Panorama Integration Prerequisites

Cloud NGFW Panorama Prerequisites
To integrate the Cloud NGFW service with your Panorama virtual appliance:
  • Setup Panorama.
    • Deploy Panorama running software version 10.2, 11.0, or 11.1.
      By default, Azure automatically selects Panorama version 11.2. This version is not yet supported by Cloud NGFW for Azure.
    • Ensure you have a registered Panorama with licenses that provide enough capacity for your Cloud NGFW for Azure deployment, activated using the support license on the Customer Support Portal (CSP).
      You must install the device certificate on the Panorama management server so that Panorama can authenticate to the Palo Alto Networks Customer Support Portal (CSP) and use one or more cloud services.
    • Ensure you are a member of the Palo Alto Networks Customer Support Portal (CSP) account where your Organization has registered the Panorama appliance.
      The email used to register with the CSP account should be used for the Cloud NGFW and Panorama integration. If this email differs, you will not be able to configure Cloud NGFW and integrate with Panorama.
  • Install the Azure plugin version 5.1.2.
  • Ensure you have a Panorama Administrator role on your Panorama.
  • Ensure that your network allows traffic to the following ports on your Panorama virtual appliance, so that Cloud NGFW and Panorama can communicate: 3978, 28443, 28270.

Connectivity Scenarios

In addition to the items listed above, you must also consider how your Cloud NGFW resources connect to Panorama. To manage Cloud NGFW policy using Panorama, Panorama must have connectivity with your VNet. However, depending on your network topology, connectivity between Panorama and your VNet is enabled differently.
  • Private Network Access with Panorama Private IP—you can deploy Panorama directly in your hub VNet private subnet or in another VNet peered with the Cloud NGFW VNet.
    When deployed directly in your hub VNet private subnet, Panorama connects directly with your Cloud NGFW resources because they are in the same subnet. When you deploy Panorama in a VNet peered with the private subnet of the hub VNet associated with Cloud NGFW, VNet peering enables the Cloud NGFW resource to reach the Panorama private IP address.
  • On-Prem Panorama Access via VPN—if your Panorama instance is deployed on-premises, Cloud NGFW resources can reach Panorama's private IP address through a VPN. Additionally, this scenario supports VNet peering.
    In this scenario, Panorama is deployed in your on-premises network and uses a VPN gateway connection directly to the Cloud NGFW hub VNet or to a hub VNet peered with the Cloud NGFW hub VNet. In each case, the hub VNet must have a route that points to the VPN tunnel with Panorama's private IP address as the destination. See Configure VPN gateway transit for virtual network peering for more information about configuring this setup.
  • Panorama Public IP Access via the internet—if there is no VNet peering, VPN, or VWAN connectivity between Panorama and your Cloud NGFW hub VNet, your Cloud NGFW resources can connect to Panorama's public IP address over the internet. To allow this connectivity, you must create a Network Security Group rule in Azure that allows inbound traffic from the Cloud NGFW public IP address to the ports used by Panorama.
  • Access Panorama from Anywhere (VWAN)—Cloud NGFW for Azure is deployed as a managed SaaS service in the Azure VWAN, so it is able to secure all traffic going through the VWAN hub. Your Cloud NGFW resources can connect to the private IP address of a Panorama instance deployed at any location connected to your VWAN hub.
    If your Azure VWAN deployment has a Network Security Group for east-west traffic, you must create a Network Security Group rule allowing inbound traffic from the Cloud NGFW resource private IP address to the Panorama private IP address.
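The port prerequisite above and the Network Security Group rules required in the public-IP and VWAN scenarios are easy to get wrong when an existing, higher-priority deny rule shadows the allow rule. The following script is an added example, not Palo Alto Networks or Microsoft code. It models Azure NSG evaluation as the Azure documentation describes it (rules evaluated in ascending priority order, first match wins, DenyAllInBound as the fallback), audits a rule set for the three Panorama ports from the Cloud NGFW address, and builds the narrowest allow rule that satisfies the prerequisite. The rule names, the IP addresses, the sample rule set, and the assumption that the three ports are TCP are all constructed for the example; service tags such as VirtualNetwork are not resolved and are treated as non-matching.

```python
"""Audit an Azure NSG rule set for the inbound ports Panorama needs from Cloud NGFW.

Added example (not vendor code). Rule dicts follow the shape of ARM
`securityRules` properties; only the fields used for matching are read.
"""
import ipaddress

# Ports the prerequisites page lists for Cloud NGFW -> Panorama communication.
PANORAMA_PORTS = (3978, 28443, 28270)


def _port_match(spec, port):
    """spec is '*', '3978', '28000-29000', or a list of such strings."""
    if isinstance(spec, (list, tuple)):
        return any(_port_match(s, port) for s in spec)
    spec = str(spec)
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _addr_match(spec, addr):
    """spec is '*', an IP, a CIDR, or a list of such. Service tags (e.g.
    'VirtualNetwork', 'Internet') are NOT resolved here (assumption): they
    never match, which keeps the audit conservative."""
    if isinstance(spec, (list, tuple)):
        return any(_addr_match(s, addr) for s in spec)
    spec = str(spec)
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # service tag or malformed prefix


def _proto_match(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(rules, src, dst, port, proto="Tcp"):
    """Return (access, rule_name) for the first matching inbound rule in
    ascending priority order, or ('Deny', 'DenyAllInBound') if none matches."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r.get("direction", "Inbound") != "Inbound":
            continue
        ports = r.get("destinationPortRanges") or r.get("destinationPortRange", "*")
        if (_proto_match(r["protocol"], proto)
                and _addr_match(r["sourceAddressPrefix"], src)
                and _addr_match(r["destinationAddressPrefix"], dst)
                and _port_match(ports, port)):
            return r["access"], r["name"]
    return "Deny", "DenyAllInBound"


def audit_panorama_access(rules, cloud_ngfw_ip, panorama_ip):
    """Map each required port to the (access, rule) that decides it, and list
    the ports Cloud NGFW would be unable to reach."""
    results = {p: evaluate(rules, cloud_ngfw_ip, panorama_ip, p) for p in PANORAMA_PORTS}
    blocked = [p for p, (access, _) in results.items() if access != "Allow"]
    return results, blocked


def panorama_allow_rule(cloud_ngfw_ip, panorama_ip, priority=100):
    """Least-privilege allow rule: one source, one destination, only the
    Panorama ports. Rule name is a constructed placeholder."""
    return {
        "name": "Allow-CloudNGFW-to-Panorama",
        "priority": priority,
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "Tcp",
        "sourceAddressPrefix": f"{cloud_ngfw_ip}/32",
        "sourcePortRange": "*",
        "destinationAddressPrefix": f"{panorama_ip}/32",
        "destinationPortRanges": [str(p) for p in PANORAMA_PORTS],
    }


# Constructed sample: a broad management deny at priority 110 shadows the
# intended allow at priority 120 for two of the three Panorama ports.
SAMPLE_RULES = [
    {"name": "Deny-Mgmt-From-Anywhere", "priority": 110, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "sourcePortRange": "*", "destinationAddressPrefix": "10.0.1.4/32",
     "destinationPortRanges": ["22", "443", "28000-29000"]},
    {"name": "Allow-CloudNGFW-Partial", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32",
     "sourcePortRange": "*", "destinationAddressPrefix": "10.0.1.4/32",
     "destinationPortRanges": ["3978", "28443", "28270"]},
]

if __name__ == "__main__":
    results, blocked = audit_panorama_access(SAMPLE_RULES, "203.0.113.10", "10.0.1.4")
    for port, (access, rule) in results.items():
        print(f"port {port}: {access} by {rule}")
    print("blocked:", blocked)
    fixed = SAMPLE_RULES + [panorama_allow_rule("203.0.113.10", "10.0.1.4")]
    print("blocked after fix:", audit_panorama_access(fixed, "203.0.113.10", "10.0.1.4")[1])
```

Run against the sample, the audit reports 28443 and 28270 as denied by the shadowing rule while 3978 is allowed; adding the generated rule at a lower priority number clears the list. Because the matcher treats service tags as non-matching, a rule set that relies on the VirtualNetwork tag (the VWAN east-west case) will show as blocked until you substitute the actual Cloud NGFW private prefix, which is the safer failure direction for an audit.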