Deploy the Cloud NGFW in a vWAN
Deploy CNGFW in a vWAN.
The Cloud NGFW can be seamlessly deployed in the vWAN hub as a scalable firewall
solution to secure traffic between critical workloads hosted in a global hybrid
network between Azure and on-premises. For more information on Azure vWAN and
available features and capabilities, see the Azure Virtual WAN documentation.
Consider the following when deploying the Cloud NGFW in a vWAN:
- One private IP address is used for an NGFW resource. For vWAN environments, configure the vWAN hub routing policy to hairpin traffic for the service. That is, the traffic exits an interface and returns before going out to the Internet.
- It may take approximately 30 minutes to provision a new vWAN hub. You can verify the status of a newly created vWAN hub in the Routing Status field in the Essentials section of the Overview page.
The Cloud NGFW for Azure vWAN deployment:
- Is fully integrated into the Azure Virtual WAN using the SaaS framework.
- Is deployed right into the vWAN virtual hub.
- Utilizes routing intent and policies to control which traffic gets inspected by the Cloud NGFW service.
- Enables enforcement of a consistent security policy for inter-hub and inter-region traffic.
Prerequisites
To deploy Cloud NGFW in a vWAN, you need an Azure subscription in which you hold the
Owner or Contributor role. Throughput for a vWAN is limited to 50 Gbps. Palo Alto
Networks recommends using a hub address space of /16.
- Log into the Azure portal and search for Virtual WAN. Click Create to create a Virtual WAN service.
- After successfully creating the Virtual WAN service, click Go to resource.
- Add a hub to the Virtual WAN you created. Select Connectivity > Hubs. Click New Hub.
- Configure Virtual Hub Details. Specify the hub private address and virtual hub capacity, then click Next: Site to Site.
- After validating the configuration, click Create to create the virtual WAN hub.
- Verify that the Routing status is Provisioned. It may take approximately 30 minutes to provision a new vWAN hub. Use the Overview page to view the routing status.
- Log into the Azure portal and search for Cloud NGFWs by Palo Alto Networks.
- Click Cloud NGFWs by Palo Alto Networks to start creating the Palo Alto Networks Cloud NGFW service for Azure.
- In the Cloud NGFWs screen, click Create; this landing page is pre-populated with Cloud NGFW instances if you have previously created the resource.
- In the Create Palo Alto Networks Cloud NGFW screen, enter basic configuration information in the Project details section. Use the following field descriptions to provide Project details.
  - Subscription: Automatically selected based on the subscription used while logged in.
  - Resource Group: Use one of the existing resource groups or create a new one (using the Create New option) in which the Cloud NGFW resource is created.
  - Firewall Name: Name of the Cloud NGFW firewall resource.
  - Region: Region in which Cloud NGFW is provisioned.
- Click Next: Networking. Provide information for your networking environment. Choose Virtual WAN Hub for the Network Type. In the Virtual WAN Hub Details section, select the virtual hub name you created previously from the drop-down menu. Specify public IP addresses, and the Source NAT option if address translation is used on traffic going out to the internet.
- Click Next: Rulestack to create a local rulestack where rules are defined; this is a placeholder for local rulestack creation. Click Create new or Use existing (if a local rulestack already exists, select it from the drop-down menu). After you create the Cloud NGFW resource, you can modify this rulestack to add or edit rules, the FQDN list, and the prefix list.
- Click Next: DNS Proxy. By default, DNS proxy is disabled. You can configure the Cloud NGFW to inspect all DNS traffic by acting as a proxy for vWAN resources. When configured, the DNS Proxy forwards DNS requests to the default Azure DNS server or to a DNS server you specify.
- Click Next: Tags to specify tags for your Azure requirements. Tags are predefined labels that can help you manage the vulnerabilities in your environment and view consolidated billing related to your Azure account. They are centrally defined and can be set on vulnerabilities and as policy exceptions. Tags are used as:
- Vulnerability labels. They provide a convenient way to categorize the vulnerabilities in your environment.
- Policy exceptions. They can be a part of your rules in order to have a specific effect on tagged vulnerabilities.
- View consolidated billing for your Azure account.
Tags are useful when you have large container deployments with multiple teams working in the same environment. For example, you might have different teams handling different types of vulnerabilities. Then you can set tags in order to define responsibilities over vulnerabilities. Other uses would be to set the status of fixing the vulnerability, or to mark vulnerabilities to ignore when they are a known problem that can't be fixed in the near future. You can define as many tags as you like. For information about creating tags for your Azure account, see Use tags to organize your Azure resources and management hierarchy.
- Click Next: Terms and accept the terms and conditions for the deployment.
- Click Review + create to validate your Azure subscription for the Cloud NGFW resource. The resource is validated first, then created. The screen shows Validation Passed. Click Create to deploy the Cloud NGFW service. After creating the Cloud NGFW service, the deployment progress is displayed. Deploying a Cloud NGFW resource takes approximately 30 minutes to complete. On a successful deployment, the following screen appears.
- Four resources are created: the Cloud NGFW, a local rulestack, a public IP address, and the Cloud-nva.
- After creating the Cloud NGFW resource, select it to verify that the provisioning state is Succeeded. This page also displays the public and private IP addresses that are associated with the Cloud NGFW service. Make sure that the Network type is vWAN.
Verify the Deployment of the Cloud NGFW in a vWAN
After successfully creating the Cloud NGFW service for the vWAN network type,
verify that the Cloud NGFW was added as a SaaS Solution for the vWAN.
- Go to the Virtual Hub that was used while creating the Cloud NGFW service. In the Third party providers section, click SaaS Solutions.
- Verify that the Cloud NGFW was created; it is added as a SaaS solution to this hub. In the SaaS Solutions section, select Click here. Information related to the vWAN deployment appears.
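The portal steps above (create the Virtual WAN and hub, wait for the hub's Routing status to reach Provisioned, then confirm that the deployment put an NVA into the hub) can also be driven from the Azure CLI. The script below is an added example, not part of the Palo Alto Networks page or product: the resource group, region, Virtual WAN, hub and address-prefix values are placeholders, the `az network vwan`/`az network vhub` commands come from the `virtual-wan` CLI extension, and it is an assumption that the Cloud-nva appears under `az network virtual-appliance list`. The `az` calls only execute when `RUN_AZ=1`; the two pure helpers (prefix check and routing-state check) run offline.

```shell
#!/bin/sh
# Added example: Azure CLI equivalent of the vWAN portal steps.
# All names below are placeholders; the az commands only run when RUN_AZ=1.

RG="${RG:-rg-cngfw-example}"               # placeholder resource group
LOCATION="${LOCATION:-eastus}"             # placeholder region
VWAN_NAME="${VWAN_NAME:-vwan-example}"     # placeholder Virtual WAN name
HUB_NAME="${HUB_NAME:-hub-example}"        # placeholder hub name
HUB_PREFIX="${HUB_PREFIX:-10.100.0.0/16}"  # a /16, as the page recommends

# Return 0 when the hub address space is a /16 (the recommended size), so a
# too-small hub is flagged before any Azure call is made.
hub_prefix_is_16() {
  case "$1" in
    */16) return 0 ;;
    *)    return 1 ;;
  esac
}

# Return 0 when the JSON printed by 'az network vhub show' reports
# routingState "Provisioned". grep only, so it works offline and without jq.
hub_is_provisioned() {
  printf '%s' "$1" | grep -Eq '"routingState"[[:space:]]*:[[:space:]]*"Provisioned"'
}

# Portal steps 1-5: create the Virtual WAN service, then a hub inside it.
create_vwan_and_hub() {
  hub_prefix_is_16 "$HUB_PREFIX" || {
    echo "hub prefix $HUB_PREFIX is not a /16; the page recommends a /16" >&2
    return 1
  }
  az group create --name "$RG" --location "$LOCATION" >/dev/null
  az network vwan create --name "$VWAN_NAME" --resource-group "$RG" \
    --location "$LOCATION" --type Standard >/dev/null
  az network vhub create --name "$HUB_NAME" --resource-group "$RG" \
    --vwan "$VWAN_NAME" --location "$LOCATION" \
    --address-prefix "$HUB_PREFIX" --sku Standard >/dev/null
}

# Portal step 6: poll until the hub's routing status is Provisioned.
# The page says provisioning takes about 30 minutes; default deadline is 45.
wait_for_hub_routing() {
  deadline=$(( $(date +%s) + ${1:-2700} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    state_json="$(az network vhub show --name "$HUB_NAME" --resource-group "$RG" -o json)"
    if hub_is_provisioned "$state_json"; then
      echo "hub $HUB_NAME routing status: Provisioned"
      return 0
    fi
    sleep 60
  done
  echo "hub $HUB_NAME did not reach Provisioned within the deadline" >&2
  return 1
}

# Verification section: the deployment creates a Cloud-nva in the hub.
# Assumption: it is listed as a Microsoft.Network/networkVirtualAppliances
# resource in the resource group, with its hub and provisioning state.
verify_cngfw_nva() {
  az network virtual-appliance list --resource-group "$RG" \
    --query "[].{name:name,hub:virtualHub.id,state:provisioningState}" -o table
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  create_vwan_and_hub
  wait_for_hub_routing
  verify_cngfw_nva
fi
```

Run it with `RUN_AZ=1 RG=<your-rg> LOCATION=<your-region> sh deploy-vwan-hub.sh` after `az login`; the Cloud NGFW resource itself is still created from the portal as described above, and `verify_cngfw_nva` is the CLI counterpart of checking the hub's SaaS Solutions entry.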