Use Case: Configure Firewalls Using Panorama
Let’s say that you want to use Panorama in a high availability configuration to manage a dozen firewalls on your network: you have six firewalls deployed across six branch offices, a pair of firewalls in a high availability configuration at each of two data centers, and a firewall in each of the two regional head offices.
The first step in creating your central management strategy is to determine how to group the firewalls into device groups and templates to efficiently push configurations from Panorama. You can base the grouping on the business functions, geographic locations, or administrative domains of the firewalls. In this example, you create two device groups and three templates to administer the firewalls using Panorama:
Device Groups in this Use Case
In Use Case: Configure Firewalls Using Panorama, we need to define two device groups based on the functions the firewalls will perform:
DG_BranchAndRegional for grouping firewalls that serve as the security gateways at the branch offices and at the regional head offices. We placed the branch office firewalls and the regional office firewalls in the same device group because firewalls with similar functions will require similar policy rulebases.
DG_DataCenter for grouping the firewalls that secure the servers at the data centers.
We can then administer shared policy rules across both device groups as well as distinct device group rules for the regional office and branch office groups. For added flexibility, the local administrator at a regional or branch office can create local rules that match specific source, destination, and service flows for the applications and services that office requires. In this example, we create the following hierarchy for security rules; you can use a similar approach for any of the other rulebases.
Templates in this Use Case
When grouping firewalls for templates, we must take into account the differences in the networking configuration. For example, if the interface configuration is not the same (the interfaces differ in type, the interfaces used differ in numbering scheme and link capacity, or the zone-to-interface mappings differ), the firewalls must be in separate templates. Further, because the firewalls are spread geographically, the way they access network resources might differ; for example, the DNS server, syslog servers, and gateways they use might be different. So, to allow for an optimal base configuration, in Use Case: Configure Firewalls Using Panorama we must place the firewalls in separate templates as follows:
T_Branch for the branch office firewalls
T_Regional for the regional office firewalls
T_DataCenter for the data center firewalls
If you plan to deploy your firewalls in an active/active HA configuration, assign each firewall in the HA pair to a separate template. Doing so gives you the flexibility to set up separate networking configurations for each peer. For example, you can manage the networking configurations in a separate template for each peer so that each can connect to different northbound and southbound routers, and can have different OSPF or BGP peering configurations.
Set Up Your Centralized Configuration and Policies
In Use Case: Configure Firewalls Using Panorama, we would need to perform the following tasks to centrally deploy and administer firewalls:
Add the Managed Firewalls and Deploy Updates
The first task in Use Case: Configure Firewalls Using Panorama is to add the firewalls as managed devices and deploy content updates and PAN-OS software updates to those firewalls.
For each firewall that Panorama will manage, Add a Firewall as a Managed Device. In this example, add 12 firewalls.
Deploy the content updates to the firewalls. If you purchased a Threat Prevention subscription, the content and antivirus databases are available to you. First install the Applications or Applications and Threats database, then the Antivirus database. To review the status or progress of all tasks performed on Panorama, see Use the Panorama Task Manager.
  Select Panorama > Device Deployment > Dynamic Updates.
  Click Check Now to check for the latest updates. If the value in the Action column is Download, an update is available.
  Click Download. When the download completes, the value in the Action column changes to Install.
  In the Action column, click Install.
  Use the filters or user-defined tags to select the managed firewalls on which you want to install this update.
  Click OK, then monitor the status, progress, and result of the content update for each firewall. The Result column displays the success or failure of the installation.
Deploy the software updates to the firewalls.
  Select Panorama > Device Deployment > Software.
  Click Check Now to check for the latest updates. If the value in the Action column is Download, an update is available.
  Locate the version that you need for each hardware model and click Download. When the download completes, the value in the Action column changes to Install.
  In the Action column, click the Install link.
  Use the filters or user-defined tags to select the managed firewalls on which to install this version.
  Enable the check box for Reboot device after install or Upload only to device (do not install) and click OK. The Results column displays the success or failure of the installation.
Use Templates to Administer a Base Configuration
The second task in Use Case: Configure Firewalls Using Panorama is to create the templates you will need to push the base configuration to the firewalls.
For each template you will use, Add a Template and assign the appropriate firewalls to each. In this example, create templates named T_Branch, T_Regional, and T_DataCenter.
Define a DNS server, NTP server, syslog server, and login banner. Repeat this step for each template.
  In the Device tab, select the Template from the drop-down.
  Define the DNS and NTP servers: select Device > Setup > Services > Global and edit the Services. In the Services tab, enter an IP address for the Primary DNS Server. For any firewall that has more than one virtual system (vsys), add a DNS server profile to the template for each vsys (Device > Server Profiles > DNS). In the NTP tab, enter an IP address for the Primary NTP Server. Click OK to save your changes.
  Add a login banner: select Device > Setup > Management, edit the General Settings, enter text for the Login Banner, and click OK.
  Configure a Syslog server profile (Device > Server Profiles > Syslog).
Enable HTTPS, SSH, and SNMP access to the management interface of the managed firewalls. Repeat this step for each template.
  In the Device tab, select the Template from the drop-down.
  Select Setup > Management and edit the Management Interface Settings.
  Under Services, select the HTTPS, SSH, and SNMP check boxes, and click OK.
Create a Zone Protection profile for the firewalls in the data center template (T_DataCenter).
  Select the Network tab and, in the Template drop-down, select T_DataCenter.
  Select Network Profiles > Zone Protection and click Add.
  For this example, enable protection against a SYN flood: in the Flood Protection tab, select the SYN check box, set the Action to SYN Cookies, set the Alert packets/second to 100, set the Activate packets/second to 1000, and set the Maximum packets/second to 10000.
  For this example, enable reconnaissance alerts: in the Reconnaissance Protection tab, select the Enable check boxes for TCP Port Scan, Host Sweep, and UDP Port Scan. Ensure the Action values are set to alert (the default value).
  Click OK to save the Zone Protection profile.
Configure the interface and zone settings in the data center template (T_DataCenter), and then attach the Zone Protection profile you just created. Before performing this step, you must have configured the interfaces locally on the firewalls. As a minimum, for each interface, you must have defined the interface type, assigned it to a virtual router (if needed), and attached a security zone.
  Select the Network tab and, in the Template drop-down, select T_DataCenter.
  Select Network > Interface and, in the Interface column, click the interface name.
  Select the Interface Type from the drop-down.
  In the Virtual Router drop-down, click New Virtual Router. When defining the router, ensure the Name matches what is defined on the firewall.
  In the Security Zone drop-down, click New Zone. When defining the zone, ensure that the Name matches what is defined on the firewall.
  Click OK to save your changes to the interface.
  Select Network > Zones and select the zone you just created. Verify that the correct interface is attached to the zone.
  In the Zone Protection Profile drop-down, select the profile you created, and click OK.
Commit your template changes.
  Click Commit, for the Commit Type select Panorama, and click Commit again.
  Click Commit, for the Commit Type select Template, select the firewalls assigned to the templates in which you made changes, and click Commit again.
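The three SYN flood thresholds in the T_DataCenter Zone Protection profile act as escalating stages. The following Python script is an added example, not code from this page or from Palo Alto Networks: it models how a one-second SYN rate maps to those stages, assuming that a threshold is triggered only when the rate strictly exceeds it and that the packets above the Maximum rate are the ones dropped. The SYN arrival timeline it evaluates is constructed.

```python
from collections import Counter

# Thresholds from the T_DataCenter Zone Protection profile in the use case.
SYN_ALERT_PPS = 100      # raise an alert above this rate
SYN_ACTIVATE_PPS = 1000  # activate SYN cookies above this rate
SYN_MAX_PPS = 10000      # drop SYN packets above this rate


def syn_flood_state(syn_per_second):
    """Map a one-second SYN rate to the profile stage it triggers.

    Assumption of this example: a threshold is triggered when the rate is
    strictly greater than it, so a rate of exactly 100 is still 'normal'.
    """
    if syn_per_second > SYN_MAX_PPS:
        return "drop"
    if syn_per_second > SYN_ACTIVATE_PPS:
        return "syn-cookies"
    if syn_per_second > SYN_ALERT_PPS:
        return "alert"
    return "normal"


def syn_dropped(syn_per_second):
    """SYN packets in this second beyond the Maximum rate (modelled as dropped)."""
    return max(0, syn_per_second - SYN_MAX_PPS)


def per_second_rates(timestamps):
    """Bucket SYN arrival timestamps (seconds as floats) into per-second counts,
    including quiet seconds in which nothing arrived."""
    if not timestamps:
        return []
    counts = Counter(int(t) for t in timestamps)
    return [counts.get(sec, 0) for sec in range(max(counts) + 1)]


def evaluate_profile(timestamps):
    """Return (second, rate, stage, dropped) for every second of the timeline."""
    return [(sec, rate, syn_flood_state(rate), syn_dropped(rate))
            for sec, rate in enumerate(per_second_rates(timestamps))]


def constructed_timeline():
    """Constructed SYN arrivals: normal traffic ramping into a flood, then
    a quiet second, then a second sitting exactly on the alert threshold."""
    plan = {0: 50, 1: 500, 2: 5000, 3: 20000, 4: 0, 5: 100}
    timestamps = []
    for sec, count in plan.items():
        timestamps.extend(sec + i / max(count, 1) for i in range(count))
    return timestamps


if __name__ == "__main__":
    for sec, rate, stage, dropped in evaluate_profile(constructed_timeline()):
        print(f"t={sec}s  syn/s={rate:<6} stage={stage:<11} dropped={dropped}")
```

Running the script walks the timeline through normal, alert, SYN cookies and drop, and shows that the second at exactly 100 SYN/s stays below the alert stage under the strict-comparison assumption; if you tune the thresholds for a real data center zone, measure the zone's legitimate peak SYN rate first so the Alert value sits above it.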
Use Device Groups to Push Policy Rules
The third task in Use Case: Configure Firewalls Using Panorama is to create the device groups to manage policy rules on the firewalls.
Create device groups and assign the appropriate firewalls to each device group: see Add a Device Group. In this example, create device groups named DG_BranchAndRegional and DG_DataCenter. When configuring the DG_BranchAndRegional device group, you must assign a Master firewall. This is the only firewall in the device group that gathers user and group mapping information for policy evaluation.
Create a shared pre-rule to allow DNS and SNMP services.
  Create a shared application group for the DNS and SNMP services: select Objects > Application Group and click Add. Enter a Name and select the Shared check box to create a shared application group object. Click Add, type DNS, and select dns from the list. Repeat for SNMP and select snmp and snmp-trap. Click OK to create the application group.
  Create the shared rule: select the Policies tab and, in the Device Group drop-down, select Shared. Select the Security > Pre-Rules rulebase. Click Add and enter a Name for the security rule. In the Source and Destination tabs for the rule, click Add and enter a Source Zone and a Destination Zone for the traffic. In the Applications tab, click Add, type the name of the application group object you just created, and select it from the drop-down. In the Actions tab, set the Action to Allow, and click OK.
Define the corporate acceptable use policy for all offices. In this example, create a shared rule that restricts access to some URL categories and denies access to peer-to-peer traffic that is of risk level 3, 4, or 5.
  Select the Policies tab and, in the Device Group drop-down, select Shared.
  Select Security > Pre-Rules and click Add.
  In the General tab, enter a Name for the security rule.
  In the Source and Destination tabs, click Add and select any for the traffic Source Zone and Destination Zone.
  In the Application tab, define the application filter: click Add and click New Application Filter in the footer of the drop-down. Enter a Name and select the Shared check box. In the Risk column, select levels 3, 4, and 5. In the Technology column, select peer-to-peer. Click OK to save the new filter.
  In the Service/URL Category tab, URL Category section, click Add and select the categories you want to block (for example, streaming-media, dating, and online-personal-storage). You can also attach the default URL Filtering profile: in the Actions tab, Profile Setting section, select the Profile Type option Profiles, and select the URL Filtering option default.
  Click OK to save the security pre-rule.
Allow Facebook for all users in the Marketing group in the regional offices only. Enabling a security rule based on user and group has the following prerequisite tasks: set up User-ID on the firewalls, enable User-ID for each zone that contains the users you want to identify, and define a master firewall for the DG_BranchAndRegional device group (Step 1).
  Select the Policies tab and, in the Device Group drop-down, select DG_BranchAndRegional.
  Select the Security > Pre-Rules rulebase.
  Click Add and enter a Name for the security rule.
  In the Source tab, Add the Source Zone that contains the Marketing group users.
  In the Destination tab, Add the Destination Zone.
  In the User tab, Add the Marketing user group to the Source User list.
  In the Application tab, click Add, type Facebook, and then select it from the drop-down.
  In the Action tab, set the Action to Allow.
  In the Target tab, select the regional office firewalls and click OK.
Allow access to the Amazon cloud application for the specified hosts/servers in the data center.
  Create an address object for the servers/hosts in the data center that need access to the Amazon cloud application: select Objects > Addresses and, in the Device Group drop-down, select DG_DataCenter. Click Add and enter a Name for the address object. Select the Type, and specify an IP address and netmask (IP Netmask), a range of IP addresses (IP Range), or an FQDN. Click OK to save the object.
  Create a security rule that allows access to the Amazon cloud application: select Policies > Security > Pre-Rules and, in the Device Group drop-down, select DG_DataCenter. Click Add and enter a Name for the security rule. Select the Source tab, Add the Source Zone for the data center, and Add the address object (Source Address) you just defined. Select the Destination tab and Add the Destination Zone. Select the Application tab, click Add, type amazon, and select the Amazon applications from the list. Select the Action tab and set the Action to Allow. Click OK to save the rule.
To enable logging for all internet-bound traffic on your network, create a rule that matches trust zone to untrust zone. Select the Policies tab and, in the Device Group drop-down, select Shared. Select the Security > Pre-Rules rulebase. Click Add and enter a Name for the security rule. In the Source and Destination tabs for the rule, Add trust_zone as the Source Zone and untrust_zone as the Destination Zone. In the Action tab, set the Action to Deny, set the Log Setting to Log at Session end, and click OK.
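What makes shared, device group and local rules compose the way this procedure describes is the fixed order in which Panorama layers them. The following Python script is an added example, not code from this page or from Palo Alto Networks: it models that hierarchy (shared pre-rules, device group pre-rules, the firewall's local rules, device group post-rules, shared post-rules, then the intrazone-allow and interzone-deny defaults) together with the Target tab, and evaluates constructed flows against rules modelled on this use case. The firewall names, the dc_zone zone, the 10.1.1.0/24 address object, the user name marketing, and the application names standing in for the page's application filter and for the Amazon applications are all constructed for the example. The catch-all logging rule is placed in the shared post-rulebase by this example, so that the device group and local rules above it are still reached.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Flow:
    """A constructed session to evaluate: zones, App-ID name, user and source IP."""
    src_zone: str
    dst_zone: str
    app: str
    user: str = "unknown"
    src_ip: str = "0.0.0.0"


@dataclass
class Rule:
    name: str
    src_zone: str                              # zone name or ANY
    dst_zone: str
    apps: frozenset                            # App-ID names, or {ANY}
    action: str                                # "allow" or "deny"
    src_users: frozenset = frozenset({ANY})    # User tab
    src_addrs: tuple = ()                      # address objects as CIDRs; empty = any
    targets: frozenset = frozenset()           # Target tab; empty = every firewall in scope
    log_end: bool = False                      # Log at Session End

    def matches(self, flow):
        if self.src_zone not in (ANY, flow.src_zone) or self.dst_zone not in (ANY, flow.dst_zone):
            return False
        if ANY not in self.apps and flow.app not in self.apps:
            return False
        if ANY not in self.src_users and flow.user not in self.src_users:
            return False
        if self.src_addrs and not any(ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(a)
                                      for a in self.src_addrs):
            return False
        return True


class Panorama:
    """Models the Panorama rule hierarchy for a managed firewall."""

    def __init__(self):
        self.shared = {"pre": [], "post": []}
        self.groups = {}      # device group -> {"pre": [...], "post": [...]}
        self.members = {}     # firewall -> device group
        self.local = {}       # firewall -> rules defined locally on that firewall

    def add_device_group(self, name, firewalls):
        self.groups[name] = {"pre": [], "post": []}
        for fw in firewalls:
            self.members[fw] = name

    def effective_rulebase(self, fw):
        """The layered rulebase a firewall evaluates, in order, after Target filtering."""
        dg = self.members[fw]
        layers = [("shared pre", self.shared["pre"]),
                  (f"{dg} pre", self.groups[dg]["pre"]),
                  ("local", self.local.get(fw, [])),
                  (f"{dg} post", self.groups[dg]["post"]),
                  ("shared post", self.shared["post"])]
        return [(layer, r) for layer, rules in layers for r in rules
                if not r.targets or fw in r.targets]

    def evaluate(self, fw, flow):
        """First matching rule wins; otherwise the default rules apply."""
        for layer, rule in self.effective_rulebase(fw):
            if rule.matches(flow):
                return layer, rule.name, rule.action, rule.log_end
        if flow.src_zone == flow.dst_zone:
            return "default", "intrazone-default", "allow", False
        return "default", "interzone-default", "deny", False


# Constructed firewall names for the twelve firewalls in the use case.
BRANCH = [f"fw-branch-{i}" for i in range(1, 7)]
REGIONAL = ["fw-regional-1", "fw-regional-2"]
DATACENTER = [f"fw-dc-{i}" for i in range(1, 5)]


def build_use_case():
    pano = Panorama()
    pano.add_device_group("DG_BranchAndRegional", BRANCH + REGIONAL)
    pano.add_device_group("DG_DataCenter", DATACENTER)
    pano.shared["pre"] += [
        Rule("allow-dns-snmp", ANY, ANY, frozenset({"dns", "snmp", "snmp-trap"}), "allow"),
        # Constructed App-ID names stand in for the page's peer-to-peer risk 3-5 filter.
        Rule("acceptable-use", ANY, ANY, frozenset({"bittorrent", "edonkey"}), "deny"),
    ]
    pano.groups["DG_BranchAndRegional"]["pre"].append(
        Rule("marketing-facebook", "trust_zone", "untrust_zone", frozenset({"facebook"}), "allow",
             src_users=frozenset({"marketing"}), targets=frozenset(REGIONAL)))
    pano.groups["DG_DataCenter"]["pre"].append(
        Rule("dc-amazon", "dc_zone", "untrust_zone", frozenset({"amazon"}), "allow",
             src_addrs=("10.1.1.0/24",)))        # constructed address object
    # Local rule a branch administrator might add; sits between the pre- and post-rules.
    pano.local["fw-branch-1"] = [
        Rule("local-web", "trust_zone", "untrust_zone", frozenset({"web-browsing"}), "allow")]
    # Catch-all that logs internet-bound traffic, placed in shared post-rules by this example.
    pano.shared["post"].append(
        Rule("log-internet", "trust_zone", "untrust_zone", frozenset({ANY}), "deny", log_end=True))
    return pano


if __name__ == "__main__":
    pano = build_use_case()
    fb = Flow("trust_zone", "untrust_zone", "facebook", user="marketing")
    for fw in ("fw-regional-1", "fw-branch-1"):
        print(fw, pano.evaluate(fw, fb))   # Target tab limits the rule to regional firewalls
```

Use the evaluate output the way you would use Preview Rules: if a flow you expect a device group rule to allow comes back with a shared pre-rule's name, that shared rule is shadowing it and must be narrowed or moved to the post-rulebase.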
Preview the Rules and Commit Changes
The final task in Use Case: Configure Firewalls Using Panorama is to review the rules and commit the changes you have made to Panorama, device groups, and templates.
In the Policies tab, click Preview Rules, and select a Rulebase, Device Group, and Device. This preview enables you to visually evaluate how rules are layered for a particular rulebase. Close the preview dialog when you are done.
Click Commit, for the Commit Type select Panorama, and click Commit again.
Click Commit, for the Commit Type select Device Group, select the device groups you added, select the Include Device and Network Templates check box, and click Commit again.
In the Context drop-down, select the firewall to access its web interface and confirm that Panorama applied the template and policy configurations.
