What is Palo Alto Cloud NGFW?
What is Cloud NGFW from Palo Alto Networks?
Cloud NGFW is a firewall service built on the same PAN-OS that runs on every Palo Alto Networks NGFW. It has the same components and features as a physical firewall hosted in your data center: the same policies, profiles, logging, and so on. The only difference is that it runs as a virtual machine inside Amazon's AWS or Microsoft's Azure data centers. So far, this does not make Cloud NGFW any different from the other VM-Series firewalls from Palo Alto Networks that can be deployed as a node in a public cloud. What makes it unique?
Cloud NGFW is a hybrid solution. The cloud provider manages and maintains the infrastructure that hosts the VM, the PAN-OS system, and all the related components needed to run it, taking that layer of detail off your plate. You no longer have to manage PAN-OS, dynamic updates, or other routine operational tasks. Because admins do not manage the PAN-OS instances directly, most vulnerabilities found in PAN-OS do not apply to this platform. Firewall policy is managed through the cloud provider's own firewall management service for AWS or Azure. If you prefer to manage Cloud NGFW with Panorama, that is fully supported through the Cloud Connector plug-in and is the recommended approach for larger enterprises. Strata Cloud Manager can also manage Cloud NGFW for enterprises that have adopted the newer management platform.
Why use Cloud NGFW vs other options?
For small, static deployments in a public cloud, where you build a dedicated transit network and manage the load balancers, firewall VMs, routing tables, and so on yourself, the basic do-it-yourself route is not too difficult. In midsize or larger environments, however, or in any environment where traffic volume changes dynamically, Cloud NGFW is a much better option. The main reason is that the cloud providers and Palo Alto Networks perform autoscaling for you as part of the service. You do not have to spend time and effort building, managing, and maintaining autoscaling infrastructure or the licenses that go with it, because Cloud NGFW handles that. You purchase a pool of Cloud NGFW Flex credits, and Palo Alto Networks and the cloud providers do the hard work. They even manage the load balancer rules, infrastructure, and complexity that come with this kind of environment, so you can focus on the security posture of your environment.
What else does Cloud NGFW offer?
Cloud NGFW also integrates natively with the AWS and Azure routing services, so internet-bound traffic, and private network traffic if you configure it, can be steered through the Cloud NGFW easily and automatically. This ensures that every device in your environment is correctly configured for direct internet access, and it also gives you the option of using Cloud NGFW as an internal segmentation firewall for VNet-to-VNet or VPC-to-VPC traffic for additional security. Using Cloud NGFW for internal segmentation is an excellent way to increase security visibility and protection; just make sure you have enough Flex credits to cover the additional firewall load.
What are the limitations?
Because this is a managed platform and you do not have direct access to the VMs, Cloud NGFW cannot currently act as an IPsec VPN termination node for business-to-business VPN connections. It also cannot serve as a GlobalProtect Portal or Gateway for remote access VPN. In short, it cannot be used by any service that needs to connect directly to a specific firewall, since that layer is not exposed to users.
How do I learn more about Cloud NGFW?
If you are interested in learning more about Cloud NGFW, contact your WWT or local Palo Alto Networks account team. We have resources available to answer your questions and provide insights into getting the most out of the solution, and we look forward to working with you.