Palo Alto Panorama: multi-site design that scales

Panorama is what separates a Palo Alto stack from a fleet of snowflakes. The hierarchy you build on day one defines years of operations.

Device-group hierarchy

• Shared > Region > Country > Site > Device.
• Pre-rules at top for global allow/deny; post-rules at bottom for cleanup.

Template stacks

• Base template (NTP, DNS, syslog) + region overlay + site overlay.
• Variables for per-device addresses.

Log Collectors

• At least one per region; high disk I/O matters.
• Forwarding profiles aligned with retention policy.

RBAC

• Admin roles by region/team; auditable changes.
• SAML/MFA mandatory.

HA

• Active/passive Panorama with sync.
• Test failover and rollback yearly.

Train multi-site policy reasoning in a TechLeague tournament.