Panorama Policy Management
Cloud NGFW and Panorama policy management
Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a
cloud-native service on AWS. With Cloud NGFW, you can run more apps securely at cloud
speed and cloud-scale with an actual cloud-native experience. You get to experience the
best of both worlds with natively integrated network security delivered as a service on
AWS.
This article explains how to configure and integrate Cloud NGFW for AWS with Palo Alto
Networks Panorama.
You can use a Panorama appliance to manage a shared set of security rules centrally on
Cloud NGFW resources alongside your physical and virtual firewall appliances. You can
also manage all aspects of shared objects and profiles configuration, push these rules,
and generate reports on traffic patterns or security incidents of your Cloud NGFW
resources, all from a single Panorama console.
Panorama provides a single location from which you can have centralized policy and
firewall management across hardware firewalls, virtual firewalls and cloud firewalls
which increases operational efficiency in managing and maintaining a hybrid network of
firewalls.
How does integration work?
You will continue to subscribe to the Cloud NGFW service using AWS
Marketplace and create a tenant. Then you can link your Cloud NGFW tenant with your
Panorama appliance. You can then manage a shared set of security rules centrally on
Cloud NGFW resources you create on this tenant alongside your physical and virtual
firewall appliances, and you can use logging, reporting and log analytics, all from
a single Panorama console.
Your Panorama appliance can reside in any Cloud region or in an on-premise environment.
Panorama uses the AWS plugin to push policy and objects to the NGFW resources in AWS
regions.
Integration between the Cloud NGFW and your Panorama appliance optionally allows your
Cloud NGFW resources to stream logs to a Cortex Data Lake (CDL) account; you can then
use the CDL UI, Panorama log viewer or the Application Command Center (ACC) to view and
analyze the logs from CDL. Panorama uses the Cloud Services plugin to query the logs
from your CDL account.
You can also configure the Cloud NGFW resources to stream logs to AWS log destinations
such as S3, Cloudwatch and Kinesis streams.
Integration Components
The image below shows how Cloud NGFW integrates with Panorama. Each of these components
are described in the following section.
Palo Alto Networks Policy Management
is the primary and mandatory component of the
solution. You must use a Panorama
appliance to author and manage policies for
your Cloud NGFW resources. The policy management component also helps to associate your
authored policies and objects to multiple Cloud NGFW resources in different AWS
regions.Palo Alto Networks Log Management
is not a mandatory component for this solution.
You use Cortex Data Lake (CDL) if you prefer to view logs in the Panorama console or use
Application Command Center (ACC) in the Panorama console to gain insight into Cloud NGFW
traffic or generate reports in Panorama. For this purpose, you must link your Panorama
with a Cortex Data Lake account using the Cloud Services Plugin in Panorama. You can
configure Cloud NGFW resources to simultaneously send logs to Cortex Data Lake and one
of AWS log destinations (S3, Cloudwatch, or Kinesis stream).Panorama AWS Plugin
is a mandatory component of this solution. The Panorama AWS
plugin enables you to create Cloud Device Groups and Cloud Template stacks which help
you manage policies and objects on NGFW resources of the Cloud NGFW tenant(s) linked
with Panorama. The Panorama AWS plugin internally uses the Cloud Connector plugin to
communicate with the Cloud NGFW resources.Cloud Device Groups (Cloud DG)
are special-purpose Panorama Device groups that
allow you to author rules and objects for Cloud NGFW resources. You create Cloud DGs
using the Panorama AWS Plugin UI/APIs by specifying the Cloud NGFW tenant and AWS region
information. Cloud DG manifests as a global rulestack in that tenant/region.- You can create multiple Cloud Device Groups using the Panorama AWS plugin.
- You can use the native Panorama UI’s device-group page to manage policy and object configurations in Cloud Device Groups and their associated objects and security profiles.
- You can also leverage your existing shared objects and profiles in your existing Panorama device groups by referring to them in the security rules you create in your Cloud Device groups.
- Alternatively, you can add these Cloud DGs to the device-group hierarchy you manage in your Panorama to inherit the DG rules and objects. However, Cloud NGFWs currently cannot enforce all inherited rules by the Cloud Device Group, such as those using security zones or users.
- You can associate the same Cloud DG with multiple regions of the Cloud NGFW tenant. This Cloud DG will manifest as a dedicated global rulestack in each AWS region of your Cloud NGFW tenant.
Cloud Template Stacks (Cloud TS)
are special-purpose Panorama Template stacks that
allow your security rules in Cloud Device groups to refer to object settings that
Panorama allows you to manage using templates. When creating a Cloud DG, the Panorama
AWS plugin enables you to create or specify a Cloud Template Stack. The plugin
automatically creates this Cloud TS and adds it to the Cloud DG as a reference template
stack. From now on, you can use the native Panorama UI’s Template Stack page to
configure your templates and add them to these Cloud TSs.- Palo Alto Networks Cloud NGFW service manages most device and network configurations in your Cloud NGFW resources. Therefore Cloud NGFW will ignore infrastructure settings such as interfaces, zones, and routing protocols if you have configured them in templates added to the Cloud TS.
- Cloud NGFW currently honors Certificate management and log settings in your templates as referenced by the Cloud DG configuration. It ignores all other settings.
You do not assign managed devices to Cloud Device Groups and Cloud Template
Stacks.
There are a few steps to integrate Cloud NGFW with Panorama. After setting up your
Panorama virtual appliance and installing the plugins, you'll need to subscribe to Cloud NGFW using AWS Marketplace and
create a tenant. After creating the Cloud NGFW tenant, link it with your
Panorama virtual appliance. Once you have successfully linked Cloud NGFW, use Panorama
to manage security objects and rules, and monitor logs and analytics. Each of these
steps are described below.
