Panorama Integration Prerequisites
Table of Contents
Expand all | Collapse all
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Panorama Integration Prerequisites
Cloud NGFW Panorama Prerequisites.
To integrate the Cloud NGFW service with your Panorama virtual appliance:
- Setup Panorama.
- Deploy Panorama running software version 11.0.1-h1 and later or 10.2.4-h2 or later.
- Ensure you have a registered Panorama installed with licenses with the necessary capacity to support your Cloud NGFW for Azure deployment and activated using the support license on the Customer Support Portal (CSP).You must install the device certificate on the Panorama management server to successfully authenticate Panorama with the Palo Alto Networks Customer Support Portal (CSP) and leverage one or more cloud service.
- Ensure you are a member of the Palo Alto Networks Customer Support Portal (CSP) account where your Organization has registered the Panorama appliance.The email used to register with the CSP account should be used for the Cloud NGFW and Panorama integration. If this email differs, you will not be able to configure Cloud NGFW and integrate with Panorama.
- Install the Azure plugin version 5.0.0.
- Ensure you have a Panorama Administrator role on your Panorama.
- Ensure that your network allows traffic that target the following ports to your Panorama virtual appliance to ensure communication between Cloud NGFW and Panorama: 3978, 28443, 28270.
Connectivity Scenarios
In addition to the items listed above, you must also consider how your Cloud NGFW
resources connect to Panorama. To manage Cloud NGFW policy using Panorama, Panorama
must have connectivity with your VNet. However, depending on your network topology,
connectivity between Panorama and your VNet is enabled differently.
- Private Network Access with Panorama Private IP—you can deploy Panorama directly in your hub VNet private subnet or in another VNet peered with the Cloud NGFW VNet.When deployed directly in your hub VNet private subnet, Panorama connects directly with your Cloud NGFW resources because they are in the same subnet. When you deploy Panorama in a VNet peered with the private subnet of the hub VNet associated with Cloud NGFW, VNet peering enables the Cloud NGFW resource to reach the Panorama private IP address.
- On-Prem Panorama Access via VPN—if your Panorama instance is deployed on-premises, Cloud NGFW resources can reach Panorama's private IP address through a VPN. Additionally, this scenario supports VNet peering.In this scenario, Panorama is deployed in your on-premises network and uses a VPN gateway connection directly to the Cloud NGFW hub VNet or to a hub VNet peered with the Cloud NGFW hub VNet. In each case, the hub VNet must have a route that pointing the VPN tunnel with Panorama's private IP address as the destination. See Configure VPN gateway transit for virtual network peering for more information about configuring this setup.
- Panorama Public IP Access via the internet—if there is no VNet peering, VPN, or VWAN connectivity between Panorama and your Cloud NGFW hub VNet, your Cloud NGFW resources can connect to Panorama's public IP address over the internet. To allow this connectivity, you must create a Network Security Group rule in Azure to allow inbound traffic from the Cloud NGFW public IP address to Panorama the ports used by Panorama.
- Access Panorama from Anywhere (VWAN)—Cloud NGFW for Azure is deployed as a managed SaaS service in the Azure VWAN, so it is able to secure all traffic going through the VWAN hub. Your Cloud NGFW resources can connect to the private IP address of a Panorama instance deployed at any location connected to your VWAN hub.If your Azure VWAN deployment has a Network Security Group for east-west traffic, you must create a Network Security Group rule allowing inbound traffic from the Cloud NGFW resource private IP address to the Panorama private IP address.