Prepare for Panorama Integration

Prepare for Cloud NGFW and Panorama integration.
Where Can I Use This?
  • Cloud NGFW for AWS
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Account (CSP)
  • AWS Marketplace account
  • User role (either tenant or administrator)
To integrate the Cloud NGFW service with your Panorama virtual appliance:
  • Ensure you have a registered Panorama installed with licenses, activated using the support license on the Customer Support Portal (CSP), and running software version 10.2.3 (or higher).
    Install the device certificate on the Panorama management server to successfully authenticate Panorama with the Palo Alto Networks Customer Support Portal (CSP) and leverage one or more cloud services.
  • If you choose to use Palo Alto Log Management, ensure you configure Panorama for Strata Logging Service.
  • Ensure you have subscribed to Cloud NGFW successfully to have a Cloud NGFW tenant. Use the Cloud NGFW subscription to successfully integrate with Panorama.
  • Ensure you have a tenant administrator role in your Cloud NGFW tenant.
  • Ensure you have a Panorama Administrator role on your Panorama.
  • Ensure you're a member of the Palo Alto Networks Customer Support Portal (CSP) account where your organization has registered the Panorama appliance.
    The email used to register with the CSP account should be used for the Cloud NGFW tenant subscription. If this email differs, you won't be able to configure Cloud NGFW and integrate with Panorama.
  • Allow access to the domain https://storage.googleapis.com. This domain is used to access the AIOps for the Cloud NGFW application, regardless of your geographic location.

Additional Requirements

To prepare Panorama to link to Cloud NGFW:
  • Install the Cloud Connector plugin version 2.0.1 or later.
    PAN-OS version 11.1.x is prepackaged with a Cloud Connector plugin (version 2.1.0-c98). This plugin version causes management problems for the Cloud NGFW resource that is linked to PAN-OS version 11.1.x. If you're using PAN-OS version 11.1.x, Palo Alto Networks recommends that you downgrade the Cloud Connector plugin to version 2.0.1.
  • Install the AWS plugin version 5.1.1 or later.
  • After installing the Cloud Connector and AWS plugins, use the Panorama CLI to run the following command:
    request plugins cloudconnector enable cloudngfw
  • View installed plugins in Panorama using the Dashboard.
  • Use the Panorama CLI to view the status of a Panorama plugin. For example, show plugins aws cngfw-status:
    show plugins aws cngfw-status
    CloudConnector plugin is enabled. Cloud NGFW functionality is enabled.
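
The version rules above can be checked before linking, as in this added example (not Palo Alto Networks code). It assumes you read the three version strings from Panorama yourself and pass them in; the function names and sample versions are hypothetical.

```python
import re

def parse_version(text):
    """Leading dotted-numeric part as a tuple; '-c98' / '-h3' style suffixes are ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def at_least(actual, minimum):
    """Numeric comparison, so 10.2.10 counts as newer than 10.2.3."""
    a, b = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def preflight(panos, cloud_connector, aws_plugin):
    """Return findings; an empty list means the version rules on this page are met."""
    findings = []
    if not at_least(panos, "10.2.3"):
        findings.append(f"Panorama {panos}: software version 10.2.3 or higher is required")
    if not at_least(cloud_connector, "2.0.1"):
        findings.append(f"Cloud Connector plugin {cloud_connector}: install 2.0.1 or later")
    elif parse_version(panos)[:2] == (11, 1) and cloud_connector.strip() == "2.1.0-c98":
        # The prepackaged plugin meets the minimum but is the one the page says to downgrade.
        findings.append("Cloud Connector plugin 2.1.0-c98 on PAN-OS 11.1.x: downgrade to 2.0.1")
    if not at_least(aws_plugin, "5.1.1"):
        findings.append(f"AWS plugin {aws_plugin}: install 5.1.1 or later")
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not output captured from a real Panorama.
    samples = [
        ("10.2.10", "2.0.1", "5.1.1"),
        ("11.1.2-h3", "2.1.0-c98", "5.1.1"),
        ("10.2.2", "2.0.0", "5.1.0"),
    ]
    for sample in samples:
        print(sample, preflight(*sample) or "OK")
```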

Important Considerations

The AWS plugin requires that you commit a configuration change to initiate Cloud NGFW functionality with Panorama. This commit isn't required if you're upgrading the AWS plugin.
In Panorama HA deployments, pushing a configuration change (for example, making a change to a Cloud Device Group) may cause the Panorama virtual appliance to hang, with an error message similar to: Push can't be processed, config upload not complete. Please try again later. To resolve this issue, use commit-force, then use commit-all.