Cloud NGFW for Azure
Cloud NGFW Native Policy Management
Table of Contents
Cloud NGFW Native Policy Management
Learn about Cloud NGFW for Azure native policy management.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
You can use Cloud NGFW for Azure native policy management:
![]()
On Cloud NGFW, you define security policy rules and group those rules together in a
rulestack.
Cloud NGFW uses your rulestack definitions to
protect your Azure Virtual Network (VNet) traffic. For more information, see Cloud NGFW for Azure Security
Services.
While security policy rules enable you to allow or block traffic on your
network, Security Profiles help you define an allow but scan rule,
which scans allowed applications for threats, such as malware, spyware, and DDoS
attacks. When traffic matches the allow rule defined in the Security
policy rule, the Security Profiles attached to the rule are applied for further content
inspection rules such as antivirus checks and data filtering.
Security Profiles are not used in the match criteria of a traffic flow.
The Security Profile is applied to scan traffic after the Security policy rule
allows the application or category.
The firewall provides default Security Profiles that you can use out of the box
to begin protecting your network from threats. See Set Up a Basic Security Policy for information
on using the default profiles in your Security policy rule.
For recommendations on the best practice settings for Security Profiles, review
the best practices for creating security
profiles.
You can add Security Profiles that are commonly applied together to Create a Security Profile Group; this set of
profiles are treated as a unit and added to Security policy rules in one step (or
included in Security policy rules by default, if you choose to set up a default Security
Profile Group).
Security profiles provide fundamental
protections by scanning traffic that you allow on the network for threats. Security
Profiles provide a full suite of coordinated threat prevention tools that block
peer-to-peer command and control (C2) application traffic, dangerous file types,
attempts to exploit vulnerabilities, and antivirus signatures, and also identify new and
unknown malware.
It takes relatively little effort to apply Security Profiles because Palo Alto
Networks provides predefined profiles that you can simply add to Security policy allow
rules. Customizing Security Profiles is easy because you can clone a predefined profile
and then edit it. You can also create a Security Profile from scratch on the firewall or
on Panorama.
To detect known and unknown threats in your network traffic, attach Security
Profiles to all Security policy rules that allow traffic on the network, so that the
firewall inspects all allowed traffic. The firewall applies Security Profiles to traffic
that matches the Security policy allow rule, scans traffic in accordance with the
Security Profile settings, and then takes appropriate actions to protect the network.
The recommendations for best practice Security Profiles apply to all four of the data
center traffic flows except as noted.
Download content updates automatically and install
them as soon as possible so that you have the latest threat prevention signatures
and content (antivirus, antispyware, vulnerabilities, malware, etc.) on the firewall
and block the latest threats.
Security Rule Objects
A security rule object is a single object or collective unit that groups
discrete identities such as IP addresses, FQDN, or certificates. Typically, when
creating a policy object, you group objects that require similar permissions in the
policy. For example, if your organization uses a set of server IP addresses for
authenticating users, you can group the set of server IP addresses as a prefix list
object and reference that prefix list in one or more security rules. Group object
allows you to significantly reduce the administrative overhead in creating
rules.
- Prefix and FQDN Lists—prefix and FQDN lists allow you to group specific source or destination IP addresses or FQDNs that require the same policy enforcement. A prefix list can contain one or more IP addresses or Internet Protocol netmask in CIDR notation. An address object of type Internet Protocol netmask requires you to enter the IP address or network using slash notation to indicate the IPv4 network. For example, 192.168.18.0/24. An FQDN (for example, paloaltonetworks.com) object provides further ease of use because DNS provides the FQDN resolution to the IP addresses instead of you needing to know the IP addresses and manually updating them every time the FQDN resolves to new IP addresses.
- Certificate—a certificate object is a reference to a TLS certificate stored in the Azure Key Vault in your Azure account, and is used in outbound decryption.PAN-OS version 11.0.x is required when using Azure Key Vault for outbound decryption.