Strata Cloud Manager Device Onboarding

In my last blog, I discussed SCM licensing and accessing the SCM tenant. Now that we have the basics under our belts, I'm going to talk about device associations using Common Services. But first, let me explain what Common Services is and how it's used. Palo Alto Networks Common Services provides centralised management and features for their cloud-delivered network security products. These services include license activation, subscription management, device associations, tenant management, and identity & access management. Let me break this down further.

License Management:

  • Activation & Subscription Management: Centralised location for activating and managing licenses. 
  • Tenant Management: Create multiple tenants, build a hierarchy, and allocate license subscriptions. 

Device Management: 

  • Device Associations: Centralised view of all devices in your deployment.

Identity & Access Management:

  • Centralised Authentication: Authenticates users and services for all supported applications. 
  • Access Control: Manages user roles and permissions to ensure proper access to platform resources. 
  • Third-Party Identity Provider Integrations: Integrates with external identity providers for single sign-on (SSO). 

As a key feature of Palo Alto Networks Common Services, Device Associations offers a centralised view of all devices across your deployment. It allows you to efficiently organise devices into Tenant Service Groups (TSGs)—logical containers designed to streamline device management. This structure makes it easy to link your supported cloud-based security products with the appropriate devices, improving visibility, organisation, and operational efficiency.

Now that we have a better idea of what Common Services is used for, I can explain how to associate a firewall with a new tenant so that it can be onboarded and centrally managed by Strata Cloud Manager.

  1. In Device Associations, you can view a list of all of the tenant service groups (TSGs) associated with your customer support account. Usually customers have only one customer support account (CSP); however, if the organisation is an MSSP, I would expect to see multiple TSGs.
  2. Select a TSG to view any firewalls or Panorama appliances associated with the TSG. If you don't see any, you can add devices from your customer support account.
  3. Select Add Device whenever you need to associate new devices with your TSG.
  4. After you've added a firewall or Panorama appliance, you can Associate Products to begin using the device with products that you have activated. The app must be compatible with the hardware model of your device, otherwise the device will not appear during app association.

Once the firewall has been associated, there are a few prerequisites to consider before you jump in with both feet. Make sure the firewall is running PAN-OS 10.2.3 or later, and that you have planned the folder hierarchy and device labels so that firewalls requiring similar settings are grouped together. Take a look at the Workflows: Folder Management guide. In a nutshell, folders are used to logically group your firewalls; for example, this could be based on geographical location, function or deployment type.
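The two prerequisites above can be checked across a whole estate before onboarding starts. The following is an added example, not part of the original post and not Palo Alto Networks tooling; the inventory records, their field names and the folder names are constructed for illustration.

```python
import re
from collections import defaultdict

MIN_PANOS = (10, 2, 3)  # minimum PAN-OS release stated in the post

# Constructed sample inventory: serials and folder names are made up.
INVENTORY = [
    {"serial": "000000000001", "panos": "10.2.3", "folder": "UK/Branch"},
    {"serial": "000000000002", "panos": "10.1.11-h5", "folder": "UK/DataCentre"},
    {"serial": "000000000003", "panos": "11.1.2-h3", "folder": "UK/Branch"},
    {"serial": "000000000004", "panos": "10.2.10", "folder": ""},
    {"serial": "000000000005", "panos": "10.2.3-b1", "folder": "Cloud"},
]

# major.minor.maintenance with an optional hotfix suffix such as "-h4".
# Anything else (for example a beta build) is sent for manual review.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_panos(version):
    """Return (major, minor, maintenance) as ints, or None if unrecognised."""
    match = _VERSION.match(version.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def preflight(inventory, minimum=MIN_PANOS):
    """Split firewalls into ready (grouped by planned folder) and blocked."""
    ready = defaultdict(list)
    blocked = {}
    for fw in inventory:
        parsed = parse_panos(fw["panos"])
        if parsed is None:
            blocked[fw["serial"]] = "unrecognised PAN-OS version, review manually"
        elif parsed < minimum:  # tuple compare, so 10.2.10 is newer than 10.2.3
            blocked[fw["serial"]] = "upgrade PAN-OS before onboarding"
        elif not fw["folder"].strip():
            blocked[fw["serial"]] = "no folder planned"
        else:
            ready[fw["folder"]].append(fw["serial"])
    return dict(ready), blocked


if __name__ == "__main__":
    ready, blocked = preflight(INVENTORY)
    for folder, serials in sorted(ready.items()):
        print(f"READY   {folder}: {', '.join(serials)}")
    for serial, reason in sorted(blocked.items()):
        print(f"BLOCKED {serial}: {reason}")
```

Versions are compared as integer tuples rather than strings, because a plain string comparison would rank 10.2.10 below 10.2.3.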

Once you are happy with the structure, you can move on to onboarding your Next-Generation Firewalls into SCM using the built-in workflows.

If the onboarding guide was followed correctly, the firewall will be connected and ready to be managed.

You should see at least one firewall in the Command Center dashboard. Here we can see traffic from the sources on the left being secured by the firewall in the centre, destined for internet apps, SaaS apps and private apps on the right.

In my next blog, I plan to talk about configuration scope and global policies. This will enable you to write and deploy consistent security policies across your entire Palo Alto Networks firewall estate.