Panorama management for Cloud NGFW

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama management for Cloud NGFW

L6 Presenter

We are deploying Cloud NGFW in Azure and want to manage it from Panorama. We have decided for Cloud NGFW in a vWAN option. We followed all the instructions and there weren't any issues. But we can't seem to push policy from Panorama to Cloud NGFW.

 

How can we verify the status of integration between Panorama and Cloud NGFW? As Panorama is in Azure as well and Cloud NGFW deployed as a vWAN there shouldn't be any communication issues between them.

 

If we select Commit and Push option, the Commit and Push button is unavailable. If we select Push to Devices and Edit Selections we don't have any DG to choose.

 

What should be the status in Azure plugin under Cloud NGFW?

 

Cloud NGFW for Azure #

7 REPLIES 7

L1 Bithead

Are you running the recommended panorama version for cloud ngfw and have the appropriate azure plugin version 5.1.0?

The prereq's are listed here: https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/panorama-policy-management/c...

 

You need to create a "Cloud Device Group" within the Azure Plugin under "Cloud NGFW" and that group will require keys from your CSP and panorama ip's that are reachable by your Palo Azure Cloud NGFW, you can find that process here https://docs.paloaltonetworks.com/cloud-ngfw/azure/cloud-ngfw-for-azure/panorama-policy-management/l...

once all that's done use the generate a registration key from the "Cloud Device Group"  under "Cloud NGFW" in the azure plugin

and use that key during the provisioning of the service in azure. I have not done this post deployment so I'm not sure of the process of post panorama integration.

 

Depending on how you connect to your managed firewalls be sure to allow the external source nat if public or internal ip block as the address are dynamic i believe.

 

If all works well then you should see the cngfw's connected under the cloud device group in panorama -> "managed devices" -> summary.

 

L6 Presenter

Yes, I have followed the instructions and have the recommended version of the plugin. The Cloud NGFW instance was provisioned with a registration key from Panorama and there were no issues during any part of the process. We even went through this process twice.

 

But I don't see any connected devices, I have nothing to select to when trying to push config to devices (Panorama will manage only this cloud NGFW for start). And under Cloud NGFW in Azure plugin I have nothing under "Associated Cloud NGFW Resources"

santonic_0-1698300543847.png

 

L6 Presenter

In the end it turned out it was just a connectivity issue; I got confirmation from customer that VNET with Panorama wasn't connected to the HUB where Cloud NGFW was deployed. Later they connected it and everything seems to work now.

However I now see 2 connected devices (VMs). Is it normal that a single deployment of Cloud NGFW shows as 2 VMs? The other explanation might be that we re-deployed Cloud NGFW again under same name and with same DG and template names. But the old deployment is now removed from Azure and I still see both VMs as connected.

L1 Bithead

Glad you got it sorted and it was something as simple as connectivity. I had four on intialisation of the service but one disconnected as i think the service spins three up by default but as i understand it if any disconnect they will be removed after three days. I had a connectivity issue as well and i beleive that's why i had an addtional firewall over the standard three.

L6 Presenter

Ty for the info.

Well I only have 2, not 3. But both connected so I guess everything is in order. And I guess more will spin up as needed based on throughput needed. 

Hi, This is useful for me as well. However I have one problem. Recently one of the VM instance went down. After logging a call with PA TAC , the TAC engineers rebooted the instance on the Azure side and now I am able to see the instance as connected. However I am unable to add the VM instance in to the Device group. If I am trying to push any policy, it is showing only the two instances under the selected device group. Any help to add the one instance in to the existing DG?. If I push the configuration only to the two VM Instances what will be happen?. this will impact the traffic flow?. 

 

Thanks & Regards

Madhankumar.

L6 Presenter

I think this is PA (or TAC) responsibility. In this scenario you are just consuming their Cloud NGFW service. All the work under the hood should be handled by PA. Especially as this is managed via Panorama plugin and not as usual VM instance.

  • 3449 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!