Use Panorama for Cloud NGFW Policy Management
Manage Cloud NGFW with Panorama
After linking your Cloud NGFW tenant to the Panorama virtual appliance, you can start using the integration for policy management tasks, such as adding device groups and applying policies to the device group for the Cloud NGFW tenant, from the Panorama console.
When you use the Panorama console to configure Cloud NGFW, the browser caches local information, such as the cloud device group, template stack, and region, so that as you switch between Panorama tasks, the cached Cloud NGFW information is displayed in the Panorama console.
When you select a tenant from the Cloud Device Groups node and navigate to another configuration option in Panorama, returning to the Resources node retains the tenant view you previously selected. For example, selecting a single tenant in a region displays the cloud device groups configured for that tenant.
When you navigate to another area in the Panorama console, then return to Cloud NGFW > Cloud Device Groups, the console displays the single tenant you previously selected. For example, after displaying the cloud device groups for a tenant, select AWS > Setup.
When you return to the Cloud NGFW > Resources screen, the Panorama console remembers the previously selected tenant rather than displaying all the tenants associated with the Cloud NGFW resource.
Refresh the browser to dynamically update the display.
Panorama integration displays only those configuration options available to the Cloud NGFW resource. For example, to display the policy options available to the Cloud NGFW resource, select Policies. The Panorama console displays only the policies available to the Cloud NGFW cloud device group.
The device group name is prefixed with
To display the device group objects supported by the Cloud NGFW resource, select Objects. Only those objects supported by Cloud NGFW appear in the Panorama console.
To display the templates supported by the Cloud NGFW resource, select Network. Only those cloud templates supported by Cloud NGFW appear.
When you provision a Cloud NGFW resource with a local rulestack, you cannot associate it with a cloud device group in Panorama; the firewall appears greyed out in the Panorama console. To resolve this, either disassociate the local rulestack using the Cloud NGFW console, or provision a new firewall resource without a local rulestack and associate it with a cloud device group in Panorama. Alternatively, use a global rulestack.
For firewalls created using the AWS Firewall Manager Service (FMS), the rulestack cannot be deselected in the Panorama console. Instead, select a Panorama-pushed global rulestack from the FMS console. This removes the associated rulestack and updates the firewall with the Panorama-pushed global rulestack. For more information, see the AWS FMS documentation.
Add Cloud Device Group
With Panorama, you group the firewalls in your network into logical units called device groups. A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls that require similar policy configurations.
Using device groups, you can configure policy rules and the objects they reference. Organize device groups hierarchically, with shared rules and objects at the top and device group-specific rules and objects at subsequent levels. This lets you create a hierarchy of rules that enforces how firewalls handle traffic.
To add a cloud device group using the Panorama console:
- In the AWS plugin, select Cloud Device Group. The Cloud Device Group table is empty when you first select it. Previously created cloud device groups appear if they were established for the Cloud NGFW tenant using AWS.
- Click Add in the lower left corner.
- In the Cloud Device Group screen, use the drop-down menu to select the Tenant you want to use. The Region is automatically populated with the region where the tenant resides.
- Create a new Template Stack, or use the drop-down menu to select an existing template stack.
- Select the Cloud Device Group drop-down menu and click New.
- Enter a Device Group Name for the device group, and click Create.
- Click OK to apply the cloud device group to the tenant.
- Commit the change.
Delete a Cloud Device Group from a Resource
Use the Panorama console to delete a cloud device group. You can only delete a cloud device group if there are no firewalls attached to it.
To delete a cloud device group using the Panorama console:
- In Panorama, select Cloud Device Groups.
- Select the Cloud Device Group you want to remove.
- In the lower portion of the Panorama console, click Delete.
- Click Yes to confirm the deletion.
- Commit the change.
Associate a Cloud Device Group to a Resource
Use the Panorama console to associate a cloud device group with a Cloud NGFW resource. You can push a cloud device group without associating it with a resource; however, you must associate the cloud device group if you want the resource to use the cloud device group configuration.
To associate a cloud device group to a Cloud NGFW resource using the Panorama console:
- In Panorama, select Resources.
- Select the ID of the resource you want to associate with a cloud device group.
- In the Edit Firewall screen, use the drop-down menu to select the cloud device group you want to associate with the Cloud NGFW resource. Click Save.
- Commit the changes.
- Push the change to your device.
Disassociate a Cloud Device Group from a Resource
To disassociate a Cloud Device Group from a Cloud NGFW resource using the Panorama console:
- In Panorama, select Resources.
- Select the ID of the NGFW resource.
- In the Edit Firewall screen, select None from the Device Group drop-down. Click Save.
Cloud Device Groups on Panorama allow you to centrally manage firewall policies. You create policies on Panorama either as Pre Rules or Post Rules; Pre Rules and Post Rules allow you to create a layered approach to implementing policy. For more information, see Defining Policies on Panorama.
A policy created on Panorama creates a global rulestack. A firewall cannot have rules generated on Panorama and rules generated on the tenant; rules must be created in either Cloud NGFW or Panorama.
To configure policies for the cloud device group in Panorama:
- In the Device Group section, use the drop-down menu to select the Cloud Device Group previously created. When you create a device group for Cloud NGFW, the name begins with cngfw. For example, cngfw-aws-demo.
- In the lower left portion of the console, click Add.
- In the Security Policy Rule screen, configure the elements of the policy you want to apply to the device group:
- In the General tab, enter a Name for the policy.
- Configure the Source policy. The Source policy defines the source zone or source address from which the traffic originates. For Source Zone, click Any; Cloud NGFW does not support adding a specific source zone.
- Continue applying Source policies by including the Source Address. Click Any, use the drop-down menu to select an existing address, or use the options to add a new address or address group.
- For Source User and Source Device, click Any. Cloud NGFW does not support specifying individual source users or source devices.
- The Destination policy defines the destination zone or destination address for the traffic. Use the drop-down menu to select an existing address, or use the options to add a new address or address group. The Destination policy includes fields for the zone, address, and device.
- For the Destination Zone, click Any. Cloud NGFW does not support adding individual destination zones.
- For the Destination Address, click Any, or use the drop-down menu to select an existing address. Click New to add a new address, address group, or region.
- For the Destination Device, click Any. Cloud NGFW does not support adding individual destination devices.
- Configure the Application policy to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID™ signature and customize it to detect proprietary applications or specific attributes of an existing application. Custom applications are defined in Objects > Applications.
- In the Application screen, click Any, or specify a particular application, such as SSH. Click Add to include a new application policy.
- Configure Service/URL Category policies for the firewall to specify a TCP and/or UDP port number or a URL category as match criteria in the policy. Specify Service policies or URL Category policies by selecting Any, or use the drop-down options to individually select the policy elements you want to apply. Click Add to create new Service or URL Category policies.
- Configure the Actions policy to determine the action taken on traffic that matches the defined policy attributes. Some actions, such as WildFire Analysis, are not supported by Cloud NGFW.
- In the Actions screen, select the action to take (for example, allow or deny), set the Profile Setting, and configure the Log Setting and other settings. For information about using Panorama logs, see Centralized Logging and Reporting and View Logs.
- You can optionally forward logs to CDL from the Security Policy Rule screen. In the Log Setting field, select the Log Forwarding drop-down and click New Profile. In the Log Forwarding Profile, enter a Name for the log and select Enable enhanced application logging to Cortex Data Lake (including traffic and url logs). Click OK. For more information about CDL logging, see Explore Logs.
- Return to the Cloud NGFW console to view the rules created in Panorama. Click View XML to display information about the rules pushed from Panorama to the global rulestack applied to the cloud device group. The rulestack is now associated with the policies applied to the Cloud Device Group created in Panorama.
- After applying policies to the cloud device group for the Cloud NGFW tenant, push the changes in the Panorama console.
- In the Push to Devices screen, click Edit Selections.
- In the Push Scope Selection screen, click Cloud NGFW. The Cloud NGFW node was added to the Push Scope Selection screen to facilitate Cloud NGFW and Panorama integration.
- Select the cloud device groups you want to push to the resources, click OK, then click Push.
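The procedure above lists several match fields that Cloud NGFW requires to stay at Any (Source Zone, Source User, Source Device, Destination Zone, Destination Device), a profile type it does not support (WildFire Analysis), and the cngfw name prefix for cloud device groups. Checking a rule set against those constraints before a push is easy to script. The following is an added example, not Palo Alto Networks code and not the Panorama configuration schema: the rule dicts are a constructed, simplified view of what the Security Policy Rule screen shows, and the field names (source_user, profiles, and so on) are this example's own.

```python
"""Lint Panorama security rules for a cloud device group against the
Cloud NGFW restrictions described in the procedure above.

Added example, not Palo Alto Networks tooling. The rule dicts are a
constructed, simplified view of the Security Policy Rule screen; the
field names are this example's own and not the Panorama schema.
"""

# Match fields that must stay at "any" on Cloud NGFW (per the procedure:
# Source Zone, Source User, Source Device, Destination Zone, Destination Device).
ANY_ONLY_FIELDS = (
    "source_zone",
    "source_user",
    "source_device",
    "destination_zone",
    "destination_device",
)

# Profile types the text names as unsupported by Cloud NGFW.
UNSUPPORTED_PROFILES = {"wildfire-analysis"}

# Cloud device group names begin with this prefix, e.g. cngfw-aws-demo.
CLOUD_DEVICE_GROUP_PREFIX = "cngfw"


def is_any(value):
    """True when a match field is the literal 'any' (as a string or as the
    only list member) or an empty list, which this example treats as 'any'."""
    if isinstance(value, (list, tuple, set)):
        return len(value) == 0 or {str(v).lower() for v in value} == {"any"}
    return str(value).lower() == "any"


def lint_rule(rule):
    """Return the list of findings for one rule; an empty list means the rule
    narrows only fields Cloud NGFW supports and attaches only supported profiles."""
    findings = []
    name = rule.get("name") or "<unnamed>"
    if not rule.get("name"):
        findings.append("rule has no name (the General tab requires one)")
    for field in ANY_ONLY_FIELDS:
        value = rule.get(field, "any")
        if not is_any(value):
            findings.append(f"{name}: {field} must be 'any' on Cloud NGFW, got {value!r}")
    for profile_type in rule.get("profiles", {}):
        if profile_type in UNSUPPORTED_PROFILES:
            findings.append(f"{name}: profile {profile_type!r} is not supported by Cloud NGFW")
    return findings


def lint_device_group(device_group, rules):
    """Lint the group name and every rule. Returns the findings plus the names
    of the rules that passed, so a reviewer sees both at a glance."""
    findings = []
    if not device_group.startswith(CLOUD_DEVICE_GROUP_PREFIX):
        findings.append(
            f"device group {device_group!r} does not start with {CLOUD_DEVICE_GROUP_PREFIX!r}"
        )
    clean_rules = []
    for rule in rules:
        rule_findings = lint_rule(rule)
        findings.extend(rule_findings)
        if not rule_findings:
            clean_rules.append(rule["name"])
    return {"findings": findings, "clean_rules": clean_rules}


# Constructed sample rules (not from any real deployment).
SAMPLE_RULES = [
    {   # valid: only supported fields (addresses, application) are narrowed
        "name": "allow-ssh-from-mgmt",
        "source_zone": "any", "source_address": ["10.0.1.0/24"],
        "source_user": "any", "source_device": "any",
        "destination_zone": "any", "destination_address": ["10.0.2.10"],
        "destination_device": "any",
        "application": ["ssh"], "service": "application-default",
        "action": "allow", "profiles": {"vulnerability": "strict"},
    },
    {   # invalid: Source User narrowed, which Cloud NGFW does not support
        "name": "allow-web-for-contractors",
        "source_zone": "any", "source_address": "any",
        "source_user": ["contractors"], "source_device": "any",
        "destination_zone": "any", "destination_address": "any",
        "destination_device": "any",
        "application": ["web-browsing"], "service": "application-default",
        "action": "allow", "profiles": {},
    },
    {   # invalid: WildFire Analysis profile attached
        "name": "allow-file-transfer",
        "source_zone": "any", "source_address": "any",
        "source_user": "any", "source_device": "any",
        "destination_zone": "any", "destination_address": "any",
        "destination_device": "any",
        "application": ["ftp"], "service": "application-default",
        "action": "allow", "profiles": {"wildfire-analysis": "default"},
    },
]

if __name__ == "__main__":
    result = lint_device_group("cngfw-aws-demo", SAMPLE_RULES)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("clean rules:", ", ".join(result["clean_rules"]))
```

Running the script flags the second and third sample rules and passes the first. The same check can be applied to rules exported from the View XML display in the Cloud NGFW console once they are mapped onto the field names used here.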
Use a Device Group Pushed from Panorama
The information in this section is for users who use the AWS Firewall Manager Service (FMS) to configure device groups pushed from Panorama.
If you are using FMS, you cannot associate a cloud device group with the Cloud NGFW from Panorama; this option is grayed out in the Panorama console. Use the FMS AWS console to create this association.
- Link a tenant to Panorama.
- Create a cloud device group and push it to the Cloud NGFW. This procedure is the same for users who are not using FMS.
- Navigate to the FMS AWS console and edit the policy.
- Select the global rulestack that was pushed from Panorama.
- Save your changes.