Panorama Integration
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Panorama Integration
Cloud NGFW and Panorama Integration
Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a
cloud-native service on Azure. With Cloud NGFW, you can run more apps securely at cloud
speed and cloud-scale with an actual cloud-native experience. You get to experience the
best of both worlds with natively integrated network security delivered as a service on
Azure.
This document explains how to configure and integrate Cloud NGFW for Azure with Palo Alto
Networks Panorama.
You can use a Panorama appliance to manage a shared set of security rules centrally on
Cloud NGFW resources alongside your physical and virtual firewall appliances. You can
also manage all aspects of shared objects and profiles configuration, push these rules,
and generate reports on traffic patterns or security incidents of your Cloud NGFW
resources, all from a single Panorama console.
Panorama provides a single location from which you can have centralized policy and
firewall management across hardware firewalls, virtual firewalls and cloud firewalls
which increases operational efficiency in managing and maintaining a hybrid network of
firewalls.
How does integration work?
When you create a Cloud NGFW resource using the Azure Portal, you have the option to use Palo Alto Networks
Panorama to manage your security policies. You can then manage a shared set of security
rules centrally on Cloud NGFW resources you create alongside your physical and virtual
firewall appliances, and you can use logging, reporting and log analytics, all from
a single Panorama console.
When a firewall reaches an unhealthy state and
is disconnected, it is removed from Panorama after a period of time, typically 3
days. This ensures that the firewall is not deleted prematurely.
Integration Components
The following Palo Alto Networks components are used to integrate your Cloud NGFW resource
with Panorama.
Palo Alto Networks Policy Management is the primary and mandatory component of the
solution. You must use a Panorama appliance to author and manage policies for
your Cloud NGFW resources. The policy management component also helps to associate your
authored policies and objects to multiple Cloud NGFW resources in different Azure
regions.
Panorama Azure Plugin is a mandatory component of this solution. The Panorama
Azure plugin enables you to create Cloud Device Groups and Cloud Template stacks which
help you manage policies and objects on NGFW resources linked with Panorama.
Cloud Device Groups (Cloud DG) are special-purpose Panorama Device groups that
allow you to author rules and objects for Cloud NGFW resources. You create Cloud DGs
using the Panorama Azure Plugin UI by specifying the Cloud NGFW resource and Azure
region information. Cloud DG manifests as a global rulestack in that region.
- You can create multiple Cloud Device Groups using the Panorama Azure plugin.
- You can use the native Panorama UI’s device-group page to manage policy and object configurations in Cloud Device Groups and their associated objects and security profiles.
- You can also leverage your existing shared objects and profiles in your existing Panorama device groups by referring to them in the security rules you create in your Cloud Device groups.
- Alternatively, you can add these Cloud DGs to the device-group hierarchy you manage in your Panorama to inherit the DG rules and objects. However, Cloud NGFWs currently cannot enforce all inherited rules by the Cloud Device Group, such as those using security zones or users.
- You can associate the same Cloud DG with multiple regions of the Cloud NGFW resource. This Cloud DG will manifest as a dedicated global rulestack in each Azure region of your Cloud NGFW resource.
Cloud Template Stacks (Cloud TS) are special-purpose Panorama Template stacks that
allow your security rules in Cloud Device groups to refer to object settings that
Panorama allows you to manage using templates. When creating a Cloud DG, the Panorama
Azure plugin enables you to create or specify a Cloud Template Stack. The plugin
automatically creates this Cloud TS and adds it to the Cloud device group as a reference
template stack. From now on, you can use the native Panorama UI’s Template Stack page to
configure your templates and add them to these Cloud template stacks.
You cannot change the template stack name after deploying the
Cloud NGFW.
- Palo Alto Networks Cloud NGFW service manages most device and network configurations in your Cloud NGFW resources. Therefore Cloud NGFW will ignore infrastructure settings such as interfaces, zones, and routing protocols if you have configured them in templates added to the Cloud TS.
- Cloud NGFW currently honors Certificate management and log settings in your templates as referenced by the Cloud DG configuration. It ignores all other settings.
You do not assign managed devices to Cloud Device Groups and Cloud Template
Stacks.
Integration Steps
There are a few steps to integrate Cloud NGFW with Panorama. You first prepare your
Panorama virtual appliance for this integration by installing the Azure plugin. Once you
have successfully linked Cloud NGFW, use Panorama to manage security objects and
rules.
To integrate the Cloud NGFW service with your Panorama virtual appliance:
- Verify Panorama meets the Panorama Integration Prerequisites.
- Link Panorama to the Cloud NGFW.
- Use Panorama for Cloud NGFW policy management.
Consider the following when integrating your
Cloud NGFW resource with Panorama:
- To move a Cloud NGFW resource to another Panorama, you must redeploy it.
- If you add a log collector after deploying the Cloud NGFW resource you must redeploy it.
- If you change the Panorama IP address must also redeploy it.