Panorama PDF

Uploaded by

sabih shah
Panorama

Security deployments can be complex, overloading IT teams with myriad security rules and mountains of data from multiple sources. Panorama™ network security management empowers you with easy-to-implement, consolidated policy creation and centralized management features. You can provision firewalls centrally and use industry-leading functionality to create effective security rules as well as gain insight into network traffic and threats.

Strata by Palo Alto Networks | Panorama | Datasheet 1


Key Features

Management
• Device groups, hierarchies, and tags for organizing policies
• Template stacks for reusable network configuration
• Administrator-specific commits to avoid accidental changes
• Easy software updates and upgrades
• SD-WAN connectivity for branch offices

Visibility
• Centralized visibility across the infrastructure
• Correlated insights that can be acted upon
• Health profiling for improved understanding of device usage

Security
• Easy transformation of legacy rules into application-based rules using intelligence gathered by PAN-OS®
• Rule usage analysis to reduce the attack surface and improve security posture
• Centralized deployment of the latest security content updates

Automation
• Log filtering and automated actions on third-party systems
• Automated policy deployments for dynamic environments
• XML- and JSON-based REST APIs for easy integration

Simplified, Powerful Policy

Panorama network security management provides consistent rules in an ever-changing network and threat landscape. Manage your network security with a single security rule base for firewall, threat prevention, URL filtering, application awareness, user identification, sandboxing, file blocking, access control, and data filtering. This crucial simplification, along with App-ID™ technology-based rules, dynamic security updates, and rule usage analysis, reduces administrative workload and improves your overall security posture.

Figure 1: Panorama deployment (diagram labels: Public cloud, Cortex Data Lake, Prisma Access, PN, Headquarters, Data center, Branch)

Enterprise-Class Management

Panorama keeps enterprise users in mind. You can control your internet edge as well as your private and public cloud deployments all from a single console. Panorama can be deployed via virtual appliances, our purpose-built appliances, or a combination of the two.

Automated, Centralized Visibility

Automated threat correlation, with a predefined set of correlation objects, cuts through the clutter of monstrous amounts of data. It identifies compromised hosts and correlates malicious behavior that would otherwise be lost in the noise. This reduces the dwell time of critical threats in your network. The clean, fully customizable Application Command Center (ACC) provides comprehensive insight into your current as well as historical network and threat data.

Figure 2: Application Command Center

Unmatched Scale

Use a single highly available pair of Panorama appliances to manage up to 5,000 Next-Generation Firewalls, or use the Panorama Interconnect plugin to centralize configuration management and access control for tens of thousands of devices.

Powerful Network Visibility

The ACC provides you an interactive, graphical view of applications, URLs, threats, data files, and patterns traversing your Palo Alto Networks firewalls. The ACC includes a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of traffic patterns on your network. You can create custom tabs with widgets that enable you to drill down into the information most important to the administrator. The ACC provides a comprehensive, fully customizable view of current and historical data.

Additional data on URL categories and threats provides a complete, well-rounded picture of network activity. The visibility from the ACC helps you make informed policy decisions and respond quickly to potential security threats.

Reduced Response Times

The automated correlation engine built into the Next-Generation Firewall surfaces critical threats that may be hidden in your network. It includes correlation objects that identify suspicious traffic patterns or sequences of events that indicate malicious outcomes. Some correlation objects can identify dynamic patterns previously observed from malware samples in WildFire® malware prevention service.

Simple Policy Control

Safely enabling applications means allowing access to specific applications and protecting them with specific policies for Threat Prevention and access control as well as file, data, and URL filtering. You can transform your bulky legacy rule base into an intuitive policy that strengthens security and takes much less time to manage. Panorama empowers you to set policy with a single security rule base and simplifies the process of importing, duplicating, or modifying rules across your network. The combination of global and regional administrative control over policies and objects lets you strike a balance between consistent security at the global level and flexibility at the regional level.

Traffic Monitoring: Analysis, Reporting, and Forensics

Panorama pulls and stores logs from physical and virtualized firewalls, Cortex™ Data Lake, and Cortex XDR agents. As you perform log queries and generate reports, Panorama dynamically pulls relevant logs from its storage and presents the results to the user:

• Log viewer: For individual devices, all devices, or Cortex XDR agents, you can quickly view log activities with dynamic log filtering by clicking on a cell value and/or using the expression builder to define sort criteria. You can also save results for future queries or export them for further analysis.
• Custom reporting: Predefined reports can be used as is, customized, or grouped together as one report to suit specific requirements.
• User activity reports: These reports show the applications used, URL categories visited, websites visited, and all URLs visited over a specified period for individual users. Panorama builds these reports using an aggregate view of user activity, no matter the user’s device or IP, and no matter which firewall is protecting a given user.
• SaaS reports: A software-as-a-service (SaaS) usage and threat report provides detailed visibility into all SaaS activity on the firewalls as well as related threats.
• Log forwarding: Panorama can forward logs from Cortex XDR agents and your Palo Alto Networks firewalls for storage, forensics, reporting, etc. It can forward all or selected logs, SNMP traps, and email notifications to a remote destination over UDP, TCP, or SSL. Panorama can also send logs to third-party providers of HTTP-based APIs, such as ticketing services or systems management products.

Easy-to-Use, Centralized Management

Deploying hierarchical device groups ensures lower-level groups inherit the settings of higher-level groups. This streamlines central management and enables you to organize devices based on function and location without redundant configuration. Template stacking allows for streamlined configuration of networks and devices. Furthermore, a common user interface for Next-Generation Firewalls makes management intuitive. Features like Global Find, audit comments, universal unique identifier (UUID) for all rules, and tag-based rule grouping empower your IT administrators to take advantage of all the information in your network with ease.

Figure 3: Device group hierarchy (diagram labels: Global shared group; DG business unit X; DG branches, DG headquarters, DG data centers; DC west, DC east; Finance, Guest, Web, PCI, Exch.)

Figure 4: Template stacking (diagram labels: Branch template, Branch template, DC template; West template, East template; Global template)

Enhanced Visibility and Troubleshooting for Mobile Workers

GlobalProtect™ network security for endpoints extends Next-Generation Firewall capabilities to mobile workers. By leveraging Panorama, you can get greater visibility into user connection failures at all stages, use authentication logs to help you troubleshoot issues with user accounts, and enforce access control based on specific data in GlobalProtect logs.

Panorama Management Architecture

Panorama enables you to manage your Palo Alto Networks firewalls using a model that provides both global oversight and regional control. Panorama provides multiple tools for global or centralized administration.



Templates/Template Stacks

Panorama manages common device and network configuration through templates, which can be used to manage configuration centrally and push changes to managed firewalls. This approach avoids the need to make the same individual firewall changes repeatedly across many devices. To make things even easier, templates can be stacked and used like building blocks during device and network configuration.

Hierarchical Device Groups

Panorama manages common policies and objects through hierarchical device groups. Multilevel device groups are used to centrally manage the policies across all deployment locations with common requirements. Device group hierarchy may be created geographically (e.g., Europe, North America, and Asia); functionally (e.g., data center, main campus, and branch offices); as a mix of both; or based on other criteria. This allows for common policy sharing across different virtual systems on a device.

You can use shared policies for global control while still allowing your regional firewall administrators autonomy to make specific adjustments for their requirements. At the device group level, you can create shared policies that are defined as the first set of rules and the last set of rules—the pre-rules and post-rules, respectively—to be evaluated against match criteria. Pre- and post-rules can be viewed on a managed firewall, but they can only be edited from Panorama within the context of the administrative roles that have been defined.

The device rules, that is, those between pre- and post-rules, can be edited by either your regional firewall administrator or a Panorama administrator who has switched to a firewall device context. In addition, an organization can use shared objects defined by a Panorama administrator, which can be referenced by regionally managed device rules.

Role-Based Administration

Role-based administration is used to delegate feature-level administrative access, including the availability of data—enabled, read-only, or disabled and hidden from view—to different members of your staff.

You can give specific individuals appropriate access to the tasks pertinent to their job while making other access either hidden or read-only. Administrators can commit or revert changes they make in a Panorama configuration independently of changes made by other administrators.

Software, License Update, and Content Management

As your deployment grows, you may want to make sure updates are sent to downstream boxes in an organized manner. For instance, security teams may prefer to centrally qualify a software update before it is delivered via Panorama to all production firewalls at once. Panorama lets you centrally manage the update process for software updates, licenses, and content—including application updates, antivirus signatures, threat signatures, URL Filtering database entries, etc.

Using templates, device groups, role-based administration, and update management, you can delegate appropriate access to all management functions, visualization tools, policy creation, reporting, and logging at global as well as regional levels.

Deployment Flexibility

You can deploy Panorama either as a hardware or virtual appliance.

Hardware Appliances

Panorama can be deployed as the M-200, M-500, or M-600 management appliance.

Virtual Appliances

Panorama can be deployed as a virtual appliance on VMware ESXi™, KVM, and Microsoft Hyper-V®, or in public cloud environments, including Google Cloud Platform (GCP™), Amazon Web Services (AWS®), AWS GovCloud, Microsoft Azure®, and Azure GovCloud.

Deployment Modes

You can separate management and logging functions of Panorama using deployment modes. The three supported deployment modes are:

1. Management Only: Panorama manages configurations for the managed devices but does not collect or manage logs.
2. Panorama: Panorama controls both policy and log management functions for all managed devices.
3. Log Collector: Panorama collects and manages logs from managed devices. This assumes another deployment of Panorama is operating in Management Only mode.

Figure 5: Panorama log management (diagram labels: PN; Log collector (hardware), Log collector (private cloud), Log collector (public cloud), Cortex Data Lake)



Deployment Scale

The Panorama Interconnect plugin connects multiple Panorama instances to scale firewall management to tens of thousands of firewalls. By leveraging the plugin, the Panorama Controller allows you to synchronize the configuration, quickly onboard firewalls, and schedule content updates from a central location (see figure 6), in turn simplifying management of all your firewalls regardless of their location—on-premises or in the cloud.

Note: Panorama Interconnect is supported only on M-600 appliances or similarly resourced VMs.

Figure 6: Synchronized configuration across all firewalls (diagram labels: PN Controller; PN 1, PN 2, PN 3, PN 4)

Table 1: Panorama Appliance Hardware Specifications

| | M-200 | M-500 | M-600 |
|---|---|---|---|
| I/O | 10/100/1000 (4), DB9 console serial port (1), USB port (1) | 10/100/1000 (4), DB9 console serial port (1), USB port (1), 10 GigE ports (2) | 10/100/1000 (4), DB9 console serial port (1), USB port (1), 10 GigE ports (2) |
| Storage: maximum configuration | 8 TB RAID Certified HDD (4) for 16 TB of RAID storage | 2 TB RAID Certified HDD (24) for 24 TB of RAID storage | 8 TB RAID Certified HDD (12) for 48 TB of RAID storage |
| Storage: default shipping configuration | 8 TB RAID Certified HDD (4) for 16 TB of RAID storage | 2 TB RAID Certified HDD (4) for 4 TB of RAID storage | 8 TB RAID Certified HDD (4) for 16 TB of RAID storage |
| Power Supply/Max Power Consumption | Dual power supplies, hot swap redundant configuration; 750 W / 300 W | Dual power supplies, hot swap redundant configuration; 1,200 W / 493 W (total system) | Dual power supplies, hot swap redundant configuration; 750 W / 486 W (total system) |
| Max BTU/hr | 1,114 BTU/hr | 1,681 BTU/hr | 1,803 BTU/hr |
| Input Voltage (Input Frequency) | 100–240 VAC (50–60 Hz) | 100–240 VAC (50–60 Hz) | 100–240 VAC (50–60 Hz) |
| Max Current Consumption | 9.5 A @ 110 VAC | 4.2 A @ 120 VAC | 4.5 A @ 220 VAC |
| Mean Time Between Failures (MTBF) | 10 years | 6 years | 8 years |
| Rack Mount (Dimensions) | 1U, 19” standard rack (1.7” H x 29” D x 17.2” W) | 2U, 19” standard rack (3.5” H x 21” D x 17.5” W) | 2U, 19” standard rack (3.5” H x 28.46” D x 17.2” W) |
| Weight | 26 lbs | 42.5 lbs | 36 lbs |
| Safety | UL, CUL, CB | UL, CUL, CB | UL, CUL, CB |
| EMI | FCC Part 15, EN 55032, CISPR 32 | FCC Class A, CE Class A, VCCI Class A | FCC Part 15, EN 55032, CISPR 32 |
| Environment: operating temperature | 41° to 104° F, 5° to 40° C | 50° to 95° F, 10° to 35° C | 41° to 104° F, 5° to 40° C |
| Environment: non-operating temperature | -40° to 140° F, -40° to 60° C | -40° to 158° F, -40° to 65° C | -40° to 140° F, -40° to 60° C |



Table 2: Other Panorama Specs

Number of Devices Supported
• Up to 5,000

High Availability
• Active/Passive

Administrator Authentication
• Local database
• RADIUS
• SAML
• LDAP
• TACACS+

Management Tools and APIs
• Graphical user interface
• Command-line interface
• XML- and JSON-based REST API

Table 3: Private Hypervisor Specifications

| | Management Only Mode | Panorama Mode | Log Collector Mode |
|---|---|---|---|
| Cores Supported | 4 CPUs | 8 CPUs | 16 CPUs |
| Memory (minimum) | 8 GB | 32 GB | 32 GB |
| Disk Drive | 81 GB system disk | 2 TB to 24 TB log storage | 2 TB to 24 TB log storage |

Table 4: Public Clouds Supported

GCP, AWS, AWS GovCloud, Azure, Azure GovCloud

3000 Tannery Way
Santa Clara, CA 95054

Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087

www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. panorama-ds-020620
