Palo Alto Prisma Access Cloud Manager / Strata Cloud Manager

Details:

  • Support: Level 1 & 2

  • Supported Version: Cloud

  • Notes: Only cloud-managed, single-tenant devices are supported.

  • Using Syslog over TLS:

    • Configuration is done at the Data Collector Group level.

    • You will enter the Instance ID in the Syslog Match Names field. The Instance ID is found in Strata Cloud Manager > device serial number > Actions > Product Information.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If a Configure the Device procedure differs from what your device version shows (for example, the UI location of a field; the information needed is the same), consult your device's user guide.

  1. Log in to Palo Alto Networks Strata Cloud Manager using an account that has Write access to the tenant service group (TSG).

  2. Go to Settings > Identity & Access.

  3. Select the tenant to give Security Manager access to from the All Tenants list.

  4. Click Add Identity.

  5. Set Identity Type to Service Account.

  6. Enter a Service Account Name, and then click Next.

  7. Note the Client ID and Client Secret and store them in a password manager or secrets vault rather than in a ticket or e-mail. You'll need them when adding the device to Security Manager.

  8. Click Next.

  9. Select Prisma Access & NGFW for Apps & Services and select View Only Administrator as the Role. This read-only role is sufficient for configuration retrieval, so the service account does not need write access.

  10. Select All Apps & Services for Apps & Services and select Browser as the Role.

  11. Click Submit.

  12. Note the tenant service group ID (TSG ID). It's at the top of the Identity & Access page, next to the tenant name. You'll need this when adding the device to Security Manager.
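Before entering the TSG ID, Client ID and Client Secret into Security Manager, it is worth confirming that the service account can actually obtain a token for the tenant. The following POSIX shell script is an added example, not FireMon or Palo Alto Networks code. The token endpoint URL and the client_credentials request with scope=tsg_id:<TSG ID> are assumptions taken from Palo Alto's published Prisma SASE API documentation; confirm them for your tenant. The script reads the credentials from environment variables so the secret does not land in shell history, and it reads the exp claim from the returned JWT for information only, without verifying the signature.

```shell
#!/bin/sh
# Pre-flight check for a Strata Cloud Manager service account before entering it
# into Security Manager. Added example; not FireMon or Palo Alto Networks code.
# ASSUMPTION: the OAuth2 token endpoint below is the one documented for the
# Prisma SASE API at the time of writing; confirm it for your tenant.
SCM_AUTH_URL="${SCM_AUTH_URL:-https://auth.apps.paloaltonetworks.com/am/oauth2/access_token}"

# Build the OAuth2 scope that ties the token to one tenant service group.
scm_scope() {
  printf 'tsg_id:%s' "$1"
}

# Request a token with the client-credentials grant.
# $1 = TSG ID, $2 = Client ID, $3 = Client Secret. Prints the raw JSON body.
# --fail makes curl print nothing on 401/403, so an empty result means the
# credentials or scope were rejected.
scm_token_json() {
  curl -sS --fail -X POST \
    -u "$2:$3" \
    -d grant_type=client_credentials \
    --data-urlencode "scope=$(scm_scope "$1")" \
    "$SCM_AUTH_URL"
}

# Pull the access_token value out of the JSON body read from stdin.
json_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Read a numeric claim ($2, e.g. exp) from the payload of a JWT ($1).
# The signature is NOT verified; this only inspects what the server returned.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#payload} % 4 )) in                              # restore padding
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Run the check only when credentials are supplied in the environment
# (SCM_TSG_ID, SCM_CLIENT_ID, SCM_CLIENT_SECRET), so the secret never lands in
# shell history or a ticket. Sourcing the file without them only defines the
# functions above.
if [ -n "${SCM_CLIENT_SECRET:-}" ]; then
  tok=$(scm_token_json "$SCM_TSG_ID" "$SCM_CLIENT_ID" "$SCM_CLIENT_SECRET" | json_access_token)
  if [ -z "$tok" ]; then
    echo "no access_token in response: check TSG ID, Client ID and Client Secret" >&2
    exit 1
  fi
  exp=$(jwt_claim "$tok" exp)
  echo "token obtained for $(scm_scope "$SCM_TSG_ID"); expires in $(( exp - $(date +%s) ))s"
fi
```

Save the script under any name (scm_preflight.sh is only a placeholder) and run it as SCM_TSG_ID=<TSG ID> SCM_CLIENT_ID=<Client ID> SCM_CLIENT_SECRET=<Client Secret> sh scm_preflight.sh. A token for the expected tsg_id scope confirms that the three values you will type into the Credentials section in Step 2 belong together; an empty response means one of them is wrong or the service account was not granted a role on that tenant.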

Step 2: Add the Device in the Administration Module

  1. On the toolbar, click Device > Management Stations.
  2. Click Create, and then click Palo Alto Networks > Prisma Access.
  3. General Properties section.
    1. In the Name box, type the name of the device as you want to see it in SIP.
    2. In the Description box, type an optional description of the device being added.
    3. In the Management IP Address box, type the IP address of the device.
    4. In the Data Collector Group box, select the data collector group (listed by IP address) that will collect data from this device.
    5. In the Central Syslog Server box, select the syslog server from the list (optional).

       A syslog server must be created before it can be assigned to a device.

    6. In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.

       If you will use Syslog over TLS, enter the Instance ID in the Syslog Match Names box. The Instance ID is found in Strata Cloud Manager > device serial number > Actions > Product Information.

    7. In the External ID box, type a unique identifier to be used when the device identifier is different from what is displayed in SIP.
    8. By default, the Automatically Retrieve Configuration check box is selected.
    9. For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any Rule Documentation field updates on the management station will override updates on the member device. A rule marked to be removed will not be updated.
  4. Device Settings section.

Credentials

  1. Enter the TSG ID (Tenant ID).
  2. Enter the Client ID.
  3. Enter and re-enter the Client Secret.

Proxy

  1. Proxy Server: the URL of the proxy server.
  2. Proxy Username: the user name for proxy authentication.
  3. Proxy Password: the password for that user name.
  5. Monitoring section.

Log Monitoring

Select the Enable Log Monitoring check box to collect usage data for Rule Usage Analysis. This will activate an additional field to complete.

  • The default Log Update Interval is 10 minutes; this value determines how often usage data is sent to the application server.

Change Monitoring

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate additional fields to complete.

  • Enter an optional Alternate Syslog Source IP.
  • Select the Perform Change Verification check box to allow the data collector to verify that there are actual changes before posting a revision to Security Manager. This makes more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
  6. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.

  • Set the Scheduled Retrieval Time to fit your requirements.

  • Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).

  7. Advanced section.
    1. File Retrieval Options: Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. While this option is enabled, online retrievals are disabled.

    2. The default Retrieval Timeout (seconds) is 120. This field is disabled when Use Batch Config Retrieval is enabled.

    3. The default API Entry Limit is 1000. Increase this value to speed up retrieval of large configurations.

    4. Select the Skip PaaS API Retrieval check box to skip the PaaS API retrievals that normalize routes and interfaces.

  8. Click Save.

    Devices being managed will be listed in the Discovered Devices section.