Configuring Operations Director to commit firewall rules to Panorama
You must perform this step only if you have Palo Alto Networks Next Generation Firewall configured.

Panorama is the centralized management console for Palo Alto Networks Next Generation Firewall. Operations Director can orchestrate with Panorama to apply firewall policies for new applications. By default, Operations Director is configured to only update Panorama with firewall rules but not commit them to the firewall. This is to enable the firewall administrator to review the rules before committing them. If you configure Operations Director to not commit rules to Panorama, the changes may be lost if Panorama is restarted before a commit is performed. However, you can configure Operations Director to commit firewall rules after the security administrator's approval in Operations Director. You can do so by editing the Operations Director configuration file.

To configure Operations Director to commit changes to Panorama
- Log in to the Operations Director appliance as the ODAdmin user that was created during Operations Director appliance deployment, using the password that was provided then.
- Edit the Operations Director appliance file.
  sudo vi /usr/local/Symantec/so/config/od.properties
- Change the value of the following parameters from:
  od.provisioningservice.panplugin.commitoperation.configtopanaroma.enable=no
  od.provisioningservice.panplugin.commitoperation.panaromatofirewalldevices.enable=no
  to:
  od.provisioningservice.panplugin.commitoperation.configtopanaroma.enable=yes
  od.provisioningservice.panplugin.commitoperation.panaromatofirewalldevices.enable=yes
- Enter the values for retry count and retry interval in the following parameters:
  Retry count is the number of times the commit operation is retried.
  od.provisioningservice.panplugin.httpclient.commitoperationretrycount=3
  Retry interval is the number of seconds after which the commit operation is retried.
  od.provisioningservice.panplugin.httpclient.commitoperation.retryinterval=120
- Save the od.properties file.
You must restart the security orchestration services by restarting the Apache Tomcat Web server for the changes to take effect. To do this, run the following commands from the appliance:
sh /opt/apache-tomcat-7.0.62/bin/shutdown.sh
sh /opt/apache-tomcat-7.0.62/bin/startup.sh
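
As an added example (not part of the product documentation or the vendor's tooling), the following shell functions check an od.properties file against the values this procedure sets, so the edit can be verified before Tomcat is restarted. The function names od_prop and od_commit_audit and the sample data are hypothetical, and the parsing assumes plain key=value lines in which the last assignment of a key wins.

```shell
#!/bin/sh
# Added example: audit od.properties for the commit settings listed above.
P=od.provisioningservice.panplugin

# Print the value of key $2 in file $1. Assumes plain key=value lines;
# '#' comment lines are skipped and the last assignment wins (assumption).
od_prop() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key)
          gsub(/^[ \t]+|[ \t\r]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# Return 0 only if both commit flags are "yes" and both retry settings are
# whole numbers; otherwise print one line per finding and return 1.
od_commit_audit() {
    file=$1; rc=0
    for key in "$P.commitoperation.configtopanaroma.enable" \
               "$P.commitoperation.panaromatofirewalldevices.enable"; do
        val=$(od_prop "$file" "$key")
        [ "$val" = "yes" ] || { echo "NOT ENABLED: $key=${val:-<unset>}"; rc=1; }
    done
    for key in "$P.httpclient.commitoperationretrycount" \
               "$P.httpclient.commitoperation.retryinterval"; do
        val=$(od_prop "$file" "$key")
        case $val in
            ''|*[!0-9]*) echo "BAD VALUE: $key=${val:-<unset>}"; rc=1 ;;
        esac
    done
    # The key names on this page spell it "panaroma"; flag the other spelling.
    if grep -q '^[^#]*commitoperation\.[a-z]*panorama' "$file"; then
        echo "CHECK SPELLING: a commitoperation key uses 'panorama'"; rc=1
    fi
    return $rc
}

# Constructed sample holding the default flag values shown in the procedure.
sample=$(mktemp)
printf '%s\n' "$P.commitoperation.configtopanaroma.enable=no" \
    "$P.commitoperation.panaromatofirewalldevices.enable=no" \
    "$P.httpclient.commitoperationretrycount=3" \
    "$P.httpclient.commitoperation.retryinterval=120" > "$sample"
od_commit_audit "$sample" || echo "commits to Panorama are not fully enabled"
rm -f "$sample"
```

On the appliance, run od_commit_audit /usr/local/Symantec/so/config/od.properties; a non-zero exit status means at least one setting differs from what this procedure specifies.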