Link the Cloud NGFW to Palo Alto Networks Management

Link Cloud NGFW to Panorama

Create a Cloud Device Group

After preparing your environment for integration, you can link your Cloud NGFW to the Panorama virtual appliance and start using policy management. You start by creating a Cloud Device Group.
With Panorama, you group firewalls in your network into logical units called device groups. A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls requiring similar policy configurations.
Using device groups, you can configure policy rules and the objects they reference. Organize device groups hierarchically, with shared rules and objects at the top, and device group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that enforce how firewalls handle traffic.
See Manage Device Groups for more information.
To add a cloud device group and template stack using the Panorama console:
  1. In the Panorama console, select Panorama.
  2. In the navigation tree, select the Azure plugin.
  3. Expand the Azure plugin to display configuration options. Select Cloud NGFW to display the Cloud Device Group screen. If the Cloud NGFW option does not appear, verify that you have installed the Azure plugin successfully; select Panorama > Plugins to display the list of installed plugins.
  4. In the lower left portion of the Panorama console, click Add to create a new Cloud Device Group.
  5. In the Cloud Device Group screen:
    1. Enter a unique Name for the cloud device group.
    2. Enter a Description.
    3. Use the drop-down menu to select the Parent Device Group. By default, this value is shared.
    4. Select the Template Stack from the drop-down menu. Or, click Add to create a new one. You cannot change the template stack name after deploying the Cloud NGFW.
    5. Select the Panorama IP address used by the deployment. The drop-down menu allows you to select either the private or public IP address.
    6. Optionally select the Panorama HA Peer IP address.
    7. Optionally use the drop-down menu to select the Collector Group.
    8. Provide the PIN ID. This value is provided by the Customer Support Portal.
      To retrieve the PIN, you need a Palo Alto Networks Customer Support Portal (CSP) account.
      The PIN ID should have an expiration of one year. This is optional if you have already registered the Cloud NGFW serial number. If it is not already registered, register your Cloud NGFW using the serial number in for the same CSP account where you registered your Panorama virtual appliance.
    9. To retrieve the PIN ID and PIN Value, log into the Customer Support Portal as a registered user.
    10. On the Customer Support Portal page, select Assets > Device Certificates.
    11. On the Device Certificate page, select Generate Registration PIN for the VM-Series firewall.
    12. Copy the newly created registration IDs, and paste them into the PIN ID and PIN Value fields in the Cloud Device Group screen.
    13. Confirm the PIN ID and PIN Value.
    14. Optionally configure Zone Mapping for the Cloud Device Group. Only 2 zones are supported: public/private.
    15. Click OK.
    16. Commit your change in the Panorama console to create the cloud device group. Next, Generate the registration string to create the Cloud NGFW resource and deploy in Azure.
      In some cases, you may experience a validation error when configuring a Cloud Device Group. To resolve this issue, ensure that the Azure Plugin for Panorama is properly installed using administrator credentials. For HA environments, install the plugin on the secondary node, then install the plugin on the primary node.

Generate the registration string to create the Cloud NGFW and deploy in Azure

After you commit the change to create the cloud device group, you can generate the registration string. This string is used to create and deploy the Cloud NGFW in Azure.
To generate the registration string and use it to create the Cloud NGFW resource:
  1. In the Panorama console, locate the Cloud Device Group you created in the previous section.
  2. In the Registration String field, click Generate.
  3. Select Copy Registration String.
    After copying the registration string, access Azure Marketplace to create a Cloud NGFW resource.
  4. In Azure Marketplace, select Cloud NGFWs.
  5. Click + Create to create a new Cloud NGFW resource.
  6. Follow the setup instructions to Create Palo Alto Networks Cloud NGFW.
    1. Configure Basic information.
    2. Configure Networking.
    3. Configure Security Policies. In the Managed by section, select Palo Alto Networks Panorama.
  7. After selecting Managed by Palo Alto Networks Panorama, the Security Policies page changes to include the Panorama Registration String field. Enter the registration string you copied in Step 3 above.
  8. Continue creating the Cloud NGFW resource by specifying information for DNS Proxy, Tags, and Terms. Review your configuration, then click Create.
    Creating a Cloud NGFW resource may take approximately 10-15 minutes.
    The Panorama console is now linked to the Cloud NGFW resource.