Palo Alto Networks Panorama. Setup and Control Basics
Panorama is Palo Alto Networks' centralized management and monitoring system for its next-generation firewalls (NGFW), and it has been gaining more and more popularity recently. In particular, we at Angara Professional Assistance work with this product quite often. In 2019, the analyst firm Gartner had recognized the vendor as a leader in its Magic Quadrant 8 times. Using Panorama, we can aggregate and store logs from all firewalls, build reports, manage settings (with flexible access control), licenses and updates, and even monitor hardware status.
But let's take it in order.
Panorama comes as a hardware appliance or a virtual appliance. The virtual appliance has the same functionality as the hardware one and can be deployed on VMware ESXi, Google Cloud Platform, Amazon Web Services and Microsoft Azure. Licensing is the same on all platforms. Panorama can also run as a high-availability cluster.
Panorama can work in three modes (in fact, in four, but the fourth is very outdated and not recommended for new installations):
- Panorama Mode - the default operation mode. In this mode, the device both manages other firewalls and collects logs from them.
- Log Collector Mode - in this mode, Panorama only collects logs from the firewalls assigned to it.
- Management Only Mode - the name speaks for itself: Panorama only manages devices.
Accordingly, there are several popular architectures for integrating Panorama into the network.
Let's look at the most popular architecture, which uses Panorama Mode. This mode is used by default, so no additional steps are required to activate it.
After registering the device on the Support Portal, we connect to Panorama via the MGT interface at IP 192.168.1.252 with the credentials admin/admin. If we use the virtual appliance, the initial settings must be set through the command line:
# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
The initial interface is very similar to the one you see on the firewall.
The full interface will be available after configuring the Template and Device Group sections, but more on that later.
If we use a virtual appliance, we need to generate a serial number for it on the Palo Alto Networks Customer Support Portal and then enter it in the CDMY0CDMY section. Then you need to load the license in the CDMY1CDMY section.
On Panorama, it is recommended to install a PAN-OS version and Dynamic Updates not lower than those installed on the firewalls. This is done in the CDMY2CDMY and CDMY3CDMY sections. In the same section, it is advisable to configure automatic signature updates. In general, the Panorama version may differ from the firewall version by up to 5-6 maintenance versions within the same major release, for example Panorama 9.0.6 with firewalls on 9.0.2.
The initial configuration of the device is not much different from what you do on the firewall. In the CDMY4CDMY section, we specify the DNS and NTP servers (if we did not already do this through the CLI).
Settings are applied in the same way - through the Commit menu, which here is divided into three parts: Commit to Panorama, Push to Devices, Commit and Push.
- Commit to Panorama - applies the configuration to the Panorama device only.
- Push to Devices - pushes Panorama's applied (running) configuration to the firewalls. The list of target firewalls and other settings can be selected in the window that appears after this action.
- Commit and Push - applies the configuration to Panorama and then pushes it to the managed firewalls.
Adding Firewalls to Panorama
So, let's move on to the functionality for which this solution was created, namely, to add firewalls for subsequent management.
This happens in three steps:
- Configure the Panorama server address on the firewall.
- Add the firewall's serial number on Panorama.
- Apply all settings through Commit.
On the firewall, go to the CDMY5CDMY section. Then, in the Panorama Settings section, specify the IP address of the Panorama server.
On Panorama, go to the CDMY6CDMY section.
Click on the Add button and add the firewall serial number.
We apply all the settings on both the firewall and Panorama.
After that, in the same CDMY7CDMY menu, we will see that the status of the device has become “Connected”, and information has also appeared about its serial number, IP address, model, signature database version and other details.
There are nuances, for example when you need to add a firewall that has been in use for a long time, transferring all of its existing policies and settings under Panorama control, or when you need to migrate hundreds of firewalls and automate the process. We will not touch upon every nuance at this stage; we will only say that the process is not difficult at all.
Templates and Device Groups are the two key settings that initially cause the greatest difficulty for those who encounter Panorama.
Templates are objects created on Panorama that store data related to the Network and Device sections on firewalls.
Templates are created in the CDMY8CDMY section. Initially, this section is empty. We need to click on the Add button and add the first Template. Right after that, two new sections (Network and Device) will appear in the Panorama web interface.
There can be several Templates, so when making changes to the Network and Device sections on Panorama, you must select the appropriate Template.
Template Stacks - a set of up to eight Templates. Hierarchically, it looks like 8 layers: settings from a higher layer apply on top of the lower ones and take priority. Template Stacks are created in the same section as regular Templates.
Suppose we have many firewalls managed by Panorama with internal IP addresses from 10.0.1.1/24 to 10.0.100.1/24. In order not to create 100 different Templates, one per firewall, you can use the variable functionality.
Let's see how to do this, using the example of the situation above.
Go to the CDMY9CDMY menu and create a Template that will be responsible for the IP addresses on the firewall interfaces. Let's call it “Firewall interfaces”. Go to the CDMY10CDMY menu and, making sure that the Template we created is selected above, open the settings for the interface we need, for example ethernet1/1. In the IPv4 section, click the Add button to add an IP address value, and then click New X Variable. Here you can create a new variable: give it a name and a value.
Go to the CDMY11CDMY menu, where all of our firewalls connected to Panorama are displayed. Select a firewall, which by design should have the address 10.0.2.1/24, and click on the Create button in the Variables column, after which the Create Device Variable Definition window opens.
Select No and click OK. The Template Variables for Device $ name window opens.
Next, select the $Inside_IP variable that we created and click the Override button. Enter the IP address we need, 10.0.2.1/24.
Repeat these steps for all the firewalls we need, and then apply the CDMY12CDMY configuration.
These steps let us enter different values for several firewalls within the same Template on Panorama. A less convenient alternative is the Override functionality directly on the firewalls: if the administrator has allowed overriding the values pushed from Panorama, this functionality can be used locally on the firewall to override the value received from Panorama (in this case, the IP address).
Ultimately, we may not define the interface IP addresses on Panorama at all, but do it locally on each firewall.
Template Variables can be exported to a file, edited, and then imported back. You can do this in the CDMY13CDMY section: select the Template we need and, without opening it, click on CDMY14CDMY. Open this file, change the value for each firewall we use, and then import the file in the same way. This method is definitely faster and saves time when we manage a large number of firewalls.
Now let's talk about a similar concept - Device Groups.
Device Groups are objects created on Panorama that store data related to the Policies and Objects sections on firewalls.
Device Groups are created in the CDMY15CDMY section. Initially, this section is empty. We need to click on the Add button and add the first group. Right after that, two new sections (Policies and Objects) will appear in the Panorama web interface.
Like Templates, Device Groups are assigned to specific firewalls. A firewall can also belong to a group hierarchy. The principle is slightly different from Templates.
Example of a group hierarchy
It is worth noting that after we create the first group, we will have a common group called Shared, the settings of which will apply to all other groups.
What will happen if I attach Device Group to the device but don’t attach Template?
We may encounter difficulties, for example, when creating a new Security Policy: in the zone selection field, nothing but Any will be available. This is because the device does not have a single Template in which these zones are defined. One way to solve this problem is through Reference Templates: when you create a Device Group and add a device to it, you also have the opportunity to specify a link to a template.
We can create a Template in which zones will be designated, and then simply make a link to it from the menu of creating or editing Device Group.
As we already know, Device Groups also manage policies that are sent to the firewall from Panorama. Unlike the regular policy editor, here we have new sections: Pre Rules, Post Rules, Default Rules.
From the point of view of the hierarchy, all this works as follows (do not forget that, in addition to the usual Device Group, we also have a common Shared group):
At first glance, this can be a little scary, but in fact everything is much simpler. The policy hierarchy becomes clear after the first few rules are created. In addition, you can always see how the final rules will look on the end device: use the Preview Rules button in the policy editing section.
When you create a rule, it is also possible to select a target (Target) to assign the policy to a specific device. In practice, the author of the article considers this functionality not the most convenient, because it can lead to confusion between the policies of different devices when they are displayed in one window. However, it all depends on the person; perhaps someone will find it convenient.
Select devices to which policies will apply
There is also a very useful feature for those who love order. In the Panorama settings, you can define the fields that must be filled in when creating rules; otherwise the commit will fail with “Commit fail”. This is convenient because, for example, it forces administrators to always add descriptions to the rules they create or to assign tags. From the description, we can understand what the intent of a particular rule was; by tags, we can group the rules, filtering out unnecessary ones.
At the global level, this is configured in the CDMY16CDMY menu.
At the Templates level, this is configured in the CDMY17CDMY menu.
Now let's go through the logs.
Panorama receives log information from two sources: local and remote.
The local source is logs that the firewalls themselves forwarded to Panorama, as well as logs that Panorama received from Log Collectors and Cortex Data Lake (we will not discuss those in this article).
The remote source is logs that Panorama requests from the firewall on demand.
There are also two types of logs: Summary Database and Detailed Logs.
- Summary Database - the firewall aggregates its logs every 15 minutes, condenses them (some fields and information are dropped) and sends them to Panorama, even if no log forwarding rules are configured. These logs contain information on application statistics, threats, traffic, tunnel inspection and URL filtering.
- Detailed Logs - these logs contain complete information with all fields. Panorama requests them from the firewall itself, and for them to be available, log forwarding must be configured on the firewalls.
The log viewing interface itself is practically identical to what you see on the firewalls. There is ACC, the familiar Dashboard, and the Monitor section. And even the reporting sections are the same.
Now let's take a look at debugging issues at the top level.
It is worth checking the Device Summary section more often. There you can find information about the status of devices connected to Panorama. For example, we can see the following situation:
In this case, we see that the firewall configuration was out of sync with Panorama due to a “commit failed” error. Information on the causes of this error can be viewed by clicking on the red commit failed link.
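Two of the checks above, Panorama's PAN-OS version being in the same major release and not lower than its firewalls', and a device's connected status in the Device Summary, can be automated over the XML API. The script below is an added example, not the article's or Palo Alto Networks' code: it parses a constructed reply in the shape of `show devices all` (the `serial`, `connected`, `hostname` and `sw-version` fields as I recall them, which is an assumption) and reports disconnected firewalls and version mismatches.

```python
# Added example: flag disconnected firewalls and PAN-OS versions that
# Panorama should not manage, from a 'show devices all' style XML reply.
# Field names are assumed to match the XML API output; the reply is constructed.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<response status="success"><result><devices>
  <entry name="000000000001"><serial>000000000001</serial><connected>yes</connected>
    <hostname>fw-branch-01</hostname><ip-address>10.0.1.1</ip-address>
    <model>PA-220</model><sw-version>9.0.2</sw-version></entry>
  <entry name="000000000002"><serial>000000000002</serial><connected>no</connected>
    <hostname>fw-branch-02</hostname><ip-address>10.0.2.1</ip-address>
    <model>PA-220</model><sw-version>9.0.2</sw-version></entry>
  <entry name="000000000003"><serial>000000000003</serial><connected>yes</connected>
    <hostname>fw-dc-01</hostname><ip-address>10.0.3.1</ip-address>
    <model>PA-3220</model><sw-version>9.1.1</sw-version></entry>
</devices></result></response>"""

PANORAMA_VERSION = "9.0.6"  # assumed version running on Panorama


def parse_version(text):
    """'9.0.6' -> (9, 0, 6); hotfix suffixes such as '-h1' are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def version_ok(panorama, firewall):
    """Panorama must be in the same major release (first two numbers)
    and its maintenance version must not be lower than the firewall's."""
    p, f = parse_version(panorama), parse_version(firewall)
    return p[:2] == f[:2] and p >= f


def check_devices(xml_text, panorama_version=PANORAMA_VERSION):
    """Return (serial, hostname, problem) tuples, one per finding."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("Panorama API reported an error")
    findings = []
    for entry in root.iter("entry"):
        serial, host = entry.findtext("serial"), entry.findtext("hostname")
        if entry.findtext("connected") != "yes":
            findings.append((serial, host, "not connected to Panorama"))
        sw = entry.findtext("sw-version")
        if sw and not version_ok(panorama_version, sw):
            findings.append((serial, host, f"PAN-OS {sw} vs Panorama {panorama_version}"))
    return findings


if __name__ == "__main__":
    for serial, host, problem in check_devices(SAMPLE_XML):
        print(f"{serial} {host}: {problem}")
```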
In the CDMY18CDMY menu you can get information about device health: bandwidth, the number of new sessions per second, the total number of sessions, CPU load on the Data Plane and Management Plane, memory usage, the number of logs per second, and the status of fans and power supplies. All this information can also be viewed as graphs.
Since we have mentioned resources and debugging, we'll also mention a wonderful plug-in for the Chrome browser called Pan(w)achrome. It activates once you have logged in to the firewall's web interface. In the plugin, you can see general information about the status of the device and get not only more detailed information on resource usage than Panorama shows, but also statistics on various counters (the full list did not fit in the screenshot):
Of course, this information is available in a much more expanded form, with a description of the counters, through the device CLI; however, that is a separate topic for another article on debugging. This plugin lets you visually evaluate, in graphical form, what is happening on a particular device, and for 70% of the problems that arise this may be enough.
Well, back to more down-to-earth issues. One of the most common problems is connecting firewalls to Panorama. To troubleshoot it, we need to check that the following ports are reachable:
- 3978 - Panorama communication with firewalls and Log Collectors;
- 28443 - software updates from Panorama to the managed firewalls;
- 28 - communication between HA Panorama nodes (encrypted);
- 28260, 28769 - communication between the Panorama HA nodes (unencrypted).
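To check quickly whether the ports above are reachable (blocked ports are the usual reason a firewall never reaches the Connected state), here is an added example script, not from the article or from Palo Alto Networks; run it from the firewall's management network, replacing the assumed Panorama host name.

```python
# Added example: test TCP reachability of the Panorama ports listed above from
# the firewall's management network (or between Panorama HA peers). Not the
# article's or Palo Alto Networks' code; the Panorama host name is assumed.
import socket

# Ports from the article and which side normally opens the connection.
FIREWALL_TO_PANORAMA = {
    3978: "firewalls and Log Collectors -> Panorama (management, logs)",
    28443: "firewalls -> Panorama (software and content updates)",
}
PANORAMA_HA = {
    28: "Panorama HA peer <-> peer (encrypted)",
    28260: "Panorama HA peer <-> peer (unencrypted)",
    28769: "Panorama HA peer <-> peer (unencrypted)",
}


def tcp_reachable(host, port, timeout=3.0):
    """True only if a full TCP handshake to host:port completes in time.
    A refused, filtered or unresolvable target returns False, never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host, ports, timeout=3.0):
    """Map each port in 'ports' to its reachability from this host."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def report(host, ports, timeout=3.0):
    """Human-readable lines, one per port, marking unreachable ones BLOCKED."""
    return [f"{host}:{port} {'open' if ok else 'BLOCKED'} - {ports[port]}"
            for port, ok in check_ports(host, ports, timeout).items()]


if __name__ == "__main__":
    panorama_host = "panorama.example.internal"  # assumed host name
    print("\n".join(report(panorama_host, FIREWALL_TO_PANORAMA)))
```

For a Panorama HA pair, run the same report against the peer with PANORAMA_HA instead of FIREWALL_TO_PANORAMA.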
Also, do not forget that errors can be viewed on the firewall in the Monitor CDMY19CDMY section by filtering them through a filter ("description contains Panorama").
Finally, we'll touch upon a less frequent situation: replacing a firewall connected to Panorama. We omit the nuances of transferring licenses from the old device to the new one (see the official manuals on how to transfer licenses to a spare device) and go straight to the setup sequence:
- Make the basic settings on the new firewall. We need to make sure that access via the MGT interface is configured and that the PAN-OS versions match. It is also worth checking the signature versions in the dynamic updates section.
- Export the “device state” of the old device through Panorama. Go to the command line and execute one of the following commands (depending on the protocol supported by the server to which we export the configuration):
> scp export device-state device <old-serial#> to <login>@<serverIP>:<path>
> tftp export device-state device <old-serial#> to <login>@<serverIP>:<path>
After the export has completed, replace the old device's serial number with the new one on Panorama:
> replace device old <old-serial#> new <new-serial#>
- Import the “device state” into the new firewall. On the new firewall, go to the CDMY20CDMY section and load the configuration we saved.
- Click Commit.
Of course, we have only scratched the surface of Panorama configuration and did not touch on many nuances. However, understanding these basics will let you connect firewalls to Panorama, understand its basic functions and start more granular configuration yourself.
If you found this topic interesting, in the following articles we will try to cover in more detail the troubleshooting issues that are usually handed over to technical support or an ASC (Authorized Support Center) and which are not in the vendor's official manuals available to ordinary customers.
We can cover such topics as:
- CLI. Nuances and life hacks.
- Using the Tech Support File for troubleshooting.
- Flow Logic.
- Packet capture.
- Packet Diagnostics.
- Troubleshooting incoming traffic: VPN, IKE, IPsec.
- Troubleshooting transit traffic.
- System Services (DAEMONS).
- Troubleshooting certificates and SSL inspection.
- Troubleshooting User-ID.
- Troubleshooting GlobalProtect.
Leave comments if you are interested in this topic.