Merge pull request #246637 from wtnlee/pansaasga

prmerger-automator[bot] · web-flow · commit 2996d56687b9 · 2023-07-31T17:42:03.000Z
saasga
diff --git a/articles/virtual-wan/how-to-palo-alto-cloud-ngfw.md b/articles/virtual-wan/how-to-palo-alto-cloud-ngfw.md
@@ -7,14 +7,13 @@ author: wtnlee
 
 ms.service: virtual-wan
 ms.topic: how-to
-ms.date: 05/02/2023
+ms.date: 07/31/2023
 ms.author: wellee
 ms.custom : references_regions
 
 ---
-# Configure Palo Alto Networks Cloud NGFW in Virtual WAN (preview)
-> [!IMPORTANT]
-> Palo Alto Cloud NGFW for Virtual WAN is currently in preview. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+# Configure Palo Alto Networks Cloud NGFW in Virtual WAN 
+
 
 [Palo Alto Networks Cloud Next Generation Firewall (NGFW)](https://aka.ms/pancloudngfwdocs) is a cloud-native software-as-a-service (SaaS) security offering that can be deployed into the Virtual WAN hub as a bump-in-the-wire solution to inspect network traffic. The following document describes some of the key features, critical use cases and how-to associated with using Palo Alto Networks Cloud NGFW in Virtual WAN.
 
@@ -63,6 +62,7 @@ For more information on internet-outbound capabilities and available settings, s
 :::image type="content" source="./media/how-to-palo-alto-cloudngfw/internet-outbound-cloud-ngfw.png" alt-text="Screenshot showing internet-outbound traffic flows with Cloud NGFW." lightbox="./media/how-to-palo-alto-cloudngfw/internet-outbound-cloud-ngfw.png":::
 
 #### Internet ingress (DNAT)
+
 You can also configure Palo Alto Networks for Destination-NAT (DNAT). Destination NAT allows a user to access and communicate with an application hosted on-premises or in an Azure Virtual Network via the public IPs associated with the Cloud NGFW.  
 
 For more information on internet-inbound (DNAT) capabilities and available settings, see [Palo Alto Networks documentation](https://aka.ms/pancloudngfwdocs). 
@@ -79,9 +79,8 @@ To create a new virtual WAN, use the steps in the following article:
 
 ## Known limitations
 
-* Palo Alto Networks Cloud NGFW is only available in the following Azure regions: Central US, East US, East US 2, West US, West Europe, Australia East, Australia Southeast, UK South, UK West, Canada Central and East Asia. Other Azure regions are on the roadmap.
-* Palo Alto Networks Cloud NGFW can only be deployed in new Virtual WAN hubs deployed with Azure resource tag **"hubSaaSPreview : true"**. Using existing Virtual Hubs with Palo Alto Networks Cloud NGFW is on the roadmap.
-* Palo Alto Networks Cloud NGFW can't be deployed with Network Virtual Appliances in the Virtual WAN hub. 
+* Palo Alto Networks Cloud NGFW is only available in the following Azure regions: Central US, East US, East US 2, West US, West US 3, West Europe, Australia East, Australia Southeast, UK South, UK West, Canada Central and East Asia. Other Azure regions are on the roadmap.
+* Palo Alto Networks Cloud NGFW can't be deployed with Network Virtual Appliances in the Virtual WAN hub.
 * For routing between Virtual WAN and Palo Alto Networks Cloud NGFW to work properly, your entire network (on-premises and Virtual Networks) must be within RFC-1918 (subnets within 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12). For example, you may not use a subnet such as 40.0.0.0/24 within your Virtual Network or on-premises. Traffic to 40.0.0.0/24 may not be routed properly.  
 * All other limitations in the [Routing Intent and Routing policies documentation limitations section](how-to-routing-policies.md) apply to Palo Alto Networks Cloud NGFW deployments in Virtual WAN.
 
@@ -98,11 +97,9 @@ The following steps describe how to deploy a Virtual Hub that can be used with P
 1. Navigate to your Virtual WAN resource.
 1. On the left hand menu, select **Hubs** under **Connectivity**.
 1. Click on **New Hub**.
-1. Under **Basics** specify a region for your Virtual Hub. Make sure the region is Central US, East US, East US 2, West Europe or Australia East. Additionally, specify a name, address space, Virtual hub capacity and Hub routing preference for your hub.
+1. Under **Basics** specify a region for your Virtual Hub. Make sure the region is Central US, East US, East US 2, West US, West US 3, West Europe, Australia East, Australia Southeast, UK South, UK West, Canada Central or East Asia. Additionally, specify a name, address space, Virtual hub capacity and Hub routing preference for your hub.
     :::image type="content" source="./media/how-to-palo-alto-cloudngfw/create-hub.png" alt-text="Screenshot showing hub creation page. Region selector box is highlighted." lightbox="./media/how-to-palo-alto-cloudngfw/create-hub.png":::
 1. Select and configure the Gateways (Site-to-site VPN, Point-to-site VPN, ExpressRoute) you want to deploy in the Virtual Hub. You can deploy Gateways later if you wish.
-1. Apply an Azure Resource tag to your Virtual Hub **"hubSaaSPreview":"true"**. This tag must be specified at hub deployment time  to use Palo Alto Networks Cloud NGFW.
-        :::image type="content" source="./media/how-to-palo-alto-cloudngfw/apply-tags.png" alt-text="Screenshot showing hub tag creation page." lightbox="./media/how-to-palo-alto-cloudngfw/apply-tags.png":::
 1. Click **Review + create**.
 1. Click **Create**
 1. Navigate to your newly created hub and wait for the **Routing Status** to be **Provisioned**. This step can take up to 30 minutes.  
@@ -113,7 +110,7 @@ The following steps describe how to deploy a Virtual Hub that can be used with P
 > You must wait for the routing status of the hub to be "Provisioned" before deploying Cloud NGFW. 
  
 1. Navigate to your Virtual Hub and click on **SaaS solutions** under **Third-party providers**.
-1. Click **Create SaaS** and select **Palo Alto Networks Cloud NGFW (preview)**.
+1. Click **Create SaaS** and select **Palo Alto Networks Cloud NGFW**.
 1. Click **Create**.
     :::image type="content" source="./media/how-to-palo-alto-cloudngfw/create-saas.png" alt-text="Screenshot showing SaaS creation page." lightbox="./media/how-to-palo-alto-cloudngfw/create-saas.png":::
 1. Provide a name for your Firewall. Make sure the region of the Firewall is the same as the region of your Virtual Hub. For more information on the available configuration options for Palo Alto Networks Cloud NGFW, see [Palo Alto Networks documentation for Cloud NGFW](https://aka.ms/pancloudngfwdocs).
@@ -160,8 +157,7 @@ The following section describes common issues seen when using Palo Alto Networks
 
 ### Troubleshooting Cloud NGFW creation
 
-* Ensure your Virtual Hubs are deployed in one of the following regions: Central US, East US, East US 2, West Europe or Australia East. Cloud NGFW deployment fails in other regions.
-* Ensure your Virtual Hub was created with the Azure Resource Tag **"hubSaaSPreview" : "true"**. Hubs created without this tag aren't eligible to be used with Cloud NGFW. These tags must be specified at hub creation time and can't be provided after hub deployment. To use Cloud NGFW, you need to create a new Virtual Hub.
+* Ensure your Virtual Hubs are deployed in one of the following regions: Central US, East US, East US 2, West US, West US 3, West Europe, Australia East, Australia Southeast, UK South, UK West, Canada Central and East Asia. Other regions are in the roadmap.
 * Ensure the Routing status of the Virtual Hub is "Provisioned." Attempts to create Cloud NGFW prior to routing being provisioned will fail.
 * Ensure registration to the **PaloAltoNetworks.Cloudngfw** resource provider is successful.
 
@@ -174,6 +170,7 @@ The following section describes common issues seen when using Palo Alto Networks
 ### Troubleshooting Routing intent and policies
 
 * Ensure Cloud NGFW deployment is completed successfully before attempting to configure Routing Intent.
+* Ensure all your on-premises and Azure Virtual Networks are in RFC1918 (subnets within 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12).
 * For more information about troubleshooting routing intent, see [Routing Intent documentation](how-to-routing-policies.md). This document describes pre-requisites,  common errors associated with configuring routing intent and troubleshooting tips.
 
 ### Troubleshooting Palo Alto Networks Cloud NGFW configuration
diff --git a/articles/virtual-wan/whats-new.md b/articles/virtual-wan/whats-new.md
@@ -35,9 +35,9 @@ You can also find the latest Azure Virtual WAN updates and subscribe to the RSS
 
 | Type |Area |Name |Description | Date added | Limitations |
 | --- |---|---|---|---|---|
+|Feature|Software-as-a-service|Palo Alto Networks Cloud NGFW|General Availability of [Palo Alto Networks Cloud NGFW](https://aka.ms/pancloudngfwdocs), the first software-as-a-serivce security offering deployable within the Virtual WAN hub.|July 2023|Palo Alto Networks Cloud NGFW is now deployable in all  Virtual WAN hubs (new and old). See [Limitations of Palo Alto Networks Cloud NGFW](how-to-palo-alto-cloud-ngfw.md) for a full list of limitations and regional availability. Same limitations as routing intent.|
 |Feature|Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs|[Fortinet NGFW](https://www.fortinet.com/products/next-generation-firewall)|General Availability of [Fortinet NGFW](https://aka.ms/fortinetngfwdocumentation) and [Fortinet SD-WAN/NGFW dual-role](https://aka.ms/fortinetdualroledocumentation) NVAs.|May 2023| Same limitations as routing intent. Doesn't support internet inbound scenario.|
 |Feature|Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs|[Check Point CloudGuard Network Security for Azure Virtual WAN](https://www.checkpoint.com/cloudguard/microsoft-azure-security/wan/) |General Availability of [Check Point CloudGuard Network Security NVA deployable from Azure Marketplace](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN_AdminGuide/Content/Topics-Azure-vWAN/Introduction.htm) within the Virtual WAN hub in all Azure regions.|May 2023|Same limitations as routing intent. Doesn't support internet inbound scenario.|
-|Feature|Software-as-a-service|Palo Alto Networks Cloud NGFW|Public preview of [Palo Alto Networks Cloud NGFW](https://aka.ms/pancloudngfwdocs), the first software-as-a-serivce security offering deployable within the Virtual WAN hub.|May 2023|Palo Alto Networks Cloud NGFW is only deployable in newly created Virtual WAN hubs in some Azure regions. See [Limitations of Palo Alto Networks Cloud NGFW](how-to-palo-alto-cloud-ngfw.md) for a full list of limitations.|
 |Feature |Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs| [Versa SD-WAN](about-nva-hub.md#partners)|Preview of Versa SD-WAN.|November 2021| |
 |Feature|Network Virtual Appliances (NVAs)/Integrated Third-party solutions in Virtual WAN hubs|[Cisco Viptela, Barracuda and VMware (Velocloud) SD-WAN](about-nva-hub.md#partners) |General Availability of SD-WAN solutions in Virtual WAN.|June/July 2021| |
 
@@ -82,10 +82,6 @@ The following features are currently in gated public preview. After working with
 |---|---|---|---|---|
 | Managed preview | Route-maps | This feature allows you to perform route aggregation, route filtering, and modify BGP attributes for your routes in Virtual WAN. | preview-route-maps@microsoft.com | Known limitations are displayed here: [About Route-maps (preview)](route-maps-about.md#key-considerations).
 |Managed preview|Aruba EdgeConnect SD-WAN| Deployment of Aruba EdgeConnect SD-WAN NVA into the Virtual WAN hub| preview-vwan-aruba@microsoft.com| |
-|Managed preview|Checkpoint NGFW|Deployment of Checkpoint NGFW NVA into the Virtual WAN hub|DL-vwan-support-preview@checkpoint.com, previewinterhub@microsoft.com|Same limitations as routing intent. Doesn't support internet inbound scenario.|
-|Managed preview|Fortinet NGFW/SD-WAN|Deployment of Fortinet dual-role SD-WAN/NGFW NVA into the Virtual WAN hub|azurevwan@fortinet.com, previewinterhub@microsoft.com|Same limitations as routing intent. Doesn't support internet inbound scenario.|
-|Public preview/Self serve|Virtual hub routing preference|This feature allows you to influence routing decisions for the virtual hub router. For more information, see [Virtual hub routing preference](about-virtual-hub-routing-preference.md).|For questions or feedback, contact preview-vwan-hrp@microsoft.com|If a route-prefix is reachable via ER or VPN connections, and via virtual hub SD-WAN NVA, then the latter route is ignored by the route-selection algorithm. Therefore, the flows to prefixes reachable only via virtual hub. SD-WAN NVA takes the route through the NVA. This is a limitation during the preview phase of the hub routing preference feature.|
-|Public preview/Self serve|Hub-to-hub traffic flows instead of an ER circuit connected to different hubs (Hub-to-hub over ER)|This feature allows traffic between 2 hubs traverse through the Azure Virtual WAN router in each hub and uses a hub-to-hub path, instead of the ExpressRoute path (which traverses through Microsoft's edge routers/MSEE). For more information, see the [Hub-to-hub over ER](virtual-wan-faq.md#expressroute-bow-tie) preview link.|For questions or feedback, contact preview-vwan-hrp@microsoft.com|
 
 ## Known issues
 
