Adding Palo Alto Panorama Devices

TOS Classic monitors Palo Alto Panorama devices for policy revision changes. To help you organize the information for your devices, you can use the device information worksheet. To see which TOS features are supported for your device, review the feature support table.

Overview

To monitor a Palo Alto Panorama device (and its managed devices) in TOS Classic, you must complete the following procedures:

  1. Add the Palo Alto Panorama device to TOS Classic.

  2. Import the Device Groups (DGs) and devices managed by the Palo Alto Panorama device.

    When you select the DGs and devices managed by the Palo Alto Panorama device, you can also select the Collect dynamic topology information option if you have configured Advanced monitoring mode.

  3. Edit the configuration of a managed Palo Alto Panorama firewall device, including enabling or disabling the option to Collect dynamic topology information.

Additional considerations:

  • If the device being added is an HA cluster of the managed firewall, TOS Classic will only provision the changes to the active HA server.

  • TOS Classic and the monitored devices must be synchronized with the correct date and time, either manually or automatically. We recommend that you also configure the devices to resolve DNS queries.

  • TOS R16-2 and higher includes improved support for Palo Alto Panorama versions 7.1 or higher. If you upgrade from TOS R16-1 or lower and want to use the advanced features, disable your Palo Alto Panorama devices to keep your device data and re-add the Palo Alto Panorama device and its firewalls as new devices. You can then remove the old Palo Alto Panorama device and its firewalls when the device data is obsolete.

  • If you currently monitor your firewalls as standalone devices and you want to now monitor the firewall through the Palo Alto Panorama device that manages them, add the Palo Alto Panorama device and its firewalls as a new device and then disable your standalone firewalls (see Status). You can select the standalone devices from the device tree to see the historical device data. When the device data in the standalone firewalls is obsolete, you can remove the standalone firewall devices from TOS Classic.

After you add a Panorama device for monitoring, you can see the list of policy templates on the Panorama and which devices use each template. To see this information, go to: Compare > select the Panorama device from the device tree > click on the Panorama tab in the Policy pane > click on the Templates tab > expand the Templates tree.

In 2019, Palo Alto announced that online updates for Palo Alto Panorama software versions (up to and including version 7.1) will no longer be available. From R19-3, support for Panorama devices in Basic firewall management mode is deprecated for new devices. If you are upgrading to R19-3, the existing Panorama devices in Basic mode will continue to be monitored in TOS Classic. For more information about supported features in each monitoring mode, see the TOS Classic Features by Vendor.

Prerequisites

Monitoring and Provisioning: Create a user with the Superuser admin role for the Palo Alto Panorama device.

To support FQDN objects in SecureTrack, configure the relevant DNS on your Palo Alto Panorama device. For more information, refer to the Palo Alto documentation.

Adding a Palo Alto Panorama Device

  1. In TOS Classic, go to Settings > Monitoring > Manage Devices.

  2. Select the appropriate device type.

  3. Configure the device settings:

    • Name for Display

    • Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • Get revisions from: One of the following:

      • IP Address: Revisions are retrieved automatically.

        If your Panorama devices are configured for a High Availability deployment, enter the IP address of the primary (Active) Panorama server.

      • Offline File: (If available) Revisions are manually uploaded to TOS Classic for Offline Analysis.

        This option is disabled for Panorama devices.

      • Enable High Availability: Select this option if your Panorama devices are configured for a High Availability deployment with a primary (Active) and a secondary (Standby) Panorama server.

        This option is only available in Advanced management mode.

    • ST server: In a distributed deployment, select which TOS Classic server monitors this device.

  4. Click Next.

  5. Configure the TOS Classic connection to the Palo Alto Panorama device, according to the parameters required by the device:

    Enter the authentication details needed to connect to the Palo Alto Panorama device.

  6. Click Establish Connection to retrieve the certificate.

    This is mandatory if you selected Enable High Availability when you configured the device settings.

  7. Click Next.

  8. Configure the Syslog Settings.

    The default Syslog Authentication protocol option is UDP.

  9. In Monitoring Settings, do one of the following:

    • To use real-time monitoring and timing settings from the Timing page, select Default.

    Otherwise, select Custom and configure the monitoring mode and settings.

    • Real-Time Monitoring: Applies only if syslogs (Configuring Devices to Send Logs) are configured. Select Custom settings and configure:

      • 'Save policy' interval: When a Save Policy event is followed within this time interval by an Install Policy event for the same policy, TOS Classic tries to combine the two events into a single revision. The default value is 60 seconds.

      • Automatic fetch frequency: Frequency (in minutes) for automatic fetch.

    • Periodic Polling: Select Custom settings and configure the Polling frequency, which is how often TOS Classic fetches the configuration from each device.

      If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

  10. Click Next and then click Save.

    The Palo Alto Panorama device now appears in the Monitored Devices tree.

  11. To complete the configuration, do one of the following:

    • Click Done.

    • Click Import Managed Devices (or Import Administrative Domains and Managed Devices/Import Device Groups and Managed Devices if available), select all the managed devices to be added, and click Save or Import.

      To import managed devices later, you can select the device and click Import Managed Devices (or Import Administrative Domains and Managed Devices/Import Device Groups and Managed Devices if available).

    • Add another device.
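The 'Save policy' interval rule from the Real-Time Monitoring settings above, as an added Python example that is not TOS Classic code: a Save Policy event followed within the interval by an Install Policy event for the same policy is combined into a single revision, and every other event opens a revision of its own. The log-line format, policy names and timestamps are constructed for this illustration and do not reflect the actual syslog format TOS Classic parses.

```python
"""Added example, not part of TOS Classic: coalescing Save/Install events
into revisions using the 'Save policy' interval rule.

Constructed event line format (an assumption for this example):
    <ISO-8601 timestamp> <policy name> <save|install>
"""
from dataclasses import dataclass
from datetime import datetime

DEFAULT_INTERVAL_SECONDS = 60  # the page states the default interval is 60 seconds


@dataclass
class Event:
    ts: datetime
    policy: str
    kind: str  # "save" or "install" (constructed vocabulary)


@dataclass
class Revision:
    policy: str
    first_event: datetime
    kinds: list  # event kinds folded into this revision, in order


def parse_event(line: str) -> Event:
    """Parse one constructed event line; rejects unknown event kinds."""
    ts, policy, kind = line.split()
    if kind not in ("save", "install"):
        raise ValueError(f"unknown event kind: {kind}")
    return Event(datetime.fromisoformat(ts), policy, kind)


def coalesce(events, interval_seconds: int = DEFAULT_INTERVAL_SECONDS):
    """Fold events into revisions.

    An 'install' joins the most recent open 'save' revision for the same
    policy if it arrives within interval_seconds of that save; otherwise
    it becomes its own revision. A later 'save' for the same policy
    replaces the earlier one as the candidate to combine with.
    """
    revisions = []
    pending = {}  # policy -> index of the revision opened by its latest 'save'
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "install" and ev.policy in pending:
            rev = revisions[pending.pop(ev.policy)]
            if (ev.ts - rev.first_event).total_seconds() <= interval_seconds:
                rev.kinds.append("install")
                continue
        # No combinable save within the window: open a new revision.
        revisions.append(Revision(ev.policy, ev.ts, [ev.kind]))
        if ev.kind == "save":
            pending[ev.policy] = len(revisions) - 1
    return revisions


def revisions_from_lines(lines, interval_seconds: int = DEFAULT_INTERVAL_SECONDS):
    return coalesce([parse_event(l) for l in lines], interval_seconds)


# Constructed sample events (not real device output).
SAMPLE_LINES = [
    "2024-01-01T10:00:00 corp-policy save",
    "2024-01-01T10:00:30 corp-policy install",    # 30 s after its save: combined
    "2024-01-01T10:05:00 dmz-policy save",
    "2024-01-01T10:07:00 dmz-policy install",     # 120 s later: separate revision
    "2024-01-01T10:10:00 corp-policy install",    # no open save: own revision
    "2024-01-01T10:12:00 lab-policy save",
    "2024-01-01T10:12:45 other-policy install",   # different policy: not combined
]

if __name__ == "__main__":
    for rev in revisions_from_lines(SAMPLE_LINES):
        print(rev.first_event.isoformat(), rev.policy, "+".join(rev.kinds))
```

With the default 60-second interval the sample yields six revisions; raising the interval to 180 seconds lets the dmz-policy pair combine as well, which is the practical effect of tuning this setting: a longer window produces fewer, coarser revisions and a shorter one records each save and install separately.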


Topology options to collect routing information for building the network Interactive Map are configured when you import managed devices.

Importing the Domains or Devices Managed by a Palo Alto Panorama Device

  1. Select the Palo Alto Panorama device from the device tree.

  2. Click Import Device Groups and Managed Devices.

  3. From the list of devices managed by the Palo Alto Panorama device, select the devices to import.

  4. Configure the Topology options:

    Enable Topology: Collects routing information for building the network Interactive Map.
    Topology options are configured when you import managed devices.

    • Collect dynamic topology information when dynamic addressing (DHCP) or routing protocols (OSPF and BGP) are in use.

  5. Configure the Usage Tracking options:

    • Enable Tracking of Rule Usage: Monitor last hit information for rules in the managed devices being imported.

    • Enable Tracking of Application and User Usage: Monitor last hit information for applications and users in the managed devices being imported.

  6. Click Import.

  7. Do one of the following:

    • Click Reset to update the list of managed devices.

    • Click Done to return to the device tree.

      The managed devices appear under the Palo Alto Panorama device in the device tree.

If a conflict is detected between the name of a management domain (DG) on the Panorama device, and the name of the DG in SecureTrack, you will have to choose whether to Update the name or Ignore the conflict.
After the DG name in SecureTrack is synchronized with the name on the Panorama device, the DG is no longer suggested when you next select devices to import.

Editing the Dynamic Topology Settings for Devices Managed by a Palo Alto Panorama Device

  1. Select the Palo Alto Panorama device from the device tree.

  2. Click Collect Dynamic Routing Information and click Collect.

    Collect dynamic topology information is enabled for all the managed devices.

How Do I Get Here?

In TOS Classic, go to Settings > Monitoring > Manage Devices.