McAfee Enterprise MVISION Cloud

Proxy Configuration for Palo Alto Networks Panorama

Panorama provides centralized management and visibility of Palo Alto Networks' next-generation firewalls. You can push a custom category from MVISION Cloud’s dashboard to your Palo Alto Networks Panorama instance. As a prerequisite, you must configure the integration within Cloud Connector.

  1. Open a web browser and enter the IP Address you set during installation into the address bar.
  2. Sign in using an email address and password with Cloud Connector permissions.
  3. Go to Blocking Configuration > Palo Alto Integration.
  4. For Integration Type select Panorama.
  5. Provide credentials to connect to Panorama. After successful communication, the Push to Device button for Palo Alto is displayed on the MVISION Cloud dashboard.
    • Commit Level. Select the commit level you want to use:
      • Panorama and Device Group. Select this so that any time new URLs are pushed to the device through MVISION Cloud’s dashboard, the new URLs will be committed to Panorama.
      • Panorama only. Select this option to commit changes only to Panorama.
      • Disabled. Do not commit any changes.
  6. In the MVISION Cloud dashboard, select the CSPs for blocking and click Push Config.

Commit Levels

Panorama and Device Group

When you select Panorama and Device Group, the following steps are performed:

  1. Perform initial Panorama commit (both Panorama and Device Group commit). This approach helps to differentiate between errors introduced by MVISION Cloud commands vs other commands that were pushed to the device, but not yet committed. If the initial commit fails, data is not pushed to Panorama and the operation is aborted until the error is rectified by the admin. 
  2. Push the domains to Panorama. Push is a type of merge, which means that the operation adds to the existing list.
  3. Perform next Panorama commit (both Panorama and Device Group commit). Status of the operation (success or failure) is updated for each CSP by MVISION Cloud Connector in MVISION Cloud. If there is a failure, Cloud Connector retries the push for the failed domains, along with the newly added ones (if any) in the next periodic run.

Panorama Only

When you select Panorama only, the following steps are performed:

  1. Perform initial Panorama Commit (only Panorama commit). This approach helps to differentiate between errors introduced by MVISION Cloud commands vs other commands that were pushed to the device, but not yet committed. If the initial commit fails, data is not pushed to Panorama and the operation is aborted until the error is rectified by the admin. 
  2. Push the domains to Panorama. Push is a type of merge, which means that the operation adds to the existing list.
  3. Perform next Panorama Commit (only Panorama commit). Status of the operation (success or failure) is updated for each CSP by MVISION Cloud Connector in MVISION Cloud. If there is a failure, Cloud Connector retries the push for the failed domains, along with the newly added ones (if any) in the next periodic run.

Disabled

When you select Disabled, the following steps are performed:

  1. URLs are added to the custom URL category, and no initial/next Panorama commit is performed.
  2. After URLs are added to the custom URL category, its status is updated in MVISION Cloud. Even if the status is SUCCESS, there is no guarantee that the changes will persist, because no commit was performed. If the admin's commit later fails for some reason, MVISION Cloud Connector will not resend these URLs, because MVISION Cloud was informed that the push operation completed successfully.
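
The following toy model is an added illustration, not Cloud Connector or Panorama code. It walks through the three commit levels described above to show where pushed domains end up and why Disabled can report SUCCESS for URLs that were never committed. Every class, function, and status name other than SUCCESS is hypothetical, and the domains are constructed sample data.

```python
"""Toy model of the three commit levels (illustration only; every name is hypothetical)."""

class FakePanorama:
    """Stand-in for Panorama: candidate config, committed config, device group."""
    def __init__(self, commit_results=()):
        self.candidate, self.committed, self.device_group = set(), set(), set()
        self._results = list(commit_results)  # scripted commit outcomes, then True

    def push(self, domains):
        self.candidate |= set(domains)  # merge: adds to the existing list

    def commit(self, include_device_group):
        ok = self._results.pop(0) if self._results else True
        if ok:
            self.committed = set(self.candidate)
            if include_device_group:
                self.device_group = set(self.candidate)
        return ok


def run_push(pan, pending, commit_level):
    """One periodic run; returns (status reported upstream, domains to retry)."""
    pending = set(pending)
    if commit_level == "disabled":
        pan.push(pending)
        return "SUCCESS", set()  # reported done, never committed, never resent
    to_devices = commit_level == "panorama_and_device_group"
    if not pan.commit(to_devices):   # step 1: initial commit isolates prior errors
        return "ABORTED", pending    # nothing pushed until an admin fixes it
    pan.push(pending)                # step 2: merge push
    if not pan.commit(to_devices):   # step 3: commit the pushed domains
        return "FAILURE", pending    # retried on the next periodic run
    return "SUCCESS", set()


def demo():
    urls = {"files.example.com", "share.example.net"}  # constructed sample data
    results = {}
    for level in ("disabled", "panorama", "panorama_and_device_group"):
        pan = FakePanorama()
        status, _ = run_push(pan, urls, level)
        results[level] = (status, pan.committed == urls, pan.device_group == urls)
    return results


if __name__ == "__main__":
    for level, outcome in demo().items():
        print(level, outcome)
```

Each result tuple is (reported status, URLs present in the committed Panorama config, URLs present on the device group). With Disabled, the status is SUCCESS while both flags are False, so an admin must commit and verify manually.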

Panorama Commit Frequency

MVISION Cloud Connector periodically queries MVISION Cloud to fetch the URLs for push. When Cloud Connector starts, it will wait for 5 minutes, and then run the job every 4 hours by default. To change the frequency, in the logprocessor.local.properties file, override the property:  

    pan_agent.frequency=<number of milliseconds>

Panorama Commit Failure Messages

If the commit to Panorama fails, MVISION Cloud saves the failure messages and displays them in the MVISION Cloud Connector user interface.