>
    Strata Copilot
    Device Setup (Management)
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Strata Cloud Manager Getting Started
    4. Configuration: Strata Cloud Manager
    5. Configuration: NGFW and Prisma Access
    6. Configuration: Device Settings
    7. Device Settings: Device Setup
    8. Device Setup (Management)
    Download PDF
    Strata Cloud Manager

    Device Setup (Management)

    Table of Contents

    Device Setup (Management)

    Learn about the device setup management tabs.
    In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access and set the Configuration Scope to the folder or NGFW you wish to configure. From the scope of your folder or NGFW, select Device Settings > Device Setup > Management.

    General Settings

    General SettingsDescription
    Domain
    Enter the name of the network domain for the NGFW (up to X characters).
    Login BannerEnter text (up to X characters) to display on the login page below the Name and Password fields.
    Force Admins to Acknowledge Login BannerSelect this option to display and force administrators to select I Accept and Acknowledge the Statement Below (above the login banner on the login page), which forces administrators to acknowledge that they understand and accept the contents of the message before they can Login.
    SSL/TLS Service ProfileAssign an existing SSL/TLS service profile or create a new one to specify a certificate and the SSL/TLS protocol settings allowed on the management interface (see Objects > Certificate Management > SSL/TLS Service Profile)
    Time ZoneSelect the time zone of the NGFW.
    LocaleSelect a language for the NGFW.
    LatitudeEnter the latitude (-90.0 to 90.0) of the NGFW.
    LongitudeEnter the longitude (-180.0 to 180.0) of the NGFW.
    Automatically Acquire Commit LockSelect this option to automatically apply a commit lock when you change the candidate configuration.
    Certificate Expiration CheckInstruct Strata Cloud Manager to create warning messages when on-box certificates approach their expiration date. This option is enabled by default.
    Use Hypervisor Assigned Mac Addresses
    Select this option to have the VM-Series NGFW use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS custom schema.
    If you enable this option and use an IPv6 address for the interface, the interface ID cannot use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if you use the EUI-64 format.
    Tunnel AccelerationSelect this option to improve performance and throughput for traffic going through GRE tunnels, VXLAN tunnels, and GTP-U tunnels This option is enabled by default.
    Fail OpenCertain NGFW models have fail-open ports that can be configured to provide a pass-through connection in the event of a power or operating system failure. This feature is disabled by default and must be enabled.

    Service Route Settings

    Service Route SettingsDescription
    Use Management Interface for All/Customize
    Configure your device to route all management traffic (such as updates, logging, and administrative access) through the dedicated management interface instead of through your regular data interfaces. This keeps your management traffic separate from your network traffic.
    Allow you to manually specify which types of management traffic use the management interface and which use your data interfaces. This gives you granular control over how different services communicate.
    IPV4sThe IPv4 network address or address range that your device will use for routing management service traffic. Specify an individual IP address or subnet range depending on your network configuration.
    DestinationsEnter the Destination IP address where your device will send management traffic (such as DNS server, update server, or log collector). This determines where your device routes different types of administrative communications.

    Management Interface Settings

    Management Interface SettingsDescription
    SpeedConfigure a data rate and duplex option for the interface. The choices include 10 Mbps, 100 Mbps, and 1 Gbps at full or half duplex. Use the default autonegotiate setting to have Strata Cloud Manager determine the interface speed.
    MTUEnter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).
    IP Type
    Static—Manually enter the IPv4 or IPv6 address (or both) and one or more default gateways, which are described further down in this table.
    DHCP Client—Configures the MGT interface as a DHCP client so that the NGFW can send DHCP Discover or Request messages to find a DHCP server. The server responds by providing an IP address (IPv4), netmask (IPv4), and default gateway for the MGT interface. DHCP on the MGT interface is turned off by default for the VM-Series NGFW (except for the VM-Series NGFW in AWS and Azure). If you select DHCP Client, optionally select either or both of the following Client Options:
    Send Hostname—Causes the MGT interface to send its hostname to the DHCP server as part of DHCP Option 12.
    Send Client ID—Causes the MGT interface to send its client identifier as part of DHCP Option 61.
    IP Address
    Assign an IP address to the interface.
    Alternatively, you can assign the IP address of a loopback interface for NGFW management. By default, the IP address you enter is the source address for log forwarding.
    NetmaskIf you assigned an IPv4 address to the interface, you must also enter a network mask (for example, 255.255.255.0).
    Default GatewayIf you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).
    Administrative Management Services
    • HTTP—Use this service to access the NGFW web interface.
    HTTP uses plaintext, which isn't as secure as HTTPS. Therefore, Palo Alto Networks recommend you enable HTTPS instead of HTTP for management traffic on the interface.
    • Telnet—Use this service to access the NGFW CLI.
    Telnet uses plaintext, which isn't as secure as SSH. Therefore, Palo Alto Networks recommend you enable SSH instead of Telnet for management traffic on the interface.
    • HTTPS—Use this service for secure access to the NGFW web interface.
    • SSH—Use this service for secure access to the NGFW CLI.
    Network Services
    Select the services you want to enable on the interface:
    • HTTP OCSP—Use this service to configure the NGFW as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
    • Ping—Use this service to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup information.
    • SNMP—Use this service to process NGFW statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
    • User-ID—Use this service to enable data redistribution of user mappings among NGFWs.
    • User-ID Syslog Listener-SSL—Use this service to enable the PAN-OS integrated User-ID™ agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
    • User-ID Syslog Listener-UDP—Use this service to enable the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.
    Permitted IP AddressesEnter the IP addresses from which administrators can access the NGFW through the interface. An empty list (default) specifies that access is available from any IP address.

    Services

    ServicesDescription
    Services
    Update ServerEnter the hostname or IP address of the update server that provides software updates, security patches, and configuration updates for the device.
    Verify Update Server IdentityEnable the NGFW to verify that the server from which the software or content package is downloaded has an SSL certificate signed by a trusted authority. This will help prevent man-in-the-middle attacks and ensure updates come from trusted sources.
    DNS Settings
    Choose the type of DNS service—Servers or DNS Proxy Object—for all DNS queries that the NGFW initiates in support of FQDN address objects, logging, and NGFW management. Options include:
    • Primary and secondary DNS servers to provide domain name resolution.
    • A DNS proxy configured on the NGFW as an alternative to configuring DNS servers. If you enable a DNS proxy, you must enable Cache and EDNS Cache Responses. ManageConfigurationNGFW and Prisma AccessSecurity ServicesDNS Security
    Primary DNS ServerEnter the IP address of the primary DNS server for DNS queries from the NGFW. For example, to find the update server, to resolve DNS entries in logs, or resolve FDQN-based address objects.
    Secondary DNS Server(Optional) Enter the IP address of a secondary DNS server to use if the primary server is unavailable.
    Encrypted DNS Connection TypeSpecify the encryption protocol for DNS queries (e.g., DNS-over-HTTPS, DNS-over-TLS) to protect DNS traffic from eavesdropping and tampering.
    Fallback on Unencrypted DNS Enable to determine whether the device should use standard unencrypted DNS queries if encrypted DNS connections fail. May compromise privacy but ensures connectivity.
    TCP Timeout (sec)Specify the maximum time in seconds to wait for a TCP-based DNS query response before considering it failed and retrying or falling back to alternative servers.
    Minimum FQDN Refresh Time (sec)Set a limit on how fast the NGFW refreshes FQDNs that it receives from a DNS. The NGFW refreshes an FQDN based on the TTL of the FQDN as long as the TTL is greater than or equal to this Minimum FQDN Refresh Time (in seconds). If the TTL is less than this Minimum FQDN Refresh Time, the NGFW refreshes the FQDN based on this Minimum FQDN Refresh Time (that is, the NGFW does not honor TTLs faster than this setting). The timer starts when the NGFW receives a DNS response from the DNS server or DNS proxy object resolving the FQDN (range is 0 to 14,400; default is 30). A setting of 0 means the NGFW will refresh the FQDN based on the TTL value in the DNS and does not enforce a minimum FQDN refresh time.
    FQDN Stale Entry Timeout (min)Specify the length of time (in minutes) that the NGFW continues to use stale FQDN resolutions in the event of a network failure or unreachable DNS server —when an FQDN is not getting refreshed (range is 0 to 10,080; default is 1,440). A value of 0 means the NGFW does not continue to use a stale entry. If the DNS server is still unreachable at the end of the state timeout, the FQDN entry becomes unresolved (stale resolutions are removed).
    ServerIf the NGFW needs to use a proxy server to reach Palo Alto Networks update services, enter the IP address or host name of the proxy server.
    PortEnter the port for the proxy server.
    UserEnter the username for the administrator to enter when accessing the proxy server.
    Password/Confirm PasswordEnter and confirm the password for the administrator to enter when accessing the proxy server.
    Proxy for Cloud Services
    Enable all communication with cloud-based services (such as software updates, telemetry, licensing servers, and remote management platforms) to be routed through the specified proxy server rather than connecting directly to the internet.
    This is commonly required in corporate environments where direct internet access is restricted or where traffic inspection is mandatory for security compliance.
    Proxy for Inline Cloud ServicesSeparate proxy configuration specifically for inline cloud services that may require different routing or authentication than general cloud services.

    Identity Settings

    Identity SettingsDescription
    Collector InterfaceSpecify the network interface designated for collecting and aggregating log data, telemetry, and monitoring information from network traffic or connected devices.

    Dynamic Updates Scheduler

    Dynamic Update SchedulerDescription
    RecurrenceDefine the schedule pattern (daily, weekly, monthly) for automated tasks such as updates, backups, or maintenance operations.
    Minutes Past HourSpecify the exact minute offset within each hour when scheduled tasks should execute (e.g., 15 minutes past every hour would run at 1:15, 2:15, etc.).
    Action
    Download Only—Strata Cloud Manager will download the scheduled update. You must manually install the update on NGFWs and Log Collectors.
    Download and Install—Strata Cloud Manager will download and automatically install the scheduled update.
    Download and SCP—Strata Cloud Manager will download and transfer the content update package to the specified SCP server.
    Disable New Apps in Content Update
    (Applications and Threats)
    You can disable new apps in content updates only if you set the update Type to App or App and Threat and only if Action is set to Download and Install.
    Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable the applications after preparing any policy updates. Then, to enable applications, log in to the NGFW, select DeviceDynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
    Threshold (hours)The time duration in hours that must elapse before a specified action is triggered or a condition is considered met.
    New App-ID Threshold (hours)
    (Applications and Threats)
    		Specify the window in hours during which newly discovered application identifiers are considered "new" before being integrated into standard threat detection processes.
    Sync to PeerEnables synchronization of configuration, policies, or state information with peer devices in a high-availability or clustered deployment.

    Authentication and Accounting Settings

    Authentication and Account SettingsDescription
    Authentication ProfileSelect the authentication profile (or sequence) the NGFW uses to authenticate administrative accounts that you define on an external server instead of locally on the NGFW (see Device > Authentication Profile). When external administrators log in, the NGFW requests authentication and authorization information (such as the administrative role) from the external server.
    Authentication Profile (Non-UI) Specify the authentication method and credentials used for programmatic or API-based access that doesn't involve the web user interface.
    Certificate ProfileSelect a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the NGFW web interface. For instructions on configuring certificate profiles, see
    Accounting Server ProfileConfigure the RADIUS or TACACS+ accounting servers that log user authentication events, session duration, and resource usage for auditing purposes.
    Idle Timeout (min)Enter the maximum time (in minutes) without any activity on the web interface or CLI before an administrator is automatically logged out (range is 0 to 1,440; default is 60). A value of 0 means that inactivity does not trigger an automatic logout.
    API Key Lifetime (min)
    Enter the length of time (in minutes) for which the API key is valid (range is 0 to 525,600; default is 0). A value of 0 means that the API key never expires.
    Expire All API Keys to invalidate all previously generated API keys. Use this option with caution because all existing keys are rendered useless and any operation where you are currently using those API keys will stop functioning.
    API Key CertificateSelect a certificate that will utilize the PAN-OS device certificate management function to encrypt the API key.
    Failed AttemptsEnter the number of failed login attempts (0 to 10) that the NGFW allows for the web interface and CLI before locking out the administrator account. A value of 0 specifies unlimited login attempts. The default value is 0 for NGFWs in normal operational mode and 10 for NGFWs in FIPS-CC mode. Limiting login attempts can help protect the NGFW from brute force attacks.
    Lockout Time (min)Enter the number of minutes (range is 0 to 60) for which the NGFW locks out an administrator from access to the web interface and CLI after reaching the Failed Attempts limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account.
    Max Session Count (number)Enter the number of concurrent sessions allowed for all administrator and user accounts (range is 0 to 4). A value of 0 (default) means that an unlimited amount of concurrent sessions are allowed.
    Mass Session Time (min)Enter the number of minutes (range is 60 to 1,499) that an active, non-idle administrator can remain logged in. Once this max session time is reached, the session is terminated and requires re-authentication to begin another session. The default value is set to 0 (30 days), which cannot be manually entered. If no value is entered, the Max Session Time defaults to 0.

    Aux1 and Aux2 Interface Settings

    Aux1 and Aux2 Interface SettingsDescription
    Enable InterfaceActivates or deactivates the specified network interface for data transmission.
    IP AddressAssign an IP address to the interface. Alternatively, you can assign the IP address of a loopback interface for NGFW management. By default, the IP address you enter is the source address for log forwarding.
    NetmaskIf you assigned an IP address to the interface, you must also enter a network mask (for example, 255.255.255.0).
    Default GatewayIf you assign an IP address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the interface).
    SpeedConfigure a data rate and duplex option for the interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have the NGFW determine the interface speed.
    MTUEnter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 1,500; default is 1,500).
    Administrative Management Services
    • HTTP—Use this service to access the NGFW web interface.
    HTTP uses plaintext, which is not as secure as HTTPS. Therefore, Palo Alto Networks recommend you enable HTTPS instead of HTTP for management traffic on the interface.
    • Telnet—Use this service to access the NGFW CLI.
    Telnet uses plaintext, which is not as secure as SSH. Therefore, Palo Alto Networks recommend you enable SSH instead of Telnet for management traffic on the interface.
    • HTTPS—Use this service for secure access to the NGFW web interface.
    • SSH—Use this service for secure access to the NGFW CLI.
    Network Services
    Select the services you want to enable on the interface:
    • HTTP OCSP—Use this service to configure the NGFW as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
    • Ping—Use this service to test connectivity with external services. For example, you can ping the interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup information.
    • SNMP—Use this service to process NGFW statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
    • User-ID—Use this service to enable Redistribution of user mappings among NGFWs.
    • User-ID Syslog Listener-SSL—Use this service to enable the PAN-OS integrated User-ID™ agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
    • User-ID Syslog Listener-UDP—Use this service to enable the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.
    Permitted IP AddressesEnter the IP addresses from which administrators can access the NGFW through the interface. An empty list (default) specifies that access is available from any IP address.

    Banners and Messages

    Banner and MessagesDescription
    Message of the Day
    Select this option to enable the Message of the Day dialog to display when an administrator logs in to the web interface.
    Enter the text (up to 3,200 characters) for the Message of the Day dialog.
    Allow Do Not Display AgainSelect this option (disabled by default) to include a Do not show again option in the Message of the Day dialog. This gives administrators the option to avoid seeing the same message in subsequent logins.
    TitleEnter text for the Message of the Day header (default is Message of the Day).
    Background ColorSelect a background color for the Message of the Day dialog. The default (None) is a white background.
    Icon
    Select a predefined icon to appear above the text in the Message of the Day dialog:
    • None (default)
    • Error
    • Help
    • Information
    • Warning
    Header BannerEnter the text that the header banner displays (up to 3,200 characters).
    Header ColorSelect a color for the header background. The default (None) is a transparent background.
    Header Text ColorSelect a color for the header text. The default (None) is black.
    Same Banner for Header and FooterSelect this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out.
    Footer BannerEnter the text that the footer banner displays (up to 3,200 characters).
    Footer ColorSelect a color for the footer background. The default (None) is a transparent background.
    Footer Text ColorSelect a color for the footer text. The default (None) is black.

    SNMP Settings

    SNMP SettingsDescription
    Physical LocationSpecify the physical location of the NGFW. When a log or trap is generated, this information allows you to identify (in an SNMP manager) the NGFW that generated the notification.
    ContactEnter the name or email address of the person responsible for maintaining the NGFW. This setting is reported in the standard system information MIB.
    Use Event-Specific Trap DefinitionsThis option is selected by default, which means the NGFW uses a unique OID for each SNMP trap based on the event type. If you clear this option, every trap will have the same OID.
    Version
    Select the SNMP version: V2c (default) or V3. Your selection controls the remaining fields that the dialog displays.
    SNMP Community String (V2C)
    Enter the community string, which identifies an SNMP community of SNMP managers and monitored devices and also serves as a password to authenticate the community members to each other when they exchange SNMP get (statistics request) and trap messages. The string can have up to 127 characters, accepts all characters, and is case-sensitive.
    Don’t use the default community string public. Because SNMP messages contain community strings in clear text, consider the security requirements of your network when defining community membership (administrator access).
    Views (V3)You can assign a group of one or more views to the user of an SNMP manager to control which MIB objects (statistics) the user can get from the NGFW. Each view is a paired OID and bitwise mask: the OID specifies a MIB and the mask (in hexadecimal format) specifies which objects are accessible within (include matching) or outside (exclude matching) that MIB.
    Users (V3)
    SNMP user accounts provide authentication, privacy, and access control when NGFWs forward traps and SNMP managers get NGFW statistics. For each user, click Add and configure the following settings:
    • Users—Specify a username to identify the SNMP user account. The username you configure on the NGFW must match the username configured on the SNMP manager. The username can have up to 31 characters.
    • View—Assign a group of views to the user.
    • Auth Password—Specify the authentication password of the user. The NGFW uses the password to authenticate to the SNMP manager when forwarding traps and responding to statistics requests. The password must be 8-256 characters and all characters are allowed.
    • Priv Password—Specify the privacy password of the user. The password must be 8-256 characters and all characters are allowed.
    • Authentication Protocol—The NGFW uses Secure Hash Algorithm (SHA) to hash the password.
      • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
    • Privacy Protocol—The NGFW uses the password and Advanced Encryption Standard (AES) algorithm to encrypt SNMP traps and responses to statistics requests.
      • AES-128, AES-192, AES-256

    Minimum Password Complexity

    Minimum Password ComplexityDescription
    EnabledEnable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the NGFW will adhere to a defined set of password requirements.
    Password Format Requirements
    There are no restrictions on any password field character sets.
    Commonly used words and phrases are not allowed as passwords, regardless of any combination of upper and lower case letters.
    Minimum LengthRequire a minimum password length (range is 1 to 16 characters).
    Minimum Uppercase LettersRequire a minimum number of uppercase letters (ranges is 0 to 16 characters).
    Minimum Lowercase LettersRequire a minimum number of lowercase letters (range is 0 to 16 characters).
    Minimum Numeric LettersRequire a minimum number of numeric letters (range is 0 to 16 numbers).
    Minimum Special CharactersRequire a minimum number of special (non-alphanumeric) characters (range is 0 to 16 characters).
    Block Repeated Characters
    Specify the number of sequential duplicate characters permitted in a password (range is 3 to 16).
    If you set the value to 3, the password can contain the same character in sequence three times but if the same character is used four or more times in sequence, the password is not permitted.
    For example, if the value is set to 3, the system will accept the password test111 or 111test111, but not test1111, because the number 1 appears four times in sequence.
    Block Username Inclusion (Including Reversed)Select this option to prevent the account username (or reversed version of the name) from being used in the password.
    Functionality RequirementsDefines the operational and behavioral rules that passwords must follow beyond basic format complexity to ensure secure password management practices. This setting establishes functional constraints and policies for password usage.
    New Password Differs by CharacterWhen administrators change their passwords, the characters must differ by the specified value.
    Require Password Change on First LoginSelect this option to prompt administrators to change their passwords the first time they log in to the NGFW.
    Prevent and Reuse LimitRequire that a previous password is not reused based on the specified count. For example, if the value is set to 4, you could not reuse any of your last 4 passwords (range is 0 to 50).
    Block Password Change Period (days)Users cannot change their passwords until the specified number of days is reached (range is 0 to 365 days).
    Required Password Change Period (days)Require that administrators change their password on a regular basis (in days) (range is 0 to 365). For example, if the value is set to 90, administrators are prompted to change their password every 90 days.You can also set an expiration warning from 0 to 30 days and specify a grace period.
    Expiration Warning Period (days)If a Required Password Change Period is set, you can use this Expiration Warning Period to prompt users at each log in to change their password when there are less than a specified number of days remaining before the required change date (range is 0 to 30).
    Post Expiration Admin Login CountAllow the administrator to log in a specified number of times after the required change date (range is 0 to 3). For example, if you set this value to 3 and their account has expired, they can log in 3 more times without changing their password before their account is locked out.
    Post Expiration Grace Period (days)Allow the administrator to log in for a specified number of days after the account has expired (range is 0 to 30).

    LLDP

    LLDPDescription
    EnableEnable the Link Layer Discovery Protocol (LLDP).
    Transmit Interval (sec)Specify the interval (in seconds) at which LLDPDUs are transmitted. Range is 1 to 3600; default is 30.
    Transmit Delay (sec)
    Specify the delay time (in seconds) between LLDP transmissions sent after a change is made in a TLV element.
    The Transmit Delay must be less than the Transmit Interval. Range is 1 to 600; default is 2.
    Hold Time MultipleSpecify a value that is multiplied by the Transmit Interval to determine the total TTL Hold Time. Range is 1 to 100; default is 4.
    Notification IntervalSpecify the interval (in seconds) at which LLDP Syslog Messages and SNMP Traps are transmitted when MIB changes occur. Range is 1 to 3600; default is 5.

    Policy Rulebase Settings

    Policy Rulebase SettingsDescription
    Require Tag on PoliciesRequires at least one tag when creating a new policy rule. If a policy rule already exists when you enable this option, you must add at least one tag the next time you edit the rule.
    Require Description on PoliciesRequires that you add a Description when you create a new policy rule. If a policy rule already exists when you enable this option, you must add a Description the next time you edit the rule.
    Fall Commit if Policies Have No Tags or Descriptions
    Forces your commit to fail if you do not add any tags or a description to the policy rule. If a policy rule already exists when you enable this option, the commit will fail if no tag or description are added the next time you edit the rule.
    To fail the commit, you must Require tag on policies or Require description on policies.
    Require Audit Comment on PoliciesRequires Audit Comment when creating a new policy rule. If a policy rule already exists when you enable this option, you must add Audit Comment the next time you edit the rule.
    Audit Comment Regular ExpressionSpecify requirements for the comment format parameters in audit comments.
    Wildcard Top Down Match ModeWhen Wildcard Top Down Match Mode is enabled, when a packet matches Security policy rules that use a source or destination IP address with wildcard mask and the masks overlap, the NGFW chooses the first of those matching rules (in top-down order) that fully matches all address bits based on masking. The default is disabled; in the event of matching overlapping wildcard masks, the NGFW chooses the rule with the longest matching prefix in the wildcard mask.
    Policy Rule Hit CountTracks how often traffic matches the policy rules you configured on the NGFW. When enabled, you can view the total Hit Count for total traffic matches against each rule along with the date and time when the rule was Created, Modified, was First Hit and Last Hit.
    Policy Application UsageDefine how security policies are applied to and enforced on network applications and traffic flows. This setting controls the scope and behavior of policy rules when evaluating application-specific traffic.

    Log Interface

    Log InterfaceDescription
    IP AddressEnter the IP address of the log interface port.
    NetmaskSpecify the network mask for the IP address of the log interface.
    Default GatewayEnter IP address of the default gateway to enable the path for outgoing log.
    IPv6 AddressThe IPv6 address of the log interface port.
    IPv6 Default GatewayThe IPv6 address of the default gateway for the port.
    Link SpeedSelect the interface speed in Mbps or select auto (default) to have the NGFW automatically determine the speed based on the connection. For interfaces that have a non-configurable speed, auto is the only option.
    Link DuplexSelect whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto).
    Link StateSelect whether the interface status is enabled (up), disabled (down), or determined automatically based on the connection (auto). The default is auto.

    Custom Logos

    Custom LogosDescription
    Login ScreenUpload an image for the login screen.
    Main UIUpload an image for the UI.
    PDF Report Title PageUpload an image for the report title page.
    PDF Report FooterUpload an image for the report footer.

    PAN-OS Edge Service Settings

    PAN-OS Edge Service SettingsDescription
    Enable User Context Cloud ServiceEnable the service that the Cloud Identity Engine uses to communicate with your NGFW.
    Enable Host Compliance Cloud ServiceActivate the cloud-based host compliance monitoring service that continuously assesses and validates the security posture of endpoint devices connecting to the network.

    SSH Management Profile Settings

    SSH Management Profile SettingsDescription
    Server ProfileA type of SSH service profile that applies to the SSH sessions for the CLI management connections on your network. To apply an existing server profile, select a profile, click OK, and Commit your change.

    Logging and Reporting Settings

    Logging and Reporting SettingsDescription
    Improved DNS LoggingEnable enhanced DNS query logging that captures additional metadata such as query types, response codes, and client information for better security analysis.

    ACE Settings

    ACE SettingsDescription
    Disable App-ID Cloud Engine
    Disable the App-ID Cloud Engine (ACE). ACE is enabled by default. To disable ACE, click the check box so that ACE is not enabled.

    PAN-OS Security

    PAN-OS SecurityDescription
    Device Security Settings–System Behavior When Security Violation Detected
    Define the device's response when security threats or policy violations are detected, such as blocking traffic, generating alerts, initiating quarantine procedures, or triggering automated remediation actions.

    © 2026 Palo Alto Networks, Inc. All rights reserved.