Deploy Prisma AIRS AI Runtime, VM-Series, and CNGFW Firewalls

Deploy Prisma AIRS AI Runtime and VM-Series firewalls in public clouds.
Where Can I Use This? | What Do I Need?
  • Prisma AIRS AI Runtime Security
This section provides an overview of the deployment workflow for Prisma AIRS AI Runtime Firewall, VM-Series, and CNGFW firewalls in public cloud environments. The firewall can be deployed in-line with your traffic to actively monitor and protect your network in real time.
You can use the deployment workflow in Strata Cloud Manager (AI Security > AI Runtime Firewall) to generate a Terraform template. This template deploys either Prisma AIRS AI Runtime Firewall or VM-Series firewalls in your cloud environment.
Additionally, you can Auto-Execute the deployment of AI Runtime firewalls and VM-Series firewalls in AWS and Azure.
Management: Depending on the type of deployment Terraform template that you create and deploy in your environment, the firewall can be managed by either Strata Cloud Manager or Panorama.
The following sections summarize the deployment workflow, provide links to detailed steps, and explain how to view and manage your deployment Terraform templates.
Additional Deployment Options:

Deploy Cloud NGFW from Strata Cloud Manager

In addition to using cloud-native portals, you can initiate the deployment of Cloud NGFW directly from the Strata Cloud Manager (SCM) unified workflow.
  1. Access the Deployment Workflow:
    • Log in to the Strata Cloud Manager console.
    • Go to Insights > Discovery.
    • Click the Add Firewall (+) icon and select Add Firewall Deployment.
  2. Select Management Type:
    • In the Firewall Management section, select PANW Managed.
  3. Choose Your Cloud Provider:
    • For CNGFW for AWS:
      • Select Amazon Cloud Platform.
      • Click Create Firewall.
        SCM redirects you to the integrated Cloud NGFW for AWS setup wizard within the SCM console to finalize your tenant and regional configuration. For more information, see Deploy and Manage Cloud NGFW resources.
    • For CNGFW for Azure:
      • Select Azure.
      • Click Go to Microsoft Azure Portal. You will be redirected to the Microsoft Azure Portal to complete resource provisioning for the managed service.

Deploy, Configure, and Secure High-Level Workflow

This is the high-level workflow to:
  • Deploy Prisma AIRS AI Runtime Firewall and VM-Series firewall.
    Select the deployment workflow for your chosen platform and cloud provider.
  • Configure Strata Cloud Manager or Panorama to secure your resources: VM workloads and Kubernetes clusters (at the namespace level with traffic steering inspection). Also, configure interfaces, zones, NAT policy, and routers.
    Enable SSL/TLS decryption on Prisma AIRS Firewall to decrypt traffic between AI applications and the AI models to detect and enforce AI security protection.
  • (Optional) Configure IP-tag harvesting to collect the application tags from your public and hybrid Kubernetes clusters and enforce security policy rules based on these harvested application tags.
  • Create security policy rules to inspect AI and traditional traffic.
  • Monitor: Threat Logs and AI Security Logs.

View and Manage Terraform Templates

  1. Log in to Strata Cloud Manager.
  2. Navigate to AI Security > AI Runtime Firewall.
  3. Select Network from the AI Runtime Security drop-down list at the top.
  4. Click on the Terraform deployment shield icon on the top right.
  5. View a list of Terraform templates under the Firewall Protection tab:
    1. Terraform template name.
    2. Deployment Status (deployed or not deployed).
    3. Application Type (AI Runtime Security or VMSeries).
      To confirm that the Prisma AIRS AI Runtime Firewall is deployed in your cloud environment, ensure that the Application Type is listed as "AI Runtime Security."
    4. Cloud type, which the network intercept will protect.
    5. Strata Cloud Manager Region.
    6. The Managed by column indicates the platform used to manage your firewall:
      • cloud for firewalls managed by Strata Cloud Manager.
      • panorama:<ip-address> for firewalls managed by Panorama.
      For Panorama managed firewalls, the dashboard displays a status of "Not Deployed". To verify successful deployment, check that the Managed By field shows the IP address of your Panorama instance.
    7. Number of Applications discovered (protected and unprotected).
    8. Terraform Creation date.
    9. In the Actions tab you can:
      • Download Terraform templates
      • Delete Terraform templates
      • View associated firewalls for each template