Panorama On Aws Deployment Guide

Deployment Guide for
Panorama on AWS
RELEASE 2 | AUGUST 2019

Table of Contents
Preface.................................................................................................................................................................................... 1
Purpose of This Guide......................................................................................................................................................... 3

Objectives............................................................................................................................................................................................................... 3
Audience................................................................................................................................................................................................................. 4
Related Documentation...................................................................................................................................................................................... 4
Deployment Overview........................................................................................................................................................ 5
Deployment Considerations............................................................................................................................................................................... 5
Design Model........................................................................................................................................................................ 6
Managing Cloud Deployments with Panorama.............................................................................................................................................. 6
Firewall Log Collection........................................................................................................................................................................................ 6
Panorama Device Administration...................................................................................................................................................................... 9
Panorama Operational Considerations.......................................................................................................................................................... 12
Assumptions and Prerequisites......................................................................................................................................13
Deployment Details for Panorama on AWS Infrastructure......................................................................................14

Creating and Configuring a VPC and Infrastructure Components...........................................................................................................14
Deploying a Panorama Server on AWS.......................................................................................................................................................... 21
Deployment Details for Panorama Services and Onboard Firewalls.....................................................................29

Updating Panorama System and Activating Services.................................................................................................................................. 29
Building Firewall Network Configuration Templates and Policies............................................................................................................40
Managing VM-Series with Panorama Server(s)............................................................................................................................................ 45
Palo Alto Networks

Preface
Preface
GUIDE TYPES
Overview guides provide high-level introductions to technologies or concepts.
Reference architecture guides provide an architectural overview for using Palo Alto Networks® technologies to provide
visibility, control, and protection to applications built in a specific environment. These guides are required reading prior
to using their companion deployment guides.
Deployment guides provide decision criteria for deployment scenarios, as well as procedures for combining Palo Alto
Networks technologies with third-party technologies in an integrated design.
DOCUMENT CONVENTIONS
Notes provide additional information.
Cautions warn about possible data loss, hardware damage, or compromise of security.
Blue text indicates a configuration variable for which you need to substitute the correct value for your environment.
In the IP box, enter 10.5.0.4/24, and then click OK.
Bold text denotes:
• Command-line commands;
# show device-group branch-offices
• User-interface elements.
In the Interface Type list, choose Layer 3.
• Navigational paths.
Navigate to Network > Virtual Routers.
• A value to be entered.
Enter the password admin.
Palo Alto Networks 1

Preface
Italic text denotes the introduction of important terminology.

An external dynamic list is a file hosted on an external server so that the firewall can import objects.
Highlighted text denotes emphasis.

Total valid entries: 755
ABOUT PROCEDURES
These guides sometimes describe other companies' products. Although steps and screen-shots were up-to-date at the
time of publication, those companies might have since changed their user interface, processes, or requirements.
GETTING THE LATEST VERSION OF GUIDES

We continually update reference architecture and deployment guides. You can access the latest version of this and all
guides at this location:
https://www.paloaltonetworks.com/referencearchitectures
WHAT'S NEW IN THIS RELEASE

Palo Alto Networks made the following changes since the last version of this guide:
• Updated the content to include PAN-OS® 9.0.1
• Changed Logging Service to Cortex™ Data Lake
• Added notes about Transit Gateway deployment
Comprehensive revision history for this guide

Purpose of This Guide

This guide provides reference architectures for deploying Palo Alto Networks Panorama™ centralized management
system for the Palo Alto Networks family of next-generation firewalls on Amazon Web Services (AWS) public cloud.
This guide:
• Provides architectural guidance and deployment details for using a Palo Alto Networks Panorama management
system, deployed on AWS, to provide a single location from which you can create network configurations and
security policies that enable visibility, control, and protection to your applications built in the AWS public cloud.
• Requires that you first read the Reference Architecture Guide for AWS. The reference architecture guide provides
design insight and guidance necessary for your organization to plan linkage of pertinent features with the
next-generation firewall in a high availability design, and then how to manage the environment with Panorama.
• Provides decision criteria for deployment scenarios, as well as procedures for programming features of the AWS
compute and network resources and the Palo Alto Networks Panorama centralized management system in order
to achieve an integrated design.
• Provides deployment details for programming advanced features and onboarding firewalls to the Panorama
management system.
OBJECTIVES
Completing the procedures in this guide, you are able to successfully deploy a Palo Alto Networks Panorama manage-
ment system on the AWS environment. You also enable the following functionality:
• Centralized management point for the firewalls on the AWS public cloud, and if desired, managing firewalls in
other parts of your organization’s network.
• Device groups to deploy security policies for application layer visibility and control for traffic inbound from the
internet or VPN, as well as traffic outbound from the AWS public cloud.
• Network and device templates to enable consistent features and functionality on the managed firewalls.
• Resilient design with primary and secondary Panorama systems each deployed in a separate AWS Availability
Zone.
• Centralized logging with Cortex Data Lake (formerly Logging Service), which also enables cloud-delivered security
analytics.
• An automation platform that can scale to configure and monitor thousands of Palo Alto Networks next-genera-
tion firewalls.

AUDIENCE
This guide is for technical readers, including system architects and design engineers, who want to deploy the Palo Alto
Networks Panorama centralized management system within a public cloud datacenter infrastructure. It assumes the
reader is familiar with the basic concepts of applications, networking, virtualization, security, and high availability, as
well as a basic understanding of network architectures.
RELATED DOCUMENTATION
The following documents support this guide:
• Palo Alto Networks Security Operating Platform Overview—Introduces the various components of the Security
Operating Platform and describes the roles they can serve in various designs
• Reference Architecture Guide for AWS—Presents a detailed discussion of the available design considerations and
options for the AWS public cloud infrastructure. If you are unable to access the URL for the reference architec-
ture guide, please ask your account team to assist you.
• Deployment Guide for AWS Single VPC—Details deployment scenarios for the Single Virtual Private Cloud design
model, which is well-suited for initial deployments and proof of concepts of Palo Alto Networks VM-Series on
AWS. This guide describes deploying VM-Series firewalls to provide visibility and protection for inbound and
outbound traffic for the VPC.
• Deployment Guide for AWS Transit Gateway—Details the deployment steps for an AWS Transit Gateway design
model. This model leverages the Transit Gateway and uses three security-dedicated VPCs, each configured with
dual firewalls, to secure inbound, outbound, and east-west traffic flows.
• Deployment Guide for AWS Transit VPC—Details the deployment of a central Transit VPC design model. This
model provides a hub-and-spoke design for centralized and scalable firewall services for resilient outbound
and east-west traffic flows. This guide describes deploying the VM-Series firewalls to provide protection and
visibility for traffic flowing through the Transit VPC.

Deployment Overview
Deployment Overview
The Reference Architecture Guide for AWS describes AWS concepts that provide a cloud-based infrastructure as a
service and how the Palo Alto Networks VM-Series firewalls can complement and enhance the security of applications
and workloads in the cloud. The design models presented in that guide provide visibility and control over traffic
inbound to the applications in AWS, outbound to on-premises or internet services and flows internal to the VPC.
To reduce the time required to manage multiple devices, maintain consistency of configurations, and deploy security
policy changes rapidly, Palo Alto Networks Panorama central management is included in the design. Panorama enables
you to manage all the key features of the Palo Alto Networks next-generation firewalls using a model that provides
central oversight and local control. You can deploy Panorama as either a hardware appliance or virtual appliance
on-premise. You can also deploy it as a virtual appliance in the public cloud.
DEPLOYMENT CONSIDERATIONS
Before deploying Panorama, consider the following factors:
• Where to deploy the Panorama management system(s)—Many organizations have an existing on-premises
Panorama system that is managing the firewalls in data centers and perhaps remote sites. They can use this
Panorama system to manage the firewalls in the cloud, providing that there is a robust encrypted transport to
the cloud firewalls. Panorama deployed in the cloud benefits from being inside of the provider’s robust network
and reduces charges for data that needs to go to/from the cloud for managing the environment. Depending on
size and scale projections, you may choose to deploy Panorama systems in both locations and interconnect the
systems. This guide focuses on a cloud deployment of Panorama.
• Where to deploy logging—Transporting log data from a number of firewalls in the cloud can be an expensive
operation due to the cost of transport. You can deploy dedicated logging inside of the cloud deployment even
if the Panorama management nodes are not in the cloud. Alternatively, moving to Cortex Data Lake offers more
than just a storage location option for your firewall logs; it also provides visibility for a host of network forensics
tools.
• Resilience and availability—What are the management requirements for availability? Panorama can be deployed
as a single node or a high availability (HA) pair operating in a primary/secondary role to reduce downtime and
data loss in the event of a failure. Panorama HA nodes can operate in different cloud data center availability
zones for enhanced availability. This guide demonstrates a high availability deployment.
• System Access—IP access to the Panorama system is required to deploy and operate Panorama. You should
use network tools like access control lists (ACLs) and security grouping to limit the IP addresses that can access
Panorama management to those required by your organization. You can pare the application ports allowed to
connect to Panorama to those required for central management operation.

Design Model
Design Model
MANAGING CLOUD DEPLOYMENTS WITH PANORAMA

The best method for ensuring up-to-date firewall configuration is to use Panorama for central management of firewall
policies. Panorama simplifies consistent policy configuration across multiple independent firewalls through its device
group and template stack capabilities. When multiple firewalls are part of the same device group, they receive a
common ruleset. Because Panorama enables you to control all of your firewalls—whether they are on-premises or in
the public cloud, a physical appliance or virtual—device groups also provide configuration hierarchy. With device group
hierarchy, lower-level groups include the policies of the higher-level groups. This allows you to configure consistent
rulesets that apply to all firewalls, as well as consistent rulesets that apply to specific firewall deployment locations such
as the public cloud.
You can deploy Panorama in your on-site data center or a public cloud provider such as AWS. When deployed in your
on-site data center, Panorama can manage all the physical appliances and VM-Series firewalls in your organization.
If you want a dedicated instance of Panorama for the VM-Series firewalls inside of AWS, deploy Panorama on AWS.
Three deployment mode options are available for Panorama which, if necessary, allows for the separation of manage-
ment and log collection.
• Panorama mode—Panorama controls both policy and log management functions for all the managed devices.
• Management-only mode—Panorama manages configurations for the managed devices but does not collect or
manage logs.
• Log Collector mode—One or more Log Collectors collect and manage logs from the managed devices. This
assumes that another deployment of Panorama is operating in management-only mode.
The separation of management and log collection enables the Panorama deployment to meet scalability, organizational,
and geographical requirements. The choice of form factor and deployment mode gives you the maximum flexibility for
managing Palo Alto Networks Next-Generation Firewalls in a distributed network.
FIREWALL LOG COLLECTION

Beyond management, your firewall log collection and retention need to be considered. Log collection, storage, and
analysis is an important cybersecurity best practice that organizations perform to correlate potential threats and
prevent successful cyber breaches.

Design Model
On-Premises Panorama with Dedicated Log Collectors in the Cloud

Sending logging data back to the on-premises Panorama can be inefficient, costly, and pose data privacy and residency
issues in some regions. An alternative to sending the logging data black to your on-premises Panorama is to deploy
Panorama dedicated log collectors on AWS and use the on-premises Panorama for management. Deploying a ded-
icated Log Collector on AWS reduces the amount of logging data that leaves the cloud but still allows your on-site
Panorama to manage the VM-Series firewalls in AWS and have full visibility to the logs as needed.
Figure 1 Panorama Log Collector mode in AWS
VPC
Management
VPN Gateway
Panorama
Log Collector Mode Panorama
Panorama Management in AWS with Cortex Data Lake

There are two design options when deploying Panorama management on AWS. First, you can use Panorama for
management only and use Cortex Data Lake to store the logs generated by the VM-Series firewalls. Cortex Data Lake
is a cloud-based log collector service that provides resilient storage and fast search capabilities for large amounts of
logging data. Cortex Data Lake emulates a traditional log collector. Logs are encrypted and then sent by the VM-Series
firewalls to Cortex Data Lake over TLS/SSL connections. Cortex Data Lake allows you to scale your logging storage as
your AWS deployment scales as licensing is based on storage capacity and not the number of devices sending log data.

Design Model
The benefit of using Cortex Data Lake goes well beyond scale and convenience when tied into the Cortex hub (former-
ly Application Framework). Cortex hub is a scalable ecosystem of security applications that can apply advanced analytics
in concert with Palo Alto Networks enforcement points to prevent the most advanced attacks. Palo Alto Networks
analytics applications, such as Cortex XDR (formerly Magnifier™) and AutoFocus™, as well as any third-party analytics
applications that you choose, use Cortex Data Lake as the primary data repository for all of Palo Alto Networks
offerings.
Figure 2 Panorama management and Cortex Data Lake
Cortex hub VPC Network

Management
Panorama
Management Only Mode
Cortex Data Lake

Design Model
Panorama Management and Log Collection in the Cloud

Second, you can use Panorama for both management and log collection. Panorama on AWS supports high-availability
deployment if both virtual appliances are in the same VPC and region. You can deploy the management and log col-
lection functionality as a shared virtual appliance or on dedicated virtual appliances. For smaller deployments, you can
deploy Panorama and the Log Collector as a single virtual appliance. For larger deployments, a dedicated Log Collector
per region allows traffic to stay within the region and reduce outbound data transfers.
Figure 3 Panorama management and log collection in AWS
VPC Management
Panorama
Panorama is available as a virtual appliance for deployment on AWS and supports Management Only mode, Panorama
mode, and Log Collector mode with the system requirements defined in Table 1. Panorama on AWS is only available
with a BYOL licensing model.
Table 1 Panorama Virtual Appliance on AWS
Management only Panorama Log Collector

4 CPUs 8 CPUs 16 CPUs
Minimum system 8GB memory 32GB memory 32GB memory
requirements 81GB system disk 2TB to 24TB log storage capacity 2TB to 24TB log storage capacity
t2.xlarge m4.2xlarge m4.4xlarge
AWS instance sizing m4.2xlarge m4.4xlarge c4.8xlarge
PANORAMA DEVICE ADMINISTRATION

The time it takes to deploy changes across 10s or 100s of firewalls can be costly in the number of employees required,
as well as the delay projects experience while employees wait for the process to be completed. In addition to time,
errors can increase when network and security engineers program changes firewall-by-firewall. Panorama provides a
number of tools for centralized administration that can reduce time and errors for your firewall management operation.

Design Model
Templates/Template Stacks
Panorama manages common device and network configuration through templates. You can use templates to manage
configuration centrally and then push the changes to all managed firewalls. This approach avoids making the same
individual firewall change repeatedly across many devices. Templates are grouped together within a template stack, and
the stack is applied to selected firewalls.
You can define common building blocks for device and network configuration within a template. These building blocks
are logically combined by adding them to a template stack. If there are no overlapping parameters, then the stack
reflects the combination of all the individual templates. If there is overlap, then the settings from the highest priority
template take precedence. You may override the template settings at the stack level. A local administrator may also
perform overrides directly on an individual device if necessary.
Firewall-specific settings such as IP addresses must be unique per-device. Instead of using overrides, these settings
may be managed using variables within templates. Panorama manages the variable assignments at deployment time,
either on a per-device basis through manual assignment or in bulk by importing a spreadsheet with the settings for
multiple devices.
Figure 4 Panorama template stack and templates
Individual Devices
Apply Override
Local Admins
Apply Override
Template Stack (may override templates)
Panorama Admins
Template (Priority 1) Ov erride Priority
Up To
Template (Priority 2) 8 Templates
Template (Priority 3)

Design Model
Hierarchical Device Groups

Panorama manages common policies and objects through hierarchical device groups. You use multi-level device groups
to centrally manage the policies across all deployment locations with common requirements. For example, device
groups may be determined geographically, such as Europe and North America. Also, each device group can have a
functional sub-device group (for example, perimeter or data center).
Figure 5 Panorama device groups and policy evaluation
Shared Policies (All Devices)
Parent Device Group

Pre Rules
Up To
Child Device Group Four L evels
Sub-Child Device Group
Local Rules Evaluation

(Individual Devices) Order
Panorama Admins Local Admins
Sub-Child Device Group
Up To
Child Device Group Four L evels
Post Rules
Parent Device Group
Shared Policies (All Devices)
You can define shared policies for central control while granting your local firewall administrator the autonomy to make
specific local adjustments. At the device group level, you can create common policies that are defined as the first set
of rules (pre-rules) and the last set of rules (post-rules) to be evaluated against match criteria. You can view pre- and
post-rules on a managed firewall, but they can only be edited in Panorama in the context of the defined administrative
roles. You can edit local device rules (those between pre- and post-rules) by either your local firewall administrator or
by a Panorama administrator who has switched to a local firewall context. In addition, you can reference shared objects
defined by a Panorama administrator in locally managed device rules.
Role-based administration delegates feature-level access, including availability of data (enabled, read-only, or disabled
and hidden from view), to different members of your staff. You can give specific individuals access to tasks that are
pertinent to their job while making other tasks either hidden or read-only.
As your deployment grows in size, you can make sure updates are sent to downstream boxes in an organized manner.
For instance, you may prefer to centrally qualify a software update before it is delivered via Panorama to all production
firewalls at once. Using Panorama, you can centrally manage the update process for software updates, content applica-
tion updates, antivirus signatures, threat signatures, URL-filtering database, and licenses.
Panorama can also integrate with your IT workflow applications. When a log is generated on the next-generation
firewall, Panorama can trigger actions and initiate workflows through HTTP-based APIs. Selective log forwarding allows
you to define the criteria to automate a workflow or an action.

Design Model
PANORAMA OPERATIONAL CONSIDERATIONS
Panorama on AWS Licensing

Panorama on AWS is available in a bring your own license (BYOL) and is composed of a license that you purchase from
a channel partner. Panorama on AWS supports all deployment modes (Panorama, Log Collector, and Management
Only), and shares the same processes and functionality as the M-Series hardware appliances. When using BYOL, you
license Panorama like a traditionally deployed appliance, registering it on the Palo Alto Customer Support web site prior
to implementation. After the Panorama instance is initialized and accessible, you must apply a licensed serial number
for operation. After you apply the serial number to the device, the device registers with the Palo Alto Networks support
portal and obtains information about its capacity and subscriptions.
System Access Control

When running the Panorama management system on AWS, you should use AWS security groups and network ACLs
to restrict Panorama to management communications to needed ports and IP address ranges. Panorama should have
dedicated public IP access so that you can always reach the firewalls in the transit using private IP addressing within
the VPC, and you should use security groups to restrict outside access to Panorama to only those ranges in use by your
organization to manage the firewalls. If you are not using Panorama, you need public IP addresses on the Transit firewall
management interfaces or a jumphost in the VPC.

Assumptions and Prerequisites
Assumptions and Prerequisites

AWS:
• Your organization has an active subscription with AWS, and the person(s) programming compute, network, and
storage resources have sufficient AWS privileges.
• This design uses IPv4 IP addressing. IPv6 is available but is not covered.
• Using this guide, you will deploy two Elastic IP addresses. Ensure that you have available Elastic IP addresses in
the AWS region into which you will deploy.
• You will deploy two AWS instances for Panorama.
• This deployment was tested predominantly in the US West (Oregon) region, although deploying this design
should be possible in any AWS region.
Palo Alto Networks Panorama:
• The tested PAN-OS version in this guide is 9.0.1.
• Panorama is implemented in management mode.
• Cortex Data Lake is provisioned for event logging.
• The Cloud services plugin for Panorama tested was 1.3.1-h5.
Palo Alto Networks VM-Series firewall:
• To complete this guide by onboarding a VM-Series (or hardware-based) firewall to your Panorama system, you
need a Palo Alto Networks firewall that is licensed and IP-reachable by Panorama.
Palo Alto Networks licensing:
• Your organization has licenses for Panorama primary and secondary (if used) servers. Panorama in AWS requires
BYOL at this time.
• Your organization has sufficient licenses for the VM-Series firewalls. This deployment guide uses BYOL; howev-
er, you could use usage-based licenses.
• Cortex Data Lake requires a license with sufficient storage for your expected retention period. Cortex Data Lake
requires an authentication code and a Panorama system associated to the service. This guide uses a Cortex
Data Lake hosted in the Americas region.

Deployment Details for Panorama on AWS Infrastructure
Deployment Details for Panorama on

AWS Infrastructure
Although an account may have existing AWS VPCs where you plan to deploy your Panorama VM, this section describes
some settings specific for Panorama VM deployment.
The first set of procedures sets up an AWS VPC for Panorama operation:
• When deploying Panorama VM in HA mode, you need two Availability Zones, one for each Panorama node.
Panorama HA mode on AWS requires that both nodes (peers) be in the same region and VPC.
• The Panorama console is accessible from outside of the AWS VPC and uses a public IP per node and an Internet
Gateway (IGW). The public IP addresses are assigned in the section “Deployment Details for Panorama Services
and Onboard Firewalls.”
• Route tables for Panorama need to be programmed for Internet access, typically via an IGW.
• Security group(s) for Panorama need to be programmed for necessary protocol support from Panorama to the
Internet services, as well as for Panorama to firewalls.
Follow all sections, or review the necessary sections, in the following procedure to program your VPC settings for
correct operation to support Panorama VM.
The second set of procedures deploys the Panorama system as a VM on AWS and prepares the instance for IP
communications.
Procedures
Creating and Configuring a VPC and Infrastructure Components
1.1 Create the VPC
1.2 Create IP Subnets
1.3 Create a VPC Internet Gateway
1.4 Create VPC Route Tables
1.5 Create VPC Security Groups
All resources in this guide were created and tested in the AWS US West (Oregon) region unless noted otherwise. You
should change to the AWS region most suitable for your deployment.

In this procedure group, you create the VPC and initial networking to enable resources for Panorama VM deployment.
Note that you can enter additional IPv4 CIDR blocks to a VPC if required. The goal is to avoid IP address overlap in the
AWS environment and your organization’s overall network.
Figure 6 Central management VPC layout
Central Mgmt VPC

192.168.100.0/24
AZ-a AZ-b
Panorama Panorama
- Primary - Standby
(eth0) (eth0)
192.168.100.10 192.168.100.138
Central-Mgmt-2a Central-Mgmt-2b
192.168.100.0/25 192.168.100.128/25
IGW
Internet
1.1 Create the VPC
In this procedure, you create a sample VPC named Central Mgmt VPC.
Step 1: Sign in to the console at https://console.aws.amazon.com, and then from the list at the top of the page, choose
US West (Oregon) region.
Step 2: Navigate to AWS services > Networking & Content Delivery > VPC. In the navigation pane on the left, under
Virtual Private Cloud, choose Your VPCs, and then click Create VPC.
Step 3: In the Name tag box, enter Central Mgmt VPC.
Step 4: In the IPv4 CIDR block box, enter the IP address and mask 192.168.100.0/24, and then click Yes, Create.

Next, you enable the assignment of public DNS hostnames for the virtual machines (instances) that you create in your
VPC. If you do not enable DNS hostnames, you may or may not be assigned a public DNS hostname depending on the
DNS attributes of your VPC and if your instance has a public IP address.
Step 5: In the VPC Dashboard, select Central Mgmt VPC, click the Actions list, and then choose Edit DNS
Hostnames. The Edit DNS Hostnames window opens.
Step 6: On the DNS Hostnames dialog box, select Yes, and then click Save.
1.2 Create IP Subnets
You should break up the initial IPv4 CIDR block into subnets. You can assign only IP address space in the configured
CIDR space(s) to a subnet. This procedure assigns IP address blocks for Management; any other subnets assigned are
optional in this procedure.
Table 2 Sample VPC IP subnets
Subnet name Availability Zone IPv4 CIDR block

Central-Mgmt-2a us-west-2a 192.168.100.0/25
Central-Mgmt-2b us-west-2b 192.168.100.128/25
Step 1: Navigate to the AWS VPC dashboard at https://console.aws.amazon.com/vpc/, and then in the navigation pane,
choose Subnets.
Step 2: At the top of the pane, click Create subnet.
Step 3: In the Name tag box, enter Central-Mgmt-2a.
Step 4: In the VPC list, choose Central Mgmt VPC.
Note
The VPC list shows both the VPC-name and the VPC-id number in the list for ease of
use, but only shows the VPC-id number in the resulting display.
Step 5: In the Availability Zone list, choose us-west-2a.
Step 6: In the IPv4 CIDR block box, enter 192.168.100.0/25.

Step 7: Click Create, and then click Close.
Step 8: Repeat steps 2-7 for all subnets in Table 2.
1.3 Create a VPC Internet Gateway
Now you create an IGW function for external IP connectivity and attach it to the VPC.
Step 1: Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/ and in the navigation pane, select
Internet Gateways.
Step 2: Click Create internet gateway, and in the Name tag box, enter Central Mgmt VPC IGW.
Step 3: Click Create, and then click Close.
It takes a few minutes for the IGW to initialize.
Step 4: In the Internet Gateways list, choose Central Mgmt VPC IGW.
Step 5: In the Actions list, choose Attach to VPC.
Step 6: In the VPC list, choose Central Mgmt VPC, and then click Attach.

1.4 Create VPC Route Tables
Route tables enable you to assign connectivity such as Internet Gateways and default gateways to specific groups of
endpoints. Recall that all endpoints in the VPC can natively connect to any other endpoint in the assigned VPC CIDR
block (example: 192.168.100.0/24). This cannot be changed by a route table. There is a Main route table created by
default for a VPC, and any subnets that are not assigned to a custom-built route table are assigned to the VPC’s Main
route table. By default, the Main route table routes only to the VPC CIDR block. Route tables can control any IP subnet
connectivity outside of the VPC CIDR block.
You can tailor your Management route table to go to only selected management destinations via the IGW versus a
default open table of 0.0.0.0/0.
Note
Each route table has a route entry for the VPC CIDR block of IP addresses. This is
pre-programmed into every VPC route table.
Table 3 VPC route tables
Route table name Route destination Target Subnets assigned Comments

Central-Mgmt 192.168.100.0/24 local Central Mgmt-2a, Central Mgmt-2b Pre-programmed VPC-wide
Central-Mgmt 0.0.0.0/0 Igw Central Mgmt-2a, Central Mgmt-2b Internet Gateway
Step 1: Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/, and then in the navigation pane,
choose Route Tables.
Step 2: At the top of the pane, click Create Route Table.
Step 3: In the Name tag box, enter Central-Mgmt.
Step 5: Click Yes, Create.

Step 6: With Central-Mgmt VPC selected in the top pane, click the Routes tab on the bottom pane, and then click
Edit routes.
Step 7: Click Add another route, and then in the Destination box, enter 0.0.0.0/0.
Step 8: Click in the Target box, choose the Central Mgmt VPC IGW, and then click Save.
Step 9: On the Subnet Associations tab, click Edit.
Step 10: Choose subnets Central Mgmt-2a and Central Mgmt-2b in the list, and then click Save.
Step 11: Repeat steps 2-10 for any other routes you may wish to add.
1.5 Create VPC Security Groups
When you create an AWS Elastic Compute (EC2) compute instance to run an application, you must assign the instance
to a new or existing security group (SG). Security groups provide a Layer 4 stateful firewall for control of the source/
destination IP addresses and ports that are permitted to or from the instances associated. SGs are applied to an
instance’s network interface. Up to five SGs can be associated with a network interface. The default Outbound access
list remains set to the default to allow all traffic to all locations; however, you can customize this for your operations. By
default, the Inbound access list is set to allow no traffic; you will change this per the table below.

The Firewall-Mgmt security group allows ports necessary for Panorama and firewall operation. Depending on your
firewall settings, you may require more or fewer ports configured. For more information, see Palo Alto Networks PAN-OS
9.0 Reference: Port Number Usage. Firewall management rules include an example range allowed to connect from your
HQ or management IP address range.
Table 4 Firewall-Mgmt-central security group—inbound rules
Port
Type Protocol range Source IP address Comments
Custom TCP rule TCP 3978 0.0.0.0/0 Firewall to Panorama
Custom TCP rule TCP 444 0.0.0.0/0 Panorama to Cortex Data Lake
Custom TCP rule TCP 28769 192.168.100.0/24 HA for Panorama
Custom ICMP rule Echo reply N/A 192.168.100.0/24 Ping reply—HA uses ping
Custom ICMP rule Echo request N/A 192.168.100.0/24 Ping request—HA uses ping
Custom TCP rule TCP 28443 0.0.0.0/0 Software retrieval
SSH TCP 22 10.0.0.0/8, 128.177.0.0/16 SSH from AWS VPCs and from example
HQ range
HTTPS TCP 443 10.0.0.0/8; 128.177.0.0/16 HTTPS from AWS VPCs and from example
HQ range
Custom UDP rule UDP 123 0.0.0.0/0 NTP
The security group is configured to allow this design to operate; your settings may vary based on your organization,
network, and application requirements.
Note
A newly configured security group allows all traffic outbound, but no traffic inbound.
You must set inbound filters to enable the Security Group to operate at all.
Step 1: Navigate to the EC2 Compute dashboard at https://console.aws.amazon.com/ec2/, navigate to NETWORK &
SECURITY > Security Groups, and then click Create Security Group.
Step 2: In the Security group name box, enter Firewall-Mgmt-Central.
Step 3: In the Description box, enter Firewall-Mgmt-Central.
Step 5: On the Inbound tab, click Add Rule.

Step 6: In the Type list, choose Custom TCP rule.
Step 7: In the Port Range box, enter 3978.
Step 8: In the Source CIDR, IP or Security Group list, choose Anywhere.
Step 9: In the Description box, enter Firewall to Panorama.
Step 10: Repeat steps 5-9 to add more rules to the security group Inbound list.
Step 11: Click Create.
Procedures
Deploying a Panorama Server on AWS
2.1 Create a Panorama Instance
2.2 Create Elastic IP Addresses for Panorama Instances
2.3 Configure Admin Login for Browser Access
In these procedures, you deploy Panorama in management mode and enable Logging Service. Panorama defaults to
management mode when it detects that there is not enough log storage capacity to run in Panorama mode.

You need a BYOL license for the primary Panorama server and another for the optional secondary Panorama server.
Figure 7 Panorama on AWS deployment
Central Mgmt VPC

192.168.100.0/24
AZ-a AZ-b
Panorama Panorama
- Primary - Standby
(eth0) (eth0)
192.168.100.10 192.168.100.138
Public IP - 32.X.X.66 Public IP - 32.X.X.67
Central-Mgmt-2a Central-Mgmt-2b
192.168.100.0/25 192.168.100.128/25
IGW
Internet
Table 5 Panorama on AWS deployment parameters
Parameter Value Comments

AWS VPC location US West (Oregon) Region where your VM-Series firewalls are deployed
EC2 Instance type m4.2xlarge Setup Prerequisites for the Panorama Virtual Appliance
System name Panorama-a Primary system in Availability Zone a
Panorama-b Optional Secondary system in Availability Zone b

System IP address/subnet 192.168.100.10/Mgmt-2a Primary system in Availability Zone a
192.168.100.138/Mgmt-2b Optional Secondary system in Availability Zone b

Security group Firewall-Mgmt-Central —
2.1 Create a Panorama Instance
Step 1: Sign in to the console at https://console.aws.amazon.com, and then from the list at the top of the page, choose
US West (Oregon) data center.
Step 2: Navigate to the EC2 Compute dashboard at https://console.aws.amazon.com/ec2/, choose INSTANCES >

Instances, and then click Launch Instance.

Step 3: In the Choose AMI workflow, select the AWS Marketplace tab. In the search box, enter Palo Alto Networks,
and then press ENTER.
Step 4: Click Select for the Palo Alto Networks Panorama instance. This selection supports Bring Your Own License.
Step 5: Read the Palo Alto Networks Panorama information message, and then click Continue.
Next, you choose the instance sizing. Table 5 above has URL to the Panorama setup guide, which includes more
information on instance sizing.
Step 6: In the Choose Instance Type window, scroll down and choose the m4.2xlarge instance, and then click NEXT:
Configure Instance Details.
The Instance Details screen configures the networking details for the Panorama instance.
Step 7: In the Number of instances box, enter 1.
Step 8: In the Network list, choose Central Mgmt VPC.
Step 9: In the Subnet list, choose Central Mgmt-2a.
Step 10: In the Auto-assign Public IP list, choose Enable. Later in this process, you will assign an Elastic IP address to
this instance. An Elastic public IP address will not change if the instance is shut down for maintenance.
Step 11: For Enable termination protection, select Protect against accidental termination.

Step 12: Expand Network Interfaces, in the Primary IP box for eth0, enter 192.168.100.10.
Step 13: Click Next: Add Storage, verify that the AMI template for Panorama added 81 GB of storage for this instance,
and then click Next: Add Tags.
Step 14: Click Next: Configure Security Group.
Step 15: In the Assign a security group, select Select an existing security group.
Step 16: Select the Firewall-Mgmt-Central security group, and then click Review and Launch. Ensure that only the
Firewall-Mgmt-Central group is selected.
Step 17: Review all selections, and then click Launch.

The next step asks you to choose an existing key pair or create a new one. If you have an existing key pair you can use
that to create the instance. This procedure shows creating a new key pair.
Step 18: In the Select an existing key pair or create a new pair dialog box, choose Create a new key pair.
Step 19: In the Key pair name box, enter key pair name aws-referencearchitecture-deployment.
Step 20: Click Download Key Pair. This downloads a file with a .pem file extension to your machine. Store this file in a
convenient and safe place. You need this to access your image with SSH.
Caution
Be sure to store the private key file in a safe place. Anyone with the private key file can
access your instances created with it. If you lose the file you will have to create new
instances to get a new private key file.
Step 21: Click Launch instances.
It can take up to 30 minutes for a new Panorama instance to boot entirely.
Step 22: Click View Instances.
Step 23: In the Instances pane, hover your mouse pointer over the Name field. A pencil image appears. Click the
pencil.

Step 24: In the Instance Name box, enter Panorama-a, and then select the checkmark.
Step 25: Repeat steps 2-24 to create the secondary Panorama instance (Panorama-b), using the parameters from
Table 5. In step 18, use the existing key pair that you created or used in that step.
2.2 Create Elastic IP Addresses for Panorama Instances
In the previous procedure, you chose to auto-assign a public IP address to each Panorama instance. The auto-assigned
public IP addresses can change when an instance is shut down or terminated. Elastic IP (EIP) addresses are public IP
addresses in the AWS IP address space that remain assigned to your VPC until you intentionally release them. EIP
addresses are associated to an instance and remain associated to the instance unless you disassociate them or termi-
nate the instance. Assigning an EIP does not require a reboot of the instance.
In this procedure, you create 2 EIP addresses, one for each Panorama instance, and then assign them to the Panorama
instance.
Step 1: Sign in to the console, and then from the list at the top of the page, select US West (Oregon) data center.
Step 2: Navigate to the VPC dashboard at https://console.aws.amazon.com/vpc/, and then in the navigation pane,
choose Elastic IPs.
Step 3: At the top of the pane, click Allocate new address.
Step 4: Click Allocate, and then click Close.
Step 5: Repeat steps 3-4 again to allocate another EIP.
Step 6: In the EIP pane, hover your mouse pointer over the Name field. A pencil image appears. Click the pencil.
Step 7: Enter Panorama-a in the Name box, and then select the checkmark.
Step 8: Repeat steps 6-7 for Panorama-b.
The next steps assign the EIPs to the Panorama instances.
Step 9: Choose the Panorama-a EIP, and then in the Actions dropdown, choose Associate address.
Step 10: For Resource type, choose Instance.

Step 11: In the Instance list, choose Panorama-a.
Step 12: In the Private IP list, choose 192.168.100.10.
Step 13: Click Associate, and then click Close.
Step 14: Choose the Panorama-b EIP, and then in the Actions dropdown, choose Associate address.
Step 15: For Resource type, choose Instance.
Step 16: In the Instance list, choose Panorama-b.
Step 17: In the Private IP list, choose 192.168.100.138.
Step 18: Click Associate, and then click Close.
2.3 Configure Admin Login for Browser Access
The initial login to a Panorama instance with HTTPS requires you to set an admin user password. The initial admin
password setup must be done via SSH to a CLI console on the instance. This procedure sets the admin password and
logs in to the Panorama GUI console via HTTPS.
To connect to your instances, you need to set up your SSH connection to use the key pair created in Procedure 2.1,
Step 18.
Step 1: Navigate to the AWS guide Connect to your Linux Instance and set up your system to access the instance using
SSH. After you are ready for the SSH login information proceed to the next step
Step 2: Navigate to the EC2 Compute dashboard at https://console.aws.amazon.com/ec2/, and then choose
INSTANCES > Instances.

Step 3: Select the Panorama-a instance, and in the lower pane, copy the Public DNS (IPv4) address.
The next step uses the SSH tool that was set up in step 1, the key pair, and the Public DNS IP address string.
Step 4: Use the admin username to open an SSH session to the EIP address for Panorama-a. For example: admin@
ec2-52-52-52-94.us-west-2.compute.amazonaws.com.
Step 5: Your console may show a security alert for the server’s host key not in the cache. Click YES to accept and add
the key.
Step 6: At the CLI prompt, set a strong admin password, and then commit.
admin@PA-VM> configure
admin@PA-VM# set mgt-config users admin password
Enter password :
Confirm password :
admin@PA-VM# commit
Commit job 2 is in progress. Use Ctrl+C to return to command prompt
......100%
Configuration committed successfully
admin@PA-VM#
Step 7: When the commit is complete, use your browser to connect to your Panorama instance using HTTPS to the
public IP address for Panorama-a. Accept the browser certificate warning.
Step 8: Log in to Panorama using admin for the username and the password that you configured above.
Step 9: Log out of the SSH session.
Step 10: Repeat steps 2-9 for the Panorama-b instance.

Deployment Details for Panorama Services and Onboard Firewalls
Deployment Details for

Panorama Services and Onboard Firewalls
Procedures
Updating Panorama System and Activating Services
3.1 License Panorama
3.2 Update Panorama Software to Recommended Version
3.3 Configure Panorama High Availability
3.4 Activate Cortex Data Lake
3.5 Install Cloud Service Plugin
3.6 Configure Cortex Data Lake for Firewall Logging Storage Space
Panorama is now running; however, it is unlicensed and is running in the default configuration. Based on the disk size
provisioned for the Panorama virtual machine, the system is running in management-only mode.
3.1 License Panorama
This procedure assumes that you have a valid serial number for your Panorama devices and that registration on the
customer support portal (https://support.paloaltonetworks.com) is complete.
Step 1: Log in to the primary Panorama server. For example, https://52.52.52.94.
You see a series of dialog boxes and warnings.
Step 2: On the There are no device groups dialog box, click OK.
Step 3: On the Retrieve Panorama License dialog box, click OK.
Step 4: On the Retrieve Panorama License dialog box, click Complete Manually.
Step 5: On the Offline Licensing Information dialog box, click OK.
Step 6: In Panorama > Setup > Management > General Settings, click the Edit cog.
Step 7: In the Hostname box, enter Panorama-a.

Step 8: In the Time Zone list, choose the appropriate time zone (example: US/Pacific).
Step 9: In the Serial Number box, enter the serial number from the customer support portal, and then click OK. When
you license a Panorama system, you use the serial number assigned to your account for that system. The serial number
can be found in the Palo Alto Networks customer support portal.
Step 10: In Panorama > Setup > Services, click the Edit cog.
Step 11: In the Primary DNS Server box, enter 169.254.169.253. This is the DNS address for AWS.
Step 12: In the Secondary DNS Server box, enter 8.8.8.8.
Step 13: On the NTP tab, in the Primary NTP Server section, in the NTP Server Address box, enter 0.pool.ntp.org.

Step 14: In the Secondary NTP Server section, in the NTP Server Address box, enter 1.pool.ntp.org, and then
click OK.
Step 15: On the Commit list, choose Commit to Panorama, and then click Commit.
Step 16: In Panorama > Licenses, click Retrieve license keys from license server.
Step 17: Verify in the status pane that Device Management License is active and has the correct device count.
Step 18: Repeat steps 1-17 on the secondary Panorama server. In step 7, enter the name of the secondary Panorama
server, Panorama-b. You must have a unique serial number for the secondary Panorama system.
3.2 Update Panorama Software to Recommended Version
Perform this procedure on both the primary and secondary Panorama instances. The Panorama PAN-OS version must
be the same major release or newer than the firewalls it is managing.
Step 1: Navigate to Panorama > Software.
Note
If you receive an Operation Failed warning with the message No update information
available, you may click Close to acknowledge. No action is required.
Step 2: Click Check Now.

Step 3: For version 9.0.1, in the Actions column, click Download. When the download is complete, click Close.
Step 4: After the status in the Available column has changed to Downloaded, in the Action column, click Install.
Step 5: When prompted to Reboot Panorama, click Yes.
3.3 Configure Panorama High Availability
Because Panorama supports multiple firewalls, you should configure it for HA operation. This procedure is necessary
only to deploy Panorama in a high availability configuration. Panorama supports an HA configuration in which one peer
is the active-primary and the other is the passive-secondary. If a failure occurs on the primary peer, it automatically fails
over and the secondary peer becomes active.
The Panorama HA peers synchronize the running configuration each time you commit changes on the active Panorama
peer. The candidate configuration is synchronized between the peers each time you save the configuration on the
active peer or just before a failover occurs.
Settings that are common across the pair—such as shared objects and policy rules, device group objects and rules,
template configuration, and administrative access configuration—are synchronized between the Panorama HA peers.
Perform steps 1-6 on the primary Panorama server.
Step 1: In Panorama > High Availability > Setup, click the Edit cog.
Step 2: Select Enable HA.
Step 3: In the Peer HA IP Address box, enter 192.168.100.138, and then click OK.
Step 4: In Panorama > High Availability > Election Settings, click the Edit cog.
Step 5: In the Priority list, choose primary, and then click OK.

Step 6: On the Commit list, choose Commit to Panorama, and then click Commit.
Perform steps 7-12 on the secondary Panorama server.
Step 7: In Panorama > High Availability>Setup, click the Edit cog.
Step 8: Select Enable HA.
Step 9: In the Peer HA IP Address box, enter 192.168.100.10, and then click OK.
Step 10: In Panorama > High Availability > Election Settings, click the Edit cog.
Step 11: In the Priority list, choose secondary, and then click OK.
Step 12: On the Commit menu, click Commit to Panorama.
Step 13: On the primary Panorama server, in Dashboard > Widgets > System, click High Availability to enable the
High Availability dashboard widget. This adds a dashboard pane that displays the status of the Panorama peers.
Step 14: Repeat Step 13 on the secondary Panorama server.
Step 15: On the primary Panorama server, in Dashboard > High Availability, click Sync to peer.

Step 16: Click Yes to accept the Overwrite Peer Configuration warning and proceed with the synchronization.
Figure 8 Primary Panorama HA status
Figure 9 Secondary Panorama HA status
3.4 Activate Cortex Data Lake
Cortex Data Lake requires an authorization code that is used to activate the service. This procedure also assumes that
you have a valid serial number for your Panorama device(s) and that registration on the customer support portal is
complete.
The Cortex Data Lake instance is associated with the serial number of the primary Panorama server. This procedure is
not repeated for the secondary Panorama server.
Step 1: Log in to the Customer Support Portal at https://support.paloaltonetworks.com.
Step 2: Select Assets > Cloud Services.
Step 3: Click Activate Cloud Services Auth-Code.

Step 4: In the Cloud Services window, in the Authorization Code box, enter the authorization code (example:
I11223345), and then press Tab key to advance. The Panorama and Logging Region boxes appear.
Step 5: In the Cloud Services window, in the Panorama list, choose the value that corresponds to the serial number
assigned to your primary Panorama server.
Step 6: In the Cloud Services window, in the Logging Region list, choose the value that corresponds to your region
(example: Americas).
Step 7: Select the checkbox to acknowledge the warning. You will perform this update later, in Procedure 3.6.
Step 8: Accept the EULA by clicking on Agree and Submit.
3.5 Install Cloud Service Plugin
If you are running Panorama in high availability mode, perform this procedure on the primary Panorama server first.
Then repeat this procedure for the secondary Panorama server.
Step 1: In Panorama > Plugins, click Check Now.
Step 2: For cloud _services-1.3.1.h5, in the Actions column, click Download.
Step 3: After the download is completed, click Close.
Step 4: After the status in the Available column changes to a checkmark, in the Action column, click Install.

Step 5: On the dialog box that indicates a successful installation, click OK.
Step 6: In Panorama > Licenses, click Retrieve license keys from server.
Step 7: Verify that you have a Cortex Data Lake license.
Step 8: Open another browser window and navigate to the customer support portal (https://support.paloaltonetworks.
com). Complete step 9 through step 11 in the customer support portal.
Step 9: In Assets > Cloud Services, click Generate OTP.
Step 10: In the Generate Cloud Services One Time Password window, in the Panorama list, choose the serial number
for the primary Panorama server, and then click Generate OTP.

Step 11: In the Generate Cloud Services One Time Password window, click Copy to Clipboard.
Step 12: On the primary Panorama server, navigate to Panorama > Cloud Services > Status, and then click Verify (on
Panorama-b if programming the secondary Panorama).
Step 13: In the One-Time Password box, paste the OTP that was generated from the Customer Support Portal, and
then click OK.

Step 14: In Panorama > Cloud Service > Status, verify the status. It may take a minute for the verification to complete.
Note
The UI still uses the former product name Logging Service instead of the new name
Cortex Data Lake.
Step 15: Click details to verify successful certificate retrieval and active connection to Cortex Data Lake.
Step 16: If Panorama is running in HA mode, repeat this procedure for the secondary Panorama server. In step 10, you
must generate a new OTP, this time for the secondary Panorama server serial number.

3.6 Configure Cortex Data Lake for Firewall Logging Storage Space
In Procedure 3.4, you acknowledged a warning that you must allocate storage space for firewall logs, or they will be
purged from Cortex Data Lake. This procedure provisions storage space for firewall logs.
Step 1: Navigate to the Palo Alto Networks Cloud Services Apps portal, log in, and then click Cortex Data Lake.
Step 2: If you have multiple Cortex Data Lake instances and Panorama systems, select the appropriate instance from
the list.
Step 3: In the navigation pane, click Configuration.
Step 4: In the Firewall Log Type Size box, enter 3 TB, and then click Apply.
This Firewall Log Type size is an example value. You are provisioning a portion of the total storage space for firewall
logs. For storage sizing, see this Knowledge Base Article.

Procedures
Building Firewall Network Configuration Templates and Policies
4.1 Configure Device Groups
4.2 Configure Log Forwarding Object
4.3 Configure Panorama Templates
4.4 Configure Firewall Baseline Settings Template
4.5 Configure Logging Service Template
4.6 Configure Template Stacks
Now that your Panorama system(s) are operational, you build a basic firewall system configuration template and a
Cortex Data Lake template on Panorama. You use device groups and templates to organize configurations that are then
pushed to VM-Series or physical firewalls:
• Hierarchical device groups—Panorama manages common policies and objects through hierarchical device
groups. Multi-level device groups are used to centrally manage the policies across all deployment locations with
common requirements
• Templates/template stacks—Panorama manages common device and network configuration through templates.
You can use templates to manage configuration centrally and then push the changes to all managed firewalls.
This approach avoids your making the same individual firewall change repeatedly across many devices. To make
things easier, you can stack templates and use them as building blocks for device and network configuration.
This guide describes how to configure a single device group in order to illustrate deploying the device group and
adding a firewall to it. After this, you can use the device group to deploy security and NAT policy, as well as other policy
objects. The device group allows you to push a new policy to an entire group of firewalls, reducing deployment time
and increasing consistency.
There are many ways to build templates and stacks. This guide describes the basics of deploying two templates in a
template stack for basic services on your firewall. Subsequently, you would layer network templates on top as you
configure your firewalls.
4.1 Configure Device Groups
This guide uses a single device group for common policy.
Note
If you are deploying an AWS Transit Gateway instead of a single device group, you need
to create three different Device Groups. For more information, refer to the Deployment
Guide for AWS Transit Gateway when completing this procedure and Procedure 4.2.

Step 1: Log in to the primary Panorama server, navigate to Panorama > Device Groups, and then click Add.
Step 2: In the Name box, enter single-group-vmfw.
Step 3: In the Description box, enter a valid description.
Step 4: In the Parent Device Group dropdown, verify that the value is set to Shared, and then click OK.
4.2 Configure Log Forwarding Object
This procedure configures a log forwarding object that directs logging to the logging service you configured earlier. You
use the log forwarding object in your Security Policies to direct log output to the logging service.
Step 1: In Device Groups > Objects, click the Device Group dropdown, and then choose single-group-vmfw.
Step 2: In the navigation pane, click Log Forwarding, and then click Add.
Step 3: In the Name box, enter forward-to-logging-service.
Step 4: Choose Enable enhanced application logging to Logging Service, and then click OK.

4.3 Configure Panorama Templates
You use templates to configure functions that are common across sets of firewalls. In this procedure, you create
shared templates that can be used for all vm-series firewalls in the environment: Baseline-vmfw-settings, and
Logging-service.
Step 1: In Panorama > Templates, click Add.
Step 2: In the Name box enter Baseline-vmfw-settings.
Step 3: In the Description box, enter a valid description, and then click OK.
Step 4: In Panorama > Templates, click Add.
Step 5: In the Name box, enter Logging-service.
Step 6: In the Description box, enter a valid description, and then click OK.
Step 7: On the Commit dropdown, select Commit to Panorama.
You should now see tabs for Device Groups and Templates.
4.4 Configure Firewall Baseline Settings Template
Step 1: On the primary Panorama server, navigate to TEMPLATES > Device.
Step 2: In the Template list, choose Baseline-vmfw-settings.
Step 3: In TEMPLATES > Device > Setup > Management > General Settings, click the Edit cog.
Step 4: Enter the appropriate timezone (US/Pacific), and then click OK.
Step 5: In TEMPLATES > Device > Setup > Services > Global > Services, click the Edit cog.
Step 6: In the Primary DNS Server box, enter 169.254.169.253.
Step 7: In the Secondary DNS Server box, enter 8.8.8.8.

Step 8: On the NTP tab, in the Primary NTP Server box, enter 0.pool.ntp.org.
Step 9: In the Secondary NTP Server box, enter 1.pool.ntp.org, and then click OK.
Step 10: In TEMPLATES > Device > Setup > Interfaces, click Management.
Step 11: In Administrative Management Services, select HTTPS and SSH.
Step 12: In Network Services, select Ping, and then click OK. Ping is optional; however, it is helpful for troubleshoot-
ing an installation.
Step 13: On the Commit menu, select Commit to Panorama. It is not mandatory to commit at this time but doing so
periodically prevents you from losing work if an outage occurs.
4.5 Configure Logging Service Template
This procedure configures a template to enable the Palo Alto Networks cloud-based logging service on the firewalls.
Step 1: In Panorama > Licenses, click Retrieve license keys from license server.
Step 2: Verify that the Logging Service license is active.
Step 3: Navigate to TEMPLATES > Device.
Step 4: In the Template dropdown, select Logging-Service.
Step 5: In TEMPLATES > Device > Setup > Management > Logging Service, click the Edit cog.
Step 6: Select Enable Logging Service, and then select Enable Enhanced Application Logging.

Step 7: In Region list, choose americas, and then click OK.
Step 8: In TEMPLATES > Device > Log Settings > System, click Add. The Log Settings—System configuration window
appears.
Step 9: In the Name box, enter System Logs.
Step 10: Select Panorama/Logging Service, and then click OK.
Step 11: In TEMPLATES > Device > Log Settings > Configuration, click Add. The Log Settings—Configuration window
appears.
Step 12: In the Name box, enter Configuration Logs.
Step 13: Select Panorama/Logging Service, and then click OK.
Step 14: On the Commit dropdown, click Commit to Panorama, and then commit.

4.6 Configure Template Stacks
Next, you configure a template stack. You use template stacks to combine a number of templates into a group. The
template stack can also have settings assigned to it. In this example, you use a template stack to group the common
templates you created.
Step 1: On the primary Panorama server, navigate to Panorama > Templates, and then click Add Stack.
Step 2: In the Name box, enter Sample-stack.
Step 3: In the Description box, enter an appropriate description.
Step 4: In the Templates pane, click Add, and then select Baseline-vmfw-settings.
Step 5: In the Templates pane, click Add, select Logging-service, and then click OK.
Procedures
Managing VM-Series with Panorama Server(s)
5.1 Add Firewall to Panorama Server(s)
5.2 Assign Firewalls to Template Stack
5.3 Assign Firewalls to Device Groups
5.4 Refresh Firewall License to Enable Logging Service
These procedures show you how to onboard a Palo Alto Networks VM-Series (or hardware-based) firewall to the
Panorama server(s), after which you push configuration templates to the firewalls. These procedures assume that you
have a firewall in the environment that is IP reachable by Panorama.
Note
If you are deploying Panorama as preparation for another AWS deployment guide, you
may skip this example onboarding process and move to the appropriate deployment
guide.
5.1 Add Firewall to Panorama Server(s)
Perform this procedure for each new firewall that you add to your environment.
Step 1: Log in to the VM-Series firewall. For example, https://52.52.52.94/.

Step 2: In Dashboard > General Information, record the Serial #.
Step 3: In Device > Setup > Management > Panorama Settings, click the Edit cog.
Step 4: In the Panorama servers section, in the top box, enter the address for the primary Panorama server
192.168.100.10.
Step 5: If you are using Panorama High Availability, in the bottom box, enter the address for the Secondary Panorama
server 192.168.100.138, and then click OK.
Step 6: Click Commit, and then click Commit.
Step 7: Log in to the primary Panorama server (Example: https://52.11.4.94)
Step 8: In Panorama > Managed Devices > Summary, click Add.
Step 9: In the Devices box, enter the serial number from Step 2, and then click OK.

Step 10: On the Commit menu, click Commit to Panorama, and then click Commit.
Step 11: In Panorama > Managed Devices > Summary, verify that the device state of the VM-Series is Connected. It
may take a few minutes for the state to change. If your firewall fails to connect, check that you have a communications
path between the firewall and Panorama and the correct Panorama protocol ports allowed.
5.2 Assign Firewalls to Template Stack
Now you add the firewall to the template stack you built in the previous procedure. This procedure uses the example
VM-Series firewall vmfw-PN-test-1.
Step 1: Log in to the primary Panorama server (Example: https://52.11.4.94).
Step 2: In Panorama > Templates, click the template stack Sample-stack.
Step 3: In the Devices pane, select vmfw-PN-test-1 to assign it to the device list, and then click OK.

5.3 Assign Firewalls to Device Groups
Device groups allow policies and objects defined on Panorama to be pushed to the firewalls in the device group as they
are created.
Note
If you are deploying an AWS Transit Gateway instead of a single device group, you need
to create three different Device Groups. For more information, refer to the Deployment
Guide for AWS Transit Gateway when completing this procedure and Procedure 4.2.
Step 1: In the Panorama > Device Groups, click the device group single-group-vmfw.
Step 2: In the Devices pane, select vmfw-PN-test-1, and then click OK.

Step 3: On the Commit dropdown, choose Commit and Push, and in the Push Scope pane click Edit Selections.
Step 4: On the Devices tab, select single-group-vmfw (to assign it to the device list scope), click OK, and then click
Commit and Push. When you select single-group-vmfw, you in turn selects all firewalls in that device group.
If you open a browser session to the firewall console, the firewall configuration should now reflect the settings pushed
from Panorama. The firewall System logs will also show if Panorama configuration pushes are completed successfully
on the firewall.

5.4 Refresh Firewall License to Enable Logging Service
Step 1: In Panorama > Device Deployment > Licenses, click Refresh. The Refresh License Deployment window
appears.
Step 2: In the Device Name column, select the single-group-vmfw, and then click Refresh.
Step 3: Verify the details include “Successfully installed license ‘Logging Service,’” and then click Close.
Step 4: In the local firewall vmfw-PN-test-1, navigate to Monitor > Logs > System and search the log with
( description contains “Logging service” ). The log should indicate that the “Logging service certificate fetch job
succeeded.”

At this point, you are ready to add new Policies and Objects to your firewalls, using the Device Groups tabs in
Panorama, and configure more Network and Device settings using the Templates tabs. If you are working on the AWS
Transit VPC design, you are now ready to go to the Deployment Guide for AWS Transit VPC and begin the “Deployment
Details for Firewall Policies using Panorama.”

You can use the feedback form to send comments
about this guide.
HEADQUARTERS
Palo Alto Networks Phone: +1 (408) 753-4000
3000 Tannery Way Sales: +1 (866) 320-4788
Santa Clara, CA 95054, USA Fax: +1 (408) 753-4001
http://www.paloaltonetworks.com info@paloaltonetworks.com
© 2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trade-
marks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be
trademarks of their respective companies. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise
revise this publication without notice.
B-000182P-1 08/19

Panorama On Aws Deployment Guide

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Panorama On Aws Deployment Guide

Încărcat de

Drepturi de autor:

Formate disponibile

Deployment Guide for

Purpose of This Guide......................................................................................................................................................... 3

Firewall Log Collection........................................................................................................................................................................................ 6

Panorama Device Administration...................................................................................................................................................................... 9

Panorama Operational Considerations.......................................................................................................................................................... 12

Assumptions and Prerequisites......................................................................................................................................13

Deployment Details for Panorama on AWS Infrastructure......................................................................................14

Deploying a Panorama Server on AWS.......................................................................................................................................................... 21

Deployment Details for Panorama Services and Onboard Firewalls.....................................................................29

Building Firewall Network Configuration Templates and Policies............................................................................................................40

Managing VM-Series with Panorama Server(s)............................................................................................................................................ 45

Palo Alto Networks

Notes provide additional information.

In the IP box, enter 10.5.0.4/24, and then click OK.

Bold text denotes:

# show device-group branch-offices

In the Interface Type list, choose Layer 3.

Navigate to Network > Virtual Routers.

Enter the password admin.

Palo Alto Networks 1

Italic text denotes the introduction of important terminology.

Highlighted text denotes emphasis.

GETTING THE LATEST VERSION OF GUIDES

WHAT'S NEW IN THIS RELEASE

• Updated the content to include PAN-OS® 9.0.1

• Changed Logging Service to Cortex™ Data Lake

• Added notes about Transit Gateway deployment

Comprehensive revision history for this guide

Palo Alto Networks 2

Purpose of This Guide

Palo Alto Networks 3

Palo Alto Networks 4

Palo Alto Networks 5

MANAGING CLOUD DEPLOYMENTS WITH PANORAMA

FIREWALL LOG COLLECTION

Palo Alto Networks 6

On-Premises Panorama with Dedicated Log Collectors in the Cloud

Figure 1 Panorama Log Collector mode in AWS

Panorama Management in AWS with Cortex Data Lake

Palo Alto Networks 7

Figure 2 Panorama management and Cortex Data Lake

Cortex hub VPC Network

Palo Alto Networks 8

Panorama Management and Log Collection in the Cloud

Figure 3 Panorama management and log collection in AWS

Table 1 Panorama Virtual Appliance on AWS

Management only Panorama Log Collector

PANORAMA DEVICE ADMINISTRATION

Palo Alto Networks 9

Figure 4 Panorama template stack and templates

Palo Alto Networks 10

Hierarchical Device Groups

Figure 5 Panorama device groups and policy evaluation

Shared Policies (All Devices)

Parent Device Group

Sub-Child Device Group

Local Rules Evaluation

Panorama Admins Local Admins

Sub-Child Device Group

Shared Policies (All Devices)

Palo Alto Networks 11

PANORAMA OPERATIONAL CONSIDERATIONS

Panorama on AWS Licensing