Azure

1. Log in to Strata Cloud Manager.
2. Navigate to AI Security AI Runtime Firewall.
3. Select Add Protections ("+" icon).
4. Select Cloud Service Provider as Azure and choose Next.

   If you arrived at the Firewall Deployment wizard from the Cloud Asset Map, the cloud service is already selected.
5. In Firewall Placement, select:

   1. Select the Traffic Streams to Inspect:

      • AI queries and responses: traffic between your applications and AI models
      • Inbound traffic to cloud applications: user to application traffic
      • Outbound traffic from cloud applications: application to the internet traffic
      • Inter VPC/VNet communication: application to application traffic
      • Select All Traffic: select this option to inspect all traffic streams.
   2. Select your Azure Account and the Region.
   3. Select Auto-Execute as your Deploy Type.
   4. Click Next.
6. Choose Applications to Protect. Specify which discovered applications you want to secure with this firewall cluster.

   1. On the Applications tab, use the Select Application(s) drop-down to specify the discovered applications to secure. The selected application appears in the Applications list.

      The available applications are determined by the application definition criteria you configured during cloud account onboarding in the “Application Definition” step.
   2. Click Next.
7. Configure the Deployment Parameters. The Auto-Execute deployment option supports AI Runtime Security; not VM-Series. The Firewall Type option is pre-selected based on the traffic types you previously selected on the Choose Traffic Flows to Inspect screen. If you select AI queries and responses, the Firewall Type is pre-selected and cannot be changed.

   1. Specify the Number of firewall to deploy.
   2. Select zones to deploy firewalls. The selected zones should consist of all availability zones of the applications you want to protect.
   3. Choose the instance type for the security VM used by the deployed firewalls.
   4. Optional Enable Multi-Cloud Mesh.
8. Configure the IP Addressing Scheme by entering the CIDR IP address of an unused VNet.
9. Enter your Licensing information.

   • PAN-OS Software Version for your image from the available list.
   • Flex authentication code (Copy AUTH CODE for the deployment profile you created for AI Runtime Security Firewall in Customer Support Portal).
   • Enter your Device Certificate PIN ID and Device Certificate PIN Value associated with Customer Support Portal account.
10. Configure your Management Parameters. Firewalls deployed using the Auto-Execute workflow must be managed by Strata Cloud Manager; Panorama management is not supported.

    • Enter the CIDRs that can access the management interface of the firewall under Allowed Management Access.
    • The SSH key to be used for login (see how to Create SSH keys).
    • Manage by SCM and then select the SCM folder to group the Prisma AIRS AI Runtime Firewall.
      For Multi-Cloud Mesh to be deployed, you must select the folder that contains the required Auto-VPN configuration.
      Refer to Workflows: Folders - Strata Cloud Manager.
11. Select Next.
12. In Review architecture: