Link the Cloud NGFW to Palo Alto Networks Management
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Link the Cloud NGFW to Palo Alto Networks Management
Link Cloud NGFW to Panorama
Create a Cloud Device Group
After preparing your environment for integration, you can link your Cloud NGFW to
the Panorama virtual appliance and start using policy management. You start by
creating a Cloud Device Group.
With Panorama, you group firewalls in your network into logical units called
device groups. A device group enables grouping based on
network segmentation, geographic location, organizational function, or any other
common aspect of firewalls requiring similar policy configurations.
Using device groups, you can configure policy rules and the objects they
reference. Organize device groups hierarchically, with shared rules and objects
at the top, and device group-specific rules and objects at subsequent levels.
This enables you to create a hierarchy of rules that enforce how firewalls
handle traffic.
See Manage Device Groups for more
information.
To add a cloud device group and template stack using the Panorama console:
- In the Panorama console, select Panorama.In the navigation tree, select the Azure plugin.Expand the Azure plugin to display configuration options. Select Cloud NGFW to display the Cloud Device Group screen. If the Cloud NGFW option does not appear, verify that you have installed the Azure plugin successfully; select PanoramaPlugins to display the list of installed plugins.In the lower left portion of the Panorama console, click Add to create a new Cloud Device Group.In the Cloud Device Group screen:
- Enter a unique Name for the cloud device group.Enter a Description.Use the drop-down menu to select the Parent Device Group. By default, this value is shared.Select the Template Stack from the drop-down menu. Or, click Add to create a new one. You cannot change the template stack name after deploying the Cloud NGFW.Select the Panorama IP address used by the deployment. The drop-down menu allows you to select either the private or public IP address.Optionally select the Panorama HA Peer IP address.Optionally use the drop-down menu to select the Collector Group.Provide the PIN ID. This value is provided by the Customer Support Portal.To retrieve the PIN, you need a Palo Alto Networks Customer Support Portal (CSP) account.The PIN ID should have an expiration of one year. This is optional if you have already registered the Cloud NGFW serial number. If it is not already registered, register your Cloud NGFW using the serial number in for the same CSP account where you registered your Panorama virtual appliance.To retrieve the PIN ID and PIN Value, log into the Customer Support Portal as a registered user.On the Customer Support Portal page, select AssestsDevice Certificates.On the Device Certificate page, select Generate Registration PIN for the VM-Series firewall.Copy the newly created registration IDs, and paste it into the PIN ID and PIN Value field in the Cloud Device Group screen.Confirm the PIN ID and PIN Value.Optionally configure Zone Mapping for the Cloud Device Group. Only 2 zones are supported: public/private.Click OK.Commit your change in the Panorama console to create the cloud device group. Next, Generate the registration string to create the Cloud NGFW resource and deploy in Azure.In some cases, you may experience a validation error when configuring a Cloud Device Group. To resolve this issue, ensure that the Azure Plugin for Panorama is properly installed using administrator credentials. For HA environments, install the plugin on the secondary node, then install the plugin on the primary node.
Generate the registration string to create the Cloud NGFW and deploy in Azure
After you commit the change to create the cloud device group, you can generate the registration string. This string is used to create and deploy the Cloud NGFW in Azure.To retrieve the PIN:- In the Panorama console, locate the Cloud Device Group you created in the previous section.In the Registration String field, click Generate.Select Copy Registration String.After copying the registration string, access Azure Marketplace to create a Cloud NGFW resource.In Azure Marketplace, select Cloud NGFWs.Click + Create to create a new Cloud NGFW resource.Follow the setup instructions to Create Palo Alto Networks Cloud NGFW.
- Configure Basic information.Configure Networking.Configure Security Policies. In the Manged by section, select Palo Alto Networks Panorama.After selecting Managed by Palo Alto Networks Panorama, the Security Policies page changes to include the Panorama Registration String field. Enter the registration string you copied in Step 3 above.Continue creating the Cloud NGFW resource by specifying information for DNS Proxy, Tags, and Terms. Review your configuration, then click Create.Creating a Cloud NGFW resource may take approximately 10-15 minutes.The Panorama console is now linked to the Cloud NGFW resource.