Cloud NGFW for AWS
Panorama Policy Management
Learn about Cloud NGFW Panorama policy management.
You can use a Panorama appliance to centrally manage a shared set of security
rules across Cloud NGFW resources, alongside your physical and virtual firewall
appliances. You can also manage all aspects of shared object and profile configuration,
push these rules, and generate reports on traffic patterns or security incidents for
your Cloud NGFW resources, all from a single Panorama console.
Panorama provides a single location for centralized policy and firewall
management across hardware, virtual, and cloud firewalls, increasing operational
efficiency in managing and maintaining a hybrid firewall network.
Cloud NGFW for AWS and Panorama Integration Workflow
Use the following workflow to integrate your Cloud NGFW for AWS with
Panorama:
| Steps | Description |
|---|---|
| Deploy Panorama with a supported software version (11.2 or above). Install the Cloud Connector plugin version 2.0.1 or above in Panorama. Install the AWS plugin version 5.1.1 or above in Panorama. | |
| Associate Panorama to a Strata Tenant (TSG). | Panorama integration requires Cloud NGFW for AWS to send traffic and threat logs to the Strata Logging Service (SLS); you can view logs directly in SLS or in Panorama. A Strata Cloud Manager (SCM) with a Tenant Service Group (TSG) is required for this integration. If you don't have a Strata Cloud Manager, you need to do the following: If you already have a Strata Cloud Manager, you need to onboard your Panorama to the Strata tenant (TSG) of the Strata Cloud Manager. |
| Link Panorama to the Cloud NGFW for AWS tenant. | You need to link your Panorama to the Cloud NGFW for AWS tenant so that Panorama can serve as the policy manager for your Cloud NGFW resources. You can also link multiple Panoramas to the same Cloud NGFW for AWS tenant. |
| Create Cloud NGFW resources and register them with the Panorama link. | After linking Panorama to the Cloud NGFW tenant, create Cloud NGFW resources and select the linked Panorama as the Policy Manager. If multiple Panorama instances are linked, choose one from the dropdown list. Strata Logging Service: when you register the first Cloud NGFW resource, a Strata Logging Service account is created automatically if you did not have one before. After this step, you can view Cloud NGFW resources in Panorama's AWS plugin. |
| Manage security policies. | Once the Cloud NGFW resource is visible in the Panorama AWS plugin, you can manage its security policies using Cloud Device Groups and Cloud Template Stacks. |
| View logs. | The following are the options to view logs: |
How does integration work?
You will continue to subscribe to the Cloud NGFW service using AWS
Marketplace and create a tenant. Then you can link your Cloud NGFW tenant with your
Panorama appliances. You can then manage a shared set of security rules centrally on
Cloud NGFW resources you create on this tenant alongside your physical and virtual
firewall appliances, and you can use logging, reporting and log analytics, all
from a Panorama console.
Your Panorama appliances can reside in any Cloud region or in an on-premises
environment. Panorama uses the AWS plugin to push policy and objects to the NGFW
resources in AWS regions.
Integration between the Cloud NGFW and your Panorama appliance optionally allows your
Cloud NGFW resources to stream logs to a Strata Logging Service account; you can then use the
Strata Logging Service web interface, Panorama log viewer or the Application Command
Center (ACC) to view and analyze the logs from Strata Logging Service. Panorama uses
the Cloud Services plugin to query the logs from your Strata Logging Service
account.
You can also configure the Cloud NGFW resources to stream logs to AWS log
destinations such as S3, CloudWatch, and Kinesis streams.
You can link multiple Panorama and Strata Logging Service pairs to the same
Cloud NGFW tenant.
Integration Components
The image below shows how Cloud NGFW integrates with Panorama. Each of these
components is described in the following section.
Policy management is the primary and mandatory component of the solution. You
must use the Panorama appliance to author and manage policy rules for your Cloud
NGFW resources. The policy management component also lets you associate your
authored policy rules and objects with multiple Cloud NGFW resources in different
AWS regions.
Integrating Cloud NGFW for AWS with Panorama streamlines policy management, logging,
and security operations. When you onboard a Panorama to a Strata tenant with Strata
Cloud Manager/Essentials and then integrate with Cloud NGFW, the Strata Logging
Service is automatically configured. This provides a unified view of logs in
Panorama without requiring a separate logging license.
Key Benefits:
- Simplified Onboarding: Integrating Cloud NGFW with Panorama automatically enables the Strata Logging Service and other Strata services. You no longer need to procure additional licenses.
- Unified Logging: Forward logs directly to the Strata Logging Service and view them within Panorama.
- Pay-as-you-go and Credit Model: The integration supports both the pay-as-you-go and credit consumption models.
Panorama AWS plugin is a mandatory component of this solution. The Panorama
AWS plugin enables you to create Cloud Device Groups and Cloud template stacks which
help you manage policy rules and objects on NGFW resources of the Cloud NGFW tenants
linked with Panorama. The Panorama AWS plugin internally uses the Cloud Connector
plugin to communicate with the Cloud NGFW resources.
Cloud Device Groups (Cloud DGs) are special-purpose Panorama device groups that
allow you to author rules and objects for Cloud NGFW resources. You create Cloud
DGs through the Panorama AWS plugin UI or APIs by specifying the Cloud NGFW tenant
and the AWS region. A Cloud device group manifests as a global rulestack in that
tenant and region.
- You can create multiple Cloud Device Groups using the Panorama AWS plugin.
- You can use the native Panorama web interface’s device group page to manage policy and object configurations in Cloud Device Groups and their associated objects and Security Profiles.
- You can also leverage your existing shared objects and profiles in your existing Panorama device groups by referring to them in the security rules you create in your Cloud device groups.
- Alternatively, you can add these Cloud DGs to the device group hierarchy you manage in your Panorama to inherit the device group rules and objects. However, Cloud NGFWs currently can't enforce all inherited rules by the Cloud Device Group, such as those using security zones or users.
- You can associate the same Cloud device group with multiple regions of the Cloud NGFW tenant. This Cloud device group will manifest as a dedicated global rulestack in each AWS region of your Cloud NGFW tenant.
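The last two points above carry an operational consequence: a rule that reaches a Cloud device group through the hierarchy may be silently unenforced if it matches on security zones or users. The following audit script is an added example, not Palo Alto Networks code. It walks a Panorama configuration export in the PAN-OS XML layout (device-group / pre-rulebase / security / rules) and reports every rule in a named Cloud device group, and in the parent device groups it inherits from, whose match criteria depend on a zone other than `any` or on a source user other than `any`. The embedded configuration, the device-group names `corp-shared` and `cloud-ngfw-us-east-1`, and the rule names are constructed for this example.

```python
"""Audit a Panorama rulebase for rules Cloud NGFW cannot enforce.

Added example (not Palo Alto Networks code). Flags security rules that
match on security zones or users, which this page says a Cloud Device
Group cannot enforce, including rules inherited from parent device groups.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of a Panorama export: one parent device group and one
# Cloud device group that inherits from it. Names are hypothetical.
SAMPLE_CONFIG = r"""<config>
  <devices><entry name="localhost.localdomain">
    <device-group>
      <entry name="corp-shared">
        <pre-rulebase><security><rules>
          <entry name="allow-web-from-trust">
            <from><member>trust</member></from>
            <to><member>untrust</member></to>
            <source><member>any</member></source>
            <destination><member>any</member></destination>
            <source-user><member>any</member></source-user>
            <application><member>web-browsing</member></application>
            <service><member>application-default</member></service>
            <action>allow</action>
          </entry>
          <entry name="allow-finance-users">
            <from><member>any</member></from>
            <to><member>any</member></to>
            <source><member>any</member></source>
            <destination><member>any</member></destination>
            <source-user><member>corp\finance</member></source-user>
            <application><member>ssl</member></application>
            <service><member>application-default</member></service>
            <action>allow</action>
          </entry>
        </rules></security></pre-rulebase>
      </entry>
      <entry name="cloud-ngfw-us-east-1">
        <pre-rulebase><security><rules>
          <entry name="block-known-bad">
            <from><member>any</member></from>
            <to><member>any</member></to>
            <source><member>any</member></source>
            <destination><member>blocked-ips</member></destination>
            <source-user><member>any</member></source-user>
            <application><member>any</member></application>
            <service><member>any</member></service>
            <action>deny</action>
          </entry>
        </rules></security></pre-rulebase>
      </entry>
    </device-group>
  </entry></devices>
</config>"""


@dataclass
class Finding:
    device_group: str
    rule: str
    reasons: list = field(default_factory=list)


def _members(entry, tag):
    """Return the <member> values under a rule's from/to/source-user node."""
    return [m.text or "" for m in entry.findall(f"{tag}/member")]


def unenforceable_rules(config_xml, cloud_dg, parent_dgs=()):
    """Return rules a Cloud NGFW would not enforce for cloud_dg.

    parent_dgs lists the device groups cloud_dg inherits from, checked first
    so the output follows Panorama's evaluation order. A rule is flagged when
    any from/to zone is not 'any' or when source-user is not 'any'.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for dg_name in (*parent_dgs, cloud_dg):
        dg = root.find(f"./devices/entry/device-group/entry[@name='{dg_name}']")
        if dg is None:
            raise ValueError(f"device group {dg_name!r} not found in export")
        rules = dg.findall("./pre-rulebase/security/rules/entry")
        rules += dg.findall("./post-rulebase/security/rules/entry")
        for rule in rules:
            reasons = []
            zones = [z for z in _members(rule, "from") + _members(rule, "to") if z != "any"]
            if zones:
                reasons.append(f"uses security zones {sorted(set(zones))}")
            users = [u for u in _members(rule, "source-user") if u != "any"]
            if users:
                reasons.append(f"matches on users {users}")
            if reasons:
                findings.append(Finding(dg_name, rule.get("name"), reasons))
    return findings


if __name__ == "__main__":
    for f in unenforceable_rules(SAMPLE_CONFIG, "cloud-ngfw-us-east-1", ("corp-shared",)):
        print(f"{f.device_group}/{f.rule}: " + "; ".join(f.reasons))
```

On the constructed export the two `corp-shared` rules are reported (one for its `trust`/`untrust` zones, one for its user match), while the Cloud device group's own `block-known-bad` rule, which matches only on an address object, passes. Run it against a real export (Panorama's saved configuration XML) after adding a Cloud DG to an existing hierarchy, and treat every finding as a rule whose protection has to be re-expressed without zones or users before the Cloud NGFW can enforce it.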
Cloud template stacks (Cloud TS) are special-purpose Panorama template stacks
that allow the security rules in your Cloud device groups to refer to settings
that Panorama manages through templates. When you create a Cloud device group,
the Panorama AWS plugin lets you create or specify a Cloud template stack. The
plugin creates this Cloud TS automatically and adds it to the Cloud device group
as its reference template stack. After that, you use the native Panorama web
interface's Template Stack page to configure your templates and add them to these
Cloud TSs.
- Palo Alto Networks Cloud NGFW service manages most device and network configurations in your Cloud NGFW resources. Therefore, Cloud NGFW will ignore infrastructure settings such as interfaces, zones, and routing protocols if you have configured them in templates added to the Cloud TS.
- Cloud NGFW currently honors Certificate management and log settings in your templates as referenced by the Cloud device group configuration. It ignores all other settings.
You don't assign managed devices to Cloud Device Groups and
Cloud template stacks.
There are a few steps to integrate Cloud NGFW with Panorama. After setting up your
Panorama virtual appliance and installing the plugins, you will need to
subscribe to Cloud NGFW using AWS Marketplace and create a
tenant. After creating the Cloud NGFW tenant, link it with your Panorama
virtual appliance. Once you have successfully linked Cloud NGFW, use Panorama to
manage security objects and rules, and monitor logs and analytics.