1. Introduction
This document outlines the step-by-step procedures required to establish a secure and functional connection between the Albarius platform and Palo Alto Networks Panorama.
Objective: Enable Albarius to interact with Palo Alto Panorama for [Insert specific purpose, e.g., automated policy provisioning, object syncing, log retrieval, device group management].
2. Prerequisites
Before initiating the connection setup, ensure the following requirements are met:
Panorama Version: PAN-OS [Insert minimum supported version, e.g., 9.0 or higher].
Network Access: Albarius must have routeability to the Panorama Management IP address.
Credentials: Administrator account on Panorama with appropriate XML API / REST API permissions for the intended operations.
Albarius Access: Administrator access to the Albarius configuration console.
3. Network and Firewall Configuration
To allow Albarius to communicate with Panorama, specific ports must be permitted through any intermediate firewalls.
Navigate to the firewall policy managing traffic between the Albarius platform and the Panorama server.
Create a rule to permit the necessary traffic:
Source: Albarius IP Address ([Insert Albarius IP/Subnet])
Destination: Panorama Management IP Address ([Insert Panorama IP])
Service/Ports: * HTTPS / TCP 443 (For XML/REST API Access)
[Insert any other specific ports needed, e.g., SSH / TCP 22 or Syslog / UDP 514]
3. Additional ports:
Src: Clients | Dst: Albarius Server | Svc: TCP-2345
Src: Panorama/Pan-os | Dst: Albarius Server | Svc: 5518 UDP
3. Install the policy (Commit & Push).
4. Palo Alto Panorama Configuration
4.1 Create an API Administrator Role Profile
To ensure least-privilege access, create a custom role specifically for Albarius API interactions.
Log in to the Palo Alto Panorama web interface.
Navigate to Panorama > Admin Roles.
Click Add to create a new Admin Role Profile.
Enter a Name (e.g., Albarius-API-Role) and an optional description.
Navigate to the XML API tab and enable the necessary permissions for the integration. Typically, this includes:
Configuration
Operational Requests
Commit (Note: If Albarius only requires read-only access, adjust these permissions accordingly or use a default Superuser read-only role).
Click OK.
4.2 Create the Integration User
Assign the newly created API role to a dedicated service account.
Navigate to Panorama > Administrators.
Click Add to create a new administrator account.
Configure the username (e.g., albarius-svc) and set a strong password.
Set the Administrator Type to Custom Panorama Admin (or equivalent based on your PAN-OS version) and select the Albarius-API-Role profile created in the previous step.
Click OK.
Click Commit on the top right, select Commit to Panorama, and execute the commit to save the new user.
4.3 Configure Permitted IP Addresses (Optional but Recommended)
If Panorama is configured to restrict management access by IP, you must add the Albarius platform's IP address.
Navigate to Panorama > Setup > Management.
Edit the Management Interface Settings.
Under the Permitted IP Addresses list, click Add.
Enter the Albarius IP address ([Insert Albarius IP]).
Click OK and Commit the changes.
4.4 Send Logs to Albarius Server
Step 1: Syslog Server Profile
1. Click Panorama > Syslog > Add.
2. Set Name to Syslog Server Profile.
3. Set Name | Syslog Server “IP” | Transport “UDP” | Port “5518”| Format “BSD”.
4. Click Ok.
Step 2: Log Forwarding
1. Click Objects > Log Forwarding > Use existing Profile / Add New.
2. Click Add “Log Forwarding Profile Match List”.
3. Set Name | Log Type “Traffic”.
4. Click Add and Select the Syslog Profile.
5. Click Ok.
Step 3: Collector Groups
1. Click Panorama > Collector Groups > Use existing Profile / Add New.
2. Click Collector Log Forwarding > Traffic > Use existing Profile / Add New.
3. Click Add and Select the Syslog Profile.
4. Click Ok.
Step 4: Policies Rules Actions
1. Click Policies > Pre Rules / Post Rules > Select rule specific > Actions > Log Forwarding.
2. Select the Log Forwarding Profile that was created.
3. Click Actions and Select the Log Forwarding Profile.
5. Albarius Platform Configuration
With the Panorama side prepared, configure the connection within the Albarius platform.
Log in to the Albarius portal.
Navigate to Firewalls -> Add New.
Select Palo Alto Panorama from the available integration types.
Enter the following details:
Hostname / IP Address: [Insert Panorama Management Server IP]
Username: [Insert the account created in step 4.2]
Password: [Insert credentials]
Click Save Configuration.
6. Verification and Testing
To ensure the connection is fully operational:
Within the Albarius integration page, click the Test Connection button.
Verify that a "Success" message is returned.
Navigate to [Insert Albarius Verification Screen, e.g., Dashboard or Logs] to confirm that data (firewall rules, device groups, objects, or logs) is successfully synchronizing from Panorama.
7. Troubleshooting
If the connection test fails, verify the following:
API Reachability: From the Albarius appliance/server, run a connectivity test (telnet [Panorama IP] 443 or curl -k https://[Panorama IP]) to verify network reachability and that port 443 is open.
Authentication/Permissions: Log in to Panorama and check the system logs (Monitor > Logs > System) for any failed login attempts or API authorization errors originating from the Albarius IP address.
Permitted IPs: Double-check that the Albarius IP is correctly listed in Panorama's Permitted IP Addresses if that feature is actively used.