Link the Cloud NGFW to Palo Alto Networks Management

Link Cloud NGFW to Panorama

Create a Cloud Device Group

After preparing your environment for integration, you can link your Cloud NGFW to the Panorama virtual appliance and start using policy management. You start by creating a Cloud Device Group.
With Panorama, you group firewalls in your network into logical units called device groups. A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls requiring similar policy configurations.
Using device groups, you can configure policy rules and the objects they reference. Organize device groups hierarchically, with shared rules and objects at the top, and device group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that enforce how firewalls handle traffic.
See Manage Device Groups for more information.
To add a cloud device group and template stack using the Panorama console:
  1. In the Panorama console, select Panorama.
  2. In the navigation tree, select the Azure plugin.
  3. Expand the Azure plugin to display configuration options. Select Cloud NGFW to display the Cloud Device Group screen. If the Cloud NGFW option does not appear, verify that you have installed the Azure plugin successfully; select Panorama > Plugins to display the list of installed plugins.
  4. In the lower left portion of the Panorama console, click Add to create a new Cloud Device Group.
  5. In the Cloud Device Group screen:
    1. Enter a unique Name for the cloud device group.
    2. Enter a Description.
    3. Use the drop-down menu to select the Parent Device Group. By default, this value is shared.
    4. Select the Template Stack from the drop-down menu, or click Add to create a new one. You cannot change the template stack name after deploying the Cloud NGFW.
    5. Select the Panorama IP address used by the deployment. The drop-down menu allows you to select either the private or public IP address.
    6. Optionally select the Panorama HA Peer IP address.
    7. Optionally use the drop-down menu to select the Collector Group.
    8. Provide the PIN ID. This value is provided by the Customer Support Portal.
      To retrieve the PIN, you need a Palo Alto Networks Customer Support Portal (CSP) account.
      The PIN ID should have an expiration of one year. This is optional if you have already registered the Cloud NGFW serial number. If it is not already registered, register your Cloud NGFW using the serial number in the same CSP account where you registered your Panorama virtual appliance.
    9. To retrieve the PIN ID and PIN Value, log into the Customer Support Portal as a registered user.
    10. On the Customer Support Portal page, select Assets > Device Certificates.
    11. On the Device Certificate page, select Generate Registration PIN for the VM-Series firewall.
    12. Copy the newly created registration IDs and paste them into the PIN ID and PIN Value fields in the Cloud Device Group screen.
    13. Confirm the PIN ID and PIN Value.
    14. Optionally configure Zone Mapping for the Cloud Device Group. Only 2 zones are supported: public and private.
    15. Click OK.
    16. Commit your change in the Panorama console to create the cloud device group. Next, generate the registration string to create the Cloud NGFW resource and deploy in Azure.
      In some cases, you may experience a validation error when configuring a Cloud Device Group. To resolve this issue, ensure that the Azure Plugin for Panorama is properly installed using administrator credentials. For HA environments, install the plugin on the secondary node, then install the plugin on the primary node.

Generate the registration string to create the Cloud NGFW and deploy in Azure

After you commit the change to create the cloud device group, you can generate the registration string. This string is used to create and deploy the Cloud NGFW in Azure.
To generate the registration string and deploy the Cloud NGFW:
  1. In the Panorama console, locate the Cloud Device Group you created in the previous section.
  2. In the Registration String field, click Generate.
  3. Select Copy Registration String.
    After copying the registration string, access Azure Marketplace to create a Cloud NGFW resource.
  4. In Azure Marketplace, select Cloud NGFWs.
  5. Click + Create to create a new Cloud NGFW resource.
  6. Follow the setup instructions to Create Palo Alto Networks Cloud NGFW.
    1. Configure Basic information.
    2. Configure Networking.
    3. Configure Security Policies. In the Managed by section, select Palo Alto Networks Panorama.
  7. After selecting Managed by Palo Alto Networks Panorama, the Security Policies page changes to include the Panorama Registration String field. Enter the registration string you copied in Step 3 above.
  8. Continue creating the Cloud NGFW resource by specifying information for DNS Proxy, Tags, and Terms. Review your configuration, then click Create.
    Creating a Cloud NGFW resource may take approximately 10-15 minutes.
    The Panorama console is now linked to the Cloud NGFW resource.
