Sample Configuration for Post vNET Deployment
Sample configuration for vNET deployments in CNGFW for Azure.
After successfully deploying the Cloud NGFW in an Azure vNET, you can begin
configuring the Cloud NGFW service. The information provided in this section
illustrates common tasks to get the Cloud NGFW running in your Azure environment:
Create or update a rulestack
In this section you will update a local rulestack by adding a rule and enabling
logging.
To update an existing rulestack:
- In the Azure Resource Manager (ARM) console, click Rulestacks for the Cloud NGFW resource you want to configure. The rulestack associated with the Cloud NGFW service appears, along with the resource group.
- Modify the rulestack to add firewall rules. These rules allow some traffic while blocking specific traffic. By default, Cloud NGFW blocks all traffic. Search for the local rulestack using the global search option provided by the Azure portal.
- Select the local rulestack service to navigate to the list of local rulestacks associated with your Cloud NGFW subscription. Search for a local rulestack, and verify that the state is Succeeded.
- Click the rulestack to add rules. In the Add Rule window, modify the rules. For example, add a rule that allows traffic; complete the mandatory fields and use the default settings for the remaining fields.
- Enable logging for the rule. In the Add Rule window, select Logging.
- Click Validate, then Add to add the rule to the rulestack.
Add an FQDN list
Add an FQDN list to the local rulestack that includes Facebook. Use this list to
add a rule that blocks traffic to facebook.com.
- In the local rulestack page for the Cloud NGFW resource, click FQDN List.
- Click Add.
- In the Add FQDN List screen, enter a name and description. In the FQDN field, enter one or more URLs, such as www.facebook.com. Only one FQDN URL can exist on a single line in the FQDN field.
- Click Add.
- Verify that the specified URLs appear in the FQDN list.
Add a Rule
Add a rule to the local rulestack that matches the FQDN list previously created.
With the rule you can set an action, like dropping traffic. For example, you can
apply an action to the FQDN rule to drop traffic attempting to access the URL
www.facebook.com.
- In the local rulestack page for the Cloud NGFW resource, click Rules.
- Click Add.
- In the Add Rule screen, set the Match Criteria to Match. In the FQDN List field, use the drop-down menu to select Facebook.
- In the Actions field, select Drop.
- Click Add. Both rules appear in the local rulestack header page.
As part of this Cloud NGFW service, security profiles are enabled with best practice configurations by default. Traffic is secured with the best security profiles once the Cloud NGFW is deployed in the network. View these using the Profiles page for the local rulestack.
After modifying rules, deploy them onto the local rulestack associated with the Cloud NGFW service.
- In the local rulestack, click Deployment. The deployment status page displays as Candidate; this means that the configuration was built but not deployed.
- Click Deploy Configuration to deploy the configuration onto the Cloud NGFW service. You must perform this step in order to deploy the rules onto the rulestack.
- After clicking Deploy Configuration, a pop-up message displays the firewalls associated with this rulestack. Click Deploy to configure this rulestack on all associated firewalls.
- After successfully deploying the configuration, the Deployment status is Running.
Configure a source and destination NAT rule
You can configure a destination NAT rule to address inbound traffic.
- Access the Networking and NAT settings for the Cloud NGFW resource and check whether the Source NAT setting is enabled.
- Click Edit to add the destination NAT rule.
- Add a Destination NAT rule. The frontend IP represents the public IP address associated with the Cloud NGFW. Enter the frontend port number and click Add.
- After adding the destination NAT rule, click Save to deploy the configuration on the Cloud NGFW resource. The frontend address is now redirected on the configured port through the Cloud NGFW, and inbound traffic flows through the Cloud NGFW.
Configure Logging
Before configuring logging on the Cloud NGFW, create the Log Analytics workspace
on Azure.
- In the Azure portal, search for the Azure Log Analytics workspace. Click Log Analytics Workspaces to add it as a service.
- Click Create to establish a new Log Analytics workspace.
- In the Create Log Analytics workspace page, provide the Instance details. Select the Name of the workspace from the drop-down menu, and specify the Region.
- Configure log settings in the Cloud NGFW resource. Select Log Settings, then click Edit.
- In the Log Settings field, select the Log Analytics workspace previously created, then click Save.
Update the Network Security Group
Update the network security group that was created as part of the Cloud NGFW
deployment. This security group is associated with both the private and public
subnets of the vNET in the Cloud NGFW subscription.
- Allow the traffic required by the frontend (destination) NAT rule configuration. Allow HTTP and HTTPS traffic so that the internet is accessible from application vNETs through the Cloud NGFW.
- Click Add to incorporate this inbound security rule.
Configure vNET peering
To configure vNET peering:
- Locate your vNET and select Peerings.
- Click Add to create a new peering.
- Provide a name for the peering and retain the default settings.
- Select the hub vNET that you want to peer. When deploying the Cloud NGFW in a vNET using an existing vNET hub, the minimum size should be /25. You must have 2 subnets with the minimum size /26; these subnets must be delegated to the PaloAltoNetworks.Cloudngfw/firewalls service.
- Configure vNET peering between additional vNETs by repeating the steps outlined in this section.
Add a Route Table to route traffic through the Cloud NGFW
- Search for the Route table in the Azure portal search bar.
- Click Create to establish a new route table.
- Complete the route table fields, then click Review + create.
- After creating the route table, select the Subnets section and associate the table with the subnet.
- Configure the default route for outbound traffic, and a route toward the subnet (for east-west traffic), with the next hop set to the Cloud NGFW private IP address.
- Associate one or more route tables with another subnet from the vNET. Configure a default route (for outbound traffic) and a route toward a different subnet (for east-west traffic), with the next hop set to the Cloud NGFW private IP address.
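The route table, vNET peering, network security group and subnet delegation steps above, scripted with the Azure CLI as an added example that is not part of the Palo Alto Networks documentation. Resource group, vNET, subnet and NSG names, the CIDRs and the firewall private IP are assumed values passed in as arguments; the Azure CLI commands are standard `az network` commands, and AZ=echo prints them instead of running them.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks documentation: Azure CLI equivalents of the
# route-table, peering, NSG and subnet-delegation steps above. Resource names, CIDRs and the
# firewall IP passed to these functions are assumed values. AZ defaults to the real "az"
# binary; set AZ=echo to print the commands instead of running them.
AZ="${AZ:-az}"

# Sizing rule from the page: hub vNET at least /25, each delegated firewall subnet at least /26.
# Succeeds when the CIDR's prefix length is no longer than the maximum allowed.
check_prefix() { # check_prefix <cidr> <max-prefix-len>
  [ "${1##*/}" -le "$2" ]
}

# Delegate one of the two hub subnets to the Cloud NGFW service, refusing undersized subnets.
delegate_fw_subnet() { # delegate_fw_subnet <rg> <vnet> <subnet> <cidr>
  check_prefix "$4" 26 || { echo "subnet $3 ($4) is smaller than /26" >&2; return 1; }
  $AZ network vnet subnet update -g "$1" --vnet-name "$2" -n "$3" \
    --delegations PaloAltoNetworks.Cloudngfw/firewalls
}

# Peer a spoke vNET with the hub hosting the firewall; both directions are required.
peer_vnets() { # peer_vnets <rg> <spoke-vnet> <hub-vnet>   (same resource group assumed)
  $AZ network vnet peering create -g "$1" --vnet-name "$2" -n "$2-to-$3" \
    --remote-vnet "$3" --allow-vnet-access --allow-forwarded-traffic
  $AZ network vnet peering create -g "$1" --vnet-name "$3" -n "$3-to-$2" \
    --remote-vnet "$2" --allow-vnet-access --allow-forwarded-traffic
}

# Route table for a spoke subnet: default route (outbound) plus an east-west route to another
# subnet, both with the Cloud NGFW private IP as next hop ("VirtualAppliance" in Azure terms).
route_via_ngfw() { # route_via_ngfw <rg> <location> <vnet> <subnet> <peer-subnet-cidr> <fw-private-ip>
  rt="rt-$4"
  $AZ network route-table create -g "$1" -l "$2" -n "$rt"
  $AZ network route-table route create -g "$1" --route-table-name "$rt" -n default \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$6"
  $AZ network route-table route create -g "$1" --route-table-name "$rt" -n east-west \
    --address-prefix "$5" --next-hop-type VirtualAppliance --next-hop-ip-address "$6"
  $AZ network vnet subnet update -g "$1" --vnet-name "$3" -n "$4" --route-table "$rt"
}

# Inbound NSG rule matching the destination NAT frontend: only HTTP and HTTPS from the Internet.
allow_web_inbound() { # allow_web_inbound <rg> <nsg> <frontend-ip>
  $AZ network nsg rule create -g "$1" --nsg-name "$2" -n allow-web-inbound --priority 100 \
    --direction Inbound --access Allow --protocol Tcp --source-address-prefixes Internet \
    --destination-address-prefixes "$3" --destination-port-ranges 80 443
}
```

Run `AZ=echo route_via_ngfw rg-demo eastus vnet-spoke snet-app 10.20.2.0/24 10.10.0.4` first to review the generated commands before applying them against a subscription.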