Add Palo Alto Networks devices

Relevant for: AFA Administrators

This topic describes how AFA connects to Palo Alto Panorama and firewall devices.

Palo Alto network connections

The following image shows how an ASMS Central Manager or Remote Agent connects to Palo Alto Panorama and Palo Alto Next Generation Firewalls (NGFWs).

 

Note: Log data can also be forwarded from M100/M500 collectors.

Panorama device permissions

ASMS requires the following device permissions to connect to Palo Alto Panorama devices:

Palo Alto Networks Firewall device permissions

To connect to Palo Alto firewall devices, ASMS requires one of the following types of users:

  • Superuser (read-only)
  • Device Admin
  • Device Admin (read-only)

If the Palo Alto firewall is a version earlier than 4.1.7, is managed by Panorama, but is defined directly in AFA, ASMS requires one of the following types of users:

  • SuperUser (read/write)
  • Admin (read/write)

Add a Palo Alto Networks Panorama

This procedure describes how to add a Palo Alto Networks Panorama device to AFA.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor and device selection page, select Palo Alto Networks > Panorama.

  3. Complete the fields as needed.

  4. If you enabled ActiveChange, the ActiveChange License Agreement dialog is displayed.

    Select I Agree and click OK.

  5. Click Next to display the Panorama - Step 2/2 page.

    This page lists the devices that are managed by the Panorama, including standalone devices and virtual systems.

    Tip: Clear any devices that you don't want to add to AFA.

  6. Select the remaining options as needed:

    Real-time change monitoring

    Select this option to enable real-time alerting upon configuration changes.

    For details, see Configure real-time monitoring.

    Set user permissions

    Select this option to set user permissions for this device.

  7. Click Finish. The new device is added to the device tree.

    In the device tree, Panoramas are represented with a four tier hierarchy: Panorama, PA firewall, VSYS, and VR/Vwire.

  8. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

A success message appears to confirm that the device is added.

Configure one-armed mode manually

AFA automatically identifies Palo Alto Panorama devices in one-armed mode when the device has a single interface, or a single one non-management interface. If your device has multiple non-management interfaces and one-armed mode is not identified automatically, configure this for your device manually.

Do the following:

  1. On the AFA machine, access your device configuration meta file as follows:

    /home/afa/.fa/firewalls/<device_name>/fwa.meta

    where <device_name> is the name of the device listed. If you device is listed multiple times, enter the longer name.

  2. On a new line, enter:

    is_steering_device=yes

  3. Run an analysis on the device to update the device data in AFA.

Add a Palo Alto Networks firewall

This procedure describes how to add a Palo Alto Networks firewall to AFA.

Note: Palo Alto Networks firewalls defined directly in AFA do not support the advanced routing analysis provided for Palo Alto Networks devices defined at the Panorama level. AFA does not identify individual VR/Vwires and therefore does not benefit from the routing information they provide.

For more details, see Add a Palo Alto Networks Panorama.

Do the following:

  1. Access the Devices Setup page. For details, see Access the DEVICES SETUP page.

  2. In the vendor device selection page, select Palo Alto NetworksFirewall.

  3. Complete the fields as needed.

  4. Click Finish.

    The new device is added to the device tree, with a two tier hierarchy: firewall and VSYS.

  5. If you selected Set user permissions, the Edit users dialog box appears.

    In the list of users displayed, select one or more users to provide access to reports for this account.

    1. To select multiple users, press the CTRL button while selecting.

    1. Click OK to close the dialog.

  6. A success message appears to confirm that the device is added.

 

â See also: