topic Re: Panorama management for Cloud NGFW in Cloud NGFW for Azure Discussions

Panorama management for Cloud NGFW

santonic — Wed, 25 Oct 2023 08:35:14 GMT

We are deploying Cloud NGFW in Azure and want to manage it from Panorama. We have decided for Cloud NGFW in a vWAN option. We followed all the instructions and there weren't any issues. But we can't seem to push policy from Panorama to Cloud NGFW.

How can we verify the status of integration between Panorama and Cloud NGFW? As Panorama is in Azure as well and Cloud NGFW deployed as a vWAN there shouldn't be any communication issues between them.

If we select Commit and Push option, the Commit and Push button is unavailable. If we select Push to Devices and Edit Selections we don't have any DG to choose.

What should be the status in Azure plugin under Cloud NGFW?

Re: Panorama management for Cloud NGFW

TilRando — Wed, 25 Oct 2023 15:49:33 GMT

Are you running the recommended panorama version for cloud ngfw and have the appropriate azure plugin version 5.1.0?

The prereq's are listed here: https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/panorama-policy-management/cngfw-panorama-integration-azure-prerequisites

You need to create a "Cloud Device Group" within the Azure Plugin under "Cloud NGFW" and that group will require keys from your CSP and panorama ip's that are reachable by your Palo Azure Cloud NGFW, you can find that process here https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/panorama-policy-management/link-cngfw-to-panorama.

once all that's done use the generate a registration key from the "Cloud Device Group" under "Cloud NGFW" in the azure plugin

and use that key during the provisioning of the service in azure. I have not done this post deployment so I'm not sure of the process of post panorama integration.

Depending on how you connect to your managed firewalls be sure to allow the external source nat if public or internal ip block as the address are dynamic i believe.

If all works well then you should see the cngfw's connected under the cloud device group in panorama -> "managed devices" -> summary.

Re: Panorama management for Cloud NGFW

santonic — Thu, 26 Oct 2023 06:10:22 GMT

Yes, I have followed the instructions and have the recommended version of the plugin. The Cloud NGFW instance was provisioned with a registration key from Panorama and there were no issues during any part of the process. We even went through this process twice.

But I don't see any connected devices, I have nothing to select to when trying to push config to devices (Panorama will manage only this cloud NGFW for start). And under Cloud NGFW in Azure plugin I have nothing under "Associated Cloud NGFW Resources"

Re: Panorama management for Cloud NGFW

santonic — Thu, 02 Nov 2023 11:49:21 GMT

In the end it turned out it was just a connectivity issue; I got confirmation from customer that VNET with Panorama wasn't connected to the HUB where Cloud NGFW was deployed. Later they connected it and everything seems to work now.

However I now see 2 connected devices (VMs). Is it normal that a single deployment of Cloud NGFW shows as 2 VMs? The other explanation might be that we re-deployed Cloud NGFW again under same name and with same DG and template names. But the old deployment is now removed from Azure and I still see both VMs as connected.

Re: Panorama management for Cloud NGFW

TilRando — Thu, 02 Nov 2023 16:05:00 GMT

Glad you got it sorted and it was something as simple as connectivity. I had four on intialisation of the service but one disconnected as i think the service spins three up by default but as i understand it if any disconnect they will be removed after three days. I had a connectivity issue as well and i beleive that's why i had an addtional firewall over the standard three.

Re: Panorama management for Cloud NGFW

santonic — Fri, 03 Nov 2023 07:45:57 GMT

Ty for the info.

Well I only have 2, not 3. But both connected so I guess everything is in order. And I guess more will spin up as needed based on throughput needed.

Re: Panorama management for Cloud NGFW

MADHANKUMARRANGASAMY — Fri, 23 Feb 2024 06:07:23 GMT

Hi, This is useful for me as well. However I have one problem. Recently one of the VM instance went down. After logging a call with PA TAC , the TAC engineers rebooted the instance on the Azure side and now I am able to see the instance as connected. However I am unable to add the VM instance in to the Device group. If I am trying to push any policy, it is showing only the two instances under the selected device group. Any help to add the one instance in to the existing DG?. If I push the configuration only to the two VM Instances what will be happen?. this will impact the traffic flow?.

Thanks & Regards

Madhankumar.

Re: Panorama management for Cloud NGFW

santonic — Mon, 26 Feb 2024 11:27:33 GMT

I think this is PA (or TAC) responsibility. In this scenario you are just consuming their Cloud NGFW service. All the work under the hood should be handled by PA. Especially as this is managed via Panorama plugin and not as usual VM instance.