Cloud NGFW for Azure
About the Cloud NGFW for Azure.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
|  | Cloud NGFW subscription; Palo Alto Networks Customer Support Portal (CSP) account; Azure Marketplace subscription |
Cloud NGFW is a machine learning (ML)-powered next-generation firewall delivered as a
cloud-native service. With Cloud NGFW, you can run multiple applications securely at
cloud speed and scale with a true cloud-native experience. Cloud NGFW combines
best-in-class network security with ease of use to deliver a fully managed cloud-native
service. It extends Palo Alto Networks threat prevention capabilities to cloud
providers, while being natively integrated into the cloud provider's various service
offerings. Cloud NGFW:
- Minimizes infrastructure management.
- Stops zero-day, web-based threats in real time.
- Secures applications as they connect to legitimate web-based services.
- Simplifies the native cloud provider experience with simple, consistent firewall
policy management across multiple accounts.
- Automates end-to-end workflows with support for API, ARM templates, and
Terraform.
The Cloud NGFW stops web-based attacks, vulnerabilities, exploits, and other known
evasions, including sophisticated file-based attacks, using patented
App-ID traffic classification technology. Cloud NGFW:
- Secures traffic as it crosses trust boundaries, such as Azure VNets and vWANs. The
managed service provided by Cloud NGFW blocks attackers from gaining access to
resources, and stops data exfiltration and command and control (C2) traffic. It's
purpose-built to stop unauthorized or east-west lateral movement.
- Is designed with automation in mind. With rulestack configuration and automated
Security Profiles, Cloud NGFW is designed to meet network security requirements
easily with an intuitive web interface that simplifies the creation of resilient
firewall resources that scale with your network traffic.
- Incorporates an automated cloud firewall model that dynamically scales with your
network traffic and meets unpredictable throughput demands with Gateway Load
Balancing (GWLB) for on-demand high availability and elastic scaling. You can access
as much or as little capacity as you need, and scale up and down as required.
- Integrates security with workflows managed by cloud providers. With Cloud NGFW, the
first next-generation firewall to integrate with cloud providers, you can avoid
lengthy deployment cycles and get up and running quickly, even when setting up
required rulestacks and automated Security Profiles. You can leverage the security
model provided by the chosen cloud provider while integrating with their onboarding,
monitoring, and logging capabilities. Cloud NGFW provides a unique benefit when
integrating with cloud providers. You can take advantage of automatic scaling and
high availability with no maintenance requirements. This integration enables
consistent firewall policy management across multiple cloud provider accounts.
You can use the Cloud NGFW for Azure. With the Cloud NGFW, you can access core NGFW
capabilities including App-ID, URL filtering based on URL categories and geolocations,
and SSL/TLS decryption.
Supported features
The Cloud NGFW for Azure provides the following features:
- Cloud-native deployment and management. Enable next-generation firewall
capabilities in your Azure environment while managing day 0 and day N operations
on Cloud NGFW resources seamlessly, as you would with any other Azure service.
For permissions, use Azure role-based access control (RBAC)
to control Cloud NGFW resources.
- Advanced application visibility and control. Cloud NGFW offers advanced
application awareness and access control using App-ID and URL filtering
techniques.
- Next-generation threat prevention. Palo Alto Networks NGFW features, with
cloud-delivered security services and threat prevention signatures, are provided
across the physical and software-installed base.
The Cloud NGFW for Azure Model
The Cloud NGFW is an Azure Native ISV Service. This approach allows Palo Alto Networks
to develop and manage the firewall as a service (FWaaS) by using hooks provided by the
Azure service, so that the FWaaS can be used natively through the Azure web interface
and APIs. The Cloud NGFW for Azure is accessible in Azure Marketplace. You can use all
the benefits of the Palo Alto Networks NGFW for Azure VNets and vWANs.
Cloud NGFW Components
The Cloud NGFW for Azure includes the following key components:
- The Cloud NGFW. The Cloud NGFW is a managed Azure regional service, available
in select key Azure regions.
- NGFW. Palo Alto Networks uses the NGFW as the resource associated with the
customer’s VNet or vWAN hub. It provides resiliency, scalability, and lifecycle
management. The NGFW manifests as private IP addresses in the NGFW subnet specified
by the user. To use the NGFW resource, update VNet UDRs to send traffic through the
private IP addresses.
- NGFW rulestack. This resource includes a set of security rules along with
associated objects and Security Profiles to enable advanced access control, using
App-ID and URL filtering, and threat prevention features. You can associate a local
rulestack with one or more NGFWs.
Securing traffic with the Cloud NGFW
Cloud NGFW provides you with the tools and functionality to secure inbound traffic,
outbound traffic, and East-West traffic.
Inbound traffic refers to any traffic originating outside of your Azure region and
bound for resources inside your application VNets, such as servers or load balancers.
Cloud NGFW can prevent malware and vulnerabilities from entering your VNet in the
inbound traffic allowed by Azure security groups.
Outbound traffic refers to traffic originating within your application VNet and
bound for destinations outside of the Azure region. Cloud NGFW protects outbound traffic
flows by ensuring that resources in your application VNet connect to allowed services
and allowed URLs while preventing exfiltration of sensitive data and information.
East-West traffic moves within an Azure region. Specifically, it is traffic whose
source and destination are deployed in two different application VNets or in two
different subnets in the same VNet. Cloud NGFW can stop the propagation of malware
within your Azure environment.
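The NGFW only inspects traffic that the VNet UDRs actually send to its private IP addresses, so route tables are worth auditing per traffic direction. The following is an added example, not Palo Alto Networks or Azure code. It models Azure route selection (longest prefix wins, and a UDR beats a system route on a tie) to show which subnets bypass the NGFW for outbound or East-West traffic. The IP addresses, prefixes, and route table names are constructed assumptions. The route fields follow the `az network route-table show` output.

```python
import ipaddress

# All values below are constructed for illustration.
NGFW_IPS = {"10.0.1.4"}                           # assumed NGFW private IP in the NGFW subnet
SYSTEM_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16"]  # own VNet and a peered application VNet
PROBES = {"outbound": "203.0.113.10", "east-west": "10.2.0.10"}

def udr(prefix, hop_type, hop_ip=None):
    # Same field names as the routes in `az network route-table show` output.
    return {"addressPrefix": prefix, "nextHopType": hop_type, "nextHopIpAddress": hop_ip}

ROUTE_TABLES = {
    "rt-app1": [udr("0.0.0.0/0", "VirtualAppliance", "10.0.1.4"),
                udr("10.2.0.0/16", "VirtualAppliance", "10.0.1.4")],
    "rt-app2": [udr("0.0.0.0/0", "VirtualAppliance", "10.0.1.4")],
    "rt-app3": [udr("0.0.0.0/0", "Internet")],
}

def effective_route(udrs, system_prefixes, dest):
    """Route Azure selects: longest prefix wins; on a tie a UDR beats a system route."""
    ip = ipaddress.ip_address(dest)
    candidates = []
    for route in udrs:
        net = ipaddress.ip_network(route["addressPrefix"])
        if ip in net:
            candidates.append((net.prefixlen, 1, route))
    for prefix in system_prefixes:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            candidates.append((net.prefixlen, 0, {"addressPrefix": prefix, "source": "system"}))
    if not candidates:
        return {"addressPrefix": "0.0.0.0/0", "source": "system"}  # default system route
    return max(candidates, key=lambda c: (c[0], c[1]))[2]

def via_ngfw(route):
    """True only for a UDR whose next hop is one of the NGFW private IPs."""
    return (route.get("nextHopType") == "VirtualAppliance"
            and route.get("nextHopIpAddress") in NGFW_IPS)

def audit(udrs, system_prefixes=SYSTEM_PREFIXES, probes=PROBES):
    """Map each traffic direction to True if its probe address is routed via the NGFW."""
    return {name: via_ngfw(effective_route(udrs, system_prefixes, dest))
            for name, dest in probes.items()}

if __name__ == "__main__":
    for name, udrs in ROUTE_TABLES.items():
        gaps = [d for d, ok in audit(udrs).items() if not ok]
        print(f"{name}: {'all probed traffic via NGFW' if not gaps else 'bypasses NGFW: ' + ', '.join(gaps)}")
```

In this sample, `rt-app2` shows the common gap: a default route through the NGFW does not cover East-West traffic, because the more specific system route for the peered VNet still wins.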