Palo Alto Networks | Panorama | Datasheet 1

PANORAMASecurity deployments are complex and can overload IT teams with complex ­security­rules­and­mountains­of­data­from­multiple­sources.­Panorama™­­network­security management empowers you with easy-to-implement, consolidated policy creation­and­centralized­management­features.­Set­up­and­control­firewalls­­centrally­with­industry-leading­functionality­and­an­efficient­rule­base,­and­gain­insight­into­network-wide­traffic­and­threats.

Key Security Features

Management• Deploy corporate policies centrally to­be­used­in­conjunction­with­regional or functional policies for maximum­flexibility.

• Delegate appropriate levels of administrative control at the regional level­or­globally­with­role-based­management.

• Group devices into logical, hier-archical device groups for greater management­flexibility.

• Utilize­template­stacks­for­easy­device­and­network­configuration.

• Easily import existing device ­­­configurations­into­Panorama.

Visibility and Security• Automatically correlate indicators of­threats­for­improved­visibility­and­confirmation of compromised hosts across­your­network.

• Centrally­analyze,­investigate­and­report­network­traffic,­security­incidents and administrative modifications.

• View­a­highly­customizable­graphical­summary of applications, users, content­and­security­threats.

• Generate­actionable,­customizable­reports to view application and threat traffic, SaaS usage, and user behavior­across­your­configuration.

Figure 1: Panorama deployment

Simplified Powerful Policy:­Panorama­network­security­management­provides­static­rules­in­an­ever-changing­network­and­threat­landscape.­Manage­your­network­security­with­a­single­security­rule­base­for­firewall,­threat­prevention,­URL­filtering,­application­awareness,­user­identification,­sandboxing,­file­blocking­and­data­filtering.­This­crucial­simplification,­along­with­dynamic­security­updates,­reduces­workload­on­administrators­while­improving­your­overall­security­posture.

Enterprise Class Management: Panorama­keeps­the­enterprise­user­in­mind.­Control­your­internet­and­data­center­edge,­and­your­private­and­public­cloud­deployments,­all­from­one­single­console.­Panorama­can­be­deployed­via­virtual­appliances,­our­purpose-built­appliances­or­a­combination­of­the­two.­Use­appliances­as­Panorama­management­units­or­as­log­collectors­in­hierarchical­deployment­options.­As­your­network­grows,­you­just­need­to­add­the­log­collectors­–­we­take­care­of­the­rest.

Unmatched Automated Visibility and Awareness: Automated threat correla-tion,­with­a­predefined­set­of­correlation­objects,­cuts­through­the­clutter­of­monstrous­amounts­of­data.­It­identifies­compromised­hosts­and­surfaces­correlated­malicious­behavior­that­would­otherwise­be­buried­in­the­noise­of­too­much­information.­This­reduces­the­dwell­time­of­critical­threats­in­your­network.­A­clean­and­fully­customizable­Application­Command­Center­provides­comprehensive­insight­into­current­and­historical­network­and­threat­data.

PN

BranchData CenterHeadquarters

Public Cloud Logging Service GlobalProtectCloud Service

Palo Alto Networks | Panorama | Datasheet 2

Powerful Network Visibility: Application Command CenterUsing­Application­Command­Center­from­Panorama­provides­you­with­a­highly­interactive,­graphical­view­of­applications,­URLs,­threats­and­data­(files­and­patterns)­traversing­your­Palo­Alto­Networks®­firewalls.­The­ACC­includes­a­tabbed­view­of­network­activity,­threat­activity­and­blocked­activity,­and­each­tab­includes­pertinent­widgets­for­better­visualization­of­traffic­patterns­on­your­network.­Custom­tabs­can­be­created,­which­include­widgets­that­enable­you­to­drill­down­into­the­information­that­is­most­important­to­the­administrator.­The­ACC­provides­a­comprehensive,­fully­customizable­view­of­not­only­current­but­also­historical­data.

Additional­data­on­URL­categories­and­threats­provides­a­complete­and­well-rounded­picture­of­network­activity.­The­visibility­from­the­ACC­enables­you­to­make­informed­policy­decisions­and­respond­quickly­to­potential­security­threats.

Reduced Response Times: Automated Correlation EngineThe­automated­correlation­engine­built­into­the­next-generation­firewall­surfaces­critical­threats­that­may­be­hidden­in­your­network.­It­includes­correlation­objects­that­are­defined­by­the­Palo­Alto­Networks­threat­research­team.­These­objects­identify­suspicious­traffic­patterns­or­a­sequence­of­events­that­indicates­a­malicious­outcome.­Some­correlation­objects­can­identify­dynamic­patterns­that­have­been­observed­from­malware­samples­in­WildFire®­cloud-based­threat­analysis­service.

Simple Policy Control: Safely Enable ApplicationsSafely­enabling­applications­means­allowing­access­to­specific­applications­and­protecting­them­with­specific­threat­pre-vention,­QoS,­and­file,­data­or­URL­filtering­policies.­Panorama­empowers­you­to­set­policy­with­a­single­security­rule­base,­and­simplifies­the­process­of­importing,­duplicating­or­modifying­rules­across­your­network.­The­combination­of­global­and­regional­administrative­control­over­policies­and­objects­lets­you­strike­a­balance­between­consistent­security­at­the­global­level­and­flexibility­at­the­regional­level.

Enterprise Class ManagementDeploying­hierarchical­device­groups­ensures­that­lower-level­groups­inherit­the­settings­of­higher-level­groups.­This­streamlines­central­management­and­enables­you­to­organize­devices­based­on­function­and­location­without­redundant­configuration.­Template­stacking­allows­for­streamlined­configuration­of­networks­and­devices.­Furthermore,­a­common­user­interface­for­both­next-generation­firewalls­and­management­makes­management­intuitive.­Features­such­as­Global­Find­and­tag-based­rule­grouping­empower­your­IT­administrators­to­take­advantage­of­all­the­information­in­your­network­with­ease.

Figure 2: Application Command Center

Palo Alto Networks | Panorama | Datasheet 3

Traffic Monitoring: Analysis, Reporting and ForensicsPanorama­pulls­in­logs­from­firewalls,­both­physical­and­virtual,­and­from­Traps™­advanced­endpoint­protection­and­stores­them­in­its­own­log­storage.­As­you­perform­log­queries­and­gener-ate reports, Panorama dynamically pulls the relevant logs from its log storage and­presents­the­results­to­the­user.

• Log viewer:­For­an­individual­ device, all devices or Traps, you can quickly­view­log­activities­using­dynamic­log­filtering­by­clicking­on a cell value and/or using the expression­builder­to­define­the­sort­criteria.­Results­can­be­saved­for­future­queries­or­exported­for­further­analysis.

• Custom reporting:­Predefined­re­ports­can­be­used­as­is,­customized,­or­grouped­together­as­one­report­in­order­to­suit­specific­requirements.

• User activity reports:­A­user­activity­report­shows­the­applications­used,­URL­categories­visited,­websites­visited,­and­all­URLs­visited­over­a­specified­period­of­time­for­individual­users.­Panorama­builds­the­reports­using­an­aggregate­view­of­users’­activity,­no­matter­which­firewall­they­are­protected­by,­or­which­IP­or­device­they­may­be­using.

• SaaS reports:­A­SaaS­usage­and­threat­report­provides­detailed­visibility­into­all­SaaS­activity­on­the­firewalls,­and­related­threats.

• Log forwarding:­Panorama­can­forward­logs­collected­from­all­of­your­Palo­Alto­Networks­firewalls­and­Traps­to­re-mote­destinations­for­purposes­such­as­long-term­storage,­forensics­or­compliance­reporting.­Panorama­can­forward­all­or­­selected­logs,­SNMP­traps,­and­email­notifications­to­a­remote­logging­destination,­such­as­a­syslog­server­(over­UDP,­TCP­or­SSL).­Additionally,­Panorama­can­kick­off­a­workflow­and­send­logs­to­a­third-party­service­that­provides­an­HTTP-based­API,­for­example,­a­ticketing­service­or­a­systems­management­product.

Panorama Management ArchitecturePanorama­enables­organizations­to­manage­their­Palo­Alto­Networks­firewalls­using­a­model­that­provides­both­global­oversight­and­regional­control.­Panorama­provides­a­number­of­tools­for­global­or­centralized­administration:

• Templates/Template stacks:­Panorama­manages­common­device­and­network­configuration­through­templates.­Tem-plates­can­be­used­to­manage­configuration­centrally­and­then­push­the­changes­to­managed­firewalls.­This­approach­avoids­making­the­same­individual­firewall­change­repeatedly­across­many­devices.­To­make­things­even­easier,­tem-plates­can­be­stacked­and­used­like­building­blocks­during­device­and­network­configuration.

• Hierarchical device groups:­Panorama­manages­common­policies­and­objects­through­hierarchical­device­groups.­Multi-level­device­groups­are­used­to­centrally­manage­the­policies­across­all­deployment­locations­with­common­requirements.­Device­group­hierarchy­may­be­created­geographically­(e.g.,­Europe,­North­America­and­Asia),­func-tionally­(e.g.­data­center,­main­campus­and­branch­offices),­as­a­mix­of­both­or­based­on­other­criteria.­This­allows­for­common­policy­sharing­across­different­virtual­systems­on­a­device.

You­can­use­shared­policies­for­global­control­while­still­providing­your­regional­firewall­administrators­with­the­autonomy­to­make­specific­adjustments­for­their­requirements.­At­the­device­group­level,­you­can­create­shared­policies­that­are­defined­as­the­first­set­of­rules­(pre-rules)­and­the­last­set­of­rules­(post-rules)­to­be­evaluated­against­match­criteria.­Pre-­and­post-rules­can­be­viewed­on­a­managed­firewall,­but­they­can­only­be­edited­from­Panorama­within­the­context­of­the­administrative­roles­that­have­been­defined.­The­device­rules­(those­between­pre-­and­post-rules)­can­be­edited­by­either­your­regional­firewall­administrator­or­a­Panorama­administrator­who­has­switched­to­a­firewall­device­context.­In­addition,­an­organization­can­use­shared­objects­defined­by­a­Panorama­administrator,­which­can­be­referenced­by­regionally­managed­device­rules.

• Role-based administration:­Role-based­administration­is­used­to­delegate­feature-level­administrative­access,­includ-ing­the­availability­of­data­(enabled,­read-only,­or­disabled­and­hidden­from­view)­to­different­members­of­your­staff.

Specific­individuals­can­be­given­appropriate­access­to­the­tasks­that­are­pertinent­to­their­job­while­making­other­access­either­hidden­or­read-only.­Administrators­can­commit­and­revert­changes­that­they­made­in­a­Panorama­configuration­independently­of­changes­made­by­other­administrators.

Global Shared Group

DG Business Unit X

DG Data Centers DG Branches

DC East DG Headquarters DC West

Exch. PCI Exch. PCI Web Guest Finance

Figure 3: Device Group Hierarchy

Global Template

West Template East Template

Branch Template DC Template Branch Template

Figure 3: Template stacking

Palo Alto Networks | Panorama | Datasheet 4

Software, Content and License-Update ManagementAs­your­deployment­grows­in­size,­you­may­want­to­make­sure­that­updates­are­sent­to­downstream­boxes­in­an­organized­manner.­For­instance,­security­teams­may­prefer­to­centrally­qualify­a­software­update­before­it­is­delivered­via­Panorama­to­all­production­firewalls­at­once.­Using­Panorama,­the­update­process­can­be­centrally­managed­for­software­updates,­content­(application­updates,­antivirus­signatures,­threat­signatures,­URL­filtering­database,­etc.)­and­licenses.

Using­templates,­device­groups,­role-based­administration­and­update­management,­you­can­delegate­appropriate­access­to­all­management­functions,­visualization­tools,­policy­creation,­reporting­and­logging­at­a­global­level­as­well­as­the­regional­level.

Deployment FlexibilityYou­can­deploy­Panorama­either­as­a­hardware­or­virtual­appliance.

Hardware AppliancesPanorama­can­be­deployed­as­the­M-100,­M-200,­M-500­or­M-600­management­appliance.

Virtual AppliancesPanorama­can­be­deployed­as­a­virtual­appliance­on­VMware®­ESXi™­or­in­public­cloud­environments,­including­Amazon­AWS­and­Microsoft­Azure.

Deployment ModesYou­can­separate­management­and­logging­functions­of­Panorama­using­Deployment­Mode.­The­three­supported­ deployment modes are:

1.­ Panorama

2.­ Management Only

3.­ Log­Collector

In­the­Panorama­deployment­mode,­Panorama­controls­both­policy­and­log­management­functions­for­all­the­managed­devices.

In­the­Management­Only­deployment­mode,­Panorama­manages­configurations­for­the­managed­devices­but­does­not­collect­or­manage­logs.

In­the­Log­Collector­deployment­mode,­Panorama­collects­and­manages­logs­from­the­managed­devices.­This­assumes­that­another­deployment­of­Panorama­is­operating­in­Management­Only­deployment­mode.

The­separation­of­management­and­log­collection­enables­the­Panorama­deployment­to­meet­scalability,­organizational­and­geographical­requirements.­The­choice­of­form­factor­and­deployment­mode­gives­you­the­maximum­flexibility­for­managing­Palo­Alto­Networks­Next-Generation­Firewalls­in­a­distributed­network.

PN

Log Collector(hardware)

Log Collector(public cloud)

Logging ServiceLog Collector(private cloud)

Figure 4: Panorama log management

Palo Alto Networks | Panorama | Datasheet 5

M-200 ApplianceI/O

• (4) 10/100/1000, [1] DB9 console serial port, (1) USB portStorage

• Maximum confi gurati on: RAID: 4 x 8 TB RAID Certi fi ed HDD for 16 TB of RAID Storage

Power Supply/Max Power Consumpti on • Dual Power Supplies, hot swap redundant confi gurati on• 750W/300W

Max BTU/hr• 1,114 BTU/hr

Input Voltage (Input Frequency)

• 100-240 VAC (50-60Hz)Max Current Consumpti on

• 9.5A@110 VAC Mean Time Between Failures (MTBF)

• 10 yearsRack Mount (Dimensions)

• 1U, 19” standard rack ( 1.7”H X 29”D X 17.2” W)Weight

• 26 lbsSafety

• UL, CUL, CBEMI

• FCC Part 15, EN 55032, CISPR 32Environment

• Operati ng temperature: 41° to 104° F, 5 to 40° C• Non-operati ng temperature: -40° to 140° F, -40° to 60° C

M-200 Panorama Appliance M-600 Panorama Appliance

M-600 ApplianceI/O

• (4) 10/100/1000, (1) DB9 console serial port, (1) USB port, (2) 10 GigE ports

Storage• Maximum confi gurati on: RAID: 12 x 8 TB RAID Certi fi ed

HDD for 48 TB of RAID storagePower Supply/Max Power Consumpti on

• Dual Power Supplies, hot swap redundant confi gurati on• 750W/486W (total system)

Max BTU/hr• 1,803 BTU/hr

Input Voltage (Input Frequency)• 100-240 VAC (50-60 Hz)

Max Current Consumpti on• 4.5A @ 220 V

Mean Time Between Failures (MTBF)• 8 years

Rack Mount (Dimensions)• 2 U, 19” standard rack ( 3.5”H X 28.46”D X 17.2”W)

Weight• 36 lbs

Safety• UL, CUL, CB

EMI• FCC Part 15, EN 55032, CISPR 32

Environment• Operati ng temperature: 41° to 104° F, 5 to 40° C• Non-operati ng temperature: -40° to 140° F, -40° to 60° C

Panorama SpecificationsNumber of Devices Supported

• Up to 1,000High Availability

• Acti ve/Passive

Administrator Authenti cati on• Local database• RADIUS• SAML• LDAP• TACACS+

Management Tools and APIs

• Graphical User Interface (GUI)• Command Line Interface (CLI)• XML-based REST API

Private Hypervisor Specifications

Management Only Mode

Panorama Mode Log Collector Mode

Cores Support-ed (min-max)

4 CPUs 8 CPUs 16 CPUs

Memory (minimum)

8 GB 32 GB 32 GB

Disk Drive 81 GB System disk 2 TB to 24 TB log storage

2 TB to 24 TB log storage

Public Cloud Instance Types (BYOL License)

Management Only Mode

Panorama Mode Log Collector Mode

Amazon AWS t2.xlarge c5.xlargem5.2xlargem4.2xlarge

m5.2xlargem4.2xlargem5.4xlargem4.4xlarge

c5.4xlargem5.4xlargem4.4xlargec4.8xlarge

Microsoft Azure D4S_V3 Standard D16S_V3 Standard D16S_V3 StandardD32S_V3 Exceeds

Public Clouds SupportedAmazon AWS

Microsoft Azure

3000 Tannery WaySanta Clara, CA 95054

Main: +1.408.753.4000Sales: +1.866.320.4788Support: +1.866.898.9087

www.paloaltonetworks.com

© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. panorama-ds-021618

M-100 ApplianceI/O

• (4)­10/100/1000,­[1]­DB9­console­serial­port,­(1)­USB

Storage

• Maximum­configuration:­RAID:­8­x­2TB­RAID­Certified­HDD­for­8TB­of­RAID­storage

Power Supply/Max Power Consumption

• 500W/500W

Max BTU/hr

• 1,705­BTU/hr

Input Voltage (Input Frequency)

• 100-240­VAC­(50-60Hz)­

Max Current Consumption

• 10A­@­100­VAC­

Mean Time Between Failures (MTBF)

• 14.5­years

Rack Mount (Dimensions)

• 1U,­19”­standard­rack­(1.75"­H­x­23"­D­x­17.2"­W)

Weight

• 26.7­lbs.

Safety

• UL,­CUL,­CB

EMI

• FCC­Class­A,­CE­Class­A,­VCCI­Class­A

Environment

• Operating­Temperature:­40°­to­104°­F,­5°­to­40°­C• Non-operating­Temperature:­-40°­to­149°­F,­-40°­to­65°­C

M-100 Panorama Appliance M-500 Panorama Appliance

M-500 ApplianceI/O

• (4)­10/100/1000,­(1)­DB9­console­serial­port,­(1)­USB­port,­(2)­10­GigE­ports

Storage

• Maximum­configuration:­RAID:­24­x­2TB­RAID­Certified­HDD­for­24TB­of­RAID­storage

• Default­shipping­configuration:­4TB:­8­x­1TB­RAID­­Certified­HDD­for­4TB­of­RAID­storage

Power Supply/Max Power Consumption

• Dual­power­supplies,­hot­swap­redundant­configuration• 1200W/493W­(total­system)

Max BTU/hr

• ­1,681­BTU/hr

Input Voltage (Input Frequency)

• ­100-240­VAC­(50-60Hz)­

Max Current Consumption

• 4.2A­@­120­VAC­

Mean Time Between Failures (MTBF)

• ­6­years

Rack Mount (Dimensions)

• ­2U,­19”­standard­rack­(3.5”­H­x­21”­D­x­17.5”­W)

Weight

• ­42.5­lbs.

Safety

• UL,­CUL,­CB

EMI

• ­FCC­Class­A,­CE­Class­A,­VCCI­Class­A

Environment

• ­Operating­temperature­50°­to­95°­F,­10°­to­35°­C• ­Non-operating­temperature­-40°­to­158°­F,­-40°­to­65°­C