Deploy the Cloud NGFW in a vWAN
Deploy CNGFW in a vWAN.
You can deploy the Cloud NGFW in the vWAN hub as a scalable firewall solution to
secure traffic between critical workloads hosted in a global hybrid network between
Azure and on-premises. For more information on Azure vWAN and available features and
capabilities, see the Azure Virtual WAN documentation.
Consider the following when deploying the Cloud NGFW in a vWAN:
- One private IP address is used for an NGFW resource. For vWAN environments, configure the vWAN hub routing policy to hairpin traffic for the service. That is, the traffic exits an interface and returns before going out to the internet.
- It may take approximately 30 minutes to provision a new vWAN hub. You can verify the status of a newly created vWAN hub in the Routing Status field in the Essentials section of the Overview page.
The Cloud NGFW for Azure vWAN deployment:
- Fully integrates into the Azure Virtual WAN using the SaaS framework.
- Deploys into the vWAN virtual hub.
- Utilizes routing intent and policy rules to control which traffic gets inspected by the Cloud NGFW service.
- Enables enforcement of a consistent Security policy for inter-hub and inter-region traffic.
When you configure DNAT rules in a vWAN hub, the ingress flow works regardless of the routing intent because SNAT is performed on the trust interface.
Prerequisites
To deploy Cloud NGFW in a vWAN, you need an Azure subscription on which you hold the Owner or Contributor role.
1. Log in to the Azure portal and search for Virtual WAN. Click Create to create a Virtual WAN service.
2. After the Virtual WAN service is created, click Go to resource.
3. Add a hub to the Virtual WAN you created. Select Connectivity > Hubs and click New Hub.
4. Configure the Virtual Hub details. Specify the hub private address and the virtual hub capacity, then click Next: Site to Site.
5. After the configuration is validated, click Create to create the virtual WAN hub.
6. Verify that the Routing status is Provisioned. It may take approximately 30 minutes to provision a new vWAN hub; use the Overview page to view the routing status.
7. Log in to the Azure portal and search for Cloud NGFWs by Palo Alto Networks.
8. Click Cloud NGFWs by Palo Alto Networks to start creating the Palo Alto Networks Cloud NGFW service for Azure.
9. In the Cloud NGFWs screen, click Create. If you have previously created the resource, this landing page is prepopulated with your existing Cloud NGFW instances.
10. In the Create Palo Alto Networks Cloud NGFW screen, enter basic configuration information in the Project details section. Use the information in the following table to provide the Project details.

| Field | Description |
| --- | --- |
| Subscription | Automatically selected based on the subscription used while logged in. |
| Resource Group | Use one of the existing resource groups, or create a new one (using the Create New option), in which the Cloud NGFW resource is created. |
| Firewall Name | Name of the Cloud NGFW firewall resource. |
| Region | Region in which the Cloud NGFW is provisioned. |

11. Click Next: Networking and provide the information for your networking environment. Choose Virtual WAN Hub as the Network Type. In the Virtual WAN Hub Details section, select the virtual hub you created previously from the drop-down menu. Specify the public IP addresses and, if address translation is used on traffic going out to the internet, the Source NAT option.
12. Click Next: Rulestack to create a local rulestack where rules are defined. This is a placeholder for local rulestack creation: click Create new, or click Use existing and select an existing local rulestack from the drop-down menu. After you create the Cloud NGFW resource, you can modify this rulestack to add or edit rules, FQDN lists, and prefix lists.
13. Click Next: DNS Proxy. By default, the DNS proxy is disabled. You can configure the Cloud NGFW to inspect all DNS traffic by acting as a proxy for vWAN resources. When configured, the DNS Proxy forwards DNS requests to the default Azure DNS server or to a DNS server you specify.
14. Click Next: Tags to specify tags for your Azure requirements. Tags are predefined labels that can help you manage the vulnerabilities in your environment and view consolidated billing related to your Azure account. They are centrally defined and are set on vulnerabilities and as policy exceptions. Use tags for:
   - Vulnerability labels. They provide a convenient way to categorize the vulnerabilities in your environment.
   - Policy exceptions. They can be part of your rules to have a specific effect on tagged vulnerabilities.
   - Viewing consolidated billing for your Azure account.
   Tags are useful when you have large container deployments with multiple teams working in the same environment. For example, you might have different teams handling different types of vulnerabilities; you can then set tags to define responsibilities over vulnerabilities. Other uses are to record the status of fixing a vulnerability, or to mark vulnerabilities to ignore when they are a known problem that can't be fixed in the near future. You can define as many tags as you like. For information about creating tags for your Azure account, see Use tags to organize your Azure resources and management hierarchy.
15. Click Next: Terms and accept the terms and conditions for the deployment.
16. Click Review + create to validate your Azure subscription for the Cloud NGFW resource. The resource is validated first, then created. When the screen shows Validation Passed, click Create to deploy the Cloud NGFW service.
17. After you create the Cloud NGFW service, the deployment progress is displayed. Deploying a Cloud NGFW resource takes approximately 30 minutes to complete. On a successful deployment, the following screen appears, showing the four resources that are created: the Cloud NGFW, a local rulestack, a public IP address, and the Cloud-nva.
18. After the Cloud NGFW resource is created, select it and verify that the provisioning state is Succeeded. This page also displays the public and private IP addresses associated with the Cloud NGFW service. Make sure that the Network type is vWAN.

Verify the Deployment of the Cloud NGFW in a vWAN
After successfully creating the Cloud NGFW service for the vWAN network type, verify that the Cloud NGFW was added as a SaaS solution for the vWAN.
1. Go to the Virtual Hub that was used while creating the Cloud NGFW service. In the Third-party providers section, click SaaS Solutions.
2. Verify that the Cloud NGFW was created; it is added as a SaaS solution to this hub.
3. In the SaaS Solutions section, select Click here. Information related to the vWAN deployment appears.