Adding Palo Alto Networks PAN-OS Systems
Overview
To manage Palo Alto Networks PAN-OS accounts, you need to specify a valid local administrative account and password. See Specifying Local Admin Accounts for more information. The account used must be a superuser account.
For any account you add, you can also choose whether or not you want the Privileged Access Service to manage the account password. If you select Manage this credential, the Privileged Access Service automatically resets the password after the account and system are added and each time the account is checked in.
If you select Manage this credential for Palo Alto Networks PAN-OS systems, keep in mind that the Privileged Access Service can only manage passwords for administrator accounts with local authentication (password). Accounts with an authentication profile set (including local user databases) are not supported.
For more information about password and system management for Palo Alto Networks PAN-OS systems, see the following topics:
- Setting up Certificates for Palo Alto Networks PAN-OS Systems
- Password Complexity Rules
- Changing Palo Alto Networks PAN-OS System Settings
Setting up Certificates for Palo Alto Networks PAN-OS Systems
You must set up the certificate and SSL/TLS Service Profile on the PAN-OS system before you can connect using Privileged Access Service.
For configuration information, see the PAN-OS Web Interface Reference and the PAN-OS Admin Guide:
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-certificate-management-ssltls-service-profile
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/certificate-management/replace-the-certificate-for-inbound-management-traffic
Once the PAN-OS system is configured, the same certificate must also be trusted on every connector system that connects to the PAN-OS system. In most cases, PAN-OS systems should use a certificate issued by an enterprise Certificate Authority (CA) or by a trusted external CA, such as VeriSign; because connector systems already trust such a CA, this simplifies the certificate setup on them. Alternatively, you can export the certificate from the PAN-OS system and import it into every system running the connector. Self-signed certificates should not be used in production environments.
Palo Alto Networks PAN-OS system accounts are managed using an API via HTTPS. A secure channel is required between the connector and the Palo Alto Networks PAN-OS system. Certificates are typically issued to a fully qualified domain name (FQDN). Therefore, if an IP address is provided instead, the server certificate may not be validated.
Verifying Certificate Configuration
To verify that the certificate is trusted in the connector, connect to the PAN-OS Web UI ("https://<PAN-OS hostname/IP Address>") using a browser and verify that the connection is secure. If the connection is secure, the SSL/TLS secure management channel is established.
- If an error occurs while establishing the SSL connection, review the supported SSL/TLS protocol versions and cipher suites.
- If an error occurs indicating that the server certificate cannot be validated, check the connector and target certificate settings, including root CA, subject names, and validity.
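The following script is an added example, not part of the product documentation. It reproduces the check described above from the connector side: it opens one TLS connection to the PAN-OS management interface with full chain validation and hostname matching, then sorts any failure into the two cases listed (protocol/cipher mismatch versus a certificate that cannot be validated) and a plain network failure. It also flags an IP-literal target, since certificates are normally issued to an FQDN. The default host name `panos.example.internal`, the CA bundle path and the TLS 1.2 floor are assumptions for illustration.

```python
"""Verify the connector-to-PAN-OS TLS management channel (TCP 443).

Added example, not part of the product documentation. Performs the same
validation the connector relies on (trusted chain plus hostname match) and
classifies a failed handshake. Host name, CA bundle path and the TLS 1.2
floor below are assumptions, not values from the documentation.
"""
import ipaddress
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class ChannelReport:
    target: str
    ok: bool
    reason: str                     # "ok", "certificate", "protocol", "network", "unknown"
    detail: str = ""
    protocol: Optional[str] = None  # e.g. "TLSv1.2"
    cipher: Optional[str] = None


def is_ip_literal(target: str) -> bool:
    """True when the target is an IP address rather than an FQDN.

    Certificates are normally issued to an FQDN, so an IP target fails
    hostname matching unless the certificate carries an IP SAN.
    """
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return False
    return True


def classify_tls_failure(exc: BaseException) -> str:
    """Map a handshake exception onto the troubleshooting cases in the text.

    Order matters: SSLCertVerificationError is a subclass of SSLError, and
    SSLError is a subclass of OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"   # root CA, subject name or validity problem
    if isinstance(exc, ssl.SSLError):
        return "protocol"      # protocol version / cipher suite mismatch
    if isinstance(exc, OSError):
        return "network"       # refused, unreachable, timed out
    return "unknown"


def check_management_channel(target: str, port: int = 443,
                             cafile: Optional[str] = None,
                             timeout: float = 5.0) -> ChannelReport:
    """Open one fully verified TLS connection and report the outcome.

    cafile: PEM bundle holding the enterprise root CA exported to the
    connector (assumed path supplied by the caller); None uses the host's
    default trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # assumed local policy floor
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=target) as tls:
                return ChannelReport(target, True, "ok",
                                     protocol=tls.version(),
                                     cipher=tls.cipher()[0])
    except Exception as exc:
        return ChannelReport(target, False, classify_tls_failure(exc),
                             detail=str(exc))


if __name__ == "__main__":
    # Usage: python check_panos_tls.py <host> [ca-bundle.pem]
    host = sys.argv[1] if len(sys.argv) > 1 else "panos.example.internal"  # assumed
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    if is_ip_literal(host):
        print("warning: IP target; the certificate is probably issued to an FQDN")
    print(check_management_channel(host, cafile=ca))
```

Run it from the connector host so the trust store and network path match what the connector actually uses; a `reason` of `certificate` points at the root CA, subject names and validity, while `protocol` points at the SSL/TLS versions and cipher suites.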
Password Complexity Rules
All managed passwords generated by the Privileged Access Service contain at least one upper case letter, one lower case letter, one number, and one special character, and may contain consecutive repeated characters, regardless of the system type. Palo Alto Networks PAN-OS systems restrict passwords to a maximum of 31 characters. The following additional password rules apply:
- Minimum password length: 12 characters.
- Maximum password length: 31 characters.
- Supported special characters: !$%&()*+,-./:;<=>?[]^_{|}~
You should keep in mind that only the Privileged Access Service will know the managed password being generated and stored. You should not select this option if you don’t want the Privileged Access Service to manage the password for the account.
For additional information on Palo Alto Networks PAN-OS system password requirements, see the PAN-OS Web Interface Reference:
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-password-profiles/username-and-password-requirements
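As an added example (not the product's own code), the following Python encodes the rules above as a validator and a CSPRNG-backed generator, so a candidate password can be checked against the PAN-OS managed-password policy before it is set, and unsupported characters can be spotted. The rule set, length bounds and special-character list are exactly those stated above; the function names are this example's own.

```python
"""Validator and generator for the PAN-OS managed password rules.

Added example, not part of the product documentation. Encodes the policy
stated in the text: 12-31 characters, at least one upper case letter, one
lower case letter, one digit and one special character from the supported
set; consecutive repeated characters are allowed.
"""
import secrets
import string
from typing import List

MIN_LEN = 12
MAX_LEN = 31
SPECIALS = "!$%&()*+,-./:;<=>?[]^_{|}~"   # supported special characters
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
ALLOWED = set(UPPER + LOWER + DIGITS + SPECIALS)


def validate_managed_password(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means compliant.

    Checks run in a fixed order so output is stable. Consecutive repeats
    such as "aa" are deliberately not flagged because the policy allows them.
    """
    violations = []
    if len(password) < MIN_LEN:
        violations.append("length < 12")
    if len(password) > MAX_LEN:
        violations.append("length > 31")
    if not any(c in UPPER for c in password):
        violations.append("missing upper case letter")
    if not any(c in LOWER for c in password):
        violations.append("missing lower case letter")
    if not any(c in DIGITS for c in password):
        violations.append("missing digit")
    if not any(c in SPECIALS for c in password):
        violations.append("missing special character")
    unsupported = sorted({c for c in password if c not in ALLOWED})
    if unsupported:
        violations.append("unsupported characters: " + "".join(unsupported))
    return violations


def generate_managed_password(length: int = 16) -> str:
    """Generate a policy-compliant password from the OS CSPRNG.

    One character from each required class is drawn first so every class is
    present, the remainder comes from the full allowed set, and the result
    is shuffled so class positions are not predictable.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    pool = UPPER + LOWER + DIGITS + SPECIALS
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIALS)]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_managed_password(20)
    print(candidate, validate_managed_password(candidate) or "compliant")
    # Constructed samples: missing classes, and '@' outside the supported set
    print(validate_managed_password("abcdefgh1234"))
    print(validate_managed_password("Abcdef1@ghij"))
```

Note that a character such as `@` is rejected twice: it is reported as unsupported, and because it is not in the supported set it does not satisfy the special-character requirement either.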
Changing Palo Alto Networks PAN-OS System Settings
In addition to the common system settings you can change for any type of system, there are a few settings specific to Palo Alto Networks PAN-OS systems. For example, you can use System Settings to update the following types of information after adding a system:
- Change the session type or port number for remote connections. You can manually select secure shell or remote desktop and change the port number for remote sessions. If you don’t specify a session type and port, the secure shell client and port 22 are used by default.
- Select a system time zone. You can manually select the time zone you want to use for any system. If you don’t specify a time zone, the local time zone of the system is used by default.
- Account Management Settings. For password management, port 443 is used. If you changed the port assignment used for password management, you need to manually set the Management Port field to match the setting of the PAN-OS system. Contact Palo Alto Networks Support if you want to change the port setting.