How to onboard devices to Panorama in legacy and sc3 modes?

Created On 11/14/23 03:07 AM - Last Modified 08/06/25 03:43 AM


Objective


The onboarding process is already documented in the Admin Guide. This article clarifies a few points about the two onboarding modes (legacy and sc3), how to tell which one a device uses, and how to move a device from legacy to sc3.



Environment


  • PAN-OS
  • Panorama-managed devices
  • Panorama


Procedure


Device running PAN-OS version below 10.1 - legacy mode

  1. On the Panorama side: add the serial number of the device.
  2. On the device side: add the IP address of the Panorama to join.
  3. The communication between Panorama and the managed device is secured using the legacy certificates.


Device onboarded on PAN-OS version below 10.1

Device running PAN-OS version 10.1 or above - sc3 mode

  1. PAN-OS 10.1 introduced improvements to the device registration with Panorama.
  2. The device onboarding is done by configuring:
    • On the Panorama side: configure an authentication key for the device serial number, then add the serial number of the device.
    • On the device side: add the authentication key and the IP address of the Panorama to join.

Note that a device already onboarded prior to PAN-OS 10.1 is not re-onboarded when it is upgraded to 10.1 or above; it keeps using legacy mode until it is explicitly moved to sc3 mode (see the migration procedure below).

  1. The communication between Panorama and the managed device is secured using the sc3 certificates.
  2. The authentication key generated on Panorama is valid only during its lifetime and for a limited number of uses.
  3. Once either of the two limits is reached, the authentication key can no longer be used and a new one needs to be created.
  4. The authentication key is not saved in the configuration, so it is not synchronized over Panorama HA.
  5. As a best practice, always create the authentication key on, and onboard the device against, the active Panorama.


Device onboarding on PAN-OS 10.1 and above

  1. Identify the onboarding method used by the device by running the following command on the device:
admin@firewall> show system state | match cfg.ms.
cfg.ms.ca: 2124fdae-97a0-4dc6-81b7-e64a50fe04f4
cfg.ms.cc: 737f26c8-9d89-4c18-9cef-1bb7a20afffb
    • If a response is returned containing the entries "cfg.ms.ca" and "cfg.ms.cc" (as above), the onboarding was done with the PAN-OS 10.1 or above (sc3) method. If nothing is returned, the device was onboarded in legacy mode.
    • Note: these entries may also be seen on a device running a PAN-OS version below 10.1; that means the device has been downgraded from PAN-OS 10.1 or above, since sc3 mode has only been implemented from PAN-OS 10.1.
  2. Move from legacy mode to sc3 mode
    • This migration is only possible for devices onboarded in legacy mode and running PAN-OS 10.1 or above.
    • No logs will be saved on Panorama for the device during the move.
    • The move consists of removing the Panorama IP from the device, then adding it back together with an authentication key.
    • The logs stored locally on Panorama for the device may be deleted.
      1. On the device, remove the Panorama from the configuration.
      2. On the device, commit.
      3. On Panorama, create an authkey:

        admin@panorama> request authkey add name TAC lifetime 60 count 100
        Added authkey 'TAC': '2:IST9rpegTcaBt-ZKUP4E9BeeFWnKYUbbgPoit9ptVvH0ZpU35FT-YJCiPsUz7gxhBcd5KmewMkLCC5MLwRmq2w'
      4. On the device, set the Panorama IP address and the authkey:
        admin@firewall> request authkey set '2:IST9rpegTcaBt-ZKUP4E9BeeFWnKYUbbgPoit9ptVvH0ZpU35FT-YJCiPsUz7gxhBcd5KmewMkLCC5MLwRmq2w'

      5. On the device, commit.
      6. On the device, restart the management-server:
        admin@firewall> debug software restart process management-server
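The following script is an added example and is not part of the Palo Alto Networks article or of PAN-OS itself. It applies the rules above to captured CLI text from a fleet of firewalls: the presence of "cfg.ms.ca" and "cfg.ms.cc" in "show system state | match cfg.ms." means sc3 onboarding, those entries on a release below 10.1 mean the device was downgraded, and only a legacy-mode device on 10.1 or above is eligible for the move to sc3. It also extracts the key string from the "request authkey add" output so it can be passed to "request authkey set" on the device. The assumption is that the running release is read from the "sw-version:" line of "show system info"; all sample outputs are constructed for the example.

```python
"""Added example (not from the Palo Alto Networks article): classify how a
Panorama-managed firewall was onboarded and whether it can be moved to sc3.

Rules applied (from the article):
  - 'show system state | match cfg.ms.' returning cfg.ms.ca and cfg.ms.cc
    means the device was onboarded with the PAN-OS 10.1+ (sc3) method;
  - those entries on a release below 10.1 mean the device was downgraded;
  - a legacy-mode device can be migrated only on PAN-OS 10.1 or above.
Assumption: the release is read from the 'sw-version:' line of
'show system info'. All sample outputs below are constructed.
"""
import re
from dataclasses import dataclass

MIN_SC3_VERSION = (10, 1)           # sc3 onboarding exists from PAN-OS 10.1


@dataclass(frozen=True)
class OnboardingStatus:
    version: tuple      # (major, minor) of the running PAN-OS release
    mode: str           # "sc3" if cfg.ms.ca/cfg.ms.cc are present, else "legacy"
    downgraded: bool    # sc3 entries seen on a release below 10.1
    can_migrate: bool   # legacy device on 10.1+ that can be moved to sc3


def parse_version(system_info: str) -> tuple:
    """Return (major, minor) from the 'sw-version:' line of 'show system info'."""
    m = re.search(r"^\s*sw-version:\s*(\d+)\.(\d+)", system_info, re.MULTILINE)
    if not m:
        raise ValueError("sw-version not found in 'show system info' output")
    return (int(m.group(1)), int(m.group(2)))


def parse_cfg_ms(state_output: str) -> dict:
    """Parse 'show system state | match cfg.ms.' into {key: value}; empty on legacy."""
    entries = {}
    for line in state_output.splitlines():
        m = re.match(r"^\s*(cfg\.ms\.[\w.-]+):\s*(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries


def classify(system_info: str, state_output: str) -> OnboardingStatus:
    """Combine the running release and the cfg.ms.* state into a verdict."""
    version = parse_version(system_info)
    entries = parse_cfg_ms(state_output)
    sc3 = "cfg.ms.ca" in entries and "cfg.ms.cc" in entries
    on_sc3_release = version >= MIN_SC3_VERSION
    return OnboardingStatus(
        version=version,
        mode="sc3" if sc3 else "legacy",
        downgraded=sc3 and not on_sc3_release,
        can_migrate=(not sc3) and on_sc3_release,
    )


AUTHKEY_RE = re.compile(r"Added authkey '([^']+)':\s*'([^']+)'")


def extract_authkey(add_output: str) -> str:
    """Pull the key string out of 'request authkey add ...' output so it can
    be passed verbatim to 'request authkey set' on the device."""
    m = AUTHKEY_RE.search(add_output)
    if not m:
        raise ValueError("no 'Added authkey' line found")
    return m.group(2)


# Constructed sample captures for four devices (not real device output).
FW_A_INFO = "hostname: fw-a\nsw-version: 10.2.4\nmodel: PA-440\n"
FW_A_STATE = ("cfg.ms.ca: 2124fdae-97a0-4dc6-81b7-e64a50fe04f4\n"
              "cfg.ms.cc: 737f26c8-9d89-4c18-9cef-1bb7a20afffb\n")
FW_B_INFO = "hostname: fw-b\nsw-version: 10.1.9\n"
FW_B_STATE = ""                      # no cfg.ms.* entries: legacy onboarding
FW_C_INFO = "hostname: fw-c\nsw-version: 9.1.16\n"
FW_C_STATE = ""                      # legacy, and too old to migrate
FW_D_INFO = "hostname: fw-d\nsw-version: 9.1.16\n"
FW_D_STATE = FW_A_STATE              # sc3 entries on 9.1: downgraded device

SAMPLE_ADD_OUTPUT = ("Added authkey 'TAC': "
                     "'2:IST9rpegTcaBt-ZKUP4E9BeeFWnKYUbbgPoit9ptVvH0ZpU35FT-"
                     "YJCiPsUz7gxhBcd5KmewMkLCC5MLwRmq2w'")


def report() -> dict:
    """Classify every sample device; returns {hostname: OnboardingStatus}."""
    fleet = {"fw-a": (FW_A_INFO, FW_A_STATE), "fw-b": (FW_B_INFO, FW_B_STATE),
             "fw-c": (FW_C_INFO, FW_C_STATE), "fw-d": (FW_D_INFO, FW_D_STATE)}
    return {host: classify(info, state) for host, (info, state) in fleet.items()}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
    print("authkey to set on device:", extract_authkey(SAMPLE_ADD_OUTPUT))
```

In practice the two captures per device would come from an SSH session or the XML API "op" endpoint rather than from inline strings; the classification logic is the part worth keeping, since it encodes the downgrade caveat and the 10.1 floor for migration that are easy to get wrong when triaging a large fleet.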


Additional Information


Admin Guide
Authentication Key for Secure Onboarding
Recover Managed Device Connectivity to Panorama



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008VqwCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail