Cloud NGFW for AWS
    : Prepare for Panorama Integration
    Focus
    Download PDF
    Focus
    1. Home
    2. AWS
    3. Cloud NGFW for AWS
    4. Panorama Policy Management
    5. Integrating Panorama
    6. Prepare for Panorama Integration
    Download PDF

    Cloud NGFW for AWS

    Prepare for Panorama Integration

    Table of Contents

    Prepare for Panorama Integration

    Prepare for Cloud NGFW and Panorama integration.
    To integrate the Cloud NGFW service with your Panorama virtual appliance:
    • Ensure you have a registered Panorama installed with licenses, activated using the support license on the Customer Support Portal (CSP), and using the software version 10.2.3 (or higher).
      You must install the device certificate on the Panorama management server to successfully authenticate Panorama with the Palo Alto Networks Customer Support Portal (CSP) and leverage one or more cloud service.
    • If you choose to use Palo Alto Log Management, ensure you configure Panorama for Strata Logging Service .
    • Ensure you have subscribed to Cloud NGFW successfully to have a Cloud NGFW tenant. You must use the Cloud NGFW subscription to successfully integrate with Panorama.
    • Ensure you have a tenant administrator role in your Cloud NGFW tenant.
    • Ensure you have a Panorama Administrator role on your Panorama.
    • Ensure you are a member of the Palo Alto Networks Customer Support Portal (CSP) account where your Organization has registered the Panorama appliance.
      The email used to register with the CSP account should be used for the Cloud NGFW tenant subscription. If this email differs, you will not be able to configure Cloud NGFW and integrate with Panorama.
    • Allow access to the domain https://storage.googleapis.com. This domain is used to access the AIOps for the Cloud NGFW application, regardless of your geographic location.

    Additional requirements

    To prepare Panorama to link to Cloud NGFW:
    • Install the Cloud Connector plugin version 2.0.1 or later
      PAN-OS version 11.1.x is pre-packaged with a Cloud Connector plugin (version 2.1.0-c98). This plugin version causes management problems for the Cloud NGFW resource that is linked to PAN-OS version 11.1.x. If you are using PAN-OS version 11.1.x Palo Alto Networks recommends that you downgrade the Cloud Connector plugin to version 2.0.1.
    • Install the AWS plugin version 5.1.1 or later.
    • After installing the Cloud Connector and AWS plugins, use the Panorama CLI to run the command request plugins cloudconnector enable cloudngfw.
    • View installed plugins in Panorama using the Dashboard.
    • Use the Panorama CLI to view the status of a Panorama plugin. For example, show plugins aws cngfw-status. 
      show plugins aws cngfw-status

CloudConnector plugin is enabled. Cloud NGFW functionality is enabled.

    Important considerations

    The AWS plugin requires that you commit a configuration change to initiate Cloud NGFW functionality with Panorama. This commit is not required if you are upgrading the AWS plugin.
    In Panorama HA deployments, pushing a configuration change (for example, making a change to a Cloud Device Group) may cause the Panorama virtual appliance to hang. An error message similar to Push cannot be processed, config upload not complete. Please try again later. To resolve this issue, use commit-force, then use commit-all.

    © 2024 Palo Alto Networks, Inc. All rights reserved.