Palo Alto

Panorama Advanced (managing PanOS)

Advanced means device management mode in SecureTrack is Advanced management

Access Requests	Manual target selection Device object selection User Identity (LDAP groups in source)
Modify Group	Designer Provisioning + Committing Provisioning + Committing in automatic step Create/modify group
Add Access	Risk Analysis Designer Provisioning + Committing Provisioning + Committing in automatic step Verifier Authorization and documentation Auto close
Remove Access	Auto close Verifier (only in topology mode)
Server Decommission	Impact Analysis Designer Provisioning + Committing Verifier Authorization and documentation
Clone Server Policy	Designer Provisioning (or) Provisioning and Committing Verifier
Rule Decommission	Designer Provisioning + Committing Provisioning + Committing in automatic step Verifier Authorization and documentation Auto close
Rule Modification	Device object selection (object browser) Provisioning + Committing Provisioning + Committing in automatic step
Rule Recertification	Update metadata

Access Request supports full Next-Generation Firewall (NGFW) capabilities, including Tags, AppID, Custom AppID, UserID, Dynamic Address Groups (DAGs), Security Profile Group (ContentID) and Log Forwarding profiles.

Custom AppID’s are not supported for SecureApp
Unique names are required for Custom AppID’s. If there are multiple Custom Apps with the same name (not case sensitive), same domain, and different services or values, they will not appear in the application list.
For Custom AppIDs with no services, if the app is being run on a Panorama device that does not have that app, Designer will view the Custom AppID as having ANY services.
TOS cannot create new DAGs, but can use existing ones.

Access Request supports FQDN objects which are resolved as IP addresses
Rules on Panorama devices with ANY in the application column are treated as ANY by TOS, although Panorama treats them as 'Any predefined application'.
Access Request supports rule type for Designer and Verifier.
Access requests supports working with shared objects, this needs to be enabled in StConf. For details see Configuring Palo Alto Panorama for Shared Objects
Modify Group and Server Decommission supports shared groups/global objects.
Overriding objects are not supported for Server Decommission and Clone Server Policy. For Server Decommission, Designer suggests the implementation of manual changes.
New objects in a Rule Modification workflow can only be created on the policy where the rule is located. It is not possible to create a global object in a hierarchical environment and add the object to a rule on a sibling policy.
For a Palo Alto Panorama device with several hierarchies in a Rule Modification workflow, if an object name exists in a lower Device Group (DG), Designer does not allow the creation of an object with the same name in a higher DG, even though Panorama does allow using the same object names in different hierarchies.
Rule modification supports provision and commit in auto-step.

Basic means device management mode in SecureTrack is Basic firewalll management

Access Requests	Manual target selection Device object selection User Identity (LDAP groups in source)
Add Access	Risk Analysis Designer Provisioning Provisioning in automatic step Verifier Authorization and documentation Auto close
Remove Access	Verifier
Server Decommission	Impact Analysis Verifier
Rule Recertification	Update metadata

Access Request supports full Next-Generation Firewall (NGFW) capabilities, including AppID, UserID, Security Profile Group (ContentID) and Log Forwarding profiles.

Access Requests	Manual target selection Device object selection
Modify Group	Create/modify group
Add Access	Risk Analysis Verifier Authorization and documentation Auto close
Remove Access	Verifier
Server Decommission	Impact Analysis, Verifier
Rule Recertification	Update metadata