Cloud NGFW for Azure
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Cloud NGFW for Azure
The Cloud NGFW for Azure
Cloud NGFW is a machine learning (ML) next-generation firewall delivered as a
cloud-native service. With Cloud NGFW, you can run multiple applications securely at
cloud speed and scale with a true cloud-native experience. Cloud NGFW combines
best-in-class network security with ease of use to deliver a fully managed cloud native
service. It extends Palo Alto Networks threat prevention capabilities to cloud
providers, while being natively integrated into the cloud providers various service
offerings. Cloud NGFW:
- Minimizes infrastructure management.
- Stops zero-day, web-based threats in real-time.
- Secures applications as they connect to legitimate web-based services.
- Simplifies the native cloud provider experience with simple, consistent firewall policy management across multiple accounts.
- Automates end-to-end workflows with support for API, ARM templates and Terraform.
The Cloud NGFW stops web-based attacks, vulnerabilities, exploits and other known
evasions, including sophisticated file-based attacks, using patented App-ID traffic classification technology. Cloud
NGFW:
- Secures traffic while crossing trust boundaries, like Azure VNets and vWANs. The managed service provided by Cloud NGFW blocks attackers from gaining access to resources, and stops data exfiltration and command-and-control (C2) traffic. It is purpose-built to stop unauthorized or east-west lateral movement.
- Is designed with automation in mind. With rulestack configuration and automated security profiles, Cloud NGFW is designed to meet network security requirements easily with an intuitive user interface that simplifies the creation of resilient firewall resources that scale with your network traffic.
- Incorporates an automated cloud firewall model that dynamically scales with your network traffic and meets unpredictable throughput demands with Gateway Load Balancing (GWLB) for on-demand high availability and elastic scaling. You can access as much or as little capacity as you need, and scale up and down as required.
- Integrates security with workflows managed by cloud providers. With Cloud NGFW, the first next-generation firewall to integrate with cloud providers, you can avoid lengthy deployment cycles and get up and running quickly, even when setting up required rulestacks and automated security profiles. You can leverage the security model provided by the chosen cloud provider while integrating with their onboarding, monitoring and logging capabilities. Cloud NGFW provides a unique benefit when integrating with cloud providers. You can take advantage of automatic scaling and high availability with no maintenance requirements. This integration enables consistent firewall policy management across multiple cloud provider accounts.
You can use the Cloud NGFW for Azure. With the Cloud NGFW, you can access core NGFW
capabilities including App-ID, URL filtering based on URL categories and geolocations,
and SSL/TLS Decryption.
Supported features
The Cloud NGFW for Azure provides the following features:
- Cloud-native deployment and management. Enable next-generation firewall capabilities in your Azure environment while managing day 0 and day N operations on Cloud NGFW resources seamlessly, as you would with any other Azure service. For permissions, use Azure role-based access control (RBAC) to control Cloud NGFW resources.
- Advanced application visibility and control. Cloud NGFW offers advanced application awareness and access control using App-ID and URL filtering techniques
- Next-generation threat prevention. Palo Alto Networks NGFW features, with cloud-delivered security services and threat prevention signatures are provided across the physical and software installed base.
The Cloud NGFW for Azure Model
The Cloud NGFW is an Azure Native ISV Service. This approach allows
Palo Alto Networks to develop and manage the FWaaS by using hooks provided by the Azure
service to leverage the FWaaS natively through the Azure UI and APIs. The Cloud NGFW for
Azure is accessible in Azure Marketplace. You can use all the
benefits of Palo Alto Network’s NGFW for Azure’s VNets and vWANs.
Cloud NGFW Components
The Cloud NGFW for Azure includes the following key components:
- The Cloud NGFW. The Cloud NGFW is a managed Azure regional service, available in select key Azure regions.
- NGFW. Palo Alto Networks uses the NGFW as the resource associated with the customer’s vNET or vWAN hub. It provides resiliency, scalability, and lifecycle management. The NGFW manifests as private IP addresses in the NGFW subnet specified by the user. To use the NGFW resource, update VNet UDRs to send traffic through the private IP addresses.
- NGFW rulestack. This resource includes a set of security rules along with associated objects and security profiles to enable advanced access control, using App-ID and URL filtering, and threat prevention features. You can associate a local rulestack with one or more NGFWs.
Securing traffic with the Cloud NGFW
Cloud NGFW provides you with the tools and functionality to secure inbound traffic,
outbound traffic, and East-West traffic.
Inbound traffic refers to any traffic originating outside of your Azure region and
bound for resources inside your application VNets, such as servers or load balancers.
Cloud NGFW can prevent malware and vulnerabilities from entering your VNet in the
inbound traffic allowed by Azure security groups.
Outbound traffic refers to traffic originating within your application VNet and is
bound for destinations outside of the Azure region. Cloud NGFW protects outbound traffic
flows by ensuring that resources in your application VNet connect to allowed services
and allowed URLs while preventing exfiltration of sensitive data and information.
East-West traffic moves within an Azure region. Specifically, traffic between
source and destination deployed in two different application VNets or in two different
subnets in the same VNet. Cloud NGFW can stop the propagation of malware within your
Azure environment.