Use Panorama for Cloud NGFW Policy Management
Manage Cloud NGFW with Panorama.

Add a Cloud Device Group

After linking your Cloud NGFW resource to the Panorama virtual appliance you can start using the integration for policy management tasks, such as adding device groups and applying policy rules to the device group.
With Panorama, you group firewalls in your network into logical units called device groups. A device group enables grouping based on network segmentation, geographic location, organizational function, or any other common aspect of firewalls requiring similar policy configurations.
Using device groups, you can configure policy rules and the objects they reference. Organize device groups hierarchically, with shared rules and objects at the top, and device group-specific rules and objects at subsequent levels. This enables you to create a hierarchy of rules that enforce how firewalls handle traffic.
See Manage Device Groups for more information.
To add a cloud device group using the Panorama console:
  1. In the Azure plugin, select Cloud NGFW.
    The Cloud Device Group table is empty when you first select it. Previously created cloud device groups appear if they were established for the Cloud NGFW resource using Azure.
  2. Click Add in the lower left corner.
  3. In the Cloud Device Group screen:
    1. Enter a unique name for the cloud device group.
    2. Enter a description.
    3. Use the drop-down to select the Parent Device Group. By default, this value is shared.
    4. Select the Template Stack from the drop-down, or click Add to create a new one.
    5. Select the Panorama IP address used by the deployment. The drop-down allows you to select either the private or public IP address.
    6. Optionally select the Panorama HA Peer IP address.
    7. Optionally use the drop-down to select the Collector Group.
    8. Optionally configure Zone Mapping for the Cloud Device Group. Only two zones are supported: public or private.
    9. Click OK.
    10. Commit your change in the Panorama console to create the cloud device group. Next, generate the registration string to create the Cloud NGFW resource and deploy it in Azure.

Delete a Cloud Device Group

Use the Panorama console to delete a cloud device group. You can only delete a cloud device group if there are no firewalls attached to it.
To delete a cloud device group from a resource using the Panorama console:
  1. In Panorama, select Cloud Device Groups.
  2. Select the Cloud Device Group you want to remove.
  3. In the lower portion of the Panorama console, click Delete.
  4. Click Yes to confirm the deletion.
  5. Commit the change.

Apply Policy

Cloud Device Groups on Panorama allow you to centrally manage firewall policy rules. You create policy rules on Panorama either as pre-rules or post-rules. These rules allow you to create a layered approach for implementing policy. For more information, see Defining Policies on Panorama.
To configure policy rules for the cloud device group in Panorama:
  1. Select Policies.
  2. In the Device Group section, use the drop-down to select the Cloud Device Group previously created.
    When you create a device group for Cloud NGFW, the name begins with cngfw. For example, cngfw-azure-demo.
  3. In the lower left portion of the console, click Add.
  4. In the Security Policy Rule screen, configure the elements of the policy you want to apply to the device group.
    1. In the General tab, include a name for the policy. Optionally provide additional information.
    2. Source policy defines the source zone or source address from which the traffic originates. For Source Zone, click Any. You can't add a specific source zone.
      Continue applying Source policy rules by including the Source Address. Click Any, use the drop-down to select an existing address, or use the options to add a new address or address group.
      For Source User and Source Device policy, click Any. Cloud NGFW does not support specifying specific source users or source devices.
    3. Destination policy defines the destination zone or destination address for the traffic. Use the drop-down to select an existing address, or use the options to add a new address or address group. The Destination policy includes fields for the zone, address, and device.
      For the Destination Zone, click Any. Cloud NGFW does not support adding individual destination zones.
      For the Destination Address, click Any, or use the drop-down to select an existing address. Click New to add a new address, address group, or region.
      For the Destination Device, click Any. Cloud NGFW does not support adding individual destination devices.
    4. Configure an Application policy to have the policy action occur based on an application or application group. An administrator can also use an existing App-ID signature and customize it to detect proprietary applications or to detect specific attributes of an existing application. Custom applications are defined in Objects > Applications.
      In the Application screen, click Any, or specify a specific application, such as SSH. Click Add to include a new application policy.
    5. Configure Service/URL Category policy rules for the firewall to specify a specific TCP or UDP port number or a URL category as match criteria in the policy. Specify Service level policy rules or URL Category policy rules by selecting Any, or use the drop-down options to individually select the policy elements you want to apply. Click Add to create new policy rules for Service or URL Category.
  5. After applying policy rules to the cloud device group for the Cloud NGFW resource, push the changes in the Panorama console. In the Push to Devices screen, click Edit Selections.
  6. Select the cloud device groups you want to push to the resources, and click OK, then click Push.
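The procedure above states several constraints a rule must satisfy before it is pushed to a Cloud NGFW device group (Source Zone, Source User, Source Device, Destination Zone and Destination Device must all be Any; the device group name begins with cngfw), and it describes pre-rules and post-rules as layers. The following Python is an added example, not code from the Palo Alto Networks documentation or the Panorama product: a small pre-push check that encodes those stated constraints, plus a first-match walk over the two layers. The `SecurityRule` class, the literal-string matching, and the sample rules and packets are all constructed for this example; real Panorama resolves address objects, address groups, regions and service objects, which this model does not attempt.

```python
from dataclasses import dataclass

# Match fields that the procedure above says Cloud NGFW requires to stay "Any".
MUST_BE_ANY = ("source_zone", "source_user", "source_device",
               "destination_zone", "destination_device")
CNGFW_PREFIX = "cngfw"  # Cloud NGFW device group names begin with this


@dataclass
class SecurityRule:
    """A Panorama security rule reduced to the match fields the procedure walks
    through (hypothetical model). Each field is a tuple of strings; ("any",)
    mirrors clicking Any in the console."""
    name: str
    action: str  # "allow" or "deny"
    source_zone: tuple = ("any",)
    source_address: tuple = ("any",)
    source_user: tuple = ("any",)
    source_device: tuple = ("any",)
    destination_zone: tuple = ("any",)
    destination_address: tuple = ("any",)
    destination_device: tuple = ("any",)
    application: tuple = ("any",)
    service: tuple = ("any",)


def is_any(values):
    return tuple(v.lower() for v in values) == ("any",)


def validate_rule(rule, device_group):
    """Return the list of problems found; an empty list means the rule can be pushed."""
    problems = []
    if not device_group.startswith(CNGFW_PREFIX):
        problems.append(f"{device_group!r} is not a Cloud NGFW device group "
                        f"(name should begin with {CNGFW_PREFIX!r})")
    if not rule.name:
        problems.append("rule has no name (General tab)")
    if rule.action not in ("allow", "deny"):
        problems.append(f"{rule.name}: unsupported action {rule.action!r}")
    for fld in MUST_BE_ANY:
        if not is_any(getattr(rule, fld)):
            problems.append(f"{rule.name}: {fld} must be Any for Cloud NGFW, "
                            f"got {list(getattr(rule, fld))}")
    return problems


def _field_matches(rule_values, packet_value):
    # Simplified matching by literal membership (assumption); Panorama itself
    # resolves address objects, groups, regions and service objects.
    return is_any(rule_values) or packet_value in rule_values


def first_match(pre_rules, post_rules, packet):
    """Evaluate pre-rules before post-rules; the first rule whose criteria all
    match decides the verdict. Returns (layer, rule name, action) or None.
    Only the two layers named in the procedure are modelled (assumption)."""
    for layer, rules in (("pre", pre_rules), ("post", post_rules)):
        for rule in rules:
            if all(_field_matches(getattr(rule, f), packet[f])
                   for f in ("source_address", "destination_address",
                             "application", "service")):
                return layer, rule.name, rule.action
    return None


def demo():
    """Constructed sample rulebase for a device group named cngfw-azure-demo."""
    pre = [SecurityRule("deny-ssh-from-dev", "deny",
                        source_address=("dev-subnet",), application=("ssh",))]
    post = [SecurityRule("allow-web", "allow",
                         application=("web-browsing", "ssl"),
                         service=("application-default",)),
            SecurityRule("catch-all-deny", "deny")]
    # A rule that would be rejected: it names a source zone and a source user.
    bad = SecurityRule("bad-rule", "allow",
                       source_zone=("trust",), source_user=("alice",))
    report = {r.name: validate_rule(r, "cngfw-azure-demo")
              for r in pre + post + [bad]}
    base = {"destination_address": "db-subnet", "service": "application-default"}
    verdicts = {
        "ssh-from-dev": first_match(pre, post, {**base, "source_address": "dev-subnet",
                                                "application": "ssh"}),
        "web": first_match(pre, post, {**base, "source_address": "user-subnet",
                                       "application": "web-browsing"}),
        "smb": first_match(pre, post, {**base, "source_address": "dev-subnet",
                                       "application": "ms-ds-smb"}),
    }
    return report, verdicts


if __name__ == "__main__":
    for name, problems in demo()[0].items():
        print(name, "OK" if not problems else problems)
    for flow, verdict in demo()[1].items():
        print(flow, "->", verdict)
```

Running the script lists the problems found for each sample rule (only `bad-rule` fails, on its source zone and source user) and shows that the SSH flow is denied by the pre-rule, the web flow is allowed by the post-rule, and the SMB flow falls through to the trailing deny.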
