Cloud NGFW for Azure
    : Sample Configuration for Post vNET Deployment
    Focus
    Download PDF
    Focus
    1. Home
    2. Azure
    3. Cloud NGFW for Azure
    4. Deploy Cloud NGFW for Azure
    5. Deploy the Cloud NGFW in a vNET
    6. Sample Configuration for Post vNET Deployment
    Download PDF

    Cloud NGFW for Azure

    Sample Configuration for Post vNET Deployment

    Table of Contents

    Sample Configuration for Post vNET Deployment

    Sample configuration for vNET deployments in CNGFW for Azure.
    After successfully deploying the Cloud NGFW in an Azure vNET, you can begin configuring the Cloud NGFW service. The information provided in this section illustrates common tasks to get the Cloud NGFW running in your Azure environment:

    Create or update a rulestack

    In this section you will update a local rulestack by adding a rule and enabling logging.
    To update an existing rulestack:
    1. In the Azure Resource Manager (ARM) console, click
      Rulestacks
      for the Cloud NGFW resource you want to configure. The rulestack associated with the Cloud NGFW service appears, along with the resource group.
    2. Modify the rulestack to add firewall rules. These rules allow some traffic while blocking specific traffic. By default, Cloud NGFW blocks all traffic. Search for the local rulestack using the global search option provided by the Azure portal.
    3. Select the local rulestack service to navigate to the list of local rulestacks associated with your Cloud NGFW subscription. Search for a local rulestack, and verify that the state is
      Succeeded
      .
    4. Click the rulestack to add rules. In the
      Add Rule
       window, modify the rules. For example, add a rule that allows traffic; complete the mandatory fields and use the default settings for remaining fields.
    5. Enable logging for the rule. In the Add Rule window, select
      Logging
      .
    6. Click
      Validate
      , then
      Add
      to add the rule to the rulestack.

    Add a FQDN list

    Add a FQDN list to the local rulestack that includes Facebook. Use this list to add a rule that blocks traffic to facebook.com
    1. In the local rulestack page for the Cloud NGFW resource, click
      FQDN List
      .
    2. Click
      Add
      .
    3. In the
      Add FQDN List
       screen, enter a name and description. In the FQDN field, enter one or more URLs, such as
      www.facebook.com
      . Only one FQDN URL can exist on a single line in the FQDN field.
    4. Click
      Add
      .
    5. Verify that the specified URLs appear in the FQDN list.

    Add a Rule

    Add a rule to the local rulestack that matches the FQDN list previously created. With the rule you can set an action, like dropping traffic. For example, you can apply an action to the FQDN rule to drop traffic attempting to access the URL www.facebook.com.
    1. In the local rulestack page for the Cloud NGFW resource, click
      Rules
      .
    2. Click
      Add
      .
    3. In the
      Add Rule
       screen, set the Match Criteria to Match. In the
      FQDN List
       field, use the drop-down menu to select Facebook
    4. In the
      Actions
      field, select
      Drop
      .
    5. Click
      Add
      .
      Both rules appear in the local rulestack header page.
      As part of this Cloud NGFW service, security profiles are enabled with best practice configurations by default. Traffic is secured with the best security profiles once the Cloud NGFW is deployed in the network. View these using the
      Profiles
      page for the local rulestack.
      After modifying rules,deploy them onto the local rulestack associated with the Cloud NGFW service.
    6. In the local rulestack, click
      Deployment
      . The deployment status page displays as Candidate; this means that the configuration was built but not deployed.
    7. Click
      Deploy Configuration
       to deploy the configuration onto the Cloud NGFW service. You must perform this step in order to deploy the rules onto the rulestack.
    8. After clicking
      Deploy Configuration
      , a pop-up message displays the firewalls associated with this rulestack. Click
      Deploy
      to configure this rulestack on all associated firewalls.
    9. After successfully deploying the configuration, the
      Deployment
      status is
      Running
      .

    Configure a source and destination NAT rule

    You can configure a destination NAT rule to address inbound traffic.
    1. Access the
      Networking and NAT
       settings for the Cloud NGFW resource. To determine if the Source NAT setting is enabled.
    2. Click
      Edit
      to add the destination NAT rule.
    3. Add a Destination NAT rule. The frontend IP represents the public IP address associated with the Cloud NGFW. Enter the frontend port number and click
      Add
      .
    4. After adding the destination NAT rule, click
      Save
       to deploy the configuration on the Cloud NGFW resource.
      The frontend address is now redirected through the configured port through Cloud NGFW. Inbound traffic is now flowing through the Cloud NGFW.

    Configure Logging

    Before configuring logging on the Cloud NGFW, create the Log Analytics workspace on Azure.
    1. In the Azure portal search for the
      Azure Log Analytics workspace
      . Click
      Log Analytics Workspaces
       to add it as a service.
    2. Click
      Create
      to establish a new
      Log Analytics
      workspace:
    3. In the Create Log Analytics workspace provide
      Instance
      details. Select the
      Name
      of the workspace from the drop-down menu, and specify the
      Region
      .
    4. Configure log settings in the Cloud NGFW resource. Select
      Log Settings
      . Click
      Edit
      .
    5. In the
      Log Settings
       field, select the Log Analytics workspace previously created, then click
      Save
      .

    Update the Network Security Group

    Update the network security group that was created as part of the Cloud NGFW deployment. This security group is associated with both private and public subnet as part of the vNET in the Cloud NGFW subscription.
    1. Allow traffic as part of the frontend (destination) NAT rule configuration. Allow HTTP and HTTPS traffic so that the internet is accessible from application vNETs through the Cloud NGFW.
    2. Click
      Add
       to incorporate this inbound security rule:

    Configure vNET peering

    To configure vNET peering:
    1. Locate your vNET and select
      Peerings
      .
    2. Click
      Add
      to create a new peering.
    3. Provide a name for the peering and retain the default settings.
    4. Select the hub vNET that you want to peer. When deploying the Cloud NGFW in a vNET using an existing vNET hub, the minimum size should be /25. You must have 2 subnets with the minimum size /26; these subnets must be delegated to the
      PaloAltoNetworks.Cloudngfw/firewalls
       service
    5. Configure vNET peering between additional vNETs by repeating the steps outlined in this section.

    Add a Route Table to route traffic through the Cloud NGFW

    1. Search for the
      Route table
       in the Azure portal search bar.
    2. Click
      Create
      to establish a new route table.
    3. Complete the route table fields, then click
      Review+create
      .
    4. After creating the route table, select the
      Subnets
       section and associate the table with the subnet.
    5. Configure the default route for outbound traffic, and route towards toward the subnet (for east-west traffic) with the next hop as the Cloud NGFW private IP address.
    6. Associate one or more route tables with another subnet from the vNET. Configure a default route (for outbound traffic) and route it towards a different subnet (for east-west traffic) with the next hop as the Cloud NGFW private IP address.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.