AI Runtime Security
Deploy AI Runtime Security: Network Intercept for Panorama Managed Firewall
Table of Contents
Deploy AI Runtime Security: Network Intercept for Panorama Managed Firewall
This page helps you to configure your AI Runtime Security: Network
intercept deployment for Panorama support.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
- Log in to Strata Cloud Manager.
- Select Insights → AI Runtime Security
- Select Network from the AI Runtime Security drop-down list at the top.
- Select Add Protections ("+" icon).
- Refer to Deploy AI Runtime Security: Network Intercept for the configurations as per your cloud deployment.
- Select "Manage by Panorama" option (You can configure the deployment configuration for both Panorama standalone and Panorama High Availability (HA).
- Enter an Active Panorama IP address. (Copy the Panorama active/passive IP addresses by navigating to Panorama web interface → PANORAMA→ High availability.
- Optional Enter the Passive Panorama IP address.
- Enter the Panorama VM auth code (Generate the VM Auth Key on Panorama).
- Enter Device Group.
- Enter the Template Stack name.
- Select Next.
- In Review Architecture screen:
- Enter a unique Terraform template name. (Use only lowercase letters, numbers, and hyphens. Don't use a hyphen at the beginning or end, and limit the name under 19 characters).
- Create terraform template.
- Save and Download Terraform Template.
- Close the deployment workflow to exit.
- Unzip the downloaded file. Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
- Initialize and apply the Terraform for the security_project.The security_project contains the Terraform plan to create an AI network intercept (AI firewall) architecture. This Terraform plan creates the required resources to deploy network intercept inline prevention, including the managed instance groups, load balancers, and health checks.cd architecture //Change directory to architecture/security_project cd security_project terraform init terraform plan terraform apply
- Run the application Terraform to peer the application VPCs.
The application_security Terraform generates the following output:cd ../application_project terraform init terraform plan terraform applyApply complete! Resources: 12 added, 0 changed, 0 destroyed. - Configure Panorama to Secure VM Workloads and Kubernetes Clusters. Configure interfaces, zones, NAT policy, routers, and security policy rules.
- Optional Enable AI network intercept to connect with Panorama. See the section below.The Panorama deployment doesn't need IP-tags configuration. Panorama uses the existing Panorama Plugin for Kubernetes to pull the IP-tags and notify Device Groups to push the IP-tags to the managed firewalls.
Enable AI Runtime Security: Network Intercept (Firewall) Connectivity to Panorama
If you have a
security group on the Panorama, add the IP address of the AI network intercept
(AI network intercept) in the Panorama security group. This allows the Panorama
to communicate with the AI network intercept on the public IP address.
This section shows an example of adding the IP
address of an AI network intercept to Panorama in the AWS environment.
Follow the similar steps for your cloud environment.
Before you begin, ensure you deploy AI network intercept for
Panorama support in your cloud environment.
- Sign in to the AWS Management Console.
- Navigate to EC2 > Instances.
- Search for the AI network intercept you deployed using the deployment Terraform in the above section.
- Copy the Public IPv4 address for this network intercept.
- Search for the Panorama instances (active/passive) deployed in AWS. Click on the Instance ID on one of the Panoramas.
- Select the Security tab and click on the Security groups link.
- Select the Inbound rules tab and click Edit inbound rules.
- Add rule and select All traffic and add the public IP address of the AI network intercept you copied above.
- Save rules.