Strata Cloud Manager Policy Management

Link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management.
You can link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management. Strata Cloud Manager provides unified management for your entire network security deployment, which allows you to easily manage your Palo Alto Networks security infrastructure from a single, streamlined user interface. With this interface you gain comprehensive visibility into users, branch sites, applications, and threats across all network security enforcement points. This functionality provides actionable insights, better security, and easy troubleshooting and problem resolution.
When using SCM for Cloud NGFW policy management, consider the following:
  • When first connecting to SCM, Cloud NGFW resources (for example, the resource ID) may fail to display. These resources will appear after a few moments if there are no underlying connection issues.
  • Best practices for Cloud NGFW SCM policy management differ from those for Panorama policy management with your Cloud NGFW resource. For example, some pass-through traffic in a Panorama-managed environment may be dropped in an SCM-managed Cloud NGFW resource.
  • X-forwarded functionality is not supported in SCM policy management for your Cloud NGFW resource.
  • Cloud certificate is not supported.
  • DLP is not supported.
  • When configuring security rules for your SCM-managed Cloud NGFW resource, you must specify ANY for the security rule. However, from/to zone appears as the data zone in the Strata Logging Service.

Link Your Cloud NGFW Resource with Strata Cloud Manager Policy Management

To integrate your Cloud NGFW resource with Strata Cloud Manager Policy Management:
  1. Log in to the Cloud NGFW console.
  2. Select Integrations.
  3. In the Policy Manager screen, click Add Policy Manager.
  4. In the Add Policy Manager section, select Strata Cloud Manager for the Manage Type.
  5. Enter a descriptive name.
  6. Use the drop-down menu to select the SCM Tenant you want to associate with the resource.
    The Customer Support Portal (CSP) account must be the same for both SCM and CNGFW.
  7. Click Save. This effectively links your Cloud NGFW resource to the SCM tenant.
    After saving the configuration, the Integrations page is updated to reflect the new policy management paradigm, along with the associated Link ID and SCM Serial Number/Tenant Name.
    To view information about an individual linked SCM tenant, click the Link ID in the Policy Manager screen. You can use the Edit Policy Management screen to change the Link Name and view information.

Associate a Firewall with Strata Cloud Manager Policy Management

After you establish a link to Strata Cloud Policy Management, you can associate a new firewall with the linked SCM tenant:
  1. Log in to the Cloud NGFW console.
  2. Select NGFWs.
  3. Click Create Firewall.
  4. In the Create Firewall screen, enter a name for the firewall.
  5. Optionally include a description.
  6. In the Policy Management section, select Strata Cloud Manager.
  7. In the Policy Manager drop-down menu, select the linked SCM tenant you want to associate with the firewall.
  8. Configure Endpoint Management to secure traffic in multiple AWS availability zones.
    1. Determine if you want Cloud NGFW to create endpoints automatically on your VPC subnets. Select Yes for service-managed endpoints.
      By default, the Cloud NGFW resource does not automatically create these endpoints; the radio button is set to No.
    2. Use the drop-down to select the AWS Account ID.
    3. Use the drop-down to select the VPC.
    4. Use the Subnet field to select an available subnet.
    5. Click Save.
    The NGFW screen changes to reflect the newly created firewall. It takes approximately 6-10 minutes to complete the process of creating a new firewall; the Status indicates CREATING.
    Click the NGFW Name to display detailed information about the firewall. Note that limited information is displayed as the firewall is being created.

View the Firewall in Strata Cloud Manager

After you have linked your Cloud NGFW resource to an SCM tenant and have created a firewall, you can use SCM for policy management.
When you log in to Strata Cloud Manager, the dashboard fails to display the Cloud NGFW count under NGFW > Software.
  1. Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
  2. In the Strata Cloud Manager interface, locate your Cloud NGFW tenant using the left-hand navigation option.
    This exposes the available tenants that are linked to your Cloud NGFW resource; you can alternately search for the tenant using the tenant name or id.
  3. Select Workflows > NGFW Setup > Device Management.
  4. The Device Management screen displays the NGFWs and Cloud NGFWs. Click Cloud NGFWs to display the firewalls associated with the SCM tenant.
    The Device Management screen displays the Cloud NGFW resources that are currently managed by SCM.
    The Device Management screen displays the following fields:
    • Name. Represents the name of the Cloud NGFW resource.
    • Resource ID. Indicates the resource ID associated with the NGFW resource.
    • CNGFW Tenant ID. The ID associated with the Cloud NGFW tenant that is linked to SCM.
    • CNGFW Tenant Serial Number. The serial number associated with the Cloud NGFW tenant.
    • Labels. An arbitrary label assigned to the Cloud NGFW.
    • Cloud Provider. Indicates the cloud provider associated with the Cloud NGFW resource.
    • Region/Location. The region in which the Cloud NGFW resource is located.
    • Config Sync Status. The status of the Cloud NGFW resource.
  5. The Device Management screen groups your Cloud NGFW resources into folders. To view the structure of these folders, select Workflows > Folder Management.
    The Folder Management screen displays the Cloud NGFW resources associated with the SCM tenant.

Use Strata Cloud Manager for Cloud NGFW Policy Management

You can use Strata Cloud Manager to globally apply security policies to the Cloud NGFW resources comprising a folder.
  1. In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
  2. Select Configuration Scope.
  3. In the drop-down list, locate the folder containing the Cloud NGFW AWS resources.
  4. In the Overview page, select Security Services.
  5. In the Security Services drop-down list, select Security Policy.
    For more information about configuring Security Policy using Strata Cloud Manager, see Manage Security Policy.

Create a Folder for Your Cloud NGFW Resource using Strata Cloud Manager

After configuring the appropriate subscription to use the Strata Cloud Manager service for your Cloud NGFW resource, you create a folder to view data associated with your firewall. Folders are used to logically group your firewalls or deployment types (for example, a service connection for your Cloud NGFW resource) for simplified configuration management. You can create a folder that contains multiple nested folders to group firewalls and deployments that require similar configurations. Folders that are already nested can have multiple nested folders as well.
Folders for other Palo Alto Networks applications, like Prisma Access, and your NGFWs are separate; you can't group NGFWs in a folder with Prisma Access deployments. However, you can easily apply shared settings globally across all folders or use Manage: Snippets to easily apply standard settings and policy requirements across multiple folders.
To create a folder for your Cloud NGFW resource:
  1. Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
  2. In the Strata Cloud Manager interface, select Workflows > NGFW Setup > Folder Management and click Add Folder.
  3. In the Create Folder screen:
    1. Enter a descriptive name for the folder.
    2. Optionally provide a description for the folder.
    3. Optionally assign one or more labels. You can select an existing label or create a new label by typing the label you want to create. For example, use the Labels drop-down to select cngfw.
    4. Specify where to create the folder using the drop-down menu. You can select All Firewalls, or select an existing folder to nest the folder under it. This is a required field.
    5. Click Create.

Monitor and Troubleshoot using Strata Cloud Manager

You can use Strata Cloud Manager to learn about the status of your Cloud NGFW resource. Use the Monitor functionality provided by SCM to learn about:
  • Products and subscriptions you’re managing with Strata Cloud Manager.
  • The health and connectivity status of your Cloud NGFW devices.
For more information, see Monitor in Strata Cloud Manager.
To use Strata Cloud Manager to monitor your Cloud NGFW resource:
  1. Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
  2. In the interface, select Monitor.
