Panorama Policy Management

Learn about Cloud NGFW Panorama policy management.

| Where Can I Use This? | What Do I Need? |
| --- | --- |
|  | Cloud NGFW subscription; Palo Alto Networks Customer Support Account (CSP); AWS Marketplace account; User role (either tenant or administrator) |

Cloud NGFW is the industry’s only machine learning (ML)-powered NGFW delivered as a
            cloud-native service on AWS. With Cloud NGFW, you can run more apps securely at cloud
            speed and cloud-scale with an actual cloud-native experience. You get to experience the
            best of both worlds with natively integrated network security delivered as a service on
            AWS.
This page explains how to configure and integrate Cloud NGFW for AWS with Palo Alto
            Networks Panorama.
You can use a Panorama appliance to manage a shared set of security rules centrally on
            Cloud NGFW resources alongside your physical and virtual firewall appliances. You can
            also manage all aspects of shared objects and profiles configuration, push these rules,
            and generate reports on traffic patterns or security incidents of your Cloud NGFW
            resources, all from a single Panorama console.
Panorama provides a single location from which you can have centralized policy and firewall management across hardware firewalls, virtual firewalls, and cloud firewalls, which increases operational efficiency in managing and maintaining a hybrid network of firewalls.
How does integration work?
You will continue to subscribe to the Cloud NGFW service using AWS Marketplace and create a tenant. Then you can link your Cloud NGFW tenant with your Panorama appliances. You can then manage a shared set of security rules centrally on Cloud NGFW resources you create on this tenant alongside your physical and virtual firewall appliances, and you can use logging, reporting, and log analytics, all from a Panorama console.
Your Panorama appliances can reside in any Cloud region or in an on-premises environment.
            Panorama uses the AWS plugin to push policy and objects to the NGFW resources in AWS
            regions.
Integration between the Cloud NGFW and your Panorama appliance optionally allows your Cloud NGFW resources to stream logs to a Strata Logging Service account; you can then use the Strata Logging Service web interface, the Panorama log viewer, or the Application Command Center (ACC) to view and analyze the logs from Strata Logging Service. Panorama uses the Cloud Services plugin to query the logs from your Strata Logging Service account.
You can also configure the Cloud NGFW resources to stream logs to AWS log destinations such as S3, CloudWatch, and Kinesis streams.
  
    
Note: You can link multiple Panorama and Strata Logging Service pairs to the Cloud NGFW tenant.
Integration Components
The image below shows how Cloud NGFW integrates with Panorama. Each of these components is described in the following section.
Palo Alto Networks Policy Management is the primary and mandatory component of the solution. You must use the Panorama appliance to author and manage policy rules for your Cloud NGFW resources. The policy management component also helps you associate your authored policy rules and objects with multiple Cloud NGFW resources in different AWS regions.
Palo Alto Networks Log Management isn't a mandatory component for this solution.
            You can use the Strata Logging Service if you prefer to view logs in the Panorama
            console or use Application Command Center (ACC) in the Panorama console to gain insight
            into Cloud NGFW traffic or generate reports in Panorama. For this purpose, you must link
            your Panorama with a Strata Logging Service account using the Cloud Services plugin in
            Panorama. You can configure Cloud NGFW resources to simultaneously send logs to Strata
            Logging Service and one of the AWS log destinations (S3, CloudWatch, or Kinesis
            stream).
Panorama AWS plugin is a mandatory component of this solution. The Panorama AWS
            plugin enables you to create Cloud Device Groups and Cloud template stacks which help
            you manage policy rules and objects on NGFW resources of the Cloud NGFW tenants linked
            with Panorama. The Panorama AWS plugin internally uses the Cloud Connector plugin to
            communicate with the Cloud NGFW resources.
Cloud Device Groups (Cloud DGs) are special-purpose Panorama device groups that allow you to author rules and objects for Cloud NGFW resources. You can create Cloud DGs using the Panorama AWS plugin UI/APIs by specifying the Cloud NGFW tenant and AWS region information. A Cloud device group manifests as a global rulestack in that tenant and region.
- You can create multiple Cloud Device Groups using the Panorama AWS plugin.
 - You can use the native Panorama web interface’s device group page to manage
                    policy and object configurations in Cloud Device Groups and their associated
                    objects and Security Profiles.
 - You can also leverage your existing shared objects and profiles in your existing
                    Panorama device groups by referring to them in the security rules you create in
                    your Cloud device groups.
 - Alternatively, you can add these Cloud DGs to the device group hierarchy you manage in your Panorama to inherit the device group rules and objects. However, Cloud NGFW currently can't enforce all rules the Cloud Device Group inherits, such as those that use security zones or users.
 - You can associate the same Cloud device group with multiple regions of the Cloud
                    NGFW tenant. This Cloud device group will manifest as a dedicated global
                    rulestack in each AWS region of your Cloud NGFW tenant.
 
Cloud template stacks (Cloud TS) are special-purpose Panorama template stacks that allow your security rules in Cloud device groups to refer to object settings that Panorama lets you manage using templates. When creating a Cloud device group, the Panorama AWS plugin enables you to create or specify a Cloud template stack. The plugin automatically creates this Cloud TS and adds it to the Cloud device group as a reference template stack. Thereafter, you can use the native Panorama web interface's Template Stack page to configure your templates and add them to these Cloud TSs.
- Palo Alto Networks Cloud NGFW service manages most device and network
                    configurations in your Cloud NGFW resources. Therefore, Cloud NGFW will ignore
                    infrastructure settings such as interfaces, zones, and routing protocols if you
                    have configured them in templates added to the Cloud TS.
 - Cloud NGFW currently honors Certificate management and log settings in your
                    templates as referenced by the Cloud device group configuration. It ignores all
                    other settings.
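Because Cloud NGFW silently skips inherited rules that match on zones or users and ignores most template settings, a Cloud DG can look fully configured in Panorama while part of it never takes effect in AWS. The following pre-push audit, an added example written for this page and not Palo Alto Networks code or any Panorama AWS plugin API, walks a Cloud DG and its parent device groups and flags the rules and template settings that the two lists above say Cloud NGFW won't enforce. Device groups, template stacks, the field names (`from_zone`, `to_zone`, `source_user`) and the template setting category names (`certificate`, `log-settings`, `interface`, `zone`) are a constructed, simplified dict shape assumed for the example, not the Panorama XML or API schema; the sample configuration at the bottom is constructed too. It generalizes slightly beyond the text by also reporting zone or user matches in rules authored directly in the Cloud DG, since the service has no zones or user identities to match on.

```python
"""Pre-push audit of a Cloud Device Group's effective configuration.

Added example, not Palo Alto Networks code. Device groups and template
stacks are modelled as plain dicts (an assumed, simplified shape, not the
Panorama XML/API schema) so the check runs offline. It reports two things
the documentation says Cloud NGFW won't enforce:
  * rules in the effective rulebase (the Cloud DG plus every parent device
    group it inherits from) that match on security zones or users;
  * template settings other than certificate management and log settings.
"""

from dataclasses import dataclass

# Rule match fields Cloud NGFW can't enforce (assumed field names).
UNENFORCEABLE_RULE_FIELDS = ("from_zone", "to_zone", "source_user")
# The only template setting categories Cloud NGFW honours (assumed names).
HONORED_TEMPLATE_SETTINGS = {"certificate", "log-settings"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "rule" or "template"
    name: str    # rule or template name
    origin: str  # device group or template stack the item came from
    detail: str


def effective_rules(device_groups, dg_name):
    """Yield (origin_dg, rule) for the Cloud DG and each ancestor, nearest first."""
    seen = set()
    while dg_name and dg_name not in seen:
        seen.add(dg_name)  # guard against a malformed, cyclic hierarchy
        dg = device_groups[dg_name]
        for rule in dg.get("rules", []):
            yield dg_name, rule
        dg_name = dg.get("parent")


def audit_cloud_device_group(device_groups, template_stacks, cloud_dg):
    """Return the Findings for one Cloud Device Group and its template stack."""
    findings = []
    for origin, rule in effective_rules(device_groups, cloud_dg):
        # "any" is the default and imposes no zone/user constraint.
        offending = [f for f in UNENFORCEABLE_RULE_FIELDS
                     if rule.get(f, ["any"]) != ["any"]]
        if offending:
            where = "authored in the Cloud DG" if origin == cloud_dg else "inherited"
            findings.append(Finding(
                "rule", rule["name"], origin,
                f"{where}; matches on {', '.join(offending)}, which Cloud NGFW can't enforce"))
    ts_name = device_groups[cloud_dg].get("template_stack")
    for template in template_stacks.get(ts_name, []):
        ignored = sorted(set(template["settings"]) - HONORED_TEMPLATE_SETTINGS)
        if ignored:
            findings.append(Finding(
                "template", template["name"], ts_name,
                f"settings ignored by Cloud NGFW: {', '.join(ignored)}"))
    return findings


# Constructed sample: a shared parent DG, a Cloud DG for one region, and a
# Cloud TS that mixes honoured (log, certificate) and ignored (network) settings.
SAMPLE_DEVICE_GROUPS = {
    "shared-parent": {
        "parent": None,
        "rules": [
            {"name": "allow-web", "from_zone": ["trust"], "to_zone": ["untrust"],
             "source_user": ["any"], "application": ["web-browsing"], "action": "allow"},
            {"name": "block-bad-apps", "from_zone": ["any"], "to_zone": ["any"],
             "source_user": ["any"], "application": ["bittorrent"], "action": "deny"},
        ],
    },
    "cloud-dg-us-east-1": {
        "parent": "shared-parent",
        "template_stack": "cloud-ts-us-east-1",
        "rules": [
            {"name": "contractors-ssh", "from_zone": ["any"], "to_zone": ["any"],
             "source_user": ["contractors"], "application": ["ssh"], "action": "allow"},
        ],
    },
}
SAMPLE_TEMPLATE_STACKS = {
    "cloud-ts-us-east-1": [
        {"name": "cloud-logging",
         "settings": {"log-settings": {"forward-to": "strata"}, "certificate": {"ca": "corp-ca"}}},
        {"name": "dc-network",
         "settings": {"interface": {"ethernet1/1": {}}, "zone": {"trust": {}}}},
    ],
}


def audit_sample():
    """Run the audit over the constructed sample configuration."""
    return audit_cloud_device_group(SAMPLE_DEVICE_GROUPS, SAMPLE_TEMPLATE_STACKS,
                                    "cloud-dg-us-east-1")


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"[{finding.kind}] {finding.name} ({finding.origin}): {finding.detail}")
```

Running it reports the inherited `allow-web` rule (zone match), the Cloud DG's own `contractors-ssh` rule (user match) and the `dc-network` template (interface and zone settings), while `block-bad-apps` and `cloud-logging` pass; run a check like this before a commit-and-push so that a rule you believe is enforced in AWS is not one the service quietly drops.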
 
 
    
Note: You don't assign managed devices to Cloud Device Groups and Cloud template stacks.