Palo Alto Networks | Panorama | Datasheet 1
PANORAMASecurity deployments are complex and can overload IT teams with complex securityrulesandmountainsofdatafrommultiplesources.Panorama™networksecurity management empowers you with easy-to-implement, consolidated policy creationandcentralizedmanagementfeatures.Setupandcontrolfirewallscentrallywithindustry-leadingfunctionalityandanefficientrulebase,andgaininsightintonetwork-widetrafficandthreats.
Key Security Features
Management• Deploy corporate policies centrally tobeusedinconjunctionwithregional or functional policies for maximumflexibility.
• Delegate appropriate levels of administrative control at the regional levelorgloballywithrole-basedmanagement.
• Group devices into logical, hier-archical device groups for greater managementflexibility.
• Utilizetemplatestacksforeasydeviceandnetworkconfiguration.
• Easily import existing device configurationsintoPanorama.
Visibility and Security• Automatically correlate indicators ofthreatsforimprovedvisibilityandconfirmation of compromised hosts acrossyournetwork.
• Centrallyanalyze,investigateandreportnetworktraffic,securityincidents and administrative modifications.
• Viewahighlycustomizablegraphicalsummary of applications, users, contentandsecuritythreats.
• Generateactionable,customizablereports to view application and threat traffic, SaaS usage, and user behavioracrossyourconfiguration.
Figure 1: Panorama deployment
Simplified Powerful Policy:Panoramanetworksecuritymanagementprovidesstaticrulesinanever-changingnetworkandthreatlandscape.Manageyournetworksecuritywithasinglesecurityrulebaseforfirewall,threatprevention,URLfiltering,applicationawareness,useridentification,sandboxing,fileblockinganddatafiltering.Thiscrucialsimplification,alongwithdynamicsecurityupdates,reducesworkloadonadministratorswhileimprovingyouroverallsecurityposture.
Enterprise Class Management: Panoramakeepstheenterpriseuserinmind.Controlyourinternetanddatacenteredge,andyourprivateandpublicclouddeployments,allfromonesingleconsole.Panoramacanbedeployedviavirtualappliances,ourpurpose-builtappliancesoracombinationofthetwo.UseappliancesasPanoramamanagementunitsoraslogcollectorsinhierarchicaldeploymentoptions.Asyournetworkgrows,youjustneedtoaddthelogcollectors–wetakecareoftherest.
Unmatched Automated Visibility and Awareness: Automated threat correla-tion,withapredefinedsetofcorrelationobjects,cutsthroughtheclutterofmonstrousamountsofdata.Itidentifiescompromisedhostsandsurfacescorrelatedmaliciousbehaviorthatwouldotherwisebeburiedinthenoiseoftoomuchinformation.Thisreducesthedwelltimeofcriticalthreatsinyournetwork.AcleanandfullycustomizableApplicationCommandCenterprovidescomprehensiveinsightintocurrentandhistoricalnetworkandthreatdata.
PN
BranchData CenterHeadquarters
Public Cloud Logging Service GlobalProtectCloud Service
Palo Alto Networks | Panorama | Datasheet 2
Powerful Network Visibility: Application Command CenterUsingApplicationCommandCenterfromPanoramaprovidesyouwithahighlyinteractive,graphicalviewofapplications,URLs,threatsanddata(filesandpatterns)traversingyourPaloAltoNetworks®firewalls.TheACCincludesatabbedviewofnetworkactivity,threatactivityandblockedactivity,andeachtabincludespertinentwidgetsforbettervisualizationoftrafficpatternsonyournetwork.Customtabscanbecreated,whichincludewidgetsthatenableyoutodrilldownintotheinformationthatismostimportanttotheadministrator.TheACCprovidesacomprehensive,fullycustomizableviewofnotonlycurrentbutalsohistoricaldata.
AdditionaldataonURLcategoriesandthreatsprovidesacompleteandwell-roundedpictureofnetworkactivity.ThevisibilityfromtheACCenablesyoutomakeinformedpolicydecisionsandrespondquicklytopotentialsecuritythreats.
Reduced Response Times: Automated Correlation EngineTheautomatedcorrelationenginebuiltintothenext-generationfirewallsurfacescriticalthreatsthatmaybehiddeninyournetwork.ItincludescorrelationobjectsthataredefinedbythePaloAltoNetworksthreatresearchteam.Theseobjectsidentifysuspicioustrafficpatternsorasequenceofeventsthatindicatesamaliciousoutcome.SomecorrelationobjectscanidentifydynamicpatternsthathavebeenobservedfrommalwaresamplesinWildFire®cloud-basedthreatanalysisservice.
Simple Policy Control: Safely Enable ApplicationsSafelyenablingapplicationsmeansallowingaccesstospecificapplicationsandprotectingthemwithspecificthreatpre-vention,QoS,andfile,dataorURLfilteringpolicies.Panoramaempowersyoutosetpolicywithasinglesecurityrulebase,andsimplifiestheprocessofimporting,duplicatingormodifyingrulesacrossyournetwork.Thecombinationofglobalandregionaladministrativecontroloverpoliciesandobjectsletsyoustrikeabalancebetweenconsistentsecurityatthegloballevelandflexibilityattheregionallevel.
Enterprise Class ManagementDeployinghierarchicaldevicegroupsensuresthatlower-levelgroupsinheritthesettingsofhigher-levelgroups.Thisstreamlinescentralmanagementandenablesyoutoorganizedevicesbasedonfunctionandlocationwithoutredundantconfiguration.Templatestackingallowsforstreamlinedconfigurationofnetworksanddevices.Furthermore,acommonuserinterfaceforbothnext-generationfirewallsandmanagementmakesmanagementintuitive.FeaturessuchasGlobalFindandtag-basedrulegroupingempoweryourITadministratorstotakeadvantageofalltheinformationinyournetworkwithease.
Figure 2: Application Command Center
Palo Alto Networks | Panorama | Datasheet 3
Traffic Monitoring: Analysis, Reporting and ForensicsPanoramapullsinlogsfromfirewalls,bothphysicalandvirtual,andfromTraps™advancedendpointprotectionandstorestheminitsownlogstorage.Asyouperformlogqueriesandgener-ate reports, Panorama dynamically pulls the relevant logs from its log storage andpresentstheresultstotheuser.
• Log viewer:Foranindividual device, all devices or Traps, you can quicklyviewlogactivitiesusingdynamiclogfilteringbyclickingon a cell value and/or using the expressionbuildertodefinethesortcriteria.Resultscanbesavedforfuturequeriesorexportedforfurtheranalysis.
• Custom reporting:Predefinedreportscanbeusedasis,customized,orgroupedtogetherasonereportinordertosuitspecificrequirements.
• User activity reports:Auseractivityreportshowstheapplicationsused,URLcategoriesvisited,websitesvisited,andallURLsvisitedoveraspecifiedperiodoftimeforindividualusers.Panoramabuildsthereportsusinganaggregateviewofusers’activity,nomatterwhichfirewalltheyareprotectedby,orwhichIPordevicetheymaybeusing.
• SaaS reports:ASaaSusageandthreatreportprovidesdetailedvisibilityintoallSaaSactivityonthefirewalls,andrelatedthreats.
• Log forwarding:PanoramacanforwardlogscollectedfromallofyourPaloAltoNetworksfirewallsandTrapstore-motedestinationsforpurposessuchaslong-termstorage,forensicsorcompliancereporting.Panoramacanforwardallorselectedlogs,SNMPtraps,andemailnotificationstoaremoteloggingdestination,suchasasyslogserver(overUDP,TCPorSSL).Additionally,Panoramacankickoffaworkflowandsendlogstoathird-partyservicethatprovidesanHTTP-basedAPI,forexample,aticketingserviceorasystemsmanagementproduct.
Panorama Management ArchitecturePanoramaenablesorganizationstomanagetheirPaloAltoNetworksfirewallsusingamodelthatprovidesbothglobaloversightandregionalcontrol.Panoramaprovidesanumberoftoolsforglobalorcentralizedadministration:
• Templates/Template stacks:Panoramamanagescommondeviceandnetworkconfigurationthroughtemplates.Tem-platescanbeusedtomanageconfigurationcentrallyandthenpushthechangestomanagedfirewalls.Thisapproachavoidsmakingthesameindividualfirewallchangerepeatedlyacrossmanydevices.Tomakethingseveneasier,tem-platescanbestackedandusedlikebuildingblocksduringdeviceandnetworkconfiguration.
• Hierarchical device groups:Panoramamanagescommonpoliciesandobjectsthroughhierarchicaldevicegroups.Multi-leveldevicegroupsareusedtocentrallymanagethepoliciesacrossalldeploymentlocationswithcommonrequirements.Devicegrouphierarchymaybecreatedgeographically(e.g.,Europe,NorthAmericaandAsia),func-tionally(e.g.datacenter,maincampusandbranchoffices),asamixofbothorbasedonothercriteria.Thisallowsforcommonpolicysharingacrossdifferentvirtualsystemsonadevice.
Youcanusesharedpoliciesforglobalcontrolwhilestillprovidingyourregionalfirewalladministratorswiththeautonomytomakespecificadjustmentsfortheirrequirements.Atthedevicegrouplevel,youcancreatesharedpoliciesthataredefinedasthefirstsetofrules(pre-rules)andthelastsetofrules(post-rules)tobeevaluatedagainstmatchcriteria.Pre-andpost-rulescanbeviewedonamanagedfirewall,buttheycanonlybeeditedfromPanoramawithinthecontextoftheadministrativerolesthathavebeendefined.Thedevicerules(thosebetweenpre-andpost-rules)canbeeditedbyeitheryourregionalfirewalladministratororaPanoramaadministratorwhohasswitchedtoafirewalldevicecontext.Inaddition,anorganizationcanusesharedobjectsdefinedbyaPanoramaadministrator,whichcanbereferencedbyregionallymanageddevicerules.
• Role-based administration:Role-basedadministrationisusedtodelegatefeature-leveladministrativeaccess,includ-ingtheavailabilityofdata(enabled,read-only,ordisabledandhiddenfromview)todifferentmembersofyourstaff.
Specificindividualscanbegivenappropriateaccesstothetasksthatarepertinenttotheirjobwhilemakingotheraccesseitherhiddenorread-only.AdministratorscancommitandrevertchangesthattheymadeinaPanoramaconfigurationindependentlyofchangesmadebyotheradministrators.
Global Shared Group
DG Business Unit X
DG Data Centers DG Branches
DC East DG Headquarters DC West
Exch. PCI Exch. PCI Web Guest Finance
Figure 3: Device Group Hierarchy
Global Template
West Template East Template
Branch Template DC Template Branch Template
Figure 3: Template stacking
Palo Alto Networks | Panorama | Datasheet 4
Software, Content and License-Update ManagementAsyourdeploymentgrowsinsize,youmaywanttomakesurethatupdatesaresenttodownstreamboxesinanorganizedmanner.Forinstance,securityteamsmayprefertocentrallyqualifyasoftwareupdatebeforeitisdeliveredviaPanoramatoallproductionfirewallsatonce.UsingPanorama,theupdateprocesscanbecentrallymanagedforsoftwareupdates,content(applicationupdates,antivirussignatures,threatsignatures,URLfilteringdatabase,etc.)andlicenses.
Usingtemplates,devicegroups,role-basedadministrationandupdatemanagement,youcandelegateappropriateaccesstoallmanagementfunctions,visualizationtools,policycreation,reportingandloggingatagloballevelaswellastheregionallevel.
Deployment FlexibilityYoucandeployPanoramaeitherasahardwareorvirtualappliance.
Hardware AppliancesPanoramacanbedeployedastheM-100,M-200,M-500orM-600managementappliance.
Virtual AppliancesPanoramacanbedeployedasavirtualapplianceonVMware®ESXi™orinpubliccloudenvironments,includingAmazonAWSandMicrosoftAzure.
Deployment ModesYoucanseparatemanagementandloggingfunctionsofPanoramausingDeploymentMode.Thethreesupported deployment modes are:
1. Panorama
2. Management Only
3. LogCollector
InthePanoramadeploymentmode,Panoramacontrolsbothpolicyandlogmanagementfunctionsforallthemanageddevices.
IntheManagementOnlydeploymentmode,Panoramamanagesconfigurationsforthemanageddevicesbutdoesnotcollectormanagelogs.
IntheLogCollectordeploymentmode,Panoramacollectsandmanageslogsfromthemanageddevices.ThisassumesthatanotherdeploymentofPanoramaisoperatinginManagementOnlydeploymentmode.
TheseparationofmanagementandlogcollectionenablesthePanoramadeploymenttomeetscalability,organizationalandgeographicalrequirements.ThechoiceofformfactoranddeploymentmodegivesyouthemaximumflexibilityformanagingPaloAltoNetworksNext-GenerationFirewallsinadistributednetwork.
PN
Log Collector(hardware)
Log Collector(public cloud)
Logging ServiceLog Collector(private cloud)
Figure 4: Panorama log management
Palo Alto Networks | Panorama | Datasheet 5
M-200 ApplianceI/O
• (4) 10/100/1000, [1] DB9 console serial port, (1) USB portStorage
• Maximum confi gurati on: RAID: 4 x 8 TB RAID Certi fi ed HDD for 16 TB of RAID Storage
Power Supply/Max Power Consumpti on • Dual Power Supplies, hot swap redundant confi gurati on• 750W/300W
Max BTU/hr• 1,114 BTU/hr
Input Voltage (Input Frequency)
• 100-240 VAC (50-60Hz)Max Current Consumpti on
• 9.5A@110 VAC Mean Time Between Failures (MTBF)
• 10 yearsRack Mount (Dimensions)
• 1U, 19” standard rack ( 1.7”H X 29”D X 17.2” W)Weight
• 26 lbsSafety
• UL, CUL, CBEMI
• FCC Part 15, EN 55032, CISPR 32Environment
• Operati ng temperature: 41° to 104° F, 5 to 40° C• Non-operati ng temperature: -40° to 140° F, -40° to 60° C
M-200 Panorama Appliance M-600 Panorama Appliance
M-600 ApplianceI/O
• (4) 10/100/1000, (1) DB9 console serial port, (1) USB port, (2) 10 GigE ports
Storage• Maximum confi gurati on: RAID: 12 x 8 TB RAID Certi fi ed
HDD for 48 TB of RAID storagePower Supply/Max Power Consumpti on
• Dual Power Supplies, hot swap redundant confi gurati on• 750W/486W (total system)
Max BTU/hr• 1,803 BTU/hr
Input Voltage (Input Frequency)• 100-240 VAC (50-60 Hz)
Max Current Consumpti on• 4.5A @ 220 V
Mean Time Between Failures (MTBF)• 8 years
Rack Mount (Dimensions)• 2 U, 19” standard rack ( 3.5”H X 28.46”D X 17.2”W)
Weight• 36 lbs
Safety• UL, CUL, CB
EMI• FCC Part 15, EN 55032, CISPR 32
Environment• Operati ng temperature: 41° to 104° F, 5 to 40° C• Non-operati ng temperature: -40° to 140° F, -40° to 60° C
Panorama SpecificationsNumber of Devices Supported
• Up to 1,000High Availability
• Acti ve/Passive
Administrator Authenti cati on• Local database• RADIUS• SAML• LDAP• TACACS+
Management Tools and APIs
• Graphical User Interface (GUI)• Command Line Interface (CLI)• XML-based REST API
Private Hypervisor Specifications
Management Only Mode
Panorama Mode Log Collector Mode
Cores Support-ed (min-max)
4 CPUs 8 CPUs 16 CPUs
Memory (minimum)
8 GB 32 GB 32 GB
Disk Drive 81 GB System disk 2 TB to 24 TB log storage
2 TB to 24 TB log storage
Public Cloud Instance Types (BYOL License)
Management Only Mode
Panorama Mode Log Collector Mode
Amazon AWS t2.xlarge c5.xlargem5.2xlargem4.2xlarge
m5.2xlargem4.2xlargem5.4xlargem4.4xlarge
c5.4xlargem5.4xlargem4.4xlargec4.8xlarge
Microsoft Azure D4S_V3 Standard D16S_V3 Standard D16S_V3 StandardD32S_V3 Exceeds
Public Clouds SupportedAmazon AWS
Microsoft Azure
3000 Tannery WaySanta Clara, CA 95054
Main: +1.408.753.4000Sales: +1.866.320.4788Support: +1.866.898.9087
www.paloaltonetworks.com
© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. panorama-ds-021618
M-100 ApplianceI/O
• (4)10/100/1000,[1]DB9consoleserialport,(1)USB
Storage
• Maximumconfiguration:RAID:8x2TBRAIDCertifiedHDDfor8TBofRAIDstorage
Power Supply/Max Power Consumption
• 500W/500W
Max BTU/hr
• 1,705BTU/hr
Input Voltage (Input Frequency)
• 100-240VAC(50-60Hz)
Max Current Consumption
• 10A@100VAC
Mean Time Between Failures (MTBF)
• 14.5years
Rack Mount (Dimensions)
• 1U,19”standardrack(1.75"Hx23"Dx17.2"W)
Weight
• 26.7lbs.
Safety
• UL,CUL,CB
EMI
• FCCClassA,CEClassA,VCCIClassA
Environment
• OperatingTemperature:40°to104°F,5°to40°C• Non-operatingTemperature:-40°to149°F,-40°to65°C
M-100 Panorama Appliance M-500 Panorama Appliance
M-500 ApplianceI/O
• (4)10/100/1000,(1)DB9consoleserialport,(1)USBport,(2)10GigEports
Storage
• Maximumconfiguration:RAID:24x2TBRAIDCertifiedHDDfor24TBofRAIDstorage
• Defaultshippingconfiguration:4TB:8x1TBRAIDCertifiedHDDfor4TBofRAIDstorage
Power Supply/Max Power Consumption
• Dualpowersupplies,hotswapredundantconfiguration• 1200W/493W(totalsystem)
Max BTU/hr
• 1,681BTU/hr
Input Voltage (Input Frequency)
• 100-240VAC(50-60Hz)
Max Current Consumption
• 4.2A@120VAC
Mean Time Between Failures (MTBF)
• 6years
Rack Mount (Dimensions)
• 2U,19”standardrack(3.5”Hx21”Dx17.5”W)
Weight
• 42.5lbs.
Safety
• UL,CUL,CB
EMI
• FCCClassA,CEClassA,VCCIClassA
Environment
• Operatingtemperature50°to95°F,10°to35°C• Non-operatingtemperature-40°to158°F,-40°to65°C