Panorama Integration Prerequisites
Learn about the prerequisites for integrating Cloud NGFW for Azure with Panorama.
Where Can I Use This?
What Do I Need?
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Portal account
- Azure Marketplace subscription
To integrate the Cloud NGFW service with your Panorama virtual appliance:
- Set up Panorama.
- Deploy Panorama running software version 10.2, 11.0, 11.1, or 11.2. Upgrading to PAN-OS version 11.2.6 resolves an issue where Cloud NGFW devices were included in the Panorama license device count.
- Use the Azure plugin for Cloud NGFW version 5.2.2 or later.
- Ensure you have a registered Panorama with licenses that provide the capacity needed for your Cloud NGFW for Azure deployment, activated using the support license on the Customer Support Portal (CSP). You must install the device certificate on the Panorama management server so that Panorama can authenticate with the Palo Alto Networks Customer Support Portal (CSP) and use one or more cloud services.
- Ensure you are a member of the Palo Alto Networks Customer Support Portal (CSP) account in which your organization registered the Panorama appliance. Use the email address registered with that CSP account for the Cloud NGFW and Panorama integration; if the email differs, you cannot configure Cloud NGFW to integrate with Panorama.
- Ensure you have a Panorama Administrator role on your Panorama.
- Ensure that your network allows traffic to the following ports on your Panorama virtual appliance so that Cloud NGFW and Panorama can communicate: 3978, 28443, and 28270.
Consider the following when integrating your Cloud NGFW resource with Panorama:
- To move a Cloud NGFW resource to another Panorama, you must redeploy it.
- If you add a log collector after deploying the Cloud NGFW resource, you must redeploy it.
- If you change the Panorama IP address, you must also redeploy it.
Connectivity Scenarios
In addition to the items listed above, you must also consider how your Cloud NGFW
resources connect to Panorama. To manage Cloud NGFW policy using Panorama, Panorama
must have connectivity with your VNet. However, depending on your network topology,
connectivity between Panorama and your VNet is enabled differently.
- Private Network Access with Panorama Private IP—you can deploy Panorama directly in your hub VNet private subnet or in another VNet peered with the Cloud NGFW VNet. When deployed directly in your hub VNet private subnet, Panorama connects directly with your Cloud NGFW resources because they are in the same subnet. When you deploy Panorama in a VNet peered with the private subnet of the hub VNet associated with Cloud NGFW, VNet peering enables the Cloud NGFW resource to reach the Panorama private IP address.
- On-Prem Panorama Access via VPN—if your Panorama instance is deployed on-premises, Cloud NGFW resources can reach Panorama's private IP address through a VPN. This scenario also supports VNet peering. Here, Panorama is deployed in your on-premises network and uses a VPN gateway connection either directly to the Cloud NGFW hub VNet or to a hub VNet peered with the Cloud NGFW hub VNet. In each case, the hub VNet must have a route pointing to the VPN tunnel with Panorama's private IP address as the destination. See Configure VPN gateway transit for virtual network peering for more information about configuring this setup.
- Panorama Public IP Access via the internet—if there is no VNet peering, VPN, or VWAN connectivity between Panorama and your Cloud NGFW hub VNet, your Cloud NGFW resources can connect to Panorama's public IP address over the internet. To allow this connectivity, you must create a Network Security Group rule in Azure that allows inbound traffic from the Cloud NGFW public IP address to Panorama on the ports used by Panorama.
- Access Panorama from Anywhere (VWAN)—Cloud NGFW for Azure is deployed as a managed SaaS service in the Azure VWAN, so it is able to secure all traffic going through the VWAN hub. Your Cloud NGFW resources can connect to the private IP address of a Panorama instance deployed at any location connected to your VWAN hub. If your Azure VWAN deployment has a Network Security Group for east-west traffic, you must create a Network Security Group rule allowing inbound traffic from the Cloud NGFW resource private IP address to the Panorama private IP address.
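As an added example (not code from the Palo Alto Networks documentation), the following Python check covers the Network Security Group rule that both the Public IP and the VWAN scenarios above require: it walks an NSG's inbound rules the way Azure does (lowest priority number first, first match wins), reports which of the Panorama ports 3978, 28443 and 28270 the Cloud NGFW source address cannot reach, and flags Allow rules that open those ports to any source. The rule dicts mirror the properties of Microsoft.Network/networkSecurityGroups/securityRules; the sample rules and the 203.0.113.10 address are constructed, and Azure's built-in default rules are reduced to the implicit DenyAllInBound.

```python
"""Added example: can the Cloud NGFW source reach Panorama on TCP 3978, 28443 and 28270 through this
Azure NSG, and does any Allow rule open those ports to every source? Unmatched flows hit DenyAllInBound."""
import ipaddress

PANORAMA_PORTS = (3978, 28443, 28270)
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def _ports(rule):
    """Expand destinationPortRange(s) such as '22', '1000-2000' or '*' (None = any port)."""
    out = set()
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        if r == "*":
            return None
        lo, _, hi = r.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def _source_covers(rule, ip):
    """True if sourceAddressPrefix matches ip; service tags other than Internet never match."""
    prefix = rule.get("sourceAddressPrefix", "*")
    try:
        return prefix in OPEN_SOURCES or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False

def check_panorama_nsg(rules, cloud_ngfw_ip):
    """Return (Panorama ports cloud_ngfw_ip cannot reach, names of Allow rules open to any source)."""
    # Azure tries inbound rules lowest priority number first; the first match decides a flow.
    inbound = sorted((r for r in rules if r["direction"] == "Inbound" and r["protocol"] in ("Tcp", "*")),
                     key=lambda r: r["priority"])
    blocked = []
    for port in PANORAMA_PORTS:
        hit = next((r for r in inbound if (_ports(r) is None or port in _ports(r))
                    and _source_covers(r, cloud_ngfw_ip)), None)
        if hit is None or hit["access"] != "Allow":
            blocked.append(port)
    broad = [r["name"] for r in inbound if r["access"] == "Allow"
             and r.get("sourceAddressPrefix", "*") in OPEN_SOURCES
             and (_ports(r) is None or _ports(r) & set(PANORAMA_PORTS))]
    return blocked, broad

def _rule(name, priority, access, src, *ports):
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": "Tcp", "sourceAddressPrefix": src, "destinationPortRanges": list(ports)}

SAMPLE_RULES = [  # constructed: a lower-numbered Deny shadows 28270; one Allow is open to the Internet
    _rule("allow-cloudngfw-panorama", 100, "Allow", "203.0.113.10/32", "3978", "28443", "28270"),
    _rule("deny-28270", 90, "Deny", "*", "28270"),
    _rule("allow-any-28443", 110, "Allow", "Internet", "28443"),
]
```

Feed it the `properties` of each rule returned by `az network nsg rule list` for the NSG in front of Panorama; a non-empty first list means the integration will not come up, and a non-empty second list means a Panorama port is reachable from more than the Cloud NGFW address.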