Palo Alto Firewall

The process described in this topic is for adding Palo Alto Firewalls in Security Manager. If you would like to add a Panorama device to Security Manager, and all devices managed by it, including your firewalls or virtual firewalls, please see the instructions for Panorama in the Management Stations chapter.

To add a Palo Alto Firewall, complete the following steps.

Step 1: Configure the Device

If you have a multi-VSYS enabled firewall, each VSYS must be added as a separate Palo Alto VSYS device in Security Manager. Adding the physical firewall on which the virtual systems reside as a single Palo Alto Firewall device is not supported.

Prerequisite: The data collector uses SSH over port 22 and HTTPS over port 443 to the device's Web UI and XML API to retrieve configuration information. Make sure these ports are open from the data collector to the Palo Alto device's management interface. On the firewall, the management interface's Permitted IP Addresses list can be used to limit SSH and HTTPS access to the data collector's address.

  1. On the Palo Alto device, add a Dynamic Superuser account for the SIP data collector.
    1. Log in to the Palo Alto firewall Web UI with superuser credentials.
    2. On the toolbar, click the Device tab.
    3. In the sidebar, click Administrators and click Add.
      1. Enter a name and password for the account. Make note of the user name and password. You will enter them in the Administration module later.
      2. For Administrator Type select Dynamic.
      3. For the Admin Role select Superuser or Superuser (readonly). Superuser (readonly) is sufficient for configuration retrieval and log monitoring; use the full Superuser role only if Security Manager will push changes to this device.
      4. Click OK.

    It is recommended not to use special characters in the account password. API key generation fails when the password contains characters such as # and & because the credentials are passed as URL query parameters, and these are reserved characters in URIs (general and sub-delimiters under RFC 3986): & ends the password parameter, and # starts a URL fragment that the client never sends. This is not a PAN-OS specific issue; it is how browsers and cURL treat such characters unless the values are percent-encoded.

    If you change this name and password on your device in the future, you will need to manually update these credentials in SIP. Data retrieval will fail if the data collector cannot access the monitored device.
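    The failure described above can be reproduced offline. The following Python example is added here and is not part of the Security Manager documentation or the PAN-OS product; the host name firewall.example.com, the user name and the password are assumed values. It builds the PAN-OS keygen request two ways and shows what password the firewall's API actually receives in each case.

```python
"""Added example (not from the Security Manager or PAN-OS documentation):
shows why '#' and '&' in the retrieval account password break PAN-OS API key
generation when the password is pasted raw into the request URL, and how
percent-encoding (RFC 3986) fixes it. Host name and credentials are made up."""
from urllib.parse import parse_qs, urlencode, urlsplit

KEYGEN_ENDPOINT = "https://firewall.example.com/api/"  # assumed host name


def naive_keygen_url(user: str, password: str) -> str:
    """Builds the keygen URL by string concatenation (the failure mode)."""
    return f"{KEYGEN_ENDPOINT}?type=keygen&user={user}&password={password}"


def encoded_keygen_url(user: str, password: str) -> str:
    """Builds the keygen URL with percent-encoded query parameters."""
    query = urlencode({"type": "keygen", "user": user, "password": password})
    return f"{KEYGEN_ENDPOINT}?{query}"


def password_as_received(url: str) -> str:
    """Returns the password an HTTP server would actually read from the URL.

    Mirrors what the firewall's API parser sees: anything after '#' is a URL
    fragment that the client never transmits, and '&' separates parameters.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return params.get("password", [""])[0]


def has_reserved_characters(password: str) -> bool:
    """True if the password contains RFC 3986 gen-delims or sub-delims."""
    reserved = set(":/?#[]@!$&'()*+,;=")
    return any(ch in reserved for ch in password)


if __name__ == "__main__":
    pw = "Pa&ss#1"  # constructed password containing both problem characters
    print(password_as_received(naive_keygen_url("sipcollector", pw)))    # Pa
    print(password_as_received(encoded_keygen_url("sipcollector", pw)))  # Pa&ss#1
```

    The same fix applies to cURL: send the parameters percent-encoded (for example with --data-urlencode in a POST body) instead of pasting them into the URL. Percent-encoding removes the breakage but does not change the recommendation above; the simplest option is a long password without reserved characters.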

    On PAN-OS 9.x and later, you can instead create a custom admin role profile for the retrieval credentials, for example if you want to retrieve predefined external dynamic lists. Note that XML API access cannot be restricted to read-only, so an account with a custom admin role is still granted some write permissions through the API. The permissions needed for retrieval only are: XML API: Log, Configuration, and Operational Requests. Command Line: superreader.

      To create a custom admin role for retrieval only:

      • In the sidebar, click Admin Roles and click Add.

        1. In the Admin Role Profile dialog box, enter a Name and Description for the profile.

        2. Click the XML API tab and select Log, Configuration, and Operational Requests.

        3. Click the Command Line tab and select superreader from the list.

        4. Click OK.

      • In the sidebar, click Administrators and click Add.

        1. Enter a name and password for the account. Make note of the user name and password. You will enter them in the Administration module later.
        2. For Administrator Type select Role Based.
        3. For Profile, select the profile created from the list.
        4. For Password Profile, select None.
        5. Click OK.
  2. Establish the data collector as a syslog server, and send configuration, system and traffic logs from the Palo Alto device to the data collector by creating a profile.
    a. Click the Device tab.
    b. Create a new syslog server profile. In the sidebar, click Server Profiles > Syslog and click Add. In the Syslog Server Profile dialog box:

      1. Enter a Name for the new profile.
      2. On the Servers tab, click Add and then complete the fields:
        • Name: Enter a name for the data collector
        • Syslog Server: Enter the IP address of the data collector
        • Transport: Select UDP
        • Port: Enter 514
        • Facility: Select any facility listed
      3. Click OK.

    Syslog over UDP is sent in clear text and without authentication, so anything that can reach UDP port 514 on the data collector can inject or spoof firewall log messages. Keep the path from the firewall's syslog source interface to the data collector on a trusted management network.

    c. Set the data collector to receive system and configuration logs at the correct severity level from the firewall.
      1. In the sidebar, click Log Settings.
      2. To create a new profile for system logs, in the System section click Add to open the Log Settings - System dialog box.
        • Enter a Name for the log settings - system profile
        • For versions 6.1.x, 7.1.x, 8.0.x, 9.1.x, 10.2.x and 11.0.x, set the Filter to Informational
        • For versions 7.0.x, set the Filter to High
        • In the Syslog section, click Add to select the syslog server profile added in step b
        • Click OK

      To modify an existing system log profile to use the new syslog server profile, click the profile name in the System section. In the Syslog section, click Add to select the syslog server profile created in step b.

      3. To create a new profile for configuration logs, in the Configuration section click Add to open the Log Settings - Configuration dialog box.
        • Enter a Name for the log settings - configuration profile
        • Leave the Filter set to All Logs
        • In the Syslog section, click Add to select the syslog server profile added in step b
        • Click OK

      To modify an existing configuration log profile to use the new syslog server profile, click the profile name in the Configuration section. In the Syslog section, click Add to select the syslog server profile created in step b.

  3. Create a log forwarding profile for the data collector.
    a. Click the Objects tab.
    b. In the sidebar, click Log Forwarding.
    c. To add a new log forwarding profile, click Add to open the Log Forwarding Profile dialog box.
      • Enter a Name for the new log forwarding profile
      • Click Add to open the Log Forwarding Profile Match List
      • Enter a Name for the profile match list
      • Leave the Log Type set to traffic
      • Leave the Filter set to All Logs
      • In the Syslog section, click Add and select the previously created syslog server profile (step 2b)
      • Click OK
    d. Click OK.
  4. Configure rules to forward traffic logs to the data collector.
    a. Click the Policies tab.
    b. In the sidebar, click Security.
    c. Click a rule whose traffic logs you want to forward to open the Security Policy Rule dialog box.
      • Click the Actions tab
      • In the Log Setting section, select the Log at Session End check box (recommended)
      • For Log Forwarding, select the log forwarding profile created in step 3c
      • Click OK
      • Repeat for each rule whose traffic logs you want forwarded for usage analysis

    Rules that do not forward traffic logs produce no usage data and will therefore appear unused in rule usage analysis, so confirm forwarding is configured on a rule before treating it as unused.

  5. Commit your changes. Security Manager will not be able to retrieve any data from your device until these settings have been committed.
  6. If syslog should be sent from an interface other than the management interface:
    a. Click the Device tab.
    b. In the sidebar, click Setup.
    c. Click the Services tab.
    d. In the Services Features section, click Service Route Configuration.
      • In the Service Route Configuration dialog box, click Customize
      • Select the IPv4 or IPv6 tab
      • Select Syslog from the Service list
      • Click Set Selected Service Routes to open the Service Route Source dialog box:
        • Select a Source Interface from the list
        • Select a Source Address from the list
        • Click OK
      • Click OK
    e. Commit your changes.

    With a custom service route, syslog messages arrive from the selected source address rather than the management IP. Record that address; you will need it in Step 2 as the Alternate Syslog Source IP (or as a central syslog server) so the data collector can match the messages to this device.
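To confirm that the forwarding configured above is producing usable data before onboarding the device, it helps to look at what actually arrives on UDP/514. The Python example below is added here and is not part of the Security Manager documentation or the product: it parses the CSV payload of PAN-OS TRAFFIC log lines (field positions follow the documented PAN-OS traffic log field order), keeps only session-end records, and tallies hits per rule and vsys, which is the raw input behind rule usage analysis. The sample lines are constructed, and the host name, serial number and rule names are made up.

```python
"""Added example (not from the Security Manager documentation or product):
receiver-side check of PAN-OS traffic log forwarding. Sample lines below are
constructed; host name, serial number and rule names are made up."""
import csv
import re
from collections import Counter
from io import StringIO
from typing import Iterable, List, Optional

# RFC 3164 style header PAN-OS prepends: "<PRI>Mon dd HH:MM:SS hostname "
_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ (?P<csv>.*)$"
)

# 0-based positions in the PAN-OS traffic log CSV (type, subtype, rule name,
# application, virtual system, action), per the PAN-OS traffic log field order.
TYPE, SUBTYPE, RULE, APP, VSYS, ACTION = 3, 4, 11, 14, 15, 30


def parse_pan_syslog(line: str) -> Optional[List[str]]:
    """Strips the syslog header and splits the CSV payload into fields.

    Returns None when the line is not a PAN-OS log (header mismatch or too
    few fields) so foreign or malformed datagrams are skipped, not miscounted.
    """
    match = _HEADER.match(line.strip())
    if not match:
        return None
    fields = next(csv.reader(StringIO(match.group("csv"))))
    return fields if len(fields) > ACTION else None


def rule_hit_counts(lines: Iterable[str]) -> Counter:
    """Counts TRAFFIC/end records per (vsys, rule name).

    Session-start records are ignored so each session counts once, which is
    why the procedure recommends 'Log at Session End' on forwarded rules.
    """
    hits: Counter = Counter()
    for line in lines:
        fields = parse_pan_syslog(line)
        if fields is None or fields[TYPE] != "TRAFFIC" or fields[SUBTYPE] != "end":
            continue
        hits[(fields[VSYS], fields[RULE])] += 1
    return hits


def unused_rules(configured: List[str], hits: Counter, vsys: str = "vsys1") -> List[str]:
    """Returns configured rule names with no session-end hits in the window.

    A rule that is never forwarded (no log forwarding profile) looks exactly
    like an unused rule here, so check forwarding before retiring a rule.
    """
    return [rule for rule in configured if hits[(vsys, rule)] == 0]


def _traffic_line(subtype: str, rule: str, app: str, action: str,
                  src: str, dst: str, log_type: str = "TRAFFIC") -> str:
    """Builds a constructed log line (38 fields here; real traffic logs carry
    more) with only the fields this example reads populated."""
    fields = [""] * 38
    fields[0], fields[1], fields[2] = "1", "2024/01/15 10:00:00", "007200001234"
    fields[TYPE], fields[SUBTYPE] = log_type, subtype
    fields[6], fields[7], fields[8] = "2024/01/15 10:00:00", src, dst
    fields[RULE], fields[APP], fields[VSYS], fields[ACTION] = rule, app, "vsys1", action
    return "<14>Jan 15 10:00:00 PA-VM-01 " + ",".join(fields)


# Constructed sample input: what a collector might see in a few seconds.
SAMPLE_LINES = [
    _traffic_line("start", "Allow-Web", "web-browsing", "allow", "10.1.1.5", "203.0.113.10"),
    _traffic_line("end", "Allow-Web", "web-browsing", "allow", "10.1.1.5", "203.0.113.10"),
    _traffic_line("end", "Allow-Web", "ssl", "allow", "10.1.1.6", "203.0.113.20"),
    _traffic_line("end", "Deny-All", "unknown-tcp", "deny", "10.1.1.7", "198.51.100.9"),
    _traffic_line("general", "", "", "", "", "", log_type="SYSTEM"),
    "not a PAN-OS log line at all",
]

if __name__ == "__main__":
    counts = rule_hit_counts(SAMPLE_LINES)
    for (vsys, rule), n in sorted(counts.items()):
        print(f"{vsys}/{rule}: {n} session(s)")
    print("unused:", unused_rules(["Allow-Web", "Deny-All", "Legacy-FTP"], counts))
```

Pointing the same parser at a short capture of UDP/514 on the data collector host (for example a few seconds of datagrams written to a file) shows immediately whether TRAFFIC/end records are arriving with the expected rule names, and whether SYSTEM and CONFIG records arrive at all, before any retrieval is attempted in Security Manager.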

Step 2: Onboard the Device in the Administration Module

  1. On the toolbar, click Device > Devices.
  2. Click Create and then click Palo Alto Networks > Firewall.
  3. General Properties section.

To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.

  1. In the Name box, type the name of the device as you want to see it in SIP.
  2. In the Description box, type an optional description of the device being added.
  3. In the Management IP Address box, type the IP address of the device.
  4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
  5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

  6. In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
  7. By default, the Automatically Retrieve Configuration check box is selected.
  8. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
  4. Collection Configuration section. Default uses the collection configuration supplied by the installed device pack. To use a different configuration, duplicate and edit the default under Device > Collection Configuration, or, for a device managed by a management station, enable collection configuration on the management station.
  5. Device Settings section.
  • If this device is managed by a management station, Managed By displays the management station name and the Connected via Management Station check box is selected.

    Credentials

  1. In the User Name box, type the user name of the retrieval account created in Step 1 (the dynamic superuser or custom-role account).
  2. In the Password box, type that account's password.
  3. In the Re-enter Password box, retype the password entered above.

Retrieval

  • By default, Protocol is SSH, the Port is 22 and the REST API Port is 443.
  6. Automation section.
    • Select the Suppress FQDN Capabilities check box to use an IP address instead of FQDN when creating network objects.
    • Select the Recommend Changes via Manager Only check box to enable the automation of changes using only the configurations of the management station listed in the Managed By field in the Device Settings section.
    • Use the Location of Created Objects list to select where to create new network and service objects for this device.
      • Shared indicates objects should be added to the Panorama as shared objects.
      • Device Group indicates objects should be added to this device’s device group.
      • Local indicates objects should be added to this device only.
  7. Monitoring section.

Log Monitoring

  • Select the Enable Log Monitoring check box to use for Rule Usage Analysis.
    • Track Usage Via is set to Syslog.
    • Log Update Interval is set to 10 (minutes); this number determines how often usage data is sent to the application server.

Change Monitoring

  • Select the Enable Check for Change check box to check for configuration changes after the specified interval, and perform a retrieval if changes are detected.
    • Enter an optional Alternate Syslog Source IP if the firewall sends syslog from an address other than its management IP (for example, when a custom service route is configured).
  • Select the Perform Change Verification check box to allow the data collector to verify that there are actual changes before posting a revision to Security Manager. This saves disk space by not posting revisions that did not change from the last successfully normalized revision.
  8. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.

  • Set the Scheduled Retrieval Time to fit your requirements.

  • Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).

  9. Advanced section.
    • File Retrieval Options:
      • Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
      • Select the Skip User File Retrieval check box if you want the retrieval to skip the user group file. This is useful in cases where the user group file is very large and is causing retrieval issues.
      • Select the Skip Dynamic Block List Retrieval check box if you want the retrieval to skip over the dynamic block list file. This is useful in cases where there are too many dynamic block lists or the file is too large and is causing retrieval issues.
    • SSH Key Options:
      • Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
      • Select the Use SSH Fallback for Version check box if the device version cannot be found using API; it will use an SSH call instead.
    • NSX Route Retrieval:
      • Enter the NSX Device ID of the NSX distributed firewall containing route information for this device.
      • The Configuration Retrieval Timeout (seconds) is the time to wait for a response during a retrieval. The default is 120 seconds.
    • Interface Normalization:
      • Select the Force Interfaces to Set Layer 2 Enforcement check box to force normalization of all interfaces with Layer 2 enforcement set to true.
      • Select the Retrieve Set Format Configuration check box to retrieve the running-config file in Set Output format; allowing Regex creation for compliance-related controls.
  10. Enforcement section.

Select one of the available enforcement options:

  • Allow All: All automation is allowed (enforcement, change, manual).

  • Manual Only: When selected, all changes must be manually pushed for this device.

  • Prevent All: No automation is allowed.

  • Window Only: Automation can only take place in the assigned enforcement window.

If this device is assigned to an enforcement or change window, it will be listed. If no assignment, changes must be manually pushed for this device.

  11. Supplemental Routes section.

Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.

  1. Click Add.

  2. Complete fields in the Add Supplemental Routes dialog box:

  • Select an Interface.

If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.

  • Type the Destination IP address.
  • Type the Gateway IP address.
  • Select a Virtual Router.
  • Select a Next Virtual Router.
  • Switch the Drop toggle to enable (disabled = Accept).
  • Click Add.
  12. Click Save.

Step 3: Verify Communication

Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.

To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.

It may take up to 15 minutes to see the status result of the retrieval.