https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/cngfw-integration-with-panorama/m-p/995870#M454 <P><SPAN>To integrate the Cloud NGFW service with Panorama virtual appliance, panorama running&nbsp;software version 10.2, 11.0, or 11.1 and not greater than 11.1 as per the below KB Article.</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/panorama-policy-management/cngfw-panorama-integration-azure-prerequisites" target="_blank" rel="nofollow noopener noreferrer">Panorama Integration Prerequisites</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>However, I recently deployed VM Series Panorama running on 11.2.4-h1, which being integrated with CNGFW (azure plugin version 5.2.1) and observed 3 VMs got created with same device name &amp; with different serial numbers which are in sync mode (green) in panorama (Manage device &gt; summary) and connected with Panorama. Commit has been successful upon test rule creation. Drawback I see that unable to access CNGFW via GUI &amp; CLI.</SPAN></P> <P><SPAN>Can anyone please give your inputs or share your experience on my below queries?</SPAN></P> <P>&nbsp;</P> <P><SPAN>1. Will this integration be stable as I made setup on higher versions than palo advised?</SPAN></P> <P><SPAN>2. How can we access to CNGFW? Is GUI &amp; CLI possible instead panorama management?</SPAN></P> <P><SPAN>3. Will cost or pricing or billing applicable to 3 VMs (but I created single CNGFW in Azure marketplace)?</SPAN></P> <P><SPAN>4. Will NGFW Credits be applied to 3 VMs or 3 Serial numbers if I register with CSP support account?</SPAN></P> Sun, 01 Dec 2024 12:54:38 GMT l.ellandula 2024-12-01T12:54:38Z https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/cngfw-integration-with-panorama/m-p/995870#M454 <P><SPAN>To integrate the Cloud NGFW service with Panorama virtual appliance, panorama running&nbsp;software version 10.2, 11.0, or 11.1 and not greater than 11.1 as per the below KB Article.</SPAN></P> <P><SPAN><A href="https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/panorama-policy-management/cngfw-panorama-integration-azure-prerequisites" target="_blank" rel="nofollow noopener noreferrer">Panorama Integration Prerequisites</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>However, I recently deployed VM Series Panorama running on 11.2.4-h1, which being integrated with CNGFW (azure plugin version 5.2.1) and observed 3 VMs got created with same device name &amp; with different serial numbers which are in sync mode (green) in panorama (Manage device &gt; summary) and connected with Panorama. Commit has been successful upon test rule creation. Drawback I see that unable to access CNGFW via GUI &amp; CLI.</SPAN></P> <P><SPAN>Can anyone please give your inputs or share your experience on my below queries?</SPAN></P> <P>&nbsp;</P> <P><SPAN>1. Will this integration be stable as I made setup on higher versions than palo advised?</SPAN></P> <P><SPAN>2. How can we access to CNGFW? Is GUI &amp; CLI possible instead panorama management?</SPAN></P> <P><SPAN>3. Will cost or pricing or billing applicable to 3 VMs (but I created single CNGFW in Azure marketplace)?</SPAN></P> <P><SPAN>4. Will NGFW Credits be applied to 3 VMs or 3 Serial numbers if I register with CSP support account?</SPAN></P> Sun, 01 Dec 2024 12:54:38 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/cngfw-integration-with-panorama/m-p/995870#M454 l.ellandula 2024-12-01T12:54:38Z https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/cngfw-integration-with-panorama/m-p/1226261#M458 <P>1. Will this integration be stable as I made setup on higher versions than Palo advised?<BR />Short answer: It's not guaranteed.<BR />Explanation: Palo Alto typically certifies certain combinations of Panorama versions, Azure plugin versions, and CNGFW images for stability and support. Running Panorama 11.2.4-h1 with plugin 5.2.1 may not be an officially supported combination, especially with latest CNGFWs, so there may be bugs or unexpected behavior.<BR />Check the Compatibility Matrix on Palo's support site to verify compatibility. If not aligned, you’re in “best effort” support territory.<BR />If you're using CSP licensing or Premium Support, they may still assist, but they might ask you to downgrade to a certified version.</P> <P>2. How can we access the CNGFW? Is GUI &amp; CLI possible instead of Panorama management?<BR />Short answer: Yes, but it depends on deployment model.</P> <P>Explanation: By default, CNGFWs deployed from Azure Marketplace via templates may not expose their Mgmt interface to the internet or even internal subnets directly for security.<BR />To enable CLI/GUI access:<BR />Ensure Mgmt NIC has a public IP (if internet access is required).<BR />Add proper NSG rules or route tables to allow access (typically TCP 22 for SSH, TCP 443 for GUI).<BR />Confirm Panorama mode is not enforcing “panorama-only access” in the bootstrap config (check the init-cfg.txt or launch config).<BR />You can also create a jumpbox VM in the same subnet to access the CNGFW via private IP.<BR />CLI access (SSH) and GUI (HTTPS) are possible as long as the management interface is reachable.</P> <P>3. Will cost or pricing or billing apply to 3 VMs (but I created single CNGFW in Azure marketplace)?<BR />Short answer: Yes, Azure charges per running VM instance.</P> <P>Explanation: If 3 VMs were spun up, Azure will bill you for all 3, even if it was unintentional. This might have happened due to:<BR />HA or autoscale being enabled in the deployment template.<BR />Custom bootstrap config spinning up extra instances.</P> <P>You can check in Azure:<BR />Go to Azure Portal &gt; Resource Group where you deployed the CNGFW.<BR />Look for VMs prefixed with the same deployment name.<BR />Azure bills per VM-hour + potential extra storage/networking charges.</P> <P>4. Will NGFW Credits be applied to 3 VMs or 3 Serial Numbers if I register with CSP support account?<BR />Short answer: Yes – NGFW credits are applied per firewall instance/serial, not per deployment.</P> <P>Explanation: Each serial number represents a separate firewall instance in Palo Alto’s licensing model, so:<BR />If you see 3 serial numbers, registering them will consume 3x the credits.<BR />This is true even if they were deployed unintentionally or as part of an autoscale/HA pair.</P> <P>You can:<BR />Open a support case with Palo Alto CSP support to potentially reclaim credits for unintentional instances.<BR />Decommission unused VMs and remove serials from CSP portal.</P> <P>&nbsp;</P> <P>Suggested Actions:<BR />Verify version compatibility using Palo's Compatibility Matrix.<BR />Check Azure Resource Group for how/why 3 VMs were deployed.<BR />Use a jumpbox VM or open NSG temporarily to access CNGFW via CLI/GUI.<BR />In Panorama, compare config and logs across all 3 serials—see if any are idle or duplicates.<BR />Reach out to Palo support for help with credit disputes or deployment cleanup.</P> Thu, 10 Apr 2025 20:53:52 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-aws-discussions/cngfw-integration-with-panorama/m-p/1226261#M458 fcsexpert 2025-04-10T20:53:52Z