Operational Guide for Managing Palo Alto Security Infrastructure

Overview

This blog post provides a comprehensive operational guide for administering Palo Alto Networks security infrastructure, specifically focusing on Panorama, VM-Series, and CN-Series firewalls.

It outlines routine activities such as access management, onboarding firewalls, configuring policies, upgrading software, managing licenses, and viewing reports.

This guide is structured to help security and network administrators perform day-to-day operations with clarity and consistency.

Introduction

This document aims to provide a step-by-step SOP (Standard Operating Procedure) for managing Palo Alto security components.

Access Management

How to Access Panorama and Firewalls

  • Via Web UI or CLI using a secure bastion/jump host
  • Ensure only authorized users have access to the firewalls or Panorama

Adding New Administrator Users

  1. Go to Panorama, then Administrators, then Add
  2. Enter username, password, and select role
  3. Set the Administrator Type to Dynamic
  4. Use the appropriate password profile
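
The review these steps imply, as an added example (not code from this post or from Palo Alto Networks): it checks an exported configuration against an approved administrator list and flags accounts that have no password profile. The XML element names, the sample accounts and the `APPROVED_ADMINS` mapping are assumptions constructed for illustration; verify the layout against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported configuration (not from a real device).
# The mgt-config/users layout and element names are assumptions.
SAMPLE_CONFIG = """<config><mgt-config><users>
  <entry name="admin">
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
  </entry>
  <entry name="netops-alice">
    <permissions><role-based><panorama-admin>yes</panorama-admin></role-based></permissions>
    <password-profile>strict-90d</password-profile>
  </entry>
  <entry name="helpdesk-bob">
    <permissions><role-based><superuser>yes</superuser></role-based></permissions>
    <password-profile>strict-90d</password-profile>
  </entry>
  <entry name="temp-contractor">
    <permissions><role-based><superreader>yes</superreader></role-based></permissions>
    <password-profile>strict-90d</password-profile>
  </entry>
</users></mgt-config></config>"""

# Hypothetical approval record: username -> dynamic role that was signed off.
APPROVED_ADMINS = {
    "admin": "superuser",
    "netops-alice": "panorama-admin",
    "helpdesk-bob": "superreader",
}

def audit_admins(config_xml, approved):
    """Return sorted (username, finding) tuples for accounts needing review."""
    findings = []
    for entry in ET.fromstring(config_xml).findall("./mgt-config/users/entry"):
        name = entry.get("name")
        role_node = entry.find("./permissions/role-based")
        # The first child of <role-based> names the configured dynamic role.
        role = role_node[0].tag if role_node is not None and len(role_node) else "none"
        if name not in approved:
            findings.append((name, "not on authorized list"))
        elif approved[name] != role:
            findings.append((name, f"role {role}, approved {approved[name]}"))
        if entry.findtext("password-profile") is None:
            findings.append((name, "no password profile"))
    return sorted(findings)

if __name__ == "__main__":
    for user, issue in audit_admins(SAMPLE_CONFIG, APPROVED_ADMINS):
        print(f"{user}: {issue}")
```
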

Firewall Management

Adding a New Firewall to Panorama

When a firewall fails or a new VM-Series instance is provisioned, follow these steps:

Generate Device Registration Auth Key

  1. Navigate to Panorama > Device Registration Auth Key

Add a key, specifying its name, type, count, and lifetime.

Add the New Firewall

  1. Go to Panorama > Managed Devices > Summary → Add
  2. Enter the serial number, then paste the Authentication Key.
  3. Associate:
    • Appropriate Device Group
    • Template (based on Availability Zone)
    • Log Collector

  4. Enable Auto Push on First Connect

Configure Panorama on Firewall

  • Go to Firewall UI → Device > Setup > Management
  • Input Panorama IP and Auth Key
  • Commit changes on both the firewall and Panorama
  • Verify device status shows Connected

Associate GWLB Endpoints (If Applicable)

Use the CLI:

Check with:

Firewall Policy Management

Adding or Modifying Security Rules

  1. To access Pre Rules, select Policies > Security.
  2. Select Device Group (based on environment)

  3. Define:
    • Rule Name, Source/Destination
    • Applications, Services
    • Actions (Allow/Deny), Log Forwarding

Firewall Object Management

Types of Objects You Can Create

  • Address Object: Static IP or FQDN
  • Static Address Group: Collection of addresses
  • Dynamic Address Group: Use match criteria (tags)
  • Service Object: Custom TCP/UDP ports
  • Custom URL Category: For specific domain filtering

Software and Content Updates

Panorama Software Upgrade

  1. Back up the Panorama config:
    Setup > Operations > Save/Export
  2. Update all dynamic packages (AV, Threats, WildFire, URL)
  3. To access Pre Rules, click Policies, then Security
  4. Download, Install, and Reboot (if prompted)
  5. Validate software version on Dashboard

VM-Series Firewall Software Upgrade

  1. Export config backup:
    Setup > Operations > Export Config Bundle
  2. Update Dynamic Content:
    Device Deployment > Dynamic Updates
  3. Upgrade PAN-OS via:
    Device Deployment > Software > Install
  4. Reboot the firewall after installation
  5. Repeat for all AZ firewall instances
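
A post-upgrade check for the "repeat for all AZ firewall instances" step and the earlier "verify device status shows Connected" step, as an added example (not code from this post or from Palo Alto Networks): it reads a managed-device inventory and reports every firewall that is disconnected or not on the target version. The response layout, hostnames, serial numbers and version strings are constructed for illustration and are assumptions to check against your Panorama's output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama managed-device inventory response.
# Serials, hostnames and versions are made up; element names are assumptions.
SAMPLE_INVENTORY = """<response status="success"><result><devices>
  <entry name="007000000000001">
    <hostname>fw-az1</hostname><connected>yes</connected>
    <sw-version>11.1.4</sw-version>
  </entry>
  <entry name="007000000000002">
    <hostname>fw-az2</hostname><connected>yes</connected>
    <sw-version>11.1.2</sw-version>
  </entry>
  <entry name="007000000000003">
    <hostname>fw-az3</hostname><connected>no</connected>
    <sw-version>11.1.4</sw-version>
  </entry>
</devices></result></response>"""

def upgrade_gaps(inventory_xml, target_version):
    """Map hostname -> list of issues for devices that need attention."""
    root = ET.fromstring(inventory_xml)
    if root.get("status") != "success":
        raise ValueError("inventory query did not succeed")
    gaps = {}
    for dev in root.findall("./result/devices/entry"):
        # Fall back to the serial number if no hostname was reported.
        host = dev.findtext("hostname") or dev.get("name")
        issues = []
        if dev.findtext("connected") != "yes":
            # A disconnected device only shows its last-known version,
            # so treat its version field as unverified.
            issues.append("not connected")
        version = dev.findtext("sw-version")
        if version != target_version:
            issues.append(f"running {version}, expected {target_version}")
        if issues:
            gaps[host] = issues
    return gaps

if __name__ == "__main__":
    for host, issues in upgrade_gaps(SAMPLE_INVENTORY, "11.1.4").items():
        print(f"{host}: {'; '.join(issues)}")
```
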

License Management

Refresh Existing Licenses

  • Go to Device Deployment > Licenses > Refresh

Activate New Licenses

  1. Go to Device Deployment, then click on Licenses > Activate
  2. Input Auth Code → Click Activate

Some support licenses may need to be activated directly from the firewall interface.

Custom Reports

  1. Go to Manage Custom Reports
  2. Add or edit reports with required filters
  3. Click Run to generate the report, then download it

Conclusion

This guide offers an actionable reference for the day-to-day operations of Palo Alto Networks’ security infrastructure. Admins can ensure secure, up-to-date, and resilient firewall management using Panorama by following these structured procedures.

Drop a query if you have any questions regarding Palo Alto Networks, and we will get back to you quickly.

FAQs

1. Do I need to reboot after every software update?

ANS: Only if prompted. Panorama and firewalls may or may not require a reboot depending on the update version.

2. Can I roll back a firewall upgrade?

ANS: Yes, if a config snapshot and the previous version are available. Always take a backup before upgrading.

3. Can I commit rules on Panorama without pushing them immediately?

ANS: Yes, use Commit to Panorama and push later using Push to Devices.

WRITTEN BY Noopur Shrivastava

Noopur Shrivastava works as a Research Associate at CloudThat, where she is deeply passionate about cloud computing technologies such as AWS and Azure. She continuously strives to expand her knowledge and gain practical industry experience. As an effective communicator and strong team player, she is always eager to embrace new challenges and grow in her role. Her enthusiasm for learning and exploring emerging technologies, combined with her technical skills, enables her to contribute meaningfully to any team within the cloud domain.
