Use Panorama for Cloud NGFW Policy Management
Manage Cloud NGFW with Panorama.
Add a Cloud Device Group
After linking your Cloud NGFW resource to the Panorama virtual appliance, you
can start using the integration for policy management tasks, such as adding
device groups and applying policy rules to the device group.
With Panorama, you group firewalls in your network into logical units called
device groups. A device group enables grouping based on network segmentation,
geographic location, organizational function, or any other common aspect of
firewalls requiring similar policy configurations.
Using device groups, you can configure policy rules and the objects they
reference. Organize device groups hierarchically, with shared rules and objects
at the top, and device group-specific rules and objects at subsequent levels.
This enables you to create a hierarchy of rules that enforce how firewalls
handle traffic.
See Manage Device Groups for more information.
To add a cloud device group using the Panorama console:
- In the Azure plugin, select Cloud NGFW. The Cloud Device Group table is empty when you first select it. Previously created cloud device groups appear if they were established for the Cloud NGFW resource using Azure.
- Click Add in the lower left corner.
- In the Cloud Device Group screen:
- Enter a unique name for the cloud device group.
- Enter a description.
- Use the drop-down to select the Parent Device Group. By default, this value is shared.
- Select the Template Stack from the drop-down, or click Add to create a new one.
- Select the Panorama IP address used by the deployment. The drop-down allows you to select either the private or public IP address.
- Optionally select the Panorama HA Peer IP address.
- Optionally use the drop-down to select the Collector Group.
- Optionally configure Zone Mapping for the Cloud Device Group. Only two zones are supported: public or private.
- Click OK.
- Commit your change in the Panorama console to create the cloud device group. Next, generate the registration string to create the Cloud NGFW resource and deploy it in Azure.
Delete a Cloud Device Group
Use the Panorama console to delete a cloud device group. You can only delete a
cloud device group if there are no firewalls attached to it.
To delete a cloud device group from a resource using the Panorama console:
- In Panorama, select Cloud Device Groups.
- Select the Cloud Device Group you want to remove.
- In the lower portion of the Panorama console, click Delete.
- Click Yes to confirm the deletion.
- Commit the change.
Apply Policy
Cloud Device Groups on Panorama allow you to centrally manage firewall policy
rules. You create policy rules on Panorama either as pre-rules or post-rules.
These rules allow you to create a layered approach for implementing policy. For
more information, see Defining Policies on Panorama.
To configure policy rules for the cloud device group in Panorama:
- Select Policies.
- In the Device Group section, use the drop-down to select the Cloud Device Group previously created. When you create a device group for Cloud NGFW, the name begins with cngfw. For example, cngfw-azure-demo.
- In the lower left portion of the console, click Add.
- In the Security Policy Rule screen, configure elements of the policy you want to apply to the device group.
- In the General tab, include a name for the policy. Optionally provide additional information.
- Source policy defines the source zone or source address from which the traffic originates. For Source Zone, click Any. You can't add a specific source zone. Continue applying Source policy rules by including the Source Address. Click Any, or use the drop-down to select an existing address, or use the options to add a new address or address group. For Source User and Source Device policy, click Any. Cloud NGFW does not support specifying specific source users or source devices.
- Destination policy defines the destination zone or destination address for the traffic. Use the drop-down to select an existing address, or use the options to add a new address or address group. The Destination policy includes fields for the zone, address, and device. For the Destination Zone, click Any. Cloud NGFW does not support adding individual destination zones. For the Destination Address, click Any, or use the drop-down to select an existing address. Click New to add a new address, address group, or region. For the Destination Device, click Any. Cloud NGFW does not support adding individual destination devices.
- Configure an Application policy to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications. In the Application screen, click Any, or specify a specific application, like SSH. Click Add to include a new application policy.
- Configure Service/URL Category policy rules for the firewall to specify a specific TCP or UDP port number or a URL category as match criteria in the policy. Specify Service level policy rules or URL Category policy rules by selecting Any, or use the drop-down options to individually select the policy elements you want to apply. Click Add to create new policy rules for Service or URL Category.
- After applying policy rules to the cloud device group for the Cloud NGFW resource, push the changes in the Panorama console. In the Push to Devices screen, click Edit Selections.
- Select the cloud device groups you want to push to the resources, and click OK, then click Push.
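The constraints in the procedure above (Source Zone, Destination Zone, Source User, Source Device and Destination Device must all be Any, and Cloud NGFW device groups carry the cngfw name prefix) are easy to violate when rules are authored in bulk or imported from another device group. The following Python script is an added example, not Palo Alto Networks code: it lints a Panorama configuration export before a push and reports every pre-rule that Cloud NGFW would not accept. The XML layout and element names it reads (device-group, pre-rulebase, from, to, source-user, source-hip, destination-hip, action) mirror the PAN-OS device-group rulebase as understood here and are assumptions; verify them against a real export from your own Panorama. The sample configuration embedded below is constructed for the demonstration.

```python
"""Pre-push lint for security rules in a Cloud NGFW for Azure device group.

Added example, not vendor code. Element names are assumptions modelled on the
PAN-OS device-group pre-rulebase; check them against a real Panorama export.
"""
import xml.etree.ElementTree as ET

# Fields the procedure above says must be "any" on Cloud NGFW for Azure.
# Keys are the assumed XML element names, values are the GUI labels.
MUST_BE_ANY = {
    "from": "Source Zone",
    "to": "Destination Zone",
    "source-user": "Source User",
    "source-hip": "Source Device",
    "destination-hip": "Destination Device",
}

# Device groups created for Cloud NGFW are named with this prefix.
CLOUD_DG_PREFIX = "cngfw"

# Constructed sample export: one compliant rule, one non-compliant rule,
# and a non-Cloud-NGFW device group that the linter should skip.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <device-group>
      <entry name="cngfw-azure-demo">
        <pre-rulebase><security><rules>
          <entry name="allow-ssh-to-mgmt">
            <from><member>any</member></from>
            <to><member>any</member></to>
            <source><member>any</member></source>
            <destination><member>mgmt-subnet</member></destination>
            <source-user><member>any</member></source-user>
            <source-hip><member>any</member></source-hip>
            <destination-hip><member>any</member></destination-hip>
            <application><member>ssh</member></application>
            <service><member>application-default</member></service>
            <category><member>any</member></category>
            <action>allow</action>
          </entry>
          <entry name="bad-zone-rule">
            <from><member>trust</member></from>
            <to><member>any</member></to>
            <source><member>any</member></source>
            <destination><member>any</member></destination>
            <source-user><member>alice</member></source-user>
            <application><member>any</member></application>
            <service><member>any</member></service>
          </entry>
        </rules></security></pre-rulebase>
      </entry>
      <entry name="branch-offices">
        <pre-rulebase><security><rules>
          <entry name="branch-rule">
            <from><member>trust</member></from>
            <action>allow</action>
          </entry>
        </rules></security></pre-rulebase>
      </entry>
    </device-group>
  </entry></devices>
</config>
"""


def members(rule, tag):
    """Return the <member> texts under rule/<tag>; a missing element counts as any."""
    node = rule.find(tag)
    if node is None:
        return ["any"]
    return [(m.text or "").strip() for m in node.findall("member")]


def lint_rule(rule):
    """Return a list of human-readable findings for one security rule <entry>."""
    findings = []
    for tag, label in MUST_BE_ANY.items():
        values = members(rule, tag)
        if values != ["any"]:
            findings.append(f"{label} must be 'any' on Cloud NGFW, got {values}")
    if not (rule.findtext("action") or "").strip():
        findings.append("rule has no action")
    return findings


def lint_config(xml_text):
    """Lint every pre-rule of each cngfw-prefixed device group.

    Returns {device_group_name: {rule_name: [findings]}}; other groups are skipped.
    """
    root = ET.fromstring(xml_text.strip())
    report = {}
    for dg in root.iter("device-group"):
        for group in dg.findall("entry"):
            name = group.get("name", "")
            if not name.startswith(CLOUD_DG_PREFIX):
                continue
            rules = group.findall("./pre-rulebase/security/rules/entry")
            report[name] = {r.get("name"): lint_rule(r) for r in rules}
    return report


def ready_to_push(xml_text):
    """True only if no Cloud NGFW rule in the export produced a finding."""
    report = lint_config(xml_text)
    return all(not f for rules in report.values() for f in rules.values())


if __name__ == "__main__":
    for group, rules in lint_config(SAMPLE_CONFIG).items():
        for rule, findings in rules.items():
            status = "OK" if not findings else "; ".join(findings)
            print(f"{group}/{rule}: {status}")
    print("ready to push:", ready_to_push(SAMPLE_CONFIG))
```

Run the linter against a configuration export saved from Panorama before pushing to the cloud device group; a rule that names a specific zone, user or device is reported with the GUI label from the procedure, so the fix is obvious in the Security Policy Rule screen.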