Deploy Prisma AIRS AI Runtime: Network Intercept for Panorama Managed Firewall
This page helps you to configure your Prisma AIRS AI Runtime: Network intercept deployment for Panorama support.
Where Can I Use This? | What Do I Need?
  • Prisma AIRS managed by Panorama
Navigate to the Prisma AIRS AI Runtime: Network Intercept deployment workflow in Strata Cloud Manager and select the Manage by Panorama option, which generates the deployment Terraform with the Panorama configuration included. When you apply that Terraform in your cloud environment, Panorama manages the deployed Prisma AIRS AI Runtime: Network intercept. The security threat logs are visible on Panorama (Monitor > Logs > Threat) with the 'ai-security' subtype.
To manually deploy and bootstrap, refer to the section on Manually Deploy and Bootstrap Prisma AIRS AI Runtime: Network Intercept.
  1. Navigate to Insights > Prisma AIRS > Prisma AIRS AI Runtime: Network Intercept.
  2. Click Add Protections ("+" icon).
  3. Refer to Deploy Prisma AIRS AI Runtime: Network Intercept for the configurations as per your cloud deployment.
  4. In Protection Settings:
  5. Select the Manage by Panorama option. (You can configure the deployment for either a standalone Panorama or a Panorama High Availability (HA) pair.)
    Enter the Panorama configurations the workflow asks for.
  6. Select Next.
  7. In the Review Architecture screen:
    • Enter a unique Terraform template name. Use only lowercase letters, numbers, and hyphens; don't use a hyphen at the beginning or end, and keep the name under 19 characters.
    • Create the Terraform template.
    • Save and Download Terraform Template.
    • Close the deployment workflow to exit.
  8. Unzip the downloaded file. The <unzipped-folder> contains two directories, `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
  9. Initialize and apply the Terraform for the security_project.
    The security_project contains the Terraform plan that creates the Prisma AIRS AI Runtime: Network intercept architecture. It creates the resources required for inline prevention, including the managed instance groups, load balancers, and health checks.
    ```bash
    cd architecture          # change directory to architecture/security_project
    cd security_project
    terraform init
    terraform plan
    terraform apply
    ```
  10. Run the application Terraform to peer the application VPCs.
    ```bash
    cd ../application_project
    terraform init
    terraform plan
    terraform apply
    ```
    The application_project Terraform ends with output like the following:
    Apply complete! Resources: 12 added, 0 changed, 0 destroyed.
  11. Configure Panorama to Secure VM Workloads and Kubernetes Clusters. Configure interfaces, zones, NAT policy, routers, and security policy rules.
  12. (Optional) Enable Prisma AIRS AI Runtime: Network intercept to connect with Panorama. See Enable Prisma AIRS AI Runtime: Network Intercept Connectivity to Panorama below.
    The Panorama deployment doesn't need a separate IP-tag configuration. Panorama uses the existing Panorama Plugin for Kubernetes to pull the IP-tags and notifies the Device Groups to push them to the managed firewalls.
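An added example, not Palo Alto Networks' code, that scripts steps 7 through 10 above: it checks a template name against the naming rule from the Review Architecture screen, then runs the two Terraform projects in the required order, applying a saved plan file so that what was reviewed at plan time is exactly what gets applied. It assumes the unzipped template root is passed as the first argument and contains `architecture/security_project` and `architecture/application_project` as the page describes; `RUN_DEPLOY` and `TEMPLATE_NAME` are this script's own variables.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks' code: scripts steps 7 to 10 above.
# Assumes the unzipped template root is passed as $1 and contains
# architecture/security_project and architecture/application_project.
# RUN_DEPLOY and TEMPLATE_NAME are this script's own variables.
set -eu

# Rule from the Review Architecture screen: lowercase letters, digits and
# hyphens only, no leading or trailing hyphen, fewer than 19 characters.
validate_template_name() {
  name="$1"
  [ "${#name}" -ge 1 ] && [ "${#name}" -le 18 ] || return 1
  case "$name" in
    -*|*-) return 1 ;;
  esac
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9-]+$'
}

# Run init, plan and apply in one Terraform project directory.
# Applying the saved plan file guarantees that what was reviewed at plan
# time is exactly what gets applied; a failure in any stage stops the script.
apply_stage() {
  dir="$1"
  echo "==> ${dir}"
  ( cd "$dir" \
    && terraform init -input=false \
    && terraform plan -input=false -out=tfplan \
    && terraform apply -input=false tfplan )
}

# Apply the two projects in the order the page requires: security first
# (instance groups, load balancers, health checks), then application peering.
deploy() {
  root="$1"
  [ -f "${root}/architecture/README.md" ] \
    || { echo "no architecture/README.md under ${root}; is this the unzipped template?" >&2; return 1; }
  apply_stage "${root}/architecture/security_project"
  apply_stage "${root}/architecture/application_project"
}

# Usage: RUN_DEPLOY=1 TEMPLATE_NAME=airs-panorama-01 sh deploy.sh /path/to/unzipped-folder
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  validate_template_name "${TEMPLATE_NAME:?set TEMPLATE_NAME}" \
    || { echo "template name '${TEMPLATE_NAME}' violates the naming rule" >&2; exit 1; }
  deploy "${1:?path to the unzipped template folder}"
fi
```

The name check runs before any Terraform so a name the workflow would have rejected is caught before resources are created; the `-input=false` flags make the run fail rather than prompt when a variable is missing, which is what you want in CI.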

Enable Prisma AIRS AI Runtime: Network Intercept Connectivity to Panorama

Follow these steps if your Panorama can't connect to a Panorama-managed Prisma AIRS AI Runtime: Network intercept.
If the Panorama instance has a security group attached, add the public IP address of the Prisma AIRS AI Runtime: Network intercept to that security group's inbound rules. This lets Panorama and the network intercept communicate over the intercept's public IP address.
This section shows an example of adding the IP address of a network intercept to the Panorama security group in AWS. Follow similar steps for your cloud environment.
Before you begin, make sure you have deployed Prisma AIRS AI Runtime: Network intercept for Panorama support in your cloud environment.
  1. Sign in to the AWS Management Console.
  2. Navigate to EC2 > Instances.
  3. Search for the AI network intercept you deployed using the deployment Terraform in the above section.
  4. Copy the Public IPv4 address for this network intercept.
  5. Search for the Panorama instances (active/passive) deployed in AWS. Click on the Instance ID on one of the Panoramas.
  6. Select the Security tab and click on the Security groups link.
  7. Select the Inbound rules tab and click Edit inbound rules.
  8. Click Add rule.
  9. Select All traffic as the type and, as the source, enter the public IP address of the Prisma AIRS AI Runtime: Network intercept you copied above as a /32. A rule limited to the TCP ports Panorama uses to manage devices (3978, plus 28443 if the intercept pulls content and software updates through Panorama) is tighter than All traffic and is the better choice where your environment allows it.
  10. Save rules.
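An added example, not Palo Alto Networks' code, that performs the AWS steps above from the CLI with a rule scoped to the intercept's single address and to the TCP ports Panorama uses for managed devices rather than All traffic. It assumes AWS CLI v2 is configured with permission to describe instances and modify the security group; the intercept's Name tag, the Panorama security group ID, and the `RUN_AWS` variable are this script's assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks' code: replaces the "All traffic" rule
# of steps 7 to 10 with one scoped to the intercept's /32 and to the TCP ports
# Panorama uses for managed devices. Assumes AWS CLI v2 with permission to
# describe instances and modify the group; the intercept's Name tag and the
# Panorama security group ID are passed in and are this script's assumptions.
set -eu

# Basic IPv4 dotted-quad check so a copy-paste mistake cannot become a rule.
is_ipv4() {
  ip="$1"
  case "$ip" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  oldifs="$IFS"; IFS='.'; set -- $ip; IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Ports Panorama uses to talk to managed firewalls: TCP 3978 (management and
# log forwarding) and TCP 28443 (content and software updates served through
# Panorama). Emits the --ip-permissions JSON, one entry per port, /32 source.
panorama_ingress_permissions() {
  ip="$1"
  is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
  json=""
  for port in 3978 28443; do
    entry="{\"IpProtocol\":\"tcp\",\"FromPort\":${port},\"ToPort\":${port},"
    entry="${entry}\"IpRanges\":[{\"CidrIp\":\"${ip}/32\",\"Description\":\"Prisma AIRS network intercept\"}]}"
    json="${json}${json:+,}${entry}"
  done
  printf '[%s]\n' "$json"
}

# Steps 3 and 4: resolve the intercept's public IPv4 address from its Name tag.
intercept_public_ip() {
  aws ec2 describe-instances \
    --filters "Name=tag:Name,Values=$1" "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].PublicIpAddress' --output text
}

# Steps 6 to 10: add the scoped inbound rule to the Panorama security group.
# For Panorama HA, run once per security group if active and passive differ.
authorize_intercept() {
  aws ec2 authorize-security-group-ingress \
    --group-id "$1" \
    --ip-permissions "$(panorama_ingress_permissions "$2")"
}

# Usage: RUN_AWS=1 sh allow-intercept.sh <intercept-Name-tag> <panorama-sg-id>
if [ "${RUN_AWS:-0}" = "1" ]; then
  authorize_intercept "${2:?Panorama security group ID}" \
    "$(intercept_public_ip "${1:?intercept Name tag}")"
fi
```

The JSON builder is the part worth keeping even if you add the rule in the console: it records exactly which ports and which /32 were opened, and the Description field makes the rule attributable when the group is audited later.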