Palo Alto Networks Integration with Azure Virtual WAN
This guide provides step‑by‑step instructions to deploy Palo Alto Networks firewalls as a partner service in Azure Virtual WAN hubs, enabling centralized security and routing for branch and remote users.
What you’ll achieve
- Secure traffic inspection across all spoke connections.
- Centralized policy management via Palo Alto Panorama.
- Automatic route propagation between Virtual WAN and firewall.
For a high‑level view, see the architecture diagram.
Prerequisites
- Azure subscription with Contributor rights.
- Existing Virtual WAN and at least one hub.
- Palo Alto Networks VM‑Series firewall (1‑N series) deployed in the hub.
- Panorama instance (optional) for centralized rule management.
Ensure the firewall SKU meets the throughput requirements of your workloads.
Deployment Steps
- Navigate to the Virtual WAN hub in the Azure portal.
- Select Partner integrations → Add partner.
- Choose Palo Alto Networks from the list.
- Provide the firewall’s resource ID and select the appropriate interface.
- Configure the inbound and outbound traffic policies (default allow‑all can be overridden later).
- Click Deploy and wait for the provisioning to complete.
Sample Azure CLI command:
az network vwan hub create \
    --resource-group MyRG \
    --name MyHub \
    --vwan MyWAN \
    --address-prefix 10.0.0.0/24
az network vwan hub connection create \
    --resource-group MyRG \
    --hub-name MyHub \
    --name PaloAltoPartner \
    --partner-type PaloAltoNetworks \
    --partner-resource-id /subscriptions/xxxx/resourceGroups/MyRG/providers/Microsoft.Network/virtualAppliances/PaloAltoVM
Post‑deployment Configuration
After the partnership is established, configure security policies on the firewall.
Basic Security Policy
# Example Panorama rule
set rulebase security rules "Allow-All-WAN" source zone "any"
set rulebase security rules "Allow-All-WAN" destination zone "any"
set rulebase security rules "Allow-All-WAN" action allow
commit
Integrate Azure route tables with the firewall using the az network firewall policy commands.
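The basic policy above allows every zone to reach every zone, so it is worth checking an exported rule list for any-to-any allow rules before tightening policy. The following Python is an added example, not part of the original guide or of Palo Alto Networks tooling; it assumes rules are written in the set-command form shown on this page, and the function name and sample rules are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Every rule line on this page starts with these four tokens.
PREFIX = ["set", "rulebase", "security", "rules"]

# Constructed sample in the set-command form used on this page.
SAMPLE = '''
set rulebase security rules "Allow-All-WAN" source zone "any"
set rulebase security rules "Allow-All-WAN" destination zone "any"
set rulebase security rules "Allow-All-WAN" action allow
set rulebase security rules "Branch-To-Web" source zone "branch"
set rulebase security rules "Branch-To-Web" destination zone "any"
set rulebase security rules "Branch-To-Web" action allow
set rulebase security rules "Drop-Any" source zone "any"
set rulebase security rules "Drop-Any" destination zone "any"
set rulebase security rules "Drop-Any" action deny
commit
'''

def find_any_any_allow(config_text):
    """Return names of rules that allow traffic from zone any to zone any."""
    rules = defaultdict(dict)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours the quoted rule names
        except ValueError:
            continue  # unbalanced quotes: not a usable rule line
        if tokens[:4] != PREFIX or len(tokens) < 7:
            continue  # e.g. "commit" or an incomplete line
        name, *field, value = tokens[4:]
        rules[name][" ".join(field)] = value.lower()
    # Flag only rules that explicitly set both zones to "any" and allow.
    return [
        name for name, f in rules.items()
        if f.get("action") == "allow"
        and f.get("source zone") == "any"
        and f.get("destination zone") == "any"
    ]

if __name__ == "__main__":
    for rule in find_any_any_allow(SAMPLE):
        print(f"overly permissive rule: {rule}")
```
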
Monitoring & Logging
- Enable Azure Monitor diagnostics on the Virtual WAN hub.
- Stream firewall logs to Log Analytics workspace.
- Use Palo Alto‑CloudWatch integration for real‑time alerts.
Frequently Asked Questions
Can I use a single firewall for multiple hubs?
Yes, you can place a shared firewall in a central hub and configure hub‑to‑hub VNET peering to route traffic through it.
What are the licensing considerations?
Palo Alto firewalls require BYOL or Pay‑As‑You‑Go licensing. Ensure the license covers the total throughput of all spokes.
How does Azure route propagation work?
When the partner is added, Azure automatically injects routes from the firewall into the hub’s route table and vice‑versa, enabling bidirectional traffic flow.