1. Home
    2. AWS
    3. Cloud NGFW for AWS
    4. Panorama Policy Management
    5. Integrating Panorama
    6. Use Panorama for Cloud NGFW Policy Management

    Use Panorama for Cloud NGFW Policy Management

    Manage Cloud NGFW with Panorama
    After linking your Cloud NGFW tenant to the Panorama virtual appliance you can start using the integration for policy management tasks, such as adding device groups and applying policies to the device group for the Cloud NGFW tenant using the Panorama console.
    When you use the Panorama console to configure the Cloud NGFW, the browser caches local information, like the cloud device group, template stack and region, so that as you switch between Panorama tasks, cached Cloud NGFW information is displayed in the Panorama console.
    When you select a tenant from the
    Cloud Device Groups
     node and navigate to another configuration option in Panorama, returning to the
    Resources
     node retains the tenant view you previously selected. For example, selecting a single tenant in a region displays the cloud device groups configured for that tenant.
    When you navigate to another area in the Panorama console, then return to
    Cloud NGFW > Cloud Device Groups
    , the console displays the single tenant you previously selected. For example, after displaying the cloud device groups for a tenant, select
    AWS > Setup
    .
    When you return to the
    Cloud NGFW > Resources
     screen, the Panorama console remembers the previously selected tenant rather than displaying all the tenants associated with the Cloud NGFW resource.
    Refresh the browser to dynamically update the display.
    Panorama integration displays only those configuration options available to the Cloud NGFW resource. For example, to display policy options available to the Cloud NGFW resource, select
    Policies
    . The Panorama console only displays policies available to the Cloud NGFW cloud device group.
    The device group name is prefixed with
    cngfw-aws
    .
    To display device group objects supported by the Cloud NGFW resource, select
    Objects
    . Only those objects supported by Cloud NGFW appear in the Panorama console.
    To display templates supported by the Cloud NGFW resource, select
    Network
    . Only those cloud templates supported by the Cloud NGFW appear.
    Rulestack considerations
    When you provision a Cloud NGFW resource with a local rulestack, you cannot associate it with a cloud device group in Panorama; the firewall appears greyed out in the Panorama console. To resolve this issue, you can disassociate the local rulestack using the Cloud NGFW console, or, you can provision a new firewall resource without a local rulestack and associate it with a cloud device group in Panorama. Alternately, use a global rulestack.
    For firewalls created using the AWS Firewall Manager Service (FMS), the rulestack cannot be deselected in the Panorama console. Select a Panorama pushed global rulestack from the FMS console. This process removes the associated rulestack and updates the firewall with a Panorama pushed global rulestack. For more information see the AWS FMS documentation.
    Add Cloud Device Group
    With Panorama, you group firewalls in your network into logical units called
    device groups
    . A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls requiring similar policy configurations.
    Using device groups, you can configure policy rules and the objects they reference. Organize device groups hierarchically, with shared rules and objects at the top, and device group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that enforce how firewalls handle traffic.
    See Manage Device Groups for more information.
    To add a cloud device group using the Panorama console:
    1. In the
      AWS
       plugin, select
      Cloud Device Group
      . The Cloud Device Group table is empty when you first select it. Previously created cloud device groups appear if they were established for the Cloud NGFW tenant using AWS.
    2. Click
      Add
      in the lower left corner.
    3. In the
      Cloud Device Group
       screen, use the drop-down menu to select the
      Tenant
      you want to use.
      The
      Region
       is automatically populated with the region where the tenant resides.
    4. Create a new
      Template Stack
      , or use the drop-down menu to select an existing template stack.
    5. Select the
      Cloud Device Group
       drop-down menu and click
      New
      :
    6. Enter a
      Device Group Name
       for the device group, and click
      Create
      .
    7. Click
      OK
      to apply the cloud device group to the tenant.
    8. Commit the change.

    Delete a Cloud Device Group from a Resource

    Use the Panorama console to delete a cloud device group. You can only delete a cloud device group if there are no firewalls attached to it.
    To delete a cloud device group using the Panorama console:
    1. In
      Panorama
      , select
      Cloud Device Groups
      .
    2. Select the
      Cloud Device Group
       you want to remove.
    3. In the lower portion of the Panorama console, click
      Delete
      .
    4. Click
      Yes
      to confirm the deletion.
    5. Commit the change.

    Associate a Cloud Device Group to a Resource

    Use the Panorama console to associate a cloud device group to a Cloud NGFW resource. You can push a cloud device group without associating it with a resource, however, you must associate the cloud device group if you want the resource to use the cloud device group configuration
    To associate a cloud device group to a Cloud NGFW resource using the Panorama console:
    1. In
      Panorama
      , select
      Resources
      .
    2. Select the
      ID
       of the resource you want to associate to a cloud device group.
    3. In the
      Edit Firewall
      screen, use the drop-down menu to select the cloud device group you want to associate with the Cloud NGFW resource. Click
      Save
      .
    4. Click
      Save
      .
    5. Commit
       the changes.
    6. Push
       the change to your device.

    Disassociate a Cloud Device Group from a Resource

    To disassociate a Cloud Device Group from a Cloud NGFW resource using the Panorama console:
    1. In
      Panorama
      , select
      Resources
      .
    2. Select the
      ID
       of the NGFW resource.
    3. In the
      Edit Firewall
      screen, select
      None
       from the
      Device Group
       drop-down. Click
      Save
      .

    Apply Policy

    Cloud Device Groups on Panorama allow you to centrally manage firewall policies. You create policies on Panorama either as
    Pre Rules
     or
    Post Rules
    ; Pre Rules and Post Rules allow you to create a layered approach for implementing policy. For more information, see
    Defining Policies on Panorama
    .
    A policy created on Panorama creates a global rulestack. A firewall cannot have rules generated on Panorama and rules generated on the tenant; rules must be created in either Cloud NGFW or Panorama.
    To configure policies for the cloud device group in Panorama:
    1. Select
      Policies
      .
    2. In the
      Device Group
       section, use the drop-down menu to select the
      Cloud Device Group
       previously created. When you create a device group for Cloud NGFW, the name begins with
      cngfw
      . For example,
      cngfw-aws-demo.
    3. In the lower left portion of the console, click
      Add
      .
    4. In the
      Security Policy Rule
       screen, configure elements of the policy you want to apply to the device group:
    5. In the
      General
       tab, include a
      name
       for the policy.
    6. Configure a
      Source
       policy.
      Source
      policy defines source zone or source address from which the traffic originates. For
      Source Zone
      , click
      Any
      . You cannot add a specific source address.
      1. Continue applying
        Source
        policies by including the
        Source Address
        . Click
        Any
        , or use the drop-down menu to select an existing address, or, use options to add a new address or address group.
      2. For
        Source User
         and
        Source Device
         policy, click
        Any
        . Cloud NGFW does not support specifying specific source users or source devices
    7. Destination
      policy defines the destination zone or destination address for the traffic. Use the drop-down menu to select an existing address, or, use options to add a new address or address group. The Destination policy includes fields for the zone, address, and device.
      1. For the
        Destination Zone
        , click
        Any
        . Cloud NGFW does not support adding individual destination zones.
      2. For the
        Destination Address
        , click
        Any
        , or, use the drop-down menu to select an existing zone. Click
        New
        to add a new address, address group, or region.
      3. For the
        Destination Device
        , click
        Any
        . Cloud NGFW does not support adding individual destination devices.
    8. Configure
      Application
      policy to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID™ signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in
      ObjectsApplications
      .
      1. In the
        Application
        screen, click
        Any
        , or specify a specific application, like SSH. Click
        Add
        to include a new application policy:
    9. Configure
      Service/URL Category
       policies for the firewall to specify a specific TCP and/or UDP port number or a URL category as match criteria in the policy. Specify
      Service
      level policies or
      URL Category
       policies by selecting
      Any
      , or, use the drop-down options to individually select policy elements you want to apply. Click
      Add
      to create new policies for Service or URL/Category.
    10. Configure an
      Actions
      policy to determine the action taken based on traffic that matches the defined policy attributes. Some actions, like
      Wildfire Analysis
      , are not supported by Cloud NGFW.
      1. In the
        Actions
        screen, select the action to take (for example, allow or deny), determine the
        Profile Setting
        , configure the
        Log Setting
         and other settings.
        For information about using Panorama logs, see Centralized Logging and Reporting and
        View logs
      2. You can optionally forward logs to CDL using the
        Security Policy Rule
         screen. In the
        Log Setting
         field, select the
        Log Forwarding
         drop-down and click
        New Profile.
         In the Log Forwarding Profile, enter a
        name
        for the log and select
        Enable enhanced application logging to Cortex Data Lake (including traffic and url logs)
        .Click
        OK
        .
        For more information about CDL logging, see Explore Logs.
    11. Return to the Cloud NGFW console to view rules created in Panorama. Click
      View XML
       to display information about the rules pushed from Panorama to the global rulestack applied to the cloud device group:
      The rulestack is now associated with the policies applied to the Cloud Device Group created in Panorama:
    12. After applying policies to the cloud device group for the Cloud NGFW tenant, push the changes in the Panorama console.
    13. In the
      Push to Devices
       screen, click
      Edit Selections
      .
    14. In the
      Push Scope Selection
       screen, click
      Cloud NGFW
      . The
      Cloud NGFW
       node was added to the
      Push Scope Selection
      screen to facilitate Cloud NGFW and Panorama integration.
    15. Select the cloud device groups you want to push to the resources, and click
      OK
      , then click
      Push
      .

    Use a Device Group Pushed from Panorama

    The information in this section is provided for users who use the AWS Firewall Manager Service (FMS) to configure device groups pushed from Panorama.
    If you are using FMS, you will not be able to associate a cloud device group with the Cloud NGFW from Panorama; this option is grayed out in the Panorama console. Use the FMS AWS console to create this association.
    1. Link a tenant to Panorama.
    2. Create a cloud device group and push it to the Cloud NGFW. This procedure is the same for users who are not using FMS.
    3. Navigate to the FMS AWS console and edit the policy.
    4. Select the global rulestack that was pushed from Panorama.
    5. Save your changes.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo