Panorama Integration Prerequisites
Cloud NGFW Panorama Prerequisites.
To integrate the Cloud NGFW service with your Panorama virtual appliance:
- Set up Panorama.
  - Deploy Panorama running software version 10.2, 11.0, or 11.1. By default, Azure automatically selects Panorama version 11.2. This version is not yet supported by Cloud NGFW for Azure.
  - Ensure you have a registered Panorama with licenses installed that have the necessary capacity to support your Cloud NGFW for Azure deployment, activated using the support license on the Customer Support Portal (CSP). You must install the device certificate on the Panorama management server to successfully authenticate Panorama with the Palo Alto Networks Customer Support Portal (CSP) and leverage one or more cloud services.
  - Ensure you are a member of the Palo Alto Networks Customer Support Portal (CSP) account where your organization has registered the Panorama appliance. The email used to register with the CSP account should be used for the Cloud NGFW and Panorama integration. If this email differs, you will not be able to configure Cloud NGFW and integrate with Panorama.
- Install the Azure plugin version 5.1.2.
- Ensure you have a Panorama Administrator role on your Panorama.
- Ensure that your network allows traffic targeting the following ports on your Panorama virtual appliance so that Cloud NGFW and Panorama can communicate: 3978, 28443, 28270.
Connectivity Scenarios
In addition to the items listed above, you must also consider how your Cloud NGFW
resources connect to Panorama. To manage Cloud NGFW policy using Panorama, Panorama
must have connectivity with your VNet. However, depending on your network topology,
connectivity between Panorama and your VNet is enabled differently.
- Private Network Access with Panorama Private IP—you can deploy Panorama directly in your hub VNet private subnet or in another VNet peered with the Cloud NGFW VNet. When deployed directly in your hub VNet private subnet, Panorama connects directly with your Cloud NGFW resources because they are in the same subnet. When you deploy Panorama in a VNet peered with the private subnet of the hub VNet associated with Cloud NGFW, VNet peering enables the Cloud NGFW resource to reach the Panorama private IP address.
- On-Prem Panorama Access via VPN—if your Panorama instance is deployed on-premises, Cloud NGFW resources can reach Panorama's private IP address through a VPN. Additionally, this scenario supports VNet peering. In this scenario, Panorama is deployed in your on-premises network and uses a VPN gateway connection directly to the Cloud NGFW hub VNet or to a hub VNet peered with the Cloud NGFW hub VNet. In each case, the hub VNet must have a route that points to the VPN tunnel with Panorama's private IP address as the destination. See Configure VPN gateway transit for virtual network peering for more information about configuring this setup.
- Panorama Public IP Access via the internet—if there is no VNet peering, VPN, or VWAN connectivity between Panorama and your Cloud NGFW hub VNet, your Cloud NGFW resources can connect to Panorama's public IP address over the internet. To allow this connectivity, you must create a Network Security Group rule in Azure to allow inbound traffic from the Cloud NGFW public IP address to Panorama on the ports used by Panorama.
- Access Panorama from Anywhere (VWAN)—Cloud NGFW for Azure is deployed as
a managed SaaS service in the Azure VWAN, so it is able to secure all traffic
going through the VWAN hub. Your Cloud NGFW resources can connect to the private
IP address of a Panorama instance deployed at any location connected to your
VWAN hub. If your Azure VWAN deployment has a Network Security Group for east-west traffic, you must create a Network Security Group rule allowing inbound traffic from the Cloud NGFW resource private IP address to the Panorama private IP address.
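The following added example (not part of the Palo Alto Networks documentation) audits a Network Security Group export to confirm that the three Panorama ports listed above are reachable from the Cloud NGFW address and are not opened to broader sources. The function names, the sample rules and the address 203.0.113.10 are constructed for illustration; rule protocol and destination address are not evaluated.

```python
import ipaddress

PANORAMA_PORTS = (3978, 28443, 28270)  # the three ports listed on this page

def _vals(rule, one, many):
    """Merge the singular and plural forms Azure uses for a rule field."""
    return list(rule.get(many) or []) + ([rule[one]] if rule.get(one) else [])

def _sources(rule):
    return _vals(rule, "sourceAddressPrefix", "sourceAddressPrefixes")

def _port_match(rule, port):
    for r in _vals(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = ("0-65535" if r == "*" else r).partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _src_match(prefix, ip):
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags are not evaluated here

def audit(rules, ngfw_ip):
    """Return {port: 'ok' | 'overexposed' | 'blocked'} for the Panorama NSG."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])  # lowest number is evaluated first
    exact = {ngfw_ip, ngfw_ip + "/32"}
    verdicts = {}
    for port in PANORAMA_PORTS:
        hits = [r for r in inbound if _port_match(r, port)]
        # First rule matching the firewall's address decides; no match is treated as denied.
        first = next((r for r in hits
                      if any(_src_match(s, ngfw_ip) for s in _sources(r))), None)
        # Conservative flag: any Allow rule on this port with a source beyond the firewall IP.
        broad = any(r["access"] == "Allow" and set(_sources(r)) - exact for r in hits)
        if first is None or first["access"] != "Allow":
            verdicts[port] = "blocked"
        else:
            verdicts[port] = "overexposed" if broad else "ok"
    return verdicts

# Constructed sample shaped like `az network nsg rule list` output (documentation IPs).
SAMPLE_RULES = [
    {"name": "ngfw-to-panorama", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.10", "destinationPortRanges": ["3978", "28443"]},
    {"name": "legacy-any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "28400-28499"},
]
```

With the sample rules, port 28270 is reported as blocked because no rule covers it, and 28443 is reported as overexposed because the `legacy-any` rule admits any source on that port.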