>
    Strata Copilot
    Prepare for Panorama Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for AWS
    3. Cloud NGFW for AWS Administration
    4. Protect
    5. Panorama Policy Management
    6. Prepare for Panorama Integration
    Download PDF
    Cloud NGFW for AWS

    Prepare for Panorama Integration

    Table of Contents

    Prepare for Panorama Integration

    Prepare for Cloud NGFW and Panorama integration.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for AWS
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Account (CSP)
    • AWS Marketplace account
    • User role (either tenant or administrator)
    To integrate the Cloud NGFW service with your Panorama virtual appliance:
    • Ensure you have a registered Panorama installed with licenses, activated using the support license on the Customer Support Portal (CSP), and using the software version 10.2.3 (or higher).
      Install the device certificate on the Panorama management server to successfully authenticate Panorama with the Palo Alto Networks Customer Support Portal (CSP) and leverage one or more cloud service.
    • Your Panorama must be onboarded to a Strata tenant that includes Strata Cloud Manager (SCM). Strata Tenant is also known as a Tenant Service Group (TSG).
      If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials and then onboard your Panorama (steps 1-9) to use with Cloud NGFW.
      In either case, the integration automatically enables additional features such as the Strata Logging service for Cloud NGFW.
      Existing subscribers without a Strata Logging Service (SLS) account must have a Strata tenant with Strata Cloud Manager (SCM)/Essentials to add the service. Additionally, ensure you unlink and then relink your Panorama.
    • Ensure you have subscribed to Cloud NGFW successfully to have a Cloud NGFW tenant. Use the Cloud NGFW subscription to successfully integrate with Panorama.
    • Ensure you have a tenant administrator role in your Cloud NGFW tenant.
    • Ensure you have a Panorama Administrator role on your Panorama.
    • Ensure you're a member of the Palo Alto Networks Customer Support Portal (CSP) account where your Organization has registered the Panorama appliance.
      The email used to register with the CSP account should be used for the Cloud NGFW tenant subscription. If this email differs, you won't be able to configure Cloud NGFW and integrate with Panorama.
    • Allow access to the domain https://storage.googleapis.com. This domain is used to access the AIOps for the Cloud NGFW application, regardless of your geographic location.

    Additional Requirements

    To prepare Panorama to link to Cloud NGFW:
    • Install the Cloud Connector plugin version 2.0.1 or later
      PAN-OS version 11.1.x is prepackaged with a Cloud Connector plugin (version 2.1.0-c98). This plugin version causes management problems for the Cloud NGFW resource that is linked to PAN-OS version 11.1.x. If you're using PAN-OS version 11.1.x Palo Alto Networks recommends that you downgrade the Cloud Connector plugin to version 2.0.1.
    • Install the AWS plugin version 5.1.1 or later.
      AWS plugin version 5.4.0 should not be used for Panorama policy management.
    • After installing the Cloud Connector and AWS plugins, use the Panorama CLI to run the command request plugins cloudconnector enable cloudngfw.
    • View installed plugins in Panorama using the Dashboard.
    • Use the Panorama CLI to view the status of a Panorama plugin. For example, show plugins aws cngfw-status. 
      show plugins aws cngfw-status

CloudConnector plugin is enabled. Cloud NGFW functionality is enabled.

    Important Considerations

    The AWS plugin requires that you commit a configuration change to initiate Cloud NGFW functionality with Panorama. This commit isn't required if you're upgrading the AWS plugin.
    In Panorama HA deployments, pushing a configuration change (for example, making a change to a Cloud Device Group) may cause the Panorama virtual appliance to hang. An error message similar to Push can't be processed, config upload not complete. Please try again later. To resolve this issue, use commit-force, then use commit-all.
    If your Panorama is not part of a Strata tenant, the integration will fail with an error message:
    Failed to get TSG ID for Panorama Panorama_ID. Please ensure that Panorama is added to TSG invalid request.
    If your Panorama is associated with a Strata tenant that does not have a valid Strata Cloud Manager (SCM) or Strata Stratta Logging Service, the linking process will fail with the following error message:
    Failed to get TSG ID for Panorama Panorama_ID. Please ensure that Panorama is added to TSG and SCM is provisioned invalid request to mgmt API.

    © 2025 Palo Alto Networks, Inc. All rights reserved.