Migrate an Azure Firewall Policy to Cloud NGFW for Azure

Migrate your Azure firewall policies to Cloud NGFW for Azure using Strata Cloud Manager for enhanced security and operational efficiency.
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Strata Cloud Manager Essential in a supported region (Canada, India, United Kingdom, Singapore, or United States)
  • Security Administrator or Superuser role
Cloud Service Provider (CSP) Native Firewall Policy Migration enables the automated transfer of existing security policies from Azure Firewall to Palo Alto Networks® Software Firewalls (Cloud NGFW and VM-Series) through Strata™ Cloud Manager. This process transitions your security configurations from native cloud firewall services to a next-generation firewall platform, providing enhanced security and centralized policy management.
The migration follows a structured architectural flow. It begins with identifying policies in your Azure environment. Strata Cloud Manager then translates native Azure firewall logic into compatible Palo Alto Networks Software Firewall configurations. You can apply these configurations to existing or new Software Firewall resources to ensure a consistent security posture across your environment. Policy migration to Strata Cloud Manager is currently supported in the following regions: Canada, India, United Kingdom, Singapore, and United States.
The Policy Migration Engine processes your uploaded configuration files to translate native Azure firewall logic into Strata Cloud Manager snippets through these key steps:
  • Export Native Configuration: Use the Python script export_azr_fwpolicy.py to extract existing security policies from your Azure environment into a ZIP file.
  • Analyze and Convert: Upload the exported ZIP file to the Strata Cloud Manager Migration Catalog. The engine translates cloud-native logic into Strata Cloud Manager-compatible security rules and objects while identifying skipped items that require manual review.
  • Generate Configuration Snippets: Upon successful conversion, the tool creates a reusable Strata Cloud Manager snippet containing all migrated rules.
  • Associate with Folders: Link the generated snippet to a designated Strata Cloud Manager folder associated with your Software Firewall resources (Cloud NGFW or VM-Series).
  • Deploy and Verify: Initiate a Config Push to deploy the translated policy to your active firewall units and monitor the job log to confirm a successful transition.
Supported Features and Compatibility
The following table outlines the policy components supported for automated migration from Azure Firewall to Strata Cloud Manager.
Feature Category | Supported Components                                                  | Unsupported or Skipped
Rules            | Network Rules and Application Rules                                   | None
Services         | DNS Proxy, Threat Intelligence, IDPS, SNAT Rules, and TLS Inspection  | FQDN Tags
Objects          | IP Groups, FQDNs, Web Categories, and Service Tags                    | None
For Azure D-NAT rules, apply the configuration based on the platform you intend to use. For Cloud NGFW, Terraform templates are provided to apply these rules within your Azure account. For VM-Series, D-NAT policies are included in the generated Strata Cloud Manager snippet.
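To anticipate what will appear under Skipped items, or will need the Terraform path on Cloud NGFW, you can inventory the source policy before exporting it. This is an added example, not part of the Palo Alto Networks export script; it assumes the rule collection group JSON shape that Azure CLI returns (ruleCollections, rules, ruleType, fqdnTags), and the sample policy and its names are constructed.

```python
"""Inventory Azure Firewall policy rules before migration (added example)."""
import json

# Constructed sample, shaped like the output of:
#   az network firewall policy rule-collection-group list \
#       --policy-name <policy> --resource-group <rg> -o json
SAMPLE_GROUPS = json.loads("""
[
 {"name": "app-rcg", "ruleCollections": [
  {"name": "allow-web", "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
   "rules": [
    {"name": "win-update", "ruleType": "ApplicationRule",
     "fqdnTags": ["WindowsUpdate"], "targetFqdns": []},
    {"name": "docs", "ruleType": "ApplicationRule",
     "fqdnTags": [], "targetFqdns": ["docs.example.com"]}]}]},
 {"name": "dnat-rcg", "ruleCollections": [
  {"name": "inbound", "ruleCollectionType": "FirewallPolicyNatRuleCollection",
   "rules": [
    {"name": "ssh-jump", "ruleType": "NatRule",
     "translatedAddress": "10.0.1.4", "translatedPort": "22"}]}]}
]
""")


def inventory(groups):
    """Bucket each rule by how this page says the migration treats it."""
    report = {"fqdn_tags": [], "dnat": [], "other": []}
    for group in groups:
        for coll in group.get("ruleCollections") or []:
            for rule in coll.get("rules") or []:
                path = f'{group["name"]}/{coll["name"]}/{rule["name"]}'
                if rule.get("ruleType") == "NatRule":
                    # D-NAT: Terraform for Cloud NGFW, snippet for VM-Series.
                    report["dnat"].append(path)
                elif rule.get("fqdnTags"):
                    # FQDN tags are listed as unsupported or skipped.
                    report["fqdn_tags"].append((path, rule["fqdnTags"]))
                else:
                    report["other"].append(path)
    return report


if __name__ == "__main__":
    for bucket, items in inventory(SAMPLE_GROUPS).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Rules in the fqdn_tags bucket are the ones to compare against the Skipped items tab after conversion.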
  1. Start the Azure policy migration.
    1. In Strata Cloud Manager, select Migration Catalog and choose Azure Firewall.
    2. Select Start migration to initiate the Azure policy migration workflow.
  2. Download the Azure export script.
    1. On the Azure migration page, select Download export scripts.
    2. Follow the link to GitHub and download the Python script (export_azr_fwpolicy.py).
    3. Save the file with a .py extension. This script extracts your Azure Firewall policy configurations.
  3. Export the Azure Firewall policy.
    1. Ensure Python 3 and Azure CLI are installed and configured on your local machine.
    2. Log in to your Azure account using Azure CLI if you are not already logged in. The following command shows the account and subscription that the current session uses.
      az account show
    3. In your Azure portal, identify the Azure Firewall policy you want to migrate, noting its subscription ID, resource group, and policy name.
    4. Open your command-line interface and run the export script, replacing the placeholders with your values.
      python3 export_azr_fwpolicy.py --sub your-subscription-id --rg your-resource-group --name your-policy-name
    5. Confirm that a ZIP file containing the exported configuration is generated in the export_policy folder. This ZIP file is the required input for the Strata Cloud Manager migration service.
  4. Upload and convert the Azure configuration in Strata Cloud Manager.
    1. Return to the Strata Cloud Manager Azure migration page.
    2. Select Browse file and upload the ZIP file from your export_policy folder.
    3. Click Analyze and convert.
    4. Review the summary of advanced features, objects, and rules to be imported, noting any skipped items such as FQDN tags.
      Strata Cloud Manager processes your Azure policy for conversion into Cloud NGFW format, highlighting incompatibilities or unsupported features.
  5. Review and import the converted configuration.
    1. Select Review converted configuration and review the policy rules, objects, and skipped items with their reasons.
      Skipped items are available in the Skipped items tab.
    2. Enter a descriptive Snippet Name (for example, azr-demo-1).
    3. Select Import to Strata Cloud Manager to commit the converted policy elements to a Strata Cloud Manager snippet.
    4. Click Summary to view the completed import summary.
      You can also click Download Terraform Template for NGFW to save a ZIP file of the Terraform templates to your local machine.
      Select the Snippet link to go to the snippet page.
      Do not close or navigate away from the Strata Cloud Manager migration summary page until you have completed snippet verification and downloaded all necessary artifacts. If you close the browser tab or navigate away before downloading, you cannot return to retrieve the Terraform ZIP file later. Keep the migration summary tab open while you verify the snippet in a separate window or tab.
  6. Verify the migrated snippet.
    1. Select Configuration > NGFW and Prisma Access > Snippet.
    2. Locate and select your newly created snippet (for example, azr-demo-1).
    3. Review the Security Rules and Address Objects tabs to confirm the successful migration.
      Your Azure policy is now translated and stored as a reusable configuration snippet.
  7. Push the configuration to Cloud NGFW.
    1. Select Configuration Scope and choose Folder.
    2. Select the folder associated with your Azure Cloud NGFW instances.
    3. From the folder overview, select the Add icon next to Snippets.
    4. Add your migrated snippet (for example, azr-demo-1) to the folder.
    5. Select Close.
    6. Select Push from the top-right corner.
    7. Enter a Description and confirm the push to your Cloud NGFW units.
    8. Monitor the job log to confirm the push is successful.
      This deploys your new Cloud NGFW policy to the active Azure firewall instances.
  8. Download Terraform templates for Cloud NGFW.
    Because Software Firewall D-NAT rules and DNS Proxy configurations are hosted on a public load balancer rather than managed directly through Strata Cloud Manager folders, you must use Terraform to apply these specific settings to your Azure environment. Strata Cloud Manager automatically generates these templates when D-NAT or DNS Proxy configurations are detected in your policy migration.
    1. On the migration Summary page, locate the Generated Snippet section.
    2. Click Download Terraform Templates for NGFW.
    3. Save the ZIP file (for example, terraform-cngfw.zip) to your local machine.
    4. Unzip the file to access the Terraform directory, which includes main.tf, variables.tf, and terraform.tfvars.
    5. Open terraform.tfvars and provide the required parameters: subscription_id, resource_group_name, firewall_name, and public_ip_name for your D-NAT rules.
    6. Authenticate your Azure CLI session before running Terraform.
      az login
      az account show
    7. Run the following commands in your CLI to initialize and apply the Terraform configuration.
      terraform init
      terraform import azurerm_palo_alto_next_generation_firewall_virtual_network_strata_cloud_manager.firewall cngfw_resource_id
      terraform plan
      terraform apply -auto-approve
      A known issue may cause the push to fail on the firewall if the content version is lower than required. This is unrelated to the migration service itself.
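
Because the commands above import a live firewall into Terraform state and then apply without a confirmation prompt, it is worth checking the plan mechanically first. The following added example (not from the generated templates or from Palo Alto Networks) reads the standard `terraform show -json` plan output and reports any destroy or replace action, or a firewall that would be created rather than updated; the sample plan and the azurerm_public_ip.example address are constructed.

```python
"""Review a saved Terraform plan before applying it (added example)."""
import json

# Resource address used by the `terraform import` command on this page.
FIREWALL_ADDR = ("azurerm_palo_alto_next_generation_firewall_"
                 "virtual_network_strata_cloud_manager.firewall")

# Constructed sample, shaped like `terraform show -json tfplan` output.
# azurerm_public_ip.example is a made-up address for illustration.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": FIREWALL_ADDR, "change": {"actions": ["update"]}},
        {"address": "azurerm_public_ip.example",
         "change": {"actions": ["delete", "create"]}},
    ]
}


def review_plan(plan, firewall_addr=FIREWALL_ADDR):
    """Return findings; an empty list means nothing blocks the apply."""
    findings = []
    firewall_seen = False
    for rc in plan.get("resource_changes", []):
        addr, actions = rc["address"], rc["change"]["actions"]
        if addr == firewall_addr:
            firewall_seen = True
        if "delete" in actions:
            # ["delete"] destroys; a delete paired with a create replaces.
            findings.append(f"{addr}: destroyed or replaced {actions}")
        elif addr == firewall_addr and "create" in actions:
            # A create here means the import did not land in state.
            findings.append(f"{addr}: would be created, import missing")
    if not firewall_seen:
        findings.append(f"{firewall_addr}: not present in plan")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: terraform show -json tfplan | python3 review_plan.py
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    problems = review_plan(plan)
    print("\n".join(problems) or "no blocking findings")
    sys.exit(1 if problems else 0)
```

Generate the input with `terraform plan -out=tfplan` and `terraform show -json tfplan`, then apply that saved plan file only when the script reports no findings.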