Monitoring Palo Alto PanOS Firewall Devices

Overview

TOS monitors Palo Alto PanOS firewall devices for policy revision changes. For TOS to show revision accountability and show rule and object usage, you must also configure the device to send syslogs.

To see which TOS features are supported for your device, review the SecureTrack Features by Vendor.

PanOS Clusters

PanOS clusters must be monitored through the VIP address.

In active-passive clusters, there may be temporary data loss during failover until TOS pulls a new revision. TOS only stores one log identifier, and this will be updated after a new revision is retrieved from the new active device.

In active-active clusters, there may be data loss when pulling revisions because TOS only stores one log identifier. In active-active clusters, both devices send syslogs.

Prerequisites

Create a user with the Superuser admin role for the Palo Alto PanOS firewall device. For PanOS 4.1 and higher you can also use a Superuser (read-only) user. TOS does not write anything to the Palo Alto device for either user role.

Recommendations

  • TOS and the monitored devices must be synchronized with the correct date and time, either manually or automatically. We recommend that you also configure the devices to resolve DNS queries.

  • Object usage analysis requires plenty of free disk space (depending on the number of gateways and the amount of traffic logs generated). If disk space is limited, you can configure TOS to limit the number of days that data is kept.

  • Enable TOS administrative alerts, which notify you if there is low disk space on the server. When disk utilization exceeds 90% in the partition that has the database, TOS sends an alert.

  • Clusters are only fully supported when managed by a Panorama device. When adding standalone PanOS clusters without a Panorama, add the standby member with a different IP address (if possible), and disable usage analysis collection and topology. This will prevent the standby member from appearing in the Map, and ensure that routing is correct.

Add a Device

  1. Select Palo Alto > PanOS:

  2. Configure the device settings:

    • Name for Display

    • Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • Get revisions from: One of the following:

      • IP Address: Revisions are retrieved automatically

        Enter the IP of the management device. If the device is in a cluster, enter the VIP.

      • Offline File: (If available) Revisions are manually uploaded to TOS for Offline Analysis

        This option is disabled for Panorama devices.

    • ST server: In a distributed deployment, select which TOS cluster monitors this device (not shown in image)

    • To enable adding and monitoring Virtual Systems, select This device has Virtual Systems configured. If selected, Usage Analysis is moved to the Import Virtual Systems step.

    Usage Analysis

    • Collect traffic logs for rule usage analysis is necessary for Rule Usage reports.

    • Collect counters for object usage analysis enables Rule Usage reports to include per-object usage information.

      • Collect traffic logs for object usage analysis is necessary for reporting on unused objects and services in Rule Usage Reports.

    Topology

    • Enable Topology: Collects routing information for building the network Map.
      Topology options for Advanced management mode are configured when you import managed devices.
    • If the device uses dynamic addressing (such as DHCP) or dynamic routing protocols (such as OSPF), also select Collect dynamic topology information. TOS always collects the interface information with static routes and IP addresses when it receives a policy.
  3. Click Next.

  4. Configure the TOS connection to the Palo Alto PanOS firewall device, according to the parameters required by the device.

    New Palo Alto stage 2

    Enter the authentication details needed to connect to the Palo Alto PanOS firewall device.

    To use default settings (recommended in most cases), leave the Port number blank.

  5. Click Next.

  6. The Monitoring Settings page appears:

    • To use timing settings from the Timing page, select Default. Otherwise, select Custom, Custom settings, and configure the Polling frequency: How often TOS fetches the configuration from each device.

    If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

  7. Save the configuration.

    The Palo Alto PanOS firewall device now appears in the Monitored Devices list.

For TOS to show revision accountability and show rule and object usage, you must also configure the device to send syslogs.

Configure a Monitored Device

After you add a device, further configuration options are available.

Options vary depending on your environment.

  • Edit configuration: Use the wizard to modify selected device settings. See Add a Device in this topic.

  • Delete this device: Type yes to confirm that you want to delete the device.

  • Migrate (ST servers): Available in distributed deployments. Select the server where the device will be monitored and click Migrate.

  • Migrate (Domains): Available in multi-domain deployments. Select the domain where the device will be monitored and click Migrate.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices