Cloud NGFW for AWS
    : Strata Cloud Manager Policy Management
    Focus
    Download PDF
    Focus
    1. Home
    2. AWS
    3. Cloud NGFW for AWS
    4. Strata Cloud Manager Policy Management
    Download PDF

    Cloud NGFW for AWS

    Strata Cloud Manager Policy Management

    Table of Contents

    Strata Cloud Manager Policy Management

    Link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management.
    You can link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management. Strata Cloud Manager provides unified management for your entire network security deployment, which allows you to easily manage your Palo Alto Networks security infrastructure from a single, streamlined user interface. With this interface you gain comprehensive visibility into users, branch sites, applications, and threats across all network security enforcement points. This functionality provides actionable insights, better security, and easy troubleshooting and problem resolution.
    When using SCM for Cloud NGFW policy management, consider the following:
    • When first connecting to SCM, Cloud NGFW resources (for example, the resource ID) may fail to display. These resources will appear after a few moments if there are no underlying connection issues.
    • Best practices for Cloud NGFW SCM policy management differ from those using Panorama policy management with your Cloud NGFW resource. For example, some pass-through traffic in a Panorama managed environment may be dropped in a SCM managed Cloud NGFW resource.
    • X-forwarded functionality is not supported in a SCM policy management for your Cloud NGFW resource.
    • Cloud certificate is not supported.
    • DLP is not supported.
    • When configuring security rules for your SCM managed Cloud NGFW resource, you must specify ANY for the security rule. However, from/to zone appears as the data zone in the Strata Logging Service.

    Link Your Cloud NGFW Resource with Strata Cloud Manager Policy Management

    To integrate your Cloud NGFW resource with Strata Cloud Manager Policy Management:
    1. Log in to the Cloud NGFW console.
    2. Select Integrations.
    3. In the Policy Manager screen, click Add Policy Manager.
    4. In the Add Policy Manager section, select Strata Cloud Manager for the Manage Type.
    5. Enter a descriptive name.
    6. Use the drop-down menu to select the SCM Tenant you want to associate with the resource.
      The Customer Support Portal (CSP) account must be the same for both SCM and CNGFW.
    7. Click Save. This effectively links your Cloud NGFW resource to the SCM tenant.
      After saving the configuration the Integrations page is updated to reflect the new policy management paradigm, along with the associated Link ID and SCM Serial Number/Tenant Name:
      To view information about an individual linked SCM tenant, click the Link ID in the Policy Manager screen. You can use the Edit Policy Management screen to change the Link Name and view information:

    Associate a Firewall with Strata Cloud Manager Policy Management

    After you establish a link to Strata Cloud Policy Management, you can associate a new firewall with the linked SCM tenant:
    1. Log in to the Cloud NGFW console.
    2. Select NGFWs.
    3. Click Create Firewall.
    4. In the Create Firewall screen, enter a name for the firewall.
    5. Optionally include a description.
    6. In the Policy Management section, select Strata Cloud Manager.
    7. In the Policy Manager drop-down menu, select the linked SCM tenant you want to associate with the firewall.
    8. Configure Endpoint Management to secure traffic in multiple AWS availability zones.
      1. Determine if you want Cloud NGFW to create endpoints automatically on your VPC subnets. Select Yes for service-managed endpoints.
        By default, the Cloud NGFW resource does not automatically create these endpoints; the radio button is set to No.
      2. Use the drop-down to select the AWS Account ID.
      3. Use the drop-down to select the VPC.
      4. Use the Subnet field to select an available subnet.
      5. Click Save.
      The NGFW screen changes to reflect the newly created firewall. It takes approximately 6-10 minutes to complete the process of creating a new firewall; the Status indicates CREATING:
      Click the NGFW Name to display detailed information about the firewall. Note that limited information is displayed as the firewall is being created:

    View the Firewall in Strata Cloud Manager

    After you have linked your Cloud NGFW resource to a SCM tenant and have created a firewall you can use SCM for policy management.
    When you log into Strata Cloud Manager, the dashboard fails to display the Cloud NGFW count under NGFW > Software.
    1. Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
    2. In the Strata Cloud Manager interface, locate your Cloud NGFW tenant using the left hand navigation option:
      This exposes the available tenants that are linked to your Cloud NGFW resource; you can alternately search for the tenant using the tenant name or id.
    3. Select Workflows > NGFW Setup > Device Management:
    4. The Device Management screen displays the NGFWs and Cloud NGFWs. Click Cloud NGFWs to display the firewalls associated with the SCM tenant:
      The Device Management screen displays the Cloud NGFW resources that are currently managed by SCM:
      The Device Management screen displays the following fields:
      • Name. Represents the name of the Cloud NGFW resource.
      • Resource ID. Indicates the resource ID associated with the NGFW resource.
      • CNGFW Tenant ID. The ID associated with the Cloud NGFW tenant that is linked to SCM.
      • CNGFW Tenant Serial Number. The serial number associated with the Cloud NGFW tenant.
      • Labels. An arbitrary label assigned to the Cloud NGFW.
      • Cloud Provider. Indicates the cloud provider associated with the Cloud NGFW resource.
      • Region/Location. The region in which the Cloud NGFW resource is located.
      • Config Sync Status. The status of the Cloud NGFW resource.
    5. The Device Management screen groups your Cloud NGFW resources into folders. To view the structure of these folders, select Workflows > Folder Management:
      The Folder Management screen displays the Cloud NGFW resources associated with the SCM tenant:

    Use Strata Cloud Manager for Cloud NGFW Policy Management

    You can use Strata Cloud Manager to globally apply security policies to the Cloud NGFW resources comprising a folder.
    1. In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
    2. Select Configuration Scope.
    3. In the drop-down list, locate the folder containing the Cloud NGFW AWS resources:
    4. In the Overview page, select Security Services:
    5. In the Security Services drop-down list, select Security Policy:
      For more information about configuring Security Policy using Strata Cloud Manager, see Manage Security Policy.

    Create a Folder for Your Cloud NGFW Resource using Strata Cloud Manager

    After configuring the appropriate subscription to use the Strata Cloud Manager service for your Cloud NGFW resource, you create a folder to view data associated with your firewall. Folders are used to logically group your firewalls or deployment types (for example, a service connection for your Cloud NGFW resource) for simplified configuration management. You can create a folder that contains multiple nested folders to group firewalls and deployments that require similar configurations. Folders that are already nested can have multiple nested folders as well.
    Folders for other Palo Alto Networks applications, like Prisma Access, and your NGFWs are separate; you can't group NGFWs in a folder with Prisma Access deployments. However, you can easily apply shared settings globally across all folders or use Manage: Snippets to easily apply standard settings and policy requirements across multiple folders.
    To create a folder for your Cloud NGFW resource:
    1. Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
    2. In the Strata Cloud Manager interface, select Workflows > NGFW Setup > Folder Management and click Add Folder.
    3. In the Create Folder screen:
      1. Enter a descriptive name for the folder.
      2. Optionally provide a description for the folder.
      3. Optionally assign one or more labels. You can select an existing label or create a new label by typing the label you want to create. For example, use the Labels drop-down to select cngfw.
      4. Specify where to create the folder using the drop-down menu. You can select All Firewalls, or select an existing folder to nest the folder under it. This is a required field.
      5. Click Create.
      Enter a descriptive name for the folder.

    Monitor and Troubleshoot using Strata Cloud Manager

    You can use Strata Cloud Manager to learn about the status of your Cloud NGFW resource. Use the Monitor functionality provided by SCM learn about:
    • Products and subscriptions you’re managing with Strata Cloud Manager.
    • The health and connectivity status of your Cloud NGFW devices.
    For more information, see Monitor in Strata Cloud Manager.
    To use Strata Cloud Manager to monitor your Cloud NGFW resource:
    1. Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
    2. In the interface, select Monitor:

    © 2024 Palo Alto Networks, Inc. All rights reserved.