Cloud NGFW Native Policy Management
Learn about Cloud NGFW for Azure native policy management.
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal account
  • Azure Marketplace subscription
You can use Cloud NGFW for Azure native policy management as follows: on Cloud NGFW, you define security policy rules and group those rules together in a rulestack.
Cloud NGFW uses your rulestack definitions to protect your Azure Virtual Network (VNet) traffic. For more information, see Cloud NGFW for Azure Security Services.
While security policy rules enable you to allow or block traffic on your network, Security Profiles help you define an allow-but-scan rule, which scans allowed applications for threats such as malware, spyware, and DDoS attacks. When traffic matches the allow rule defined in the Security policy rule, the Security Profiles attached to the rule are applied for further content inspection, such as antivirus checks and data filtering.
Security Profiles are not used in the match criteria of a traffic flow. The Security Profile is applied to scan traffic after the Security policy rule allows the application or category.
The firewall provides default Security Profiles that you can use out of the box to begin protecting your network from threats. See Set Up a Basic Security Policy for information on using the default profiles in your Security policy rule.
For recommendations on the best practice settings for Security Profiles, review the best practices for creating security profiles.
You can add Security Profiles that are commonly applied together to Create a Security Profile Group; this set of profiles is treated as a unit and added to Security policy rules in one step (or included in Security policy rules by default, if you choose to set up a default Security Profile Group).
Security Profiles provide fundamental protection by scanning the traffic that you allow on the network for threats. Security Profiles provide a full suite of coordinated threat prevention tools that block peer-to-peer command and control (C2) application traffic, dangerous file types, attempts to exploit vulnerabilities, and traffic matching antivirus signatures, and that also identify new and unknown malware.
It takes relatively little effort to apply Security Profiles because Palo Alto Networks provides predefined profiles that you can simply add to Security policy allow rules. Customizing Security Profiles is easy because you can clone a predefined profile and then edit it. You can also create a Security Profile from scratch on the firewall or on Panorama.
To detect known and unknown threats in your network traffic, attach Security Profiles to all Security policy rules that allow traffic on the network, so that the firewall inspects all allowed traffic. The firewall applies Security Profiles to traffic that matches the Security policy allow rule, scans traffic in accordance with the Security Profile settings, and then takes appropriate actions to protect the network. The recommendations for best practice Security Profiles apply to all four of the data center traffic flows except as noted.
Download content updates automatically and install them as soon as possible so that you have the latest threat prevention signatures and content (antivirus, antispyware, vulnerabilities, malware, etc.) on the firewall and block the latest threats.

Security Rule Objects

A security rule object is a single object or collective unit that groups discrete identities such as IP addresses, FQDNs, or certificates. Typically, when creating a policy object, you group objects that require similar permissions in the policy. For example, if your organization uses a set of server IP addresses for authenticating users, you can group those server IP addresses as a prefix list object and reference that prefix list in one or more security rules. Grouping objects allows you to significantly reduce the administrative overhead of creating rules.
  • Prefix and FQDN Lists—prefix and FQDN lists allow you to group specific source or destination IP addresses or FQDNs that require the same policy enforcement. A prefix list can contain one or more IP addresses or IP netmasks in CIDR notation. An address object of type IP netmask requires you to enter the IP address or network using slash notation to indicate the IPv4 network, for example 192.168.18.0/24. An FQDN object (for example, paloaltonetworks.com) provides further ease of use because DNS resolves the FQDN to its IP addresses, so you do not need to know the IP addresses or manually update them every time the FQDN resolves to new IP addresses.
  • Certificate—a certificate object is a reference to a TLS certificate stored in the Azure Key Vault in your Azure account, and is used in outbound decryption.
    PAN-OS version 11.0.x is required when using Azure Key Vault for outbound decryption.
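The following is an added illustration, not Cloud NGFW's own code, of two points made above: prefix and FQDN lists act as grouping objects referenced by rules, and Security Profiles are never part of the match criteria but are applied only after a rule allows the flow. The `Rulestack` and `Rule` classes, the object names and the CIDRs are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of a rulestack (hypothetical helper, not the product API):
# named prefix lists group CIDRs, named FQDN lists group hostnames, and an
# ordered list of rules references those objects by name.

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    sources: list               # prefix-list names, or "any"
    destinations: list          # prefix-list / FQDN-list names, or "any"
    profiles: list = field(default_factory=list)  # scanned only after allow

@dataclass
class Rulestack:
    prefix_lists: dict          # name -> list of CIDR strings
    fqdn_lists: dict            # name -> list of FQDNs
    rules: list                 # evaluated top-down, first match wins

    def _object_matches(self, obj_name, ip, fqdn):
        if obj_name == "any":
            return True
        if obj_name in self.prefix_lists:
            addr = ipaddress.ip_address(ip)
            return any(addr in ipaddress.ip_network(c, strict=False)
                       for c in self.prefix_lists[obj_name])
        if obj_name in self.fqdn_lists:
            names = [f.lower() for f in self.fqdn_lists[obj_name]]
            return fqdn is not None and fqdn.lower() in names
        raise KeyError(f"unknown rule object {obj_name!r}")

    def evaluate(self, src_ip, dst_ip, dst_fqdn=None):
        """Return (rule name, action, profiles to apply) for one flow."""
        for rule in self.rules:
            src_ok = any(self._object_matches(o, src_ip, None) for o in rule.sources)
            dst_ok = any(self._object_matches(o, dst_ip, dst_fqdn) for o in rule.destinations)
            if src_ok and dst_ok:
                # Profiles never influence the match; they only run on allowed traffic.
                scans = list(rule.profiles) if rule.action == "allow" else []
                return rule.name, rule.action, scans
        return "default-deny", "deny", []

# Constructed sample rulestack using the page's example prefix and FQDN.
STACK = Rulestack(
    prefix_lists={"auth-servers": ["192.168.18.0/24"], "corp-users": ["10.0.0.0/8"]},
    fqdn_lists={"vendor": ["paloaltonetworks.com"]},
    rules=[
        Rule("allow-auth", "allow", ["corp-users"], ["auth-servers"], ["antivirus", "anti-spyware"]),
        Rule("allow-vendor", "allow", ["corp-users"], ["vendor"], ["antivirus", "url-filtering"]),
        Rule("deny-all", "deny", ["any"], ["any"]),
    ],
)
```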