CNGFW integration with Panorama


L0 Member

To integrate the Cloud NGFW service with a Panorama virtual appliance, Panorama must be running software version 10.2, 11.0, or 11.1, and not greater than 11.1, as per the KB article below.

Panorama Integration Prerequisites

 

However, I recently deployed a VM-Series Panorama running 11.2.4-h1, which is integrated with CNGFW (Azure plugin version 5.2.1), and observed that 3 VMs got created with the same device name and different serial numbers, which are in sync mode (green) in Panorama (Manage device > summary) and connected to Panorama. Commit was successful upon test rule creation. The drawback I see is that I am unable to access the CNGFW via GUI & CLI.

Can anyone please give your inputs or share your experience on my below queries?

 

1. Will this integration be stable, as I set it up on higher versions than Palo advised?

2. How can we access the CNGFW? Is GUI & CLI possible instead of Panorama management?

3. Will cost, pricing or billing be applicable to 3 VMs (though I created a single CNGFW in Azure Marketplace)?

4. Will NGFW Credits be applied to 3 VMs or 3 serial numbers if I register with a CSP support account?

1 REPLY

L1 Bithead

1. Will this integration be stable as I made setup on higher versions than Palo advised?
Short answer: It's not guaranteed.
Explanation: Palo Alto typically certifies certain combinations of Panorama versions, Azure plugin versions, and CNGFW images for stability and support. Running Panorama 11.2.4-h1 with plugin 5.2.1 may not be an officially supported combination, especially with latest CNGFWs, so there may be bugs or unexpected behavior.
Check the Compatibility Matrix on Palo's support site to verify compatibility. If not aligned, you’re in “best effort” support territory.
If you're using CSP licensing or Premium Support, they may still assist, but they might ask you to downgrade to a certified version.

2. How can we access the CNGFW? Is GUI & CLI possible instead of Panorama management?
Short answer: Yes, but it depends on deployment model.

Explanation: By default, CNGFWs deployed from Azure Marketplace via templates may not expose their Mgmt interface to the internet or even internal subnets directly for security.
To enable CLI/GUI access:
  • Ensure Mgmt NIC has a public IP (if internet access is required).
  • Add proper NSG rules or route tables to allow access (typically TCP 22 for SSH, TCP 443 for GUI).
  • Confirm Panorama mode is not enforcing “panorama-only access” in the bootstrap config (check the init-cfg.txt or launch config).
  • You can also create a jumpbox VM in the same subnet to access the CNGFW via private IP.
CLI access (SSH) and GUI (HTTPS) are possible as long as the management interface is reachable.

3. Will cost or pricing or billing apply to 3 VMs (but I created single CNGFW in Azure marketplace)?
Short answer: Yes, Azure charges per running VM instance.

Explanation: If 3 VMs were spun up, Azure will bill you for all 3, even if it was unintentional. This might have happened due to:
  • HA or autoscale being enabled in the deployment template.
  • Custom bootstrap config spinning up extra instances.

You can check in Azure:
  • Go to Azure Portal > Resource Group where you deployed the CNGFW.
  • Look for VMs prefixed with the same deployment name.
Azure bills per VM-hour + potential extra storage/networking charges.

4. Will NGFW Credits be applied to 3 VMs or 3 Serial Numbers if I register with CSP support account?
Short answer: Yes – NGFW credits are applied per firewall instance/serial, not per deployment.

Explanation: Each serial number represents a separate firewall instance in Palo Alto’s licensing model, so:
  • If you see 3 serial numbers, registering them will consume 3x the credits.
  • This is true even if they were deployed unintentionally or as part of an autoscale/HA pair.

You can:
  • Open a support case with Palo Alto CSP support to potentially reclaim credits for unintentional instances.
  • Decommission unused VMs and remove serials from CSP portal.

 

Suggested Actions:
  • Verify version compatibility using Palo's Compatibility Matrix.
  • Check Azure Resource Group for how/why 3 VMs were deployed.
  • Use a jumpbox VM or open NSG temporarily to access CNGFW via CLI/GUI.
  • In Panorama, compare config and logs across all 3 serials—see if any are idle or duplicates.
  • Reach out to Palo support for help with credit disputes or deployment cleanup.

  • 929 Views
  • 1 replies
  • 0 Likes
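
The reply above suggests NSG rules for TCP 22 and TCP 443 to reach the management interface. As an added example (not part of the original thread), this Python sketch reviews NSG rules, in the JSON shape of `az network nsg rule list` output, for inbound Allow rules that leave those ports open to any source; the rule names and addresses in the sample are constructed.

```python
MGMT_PORTS = {22: "SSH", 443: "HTTPS"}         # ports named in the reply
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}  # NSG spellings of "anywhere"

# Constructed sample in the shape of `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "allow-ssh-any", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "22"},
    {"name": "allow-gui-jumpbox", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.4/32",
     "destinationPortRange": "443"},
    {"name": "allow-range-internet", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefixes": ["Internet"],
     "destinationPortRanges": ["80", "400-500"]},
    {"name": "deny-all", "priority": 4000, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

def _values(rule, single, plural):
    """Merge the singular and plural forms of a rule field into one list."""
    return list(rule.get(plural) or []) + [v for v in [rule.get(single)] if v]

def _covers(spec, port):
    """True if a port spec ('*', '22' or '400-500') includes port."""
    lo, _, hi = spec.replace("*", "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_mgmt_rules(rules):
    """Return (name, priority, services) for inbound Allow rules opening SSH/HTTPS
    to any source. Shadowing by higher-priority Deny rules is not evaluated."""
    findings = []
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"], r["access"]) != ("Inbound", "Allow") \
                or r["protocol"].lower() not in ("tcp", "*"):
            continue
        sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in OPEN_SOURCES for s in sources):
            continue
        specs = _values(r, "destinationPortRange", "destinationPortRanges")
        hit = [svc for port, svc in MGMT_PORTS.items()
               if any(_covers(s, port) for s in specs)]
        if hit:
            findings.append((r["name"], r["priority"], hit))
    return findings

if __name__ == "__main__":
    for name, prio, svcs in exposed_mgmt_rules(SAMPLE_RULES):
        print(f"{prio:>5} {name}: {', '.join(svcs)} open to any source")
```

A rule scoped to a jumpbox or admin address, like `allow-gui-jumpbox` in the sample, is not flagged.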