
Best Pracces for Managing Firewalls

with Panorama
10.1

docs.paloaltonetworks.com
Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support.html

About the Documentaon


• For the most recent version of this guide or for access to related documentaon, visit the
Technical Documentaon portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or quesons for us? Leave a comment on any page in the portal, or write to us
at documentaon@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective
companies.

Last Revised
May 19, 2021

Best Pracces for Managing Firewalls with Panorama Version 2 ©2021 Palo Alto Networks, Inc.
10.1
Table of Contents

Best Practices to Add Firewalls to Panorama
    Use Case - Onboarding New Next-Generation Firewalls to Panorama
    Use Case - Migrate Your Next-Generation Firewalls to Panorama

Best Practices for Firewall Configuration Management on Panorama
    Manage Your Device Group Configurations on Panorama
    Manage Your Template and Template Stack Configuration on Panorama
    Manage the Template and Template Stack Variables on Panorama

Best Practices for Configuration Change Management
    Manage Admin Roles and Access Domains from Panorama
    Simplify Security Rules Managed by Panorama
    Configuration Change Management for Large Teams
    Commit Your Panorama Configuration Changes
    Push Your Panorama Configuration Changes

Best Practices for Monitoring and Visibility on Panorama
    Design Your Logging Infrastructure
    Monitoring the Application Command Center (ACC) and Logs on Panorama
    Generate Standard and Custom Reports on Panorama

Best Pracces for Managing Firewalls with Panorama Version 3 ©2021 Palo Alto Networks, Inc.
10.1
Table of Contents

Best Pracces for Managing Firewalls with Panorama Version 4 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces to Add Firewalls to
Panorama
The Panorama™ management server is the Palo Alto Networks network security
management soluon for centralized management and visibility for your next-
generaon firewalls. This document covers the best pracces for onboarding new
firewalls or migrang exisng firewalls to Panorama to simplify and streamline this
operaon.

> Use Case - Onboarding New Next-Generaon Firewalls to Panorama


> Use Case - Migrate Your Next-Generaon Firewalls to Panorama


Use Case - Onboarding New Next-Generation Firewalls to Panorama
The first use case for getting started with the Panorama™ management server is to add a newly
deployed firewall as a managed device to Panorama.

STEP 1 | Associate Devices or Import multiple firewalls to streamline the onboarding process.
Associate the firewalls with a device group, template stack, Collector Group, and Log
Collector as you add them to Panorama from one location rather than manually associating
the firewalls after they have been successfully added to Panorama.
If you are adding a large number of firewalls, import all your new firewalls to Panorama
in a CSV file. This CSV file allows you to associate all your firewalls with a device group,
template stack, Collector Group, and Log Collector rather than manually associating them.
This option is especially beneficial when adding a large number of firewalls where manually
associating the firewalls would take a long time to complete.

STEP 2 | Enable Auto Push on 1st Connect and configure the To SW Version to automatically push
the device group and template stack configurations to your managed firewalls when they
first successfully connect to Panorama and to upgrade your managed firewalls to a specified
PAN-OS version of your choosing. This includes automatically installing all required content
updates for each PAN-OS version in the PAN-OS upgrade path.
If you are importing all your new firewalls to Panorama in a CSV file, enable Auto Push
on 1st Connect and configure the To SW Version in the CSV file to streamline the import
process.
When implementing role-based access control, use device group and template admins
to add firewalls to device groups and templates within their access domain rather than
granting superuser privileges to all Panorama admins.

STEP 3 | After you successfully add your firewalls to Panorama, create and apply tags to make your
managed firewalls easier to search and filter. This helps you keep your managed firewalls
organized as the number of firewalls you manage using Panorama grows.

STEP 4 | If you are deploying firewalls in remote sites with little to no IT staff, set up Zero Touch
Provisioning (ZTP) to streamline initial firewall deployment by automating new managed
firewall onboarding without the need for network or IT administrators at the remote site.
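A bulk CSV import fails or, worse, leaves firewalls half-associated when a serial is repeated, a referenced device group does not exist, or a To SW Version is mistyped. The Python below is an added example, not part of this guide or any Palo Alto Networks tool: it validates such a file offline before you upload it. The column names, the 12-15 digit serial format, the version-string format and the set of objects assumed to exist on Panorama are all assumptions for the example; take the real header row from the CSV template Panorama exports.

```python
import csv
import io
import re

# Column names are an assumption for this example. Use the header row of the CSV
# template that Panorama exports (Panorama > Managed Devices > Summary > Import).
REQUIRED_COLUMNS = ["serial", "device_group", "template_stack", "collector_group",
                    "log_collector", "auto_push_on_1st_connect", "to_sw_version"]

# Objects assumed to already exist on Panorama (constructed for this example).
KNOWN = {
    "device_group": {"Branch-DG", "DC-DG"},
    "template_stack": {"Branch-Stack", "DC-Stack"},
    "collector_group": {"CG-West"},
    "log_collector": {"LC-West-1"},
}

SERIAL_RE = re.compile(r"^\d{12,15}$")               # assumption: 12-15 digit serials
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(-h\d+)?$")  # e.g. 10.1.3 or 10.1.3-h1

# Constructed sample file: lines 2-3 are good, line 4 reuses a serial, line 5 names a
# device group that does not exist, line 6 has a truncated To SW Version.
SAMPLE_CSV = """serial,device_group,template_stack,collector_group,log_collector,auto_push_on_1st_connect,to_sw_version
001234567890,Branch-DG,Branch-Stack,CG-West,LC-West-1,yes,10.1.3
001234567891,Branch-DG,Branch-Stack,CG-West,LC-West-1,yes,10.1.3
001234567890,DC-DG,DC-Stack,CG-West,LC-West-1,no,
001234567892,Unknown-DG,Branch-Stack,CG-West,LC-West-1,yes,10.1.3
001234567893,Branch-DG,Branch-Stack,CG-West,LC-West-1,yes,10.1
"""


def validate_import_csv(text, known=KNOWN):
    """Return a list of problems found in the CSV; an empty list means it is safe to import."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return ["missing columns: " + ", ".join(missing)]

    seen_serials = set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        serial = row["serial"].strip()
        if not SERIAL_RE.match(serial):
            problems.append(f"line {line_no}: malformed serial {serial!r}")
        if serial in seen_serials:
            problems.append(f"line {line_no}: duplicate serial {serial}")
        seen_serials.add(serial)

        # Every referenced object must already exist on Panorama, otherwise the firewall
        # ends up added but unassociated.
        for column, names in known.items():
            value = row[column].strip()
            if value and value not in names:
                problems.append(f"line {line_no}: {column} {value!r} does not exist on Panorama")

        auto_push = row["auto_push_on_1st_connect"].strip().lower() == "yes"
        if auto_push and not (row["device_group"].strip() and row["template_stack"].strip()):
            problems.append(f"line {line_no}: Auto Push on 1st Connect needs a device group "
                            "and a template stack")

        version = row["to_sw_version"].strip()
        if version and not VERSION_RE.match(version):
            problems.append(f"line {line_no}: unrecognized To SW Version {version!r}")
    return problems


if __name__ == "__main__":
    for problem in validate_import_csv(SAMPLE_CSV):
        print(problem)
```

Run it against the file you intend to upload and fix every reported line first; the check for Auto Push on 1st Connect matters most, because a firewall that connects with that flag set and no template stack to push has nothing to receive.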

Best Pracces for Managing Firewalls with Panorama Version 6 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces to Add Firewalls to Panorama

Use Case - Migrate Your Next-Generation Firewalls to Panorama
The second use case for getting started with the Panorama™ management server is to transition
existing firewalls to Panorama. If possible, work with your Palo Alto Networks Sales Engineer or
Professional Services Engineer during the migration to ensure your firewall configurations are
correctly migrated to Panorama.

STEP 1 | Planning is key. Before you start the migration, make sure you have understood the
following:
• Review the Palo Alto Networks Compatibility Matrix to understand compatibility
between Panorama and firewalls, across Log Collectors, and content versions to ensure no
compatibility errors are encountered during migration.
• Plan your device group and template hierarchy in a way that reduces redundancy and
streamlines the management of settings that are shared among all firewalls within a set of
firewalls.
• Prepare a post-migration test plan to verify critical traffic and application traffic after
you successfully migrate your firewall to Panorama.

STEP 2 | When you migrate a firewall to Panorama management, enable Import devices' shared
objects into Panorama's shared context to avoid duplicating identical configuration objects.

STEP 3 | After a successful migration, review the Policies to identify any duplicate rules. Delete one of
each duplicate rule before you Commit to Panorama to avoid commit errors.

STEP 4 | When you Export or push device config bundle to your managed firewalls, enable Merge
with Candidate Config, Include Device and Network Templates, and Force Template Values.
Together these commit any pending local changes on the firewall along with the pushed
configuration, include all device groups and templates in the push, and replace any template
values that were overridden locally on the firewall with the values from Panorama. This ensures
a baseline configuration managed by Panorama is pushed to all firewalls migrated to Panorama.

STEP 5 | Perform your post-migration tests to verify that the migration is successful and that
everything is working as intended. Over time, optimize the configuration as needed. Use
migration tools like Expedition to periodically assess your configuration hygiene by
removing any unused or duplicate objects, and the Policy Optimizer to optimize your Security
policy rulebase.

Best Pracces for Managing Firewalls with Panorama Version 7 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces to Add Firewalls to Panorama

Best Pracces for Managing Firewalls with Panorama Version 8 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Firewall
Configuraon Management on
Panorama
Firewalls have two types of configuraons—security and network. Panorama uses
device groups to manage the security configuraons such as objects and policy rules
and templates and template stacks to manage the network configuraons.

> Manage Your Device Group Configuraons on Panorama


> Manage Your Template and Template Stack Configuraon on Panorama
> Manage the Template and Template Stack Variables on Panorama


Manage Your Device Group Configuraons on Panorama


Device groups provide a way to organize and reuse your policies by applying the principle of
inheritance and implemenng a well defined device group hierarchy. While Panorama enables you
to reuse the same device group configuraon across mulple device groups in a hierarchy, you can
also customize any local configuraons to override any inherited configuraon.
When designing your device group hierarchy, consider your funconal or regional needs and
understand the difference between pre-rules and post-rules.
For example, create any Security pre-rules that you want managed firewalls to apply without
excepon while creang Security post-rules to act as a cleanup for any traffic that did not
match a Security pre-rule.
Avoid overuse of the Shared device group so you do not exceed the capacity limits for smaller
managed firewalls. Managing configuraon objects at the appropriate device group level helps
minimize the number of Out of Sync firewalls more efficiently because all firewalls become
Out of Sync if a single shared configuraon object is modified.
Configure custom regions by using custom address objects to specify address ranges or
geolocaons.
While enterprises use the RFC 1918 address space, policies governing the enre 10.0.0x
network are not helpful. Instead define custom regions by using custom address objects to
specify address ranges or geolocaons. This allows you to create more granular and relevant
policies to reduce your aack surface.
Configure the Master Device for each device group to enable Panorama to gather user group
mappings. Having a Master Device configured in the device group makes user groups available
when creang policy rules. Addionally, you can filter the ACC and Monitor tabs using the user
group mappings gathered by Panorama.
Associate Reference Templates to refer to network configuraon objects contained in
a template that the managed firewall does not belong to in order to complete a security
configuraon. This allows you to take full advantage of common configuraon objects across
device groups and templates without overuse of the Shared device group or recreang the
idencal network configuraon objects.

Best Pracces for Managing Firewalls with Panorama Version 10 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Firewall Configuraon Management on Panorama

Manage Your Template and Template Stack Configuration on Panorama
Use templates and template stacks to reuse your network and firewall configuration objects
across your managed firewalls for common settings such as logging and high availability (HA), while
still allowing you to configure modular templates that can be combined as needed for multiple
managed firewalls in different template stacks.

Go modular by creating templates with logical groupings of settings even if the configuration
is incomplete. Remember, the configuration must be complete and all references resolved at
the template stack level, not in every template. You can reuse, reference, and override objects
from different templates to complete the template stack configuration.

Create model-specific templates (for example, network interface configuration) and
use-case-specific templates (for example, admins, role-based access control sets). This enables
you to mix and match the right templates when you add them to a template stack.

Configure the template stack with the network settings you expect to override in a template
or locally on the managed firewall.

Best Pracces for Managing Firewalls with Panorama Version 11 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Firewall Configuraon Management on Panorama

Manage the Template and Template Stack Variables on Panorama
Create template and template stack variables to maximize configuration sharing and reuse of
network and device configuration objects across your managed firewalls.

Use template and template stack variables where appropriate to help manage your managed
firewall configuration with fewer templates and streamline your configuration.
For example, IP addresses typically differ across firewalls. Using template variables, you can
create the configuration you need by specifying a variable instead of an IP address. When
the configuration is pushed to your managed firewalls, Panorama populates the correct IP
address per firewall based on the value configured for each managed firewall.

Create variables with the default value of None to ensure an incorrect configuration is not
accidentally pushed to a managed firewall: a firewall that has no value for the variable then
surfaces as a validation problem rather than receiving another firewall's setting.
A notable exception to this is the DNS server IP address. In a worst-case scenario, the managed
firewall should still be able to resolve DNS queries, so give DNS variables a usable default.

Best Pracces for Managing Firewalls with Panorama Version 12 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Configuraon
Change Management
Manage the configuraon changes your administrators can make by leveraging role-
based access control (RBAC) and segmenng access to managed firewalls, ulizing
dynamic structures, such as External Dynamic Lists (EDL) and Dynamic User Groups
(DAG), to keep policy rules up to date, and leveraging granular control over what
configuraon changes administrators can commit and push to managed firewalls.

> Manage Admin Roles and Access Domains from Panorama


> Simplify Security Rules Managed by Panorama
> Configuraon Change Management for Large Teams
> Commit Your Panorama Configuraon Changes
> Push Your Panorama Configuraon Changes


Manage Admin Roles and Access Domains from Panorama
A key to successful configuration management in a dynamic environment is the ability to assign
the appropriate privileges to your team members. Panorama provides extensive role-based access
control (RBAC) that allows granular role definition. RBAC can be combined with access domains to
segment access to managed firewalls. This helps reduce your attack surface and avoid
accidental or malicious misuse of administrator privileges.
See the Best Practices for Security Administrative Access for more detailed information on
properly controlling access to your Panorama and managed firewall configurations.

Define administrative roles to help administrators successfully manage firewalls without
over-provisioning their access.

Create access domains for your Panorama administrators if you have multiple subsets of
firewalls serving different purposes. For example, if your data center firewalls, perimeter
firewalls, and branch firewalls are managed by different Panorama administrators, configure and
assign access domains that restrict each administrator to only those firewalls that they manage.

Create device group and template admins to better control administrative access to managed
firewalls within an access domain and admin role. This offers the most granular access that
allows your team to do their job without causing operational issues.

Best Pracces for Managing Firewalls with Panorama Version 14 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Configuraon Change Management

Simplify Security Rules Managed by Panorama

Managing your Security policy rulebase is one of the most important tasks in firewall
administration; keep it as small and readable as possible.

Make your rulebase application-aware by using a combination of the Policy Optimizer and
Policy Rule Usage to transition to App-ID and User-ID based Security policy rules.
Use User Groups in your Security policy rules to make them more effective and readable.
Additionally, you can use the Expedition and Best Practice Assessment (BPA) tools to help
iterate through revisions of your rulebase to strengthen your security posture.

Use Global Find when evaluating your policy rulebase to identify objects or rules that may
already exist. This helps reduce unnecessary clutter in your configuration that ultimately
slows down commits on Panorama.
Troubleshoot your policy rules to test whether a proposed policy rule change is already
handled by an existing rule that only needs modification. This allows you to reduce
duplicate policy rules and prevent your policy rulebase from growing too large.

Use tag-based rule groups to identify rule purpose, function, lifecycle or other characteristics
to quickly sort and group like rules together. Tag-based rule groups allow you to visually
distinguish between sets of rules within a rulebase; you can manage them as a group or
individually modify a single rule in the group.

Enforce audit comments for policy rule creation and modification to support the critical
operational function of supporting security audits. A rule with a well-documented series
of audit comments makes it easier to respond to an audit request instead of relying on rule
descriptions or external tools. Additionally, you can supplement audit comments by entering a
description when you commit configuration changes to Panorama.

Use dynamic constructs like External Dynamic Lists, Dynamic Address Groups, and Dynamic
User Groups to streamline your configuration and simplify maintenance of your Security policy
rulebase. As your environment changes, their membership updates (an EDL refresh, a tag
change) without the need to commit.

When creating your Security policy rule, avoid selecting one or more managed firewalls in the
Target tab as it renders the managed firewall configuration synchronization status unreliable.
This is commonly referred to as policy targeting. Policy targeting is evaluated on the firewall
and not on Panorama. As a result, managed firewalls that a policy rule is not pushed to may
erroneously display as Out of Sync. Design your device group hierarchy to minimize or avoid
the need to target policies.
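Both the migration advice above (delete duplicate rules before the first commit, then periodically remove unused objects) and this section's advice to find rules that already exist come down to three mechanical checks on the rulebase: exact duplicates, rules shadowed by an earlier broader rule, and address objects no rule references. The Python below is an added example, not part of this guide and not Expedition or Policy Optimizer code; it runs those checks over a constructed rulebase. It compares object names only and does not resolve addresses, so a rule on `finance-lan` would not be reported as shadowed by a rule on a `corp-lan` that contains it; the real tools do that resolution. Rule, object and App-ID names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset      # address objects; frozenset({"any"}) matches everything
    dst: frozenset
    app: frozenset      # App-IDs
    action: str


def rule(name, src, dst, app, action):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(app), action)


def covers(outer, inner):
    """True when every value in `inner` is also matched by `outer` (name-level only)."""
    return "any" in outer or inner <= outer


def find_duplicates(rules):
    """Rules whose match criteria and action are identical to an earlier rule."""
    seen, dups = {}, []
    for r in rules:
        key = (r.src, r.dst, r.app, r.action)
        if key in seen:
            dups.append((r.name, seen[key]))
        else:
            seen[key] = r.name
    return dups


def find_shadowed(rules):
    """Rules that can never match because an earlier rule matches everything they would."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (covers(earlier.src, later.src) and covers(earlier.dst, later.dst)
                    and covers(earlier.app, later.app)):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def find_unused_objects(rules, address_objects):
    """Address objects referenced by no rule: candidates for deletion."""
    referenced = set()
    for r in rules:
        referenced |= r.src | r.dst
    return sorted(set(address_objects) - referenced)


# Constructed rulebase (in evaluation order) and object list for the example.
RULES = [
    rule("allow-web", ["corp-lan"], ["any"], ["web-browsing", "ssl"], "allow"),
    rule("allow-web-copy", ["corp-lan"], ["any"], ["web-browsing", "ssl"], "allow"),  # duplicate
    rule("allow-web-only", ["corp-lan"], ["any"], ["web-browsing"], "allow"),        # shadowed
    rule("allow-dns", ["corp-lan", "guest-lan"], ["dns-servers"], ["dns"], "allow"),
    rule("cleanup-deny", ["any"], ["any"], ["any"], "deny"),
]
ADDRESS_OBJECTS = ["corp-lan", "guest-lan", "dns-servers", "finance-lan", "dmz-web"]

if __name__ == "__main__":
    print("duplicates:", find_duplicates(RULES))
    print("shadowed:  ", find_shadowed(RULES))
    print("unused:    ", find_unused_objects(RULES, ADDRESS_OBJECTS))
```

The shadow check deliberately ignores the action: a narrower allow sitting behind a broader allow is dead weight, but a narrower deny behind a broader allow is a misordering that is silently failing to deny, which is the more urgent finding of the two.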

Best Pracces for Managing Firewalls with Panorama Version 15 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Configuraon Change Management

Configuraon Change Management for Large Teams


Configuraon errors occur when a large team is leveraging Panorama for centralized configuraon
management. Panorama allows for granular manipulaon using the revert, import, export, load,
merge and replace configuraon operaons. These operaons are performed at a device group or
template level.
When trying to quickly revert the Panorama configuraon to a previously known state,
consider reverng only the impacted device group or template instead of the enre Panorama
configuraon.
This helps you preserve changes from other administrators who did not make any configuraon
changes in the impacted device group or template. Addionally, you can export the
configuraon to modify it offline and then import it back to Panorama when you’re ready.
Export the in progress device group and template configuraon changes in order to push any
emergency configuraon changes to managed firewalls. Aer you export, revert the Panorama
configuraon to make the emergency changes. When the changes are successfully pushed to
managed firewalls, you can import the Panorama configuraon that included the in progress
configuraon changes.
If you are consolidang mulple Panorama configuraons, taccally merge your device group
and template configuraons to consolidate the configuraon on a single Panorama.

Best Pracces for Managing Firewalls with Panorama Version 16 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Configuraon Change Management

Commit Your Panorama Configuration Changes

Panorama provides many ways for you to control the commit process. It is worthwhile to
understand what they are and adopt them in your day-to-day operations.

When you commit Panorama configuration changes, select Commit Changes Made by to
commit only your own changes and not configuration changes made by other admins.
This ensures other configuration changes that are in progress or not yet approved are not
erroneously committed to Panorama.

When committing configuration changes, require admins to Preview Changes and review the
change summary. A visual check of the configuration changes often helps catch mistakes and
saves time in operational maintenance later.

Best Pracces for Managing Firewalls with Panorama Version 17 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Configuraon Change Management

Push Your Panorama Configuration Changes

Panorama provides many ways to control pushing configuration changes to managed firewalls. It is
worthwhile to understand what they are and adopt them in your day-to-day operations.

Before administrators push configuration changes to managed firewalls, require them to review
the push scope selection (Commit > Push to Devices > Edit Selections) to verify that the list of
target firewalls is correct.
Even if the device group hierarchy is designed correctly and the configuration changes are well
planned, there may be scenarios where configuration changes do not need to be pushed to
all firewalls at a given time due to different maintenance windows. It is always a best practice
to review the list of target firewalls to ensure configuration changes are pushed only to the
intended managed firewalls.

Use the Force Template Values (Commit > Push to Devices > Edit Selections) setting sparingly.
A push with this setting enabled replaces every template setting that was overridden locally on
the firewall with the value from Panorama, so firewall-specific local overrides (for example, an
interface address set by a local administrator) are lost.

Best Pracces for Managing Firewalls with Panorama Version 18 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Monitoring and
Visibility on Panorama
Design your logging infrastructure for opmal log ingeson and storage based on your
organizaonal requirement. Then, leverage the Applicaon Command Center (ACC),
PDF Summary reports, and custom reports to idenfy network acvity and threats
that need to be invesgated and resolved.

> Design Your Logging Infrastructure


> Monitoring the Applicaon Command Center (ACC) and Logs on Panorama
> Generate Standard and Custom Reports on Panorama


Design Your Logging Infrastructure

It is a best practice to plan and design your logging infrastructure before you deploy new managed
firewalls. The Panorama management server provides multiple modes for device management
and log collection. Panorama mode allows you to both manage your firewall configuration and
ingest and store logs. If you want your Panorama to have a single function, Log Collector mode is
designed solely for log ingestion and storage while Management Only mode is designed solely for
firewall configuration management.

Use the Panorama Sizing and Design Guide to calculate the logging rate and determine your log
storage requirements. This is important when deciding on the log storage capacity of your Log
Collectors and can depend on numerous factors such as regulatory retention requirements.
Consult your Sales Engineer (SE) when sizing your logging infrastructure. They will provide you
with the technical expertise needed to interpret and customize your deployment to meet your
needs.

Do not use Legacy mode if you are deploying a Panorama virtual appliance, due to the many
logging limitations and restrictions associated with this mode. While suitable for a lab or demo
environment, avoid using a Panorama in Legacy mode in your production environment.

Use a separate interface for log collection on your managed firewalls. This helps you maintain
performance on your management interface, which is communicating with Panorama. As a
sound security best practice, configure a permitted IP list for all interfaces.

Best Pracces for Managing Firewalls with Panorama Version 20 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Monitoring and Visibility on Panorama

Monitoring the Applicaon Command Center (ACC) and


Logs on Panorama
The Applicaon Command Center (ACC) is an interacve visualizaon tool designed to help you
quickly understand events in your network. The ACC contextualizes your managed firewall logs to
enable you gain insights into traffic paerns and aconable informaon on threats that you can
use in your invesgaons.
Learn to use all the data interacons available to you in the ACC.
• Use ACC filters to drill down for specific informaon such as addresses or users.
• Apply global filters to pivot the ACC display around details you care about most and exclude
unrelated informaon.
• If leveraging GlobalProtect, view the GlobalProtect Acvity widget to view the HIP reports
based on HIP match logs to understand the security status of end devices accessing your
network.
• Aer you have narrowed down the informaon you are interested in, Export your ACC data
in CSV format or widgets in PDF format to share with your team interested in performing
further invesgaon or remediaon.
Customize the ACC to ensure that is tailored to the specific network acvity you are interested
in monitoring.
This will help you improve your efficiency as you invesgate a parcular user or host. This
enables you to have complete contextual informaon without having to switch tabs or scroll
too far.
• Add a new widget to the ACC and select Content Acvity.
• Add a new widget to the ACC and select URL Filtering.
• By default, the Threat Acvity widget is displayed. If it is not displayed, add a new widget
and select Threat Acvity.
Select Objects > Regions and create custom regions with IP address ranges to use in your
security policy rules. Using custom regions makes the correlang network events in the ACC
more relevant.
For example, you configured custom regions for your branch offices and noce certain IP
addresses are responsible for a suspiciously large amount of traffic. By leveraging custom
regions, you can correlate this suspicious network acvity with a specific branch office and take
steps to invesgate and perform remediaon measures.

Best Pracces for Managing Firewalls with Panorama Version 21 ©2021 Palo Alto Networks, Inc.
10.1
Best Pracces for Monitoring and Visibility on Panorama

Generate Standard and Custom Reports on Panorama

The Panorama™ management server provides a way for you to centralize and aggregate all
information across your firewall deployment to generate PDF reports and create custom reports.

Identify and classify all SaaS applications used by your organization as Sanctioned or
Unsanctioned.
Panorama and managed firewalls consider any application without the Sanctioned tag
as unsanctioned for use on the network. Unsanctioned SaaS applications can cause an
exposure to threats and loss of private and sensitive data. It is important to classify your SaaS
applications to better investigate network activity.
1. Select Objects > Applications.
2. Create a custom SaaS application as needed.
3. Select one or more of your SaaS applications and Edit Tags.
4. From the Add Tags drop-down, select Sanctioned or Unsanctioned.
5. Repeat steps 1-4 until your SaaS applications are tagged as needed.
6. Select Commit > Commit and Push to commit and push your configuration changes.

Configure the user activity report and SaaS application usage report on the basis of user groups
to achieve a higher level of granularity in your reports.
For example, your finance department is storing a large amount of data in GitHub. Leveraging
user groups in your user activity and SaaS application usage reports allows you to more easily
identify this suspicious behavior. Otherwise, this suspicious behavior may go unnoticed
if the report is run for the whole organization.

Configure purpose-driven and specific custom reports and limit the number of columns to what
is necessary.
Concise report parameters allow you to more easily identify network activity that needs
investigation.

When creating a custom report, use the Query Builder when possible to rapidly narrow down the
results.
For example, a targeted report for one office location is far more efficient and actionable than
a report for all office locations. If you need a report that encompasses multiple offices, it is
better to run a few different reports with specific queries for each office.

Best Pracces for Managing Firewalls with Panorama Version 22 ©2021 Palo Alto Networks, Inc.
10.1

You might also like