Palo Alto Panorama
Details:
- Support: Level 5 / Automation
- Supported Versions: 8.x to 10.1.x
Automation Notes:
- PanOS version 8.1.x to 10.1.x using Panorama's API
- Super User or a custom administrator role that includes XML API configuration permission.
- If separate credentials are needed for Retrieval and Automation, set the retrieval credentials (in the Administration module) in the Device Settings section and the automation credentials in the Policy Automation section for the Panorama device.
- Rules with duplicate names cannot be created.
- User objects from remote authentication servers cannot be searched for.
- Log Forwarding Profiles, Tags, Log at Session Start and End, Schedule, QOS Marking, and Disable Server Response Inspection must be set on the rule outside of automation.
- For pre and post rules, the child device must be in sync with Panorama when SIP retrieves the configuration of the firewall that is targeted for automation.
Notes:
- Want to use a certificate for retrievals? Palo Alto provides documentation for this functionality: Configure Certificate-Based Administrator Authentication to the Web Interface ( https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface ). You will enter the certificate information and RSA private key during Step 2: Add the Device in the Administration Module.
- FIPS compliant device pack available
Security Manager retrieves configurations for firewalls and virtual firewalls managed under a Panorama server. To add your Panorama server and its managed devices, complete the procedure below.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not the information needed), please consult your device's user guide.
Prerequisite: The data collector retrieves configurations from Panorama over SSH port 22 and REST API port 443. Please ensure these ports are open on your device.
- On the Panorama device, in the Panorama context, add a superuser read-only account for the SIP data collector. SIP uses this account only to retrieve data from your device. SIP will never attempt to make changes to any device on your network.
- Log in to the Palo Alto Panorama Web UI with superuser credentials.
- On the toolbar, click the Panorama tab.
- In the sidebar, click Administrators and click Add.
- Enter a name and password for the account. Make note of the user name and password. You will enter them in the Administration module later.
- For Administrator Type select Dynamic.
- For the Admin Role select Superuser or Superuser (read-only).
- Click OK.
It is recommended not to use special characters in the account password. API key generation will fail when the password contains special characters such as # and &. This is not a PAN-OS specific issue; it is due to the way browsers and cURL handle these characters, which are reserved in URLs as general or sub-delimiters and therefore split or truncate the request unless they are encoded.
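The password caveat above is a URL-encoding problem, so it can be handled in any script that generates the key for the retrieval account. The following Python script is an added example, not FireMon's or Palo Alto's code: it percent-encodes every parameter, sends the credentials in a POST body rather than in the URL (keeping the password out of proxy and web-server access logs), and parses the reply. The keygen endpoint (`/api/?type=keygen`), the `type=op` operational request, and the `<response status="success"><result><key>` reply shape are PAN-OS's documented XML API; the host name, account name and the sample replies are constructed placeholders.

```python
"""Added example (not FireMon's or Palo Alto's code): generate a PAN-OS / Panorama
XML API key for the retrieval account without tripping over reserved URL
characters such as '#' and '&' in the password."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional


def keygen_form_body(user: str, password: str) -> str:
    """Percent-encode the keygen parameters.

    PAN-OS exposes key generation as /api/?type=keygen&user=...&password=...
    '#' and '&' are reserved delimiters in a URL (RFC 3986), so a raw password
    containing them is truncated or split into extra parameters. urlencode
    applies quote_plus, turning '#' into '%23' and '&' into '%26'.
    """
    return urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})


def parse_keygen_response(body: bytes) -> str:
    """Extract the API key from a keygen reply; raise RuntimeError on failure.

    A successful reply looks like
    <response status="success"><result><key>...</key></result></response>
    """
    root = ET.fromstring(body)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise RuntimeError(f"keygen failed: {msg}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen reply carried no key")
    return key


def op_request_query(api_key: str, cmd_xml: str) -> str:
    """Build the query string for an operational request (what the 'Operational
    Requests' XML API permission covers), e.g. cmd='<show><system><info></info></system></show>'."""
    return urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})


def request_api_key(host: str, user: str, password: str, ca_file: Optional[str] = None) -> str:
    """POST the credentials to Panorama and return the generated key.

    ca_file pins the CA that issued Panorama's web certificate; with None the
    system trust store is used. Certificate verification is never disabled.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"https://{host}/api/",
        data=keygen_form_body(user, password).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_keygen_response(resp.read())


# Constructed sample replies in the shape PAN-OS returns; used for offline checks only.
SAMPLE_OK = b'<response status="success"><result><key>EXAMPLEKEY0123</key></result></response>'
SAMPLE_ERR = b'<response status="error" code="403"><result><msg>Invalid Credential</msg></result></response>'

if __name__ == "__main__":
    # Offline demonstration: show the encoded body for a password with '#' and '&'.
    print(keygen_form_body("sip-ro", "p#ss&word"))
    print(parse_keygen_response(SAMPLE_OK))
    # Live use (hostname and account are assumptions for this example):
    # key = request_api_key("panorama.example.internal", "sip-ro", "p#ss&word", ca_file="panorama-ca.pem")
```

Run the script as-is to see the encoded form body; the live call is commented out because it needs a reachable Panorama and the retrieval account created above. Storing the returned key rather than the password in any automation is the usual practice, since the key can be revoked from Panorama independently of the account.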
If you change this name and password on your device in the future, you will need to manually update these credentials in SIP. Data retrieval will fail if the data collector cannot access the monitored device.
Panorama 9.x+ users can create a custom admin role profile for the device retrieval credentials if they want to retrieve predefined external dynamic lists. Note that XML API permissions cannot be restricted to read-only, so a custom admin role grants the retrieval account some write permissions. The permissions needed for retrieval only are: XML API: Log, Configuration, and Operational Requests. Command Line: superreader.
To create a custom admin role for retrieval only:
- In the sidebar, click Admin Roles and click Add.
- In the Admin Role Profile dialog box, enter a Name and Description for the profile.
- For Role, select Panorama.
- Click the XML API tab and select Log, Configuration, and Operational Requests.
- Click the Command Line tab and select superreader from the list.
- Click OK.
- In the sidebar, click Administrators and click Add.
- Enter a name and password for the account. Make note of the user name and password. You will enter them in the Administration module later.
- For Administrator Type select Custom Panorama Admin.
- For Profile, select the profile created from the list.
- For Password Profile, select None.
- Click OK.
- Establish the data collector as a syslog server by creating a profile for it, and send configuration logs from Panorama to the data collector. Basic syslog settings can be entered through the Panorama Web UI and need to be configured on both the Panorama and Device tabs. The Panorama tab sets up syslog for the Panorama server itself, and the Device tab sets up the syslog template for all the firewalls.
If you are using collector groups or managed collectors, please refer to your Panorama admin guide for the steps to complete the log forwarding process.
- Click the Panorama tab.
- Create a new syslog server profile. In the sidebar, click Server Profiles > Syslog and click Add. In the Syslog Server Profile dialog box:
- Enter a Name for the new profile.
- On the Servers tab, click Add and then complete the fields:
- Name: Enter a name for the data collector
- Syslog Server: Enter the IP address of the data collector
- Transport: Select UDP
- Port: Enter 514
- Facility: Select any facility listed
- Click OK.
- Set the data collector to receive system and configuration logs at the correct severity level from Panorama.
- In the sidebar, click Log Settings.
- To create a new profile for system logs, in the System section click Add to open the Log Settings - System dialog box.
- Enter a Name for the Log Settings - System profile.
- For versions 6.1.x, 7.1.x, 8.0.x, 9.1.x, 10.2.x and 11.0.x, set the Filter to Informational
- For versions 7.0.x, set the Filter to High
- In the Syslog section, click Add to select the syslog server profile added in step B
- Click OK
To modify an existing system log profile to use the new profile created, click the profile name in the System section. In the Syslog section, click Add to select the syslog server profile created in step B.
- To create a new profile for configuration logs, in the Configuration section click Add to open the Log Settings - Configuration dialog box.
- Enter a Name for the log settings - configuration profile
- Leave the Filter set to All Logs
- In the Syslog section, click Add to select the syslog server profile added in step C
- Click OK
To modify an existing configuration log profile to use the new profile created, click the profile name in the Configuration section. In the Syslog section, click Add to select the syslog server profile created in step B.
- Click the Device tab.
- Create a new syslog server profile. In the sidebar, click Server Profiles > Syslog and click Add. In the Syslog Server Profile dialog box:
- Enter a Name for the new profile.
- On the Servers tab, click Add and then complete the fields:
- Name: Enter a name for the data collector
- Syslog Server: Enter the IP address of the data collector
- Transport: Select UDP
- Port: Enter 514
- Facility: Select any facility listed
- Click OK.
- Create a Log Forwarding profile for the data collector.
- Click the Objects tab.
- In the sidebar, click Log Forwarding.
- To add a new log forwarding profile, click Add to open the Log Forwarding Profile dialog box.
- Enter a Name for the new log forwarding profile
- Click Add to open the Log Forwarding Profile Match List
- Enter a Name for the profile match list
- Leave the Log Type set to traffic
- Leave the Filter set to All Logs
- In the Syslog section, click Add and select the previously created syslog server profile
- Click OK
- Click OK.
- Configure rules to forward traffic logs to the data collector.
- Click the Policies tab.
- Select the Device Group from the list.
- In the sidebar, click Pre Rules or Post Rules.
- Click a rule for which you want to forward traffic logs to open the Security Policy Rule dialog box.
- Click the Actions tab
- In the Log Setting section, select the Log at Session End check box (recommended)
- For Log Forwarding, select the log forwarding profile created in step 3 C
- Click OK
- Repeat for each rule that you want to forward traffic logs for usage analysis
- Commit your changes. Security Manager will not be able to retrieve any data from your device until these settings have been committed.
If you are forwarding logs through Panorama and can no longer see logs being received by the Panorama from firewalls, restart the log receiver:
- Log into the Panorama CLI at the admin level.
- Enter the command debug software restart log-receiver.
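Before waiting on a retrieval, it is worth confirming on the data collector host that Panorama's messages actually arrive on UDP 514 and that the Log Settings filter is delivering the severity you expect. The following Python script is an added example, not FireMon's or Palo Alto's code: it parses the RFC 3164 `<PRI>` header that every syslog datagram carries (facility * 8 + severity), reports whether a line would pass an Informational filter, and can bind UDP/514 to capture one datagram. The sample lines are constructed and do not reproduce Panorama's log format; the function names are this example's own.

```python
"""Added example (not FireMon's or Palo Alto's code): check that syslog from
Panorama reaches the data collector host at the expected severity."""
import socket
from typing import Optional, Tuple

# RFC 3164 severity numbers, most severe first. The Log Settings filter
# 'Informational' corresponds to severity 6.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
INFORMATIONAL = 6


def parse_pri(line: str) -> Tuple[int, int, str]:
    """Return (facility, severity, rest_of_message) from a '<PRI>...' syslog line.

    PRI = facility * 8 + severity, at most 191 (facility 23, severity 7).
    Raise ValueError on a missing or malformed header so a truncated datagram
    is reported rather than silently counted.
    """
    if not line.startswith("<"):
        raise ValueError("missing <PRI> header")
    end = line.find(">", 1, 5)          # PRI is 1-3 digits, so '>' is at index 2..4
    if end == -1 or not line[1:end].isdigit():
        raise ValueError("malformed <PRI> header")
    pri = int(line[1:end])
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8, line[end + 1:]


def severity_name(severity: int) -> str:
    """Map a severity number to its RFC 3164 name."""
    return SEVERITIES[severity]


def passes_filter(line: str, max_severity: int = INFORMATIONAL) -> bool:
    """True if the line is at least as severe as the filter allows.

    Lower numbers are more severe, so an Informational filter (6) passes
    severities 0..6 and drops debug (7).
    """
    _, severity, _ = parse_pri(line)
    return severity <= max_severity


def receive_one(port: int = 514, timeout: float = 30.0) -> Optional[Tuple[str, Tuple[int, int, str]]]:
    """Bind UDP/<port>, wait for one datagram and return (sender_ip, parsed PRI).

    Returns None on timeout. Binding 514 needs root, and the port must be free,
    so run this only while the collector's own listener is stopped.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            data, addr = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return addr[0], parse_pri(data.decode("utf-8", "replace"))


# Constructed sample lines (not real Panorama output): <14> is facility 1 /
# severity 6 (informational); <15> is severity 7 (debug); <12> is severity 4 (warning).
SAMPLE_LINES = [
    "<14>Jan  1 00:00:00 panorama-01 constructed CONFIG log line",
    "<15>Jan  1 00:00:01 panorama-01 constructed debug line",
    "<12>Jan  1 00:00:02 panorama-01 constructed SYSTEM warning line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        facility, severity, _ = parse_pri(line)
        verdict = "passes" if passes_filter(line) else "dropped by"
        print(f"facility={facility} severity={severity} ({severity_name(severity)}) {verdict} Informational filter")
    # Live capture on the collector host (needs root and a free UDP/514):
    # print(receive_one())
```

If the live capture times out while Panorama reports the profile as committed, the usual causes are the firewall or host filter between Panorama and the collector on UDP 514, or the syslog server profile pointing at the wrong IP; a debug-only line that shows up while configuration logs do not points instead at the Log Settings filter.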
Caution! Before completing this step, verify that you intend to use Permitted IP Addresses. Enabling the list without the correct addresses may result in loss of connectivity.
- If you will be using permitted IP addresses, add the data collector IP address to the list of permitted IP addresses.
- In the navigation, click Setup. Then, in the Management Interface Settings dialog box, click the Edit button.
- Under the Permitted IP Addresses list, click the Add button.
- Enter the IP address of the Data Collector, and then click OK.
- Click OK to exit the settings window.
- If you will be using Policy Automation (a separate license is required, and it only works with Panorama versions 6.1+), you can set up a secondary administrator account that allows API access only.
- In the Navigation, go to Panorama > Administrators and click Add.
- For the account settings, enter a user name and password for this secondary account.
- Make note of the user name and password. You will enter them in the Administration module later.
- Set the scope of the profile to Panorama.
- Click the XML API tab, and enable the following:
- Log
- Configuration
- Operational Request
- User-ID Agent
- Click the Command Line tab, and select superreader from the list.
- Click OK.
- Commit your changes. Security Manager will not be able to retrieve any data from your device until these settings have been committed.
If separate credentials are desired for Retrieval and Automation, set the retrieval credentials in the Device Settings section of Panorama device in the Administration module and the automation credentials in the Policy Automation section of the Panorama device.
Step 2: Add the Device in the Administration Module
- On the toolbar, click Device > Management Stations.
- Click Create, and then click Palo Alto Networks > Panorama.
- General Properties section.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
A syslog server must be created before it can be assigned to a device.
- In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.
- By default, the Automatically Retrieve Configuration check box is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any Rule Documentation field updates on the management station will override updates on the member device. A rule marked to be removed will not be updated.
- Device Settings section.
Credentials
- In the User Name box, type the user name used for the administrator account.
- In the Password box, type the password used for the administrator account.
- In the Re-enter Password box, retype the password entered above.
Certificate
Palo Alto provides documentation to use this feature: Configure Certificate-Based Administrator Authentication to the Web Interface ( https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface )
- Paste the certificate in the Certificate box.
- Enter the RSA Private Key.
Retrieval
- By default, the SSH Port for retrieval is 22, and the REST API Port is 443.
- Policy Automation section.
A valid Policy Automation license is required to complete this section, and you need to have created a secondary admin account (Superuser or a custom administrator role that includes XML API configuration permission) in the Panorama UI.
- In the User Name box, type the user name used for the secondary administrator account.
- In the Password box, type the password used for the secondary administrator account.
- In the Re-enter Password box, retype the password entered above.
- Select the Commit Administrator's Change check box to automatically commit changes made by an administrator.
- The Job Status Timeout is defaulted to 240 seconds to allow a job to complete before timing out.
- Select a Rule Placement from the list to allow for implementation of rule placement in Policy Planner.
- Pre Rules Only (default)
- Post Rules Only
- Pre or Post Rules
- Select an Override Scope to enforce that new objects are created only at that level. If no selection is made, or the selected scope has not yet been normalized, the existing behavior applies and objects are created at the specified device group level.
- Select Push Changes to Firewalls to enable the ability to push changes to firewalls when the commit flag is set to true.
- Select Require Audit Comments to enable requiring an audit comment to be added before implementing a rule change. Audit comments will not enforce a regex match if one is set on the Panorama device.
- Select Skip Pushing Changes to Shared Device Group to prevent All Device Groups from being pushed to when changes are made in the Shared Device Group.
- Monitoring section.
- By default, the Enable Change Monitoring check box is selected.
- Enter an optional Alternate Syslog Source IP.
- Select the Perform Change Verification check box to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
- Retrieval section.
Scheduled Retrieval
- Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.
- Set the Scheduled Retrieval Time to fit your requirements.
- Select the Scheduled Retrieval Time Zone from the list.
Check for Change Retrieval
- Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.
- The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Advanced section.
- File Retrieval Options:
- Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
- The Skip Usergroup File on FromServer Retrievals for Child Devices check box is selected by default. Clear the check box to disable.
- Select the Skip Granular Change Log Retrieval check box to disable performing a granular change log retrieval. This will impact the information available in the Changes by User report.
- SSH Key Options:
- Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
- Select the Use SSH Fallback for Version check box so that, if the device version cannot be determined through the API, the data collector uses an SSH call instead.
- Child Device Uniqueness:
- Select the Include Serial Number on Child Device Naming check box to enforce child device uniqueness. When enabled, the serial number will be appended in the device name.
- The Configuration Retrieval Timeout (seconds) is the time to wait for a response during a retrieval. The default is 120 seconds.
- Interface Normalization:
- Select the Force Interfaces to Set Layer 2 Enforcement check box to force normalization of all interfaces with Layer 2 enforcement set to true.
- Select the Retrieve Set Format Configuration check box to retrieve the running-config file in Set Output format, allowing Regex creation for compliance-related controls.
- Click Save.
- Devices being managed will be listed in the Discovered Devices section.