Palo Alto Panorama
Introduction to Palo Alto Panorama
Palo Alto Panorama is the centralized management server that offers global visibility and control over multiple Palo Alto Networks next-generation firewalls from a web interface console. Panorama manages multiple Palo Alto Networks firewalls from a central location.
Key Features of Palo Alto Panorama
- Application Command Center (ACC): ACC provides a visual summary of application, web, threat and data transfer activity.
- App-Scope: App-Scope provides a comparison view of application activity across either multiple devices or a single device.
- Policy-Based Application Usage Control: Using a policy editor, application usage control policies can be developed, deployed and managed.
- Shared Policies: Panorama deploys a set of global policies across a set of distributed firewalls. A Panorama administrator can modify or remove policies.
- Centralized Update Management: Panorama can be used to manage licenses and perform device or content updates (virus patterns, threat signatures, App-ID).
- Logging: Detailed logs are collected locally, leveraging device storage and eliminating the need for centralized logging.
- Reporting: The reporting feature of Panorama can generate more than 30 predefined reports, which can be used as is or modified and saved for future use. Reports can be exported to PDF format and scheduled for email delivery.
Panorama Management Architecture
Panorama provides many features for managing Palo Alto Networks firewalls using a model that provides both central and local control. Panorama features a number of tools for centralized administration:
- Templates: Templates can be used to manage configuration centrally and then push the changes to all managed Palo Alto firewalls.
- Device Groups: Panorama manages common policies and objects via device groups. Device groups are used to centrally manage Palo Alto firewalls that share common requirements and common policies.
- Role-based Administration: This feature can be used to assign role-based administration access (enabled, read-only, or disabled and hidden from view) to different users.
- Software, Content and License Update Management: Panorama can distribute software updates and manage licenses across the network in an organized manner.
Panorama Deployment
Panorama can be deployed either as a hardware appliance or as a virtual appliance.
Hardware Appliance:
Panorama uses the M-100 hardware appliance for high-performance dedicated hardware and to separate the Panorama management and logging functions for large volumes of log data. Panorama running on the M-100 appliance can be deployed in the following ways:
- Centralized: All Panorama management and logging functions are combined centrally in a single device, with the option of HA.
- Distributed: Management and logging functions can be split across multiple devices, divided between a Panorama manager and a Panorama log collector.
  - Panorama Manager: The Panorama manager does not store log data locally; logs are saved separately. The manager analyzes the data saved in the log collectors for centralized reporting.
  - Panorama Log Collector: A dedicated log collector device is deployed to handle high logging volume and aggregates log information from multiple managed firewalls.
Virtual Appliance:
Panorama can be deployed as a virtual appliance on VMware ESXi to support virtualization initiatives and consolidate rack space, which is limited and costly in a data center. The virtual appliance can be deployed in the following two ways:
- Centralized: All Panorama management and logging functions are combined centrally in a single device, with the option of HA.
- Distributed: Management and logging functions can be split across multiple devices. This mode supports a combination of hardware and virtual appliances.
  - Panorama Manager: The virtual appliance acts as a Panorama manager and is responsible for handling the tasks associated with policy and device configuration across all managed devices.
  - Panorama Log Collector: Panorama log collectors are responsible for offloading log collection and processing tasks and may be deployed using the M-100. The virtual appliance is not to be used as a Panorama log collector.
PARAMETER | PANORAMA CENTRALIZED MANAGEMENT | DEVICE WEB INTERFACE |
Multi-device management | Yes | No |
Global view of all devices | Yes | No |
Global logging/reporting | Yes | No |
Application Command Center | Yes | Yes |
App-Scope | Yes | Yes |
Policy Editor | Yes | Yes |
Web-based interface | Yes | Yes |
Shared policies | Yes | No |
Role-based administration | Yes | Yes |
Requires management client | No | No |
PANORAMA SPECIFICATIONS | |
Number of Devices Supported | Up to 1,000 |
Administrator Authentication | Local database, RADIUS |
High Availability | Active/Passive |
Log Storage | Maximum of 2 Terabytes (TB) |
Command Line Interface | SSHv2, Telnet or Console |
Web Interface | HTTPS, HTTP |
Device Connection | SSLv2 |
Management Tools and APIs | Graphical User Interface (GUI), Command Line Interface (CLI), XML-Based REST API |
VIRTUAL APPLIANCE SPECIFICATIONS | |
Minimum Server Hardware Requirements | 40 GB, 4 GB RAM, Quad-Core CPU (2GHz+) |
VMware Support | VMware ESX 4.1 or greater |
Browser Support | IE v7 or greater, Firefox v3.6 or greater, Safari v5.0 or greater, Chrome v11.0 or greater |
Log Storage | VMware Virtual Disk: 2TB maximum, NFS |
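The specification table above lists Telnet and HTTP alongside SSHv2 and HTTPS as management access methods. The following added example (not from the original page or from Palo Alto Networks) audits an exported configuration for explicitly enabled cleartext management services and a missing permitted-IP list. The sample XML is constructed, and the element names `disable-telnet`, `disable-http` and `permitted-ip` are assumed to match the PAN-OS `deviceconfig system` settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragment of an exported running configuration.
# Element names are assumed to follow the PAN-OS "deviceconfig system" settings.
SAMPLE_CONFIG = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>panorama-lab</hostname>
          <service>
            <disable-telnet>no</disable-telnet>
            <disable-http>yes</disable-http>
          </service>
          <permitted-ip>
            <entry name="10.10.0.0/24"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Cleartext management protocols and the setting that turns each one off.
CLEARTEXT = {"disable-telnet": "Telnet", "disable-http": "HTTP"}


def audit_management_plane(config_xml):
    """Return a list of findings for the management interface settings."""
    root = ET.fromstring(config_xml)
    findings = []
    for system in root.iterfind(".//deviceconfig/system"):
        host = system.findtext("hostname", default="(unnamed)")
        for tag, proto in CLEARTEXT.items():
            # Only an explicit "no" is flagged; an absent element is left
            # to the platform default and is not reported here.
            if (system.findtext(f"service/{tag}") or "").strip() == "no":
                findings.append(f"{host}: {proto} management access is enabled")
        # Without a permitted-ip list, any source address can reach management.
        if not system.findall("permitted-ip/entry"):
            findings.append(f"{host}: no permitted-ip list restricts management access")
    return findings


if __name__ == "__main__":
    for line in audit_management_plane(SAMPLE_CONFIG):
        print(line)
```

Run it against a configuration export from each managed device; an empty result means neither cleartext service is explicitly enabled and a permitted-IP list is present.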
Conclusion
Panorama manages multiple Palo Alto Networks firewalls from a central location and provides features such as templates, device groups, role-based administration and update management. Organizations can delegate appropriate access to all management functions: visualization tools, policy creation, reporting and logging at both a global level and a local level.