>
    Strata Copilot
    Panorama Integration Prerequisites
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for Azure Administration
    3. Protect Traffic with Cloud NGFW for Azure
    4. Panorama Policy Management
    5. Panorama Integration Prerequisites
    Download PDF
    Cloud NGFW for Azure

    Panorama Integration Prerequisites

    Table of Contents

    Panorama Integration Prerequisites

    Learn about Cloud NGFW Panorama Prerequisites.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for Azure
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Portal account
    • Azure Marketplace subscription
    To integrate the Cloud NGFW service with your Panorama virtual appliance:
    • Setup Panorama.
      • Deploy Panorama running software version 10.2, 11.0, 11.1, or 11.2.
        Upgrading to PAN-OS version 11.2.6 resolves an issue where Cloud NGFW devices were included in the Panorama licenses device count.
      • Use the Azure plugin for Cloud NGFW version 5.2.2 or greater.
      • Ensure you have a registered Panorama installed with licenses with the necessary capacity to support your Cloud NGFW for Azure deployment and activated using the support license on the Customer Support Portal (CSP).
        You must install the device certificate on the Panorama management server to successfully authenticate Panorama with the Palo Alto Networks Customer Support Portal (CSP) and leverage one or more cloud service.
      • Ensure you are a member of the Palo Alto Networks Customer Support Portal (CSP) account where your Organization has registered the Panorama appliance.
        The email used to register with the CSP account should be used for the Cloud NGFW and Panorama integration. If this email differs, you will not be able to configure Cloud NGFW and integrate with Panorama.
    • Ensure you have a Panorama Administrator role on your Panorama.
    • Ensure that your network allows traffic that target the following ports to your Panorama virtual appliance to ensure communication between Cloud NGFW and Panorama: 3978, 28443, 28270.
    Consider the following when integrating your Cloud NGFW resource with Panorama:
    • To move a Cloud NGFW resource to another Panorama, you must redeploy it.
    • If you add a log collector after deploying the Cloud NGFW resource you must redeploy it.
    • If you change the Panorama IP address must also redeploy it.

    Connectivity Scenarios

    In addition to the items listed above, you must also consider how your Cloud NGFW resources connect to Panorama. To manage Cloud NGFW policy using Panorama, Panorama must have connectivity with your VNet. However, depending on your network topology, connectivity between Panorama and your VNet is enabled differently.
    • Private Network Access with Panorama Private IP—you can deploy Panorama directly in your hub VNet private subnet or in another VNet peered with the Cloud NGFW VNet.
      When deployed directly in your hub VNet private subnet, Panorama connects directly with your Cloud NGFW resources because they are in the same subnet. When you deploy Panorama in a VNet peered with the private subnet of the hub VNet associated with Cloud NGFW, VNet peering enables the Cloud NGFW resource to reach the Panorama private IP address.
    • On-Prem Panorama Access via VPN—if your Panorama instance is deployed on-premises, Cloud NGFW resources can reach Panorama's private IP address through a VPN. Additionally, this scenario supports VNet peering.
      In this scenario, Panorama is deployed in your on-premises network and uses a VPN gateway connection directly to the Cloud NGFW hub VNet or to a hub VNet peered with the Cloud NGFW hub VNet. In each case, the hub VNet must have a route that pointing the VPN tunnel with Panorama's private IP address as the destination. See Configure VPN gateway transit for virtual network peering for more information about configuring this setup.
    • Panorama Public IP Access via the internet—if there is no VNet peering, VPN, or VWAN connectivity between Panorama and your Cloud NGFW hub VNet, your Cloud NGFW resources can connect to Panorama's public IP address over the internet. To allow this connectivity, you must create a Network Security Group rule in Azure to allow inbound traffic from the Cloud NGFW public IP address to Panorama the ports used by Panorama.
    • Access Panorama from Anywhere (VWAN)—Cloud NGFW for Azure is deployed as a managed SaaS service in the Azure VWAN, so it is able to secure all traffic going through the VWAN hub. Your Cloud NGFW resources can connect to the private IP address of a Panorama instance deployed at any location connected to your VWAN hub.
      If your Azure VWAN deployment has a Network Security Group for east-west traffic, you must create a Network Security Group rule allowing inbound traffic from the Cloud NGFW resource private IP address to the Panorama private IP address.

    © 2025 Palo Alto Networks, Inc. All rights reserved.