Skip to main content

Welcome to our updated site!

Skyhigh Security

Proxy Configuration for Palo Alto Networks Panorama

  1. Last updated
  2. Save as PDF

Panorama provides centralized management and visibility of Palo Alto Network's next-generation firewalls. You can push a custom category from Skyhigh CASB’s dashboard to your Palo Alto Networks Panorama instance, as a prerequisite you must configure the integration within Cloud Connector.

  1. Open a web browser and enter the IP Address you set during installation into the address bar.
  2. Sign in using an email address and password with Cloud Connector permissions.
  3. Go to Blocking Configuration > Palo Alto Integration.
  4. For Integration Type select Panorama.
  5. Provide credentials to connect to Panorama. After successful communication, the Push to Device button for Palo Alto is displayed on the Skyhigh CASB dashboard
.
    • Commit Level. Select the commit level you want to use:
    • Panorama and Device Group. Select this so that any time new URLs are pushed to the device through Skyhigh CASB’s dashboard, the new URLs will be committed to Panorama.
    • Panorama only. Select this option to commit changes only to Panorama. 
    • Disabled. Do not commit any changes. 
  6. In the Skyhigh CASB dashboard, select the CSPs for blocking and click Push Config.
    panorama_commit_level.png

Commit Levels

Panorama and Device Group

When you select Panorama and Device Group, the following steps are performed:

  1. Perform initial Panorama commit (both Panorama and Device Group commit). This approach helps to differentiate between errors introduced by Skyhigh CASB commands vs other commands that were pushed to the device, but not yet committed. If the initial commit fails, data is not pushed to Panorama and the operation is aborted until the error is rectified by the admin. 
  2. Push the domains to Panorama. Push is a type of type merge, which means that the operation adds to the existing list.
  3. Perform next Panorama commit (both Panorama and Device Group commit). Status of the operation (success or failure) is updated for each CSP by Skyhigh Cloud Connector in Skyhigh CASB. If there is a failure, Cloud Connector retries the push for the failed domains, along with the newly added ones (if any) in the next periodic run.

Panorama Only

When you select Panorama only, the following steps are performed:

  1. Perform initial Panorama Commit (only Panorama commit). This approach helps to differentiate between errors introduced by Skyhigh CASB commands vs other commands that were pushed to the device, but not yet committed. If the initial commit fails, data is not pushed to Panorama and the operation is aborted until the error is rectified by the admin. 
  2. Push the domains to Panorama. Push is a type of merge, which means that the operation adds to the existing list.
  3. Perform next Panorama Commit (only Panorama commit). Status of the operation (success or failure) is updated for each CSP by Skyhigh Cloud Connector in Skyhigh CASB. If there is a failure, Cloud Connector retries the push for the failed domains, along with the newly added ones (if any) in the next periodic run.

Disabled

When you select Disabled, the following steps are performed:

  1. URLs are added to the custom URL category, and no initial/next Panorama commit is performed.
  2. After URLs are added to the custom URL category, its status is updated in Skyhigh CASB. If the status is SUCCESS, since commit was not done, there is no guarantee that the changes will persist. If the commit by admin fails for some reason, Skyhigh Cloud Connector will not resend these URLs again, as Skyhigh CASB was informed that the push operation completed successfully.

Panorama Commit Frequency

Skyhigh Cloud Connector periodically queries Skyhigh CASB to fetch the URLs for push. When Cloud Connector starts, it will wait for 5 minutes, and then run the job every 4 hours by default. To change the frequency, in the logprocessor.local.properties file, override the property:  

"pan_agent.frequency=<number of milliseconds>"

Panorama Commit Failure Messages

If the commit to Panorama fails, Skyhigh CASB saves the failure messages, and displays them in the Skyhigh Cloud Connector user interface, as shown.  

panorama_error_message.png