Next-Generation Firewall
Create a Device Onboarding Rule
Create a device onboarding rule to automate NGFW onboarding to Strata Cloud Manager.
Use a device onboarding rule to automate parts of Palo Alto Networks Next-Generation Firewall (NGFW) onboarding to Strata Cloud Manager, whether you're onboarding the Palo Alto Networks NGFW manually or using Zero Touch Provisioning (ZTP). A rule lets you associate the firewall with a folder and push a configuration when the firewall first connects to Strata Cloud Manager. Device onboarding rules are designed to simplify and greatly reduce the time spent onboarding new Palo Alto Networks NGFWs at scale, and to ensure that the correct configuration is applied to newly onboarded Palo Alto Networks NGFWs. You can create multiple device onboarding rules, each with different match criteria that apply to different Palo Alto Networks NGFWs.

The Match Criteria, Action, VPN Onboarding, and User Context Onboarding configurations are optional and can be configured as needed. If no Match Criteria are specified, the device onboarding rule applies to Any Palo Alto Networks NGFW model and serial number. A Palo Alto Networks NGFW must match all Match Criteria defined in the rule before Strata Cloud Manager takes the configured Action or pushes the VPN Onboarding and User Context Onboarding configurations.

For example, suppose you don't configure Match Criteria, configure only the Target Folder in the rule Action, and leave VPN Onboarding and User Context Onboarding unconfigured. Strata Cloud Manager then applies the rule to every Palo Alto Networks NGFW onboarded to Strata Cloud Manager and only adds them to the Target Folder.

As another example, suppose you specify Palo Alto Networks NGFW models and serial numbers in the Match Criteria but don't configure the rule Action at all, and you configure VPN Onboarding and User Context Onboarding. Strata Cloud Manager then pushes the VPN Onboarding and User Context Onboarding configurations only to the Palo Alto Networks NGFW models and serial numbers that match the Match Criteria.

- Log in to Strata Cloud Manager.
- Select Workflows > NGFW Setup > Device Onboarding.
- Add Rule.
- Configure the General device onboarding rule settings.
  - The device onboarding rule is Enabled by default. Toggle the Enable setting to disable the onboarding rule after you Save.
  - Enter a descriptive Name for the onboarding rule.
  - (Optional) Enter a Description for the onboarding rule.
- Define the onboarding rule Match Criteria. The match criteria define which Palo Alto Networks NGFWs the device onboarding rule applies to.
  - Specify which Palo Alto Networks NGFW Models.
    - Any—Applies to all Palo Alto Networks NGFWs onboarded to Strata Cloud Manager.
    - Match—Inclusive condition that applies to the Palo Alto Networks NGFW models added to the match list. You can select one or multiple different Palo Alto Networks NGFW models. For example, if you add PA-1410 and PA-3260, then the onboarding rule Action applies only to those Palo Alto Networks NGFW models.
    - Exclude (Negate)—Exclusive condition that applies to all Palo Alto Networks NGFW models not added to the exclude match list. For example, if you add PA-1410 and PA-3260, then the onboarding rule Action applies to all Palo Alto Networks NGFW models except those added to the exclude list.
  - Specify the Device S/N. This complements the Models match criteria by allowing you to identify specific serial numbers of the Palo Alto Networks NGFW Models that the onboarding rule applies to.
    - Any—Applies to all Palo Alto Networks NGFW serial numbers.
    - Match—Enter a regular expression (regex) to identify Palo Alto Networks NGFW serial numbers.
  - Specify the Labels applied to Palo Alto Networks NGFWs during onboarding that the onboarding rule applies to. You can use the And, Or, and Not operators to write a logical expression of labels to match. You can use parentheses (()) to group sets of labels and logical operators when writing your expression.
- Define the onboarding rule Action.
  - Select the Target Folder the firewall is added to if it matches the device onboarding rule. If no Target Folder is specified, then the firewall is added to the default All Firewalls folder. (VM-Series funded with Software NGFW Credits) You can configure the dgname field in the init.cfg.txt bootstrap parameters to add the VM-Series firewall to a target folder. In this case, Strata Cloud Manager prioritizes adding the VM-Series firewall to the target folder configured in the init.cfg.txt file over the one configured in the device onboarding rule.
  - For Snippet Association, apply snippet configuration to the onboarded firewall after it successfully connects to Strata Cloud Manager. Snippets are a tool used to standardize a common base configuration for a set of firewalls or deployments. This allows you to quickly onboard a new firewall with a known good configuration and reduces the time required to onboard a new firewall.
- Enable VPN Onboarding if you have configured Auto VPN for secure hub-and-spoke connectivity between Strata Cloud Manager and your managed firewalls. If enabled, select the VPN Cluster to add the firewall to. This determines the gateway devices and automatically creates secure connections between the configured gateway and the newly onboarded firewall. Click Configure to configure the Palo Alto Networks NGFW as a hub or branch firewall.
- Enable User Context Onboarding to configure the user and tag mappings required for User Context for Cloud Identity Engine (CIE). User Context provides simplified granular control over the data that is shared across your security devices. It gives your administrators the flexibility to specify the data types each device sends and receives. If enabled, you must configure the Segments to Contribute Data To to customize the segment mappings the firewall sends to CIE, and the Segments to Receive Data From to customize how CIE provides segment mappings to the firewall.
- Save.
- In Device Onboarding, review your newly configured onboarding rule and verify it's Enabled. Device onboarding rules are processed in top-down priority. Strata Cloud Manager evaluates each onboarding rule's Match Criteria, starting with the rule highest in the rule hierarchy, until the Palo Alto Networks NGFW meets all Match Criteria of a rule. Strata Cloud Manager then takes the Action specified in the matching rule. If two rules in the device onboarding rule hierarchy apply to the same firewall, Strata Cloud Manager takes the Action configured in the rule higher up in the hierarchy.
- Onboard your Palo Alto Networks NGFW manually or using Zero Touch Provisioning (ZTP).
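As an added example (not Palo Alto Networks code), the following Python models the evaluation order the steps above describe: rules are checked top-down, every configured Match Criterion (Models Any/Match/Exclude, serial-number regex, And/Or/Not label expression) must match, the first matching rule supplies the Target Folder, an unset Target Folder falls back to All Firewalls, and a VM-Series init.cfg.txt dgname takes precedence. The rule set and the device records are constructed; that an unanchored serial regex is searched rather than fully matched is an assumption.

```python
import re

RULES = [  # constructed sample rules, ordered top-down as in the Device Onboarding hierarchy
    {"models": ("match", {"PA-1410", "PA-1420"}), "serial": r"^0017\d{8}$",
     "labels": "branch And Not lab", "folder": "Branch"},
    {"models": ("exclude", {"PA-3260", "PA-5410"}), "serial": None,
     "labels": None, "folder": "Campus"},
    {"models": ("any", set()), "serial": None, "labels": None, "folder": None},
]

def labels_match(expr, labels):
    """Evaluate an And/Or/Not label expression with () grouping (recursive descent)."""
    toks, pos = re.findall(r"\(|\)|[\w-]+", expr), 0
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = or_expr()
            pos += 1                           # consume the closing ")"
            return val
        return not atom() if tok.lower() == "not" else tok in labels
    def binop(op, sub, combine):               # left-assoc chain: sub (op sub)*
        nonlocal pos
        val = sub()
        while pos < len(toks) and toks[pos].lower() == op:
            pos += 1
            val = combine(sub(), val)          # sub() always runs so pos stays in step
        return val
    and_expr = lambda: binop("and", atom, lambda a, b: a and b)
    or_expr = lambda: binop("or", and_expr, lambda a, b: a or b)
    return or_expr()

def rule_matches(rule, device):
    """All configured Match Criteria must match; an unset criterion behaves as Any."""
    mode, models = rule["models"]
    model_ok = mode == "any" or (mode == "match") == (device["model"] in models)  # exclude = negate
    serial_ok = not rule["serial"] or re.search(rule["serial"], device["serial"]) is not None
    labels_ok = not rule["labels"] or labels_match(rule["labels"], device["labels"])
    return model_ok and serial_ok and labels_ok

def target_folder(device, rules=RULES, dgname=None):
    """Top-down, first match wins; a VM-Series init.cfg.txt dgname takes precedence."""
    folder = next((r["folder"] for r in rules if rule_matches(r, device)), None)
    return dgname or folder or "All Firewalls"  # no Target Folder: default All Firewalls

DEVICES = {  # constructed sample firewalls: model, serial number, onboarding labels
    "branch-pa1410": {"model": "PA-1410", "serial": "001701234567", "labels": {"branch", "emea"}},
    "lab-pa1410": {"model": "PA-1410", "serial": "001709999999", "labels": {"branch", "lab"}},
    "dc-pa3260": {"model": "PA-3260", "serial": "001801111111", "labels": {"datacenter"}},
}
```

Reordering RULES changes which folder the lab device lands in, which is the top-down precedence the review step warns about.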