Achieve More With Panorama 8.0

Jayant Thakre


Earlier this year, we launched PAN-OS 8.0, which included an upgrade to Panorama. This post explains how users can get the most out of Panorama 8.0 by using its new features.

Observe More

  • With 8.0, Panorama can process logs from our PA-7000 Series next-generation firewalls. Panorama has been able to process logs from all other hardware and virtual next-generation firewalls for years. Now, users can do the same for PA-7000 Series devices by forwarding their logs to Panorama.
  • Most users want to interact with all their Palo Alto Networks security logs in one place, and Panorama 8.0 delivers that. Panorama can now process logs from next-generation firewalls as well as from Traps, our advanced endpoint protection offering, so starting with 8.0 Panorama can be your single pane of glass for network and endpoint events. Panorama not only processes and aggregates but also correlates network and endpoint logs to show you a complete picture. For example, if Traps triggers a WildFire event, Panorama will correlate all network and endpoint activity associated with that malware sample, allowing you to quickly figure out what happened and where.
  • Apart from supporting these new device types, we also added the capability to decapsulate and inspect all traffic inside cleartext tunnels, such as GRE or IPsec tunnels that use null encryption. Previously, a tunnel such as GRE was seen as a single session and logged as one, providing no visibility into the inner flows. With this feature, admins can observe what is going on inside the tunnel and enforce policy on those inner flows. We have also added a dedicated tab in the Application Command Center (ACC) so admins can answer questions like, "what was going through a given GRE tunnel?"
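The tunnel visibility described above, as an added example that is not PAN-OS or Panorama code: a small parser that decapsulates an IPv4/GRE/IPv4 packet and reports the outer session (the single session a firewall without tunnel inspection would log) alongside the inner flow. The packet bytes are constructed inline; the header layouts follow RFC 791 (IPv4) and RFC 2784/2890 (GRE), while the nesting limit and the choice to stop at non-IPv4 GRE payloads are this example's own. IPsec with null encryption is not handled here.

```python
"""GRE decapsulation: recover the inner flow that a tunnel hides.

Added example, not PAN-OS code. Parses a constructed IPv4/GRE/IPv4/TCP
packet and returns the outer session (all that a firewall without tunnel
inspection would see) together with the inner flow that tunnel content
inspection exposes.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
ETHERTYPE_IPV4 = 0x0800


def parse_ipv4(buf):
    """Return (protocol, src, dst, payload) for one IPv4 packet (RFC 791)."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(buf):
        raise ValueError("inconsistent IPv4 header lengths")
    src, dst = IPv4Address(buf[12:16]), IPv4Address(buf[16:20])
    return buf[9], str(src), str(dst), buf[ihl:total_len]


def parse_gre(buf):
    """Return (protocol type, payload) for a GRE header (RFC 2784/2890): a
    4-byte base header plus optional 4-byte checksum, key and sequence
    fields, each announced by a flag bit."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, proto_type = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")  # e.g. PPTP's version 1
    offset = 4
    if flags & 0x8000:  # C: checksum + reserved1
        offset += 4
    if flags & 0x2000:  # K: key
        offset += 4
    if flags & 0x1000:  # S: sequence number
        offset += 4
    if len(buf) < offset:
        raise ValueError("truncated GRE options")
    return proto_type, buf[offset:]


def transport_ports(proto, payload):
    """Source/destination ports for TCP or UDP; (None, None) otherwise."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return None, None


def flows(packet, max_depth=4):
    """List of (protocol, src, dst, sport, dport) tuples, outermost first.

    Follows IPv4-in-GRE nesting up to max_depth levels, so a GRE-in-GRE
    packet cannot drive unbounded recursion. Stops at GRE payloads that are
    not IPv4 (e.g. 0x6558 transparent Ethernet bridging), which this
    example does not decode."""
    result, buf = [], packet
    for _ in range(max_depth):
        proto, src, dst, payload = parse_ipv4(buf)
        sport, dport = transport_ports(proto, payload)
        result.append((proto, src, dst, sport, dport))
        if proto != IPPROTO_GRE:
            break
        proto_type, inner = parse_gre(payload)
        if proto_type != ETHERTYPE_IPV4:
            break
        buf = inner
    return result


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header for the sample packet (checksum left at zero: we
    are parsing, not transmitting)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


# Constructed sample: 10.1.1.10 -> 192.0.2.20:443 over TCP, carried in a GRE
# tunnel (Key flag set) between 198.51.100.1 and 203.0.113.1.
INNER_PACKET = build_ipv4(IPPROTO_TCP, "10.1.1.10", "192.0.2.20",
                          struct.pack("!HH", 40000, 443) + bytes(16))
GRE_SEGMENT = struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 42) + INNER_PACKET
SAMPLE_PACKET = build_ipv4(IPPROTO_GRE, "198.51.100.1", "203.0.113.1", GRE_SEGMENT)

if __name__ == "__main__":
    for depth, flow in enumerate(flows(SAMPLE_PACKET)):
        print(depth, flow)
```

Running the module prints two flows for the sample: depth 0 is the GRE session between the tunnel endpoints with no ports, which is all that appears in a single tunnel log; depth 1 is the TCP connection to port 443 that policy can now be enforced on. Length fields are checked against the buffer before any slice, so a truncated or lying header raises rather than producing a bogus inner flow.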

Automate More

  • Most automated workflows on third-party systems are triggered when a specific log or event is observed in the network. The new HTTP log forwarding capability enables such automation by forwarding logs to any HTTP API-based system. You can choose to forward a few fields of the log or the whole event. Out of the box, PAN-OS 8.0 includes support for ServiceNow and VMware NSX workflow automation: you can send log data in a predefined format to ServiceNow to create an incident, or to VMware NSX Manager to tag virtual machines. You can send an SMS when a critical event occurs, or even cut off a user's wireless access when a threat is detected. Those are just a few examples; the payload format is customizable, so you can use it to integrate with any other system.

  • Dynamic Address Groups allow admins to create policy that automatically adapts to change (e.g., servers being added, moved or removed). Dynamic Address Groups use tags to identify their members. With Panorama 8.0, our next-generation firewalls can automatically add or remove tags on an IP address when a specific, predefined event is logged. This new capability can be used to programmatically quarantine a host or start a vulnerability scan of it whenever a particular set of events is seen. Best of all, the feature doesn't require a configuration commit on the firewall.
  • In previous versions of Panorama, you could forward logs based on factors such as rule, log type or log severity; with 8.0, you can forward logs based on any field in the log. You also have the flexibility to forward what you want to multiple recipients as syslog, SNMP trap or email. Forwarding what you want, to whom you want, in the format you want, is key to automating more.
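The three capabilities in this section (match on any log field, auto-tag the source address so a Dynamic Address Group picks it up without a commit, and render a custom HTTP payload from log fields), as an added example that is not PAN-OS or Panorama code. The log records, field names, profile and payload template are constructed for the example; the filter grammar follows the PAN-OS-style "(field eq value) and ..." form but the tokenizer and evaluator are the example's own, and the "$field" placeholder syntax is an assumption rather than the product's payload format.

```python
"""Event-driven log automation, modelled on the Panorama 8.0 features above.
Added example, not PAN-OS code: a constructed log record is matched against a
filter in the PAN-OS-style '(field op value)' form joined by and/or/not; on a
match the source IP is tagged (a Dynamic Address Group resolves its members
from the tag table at lookup time, hence no commit) and an HTTP payload is
rendered from a '$field' template."""
import ipaddress
import re
from string import Template

TOKEN = re.compile(r"\(\s*(\w+)\s+(eq|neq|in)\s+(\S+?)\s*\)|(and|or|not|\(|\))")


def tokenize(expr):
    """Term tuples and connective strings; rejects any text outside that grammar."""
    if not re.fullmatch(rf"(?:\s*(?:{TOKEN.pattern}))*\s*", expr):
        raise ValueError(f"unsupported filter syntax: {expr!r}")
    return [m.group(1, 2, 3) if m.group(1) else m.group(4) for m in TOKEN.finditer(expr)]


def match_term(log, field, op, value):
    actual = log.get(field)
    if actual is None:  # a missing field never matches
        return False
    if op in ("eq", "neq"):
        return (actual == value) == (op == "eq")
    return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)


class Filter:
    """Recursive-descent evaluator; precedence or < and < not < atom."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)

    def evaluate(self, log):
        self.i, self.log = 0, log
        result = self._or()
        if self.i != len(self.tokens):
            raise ValueError("unbalanced filter")
        return result

    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def _take(self):
        tok, self.i = self._peek(), self.i + 1
        return tok

    def _or(self):
        v = self._and()
        while self._peek() == "or":
            self._take()
            v = self._and() or v  # right side evaluated first: no short circuit
        return v

    def _and(self):
        v = self._not()
        while self._peek() == "and":
            self._take()
            v = self._not() and v
        return v

    def _not(self):
        if self._peek() == "not":
            self._take()
            return not self._not()
        return self._atom()

    def _atom(self):
        tok = self._take()
        if tok == "(":
            v = self._or()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return v
        if isinstance(tok, tuple):
            return match_term(self.log, *tok)
        raise ValueError(f"unexpected token {tok!r}")


def process(logs, profile, tag_table):
    """Run one forwarding profile over a batch: tag matching sources in tag_table
    (ip -> set of tags) and return the HTTP payloads that would be sent."""
    flt, payloads = Filter(profile["filter"]), []
    for log in logs:
        if flt.evaluate(log):
            tag_table.setdefault(log["src"], set()).add(profile["tag"])
            payloads.append(Template(profile["payload"]).substitute(log))
    return payloads


# Constructed sample logs and profile; the field names are the example's own.
SAMPLE_LOGS = [
    {"subtype": "vulnerability", "severity": "critical", "src": "10.1.2.3", "dst": "203.0.113.10", "rule": "allow-web"},
    {"subtype": "wildfire", "severity": "medium", "src": "10.1.2.4", "dst": "203.0.113.11", "rule": "allow-web"},
    {"subtype": "vulnerability", "severity": "critical", "src": "172.16.9.9", "dst": "203.0.113.12", "rule": "allow-dmz"},
]
PROFILE = {
    "filter": "(severity eq critical) and (src in 10.0.0.0/8) and not (rule eq allow-dmz)",
    "tag": "quarantine",
    "payload": '{"short_description": "$severity $subtype from $src to $dst", "u_rule": "$rule"}',
}
```

Calling process(SAMPLE_LOGS, PROFILE, tags) with an empty dict tags returns one rendered ServiceNow-style payload and leaves 10.1.2.3 carrying the quarantine tag; a group whose members are "every IP tagged quarantine" would include it immediately, with no commit. Two design points matter for something that drives quarantine actions: the filter is checked against a fixed grammar before evaluation instead of being handed to eval, so a stray operator in a profile fails loudly; and Template.substitute raises KeyError when a log lacks a placeholder's field, so a half-empty ticket is never sent.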

Collaborate Better

  • When multiple administrators manage next-generation firewalls, being able to choose whose configuration changes get deployed at commit time is important. The scenario is common in enterprises: an admin needs to make an urgent change and finds that another team member is in the middle of a change of their own. Panorama 8.0 solves that problem by letting an admin commit their own changes while preserving, but not committing, the changes of other admins.
  • We understand that every Panorama user has a unique workstyle, so we already offer personalization capabilities. Panorama 8.0 enhances personalization of the Application Command Center (ACC): you can save the exact state of any widget and select your own default ACC tab to appear after login. You can also share your personalized ACC view with other users. These custom ACC tabs synchronize across HA pairs, so when the standby Panorama becomes active you still get your own custom view.

Report Better

  • In the past, Panorama provided visibility into SaaS application usage via the SaaS Application Usage Report and allowed you to tag SaaS applications as sanctioned or unsanctioned. Panorama 8.0 now lets you interact with SaaS application data in the ACC. Because we have added more aggregate data points, you can obtain details such as the number of unique users for an application or the number of unique applications for a specific user, helping you understand SaaS usage within your organization. This in turn helps you answer questions like how many employees are using unsanctioned applications, or which users are using a specific unsanctioned application.

Be Quicker

  • Panorama 8.0 also includes a technology upgrade that makes it quicker. The new big data query and reporting engine provides up to a 40x improvement in query performance, and most UI view, edit and query operations now take a tenth of the time they took in previous versions of Panorama. Here are some before-and-after timings on sample queries:
Query                                                          Type of data     Before 8.0   After 8.0
Traffic from IP A to B for an application on a specific port   Traffic logs     440 s        11 s
Traffic from IP A to B for a protocol on a specific port       Traffic logs     51 s         6 s
Search for an IP address (e.g., a host)                        Data filtering   104 s        9 s
Search for an IP address that has alerts                       Data filtering   23 s         4 s
Search for URLs visited from IP A to IP B                      URL logs         35 s         4 s
Search for traffic going to a specific URL                     URL logs         35 s         4 s

Now that you have a better understanding of why Panorama 8.0 is a crucial upgrade, give it a try and let us know what you think.

To learn more about Panorama, visit:
