Create a Device Onboarding Rule
Create a device onboarding rule to automate NGFW onboarding to Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
  • Strata Logging Service license
Use a device onboarding rule to automate parts of the Palo Alto Networks Next-Generation Firewall (NGFW) onboarding to Strata Cloud Manager, whether you onboard the Palo Alto Networks NGFW manually or using Zero Touch Provisioning (ZTP). A rule lets you associate the firewall with a folder and push a configuration when the firewall first connects to Strata Cloud Manager. Device onboarding rules are designed to simplify and greatly reduce the time spent onboarding new Palo Alto Networks NGFW at scale, and to ensure the correct configuration is applied to every newly onboarded Palo Alto Networks NGFW. You can create multiple device onboarding rules with different match criteria that apply to different Palo Alto Networks NGFW.
The Match Criteria, Action, VPN Onboarding, and User Context Onboarding configurations are optional and can be configured as needed. If no Match Criteria is specified, then the device onboarding rule applies to Any Palo Alto Networks NGFW model and serial number. The Palo Alto Networks NGFW must match all Match Criteria defined in the rule for Strata Cloud Manager to take the configured Action or push the VPN Onboarding and User Context Onboarding configurations.
For example, suppose you don't configure the Match Criteria, you configure only the Target Folder in the rule Action, and you don't configure VPN Onboarding or User Context Onboarding. In this case Strata Cloud Manager applies the rule to all Palo Alto Networks NGFW onboarded to Strata Cloud Manager and only adds them to the Target Folder. As another example, suppose you specify Palo Alto Networks NGFW models and serial numbers in the Match Criteria, you don't configure the rule Action at all, and you do configure VPN Onboarding and User Context Onboarding. In this case Strata Cloud Manager pushes the VPN Onboarding and User Context Onboarding configurations only to the Palo Alto Networks NGFW models and serial numbers that match the Match Criteria.
  1. Log in to Strata Cloud Manager.
  2. Select Workflows > NGFW Setup > Device Onboarding.
  3. Add Rule.
  4. Configure the General device onboarding rule settings.
    1. The device onboarding rule is Enabled by default. Toggle the Enable setting off if you want the onboarding rule to be disabled after you Save.
    2. Enter a descriptive Name for the onboarding rule.
    3. (Optional) Enter a Description for the onboarding rule.
  5. Define the onboarding rule Match Criteria.
    The match criteria define which Palo Alto Networks NGFW the device onboarding rule applies to.
    1. Specify which Palo Alto Networks NGFW Models the rule applies to.
      • Any—Applies to all Palo Alto Networks NGFW onboarded to Strata Cloud Manager.
      • Match—Inclusive condition that applies to the Palo Alto Networks NGFW models added to the match list. You can select one or multiple Palo Alto Networks NGFW models.
        For example, if you add PA-1410 and PA-3260, then the onboarding rule Action applies only to those Palo Alto Networks NGFW models.
      • Exclude (Negate)—Exclusive condition that applies to all Palo Alto Networks NGFW models not added to the exclude list.
        For example, if you add PA-1410 and PA-3260, then the onboarding rule Action applies to all Palo Alto Networks NGFW models except those two.
    2. Specify the Device S/N.
      This complements the Models match criteria by letting you identify the specific serial numbers of the Palo Alto Networks NGFW Models that the onboarding rule applies to.
      • Any—Applies to all Palo Alto Networks NGFW serial numbers.
      • Match—Enter a regular expression (regex) that identifies the Palo Alto Networks NGFW serial numbers.
    3. Specify the Labels applied to Palo Alto Networks NGFW during onboarding that the onboarding rule applies to.
      You can use the And, Or, and Not operators to write a logical expression of labels to match, and parentheses ( ) to group sets of labels and operators within that expression.
  6. Define the onboarding rule Action.
    1. Select the Target Folder the firewall is added to if it matches the device onboarding rule.
      If no Target Folder is specified, then the firewall is added to the default All Firewalls folder.
      (VM-Series, funded with Software NGFW Credits) You can configure the dgname field in the init.cfg.txt bootstrap parameters to add the VM-Series firewall to a target folder. In this case, Strata Cloud Manager prioritizes the target folder configured in the init.cfg.txt file over the one configured in the device onboarding rule.
    2. For Snippet Association, apply snippet configuration to the onboarded firewall after it successfully connects to Strata Cloud Manager.
      Snippets are a tool used to standardize a common base configuration for a set of firewalls or deployments. This lets you quickly onboard a new firewall with a known-good configuration and reduces the time required to onboard it.
    3. Enable VPN Onboarding if you have configured Auto VPN for secure hub-and-spoke connectivity among the firewalls managed by Strata Cloud Manager.
      If enabled, select the VPN Cluster to add the firewall to. This determines the gateway devices and automatically creates secure connections between the configured gateway and the newly onboarded firewall.
    4. Enable User Context Onboarding to configure the user and tag mappings required for User Context for Cloud Identity Engine (CIE).
      User Context provides simplified granular control over the data that is shared across your security devices. It gives your administrators the flexibility to specify the data types each device sends and receives.
      If enabled, you must configure the Segments to Contribute Data To to customize the segment mappings the firewall sends to CIE, and the Segments to Receive Data From to customize how CIE provides segment mappings to the firewall.
  7. Save.
  8. In Device Onboarding, review your newly configured onboarding rule and verify it's Enabled.
    Device onboarding rules are processed in top-down priority. Strata Cloud Manager evaluates each onboarding rule's Match Criteria starting with the rule highest in the rule hierarchy until it finds a rule whose Match Criteria the Palo Alto Networks NGFW fully meets, and then takes the Action specified in that rule. If two rules in the device onboarding rule hierarchy apply to the same firewall, Strata Cloud Manager takes the Action configured in the rule that is higher in the hierarchy.
  9. Onboard your Palo Alto Networks NGFW manually or using Zero Touch Provisioning (ZTP).
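The following Python model is an added example, not Strata Cloud Manager code, that makes the rule semantics in steps 5, 6 and 8 concrete: every configured Match Criteria (Models as Any/Match/Exclude, Device S/N regex, and an And/Or/Not label expression with parentheses) must hold, rules are evaluated top-down with the first enabled match supplying the Action, a missing Target Folder falls back to All Firewalls, and a VM-Series dgname from init.cfg.txt takes priority over the rule's folder. All class, function and field names are assumptions; the serial-number regex is assumed to be matched against the whole serial number, and what happens when no rule matches is not stated on this page, so the model returns None for that case. The rules and firewalls at the bottom are constructed sample data.

```python
# Added illustration of the device onboarding rule semantics; names are assumed,
# this is not Strata Cloud Manager code.
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_FOLDER = "All Firewalls"  # used when a matching rule sets no Target Folder

@dataclass
class Firewall:
    model: str
    serial: str
    labels: set
    dgname: Optional[str] = None  # VM-Series only: dgname from the init.cfg.txt bootstrap

@dataclass
class Rule:
    name: str
    enabled: bool = True
    models: Optional[set] = None        # None = Any; otherwise the Match/Exclude list
    models_negate: bool = False         # True = Exclude (Negate): every model NOT listed
    serial_regex: Optional[str] = None  # None = Any; assumed to match the whole S/N
    label_expr: Optional[str] = None    # None = Any; e.g. "(branch Or retail) And Not prod"
    target_folder: Optional[str] = None
    snippets: list = field(default_factory=list)

_TOKEN = re.compile(r"\(|\)|[^\s()]+")  # parentheses, operators and label names

def eval_label_expr(expr, labels):
    """Evaluate a label expression with And/Or/Not and parentheses
    (precedence Not > And > Or; operators are case-insensitive, labels are not)."""
    tokens, pos = _TOKEN.findall(expr), 0
    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value  # right side is always consumed
        return value
    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            value = parse_not() and value
        return value
    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        if peek() is None or peek() in (")", "and", "or"):
            raise ValueError(f"bad label expression near {tokens[pos:pos + 1]}")
        tok = take()
        if tok != "(":
            return tok in labels          # a label name: true if applied to the firewall
        value = parse_or()                # parenthesised group
        if peek() != ")":
            raise ValueError("missing ')' in label expression")
        take()
        return value
    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r} in label expression")
    return result

def rule_matches(rule, fw):
    """True only if the firewall satisfies every criterion the rule configures."""
    if rule.models is not None and (fw.model in rule.models) == rule.models_negate:
        return False  # Match needs the model listed; Exclude (Negate) needs it not listed
    if rule.serial_regex is not None and not re.fullmatch(rule.serial_regex, fw.serial):
        return False
    return rule.label_expr is None or eval_label_expr(rule.label_expr, fw.labels)

def onboard(rules, fw):
    """Top-down: the first enabled rule whose criteria all match supplies the Action.
    Returns None if nothing matches (the page does not define that case)."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, fw):
            folder = fw.dgname or rule.target_folder or DEFAULT_FOLDER  # dgname wins
            return {"rule": rule.name, "folder": folder, "snippets": list(rule.snippets)}
    return None

# Constructed sample hierarchy (first entry = highest priority).
RULES = [
    Rule("lab-vms", models={"PA-VM"}, label_expr="lab And Not prod", target_folder="Lab-VMs"),
    Rule("branch-1400", models={"PA-1410", "PA-1420"}, serial_regex=r"0123\d+",
         target_folder="Branch", snippets=["branch-base"]),
    Rule("retired-rule", enabled=False, target_folder="Should-Never-Apply"),
    Rule("catch-all-except-dc", models={"PA-5450"}, models_negate=True),
]

if __name__ == "__main__":
    for fw in (Firewall("PA-1410", "012301000001", {"branch"}),
               Firewall("PA-1410", "998800000002", {"branch"}),
               Firewall("PA-5450", "001122334455", {"datacenter"}),
               Firewall("PA-VM", "007000000001", {"lab"}, dgname="Bootstrap"),
               Firewall("PA-VM", "007000000002", {"lab", "prod"})):
        print(fw.model, fw.serial, onboard(RULES, fw))
```

Running the sample shows the priority behaviour worth checking before you deploy a rule set: a PA-1410 whose serial number does not match the branch regex slides past that rule to the catch-all and lands in All Firewalls, a PA-5450 matches nothing because the catch-all excludes it, and the VM-Series with a dgname goes to the bootstrap folder even though the lab-vms rule names Lab-VMs. Ordering your rules from most specific to least specific, as in the sample, keeps a broad rule from shadowing a narrower one below it.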
