Device > Setup > Management
On a firewall, select Device > Setup > Management to configure management settings.
On Panorama™, select Device > Setup > Management to configure firewalls that you manage with Panorama templates. Select Panorama > Setup > Management to configure settings for Panorama.
The following management settings apply to both the firewall and Panorama, except where otherwise noted.
The following table describes Panorama general settings.
Item Description
General Settings
Hostname Enter a host name (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. If you don’t enter a value, PAN-OS uses the platform model (for example, PA-5050_2) as the default. Optionally, you can configure the firewall to use a hostname that a DHCP server provides. See Accept DHCP server-provided Hostname.
Domain Enter the Fully Qualified Domain Name (FQDN) of the firewall (up to 31 characters). If you don’t enter a value, PAN-OS uses the platform model (for example, PA-5050_2) as the default. Optionally, you can configure the firewall to use a domain that a DHCP server provides. See Accept DHCP server-provided Domain.
Accept DHCP server-provided Hostname ( Firewall only ) ( Applies only when the Management Interface IP Type is DHCP Client. ) Select this option to have the management interface accept the hostname it receives from the DHCP server. The hostname from the server (if valid) overwrites any value specified in the Hostname field.
Accept DHCP server-provided Domain ( Firewall only ) ( Applies only when the Management Interface IP Type is DHCP Client. ) Select this option to have the management interface accept the domain (DNS suffix) it receives from the DHCP server. The domain from the server overwrites any value specified in the Domain field.
Login Banner Enter text (up to 3,200 characters) to display on the web interface login page below the Name and Password fields.
Force Admins to Acknowledge Login Banner Select this option to display and force administrators to select the I Accept and Acknowledge the Statement Below option above the login banner on the login page; administrators must acknowledge the message before they can log in.
SSL/TLS Service Profile Assign an existing SSL/TLS Service profile or create a new one to specify a certificate and the allowed protocols for securing inbound management traffic (see Device > Certificate Management > SSL/TLS Service Profile). The firewall or Panorama uses this certificate to authenticate to administrators who access the web interface through the management (MGT) interface or through any other interface that supports HTTP/HTTPS management traffic (see Network > Network Profiles > Interface Mgmt). If you select None (default), the firewall or Panorama uses a predefined certificate. Don’t use the predefined certificate. For better security, we recommend that you assign an SSL/TLS Service profile associated with a certificate that the client systems of administrators trust. To ensure trust, the certificate must be signed by a certificate authority (CA) certificate that is in the trusted root certificate store of the client systems.
Time Zone Select the time zone of the firewall.
Locale Select a language for PDF reports from the drop-down. See Monitor > PDF Reports > Manage PDF Summary. Even if you have a specific language preference set for the web interface, PDF reports will use the language specified for Locale.
Time Set the date and time on the firewall: Enter the current date (in YYYY/MM/DD format) or select the date from the drop-down. Enter the current time in 24-hour format (HH:MM:SS). You can also define an NTP server from Device > Setup > Services.
Serial Number ( Panorama virtual appliances only ) Enter the serial number for Panorama. Find the serial number in the order fulfillment email that you received from Palo Alto Networks.
Geo Location Enter the latitude (-90.0 to 90.0) and longitude (-180.0 to 180.0) of the firewall.
Automatically acquire commit lock Select this option to automatically apply a commit lock when you change the candidate configuration. For more information, see Lock Configurations.
Certificate Expiration Check Instruct the firewall to create warning messages when on-box certificates near their expiration dates.
Multi Virtual System Capability Enables the use of multiple virtual systems on firewalls that support this feature (see Device > Virtual Systems). To enable multiple virtual systems on a PA-5060 firewall or PA-7000 Series firewall, the firewall policies must reference no more than 640 distinct user groups. If necessary, reduce the number of referenced user groups. Then, after you enable and add multiple virtual systems, the policies can reference another 640 user groups for each additional virtual system.
URL Filtering Database ( Panorama only ) Select a URL Filtering vendor for use with Panorama: brightcloud or paloaltonetworks (PAN-DB).
Use Hypervisor Assigned MAC Addresses ( VM-Series firewalls only ) Select this option to have the VM-Series firewall use the MAC address that the hypervisor assigned, instead of generating a MAC address using the PAN-OS® custom schema. If you enable this option and use an IPv6 address for the interface, the interface ID must not use the EUI-64 format, which derives the IPv6 address from the interface MAC address. In a high availability (HA) active/passive configuration, a commit error occurs if the EUI-64 format is used.
Authentication Settings
Authentication Profile Select the authentication profile (or sequence) that the firewall uses to authenticate administrators who have external accounts (accounts that are not defined on the firewall). Only authentication profiles that have a type set to RADIUS and that reference a RADIUS server profile are available for this setting. When external administrators log in, the firewall requests authentication information (including the administrator role) from the RADIUS server. To enable authentication for external administrators, you must also install the Palo Alto Networks® RADIUS dictionary file on the RADIUS server. This file defines authentication attributes needed for communication between the firewall and the RADIUS server. Refer to the RADIUS server software documentation for instructions on where to install the file. If you select None, the firewall won’t authenticate external administrators; they cannot log in. For details, see Device > Authentication Profile and Device > Server Profiles > RADIUS. If an administrator is local, the firewall uses the authentication profile associated with the administrator account for authentication (see Device > Administrators).
Certificate Profile Select a certificate profile to verify the client certificates of administrators who are configured for certificate-based access to the firewall web interface. For instructions on configuring certificate profiles, see Device > Certificate Management > Certificate Profile.
Idle Timeout Enter the number of minutes that must pass without administrator activity during a firewall web interface or CLI session before the firewall automatically logs out the administrator (range is 0–1,440; default is 60). A value of 0 means that inactivity does not trigger the automatic logout. Both manual and automatic refreshing of web interface pages (such as the Dashboard tab and System Alarms dialog) reset the Idle Timeout counter. To enable the firewall to enforce the timeout when you are on a page that supports automatic refreshing, set the refresh interval to Manual or to a value higher than the Idle Timeout. You can also disable Auto Refresh in the ACC tab.
Failed Attempts Enter the number of failed login attempts (range is 0–10) that the firewall allows for the web interface and CLI before locking out the administrator account. A value of 0 (default) specifies unlimited login attempts. Limiting login attempts can help protect the firewall from brute force attacks. If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the Failed Attempts is ignored and the user is never locked out.
Lockout Time Enter the number of minutes (range is 0–60) for which the firewall locks out an administrator from access to the web interface and CLI after reaching the Failed Attempts limit. A value of 0 (default) means the lockout applies until another administrator manually unlocks the account. If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out.
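The Idle Timeout, Failed Attempts and Lockout Time settings above only protect the management plane when they are set together: an idle timeout of 0 never logs anyone out, and a Failed Attempts value is ignored while Lockout Time stays at 0. The following script is an added example, not PAN-OS code: it audits those three values in a configuration export. The XML fragment is constructed, and the element names under deviceconfig/setting/management are an assumption about the export layout; adjust the paths to match a real export.

```python
"""Audit management authentication settings from a PAN-OS-style config export.

Added example, not product code. Element names under
deviceconfig/setting/management are an ASSUMPTION about the export layout.
"""
import xml.etree.ElementTree as ET

# Constructed sample: Failed Attempts is set, but Lockout Time and Idle Timeout are 0.
SAMPLE_CONFIG = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <setting>
          <management>
            <idle-timeout>0</idle-timeout>
            <admin-lockout>
              <failed-attempts>5</failed-attempts>
              <lockout-time>0</lockout-time>
            </admin-lockout>
          </management>
        </setting>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Constructed sample: the same settings with a timeout and a real lockout window.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "<idle-timeout>0<", "<idle-timeout>10<").replace(
    "<lockout-time>0<", "<lockout-time>30<")

# Allowed ranges from the reference: minutes, attempts, minutes.
RANGES = {"idle-timeout": (0, 1440), "failed-attempts": (0, 10), "lockout-time": (0, 60)}
# Defaults from the reference when the element is absent.
DEFAULTS = {"idle-timeout": 60, "failed-attempts": 0, "lockout-time": 0}


def read_int(root, path, default):
    node = root.find(path)
    if node is None or node.text is None:
        return default
    return int(node.text.strip())


def extract_settings(xml_text):
    """Return the three authentication settings as a dict of ints."""
    root = ET.fromstring(xml_text.strip())
    base = ".//deviceconfig/setting/management"
    return {
        "idle-timeout": read_int(root, base + "/idle-timeout", DEFAULTS["idle-timeout"]),
        "failed-attempts": read_int(root, base + "/admin-lockout/failed-attempts",
                                    DEFAULTS["failed-attempts"]),
        "lockout-time": read_int(root, base + "/admin-lockout/lockout-time",
                                 DEFAULTS["lockout-time"]),
    }


def audit(settings):
    """Return a list of findings; an empty list means the settings work together."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        value = settings[key]
        if not lo <= value <= hi:
            findings.append(f"{key}={value} is outside the allowed range {lo}-{hi}")
    if settings["idle-timeout"] == 0:
        findings.append("idle-timeout=0: inactive web/CLI sessions are never logged out")
    attempts, lockout = settings["failed-attempts"], settings["lockout-time"]
    if attempts == 0:
        findings.append("failed-attempts=0: unlimited login attempts, no brute-force lockout")
    elif lockout == 0:
        findings.append("lockout-time=0 with failed-attempts set: Failed Attempts is ignored "
                        "and the account is never locked out")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(extract_settings(cfg)) or ["ok"])
```

Run it against a saved configuration export; any finding is a management-plane weakness that a commit would silently accept.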
Panorama Settings: Device > Setup > Management Configure the following settings on the firewall or in a template on Panorama. These settings establish a connection from the firewall to Panorama. You must also configure connection and object sharing settings on Panorama. See Panorama Settings: Panorama > Setup > Management. The firewall uses an SSL connection with AES-256 encryption to register with Panorama. Panorama and the firewall authenticate each other using 2,048-bit certificates and use the SSL connection for configuration management and log collection.
Panorama Servers Enter the IP address or FQDN of the Panorama server. If Panorama is in a high availability (HA) configuration, in the second Panorama Servers field, enter the IP address or FQDN of the secondary Panorama server.
Receive Timeout for Connection to Panorama Enter the timeout in seconds for receiving TCP messages from Panorama (range is 1–240; default is 240).
Send Timeout for Connection to Panorama Enter the timeout in seconds for sending TCP messages to Panorama (range is 1–240; default is 240).
Retry Count for SSL Send to Panorama Enter the number of retry attempts allowed when sending Secure Socket Layer (SSL) messages to Panorama (range is 1–64; default is 25).
Disable/Enable Panorama Policy and Objects This option displays when you edit the Panorama Settings on a firewall (not in a template on Panorama). Disable Panorama Policy and Objects to disable the propagation of device group policies and objects to the firewall. By default, this action also removes those policies and objects from the firewall. To keep a local copy of the device group policies and objects on the firewall, in the dialog that opens when you click this option, select Import Panorama Policy and Objects before disabling. After you perform a commit, the policies and objects become part of the firewall configuration and Panorama no longer manages them. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require rules and object values that differ from those defined in the device group. An example is when you move a firewall out of production and into a laboratory environment for testing. To revert firewall policy and object management to Panorama, click Enable Panorama Policy and Objects.
Disable/Enable Device and Network Template This option displays only when you edit the Panorama Settings on a firewall (not in a template on Panorama). Disable Device and Network Template to disable the propagation of template information (device and network configurations) to the firewall. By default, this action also removes the template information from the firewall. To keep a local copy of the template information on the firewall, in the dialog that opens when you select this option, select Import Device and Network Templates before disabling. After you perform a commit, the template information becomes part of the firewall configuration and Panorama no longer manages that information. Under normal operating conditions, disabling Panorama management is unnecessary and could complicate the maintenance and configuration of firewalls. This option generally applies to situations where firewalls require device and network configuration values that differ from those defined in the template. An example is when you move a firewall out of production and into a laboratory environment for testing. To configure the firewall to accept templates again, click Enable Device and Network Templates.
Panorama Settings: Panorama > Setup > Management If you use Panorama to manage firewalls, configure the following settings on Panorama. These settings determine timeouts and SSL message attempts for the connections from Panorama to managed firewalls, as well as object sharing parameters. You must also configure Panorama connection settings on the firewall, or in a template on Panorama. See Panorama Settings: Device > Setup > Management. The firewall uses an SSL connection with AES-256 encryption to register with Panorama. Panorama and the firewall authenticate each other using 2,048-bit certificates and use the SSL connection for configuration management and log collection.
Receive Timeout for Connection to Device Enter the timeout in seconds for receiving TCP messages from all managed firewalls (range is 1–240; default is 240).
Send Timeout for Connection to Device Enter the timeout in seconds for sending TCP messages to all managed firewalls (range is 1–240; default is 240).
Retry Count for SSL Send to Device Enter the number of allowed retry attempts when sending Secure Socket Layer (SSL) messages to managed firewalls (range is 1–64; default is 25).
Share Unused Address and Service Objects with Devices Select this option to share all Panorama shared objects and device-group-specific objects with managed firewalls. This setting is enabled by default. If you clear this option, PAN-OS checks Panorama policies for references to address, address group, service, and service group objects, and does not share any unreferenced objects. This option reduces the total object count by ensuring that PAN-OS sends only necessary objects to managed firewalls.
Objects defined in ancestors will take higher precedence Select this option to specify that when device groups at different levels in the hierarchy have objects of the same type and name but different values, the object values in ancestor groups take precedence over those in descendant groups. This means that when you perform a device group commit, the ancestor values replace any override values. Likewise, this option causes the value of a shared object to override the values of objects of the same type and name in device groups. By default, this system-wide setting is disabled and objects that you override in a descendant group take precedence in that group over objects inherited from ancestor groups. Likewise, disabling this option causes the value of a device group object to override the value of a shared object of the same type and name. Selecting this option displays the Find Overridden Objects link.
Find Overridden Objects Click this link to list any shadowed objects. A shadowed object is an object in the Shared location that has the same name but a different value in a device group. The link displays only if you select Objects defined in ancestors will take higher precedence.
Management Interface Settings This interface applies to the firewall, Panorama M-Series appliance, and Panorama virtual appliance. By default, the M-Series appliance uses the management (MGT) interface for configuration, log collection, and collector group communication. However, if you configure Eth1 or Eth2 for log collection or collector group communication, best practice is to place the MGT interface on a separate subnet that is more private than the Eth1 or Eth2 subnets; specify that subnet with the Netmask (IPv4) or IPv6 Address/Prefix Length (IPv6) field. The Panorama virtual appliance does not support separate interfaces. To complete the configuration of the MGT interface, you must specify the IP address, the netmask (for IPv4) or prefix length (for IPv6), and the default gateway. If you commit a partial configuration (for example, one that omits the default gateway), you can access the firewall or Panorama only through the console port for future configuration changes. We recommend that you always commit a complete configuration. For firewall management, you can optionally use a loopback interface (Network > Interfaces > Loopback) instead of the management interface.
Type ( Firewall only ) Select one:
- Static: Requires you to enter the IP Address (IPv4), Netmask (IPv4), and Default Gateway manually.
- DHCP Client: Configures the MGT interface as a DHCP client so that the firewall can send DHCP Discover or Request messages to find a DHCP server. The server responds by providing an IP address (IPv4), netmask (IPv4), and default gateway for the MGT interface. DHCP on the MGT interface is turned off by default for the VM-Series firewall (except for the VM-Series firewall in AWS and Azure).
If you select DHCP Client, optionally select either or both of the following Client Options:
- Send Hostname: Causes the management interface to send its hostname to the DHCP server as part of DHCP Option 12.
- Send Client ID: Causes the management interface to send its client identifier as part of DHCP Option 61.
If you select DHCP Client, optionally click Show DHCP Client Runtime Info to view the dynamic IP interface status:
- Interface: Indicates the management (MGT) interface.
- IP Address: IP address of the MGT interface.
- Netmask: Subnet mask for the IP address, indicating which bits are network or subnetwork and which are host.
- Gateway: Default gateway for traffic leaving the MGT interface.
- Primary/Secondary NTP: IP address of up to two NTP servers serving the MGT interface. If the DHCP server returns NTP server addresses, the firewall considers them only if you did not manually configure NTP server addresses. If you manually configured NTP server addresses, the firewall does not overwrite them with those from the DHCP server.
- Lease Time: Number of days, hours, minutes, and seconds that the DHCP IP address is assigned.
- Expiry Time: Year/Month/Day, Hours/Minutes/Seconds, and time zone, indicating when the DHCP lease will expire.
- DHCP Server: IP address of the DHCP server responding to the management interface DHCP client.
- Domain: Name of the domain to which the MGT interface belongs.
- DNS Server: IP address of up to two DNS servers serving the MGT interface. If the DHCP server returns DNS server addresses, the firewall considers them only if you did not manually configure DNS server addresses. If you manually configured DNS server addresses, the firewall does not overwrite them with those from the DHCP server.
Optionally, you can Renew the DHCP lease for the IP address assigned to the MGT interface. Otherwise, Close the window.
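The DHCP client behaviour described for the MGT interface (Option 12 hostname and Option 61 client ID sent by the firewall; hostname, domain, DNS and NTP offered by the server, with manually configured DNS/NTP never overwritten and a server hostname accepted only if it is valid under the Hostname rules) is shown below as an added example, not PAN-OS code. The option encoding follows the RFC 2132 TLV layout; the sample offer, addresses and the exact precedence-merging logic are constructed to illustrate the rules on this page, not the product's implementation.

```python
"""Build, parse and merge DHCP options for a management-interface client.

Added example, not product code. Option layout is RFC 2132 TLV; the sample
values are constructed. The merge rules implement the text of this reference.
"""
import ipaddress
import re

# Hostname rule from the reference: <=31 chars; letters, digits, spaces, hyphens, underscores.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")

OPT_DNS, OPT_HOSTNAME, OPT_DOMAIN, OPT_NTP, OPT_CLIENT_ID, OPT_END = 6, 12, 15, 42, 61, 0xFF


def build_client_options(hostname, mac):
    """Options a DHCP client sends: Option 12 (Host Name) and Option 61 (Client ID, type 1 = MAC)."""
    out = bytearray()
    name = hostname.encode()
    out += bytes([OPT_HOSTNAME, len(name)]) + name
    client_id = bytes([1]) + mac
    out += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    out += bytes([OPT_END])
    return bytes(out)


def parse_options(data):
    """Parse TLV options into {code: raw_value}; stops at END (0xff), skips PAD (0x00)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0x00:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ipv4_list(raw):
    """Decode a run of packed IPv4 addresses (Option 6 / Option 42 payloads)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def apply_offer(opts, manual, accept_hostname, accept_domain):
    """Merge server-provided values into the manual settings per the reference."""
    effective = dict(manual)
    if accept_hostname and OPT_HOSTNAME in opts:
        name = opts[OPT_HOSTNAME].decode(errors="replace")
        if HOSTNAME_RE.match(name):          # an invalid server hostname is dropped
            effective["hostname"] = name
    if accept_domain and OPT_DOMAIN in opts:
        effective["domain"] = opts[OPT_DOMAIN].decode(errors="replace")
    for code, key in ((OPT_DNS, "dns"), (OPT_NTP, "ntp")):
        # Server addresses are considered only when none were configured manually.
        if code in opts and not manual.get(key):
            effective[key] = ipv4_list(opts[code])[:2]   # up to two servers
    return effective


def sample_offer():
    """Constructed DHCP OFFER option bytes as a server might send them."""
    o = bytearray()
    o += bytes([OPT_HOSTNAME, 8]) + b"fw-dhcp1"
    o += bytes([OPT_DOMAIN, 11]) + b"example.net"
    o += bytes([OPT_DNS, 8]) + (ipaddress.IPv4Address("192.0.2.53").packed
                                + ipaddress.IPv4Address("192.0.2.54").packed)
    o += bytes([OPT_NTP, 4]) + ipaddress.IPv4Address("192.0.2.123").packed
    o += bytes([OPT_END])
    return bytes(o)


if __name__ == "__main__":
    manual = {"hostname": "PA-5050_2", "domain": "", "dns": ["198.51.100.1"], "ntp": []}
    print(apply_offer(parse_options(sample_offer()), manual, True, True))
```

With the constructed offer, the hostname and domain are taken from the server, the manually configured DNS server survives, and the NTP server is accepted because none was configured by hand.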
IP Address (IPv4) If your network uses IPv4, assign an IPv4 address to the management interface. Alternatively, you can assign the IP address of a loopback interface for firewall management. By default, the IP address you enter is the source address for log forwarding.
Netmask (IPv4) If you assigned an IPv4 address to the management interface, you must also enter a network mask (for example, 255.255.255.0).
Default Gateway If you assigned an IPv4 address to the management interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the management interface).
IPv6 Address/Prefix Length If your network uses IPv6, assign an IPv6 address to the management interface. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).
Default IPv6 Gateway If you assigned an IPv6 address to the management interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the management interface).
Speed Configure a data rate and duplex option for the management interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have the firewall or Panorama determine the interface speed. This setting must match the port settings on the neighboring network equipment.
MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576–1,500; default is 1,500).
Services Select the services you want to enable on the MGT interface:
- Ping: Use to test connectivity with external services. For example, you can ping the MGT interface to verify it can receive PAN-OS software and content updates from the Palo Alto Networks Update Server. In a high availability (HA) deployment, HA peers use ping to exchange heartbeat backup information.
- Telnet: Use to access the firewall CLI. Telnet uses plaintext, which is not as secure as SSH. Therefore, as a best practice, enable SSH instead of Telnet for management traffic on the interface.
- SSH: Use for secure access to the firewall CLI.
- HTTP: Use to access the firewall web interface. HTTP uses plaintext, which is not as secure as HTTPS. Therefore, as a best practice, enable HTTPS instead of HTTP for management traffic on the interface.
- HTTP OCSP: Use to configure the firewall as an Online Certificate Status Protocol (OCSP) responder. For details, see Device > Certificate Management > OCSP Responder.
- HTTPS: Use for secure access to the firewall web interface.
- SNMP: Use to process firewall statistics queries from an SNMP manager. For details, see Enable SNMP Monitoring.
- Response Pages: Use to enable response pages:
  - Captive Portal: The ports used to serve Captive Portal response pages are left open on Layer 3 interfaces (port 6080 for NTLM, 6081 for Captive Portal in transparent mode, and 6082 for Captive Portal in redirect mode). For details, see Device > User Identification > Captive Portal Settings.
  - URL Admin Override: For details, see Device > Setup > Content-ID.
- User-ID: Use to Enable Redistribution of User Mappings Among Firewalls.
- User-ID Syslog Listener-SSL: Use to enable the PAN-OS integrated User-ID™ agent to collect syslog messages over SSL. For details, see Configure Access to Monitored Servers.
- User-ID Syslog Listener-UDP: Use to enable the PAN-OS integrated User-ID agent to collect syslog messages over UDP. For details, see Configure Access to Monitored Servers.
Permitted IP Addresses Enter the list of IP addresses from which firewall management is allowed. When using this option for the Panorama M-Series appliance, add the IP addresses of all managed firewalls so that they can connect and forward logs to Panorama and receive configuration updates.
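The management-interface fields above share a set of commit-time rules: a static IPv4 address needs a netmask and a gateway on the same subnet, an IPv6 address needs a prefix length and an on-subnet gateway, the interface ID must not be EUI-64 when hypervisor-assigned MAC addresses are in use (see Use Hypervisor Assigned MAC Addresses), MTU is 576 to 1,500, and only sources in Permitted IP Addresses may reach management services. The validator below is an added example, not PAN-OS code; it checks those rules with the Python standard library before you commit, and all addresses and settings in it are constructed.

```python
"""Pre-commit checks for management-interface settings.

Added example, not product code. It implements the rules stated in the
reference (gateway on subnet, IPv6 prefix length, no EUI-64 interface ID with
hypervisor-assigned MACs, MTU 576-1500, permitted-IP allowlist). Inputs are
constructed; `cfg` is a plain dict, not a product data structure.
"""
import ipaddress


def is_eui64_iid(addr):
    """True if the low 64 bits carry the ff:fe marker of a MAC-derived (EUI-64) interface ID."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"


def validate_mgmt(cfg):
    """Return a list of problems; an empty list means the settings can be committed safely."""
    problems = []

    if cfg.get("ipv4"):
        try:
            iface = ipaddress.IPv4Interface(f"{cfg['ipv4']}/{cfg.get('netmask', '')}")
        except ValueError as exc:
            problems.append(f"ipv4/netmask invalid: {exc}")
        else:
            gw = cfg.get("gateway")
            if not gw:
                problems.append("ipv4 default gateway missing: after commit, only the console "
                                "port would reach the device")
            elif ipaddress.IPv4Address(gw) not in iface.network:
                problems.append(f"ipv4 gateway {gw} is not on subnet {iface.network}")

    if cfg.get("ipv6"):
        try:
            iface6 = ipaddress.IPv6Interface(cfg["ipv6"])
        except ValueError as exc:
            problems.append(f"ipv6 invalid: {exc}")
        else:
            if "/" not in cfg["ipv6"]:
                problems.append("ipv6 prefix length missing (e.g. 2001:400:f00::1/64)")
            gw6 = cfg.get("gateway6")
            if not gw6:
                problems.append("ipv6 default gateway missing")
            elif ipaddress.IPv6Address(gw6) not in iface6.network:
                problems.append(f"ipv6 gateway {gw6} is not on subnet {iface6.network}")
            if cfg.get("hypervisor_mac") and is_eui64_iid(str(iface6.ip)):
                problems.append("ipv6 interface ID is EUI-64; not allowed with "
                                "hypervisor-assigned MAC addresses (HA commit error)")

    mtu = cfg.get("mtu", 1500)
    if not 576 <= mtu <= 1500:
        problems.append(f"mtu {mtu} is outside 576-1500")
    return problems


def is_permitted(src, permitted):
    """Management allowlist check: src must fall inside one Permitted IP Addresses entry."""
    source = ipaddress.ip_address(src)
    return any(source in ipaddress.ip_network(entry, strict=False) for entry in permitted)


if __name__ == "__main__":
    # Constructed settings: a complete static configuration.
    good = {"ipv4": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "192.0.2.1",
            "ipv6": "2001:400:f00::1/64", "gateway6": "2001:400:f00::ffff", "mtu": 1500}
    # Constructed settings: off-subnet gateway, EUI-64 address on a VM, jumbo MTU.
    bad = {"ipv4": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "198.51.100.1",
           "ipv6": "2001:db8::211:22ff:fe33:4455/64", "gateway6": "2001:db8::1",
           "hypervisor_mac": True, "mtu": 9000}
    for name, cfg in (("good", good), ("bad", bad)):
        print(name, validate_mgmt(cfg) or ["ok"])
    print(is_permitted("10.0.0.5", ["10.0.0.0/24", "192.0.2.10"]))
```

Keep the Permitted IP Addresses list as tight as the allowlist check implies: on an M-Series appliance it must include every managed firewall, but nothing beyond the management hosts and those firewalls.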
Eth1 Interface Settings This interface only applies to the Panorama M-Series appliance. By default, the M-Series appliance uses the management interface for configuration, log collection, and collector group communication. However, if you enable Eth1, you can configure it for log collection or collector group communication when you define managed collectors ( Panorama > Managed Collectors). You cannot commit the Eth1 configuration unless you specify the IP address, the netmask (for IPv4) or prefix length (for IPv6), and the default gateway.
Eth1 Select this option to enable the Eth1 interface.
IP Address (IPv4) If your network uses IPv4, assign an IPv4 address to the Eth1 interface.
Netmask (IPv4) If you assigned an IPv4 address to the interface, you must also enter a network mask (for example, 255.255.255.0).
Default Gateway If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the Eth1 interface).
IPv6 Address/Prefix Length If your network uses IPv6, assign an IPv6 address to the Eth1 interface. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).
Default IPv6 Gateway If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the Eth1 interface).
Speed Configure a data rate and duplex option for the Eth1 interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have Panorama determine the interface speed. This setting must match the port settings on the neighboring network equipment.
MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576–1,500; default is 1,500).
Services Select Ping if you want to enable that service on the Eth1 interface.
Permitted IP Addresses Enter the list of IP addresses from which Eth1 management is allowed.
Eth2 Interface Settings This interface only applies to the Panorama M-Series appliance. By default, the M-Series appliance uses the management interface for configuration, log collection, and collector group communication. However, if you enable Eth2, you can configure it for log collection and/or collector group communication when you define managed collectors ( Panorama > Managed Collectors). You cannot commit the Eth2 configuration unless you specify the IP address, the netmask (for IPv4) or prefix length (for IPv6), and the default gateway.
Eth2 Select this option to enable the Eth2 interface.
IP Address (IPv4) If your network uses IPv4, assign an IPv4 address to the Eth2 interface.
Netmask (IPv4) If you assigned an IPv4 address to the interface, you must also enter a network mask (for example, 255.255.255.0).
Default Gateway If you assigned an IPv4 address to the interface, you must also assign an IPv4 address to the default gateway (the gateway must be on the same subnet as the Eth2 port).
IPv6 Address/Prefix Length If your network uses IPv6, assign an IPv6 address to the Eth2 interface. To indicate the netmask, enter an IPv6 prefix length (for example, 2001:400:f00::1/64).
Default IPv6 Gateway If you assigned an IPv6 address to the interface, you must also assign an IPv6 address to the default gateway (the gateway must be on the same subnet as the Eth2 interface).
Speed Configure a data rate and duplex option for the Eth2 interface. The choices include 10Mbps, 100Mbps, and 1Gbps at full or half duplex. Use the default auto-negotiate setting to have Panorama determine the interface speed. This setting must match the port settings on the neighboring network equipment.
MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576–1,500; default is 1,500).
Services Select Ping if you want to enable that service on the Eth2 interface.
Permitted IP Addresses Enter the list of IP addresses from which Eth2 management is allowed.
Logging and Reporting Settings Use this section to modify:
- Expiration periods and storage quotas for the following logs and reports. The settings are synchronized across high availability pairs:
  - Logs that a firewall generates ( Device > Setup > Management). The settings apply to all the virtual systems on the firewall.
  - Logs that a Panorama management server and its managed collectors generate ( Panorama > Setup > Management). To configure the settings for logs that a managed collector receives from firewalls, see Panorama > Collector Groups.
- Attributes for calculating and exporting user activity reports.
- Predefined reports created on the firewall/Panorama.
Log Storage tab ( Panorama management server and all firewall platforms except PA-7000 Series firewalls ) Panorama displays this tab if you edit the Logging and Reporting Settings on the Panorama > Setup > Management page. If you use a Panorama template to configure the settings for firewalls ( Device > Setup > Management), see Log Card Storage and Management Card Storage tabs. For each log type, specify:
- The Quota allocated on the hard disk for log storage, as a percentage. When you change a Quota value, the associated disk allocation changes automatically. If the total of all the values exceeds 100%, a message appears on the page in red, and an error message appears when you try to save the settings. If this happens, adjust the percentages so the total is within the 100% limit.
- The Max Days, which is the log expiration period (range is 1–2,000). The firewall or Panorama automatically deletes logs that exceed the specified period. By default, no expiration period is set, which means logs never expire.
The firewall or Panorama evaluates logs as it creates them and deletes logs that exceed the expiration period or quota size. Weekly summary logs can age beyond the threshold before the next deletion if they reach the expiration threshold between times when the firewall or Panorama deletes logs. When a log quota reaches the maximum size, new log entries start overwriting the oldest log entries. If you reduce a log quota size, the firewall or Panorama removes the oldest logs when you commit the changes. In a high availability (HA) active/passive configuration, the passive peer does not receive logs and, therefore, does not delete them unless failover occurs and it becomes active.
- Core Files: If your firewall experiences a system process failure, it generates a core file that contains details about the process and why it failed. Core files are stored in the /var/cores partition.
- Restore Defaults: Click to revert to the default values.
Log Card Storage and Management Card Storage tabs ( Panorama template only ) If you use a Panorama template to configure log quotas and expiration periods, configure the settings in one or both of these tabs based on the firewalls assigned to the template. For PA-7000 Series firewalls, logs are stored in the Log Processing Card (LPC) and Switch Management Card (SMC) and log quotas are divided into these two areas. The Log Storage tab has quota settings for data-type traffic stored on the LPC (for example, traffic and threat logs). The Management Card Storage tab has quota settings for management-type traffic stored on the SMC (for example, the Config logs, System logs, and Alarms logs).
Log Export and Reporting tab Specify the following for Log Export and Reporting:
- Number of Versions for Config Audit: Enter the number of configuration versions to save before discarding the oldest ones (default is 100). You can use these saved versions to audit and compare changes in configuration.
- Number of Versions for Config Backups: ( Panorama only ) Enter the number of configuration backups to save before discarding the oldest ones (default is 100).
- Max Rows in CSV Export: Enter the maximum number of rows that will appear in the CSV reports generated when you Export to CSV from the traffic logs view (range is 1–1,048,576; default is 65,535).
- Max Rows in User Activity Report: Enter the maximum number of rows that is supported for the detailed user activity reports (range is 1–1,048,576; default is 5,000).
- Average Browse Time (sec): Configure this variable to adjust how the browse time is calculated in seconds for the Monitor > PDF Reports > User Activity Report (range is 0–300 seconds; default is 60). The calculation ignores sites categorized as web advertisements and content delivery networks. The browse time calculation is based on container pages logged in the URL filtering logs. Container pages are used as the basis for this calculation because many sites load content from external sites that should not be considered. For more information on the container page, see Container Pages. The average browse time setting is the average time that the admin thinks it should take a user to browse a web page. Any request made after the average browse time has elapsed is considered a new browsing activity. The calculation ignores any new web pages that are loaded between the time of the first request (start time) and the average browse time. This behavior was designed to exclude any external sites that are loaded within the web page of interest. For example, if the average browse time setting is 2 minutes and a user opens a web page and views that page for 5 minutes, the browse time for that page will still be 2 minutes. This is done because there is no way to determine how long a user views a given page.
- Page Load Threshold (sec): This option allows you to adjust the assumed time in seconds that it takes for page elements to load on the page (range is 0–60; default is 20). Any request that occurs between the first page load and the page load threshold is assumed to be an element of the page. Any request that occurs outside of the page load threshold is assumed to be the user clicking a link within the page. The page load threshold is also used in the calculations for the Monitor > PDF Reports > User Activity Report.
- Syslog HOSTNAME Format: Select whether to use the FQDN, hostname, or IP address (IPv4 or IPv6) in the syslog message header; this header identifies the firewall/Panorama from which the message originated.
- Stop Traffic when LogDb full: ( Firewall only ) Select this option if you want traffic through the firewall to stop when the log database is full (default is off).
- Report Expiration Period: Set the expiration period in days for reports (range is 1–2,000). By default, no expiration period is set, which means reports never expire. The firewall or Panorama deletes expired reports nightly at 2 a.m. according to its system time.
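The Average Browse Time and Page Load Threshold rules above are easiest to understand when applied to a concrete sequence of URL log entries. The script below is an added example, not PAN-OS code: it is one reading of the documented rules (container pages only, ad and CDN categories skipped, requests within the page load threshold treated as page elements, later requests inside the average browse time absorbed, a new activity opened once the average browse time has elapsed, and each activity credited with exactly the average browse time), not the product's actual algorithm. The log entries, URLs and categories are constructed.

```python
"""Browse-time heuristic derived from the Average Browse Time / Page Load Threshold text.

Added example, not product code: an interpretation of the documented rules,
run over constructed URL filtering log entries.
"""
IGNORED_CATEGORIES = {"web-advertisements", "content-delivery-networks"}

# Constructed URL log: (seconds since first request, url, category, is_container_page)
URL_LOG = [
    (0,   "https://news.example/",         "news",                      True),
    (5,   "https://cdn.example/app.js",    "content-delivery-networks", False),
    (12,  "https://news.example/story/1",  "news",                      True),   # within page load threshold
    (45,  "https://ads.example/pixel",     "web-advertisements",        True),   # ignored category
    (90,  "https://news.example/story/2",  "news",                      True),   # inside avg browse time
    (300, "https://news.example/story/3",  "news",                      True),   # 5 min later: new activity
]


def classify(entries, avg_browse_time=120, page_load_threshold=20):
    """Label each log entry with the role the documented rules assign to it."""
    labels = []
    activity_start = None
    for t, url, category, is_container in sorted(entries):
        if not is_container:
            labels.append((t, "non-container"))
        elif category in IGNORED_CATEGORIES:
            labels.append((t, "ignored-category"))
        elif activity_start is None or t - activity_start >= avg_browse_time:
            # Average browse time has elapsed (or nothing started yet): new browsing activity.
            activity_start = t
            labels.append((t, "new-activity"))
        elif t - activity_start <= page_load_threshold:
            # Still loading the page: treated as an element of that page.
            labels.append((t, "page-element"))
        else:
            # Past the load threshold but inside the browse window: a click within the page.
            labels.append((t, "in-page-click"))
    return labels


def browse_time(entries, avg_browse_time=120, page_load_threshold=20):
    """Total browse time in seconds: each activity is credited with exactly avg_browse_time."""
    activities = sum(1 for _, label in classify(entries, avg_browse_time, page_load_threshold)
                     if label == "new-activity")
    return activities * avg_browse_time


if __name__ == "__main__":
    for t, label in classify(URL_LOG):
        print(f"{t:>4}s  {label}")
    print("total browse time:", browse_time(URL_LOG), "seconds")
    # The page's own example: one page viewed for 5 minutes still counts as 2 minutes.
    print(browse_time([(0, "https://news.example/", "news", True)]), "seconds")
```

With an average browse time of 120 seconds, the constructed log yields two activities (at 0 s and 300 s) and therefore 240 seconds of browse time; a single page viewed for five minutes is credited with 120 seconds, matching the 2-minute example in the text.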
Log Export and Reporting tab (cont.) Enable Log on High DP Load —( Firewall only ) Select this option if you would like a system log entry generated when the packet processing load on the firewall is at 100% CPU utilization. A high CPU load can cause operational degradation because the CPU does not have enough cycles to process all packets. The system log alerts you to this issue (a log entry is generated each minute) and allows you to investigate the probable cause. Disabled by default.
Log Export and Reporting tab ( Panorama only ) Buffered Log Forwarding from Device —Allows the firewall to buffer log entries on its hard disk (local storage) when it loses connectivity to Panorama. When the connection to Panorama is restored, the log entries are forwarded to Panorama; the disk space available for buffering depends on the log storage quota for the platform and the volume of logs that are pending roll over. If the available space is consumed, the oldest entries are deleted to allow logging of new events. Enabled by default. Get Only New Logs on Convert to Primary —This option is only applicable when Panorama writes logs to a Network File Share (NFS). With NFS logging, only the primary Panorama is mounted to the NFS. Therefore, the firewalls send logs to the active primary Panorama only. This option allows an administrator to configure the managed firewalls to only send newly generated logs to Panorama when an HA failover occurs and the secondary Panorama resumes logging to the NFS (after it is promoted as primary). This behavior is typically enabled to prevent the firewalls from sending a large volume of buffered logs when connectivity to Panorama is restored after a significant period of time. Only Active Primary Logs to Local Disk —Allows you to configure only the active primary Panorama to save logs to the local disk. This option is valid for a Panorama virtual machine with a virtual disk and to the M-Series appliance in Panorama mode.
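The Average Browse Time and Page Load Threshold rules described above, worked through as a small model. This is an added illustration, not PAN-OS code: the page states the rules but not the report engine's exact logic, so the grouping rules in browse_activities, the crediting of one average browse time per activity, and the SAMPLE_LOG entries are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Categories the table says the browse-time calculation ignores.
IGNORED_CATEGORIES = {"web-advertisements", "content-delivery-networks"}


@dataclass
class UrlLogEntry:
    """One container-page entry from the URL Filtering log (constructed, not real data)."""
    time: int      # seconds since the start of the reporting window
    url: str
    category: str


def browse_activities(entries: List[UrlLogEntry],
                      avg_browse_time: int = 60,
                      page_load_threshold: int = 20) -> List[Dict]:
    """Group container-page requests into browsing activities.

    Simplified model of the rules stated in the table (an assumption, not the
    PAN-OS implementation):
      * ad and CDN entries are dropped before anything else;
      * the first remaining request opens an activity (its time is the start time);
      * requests within page_load_threshold seconds of the start are page elements;
      * later requests before avg_browse_time has elapsed are clicks inside the
        same page and do not open a new activity;
      * the first request after avg_browse_time has elapsed opens a new activity.
    """
    relevant = sorted((e for e in entries if e.category not in IGNORED_CATEGORIES),
                      key=lambda e: e.time)
    activities: List[Dict] = []
    current = None
    for entry in relevant:
        elapsed = None if current is None else entry.time - current["start"]
        if current is None or elapsed >= avg_browse_time:
            current = {"start": entry.time, "url": entry.url, "elements": 0, "clicks": 0}
            activities.append(current)
        elif elapsed <= page_load_threshold:
            current["elements"] += 1
        else:
            current["clicks"] += 1
    return activities


def total_browse_time(entries: List[UrlLogEntry],
                      avg_browse_time: int = 60,
                      page_load_threshold: int = 20) -> int:
    """Credit each activity with avg_browse_time seconds, which is why a page viewed
    for 5 minutes still counts as 2 minutes when the setting is 120 seconds."""
    return len(browse_activities(entries, avg_browse_time, page_load_threshold)) * avg_browse_time


# Constructed sample log, not output from a firewall.
SAMPLE_LOG = [
    UrlLogEntry(0,   "https://news.example/story/1",  "news"),
    UrlLogEntry(3,   "https://ads.example/banner",     "web-advertisements"),
    UrlLogEntry(8,   "https://cdn.example/app.js",     "content-delivery-networks"),
    UrlLogEntry(12,  "https://news.example/img/hero",  "news"),
    UrlLogEntry(45,  "https://news.example/story/2",   "news"),
    UrlLogEntry(300, "https://shop.example/cart",      "shopping"),
    UrlLogEntry(330, "https://shop.example/checkout",  "shopping"),
]

if __name__ == "__main__":
    for setting in (60, 120):
        acts = browse_activities(SAMPLE_LOG, avg_browse_time=setting)
        print(f"avg_browse_time={setting}s: {len(acts)} activities, "
              f"{total_browse_time(SAMPLE_LOG, avg_browse_time=setting)}s browse time")
```

With the sample log, the request at 12 seconds falls inside the default 20-second page load threshold and counts as a page element, the one at 45 seconds counts as a click within the same page, and the request at 300 seconds opens a second activity whichever of the two average browse time settings is used; only the credited total changes (120 versus 240 seconds).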
Pre-Defined Reports Pre-defined reports for application, traffic, threat, and URL Filtering are available on the firewall and on Panorama. By default, these pre-defined reports are enabled. Because the firewalls consume memory resources in generating the results hourly (and forwarding them to Panorama, where they are aggregated and compiled for viewing), you can reduce memory usage by disabling the reports that are not relevant to you; to disable a report, clear this option for the report. Click Select All or Deselect All to enable or disable the generation of all pre-defined reports at once. Before disabling a report, make sure no Group Report or PDF Report uses it. If you disable a pre-defined report assigned to a set of reports, the entire set of reports will have no data.
Banners and Messages To view all messages in a Message of the Day dialog, see Message of the Day. After you configure the Message of the Day and click OK, administrators who subsequently log in and active administrators who refresh their browsers will see the new or updated message immediately; a commit isn’t necessary. This enables you to warn other administrators of an impending commit before you perform that commit.
Message of the Day (check box) Select this option to enable the Message of the Day dialog to display upon login to the web interface.
Message of the Day (text-entry field) Enter the text (up to 3,200 characters) for the Message of the Day dialog.
Allow Do Not Display Again Select this option to include a Do not show again option in the Message of the Day dialog (disabled by default). This gives administrators the option to avoid seeing the message in subsequent logins. If you modify the Message of the Day text, the message displays even to administrators who selected Do not show again. Administrators must reselect this option to avoid seeing the message in subsequent sessions.
Title Enter text for the Message of the Day header (default is Message of the Day ).
Background Color Select a background color for the Message of the Day dialog. The default ( None) is a light gray background.
Icon Select a predefined icon to appear above the text in the Message of the Day dialog: None (default), Error, Help, Information, or Warning.
Header Banner Enter the text that the header banner displays (up to 3,200 characters).
Header Color Select a color for the header background. The default ( None) is a transparent background.
Header Text Color Select a color for the header text. The default ( None) is black.
Same banner for header and footer Select this option (enabled by default) if you want the footer banner to have the same text and colors as the header banner. When enabled, the fields for the footer banner text and colors are grayed out.
Footer Banner Enter the text that the footer banner displays (up to 3,200 characters).
Footer Color Select a color for the footer background. The default ( None) is a transparent background.
Footer Text Color Select a color for the footer text. The default ( None) is black.
Minimum Password Complexity
Enabled Enable minimum password requirements for local accounts. With this feature, you can ensure that local administrator accounts on the firewall adhere to a defined set of password requirements. You can also create a password profile with a subset of these options that overrides these settings and can be applied to specific accounts. For more information, see Device > Password Profiles, and see Username and Password Requirements for information on valid characters that can be used for accounts. The maximum password length is 31 characters. Avoid setting requirements that PAN-OS does not accept. For example, do not set a requirement of 10 uppercase letters, 10 lowercase letters, 10 numbers, and 10 special characters, because that would exceed the maximum length of 31. If you have High Availability (HA) configured, always use the primary peer when configuring password complexity options and commit soon after making changes. Minimum password complexity settings do not apply to local database accounts for which you specified a Password Hash (see Device > Local User Database > Users).
Minimum Length Require a minimum password length (range is 1–15 characters).
Minimum Uppercase Letters Require a minimum number of uppercase letters (range is 0–15).
Minimum Lowercase Letters Require a minimum number of lowercase letters (range is 0–15).
Minimum Numeric Letters Require a minimum number of numeric characters (digits) (range is 0–15).
Minimum Special Characters Require a minimum number of special (non-alphanumeric) characters (range is 0–15).
Block Repeated Characters Specify the number of sequential duplicate characters permitted in a password (range is 2–15). If you set the value to 2, the password can contain the same character in sequence twice, but if the same character is used three or more times in sequence, the password is not permitted. For example, if the value is set to 2, the system will accept the password test11 or 11test11, but not test111, because the number 1 appears three times in sequence.
Block Username Inclusion (including reversed) Select this option to prevent the account username (or reversed version of the name) from being used in the password.
New Password Differs By Characters When administrators change their passwords, the new password must differ from the previous one by the specified number of characters.
Require Password Change on First Login Select this option to prompt the administrators to change their passwords the first time they log in to the firewall.
Prevent Password Reuse Limit Require that a previous password is not reused, based on the specified count (range is 0–50). For example, if the value is set to 4, you cannot reuse any of your last 4 passwords.
Block Password Change Period (days) Users cannot change their passwords until the specified number of days has elapsed (range is 0–365 days).
Required Password Change Period (days) Require that administrators change their password on a regular basis, specified by the number of days set (range is 0–365 days). For example, if the value is set to 90, administrators are prompted to change their password every 90 days. You can also set an expiration warning (0–30 days) and specify a grace period.
Expiration Warning Period (days) If a required password change period is set, this setting prompts the user to change their password at each login as the forced password change date approaches (range is 0–30 days).
Allowed expired admin login (count) Allow the administrator to log in the specified number of times after the account has expired (range is 0–3 logins). For example, if the value is set to 3 and the account has expired, the administrator can log in 3 more times before the account is locked out.
Post Expiration Grace Period (days) Allow the administrator to log in the specified number of days after the account has expired (range is 0–30 days).
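The Minimum Password Complexity rules above, expressed as a policy checker so that the interaction of the settings (including the 31-character ceiling and the test11 / 11test11 / test111 example for Block Repeated Characters) can be tried on candidate passwords. This is an added example, not PAN-OS code or the firewall's own validation routine: the PasswordPolicy fields and check_password function are constructed here, the position-wise reading of "differs by characters" and the case-insensitive username match are assumptions, and the history argument uses plaintext only to keep the example self-contained where a real system would compare hashes.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAX_PASSWORD_LENGTH = 31  # upper bound stated in the table


@dataclass
class PasswordPolicy:
    """Mirrors the Minimum Password Complexity settings in the table above."""
    minimum_length: int = 8                          # 1-15
    minimum_uppercase: int = 0                       # 0-15
    minimum_lowercase: int = 0                       # 0-15
    minimum_numeric: int = 0                         # 0-15
    minimum_special: int = 0                         # 0-15, non-alphanumeric
    block_repeated_characters: Optional[int] = None  # 2-15; None disables the check
    block_username_inclusion: bool = False
    new_password_differs_by: int = 0
    prevent_password_reuse_limit: int = 0            # 0-50 previous passwords


def policy_is_satisfiable(policy: PasswordPolicy) -> bool:
    """Reject combinations that no 31-character password can meet (the
    10 uppercase / 10 lowercase / 10 numeric / 10 special case from the table)."""
    required = (policy.minimum_uppercase + policy.minimum_lowercase
                + policy.minimum_numeric + policy.minimum_special)
    return policy.minimum_length <= MAX_PASSWORD_LENGTH and required <= MAX_PASSWORD_LENGTH


def longest_run(text: str) -> int:
    """Length of the longest run of one character repeated in sequence."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def differing_characters(new: str, old: str) -> int:
    """Count positions where the two passwords differ; extra length counts as
    differing. This position-wise reading of 'differs by characters' is an
    assumption, not a statement of how PAN-OS compares passwords."""
    changed = sum(1 for a, b in zip(new, old) if a != b)
    return changed + abs(len(new) - len(old))


def check_password(policy: PasswordPolicy, password: str, username: str = "",
                   history: Sequence[str] = ()) -> List[str]:
    """Return the list of rules the password violates (empty means acceptable).

    history lists the account's previous passwords, most recent first. A real
    system stores and compares hashes; plaintext is used here only so the
    example is self-contained.
    """
    problems: List[str] = []
    if len(password) > MAX_PASSWORD_LENGTH:
        problems.append(f"longer than {MAX_PASSWORD_LENGTH} characters")
    if len(password) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")

    counts = {
        "uppercase": sum(ch.isupper() for ch in password),
        "lowercase": sum(ch.islower() for ch in password),
        "numeric": sum(ch.isdigit() for ch in password),
        "special": sum(not ch.isalnum() for ch in password),
    }
    for name, minimum in (("uppercase", policy.minimum_uppercase),
                          ("lowercase", policy.minimum_lowercase),
                          ("numeric", policy.minimum_numeric),
                          ("special", policy.minimum_special)):
        if counts[name] < minimum:
            problems.append(f"fewer than {minimum} {name} characters")

    limit = policy.block_repeated_characters
    if limit is not None and longest_run(password) > limit:
        problems.append(f"a character repeats more than {limit} times in sequence")

    if policy.block_username_inclusion and username:
        # Case-insensitive match is an assumption made here for a stricter check.
        lowered, name = password.lower(), username.lower()
        if name in lowered or name[::-1] in lowered:
            problems.append("contains the username or its reverse")

    if history:
        recent = list(history[:policy.prevent_password_reuse_limit])
        if password in recent:
            problems.append(f"matches one of the last {policy.prevent_password_reuse_limit} passwords")
        if differing_characters(password, history[0]) < policy.new_password_differs_by:
            problems.append(f"differs from the previous password by fewer than "
                            f"{policy.new_password_differs_by} characters")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(minimum_length=1, block_repeated_characters=2)
    for candidate in ("test11", "11test11", "test111"):
        print(candidate, "->", check_password(policy, candidate) or "accepted")
```

Running the block reproduces the table's example: with Block Repeated Characters set to 2, test11 and 11test11 are accepted and test111 is rejected because the digit 1 appears three times in sequence. policy_is_satisfiable is the check worth running before committing a policy, since the table warns that PAN-OS will not accept requirements that cannot fit in 31 characters.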
AutoFocus
Enabled Enable the firewall to connect to an AutoFocus portal to retrieve threat intelligence data and to enable integrated searches between the firewall and AutoFocus. When connected to AutoFocus, the firewall displays AutoFocus data associated with Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries ( Monitor > Logs). You can click on an artifact in these types of log entries (such as an IP address or a URL) to display a summary of the AutoFocus findings and statistics for that artifact. You can then open an expanded AutoFocus search for the artifact directly from the firewall. Check that your AutoFocus license is active on the firewall ( Device > Licenses). If the AutoFocus license is not displayed, use one of the License Management options to activate the license.
AutoFocus URL Enter the AutoFocus URL: https://autofocus.paloaltonetworks.com:10443
Query Timeout (sec) Set the duration of time for the firewall to attempt to query AutoFocus for threat intelligence data. If the AutoFocus portal does not respond before the end of the specified period, the firewall will close the connection.