Link the Cloud NGFW to Palo Alto Networks Management
Link Cloud NGFW to Panorama
Create a Cloud Device Group
After preparing your environment for integration, you can link your Cloud NGFW to
the Panorama virtual appliance and start using policy management. You start by
creating a Cloud Device Group.
With Panorama, you group firewalls in your network into logical units called
device groups. A device group enables grouping based on
network segmentation, geographic location, organizational function, or any other
common aspect of firewalls requiring similar policy configurations.
Using device groups, you can configure policy rules and the objects they
reference. Organize device groups hierarchically, with shared rules and objects
at the top, and device group-specific rules and objects at subsequent levels.
This enables you to create a hierarchy of rules that enforce how firewalls
handle traffic.
See Manage Device Groups for more
information.
To add a cloud device group and template stack using the Panorama console:
- In the Panorama console, select Panorama.
- In the navigation tree, select the Azure plugin.
- Expand the Azure plugin to display configuration options. Select Cloud NGFW to display the Cloud Device Group screen. If the Cloud NGFW option does not appear, verify that you have installed the Azure plugin successfully; select Panorama > Plugins to display the list of installed plugins.
- In the lower left portion of the Panorama console, click Add to create a new Cloud Device Group.
- In the Cloud Device Group screen:
  - Enter a unique Name for the cloud device group.
  - Enter a Description.
  - Use the drop-down menu to select the Parent Device Group. By default, this value is shared.
  - Select the Template Stack from the drop-down menu, or click Add to create a new one. You cannot change the template stack name after deploying the Cloud NGFW.
  - Select the Panorama IP address used by the deployment. The drop-down menu allows you to select either the private or public IP address.
  - Optionally select the Panorama HA Peer IP address.
  - Optionally use the drop-down menu to select the Collector Group.
  - Provide the PIN ID. This value is provided by the Customer Support Portal. To retrieve the PIN, you need a Palo Alto Networks Customer Support Portal (CSP) account. The PIN ID should have an expiration of one year. This is optional if you have already registered the Cloud NGFW serial number. If it is not already registered, register your Cloud NGFW using the serial number in for the same CSP account where you registered your Panorama virtual appliance.
    - To retrieve the PIN ID and PIN Value, log into the Customer Support Portal as a registered user.
    - On the Customer Support Portal page, select Assets > Device Certificates.
    - On the Device Certificate page, select Generate Registration PIN for the VM-Series firewall.
    - Copy the newly created registration IDs and paste them into the PIN ID and PIN Value fields in the Cloud Device Group screen.
  - Confirm the PIN ID and PIN Value.
  - Optionally configure Zone Mapping for the Cloud Device Group. Only 2 zones are supported: public/private.
  - Click OK.
- Commit your change in the Panorama console to create the cloud device group. Next, generate the registration string to create the Cloud NGFW resource and deploy it in Azure.
  In some cases, you may experience a validation error when configuring a Cloud Device Group. To resolve this issue, ensure that the Azure Plugin for Panorama is properly installed using administrator credentials. For HA environments, install the plugin on the secondary node, then install the plugin on the primary node.
Generate the registration string to create the Cloud NGFW and deploy in Azure
After you commit the change to create the cloud device group, you can generate
the registration string. This string is used to create and deploy the Cloud NGFW
in Azure.
To generate the registration string and create the Cloud NGFW resource:
- In the Panorama console, locate the Cloud Device Group you created in the previous section.
- In the Registration String field, click Generate.
- Select Copy Registration String. After copying the registration string, access Azure Marketplace to create a Cloud NGFW resource.
- In Azure Marketplace, select Cloud NGFWs.
- Click + Create to create a new Cloud NGFW resource.
- Follow the setup instructions to Create Palo Alto Networks Cloud NGFW.
- Configure Basic information.
- Configure Networking.
- Configure Security Policies. In the Managed by section, select Palo Alto Networks Panorama.
- After selecting Managed by Palo Alto Networks Panorama, the Security Policies page changes to include the Panorama Registration String field. Enter the registration string you copied in Step 3 above.
- Continue creating the Cloud NGFW resource by specifying information for DNS Proxy, Tags, and Terms. Review your configuration, then click Create. Creating a Cloud NGFW resource may take approximately 10-15 minutes. The Panorama console is now linked to the Cloud NGFW resource.