Sample Configuration for Post vWAN Deployment

Sample configuration for post vWAN deployments in CNGFW for Azure.

Post deployment

Create or update a rulestack

To update an existing rulestack:
  1. In the Azure Resource Manager (ARM) console, click Rulestacks for the Cloud NGFW resource you want to configure. The rulestack associated with the Cloud NGFW service appears, along with its resource group.
  2. Modify the rulestack to add firewall rules. These rules allow some traffic while blocking specific traffic; by default, Cloud NGFW blocks all traffic. Search for the local rulestack you created previously using the global search option in the Azure portal.
  3. Select the previously created local rulestack associated with your Cloud NGFW subscription, then select Rules.
  4. In the Local Rules section, click Add. In the Add Rule window, define the rule. For example, add a rule that allows traffic: complete the mandatory fields and keep the default settings for the remaining fields.
  5. Enable logging for the rule: in the Add Rule window, select Logging.
  6. Click Validate, then Add to add the rule to the rulestack.
  7. Add an FQDN list that specifies a URL, then specify an action to take. For example, you can apply an action to the FQDN rule to drop traffic attempting to access the URL www.facebook.com. Verify that the URL you entered appears in the FQDN list.
  8. Return to the Rules page and add a rule that matches the newly created FQDN list. Set the action to Drop traffic. Both rules now appear in the Local Rules page.
  9. As part of the Cloud NGFW service, security profiles are enabled with best-practice configurations by default, so traffic is secured with these profiles as soon as the service is started and deployed. Select Profiles to view them.
  10. After modifying rules, deploy them onto the local rulestack associated with the Cloud NGFW service. Click Deployment. The deployment status appears as Candidate, meaning the configuration was built but not yet deployed. Click Deploy Configuration to deploy the configuration onto the Cloud NGFW service. You must complete this step to deploy the rulestack.
  11. After clicking Deploy Configuration, a message lists the firewalls associated with the rulestack. Click Deploy to configure this rulestack on all the firewalls using it. After the configuration is deployed, the screen displays the deployment status as Running (the Cloud NGFW and local rulestack are successfully deployed).
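Rule order in the rulestack is what makes the FQDN drop rule from step 8 effective. As an added example (not Palo Alto Networks' or Microsoft's code), the Python below models first-match evaluation of the two rules built in the steps above and a pre-deployment check that flags a broad allow rule ordered ahead of the drop rule, or a rule with logging disabled; priority-ordered first-match evaluation and the implicit deny are assumptions about the firewall's behaviour, and all rule and flow data are constructed.

```python
"""Added example (not Palo Alto Networks' or Microsoft's code): first-match
evaluation of a Cloud NGFW local rulestack. Assumed, not stated on the page:
rules are evaluated in ascending priority order, the first match wins, and an
unmatched flow hits the implicit deny. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str                          # "allow" or "drop"
    fqdn_list: frozenset = frozenset()   # empty = any destination
    logging: bool = False


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_fqdn: str
    dst_port: int


def evaluate(rules, flow):
    """Return (action, rule name, logged) for the first rule matching the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.fqdn_list and flow.dst_fqdn not in rule.fqdn_list:
            continue                     # FQDN rule does not cover this host
        return rule.action, rule.name, rule.logging
    return "drop", "implicit-deny", False  # nothing matched: default deny


def lint(rules):
    """Pre-Deploy checks: a broad allow ordered before a drop rule shadows it;
    a rule without logging leaves no record in Log Analytics."""
    findings = []
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, rule in enumerate(ordered):
        if rule.action == "allow" and not rule.fqdn_list:
            shadowed = [r.name for r in ordered[i + 1:] if r.action == "drop"]
            if shadowed:
                findings.append(f"'{rule.name}' shadows drop rules {shadowed}")
        if not rule.logging:
            findings.append(f"'{rule.name}' has logging disabled")
    return findings


BLOCKED = frozenset({"www.facebook.com"})   # the FQDN list from step 7
GOOD = [Rule("drop-fqdn-list", 1, "drop", BLOCKED, logging=True),   # drop first
        Rule("allow-outbound", 2, "allow", logging=True)]
BAD = [Rule("allow-outbound", 1, "allow", logging=True),            # allow first
       Rule("drop-fqdn-list", 2, "drop", BLOCKED, logging=True)]
```

Running lint over a candidate rulestack before clicking Deploy Configuration catches the swapped-priority case, where the general allow rule silently shadows the FQDN drop rule.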

Source/destination NAT rule on the Cloud NGFW

Configure a destination NAT rule with a frontend configuration on the Cloud NGFW to direct inbound traffic towards an application on the vWAN.
  1. Open the Networking & NAT settings screen for the Cloud NGFW resource. In this screen, confirm that the network type is Virtual WAN Hub and check the status of the Source NAT field (enabled or disabled); if Source NAT was enabled, it appears in this screen.
  2. Click Edit to add the Destination NAT rule.
  3. Add a Destination NAT rule for the frontend configuration. The frontend IP address is the public IP address associated with the Cloud NGFW; select it from the drop-down menu.
  4. Add the frontend setting information to the rule, and click Add. Once the destination NAT rule is added, click Save to deploy the configuration to the Cloud NGFW resource. After the configuration is saved, the Destination Network Address Translation (DNAT) field displays the update: traffic to http://frontendIP:8080 is redirected to the noted application on the specified port through the Cloud NGFW, so inbound traffic now flows through the Cloud NGFW.

Configure Logging

Before configuring logging on the Cloud NGFW, create the Log Analytics workspace on Azure.
  1. In the Azure portal, search for Azure Log Analytics workspace. Click Log Analytics Workspaces to add it as a service.
  2. Click Create to establish a new Log Analytics workspace.
  3. In the Create Log Analytics workspace screen, provide the Instance details: select the Name of the workspace from the drop-down menu, and specify the Region.
  4. Configure log settings in the Cloud NGFW resource: select Log Settings, then click Edit.
  5. In the Log Settings field, select the Log Analytics workspace you created, then click Save.

Add application vNETs as Virtual Network Connections to the Virtual WAN

Add the application vNETs as Virtual Network Connections to the Virtual WAN hub.
  1. In your vWAN resource, select Virtual Network Connections.
  2. Click Add connection.
  3. Select the vNET you want to configure as the Virtual Network, then click Create.
  4. Select another vNET for the second Virtual Network, then click Create.
  5. After the virtual networks are connected to the vHub, verify that their status is Connected.

Configure vWAN Hub Routing Intent and Routing Policies

Routing policies within the virtual WAN hub are used to route traffic through the Cloud NGFW service. To route internet-bound traffic and private traffic (spoke to spoke) through the firewall, configure the next hop as the vWAN Cloud NGFW.
vWAN routing intent, routing policies, and SaaS functionality are currently being developed by Microsoft for the Azure Portal. The target availability date for every region where Cloud NGFW is available is Tuesday, May 9, 2023.
  1. In your vWAN resource, select Routing Intent and Routing Policies.
  2. Select the Internet traffic and the Next Hop Resource from the drop-down menus, then click Save.
  3. After configuring routing policies, verify that the routing table was updated to route traffic through Cloud NGFW. Click Route Tables and select Default in the Route Tables section. You can Edit the route table to view details of the routes associated with the Default route table. Traffic going out to the internet or to other vNETs is routed through the Cloud NGFW.
