Deploy the Cloud NGFW in a vWAN

The Cloud NGFW can be seamlessly deployed in the vWAN hub as a scalable firewall solution to secure traffic between critical workloads hosted in a global hybrid network between Azure and on-premises. For more information on Azure vWAN and available features and capabilities, see the Azure Virtual WAN documentation.
Consider the following when deploying the Cloud NGFW in a vWAN:
  • One private IP address is used for an NGFW resource. For vWAN environments, configure the vWAN hub routing policy to hairpin traffic for the service. That is, the traffic exits an interface and returns before going out to the Internet.
  • It may take approximately 30 minutes to provision a new vWAN hub. You can verify the status of a newly created vWAN hub in the Routing Status field in the Essentials section of the Overview page.
The Cloud NGFW for Azure vWAN deployment:
  • Is fully integrated into the Azure Virtual WAN using the SaaS framework.
  • Is deployed right into the vWAN virtual hub.
  • Utilizes routing intent and policies to control which traffic gets inspected by the Cloud NGFW service.
  • Enables enforcement of a consistent security policy for inter-hub and inter-region traffic.
Prerequisites
To deploy Cloud NGFW in a vWAN, you will need an Azure subscription. This subscription should have an owner or a contributor role.
Throughput for a vWAN is limited to 50 Gbps. Palo Alto Networks recommends using a hub address space of /16.
  1. Log into the Azure portal and search for Virtual WAN. Click Create to create a Virtual WAN service.
  2. After successfully creating the Virtual WAN service, click Go to resource.
  3. Add a hub to the Virtual WAN you created. Select Connectivity > Hubs. Click New Hub.
  4. Configure Virtual Hub Details. Specify the hub private address and virtual hub capacity, then click Next: Site to Site.
  5. After validating the configuration, click Create to create the virtual WAN hub.
  6. Verify that the Routing status is Provisioned.
     It may take approximately 30 minutes to provision a new vWAN hub. Use the Overview page to view the routing status.
  7. Log into the Azure portal and search for Cloud NGFWs by Palo Alto Networks.
  8. Click Cloud NGFWs by Palo Alto Networks to start creating the Palo Alto Networks Cloud NGFW service for Azure.
  9. In the Cloud NGFWs screen, click Create; this landing page is pre-populated with Cloud NGFW instances if you have previously created the resource.
  10. In the Create Palo Alto Networks Cloud NGFW screen, enter basic configuration information in the Project details section.
     Use the information in the following table to provide Project details.
     Subscription: Automatically selected based on the subscription used while logged in.
     Resource Group: Use one of the existing resource groups or create a new one (using the Create New option) in which the Cloud NGFW resource is created.
     Firewall Name: Name of the Cloud NGFW Firewall resource.
     Region: Region in which Cloud NGFW is provisioned.
  11. Click Next: Networking. Provide information for your networking environment. Choose Virtual WAN Hub for the Network Type. In the Virtual WAN Hub Details section, select the virtual hub name you created previously from the drop-down menu. Specify public IP addresses, and the Source NAT option if address translation is used on traffic going out to the internet.
  12. Click Next: Rulestack to create a local rulestack where rules are defined; this is a placeholder for local rulestack creation. Click Create new or Use existing (if a local rulestack already exists, select it from the drop-down menu). After you create the Cloud NGFW resource, you can modify this rulestack to add or edit rules, FQDN lists and prefix lists.
  13. Click Next: DNS Proxy. By default, DNS proxy is disabled. You can configure the Cloud NGFW to inspect all DNS traffic by acting as a proxy for vWAN resources. When configured, the DNS Proxy forwards DNS requests to the default Azure DNS server or to a DNS server you specify.
  14. Click Next: Tags to specify tags for your Azure requirements. Tags are predefined labels that can help you manage the vulnerabilities in your environment and view consolidated billing related to your Azure account. They are centrally defined and can be set on vulnerabilities and as policy exceptions.
     Tags are used as:
     • Vulnerability labels. They provide a convenient way to categorize the vulnerabilities in your environment.
     • Policy exceptions. They can be a part of your rules in order to have a specific effect on tagged vulnerabilities.
     • A way to view consolidated billing for your Azure account.
     Tags are useful when you have large container deployments with multiple teams working in the same environment. For example, you might have different teams handling different types of vulnerabilities; you can then set tags to define responsibilities over vulnerabilities. Other uses are to record the status of fixing a vulnerability, or to mark vulnerabilities to ignore when they are a known problem that can't be fixed in the near future.
     You can define as many tags as you like. For information about creating tags for your Azure account, see Use tags to organize your Azure resources and management hierarchy.
  15. Click Next: Terms and accept the terms and conditions for the deployment.
  16. Click Review + create to validate your Azure subscription for the Cloud NGFW resource. The resource is validated first, then created. The screen shows Validation Passed. Click Create to deploy the Cloud NGFW service.
     After creating the Cloud NGFW service, the deployment progress is displayed. Deploying a Cloud NGFW resource takes approximately 30 minutes to complete. On a successful deployment, the portal shows the deployment as complete.
  17. Four resources are created: the Cloud NGFW, a local rulestack, a public IP address and the Cloud-nva.
  18. After creating the Cloud NGFW resource, select it to verify that the provisioning state is Succeeded. This page also displays the public and private IP addresses that are associated with the Cloud NGFW service. Make sure that the Network type is vWAN.
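The Virtual WAN and hub steps above (1 to 6) and the two status checks the page calls out (hub Routing status in step 6, firewall provisioning state in step 18) can be scripted with the Azure CLI instead of the portal. This is an added example, not Palo Alto Networks' own tooling; the resource group, names, location and hub prefix are assumed placeholders, and the Cloud NGFW resource itself is still created in the portal as in steps 7 to 16.

```shell
#!/usr/bin/env sh
# Added example (not from the Palo Alto Networks docs): Azure CLI equivalent of the
# vWAN/hub steps plus the readiness checks. All names below are assumed placeholders.
set -u

RG="${RG:-rg-cngfw-demo}"                   # assumed resource group
LOCATION="${LOCATION:-eastus}"              # assumed region
VWAN_NAME="${VWAN_NAME:-vwan-demo}"
HUB_NAME="${HUB_NAME:-hub-eastus}"
HUB_PREFIX="${HUB_PREFIX:-10.100.0.0/16}"   # page recommends a /16 hub address space
FW_NAME="${FW_NAME:-cngfw-hub-eastus}"      # Cloud NGFW resource created in the portal

# Returns 0 only when the hub address space follows the /16 recommendation.
hub_prefix_ok() {
  case "$1" in
    */16) return 0 ;;
    *)    return 1 ;;
  esac
}

# Ready states: hub routingState "Provisioned" (step 6) or
# firewall provisioningState "Succeeded" (step 18).
state_ready() {
  [ "$1" = "Provisioned" ] || [ "$1" = "Succeeded" ]
}

# Poll a command until it prints a ready state; provisioning can take ~30 minutes.
wait_ready() {   # usage: wait_ready <max_polls> <cmd...>
  max="$1"; shift
  i=0
  while [ "$i" -lt "$max" ]; do
    st="$("$@" 2>/dev/null || true)"
    if state_ready "$st"; then echo "$st"; return 0; fi
    i=$((i + 1)); sleep 60
  done
  return 1
}

deploy_hub() {   # steps 1-6 via Azure CLI (requires az login with Owner/Contributor)
  hub_prefix_ok "$HUB_PREFIX" || echo "warning: $HUB_PREFIX is not a /16" >&2
  az network vwan create -g "$RG" -n "$VWAN_NAME" -l "$LOCATION" --type Standard
  az network vhub create -g "$RG" -n "$HUB_NAME" --vwan "$VWAN_NAME" \
    -l "$LOCATION" --address-prefix "$HUB_PREFIX" --sku Standard
  wait_ready 40 az network vhub show -g "$RG" -n "$HUB_NAME" --query routingState -o tsv
}

check_firewall() {   # step 18: wait for the Cloud NGFW resource to reach Succeeded
  wait_ready 40 az resource show -g "$RG" -n "$FW_NAME" \
    --resource-type "PaloAltoNetworks.Cloudngfw/firewalls" \
    --query properties.provisioningState -o tsv
}

# Only touch Azure when explicitly requested.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy_hub && check_firewall; fi
```

Run with RUN_DEPLOY=1 after az login; without it the script only defines the functions.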

Verify the Deployment of the Cloud NGFW in a vWAN

After successfully creating the Cloud NGFW service for the vWAN network type, verify that the Cloud NGFW was added as a SaaS Solution for the vWAN.
  1. Go to the Virtual Hub that was used while creating the Cloud NGFW service. In the Third party providers section, click SaaS Solutions.
  2. Verify that the Cloud NGFW was created; it is added as a SaaS solution to this hub. In the SaaS Solutions section, select Click here.
     Information related to the vWAN deployment appears.
