Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a cloud-native service on AWS. With Cloud NGFW, you can run more apps securely at cloud speed and cloud-scale with an actual cloud-native experience. You get to experience the best of both worlds with natively integrated network security delivered as a service on AWS.

This page explains how to configure and integrate Cloud NGFW for AWS with Palo Alto Networks Panorama.

You can use a Panorama appliance to manage a shared set of security rules centrally on Cloud NGFW resources alongside your physical and virtual firewall appliances. You can also manage all aspects of shared objects and profiles configuration, push these rules, and generate reports on traffic patterns or security incidents of your Cloud NGFW resources, all from a single Panorama console.

Panorama provides a single location from which you can have centralized policy and firewall management across hardware firewalls, virtual firewalls and cloud firewalls which increases operational efficiency in managing and maintaining a hybrid network of firewalls.

You will continue to subscribe to the Cloud NGFW service using AWS Marketplace and create a tenant. Then you can link your Cloud NGFW tenant with your Panorama appliance(s). You can then manage a shared set of security rules centrally on Cloud NGFW resources you create on this tenant alongside your physical and virtual firewall appliances, and you can use logging, reporting and log analytics, all from a Panorama console.

Your Panorama appliance(s) can reside in any Cloud region or in an on-premise environment. Panorama uses the AWS plugin to push policy and objects to the NGFW resources in AWS regions.

Integration between the Cloud NGFW and your Panorama appliance(s) optionally allows your Cloud NGFW resources to stream logs to a Cortex Data Lake (CDL) account; you can then use the CDL UI, Panorama log viewer or the Application Command Center (ACC) to view and analyze the logs from CDL. Panorama uses the Cloud Services plugin to query the logs from your CDL account.

You can also configure the Cloud NGFW resources to stream logs to AWS log destinations such as S3, Cloudwatch and Kinesis streams.

The image below shows how Cloud NGFW integrates with Panorama. Each of these components are described in the following section.

Palo Alto Networks Policy Management

is the primary and mandatory component of the solution. You must use

Panorama

appliance(s) to author and manage policies for your Cloud NGFW resources. The policy management component also helps to associate your authored policies and objects to multiple Cloud NGFW resources in different AWS regions.

Palo Alto Networks Log Management

is not a mandatory component for this solution. You use Cortex Data Lake (CDL) if you prefer to view logs in the Panorama console or use Application Command Center (ACC) in the Panorama console to gain insight into Cloud NGFW traffic or generate reports in Panorama. For this purpose, you must link your Panorama with a Cortex Data Lake account using the Cloud Services Plugin in Panorama. You can configure Cloud NGFW resources to simultaneously send logs to Cortex Data Lake and one of AWS log destinations (S3, Cloudwatch, or Kinesis stream).

Panorama AWS Plugin

is a mandatory component of this solution. The Panorama AWS plugin enables you to create Cloud Device Groups and Cloud Template stacks which help you manage policies and objects on NGFW resources of the Cloud NGFW tenant(s) linked with Panorama. The Panorama AWS plugin internally uses the Cloud Connector plugin to communicate with the Cloud NGFW resources.

Cloud Device Groups (Cloud DG)

are special-purpose Panorama Device groups that allow you to author rules and objects for Cloud NGFW resources. You create Cloud DGs using the Panorama AWS Plugin UI/APIs by specifying the Cloud NGFW tenant and AWS region information. Cloud DG manifests as a global rulestack in that tenant/region.

You can create multiple Cloud Device Groups using the Panorama AWS plugin.
You can use the native Panorama UI’s device-group page to manage policy and object configurations in Cloud Device Groups and their associated objects and security profiles.
You can also leverage your existing shared objects and profiles in your existing Panorama device groups by referring to them in the security rules you create in your Cloud Device groups.
Alternatively, you can add these Cloud DGs to the device-group hierarchy you manage in your Panorama to inherit the DG rules and objects. However, Cloud NGFWs currently cannot enforce all inherited rules by the Cloud Device Group, such as those using security zones or users.
You can associate the same Cloud DG with multiple regions of the Cloud NGFW tenant. This Cloud DG will manifest as a dedicated global rulestack in each AWS region of your Cloud NGFW tenant.

Cloud Template Stacks (Cloud TS)

are special-purpose Panorama Template stacks that allow your security rules in Cloud Device groups to refer to object settings that Panorama allows you to manage using templates. When creating a Cloud DG, the Panorama AWS plugin enables you to create or specify a Cloud Template Stack. The plugin automatically creates this Cloud TS and adds it to the Cloud DG as a reference template stack. From now on, you can use the native Panorama UI’s Template Stack page to configure your templates and add them to these Cloud TSs.

Palo Alto Networks Cloud NGFW service manages most device and network configurations in your Cloud NGFW resources. Therefore Cloud NGFW will ignore infrastructure settings such as interfaces, zones, and routing protocols if you have configured them in templates added to the Cloud TS.
Cloud NGFW currently honors Certificate management and log settings in your templates as referenced by the Cloud DG configuration. It ignores all other settings.

There are a few steps to integrate Cloud NGFW with Panorama. After setting up your Panorama virtual appliance and installing the plugins, you'll need to subscribe to Cloud NGFW using AWS Marketplace and create a tenant. After creating the Cloud NGFW tenant, link it with your Panorama virtual appliance. Once you have successfully linked Cloud NGFW, use Panorama to manage security objects and rules, and monitor logs and analytics.