Link the Cloud NGFW to Palo Alto Networks Management

Table of Contents

Link Multiple Panorama to a Cloud NGFW Tenant

Link the Cloud NGFW to Palo Alto Networks Management

Link Cloud NGFW to Panorama.

Where Can I Use This?	What Do I Need?
Cloud NGFW for AWS	Cloud NGFW subscription Palo Alto Networks Customer Support Account (CSP) AWS Marketplace account User role (either tenant or administrator)

You have two options for linking:

Link the Cloud NGFW tenant to Palo Alto Networks with Panorama for policy management only.
Link the Cloud NGFW tenant with Panorama for policy management and Strata Logging Service for log management.

You must be subscribed to the Cloud NGFW service using AWS Marketplace to integrate Cloud NGFW with Panorama. After linking your Cloud NGFW tenant to Panorama, you can view the tenants and resources, along with their status, in the Panorama console under the AWS plugin.

To link your Cloud NGFW tenant to Panorama using the Cloud NGFW:

Select Integrations.
In the Integrations page, click Add Policy Manager.

If you're using a tenant linked to Panorama that was created using the AWS Firewall Manager you can't unlink the Cloud NGFW resource.
In the Add Policy manager screen, enter a Link Name. Select the Primary Panorama Serial Number from the drop-down. For HA environments, select the Secondary Panorama Serial Number from the drop-down.

The Cloud NGFW tenant automatically pulls the Strata Logging Service information from Panorama. If you don't plan to use Strata Logging Service, you can send logs to AWS. For more information, see Configure Logging for Cloud NGFW on AWS.
The Integrations page displays the Link ID and the linked Panorama Serial Number

.
For additional information, including the Strata Logging Service ID associated with the linked Panorama, click the Link ID in the Integrations page. The Link Panorama window appears:

Create a Support Case to Unlink Panorama from Cloud NGFW When Using AWS Firewall Manager

If you're using AWS Firewall Manager and linked a Cloud NGFW resource to Panorama, you must contact Palo Alto Networks Support to unlink the Cloud NGFW resource from Panorama. When creating the support case, you may be asked to provide additional information, like the AWS account ID, and the tenant ID for the resource.

To create a support case using the Cloud NGFW console:

Locate your AWS Account ID. Select AWS Accounts.
If required, use the Panorama console to determine additional information for the support case, like the tenant ID, or the Panorama serial number.
Locate the Panorama serial number using the Dashboard:

Locate the Tenant ID for the Cloud NGFW resource:
On the Overview page in the Cloud NGFW console, click Create a case.