Configuring Operations Director to commit firewall rules to Panorama

You must perform this step only if you have Palo Alto Networks Next Generation Firewall configured.
Panorama is the centralized management console for Palo Alto Networks Next Generation Firewall. Operations Director can orchestrate with Panorama to apply firewall policies for new applications. By default, Operations Director is configured to only update Panorama with firewall rules but not commit them to the firewall. This lets the firewall administrator review the rules before they are committed.
If you configure Operations Director to not commit rules to Panorama, the changes may be lost if Panorama is restarted before a commit is performed. However, you can configure Operations Director to commit firewall rules after the security administrator's approval in Operations Director. You can do so by editing the Operations Director configuration file.
To configure Operations Director to commit changes to Panorama
  1. Log in to the Operations Director appliance as the ODAdmin user, which was created during Operations Director appliance deployment, using the password that was provided then.
  2. Edit the Operations Director appliance file.
    sudo vi /usr/local/Symantec/so/config/od.properties
  3. Change the value of the following parameters from:
    od.provisioningservice.panplugin.commitoperation.configtopanaroma.enable=no
    od.provisioningservice.panplugin.commitoperation.panaromatofirewalldevices.enable=no
    to
    od.provisioningservice.panplugin.commitoperation.configtopanaroma.enable=yes
    od.provisioningservice.panplugin.commitoperation.panaromatofirewalldevices.enable=yes
  4. Enter the values for retry count and retry interval in the following parameters:
    Retry count is the number of times the commit operation is retried.
    od.provisioningservice.panplugin.httpclient.commitoperationretrycount=3
    Retry interval is the number of seconds after which the commit operation is retried.
    od.provisioningservice.panplugin.httpclient.commitoperation.retryinterval=120
  5. Save the od.properties file.
You must restart the security orchestration services by restarting the Apache Tomcat Web server for the changes to take effect. To do this, run the following commands from the appliance:
sh /opt/apache-tomcat-7.0.62/bin/shutdown.sh
sh /opt/apache-tomcat-7.0.62/bin/startup.sh
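
The edit in the procedure above can be scripted so that a backup of od.properties is kept and the resulting commit mode can be checked afterwards. The following is an added example, not part of Operations Director or its documentation; the function names are assumptions, and the property keys are the ones listed in the procedure.

```shell
#!/bin/sh
# Added example. Property keys are copied from the procedure above;
# function names are assumptions made for this example.
P=od.provisioningservice.panplugin
K_PANO="$P.commitoperation.configtopanaroma.enable"
K_FW="$P.commitoperation.panaromatofirewalldevices.enable"
K_COUNT="$P.httpclient.commitoperationretrycount"
K_INTERVAL="$P.httpclient.commitoperation.retryinterval"

# Print the value of key $2 in properties file $1 (last assignment wins).
get_prop() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Set key $2 to value $3 in file $1: rewrite the line if present, else append.
# Writing back with cat keeps the file's existing owner and permissions.
set_prop() {
    awk -F= -v k="$2" -v v="$3" '
        $1 == k { print k "=" v; seen = 1; next }
        { print }
        END { if (!seen) print k "=" v }' "$1" > "$1.tmp" &&
        cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Report the commit mode: review-only (both flags "no", the default),
# auto-commit (both "yes"), or mixed (anything else, including missing keys).
commit_mode() {
    a=$(get_prop "$1" "$K_PANO"); b=$(get_prop "$1" "$K_FW")
    case "$a/$b" in
        yes/yes) echo auto-commit ;;
        no/no)   echo review-only ;;
        *)       echo "mixed ($a/$b)" ;;
    esac
}

# Enable commit in file $1 with retry count $2 and retry interval $3 (seconds).
# A copy of the original file is saved as $1.bak before any change is made.
enable_commit() {
    for n in "$2" "$3"; do
        case "$n" in
            ''|*[!0-9]*) echo "retry values must be integers" >&2; return 1 ;;
        esac
    done
    cp -p "$1" "$1.bak" || return 1
    set_prop "$1" "$K_PANO" yes
    set_prop "$1" "$K_FW" yes
    set_prop "$1" "$K_COUNT" "$2"
    set_prop "$1" "$K_INTERVAL" "$3"
}
```

Run enable_commit against /usr/local/Symantec/so/config/od.properties with sufficient privileges (for example, enable_commit FILE 3 120), then restart Tomcat as described above. commit_mode can be run at any time to confirm whether the appliance is still in the default review-before-commit mode.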