Palo Alto VSYS
To add a VSYS device, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (the UI location of fields, not the information needed), consult your device's user guide.
If you have a multi-VSYS enabled firewall, each VSYS must be added as a Palo Alto VSYS in Security Manager. Adding the virtual firewalls to Security Manager as the single Palo Alto firewall on which they reside is not supported.
Prerequisite: Security Manager uses SSH over port 22 and HTTPS over port 443 to the device's web UI to retrieve some configuration information. Make sure that these ports are open on your Palo Alto device.
- On the Palo Alto device, add a dynamic superuser (read-only) account for the Security Manager Data Collector. You can complete this step in either Palo Alto's web UI or in the CLI. We recommend using the web UI.
- Log into the Palo Alto web UI with superuser credentials.
- Click Device > Administrators > New.
- Enter the account settings. Select Dynamic and Superuser_ReadOnly as the role. Security Manager uses this account only to retrieve data from your device. Security Manager will never attempt to make changes to any device on your network.
- Note the name and password. You will enter them in the Administration module later.
We recommend that you do not use special characters in the account password. API key generation fails when the password contains special characters such as # and &. This is not a PAN-OS-specific issue: browsers and cURL treat these characters as reserved URL delimiters (general or sub-delimiters), so they are not passed through literally.
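The following Python script is an added example (not FireMon's or Palo Alto Networks' code) that turns the note above into a check: it lists the RFC 3986 reserved set, flags any of those characters in a candidate password, and shows the percent-encoded query string a client has to send if such a password must be kept. The keygen query parameters (type, user, password) are the ones the PAN-OS XML API uses; the function and variable names are my own.

```python
"""Flag URL-reserved characters in a retrieval account password.

Added example; not FireMon's or Palo Alto Networks' code. API key
generation fails when a password containing characters such as # and & is
pasted literally into a URL or cURL command, because clients treat them as
URL delimiters. This flags such characters and shows the percent-encoded
form that a client must send instead.
"""
from urllib.parse import urlencode

# RFC 3986 section 2.2: reserved = gen-delims / sub-delims
GEN_DELIMS = set(":/?#[]@")
SUB_DELIMS = set("!$&'()*+,;=")
RESERVED = GEN_DELIMS | SUB_DELIMS


def reserved_chars(password):
    """Return the sorted list of reserved characters present in the password."""
    return sorted(c for c in set(password) if c in RESERVED)


def is_safe_password(password):
    """True when the password can be typed into a URL or cURL command literally."""
    return not reserved_chars(password)


def keygen_query(user, password):
    """Build the percent-encoded query string for an API key request.

    urlencode() escapes reserved characters (# -> %23, & -> %26), which a
    browser or cURL does not do for a raw password typed into a URL.
    The parameter names follow the PAN-OS XML API keygen request.
    """
    return urlencode({"type": "keygen", "user": user, "password": password})


if __name__ == "__main__":
    for candidate in ("Sup3rSecretReadOnly", "Sup3r#Secret&"):
        print(candidate, "->", reserved_chars(candidate) or "no reserved characters")
    print(keygen_query("fm-collector", "Sup3r#Secret&"))
```

Run it against the password you intend to store in the Administration module; if `reserved_chars` returns anything, either choose a different password (the recommended route) or make sure whatever client issues the key request percent-encodes it as `keygen_query` does.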
If you change this name and password on your device in the future, you will need to manually update these credentials in SIP. Data retrieval will fail if the data collector cannot access the monitored device.
Palo Alto 9.x+ users can create a custom admin role profile for the device retrieval credentials if they want to retrieve predefined external dynamic lists. Note that the XML API cannot be restricted to read-only, so a user with a custom admin role is granted some write permissions. The permissions needed for retrieval only are: XML API: Log, Configuration, and Operational Requests; Command Line: superreader.
To create a custom admin role for retrieval only:
- In the sidebar, click Admin Roles and click Add.
- In the Admin Role Profile dialog box, enter a Name and Description for the profile.
- Click the XML API tab and select Log, Configuration, and Operational Requests.
- Click the Command Line tab and select superreader from the list.
- Click OK.
- In the sidebar, click Administrators and click Add.
- Enter a name and password for the account. Make note of the user name and password. You will enter them in the Administration module later.
- For Administrator Type select Role Based.
- For Profile, select the profile created from the list.
- For Password Profile, select None.
- Click OK.
- Establish the Data Collector as a syslog server, and send configuration, system and traffic logs from the Palo Alto device to the Security Manager Data Collector. Basic syslog settings can be entered through the Palo Alto web UI or CLI. We recommend using the web UI.
- Log into the web UI with Superuser credentials.
- Define the Data Collector as a Syslog Server:
- Click Device > Server Profiles > Syslog.
- Click New and enter the following information:
- Name: for the Data Collector
- Server: IP address of the Data Collector
- Port: 514
- Facility: local use 0 (log_local0)
- Set the Data Collector to receive Configuration logs:
- Click Device > Log Settings > Config.
- Click Edit and select the Data Collector Syslog server that you created earlier.
- Set the Data Collector to receive System logs at the Severity Level:
- Go to Device > Log Settings > System.
- For versions 6.1.x, 7.1.x, 8.0.x, 9.1.x, 10.2.x and 11.0.x, click Informational, and then select the Data Collector Syslog server that you created earlier as a Syslog destination.
- For version 7.0.x, click High, and then select the Data Collector Syslog server that you created earlier as a Syslog destination.
- Create a Log Forwarding profile for the Data Collector:
- Click Objects > Log Forwarding.
- Click New and enter the following information:
- Name: enter a profile name
- In the Traffic Log Settings section, specify the Data Collector Syslog server (that you created earlier) as a Syslog setting destination. Security Manager uses traffic logs for rule and object usage analysis.
- In your security policies, configure your rules to forward traffic logs to the Data Collector:
- Click Policies > Security.
- Click a rule for which you want to forward traffic logs and click in the Options.
- In the Log Setting section of the Options dialog box, make sure that a Send Traffic Log option is selected. We recommend using the default setting Log at Session End.
- Select the Data Collector from the Log Forwarding list.
- Repeat steps 2-4 for each rule for which you want to forward traffic logs for usage analysis.
- Commit your changes. Security Manager will not be able to retrieve any data from your device until these settings have been committed.
- Restart the log forwarder for security rule traffic logs (Step 2f). This step will enable Security Manager to begin receiving usage data from the device.
- Log into the CLI at the Admin level.
- Enter the command:
debug software restart log-receiver
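Once the changes are committed and the log receiver has been restarted, a quick way to confirm that the Data Collector is receiving what this procedure set up is to inspect a handful of received lines. The following Python script is an added example (not FireMon's or Palo Alto Networks' code): it parses syslog lines, checks that the facility is local use 0 (log_local0), checks the device serial number against the Syslog Match Names you will configure in Step 2, and counts CONFIG, SYSTEM and TRAFFIC records. The CSV field positions it relies on (serial number third, log type fourth) are an assumption about the PAN-OS syslog format to confirm against your PAN-OS version's log field reference, and the sample lines are constructed, not captured from a device.

```python
"""Check PAN-OS syslog lines received by the Security Manager Data Collector.

Added example; this is not FireMon's or Palo Alto Networks' code. It checks
the three things the procedure above configures: the syslog facility is
local use 0 (log_local0), the device serial number matches a configured
Syslog Match Name, and the log type is one of CONFIG, SYSTEM or TRAFFIC.
Assumption: in the PAN-OS CSV body the serial number is the 3rd field and
the log type the 4th; confirm against the log field reference for your
PAN-OS version.
"""
import re
import socket
from collections import Counter

LOCAL0 = 16                                   # syslog facility "local use 0"
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]
EXPECTED_TYPES = {"CONFIG", "SYSTEM", "TRAFFIC"}

# <PRI> followed by a BSD-style header: Mon dd hh:mm:ss hostname <CSV body>
_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_line(line):
    """Return {'facility', 'severity', 'serial', 'type'} or None if unparsable."""
    m = _PRI.match(line.strip())
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    # Assumption: header is "Mon dd hh:mm:ss hostname" (4 whitespace-separated
    # tokens) and everything after the hostname is the PAN-OS CSV record.
    parts = m.group(2).split(None, 4)
    if len(parts) < 5:
        return None
    fields = parts[4].split(",")
    if len(fields) < 4:
        return None
    return {
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "serial": fields[2].strip(),
        "type": fields[3].strip().upper(),
    }


def validate(lines, match_names=None):
    """Sort lines into accepted (counted by type) and the reason others were rejected."""
    report = {
        "accepted": Counter(),
        "wrong_facility": [],
        "unmatched_serial": [],
        "unexpected_type": [],
        "unparsed": [],
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"].append(line)
        elif rec["facility"] != LOCAL0:
            report["wrong_facility"].append(line)
        elif match_names and rec["serial"] not in match_names:
            report["unmatched_serial"].append(line)
        elif rec["type"] not in EXPECTED_TYPES:
            report["unexpected_type"].append(line)
        else:
            report["accepted"][rec["type"]] += 1
    return report


def listen_udp(port=514, limit=100, match_names=None):
    """Collect `limit` datagrams from the syslog port and validate them.

    Binding port 514 needs root; on a test host use a high port and a test sender.
    """
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(lines) < limit:
            data, _ = sock.recvfrom(65535)
            lines.append(data.decode("utf-8", errors="replace"))
    return validate(lines, match_names)


# Constructed sample lines (not captured from a real device). PRI 134 is
# local0.info (16*8 + 6); PRI 14 is user.info, i.e. the wrong facility.
SAMPLE_LINES = [
    "<134>Sep 20 11:15:07 PA-VSYS1 1,2023/09/20 11:15:07,012345678901,TRAFFIC,end,2049,"
    "2023/09/20 11:15:07,10.0.0.5,10.0.1.9,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1",
    "<134>Sep 20 11:15:08 PA-VSYS1 1,2023/09/20 11:15:08,012345678901,SYSTEM,general,0,"
    "2023/09/20 11:15:08,,general,,0,0,general,informational,Commit job succeeded",
    "<134>Sep 20 11:15:09 PA-VSYS1 1,2023/09/20 11:15:09,012345678901,CONFIG,0,0,"
    "2023/09/20 11:15:09,10.0.0.20,,set,admin,Web,Succeeded, vsys vsys1 rulebase security",
    "<14>Sep 20 11:15:10 PA-VSYS1 1,2023/09/20 11:15:10,012345678901,TRAFFIC,end,2049,"
    "2023/09/20 11:15:10,10.0.0.7,10.0.1.9,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1",
    "<134>Sep 20 11:15:11 PA-OTHER 1,2023/09/20 11:15:11,999999999999,TRAFFIC,end,2049,"
    "2023/09/20 11:15:11,10.0.0.8,10.0.1.9,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,vsys1",
]


if __name__ == "__main__":
    result = validate(SAMPLE_LINES, match_names={"012345678901"})
    print("accepted by type:", dict(result["accepted"]))
    for reason in ("wrong_facility", "unmatched_serial", "unexpected_type", "unparsed"):
        print(f"{reason}: {len(result[reason])}")
```

On the sample data the report accepts one line of each expected type, rejects one line for arriving on the user facility instead of local0, and one for a serial number that matches no configured Syslog Match Name. If a live capture shows TRAFFIC lines missing entirely, revisit the Log Forwarding profile and the per-rule Log Setting; if everything lands in wrong_facility, the Syslog server profile facility is not log_local0.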
Step 2: Add the Device in the Administration Module
For VSYS devices, Security Manager uses Central Syslog to collect logs from all monitored VSYSs. In this procedure you will add a representation of this Central Syslog Server in Security Manager.
- If you are running your Security Manager server components (application server and data collector) on a single machine, you will configure that machine to collect the log files.
- If you have a distributed deployment, where one Data Collector is installed on the same machine as your server, and one or more Data Collectors are installed on machines separate from your application server, you will configure the Data Collector that should receive logs from your VSYSs.
- The IP address of the data collector selected in each device's properties in the Security Manager UI must match the IP address of the Data Collector that should receive logs for that device. If you have multiple data collectors, be sure to verify this information and configure the correct Data Collector to receive logs. To view and edit device properties in Security Manager, click a device name in the Devices section and press F4. (Note that you must have View/Modify permissions for the device group to which that device belongs.)
- If you are running multiple VSYS on a single device, each VSYS must be added in Security Manager individually. If these VSYS are added as a single host, several prominent features, including Access Path Analysis, Usage Analysis and Risk Analysis will not work correctly.
- If you configure your Palo Alto IP as a central syslog server, enter the serial number as the "Syslog Match Name" in order for rule usage to work.
- On the toolbar, click Device > Devices.
- Click Create and then click Palo Alto Networks > VSYS.
- General Properties section.
To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- Collection Configuration is set on the management station, or by duplicating and then editing the default configuration (Device > Collection Configuration). The default is the configuration that ships with the installed device pack.
- Device Settings section.
- Managed By will display the management station name and the Connected via Management Station check box selected, if this device is being managed.
- In the VSYS Name field, enter the name of the virtual system on the root device.
Use only the real VSYS name (vsys1) rather than the display name. Using the display name will result in security rules not normalizing.
- If you have multiple VSYS devices, select the VSYS Siblings Share Configs check box so that one retrieval occurs and the configuration is shared across all virtual systems, instead of one retrieval per virtual system.
Multiple VSYS do not have to share the same policy. Configurations are retrieved for the entire device, which includes all virtual systems.
- Credentials
- In the User Name box, type the user name used for the dynamic superuser account.
- In the Password box, type the password used for the dynamic superuser account.
- In the Re-enter Password box, retype the password entered above.
Retrieval
- By default, Protocol is SSH, the Port is 22 and the REST API Port is 443.
- Automation section.
- Select the Suppress FQDN Capabilities check box to use an IP address instead of FQDN when creating network objects.
- Select the Recommend Changes via Manager Only check box to enable the automation of changes using only the configurations of the management station listed in the Managed By field in the Device Settings section.
- Use the Location of Created Objects list to select where to create new network and service objects for this device.
- Shared indicates objects should be added to the Panorama as shared objects.
- Device Group indicates objects should be added to this device’s device group.
- Local indicates objects should be added to this device only.
- Monitoring section.
Log Monitoring
- Select the Enable Log Monitoring check box to use for Rule Usage Analysis.
- Track Usage Via is set to Syslog.
- Log Update Interval is set to 10 (minutes); this number determines how often usage data is sent to the application server.
Change Monitoring
- Select the Enable Check for Change check box to check for configuration changes after the specified interval, and perform a retrieval if changes are detected.
- Enter an optional Alternate Syslog Source IP.
- Select the Perform Change Verification check box to allow the data collector to verify that there are actual changes before posting a revision to Security Manager. This makes more efficient use of disk space by not posting revisions that have not changed since the last successfully normalized revision.
- Retrieval section.
Scheduled Retrieval
Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.
Set the Scheduled Retrieval Time to fit your requirements.
Select the Scheduled Retrieval Time Zone from the list.
Check for Change Retrieval
Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.
The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Advanced section.
- File Retrieval Options:
- Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
- Select the Skip User File Retrieval check box if you want the retrieval to skip the user group file. This is useful in cases where the user group file is very large and is causing retrieval issues.
- Select the Skip Dynamic Block List Retrieval check box if you want the retrieval to skip over the dynamic block list file. This is useful in cases where there are too many dynamic block lists or the file is too large and is causing retrieval issues.
- SSH Key Options:
- Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
- Select the Use SSH Fallback for Version check box so that, if the device version cannot be found using the API, an SSH call is used instead.
- The Configuration Retrieval Timeout (seconds) is the time to wait for a response during a retrieval. The default is 120 seconds.
- Interface Normalization:
- Select the Force Interfaces to Set Layer 2 Enforcement check box to force normalization of all interfaces with Layer 2 enforcement set to true.
- Select the Retrieve Set Format Configuration check box to retrieve the running-config file in Set Output format, which allows Regex creation for compliance-related controls.
- Enforcement Window section.
Select an Enforcement Option from the list:
- Allow All: All automation is allowed (enforcement, change, manual).
- Manual Only: When selected, all changes must be manually pushed for this device.
- Prevent All: No automation is allowed.
- Window Only: Automation can only take place in the assigned enforcement window.
If this device is assigned to an enforcement or change window, it will be listed. If no assignment, changes must be manually pushed for this device.
- Supplemental Routes section.
Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.
Click Add.
Complete fields in the Add Supplemental Routes dialog box:
- Select an Interface.
If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.
- Type the Destination IP address.
- Type the Gateway IP address.
- Select a Virtual Router.
- Select a Next Virtual Router.
- Switch the Drop toggle to enable (disabled = Accept).
- Click Add.
- Click Save.
Step 3: Verify Communication
Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.
To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.
It may take up to 15 minutes to see the status result of the retrieval.