Cloud NGFW for Azure
Apply Policies
Learn how to apply policies to your Cloud NGFW for Azure resource using Panorama
policy management.
After linking your Cloud NGFW resource to the Panorama virtual appliance, you can
use the integration for policy management tasks, applying policies to your
Cloud NGFW for Azure resource.
For more information, see Defining Policies on Panorama.
Apply Policy
Cloud Device Groups on Panorama allow you to centrally manage firewall policy
rules. You create policy rules on Panorama either as pre-rules or post-rules.
These rules allow you to create a layered approach for implementing policy.
To configure policy rules for the cloud device group in Panorama:
- Select Policies.
- In the Device Group section, use the drop-down to select the Cloud Device Group previously created.
  When you create a device group for Cloud NGFW, the name begins with cngfw. For example, cngfw-azure-demo.
- In the lower left portion of the console, click Add.
- In the Security Policy Rule screen, configure elements of the policy you want to apply to the device group.
  - In the General tab, include a name for the policy. Optionally provide additional information.
  - Source policy defines the source zone or source address from which the traffic originates. For Source Zone, click Any. You can't add a specific source zone.
  - Continue applying Source policy rules by including the Source Address. Click Any, or use the drop-down to select an existing address, or use options to add a new address or address group.
  - For Source User and Source Device policy, click Any. Cloud NGFW does not support specifying specific source users or source devices.
  - Destination policy defines the destination zone or destination address for the traffic. Use the drop-down to select an existing address, or use the options to add a new address or address group. The Destination policy includes fields for the zone, address, and device.
    - For the Destination Zone, click Any. Cloud NGFW does not support adding individual destination zones.
    - For the Destination Address, click Any, or use the drop-down to select an existing zone. Click New to add a new address, address group, or region.
    - For the Destination Device, click Any. Cloud NGFW does not support adding individual destination devices.
  - Configure an Application policy to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications.
  - In the Application screen, click Any, or specify a specific application, like SSH. Click Add to include a new application policy.
  - Configure Service/URL Category policy rules for the firewall to specify a specific TCP or UDP port number or a URL category as match criteria in the policy. Specify Service level policy rules or URL Category policy rules by selecting Any, or use the drop-down options to individually select the policy elements you want to apply.
  - Click Add to create new policy rules for Service or URL/Category.
- After applying policy rules to the cloud device group for the Cloud NGFW resource and committing the change, push the changes.
- In the Push to Devices screen, click Edit Selections.
- Select the cloud device groups you want to push to the resources, and click OK, then click Push.
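
As an added example (not part of the original documentation and not Palo Alto Networks code), the following Python check scans an exported rulebase before a push and reports rules that set a field the steps above say must remain Any on Cloud NGFW. The XML element names are assumptions modelled on PAN-OS security-rule XML, and the rulebase, rule names, and objects are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Fields the procedure says must stay "Any" on Cloud NGFW. Element names are
# assumptions modelled on PAN-OS security-rule XML; confirm against your export.
MUST_BE_ANY = {
    "from": "Source Zone",
    "to": "Destination Zone",
    "source-user": "Source User",
    "source-hip": "Source Device",
    "destination-hip": "Destination Device",
}

# Constructed sample rulebase for a hypothetical cloud device group.
SAMPLE_RULEBASE = """
<security><rules>
  <entry name="allow-ssh-mgmt">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>mgmt-subnet</member></source>
    <source-user><member>any</member></source-user>
    <application><member>ssh</member></application>
  </entry>
  <entry name="web-from-trust">
    <from><member>trust</member></from><to><member>any</member></to>
    <source><member>any</member></source>
    <source-user><member>finance-users</member></source-user>
    <application><member>web-browsing</member></application>
  </entry>
</rules></security>
"""

def members(rule, tag):
    """Return the member values of a rule field; an absent field counts as 'any'."""
    values = [m.text.strip() for m in rule.findall(f"{tag}/member") if m.text]
    return values or ["any"]

def unsupported_fields(rulebase_xml):
    """Map rule name -> [(field label, values)] for fields that are not Any."""
    findings = {}
    for rule in ET.fromstring(rulebase_xml).iter("entry"):
        bad = [(label, members(rule, tag))
               for tag, label in MUST_BE_ANY.items()
               if members(rule, tag) != ["any"]]
        if bad:
            findings[rule.get("name")] = bad
    return findings

if __name__ == "__main__":
    for name, bad in unsupported_fields(SAMPLE_RULEBASE).items():
        for label, values in bad:
            print(f"{name}: {label} must be Any, found {values}")
```

Source Address, Destination Address, Application, and Service/URL Category are not checked, because the procedure allows specific values for them.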