This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Panorama managed template config

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Panorama managed template config

jasonrakers
L2 Linker

‎08-09-2023 11:30 AM

Does anyone have any information on what configurations are needed in the Template stack associated with the Cloud NGFW?  Specifically I am looking for what the interface and vrouter settings will likely need to be, such as ethernet1/1 and 1/2 set to DHCP, vrouter next hop of X, or if we need to allow for the Azure load-balancer probe monitoring like for VM-based deployment.

0 Likes Likes
3 REPLIES 3

jasonrakers
L2 Linker

‎08-10-2023 09:15 AM

I did some testing.  The Azure plugin creates a special Cloud NGFW template/template stack (cngfw-az-_DEFAULT_TEMPLATE_).  You don't get to use an existing template, or add an existing base template into the special template stack.  In the special template, the only network options are security zones which are already pre-defined.  Interested to see how creating another Cloud NGFW works.

 

I am currently encountering issues with how the Cloud NGFW accesses External Dynamic Lists (internal to the org) and forwarding logs to a Log Collector.  It seems to give Panorama a "fake" management IP address, which complicates troubleshooting where management traffic for these services is coming from the Cloud NGFW. 

 

But the policy administration is standard PAN, which is most appreciated, compared to Azure firewall.  The Cloud NGFW onboarding also appears to take care of all the dynamic updates being installed as well.  Looking forward to validating this solution. 

0 Likes Likes

abudilovskiy
L3 Networker
In response to jasonrakers

‎09-06-2023 05:59 AM

Hi Jason,

 

Your findings regarding the template stack naming are 100% accurate. This is how the plugin distinguishes between a VM-series device and a Cloud NGFW.

 

Regarding the management IP address you see in Panorama, this address is not reachable externally and is only used by the service control plane. 

 

As for the internal EDLs, are you using an internal FQDN to access them?

0 Likes Likes

jasonrakers
L0 Member
In response to abudilovskiy

‎09-09-2023 05:23 PM

internal IP host, no DNS involved, to get to the web server hosting the internal EDL

0 Likes Likes
  • 1234 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks