrator's Guide

GlobalProtect Overview

About the GlobalProtect Components

What OS Versions are Supported with GlobalProtect?

About GlobalProtect Licenses

Create Interfaces and Zones for GlobalProtect

Enable SSL Between GlobalProtect Components

About GlobalProtect Certificate Deployment

GlobalProtect Certificate Best Practices

Deploy Server Certificates to the GlobalProtect Components

Replace an Expired GlobalProtect Portal or Gateway Certificate

GlobalProtect User Authentication

How Does the App Know What Credentials to Supply?

Cookie Authentication on the Portal or Gateway

Credential Forwarding to Some or All Gateways

How Does the App Know Which Certificate to Supply?

Set Up External Authentication

Set Up LDAP Authentication

Set Up SAML Authentication

Use the Default System Browser for SAML Authentication

About the Embedded Browser for SAML Authentication

Enable Default Browser for SAML Authentication Using Client Authentication Setting

Customize the SAML/CAS ACS Landing Page

Set Up Kerberos Authentication

Set Up RADIUS or TACACS+ Authentication

Set Up Client Certificate Authentication

Deploy Shared Client Certificates for Authentication

Deploy Machine Certificates for Authentication

Deploy User-Specific Client Certificates for Authentication

Enable Certificate Selection Based on OID

Support for Native Certificate Store for Prisma Access and GlobalProtect App on Linux Endpoints

Set Up Two-Factor Authentication

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Enable Two-Factor Authentication Using Smart Cards

Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts

Enhancements for Authentication Using Smart Cards

Enable Two-Factor Authentication Using a Software Token Application

Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints

Enable Certificate Authentication for strongSwan Endpoints

Enable X-Auth Support for strongSwan Endpoints

Enable Two-Factor Authentication for strongSwan Endpoints

Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications

Enable Delivery of VSAs to a RADIUS Server

Enable Group Mapping

CIE (SAML) Authentication using Embedded Web-view

Improvements for Multi Authentication CIE Experience

GlobalProtect Gateways

Gateway Priority in a Multiple Gateway Configuration

Best Gateway Selection Criteria

Configure a GlobalProtect Gateway

Customize Endpoint Session Timeout Settings

Split Tunnel Traffic on GlobalProtect Gateways

Configure a Split Tunnel Based on the Access Route

Configure a Split Tunnel Based on the Domain and Application

Wildcard Support for Split Tunnel Settings Based on the Application

Exclude Video Traffic from the GlobalProtect VPN Tunnel

Configure Split DNS for GlobalProtect App on iOS Endpoints

Host a Split Tunnel Configuration File on a Web Server

GlobalProtect MIB Support

DHCP Based IP Address Assignment and Management for GlobalProtect

Configure DHCP Server on the GlobalProtect Gateway to Assign DHCP IP Addresses to the Endpoints

Configure DHCP Server on the Infoblox Server

Configure DHCP Server on the Windows Server

GlobalProtect Portals

Set Up Access to the GlobalProtect Portal

Define the GlobalProtect Client Authentication Configurations

Define the GlobalProtect Agent Configurations

Customize the GlobalProtect App

Tunnel Connections Over Proxies

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Enforce GlobalProtect for Network Access

Configure Intelligent Portal Selection

GlobalProtect Apps

Deploy the GlobalProtect App to End Users

GlobalProtect App Minimum Hardware Requirements

Download the GlobalProtect App Software Package for Hosting on the Portal

Host App Updates on the Portal

Host App Updates on a Web Server

Test the App Installation

Download and Install the GlobalProtect Mobile App

View and Collect GlobalProtect App Logs

Deploy App Settings Transparently

Customizable App Settings

App Display Options

User Behavior Options

App Behavior Options

Script Deployment Options

Configure Conditional Connect Method Based on Network Type

Deploy App Settings to Windows Endpoints

Deploy App Settings in the Windows Registry

Deploy App Settings from Msiexec

Deploy Scripts Using the Windows Registry

Deploy Scripts Using Msiexec

Deploy Connect Before Logon Settings in the Windows Registry

Deploy GlobalProtect Credential Provider Settings in the Windows Registry

SSO Wrapping for Third-Party Credential Providers on Windows Endpoints

Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy App Settings to macOS Endpoints

Deploy App Settings in the macOS Plist

Deploy Scripts Using the macOS Plist

Deploy App Settings to Linux Endpoints

GlobalProtect Clientless VPN

Clientless VPN Overview

Supported Technologies

Configure Clientless VPN

Troubleshoot Clientless VPN

Mobile Device Management

Mobile Device Management Overview

Set Up the MDM Integration With GlobalProtect

Qualified MDM Vendors

Manage the GlobalProtect App Using Workspace ONE

Deploy the GlobalProtect Mobile App Using Workspace ONE

Delegate GlobalProtect Certificates for Android Endpoints Using Workspace ONE

Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE

Configure Workspace ONE for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE

Configure Workspace ONE for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure Workspace ONE for Android Endpoints

Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE

Enable App Scan Integration with WildFire

Manage the GlobalProtect App Using Microsoft Intune

Deploy the GlobalProtect Mobile App Using Microsoft Intune

Deploy a New Device Using Windows Autopilot and Microsoft Intune

Configure Microsoft Intune for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure Microsoft Intune for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Manage the GlobalProtect App Using MobileIron

Deploy the GlobalProtect Mobile App Using MobileIron

Configure MobileIron for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using MobileIron

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using MobileIron

Configure a Per-App VPN Configuration for iOS Endpoints Using MobileIron

Configure MobileIron for Android Endpoints

Configure an Always On VPN Configuration for Android Endpoints Using MobileIron

Manage the GlobalProtect App Using Google Admin Console

Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

Configure Google Admin Console for Android Endpoints

Manage the GlobalProtect App Using Jamf Pro

Manage the GlobalProtect App for iOS Using Jamf Pro

Configure iOS Endpoints Using Jamf Configuration Profiles

Configure an Always On VPN Configuration for iOS Endpoints

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Jamf Pro

Configure a Per-App VPN Configuration for iOS Endpoints Using Jamf Pro

Deploy the GlobalProtect Mobile App for iOS Using Jamf Pro

Verify the GlobalProtect for iOS App Deployment Using Jamf Pro

Manage the GlobalProtect App for macOS Using Jamf Pro

Create a Smart Computer Group for GlobalProtect App Deployment

Create a Single Configuration Profile for the GlobalProtect App for macOS

Deploy the GlobalProtect Mobile App for macOS Using Jamf Pro

Enable System and Network Extensions on macOS Endpoints Using Multiple Configuration Profiles

Enable GlobalProtect System Extensions on macOS Endpoints Using Jamf Pro

Enable GlobalProtect Network Extensions on macOS Big Sur Endpoints Using Jamf Pro

Verify Configuration Profiles Deployed by Jamf Pro

Remove System Extensions on macOS Monterey Endpoints Using Jamf Pro

Add a Configuration Profile for the GlobalProtect Enforcer by Using Jamf Pro 10.26.0

Non-Removable System Extensions on macOS Sequoia Endpoints Using Jamf Pro

Uninstall the GlobalProtect Mobile App Using Jamf Pro

Suppress Notifications on the GlobalProtect App for macOS Endpoints

Enable Kernel Extensions in the GlobalProtect App for macOS Endpoints

Enable System Extensions in the GlobalProtect App for macOS Endpoints

Manage the GlobalProtect App Using Other Third-Party MDMs

Configure the GlobalProtect App for iOS

Example: GlobalProtect iOS App Device-Level VPN Configuration

Example: GlobalProtect iOS App App-Level VPN Configuration

Configure the GlobalProtect App for Android

Example: Set VPN Configuration

Example: Remove VPN Configuration

GlobalProtect for IoT Devices

GlobalProtect for IoT Requirements

Configure the GlobalProtect Portals and Gateways for IoT Devices

Install GlobalProtect for IoT on Android

Install GlobalProtect for IoT on Raspbian

Install GlobalProtect for IoT on Ubuntu

Install GlobalProtect for IoT on Windows

Host Information

About Host Information

What Data Does the GlobalProtect App Collect?

What Data Does the GlobalProtect App Collect on Each Operating System?

How Does the Gateway Use the Host Information to Enforce Policy?

How Do Users Know if Their Systems are Compliant?

How Do I Get Visibility into the State of the Endpoints?

Configure HIP-Based Policy Enforcement

Configure HIP Exceptions for Patch Management

Collect Application and Process Data From Endpoints

Configure HIP Process Remediation

Enhanced HIP Remediation Process

Redistribute HIP Reports

Configure Windows User-ID Agent to Collect Host Information

MDM Integration Overview

Information Collected

System Requirements

Configure GlobalProtect to Retrieve Host Information

Troubleshoot the MDM Integration Service

Quarantine Devices Using Host Information

Identification and Quarantine of Compromised Devices Overview and License Requirements

View Quarantined Device Information

Manually Add and Delete Devices From the Quarantine List

Automatically Quarantine a Device

Use GlobalProtect and Security Policies to Block Access to Quarantined Devices

Redistribute Device Quarantine Information from Panorama

Troubleshoot HIP Issues

GlobalProtect FIPS-CC Certification

Enable and Verify FIPS-CC Mode

Enable and Verify FIPS-CC Mode on Windows Endpoints

Enable and Verify FIPS-CC Mode on macOS Endpoints

Enable and Verify FIPS-CC Mode Using Workspace ONE on iOS Endpoints

Enable FIPS Mode on Linux EndPoints with Ubuntu or RHEL

Enable and Verify FIPS-CC Mode Using Microsoft Intune on Android Endpoints

FIPS-CC Security Functions

Resolve FIPS-CC Mode Issues

GlobalProtect Quick Configs

Remote Access VPN (Authentication Profile)

Remote Access VPN (Certificate Profile)

Remote Access VPN with Two-Factor Authentication

GlobalProtect Always On VPN Configuration

Remote Access VPN with Pre-Logon

User-Initiated Pre-Logon Connection

GlobalProtect Multiple Gateway Configuration

GlobalProtect for Internal HIP Checking and User-Based Access

Mixed Internal and External Gateway Configuration

Captive Portal and Enforce GlobalProtect for Network Access

GlobalProtect on Windows 365 Cloud PC

GlobalProtect Architecture

GlobalProtect Reference Architecture Topology

GlobalProtect Portal

GlobalProtect Gateways

GlobalProtect Reference Architecture Features

End User Experience

Management and Logging

Monitoring and High Availability

GlobalProtect Reference Architecture Configurations

Gateway Configuration

Portal Configuration

Policy Configurations

GlobalProtect Cryptography

About GlobalProtect Cipher Selection

Cipher Exchange Between the GlobalProtect App and Gateway

GlobalProtect Cryptography References

Reference: GlobalProtect App Cryptographic Functions

TLS Cipher Suites Supported by GlobalProtect Apps

Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks

Ciphers Used to Set Up IPsec Tunnels

GlobalProtect App Log Collection for Troubleshooting

GlobalProtect App Log Collection for Troubleshooting Overview

Checklist for GlobalProtect App Log Collection for Troubleshooting

Set Up GlobalProtect Connectivity to Strata Logging Service

Configure the App Log Collection Settings on the GlobalProtect Portal

View the GlobalProtect App Troubleshooting and Diagnostic Logs on the Explore App

Details Within the GlobalProtect App Troubleshooting and Diagnostic Logs

Logging for GlobalProtect in PAN-OS

View a Graphical Display of GlobalProtect User Activity in PAN-OS

View All GlobalProtect Logs on a Dedicated Page in PAN-OS

Event Descriptions for the GlobalProtect Logs in PAN-OS

Filter GlobalProtect Logs for Gateway Latency in PAN-OS

Restrict Access to GlobalProtect Logs in PAN-OS

Forward GlobalProtect Logs to an External Service in PAN-OS

Configure Custom Reports for GlobalProtect in PAN-OS

GlobalProtect Administrator's Guide

GlobalProtect Overview

About the GlobalProtect Components

What OS Versions are Supported with GlobalProtect?

About GlobalProtect Licenses

Create Interfaces and Zones for GlobalProtect

Enable SSL Between GlobalProtect Components

About GlobalProtect Certificate Deployment

GlobalProtect Certificate Best Practices

Deploy Server Certificates to the GlobalProtect Components

About GlobalProtect User Authentication

Supported GlobalProtect Authentication Methods

Local Authentication

External Authentication

Client Certificate Authentication

Two-Factor Authentication

Multi-Factor Authentication for Non-Browser-Based Applications

How Does the App Know What Credentials to Supply?

Cookie Authentication on the Portal or Gateway

Credential Forwarding to Some or All Gateways

How Does the App Know Which Certificate to Supply?

Set Up External Authentication

Set Up LDAP Authentication

Set Up SAML Authentication

Set Up Kerberos Authentication

Set Up RADIUS or TACACS+ Authentication

Set Up Client Certificate Authentication

Deploy Shared Client Certificates for Authentication

Deploy Machine Certificates for Authentication

Deploy User-Specific Client Certificates for Authentication

Enable Certificate Selection Based on OID

Set Up Two-Factor Authentication

Enable Two-Factor Authentication Using Certificate and Authentication Profiles

Enable Two-Factor Authentication Using One-Time Passwords (OTPs)

Enable Two-Factor Authentication Using Smart Cards

Enable Two-Factor Authentication Using a Software Token Application

Set Up Authentication for strongSwan Ubuntu and CentOS Endpoints

Enable Authentication Using a Certificate Profile

Enable Authentication Using an Authentication Profile

Enable Authentication Using Two-Factor Authentication

Configure GlobalProtect to Facilitate Multi-Factor Authentication Notifications

Enable Delivery of VSAs to a RADIUS Server

Enable Group Mapping

GlobalProtect Gateways

Gateway Priority in a Multiple Gateway Configuration

Configure a GlobalProtect Gateway

Split Tunnel Traffic on GlobalProtect Gateways

Configure a Split Tunnel Based on the Access Route

Configure a Split Tunnel Based on the Domain and Application

Exclude Video Traffic from the GlobalProtect VPN Tunnel

GlobalProtect MIB Support

GlobalProtect Portals

Set Up Access to the GlobalProtect Portal

Define the GlobalProtect Client Authentication Configurations

Define the GlobalProtect Agent Configurations

Customize the GlobalProtect App

Tunnel Connections Over Proxies

Customize the GlobalProtect Portal Login, Welcome, and Help Pages

Enforce GlobalProtect for Network Access

GlobalProtect Apps

Deploy the GlobalProtect App to End Users

Download the GlobalProtect App Software Package for Hosting on the Portal

Host App Updates on the Portal

Host App Updates on a Web Server

Test the App Installation

Download and Install the GlobalProtect Mobile App

Deploy App Settings Transparently

Customizable App Settings

App Display Options

User Behavior Options

App Behavior Options

Script Deployment Options

Deploy App Settings to Windows Endpoints

Deploy App Settings in the Windows Registry

Deploy App Settings from Msiexec

Deploy Scripts Using the Windows Registry

Deploy Scripts Using Msiexec

SSO Wrapping for Third-Party Credential Providers on Windows Endpoints

Enable SSO Wrapping for Third-Party Credentials with the Windows Registry

Enable SSO Wrapping for Third-Party Credentials with the Windows Installer

Deploy App Settings to macOS Endpoints

Deploy App Settings in the macOS Plist

Deploy Scripts Using the macOS Plist

GlobalProtect Clientless VPN

Clientless VPN Overview

Supported Technologies

Configure Clientless VPN

Troubleshoot Clientless VPN

Mobile Device Management

Mobile Device Management Overview

Set Up the MDM Integration With GlobalProtect

Qualified MDM Vendors

Manage the GlobalProtect App Using Workspace ONE

Deploy the GlobalProtect Mobile App Using Workspace ONE

Deploy the GlobalProtect App for Android on Managed Chromebooks Using Workspace ONE

Configure Workspace ONE for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE

Configure Workspace ONE for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a User-Initiated Remote Access VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Workspace ONE

Configure Workspace ONE for Android Endpoints

Configure a Per-App VPN Configuration for Android Endpoints Using Workspace ONE

Enable App Scan Integration with WildFire

Manage the GlobalProtect App Using Microsoft Intune

Deploy the GlobalProtect Mobile App Using Microsoft Intune

Configure Microsoft Intune for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for iOS Endpoints Using Microsoft Intune

Configure Microsoft Intune for Windows 10 UWP Endpoints

Configure an Always On VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Configure a Per-App VPN Configuration for Windows 10 UWP Endpoints Using Microsoft Intune

Manage the GlobalProtect App Using MobileIron

Deploy the GlobalProtect Mobile App Using MobileIron

Configure MobileIron for iOS Endpoints

Configure an Always On VPN Configuration for iOS Endpoints Using MobileIron

Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using MobileIron

Configure a Per-App VPN Configuration for iOS Endpoints Using MobileIron

Configure MobileIron for Android Endpoints

Configure an Always On VPN Configuration for Android Endpoints Using MobileIron

Manage the GlobalProtect App Using Google Admin Console

Deploy the GlobalProtect App for Android on Managed Chromebooks Using the Google Admin Console

Configure Google Admin Console for Android Endpoints

Configure an Always On VPN Configuration for Chromebooks Using the Google Admin Console

Suppress Notifications on the GlobalProtect App for macOS Endpoints

Enable Kernel Extensions in the GlobalProtect App for macOS Endpoints

Enable System Extensions in the GlobalProtect App for macOS Endpoints

Manage the GlobalProtect App Using Other Third-Party MDMs

Configure the GlobalProtect App for iOS

Example: GlobalProtect iOS App Device-Level VPN Configuration

Example: GlobalProtect iOS App App-Level VPN Configuration

Configure the GlobalProtect App for Android

Example: Set VPN Configuration

Example: Remove VPN Configuration

GlobalProtect for IoT Devices

GlobalProtect for IoT Requirements

Configure the GlobalProtect Portals and Gateways for IoT Devices

Install GlobalProtect for IoT on Android

Install GlobalProtect for IoT on Raspbian

Install GlobalProtect for IoT on Ubuntu

Install GlobalProtect for IoT on Windows

Host Information

About Host Information

What Data Does the GlobalProtect App Collect?

What Data Does the GlobalProtect App Collect on Each Operating System?

How Does the Gateway Use the Host Information to Enforce Policy?

How Do Users Know if Their Systems are Compliant?

How Do I Get Visibility into the State of the Endpoints?

Configure HIP-Based Policy Enforcement

Collect Application and Process Data From Endpoints

Redistribute HIP Reports

Block Endpoint Access

Configure Windows User-ID Agent to Collect Host Information

MDM Integration Overview

Information Collected

System Requirements

Configure GlobalProtect to Retrieve Host Information

Troubleshoot the MDM Integration Service

Enable and Verify FIPS-CC Mode

Enable and Verify FIPS-CC Mode Using the Windows Registry

Enable and Verify FIPS-CC Mode Using the macOS Property List

FIPS-CC Security Functions

Troubleshoot FIPS-CC Mode

View and Collect GlobalProtect Logs

Resolve FIPS-CC Mode Issues

GlobalProtect Quick Configs

Remote Access VPN (Authentication Profile)

Remote Access VPN (Certificate Profile)

Remote Access VPN with Two-Factor Authentication

Always On VPN Configuration

Remote Access VPN with Pre-Logon

GlobalProtect Multiple Gateway Configuration

GlobalProtect for Internal HIP Checking and User-Based Access

Mixed Internal and External Gateway Configuration

Captive Portal and Enforce GlobalProtect for Network Access

GlobalProtect Architecture

GlobalProtect Reference Architecture Topology

GlobalProtect Portal

GlobalProtect Gateways

GlobalProtect Reference Architecture Features

End User Experience

Management and Logging in Panorama

Logging for GlobalProtect in PAN-OS

View a Graphical Display of GlobalProtect User Activity in PAN-OS

View All GlobalProtect Logs on a Dedicated Page in PAN-OS

Event Descriptions for the GlobalProtect Logs in PAN-OS

Filter GlobalProtect Logs for Gateway Latency in PAN-OS

Restrict Access to GlobalProtect Logs in PAN-OS

Forward GlobalProtect Logs to an External Service in PAN-OS

Configure Custom Reports for GlobalProtect in PAN-OS

Monitoring and High Availability

GlobalProtect Reference Architecture Configurations

Gateway Configuration

Portal Configuration

Policy Configurations

GlobalProtect Cryptography

About GlobalProtect Cipher Selection

Cipher Exchange Between the GlobalProtect App and Gateway

GlobalProtect Cryptography References

Reference: GlobalProtect App Cryptographic Functions

TLS Cipher Suites Supported by GlobalProtect Apps

Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 7 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints

Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks

Ciphers Used to Set Up IPsec Tunnels

GlobalProtect App User Guide

GlobalProtect App for Windows

Download and Install the GlobalProtect App for Windows

Use Connect Before Logon

Use Single Sign-On for Smart Card Authentication

Use the GlobalProtect App for Windows

Report an Issue From the GlobalProtect App for Windows

Disconnect the GlobalProtect App for Windows

Uninstall the GlobalProtect App for Windows

Fix a Microsoft Installer Conflict

GlobalProtect App for macOS

Download and Install the GlobalProtect App for macOS

Use the GlobalProtect App for macOS

Report an Issue From the GlobalProtect App for macOS

Disconnect the GlobalProtect App for macOS

Uninstall the GlobalProtect App for macOS

Remove the GlobalProtect Enforcer Kernel Extension

Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication

GlobalProtect™ App Release Notes

Features Introduced

Changes to Default Behavior

Associated Software and Content Versions

Addressed Issues

GlobalProtect App User Guide

GlobalProtect App for Windows

Download and Install the GlobalProtect App for Windows

Use Connect Before Logon

Use Single Sign-On for Smart Card Authentication

Use the GlobalProtect App for Windows

Report an Issue From the GlobalProtect App for Windows

Disconnect the GlobalProtect App for Windows

Uninstall the GlobalProtect App for Windows

Fix a Microsoft Installer Conflict

GlobalProtect App for macOS

Download and Install the GlobalProtect App for macOS

Use the GlobalProtect App for macOS

Report an Issue From the GlobalProtect App for macOS

Disconnect the GlobalProtect App for macOS

Uninstall the GlobalProtect App for macOS

Remove the GlobalProtect Enforcer Kernel Extension

Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication

GlobalProtect App for Linux

Download and Install the GlobalProtect App for Linux

Use the GlobalProtect App for Linux

Report an Issue From the GlobalProtect App for Linux

Disconnect the GlobalProtect App for Linux

Uninstall the GlobalProtect App for Linux

GlobalProtect™ App Release Notes

Features Introduced in GlobalProtect App 6.2

Features Introduced in GlobalProtect App 6.2

Changes to Default Behavior in GlobalProtect App 6.2

Changes to Default Behavior in GlobalProtect App 6.2

Associated Content and Software Versions

Associated Software and Content Versions

GlobalProtect 6.2 Known and Addressed Issues

GlobalProtect App 6.2 Known Issues

Addressed Issues in GlobalProtect App 6.2

Features Introduced

Changes to Default Behavior

Associated Software and Content Versions

GlobalProtect App 6.2 Known Issues

Addressed Issues

GlobalProtect™ App New Features Guide

New Features Released in GlobalProtect App 6.1

Proxy Auto Configuration (PAC) Deployment from GlobalProtect

Advanced Internal Host Detection

End-user Notification about GlobalProtect Session Logout

GlobalProtect™ App Release Notes

Features Introduced in GlobalProtect App 6.1

Features Introduced in GlobalProtect App 6.1

Changes to Default Behavior in GlobalProtect App 6.1

Changes to Default Behavior in GlobalProtect App 6.1

Associated Content and Software Versions

Associated Software and Content Versions

GlobalProtect 6.1 Known and Addressed Issues

GlobalProtect App 6.1 Known Issues

Addressed Issues in GlobalProtect App 6.1

Features Introduced

Changes to Default Behavior

Associated Software and Content Versions

Addressed Issues

GlobalProtect App User Guide

GlobalProtect App for Windows

Download and Install the GlobalProtect App for Windows

Use Connect Before Logon

Use Single Sign-On for Smart Card Authentication

Use the GlobalProtect App for Windows

Report an Issue From the GlobalProtect App for Windows

Disconnect the GlobalProtect App for Windows

Uninstall the GlobalProtect App for Windows

Fix a Microsoft Installer Conflict

GlobalProtect App for macOS

Download and Install the GlobalProtect App for macOS

Use the GlobalProtect App for macOS

Report an Issue From the GlobalProtect App for macOS

Disconnect the GlobalProtect App for macOS

Uninstall the GlobalProtect App for macOS

Remove the GlobalProtect Enforcer Kernel Extension

Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication

GlobalProtect App for iOS

Download and Install the GlobalProtect App for iOS

Use the GlobalProtect App for iOS

Connect for the First Time

Connect with the On-Demand Method

Connect with Always On Connection Method

Report an Issue From the GlobalProtect App for iOS

Uninstall the GlobalProtect App for iOS

GlobalProtect App for Android

Download and Install the GlobalProtect App for Android

Download and Install the GlobalProtect App for Android on Chromebooks

Use the GlobalProtect App for Android

Report an Issue From the GlobalProtect App for Android

Disconnect the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android from Chromebooks

GlobalProtect App for Linux

Download and Install the GlobalProtect App for Linux

Use the GlobalProtect App for Linux

Report an Issue From the GlobalProtect App for Linux

Disconnect the GlobalProtect App for Linux

Uninstall the GlobalProtect App for Linux

GlobalProtect for IoT Devices

GlobalProtect™ App New Features Guide

New Features Released in GlobalProtect App 6.0

Redesigned GlobalProtect App User Interface for Windows and macOS

Endpoint Traffic Policy Enforcement

Improved Connectivity Experience for the GlobalProtect App for Android and iOS

Security Policy Enforcement for Inactive GlobalProtect Sessions

Single Sign-On (SSO) Using Smart Card Authentication

Delivery Optimization Support for Windows

Improved Authentication Experience for the GlobalProtect App for Windows and macOS

SAML Authentication with Cloud Authentication Service

No Direct Access to Local Network Support for Linux

GlobalProtect App User Guide

GlobalProtect App for Windows

Download and Install the GlobalProtect App for Windows

Use Connect Before Logon

Use Single Sign-On for Smart Card Authentication

Use the GlobalProtect App for Windows

Report an Issue From the GlobalProtect App for Windows

Disconnect the GlobalProtect App for Windows

Uninstall the GlobalProtect App for Windows

Fix a Microsoft Installer Conflict

GlobalProtect App for macOS

Download and Install the GlobalProtect App for macOS

Use the GlobalProtect App for macOS

Report an Issue From the GlobalProtect App for macOS

Disconnect the GlobalProtect App for macOS

Uninstall the GlobalProtect App for macOS

Remove the GlobalProtect Enforcer Kernel Extension

Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication

GlobalProtect App for iOS

Download and Install the GlobalProtect App for iOS

Use the GlobalProtect App for iOS

Report an Issue From the GlobalProtect App for iOS

Uninstall the GlobalProtect App for iOS

GlobalProtect App for Android

Download and Install the GlobalProtect App for Android

Download and Install the GlobalProtect App for Android on Chromebooks

Use the GlobalProtect App for Android

Report an Issue From the GlobalProtect App for Android

Disconnect the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android from Chromebooks

GlobalProtect App for Linux

Download and Install the GlobalProtect App for Linux

Use the GlobalProtect App for Linux

Report an Issue From the GlobalProtect App for Linux

Disconnect the GlobalProtect App for Linux

Uninstall the GlobalProtect App for Linux

GlobalProtect for IoT Devices

GlobalProtect™ App Release Notes

Features Introduced

Changes to Default Behavior

Associated Software and Content Versions

Addressed Issues

GlobalProtect™ App New Features Guide

New Features Released in GlobalProtect App 5.2

Improved Authentication Experience for the GlobalProtect App for Windows and macOS

Autonomous DEM Integration for User Experience Management

GlobalProtect App Log Collection for Troubleshooting

Configurable Maximum Transmission Unit for GlobalProtect Connections

Connect Before Logon

Default System Browser for SAML Authentication

Enforce GlobalProtect Connections with FQDN Exclusions

GlobalProtect™ App Release Notes

Features Introduced in GlobalProtect App 5.2

Features Introduced in GlobalProtect App 5.2

Changes to Default Behavior in GlobalProtect App 5.2

Changes to Default Behavior in GlobalProtect App 5.2

Associated Content and Software Versions

Associated Software and Content Versions for GlobalProtect App 5.2

GlobalProtect 5.2 Known and Addressed Issues

GlobalProtect App 5.2 Known Issues

Addressed Issues in GlobalProtect App 5.2

GlobalProtect App User Guide

GlobalProtect App for Windows

Download and Install the GlobalProtect App for Windows

Use Connect Before Logon

Use the GlobalProtect App for Windows

Report an Issue From the GlobalProtect App for Windows

Disable the GlobalProtect App for Windows

Uninstall the GlobalProtect App for Windows

Fix a Microsoft Installer Conflict

GlobalProtect App for macOS

Download and Install the GlobalProtect App for macOS

Use the GlobalProtect App for macOS

Report an Issue From the GlobalProtect App for macOS

Disable the GlobalProtect App for macOS

Uninstall the GlobalProtect App for macOS

Remove the GlobalProtect Enforcer Kernel Extension

Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication

GlobalProtect App for iOS

Download and Install the GlobalProtect App for iOS

Use the GlobalProtect App for iOS

Report an Issue From the GlobalProtect App for iOS

Uninstall the GlobalProtect App for iOS

GlobalProtect App for Android

Download and Install the GlobalProtect App for Android

Download and Install the GlobalProtect App for Android on Chromebooks

Use the GlobalProtect App for Android

Report an Issue From the GlobalProtect App for Android

Disable the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android from Chromebooks

GlobalProtect App for Linux

Download and Install the GlobalProtect App for Linux

Use the GlobalProtect App for Linux

Report an Issue From the GlobalProtect App for Linux

Disable the GlobalProtect App for Linux

Uninstall the GlobalProtect App for Linux

GlobalProtect for IoT Devices

GlobalProtect App User Guide

GlobalProtect App for Windows

Download and Install the GlobalProtect App for Windows

Use the GlobalProtect App for Windows

Disable the GlobalProtect App for Windows

Uninstall the GlobalProtect App for Windows

Fix a Microsoft Installer Conflict

GlobalProtect App for macOS

Download and Install the GlobalProtect App for macOS

Use the GlobalProtect App for macOS

Disable the GlobalProtect App for macOS

Uninstall the GlobalProtect App for macOS

Remove the GlobalProtect Enforcer Kernel Extension

Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication

GlobalProtect App for iOS

Download and Install the GlobalProtect App for iOS

Use the GlobalProtect App for iOS

Uninstall the GlobalProtect App for iOS

GlobalProtect App for Android

Download and Install the GlobalProtect App for Android

Download and Install the GlobalProtect App for Android on Chromebooks

Use the GlobalProtect App for Android

Disable the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android

Uninstall the GlobalProtect App for Android from Chromebooks

GlobalProtect App for Linux

Download and Install the GlobalProtect App for Linux

Use the GlobalProtect App for Linux

Disable the GlobalProtect App for Linux

Uninstall the GlobalProtect App for Linux

GlobalProtect for IoT Devices

GlobalProtect™ App New Features Guide

New Features Released in GlobalProtect App 5.1

Biometric Sign-In Support

Enforce GlobalProtect Exclusions

GlobalProtect for IoT Devices

GlobalProtect Gateway Latency Reporting

GUI for GlobalProtect App for Linux

macOS System Extensions Support

Proxy Handling for macOS Endpoints

SAML SSO for the GlobalProtect app for Android on Chromebooks

Seamless Soft-Token Authentication from GlobalProtect App

Single Sign-On (SSO) for macOS Endpoints

Uninstall Option for GlobalProtect

User Sign-Out Restriction

GlobalProtect™ App Release Notes

GlobalProtect App 5.1 Release Information

Features Introduced in GlobalProtect App 5.1

Changes to Default Behavior in GlobalProtect App 5.1

GlobalProtect App Upgrade Considerations

Associated Software and Content Versions

GlobalProtect App 5.1 Known Issues

Addressed Issues in GlobalProtect App 5.1

GlobalProtect™ App Release Notes

GlobalProtect App 5.3 Release Information

Features Introduced in GlobalProtect App 5.3

Changes to Default Behavior in GlobalProtect App 5.3

Associated Software and Content Versions

GlobalProtect App 5.3 Known Issues

Addressed Issues in GlobalProtect App 5.3

GlobalProtect App User Guide

GlobalProtect App for Linux

Download and Install the GlobalProtect App for Linux

Use the GlobalProtect App for Linux

Report an Issue From the GlobalProtect App for Linux

Disable the GlobalProtect App for Linux

Uninstall the GlobalProtect App for Linux

Firewalls & Appliances

ION 3000 Hardware Reference

Install ION 3000

Set Up the ION 3000 with an Existing Router

Set Up the ION 3000 by Replacing the Router

Rack Mount ION 3000

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

ION 3000 Overview

ION 3000 Specifications

Fail-to-Wire Cabling Matrix

Common Insertion Topologies

ION 3000 Installation Kit Components

ION Device Compliance Statement

Power on the ION 3000

ION 2000 Hardware Reference

Before You Begin

Third-Party Component Support

Product Safety Warnings

Tamper Proof Statement

ION 2000 Overview

ION 2000 Front Panel with LEDs

ION 2000 Fail-to-Wire Cabling Matrix

ION 2000 Installation Kit Components

ION 2000 Specifications

ION Device Compliance Statement

Power on the ION 2000

Install ION 2000

Rack Mount the ION 2000

Wall Mount the ION 2000

Set Up the ION 2000 with an Existing Router

Set Up the ION 2000 by Replacing the Router

M-200 and M-600 Appliance Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

Upgrade/Downgrade Considerations for Firewalls and Appliances

M-200 and M-600 Appliance Overview

M-200 Appliance Front Panel Description

M-200 Appliance Back Panel Description

M-600 Appliance Front Panel Description

M-600 Appliance Back Panel Description

Interpret the M-200 and M-600 Appliance port LEDs

Install the M-200 or M-600 Appliance

Install the M-200 Appliance in a 19” Equipment Rack

Install the M-600 Appliance in a 19” Equipment Rack

Connect Power to an M-200 or M-600 Appliance

Connect AC Power to an M-200 or M-600 Appliance

Service an M-200 or M-600 Appliance

Replace an M-200 or M-600 Drive

Replace an M-200 or M-600 Appliance System Drive

Replace an M-200 or M-600 Appliance Log Drive

Replace an M-200 or M-600 Power Supply

M-200 and M-600 Appliance Specifications

Physical Specifications

Electrical Specifications

Environmental Specifications

Miscellaneous Specifications

M-200 and M-600 Appliance Hardware Compliance Statements

M-200 and M-600 Compliance Statements

PA-3200 Series Next-Gen Firewall Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

Upgrade/Downgrade Considerations for Firewalls and Appliances

PA-3200 Series Firewall Overview

Front Panel Description

Back Panel Description

Install the PA-3200 Series Firewall

Install the PA-3200 Series Firewall Using the Rack Mount Br...

Install the PA-3200 Series Firewall Using the Four Post Rac...

Connect Power to a PA-3200 Series Firewal

Connect AC Power to a PA-3200 Series Firewall

Connect DC Power to a PA-3200 Series Firewall

Service the PA-3200 Series Firewall

Interpret the PA-3200 Series Status LEDs

Replace a PA-3200 Series Fan Tray

Replace a PA-3200 Series Power Supply

Replace a PA-3200 Series AC Power Supply

Replace a PA-3200 Series DC Power Supply

Replace a PA-3200 Series Drive

PA-3200 Series Firewall Specifications

PA-3200 Series Physical Specifications

PA-3200 Series Electrical Specifications

PA-3200 Series Environmental Specifications

PA-3200 Series Miscellaneous Specifications

PA-3200 Series Firewall Hardware Compliance Statements Over...

PA-3200 Series Firewall Compliance Statements

PA-220R Next-Gen Firewall Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

Upgrade/Downgrade Considerations for Firewalls and Appliances

PA-220R Firewall Overview

Front Panel Description

Back Panel Description

Interpret the LEDs on a PA-220R Firewall

Install the PA-220R Firewall

Install the PA-220R Firewall on a Flat Surface

Install the PA-220R Firewall on a DIN Rail

Install the PA-220R Firewall on a Wall

Install a PA-220R in a 19 in Equipment Rack

Connect Power to a PA-220R Firewall

Prepare to Connect DC Power to a PA-220R Firewall

Connect DC Power to a PA-220R Firewall

PA-220R Firewall Specifications

Physical Specifications

Electrical Specifications

Environmental Specifications

Miscellaneous Specifications

PA-220R Firewall Hardware Compliance Statements Overview

PA-220R Firewall Hardware Compliance Statements

PA-5400 Series Next-Gen Firewall Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

PA-5400 Series Firewall Overview

PA-5450 Front and Back Panel Descriptions

PA-5450 Front Panel

PA-5450 Back Panel

PA-5400 Series Front and Back Panel Descriptions

PA-5400 Series Front Panel

PA-5400 Series Back Panel

PA-5400 Series Firewall Module and Interface Card Information

PA-5400 Series Firewall Base Cards (BCs)

PA-5400 BC-A Component Descriptions

PA-5400 Series Firewall Management Processor Cards (MPCs)

PA-5400 MPC-A Component Descriptions

Interpret the PA-5400 MPC-A LEDs

PA-5400 Series Firewall Networking Cards (NCs)

PA-5400 NC-A Component Descriptions

Interpret the PA-5400 NC-A LEDs

PA-5400 Series Firewall Data Processor Card (DPC)

PA-5400 DPC-A Component Descriptions

Interpret the PA-5400 Series DPC-A LEDs

PA-5400 Series Firewall Installation

PA-5400 Series Firewall Equipment Rack Installation

PA-5400 Series Firewall Rack Install Safety Information

Install the PA-5450 Firewall in an Equipment Rack

Install the PA-5400 Series Firewall in an Equipment Rack

Install the Mandatory PA-5400 Series Firewall Front Slot Cards

Install a PA-5400 Series Firewall Management Processor Card (MPC)

Install a PA-5400 Series Firewall Networking Card (NC)

Configure Session Distribution on a PA-5400 Series Firewall

Install a PA-5400 Series Firewall Data Processor Card (DPC)

Set Up a Connection to the Firewall

Connect Power to a PA-5400 Series Firewall

Connect AC or DC Power to a PA-5450 Firewall

Determine PA-5450 Firewall Power Configuration Requirements

View PA-5400 Series Firewall Power Statistics

Connect AC or DC Power to a PA-5400 Series Firewall

Connect Cables to a PA-5400 Series Firewall

Verify the PA-5450 Firewall NC Configuration

Service the PA-5400 Series Firewall Hardware

Replace a PA-5400 Series Firewall AC or DC Power Supply

Interpret the PA-5400 Series Firewall Power Supply LEDs

Replace a PA-5450 AC or DC Power Supply

Replace a PA-5410, PA-5420, and PA-5430 Firewall AC or DC Power Supply

Replace a PA-5400 Series Base Card (BC)

Replace a PA-5450 Base Card (BC)

Replace a PA-5400 Series Firewall Fan Assembly

Replace a PA-5450 Fan Assembly

Replace a PA-5410, PA-5420, and PA-5430 Fan Assembly

Replace a PA-5400 Series Firewall Front Slot Card

Replace a PA-5400 Series Management Processor Card (MPC)

Replace a PA-5450 Management Processor Card (MPC)

Replace a PA-5400 Series Networking Card (NC)

Replace a PA-5450 Networking Card (NC)

PA-5400 Series Firewall Networking Card (NC) Troubleshooting Commands

Replace a PA-5400 Series Data Processor Card (DPC)

Replace a PA-5450 Data Processor Card (DPC)

PA-5400 Series Front Slot and Card States

PA-5400 Series Logical Card Slots

Replace a PA-5450 Front Slot Card in a High Availability (HA) Configuration

Install an MPC Logging Drive

Replace an MPC System Drive

Replace a System Drive in a PA-5400 Series Firewall

Replace a System Drive in a PA-5450 MPC

Interpret the PA-5400 Series LEDs

Identify PA-5400 Series Port Activity and Link LEDs

PA-5400 Series Firewall Specifications

PA-5400 Series Firewall Physical Specifications

PA-5400 Series Firewall Electrical Specifications

PA-5400 Series Firewall Power Cord Types

PA-5450 Firewall Component Electrical Specifications

PA-5400 Series Firewall Environmental Specifications

PA-5400 Series Firewall Hardware Compliance Statements

PA-5400 Series Firewall Compliance Statements

PA-7000 Series Firewall Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

Upgrade/Downgrade Considerations for Firewalls and Appliances

PA-7000 Series Firewall Overview

PA-7050 Front and Back Panel Descriptions

PA-7050 Front Panel (AC)

PA-7050 Back Panel (AC)

PA-7050 Front Panel (DC)

PA-7050 Back Panel (DC)

PA-7080 Front and Back Panel Descriptions

PA-7080 Front Panel (AC)

PA-7080 Back Panel (AC)

PA-7080 Front Panel (DC)

PA-7080 Back Panel (DC)

PA-7000 Series Firewall Module and Interface Card Information

PA-7000 Series Firewall Switch Management Cards (SMCs)

PA-7000 Series Firewall SMC Component Descriptions

PA-7000 Series Firewall SMC-B Component Descriptions

PA-7000 Series Firewall SMC-B Requirements

Interpret the PA-7000 Series Firewall SMC LEDs

PA-7000 Series Firewall Log Cards

PA-7000 Series Firewall Log Processing Card (LPC)

PA-7000 Series Firewall LPC and AMC Component Descriptions

Interpret the PA-7000 Series Firewall AMC LEDs

PA-7000 Series Firewall Log Forwarding Card (LFC)

PA-7000 Series Firewall LFC Component Descriptions

Interpret the PA-7000 Series LFC LEDs

PA-7000 Series Firewall LFC Requirements

PA-7000 Series Firewall Network Processing Cards (NPCs)

PA-7000 20GXM NPC

PA-7000 20GQXM NPC

PA-7000 100G NPC

PA-7000 100G NPC Component Descriptions

Interpret the PA-7000 100G NPC LEDs

PA-7000 100G NPC Requirements

Identify PA-7000 Series NPC Port Activity and Link LEDs

PA-7000 Series Firewall Data Processing Card (DPC)

Interpret the PA-7000 Series DPC LEDS

PA-7000 Series Firewall Installation

PA-7000 Series Firewall Equipment Rack Installation

PA-7000 Series Firewall Rack Install Safety Information

Install the PA-7050 Firewall in the Mid-Mount Position

Install the PA-7050 Firewall in the Front-Mount Position

Install the PA-7080 Firewall in the Mid-Mount Position

Install the PA-7080 Firewall in the Front-Mount Position

Install the Mandatory PA-7000 Series Firewall Front Slot Cards

Install a PA-7000 Series Switch Management Card

Install the PA-7000 Series Firewall Switch Management Card (SMC)

Install the PA-7000 Series Firewall Switch Management Card (SMC-B)

Install a PA-7000 Series Firewall Log Card

Install the PA-7000 Series Firewall Log Processing Card (LPC)

Install the PA-7000 Series Firewall Log Forwarding Card (LFC)

Install a PA-7000 Series Firewall Network Processing Card (NPC)

Install a PA-7000 Series Firewall NPC in a Single Chassis

Install a PA-7000 Series Firewall NPC in a High Availability (HA) Configuration

Configure a Log Card Port on a PA-7000 Series Firewall

Configure Session Distribution on a PA-7000 Series Firewall

Install a PA-7000 Series Firewall Data Processing Card (DPC)

Install a PA-7000 Series Firewall DPC in a Single Chassis

Install a PA-7000 Series Firewall DPC in a High Availability (HA) Configuration

Connect Power to a PA-7000 Series Firewall

PA-7000 Series Power Configuration Options

Determine PA-7000 Series Firewall Power Configuration Requirements

Connect AC Power to a PA-7050 Firewall

Connect DC Power to a PA-7050 Firewall

Connect AC Power to a PA-7080 Firewall

Connect DC Power to a PA-7080 Firewall

View PA-7000 Series Firewall Power Statistics

Connect Cables to a PA-7000 Series Firewall

Verify the PA-7000 Series Firewall LPC and NPC Configuration

Verify the PA-7000 Series Firewall LPC Configuration

Verify the PA-7000 Series Firewall NPC Configuration

Install the PA-7080 Firewall EMI Filter

Service the PA-7000 Series Firewall Hardware

Replace a PA-7000 Series Firewall AC or DC Power Supply

Interpret the PA-7000 Series Firewall Power Supply LEDs

PA-7050 Power Supply LEDs

PA-7080 Power Supply LEDs

Replace a PA-7000 Series AC Power Supply

Replace a PA-7050 AC Power Supply

Replace a PA-7080 AC Power Supply

Replace a PA-7000 Series DC Power Supply

Replace a PA-7050 DC Power Supply

Replace a PA-7080 DC Power Supply

Replace a PA-7080 DC PEM

Replace a PA-7000 Series Firewall Fan Tray

Replace a PA-7050 Fan Tray

Replace a PA-7080 Fan Tray

Replace a PA-7000 Series Firewall Air Filter

Replace a PA-7000 Series Firewall Front Slot Card

Replace a PA-7000 Series Switch Management Card (SMC)

Replace a PA-7000 Series Log Card

Replace a PA-7000 Series Log Processing Card (LPC)

Replace a PA-7000 Series Log Forwarding Card (LFC)

Replace a PA-7000 Series Network Processing Card (NPC)

Replace PA-7000 Series Firewall NPC in a Single Chassis

Replace PA-7000 Series Firewall NPC in a High Availability (HA) Configuration

PA-7000 Series Front Slot and Card States

PA-7000 Series Firewall Network Processing Card (NPC) Troubleshooting Commands

Replace a PA-7000 Series Data Processing Card (DPC)

Replace a PA-7000 Series Firewall DPC in a Single Chassis

Replace a PA-7000 Series Firewall DPC in a High Availability (HA) Configuration

Replace a PA-7000 Series Firewall LPC Drive

Re-Index the LPC Drives

Replace a PA-7050-SMC-B or PA-7080-SMC-B Drive

Increase the PA-7000 Series Firewall LPC Log Storage Capacity

Replace a PA-7000 Series SMC Boot Drive

PA-7000 Series Firewall Specifications

PA-7000 Series Firewall Physical Specifications

PA-7000 Series Firewall Electrical Specifications

PA-7000 Series Firewall Component Electrical Specifications

PA-7000 Series Firewall Power Cord Types

PA-7000 Series Firewall Environmental Specifications

PA-7000 Series Firewall Hardware Compliance Statements

PA-7000 Series Firewall Compliance Statements

PA-220 Next-Gen Firewall Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

Upgrade/Downgrade Considerations for Firewalls and Appliances

PA-220 Firewall Overview

PA-220 Front Panel

PA-220 Back Panel

Install the PA-220 Firewall

Install the PA-220 Firewall on a Flat Surface

Install the PA-220 Firewall on a Wall

Install the PA-220 Firewall in a 19-inch Equipment Rack

Install the PA-220 Firewall Using the PAN-PA-220-RACKTRAY

Install the PA-220 Firewall Using the PAN-PA-220-RACK-SINGLE

Connect Power to a PA-220 Firewall

How to Connect Power to a PA-220 Firewall

Service the PA-220 Firewall Hardware

Interpret the LEDs on a PA-220 Firewall

Replace a Power Adapter on a PA-220 Firewall

PA-220 Firewall Specifications

Physical Specifications

Electrical Specifications

Environmental Specifications

Miscellaneous Specifications

PA-220 Firewall Compliance Statements Overview

PA-220 Firewall Compliance Statements

PA-5200 Series Next-Gen Firewall Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

Upgrade/Downgrade Considerations for Firewalls and Appliances

PA-5200 Series Firewall Overview

PA-5200 Front Panel

PA-5200 Back Panel

Install the PA-5200 Series Firewall

Install the PA-5200 Series Firewall in a 19-inch Equipment Rack

Install the Four-Post Rack Kit on a PA-5200 Series Firewall

Connect Power to a PA-5200 Series Firewall

Connect AC Power to a PA-5200 Series Firewall

Connect DC Power to a PA-5200 Series Firewall

Service the PA-5200 Series Firewall

Interpret the LEDs on a PA-5200 Series Firewall

Replace the Air Intake Filters on a PA-5200 Series Firewall

Replace a Fan Tray on a PA-5200 Series Firewall

Replace a Power Supply on a PA-5200 Series Firewall

Replace a Drive on a PA-5200 Series Firewall

PA-5200 Series Firewall Specifications

PA-5200 Series Physical Specifications

PA-5200 Series Electrical Specifications

PA-5200 Series Environmental Specifications

PA-5200 Series Miscellaneous Specifications

PA-5200 Series Firewall Compliance Statements Overview

PA-5200 Series Firewall Compliance Statements

PA-800 Series Next-Gen Firewall Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

Upgrade/Downgrade Considerations for Firewalls and Appliances

PA-800 Firewall Overview

PA-800 Front Panel

PA-800 Back-Panel

Install the PA-800 Series Firewall

Install the PA-800 Series Firewall in a Two-Post 19-inch Equipment Rack

Install the PA-800 Series Firewall in a Four-Post 19-inch Equipment Rack

Connect Power to a PA-800 Series Firewall Overview

Connect Power to a PA-800 Series Firewall

Service the PA-800 Series Firewall Hardware

Interpret the LEDs on a PA-800 Series Firewall

Replace a Power Supply on a PA-850 Firewall

PA-800 Series Firewall Specifications

PA-800 Series Physical Specifications

PA-800 Series Electrical Specifications

PA-800 Series Environmental Specifications

PA-800 Series Miscellaneous Specifications

PA-800 Series Firewall Compliance Statements Overview

PA-800 Series Firewall Compliance Statements

ION 1000 Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

ION 1000 Overview

ION 1000 Specifications

ION 1000 Installation Kit Components

ION Device Compliance Statement

Power on the ION 1000

Install the ION 1000

Rack Mount the ION 1000

Wall Mount the ION 1000

Install the ION 1000 by Replacing an Existing Router

Install the ION 1000 With an Existing Router

Install the ION 1000 in Control Mode

ION 7000 Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

ION 7000 Overview

ION 7000 Specifications

ION 7000 Installation Kit Components

ION Device Compliance Statement

Power on the ION 7000

Install the ION 7000

Rack Mount the ION 7000

Install the Slide Rail into the Rack

Rack Mount the Slide Rails

Install the ION 7000 in Virtual In-Path Configuration

Setup the ION 7000 Controller Port

ION 7000 Peering Ports

ION 7000 Internet Ports

Install the ION 7000 in High Availability

ION 9000 Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

ION 9000 Overview

ION 9000 Front Panel with LEDs

ION 9000 Device Specifications

Installation Kit Components of ION 9000

ION Device Compliance Statement

Power on the ION 9000

Install the ION 9000

Rack Mount the ION 9000

Install the ION 9000 in Virtual In-Path Configuration

Configure Controller Port

Configure Peering Ports

Configure Internet Ports

Install ION 9000 in High Availability

PA-400 Series Next-Gen Firewall Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

PA-400 Series Firewall Overview

PA-400 Series Front Panel

PA-400 Series Back Panel

Install the PA-400 Series Firewall

Install the PA-400 Series Firewall on a Flat Surface

Install the PA-400 Series Firewall on a Wall

Install the PA-400 Series Firewall in a 19-inch Equipment Rack

Install the PA-400 Series Firewall Using the PAN-PA-400-RACKTRAY

Set Up a Connection to the Firewall

Install Antennas on the PA-400 Series 5G Firewall

Insert a SIM Card into a PA-400 Series Firewall

Connect Power to a PA-400 Series Firewall

Connect Power to a PA-400 Series Firewall

Connect Power to a PA-410 Firewall

Service the PA-400 Series Firewall Hardware

Interpret the LEDs on a PA-400 Series Firewall

Replace a Power Adapter on a PA-400 Series Firewall

PA-400 Series Firewall Specifications

Physical Specifications

Electrical Specifications

Environmental Specifications

Miscellaneous Specifications

Antenna Specifications

PA-400 Series Firewall Compliance Statements Overview

PA-400 Series Firewall Compliance Statements

PA-3400 Series Next-Gen Firewall Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

PA-3400 Series Firewall Overview

PA-3400 Series Front Panel

PA-3400 Series Back Panel

Install the PA-3400 Series Firewall in an Equipment Rack

Install the PA-3400 Series Firewall Using the Four-Post Rack Kit

Connect Power to a PA-3400 Series Firewall

Set Up a Connection to the Firewall

Connect Power to a PA-3400 Series Firewall

Connect DC Power to a PA-3400 Series Firewall

Service the PA-3400 Series Firewall

Interpret the PA-3400 Series Status LEDs

Replace a PA-3400 Series Power Supply

Replace a PA-3400 Series Power Supply

Replace a PA-3400 Series Drive

PA-3400 Series Firewall Specifications

PA-3400 Series Physical Specifications

PA-3400 Series Electrical Specifications

PA-3400 Series Environmental Specifications

PA-3400 Series Miscellaneous Specifications

PA-3400 Series Firewall Hardware Compliance Statements

PA-3400 Series Firewall Compliance Statements

M-300 and M-700 Appliance Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

M-300 and M-700 Appliance Overview

M-300 Appliance Front Panel

M-300 Appliance Back Panel

M-700 Appliance Front Panel

M-700 Appliance Back Panel

Install the M-300 and M-700 Appliance

Install the M-300 or M-700 Appliance in an Equipment Rack

Install the M-300 Appliance in a 19” Equipment Rack

Install the M-700 Appliance in a 19” Equipment Rack

Connect Power to an M-300 or M-700 Appliance

Connect AC Power to an M-300 or M-700 Appliance

Service the M-300 or M-700 Appliance

Replace an M-300 or M-700 Drive

Replace an M-300 or M-700 Appliance System Drive

Replace an M-300 or M-700 Appliance Log Drive

Replace an M-300 or M-700 Appliance Power Supply

M-300 and M-700 Appliance Port LEDs

M-300 and M-700 Appliance Specifications

M-300 and M-700 Physical Specifications

M-300 and M-700 Electrical Specifications

M-300 and M-700 Environmental Specifications

M-300 and M-700 Miscellaneous Specifications

M-300 and M-700 Appliance Hardware Compliance Statements

M-300 and M-700 Compliance Statements

WF-500-B Appliance Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

WF-500-B Appliance Overview

WF-500-B Front Panel

WF-500-B Back Panel

Install the WF-500-B Appliance

Install the WF-500-B Appliance in a 19" Equipment Rack

Install the WF-500-B Appliance in a 4-Post Rack

Connect Power to the WF-500-B Appliance

Service the WF-500-B Appliance

Interpret the WF-500-B LEDs

Replace a WF-500-B Log Drive

Replace a WF-500-B System Drive

Replace a WF-500-B Power Supply

WF-500-B Appliance Specifications

WF-500-B Physical Specifications

WF-500-B Electrical Specifications

WF-500-B Environmental Specifications

WF-500-B Appliance Hardware Compliance Statements

WF-500-B Compliance Statements

ION 3200 Hardware Reference

Before You Begin

Tamper Proof Statement

Third Party Component Support

Product Safety Warnings

ION 3200 Overview

Overview of ION 3200

ION 3200 Hardware Specifications

ION 3200 Front Panel

ION 3200 Back Panel

ION 3200 Installation Kit Components

ION 3200 Compliance Statement

Install ION 3200

Install ION 3200 in a Rack

Power on the ION 3200

Install ION 3200 on a Wall

Wall Mount Template

Install the ION 3200 on a Flat Surface

Troubleshoot the ION 3200

Troubleshoot Common Issues of ION 3200

PA-1400 Series Next-Gen Firewall Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

PA-1400 Series Firewall Overview

PA-1400 Series Front Panel

PA-1400 Series Back Panel

Install the PA-1400 Series Firewall in an Equipment Rack

Install the PA-1400 Series Firewall Using the Four-Post Rack Kit

Connect Power to a PA-1400 Series Firewall

Set Up a Connection to the Firewall

Connect Power to a PA-1400 Series Firewall

Connect DC Power to a PA-1400 Series Firewall

Service the PA-1400 Series Firewall

Interpret the PA-1400 Series Status LEDs

Replace a PA-1400 Series Power Supply

Replace a PA-1400 Series Power Supply

PA-1400 Series Firewall Specifications

PA-1400 Series Physical Specifications

PA-1400 Series Electrical Specifications

PA-1400 Series Environmental Specifications

PA-1400 Series Miscellaneous Specifications

PA-1400 Series Firewall Hardware Compliance Statements

PA-1400 Series Firewall Compliance Statements

ION 9200 Hardware Reference

Before You Begin

Product Safety Warnings

Tamper Proof Statement

Third-Party Component Support

ION 9200 Overview

ION 9200 Hardware Specifications

ION 9200 Front Panel

ION 9200 Back Panel

ION 9200 Compliance Statements

Installation Kit Components

Power on the ION

Install the ION 9200

Install the ION 9200 Using Four-Post Rack Mount Kit

ION 5200 Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

ION 5200 Overview

ION 5200 Hardware Specifications

ION 5200 Front Panel

ION 5200 Back Panel

ION 5200 Compliance Statement

Installation Kit Components

Power on the ION

Install the ION 5200

Install the ION 5200 Using the Four-Post Rack Mount Kit

ION 1200 Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

ION 1200 Overview

Overview ION 1200

ION 1200 Hardware Specifications

ION 1200 Front Panel

ION 1200-C-NA/ROW Front Panel

ION 1200-C-5G-WW Front Panel

ION 1200 Back Panel

ION 1200-C-NA/ROW Back Panel

ION 1200-C-5G Back Panel

ION 1200 Compliance Statement

Installation Kit Components

Install the ION 1200

Install Antennas

Insert SIM Cards

Install the ION 1200 on a Flat Surface

Install the ION 1200 on a Wall

Wall Mount Template

Install the ION 1200 in a 19-inch Equipment Rack

Install the ION 1200 Using the Racktray

Power on the ION 1200

Troubleshoot ION 1200

Troubleshoot Common Issues with the ION 1200

PA-400R Series Next-Gen Firewall Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

PA-400R Series Firewall Overview

PA-400R Series Front Panel

PA-400R Series Back Panel

Interpret the LEDs on a PA-400R Series Firewall

PA-400R Series Top and Bottom Panels

Install the PA-400R Series Firewall

Install the PA-400R Series Firewall on a Flat Surface

Install the PA-400R Series Firewall on a Wall

Install the PA-400R Series Firewall in an Equipment Rack

Set Up a Connection to the Firewall

Install the PA-400R Series Firewall on a DIN Rail

Connect Cables to the PA-400R Series Firewall

Connect Ethernet Cables to the PA-400R Series Firewall

Connect Fiber Cables to the PA-400R Series Firewall

Install Antennas on the PA-400R Series 5G Firewall

Insert a SIM Card into a PA-400R Series Firewall

Connect Power to a PA-400R Series Firewall

Prepare to Connect Power to a PA-400R Series Firewall

Connect Power to a PA-400R Series Firewall

PA-400R Series Firewall Specifications

Physical Specifications

Electrical Specifications

Environmental Specifications

Miscellaneous Specifications

Antenna Specifications

PA-400R Series Firewall Compliance Statements Overview

PA-400R Series Firewall Compliance Statements

PA-7500 Next-Gen Firewall Hardware Reference

Before You Begin

Upgrade/Downgrade Considerations for Firewalls and Appliances

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

PA-7500 Series Firewall Overview

PA-7500 Series Firewall Front and Back Panel Descriptions

PA-7500 Series Front Panel

PA-7500 Series Back Panel

PA-7500 Series Module and Interface Card Descriptions

PA-7500 Series Firewall Management Processing Card (MPC)

PA-7500 Series Firewall Network Processing Card (NPC)

PA-7500 Series Firewall Data Processing Card (DPC)

PA-7500 Series Firewall Switch Fabric Card (SFC)

PA-7500 Series Firewall Installation

Install the PA-7500 Series Firewall in an Equipment Rack

Install a PA-7500 Series Firewall Interface Card

Connect Power to the PA-7500 Series Firewall

Determine Power Requirements of the PA-7500 Series Firewalls

Connect AC Power to the PA-7500 Series Firewall

Connect DC Power to the PA-7500 Series Firewall

View Power Statistics of the PA-7500 Series Firewalls

Connect Cables to the PA-7500 Series Firewall

PA-7500 Series Firewall LED Definitions

Interpret the PA-7500 Series Firewall LEDs

Interpret the PA-7500 Series Firewall Interface Card LEDs

PA-7500 Series Firewall MPC LEDs

PA-7500 Series Firewall NPC LEDs

PA-7500 Series Firewall DPC LEDs

PA-7500 Series Firewall SFC LEDs

PA-7500 Series Firewall Maintenance

Replace a PA-7500 Series Firewall AC or DC Power Supply

Replace a PA-7500 Series Firewall Interface Card

Replace a PA-7500 Series Firewall Fan Assembly

Replace a PA-7500 Series Firewall System Drive

Replace a PA-7500 Series Firewall Logging Drive

PA-7500 Series Firewall Specifications

PA-7500 Series Firewall Physical Specifications

PA-7500 Series Firewall Electrical Specifications

PA-7500 Series Firewall Component Electrical Specifications

PA-7500 Series Firewall Power Cord Types

PA-7500 Series Firewall Environmental Specifications

PA-7500 Series Firewall Compliance Statements

Compliance Statements

ION 1200-S Hardware Reference

Before You Begin

Tamper Proof Statement

Third-Party Component Support

Product Safety Warnings

ION 1200-S Overview

Overview ION 1200-S

ION 1200-S Hardware Specifications

ION 1200-S Front Panel

ION 1200-S-C-NA/ROW Front Panel

ION 1200-S-C5G-WW Front Panel

ION 1200-S Back Panel

ION 1200-S-C-NA/ROW Back Panel

ION 1200-S-C-5G Back Panel

ION 1200-S Compliance Statement

Installation Kit Components

ION 1200-S LEDs

Power on the ION 1200

Install ION 1200-S

Insert SIM Cards in the ION 1200-S

Install Antennas in the ION 1200-S

Install the ION 1200-S on a wall

ION 1200-S Wall Mount Template

Install the ION 1200-S on a Rack

Install the ION 1200-S on a Flat Surface

Troubleshoot ION 1200-S Series

Troubleshoot Common Issues with the ION 1200-S Series

Prisma Access Help

Prisma Access Setup

Remote Networks

Service Connections

Prisma Access Licenses

Shared Config Help Topics

Welcome to Your Prisma Access Dashboard

HTTP Header Insertion

Application Filters

Application Groups

Application Override

Certificate Management

Dynamic User Groups

External Dynamic Lists

Identity Redistribution

Quality of Service

SaaS Application Management

Security Policy

Security Profile Groups

URL Access Control

Vulnerability Protection

WildFire and Antivirus

Release Preview

Insights Help Topics

Insights Dashboard: Okyo Garde

Insights Dashboard: Summary

Insights Dashboard: Remote Networks

Insights Dashboard: Mobile Users

Insights Dashboard: Service Connections

Insights Dashboard: Locations

Insights Dashboard: Tunnels

Insights Dashboard: Alerts

Insights Dashboard: Notification Profiles

pai-notifications

Monitor Network Services

Insights Dashboard: ZTNA Connector

Autonomous DEM Help Topics

Autonomous DEM Summary

Prisma Access Locations

Hub

Hub Getting Started Guide

Application Access

Activating Partner Apps

Partner App Permissions

App Deactivation

Capture App Debug Information

Browser Support

View Apps by Tenant or by Support Account

Manage App Roles

App Access using Roles

Available Roles

Assign the Account Administrator Role

Assign the App Administrator Role

Assign Roles for App Instances

Role Migration Notes

Custom Role Creation and Management

Create a New Custom Role

Clone an Existing Role

Edit a Custom Role

Delete a Custom Role

Assign App Permissions

Hub Release Information

What’s New in the Hub

IoT

IoT Security Best Practices

IoT Security Best Practices

Plan Your IoT Security Deployment Using Best Practices

Deploy IoT Security Using Best Practices

Monitor Your IoT Security Deployment Using Best Practices

IoT Security API Reference

IoT Security API Overview

Get Started with the IoT Security API

IoT Security API

Get Device Details per MAC Address

Get Device Details per IP Address

Get the Device Inventory

Get Security Alerts

Resolve a Security Alert

Get Vulnerability Instances

Resolve Vulnerability Instances

Add and Remove User-defined Tags

Get a List of User-defined Tags

Get Profile Mapping

Get Active Policy Rule Recommendations

IoT Security Administrator’s Guide

Get Started with IoT Security

Firewall and PAN-OS Support of IoT Security

IoT Security Prerequisites

Onboard IoT Security

Firewall Deployment for Device Visibility

DHCP Data Collection by Traffic Type

Firewall Deployment Options for IoT Security

Configure a Pre-PAN-OS 10.0 Firewall with a DHCP Server

Configure a Pre-PAN-OS 10.0 Firewall for a Local DHCP Server

Use a Tap Interface for DHCP Visibility

Use a Virtual Wire Interface for DHCP Visibility

Use ERSPAN to Send Mirrored Traffic through GRE Tunnels

Use DHCP Server Logs to Increase Device Visibility

Use SNMP Network Discovery to Learn about Devices from Switches

Use Network Discovery Polling to Discover Devices

Plan for Scaling when Your Firewall Serves DHCP

Prepare Your Firewall for IoT Security

Configure Policies for Log Forwarding

IoT Security Integration with Prisma Access

Offboard IoT Security Subscriptions

IoT Security Licenses

Onboard IoT Security on VM-Series with Software NGFW Credits

Control Allowed Traffic for Onboarding Devices

Support Isolated Network Segments

IoT Security Overview

Introduction to IoT Security

IoT Security Integration with Next-generation Firewalls

IoT Security Portal

IoT Security Integration Status with Firewalls

IoT Security Integration Status with Prisma Access

IoT Security Integrations with Third-party Products

Sites and Site Groups

Data Quality Diagnostics

Device-to-Site Mapping

IoT Security and FedRAMP

Vertical-themed Portals

Network Visualizations

Create a Visualization Map

View Data in a Visualization Map

Authorize On-demand PCAP

Network Segments Configuration

Discover IoT Devices and Take Inventory

IoT Device Discovery

IoT Security Devices Page

IoT Security Device Details Page

Devices with Static IP Addresses

Upload a List of Static IP Devices

Add a Static IP Device Configuration

Upload a List of Subnets with Only Static IP Addresses

Add a Subnet with Only Static IP Addresses

Custom Attributes

Create Multi-interface Devices

Discover Mobile Device Attributes

Devices with Overlapping IP Addresses

Add a Network Segment

Manage Network Segments

Parse Industrial OT Device Files

Discover IoT Device Applications

IoT Device Applications Discovery

Detect IoT Device Vulnerabilities

IoT Device Vulnerability Detection

Vulnerabilities Page

Vulnerability Details Page

IoT Risk Assessment

Vulnerability Overview Dashboard

Respond to IoT Security Alerts

Security Alert Overview

Learn about Security Alerts

Act on Security Alerts

Routine Security Alert Management

Create Alert Rules

Recommend Security Policies

Create a Policy Set in IoT Security

Import a Policy Set into Panorama

Restrict Network Access

Policy Rule Recommendations

Device Profile Overview

Device Profile Behaviors

Device Profile Policy

Utilization Dashboard

Utilization Dashboard Filters

Utilization Information Panels

Biomed Dashboard

Manage IoT Security Users

Create IoT Security Users

User Roles for IoT Security

IoT Security Solution

IoT Security Solution Structure

IoT Security Solution Setup

IoT Security Documentation

Enterprise IoT Security Administrator’s Guide

Get Started with Enterprise IoT Security

What Enterprise IoT Security Does

How to Use Enterprise IoT Security

Onboard Enterprise IoT Security

Expand Network Coverage

Add Enterprise IoT Security Users

IoT Security Integration Guide

Get Started with IoT Security Integrations

Integrate with Third-party Systems

Third-party Integrations Using Cohosted XSOAR

Activate a Third-party Integrations Add-on

Third-party Integrations Using a Full-featured XSOAR Server

Check XSOAR Integration Activity

Asset Discovery

Integrate IoT Security with Rockwell Automation AssetCentre

Set up AssetCentre for Integration

Set up IoT Security and XSOAR for AssetCentre Integration

Learn Device Attributes by Polling

Asset Management

Integrate IoT Security with AIMS

Set up AIMS for Integration

Set up IoT Security and XSOAR for AIMS Integration

Send Work Orders to AIMS

Integrate IoT Security with Microsoft SCCM

Set up Microsoft SCCM for Integration

Set up IoT Security and XSOAR for SCCM Integration

Integrate IoT Security with Nuvolo

Set up Nuvolo for Integration

Set up IoT Security and XSOAR for Nuvolo Integration

Send Security Alerts to Nuvolo

Send Vulnerabilities to Nuvolo

Integrate IoT Security with ServiceNow

Set up ServiceNow for Integration

Set up IoT Security and XSOAR for ServiceNow Integration

Send Security Alerts to ServiceNow

Send Vulnerabilities to ServiceNow

Endpoint Protection

Integrate IoT Security with Cortex XDR

Set up Cortex XDR for Integration

Set up IoT Security and XSOAR for XDR Integration

Integrate IoT Security with CrowdStrike

Set up CrowdStrike for Integration

Set up IoT Security and XSOAR for CrowdStrike Integration

Integrate IoT Security with Microsoft Defender XDR

Set up Microsoft Defender XDR for Integration

Set up IoT Security and Cortex XSOAR for Microsoft Defender XDR Integration

Integrate IoT Security with Tanium

Set up Tanium for Integration

Set up IoT Security and XSOAR for Tanium Integration

Network Management

Integrate IoT Security with Aruba AirWave

Set up Aruba AirWave for Integration

Set up IoT Security and Cortex XSOAR for Aruba AirWave Integration

View Device Location Information

Integrate IoT Security with Aruba Central

Set up Aruba Central for Integration

Set up IoT Security and XSOAR for Aruba Central Integration

Integrate IoT Security with Cisco DNA Center

Set up Cisco DNA Center to Connect with XSOAR Engines

Set up IoT Security and XSOAR for DNA Center Integration

Integrate IoT Security with Cisco Meraki Cloud

Set up Cisco Meraki Cloud for Integration

Set up IoT Security and XSOAR for Cisco Meraki Cloud

Integrate IoT Security with Cisco Prime

Set up Cisco Prime to Accept Connections from IoT Security

Set up IoT Security and XSOAR for Cisco Prime Integration

Integrate IoT Security with Network Switches for SNMP Discovery

Set up IoT Security and Cortex XSOAR for SNMP Discovery

Integrate IoT Security with Switches for Network Discovery

Set up IoT Security and Cortex XSOAR for Network Discovery

IP Address Management

Integrate IoT Security with BlueCat IPAM

Set up BlueCat for Integration

Set up IoT Security and XSOAR for BlueCat Integration

Integrate IoT Security with Infoblox IPAM

Set up Infoblox for Integration

Set up IoT Security and XSOAR for Infoblox Integration

Wireless Network Controllers

Integrate IoT Security with Aruba WLAN Controllers

Set up Aruba WLAN Controllers for Integration

Set up IoT Security and XSOAR for Aruba WLAN Controllers

Integrate IoT Security with Cisco WLAN Controllers

Set up Cisco WLAN Controllers for Integration

Set up IoT Security and XSOAR for Cisco WLAN Controllers

Security Information and Event Management

Integrate IoT Security with SIEM

Set up SIEM for Integration

Set up IoT Security and XSOAR for SIEM Integration

Send Security Alerts to SIEM

Send Vulnerabilities to SIEM

Network Access Control

Integrate IoT Security with Aruba ClearPass

Set up Aruba ClearPass for Integration

Set up IoT Security and XSOAR for ClearPass Integration

Put a Device in Quarantine Using Aruba ClearPass

Release a Device from Quarantine Using Aruba ClearPass

Integrate IoT Security with Cisco ISE

Set up Cisco ISE to Identify IoT Devices

Set up Cisco ISE to Identify and Quarantine IoT Devices

Configure ISE Servers as an HA Pair

Set up IoT Security and XSOAR for Cisco ISE Integration

Put a Device in Quarantine Using Cisco ISE

Release a Device from Quarantine Using Cisco ISE

Apply Access Control Lists through Cisco ISE

Integrate IoT Security with Cisco ISE pxGrid

Set up Integration with Cisco ISE pxGrid

Put a Device in Quarantine Using Cisco ISE pxGrid

Release a Device from Quarantine Using Cisco ISE pxGrid

Integrate IoT Security with Forescout

Set up Forescout for Integration

Set up IoT Security and XSOAR for Forescout Integration

Put a Device in Quarantine Using Forescout

Release a Device from Quarantine Using Forescout

Vulnerability Scanning

Integrate IoT Security with Qualys

Set up QualysGuard Express for Integration

Set up IoT Security and XSOAR for Qualys Integration

Perform a Vulnerability Scan Using Qualys

Get Vulnerability Scan Reports from Qualys

Integrate IoT Security with Rapid7

Set up Rapid7 InsightVM for Integration

Set up IoT Security and XSOAR for Rapid7 Integration

Perform a Vulnerability Scan Using Rapid7

Get Vulnerability Scan Reports from Rapid7

Integrate IoT Security with Tenable

Set up Tenable for Integration

Set up IoT Security and XSOAR for Tenable Integration

Perform a Vulnerability Scan Using Tenable

Get Vulnerability Scan Reports from Tenable

Network Security

IPSec VPN Administration

IPSec VPN Basics

IPSec VPN Tunnels

VPN Deployments

Internet Key Exchange (IKE) for VPN

Get Started with IPSec VPN (Site-to-Site)

Site-to-Site VPN Overview

Tunnel Interface

Proxy ID for IPSec VPN

Configure IPSec VPN Tunnels (Site-to-Site)

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IKE Crypto Profiles (PAN-OS 10.1 and Later & )

Define IKE Crypto Profiles (Strata Cloud Manager)

Define IPSec Crypto Profiles

Define IPSec Crypto Profiles (Strata Cloud Manager)

Define IPSec Crypto Profiles (PAN-OS 10.1 and Later & )

Set Up an IPSec Tunnel

Set Up an IPSec Tunnel (Tunnel Mode)

Set Up an IPSec Tunnel (Tunnel Mode) (PAN-OS 10.1 and Later)

Set Up an IPSec Tunnel (Tunnel Mode) (Strata Cloud Manager)

Set Up an IPSec Tunnel (Tunnel Mode) ()

Set Up an IPSec Tunnel (Transport Mode)

Set Up an IPSec Tunnel (Transport Mode) (PAN-OS 11.0 and Later)

Monitor Your IPSec VPN Tunnel

Define a Tunnel Monitoring Profile

View the Tunnel Status

View the Tunnel Status ()

View the Tunnel Status (Strata Cloud Manager)

Enable, Disable, Refresh, or Restart an IKE Gateway or IPSec Tunnel

Site-to-Site VPN Configuration Examples

Site-to-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-to-Site VPN with Static and Dynamic Routing

Troubleshooting

Troubleshoot Your IPSec VPN Tunnel Connection

Troubleshoot Site-to-Site VPN Issues Using CLI

Security Policy

Network Security: Security Policy

Security Policy

Create a Security Policy Rule

Create a Security Policy Rule (Strata Cloud Manager)

Create a Security Policy Rule (PAN-OS & Panorama)

Track Rules Within a Rulebase

Track Rules Within a Rulebase (Strata Cloud Manager)

Track Rules Within a Rulebase (PAN-OS & Panorama)

Enforce Security Rule Description, Tag, and Audit Comment

Enforce Security Rule Description, Tag, and Audit Comment (Strata Cloud Manager)

Enforce Security Rule Description, Tag, and Audit Comment (PAN-OS & Panorama)

Move or Clone a Security Rule or Object to a Different Virtual System

Test Security Rules

Test Security Rules (Strata Cloud Manager)

Test Security Rules (PAN-OS & Panorama)

Security Profiles

Security Profile Groups

Create a Security Profile Group (Strata Cloud Manager)

Create a Security Profile Group (PAN-OS & Panorama)

Security Profile: AI Security

Security Profile: WildFire® Analysis

Configure a WildFire Analysis Profile (Strata Cloud Manager)

Configure a WildFire Analysis Profile (PAN-OS & Panorama)

Security Profile: Antivirus

Configure an Antivirus Profile (Strata Cloud Manager)

Configure an Antivirus Profile (PAN-OS & Panorama)

Security Profile: Vulnerability Protection

Configure a Vulnerability Protection Profile (Strata Cloud Manager)

Configure a Vulnerability Protection Profile (PAN-OS & Panorama)

Security Profile: Anti-Spyware

Configure an Anti-Spyware Profile (Strata Cloud Manager)

Configure an Anti-Spyware Profile (PAN-OS & Panorama)

Security Profile: DNS Security

Security Profile: DNS Security (Strata Cloud Manager)

Security Profile: DNS Security (PAN-OS & Panorama)

Security Profile: DoS Protection Profile

Configure a DoS Protection Profile (Strata Cloud Manager)

Configure a DoS Protection Profile (PAN-OS & Panorama)

Security Profile: File Blocking

Configure a File Blocking Profile (Strata Cloud Manager)

Configure a File Blocking Profile (PAN-OS & Panorama)

Security Profile: URL Filtering

Configure URL Filtering (Strata Cloud Manager)

Configure URL Filtering (PAN-OS & Panorama)

Security Profile: Data Filtering

Predefined Data Filtering Patterns (Strata Cloud Manager)

Predefined Data Filtering Patterns (PAN-OS & Panorama)

Create a Data Filtering Profile (Strata Cloud Manager)

Create a Data Filtering Profile (PAN-OS & Panorama)

Security Profile: Zone Protection

Create a Zone Protection Profile (Strata Cloud Manager)

Create a Zone Protection Profile (PAN-OS & Panorama)

Policy Object: Addresses

Addresses Fields

Use an Address Object to Represent IP Addresses

Create an Address Object (Strata Cloud Manager)

Create an Address Object (PAN-OS & Panorama)

Register IP Addresses and Tags Dynamically

CLI Commands for Dynamic IP Addresses and Tags

Policy Object: Address Groups

Use Dynamic Address Groups in Policy (Strata Cloud Manager)

Use Dynamic Address Groups in Policy (PAN-OS & Panorama)

Policy Object: Regions

Add a Region (Strata Cloud Manager)

Add a Region (PAN-OS & Panorama)

Policy Object: Traffic Objects

Policy Object: Applications

Create a Custom Application (Strata Cloud Manager)

Create a Custom Application (PAN-OS & Panorama)

Application Override Policy (Strata Cloud Manager)

Application Override Policy (PAN-OS & Panorama)

Policy Object: Application Groups

Create an Application Group (Strata Cloud Manager)

Create an Application Group (PAN-OS & Panorama)

Policy Object: Application Filter

Create an Application Filter (Strata Cloud Manager)

Create an Application Filter (PAN-OS & Panorama)

Policy Object: Services

Create a Custom Service (Strata Cloud Manager)

Create a Custom Service (PAN-OS & Panorama)

Policy Object: Tags

Create, Apply, and Modify Tags

Create, Apply, and Modify Tags (Strata Cloud Manager)

Create, Apply, and Modify Tags (PAN-OS & Panorama)

View Rules by Tag Group

Policy Object: Auto-Tag Actions

Use Auto-Tagging to Automate Security Actions (Strata Cloud Manager)

Use Auto-Tagging to Automate Security Actions (PAN-OS & Panorama)

Policy Object: Devices

Policy Object: External Dynamic Lists

Uses for External Dynamic Lists in Policy

Formatting Guidelines for an External Dynamic List

Built-in External Dynamic Lists

Built-in External Dynamic Lists (Strata Cloud Manager)

Built-in External Dynamic Lists (PAN-OS & Panorama)

Configure Your Environment to Access an External Dynamic List

Configure Your Environment to Access an External Dynamic List (Strata Cloud Manager)

Configure Your Environment to Access an External Dynamic List (PAN-OS & Panorama)

Configure your Environment to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service (Strata Cloud Manager)

Create an External Dynamic List Using the EDL Hosting Service (PAN-OS & Panorama)

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

View External Dynamic List Entries (Strata Cloud Manager)

View External Dynamic List Entries (PAN-OS & Panorama)

Enforce Policy on an External Dynamic List

Enforce Policy on an External Dynamic List (Strata Cloud Manager)

Enforce Policy on an External Dynamic List (PAN-OS & Panorama)

Find External Dynamic Lists That Failed Authentication

Find External Dynamic Lists That Failed Authentication (Strata Cloud Manager)

Find External Dynamic Lists That Failed Authentication (PAN-OS & Panorama)

Disable Authentication for an External Dynamic List

Policy Object: HIP Objects

Add a HIP Object (Strata Cloud Manager)

Add a HIP Object (PAN-OS & Panorama)

Policy Object: Schedules

Add a Schedule (Strata Cloud Manager)

Add a Schedule (PAN-OS & Panorama)

Policy Object: Quarantine Device Lists

Policy Object: Quarantine Device Lists (Strata Cloud Manager)

Policy Object: Quarantine Device Lists (PAN-OS & Panorama)

Policy Object: Dynamic User Groups

Use Dynamic User Groups in Policy (Strata Cloud Manager)

Use Dynamic User Groups in Policy (PAN-OS & Panorama)

Policy Object: Custom Objects

Create Custom Objects (Strata Cloud Manager)

Create Custom Objects (PAN-OS & Panorama)

Policy Object: Log Forwarding

Configure a Log Forwarding Profile (Strata Cloud Manager)

Configure a Log Forwarding Profile (PAN-OS & Panorama)

Policy Object: Authentication

Policy Object: Decryption Profile

Create a Decryption Profile (Strata Cloud Manager)

Create a Decryption Profile (PAN-OS & Panorama)

Policy Object: Packet Broker Profile

All Policy Types

NAT

QoS

Enforce Policy on Endpoints and Users Behind an Upstream Device

Use XFF Values for Policy Based on Source Users

Use XFF IP Address Values in Security Policy and Logging

Use the IP Address in the XFF Header to Troubleshoot Events

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Web Security Management

Your Web Access Security Policies at a Glance

Understand the Default Web Access Policies

Create Custom Web Access Policies

Manage Policy Recommendations from SaaS Security Administrators

Web Security: Security Settings

Web Security: Objects

Quantum Security

Quantum Security Administration

Quantum Security Concepts

The Quantum Computing Threat

How RFC 8784 Resists Quantum Computing Threats

Support for Post-Quantum Features

Post-Quantum Migration Planning and Preparation

Best Practices for Resisting Post-Quantum Attacks

Learn More About Post-Quantum Security

How RFC 9242 and RFC 9370 Resist Quantum Computing Threats

Configure Quantum Resistant IKEv2 VPNs

Configure Post-Quantum IKEv2 VPNs with RFC 8784 PPKs

Post-Quantum IKEv2 RFC 8784 Configuration Example

Configure Post-Quantum IKEv2 VPNs with RFC 9242 and RFC 9370 Hybrid Keys

Next-Generation CASB

Next-Generation Firewall

NGFW Incidents and Alerts

Manage NGFW Alerts

View Alert Details

View Probable Causes

Forecasting and Anomaly Detection

Create a Notification Rule

Integrating with ServiceNow

CPU Usage Metrics in AIOps for NGFW

Manage Capacity Analyzer Alerts

AIOps for NGFW Alerts Reference

Premium Health Alerts

Free Health Alerts

Alerts Raised by Leveraging Machine Learning

Manage NGFW Incidents

View Incident Details

NGFW Getting Started

Cloud Management and AIOps for NGFWs

Free and Premium Features

Where Are My AIOps for NGFW Features?

Activate AIOps for NGFW

Activate AIOps for NGFW (Free)

Get Started with NGFWs

Manage Your NGFWs

Cloud Management

PAN-OS & Panorama

NGFW Features and Support

onboard-your-ngfws

NGFW Administration

Onboard NGFWs to Strata Cloud Manager

Prerequisites for Strata Cloud Manager Onboarding

TCP Ports and FQDNs Required for Strata Cloud Manager

Onboard Your Devices

Onboard a Firewall

Onboard ZTP Firewalls

ZTP Configuration Elements

Add a ZTP Firewall to Strata Cloud Manager

Create a Device Onboarding Rule

Configure the Firewall General Settings

Configure the Firewall Session Settings

Configure Session Settings

Configure Session Timeout

Configure VPN Session Settings

Manage a Local Firewall Configuration

Set Up Firewalls

Policy Based Forwarding

About Policy Based Forwarding

Configure a Policy Based Forwarding Rule

Network Address Translation

Routing and Interfaces

Configure Interfaces

Configure a Tap Interface

Configure a Layer 2 Interface

Configure a Layer 3 Interface

Configure a Subinterface

Configure an Aggregate Interface Group

Configure a VLAN

Configure a Loopback Interface

Configure a Tunnel Interface

Configure an Aggregate Ethernet Interface Variable

Configure Routing Profiles

Configure a Filter Access List

Configure a Filter Prefix List

Configure a Filter Community List

Configure a BGP Filter Route Map

Configure a Filter Route Maps Redistribution List

Configure a Filter AS Path Access List

Configure an Address Family Profile

Configure a BGP Authentication Profile

Configure a BGP Redistribution Profile

Configure a BGP Filtering Profile

Configure an OSPF Authentication Profile

Configure a Logical Router

Configure a Static Route

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Configure a Zone Protection Profile to Increase Network Security

Configure Flood Protection

Configure Reconnaissance Protection

Configure Packet Based Attack Protection

Configure Protocol Protection

Configure Ethernet SGT Protection

Configure an IPSec Tunnel

Configure an Interface as a DHCP Server

Configure an Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

About DNS Proxy

Configure a DNS Proxy Object

DNS Proxy Rule and FQDN Matching

Configure a Service Route

Configure the Management Interface Settings

Configure the Auxiliary Interface Settings

Configure Auto VPN

Refresh a Pre-Shared Key

About Virtual Wires

Configure a Virtual Wire

Configure SD-WAN

Create SD-WAN Link Management Profiles

Configure an SD-WAN Policy Rule

Cheat Sheet: GlobalProtect for Cloud Management of NGFWs

High Availability

Set Up Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Forward Logs to an HTTP/S Destination

Configure Syslog Monitoring

Configure Custom Log/Event Format

Update Firewalls

Create a Software Update Grouping Rule

Schedule Dynamic Content Updates

Schedule a Software Update

NGFW Release Notes

New Features in September 2023

New Features Through August 2023

New Features in November 2023

New Features in December 2023

New Features in February 2024

New Features in March 2024

New Features in April 2024

New Features in May 2024

New Features in August 2024

Known and Addressed Issues

Feature History for AIOps for NGFW

PAN-OS OpenConfig Administrator’s Guide

Getting Started

About PAN-OS OpenConfig Support

PAN-OS OpenConfig Model Support

Install the OpenConfig Plugin

OpenConfig Models

BGP

Manage BGP Routes

Interfaces Behavior

Manage Interfaces

Local Routes Behavior

Manage Local Routes

Platform Behavior

Manage Platform

System Behavior

Telemetry Streaming

OpenConfig Telemetry on PAN-OS

PAN-OS OpenConfig Administrator’s Guide

Getting Started

About PAN-OS OpenConfig Support

PAN-OS OpenConfig Model Support

Install the OpenConfig Plugin

PAN-OS OpenConfig Wildcard Support

OpenConfig Models

BGP

Manage BGP Routes

Firewall Zones Behavior

Manage Firewall Zones

High Availabilty

High Availability Behavior

Manage High Availability

Interfaces Behavior

Manage Interfaces

Local Routes Behavior

Manage Local Routes

Network Instances

Network Instances Behavior

Manage Network Instances

OSPF Version 2 Behavior

Manage OSPF Version 2

Platform Behavior

Manage Platform

Routing Policy Behavior

Manage Routing Policies

System Behavior

Telemetry Streaming

OpenConfig Telemetry on PAN-OS

PAN-OS OpenConfig Administrator’s Guide

Getting Started

About PAN-OS OpenConfig Support

PAN-OS OpenConfig Model Support

Install the OpenConfig Plugin

PAN-OS OpenConfig Wildcard Support

PAN-OS OpenConfig Bundling Support

OpenConfig Models

BGP

Manage BGP Routes

Firewall Zones Behavior

Manage Firewall Zones

High Availabilty

High Availability Behavior

Manage High Availability

Interfaces Behavior

Manage Interfaces

Local Routes Behavior

Manage Local Routes

Network Instances

Network Instances Behavior

Manage Network Instances

OSPF Version 2 Behavior

Manage OSPF Version 2

Platform Behavior

Manage Platform

Routing Policy Behavior

Manage Routing Policies

System Behavior

Telemetry Streaming

OpenConfig Telemetry on PAN-OS

PAN-OS OpenConfig Administrator’s Guide

Getting Started

About PAN-OS OpenConfig Support

PAN-OS OpenConfig Model Support

Install the OpenConfig Plugin

PAN-OS OpenConfig Wildcard Support

PAN-OS OpenConfig Bundling Support

OpenConfig Models

BGP

Manage BGP Routes

Firewall Zones Behavior

Manage Firewall Zones

High Availabilty

High Availability Behavior

Manage High Availability

Interfaces Behavior

Manage Interfaces

Local Routes Behavior

Manage Local Routes

Network Instances

Network Instances Behavior

Manage Network Instances

OSPF Version 2 Behavior

Manage OSPF Version 2

Platform Behavior

Manage Platform

Routing Policy Behavior

Manage Routing Policies

System Behavior

Telemetry Streaming

OpenConfig Telemetry on PAN-OS

PAN-OS OpenConfig Administrator’s Guide

Getting Started

PAN-OS OpenConfig Model Support

PAN-OS OpenConfig Dial-Out Support

Install the OpenConfig Plugin

PAN-OS OpenConfig Wildcard Support

PAN-OS OpenConfig Bundling Support

Telemetry Streaming

OpenConfig Models

BGP Usage and Behavior

Firewall Zones Usage and Behavior

High Availabilty

Network Instances

PAN-OS OpenConfig Logging

PAN-OS OpenConfig Config

PAN-OS OpenConfig PCAP

PAN-OS OpenConfig XML API

PAN-OS OpenConfig File Upload

Panorama Administrator's Guide

Panorama Overview

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Total Configuration Size for Panorama

Templates and Template Stacks

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

Data Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-600 and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Install Panorama for Increased Device Management Capacity

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Set Up Panorama on Alibaba Cloud

Upload the Panorama Virtual Appliance Image to Alibaba Cloud

Install Panorama on Alibaba Cloud

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Set Up Panorama on Oracle Cloud Infrastructure (OCI)

Upload the Panorama Virtual Appliance Image to OCI

Install Panorama on Oracle Cloud Infrastructure (OCI)

Generate a SSH Key for Panorama on OCI

Perform Initial Configuration of the Panorama Virtual Appliance

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collector

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on Alibaba Cloud

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)

Mount the Panorama ESXi Server to an NFS Datastore

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on Alibaba Cloud

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platform

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)

Increase the System Disk on the Panorama Virtual Appliance

Increase the System Disk for Panorama on an ESXi Server

Increase the System Disk for Panorama on Google Cloud Platform

Complete the Panorama Virtual Appliance Setup

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

Perform Initial Configuration of an Air Gapped M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliance

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected

Activate/Retrieve a Firewall Management License on the M-Series Appliance

Install the Panorama Device Certificate

Install the Device Certificate for a Dedicated Log Collector

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Appliance

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Migrate from an M-100 Appliance to an M-500 Appliance

Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Administrators

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

Configure an Administrator with SSH Key-Based Authentication for the CLI

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrators

Configure SAML Authentication for Panorama Administrators

Configure Tracking of Administrator Activity

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panorama

Configure Authentication Using Custom Certificates on Managed Devices

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Manage Firewalls

Add a Firewall as a Managed Device

Install the Device Certificate for Managed Firewalls

Install the Device Certificate for a Managed Firewall

Install the Device Certificate for All Managed Firewalls Without a Device Certificate

Set Up Zero Touch Provisioning

ZTP Configuration Elements

Install the ZTP Plugin

Install the ZTP Plugin on Panorama

Register Panorama with the ZTP Service

Register Panorama with the ZTP Service for New Deployments

Register Panorama with the ZTP Service for Existing Deployments

Configure the ZTP Installer Administrator Account

Add ZTP Firewalls to Panorama

Add a ZTP Firewall to Panorama

Import Multiple ZTP Firewalls to Panorama

Use the CLI for ZTP Tasks

Uninstall the ZTP Plugin

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device Group

Push a Policy Rule to a Subset of Firewalls

Device Group Push to a Multi-VSYS Firewall

Manage the Rule Hierarchy

Manage Templates and Template Stacks

Template Capabilities and Exceptions

Configure a Template Stack

Configure a Template or Template Stack Variable

Import and Overwrite Existing Template Stack Variables

Override a Template or Template Stack Value

Override a Template Value on the Firewall

Override a Template Value Using a Template Stack

Override a Template or Template Stack Value Using Variables

Disable/Remove Template Settings

Manage the Master Key from Panorama

Schedule a Configuration Push to Managed Firewalls

Redistribute Data to Managed Firewalls

Transition a Firewall to Panorama Management

Plan the Transition to Panorama Management

Migrate a Firewall to Panorama Management and Reuse Existing Configuration

Migrate a Firewall to Panorama Management and Push a New Configuration

Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration

Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration

Load a Partial Firewall Configuration into Panorama

Localize a Panorama Pushed Configuration on a Managed Firewall

Device Monitoring on Panorama

Monitor Device Health

Monitor Policy Rule Usage

Use Case: Configure Firewalls Using Panorama

Device Groups in this Use Case

Templates in this Use Case

Set Up Your Centralized Configuration and Policies

Add the Managed Firewalls and Deploy Updates

Use Templates to Administer a Base Configuration

Use Device Groups to Push Policy Rules

Preview the Rules and Commit Changes

Manage Log Collection

Configure a Managed Collector

Configure Authentication for a Dedicated Log Collector

Configure an Administrative Account for a Dedicated Log Collector

Configure RADIUS Authentication for a Dedicated Log Collector

Configure TACACS+ Authentication for a Dedicated Log Collector

Configure LDAP Authentication for a Dedicated Log Collector

Manage Collector Groups

Configure a Collector Group

Configure Authentication with Custom Certificates Between Log Collectors

Move a Log Collector to a Different Collector Group

Remove a Firewall from a Collector Group

Configure Log Forwarding to Panorama

Configure Syslog Forwarding to External Destinations

Forward Logs to Strata Logging Service

Verify Log Forwarding to Panorama

Modify Log Forwarding and Buffering Defaults

Configure Log Forwarding from Panorama to External Destinations

Log Collection Deployments

Deploy Panorama with Dedicated Log Collectors

Deploy Panorama M-Series Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Manage WildFire Appliances

Add Standalone WildFire Appliances to Manage with Panorama

Configure Basic WildFire Appliance Settings on Panorama

Configure Authentication for a WildFire Appliance

Configure An Administrative Account for a WildFire Appliance

Configure RADIUS Authentication for a WildFire Appliance

Configure TACACS+ Authentication for a WildFire Appliance

Configure LDAP Authentication for a WildFire Appliance

Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Configure Authentication with a Single Custom Certificate for a WildFire Cluster

Apply Custom Certificates on a WildFire Appliance Configured through Panorama

Remove a WildFire Appliance from Panorama Management

Manage WildFire Clusters

Configure a Cluster Centrally on Panorama

Configure a Cluster and Add Nodes on Panorama

Configure General Cluster Settings on Panorama

Configure Authentication for a WildFire Cluster

Configure an Administrative Account for a WildFire Cluster

Configure RADIUS Authentication for a WildFire Cluster

Configure TACACS+ Authentication for a WildFire Cluster

Configure LDAP Authentication for a WildFire Cluster

Remove a Cluster from Panorama Management

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

View WildFire Cluster Status Using Panorama

Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

Monitor Network Activity

Use Panorama for Visibility

Monitor the Network with the ACC and AppScope

Analyze Log Data

Generate, Schedule, and Email Reports

Configure Key Limits for Scheduled Reports

Ingest Traps ESM Logs on Panorama

Use Case: Monitor Applications Using Panorama

Use Case: Respond to an Incident Using Panorama

Incident Notification

Review the Widgets in the ACC

Review Threat Logs

Review WildFire Logs

Review Data Filtering Logs

Update Security Rules

Panorama High Availability

Panorama HA Prerequisites

Priority and Failover on Panorama in HA

Failover Triggers

HA Heartbeat Polling and Hello Messages

HA Path Monitoring

Logging Considerations in Panorama HA

Logging Failover on a Panorama Virtual Appliance in Legacy Mode

Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Synchronization Between Panorama HA Peers

Manage a Panorama HA Pair

Set Up HA on Panorama

Set Up Authentication Using Custom Certificates Between HA Peers

Test Panorama HA Failover

Switch Priority after Panorama Failover to Resume NFS Logging

Restore the Primary Panorama to the Active State

Administer Panorama

Preview, Validate, or Commit Configuration Changes

Enable Automated Commit Recovery

Manage Panorama and Firewall Configuration Backups

Schedule Export of Configuration Files

Save and Export Panorama and Firewall Configurations

Revert Panorama Configuration Changes

Configure the Maximum Number of Configuration Backups on Panorama

Load a Configuration Backup on a Managed Firewall

Compare Changes in Panorama Configurations

Manage Locks for Restricting Configuration Changes

Add Custom Logos to Panorama

Use the Panorama Task Manager

Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

Log and Report Expiration Periods

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure the Run Time for Panorama Reports

Monitor Panorama

Panorama System and Configuration Logs

Monitor Panorama and Log Collector Statistics Using SNMP

Reboot or Shut Down Panorama

Configure Panorama Password Profiles and Complexity

Panorama Plugins

About Panorama Plugins

Install Panorama Plugins

VM-Series Plugin and Panorama Plugins

Install the VM-Series Plugin on Panorama

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Troubleshooting

Troubleshoot Panorama System Issues

Generate Diagnostic Files for Panorama

Diagnose Panorama Suspended State

Monitor the File System Integrity Check

Manage Panorama Storage for Software and Content Updates

Recover from Split Brain in Panorama HA Deployments

Troubleshoot Log Storage and Connection Issues

Verify Panorama Port Usage

Resolve Zero Log Storage for a Collector Group

Replace a Failed Disk on an M-Series Appliance

Replace the Virtual Disk on an ESXi Server

Replace the Virtual Disk on vCloud Air

Migrate Logs to a New M-Series Appliance in Log Collector Mode

Migrate Logs to a New M-Series Appliance in Panorama Mode

Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

Regenerate Metadata for M-Series Appliance RAID Pairs

View Log Query Jobs

Replace an RMA Firewall

Partial Device State Generation for Firewalls

Before Starting RMA Firewall Replacement

Restore the Firewall Configuration after Replacement

Troubleshoot Commit Failures

Triage Commit Issues on Panorama

Troubleshoot Template or Device Group Push Failures

Troubleshoot Panorama Push Failure Due to Pending Local Firewall Changes

Troubleshoot Registration or Serial Number Errors

Troubleshoot Reporting Errors

Troubleshoot Device Management License Errors

Troubleshoot Automatically Reverted Firewall Configurations

View Task Success or Failure Status

Test Policy Match and Connectivity for Managed Devices

Troubleshoot Policy Rule Traffic Match

Troubleshoot Connectivity to Network Resources

Generate a Stats Dump File for a Managed Firewall

Recover Managed Device Connectivity to Panorama

Restore an Expired Device Certificate

Panorama Administrator's Guide

Panorama Overview

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Total Configuration Size for Panorama

Templates and Template Stacks

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

User-ID Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Set Up Panorama on Oracle Cloud Infrastructure (OCI)

Upload the Panorama Virtual Appliance Image to OCI

Install Panorama on Oracle Cloud Infrastructure (OCI)

Generate a SSH Key for Panorama on OCI

Set Up Panorama on Alibaba Cloud

Upload the Panorama Virtual Appliance Image to Alibaba Cloud

Install Panorama on Alibaba Cloud

Perform Initial Configuration of the Panorama Virtual Appli...

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collec...

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virt...

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Mount the Panorama ESXi Server to an NFS Datastore

Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure

Add a Virtual Disk to Panorama on Alibaba Cloud

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platf...

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Increase CPUs and Memory for Panorama on Oracle Cloud Infrastructure

Increase CPUs and Memory for Panorama on Alibaba Cloud

Increase the System Disk on the Panorama Virtual Appliance

Increase the System Disk for Panorama on an ESXi Server

Increase the System Disk for Panorama on Google Cloud Platform

Complete the Panorama Virtual Appliance Setup

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliance

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Pa...

Activate/Retrieve a Firewall Management License when the Pa...

Activate/Retrieve a Firewall Management License on the M-Se...

Install Content and Software Updates for Panorama

Panorama, Log Collector, Firewall, and WildFire Version Com...

Install Updates for Panorama in an HA Configuration

Install Updates for Panorama with an Internet Connection

Install Updates for Panorama When Not Internet-Connected

Install Updates Automatically for Panorama without an Internet Connection

Migrate Panorama Logs to the New Log Format

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Ap...

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Ap...

Migrate from an M-100 Appliance to an M-500 Appliance

Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Adm...

Configure a Panorama Administrator with Certificate-Based A...

Configure an Administrator with SSH Key-Based Authenticatio...

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrator...

Configure SAML Authentication for Panorama Administrators

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panor...

Configure Authentication Using Custom Certificates on Manag...

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Install the Panorama Device Certificate

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-600 and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Deploy Panorama for Increased Device Management

Install Panorama for Increased Device Management Capacity

Upgrade Panorama for Increased Device Management Capacity

Manage Firewalls

Add a Firewall as a Managed Device

Set Up Zero Touch Provisioning

ZTP Configuration Elements

Install the ZTP Plugin

Install the Panorama Certificate from the CSP

Install the ZTP Plugin on Panorama

Register Panorama with the ZTP Service

Register Panorama with the ZTP Service for New Deployments

Register Panorama with the ZTP Service for Existing Deployments

Configure the ZTP Installer Administrator Account

Add a ZTP Firewall to Panorama

Add ZTP Firewalls to Panorama

Add a ZTP Firewall to Panorama

Import Multiple ZTP Firewalls to Panorama

Use the CLI for ZTP Tasks

Uninstall the ZTP Plugin

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device...

Push a Policy Rule to a Subset of Firewalls

Manage the Rule Hierarchy

Manage Templates and Template Stacks

Template Capabilities and Exceptions

Configure a Template Stack

Configure a Template or Template Stack Variable

Import and Overwrite Existing Template Stack Variables

Override a Template Setting

Override a Template Setting on the Firewall

Override a Template Setting Using Template Stack Variables

Override a Template Stack Setting Using Variables

Disable/Remove Template Settings

Manage the Master Key from Panorama

Redistribute User-ID Information to Managed Firewalls

Transition a Firewall to Panorama Management

Plan the Transition to Panorama Management

Migrate a Firewall to Panorama Management

Migrate a Firewall HA Pair to Panorama Management

Load a Partial Firewall Configuration into Panorama

Localize a Panorama Pushed Configuration on a Managed Firewall

Device Monitoring on Panorama

Monitor Device Health

Monitor Policy Rule Usage

Use Case: Configure Firewalls Using Panorama

Device Groups in this Use Case

Templates in this Use Case

Set Up Your Centralized Configuration and Policies

Add the Managed Firewalls and Deploy Updates

Use Templates to Administer a Base Configuration

Use Device Groups to Push Policy Rules

Preview the Rules and Commit Changes

Install the Device Certificate for Managed Firewalls

Install the Device Certificate for a Managed Firewall

Install the Device Certificate for Multiple Managed Firewalls

Manage Log Collection

Configure a Managed Collector

Configure Authentication for a Dedicated Log Collector

Configure an Administrative Account for a Dedicated Log Collector

Configure RADIUS Authentication for a Dedicated Log Collector

Configure TACACS+ Authentication for a Dedicated Log Collector

Configure LDAP Authentication for a Dedicated Log Collector

Configure RADIUS Authentication for a Dedicated Log Collector

Manage Collector Groups

Configure a Collector Group

Configure Authentication with Custom Certificates Between L...

Move a Log Collector to a Different Collector Group

Remove a Firewall from a Collector Group

Configure Log Forwarding to Panorama

Configure Syslog Forwarding to External Destinations

Verify Log Forwarding to Panorama

Modify Log Forwarding and Buffering Defaults

Configure Log Forwarding from Panorama to External Destinat...

Log Collection Deployments

Deploy Panorama with Dedicated Log Collectors

Deploy Panorama M-Series Appliances with Local Log Collecto...

Deploy Panorama Virtual Appliances with Local Log Collector...

Deploy Panorama Virtual Appliances in Legacy Mode with Loca...

Forward Logs to Cortex Data Lake

Manage WildFire Appliances

Add Standalone WildFire Appliances to Manage with Panorama

Configure Basic WildFire Appliance Settings on Panorama

Configure Authentication for a WildFire Appliance

Configure An Administrative Account for a WildFire Appliance

Configure RADIUS Authentication for a WildFire Appliance

Configure TACACS+ Authentication for a WildFire Appliance

Configure LDAP Authentication for a WildFire Appliance

Set Up Authentication Using Custom Certificate on the WildF...

Configure Custom Certificates for the WildFire Appliance wi...

Configure Authentication with a Single Custom Certificate o...

Configure Custom Certificates for WildFire Appliance as a C...

Remove a WildFire Appliance from Panorama Management

Manage WildFire Clusters

Configure a Cluster Centrally on Panorama

Configure a Cluster and Add Nodes on Panorama

Configure General Cluster Settings on Panorama

Configure Authentication for a WildFire Cluster

Configure an Administrative Account for a WildFire Cluster

Configure RADIUS Authentication for a WildFire Cluster

Configure TACACS+ Authentication for a WildFire Cluster

Configure LDAP Authentication for a WildFire Cluster

Remove a Cluster from Panorama Management

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

View WildFire Cluster Status Using Panorama

Upgrade a Cluster Centrally on Panorama with an Internet Co...

Upgrade a Cluster Centrally on Panorama without an Internet...

Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

Supported Updates

Schedule a Content Update Using Panorama

Upgrade Log Collectors When Panorama Is Internet-Connected

Upgrade Log Collectors When Panorama Is Not Internet-Connec...

Upgrade Firewalls When Panorama is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Revert Content Updates from Panorama

Monitor Network Activity

Use Panorama for Visibility

Monitor the Network with the ACC and AppScope

Analyze Log Data

Generate, Schedule, and Email Reports

Configure Key Limits for Scheduled Reports

Ingest Traps ESM Logs on Panorama

Use Case: Monitor Applications Using Panorama

Use Case: Respond to an Incident Using Panorama

Incident Notification

Review the Widgets in the ACC

Review Threat Logs

Review WildFire Logs

Review Data Filtering Logs

Update Security Rules

Panorama High Availability

Panorama HA Prerequisites

Priority and Failover on Panorama in HA

Failover Triggers

HA Heartbeat Polling and Hello Messages

HA Path Monitoring

Logging Considerations in Panorama HA

Logging Failover on a Panorama Virtual Appliance in Legacy Mode

Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Synchronization Between Panorama HA Peers

Manage a Panorama HA Pair

Set Up HA on Panorama

Set Up Authentication Using Custom Certificates Between HA Peers

Test Panorama HA Failover

Switch Priority after Panorama Failover to Resume NFS Logging

Restore the Primary Panorama to the Active State

Administer Panorama

Preview, Validate, or Commit Configuration Changes

Enable Automated Commit Recovery

Manage Panorama and Firewall Configuration Backups

Schedule Export of Configuration Files

Save and Export Panorama and Firewall Configurations

Revert Panorama Configuration Changes

Configure the Maximum Number of Configuration Backups on Panorama

Load a Configuration Backup on a Managed Firewall

Compare Changes in Panorama Configurations

Manage Locks for Restricting Configuration Changes

Add Custom Logos to Panorama

Use the Panorama Task Manager

Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

Log and Report Expiration Periods

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure the Run Time for Panorama Reports

Monitor Panorama

Panorama System and Configuration Logs

Monitor Panorama and Log Collector Statistics Using SNMP

Reboot or Shut Down Panorama

Configure Panorama Password Profiles and Complexity

Panorama Plugins

About Panorama Plugins

Install Panorama Plugins

VM-Series Plugin and Panorama Plugins

Install the VM-Series Plugin on Panorama

Troubleshooting

Troubleshoot Panorama System Issues

Generate Diagnostic Files for Panorama

Diagnose Panorama Suspended State

Monitor the File System Integrity Check

Manage Panorama Storage for Software and Content Updates

Recover from Split Brain in Panorama HA Deployments

Troubleshoot Log Storage and Connection Issues

Verify Panorama Port Usage

Resolve Zero Log Storage for a Collector Group

Replace a Failed Disk on an M-Series Appliance

Replace the Virtual Disk on an ESXi Server

Replace the Virtual Disk on vCloud Air

Migrate Logs to a New M-Series Appliance in Log Collector M...

Migrate Logs to a New M-Series Appliance in Panorama Mode

Migrate Logs to a New M-Series Appliance Model in Panorama ...

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

Regenerate Metadata for M-Series Appliance RAID Pairs

View Log Query Jobs

Replace an RMA Firewall

Partial Device State Generation for Firewalls

Before Starting RMA Firewall Replacement

Restore the Firewall Configuration after Replacement

Troubleshoot Commit Failures

Troubleshoot Registration or Serial Number Errors

Troubleshoot Reporting Errors

Troubleshoot Device Management License Errors

Troubleshoot Automatically Reverted Firewall Configurations

Complete Content Update When Panorama HA Peer is Down

View Task Success or Failure Status

Test Policy Match and Connectivity for Managed Devices

Troubleshoot Policy Rule Traffic Matches

Troubleshoot Connectivity to Network Resources

Downgrade from Panorama 10.0

Panorama Administrator's Guide

Panorama Overview

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Templates and Template Stacks

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

User-ID Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Perform Initial Configuration of the Panorama Virtual Appli...

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collec...

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virt...

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Mount the Panorama ESXi Server to an NFS Datastore

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platf...

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Complete the Panorama Virtual Appliance Setup

Increase the System Disk on the Panorama Virtual Appliance

Increase the System Disk for Panorama on an ESXi Server

Increase the System Disk for Panorama on Google Cloud Platform

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliance

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Perform Initial Configuration for an Air Gapped M-Series Appliance

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Pa...

Activate/Retrieve a Firewall Management License when the Pa...

Activate/Retrieve a Firewall Management License on the M-Se...

Install Content and Software Updates for Panorama

Panorama, Log Collector, Firewall, and WildFire Version Com...

Install Updates for Panorama in an HA Configuration

Install Updates for Panorama with an Internet Connection

Install Updates for Panorama When Not Internet-Connected

Migrate Panorama Logs to the New Log Format

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Ap...

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Ap...

Migrate from an M-100 Appliance to an M-500 Appliance

Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Adm...

Configure a Panorama Administrator with Certificate-Based A...

Configure an Administrator with SSH Key-Based Authenticatio...

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrator...

Configure SAML Authentication for Panorama Administrators

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panor...

Configure Authentication Using Custom Certificates on Manag...

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Install the Panorama Device Certificate

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-600 and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Deploy Panorama for Increased Device Management

Install Panorama for Increased Device Management Capacity

Upgrade Panorama for Increased Device Management Capacity

Manage Firewalls

Add a Firewall as a Managed Device

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device...

Push a Policy Rule to a Subset of Firewalls

Manage the Rule Hierarchy

Manage Templates and Template Stacks

Template Capabilities and Exceptions

Configure a Template Stack

Configure a Template or Template Stack Variable

Import and Overwrite Existing Template Stack Variables

Override a Template Setting

Override a Template Setting on the Firewall

Override a Template Setting Using Template Stack Variables

Override a Template Stack Setting Using Variables

Disable/Remove Template Settings

Manage the Master Key from Panorama

Redistribute User-ID Information to Managed Firewalls

Transition a Firewall to Panorama Management

Plan the Transition to Panorama Management

Migrate a Firewall to Panorama Management

Migrate a Firewall HA Pair to Panorama Management

Load a Partial Firewall Configuration into Panorama

Localize a Panorama Pushed Configuration on a Managed Firewall

Migrate a Firewall to Panorama Management and Push a New Configuration

Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration

Device Monitoring on Panorama

Monitor Device Health

Monitor Policy Rule Usage

Use Case: Configure Firewalls Using Panorama

Device Groups in this Use Case

Templates in this Use Case

Set Up Your Centralized Configuration and Policies

Add the Managed Firewalls and Deploy Updates

Use Templates to Administer a Base Configuration

Use Device Groups to Push Policy Rules

Preview the Rules and Commit Changes

Set Up Zero Touch Provisioning

ZTP Configuration Elements

Install the ZTP Plugin

Install the ZTP Plugin on Panorama

Register Panorama with the ZTP Service

Register Panorama with the ZTP Service for New Deployments

Register Panorama with the ZTP Service for Existing Deployments

Configure the ZTP Installer Administrator Account

Add ZTP Firewalls to Panorama

Add a ZTP Firewall to Panorama

Import Multiple ZTP Firewalls to Panorama

Use the CLI for ZTP Tasks

Uninstall the ZTP Plugin

Install the Device Certificate for Managed Firewalls

Install the Device Certificate for a Managed Firewall

Install the Device Certificate for Multiple Managed Firewalls

Manage Log Collection

Configure a Managed Collector

Manage Collector Groups

Configure a Collector Group

Configure Authentication with Custom Certificates Between L...

Move a Log Collector to a Different Collector Group

Remove a Firewall from a Collector Group

Configure Log Forwarding to Panorama

Verify Log Forwarding to Panorama

Modify Log Forwarding and Buffering Defaults

Configure Log Forwarding from Panorama to External Destinat...

Log Collection Deployments

Deploy Panorama with Dedicated Log Collectors

Deploy Panorama M-Series Appliances with Local Log Collecto...

Deploy Panorama Virtual Appliances with Local Log Collector...

Deploy Panorama Virtual Appliances in Legacy Mode with Loca...

Forward Logs to Cortex Data Lake

Manage WildFire Appliances

Add Standalone WildFire Appliances to Manage with Panorama

Configure Basic WildFire Appliance Settings on Panorama

Set Up Authentication Using Custom Certificate on the WildF...

Configure Custom Certificates for the WildFire Appliance wi...

Configure Authentication with a Single Custom Certificate o...

Configure Custom Certificates for WildFire Appliance as a C...

Remove a WildFire Appliance from Panorama Management

Manage WildFire Clusters

Configure a Cluster Centrally on Panorama

Configure a Cluster and Add Nodes on Panorama

Configure General Cluster Settings on Panorama

Remove a Cluster from Panorama Management

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

View WildFire Cluster Status Using Panorama

Upgrade a Cluster Centrally on Panorama with an Internet Co...

Upgrade a Cluster Centrally on Panorama without an Internet...

Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

Supported Updates

Schedule a Content Update Using Panorama

Upgrade Log Collectors When Panorama Is Internet-Connected

Upgrade Log Collectors When Panorama Is Not Internet-Connec...

Upgrade Firewalls When Panorama is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Revert Content Updates from Panorama

Upgrade a ZTP Firewall

Monitor Network Activity

Use Panorama for Visibility

Monitor the Network with the ACC and AppScope

Analyze Log Data

Generate, Schedule, and Email Reports

Ingest Traps ESM Logs on Panorama

Use Case: Monitor Applications Using Panorama

Use Case: Respond to an Incident Using Panorama

Incident Notification

Review the Widgets in the ACC

Review Threat Logs

Review WildFire Logs

Review Data Filtering Logs

Update Security Rules

Panorama High Availability

Panorama HA Prerequisites

Priority and Failover on Panorama in HA

Failover Triggers

HA Heartbeat Polling and Hello Messages

HA Path Monitoring

Logging Considerations in Panorama HA

Logging Failover on a Panorama Virtual Appliance in Legacy Mode

Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Synchronization Between Panorama HA Peers

Manage a Panorama HA Pair

Set Up HA on Panorama

Set Up Authentication Using Custom Certificates Between HA Peers

Test Panorama HA Failover

Switch Priority after Panorama Failover to Resume NFS Logging

Restore the Primary Panorama to the Active State

Administer Panorama

Preview, Validate, or Commit Configuration Changes

Enable Automated Commit Recovery

Manage Panorama and Firewall Configuration Backups

Schedule Export of Configuration Files

Save and Export Panorama and Firewall Configurations

Revert Panorama Configuration Changes

Configure the Maximum Number of Configuration Backups on Panorama

Load a Configuration Backup on a Managed Firewall

Compare Changes in Panorama Configurations

Manage Locks for Restricting Configuration Changes

Add Custom Logos to Panorama

Use the Panorama Task Manager

Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

Log and Report Expiration Periods

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure the Run Time for Panorama Reports

Monitor Panorama

Panorama System and Configuration Logs

Monitor Panorama and Log Collector Statistics Using SNMP

Reboot or Shut Down Panorama

Configure Panorama Password Profiles and Complexity

Panorama Plugins

About Panorama Plugins

Install Panorama Plugins

VM-Series Plugin and Panorama Plugins

Install the VM-Series Plugin on Panorama

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Troubleshooting

Troubleshoot Panorama System Issues

Generate Diagnostic Files for Panorama

Diagnose Panorama Suspended State

Monitor the File System Integrity Check

Manage Panorama Storage for Software and Content Updates

Recover from Split Brain in Panorama HA Deployments

Troubleshoot Log Storage and Connection Issues

Verify Panorama Port Usage

Resolve Zero Log Storage for a Collector Group

Replace a Failed Disk on an M-Series Appliance

Replace the Virtual Disk on an ESXi Server

Replace the Virtual Disk on vCloud Air

Migrate Logs to a New M-Series Appliance in Log Collector M...

Migrate Logs to a New M-Series Appliance in Panorama Mode

Migrate Logs to a New M-Series Appliance Model in Panorama ...

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

Regenerate Metadata for M-Series Appliance RAID Pairs

Replace an RMA Firewall

Partial Device State Generation for Firewalls

Before Starting RMA Firewall Replacement

Restore the Firewall Configuration after Replacement

Troubleshoot Commit Failures

Triage Commit Issues on Panorama

Troubleshoot Template or Device Group Push Failures

Troubleshoot Panorama Push Failure Due to Pending Local Firewall Changes

Troubleshoot Registration or Serial Number Errors

Troubleshoot Reporting Errors

Troubleshoot Device Management License Errors

Troubleshoot Automatically Reverted Firewall Configurations

Complete Content Update When Panorama HA Peer is Down

View Task Success or Failure Status

Test Policy Match and Connectivity for Managed Devices

Troubleshoot Policy Rule Traffic Matches

Troubleshoot Connectivity to Network Resources

Downgrade from Panorama 9.0

Restore an Expired Device Certificate

Panorama Interconnect

Panorama Interconnect Administrator’s Guide

Panorama Interconnect Overview

About Panorama Interconnect

Plan Your Panorama Interconnect Deployment

System Requirements for Panorama Interconnect

Certificate Requirements for Panorama Interconnect

Set Up Panorama Interconnect

Obtain the CA Certificate for the Panorama Controller

Generate the Panorama Node Certificate

Create a Certificate Profile for Authenticating Panorama Nodes

Set Up the Panorama Interconnect Plugin

Synchronize Panorama Interconnect

Push the Common Panorama Configuration to Panorama Nodes

Synchronize the Panorama Node with the Panorama Controller

Upgrade the Panorama Interconnect Plugin

Uninstall the Panorama Interconnect Plugin

View Panorama Interconnect Tasks

Manage Firewalls with Panorama Interconnect

Add a Firewall to a Panorama Node

Import Multiple Firewalls to a Panorama Node

Import Template Stack Variables

Manage the Master Key with Panorama Interconnect

Push the Panorama Node Configuration to Managed Firewalls

Panorama Interconnect Administrator’s Guide

Panorama Interconnect Overview

About Panorama Interconnect

Plan Your Panorama Interconnect Deployment

System Requirements for Panorama Interconnect

Certificate Requirements for Panorama Interconnect

Set Up Panorama Interconnect

Obtain the CA Certificate for the Panorama Controller

Generate the Panorama Node Certificate

Create a Certificate Profile for Authenticating Panorama Nodes

Set Up the Panorama Interconnect Plugin

Synchronize Panorama Interconnect

Push the Common Panorama Configuration to Panorama Nodes

Synchronize the Panorama Node with the Panorama Controller

Upgrade the Panorama Interconnect Plugin

Uninstall the Panorama Interconnect Plugin

Manage Firewalls with Panorama Interconnect

Add a Firewall to a Panorama Node

Import Multiple Firewalls to a Panorama Node

Import Template Stack Variables

Manage the Master Key with Panorama Interconnect

Push the Panorama Node Configuration to Managed Firewalls

Panorama Interconnect Administrator’s Guide

Panorama Interconnect Overview

About Panorama Interconnect

Plan Your Panorama Interconnect Deployment

System Requirements for Panorama Interconnect

Certificate Requirements for Panorama Interconnect

Set Up Panorama Interconnect

Obtain the CA Certificate for the Panorama Controller

Generate the Panorama Node Certificate

Create a Certificate Profile for Authenticating Panorama Nodes

Set Up the Panorama Interconnect Plugin

Synchronize Panorama Interconnect

Push the Common Panorama Configuration to Panorama Nodes

Synchronize the Panorama Node with the Panorama Controller

View Panorama Interconnect Tasks

Upgrade the Panorama Interconnect Plugin

Uninstall the Panorama Interconnect Plugin

Manage Firewalls with Panorama Interconnect

Add a Firewall to a Panorama Node

Import Multiple Firewalls to a Panorama Node

Import Template Stack Variables

Manage the Master Key with Panorama Interconnect

Push the Panorama Node Configuration to Managed Firewalls

Panorama Administrator's Guide

Panorama Overview

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Total Configuration Size for Panorama

Templates and Template Stacks

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

Data Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-Series and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Install Panorama for Increased Device Management Capacity

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Set Up Panorama on Alibaba Cloud

Upload the Panorama Virtual Appliance Image to Alibaba Cloud

Install Panorama on Alibaba Cloud

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Set Up Panorama on Oracle Cloud Infrastructure (OCI)

Upload the Panorama Virtual Appliance Image to OCI

Install Panorama on Oracle Cloud Infrastructure (OCI)

Generate a SSH Key for Panorama on OCI

Perform Initial Configuration of the Panorama Virtual Appliance

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collector

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on Alibaba Cloud

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)

Mount the Panorama ESXi Server to an NFS Datastore

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on Alibaba Cloud

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platform

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)

Increase the System Disk on the Panorama Virtual Appliance

Increase the System Disk for Panorama on an ESXi Server

Increase the System Disk for Panorama on Google Cloud Platform

Complete the Panorama Virtual Appliance Setup

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

Perform Initial Configuration of an Air Gapped M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliance

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected

Activate/Retrieve a Firewall Management License on the M-Series Appliance

Install the Panorama Device Certificate

Install the Device Certificate for a Dedicated Log Collector

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Appliance

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Migrate from an M-500 Appliance to an M-700 Appliance

Migrate from an M-600 Appliance to an M-700 Appliance

Migrate from an M-100 Appliance to an M-500 Appliance

Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Admin Role Profile for Selective Push to Managed Firewalls

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Administrators

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

Configure an Administrator with SSH Key-Based Authentication for the CLI

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrators

Configure SAML Authentication for Panorama Administrators

Configure Tracking of Administrator Activity

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panorama

Configure Authentication Using Custom Certificates on Managed Devices

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Manage Firewalls

Add a Firewall as a Managed Device

Install the Device Certificate for Managed Firewalls

Install the Device Certificate for a Managed Firewall

Install the Device Certificate for All Managed Firewalls Without a Device Certificate

Set Up Zero Touch Provisioning

ZTP Configuration Elements

Install the ZTP Plugin

Install the ZTP Plugin on Panorama

Register Panorama with the ZTP Service

Register Panorama with the ZTP Service for New Deployments

Register Panorama with the ZTP Service for Existing Deployments

Configure the ZTP Installer Administrator Account

Add ZTP Firewalls to Panorama

Add a ZTP Firewall to Panorama

Import Multiple ZTP Firewalls to Panorama

Use the CLI for ZTP Tasks

Uninstall the ZTP Plugin

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device Group

Push a Policy Rule to a Subset of Firewalls

Device Group Push to a Multi-VSYS Firewall

Manage the Rule Hierarchy

Manage Templates and Template Stacks

Template Capabilities and Exceptions

Configure a Template Stack

Configure a Template or Template Stack Variable

Import and Overwrite Existing Template Stack Variables

Override a Template or Template Stack Value

Override a Template Value on the Firewall

Override a Template Value Using a Template Stack

Override a Template or Template Stack Value Using Variables

Disable/Remove Template Settings

Manage the Master Key from Panorama

Schedule a Configuration Push to Managed Firewalls

Redistribute Data to Managed Firewalls

Transition a Firewall to Panorama Management

Plan the Transition to Panorama Management

Migrate a Firewall to Panorama Management and Reuse Existing Configuration

Migrate a Firewall to Panorama Management and Push a New Configuration

Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration

Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration

Load a Partial Firewall Configuration into Panorama

Localize a Panorama Pushed Configuration on a Managed Firewall

Device Monitoring on Panorama

Monitor Device Health

Monitor Policy Rule Usage

Use Case: Configure Firewalls Using Panorama

Device Groups in this Use Case

Templates in this Use Case

Set Up Your Centralized Configuration and Policies

Add the Managed Firewalls and Deploy Updates

Use Templates to Administer a Base Configuration

Use Device Groups to Push Policy Rules

Preview the Rules and Commit Changes

Manage Log Collection

Configure a Managed Collector

Monitor Managed Collector Health Status

Configure Authentication for a Dedicated Log Collector

Configure an Administrative Account for a Dedicated Log Collector

Configure RADIUS Authentication for a Dedicated Log Collector

Configure TACACS+ Authentication for a Dedicated Log Collector

Configure LDAP Authentication for a Dedicated Log Collector

Manage Collector Groups

Configure a Collector Group

Configure Authentication with Custom Certificates Between Log Collectors

Move a Log Collector to a Different Collector Group

Remove a Firewall from a Collector Group

Configure Log Forwarding to Panorama

Configure Syslog Forwarding to External Destinations

Forward Logs to Strata Logging Service

Verify Log Forwarding to Panorama

Modify Log Forwarding and Buffering Defaults

Configure Log Forwarding from Panorama to External Destinations

Log Collection Deployments

Deploy Panorama with Dedicated Log Collectors

Deploy Panorama M-Series Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Manage WildFire Appliances

Add Standalone WildFire Appliances to Manage with Panorama

Configure Basic WildFire Appliance Settings on Panorama

Configure Authentication for a WildFire Appliance

Configure An Administrative Account for a WildFire Appliance

Configure RADIUS Authentication for a WildFire Appliance

Configure TACACS+ Authentication for a WildFire Appliance

Configure LDAP Authentication for a WildFire Appliance

Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Configure Authentication with a Single Custom Certificate for a WildFire Cluster

Apply Custom Certificates on a WildFire Appliance Configured through Panorama

Remove a WildFire Appliance from Panorama Management

Manage WildFire Clusters

Configure a Cluster Centrally on Panorama

Configure a Cluster and Add Nodes on Panorama

Configure General Cluster Settings on Panorama

Configure Authentication for a WildFire Cluster

Configure an Administrative Account for a WildFire Cluster

Configure RADIUS Authentication for a WildFire Cluster

Configure TACACS+ Authentication for a WildFire Cluster

Configure LDAP Authentication for a WildFire Cluster

Remove a Cluster from Panorama Management

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

View WildFire Cluster Status Using Panorama

Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

Monitor Network Activity

Use Panorama for Visibility

Monitor the Network with the ACC and AppScope

Analyze Log Data

Generate, Schedule, and Email Reports

Configure Key Limits for Scheduled Reports

Ingest Traps ESM Logs on Panorama

Use Case: Monitor Applications Using Panorama

Use Case: Respond to an Incident Using Panorama

Incident Notification

Review the Widgets in the ACC

Review Threat Logs

Review WildFire Logs

Review Data Filtering Logs

Update Security Rules

Panorama High Availability

Panorama HA Prerequisites

Priority and Failover on Panorama in HA

Failover Triggers

HA Heartbeat Polling and Hello Messages

HA Path Monitoring

Logging Considerations in Panorama HA

Logging Failover on a Panorama Virtual Appliance in Legacy Mode

Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Synchronization Between Panorama HA Peers

Manage a Panorama HA Pair

Set Up HA on Panorama

Set Up Authentication Using Custom Certificates Between HA Peers

Test Panorama HA Failover

Switch Priority after Panorama Failover to Resume NFS Logging

Restore the Primary Panorama to the Active State

Administer Panorama

Preview, Validate, or Commit Configuration Changes

Commit Selective Configuration Changes for Managed Devices

Push Selective Configuration Changes to Managed Devices

Enable Automated Commit Recovery

Manage Panorama and Firewall Configuration Backups

Schedule Export of Configuration Files

Save and Export Panorama and Firewall Configurations

Revert Panorama Configuration Changes

Configure the Maximum Number of Configuration Backups on Panorama

Load a Configuration Backup on a Managed Firewall

Compare Changes in Panorama Configurations

Manage Locks for Restricting Configuration Changes

Add Custom Logos to Panorama

Use the Panorama Task Manager

Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

Log and Report Expiration Periods

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure the Run Time for Panorama Reports

Monitor Panorama

Panorama System and Configuration Logs

Monitor Panorama and Log Collector Statistics Using SNMP

Reboot or Shut Down Panorama

Configure Panorama Password Profiles and Complexity

Panorama Plugins

About Panorama Plugins

Install Panorama Plugins

VM-Series Plugin and Panorama Plugins

Install the VM-Series Plugin on Panorama

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Troubleshooting

Troubleshoot Panorama System Issues

Generate Diagnostic Files for Panorama

Diagnose Panorama Suspended State

Monitor the File System Integrity Check

Manage Panorama Storage for Software and Content Updates

Recover from Split Brain in Panorama HA Deployments

Troubleshoot Log Storage and Connection Issues

Verify Panorama Port Usage

Resolve Zero Log Storage for a Collector Group

Replace a Failed Disk on an M-Series Appliance

Replace the Virtual Disk on an ESXi Server

Replace the Virtual Disk on vCloud Air

Migrate Logs to a New M-Series Appliance in Log Collector Mode

Migrate Logs to a New M-Series Appliance in Panorama Mode

Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

Regenerate Metadata for M-Series Appliance RAID Pairs

View Log Query Jobs

Replace an RMA Firewall

Partial Device State Generation for Firewalls

Before Starting RMA Firewall Replacement

Restore the Firewall Configuration after Replacement

Troubleshoot Commit Failures

Triage Commit Issues on Panorama

Troubleshoot Template or Device Group Push Failures

Troubleshoot Panorama Push Failure Due to Pending Local Firewall Changes

Troubleshoot Registration or Serial Number Errors

Troubleshoot Reporting Errors

Troubleshoot Device Management License Errors

Troubleshoot Automatically Reverted Firewall Configurations

View Task Success or Failure Status

Test Policy Match and Connectivity for Managed Devices

Troubleshoot Policy Rule Traffic Match

Troubleshoot Connectivity to Network Resources

Generate a Stats Dump File for a Managed Firewall

Recover Managed Device Connectivity to Panorama

Restore an Expired Device Certificate

Panorama Administrator's Guide

Panorama Overview

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Total Configuration Size for Panorama

Templates and Template Stacks

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

Data Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-Series and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Install Panorama for Increased Device Management Capacity

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Set Up Panorama on Alibaba Cloud

Upload the Panorama Virtual Appliance Image to Alibaba Cloud

Install Panorama on Alibaba Cloud

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Set Up Panorama on Oracle Cloud Infrastructure (OCI)

Upload the Panorama Virtual Appliance Image to OCI

Install Panorama on Oracle Cloud Infrastructure (OCI)

Generate a SSH Key for Panorama on OCI

Perform Initial Configuration of the Panorama Virtual Appliance

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collector

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on Alibaba Cloud

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)

Mount the Panorama ESXi Server to an NFS Datastore

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on Alibaba Cloud

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platform

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)

Increase the System Disk on the Panorama Virtual Appliance

Increase the System Disk for Panorama on an ESXi Server

Increase the System Disk for Panorama on Google Cloud Platform

Complete the Panorama Virtual Appliance Setup

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

Perform Initial Configuration of an Air Gapped M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliance

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected

Activate/Retrieve a Firewall Management License on the M-Series Appliance

Install the Panorama Device Certificate

Install the Device Certificate for a Dedicated Log Collector

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Appliance

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Migrate from an M-500 Appliance to an M-700 Appliance

Migrate from an M-600 Appliance to an M-700 Appliance

Migrate from an M-100 Appliance to an M-500 Appliance

Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Admin Role Profile for Selective Push to Managed Firewalls

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Administrators

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

Configure an Administrator with SSH Key-Based Authentication for the CLI

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrators

Configure SAML Authentication for Panorama Administrators

Configure Tracking of Administrator Activity

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panorama

Configure Authentication Using Custom Certificates on Managed Devices

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Manage Firewalls

Add a Firewall as a Managed Device

Install the Device Certificate for Managed Firewalls

Install the Device Certificate for a Managed Firewall

Install the Device Certificate for All Managed Firewalls Without a Device Certificate

Change Between Panorama Management and Cloud Management

Set Up Zero Touch Provisioning

ZTP Configuration Elements

Install the ZTP Plugin

Install the ZTP Plugin on Panorama

Register Panorama with the ZTP Service

Register Panorama with the ZTP Service for New Deployments

Register Panorama with the ZTP Service for Existing Deployments

Configure the ZTP Installer Administrator Account

Add ZTP Firewalls to Panorama

Add a ZTP Firewall to Panorama

Import Multiple ZTP Firewalls to Panorama

Use the CLI for ZTP Tasks

Uninstall the ZTP Plugin

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device Group

Push a Policy Rule to a Subset of Firewalls

Device Group Push to a Multi-VSYS Firewall

Manage the Rule Hierarchy

Manage Templates and Template Stacks

Template Capabilities and Exceptions

Configure a Template Stack

Configure a Template or Template Stack Variable

Import and Overwrite Existing Template Stack Variables

Override a Template or Template Stack Value

Override a Template Value on the Firewall

Override a Template Value Using a Template Stack

Override a Template or Template Stack Value Using Variables

Disable/Remove Template Settings

Manage the Master Key from Panorama

Schedule a Configuration Push to Managed Firewalls

Redistribute Data to Managed Firewalls

Transition a Firewall to Panorama Management

Plan the Transition to Panorama Management

Migrate a Firewall to Panorama Management and Reuse Existing Configuration

Migrate a Firewall to Panorama Management and Push a New Configuration

Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration

Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration

Load a Partial Firewall Configuration into Panorama

Localize a Panorama Pushed Configuration on a Managed Firewall

Device Monitoring on Panorama

Monitor Device Health

Monitor Policy Rule Usage

Use Case: Configure Firewalls Using Panorama

Device Groups in this Use Case

Templates in this Use Case

Set Up Your Centralized Configuration and Policies

Add the Managed Firewalls and Deploy Updates

Use Templates to Administer a Base Configuration

Use Device Groups to Push Policy Rules

Preview the Rules and Commit Changes

Manage Log Collection

Configure a Managed Collector

Monitor Managed Collector Health Status

Configure Authentication for a Dedicated Log Collector

Configure an Administrative Account for a Dedicated Log Collector

Configure RADIUS Authentication for a Dedicated Log Collector

Configure TACACS+ Authentication for a Dedicated Log Collector

Configure LDAP Authentication for a Dedicated Log Collector

Manage Collector Groups

Configure a Collector Group

Configure Authentication with Custom Certificates Between Log Collectors

Move a Log Collector to a Different Collector Group

Remove a Firewall from a Collector Group

Configure Log Forwarding to Panorama

Configure Syslog Forwarding to External Destinations

Forward Logs to Strata Logging Service

Verify Log Forwarding to Panorama

Modify Log Forwarding and Buffering Defaults

Configure Log Forwarding from Panorama to External Destinations

Log Collection Deployments

Deploy Panorama with Dedicated Log Collectors

Deploy Panorama M-Series Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Manage WildFire Appliances

Add Standalone WildFire Appliances to Manage with Panorama

Configure Basic WildFire Appliance Settings on Panorama

Configure Authentication for a WildFire Appliance

Configure An Administrative Account for a WildFire Appliance

Configure RADIUS Authentication for a WildFire Appliance

Configure TACACS+ Authentication for a WildFire Appliance

Configure LDAP Authentication for a WildFire Appliance

Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Configure Authentication with a Single Custom Certificate for a WildFire Cluster

Apply Custom Certificates on a WildFire Appliance Configured through Panorama

Remove a WildFire Appliance from Panorama Management

Manage WildFire Clusters

Configure a Cluster Centrally on Panorama

Configure a Cluster and Add Nodes on Panorama

Configure General Cluster Settings on Panorama

Configure Authentication for a WildFire Cluster

Configure an Administrative Account for a WildFire Cluster

Configure RADIUS Authentication for a WildFire Cluster

Configure TACACS+ Authentication for a WildFire Cluster

Configure LDAP Authentication for a WildFire Cluster

Remove a Cluster from Panorama Management

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

View WildFire Cluster Status Using Panorama

Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

Monitor Network Activity

Use Panorama for Visibility

Monitor the Network with the ACC and AppScope

Analyze Log Data

Generate, Schedule, and Email Reports

Configure Key Limits for Scheduled Reports

Ingest Traps ESM Logs on Panorama

Use Case: Monitor Applications Using Panorama

Use Case: Respond to an Incident Using Panorama

Incident Notification

Review the Widgets in the ACC

Review Threat Logs

Review WildFire Logs

Review Data Filtering Logs

Update Security Rules

Panorama High Availability

Panorama HA Prerequisites

Priority and Failover on Panorama in HA

Failover Triggers

HA Heartbeat Polling and Hello Messages

HA Path Monitoring

Logging Considerations in Panorama HA

Logging Failover on a Panorama Virtual Appliance in Legacy Mode

Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Synchronization Between Panorama HA Peers

Manage a Panorama HA Pair

Set Up HA on Panorama

Set Up Authentication Using Custom Certificates Between HA Peers

Test Panorama HA Failover

Switch Priority after Panorama Failover to Resume NFS Logging

Restore the Primary Panorama to the Active State

Administer Panorama

Preview, Validate, or Commit Configuration Changes

Commit Selective Configuration Changes for Managed Devices

Push Selective Configuration Changes to Managed Devices

Enable Automated Commit Recovery

Manage Panorama and Firewall Configuration Backups

Schedule Export of Configuration Files

Save and Export Panorama and Firewall Configurations

Revert Panorama Configuration Changes

Configure the Maximum Number of Configuration Backups on Panorama

Load a Configuration Backup on a Managed Firewall

Compare Changes in Panorama Configurations

Manage Locks for Restricting Configuration Changes

Add Custom Logos to Panorama

Use the Panorama Task Manager

Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

Log and Report Expiration Periods

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure the Run Time for Panorama Reports

Monitor Panorama

Panorama System and Configuration Logs

Monitor Panorama and Log Collector Statistics Using SNMP

Reboot or Shut Down Panorama

Configure Panorama Password Profiles and Complexity

Panorama Plugins

About Panorama Plugins

Install Panorama Plugins

VM-Series Plugin and Panorama Plugins

Install the VM-Series Plugin on Panorama

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Troubleshooting

Troubleshoot Panorama System Issues

Generate Diagnostic Files for Panorama

Diagnose Panorama Suspended State

Monitor the File System Integrity Check

Manage Panorama Storage for Software and Content Updates

Recover from Split Brain in Panorama HA Deployments

Reboot Panorama Due to Memory Issues

Troubleshoot Log Storage and Connection Issues

Verify Panorama Port Usage

Resolve Zero Log Storage for a Collector Group

Replace a Failed Disk on an M-Series Appliance

Replace the Virtual Disk on an ESXi Server

Replace the Virtual Disk on vCloud Air

Migrate Logs to a New M-Series Appliance in Log Collector Mode

Migrate Logs to a New M-Series Appliance in Panorama Mode

Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

Regenerate Metadata for M-Series Appliance RAID Pairs

View Log Query Jobs

Replace an RMA Firewall

Partial Device State Generation for Firewalls

Before Starting RMA Firewall Replacement

Restore the Firewall Configuration after Replacement

Troubleshoot Commit Failures

Triage Commit Issues on Panorama

Troubleshoot Template or Device Group Push Failures

Troubleshoot Panorama Push Failure Due to Pending Local Firewall Changes

Troubleshoot Registration or Serial Number Errors

Troubleshoot Reporting Errors

Troubleshoot Device Management License Errors

Troubleshoot Automatically Reverted Firewall Configurations

View Task Success or Failure Status

Test Policy Match and Connectivity for Managed Devices

Troubleshoot Policy Rule Traffic Match

Troubleshoot Connectivity to Network Resources

Generate a Stats Dump File for a Managed Firewall

Recover Managed Device Connectivity to Panorama

Restore an Expired Device Certificate

Panorama Administrator's Guide

Panorama Overview

Panorama Models

Centralized Firewall Configuration and Update Management

Context Switch—Firewall or Panorama

Total Configuration Size for Panorama

Templates and Template Stacks

Device Group Hierarchy

Device Group Policies

Device Group Objects

Centralized Logging and Reporting

Managed Collectors and Collector Groups

Local and Distributed Log Collection

Caveats for a Collector Group with Multiple Log Collectors

Log Forwarding Options

Centralized Reporting

Data Redistribution Using Panorama

Role-Based Access Control

Administrative Roles

Authentication Profiles and Sequences

Administrative Authentication

Panorama Commit, Validation, and Preview Operations

Plan Your Panorama Deployment

Deploy Panorama: Task Overview

Set Up Panorama

Determine Panorama Log Storage Requirements

Manage Large-Scale Firewall Deployments

Determine the Optimal Large-Scale Firewall Deployment Solution

Increased Device Management Capacity for M-Series and Panorama Virtual Appliance

Increased Device Management Capacity Requirements

Install Panorama for Increased Device Management Capacity

Set Up the Panorama Virtual Appliance

Setup Prerequisites for the Panorama Virtual Appliance

Install the Panorama Virtual Appliance

Install Panorama on VMware

Install Panorama on an ESXi Server

Install Panorama on vCloud Air

Support for VMware Tools on the Panorama Virtual Appliance

Set Up Panorama on Alibaba Cloud

Upload the Panorama Virtual Appliance Image to Alibaba Cloud

Install Panorama on Alibaba Cloud

Install Panorama on AWS

Install Panorama on AWS GovCloud

Install Panorama on Azure

Install Panorama on Google Cloud Platform

Install Panorama on KVM

Install Panorama on Hyper-V

Set Up Panorama on Oracle Cloud Infrastructure (OCI)

Upload the Panorama Virtual Appliance Image to OCI

Install Panorama on Oracle Cloud Infrastructure (OCI)

Generate a SSH Key for Panorama on OCI

Perform Initial Configuration of the Panorama Virtual Appliance

Set Up The Panorama Virtual Appliance as a Log Collector

Set Up the Panorama Virtual Appliance with Local Log Collector

Set up a Panorama Virtual Appliance in Panorama Mode

Set up a Panorama Virtual Appliance in Management Only Mode

Expand Log Storage Capacity on the Panorama Virtual Appliance

Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode

Add a Virtual Disk to Panorama on an ESXi Server

Add a Virtual Disk to Panorama on vCloud Air

Add a Virtual Disk to Panorama on Alibaba Cloud

Add a Virtual Disk to Panorama on AWS

Add a Virtual Disk to Panorama on Azure

Add a Virtual Disk to Panorama on Google Cloud Platform

Add a Virtual Disk to Panorama on KVM

Add a Virtual Disk to Panorama on Hyper-V

Add a Virtual Disk to Panorama on Oracle Cloud Infrastructure (OCI)

Mount the Panorama ESXi Server to an NFS Datastore

Increase CPUs and Memory on the Panorama Virtual Appliance

Increase CPUs and Memory for Panorama on an ESXi Server

Increase CPUs and Memory for Panorama on vCloud Air

Increase CPUs and Memory for Panorama on Alibaba Cloud

Increase CPUs and Memory for Panorama on AWS

Increase CPUs and Memory for Panorama on Azure

Increase CPUs and Memory for Panorama on Google Cloud Platform

Increase CPUs and Memory for Panorama on KVM

Increase CPUs and Memory for Panorama on Hyper-V

Increase the CPUs and Memory for Panorama on Oracle Cloud Infrastructure (OCI)

Increase the System Disk on the Panorama Virtual Appliance

Increase the System Disk for Panorama on an ESXi Server

Increase the System Disk for Panorama on Google Cloud Platform

Complete the Panorama Virtual Appliance Setup

Convert Your Panorama Virtual Appliance

Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector

Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector

Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector

Convert Your Production Panorama to an ELA Panorama

Set Up the M-Series Appliance

M-Series Appliance Interfaces

Perform Initial Configuration of the M-Series Appliance

Perform Initial Configuration of an Air Gapped M-Series Appliance

M-Series Setup Overview

Set Up an M-Series Appliance in Management Only Mode

Set Up an M-Series Appliance in Panorama Mode

Set Up an M-Series Appliance in Log Collector Mode

Set Up the M-Series Appliance as a Log Collector

Increase Storage on the M-Series Appliance

Add Additional Drives to an M-Series Appliance

Upgrade Drives on an M-Series Appliance

Configure Panorama to Use Multiple Interfaces

Multiple Interfaces for Network Segmentation Example

Configure Panorama for Network Segmentation

Register Panorama and Install Licenses

Register Panorama

Activate a Panorama Support License

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected

Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected

Activate/Retrieve a Firewall Management License on the M-Series Appliance

Install the Panorama Device Certificate

Install the Device Certificate for a Dedicated Log Collector

Transition to a Different Panorama Model

Migrate from a Panorama Virtual Appliance to an M-Series Appliance

Migrate a Panorama Virtual Appliance to a Different Hypervisor

Migrate from an M-Series Appliance to a Panorama Virtual Appliance

Migrate from an M-500 Appliance to an M-700 Appliance

Migrate from an M-600 Appliance to an M-700 Appliance

Migrate from an M-100 Appliance to an M-500 Appliance

Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance

Access and Navigate Panorama Management Interfaces

Log in to the Panorama Web Interface

Navigate the Panorama Web Interface

Log in to the Panorama CLI

Set Up Administrative Access to Panorama

Configure an Admin Role Profile

Configure an Admin Role Profile for Selective Push to Managed Firewalls

Configure an Access Domain

Configure Administrative Accounts and Authentication

Configure a Panorama Administrator Account

Configure Local or External Authentication for Panorama Administrators

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

Configure an Administrator with SSH Key-Based Authentication for the CLI

Configure RADIUS Authentication for Panorama Administrators

Configure TACACS+ Authentication for Panorama Administrators

Configure SAML Authentication for Panorama Administrators

Enable SCP Uploads for an Administrator

Configure Tracking of Administrator Activity

Set Up Authentication Using Custom Certificates

How Are SSL/TLS Connections Mutually Authenticated?

Configure Authentication Using Custom Certificates on Panorama

Configure Authentication Using Custom Certificates on Managed Devices

Add New Client Devices

Change Certificates

Change a Server Certificate

Change a Client Certificate

Change a Root or Intermediate CA Certificate

Manage Firewalls

Add a Firewall as a Managed Device

Install the Device Certificate for Managed Firewalls

Install the Device Certificate for a Managed Firewall

Install the Device Certificate for All Managed Firewalls Without a Device Certificate

Change Between Panorama Management and Cloud Management

Set Up Zero Touch Provisioning

ZTP Configuration Elements

Install the ZTP Plugin

Install the ZTP Plugin on Panorama

Register Panorama with the ZTP Service

Register Panorama with the ZTP Service for New Deployments

Register Panorama with the ZTP Service for Existing Deployments

Configure the ZTP Installer Administrator Account

Add ZTP Firewalls to Panorama

Add a ZTP Firewall to Panorama

Import Multiple ZTP Firewalls to Panorama

Use the CLI for ZTP Tasks

Uninstall the ZTP Plugin

Manage Device Groups

Add a Device Group

Create a Device Group Hierarchy

Create Objects for Use in Shared or Device Group Policy

Revert to Inherited Object Values

Manage Unused Shared Objects

Manage Precedence of Inherited Objects

Move or Clone a Policy Rule or Object to a Different Device Group

Push a Policy Rule to a Subset of Firewalls

Device Group Push to a Multi-VSYS Firewall

Manage the Rule Hierarchy

Manage Templates and Template Stacks

Template Capabilities and Exceptions

Configure a Template Stack

Configure a Template or Template Stack Variable

Import and Overwrite Existing Template Stack Variables

Override a Template or Template Stack Value

Override a Template Value on the Firewall

Override a Template Value Using a Template Stack

Override a Template or Template Stack Value Using Variables

Disable/Remove Template Settings

Manage the Master Key from Panorama

Schedule a Configuration Push to Managed Firewalls

Redistribute Data to Managed Firewalls

Transition a Firewall to Panorama Management

Plan the Transition to Panorama Management

Migrate a Firewall to Panorama Management and Reuse Existing Configuration

Migrate a Firewall to Panorama Management and Push a New Configuration

Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration

Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration

Load a Partial Firewall Configuration into Panorama

Localize a Panorama Pushed Configuration on a Managed Firewall

Device Monitoring on Panorama

Monitor Device Health

Monitor Policy Rule Usage

Use Case: Configure Firewalls Using Panorama

Device Groups in this Use Case

Templates in this Use Case

Set Up Your Centralized Configuration and Policies

Add the Managed Firewalls and Deploy Updates

Use Templates to Administer a Base Configuration

Use Device Groups to Push Policy Rules

Preview the Rules and Commit Changes

Manage Log Collection

Configure a Managed Collector

Monitor Managed Collector Health Status

Configure Authentication for a Dedicated Log Collector

Configure an Administrative Account for a Dedicated Log Collector

Configure RADIUS Authentication for a Dedicated Log Collector

Configure TACACS+ Authentication for a Dedicated Log Collector

Configure LDAP Authentication for a Dedicated Log Collector

Manage Collector Groups

Configure a Collector Group

Configure Authentication with Custom Certificates Between Log Collectors

Move a Log Collector to a Different Collector Group

Remove a Firewall from a Collector Group

Configure Log Forwarding to Panorama

Configure Syslog Forwarding to External Destinations

Forward Logs to Strata Logging Service

Verify Log Forwarding to Panorama

Modify Log Forwarding and Buffering Defaults

Configure Log Forwarding from Panorama to External Destinations

Log Collection Deployments

Deploy Panorama with Dedicated Log Collectors

Deploy Panorama M-Series Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances with Local Log Collectors

Deploy Panorama Virtual Appliances in Legacy Mode with Local Log Collection

Manage WildFire Appliances

Add Standalone WildFire Appliances to Manage with Panorama

Configure Basic WildFire Appliance Settings on Panorama

Configure Authentication for a WildFire Appliance

Configure An Administrative Account for a WildFire Appliance

Configure RADIUS Authentication for a WildFire Appliance

Configure TACACS+ Authentication for a WildFire Appliance

Configure LDAP Authentication for a WildFire Appliance

Set Up Authentication Using Custom Certificates on WildFire Appliances and Clusters

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Configure Authentication with a Single Custom Certificate for a WildFire Cluster

Apply Custom Certificates on a WildFire Appliance Configured through Panorama

Remove a WildFire Appliance from Panorama Management

Manage WildFire Clusters

Configure a Cluster Centrally on Panorama

Configure a Cluster and Add Nodes on Panorama

Configure General Cluster Settings on Panorama

Configure Authentication for a WildFire Cluster

Configure an Administrative Account for a WildFire Cluster

Configure RADIUS Authentication for a WildFire Cluster

Configure TACACS+ Authentication for a WildFire Cluster

Configure LDAP Authentication for a WildFire Cluster

Remove a Cluster from Panorama Management

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

View WildFire Cluster Status Using Panorama

Manage Licenses and Updates

Manage Licenses on Firewalls Using Panorama

Monitor Network Activity

Use Panorama for Visibility

Monitor the Network with the ACC and AppScope

Analyze Log Data

Generate, Schedule, and Email Reports

Configure Key Limits for Scheduled Reports

Ingest Traps ESM Logs on Panorama

Use Case: Monitor Applications Using Panorama

Use Case: Respond to an Incident Using Panorama

Incident Notification

Review the Widgets in the ACC

Review Threat Logs

Review WildFire Logs

Review Data Filtering Logs

Update Security Rules

Panorama High Availability

Panorama HA Prerequisites

Priority and Failover on Panorama in HA

Failover Triggers

HA Heartbeat Polling and Hello Messages

HA Path Monitoring

Logging Considerations in Panorama HA

Logging Failover on a Panorama Virtual Appliance in Legacy Mode

Logging Failover on an M-Series Appliance or Panorama Virtual Appliance in Panorama Mode

Synchronization Between Panorama HA Peers

Manage a Panorama HA Pair

Set Up HA on Panorama

Set Up Authentication Using Custom Certificates Between HA Peers

Test Panorama HA Failover

Switch Priority after Panorama Failover to Resume NFS Logging

Restore the Primary Panorama to the Active State

Administer Panorama

Preview, Validate, or Commit Configuration Changes

Commit Selective Configuration Changes for Managed Devices

Push Selective Configuration Changes to Managed Devices

Enable Automated Commit Recovery

Manage Panorama and Firewall Configuration Backups

Schedule Export of Configuration Files

Save and Export Panorama and Firewall Configurations

Revert Panorama Configuration Changes

Configure the Maximum Number of Configuration Backups on Panorama

Load a Configuration Backup on a Managed Firewall

Perform a Config Audit

Compare Changes in Panorama Configurations

Manage Locks for Restricting Configuration Changes

Add Custom Logos to Panorama

Use the Panorama Task Manager

Manage Storage Quotas and Expiration Periods for Logs and Reports

Log and Report Storage

Log and Report Expiration Periods

Configure Storage Quotas and Expiration Periods for Logs and Reports

Configure the Run Time for Panorama Reports

Monitor Panorama

Panorama System and Configuration Logs

Monitor Panorama and Log Collector Statistics Using SNMP

Reboot or Shut Down Panorama

Configure Panorama Password Profiles and Complexity

Panorama Plugins

About Panorama Plugins

Install Panorama Plugins

VM-Series Plugin and Panorama Plugins

Install the VM-Series Plugin on Panorama

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Troubleshooting

Troubleshoot Panorama System Issues

Generate Diagnostic Files for Panorama

Diagnose Panorama Suspended State

Monitor the File System Integrity Check

Manage Panorama Storage for Software and Content Updates

Recover from Split Brain in Panorama HA Deployments

Reboot Panorama Due to Memory Issues

Troubleshoot Log Storage and Connection Issues

Verify Panorama Port Usage

Resolve Zero Log Storage for a Collector Group

Replace a Failed Disk on an M-Series Appliance

Replace the Virtual Disk on an ESXi Server

Replace the Virtual Disk on vCloud Air

Migrate Logs to a New M-Series Appliance in Log Collector Mode

Migrate Logs to a New M-Series Appliance in Panorama Mode

Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability

Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability

Migrate Log Collectors after Failure/RMA of Non-HA Panorama

Regenerate Metadata for M-Series Appliance RAID Pairs

View Log Query Jobs

Replace an RMA Firewall

Partial Device State Generation for Firewalls

Before Starting RMA Firewall Replacement

Restore the Firewall Configuration after Replacement

Troubleshoot Commit Failures

Triage Commit Issues on Panorama

Troubleshoot Template or Device Group Push Failures

Troubleshoot Panorama Push Failure Due to Pending Local Firewall Changes

Troubleshoot Registration or Serial Number Errors

Troubleshoot Reporting Errors

Troubleshoot Device Management License Errors

Troubleshoot Automatically Reverted Firewall Configurations

View Task Success or Failure Status

Test Policy Match and Connectivity for Managed Devices

Troubleshoot Policy Rule Traffic Match

Troubleshoot Connectivity to Network Resources

Generate a Stats Dump File for a Managed Firewall

Recover Managed Device Connectivity to Panorama

Restore an Expired Device Certificate

PAN-OS Web Interface Help

Web Interface Basics

Firewall Overview

Features and Benefits

Last Login Time and Failed Login Attempts

Message of the Day

Save Candidate Configurations

Lock Configurations

AutoFocus Intelligence Summary

Configuration Table Export

Change Boot Mode

Dashboard Widgets

ACC

A First Glance at the ACC

Working with Tabs and Widgets

Working with Filters—Local Filters and Global Filters

Monitor > External Logs

Monitor > Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Objects

Monitor > Automated Correlation Engine > Correlated Events

Monitor > Packet Capture

Packet Capture Overview

Building Blocks for a Custom Packet Capture

Enable Threat Packet Capture

Monitor > App Scope

App Scope Overview

App Scope Summary Report

App Scope Change Monitor Report

App Scope Threat Monitor Report

App Scope Threat Map Report

App Scope Network Monitor Report

App Scope Traffic Map Report

Monitor > Session Browser

Monitor > Block IP List

Block IP List Entries

View or Delete Block IP List Entries

Monitor > Botnet

Botnet Report Settings

Botnet Configuration Settings

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary

Monitor > PDF Reports > User Activity Report

Monitor > PDF Reports > SaaS Application Usage

Monitor > PDF Reports > Report Groups

Monitor > PDF Reports > Email Scheduler

Monitor > Manage Custom Reports

Monitor > Reports

Move or Clone a Policy Rule

Audit Comment Archive

Rule Usage Hit Count Query

Policies > Security

Security Policy Overview

Building Blocks in a Security Policy Rule

Creating and Managing Policies

Overriding or Reverting a Security Policy Rule

Applications and Usage

Security Policy Optimizer

NAT Policies General Tab

NAT Original Packet Tab

NAT Translated Packet Tab

NAT Active/Active HA Binding Tab

Policies > Policy Based Forwarding

Policy Based Forwarding General Tab

Policy Based Forwarding Source Tab

Policy Based Forwarding Destination/Application/Service Tab

Policy Based Forwarding Forwarding Tab

Policy Based Forwarding Target Tab

Policies > Decryption

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Decryption Target Tab

Policies > Network Packet Broker

Network Packet Broker General Tab

Network Packet Broker Source Tab

Network Packet Broker Destination Tab

Network Packet Broker Application/Service/Traffic Tab

Network Packet Broker Path Selection Tab

Network Packet Broker Policy Optimizer Rule Usage

Policies > Tunnel Inspection

Building Blocks in a Tunnel Inspection Policy

Policies > Application Override

Application Override General Tab

Application Override Source Tab

Application Override Destination Tab

Application Override Protocol/Application Tab

Application Override Target Tab

Policies > Authentication

Building Blocks of an Authentication Policy Rule

Create and Manage Authentication Policy

Policies > DoS Protection

DoS Protection General Tab

DoS Protection Source Tab

DoS Protection Destination Tab

DoS Protection Option/Protection Tab

DoS Protection Target Tab

Policies > SD-WAN

SD-WAN General Tab

SD-WAN Source Tab

SD-WAN Destination Tab

SD-WAN Application/Service Tab

SD-WAN Path Selection Tab

SD-WAN Target Tab

Move, Clone, Override, or Revert Objects

Move or Clone an Object

Override or Revert an Object

Objects > Addresses

Objects > Address Groups

Objects > Regions

Objects > Dynamic User Groups

Objects > Applications

Applications Overview

Actions Supported on Applications

Defining Applications

Objects > Application Groups

Objects > Application Filters

Objects > Services

Objects > Service Groups

View Rulebase as Groups

Move Rules in Group to Different Rulebase or Device Group

Change Group of All Rules

Move All Rules in Group

Delete All Rules in Group

Clone All Rules in Group

Objects > Devices

Objects > External Dynamic Lists

Objects > Custom Objects

Objects > Custom Objects > Data Patterns

Data Pattern Settings

Syntax for Regular Expression Data Patterns

Regular Expression Data Pattern Examples

Objects > Custom Objects > Spyware/Vulnerability

Objects > Custom Objects > URL Category

Objects > Security Profiles

Actions in Security Profiles

Objects > Security Profiles > Antivirus

Objects > Security Profiles > Anti-Spyware Profile

Objects > Security Profiles > Vulnerability Protection

Objects > Security Profiles > URL Filtering

URL Filtering General Settings

URL Filtering Categories

URL Filtering Settings

User Credential Detection

HTTP Header Insertion

Inline Categorization

Objects > Security Profiles > File Blocking

Objects > Security Profiles > WildFire Analysis

Objects > Security Profiles > Data Filtering

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > Mobile Network Protection

Objects > Security Profiles > SCTP Protection

Objects > Security Profile Groups

Objects > Log Forwarding

Objects > Authentication

Objects > Decryption Profile

Decryption Profile General Settings

Settings to Control Decrypted Traffic

Settings to Control Traffic that is not Decrypted

Settings to Control Decrypted SSH Traffic

Objects > Packet Broker Profile

Objects > SD-WAN Link Management

Objects > SD-WAN Link Management > Path Quality Profile

Objects > SD-WAN Link Management > SaaS Quality Profile

Objects > SD-WAN Link Management > Traffic Distribution-Profile

Objects > SD-WAN Link Management > Error Correction Profile

Objects > Schedules

Network > Interfaces

Firewall Interfaces Overview

Common Building Blocks for Firewall Interfaces

Common Building Blocks for PA-7000 Series Firewall Interfaces

Virtual Wire Interface

Virtual Wire Subinterface

PA-7000 Series Layer 2 Interface

PA-7000 Series Layer 2 Subinterface

PA-7000 Series Layer 3 Interface

Layer 3 Interface

Layer 3 Subinterface

Log Card Interface

Log Card Subinterface

Decrypt Mirror Interface

Aggregate Ethernet (AE) Interface Group

Aggregate Ethernet (AE) Interface

Network > Interfaces > VLAN

Network > Interfaces > Loopback

Network > Interfaces > Tunnel

Network > Interfaces > SD-WAN

Network > Zones

Security Zone Overview

Building Blocks of Security Zones

Network > VLANs

Network > Virtual Wires

Network > Virtual Routers

General Settings of a Virtual Router

Route Redistribution

RIP

RIP Interfaces Tab

RIP Auth Profiles Tab

RIP Export Rules Tab

OSPF Auth Profiles Tab

OSPF Export Rules Tab

OSPF Advanced Tab

OSPFv3 Areas Tab

OSPFv3 Auth Profiles Tab

OSPFv3 Export Rules Tab

OSPFv3 Advanced Tab

BGP

Basic BGP Settings

BGP General Tab

BGP Advanced Tab

BGP Peer Group Tab

BGP Import and Export Tabs

BGP Conditional Adv Tab

BGP Aggregate Tab

BGP Redist Rules Tab

Multicast Rendezvous Point Tab

Multicast Interfaces Tab

Multicast SPT Threshold Tab

Multicast Source Specific Address Space Tab

Multicast Advanced Tab

More Runtime Stats for a Virtual Router

BFD Summary Information Tab

More Runtime Stats for a Logical Router

Routing Stats for a Logical Router

BGP Stats for a Logical Router

Network > Routing > Logical Routers

Network > Routing > Logical Routers > General

Network > Routing > Logical Routers > Static

Network > Routing > Logical Routers > OSPF

Network > Routing > Logical Routers > OSPFv3

Network > Routing > Logical Routers > RIPv2

Network > Routing > Logical Routers > BGP

Network > Routing > Logical Routers > Multicast

Network > IPSec Tunnels

IPSec VPN Tunnel Management

IPSec Tunnel General Tab

IPSec Tunnel Proxy IDs Tab

IPSec Tunnel Status on the Firewall

IPSec Tunnel Restart or Refresh

Network > GRE Tunnels

DHCP Addressing

Network > DNS Proxy

DNS Proxy Overview

DNS Proxy Settings

Additional DNS Proxy Actions

QoS Interface Settings

QoS Interface Statistics

Building Blocks of LLDP

Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto

Network > Network Profiles > IKE Gateways

IKE Gateway Management

IKE Gateway General Tab

IKE Gateway Advanced Options Tab

IKE Gateway Restart or Refresh

Network > Network Profiles > IPSec Crypto

Network > Network Profiles > IKE Crypto

Network > Network Profiles > Monitor

Network > Network Profiles > Interface Mgmt

Network > Network Profiles > Zone Protection

Building Blocks of Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Network > Network Profiles > QoS

Network > Network Profiles > LLDP Profile

Network > Network Profiles > BFD Profile

Building Blocks of a BFD Profile

View BFD Summary and Details

Network > Network Profiles > SD-WAN Interface Profile

Network > Routing > Routing Profiles

Network > Routing > Routing Profiles > BGP

Network > Routing > Routing Profiles > BFD

Network > Routing > Routing Profiles > OSPF

Network > Routing > Routing Profiles > OSPFv3

Network > Routing > Routing Profiles > RIPv2

Network > Routing > Routing Profiles > Filters

Network > Routing > Routing Profiles > Multicast

Device > Setup > Management

Device > Setup > Operations

Enable SNMP Monitoring

Device > Setup > HSM

Hardware Security Module Provider Settings

HSM Authentication

Hardware Security Operations

Hardware Security Module Provider Configuration and Status

Hardware Security Module Status

Device > Setup > Services

Configure Services for Global and Virtual Systems

Global Services Settings

IPv4 and IPv6 Support for Service Route Configuration

Destination Service Route

Device > Setup > Interfaces

Device > Setup > Telemetry

Device > Setup > Content-ID

Device > Setup > WildFire

Device > Setup > Session

Session Settings

Session Timeouts

Decryption Settings: Certificate Revocation Checking

Decryption Settings: Forward Proxy Server Certificate Settings

Decryption Settings: SSL Decryption Settings

VPN Session Settings

Device Setup Ace

Device > Setup > DLP

Device > High Availability

Important Considerations for Configuring HA

HA General Settings

HA Communications

HA Link and Path Monitoring

HA Active/Active Config

Device > Log Forwarding Card

Device > Config Audit

Device > Password Profiles

Username and Password Requirements

Device > Administrators

Device > Admin Roles

Device > Access Domain

Device > Authentication Profile

Authentication Profile

SAML Metadata Export from an Authentication Profile

Device > Authentication Sequence

Device > Data Redistribution

Device > Data Redistribution > Agents

Device > Data Redistribution > Clients

Device > Data Redistribution > Collector Settings

Device > Data Redistribution > Include/Exclude Networks

Device > Device Quarantine

Device > VM Information Sources

Settings to Enable VM Information Sources for VMware ESXi and vCenter Servers

Settings to Enable VM Information Sources for AWS VPC

Settings to Enable VM Information Sources for Google Compute Engine

Device > Troubleshooting

Security Policy Match

QoS Policy Match

Authentication Policy Match

Decryption/SSL Policy Match

NAT Policy Match

Policy Based Forwarding Policy Match

DoS Policy Match

Log Collector Connectivity

External Dynamic List

Test Cloud Logging Service Status

Test Cloud GP Service Status

Device > Virtual Systems

Device > Shared Gateways

Device > Certificate Management

Device > Certificate Management > Certificates

Manage Firewall and Panorama Certificates

Other Supported Actions to Manage Certificates

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificate Profile

Device > Certificate Management > OCSP Responder

Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SCEP

Device > Certificate Management > SSL Decryption Exclusion

Device > Certificate Management > SSH Service Profile

Device > Response Pages

Device > Log Settings

Select Log Forwarding Destinations

Define Alarm Settings

Device > Server Profiles

Device > Server Profiles > SNMP Trap

Device > Server Profiles > Syslog

Device > Server Profiles > Email

Device > Server Profiles > HTTP

Device > Server Profiles > NetFlow

Device > Server Profiles > RADIUS

Device > Server Profiles > TACACS+

Device > Server Profiles > LDAP

Device > Server Profiles > Kerberos

Device > Server Profiles > SAML Identity Provider

Device > Server Profiles > DNS

Device > Server Profiles > Multi Factor Authentication

Device > Local User Database > Users

Device > Local User Database > User Groups

Device > Scheduled Log Export

Device > Software

Device > Dynamic Updates

Device > Licenses

Device > Support

Device > Master Key and Diagnostics

Deploy Master Key

Device > Policy Recommendation > IoT

Device > Policy > Recommendation SaaS

Device > Server Profiles > SCP

User Identification

Device > User Identification > User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor Account

Server Monitoring

Ignore User List

Monitor Servers

Configure Access to Monitored Servers

Manage Access to Monitored Servers

Include or Exclude Subnetworks for User Mapping

Device > User Identification > Connection Security

Device > User Identification > Terminal Server Agents

Device > User Identification > Group Mapping Settings Tab

Device > User Identification > Cloud Identity Engine

Device > User Identification > Authentication Portal

Network > GlobalProtect > Portals

GlobalProtect Portals General Tab

GlobalProtect Portals Authentication Configuration Tab

GlobalProtect Portals Portal Data Collection Tab

GlobalProtect Portals Agent Tab

GlobalProtect Portals Agent Authentication Tab

GlobalProtect Portals Agent Config Selection Criteria Tab

GlobalProtect Portals Agent Internal Tab

GlobalProtect Portals Agent External Tab

GlobalProtect Portals Agent App Tab

GlobalProtect Portals Agent HIP Data Collection Tab

GlobalProtect Portals Clientless VPN Tab

GlobalProtect Portal Satellite Tab

Network > GlobalProtect > Gateways

GlobalProtect Gateways General Tab

GlobalProtect Gateway Authentication Tab

GlobalProtect Gateways Agent Tab

Tunnel Settings Tab

Client Settings Tab

Client IP Pool Tab

Network Services Tab

Connection Settings Tab

Video Traffic Tab

HIP Notification Tab

GlobalProtect Gateway Satellite Tab

Network > GlobalProtect > MDM

Network > GlobalProtect > Clientless Apps

Network > GlobalProtect > Clientless App Groups

Objects > GlobalProtect > HIP Objects

HIP Objects General Tab

HIP Objects Mobile Device Tab

HIP Objects Patch Management Tab

HIP Objects Firewall Tab

HIP Objects Anti-Malware Tab

HIP Objects Disk Backup Tab

HIP Objects Disk Encryption Tab

HIP Objects Data Loss Prevention Tab

HIP Objects Certificate Tab

HIP Objects Custom Checks Tab

Objects > GlobalProtect > HIP Profiles

Device > GlobalProtect Client

Managing the GlobalProtect App Software

Setting Up the GlobalProtect App

Using the GlobalProtect App

Panorama Web Interface

Use the Panorama Web Interface

Panorama Commit Operations

Defining Policies on Panorama

Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode

Panorama > Setup > Interfaces

Panorama > High Availability

Panorama > Managed WildFire Clusters

Managed WildFire Cluster Tasks

Managed WildFire Appliance Tasks

Managed WildFire Information

Managed WildFire Cluster and Appliance Administration

Panorama > Administrators

Panorama > Admin Roles

Panorama > Access Domains

Panorama > Scheduled Config Push

Scheduled Config Push Scheduler

Scheduled Config Push Execution History

Panorama > Managed Devices > Summary

Managed Firewall Administration

Managed Firewall Information

Firewall Software and Content Updates

Firewall Backups

Panorama > Device Quarantine

Panorama > Managed Devices > Health

Detailed Device Health on Panorama

Panorama > Templates

Template Stacks

Panorama > Templates > Template Variables

Panorama > Device Groups

Panorama > Managed Collectors

Log Collector Information

Log Collector Configuration

General Log Collector Settings

Log Collector Authentication Settings

Log Collector Interface Settings

Log Collector RAID Disk Settings

User-ID Agent Settings

Connection Security

Communication Settings

Software Updates for Dedicated Log Collectors

Panorama > Collector Groups

Collector Group Configuration

Collector Group Information

Panorama > Plugins

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Panorama > VMware NSX

Configure a Notify Group

Create Service Definitions

Configure Access to the NSX Manager

Create Steering Rules

Panorama > Log Ingestion Profile

Panorama > Log Settings

Panorama > Server Profiles > SCP

Panorama > Scheduled Config Export

Panorama > Software

Manage Panorama Software Updates

Display Panorama Software Update Information

Panorama > Device Deployment

Manage Software and Content Updates

Display Software and Content Update Information

Schedule Dynamic Content Updates

Revert Content Versions from Panorama

Manage Firewall Licenses

Panorama > Device Registration Auth Key

PAN-OS® Networking Administrator’s Guide

Networking Introduction

Configure Interfaces

Virtual Wire Interfaces

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

Virtual Wire Support of High Availability

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure Virtual Wires

Layer 2 Interfaces

Layer 2 Interfaces with No VLANs

Layer 2 Interfaces with VLANs

Configure a Layer 2 Interface

Configure a Layer 2 Interface, Subinterface, and VLAN

Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Interfaces

Configure Layer 3 Interfaces

Manage IPv6 Hosts Using NDP

IPv6 Router Advertisements for DNS Configuration

Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements

Enable NDP Monitoring

Configure an Aggregate Interface Group

Configure Bonjour Reflector for Network Segmentation

Use Interface Management Profiles to Restrict Access

Virtual Routers

Virtual Router Overview

Configure Virtual Routers

Service Routes Overview

Configure Service Routes

Static Route Overview

Static Route Removal Based on Path Monitoring

Configure a Static Route

Configure Path Monitoring for a Static Route

RIP

OSPF Router Types

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Confederations

PIM

Shortest-Path Tree (SPT) and Shared Tree

PIM Assert Mechanism

Reverse-Path Forwarding

Configure IP Multicast

View IP Multicast Information

Route Redistribution

Route Redistribution Overview

Configure Route Redistribution

GRE Tunnel Overview

Create a GRE Tunnel

Firewall as a DHCP Server and Client

DHCP Addressing

DHCP Address Allocation Methods

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCP Client

Configure the Management Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear DHCP Leases

View DHCP Client Information

Gather Debug Output about DHCP

DNS

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Use Case 1: Firewall Requires DNS Resolution

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Proxy Rule and FQDN Matching

Dynamic DNS Overview

Configure Dynamic DNS for Firewall Interfaces

NAT

NAT Policy Rules

NAT Policy Overview

NAT Address Pools Identified as Address Objects

Proxy ARP for NAT Address Pools

Source NAT and Destination NAT

Destination NAT

Destination NAT with DNS Rewrite Use Cases

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Forward Use Cases

NAT Rule Capacities

Dynamic IP and Port NAT Oversubscription

Dataplane NAT Memory Statistics

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT with DNS Rewrite

Configure Destination NAT Using Dynamic IP Addresses

Modify the Oversubscription Rate for DIPP NAT

Reserve Dynamic IP NAT Addresses

Disable NAT for a Specific Host or Interface

NAT Configuration Examples

Destination NAT Example—One-to-One Mapping

Destination NAT with Port Translation Example

Destination NAT Example—One-to-Many Mapping

Source and Destination NAT Example

Virtual Wire Source NAT Example

Virtual Wire Static NAT Example

Virtual Wire Destination NAT Example

Unique Local Addresses

Reasons to Use NPTv6

How NPTv6 Works

Checksum-Neutral Mapping

Bi-Directional Translation

NPTv6 Applied to a Specific Service

NPTv6 and NDP Proxy Example

The ND Cache in NPTv6 Example

The NDP Proxy in NPTv6 Example

The NPTv6 Translation in NPTv6 Example

Neighbors in the ND Cache are Not Translated

Create an NPTv6 Policy

IPv4-Embedded IPv6 Address

Path MTU Discovery

IPv6-Initiated Communication

Configure NAT64 for IPv6-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication with Port Translation

ECMP Load-Balancing Algorithms

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Supported TLVs in LLDP

LLDP Syslog Messages and SNMP Traps

View LLDP Settings and Status

Clear LLDP Statistics

BFD

BFD Model, Interface, and Client Support

Non-Supported RFC Components of BFD

BFD for Static Routes

BFD for Dynamic Routing Protocols

Reference: BFD Details

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Session Distribution Policies

Session Distribution Policy Descriptions

Change the Session Distribution Policy and View Statistics

Prevent TCP Split Handshake Session Establishment

Tunnel Content Inspection

Tunnel Content Inspection Overview

Configure Tunnel Content Inspection

View Inspected Tunnel Activity

View Tunnel Information in Logs

Create a Custom Report Based on Tagged Tunnel Traffic

Tunnel Acceleration Behavior

Disable Tunnel Acceleration

Network Packet Broker

Network Packet Broker Overview

How Network Packet Broker Works

Prepare to Deploy Network Packet Broker

Configure Transparent Bridge Security Chains

Configure Routed Layer 3 Security Chains

Network Packet Broker HA Support

User Interface Changes for Network Packet Broker

Limitations of Network Packet Broker

Troubleshoot Network Packet Broker

Advanced Routing

Enable Advanced Routing

Logical Router Overview

Configure a Logical Router

Create a Static Route

Configure BGP on an Advanced Routing Engine

Create BGP Routing Profiles

Create Filters for the Advanced Routing Engine

Configure OSPFv2 on an Advanced Routing Engine

Create OSPF Routing Profiles

Configure OSPFv3 on an Advanced Routing Engine

Create OSPFv3 Routing Profiles

Configure RIPv2 on an Advanced Routing Engine

Create RIPv2 Routing Profiles

Create BFD Profiles

Configure IPv4 Multicast

Create Multicast Routing Profiles

Create an IPv4 MRoute

PAN-OS CLI Quick Start

Get Started with the CLI

Verify SSH Connection to Firewall

Refresh SSH Keys and Configure Key Options for Management Interface Connection

Give Administrators Access to the CLI

Administrative Privileges

Set Up a Firewall Administrative Account and Assign CLI Privileges

Set Up a Panorama Administrative Account and Assign CLI Privileges

Change CLI Modes

Navigate the CLI

View the Entire Command Hierarchy

Find a Specific Command Using a Keyword Search

Get Help on Command Syntax

Get Help on a Command

Interpret the Command Help

Customize the CLI

View Settings and Statistics

Modify the Configuration

Commit Configuration Changes

Test the Configuration

Test the Authentication Configuration

Test Policy Matches

Load Configurations

Load Configuration Settings from a Text File

Load a Partial Configuration

Xpath Location Formats Determined by Device Configuration

Load a Partial Configuration into Another Configuration Using Xpath Values

Use Secure Copy to Import and Export Files

Export a Saved Configuration from One Firewall and Import it into Another

Export and Import a Complete Log Database (logdb)

CLI Cheat Sheets

CLI Cheat Sheet: Device Management

CLI Cheat Sheet: User-ID

CLI Cheat Sheet: HA

CLI Cheat Sheet: Networking

CLI Cheat Sheet: VSYS

CLI Cheat Sheet: Panorama

CLI Cheat Sheet: CTD Evasion Detection

CLI Changes in PAN-OS 10.2

Set Commands Introduced in PAN-OS 10.2

Set Commands Removed in PAN-OS 102

Show Commands Introduced in PAN-OS 102

Show Commands Removed in PAN-OS 102

CLI Command Hierarchy for PAN-OS 10.2

PAN-OS 10.2 CLI Ops Command Hierarchy

PAN-OS 10.2 Configure CLI Command Hierarchy

PAN-OS® and Panorama™API Usage Guide

About the PAN-OS API

PAN-OS XML API Components

Structure of a PAN-OS XML API Request

API Authentication and Security

XPath Node Selection

Get Started with the PAN-OS XML API

Enable API Access

Get Your API Key

Authenticate Your API Requests

Make Your First API Call

Explore the API

Use the API Browser

Use the CLI to Find XML API Syntax

Use the Web Interface to Find XML API Syntax

PAN-OS XML API Error Codes

PAN-OS XML API Use Cases

Upgrade a Firewall to the Latest PAN-OS Version (API)

Show and Manage GlobalProtect Users (API)

Query a Firewall from Panorama (API)

Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)

Automatically Check for and Install Content Updates (API)

Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)

Configure SAML 2.0 Authentication (API)

Quarantine Compromised Devices (API)

Manage Certificates (API)

PAN-OS XML API Request Types

PAN-OS XML API Request Types and Actions

Configuration Actions

Actions for Modifying a Configuration

Actions for Reading a Configuration

Asynchronous and Synchronous Requests to the PAN-OS XML API

Configuration (API)

Get Active Configuration

Use XPath to Get Active Configuration

Use XPath to Get ARP Information

Get Candidate Configuration

Set Configuration

Edit Configuration

Delete Configuration

Rename Configuration

Clone Configuration

Move Configuration

Override Configuration

Multi-Move or Multi-Clone Configuration

View Configuration Node Values for XPath

Multi-config Request (API)

Commit Configuration (API)

Run Operational Mode Commands (API)

Get Reports (API)

Dynamic Reports

Predefined Reports

Export Files (API)

Export Packet Captures

Export Application PCAPS

Export Threat, Filter, and Data Filtering PCAPs

Export Certificates and Keys

Export Technical Support Data

Import Files (API)

Importing Basics

Retrieve Logs (API)

API Log Retrieval Parameters

Example: Use the API to Retrieve Traffic Logs

Apply User-ID Mapping and Populate Dynamic Groups (API)

Get Version Info (API)

Get Started with the PAN-OS REST API

PAN-OS REST API

Access the PAN-OS REST API

Resource Methods and Query Parameters (REST API)

PAN-OS REST API Request and Response Structure

PAN-OS REST API Error Codes

Work With Objects (REST API)

Create a Security Policy Rule (REST API)

Work with Policy Rules on Panorama (REST API)

Create a Tag (REST API)

Configure a Security Zone (REST API)

Configure an SD-WAN Interface (REST API)

Create an SD-WAN Policy Pre Rule (REST API)

Configure an Ethernet Interface (REST API)

Update a Virtual Router (REST API)

Work With Decryption (APIs)

User-ID™ Agent Release Notes

User-ID Agent 10.2 Release Information

Features Introduced in User-ID Agent 10.2

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

User-ID Agent 10.2 Addressed Issues

Related Documentation

Requesting Support

Terminal Server (TS) Agent Release Notes

Terminal Server (TS) Agent 10.2 Release Information

Changes to Default Behavior

Features Introduced in TS Agent 10.2

System Requirements

Operating System (OS) Compatibility

Known Issues in TS Agent 10.2

Terminal Server (TS) Agent 10.2 Addressed Issues

Related Documentation

Requesting Support

PAN-OS ® New Features Guide

Panorama Features

Automatic Content Push for VM-Series and CN-Series Firewalls

Log Collector Health Monitoring on Panorama

Administrator-Level Push

Increased Device Management Capacity for the Panorama Virtual Appliance

IoT Security Features

Simplified IoT Security Onboarding

Data Collection for IoT Security

Management Features

Simplified Software Upgrade

Selective Commit of Configuration Changes

Policy Rulebase Management Using Tags

Networking Features

Advanced Routing Engine

IPv4 Multicast for Advanced Routing Engine

Content Inspection Features

Advanced Threat Prevention: Inline Cloud Analysis

Domain Fronting Detection

Decryption Features

Multiple Certificate Support for SSL Inbound Inspection

URL Filtering Features

HTTP Header Expansion

Inline Deep Learning Analysis for Advanced URL Filtering

Mobile Infrastructure Security Features

New Deployment Option for GTP Security in 3G/4G Networks

Mobile Network Security Support on New Mid-Range Hardware Platforms

Virtualization Features

CN-Series Firewall as a Kubernetes CNF

High Availability Support for CN-Series Firewall as a Kubernetes CNF

High Availability for CN-Series Firewall on AWS EKS

Daemonset(vWire) IPv6 Support

IPv6 DAG Kubernetes Plugin Support

L3 IPV4 Support for CN-Series

Memory Scaling of the VM-Series Firewall

DPDK Support for CN-Series Firewall

47 Dataplane Cores Support for VM-Series and CN-Series Firewalls

PAN-OS SD-WAN Features

Copy ToS Header Support

Enterprise Data Loss Prevention Features

Web Form Data Inspection for Enterprise Data Loss Prevention

Policy Features

Security Policy Rule Top-Down Order When Wildcard Masks Overlap

PAN-OS® Administrator’s Guide

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Access Strategy for Business Continuity

Determine Your Management Strategy

Perform Initial Configuration

Perform Initial Configuration for an Air Gapped Firewall

Set Up Network Access for External Services

Register the Firewall

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Free WildFire Forwarding

Best Practices for Completing the Firewall Deployment

Subscriptions You Can Use With the Firewall

Activate Subscription Licenses

What Happens When Licenses Expire?

Enhanced Application Logs for Palo Alto Networks Cloud Services

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Commit Selective Configuration Changes

Export Configuration Table Data

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Save and Export Firewall Configurations

Revert Firewall Configuration Changes

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure a Firewall Administrator Account

Configure Local or External Authentication for Firewall Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure API Key Lifetime

Configure Tracking of Administrator Activity

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Provide Granular Access to Operations Settings

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Ports Used for IPSec

Ports Used for Routing

Ports Used for DHCP

Ports Used for Infrastructure

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Device Telemetry

Device Telemetry Overview

Device Telemetry Collection and Transmission Intervals

Manage Device Telemetry

Enable Device Telemetry

Disable Device Telemetry

Enable Service Routes for Telemetry

Manage the Data the Device Telemetry Collects

Manage Historical Device Telemetry

Monitor Device Telemetry

Sample the Data that Device Telemetry Collects

Authentication Types

External Authentication Services

Multi-Factor Authentication

Local Authentication

Plan Your Authentication Deployment

Configure Multi-Factor Authentication

Configure MFA Between RSA SecurID and the Firewall

Configure MFA Between Okta and the Firewall

Configure MFA Between Duo and the Firewall

Configure SAML Authentication

Configure Kerberos Single Sign-On

Configure Kerberos Server Authentication

Configure TACACS+ Authentication

Configure RADIUS Authentication

Configure LDAP Authentication

Connection Timeouts for Authentication Servers

Guidelines for Setting Authentication Server Timeouts

Modify the PAN-OS Web Server Timeout

Modify the Authentication Portal Session Timeout

Configure Local Database Authentication

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Authentication Policy

Authentication Timestamps

Configure Authentication Policy

Troubleshoot Authentication Issues

Pre-Logon for SAML Authentication

Certificate Management

Keys and Certificates

Default Trusted Certificate Authorities (CAs)

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Master Key Encryption

Configure Master Key Encryption Level

Master Key Encryption on a Firewall HA Pair

Master Key Encryption Logs

Unique Master Key Encryptions for AES-256-GCM

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Install a Device Certificate

Restore an Expired Device Certificate

Deploy Certificates Using SCEP

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Configure an SSH Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

High Availability

HA Links and Backup Links

HA Ports on Palo Alto Networks Firewalls

Device Priority and Preemption

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

HA Clustering Overview

HA Clustering Best Practices and Provisioning

Configure HA Clustering

Refresh HA1 SSH Keys and Configure Key Options

HA Firewall States

Reference: HA Synchronization

Use the Dashboard

Use the Application Command Center

ACC—First Look

Widget Descriptions

Interact with the ACC

Use Case: ACC—Path of Information Discovery

Use the App Scope Reports

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

View and Manage Logs

Log Types and Severity Levels

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Tunnel Inspection Logs

GlobalProtect Logs

Decryption Logs

Authentication Logs

Use Case: Export Traffic Logs for a Date Range

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Monitor Block List

View and Manage Reports

Configure the Expiration Period and Run Time for Reports

Disable Predefined Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Manage Report Storage Capacity

View Policy Rule Usage

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

URL Filtering Log Fields

Data Filtering Log Fields

HIP Match Log Fields

GlobalProtect Log Fields

IP-Tag Log Fields

User-ID Log Fields

Decryption Log Fields

Tunnel Inspection Log Fields

SCTP Log Fields

Authentication Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

Audit Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

SNMP Monitoring and Traps

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

HOST-RESOURCES-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

Forward Logs to an HTTP/S Destination

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

Monitor Transceivers

User-ID Overview

User-ID Concepts

Server Monitoring

Username Header Insertion

Authentication Policy and Authentication Portal

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the Windows-Based User-ID Agent

Configure the Windows User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure Server Monitoring Using WinRM

Configure User-ID to Monitor Syslog Senders for User Mapping

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Authentication Portal

Authentication Portal Authentication Methods

Authentication Portal Modes

Configure Authentication Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Insert Username in HTTP Headers

Redistribute Data and Authentication Timestamps

Firewall Deployment for Data Redistribution

Configure Data Redistribution

Share User-ID Mappings Across Virtual Systems

App-ID Overview

Streamlined App-ID Policy Rules

Create an Application Filter Using Tags

Create an Application Filter Based on Custom Tags

App-ID and HTTP/2 Inspection

Manage Custom or Unknown Applications

Manage New and Modified App-IDs

Workflow to Best Incorporate New and Modified App-IDs

See the New and Modified App-IDs in a Content Release

See How New and Modified App-IDs Impact Your Security Policy

Ensure Critical New App-IDs are Allowed

Monitor New App-IDs

Disable and Enable App-IDs

Enable and Monitor App-ID TSIDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Resolve Application Dependencies

Safely Enable Applications on Default Ports

Applications with Implicit Support

Security Policy Rule Optimization

Policy Optimizer Concepts

Sorting and Filtering Security Policy Rules

Clear Application Usage Data

Migrate Port-Based to App-ID Based Security Policy Rules

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Add Applications to an Existing Rule

Identify Security Policy Rules with Unused Applications

High Availability for Application Usage Statistics

How to Disable Policy Optimizer

App-ID Cloud Engine

Prepare to Deploy App-ID Cloud Engine

Enable or Disable the App-ID Cloud Engine

App-ID Cloud Engine Processing and Policy Usage

New App Viewer (Policy Optimizer)

Add Apps to an Application Filter with Policy Optimizer

Add Apps to an Application Group with Policy Optimizer

Add Apps Directly to a Rule with Policy Optimizer

Replace an RMA Firewall (ACE)

Impact of License Expiration or Disabling ACE

Commit Failure Due to Cloud Content Rollback

Troubleshoot App-ID Cloud Engine

SaaS App-ID Policy Recommendation

Import SaaS Policy Recommendation

Import Updated SaaS Policy Recommendation

Remove Deleted SaaS Policy Recommendation

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Use HTTP Headers to Manage SaaS Application Access

Understand SaaS Custom Headers

Domains used by the Predefined SaaS Application Types

Create HTTP Header Insertion Entries using Predefined Types

Create Custom HTTP Header Insertion Entries

Maintain Custom Timeouts for Data Center Applications

Device-ID Overview

Prepare to Deploy Device-ID

Configure Device-ID

Manage Device-ID

CLI Commands for Device-ID

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Forward Proxy Decryption Profile

SSL Inbound Inspection

SSL Inbound Inspection Decryption Profile

SSL Protocol Settings Decryption Profile

SSH Proxy Decryption Profile

Profile for No Decryption

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

Perfect Forward Secrecy (PFS) Support for SSL Decryption

SSL Decryption and Subject Alternative Names (SANs)

TLSv1.3 Decryption

High Availability Not Supported for Decrypted Sessions

Decryption Mirroring

Prepare to Deploy Decryption

Work with Stakeholders to Develop a Decryption Deployment Strategy

Develop a PKI Rollout Plan

Size the Decryption Firewall Deployment

Plan a Staged, Prioritized Deployment

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Server Certificate Verification for Undecrypted Traffic

Decryption Exclusions

Palo Alto Networks Predefined Decryption Exclusions

Exclude a Server from Decryption for Technical Reasons

Local Decryption Exclusion Cache

Create a Policy-Based Decryption Exclusion

Block Private Key Export

Generate a Private Key and Block It

Import a Private Key and Block It

Import a Private Key for IKE Gateway and Block It

Verify Private Key Blocking

Enable Users to Opt Out of SSL Decryption

Temporarily Disable SSL Decryption

Configure Decryption Port Mirroring

Verify Decryption

Troubleshoot and Monitor Decryption

Decryption Application Command Center Widgets

Configure Decryption Logging

Decryption Log Errors, Error Indexes, and Bitmasks

Repair Incomplete Certificate Chains

Custom Report Templates for Decryption

Unsupported Parameters by Proxy Type and TLS Version

Decryption Troubleshooting Workflow Examples

Investigate Decryption Failure Reasons

Troubleshoot Unsupported Cipher Suites

Identify Weak Protocols and Cipher Suites

Identify Untrusted CA Certificates

Troubleshoot Expired Certificates

Troubleshoot Revoked Certificates

Troubleshoot Pinned Certificates

Activate Free Licenses for Decryption Features

Quality of Service

QoS for Applications and Users

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure Lockless QoS

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

VPN Deployments

Site-to-Site VPN Overview

Site-to-Site VPN Concepts

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

Set Up Site-to-Site VPN

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IPSec Crypto Profiles

Set Up an IPSec Tunnel

Set Up Tunnel Monitoring

Define a Tunnel Monitoring Profile

View the Status of the Tunnels

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Refresh and Restart Behaviors

Refresh or Restart an IKE Gateway or IPSec Tunnel

Test VPN Connectivity

Interpret VPN Error Messages

Site-to-Site VPN Quick Configs

Site-to-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-to-Site VPN with Static and Dynamic Routing

Large Scale VPN (LSVPN)

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

GlobalProtect Portal for LSVPN Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configs

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Security Policy

Components of a Security Policy Rule

Security Policy Actions

Create a Security Policy Rule

Security Profiles

Create a Security Profile Group

Set Up or Override a Default Security Profile Group

Create a Data Filtering Profile

Predefined Data Filtering Patterns

Set Up File Blocking

Track Rules Within a Rulebase

Enforce Policy Rule Description, Tag, and Audit Comment

Move or Clone a Policy Rule or Object to a Different Virtual System

Use an Address Object to Represent IP Addresses

Address Objects

Create an Address Object

Use Tags to Group and Visually Distinguish Objects

Create and Apply Tags

View Rules by Tag Group

Use an External Dynamic List in Policy

External Dynamic List

Formatting Guidelines for an External Dynamic List

IP Address List

Built-in External Dynamic Lists

Configure the Firewall to Access an External Dynamic List

Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service

Convert the GlobalSign Root R1 Certificate to PEM Format

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

Exclude Entries from an External Dynamic List

Enforce Policy on an External Dynamic List

Find External Dynamic Lists That Failed Authentication

Disable Authentication for an External Dynamic List

Register IP Addresses and Tags Dynamically

Use Dynamic User Groups in Policy

Use Auto-Tagging to Automate Security Actions

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Use Dynamic Address Groups in Policy

CLI Commands for Dynamic IP Addresses and Tags

Enforce Policy on Endpoints and Users Behind an Upstream Device

Use XFF Values for Policy Based on Source Users

Use XFF IP Address Values in Security Policy and Logging

Use the IP Address in the XFF Header to Troubleshoot Events

Policy-Based Forwarding

PBF

Egress Path and Symmetric Return

Path Monitoring for PBF

Service Versus Applications in PBF

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Application Override Policy

Test Policy Rules

Virtual Systems

Virtual Systems Overview

Virtual System Components and Segmentation

Benefits of Virtual Systems

Use Cases for Virtual Systems

Platform Support and Licensing for Virtual Systems

Administrative Roles for Virtual Systems

Shared Objects for Virtual Systems

Communication Between Virtual Systems

Inter-VSYS Traffic That Must Leave the Firewall

Inter-VSYS Traffic That Remains Within the Firewall

External Zones and Security Policies For Traffic Within a Firewall

Inter-VSYS Communication Uses Two Sessions

External Zones and Shared Gateway

Networking Considerations for a Shared Gateway

Configure Virtual Systems

Configure Inter-Virtual System Communication within the Firewall

Configure a Shared Gateway

Customize Service Routes for a Virtual System

Customize Service Routes to Services for Virtual Systems

Configure a PA-7000 Series Firewall for Logging Per Virtual System

Configure a PA-7000 Series LPC for Logging per Virtual System

Configure a PA-7000 Series LFC for Logging per Virtual System

Configure Administrative Access Per Virtual System or Firewall

Virtual System Functionality with Other Features

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Zone Defense Tools

How Do the Zone Defense Tools Work?

Firewall Placement for DoS Protection

Baseline CPS Measurements for Setting Flood Thresholds

CPS Measurements to Take

How to Measure CPS

Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet-Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Packet Buffer Protection

DoS Protection Profiles and Policy Rules

Classified Versus Aggregate DoS Protection

DoS Protection Profiles

DoS Protection Policy Rules

Configure Zone Protection to Increase Network Security

Configure Reconnaissance Protection

Configure Packet Based Attack Protection

Configure Protocol Protection

Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Configure Packet Buffer Protection

Configure Packet Buffer Protection Based on Latency

Configure Ethernet SGT Protection

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

End a Single Session DoS Attack

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Discard a Session Without a Commit

Enable FIPS and Common Criteria Support

Access the Maintenance Recovery Tool (MRT)

Change the Operational Mode to FIPS-CC Mode

FIPS-CC Security Functions

Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

PAN-OS Upgrade Guide

Software and Content Updates

PAN-OS Software Updates

Dynamic Content Updates

Install Content Updates

Applications and Threats Content Updates

Deploy Applications and Threats Content Updates

Tips for Content Updates

Best Practices for Applications and Threats Content Updates

Best Practices for Content Updates—Mission-Critical

Best Practices for Content Updates—Security-First

Content Delivery Network Infrastructure

Upgrade Panorama

Install Content Updates and Software Upgrades for Panorama

Upgrade Panorama with an Internet Connection

Upgrade Panorama Without an Internet Connection

Install Content Updates Automatically for Panorama without an Internet Connection

Upgrade Panorama in an HA Configuration

Install a PAN-OS Software Patch

Migrate Panorama Logs to the New Log Format

Upgrade Panorama for Increased Device Management Capacity

Upgrade Panorama and Managed Devices in FIPS-CC Mode

Downgrade from Panorama 10.2

Troubleshoot Your Panorama Upgrade

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

What Updates Can Panorama Push to Other Devices?

Schedule a Content Update Using Panorama

Panorama, Log Collector, Firewall, and WildFire Version Compatibility

Upgrade Log Collectors When Panorama Is Internet-Connected

Upgrade Log Collectors When Panorama Is Not Internet-Connected

Upgrade a WildFire Cluster from Panorama with an Internet Connection

Upgrade a WildFire Cluster from Panorama without an Internet Connection

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Install a PAN-OS Software Patch

Revert Content Updates from Panorama

PAN-OS Upgrade Checklist

Upgrade/Downgrade Considerations

Upgrade the Firewall to PAN-OS 10.2

Determine the Upgrade Path to PAN-OS 10.2

Upgrade Firewalls Using Panorama

Upgrade a Standalone Firewall

Upgrade an HA Firewall Pair

Upgrade the Firewall to PAN-OS 10.2 from Panorama

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Install a PAN-OS Software Patch

Downgrade PAN-OS

Downgrade a Firewall to a Previous Maintenance Release

Downgrade a Firewall to a Previous Feature Release

Downgrade a Windows Agent

Troubleshoot Your PAN-OS Upgrade

Upgrade the VM-Series Firewall

Upgrade the VM-Series PAN-OS Software (Standalone)

Upgrade the VM-Series PAN-OS Software (HA Pair)

Upgrade the VM-Series PAN-OS Software Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

Upgrade Panorama Plugins

Panorama Plugins Upgrade/Downgrade Considerations

Upgrade a Panorama Plugin

Upgrade the Enterprise DLP Plugin

Upgrade the Panorama Interconnect Plugin

Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release

Upgrade and Downgrade Paths for SD-WAN Plugin

Install the SD-WAN Plugin

Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin

Upgrade Standalone Panorama Leveraging SD-WAN Plugin

Changes to Note After Upgrade

CLI Commands for Upgrade

Use CLI Commands for Upgrade Tasks

APIs for Upgrade

Use the API for Upgrade Tasks

PAN-OS Release Notes

Features Introduced in PAN-OS 10.2

Content Inspection Features

URL Filtering Features

Panorama Features

Networking Features

GlobalProtect Features

Management Features

Decryption Features

App-ID Features

IoT Security Features

Mobile Infrastructure Security Features

Authentication Features

Virtualization Features

Hardware Features

Enterprise Data Loss Prevention Features

Changes to Default Behavior

Changes to Default Behavior in PAN-OS 10.2

Limitations in PAN-OS 10.2

Associated Content and Software Versions

Associated Content and Software Versions for PAN-OS 10.2

Compatible Plugin Versions for PAN-OS 10.2

WildFire Analysis Environment Support for PAN-OS 10.2.2

PAN-OS 10.2.12 Known and Addressed Issues

PAN-OS 10.2.12 Known Issues

PAN-OS 10.2.12-h2 Addressed Issues

PAN-OS 10.2.12-h1 Addressed Issues

PAN-OS 10.2.12 Addressed Issues

PAN-OS 10.2.11 Known and Addressed Issues

PAN-OS 10.2.11 Known Issues

PAN-OS 10.2.11-h6 Addressed Issues

PAN-OS 10.2.11-h4 Addressed Issues

PAN-OS 10.2.11-h3 Addressed Issues

PAN-OS 10.2.11-h2 Addressed Issues

PAN-OS 10.2.11-h1 Addressed Issues

PAN-OS 10.2.11 Addressed Issues

PAN-OS 10.2.10 Known and Addressed Issues

PAN-OS 10.2.10 Known Issues

PAN-OS 10.2.10-h9 Addressed Issues

PAN-OS 10.2.10-h7 Addressed Issues

PAN-OS 10.2.10-h5 Addressed Issues

PAN-OS 10.2.10-h4 Addressed Issues

PAN-OS 10.2.10-h3 Addressed Issues

PAN-OS 10.2.10-h2 Addressed Issues

PAN-OS 10.2.10 Addressed Issues

PAN-OS 10.2.10-h10 Addressed Issues

PAN-OS 10.2.9 Known and Addressed Issues

PAN-OS 10.2.9 Known Issues

PAN-OS 10.2.9-h16 Addressed Issues

PAN-OS 10.2.9-h14 Addressed Issues

PAN-OS 10.2.9-h11 Addressed Issues

PAN-OS 10.2.9-h9 Addressed Issues

PAN-OS 10.2.9-h1 Addressed Issues

PAN-OS 10.2.9 Addressed Issues

PAN-OS 10.2.8 Known and Addressed Issues

PAN-OS 10.2.8 Known Issues

PAN-OS 10.2.8-h15 Addressed Issues

PAN-OS 10.2.8-h13 Addressed Issues

PAN-OS 10.2.8-h10 Addressed Issues

PAN-OS 10.2.8-h4 Addressed Issues

PAN-OS 10.2.8-h3 Addressed Issues

PAN-OS 10.2.8 Addressed Issues

PAN-OS 10.2.7 Known and Addressed Issues

PAN-OS 10.2.7 Known Issues

PAN-OS 10.2.7-h18 Addressed Issues

PAN-OS 10.2.7-h16 Addressed Issues

PAN-OS 10.2.7-h12 Addressed Issues

PAN-OS 10.2.7-h8 Addressed Issues

PAN-OS 10.2.7-h6 Addressed Issues

PAN-OS 10.2.7-h3 Addressed Issues

PAN-OS 10.2.7-h1 Addressed Issues

PAN-OS 10.2.7 Addressed Issues

PAN-OS 10.2.7-h19 Addressed Issues

PAN-OS 10.2.6 Known and Addressed Issues

PAN-OS 10.2.6 Known Issues

PAN-OS 10.2.6-h6 Addressed Issues

PAN-OS 10.2.6-h3 Addressed Issues

PAN-OS 10.2.6-h1 Addressed Issues

PAN-OS 10.2.6 Addressed Issues

PAN-OS 10.2.5 Known and Addressed Issues

PAN-OS 10.2.5 Known Issues

PAN-OS 10.2.5-h9 Addressed Issues

PAN-OS 10.2.5-h6 Addressed Issues

PAN-OS 10.2.5-h4 Addressed Issues

PAN-OS 10.2.5-h1 Addressed Issues

PAN-OS 10.2.5 Addressed Issues

PAN-OS 10.2.4 Known and Addressed Issues

PAN-OS 10.2.4 Known Issues

PAN-OS 10.2.4-h32 Addressed Issues

PAN-OS 10.2.4-h16 Addressed Issues

PAN-OS 10.2.4-h10 Addressed Issues

PAN-OS 10.2.4-h4 Addressed Issues

PAN-OS 10.2.4-h3 Addressed Issues

PAN-OS 10.2.4-h2 Addressed Issues

PAN-OS 10.2.4 Addressed Issues

PAN-OS 10.2.3 Known and Addressed Issues

PAN-OS 10.2.3 Known Issues

PAN-OS 10.2.3-h14 Addressed Issues

PAN-OS 10.2.3-h13 Addressed Issues

PAN-OS 10.2.3-h12 Addressed Issues

PAN-OS 10.2.3-h11 Addressed Issues

PAN-OS 10.2.3-h9 Addressed Issues

PAN-OS 10.2.3-h4 Addressed Issues

PAN-OS 10.2.3-h2 Addressed Issues

PAN-OS 10.2.3 Addressed Issues

PAN-OS 10.2.2 Known and Addressed Issues

PAN-OS 10.2.2 Known Issues

PAN-OS 10.2.2-h6 Addressed Issues

PAN-OS 10.2.2-h5 Addressed Issues

PAN-OS 10.2.2-h4 Addressed Issues

PAN-OS 10.2.2-h2 Addressed Issues

PAN-OS 10.2.2-h1 Addressed Issues

PAN-OS 10.2.2 Addressed Issues

PAN-OS 10.2.1 Known and Addressed Issues

PAN-OS 10.2.1 Known Issues

PAN-OS 10.2.1-h3 Addressed Issues

PAN-OS 10.2.1-h2 Addressed Issues

PAN-OS 10.2.1-h1 Addressed Issues

PAN-OS 10.2.1 Addressed Issues

PAN-OS 10.2.0 Known and Addressed Issues

PAN-OS 10.2.0 Known Issues

PAN-OS 10.2.0-h4 Addressed Issues

PAN-OS 10.2.0-h3 Addressed Issues

PAN-OS 10.2.0-h2 Addressed Issues

PAN-OS 10.2.0-h1 Addressed Issues

PAN-OS 10.2.0 Addressed Issues

Related Documentation

Related Documentation for PAN-OS 10.2

User-ID™ Agent Release Notes

User-ID Agent 10.1 Release Information

Features Introduced in User-ID Agent 10.1

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

User-ID Agent 10.1 Addressed Issues

Related Documentation

Requesting Support

Terminal Server (TS) Agent Release Notes

Terminal Server (TS) Agent 10.1 Release Information

Features Introduced in TS Agent 10.1

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

Known Issues in TS Agent 10.1

Terminal Server (TS) Agent 10.1 Addressed Issues

Related Documentation

Requesting Support

PAN-OS Web Interface Help

Web Interface Basics

Firewall Overview

Features and Benefits

Last Login Time and Failed Login Attempts

Message of the Day

Save Candidate Configurations

Lock Configurations

AutoFocus Intelligence Summary

Configuration Table Export

Change Boot Mode

Dashboard Widgets

ACC

A First Glance at the ACC

Working with Tabs and Widgets

Working with Filters—Local Filters and Global Filters

Monitor > External Logs

Monitor > Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Object...

Monitor > Automated Correlation Engine > Correlated Events

Monitor > Packet Capture

Packet Capture Overview

Building Blocks for a Custom Packet Capture

Enable Threat Packet Capture

Monitor > App Scope

App Scope Overview

App Scope Summary Report

App Scope Change Monitor Report

App Scope Threat Monitor Report

App Scope Threat Map Report

App Scope Network Monitor Report

App Scope Traffic Map Report

Monitor > Session Browser

Monitor > Block IP List

Block IP List Entries

View or Delete Block IP List Entries

Monitor > Botnet

Managing Botnet Reports

Configuring the Botnet Report

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary

Monitor > PDF Reports > User Activity Report

Monitor > PDF Reports > SaaS Application Usage

Monitor > PDF Reports > Report Groups

Monitor > PDF Reports > Email Scheduler

Monitor > Manage Custom Reports

Monitor > Reports

Move or Clone a Policy Rule

Audit Comment Archive

Rule Usage Query

Policies > Security

Security Policy Overview

Building Blocks in a Security Policy Rule

Creating and Managing Policies

Overriding or Reverting a Security Policy Rule

Applications and Usage

Security Policy Rule Usage

NAT Policies General Tab

NAT Original Packet Tab

NAT Translated Packet Tab

NAT Active/Active HA Binding Tab

Policies > Policy Based Forwarding

Policy Based Forwarding General Tab

Policy Based Forwarding Source Tab

Policy Based Forwarding Destination/Application/Service Tab

Policy Based Forwarding Forwarding Tab

Policy Based Forwarding Target Tab

Policies > Decryption

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Decryption Target Tab

Policies > Network Packet Broker

Network Packet Broker General Tab

Network Packet Broker Source Tab

Network Packet Broker Destination Tab

Network Packet Broker Application/Service/Traffic Tab

Network Packet Broker Path Selection Tab

Network Packet Broker Policy Optimizer Rule Usage

Policies > Tunnel Inspection

Building Blocks in a Tunnel Inspection Policy

Policies > Application Override

Application Override General Tab

Application Override Source Tab

Application Override Destination Tab

Application Override Protocol/Application Tab

Application Override Target Tab

Policies > Authentication

Building Blocks of an Authentication Policy Rule

Create and Manage Authentication Policy

Policies > DoS Protection

DoS Protection General Tab

DoS Protection Source Tab

DoS Protection Destination Tab

DoS Protection Option/Protection Tab

DoS Protection Target Tab

Policies > SD-WAN

SD-WAN General Tab

SD-WAN Source Tab

SD-WAN Destination Tab

SD-WAN Application/Service Tab

SD-WAN Path Selection Tab

SD-WAN Target Tab

Move, Clone, Override, or Revert Objects

Move or Clone an Object

Override or Revert an Object

Objects > Addresses

Objects > Address Groups

Objects > Regions

Objects > Dynamic User Groups

Objects > Applications

Applications Overview

Actions Supported on Applications

Defining Applications

Objects > Application Groups

Objects > Application Filters

Objects > Services

Objects > Service Groups

View Rulebase as Groups

Move Rules in Group to Different Rulebase or Device Group

Change Group of All Rules

Move All Rules in Group

Delete All Rules in Group

Clone All Rules in Group

Objects > Devices

Objects > External Dynamic Lists

Objects > Custom Objects

Objects > Custom Objects > Data Patterns

Data Pattern Settings

Syntax for Regular Expression Data Patterns

Regular Expression Data Pattern Examples

Objects > Custom Objects > Spyware/Vulnerability

Objects > Custom Objects > URL Category

Objects > Security Profiles

Actions in Security Profiles

Objects > Security Profiles > Antivirus

Objects > Security Profiles > Anti-Spyware Profile

Objects > Security Profiles > Vulnerability Protection

Objects > Security Profiles > URL Filtering

URL Filtering General Settings

URL Filtering Categories

URL Filtering Settings

User Credential Detection

HTTP Header Insertion

URL Filtering Inline ML

Objects > Security Profiles > File Blocking

Objects > Security Profiles > WildFire Analysis

Objects > Security Profiles > Data Filtering

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > Mobile Network Protection

Objects > Security Profiles > SCTP Protection

Objects > Security Profile Groups

Objects > Log Forwarding

Objects > Authentication

Objects > Decryption Profile

Decryption Profile General Settings

Settings to Control Decrypted SSL Traffic

Settings to Control Traffic that is not Decrypted

Settings to Control Decrypted SSH Traffic

Objects > Packet Broker Profile

Objects > SD-WAN Link Management

Objects > SD-WAN Link Management > Path Quality Profile

Objects > SD-WAN Link Management > SaaS Quality Profile

Objects > SD-WAN Link Management > Traffic Distribution-Profile

Objects > SD-WAN Link Management > Error Correction Profile

Objects > Schedules

Network > Interfaces

Firewall Interfaces Overview

Common Building Blocks for Firewall Interfaces

Common Building Blocks for PA-7000 Series Firewall Interfac...

Virtual Wire Interface

Virtual Wire Subinterface

PA-7000 Series Layer 2 Interface

PA-7000 Series Layer 2 Subinterface

PA-7000 Series Layer 3 Interface

Layer 3 Interface

Layer 3 Subinterface

Log Card Interface

Log Card Subinterface

Decrypt Mirror Interface

Aggregate Ethernet (AE) Interface Group

Aggregate Ethernet (AE) Interface

Network > Interfaces > VLAN

Network > Interfaces > Loopback

Network > Interfaces > Tunnel

Network > Interfaces > SD-WAN

Network > Zones

Security Zone Overview

Building Blocks of Security Zones

Network > VLANs

Network > Virtual Wires

Network > Virtual Routers

General Settings of a Virtual Router

Route Redistribution

RIP

RIP Interfaces Tab

RIP Auth Profiles Tab

RIP Export Rules Tab

OSPF Auth Profiles Tab

OSPF Export Rules Tab

OSPF Advanced Tab

OSPFv3 Areas Tab

OSPFv3 Auth Profiles Tab

OSPFv3 Export Rules Tab

OSPFv3 Advanced Tab

BGP

Basic BGP Settings

BGP General Tab

BGP Advanced Tab

BGP Peer Group Tab

BGP Import and Export Tabs

BGP Conditional Adv Tab

BGP Aggregate Tab

BGP Redist Rules Tab

Multicast Rendezvous Point Tab

Multicast Interfaces Tab

Multicast SPT Threshold Tab

Multicast Source Specific Address Tab

Multicast Advanced Tab

More Runtime Stats for a Virtual Router

BFD Summary Information Tab

More Runtime Stats for a Logical Router

Routing Stats for a Logical Router

BGP Stats for a Logical Router

Network > Routing > Logical Routers

General Settings of a Logical Router

Static Routes for a Logical Router

BGP Routing for a Logical Router

Network > Routing > Routing Profiles > BGP

Network > IPSec Tunnels

IPSec VPN Tunnel Management

IPSec Tunnel General Tab

IPSec Tunnel Proxy IDs Tab

IPSec Tunnel Status on the Firewall

IPSec Tunnel Restart or Refresh

Network > GRE Tunnels

DHCP Addressing

Network > DNS Proxy

DNS Proxy Overview

DNS Proxy Settings

Additional DNS Proxy Actions

QoS Interface Settings

QoS Interface Statistics

Building Blocks of LLDP

Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto

Network > Network Profiles > IKE Gateways

IKE Gateway Management

IKE Gateway General Tab

IKE Gateway Advanced Options Tab

IKE Gateway Restart or Refresh

Network > Network Profiles > IPSec Crypto

Network > Network Profiles > IKE Crypto

Network > Network Profiles > Monitor

Network > Network Profiles > Interface Mgmt

Network > Network Profiles > Zone Protection

Building Blocks of Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Network > Network Profiles > QoS

Network > Network Profiles > LLDP Profile

Network > Network Profiles > BFD Profile

Building Blocks of a BFD Profile

View BFD Summary and Details

Network > Network Profiles > SD-WAN Interface Profile

Device > Setup > Management

Device > Setup > Operations

Enable SNMP Monitoring

Device > Setup > HSM

Hardware Security Module Provider Settings

HSM Authentication

Hardware Security Operations

Hardware Security Module Provider Configuration and Status

Hardware Security Module Status

Device > Setup > Services

Configure Services for Global and Virtual Systems

Global Services Settings

IPv4 and IPv6 Support for Service Route Configuration

Destination Service Route

Device > Setup > Interfaces

Device > Setup > Telemetry

Device > Setup > Content-ID

Device > Setup > WildFire

Device > Setup > Session

Session Settings

Session Timeouts

Decryption Settings: Certificate Revocation Checking

Decryption Settings: Forward Proxy Server Certificate Setti...

Decryption Settings: SSL Decryption Settings

VPN Session Settings

Device Setup Ace

Device > Setup > DLP

Device > High Availability

Important Considerations for Configuring HA

HA General Settings

HA Communications

HA Link and Path Monitoring

HA Active/Active Config

Device > Log Forwarding Card

Device > Config Audit

Device > Password Profiles

Username and Password Requirements

Device > Administrators

Device > Admin Roles

Device > Access Domain

Device > Authentication Profile

Authentication Profile

SAML Metadata Export from an Authentication Profile

Device > Authentication Sequence

Device > Data Redistribution

Device > Data Redistribution > Agents

Device > Data Redistribution > Clients

Device > Data Redistribution > Collector Settings

Device > Data Redistribution > Include/Exclude Networks

Device > Device Quarantine

Device > VM Information Sources

Settings to Enable VM Information Sources for VMware ESXi a...

Settings to Enable VM Information Sources for AWS VPC

Settings to Enable VM Information Sources for Google Comput...

Device > Troubleshooting

Security Policy Match

QoS Policy Match

Authentication Policy Match

Decryption/SSL Policy Match

NAT Policy Match

Policy Based Forwarding Policy Match

DoS Policy Match

Log Collector Connectivity

External Dynamic List

Test Cloud Logging Service Status

Test Cloud GP Service Status

Device > Virtual Systems

Device > Shared Gateways

Device > Certificate Management

Device > Certificate Management > Certificates

Manage Firewall and Panorama Certificates

Other Supported Actions to Manage Certificates

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificate Profile

Device > Certificate Management > OCSP Responder

Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SCEP

Device > Certificate Management > SSL Decryption Exclusion

Device > Certificate Management > SSH Service Profile

Device > Response Pages

Device > Log Settings

Select Log Forwarding Destinations

Define Alarm Settings

Device > Server Profiles

Device > Server Profiles > SNMP Trap

Device > Server Profiles > Syslog

Device > Server Profiles > Email

Device > Server Profiles > HTTP

Device > Server Profiles > NetFlow

Device > Server Profiles > RADIUS

Device > Server Profiles > TACACS+

Device > Server Profiles > LDAP

Device > Server Profiles > Kerberos

Device > Server Profiles > SAML Identity Provider

Device > Server Profiles > DNS

Device > Server Profiles > Multi Factor Authentication

Device > Local User Database > Users

Device > Local User Database > User Groups

Device > Scheduled Log Export

Device > Software

Device > Dynamic Updates

Device > Licenses

Device > Support

Device > Master Key and Diagnostics

Deploy Master Key

Device > Policy Recommendation

Device > Policy > Recommendation SaaS

User Identification

Device > User Identification > User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor Account

Server Monitoring

Ignore User List

Monitor Servers

Configure Access to Monitored Servers

Manage Access to Monitored Servers

Include or Exclude Subnetworks for User Mapping

Device > User Identification > Connection Security

Device > User Identification > Terminal Services Agents

Device > User Identification > Group Mapping Settings Tab

Device > User Identification > Cloud Identity Engine

Device > User Identification > Captive Portal Settings

Network > GlobalProtect > Portals

GlobalProtect Portals General Tab

GlobalProtect Portals Authentication Configuration Tab

GlobalProtect Portals Portal Data Collection Tab

GlobalProtect Portals Agent Configuration Tab

GlobalProtect Portals Agent Authentication Tab

GlobalProtect Portals Agent Config Selection Criteria Tab

GlobalProtect Portals Agent Internal Tab

GlobalProtect Portals Agent External Tab

GlobalProtect Portals Agent App Tab

GlobalProtect Portals Agent HIP Data Collection Tab

GlobalProtect Portals Clientless Configuration Tab

GlobalProtect Portal Satellite Configuration Tab

Network > GlobalProtect > Gateways

GlobalProtect Gateways General Tab

GlobalProtect Gateway Authentication Tab

GlobalProtect Gateways Agent Tab

Tunnel Settings Tab

Client Settings Tab

Client IP Pool Tab

Network Services Tab

Connection Settings Tab

Video Traffic Tab

HIP Notification Tab

GlobalProtect Gateway Satellite Configuration Tab

Network > GlobalProtect > MDM

Network > GlobalProtect > Clientless Apps

Network > GlobalProtect > Clientless App Groups

Objects > GlobalProtect > HIP Objects

HIP Objects General Tab

HIP Objects Mobile Device Tab

HIP Objects Patch Management Tab

HIP Objects Firewall Tab

HIP Objects Anti-Malware Tab

HIP Objects Disk Backup Tab

HIP Objects Disk Encryption Tab

HIP Objects Data Loss Prevention Tab

HIP Objects Certificate Tab

HIP Objects Custom Checks Tab

Objects > GlobalProtect > HIP Profiles

Device > GlobalProtect Client

Managing the GlobalProtect Agent Software

Setting Up the GlobalProtect Agent

Using the GlobalProtect Agent

Panorama Web Interface

Use the Panorama Web Interface

Panorama Commit Operations

Defining Policies on Panorama

Log Storage Partitions for a Panorama Virtual Appliance in ...

Panorama > Setup > Interfaces

Panorama > High Availability

Panorama > Managed WildFire Clusters

Managed WildFire Cluster Tasks

Managed WildFire Appliance Tasks

Managed WildFire Information

Managed WildFire Cluster and Appliance Administration

Panorama > Administrators

Panorama > Admin Roles

Panorama > Access Domains

Panorama > Scheduled Config Push

Scheduled Config Push Scheduler

Scheduled Config Push Execution History

Panorama > Managed Devices > Summary

Managed Firewall Administration

Managed Firewall Information

Firewall Software and Content Updates

Firewall Backups

Panorama > Device Quarantine

Panorama > Managed Devices > Health

Detailed Device Health in Panorama

Panorama > Templates

Template Stacks

Panorama > Templates > Template Variables

Panorama > Device Groups

Panorama > Managed Collectors

Log Collector Information

Log Collector Configuration

General Log Collector Settings

Log Collector Authentication Settings

Log Collector Interface Settings

Log Collector RAID Disk Settings

User-ID Agent Settings

Connection Security

Communication Settings

Software Updates for Dedicated Log Collectors

Panorama > Collector Groups

Collector Group Configuration

Collector Group Information

Panorama > Plugins

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Panorama > VMware NSX

Configure a Notify Group

Create Service Definitions

Configure Access to the NSX Manager

Create Steering Rules

Panorama > Log Ingestion Profile

Panorama > Log Settings

Panorama > Server Profiles > SCP

Panorama > Scheduled Config Export

Panorama > Software

Manage Panorama Software Updates

Display Panorama Software Update Information

Panorama > Device Deployment

Manage Software and Content Updates

Display Software and Content Update Information

Schedule Dynamic Content Updates

Panorama > Dynamic Updates > Revert Content

Manage Firewall Licenses

Panorama > Device Registration Auth Key

PAN-OS CLI Quick Start

Get Started with the CLI

Verify SSH Connection to Firewall

Refresh SSH Keys and Configure Key Options for Management Interface Connection

Give Administrators Access to the CLI

Administrative Privileges

Set Up a Firewall Administrative Account and Assign CLI Privileges

Set Up a Panorama Administrative Account and Assign CLI Privileges

Change CLI Modes

Navigate the CLI

View the Entire Command Hierarchy

Find a Specific Command Using a Keyword Search

Get Help on Command Syntax

Get Help on a Command

Interpret the Command Help

Customize the CLI

View Settings and Statistics

Modify the Configuration

Commit Configuration Changes

Test the Configuration

Test the Authentication Configuration

Test Policy Matches

Load Configurations

Load Configuration Settings from a Text File

Load a Partial Configuration

Xpath Location Formats Determined by Device Configuration

Load a Partial Configuration into Another Configuration Using Xpath Values

Use Secure Copy to Import and Export Files

Export a Saved Configuration from One Firewall and Import it into Another

Export and Import a Complete Log Database (logdb)

CLI Cheat Sheets

CLI Cheat Sheet: Device Management

CLI Cheat Sheet: User-ID

CLI Cheat Sheet: HA

CLI Cheat Sheet: Networking

CLI Cheat Sheet: VSYS

CLI Cheat Sheet: Panorama

CLI Cheat Sheet: CTD Evasion Detection

CLI Changes in PAN-OS 10.1

Set Commands Introduced in PAN-OS 10.1

Set Commands Changed in PAN-OS 10.1

Set Commands Removed in PAN-OS 10.1

Show Commands Introduced in PAN-OS 10.1

Show Commands Changed in PAN-OS 10.1

Show Commands Removed in PAN-OS 10.1

CLI Command Hierarchy for PAN-OS 10.1

PAN-OS 10.1 CLI Ops Command Hierarchy

PAN-OS 10.1 Configure CLI Command Hierarchy

PAN-OS® Networking Administrator’s Guide

Networking Introduction

Configure Interfaces

Virtual Wire Interfaces

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

Virtual Wire Support of High Availability

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure Virtual Wires

Layer 2 Interfaces

Layer 2 Interfaces with No VLANs

Layer 2 Interfaces with VLANs

Configure a Layer 2 Interface

Configure a Layer 2 Interface, Subinterface, and VLAN

Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Interfaces

Configure Layer 3 Interfaces

Manage IPv6 Hosts Using NDP

IPv6 Router Advertisements for DNS Configuration

Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements

Enable NDP Monitoring

Configure an Aggregate Interface Group

Configure Bonjour Reflector for Network Segmentation

Use Interface Management Profiles to Restrict Access

Virtual Routers

Virtual Router Overview

Configure Virtual Routers

Service Routes Overview

Configure Service Routes

Static Route Overview

Static Route Removal Based on Path Monitoring

Configure a Static Route

Configure Path Monitoring for a Static Route

RIP

OSPF Router Types

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Confederations

PIM

Shortest-Path Tree (SPT) and Shared Tree

PIM Assert Mechanism

Reverse-Path Forwarding

Configure IP Multicast

View IP Multicast Information

Route Redistribution

Route Redistribution Overview

Configure Route Redistribution

GRE Tunnel Overview

Create a GRE Tunnel

Firewall as a DHCP Server and Client

DHCP Addressing

DHCP Address Allocation Methods

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCP Client

Configure the Management Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear DHCP Leases

View DHCP Client Information

Gather Debug Output about DHCP

DNS

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Use Case 1: Firewall Requires DNS Resolution

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Proxy Rule and FQDN Matching

Dynamic DNS Overview

Configure Dynamic DNS for Firewall Interfaces

NAT

NAT Policy Rules

NAT Policy Overview

NAT Address Pools Identified as Address Objects

Proxy ARP for NAT Address Pools

Source NAT and Destination NAT

Destination NAT

Destination NAT with DNS Rewrite Use Cases

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Forward Use Cases

NAT Rule Capacities

Dynamic IP and Port NAT Oversubscription

Dataplane NAT Memory Statistics

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT with DNS Rewrite

Configure Destination NAT Using Dynamic IP Addresses

Modify the Oversubscription Rate for DIPP NAT

Reserve Dynamic IP NAT Addresses

Disable NAT for a Specific Host or Interface

NAT Configuration Examples

Destination NAT Example—One-to-One Mapping

Destination NAT with Port Translation Example

Destination NAT Example—One-to-Many Mapping

Source and Destination NAT Example

Virtual Wire Source NAT Example

Virtual Wire Static NAT Example

Virtual Wire Destination NAT Example

Unique Local Addresses

Reasons to Use NPTv6

How NPTv6 Works

Checksum-Neutral Mapping

Bi-Directional Translation

NPTv6 Applied to a Specific Service

NPTv6 and NDP Proxy Example

The ND Cache in NPTv6 Example

The NDP Proxy in NPTv6 Example

The NPTv6 Translation in NPTv6 Example

Neighbors in the ND Cache are Not Translated

Create an NPTv6 Policy

IPv4-Embedded IPv6 Address

Path MTU Discovery

IPv6-Initiated Communication

Configure NAT64 for IPv6-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication with Port Translation

ECMP Load-Balancing Algorithms

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Supported TLVs in LLDP

LLDP Syslog Messages and SNMP Traps

View LLDP Settings and Status

Clear LLDP Statistics

BFD

BFD Model, Interface, and Client Support

Non-Supported RFC Components of BFD

BFD for Static Routes

BFD for Dynamic Routing Protocols

Reference: BFD Details

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Session Distribution Policies

Session Distribution Policy Descriptions

Change the Session Distribution Policy and View Statistics

Prevent TCP Split Handshake Session Establishment

Tunnel Content Inspection

Tunnel Content Inspection Overview

Configure Tunnel Content Inspection

View Inspected Tunnel Activity

View Tunnel Information in Logs

Create a Custom Report Based on Tagged Tunnel Traffic

Tunnel Acceleration Behavior

Disable Tunnel Acceleration

Network Packet Broker

Network Packet Broker Overview

How Network Packet Broker Works

Prepare to Deploy Network Packet Broker

Configure Transparent Bridge Security Chains

Configure Routed Layer 3 Security Chains

Network Packet Broker HA Support

User Interface Changes for Network Packet Broker

Limitations of Network Packet Broker

Troubleshoot Network Packet Broker

PAN-OS® and Panorama™API Usage Guide

About the PAN-OS API

PAN-OS XML API Components

Structure of a PAN-OS XML API Request

API Authentication and Security

XPath Node Selection

Get Started with the PAN-OS XML API

Enable API Access

Get Your API Key

Make Your First API Call

Explore the API

Use the API Browser

Use the CLI to Find XML API Syntax

Use the Web Interface to Find XML API Syntax

PAN-OS XML API Error Codes

Authenticate Your API Requests

PAN-OS XML API Use Cases

Upgrade a Firewall to the Latest PAN-OS Version (API)

Show and Manage GlobalProtect Users (API)

Query a Firewall from Panorama (API)

Upgrade PAN-OS on Multiple HA Firewalls through Panorama (A...

Automatically Check for and Install Content Updates (API)

Enforce Policy using External Dynamic Lists and AutoFocus A...

Configure SAML 2.0 Authentication (API)

Quarantine Compromised Devices (API)

Manage Certificates (API)

PAN-OS XML API Request Types

PAN-OS XML API Request Types and Actions

Configuration Actions

Actions for Modifying a Configuration

Actions for Reading a Configuration

Asynchronous and Synchronous Requests to the PAN-OS XML API

Configuration (API)

Get Active Configuration

Use XPath to Get Active Configuration

Use XPath to Get ARP Information

Get Candidate Configuration

Set Configuration

Edit Configuration

Delete Configuration

Rename Configuration

Clone Configuration

Move Configuration

Override Configuration

Multi-Move or Multi-Clone Configuration

View Configuration Node Values for XPath

Multi-config Request (API)

Commit Configuration (API)

Run Operational Mode Commands (API)

Get Reports (API)

Dynamic Reports

Predefined Reports

Export Files (API)

Export Packet Captures

Export Application PCAPS

Export Threat, Filter, and Data Filtering PCAPs

Export Certificates and Keys

Export Technical Support Data

Import Files (API)

Importing Basics

Retrieve Logs (API)

API Log Retrieval Parameters

Example: Use the API to Retrieve Traffic Logs

Apply User-ID Mapping and Populate Dynamic Address Groups (...

Get Version Info (API)

Get Started with the PAN-OS REST API

PAN-OS REST API

Access the PAN-OS REST API

Resource Methods and Query Parameters (REST API)

PAN-OS REST API Request and Response Structure

PAN-OS REST API Error Codes

Work With Objects (REST API)

Create a Security Policy Rule (REST API)

Work with Policy Rules on Panorama (REST API)

Create a Tag (REST API)

Configure a Security Zone (REST API)

Configure an SD-WAN Interface (REST API)

Create an SD-WAN Policy Pre Rule (REST API)

Configure an Ethernet Interface (REST API)

Update a Virtual Router (REST API)

Work With Decryption (REST APIs)

PAN-OS Release Notes

Features Introduced in PAN-OS 10.1

App-ID Features

Management Features

Panorama Features

Networking Features

Identity Features

User-ID Features

URL Filtering Features

Content Inspection Features

PAN-OS SD-WAN Features

GlobalProtect Features

Virtualization Features

Mobile Infrastructure Security Features

Hardware Features

Changes to Default Behavior

Changes to Default Behavior in PAN-OS 10.1

Limitations in PAN-OS 10.1

Associated Content and Software Versions

Associated Content and Software Versions for PAN-OS 10.1

WildFire Analysis Environment Support for PAN-OS 10.1

PAN-OS 10.1.11 Known and Addressed Issues

PAN-OS 10.1.11 Known Issues

PAN-OS 10.1.11 Addressed Issues

PAN-OS 10.1.11-h1 Addressed Issues

PAN-OS 10.1.11-h3 Addressed Issues

PAN-OS 10.1.11-h4 Addressed Issues

PAN-OS 10.1.11-h5 Addressed Issues

PAN-OS 10.1.11-h10 Addressed Issues

PAN-OS 10.1.10 Known and Addressed Issues

PAN-OS 10.1.10 Known Issues

PAN-OS 10.1.10-h2 Addressed Issues

PAN-OS 10.1.10-h1 Addressed Issues

PAN-OS 10.1.10 Addressed Issues

PAN-OS 10.1.10-h5 Addressed Issues

PAN-OS 10.1.10-h9 Addressed Issues

PAN-OS 10.1.9 Known and Addressed Issues

PAN-OS 10.1.9 Known Issues

PAN-OS 10.1.9-h1 Addressed Issues

PAN-OS 10.1.9-h3 Addressed Issues

PAN-OS 10.1.9-h6 Addressed Issues

PAN-OS 10.1.9 Addressed Issues

PAN-OS 10.1.9-h8 Addressed Issues

PAN-OS 10.1.9-h14 Addressed Issues

PAN-OS 10.1.8 Known and Addressed Issues

PAN-OS 10.1.8 Known Issues

PAN-OS 10.1.8-h2 Addressed Issues

PAN-OS 10.1.8 Addressed Issues

PAN-OS 10.1.8-h6 Addressed Issues

PAN-OS 10.1.8-h7 Addressed Issues

PAN-OS 10.1.8-h8 Addressed Issues

PAN-OS 10.1.7 Known and Addressed Issues

PAN-OS 10.1.7 Known Issues

PAN-OS 10.1.7 Addressed Issues

PAN-OS 10.1.7-h1 Addressed Issues

PAN-OS 10.1.6 Known and Addressed Issues

PAN-OS 10.1.6 Known Issues

PAN-OS 10.1.6-h6 Addressed Issues

PAN-OS 10.1.6-h3 Addressed Issues

PAN-OS 10.1.6 Addressed Issues

PAN-OS 10.1.6-h7 Addressed Issues

PAN-OS 10.1.6-h8 Addressed Issues

PAN-OS 10.1.6-h9 Addressed Issues

PAN-OS 10.1.5 Known and Addressed Issues

PAN-OS 10.1.5 Known Issues

PAN-OS 10.1.5-h2 Addressed Issues

PAN-OS 10.1.5-h1 Addressed Issues

PAN-OS 10.1.5 Addressed Issues

PAN-OS 10.1.5-h3 Addressed Issues

PAN-OS 10.1.5-h4 Addressed Issues

PAN-OS 10.1.4 Known and Addressed Issues

PAN-OS 10.1.4 Known Issues

PAN-OS 10.1.4-h4 Addressed Issues

PAN-OS 10.1.4-h2 Addressed Issues

PAN-OS 10.1.4 Addressed Issues

PAN-OS 10.1.4-h6 Addressed Issues

PAN-OS 10.1.3 Known and Addressed Issues

PAN-OS 10.1.3 Known Issues

PAN-OS 10.1.3-h1 Addressed Issues

PAN-OS 10.1.3 Addressed Issues

PAN-OS 10.1.3-h2 Addressed Issues

PAN-OS 10.1.3-h3 Addressed Issues

PAN-OS 10.1.3-h4 Addressed Issues

PAN-OS 10.1.2 Known and Addressed Issues

PAN-OS 10.1.2 Known Issues

PAN-OS 10.1.2 Addressed Issues

PAN-OS 10.1.1 Known and Addressed Issues

PAN-OS 10.1.1 Known Issues

PAN-OS 10.1.1 Addressed Issues

PAN-OS 10.1.0 Known and Addressed Issues

PAN-OS 10.1.0 Known Issues

PAN-OS 10.1.0 Addressed Issues

Related Documentation

Related Documentation for PAN-OS 10.1

PAN-OS 10.1.12 Known and Addressed Issues

PAN-OS 10.1.12 Known Issues

PAN-OS 10.1.12 Addressed Issues

PAN-OS 10.1.12-h3 Addressed Issues

PAN-OS 10.1.13 Known and Addressed Issues

PAN-OS 10.1.13 Known Issues

PAN-OS 10.1.13 Addressed Issues

PAN-OS 10.1.13-h1 Addressed Issues

PAN-OS 10.1.13-h5 Addressed Issues

PAN-OS 10.1.14 Known and Addressed Issues

PAN-OS 10.1.14 Known Issues

PAN-OS 10.1.14 Addressed Issues

PAN-OS 10.1.14-h2 Addressed Issues

PAN-OS 10.1.14-h4 Addressed Issues

PAN-OS 10.1.14-h6 Addressed Issues

PAN-OS ® New Features Guide

App-ID Features

Cloud-Based App-ID

SaaS Policy Rule Recommendation

Management Features

Audit Tracking for Administrator Activity

Simplified Onboarding to Cortex Data Lake

PAN-OS OpenConfig Support

Persistent Uncommitted Changes on PAN-OS

Panorama Features

Authentication Enhancement for Onboarding Firewalls

Scheduled Configuration Push to Managed Firewalls

Unique Master Key for a Managed Firewall

Device Group Push to a Multi-VSYS Firewall

Networking Features

Aggregate Group Members on Multiple Cards

Network Packet Broker

Persistent NAT for DIPP

LSVPN Cookie Expiry Extension

Identity Features

Cloud Identity Engine

User-ID Features

Group Mapping Centralization for Virtual System Hubs

URL Filtering Features

Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic

Advanced URL Filtering

SD-WAN Features

SD-WAN Support for AE and Subinterfaces

SD-WAN Support for Layer 3 Subinterfaces

Prisma Access Hub Support

GlobalProtect Features

Security Policy Enforcement for Inactive GlobalProtect Sessions

Support for Gzip Encoding in Clientless VPN

Virtualization Features

DPDK Support for Different NIC Types

CN-Series Firewall as a k8s Service

Intelligent Traffic Offload Service for VM-Series on KVM

Customize Dataplane Cores

Mobile Infrastructure Security Features

5G Multi-Edge Security

PAN-OS® Administrator’s Guide

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Access Strategy for Business Continuity

Determine Your Management Strategy

Perform Initial Configuration

Perform Initial Configuration for an Air Gapped Firewall

Set Up Network Access for External Services

Register the Firewall

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Free WildFire Forwarding

Best Practices for Completing the Firewall Deployment

Subscriptions You Can Use With the Firewall

Activate Subscription Licenses

What Happens When Licenses Expire?

Enhanced Application Logs for Palo Alto Networks Cloud Services

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Export Configuration Table Data

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Save and Export Firewall Configurations

Revert Firewall Configuration Changes

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure a Firewall Administrator Account

Configure Local or External Authentication for Firewall Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure API Key Lifetime

Configure Tracking of Administrator Activity

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Provide Granular Access to Operations Settings

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Ports Used for IPSec

Ports Used for Routing

Ports Used for DHCP

Ports Used for Infrastructure

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Device Telemetry

Device Telemetry Overview

Device Telemetry Collection and Transmission Intervals

Manage Device Telemetry

Enable Device Telemetry

Disable Device Telemetry

Enable Service Routes for Telemetry

Manage the Data the Device Telemetry Collects

Manage Historical Device Telemetry

Monitor Device Telemetry

Sample the Data that Device Telemetry Collects

Authentication Types

External Authentication Services

Multi-Factor Authentication

Local Authentication

Plan Your Authentication Deployment

Configure Multi-Factor Authentication

Configure MFA Between RSA SecurID and the Firewall

Configure MFA Between Okta and the Firewall

Configure MFA Between Duo and the Firewall

Configure SAML Authentication

Configure Kerberos Single Sign-On

Configure Kerberos Server Authentication

Configure TACACS+ Authentication

Configure RADIUS Authentication

Configure LDAP Authentication

Connection Timeouts for Authentication Servers

Guidelines for Setting Authentication Server Timeouts

Modify the PAN-OS Web Server Timeout

Modify the Authentication Portal Session Timeout

Configure Local Database Authentication

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Authentication Policy

Authentication Timestamps

Configure Authentication Policy

Troubleshoot Authentication Issues

Pre-Logon for SAML Authentication

Certificate Management

Keys and Certificates

Default Trusted Certificate Authorities (CAs)

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Master Key Encryption

Configure Master Key Encryption Level

Master Key Encryption on a Firewall HA Pair

Master Key Encryption Logs

Unique Master Key Encryptions for AES-256-GCM

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Install a Device Certificate

Restore an Expired Device Certificate

Deploy Certificates Using SCEP

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Configure an SSH Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

High Availability

HA Links and Backup Links

HA Ports on Palo Alto Networks Firewalls

Device Priority and Preemption

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

HA Clustering Overview

HA Clustering Best Practices and Provisioning

Configure HA Clustering

Refresh HA1 SSH Keys and Configure Key Options

HA Firewall States

Reference: HA Synchronization

Use the Dashboard

Use the Application Command Center

ACC—First Look

Widget Descriptions

Interact with the ACC

Use Case: ACC—Path of Information Discovery

Use the App Scope Reports

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

View and Manage Logs

Log Types and Severity Levels

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Tunnel Inspection Logs

GlobalProtect Logs

Decryption Logs

Authentication Logs

Use Case: Export Traffic Logs for a Date Range

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Monitor Block List

View and Manage Reports

Configure the Expiration Period and Run Time for Reports

Disable Predefined Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Manage Report Storage Capacity

View Policy Rule Usage

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

URL Filtering Log Fields

Data Filtering Log Fields

HIP Match Log Fields

GlobalProtect Log Fields

IP-Tag Log Fields

User-ID Log Fields

Decryption Log Fields

Tunnel Inspection Log Fields

SCTP Log Fields

Authentication Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

Audit Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

SNMP Monitoring and Traps

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

HOST-RESOURCES-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

Forward Logs to an HTTP/S Destination

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

Monitor Transceivers

User-ID Overview

User-ID Concepts

Server Monitoring

Username Header Insertion

Authentication Policy and Authentication Portal

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the Windows-Based User-ID Agent

Configure the Windows User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure Server Monitoring Using WinRM

Configure User-ID to Monitor Syslog Senders for User Mapping

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Authentication Portal

Authentication Portal Authentication Methods

Authentication Portal Modes

Configure Authentication Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Insert Username in HTTP Headers

Redistribute Data and Authentication Timestamps

Firewall Deployment for Data Redistribution

Configure Data Redistribution

Share User-ID Mappings Across Virtual Systems

App-ID Overview

Streamlined App-ID Policy Rules

Create an Application Filter Using Tags

Create an Application Filter Based on Custom Tags

App-ID and HTTP/2 Inspection

Manage Custom or Unknown Applications

Manage New and Modified App-IDs

Workflow to Best Incorporate New and Modified App-IDs

See the New and Modified App-IDs in a Content Release

See How New and Modified App-IDs Impact Your Security Policy

Ensure Critical New App-IDs are Allowed

Monitor New App-IDs

Disable and Enable App-IDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Resolve Application Dependencies

Safely Enable Applications on Default Ports

Applications with Implicit Support

Security Policy Rule Optimization

Policy Optimizer Concepts

Sorting and Filtering Security Policy Rules

Clear Application Usage Data

Migrate Port-Based to App-ID Based Security Policy Rules

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Add Applications to an Existing Rule

Identify Security Policy Rules with Unused Applications

High Availability for Application Usage Statistics

How to Disable Policy Optimizer

App-ID Cloud Engine

Prepare to Deploy App-ID Cloud Engine

Enable or Disable the App-ID Cloud Engine

App-ID Cloud Engine Processing and Usage

New App Viewer (Policy Optimizer)

Add Apps to an Application Filter with Policy Optimizer

Add Apps to an Application Group with Policy Optimizer

Add Apps Directly to a Rule with Policy Optimizer

Replace an RMA Firewall (ACE)

Impact of License Expiration or Disabling ACE

Commit Failure Due to Cloud Content Rollback

Troubleshoot App-ID Cloud Engine

SaaS App-ID Policy Recommendation

Import SaaS Policy Recommendation

Import Updated SaaS Policy Recommendation

Remove Deleted SaaS Policy Recommendation

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Use HTTP Headers to Manage SaaS Application Access

Understand SaaS Custom Headers

Domains used by the Predefined SaaS Application Types

Create HTTP Header Insertion Entries using Predefined Types

Create Custom HTTP Header Insertion Entries

Maintain Custom Timeouts for Data Center Applications

Device-ID Overview

Prepare to Deploy Device-ID

Configure Device-ID

Manage Device-ID

CLI Commands for Device-ID

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Forward Proxy Decryption Profile

SSL Inbound Inspection

SSL Inbound Inspection Decryption Profile

SSL Protocol Settings Decryption Profile

SSH Proxy Decryption Profile

Profile for No Decryption

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

Perfect Forward Secrecy (PFS) Support for SSL Decryption

SSL Decryption and Subject Alternative Names (SANs)

TLSv1.3 Decryption

High Availability Not Supported for Decrypted Sessions

Decryption Mirroring

Prepare to Deploy Decryption

Work with Stakeholders to Develop a Decryption Deployment Strategy

Develop a PKI Rollout Plan

Size the Decryption Firewall Deployment

Plan a Staged, Prioritized Deployment

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Server Certificate Verification for Undecrypted Traffic

Decryption Exclusions

Palo Alto Networks Predefined Decryption Exclusions

Exclude a Server from Decryption for Technical Reasons

Local Decryption Exclusion Cache

Create a Policy-Based Decryption Exclusion

Block Private Key Export

Generate a Private Key and Block It

Import a Private Key and Block It

Import a Private Key for IKE Gateway and Block It

Verify Private Key Blocking

Enable Users to Opt Out of SSL Decryption

Temporarily Disable SSL Decryption

Configure Decryption Port Mirroring

Verify Decryption

Troubleshoot and Monitor Decryption

Decryption Application Command Center Widgets

Configure Decryption Logging

Decryption Log Errors, Error Indexes, and Bitmasks

Repair Incomplete Certificate Chains

Custom Report Templates for Decryption

Unsupported Parameters by Proxy Type and TLS Version

Decryption Troubleshooting Workflow Examples

Investigate Decryption Failure Reasons

Troubleshoot Unsupported Cipher Suites

Identify Weak Protocols and Cipher Suites

Identify Untrusted CA Certificates

Troubleshoot Expired Certificates

Troubleshoot Revoked Certificates

Troubleshoot Pinned Certificates

Activate Free Licenses for Decryption Features

Quality of Service

QoS for Applications and Users

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

VPN Deployments

Site-to-Site VPN Overview

Site-to-Site VPN Concepts

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

Set Up Site-to-Site VPN

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IPSec Crypto Profiles

Set Up an IPSec Tunnel

Set Up Tunnel Monitoring

Define a Tunnel Monitoring Profile

View the Status of the Tunnels

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Refresh and Restart Behaviors

Refresh or Restart an IKE Gateway or IPSec Tunnel

Test VPN Connectivity

Interpret VPN Error Messages

Site-to-Site VPN Quick Configs

Site-to-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-to-Site VPN with Static and Dynamic Routing

Large Scale VPN (LSVPN)

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

GlobalProtect Portal for LSVPN Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configs

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Security Policy

Components of a Security Policy Rule

Security Policy Actions

Create a Security Policy Rule

Security Profiles

Create a Security Profile Group

Set Up or Override a Default Security Profile Group

Create a Data Filtering Profile

Predefined Data Filtering Patterns

Set Up File Blocking

Track Rules Within a Rulebase

Enforce Policy Rule Description, Tag, and Audit Comment

Move or Clone a Policy Rule or Object to a Different Virtual System

Use an Address Object to Represent IP Addresses

Address Objects

Create an Address Object

Use Tags to Group and Visually Distinguish Objects

Create and Apply Tags

View Rules by Tag Group

Use an External Dynamic List in Policy

External Dynamic List

Formatting Guidelines for an External Dynamic List

IP Address List

Built-in External Dynamic Lists

Configure the Firewall to Access an External Dynamic List

Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service

Convert the GlobalSign Root R1 Certificate to PEM Format

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

Exclude Entries from an External Dynamic List

Enforce Policy on an External Dynamic List

Find External Dynamic Lists That Failed Authentication

Disable Authentication for an External Dynamic List

Register IP Addresses and Tags Dynamically

Use Dynamic User Groups in Policy

Use Auto-Tagging to Automate Security Actions

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Use Dynamic Address Groups in Policy

CLI Commands for Dynamic IP Addresses and Tags

Enforce Policy on Endpoints and Users Behind an Upstream Device

Collect XFF Values for User-ID

Use XFF IP Address Values in Security Policy and Logging

Use the IP Address in the XFF Header to Troubleshoot Events

Policy-Based Forwarding

PBF

Egress Path and Symmetric Return

Path Monitoring for PBF

Service Versus Applications in PBF

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Application Override Policy

Test Policy Rules

Virtual Systems

Virtual Systems Overview

Virtual System Components and Segmentation

Benefits of Virtual Systems

Use Cases for Virtual Systems

Platform Support and Licensing for Virtual Systems

Administrative Roles for Virtual Systems

Shared Objects for Virtual Systems

Communication Between Virtual Systems

Inter-VSYS Traffic That Must Leave the Firewall

Inter-VSYS Traffic That Remains Within the Firewall

External Zones and Security Policies For Traffic Within a Firewall

Inter-VSYS Communication Uses Two Sessions

External Zones and Shared Gateway

Networking Considerations for a Shared Gateway

Configure Virtual Systems

Configure Inter-Virtual System Communication within the Firewall

Configure a Shared Gateway

Customize Service Routes for a Virtual System

Customize Service Routes to Services for Virtual Systems

Configure a PA-7000 Series Firewall for Logging Per Virtual System

Configure a PA-7000 Series LPC for Logging per Virtual System

Configure a PA-7000 Series LFC for Logging per Virtual System

Configure Administrative Access Per Virtual System or Firewall

Virtual System Functionality with Other Features

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Zone Defense Tools

How Do the Zone Defense Tools Work?

Firewall Placement for DoS Protection

Baseline CPS Measurements for Setting Flood Thresholds

CPS Measurements to Take

How to Measure CPS

Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet-Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Packet Buffer Protection

DoS Protection Profiles and Policy Rules

Classified Versus Aggregate DoS Protection

DoS Protection Profiles

DoS Protection Policy Rules

Configure Zone Protection to Increase Network Security

Configure Reconnaissance Protection

Configure Packet Based Attack Protection

Configure Protocol Protection

Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Configure Packet Buffer Protection

Configure Packet Buffer Protection Based on Latency

Configure Ethernet SGT Protection

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

End a Single Session DoS Attack

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Discard a Session Without a Commit

Enable FIPS and Common Criteria Support

Access the Maintenance Recovery Tool (MRT)

Change the Operational Mode to FIPS-CC Mode

FIPS-CC Security Functions

Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

PAN-OS Upgrade Guide

Software and Content Updates

PAN-OS Software Updates

Dynamic Content Updates

Install Content Updates

Applications and Threats Content Updates

Deploy Applications and Threats Content Updates

Tips for Content Updates

Best Practices for Applications and Threats Content Updates

Best Practices for Content Updates—Mission-Critical

Best Practices for Content Updates—Security-First

Content Delivery Network Infrastructure

Upgrade Panorama

Install Content Updates and Software Upgrades for Panorama

Upgrade Panorama with an Internet Connection

Upgrade Panorama Without an Internet Connection

Install Content Updates Automatically for Panorama without an Internet Connection

Upgrade Panorama in an HA Configuration

Migrate Panorama Logs to the New Log Format

Upgrade Panorama for Increased Device Management Capacity

Downgrade from Panorama 10.1

Troubleshoot Your Panorama Upgrade

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

What Updates Can Panorama Push to Other Devices?

Schedule a Content Update Using Panorama

Panorama, Log Collector, Firewall, and WildFire Version Compatibility

Upgrade Log Collectors When Panorama Is Internet-Connected

Upgrade Log Collectors When Panorama Is Not Internet-Connected

Upgrade a WildFire Cluster from Panorama with an Internet Connection

Upgrade a WildFire Cluster from Panorama without an Internet Connection

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Revert Content Updates from Panorama

PAN-OS Upgrade Checklist

Upgrade/Downgrade Considerations

Upgrade the Firewall to PAN-OS 10.1

Determine the Upgrade Path to PAN-OS 10.1

Upgrade Firewalls Using Panorama

Upgrade a Standalone Firewall

Upgrade an HA Firewall Pair

Upgrade the Firewall to PAN-OS 10.1 from Panorama

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Downgrade PAN-OS

Downgrade a Firewall to a Previous Maintenance Release

Downgrade a Firewall to a Previous Feature Release

Downgrade a Windows Agent

Troubleshoot Your PAN-OS Upgrade

Upgrade the VM-Series Firewall

Upgrade the VM-Series PAN-OS Software (Standalone)

Upgrade the VM-Series PAN-OS Software (HA Pair)

Upgrade the VM-Series PAN-OS Software Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

Upgrade Panorama Plugins

Panorama Plugins Upgrade/Downgrade Considerations

Upgrade the Enterprise DLP Plugin

Upgrade the Panorama Interconnect Plugin

Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release

Upgrade and Downgrade Paths for SD-WAN Plugin

Install the SD-WAN Plugin

Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin

Upgrade Standalone Panorama Leveraging SD-WAN Plugin

Changes to Note After Upgrade

CLI Commands for Upgrade

Use CLI Commands for Upgrade Tasks

APIs for Upgrade

Use the API for Upgrade Tasks

PAN-OS CLI Quick Start

Get Started with the CLI

Verify SSH Connection to Firewall

Refresh SSH Keys and Configure Key Options for Management Interface Connection

Give Administrators Access to the CLI

Administrative Privileges

Set Up a Firewall Administrative Account and Assign CLI Pri...

Set Up a Panorama Administrative Account and Assign CLI Pri...

Change CLI Modes

Navigate the CLI

View the Entire Command Hierarchy

Find a Specific Command Using a Keyword Search

Get Help on Command Syntax

Get Help on a Command

Interpret the Command Help

Customize the CLI

View Settings and Statistics

Modify the Configuration

Commit Configuration Changes

Test the Configuration

Test the Authentication Configuration

Test Policy Matches

Load Configurations

Load Configuration Settings from a Text File

Load a Partial Configuration

Xpath Location Formats Determined by Device Configuration

Load a Partial Configuration into Another Configuration Usi...

Use Secure Copy to Import and Export Files

Export a Saved Configuration from One Firewall and Import i...

Export and Import a Complete Log Database (logdb)

CLI Cheat Sheets

CLI Cheat Sheet: Device Management

CLI Cheat Sheet: User-ID

CLI Cheat Sheet: HA

CLI Cheat Sheet: Networking

CLI Cheat Sheet: VSYS

CLI Cheat Sheet: Panorama

CLI Changes in PAN-OS 10.0

New Set Commands

Changed Set Commands

Removed Set Commands

New Show Commands

Removed Show Commands

Changed Revert Commands

Changed Load Commands

Removed Load Commands

PAN-OS® Release Notes

PAN-OS 10.0 Release Information

Features Introduced in PAN-OS 10.0

Enterprise Data Loss Prevention Features

IoT Security Features

Content Inspection Features

Decryption Features

GlobalProtect Features

Management Features

Certificate Management Features

Panorama Features

Networking Features

User-ID Features

Policy Features

Authentication Features

WildFire Features

Virtualization Features

SD-WAN Features

Mobile Infrastructure Security Features

New Hardware Introduced with PAN-OS 10.0

Changes to Default Behavior

Associated Software and Content Versions

Known Issues Related to PAN-OS 10.0 Releases

PAN-OS 10.0.12 Known Issues

PAN-OS 10.0.11 Known Issues

PAN-OS 10.0.10 Known Issues

PAN-OS 10.0.9 Known Issues

PAN-OS 10.0.8 Known Issues

PAN-OS 10.0.7 Known Issues

PAN-OS 10.0.6 Known Issues

PAN-OS 10.0.5 Known Issues

PAN-OS 10.0.4 Known Issues

PAN-OS 10.0.3 Known Issues

PAN-OS 10.0.2 Known Issues

PAN-OS 10.0.1 Known Issues

Known Issues for the CN-Series on Version 10.0

PAN-OS 10.0 Addressed Issues

PAN-OS 10.0.12-h1 Addressed Issues

PAN-OS 10.0.12 Addressed Issues

PAN-OS 10.0.11-h1 Addressed Issues

PAN-OS 10.0.11 Addressed Issues

PAN-OS 10.0.10-h1 Addressed Issues

PAN-OS 10.0.10 Addressed Issues

PAN-OS 10.0.9 Addressed Issues

PAN-OS 10.0.8-h8 Addressed Issues

PAN-OS 10.0.8-h4 Addressed Issues

PAN-OS 10.0.8 Addressed Issues

PAN-OS 10.0.7 Addressed Issues

PAN-OS 10.0.6 Addressed Issues

PAN-OS 10.0.5 Addressed Issues

PAN-OS 10.0.4 Addressed Issues

PAN-OS 10.0.3 Addressed Issues

PAN-OS 10.0.2 Addressed Issues

PAN-OS 10.0.1 Addressed Issues

PAN-OS 10.0.0 Addressed Issues

PAN-OS 10.0.11-h3 Addressed Issues

PAN-OS 10.0.12-h3 Addressed Issues

PAN-OS 10.0.8-h10 Addressed Issues

PAN-OS 10.0.12-h4 Addressed Issues

PAN-OS 10.0.12-h5 Addressed Issues

PAN-OS 10.0.11-h4 Addressed Issues

PAN-OS 10.0.8-h11 Addressed Issues

PAN-OS 10.0.12-h6 Addressed Issues

Related Documentation

Requesting Support

Table of Contents

PAN-OS® and Panorama™ API Usage Guide

About the PAN-OS API

PAN-OS XML API Components

Structure of a PAN-OS XML API Request

API Authentication and Security

XPath Node Selection

Get Started with the PAN-OS XML API

Enable API Access

Get Your API Key

Make Your First API Call

Explore the API

Use the API Browser

Use the CLI to Find XML API Syntax

Use the Web Interface to Find XML API Syntax

PAN-OS XML API Error Codes

Authenticate Your API Requests

PAN-OS XML API Use Cases

Upgrade a Firewall to the Latest PAN-OS Version (API)

Show and Manage GlobalProtect Users (API)

Query a Firewall from Panorama (API)

Upgrade PAN-OS on Multiple HA Firewalls through Panorama (A...

Automatically Check for and Install Content Updates (API)

Enforce Policy using External Dynamic Lists and AutoFocus A...

Configure SAML 2.0 Authentication (API)

Quarantine Compromised Devices (API)

Manage Certificates (API)

PAN-OS XML API Request Types

PAN-OS XML API Request Types and Actions

Configuration Actions

Actions for Modifying a Configuration

Actions for Reading a Configuration

Asynchronous and Synchronous Requests to the PAN-OS XML API

Configuration (API)

Get Active Configuration

Use XPath to Get Active Configuration

Use XPath to Get ARP Information

Get Candidate Configuration

Set Configuration

Edit Configuration

Delete Configuration

Rename Configuration

Clone Configuration

Move Configuration

Override Configuration

Multi-Move or Multi-Clone Configuration

View Configuration Node Values for XPath

Multi-config Request (API)

Commit Configuration (API)

Run Operational Mode Commands (API)

Get Reports (API)

Dynamic Reports

Predefined Reports

Export Files (API)

Export Packet Captures

Export Application PCAPS

Export Threat, Filter, and Data Filtering PCAPs

Export Certificates and Keys

Export Technical Support Data

Import Files (API)

Importing Basics

Retrieve Logs (API)

API Log Retrieval Parameters

Example: Use the API to Retrieve Traffic Logs

Apply User-ID Mapping and Populate Dynamic Address Groups (...

Get Version Info (API)

Get Started with the PAN-OS REST API

PAN-OS REST API

Access the PAN-OS REST API

Resource Methods and Query Parameters (REST API)

PAN-OS REST API Request and Response Structure

PAN-OS REST API Error Codes

Work With Objects (REST API)

Create a Security Policy Rule (REST API)

Work with Policy Rules on Panorama (REST API)

Create a Tag (REST API)

Configure a Security Zone (REST API)

Configure an SD-WAN Interface (REST API)

Create an SD-WAN Policy Pre Rule (REST API)

Configure an Ethernet Interface (REST API)

Update a Virtual Router (REST API)

Work With Decryption (REST APIs)

PAN-OS Web Interface Help

Web Interface Basics

Firewall Overview

Features and Benefits

Last Login Time and Failed Login Attempts

Message of the Day

Save Candidate Configurations

Lock Configurations

AutoFocus Intelligence Summary

Configuration Table Export

Dashboard Widgets

ACC

A First Glance at the ACC

Working with Tabs and Widgets

Working with Filters—Local Filters and Global Filters

Monitor > External Logs

Monitor > Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Object...

Monitor > Automated Correlation Engine > Correlated Events

Monitor > Packet Capture

Packet Capture Overview

Building Blocks for a Custom Packet Capture

Enable Threat Packet Capture

Monitor > App Scope

App Scope Overview

App Scope Summary Report

App Scope Change Monitor Report

App Scope Threat Monitor Report

App Scope Threat Map Report

App Scope Network Monitor Report

App Scope Traffic Map Report

Monitor > Session Browser

Monitor > Block IP List

Block IP List Entries

View or Delete Block IP List Entries

Monitor > Botnet

Managing Botnet Reports

Configuring the Botnet Report

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary

Monitor > PDF Reports > User Activity Report

Monitor > PDF Reports > SaaS Application Usage

Monitor > PDF Reports > Report Groups

Monitor > PDF Reports > Email Scheduler

Monitor > Manage Custom Reports

Monitor > Reports

Move or Clone a Policy Rule

Audit Comment Archive

Rule Usage Query

Policies > Security

Security Policy Overview

Building Blocks in a Security Policy Rule

Creating and Managing Policies

Overriding or Reverting a Security Policy Rule

Applications and Usage

Security Policy Rule Usage

NAT Policies General Tab

NAT Original Packet Tab

NAT Translated Packet Tab

NAT Active/Active HA Binding Tab

Policies > Policy Based Forwarding

Policy Based Forwarding General Tab

Policy Based Forwarding Source Tab

Policy Based Forwarding Destination/Application/Service Tab

Policy Based Forwarding Forwarding Tab

Policy Based Forwarding Target Tab

Policies > Decryption

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Decryption Target Tab

Policies > Tunnel Inspection

Building Blocks in a Tunnel Inspection Policy

Policies > Application Override

Application Override General Tab

Application Override Source Tab

Application Override Destination Tab

Application Override Protocol/Application Tab

Application Override Target Tab

Policies > Authentication

Building Blocks of an Authentication Policy Rule

Create and Manage Authentication Policy

Policies > DoS Protection

DoS Protection General Tab

DoS Protection Source Tab

DoS Protection Destination Tab

DoS Protection Option/Protection Tab

DoS Protection Target Tab

Policies > SD-WAN

SD-WAN General Tab

SD-WAN Source Tab

SD-WAN Destination Tab

SD-WAN Application/Service Tab

SD-WAN Path Selection Tab

SD-WAN Target Tab

Move, Clone, Override, or Revert Objects

Move or Clone an Object

Override or Revert an Object

Objects > Addresses

Objects > Address Groups

Objects > Regions

Objects > Dynamic User Groups

Objects > Applications

Applications Overview

Actions Supported on Applications

Defining Applications

Objects > Application Groups

Objects > Application Filters

Objects > Services

Objects > Service Groups

View Rulebase as Groups

Move Rules in Group to Different Rulebase or Device Group

Change Group of All Rules

Move All Rules in Group

Delete All Rules in Group

Clone All Rules in Group

Objects > External Dynamic Lists

Objects > Custom Objects

Objects > Custom Objects > Data Patterns

Data Pattern Settings

Syntax for Regular Expression Data Patterns

Regular Expression Data Pattern Examples

Objects > Custom Objects > Spyware/Vulnerability

Objects > Custom Objects > URL Category

Objects > Security Profiles

Actions in Security Profiles

Objects > Security Profiles > Antivirus

Objects > Security Profiles > Anti-Spyware Profile

Objects > Security Profiles > Vulnerability Protection

Objects > Security Profiles > URL Filtering

URL Filtering General Settings

URL Filtering Categories

URL Filtering Settings

User Credential Detection

HTTP Header Insertion

URL Filtering Inline ML

Objects > Security Profiles > File Blocking

Objects > Security Profiles > WildFire Analysis

Objects > Security Profiles > Data Filtering

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > Mobile Network Protection

Objects > Security Profiles > SCTP Protection

Objects > Security Profile Groups

Objects > Log Forwarding

Objects > Authentication

Objects > Decryption Profile

Decryption Profile General Settings

Settings to Control Decrypted SSL Traffic

Settings to Control Traffic that is not Decrypted

Settings to Control Decrypted SSH Traffic

Objects > Decryption > Forwarding Profile

Objects > SD-WAN Link Management

Objects > SD-WAN Link Management > Path Quality Profile

Objects > SD-WAN Link Management > Traffic Distribution-Profile

Objects > SD-WAN Link Management > SaaS Quality Profile

Objects > SD-WAN Link Management > Error Correction Profile

Objects > Schedules

Objects > Devices

Network > Interfaces

Firewall Interfaces Overview

Common Building Blocks for Firewall Interfaces

Common Building Blocks for PA-7000 Series Firewall Interfac...

Virtual Wire Interface

Virtual Wire Subinterface

PA-7000 Series Layer 2 Interface

PA-7000 Series Layer 2 Subinterface

PA-7000 Series Layer 3 Interface

Layer 3 Interface

Layer 3 Subinterface

Log Card Interface

Log Card Subinterface

Decrypt Mirror Interface

Aggregate Ethernet (AE) Interface Group

Aggregate Ethernet (AE) Interface

Network > Interfaces > VLAN

Network > Interfaces > Loopback

Network > Interfaces > Tunnel

Network > Interfaces > SD-WAN

Network > Zones

Security Zone Overview

Building Blocks of Security Zones

Network > VLANs

Network > Virtual Wires

Network > Virtual Routers

General Settings of a Virtual Router

Route Redistribution

RIP

RIP Interfaces Tab

RIP Auth Profiles Tab

RIP Export Rules Tab

OSPF Auth Profiles Tab

OSPF Export Rules Tab

OSPF Advanced Tab

OSPFv3 Areas Tab

OSPFv3 Auth Profiles Tab

OSPFv3 Export Rules Tab

OSPFv3 Advanced Tab

BGP

Basic BGP Settings

BGP General Tab

BGP Advanced Tab

BGP Peer Group Tab

BGP Import and Export Tabs

BGP Conditional Adv Tab

BGP Aggregate Tab

BGP Redist Rules Tab

Multicast Rendezvous Point Tab

Multicast Interfaces Tab

Multicast SPT Threshold Tab

Multicast Source Specific Address Tab

Multicast Advanced Tab

More Runtime Stats for a Virtual Router

BFD Summary Information Tab

More Runtime Stats for a Logical Router

Routing Stats for a Logical Router

BGP Stats for a Logical Router

Network > Routing > Logical Routers

General Settings of a Logical Router

Static Routes for a Logical Router

BGP Routing for a Logical Router

Network > Routing > Routing Profiles > BGP

Network > IPSec Tunnels

IPSec VPN Tunnel Management

IPSec Tunnel General Tab

IPSec Tunnel Proxy IDs Tab

IPSec Tunnel Status on the Firewall

IPSec Tunnel Restart or Refresh

Network > GRE Tunnels

DHCP Addressing

Network > DNS Proxy

DNS Proxy Overview

DNS Proxy Settings

Additional DNS Proxy Actions

QoS Interface Settings

QoS Interface Statistics

Building Blocks of LLDP

Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto

Network > Network Profiles > IKE Gateways

IKE Gateway Management

IKE Gateway General Tab

IKE Gateway Advanced Options Tab

IKE Gateway Restart or Refresh

Network > Network Profiles > IPSec Crypto

Network > Network Profiles > IKE Crypto

Network > Network Profiles > Monitor

Network > Network Profiles > Interface Mgmt

Network > Network Profiles > Zone Protection

Building Blocks of Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Network > Network Profiles > QoS

Network > Network Profiles > LLDP Profile

Network > Network Profiles > BFD Profile

Building Blocks of a BFD Profile

View BFD Summary and Details

Network > Network Profiles > SD-WAN Interface Profile

Device > Setup > Management

Device > Setup > Operations

Enable SNMP Monitoring

Device > Setup > HSM

Hardware Security Module Provider Settings

HSM Authentication

Hardware Security Operations

Hardware Security Module Provider Configuration and Status

Hardware Security Module Status

Device > Setup > Services

Configure Services for Global and Virtual Systems

Global Services Settings

IPv4 and IPv6 Support for Service Route Configuration

Destination Service Route

Device > Setup > Interfaces

Device > Setup > Telemetry

Device > Setup > Content-ID

Device > Setup > WildFire

Device > Setup > Session

Session Settings

Session Timeouts

Decryption Settings: Certificate Revocation Checking

Decryption Settings: Forward Proxy Server Certificate Setti...

VPN Session Settings

Device > High Availability

Important Considerations for Configuring HA

HA General Settings

HA Communications

HA Link and Path Monitoring

HA Active/Active Config

Device > Log Forwarding Card

Device > Config Audit

Device > Password Profiles

Username and Password Requirements

Device > Administrators

Device > Admin Roles

Device > Access Domain

Device > Authentication Profile

Authentication Profile

SAML Metadata Export from an Authentication Profile

Device > Authentication Sequence

Device > Data Redistribution

Device > Data Redistribution > Agents

Device > Data Redistribution > Clients

Device > Data Redistribution > Collector Settings

Device > Data Redistribution > Include/Exclude Networks

Device > Device Quarantine

Device > VM Information Sources

Settings to Enable VM Information Sources for VMware ESXi a...

Settings to Enable VM Information Sources for AWS VPC

Settings to Enable VM Information Sources for Google Comput...

Device > Troubleshooting

Security Policy Match

QoS Policy Match

Authentication Policy Match

Decryption/SSL Policy Match

NAT Policy Match

Policy Based Forwarding Policy Match

DoS Policy Match

Log Collector Connectivity

External Dynamic List

Test Cloud Logging Service Status

Test Cloud GP Service Status

Device > Virtual Systems

Device > Shared Gateways

Device > Certificate Management

Device > Certificate Management > Certificates

Manage Firewall and Panorama Certificates

Other Supported Actions to Manage Certificates

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificate Profile

Device > Certificate Management > OCSP Responder

Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SCEP

Device > Certificate Management > SSL Decryption Exclusion

Device > Response Pages

Device > Log Settings

Select Log Forwarding Destinations

Define Alarm Settings

Device > Server Profiles

Device > Server Profiles > SNMP Trap

Device > Server Profiles > Syslog

Device > Server Profiles > Email

Device > Server Profiles > HTTP

Device > Server Profiles > NetFlow

Device > Server Profiles > RADIUS

Device > Server Profiles > TACACS+

Device > Server Profiles > LDAP

Device > Server Profiles > Kerberos

Device > Server Profiles > SAML Identity Provider

Device > Server Profiles > DNS

Device > Server Profiles > Multi Factor Authentication

Device > Local User Database > Users

Device > Local User Database > User Groups

Device > Scheduled Log Export

Device > Software

Device > Dynamic Updates

Device > Licenses

Device > Support

Device > Master Key and Diagnostics

Deploy Master Key

Device > Policy Recommendation

Device > Certificate Management > SSH Service Profile

Device > Setup > DLP

User Identification

Device > User Identification > User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor Account

Server Monitoring

Ignore User List

Monitor Servers

Configure Access to Monitored Servers

Manage Access to Monitored Servers

Include or Exclude Subnetworks for User Mapping

Device > User Identification > Connection Security

Device > User Identification > Terminal Services Agents

Device > User Identification > Group Mapping Settings Tab

Device > User Identification > Captive Portal Settings

Network > GlobalProtect > Portals

GlobalProtect Portals General Tab

GlobalProtect Portals Authentication Configuration Tab

GlobalProtect Portals Portal Data Collection Tab

GlobalProtect Portals Agent Configuration Tab

GlobalProtect Portals Agent Authentication Tab

GlobalProtect Portals Agent Config Selection Criteria Tab

GlobalProtect Portals Agent Internal Tab

GlobalProtect Portals Agent External Tab

GlobalProtect Portals Agent App Tab

GlobalProtect Portals Agent HIP Data Collection Tab

GlobalProtect Portals Clientless Configuration Tab

GlobalProtect Portal Satellite Configuration Tab

Network > GlobalProtect > Gateways

GlobalProtect Gateways General Tab

GlobalProtect Gateway Authentication Tab

GlobalProtect Gateways Agent Tab

Tunnel Settings Tab

Client Settings Tab

Client IP Pool Tab

Network Services Tab

Connection Settings Tab

Video Traffic Tab

HIP Notification Tab

GlobalProtect Gateway Satellite Configuration Tab

Network > GlobalProtect > MDM

Network > GlobalProtect > Clientless Apps

Network > GlobalProtect > Clientless App Groups

Objects > GlobalProtect > HIP Objects

HIP Objects General Tab

HIP Objects Mobile Device Tab

HIP Objects Patch Management Tab

HIP Objects Firewall Tab

HIP Objects Anti-Malware Tab

HIP Objects Disk Backup Tab

HIP Objects Disk Encryption Tab

HIP Objects Data Loss Prevention Tab

HIP Objects Certificate Tab

HIP Objects Custom Checks Tab

Objects > GlobalProtect > HIP Profiles

Device > GlobalProtect Client

Managing the GlobalProtect Agent Software

Setting Up the GlobalProtect Agent

Using the GlobalProtect Agent

Panorama Web Interface

Use the Panorama Web Interface

Panorama Commit Operations

Defining Policies on Panorama

Log Storage Partitions for a Panorama Virtual Appliance in ...

Panorama > Setup > Interfaces

Panorama > High Availability

Panorama > Managed WildFire Clusters

Managed WildFire Cluster Tasks

Managed WildFire Appliance Tasks

Managed WildFire Information

Managed WildFire Cluster and Appliance Administration

Panorama > Administrators

Panorama > Admin Roles

Panorama > Access Domains

Panorama > Managed Devices > Summary

Managed Firewall Administration

Managed Firewall Information

Firewall Software and Content Updates

Firewall Backups

Panorama > Device Quarantine

Panorama > Managed Devices > Health

Detailed Device Health in Panorama

Panorama > Templates

Template Stacks

Panorama > Templates > Template Variables

Panorama > Device Groups

Panorama > Managed Collectors

Log Collector Information

Log Collector Configuration

General Log Collector Settings

Log Collector Authentication Settings

Log Collector Interface Settings

Log Collector RAID Disk Settings

User-ID Agent Settings

Connection Security

Communication Settings

Software Updates for Dedicated Log Collectors

Panorama > Collector Groups

Collector Group Configuration

Collector Group Information

Panorama > Plugins

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Panorama > VMware NSX

Configure a Notify Group

Create Service Definitions

Configure Access to the NSX Manager

Create Steering Rules

Panorama > Log Ingestion Profile

Panorama > Log Settings

Panorama > Server Profiles > SCP

Panorama > Scheduled Config Export

Panorama > Software

Manage Panorama Software Updates

Display Panorama Software Update Information

Panorama > Device Deployment

Manage Software and Content Updates

Display Software and Content Update Information

Schedule Dynamic Content Updates

Panorama > Dynamic Updates > Revert Content

Manage Firewall Licenses

User-ID™ Agent Release Notes

User-ID Agent 10.0 Release Information

Features Introduced in User-ID Agent 10.0

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

User-ID Agent 10.0 Addressed Issues

Related Documentation

Requesting Support

Terminal Server (TS) Agent Release Notes

Terminal Server (TS) Agent 10.0 Release Information

Features Introduced in TS Agent 10.0

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

Known Issues in TS Agent 10.0

Terminal Server (TS) Agent 10.0 Addressed Issues

Related Documentation

Requesting Support

PAN-OS ® New Features Guide

Upgrade/Downgrade Considerations

Upgrade the Firewall to PAN-OS 10.0

Determine the Upgrade Path to PAN-OS 10.0

Upgrade Firewalls Using Panorama

Upgrade a Standalone Firewall

Upgrade an HA Firewall Pair

Downgrade PAN-OS

Downgrade a Firewall to a Previous Maintenance Release

Downgrade a Firewall to a Previous Feature Release

Downgrade a Windows Agent

Enterprise Data Loss Prevention Features

Enterprise Data Loss Prevention

SD-WAN Features

SD-WAN Remove Private AS

SD-WAN Full Mesh VPN Cluster with DDNS Service

SD-WAN DIA AnyPath

SaaS Application Path Monitoring

SD-WAN Forward Error Correction

SD-WAN Packet Duplication

IoT Security Features

Content Inspection Features

DNS Security Signature Categories

Enhanced Pattern-Matching Engine for Custom Signatures

IPS Signature Converter Plugin for Panorama

Expanded Data Collection for DNS Security Improvements

Decryption Features

Decryption for TLSv1.3

Block Export of Private Keys

Enhanced Decryption Troubleshooting

GlobalProtect Features

Identification and Quarantine of Compromised Devices

Enhanced Logging for the Selected GlobalProtect Gateway

Management Features

Millisecond Granularity for PAN-OS Log Forwarding

Visibility on Custom Threat Names

Proxy Support for Cortex Data Lake

External Dynamic List Log Fields

Additional Predefined Time Filters for the ACC, Monitoring, and Reports

Rule Usage Filtering Actions

Device Telemetry

Certificate Management Features

Master Key Encryption Enhancement

Panorama Features

Automatic Content Updates Through Offline Panorama

Enhanced Authentication for Dedicated Log Collectors and WildFire Appliances

Syslog Forwarding Using Ethernet Interfaces

Increased Configuration Size for Panorama

Access Domain Enhancements for Multi-Tenancy

Enhanced Performance for Panorama Query and Reporting

Log Query Debugging

Configurable Key Limits in Scheduled Reports

Multiple Plugin Support for Panorama

Networking Features

HA Additional Path Monitoring Groups

Packet Buffer Protection Based on Latency

Ethernet SGT Protection

ECMP Strict Source Path

Tunnel Acceleration for GRE, VXLAN, and GTP-U Tunnels

Advanced Route Engine

Bonjour Reflector for Network Segmentation

Authentication Features

TLS Encryption for Email Server Profiles

Authentication Portal Exclusion for Predefined Domains

User-ID Features

Streamlined and Resilient Redistribution

Authentication with Custom Certificates for Redistribution

Policy Features

IP Range and Subnet Support in Dynamic Address Groups

X-Forwarded-For HTTP Header Data Support in Policy

URL Filtering Features

URL Filtering Inline ML

WildFire Features

WildFire Real-Time Signature Updates

IPv6 Address Support for the WildFire Appliance

Windows 10 Analysis Environment for the WildFire Appliance

WildFire Inline ML

Virtualization Features

Automatic Site License Activation on the PAYG VM-Series Firewalls

CN-Series Firewalls for Securing Kubernetes Deployments

Panorama Support for Multiple IP-Tag Sources

VMotion Support for the VM-Series Firewall on NSX-T and ESXi

Mobile Infrastructure Security Features

Network Slice Security in a 5G Network

Equipment ID Security in a 5G Network

Subscriber ID Security in a 5G Network

Equipment ID Security in a 4G Network

Subscriber ID Security in a 4G Network

PAN-OS® Administrator’s Guide

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Management Strategy

Perform Initial Configuration

Set Up Network Access for External Services

Register the Firewall

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Free WildFire Forwarding

Best Practices for Completing the Firewall Deployment

Best Practices for Securing Administrative Access

Subscriptions You Can Use With the Firewall

Activate Subscription Licenses

What Happens When Licenses Expire?

Enhanced Application Logs for Palo Alto Networks Cloud Services

Software and Content Updates

PAN-OS Software Updates

Dynamic Content Updates

Install Content Updates

Applications and Threats Content Updates

Deploy Applications and Threats Content Updates

Tips for Content Updates

Best Practices for Applications and Threats Content Updates

Best Practices for Content Updates—Mission-Critical

Best Practices for Content Updates—Security-First

Content Delivery Network Infrastructure

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Export Configuration Table Data

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Save and Export Firewall Configurations

Revert Firewall Configuration Changes

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure a Firewall Administrator Account

Configure Local or External Authentication for Firewall Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure API Key Lifetime

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Provide Granular Access to Operations Settings

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Device Telemetry

Device Telemetry Overview

Device Telemetry Collection and Transmission Intervals

Manage Device Telemetry

Enable Device Telemetry

Disable Device Telemetry

Manage the Data the Device Telemetry Collects

Manage Historical Device Telemetry

Monitor Device Telemetry

Sample the Data that Device Telemetry Collects

Authentication Types

External Authentication Services

Multi-Factor Authentication

Local Authentication

Plan Your Authentication Deployment

Configure Multi-Factor Authentication

Configure MFA Between RSA SecurID and the Firewall

Configure MFA Between Okta and the Firewall

Configure MFA Between Duo and the Firewall

Configure SAML Authentication

Configure Kerberos Single Sign-On

Configure Kerberos Server Authentication

Configure TACACS+ Authentication

Configure RADIUS Authentication

Configure LDAP Authentication

Connection Timeouts for Authentication Servers

Guidelines for Setting Authentication Server Timeouts

Modify the PAN-OS Web Server Timeout

Modify the Authentication Portal Session Timeout

Configure Local Database Authentication

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Authentication Policy

Authentication Timestamps

Configure Authentication Policy

Troubleshoot Authentication Issues

Certificate Management

Keys and Certificates

Default Trusted Certificate Authorities (CAs)

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Master Key Encryption

Configure Master Key Encryption Level

Master Key Encryption on a Firewall HA Pair

Master Key Encryption Logs

Unique Master Key Encryptions for AES-256-GCM

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Install a Device Certificate

Deploy Certificates Using SCEP

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Configure an SSH Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

High Availability

HA Links and Backup Links

HA Ports on Palo Alto Networks Firewalls

Device Priority and Preemption

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

HA Clustering Overview

HA Clustering Best Practices and Provisioning

Configure HA Clustering

Refresh HA1 SSH Keys and Configure Key Options

HA Firewall States

Reference: HA Synchronization

What Settings Don’t Sync in Active/Passive HA?

What Settings Don’t Sync in Active/Active HA?

Synchronization of System Runtime Information

Use the Dashboard

Use the Application Command Center

ACC—First Look

Widget Descriptions

Interact with the ACC

Use Case: ACC—Path of Information Discovery

Use the App Scope Reports

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

View and Manage Logs

Log Types and Severity Levels

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Tunnel Inspection Logs

GlobalProtect Logs

Decryption Logs

Authentication Logs

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Monitor Block List

View and Manage Reports

Configure the Expiration Period and Run Time for Reports

Disable Predefined Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Manage Report Storage Capacity

View Policy Rule Usage

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

URL Filtering Log Fields

Data Filtering Log Fields

HIP Match Log Fields

GlobalProtect Log Fields

IP-Tag Log Fields

User-ID Log Fields

Decryption Log Fields

Tunnel Inspection Log Fields

SCTP Log Fields

Authentication Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

SNMP Monitoring and Traps

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

HOST-RESOURCES-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

Forward Logs to an HTTP/S Destination

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

Monitor Transceivers

User-ID Overview

User-ID Concepts

Server Monitoring

Username Header Insertion

Authentication Policy and Authentication Portal

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the Windows-Based User-ID Agent

Configure the Windows User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure Server Monitoring Using WinRM

Configure User-ID to Monitor Syslog Senders for User Mapping

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Authentication Portal

Authentication Portal Authentication Methods

Authentication Portal Modes

Configure Authentication Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Insert Username in HTTP Headers

Redistribute Data and Authentication Timestamps

Firewall Deployment for Data Redistribution

Configure Data Redistribution

Share User-ID Mappings Across Virtual Systems

App-ID Overview

Streamlined App-ID Policy Rules

Create an Application Filter Using Tags

Create an Application Filter Based on Custom Tags

App-ID and HTTP/2 Inspection

Manage Custom or Unknown Applications

Manage New and Modified App-IDs

Workflow to Best Incorporate New and Modified App-IDs

See the New and Modified App-IDs in a Content Release

See How New and Modified App-IDs Impact Your Security Policy

Ensure Critical New App-IDs are Allowed

Monitor New App-IDs

Disable and Enable App-IDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Resolve Application Dependencies

Safely Enable Applications on Default Ports

Applications with Implicit Support

Security Policy Rule Optimization

Policy Optimizer Concepts

Sorting and Filtering Security Policy Rules

Clear Application Usage Data

Migrate Port-Based to App-ID Based Security Policy Rules

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Add Applications to an Existing Rule

Identify Security Policy Rules with Unused Applications

High Availability for Application Usage Statistics

How to Disable Policy Optimizer

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Use HTTP Headers to Manage SaaS Application Access

Understand SaaS Custom Headers

Domains used by the Predefined SaaS Application Types

Create HTTP Header Insertion Entries using Predefined Types

Create Custom HTTP Header Insertion Entries

Maintain Custom Timeouts for Data Center Applications

Device-ID Overview

Prepare to Deploy Device-ID

Configure Device-ID

Manage Device-ID

CLI Commands for Device-ID

Threat Prevention

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

About DNS Security

Cloud-Delivered DNS Signatures and Protections

DNS Security Analytics

Enable DNS Security

DNS Security Data Collection and Logging

Use DNS Queries to Identify Infected Hosts on the Network

How DNS Sinkholing Works

Configure DNS Sinkholing

Configure DNS Sinkholing for a List of Custom Domains

Configure the Sinkhole IP Address to a Local Server on Your Network

See Infected Hosts that Attempted to Connect to a Malicious Domain

Create a Data Filtering Profile

Predefined Data Filtering Patterns

WildFire Inline ML

Configure WildFire Inline ML

Set Up File Blocking

Prevent Brute Force Attacks

Customize the Action and Trigger Conditions for a Brute Force Signature

Enable Evasion Signatures

Monitor Blocked IP Addresses

Threat Signature Categories

Create Threat Exceptions

Custom Signatures

Monitor and Get Threat Reports

Monitor Activity and Create Custom Reports Based on Threat Categories

Learn More About Threat Signatures

AutoFocus Threat Intelligence for Network Traffic

AutoFocus Intelligence Summary

Enable AutoFocus Threat Intelligence

View and Act on AutoFocus Intelligence Summary Data

Share Threat Intelligence with Palo Alto Networks

Threat Prevention Resources

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Forward Proxy Decryption Profile

SSL Inbound Inspection

SSL Inbound Inspection Decryption Profile

SSL Protocol Settings Decryption Profile

SSH Proxy Decryption Profile

Profile for No Decryption

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

Perfect Forward Secrecy (PFS) Support for SSL Decryption

SSL Decryption and Subject Alternative Names (SANs)

TLSv1.3 Decryption

High Availability Support for Decrypted Sessions

Decryption Mirroring

Prepare to Deploy Decryption

Work with Stakeholders to Develop a Decryption Deployment Strategy

Develop a PKI Rollout Plan

Size the Decryption Firewall Deployment

Plan a Staged, Prioritized Deployment

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Server Certificate Verification for Undecrypted Traffic

Decryption Exclusions

Palo Alto Networks Predefined Decryption Exclusions

Exclude a Server from Decryption for Technical Reasons

Local Decryption Exclusion Cache

Create a Policy-Based Decryption Exclusion

Block Private Key Export

Generate a Private Key and Block It

Import a Private Key and Block It

Import a Private Key for IKE Gateway and Block It

Verify Private Key Blocking

Enable Users to Opt Out of SSL Decryption

Temporarily Disable SSL Decryption

Configure Decryption Port Mirroring

Verify Decryption

Troubleshoot and Monitor Decryption

Decryption Application Command Center Widgets

Configure Decryption Logging

Decryption Log Errors, Error Indexes, and Bitmasks

Repair Incomplete Certificate Chains

Custom Report Templates for Decryption

Unsupported Parameters by Proxy Type and TLS Version

Decryption Troubleshooting Workflow Examples

Investigate Decryption Failure Reasons

Troubleshoot Unsupported Cipher Suites

Identify Weak Protocols and Cipher Suites

Identify Untrusted CA Certificates

Troubleshoot Expired Certificates

Troubleshoot Revoked Certificates

Troubleshoot Pinned Certificates

Decryption Broker

How Decryption Broker Works

Decryption Broker Concepts

Decryption Broker: Forwarding Interfaces

Decryption Broker: Layer 3 Security Chain

Decryption Broker: Transparent Bridge Security Chain

Decryption Broker: Security Chain Session Flow

Decryption Broker: Multiple Security Chains

Decryption Broker: Security Chain Health Checks

Layer 3 Security Chain Guidelines

Configure Decryption Broker with One or More Layer 3 Security Chain

Transparent Bridge Security Chain Guidelines

Configure Decryption Broker with a Single Transparent Bridge Security Chain

Configure Decryption Broker with Multiple Transparent Bridge Security Chains

Activate Free Licenses for Decryption Features

About Palo Alto Networks URL Filtering Solution

How Advanced URL Filtering Works

URL Filtering Inline ML

URL Filtering Use Cases

Security-Focused URL Categories

Malicious URL Categories

Verified URL Categories

Policy Actions You Can Take Based on URL Categories

Plan Your URL Filtering Deployment

URL Filtering Best Practices

Activate The Advanced URL Filtering Subscription

Test URL Filtering Configuration

Configure URL Filtering

Configure URL Filtering Inline ML

Monitor Web Activity

Monitor Web Activity of Network Users

View the User Activity Report

Configure Custom URL Filtering Reports

Log Only the Page a User Visits

Create a Custom URL Category

URL Category Exceptions

Use an External Dynamic List in a URL Filtering Profile

Allow Password Access to Certain Sites

Prevent Credential Phishing

Methods to Check for Corporate Credential Submissions

Configure Credential Detection with the Windows User-ID Agent

Set Up Credential Phishing Prevention

Safe Search Enforcement

Safe Search Settings for Search Providers

Block Search Results when Strict Safe Search is not Enabled

Transparently Enable Safe Search for Users

URL Filtering Response Pages

Customize the URL Filtering Response Pages

HTTP Header Logging

Request to Change the Category for a URL

Troubleshoot URL Filtering

Problems Activating Advanced URL Filtering

PAN-DB Cloud Connectivity Issues

URLs Classified as Not-Resolved

Incorrect Categorization

PAN-DB Private Cloud

M-600 Appliance for PAN-DB Private Cloud

Set Up the PAN-DB Private Cloud

Configure the PAN-DB Private Cloud

Configure the Firewalls to Access the PAN-DB Private Cloud

Configure Authentication with Custom Certificates on the PAN-DB Private Cloud

Quality of Service

QoS for Applications and Users

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

VPN Deployments

Site-to-Site VPN Overview

Site-to-Site VPN Concepts

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

Set Up Site-to-Site VPN

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IPSec Crypto Profiles

Set Up an IPSec Tunnel

Set Up Tunnel Monitoring

Define a Tunnel Monitoring Profile

View the Status of the Tunnels

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Refresh and Restart Behaviors

Refresh or Restart an IKE Gateway or IPSec Tunnel

Test VPN Connectivity

Interpret VPN Error Messages

Site-to-Site VPN Quick Configs

Site-to-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-to-Site VPN with Static and Dynamic Routing

Large Scale VPN (LSVPN)

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

GlobalProtect Portal for LSVPN Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configs

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Configure Interfaces

Virtual Wire Interfaces

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

Virtual Wire Support of High Availability

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure Virtual Wires

Layer 2 Interfaces

Layer 2 Interfaces with No VLANs

Layer 2 Interfaces with VLANs

Configure a Layer 2 Interface

Configure a Layer 2 Interface, Subinterface, and VLAN

Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Interfaces

Configure Layer 3 Interfaces

Manage IPv6 Hosts Using NDP

IPv6 Router Advertisements for DNS Configuration

Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements

Enable NDP Monitoring

Configure an Aggregate Interface Group

Configure Bonjour Reflector for Network Segmentation

Use Interface Management Profiles to Restrict Access

Virtual Routers

Static Route Overview

Static Route Removal Based on Path Monitoring

Configure a Static Route

Configure Path Monitoring for a Static Route

RIP

OSPF Router Types

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Confederations

PIM

Shortest-Path Tree (SPT) and Shared Tree

PIM Assert Mechanism

Reverse-Path Forwarding

Configure IP Multicast

View IP Multicast Information

Route Redistribution

GRE Tunnel Overview

Create a GRE Tunnel

Firewall as a DHCP Server and Client

DHCP Addressing

DHCP Address Allocation Methods

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCP Client

Configure the Management Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear DHCP Leases

View DHCP Client Information

Gather Debug Output about DHCP

DNS

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Use Case 1: Firewall Requires DNS Resolution

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Proxy Rule and FQDN Matching

Dynamic DNS Overview

Configure Dynamic DNS for Firewall Interfaces

NAT

NAT Policy Rules

NAT Policy Overview

NAT Address Pools Identified as Address Objects

Proxy ARP for NAT Address Pools

Source NAT and Destination NAT

Destination NAT

Destination NAT with DNS Rewrite Use Cases

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Forward Use Cases

NAT Rule Capacities

Dynamic IP and Port NAT Oversubscription

Dataplane NAT Memory Statistics

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT with DNS Rewrite

Configure Destination NAT Using Dynamic IP Addresses

Modify the Oversubscription Rate for DIPP NAT

Reserve Dynamic IP NAT Addresses

Disable NAT for a Specific Host or Interface

NAT Configuration Examples

Destination NAT Example—One-to-One Mapping

Destination NAT with Port Translation Example

Destination NAT Example—One-to-Many Mapping

Source and Destination NAT Example

Virtual Wire Source NAT Example

Virtual Wire Static NAT Example

Virtual Wire Destination NAT Example

NPTv6 Does Not Provide Security

Model Support for NPTv6

Unique Local Addresses

Reasons to Use NPTv6

How NPTv6 Works

Checksum-Neutral Mapping

Bi-Directional Translation

NPTv6 Applied to a Specific Service

NPTv6 and NDP Proxy Example

The ND Cache in NPTv6 Example

The NDP Proxy in NPTv6 Example

The NPTv6 Translation in NPTv6 Example

Neighbors in the ND Cache are Not Translated

Create an NPTv6 Policy

IPv4-Embedded IPv6 Address

Path MTU Discovery

IPv6-Initiated Communication

Configure NAT64 for IPv6-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication with Port Translation

ECMP Load-Balancing Algorithms

ECMP Model, Interface, and IP Routing Support

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Supported TLVs in LLDP

LLDP Syslog Messages and SNMP Traps

View LLDP Settings and Status

Clear LLDP Statistics

BFD

BFD Model, Interface, and Client Support

Non-Supported RFC Components of BFD

BFD for Static Routes

BFD for Dynamic Routing Protocols

Reference: BFD Details

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Session Distribution Policies

Session Distribution Policy Descriptions

Change the Session Distribution Policy and View Statistics

Prevent TCP Split Handshake Session Establishment

Tunnel Content Inspection

Tunnel Content Inspection Overview

Configure Tunnel Content Inspection

View Inspected Tunnel Activity

View Tunnel Information in Logs

Create a Custom Report Based on Tagged Tunnel Traffic

Disable Tunnel Acceleration

Security Policy

Components of a Security Policy Rule

Security Policy Actions

Create a Security Policy Rule

Security Profiles

Create a Security Profile Group

Set Up or Override a Default Security Profile Group

Track Rules Within a Rulebase

Enforce Policy Rule Description, Tag, and Audit Comment

Move or Clone a Policy Rule or Object to a Different Virtual System

Use an Address Object to Represent IP Addresses

Address Objects

Create an Address Object

Use Tags to Group and Visually Distinguish Objects

Create and Apply Tags

View Rules by Tag Group

Use an External Dynamic List in Policy

External Dynamic List

Formatting Guidelines for an External Dynamic List

IP Address List

Built-in External Dynamic Lists

Configure the Firewall to Access an External Dynamic List

Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service

Convert the GlobalSign Root R1 Certificate to PEM Format

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

Exclude Entries from an External Dynamic List

Enforce Policy on an External Dynamic List

Find External Dynamic Lists That Failed Authentication

Disable Authentication for an External Dynamic List

Register IP Addresses and Tags Dynamically

Use Dynamic User Groups in Policy

Use Auto-Tagging to Automate Security Actions

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Use Dynamic Address Groups in Policy

CLI Commands for Dynamic IP Addresses and Tags

Enforce Policy on Endpoints and Users Behind an Upstream Device

Use XFF Values for Policy Based on Source Users

Use XFF IP Address Values in Security Policy and Logging

Use the IP Address in the XFF Header to Troubleshoot Events

Policy-Based Forwarding

PBF

Egress Path and Symmetric Return

Path Monitoring for PBF

Service Versus Applications in PBF

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Test Policy Rules

Virtual Systems

Virtual Systems Overview

Virtual System Components and Segmentation

Benefits of Virtual Systems

Use Cases for Virtual Systems

Platform Support and Licensing for Virtual Systems

Administrative Roles for Virtual Systems

Shared Objects for Virtual Systems

Communication Between Virtual Systems

Inter-VSYS Traffic That Must Leave the Firewall

Inter-VSYS Traffic That Remains Within the Firewall

External Zones and Security Policies For Traffic Within a Firewall

Inter-VSYS Communication Uses Two Sessions

External Zones and Shared Gateway

Networking Considerations for a Shared Gateway

Configure Virtual Systems

Configure Inter-Virtual System Communication within the Firewall

Configure a Shared Gateway

Customize Service Routes for a Virtual System

Customize Service Routes to Services for Virtual Systems

Configure a PA-7000 Series Firewall for Logging Per Virtual System

Configure a PA-7000 Series LPC for Logging per Virtual System

Configure a PA-7000 Series LFC for Logging per Virtual System

Configure Administrative Access Per Virtual System or Firewall

Virtual System Functionality with Other Features

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Zone Defense Tools

How Do the Zone Defense Tools Work?

Firewall Placement for DoS Protection

Baseline CPS Measurements for Setting Flood Thresholds

CPS Measurements to Take

How to Measure CPS

Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet-Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Packet Buffer Protection

DoS Protection Profiles and Policy Rules

Classified Versus Aggregate DoS Protection

DoS Protection Profiles

DoS Protection Policy Rules

Configure Zone Protection to Increase Network Security

Configure Reconnaissance Protection

Configure Packet Based Attack Protection

Configure Protocol Protection

Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Configure Packet Buffer Protection

Configure Packet Buffer Protection Based on Latency

Configure Ethernet SGT Protection

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

End a Single Session DoS Attack

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Discard a Session Without a Commit

Enable FIPS and Common Criteria Support

Access the Maintenance Recovery Tool (MRT)

Change the Operational Mode to FIPS-CC Mode

FIPS-CC Security Functions

Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

PAN-OS® Release Notes

PAN-OS 9.1 Release Information

Features Introduced in PAN-OS 9.1

SD-WAN Features

App-ID Features

Panorama Features

User-ID Features

GlobalProtect Features

Virtualization Features

Networking Features

Hardware Features

Changes to Default Behavior

Associated Software and Content Versions

WildFire Analysis Environment Support for PAN-OS 9.1

Known Issues Related to PAN-OS 9.1 Releases

PAN-OS 9.1.16 Known Issues

PAN-OS 9.1.15 Known Issues

PAN-OS 9.1.14 Known Issues

PAN-OS 9.1.13 Known Issues

PAN-OS 9.1.12 Known Issues

PAN-OS 9.1.11 Known Issues

PAN-OS 9.1.10 Known Issues

PAN-OS 9.1.9 Known Issues

PAN-OS 9.1.8 Known Issues

PAN-OS 9.1.7 Known Issues

PAN-OS 9.1.6 Known Issues

PAN-OS 9.1.5 Known Issues

PAN-OS 9.1.4 Known Issues

PAN-OS 9.1.3 Known Issues

PAN-OS 9.1.2 Known Issues

PAN-OS 9.1.1 Known Issues

PAN-OS 9.1.17 Known Issues

PAN-OS 9.1.18 Known Issues

PAN-OS 9.1.19 Known Issues

PAN-OS 9.1 Addressed Issues

PAN-OS 9.1.16 Addressed Issues

PAN-OS 9.1.15-h1 Addressed Issues

PAN-OS 9.1.15 Addressed Issues

PAN-OS 9.1.14-h4 Addressed Issues

PAN-OS 9.1.14-h1 Addressed Issues

PAN-OS 9.1.14 Addressed Issues

PAN-OS 9.1.13-h3 Addressed Issues

PAN-OS 9.1.13-h1 Addressed Issues

PAN-OS 9.1.13 Addressed Issues

PAN-OS 9.1.12-h4 Addressed Issues

PAN-OS 9.1.12-h3 Addressed Issues

PAN-OS 9.1.12 Addressed Issues

PAN-OS 9.1.11-h3 Addressed Issues

PAN-OS 9.1.11-h2 Addressed Issues

PAN-OS 9.1.11 Addressed Issues

PAN-OS 9.1.10 Addressed Issues

PAN-OS 9.1.9 Addressed Issues

PAN-OS 9.1.8 Addressed Issues

PAN-OS 9.1.7 Addressed Issues

PAN-OS 9.1.6 Addressed Issues

PAN-OS 9.1.5 Addressed Issues

PAN-OS 9.1.4 Addressed Issues

PAN-OS 9.1.3-h1 Addressed Issues

PAN-OS 9.1.3 Addressed Issues

PAN-OS 9.1.2-h1 Addressed Issues

PAN-OS 9.1.2 Addressed Issues

PAN-OS 9.1.1 Addressed Issues

PAN-OS 9.1.0 Addressed Issues

PAN-OS 9-1-16-h3 Addressed Issues

PAN-OS 9.1.14-h7 Addressed Issues

PAN-OS 9.1.11-h4 Addressed Issues

PAN-OS 9.1.12-h6 Addressed Issues

PAN-OS 9.1.13-h4 Addressed Issues

PAN-OS 9.1.16-h4 Addressed Issues

PAN-OS 9.1.17 Addressed Issues

PAN-OS 9.1.17-h1 Addressed Issues

PAN-OS 9.1.16-h5 Addressed Issues

PAN-OS 9.1.14-h8 Addressed Issues

PAN-OS 9.1.13-h5 Addressed Issues

PAN-OS 9.1.12-h7 Addressed Issues

PAN-OS 9.1.11-h5 Addressed Issues

PAN-OS 9.1.18 Addressed Issues

PAN-OS 9.1.19 Addressed Issues

Related Documentation

Requesting Support

User-ID™ Agent Release Notes

User-ID Agent 9.1 Release Information

Features Introduced in User-ID Agent 9.1

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

User-ID Agent 9.1 Addressed Issues

Related Documentation

Requesting Support

Terminal Server (TS) Agent Release Notes

Terminal Server (TS) Agent 9.1 Release Information

Features Introduced in TS Agent 9.1

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

Known Issues in TS Agent 9.1

Terminal Server (TS) Agent 9.1 Addressed Issues

Related Documentation

Requesting Support

PAN-OS CLI Quick Start

Get Started with the CLI

Verify SSH Connection to Firewall

Refresh SSH Keys and Configure Key Options for Management Interface Connection

Give Administrators Access to the CLI

Administrative Privileges

Set Up a Firewall Administrative Account and Assign CLI Pri...

Set Up a Panorama Administrative Account and Assign CLI Pri...

Change CLI Modes

Navigate the CLI

View the Entire Command Hierarchy

Find a Specific Command Using a Keyword Search

Get Help on Command Syntax

Get Help on a Command

Interpret the Command Help

Customize the CLI

View Settings and Statistics

Modify the Configuration

Commit Configuration Changes

Test the Configuration

Test the Authentication Configuration

Test Policy Matches

Load Configurations

Load Configuration Settings from a Text File

Load a Partial Configuration

Xpath Location Formats Determined by Device Configuration

Load a Partial Configuration into Another Configuration Usi...

Use Secure Copy to Import and Export Files

Export a Saved Configuration from One Firewall and Import i...

Export and Import a Complete Log Database (logdb)

CLI Cheat Sheets

CLI Cheat Sheet: Device Management

CLI Cheat Sheet: User-ID

CLI Cheat Sheet: Networking

CLI Cheat Sheet: VSYS

CLI Cheat Sheet: Panorama

CLI Changes in PAN-OS 9.1

New Set Commands

Changed Set Commands

Removed Set Commands

New Show Commands

Removed Show Commands

PAN-OS Web Interface Reference

Web Interface Basics

Firewall Overview

Features and Benefits

Last Login Time and Failed Login Attempts

Message of the Day

Save Candidate Configurations

Lock Configurations

AutoFocus Intelligence Summary

Configuration Table Export

Dashboard Widgets

ACC

A First Glance at the ACC

Working with Tabs and Widgets

Working with Filters—Local Filters and Global Filters

Monitor > External Logs

Monitor > Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Object...

Monitor > Automated Correlation Engine > Correlated Events

Monitor > Packet Capture

Packet Capture Overview

Building Blocks for a Custom Packet Capture

Enable Threat Packet Capture

Monitor > App Scope

App Scope Overview

App Scope Summary Report

App Scope Change Monitor Report

App Scope Threat Monitor Report

App Scope Threat Map Report

App Scope Network Monitor Report

App Scope Traffic Map Report

Monitor > Session Browser

Monitor > Block IP List

Block IP List Entries

View or Delete Block IP List Entries

Monitor > Botnet

Managing Botnet Reports

Configuring the Botnet Report

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary

Monitor > PDF Reports > User Activity Report

Monitor > PDF Reports > SaaS Application Usage

Monitor > PDF Reports > Report Groups

Monitor > PDF Reports > Email Scheduler

Monitor > Manage Custom Reports

Monitor > Reports

Move or Clone a Policy Rule

Audit Comment Archive

Rule Usage Query

Policies > Security

Security Policy Overview

Building Blocks in a Security Policy Rule

Creating and Managing Policies

Overriding or Reverting a Security Policy Rule

Applications and Usage

Security Policy Rule Usage

NAT Policies General Tab

NAT Original Packet Tab

NAT Translated Packet Tab

NAT Active/Active HA Binding Tab

Policies > Policy Based Forwarding

Policy Based Forwarding General Tab

Policy Based Forwarding Source Tab

Policy Based Forwarding Destination/Application/Service Tab

Policy Based Forwarding Forwarding Tab

Policy Based Forwarding Target Tab

Policies > Decryption

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Decryption Target Tab

Policies > Tunnel Inspection

Building Blocks in a Tunnel Inspection Policy

Policies > Application Override

Application Override General Tab

Application Override Source Tab

Application Override Destination Tab

Application Override Protocol/Application Tab

Application Override Target Tab

Policies > Authentication

Building Blocks of an Authentication Policy Rule

Create and Manage Authentication Policy

Policies > DoS Protection

DoS Protection General Tab

DoS Protection Source Tab

DoS Protection Destination Tab

DoS Protection Option/Protection Tab

DoS Protection Target Tab

Policies > SD-WAN

SD-WAN General Tab

SD-WAN Source Tab

SD-WAN Destination Tab

SD-WAN Application/Service Tab

SD-WAN Path Selection Tab

SD-WAN Target Tab

Move, Clone, Override, or Revert Objects

Move or Clone an Object

Override or Revert an Object

Objects > Addresses

Objects > Address Groups

Objects > Regions

Objects > Dynamic User Groups

Objects > Applications

Applications Overview

Actions Supported on Applications

Defining Applications

Objects > Application Groups

Objects > Application Filters

Objects > Services

Objects > Service Groups

View Rulebase as Groups

Move Rules in Group to Different Rulebase or Device Group

Change Group of All Rules

Move All Rules in Group

Delete All Rules in Group

Clone All Rules in Group

Objects > External Dynamic Lists

Objects > Custom Objects

Objects > Custom Objects > Data Patterns

Data Pattern Settings

Syntax for Regular Expression Data Patterns

Regular Expression Data Pattern Examples

Objects > Custom Objects > Spyware/Vulnerability

Objects > Custom Objects > URL Category

Objects > Security Profiles

Actions in Security Profiles

Objects > Security Profiles > Antivirus

Objects > Security Profiles > Anti-Spyware Profile

Objects > Security Profiles > Vulnerability Protection

Objects > Security Profiles > URL Filtering

URL Filtering General Settings

URL Filtering Categories

URL Filtering Settings

User Credential Detection

HTTP Header Insertion

Objects > Security Profiles > File Blocking

Objects > Security Profiles > WildFire Analysis

Objects > Security Profiles > Data Filtering

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > GTP Protection

Objects > Security Profiles > SCTP Protection

Objects > Security Profile Groups

Objects > Log Forwarding

Objects > Authentication

Objects > Decryption Profile

Decryption Profile General Settings

Settings to Control Decrypted SSL Traffic

Settings to Control Traffic that is not Decrypted

Settings to Control Decrypted SSH Traffic

Objects > Decryption > Forwarding Profile

Objects > SD-WAN Link Management

Objects > SD-WAN Link Management > Path Quality Profile

Objects > SD-WAN Link Management > Traffic Distribution-Profile

Objects > Schedules

Network > Interfaces

Firewall Interfaces Overview

Common Building Blocks for Firewall Interfaces

Common Building Blocks for PA-7000 Series Firewall Interfac...

Virtual Wire Interface

Virtual Wire Subinterface

PA-7000 Series Layer 2 Interface

PA-7000 Series Layer 2 Subinterface

PA-7000 Series Layer 3 Interface

Layer 3 Interface

Layer 3 Subinterface

Log Card Interface

Log Card Subinterface

Decrypt Mirror Interface

Aggregate Ethernet (AE) Interface Group

Aggregate Ethernet (AE) Interface

Network > Interfaces > VLAN

Network > Interfaces > Loopback

Network > Interfaces > Tunnel

Network > Interfaces > SD-WAN

Network > Zones

Security Zone Overview

Building Blocks of Security Zones

Network > VLANs

Network > Virtual Wires

Network > Virtual Routers

General Settings of a Virtual Router

Route Redistribution

RIP

RIP Interfaces Tab

RIP Auth Profiles Tab

RIP Export Rules Tab

OSPF Auth Profiles Tab

OSPF Export Rules Tab

OSPF Advanced Tab

OSPFv3 Areas Tab

OSPFv3 Auth Profiles Tab

OSPFv3 Export Rules Tab

OSPFv3 Advanced Tab

BGP

Basic BGP Settings

BGP General Tab

BGP Advanced Tab

BGP Peer Group Tab

BGP Import and Export Tabs

BGP Conditional Adv Tab

BGP Aggregate Tab

BGP Redist Rules Tab

Multicast Rendezvous Point Tab

Multicast Interfaces Tab

Multicast SPT Threshold Tab

Multicast Source Specific Address Tab

Multicast Advanced Tab

More Runtime Stats for a Virtual Router

BFD Summary Information Tab

Network > IPSec Tunnels

IPSec VPN Tunnel Management

IPSec Tunnel General Tab

IPSec Tunnel Proxy IDs Tab

IPSec Tunnel Status on the Firewall

IPSec Tunnel Restart or Refresh

Network > GRE Tunnels

DHCP Addressing

Network > DNS Proxy

DNS Proxy Overview

DNS Proxy Settings

Additional DNS Proxy Actions

QoS Interface Settings

QoS Interface Statistics

Building Blocks of LLDP

Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto

Network > Network Profiles > IKE Gateways

IKE Gateway Management

IKE Gateway General Tab

IKE Gateway Advanced Options Tab

IKE Gateway Restart or Refresh

Network > Network Profiles > IPSec Crypto

Network > Network Profiles > IKE Crypto

Network > Network Profiles > Monitor

Network > Network Profiles > Interface Mgmt

Network > Network Profiles > Zone Protection

Building Blocks of Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet Based Attack Protection

Protocol Protection

Network > Network Profiles > QoS

Network > Network Profiles > LLDP Profile

Network > Network Profiles > BFD Profile

Building Blocks of a BFD Profile

View BFD Summary and Details

Network > Network Profiles > SD-WAN Interface Profile

Device > Setup > Management

Device > Setup > Operations

Enable SNMP Monitoring

Device > Setup > HSM

Hardware Security Module Provider Settings

HSM Authentication

Hardware Security Operations

Hardware Security Module Provider Configuration and Status

Hardware Security Module Status

Device > Setup > Services

Configure Services for Global and Virtual Systems

Global Services Settings

IPv4 and IPv6 Support for Service Route Configuration

Destination Service Route

Device > Setup > Interfaces

Device > Setup > Telemetry

Device > Setup > Content-ID

Device > Setup > WildFire

Device > Setup > Session

Session Settings

Session Timeouts

Decryption Settings: Certificate Revocation Checking

Decryption Settings: Forward Proxy Server Certificate Setti...

VPN Session Settings

Device > High Availability

Important Considerations for Configuring HA

Configure HA Settings

Device > Log Forwarding Card

Device > Config Audit

Device > Password Profiles

Username and Password Requirements

Device > Administrators

Device > Admin Roles

Device > Access Domain

Device > Authentication Profile

Authentication Profile

SAML Metadata Export from an Authentication Profile

Device > Authentication Sequence

Device > VM Information Sources

Settings to Enable VM Information Sources for VMware ESXi a...

Settings to Enable VM Information Sources for AWS VPC

Settings to Enable VM Information Sources for Google Comput...

Device > Troubleshooting

Security Policy Match

QoS Policy Match

Authentication Policy Match

Decryption/SSL Policy Match

NAT Policy Match

Policy Based Forwarding Policy Match

DoS Policy Match

Log Collector Connectivity

External Dynamic List

Test Cloud Logging Service Status

Test Cloud GP Service Status

Device > Virtual Systems

Device > Shared Gateways

Device > Certificate Management

Device > Certificate Management > Certificates

Manage Firewall and Panorama Certificates

Other Supported Actions to Manage Certificates

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificate Profile

Device > Certificate Management > OCSP Responder

Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SCEP

Device > Certificate Management > SSL Decryption Exclusion

Device > Response Pages

Device > Log Settings

Select Log Forwarding Destinations

Define Alarm Settings

Device > Server Profiles

Device > Server Profiles > SNMP Trap

Device > Server Profiles > Syslog

Device > Server Profiles > Email

Device > Server Profiles > HTTP

Device > Server Profiles > NetFlow

Device > Server Profiles > RADIUS

Device > Server Profiles > TACACS+

Device > Server Profiles > LDAP

Device > Server Profiles > Kerberos

Device > Server Profiles > SAML Identity Provider

Device > Server Profiles > DNS

Device > Server Profiles > Multi Factor Authentication

Device > Local User Database > Users

Device > Local User Database > User Groups

Device > Scheduled Log Export

Device > Software

Device > Dynamic Updates

Device > Licenses

Device > Support

Device > Master Key and Diagnostics

Deploy Master Key

User Identification

Device > User Identification > User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor Account

Server Monitoring

NTLM Authentication

Ignore User List

Monitor Servers

Configure Access to Monitored Servers

Manage Access to Monitored Servers

Include or Exclude Subnetworks for User Mapping

Device > User Identification > Connection Security

Device > User Identification > User-ID Agents

Configure Access to User-ID Agents

Manage Access to User-ID Agents

Device > User Identification > Terminal Services Agents

Device > User Identification > Group Mapping Settings Tab

Device > User Identification > Captive Portal Settings

Network > GlobalProtect > Portals

GlobalProtect Portals General Tab

GlobalProtect Portals Authentication Configuration Tab

GlobalProtect Portals Portal Data Collection Tab

GlobalProtect Portals Agent Configuration Tab

GlobalProtect Portals Agent Authentication Tab

GlobalProtect Portals Agent Config Selection Criteria Tab

GlobalProtect Portals Agent Internal Tab

GlobalProtect Portals Agent External Tab

GlobalProtect Portals Agent App Tab

GlobalProtect Portals Agent HIP Data Collection Tab

GlobalProtect Portals Clientless Configuration Tab

GlobalProtect Portal Satellite Configuration Tab

Network > GlobalProtect > Gateways

GlobalProtect Gateways General Tab

GlobalProtect Gateway Authentication Tab

GlobalProtect Gateways Agent Tab

Tunnel Settings Tab

Client Settings Tab

Client IP Pool Tab

Network Services Tab

Connection Settings Tab

Video Traffic Tab

HIP Notification Tab

GlobalProtect Gateway Satellite Configuration Tab

Network > GlobalProtect > MDM

Network > GlobalProtect > Block List

Network > GlobalProtect > Clientless Apps

Network > GlobalProtect > Clientless App Groups

Objects > GlobalProtect > HIP Objects

HIP Objects General Tab

HIP Objects Mobile Device Tab

HIP Objects Patch Management Tab

HIP Objects Firewall Tab

HIP Objects Anti-Malware Tab

HIP Objects Disk Backup Tab

HIP Objects Disk Encryption Tab

HIP Objects Data Loss Prevention Tab

HIP Objects Certificate Tab

HIP Objects Custom Checks Tab

Objects > GlobalProtect > HIP Profiles

Device > GlobalProtect Client

Managing the GlobalProtect Agent Software

Setting Up the GlobalProtect Agent

Using the GlobalProtect Agent

Panorama Web Interface

Use the Panorama Web Interface

Panorama Commit Operations

Defining Policies on Panorama

Log Storage Partitions for a Panorama Virtual Appliance in ...

Panorama > Setup > Interfaces

Panorama > High Availability

Panorama > Managed WildFire Clusters

Managed WildFire Cluster Tasks

Managed WildFire Appliance Tasks

Managed WildFire Information

Managed WildFire Cluster and Appliance Administration

Panorama > Administrators

Panorama > Admin Roles

Panorama > Access Domains

Panorama > Managed Devices > Summary

Managed Firewall Administration

Managed Firewall Information

Firewall Software and Content Updates

Firewall Backups

Panorama > Managed Devices > Health

Detailed Device Health in Panorama

Panorama > Templates

Template Stacks

Panorama > Templates > Template Variables

Panorama > Device Groups

Panorama > Managed Collectors

Log Collector Information

Log Collector Configuration

General Log Collector Settings

Log Collector CLI Authentication Settings

Log Collector Interface Settings

Log Collector RAID Disk Settings

User-ID Agent Settings

Connection Security

Communication Settings

Software Updates for Dedicated Log Collectors

Panorama > Collector Groups

Collector Group Configuration

Collector Group Information

Panorama > Plugins

Panorama > VMware NSX

Configure a Notify Group

Create Service Definitions

Configure Access to the NSX Manager

Create Steering Rules

Panorama > Log Ingestion Profile

Panorama > Log Settings

Panorama > Scheduled Config Export

Panorama > Software

Manage Panorama Software Updates

Display Panorama Software Update Information

Panorama > Device Deployment

Manage Software and Content Updates

Display Software and Content Update Information

Schedule Dynamic Content Updates

Panorama > Dynamic Updates > Revert Content

Manage Firewall Licenses

PAN-OS® and Panorama™ API Guide

About the PAN-OS API

PAN-OS XML API Components

Structure of a PAN-OS XML API Request

API Authentication and Security

XPath Node Selection

Get Started with the PAN-OS XML API

Enable API Access

Get Your API Key

Make Your First API Call

Explore the API

Use the API Browser

Use the CLI to Find XML API Syntax

Use the Web Interface to Find XML API Syntax

PAN-OS XML API Error Codes

Authenticate Your API Requests

PAN-OS XML API Use Cases

Upgrade a Firewall to the Latest PAN-OS Version (API)

Show and Manage GlobalProtect Users (API)

Query a Firewall from Panorama (API)

Upgrade PAN-OS on Multiple HA Firewalls through Panorama (A...

Automatically Check for and Install Content Updates (API)

Enforce Policy using External Dynamic Lists and AutoFocus A...

Configure SAML 2.0 Authentication (API)

PAN-OS XML API Request Types

PAN-OS XML API Request Types and Actions

Configuration Actions

Actions for Modifying a Configuration

Actions for Reading a Configuration

Asynchronous and Synchronous Requests to the PAN-OS XML API

Configuration (API)

Get Active Configuration

Use XPath to Get Active Configuration

Use XPath to Get ARP Information

Get Candidate Configuration

Set Configuration

Edit Configuration

Delete Configuration

Rename Configuration

Clone Configuration

Move Configuration

Override Configuration

Multi-Move or Multi-Clone Configuration

View Configuration Node Values for XPath

Commit Configuration (API)

Run Operational Mode Commands (API)

Get Reports (API)

Dynamic Reports

Predefined Reports

Export Files (API)

Export Packet Captures

Export Application PCAPS

Export Threat, Filter, and Data Filtering PCAPs

Export Certificates and Keys

Export Technical Support Data

Import Files (API)

Importing Basics

Retrieve Logs (API)

API Log Retrieval Parameters

Example: Use the API to Retrieve Traffic Logs

Apply User-ID Mapping and Populate Dynamic Address Groups (...

Get Version Info (API)

Get Started with the PAN-OS REST API

PAN-OS REST API

Access the PAN-OS REST API

Resource Methods and Query Parameters (REST API)

PAN-OS REST API Request and Response Structure

PAN-OS REST API Error Codes

Work With Objects (REST API)

Create a Security Policy Rule (REST API)

Work with Policy Rules on Panorama (REST API)

Create a Tag (REST API)

Configure a Security Zone (REST API)

Configure an SD-WAN Interface (REST API)

Create an SD-WAN Policy Pre Rule (REST API)

PAN-OS® New Features Guide

Upgrade to PAN-OS 9.1

Upgrade/Downgrade Considerations

Upgrade the Firewall to PAN-OS 9.1

Determine the Upgrade Path to PAN-OS 9.1

Upgrade Firewalls Using Panorama

Upgrade a Standalone Firewall to PAN-OS 9.1

Upgrade an HA Firewall Pair to PAN-OS 9.1

Downgrade from PAN-OS 9.1

Downgrade a Firewall to a Previous Maintenance Release

Downgrade a Firewall to a Previous Feature Release

Downgrade a Windows Agent from PAN-OS 9.1

SD-WAN Features

App-ID Features

Simplified Application Dependency Workflow

Streamlined Application-Based Policy

Panorama Features

Automatic Panorama Connection Recovery

Next-Generation Firewalls for Zero Touch Provisioning

User-ID Features

Include Username in HTTP Header Insertion Entries

Dynamic User Groups

GlobalProtect Features

Enhanced Logging for GlobalProtect

Virtualization Features

VM-Series Firewall on VMware NSX-T (East-West)

PAN-OS® Administrator’s Guide

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Management Strategy

Perform Initial Configuration

Perform Initial Configuration for an Air Gapped Firewall

Set Up Network Access for External Services

Register the Firewall

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Free WildFire Forwarding

Best Practices for Completing the Firewall Deployment

Best Practices for Securing Administrative Access

Subscriptions You Can Use With the Firewall

Activate Subscription Licenses

What Happens When Licenses Expire?

Enhanced Application Logs for Palo Alto Networks Cloud Services

Software and Content Updates

PAN-OS Software Updates

Dynamic Content Updates

Install Content Updates

Applications and Threats Content Updates

Deploy Applications and Threats Content Updates

Tips for Content Updates

Best Practices for Applications and Threats Content Updates

Best Practices for Content Updates—Mission-Critical

Best Practices for Content Updates—Security-First

Content Delivery Network Infrastructure

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Export Configuration Table Data

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Save and Export Firewall Configurations

Revert Firewall Configuration Changes

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure a Firewall Administrator Account

Configure Local or External Authentication for Firewall Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure API Key Lifetime

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Authentication Types

External Authentication Services

Multi-Factor Authentication

Local Authentication

Plan Your Authentication Deployment

Configure Multi-Factor Authentication

Configure MFA Between RSA SecurID and the Firewall

Configure MFA Between Okta and the Firewall

Configure MFA Between Duo and the Firewall

Configure SAML Authentication

Configure Kerberos Single Sign-On

Configure Kerberos Server Authentication

Configure TACACS+ Authentication

Configure RADIUS Authentication

Configure LDAP Authentication

Connection Timeouts for Authentication Servers

Guidelines for Setting Authentication Server Timeouts

Modify the PAN-OS Web Server Timeout

Modify the Captive Portal Session Timeout

Configure Local Database Authentication

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Authentication Policy

Authentication Timestamps

Configure Authentication Policy

Troubleshoot Authentication Issues

Certificate Management

Keys and Certificates

Default Trusted Certificate Authorities (CAs)

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Install a Device Certificate

Restore an Expired Device Certificate

Deploy Certificates Using SCEP

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

High Availability

HA Links and Backup Links

HA Ports on Palo Alto Networks Firewalls

Device Priority and Preemption

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

Refresh HA1 SSH Keys and Configure Key Options

HA Firewall States

Reference: HA Synchronization

Use the Dashboard

Use the Application Command Center

ACC—First Look

Widget Descriptions

Interact with the ACC

Use Case: ACC—Path of Information Discovery

Use the App Scope Reports

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

View and Manage Logs

Log Types and Severity Levels

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Tunnel Inspection Logs

GlobalProtect Logs

Authentication Logs

Use Case: Export Traffic Logs for a Date Range

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Monitor Block List

View and Manage Reports

Configure the Expiration Period and Run Time for Reports

Disable Predefined Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Manage Report Storage Capacity

View Policy Rule Usage

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

URL Filtering Log Fields

Data Filtering Log Fields

HIP Match Log Fields

GlobalProtect Log Fields

GlobalProtect Log Fields for PAN-OS 9.1.0 Through 9.1.2

GlobalProtect Log Fields for PAN-OS 9.1.3 and Later Releases

IP-Tag Log Fields

User-ID Log Fields

Tunnel Inspection Log Fields

SCTP Log Fields

Authentication Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

SNMP Monitoring and Traps

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

HOST-RESOURCES-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

Forward Logs to an HTTP/S Destination

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

User-ID Overview

User-ID Concepts

Server Monitoring

Username Header Insertion

Authentication Policy and Captive Portal

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the Windows-Based User-ID Agent

Configure the Windows User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure Server Monitoring Using WinRM

Configure User-ID to Monitor Syslog Senders for User Mapping

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Captive Portal

Captive Portal Authentication Methods

Captive Portal Modes

Configure Captive Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Insert Username in HTTP Headers

Redistribute User Mappings and Authentication Timestamps

Firewall Deployment for User-ID Redistribution

Configure User-ID Redistribution

Share User-ID Mappings Across Virtual Systems

App-ID Overview

App-ID and HTTP/2 Inspection

Manage Custom or Unknown Applications

Manage New and Modified App-IDs

Apply Tags to an Application Filter

Create Custom Application Tags

Workflow to Best Incorporate New and Modified App-IDs

See the New and Modified App-IDs in a Content Release

See How New and Modified App-IDs Impact Your Security Policy

Ensure Critical New App-IDs are Allowed

Monitor New App-IDs

Disable and Enable App-IDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Resolve Application Dependencies

Safely Enable Applications on Default Ports

Applications with Implicit Support

Security Policy Rule Optimization

Policy Optimizer Concepts

Sorting and Filtering Security Policy Rules

Clear Application Usage Data

Migrate Port-Based to App-ID Based Security Policy Rules

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Add Applications to an Existing Rule

Identify Security Policy Rules with Unused Applications

High Availability for Application Usage Statistics

How to Disable Policy Optimizer

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Use HTTP Headers to Manage SaaS Application Access

Understand SaaS Custom Headers

Domains used by the Predefined SaaS Application Types

Create HTTP Header Insertion Entries using Predefined Types

Create Custom HTTP Header Insertion Entries

Maintain Custom Timeouts for Data Center Applications

Threat Prevention

Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions

Set Up Antivirus, Anti-Spyware, and Vulnerability Protection

About DNS Security

Domain Generation Algorithm (DGA) Detection

DNS Tunneling Detection

Cloud-Delivered DNS Signatures and Protections

Enable DNS Security

Use DNS Queries to Identify Infected Hosts on the Network

How DNS Sinkholing Works

Configure DNS Sinkholing

Configure DNS Sinkholing for a List of Custom Domains

Configure the Sinkhole IP Address to a Local Server on Your Network

See Infected Hosts that Attempted to Connect to a Malicious Domain

Create a Data Filtering Profile

Predefined Data Filtering Patterns

Set Up File Blocking

Prevent Brute Force Attacks

Customize the Action and Trigger Conditions for a Brute Force Signature

Enable Evasion Signatures

Prevent Credential Phishing

Methods to Check for Corporate Credential Submissions

Configure Credential Detection with the Windows User-ID Agent

Set Up Credential Phishing Prevention

Monitor Blocked IP Addresses

Threat Signature Categories

Create Threat Exceptions

Custom Signatures

Monitor and Get Threat Reports

Monitor Activity and Create Custom Reports Based on Threat Categories

Learn More About Threat Signatures

AutoFocus Threat Intelligence for Network Traffic

AutoFocus Intelligence Summary

Enable AutoFocus Threat Intelligence

View and Act on AutoFocus Intelligence Summary Data

Share Threat Intelligence with Palo Alto Networks

What Telemetry Data Does the Firewall Collect?

Passive DNS Monitoring

Enable Telemetry

Threat Prevention Resources

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Forward Proxy Decryption Profile

SSL Inbound Inspection

SSL Inbound Inspection Decryption Profile

SSL Protocol Settings Decryption Profile

SSH Proxy Decryption Profile

Decryption Profile for No Decryption

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

Perfect Forward Secrecy (PFS) Support for SSL Decryption

SSL Decryption and Subject Alternative Names (SANs)

High Availability Support for Decrypted Sessions

Decryption Mirroring

Prepare to Deploy Decryption

Work with Stakeholders to Develop a Decryption Deployment Strategy

Develop a PKI Rollout Plan

Size the Decryption Firewall Deployment

Plan a Staged, Prioritized Deployment

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Server Certificate Verification for Undecrypted Traffic

Decryption Exclusions

Palo Alto Networks Predefined Decryption Exclusions

Exclude a Server from Decryption for Technical Reasons

Create a Policy-Based Decryption Exclusion

Enable Users to Opt Out of SSL Decryption

Temporarily Disable SSL Decryption

Configure Decryption Port Mirroring

Verify Decryption

Decryption Broker

How Decryption Broker Works

Decryption Broker Concepts

Decryption Broker: Forwarding Interfaces

Decryption Broker: Layer 3 Security Chain

Decryption Broker: Transparent Bridge Security Chain

Decryption Broker: Security Chain Session Flow

Decryption Broker: Multiple Security Chains

Decryption Broker: Security Chain Health Checks

Layer 3 Security Chain Guidelines

Configure Decryption Broker with One or More Layer 3 Security Chain

Transparent Bridge Security Chain Guidelines

Configure Decryption Broker with a Single Transparent Bridge Security Chain

Configure Decryption Broker with Multiple Transparent Bridge Security Chains

Activate Free Licenses for Decryption Features

About Palo Alto Networks URL Filtering Solution

How Advanced URL Filtering Works

URL Filtering Use Cases

Security-Focused URL Categories

Malicious URL Categories

Verified URL Categories

Policy Actions You Can Take Based on URL Categories

Plan Your URL Filtering Deployment

URL Filtering Best Practices

Activate The Advanced URL Filtering Subscription

Configure URL Filtering

Test URL Filtering Configuration

Monitor Web Activity

Monitor Web Activity of Network Users

View the User Activity Report

Configure Custom URL Filtering Reports

Log Only the Page a User Visits

Create a Custom URL Category

URL Category Exceptions

Use an External Dynamic List in a URL Filtering Profile

Allow Password Access to Certain Sites

Safe Search Enforcement

Safe Search Settings for Search Providers

Block Search Results When Strict Safe Search Is Not Enabled

Transparently Enable Safe Search for Users

URL Filtering Response Pages

Customize the URL Filtering Response Pages

HTTP Header Logging

Request to Change the Category for a URL

Troubleshoot URL Filtering

Problems Activating Advanced URL Filtering

PAN-DB Cloud Connectivity Issues

URLs Classified as Not-Resolved

Incorrect Categorization

PAN-DB Private Cloud

M-600 Appliance for PAN-DB Private Cloud

Set Up the PAN-DB Private Cloud

Configure the PAN-DB Private Cloud

Configure the Firewalls to Access the PAN-DB Private Cloud

Configure Authentication with Custom Certificates on the PAN-DB Private Cloud

Quality of Service

QoS for Applications and Users

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

VPN Deployments

Site-to-Site VPN Overview

Site-to-Site VPN Concepts

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

Set Up Site-to-Site VPN

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IPSec Crypto Profiles

Set Up an IPSec Tunnel

Set Up Tunnel Monitoring

Define a Tunnel Monitoring Profile

View the Status of the Tunnels

Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Refresh and Restart Behaviors

Refresh or Restart an IKE Gateway or IPSec Tunnel

Test VPN Connectivity

Interpret VPN Error Messages

Site-to-Site VPN Quick Configs

Site-to-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-to-Site VPN with Static and Dynamic Routing

Large Scale VPN (LSVPN)

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

GlobalProtect Portal for LSVPN Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configs

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Configure Interfaces

Virtual Wire Interfaces

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

Virtual Wire Support of High Availability

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure Virtual Wires

Layer 2 Interfaces

Layer 2 Interfaces with No VLANs

Layer 2 Interfaces with VLANs

Configure a Layer 2 Interface

Configure a Layer 2 Interface, Subinterface, and VLAN

Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Interfaces

Configure Layer 3 Interfaces

Manage IPv6 Hosts Using NDP

IPv6 Router Advertisements for DNS Configuration

Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements

Enable NDP Monitoring

Configure an Aggregate Interface Group

Use Interface Management Profiles to Restrict Access

Virtual Routers

Static Route Overview

Static Route Removal Based on Path Monitoring

Configure a Static Route

Configure Path Monitoring for a Static Route

RIP

OSPF Router Types

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Confederations

PIM

Shortest-Path Tree (SPT) and Shared Tree

PIM Assert Mechanism

Reverse-Path Forwarding

Configure IP Multicast

View IP Multicast Information

Route Redistribution

GRE Tunnel Overview

Create a GRE Tunnel

Firewall as a DHCP Server and Client

DHCP Addressing

DHCP Address Allocation Methods

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCP Client

Configure the Management Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear DHCP Leases

View DHCP Client Information

Gather Debug Output about DHCP

DNS

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Use Case 1: Firewall Requires DNS Resolution

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Proxy Rule and FQDN Matching

Dynamic DNS Overview

Configure Dynamic DNS for Firewall Interfaces

NAT

NAT Policy Rules

NAT Policy Overview

NAT Address Pools Identified as Address Objects

Proxy ARP for NAT Address Pools

Source NAT and Destination NAT

Destination NAT

Destination NAT with DNS Rewrite Use Cases

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Forward Use Cases

NAT Rule Capacities

Dynamic IP and Port NAT Oversubscription

Dataplane NAT Memory Statistics

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT with DNS Rewrite

Configure Destination NAT Using Dynamic IP Addresses

Modify the Oversubscription Rate for DIPP NAT

Reserve Dynamic IP NAT Addresses

Disable NAT for a Specific Host or Interface

NAT Configuration Examples

Destination NAT Example—One-to-One Mapping

Destination NAT with Port Translation Example

Destination NAT Example—One-to-Many Mapping

Source and Destination NAT Example

Virtual Wire Source NAT Example

Virtual Wire Static NAT Example

Virtual Wire Destination NAT Example

NPTv6 Does Not Provide Security

Model Support for NPTv6

Unique Local Addresses

Reasons to Use NPTv6

How NPTv6 Works

Checksum-Neutral Mapping

Bi-Directional Translation

NPTv6 Applied to a Specific Service

NPTv6 and NDP Proxy Example

The ND Cache in NPTv6 Example

The NDP Proxy in NPTv6 Example

The NPTv6 Translation in NPTv6 Example

Neighbors in the ND Cache are Not Translated

Create an NPTv6 Policy

IPv4-Embedded IPv6 Address

Path MTU Discovery

IPv6-Initiated Communication

Configure NAT64 for IPv6-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication with Port Translation

ECMP Load-Balancing Algorithms

ECMP Model, Interface, and IP Routing Support

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Supported TLVs in LLDP

LLDP Syslog Messages and SNMP Traps

View LLDP Settings and Status

Clear LLDP Statistics

BFD

BFD Model, Interface, and Client Support

Non-Supported RFC Components of BFD

BFD for Static Routes

BFD for Dynamic Routing Protocols

Reference: BFD Details

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Session Distribution Policies

Session Distribution Policy Descriptions

Change the Session Distribution Policy and View Statistics

Prevent TCP Split Handshake Session Establishment

Tunnel Content Inspection

Tunnel Content Inspection Overview

Configure Tunnel Content Inspection

View Inspected Tunnel Activity

View Tunnel Information in Logs

Create a Custom Report Based on Tagged Tunnel Traffic

Security Policy

Components of a Security Policy Rule

Security Policy Actions

Create a Security Policy Rule

Security Profiles

Create a Security Profile Group

Set Up or Override a Default Security Profile Group

Track Rules Within a Rulebase

Enforce Policy Rule Description, Tag, and Audit Comment

Move or Clone a Policy Rule or Object to a Different Virtual System

Use an Address Object to Represent IP Addresses

Address Objects

Create an Address Object

Use Tags to Group and Visually Distinguish Objects

Create and Apply Tags

View Rules by Tag Group

Use an External Dynamic List in Policy

External Dynamic List

Formatting Guidelines for an External Dynamic List

IP Address List

Built-in External Dynamic Lists

Configure the Firewall to Access an External Dynamic List

Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service

Convert the GlobalSign Root R1 Certificate to PEM Format

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

Exclude Entries from an External Dynamic List

Enforce Policy on an External Dynamic List

Find External Dynamic Lists That Failed Authentication

Disable Authentication for an External Dynamic List

Register IP Addresses and Tags Dynamically

Use Dynamic User Groups in Policy

Use Auto-Tagging to Automate Security Actions

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Use Dynamic Address Groups in Policy

CLI Commands for Dynamic IP Addresses and Tags

Identify Users Connected through a Proxy Server

Use XFF Values for Policies and Logging Source Users

Use the IP Address in the XFF Header to Troubleshoot Events

Policy-Based Forwarding

PBF

Egress Path and Symmetric Return

Path Monitoring for PBF

Service Versus Applications in PBF

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Application Override Policy

Test Policy Rules

Virtual Systems

Virtual Systems Overview

Virtual System Components and Segmentation

Benefits of Virtual Systems

Use Cases for Virtual Systems

Platform Support and Licensing for Virtual Systems

Administrative Roles for Virtual Systems

Shared Objects for Virtual Systems

Communication Between Virtual Systems

Inter-VSYS Traffic That Must Leave the Firewall

Inter-VSYS Traffic That Remains Within the Firewall

External Zones and Security Policies For Traffic Within a Firewall

Inter-VSYS Communication Uses Two Sessions

External Zones and Shared Gateway

Networking Considerations for a Shared Gateway

Configure Virtual Systems

Configure Inter-Virtual System Communication within the Firewall

Configure a Shared Gateway

Customize Service Routes for a Virtual System

Customize Service Routes to Services for Virtual Systems

Configure a PA-7000 Series Firewall for Logging Per Virtual System

Configure a PA-7000 Series LPC for Logging per Virtual System

Configure a PA-7000 Series LFC for Logging per Virtual System

Configure Administrative Access Per Virtual System or Firewall

Virtual System Functionality with Other Features

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Zone Defense Tools

How Do the Zone Defense Tools Work?

Firewall Placement for DoS Protection

Baseline CPS Measurements for Setting Flood Thresholds

CPS Measurements to Take

How to Measure CPS

Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet-Based Attack Protection

Protocol Protection

Packet Buffer Protection

DoS Protection Profiles and Policy Rules

Classified Versus Aggregate DoS Protection

DoS Protection Profiles

DoS Protection Policy Rules

Configure Zone Protection to Increase Network Security

Configure Reconnaissance Protection

Configure Packet Based Attack Protection

Configure Protocol Protection

Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Configure Packet Buffer Protection

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

End a Single Session DoS Attack

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Discard a Session Without a Commit

Enable FIPS and Common Criteria Support

Access the Maintenance Recovery Tool (MRT)

Change the Operational Mode to FIPS-CC Mode

FIPS-CC Security Functions

Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

PAN-OS® Release Notes

PAN-OS 9.0 Release Information

Features Introduced in PAN-OS 9.0

App-ID Features

Virtualization Features

Panorama Features

Content Inspection Features

GlobalProtect Features

Management Features

Networking Features

User-ID Features

WildFire Features

New Hardware Introduced with PAN-OS 9.0

Changes to Default Behavior

Associated Software and Content Versions

Known Issues Related to PAN-OS 9.0

PAN-OS 9.0.17 Known Issues

PAN-OS 9.0.16 Known Issues

PAN-OS 9.0.15 Known Issues

PAN-OS 9.0.14 Known Issues

PAN-OS 9.0.13 Known Issues

PAN-OS 9.0.12 Known Issues

PAN-OS 9.0.11 Known Issues

PAN-OS 9.0.10 Known Issues

PAN-OS 9.0.9 Known Issues

PAN-OS 9.0.8 Known Issues

PAN-OS 9.0.7 Known Issues

PAN-OS 9.0.6 Known Issues

PAN-OS 9.0.5 (and 9.0.5-h3) Known Issues

PAN-OS 9.0.4 Known Issues

PAN-OS 9.0.3 (and 9.0.3-h2 and 9.0.3-h3) Known Issues

PAN-OS 9.0.2 (and 9.0.2-h4) Known Issues

PAN-OS 9.0.1 Known Issues

Known Issues Specific to the WildFire Appliance

PAN-OS 9.0 Addressed Issues

PAN-OS 9.0.17-h1 Addressed Issues

PAN-OS 9.0.17 Addressed Issues

PAN-OS 9.0.16-h3 Addressed Issues

PAN-OS 9.0.16-h2 Addressed Issues

PAN-OS 9.0.16 Addressed Issues

PAN-OS 9.0.15 Addressed Issues

PAN-OS 9.0.14-h4 Addressed Issues

PAN-OS 9.0.14-h3 Addressed Issues

PAN-OS 9.0.14 Addressed Issues

PAN-OS 9.0.13 Addressed Issues

PAN-OS 9.0.12 Addressed Issues

PAN-OS 9.0.11 Addressed Issues

PAN-OS 9.0.10 Addressed Issues

PAN-OS 9.0.9-h1 Addressed Issues

PAN-OS 9.0.9 Addressed Issues

PAN-OS 9.0.8 Addressed Issues

PAN-OS 9.0.7 Addressed Issues

PAN-OS 9.0.6 Addressed Issues

PAN-OS 9.0.5-h3 Addressed Issues

PAN-OS 9.0.5 Addressed Issues

PAN-OS 9.0.4 Addressed Issues

PAN-OS 9.0.3-h3 Addressed Issues

PAN-OS 9.0.3-h2 Addressed Issues

PAN-OS 9.0.3 Addressed Issues

PAN-OS 9.0.2-h4 Addressed Issues

PAN-OS 9.0.2 Addressed Issues

PAN-OS 9.0.1 Addressed Issues

PAN-OS 9.0.0 Addressed Issues

PAN-OS 9.0.16-h5 Addressed Issues

PAN-OS 9.0.16-6 Addressed Issues

PAN-OS 9.0.17-h4 Addressed Issues

PAN-OS 9.0.17-h5 Addressed Issues

PAN-OS 9.0.16-h7 Addressed Issues

Related Documentation

Requesting Support

PAN-OS® Release Notes

PAN-OS 8.1 Release Information

Features Introduced in PAN-OS 8.1

App-ID Features

Virtualization Features

Decryption Features

WildFire Features

Panorama Features

Content Inspection Features

Authentication Features

GlobalProtect Features

Management Features

Networking Features

User-ID Features

Certifications Features

New Hardware Introduced with PAN-OS 8.1

Changes to Default Behavior

App-ID Changes in PAN-OS 8.1

Authentication Changes in PAN-OS 8.1

Content Inspection Changes in PAN-OS 8.1

GlobalProtect Changes in PAN-OS 8.1

User-ID Changes in PAN-OS 8.1

Panorama Changes in PAN-OS 8.1

Networking Changes in PAN-OS 8.1

Virtualization Changes in PAN-OS 8.1

Appliance Changes in PAN-OS 8.1

CLI and XML API Changes in PAN-OS 8.1

Authentication CLI and XML API Changes

Content Inspection CLI and XML API Changes

Decryption CLI and XML API Changes

GlobalProtect CLI and XML API Changes

Management CLI and XML API Changes

Panorama CLI and XML API Changes

User-ID CLI and XML API Changes

Associated Software and Content Versions

Known Issues Related to PAN-OS 8.1 Releases

Known Issues Specific to the WF-500 Appliance

PAN-OS 8.1 Addressed Issues

PAN-OS 8.1.25 Addressed Issues

PAN-OS 8.1.24-h2 Addressed Issues

PAN-OS 8.1.24-h1 Addressed Issues

PAN-OS 8.1.24 Addressed Issues

PAN-OS 8.1.23-h1 Addressed Issues

PAN-OS 8.1.23 Addressed Issues

PAN-OS 8.1.22 Addressed Issues

PAN-OS 8.1.21-h1 Addressed Issues

PAN-OS 8.1.21 Addressed Issues

PAN-OS 8.1.20-h1 Addressed Issues

PAN-OS 8.1.20 Addressed Issues

PAN-OS 8.1.19 Addressed Issues

PAN-OS 8.1.18 Addressed Issues

PAN-OS 8.1.17 Addressed Issues

PAN-OS 8.1.16 Addressed Issues

PAN-OS 8.1.15-h3 Addressed Issues

PAN-OS 8.1.15 Addressed Issues

PAN-OS 8.1.14-h2 Addressed Issues

PAN-OS 8.1.14 Addressed Issues

PAN-OS 8.1.13 Addressed Issues

PAN-OS 8.1.12 Addressed Issues

PAN-OS 8.1.11 Addressed Issues

PAN-OS 8.1.10 Addressed Issues

PAN-OS 8.1.9-h4 Addressed Issues

PAN-OS 8.1.9 Addressed Issues

PAN-OS 8.1.8-h5 Addressed Issues

PAN-OS 8.1.8 Addressed Issues

PAN-OS 8.1.7 Addressed Issues

PAN-OS 8.1.6-h2 Addressed Issues

PAN-OS 8.1.6 Addressed Issues

PAN-OS 8.1.5 Addressed Issues

PAN-OS 8.1.4-h2 Addressed Issues

PAN-OS 8.1.4 Addressed Issues

PAN-OS 8.1.3 Addressed Issues

PAN-OS 8.1.2 Addressed Issues

PAN-OS 8.1.1 Addressed Issues

PAN-OS 8.1.0 Addressed Issues

PAN-OS 8.1.25-h1 Addressed Issues

PAN-OS 8.1.21-h2 Addressed Issues

PAN-OS 8.1.25-h2 Addressed Issues

PAN-OS 8.1.26 Addressed Issues

PAN-OS 8.1.25-h3 Addressed Issues

PAN-OS 8.1.21-h3 Addressed Issues

PAN-OS 8.1.26-h1 Addressed Issues

Related Documentation

Requesting Support

Custom Application IDs and Signatures

Custom Application and Threat Signatures

About Custom Application Signatures

About Custom Threat Signatures

Combination Signatures for Brute Force Attacks

Create Custom Application Signature

Create a Custom Threat Signature

Create a Combination Signature

Create a Custom Threat Signature from a Snort Signature

Test a Custom Signature

Custom Signature Pattern Requirements

Custom Signature Contexts

String Contexts

dns-req-addition-section Context

dns-req-answer-section Context

dns-req-authority-section Context

dns-req-header Context

dns-req-section Context

dns-rsp-addition-section Context

dns-rsp-answer-section Context

dns-rsp-authority-section Context

dns-rsp-header Context

dns-rsp-ptr-answer-data Context

dns-rsp-queries-section Context

email-headers Context

file-elf-body Context

file-flv-body Context

file-html-body Context

file-java-body Context

file-mov-body Context

file-office-content Context

file-pdf-body Context

file-riff-body Context

file-swv-body Context

file-tiff-body Context

file-unknown-body Context

ftp-req-params Context

ftp-rsp-banner Context

ftp-rsp-message Context

gdbremote-req-context Context

gdbremote-rsp-context Context

giop-req-message-body Context

giop-rsp-message-body Context

h225-payload Context

http-req-cookie Context

http-req-headers Context

http-req-host-header Context

http-req-message-body Context

http-req-mime-form-data Context

http-req-params Context

http-req-uri-path Context

http-rsp-headers Context

http-rsp-non-2xx-response-body Context

imap-req-cmd-line Context

imap-req-first-param Context

imap-req-params-after-first-param Context

irc-req-params Context

irc-req-prefix Context

jpeg-file-scan-data Context

jpeg-file-segment-data Context

jpeg-file-segment-header Context

ms-ds-smb-req-share-name Context

msrpc-req-bind-data Context

mssql-db-req-body Context

nettcp-req-context Context

oracle-req-data-text Context

pe-dos-headers Context

pe-file-header Context

pe-optional-header Context

pe-section-header Context

pe-body-data Context

rtmp-req-message-body Context

rtsp-req-headers Context

rtsp-req-uri-path Context

snmp-req-community-text Context

smtp-req-argument Context

smtp-rsp-content Context

ssh-req-banner Context

ssh-rsp-banner Context

ssl-req-certificate Context

ssl-req-client-hello Context

ssl-req-random-bytes Context

ssl-rsp-cert-subjectpublickey Context

ssl-rsp-certificate Context

ssl-rsp-server-hello Context

telnet-req-client-data Context

telnet-rsp-server-data Context

unknown-req-tcp-payload Context

unknown-rsp-tcp-payload Context

unknown-req-udp-payload Context

unknown-rsp-udp-payload Context

tcp-context-free

udp-context-free

ike-req-headers

ike-rsp-headers

ike-req-payload-text

ike-rsp-payload-text

dns-req-protocol-payload

dns-rsp-protocol-payload

ftp-req-protocol-payload

ftp-rsp-protocol-payload

http-req-user-agent-header

http-rsp-reason

icmp-req-protocol-payload

icmp-rsp-protocol-payload

icmp-req-possible-custom-payload

imap-req-protocol-payload

imap-rsp-protocol-payload

netbios-dg-req-protocol-payload

netbios-dg-rsp-protocol-payload

netbios-ns-req-protocol-payload

netbios-ns-rsp-protocol-payload

pop3-req-protocol-payload

pop3-rsp-protocol-payload

smtp-req-protocol-payload

smtp-rsp-protocol-payload

ssl-req-protocol-payload

ssl-rsp-protocol-payload

http-req-host-ipv4-address-found

http-req-host-ipv6-address-found

ms-ds-smb-req-v1-create-filename

ms-ds-smb-req-v2-create-filename

pre-app-req-data

pre-app-rsp-data

dhcp-req-chaddr

dhcp-req-ciaddr

dhcp-rsp-chaddr

dhcp-rsp-ciaddr

http-req-ms-subdomain

http-req-origin-headers

ldap-req-searchrequest-baseobject

ldap-rsp-searchresentry-objectname

sip-req-headers

ssl-req-chello-sni

Integer Contexts

dnp3-req-func-code Context

dnp3-req-object-type Context

dns-rsp-tcp-over-dns Context

dns-rsp-txt-found Context

ftp-req-params-len Context

http-req-content-length Context

http-req-cookie-length Context

http-req-header-length Context

http-req-param-length Context

http-req-no-version-string-small-pkt Context

http-req-uri-path-length Context

http-req-uri-tilde-count-num Context

http-rsp-code Context

http-rsp-content-length Context

http-rsp-total-headers-len Context

iccp-req-func-code Context

imap-req-cmd-param-len Context

imap-req-first-param-len Context

imap-req-param-len-from-second Context

smtp-req-helo-argument-length Context

smtp-req-mail-argument-length Context

smtp-req-rcpt-argument-length Context

sctp-req-ppid Context

ssl-rsp-version Context

stun-req-attr-type Context

panav-rsp-zip-compression-ratiio Context

ike-req-payload-type

ike-rsp-payload-type

ike-req-payload-length

ike-rsp-payload-length

irc-req-protocol-payload

irc-rsp-protocol-payload

open-vpn-req-protocol-payload

http-req-connect-method

http-req-dst-port

pfcp-req-msg-type

pfcp-rsp-msg-type

ssl-req-client-hello-ext-type

ssl-req-client-hello-missing-sni

http-req-no-host-header

http-req-simple-request

Context Qualifiers

Testing Pattern Performance Impact

Create a Custom L3 & L4 Vulnerability Signature

IPS Signature Converter Plugin for Panorama

About the IPS Signature Converter Plugin

Convert Rules Using the Panorama Web Interface

Convert Rules Using the Panorama CLI

Convert Rules Using the Panorama XML API

Troubleshooting

Install the IPS Signature Converter Plugin

CLI Quick Start

PAN-OS Device Telemetry Metrics Reference

PAN-OS Device Telemetry Overview

Data Collection

Collection Frequency

Metrics that can not Identify Anything

Metrics that Identify a Device

Metrics that Identify a Network

Metrics that Identify a User

Device Health and Performance Metrics

Chassis Inventory

Configuration Log Contents

Content Update Counters

CPU Load Sampling by Firewall Function

CPU Utilization Statistics

Crash and Trace Files

Current Users per GlobalProtect Gateway

Data-Management Plane Health Heartbeat

Dataplane Link Utilization

Device Time-Series Data

DOS Block Table

Fan Speed Measurements

Forwarding Information Base (FIB) Routing Health

Front LED State

Global Counters

GlobalProtect Client Versions

GlobalProtect Failure Connections

GlobalProtect Gateway Connection Details

GlobalProtect Gateway Connection Performance

GlobalProtect Gateway Connection Protocols

GlobalProtect Gateway Failure Details

GlobalProtect Gateway Statistics

GlobalProtect Gateway Tunnel Rates

GlobalProtect Operating System Types

GlobalProtect Portal Connection Failure

GlobalProtect Portal Connection Success

GlobalProtect Quarantined Devices

GlobalProtect Successful Connections

Hardware Alarms

Hardware and Software Pools

Hardware Buffer Statistics

Hardware System Logs

High Availability

High Availability Backup Interfaces

High Availability Interface 1

High Availability Interface 2

Ingress Backlogs

IP Address to User Mapping Count

Log Forwarding Data Transfer Speed

Log Forwarding Generation Rate

Log Receiver Statistics

Logging Statistics

Managed Devices

Management and Data Plane Logs

Management to Data Plane Counters

Maximum Concurrent GlobalProtect Gateway Tunnels

Maximum Concurrent GlobalProtect Gateway Users

Memory Pool Utilization Count

NAT Pool Utilization

NSX Update Rate

Octeon Chip Health

Operational Command History

Packet Buffer Protection

Packet Scheduling Engine Performance

PAN-DNS Cache Usage

PAN-DNS End-to-End Response Time

PAN-DNS Lookup Timeout

PAN-OS Counters

PAN-OS REST API Error Response

PAN-OS REST API Performance Metrics

PAN-OS XML API Error Response

PAN-OS XML API Performance Metrics

Panorama Log Reception Rate

Power Supply Measurements

QUMRAN Chip Health

Registered IP Addresses

Routing Resource

Security Policy Usage and Hit Count

Session Distribution

Session Information

Session Table Usage

SMART Disk Information

Software Buffer Statistics

Software Update History

SSL Decyrption Memory

System Alarm History

System Disk Utilization

System Resource Usage

Temperature Measurements

Traffic Blocked as Command and Control

Traffic Blocked as Malware

Traffic Blocked as Phishing

URL Cache Statistics

User-ID Agent State

WildFire Statistics and Status

Device Connection Status

Device Logging Health

HA Health Errors

Panorama HA Health

Panorama Logging Infra Health

Product Usage Metrics

ACC and Monitor Query History

Anti-Spyware in Security Policies

Antivirus in Security Policies

Any App in Security Policies

App-ID Adoption in Security Policies

Application Blacklisting

Application Override Policies

Asymmetric Network Traffic

Authentication Policy Usage

Bidrectional Forwarding Detection Configuration

Cisco ACI Plugin Configuration

Credential Phishing in Security Policies

Credential Phishing Protection Configuration

Credential Phishing Protection Detection Method

Custom Reports using Detailed Logs Databases

Custom Vulnerability and Spyware Signatures

DAG Security Policies

Data Filtering in Security Policies

Data Filtering Profiles

Data Filtering Profiles by Data Pattern Type

Decryption SSH Proxy Configuration

Destination NAT Session Policies

Device Geographic Location

Device Group and Template Stack Usage

Device Model Number

Device Power On Hours

DNS Proxy Adoption

DNS Sinkhole Protection in Security Policies

DoS Protection Adoption

DoS Protection Threshold Frequency

DSRI Enabled Security Policies

Dynamic DNS Adoption

ECMP Load Balancing

EDL Configuration and Capacity

File Blocking in Security Policies

Firewall Resource Protection Adoption

GlobalProtect Adoption

GlobalProtect Clientless VPN Adoption

GlobalProtect IPv6 Usage

GlobalProtect Mobil App Adoption

GlobalProtect on Linux Endpoints

GlobalProtect Split Tunneling Adoption

HA Heartbeat Backup

HA Passive Link State

HA1 and HA2 Backups

High Risk URL Filtering Logs

HIP Based Features

HIP Based Policies

IPSec Tunnel Monitoring

Known User Security Policy Matching

Large Scale VPN Configuration

License Entitlements

Link and Path Monitoring

Log Collector Group Architecture

Log Collector Redundancy Adoption

Log Creation Policies

Log Forwarding Adoption in Security Policies

Log Forwarding Auto Tag

Log Forwarding Profiles in Security Rules

Log Forwarding Settings

Log Retention Policy

Logging Enablement in Security Policies

Managed Devices Licenses

Miscellaneous Object Usage Statistics

Most Recent Threat Exceptions for all Threat Signatures

NAT Configuration

NetFlow Adoption

NSX Automated Security Actions

NSX Multi-Tenancy Configuration

Number of Custom Reports

PAN-OS REST API Usage

PAN-OS XML API Usage

Panorama Plugins

QoS Configuration

Region Based Security Policies

Route Table Size

Security Policies with File Blocking

Service Ports and App IDs in Security Policies

Severity Based Log Forwarding

SSL Decrypt Configuration

Threat Exceptions by Threat ID

Threat Prevention Policy

Threatening SaaS Traffic

Unused Predefined Reports

URL Category Settings

URL Filtering in Security Policies

User Activity Report

User-ID Adoption in Security Policies

User-ID Mapping Sources

User-ID to Include or Exclude User Mappings

VMware NSX Plugin Configuration

Vulnerability Protection in Security Policies

WildFire Global Cloud Configuration

WildFire in Security Policies

WildFire Virus Threat Logs

XML Configuration Size

Zone Protection Adoption

Timezone and Timestamp

VM Plugin Usage Statistics

Support Licenses Installed

User Interface Interaction

Threat Prevention Metrics

Attacking Countries

Content and Threat Detection State

Correlated Events

Correlated Events Details

Credential Theft

Current Application ID Version

Data Plane Statistics

Decryption Usage

DNS-Related Threat Logs

File Identification

Management Plane Statistics

Non-Standard Port Usage

PAN-DNS Threat Logs

Previous Application ID Version

Proxy Avoidance and Anonymizers

Questionable Sites

Sanctioned Tag SaaS Usage

System Information

Threat Inspection of Mobile Devices

Threats Permitted

Top Application Usage

Uninspected Network Traffic

Unknown Applications by Destination Address

Unknown Applications by Destination Ports

Unknown TCP or UDP Traffic

Advanced Routing Engine Migration Reference

Get Started with Routing Engine Migration

Plan Your Routing Engine Migration

Differences Between Legacy and Advanced Routing Engine

Routing Protocol Migration Exceptions

PIM

PAN-OS ® New Features Guide

Networking Features

DHCPv6 Client with Prefix Delegation

IPSec Transport Mode

Multicast Source Discovery Protocol on Advanced Routing Engine

Power Over Ethernet (PoE)

PPPoE Client Support on a Subinterface

Panorama Features

Static Security Group Tag (SGT) for TrustSec Plugin

Admin-Level Commit with Policy Reordering

Management Features

Skip Software Version Upgrade

TLSv1.3 Support for Management Access

Policy Rulebase Management Using Tags

Cloud Identity Features

User Context for the Cloud Identity Engine

Content Inspection Features

DNS Security Support for DNS Over HTTPS (DoH)

Advanced Threat Prevention Support for Zero-day Exploit Prevention

Support for Custom Layer 3 and Layer 4 Threat Signatures

IoT Security Features

IoT Security Policy Rule Recommendation Enhancements

Improved DHCP Traffic Visibility for IoT Security

Mobile Infrastructure Security Features

User Equipment (UE) to IP Address Correlation with PFCP for 4G

SD-WAN Features

SD-WAN Plugin Support for Advanced Routing Engine

SD-WAN IPv6 Basic Connectivity

Virtualization Features

KMS Support for VM-Series

Software Cut-Through Based Offload on Software Firewalls

WildFire Features

Advanced WildFire Support for Intelligent Run-time Memory Analysis

Hold Mode for WildFire Real-Time Signature Lookup

Certificate Management Features

Support for OCSP Verification through HTTP Proxy

Enterprise Data Loss Prevention Features

File Type Include or Exclude List for Data filtering Profiles

PAN-OS® Networking Administrator’s Guide

Networking Introduction

Configure Interfaces

Virtual Wire Interfaces

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

Virtual Wire Support of High Availability

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure Virtual Wires

Layer 2 Interfaces

Layer 2 Interfaces with No VLANs

Layer 2 Interfaces with VLANs

Configure a Layer 2 Interface

Configure a Layer 2 Interface, Subinterface, and VLAN

Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Interfaces

Configure Layer 3 Interfaces

Manage IPv6 Hosts Using NDP

IPv6 Router Advertisements for DNS Configuration

Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements

Enable NDP Monitoring

Configure a PPPoE Client on a Subinterface

Configure an Aggregate Interface Group

Configure Bonjour Reflector for Network Segmentation

Use Interface Management Profiles to Restrict Access

Virtual Routers

Virtual Router Overview

Configure Virtual Routers

Service Routes Overview

Configure Service Routes

Static Route Overview

Static Route Removal Based on Path Monitoring

Configure a Static Route

Configure Path Monitoring for a Static Route

RIP

OSPF Router Types

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Confederations

PIM

Shortest-Path Tree (SPT) and Shared Tree

PIM Assert Mechanism

Reverse-Path Forwarding

Configure IP Multicast

View IP Multicast Information

Route Redistribution

Route Redistribution Overview

Configure Route Redistribution

GRE Tunnel Overview

Create a GRE Tunnel

Firewall as a DHCP Server and Client

Firewall as a DHCPv6 Client

DHCP Addressing

DHCP Address Allocation Methods

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCPv4 Client

Configure an Interface as a DHCPv6 Client with Prefix Delegation

Configure the Management Interface as a DHCP Client

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear DHCP Leases

View DHCP Client Information

Gather Debug Output about DHCP

DNS

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Configure a Web Proxy

Configure Explicit Proxy

Strata Cloud Manager

Configure Transparent Proxy

Strata Cloud Manager

Configure Authentication for Explicit Web Proxy

Use Case 1: Firewall Requires DNS Resolution

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Proxy Rule and FQDN Matching

Dynamic DNS Overview

Configure Dynamic DNS for Firewall Interfaces

NAT

NAT Policy Rules

NAT Policy Overview

NAT Address Pools Identified as Address Objects

Proxy ARP for NAT Address Pools

Source NAT and Destination NAT

Destination NAT

Destination NAT with DNS Rewrite Use Cases

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Forward Use Cases

NAT Rule Capacities

Dynamic IP and Port NAT Oversubscription

Dataplane NAT Memory Statistics

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT with DNS Rewrite

Configure Destination NAT Using Dynamic IP Addresses

Modify the Oversubscription Rate for DIPP NAT

Reserve Dynamic IP NAT Addresses

Disable NAT for a Specific Host or Interface

NAT Configuration Examples

Destination NAT Example—One-to-One Mapping

Destination NAT with Port Translation Example

Destination NAT Example—One-to-Many Mapping

Source and Destination NAT Example

Virtual Wire Source NAT Example

Virtual Wire Static NAT Example

Virtual Wire Destination NAT Example

Unique Local Addresses

Reasons to Use NPTv6

How NPTv6 Works

Checksum-Neutral Mapping

Bi-Directional Translation

NPTv6 Applied to a Specific Service

NPTv6 and NDP Proxy Example

The ND Cache in NPTv6 Example

The NDP Proxy in NPTv6 Example

The NPTv6 Translation in NPTv6 Example

Neighbors in the ND Cache are Not Translated

Create an NPTv6 Policy

IPv4-Embedded IPv6 Address

Path MTU Discovery

IPv6-Initiated Communication

Configure NAT64 for IPv6-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication with Port Translation

ECMP Load-Balancing Algorithms

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Supported TLVs in LLDP

LLDP Syslog Messages and SNMP Traps

View LLDP Settings and Status

Clear LLDP Statistics

BFD

BFD Model, Interface, and Client Support

Non-Supported RFC Components of BFD

BFD for Static Routes

BFD for Dynamic Routing Protocols

Reference: BFD Details

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Session Distribution Policies

Session Distribution Policy Descriptions

Change the Session Distribution Policy and View Statistics

Prevent TCP Split Handshake Session Establishment

Tunnel Content Inspection

Tunnel Content Inspection Overview

Configure Tunnel Content Inspection

View Inspected Tunnel Activity

View Tunnel Information in Logs

Create a Custom Report Based on Tagged Tunnel Traffic

Tunnel Acceleration Behavior

Disable Tunnel Acceleration

Network Packet Broker

Network Packet Broker Overview

How Network Packet Broker Works

Prepare to Deploy Network Packet Broker

Configure Transparent Bridge Security Chains

Configure Routed Layer 3 Security Chains

Network Packet Broker HA Support

User Interface Changes for Network Packet Broker

Limitations of Network Packet Broker

Troubleshoot Network Packet Broker

Advanced Routing

Enable Advanced Routing

Logical Router Overview

Configure a Logical Router

Create a Static Route

Configure BGP on an Advanced Routing Engine

Create BGP Routing Profiles

Create Filters for the Advanced Routing Engine

Configure OSPFv2 on an Advanced Routing Engine

Create OSPF Routing Profiles

Configure OSPFv3 on an Advanced Routing Engine

Create OSPFv3 Routing Profiles

Configure RIPv2 on an Advanced Routing Engine

Create RIPv2 Routing Profiles

Create BFD Profiles

Configure IPv4 Multicast

Create Multicast Routing Profiles

Create an IPv4 MRoute

PoE

PAN-OS® and Panorama™API Usage Guide

About the PAN-OS API

PAN-OS XML API Components

Structure of a PAN-OS XML API Request

API Authentication and Security

XPath Node Selection

Get Started with the PAN-OS XML API

Enable API Access

Get Your API Key

Authenticate Your API Requests

Make Your First API Call

Explore the API

Use the API Browser

Use the CLI to Find XML API Syntax

Use the Web Interface to Find XML API Syntax

PAN-OS XML API Error Codes

PAN-OS XML API Use Cases

Upgrade a Firewall to the Latest PAN-OS Version (API)

Show and Manage GlobalProtect Users (API)

Query a Firewall from Panorama (API)

Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)

Automatically Check for and Install Content Updates (API)

Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)

Configure SAML 2.0 Authentication (API)

Quarantine Compromised Devices (API)

Manage Certificates (API)

PAN-OS XML API Request Types

PAN-OS XML API Request Types and Actions

Configuration Actions

Actions for Modifying a Configuration

Actions for Reading a Configuration

Asynchronous and Synchronous Requests to the PAN-OS XML API

Configuration (API)

Get Active Configuration

Use XPath to Get Active Configuration

Use XPath to Get ARP Information

Get Candidate Configuration

Set Configuration

Edit Configuration

Delete Configuration

Rename Configuration

Clone Configuration

Move Configuration

Override Configuration

Multi-Move or Multi-Clone Configuration

Multi-config Request (API)

View Configuration Node Values for XPath

Commit Configuration (API)

Run Operational Mode Commands (API)

Get Reports (API)

Dynamic Reports

Predefined Reports

Export Files (API)

Export Packet Captures

Export Application PCAPS

Export Threat, Filter, and Data Filtering PCAPs

Export Certificates and Keys

Export Technical Support Data

Import Files (API)

Importing Basics

Retrieve Logs (API)

API Log Retrieval Parameters

Example: Use the API to Retrieve Traffic Logs

Apply User-ID Mapping and Populate Dynamic Groups (API)

Get Version Info (API)

Get Started with the PAN-OS REST API

PAN-OS REST API

Access the PAN-OS REST API

Resource Methods and Query Parameters (REST API)

PAN-OS REST API Request and Response Structure

PAN-OS REST API Error Codes

Work With Objects (REST API)

Create a Security Policy Rule (REST API)

Work with Policy Rules on Panorama (REST API)

Create a Tag (REST API)

Configure a Security Zone (REST API)

Configure an SD-WAN Interface (REST API)

Create an SD-WAN Policy Pre Rule (REST API)

Configure an Ethernet Interface (REST API)

Update a Virtual Router (REST API)

Work With Decryption (APIs)

PAN-OS CLI Quick Start

Get Started with the CLI

Verify SSH Connection to Firewall

Refresh SSH Keys and Configure Key Options for Management Interface Connection

Give Administrators Access to the CLI

Administrative Privileges

Set Up a Firewall Administrative Account and Assign CLI Privileges

Set Up a Panorama Administrative Account and Assign CLI Privileges

Change CLI Modes

Navigate the CLI

View the Entire Command Hierarchy

Find a Specific Command Using a Keyword Search

Get Help on Command Syntax

Get Help on a Command

Interpret the Command Help

Customize the CLI

View Settings and Statistics

Modify the Configuration

Commit Configuration Changes

Test the Configuration

Test the Authentication Configuration

Test Policy Matches

Load Configurations

Load Configuration Settings from a Text File

Load a Partial Configuration

Xpath Location Formats Determined by Device Configuration

Load a Partial Configuration into Another Configuration Using Xpath Values

Use Secure Copy to Import and Export Files

Export a Saved Configuration from One Firewall and Import it into Another

Export and Import a Complete Log Database (logdb)

CLI Cheat Sheets

CLI Cheat Sheet: Device Management

CLI Cheat Sheet: User-ID

CLI Cheat Sheet: HA

CLI Cheat Sheet: Networking

CLI Cheat Sheet: VSYS

CLI Cheat Sheet: Panorama

CLI Cheat Sheet: CTD Evasion Detection

CLI Changes in PAN-OS 11.0

Set Commands Introduced in PAN-OS 11.0

Set Commands Removed in PAN-OS 11.0

Show Commands Introduced in PAN-OS 11.0

CLI Command Hierarchy for PAN-OS 11.0

PAN-OS 11.0 CLI Ops Command Hierarchy

PAN-OS 11.0 Configure CLI Command Hierarchy

PAN-OS Release Notes

Features Introduced in PAN-OS 11.0

Networking Features

Panorama Features

Management Features

Certificate Management Features

Cloud Identity Features

Content Inspection Features

IoT Security Features

Mobile Infrastructure Security Features

SD-WAN Features

Virtualization Features

Advanced WildFire Features

GlobalProtect Features

Hardware Features

Enterprise Data Loss Prevention Features

Changes to Default Behavior

Changes to Default Behavior in PAN-OS 11.0

Limitations in PAN-OS 11.0

Associated Content and Software Versions

Associated Content and Software Versions for PAN-OS 11.0

WildFire Analysis Environment Support for PAN-OS 11.0

PAN-OS 11.0.2 Known and Addressed Issues

PAN-OS 11.0.2 Known Issues

PAN-OS 11.0.2-h2 Addressed Issues

PAN-OS 11.0.2-h1 Addressed Issues

PAN-OS 11.0.2 Addressed Issues

PAN-OS 11.0.2-h3 Addressed Issues

PAN-OS 11.0.2-h4 Addressed Issues

PAN-OS 11.0.2-h5 Addressed Issues

PAN-OS 11.0.1 Known and Addressed Issues

PAN-OS 11.0.1 Known Issues

PAN-OS 11.0.1-h2 Addressed Issues

PAN-OS 11.0.1 Addressed Issues

PAN-OS 11.0.1-h3 Addressed Issues

PAN-OS 11.0.1-h4 Addressed Issues

PAN-OS 11.0.1-h5 Addressed Issues

PAN-OS 11.0.0 Known and Addressed Issues

PAN-OS 11.0.0 Known Issues

PAN-OS 11.0.0 Addressed Issues

PAN-OS 11.0.0-h1 Addressed Issues

PAN-OS 11.0.0-h2 Addressed Issues

PAN-OS 11.0.0-h3 Addressed Issues

PAN-OS 11.0.0-h4 Addressed Issues

Related Documentation

Related Documentation for PAN-OS 11.0

PAN-OS 11.0.3 Known and Addressed Issues

PAN-OS 11.0.3 Known Issues

PAN-OS 11.0.3 Addressed Issues

PAN-OS 11.0.3-h1 Addressed Issues

PAN-OS 11.0.3-h3 Addressed Issues

PAN-OS 11.0.3-h5 Addressed Issues

PAN-OS 11.0.3-h10 Addressed Issues

PAN-OS 11.0.3-h12 Addressed Issues

PAN-OS 11.0.3-h13 Addressed Issues

PAN-OS 11.0.4 Known and Addressed Issues

PAN-OS 11.0.4 Known Issues

PAN-OS 11.0.4 Addressed Issues

PAN-OS 11.0.4-h1 Addressed Issues

PAN-OS 11.0.4-h2 Addressed Issues

PAN-OS 11.0.4-h5 Addressed Issues

PAN-OS 11.0.4-h6 Addressed Issues

PAN-OS 11.0.5 Known and Addressed Issues

PAN-OS 11.0.5 Known Issues

PAN-OS 11.0.5 Addressed Issues

PAN-OS 11.0.5-h1 Addressed Issues

PAN-OS 11.0.5-h2 Addressed Issues

PAN-OS 11.0.6 Known and Addressed Issues

PAN-OS 11.0.6 Known Issues

PAN-OS 11.0.6 Addressed Issues

PAN-OS 11.0.6-h1 Addressed Issues

PAN-OS Web Interface Help

Web Interface Basics

Firewall Overview

Features and Benefits

Last Login Time and Failed Login Attempts

Message of the Day

Save Candidate Configurations

Lock Configurations

AutoFocus Intelligence Summary

Configuration Table Export

Change Boot Mode

Dashboard Widgets

ACC

A First Glance at the ACC

Working with Tabs and Widgets

Working with Filters—Local Filters and Global Filters

Monitor > External Logs

Monitor > Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Objects

Monitor > Automated Correlation Engine > Correlated Events

Monitor > Packet Capture

Packet Capture Overview

Building Blocks for a Custom Packet Capture

Enable Threat Packet Capture

Monitor > App Scope

App Scope Overview

App Scope Summary Report

App Scope Change Monitor Report

App Scope Threat Monitor Report

App Scope Threat Map Report

App Scope Network Monitor Report

App Scope Traffic Map Report

Monitor > Session Browser

Monitor > Block IP List

Block IP List Entries

View or Delete Block IP List Entries

Monitor > Botnet

Botnet Report Settings

Botnet Configuration Settings

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary

Monitor > PDF Reports > User Activity Report

Monitor > PDF Reports > SaaS Application Usage

Monitor > PDF Reports > Report Groups

Monitor > PDF Reports > Email Scheduler

Monitor > Manage Custom Reports

Monitor > Reports

Move or Clone a Policy Rule

Audit Comment Archive

Rule Usage Hit Count Query

Policies > Security

Security Policy Overview

Building Blocks in a Security Policy Rule

Creating and Managing Policies

Overriding or Reverting a Security Policy Rule

Applications and Usage

Security Policy Optimizer

NAT Policies General Tab

NAT Original Packet Tab

NAT Translated Packet Tab

NAT Active/Active HA Binding Tab

Policies > Policy Based Forwarding

Policy Based Forwarding General Tab

Policy Based Forwarding Source Tab

Policy Based Forwarding Destination/Application/Service Tab

Policy Based Forwarding Forwarding Tab

Policy Based Forwarding Target Tab

Policies > Decryption

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Decryption Target Tab

Policies > Network Packet Broker

Network Packet Broker General Tab

Network Packet Broker Source Tab

Network Packet Broker Destination Tab

Network Packet Broker Application/Service/Traffic Tab

Network Packet Broker Path Selection Tab

Network Packet Broker Policy Optimizer Rule Usage

Policies > Tunnel Inspection

Building Blocks in a Tunnel Inspection Policy

Policies > Application Override

Application Override General Tab

Application Override Source Tab

Application Override Destination Tab

Application Override Protocol/Application Tab

Application Override Target Tab

Policies > Authentication

Building Blocks of an Authentication Policy Rule

Create and Manage Authentication Policy

Policies > DoS Protection

DoS Protection General Tab

DoS Protection Source Tab

DoS Protection Destination Tab

DoS Protection Option/Protection Tab

DoS Protection Target Tab

Policies > SD-WAN

SD-WAN General Tab

SD-WAN Source Tab

SD-WAN Destination Tab

SD-WAN Application/Service Tab

SD-WAN Path Selection Tab

SD-WAN Target Tab

Move, Clone, Override, or Revert Objects

Move or Clone an Object

Override or Revert an Object

Objects > Addresses

Objects > Address Groups

Objects > Regions

Objects > Dynamic User Groups

Objects > Applications

Applications Overview

Actions Supported on Applications

Defining Applications

Objects > Application Groups

Objects > Application Filters

Objects > Services

Objects > Service Groups

View Rulebase as Groups

Move Rules in Group to Different Rulebase or Device Group

Change Group of All Rules

Move All Rules in Group

Delete All Rules in Group

Clone All Rules in Group

Objects > Devices

Objects > External Dynamic Lists

Objects > Custom Objects

Objects > Custom Objects > Data Patterns

Data Pattern Settings

Syntax for Regular Expression Data Patterns

Regular Expression Data Pattern Examples

Objects > Custom Objects > Spyware/Vulnerability

Objects > Custom Objects > URL Category

Objects > Security Profiles

Actions in Security Profiles

Objects > Security Profiles > Antivirus

Objects > Security Profiles > Anti-Spyware Profile

Objects > Security Profiles > Vulnerability Protection

Objects > Security Profiles > URL Filtering

URL Filtering General Settings

URL Filtering Categories

URL Filtering Settings

User Credential Detection

HTTP Header Insertion

Inline Categorization

Objects > Security Profiles > File Blocking

Objects > Security Profiles > WildFire Analysis

Objects > Security Profiles > Data Filtering

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > Mobile Network Protection

Objects > Security Profiles > SCTP Protection

Objects > Security Profile Groups

Objects > Log Forwarding

Objects > Authentication

Objects > Decryption Profile

Decryption Profile General Settings

Settings to Control Decrypted Traffic

Settings to Control Traffic that is not Decrypted

Settings to Control Decrypted SSH Traffic

Objects > Packet Broker Profile

Objects > SD-WAN Link Management

Objects > SD-WAN Link Management > Path Quality Profile

Objects > SD-WAN Link Management > SaaS Quality Profile

Objects > SD-WAN Link Management > Traffic Distribution Profile

Objects > SD-WAN Link Management > Error Correction Profile

Objects > Schedules

Network > Interfaces

Firewall Interfaces Overview

Common Building Blocks for Firewall Interfaces

Common Building Blocks for PA-7000 Series Firewall Interfaces

Virtual Wire Interface

Virtual Wire Subinterface

PA-7000 Series Layer 2 Interface

PA-7000 Series Layer 2 Subinterface

PA-7000 Series Layer 3 Interface

Layer 3 Interface

Layer 3 Subinterface

Log Card Interface

Log Card Subinterface

Decrypt Mirror Interface

Aggregate Ethernet (AE) Interface Group

Aggregate Ethernet (AE) Interface

Network > Interfaces > VLAN

Network > Interfaces > Loopback

Network > Interfaces > Tunnel

Network > Interfaces > SD-WAN

Network > Interfaces > PoE

Network > Zones

Security Zone Overview

Building Blocks of Security Zones

Network > VLANs

Network > Virtual Wires

Network > Virtual Routers

General Settings of a Virtual Router

Route Redistribution

RIP

RIP Interfaces Tab

RIP Auth Profiles Tab

RIP Export Rules Tab

OSPF Auth Profiles Tab

OSPF Export Rules Tab

OSPF Advanced Tab

OSPFv3 Areas Tab

OSPFv3 Auth Profiles Tab

OSPFv3 Export Rules Tab

OSPFv3 Advanced Tab

BGP

Basic BGP Settings

BGP General Tab

BGP Advanced Tab

BGP Peer Group Tab

BGP Import and Export Tabs

BGP Conditional Adv Tab

BGP Aggregate Tab

BGP Redist Rules Tab

Multicast Rendezvous Point Tab

Multicast Interfaces Tab

Multicast SPT Threshold Tab

Multicast Source Specific Address Space Tab

Multicast Advanced Tab

More Runtime Stats for a Virtual Router

BFD Summary Information Tab

More Runtime Stats for a Logical Router

Routing Stats for a Logical Router

BGP Stats for a Logical Router

Network > Routing > Logical Routers

Network > Routing > Logical Routers > General

Network > Routing > Logical Routers > Static

Network > Routing > Logical Routers > OSPF

Network > Routing > Logical Routers > OSPFv3

Network > Routing > Logical Routers > RIPv2

Network > Routing > Logical Routers > BGP

Network > Routing > Logical Routers > Multicast

Network > Routing > Routing Profiles

Network > Routing > Routing Profiles > BGP

Network > Routing > Routing Profiles > BFD

Network > Routing > Routing Profiles > OSPF

Network > Routing > Routing Profiles > OSPFv3

Network > Routing > Routing Profiles > RIPv2

Network > Routing > Routing Profiles > Filters

Network > Routing > Routing Profiles > Multicast

Network > IPSec Tunnels

IPSec VPN Tunnel Management

IPSec Tunnel General Tab

IPSec Tunnel Proxy IDs Tab

IPSec Tunnel Status on the Firewall

IPSec Tunnel Restart or Refresh

Network > GRE Tunnels

DHCP Addressing

Network > DNS Proxy

DNS Proxy Overview

DNS Proxy Settings

Additional DNS Proxy Actions

Network > Proxy

QoS Interface Settings

QoS Interface Statistics

Building Blocks of LLDP

Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto

Network > Network Profiles > IKE Gateways

IKE Gateway Management

IKE Gateway General Tab

IKE Gateway Advanced Options Tab

IKE Gateway Restart or Refresh

Network > Network Profiles > IPSec Crypto

Network > Network Profiles > IKE Crypto

Network > Network Profiles > Monitor

Network > Network Profiles > Interface Mgmt

Network > Network Profiles > Zone Protection

Building Blocks of Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet Based Attack Protection

Protocol Protection

Ethernet SGT Protection

L3 & L4 Header Inspection

Network > Network Profiles > QoS

Network > Network Profiles > LLDP Profile

Network > Network Profiles > BFD Profile

Building Blocks of a BFD Profile

View BFD Summary and Details

Network > Network Profiles > SD-WAN Interface Profile

Device > Setup > Management

Device > Setup > Operations

Enable SNMP Monitoring

Device > Setup > HSM

Hardware Security Module Provider Settings

HSM Authentication

Hardware Security Operations

Hardware Security Module Provider Configuration and Status

Hardware Security Module Status

Device > Setup > Services

Configure Services for Global and Virtual Systems

Global Services Settings

IPv4 and IPv6 Support for Service Route Configuration

Destination Service Route

Device > Setup > Interfaces

Device > Setup > Telemetry

Device > Setup > Content-ID

Device > Setup > WildFire

Device > Setup > Session

Session Settings

Session Timeouts

Decryption Settings: Certificate Revocation Checking

Decryption Settings: Forward Proxy Server Certificate Settings

Decryption Settings: SSL Decryption Settings

VPN Session Settings

Device > Setup > ACE

Device > Setup > DLP

Device > High Availability

Important Considerations for Configuring HA

HA General Settings

HA Communications

HA Link and Path Monitoring

HA Active/Active Config

Device > Log Forwarding Card

Device > Config Audit

Device > Password Profiles

Username and Password Requirements

Device > Administrators

Device > Admin Roles

Device > Access Domain

Device > Authentication Profile

Authentication Profile

SAML Metadata Export from an Authentication Profile

Device > Authentication Sequence

Device > IoT > DHCP Server

Device > Data Redistribution

Device > Data Redistribution > Agents

Device > Data Redistribution > Clients

Device > Data Redistribution > Collector Settings

Device > Data Redistribution > Include/Exclude Networks

Device > Device Quarantine

Device > VM Information Sources

Settings to Enable VM Information Sources for VMware ESXi and vCenter Servers

Settings to Enable VM Information Sources for AWS VPC

Settings to Enable VM Information Sources for Google Compute Engine

Device > Troubleshooting

Security Policy Match

QoS Policy Match

Authentication Policy Match

Decryption/SSL Policy Match

NAT Policy Match

Policy Based Forwarding Policy Match

DoS Policy Match

Log Collector Connectivity

External Dynamic List

Test Cloud Logging Service Status

Test Cloud GP Service Status

Device > Virtual Systems

Device > Shared Gateways

Device > Certificate Management

Device > Certificate Management > Certificates

Manage Firewall and Panorama Certificates

Other Supported Actions to Manage Certificates

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificate Profile

Device > Certificate Management > OCSP Responder

Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SCEP

Device > Certificate Management > SSL Decryption Exclusion

Device > Certificate Management > SSH Service Profile

Device > Response Pages

Device > Log Settings

Select Log Forwarding Destinations

Define Alarm Settings

Device > Server Profiles

Device > Server Profiles > SNMP Trap

Device > Server Profiles > Syslog

Device > Server Profiles > Email

Device > Server Profiles > HTTP

Device > Server Profiles > NetFlow

Device > Server Profiles > RADIUS

Device > Server Profiles > TACACS+

Device > Server Profiles > LDAP

Device > Server Profiles > Kerberos

Device > Server Profiles > SAML Identity Provider

Device > Server Profiles > DNS

Device > Server Profiles > Multi Factor Authentication

Device > Local User Database > Users

Device > Local User Database > User Groups

Device > Scheduled Log Export

Device > Software

Device > Dynamic Updates

Device > Licenses

Device > Support

Device > Master Key and Diagnostics

Deploy Master Key

Device > Policy Recommendation > IoT

Device > Policy > Recommendation SaaS

Device > Server Profiles > SCP

User Identification

Device > User Identification > User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor Account

Server Monitoring

Ignore User List

Monitor Servers

Configure Access to Monitored Servers

Manage Access to Monitored Servers

Include or Exclude Subnetworks for User Mapping

Device > User Identification > Connection Security

Device > User Identification > Terminal Server Agents

Device > User Identification > Group Mapping Settings

Device > User Identification> Trusted Source Address

Device > User Identification > Authentication Portal Settings

Device > User Identification > Cloud Identity Engine

Network > GlobalProtect > Portals

GlobalProtect Portals General Tab

GlobalProtect Portals Authentication Configuration Tab

GlobalProtect Portals Portal Data Collection Tab

GlobalProtect Portals Agent Tab

GlobalProtect Portals Agent Authentication Tab

GlobalProtect Portals Agent Config Selection Criteria Tab

GlobalProtect Portals Agent Internal Tab

GlobalProtect Portals Agent External Tab

GlobalProtect Portals Agent App Tab

GlobalProtect Portals Agent HIP Data Collection Tab

GlobalProtect Portals Clientless VPN Tab

GlobalProtect Portal Satellite Tab

Network > GlobalProtect > Gateways

GlobalProtect Gateways General Tab

GlobalProtect Gateway Authentication Tab

GlobalProtect Gateways Agent Tab

Tunnel Settings Tab

Client Settings Tab

Client IP Pool Tab

Network Services Tab

Connection Settings Tab

Video Traffic Tab

HIP Notification Tab

GlobalProtect Gateway Satellite Tab

Network > GlobalProtect > MDM

Network > GlobalProtect > Clientless Apps

Network > GlobalProtect > Clientless App Groups

Objects > GlobalProtect > HIP Objects

HIP Objects General Tab

HIP Objects Mobile Device Tab

HIP Objects Patch Management Tab

HIP Objects Firewall Tab

HIP Objects Anti-Malware Tab

HIP Objects Disk Backup Tab

HIP Objects Disk Encryption Tab

HIP Objects Data Loss Prevention Tab

HIP Objects Certificate Tab

HIP Objects Custom Checks Tab

Objects > GlobalProtect > HIP Profiles

Device > GlobalProtect Client

Managing the GlobalProtect App Software

Setting Up the GlobalProtect App

Using the GlobalProtect App

Panorama Web Interface

Use the Panorama Web Interface

Panorama Commit Operations

Defining Policies on Panorama

Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode

Panorama > Setup > Interfaces

Panorama > High Availability

Panorama > Managed WildFire Clusters

Managed WildFire Cluster Tasks

Managed WildFire Appliance Tasks

Managed WildFire Information

Managed WildFire Cluster and Appliance Administration

Panorama > Firewall Clusters

Panorama > Administrators

Panorama > Admin Roles

Panorama > Access Domains

Panorama > Scheduled Config Push

Scheduled Config Push Scheduler

Scheduled Config Push Execution History

Panorama > Managed Devices > Summary

Managed Firewall Administration

Managed Firewall Information

Firewall Software and Content Updates

Firewall Backups

Panorama > Device Quarantine

Panorama > Managed Devices > Health

Detailed Device Health on Panorama

Panorama > Templates

Template Stacks

Panorama > Templates > Template Variables

Panorama > Device Groups

Panorama > Managed Collectors

Log Collector Information

Log Collector Configuration

General Log Collector Settings

Log Collector Authentication Settings

Log Collector Interface Settings

Log Collector RAID Disk Settings

Connection Security

Communication Settings

Software Updates for Dedicated Log Collectors

Panorama > Collector Groups

Collector Group Configuration

Collector Group Information

Panorama > Plugins

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Panorama > VMware NSX

Configure a Notify Group

Create Service Definitions

Configure Access to the NSX Manager

Create Steering Rules

Panorama > Log Ingestion Profile

Panorama > Log Settings

Panorama > Server Profiles > SCP

Panorama > Scheduled Config Export

Panorama > Software

Manage Panorama Software Updates

Display Panorama Software Update Information

Panorama > Device Deployment

Manage Software and Content Updates

Display Software and Content Update Information

Schedule Dynamic Content Updates

Revert Content Versions from Panorama

Manage Firewall Licenses

Panorama > Device Registration Auth Key

Terminal Server (TS) Agent Release Notes

Terminal Server (TS) Agent 11.0 Release Information

Changes to Default Behavior

Features Introduced in TS Agent 11.0

System Requirements

Operating System (OS) Compatibility

Known Issues in TS Agent 11.0

Terminal Server (TS) Agent 11.0 Addressed Issues

Related Documentation

Requesting Support

User-ID™ Agent Release Notes

User-ID Agent 11.0 Release Information

Features Introduced in User-ID Agent 11.0

Changes to Default Behavior

System Requirements

Operating System (OS) Compatibility

Known Issues in User-ID Agent 11.0

User-ID Agent 11.0 Addressed Issues

Related Documentation

Requesting Support

PAN-OS® Administrator’s Guide

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Access Strategy for Business Continuity

Determine Your Management Strategy

Perform Initial Configuration

Perform Initial Configuration for an Air Gapped Firewall

Set Up Network Access for External Services

Manage Firewall Resources

Register the Firewall

Manage Hardware Consumption

Decommission a Firewall

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Free WildFire Forwarding

Best Practices for Completing the Firewall Deployment

Subscriptions You Can Use With the Firewall

Activate Subscription Licenses

What Happens When Licenses Expire?

Enhanced Application Logs for Palo Alto Networks Cloud Services

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Commit Selective Configuration Changes

Export Configuration Table Data

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Save and Export Firewall Configurations

Revert Firewall Configuration Changes

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure a Firewall Administrator Account

Configure Local or External Authentication for Firewall Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure API Key Lifetime

Configure Tracking of Administrator Activity

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Provide Granular Access to Operations Settings

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Ports Used for IPSec

Ports Used for Routing

Ports Used for DHCP

Ports Used for Infrastructure

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Device Telemetry

Device Telemetry Overview

Device Telemetry Collection and Transmission Intervals

Manage Device Telemetry

Enable Device Telemetry

Disable Device Telemetry

Enable Service Routes for Telemetry

Manage the Data the Device Telemetry Collects

Manage Historical Device Telemetry

Monitor Device Telemetry

Sample the Data that Device Telemetry Collects

Authentication Types

External Authentication Services

Multi-Factor Authentication

Local Authentication

Plan Your Authentication Deployment

Configure Multi-Factor Authentication

Configure MFA Between RSA SecurID and the Firewall

Configure MFA Between Okta and the Firewall

Configure MFA Between Duo and the Firewall

Configure SAML Authentication

Configure Kerberos Single Sign-On

Configure Kerberos Server Authentication

Configure TACACS+ Authentication

Configure RADIUS Authentication

Configure LDAP Authentication

Connection Timeouts for Authentication Servers

Guidelines for Setting Authentication Server Timeouts

Modify the PAN-OS Web Server Timeout

Modify the Authentication Portal Session Timeout

Configure Local Database Authentication

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Authentication Policy

Authentication Timestamps

Configure Authentication Policy

Troubleshoot Authentication Issues

Pre-Logon for SAML Authentication

Certificate Management

Keys and Certificates

Default Trusted Certificate Authorities (CAs)

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Enable an HTTP Proxy for OCSP Status Checks

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Master Key Encryption

Configure Master Key Encryption Level

Master Key Encryption on a Firewall HA Pair

Master Key Encryption Logs

Unique Master Key Encryptions for AES-256-GCM

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Install a Device Certificate

Restore an Expired Device Certificate

Deploy Certificates Using SCEP

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Configure an SSH Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

High Availability

HA Links and Backup Links

HA Ports on Palo Alto Networks Firewalls

Device Priority and Preemption

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

HA Clustering Overview

HA Clustering Best Practices and Provisioning

Configure HA Clustering

Refresh HA1 SSH Keys and Configure Key Options

HA Firewall States

Reference: HA Synchronization

Use the Dashboard

Use the Application Command Center

ACC—First Look

Widget Descriptions

Interact with the ACC

Use Case: ACC—Path of Information Discovery

Use the App Scope Reports

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

View and Manage Logs

Log Types and Severity Levels

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Tunnel Inspection Logs

GlobalProtect Logs

Decryption Logs

Authentication Logs

Use Case: Export Traffic Logs for a Date Range

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Monitor Block List

View and Manage Reports

Configure the Expiration Period and Run Time for Reports

Disable Predefined Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Manage Report Storage Capacity

View Policy Rule Usage

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

URL Filtering Log Fields

Data Filtering Log Fields

HIP Match Log Fields

GlobalProtect Log Fields

IP-Tag Log Fields

User-ID Log Fields

Decryption Log Fields

Tunnel Inspection Log Fields

SCTP Log Fields

Authentication Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

Audit Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

Syslog Severity Reference

Informational System Log Messages

Low Severity System Log Messages

Medium System Log Messages

High System Log Messages

Critical System Log Messages

SNMP Monitoring and Traps

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

HOST-RESOURCES-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

Forward Logs to an HTTP/S Destination

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

Monitor Transceivers

User-ID Overview

User-ID Concepts

Server Monitoring

Username Header Insertion

Authentication Policy and Authentication Portal

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the Windows-Based User-ID Agent

Configure the Windows User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure Server Monitoring Using WinRM

Configure User-ID to Monitor Syslog Senders for User Mapping

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Authentication Portal

Authentication Portal Authentication Methods

Authentication Portal Modes

Configure Authentication Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Insert Username in HTTP Headers

Redistribute Data and Authentication Timestamps

Firewall Deployment for Data Redistribution

Configure Data Redistribution

Share User-ID Mappings Across Virtual Systems

App-ID Overview

Streamlined App-ID Policy Rules

Create an Application Filter Using Tags

Create an Application Filter Based on Custom Tags

App-ID and HTTP/2 Inspection

Manage Custom or Unknown Applications

Manage New and Modified App-IDs

Workflow to Best Incorporate New and Modified App-IDs

See the New and Modified App-IDs in a Content Release

See How New and Modified App-IDs Impact Your Security Policy

Ensure Critical New App-IDs are Allowed

Monitor New App-IDs

Disable and Enable App-IDs

Enable and Monitor App-ID TSIDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Resolve Application Dependencies

Safely Enable Applications on Default Ports

Applications with Implicit Support

Security Policy Rule Optimization

Policy Optimizer Concepts

Sorting and Filtering Security Policy Rules

Clear Application Usage Data

Migrate Port-Based to App-ID Based Security Policy Rules

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Add Applications to an Existing Rule

Identify Security Policy Rules with Unused Applications

High Availability for Application Usage Statistics

How to Disable Policy Optimizer

App-ID Cloud Engine

Prepare to Deploy App-ID Cloud Engine

Enable or Disable the App-ID Cloud Engine

App-ID Cloud Engine Processing and Policy Usage

New App Viewer (Policy Optimizer)

Add Apps to an Application Filter with Policy Optimizer

Add Apps to an Application Group with Policy Optimizer

Add Apps Directly to a Rule with Policy Optimizer

Replace an RMA Firewall (ACE)

Impact of License Expiration or Disabling ACE

Commit Failure Due to Cloud Content Rollback

Troubleshoot App-ID Cloud Engine

SaaS App-ID Policy Recommendation

Import SaaS Policy Recommendation

Import Updated SaaS Policy Recommendation

Remove Deleted SaaS Policy Recommendation

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Use HTTP Headers to Manage SaaS Application Access

Understand SaaS Custom Headers

Domains used by the Predefined SaaS Application Types

Create HTTP Header Insertion Entries using Predefined Types

Create Custom HTTP Header Insertion Entries

Maintain Custom Timeouts for Data Center Applications

Device-ID Overview

Prepare to Deploy Device-ID

Configure Device-ID

Manage Device-ID

CLI Commands for Device-ID

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Forward Proxy Decryption Profile

SSL Inbound Inspection

SSL Inbound Inspection Decryption Profile

SSL Protocol Settings Decryption Profile

SSH Proxy Decryption Profile

Profile for No Decryption

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

Perfect Forward Secrecy (PFS) Support for SSL Decryption

SSL Decryption and Subject Alternative Names (SANs)

TLSv1.3 Decryption

High Availability Not Supported for Decrypted Sessions

Decryption Mirroring

Prepare to Deploy Decryption

Work with Stakeholders to Develop a Decryption Deployment Strategy

Develop a PKI Rollout Plan

Size the Decryption Firewall Deployment

Plan a Staged, Prioritized Deployment

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Server Certificate Verification for Undecrypted Traffic

Decryption Exclusions

Palo Alto Networks Predefined Decryption Exclusions

Exclude a Server from Decryption for Technical Reasons

Local Decryption Exclusion Cache

Create a Policy-Based Decryption Exclusion

Block Private Key Export

Generate a Private Key and Block It

Import a Private Key and Block It

Import a Private Key for IKE Gateway and Block It

Verify Private Key Blocking

Enable Users to Opt Out of SSL Decryption

Temporarily Disable SSL Decryption

Configure Decryption Port Mirroring

Verify Decryption

Troubleshoot and Monitor Decryption

Decryption Application Command Center Widgets

Configure Decryption Logging

Decryption Log Errors, Error Indexes, and Bitmasks

Repair Incomplete Certificate Chains

Custom Report Templates for Decryption

Unsupported Parameters by Proxy Type and TLS Version

Decryption Troubleshooting Workflow Examples

Investigate Decryption Failure Reasons

Troubleshoot Unsupported Cipher Suites

Identify Weak Protocols and Cipher Suites

Identify Untrusted CA Certificates

Troubleshoot Expired Certificates

Troubleshoot Revoked Certificates

Troubleshoot Pinned Certificates

Activate Free Licenses for Decryption Features

Quality of Service

QoS for Applications and Users

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure Lockless QoS

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

VPN Deployments

Site-To-Site VPN Overview

Site-To-Site VPN Concepts

Tunnel Interface

Tunnel Monitoring

Internet Key Exchange (IKE) for VPN

Methods of Securing IPSec VPN Tunnels (IKE Phase 2)

Cookie Activation Threshold and Strict Cookie Validation

Traffic Selectors

Hash and URL Certificate Exchange

SA Key Lifetime and Re-Authentication Interval

Set Up Site-To-Site VPN

Set Up an IKE Gateway

Export a Certificate for a Peer to Access Using Hash and URL

Import a Certificate for IKEv2 Gateway Authentication

Change the Key Lifetime or Authentication Interval for IKEv2

Change the Cookie Activation Threshold for IKEv2

Configure IKEv2 Traffic Selectors

Define Cryptographic Profiles

Define IKE Crypto Profiles

Define IPSec Crypto Profiles

Set Up an IPSec Tunnel

Set Up an IPSec Tunnel (Tunnel Mode)

Set Up an IPSec Tunnel (Transport Mode)

Set Up Tunnel Monitoring

Define a Tunnel Monitoring Profile

View the Status of the Tunnels

Enable, Disable, Refresh, or Restart an IKE Gateway or IPSec Tunnel

Enable or Disable an IKE Gateway or IPSec Tunnel

Refresh and Restart Behaviors

Refresh or Restart an IKE Gateway or IPSec Tunnel

Test VPN Connectivity

Interpret VPN Error Messages

Site-To-Site VPN Quick Configurations

Site-To-Site VPN with Static Routing

Site-to-Site VPN with OSPF

Site-To-Site VPN with Static and Dynamic Routing

Large Scale VPN (LSVPN)

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

GlobalProtect Portal for LSVPN Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configuration

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Security Policy

Components of a Security Policy Rule

Security Policy Actions

Create a Security Policy Rule

Security Profiles

Create a Security Profile Group

Set Up or Override a Default Security Profile Group

Create a Data Filtering Profile

Predefined Data Filtering Patterns

Set Up File Blocking

Track Rules Within a Rulebase

Enforce Policy Rule Description, Tag, and Audit Comment

Move or Clone a Policy Rule or Object to a Different Virtual System

Use an Address Object to Represent IP Addresses

Address Objects

Create an Address Object

Use Tags to Group and Visually Distinguish Objects

Create and Apply Tags

View Rules by Tag Group

Use an External Dynamic List in Policy

External Dynamic List

Formatting Guidelines for an External Dynamic List

IP Address List

Built-in External Dynamic Lists

Configure the Firewall to Access an External Dynamic List

Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service

Convert the GlobalSign Root R1 Certificate to PEM Format

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

Exclude Entries from an External Dynamic List

Enforce Policy on an External Dynamic List

Find External Dynamic Lists That Failed Authentication

Disable Authentication for an External Dynamic List

Register IP Addresses and Tags Dynamically

Use Dynamic User Groups in Policy

Use Auto-Tagging to Automate Security Actions

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Use Dynamic Address Groups in Policy

CLI Commands for Dynamic IP Addresses and Tags

Enforce Policy on Endpoints and Users Behind an Upstream Device

Use XFF Values for Policy Based on Source Users

Use XFF IP Address Values in Security Policy and Logging

Use the IP Address in the XFF Header to Troubleshoot Events

Policy-Based Forwarding

PBF

Egress Path and Symmetric Return

Path Monitoring for PBF

Service Versus Applications in PBF

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Application Override Policy

Test Policy Rules

Virtual Systems

Virtual Systems Overview

Virtual System Components and Segmentation

Benefits of Virtual Systems

Use Cases for Virtual Systems

Platform Support and Licensing for Virtual Systems

Administrative Roles for Virtual Systems

Shared Objects for Virtual Systems

Communication Between Virtual Systems

Inter-VSYS Traffic That Must Leave the Firewall

Inter-VSYS Traffic That Remains Within the Firewall

External Zones and Security Policies For Traffic Within a Firewall

Inter-VSYS Communication Uses Two Sessions

External Zones and Shared Gateway

Networking Considerations for a Shared Gateway

Configure Virtual Systems

Configure Inter-Virtual System Communication within the Firewall

Configure a Shared Gateway

Customize Service Routes for a Virtual System

Customize Service Routes to Services for Virtual Systems

Configure a PA-7000 Series Firewall for Logging Per Virtual System

Configure a PA-7000 Series LPC for Logging per Virtual System

Configure a PA-7000 Series LFC for Logging per Virtual System

Configure Administrative Access Per Virtual System or Firewall

Virtual System Functionality with Other Features

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Zone Defense Tools

How Do the Zone Defense Tools Work?

Firewall Placement for DoS Protection

Baseline CPS Measurements for Setting Flood Thresholds

CPS Measurements to Take

How to Measure CPS

Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet-Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Packet Buffer Protection

DoS Protection Profiles and Policy Rules

Classified Versus Aggregate DoS Protection

DoS Protection Profiles

DoS Protection Policy Rules

Configure Zone Protection to Increase Network Security

Configure Reconnaissance Protection

Configure Packet Based Attack Protection

Configure Protocol Protection

Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Configure Packet Buffer Protection

Configure Packet Buffer Protection Based on Latency

Configure Ethernet SGT Protection

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

End a Single Session DoS Attack

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Discard a Session Without a Commit

Enable FIPS and Common Criteria Support

Access the Maintenance Recovery Tool (MRT)

Change the Operational Mode to FIPS-CC Mode

FIPS-CC Security Functions

Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

PAN-OS Upgrade Guide

Software and Content Updates

PAN-OS Software Updates

Dynamic Content Updates

Install Content Updates

Applications and Threats Content Updates

Deploy Applications and Threats Content Updates

Tips for Content Updates

Best Practices for Applications and Threats Content Updates

Best Practices for Content Updates—Mission-Critical

Best Practices for Content Updates—Security-First

Content Delivery Network Infrastructure

Upgrade Panorama

Install Content Updates and Software Upgrades for Panorama

Upgrade Panorama with an Internet Connection

Upgrade Panorama Without an Internet Connection

Install Content Updates Automatically for Panorama without an Internet Connection

Upgrade Panorama in an HA Configuration

Migrate Panorama Logs to the New Log Format

Upgrade Panorama for Increased Device Management Capacity

Upgrade Panorama and Managed Devices in FIPS-CC Mode

Downgrade from Panorama 11.0

Troubleshoot Your Panorama Upgrade

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

What Updates Can Panorama Push to Other Devices?

Schedule a Content Update Using Panorama

Panorama, Log Collector, Firewall, and WildFire Version Compatibility

Upgrade Log Collectors When Panorama Is Internet-Connected

Upgrade Log Collectors When Panorama Is Not Internet-Connected

Upgrade a WildFire Cluster from Panorama with an Internet Connection

Upgrade a WildFire Cluster from Panorama without an Internet Connection

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Revert Content Updates from Panorama

PAN-OS Upgrade Checklist

Upgrade/Downgrade Considerations

Upgrade the Firewall to PAN-OS 11.0

Determine the Upgrade Path to PAN-OS 11.0

Upgrade a Standalone Firewall

Upgrade an HA Firewall Pair

Upgrade the Firewall to PAN-OS 11.0 from Panorama

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Downgrade PAN-OS

Downgrade a Firewall to a Previous Maintenance Release

Downgrade a Firewall to a Previous Feature Release

Downgrade a Windows Agent

Troubleshoot Your PAN-OS Upgrade

Upgrade the VM-Series Firewall

Upgrade the VM-Series PAN-OS Software (Standalone)

Upgrade the VM-Series PAN-OS Software (HA Pair)

Upgrade the VM-Series PAN-OS Software Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

Upgrade Panorama Plugins

Panorama Plugins Upgrade/Downgrade Considerations

Upgrade a Panorama Plugin

Upgrade the Enterprise DLP Plugin

Upgrade the Panorama Interconnect Plugin

Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release

Upgrade and Downgrade Paths for SD-WAN Plugin

Install the SD-WAN Plugin

Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin

Upgrade Standalone Panorama Leveraging SD-WAN Plugin

Changes to Note After Upgrade

CLI Commands for Upgrade

Use CLI Commands for Upgrade Tasks

APIs for Upgrade

Use the API for Upgrade Tasks

PAN-OS® and Panorama™API Usage Guide

About the PAN-OS API

PAN-OS XML API Components

Structure of a PAN-OS XML API Request

API Authentication and Security

XPath Node Selection

PAN-OS API Authentication

Enable API Access

Get Your API Key

Generate an API Key Certificate

Authenticate Your API Requests

Get Started with the PAN-OS XML API

Make Your First API Call

Explore the API

Use the API Browser

Use the CLI to Find XML API Syntax

Use the Web Interface to Find XML API Syntax

PAN-OS XML API Error Codes

PAN-OS XML API Use Cases

Upgrade a Firewall to the Latest PAN-OS Version (API)

Show and Manage GlobalProtect Users (API)

Query a Firewall from Panorama (API)

Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)

Automatically Check for and Install Content Updates (API)

Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)

Configure SAML 2.0 Authentication (API)

Quarantine Compromised Devices (API)

Manage Certificates (API)

PAN-OS XML API Request Types

PAN-OS XML API Request Types and Actions

Configuration Actions

Actions for Modifying a Configuration

Actions for Reading a Configuration

Asynchronous and Synchronous Requests to the PAN-OS XML API

Configuration (API)

Get Active Configuration

Use XPath to Get Active Configuration

Use XPath to Get ARP Information

Get Candidate Configuration

Set Configuration

Edit Configuration

Delete Configuration

Rename Configuration

Clone Configuration

Move Configuration

Override Configuration

Multi-Move or Multi-Clone Configuration

Multi-config Request (API)

View Configuration Node Values for XPath

Commit Configuration (API)

Run Operational Mode Commands (API)

Get Reports (API)

Dynamic Reports

Predefined Reports

Export Files (API)

Export Packet Captures

Export Application PCAPS

Export Threat, Filter, and Data Filtering PCAPs

Export Certificates and Keys

Export Technical Support Data

Import Files (API)

Importing Basics

Retrieve Logs (API)

API Log Retrieval Parameters

Example: Use the API to Retrieve Traffic Logs

Apply User-ID Mapping and Populate Dynamic Groups (API)

Get Version Info (API)

Get Started with the PAN-OS REST API

PAN-OS REST API

Access the PAN-OS REST API

Resource Methods and Query Parameters (REST API)

PAN-OS REST API Request and Response Structure

PAN-OS REST API Error Codes

Work With Objects (REST API)

Create a Security Policy Rule (REST API)

Work with Policy Rules on Panorama (REST API)

Create a Tag (REST API)

Configure a Security Zone (REST API)

Configure an SD-WAN Interface (REST API)

Create an SD-WAN Policy Pre Rule (REST API)

Configure an Ethernet Interface (REST API)

Update a Virtual Router (REST API)

Work With Decryption (APIs)

PAN-OS CLI Quick Start

Get Started with the CLI

Verify SSH Connection to Firewall

Refresh SSH Keys and Configure Key Options for Management Interface Connection

Give Administrators Access to the CLI

Administrative Privileges

Set Up a Firewall Administrative Account and Assign CLI Privileges

Set Up a Panorama Administrative Account and Assign CLI Privileges

Change CLI Modes

Navigate the CLI

View the Entire Command Hierarchy

Find a Specific Command Using a Keyword Search

Get Help on Command Syntax

Get Help on a Command

Interpret the Command Help

Customize the CLI

View Settings and Statistics

Modify the Configuration

Commit Configuration Changes

Test the Configuration

Test the Authentication Configuration

Test Policy Matches

Load Configurations

Load Configuration Settings from a Text File

Load a Partial Configuration

Xpath Location Formats Determined by Device Configuration

Load a Partial Configuration into Another Configuration Using Xpath Values

Use Secure Copy to Import and Export Files

Export a Saved Configuration from One Firewall and Import it into Another

Export and Import a Complete Log Database (logdb)

CLI Cheat Sheets

CLI Cheat Sheet: Device Management

CLI Cheat Sheet: User-ID

CLI Cheat Sheet: HA

CLI Cheat Sheet: Networking

CLI Cheat Sheet: VSYS

CLI Cheat Sheet: Panorama

CLI Cheat Sheet: CTD Evasion Detection

CLI Cheat Sheet: Content-ID

CLI Changes in PAN-OS 11.1+

Set Commands Introduced in PAN-OS 11.1

Set Commands Removed in PAN-OS 11.1

Show Commands Introduced in PAN-OS 11.1

Set Commands Introduced in PAN-OS 11.2

Set Commands Changed in PAN-OS 11.2

Set Commands Removed in PAN-OS 11.2

Show Commands Introduced in PAN-OS 11.2

Show Commands Removed in PAN-OS 11.2

CLI Command Hierarchy for PAN-OS 11.1+

PAN-OS 11.1 CLI Ops Command Hierarchy

PAN-OS 11.1 Configure CLI Command Hierarchy

PAN-OS 11.2 CLI Ops Command Hierarchy

PAN-OS 11.2 Configure CLI Command Hierarchy

PAN-OS Web Interface Help

Web Interface Basics

Firewall Overview

Features and Benefits

Last Login Time and Failed Login Attempts

Message of the Day

Save Candidate Configurations

Lock Configurations

AutoFocus Intelligence Summary

Configuration Table Export

Change Boot Mode

Dashboard Widgets

ACC

A First Glance at the ACC

Working with Tabs and Widgets

Working with Filters—Local Filters and Global Filters

Monitor > External Logs

Monitor > Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Objects

Monitor > Automated Correlation Engine > Correlated Events

Monitor > Packet Capture

Packet Capture Overview

Building Blocks for a Custom Packet Capture

Enable Threat Packet Capture

Monitor > App Scope

App Scope Overview

App Scope Summary Report

App Scope Change Monitor Report

App Scope Threat Monitor Report

App Scope Threat Map Report

App Scope Network Monitor Report

App Scope Traffic Map Report

Monitor > Session Browser

Monitor > Block IP List

Block IP List Entries

View or Delete Block IP List Entries

Monitor > Botnet

Botnet Report Settings

Botnet Configuration Settings

Monitor > IoT Devices

IoT Devices > Summary

IoT Devices > Asset Inventory

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary

Monitor > PDF Reports > User Activity Report

Monitor > PDF Reports > SaaS Application Usage

Monitor > PDF Reports > Report Groups

Monitor > PDF Reports > Email Scheduler

Monitor > Manage Custom Reports

Monitor > Reports

Move or Clone a Policy Rule

Audit Comment Archive

Rule Usage Hit Count Query

Policies > Security

Security Policy Overview

Building Blocks in a Security Policy Rule

Creating and Managing Policies

Overriding or Reverting a Security Policy Rule

Applications and Usage

Security Policy Optimizer

NAT Policies General Tab

NAT Original Packet Tab

NAT Translated Packet Tab

NAT Active/Active HA Binding Tab

Policies > Policy Based Forwarding

Policy Based Forwarding General Tab

Policy Based Forwarding Source Tab

Policy Based Forwarding Destination/Application/Service Tab

Policy Based Forwarding Forwarding Tab

Policy Based Forwarding Target Tab

Policies > Decryption

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Decryption Target Tab

Policies > Network Packet Broker

Network Packet Broker General Tab

Network Packet Broker Source Tab

Network Packet Broker Destination Tab

Network Packet Broker Application/Service/Traffic Tab

Network Packet Broker Path Selection Tab

Network Packet Broker Policy Optimizer Rule Usage

Policies > Tunnel Inspection

Building Blocks in a Tunnel Inspection Policy

Policies > Application Override

Application Override General Tab

Application Override Source Tab

Application Override Destination Tab

Application Override Protocol/Application Tab

Application Override Target Tab

Policies > Authentication

Building Blocks of an Authentication Policy Rule

Create and Manage Authentication Policy

Policies > DoS Protection

DoS Protection General Tab

DoS Protection Source Tab

DoS Protection Destination Tab

DoS Protection Option/Protection Tab

DoS Protection Target Tab

Policies > SD-WAN

SD-WAN General Tab

SD-WAN Source Tab

SD-WAN Destination Tab

SD-WAN Application/Service Tab

SD-WAN Path Selection Tab

SD-WAN Target Tab

Move, Clone, Override, or Revert Objects

Move or Clone an Object

Override or Revert an Object

Objects > Addresses

Objects > Address Groups

Objects > Regions

Objects > Dynamic User Groups

Objects > Applications

Applications Overview

Actions Supported on Applications

Defining Applications

Objects > Application Groups

Objects > Application Filters

Objects > Services

Objects > Service Groups

View Rulebase as Groups

Move Rules in Group to Different Rulebase or Device Group

Change Group of All Rules

Move All Rules in Group

Delete All Rules in Group

Clone All Rules in Group

Objects > Devices

Objects > External Dynamic Lists

Objects > Custom Objects

Objects > Custom Objects > Data Patterns

Data Pattern Settings

Syntax for Regular Expression Data Patterns

Regular Expression Data Pattern Examples

Objects > Custom Objects > Spyware/Vulnerability

Objects > Custom Objects > URL Category

Objects > Security Profiles

Actions in Security Profiles

Objects > Security Profiles > Antivirus

Objects > Security Profiles > Anti-Spyware Profile

Objects > Security Profiles > Vulnerability Protection

Objects > Security Profiles > URL Filtering

URL Filtering General Settings

URL Filtering Categories

URL Filtering Settings

User Credential Detection

HTTP Header Insertion

Inline Categorization

Objects > Security Profiles > File Blocking

Objects > Security Profiles > WildFire Analysis

Objects > Security Profiles > Data Filtering

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > Mobile Network Protection

Objects > Security Profiles > SCTP Protection

Objects > Security Profile Groups

Objects > Log Forwarding

Objects > Authentication

Objects > Decryption Profile

Decryption Profile General Settings

Settings to Control Decrypted Traffic

Settings to Control Traffic that is not Decrypted

Settings to Control Decrypted SSH Traffic

Objects > Packet Broker Profile

Objects > SD-WAN Link Management

Objects > SD-WAN Link Management > Path Quality Profile

Objects > SD-WAN Link Management > SaaS Quality Profile

Objects > SD-WAN Link Management > Traffic Distribution Profile

Objects > SD-WAN Link Management > Error Correction Profile

Objects > Schedules

Network > Interfaces

Firewall Interfaces Overview

Common Building Blocks for Firewall Interfaces

Common Building Blocks for PA-7000 Series Firewall Interfaces

Virtual Wire Interface

Virtual Wire Subinterface

PA-7000 Series Layer 2 Interface

PA-7000 Series Layer 2 Subinterface

PA-7000 Series Layer 3 Interface

Layer 3 Interface

Layer 3 Subinterface

Log Card Interface

Log Card Subinterface

Decrypt Mirror Interface

Aggregate Ethernet (AE) Interface Group

Aggregate Ethernet (AE) Interface

Network > Interfaces > VLAN

Network > Interfaces > Loopback

Network > Interfaces > Tunnel

Network > Interfaces > SD-WAN

Network > Interfaces > PoE

Network > Interfaces > Cellular

Network > Interfaces > Fail Open

Network > Zones

Security Zone Overview

Building Blocks of Security Zones

Network > VLANs

Network > Virtual Wires

Network > Virtual Routers

General Settings of a Virtual Router

Route Redistribution

RIP

RIP Interfaces Tab

RIP Auth Profiles Tab

RIP Export Rules Tab

OSPF Auth Profiles Tab

OSPF Export Rules Tab

OSPF Advanced Tab

OSPFv3 Areas Tab

OSPFv3 Auth Profiles Tab

OSPFv3 Export Rules Tab

OSPFv3 Advanced Tab

BGP

Basic BGP Settings

BGP General Tab

BGP Advanced Tab

BGP Peer Group Tab

BGP Import and Export Tabs

BGP Conditional Adv Tab

BGP Aggregate Tab

BGP Redist Rules Tab

Multicast Rendezvous Point Tab

Multicast Interfaces Tab

Multicast SPT Threshold Tab

Multicast Source Specific Address Space Tab

Multicast Advanced Tab

More Runtime Stats for a Virtual Router

BFD Summary Information Tab

More Runtime Stats for a Logical Router

Routing Stats for a Logical Router

BGP Stats for a Logical Router

Network > Routing > Logical Routers

Network > Routing > Logical Routers > General

Network > Routing > Logical Routers > Static

Network > Routing > Logical Routers > OSPF

Network > Routing > Logical Routers > OSPFv3

Network > Routing > Logical Routers > RIPv2

Network > Routing > Logical Routers > BGP

Network > Routing > Logical Routers > Multicast

Network > Routing > Routing Profiles

Network > Routing > Routing Profiles > BGP

Network > Routing > Routing Profiles > BFD

Network > Routing > Routing Profiles > OSPF

Network > Routing > Routing Profiles > OSPFv3

Network > Routing > Routing Profiles > RIPv2

Network > Routing > Routing Profiles > Filters

Network > Routing > Routing Profiles > Multicast

Network > IPSec Tunnels

IPSec VPN Tunnel Management

IPSec Tunnel General Tab

IPSec Tunnel Proxy IDs Tab

IPSec Tunnel Status on the Firewall

IPSec Tunnel Restart or Refresh

Network > GRE Tunnels

DHCP Addressing

Network > DNS Proxy

DNS Proxy Overview

DNS Proxy Settings

Additional DNS Proxy Actions

Network > Proxy

QoS Interface Settings

QoS Interface Statistics

Building Blocks of LLDP

Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto

Network > Network Profiles > IKE Gateways

IKE Gateway Management

IKE Gateway General Tab

IKE Gateway Advanced Options Tab

IKE Gateway Restart or Refresh

Network > Network Profiles > IPSec Crypto

Network > Network Profiles > IKE Crypto

Network > Network Profiles > Monitor

Network > Network Profiles > Interface Mgmt

Network > Network Profiles > Zone Protection

Building Blocks of Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet Based Attack Protection

Protocol Protection

Ethernet SGT Protection

L3 & L4 Header Inspection

Network > Network Profiles > QoS

Network > Network Profiles > LLDP Profile

Network > Network Profiles > BFD Profile

Building Blocks of a BFD Profile

View BFD Summary and Details

Network > Network Profiles > SD-WAN Interface Profile

Network > Network Profiles > MACsec Profile

Device > Setup > Management

Device > Setup > Operations

Enable SNMP Monitoring

Device > Setup > HSM

Hardware Security Module Provider Settings

HSM Authentication

Hardware Security Operations

Hardware Security Module Provider Configuration and Status

Hardware Security Module Status

Device > Setup > Services

Configure Services for Global and Virtual Systems

Global Services Settings

IPv4 and IPv6 Support for Service Route Configuration

Destination Service Route

Device > Setup > Interfaces

Device > Setup > Telemetry

Device > Setup > Content-ID

Device > Setup > WildFire

Device > Setup > Session

Session Settings

Session Timeouts

Decryption Settings: Certificate Revocation Checking

Decryption Settings: Forward Proxy Server Certificate Settings

Decryption Settings: SSL Decryption Settings

VPN Session Settings

Device > Setup > ACE

Device > Setup > DLP

Device > High Availability

Important Considerations for Configuring HA

HA General Settings

HA Communications

HA Link and Path Monitoring

HA Active/Active Config

Device > Log Forwarding Card

Device > Config Audit

Device > Password Profiles

Username and Password Requirements

Device > Administrators

Device > Admin Roles

Device > Access Domain

Device > Authentication Profile

Authentication Profile

SAML Metadata Export from an Authentication Profile

Device > Authentication Sequence

Device > IoT Security > DHCP Server Log Ingestion

Device > Data Redistribution

Device > Data Redistribution > Agents

Device > Data Redistribution > Clients

Device > Data Redistribution > Collector Settings

Device > Data Redistribution > Include/Exclude Networks

Device > Device Quarantine

Device > VM Information Sources

Settings to Enable VM Information Sources for VMware ESXi and vCenter Servers

Settings to Enable VM Information Sources for AWS VPC

Settings to Enable VM Information Sources for Google Compute Engine

Device > Troubleshooting

Security Policy Match

QoS Policy Match

Authentication Policy Match

Decryption/SSL Policy Match

NAT Policy Match

Policy Based Forwarding Policy Match

DoS Policy Match

Log Collector Connectivity

External Dynamic List

Test Cloud Logging Service Status

Test Cloud GP Service Status

Device > Virtual Systems

Device > Shared Gateways

Device > Certificate Management

Device > Certificate Management > Certificates

Manage Firewall and Panorama Certificates

Other Supported Actions to Manage Certificates

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificate Profile

Device > Certificate Management > OCSP Responder

Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SCEP

Device > Certificate Management > SSL Decryption Exclusion

Device > Certificate Management > SSH Service Profile

Device > Response Pages

Device > Log Settings

Select Log Forwarding Destinations

Define Alarm Settings

Device > Server Profiles

Device > Server Profiles > SNMP Trap

Device > Server Profiles > Syslog

Device > Server Profiles > Email

Device > Server Profiles > HTTP

Device > Server Profiles > NetFlow

Device > Server Profiles > RADIUS

Device > Server Profiles > TACACS+

Device > Server Profiles > LDAP

Device > Server Profiles > Kerberos

Device > Server Profiles > SAML Identity Provider

Device > Server Profiles > DNS

Device > Server Profiles > Multi Factor Authentication

Device > Local User Database > Users

Device > Local User Database > User Groups

Device > Scheduled Log Export

Device > Software

Device > Dynamic Updates

Device > Licenses

Device > Support

Device > Master Key and Diagnostics

Deploy Master Key

Device > Policy Recommendation > IoT

Device > Policy > Recommendation SaaS

Device > Policy Recommendation > IoT or SaaS > Import Policy Rule

Device > Server Profiles > SCP

User Identification

Device > User Identification > User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor Account

Server Monitoring

Ignore User List

Monitor Servers

Configure Access to Monitored Servers

Manage Access to Monitored Servers

Include or Exclude Subnetworks for User Mapping

Device > User Identification > Connection Security

Device > User Identification > Terminal Server Agents

Device > User Identification > Group Mapping Settings

Device > User Identification> Trusted Source Address

Device > User Identification > Authentication Portal Settings

Device > User Identification > Cloud Identity Engine

Network > GlobalProtect > Portals

GlobalProtect Portals General Tab

GlobalProtect Portals Authentication Configuration Tab

GlobalProtect Portals Portal Data Collection Tab

GlobalProtect Portals Agent Tab

GlobalProtect Portals Agent Authentication Tab

GlobalProtect Portals Agent Config Selection Criteria Tab

GlobalProtect Portals Agent Internal Tab

GlobalProtect Portals Agent External Tab

GlobalProtect Portals Agent App Tab

GlobalProtect Portals Agent HIP Data Collection Tab

GlobalProtect Portals Clientless VPN Tab

GlobalProtect Portal Satellite Tab

Network > GlobalProtect > Gateways

GlobalProtect Gateways General Tab

GlobalProtect Gateway Authentication Tab

GlobalProtect Gateways Agent Tab

Tunnel Settings Tab

Client Settings Tab

Client IP Pool Tab

Network Services Tab

Connection Settings Tab

Video Traffic Tab

HIP Notification Tab

GlobalProtect Gateway Satellite Tab

Network > GlobalProtect > MDM

Network > GlobalProtect > Clientless Apps

Network > GlobalProtect > Clientless App Groups

Objects > GlobalProtect > HIP Objects

HIP Objects General Tab

HIP Objects Mobile Device Tab

HIP Objects Patch Management Tab

HIP Objects Firewall Tab

HIP Objects Anti-Malware Tab

HIP Objects Disk Backup Tab

HIP Objects Disk Encryption Tab

HIP Objects Data Loss Prevention Tab

HIP Objects Certificate Tab

HIP Objects Custom Checks Tab

Objects > GlobalProtect > HIP Profiles

Device > GlobalProtect Client

Managing the GlobalProtect App Software

Setting Up the GlobalProtect App

Using the GlobalProtect App

Panorama Web Interface

Use the Panorama Web Interface

Panorama Commit Operations

Defining Policies on Panorama

Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode

Panorama > Setup > Interfaces

Panorama > High Availability

Panorama > Managed WildFire Clusters

Managed WildFire Cluster Tasks

Managed WildFire Appliance Tasks

Managed WildFire Information

Managed WildFire Cluster and Appliance Administration

Panorama > Firewall Clusters

Panorama > Administrators

Panorama > Admin Roles

Panorama > Access Domains

Panorama > Scheduled Config Push

Scheduled Config Push Scheduler

Scheduled Config Push Execution History

Panorama > Managed Devices > Summary

Managed Firewall Administration

Managed Firewall Information

Firewall Software and Content Updates

Firewall Backups

Panorama > Device Quarantine

Panorama > Managed Devices > Health

Detailed Device Health on Panorama

Panorama > Templates

Template Stacks

Panorama > Templates > Template Variables

Panorama > Device Groups

Panorama > Managed Collectors

Log Collector Information

Log Collector Configuration

General Log Collector Settings

Log Collector Authentication Settings

Log Collector Interface Settings

Log Collector RAID Disk Settings

Connection Security

Communication Settings

Software Updates for Dedicated Log Collectors

Panorama > Collector Groups

Collector Group Configuration

Collector Group Information

Panorama > Plugins

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Panorama > VMware NSX

Configure a Notify Group

Create Service Definitions

Configure Access to the NSX Manager

Create Steering Rules

Panorama > Log Ingestion Profile

Panorama > Log Settings

Panorama > Server Profiles > SCP

Panorama > Scheduled Config Export

Panorama > Software

Manage Panorama Software Updates

Display Panorama Software Update Information

Panorama > Device Deployment

Manage Software and Content Updates

Display Software and Content Update Information

Schedule Dynamic Content Updates

Revert Content Versions from Panorama

Manage Firewall Licenses

Panorama > Device Registration Auth Key

PAN-OS® Networking Administrator’s Guide

Networking Introduction

Configure Interfaces

Virtual Wire Interfaces

Layer 2 and Layer 3 Packets over a Virtual Wire

Port Speeds of Virtual Wire Interfaces

LLDP over a Virtual Wire

Aggregated Interfaces for a Virtual Wire

Virtual Wire Support of High Availability

Zone Protection for a Virtual Wire Interface

VLAN-Tagged Traffic

Virtual Wire Subinterfaces

Configure Virtual Wires

Layer 2 Interfaces

Layer 2 Interfaces with No VLANs

Layer 2 Interfaces with VLANs

Configure a Layer 2 Interface

Configure a Layer 2 Interface, Subinterface, and VLAN

Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Interfaces

Configure Layer 3 Interfaces

Manage IPv6 Hosts Using NDP

IPv6 Router Advertisements for DNS Configuration

Configure RDNS Servers and DNS Search List for IPv6 Router Advertisements

Enable NDP Monitoring

Configure a PPPoE Client on a Subinterface

Configure an Aggregate Interface Group

Configure Bonjour Reflector for Network Segmentation

Use Interface Management Profiles to Restrict Access

Configure an IPv6 PPPoE Client

Cellular Interfaces

Configure 5G for a Cellular Interface

Upgrade 5G Firmware

Virtual Routers

Virtual Router Overview

Configure Virtual Routers

Service Routes Overview

Configure Service Routes

Static Route Overview

Static Route Removal Based on Path Monitoring

Configure a Static Route

Configure Path Monitoring for a Static Route

RIP

OSPF Router Types

Configure OSPFv3

Configure OSPF Graceful Restart

Confirm OSPF Operation

View the Routing Table

Confirm OSPF Adjacencies

Confirm that OSPF Connections are Established

BGP

Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast

Configure a BGP Peer with MP-BGP for IPv4 Multicast

BGP Confederations

PIM

Shortest-Path Tree (SPT) and Shared Tree

PIM Assert Mechanism

Reverse-Path Forwarding

Configure IP Multicast

View IP Multicast Information

Route Redistribution

Route Redistribution Overview

Configure Route Redistribution

GRE Tunnel Overview

Create a GRE Tunnel

Firewall as a DHCP Server and Client

Firewall as a DHCPv6 Client

DHCP Addressing

DHCP Address Allocation Methods

Predefined DHCP Options

Multiple Values for a DHCP Option

DHCP Options 43, 55, and 60 and Other Customized Options

Configure an Interface as a DHCP Server

Configure an Interface as a DHCPv4 Client

Configure an Interface as a DHCPv6 Client with Prefix Delegation

Configure the Management Interface as a DHCP Client

Configure the Management Interface for Dynamic IPv6 Address Assignment

Configure an Interface as a DHCP Relay Agent

Monitor and Troubleshoot DHCP

View DHCP Server Information

Clear DHCP Leases

View DHCP Client Information

Gather Debug Output about DHCP

Dynamic IPv6 Addressing on the Management Interface

DNS

DNS Proxy Object

DNS Server Profile

Multi-Tenant DNS Deployments

Configure a DNS Proxy Object

Configure a DNS Server Profile

Configure a Web Proxy

Configure Explicit Proxy

Cloud Management

Configure Transparent Proxy

Strata Cloud Manager

Configure Authentication for Explicit Web Proxy

Configure Exemptions for Explicit Proxy Authentication

Exclude All Explicit Proxy Traffic From Authentication

Use Case 1: Firewall Requires DNS Resolution

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Proxy Rule and FQDN Matching

Dynamic DNS Overview

Configure Dynamic DNS for Firewall Interfaces

NAT

NAT Policy Rules

NAT Policy Overview

NAT Address Pools Identified as Address Objects

Proxy ARP for NAT Address Pools

Source NAT and Destination NAT

Destination NAT

Destination NAT with DNS Rewrite Use Cases

Destination NAT with DNS Rewrite Reverse Use Cases

Destination NAT with DNS Rewrite Forward Use Cases

NAT Rule Capacities

Dynamic IP and Port NAT Oversubscription

Dataplane NAT Memory Statistics

Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)

Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)

Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)

Configure Destination NAT with DNS Rewrite

Configure Destination NAT Using Dynamic IP Addresses

Modify the Oversubscription Rate for DIPP NAT

Reserve Dynamic IP NAT Addresses

Disable NAT for a Specific Host or Interface

Create a Source NAT Rule with Persistent DIPP

Strata Cloud Manager

NAT Configuration Examples

Destination NAT Example—One-to-One Mapping

Destination NAT with Port Translation Example

Destination NAT Example—One-to-Many Mapping

Source and Destination NAT Example

Virtual Wire Source NAT Example

Virtual Wire Static NAT Example

Virtual Wire Destination NAT Example

Unique Local Addresses

Reasons to Use NPTv6

How NPTv6 Works

Checksum-Neutral Mapping

Bi-Directional Translation

NPTv6 Applied to a Specific Service

NPTv6 and NDP Proxy Example

The ND Cache in NPTv6 Example

The NDP Proxy in NPTv6 Example

The NPTv6 Translation in NPTv6 Example

Neighbors in the ND Cache are Not Translated

Create an NPTv6 Policy

IPv4-Embedded IPv6 Address

Path MTU Discovery

IPv6-Initiated Communication

Configure NAT64 for IPv6-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication

Configure NAT64 for IPv4-Initiated Communication with Port Translation

ECMP Load-Balancing Algorithms

Configure ECMP on a Virtual Router

Enable ECMP for Multiple BGP Autonomous Systems

Supported TLVs in LLDP

LLDP Syslog Messages and SNMP Traps

View LLDP Settings and Status

Clear LLDP Statistics

BFD

BFD Model, Interface, and Client Support

Non-Supported RFC Components of BFD

BFD for Static Routes

BFD for Dynamic Routing Protocols

Reference: BFD Details

Session Settings and Timeouts

Transport Layer Sessions

TCP

TCP Half Closed and TCP Time Wait Timers

Unverified RST Timer

TCP Split Handshake Drop

Maximum Segment Size (MSS)

UDP

Security Policy Rules Based on ICMP and ICMPv6 Packets

ICMPv6 Rate Limiting

Control Specific ICMP or ICMPv6 Types and Codes

Configure Session Timeouts

Configure Session Settings

Session Distribution Policies

Session Distribution Policy Descriptions

Change the Session Distribution Policy and View Statistics

Prevent TCP Split Handshake Session Establishment

Tunnel Content Inspection

Tunnel Content Inspection Overview

Configure Tunnel Content Inspection

View Inspected Tunnel Activity

View Tunnel Information in Logs

Create a Custom Report Based on Tagged Tunnel Traffic

Tunnel Acceleration Behavior

Disable Tunnel Acceleration

Network Packet Broker

Network Packet Broker Overview

How Network Packet Broker Works

Prepare to Deploy Network Packet Broker

Configure Transparent Bridge Security Chains

Configure Routed Layer 3 Security Chains

Network Packet Broker HA Support

User Interface Changes for Network Packet Broker

Limitations of Network Packet Broker

Troubleshoot Network Packet Broker

Advanced Routing

Enable Advanced Routing

Logical Router Overview

Configure a Logical Router

Create a Static Route

Configure BGP on an Advanced Routing Engine

Create BGP Routing Profiles

Create Filters for the Advanced Routing Engine

Configure OSPFv2 on an Advanced Routing Engine

Create OSPF Routing Profiles

Configure OSPFv3 on an Advanced Routing Engine

Create OSPFv3 Routing Profiles

Configure RIPv2 on an Advanced Routing Engine

Create RIPv2 Routing Profiles

Create BFD Profiles

Configure IPv4 Multicast

Create Multicast Routing Profiles

Create an IPv4 MRoute

PoE

PAN-OS Release Notes

Features Introduced in PAN-OS 11.1

Networking Features

Certificate Management Features

Management Features

Panorama Features

SD-WAN Features

Zone Protection Features

GlobalProtect Features

IoT Security Features

Virtualization Features

Advanced WildFire Features

Hardware Features

Decryption Features

Mobile Infrastructure Security Features

Authentication Features

Changes to Default Behavior

Changes to Default Behavior in PAN-OS 11.1

Limitations in PAN-OS 11.1

Associated Content and Software Versions

Associated Content and Software Versions for PAN-OS 11.1

WildFire Analysis Environment Support for PAN-OS 11.1

PAN-OS 11.1.0 Known and Addressed Issues

PAN-OS 11.1.0 Known Issues

PAN-OS 11.1.0 Addressed Issues

PAN-OS 11.1.0-h1 Addressed Issues

PAN-OS 11.1.0-h2 Addressed Issues

PAN-OS 11.1.0-h3 Addressed Issues

PAN-OS 11.1.0-h4 Addressed Issues

Related Documentation

Related Documentation for PAN-OS 11.1

PAN-OS 11.1.1 Known and Addressed Issues

PAN-OS 11.1.1 Known Issues

PAN-OS 11.1.1 Addressed Issues

PAN-OS 11.1.1-h1 Addressed Issues

PAN-OS 11.1.1-h2 Addressed Issues

PAN-OS 11.1.2 Known and Addressed Issues

PAN-OS 11.1.2 Known Issues

PAN-OS 11.1.2 Addressed Issues

PAN-OS 11.1.2-h1 Addressed Issues

PAN-OS 11.1.2-h3 Addressed Issues

PAN-OS 11.1.2-h4 Addressed Issues

PAN-OS 11.1.2-h9 Addressed Issues

PAN-OS 11.1.2-h12 Addressed Issues

PAN-OS 11.1.2-h14 Addressed Issues

PAN-OS 11.1.2-h15 Addressed Issues

PAN-OS 11.1.3 Known and Addressed Issues

PAN-OS 11.1.3 Known Issues

PAN-OS 11.1.3 Addressed Issues

PAN-OS 11.1.3-h1 Addressed Issues

PAN-OS 11.1.3-h2 Addressed Issues

PAN-OS 11.1.3-h4 Addressed Issues

PAN-OS 11.1.3-h6 Addressed Issues

PAN-OS 11.1.3-h10 Addressed Issues

PAN-OS 11.1.3-h11 Addressed Issues

PAN-OS 11.1.4 Known and Addressed Issues

PAN-OS 11.1.4 Known Issues

PAN-OS 11.1.4 Addressed Issues

PAN-OS 11.1.4-h1 Addressed Issues

PAN-OS 11.1.4-h4 Addressed Issues

PAN-OS 11.1.4-h7 Addressed Issues

PAN-OS 11.1.5 Known and Addressed Issues

PAN-OS 11.1.5 Known Issues

PAN-OS 11.1.5 Addressed Issues

PAN-OS 11.1.5-h1 Addressed Issues

PAN-OS 11.1.6 Known and Addressed Issues

PAN-OS 11.1.6 Known Issues

PAN-OS 11.1.6 Addressed Issues

PAN-OS® Administrator’s Guide

Getting Started

Integrate the Firewall into Your Management Network

Determine Your Access Strategy for Business Continuity

Determine Your Management Strategy

Perform Initial Configuration

Perform Initial Configuration for an Air Gapped Firewall

Set Up Network Access for External Services

Manage Firewall Resources

Register the Firewall

Manage Hardware Consumption

Decommission a Firewall

Segment Your Network Using Interfaces and Zones

Network Segmentation for a Reduced Attack Surface

Configure Interfaces and Zones

Set Up a Basic Security Policy

Assess Network Traffic

Enable Free WildFire Forwarding

Best Practices for Completing the Firewall Deployment

Subscriptions You Can Use With the Firewall

Activate Subscription Licenses

What Happens When Licenses Expire?

Enhanced Application Logs for Palo Alto Networks Cloud Services

Firewall Administration

Management Interfaces

Use the Web Interface

Launch the Web Interface

Configure Banners, Message of the Day, and Logos

Configure Banners and Message of the Day (Strata Cloud Manager)

Configure Banners, Message of the Day, and Logos (PAN-OS)

Use the Administrator Login Activity Indicators to Detect Account Misuse

Manage and Monitor Administrative Tasks

Commit, Validate, and Preview Firewall Configuration Changes

Commit Selective Configuration Changes

Export Configuration Table Data

Use Global Find to Search the Firewall or Panorama Management Server

Manage Locks for Restricting Configuration Changes

Manage Configuration Backups

Perform a Config Audit

Save and Export Firewall Configurations

Revert Firewall Configuration Changes

Manage Firewall Administrators

Administrative Role Types

Configure an Admin Role Profile

Administrative Authentication

Configure Administrative Accounts and Authentication

Configure a Firewall Administrator Account

Configure Local or External Authentication for Firewall Administrators

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure SSH Key-Based Administrator Authentication to the CLI

Configure API Key Lifetime

Enable SCP Uploads for an Administrator

Configure Tracking of Administrator Activity

Reference: Web Interface Administrator Access

Web Interface Access Privileges

Define Access to the Web Interface Tabs

Provide Granular Access to the Monitor Tab

Provide Granular Access to the Policy Tab

Provide Granular Access to the Objects Tab

Provide Granular Access to the Network Tab

Provide Granular Access to the Device Tab

Define User Privacy Settings in the Admin Role Profile

Restrict Administrator Access to Commit and Validate Functions

Provide Granular Access to Global Settings

Provide Granular Access to the Panorama Tab

Provide Granular Access to Operations Settings

Panorama Web Interface Access Privileges

Reference: Port Number Usage

Ports Used for Management Functions

Ports Used for HA

Ports Used for Clustering

Ports Used for Panorama

Ports Used for GlobalProtect

Ports Used for User-ID

Ports Used for IPSec

Ports Used for Routing

Ports Used for DHCP

Ports Used for Infrastructure

Reset the Firewall to Factory Default Settings

Bootstrap the Firewall

USB Flash Drive Support

Sample init-cfg.txt Files

Prepare a USB Flash Drive for Bootstrapping a Firewall

Bootstrap a Firewall Using a USB Flash Drive

Device Telemetry

Device Telemetry Overview

Device Telemetry Collection and Transmission Intervals

Manage Device Telemetry

Enable Device Telemetry

Disable Device Telemetry

Enable Service Routes for Telemetry

Manage the Data the Device Telemetry Collects

Manage Historical Device Telemetry

Monitor Device Telemetry

Sample the Data that Device Telemetry Collects

Authentication Types

External Authentication Services

Multi-Factor Authentication

Local Authentication

Plan Your Authentication Deployment

Configure Multi-Factor Authentication

Configure MFA Between RSA SecurID and the Firewall

Configure MFA Between Okta and the Firewall

Configure MFA Between Duo and the Firewall

Configure SAML Authentication

Configure Kerberos Single Sign-On

Configure Kerberos Server Authentication

Configure TACACS+ Authentication

Configure TACACS Accounting

Configure RADIUS Authentication

Configure LDAP Authentication

Connection Timeouts for Authentication Servers

Guidelines for Setting Authentication Server Timeouts

Modify the PAN-OS Web Server Timeout

Modify the Authentication Portal Session Timeout

Configure Local Database Authentication

Configure an Authentication Profile and Sequence

Test Authentication Server Connectivity

Authentication Policy

Authentication Timestamps

Configure Authentication Policy

Troubleshoot Authentication Issues

Pre-Logon for SAML Authentication

Certificate Management

Keys and Certificates

Default Trusted Certificate Authorities (CAs)

Certificate Revocation

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

Enable an HTTP Proxy for OCSP Status Checks

Certificate Deployment

Set Up Verification for Certificate Revocation Status

Configure an OCSP Responder

Configure Revocation Status Verification of Certificates

Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption

Configure the Master Key

Master Key Encryption

Configure Master Key Encryption Level

Master Key Encryption on a Firewall HA Pair

Master Key Encryption Logs

Unique Master Key Encryptions for AES-256-GCM

Obtain Certificates

Create a Self-Signed Root CA Certificate

Generate a Certificate

Import a Certificate and Private Key

Obtain a Certificate from an External CA

Install a Device Certificate

Restore an Expired Device Certificate

Deploy Certificates Using SCEP

Export a Certificate and Private Key

Configure a Certificate Profile

Configure an SSL/TLS Service Profile

Cloud Management

PAN-OS & Panorama

Configure an SSH Service Profile

Replace the Certificate for Inbound Management Traffic

Configure the Key Size for SSL Forward Proxy Server Certificates

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Secure Keys with a Hardware Security Module

Set Up Connectivity with an HSM

Set Up Connectivity with a SafeNet Network HSM

Set Up Connectivity with an nCipher nShield Connect HSM

Set Up Connectivity with a Thales CipherTrust Manager HSM

Encrypt a Master Key Using an HSM

Encrypt the Master Key

Refresh the Master Key Encryption

Store Private Keys on an HSM

Manage the HSM Deployment

Block Private Key Export

Generate a Private Key and Block It

Import a Private Key and Block It

Import a Private Key for IKE Gateway and Block It

Verify Private Key Blocking

High Availability

HA Links and Backup Links

HA Ports on Palo Alto Networks Firewalls

Device Priority and Preemption

LACP and LLDP Pre-Negotiation for Active/Passive HA

Floating IP Address and Virtual MAC Address

ARP Load-Sharing

Route-Based Redundancy

NAT in Active/Active HA Mode

ECMP in Active/Active HA Mode

Set Up Active/Passive HA

Prerequisites for Active/Passive HA

Configuration Guidelines for Active/Passive HA

Configure Active/Passive HA

Define HA Failover Conditions

Verify Failover

Set Up Active/Active HA

Prerequisites for Active/Active HA

Configure Active/Active HA

Determine Your Active/Active Use Case

Use Case: Configure Active/Active HA with Route-Based Redundancy

Use Case: Configure Active/Active HA with Floating IP Addresses

Use Case: Configure Active/Active HA with ARP Load-Sharing

Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall

Use Case: Configure Active/Active HA with Source DIPP NAT Using Floating IP Addresses

Use Case: Configure Separate Source NAT IP Address Pools for Active/Active HA Firewalls

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT

Use Case: Configure Active/Active HA for ARP Load-Sharing with Destination NAT in Layer 3

HA Clustering Overview

HA Clustering Best Practices and Provisioning

Configure HA Clustering

Refresh HA1 SSH Keys and Configure Key Options

HA Firewall States

Reference: HA Synchronization

Use the Dashboard

Use the Application Command Center

ACC—First Look

Widget Descriptions

Interact with the ACC

Use Case: ACC—Path of Information Discovery

Use the App Scope Reports

Change Monitor Report

Threat Monitor Report

Threat Map Report

Network Monitor Report

Traffic Map Report

Use the Automated Correlation Engine

Automated Correlation Engine Concepts

Correlation Object

Correlated Events

View the Correlated Objects

Interpret Correlated Events

Use the Compromised Hosts Widget in the ACC

Take Packet Captures

Types of Packet Captures

Disable Hardware Offload

Take a Custom Packet Capture

Take a Threat Packet Capture

Take an Application Packet Capture

Take a Packet Capture for Unknown Applications

Take a Custom Application Packet Capture

Take a Packet Capture on the Management Interface

Monitor Applications and Threats

View and Manage Logs

Log Types and Severity Levels

URL Filtering Logs

WildFire Submissions Logs

Data Filtering Logs

Correlation Logs

Tunnel Inspection Logs

GlobalProtect Logs

Decryption Logs

Authentication Logs

Use Case: Export Traffic Logs for a Date Range

Configure Log Storage Quotas and Expiration Periods

Schedule Log Exports to an SCP or FTP Server

Monitor Block List

View and Manage Reports

Configure the Expiration Period and Run Time for Reports

Disable Predefined Reports

Generate Custom Reports

Generate Botnet Reports

Configure a Botnet Report

Interpret Botnet Report Output

Generate the SaaS Application Usage Report

Manage PDF Summary Reports

Generate User/Group Activity Reports

Manage Report Groups

Schedule Reports for Email Delivery

Manage Report Storage Capacity

View Policy Rule Usage

Use External Services for Monitoring

Configure Log Forwarding

Configure Email Alerts

Configure Email Alerts (Strata Cloud Manager)

Configure Email Alerts (PAN-OS)

Use Syslog for Monitoring

Configure Syslog Monitoring

Syslog Field Descriptions

Traffic Log Fields

Threat Log Fields

URL Filtering Log Fields

Data Filtering Log Fields

HIP Match Log Fields

GlobalProtect Log Fields

IP-Tag Log Fields

User-ID Log Fields

Decryption Log Fields

Tunnel Inspection Log Fields

SCTP Log Fields

Authentication Log Fields

Config Log Fields

System Log Fields

Correlated Events Log Fields

Audit Log Fields

Syslog Severity

Custom Log/Event Format

Escape Sequences

Syslog Severity Reference

Informational System Log Messages

Low Severity System Log Messages

Medium System Log Messages

High System Log Messages

Critical System Log Messages

SNMP Monitoring and Traps

Use an SNMP Manager to Explore MIBs and Objects

Identify a MIB Containing a Known OID

Identify the OID for a System Statistic or Trap

Enable SNMP Services for Firewall-Secured Network Elements

Monitor Statistics Using SNMP

Forward Traps to an SNMP Manager

Forward Traps to an SNMP Manager (Strata Cloud Manager)

Forward Traps to an SNMP Manager (PAN-OS)

HOST-RESOURCES-MIB

ENTITY-SENSOR-MIB

ENTITY-STATE-MIB

IEEE 802.3 LAG MIB

PAN-COMMON-MIB.my

PAN-GLOBAL-REG-MIB.my

PAN-GLOBAL-TC-MIB.my

PAN-PRODUCT-MIB.my

PAN-ENTITY-EXT-MIB.my

Forward Logs to an HTTP/S Destination

NetFlow Monitoring

Configure NetFlow Exports

NetFlow Templates

Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors

Monitor Transceivers

User-ID Overview

User-ID Concepts

Server Monitoring

Username Header Insertion

Authentication Policy and Authentication Portal

Map Users to Groups

Map IP Addresses to Users

Create a Dedicated Service Account for the User-ID Agent

Configure User Mapping Using the Windows User-ID Agent

Install the Windows-Based User-ID Agent

Configure the Windows User-ID Agent for User Mapping

Configure User Mapping Using the PAN-OS Integrated User-ID Agent

Configure Server Monitoring Using WinRM

Configure User-ID to Monitor Syslog Senders for User Mapping

Configure the PAN-OS Integrated User-ID Agent as a Syslog Listener

Configure the Windows User-ID Agent as a Syslog Listener

Map IP Addresses to Usernames Using Authentication Portal

Authentication Portal Authentication Methods

Authentication Portal Modes

Configure Authentication Portal

Configure User Mapping for Terminal Server Users

Configure the Palo Alto Networks Terminal Server (TS) Agent for User Mapping

Retrieve User Mappings from a Terminal Server Using the PAN-OS XML API

Send User Mappings to User-ID Using the XML API

Enable User- and Group-Based Policy

Enable Policy for Users with Multiple Accounts

Verify the User-ID Configuration

Deploy User-ID in a Large-Scale Network

Deploy User-ID for Numerous Mapping Information Sources

Windows Log Forwarding and Global Catalog Servers

Plan a Large-Scale User-ID Deployment

Configure Windows Log Forwarding

Configure User-ID for Numerous Mapping Information Sources

Insert Username in HTTP Headers

Redistribute Data and Authentication Timestamps

Firewall Deployment for Data Redistribution

Configure Data Redistribution

Share User-ID Mappings Across Virtual Systems

App-ID Overview

Streamlined App-ID Policy Rules

Create an Application Filter Using Tags

Create an Application Filter Based on Custom Tags

App-ID and HTTP/2 Inspection

Manage Custom or Unknown Applications

Manage New and Modified App-IDs

Workflow to Best Incorporate New and Modified App-IDs

See the New and Modified App-IDs in a Content Release

See How New and Modified App-IDs Impact Your Security Policy

Ensure Critical New App-IDs are Allowed

Monitor New App-IDs

Disable and Enable App-IDs

Enable and Monitor App-ID TSIDs

Use Application Objects in Policy

Create an Application Group

Create an Application Filter

Create a Custom Application

Resolve Application Dependencies

Safely Enable Applications on Default Ports

Applications with Implicit Support

Security Policy Rule Optimization

Policy Optimizer Concepts

Sorting and Filtering Security Policy Rules

Clear Application Usage Data

Migrate Port-Based to App-ID Based Security Policy Rules

Rule Cloning Migration Use Case: Web Browsing and SSL Traffic

Add Applications to an Existing Rule

Identify Security Policy Rules with Unused Applications

High Availability for Application Usage Statistics

How to Disable Policy Optimizer

App-ID Cloud Engine

Prepare to Deploy App-ID Cloud Engine

Enable or Disable the App-ID Cloud Engine

App-ID Cloud Engine Processing and Policy Usage

New App Viewer (Policy Optimizer)

Add Apps to an Application Filter with Policy Optimizer

Add Apps to an Application Group with Policy Optimizer

Add Apps Directly to a Rule with Policy Optimizer

Replace an RMA Firewall (ACE)

Impact of License Expiration or Disabling ACE

Commit Failure Due to Cloud Content Rollback

Troubleshoot App-ID Cloud Engine

SaaS App-ID Policy Recommendation

Import SaaS Policy Recommendation

Import Updated SaaS Policy Recommendation

Remove Deleted SaaS Policy Recommendation

Application Level Gateways

Disable the SIP Application-level Gateway (ALG)

Use HTTP Headers to Manage SaaS Application Access

Understand SaaS Custom Headers

Domains used by the Predefined SaaS Application Types

Create HTTP Header Insertion Entries using Predefined Types

Create Custom HTTP Header Insertion Entries

Maintain Custom Timeouts for Data Center Applications

Device-ID Overview

Prepare to Deploy Device-ID

Configure Device-ID

Manage Device-ID

CLI Commands for Device-ID

Decryption Overview

Decryption Concepts

Keys and Certificates for Decryption Policies

SSL Forward Proxy

SSL Forward Proxy Decryption Profile

SSL Inbound Inspection

SSL Inbound Inspection Decryption Profile

SSL Protocol Settings Decryption Profile

SSH Proxy Decryption Profile

Profile for No Decryption

SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates

Perfect Forward Secrecy (PFS) Support for SSL Decryption

SSL Decryption and Subject Alternative Names (SANs)

TLSv1.3 Decryption

High Availability Not Supported for Decrypted Sessions

Decryption Mirroring

Prepare to Deploy Decryption

Work with Stakeholders to Develop a Decryption Deployment Strategy

Develop a PKI Rollout Plan

Size the Decryption Firewall Deployment

Plan a Staged, Prioritized Deployment

Define Traffic to Decrypt

Create a Decryption Profile

Create a Decryption Policy Rule

Configure SSL Forward Proxy

Configure SSL Inbound Inspection

Configure SSH Proxy

Configure Server Certificate Verification for Undecrypted Traffic

Decryption Exclusions

Palo Alto Networks Predefined Decryption Exclusions

Exclude a Server from Decryption for Technical Reasons

Local Decryption Exclusion Cache

Create a Policy-Based Decryption Exclusion

Post-Quantum Cryptography Detection and Control

Enable Users to Opt Out of SSL Decryption

Temporarily Disable SSL Decryption

Configure Decryption Port Mirroring

Verify Decryption

Troubleshoot and Monitor Decryption

Decryption Application Command Center Widgets

Configure Decryption Logging

Decryption Log Errors, Error Indexes, and Bitmasks

Repair Incomplete Certificate Chains

Custom Report Templates for Decryption

Unsupported Parameters by Proxy Type and TLS Version

Decryption Troubleshooting Workflow Examples

Investigate Decryption Failure Reasons

Troubleshoot Unsupported Cipher Suites

Identify Weak Protocols and Cipher Suites

Identify Untrusted CA Certificates

Troubleshoot Expired Certificates

Troubleshoot Revoked Certificates

Troubleshoot Pinned Certificates

Activate Free Licenses for Decryption Features

Quality of Service

QoS for Applications and Users

QoS Priority Queuing

QoS Bandwidth Management

QoS Egress Interface

QoS for Clear Text and Tunneled Traffic

Configure Lockless QoS

Configure QoS for a Virtual System

Enforce QoS Based on DSCP Classification

Use Case: QoS for a Single User

Use Case: QoS for Voice and Video Applications

Large Scale VPN (LSVPN)

Create Interfaces and Zones for the LSVPN

Enable SSL Between GlobalProtect LSVPN Components

About Certificate Deployment

Deploy Server Certificates to the GlobalProtect LSVPN Components

Deploy Client Certificates to the GlobalProtect Satellites Using SCEP

Configure the Portal to Authenticate Satellites

Configure GlobalProtect Gateways for LSVPN

Configure the GlobalProtect Portal for LSVPN

GlobalProtect Portal for LSVPN Prerequisite Tasks

Configure the Portal

Define the Satellite Configurations

Prepare the Satellite to Join the LSVPN

Verify the LSVPN Configuration

LSVPN Quick Configuration

Basic LSVPN Configuration with Static Routing

Advanced LSVPN Configuration with Dynamic Routing

Advanced LSVPN Configuration with iBGP

Security Policy

Components of a Security Policy Rule

Security Policy Actions

Create a Security Policy Rule

Security Profiles

Create a Security Profile Group

Set Up or Override a Default Security Profile Group

Create a Data Filtering Profile

Predefined Data Filtering Patterns

Set Up File Blocking

Track Rules Within a Rulebase

Enforce Policy Rule Description, Tag, and Audit Comment

Move or Clone a Policy Rule or Object to a Different Virtual System

Use an Address Object to Represent IP Addresses

Address Objects

Create an Address Object

Use Tags to Group and Visually Distinguish Objects

Create and Apply Tags

View Rules by Tag Group

Use an External Dynamic List in Policy

External Dynamic List

Formatting Guidelines for an External Dynamic List

IP Address List

Built-in External Dynamic Lists

Configure the Firewall to Access an External Dynamic List

Configure the Firewall to Access an External Dynamic List from the EDL Hosting Service

Create an External Dynamic List Using the EDL Hosting Service

Convert the GlobalSign Root R1 Certificate to PEM Format

Retrieve an External Dynamic List from the Web Server

View External Dynamic List Entries

Exclude Entries from an External Dynamic List

Enforce Policy on an External Dynamic List

Find External Dynamic Lists That Failed Authentication

Disable Authentication for an External Dynamic List

Register IP Addresses and Tags Dynamically

Use Dynamic User Groups in Policy

Use Auto-Tagging to Automate Security Actions

Monitor Changes in the Virtual Environment

Enable VM Monitoring to Track Changes on the Virtual Network

Attributes Monitored on Virtual Machines in Cloud Platforms

Use Dynamic Address Groups in Policy

CLI Commands for Dynamic IP Addresses and Tags

Enforce Policy on Endpoints and Users Behind an Upstream Device

Use XFF Values for Policy Based on Source Users

Use XFF IP Address Values in Security Policy and Logging

Use the IP Address in the XFF Header to Troubleshoot Events

Policy-Based Forwarding

PBF

Egress Path and Symmetric Return

Path Monitoring for PBF

Service Versus Applications in PBF

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Application Override Policy

Test Policy Rules

Virtual Systems

Virtual Systems Overview

Virtual System Components and Segmentation

Benefits of Virtual Systems

Use Cases for Virtual Systems

Platform Support and Licensing for Virtual Systems

Administrative Roles for Virtual Systems

Shared Objects for Virtual Systems

Communication Between Virtual Systems

Inter-VSYS Traffic That Must Leave the Firewall

Inter-VSYS Traffic That Remains Within the Firewall

External Zones and Security Policies For Traffic Within a Firewall

Inter-VSYS Communication Uses Two Sessions

External Zones and Shared Gateway

Networking Considerations for a Shared Gateway

Configure Virtual Systems

Configure Inter-Virtual System Communication within the Firewall

Configure a Shared Gateway

Customize Service Routes for a Virtual System

Customize Service Routes to Services for Virtual Systems

Configure a PA-7000 Series Firewall for Logging Per Virtual System

Configure a PA-7000 Series LPC for Logging per Virtual System

Configure a PA-7000 Series LFC for Logging per Virtual System

Configure Administrative Access Per Virtual System or Firewall

Virtual System Functionality with Other Features

Zone Protection and DoS Protection

Network Segmentation Using Zones

How Do Zones Protect the Network?

Zone Defense Tools

How Do the Zone Defense Tools Work?

Firewall Placement for DoS Protection

Baseline CPS Measurements for Setting Flood Thresholds

CPS Measurements to Take

How to Measure CPS

Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet-Based Attack Protection

Protocol Protection

Ethernet SGT Protection

Packet Buffer Protection

DoS Protection Profiles and Policy Rules

Classified Versus Aggregate DoS Protection

DoS Protection Profiles

DoS Protection Policy Rules

Configure Zone Protection to Increase Network Security

Configure Reconnaissance Protection

Cloud Management

Configure Packet Based Attack Protection

Configure Protocol Protection

Use Case: Non-IP Protocol Protection Between Security Zones on Layer 2 Interfaces

Use Case: Non-IP Protocol Protection Within a Security Zone on Layer 2 Interfaces

Configure Packet Buffer Protection

Configure Packet Buffer Protection Based on Latency

Configure Ethernet SGT Protection

DoS Protection Against Flooding of New Sessions

Multiple-Session DoS Attack

Single-Session DoS Attack

Configure DoS Protection Against Flooding of New Sessions

End a Single Session DoS Attack

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Discard a Session Without a Commit

Enable FIPS and Common Criteria Support

Access the Maintenance Recovery Tool (MRT)

Change the Operational Mode to FIPS-CC Mode

FIPS-CC Security Functions

Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

NGFW Clustering

Configure an NGFW Cluster

NGFW Cluster Summary and Monitoring

Migrate to NGFW Clustering

PAN-OS Upgrade Guide

Software and Content Updates

PAN-OS Software Updates

Dynamic Content Updates

Install Content Updates

Applications and Threats Content Updates

Deploy Applications and Threats Content Updates

Tips for Content Updates

Best Practices for Applications and Threats Content Updates

Best Practices for Content Updates—Mission-Critical

Best Practices for Content Updates—Security-First

Content Delivery Network Infrastructure

Upgrade Panorama

Install Content Updates and Software Upgrades for Panorama

Upgrade Panorama with an Internet Connection

Upgrade Panorama Without an Internet Connection

Install Content Updates Automatically for Panorama without an Internet Connection

Upgrade Panorama in an HA Configuration

Install a PAN-OS Software Patch

Migrate Panorama Logs to the New Log Format

Upgrade Panorama for Increased Device Management Capacity

Upgrade Panorama and Managed Devices in FIPS-CC Mode

Downgrade from Panorama 11.1

Troubleshoot Your Panorama Upgrade

Deploy Upgrades to Firewalls, Log Collectors, and WildFire Appliances Using Panorama

What Updates Can Panorama Push to Other Devices?

Schedule a Content Update Using Panorama

Panorama, Log Collector, Firewall, and WildFire Version Compatibility

Upgrade Log Collectors When Panorama Is Internet-Connected

Upgrade Log Collectors When Panorama Is Not Internet-Connected

Upgrade a WildFire Cluster from Panorama with an Internet Connection

Upgrade a WildFire Cluster from Panorama without an Internet Connection

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Install a PAN-OS Software Patch

Revert Content Updates from Panorama

PAN-OS Upgrade Checklist

Upgrade/Downgrade Considerations

Upgrade the Firewall to PAN-OS 11.1

Determine the Upgrade Path to PAN-OS 11.1

Upgrade a Standalone Firewall

Upgrade an HA Firewall Pair

Upgrade the Firewall to PAN-OS 11.1 from Panorama

Upgrade Firewalls When Panorama Is Internet-Connected

Upgrade Firewalls When Panorama Is Not Internet-Connected

Upgrade a ZTP Firewall

Install a PAN-OS Software Patch

Downgrade PAN-OS

Downgrade a Firewall to a Previous Maintenance Release

Downgrade a Firewall to a Previous Feature Release

Downgrade a Windows Agent

Troubleshoot Your PAN-OS Upgrade

Upgrade the VM-Series Firewall

Upgrade the VM-Series PAN-OS Software (Standalone)

Upgrade the VM-Series PAN-OS Software (HA Pair)

Upgrade the VM-Series PAN-OS Software Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

Upgrade Panorama Plugins

Panorama Plugins Upgrade/Downgrade Considerations

Upgrade a Panorama Plugin

Upgrade the Enterprise DLP Plugin

Upgrade the Panorama Interconnect Plugin

Install/Upgrade SD-WAN Plugin with Compatible PAN-OS Release

Upgrade and Downgrade Paths for SD-WAN Plugin

Install the SD-WAN Plugin

Upgrade Panorama High Availability Pair (Active/Passive) Leveraging SD-WAN Plugin

Upgrade Standalone Panorama Leveraging SD-WAN Plugin

Changes to Note After Upgrade

CLI Commands for Upgrade

Use CLI Commands for Upgrade Tasks

APIs for Upgrade

Use the API for Upgrade Tasks

PAN-OS Web Interface Help

Web Interface Basics

Firewall Overview

Features and Benefits

Last Login Time and Failed Login Attempts

Message of the Day

Save Candidate Configurations

Lock Configurations

AutoFocus Intelligence Summary

Configuration Table Export

Change Boot Mode

Dashboard Widgets

ACC

A First Glance at the ACC

Working with Tabs and Widgets

Working with Filters—Local Filters and Global Filters

Monitor > External Logs

Monitor > Automated Correlation Engine

Monitor > Automated Correlation Engine > Correlation Objects

Monitor > Automated Correlation Engine > Correlated Events

Monitor > Packet Capture

Packet Capture Overview

Building Blocks for a Custom Packet Capture

Enable Threat Packet Capture

Monitor > App Scope

App Scope Overview

App Scope Summary Report

App Scope Change Monitor Report

App Scope Threat Monitor Report

App Scope Threat Map Report

App Scope Network Monitor Report

App Scope Traffic Map Report

Monitor > Session Browser

Monitor > Block IP List

Block IP List Entries

View or Delete Block IP List Entries

Monitor > Botnet

Botnet Report Settings

Botnet Configuration Settings

Monitor > IoT Devices

IoT Devices > Summary

IoT Devices > Asset Inventory

Monitor > PDF Reports

Monitor > PDF Reports > Manage PDF Summary

Monitor > PDF Reports > User Activity Report

Monitor > PDF Reports > SaaS Application Usage

Monitor > PDF Reports > Report Groups

Monitor > PDF Reports > Email Scheduler

Monitor > Manage Custom Reports

Monitor > Reports

Move or Clone a Policy Rule

Audit Comment Archive

Rule Usage Hit Count Query

Policies > Security

Security Policy Overview

Building Blocks in a Security Policy Rule

Creating and Managing Policies

Overriding or Reverting a Security Policy Rule

Applications and Usage

Security Policy Optimizer

NAT Policies General Tab

NAT Original Packet Tab

NAT Translated Packet Tab

NAT Active/Active HA Binding Tab

Policies > Policy Based Forwarding

Policy Based Forwarding General Tab

Policy Based Forwarding Source Tab

Policy Based Forwarding Destination/Application/Service Tab

Policy Based Forwarding Forwarding Tab

Policy Based Forwarding Target Tab

Policies > Decryption

Decryption General Tab

Decryption Source Tab

Decryption Destination Tab

Decryption Service/URL Category Tab

Decryption Options Tab

Decryption Target Tab

Policies > Network Packet Broker

Network Packet Broker General Tab

Network Packet Broker Source Tab

Network Packet Broker Destination Tab

Network Packet Broker Application/Service/Traffic Tab

Network Packet Broker Path Selection Tab

Network Packet Broker Policy Optimizer Rule Usage

Policies > Tunnel Inspection

Building Blocks in a Tunnel Inspection Policy

Policies > Application Override

Application Override General Tab

Application Override Source Tab

Application Override Destination Tab

Application Override Protocol/Application Tab

Application Override Target Tab

Policies > Authentication

Building Blocks of an Authentication Policy Rule

Create and Manage Authentication Policy

Policies > DoS Protection

DoS Protection General Tab

DoS Protection Source Tab

DoS Protection Destination Tab

DoS Protection Option/Protection Tab

DoS Protection Target Tab

Policies > SD-WAN

SD-WAN General Tab

SD-WAN Source Tab

SD-WAN Destination Tab

SD-WAN Application/Service Tab

SD-WAN Path Selection Tab

SD-WAN Target Tab

Move, Clone, Override, or Revert Objects

Move or Clone an Object

Override or Revert an Object

Objects > Addresses

Objects > Address Groups

Objects > Regions

Objects > Dynamic User Groups

Objects > Applications

Applications Overview

Actions Supported on Applications

Defining Applications

Objects > Application Groups

Objects > Application Filters

Objects > Services

Objects > Service Groups

View Rulebase as Groups

Move Rules in Group to Different Rulebase or Device Group

Change Group of All Rules

Move All Rules in Group

Delete All Rules in Group

Clone All Rules in Group

Objects > Devices

Objects > External Dynamic Lists

Objects > Custom Objects

Objects > Custom Objects > Data Patterns

Data Pattern Settings

Syntax for Regular Expression Data Patterns

Regular Expression Data Pattern Examples

Objects > Custom Objects > Spyware/Vulnerability

Objects > Custom Objects > URL Category

Objects > Security Profiles

Actions in Security Profiles

Objects > Security Profiles > Antivirus

Objects > Security Profiles > Anti-Spyware Profile

Objects > Security Profiles > Vulnerability Protection

Objects > Security Profiles > URL Filtering

URL Filtering General Settings

URL Filtering Categories

URL Filtering Settings

User Credential Detection

HTTP Header Insertion

Inline Categorization

Objects > Security Profiles > File Blocking

Objects > Security Profiles > WildFire Analysis

Objects > Security Profiles > Data Filtering

Objects > Security Profiles > DoS Protection

Objects > Security Profiles > Mobile Network Protection

Objects > Security Profiles > SCTP Protection

Objects > Security Profile Groups

Objects > Log Forwarding

Objects > Authentication

Objects > Decryption Profile

Decryption Profile General Settings

Settings to Control Decrypted Traffic

Settings to Control Traffic that is not Decrypted

Settings to Control Decrypted SSH Traffic

Objects > Packet Broker Profile

Objects > SD-WAN Link Management

Objects > SD-WAN Link Management > Path Quality Profile

Objects > SD-WAN Link Management > SaaS Quality Profile

Objects > SD-WAN Link Management > Traffic Distribution Profile

Objects > SD-WAN Link Management > Error Correction Profile

Objects > Schedules

Network > Interfaces

Firewall Interfaces Overview

Common Building Blocks for Firewall Interfaces

Common Building Blocks for PA-7000 Series Firewall Interfaces

Virtual Wire Interface

Virtual Wire Subinterface

PA-7000 Series Layer 2 Interface

PA-7000 Series Layer 2 Subinterface

PA-7000 Series Layer 3 Interface

Layer 3 Interface

Layer 3 Subinterface

Log Card Interface

Log Card Subinterface

Decrypt Mirror Interface

Aggregate Ethernet (AE) Interface Group

Aggregate Ethernet (AE) Interface

Network > Interfaces > VLAN

Network > Interfaces > Loopback

Network > Interfaces > Tunnel

Network > Interfaces > SD-WAN

Network > Interfaces > PoE

Network > Interfaces > Cellular

Network > Interfaces > Fail Open

Network > Zones

Security Zone Overview

Building Blocks of Security Zones

Network > VLANs

Network > Virtual Wires

Network > Virtual Routers

General Settings of a Virtual Router

Route Redistribution

RIP

RIP Interfaces Tab

RIP Auth Profiles Tab

RIP Export Rules Tab

OSPF Auth Profiles Tab

OSPF Export Rules Tab

OSPF Advanced Tab

OSPFv3 Areas Tab

OSPFv3 Auth Profiles Tab

OSPFv3 Export Rules Tab

OSPFv3 Advanced Tab

BGP

Basic BGP Settings

BGP General Tab

BGP Advanced Tab

BGP Peer Group Tab

BGP Import and Export Tabs

BGP Conditional Adv Tab

BGP Aggregate Tab

BGP Redist Rules Tab

Multicast Rendezvous Point Tab

Multicast Interfaces Tab

Multicast SPT Threshold Tab

Multicast Source Specific Address Space Tab

Multicast Advanced Tab

More Runtime Stats for a Virtual Router

BFD Summary Information Tab

More Runtime Stats for a Logical Router

Routing Stats for a Logical Router

BGP Stats for a Logical Router

Network > Routing > Logical Routers

Network > Routing > Logical Routers > General

Network > Routing > Logical Routers > Static

Network > Routing > Logical Routers > OSPF

Network > Routing > Logical Routers > OSPFv3

Network > Routing > Logical Routers > RIPv2

Network > Routing > Logical Routers > BGP

Network > Routing > Logical Routers > Multicast

Network > Routing > Routing Profiles

Network > Routing > Routing Profiles > BGP

Network > Routing > Routing Profiles > BFD

Network > Routing > Routing Profiles > OSPF

Network > Routing > Routing Profiles > OSPFv3

Network > Routing > Routing Profiles > RIPv2

Network > Routing > Routing Profiles > Filters

Network > Routing > Routing Profiles > Multicast

Network > IPSec Tunnels

IPSec VPN Tunnel Management

IPSec Tunnel General Tab

IPSec Tunnel Proxy IDs Tab

IPSec Tunnel Status on the Firewall

IPSec Tunnel Restart or Refresh

Network > GRE Tunnels

DHCP Addressing

Network > DNS Proxy

DNS Proxy Overview

DNS Proxy Settings

Additional DNS Proxy Actions

Network > Proxy

QoS Interface Settings

QoS Interface Statistics

Building Blocks of LLDP

Network > Network Profiles

Network > Network Profiles > GlobalProtect IPSec Crypto

Network > Network Profiles > IKE Gateways

IKE Gateway Management

IKE Gateway General Tab

IKE Gateway Advanced Options Tab

IKE Gateway Restart or Refresh

Network > Network Profiles > IPSec Crypto

Network > Network Profiles > IKE Crypto

Network > Network Profiles > Monitor

Network > Network Profiles > Interface Mgmt

Network > Network Profiles > Zone Protection

Building Blocks of Zone Protection Profiles

Flood Protection

Reconnaissance Protection

Packet Based Attack Protection

Protocol Protection

Ethernet SGT Protection

L3 & L4 Header Inspection

Network > Network Profiles > QoS

Network > Network Profiles > LLDP Profile

Network > Network Profiles > BFD Profile

Building Blocks of a BFD Profile

View BFD Summary and Details

Network > Network Profiles > SD-WAN Interface Profile

Network > Network Profiles > MACsec Profile

Device > Setup > Management

Device > Setup > Operations

Enable SNMP Monitoring

Device > Setup > HSM

Hardware Security Module Provider Settings

HSM Authentication

Hardware Security Operations

Hardware Security Module Provider Configuration and Status

Hardware Security Module Status

Device > Setup > Services

Configure Services for Global and Virtual Systems

Global Services Settings

IPv4 and IPv6 Support for Service Route Configuration

Destination Service Route

Device > Setup > Interfaces

Device > Setup > Telemetry

Device > Setup > Content-ID

Device > Setup > WildFire

Device > Setup > Session

Session Settings

Session Timeouts

Decryption Settings: Certificate Revocation Checking

Decryption Settings: Forward Proxy Server Certificate Settings

Decryption Settings: SSL Decryption Settings

VPN Session Settings

Device > Setup > ACE

Device > Setup > DLP

Device > High Availability

Important Considerations for Configuring HA

HA General Settings

HA Communications

HA Link and Path Monitoring

HA Active/Active Config

Device > Log Forwarding Card

Device > Config Audit

Device > Password Profiles

Username and Password Requirements

Device > Administrators

Device > Admin Roles

Device > Access Domain

Device > Authentication Profile

Authentication Profile

SAML Metadata Export from an Authentication Profile

Device > Authentication Sequence

Device > IoT Security > DHCP Server Log Ingestion

Device > Data Redistribution

Device > Data Redistribution > Agents

Device > Data Redistribution > Clients

Device > Data Redistribution > Collector Settings

Device > Data Redistribution > Include/Exclude Networks

Device > Device Quarantine

Device > VM Information Sources

Settings to Enable VM Information Sources for VMware ESXi and vCenter Servers

Settings to Enable VM Information Sources for AWS VPC

Settings to Enable VM Information Sources for Google Compute Engine

Device > Troubleshooting

Security Policy Match

QoS Policy Match

Authentication Policy Match

Decryption/SSL Policy Match

NAT Policy Match

Policy Based Forwarding Policy Match

DoS Policy Match

Log Collector Connectivity

External Dynamic List

Test Cloud Logging Service Status

Test Cloud GP Service Status

Device > Virtual Systems

Device > Shared Gateways

Device > Certificate Management

Device > Certificate Management > Certificates

Manage Firewall and Panorama Certificates

Other Supported Actions to Manage Certificates

Manage Default Trusted Certificate Authorities

Device > Certificate Management > Certificate Profile

Device > Certificate Management > OCSP Responder

Device > Certificate Management > SSL/TLS Service Profile

Device > Certificate Management > SCEP

Device > Certificate Management > SSL Decryption Exclusion

Device > Certificate Management > SSH Service Profile

Device > Response Pages

Device > Log Settings

Select Log Forwarding Destinations

Define Alarm Settings

Device > Server Profiles

Device > Server Profiles > SNMP Trap

Device > Server Profiles > Syslog

Device > Server Profiles > Email

Device > Server Profiles > HTTP

Device > Server Profiles > NetFlow

Device > Server Profiles > RADIUS

Device > Server Profiles > SCP

Device > Server Profiles > TACACS+

Device > Server Profiles > LDAP

Device > Server Profiles > Kerberos

Device > Server Profiles > SAML Identity Provider

Device > Server Profiles > DNS

Device > Server Profiles > Multi Factor Authentication

Device > Local User Database > Users

Device > Local User Database > User Groups

Device > Scheduled Log Export

Device > Software

Device > Dynamic Updates

Device > Licenses

Device > Support

Device > Master Key and Diagnostics

Deploy Master Key

Device > Policy Recommendation > IoT

Device > Policy > Recommendation SaaS

Device > Policy Recommendation > IoT or SaaS > Import Policy Rule

User Identification

Device > User Identification > User Mapping

Palo Alto Networks User-ID Agent Setup

Server Monitor Account

Server Monitoring

Ignore User List

Monitor Servers

Configure Access to Monitored Servers

Manage Access to Monitored Servers

Include or Exclude Subnetworks for User Mapping

Device > User Identification > Connection Security

Device > User Identification > Terminal Server Agents

Device > User Identification > Group Mapping Settings

Device > User Identification> Trusted Source Address

Device > User Identification > Authentication Portal Settings

Device > User Identification > Cloud Identity Engine

Network > GlobalProtect > Portals

GlobalProtect Portals General Tab

GlobalProtect Portals Authentication Configuration Tab

GlobalProtect Portals Portal Data Collection Tab

GlobalProtect Portals Agent Tab

GlobalProtect Portals Agent Authentication Tab

GlobalProtect Portals Agent Config Selection Criteria Tab

GlobalProtect Portals Agent Internal Tab

GlobalProtect Portals Agent External Tab

GlobalProtect Portals Agent App Tab

GlobalProtect Portals Agent HIP Data Collection Tab

GlobalProtect Portals Clientless VPN Tab

GlobalProtect Portal Satellite Tab

Network > GlobalProtect > Gateways

GlobalProtect Gateways General Tab

GlobalProtect Gateway Authentication Tab

GlobalProtect Gateways Agent Tab

Tunnel Settings Tab

Client Settings Tab

Client IP Pool Tab

Network Services Tab

Connection Settings Tab

Video Traffic Tab

HIP Notification Tab

GlobalProtect Gateway Satellite Tab

Network > GlobalProtect > MDM

Network > GlobalProtect > Clientless Apps

Network > GlobalProtect > Clientless App Groups

Objects > GlobalProtect > HIP Objects

HIP Objects General Tab

HIP Objects Mobile Device Tab

HIP Objects Patch Management Tab

HIP Objects Firewall Tab

HIP Objects Anti-Malware Tab

HIP Objects Disk Backup Tab

HIP Objects Disk Encryption Tab

HIP Objects Data Loss Prevention Tab

HIP Objects Certificate Tab

HIP Objects Custom Checks Tab

Objects > GlobalProtect > HIP Profiles

Device > GlobalProtect Client

Managing the GlobalProtect App Software

Setting Up the GlobalProtect App

Using the GlobalProtect App

Panorama Web Interface

Use the Panorama Web Interface

Panorama Commit Operations

Defining Policies on Panorama

Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode

Panorama > Setup > Interfaces

Panorama > High Availability

Panorama > Managed WildFire Clusters

Managed WildFire Cluster Tasks

Managed WildFire Appliance Tasks

Managed WildFire Information

Managed WildFire Cluster and Appliance Administration

Panorama > Firewall Clusters

Panorama > Administrators

Panorama > Admin Roles

Panorama > Access Domains

Panorama > Scheduled Config Push

Scheduled Config Push Scheduler

Scheduled Config Push Execution History

Panorama > Managed Devices > Summary

Managed Firewall Administration

Managed Firewall Information

Firewall Software and Content Updates

Firewall Backups

Panorama > Device Quarantine

Panorama > Managed Devices > Health

Detailed Device Health on Panorama

Panorama > Templates

Template Stacks

Panorama > Templates > Template Variables

Panorama > Device Groups

Panorama > Managed Collectors

Log Collector Information

Log Collector Configuration

General Log Collector Settings

Log Collector Authentication Settings

Log Collector Interface Settings

Log Collector RAID Disk Settings

Connection Security

Communication Settings

Software Updates for Dedicated Log Collectors

Panorama > Collector Groups

Collector Group Configuration

Collector Group Information

Panorama > Plugins

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Panorama > VMware NSX

Configure a Notify Group

Create Service Definitions

Configure Access to the NSX Manager

Create Steering Rules

Panorama > Log Ingestion Profile

Panorama > Log Settings

Panorama > Server Profiles > SCP

Panorama > Scheduled Config Export

Panorama > Software

Manage Panorama Software Updates

Display Panorama Software Update Information

Panorama > Device Deployment

Manage Software and Content Updates

Display Software and Content Update Information

Schedule Dynamic Content Updates

Revert Content Versions from Panorama

Manage Firewall Licenses

Panorama > Device Registration Auth Key

PAN-OS Release Notes

Features Introduced in PAN-OS 11.2

Content Inspection Features

Management Features

Networking Features

Panorama Features

Mobile Infrastructure Security Features

Decryption Features

App-ID Features

SD-WAN Features

Virtualization Features

GlobalProtect Features

Hardware Features

Changes to Default Behavior

Changes to Default Behavior in PAN-OS 11.2

Limitations in PAN-OS 11.2

Associated Content and Software Versions

Associated Content and Software Versions for PAN-OS 11.2

WildFire Analysis Environment Support for PAN-OS 11.2

PAN-OS 11.2.2 Known and Addressed Issues

PAN-OS 11.2.2 Known Issues

PAN-OS 11.2.2-h1 Addressed Issues

PAN-OS 11.2.2 Addressed Issues

PAN-OS 11.2.2-h2 Addressed Issues

PAN-OS 11.2.1 Known and Addressed Issues

PAN-OS 11.2.1 Known Issues

PAN-OS 11.2.1 Addressed Issues

PAN-OS 11.2.1-h1 Addressed Issues

PAN-OS 11.2.0 Known and Addressed Issues

PAN-OS 11.2.0 Known Issues

PAN-OS 11.2.0 Addressed Issues

PAN-OS 11.2.0-h1 Addressed Issues

Related Documentation

Related Documentation for PAN-OS 11.2

PAN-OS 11.2.3 Known and Addressed Issues

PAN-OS 11.2.3 Known Issues

PAN-OS 11.2.3 Addressed Issues

PAN-OS 11.2.3-h3 Addressed Issues

PAN-OS 11.2.3-h5 Addressed Issues

PAN-OS 11.2.4 Known and Addressed Issues

PAN-OS 11.2.4 Known Issues

PAN-OS 11.2.4 Addressed Issues

PAN-OS 11.2.4-h1 Addressed Issues

PAN-OS 11.2.4-h2 Addressed Issues

SD-WAN Administrator’s Guide

SD-WAN Overview

SD-WAN Configuration Elements

Plan Your SD-WAN Configuration

System Requirements for SD-WAN

Configure SD-WAN

Install the SD-WAN Plugin

Install the SD-WAN Plugin When Panorama is Internet-Connected

Install the SD-WAN Plugin When Panorama is not Internet-Connected

Set Up Panorama and Firewalls for SD-WAN

Add Your SD-WAN Firewalls as Managed Devices

Create an SD-WAN Network Template

Create the Predefined Zones in Panorama

Create the SD-WAN Device Groups

Create a Link Tag

Configure an SD-WAN Interface Profile

Configure a Physical Ethernet Interface for SD-WAN

Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN

Configure Layer 3 Subinterfaces for SD-WAN

Configure a Virtual SD-WAN Interface

Create a Default Route to the SD-WAN Interface

Configure SD-WAN Link Management Profiles

Create a Path Quality Profile

Configure SaaS Monitoring

Create a SaaS Quality Profile

Use Case: Configure SaaS Monitoring for a Branch Firewall

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination

SD-WAN Traffic Distribution Profiles

Create a Traffic Distribution Profile

Create an Error Correction Profile

Configure an SD-WAN Policy Rule

Allow Direct Internet Access Traffic Failover to MPLS Link

Configure DIA AnyPath

Distribute Unmatched Sessions

Add SD-WAN Devices to Panorama

Add an SD-WAN Device

Bulk Import Multiple SD-WAN Devices

Onboard PAN-OS Firewalls to Prisma Access

Configure HA Devices for SD-WAN

Create a VPN Cluster

Create a Full Mesh VPN Cluster with DDNS Service

Create a Static Route for SD-WAN

Monitoring and Reporting

Monitor SD-WAN Tasks

Monitor SD-WAN Application and Link Performance

Monitor Prisma Access Hubs

Baseline Your Prisma Access Hub Application and Link Performance

Monitor Prisma Access Hub Application and Link Performance

Generate an SD-WAN Report

Troubleshooting

Use CLI Commands for SD-WAN Tasks

Troubleshoot App Performance

Troubleshoot Link Performance

Upgrade your SD-WAN Firewalls

Install the SD-WAN Plugin

Uninstall the SD-WAN Plugin

Replace an SD-WAN Device

SD-WAN Administrator’s Guide

SD-WAN Overview

SD-WAN Configuration Elements

Plan Your SD-WAN Configuration

Configure SD-WAN

Install the SD-WAN Plugin

Install the SD-WAN Plugin When Panorama is Internet-Connected

Install the SD-WAN Plugin When Panorama is not Internet-Connected

Set Up Panorama and Firewalls for SD-WAN

Add Your SD-WAN Firewalls as Managed Devices

Create an SD-WAN Network Template

Create the Predefined Zones in Panorama

Create the SD-WAN Device Groups

Create a Link Tag

Configure an SD-WAN Interface Profile

Configure a Physical Ethernet Interface for SD-WAN

Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN

Configure Layer 3 Subinterfaces for SD-WAN

Configure a Virtual SD-WAN Interface

Create a Default Route to the SD-WAN Interface

Create a Path Quality Profile

Configure SaaS Monitoring

Create a SaaS Quality Profile

Use Case: Configure SaaS Monitoring for a Branch Firewall

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination

SD-WAN Traffic Distribution Profiles

Create a Traffic Distribution Profile

Create an Error Correction Profile

Configure an SD-WAN Policy Rule

Allow Direct Internet Access Traffic Failover to MPLS Link

Configure DIA AnyPath

Distribute Unmatched Sessions

Add SD-WAN Devices to Panorama

Add an SD-WAN Device

Bulk Import Multiple SD-WAN Devices

Configure HA Devices for SD-WAN

Create a VPN Cluster

Create a Full Mesh VPN Cluster with DDNS Service

Create a Static Route for SD-WAN

Monitoring and Reporting

Monitor SD-WAN Tasks

Monitor SD-WAN Application and Link Performance

Generate an SD-WAN Report

Troubleshooting

Use CLI Commands for SD-WAN Tasks

Troubleshoot App Performance

Troubleshoot Link Performance

Upgrade your SD-WAN Firewalls

Upgrade the SD-WAN Plugin

Uninstall the SD-WAN Plugin

Replace an SD-WAN Device

SD-WAN Administrator’s Guide

SD-WAN Overview

SD-WAN Configuration Elements

Plan Your SD-WAN Configuration

Configure SD-WAN

Install the SD-WAN Plugin

Install the SD-WAN Plugin When Panorama is Internet-Connected

Install the SD-WAN Plugin When Panorama is not Internet-Connected

Set Up Panorama and Firewalls for SD-WAN

Add Your SD-WAN Firewalls as Managed Devices

Create an SD-WAN Network Template

Create the Predefined Zones in Panorama

Create the SD-WAN Device Groups

Create a Link Tag

Configure an SD-WAN Interface Profile

Configure a Physical Ethernet Interface for SD-WAN

Configure a Virtual SD-WAN Interface

Create a Default Route to the SD-WAN Interface

Create a Path Quality Profile

Configure SaaS Monitoring

Create a SaaS Quality Profile

Use Case: Configure SaaS Monitoring for a Branch Firewall

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination

SD-WAN Traffic Distribution Profiles

Create a Traffic Distribution Profile

Create an Error Correction Profile

Configure an SD-WAN Policy Rule

Allow Direct Internet Access Traffic Failover to MPLS Link

Distribute Unmatched Sessions

Add SD-WAN Devices to Panorama

Add an SD-WAN Device

Bulk Import Multiple SD-WAN Devices

Configure HA Devices for SD-WAN

Create a VPN Cluster

Create a Static Route for SD-WAN

Configure DIA AnyPath

Create a Full Mesh VPN Cluster with DDNS Service

Monitoring and Reporting

Monitor SD-WAN Tasks

Monitor SD-WAN Application and Link Performance

Generate an SD-WAN Report

Troubleshooting

Use CLI Commands for SD-WAN Tasks

Troubleshoot App Performance

Troubleshoot Link Performance

Upgrade your SD-WAN Firewalls

Upgrade the SD-WAN Plugin

Uninstall the SD-WAN Plugin

SD-WAN Administrator’s Guide

SD-WAN Overview

SD-WAN Configuration Elements

Plan Your SD-WAN Configuration

Configure SD-WAN

Install the SD-WAN Plugin

Install the SD-WAN Plugin When Panorama is Internet-Connected

Install the SD-WAN Plugin When Panorama is not Internet-Connected

Set Up Panorama and Firewalls for SD-WAN

Add Your SD-WAN Firewalls as Managed Devices

Create an SD-WAN Network Template

Create the Predefined Zones in Panorama

Create the SD-WAN Device Groups

Create a Link Tag

Configure an SD-WAN Interface Profile

Configure a Physical Ethernet Interface for SD-WAN

Configure a Virtual SD-WAN Interface

Create a Default Route to the SD-WAN Interface

Create a Path Quality Profile

SD-WAN Traffic Distribution Profiles

Create a Traffic Distribution Profile

Configure an SD-WAN Policy Rule

Distribute Unmatched Sessions

Add SD-WAN Devices to Panorama

Add an SD-WAN Device

Bulk Import Multiple SD-WAN Devices

Configure HA Devices for SD-WAN

Create a VPN Cluster

Create a Static Route for SD-WAN

Allow Direct Internet Access Traffic Failover to MPLS Link

Monitoring and Reporting

Monitor SD-WAN Application and Link Performance

Generate an SD-WAN Report

Monitor SD-WAN Tasks

Troubleshooting

Use CLI Commands for SD-WAN Tasks

Troubleshoot App Performance

Troubleshoot Link Performance

Uninstall the SD-WAN Plugin

Upgrade your SD-WAN Firewalls

Upgrade the SD-WAN Plugin

SD-WAN Administrator’s Guide

SD-WAN Overview

System Requirements for SD-WAN

SD-WAN Configuration Elements

Plan Your SD-WAN Configuration

Configure SD-WAN

Install the SD-WAN Plugin

Install the SD-WAN Plugin When Panorama is Internet-Connected

Install the SD-WAN Plugin When Panorama is not Internet-Connected

Set Up Panorama and Firewalls for SD-WAN

Add Your SD-WAN Firewalls as Managed Devices

Create an SD-WAN Network Template

Create the Predefined Zones in Panorama

Create the SD-WAN Device Groups

Create a Link Tag

Configure an SD-WAN Interface Profile

Configure a Physical Ethernet Interface for SD-WAN

Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN

Configure Layer 3 Subinterfaces for SD-WAN

Configure a Virtual SD-WAN Interface

Create a Default Route to the SD-WAN Interface

Configure SD-WAN Link Management Profiles

Create a Path Quality Profile

Configure SaaS Monitoring

Create a SaaS Quality Profile

Use Case: Configure SaaS Monitoring for a Branch Firewall

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination

SD-WAN Traffic Distribution Profiles

Create a Traffic Distribution Profile

Create an Error Correction Profile

Configure an SD-WAN Policy Rule

Allow Direct Internet Access Traffic Failover to MPLS Link

Configure DIA AnyPath

Distribute Unmatched Sessions

Add SD-WAN Devices to Panorama

Add an SD-WAN Device

Bulk Import Multiple SD-WAN Devices

Onboard PAN-OS Firewalls to Prisma Access

Configure HA Devices for SD-WAN

Create a VPN Cluster

Create a Full Mesh VPN Cluster with DDNS Service

Create a Static Route for SD-WAN

Configure Multiple Virtual Routers on SD-WAN Hub

Monitoring and Reporting

Monitor SD-WAN Tasks

Monitor SD-WAN Application and Link Performance

Monitor Prisma Access Hubs

Baseline Your Prisma Access Hub Application and Link Performance

Monitor Prisma Access Hub Application and Link Performance

Generate an SD-WAN Report

Troubleshooting

Use CLI Commands for SD-WAN Tasks

Troubleshoot App Performance

Troubleshoot Link Performance

Upgrade your SD-WAN Firewalls

Install the SD-WAN Plugin

Uninstall the SD-WAN Plugin

Replace an SD-WAN Device

SD-WAN Administrator’s Guide

SD-WAN Overview

System Requirements for SD-WAN

SD-WAN Configuration Elements

Plan Your SD-WAN Configuration

Configure SD-WAN

Install the SD-WAN Plugin

Install the SD-WAN Plugin When Panorama is Internet-Connected

Install the SD-WAN Plugin When Panorama is not Internet-Connected

Set Up Panorama and Firewalls for SD-WAN

Add Your SD-WAN Firewalls as Managed Devices

Create an SD-WAN Network Template

Create the Predefined Zones in Panorama

Create the SD-WAN Device Groups

Create a Link Tag

Configure an SD-WAN Interface Profile

Configure a Physical Ethernet Interface for SD-WAN

Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN

Configure Layer 3 Subinterfaces for SD-WAN

Configure a Virtual SD-WAN Interface

Create a Default Route to the SD-WAN Interface

Configure SD-WAN Link Management Profiles

Create a Path Quality Profile

Configure SaaS Monitoring

Create a SaaS Quality Profile

Use Case: Configure SaaS Monitoring for a Branch Firewall

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination

SD-WAN Traffic Distribution Profiles

Create a Traffic Distribution Profile

Create an Error Correction Profile

Configure an SD-WAN Policy Rule

Allow Direct Internet Access Traffic Failover to MPLS Link

Configure DIA AnyPath

Distribute Unmatched Sessions

Add SD-WAN Devices to Panorama

Add an SD-WAN Device

Bulk Import Multiple SD-WAN Devices

Onboard PAN-OS Firewalls to Prisma Access

Configure HA Devices for SD-WAN

Create a VPN Cluster

Create a Full Mesh VPN Cluster with DDNS Service

Create a Static Route for SD-WAN

Configure Advanced Routing for SD-WAN

Monitoring and Reporting

Monitor SD-WAN Tasks

Monitor SD-WAN Application and Link Performance

Monitor Prisma Access Hubs

Baseline Your Prisma Access Hub Application and Link Performance

Monitor Prisma Access Hub Application and Link Performance

Generate an SD-WAN Report

Troubleshooting

Use CLI Commands for SD-WAN Tasks

Troubleshoot App Performance

Troubleshoot Link Performance

Upgrade your SD-WAN Firewalls

Install the SD-WAN Plugin

Uninstall the SD-WAN Plugin

Replace an SD-WAN Device

SD-WAN Administrator’s Guide

SD-WAN Overview

System Requirements for SD-WAN

SD-WAN Configuration Elements

Plan Your SD-WAN Configuration

Configure SD-WAN

Install the SD-WAN Plugin

Install the SD-WAN Plugin When Panorama is Internet-Connected

Install the SD-WAN Plugin When Panorama is not Internet-Connected

Set Up Panorama and Firewalls for SD-WAN

Add Your SD-WAN Firewalls as Managed Devices

Create an SD-WAN Network Template

Create the Predefined Zones in Panorama

Create the SD-WAN Device Groups

Create a Link Tag

Configure an SD-WAN Interface Profile

Configure a Physical Ethernet Interface for SD-WAN

Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN

Configure Layer 3 Subinterfaces for SD-WAN

Configure a Virtual SD-WAN Interface

Create a Default Route to the SD-WAN Interface

Configure SD-WAN Link Management Profiles

Create a Path Quality Profile

Configure SaaS Monitoring

Create a SaaS Quality Profile

Use Case: Configure SaaS Monitoring for a Branch Firewall

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination

Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination

SD-WAN Traffic Distribution Profiles

Create a Traffic Distribution Profile

Create an Error Correction Profile

Configure an SD-WAN Policy Rule

Allow Direct Internet Access Traffic Failover to MPLS Link

Configure DIA AnyPath

Distribute Unmatched Sessions

Add SD-WAN Devices to Panorama

Add an SD-WAN Device

Bulk Import Multiple SD-WAN Devices

Onboard PAN-OS Firewalls to Prisma Access

Configure Certificate-Based Authentication for SD-WAN Devices

Configure HA Devices for SD-WAN

Create a VPN Cluster

Create a Full Mesh VPN Cluster with DDNS Service

Create a Static Route for SD-WAN

Configure Advanced Routing for SD-WAN

Configure Multiple Virtual Routers on SD-WAN Hub

Configure Multiple Virtual Routers on SD-WAN Branch

Monitoring and Reporting

Monitor SD-WAN Tasks

Monitor SD-WAN Application and Link Performance

Monitor Prisma Access Hubs

Baseline Your Prisma Access Hub Application and Link Performance

Monitor Prisma Access Hub Application and Link Performance

Generate an SD-WAN Report

Troubleshooting

Use CLI Commands for SD-WAN Tasks

Replace an SD-WAN Device

Troubleshoot App Performance

Troubleshoot Link Performance

Upgrade your SD-WAN Firewalls

Install the SD-WAN Plugin

Uninstall the SD-WAN Plugin

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Monitor App and Link Performance for All VPN Clusters

Monitor Prisma Access Hub-Spoke Performance

Monitor App and Link Performance

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Monitor App and Link Performance

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Monitor App and Link Performance

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Monitor App and Link Performance for All VPN Clusters

Monitor Prisma Access Hub-Spoke Performance

Monitor App and Link Performance

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Monitor App and Link Performance for All VPN Clusters

Monitor Prisma Access Hub-Spoke Performance

Monitor App and Link Performance

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Monitor App and Link Performance for All VPN Clusters

Monitor Prisma Access Hub-Spoke Performance

Monitor App and Link Performance

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

Panorama SD-WAN Plugin Help

Panorama SD-WAN Plugin

Panorama > SD-WAN

SD-WAN VPN Clusters

SD-WAN Monitoring

Monitor App and Link Performance for All VPN Clusters

Monitor Prisma Access Hub-Spoke Performance

Monitor App and Link Performance

Application and Link Characteristics

SD-WAN App Performance Run Now Report

SD-WAN Link Performance Run Now Report

VM-Series and Panorama Plugins Release Notes

Palo Alto Networks VM-Series and Panorama Plugins

VM-Series Plugin and Panorama Plugins

Panorama Plugins

Compatible Plugin Versions for PAN-OS 10.2

VM-Series Plugin

VM-Series Plugin 5.1.x

VM-Series Plugin 5.1.3

Addressed Issues in VM-Series Plugin 5.1.3

VM-Series Plugin 5.1.1

Addressed Issues in VM-Series Plugin 5.1.1

VM-Series Plugin 5.1.0

Known Issues in VM-Series Plugin 5.1.0

VM-Series Plugin 5.1.4

VM-Series Plugin 5.0.x

VM-Series Plugin 5.0.2

VM-Series Plugin 5.0.1

VM-Series Plugin 5.0.0

Addressed Issues in VM-Series Plugin 5.0.0

VM-Series Plugin 4.0.x

VM-Series Plugin 4.0.8

Addressed Issues in VM-Series Plugin 4.0.8

VM-Series Plugin 4.0.7

Addressed Issues in VM-Series Plugin 4.0.7

Known Issues in VM-Series Plugin 4.0.7

VM-Series Plugin 4.0.5

Known Issues in VM-Series Plugin 4.0.5

VM-Series Plugin 4.0.4

Known Issues in VM-Series Plugin 4.0.4

VM-Series Plugin 4.0.3-h1

Addressed Issues in VM-Series Plugin 4.0.3-h1

Known Issues in VM-Series Plugin 4.0.3-h1

VM-Series Plugin 4.0.3

Addressed Issues in VM-Series Plugin 4.0.3

Known Issues in VM-Series Plugin 4.0.3

VM-Series Plugin 4.0.2

Addressed Issues in VM-Series Plugin 4.0.2

Known Issues in VM-Series Plugin 4.0.2

VM-Series Plugin 4.0.1

Addressed Issues in VM-Series Plugin 4.0.1

Known Issues in VM-Series Plugin 4.0.1

VM-Series Plugin 4.0.0

What’s New in VM-Series Plugin 4.0.0

Known Issues in VM-Series Plugin 4.0.0

VM-Series Plugin 3.0.x

VM-Series Plugin 3.0.9

Addressed Issues in VM-Series Plugin 3.0.9

VM-Series Plugin 3.0.8

Addressed Issues in VM-Series Plugin 3.0.8

VM-Series Plugin 3.0.6

Addressed Issues in VM-Series Plugin 3.0.6

Known Issues in VM-Series Plugin 3.0.6

VM-Series Plugin 3.0.5-h1

VM-Series Plugin 3.0.5

Addressed Issues in VM-Series Plugin 3.0.5

VM-Series Plugin 3.0.4

Addressed Issues in VM-Series Plugin 3.0.4

Known Issues in VM-Series Plugin 3.0.4

VM-Series Plugin 3.0.3

What’s New in VM-Series Plugin 3.0.3

Addressed Issues in VM-Series Plugin 3.0.3

VM-Series Plugin 3.0.2

Known Issues in VM-Series Plugin 3.0.2

Addressed Issues in VM-Series Plugin 3.0.2

VM-Series Plugin 3.0.1

What’s New in VM-Series Plugin 3.0.1

Addressed Issues in VM-Series Plugin 3.0.1

Known Issues in VM-Series Plugin 3.0.1

VM-Series Plugin 3.0.0

Known Issues in VM-Series Plugin 3.0.0

VM-Series Plugin 3.0.10

Addressed Issues in VM-Series Plugin 3.0.10

VM-Series Plugin 2.1.x

VM-Series Plugin 2.1.17

Addressed Issues in VM-Series Plugin 2.1.17

Known Issues in VM-Series Plugin 2.1.17

VM-Series Plugin 2.1.16

Addressed Issues in VM-Series Plugin 2.1.16

Known Issues in VM-Series Plugin 2.1.16

VM-Series Plugin 2.1.15

Addressed Issues in VM-Series Plugin 2.1.15

Known Issues in VM-Series Plugin 2.1.15

VM-Series Plugin 2.1.14

Addressed Issues in VM-Series Plugin 2.1.14

VM-Series Plugin 2.1.13

Addressed Issues in VM-Series Plugin 2.1.13

VM-Series Plugin 2.1.12

Addressed Issues in VM-Series Plugin 2.1.12

Known Issues in VM-Series Plugin 2.1.12

VM-Series Plugin 2.1.11

What's New in VM-Series Plugin 2.1.11

Addressed Issues in VM-Series Plugin 2.1.11

Known Issues in VM-Series Plugin 2.1.11

VM-Series Plugin 2.1.10

Addressed Issues in VM-Series Plugin 2.1.10

Known Issues in VM-Series Plugin 2.1.10

VM-Series Plugin 2.1.9

Addressed Issues in VM-Series Plugin 2.1.9

Known Issues in VM-Series Plugin 2.1.9

VM-Series Plugin 2.1.8

What’s New in VM-Series Plugin 2.1.8

Addressed Issues in VM-Series Plugin 2.1.8

Known Issues in VM-Series Plugin 2.1.8

VM-Series Plugin 2.1.7

Addressed Issues in VM-Series Plugin 2.1.7

Known Issues in VM-Series Plugin 2.1.7

VM-Series Plugin 2.1.6

Addressed Issues in VM-Series Plugin 2.1.6

Known Issues in VM-Series Plugin 2.1.6

VM-Series Plugin 2.1.5

Addressed Issues in VM-Series Plugin 2.1.5

Known Issues in VM-Series Plugin 2.1.5

VM-Series Plugin 2.1.4

What’s New in VM-Series Plugin 2.1.4

Known Issues in VM-Series Plugin 2.1.4

VM-Series Plugin 2.1.3

Known Issues in VM-Series Plugin 2.1.3

Addressed Issues in VM-Series Plugin 2.1.3

VM-Series Plugin 2.1.2

What’s New in VM-Series Plugin 2.1.2

Known Issues in VM-Series Plugin 2.1.2

Addressed Issues in VM-Series Plugin 2.1.2

VM-Series Plugin 2.1.1

What’s New in VM-Series Plugin 2.1.1

Known Issues in VM-Series Plugin 2.1.1

VM-Series Plugin 2.1.0

Known Issues in VM-Series Plugin 2.1.0

VM-Series Plugin 2.0.x

VM-Series Plugin 2.0.7

What’s New in VM-Series Plugin 2.0.7

Known Issues in VM-Series Plugin 2.0.7

Addressed Issues in VM-Series Plugin 2.0.7

VM-Series Plugin 2.0.6

Known Issues in VM-Series Plugin 2.0.6

Addressed Issues in VM-Series Plugin 2.0.6

VM-Series Plugin 2.0.5

What’s New in VM-Series Plugin 2.0.5

Known Issues in VM-Series Plugin 2.0.5

Addressed Issues in VM-Series Plugin 2.0.5

VM-Series Plugin 2.0.4

What’s New in VM-Series Plugin 2.0.4

Known Issues in VM-Series Plugin 2.0.4

Addressed Issues in VM-Series Plugin 2.0.4

VM-Series Plugin 2.0.3

What’s New in VM-Series Plugin 2.0.3

Addressed Issues in VM-Series Plugin 2.0.3

Known Issues in VM-Series Plugin 2.0.3

VM-Series Plugin 2.0.2

What’s New in VM-Series Plugin 2.0.2

Addressed Issues in VM-Series Plugin 2.0.2

Known Issues in VM-Series Plugin 2.0.2

VM-Series Plugin 2.0.1

What’s New in VM-Series Plugin 2.0.1

Addressed Issues in VM-Series Plugin 2.0.1

Known Issues in VM-Series Plugin 2.0.1

VM-Series Plugin 2.0.0

Known Issues in VM-Series Plugin 2.0.0

VM-Series Plugin 1.0.x

VM-Series Plugin 1.0.13

Addressed Issues in VM-Series Plugin 1.0.13

Known Issues in VM-Series Plugin 1.0.13

VM-Series Plugin 1.0.12

What’s New in VM-Series Plugin 1.0.12

Addressed Issues in VM-Series Plugin 1.0.12

Known Issues in VM-Series Plugin 1.0.12

VM-Series Plugin 1.0.11

What’s New in VM-Series Plugin 1.0.11

Addressed Issues in VM-Series Plugin 1.0.11

Known Issues in VM-Series Plugin 1.0.11

VM-Series Plugin 1.0.10

Addressed Issues in VM-Series Plugin 1.0.10

Known Issues in VM-Series Plugin 1.0.10

VM-Series Plugin 1.0.9

What’s New in VM-Series Plugin 1.0.9

Addressed Issues in VM-Series Plugin 1.0.9

Known Issues in VM-Series Plugin 1.0.9

VM-Series Plugin 1.0.8

Addressed Issues in VM-Series Plugin 1.0.8

Changes to Default Behavior in VM-Series Plugin 1.0.8

Known Issues in VM-Series Plugin 1.0.8

VM-Series Plugin 1.0.7

Addressed Issues in VM-Series Plugin 1.0.7

VM-Series Plugin 1.0.6

Addressed Issues in VM-Series Plugin 1.0.6

VM-Series Plugin 1.0.5

Known Issues in VM-Series Plugin 1.0.5

Addressed Issues in VM-Series Plugin 1.0.5

VM-Series Plugin 1.0.4

Known Issues in VM-Series Plugin 1.0.4

Addressed Issues in VM-Series Plugin 1.0.4

VM-Series Plugin 1.0.3

Known Issues in VM-Series Plugin 1.0.3

Addressed Issues in VM-Series Plugin 1.0.3

VM-Series Plugin 1.0.2

Known Issues in VM-Series Plugin 1.0.2

Addressed Issues in VM-Series Plugin 1.0.2

VM-Series Plugin 1.0.0

Known Issues in VM-Series Plugin 1.0.0

Panorama CloudConnector Plugin

Panorama Plugin for AIOps 1.0.0

Panorama Plugin for AIOps 1.1.0

Panorama CloudConnector Plugin 2.0.0

Panorama CloudConnector Plugin 2.0.1

Panorama CloudConnector Plugin 2.1.0

Panorama Plugin for Azure

Panorama Plugin for Azure 5.2.1

What's New in the Panorama Plugin for Azure 5.2.1

Addressed Issues in the Panorama Plugin for Azure 5.2.1

Known Issues in the Panorama Plugin for Azure 5.2.1

Panorama Plugin for Azure 5.2.0

What's New in the Panorama Plugin for Azure 5.2.0

Known Issues in the Panorama Plugin for Azure 5.2.0

Panorama Plugin for Azure 5.1.2

What's New in the Panorama Plugin for Azure 5.1.2

Addressed Issues in the Panorama Plugin for Azure 5.1.2

Panorama Plugin for Azure 5.1.1

What's New In the Panorama Plugin for Azure 5.1.1

Addressed Issues in the Panorama Plugin for Azure 5.1.1

Known Issues in the Panorama Plugin for Azure 5.1.1

Panorama Plugin for Azure 4.2.0

What's New In the Panorama Plugin for Azure 4.2.0

Addressed Issues in the Panorama Plugin for Azure 4.2.0

Known Issues in the Panorama Plugin for Azure 4.2.0

Panorama Plugin for Azure 4.1.0

What’s New in the Panorama Plugin for Azure 4.1.0

Known Issues in the Panorama Plugin for Azure 4.1.0

Addressed Issues in the Panorama Plugin for Azure 4.1.0

Panorama Plugin for Azure 4.0.0

Known Issues in the Panorama Plugin for Azure 4.0.0

Panorama Plugin for Azure 3.2.2

Addressed Issues in Panorama Plugin for Azure 3.2.2

Known Issues in Panorama Plugin for Azure 3.2.2

Panorama Plugin for Azure 3.2.1

Known Issues in Panorama Plugin for Azure 3.2.1

Addressed Issues in Panorama Plugin for Azure 3.2.1

Panorama Plugin for Azure 3.2.0

What’s New in Panorama Plugin for Azure 3.2.0

Known Issues in Panorama Plugin for Azure 3.2.0

Addressed Issues in Panorama Plugin for Azure 3.2.0

Panorama Plugin for Azure 3.1.0

Known Issues in the Panorama Plugin for Azure 3.1.0

Addressed Issues in Panorama Plugin for Azure 3.1.0

Panorama Plugin for Azure 3.0.1

Known Issues in the Panorama Plugin for Azure 3.0.1

Addressed Issues in the Panorama Plugin for Azure 3.0.1

Panorama Plugin for Azure 3.0.0

What’s New in the Panorama Plugin for Azure 3.0.0

Known Issues in the Panorama Plugin for Azure 3.0.0

Panorama Plugin for Azure 2.0.3

Addressed Issues in Panorama Plugin for Azure 2.0.3

Panorama Plugin for Azure 2.0.2

Addressed Issues in Panorama Plugin for Azure 2.0.2

Panorama Plugin for Azure 2.0.1

Known Issues in Panorama Plugin for Azure 2.0.x

Addressed Issues in Panorama Plugin for Azure 2.0.1

Panorama Plugin for Azure 2.0.0

What’s New in Panorama Plugin for Azure 2.0.0

Known Issues in Panorama Plugin for Azure 2.0.0

Panorama Plugin for Azure 1.0.0

Known Issues in Panorama Plugin for Azure 1.0.0

Panorama Plugin for AWS

Panorama Plugin for AWS 5.2.2

Addressed issues in Panorama Plugin for AWS 5.2.2

Known Issues in Panorama Plugin for AWS 5.2.2

Panorama Plugin for AWS 5.2.1

Addressed issues in Panorama Plugin for AWS 5.2.1

Known Issues in Panorama Plugin for AWS 5.2.1

Panorama Plugin for AWS 5.2.0

What's New in Panorama Plugin for AWS 5.2.0

Addressed issues in Panorama Plugin for AWS 5.2.0

Known Issues in Panorama Plugin for AWS 5.2.0

Panorama Plugin for AWS 5.1.1

What’s New in Panorama Plugin for AWS 5.1.1

Addressed issues in Panorama Plugin for AWS 5.1.1

Known Issues in Panorama Plugin for AWS 5.1.1

Panorama Plugin for AWS 5.0.1

Known Issues in Panorama Plugin for AWS 5.0.1

Addressed issues in Panorama Plugin for AWS 5.0.1

Panorama Plugin for AWS 5.0.0

Known Issues in Panorama Plugin for AWS 5.0.0

Panorama Plugin for AWS 4.1.0

Known Issues in Panorama Plugin for AWS 4.1.0

Addressed Issues in Panorama Plugin for AWS 4.1.0

What's New in Panorama Plugin for AWS 4.1.0

Panorama Plugin for AWS 4.0.0

Known Issues in Panorama Plugin for AWS 4.0.0

Panorama Plugin for AWS 3.0.3

What’s New in Panorama Plugin for AWS 3.0.3

Known Issues in Panorama Plugin for AWS 3.0.3

Panorama Plugin for AWS 3.0.2

What’s New in Panorama Plugin for AWS 3.0.2

Known Issues in Panorama Plugin for AWS 3.0.2

Addressed Issues in Panorama Plugin for AWS 3.0.2

Panorama Plugin for AWS 3.0.1

What’s new in Panorama Plugin for AWS 3.0.1

Addressed Issues in Panorama Plugin for AWS 3.0.1

Known Issues in Panorama Plugin for AWS 3.0.1

Panorama Plugin for AWS 3.0.0

What’s New in Panorama Plugin for AWS 3.0.0

Known Issues in Panorama Plugin for AWS 3.0.0

Panorama Plugin for AWS 2.0.2

Addressed Issues in Panorama Plugin for AWS 2.0.2

Panorama Plugin for AWS 2.0.1

Addressed Issues in Panorama Plugin for AWS 2.0.1

Panorama Plugin for AWS 2.0.0

What’s New in Panorama Plugin for AWS 2.0.0

Fixed Issues in Panorama Plugin for AWS 2.0.0

Known Issues in Panorama Plugin for AWS 2.0.x

Panorama Plugin for AWS 1.0.1

Addressed Issues in Panorama Plugin for AWS 1.0.1

Panorama Plugin for AWS 1.0.0

Known Issues in Panorama Plugin for AWS 1.0.x

Panorama Plugin for AWS 5.1.2

Addressed issues in Panorama Plugin for AWS 5.1.2

Known Issues in Panorama Plugin for AWS 5.1.2

Panorama Plugin for AWS 5.1.3

Addressed issues in Panorama Plugin for AWS 5.1.3

Panorama Plugin for AWS 5.3.0

What's New in Panorama Plugin for AWS 5.3.0

Addressed issues in Panorama Plugin for AWS 5.3.0

Panorama Plugin for AWS 5.3.1

Addressed Issues in Panorama Plugin for AWS 5.3.1

Known Issues in Panorama Plugin for AWS 5.3.1

Panorama Plugin for GCP

Panorama Plugin for GCP 3.1.0

Known Issues in Panorama Plugin for GCP 3.1.0

Panorama Plugin for GCP 3.0.0

Panorama Plugin for GCP 2.0.0

Known Issues in Panorama Plugin for GCP 2.0.0

Panorama Plugin for GCP 1.0.0

Known Issues in Panorama Plugin for GCP 1.0.0

Panorama Plugin for GCP 3.1.1

Known Issues in Panorama Plugin for GCP 3.1.1

Addressed Issues in Panorama Plugin for GCP 3.1.1

Panorama Plugin for VMware NSX

NSX-V OVF URL Best Practice

Panorama Plugin for VMware NSX 5.0.2

Addressed Issues in Panorama Plugin for VMware NSX 5.0.2

Known Issues in Panorama Plugin for VMware NSX 5.0.2

Panorama Plugin for VMware NSX 5.0.1

Addressed Issues in Panorama Plugin for VMware NSX 5.0.1

Known Issues in Panorama Plugin for VMware NSX 5.0.1

Panorama Plugin for VMware NSX 5.0.0

Upgrading the Panorama Plugin for VMware NSX to Version 5.0.0

Known Issues in Panorama Plugin for VMware NSX 5.0.0

Addressed Issues in Panorama Plugin for VMware NSX 5.0.0

Panorama Plugin for VMware NSX 4.0.4

Addressed Issues in Panorama Plugin for VMware NSX 4.0.4

Known Issues in Panorama Plugin for VMware NSX 4.0.4

Panorama Plugin for VMware NSX 4.0.3

Addressed Issues in Panorama Plugin for VMware NSX 4.0.3

Known Issues in Panorama Plugin for VMware NSX 4.0.3

Panorama Plugin for VMware NSX 4.0.2

Known Issues in Panorama Plugin for VMware NSX 4.0.2

Addressed Issues in Panorama Plugin for VMware NSX 4.0.2

Panorama Plugin for VMware NSX 4.0.1

Known Issues in Panorama Plugin for VMware NSX 4.0.1

Addressed Issues in Panorama Plugin for VMware NSX 4.0.1

Panorama Plugin for VMware NSX 4.0.0

What’s New in Panorama Plugin for VMware NSX 4.0.0

Upgrade or Downgrade the VMware NSX Plugin 4.0.0

Known Issues in Panorama Plugin for VMware NSX 4.0.0

Addressed Issues in Panorama Plugin for VMware NSX 4.0.0

Panorama Plugin for VMware NSX 3.2.4

Known Issues in Panorama Plugin for VMware NSX 3.2.4

Addressed Issues in Panorama Plugin for VMware NSX 3.2.4

Panorama Plugin for VMware NSX 3.2.3

Known Issues in Panorama Plugin for VMware NSX 3.2.3

Addressed Issues in Panorama Plugin for VMware NSX 3.2.3

Panorama Plugin for VMware NSX 3.2.1

Known Issues in Panorama Plugin for VMware NSX 3.2.1

Addressed Issues in Panorama Plugin for VMware NSX 3.2.1

Panorama Plugin for VMware NSX 3.2.0

What’s New in Panorama Plugin for VMware NSX 3.2.0

Upgrading the Panorama Plugin for VMware NSX to 3.2.0

Known Issues in Panorama Plugin for VMware NSX 3.2.0

Addressed Issues in Panorama Plugin for VMware NSX 3.2.0

Panorama Plugin for VMware NSX 3.0.1

Known Issues for Panorama Plugin for VMware NSX 3.0.1

Addressed Issues in Panorama Plugin for VMware NSX 3.0.1

Panorama Plugin for VMware NSX 3.0.0

Known Issues for Panorama Plugin for VMware NSX 3.0.0

Panorama Plugin for VMware NSX 2.0.6

Known Issues in Panorama Plugin for VMware NSX 2.0.6

Addressed Issues in Panorama Plugin for VMware NSX 2.0.6

Panorama Plugin for VMware NSX 2.0.5

What’s New in Panorama Plugin for VMware NSX 2.0.5

Known Issues in Panorama Plugin for VMware NSX 2.0.5

Addressed Issues in Panorama Plugin for VMware NSX 2.0.5

Panorama Plugin for VMware NSX 2.0.4

What’s New in Panorama Plugin for VMware NSX 2.0.4

Known Issues in Panorama Plugin for VMware NSX 2.0.4

Addressed Issues in Panorama Plugin for VMware NSX 2.0.4

Panorama Plugin for VMware NSX 2.0.3

Known Issues in Panorama Plugin for VMware NSX 2.0.3

Addressed Issues in Panorama Plugin for VMware NSX 2.0.3

Panorama Plugin for VMware NSX 2.0.2

Known Issues in Panorama Plugin for VMware NSX 2.0.2

Addressed Issues in Panorama Plugin for VMware NSX 2.0.2

Panorama Plugin for VMware NSX 2.0.1

Known Issues in Panorama Plugin for VMware NSX 2.0.1

Addressed Issues in Panorama Plugin for VMware NSX 2.0.1

Panorama Plugin for VMware NSX 2.0.0

Known Issues in Panorama Plugin for VMware NSX 2.0.0

Panorama Plugin for VMware NSX 1.0.4

Addressed Issues in Panorama Plugin for VMware NSX 1.0.4

Panorama Plugin for VMware NSX 1.0.3

Addressed Issues in Panorama Plugin for VMware NSX 1.0.3

Panorama Plugin for VMware NSX 1.0.2

Addressed Issues in Panorama Plugin for VMware NSX 1.0.2

Panorama Plugin for VMware NSX 1.0.1

Addressed Issues in Panorama Plugin for VMware NSX 1.0.1

Panorama Plugin for VMware NSX 1.0.0

Panorama Plugin for Cisco ACI

Panorama Plugin for Cisco ACI 3.0.1

Addressed Issues in Panorama Plugin for Cisco ACI 3.0.1

Panorama Plugin for Cisco ACI 3.0.0

Panorama Plugin for Cisco ACI 2.0.3

Addressed Issues in Panorama Plugin for Cisco ACI 2.0.3

Known Issues in Panorama Plugin for Cisco ACI 2.0.3

Panorama Plugin for Cisco ACI 2.0.2

Known Issues in Panorama Plugin for Cisco ACI 2.0.2

Panorama Plugin for Cisco ACI 2.0.1

Known Issues in Panorama Plugin for Cisco ACI 2.0.1

Addressed Issues in Panorama Plugin for Cisco ACI 2.0.1

Panorama Plugin for Cisco ACI 2.0.0-h10

Known Issues in Panorama Plugin for Cisco ACI 2.0.0-h10

Addressed Issues in the Panorama Plugin for Cisco ACI 2.0.0-h10

Panorama Plugin for Cisco ACI 2.0.0

Whats New in the Panorama Plugin for Cisco ACI 2.0.0

Known Issues in Panorama Plugin for Cisco ACI 2.0.0

Panorama Plugin for Cisco ACI 1.0.1

Known Issues in Panorama Plugin for Cisco ACI 1.0.1

Addressed Issues in Panorama Plugin for Cisco ACI 1.0.1

Panorama Plugin for Cisco ACI 1.0.0

Known Issues in Panorama Plugin for Cisco ACI 1.0.0

Panorama Plugin for VMware vCenter

Panorama Plugin for VMware vCenter 2.1.0

Addressed Issues in Panorama Plugin for VMware vCenter 2.1.0

Known Issues in Panorama Plugin for VMware vCenter 2.1.0

Panorama Plugin for VMware vCenter 2.0.0

Panorama Plugin for VMware vCenter 1.0.1

Addressed Issues in Panorama Plugin for VMware vCenter 1.0.1

Known Issues in Panorama Plugin for VMware vCenter 1.0.1

Panorama Plugin for VMware vCenter 1.0.0

Known Issues in Panorama Plugin for VMware vCenter 1.0.0

Panorama Interconnect Plugin

Panorama Interconnect Plugin 2.0.0

Features Introduced in Panorama Interconnect Plugin 2.0.0

Known Issues in Panorama Interconnect Plugin 2.0.0

Panorama Interconnect Plugin 1.1.0

Features Introduced in Panorama Interconnect Plugin 1.1.0

Known Issues in Panorama Interconnect Plugin 1.1.0

Issues Addressed in Panorama Interconnect Plugin 1.1.0

Panorama Interconnect Plugin 1.0.2

Known Issues in Panorama Interconnect Plugin 1.0.2

Addressed Issues in Panorama Interconnect Plugin 1.0.2

Panorama Interconnect Plugin 1.0.1

Known Issues in Panorama Interconnect Plugin 1.0.1

Addressed Issues in Panorama Interconnect Plugin 1.0.1

Panorama Interconnect Plugin 1.0.0

Known Issues in Panorama Interconnect Plugin 1.0.0

Panorama Plugin for Cisco TrustSec

Panorama Plugin for Cisco TrustSec 2.0.1

Addressed Issues in Panorama Plugin for Cisco TrustSec 2.0.1

Panorama Plugin for Cisco TrustSec 2.0.0

Addressed Issues in Panorama Plugin for Cisco TrustSec 2.0.0

Panorama Plugin for Cisco TrustSec 1.0.4

Addressed Issues in Panorama Plugin for Cisco TrustSec 1.0.4

Known Issues in the Panorama Plugin for Cisco TrustSec 1.0.4

Panorama Plugin for Cisco TrustSec 1.0.3

Addressed Issues in Panorama Plugin for Cisco TrustSec 1.0.3

Known Issues in the Panorama Plugin for Cisco TrustSec 1.0.3

Panorama Plugin for Cisco TrustSec 1.0.2

What’s New in the Panorama Plugin for Cisco TrustSec 1.0.2

Known Issues in the Panorama Plugin for Cisco TrustSec 1.0.2

Panorama Plugin for Cisco TrustSec 1.0.1

What’s New in the Panorama Plugin for Cisco TrustSec 1.0.1

Known Issues in the Panorama Plugin for Cisco TrustSec 1.0.1

Panorama Plugin for Cisco TrustSec 1.0.0

Panorama Plugin for Nutanix

Panorama Plugin for Nutanix 2.0.1

Addressed Issues in Panorama Plugin for Nutanix 2.0.1

Panorama Plugin for Nutanix 2.0.0

Panorama Plugin for Nutanix 1.0.0

Known Issues in Panorama Plugin for Nutanix 1.0.0

Panorama Plugin for SD-WAN

Panorama Plugin for SD-WAN 3.3

Features Introduced in SD-WAN Plugin 3.3

Changes to Default Behavior in SD-WAN Plugin 3.3.1

Known Issues in SD-WAN Plugin 3.3

Panorama Plugin for SD-WAN 3.2

Features Introduced in SD-WAN Plugin 3.2

Known Issues in SD-WAN Plugin 3.2

Changes to Default Behavior in SD-WAN Plugin 3.2.2

Panorama Plugin for SD-WAN 3.1

Features Introduced in SD-WAN Plugin 3.1

Known Issues in SD-WAN Plugin 3.1

Panorama Plugin for SD-WAN 3.0

Features Introduced in SD-WAN Plugin 3.0

Changes to Default Behavior in SD-WAN Plugin 3.0.8

Known Issues in SD-WAN Plugin 3.0

Panorama Plugin for SD-WAN 2.2

Features Introduced in SD-WAN Plugin 2.2

Known Issues in SD-WAN Plugin 2.2

Panorama Plugin for SD-WAN 2.1

Features Introduced in SD-WAN Plugin 2.1

Known Issues in SD-WAN Plugin 2.1

Panorama Plugin for SD-WAN 2.0

Features Introduced in SD-WAN Plugin 2.0

Known Issues in SD-WAN Plugin 2.0

Panorama Plugin for SD-WAN 1.0

Features Introduced in SD-WAN Plugin 1.0

Changes to Default Behavior in SD-WAN Plugin 1.0.2

Known Issues in the SD-WAN Plugin 1.0 Releases

Upgrade/Downgrade Considerations

Panorama Plugin for Zero Touch Provisioning

Panorama Plugin for Zero Touch Provisioning 3.0

Features Introduced in Zero Touch Provisioning 3.0

Known Issues in Zero Touch Provisioning 3.0.1

Known Issues in Zero Touch Provisioning 3.0.0

Panorama Plugin for Zero Touch Provisioning 2.0

Features Introduced in Zero Touch Provisioning 2.0

Known Issues in the Zero Touch Provisioning 2.0.4 Release

Known Issues in the Zero Touch Provisioning 2.0.3 Release

Known Issues in the Zero Touch Provisioning 2.0.2 Release

Known Issues in the Zero Touch Provisioning 2.0.1 Release

Known Issues in the Zero Touch Provisioning 2.0.0 Release

Panorama Plugin for Zero Touch Provisioning 1.0

Features Introduced in Zero Touch Provisioning 1.0

Known Issues in the Zero Touch Provisioning 1.0.2 Release

Known Issues in the Zero Touch Provisioning 1.0.1 Release

Known Issues in the Zero Touch Provisioning 1.0.0 Release

Panorama Plugin for Kubernetes

Panorama Plugin for Kubernetes 4.0.0

What’s New in Panorama Plugin for Kubernetes 4.0.0

Known Issues in Kubernetes Plugin 4.0.0

Panorama Plugin for Kubernetes 3.0.2

Addressed Issues in Kubernetes Plugin 3.0.2

Panorama Plugin for Kubernetes 3.0.1

Known Issues in Kubernetes Plugin 3.0.1

Addressed Issues in Kubernetes Plugin 3.0.1

Panorama Plugin for Kubernetes 3.0.0

What’s New in Panorama Plugin for Kubernetes 3.0.0

Known Issues in Kubernetes Plugin 3.0.0

Panorama Plugin for Kubernetes 2.0.2

What’s New in Panorama Plugin for Kubernetes 2.0.2

Panorama Plugin for Kubernetes 2.0.1

Addressed Issues in Kubernetes Plugin 2.0.1

Panorama Plugin for Kubernetes 2.0.0

What’s New in Panorama Plugin for Kubernetes 2.0.0

Known Issues in Kubernetes Plugin 2.0.0

Panorama Plugin for Kubernetes 1.0.5

Known Issues in Kubernetes Plugin 1.0.5

Addressed Issues in Kubernetes Plugin 1.0.5

Panorama Plugin for Kubernetes 1.0.4

Known Issues in Kubernetes Plugin 1.0.4

Addressed Issues in Kubernetes Plugin 1.0.4

Panorama Plugin for Kubernetes 1.0.3

Known Issues in Kubernetes Plugin 1.0.3

Addressed Issues in Kubernetes Plugin 1.0.3

Panorama Plugin for Kubernetes 1.0.2

Known Issues in Kubernetes Plugin 1.0.2

Addressed Issues in Kubernetes Plugin 1.0.2

Panorama Plugin for Kubernetes 1.0.1

What’s New in Panorama Plugin for Kubernetes 1.0.1

Known Issues in Kubernetes Plugin 1.0.1

Addressed Issues in Kubernetes Plugin 1.0.1

Panorama Plugin for Kubernetes 1.0.0

What’s New in Panorama Plugin for Kubernetes 1.0.0

Known Issues in Kubernetes Plugin 1.0.0

Panorama Plugin for Kubernetes 3.0.3

Addressed Issues in Kubernetes Plugin 3.0.3

Known Issues in Kubernetes Plugin 3.0.3

Panorama Plugin for Clustering

Panorama Clustering Plugin 2.0.0

What's New in Panorama Clustering Plugin 2.0.0

Known Issues in Panorama Clustering Plugin 2.0.0

Panorama Clustering Plugin 1.0.0

What’s New in Panorama Clustering Plugin 1.0.0

Known Issues in Panorama Clustering Plugin 1.0.0

Panorama Software Firewall License Plugin

Panorama Software Firewall License Plugin 1.1.2

Addressed Issues in the Panorama Software Firewall License Plugin 1.1.2

Known Issues in the Panorama Software Firewall License Plugin 1.1.2

Panorama Software Firewall License Plugin 1.1.1

Addressed Issues in the Panorama Software Firewall License Plugin 1.1.1

Known Issues in the Panorama Software Firewall License Plugin 1.1.1

Panorama Software Firewall License Plugin 1.1.0

Addressed Issues in the Panorama Software Firewall License Plugin 1.1.0

Panorama Software Firewall License Plugin 1.0.0

Known Issues in the Panorama Software Firewall License Plugin 1.0.0

Panorama Software Firewall License Plugin 1.1.3

Addressed Issues in the Panorama Software Firewall License Plugin 1.1.3

Known Issues in the Panorama Software Firewall License Plugin 1.1.3

Panorama IPS Signature Converter Plugin

Panorama IPS Signature Converter Plugin 1.0.0

Known Issues in the IPS Signature Converter Plugin 1.0.0

Panorama IPS Signature Converter Plugin 1.0.1

What’s New in the IPS Signature Converter Plugin 1.0.1

Known Issues in the IPS Signature Converter Plugin 1.0.1

Panorama IPS Signature Converter Plugin 1.0.2

What’s New in the IPS Signature Converter Plugin 1.0.2

Known Issues in the IPS Signature Converter Plugin 1.0.2

Panorama IPS Signature Converter Plugin 1.0.3

What’s New in the IPS Signature Converter Plugin 1.0.3

Known Issues in the IPS Signature Converter Plugin 1.0.3

Panorama IPS Signature Converter Plugin 1.0.4

Known Issues in the IPS Signature Converter Plugin 1.0.4

Panorama IPS Signature Converter Plugin 1.0.5

What’s New in the IPS Signature Converter Plugin 1.0.5

Known Issues in the IPS Signature Converter Plugin 1.0.5

Panorama IPS Signature Converter Plugin 1.0.6

What’s New in the IPS Signature Converter Plugin 1.0.6

Known Issues in the IPS Signature Converter Plugin 1.0.6

Panorama IPS Signature Converter Plugin 1.0.7

What’s New in the IPS Signature Converter Plugin 1.0.7

Known Issues in the IPS Signature Converter Plugin 1.0.7

Panorama IPS Signature Converter Plugin 2.0.0

What’s New in the IPS Signature Converter Plugin 2.0.0

Known Issues in the IPS Signature Converter Plugin 2.0.0

Panorama IPS Signature Converter Plugin 2.0.2

What’s New in the IPS Signature Converter Plugin 2.0.2

Known Issues in the IPS Signature Converter Plugin 2.0.2

Panorama IPS Signature Converter Plugin 2.0.3

What’s New in the IPS Signature Converter Plugin 2.0.3

Known Issues in the IPS Signature Converter Plugin 2.0.3

Panorama IPS Signature Converter Plugin 2.0.1

What’s New in the IPS Signature Converter Plugin 2.0.1

Known Issues in the IPS Signature Converter Plugin 2.0.1

Panorama Network Discovery Plugin

Network Discovery Plugin 2.0

Features Introduced in Network Discovery 2.0

Known Issues in Network Discovery 2.0

Network Discovery Plugin 1.0

Features Introduced in Network Discovery 1.0

Known Issues in Network Discovery Plugin 1.0

Upgrade/Downgrade Considerations

PAN-OS OpenConfig Plugin

PAN-OS Plugin for OpenConfig 2.0.2

Whats New in OpenConfig Plugin 2.0.2

Known Issues in OpenConfig Plugin 2.0.2

PAN-OS Plugin for OpenConfig 2.0.1

Whats New in OpenConfig Plugin 2.0.1

Known Issues in OpenConfig Plugin 2.0.1

PAN-OS Plugin for OpenConfig 2.0

Whats New in OpenConfig Plugin 2.0

Known Issues in OpenConfig Plugin 2.0

PAN-OS Plugin for OpenConfig 1.3.0

Whats New in OpenConfig Plugin 1.3

Known Issues in OpenConfig Plugin 1.3

PAN-OS Plugin for OpenConfig 1.2.0

Whats New in the OpenConfig Plugin 1.2.0

Known Issues in the OpenConfig Plugin 1.2.0

PAN-OS Plugin for OpenConfig 1.1.0

Whats New in the OpenConfig Plugin 1.1.0

Known Issues in OpenConfig Plugin 1.1.0

PAN-OS Plugin for OpenConfig 1.0.0

Known Issues in OpenConfig Plugin 1.0.0

PAN-OS Plugin for OpenConfig 2.1.1

Whats New in OpenConfig Plugin 2.1.1

Known Issues in OpenConfig Plugin 2.1.1

PAN-OS Plugin for OpenConfig 2.1.0

What's New in OpenConfig Plugin 2.1.0

Known Issues in OpenConfig Plugin 2.1.0

Addressed Issues in OpenConfig Plugin 2.1.0

CloudGenix SD-WAN

CloudBlades Integration and Deployment

Virtual ION on GCP Deployment Guide

Plan a Prisma SD-WAN GCP Virtual Deployment

Prisma SD-WAN GCP Reference Architecture

Virtual ION Licensing and Token Management

Prisma SD-WAN to GCP Deployment

Prisma SD-WAN Virtual ION Deployment on GCP Prerequisites

Use the Prisma SD-WAN GCP Deployment Template

Claim the Prisma SD-WAN ION and Assign to a Site

Use GCP Serial Console to Access Virtual ION Device

Virtual ION on VMware Deployment Guide

Prisma SD-WAN to a VMware Host Deployment

Deploy Prisma SD-WAN to a VMware Host

Claim the ION Device and Assign to a Site

Configure Static IP Addressing for ION devices in Virtual Environments

Metadata Missing or Incorrect Information

Prisma SD-WAN Virtual ION VMware Deployment

Prisma SD-WAN Virtual ION Deployment on VMware Prerequisites

Manage Virtual Form Factor (VFF) Licensing

Generate Tokens

Virtual ION on KVM for NFV Deployment Guide

Prisma SD-WAN NFV Virtual Deployment

Prisma SD-WAN NFV Virtual Deployment Prerequisites

Manage Virtual Form Factor (VFF) Licensing

Generate Tokens

Prisma SD-WAN to an NFV Environment Orchestration Deployment

Claim the ION Device and Assign to a Site

Deploy Prisma SD-WAN Manually to an NFV or KVM Host

Configure Static IP Addressing for ION devices in Virtual Environments

Metadata Missing or Incorrect Information

Virtual ION on Azure Deployment Guide

Plan a Prisma SD-WAN Azure Virtual Deployment

Prerequisites to Prisma SD-WAN Azure Deployment

Prisma SD-WAN Azure Virtual Deployment

Manage Virtual ION Licenses and Tokens

Deploy Prisma SD-WAN to Azure

Deploy Using the Prisma SD-WAN Azure Deployment Template

Claim the Prisma SD-WAN ION and Assign to a Datacenter

Finalize Azure Configuration

Use Azure Serial Console to access Virtual ION

Deploy vIONs with (High Availability) HA in Azure

Virtual ION on AWS Deployment Guide

Prisma SD-WAN AWS Virtual Deployment

Plan a Prisma SD-WAN AWS Virtual Deployment

Prerequisites of AWS Virtual Form Factor

Licensing Process of Virtual Form Factor

Generate Tokens for Virtual Form Factor

Deploy Prisma SD-WAN to an AWS VPC

Deploy Prisma SD-WAN

Greenfield Deployment

Brownfield Deployment

Claim the Prisma SD-WAN ION and Assign to a Site

Claim and Assign the Prisma SD-WAN ION

Assign Static IP Address to Virtual Prisma SD-WAN IONs

Netskope Integration Guide

Prisma SD-WAN Netskope Integration

Set up the Netskope Security Cloud

Configure Prisma SD-WAN Tunnels to Netskope Security Cloud

Create an IPsec Profile

Create a Service Group

Create an IPsec Tunnel

Create a Path Policy

Verify the Configuration

Monitor Cybersecurity Events on the Netskope Portal

Symantec Web Security Services Integration Guide

Integrate Prisma SD-WAN and Symantec Web Security Services

Prisma SD-WAN and Symantec Web Security Services

Prerequisites to Integrate Prisma SD-WAN and Symantec Security Services

Plan the Deployment

Prepare Prisma SD-WAN Network

Configure Symantec Integration

Configure Symantec Web Security Services

Configure IPSEC Tunnel to Symantec Web Security Service

Sample Traditional IPSEC Router Configuration

Configure Prisma SD-WAN Secure Application Fabric

Check Point Integration Guide

Prisma SD-WAN Check Point Network Security-as-a-Service Integration

Sign in to the Check Point Infinity Portal

Configure your Router or SD-WAN Device

Support for Multiple External IP Addresses

Set up Prisma SD-WAN Overview

Create an IPsec Profile

Create a Service Group

Assign IPsec Tunnels to your Site

Test the Configuration

Monitor Cybersecurity Events at the Check Point Infinity Portal

LiveAction Integration Guide

Prisma SD-WAN Integration with LiveAction

Prisma SD-WAN Integration with LiveAction Prerequisites

Configure Prisma SD-WAN to Export IPFIX Records

Configure LiveNX to integrate with Prisma SD-WAN

Troubleshoot IPFIX Integration

GCP-NCC CloudBlade Integration Guide

Integrate Prisma SD-WAN with GCP-NCC

Integrate with GCP-NCC

Plan the GCP-NCC CloudBlade Integration

Configure and Install GCP-NCC CloudBlade

Configure GCP-NCC CloudBlade

Configure and Install the GCP-NCC Integration CloudBlade

Configure Cloud Router Advertisement

Create VPC Network Peering

Validate the GCP-NCC Integration with CloudBlade

Validate the GCP-NCC Integration CloudBlade

Manage the GCP-NCC Integration CloudBlade

Monitor the GCP-NCC Integration CloudBlade

Prisma Access CloudBlade Integration Release Notes (Cloud-Managed)

Prisma Access CloudBlade Integration Release 3.1.6

Prisma Access (Cloud Managed) CloudBlade 3.1.6

Prisma Access CloudBlade Integration Release 3.1.5

Features Introduced in Prisma Access CloudBlade 3.1.5

Limitations and Caveats in Release 3.1.5

Prisma Access CloudBlade Integration Release 3.1.1

Features Introduced in Prisma Access CloudBlade 3.1.1

Compatibility of CloudBlade Version 3.1.1 and Prisma Access

Addressed Issues in Prisma Access CloudBlade 3.1.1

Prisma Access for Networks CloudBlade Release 3.0.1

Features Introduced in Prisma Access CloudBlade 3.0.1

Compatibility of CloudBlade Version 3.0.1 and Prisma Access

Limitations and Caveats in Release 3.0.1

AWS Transit Gateway CloudBlade Integration Guide

Integrate with AWS Transit Gateway CloudBlade

Integrate with AWS Transit Gateway

AWS and Prisma SD-WAN CloudBlade Prerequisites

Plan the Deployment

Configure the AWS Transit Gateway Integration

Configure and Install the AWS Transit Gateway Integration CloudBlade

Validate the AWS Transit Gateway Integration CloudBlade

Setup Application Path Policy Rules

Manage and Troubleshoot the AWS Transit Gateway Integration CloudBlade

Enable, Pause, Disable, and Uninstall the Integration

Troubleshoot the AWS Tansit Gateway Integration

Monitor the AWS Transit Gateway CloudBlade

Prisma Access CloudBlade Integration Release Notes (Panorama Managed)

Prisma Access CloudBlade Integration Release 4.0.0

Features Introduced in Prisma Access CloudBlade 4.0.0

Compatibility of CloudBlade 4.0.0 and Prisma Access

Upgrade or Downgrade Considerations in Release 4.0.0

Prisma Access CloudBlade Release 3.1.6

Features Introduced in Prisma Access CloudBlade 3.1.6

Compatibility of CloudBlade Version 3.1.6 and Prisma Access

Prisma Access CloudBlade Integration Release 3.1.5

Features Introduced in Prisma Access CloudBlade 3.1.5

Compatibility of CloudBlade Version 3.1.5 and Prisma Access

Limitations and Caveats in Release 3.1.5

Prisma Access for Networks CloudBlade Release 3.1.3

Features Introduced in Prisma Access CloudBlade 3.1.3

Addressed Issues in Prisma Access CloudBlade 3.1.3

Upgrade or Downgrade Considerations in Release 3.1.3

Compatibility of CloudBlade Version 3.1.3 and Prisma Access

Prisma Access for Networks CloudBlade Release 3.1.2

Features Introduced in Prisma Access CloudBlade 3.1.2

Compatibility of CloudBlade Version 3.1.2 and Prisma Access

Limitations and Caveats in Release 3.1.2

ServiceNow CloudBlade Integration Guide

Prisma SD-WAN ServiceNow CloudBlade Integration

Prisma SD-WAN Events

Alert and Alarm Attributes

Configure ServiceNow CloudBlade in Prisma SD-WAN

Configure ServiceNow CloudBlade

Configure ServiceNow CloudBlade Parameters

Configure ServiceNow

ServiceNow CloudBlade Infrastructure

Query for Events

Convert Prisma SD-WAN Events to ServiceNow Constructs

Create Incident on ServiceNow

ServiceNow Incident Updates

ServiceNow Advanced Configurations

Monitor ServiceNow Status in Prisma SD-WAN

Azure Virtual WAN with vION CloudBlade Integration Guide

Azure Virtual WAN with vION CloudBlade Integration

Prisma SD-WAN and Azure Integration Prerequisites

Plan the Azure Virtual WAN with vION Integration

Create Application Registration Object in Azure

Configure the Azure Virtual WAN with vION CloudBlade

Configure the Azure Virtual WAN

Validate the Azure Virtual WAN Integration CloudBlade

Manage the Azure Virtual WAN with vION CloudBlade

Monitor the Azure Virtual WAN with vION CloudBlade

Azure vWAN CloudBlade Integration Guide

Prisma SD-WAN Azure Virtual WAN CloudBlade Integration

Prisma SD-WAN Azure Virtual WAN CloudBlade Integration Requirements

Plan the Deployment

Create and Acquire the Azure Information

Configure and Install the Azure Virtual WAN CloudBlade

Configure and Install the Azure Virtual WAN

Assign tags to objects in the Prisma SD-WAN Portal

Validate the Prisma SD-WAN Configuration

Edit Application Network Path Policy Rules

Manage and Troubleshoot the Azure vWAN CloudBlade

Enable, Pause, Disable and Uninstall the Integration

List of Interface Specific Tags

Chatbot CloudBlade for Slack Integration Guide

Integrate Chatbot to Slack

Prerequisites to Integrate Chatbot with Slack

Configure Chatbot CloudBlade for Slack

Chatbot Supported Alerts and Alarms

Install Prisma SD-WAN Chatbot via Slack OAuth

Chatbot Supported Commands

Manage and Monitor the Chatbot CloudBlade for Slack Integration

Manage the Chatbot CloudBlade for Slack

Monitor the Chatbot CloudBlade for Slack

Chatbot MS Teams CloudBlade Integration Guide

Integrate with Chatbot MS Teams

Prerequisites to Integrate with ChatBot MS Teams

Create User Groups on MS Teams

Configure Chatbot MS Teams

Assign Chatbot to a Channel/Team

Chatbot Supported Commands

Manage and Monitor Chatbot MS Teams Integration CloudBlade

Manage the Chatbot MS Teams CloudBlade

Monitor the MS Teams Chatbot

Zscaler Internet Access CloudBlade Integration Guide

Prisma SD-WAN Zscaler Internet Access Integration Requirements

Integrate with Zscaler Internet Access

Plan the Deployment

Acquire the Zscaler Information

Configure and Install the Zscaler Integration CloudBlade

Create Security Zone and Security Policy for GRE Tunnels Creation

Configure and Install the Zscaler Integration

Assign Tags to Objects in Prisma SD-WAN

Validate the Zscaler Configuration

Edit Application Network Policy Rules

Understand Service and Data Center Groups

Verify Standard VPN Endpoints

Verify Standard VPN Group

Assign Domains to Sites

Use Groups in Network Policy Rules

Use a Group in Stacked Policies

Manage and Troubleshoot the Zscaler CloudBlade

Enable, Pause, Disable, and Uninstall the CloudBlade

Installation Troubleshooting

Wrong API Key or Partner Admin Credentials

Prisma SD-WAN Standard VPNs Not Created

Troubleshoot Standard VPNs

Use the Zscaler Test Page

View Standard VPN at Site Level

View Alerts and Alarms

View Activity Charts

Zscaler Location Gateway Options

Prisma SD-WAN Zoom QSS CloudBlade Integration Guide

Integrate with Zoom QSS

Prisma SD-WAN and Zoom QSS Prerequisites

Configure the Zoom QSS CloudBlade in Prisma SD-WAN

Access Zoom Application Experience Data

Prisma SD-WAN CloudBlades Release Notes

AWS Transit Gateway CloudBlade Integration

AWS Transit Gateway CloudBlade Version 2.1.0

AWS Transit Gateway CloudBlade Version 2.0.0

AWS Transit Gateway CloudBlade Version 1.0.0

GCP-NCC CloudBlade Integration

GCP-NCC CloudBlade Version 1.0.0

GCP-NCC CloudBlade Version Beta

Zscaler Internet Access CloudBlade Integration

Zscaler Internet Access CloudBlade Version 2.1.0

Zscaler Internet Access CloudBlade Version 2.0.0

Zscaler Internet Access CloudBlade Version 1.4.1

Zscaler Internet Access CloudBlade Version 1.3.1

Chatbot MS Teams CloudBlade Integration

Chatbot MS Teams CloudBlade Version 1.0.0

Azure Virtual WAN with vION CloudBlade Integration

Azure vWAN with vION CloudBlade Version 1.0.0

Chatbot CloudBlade for Slack

Chatbot CloudBlade for Slack Version 1.0.0

ServiceNow CloudBlade Integration

ServiceNow CloudBlade Version 1.7.1

ServiceNow CloudBlade Version 1.6.1

Azure vWAN CloudBlade Integration

Azure vWAN CloudBlade Version 2.0.1

Zoom QSS CloudBlade Integration

Zoom QSS CloudBlade Version 1.0.0

Release Revision History

On-Premises Controller for Prisma SD-WAN Release Notes

Features Introduced in On-Premises Controller

Features Introduced in On-Premises Controller

Supported Hardware and Software Versions

Supported Hardware and Software Versions

Known Isssues in On-Premises Controller

Known Issues in On-Premises Controller

Prisma SD-WAN Administrator’s Guide

Get Started with Prisma SD-WAN

Prisma SD-WAN Key Elements

Activate and Launch Prisma SD-WAN

Allocate ION Devices for an Existing TSG-enabled User

Prisma SD-WAN Summary

Prisma SD-WAN Application Insights

Device Activity Charts

Site Summary Dashboard

Prisma SD-WAN Predictive Analytics Dashboard

Prisma SD-WAN Link Quality Dashboard

Prisma SD-WAN Subscription Usage

Prisma SD-WAN Releases and Upgrades

Prisma SD-WAN Sites and Devices

Add a Data Center

Add a Branch Gateway

Configure Circuits

Configure Internet Circuit Underlay Link Aggregation

Configure Private WAN Underlay Link Quality Aggregation

Configure Circuit Categories

Configure Device Initiated Connections for Circuits

Add Public IP LAN Address to Enterprise Prefixes

Site Configuration Template

Create a Site Template

Deploy Site with Template

Device Pre-Staging

Associate a Device with the Shell

Manage Data Center Clusters

Configure a Site Prefix

Configure a DHCP Server

Configure NTP for Prisma SD-WAN

Enable IoT Device Visibility in Prisma SD-WAN

Create an IoT Discovery Profile in Prisma SD-WAN

Attach an IoT Discovery Profile to a Site

Configure IoT SNMP Start Nodes

Set a Source Interface for IoT SNMP Discovery

Flow Decision Bitmap

Flow Decision Data

Connect the ION Device

Claim the ION Device

Assign the ION Device

Configure Device Access One-Time Password

Configure the ION Device at a Branch Site

Configure the ION Device at a Data Center

Switch a Site to Control Mode

Allow IP Addresses in Firewall Configuration

Configure Layer 2 Switch Ports

Add a VLAN or Switch Virtual Interface (SVI)

Configure VLAN on Switch Ports

Edit Switch Configurations

Monitor Switch Activity and Statistics

Switch Layer 2/Layer 3 Change Mode

Prisma SD-WAN Ports and Interfaces

Configure a Controller Port

Configure Internet Ports

Configure WAN/LAN Ports

Configure Cellular Interfaces

View Cellular Statistics

Create a Customized APN Profile

Modify Cellular SIM Settings

Manage SIM Operations

Customize Cellular Firmware

View Cellular Tab

Cellular Charts

Configure a Sub-Interface

Configure a Loopback Interface

Virtual Interface

Add and Configure a Virtual Interface

Prisma SD-WAN Standard VPN

Configure Data Center (DC-DC) Interconnectivity

Configure a Bypass Pair

Configure a Cellular Software Bypass Pair

Configure LAN State Propagation

Configure a PoE Port

Configure and Monitor LLDP Activity and Status

Configure a PPPoE Interface

Configure a Layer 3 LAN Interface

Configure Application Reachability Probes

Configure a Secondary IP Address

Configure a Static ARP

Configure a DHCP Relay

Configure IP Directed Broadcast

VPN Keep-Alives

Use External Services for Monitoring

Configure Prisma SD-WAN IPFIX

Configure IPFIX Profiles and Templates

Configure and Attach a Collector Context to a Device Interface in IPFIX

Configure and Attach a Filter Context to a Device Interface in IPFIX

Configure Global and Local IPFIX Prefixes

Flow Information Elements

Options Information Elements

Configure the DNS Service on the Prisma SD-WAN Interface

Prisma SD-WAN DNS Use Cases

Configure System for DNS Survivability

Syslog Server Support in Prisma SD-WAN

Syslog Flow Export

Configure Syslog Server Support

Returned Merchandise Authorization (RMA)

Replace a Prisma SD-WAN ION Device

Return the ION Device to Prisma SD-WAN

Upgrade ION Device Software

Schedule Software Upgrade

View Device Software Upgrade Status

Bulk Upgrade ION Device Image Software

Prisma SD-WAN Administrator Authorization and Authentication

Role Based Access Control

Add a New User on Prisma SD-WAN

Create Custom Roles

Assign System or Custom Role

Single Sign On Access using SAML

Request SAML Access

Configure SAML Users and Groups

Map Roles and Permissions

Enable SAML Access to End Users

Work with Audit Logs

Client Authentication using 802.1x/MAC

Add the RADIUS Server

Supported RADIUS Attribute Value Pairs (AVPs)

Prisma SD-WAN Branch and Data Center Routing

Prisma SD-WAN Branch Routing

Prisma SD-WAN Data Center Routing

Configure a Static Route

Configure NextHop Reachability Probe

Configure Dynamic Routing

Configure an OSPF in Prisma SD-WAN

Enable BGP for Private WAN and LAN

Configure BGP Global Parameters

Global or Local Scope for BGP Peers

Configure a BGP Peer

Configure a Route Map

Configure a Prefix List

Configure an AS Path List

Configure an IP Community List

View Routing Status and Statistics

Prisma SD-WAN Multicast Routing

Configure Multicast

Create a WAN Multicast Configuration Profile

Assign WAN Multicast Configuration Profiles to Branch Sites

Configure a Multicast Source at a Branch Site

Configure Global Multicast Parameters

Configure a Multicast Static Rendezvous Point (RP)

Learn Rendezvous Points (RPs) Dynamically

View LAN Statistics for Multicast

View WAN Statistics for Multicast

View IGMP Membership

View the Multicast Route Table

View Multicast Flow Statistics

View Routing Statistics

Prisma SD-WAN VRF

Configure a VRF Profile in Prisma SD-WAN

Prisma SD-WAN Stacked Policies

Migrate Original Policy Sets to Stacked Policy Sets

Simple Path and QoS Stacks

Add Simple Path or QoS Stacks

Advanced Path and QoS Stacks

Add Advanced Path or QoS Stacks

Add QoS Policy Sets

Add QoS Policy Rules

Add a Path Policy Set

Add a Path Policy Rule

Configure User-ID based Policy Rules

L3 Failure Paths

Minimize Metered LTE Usage

Configure Default Path Policy Rule for IPv6

Bind Path or QoS Stacks to Sites

Custom Applications and System Application Overrides

Configure Custom Applications

Configure System Application Overrides

Service and Data Center Groups

Add a Standard VPN Endpoint

Bind Domain to Sites

Use Prisma SD-WAN Data Center Endpoints

Use Service Endpoint Groups in Policies

Configure Network Contexts

Attach Network Contexts to LANs

Configure Circuit Capacities

Configure Global Prefixes

Configure Local Prefixes

Configure Syslog Profiles

Prisma SD-WAN Stacked Security Policies

Add a Security Policy Stack

Add Stacked Security Policy Sets

Add a Stacked Security Policy Rule

Add a Security Policy Set to a Security Stack

Bind Security Stacks to Sites

Add Security Zones for Stacked Security Policies

Bind Security Zones to Sites and Devices

Bind Security Zones to Sites

Bind Security Zones to Interfaces

Configure Security Prefixes

Attach Local Security Prefixes to Sites

Monitor Security Policy Rules

Security Policy Migration

Prisma SD-WAN Performance Policy

Performance Policy Default Behavior

Add Performance Policy Stack

Add Performance Policy Set

Add Performance Policy Rules

Add Performance Policy SLA

Configure Probes

Best Practices and Recommendations

Performance Policy Use Cases

Use Case 1 - Protect a Business Critical SaaS Application

Use Case 2 - Protect a Business Critical Enterprise Application

Use Case 3 - Protect Physical Security on LEO Satellite and 5G

Use Case 4 - Protect An Enterprise Voice Application

Prisma SD-WAN Security Policies

Prisma SD-WAN Security Architecture

Prisma SD-WAN ZBFW

ZBFW Application

ZBFW Prefix Filters

Security Policy Sets

Security Policy Rules

Configure Security Policies

Bind Zones to Sites and Devices

Bind Zones to Sites

Bind Zones to Devices

Create Prefix Filters

Create a Security Policy Set

Create Security Policy Rules

Bind a Security Policy Set to a Site

Modify and Delete Policy Rules and Sets

Change Security Rule Order

Manage Existing Security Policy Rules

Edit a Security Policy Set

Clone a Security Policy Set

Delete a Security Policy Set

Prisma SD-WAN NAT Policies

Add a NAT Stack

Add NAT Policy Sets

Add a NAT Policy Rule

Add a NAT Policy Set to a NAT Stack

Bind NAT Stacks to Sites

Configure NAT Zones

Bind NAT Zones to Interfaces

Configure NAT Pools

Bind NAT Pools to Interfaces

Configure NAT Prefixes

Default Source NAT

Destination NAT

Prisma SD-WAN Incident Policies

Prisma SD-WAN Branch High Availability

Prisma SD-WAN Branch HA Key Concepts

Configure Branch HA

Configure HA Groups

Configure a High Availability (HA) Interface for HA Deployment

Configure a Switch Virtual Interface (SVI) for HA Connectivity

Configure a Sub-interface for HA Connectivity

Configure a Main Interface for HA Connectivity

Add ION Devices to HA Groups

View Device Configuration of HA Groups

Edit HA Groups and Group Membership

Branch HA Topologies

Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)

Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)

Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)

Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)

Configure Branch HA for Platforms without Bypass Pairs

Configure Branch HA in a Hybrid Topology with Gen-1 (3000) and Gen-2 (3200) Platforms

Prisma SD-WAN Clarity Reports

WAN Clarity Branch Reports

WAN Clarity Data Center Reports

WAN Clarity Aggregate On-Demand Bandwidth Reports

Prisma SD-WAN SASE Easy Onboarding

Connect a Single Prisma SD-WAN Site to Prisma Access

Connect Multiple Prisma SD-WAN Sites to Prisma Access

Edit Application Policy Network Rules

Understand Service and Data Center Groups

Verify Standard VPN Endpoints

Configure Standard Groups

Assign Domains to Sites

Configure SASE Connectivity

Prisma SD-WAN Incidents and Alerts

Prisma SD-WAN Device and Tenant Management

Prisma SD-WAN MSP Dashboard

Monitor Tenant Devices

Monitor Tenant Branches

Monitor Tenant Alarms

Access Child Tenants

Device Lifecycle

MSP Account Roles and Permissions

Add a User Role in the Child Tenant

Manage Devices for Client Tenants

Manage System Administration in the MSP Portal

Alert and Alarm Event Codes

API Changes for Network Secure Fabric Link Event Codes

Prisma SD-WAN New Features

Prisma SD-WAN Release Information

Prisma SD-WAN Features Introduced in 2024

Features Introduced in July 2024

Preview of Features Introduced in April 2024

Known Issues in Prisma SD-WAN April 2024

Features Introduced in February 2024

Known Issues in Prisma SD-WAN February 2024

Features Introduced in August 2024

Prisma SD-WAN Features Introduced in 2023

Features Introduced in December 2023

Features Introduced in November 2023

Features Introduced in October 2023

Features Introduced in August 2023

Features Introduced in June 2023

Features Introduced in March 2023

Tenant Service Group (TSG) Migration of Prisma SD-WAN Users

Prisma SD-WAN Features Introduced in 2022

Features Introduced in October 2022

Features Introduced in August 2022

Features Introduced in May 2022

Prisma SD-WAN to PAN-OS (PANW) App-ID Name Mapping

Navigation Path Changes in Prisma SD-WAN Web Interface and MSP Portal

Allow Hostnames in Firewall Configuration

Prisma SD-WAN Features Introduced in 2021

Features Introduced in September 2021

Features Introduced in June 2021

Features Introduced in April 2021

Prisma SD-WAN Features Introduced in 2020

Prisma SD-WAN Features Introduced in October 2020

Prisma SD-WAN Features Introduced in July 2020

Prisma SD-WAN Features Introduced in May 2020

Prisma SD-WAN Features Introduced in April 2020

Prisma SD-WAN Features Introduced in March 2020

Prisma SD-WAN Features Introduced in February 2020

Prisma SD-WAN Features Introduced in January 2020

5-2

Prisma SD-WAN ION Release Notes

Prisma SD-WAN ION Device Release 5.2

Features Introduced in Prisma SD-WAN ION Device Release 5.2

Features Introduced in Prisma SD-WAN Release 5.2.1

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.2

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.2.7

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.2.1

CLI Commands in Prisma SD-WAN ION Device Release 5.2

CLI Commands in Prisma SD-WAN ION Device Release 5.2.1

Addressed Issues in Prisma SD-WAN ION Device Release 5.2

Addressed Issues in Prisma SD-WAN ION Device Release 5.2.11

Addressed Issues in Prisma SD-WAN ION Device Release 5.2.9

Addressed Issues in Prisma SD-WAN ION Device Release 5.2.7

Addressed Issues in Prisma SD-WAN ION Device Release 5.2.5

Addressed Issues in Prisma SD-WAN ION Device Release 5.2.3

Addressed Issues in Prisma SD-WAN ION Device Release 5.2.1

5-3

Prisma SD-WAN ION Release Notes

Prisma SD-WAN ION Device Release 5.3

Features introduced in Prisma SD-WAN Release 5.3

Features Introduced in Prisma SD-WAN Release 5.3.1

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.3

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.3.1

CLI Commands in Prisma SD-WAN ION Device Release 5.3

CLI Commands in Prisma SD-WAN ION Device Release 5.3.1

Addressed Issues in Prisma SD-WAN ION Device Release 5.3

Addressed Issues in Prisma SD-WAN ION Device Release 5.3.1

5-4

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 5.4

Features Introduced in Prisma SD-WAN Release 5.4

Features Introduced in Prisma SD-WAN Release 5.4.3

Features Introduced in Prisma SD-WAN Release 5.4.1

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.4

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.4.3

Changes to Default Behavior in Prisma SD-WAN ION Device Release 5.4.1

Upgrade ION 9000 Firmware

CLI Commands in Prisma SD-WAN ION Device Release 5.4

CLI Commands in Prisma SD-WAN ION Device Release 5.4.3

CLI Commands in Prisma SD-WAN ION Device Release 5.4.1

Addressed Issues in Prisma SD-WAN ION Device Release 5.4

Addressed Issues in Prisma SD-WAN ION Device Release 5.4.13

Addressed Issues in Prisma SD-WAN ION Device Release 5.4.11

Addressed Issues in Prisma SD-WAN ION Device Release 5.4.9

Addressed Issues in Prisma SD-WAN ION Device Release 5.4.7

Addressed Issues in Prisma SD-WAN ION Device Release 5.4.5

Addressed Issues in Prisma SD-WAN ION Device Release 5.4.3

Addressed Issues in Prisma SD-WAN ION Device Release 5.4.1

5-5

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 5.5

Features Introduced in Prisma SD-WAN ION Release 5.5

Features Introduced in Prisma SD-WAN Release 5.5.3

Features Introduced in Prisma SD-WAN Release 5.5.1

Download the Prisma SD-WAN Virtual ION Image

Changes to Default Behavior in Release 5.5

Upgrade Or Downgrade Considerations in Release 5.5.1

Upgrade ION 9000 Firmware

CLI Commands in Prisma SD-WAN ION Release 5.5

CLI Commands in Prisma SD-WAN ION Device Release 5.5.1

Addressed Issues in Prisma SD-WAN ION Release 5.5

Addressed Issues in Prisma SD-WAN ION Device Release 5.5.7

Addressed Issues in Prisma SD-WAN ION Device Release 5.5.5

Addressed Issues in Prisma SD-WAN ION Device Release 5.5.3

Addressed Issues in Prisma SD-WAN ION Device Release 5.5.1

5-6

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 5.6

Features Introduced in Prisma SD-WAN ION Release 5.6

Features Introduced in Prisma SD-WAN Release 5.6.1

Changes to Default Behavior in Prisma SD-WAN ION Release 5.6

Upgrade or Downgrade Considerations in Release 5.6.1

Upgrade ION 9000 Firmware for Device Version 5.6.x

CLI Commands in Prisma SD-WAN ION Release 5.6

CLI Commands in Prisma SD-WAN ION Device Release 5.6.1

CLI Commands in Prisma SD-WAN ION Device Release 5.6.11

Addressed Issues in Prisma SD-WAN ION Release 5.6

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.17

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.15

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.13

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.11

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.9

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.7

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.5

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.3

Addressed Issues in Prisma SD-WAN ION Device Release 5.6.1

Known Issues in Prisma SD-WAN ION Release 5.6

Known Issues in Prisma SD-WAN ION Release 5.6.13

Known Issues in Prisma SD-WAN ION Release 5.6.9

Known Issues in Prisma SD-WAN ION Release 5.6.7

Known Issues in Prisma SD-WAN ION Release 5.6.5

6-0

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 6-0

Features Introduced in Prisma SD-WAN ION Release 6.0

Features Introduced in Prisma SD-WAN Release 6.0.2

Features Introduced in Prisma SD-WAN Release 6.0.1

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Release 6.0

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Device Release 6.0.1

CLI Commands in Prisma SD-WAN ION Release 6.0

CLI Commands in Prisma SD-WAN ION Device Release 6.0.2

CLI Commands in Prisma SD-WAN ION Device Release 6.0.1

Addressed Issues in Prisma SD-WAN ION Release 6.0

Addressed Issues in Prisma SD-WAN ION Device Release 6.0.2

Addressed Issues in Prisma SD-WAN ION Device Release 6.0.1

Known Issues in Prisma SD-WAN ION Release 6.0

Known Issues in Prisma SD-WAN ION Device Release 6.0.1

On-Premises Controller for Prisma SD-WAN Deployment Guide

Overview of On-Premises Controller

Installation Prerequisites

Minimum Hardware Requirements

Multiple Node Set Up for HA

Installation Workflow

Understand Installation Workflow

Order Prisma SD-WAN License

Download and Activate the Controller Image

Install the On-Premises Controller

Configure HAProxy for HA Setup

Change Default Password

Install On-Premises Controller using CLIs

Verify the Controller Installation

Configure Certificate on the Device Using CLI Commands

Access the Administrator Console

Access the Operator Console

ZTP Service to Connect ION Device to On-Premises Controller

Allocate the Device to the Controller

SAML Based Authentication

Manage VFF License

Upgrade the Deployment

Upgrade On-Premises Controller

Upgrade the Device Software

Upload the Software Image to the Operator Console

Upgrade the Device Software using the Administrator Console

Download the Appdef

Verify Device Upgrade

View the Activity Reports

Returned Merchandise Authorization (RMA)

Upgrade a Pre-Owned Device

Update Controller Software Inventory

Troubleshoot the Deployment

Tech Support Dump Utility

Understand Error Scenarios

6-1

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 6.1

Features Introduced in Prisma SD-WAN ION Release 6.1

Features Introduced in Prisma SD-WAN Release 6.1.3

Features Introduced in Prisma SD-WAN Release 6.1.1

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Release 6.1

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Device Release 6.1.1

CLI Commands in Prisma SD-WAN ION Release 6.1

CLI Commands in Prisma SD-WAN ION Device Release 6.1.2

CLI Commands in Prisma SD-WAN ION Device Release 6.1.1

Addressed Issues in Prisma SD-WAN ION Release 6.1

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.8

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.7

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.6

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.5

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.4

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.3

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.2

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.1

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.9

Addressed Issues in Prisma SD-WAN ION Device Release 6.1.10

Known Issues in Prisma SD-WAN ION Release 6.1

Known Issues in Prisma SD-WAN ION Device Release 6.1.8

Known Issues in Prisma SD-WAN ION Device Release 6.1.7

Known Issues in Prisma SD-WAN ION Device Release 6.1.6

Known Issues in Prisma SD-WAN ION Device Release 6.1.5

Known Issues in Prisma SD-WAN ION Device Release 6.1.4

Known Issues in Prisma SD-WAN ION Device Release 6.1.3

Known Issues in Prisma SD-WAN ION Device Release 6.1.2

Known Issues in Prisma SD-WAN ION Device Release 6.1.1

Known Issues in Prisma SD-WAN ION Device Release 6.1.9

Known Issues in Prisma SD-WAN ION Device Release 6.1.10

6-4

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 6.4

Features Introduced in Prisma SD-WAN ION Release 6.4

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Release 6.4

CLI Commands in Prisma SD-WAN ION Release 6.4

Addressed Issues in Prisma SD-WAN ION Release 6.4

Known Issues in Prisma SD-WAN ION Release 6.4

6-2

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 6.2

Features Introduced in Prisma SD-WAN ION Release 6.2

Features Introduced in Prisma SD-WAN Release 6.2.1

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Release 6.2

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Device Release 6.2.1

CLI Commands in Prisma SD-WAN ION Release 6.2

CLI Commands in Prisma SD-WAN ION Device Release 6.2.1

Addressed Issues in Prisma SD-WAN ION Release 6.2

Addressed Issues in Prisma SD-WAN ION Device Release 6.2.3

Addressed Issues in Prisma SD-WAN ION Device Release 6.2.1

Known Issues in Prisma SD-WAN ION Release 6.2

Known Issues in Prisma SD-WAN ION Device Release 6.2.1

Prisma SD-WAN Incidents and Alerts

Incidents and Alerts

Filter Alerts and Incidents

Event Correlation of Incidents

Monitor Incidents

Acknowledge Incidents

Synchronize Incidents

Troubleshoot Incidents

Correlate Incidents with SNMP Traps

Device High Temperature Incident

Incident and Alert Events

Incident and Alert Event Categories

Incident and Alert Event Codes

Event Category-Device

Event Category-Network

Event Category-Policy

Event Category-Branch HA

Event Category-Application

Event Category-AAA

Event Category-Cellular

Event Category-Switch Port and RADIUS Server

Event Category-User ID

API Changes for Network Secure Fabric Link Event Codes

Setup Incident Policies

Incident Policy Constructs

Incident Policy Framework—Use Cases

Create a New Incident Policy Set

Create New Incident Policy Rule

6-3

Prisma SD-WAN ION Device Release Notes

Prisma SD-WAN ION Device Release 6.3

Features Introduced in Prisma SD-WAN ION Release 6.3

Features Introduced in Prisma SD-WAN Release 6.3.2

Features Introduced in Prisma SD-WAN Release 6.3.1

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Release 6.3

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Device Release 6.3.1

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Device Release 6.3.3

Upgrade or Downgrade Considerations in Prisma SD-WAN ION Device Release 6.3.2

CLI Commands in Prisma SD-WAN ION Release 6.3

CLI Commands in Prisma SD-WAN ION Device Release 6.3.1

Addressed Issues in Prisma SD-WAN ION Release 6.3

Addressed Issues in Prisma SD-WAN ION Device Release 6.3.2

Addressed Issues in Prisma SD-WAN ION Device Release 6.3.1

Addressed Issues in Prisma SD-WAN ION Device Release 6.3.4

Addressed Issues in Prisma SD-WAN ION Device Release 6.3.3

Known Issues in Prisma SD-WAN ION Release 6.3

Known Issues in Prisma SD-WAN ION Device Release 6.3.2

Known Issues in Prisma SD-WAN ION Device Release 6.3.1

Known Issues in Prisma SD-WAN ION Device Release 6.3.4

Known Issues in Prisma SD-WAN ION Device Release 6.3.3

Prisma SD-WAN ION Device CLI Reference

Get Started with the ION Device CLI

Roles to Access the ION Device CLI Commands

Grep Support for the ION Device CLI Commands

Access the ION Device CLI Commands

Access through SSH

Assign a Static IP Address Using the Console

Access the ION Device CLI Commands Using the Prisma SD-WAN Web Interface

Use CLI Commands

clear app-engine

clear app-map dynamic

clear app-probe prefix

clear connection

clear device account-login

clear dhcplease

clear dhcprelay stat

clear flow and clear flows

clear qos-bwc queue-snapshot

clear routing multicast statistics

clear routing ospf

clear routing peer-ip

clear switch mac-address-entries

clear user-id agent statistics

Config Commands

config bypass pair interface delete

config cellular modem

config controller cipher

config interface

config poe system usage threshold

config static host

arping interface

debug bounce interface

debug bw-test src-interface

debug cellular stats

debug controller reachability

debug logging facility

debug logs dump

debug logs follow

debug logs tail

debug poe interface

debug routing multicast log

debug routing multicast pimd

debug servicelink logging

debug time sync

debug performance-policy

file space available

debug log agent eal file log

dump appdef config

dump appdef version

dump app-engine

dump app-l4-prefix table

dump app-probe config

dump app-probe flow

dump app-probe prefix

dump app-probe status

dump auth config

dump auth status

dump banner config

dump bfd status

dump bypass-pair config

dump cellular config

dump cellular stats

dump cellular status

dump cgnxinfra status

dump cgnxinfra status live

dump cgnxinfra status store

dump config network

dump config security

dump controller cipher

dump controller status

dump device accessconfig

dump device conntrack count

dump device date

dump device info

dump device status

dump dhcp-relay config

dump dhcprelay stat

dump dhcp-server config

dump dhcp-server status

dump dnsservice config all

dump dpdk interface

dump dpdk port status

dump dpdk stats

dump flow count-summary

dump interface config

dump interface status

dump interface status interface details

dump interface status interface module

dump ipfix config collector-contexts

dump ipfix config derived-exporters

dump ipfix config filter-contexts

dump ipfix config ipfix-overrides

dump ipfix config prefix-filters

dump ipfix config profiles

dump ipfix config templates

dump lldp config

dump lldp stats

dump lldp status

dump log-agent eal conn

dump log-agent eal response-time

dump log-agent eal stats

dump log-agent config

dump log-agent status

dump ml7 mctd counters

dump ml7 mctd session

dump ml7 mctd version

dump nat counters

dump nat summary

dump network-policy config policy-rules

dump network-policy config policy-sets

dump network-policy config policy-stacks

dump network-policy config prefix-filters

dump performance-policy config policy-rules

dump performance-policy config policy-sets

dump performance-policy config policy-set-stacks

dump performance-policy config threshold-profile

dump poe system config

dump poe system status

dump priority-policy config policy-rules

dump priority-policy config policy-sets

dump priority-policy config policy-stacks

dump priority-policy config prefix-filters

dump probe config

dump probe profile

dump radius config

dump radius statistics

dump radius status

dump reachability-probe config

dump qos-bwc config

dump reachability-probe status

dump routing aspath-list

dump routing cache

dump routing communitylist

dump routing multicast config

dump routing multicast igmp

dump routing multicast interface

dump routing multicast internal vif-entries

dump routing multicast mroute

dump routing multicast pim

dump routing multicast sources

dump routing multicast statistics

dump routing multicast status

dump routing ospf

dump routing peer advertised routes

dump routing peer config

dump routing peer received-routes

dump routing peer routes

dump routing peer status

dump routing peer route-json

dump routing prefixlist

dump routing prefix-reachability

dump routing route

dump routing routemap

dump routing running-config

dump routing summary

dump routing static-route reachability-status

dump routing static-route config

dump security-policy config policy-rules

dump security-policy config policy-set

dump security-policy config policy-set-stack

dump security-policy config prefix-filters

dump security-policy config zones

dump sensor type

dump sensor type summary

dump serviceendpoints

dump servicelink summary

dump servicelink stats

dump servicelink status

dump site config

dump snmpagent config

dump snmpagent status

dump software status

dump spoke-ha config

dump spoke-ha status

dump standingalarms

dump static-arp config

dump static host config

dump static routes

dump support details

dump switch fdb vlan-id

dump switch port status

dump switch vlan-db

dump syslog config

dump syslog-rtr stats

dump syslog status

dump time config

dump time status

dump troubleshoot message

dump user-id agent config

dump user-id agent statistics

dump user-id agent status

dump user-id agent summary

dump user-id groupidx

dump user-id group-mapping

dump user-id ip-user-mapping

dump user-id statistics

dump user-id status

dump user-id summary

dump user-id useridx

dump vlan member

dump vpn ka all

dump vpn ka summary

dump vpn ka VpnID

dump vpn status

dump vpn summary

dump waninterface config

dump waninterface summary

dump log-agent iot snmp config

dump log-agent iot snmp device discovery stats

dump log-agent ip mac bindings

dump log-agent neighbor discovery stats

dump routing peer neighbor

dump routing peer route-via

dump nat6 counters

Inspect Commands

inspect app-flow-table

inspect app-l4-prefix lookup

inspect app-map

inspect certificate

inspect certificate device

inspect cgnxinfra role

inspect connection

inspect dhcplease

inspect dhcp6lease

inspect dpdk ip-rules

inspect dpdk vrf

inspect flow-arp

inspect flow brief

inspect flow-detail

inspect flow internal

inspect interface stats

inspect ipfix exporter-stats

inspect ipfix collector-stats

inspect ipfix app-table

inspect ipfix wan-path-info

inspect ipfix interface-info

inspect ip-rules

inspect ipv6-rules

inspect lqm stats

inspect memory summary

inspect network-policy conflicts

inspect network-policy dropped

inspect network-policy hits policy-rules

inspect network-policy lookup

inspect policy-manager status

inspect policy-mix lookup-flow

inspect priority-policy conflicts

inspect priority-policy dropped

inspect priority-policy hits default-rule-dscp

inspect priority-policy hits policy-rules

inspect priority-policy lookup

inspect performance-policy incidents

inspect performance-policy lookup

inspect performance-policy hits analytics

inspect process status

inspect qos-bwc debug-state

inspect qos-bwc queue-history

inspect qos-bwc queue-snapshot

inspect routing multicast fc site-iface

inspect routing multicast interface

inspect routing multicast mroute

inspect security-policy lookup

inspect security-policy size

inspect switch mac-address-table

inspect system arp

inspect system ipv6-neighbor

inspect wanpaths

inspect fib-leak

inspect performance-policy fec status

inspect system vrf

Prisma Access Administrator’s Guide (Panorama Managed)

Prisma Access Overview

Prisma Access Infrastructure Management

Releases and Upgrades

Manage Upgrade Options for the GlobalProtect App

Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions

Prisma Access Licensing

Monitor Your Data Transfer Usage

Retrieve the IP Addresses for Prisma Access

Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections

Service IP and Egress IP Address Allocation for Remote Networks

How to Calculate Remote Network Bandwidth

Prisma Access APIs

Use Logging, Routing, and EDL Information to Troubleshoot Your Deployment

Activate and Install the Prisma Access Components

Activate and Install Prisma Access (Panorama Managed)

Transfer or Update Prisma Access Licenses

Reset Your Prisma Access License

Transfer or Update Prisma Access Licenses Between Panorama Appliances

Configure Panorama Appliances in High Availability for Prisma Access

Prepare the Prisma Access Infrastructure and Service Connections

Set Up Prisma Access

Plan the Service Infrastructure and Service Connections

Configure the Service Infrastructure

Create a Service Connection to Allow Access to Your Corporate Resources

Create a Service Connection to Enable Access between Mobile Users and Remote Networks

Deployment Progress and Status

How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Routing Preferences for Service Connection Traffic

Create a High-Bandwidth Network Using Multiple Service Connections

List of Prisma Access Locations

Secure Mobile Users with Prisma Access

Plan To Deploy Prisma Access for Mobile Users

Secure Mobile Users With GlobalProtect

Secure Mobile Users with an Explicit Proxy

Specify IP Address Pools for Mobile Users

How the GlobalProtect App Selects a Prisma Access Location for Mobile Users

View Logged In User Information and Log Out Current Users

Quick Configs for Mobile User Deployments

Use Explicit Proxy to Secure Public Apps and GlobalProtect or a Third-Party VPN to Secure Private Apps

Prisma Access with On-Premises Gateways

Manage Priorities for Prisma Access and On-Premises Gateways

Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways

Set a Higher Gateway Priority for an On-Premises Gateway

Set Higher Priorities for Multiple On-Premises Gateways

Configure Priorities for Prisma Access and On-Premises Gateways

Allow Mobile Users to Manually Select Specific Prisma Access Gateways

DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments

IPv6 Support for Private App Access

Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments

Identification and Quarantine of Compromised Devices With Prisma Access

Support for Gzip Encoding in Clientless VPN

Report Website Access Issues

Use Remote Networks to Secure Branches

Plan to Deploy Remote Networks

Onboard and Configure Remote Networks

Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment

Migrate to the Aggregate Bandwidth Model

Quick Configs for Remote Network Deployments

Remote Network Locations with Overlapping Subnets

Remote Network Locations with WAN Link

Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

Onboard Remote Networks with Configuration Import

Configure Quality of Service in Prisma Access

Create a High-Bandwidth Network for a Remote Site

Provide Secure Inbound Access to Remote Network Locations

Configure User-ID and User-Based Policies with Prisma Access

Configure User-ID in Prisma Access

Configure User-ID for Remote Network Deployments

Configure Your Prisma Access Deployment to Retrieve Group Mapping

Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Get User and Group Information Using the Cloud Identity Engine

Redistribute HIP Information and View HIP Reports

Redistribute HIP Information with Prisma Access

View HIP Reports from Panorama

Manage Multiple Tenants in Prisma Access

Multitenancy Overview

Multitenancy Configuration Overview

Plan Your Multitenant Deployment

Create an All-New Multitenant Deployment

Enable Multitenancy and Migrate the First Tenant

Add Tenants to Prisma Access

Delete a Tenant

Create a Tenant-Level Administrative User

Control Role-Based Access for Tenant-Level Administrative Users

Sort Logs by Device Group ID for External Logging

Prisma Access in a FedRAMP Environment

Panorama Managed Prisma Access and FedRAMP Authorization

Panorama Managed Prisma Access FedRAMP Requirements

Configure a Prisma Access FedRAMP Deployment

Use DLP With Prisma Access

DLP Integration with Prisma Access

IoT Security Integration with Prisma Access

Use IoT Security with Prisma Access

Create and Configure Prisma Access for Clean Pipe

Prisma Access for Clean Pipe Overview

Configure Prisma Access for Clean Pipe

Visibility and Monitoring Features in the Prisma Access App

Prisma Access Release Notes (Panorama Managed)

Prisma Access (Panorama Managed) Release Information

Features Introduced in Prisma Access 2.2 Preferred

Features Introduced in Previous Prisma Access (Panorama Managed) Releases

Features Introduced in Prisma Access 2.1 Innovation

Features Introduced in Prisma Access 2.1 Preferred

Features Introduced in Prisma Access 2.0 Innovation

Features Introduced in Prisma Access 2.0 Preferred

Features Introduced in Prisma Access 1.8

Features Introduced in Prisma Access 1.7

Features Introduced in Prisma Access 1.6.1

Features Introduced in Prisma Access 1.6.0

Features Introduced in Prisma Access 1.5.1

Features Introduced in Prisma Access 1.5.0

Features Introduced in Prisma Access 1.4.0

Features Introduced in Prisma Access 1.3.1

Features Introduced in Prisma Access 1.3.0

Features Introduced in Prisma Access 1.2.0

Features Introduced in Prisma Access 1.1.0

Changes to Default Behavior

Upgrade the Cloud Services Plugin

Prisma Access Known Issues

Prisma Access Addressed Issues

Release Updates for Reports

3-2

Prisma Access Release Notes (Panorama Managed)

Prisma Access (Panorama Managed) Release Information

Features in Prisma Access 3.2 and 3.2.1

Changes to Default Behavior

Upgrade the Cloud Services Plugin

Prisma Access Known Issues

Prisma Access Addressed Issues

Release Updates for Reports

Features Introduced in Previous Prisma Access (Panorama Managed) Releases

Features in Prisma Access 3.1 Preferred and Innovation

Features in Prisma Access 3.0 Preferred and Innovation

Features Introduced in Prisma Access 2.2 Preferred

Features Introduced in Prisma Access 2.1 Innovation

Features Introduced in Prisma Access 2.1 Preferred

Features Introduced in Prisma Access 2.0 Innovation

Features Introduced in Prisma Access 2.0 Preferred

Features Introduced in Prisma Access 1.8

Features Introduced in Prisma Access 1.7

Features Introduced in Prisma Access 1.6.1

Features Introduced in Prisma Access 1.6.0

Features Introduced in Prisma Access 1.5.1

Features Introduced in Prisma Access 1.5.0

Features Introduced in Prisma Access 1.4.0

Features Introduced in Prisma Access 1.3.1

Features Introduced in Prisma Access 1.3.0

Features Introduced in Prisma Access 1.2.0

Features Introduced in Prisma Access 1.1.0

Prisma Access Administrator’s Guide (Panorama Managed)

Prisma Access Overview

Prisma Access Infrastructure Management

Releases and Upgrades

Prisma Access Release Types

Prisma Access Upgrade Types

Cadence for Software and Content Updates for Prisma Access

Prisma Access Dataplane Upgrades

Dataplane Upgrade Overview

Dataplane Upgrade Example

Use the Prisma Access App to Get Upgrade Alerts and Updates

View Prisma Access Software Versions

Prisma Access Licensing

Determine Your Prisma Access License Type from Panorama

Cheat Sheet: Integrate ADEM with Panorama Managed Prisma Access

Cheat Sheet: Integrate IoT Security with Panorama Managed Prisma Access

Cheat Sheet: Enterprise DLP on Panorama Managed Prisma Access

Visibility and Monitoring Features in the Prisma Access App

Monitor Your Prisma Access Data Transfer Usage

Plan for Prisma Access IP Address Changes

IP Address Allocation For Mobile Users on Prisma Access

Public IP Address Scaling Examples for Mobile Users

Loopback IP Address Allocation for Mobile Users

Remote Network IPSec Termination Nodes and Service IP Addresses on Prisma Access

IP Address Changes For Remote Network Connections That Allocate Bandwidth by Location

Service IP and Egress IP Address Allocation for Remote Networks

Retrieve the IP Addresses for Prisma Access

Prisma Access IP Address Retrieval Using the API Examples

Pre-Allocate IP Addresses for Prisma Access Mobile User Locations

Set Up Prisma Access IP Address Change Notifications

Use Legacy Scripts to Retrieve Loopback Addresses

Use the Legacy Script to Retrieve Mobile User IP Addresses

Use the Legacy Script to Retrieve Public, Loopback, and Egress IP Addresses

Prisma Access APIs

Prisma Access Deployment Progress and Status

Troubleshoot the Prisma Access Deployment

Activate and Install the Prisma Access Components

Activate and Install Panorama Managed Prisma Access

Verify Your Account Using the One-Time Password

Transfer or Update Panorama Managed Prisma Access Licenses

Reset Your Panorama Managed Prisma Access License

Transfer or Update Prisma Access Licenses Between Panorama Appliances

Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access

Prepare the Prisma Access Infrastructure and Service Connections

Set Up Panorama Managed Prisma Access

Prisma Access Service Infrastructure

Service Infrastructure Requirements

Configure the Service Infrastructure

Prisma Access Service Connections

Plan the Service Connections

Create a Service Connection to Allow Access to Private Apps

Verify Service Connection Status

Create a Service Connection to Enable Access between Mobile Users and Remote Networks

Prisma Access Locations

Prisma Access Locations by Compute Location

Prisma Access Locations by Region

Map of North America Prisma Access Locations

Explicit Proxy Locations

Secure Mobile Users

Prisma Access Mobile User Deployments

GlobalProtect on Prisma Access

Planning Checklist—GlobalProtect on Prisma Access

IP Address Pools in a Mobile Users—GlobalProtect Deployment

Set Up GlobalProtect on Panorama Managed Prisma Access

Enable Mobile User Regional Redundancy

How the GlobalProtect App Selects a Prisma Access Location for Mobile Users

Explicit Proxy on Prisma Access

How Explicit Proxy Works in Prisma Access

How Explicit Proxy Identifies Users

Planning Checklist—Explicit Proxy

Set Up Your Explicit Proxy PAC File

Secure Mobile Users with an Explicit Proxy

Create Block Settings in an Explicit Proxy Deployment

Use Special Objects to Restrict Explicit Proxy Internet Traffic to Source IP Addresses

Monitor and Troubleshoot Explicit Proxy

Monitor and Log Out GlobalProtect Users in Prisma Access

View GlobalProtect Mobile Users from the Status Tab

View GlobalProtect Mobile Users from the Monitor Tab

How Prisma Access Counts GlobalProtect Mobile Users

Manage GlobalProtect App Upgrades in Prisma Access

Select the Active GlobalProtect App Version for Prisma Access

Manage User Access to GlobalProtect App Updates from Prisma Access

Perform Staged Updates of the GlobalProtect App on Prisma Access

Deploy Explicit Proxy and GlobalProtect or a Third-Party VPN in Prisma Access

Use Explicit Proxy with GlobalProtect and Third-Party VPNs Examples

How Explicit Proxy Works With GlobalProtect

Requirements and Recommendations for Using Explicit Proxy with GlobalProtect and Third-Party VPNs

Use Explicit Proxy with GlobalProtect

Use Explicit Proxy with Third-Party VPNs

Integrate Prisma Access with On-Premises Gateways

Manage Priorities for Prisma Access and On-Premises Gateways

Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways

Set a Higher Gateway Priority for an On-Premises Gateway

Set Higher Priorities for Multiple On-Premises Gateways

Configure Priorities for Prisma Access and On-Premises Gateways

Allow Mobile Users to Manually Select Specific Prisma Access Gateways

Allow Listing for Mobile Users—GlobalProtect Deployments

Manage Allow Listing for Existing Mobile User Deployments

Manage Allow Listing for New Prisma Access Deployments

Allow Listing Examples for Autoscale Events

Fields in the Egress IP Allow List table

Report Prisma Access Website Access Issues

Use Remote Networks to Secure Branches

Prisma Access Remote Network Deployments

Planning Checklist—Prisma Access Remote Networks

Onboard and Configure Remote Networks

Configure Prisma Access for Networks—Allocating Bandwidth by Compute Location

Configure Prisma Access for Networks—Allocating Bandwidth by Location

Verify Remote Network Connection Status

Verify Remote Connection BGP Status

Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment

Migrate to the Aggregate Bandwidth Model

Remote Network Locations with Overlapping Subnets

Configure Remote Network and Service Connection Connected with a WAN Link

Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

Onboard a Service Connection or Remote Network Connection Using Predefined Templates

Onboard Multiple Remote Network Connections of the Same Type

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

Onboard Remote Networks with Configuration Import

Fields in Remote Networks Table

Configure User-ID and User-Based Policies with Prisma Access

Configure User-ID in Panorama Managed Prisma Access

Configure User-ID for Remote Network Deployments

Get User and Group Information Using the Cloud Identity Engine

Populate User and Group Names in Security Policy Rules

Populate User Group Names in Security Policy Rules Using the Cloud Identity Engine

Populate User Group Names in Security Policy Rules Using a Master Device

Configure an on-premises or VM-Series Firewall as a Master Device

Use Long-Form DN Entries to Implement User- and Group-Based Policy

Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

Quality of Service in Prisma Access

Configure QoS in Prisma Access

QoS for Remote Networks

QoS for Remote Networks Using Guaranteed Bandwidth and Bandwidth Allocation Ratios

Change the Guaranteed Bandwidth For Remote Networks

Select QoS Profiles for Remote Networks

Configure Quality of Service in Prisma Access

Configure Quality of Service for Clean Pipe

Manage Multiple Tenants in Prisma Access

Multitenancy Overview

Multitenancy Configuration Overview

Plan Your Multitenant Deployment

Create an All-New Multitenant Deployment

Enable Multitenancy and Migrate the First Tenant

Add Tenants to Prisma Access

Delete a Tenant

Create a Tenant-Level Administrative User

Control Role-Based Access for Tenant-Level Administrative Users

Remove Plugin Access for a Tenant-Level Administrative User

Sort Logs by Device Group ID in a Multitenant Deployment

Prisma Access Advanced Deployments

Advanced Deployments that Apply to All Prisma Access Types

Add a New Compute Location for a Deployed Prisma Access Location

IPv6 Support for Private App Access

Private App Access Over IPv6 Examples

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

Enable IPv6 Networking for a Mobile Users—GlobalProtect Deployment

Enable IPv6 Networking for Service Connections

Enable IPv6 Networking for Remote Networks

DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments

DNS Resolution for Mobile Users—GlobalProtect Deployments

DNS Resolution for Remote Networks

How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections

Proxy Support for Prisma Access and Strata Logging Service

Prisma Access Service Connection Advanced Deployments

Service Connection Multi-Cloud Redundancy

Configure and Activate Service Connection Cloud Provider Redundancy for Panorama Managed Prisma Access

Supported In-Country Active and Backup Cloud Provider Redundancy Locations

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Default Routes With Prisma Access Traffic Steering

Traffic Steering in Prisma Access

Traffic Steering Requirements

Default Routes with Traffic Steering Example

Default Routes with Traffic Steering Direct to Internet Example

Default Routes with Traffic Steering and Dedicated Service Connection Example

Prisma Access Traffic Steering Rule Guidelines

Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections

Configure Traffic Steering in Prisma Access

Routing for Service Connection Traffic

Configure Routing Preferences

Create a High-Bandwidth Network Using Multiple Service Connections

Create a High-Bandwidth Connection to a Headquarters or Data Center Location

Configure More than Two Service Connections to a Headquarters or Data Center Location

Prisma Access Mobile Users—GlobalProtect Advanced Deployments

Configure Multiple Portals in Prisma Access

Dynamic DNS Registration Support for Mobile Users—GlobalProtect

Enable DDNS for Mobile Users—GlobalProtect

Verify Dynamic DNS Configuration

Identification and Quarantine of Compromised Devices in a Prisma Access GlobalProtect Deployment

Use Cases for Quarantine List Redistribution

Configure Quarantine List Redistribution in Prisma Access

Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments

Configure GlobalProtect to Disable Direct Access to the Local Network

Set Up an IPv6 Sinkhole On the On-Premises Gateway

Redistribute HIP Information with Prisma Access

HIP Redistribution Overview

Use Cases for HIP Redistribution

Configure HIP Redistribution in Prisma Access

View HIP Reports from Panorama

Support for Gzip Encoding in Clientless VPN

Prisma Access Mobile Users—Explicit Proxy Advanced Deployments

Secure Users and Devices at Remote Networks With an Explicit Proxy

Prisma Access Remote Network Advanced Deployments

Provide Secure Inbound Access to Remote Network Locations

Secure Inbound Access for Remote Network Sites

Secure Inbound Access Examples

Guidelines for Using Secure Inbound Access

Configure Secure Inbound Access for Remote Network Sites

Configure Secure Inbound Access for Remote Network Sites for Locations that Allocate Bandwidth by Location

Configure Secure Inbound Access for Remote Network Sites

Create a High-Bandwidth Network for a Remote Site

Create a High-Bandwidth Remote Network Connection

Create and Configure Prisma Access for Clean Pipe

Prisma Access for Clean Pipe Overview

Clean Pipe Use Cases

Clean Pipe Examples

Clean Pipe and Partner Interconnect Requirements

Configure Prisma Access for Clean Pipe

Enable Multitenancy and Create a Tenant

Complete the Clean Pipe Configuration

3-1

Prisma Access Administrator’s Guide (Panorama Managed)

Prisma Access Overview

Prisma Access Infrastructure Management

Releases and Upgrades

Prisma Access Release Types

Prisma Access Upgrade Types

Cadence for Software and Content Updates for Prisma Access

Prisma Access Dataplane Upgrades

Dataplane Upgrade Overview

Dataplane Upgrade Example

Use the Prisma Access App to Get Upgrade Alerts and Updates

View Prisma Access Software Versions

Prisma Access Licensing

Determine Your Prisma Access License Type from Panorama

Cheat Sheet: Integrate ADEM with Panorama Managed Prisma Access

Cheat Sheet: Integrate IoT Security with Panorama Managed Prisma Access

Cheat Sheet: Enterprise DLP on Panorama Managed Prisma Access

Visibility and Monitoring Features in the Prisma Access App

Monitor Your Prisma Access Data Transfer Usage

Plan for Prisma Access IP Address Changes

IP Address Allocation For Mobile Users on Prisma Access

Public IP Address Scaling Examples for Mobile Users

Loopback IP Address Allocation for Mobile Users

Remote Network IPSec Termination Nodes and Service IP Addresses on Prisma Access

IP Address Changes For Remote Network Connections That Allocate Bandwidth by Location

Service IP and Egress IP Address Allocation for Remote Networks

Retrieve the IP Addresses for Prisma Access

Prisma Access IP Address Retrieval Using the API Examples

Pre-Allocate IP Addresses for Prisma Access Mobile User Locations

Set Up Prisma Access IP Address Change Notifications

Use Legacy Scripts to Retrieve Loopback Addresses

Use the Legacy Script to Retrieve Mobile User IP Addresses

Use the Legacy Script to Retrieve Public, Loopback, and Egress IP Addresses

Prisma Access APIs

Prisma Access Deployment Progress and Status

Troubleshoot the Prisma Access Deployment

Activate and Install the Prisma Access Components

Activate and Install Panorama Managed Prisma Access

Verify Your Account Using the One-Time Password

Transfer or Update Panorama Managed Prisma Access Licenses

Reset Your Panorama Managed Prisma Access License

Transfer or Update Prisma Access Licenses Between Panorama Appliances

Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access

Prepare the Prisma Access Infrastructure and Service Connections

Set Up Panorama Managed Prisma Access

Prisma Access Service Infrastructure

Service Infrastructure Requirements

Configure the Service Infrastructure

Prisma Access Service Connections

Plan the Service Connections

Create a Service Connection to Allow Access to Private Apps

Verify Service Connection Status

Create a Service Connection to Enable Access between Mobile Users and Remote Networks

Prisma Access Locations

Prisma Access Locations by Compute Location

Prisma Access Locations by Region

Map of North America Prisma Access Locations

Explicit Proxy Locations

Secure Mobile Users

Prisma Access Mobile User Deployments

GlobalProtect on Prisma Access

Planning Checklist—GlobalProtect on Prisma Access

IP Address Pools in a Mobile User—GlobalProtect Deployment

Set Up GlobalProtect on Panorama Managed Prisma Access

Enable Mobile User Regional Redundancy

How the GlobalProtect App Selects a Prisma Access Location for Mobile Users

Explicit Proxy on Prisma Access

How Explicit Proxy Works in Prisma Access

How Explicit Proxy Identifies Users

Planning Checklist—Explicit Proxy

Set Up Your Explicit Proxy PAC File

Secure Mobile Users with an Explicit Proxy

Create Block Settings in an Explicit Proxy Deployment

Monitor and Troubleshoot Explicit Proxy

Monitor and Log Out GlobalProtect Users in Prisma Access

View GlobalProtect Mobile Users from the Status Tab

View GlobalProtect Mobile Users from the Monitor Tab

How Prisma Access Counts GlobalProtect Mobile Users

Manage GlobalProtect App Upgrades in Prisma Access

Select the Active GlobalProtect App Version for Prisma Access

Manage User Access to GlobalProtect App Updates from Prisma Access

Perform Staged Updates of the GlobalProtect App on Prisma Access

Deploy Explicit Proxy and GlobalProtect or a Third-Party VPN in Prisma Access

Use Explicit Proxy with GlobalProtect and Third-Party VPNs Examples

How Explicit Proxy Works With GlobalProtect

Requirements and Recommendations for Using Explicit Proxy with GlobalProtect and Third-Party VPNs

Use Explicit Proxy with GlobalProtect

Use Explicit Proxy with Third-Party VPNs

Integrate Prisma Access with On-Premises Gateways

Manage Priorities for Prisma Access and On-Premises Gateways

Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways

Set a Higher Gateway Priority for an On-Premises Gateway

Set Higher Priorities for Multiple On-Premises Gateways

Configure Priorities for Prisma Access and On-Premises Gateways

Allow Mobile Users to Manually Select Specific Prisma Access Gateways

Allow Listing for Mobile Users—GlobalProtect Deployments

Manage Allow Listing for Existing Mobile User Deployments

Manage Allow Listing for New Prisma Access Deployments

Allow Listing Examples for Autoscale Events

Fields in the Egress IP Allow List table

Report Prisma Access Website Access Issues

Use Remote Networks to Secure Branches

Prisma Access Remote Network Deployments

Planning Checklist—Prisma Access Remote Networks

Onboard and Configure Remote Networks

Configure Prisma Access for Networks—Allocating Bandwidth by Compute Location

Configure Prisma Access for Networks—Allocating Bandwidth by Location

Verify Remote Network Connection Status

Verify Remote Connection BGP Status

Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment

Migrate to the Aggregate Bandwidth Model

Remote Network Locations with Overlapping Subnets

Configure Remote Network and Service Connection Connected with a WAN Link

Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

Onboard a Service Connection or Remote Network Connection Using Predefined Templates

Onboard Multiple Remote Network Connections of the Same Type

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

Onboard Remote Networks with Configuration Import

Fields in Remote Networks Table

How to Calculate Remote Network Bandwidth

Configure User-ID and User-Based Policies with Prisma Access

Configure User-ID in Panorama Managed Prisma Access

Configure User-ID for Remote Network Deployments

Get User and Group Information Using the Cloud Identity Engine

Retrieve Group Mapping Using a Master Device or Long-Form DN Entries

Make Group Names Selectable in Security Policy Rules Using a Master Device

Configure an on-premises or VM-Series Firewall as a Master Device

Use Long-Form DN Entries to Implement Group-Based Policy

Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

Quality of Service in Prisma Access

Configure QoS in Prisma Access

QoS for Remote Networks

IPSec Termination Nodes, Bandwidth Allocation, and Guaranteed Bandwidth

Change the Guaranteed Bandwidth For Remote Networks

Select QoS Profiles for Remote Networks

Configure Quality of Service in Prisma Access

Configure Quality of Service for Clean Pipe

Manage Multiple Tenants in Prisma Access

Multitenancy Overview

Multitenancy Configuration Overview

Plan Your Multitenant Deployment

Create an All-New Multitenant Deployment

Enable Multitenancy and Migrate the First Tenant

Add Tenants to Prisma Access

Delete a Tenant

Create a Tenant-Level Administrative User

Control Role-Based Access for Tenant-Level Administrative Users

Remove Plugin Access for a Tenant-Level Administrative User

Sort Logs by Device Group ID in a Multitenant Deployment

Prisma Access Advanced Deployments

Advanced Deployments that Apply to All Prisma Access Types

Add a New Compute Location for a Deployed Prisma Access Location

IPv6 Support for Private App Access

Private App Access Over IPv6 Examples

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

Enable IPv6 Networking for a Mobile Users—GlobalProtect Deployment

Enable IPv6 Networking for Service Connections

Enable IPv6 Networking for Remote Networks

DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments

DNS Resolution for Mobile Users—GlobalProtect Deployments

DNS Resolution for Remote Networks

How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections

Proxy Support for Prisma Access and Strata Logging Service

Prisma Access Service Connection Advanced Deployments

Service Connection Multi-Cloud Redundancy

Configure and Activate Service Connection Cloud Provider Redundancy for Panorama Managed Prisma Access

Supported In-Country Active and Backup Cloud Provider Redundancy Locations

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Default Routes With Prisma Access Traffic Steering

Traffic Steering in Prisma Access

Traffic Steering Requirements

Default Routes with Traffic Steering Example

Default Routes with Traffic Steering Direct to Internet Example

Default Routes with Traffic Steering and Dedicated Service Connection Example

Prisma Access Traffic Steering Rule Guidelines

Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections

Configure Traffic Steering in Prisma Access

Routing for Service Connection Traffic

Mobile User and Remote Network Routing to Service Connections

Prisma Access Default Routing

Prisma Access Hot Potato Routing

Configure Routing Preferences

Create a High-Bandwidth Network Using Multiple Service Connections

Create a High-Bandwidth Connection to a Headquarters or Data Center Location

Configure More than Two Service Connections to a Headquarters or Data Center Location

Prisma Access Mobile User—GlobalProtect Advanced Deployments

Dynamic DNS Registration Support for Mobile Users—GlobalProtect

Enable DDNS for Mobile Users—GlobalProtect

Verify Dynamic DNS Configuration

Identification and Quarantine of Compromised Devices in a Prisma Access GlobalProtect Deployment

Use Cases for Quarantine List Redistribution

Configure Quarantine List Redistribution in Prisma Access

Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments

Configure GlobalProtect to Disable Direct Access to the Local Network

Set Up an IPv6 Sinkhole On the On-Premises Gateway

Redistribute HIP Information with Prisma Access

HIP Redistribution Overview

Use Cases for HIP Redistribution

Configure HIP Redistribution in Prisma Access

View HIP Reports from Panorama

Support for Gzip Encoding in Clientless VPN

Prisma Access Mobile Users—Explicit Proxy Advanced Deployments

Secure Users and Devices at Remote Networks With an Explicit Proxy

Prisma Access Remote Network Advanced Deployments

Provide Secure Inbound Access to Remote Network Locations

Secure Inbound Access for Remote Network Sites

Secure Inbound Access Examples

Guidelines for Using Secure Inbound Access

Configure Secure Inbound Access for Remote Network Sites

Configure Secure Inbound Access for Remote Network Sites for Locations that Allocate Bandwidth by Location

Configure Secure Inbound Access for Remote Network Sites

Create a High-Bandwidth Network for a Remote Site

Create a High-Bandwidth Remote Network Connection

Create and Configure Prisma Access for Clean Pipe

Prisma Access for Clean Pipe Overview

Clean Pipe Use Cases

Clean Pipe Examples

Clean Pipe and Partner Interconnect Requirements

Configure Prisma Access for Clean Pipe

Enable Multitenancy and Create a Tenant

Complete the Clean Pipe Configuration

Prisma Access Release Notes (Panorama Managed)

Prisma Access (Panorama Managed) Release Information

Features in Prisma Access 3.1

Changes to Default Behavior

Upgrade the Cloud Services Plugin

Prisma Access Known Issues

Prisma Access Addressed Issues

Release Updates for Reports

Features Introduced in Previous Prisma Access (Panorama Managed) Releases

Features in Prisma Access 3.0 Preferred and Innovation

Features Introduced in Prisma Access 2.2 Preferred

Features Introduced in Prisma Access 2.1 Innovation

Features Introduced in Prisma Access 2.1 Preferred

Features Introduced in Prisma Access 2.0 Innovation

Features Introduced in Prisma Access 2.0 Preferred

Features Introduced in Prisma Access 1.8

Features Introduced in Prisma Access 1.7

Features Introduced in Prisma Access 1.6.1

Features Introduced in Prisma Access 1.6.0

Features Introduced in Prisma Access 1.5.1

Features Introduced in Prisma Access 1.5.0

Features Introduced in Prisma Access 1.4.0

Features Introduced in Prisma Access 1.3.1

Features Introduced in Prisma Access 1.3.0

Features Introduced in Prisma Access 1.2.0

Features Introduced in Prisma Access 1.1.0

3-0

Prisma Access Administrator’s Guide (Panorama Managed)

Prisma Access Overview

Prisma Access Infrastructure Management

Releases and Upgrades

Prisma Access Release Types

Prisma Access Upgrade Types

Cadence for Software and Content Updates for Prisma Access

Prisma Access Dataplane Upgrades

Dataplane Upgrade Overview

Dataplane Upgrade Example

Use the Prisma Access App to Get Upgrade Alerts and Updates

View Prisma Access Software Versions

Prisma Access Licensing

Determine Your Prisma Access License Type from Panorama

Cheat Sheet: Integrate ADEM with Panorama Managed Prisma Access

Cheat Sheet: Integrate IoT Security with Panorama Managed Prisma Access

Cheat Sheet: Enterprise DLP on Panorama Managed Prisma Access

Visibility and Monitoring Features in the Prisma Access App

Monitor Your Prisma Access Data Transfer Usage

Plan for Prisma Access IP Address Changes

IP Address Allocation For Mobile Users on Prisma Access

Public IP Address Scaling Examples for Mobile Users

Loopback IP Address Allocation for Mobile Users

Remote Network IPSec Termination Nodes and Service IP Addresses on Prisma Access

IP Address Changes For Remote Network Connections That Allocate Bandwidth by Location

Service IP and Egress IP Address Allocation for Remote Networks

Retrieve the IP Addresses for Prisma Access

Prisma Access IP Address Retrieval Using the API Examples

Pre-Allocate IP Addresses for Prisma Access Mobile User Locations

Set Up Prisma Access IP Address Change Notifications

Use Legacy Scripts to Retrieve Loopback Addresses

Use the Legacy Script to Retrieve Mobile User IP Addresses

Use the Legacy Script to Retrieve Public, Loopback, and Egress IP Addresses

Prisma Access APIs

Prisma Access Deployment Progress and Status

Troubleshoot the Prisma Access Deployment

Activate and Install the Prisma Access Components

Activate and Install Panorama Managed Prisma Access

Verify Your Account Using the One-Time Password

Transfer or Update Panorama Managed Prisma Access Licenses

Reset Your Panorama Managed Prisma Access License

Transfer or Update Prisma Access Licenses Between Panorama Appliances

Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access

Prepare the Prisma Access Infrastructure and Service Connections

Set Up Panorama Managed Prisma Access

Prisma Access Service Infrastructure

Service Infrastructure Requirements

Configure the Service Infrastructure

Prisma Access Service Connections

Plan the Service Connections

Create a Service Connection to Allow Access to Your Corporate Resources

Verify Service Connection Status

Create a Service Connection to Enable Access between Mobile Users and Remote Networks

Prisma Access Locations

Prisma Access Locations by Compute Location

Prisma Access Locations by Region

Map of North America Prisma Access Locations

Explicit Proxy Locations

Secure Mobile Users

Prisma Access Mobile User Deployments

GlobalProtect on Prisma Access

Planning Checklist—GlobalProtect on Prisma Access

IP Address Pools in a Mobile User—GlobalProtect Deployment

Set Up GlobalProtect on Panorama Managed Prisma Access

Enable Mobile User Regional Redundancy

How the GlobalProtect App Selects a Prisma Access Location for Mobile Users

Explicit Proxy on Prisma Access

How Explicit Proxy Works in Prisma Access

How Explicit Proxy Identifies Users

Planning Checklist—Explicit Proxy

Set Up Your Explicit Proxy PAC File

Secure Mobile Users with an Explicit Proxy

Monitor and Troubleshoot Explicit Proxy

Monitor and Log Out GlobalProtect Users in Prisma Access

View GlobalProtect Mobile Users from the Status Tab

View GlobalProtect Mobile Users from the Monitor Tab

How Prisma Access Counts GlobalProtect Mobile Users

Manage GlobalProtect App Upgrades in Prisma Access

Select the Active GlobalProtect App Version for Prisma Access

Manage User Access to GlobalProtect App Updates from Prisma Access

Perform Staged Updates of the GlobalProtect App on Prisma Access

Deploy Explicit Proxy and GlobalProtect or a Third-Party VPN in Prisma Access

Use Explicit Proxy with GlobalProtect and Third-Party VPNs Examples

How Explicit Proxy Works With GlobalProtect

Requirements and Recommendations for Using Explicit Proxy with GlobalProtect and Third-Party VPNs

Use Explicit Proxy with GlobalProtect

Use Explicit Proxy with Third-Party VPNs

Integrate Prisma Access with On-Premises Gateways

Manage Priorities for Prisma Access and On-Premises Gateways

Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways

Set a Higher Gateway Priority for an On-Premises Gateway

Set Higher Priorities for Multiple On-Premises Gateways

Configure Priorities for Prisma Access and On-Premises Gateways

Allow Mobile Users to Manually Select Specific Prisma Access Gateways

Allow Listing for Mobile Users—GlobalProtect Deployments

Manage Allow Listing for Existing Mobile User Deployments

Manage Allow Listing for New Prisma Access Deployments

Allow Listing Examples for Autoscale Events

Fields in the Egress IP Allow List table

Report Prisma Access Website Access Issues

Use Remote Networks to Secure Branches

Prisma Access Remote Network Deployments

Planning Checklist—Prisma Access Remote Networks

Onboard and Configure Remote Networks

Configure Prisma Access for Networks—Allocating Bandwidth by Compute Location

Configure Prisma Access for Networks—Allocating Bandwidth by Location

Verify Remote Network Connection Status

Verify Remote Connection BGP Status

Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment

Migrate to the Aggregate Bandwidth Model

Remote Network Locations with Overlapping Subnets

Configure Remote Network and Service Connection Connected with a WAN Link

Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

Onboard a Service Connection or Remote Network Connection Using Predefined Templates

Onboard Multiple Remote Network Connections of the Same Type

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

Onboard Remote Networks with Configuration Import

Fields in Remote Networks Table

How to Calculate Remote Network Bandwidth

Configure User-ID and User-Based Policies with Prisma Access

Configure User-ID in Prisma Access

Configure User-ID for Remote Network Deployments

Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent

Get User and Group Information Using the Cloud Identity Engine

Configure Your Prisma Access Deployment to Retrieve Group Mapping

Retrieve Group Mappings Using a Master Device

Configure an on-premises or VM-Series Firewall as a Master Device

Implement User-ID in Security Policies For a Standalone Prisma Access Deployment

Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

Configure Quality of Service in Prisma Access

Configure QoS in Prisma Access

QoS for Remote Networks

IPSec Termination Nodes, Bandwidth Allocation, and Guaranteed Bandwidth

Change the Guaranteed Bandwidth For Remote Networks

Select QoS Profiles for Remote Networks

Configure Quality of Service for Mobile Users and Remote Networks

Configure Quality of Service for Clean Pipe

Manage Multiple Tenants in Prisma Access

Multitenancy Overview

Multitenancy Configuration Overview

Plan Your Multitenant Deployment

Create an All-New Multitenant Deployment

Enable Multitenancy and Migrate the First Tenant

Add Tenants to Prisma Access

Delete a Tenant

Create a Tenant-Level Administrative User

Control Role-Based Access for Tenant-Level Administrative Users

Remove Plugin Access for a Tenant-Level Administrative User

Sort Logs by Device Group ID in a Multitenant Deployment

Prisma Access in a FedRAMP Environment

Panorama Managed Prisma Access and FedRAMP Authorization

Panorama Managed Prisma Access FedRAMP Requirements

Configure a Prisma Access FedRAMP Deployment

Prisma Access Advanced Deployments

Advanced Deployments that Apply to All Prisma Access Types

Add a New Compute Location for a Deployed Prisma Access Location

IPv6 Support for Private App Access

Private App Access Over IPv6 Examples

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

Enable IPv6 Networking for a Mobile Users—GlobalProtect Deployment

Enable IPv6 Networking for Service Connections

Enable IPv6 Networking for Remote Networks

DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments

DNS Resolution for Mobile Users—GlobalProtect Deployments

DNS Resolution for Remote Networks

How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections

Proxy Support for Prisma Access and Strata Logging Service

Prisma Access Service Connection Advanced Deployments

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Default Routes With Prisma Access Traffic Steering

Traffic Steering in Prisma Access

Traffic Steering Requirements

Default Routes with Traffic Steering Example

Default Routes with Traffic Steering Direct to Internet Example

Default Routes with Traffic Steering and Dedicated Service Connection Example

Prisma Access Traffic Steering Rule Guidelines

Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections

Configure Traffic Steering in Prisma Access

Routing for Service Connection Traffic

Mobile User and Remote Network Routing to Service Connections

Prisma Access Default Routing

Prisma Access Hot Potato Routing

Configure Routing Preferences

Create a High-Bandwidth Network Using Multiple Service Connections

Create a High-Bandwidth Connection to a Headquarters or Data Center Location

Configure More than Two Service Connections to a Headquarters or Data Center Location

Prisma Access Mobile User—GlobalProtect Advanced Deployments

Identification and Quarantine of Compromised Devices in a Prisma Access GlobalProtect Deployment

Use Cases for Quarantine List Redistribution

Configure Quarantine List Redistribution in Prisma Access

Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments

Configure GlobalProtect to Disable Direct Access to the Local Network

Set Up an IPv6 Sinkhole On the On-Premises Gateway

Redistribute HIP Information with Prisma Access

HIP Redistribution Overview

Use Cases for HIP Redistribution

Configure HIP Redistribution in Prisma Access

View HIP Reports from Panorama

Support for Gzip Encoding in Clientless VPN

Prisma Access Remote Network Advanced Deployments

Provide Secure Inbound Access to Remote Network Locations

Secure Inbound Access for Remote Network Sites

Secure Inbound Access Examples

Guidelines for Using Secure Inbound Access

Configure Secure Inbound Access for Remote Network Sites

Configure Secure Inbound Access for Remote Network Sites for Locations that Allocate Bandwidth by Location

Configure Secure Inbound Access for Remote Network Sites

Create a High-Bandwidth Network for a Remote Site

Create a High-Bandwidth Remote Network Connection

Create and Configure Prisma Access for Clean Pipe

Prisma Access for Clean Pipe Overview

Clean Pipe Use Cases

Clean Pipe Examples

Clean Pipe and Partner Interconnect Requirements

Configure Prisma Access for Clean Pipe

Enable Multitenancy and Create a Tenant

Complete the Clean Pipe Configuration

Prisma Access Release Notes (Panorama Managed)

Prisma Access (Panorama Managed) Release Information

Features in Prisma Access 3.0

Changes to Default Behavior

Upgrade the Cloud Services Plugin

Prisma Access Known Issues

Prisma Access Addressed Issues

Release Updates for Reports

Features Introduced in Previous Prisma Access (Panorama Managed) Releases

Features Introduced in Prisma Access 2.2 Preferred

Features Introduced in Prisma Access 2.1 Innovation

Features Introduced in Prisma Access 2.1 Preferred

Features Introduced in Prisma Access 2.0 Innovation

Features Introduced in Prisma Access 2.0 Preferred

Features Introduced in Prisma Access 1.8

Features Introduced in Prisma Access 1.7

Features Introduced in Prisma Access 1.6.1

Features Introduced in Prisma Access 1.6.0

Features Introduced in Prisma Access 1.5.1

Features Introduced in Prisma Access 1.5.0

Features Introduced in Prisma Access 1.4.0

Features Introduced in Prisma Access 1.3.1

Features Introduced in Prisma Access 1.3.0

Features Introduced in Prisma Access 1.2.0

Features Introduced in Prisma Access 1.1.0

Prisma Access in China

Prisma Access in China

Configure a Prisma Access China Deployment

Prisma Access Insights

Insights in Prisma Access

Get Started with Prisma Access Insights

Give the Right People Access to Prisma Access

First Look at Insights in Prisma Access

Terminology Used in Prisma Access Insights

The Time Range Selection Filter

Monitor Your Prisma Access Environment

View User to IP Address or User Groups Mappings

Monitor Your Remote Networks

Manage Mobile Users

Manage GlobalProtect Mobile Users

Manage Explicit Proxy Mobile Users

Monitor Your Service Connections

Manage ZTNA Connector

Manage Prisma Access Locations

Manage Tunnel Health

Monitor Network Services

Prisma Access Insights APIs

Choose a Preferred Window for Certain Prisma Access Upgrades

Release Updates

Prisma Access Release Notes

Prisma Access Release Information

New Features in Prisma Access 4.0

Changes to Default Behavior

Prisma Access Known Issues

Prisma Access Addressed Issues

Panorama Support for Prisma Access 4.0 Preferred

Required Software Versions for Panorama Managed Prisma Access (4.0 Preferred)

Upgrade Considerations for Panorama Managed Prisma Access (4.0 Preferred)

Upgrade the Cloud Services Plugin (4.0 Preferred)

Prisma Access Release Notes

Prisma Access Release Information

New Features in Prisma Access 4.1

Changes to Default Behavior

Prisma Access Known Issues

Prisma Access Addressed Issues

Panorama Support for Prisma Access 4.1 Preferred

Required Software Versions for Panorama Managed Prisma Access (4.1 Preferred)

Upgrade Considerations for Panorama Managed Prisma Access (4.1 Preferred)

Upgrade the Cloud Services Plugin (4.1 Preferred)

Prisma Access Release Notes

Prisma Access Release Information

New Features in Prisma Access 4.2

Changes to Default Behavior

Prisma Access Known Issues

Prisma Access Addressed Issues

Panorama Support for Prisma Access 4.2 Preferred

Required Software Versions for Panorama Managed Prisma Access (4.2 Preferred)

Upgrade Considerations for Panorama Managed Prisma Access

Upgrade the Cloud Services Plugin

Prisma Access Release Notes

Prisma Access Release Information

New Features in Prisma Access 5.0 and 5.0.1

Changes to Default Behavior for Prisma Access 5.0 and 5.0.1

Prisma Access Known Issues

Prisma Access Addressed Issues

Panorama Support for Prisma Access 5.0 and 5.0.1

Required and Recommended Software Versions for Panorama Managed Prisma Access 5.0 and 5.0.1

Upgrade Considerations for Panorama Managed Prisma Access

Upgrade the Cloud Services Plugin

Prisma Access Release Notes

Prisma Access Release Information

New Features in Prisma Access 5.1 and 5.1.1

Changes to Default Behavior for Prisma Access 5.1

Prisma Access Known Issues

Prisma Access Addressed Issues

Panorama Support for Prisma Access 5.1

Required and Recommended Software Versions for Panorama Managed Prisma Access 5.1

Upgrade Considerations for Panorama Managed Prisma Access

Upgrade the Cloud Services Plugin

Prisma Access Release Notes

Prisma Access Release Information

New Features in Prisma Access 5.2 and 5.2.1

Changes to Default Behavior for Prisma Access 5.2 and 5.2.1

Prisma Access Known Issues

Prisma Access Addressed Issues

Panorama Support for Prisma Access 5.2 and 5.2.1

Required and Recommended Software Versions for Panorama Managed Prisma Access 5.2 and 5.2.1

Upgrade Considerations for Panorama Managed Prisma Access

Upgrade the Cloud Services Plugin

Prisma Access Integrations

Authenticate Mobile Users

SAML Authentication Using Okta as IdP for Mobile Users

SAML Authentication Using Okta as IdP for Mobile Users (Strata Cloud Manager)

SAML Authentication Using Okta as IdP for Mobile Users (Panorama)

Configure ADFS as a SAML Provider for Mobile Users

Configure ADFS as a SAML Provider for Mobile Users (Strata Cloud Manager)

Configure ADFS as a SAML Provider for Mobile Users (Panorama)

Integrate Prisma Access With Other Palo Alto Networks Apps

Integrate Third-Party SD-WANs with Prisma Access

Aruba SD-WAN Solution Guide

Integrate Prisma Access with Aruba SD-WAN

Integrate Prisma Access with Aruba SD-WAN (Strata Cloud Manager)

Integrate Prisma Access with Aruba SD-WAN (Panorama)

Aryaka SD-WAN Solution Guide

Integrate Prisma Access with Aryaka SD-WAN

Integrate Prisma Access with Aryaka SD-WAN (Strata Cloud Manager)

Integrate Prisma Access with Aryaka SD-WAN (Panorama)

Citrix SD-WAN Solution Guide

Integrate Prisma Access with Citrix SD-WAN

Integrate Prisma Access with Citrix SD-WAN (Strata Cloud Manager)

Integrate Prisma Access with Citrix SD-WAN (Panorama)

Integrate Prisma Access with Cisco Meraki SD-WAN

Integrate Prisma Access with Cisco Meraki SD-WAN (Manual Integration)

Nuage Networks SD-WAN Solution Guide

Integrate Prisma Access with Nuage SD-WAN

Integrate Prisma Access with Nuage SD-WAN (Strata Cloud Manager)

Integrate Prisma Access with Nuage SD-WAN (Panorama)

Riverbed SteelConnect SD-WAN Solution Guide

Integrate Prisma Access with Riverbed SteelConnect SD-WAN

Silver Peak SD-WAN Solution Guide

Integrate Prisma Access with Silver Peak SD-WAN

Integrate Prisma Access with Silver Peak SD-WAN (Strata Cloud Manager)

Integrate Prisma Access with Silver Peak SD-WAN (Panorama)

VMware SD-WAN by VeloCloud Solution Guide

Integrate Prisma Access with VMware SD-WAN by VeloCloud

Integrate Prisma Access with VMware SD-WAN by VeloCloud (Strata Cloud Manager)

Integrate Prisma Access with VMware SD-WAN by VeloCloud (Panorama)

Cisco Catalyst SD-WAN Solution Guide

Integrate Prisma Access with Cisco Catalyst SD-WAN

Integrate Prisma Access with Cisco Catalyst SD-WAN (Manual Integration)

Integrate Prisma Access with Cisco Catalyst SD-WAN (Manual Integration) (Strata Cloud Manager)

Integrate Prisma Access with Cisco Catalyst SD-WAN (Manual Integration) (Panorama)

Integrate ServiceNow with Prisma Access

Add a ServiceNow Notification Profile

ServiceNow Audit Log

ServiceNow in the Incidents and Alerts Overview

ServiceNow in the Incident List

Microsoft Integrations with Prisma Access

Microsoft Entra ID SAML Authentication for Mobile User Deployments

Configure Mobile Users using Cloud Identity Engine (Recommended)

Configure Mobile Users using Cloud Identity Engine (Recommended) (Strata Cloud Manager)

Configure Mobile Users using Cloud Identity Engine (Recommended) (Panorama)

Configure GlobalProtect Mobile Users using Cloud Identity Engine (Recommended) (Panorama)

Configure Explicit Proxy Mobile Users using Cloud Identity Engine (Recommended) (Panorama)

Configure Mobile Users without Cloud Identity Engine

Configure Mobile Users without Cloud Identity Engine (Strata Cloud Manager)

Configure Mobile Users without Cloud Identity Engine (Panorama)

Configure Microsoft Entra ID User Group Mapping in Prisma Access

Add Microsoft Entra ID

Authorize Mobile Users in Prisma Access

Secure AIP Labeled Files with Enterprise DLP

Set Up HTTPS Log Forwarding to Microsoft Sentinel

Set Up Syslog Forwarding to Microsoft Sentinel

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Onboard Mobile Users and Branch Offices in Mainland China

Onboard Mobile Users in Mainland China to Prisma Access

Connect your Mobile Users in Mainland China to Prisma Access Overview

Configure Prisma Access for Mobile Users in China

Configure Real-Name Registration and Create the VPCs in Alibaba Cloud

Attach the CEN and Specify the Bandwidth

Create Linux Instances in the Alibaba Cloud VPCs

Configure the Router Instances

Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal

Onboard Branch Offices in Mainland China to Prisma Access

Connect Your Remote Network in Mainland China to Prisma Access

Configure the Remote Nework in Prisma Access

Set up the Alibaba Cloud Infrastructure

Configure the Linux Instances as Routers

Configure the Customer Premises Equipment at Your Branch Site

Secure Public Cloud Deployments with Prisma Access

Onboard an AWS Virtual Private Cloud

Onboard an Azure Virtual Network

Onboard an Azure Virtual Network (Strata Cloud Manager)

Onboard an Azure Virtual Network (Panorama)

Onboard a Google Cloud Platform Virtual Private Cloud

Integrate Third-Party Enterprise Browser with Explicit Proxy

Prisma Access Incidents and Alerts Reference Guide

About Prisma SASE Incidents and Alerts

Incidents and Alerts: Overview

Priority Alerts

Informational Alerts

Notification Profiles

ServiceNow Audit Log

Incident Settings

About Incident Settings

Customize Incident Settings by Category Level

Customize Incident Settings by Code Level

AI-Powered ADEM Incidents

INC_CIE_AGENT_DISCONNECT

INC_CIE_DIRECTORY_DISCONNECT

INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS

INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION

INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS

INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION

INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS

INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION

INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS

INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION

INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS

INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION

INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS

INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION

INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS

INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION

INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE

INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE

INC_RN_SECONDARY_TUNNEL_DOWN

INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE

INC_RN_SITE_CAPACITY_PREDICTION

INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE

INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE

INC_SC_SITE_CAPACITY_PREDICTION

Prisma Access Incidents

INC_CERTIFICATE_EXPIRY

INC_GP_CLIENT_VERSION_UNSUPPORTED

INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY

INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD

INC_PA_INFRA_DEGRADATION

INC_PA_SERVICE_DEGRADATION_PA_LOCATION

INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY

INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY

INC_RN_ECMP_BGP_DOWN

INC_RN_ECMP_BGP_FLAP

INC_RN_ECMP_PROXY_TUNNEL_DOWN

INC_RN_ECMP_PROXY_TUNNEL_FLAP

INC_RN_ECMP_TUNNEL_DOWN

INC_RN_ECMP_TUNNEL_FLAP

INC_RN_PRIMARY_WAN_BGP_FLAP

INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN

INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP

INC_RN_PRIMARY_WAN_TUNNEL_DOWN

INC_RN_PRIMARY_WAN_TUNNEL_FLAP

INC_RN_SECONDARY_WAN_BGP_DOWN

INC_RN_SECONDARY_WAN_BGP_FLAP

INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN

INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP

INC_RN_SECONDARY_WAN_TUNNEL_DOWN

INC_RN_SECONDARY_WAN_TUNNEL_FLAP

INC_RN_SITE_DOWN

INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD

INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY

INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD

INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY

INC_SC_PRIMARY_WAN_BGP_DOWN

INC_SC_PRIMARY_WAN_BGP_FLAP

INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN

INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP

INC_SC_PRIMARY_WAN_TUNNEL_DOWN

INC_SC_PRIMARY_WAN_TUNNEL_FLAP

INC_SC_SECONDARY_WAN_BGP_DOWN

INC_SC_SECONDARY_WAN_BGP_FLAP

INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN

INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP

INC_SC_SECONDARY_WAN_TUNNEL_DOWN

INC_SC_SECONDARY_WAN_TUNNEL_FLAP

INC_SC_SITE_DOWN

INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD

INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY

INC_ZTNA_CONNECTOR_APP_STATUS_DOWN

INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL

INC_ZTNA_CONNECTOR_CPU_HIGH

INC_ZTNA_CONNECTOR_MEMORY_HIGH

INC_ZTNA_CONNECTOR_TUNNEL_DOWN

Priority Alerts

AL_CIE_AGENT_DISCONNECT

AL_CIE_DIRECTORY_DISCONNECT

AL_MU_IP_POOL_CAPACITY

AL_MU_IP_POOL_USAGE

AL_RN_ECMP_BGP_DOWN

AL_RN_ECMP_BGP_FLAP

AL_RN_PRIMARY_WAN_BGP_DOWN

AL_RN_PRIMARY_WAN_BGP_FLAP

AL_RN_PRIMARY_WAN_TUNNEL_DOWN

AL_RN_PRIMARY_WAN_TUNNEL_FLAP

AL_RN_SECONDARY_WAN_BGP_DOWN

AL_RN_SECONDARY_WAN_BGP_FLAP

AL_RN_SECONDARY_WAN_TUNNEL_DOWN

AL_RN_SECONDARY_WAN_TUNNEL_FLAP

AL_RN_SITE_DOWN

AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD

AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY

AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD

AL_SC_PRIMARY_WAN_BGP_DOWN

AL_SC_PRIMARY_WAN_BGP_FLAP

AL_SC_PRIMARY_WAN_TUNNEL_DOWN

AL_SC_PRIMARY_WAN_TUNNEL_FLAP

AL_SC_SECONDARY_WAN_BGP_DOWN

AL_SC_SECONDARY_WAN_BGP_FLAP

AL_SC_SECONDARY_WAN_TUNNEL_DOWN

AL_SC_SECONDARY_WAN_TUNNEL_FLAP

AL_SC_SITE_DOWN

AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD

AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY

AL_ZTNA_CONNECTOR_APP_STATUS_DOWN

AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL

AL_ZTNA_CONNECTOR_CPU_HIGH

AL_ZTNA_CONNECTOR_MEMORY_HIGH

AL_ZTNA_CONNECTOR_TUNNEL_DOWN

Informational Alerts

AL_MU_GATEWAY_NEW_EGRESS_IP

AL_MU_GATEWAY_SCHEDULED_AUTOSCALE_FAILURE

AL_PRISMA_ACCESS_INFRASTRUCTURE_ NOTIFICATION

New Features in Incidents and Alerts

Prisma Access Activation and Onboarding

Your Prisma Access License

Validate Your License

Validate Your License (Strata Cloud Manager)

Validate Your License (Prisma Access (Managed by Panorama))

All Available Apps and Services

Cheat Sheet: ADEM with Prisma Access

Cheat Sheet: IoT Security with Prisma Access

Cheat Sheet: Enterprise DLP with Prisma Access

Cheat Sheet: Enterprise DLP with Prisma Access (Managed by Strata Cloud Manager)

Cheat Sheet: Enterprise DLP with Prisma Access (Managed by Panorama)

Cheat Sheet: SaaS Security with Prisma Access

Cheat Sheet: SaaS Security with Prisma Access (Managed by Strata Cloud Manager)

Cheat Sheet: SaaS Security with Prisma Access (Managed by Panorama)

Cheat Sheet: URL Filtering with Prisma Access

Cheat Sheet: Remote Browser Isolation

Cheat Sheet: Remote Browser Isolation (Strata Cloud Manager)

Cheat Sheet: Remote Browser Isolation (Panorama)

Make Changes To Your License

Reset Your Prisma Access License

Transfer Or Update Your License

Verify Your Prisma Access Account

Activate Your Prisma Access License

Set up Prisma Access

Prisma Access Administration

Prisma Access Overview

Secure Internet Traffic Using Prisma Access

How to Manage Prisma Access

Prisma Access Visibility and Monitoring with Strata Cloud Manager

Prisma Access Locations

Prisma Access and Associated Services Processing Locations

Prisma Access Infrastructure Management

Prisma Access APIs

Prisma Access Insights APIs

Migrate Prisma Access from Panorama to Strata Cloud Manager

Prisma Access Releases and Upgrades

Prisma Access Release Types

Prisma Access Upgrade Types

Cadence for Software and Content Updates for Prisma Access

Cadence for Software and Content Updates for Prisma Access (Managed by Strata Cloud Manager)

Cadence for Software and Content Updates for Prisma Access (Managed by Panorama)

Prisma Access Dataplane Upgrades

Get Upgrade Alerts and Updates

View Prisma Access Software Versions

Prisma Access Setup

Set Up Prisma Access

Set Up Prisma Access (Strata Cloud Manager)

Set Up Prisma Access (Panorama)

Configure the Prisma Access Service Infrastructure

Configure the Prisma Access Service Infrastructure (Strata Cloud Manager)

Configure the Prisma Access Service Infrastructure (Panorama)

Mobile Users: IP Address Allocation

Example: Public IP Address Scaling Examples (Mobile Users)

Loopback IP Address Allocation (Mobile Users)

Remote Networks: IPSec Termination Nodes and Service IP Addresses

Remote Networks: IP Address Changes Related To Bandwidth Allocation

Remote Networks: Service IP Address and Egress IP Address Allocation

Retrieve the IP Addresses for Prisma Access

Retrieve the IP Addresses for Prisma Access (Strata Cloud Manager)

Retrieve the IP Addresses for Prisma Access (Panorama)

IP Optimization for Mobile Users—GlobalProtect Deployments

API Examples for Retrieving Prisma Access IP Addresses

Get Notifications When Prisma Access IP Addresses Change

Use Legacy Scripts to Retrieve IP Addresses

Retrieve Mobile User IP Addresses

Retrieve Public, Loopback, and Egress IP Addresses

Prisma Access Zones

DNS for Prisma Access

DNS for Prisma Access (Strata Cloud Manager)

DNS for Prisma Access (Panorama)

High Availability for Prisma Access

Predefined Templates: Onboard a Service Connection or Remote Network

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

Prisma Access Service Connections

Plan a Service Connection

Configure a Service Connection in Prisma Access

Configure a Service Connection in Prisma Access (Strata Cloud Manager)

Configure a Service Connection in Prisma Access (Panorama)

Use a Service Connection to Enable Access between Mobile Users and Remote Networks

Dynamic Routing Considerations for Service Connections

Prisma Access ZTNA Connector

ZTNA Connector Requirements and Guidelines

Certificate Management

Enable ZTNA Connector

Enable ZTNA Connector (Strata Cloud Manager)

Enable ZTNA Connector (Panorama)

Configure ZTNA Connector

Upgrade ZTNA Connectors

ZTNA Connector Diagnostic Tools

Delete Connector IP Blocks

Delete Connector IP Blocks (Cloud Managed)

Delete Connector IP Blocks (Panorama)

Set Up Auto Discovery of Applications Using Cloud Identity Engine

Private Application Target Discovery

Security Policy for Apps Enabled with ZTNA Connector

Security Policy for Apps Enabled with ZTNA Connector (Strata Cloud Manager)

Security Policy for Apps Enabled with ZTNA Connector (Panorama)

Onboard the ZTNA Connector VM in Your Data Center

Microsoft Azure Deployments Supported by ZTNA Connector

Onboard a ZTNA Connector in Microsoft Azure

Google Cloud Platform Deployments Supported by ZTNA Connector

Onboard a ZTNA Connector in Google Cloud Platform

Amazon Web Services Deployments Supported by ZTNA Connector

Onboard a ZTNA Connector in Amazon Web Services

VMware ESXi Deployments Supported by Prisma Access ZTNA Connector

Onboard a ZTNA Connector in VMware ESXi

KVM Deployments Supported by Prisma Access ZTNA Connector

Onboard a ZTNA Connector Using KVM

Hyper-V Deployments Supported by Prisma Access ZTNA Connector

Onboard a ZTNA Connector Using Hyper-V

Monitor ZTNA Connector

View ZTNA Connector Logs

View ZTNA Connector Logs (Panorama)

View ZTNA Connector Logs (Strata Cloud Manager)

Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT

Configure Dynamic Privilege Access Settings

Enable Dynamic Privilege Access for Prisma Access Through Common Services

Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access

Enable the Access Agent

Set Up the Agent Infrastructure for Dynamic Privilege Access

Create a Snippet

Configure Project-Specific Prisma Access Agent Settings

Configure Forwarding Profiles to Manage Agent Traffic for Dynamic Privilege Access Agents

Verify and Troubleshoot Forwarding Profile Configurations for Dynamic Privilege Access Agents

Configure Prisma Access Agent App Settings for Dynamic Privilege Access

Configure DNS Settings for Dynamic Privilege Access

Configure HIP Data Collection Settings for Dynamic Privilege Access

Create a Project

Traffic Steering for Dynamic Privilege Access

Set Up the Prisma Access Agent for Dynamic Privilege Access

Configure Staged Rollouts for the Prisma Access Agent

Configure General Global Settings for Prisma Access Agents

Configure HIP Notifications for the Dynamic Privilege Access Prisma Access Agent

Create a HIP Notification for the Dynamic Privilege Access Prisma Access Agent

Create and Manage HIP Objects for the Dynamic Privilege Access Prisma Access Agent

Create and Manage HIP Profiles for the Dynamic Privilege Access Prisma Access Agent

Push the Prisma Access Agent Configuration

Download the Dynamic Privilege Access Enabled Prisma Access Agent Package

Use the Prisma Access Agent to Access Your Projects

Install the Prisma Access Agent

Install the Prisma Access Agent (macOS)

Install the Prisma Access Agent (Windows)

Log in to the Dynamic Privilege Access Enabled Prisma Access Agent

Change Preferences for the Dynamic Privilege Access Enabled Prisma Access Agent

Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Location

Switch to a Different Project

Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Server

Switch Between the Prisma Access Agent and GlobalProtect App

Switch Between the Prisma Access Agent and GlobalProtect App (Using the Prisma Access Agent App)

Switch Between the Prisma Access Agent and GlobalProtect App (Using the PACli Tool)

View and Monitor Dynamic Privilege Access Users

View and Monitor Dynamic Privilege Access Projects

Prisma Access Colo-Connect

Requirements and Prerequisites for Prisma Access Colo-Connect

Configure Prisma Access Colo-Connect

Configure Prisma Access Colo-Connect (Strata Cloud Manager)

Configure Prisma Access Colo-Connect (Panorama)

App Acceleration in Prisma Access

Configure App Acceleration in Prisma Access (Strata Cloud Manager)

Configure App Acceleration in Prisma Access (Panorama)

Prisma Access Mobile Users

Mobile Users: GlobalProtect

Planning Checklist for GlobalProtect on Prisma Access

Set Up GlobalProtect Mobile Users

Set Up GlobalProtect Mobile Users (Strata Cloud Manager)

Set Up GlobalProtect Mobile Users (Panorama)

GlobalProtect — Customize Tunnel Settings

GlobalProtect — Customize Tunnel Settings (Strata Cloud Manager)

GlobalProtect — Customize Tunnel Settings (Panorama)

GlobalProtect — Customize App Settings

Ticket Request to Disable GlobalProtect

Ticket Request to Disable GlobalProtect (Strata Cloud Manager)

Ticket Request to Disable GlobalProtect (Panorama)

GlobalProtect Pre-Logon

GlobalProtect Pre-Logon (Strata Cloud Manager)

GlobalProtect Pre-Logon (Panorama)

GlobalProtect — Clientless VPN

Monitor GlobalProtect Mobile Users

IP Address Pools for a GlobalProtect Mobile Users Deployment

Static IP Address Allocation for Mobile Users—GlobalProtect Deployments

How the GlobalProtect App Selects Prisma Access Locations for Mobile Users

Allow Listing GlobalProtect Mobile Users

Allow Listing GlobalProtect Mobile Users (Strata Cloud Manager)

Allow Listing GlobalProtect Mobile Users (Panorama)

GlobalProtect App Upgrades

Select the Active GlobalProtect App Version for Prisma Access

Select the Active GlobalProtect App Version for Prisma Access (Managed by Strata Cloud Manager)

Select the Active GlobalProtect App Version for Prisma Access (Managed by Panorama)

Allow Users to Upgrade the GlobalProtect App

Allow Users to Upgrade the GlobalProtect App (Strata Cloud Manager)

Allow Users to Upgrade the GlobalProtect App (Panorama)

Stagger GlobalProtect App Updates

Integrate Prisma Access with On-Premises GlobalProtect Gateways

Setting Priority for Prisma Access and On-Premises Gateways

Mobile Users: Explicit Proxy

Explicit Proxy Configuration Guidelines

GlobalProtect in Proxy Mode

GlobalProtect in Proxy Mode (Strata Cloud Manager)

GlobalProtect in Proxy Mode (Panorama)

GlobalProtect in Tunnel and Proxy Mode

GlobalProtect in Tunnel and Proxy Mode (Strata Cloud Manager)

GlobalProtect in Tunnel and Proxy Mode (Panorama)

Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic

Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic (Strata Cloud Manager)

Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic (Panorama)

SAML Authentication for Explicit Proxy

Configure Explicit Proxy with SAML (Strata Cloud Manager)

Configure Explicit Proxy with SAML (Panorama)

Set Up Explicit Proxy

Cloud Management

Set Up Explicit Proxy (Panorama)

Kerberos Authentication for Explicit Proxy Deployments

Requirements and Recommendations for Deploying Kerberos for Explicit Proxy Deployments

Create a Kerberos Keytab

Configure Kerberos Authentication for Explicit Proxy Deployments

Configure Kerberos Authentication for Explicit Proxy Deployments (Strata Cloud Manager)

Configure Kerberos Authentication for Explicit Proxy Deployments (Panorama)

Cloud Identity Engine Authentication for Explicit Proxy Deployments

Cloud Identity Engine Authentication for Explicit Proxy Deployments (Strata Cloud Manager)

Cloud Identity Engine Authentication for Explicit Proxy Deployments (Panorama)

Proxy Mode on Remote Networks

Proxy mode on Remote Networks (Strata Cloud Manager)

Proxy mode on Remote Networks (Panorama)

How Explicit Proxy Identifies Users

Explicit Proxy Forwarding Profiles

PAC File Guidelines

PAC File Guidelines (Strata Cloud Manager)

PAC File Guidelines (Panorama)

Explicit Proxy Best Practices

Monitor and Troubleshoot Explicit Proxy

Monitor and Troubleshoot Explicit Proxy (Strata Cloud Manager)

Monitor and Troubleshoot Explicit Proxy (Panorama)

Block Settings for Explicit Proxy

Use Special Objects to Restrict Explicit Proxy Internet Traffic to Specific IP Addresses

Access Your Data Center Using Explicit Proxy

Access Your Data Center Using Explicit Proxy (Strata Cloud Manager)

Access Your Data Center Using Explicit Proxy (Panorama)

App-Based Office 365 Integration with Explicit Proxy

App-Based Office 365 Integration with Explicit Proxy (Strata Cloud Manager)

App-Based Office 365 Integration with Explicit Proxy (Panorama)

Configure Proxy Chaining with Blue Coat Proxy

Use Explicit Proxy with GlobalProtect (or a Third-Party VPN)

Requirements for Using Explicit Proxy with GlobalProtect or a Third-Party VPN

Explicit Proxy and GlobalProtect: How It Works

Explicit Proxy and GlobalProtect: Set It Up

Explicit Proxy and GlobalProtect: Set It Up (Strata Cloud Manager)

Explicit Proxy and GlobalProtect: Set It Up (Panorama)

Explicit Proxy with Third-Party VPNs

IP Address Optimization for Explicit Proxy Users- Proxy Deployments

DNS Resolution for Mobile Users—Explicit Proxy Deployments

View User to IP Address or User Groups Mappings

Report Mobile User Site Access Issues

Enable Mobile Users to Authenticate to Prisma Access

Authentication Support and Features

Set Up Authentication

Enable Mobile Users to Access Corporate Resources

Prisma Access Remote Networks

Planning Checklist for Remote Networks

Allocate Remote Network Bandwidth

Allocate Remote Network Bandwidth (Strata Cloud Manager)

Allocate Remote Network Bandwidth (Panorama)

Plan Your Migration to the New Model

Migrate Your Bandwidth Management Settings

Migrate Your Bandwidth Management Settings (Strata Cloud Manager)

Migrate Your Bandwidth Management Settings (Panorama)

Onboard a Remote Network

Onboard a Remote Network (Strata Cloud Manager)

Onboard a Remote Network (Panorama)

Connect a Remote Network Site to Prisma Access

Enable Routing for Your Remote Network

Onboard Multiple Remote Networks

Verify If Remote Network Is Connected to Prisma Access

Verify If Remote Network Is Connected to Prisma Access (Strata Cloud Manager)

Verify If Remote Network Is Connected to Prisma Access (Panorama)

Verify Remote Connection BGP Status

Configure Remote Network and Service Connection Connected with a WAN Link

QoS for Remote Networks

QoS for Remote Networks (Strata Cloud Manager)

QoS for Remote Networks (Panorama)

Change the Guaranteed Bandwidth

Remote Networks—High Performance

Strata Cloud Manager

Integrate a Shared Desktop VDI with Prisma Access Using Terminal Server

Prisma Access Monitoring and Visibility

Prisma Access Logs

Prisma Access Logs (Strata Cloud Manager)

Prisma Access Logs (Panorama)

External Logs and Other Data

Prisma Access Activity Dashboards and Reports

View and Monitor Prisma Access in Strata Cloud Manager

Get Started with Prisma Access Monitoring in Strata Cloud Manager

View and Monitor Applications

View and Monitor App Acceleration

View Mobile Users

View and Monitor IPv6 for Mobile Users

View and Monitor Branch Sites

View and Monitor Data Centers

View and Monitor Service Connections

View and Monitor Colo-Connect

View and Monitor ZTNA Connectors

View and Monitor ZTNA Connector Access Objects

View and Monitor Network Services

View and Monitor Network Services: GlobalProtect Authentication

View and Monitor Network Services: DNS

View Subscription Usage

View and Monitor Prisma Access Locations

View and Monitor Third-Party Device-IDs

View and Monitor Remote Browser Isolation

Prisma Access and Autonomous DEM

Prisma Access User-Based Policy

Prisma Access User-Based Policy (Strata Cloud Manager)

Prisma Access User-Based Policy (Panorama)

Integrate Cloud Identity Engine with Prisma Access

Integrate Cloud Identity Engine with Prisma Access (Strata Cloud Manager)

Integrate Cloud Identity Engine with Prisma Access (Panorama)

Retrieve User-ID Group Mappings for Prisma Access

Cloud Identity Engine

Long-Form Distinguished Name Entries

Identity Redistribution

Identity Redistribution (Strata Cloud Manager)

Identity Redistribution (Panorama)

Configure Third-Party Device-ID in Prisma Access

Configure Third-Party Device-ID in Prisma Access (Strata Cloud Manager)

Configure Third-Party Device-ID in Prisma Access (Panorama)

Third-Party Device-ID APIs

Update Verdicts

Delete All Verdicts

verdicts Object

Query Verdicts by IP Address

Query Verdict Statistics

Prisma Access Multi-Tenancy

Multitenancy Configuration Overview

Plan Your Multitenant Deployment

Create an All-New Multitenant Deployment

Enable Multitenancy and Migrate the First Tenant

Add Tenants to Prisma Access

Delete a Tenant

Create a Tenant-Level Administrative User

Control Role-Based Access for Tenant-Level Administrative Users

Remove Plugin Access for a Tenant-Level Administrative User

Sort Logs by Device Group ID in a Multitenant Deployment

Prisma Access in a FedRAMP Environment

Prisma Access FedRAMP Requirements

Configure Prisma Access in a FedRAMP Environment

Prisma Access Advanced Deployments

Add a New Compute Location for a Deployed Prisma Access Location

Native IPv6 Support Overview

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure (Strata Cloud Manager)

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure (Panorama)

Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment

Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment (Strata Cloud Manager)

Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment (Panorama)

Enable IPv6 Networking for Service Connections

Enable IPv6 Networking for Service Connections (Strata Cloud Manager)

Enable IPv6 Networking for Service Connections (Panorama)

Enable IPv6 Networking for Remote Networks

Enable IPv6 Networking for Remote Networks (Strata Cloud Manager)

Enable IPv6 Networking for Remote Networks (Panorama)

DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments

DNS Resolution for Mobile Users—GlobalProtect Deployments

DNS Resolution for Remote Networks

How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections

Proxy Support for Prisma Access and Strata Logging Service

Block Incoming Connections from Specific Countries

Secure Internet Traffic from AWS WorkSpace

Configure a PAC File on AWS WorkSpace Clients

Configure a Site-to-Site Tunnel between AWS and Prisma Access

Prisma Access for No Default Route Networks

Prisma Access Service Connection Advanced Deployments

Service Connection Multi-Cloud Redundancy

Configure and Activate Service Connection Cloud Provider Redundancy

Supported In-Country Active and Backup Cloud Provider Redundancy Locations

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Default Routes With Prisma Access Traffic Steering

Traffic Steering in Prisma Access

Traffic Steering Requirements

Default Routes with Traffic Steering Example

Default Routes with Traffic Steering Direct to Internet Example

Default Routes with Traffic Steering and Dedicated Service Connection Example

Prisma Access Traffic Steering Rule Guidelines

Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections

Configure Traffic Steering in Prisma Access

Configure Traffic Steering in Prisma Access (Strata Cloud Manager)

Configure Traffic Steering in Prisma Access (Panorama)

Routing for Service Connection Traffic

Configure Routing Preferences

Create a High-Bandwidth Network Using Multiple Service Connections

Create a High-Bandwidth Connection to a Headquarters or Data Center Location

Configure More than Two Service Connections to a Headquarters or Data Center Location

Preserve User-ID and Device-ID Mapping for Service Connections with Source NAT

Preserve User and Device-ID Mapping for Service Connections with Source NAT (Strata Cloud Manager)

Preserve User and Device-ID Mapping for Service Connections with Source NAT (Panorama)

Prisma Access Mobile Users—GlobalProtect Advanced Deployments

Configure Multiple Portals in Prisma Access

Configure Multiple Portals in Prisma Access (Strata Cloud Manager)

Configure Multiple Portals in Prisma Access (Panorama)

Dynamic DNS Registration Support for Remote Troubleshooting and Updates

Configure Dynamic DNS Updates for Prisma Access (Managed by Strata Cloud Manager)

Configure Dynamic DNS Updates for Prisma Access (Managed by Panorama)

Dynamic DNS Registration Support for Mobile Users—GlobalProtect

Enable DDNS for Mobile Users—GlobalProtect

Verify Dynamic DNS Configuration

Identification and Quarantine of Compromised Devices in a Prisma Access GlobalProtect Deployment

Use Cases for Quarantine List Redistribution

Configure Quarantine List Redistribution in Prisma Access

Sinkhole IPv6 Traffic in Mobile Users—GlobalProtect Deployments

Configure GlobalProtect to Disable Direct Access to the Local Network

Set Up an IPv6 Sinkhole On the On-Premises Gateway

Redistribute HIP Information with Prisma Access

Configure HIP Redistribution in Prisma Access

Configure HIP Redistribution in Prisma Access (Strata Cloud Manager)

Configure HIP Redistribution in Prisma Access (Panorama)

View HIP Reports

Support for Gzip Encoding in Clientless VPN

Traffic Replication in Prisma Access

Traffic Replication in Prisma Access (Strata Cloud Manager)

Traffic Replication in Prisma Access (Panorama)

Prisma Access Remote Network Advanced Deployments

Prisma Access Internal Gateway

Prisma Access Internal Gateway (Strata Cloud Manager)

Prisma Access Internal Gateway (Panorama)

Provide Secure Inbound Access to Remote Network Locations

Secure Inbound Access for Remote Network Sites

Secure Inbound Access Examples

Guidelines for Using Secure Inbound Access

Configure Secure Inbound Access for Remote Network Sites

Configure Secure Inbound Access for Remote Networks

Configure Secure Inbound Access for Remote Networks (Strata Cloud Manager)

Configure Secure Inbound Access for Remote Networks (Panorama)

Configure Secure Inbound Access for Remote Network Sites for Locations that Allocate Bandwidth by Location

Create a High-Bandwidth Network for a Remote Site

Prisma Access for Clean Pipe

Prisma Access for Clean Pipe Overview

Clean Pipe Use Cases

Clean Pipe Examples

Clean Pipe and Partner Interconnect Requirements

Complete the Clean Pipe Configuration

Enable Multitenancy and Create a Tenant

Privileged Remote Access

Configure Privileged Remote Access Settings

Set Up the Privileged Remote Access Portal

Configure Applications for Privileged Remote Access

Set Up Privileged Remote Access Profiles

Define Permissions for Accessing Privileged Remote Access Apps

Configure Split Tunneling for Privileged Remote Access Traffic

Configure Split Tunneling for Privileged Remote Access Traffic (Strata Cloud Manager)

Configure Split Tunneling for Privileged Remote Access Traffic (Panorama)

Manage Privileged Remote Access Connections

Use Privileged Remote Access

Prisma Access Browser

Prisma Access Browser Getting Started

Overview: What is the Prisma Access Browser?

Prisma Access Browser Prerequisites

Prisma Access Browser Administration

Use the Prisma Access Browser Dashboards

Monitor Prisma Access Browser Statistics

Investigate Prisma Access Browser Events

Manage Prisma Access Browser Users

Manage Prisma Access Browser Devices

Configure Prisma Access Browser Device Posture Attributes

Configure Prisma Access Browser Mobile Device Posture Attributes

Configure Prisma Access Browser Extension Posture Attributes

Manage Prisma Access Browser Device Groups

Prisma Access Browser Device Posture Attributes

Manage Prisma Access Browser Applications

Manage Prisma Access Browser Extensions

Manage Prisma Access Browser Policy Rules

Manage Prisma Access Browser Access and Data Control Rules

Manage Prisma Access Browser Security Rules

Manage Prisma Access Browser Customization Rules

Manage Prisma Access Browser Policy Profiles

Configure Prisma Access Browser Data Controls

Configure Prisma Access Browser Browser Security Controls

Configure Prisma Access Browser Browser Customization Controls

Manage Prisma Access Browser Sign-in Rules

Manage Prisma Access Browser Requests to Bypass Policy Rules

Manage Prisma Access Browser Mobile Devices

Location-based Policy

The Prisma Access Browser Extension

Prisma Access Browser User Guide

Prisma Access Browser User Guide Overview

Set Up and Use the Prisma Access Browser

Use the Prisma Access Browser Control Pane

Prisma Access Browser Release Notes

Prisma Access Browser Release Updates

Prisma Access Browser Deployment

Deploy the Prisma Access Browser

Deploy Prisma Access Browser Using Self-Service Methods

Deploy Prisma Access Browser Using Offline MSI Installer

Deploy Prisma Access Browser Using Jamf

Deploy Prisma Access Browser Using Intune

Deploy Prisma Access Browser Using Workplace ONE

Prisma Access Browser End-of-Life Policy

Deploy the Prisma Access Browser Extension

Prisma Access Browser Update Mechanics

Troubleshoot the Prisma Access Browser

Prisma Access Mobile Browser

Deploy the Prisma Access Browser Extension

Prisma Access Browser Activation & Onboarding

Activate New Prisma Access Browser with Prisma Access Enterprise Bundle License

Cloud Managed Prisma Access Browser Bundle License

Panorama Managed Prisma Access Browser Bundle License

Activate Standalone Prisma Access Browser License

Onboard Prisma Access Browser on the Strata Cloud Manager

Assign Prisma Access Browser Roles

Prisma Access Browser Integrations

Integrate Prisma Access Browser with Microsoft 365

Integrate Prisma Access Browser with Microsoft Information Protection

Integrate Prisma Access Browser with Google Workspace

Integrate Prisma Access Browser with Votiro

Integrate Prisma Access Browser with CrowdStrike Falcon Intelligence

Integrate Prisma Access Browser with OPSWAT MetaDefender

Integrate Prisma Access Browser with YazamTech SelectorIT

Integrate Prisma Access Browser with Symantec DLP

IP Based Enforcement

Certificate-Based Enforcement

F5 Certificate Enforcement

Prisma SD-WAN CloudBlades Integration with Prisma Access

Prisma SD-WAN CloudBlades Integration with Prisma Access

Prisma SD-WAN and Prisma Access Integration Requirements

Prisma SD-WAN and Prisma Access Integration Requirements (Panorama Managed CloudBlade)

Prisma SD-WAN and Prisma Access Integration Requirements (Cloud Managed CloudBlade)

Prisma Access and Prisma SD-WAN CloudBlade Compatibility

Plan your Prisma SD-WAN Panorama Managed CloudBlade for Prisma Access Deployment

Panorama High Availability (HA) Support

Configure and Integrate Prisma Access CloudBlade

Configure and Integrate Prisma Access CloudBlade (Panorama Managed CloudBlade)

Configure and Integrate Prisma Access CloudBlade (Cloud Managed CloudBlade)

Configure Custom Liveliness Probe

Prisma Access for Networks Aggregate Bandwidth Licensing

QoS CIR Support For Aggregate Bandwidth

QoS CIR Support for Aggregate Bandwidth (Panorama Managed CloudBlade)

QoS CIR Support for Aggregate Bandwidth (Cloud Managed CloudBlade)

IPSec Termination Nodes Within Prisma

IPSec Termination Nodes Within Prisma (Panorama Managed CloudBlade)

IPSec Termination Nodes Within Prisma (Cloud Managed CloudBlade)

Determine IPSec Termination Nodes

Determine IPSec Termination Nodes (Panorama Managed CloudBlade)

Determine IPSec Termination Nodes (Cloud Managed CloudBlade)

Configure Site-Level Settings to Onboard a Site

Onboard an ECMP Site

Onboard a Non-ECMP Site

Prisma Access CloudBlade Tag Information

Customize Prisma Access Objects Names using CloudBlade Tag

Prisma Access for Networks Region List

Edit Application Policy Network Rules

Understand Service and Data Center Groups

Verify Standard VPN Endpoints

Use Groups in Network Policy Rules

Enable, Pause, Disable, and Uninstall the Integration

ADEM for Prisma SD-WAN Remote Networks

Enable Autonomous DEM in Prisma Access

Enable Autonomous DEM in Prisma Access (Panorama Managed CloudBlade)

Enable Autonomous DEM in Prisma Access (Cloud Managed CloudBlade)

Troubleshoot the Integration Process and Standard VPNs

Monitor the Prisma Access for Networks CloudBlade

Troubleshoot Common Scenarios

Correlate Objects between Prisma SD-WAN and Prisma Access

View Standard VPNs at a Site Level

Use the Device Toolkit

Check Tunnel Status

Check Tunnel Status (Panorama Managed CloudBlade)

Check Tunnel Status (Cloud Managed CloudBlade)

All Release Notes

Remote Browser Isolation

Remote Browser Isolation Administrator's Guide

Remote Browser Isolation

How Remote Browser Isolation Works

Configure Remote Browser Isolation

Configure Remote Browser Isolation (Strata Cloud Manager)

Configure Remote Browser Isolation (Panorama)

Integrate with a Third-Party Content Disarm and Reconstruction Provider

Integrate RBI with Votiro

Isolated Browsing Experience

Monitor Remote Browser Isolation

Remote Browser Isolation Logs

Remote Browser Isolation in China

Remote Browser Isolation Release Notes

Remote Browser Isolation Release Information

What's New in Remote Browser Isolation

Remote Browser Isolation Known Issues

Remote Browser Isolation Limitations

Transparent Safe Search

Windows Batch Script: Exclude Traffic from VPN Tunnel

Msiexec: Deploy Scripts that Run Before a Connect Event

Msiexec: Deploy Scripts that Run at Pre/Post-Connect, and Pre-Disconnect Events

Mac Batch Script: Mount a Network Share

Licensing, Registration, and Activation

Common Event Format (CEF) Configuration Guides

Enterprise SNMP MIB Files

RADIUS Dictionary

Micro USB Console Port

Software End-of-Life (EoL)

Hardware End-of-Sale (EoS)

Recent Documentation Updates

Recent Release Note Updates

All Products A - Z

External Resources

EDL Hosting Service

Quick Config Video: About Dynamic Address Groups

Quick Config Video: Remote Access VPN (Authentication Profile)

Quick Config Video: Use Dynamic Address Groups in Policy

How to Use Global Find to Search for Specific Strings

AutoFocus Feature Snapshot: Quick Search

Introduction to the AutoFocus API

SaaS Application Visibility in PAN-OS 8.0

Panorama on Google Cloud Platform

Deploy Panorama Interconnect

Configure a GRE Tunnel

Create an Enterprise DLP Data Pattern on Panorama

Introduction to the PAN-OS API

IoT Security Topology Explorer, Part 1

IoT Security Topology Explorer, Part 2

Create a Folder on Strata Cloud Manager

Create a Notification Rule for Alerts in Strata Cloud Manager

Assess Vulnerabilities and Generate Upgrade Reports in Strata Cloud Manager

Create a Customized APN Profile

Reports in Strata Cloud Manager

Configure a Template or Template Stack Variable

Create a Custom Dashboard in Strata Cloud Manager

Allocate Storage Based on Log Type

Monitor Security Subscriptions in Strata Cloud Manager

Analyze Metric Capacity in Strata Cloud Manager

About Prisma SASE Incidents and Alerts

Prisma SASE Incident List

Scope Management in Strata Cloud Manager

Manage Your Favorites in Strata Cloud Manager

Accio Web Features

What's New Search

SaaS Security Release Notes

Features Introduced in 2021

New Features Introduced in March 2021

New Features Introduced in January 2021

New Features Introduced in June 2021

New Features Introduced in May 2021

New Features Introduced in July 2021

New Features Introduced in August 2021

New Features Introduced in September 2021

New Features Introduced in October 2021

New Features Introduced in December 2021

Features Introduced in 2022

New Features Introduced in January 2022

New Features Introduced in February 2022

New Features Introduced in March 2022

New Features Introduced in April 2022

New Features Introduced in June 2022

New Features Introduced in August 2022

Features Introduced in 2023

New Features Introduced in January 2023

New Features Introduced in March 2023

New Features Introduced in April 2023

New Features Introduced in June 2023

New Features Introduced in July 2023

New Features Introduced in August 2023

New Features Introduced in September 2023

New Features Introduced in October 2023

New Features Introduced in May 2023

New Features Introduced in November 2023

Features Introduced in 2024

New Features Introduced in January 2024

New Features Introduced in March 2024

New Features Introduced in April 2024

New Features Introduced in May 2024

New Features Introduced in June 2024

New Features Introduced in July 2024

New Features Introduced in August 2024

New Features Introduced in October 2024

New Features Introduced in November 2024

New Features Introduced in December 2024

SaaS Security Administrator's Guide

What’s SaaS Security?

SaaS Security License Types

Get Started with Data Security

What’s Data Security?

Navigate To Data Security in Cloud Management Console

Support on Data Security

Supported SaaS Applications on Data Security

Supported Content, Remediation and Monitoring

Supported File Types for Scanning Assets

Supported File Types for WildFire Analysis

Supported SaaS Applications with Selective Scanning

Supported Languages for Scanning Assets

Activate Data Security on the Hub

Manage Data Security Administrators

View Administrator Activity on Data Security

Create Application Groups

Add a Custom Admin Role

Predefined Role Privileges on Data Security

Configure Settings on Data Security

Define Your Internal Domains

Define Trusted and Untrusted Users and Domains

Enable Data Masking

Configure the Email Alias and Logo for Sending Notifications

Secure Sanctioned SaaS Apps on Data Security

Allowed List of IP Addresses

Add Cloud Apps to Data Security

Begin Scanning an Amazon S3 App

Scan a Single Amazon S3 Account

Cross Account Scan Multiple Amazon S3 Accounts

Add the Amazon S3 App

Exclude Amazon S3 Buckets from Scans

Begin Scanning a Bitbucket App

Begin Scanning a Box App

Begin Scanning ChatGPT Enterprise App

Begin Scanning a Cisco Webex Teams App

Begin Scanning a Confluence App

Begin Scanning a Confluence Data Center App

Begin Scanning a Dropbox App

Begin Scanning a GitHub App

Begin Scanning a Gmail App

Begin Scanning a Google Drive App

Begin Scanning a Jira App

Begin Scanning a Jira Data Center App

Begin Scanning a Microsoft Exchange App

Begin Scanning Office 365 Apps

Begin Scanning a Microsoft Teams App

Begin Scanning a Salesforce App

Begin Scanning a ServiceNow App

Begin Scanning a ShareFile App

Begin Scanning a Slack Enterprise App

Begin Scanning a Slack for Pro and Business App

Begin Scanning a Workday App (Beta)

Begin Scanning a Zendesk App

Begin Scanning a Zoom App

Reauthenticate to a Cloud App

Verify Permissions on Cloud Apps

Start Scanning a Cloud App

Rescan a Managed Cloud App

Delete Cloud Apps Managed by Data Security

Configure Classification Labels

Microsoft Labeling for Office 365

Configure WildFire Analysis

Google Drive Labeling

Configure Phishing Analysis

Manage Policy for Sanctioned SaaS Apps

Policy Types on Data Security

Data Asset Policies

Predefined Data Asset Policies on Data Security

Add a New Data Asset Policy

Building Blocks in Data Asset Policies

Match Criteria for Data Asset Policies

View Asset Details

User Activity Policies

Add a New User Activity Policy

Match Criteria for User Activity Policies

Examples of User Activity Policies

View Policy Violations for User Activity

Predefined Policies to Detect Suspicious User Activity

Security Control Policies

Add a New Security Control Policy

View Policy Violations for Security Controls

Fine-Tune Policy

Delete a Policy

Disable a Policy

Assess Incidents on Data Security

What is an Incident?

Assess New Incidents on Data Security

Filter Incidents

Configure Slack Notification Alerts on Data Security

Security Controls Incident Details

Track Down Threats with WildFire Report

Customize the Incident Categories

Close Incidents

Download Assets for Incidents

View Asset Snippets for Incidents

Analyze Inherited Exposure

Email Asset Owners

Modify Incident Status

Generate Reports on Data Security

Generate the SaaS Risk Assessment Report

Generate the GDPR Report

Remediate Risks of Sanctioned SaaS Apps

Remediation Approaches for Incidents

Automatic Incident Remediation Options

Automatically Remediate Incidents

Manage Quarantined Files

Remediation Email Digest

View Remediation Activity Logs

Manually Remediate Incidents

Modify Incident Status

Manually Quarantine Assets

Assign Incidents to Another Administrator

Create a Custom Email Template

Monitor Data Security

Monitor Services on Data Security

Monitor Scan Results on the Dashboard

View All Open Incidents

View All Domains for Collaborators

Monitor and Investigate User Activity

Group-Based Visibility

Connect Directory Services to Data Security

Begin Using Azure Active Directory Groups

Manage Your Directory Service on Data Security

Enable Group-Based Policy

Enable Group-Based Incident Management

Enable Group-based Selective Scanning

Use Faceted Search to Filter Assets

Use Advanced Search

Use Advanced Search Expressions

Export Results to CSV File

Integrate CIE with Data Security

Syslog and API Client Integration on Data Security

Syslog Integration on Data Security

Configure Syslog Monitoring on Data Security

Syslog Field Descriptions

Incidents Log Fields

Remediation Activity Log Fields

Policy Violation Log Fields

Activity Monitoring Log Fields

Admin Audit Log Fields

API Client Integration on Data Security

Cortex XSOAR for Data Security

Add Your API Client to Data Security

API Client Authentication

Retrieve a Token

Authentication Errors

API References on Data Security

HTTP Request Methods and Status Codes

Incident and Remediation API

SaaS Security Inline

Get Started with SaaS Security Inline

What’s SaaS Security Inline?

Navigate To SaaS Security Inline

SaaS Visibility for NGFW

SaaS Visibility and Controls for NGFW

SaaS Visibility for Prisma Access

SaaS Visibility and Controls for Panorama Managed Prisma Access

SaaS Visibility and Controls for Cloud Managed Prisma Access

Activate SaaS Security Inline for NGFW

Activate SaaS Security Inline for VM-Series Firewalls with Software NGFW Credits

Activate SaaS Security Inline for Prisma Access

Connect SaaS Security Inline and Strata Logging Service

Integrate with Azure Active Directory

Manage SaaS Security Inline Administrators

Predefined Role Privileges on SaaS Security Inline

View Administrator Activity on SaaS Security Inline

Update Your Security Policy Rulebase for ACE App-IDs

Update Your Policy Rulebase for ACE App-IDs on Strata Cloud Manager

Update Your Policy Rulebase for ACE App-IDs on Panorama

Assess Risks of Unsanctioned SaaS Apps

View Usage Data for Unsanctioned SaaS Apps

SaaS Visibility Application Attributes

How SaaS Security Inline Determines an Application's Risk Score

Identify Risky Unsanctioned SaaS Applications and Users

SaaS Security Report

Generate the SaaS Security Report

Filter Unsanctioned SaaS Apps

Remediate Risks of Unsanctioned SaaS Apps

Manage Policy for Unsanctioned SaaS Apps

SaaS Policy Rule Recommendations

App-ID Cloud Engine

Guidelines for SaaS Policy Rule Recommendations

Predefined SaaS Policy Rule Recommendations

Apply Predefined SaaS Policy Rule Recommendations

Create SaaS Policy Rule Recommendations

Delete SaaS Policy Rule Recommendations

Enable SaaS Policy Rule Recommendations

Modify Active SaaS Policy Rule Recommendations

Monitor SaaS Policy Rule Recommendations

Manage Enforcement of Rule Recommendations on Cloud Managed Prisma Access

Enable Automatic Updates for SaaS Policy Rule Recommendations on Cloud Managed Prisma Access

Import New SaaS Policy Rule Recommendations on Cloud Managed Prisma Access

Update Imported SaaS Policy Rule Recommendations on Cloud Managed Prisma Access

Remove Deleted SaaS Policy Rule Recommendations on Cloud Managed Prisma Access

Manage Enforcement of Rule Recommendations on NGFW

Manage Enforcement of Rule Recommendations on Panorama Managed Prisma Access

Tag Discovered SaaS Apps

Apply Tag Recommendations to Sanctioned Apps

Change Risk Score for Discovered SaaS Apps

Troubleshoot Issues on SaaS Security Inline

Troubleshoot Issues on SaaS Security Inline for Cloud Managed Prisma Access

Troubleshoot Issues on SaaS Security Inline for NGFW

SaaS Security Posture Management

Get Started with SaaS Security Posture Management

What’s SaaS Security Posture Management (SSPM)?

Navigate to SSPM

Activate SaaS Security Posture Management

Add SaaS Security Posture Management Administrators

Configure SSPM to Create Tickets in an Issue Tracking System

Link SSPM to a Jira Instance

Unlink SSPM from a Jira or ServiceNow Instance

Link SSPM to a ServiceNow Instance

Supported SaaS Applications on SSPM

Onboard SaaS Apps Supported by SSPM

Onboarding Overview for Supported SaaS Apps

Onboard an Aha.io App to SSPM

Onboard an Alteryx Designer Cloud App to SSPM

Onboard an Aptible App to SSPM

Onboard an ArcGIS App to SSPM

Onboard an Articulate Global App to SSPM

Onboard an Atlassian App to SSPM

Onboard a BambooHR App to SSPM

Onboard a Basecamp App to SSPM

Onboard a Bitbucket App to SSPM

Onboard a BlueJeans App to SSPM

Onboard a Box App to SSPM

Onboard a Bright Security App to SSPM

Onboard a Celonis App to SSPM

Onboard a Cisco Meraki App to SSPM

Onboard a ClickUp App to SSPM

Onboard a Confluence App to SSPM

Onboard a Contentful App to SSPM

Onboard a Convo App to SSPM

Onboard a Couchbase App to SSPM

Onboard a Coveo App to SSPM

Onboard a Crowdin Enterprise App to SSPM

Onboard a Customer.io App to SSPM

Onboard a Databricks App to SSPM

Onboard a Datadog App to SSPM

Onboard a DocHub App to SSPM

Onboard a DocuSign App to SSPM

Onboard a Dropbox Business App to SSPM

Onboard a Dropbox Business App to SSPM Using OAuth 2.0

Onboard a Dropbox Business App to SSPM Using Okta SSO

Onboard an Envoy App to SSPM

Onboard an Expiration Reminder App to SSPM

Onboard a Gainsight PX App to SSPM

Onboard a GitHub Enterprise App to SSPM

Onboard a GitHub Enterprise App to SSPM Using OAuth 2.0

Onboard a GitHub Enterprise App to SSPM Using Login Credentials

Onboard a GitLab App to SSPM

Onboard a Google Analytics App to SSPM

Onboard a Google Workspace App to SSPM

Onboard a GoTo Meeting App to SSPM

Onboard a Grammarly App to SSPM

Onboard a Harness App to SSPM

Onboard a Hellonext App to SSPM

Onboard an IDrive App to SSPM

Onboard an Intercom App to SSPM

Onboard a Jira App to SSPM

Onboard a Kanbanize App to SSPM

Onboard a Kanban Tool App to SSPM

Onboard a Kustomer App to SSPM

Onboard a Lokalise App to SSPM

Onboard a Microsoft Azure AD App to SSPM

Onboard a Microsoft Exchange App to SSPM

Onboard a Microsoft Exchange App for Scans That Use the Microsoft Graph API

Onboard a Microsoft Exchange App for Scans That Use Data Extraction

Onboard a Microsoft OneDrive App to SSPM

Onboard a Microsoft OneDrive App for Scans That Use the Microsoft Graph API

Onboard a Microsoft OneDrive App for Scans That Use Data Extraction

Onboard a Microsoft Outlook App to SSPM

Onboard a Microsoft Power BI App to SSPM

Onboard a Microsoft SharePoint App to SSPM

Onboard a Microsoft SharePoint App for Scans That Use the Microsoft Graph API

Onboard a Microsoft SharePoint App for Scans That Use Data Extraction

Onboard a Microsoft Teams App to SSPM

Onboard a Microsoft Teams App for Scans That Use the Microsoft Graph API

Onboard a Microsoft Teams App for Scans That Use Data Extraction

Onboard a Miro App to SSPM

Onboard a monday.com App to SSPM

Onboard a MongoDB Atlas App to SSPM

Onboard a MuleSoft App to SSPM

Onboard a Mural App to SSPM

Onboard an Office 365 App to SSPM

Onboard Office 365 Productivity Apps to SSPM

Onboard Office 365 Productivity Apps for Scans That Use the Microsoft Graph API

Onboard Office 365 Productivity Apps for Scans That Use Data Extraction

Onboard an Okta App to SSPM

Onboard a PagerDuty App to SSPM

Onboard a RingCentral App to SSPM

Onboard a Salesforce App to SSPM

Onboard an SAP Ariba App to SSPM

Onboard a ServiceNow App to SSPM

Onboard a Slack Enterprise App to SSPM

Onboard a Snowflake App to SSPM

Onboard a SparkPost App to SSPM

Onboard a Tableau Cloud App to SSPM

Onboard a Webex App to SSPM

Onboard a Workday App to SSPM

Onboard a Wrike App to SSPM

Onboard a YouTrack App to SSPM

Onboard a Zendesk App to SSPM

Onboard a Zoom App to SSPM

Onboarding an App Using Azure AD Credentials

Onboarding an App Using Okta Credentials

Register an Azure AD Client Application

View the Health Status of Application Scans

Delete SaaS Apps Managed by SSPM

Assess Posture Security

Monitor Posture Security

Send SSPM Notifications to Webhooks

Configure a Syslog Receiver for SSPM

SSPM Syslog Field Descriptions

View Misconfigured Settings Detected by SSPM

Create SSPM Policies to Monitor SaaS Application Settings

View Misconfigurations by SaaS App

View Third-Party Plugins

View a Catalog of Third-Party Plugins

Determine the Risks Posed by a Third-Party Plugin

Determine the Risks Posed by Third-Party Plugins for One Marketplace App

Determine the Risks Posed by a Third-Party Plugin Across All Marketplace Apps

View Third-Party Plugin Users

View Third-Party Plugin Users for One Marketplace App

View Third-Party Plugin Users Across All Marketplace Apps

View Risky Accounts by SaaS App

Assess Identity Security

View MFA Misconfigurations

View Account Risks

Assess Compliance Posture

Remediate Posture Security Risks

Best Practices for Posture Security Remediation

Remediate SaaS App Misconfigurations

Take Action on Third-Party Plugins

Take Action on Risky Accounts

Remediate Identity Security Risks

Create and View Tickets for Rule Violations

Create a Ticket for a Rule Violation

View a Ticket Associated With a Rule Violation

Unlink a Ticket Associated With a Rule Violation

Change App Owner to an Onboarded Application

Behavior Threats

Navigate to Behavior Threats

Policies for Detecting Threats

Disable and Enable Policies

View Details for the Most Risky Users

View All Threat Incidents

View Threat Details for All Users

Add Users of Interest to the Watchlist

View the Users on the Watchlist

Secure Access Service Edge

Strata Multitenant Cloud Manager

Strata Multitenant Cloud Manager

Access the Strata Multitenant Cloud Manager

Access Products from the Strata Multitenant Cloud Manager

License and Activate Strata Multitenant Cloud Manager

Use Common Services: Subscription Management

First Time Setup for Strata Multitenant Cloud Manager

Tenant Management Through the Strata Multitenant Cloud Manager

Use Common Services: Tenant Management

Manage Identity and Access Through the Strata Multitenant Cloud Manager

Use Common Services: Identity Management

Monitor Tenants Through the Strata Multitenant Cloud Manager

Summary Screen of the Strata Multitenant Cloud Manager

SASE Summary Dashboard

Prisma Access Summary Dashboard

Prisma SD-WAN Summary Dashboard

Monitor Tenant Threats Through the Strata Multitenant Cloud Manager

View Child Tenant Threat Details Through the Strata Multitenant Cloud Manager

Monitor Tenant Applications Through the Strata Multitenant Cloud Manager

Monitor Service Connectivity Through the Strata Multitenant Cloud Manager

View Child Service Connectivity Details Through the Strata Multitenant Cloud Manager

Monitor Service Provider Backbones Through the Strata Multitenant Cloud Manager

Monitor Tenant Branches Through the Strata Multitenant Cloud Manager

Monitor Tenant Devices Through the Strata Multitenant Cloud Manager

Monitor Tenant Licenses Through the Strata Multitenant Cloud Manager

Monitor Upgrades Through the Strata Multitenant Cloud Manager

Monitor Using Prisma Access Insights

Switch Tenants Through the Strata Multitenant Cloud Manager

Monitor Service Provider IP Address Pools Through the Strata Multitenant Cloud Manager

View Incidents Through the Strata Multitenant Cloud Manager

Monitor Prisma Access Incidents Through the Strata Multitenant Cloud Manager

Monitor Prisma SD-WAN Incidents Through the Strata Multitenant Cloud Manager

Manage Services Through the Strata Multitenant Cloud Manager

Manage Services Through the Strata Multitenant Cloud Manager

Manage Devices Through the Strata Multitenant Cloud Manager

Allocate Hardware Devices Through the Strata Multitenant Cloud Manager

Return Devices Through the Strata Multitenant Cloud Manager

Re-allocate Devices Through the Strata Multitenant Cloud Manager

Revoke Devices Through the Strata Multitenant Cloud Manager

Allocate Virtual ION (vION) Devices Through the Strata Multitenant Cloud Manager

Instantiate Virtual ION (vION) Devices Through the Strata Multitenant Cloud Manager

Revoke Virtual ION Devices Through the Strata Multitenant Cloud Manager

Manage Service Provider Backbones Through the Strata Multitenant Cloud Manager

Add a Service Provider Backbone Through the Strata Multitenant Cloud Manager

Add a Service Provider Connection Through the Strata Multitenant Cloud Manager

View Service Provider Backbones Through the Strata Multitenant Cloud Manager

View Service Provider Connections Through the Strata Multitenant Cloud Manager

Delete a Service Provider Backbone or Connection Through the Strata Multitenant Cloud Manager

Configure Service Provider IP Address Pools Through the Strata Multitenant Cloud Manager

Related Documentation

Read Product Documentation

Open a Support Case for a Tenant of the Strata Multitenant Cloud Manager

Release Updates in Strata Multitenant Cloud Manager

Known Issues in Strata Multitenant Cloud Manager

What’s New in Strata Multitenant Cloud Manager

Monitor Security Alerts Through the Strata Multitenant Cloud Manager

Monitor Through the ASC Support View

Manage Multitenant Notifications

Add a Multitenant Notifications Profile

View Multitenant Notifications Profiles

Enable or Disable a Multitenant Notifications Profile

Copy or Delete a Multitenant Notifications Profile

Read Multitenant in-App Notifications and Mark as Read

ASC Support View Support View

Monitor Services Through the ASC Support View

Monitor Performance of Tunnel Status Through the ASC Support View

Monitor Performance of Auto Scaling Through the ASC Support View

Monitor Performance of Throughput Through the ASC Support View

Monitor Performance of the System Through the ASC Support View

Monitor Tenant Licenses Through the ASC Support View

Monitor Upgrades Through the ASC Support View

Manage Bulk Configurations Through the Strata Multitenant Cloud Manager

Assign and Push Bulk Config Snippets Through the Strata Multitenant Cloud Manager

View Tenant Bulk Config Status Through the Strata Multitenant Cloud Manager

View Bulk Config Job Status Through the Strata Multitenant Cloud Manager

Remove Configuration Snippet Through the Strata Multitenant Cloud Manager

View Child Tenant Application Details Through the Strata Multitenant Cloud Manager

Manage Multitenant Reports

Service Providers

Mobile Network Infrastructure Getting Started

Stream Control Transmission Protocol (SCTP)

SCTP Introduction

SCTP Association

SCTP Multihoming

SCTP Packets and Chunks

SCTP Security Measures

Configure SCTP Security

Configure SCTP INIT Flood Protection

Monitor SCTP Security

SCTP Event Types

Manage SCTP from Panorama

GPRS Tunneling Protocol (GTP)

GTP Deployments

Roaming Security

Non-3GPP Access Security

Configure GTP Stateful Inspection

Mobile Network Protection Profile

Monitor GTP Traffic

GTP Information on the ACC

Generate Mobile Network Reports

GTP Event Types and Severity

GTP Event Codes

GTP Cause Values in Logs

GTP Message Type

Get a Packet Capture of a GTP Event

Disable Tunnel Acceleration

5G-Ready K2 Next-Generation Firewalls

Express Mode and Secure Mode

Restore Express Mode

Upgrade Line Cards to K2 Secure Mode

5G Network Slice Security

5G Equipment ID and Subscriber ID Security

Configure 5G Network Slice Security

Configure 5G Equipment ID Security

Configure 5G Subscriber ID Security

5G Multi-Edge Security

Configure 5G Multi-Edge Security

PFCP Event Types

4G Equipment ID and Subscriber ID Security

4G Equipment ID Security

4G Subscriber ID Security

Configure 4G Equipment ID Security

Configure 4G Subscriber ID Security

Mobile Network Infrastructure Getting Started

Stream Control Transmission Protocol (SCTP)

SCTP Introduction

SCTP Association

SCTP Multihoming

SCTP Packets and Chunks

SCTP Security Measures

Configure SCTP Security

Configure SCTP INIT Flood Protection

Monitor SCTP Security

Manage SCTP from Panorama

SCTP Event Types

GPRS Tunneling Protocol (GTP)

GTP Deployments

Roaming Security

Non-3GPP Access Security

Configure GTP Stateful Inspection

Mobile Network Protection Profile

Monitor GTP Traffic

GTP Information on the ACC

Generate Mobile Network Reports

GTP Event Types and Severity

GTP Event Codes

GTP Cause Values in Logs

GTP Message Type

Get a Packet Capture of a GTP Event

Disable Tunnel Acceleration

5G-Ready K2 Next-Generation Firewalls

Express Mode and Secure Mode

Restore Express Mode

Upgrade Line Cards to K2 Secure Mode

5G Network Slice Security

5G Equipment ID and Subscriber ID Security

Configure 5G Network Slice Security

Configure 5G Equipment ID Security

Configure 5G Subscriber ID Security

4G Equipment ID and Subscriber ID Security

4G Equipment ID Security

4G Subscriber ID Security

Configure 4G Equipment ID Security

Configure 4G Subscriber ID Security

Mobile Network Infrastructure Getting Started

Stream Control Transmission Protocol (SCTP)

SCTP Introduction

SCTP Association

SCTP Multihoming

SCTP Packets and Chunks

SCTP Security Measures

Configure SCTP Security

Configure SCTP INIT Flood Protection

Monitor SCTP Security

Manage SCTP from Panorama

SCTP Event Types

GPRS Tunneling Protocol (GTP)

GTP Deployments

Roaming Security

Non-3GPP Access Security

Configure GTP Stateful Inspection

GTP Protection Profile

Monitor GTP Traffic

GTP Information on the ACC

Generate Mobile Network Reports

GTP Event Types and Severity

GTP Event Codes

GTP Cause Values in Logs

GTP Message Type

Get a Packet Capture of a GTP Event

5G-Ready K2 Next-Generation Firewalls

Express Mode and Secure Mode

Restore Express Mode

Upgrade Line Cards to K2 Secure Mode

Mobile Network Infrastructure Getting Started

Stream Control Transmission Protocol (SCTP)

SCTP Introduction

SCTP Association

SCTP Multihoming

SCTP Packets and Chunks

SCTP Security Measures on the Firewall

Configure SCTP Security

Configure SCTP INIT Flood Protection

Monitor SCTP Security

SCTP Event Types

Manage SCTP from Panorama

GPRS Tunneling Protocol (GTP)

GTP Deployments

Roaming Security

Non-3GPP Access Security

Configure GTP Stateful Inspection

Mobile Network Protection Profile

Monitor GTP Traffic

GTP Information on the ACC

Generate Mobile Network Reports

GTP Event Types and Severity

GTP Event Codes

GTP Cause Values in Logs

GTP Message Type

Get a Packet Capture of a GTP Event

Disable Tunnel Acceleration

5G-Ready K2 Next-Generation Firewalls

Express Mode and Secure Mode

Restore Express Mode

Upgrade Line Cards to K2 Secure Mode

5G Network Slice Security

5G Equipment ID and Subscriber ID Security

Configure 5G Network Slice Security

Configure 5G Equipment ID Security

Configure 5G Subscriber ID Security

5G Multi-access Edge Computing Security

Configure 5G Multi-access Edge Computing Security

PFCP Event Types

4G Equipment ID and Subscriber ID Security

4G Equipment ID Security

4G Subscriber ID Security

Configure 4G Equipment ID Security

Configure 4G Subscriber ID Security

Mobile Network Infrastructure Getting Started

Stream Control Transmission Protocol (SCTP)

SCTP Introduction

SCTP Association

SCTP Multihoming

SCTP Packets and Chunks

SCTP Security Measures on the Firewall

Configure SCTP Security

Configure SCTP INIT Flood Protection

Monitor SCTP Security

SCTP Event Types

Manage SCTP from Panorama

GPRS Tunneling Protocol (GTP)

GTP Deployments

Roaming Security

Non-3GPP Access Security

Configure GTP Stateful Inspection

Mobile Network Protection Profile

Monitor GTP Traffic

GTP Information on the ACC

Generate Mobile Network Reports

GTP Event Types and Severity

GTP Event Codes

GTP Cause Values in Logs

GTP Message Type

Get a Packet Capture of a GTP Event

Disable Tunnel Acceleration

5G-Ready K2 Next-Generation Firewalls

Express Mode and Secure Mode

Restore Express Mode

Upgrade Line Cards to K2 Secure Mode

5G Network Slice Security

5G Equipment ID and Subscriber ID Security

Configure 5G Network Slice Security

Configure 5G Equipment ID Security

Configure 5G Subscriber ID Security

5G Multi-access Edge Computing Security

Configure 5G Multi-access Edge Computing Security

PFCP Event Types

4G Equipment ID and Subscriber ID Security

4G Equipment ID Security

4G Subscriber ID Security

Configure 4G Equipment ID Security

Configure 4G Subscriber ID Security

Intelligent Security and User Equipment Correlation with IP Addresses

Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation

Configure Intelligent Security Using RADIUS for User Equipment to IP Address Correlation

Mobile Network Infrastructure Getting Started

Stream Control Transmission Protocol (SCTP)

SCTP Introduction

SCTP Association

SCTP Multihoming

SCTP Packets and Chunks

SCTP Security Measures on the Firewall

Configure SCTP Security

Configure SCTP INIT Flood Protection

Monitor SCTP Security

SCTP Event Types

Manage SCTP from Panorama

GPRS Tunneling Protocol (GTP)

GTP Deployments

Roaming Security

Non-3GPP Access Security

Configure GTP Stateful Inspection

Mobile Network Protection Profile

Monitor GTP Traffic

GTP Information on the ACC

Generate Mobile Network Reports

GTP Event Types and Severity

GTP Event Codes

GTP Cause Values in Logs

GTP Message Type

Get a Packet Capture of a GTP Event

Disable Tunnel Acceleration

5G-Ready K2 Next-Generation Firewalls

Express Mode and Secure Mode

Restore Express Mode

Upgrade Line Cards to K2 Secure Mode

5G Network Slice Security

5G Equipment ID and Subscriber ID Security

Configure 5G Network Slice Security

Configure 5G Equipment ID Security

Configure 5G Subscriber ID Security

5G Multi-access Edge Computing Security

Configure 5G Multi-access Edge Computing Security

PFCP Event Types

4G Equipment ID and Subscriber ID Security

4G Equipment ID Security

4G Subscriber ID Security

Configure 4G Equipment ID Security

Configure 4G Subscriber ID Security

Intelligent Security and User Equipment Correlation with IP Addresses

Configure Intelligent Security using PFCP for User Equipment to IP Address Correlation

Configure Intelligent Security Using RADIUS for User Equipment to IP Address Correlation

Intelligent Security and the UEIP Database

Intelligent Security with PFCP for User Equipment to IP Address Correlation

Configure Intelligent Security using GTP for User Equipment to IP Address Correlation

Strata Cloud Manager

Strata Cloud Manager Release Notes

Strata Cloud Manager Release Information

New Features in Strata Cloud Manager

New Features in April 2024

New Features in March 2024

New Features in February 2024

New Features in January 2024

New Features in November 2023

New Features in October 2023

New Features in September 2023

New Features in May 2024

New Features in June 2024

New Features in July 2024

New Features in August 2024

New Features in September 2024

New Features in October 2024

New Features in November 2024

Addressed Issues

Strata Cloud Manager AIOps

Regions for AIOps for NGFW

Free and Premium Features

How to Activate AIOps for NGFW

Where Are My AIOps for NGFW Features?

Panorama CloudConnector Plugin

Get Alert Notifications

Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies

Device Telemetry for AIOps for NGFW

Domains Required for AIOps for NGFW

Optimize Security Posture

Monitor Security Posture Insights

Monitor Feature Adoption

Monitor Security Subscriptions

Assess Vulnerabilities

Monitor Compliance Summary

Proactively Enforce Security Checks

Policy Analyzer

Pre-Change Policy Analysis

Pre-Change Policy Analysis Reports

Post-Change Policy Analysis

NGFW Health and Software Management

Monitor Device Health

Get Upgrade Recommendations

Analyze Metric Capacity

Best Practices for NGFWs

On-Demand BPA Report

Strata Cloud Manager Activation & Onboarding

Strata Cloud Manager Licenses

Strata Cloud Manager Essentials and Pro

Essentials and Pro Features

Strata Cloud Manager License Information

Strata Cloud Manager Essentials

Strata Cloud Manager Pro

Strata Cloud Manager Essentials and Pro Feature Support

Prerequisites for Strata Cloud Manager Onboarding

Activate Your Strata Cloud Manager Licenses

Activate Strata Cloud Manager Essentials

Activate Strata Cloud Manager Pro

Activate Strata Cloud Manager Pro for NGFW

Activate Strata Cloud Manager Pro for Prisma Access

Activate Strata Cloud Manager Pro for VM-Series with Software NGFW Credits

Activate Strata Cloud Manager Pro with the Enterprise License Agreement

Upgrade to Strata Cloud Manager Pro, from Strata Cloud Manager Essentials

Strata Cloud Manager Getting Started

Introducing Strata Cloud Manager

Products that Strata Cloud Manager Supports

First Look at Strata Cloud Manager

Launch Strata Cloud Manager

Get Started with Strata Cloud Manager

Built-In Best Practices in Strata Cloud Manager

Command Center: Strata Cloud Manager

Command Center (Summary)

Operational Health

Insights: Activity Insights

Activity Insights: Overview

Activity Insights: Applications

Activity Insights: SD-WAN Applications

Activity Insights: Threats

Activity Insights: Users

Activity Insights: URLs

Activity Insights: Rules

Activity Insights: Regions

Activity Insights: Projects

Insights: AI Access

Insights: AI Runtime Security

Dashboards: Strata Cloud Manager

Dashboard: Build a Custom Dashboard

Dashboard: Device Health

Device Health Dashboard: Device Health Scores

Device Health Dashboard: Device Statistics

Device Health Dashboard: Score Trend

Dashboard: Executive Summary

Dashboard: WildFire

WildFire Dashboard: Filters

WildFire Dashboard: Total Samples Submitted

WildFire Dashboard: Analysis Insights

WildFire Dashboard: Session Trends For Samples Submitted

WildFire Dashboard: Verdict Distribution

WildFire Dashboard: Top Applications Delivering Malicious Samples

WildFire Dashboard: Top Users Impacted By Malicious Samples

WildFire Dashboard: Top Malware Regions

WildFire Dashboard: Top Firewalls

Dashboard: DNS Security

Dashboard: AI Runtime Security

Dashboard: Advanced Threat Prevention

Advanced Threat Prevention Dashboard: Threat Overview

Advanced Threat Prevention Dashboard: Top Rules Allowing Threats

Advanced Threat Prevention Dashboard: Hosts Generating Cloud Detected C2 Traffic

Advanced Threat Prevention Dashboard: Hosts Targeted by Cloud-Detected Exploits

Dashboard: IoT Security

Dashboard: Prisma Access

Dashboard: Application Experience

Application Experience Dashboard: Mobile User Experience Card

Application Experience Dashboard: Remote Site Experience Card

Application Experience Dashboard: Experience Score Trends

Application Experience Dashboard: Experience Score Across the Network

Application Experience Dashboard: Global Distribution of Application Experience Scores

Application Experience Dashboard: Experience Score for Top Monitored Sites

Application Experience Dashboard: Experience Score for Top Monitored Apps

Application Experience Dashboard: Application Performance Metrics

Application Experience Dashboard: Network Performance Metrics

Dashboard: Best Practices

Dashboard: Compliance Summary

Dashboard: Security Posture Insights

Security Posture Insights Dashboard: Device Security Posture

Security Posture Insights Dashboard: Security Posture Statistics

Security Posture Insights Dashboard: Score Trend

Dashboard: NGFW SD-WAN

NGFW SD-WAN Dashboard: Application Health

NGFW SD-WAN Dashboard: Top Impacted Applications

NGFW SD-WAN Dashboard: Impacted Applications

NGFW SD-WAN Dashboard: Link Health

NGFW SD-WAN Dashboard: Top Worst Links

NGFW SD-WAN Dashboard: Poor Links

NGFW SD-WAN Dashboard: Health By Cluster and Sites

Dashboard: Prisma SD-WAN

Prisma SD-WAN Dashboard: Device to Controller Connectivity

Prisma SD-WAN Dashboard: Applications

Prisma SD-WAN Dashboard: Top Alerts by Priority

Prisma SD-WAN Dashboard: Overall Link Quality

Prisma SD-WAN Dashboard: Bandwidth Utilization

Prisma SD-WAN Dashboard: Transaction Stats

Prisma SD-WAN Dashboard: Predictive Analytics

Dashboard: PAN-OS CVEs

Dashboard: CDSS Adoption

Dashboard: Feature Adoption

Dashboard: On Demand BPA

Dashboard: SASE Health

SASE Health Dashboard: Current Mobile Users - Map View

SASE Health Dashboard: Current Sites - Map View

SASE Health Dashboard: Monitored Applications

Monitor: Strata Cloud Manager

Monitor: IOC Search

Monitor: Branch Sites

Branch Sites (Prisma Access)

Branch Sites (Prisma SD-WAN)

Monitor: Data Centers

Service Connections

ZTNA Connectors

Data Centers (Prisma SD-WAN)

Monitor: Network Services

GlobalProtect Authentication

DNS

Monitor: Subscription Usage

Monitor: ION Devices

Monitor: Access Analyzer

Monitor: NGFW Devices

Monitor: Capacity Analyzer

Monitor: Prisma Access Locations

Monitor: Assets

Incidents and Alerts: Strata Cloud Manager

Incidents and Alerts: NGFW

Incidents and Alerts: Prisma Access

Incidents and Alerts: Prisma SD-WAN

Incidents and Alerts: Log Viewer

Incident and Alert Settings

Manage: NGFW and Prisma Access

Manage: Configuration Scope

Manage: Snippets

Manage: Variables

Manage: Overview

Configuration Overview (Prisma Access)

Configuration Overview (Strata Cloud Manager)

Manage: Security Services

Manage: Security Policy

Manage: Decryption

Manage: Network Policies

Manage: Application Override

Manage: Policy Based Forwarding

Manage: Identity Services

Manage: Authentication

Manage: Authentication Setup

Manage: Authentication Profiles

Cloud Identity Engine

Manage: Cloud Identity Engine

Manage: Identity Redistribution

Identity Redistribution (Prisma Access)

Identity Redistribution (NGFW)

Manage: Local Users and Groups

Manage: Device Settings

Manage: Objects

Manage: Certificate Management

Manage: SaaS Application Management

Manage: Global Settings

User Coaching Notification Template

Manage: Operations

Manage: IoT Policy Recommendation

Manage: Enterprise DLP

Manage: SaaS Security

Manage: Prisma SD-WAN

Manage: Policies for Prisma SD-WAN

Manage: Resource Types for Prisma SD-WAN

Manage: CloudBlades for Prisma SD-WAN

Manage: System Resources for Prisma SD-WAN

Manage: Prisma Access Browser

Manage: Operations

Manage: Push Config

Manage: Push Status

Manage: Config Version Snapshots

Manage: Security Posture

Manage: Policy Analyzer

Manage: Policy Optimizer

Manage: Config Cleanup

Manage: Security Posture Settings

Manage: Access Control

Manage: Scope Management

Manage: IP Restrictions

Workflows: Strata Cloud Manager

Workflows: Discovery

Workflows: NGFW Setup

Workflows: Device Management

Workflows: Folder Management

Folder Management (NGFWs)

Folder Management (Prisma Access)

Workflows: Prisma SD-WAN Setup

Workflows: Prisma Access Setup

Workflows: Prisma Access

Workflows: Mobile Users

Workflows: Remote Networks

Workflows: Service Connections

Workflows: Remote Browser Isolation

Workflows: Software Upgrades

Software Upgrades (NGFW)

Software Upgrades (Prisma Access)

Workflows: Prisma Access Browser

Reports: Strata Cloud Manager

Reports (Prisma Access and NGFW)

Reports (Prisma SD-WAN)

Favorites: Strata Cloud Manager

Delete Favorites

Settings: Strata Cloud Manager

Settings: Audit Logs

Settings: Trusted IP List

Add Trusted IPs

Delete Trusted IPs

Settings: User Preferences

Settings: Strata Logging Service

Application Experience

Endpoint Agent Management

Remote Site Agent Management

Health Score Profiles

ADEM Audit Logs

Strata Cloud Manager Support Tables

Strata Logging Service

Strata Logging Service Release Notes

New Features in Strata Logging Service

Strata Logging Service Addressed Issues

Strata Logging Service Known Issues

Strata Logging Service Log Reference

Schema Overview

Audit CEF Fields

Audit EMAIL Fields

Audit HTTPS Fields

Audit LEEF Fields

Configuration Syslog Default Field Order

Configuration CEF Fields

Configuration EMAIL Fields

Configuration HTTPS Fields

Configuration LEEF Fields

System Syslog Default Field Order

System CEF Fields

System EMAIL Fields

System HTTPS Fields

System LEEF Fields

GlobalProtect App Troubleshooting

GlobalProtect App Troubleshooting Syslog Default Field Order

GlobalProtect App Troubleshooting CEF Fields

GlobalProtect App Troubleshooting EMAIL Fields

GlobalProtect App Troubleshooting HTTPS Fields

GlobalProtect App Troubleshooting LEEF Fields

Events CEF Fields

Events EMAIL Fields

Events HTTPS Fields

Events LEEF Fields

Authentication Syslog Default Field Order

Authentication CEF Fields

Authentication EMAIL Fields

Authentication HTTPS Fields

Authentication LEEF Fields

DNS Security Syslog Default Field Order

DNS Security CEF Fields

DNS Security EMAIL Fields

DNS Security HTTPS Fields

DNS Security LEEF Fields

Decryption Syslog Default Field Order

Decryption CEF Fields

Decryption EMAIL Fields

Decryption HTTPS Fields

Decryption LEEF Fields

File Syslog Default Field Order

File CEF Fields

File EMAIL Fields

File HTTPS Fields

File LEEF Fields

GlobalProtect Syslog Default Field Order

GlobalProtect CEF Fields

GlobalProtect EMAIL Fields

GlobalProtect HTTPS Fields

GlobalProtect LEEF Fields

HIP Match Syslog Default Field Order

HIP Match CEF Fields

HIP Match EMAIL Fields

HIP Match HTTPS Fields

HIP Match LEEF Fields

IPtag Syslog Default Field Order

IPtag CEF Fields

IPtag EMAIL Fields

IPtag HTTPS Fields

IPtag LEEF Fields

Remote Browser Isolation

SCTP Syslog Default Field Order

SCTP CEF Fields

SCTP EMAIL Fields

SCTP HTTPS Fields

SCTP LEEF Fields

Threat Syslog Default Field Order

Threat CEF Fields

Threat EMAIL Fields

Threat HTTPS Fields

Threat LEEF Fields

Traffic Syslog Default Field Order

Traffic CEF Fields

Traffic EMAIL Fields

Traffic HTTPS Fields

Traffic LEEF Fields

Tunnel Syslog Default Field Order

Tunnel CEF Fields

Tunnel EMAIL Fields

Tunnel HTTPS Fields

Tunnel LEEF Fields

URL

URL Syslog Default Field Order

URL EMAIL Fields

URL HTTPS Fields

URL LEEF Fields

UserID Syslog Default Field Order

UserID CEF Fields

UserID EMAIL Fields

UserID HTTPS Fields

UserID LEEF Fields

Activation & Onboarding

Strata Logging Service License

Strata Logging Service Deployment Prerequisites

Sizing for Strata Logging Service Storage

TCP Ports and FQDNs Required for Strata Logging Service

Activate Strata Logging Service

Onboard Firewalls to Strata Logging Service

Strata Cloud Manager

Onboard Devices to Your Strata Logging Service Instance

Allocate Storage Based on Log Type

Allocate Log Retention Days

Start Sending Logs to Strata Logging Service

Strata Cloud Manager

Strata Logging Service Administration

Introduction to Strata Logging Service

Strata Logging Service Regions

User Roles for Strata Logging Service

Launch Strata Logging Service

Monitor Strata Logging Service

View Status of your Strata Logging Service Instance

View Strata Logging Service Status

Strata Logging Service Log Types

Troubleshooting Firewall Connectivity

View Logs in Strata Logging Service

View Strata Logging Service Logs in Explore

Using Query Builder

Interact with Query Results

Forward Logs from Strata Logging Service

Forward Logs to a Syslog Server

Forward Logs to an HTTPS Server

Forward Logs to an Email Server

Forward Logs to Amazon Security Lake

Forward Logs to AWS S3 Bucket

Forward Logs to Snowflake

Create Log Filters

Server Certificate Validation

List of Trusted Certificates for Syslog and HTTPS Forwarding

Log Forwarding Errors

Forward Logs With Log Replay

Threat Prevention

日本語ドキュメンテーション

한국어 선적 서류 비치

繁體中文文件

Français Documentation

ישראל תיעוד

Português Documentation

Русский Документация

Español Documentación

Tiếng Anh Tài liệu

Deutsch Dokumentation

Translated PAN-OS Documentation

Translated GlobalProtect Documentation

Translated WildFire Documentation

Translated VM-Series Documentation

Translated Traps Documentation

Translated Firewall and Appliances Documentation

Translated Panorama Documentation

Translated Best Practices Documentation

Українська документація

الوثائق العربية

Translated Prisma Documentation

VM-Series Deployment Guide

About the VM-Series Firewall

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (HA Pair)

Upgrade the PAN-OS Software Version Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

VM-Series Plugin

Configure the VM-Series Plugin on the Firewall

Upgrade the VM-Series Plugin

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

Custom PAN-OS Metrics Published for Monitoring

Interface Used for Accessing External Services on the VM-Series Firewall

PacketMMAP and DPDK Driver Support

Enable NUMA Performance Optimization on the VM-Series

Enable ZRAM on the VM-Series Firewall

License the VM-Series Firewall

VM-Series Firewall Licensing

Create a Support Account

Serial Number and CPU ID Format for the VM-Series Firewall

Use Panorama-Based Software Firewall License Management

Software NGFW Credits

Maximum Limits Based on Memory

Activate Credits

Create a Deployment Profile

Manage a Deployment Profile

Register the VM-Series Firewall (Software NGFW Credits)

Provision Panorama

Migrate Panorama to a Software NGFW License

Transfer Credits

Deactivate License (Software NGFW Credits)

Customize Dataplane Cores

Migrate a Firewall to a Flexible VM-Series License

Set the Number of Licensed vCPUs

Renew Your Software NGFW Credit License

Amend and Extend a Credit Pool

Delicense Ungracefully Terminated Firewalls

Software NGFW Licensing API

Manage Deployment Profiles Using the Licensing API

Create a Deployment Profile Using the Licensing API

Update a Deployment Profile Using the Licensing API

Generate Your OAuth Client Credentials

Get Serial Numbers Associated with an Authcode Using the API

Deactivate a VM-Series Firewall Using the API

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-50 Lite Mode

VM-Series Model License Types

VM-Series Firewall Licenses for Public Clouds

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Activate VM-Series Model Licenses

Activate the License for the VM-Series Firewall (Standalone Version)

Activate the License for the VM-Series Firewall for VMware NSX

Activate Licenses on VM-Series Firewalls on NSX When Panorama has Internet Access

Activate Licenses on VM-Series Firewalls on NSX When Panorama has No Internet Access

Troubleshoot License Activation Issues

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code)

Install a Device Certificate on the VM-Series Firewall

Switch Between the BYOL and the PAYG Licenses

Switch Between VM-Series Model Licenses

Deactivate License(s)

Deactivate a Feature License or Subscription Using the CLI

Renew VM-Series Firewall License Bundles

Install a License API Key

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Firewall

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Add End-Customer Information for a Registered VM-Series Firewall (API)

What Happens When Licenses Expire?

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Use vMotion to Move the VM-Series Firewall Between Hosts

Use the VM-Series CLI to Swap the Management Interface on ESXi

VM Monitoring on vCenter

About VM Monitoring on VMware vCenter

Install the Panorama Plugin for VMware vCenter

Configure the Panorama Plugin for VMware vCenter

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with Deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV license?

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid license?

Does moving the VM-Series firewall cause license invalidation?

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable ESXi VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on ESXi

VNF Tuning for Performance

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up the VM-Series Firewall on VMware NSX-T

Set Up the VM-Series Firewall on VMware NSX-T (North-South)

Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

Components of the VM-Series Firewall on NSX-T (North-South)

Deploy the VM-Series Firewall on NSX-T (North-South)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Deploy the VM-Series Firewall

Direct Traffic to the VM-Series Firewall

Apply Security Policy to the VM-Series Firewall on NSX-T

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Set Up the VM-Series Firewall on NSX-T (East-West)

Components of the VM-Series Firewall on NSX-T (East-West)

VM-Series Firewall on NSX-T (East-West) Integration

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Deploy the VM-Series Using the Operations-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Add a Service Chain

Direct Traffic to the VM-Series Firewall

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Use vMotion to Move the VM-Series Firewall Between Hosts

Deploy the VM-Series Using the Security-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Groups

Create Security Policies

Use the Pre Rulebase to Define NSX-T Steering Rules

Use the Post Rulebase to Define NSX-T Steering Rules

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Group Membership Criteria

Generate Steering Policy

Generate Steering Rules

Delete a Service Definition from Panorama

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Extend Security Policy from NSX-V to NSX-T

Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS EC2 Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

VM-Series Firewall on AWS Outposts

AWS Terminology

Management Interface Mapping for Use with Amazon ELB

Performance Tuning for the VM-Series Firewall on AWS

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Launch the VM-Series Firewall on AWS Outpost

Create a Custom Amazon Machine Image (AMI)

Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable CloudWatch Monitoring on the VM-Series Firewall

VM-Series Firewall Startup and Health Logs on AWS

VM-Series Integration with an AWS Gateway Load Balancer

Manual Integration of the VM-Series with a Gateway Load Balancer

Enable VM-Series Integration with a Gateway Load Balancer

Manually Integrate the VM-Series with a Gateway Load Balancer

Associate a VPC Endpoint with a VM-Series Interface

Enable Overlay Routing for the VM-Series on AWS

VM-Series Integration with AWS Cloud WAN

VM-Series Auto Scaling Group with AWS Gateway Load Balancer

Before Launching the Templates

Launch the Firewall Template

Launch the Application Template

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

Heartbeat Polling and Hello Messages

Device Priority and Preemption

Configure Active/Passive HA on AWS Using a Secondary IP

Configure Active/Passive HA on AWS Using Interface Move

Migrate Active/Passive HA on AWS

Migrate Active/Passive HA on AWS to Secondary IP Mode

Migrate Active/Passive HA on AWS to Interface Move Mode

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

Resource Monitoring on AWS

AWS Resource Monitoring with the AWS Plugin on Panorama

Set Up the AWS Plugin for VM Monitoring on Panorama

Auto Scaling VM-Series Firewalls with the Amazon ELB Service

VM-Series Auto Scaling Templates for AWS Version 2.0

What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?

How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?

Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)

Customize the Firewall Template Before Launch (v2.0 and v2.1)

Launch the VM-Series Auto Scaling Template for AWS (v2.0)

Customize the Bootstrap.xml File (v2.0)

Create a new Bootstrap File from Scratch

Use the GitHub Bootstrap Files as Seed

SQS Messaging Between the Application Template and Firewall Template

Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)

Modify Administrative Account and Update Stack (v2.0)

VM-Series Auto Scaling Templates for AWS Version 2.1

Launch the Firewall Template (v2.1)

Launch the Application Template (v2.1)

Create a Custom Amazon Machine Image (v2.1)

VM-Series Auto Scaling Template Cleanup (v2.1)

SQS Messaging Between the Application Template and Firewall Template (v2.1)

Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)

Modify Administrative Account (v2.1)

Change Scaling Parameters and CloudWatch Metrics (v2.1)

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Panorama Orchestrated Deployments in AWS

Prepare for an Orchestrated AWS Deployment

Orchestrate a VM-Series Firewall Deployment in AWS

View the Deployment Status

Traffic Flow and Configurations

Set Up the VM-Series Firewall on KVM

VM-Series on KVM—Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Install the VM-Series Firewall Using Virt-Manager

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on KVM

Install the VM-Series Firewall Using an ISO

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Use the VM-Series CLI to Swap the Management Interface on KVM

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Intelligent Traffic Offload

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series Firewall

Azure Security Center Integration

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

VM-Series on Azure Service Principal Permissions

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

Panorama Orchestrated Deployments in Azure

Prepare for an Orchestrated Deployment

Orchestrate a VM-Series Firewall Deployment in Azure

Create a Custom VM-Series Image for Azure

Use Azure Security Center Recommendations to Secure Your Workloads

Use Panorama to Forward Logs to Azure Security Center

Deploy the VM-Series Firewall on Azure Stack

Enable Azure Application Insights on the VM-Series Firewall

Monitoring on Azure

About Monitoring on Azure

Set Up the Azure Plugin for Monitoring on Panorama

Attributes Monitored Using the Panorama Plugin on Azure

Set up Active/Passive HA on Azure

Use the ARM Template to Deploy the VM-Series Firewall

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Template

Deploy the Template to Azure

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Secure Kubernetes Services on Azure

How Does the Panorama Plugin for Azure Secure Kubernetes Services?

Secure an AKS Cluster

Deploy the VM-Series with the Azure Gateway Load Balancer

Deploy the VM-Series Firewall on Azure Stack HCI

Deploy VM-Series on Azure Stack Edge

Set Up the VM-Series Firewall on OpenStack

VM-Series Deployments in OpenStack

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic Gateway Deployment

Heat Templates for Service Chaining and Service Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

Install the VM-Series Firewall in a Basic Gateway Deployment

Install the VM-Series Firewall with Service Chaining or Scaling

Set Up the VM-Series Firewall on Google Cloud Platform

About the VM-Series Firewall on Google Cloud Platform

Supported Deployments on Google Cloud Platform

Prepare to Set Up VM-Series Firewalls on Google Public Cloud

Deploy the VM-Series Firewall on Google Cloud Platform

Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

Management Interface Swap for Google Cloud Platform Load Balancing

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable Google Stackdriver Monitoring on the VM Series Firewall

Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

Use Dynamic Address Groups to Secure Instances Within the VPC

Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall

VM Monitoring with the Panorama Plugin for GCP

Configure VM Monitoring with the Panorama Plugin for GCP

Auto Scaling the VM-Series Firewall on Google Cloud Platform

Auto Scaling Components for Google Cloud Platform

Deploy GCP Auto Scaling Templates

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Set up Active/Passive HA on Google Cloud Platform

Architecture of Active/Passive HA on GCP

Deploy the GCP Active/Passive HA

Set Up a VM-Series Firewall on a Cisco ENCS Network

Plan Your Cisco ENCS Deployment

Prepare the VM-Series Firewall Image for Cisco ENCS

Deploy the VM-Series Firewall on Cisco ENCS

Set up the VM-Series Firewall on Oracle Cloud Infrastructure

OCI Shape Types

Deployments Supported on OCI

Prepare to Set Up the VM-Series Firewall on OCI

Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Configure Active/Passive HA on OCI

Set Up the VM-Series Firewall on Alibaba Cloud

VM-Series Firewall on Alibaba Cloud

Minimum System Requirements for the VM-Series Firewall on Alibaba Cloud

Prepare to Deploy the VM-Series Firewall on Alibaba Cloud

Deploy the VM-Series Firewall on Alibaba Cloud

Create a VPC and Configure Networks

Create and Configure the VM-Series Firewall

Secure North-South Traffic on Alibaba Cloud

Configure Load Balancing on Alibaba Cloud

Set Up a Firewall in Cisco ACI

Palo Alto Networks Firewall Integration with Cisco ACI

Service Graph Templates

Multi-Context Deployments

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Endpoint Monitoring in Cisco ACI

Install the Panorama Plugin for Cisco ACI

Configure the Cisco ACI Plugin

Panorama Plugin for Cisco ACI Dashboard

Set Up the VM-Series Firewall on Cisco CSP

VM-Series on Cisco CSP System Requirements

Deploy the VM-Series Firewall on Cisco CSP

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Set Up the VM-Series Firewall on Nutanix AHV

VM Monitoring on Nutanix

About VM Monitoring on Nutanix

Install the Panorama Plugin for Nutanix

Configure the Panorama Plugin for Nutanix

Bootstrap the VM-Series Firewall

Choose a Bootstrap Method

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on AWS

Bootstrap the VM-Series Firewall on Azure

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Google Cloud Platform

Bootstrap the VM-Series Firewall on Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on KVM

Bootstrap the VM-Series Firewall on KVM with an ISO

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Verify Bootstrap Completion

Bootstrap Errors

Bootstrap the VM-Series Firewall on Azure Stack HCI

Set Up the VM-Series Firewall on IBM Cloud

About the VM-Series Firewall on IBM Cloud

Prepare to Set Up VM-Series Firewalls on IBM Cloud

Deploy the VM-Series Firewall Using IBM Cloud Schematics

High Resiliency for VM-Series Firewall on IBM Cloud

Use Case: Deploy a NLB Using the VM-Series Firewall

VM-Series Performance & Capacity

VM-Series Performance and Capacity

VM-Series Performance and Capacity on Public Clouds

VM-Series Models on AWS EC2 Instances

VM-Series on Microsoft Azure Performance and Capacity

VM-Series Models on Azure Virtual Machines (VMs)

VM-Series on Google Cloud Platform Performance and Capacity

VM-Series on Oracle Cloud Infrastructure Performance and Capacity

VM-Series Performance & Capacity

VM-Series Performance and Capacity

VM-Series on Amazon Web Services Performance and Capacity

VM-Series Models on AWS EC2 Instances

VM-Series on Microsoft Azure Performance and Capacity

VM-Series Models on Azure Virtual Machines (VMs)

VM-Series on Google Cloud Platform Performance and Capacity

VM-Series on Oracle Cloud Infrastructure Performance and Capacity

VM-Series Deployment Guide

About the VM-Series Firewall

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (HA Pair)

Upgrade the PAN-OS Software Version Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

VM-Series Plugin

Configure the VM-Series Plugin on the Firewall

Upgrade the VM-Series Plugin

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

Custom PAN-OS Metrics Published for Monitoring

Interface Used for Accessing External Services on the VM-Series Firewall

PacketMMAP and DPDK Driver Support

Enable NUMA Performance Optimization on the VM-Series

Enable ZRAM on the VM-Series Firewall

License the VM-Series Firewall

VM-Series Firewall Licensing

Create a Support Account

Serial Number and CPU ID Format for the VM-Series Firewall

Use Panorama-Based Software Firewall License Management

Software NGFW Credits

Maximum Limits Based on Memory

Activate Credits

Create a Deployment Profile

Manage a Deployment Profile

Register the VM-Series Firewall (Software NGFW Credits)

Provision Panorama

Transfer Credits

Deactivate License (Software NGFW Credits)

Customize Dataplane Cores

Migrate to a Flexible VM-Series License

Migrate Panorama to a FW-Flex License

Create and Apply a Subscription-Only Auth Code

Renew Your Software NGFW Credit License

Amend and Extend a Credit Pool

Set the Number of Licensed vCPUs

Delicense Ungracefully Terminated Firewalls

Software NGFW Licensing API

Manage Deployment Profiles Using the Licensing API

Create a Deployment Profile Using the Licensing API

Update a Deployment Profile Using the Licensing API

Generate Your OAuth Client Credentials

Get Serial Numbers Associated with an Authcode Using the API

Deactivate a VM-Series Firewall Using the API

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-50 Lite Mode

VM-Series Model License Types

VM-Series Firewall Licenses for Public Clouds

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Activate VM-Series Model Licenses

Activate the License for the VM-Series Firewall (Standalone Version)

Activate the License for the VM-Series Firewall for VMware NSX

Activate Licenses on VM-Series Firewalls on NSX When Panorama has Internet Access

Activate Licenses on VM-Series Firewalls on NSX When Panorama has No Internet Access

Troubleshoot License Activation Issues

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code)

Install a Device Certificate on the VM-Series Firewall

Switch Between the BYOL and the PAYG Licenses

Switch Between VM-Series Model Licenses

Deactivate License(s)

Deactivate a Feature License or Subscription Using the CLI

Renew VM-Series Firewall License Bundles

Install a License API Key

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Firewall

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Add End-Customer Information for a Registered VM-Series Firewall (API)

What Happens When Licenses Expire?

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Use vMotion to Move the VM-Series Firewall Between Hosts

Use the VM-Series CLI to Swap the Management Interface on ESXi

VM Monitoring on vCenter

About VM Monitoring on VMware vCenter

Install the Panorama Plugin for VMware vCenter

Configure the Panorama Plugin for VMware vCenter

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with Deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV license?

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid license?

Does moving the VM-Series firewall cause license invalidation?

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable ESXi VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on ESXi

VNF Tuning for Performance

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up the VM-Series Firewall on VMware NSX

Set Up the VM-Series Firewall on VMware NSX-T (North-South)

Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

Components of the VM-Series Firewall on NSX-T (North-South)

Deploy the VM-Series Firewall on NSX-T (North-South)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Deploy the VM-Series Firewall

Direct Traffic to the VM-Series Firewall

Apply Security Policy to the VM-Series Firewall on NSX-T

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Set Up the VM-Series Firewall on NSX-T (East-West)

Components of the VM-Series Firewall on NSX-T (East-West)

VM-Series Firewall on NSX-T (East-West) Integration

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Deploy the VM-Series Using the Operations-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Add a Service Chain

Direct Traffic to the VM-Series Firewall

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Use vMotion to Move the VM-Series Firewall Between Hosts

Deploy the VM-Series Using the Security-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Groups

Create Security Policies

Use the Pre Rulebase to Define NSX-T Steering Rules

Use the Post Rulebase to Define NSX-T Steering Rules

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Group Membership Criteria

Generate Steering Policy

Generate Steering Rules

Delete a Service Definition from Panorama

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Extend Security Policy from NSX-V to NSX-T

Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS EC2 Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

VM-Series Firewall on AWS Outposts

AWS Terminology

Management Interface Mapping for Use with Amazon ELB

Performance Tuning for the VM-Series Firewall on AWS

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Launch the VM-Series Firewall on AWS Outpost

Create a Custom Amazon Machine Image (AMI)

Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable CloudWatch Monitoring on the VM-Series Firewall

VM-Series Firewall Startup and Health Logs on AWS

VM-Series Integration with an AWS Gateway Load Balancer

Manual Integration of the VM-Series with a Gateway Load Balancer

Enable VM-Series Integration with a Gateway Load Balancer

Manually Integrate the VM-Series with a Gateway Load Balancer

Associate a VPC Endpoint with a VM-Series Interface

Enable Overlay Routing for the VM-Series on AWS

VM-Series Auto Scaling Group with AWS Gateway Load Balancer

Before Launching the Templates

Launch the Firewall Template

Launch the Application Template

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

Heartbeat Polling and Hello Messages

Device Priority and Preemption

Configure Active/Passive HA on AWS Using a Secondary IP

Configure Active/Passive HA on AWS Using Interface Move

Migrate Active/Passive HA on AWS

Migrate Active/Passive HA on AWS to Secondary IP Mode

Migrate Active/Passive HA on AWS to Interface Move Mode

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

Resource Monitoring on AWS

AWS Resource Monitoring with the AWS Plugin on Panorama

Set Up the AWS Plugin for Monitoring on Panorama

Auto Scaling VM-Series Firewalls with the Amazon ELB Service

VM-Series Auto Scaling Templates for AWS Version 2.0

What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?

How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?

Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)

Customize the Firewall Template Before Launch (v2.0 and v2.1)

Launch the VM-Series Auto Scaling Template for AWS (v2.0)

Customize the Bootstrap.xml File (v2.0)

Create a new Bootstrap File from Scratch

Use the GitHub Bootstrap Files as Seed

SQS Messaging Between the Application Template and Firewall Template

Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)

Modify Administrative Account and Update Stack (v2.0)

VM-Series Auto Scaling Templates for AWS Version 2.1

Launch the Firewall Template (v2.1)

Launch the Application Template (v2.1)

Create a Custom Amazon Machine Image (v2.1)

VM-Series Auto Scaling Template Cleanup (v2.1)

SQS Messaging Between the Application Template and Firewall Template (v2.1)

Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)

Modify Administrative Account (v2.1)

Change Scaling Parameters and CloudWatch Metrics (v2.1)

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Panorama Orchestrated Deployments in AWS

Prepare for an Orchestrated AWS Deployment

Orchestrate a VM-Series Firewall Deployment in AWS

View the Deployment Status

Traffic Flow and Configurations

Set Up the VM-Series Firewall on KVM

VM-Series on KVM— Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Install the VM-Series Firewall Using Virt-Manager

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on KVM

Install the VM-Series Firewall Using an ISO

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Use the VM-Series CLI to Swap the Management Interface on KVM

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Intelligent Traffic Offload

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series Firewall

Azure Security Center Integration

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

VM-Series on Azure Service Principal Permissions

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

Panorama Orchestrated Deployments in Azure Networks

Prepare for an Orchestrated Deployment

Orchestrate a VM-Series Firewall Deployment in Azure

Create a Custom VM-Series Image for Azure

Use Azure Security Center Recommendations to Secure Your Workloads

Use Panorama to Forward Logs to Azure Security Center

Deploy the VM-Series Firewall on Azure Stack

Enable Azure Application Insights on the VM-Series Firewall

Monitoring on Azure

About Monitoring on Azure

Set Up the Azure Plugin for Monitoring on Panorama

Attributes Monitored Using the Panorama Plugin on Azure

Set up Active/Passive HA on Azure

Use the ARM Template to Deploy the VM-Series Firewall

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Template

Deploy the Template to Azure

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Secure Kubernetes Services on Azure

How Does the Azure Plugin Secure Kubernetes Services?

Use Panorama to Manage VM-Series Firewalls on AKS

Deploy the VM-Series with the Azure Gateway Load Balancer

Deploy the VM-Series Firewall on Azure Stack HCI

Set Up the VM-Series Firewall on OpenStack

VM-Series Deployments in OpenStack

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic Gateway Deployment

Heat Templates for Service Chaining and Service Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

Install the VM-Series Firewall in a Basic Gateway Deployment

Install the VM-Series Firewall with Service Chaining or Scaling

Set Up the VM-Series Firewall on Google Cloud Platform

About the VM-Series Firewall on Google Cloud Platform

Supported Deployments on Google Cloud Platform

Prepare to Set Up VM-Series Firewalls on Google Public Cloud

Deploy the VM-Series Firewall on Google Cloud Platform

Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

Management Interface Swap for Google Cloud Platform Load Balancing

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable Google Stackdriver Monitoring on the VM Series Firewall

Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

Use Dynamic Address Groups to Secure Instances Within the VPC

Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall

VM Monitoring with the Google Cloud Platform Plugin

Configure VM Monitoring

Auto Scaling the VM-Series Firewall on Google Cloud Platform

Auto Scaling Components for Google Cloud Platform

Deploy GCP Auto Scaling Templates

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Set up Active/Passive HA on Google Cloud Platform

Architecture of Active/Passive HA on GCP

Deploy the GCP Active/Passive HA

Set Up a VM-Series Firewall on a Cisco ENCS Network

Plan Your Cisco ENCS Deployment

Prepare the VM-Series Firewall Image for Cisco ENCS

Deploy the VM-Series Firewall on Cisco ENCS

Set up the VM-Series Firewall on Oracle Cloud Infrastructure

OCI Shape Types

Deployments Supported on OCI

Prepare to Set Up the VM-Series Firewall on OCI

Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Configure Active/Passive HA on OCI

Set Up the VM-Series Firewall on Alibaba Cloud

VM-Series Firewall on Alibaba Cloud

Minimum System Requirements for the VM-Series Firewall on Alibaba Cloud

Prepare to Deploy the VM-Series Firewall on Alibaba Cloud

Deploy the VM-Series Firewall on Alibaba Cloud

Create a VPC and Configure Networks

Create and Configure the VM-Series Firewall

Secure North-South Traffic on Alibaba Cloud

Configure Load Balancing on Alibaba Cloud

Set Up a Firewall in Cisco ACI

Palo Alto Firewall Integration with Cisco ACI

Service Graph Templates

Multi-Context Deployments

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Endpoint Monitoring in Cisco ACI

Install the Cisco ACI Plugin for Panorama

Configure the Cisco ACI Plugin

Panorama Plugin for Cisco ACI Dashboard

Set Up the VM-Series Firewall on Cisco CSP

VM-Series on Cisco CSP System Requirements

Deploy the VM-Series Firewall on Cisco CSP

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Set Up the VM-Series Firewall on Nutanix AHV

VM Monitoring on Nutanix

About VM Monitoring on Nutanix

Install the Panorama Plugin for Nutanix

Configure the Panorama Plugin for Nutanix

Bootstrap the VM-Series Firewall

Choose a Bootstrap Method

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on AWS

Bootstrap the VM-Series Firewall on Azure

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Google Cloud Platform

Bootstrap the VM-Series Firewall on Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on KVM

Bootstrap the VM-Series Firewall on KVM with an ISO

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Verify Bootstrap Completion

Bootstrap Errors

Bootstrap the VM-Series Firewall on OCI

Bootstrap the VM-Series Firewall on Azure Stack HCI

Set Up the VM-Series Firewall on IBM Cloud

About the VM-Series Firewall on IBM Cloud

Prepare to Set Up VM-Series Firewalls on IBM Cloud

Deploy the VM-Series Firewall Using IBM Cloud Schematics

High Resiliency for VM-Series Firewall on IBM Cloud

Use Case: Deploy a NLB Using the VM-Series Firewall

VM-Series Performance & Capacity

VM-Series Performance and Capacity on Public Clouds

VM-Series on AWS Performance and Capacity

VM-Series Models on AWS EC2 Instances

VM-Series on Azure Performance and Capacity

VM-Series Models on Azure Virtual Machines (VMs)

VM-Series on Google Performance and Capacity

VM-Series on Oracle Performance and Capacity

VM-Series Deployment Guide

About the VM-Series Firewall

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (HA Pair)

Upgrade the PAN-OS Software Version Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

VM-Series Plugin

Configure the VM-Series Plugin on the Firewall

Upgrade the VM-Series Plugin

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

Custom PAN-OS Metrics Published for Monitoring

Interface Used for Accessing External Services on the VM-Series Firewall

PacketMMAP and DPDK Driver Support

Enable ZRAM on the VM-Series Firewall

License the VM-Series Firewall

VM-Series Firewall Licensing

Create a Support Account

Serial Number and CPU ID Format for the VM-Series Firewall

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

Install a License API Key

Use Panorama-Based Software Firewall License Management

Software NGFW Credits

Maximum Limits Based on Memory

Activate Credits

Create a Deployment Profile

Manage a Deployment Profile

Register the VM-Series Firewall (Software NGFW Credits)

Provision Panorama

Transfer Credits

Deactivate License (Software NGFW Credits)

Migrate to a Flexible VM-Series License

Migrate Panorama to a FW-Flex License

Create and Apply a Subscription-Only Auth Code

Renew Your Software NGFW Credit License

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-50 Lite Mode

VM-Series Model License Types

VM-Series Firewall Licenses for Public Clouds

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Activate VM-Series Model Licenses

Activate the License for the VM-Series Firewall (Standalone Version)

Activate the License for the VM-Series Firewall for VMware NSX

Activate Licenses on VM-Series Firewalls on NSX When Panorama has Internet Access

Activate Licenses on VM-Series Firewalls on NSX When Panorama has No Internet Access

Troubleshoot License Activation Issues

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code)

Install a Device Certificate on the VM-Series Firewall

Switch Between the BYOL and the PAYG Licenses

Switch Between VM-Series Model Licenses

Deactivate License(s)

Deactivate a Feature License or Subscription Using the CLI

Renew VM-Series Firewall License Bundles

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Firewall

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Add End-Customer Information for a Registered VM-Series Firewall (API)

What Happens When Licenses Expire?

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Use vMotion to Move the VM-Series Firewall Between Hosts

Use the VM-Series CLI to Swap the Management Interface on ESXi

VM Monitoring on vCenter

About VM Monitoring on VMware vCenter

Install the Panorama Plugin for VMware vCenter

Configure the Panorama Plugin for VMware vCenter

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with Deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV license?

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid license?

Does moving the VM-Series firewall cause license invalidation?

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable ESXi VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on ESXi

VNF Tuning for Performance

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up the VM-Series Firewall on VMware NSX

Set Up the VM-Series Firewall on VMware NSX-V

VM-Series for Firewall NSX-V Overview

What are the Components of the VM-Series for NSX-V Solution?

VM-Series Firewall for NSX-V

Ports/Protocols used Network Communication

How Do the Components in the VM-Series Firewall for NSX-V Solution Work Together?

Integrated Policy Rules

Policy Enforcement using Dynamic Address Groups

What are the Benefits of the NSX-V VM-Series firewall for NSX-V Solution?

What is Multi-Tenant Support on the VM-Series Firewall for NSX-V?

VM-Series Firewall for NSX-V Deployment Checklist

Install the VMware NSX Plugin

Register the VM-Series Firewall as a Service on the NSX-V Manager

Enable Communication Between the NSX-V Manager and Panorama

Create Template(s), Template Stack(s), and Device Group(s) on Panorama

Create the Service Definitions on Panorama

Deploy the VM-Series Firewall

Define an IP Address Pool

Prepare the ESXi Host for the VM-Series Firewall

Deploy the Palo Alto Networks NGFW Service

Enable Large Receive Offload

Create Security Groups and Steering Rules

Create Security Groups and Steering Rules in a Security Centric Deployment

Set Up Dynamic Address Groups on Panorama

Create Steering Rules on Panorama

Create Security Groups and Steering Rules in an Operations Centric Deployment

Set Up Security Groups on the NSX-V Manager

Create Steering Rules on NSX-V Manager

Apply Security Policies to the VM-Series Firewall

Steer Traffic from Guests that are not Running VMware Tools

What is Multi-NSX Manager Support on the VM-Series for NSX-V?

Plan Your Multi-NSX Deployment

Deploy the VM-Series Firewall in a Multi-NSX Manager Environment

Dynamically Quarantine Infected Guests

Migrate Operations-Centric Configuration to Security-Centric Configuration

Add a New Host to Your NSX-V Deployment

Use Case: Shared Compute Infrastructure and Shared Security Policies

Use Case: Shared Security Policies on Dedicated Compute Infrastructure

Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama

Set Up the VM-Series Firewall on VMware NSX-T (North-South)

Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

Components of the VM-Series Firewall on NSX-T (North-South)

Deploy the VM-Series Firewall on NSX-T (North-South)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Deploy the VM-Series Firewall

Direct Traffic to the VM-Series Firewall

Apply Security Policy to the VM-Series Firewall on NSX-T

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Set Up the VM-Series Firewall on NSX-T (East-West)

Components of the VM-Series Firewall on NSX-T (East-West)

VM-Series Firewall on NSX-T (East-West) Integration

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Deploy the VM-Series Firewall on NSX-T (East-West)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Add a Service Chain

Direct Traffic to the VM-Series Firewall

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Use vMotion to Move the VM-Series Firewall Between Hosts

Deploy the VM-Series Using the Security-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Groups

Create Security Policies

Use the Pre Rulebase to Define NSX-T Steering Rules

Use the Post Rulebase to Define NSX-T Steering Rules

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Group Membership Criteria

Generate Steering Policy

Generate Steering Rules

Delete a Service Definition from Panorama

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Extend Security Policy from NSX-V to NSX-T

Migrate Your VM-Series Deployment from NSX-V to NSX-T

Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS EC2 Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

VM-Series Firewall on AWS Outposts

AWS Terminology

Management Interface Mapping for Use with Amazon ELB

Performance Tuning for the VM-Series on AWS

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Launch the VM-Series Firewall on AWS Outpost

Create a Custom Amazon Machine Image (AMI)

Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable CloudWatch Monitoring on the VM-Series Firewall

Panorama Orchestrated Deployment in AWS

Prepare for an Orchestrated AWS Deployment

Orchestrate a VM-Series Firewall Deployment in AWS

View the Deployment Status

Traffic Flow and Configurations

VM-Series Integration with an AWS Gateway Load Balancer

Manual Integration of the VM-Series with a Gateway Load Balancer

Enable VM-Series Integration with a Gateway Load Balancer

Manually Integrate the VM-Series with a Gateway Load Balancer

Associate a VPC Endpoint with a VM-Series Interface

Enable Overlay Routing for the VM-Series on AWS

VM-Series Auto Scaling Group with AWS Gateway Load Balancer

Before Launching the Templates

Launch the Firewall Template

Launch the Application Template

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

Heartbeat Polling and Hello Messages

Device Priority and Preemption

Configure Active/Passive HA on AWS Using a Secondary IP

Configure Active/Passive HA on AWS Using Interface Move

Migrate Active/Passive HA on AWS

Migrate Active/Passive HA on AWS to Secondary IP Mode

Migrate Active/Passive HA on AWS to Interface Move Mode

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

Resource Monitoring on AWS

AWS Resource Monitoring with the AWS Plugin on Panorama

Set Up the AWS Plugin for Monitoring on Panorama

Auto Scaling VM-Series Firewalls with the Amazon ELB Service

VM-Series Auto Scaling Templates for AWS Version 2.0

What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?

How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?

Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)

Customize the Firewall Template Before Launch (v2.0 and v2.1)

Launch the VM-Series Auto Scaling Template for AWS (v2.0)

Customize the Bootstrap.xml File (v2.0)

Create a new Bootstrap File from Scratch

Use the GitHub Bootstrap Files as Seed

SQS Messaging Between the Application Template and Firewall Template

Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)

Modify Administrative Account and Update Stack (v2.0)

VM-Series Auto Scaling Templates for AWS Version 2.1

Launch the Firewall Template (v2.1)

Launch the Application Template (v2.1)

Create a Custom Amazon Machine Image (v2.1)

VM-Series Auto Scaling Template Cleanup (v2.1)

SQS Messaging Between the Application Template and Firewall Template (v2.1)

Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)

Modify Administrative Account (v2.1)

Change Scaling Parameters and CloudWatch Metrics (v2.1)

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Set Up the VM-Series Firewall on KVM

VM-Series on KVM— Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Install the VM-Series Firewall Using Virt-Manager

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on KVM

Install the VM-Series Firewall Using an ISO

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Use the VM-Series CLI to Swap the Management Interface on KVM

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series Firewall

Azure Security Center Integration

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

VM-Series on Azure Service Principal Permissions

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

Panorama Orchestrated Deployments in Azure Networks

Prepare for an Orchestrated Deployment

Orchestrate a VM-Series Firewall Deployment in Azure

Create a Custom VM-Series Image for Azure

Use Azure Security Center Recommendations to Secure Your Workloads

Use Panorama to Forward Logs to Azure Security Center

Deploy the VM-Series Firewall on Azure Stack

Enable Azure Application Insights on the VM-Series Firewall

Monitoring on Azure

About Monitoring on Azure

Set Up the Azure Plugin for Monitoring on Panorama

Attributes Monitored Using the Panorama Plugin on Azure

Set up Active/Passive HA on Azure

Use the ARM Template to Deploy the VM-Series Firewall

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Template

Deploy the Template to Azure

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Secure Kubernetes Services on Azure

How Does the Azure Plugin Secure Kubernetes Services?

Use Panorama to Manage VM-Series Firewalls on AKS

Set Up the VM-Series Firewall on OpenStack

VM-Series Deployments in OpenStack

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic Gateway Deployment

Heat Templates for Service Chaining and Service Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

Install the VM-Series Firewall in a Basic Gateway Deployment

Install the VM-Series Firewall with Service Chaining or Scaling

Set Up the VM-Series Firewall on Google Cloud Platform

About the VM-Series Firewall on Google Cloud Platform

Supported Deployments on Google Cloud Platform

Prepare to Set Up VM-Series Firewalls on Google Public Cloud

Deploy the VM-Series Firewall on Google Cloud Platform

Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

Management Interface Swap for Google Cloud Platform Load Balancing

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable Google Stackdriver Monitoring on the VM Series Firewall

Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

Use Dynamic Address Groups to Secure Instances Within the VPC

Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall

VM Monitoring with the Google Cloud Platform Plugin

Configure VM Monitoring

Auto Scaling the VM-Series Firewall on Google Cloud Platform

Auto Scaling Components for Google Cloud Platform

Deploy GCP Auto Scaling Templates

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Set Up a VM-Series Firewall on a Cisco ENCS Network

Plan Your Cisco ENCS Deployment

Prepare the VM-Series Firewall Image for Cisco ENCS

Deploy the VM-Series Firewall on Cisco ENCS

Set up the VM-Series Firewall on Oracle Cloud Infrastructure

OCI Shape Types

Deployments Supported on OCI

Prepare to Set Up the VM-Series Firewall on OCI

Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Configure Active/Passive HA on OCI

Set Up the VM-Series Firewall on Alibaba Cloud

VM-Series Firewall on Alibaba Cloud

Minimum System Requirements for the VM-Series Firewall on Alibaba Cloud

Prepare to Deploy the VM-Series Firewall on Alibaba Cloud

Deploy the VM-Series Firewall on Alibaba Cloud

Create a VPC and Configure Networks

Create and Configure the VM-Series Firewall

Secure North-South Traffic on Alibaba Cloud

Configure Load Balancing on Alibaba Cloud

Set Up a Firewall in Cisco ACI

Palo Alto Firewall Integration with Cisco ACI

Service Graph Templates

Multi-Context Deployments

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Endpoint Monitoring in Cisco ACI

Install the Cisco ACI Plugin for Panorama

Configure the Cisco ACI Plugin

Panorama Plugin for Cisco ACI Dashboard

Set Up the VM-Series Firewall on Cisco CSP

VM-Series on Cisco CSP System Requirements

Deploy the VM-Series Firewall on Cisco CSP

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Set Up the VM-Series Firewall on Nutanix AHV

VM Monitoring on Nutanix

About VM Monitoring on Nutanix

Install the Panorama Plugin for Nutanix

Configure the Panorama Plugin for Nutanix

Bootstrap the VM-Series Firewall

Choose a Bootstrap Method

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on AWS

Bootstrap the VM-Series Firewall on Azure

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Google Cloud Platform

Bootstrap the VM-Series Firewall on Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on KVM

Bootstrap the VM-Series Firewall on KVM with an ISO

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Verify Bootstrap Completion

Bootstrap Errors

VM-Series Performance & Capacity

VM-Series Performance and Capacity on Public Clouds

VM-Series on AWS Performance and Capacity

VM-Series on Azure Performance and Capacity

VM-Series on Google Performance and Capacity

VM-Series on Oracle Performance and Capacity

VM-Series Models on AWS EC2 Instances

VM-Series Models on Azure Virtual Machines (VMs)

VM-Series Deployment Guide

About the VM-Series Firewall

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (HA Pair)

Upgrade the PAN-OS Software Version Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

VM-Series Plugin

Configure the VM-Series Plugin on the Firewall

Upgrade the VM-Series Plugin

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

Custom PAN-OS Metrics Published for Monitoring

Interface Used for Accessing External Services on the VM-Series Firewall

PacketMMAP and DPDK Driver Support

License the VM-Series Firewall

VM-Series Firewall Licensing

Create a Support Account

Serial Number and CPU ID Format for the VM-Series Firewall

Software NGFW Credits

Activate Credits

Transfer Credits

Create a Deployment Profile

Manage a Deployment Profile

Provision Panorama

Deactivate a Firewall

Migrate to a Flexible VM-Series License

Migrate Panorama to a FW-Flex License

Create and Apply a Subscription-Only Auth Code

Renew Your Software NGFW Credit License

Amend and Extend a Credit Pool

Delicense Ungracefully Terminated Firewalls

Software NGFW Licensing API

Manage Deployment Profiles Using the Licensing API

Create a Deployment Profile Using the Licensing API

Update a Deployment Profile Using the Licensing API

Generate Your OAuth Client Credentials

Get Serial Numbers Associated with an Authcode Using the API

Deactivate a VM-Series Firewall Using the API

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-50 Lite Mode

VM-Series Model License Types

VM-Series Firewall for NSX Licenses

VM-Series Firewall Licenses for Public Clouds

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Activate the License

Activate the License for the VM-Series Firewall (Standalone Version)

Activate the License for the VM-Series Firewall for VMware NSX

Activate Licenses on VM-Series Firewalls on NSX When Panorama has Internet Access

Activate Licenses on VM-Series Firewalls on NSX When Panorama has No Internet Access

Troubleshoot License Activation Issues

Switch Between the BYOL and the PAYG Licenses

Switch Between VM-Series Model Licenses

Renew VM-Series Firewall License Bundles

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

Register the VM-Series Firewall

Register the VM-Series Firewall (Software NGFW Credits)

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code)

Use Panorama-Based Software Firewall License Management

Install a Device Certificate on the VM-Series Firewall

Deactivate the License(s)

Install a License Deactivation API Key

Deactivate a Feature License or Subscription Using the CLI

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Firewall

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Add End-Customer Information for a Registered VM-Series Firewall (API)

What Happens When Licenses Expire?

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Use vMotion to Move the VM-Series Firewall Between Hosts

Use the VM-Series CLI to Swap the Management Interface on ESXi

VM Monitoring on vCenter

About VM Monitoring on VMware vCenter

Install the Panorama Plugin for VMware vCenter

Configure the Panorama Plugin for VMware vCenter

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with Deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV license?

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid license?

Does moving the VM-Series firewall cause license invalidation?

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable Multi-Queue Support for NICs on ESXi

VNF Tuning for Performance

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up the VM-Series Firewall on VMware NSX

Set Up the VM-Series Firewall on VMware NSX-V

VM-Series for Firewall NSX-V Overview

What are the Components of the VM-Series for NSX-V Solution?

VM-Series Firewall for NSX-V

Ports/Protocols used Network Communication

How Do the Components in the VM-Series Firewall for NSX-V Solution Work Together?

Integrated Policy Rules

Policy Enforcement using Dynamic Address Groups

What are the Benefits of the NSX-V VM-Series firewall for NSX-V Solution?

What is Multi-Tenant Support on the VM-Series Firewall for NSX-V?

VM-Series Firewall for NSX-V Deployment Checklist

Install the VMware NSX Plugin

Register the VM-Series Firewall as a Service on the NSX-V Manager

Enable Communication Between the NSX-V Manager and Panorama

Create Template(s), Template Stack(s), and Device Group(s) on Panorama

Create the Service Definitions on Panorama

Deploy the VM-Series Firewall

Define an IP Address Pool

Prepare the ESXi Host for the VM-Series Firewall

Deploy the Palo Alto Networks NGFW Service

Enable Large Receive Offload

Create Security Groups and Steering Rules

Create Security Groups and Steering Rules in a Security Centric Deployment

Set Up Dynamic Address Groups on Panorama

Create Steering Rules on Panorama

Create Security Groups and Steering Rules in an Operations Centric Deployment

Set Up Security Groups on the NSX-V Manager

Create Steering Rules on NSX-V Manager

Apply Security Policies to the VM-Series Firewall

Steer Traffic from Guests that are not Running VMware Tools

What is Multi-NSX Manager Support on the VM-Series for NSX-V?

Plan Your Multi-NSX Deployment

Deploy the VM-Series Firewall in a Multi-NSX Manager Environment

Add a New Host to Your NSX-V Deployment

Dynamically Quarantine Infected Guests

Migrate Operations-Centric Configuration to Security-Centric Configuration

Use Case: Shared Compute Infrastructure and Shared Security Policies

Use Case: Shared Security Policies on Dedicated Compute Infrastructure

Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama

Set Up the VM-Series Firewall on VMware NSX-T (North-South)

Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

Components of the VM-Series Firewall on NSX-T (North-South)

Deploy the VM-Series Firewall on NSX-T (North-South)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Deploy the VM-Series Firewall

Direct Traffic to the VM-Series Firewall

Apply Security Policy to the VM-Series Firewall on NSX-T

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Set Up the VM-Series Firewall on NSX-T (East-West)

Components of the VM-Series Firewall on NSX-T (East-West)

VM-Series Firewall on NSX-T (East-West) Integration

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Deploy the VM-Series Firewall on NSX-T (East-West)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Add a Service Chain

Direct Traffic to the VM-Series Firewall

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS EC2 Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

VM-Series Firewall on AWS Outposts

AWS Terminology

Management Interface Mapping for Use with Amazon ELB

Performance Tuning for the VM-Series on AWS

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Launch the VM-Series Firewall on AWS Outpost

Create a Custom Amazon Machine Image (AMI)

Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable CloudWatch Monitoring on the VM-Series Firewall

VM-Series Firewall Startup and Health Logs on AWS

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

Heartbeat Polling and Hello Messages

Device Priority and Preemption

Configure Active/Passive HA on AWS Using a Secondary IP

Configure Active/Passive HA on AWS Using Interface Move

Migrate Active/Passive HA on AWS

Migrate Active/Passive HA on AWS to Secondary IP Mode

Migrate Active/Passive HA on AWS to Interface Move Mode

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

VM Monitoring on AWS

VM Monitoring with the AWS Plugin on Panorama

Set Up the AWS Plugin for VM Monitoring on Panorama

Auto Scaling VM-Series Firewalls with the Amazon ELB Service

VM-Series Auto Scaling Templates for AWS Version 2.0

What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?

How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?

Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)

Customize the Firewall Template Before Launch (v2.0 and v2.1)

Launch the VM-Series Auto Scaling Template for AWS (v2.0)

Customize the Bootstrap.xml File (v2.0)

Create a new Bootstrap File from Scratch

Use the GitHub Bootstrap Files as Seed

SQS Messaging Between the Application Template and Firewall Template

Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)

Modify Administrative Account and Update Stack (v2.0)

VM-Series Auto Scaling Templates for AWS Version 2.1

Launch the Firewall Template (v2.1)

Launch the Application Template (v2.1)

Create a Custom Amazon Machine Image (v2.1)

VM-Series Auto Scaling Template Cleanup (v2.1)

SQS Messaging Between the Application Template and Firewall Template (v2.1)

Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)

Modify Administrative Account (v2.1)

Change Scaling Parameters and CloudWatch Metrics (v2.1)

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Set Up the VM-Series Firewall on KVM

VM-Series on KVM— Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Install the VM-Series Firewall Using Virt-Manager

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on KVM

Install the VM-Series Firewall Using an ISO

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Use the VM-Series CLI to Swap the Management Interface on KVM

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series Firewall

Azure Security Center Integration

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

VM-Series on Azure Service Principal Permissions

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

Use Azure Security Center Recommendations to Secure Your Workloads

Use Panorama to Forward Logs to Azure Security Center

Deploy the VM-Series Firewall on Azure Stack

Enable Azure Application Insights on the VM-Series Firewall

VM Monitoring on Azure

About VM Monitoring on Azure

Set Up the Azure Plugin for VM Monitoring on Panorama

Attributes Monitored Using the Panorama Plugin on Azure

Set up Active/Passive HA on Azure

Use the ARM Template to Deploy the VM-Series Firewall

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Template

Deploy the Template to Azure

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Auto Scaling the VM-Series Firewall on Azure

Auto Scaling on Azure - Components and Planning Checklist

Azure Auto Scaling Deployment Use Cases

Auto Scaling on Azure—How it Works

Deploy Azure Auto Scaling Template

Parameters in the Auto Scaling Templates for Azure

Secure Kubernetes Services on Azure

How Does the Azure Plugin Secure Kubernetes Services?

Use Panorama to Manage VM-Series Firewalls on AKS

Set Up the VM-Series Firewall on OpenStack

VM-Series Deployments in OpenStack

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic Gateway Deployment

Heat Templates for Service Chaining and Service Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

Install the VM-Series Firewall in a Basic Gateway Deployment

Install the VM-Series Firewall with Service Chaining or Scaling

Set Up the VM-Series Firewall on Google Cloud Platform

About the VM-Series Firewall on Google Cloud Platform

Supported Deployments on Google Cloud Platform

Prepare to Set Up VM-Series Firewalls on Google Public Cloud

Deploy the VM-Series Firewall on GCP

Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

Management Interface Swap for Google Cloud Platform Load Balancing

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable Google Stackdriver Monitoring on the VM Series Firewall

Enable VM Monitoring to Track VM Changes on GCP

Secure Firewalls Deployed in GCP with Dynamic Address Groups

Locate VM-Series Firewall Images in the GCP Marketplace

VM Monitoring with the Google Cloud Platform Plugin

Configure VM Monitoring

Auto Scaling the VM-Series Firewall on Google Cloud Platform

Auto Scaling Components for Google Cloud Platform

Deploy GCP Auto Scaling Templates

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Set Up a VM-Series Firewall on a Cisco ENCS Network

Plan Your Cisco ENCS Deployment

Prepare the VM-Series Firewall Image for Cisco ENCS

Deploy the VM-Series Firewall on Cisco ENCS

Set up the VM-Series Firewall on Oracle Cloud Infrastructure

OCI Shape Types

Deployments Supported on OCI

Prepare to Set Up the VM-Series Firewall on OCI

Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Configure Active/Passive HA on OCI

Set Up the VM-Series Firewall on Alibaba Cloud

VM-Series Firewall on Alibaba Cloud

Minimum System Requirements for the VM-Series Firewall on Alibaba Cloud

Prepare to Deploy the VM-Series Firewall on Alibaba Cloud

Deploy the VM-Series Firewall on Alibaba Cloud

Create a VPC and Configure Networks

Create and Configure the VM-Series Firewall

Secure North-South Traffic on Alibaba Cloud

Configure Load Balancing on Alibaba Cloud

Set Up a Firewall in Cisco ACI

Palo Alto Firewall Integration with Cisco ACI

Service Graph Templates

Multi-Context Deployments

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Endpoint Monitoring in Cisco ACI

Install the Cisco ACI Plugin for Panorama

Configure the Cisco ACI Plugin

Panorama Plugin for Cisco ACI Dashboard

Set Up the VM-Series Firewall on Cisco CSP

VM-Series on Cisco CSP System Requirements

Deploy the VM-Series Firewall on Cisco CSP

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Set Up the VM-Series Firewall on Nutanix AHV

VM Monitoring on Nutanix

About VM Monitoring on Nutanix

Install the Panorama Plugin for Nutanix

Configure the Panorama Plugin for Nutanix

Bootstrap the VM-Series Firewall

Choose a Bootstrap Method

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on AWS

Bootstrap the VM-Series Firewall on Azure

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Google Cloud Platform

Bootstrap the VM-Series Firewall on Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on KVM

Bootstrap the VM-Series Firewall on KVM with an ISO

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Verify Bootstrap Completion

Bootstrap Errors

VM-Series Releases

VM-Series Deployment Guide

About the VM-Series Firewall

VM-Series Deployments

VM-Series in High Availability

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (HA Pair)

Upgrade the PAN-OS Software Version Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

Upgrade the VM-Series Model

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

VM-Series Plugin

Configure the VM-Series Plugin on the Firewall

Upgrade the VM-Series Plugin

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

Custom PAN-OS Metrics Published for Monitoring

Interface Used for Accessing External Services on the VM-Series Firewall

PacketMMAP and DPDK Driver Support

Enable NUMA Performance Optimization on the VM-Series

Enable ZRAM on the VM-Series Firewall

IPv6 Support on Public Cloud

License the VM-Series Firewall

VM-Series Firewall Licensing

Create a Support Account

Serial Number and CPU ID Format for the VM-Series Firewall

Use Panorama-Based Software Firewall License Management

Software NGFW Credits

Maximum Limits Based on Tier and Memory

Activate Credits

Create a Deployment Profile

Manage a Deployment Profile

Register the VM-Series Firewall (Software NGFW Credits)

Provision Panorama

Migrate Panorama to a Software NGFW License

Transfer Credits

Renew Your Software NGFW Credit License

Deactivate License (Software NGFW Credits)

Set the Number of Licensed vCPUs

Customize Dataplane Cores

Migrate a Firewall to a Flexible VM-Series License

Delicense Ungracefully Terminated Firewalls

Software NGFW Licensing API

Manage Deployment Profiles Using the Licensing API

Create a Deployment Profile Using the Licensing API

Update a Deployment Profile Using the Licensing API

Generate Your OAuth Client Credentials

Get Serial Numbers Associated with an Authcode Using the API

Deactivate a VM-Series Firewall Using the API

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-50 Lite Mode

VM-Series Model License Types

VM-Series Firewall Licenses for Public Clouds

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Activate VM-Series Model Licenses

Activate the License for the VM-Series Firewall (Standalone Version)

Activate the License for the VM-Series Firewall for VMware NSX

Activate Licenses on VM-Series Firewalls on NSX When Panorama has Internet Access

Activate Licenses on VM-Series Firewalls on NSX When Panorama has No Internet Access

Troubleshoot License Activation Issues

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code)

Install a Device Certificate on the VM-Series Firewall

Switch Between the BYOL and the PAYG Licenses

Switch Between VM-Series Model Licenses

Deactivate License(s)

Deactivate a Feature License or Subscription Using the CLI

Renew VM-Series Firewall License Bundles

Model-Based Licensing API

Install a License API Key

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

What Happens When Licenses Expire?

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Firewall

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Add End-Customer Information for a Registered VM-Series Firewall (API)

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Use vMotion to Move the VM-Series Firewall Between Hosts

Use the VM-Series CLI to Swap the Management Interface on ESXi

VM Monitoring on vCenter

About VM Monitoring on VMware vCenter

Install the Panorama Plugin for VMware vCenter

Configure the Panorama Plugin for VMware vCenter

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with Deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV license?

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid license?

Does moving the VM-Series firewall cause license invalidation?

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable ESXi VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on ESXi

VNF Tuning for Performance

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up the VM-Series Firewall on VMware NSX-T

Set Up the VM-Series Firewall on VMware NSX-T (North-South)

Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

Components of the VM-Series Firewall on NSX-T (North-South)

Deploy the VM-Series Firewall on NSX-T (North-South)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Deploy the VM-Series Firewall

Direct Traffic to the VM-Series Firewall

Apply Security Policy to the VM-Series Firewall on NSX-T

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Set Up the VM-Series Firewall on NSX-T (East-West)

Components of the VM-Series Firewall on NSX-T (East-West)

VM-Series Firewall on NSX-T (East-West) Integration

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Deploy the VM-Series Using the Operations-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Add a Service Chain

Direct Traffic to the VM-Series Firewall

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Use vMotion to Move the VM-Series Firewall Between Hosts

Deploy the VM-Series Using the Security-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Groups

Create Security Policies

Use the Pre Rulebase to Define NSX-T Steering Rules

Use the Post Rulebase to Define NSX-T Steering Rules

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Group Membership Criteria

Generate Steering Policy

Generate Steering Rules

Delete a Service Definition from Panorama

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Extend Security Policy from NSX-V to NSX-T

Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS EC2 Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

VM-Series Firewall on AWS Outposts

AWS Terminology

Management Interface Mapping for Use with Amazon ELB

Performance Tuning for the VM-Series Firewall on AWS

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Launch the VM-Series Firewall on AWS Outpost

Create a Custom Amazon Machine Image (AMI)

Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable CloudWatch Monitoring on the VM-Series Firewall

VM-Series Firewall Startup and Health Logs on AWS

VM-Series Integration with an AWS Gateway Load Balancer

Manual Integration of the VM-Series with a Gateway Load Balancer

Enable VM-Series Integration with a Gateway Load Balancer

Manually Integrate the VM-Series with a Gateway Load Balancer

Associate a VPC Endpoint with a VM-Series Interface

Enable Overlay Routing for the VM-Series on AWS

VM-Series Integration with AWS Cloud WAN

VM-Series Auto Scaling Group with AWS Gateway Load Balancer

Before Launching the Templates

Launch the Firewall Template

Launch the Application Template

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

Heartbeat Polling and Hello Messages

Device Priority and Preemption

Configure Active/Passive HA on AWS Using a Secondary IP

Configure Active/Passive HA on AWS Using Interface Move

Migrate Active/Passive HA on AWS

Migrate Active/Passive HA on AWS to Secondary IP Mode

Migrate Active/Passive HA on AWS to Interface Move Mode

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

Resource Monitoring on AWS

AWS Resource Monitoring with the AWS Plugin on Panorama

Set Up the AWS Plugin for VM Monitoring on Panorama

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Use AWS Secrets Manager to Store VM-Series Certificates

Panorama Orchestrated Deployments in AWS

Prepare for an Orchestrated AWS Deployment

Orchestrate a VM-Series Firewall Deployment in AWS

View the Deployment Status

Traffic Flow and Configurations

Set Up the VM-Series Firewall on KVM

VM-Series on KVM—Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Install the VM-Series Firewall Using Virt-Manager

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on KVM

Install the VM-Series Firewall Using an ISO

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Use the VM-Series CLI to Swap the Management Interface on KVM

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Intelligent Traffic Offload

Software Cut-through Based Offload

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series Firewall

Azure Security Center Integration

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

VM-Series on Azure Service Principal Permissions

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

Panorama Orchestrated Deployments in Azure

Prepare for an Orchestrated Deployment

Orchestrate a VM-Series Firewall Deployment in Azure

Deploy the VM-Series with the Azure Gateway Load Balancer

Create a Custom VM-Series Image for Azure

Use Azure Security Center Recommendations to Secure Your Workloads

Use Panorama to Forward Logs to Azure Security Center

Deploy the VM-Series Firewall on Azure Stack

Enable Azure Application Insights on the VM-Series Firewall

Monitoring on Azure

About Monitoring on Azure

Set Up the Azure Plugin for Monitoring on Panorama

Attributes Monitored Using the Panorama Plugin on Azure

Set up Active/Passive HA on Azure

Use Azure Key Vault to Store VM-Series Certificates

Use the ARM Template to Deploy the VM-Series Firewall

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Template

Deploy the Template to Azure

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Secure Kubernetes Services on Azure

How Does the Panorama Plugin for Azure Secure Kubernetes Services?

Secure an AKS Cluster

Deploy the VM-Series Firewall on Azure Stack HCI

Set Up the VM-Series Firewall on OpenStack

VM-Series Deployments in OpenStack

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic Gateway Deployment

Heat Templates for Service Chaining and Service Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

Install the VM-Series Firewall in a Basic Gateway Deployment

Install the VM-Series Firewall with Service Chaining or Scaling

Set Up the VM-Series Firewall on Google Cloud Platform

About the VM-Series Firewall on Google Cloud Platform

Supported Deployments on Google Cloud Platform

Prepare to Set Up VM-Series Firewalls on Google Public Cloud

Deploy the VM-Series Firewall on Google Cloud Platform

Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

Management Interface Swap for Google Cloud Platform Load Balancing

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable Google Stackdriver Monitoring on the VM Series Firewall

Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

Use Dynamic Address Groups to Secure Instances Within the VPC

Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall

VM Monitoring with the Panorama Plugin for GCP

Configure VM Monitoring with the Panorama Plugin for GCP

Auto Scaling the VM-Series Firewall on Google Cloud Platform

Auto Scaling Components for Google Cloud Platform

Deploy GCP Auto Scaling Templates

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Set up Active/Passive HA on Google Cloud Platform

Architecture of Active/Passive HA on GCP

Deploy the GCP Active/Passive HA

Set Up a VM-Series Firewall on a Cisco ENCS Network

Plan Your Cisco ENCS Deployment

Prepare the VM-Series Firewall Image for Cisco ENCS

Deploy the VM-Series Firewall on Cisco ENCS

Set up the VM-Series Firewall on Oracle Cloud Infrastructure

OCI Shape Types

Deployments Supported on OCI

Prepare to Set Up the VM-Series Firewall on OCI

Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Configure Active/Passive HA on OCI

Set Up the VM-Series Firewall on Alibaba Cloud

VM-Series Firewall on Alibaba Cloud

Minimum System Requirements for the VM-Series Firewall on Alibaba Cloud

Prepare to Deploy the VM-Series Firewall on Alibaba Cloud

Deploy the VM-Series Firewall on Alibaba Cloud

Create a VPC and Configure Networks

Create and Configure the VM-Series Firewall

Secure North-South Traffic on Alibaba Cloud

Configure Load Balancing on Alibaba Cloud

Set up Active/Passive HA on Alibaba Cloud

Deploy the Active/Passive HA on Alibaba Cloud

Set Up a Firewall in Cisco ACI

Palo Alto Networks Firewall Integration with Cisco ACI

Service Graph Templates

Multi-Context Deployments

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Endpoint Monitoring in Cisco ACI

Install the Panorama Plugin for Cisco ACI

Configure the Cisco ACI Plugin

Panorama Plugin for Cisco ACI Dashboard

Set Up the VM-Series Firewall on Cisco CSP

VM-Series on Cisco CSP System Requirements

Deploy the VM-Series Firewall on Cisco CSP

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Set Up the VM-Series Firewall on Nutanix AHV

VM Monitoring on Nutanix

About VM Monitoring on Nutanix

Install the Panorama Plugin for Nutanix

Configure the Panorama Plugin for Nutanix

Bootstrap the VM-Series Firewall

Choose a Bootstrap Method

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on AWS

Bootstrap the VM-Series Firewall on Azure

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Google Cloud Platform

Bootstrap the VM-Series Firewall on Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on KVM

Bootstrap the VM-Series Firewall on KVM with an ISO

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Verify Bootstrap Completion

Bootstrap Errors

Bootstrap the VM-Series Firewall on Azure Stack HCI

Set Up the VM-Series Firewall on IBM Cloud

About the VM-Series Firewall on IBM Cloud

Prepare to Set Up VM-Series Firewalls on IBM Cloud

Deploy the VM-Series Firewall Using IBM Cloud Schematics

High Resiliency for VM-Series Firewall on IBM Cloud

Use Case: Deploy a NLB Using the VM-Series Firewall

VM-Series Performance & Capacity

VM-Series Performance and Capacity on Public Clouds

VM-Series on Amazon Web Services Performance and Capacity

VM-Series Models on AWS EC2 Instances

VM-Series Models on Azure Virtual Machines (VMs)

VM-Series on AWS Capability Matrix

VM-Series on Azure Capability Matrix

VM-Series on Google Cloud Platform Performance and Capacity

VM-Series on Microsoft Azure Performance and Capacity

VM-Series Performance & Capacity on Public Clouds

VM-Series Performance and Capacity on Public Clouds

VM-Series on AWS Capability Matrix

VM-Series Models on AWS EC2 Instances

VM-Series on Azure Capability Matrix

VM-Series Models on Azure Virtual Machines (VMs)

VM-Series on Google Cloud Platform Performance and Capacity

VM-Series on Amazon Web Services Performance and Capacity

VM-Series on Microsoft Azure Performance and Capacity

VM-Series Deployment Guide

About the VM-Series Firewall

VM-Series Deployments

VM-Series in High Availability

IPv6 Support on Public Cloud

Upgrade the VM-Series Firewall

Upgrade the PAN-OS Software Version (Standalone Version)

Upgrade the PAN-OS Software Version (HA Pair)

Upgrade the PAN-OS Software Version Using Panorama

Upgrade the PAN-OS Software Version (VM-Series for NSX)

Upgrade the VM-Series for NSX During a Maintenance Window

Upgrade the VM-Series for NSX Without Disrupting Traffic

License the VM-Series Firewall with API key

Upgrade the VM-Series Model in an HA Pair

Downgrade a VM-Series Firewall to a Previous Release

VM-Series Plugin

Configure the VM-Series Plugin on the Firewall

Upgrade the VM-Series Plugin

Enable Jumbo Frames on the VM-Series Firewall

Hypervisor Assigned MAC Addresses

Custom PAN-OS Metrics Published for Monitoring

Interface Used for Accessing External Services on the VM-Series Firewall

PacketMMAP and DPDK Driver Support

Enable NUMA Performance Optimization on the VM-Series

Enable ZRAM on the VM-Series Firewall

License the VM-Series Firewall

VM-Series Firewall Licensing

Create a Support Account

Serial Number and CPU ID Format for the VM-Series Firewall

Use Panorama-Based Software Firewall License Management

Software NGFW Credits

Maximum Limits Based on Memory

Activate Credits

Create a Deployment Profile

Manage a Deployment Profile

Register the VM-Series Firewall (Software NGFW Credits)

Provision Panorama

Migrate Panorama to a Software NGFW License

Transfer Credits

Renew Your Software NGFW Credits

Deactivate License (Software NGFW Credits)

Delicense Ungracefully Terminated Firewalls

Set the Number of Licensed vCPUs

Customize Dataplane Cores

Migrate a Firewall to a Flexible VM-Series License

Software NGFW Licensing API

Generate Your OAuth Client Credentials

Manage Deployment Profiles Using the Licensing API

Create a Deployment Profile Using the Licensing API

Update a Deployment Profile Using the Licensing API

Get Serial Numbers Associated with an Authcode Using the API

Deactivate a VM-Series Firewall Using the API

Activate the Deployment Profile

VM-Series Models

VM-Series System Requirements

CPU Oversubscription

VM-50 Lite Mode

VM-Series Model License Types

VM-Series Firewall Licenses for Public Clouds

VM-Series Enterprise License Agreement (Multi-Model ELA)

Manage VM-Series ELA License Tokens

Accept the VM-Series ELA

Activate VM-Series Model Licenses

Activate the License for the VM-Series Firewall (Standalone Version)

Activate the License for the VM-Series Firewall for VMware NSX

Activate Licenses on VM-Series Firewalls on NSX When Panorama has Internet Access

Activate Licenses on VM-Series Firewalls on NSX When Panorama has No Internet Access

Troubleshoot License Activation Issues

Register the VM-Series Firewall

Register the VM-Series Firewall (with auth code)

Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code)

Install a Device Certificate on the VM-Series Firewall

Switch Between the BYOL and the PAYG Licenses

Switch Between VM-Series Model Licenses

Deactivate License(s)

Deactivate a Feature License or Subscription Using the CLI

Renew VM-Series Firewall License Bundles

Model-Based Licensing API

Install a License API Key

Manage the Licensing API Key

Use the Licensing API

Activate Licenses

Deactivate Licenses

Track License Usage

Licensing API Error Codes

What Happens When Licenses Expire?

Licenses for Cloud Security Service Providers (CSSPs)

Get the Auth Codes for CSSP License Packages

Register the VM-Series Firewall with a CSSP Auth Code

Add End-Customer Information for a Registered VM-Series Firewall

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Add End-Customer Information for a Registered VM-Series Firewall (API)

Set Up a VM-Series Firewall on an ESXi Server

Supported Deployments on VMware vSphere Hypervisor (ESXi)

VM-Series on ESXi System Requirements and Limitations

VM-Series on ESXi System Requirements

VM-Series on ESXi System Limitations

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

Plan the Interfaces for the VM-Series for ESXi

Provision the VM-Series Firewall on an ESXi Server

Perform Initial Configuration on the VM-Series on ESXi

Add Additional Disk Space to the VM-Series Firewall

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Use vMotion to Move the VM-Series Firewall Between Hosts

Use the VM-Series CLI to Swap the Management Interface on ESXi

Configure Link Aggregation Control Protocol

VM Monitoring on vCenter

About VM Monitoring on VMware vCenter

Install the Panorama Plugin for VMware vCenter

Configure the Panorama Plugin for VMware vCenter

Troubleshoot ESXi Deployments

Basic Troubleshooting

Installation Issues

Issues with Deploying the OVA

Why does the firewall boot into maintenance mode?

How do I modify the base image file for the VM-1000-HV license?

Licensing Issues

Why am I unable to apply the support or feature license?

Why does my cloned VM-Series firewall not have a valid license?

Does moving the VM-Series firewall cause license invalidation?

Connectivity Issues

Why is the VM-Series firewall not receiving any network traffic?

Performance Tuning of the VM-Series for ESXi

Install the NIC Driver on ESXi

Enable DPDK on ESXi

Enable SR-IOV on ESXi

Enable ESXi VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on ESXi

VNF Tuning for Performance

Set Up the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

Deployments Supported on vCloud Air

Deploy the VM-Series Firewall on vCloud Air

Set Up the VM-Series Firewall on VMware NSX-T

Set Up the VM-Series Firewall on VMware NSX-T (North-South)

Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)

Components of the VM-Series Firewall on NSX-T (North-South)

Deploy the VM-Series Firewall on NSX-T (North-South)

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Deploy the VM-Series Firewall

Direct Traffic to the VM-Series Firewall

Apply Security Policy to the VM-Series Firewall on NSX-T

Use vMotion to Move the VM-Series Firewall Between Hosts

Extend Security Policy from NSX-V to NSX-T

Set Up the VM-Series Firewall on NSX-T (East-West)

Components of the VM-Series Firewall on NSX-T (East-West)

VM-Series Firewall on NSX-T (East-West) Integration

Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)

Deploy the VM-Series Using the Operations-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Add a Service Chain

Direct Traffic to the VM-Series Firewall

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Use vMotion to Move the VM-Series Firewall Between Hosts

Deploy the VM-Series Using the Security-Centric Workflow

Install the Panorama Plugin for VMware NSX

Enable Communication Between NSX-T Manager and Panorama

Create Template Stacks and Device Groups on Panorama

Configure the Service Definition on Panorama

Launch the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Groups

Create Security Policies

Use the Pre Rulebase to Define NSX-T Steering Rules

Use the Post Rulebase to Define NSX-T Steering Rules

Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)

Create Dynamic Address Group Membership Criteria

Generate Steering Policy

Generate Steering Rules

Delete a Service Definition from Panorama

Migrate from VM-Series on NSX-T Operation to Security Centric Deployment

Extend Security Policy from NSX-V to NSX-T

Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T

Set Up the VM-Series Firewall on AWS

About the VM-Series Firewall on AWS

AWS EC2 Instance Types

VM-Series Firewall on AWS GovCloud

VM-Series Firewall on AWS China

VM-Series Firewall on AWS Outposts

AWS Terminology

Management Interface Mapping for Use with Amazon ELB

Performance Tuning for the VM-Series Firewall on AWS

Deployments Supported on AWS

Deploy the VM-Series Firewall on AWS

AMI in the Public AWS Cloud

AMI on AWS GovCloud

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Planning Worksheet for the VM-Series in the AWS VPC

Launch the VM-Series Firewall on AWS

Launch the VM-Series Firewall on AWS Outpost

Create a Custom Amazon Machine Image (AMI)

Encrypt EBS Volume for the VM-Series Firewall on AWS

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable CloudWatch Monitoring on the VM-Series Firewall

VM-Series Firewall Startup and Health Logs on AWS

Panorama Orchestrated Deployments in AWS

Prepare for an Orchestrated AWS Deployment

Orchestrate a VM-Series Firewall Deployment in AWS

View the Deployment Status

Traffic Flow and Configurations

VM-Series Integration with an AWS Gateway Load Balancer

Manual Integration of the VM-Series with a Gateway Load Balancer

Enable VM-Series Integration with a Gateway Load Balancer

Manually Integrate the VM-Series with a Gateway Load Balancer

VM-Series Integration with AWS Cloud WAN

Associate a VPC Endpoint with a VM-Series Interface

Enable Overlay Routing for the VM-Series on AWS

VM-Series Auto Scaling Group with AWS Gateway Load Balancer

Before Launching the Templates

Launch the Firewall Template

Launch the Application Template

Enable Session Resiliency on VM-Series for AWS

High Availability for VM-Series Firewall on AWS

Overview of HA on AWS

IAM Roles for HA

Heartbeat Polling and Hello Messages

Device Priority and Preemption

Configure Active/Passive HA on AWS Using a Secondary IP

Configure Active/Passive HA on AWS Using Interface Move

Migrate Active/Passive HA on AWS

Migrate Active/Passive HA on AWS to Secondary IP Mode

Migrate Active/Passive HA on AWS to Interface Move Mode

Use AWS Secrets Manager to Store VM-Series Certificates

Use Case: Secure the EC2 Instances in the AWS Cloud

Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC

Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS

Components of the GlobalProtect Infrastructure

Deploy GlobalProtect Gateways on AWS

Resource Monitoring on AWS

AWS Resource Monitoring with the AWS Plugin on Panorama

Set Up the AWS Plugin for VM Monitoring on Panorama

List of Attributes Monitored on the AWS VPC

IAM Permissions Required for Monitoring the AWS VPC

Set Up the VM-Series Firewall on KVM

VM-Series on KVM—Requirements and Prerequisites

Options for Attaching the VM-Series on the Network

Prerequisites for VM-Series on KVM

Prepare the Linux Server

Prepare to Deploy the VM-Series Firewall

Supported Deployments on KVM

Secure Traffic on a Single Host

Secure Traffic Across Linux hosts

Install the VM-Series Firewall on KVM

Install the VM-Series Firewall Using Virt-Manager

Provision the VM-Series Firewall on a KVM Host

Perform Initial Configuration of the VM-Series Firewall on KVM

Install the VM-Series Firewall Using an ISO

Use an ISO File to Deploy the VM-Series Firewall

Sample XML file for the VM-Series Firewall

Use the VM-Series CLI to Swap the Management Interface on KVM

Enable the Use of a SCSI Controller

Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Configure Link Aggregation Control Protocol

Performance Tuning of the VM-Series for KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

Enable Open vSwitch on KVM

Integrate Open vSwitch with DPDK

Install QEMU, DPDK, and OVS on Ubuntu

Configure OVS and DPDK on the Host

Edit the VM-Series Firewall Configuration File

Enable SR-IOV on KVM

Enable VLAN Access Mode with SR-IOV

Enable Multi-Queue Support for NICs on KVM

Isolate CPU Resources in a NUMA Node on KVM

Intelligent Traffic Offload

Software Cut-through Based Offload

Set Up the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

Secure Traffic on a Single Hyper-V Host

Secure Traffic Across Multiple Hyper-V Hosts

System Requirements on Hyper-V

Linux Integration Services

Install the VM-Series Firewall on Hyper-V

Before You Begin

Virtual Switch Types

MAC Address Spoofing

Performance Tuning of the VM-Series Firewall on Hyper-V

Disable Virtual Machine Queues

Isolate CPU Resources in a NUMA Node

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Perform Initial Configuration on the VM-Series Firewall

Set up the VM-Series Firewall on Azure

About the VM-Series Firewall on Azure

Azure Networking and VM-Series Firewall

Azure Security Center Integration

VM-Series Firewall Templates on Azure

Minimum System Requirements for the VM-Series on Azure

Support for High Availability on VM-Series on Azure

VM-Series on Azure Service Principal Permissions

Deployments Supported on Azure

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

Panorama Orchestrated Deployments in Azure

Prepare for an Orchestrated Deployment

Orchestrate a VM-Series Firewall Deployment in Azure

Deploy the VM-Series with the Azure Gateway Load Balancer

Create a Custom VM-Series Image for Azure

Use Azure Security Center Recommendations to Secure Your Workloads

Use Panorama to Forward Logs to Azure Security Center

Deploy the VM-Series Firewall on Azure Stack

Deploy the VM-Series Firewall on Azure Stack HCI

Enable Azure Application Insights on the VM-Series Firewall

Monitoring on Azure

About Monitoring on Azure

Set Up the Azure Plugin for Monitoring on Panorama

Attributes Monitored Using the Panorama Plugin on Azure

Set up Active/Passive HA on Azure

Use Azure Key Vault to Store VM-Series Certificates

Use the ARM Template to Deploy the VM-Series Firewall

Deploy the VM-Series and Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

Start Using the VM-Series & Azure Application Gateway Template

Start Using the & Azure Application Gateway Template

VM-Series and Azure Application Gateway Template Parameters

Sample Configuration File

Adapt the Template

Secure Kubernetes Services on Azure

How Does the Panorama Plugin for Azure Secure Kubernetes Services?

Secure an AKS Cluster

Set Up the VM-Series Firewall on OpenStack

VM-Series Deployments in OpenStack

Service Chaining and Service Scaling

Components of the VM-Series for OpenStack Solution

Heat Template for a Basic Gateway Deployment

Heat Templates for Service Chaining and Service Scaling

Virtual Network

Virtual Machine

Service Template

Service Instance

Install the VM-Series Firewall in a Basic Gateway Deployment

Install the VM-Series Firewall with Service Chaining or Scaling

Set Up the VM-Series Firewall on Google Cloud Platform

About the VM-Series Firewall on Google Cloud Platform

Supported Deployments on Google Cloud Platform

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Prepare to Set Up VM-Series Firewalls on Google Public Cloud

Deploy the VM-Series Firewall on Google Cloud Platform

Deploy the VM-Series Firewall from Google Cloud Platform Marketplace

Management Interface Swap for Google Cloud Platform Load Balancing

Use the VM-Series Firewall CLI to Swap the Management Interface

Enable Google Stackdriver Monitoring on the VM Series Firewall

Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)

Use Dynamic Address Groups to Secure Instances Within the VPC

Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall

Enable Session Resiliency on VM-Series for GCP

VM Monitoring with the Panorama Plugin for GCP

Configure VM Monitoring with the Panorama Plugin for GCP

Auto Scaling the VM-Series Firewall on Google Cloud Platform

Auto Scaling Components for Google Cloud Platform

Deploy GCP Auto Scaling Templates

Set up Active/Passive HA on Google Cloud Platform

Architecture of Active/Passive HA on GCP

Deploy the GCP Active/Passive HA

Deployment Models for VM-Series on GCP

Auto Scale Model

Active/Passive HA Model

Securing VPC Networks with VM-Series Firewall on GCP

Multiple Network Interface Architecture

VPC network peering model

Network Connectivity Center

Configuring GCP Load Balancer

Onboarding External Load Balancer

Onboarding Global HTTPS Load Balancer

Configuring Global HTTP(s) Load Balancer with XFF Header

Set Up a VM-Series Firewall on a Cisco ENCS Network

Plan Your Cisco ENCS Deployment

Prepare the VM-Series Firewall Image for Cisco ENCS

Deploy the VM-Series Firewall on Cisco ENCS

Set up the VM-Series Firewall on Oracle Cloud Infrastructure

OCI Shape Types

Deployments Supported on OCI

Prepare to Set Up the VM-Series Firewall on OCI

Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Configure Active/Passive HA on OCI

Set Up the VM-Series Firewall on Alibaba Cloud

VM-Series Firewall on Alibaba Cloud

Minimum System Requirements for the VM-Series Firewall on Alibaba Cloud

Prepare to Deploy the VM-Series Firewall on Alibaba Cloud

Deploy the VM-Series Firewall on Alibaba Cloud

Create a VPC and Configure Networks

Create and Configure the VM-Series Firewall

Secure North-South Traffic on Alibaba Cloud

Configure Load Balancing on Alibaba Cloud

Set up Active/Passive HA on Alibaba Cloud

Deploy the Active/Passive HA on Alibaba Cloud

Set Up a Firewall in Cisco ACI

Palo Alto Networks Firewall Integration with Cisco ACI

Service Graph Templates

Multi-Context Deployments

Prepare Your ACI Environment for Integration

Integrate the Firewall with Cisco ACI in Network Policy Mode

Deploy the Firewall to Secure East-West Traffic in Network Policy Mode

Create a Virtual Router and Security Zone

Configure the Network Interfaces

Configure a Static Default Route

Create Address Objects for the EPGs

Create Security Policy Rules

Create a VLAN Pool and Domain

Configure an Interface Policy for LLDP and LACP for East-West Traffic

Establish the Connection Between the Firewall and ACI Fabric

Create a VRF and Bridge Domain

Create an L4-L7 Device

Create a Policy-Based Redirect

Create and Apply a Service Graph Template

Deploy the Firewall to Secure North-South Traffic in Network Policy Mode

Create a VLAN Pool and External Routed Domain

Configure an Interface Policy for LLDP and LACP for North-South Traffic

Create an External Routed Network

Configure Subnets to Advertise to the External Firewall

Create an Outbound Contract

Create an Inbound Web Contract

Apply Outbound and Inbound Contracts to the EPGs

Create a Virtual Router and Security Zone for North-South Traffic

Configure the Network Interfaces

Configure Route Redistribution and OSPF

Configure NAT for External Connections

Endpoint Monitoring in Cisco ACI

Install the Panorama Plugin for Cisco ACI

Configure the Cisco ACI Plugin

Panorama Plugin for Cisco ACI Dashboard

Set Up the VM-Series Firewall on Cisco CSP

VM-Series on Cisco CSP System Requirements

Deploy the VM-Series Firewall on Cisco CSP

Endpoint Monitoring for Cisco TrustSec

Panorama Plugin for Cisco TrustSec

Install the Panorama Plugin for Cisco TrustSec

Configure the Panorama Plugin for Cisco TrustSec

Troubleshoot the Panorama Plugin for Cisco TrustSec

Set Up the VM-Series Firewall on Nutanix AHV

VM Monitoring on Nutanix

About VM Monitoring on Nutanix

Install the Panorama Plugin for Nutanix

Configure the Panorama Plugin for Nutanix

Bootstrap the VM-Series Firewall

Choose a Bootstrap Method

VM-Series Firewall Bootstrap Workflow

Bootstrap Package

Bootstrap Configuration Files

Generate the VM Auth Key on Panorama

Create the init-cfg.txt File

init-cfg.txt File Components

Sample init-cfg.txt File

Create the bootstrap.xml File

Prepare the Licenses for Bootstrapping

Prepare the Bootstrap Package

Bootstrap the VM-Series Firewall on AWS

Bootstrap the VM-Series Firewall on Azure

Bootstrap the VM-Series Firewall on Azure Stack HCI

Bootstrap the VM-Series Firewall on ESXi

Bootstrap the VM-Series Firewall on ESXi with an ISO

Bootstrap the VM-Series Firewall on ESXi with a Block Storage Device

Bootstrap the VM-Series Firewall on Google Cloud Platform

Bootstrap the VM-Series Firewall on Hyper-V

Bootstrap the VM-Series Firewall on Hyper-V with an ISO

Bootstrap the VM-Series Firewall on Hyper-V with a Block Storage Device

Bootstrap the VM-Series Firewall on KVM

Bootstrap the VM-Series Firewall on KVM with an ISO

Bootstrap the VM-Series Firewall on KVM With a Block Storage Device

Verify Bootstrap Completion

Bootstrap Errors

Set Up the VM-Series Firewall on IBM Cloud

About the VM-Series Firewall on IBM Cloud

Prepare to Set Up VM-Series Firewalls on IBM Cloud

Deploy the VM-Series Firewall Using IBM Cloud Schematics

High Resiliency for VM-Series Firewall on IBM Cloud

Use Case: Deploy a NLB Using the VM-Series Firewall

Virtual Systems Support on VM-Series Firewall

Licensing and Prerequisites for Virtual Systems Support on VM-Series

System Requirements for Virtual Systems Support on VM-Series

Enable Multiple Virtual Systems Support on VM-Series Firewall

Enable Multiple Virtual Systems Support on VM-Series in Panorama Console

Enable Multiple Virtual Systems Support Using Bootstrap Method

Set up the VM-Series Firewall on Tencent Cloud China

License the VM-Series Firewall on Tencent Cloud

Deploying the VM-Series Firewall on Tencent Cloud

WildFire API Reference

About the WildFire API

WildFire API Access Control

Authenticate Access

Impose API Limits

View WildFire API Usage Statistics

WildFire API Resources

WildFire API Changelog

Standalone WildFire API Subscription

Get Started with the WildFire API

Get Your API Key

Get Your WildFire Public Cloud API Key

Get Your WildFire Appliance API Key

Manage WildFire Appliance API Keys

View All API Keys

Disable or Enable an API Key

Delete an API Key

Export API Key using Secure Copy (SCP)

Import API Keys using Secure Copy (SCP)

Get Your WildFire Public Cloud API Key From the Palo Alto Networks Support Portal

Make Your First WildFire API Call

WildFire API Best Practices

Submit Files and Links through the WildFire API

Submit a Local File to WildFire (API)

Submit a Remote File to WildFire (API)

Submit a Website Link to WildFire (API)

Submit Multiple Website Links to WildFire (API)

Submit a Sample Verdict Change (API)

Get WildFire Information through the WildFire API

Get a WildFire Verdict (WildFire API)

Get Multiple WildFire Verdicts (WildFire API)

Get a List of Samples with Changed WildFire Appliance Verdi...

Get a Sample (WildFire API)

Get a Packet Capture (WildFire API)

Get a WildFire Analysis Report (WildFire API)

Get a Malware Test File (WildFire API)

WildFire API Error Codes

Get URL Web Artifacts

WildFire What's New Guide

Latest WildFire Cloud Features

Advanced WildFire Public Sector Cloud

Advanced WildFire Government Cloud

WildFire Spain Cloud

WildFire Saudi Arabia Cloud

WildFire Israel Cloud

WildFire South Korea Cloud

WildFire Qatar Cloud

WildFire France Cloud

WildFire Taiwan Cloud

WildFire Indonesia Cloud

WildFire Poland Cloud

WildFire Switzerland Cloud

Advanced WildFire Support for Intelligent Run-time Memory Analysis

Shell Script Analysis Support for Wildfire Inline ML

Standalone WildFire API Subscription

WildFire India Cloud

MSI, IQY, and SLK File Analysis

MS Office Analysis Support for Wildfire Inline ML

WildFire Germany Cloud

WildFire Australia Cloud

Executable and Linked Format (ELF) Analysis Support for WildFire Inline ML

Global URL Analysis

WildFire Canada Cloud

WildFire UK Cloud

HTML Application and Link File Analysis

Recursive Analysis

Perl Script Analysis

WildFire U.S. Government Cloud

Real Time WildFire Verdicts and Signatures for PDF and APK Files

Batch File Analysis

Real Time WildFire Verdicts and Signatures for PE and ELF Files

Real Time WildFire Verdicts and Signatures for Documents

Script Sample Analysis

ELF Malware Test File

Email Link Analysis Enhancements

Sample Removal Request

Updated WildFire Cloud Data Retention Period

DEX File Analysis

Network Traffic Profiling

Additional Malware Test Files

Dynamic Unpacking

Windows 10 Analysis Environment

Archive (RAR/7z) and ELF File Analysis

WildFire Analysis of Blocked Files

WildFire Phishing Verdict

Mach-O Support for WildFire Inline ML

WildFire Features in PAN-OS 11.1.3

OOXML Support for WildFire Inline ML

WildFire Features in PAN-OS 11.1

Advanced WildFire Inline Cloud Analysis

WildFire Features in PAN-OS 11.0.2

Hold Mode for WildFire Real-Time Signature Lookup

WildFire Features in PAN-OS 10.2

WF-500B Appliance

WildFire Features in PAN-OS 10.0

WildFire Real-Time Signature Updates

Windows 10 Analysis Environment for the WildFire Appliance

IPv6 Address Support for the WildFire Appliance

WildFire Inline ML

WildFire Features in PAN-OS 9.0

Increased WildFire File Fowarding Capacity

WildFire Appliance Archive Support

WildFire Appliance Script Support

WildFire Appliance Monitoring Enhancements

WildFire Features in PAN-OS 8.1

WildFire Appliance-to-Appliance Encryption

WildFire Features in PAN-OS 8.0

Panorama Centralized Management for WildFire Appliances

WildFire Appliance Clusters

Preferred Analysis for Documents or Executables

Verdict Changes

Verdict Checks with the WildFire Global Cloud

Internal Server Error

Trending Content

Recent Releases

Palo Alto Networks Open-Source Software (OSS) Licenses

PAN-OS OSS Listings

PAN-OS 11.0 OSS Listing

PAN-OS 10.2 OSS Listing

PAN-OS 10.1 OSS Listing

PAN-OS 10.0 OSS Listing

PAN-OS 9.1 OSS Listing

PAN-OS 9.0 OSS Listing

PAN-OS 8.1 OSS Listing

PAN-OS 8.0 OSS Listing

PAN-OS 7.1 OSS Listing

PAN-OS 7.0 OSS Listing

PAN-OS 6.1 OSS Listing

PAN-OS 6.0 OSS Listing

PAN-OS 5.1 OSS Listing

PAN-OS 5.0 OSS Listing

PAN-OS 4.1 OSS Listing

PAN-OS 4.0 OSS Listing

CN-Series OSS Listings

CN-Series 11.0 OSS Listing

CN-Series 10.2 OSS Listing

CN-Series 10.1 OSS Listing

CN-Series 10.0 OSS Listing

Panorama OSS Listings

Panorama 11.0 OSS Listing

Panorama 10.2 OSS Listing

Panorama 10.1 OSS Listing

Panorama 10.0 OSS Listing

Panorama 9.1 OSS Listing

Panorama 9.0 OSS Listing

Panorama 8.1 OSS Listing

Panorama 8.0 OSS Listing

Panorama 7.1 OSS Listing

Panorama 7.0 OSS Listing

Panorama 6.1 OSS Listing

Panorama 6.0 OSS Listing

Panorama 5.0 OSS Listing

Panorama 4.1 OSS Listing

Panorama 4.0 OSS Listing

WildFire OSS Listings

WildFire 11.0 OSS Listing

WildFire 10.2 OSS Listing

WildFire 10.1 OSS Listing

WildFire 10.0 OSS Listing

WildFire 9.1 OSS Listing

WildFire 9.0 OSS Listing

WildFire 8.1 OSS Listing

WildFire 8.0 OSS Listing

WildFire 7.1 OSS Listing

WildFire 7.0 OSS Listing

WildFire 6.1 OSS Listing

WildFire 6.0 OSS Listing

Cortex XDR OSS Listings

GlobalProtect Mobile Security Manager OSS Listings

GlobalProtect Mobile Security Manager 6.2 OSS Listing

GlobalProtect Mobile Security Manager 6.1 OSS Listing

GlobalProtect Mobile Security Manager 6.0 OSS Listing

Traps OSS Listings

Traps Agent 5.0 OSS Listing

Traps Agent and Traps Endpoint Security Manager 4.2 OSS Listing

Traps Agent and Traps Endpoint Security Manager 4.1 OSS Listing

Traps Agent and Traps Endpoint Security Manager 4.0 OSS Listing

Traps Agent and Traps Endpoint Security Manager 3.4 OSS Listing

Traps Agent and Traps Endpoint Security Manager 3.3 OSS Listing

Traps Agent and Traps Endpoint Security Manager 3.2 OSS Listing

GlobalProtect App OSS Listings

GlobalProtect App 6.2 OSS Listing

GlobalProtect App 6.1 OSS Listing

GlobalProtect App 6.0 OSS Listing

GlobalProtect App 5.2 OSS Listing

Remote Browser Isolation (RBI) OSS Listings

What's New in the NetSec Platform

What's New in the NetSec Platform

End User Timeout Notifications

Source IP Address Enforcement for Authentication Cookies

Exclude URLs and Apps for Non-File Based Traffic

Named Configuration Snapshots for Strata Cloud Manager

New Prisma Access Cloud Management Location

Privileged Remote Access

Role-Based Access Control for Managing and Overriding Security Checks

Session Browser for Strata Cloud Managed NGFWs

Support for Brotli Decompression

Log Forwarding from Strata Logging Service China to AWS S3

Specific SD-WAN Path Monitoring

EDM CLI App Version 3.5

NGFW Support for Strata Cloud Manager Configuration APIs

NG-CASB Standalone Web Interface Deprecation in November 2024

Browser-Based Real User Monitoring (RUM)

Configure Phishing Analysis

Explicit Proxy for Colo-Connect

Google Drive Labeling

Identity and Access Management Enhancements

IKE Gateway with Dynamic IPv6 Address Assignment

IPv6 Support on Cellular Interface for PA-415-5G Firewall

Israel and Saudi Arabia Strata Logging Service Region Support

Strata Logging Service License with One Year Log Retention and Unlimited Storage

Multitenant Reports

NPTv6 with Dynamically Assigned IPv6 Address Prefix

Strata Logging Service in Device Associations

Remote Network—High Performance Private App Access Support

RFC6598 Mobile Users Address Pool for New Prisma Access (Managed by Strata Cloud Manager) Deployments

Secure Integration of Third-Party Enterprise Browsers with Explicit Proxy

Security Profile Visibility

Simplified Application Test Configuration

Static IP Address Enhancements for Mobile Users

Streamlined Licensing for Strata Cloud Manager

Support for Proxy ID in IPSec Transport Mode

Test an Enterprise DLP Data Profile Using Dry Run Mode

Wildcard FQDN Configuration for Security Policies in ZTNA Connector

ZTNA Connector for Onboarding Applications

25,000 Remote Network and 50,000 IKE Gateway Support

Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic

Bandwidth Consumption

Best Gateway Selection Criteria

Enhancements for Authentication Using Smart Cards

Explicit Proxy China Support

Explicit Proxy Support for Advanced Services

IP Address Optimization for Explicit Proxy Users- Proxy Deployments

Improved Security with Enhanced Auto VPN Configuration for Large Enterprises

Improvements for Multi Authentication CIE Experience

Intelligent Internal Host Detection

Multiple Virtual Routers Support on SD-WAN Branch

Multitenant Application Monitoring Update

New Check Box for Overriding Security Checks

New Prisma Access Cloud Management Location

PA-455-5G Next-Generation Firewall

Panorama CloudConnector Plugin 2.1.0

Preventing DoS Attacks from Internet with Enhanced DoS and PBP Configurations

Prisma Access Browser Visibility

Remote Browser Isolation in China

Remote Networks—High Performance

Route Summarization for Dynamic Privilege Access

SC-NAT Support for Dynamic Privilege Access

Strata Cloud Manager Centralized Report Management

SD-WAN on 5G Cellular Interface

Simplified Prisma Access Private App Connectivity

Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments

Static IP Address Enhancements for Mobile Users

TLS 1.3 and PubSub Support for Traffic Replication

View and Monitor Colo-Connect

View Prisma Access, Dataplane, and Application and Threats Content Releases in Strata Cloud Manager and Panorama

Wildcard Support for Split Tunnel Settings Based on the Application

ZTNA Connector Support for Commitless App Onboarding

CLI Support to Connect to the GlobalProtect App with SAML Authentication

AI Access Security

Prisma Access Browser

Prisma Access Browser Roles

SASE Easy Onboarding Enhancements

Subscription Usage Visibility Enhancements

Streamlined NGFW Incidents and Alerts Management

AI Runtime Security

Browser Support for Remote Browser Isolation

Cross-Scope References Using Snippets

Disable Default HIP Profiles

Encrypted DNS for DNS Proxy and the Management Interface

Mobile Support for Remote Browser Isolation

Panorama to Strata Cloud Manager Migration

Scan Support for ChatGPT Enterprise App

Support for Deleting Connector IP Blocks

Prisma SD-WAN Support for FedRAMP Moderate Environment

Email DLP Enhancements

Forward Email Alerts and SNMP Traps to External Servers

Auto VPN Support for HA Devices

Policy Management for Your Cloud NGFW Resource Using Strata Cloud Manager

Connect to GlobalProtect App with IPSec Only

Changes to Behavior for Web Traffic Handling

Dynamic Privilege Access

Embedded Browser Framework Upgrade

End User Coaching

Enhanced HIP Remediation Process Improvements

Enhancements for Authentication Using Smart Cards-Authentication Fallback

Enhancements for Authentication Using Smart Cards-Removal of Multiple PIN Prompts

Global Find Using Config Search

Intelligent Portal

Local Configuration Management Support for Firewalls

Manage and Share Common Configuration Using Snippet Sharing

Native IPv6 Compatibility

Overlapping IP Address Support

PA-410R-5G Next-Generation Firewall

Simplified License Activation and Default Tenant Creation

Strata Logging Service in Strata Cloud Manager

Third-Party CDR Integration for Remote Browser Isolation

View and Monitor App Acceleration

View and Monitor Native IPv6 Compatibility

View and Monitor Third-Party Device-IDs

ZTNA Connector Application Discovery, User-ID Across NAT, and Support for Connector IP Block Deletion

Advanced DNS Security

Advanced Threat Prevention (ATP) Support on CN-Series Firewall

Advanced Threat Prevention: Support for Zero-day Exploit Prevention

App Acceleration Support for Additional Apps

Authorized Support Center Support View

Bulk Configuration

Business Continuity During Mergers and Acquisitions

Calgary and South Africa Central Compute Locations

CIE (SAML) Authentication using Embedded Web-view

Configuration File Compression

Dynamic DNS Registration Support for Mobile Users—GlobalProtect

Explicit Proxy Forwarding Profiles with Multiple PAC File Support

Explicit Proxy SAML Authentication Improvements

Explicit Proxy Support for South Africa Central Location

Fast-Session Delete

FedRAMP Moderate

FQDNs for Remote Network and Service Connection IPSec Tunnels

GlobalProtect Portal and Gateway Support for TLSv1.3

GlobalProtect Proxy Enhancements

GlobalProtect Support for PAN-OS-11.2-DHCP-Based IP Address Assignments

GTP Support for Intelligent Security

Increased Maximum Number of Security Rules for PA-3400 Series Firewalls

IPSec Serviceability

Local Deep Learning for Advanced Threat Prevention

Monitor Bandwidth on SD-WAN Devices

NGFW Clustering of PA-7500 Series Firewalls

OOXML Support for WildFire Inline ML

PA-410R Next-Generation Firewall

PA-450R-5G Next-Generation Firewall

PAN-OS 11.0, 11.1, and 11.2 Dataplane Support

PAN-OS 11.2 Support for Panoramas That Manage Prisma Access

Post Quantum Hybrid Key Exchange VPN

Prisma Access Internal Gateway

Remote Network Tunnel Automation API

Static IP Address Allocation for Mobile Users

Strata Cloud Manager Connectivity Using Port 443

TLSv1.3 Support for HSM Integration with SSL Inbound Inspection

User-ID for CN-Series

User-ID Across NAT

Virtual Systems Support on VM-Series Firewall

Intelligent Traffic Offload - Layer 3 (Dynamic Routing) Support on VM-Series Firewall

Intelligent Traffic Offload - NAT Support on VM-Series Firewall

Zero Touch Provisioning (ZTP) Onboarding Enhancements

View Preferred and Base Releases of PAN-OS Software

Additional Private Link Types

Additional SD-WAN Hubs in VPN Cluster

Aggregate Ethernet Interface Usability Enhancement

App SLA Assurance Enhancements

Configuration Indicator

Device Onboarding Rules

External Gateway Integration for Prisma Access and On-Premises NGFWs

Enhanced Incident Management

Enterprise DLP Migrator

Prisma SD-WAN OSPF

SDDC — Megaport (VFF)

Site Template Enhancements

Software Cut-through based Offload on CN-Series Firewall

Software Cut Through Support for PA-400 and PA-1400 Series Firewalls

Subscription Usage Visibility for Prisma SD-WAN

Support for Additional System Applications

Support for Configurable Layer 3 Reachability Probes

Standard VPN Enhancements for DC to DC

Strata Cloud Manager: Activity Insights

Strata Cloud Manager: Command Center

SVI Operational Enhancements

Trusted IP List

View Only Administrator Role Enhancement

VRF- Support for Standard VPN, NTP, Syslog, and SNMP

Web Proxy for Cloud-Managed Firewalls

Multitenant Notifications

Authenticate LSVPN Satellite with Serial Number and IP Address Method

Private Key Export in Certificate Management

Clone a Snippet

Security Checks

Disable Tunnel Reoptimization

DNS Reachability

GlobalProtect Portal and Gateway

IP Optimization for Mobile Users - GlobalProtect Deployments

License Enforcement for Mobile Users (Enhancements)

Multiple Virtual Routers Support on SD-WAN Hubs

Native SASE Integration with Prisma SD-WAN

New Prisma Access Cloud Management Location

Normalized Username Formats

PAN-OS Software Patch Deployment

Policy Analyzer

Saudi Arabia Compute Location

Site Template Configuration

TACACS+ Accounting

Tenant Moves and Acquisitions

Traceability and Control of Post-Quantum Cryptography in Decryption

User Session Inactivity Timeout

FedRAMP High "In Process" Requirements and Activation

License Activation Changes

Performance Policy with Forward Error Correction (FEC)

View and Monitor ZTNA Connector Access Objects

Software Cut-Through Support for PA-3400 and PA-5400 Series Firewalls

Persistent NAT for DIPP

ZTNA Connector Wildcard and FQDN Support for Applications and Additional Diagnostic Tools

5G Cellular Interface for IPv4

Advanced WildFire Inline Cloud Analysis

API Key Certificate

App Acceleration in Prisma Access

ARM Support on VM-Series Firewall

Authentication Exemptions for Explicit Proxy

BGP MRAI Configuration Support

Cloud Managed Support for Prisma Access China

Configuration Audit Enhancements

Strata Logging Service with CN-Series Firewall

Device-ID Visibility and Policy Rule Recommendations in PAN-OS

Dynamic IPv6 Address Assignment on the Management Interface

Dynamic Routing in CN-Series HSF

Enhanced IoT Policy Recommendation Workflow for Strata Cloud Manager

Enhanced SaaS Tenants Control

Exclude All Explicit Proxy Traffic from Authentication

GlobalProtect Portal and Gateway Support for TLSv1.3

IKEv2 Certificate Authentication Support for Stronger Authentication

Improved Throughput with Lockless QoS

Incident Dampening

Increased Device Management Capacity for the Panorama Virtual Appliance

Inline Security Checks

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Intelligent Security with PFCP for N6 and SGI Use Cases

IoT Security: Device Visibility and Automatic Policy Rule Recommendations

IoT Security Support for CN-Series

IP Protocol Scan Protection

IPSec VPN Monitoring

IPv6 for BGP Support

Layer 2 Switching Capabilities in ION 3200

Link Aggregation Support on VM-Series

Maximum of 500 Remote Networks Per 1 Gbps IPSec Termination Node

New Platform Support for Web Proxy

New Template Variables

PA-415-5G Next-Generation Firewall

PA-450R Next-Generation Firewall

PA-455 Next-Generation Firewall

PA-5445 Next-Generation Firewall

PA-7500 Next-Generation Firewall

Policy Rulebase Management Using Tags

Post Quantum IKE VPN Support

PPPoE Client for IPv6

Public Cloud SD-WAN High Availability (HA)

Remote Browser Isolation

Secure Copy Protocol (SCP) Support

Security Checks

Service Connection Identity Redistribution Management

Service Provider Backbone Integration

Session Resiliency for the VM-Series on Public Clouds

SNMP-based Discovery for IoT

SNMP Network Discovery for IoT Security

Strata Cloud Manager: Application Name Updates

Support for Strata Logging Service Switzerland Region

TACACS+ Accounting

Throughput Enhancements for Web Proxy

TLSv1.3 Support for Administrative Access Using SSL/TLS Service Profiles

Traceability and Control of Post-Quantum Cryptography in Decryption

Traffic Replication Remote Network and Strata Cloud Manager Support

Used-for-HA Capability on Layer 3 Interfaces

VM-Series Device Management

View and Monitor App Acceleration

View and Monitor Remote Browser Isolation

Virtual Routing Forwarding for WAN Segmentation

Cisco Catalyst SD-WAN Integration

Cloud IP-Tag Collection

Config Version Snapshot

Create a Custom Path Quality Profile

Delete a Snippet

Web Proxy for Cloud-Managed Firewalls

High-Bandwidth Private App Access with Colo-Connect

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Introducing ADEM APIs

Log Viewer Usability Enhancements

New Predefined BGP Redistribution Profile

New Prisma Access Cloud Management Location

Refresh Pre Shared Keys for Auto VPN

Strata Logging Service Regional Support

Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies

Credential Phishing Prevention Support

Prisma Access PAC File Endpoint for Explicit Proxy

User-Based Enforcement for Explicit Proxy Kerberos Authentication

DLP Support for AI Applications

High-Bandwidth Private App Access with Colo-Connect

Traffic Replication and PCAP Support

Third-Party Device-ID in Prisma Access

New and Remapped Prisma Access Locations and Compute Locations

Transparent SafeSearch Support

Private IP Visibility and Enforcement for Explicit Proxy Traffic Originating from Remote Networks

Service Provider Backbone Integration

Cloud Management of NGFWs

Feature Adoption Dashboard

Best Practices Dashboard

Compliance Summary Dashboard

Security Posture Insights Dashboard

Advanced Threat Prevention Dashboard

Custom Dashboard

Device Health Dashboard

Incidents and Alerts

NGFW SDWAN Dashboard

Capacity Analyzer

Enhancements to CDSS Dashboard

Conditional Connect Method for GlobalProtect

Enhanced Split Tunnel Configuration

Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security

Host Information Profile (HIP) Exceptions for Patch Management

Host Information Profile (HIP) Process Remediation

License Activation

All Users for Prisma Access

High-Performance Branch Sites Visibility

Route Table Visibility at Branch Sites and Service Connections

View Agent-Based Explicit Proxy

View Prisma Access Agent in All Users

View Static IP Address Allocation for Mobile Users

Route Table Visibility at Branch Sites and Service Connections

Support for Prisma Access Browser and Cloud NGFW Data in the Strata Cloud Manager Command Center