Strata Cloud Manager Policy Management
Link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management.
You can link your Cloud NGFW resource with Strata Cloud Manager (SCM) for policy management. Strata
Cloud Manager provides unified management for your entire network security
deployment, which allows you to easily manage your Palo Alto Networks security
infrastructure from a single, streamlined user interface. With this interface you
gain comprehensive visibility into users, branch sites, applications, and threats
across all network security enforcement points. This functionality provides
actionable insights, better security, and easy troubleshooting and problem
resolution.
When using SCM for Cloud NGFW policy management, consider the following:
- When first connecting to SCM, Cloud NGFW resources (for example, the resource ID) may fail to display. These resources will appear after a few moments if there are no underlying connection issues.
- Best practices for Cloud NGFW SCM policy management differ from those for Panorama policy management of your Cloud NGFW resource. For example, some pass-through traffic in a Panorama-managed environment may be dropped in an SCM-managed Cloud NGFW resource.
- X-forwarded functionality is not supported with SCM policy management for your Cloud NGFW resource.
- Cloud certificate is not supported.
- DLP is not supported.
- When configuring security rules for your SCM-managed Cloud NGFW resource, you must specify ANY for the security rule. However, the from/to zone appears as the data zone in the Strata Logging Service.
Link Your Cloud NGFW Resource with Strata Cloud Manager Policy Management
To integrate your Cloud NGFW resource with Strata Cloud Manager Policy
Management:
- Log in to the Cloud NGFW console.
- Select Integrations.
- In the Policy Manager screen, click Add Policy Manager.
- In the Add Policy Manager section, select Strata Cloud Manager for the Manage Type.
- Enter a descriptive name.
- Use the drop-down menu to select the SCM Tenant you want to associate with the resource. The Customer Support Portal (CSP) account must be the same for both SCM and CNGFW.
- Click Save. This links your Cloud NGFW resource to the SCM tenant. After saving the configuration, the Integrations page is updated to reflect the new policy management paradigm, along with the associated Link ID and SCM Serial Number/Tenant Name. To view information about an individual linked SCM tenant, click the Link ID in the Policy Manager screen. You can use the Edit Policy Management screen to change the Link Name and view information.
Associate a Firewall with Strata Cloud Manager Policy Management
After you establish a link to Strata Cloud Manager Policy Management, you can associate a
new firewall with the linked SCM tenant:
- Log in to the Cloud NGFW console.
- Select NGFWs.
- Click Create Firewall.
- In the Create Firewall screen, enter a name for the firewall.
- Optionally include a description.
- In the Policy Management section, select Strata Cloud Manager.
- In the Policy Manager drop-down menu, select the linked SCM tenant you want to associate with the firewall.
- Configure Endpoint Management to secure traffic in multiple AWS availability zones.
- Determine if you want Cloud NGFW to create endpoints automatically on your VPC subnets. Select Yes for service-managed endpoints. By default, the Cloud NGFW resource does not automatically create these endpoints; the radio button is set to No.
- Use the drop-down to select the AWS Account ID.
- Use the drop-down to select the VPC.
- Use the Subnet field to select an available subnet.
- Click Save.
The NGFW screen changes to reflect the newly created firewall. It takes approximately 6-10 minutes to complete the process of creating a new firewall; the Status indicates CREATING. Click the NGFW Name to display detailed information about the firewall. Note that limited information is displayed while the firewall is being created.
View the Firewall in Strata Cloud Manager
After you have linked your Cloud NGFW resource to an SCM tenant and have created a
firewall, you can use SCM for policy management.
When you log into Strata Cloud Manager, the dashboard fails to display the Cloud NGFW count under NGFW > Software.
- Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
- In the Strata Cloud Manager interface, locate your Cloud NGFW tenant using the left-hand navigation option. This exposes the available tenants that are linked to your Cloud NGFW resource; you can alternately search for the tenant using the tenant name or id.
- Select Workflows > NGFW Setup > Device Management.
- The Device Management screen displays the NGFWs and Cloud NGFWs. Click Cloud NGFWs to display the firewalls associated with the SCM tenant. The Device Management screen displays the Cloud NGFW resources that are currently managed by SCM, with the following fields:
- Name. Represents the name of the Cloud NGFW resource.
- Resource ID. Indicates the resource ID associated with the NGFW resource.
- CNGFW Tenant ID. The ID associated with the Cloud NGFW tenant that is linked to SCM.
- CNGFW Tenant Serial Number. The serial number associated with the Cloud NGFW tenant.
- Labels. An arbitrary label assigned to the Cloud NGFW.
- Cloud Provider. Indicates the cloud provider associated with the Cloud NGFW resource.
- Region/Location. The region in which the Cloud NGFW resource is located.
- Config Sync Status. The configuration synchronization status of the Cloud NGFW resource.
- The Device Management screen groups your Cloud NGFW resources into folders. To view the structure of these folders, select Workflows > Folder Management. The Folder Management screen displays the Cloud NGFW resources associated with the SCM tenant. For information about creating folders, see Create a Folder for Your Cloud NGFW Resource Using Strata Cloud Manager.
Use Strata Cloud Manager for Cloud NGFW Policy Management
You can use Strata Cloud Manager to globally apply security policies to the Cloud
NGFW resources comprising a folder.
- In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
- Select Configuration Scope.
- In the drop-down list, locate the folder containing the Cloud NGFW AWS resources.
- In the Overview page, select Security Services.
- In the Security Services drop-down list, select Security Policy. For more information about configuring Security Policy using Strata Cloud Manager, see Manage Security Policy.
Create a Folder for Your Cloud NGFW Resource Using Strata Cloud Manager
After configuring the appropriate subscription to use the Strata Cloud Manager
service for your Cloud NGFW resource, you create a folder to view data
associated with your firewall. Folders are used to logically group your
firewalls or deployment types (for example, a service connection for your Cloud
NGFW resource) for simplified configuration management. You can create a folder
that contains multiple nested folders to group firewalls and deployments that
require similar configurations. Folders that are already nested can
have multiple nested folders as well.
Folders for other Palo Alto Networks applications, like
Prisma Access, and your NGFWs are separate; you can't group NGFWs in a folder
with Prisma Access deployments. However, you can easily apply shared settings
globally across all folders or use Manage: Snippets to easily apply
standard settings and policy requirements across multiple folders.
To create a folder for your Cloud NGFW resource:
- Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
- In the Strata Cloud Manager interface, select Workflows > NGFW Setup > Folder Management and click Add Folder.
- In the Create Folder screen:
- Enter a descriptive name for the folder.
- Optionally provide a description for the folder.
- Optionally assign one or more labels. You can select an existing label or create a new label by typing the label you want to create. For example, use the Labels drop-down to select cngfw.
- Specify where to create the folder using the drop-down menu. You can select All Firewalls, or select an existing folder to nest the new folder under it. This is a required field.
- ClickCreate.
Monitor and Troubleshoot using Strata Cloud Manager
You can use Strata Cloud Manager to learn about the status of your Cloud NGFW
resource. Use the Monitor functionality provided by SCM to learn about:
- Products and subscriptions you're managing with Strata Cloud Manager.
- The health and connectivity status of your Cloud NGFW devices.
For more information, see Monitor in Strata Cloud Manager.
To use Strata Cloud Manager to monitor your Cloud NGFW resource:
- Log in to the Strata Cloud Manager app from the Palo Alto Networks hub directly at stratacloudmanager.paloaltonetworks.com.
- In the interface, select Monitor.