You can add Palo Alto Networks Panorama as a data source in VMware Aria Operations for Networks.

Prerequisites

You must ensure that:

  • The data source and its version are supported in VMware Aria Operations for Networks. For more information, see Supported Products and Versions.
  • The data source follows VMware Ports and Protocols supported in VMware Aria Operations for Networks. For more information, see VMware Ports and Protocols.
  • You have an admin role with XML API access. For more details, see Palo Alto Firewall.
In the Panorama UI, perform the following steps to add an admin role for XML API.
  1. Select Panorama > Admin Roles.
  2. Click Add to add a new admin role.
  3. In the Admin Role Profile window, enter a name for the role and select Panorama.
  4. Click the Web UI tab and deactivate all entries.
  5. Click the XML API tab and deactivate all entries, except Configuration and Operational Requests.
  6. Click OK to close the window.

    The new admin role appears in the list.

  7. Click Commit.
  8. Assign this role to an administrator account or create a new user and assign this role to the new user.
Note: VMware Aria Operations for Networks does not currently fetch local Palo Alto Network policies that are directly defined in the devices.
Note: VMware Aria Operations for Networks does not support the Palo Alto Panorama integration with multiple NSX managers.
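
An offline check of the admin role created in the steps above, added here as an example (not VMware or Palo Alto Networks code): it flags any Web UI entry left active and any XML API permission other than Configuration and Operational Requests. The XML layout and element names (`role/panorama/webui`, `xmlapi`, `config`, `op`) are assumptions modelled on an exported role entry, and the sample role is constructed.

```python
import xml.etree.ElementTree as ET

# XML API permissions left enabled in step 5 (element names are assumptions).
ALLOWED_XMLAPI = {"config", "op"}

# Constructed sample: one Web UI entry and one extra XML API permission left on.
SAMPLE_ROLE = """
<entry name="aria-collector">
  <role><panorama>
    <webui>
      <dashboard>disable</dashboard>
      <monitor><logs><traffic>enable</traffic></logs></monitor>
    </webui>
    <xmlapi>
      <config>enable</config><op>enable</op><report>disable</report>
      <log>disable</log><commit>enable</commit><export>disable</export>
    </xmlapi>
  </panorama></role>
</entry>
"""

def leaf_settings(node, prefix=""):
    """Yield (path, value) for every leaf element under node."""
    for child in node:
        path = f"{prefix}/{child.tag}" if prefix else child.tag
        if len(child):
            yield from leaf_settings(child, path)
        else:
            yield path, (child.text or "").strip()

def audit_role(entry_xml):
    """Return sorted findings; an empty list means the role matches the procedure."""
    scope = ET.fromstring(entry_xml).find("./role/panorama")
    if scope is None:
        return ["role is not a Panorama role"]
    findings = []
    webui = scope.find("webui")
    for path, value in leaf_settings(webui if webui is not None else []):
        if value != "disable":  # also catches partial access such as read-only
            findings.append(f"webui/{path} is '{value}', expected 'disable'")
    xmlapi = scope.find("xmlapi")
    seen = dict(leaf_settings(xmlapi if xmlapi is not None else []))
    for name, value in seen.items():
        if name not in ALLOWED_XMLAPI and value != "disable":
            findings.append(f"xmlapi/{name} is '{value}', expected 'disable'")
    for name in ALLOWED_XMLAPI:
        if seen.get(name) != "enable":
            findings.append(f"xmlapi/{name} must be 'enable' for collection")
    return sorted(findings)
```

Running `audit_role(SAMPLE_ROLE)` reports the traffic log Web UI entry and the commit XML API permission as deviations from the procedure.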

Procedure

  1. From the left navigation pane, go to Settings > Accounts and Data Sources.
  2. Click Add Source.
  3. Under Firewalls, click Palo Alto Networks Panorama.
  4. In the Add a New Palo Alto Networks Panorama Account or Source page, provide the required information.
    Option            Action
    Collector VM      Select a collector VM from the drop-down menu.
    IP Address/FQDN   Enter the IP address or the FQDN details.
    Username          Enter the user name.
    Password          Enter the password.
  5. Click Validate.
  6. Define the polling interval for the configuration data collection. You can set the polling interval from 10 minutes to 7 days.
    • Preset - Select the interval time from the predefined time set.
    • Custom Interval - Set a value and select Minutes, Hours, or Days.
    • Fixed Schedule - Select the days and set the time to schedule the interval.
  7. (Optional) In the Nickname text box, enter a nickname.
  8. (Optional) In the Tags (Optional) key-value pair text box, enter a key and a value.
    A key-value pair can be any text. For example, you can use Layer Access as a key-value pair, where layer is the key and access is the value.
    1. To apply the tag in all the associated entities, click the Apply above tag operations to all associated entities check box. When you select this option, the tag gets applied to all associated entities. For more details about the associated entities, see Working with Local Tags.
      If you clear the Apply above tag operations to all associated entities check box, the assigned tag is removed from all the associated entities.
  9. (Optional) In the Notes text box, add a note if necessary.
  10. Click Submit.

What to do next

VMware Aria Operations for Networks supports the following features of Palo Alto firewall:
  • Neighbor Discovery (LLDP)
  • Layer 3 Routing (IPv4)
  • Virtual Router
  • Virtual Wire (Supported only in network assurance and verification)
  • Security Policy
  • Security Zone
  • Virtual System (Not supported in network assurance and verification)
    Note: VMware Aria Operations for Networks does not support inter-vsys routing of Palo Alto firewalls.
  • High Availability. This feature has limited support and is not supported in network assurance and verification.
    Note: VIP interfaces are not supported.