Professional Documents
Culture Documents
Panorama
Administrators
Guide
Version 7.0
Contact Information
Corporate Headquarters:
For information on how to configure other components in the Palo Alto Networks Next-Generation Security
Platform, go to the Technical Documentation portal: https://www.paloaltonetworks.com/documentation or
search the documentation.
For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to
https://live.paloaltonetworks.com.
For contacting support, for information on support programs, to manage your account or devices, or to open a
support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS and Panorama 7.0 release notes, go to
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes.html.
Administer Panorama
This section describes how to administer and maintain Panorama. It includes the following topics:
Manage Storage Quotas and Expiration Periods for Logs and Reports
Monitor Panorama
Administer Panorama
Step 2
Enter a Name and Description for the scheduled file export and Enable it.
Step 3
Using the 24-hour clock format, enter a daily Scheduled Export Start Time or select one from the drop-down.
Step 4
Set the export Protocol to Secure Copy (SCP) or File Transfer Protocol (FTP).
Step 5
Enter the details for accessing the server, including: Hostname or IP address, Port, Path for uploading the file,
Username, and Password.
Administer Panorama
(SCP only) Click Test SCP server connection. To enable the secure transfer of data, you must verify and
accept the host key of the SCP server. Panorama doesnt establish the connection until you accept the host
key. If Panorama has an HA configuration, perform this step on each HA peer so that each one accepts the
host key of the SCP server. If Panorama can successfully connect to the SCP server, it creates and uploads the
test file named ssh-export-test.txt.
Step 7
Click OK and Commit, for the Commit Type select Panorama, and click Commit again.
Administer Panorama
Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
Step 2
For the Number of Versions for Config Backups, enter a value between 1 and 1048576. The default is 100.
Step 3
Click OK and Commit, for the Commit Type select Panorama, and click Commit again.
Administer Panorama
Step 2
Step 3
Step 4
Click Commit, for the Commit Type select Panorama, and click Commit again.
Administer Panorama
Preview the changes in configuration before committing them to Panorama. You can, for example,
preview the changes between the candidate configuration and the running configuration. As a best
practice, select the older version on the left pane and the newer version on the right pane, to easily
compare and identify modifications.
Perform a configuration audit to review and compare the changes between two sets of configuration files.
Step 2
Step 3
Select the number of lines that you want to include for Context, and click Go.
To easily compare versions, the changes have color highlighting.
Select Panorama > Setup > Management and edit the Logging and Reporting Settings.
Step 2
For the Number of Versions for Config Audit, enter a value between 1 and 1048576. The default is 100.
Step 3
Click OK and Commit, for the Commit Type select Panorama, and click Commit again.
Administer Panorama
1.
2.
3.
2.
3.
4.
Administer Panorama
Types of Locks
Take a Lock
Remove a Lock
Types of Locks
The available lock types are:
Config LockBlocks other administrators from making changes to the configuration. This type of lock can
be set globally or for a virtual system. It can be removed only by the administrator who set it or by a
superuser. The configuration lock is not released automatically.
Commit LockBlocks other administrators from committing changes until all of the locks have been
released. The commit lock ensures that partial configuration changes are not inadvertently committed to
the firewall or to Panorama when two administrators are making changes at the same time and the first
administrator finishes and commits changes before the second administrator has finished. The lock is
released automatically when the administrator who applied the lock commits the changes; the lock can
be removed manually by the administrator who took the lock or by the superuser.
If a commit lock is held on a firewall, and an administrator commits configuration changes or shared policy
rules to a template or device group that includes that firewall, the commit will fail with an error message
indicating that there is an outstanding lock on a firewall.
Read-only administrators who cannot make configuration changes to the firewall or Panorama
will not be able to take either lock.
Role-based administrators who cannot commit changes can take the config lock and save the
changes to the candidate configuration. They cannot, however, commit the changes themselves.
Because they cannot commit the changes, the lock is not automatically released on commit; the
administrator must manually remove the config lock after making the required changes.
Device groupRestricts changes to the selected device group but not its descendant device groups.
TemplateRestricts changes to the firewalls included in the selected template. (You cant take a lock for
SharedRestricts changes to the centrally administered rulespre-rules and post-rulesthat are shared
across all device groups. For more information on shared rules, see Device Group Policies.
Administer Panorama
Take a Lock
Take a Lock
Step 1
Click the lock icon at the top right of the web interface.
Step 2
Step 3
Step 4
As a best practice, add a Comment to describe the reasons for taking the lock.
Step 5
Select Panorama > Setup > Management tab and edit the General Settings.
Step 2
Step 3
Click OK and Commit, for the Commit Type select Panorama, and click Commit again.
Administer Panorama
Remove a Lock
Remove a Lock
Step 1
Click the lock icon at the top right of the web interface.
Step 2
Select the lock that you want to release, click Remove Lock, and click OK.
Unless you are a superuser, you can remove only the lock that you previously took.
Administer Panorama
Header on the top left corner of the web interface; you can also hide the Panorama default background
Supported image types include .jpg, .gif, and .png. Image files for use in PDF reports cannot contain an alpha
channel. The size of the image must be less than 128 Kilobytes (131,072 bytes); the recommended
dimensions are displayed on screen. If the dimension is larger than the recommended size, the image will be
automatically cropped.
Add Custom Logos to Panorama
Step 1
Step 2
Step 3
Click the Upload logo icon and select an image for any of the following options: the login screen, the left
corner of the main user interface, the PDF report title page and the PDF report footer.
Step 4
Click Open to add the image. To preview the image, click the preview logo icon.
Step 5
(Optional) To clear the green background header on the Panorama web interface, select the check box for
Remove Panorama background header.
Step 6
Step 7
Click Commit, for the Commit Type select Panorama, and click Commit again.
Administer Panorama
Click the Tasks icon on the bottom right corner of the web interface.
Step 2
Select the list of tasks to review. By default All Tasks are displayed.
Step 3
You can filter by All or Running tasks and select Jobs, Reports, or Log Requests:
JobsLists commits, auto commits, downloads and installs for software and dynamic updates performed
on locally on Panorama or centrally pushed to the managed firewalls from Panorama. Each job is a link; click
the link in the Type column to view details on the firewalls, status, and review errors, if any.
ReportsDisplays the status and start time for scheduled reports.
Log RequestsLists the log queries triggered from the Monitor >Log Viewer tab or the Dashboard. For
example, to display the logs in the URL Filtering widget or the Data Filtering widget on the Dashboard, log
requests are generated on Panorama.
Administer Panorama
Manage Storage Quotas and Expiration Periods for Logs and Reports
Configure Storage Quotas and Expiration Periods for Logs and Reports
Panorama virtual appliancePanorama writes all logs to its assigned storage space, which can be any of
one the following:
The approximately 11GB storage allocated by default on the virtual disk that you created when
installing Panorama.
An additional virtual disk: see Add a Virtual Disk to Panorama on an ESXi Server or Add a Virtual Disk
to Panorama in vCloud Air.
An NFS partition: see Mount the Panorama ESXi Server to an NFS Datastore.
The storage space for reports is 200MB.
M-Series appliancePanorama saves logs to its internal SSD and RAID-enabled disks. The M-Series
appliance uses its internal SSD to store the Config logs and System logs that Panorama and its Log
Collectors generate, and also to store the Application Statistics (App Stats) logs that Panorama
automatically receives at 15 minute intervals from all managed firewalls. Panorama saves all other log
types to its RAID-enabled disks. The RAID disks are either local to the M-Series appliance in Panorama
mode or are in a Dedicated Log Collector (M-Series appliance in Log Collector mode). To edit the storage
quotas for logs on the RAID disks, you must modify the Collector Group configuration. The storage space
for reports is 500MB for Panorama 6.1 or later releases and 200 MB for earlier releases.
ReportsPanorama deletes reports nightly at 2:00 a.m., when it generates scheduled reports.
Each log typePanorama evaluates logs as it receives them, and deletes logs that exceed the configured
expiration period.
Manage Storage Quotas and Expiration Periods for Logs and Reports
Administer Panorama
Each summary log typePanorama evaluates logs after the various summary periods (hourly, daily, and
weekly), and deletes logs that exceed the configured expiration period.
Weekly summary logs that fall short of the expiration threshold when log deletion occurs could
age past the threshold before the next log deletion. For example, if you configure Traffic Summary
logs to expire after 20 days and a weekly Traffic Summary log is 19 days old when the device
deletes expired logs, the device doesn't delete that log. The next time the device checks for
weekly logs to delete, 7 days later, that log will be 26 days old.
Panorama synchronizes expiration periods across high availability (HA) pairs. Because only the
active HA peer generates logs, the passive peer has no logs or reports to delete unless failover
occurs and it starts generating logs.
Even if you dont set expiration periods, when a log quota reaches the maximum size, Panorama
starts overwriting the oldest log entries with the new log entries.
Configure Storage Quotas and Expiration Periods for Logs and Reports
Configure Storage Quotas and Expiration Periods for Logs and Reports
Step 1
Step 2
1.
Configure the storage quotas and
expiration periods for:
Logs of all types that a Panorama
2.
virtual appliance receives from
firewalls.
App Stats logs that Panorama (a virtual
appliance or M-Series appliance)
receives from firewalls.
3.
System and Config logs that
Panorama (a virtual appliance or
M-Series appliance) and its Log
Collectors generate locally.
The Panorama management server
stores these logs.
If you reduce a storage quota
such that the current logs exceed
it, after you commit the change,
Panorama removes the oldest
logs to fit the quota.
Configure the expiration period for
reports that Panorama (a virtual
appliance or M-Series appliance)
generates.
Select Panorama > Setup > Management and edit the Logging
and Reporting Settings.
In the Log Storage tab, enter the storage Quota (%) for each
log type. When you change a percentage value, the page
refreshes to display the corresponding absolute value (Quota
GB/MB column) based on the total allotted storage on
Panorama.
Enter the Max Days (expiration period) for each log type
(range is 1-2,000). By default, the fields are blank, which
means the logs never expire.
To reset the quotas and expiration periods to the
factory defaults, click Restore Quota Defaults at the
bottom right of the dialog.
1.
2.
3.
Administer Panorama
Manage Storage Quotas and Expiration Periods for Logs and Reports
Configure Storage Quotas and Expiration Periods for Logs and Reports (Continued)
Step 3
Step 4
Step 5
1.
2.
3.
Enter the storage Quota(%) for each log type. When you
change a percentage value, the page refreshes to display the
corresponding absolute value (Quota GB/MB column) based
on the total storage allotted to the Collector Group.
4.
Enter the Max Days (expiration period) for each log type
(range is 1-2,000). By default, the fields are blank, which
means the logs never expire.
To reset the quotas and expiration periods to the
factory defaults, click Restore Quota Defaults at the
bottom right of the dialog.
5.
1.
2.
2.
Monitor Panorama
Administer Panorama
Monitor Panorama
To monitor Panorama and its managed collectors, you can periodically view their System and Config logs
(filter the log data by device), configure a Simple Network Management Protocol (SNMP) manager to collect
(GET) Panorama statistics on a regular basis, or configure SNMP traps or email alerts that notify you when a
monitored metric changes state or reaches a threshold on Panorama. Email alerts and SNMP traps are useful
for immediate notification about critical system events that need your attention. To configure email alerts or
SNMP traps, see Configure Log Forwarding from Panorama to External Destinations.
Description
Critical
Indicates a failure and the need for immediate attention, such as a hardware failure, including
high availability (HA) failover and link failures.
High
Serious issues that will impair the operation of the system, including disconnection of a Log
Collector or a commit failure.
Medium
Low
Informational
Notification events such as log in or log out, any configuration change, authentication success
and failure notifications, commit success, and all other events that the other severity levels
dont cover.
The M-Series appliance stores Config and System logs on its SSD. The Panorama virtual appliance stores the
logs on the assigned storage volume (see Set Up the Panorama Virtual Appliance). If you need longer-term
log storage for auditing, you can also Configure Log Forwarding from Panorama to External Destinations.
For information on using Panorama to monitor firewall logs, see Monitor Network Activity.
Administer Panorama
Monitor Panorama
Step 2
2.
3.
4.
Monitor Panorama
Administer Panorama
Step 4
Step 5
Step 6
Step 7
1.
2.
3.
2.
1.
2.
Monitor the Panorama and Log Collector Refer to the documentation of your SNMP manager.
statistics in an SNMP manager.
Administer Panorama
Step 2
Administer Panorama
1.
2.
Select Enabled.
3.
4.
5.
Administer Panorama
1.
Create password profiles.
You can create multiple password
2.
profiles and apply them to administrator
accounts as required to enforce security.
Administer Panorama