Sample Configuration for Post vWAN Deployment
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Sample Configuration for Post vWAN Deployment
Sample configuration for post vWAN deployments in CNGFW for Azure.
Post deployment
After verifying the deployment, perform the following post deployment tasks:
Create or update a rulestack
To update an existing rulestack:
- In the Azure Resource Manager (ARM) console, click Rulestacks for the Cloud NGFW resource you want to configure. The rulestack associated with the Cloud NGFW service appears, along with the resource group.Modify the rulestack to add firewall rules. These rules allow some traffic while blocking specific traffic. By default, Cloud NGFW blocks all traffic. Search for the local rulestack you created previously using the global search option provided by the Azure portal.Select the previously created local rulestack associated with your Cloud NGFW subscription, then select Rules.In the Local Rules section, click Add. In the Add Rule window, modify the rules. For example, add a rule that allows traffic; complete the mandatory fields and use the default settings for remaining fields.Enable logging for the rule. In the Add Rule window, select Logging.Click Validate, then Add to add the rule to the rulestack.Add a FQDN list that specifies a URL, then specify an action to take. For example, you can apply an action to the FQDN rule to drop traffic attempting to access the URL www.facebook.com.Verify that the URL you entered appears in the FQDN list.Return to the Rules setting page and add a rule that matches the newly created FQDN list. Set the action to Drop traffic.Both rules appear in the Local Rules page.As part of the Cloud NGFW service, security profiles are enabled with best practice configurations by default. Traffic is secured with the best security profiles when you start and deploy the service. Select Profiles to view these security profiles.After modifying rules, deploy them onto the local rulestack associated with the Cloud NGFW service. Click Deployment. The deployment status appears as Candidate; this means that the configuration was built but not yet deployed. Click Deploy Configuration to deploy the configuration onto the Cloud NGFW service. You must complete this step to deploy the rulestack.After clicking Deploy Configuration, a message displays the firewalls associated with the rulestack. Click Deploy to configure this rulestack on all the associated firewalls using the rulestack.After successfully deploying the configuration, the screen displays the deployment status as Running (the Cloud NGFW and local rulestack are successfully deployed).
Source/destination NAT rule on the Cloud NGFW
Configure a destination NAT rule with frontend configuration on the Cloud NGFW to direct inbound traffic towards an application on the vWAN.- Access the Networking & NAT settings screen for the Cloud NGFW resource. In this screen, determine if the network type is Virtual WAN Hub and the status of the Source NAT field (enabled or disabled); if Source NAT was enabled, it appears in this screen.Click Edit to add the Destination NAT rule.Add a Destination NAT rule for the frontend configuration. The frontend IP address represents the public IP address associated with the Cloud NGFW. Use the drop-down menu to select the address.Add frontend setting information to the rule, and click Add.Once the destination NAT rule is added, click Save to deploy the configuration to the Cloud NGFW resource.After successfully saving the configuration, the Destination Network Address Translation (DNAT) field displays the updates; the address http://frontendIP:8080 is redirected to the noted application on the specified port through the Cloud NGFW; inbound traffic is now flowing through the Cloud NGFW.
Configure Logging
Before configuring logging on the Cloud NGFW, create the Log Analytics workspace on Azure.- In the Azure portal search for the Azure Log Analytics workspace. Click Log Analytics Workspaces to add it as a service.Click Create to establish a new Log Analytics workspace.In the Create Log Analytics workspace provide Instance details. Select the Name of the workspace from the drop-down menu, and specify the Region.Configure log settings in the Cloud NGFW resource. Select Log Settings. Click Edit.In the Log Settings field, select the Log Analytics workspace previously created, then click Save.
Add application vNETs as Virtual Networks Connections to the Virtual WAN
Add an application vNET as Virtual Network Connections to the Virtual WAN hub.- In your vWAN resource, select Virtual Network Connections.Click Add connection.Select the vNET you want to configure as the Virtual Network, then click Create.Select another vNET for the second Virtual Network, then click Create.After successfully connecting the virtual networks to the vHub, verify that the status is Connected.
Configure vWAN Hub Routing Intent and Routing Policies
Routing policies within the virtual WAN hub are used to route traffic through the Cloud NGFW service. To route internet bound traffic and private traffic (spoke to spoke) you need to configure the next hop as the vWAN Cloud NGFW.vWAN routing intent, routing policies and SaaS functionality is currently being developed by Microsoft for the Azure Portal. The target availability date for every region where Cloud NGFW is available is Tuesday, May 9, 2023.- In your vWAN resource, select Routing Intent and Routing Policies.Select the Internet traffic and the Next Hop Resource from the drop-down menus, then click Save.After configuring routing policies, verify the routing table was updated to route traffic through Cloud NGFW. Click Route Tables and select Default in the Route Tables section.You can Edit the route table to provide details related to the routes associated with the Default Routing table. Traffic going out to the internet or to other vNETs is routed through the Cloud NGFW.Select another vNET for the second Virtual Network, then click Create.After successfully connecting the virtual networks to the virtual WAN hub, verify that the status is Connected.