Does AIOPS generate security alerts for locally configured rules (that are misconfigured or in violation of BPAs) on firewalls managed by Panorama?

Created On 03/24/25 16:06 PM - Last Modified 08/25/25 20:31 PM


Question


  • Does AIOPS generate security alerts for locally configured rules (that are misconfigured or in violation of BPAs) on firewalls managed by Panorama?
  • Example: The AIOPS alert "The source and destination address and zone should not be set to any with an allow action" did not flag a locally configured security policy (one that is in violation of BPAs) on a Panorama-managed firewall.


Environment


  • Panorama-managed firewalls
  • Supported PAN-OS
  • Strata Cloud Manager (SCM)


Answer


  1. SCM does NOT generate security alerts for misconfigured rules on Panorama-managed firewalls.
  2. The expectation is that these security alerts would be pulled from the Panorama that is managing the firewall.
  3. Hence, local rules or configuration on the firewall that are misconfigured or in violation will not show up in SCM if the firewall is Panorama managed.


Additional Information


  • Strata Cloud Manager (SCM) will generate all of the other alerts and incidents for Panorama-managed firewalls, for example CVE incidents and health issues such as certificate expirations, delayed telemetry, down interfaces, etc.
  • Hence, anything that isn't a misconfiguration in the config will alert as normal.
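
Because SCM does not raise this alert for local rules on a Panorama-managed firewall, a local check is one way to cover the gap. The following is an added example, not part of the original article or Palo Alto Networks code: it scans an exported firewall configuration XML for enabled local allow rules whose zones and addresses are all `any`. The sample configuration and rule names are constructed, and the match condition (all four fields set to `any`) is an assumption based on the alert text quoted in the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed local config in PAN-OS XML layout (not from the article).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="local-temp-allow">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <action>allow</action>
  </entry>
  <entry name="local-web-out">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>10.0.0.0/8</member></source>
    <destination><member>any</member></destination>
    <action>allow</action>
  </entry>
  <entry name="local-deny-all">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <action>deny</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""
# Source zone, destination zone, source address, destination address.
FIELDS = ("from", "to", "source", "destination")


def members(rule, tag):
    """Return the set of <member> values under one field of a rule entry."""
    return {m.text.strip() for m in rule.findall(f"{tag}/member") if m.text}


def find_any_any_allow(config_xml):
    """Names of enabled local allow rules whose zones and addresses are all 'any'."""
    root = ET.fromstring(config_xml)
    hits = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if (rule.findtext("action") or "").strip() != "allow":
            continue
        if (rule.findtext("disabled") or "").strip() == "yes":
            continue  # disabled rules do not pass traffic
        if all(members(rule, f) == {"any"} for f in FIELDS):
            hits.append(rule.get("name"))
    return hits
```

Calling `find_any_any_allow(SAMPLE_CONFIG)` returns only `local-temp-allow`; the scoped allow rule and the any/any deny rule are not reported.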

