Azure Deployment Guide Shared R1 Aug 2018

User Manual:

Open the PDF directly: View PDF PDF.
Page Count: 150 [warning: Documents this large are best viewed by clicking the View PDF Link!]

DEPLOYMENT GUIDE FOR
MICROSOFT AZURE—
SHARED DESIGN MODEL
RELEASE 1
AUGUST 2018
Palo Alto Networks
Table of Contents
Table of Contents
Purpose of This Guide ........................................................................................................................................................ 1
Objecves .............................................................................................................................................................................................................. 1
Audience ................................................................................................................................................................................................................ 2
Related Documentaon ..................................................................................................................................................................................... 2
Deployment Overview ....................................................................................................................................................... 3
Choosing A Design Model ................................................................................................................................................................................. 3
Design Models ..................................................................................................................................................................... 4
Shared Design Model .......................................................................................................................................................................................... 4
Assumpons and Prerequisites........................................................................................................................................ 9
Deployment Details for Panorama ................................................................................................................................10
Creang and Conguring Azure Common Resources ...............................................................................................................................10
Deploying Panorama on Azure ....................................................................................................................................................................... 21
Deployment Details for VM-Series ...............................................................................................................................37
Creang and Conguring Azure Common Resource for VM-Series .......................................................................................................38
Deploying VM-Series on Azure ......................................................................................................................................................................46
Preparing VM-Series Firewall Conguraons Using Panorama ............................................................................................................... 52
Managing VM-Series with Panorama ............................................................................................................................................................ 63
Deployment Details for Azure Networking and Firewall Policies .......................................................................... 69
Conguring Azure Networking and Services ............................................................................................................................................... 70
Using Panorama to Congure Centralized Security Policy and NAT Policy ..........................................................................................86
Palo Alto Networks
Table of Contents
Deployment Details for Backhaul Connecon .........................................................................................................101
Conguring Azure Networking for Backhaul Connecon ...................................................................................................................... 102
Conguring On-site Firewall for VPN Access to Azure .......................................................................................................................... 113
Conguring Resilient Backhaul Connecon .............................................................................................................................................. 126
Using Panorama to Congure Security and NAT for Backhaul Connecon ...................................................................................... 131
Deployment Details for Automated Bootstrapping ................................................................................................136
Preparing For Bootstrapping ........................................................................................................................................................................ 136
Deploying the VM-Series with Bootstrap.................................................................................................................................................. 140
What’s New in This Release .........................................................................................................................................146
1Palo Alto Networks
Purpose of This Guide
Purpose of This Guide
This guide provides design and deployment details for Palo Alto Networks® Security Operang Plaorm on Microso
Azure. This deployment guide focuses specically on the shared design model. Details for the scaled design model are
included in a separate deployment guide.
This deployment guide:
Provides architectural guidance and deployment details for using Palo Alto Networks next-generaon rewalls
to provide visibility, control, and protecon to your applicaons built on Microso Azure.
Requires that you rst read the
Reference Architecture Guide for Azure
. The reference architecture guide pro-
vides architectural insight and guidance for your organizaon to plan linkage of pernent features with the next-
generaon rewall in a scalable and highly available design.
Provides decision criteria for deployment scenarios, as well as procedures for programming features of Microso
Azure and the Palo Alto Networks VM-Series next-generaon rewall in order to achieve an integrated design.
Focuses specically on the shared design model. Details for the scaled design model are included in a separate
deployment guide.
OBJECTIVES
Compleng the procedures in this guide, you can successfully deploy a Palo Alto Networks VM-series next-generaon
rewall in the Azure environment. The main objecves are to enable the following funconality:
Protecon and inspecon of ows inbound from the internet, outbound and east-west from private networks
and for secure communicaon with on-premise devices
Applicaon layer visibility and control for all ows
Preparing the rewalls to parcipate in the full Security Operang Plaorm with WildFire® analycs, URL lter-
ing, identy-based services, and the full Threat Prevenon services
Resilient and scalable operaon through integraon with Azure load-balancer
Panorama™ centralized management using templates and device groups
Centralized reporng with Palo Alto Networks cloud-delivered Logging Service
Automac rewall conguraon through bootstrapping
2Palo Alto Networks
Purpose of This Guide
AUDIENCE
This deployment guide is wrien for technical readers, including system architects and design engineers, who want to
deploy the Palo Alto Networks Security Operang Plaorm within a public cloud datacenter infrastructure. It assumes
the reader is familiar with the basic concepts of applicaons, networking, virtualizaon, security, and high availability, as
well as a basic understanding of network and data center architectures.
To be successful, you must have a working knowledge of networking and policy in PAN-OS®.
RELATED DOCUMENTATION
The following documents support this deployment guide:
Palo Alto Networks Security Operang Plaorm Overview
—Introduces the various components of the Security
Operang Plaorm and describes the roles they can serve in various designs.
Reference Architecture Guide for Azure
—Presents a detailed discussion of the available design consideraons and
opons for the next-generaon VM-Series rewall on Microso Azure. If you are unable to access the URL for
the reference architecture guide, please ask your account team to assist you.
3Palo Alto Networks
Deployment Overview
Deployment Overview
There are many ways to use the concepts discussed in the Security Operang Plaorm on Azure Design Guide to
achieve an architecture that secures applicaons deployed on Azure. Each of the design models in the design guide
provide an example architecture that secures inbound access to an applicaon in Azure, the communicaon between
private virtual machines and workloads, and the connecon to your on-site networks.
This guide is specic to the Shared Design model, the key design consideraons for when to choose this model follow.
CHOOSING A DESIGN MODEL
As discussed in the reference architecture guide, when choosing a design model, consider the following factors:
Scale—What are the expected number of sessions and bandwidth required for the applicaons? Is this deploy-
ment for a proof-of-concept? Are the trac proles for inbound, outbound, east-west and on-premise com-
municaon balanced? The shared model does not dierenate between trac ows, and resources consumed
by one trac prole may aect overall performance. The shared model provides linear scaling across all trac
proles by adding addional rewalls to the load-balancer backend pools. To provide increased scale for a specif-
ic trac prole, consider the scaled and dedicated models.
Complexity—Is it more important to keep individual device conguraon simple and permit easier trouble-
shoong, or is it acceptable to take on a somewhat higher administrave workload in order to reduce the total
number of deployed devices? The shared model combines the conguraons for all funcons to a single set of
devices with uni-direconal and bi-direconal ows across mulple zones. Careful consideraon of any changes
is necessary in order to evaluate overall impact, and conguraon errors may be more likely. For simplied con-
guraon and/or reduced impact of conguraon errors, consider the scaled and dedicated models.
Resiliency and high availability—Are there dierenated availability requirements for dierent trac proles?
The shared model provides the same level of availability for all proles. To provide dierenated availability for
high priority trac proles, consider using the scaled and dedicated models.
4Palo Alto Networks
Design Models
Design Models
The design models primarily dier in how trac ows are divided amongst VM-Series rewalls while oering you ex-
ibility in the number of rewalls, scale, and operaonal resiliency. Consider which model best ts your needs and use it
as a starng point for your design. The design models in this reference design are the:
Shared model—In this model, all trac ows through a single set of rewalls. This model keeps the number of
rewalls low for small deployments and proof-of-concepts. However, the technical integraon complexity is
high. The deployment details for this design model only are covered in this guide.
Scaled modelThe model separates inbound trac ows onto a dedicated set of rewalls while all other trac
ows through a shared rewall set. This design reduces technical integraon complexity and increases scale
compared to the shared model. The deployment details for this design model are covered in the Security Oper-
ang Plaorm on Azure Deployment Guide (Scaled Design Model).
Dedicated model—Inbound, outbound and east-west, and backhaul trac are each on dedicated sets of re-
walls. This model oers increased operaonal resiliency and reduces the chances of high bandwidth use from
one trac prole aecng another. This design model does not currently have a deployment guide.
SHARED DESIGN MODEL
In the shared design model, a common set of rewalls provides visibility and control of all trac proles (inbound,
outbound, east-west, backhaul). The rewalls are members of an availability set that distributed their virtual machines
across the Azure infrastructure to avoid downme caused by infrastructure maintenance or failure.
Figure 1 Shared design model
192.168.1.6
192.168.1.7
Ma nagem en t 192.168.1.0/24
172.16.1.6
(e th 1)
10.5.0.6
(e th 2)
Virtual Network
172.16.1.7
(e th 1)
10.5.0.7
(e th 2)
191.237.87.98
191.237.87.98
We b - 10. 5 . 1. 0 / 24
Business - 1 0. 5 . 2.0 / 24
DB - 1 0. 5 . 3. 0 / 24
10.5.15.6
(e th 3)
10.5.15.7
(e th 3)
Gateway - 10.5.16.0/24
VPN - 10.5.15.0/24
Private
1 0. 5 .0. 0 / 24
Pub lic
1 72 . 16 .1 . 0/ 24
Local Network 1 0.6 . 0. 0 / 16
191.237.87.98
(tcp/80)
10.5.0.21
10.5.15.21
10.5.0.21
10.5.15.21
Azure Internal Load Balancer
(2 ) Fro nt e nd IPs
(2) Backend Pools
5Palo Alto Networks
Design Models
Inbound Trac
For inbound trac, a public load-balancer distributes trac to the rewalls. To simplify rewall conguraon, the fron-
tend public IP address is associated with a DNS name and oang IP is enabled on the load-balancer rules. The public
load-balancer’s health probes monitor rewall availability through the HTTPS service acvated in the interface manage-
ment prole. Connecvity to the HTTPS service is limited to trac sourced from the health probe IP address.
User-dened routes direct trac from the subnet that contains the public interfaces to the other networks in the
VNet to the next-hop of none. This ensures the public subnet can only communicate to private resources through the
rewall.
Figure 2 Health probe failures with single virtual router
VR: def ault - Ro ute T able
Destination Next Hop I n t e r f ac e
0.0.0.0/0
10.5.0.0/24
10.5.15.0/24
1 72 . 16 . 1 .0/ 24
172.16.1.1 ethernet1 /1
10.5.0.5 ethernet1/ 2
10.5.15.5 eth ernet1/3
172.16.1.5 ethernet1 /1
e1 /2
10.5.0.0/24
(.5)
e1 /1
1 72 . 16 .1 . 0/ 24
(.5)
10.5.15.0/24
e1 /3 (.5)
Public
Load Balancer
In tern a l
Load Balancer
VR: def ault
10.5.0.5
172.16.1.5
10.5.0.5
10.5.15.5
172.16.1.5
172.16.1.5 Av ailable
10.5.0.5 Unavailable
10.5.15.5 Unavailable
Azure LB Health Probe src IP = 168.63.129.16
Probe Response dst IP = 168.63.129.16
Probe Response (failed) dst IP = 168.63.129.16
10.5.15.5
The public interface uses a dedicated virtual router. Stac routes dene a default route out the public interface as well
as a route to private networks through the virtual router dedicated to the private interface. Dedicated virtual routers
are required in the shared design model because Azure always sources load-balancer health probes from the same
IP address. Dedicated virtual routers allow the rewall to have the interface that received the health probe to source
responses.
6Palo Alto Networks
Design Models
Figure 3 Health probes with mulple virtual routers
VR: VR-VP N - Ro ute Table
Destination Next Hop I n t e r f ac e
168.63.129.16/32
10.5.15.0/24
10.5.15.1 eth ernet1/3
10.5.15.5 eth ernet1/3
VR: VR-Private - Ro ute Table
Destination Next Hop I n t e r f ac e
168.63.129.16/32
10.5.0.0/24
10.5.0.1 ethernet1/ 2
10.5.0.5 ethernet1/ 2
VR: VR-Pu bl ic VR: VR-Private
VR: VR-VP N
10.5.15.0/24
e1 /3 (.5)
e1 /2
10.5.0.0/24
(.5)
e1 /1
1 72 . 16 .1 . 0/ 24
(.5)
Public
Load Balancer
172.16.1.5
172.16.1.5 Available
10.5.0.5
Internal
Load Balancer
10.5.0.5 Available
10.5.15.5 Available
10.5.15.5
VR: VR-Pu bl ic - Ro ut e T able
Destination Next Hop I n t e r f ac e
0.0.0.0/0
168.63.129.16/32
1 72 . 16 . 1 .0/ 24
172.16.1.1 ethernet1 /1
172.16.1.1 ethernet1 /1
172.16.1.5 ethernet1 /1
172.16.1.5 10.5.0.5
10.5.15.5
Azure LB Health Probe src IP = 168.63.129.16
Probe Response dst IP = 168.63.129.16
The rewall applies both a desnaon and source NAT to inbound trac. Desnaon NAT translates the FQDN ad-
dress object associated with the load-balancer public DNS name to the virtual machine or load-balancer on the private
network. The source NAT translates the source to be the IP address of the private interface of the rewall, ensuring
return trac ows symmetrically.
The rewall security policy allows appropriate applicaon trac to the resources in the private network while rewall
security proles prevent known malware and vulnerabilies from entering the network in trac allowed in the security
policy.
Outbound Trac
For outbound trac, an internal load-balancer distributes trac to the rewalls. User-dened routes on the private
subnets direct trac to the load-balancer’s frontend IP address, which shares a subnet with the rewall private inter-
faces. Load-balancer rules forward all TCP and UDP ports to the rewalls. Common ports required for outbound trac
include UDP/123 (NTP), TCP/80 (HTTP), and TCP/443 (HTTPS). DNS is not needed, because virtual machines com-
municate to Azure name services directly through the Azure network fabric. The internal load-balancer’s health probes
monitor rewall availability through the HTTPS service enabled in the interface management prole. Connecvity to
the HTTPS service is limited to trac sourced from the health probe IP address.
The private interface uses a dedicated virtual router. Stac routes are dened for the health probe IP address and
private network range out the private interface. Addionally, a stac default route forwards trac to the virtual router
dedicated to the public interface.
7Palo Alto Networks
Design Models
The rewall applies source NAT to outbound trac. When the outbound trac originates from a resource that is
associated with a public IP address, source NAT translates outbound trac to the FQDN address object. For private
resources not associated with a public IP address, the rewall translates the source address to its public interface. An
Azure public IP address is associated with each rewall’s public interface which is required when the interface is also
associated with an inbound public load-balancer’s backend pool.
Because bi-direconal NAT matches trac on any zone, do not enable bi-direconal
NAT in NAT policy rules. Otherwise, the NAT policy may incorrectly translate east-west
trac.
Caution
The rewall security policy allows appropriate applicaon trac from the resources in the private network to the inter-
net. You should implement the security policy by using posive security policies (whitelisng). Security proles prevent
known malware and vulnerabilies from entering the network in return trac allowed in the security policy. URL lter-
ing, le blocking, and data ltering protect against data exltraon.
East-West Trac
East-west trac, or trac between private subnets, uses the same internal load-balancer to distribute trac to the
rewalls as the outbound trac. User-dened routes to the private network subnets are applied to the private subnets
and direct trac to the load-balancer’s frontend IP address. The exisng load-balancer rules for outbound trac apply
to east-west trac as well, and apply to all TCP and UDP ports.
The rewall should not translate the desnaon for trac between private subnets. Like inbound trac, source NAT is
required for return trac to ow symmetrically. A posive control security policy should allow only appropriate applica-
on trac between private resources and requires that the default intrazone security policy rules be overridden and
modied to deny trac. Security proles should also be enabled to prevent known malware and vulnerabilies from
moving laterally in the private network through trac allowed in the security policy.
Backhaul and Management Trac
User-dened routes applied to the gateway subnet direct trac that has a desnaon in the private network range to
the internal load-balancer with an addional frontend IP dedicated to incoming trac from the backhaul connecon.
The load-balancer then distributes trac to a new backend pool with dedicated interfaces on the rewalls. Dedicated
rewall interfaces are used for the backhaul trac because they allow for enhanced security policies that can take zone
into account.
On the rewall, a dedicated virtual router for the backhaul interface and stac routes provides reachability to the on-
site networks and health probe IP address. Stac routes on both the backhaul and private virtual routers provide bi-di-
reconal trac ow between the on-site and private network ranges. Trac originang in private subnets and desned
to on-site networks follows the same path as east-west trac. All that is required is the addion of user-dened routes
that forward on-site network ranges to the outbound/east-west load-balancer frontend.
8Palo Alto Networks
Design Models
Trac from the on-site networks communicates to the management subnet directly. This allows on-site administrators
to manage the rewalls even when a misconguraon occurs in user-dened roung or load-balancers.
User-dened routes blackhole the trac to the on-site networks from public subnets by sending the trac to a next-
hop of none.
9Palo Alto Networks
Assumpons and Prerequisites
Assumpons and Prerequisites
Microso Azure:
Your organizaon has a valid acve subscripon associated with your Azure user account.
Two resources groups are used—one for Panorama and common resources and a separate resource group for
dataplane devices
Uses Standard-SKU IP addresses and load-balancers, except where specically noted in the guide.
Only IPv4 networking is used.
Web servers are already deployed with their own dedicated load-balancer.
Business and DB servers are already deployed.
Palo Alto Networks next-generaon rewalls and Panorama:
Device conguraon is centrally managed with Panorama using templates and device groups.
Panorama will be deployed on Azure in management-only mode.
Firewall logging uses the Palo Alto Networks cloud-based Logging Service.
The PAN-OS version tested in this deployment guide is 8.1.2 for all devices.
The Cloud services plugin for Panorama is 1.1.0.
The on-premise rewalls for backhaul trac are already deployed with a set of interfaces connected to the pub-
lic and private zones and integrated into the on-premise dynamic roung protocol.
Palo Alto Networks licensing:
Your organizaon has a Panorama license for the current and expected number of managed VM-Series rewalls.
Sucient VM-Series licensing for the current and expected number of VM-Series rewalls. This guide assumes
you are using the BYOL licensing opon.
Requires a bundled auth-key for VM-Series if you intend to use bootstrapping.
Logging Service instance is provisioned with sucient storage to support the required data retenon period and
auth-code has been issued.
Logging Service region used is americas.
10Palo Alto Networks
Deployment Details for Panorama
Deployment Details for Panorama
Panorama is deployed in a new dedicated Azure Resource Group which includes the VNet used for the Shared Design
Model. You must complete two complementary procedure groups in order to deploy Panorama. The rst procedure
group congures the Azure environment. Once Azure is congured, then Panorama may be deployed.
Figure 4 Panorama high-availability mode deployed on Azure
Virtual Network
192.168.1.4
(active)
192.168.1.5
(p a ss ive)
Ma nagemen t 192.168.1.0/24
High
Av ailability
Several of the resources created on Azure are used by procedures later in this guide When the resource already exists,
you will be instructed to modify an exisng resource rather than create a new resource.
Creang and Conguring Azure Common Resources
1.1 Create the Resource Group
1.2 Create the Virtual Network
1.3 Create the Public IP Address for Panorama
1.4 Create and Apply the Network Security Group
1.5 Create the Availability Set
1.6 Create the Storage Account
1.7 Verify Resource Creaon Completed
Procedures
The following procedures are completed using the Azure Resource Manager. Sign in to Azure at
hps://portal.azure.com
.
11Palo Alto Networks
Deployment Details for Panorama
Some Azure templates provide an opon to create a new resource when needed at de-
ployment me and other templates require resources to be created in advance. Where
possible, this guide creates the resource in advance and then references the exisng
resource at deployment me.
Note
This procedure group creates the resources listed in the following table as preparaon for deploying Panorama.
Table 1 Azure resources required for deployment
Parameter Value Comments
Resource group AzureRefArch
Subscripon <value> Must have a valid Azure subscripon
Resource group locaon <locaon> Tested in West US
Virtual network AzureRefArch-VNET
Public IP for Panorama management
(primary)
Azure-Panorama-1 Panorama, or primary Panorama when using
Panorama High Availability
Public IP for Panorama management
(secondary)
Azure-Panorama-2 Oponal—secondary Panorama when using
Panorama High Availability
Availability set AzureRefArch-AS Suggested if planning for Panorama High Avail-
ability
Diagnoscs storage account azurerefarchv2diag
1.1 Create the Resource Group
All resources deployed in this guide should use the same locaon. The deployment in this guide was tested in West US.
Step 1: In Home > Resource groups, click Add.
12Palo Alto Networks
Deployment Details for Panorama
Step 2: In the Resource group name box, enter AzureRefArch and select the desired values for the Resource group
locaon. Click Create.
1.2 Create the Virtual Network
The virtual network (VNet) is created with an inial IP address space and a subnet that must be within the IP address
space. The VNet can be modied aer creaon to add addional IP address space and subnets. Only the rst entry in
the following table is congured in this procedure.
Table 2 Virtual network IP addressing and subnets
Address space Subnet Address range Comments
192.168.1.0/24 Management 192.168.1.0/24 Inial address space, subnet, and range
172.16.0.0/23 Shared-Public 172.16.1.0/24 Congured in a separate procedure
10.5.0.0/16 Shared-Private
Shared-Web
Shared-Business
Shared-DB
Shared-VPN
10.5.0.0/24
10.5.1.0/24
10.5.2.0/24
10.5.3.0/24
10.5.15.0/24
Congured in separate procedures
Step 1: In Home > Virtual networks, click Add.
Step 2: In the Name box, enter AzureRefArch-VNET.
Step 3: In the Address space box, enter 192.168.1.0/24.
13Palo Alto Networks
Deployment Details for Panorama
Azure Resource Manager provides a warning if the proposed address space overlaps
with address space already assigned in another VNet within the same subscripon.
These warnings can be ignored if communicaon between these VNets is not required.
Otherwise, choose a dierent non-overlapping address space.
Note
Step 4: In the Resource Group secon, choose Use Exisng and then select AzureRefArch.
Step 5: In the Subnet secon Name box, enter Management.
Step 6: In the Subnet secon Address Range box, enter 192.168.1.0/24.
Step 7: Click Create.
14Palo Alto Networks
Deployment Details for Panorama
1.3 Create the Public IP Address for Panorama
The Panorama virtual machines deployed on Azure are managed using public IP addresses unless on-site network con-
necvity has been established. The process to congure on-site network connecvity is included later in this guide.
This procedure creates a public IP address that is associated with the management interface of the primary Panorama
system at deployment me. If necessary, this procedure is repeated to create an addional public IP address for the
secondary Panorama system. The parameters listed in Table 1 are used to complete this procedure.
This guide uses Standard-SKU IP addresses in all procedures except where specically
noted.
Note
Take note of the fully qualied domain name (FQDN) that is dened by adding the locaon specic sux to your DNS
name label. We recommend managing your devices by using the DNS name rather than the public IP address, which
may change.
Step 1: In Home > Public IP addresses, click Add.
Step 2: In the Name box, enter Azure-Panorama-1.
Step 3: Select Standard SKU.
Step 4: In the DNS name label box, enter ara-panorama-1.
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
15Palo Alto Networks
Deployment Details for Panorama
Step 6: Click Create.
1.4 Create and Apply the Network Security Group
Azure requires that a network security group (NSG) must be applied on a subnet or NIC of your virtual machine re-
source or trac is not permied to reach the resource when Standard SKU public IP addresses are associated with the
resource.
This guide uses Standard-SKU IP addresses in all procedures except where specically
noted.
Note
16Palo Alto Networks
Deployment Details for Panorama
This procedure creates NSGs for use with the management subnet. Each NSG includes default rules that allow for traf-
c within the VNET and from the Azure Load Balancer health probes.
Step 1: In Home > Network Security groups, click Add.
Step 2: In the Name box, enter AllowManagement-Subnet.
Step 3: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 4: In Home > Network security groups > AllowManagement-Subnet, in the SETTINGS secon, click Inbound
security rules.
Step 5: Click Add. The Add inbound security rule pane appears.
Step 6: In the Desnaon port ranges box, enter 443.
Step 7: In the Protocol secon, select TCP.
Step 8: In the Name box, enter AllowHTTPS-Inbound.
17Palo Alto Networks
Deployment Details for Panorama
Step 9: Click Add.
Step 10: Repeat Step 4 through Step 9 with the following values:
Desnaon port ranges22
Priority110
NameAllowSSH-Inbound
Azure presents warning messages when the NSG rules expose various ports to the
Internet. We advise using more restricve rules outside of a tesng environment.
Note
18Palo Alto Networks
Deployment Details for Panorama
Step 11: In Home > Network security groups > AllowManagement-Subnet, in the SETTINGS secon, click Subnets.
Step 12: In the AllowAll-Subnet — Subnets pane, click Associate.
Step 13: Click on the Virtual network — Choose a virtual network secon. From the Choose virtual network list,
select AzureRefArch-VNET.
Step 14: Click on the Subnet — Choose a subnet secon. From the Choose subnet list, select Management, and then
click OK.
19Palo Alto Networks
Deployment Details for Panorama
1.5 Create the Availability Set
The Panorama high-availability model benets from the use of an availability set with two fault domains. This ensures
that the primary and secondary Panorama systems are deployed on dierent fault domains.
You can only congure an availability set on a virtual machine during its inial deploy-
ment. You can’t modify a virtual machine’s availability-set conguraon aer the virtual
machine is deployed.
Note
Step 1: In Home > Availability sets, click Add.
Step 2: In the Name box, enter AzureRefArch-AS.
Step 3: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 4: Click Create.
20Palo Alto Networks
Deployment Details for Panorama
1.6 Create the Storage Account
Panorama and other resources require general purpose storage for diagnoscs and bootstrapping.
Step 1: In Home > Storage accounts, click Add.
Step 2: In the Name box, enter azurerefarchv2diag.
Step 3: In the Account kind list, select StorageV2 (general purpose v2).
Step 4: In the Replicaon list, select Locally-redundant storage (LRS).
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 6: Click Create.
21Palo Alto Networks
Deployment Details for Panorama
1.7 Verify Resource Creaon Completed
Some Azure deployments are me consuming, and if any resources are missing, the deployment fails. It is quicker to
verify that all of the necessary resources exist before proceeding with a deployment than waing unl a deployment
fails.
Step 1: In Home > Resource Groups, select AzureRefArch.
Step 2: Verify that the resource group, NSGs, public IP addresses, availability set, storage account, and VNet have been
successfully created.
Deploying Panorama on Azure
2.1 Create Panorama Virtual Machine
2.2 Change Azure Assigned IP Address from Dynamic to Stac
2.3 License Panorama on Azure
2.4 Update Panorama Soware to Recommended Version
2.5 Congure Panorama High Availability (oponal)
2.6 Acvate Logging Service
2.7 Install Cloud Service Plugin Version 1.1.0
Procedures
The following procedures use the Azure Resource Manager and the Panorama device portal. Sign in to Azure at
hps://
portal.azure.com
. Details on how to access Panorama aer deployment are included in the relevant procedures.
22Palo Alto Networks
Deployment Details for Panorama
This procedure deploys Panorama in management mode. Panorama defaults to management mode when it detects that
there is not sucient log storage capacity to run in Panorama mode.
Table 3 Panorama deployment parameters
Parameter Value Comments
Name Azure-Panorama-1
Azure-Panorama-2
Primary system
Secondary system (oponal for high availability)
VM disk type Standard HDD Required for D3_v2 Standard.
Username refarchadmin May not use “admin”
Authencaon type <password> Complex password required
Subscripon <value> Must have a valid Azure subscripon
Resource group name Use exisng
AzureRefArch
Locaon <locaon> Tested in West US
Panorama VM size D3_v2 Standard
Setup Prerequisites for the Panorama Virtual Appliance
Availability set AzureRefArch-AS Recommend to use Availability Set if planning for acve/
standby Panorama. Cannot change seng aer deploy-
ment.
Storage
Use managed disks
Yes
Virtual Network AzureRefArch-VNET
Subnet Management
Public IP Azure-Panorama-1
Azure-Panorama-2
DNS congured as: ara-panorama-1
DNS congured as: ara-panorama-2
Network security group None NSG is applied at subnet level
Auto-shutdown No
Monitoring
boot diagnoscs
On
Diagnoscs storage account azurerefarchv2diag
2.1 Create Panorama Virtual Machine
Use the parameters in Table 3 to deploy Panorama.
Step 1: In Home > Virtual machines, click Add.
Step 2: In the Search compute box, enter Panorama, and then and press Enter to search.
23Palo Alto Networks
Deployment Details for Panorama
Step 3: In the search results, click Panorama (BYOL).
Step 4: In Home > Virtual machines > Compute > Panorama (BYOL), click Create.
Step 5: In the Name box, enter Azure-Panorama-1.
Step 6: In the VM disk type list, select Standard HDD.
Step 7: In the Username box, enter refarchadmin.
Step 8: For Authencaon type, select Password.
Step 9: In the Password and Conrm Password boxes, enter the password.
Step 10: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch and click OK.
Step 11: From the Available sizes, select D3_v2 Standard, and then click Select.
Step 12: Click the Availability set secon to modify the default seng. From the Change availability set list, select
AzureRefArch-AS.
Step 13: Click the Virtual network secon to modify the default seng. From the Choose virtual network list, select
AzureRefArch-VNET.
Step 14: Click the Subnet secon to modify the default seng. From the Choose subnet list, select Management.
Step 15: Click the Public IP address secon to modify the default seng. From the Choose public IP address list,
select Azure-Panorama-1. Dismiss the dialog box warning for “Your unsaved edits will be discarded.” by clicking OK.
Step 16: Click the Network security group (rewall) secon to modify the default seng. From the Choose network
security group list, select None. The subnet already has an associated NSG.
Step 17: Click the Diagnoscs storage account secon to modify the default seng. From the Choose storage ac-
count list, select azurerefarchv2diag, and then click OK.
Step 18: Aer validaon passes, review the Oer details, Summary, and Terms of use secons. If the informaon is
correct and acceptable, then click Create.
24Palo Alto Networks
Deployment Details for Panorama
2.2 Change Azure Assigned IP Address from Dynamic to Stac
You must congure Panorama with a stac IP address. Azure networking provides the IP address to Panorama using
DHCP but by default is congured to use dynamic assignment. If the current IP address is acceptable, convert the
address assignment to stac. To change the IP address, convert the assignment to stac and then assign an available
address. Any IP address changes require a restart of the Panorama virtual machine.
Step 1: In Home > Virtual machines > Azure-Panorama-1, click Networking.
Step 2: Click the Network interface name (example: azure-panorama-1268).
Step 3: Click IP conguraons.
25Palo Alto Networks
Deployment Details for Panorama
Step 4: Click the IP conguraon row to edit the sengs.
Step 5: In the Private IP address sengs secon, click Stac to convert from dynamic to stac conguraon.
Step 6: (Oponal—change the stac IP address to preferred value.) In the IP address box, enter a new IP address. The
chosen IP address must be unassigned in Azure.
Changing an IP address forces a restart of the virtual machine.
Caution
Step 7: Click Save. The virtual machine restarts if the IP address is changed.
26Palo Alto Networks
Deployment Details for Panorama
2.3 License Panorama on Azure
Panorama is now running on Azure but is unlicensed and using a factory default conguraon. Based on the size se-
lected for the Panorama virtual machine, the System Mode is management-only.
This procedure assumes that you have a valid serial number for your Panorama device(s) and that registraon on the
customer support portal (
hps://support.palotaltonetworks.com
) is complete.
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
)
You will see a series of dialog boxes and warnings.
Step 2: Click OK to accept the There are no device groups dialog box.
Step 3: Click OK to accept the Retrieve Panorama License warning dialog box.
27Palo Alto Networks
Deployment Details for Panorama
Step 4: Click Complete Manually to accept the next Retrieve Panorama License warning dialog box.
Step 5: Click OK to accept the Oine Licensing Informaon dialog box.
28Palo Alto Networks
Deployment Details for Panorama
Step 6: In Panorama > Setup > Management > General Sengs, click the Edit cog.
Step 7: In the Domain box, enter the domain sux.
Step 8: In the Time Zone list, select the appropriate me zone (example: US/Pacic).
Step 9: In the Serial Number box, enter the serial number from the customer support portal, and then click OK.
Step 10: In Panorama > Setup > Services, click the Edit cog.
Step 11: In the Primary DNS Server box, enter 168.63.129.16.
Step 12: Change to the NTP tab. In the Primary NTP Server secon NTP Server Address box, enter 0.pool.ntp.org.
29Palo Alto Networks
Deployment Details for Panorama
Step 13:  In the Secondary NTP Server secon NTP Server Address box, enter 1.pool.ntp.org, and then click OK.
Step 14: On the Commit menu, click Commit to Panorama.
Step 15: In Panorama > Licenses, click Retrieve license keys from license server.
Step 16: Verify Device Management License is acve.
2.4 Update Panorama Soware to Recommended Version
Step 1: Navigate to Panorama > Soware.
If you receive an Operaon Failed warning with the message No update informaon
available, you may click Close to acknowledge. No acon is required.
Note
Step 2: In Panorama > Soware, click Check Now.
Step 3: For version 8.1.2, in the Acons column, click Download. Click Close when complete.
Step 4: Aer the status in the Available column has changed to Downloaded, and then in the Acon column, click
Install.
Step 5: When prompted to Reboot Panorama, click Yes.
30Palo Alto Networks
Deployment Details for Panorama
2.5 Congure Panorama High Availability (oponal)
This procedure is necessary only to deploy Panorama in a high availability conguraon. Panorama supports an HA
conguraon in which one peer is the acve-primary and the other is the passive-secondary. If a failure occurs on the
primary peer, it automacally fails over and the secondary peer becomes acve.
The Panorama HA peers synchronize the running conguraon each me you commit changes on the acve Panorama
peer. The candidate conguraon is synchronized between the peers each me you save the conguraon on the ac-
ve peer or just before a failover occurs.
Sengs that are common across the pair, such as shared objects and policy rules, device group objects and rules, tem-
plate conguraon, and administrave access conguraon, are synchronized between the Panorama HA peers.
Perform Step 1 through Step 6 on the primary Panorama.
Step 1: In Panorama > High Availability > Setup, click the Edit cog.
Step 2: Select Enable HA.
Step 3: In the Peer HA IP Address box, enter 192.168.1.5, and then click OK.
Step 4: In Panorama > High Availability > Elecon Sengs, click the Edit cog.
Step 5: In the Priority list, select primary, and then click OK.
Step 6: On the Commit menu, click Commit to Panorama.
Perform Step 7 through Step 12 on the secondary Panorama.
Step 7: In Panorama > High Availability>Setup, click the Edit cog.
Step 8: Select Enable HA.
31Palo Alto Networks
Deployment Details for Panorama
Step 9: In the Peer HA IP Address box, enter 192.168.1.4, and then click OK.
Step 10: In Panorama > High Availability > Elecon Sengs, click the Edit cog.
Step 11: In the Priority list, select secondary, and then click OK.
Step 12: On the Commit menu, click Commit to Panorama.
Step 13: On the primary Panorama, in Dashboard > Widgets > System, click High Availability to enable the High Avail-
ability dashboard widget. This adds a dashboard pane that displays the status of the Panorama peers.
Step 14: Repeat Step 13 on the secondary Panorama.
Step 15: On the primary Panorama, in Dashboard > High Availability, click Sync to peer.
32Palo Alto Networks
Deployment Details for Panorama
Step 16: Click Yes to accept the Overwrite Peer Conguraon warning and proceed with the synchronizaon.
2.6 Acvate Logging Service
The Logging Service requires an authorizaon code, which is used to acvate the service. This procedure also assumes
that you have a valid serial number for your Panorama device(s) and that registraon on the customer support portal is
complete.
The Logging Service instance is associated with the serial number of the primary Panorama. This procedure is not re-
peated for the secondary Panorama.
Step 1: Log in to the Customer Support Portal at
hps://support.paloaltonetworks.com
.
Step 2: Select Assets > Cloud Services.
Step 3: Click Acvate Cloud Services Auth-Code.
Step 4: In the Cloud Services window, in the Authorizaon Code box, enter the authorizaon code (example:
I7654321), and then press Tab key to advance. The Panorama and Logging Region boxes appear.
Step 5: In the Cloud Services window, in the Panorama list, select the value that corresponds to the serial number as-
signed to your primary Panorama.
33Palo Alto Networks
Deployment Details for Panorama
Step 6: In the Cloud Services window, in the Logging Region list, select the value that corresponds to your region
(example: Americas).
Step 7: Accept the EULA by clicking on Agree and Submit.
2.7 Install Cloud Service Plugin Version 1.1.0
If running Panorama in high availability mode, perform this procedure on the primary Panorama rst. Then repeat this
procedure for the secondary Panorama.
Step 1: In Panorama > Plugins, click Check Now.
Step 2: For cloud _services-1.1.0, in the Acons column, click Download.
Step 3: Aer the download is completed, click Close.
Step 4: Aer the status in the Available column changes to a check, and then in the Acon column, click Install.
34Palo Alto Networks
Deployment Details for Panorama
Step 5: Click OK to close the dialog box that indicates a successful installaon.
Perform Step 6 through Step 8 on the customer support portal (
hps://support.paloaltonetworks.com
) to complete the
associaon of Panorama to the cloud service.
Step 6: In Assets > Cloud Services, click Generate OTP.
Step 7: In the Generate Cloud Services One Time Password window, in the Panorama list, select the serial number for
the primary Panorama, and then click Generate OTP.
35Palo Alto Networks
Deployment Details for Panorama
Step 8: In the Generate Cloud Services One Time Password window, click Copy to Clipboard.
Step 9: On Panorama, navigate to Panorama > Cloud Services > Status, and then click Verify.
36Palo Alto Networks
Deployment Details for Panorama
Step 10: In the One-Time Password box, paste the OTP that was generated from the Customer Support Portal.
Step 11: In Panorama > Cloud Service > Status, verify the status.
Step 12: If necessary, repeat this procedure for the secondary Panorama.
37Palo Alto Networks
Deployment Details for VM-Series
Deployment Details for VM-Series
The VM-Series rewalls are deployed in a new dedicated Azure Resource Group for the shared design model. Some
Azure resources, such as the VNet, have already been allocated within the Azure Resource Group used for Panorama.
You must complete mulple complementary procedure groups in order to deploy and congure the VM-Series.
The rst procedure group modies and congures the Azure environment. Aer Azure is congured, the second pro-
cedure group deploys the VM-Series and minimally congures each device to prepare for central management through
Panorama.
Figure 5 Shared model—VM-Series deployment parameters
192.168.1.6
192.168.1.7
Ma nagemen t 192.168.1.0/24
172.16.1.6
(et h 1)
10.5.0.6
(et h 2)
Virtual Network
172.16.1.7
(et h 1)
10.5.0.7
(et h 2)
10.5.15.6
(et h 3)
10.5.15.7
(et h 3)
Shared-VPN - 10.5.15.0/24
Shared-Private
1 0. 5 .0. 0 / 24
Shared-Pub lic
1 72 . 16 .1 . 0/ 24
The third procedure group congures the Panorama conguraon templates used by the each of VM-Series devices. All
template based conguraon is common across all VM-Series devices and only takes eect once pushed from Panora-
ma to the VM-Series. Aer the templates are complete, the fourth procedure group registers the individual VM-Series
devices with Panorama, associates them with the templates and placeholder device groups, pushes the conguraons,
and refreshes the licenses.
38Palo Alto Networks
Deployment Details for VM-Series
Creang and Conguring Azure Common Resource for VM-Series
3.1 Create Whitelist Network Security Group
3.2 Add Address Space and Subnets to the Virtual Network
3.3 Create the Resource Group for the Shared Design Model
3.4 Create the Storage Account
3.5 Create the Availability Set
3.6 Create the Public IP Address for VM-Series
3.7 Verify Resource Creaon Completed
Procedures
Azure has removed the opon to select an exisng resource group for marketplace soluons that enable mulple NICs.
To deploy the rewall into an exisng resource group, use the ARM template in the
GitHub Repository
or your own
custom ARM template.
This procedure group creates the resources listed in the following table as preparaon for deploying the VM-Series
rewalls.
Table 4 Azure resources required for deployment
Parameter Value Comments
Virtual network AzureRefArch-VNET Exisng VNet in the AzureRefArch resource group, in
which Panorama is already deployed
Resource Group AzureRefArch-Shared New resource group specically for the shared design
model
Storage account azurerefarchv2shared General purpose storage for VM-Series virtual le sys-
tems
Availability set AzureRefArch-Shared-AS New availability set for the VM-Series in the shared
design model
Public IP for VM-Series 1 aras-vmfw1 Public IP for management interface
Public IP for VM-Series 2 aras-vmfw2 Public IP for management interface
39Palo Alto Networks
Deployment Details for VM-Series
3.1 Create Whitelist Network Security Group
Azure requires that an NSG must be applied on a subnet or NIC of your virtual machine resource, or trac is not per-
mied to reach the resource when Standard SKU public IP addresses are associated with the resource.
This guide uses Standard-SKU IP addresses in all procedures except where specically
noted.
Note
This procedure creates a whitelist NSG for use with tesng, which is applied to all dataplane subnets. The intent of this
NSG is to simplify the troubleshoong process during early stages of deployment and tesng.
An Allow-ALL NSG permits access to devices with public IP addresses from the Inter-
net. We advise using more restricve rules outside of a tesng environment.
Caution
Step 1: In Home > Network Security groups, click Add.
Step 2: In the Name box, enter AllowAll-Subnet.
Step 3: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 4: Click Create.
Step 5: In Home > Network Security groups, click Add.
Step 6: In the Name box, enter AllowAll-Subnet.
Step 7: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 8: In Home > Network security groups > AllowAll-Subnet, in the SETTINGS secon, click Inbound security rules.
Step 9: Click Add. The Add inbound security rule pane appears.
Step 10: In the Desnaon port ranges box, enter *.
40Palo Alto Networks
Deployment Details for VM-Series
Step 11: In the Name box, enter AllowAll-Inbound.
Step 12: Click Add.
Azure presents warning messages when the Network Security Group rules expose vari-
ous ports to the Internet.
Note
3.2 Add Address Space and Subnets to the Virtual Network
The exisng virtual network (VNet) is modied to add addional IP address space and subnets. The rst entry in Table 5
has already been congured in a prior procedure.
Table 5 Virtual network IP addressing and subnets
Address space Subnet Address range Comments
192.168.1.0/24 Management 192.168.1.0/24 Inial address space, subnet and range (already
congured).
172.16.0.0/23 Shared-Public 172.16.1.0/24 New subnet
10.5.0.0/16 Shared-Private
Shared-Web
Shared-Business
Shared-DB
Shared-VPN
10.5.0.0/24
10.5.1.0/24
10.5.2.0/24
10.5.3.0/24
10.5.15.0/24
New subnet
New subnet
New subnet
New subnet
New subnet
Step 1: In Home > Virtual networks > AzureRefArch-VNET, click Address space.
Step 2: In the Add addional address space box, enter 172.16.0.0/23. A new box appears below.
41Palo Alto Networks
Deployment Details for VM-Series
Step 3: In the Add addional address space box, enter 10.5.0.0/16, and then click Save.
Step 4: In Home > Virtual networks > AzureRefArch-VNET, click Subnets.
Step 5: Click Subnet to add a new subnet.
Step 6: In the Name box, enter Shared-Public.
Step 7: In the Address Range (CIDR block) box, enter 172.16.1.0/24.
Step 8: Click in the Network security group secon. In the Resource list, select AllowAll-Subnet, and click OK.
Step 9: Repeat Step 4 through Step 8 for all of the subnets listed as New subnet in Table 5.
An NSG is not explicitly assigned to newly created subnets. You must assign an NSG to
any subnet that uses an Azure Standard SKU public IP address.
Azure documentaon states “If you do not have an NSG on a subnet or NIC of your
virtual machine resource, trac is not allowed to reach this resource.
During inial deployment and troubleshoong you may want to congure and use a
whitelist “Allow All” NSG to simplify vericaon.
This guide does not provide further recommendaons on how to properly cra and
congure the NSGs.
Caution
Step 10: Verify all subnets are created with the correct IP ranges and security group.
42Palo Alto Networks
Deployment Details for VM-Series
3.3 Create the Resource Group for the Shared Design Model
This guide uses two resource groups, one has already been created for Panorama and common resources. This proce-
dure creates a new resource group which contains all of the VM-Series devices and Azure load-balancer resources for
the Shared Design Model.
Resource groups are an administrave concept. Resources and devices in dierent
resource groups can communicate if they are located within a common VNet, or if their
VNets are interconnected.
Note
Step 1: In Home > Resource groups, click Add.
Step 2: In the Resource group name box, enter AzureRefArch-Shared and select the desired values for Subscripon
and Resource group locaon. Click Create.
3.4 Create the Storage Account
The VM-Series rewalls require general purpose storage for their virtual le systems and bootstrapping.
Step 1: In Home > Storage accounts, click Add.
Step 2: In the Name box, enter azurerefarchv2shared.
Step 3: In the Account kind list, select StorageV2 (general purpose v2).
Step 4: In the Replicaon box, select Locally-redundant storage (LRS).
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
43Palo Alto Networks
Deployment Details for VM-Series
Step 6: Click Create.
44Palo Alto Networks
Deployment Details for VM-Series
3.5 Create the Availability Set
The VM-Series resiliency model for Azure benets from the use of an availability set with two fault domains. This en-
sures that the VM-Series systems are distributed across dierent fault domains.
You can only congure an availability set on a virtual machine during its inial deploy-
ment. You can’t modify a virtual machine’s availability set conguraon aer the virtual
machine is deployed.
Note
Step 1: In Home > Availability sets, click Add.
Step 2: In the Name box, enter AzureRefArch-Shared-AS.
Step 3: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 4: In Use managed disks, select No (classic). This is required for the ARM template.
Step 5: Click Create.
3.6 Create the Public IP Address for VM-Series
The VM-Series devices deployed on Azure are managed using public IP addresses unless on-site network connecvity
has been established. The process to congure on-site network connecvity is included later in this guide.
This procedure creates a public IP address that is associated to the management interface of the VM-Series at deploy-
ment me. If necessary, this procedure is repeated to create addional public IP addresses for addional VM-Series
devices. The parameters listed in Table 4 are used to complete this procedure.
Take note of the FQDN that is dened by adding the locaon specic sux to your DNS name label. We recommend
managing your devices using the DNS name rather than the public IP address, which may change.
Step 1: In Home > Public IP addresses, click Add.
Step 2: In the Name box, enter aras-vmfw1.
Step 3: Select Standard SKU.
Step 4: In the DNS name label box, enter aras-vmfw1.
45Palo Alto Networks
Deployment Details for VM-Series
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 6: Click Create.
3.7 Verify Resource Creaon Completed
Some Azure deployments are me consuming and if any resources are missing, the deployment fails. It is quicker to
verify that all of the necessary resources exist before proceeding with a deployment than waing unl a deployment
fails.
46Palo Alto Networks
Deployment Details for VM-Series
Step 1: In Home > Resource Groups, select AzureRefArch-Shared.
Step 2: Verify that the resource group, public IP addresses, availability set, and storage account have been successfully
created.
Deploying VM-Series on Azure
4.1 Deploy VM-Series using Custom ARM Template
4.2 License VM-Series on Azure
4.3 Update Device Soware
Procedures
The following procedures are completed using the Azure Resource Manager deployed from an Azure Resource Man-
ager Template posted at GitHub. If you are already signed in to Azure at
hps://portal.azure.com
, the deployment from
GitHub uses the same session authorizaon.
Table 6 VM-Series deployment parameters
Parameter Value Comments
Resource group AzureRefArch-Shared Exisng
Locaon Tested in West US
VM name ARAS-VMFW1
ARAS-VMFW2
First device
Second device
Storage account name azurerefarchv2shared
Storage account exisng RG AzureRefArch-Shared
Fw Av Set AzureRefArch-Shared-AS
Table connued on next page
47Palo Alto Networks
Deployment Details for VM-Series
Connued table
Parameter Value Comments
VM size Standard_D3_v2 hps://www.paloaltonetworks.com/docu-
mentaon/80/virtualizaon/virtualizaon/
set-up-the-vm-series-rewall-on-azure/about-
the-vm-series-rewall-on-azure/minimum-sys-
tem-requirements-for-the-vm-series-on-azure
Public IP type standard Standard IP SKU required for use with Azure
Standard load-balancer
Image version latest
Image SKU byol
Virtual network name AzureRefArch-VNET Uses AzureRefArch-VNET in resource group
AzureRefarch
Virtual network address
prex
192.168.1.0/24 Match the inial IP address space from AzureRe-
fArch-VNET
Virtual network exisng RG
name
AzureRefArch
Subnet0Name Management
Subnet1Name Shared-Public
Subnet2Name Shared-Private
Subnet3Name Shared-VPN
Subnet0Prex 192.168.1.0/24
Subnet1Prex 172.16.1.0/24
Subnet2Prex 10.5.0.0/24
Subnet3Prex 10.5.15.0/24
Subnet0Start Address 192.168.1.6
192.168.1.7
First device
Second device
(start assignment from .6)
Subnet1Start Address 172.16.1.6
172.16.1.7
First device
Second device
(start assignment from .6)
Subnet2Start Address 10.5.0.6
10.5.0.7
First device
Second device
(start assignment from .6)
Subnet3Start address 10.5.15.6
10.5.15.7
First device
Second device
(start assignment from .6)
Admin username refarchadmin
Admin password <password>
Public IP address name aras-vmfw1
aras-vmfw2
First device
Second device
Nsg name None NSG is applied at subnet level
48Palo Alto Networks
Deployment Details for VM-Series
4.1 Deploy VM-Series using Custom ARM Template
Repeat this procedure for all VM-Series. This guide assumes that at least two VM-Series devices are created.
The custom Azure Resource Manager template used in this procedure has been developed and validated specically for
this deployment guide.
For template details and features, see :
hps://github.com/PaloAltoNetworks/ReferenceArchitectures/tree/master/Azure-1FW-4-interfaces-exisng-environment
Use the parameters in Table 6 to deploy each VM-Series.
Step 1: Deploy the VM-Series by clicking on the Deploy to Azure buon.
Step 2: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 3: In the Vm Name box, enter ARAS-VMFW1.
Step 4: In the Storage Account Name box, enter azurerefarchv2shared.
Step 5: In the Storage Account Exisng RG box, enter AzureRefArch-Shared.
Step 6: In the Fw Av Set box, enter AzureRefArch-Shared-AS.
Step 7: In the Vm Size list, select Standard_D3_v2.
Step 8: In the Public IP Type list, select standard.
Step 9: In the Image Version list, select latest.
Step 10: In the Image Sku list, select byol.
Step 11: In the Virtual Network Name box, enter AzureRefArch-VNET.
Step 12: In the Virtual Network Address Prex box, enter 192.168.1.0/24.
Step 13: In the Virtual Network Exisng RG Name box, enter AzureRefArch.
Step 14: In the Subnet0Name box, enter Management.
Step 15: In the Subnet1Name box, enter Shared-Public.
49Palo Alto Networks
Deployment Details for VM-Series
Step 16: In the Subnet2Name box, enter Shared-Private.
Step 17: In the Subnet3Name box, enter Shared-VPN.
Step 18: In the Subnet0Prex box, enter 192.168.1.0/24.
Step 19: In the Subnet1Prex box, enter 172.16.1.0/24.
Step 20: In the Subnet2Prex box, enter 10.5.0.0/24.
Step 21: In the Subnet3Prex box, enter 10.5.15.0/24.
Step 22: In the Subnet0Start Address box, enter 192.168.1.6.
Step 23: In the Subnet1Start Address box, enter 172.16.1.6.
Step 24: In the Subnet2Start Address box, enter 10.5.0.6.
Step 25: In the Subnet3Start Address box, enter 10.5.15.6.
Step 26: In the Admin Username box, enter refarchadmin.
Step 27: In the Admin Password box, enter the password.
Step 28: In the Public IP Address Name box, enter aras-vmfw1.
Step 29: In the Network Security Group box, enter None.
Step 30: Review the terms and condions. If they are acceptable, select I agree to the terms and condions.
Step 31: Click Purchase.
4.2 License VM-Series on Azure
Your VM-Series is now running on Azure but is unlicensed and using a factory default conguraon.
This procedure assumes that you have a valid authorizaon code for your VM-Series device(s) and have registered the
code on the Palo Alto Networks customer support portal (
hps://support.palotaltonetworks.com
).
Step 1: Log in to your VM-Series device (example:
hps://aras-vmfw1.westus.cloudapp.azure.com
).
50Palo Alto Networks
Deployment Details for VM-Series
Step 2: In Device > Setup > Management > General Sengs, click the edit cog.
Step 3: In the Domain box, enter the domain sux.
Step 4: In the Time Zone list, select the appropriate me zone (example: US/Pacic).
Step 5: In Device > Setup > Services > Services, click the edit cog.
Step 6: In the Primary DNS Server box, enter 168.63.129.16.
Step 7: Change to the NTP tab. In the Primary NTP Server secon NTP Server Address box, enter 0.pool.ntp.org.
Step 8:  In the Secondary NTP Server secon NTP Server Address box, enter 1.pool.ntp.org, and then click OK.
Step 9: Click Commit.
Step 10: In Device > Licenses, click Acvate feature using authorizaon code.
Step 11: In the Update License window, in the Authorizaon Code box, enter the authorizaon code (example
I1234567), and then click OK.
51Palo Alto Networks
Deployment Details for VM-Series
Step 12: Click OK to acknowledge the PAN services restart warning.
The VM-Series services are restarted aer the license is installed. Your management
session to the VM-Series must be refreshed aer the restart; this may take a few min-
utes.
Note
4.3 Update Device Soware
Step 1: Navigate to Device > Soware.
If you receive an Operaon Failed warning with the message No update informaon
available, you may click Close to acknowledge. No acon is required.
Note
Step 2: In Device > Soware, click Check Now.
Step 3: For version 8.1.2, in the Acons column, click Download. Click Close when complete.
Step 4: Aer the status in the Available column has changed to Downloaded, in the Acon column, click Install.
52Palo Alto Networks
Deployment Details for VM-Series
Step 5: When prompted to reboot the device, click Yes.
Step 6: Aer the reboot, in Device > Dynamic Updates, click Check Now.
Preparing VM-Series Firewall Conguraons Using Panorama
5.1 Congure Device Group
5.2 Congure Panorama Templates and Device Group
5.3 Select Azure-3-Zone Template for Conguraon
5.4 Congure Device Parameters
5.5 Create Zones and Virtual Routers
5.6 Create Management Proles
5.7 Create Ethernet Interfaces
5.8 Add Stac Routes to Virtual Routers
5.9 Commit Changes
5.10 Retrieve and Verify Logging Service License
5.11 Congure Logging-Service Template
Procedures
53Palo Alto Networks
Deployment Details for VM-Series
Panorama provides a number of tools for centralized administraon:
Hierarchical device groups—Panorama manages common policies and objects through hierarchical device
groups. Mul-level device groups are used to centrally manage the policies across all deployment locaons with
common requirements
Templates/template stacks—Panorama manages common device and network conguraon through templates.
You can use templates to manage conguraon centrally and then push the changes to all managed rewalls.
This approach avoids your making the same individual rewall change repeatedly across many devices. To make
things easier, you can stack templates and use them as building blocks for device and network conguraon.
5.1 Congure Device Group
This guide uses a single device group specic to the shared design model. The objects and policies are created in the
procedures that require them.
Step 1: In Panorama > Device Groups, click Add.
Step 2: In the Name box, enter Azure-Shared.
Step 3: In the Descripon box, enter a valid descripon.
Step 4: In the Parent Device Group box, verify the value is set to Shared, and then click OK.
5.2 Congure Panorama Templates and Device Group
The templates include conguraon for all funcons that are common across all the VM-Series devices in the shared
design model.
Two templates are used. The Azure-3-Zone template includes rewall networking funcons including interfaces,
zones, and virtual routers. The Logging Service template includes device funcons to enable the Logging Service. Both
templates are applied to devices using a Panorama template stack, which logically merges the assigned templates and
associates them with the relevant devices.
This procedure creates the templates that are used for subsequent procedures in this guide. The specic conguraons
for these templates are created within the relevant procedures. You create the template stack later in this guide, when
associang the rst device to the templates.
Step 1: In Panorama > Templates, click Add.
Step 2: In the Name box, enter Azure-3-Zone.
54Palo Alto Networks
Deployment Details for VM-Series
Step 3: In the Descripon box, enter a valid descripon, and then click OK.
Step 4: In Panorama > Templates, click Add.
Step 5: In the Name box, enter Logging Service.
Step 6: In the Descripon box, enter a valid descripon, and then click OK.
Step 7: On the Commit menu, click Commit to Panorama.
Step 8: Verify the addional tabs for Device Groups (Policies and Objects) and Templates (Network and Device) are
now visible on the Panorama management portal.
You may need to refresh the screen on the secondary Panorama and navigate to a dif-
ferent tab before the addional tabs becomes visible.
Note
5.3 Select Azure-3-Zone Template for Conguraon
Step 1: Log in to your Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
)
Step 2: Navigate to Templates > Device.
Step 3: In the Template list, select Azure-3-Zone.
5.4 Congure Device Parameters
This procedure ensures that DNS and NTP are congured consistently across all devices.
Step 1: In Templates > Device > Setup > Services > Global > Services, click the Edit cog.
Step 2: In the Primary DNS Server box, enter 168.63.129.16
55Palo Alto Networks
Deployment Details for VM-Series
Step 3: Change to the NTP tab. In the Primary NTP Server secon NTP Server Address box, enter 0.pool.ntp.org.
Step 4:  In the Secondary NTP Server secon NTP Server Address box, enter 1.pool.ntp.org, and then click OK.
5.5 Create Zones and Virtual Routers
Table 7 Zone and virtual router sengs
Zone name Zone type Virtual router name
Public Layer3 VR-Public
Private Layer3 VR-Private
VPN Layer3 VR-VPN
Step 1: In Templates > Network > Zones, click Add. The Zone window appears.
Step 2: In the Name box, enter Public.
Step 3: In the Type list, select Layer3, and then click OK.
Step 4: In Templates > Network > Virtual Routers, click Add. The Virtual Router conguraon window appears.
56Palo Alto Networks
Deployment Details for VM-Series
Step 5: In the Name box, enter VR-Public, and then click OK.
Step 6: Repeat Step 1 through Step 5 for all rows in Table 7.
5.6 Create Management Proles
The load-balancer health-checks use HTTPS probes towards the rewall’s dataplane interfaces. The rewall blocks
responses to these probes by default. Interface management proles are used to override the default block operaon.
A single management prole may be applied to mulple interfaces. We recommend
separate management proles per interface, if required, to allow for dierent manage-
ment policies.
Note
Step 1: In Templates > Network > Network Proles > Interface Mgmt, click Add. The Interface Management Prole
conguraon window appears.
Step 2: In the Name box, enter MP-Public.
Step 3: In the Administrave Management Services secon, select HTTPS.
Step 4: In the Permied IP Addresses pane, click Add.
57Palo Alto Networks
Deployment Details for VM-Series
Step 5: Enter 168.63.129.16/32, and then click OK.
Step 6: Repeat Step 1 through Step 5 for MP-Private and MP-VPN.
5.7 Create Ethernet Interfaces
Although the VM-Series is not a modular hardware plaorm, assign interfaces to Slot 1
when using Panorama templates for the VM-Series.
Note
Table 8 Azure-3-zone template interface sengs
Slot Interface Interface type Virtual router Security zone IPv4
Management
profile
Slot 1 ethernet1/1 Layer3 VR-Public Public DHCP Client MP-Public
Slot 1 ethernet1/2 Layer3 VR-Private Private DHCP Client MP-Private
Slot 1 ethernet1/3 Layer3 VR-VPN VPN DHCP Client MP-VPN
58Palo Alto Networks
Deployment Details for VM-Series
Step 1: In Templates > Network > Interfaces > Ethernet, click Add Interface. The Ethernet Interface conguraon
window appears.
Step 2: In the Slot list, select Slot 1.
Step 3: In the Interface Name list, select ethernet1/1.
Step 4: In the Interface Type list, select Layer3.
Step 5: In the Assign Interface To Virtual Router list, select VR-Public.
Step 6: In the Assign Interface To Security Zone list, select Public.
Step 7: Change to the IPv4 tab.
Step 8: Select DHCP client.
Step 9: Select Enable and clear Automacally create default route poinng to default gateway provided by server.
Step 10: Change to the Advanced tab.
59Palo Alto Networks
Deployment Details for VM-Series
Step 11: In the Management Prole list, select MP-Public, and then click OK.
Step 12: Click Yes to accept the interface management prole Warning.
Step 13: Repeat Step 1 through Step 11 for all rows in Table 8.
5.8 Add Stac Routes to Virtual Routers
Each of the three virtual routers requires stac route conguraon. Repeat this procedure three mes, using the values
in the appropriate table:
When conguring stac routes for VR-Public, use the values in Table 9.
When conguring stac routes for VR-Private, use the values in Table 10.
When conguring stac routes for VR-VPN, use the values in Table 11.
60Palo Alto Networks
Deployment Details for VM-Series
Table 9 VR-Public IPv4 stac routes
Name Destination prefix Interface Next-hop Next-hop value
default 0.0.0.0/0 ethernet1/1 IP Address 172.16.1.1
Azure-Probe 168.63.129.16/32 ethernet1/1 IP Address 172.16.1.1
Net-10.5.0.0 10.5.0.0/16 None Next VR VR-Private
Table 10 VR-Private IPv4 stac routes
Name Destination prefix Interface Next-hop Next-hop value
default 0.0.0.0/0 None Next VR VR-External
Azure-Probe 168.63.129.16/32 ethernet1/2 IP Address 10.5.0.1
Net-10.5.1.0 10.5.1.0/24 ethernet1/2 IP Address 10.5.0.1
Net-10.5.2.0 10.5.1.0/24 ethernet1/2 IP Address 10.5.0.1
Net-10.5.3.0 10.5.1.0/24 ethernet1/2 IP Address 10.5.0.1
Net-10.6.0.0 10.6.0.0/24 None Next VR VR-VPN
Table 11 VR-VPN IPv4 stac routes
Name Destination prefix Interface Next-hop Next-hop value
Azure-Probe 168.63.129.16/32 ethernet1/3 IP Address 10.5.15.1
Net-10.6.0.0 10.6.0.0/24 ethernet1/3 IP Address 10.5.15.1
Net-10.5.0.0 10.5.0.0/16 None Next VR VR-Private
Step 1: In Templates > Network > Virtual Routers, click VR-Public. The Virtual Router conguraon window appears.
Step 2: On the Stac Routes tab, click Add. The Virtual Router —Stac Route—IPv4 conguraon window appears.
Step 3: In the Name box, enter default.
Step 4: In the Desnaon box, enter 0.0.0.0/0.
Step 5: In the Interface list, select ethernet1/1.
Step 6: In the Next Hop list, select IP Address and enter 172.16.1.1, click OK, and then click OK again.
61Palo Alto Networks
Deployment Details for VM-Series
Step 7: Aer adding all routes for this virtual router, click OK to close the Virtual Router window.
5.9 Commit Changes
Step 1: On the Commit menu, click Commit to Panorama.
5.10 Retrieve and Verify Logging Service License
Step 1: In Panorama > Licenses, click Retrieve license keys from license server.
Step 2: Verify that the Logging Service license is acve.
62Palo Alto Networks
Deployment Details for VM-Series
5.11 Congure Logging-Service Template
Step 1: Navigate to Templates > Device.
Step 2: In the Template list, select Logging-Service.
Step 3: In Templates > Device > Setup > Management > Logging Service, click the Edit cog.
Step 4: Select Enable Logging Service.
Step 5: Select Enable Enhanced Applicaon Logging.
Step 6: In Region list, select americas, and then click OK.
Step 7: In Templates > Device > Log Sengs > System, click Add. The Log Sengs—System conguraon window
appears.
Step 8: In the Name box, enter System Logs.
63Palo Alto Networks
Deployment Details for VM-Series
Step 9: Select Panorama/Logging Service, and then click OK.
Step 10: In Templates > Device > Log Sengs > Conguraon, click Add. The Log Sengs—Conguraon window
appears.
Step 11: In the Name box, enter Conguraon Logs.
Step 12: Select Panorama/Logging Service, and then click OK.
Step 13: On the Commit menu, click Commit to Panorama.
Managing VM-Series with Panorama
6.1 Add VM-Series to Panorama
6.2 Add VM-Series to Template Stack and Device Group
6.3 Refresh License to Enable Logging Service
Procedures
6.1 Add VM-Series to Panorama
This procedure is required for each new VM-Series device that is added to Azure. Later in this guide, you perform the
procedure to automacally bootstrap the VM-Series to register with Panorama.
64Palo Alto Networks
Deployment Details for VM-Series
Step 1: Log in to your VM-Series device (example:
hps://aras-vmfw1.westus.cloudapp.azure.com
).
Step 2: In Dashboard > General Informaon, record the Serial #.
Step 3: In Device > Setup > Management > Panorama Sengs, click the edit cog.
Step 4: In the Panorama Servers secon, in the top box, enter 192.168.1.4.
Step 5: If you are using Panorama High Availability, in the boom box, enter 192.168.1.5, and then click OK.
Step 6: Click Commit.
Step 7: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
)
Step 8: In Panorama > Managed Devices > Summary, click Add.
65Palo Alto Networks
Deployment Details for VM-Series
Step 9: In the Devices box, enter the serial number from Step 2, and then click OK.
Step 10: On the Commit menu, click Commit to Panorama.
Step 11: In Panorama > Managed Devices > Summary, verify that the device state of the VM-Series is Connected. It
may take a few minutes for the state to change.
6.2 Add VM-Series to Template Stack and Device Group
This procedure adds devices to the template stack and device groups. The template stack is created and congured
when you add the rst VM-Series device only.
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Opon 1: Template stack does not already exist
This opon creates a template stack.
Step 1: In Panorama > Templates, click Add Stack.
Step 2: In the Name box, enter Azure-Shared-Model.
Step 3: In the Templates pane, click Add. Enter Azure-3-Zone.
Step 4: In the Templates pane, click Add. Enter Logging-Service.
66Palo Alto Networks
Deployment Details for VM-Series
Opon 2: Template stack has already been created
This opon modies the exisng template stack.
Step 1: In Panorama > Templates, click Azure-Shared-Model.
Proceed with conguring the template stack.
Step 2: In the Devices pane, select ARAS-VMFW1 to assign it to the template stack, and then click OK.
Step 3: On the Commit menu, click Commit and Push.
The local conguraon on each VM-Series should now reect the template-based conguraon that was created on
Panorama. This includes interfaces, zones, virtual routers, management proles, and Logging Service.
Step 4: In Panorama > Device Groups, click Azure-Shared.
67Palo Alto Networks
Deployment Details for VM-Series
Step 5: In the Devices pane, select ARAS-VMFW1 to assign it to the device group, and then click OK.
Step 6: On the Commit menu, click Commit and Push.
Device group policies and objects are created in procedures later in this guide. The policies and objects for the Azure-
Shared device group are automacally pushed to the local devices from Panorama as they are created.
6.3 Refresh License to Enable Logging Service
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Step 2: In Panorama > Device Deployment > Licenses, click Refresh. The Refresh License Deployment window ap-
pears.
68Palo Alto Networks
Deployment Details for VM-Series
Step 3: In the Device Name column, select the VM-Series, and then click Refresh.
Step 4: Verify the details include Successfully installed license ‘Logging Service, and then click Close.
69Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Deployment Details for Azure Networking and
Firewall Policies
The VM-Series devices do not acvely forward trac within Azure unl they have been integrated into Azure network-
ing and the rewall policies for each trac prole have been created. You must complete the complementary proce-
dure groups in order support the trac proles in the shared design model.
Resiliency for the trac proles is implemented using Azure user-dened routes and Azure Load-Balancer these pro-
cedures are included in the rst procedure group. The trac proles within the shared design model each require a
unique rewall policy. A second procedure group congures the policies required for each trac prole.
Figure 6 Azure networking for shared design model
192.168.1.6
192.168.1.7
Ma nagemen t 192.168.1.0/24
172.16.1.6
(et h 1)
10.5.0.6
(et h 2)
Virtual Network
172.16.1.7
(et h 1)
10.5.0.7
(et h 2)
We b - 1 0. 5 . 1.0 / 24
Business - 1 0.5 . 2. 0 / 24
DB - 1 0. 5 .3. 0 / 24
10.5.15.6
(et h 3)
10.5.15.7
(et h 3)
VPN - 10.5.15.0/24
Private
1 0. 5 .0. 0 / 24
Pub lic
1 72 . 16 .1 . 0/ 24
10.5.0.21
aras-public-sh ar ed -we b
aras-public-sh ar ed -we b
aras-public-sh ar ed -we b
70Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Conguring Azure Networking and Services
7.1 Create the Public IP Address for the Azure Public Load-Balancer
7.2 Create the Azure Public Load-Balancer
7.3 Congure the Azure Public Load-Balancer
7.4 Create the Azure Internal Load-Balancer
7.5 Congure the Azure Internal Load-Balancer for Outbound Access
7.6 Congure the Azure Internal Load-Balancer for Inbound Access
7.7 Congure Azure User Dened Routes
7.8 Apply Route Tables to Subnets
Procedures
The following procedures are completed using the Azure Resource Manager. Sign in to Azure at
hps://portal.azure.com
.
7.1 Create the Public IP Address for the Azure Public Load-Balancer
This procedure creates a public IP address that is assigned as the frontend IP address for the Azure public load-balancer
for inbound trac to the web server resources.
Note the FQDN that is dened by adding the locaon specic sux to your DNS name label. You use this value in a
subsequent procedure when you create Panorama IP address objects for the Inbound Access trac prole.
Step 1: In Home > Public IP addresses, click Add.
Step 2: In the Name box, enter AzureRefArch-Public-Shared-Web.
Step 3: Select Standard SKU.
Step 4: In the DNS name label box, enter aras-public-shared-web.
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 6: Click Create.
Step 7: Record the value for the FQDN (example: aras-public-shared-web.westus.cloudapp.azure.com).
71Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
7. 2 Create the Azure Public Load-Balancer
You create the Azure Public Load-Balancer with a single public frontend IP address and associate it with the public
interfaces of a pair of VM-Series rewalls using oang IP.
Figure 7 Azure public load-balancer
172.16.1.6
(et h 1)
Virtual Network
172.16.1.7
(et h 1)
Pub lic
1 72 . 16 .1 . 0/ 24
aras-public-sh ar ed -we b
aras-public-sh ar ed -we b
aras-public-sh ar ed -we b
Step 1: In Home > Load Balancers, click Add.
Step 2: In the Name box, enter AzureRefArch-Shared-Public.
Step 3: In the Type secon, select Public.
Step 4: In the SKU secon, select Standard.
Step 5: Click the Public IP address secon, and then select AzureRefArch-Public-Shared-Web.
This address is associated with the default frontend IP conguraon (LoadBalancerFrontEnd). You may add addional
frontend IP addresses to the load-balancer if necessary aer it has been created.
Step 6: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
72Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 7: Click Create.
7. 3 Congure the Azure Public Load-Balancer
This procedure assumes that all of the VM-Series rewalls that are to be associated to the load-balancer have already
been deployed and does not include the steps to add a new rewall to an exisng backend pool.
Step 1: In Home > Load Balancers > AzureRefArch-Shared-Public, click Health probes.
Step 2: Click Add.
Step 3: In the Name box, enter HTTPS-Probe.
Step 4: In the Port box, enter 443, and then click OK.
73Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 5: In Home > Load Balancers > AzureRefArch-Shared-Public, click Backend pools.
Step 6: Click Add.
Step 7: In the Name box, enter Firewall-Layer.
Step 8: In the Virtual network list, select azurerefarch-vnet (X VM), where X is the total number of VM-Series re-
walls and Panorama virtual machines already deployed in your VNet.
Step 9: In the VIRTUAL MACHINE column, select a VM-Series to be added to this backend pool (example: aras-vm-
fw1).
Step 10: In the IP ADDRESS column, select the IP conguraon that is associated to the Shared-Public subnet. (ex-
ample: ipcong-untrust).
Step 11: Repeat Step 9 and Step 10 for all VM-Series rewalls that are to be assigned to this backend pool.
Step 12: Click Add.
Next, you create a load balancing rule for each required TCP port (Example: TCP/80, TCP/443).
Step 13: In Home > Load Balancers > AzureRefArch-Shared-Public, click Load balancing rules.
Step 14: Click Add.
74Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 15: In the Name box, enter AzureRefArch-Shared-Public-Web-80.
Step 16: In the Frontend IP address list, select LoadBalancerFrontEnd.
Step 17: In the Port box, enter 80.
Step 18: In the Backend port box, enter 80.
Step 19: In the Backend pool list, select Firewall-Layer.
Step 20: In the Health probe list, select HTTPS-Probe.
Step 21: In the Floang IP (direct server return) secon, select Enabled, and then click OK.
75Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
7.4 Create the Azure Internal Load-Balancer
You create the Azure Internal Load-Balancer with a single private frontend IP address and associate it with the private
interfaces of a pair of VM-Series rewalls.
Figure 8 Azure internal load-balancer for outbound access
10.5.0.6
(et h 2)
Virtual Network
10.5.0.7
(et h 2)
We b - 1 0. 5 .1. 0 / 24
Business - 1 0.5 . 2.0 / 24
DB - 1 0. 5 .3. 0 / 24
Private
1 0. 5 .0. 0 / 24
10.5.0.21
You use the frontend IP address as the roung next-hop for desnaon addresses on the public networks and the
internet.
Step 1: In Home > Load Balancers, click Add.
Step 2: In the Name box, enter AzureRefArch-Shared-Internal.
Step 3: In the Type secon, select Internal.
Step 4: In the SKU secon, select Standard.
Step 5: Click the Virtual network Choose a virtual network secon, and select AzureRefArch-VNET.
Step 6: Click the Subnet Choose a subnet secon, and select Shared-Private.
Step 7: In the IP address assignment secon, select Stac.
Step 8: In the Private IP address box, enter 10.5.0.21. This address is associated with the default frontend IP congu-
raon (LoadBalancerFrontEnd), which is used for outbound access. Addional frontend IP addresses may be added to
the load-balancer if necessary aer it has been created.
76Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 9: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 10: Click Create.
7. 5 Congure the Azure Internal Load-Balancer for Outbound Access
Step 1: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Health probes.
Step 2: Click Add.
Step 3: In the Name box, enter HTTPS-Probe.
77Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 4: In the Port box, enter 443, and then click OK.
Step 5: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Backend pools.
Step 6: Click Add.
Step 7: In the Name box, enter Firewall-Layer-Private.
Step 8: In the Virtual network list, select azurerefarch-vnet (X VM), where X is the total number of VM-Series re-
walls and Panorama virtual machines already deployed in your VNet.
Step 9: In the VIRTUAL MACHINE column, select a VM-Series to be added to this backend pool (example: aras-vm-
fw1).
Step 10: In the IP ADDRESS column, select the IP conguraon that is associated to the Shared-Private subnet. (ex-
ample: ipcong-trust).
Step 11: Repeat Step 9 and Step 10 for all VM-Series rewalls that are to be assigned to this backend pool.
Step 12: Click Add.
Step 13: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Load balancing rules.
Step 14: Click Add.
Step 15: In the Name box, enter Private-All-Ports.
Step 16: In the Frontend IP address list, select LoadBalancerFrontEnd.
Step 17: Select HA ports.
Step 18: In the Backend pool list, select Firewall-Layer-Private.
78Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 19: In the Health probe list, select HTTPS-Probe, and then click OK.
7. 6 Congure the Azure Internal Load-Balancer for Inbound Access
This procedure is required only if you have resources in the Shared-Public subnet that need access to the private net-
works. Because this subnet uses Azure internal addressing, you cannot use the public load-balancer but instead use an
addional frontend IP address and backend pool on the internal load-balancer.
79Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Figure 9 Azure internal load-balancer for inbound access
172.16.1.6
(et h 1)
Virtual Network
172.16.1.7
(et h 1)
Pub lic
1 72 . 16 .1 . 0/ 24
172.16.1.21
The frontend IP address is used as the roung next-hop for desnaon address on the private networks.
Step 1: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Frontend IP conguraon.
Step 2: Click Add.
Step 3: In the Name box, enter Internal-Frontend-Public.
Step 4: In the Subnet list, select Shared-Public.
Step 5: In the Assignment secon, select Stac.
Step 6: In the IP address box, enter 172.16.1.21.
Step 7: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Backend pools.
Step 8: Click Add.
Step 9: In the Name box, enter Firewall-Layer-Public.
Step 10: In the Virtual network list, select azurerefarch-vnet (X VM), where X is the total number of VM-Series re-
walls and Panorama virtual machines already deployed in your VNet.
80Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 11: In the VIRTUAL MACHINE column, select a VM-Series to be added to this backend pool (example: aras-
vmfw1).
Step 12: In the IP ADDRESS column, select the IP conguraon that is associated to the Shared-Public subnet. (ex-
ample: ipcong-untrust).
Step 13: Repeat Step 11 and Step 12 for all VM-Series rewalls that are to be assigned to this backend pool.
Step 14: Click Add.
Step 15: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Load balancing rules.
Step 16: Click Add.
Step 17: In the Name box, enter Public-All-Ports.
Step 18: In the Frontend IP address list, select Internal-Frontend-Public.
Step 19: Select HA ports.
Step 20: In the Backend pool list, select Firewall-Layer-Public.
Step 21: In the Health probe list, select HTTPS-Probe, and then click OK.
7.7 Congure Azure User Dened Routes
Azure Networking automacally creates system routes for the address space dened in the VNet. Addional system
routes are also added to the Azure route table, including a default route to the internet and null routes for RFC-1918
and RFC-6598 ranges.
Override the Azure system routes with user-dened routes (UDRs) in order to isolate subnets and to logically insert
virtual devices such as load-balancers and rewalls into the trac forwarding path.
Data trac is not forwarded to the rewalls within the VNet unl UDRs are created to
direct trac to the rewalls. In a resilient environment, data trac is directed to load-
balancers that act as frontends for the rewalls contained in their backend pools.
Note
81Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Table 12 Azure system routes
Address space Address prefix Next-hop type
VNet dened 192.168.1.0/24 Virtual Network
VNet dened 172.16.0.0/23 Virtual Network
VNet dened 10.5.0.0/16 Virtual Network
Default (Azure dened) 0.0.0.0/0 Internet
RFC-1918 (Azure dened) 10.0.0.0/8 None
RFC-1918 (Azure dened) 172.16.0.0/12 None
RFC-1918 (Azure dened) 192.168.0.0/16 None
RFC-6598 (Azure dened) 100.64.0.0/10 None
If you add a UDR with the same prex and prex-length as a system route, the UDR becomes the acve route, and the
state of the original system route changes to an Invalid state.
If you add a UDR with a more specic prex that falls within the address space of a system route, the UDR becomes an
acve route, and the original system route also remains in an Acve state.
The use of UDR summary routes may have unexpected consequences. If you apply
a UDR summary to a subnet that falls within the summary but does not have a more
specic UDR, trac within the subnet (host to host) is controlled by the UDR.
As an example, if you applied a UDR for 10.5.0.0/16 with a next-hop of 10.5.0.21 (re-
wall load-balancer) to the 10.5.1.0/24 subnet, then trac between host 10.5.1.4 and
host 10.5.1.5 is routed through the rewall as intrazone trac. This eecvely causes
microsegmentaon.
Caution
Azure networking does not have a concept of equal cost paths; you cannot add mulple UDRs with same prex and
prex-length with dierent next-hops to perform trac load-balancing. The only method by which you may perform
load-balancing is by using UDRs to forward trac to an Azure load-balancing resource.
The eecve roung table aer adding UDRs is evaluated using tradional roung rules based on longest match of the
desnaon address.
82Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Figure 10 User-dened routes with shared design model
Virtual Network
Additional Private UDRsP ri vate UDRP ub li c UD RMg mt U DR
Internet
0.0.0.0/0
Publi c Ra ng e
172.16.0.0/23
Mg mt R ange
192.168.1.0/24
10.5.0.6 10.5.0.6None Virtual Network
Syst em Route
Virtual Network
Syst em Route
10.5.0.6 10.5.0.6
Virtual Network
Syst em Route
Virtual Network
Syst em Route
NoneNone None
10.5.0.6 Virtual Network
Syst em Route
10.5.0.6
Virtual Network
Syst em Route
172.16.1.6
10.5.0.6 10.5.0.6 Virtual Network
Syst em Route
Virtual Network
Syst em Route
10.5.0.6
Internet
Syst em Route
Internet
Syst em Route
10.5.0.6
Private Range
10.5.0.0/20
Private Range
10.5.0.0/2 0
Mgmt Range
192.168.1.0/24
P ub li c Ra nge
172.16.0.0/23
Management
Subnet
192.168.1.0/24
P ub l i c
Subnet
172.16.1.0/24
P ri v at e -FW
Subnet
10.5.0.0/2 4
DB
Subnet
10.5.3.0/2 4
Business
Subnet
10.5.2.0/2 4
Web
Subnet
10.5.1.0/2 4
Web Ran ge
10.5.1.0/24
Business Range
10.5.2.0/24
DB R ange
10.5.3.0/24
None
Table 13 Azure route tables
Subnet Route table name Resource group Table of UDRs
Management AzureRefArch-Management AzureRefArch Table 14
Shared-Public AzureRefArch-Shared-Public AzureRefArch-Shared Table 15
Shared-Private AzureRefArch-Shared-Private AzureRefArch-Shared Table 16
Shared-Web AzureRefArch-Shared-Web AzureRefArch-Shared Table 17
Shared-Business AzureRefArch-Shared-Business AzureRefArch-Shared Table 18
Shared-DB AzureRefArch-Shared-DB AzureRefArch-Shared Table 19
Table 14 Management subnet UDRs (192.168.1.0/24)
Route name Address prefix Next-hop type
Next-hop
address Comments
Blackhole-Public 172.16.0.0/23 None Block trac to Public IP address space
Blackhole-Private 10.5.0.0/20 None Block trac to Private IP address space
Table 15 Public subnet UDRs (172.16.1.0/24)
Route name Address prefix Next-hop type
Next-hop
address Comments
Blackhole-Management 192.168.1.0/24 None Block trac to Management IP
address space
Net-10.5.0.0 10.5.0.0/20 Virtual
Appliance
172.16.1.21 Frontend IP of load-balancer
83Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Table 16 Private subnet UDRs (10.5.0.0/24)
Route name Address prefix Next-hop type
Next-hop
address Comments
Blackhole-Management 192.168.1.0/24 None Block trac to Management IP
address space
Net-172.16.0.0 172.16.0.0/23 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
UDR-default 0.0.0.0/0 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer.
Overrides system route
Table 17 Web subnet UDRs (10.5.1.0/24)
Route name Address prefix Next-hop type
Next-hop
address Comments
Blackhole-Management 192.168.1.0/24 None Block trac to Management IP
address space
Net-172.16.0.0 172.16.0.0/23 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
UDR-default 0.0.0.0/0 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
Overrides system route
Net-10.5.2.0
(oponal for intrazone)
10.5.2.0/24 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
Net-10.5.3.0
(oponal for intrazone)
10.5.3.0/24 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
Table 18 Business subnet UDRs (10.5.2.0/24)
Route name Address prefix Next-hop type
Next-hop
address Comments
Blackhole-Management 192.168.1.0/24 None Block trac to Management IP
address space
Net-172.16.0.0 172.16.0.0/23 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
UDR-default 0.0.0.0/0 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer. Over-
rides system route
Net-10.5.1.0
(oponal for intrazone)
10.5.1.0/24 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
Net-10.5.3.0
(oponal for intrazone)
10.5.3.0/24 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
84Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Table 19 DB subnet UDRs (10.5.3.0/24)
Route name Address Prefix Next-hop type
Next-hop
address Comment
Blackhole-Management 192.168.1.0/24 None Block trac to Management IP
address space
Net-172.16.0.0 172.16.0.0/23 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
UDR-default 0.0.0.0/0 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer. Over-
rides system route
Net-10.5.1.0
(oponal for intrazone)
10.5.1.0/24 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
Net-10.5.2.0
(oponal for intrazone)
10.5.2.0/24 Virtual
Appliance
10.5.0.21 Frontend IP of load-balancer
Repeat this procedure for each entry in Table 13:
Step 1: In Home > Route tables, click Add.
Step 2: In the Name box, enter AzureRefArch-Management.
Step 3: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch, then click Create.
Step 4: In Home > Route tables > AzureRefArch-Management, click Routes.
85Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 5: Repeat these substeps for all entries in the table of UDRs:
In Home > Routes tables > AzureRefArch-Management—Routes, click Add.
In the Route name box, enter Blackhole-Public.
In the Address prex box, enter 172.16.0.0/23.
In the Next hop type list, select None.
If the Next-hop type is Virtual appliance, then enter the Next hop address value and click OK.
7. 8 Apply Route Tables to Subnets
The UDRs take eect only aer the route table is associated with the subnet.
Step 1: In Home > Virtual networks > AzureRefArch-VNET, click Subnets.
Step 2: Click Management.
Step 3: Click the Route table secon, and then in the Resource pane, select AzureRefArch-Management.
Step 4: Click Save, and then click X to Close.
Step 5: Repeat Step 2 through Step 4 for each entry in Table 13.
86Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Using Panorama to Congure Centralized Security Policy and NAT Policy
8.1 Create Logging Prole for Logging Service
8.2 Inbound Access—Create Address Objects
8.3 Inbound Access—Congure NAT Policy
8.4 Inbound Access—Congure Security Policy
8.5 Outbound Access—Create Public IP Address and Associate with Firewall
8.6 Outbound Access—Create Address Objects
8.7 Outbound Access—Congure NAT Policy
8.8 Outbound Access—Congure Security Policy
8.9 East/West Trac
Procedures
This procedure group includes the objects, NAT policy rules, and security policy rules for each of the trac proles in
the shared design model:
Inbound access trac prole
Outbound access trac prole
East/West trac prole
Each trac prole is described and congured separately so that you can cover the signicant dierences in detail and
in context.
All procedures and steps in this procedure group are performed on Panorama.
Verify that you have selected the proper device group for the following procedures.
Note
8.1 Create Logging Prole for Logging Service
This procedure creates the log-forwarding prole to send security policy logs to Logging Service. This prole is associ-
ated to security policy rules used in each of three trac proles. Because the log forwarding prole is referenced in
every security policy rule, you must complete this procedure rst.
87Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Step 2: Navigate to Device Groups > Objects.
Step 3: In the Device Group list, select Azure-Shared.
Step 4: In Device Groups > Objects > Log Forwarding, click Add.
Step 5: In the Name box, enter LoggingService-Prole.
Step 6: Select Enable enhanced applicaon logging to Logging Service (including trac and url logs), and then click
OK.
8.2 Inbound Access—Create Address Objects
This procedure assumes that you have already deployed a set of web server resources in the Shared-Web subnet. In
a resilient web server model, the web servers are in a backend pool of an Azure internal load-balancer. The load-bal-
ancer frontend IP is referenced by security and NAT policy rules and should be dened as an address object (example:
10.5.0.20). This guide does not include the procedure to create this load-balancer or to create the web server resourc-
es.
88Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Table 20 Inbound trac address objects
Object name Description Type Type value
Host-Shared-Public-Web FQDN of public web
server
FQDN aras-public-shared-web.westus.cloudapp.azure.
com
Host-Shared-Private-
Web-ILB
IP address of private
internal load-balancer
IP Netmask 10.5.0.20
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Step 2: Navigate to Device Groups > Objects.
Step 3: In the Device Group list, select Azure-Shared.
Step 4: In Device Groups > Objects > Addresses, click Add.
Step 5: In the Name box, enter Host-Shared-Public-Web.
Step 6: In the Type list, select FQDN.
Step 7: In the Type value box, enter aras-public-shared-web.westus.cloudapp.azure.com, and then click OK.
Step 8: Repeat Step 4 through Step 7 for all rows in Table 20.
8.3 Inbound Access—Congure NAT Policy
This procedure uses NAT Pre Rules. These rules are logically evaluated prior to local rules and cannot be locally overrid-
den on the local device.
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
89Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 2: Navigate to Device Groups > Policies.
Step 3: In the Device Group list, select Azure-Shared.
Step 4: In Device Groups > Policies > NAT > Pre Rules, click Add.
Step 5: In the Name box, enter Inbound-Shared-Web.
Step 6: Change to the Original Packet tab.
Step 7: In the Source Zone pane, click Add and select Public.
Step 8: In the Desnaon Zone list, select Public.
Step 9: In the Desnaon Address pane, click Add and select Host-Shared-Public-Web.
Step 10: Change to the Translated Packet tab.
Step 11: In the Source Address Translaon secon, in the Translaon Type list, select Dynamic IP And Port.
Step 12: In the Source Address Translaon secon, in the Address Type list, select Interface Address.
Step 13: In the Source Address Translaon secon, in the Interface box, enter ethernet1/2.
Step 14: In the Desnaon Address Translaon secon, in the Translaon Type list, select Stac IP.
90Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 15: In the Desnaon Address Translaon secon, in the Translated Address list, select Host-Shared-Private-
Web-ILB.
Step 16: Change to the Ta rge t tab.
Step 17: Verify that Any (target to all devices) is selected.
Make sure to target all devices in the device group; otherwise, the policy rule will not be
automacally applied to new group members.
Caution
8.4 Inbound AccessCongure Security Policy
This procedure uses security Pre Rules. These rules are logically evaluated prior to local rules and cannot be locally
overridden on the local device.
The security policy example for the Inbound Access Prole permits these applicaons:
web-browsing
SSL (ssl)
Add addional applicaons to your policy as required.
Step 1: In Device Groups > Policies > Security > Pre Rules, click Add.
91Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 2: In the Name box, enter Inbound-Shared-Web.
Step 3: Change to the Source tab.
Step 4: In the Source Zone pane, click Add and select Public.
Step 5: Change to the Desnaon tab.
Step 6: In the Desnaon Zone pane, click Add and select Private.
Step 7: In the Desnaon Address pane, click Add and select Host-Shared-Public-Web.
Step 8: Change to the Applicaon tab.
Step 9: In the Applicaons pane, click Add and enter/search/select web-browsing.
Step 10: In the Applicaons pane, click Add and enter/search/select ssl.
Step 11: Change to the Service/URL Category tab.
Step 12: In the Service pane, select applicaon-default.
Step 13: Change to the Acons tab.
Step 14: In the Acon Seng secon, in the Acon list, select Allow.
Step 15: In the Log Seng secon, in the Log Forwarding list, select LoggingService-Prole.
Step 16: Change to the Ta rge t tab.
Step 17: Verify that Any (target to all devices) is selected, and then click OK.
92Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Make sure to target all devices (any) in the device group; otherwise, the policy rule will
not be automacally applied to new group members.
Caution
Step 18: On the Commit menu, click Commit and Push.
8.5 Outbound Access—Create Public IP Address and Associate with Firewall
For virtual machines behind the rewall to communicate to devices on the internet, the rewall must translate the
source IP address of the outbound trac to an IP address on the public subnet. The simplest method is to use dynamic
IP and port translaon to the rewall’s public interface IP address.
Azure then translates the source IP address again as the outbound trac leaves the VNet. Because the rewall’s public
interface is a member of the Azure public load-balancer backend pool, Azure networking performs translaon for only
TCP/UDP ports referenced in the acve load balancing rules. To support a broad range of services, create a new public
IP address for the public interface of each rewall used for outbound access. This method supports all TCP/UDP ports.
Step 1: In Home > Public IP addresses, click Add.
Step 2: In the Name box, enter aras-vmfw1-outbound.
Step 3: Select Standard SKU.
Step 4: In the DNS name label box, enter aras-vmfw1-outbound.
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 6: Click Create.
Step 7: Aer the address has been successfully created, in Home > Public IP address > aras-vmfw1-outbound, click
Associate.
Step 8: In the Associate Public IP address pane, in the Resource type list, select Network interface.
Step 9: In the Choose Network Interface pane, select the public interface of aras-vmfw1 (example: aras-vmfw1-eth1),
and then click OK.
93Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 10: Repeat this procedure for any addional rewalls used for outbound access.
8.6 Outbound Access—Create Address Objects
Network objects are created to simplify the creaon of NAT and security policy rules.
Table 21 Outbound trac address objects
Object name Description Type Type value
Net-10.5.1.0 Web subnet IP Netmask 10.5.1.0/24
Net-10.5.2.0 Business subnet IP Netmask 10.5.2.0/24
Net-10.5.3.0 DB subnet IP Netmask 10.5.3.0/24
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Step 2: Navigate to Device Groups > Objects.
Step 3: In the Device Group list, select Azure-Shared.
Step 4: In Device Groups > Objects > Addresses, click Add.
Step 5: In the Name box, enter Net-10.5.1.0.
Step 6: In the Type list, select IP Netmask.
Step 7: In the Type value box, enter 10.5.1.0/24, and then click OK.
Step 8: Repeat Step 4 through Step 7 for all rows in Table 21.
8.7 Outbound Access—Congure NAT Policy
This procedure uses NAT Pre Rules. These rules are logically evaluated prior to local rules and cannot be locally overrid-
den on the local device.
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Step 2: Navigate to Device Groups > Policies.
94Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 3: In the Device Group list, select Azure-Shared.
Step 4: In Device Groups > Policies > NAT > Pre Rules, click Add.
Step 5: In the Name box, enter Outbound-Internet.
Step 6: Change to the Original Packet tab.
Step 7: In the Source Zone pane, click Add and select Private.
Step 8: In the Desnaon Zone list, select Public.
Step 9: In the Source Address pane, click Add and select Net-10.5.1.0. Repeat this step for all objects in Table 21.
Step 10: Change to the Translated Packet tab.
Step 11: In the Source Address Translaon secon, in the Translaon Type list, select Dynamic IP And Port.
Step 12: In the Source Address Translaon secon, in the Address Type list, select Interface Address.
95Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 13: In the Source Address Translaon secon, in the Interface box, enter ethernet1/1.
Step 14: Change to the Ta rge t tab.
Step 15: Verify that Any (target to all devices) is selected.
Make sure to target all devices in the device group. Otherwise, the policy rule will not
be automacally applied to new group members.
Caution
8.8 Outbound Access—Congure Security Policy
This procedure uses security Pre Rules. These rules are logically evaluated prior to local rules and cannot be locally
overridden on the local device. This example uses a common outbound policy for all private subnets. If you wish to use
a dierenated policy, create separate rules for each subnet.
The security policy example for the Outbound Access Prole permits these applicaons:
web-browsing
SSL (ssl)
google-base
Add addional applicaons to your policy as required.
Step 1: In Device Groups > Policies > Security > Pre Rules, click Add.
Step 2: In the Name box, enter Outbound-Internet.
Step 3: Change to the Source tab.
96Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 4: In the Source Zone pane, click Add and select Private.
Step 5: In the Source Address pane, click Add and select Net-10.5.1.0. Repeat this step for all objects in Table 21
Step 6: Change to the Desnaon tab.
Step 7: In the Desnaon Zone pane, click Add and select Public.
Step 8: Change to the Applicaon tab.
Step 9: In the Applicaons pane, click Add and enter/search/select web-browsing.
Step 10: In the Applicaons pane, click Add and enter/search/select ssl.
Step 11: In the Applicaons pane, click Add and enter/search/select google-base.
Step 12: Change to the Service/URL Category tab.
Step 13: In the Service pane, select applicaon-default.
Step 14: Change to the Acons tab.
Step 15: In the Acon Seng secon, in the Acon list, select Allow.
Step 16: In the Log Seng secon, in the Log Forwarding list, select LoggingService-Prole.
Step 17: Change to the Ta rge t tab.
Step 18: Verify that Any (target to all devices) is selected, and then click OK.
Make sure to target all devices (any) in the device group; otherwise, the policy rule will
not be automacally applied to new group members.
Caution
Step 19: On the Commit menu, click Commit and Push.
97Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
8.9 East/West Trac
Trac that originates from a virtual machine within a private subnet—and is desned to a virtual machine in dierent
private subnet—routes to the rewall through a user-dened route table applied to the virtual machine’s subnet. Virtual
machines that can communicate to each other without the need for a rewall to protect the trac can be on the same
subnet, and virtual machines that do need trac protecon should be on dierent subnets.
Because the trac ow for the East/West Trac Prole always stays within the Private zone, the rewall security
policy uses a Rule Type of intrazone.
Because both ends of the communicaon are within the VNet, the rewall should not apply a NAT policy to trac
between private subnets.
Azure networking does not require the use of source NAT on the rewall to enforce
symmetry if both direcons of the ow pass through the same Azure internal load-bal-
ancer. The private subnets have UDRs direcng East/West trac to the rewall layer,
so NAT is not required.
Note
This procedure reuses objects already created in Procedure 8.6. If necessary, create addional objects using the same
procedure.
This procedure uses security Pre Rules. These rules are logically evaluated prior to local rules and cannot be locally
overridden on the local device. The example policy assumes three subnets with a granular policy with each as a source
to the other two desnaons.
Table 22 East/West security policy rules (example)
Source Destination Rule
Net-10.5.1.0 (web) Net-10.5.2.0 (business) Web-to-Business
Net-10.5.1.0 (web) Net-10.5.3.0 (DB) Web-to-DB
Net-10.5.2.0 (business) Net-10.5.1.0 (web) Business-to-Web
Net-10.5.2.0 (business) Net-10.5.3.0 (DB) Business-to-DB
Net-10.5.3.0 (DB) Net-10.5.1.0 (web) DB-to-Web
Net-10.5.3.0 (DB) Net-10.5.2.0 (business) DB-Business
The example security policy for the East/West Access Prole permits these applicaons:
SSH (ssh)
RDP (ms-rdp)
98Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Add addional required applicaons to your policy as needed.
Step 1: In Device Groups > Policies > Security > Pre Rules, click Add.
Step 2: In the Name box, enter Web-to-Business.
Step 3: In the Rule Type list, select intrazone.
Step 4: Change to the Source tab.
Step 5: In the Source Zone pane, click Add and select Private.
Step 6: In the Source Address pane, click Add and select Net-10.5.1.0.
Step 7: Change to the Desnaon tab.
99Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 8: In the Desnaon Address pane, click Add and select Net-10.5.2.0.
Step 9: Change to the Applicaon tab.
Step 10: In the Applicaons pane, click Add and enter/search/select ssh.
Step 11: In the Applicaons pane, click Add and enter/search/select ms-rdp.
Step 12: Change to the Service/URL Category tab.
Step 13: In the Service pane, select applicaon-default.
Step 14: Change to the Acons tab.
Step 15: In the Acon Seng secon, in the Acon list, select Allow.
Step 16: In the Log Seng secon, in the Log Forwarding list, select LoggingService-Prole.
Step 17: Change to the Ta rge t tab.
100Palo Alto Networks
Deployment Details for Azure Networking and Firewall Policies
Step 18: Verify that Any (target to all devices) is selected, and then click OK.
Make sure to target all devices (any) in the device group; otherwise, the policy rule will
not be automacally applied to new group members.
Caution
Step 19: On the Commit menu, click Commit and Push.
101Palo Alto Networks
Deployment Details for Backhaul Connecon
Deployment Details for Backhaul Connecon
Use the following procedure groups to build an IPSec VPN connecon for backhaul between Azure and your on-site
network over the internet. The VPN endpoints used are the Azure Virtual Network Gateway (VNG) and an on-site Lo-
cal Network Gateway (LNG). The LNG used in this guide is a Palo Alto Networks next-generaon rewall.
Figure 11 Backhaul connecon to on-site network
192.168.1.6
192.168.1.7
Ma nagement 192.168.1.0/24
10.5.0.6
(et h 2)
Virtual Network
10.5.0.7
(et h 2)
We b - 1 0. 5 . 1.0 / 24
Business - 1 0.5 . 2. 0 /24
DB - 1 0. 5 . 3. 0 / 24
10.5.15.6
(et h 3)
10.5.15.7
(et h 3)
VPN - 10.5.15.0/24
Private
1 0. 5 .0. 0 / 24
10.5.0.21
10.5.15.21
VNG
104.42.215.219
LNG
(firewall)
Gateway Sub ne t - 10.5.40.0/24
104.42.56.196
Internet
Local Network 1 0. 6 .0. 0 / 16
The connecon from Azure to the on-site network was tested and validated only with a
specic design and includes two opons: stac roung and BGP roung. Other variants
to the backhaul design may work with similar conguraons but have not been explicitly
tested.
Note
A resilient design for the backhaul uses a pair of connecons from Azure to the on-site network and must use BGP
roung. An addional LNG is deployed on-site to terminate the second connecon from the Azure VNG. Roung will
be congured to prefer the rst connecon as acve and the second connecon as standby to ensure that trac is
routed symmetrically between the on-site network and Azure.
Every Azure VPN gateway consists of two instances in an acve-standby congura-
on. For any planned maintenance or unplanned disrupon that happens to the acve
instance, the standby instance would take over automacally and resume the VPN
connecons.
Note
102Palo Alto Networks
Deployment Details for Backhaul Connecon
Figure 12 Resilient backhaul connecon
Virtual Network
VNG
104.42.215.219
Gateway Sub ne t - 10.5.40.0/24
Internet
Local Network 1 0. 6 .0. 0 / 16
LNG-2
(firewall)
104.42.56.197
LNG-1
(firewall)
104.42.56.196
Conguring Azure Networking for Backhaul Connecon
9.1 Congure the Azure Internal Load-Balancer for Backhaul
9.2 Congure Azure User Dened Routes
9.3 Apply Route Tables to Subnets
9.4 Modify Exisng Route Tables
9.5 Create the VPN Gateway Subnet.
9.6 Create Public IP for VPN Gateway
9.7 Deploy Virtual Network Gateway on Azure
9.8 Create Local Network Gateway
9.9 Create VPN Connecon from VNG to LNG
Procedures
103Palo Alto Networks
Deployment Details for Backhaul Connecon
This procedure group relies on the following assumpons:
The on-site local network IP address block is 10.6.0.0/16.
The exisng on-site rewall must have a stacally assigned public IP address.
The Azure subnet reachable for Panorama and VM-Series management is 192.168.1.0/24.
The Azure subnets reachable for in-band access (Web, DB, Business) included within the IP address range are
10.5.0.0/20.
Use the Azure Resource Manager to complete the following procedures. Sign in to Azure at
hps://portal.azure.com
.
9.1 Congure the Azure Internal Load-Balancer for Backhaul
Because the VPN gateway subnet uses Azure internal addressing, you use an addional frontend IP address and back-
end pool on the internal load-balancer.
Figure 13 Azure internal load-balancer for backhaul
Virtual Network
10.5.15.6
(et h 3)
10.5.15.7
(et h 3)
VPN - 10.5.15.0/24
10.5.15.21
VNG
104.42.215.219
LNG
(firewall)
Gateway Sub ne t - 10.5.40.0/24
104.42.56.196
Internet
Local Network 1 0. 6 .0. 0 / 16
The frontend IP address is used as the roung next-hop for desnaon addresses on the private networks.
Step 1: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Frontend IP conguraon.
Step 2: Click Add.
Step 3: In the Name box, enter Internal-Frontend-VPN.
Step 4: In the Subnet list, select Shared-VPN.
104Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 5: In the Assignment secon, select Stac.
Step 6: In the IP address box, enter 10.5.15.21.
Step 7: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Backend pools.
Step 8: Click Add.
Step 9: In the Name box, enter Firewall-Layer-VPN.
Step 10: In the Virtual network list, select azurerefarch-vnet (X VM), where X is the total number of VM-Series re-
walls and Panorama virtual machines already deployed in your VNet.
Step 11: In the VIRTUAL MACHINE column, select a VM-Series to be added to this backend pool (example: aras-
vmfw1).
Step 12: In the IP ADDRESS column, select the IP conguraon that is associated to the Shared-Public subnet. (ex-
ample: ipcong-dmz).
Step 13: Repeat Step 11 and Step 12 for all VM-Series rewalls that are to be assigned to this backend pool.
Step 14: Click Add.
Step 15: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Load balancing rules.
Step 16: Click Add.
Step 17: In the Name box, enter VPN-All-Ports.
Step 18: In the Frontend IP address list, select Internal-Frontend-VPN.
Step 19: Select HA ports.
Step 20: In the Backend pool list, select Firewall-Layer-VPN.
Step 21: In the Health probe list, select HTTPS-Probe, and then click OK.
105Palo Alto Networks
Deployment Details for Backhaul Connecon
9. 2 Congure Azure User Dened Routes
This procedure relies on the following assumpons:
The on-site local network IP address block is 10.6.0.0/16.
The exisng on-site rewall BGP peer address (assigned to tunnel interface) is 10.6.2.255.
The exisng on-site rewall must have a stacally assigned public IP address.
The Azure subnet reachable for Panorama and VM-Series management is 192.168.1.0/24.
The Azure subnets reachable for in-band access (Web, DB, Business) included within the IP address range are
10.5.0.0/20.
Table 23 Azure route tables
Subnet Route table name Resource group Table of UDRs
Shared-VPN AzureRefArch-Shared-VPN AzureRefArch-Shared Table 24
GatewaySubnet AzureRefArch-VPNGateway AzureRefArch Table 25
Table 24 VPN subnet UDRs (10.5.15.0/24)
Route name Address prefix Next-hop type
Next-hop
address Comments
Blackhole-Management 192.168.1.0/24 None Block trac to Management IP
address space
Blackhole-Public 172.16.0.0/23 None Block trac to Public IP address
space
Table 25 VPN gateway subnet UDRs (10.5.40.0/24)
Route name Address prefix Next-hop type
Next-hop
address Comments
Blackhole-Public 172.16.0.0/23 None Block trac to Public IP address
space
Net-10.5.0.0 10.5.0.0/20 Virtual
Appliance
10.5.15.21 Frontend IP of load-balancer
106Palo Alto Networks
Deployment Details for Backhaul Connecon
Repeat this procedure for each entry in Table 23:
Step 1: In Home > Route tables, click Add.
Step 2: In the Name box, enter AzureRefArch-Shared-VPN.
Step 3: In the Resource Group secon, choose Use Exisng, select AzureRefArch-Shared, and then click Create.
Step 4: In Home > Route tables > AzureRefArch-Shared-VPN, click Routes.
Step 5: Repeat these substeps for all entries in the table of UDRs:
In Home > Routes tables > AzureRefArch-VPN—Routes, click Add.
In the Route name box, enter Blackhole-Public.
In the Address prex box, enter 172.16.0.0/23.
In the Next hop type list, select None.
If the Next-hop type is Virtual appliance, then enter the Next-hop address value and click OK.
9.3 Apply Route Tables to Subnets
The UDRs only take eect aer the route table is associated with the subnet.
Step 1: In Home > Virtual networks > AzureRefArch-VNET, click Subnets.
Step 2: Click Shared-VPN.
Step 3: Click the Route table secon, and in the Resource pane, select AzureRefArch-Shared-VPN.
Step 4: Click Save, and then click X to Close.
9.4 Modify Exisng Route Tables
Azure networking routes trac from all subnets to the on-site network range directly to the VNG by default. This
design allows implicit access for the Management subnet to support in-band management of Panorama and the VM-
Series.
To block the trac or enforce a rewall policy requires that you create UDRs. Congure the UDRs to explicitly blocked
trac to the on-site network from the public subnet. Congure the UDRs to redirect trac from all other subnets to
the rewall layer for policy enforcement.
107Palo Alto Networks
Deployment Details for Backhaul Connecon
The route tables in Table 26 were originally created in Procedure 7.7. Modify the route tables listed in Table 26 by
adding the addional specied routes. If you have addional on-site prexes, then each prex requires a UDR in each
roung table.
When adding addional on-site networks, you must manually update the route tables
to block and redirect to the new prexes as they are added. This step is required even
when running dynamic BGP roung.
Caution
Table 26 Route table modicaons for backhaul
Route table name Route name
Address
prefix
Next-hop
type
Next-hop
address Comments
AzureRefArch-Shared-Public Blackhole-
OnSite
10.6.0.0/16 None Block trac to On-site IP
address space
AzureRefArch-Shared-Private Net-10.6.0.0 10.6.0.0/16 Virtual
appliance
10.5.0.21 Frontend IP of load-
balancer
Access to on-site network
through the rewall layer
AzureRefArch-Shared-Web Net-10.6.0.0 10.6.0.0/16 Virtual
appliance
10.5.0.21 Frontend IP of load-
balancer
Access to on-site network
through the rewall layer
AzureRefArch-Shared-Busi-
ness
Net-10.6.0.0 10.6.0.0/16 Virtual
appliance
10.5.0.21 Frontend IP of load-
balancer
Access to on-site network
through the rewall layer
AzureRefArch-Shared-DB Net-10.6.0.0 10.6.0.0/16 Virtual
appliance
10.5.0.21 Frontend IP of load-
balancer
Access to on-site network
through the rewall layer
9. 5 Create the VPN Gateway Subnet.
This procedure adds a new subnet for the VPN Gateway to the exisng VNet.
Step 1: In Home > Virtual networks > AzureRefArch-VNET, click Subnets.
Step 2: Click Gateway subnet to add a new gateway subnet.
108Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 3: In the Address Range (CIDR block) box, enter 10.5.40.0/24.
Step 4: Click the Route table secon, select AzureRefArch-VPNGateway, and then click OK.
9.6 Create Public IP for VPN Gateway
Step 1: In Home > Public IP addresses, click Add.
Step 2: In the Name box, enter AzureRefArch-VNG-Public.
Step 3: Select Basic SKU.
Do not choose a Standard IP SKU for the public IP address of your Virtual Network
Gateway. The Standard IP SKU uses only stac IP address assignment. Azure Resource
Manager does not permit this selecon and presents the following error: “Stac public
IP address can only be assigned to load-balancers.
Note
Step 4: In the IP address assignment secon, select Dynamic.
In the DNS name label box, do not enter a value. Azure does not support dynamic reso-
luon of the FQDN for a VPN gateway.
Note
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 6: Click Create.
The on-premise rewall requires a peer IP address for the Azure VNG. The actual IP address is not assigned by Azure
unl the VNG is created and the public IP address is associated.
9.7 Deploy Virtual Network Gateway on Azure
This procedure includes two roung opons, stac roung and dynamic roung with BGP. The stac roung opon
is simpler to congure but requires manual modicaon for any roung changes. The BGP opon is more complex to
inially congure but is easier to operate and maintain in a rapidly changing environment.
Refer to Figure 14 for this and the following procedures.
109Palo Alto Networks
Deployment Details for Backhaul Connecon
Figure 14 Backhaul roung opons—stac and BGP
Option 2: BGP Routing
Option 1: Static Routing
Red istribute routes
into BGP
VNG
LNG
Internet
P ub l i c I P:
104.42.215.219
BGP AS : 65 5 15
(10.5.40.254) BG P AS : 65 5 01
(10.6.1.255)
P ub l i c I P:
104.42.56.196
VN ET Ad dres s S pac e:
192.168.1.0/24
1 72 . 16 .1 . 0/ 23
10.5.0.0/16
LNG A ddre ss Space:
1 0. 6 .1. 2 5 5/ 32
VNG
LNG
Internet
P ub l i c I P:
104.42.215.219
P ub l i c I P:
104.42.56.196
VN ET Ad dres s S pac e:
192.168.1.0/24
1 72 . 16 .1 . 0/ 23
10.5.0.0/16
LNG A ddre ss Space:
10.6.0.0/16
Step 1: In Home > Virtual networks gateways, click Add.
Step 2: In the Name box, enter AzureRefArch-VNG.
Step 3: In the Gateway type secon, select VPN.
Step 4: In the VPN type secon, select Route-based.
Step 5: In the SKU list, select VpnGw1. The basic SKU does not support BGP or IKEv2.
Step 6: Click the Virtual Network secon, and then select AzureRefArch-VNET.
Step 7: Click the Public IP address secon, select Use exisng, and then select AzureRefArch-VNG-Public.
Step 8: If you’re conguring dynamic roung with BGP, select Congure BGP ASN, and then in the Autonomous sys-
tem number (ASN) box, accept the proposed default value of 65515.
110Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 9: Click Create.
Step 10: In Home > Public IP addresses > AzureRefArch-VNG-Public, record the IP address (Example:
104.42.215.219).
Step 11: If you congured BGP, then in Home > Virtual network gateways > AzureRefArch-VNG, click Conguraon.
111Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 12: Record the BGP peer IP address assigned to the virtual network gateway (Example: 10.5.40.254).
9.8 Create Local Network Gateway
The local network gateway corresponds to the on-premise rewall that terminates the IPSec VPN tunnel from Azure.
Step 1: In Home > Local network gateways, click Add.
Step 2: In the Name box, enter AzureRefArch-LNG-OnPrem.
Step 3: In the IP address box, enter the public IP address of the on-premise IPSec VPN peer (Example: 104.42.56.196).
Opon 1: Stac Roung
Step 1: In the Address space box, enter the IP prex that is reachable through the VPN tunnel. (Example: 10.6.0.0/16).
If mulple IP prexes are reachable, you must add the addional prexes by repeang this step mulple mes.
Step 2: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
112Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 3: Click Create.
Opon 2: Dynamic Roung with BGP
Step 1: In the Address space box, enter only the IP prex for the BGP peer address from the on-premise rewall this
LNG corresponds to. (Example: 10.6.1.255/32)
Step 2: Select Congure BGP sengs.
Step 3: In the Autonomous system number (ASN) box, enter 65501.
Step 4: In the BGP peer IP address box, enter 10.6.1.255.
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 6: Click Create.
113Palo Alto Networks
Deployment Details for Backhaul Connecon
9.9 Create VPN Connecon from VNG to LNG
Step 1: In Home > Connecons, click Add.
Step 2: In Home > Connecons > Create connecon > Basics, in the Connecon type list, select Site-to-site (IPsec).
Step 3: In the Resource Group secon, choose Use Exisng, select AzureRefArch, and then click OK.
Step 4: In Home > Connecons > Create connecon > Sengs, click the Virtual network gateway secon, and then
select AzureRefArch-VNG.
Step 5: Click the Local network gateway secon, and then select AzureRefArch-LNG-OnPrem.
Step 6: In the Connecon name box, enter AzureRefarch-to-OnPrem.
Step 7: In the Shared key (PSK) box, enter the value for the pre-shared key (complex password).
Step 8: If you congured BGP, select Enable BGP.
Step 9: Click OK.
Step 10: Review the Summary and if acceptable, click OK.
Conguring On-site Firewall for VPN Access to Azure
10.1 Congure Objects and Interfaces
10.2 Congure IKEv2 and IPSec
10.3 Congure Roung
10.4 Congure BGP
Procedures
These procedures assume the on-site rewall is congured and running with a public interface reachable from the
internet and a private interface with access to internal subnets. The rewall is already congured with a default virtual
router. DNS and NTP are congured.
The following procedures are completed on the on-site next-generaon rewall or VM-Series device. If you are using a
second resilient on-site rewall, this procedure group is repeated.
114Palo Alto Networks
Deployment Details for Backhaul Connecon
10.1 Congure Objects and Interfaces
Step 1: In Objects > Addresses, click Add.
Step 2: In the Name box, enter AzureRefArch-VNG-Public.
Step 3: In the Type list, select IP Netmask.
Step 4: In the Type value box, enter the public IP address that was assigned by Azure (Example: 104.42.215.219), and
then click OK.
Step 5: In Network > Zones, click Add. The Zone conguraon window appears.
Step 6: In the Name box, enter VPN.
Step 7: In the Type list, select Layer3, and then click OK.
Step 8: In Network > Interfaces, change to the Tunnel tab, and then click Add. The Tunnel Interface conguraon
window appears.
Step 9: In the Interface Name.subinterface box, enter 10.
Step 10: In the Virtual Router list, select default.
115Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 11: In the Security Zone list, select VPN.
If you are conguring the second device for resilient backhaul, use the value of
10.6.1.254/32 in Step 12.
Note
Step 12: If you congured BGP, change to the IPv4 tab. In the IP pane, click Add, enter 10.6.1.255/32, and then click
OK.
Step 13: Change to the Advanced tab.
Step 14: In the MTU box, enter 1424, and then click OK.
This value is used to minimize IP packet fragmentaon due to the tunnel and IPSec encapsulaon overhead.
Step 15: In Network Interfaces, click the public-facing Ethernet interface (example: ethernet1/1).
Step 16: Change to the Advanced tab.
Step 17: In the Other Info secon, select Adjust TCP MSS, and then click OK.
This feature is enabled to minimize IP packet fragmentaon due to the tunnel and IPSec encapsulaon overhead.
116Palo Alto Networks
Deployment Details for Backhaul Connecon
10.2 Congure IKEv2 and IPSec
Use the values specied in Table 27 for the steps in this procedure. The rewall can successfully negoate these values
with the Azure VNG without requiring any modicaon of the Azure default sengs. The strongest authencaon and
encrypon values that are compable with Azure are listed.
Table 27 IKEv2 and IPSec parameters
Parameter Value Description
IKEv2 DH group group2 Die-Helman Group 2
IKEv2 authencaon sha256 Secure Hash Algorithm 2 (SHA-2) with 256-bit digest
IKEv2 encrypon aes-256-cbc Advanced Encrypon Standard (AES) Cipher Block Chain-
ing (CBC) with 256-bit key
IKEv2 key lifeme mer 28800 Seconds
IKEv2 mer authencaon mulple 3 —
IPSec encrypon aes-256-gcm AES Galois Counter Mode (GCM) with 256-bit key
IPSec authencaon sha512 Secure Hash Algorithm 2 (SHA-2) with 512-bit digest
IPSec DH group no-pfs Perfect Forward Secrecy disabled
IPSec lifeme 3600 Seconds
Step 1: In Network > Network Proles > IKE Crypto, click Add. The IKE Crypto Prole conguraon window appears.
Step 2: In the Name box, enter Azure-IKEv2.
Step 3: In the DH Group pane, click Add and select group2.
Step 4: In the Authencaon pane, click Add and select sha256.
Step 5: In the Encrypon pane, click Add and select aes-256-cbc.
Step 6: In the Timers secon, in the Key Lifeme list, select Seconds and enter 28800.
117Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 7: In the Timers secon, in the IKEv2 Authencaon Mulple box, enter 3, and then click OK.
Step 8: In Network > Network Proles > IPSec Crypto, click Add. The IPSec Crypto Prole conguraon window ap-
pears.
Step 9: In the Name box, enter Azure-IPSec.
Step 10: In the Encrypon pane, click Add and select aes-256-gcm.
Step 11: In the Authencaon pane, click Add and select sha512.
Step 12: In the DH Group list, select no-pfs.
Step 13: In the Lifeme list, select Seconds and enter 3600, and then click OK.
118Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 14: In Network > Network Proles > IKE Gateways, click Add. The IKE Gateway conguraon window appears.
Step 15: In the Name box, enter OnPrem-to-AzureRefArch-IKEv2.
Step 16: In the Version list, select IKEv2 only mode.
Step 17: In the Interface list, select the public interface of the rewall (example: ethernet1/1).
Step 18: In the Peer IP Address Type secon, select IP.
Step 19: In the Peer Address list, select AzureRefArch-VNG-Public.
Step 20: In the Pre-shared Key box, enter the Shared key (PSK) that matches the VPN connecon congured on
Azure.
Step 21: In the Conrm Pre-shared Key box, re-enter the key.
Step 22: Change to the Advanced Opons tab.
Step 23: Select Enable NAT Traversal.
119Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 24: In the IKE Crypto Prole list, select Azure-IKEv2, and then click OK.
Step 25: In Network > IPSec Tunnels, click Add.
Step 26: In the Name box, enter OnPrem-to-AzureRefArch.
Step 27: In the Tunnel Interface list, select tunnel.10.
Step 28: In the IKE Gateway list, select OnPrem-to-AzureRefArch-IKEv2.
Step 29: In the IPSec Crypto Prole list, select Azure-IPSec.
Step 30: Select Show Advanced Opons.
120Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 31: Select Copy TOS Header, and then click OK.
10.3 Congure Roung
The stac roung opon requires the creaon of explicit stac routes for all Azure desnaon prexes. The dynamic
roung opon requires the creaon of a single stac route that corresponds to the Azure roung peer prex. All other
desnaons are dynamically learned using the roung protocol.
Table 28 Stac routes for on premise rewall
Name
Destination
prefix Interface Next-hop Next-hop value
Azure-192.168.1.0 192.168.1.0/24 tunnel.10 None
Azure-10.5.0.0 10.5.0.0/16 tunnel.10 None
Step 1: In Network > Virtual Routers, click default. The Virtual Router—default window appears.
Step 2: Change to the Stac Routes tab.
Opon 1: Stac Roung
Step 1: Click Add. The Virtual Router—Stac Route—IPv4 window appears.
Step 2: In the Name box, enter Azure-10.5.0.0.
Step 3: In the Desnaon box, enter 10.5.0.0/16.
121Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 4: In the Interface list, select tunnel.10.
Step 5: In the Next Hop list, select None, and then click OK.
Step 6: Repeat Step 1 through Step 5 for all stac routes in Table 28.
Step 7: Aer adding all routes for this virtual router, click OK to close the Virtual Router window.
Step 8: Click Commit.
Opon 2: Dynamic Roung with BGP
The BGP opon requires a stac host route to reach the Azure BGP peer.
Step 1: Click Add. The Virtual Router —Stac Route—IPv4 window appears.
Step 2: In the Name box, enter Azure-BGP-Router-ID.
Step 3: In the Desnaon box, enter 10.5.40.254/32.
122Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 4: In the Interface list, select tunnel.10.
Step 5: In the Next Hop list, select None, and then click OK.
Step 6: Click OK to close the Virtual Router window.
Step 7: Click Commit.
10.4 Congure BGP
(Oponal)
If you are using stac roung, skip this procedure.
This procedure requires that you have a BGP autonomous system number; the example uses 65501 for the on-site
rewall. The BGP peering conguraon uses the tunnel interface IP address of the rewall as the BGP Router ID.
Step 1: In Network > Virtual Routers, click default. The Virtual Router—default window appears.
Step 2: Change to the Redistribuon Prole tab, and click Add. The Redistribuon Prole IPv4 window appears.
This example redistributes the directly connected route for the subnet assigned to the
Private zone interface (ethernet1/2). If you are running a dynamic roung protocol in
your on-site network and rewall, then redistribute the routes from the roung protocol
instead of the connected route.
The use of a dynamic roung protocol is required to ensure symmetric roung when
using a resilient backhaul connecon.
Note
Step 3: In the Name box, enter Connected.
Step 4: In the Redistribute secon, select Redist.
Step 5: In the Priority box, enter 1.
Step 6: In the Source Type pane, select connect.
123Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 7: In the Interface pane, click Add, select ethernet1/2, and click OK.
Step 8: Change to the BGP tab.
Step 9: Select Enable.
If you are conguring the second device for resilient backhaul, use the value of
10.6.1.254 in Step 10.
Note
Step 10: In the Router ID box, enter 10.6.1.255.
Step 11: In the AS Number box, enter 65501.
124Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 12: In the Opons pane, select Install Route.
Step 13: Change to the Peer Group tab, and then click Add. The Virtual Router—BGP—Peer Group/Peer window ap-
pears.
Step 14: In the Name box, enter Azure.
Step 15: In the Peer pane, click Add. The Virtual Router—BGP—Peer Group—Peer window appears.
Step 16: In the Name box, enter AzureRefArch.
Step 17: In the Peer AS box, enter the autonomous system number assigned to the Azure virtual network gateway.
The default is 65515.
Step 18: In the Local Address pane, in the Interface list, select tunnel.10.
If you are conguring the second device for resilient backhaul, use the value of
10.6.1.254/32 in Step 19.
Note
Step 19: In the Local Address pane, in the IP list, select 10.6.1.255/32.
Step 20: In the Peer Address pane, in the IP box, enter the BGP peer IP address assigned by Azure to the virtual net-
work gateway (example: 10.5.40.254).
Step 21: Change to the Connecon Opons tab.
125Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 22: In the Mul Hop box, enter 2, and then click OK.
Step 23: Click OK to close the Virtual Router—BGP—Peer Group/Peer window.
126Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 24: Change to the Redist Rules tab, and then click Add. The Virtual Router—BGP—Redistribute Rules—Rule win-
dow appears.
Step 25: In the Name list, select Connected, and then click OK.
Step 26: Click OK to close the Virtual Router—default window.
Step 27: Click Commit.
Conguring Resilient Backhaul Connecon
11.1 Create the Second Local Network Gateway
11.2 Create VPN Connecon from VNG to LNG-2
11.3 Congure addional on-site rewall
Procedures
This procedure group includes the necessary steps to add a second backhaul connecon and congure BGP roung for
Azure to prefer the rst connecon if both LNGs are connected. The rst connecon must already be congured with
the BGP roung opon.
This procedure relies on the following assumpons:
The exisng on-site rewall BGP peer address (assigned to tunnel interface) is 10.6.2.254.
The second exisng on-site rewall must have a stacally assigned public IP address.
The on-site network is congured to use dynamic roung between the on-site rewalls and the internal private
network. The downstream router learns the Azure routes from both on-site rewalls and is congured to use
roung metrics to select the preferred path through the rst connecon.
BGP AS-Prepend is used to make the second connecon less preferred.
127Palo Alto Networks
Deployment Details for Backhaul Connecon
Figure 15 Resilient roung for backhaul connecon
LNG-1
BGP AS : 65 5 01
(10.6.1.255)
VN ET Ad dres s S pace:
192.168.1.0/24
1 72 . 16 .1 . 0/ 23
10.5.0.0/16
LNG-1 Ad dres s S pace:
1 0. 6 .1. 2 5 5/ 32
LNG-2
VNG
BGP AS : 65 5 15
(10.5.40.254)
BGP AS : 65 5 01
(10.6.1.254)
LNG-2 Ad dres s S pace:
1 0. 6 .1. 2 5 4/ 32
Dyn a mic
Ro uting
10.6.0.4
10.6.0.5
10.6.0.6
On-site Tran sit - 1 0. 6 .0. 0 / 24
11.1 Create the Second Local Network Gateway
The local network gateway corresponds to the second on-premise rewall that terminates the resilient IPSec VPN tun-
nel from Azure.
Step 1: In Home > Local network gateways, click Add.
Step 2: In the Name box, enter AzureRefArch-LNG-OnPrem-2.
Step 3: In the IP address box, enter the public IP address of the on-premise IPSec VPN peer (Example: 104.42.56.197).
Step 4: In the Address space box, enter only the IP prex for the BGP peer address from the on-premise rewall this
LNG corresponds to. (Example: 10.6.1.254/32)
Step 5: Select Congure BGP sengs.
Step 6: In the Autonomous system number (ASN) box, enter 65501.
Step 7: In the BGP peer IP address box, enter 10.6.1.254.
Step 8: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch.
Step 9: Click Create.
128Palo Alto Networks
Deployment Details for Backhaul Connecon
11.2 Create VPN Connecon from VNG to LNG-2
Step 1: In Home > Connecons, click Add.
Step 2: In Home > Connecons > Create connecon > Basics, in the Connecon type list, select Site-to-site (IPsec).
Step 3: In the Resource Group secon, choose Use Exisng, select AzureRefArch, and then click OK.
Step 4: In Home > Connecons > Create connecon > Sengs, click the Virtual network gateway secon, and then
select AzureRefArch-VNG.
Step 5: Click the Local network gateway secon, and then select AzureRefArch-LNG-OnPrem-2.
Step 6: In the Connecon name box, enter AzureRefarch-to-OnPrem.
Step 7: In the Shared key (PSK) box, enter the value for the pre-shared key (complex password).
Step 8: If you congured BGP, select Enable BGP.
Step 9: Click OK.
Step 10: Review the Summary and if acceptable, click OK.
11.3 Congure addional on-site rewall
This procedure congures a second on-site rewall to be used for the resilient backhaul connecon. Aer this rewall
is congured by repeang earlier procedures, then BGP is congured to make the second connecon less preferred.
The BGP conguraon prepends a second AS number to the routes adversed from the second rewall. Azure re-
ceive all prexes from both LNGs and uses the AS-path length to make its roung decision. This roung conguraon
ensures that Azure chooses the rst connecon when both are available when sending trac from Azure to the on-site
networks. This does not inuence the path secon in the opposite direcon.
If you do not congure on-site roung to prefer the rst connecon then asymmetric
roung will occur. Network trac is dropped because the rewalls don’t see both direc-
ons of the ow.
Caution
129Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 1: Repeat Procedure 10.1 through Procedure 10.4 to congure the second rewall using new values as specied
in the notes.
Step 2: In Network > Virtual Routers, click default. The Virtual Router—default window appears.
Step 3: Change to the BGP tab.
Step 4: Change to the Export tab.
Step 5: Click Add, The Virtual Router—BGP—Export Rule window appears.
Step 6: In the Rules box, enter AS-Prepend.
Step 7: In the Used By pane, click Add, and select Azure.
Step 8: Change to the Match tab.
130Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 9: In the AS Path Regular Expression box, enter ^$. This regular expression matches all prexes that are local to
this autonomous system.
Step 10: Change to the Acon tab.
Step 11: In the AS Path secon, in the Type list, select Prepend. In the Type value box, enter 2.
Step 12: Click OK to close the Virtual Router—BGP—Export Rule window.
131Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 13: Click OK to close the Virtual Router—default window.
Step 14: Click Commit.
Using Panorama to Congure Security and NAT for Backhaul Connecon
12.1 Backhaul Connecon—Create Address Objects
12.2 Backhaul Connecon—Congure NAT Policy
12.3 Backhaul Connecon—Congure Security Policy
Procedures
The security policy for the backhaul connecon is enforced at mulple locaons. The on-site rewall that terminates
the VPN tunnel to Azure can use security policy rules between the private zone and the VPN zone. The VM-Series
rewalls on Azure can use security policy rules between the VPN zone and the private zone.
Only the VM-Series policy is included in this guide.
12.1 Backhaul Connecon—Create Address Objects
This procedure reuses objects already created in Procedure 8.6. If necessary, create addional objects using the same
procedure. The table of objects (Table 21) is repeated here.
Table 29 Outbound trac address objects
Object name Description Type Type value
Net-10.5.1.0 Web subnet IP Netmask 10.5.1.0/24
Net-10.5.2.0 Business subnet IP Netmask 10.5.2.0/24
Net-10.5.3.0 DB subnet IP Netmask 10.5.3.0/24
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Step 2: Navigate to Device Groups > Objects.
Step 3: In the Device Group list, select Azure-Shared.
Step 4: In Device Groups > Objects > Addresses, click Add.
132Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 5: In the Name box, enter Net-10.6.0.0.
Step 6: In the Type list, select IP Netmask.
Step 7: In the Type value box, enter 10.6.0.0/16, and then click OK.
12.2 Backhaul Connecon—Congure NAT Policy
This procedure uses NAT Pre Rules. These rules are logically evaluated prior to local rules and cannot be locally overrid-
den on the local device.
Step 1: Log in to Panorama (example:
hps://ara-panorama-1.westus.cloudapp.azure.com
).
Step 2: Navigate to Device Groups > Policies.
Step 3: In the Device Group list, select Azure-Shared.
Step 4: In Device Groups > Policies > NAT > Pre Rules, click Add.
Step 5: In the Name box, enter VPN-to-Private.
Step 6: Change to the Original Packet tab.
Step 7: In the Source Zone pane, click Add and select VPN.
Step 8: In the Desnaon Zone list, select Private.
Step 9: In the Source Address pane, click Add and select Net-10.6.0.0.
133Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 10: In the Desnaon Address pane, click Add and select Net-10.5.1.0. Repeat this step for all objects in Table
29.
Step 11: Change to the Translated Packet tab.
Step 12: In the Source Address Translaon secon, in the Translaon Type list, select Dynamic IP And Port.
Step 13: In the Source Address Translaon secon, in the Address Type list, select Interface Address.
Step 14: In the Source Address Translaon secon, in the Interface box, enter ethernet1/2.
Step 15: Change to the Ta rge t tab.
134Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 16: Verify that Any (target to all devices) is selected.
Make sure to target all devices in the device group; otherwise, the policy rule will not be
automacally applied to new group members.
Caution
12.3 Backhaul Connecon—Congure Security Policy
This procedure uses Security Pre Rules. These rules are logically evaluated prior to local rules and cannot be locally
overridden on the local device.
The security policy example for the Backhaul Connecon Prole permits these applicaons:
SSH (ssh)
RDP (ms-rdp)
web-browsing
Add addional required applicaons to your policy as needed.
Step 1: In Device Groups > Policies > Security > Pre Rules, click Add.
Step 2: In the Name box, enter VPN-to-Private.
Step 3: Change to the Source tab.
Step 4: In the Source Zone pane, click Add and select VPN.
Step 5: In the Source Address pane, click Add and select 10.6.0.0.
Step 6: Change to the Desnaon tab.
Step 7: In the Desnaon Zone pane, click Add and select Private.
Step 8: In the Desnaon Address pane, click Add and select 10.5.1.0. Repeat this step for all objects in Table 29.
Step 9: Change to the Applicaon tab.
135Palo Alto Networks
Deployment Details for Backhaul Connecon
Step 10: In the Applicaons pane, click Add and enter/search/select ssh
Step 11: In the Applicaons pane, click Add and enter/search/select ms-rdp.
Step 12: In the Applicaons pane, click Add and enter/search/select web-browsing.
Step 13: Change to the Service/URL Category tab.
Step 14: In the Service pane, select applicaon-default.
Step 15: Change to the Acons tab.
Step 16: In the Acon Seng secon, in the Acon list, select Allow.
Step 17: In the Log Seng secon, in the Log Forwarding list, select LoggingService-Prole.
Step 18: Change to the Ta rge t tab.
Step 19: Verify that Any (target to all devices) is selected, and then click OK.
Make sure to target all devices (any) in the device group; otherwise, the policy rule will
not be automacally applied to new group members.
Caution
Step 20: On the Commit menu, click Commit and Push.
136Palo Alto Networks
Deployment Details for Automated Bootstrapping
Deployment Details for Automated Bootstrapping
Preparing For Bootstrapping
13.1 Create the Bootstrap Package
13.2 Deploy the Bootstrap Package to Azure Storage
13.3 Create the Public IP Address for VM-Series
Procedures
This procedure group provides an alternate deployment method to Procedure 4.1. In addion to deploying the VM-
Series using the ARM template, the automated bootstrap process licenses the VM-Series and registers the VM-Series
device with Panorama with the designated templates and device group. This opon would not typically be chosen to
deploy the inial devices, but it is an eecve opon for scaling performance by adding addional rewalls aer the
rst pair have been deployed.
Aer deployment using the bootstrap, a new VM-Series is added to the Azure public and internal load-balancers back-
end pools to complete the integraon and make the VM-Series acve.
13.1 Create the Bootstrap Package
Step 1: Generate VM Auth Key on Panorama.
The next step requires the use of the command line. (You can also do it via API, but that opon is not covered by this
guide.)
Step 2: Using SSH, log in to the Panorama command line.
Step 3: Request the VM auth key by using the following command. The lifeme of the key can vary between 1 hour
and 8760 hours (1 year). Aer the specied me, the key expires. Panorama does not register VM-Series rewalls with-
out a valid auth-key in the connecon request.
request bootstrap vm-auth-key generate lifetime 8760
VM auth key 123456789012345 generated. Expires at: 2019/06/07 14:15:56
Step 4: Create init-cfg.txt le.
137Palo Alto Networks
Deployment Details for Automated Bootstrapping
The following table includes the parameters required for successful bootstrap on Azure. The VM-Series registers with
Panorama and is assigned to the listed template stack and device group. Create the le by using a text editor and save
as init-cfg.txt
Table 30 Required parameters for Azure bootstrap
Description Parameter Value
Type of management IP address type dhcp-client
Virtual machine authencaon key vm-auth-key (generated on Panorama)
Panorama IP address panorama-server 192.168.1.4
Panorama IP address (secondary) panorama-server-2
(oponal for H/A only)
192.168.1.5
(oponal for H/A only)
Template stack name tplname Azure-Shared-Model
Device group name dgname Azure-Shared
Step 5: If you are using BYOL, create the authcodes le. An auth code bundle includes all of the VM-Series feature
licenses with a single auth code.
Example: I1234567
The lename for the authcodes le must not include any extension such as .txt. If you
save the le with an extension, the bootstrap process fails.
Caution
138Palo Alto Networks
Deployment Details for Automated Bootstrapping
Create the le using a text editor and save as authcodes.
13.2 Deploy the Bootstrap Package to Azure Storage
This procedure creates a new le share for the bootstrap package in an exisng storage account.
Step 1: In Home > Storage accounts > azurerefarchv2 > FILE SERVICE > Files, click File share.
Step 2:  In the Name box, enter vmseries-bootstrap, and click OK.
Step 3: In Home > Storage accounts > azurerefarchv2 > FILE SERVICE > Files, click vmseries-bootstrap.
Table 31 Bootstrap package structure
Directory name File
cong init-cfg.txt
content
license authcodes
soware
139Palo Alto Networks
Deployment Details for Automated Bootstrapping
Step 4: Click Add directory.
Step 5: In the Name box, enter cong, and then click OK.
Step 6: If a File is listed for a corresponding directory in Table 31, then complete these substeps for the le:
Click cong.
Click Upload.
In the Upload les pane, browse to your local lesystem and select init-cfg.txt.
Click Upload.
Step 7: Repeat Step 4 through Step 6 for each entry in Table 31.
Step 8: In Home > Storage accounts > azurerefarchv2 > FILE SETTINGS > Access keys, record the access key for the
storage account (either key1 or key2) by using Click to copy.
You will need to provide the Storage Account, valid Storage Account access key, and File
Share at deployment me.
Example:
Storage Account Name: azurerefarchv2
Access Key: <key>
File Share Name: vmseries-bootstrap
Note
140Palo Alto Networks
Deployment Details for Automated Bootstrapping
13.3 Create the Public IP Address for VM-Series
This procedure is idencal to Procedure 3.6. It is repeated here for completeness.
The VM-Series devices deployed on Azure are managed using public IP addresses unless on-site network connecvity
has been established. The process to congure on-site network connecvity is included later in this guide.
This procedure creates a public IP address that is associated to the management interface of the VM-Series at deploy-
ment me. If necessary, this procedure is repeated to create addional public IP addresses for addional VM-Series
devices. The parameters listed in Table 4 are used to complete this procedure.
Take note of the fully qualied domain name (FQDN) that is dened by adding the locaon specic sux to your DNS
name label. We recommend managing your devices using the DNS name rather than the public IP address, which may
change.
Step 1: In Home > Public IP addresses, click Add.
Step 2: In the Name box, enter aras-vmfw3.
Step 3: Select Standard SKU.
Step 4: In the DNS name label box, enter aras-vmfw3.
Step 5: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 6: Click Create.
Deploying the VM-Series with Bootstrap
14.1 Deploy the VM-Series
14.2 Add VM-Series to Load-Balancer Backend Pools
Procedures
The following procedures are completed using the Azure Resource Manager deployed from an Azure Resource Man-
ager Template posted at GitHub. If you are already signed in to Azure at
hps://portal.azure.com
, then the deployment
from GitHub uses the same session authorizaon.
141Palo Alto Networks
Deployment Details for Automated Bootstrapping
14.1 Deploy the VM-Series
This procedure is essenally idencal to Procedure 4.1, with addional steps to provide the bootstrap informaon.
Table 32 VM-Series bootstrap deployment parameters
Parameter Value Comments
Resource group AzureRefArch-Shared Exisng
Locaon Tested in West US
VM name ARAS-VMFW3 First bootstrap device. Assumes two rewalls
already deployed
Storage account name azurerefarchv2shared
Storage account exisng RG AzureRefArch-Shared
Fw Av set AzureRefArch-Shared-AS
VM size Standard_D3_v2 hps://www.paloaltonetworks.com/docu-
mentaon/80/virtualizaon/virtualizaon/
set-up-the-vm-series-rewall-on-azure/about-
the-vm-series-rewall-on-azure/minimum-sys-
tem-requirements-for-the-vm-series-on-azure
Public IP type standard Standard IP SKU required for use with Azure
Standard load-balancer
Image version latest
Image Sku byol
Bootstrap rewall yes
Bootstrap storage account azurerefarchv2 The bootstrap storage account may be in any
resource group within the same Azure sub-
scripon and locaon.
Storage account access key <key> Use value recorded from Procedure 13.2, Step
8
Storage account le share vmseries-bootstrap Created in Procedure 13.2
Virtual network name AzureRefArch-VNET Uses AzureRefArch-VNET in resource group
AzureRefarch
Virtual network address prex 192.168.1.0/24 Match the inial IP address space from
AzureRefArch-VNET
Virtual network exisng RG name AzureRefArch
Subnet0Name Management
Subnet1Name Shared-Public
Subnet2Name Shared-Private
Subnet3Name Shared-VPN
Table connued on next page
142Palo Alto Networks
Deployment Details for Automated Bootstrapping
Connued table
Parameter Value Comments
Subnet0Prex 192.168.1.0/24
Subnet1Prex 172.16.1.0/24
Subnet2Prex 10.5.0.0/24
Subnet3Prex 10.5.15.0/24
Subnet0Start Address 192.168.1.8 First bootstrap device
Subnet1Start Address 172.16.1.8 First bootstrap device
Subnet2Start Address 10.5.0.8 First bootstrap device
Subnet3Start Address 10.5.15.8 First bootstrap device.
Admin username refarchadmin
Admin password <password>
Public IP address name aras-vmfw3 First bootstrap device
Nsg name None NSG is applied at subnet level
The custom Azure Resource Manager template used in this procedure has been developed and validated specically for
this deployment guide.
For template details and features, see :
hps://github.com/PaloAltoNetworks/ReferenceArchitectures/tree/master/Azure-1FW-4-interfaces-exisng-environment-BS
Use the parameters in Table 32 to deploy each VM-Series with bootstrap conguraon.
Step 1: Deploy the VM-Series by clicking Deploy to Azure.
Step 2: In the Resource Group secon, choose Use Exisng, and then select AzureRefArch-Shared.
Step 3: In the Vm Name box, enter ARAS-VMFW3.
Step 4: In the Storage Account Name box, enter azurerefarchv2shared.
Step 5: In the Storage Account Exisng RG box, enter AzureRefArch-Shared.
Step 6: In the Fw Av Set box, enter AzureRefArch-Shared-AS.
Step 7: In the Vm Size list, select Standard_D3_v2.
Step 8: In the Public IP Type list, select standard.
143Palo Alto Networks
Deployment Details for Automated Bootstrapping
Step 9: In the Image Version list, select latest.
Step 10: In the Image Sku list, select byol.
Step 11: In the Bootstrap Firewall list, select yes.
Step 12: In the Bootstrap Storage Account box, enter azurerefarchv2.
Step 13: In the Storage Account Access Key box, enter the key value.
Step 14: In the Storage Account File Share box, enter vmseries-bootstrap.
Step 15: In the Virtual Network Name box, enter AzureRefArch-VNET.
Step 16: In the Virtual Network Address Prex box, enter 192.168.1.0/24.
Step 17: In the Virtual Network Exisng RG Name box, enter AzureRefArch.
Step 18: In the Subnet0Name box, enter Management.
Step 19: In the Subnet1Name box, enter Shared-Public.
Step 20: In the Subnet2Name box, enter Shared-Private.
Step 21: In the Subnet3Name box, enter Shared-VPN.
Step 22: In the Subnet0Prex box, enter 192.168.1.0/24.
Step 23: In the Subnet1Prex box, enter 172.16.1.0/24.
Step 24: In the Subnet2Prex box, enter 10.5.0.0/24.
Step 25: In the Subnet3Prex box, enter 10.5.15.0/24.
Step 26: In the Subnet0Start Address box, enter 192.168.1.8.
Step 27: In the Subnet1Start Address box, enter 172.16.1.8.
Step 28: In the Subnet2Start Address box, enter 10.5.0.8.
144Palo Alto Networks
Deployment Details for Automated Bootstrapping
Step 29: In the Subnet3Start Address box, enter 10.5.15.8.
Step 30: In the Admin Username box, enter refarchadmin.
Step 31: In the Admin Password box, enter the password.
Step 32: In the Public IP Address Name box, enter aras-vmfw3.
Step 33: In the Network Security Group box, enter None.
Step 34: Review the terms and condions. If they are acceptable, select I agree to the terms and condions.
Step 35: Click Purchase.
Aer deployment, the device registers with Panorama by using the provided bootstrap informaon. The device is au-
tomacally licensed using the bundled auth-code in the bootstrap package. Aer the services are restarted, the device
receives template and device group conguraon from Panorama and is ready to be managed.
The soware should be upgraded to the same version as other VM-Series rewalls. This procedure is idencal to Pro-
cedure 4.3 in this guide.
14.2 Add VM-Series to Load-Balancer Backend Pools
You already created the public and private load-balancers in Procedure 7.2 and Procedure 7.4, as well as performing
other conguraons and updates throughout the guide. Now you integrate addional rewall resources into the design
by adding the VM-Series devices to the load-balancer backend pools.
This procedure only includes the steps to add an addional VM-Series device to exisng backend pools. Repeat this
procedure for each VM-Series device as required.
Step 1: In Home > Load Balancers > AzureRefArch-Shared-Public, click Backend pools.
Step 2: Click Firewall-Layer.
Step 3: In the VIRTUAL MACHINE column, in the rst blank row, select a VM-Series to be added to this backend pool
(example: aras-vmfw3).
Step 4: In the IP ADDRESS column, select the IP conguraon that is associated to the Shared-Public subnet. (ex-
ample: ipcong-untrust).
Step 5: Click Save, and then click X to exit.
145Palo Alto Networks
Deployment Details for Automated Bootstrapping
Step 6: In Home > Load Balancers > AzureRefArch-Shared-Internal, click Backend pools.
Step 7: Click Internal-Firewall-Layer.
Step 8: In the VIRTUAL MACHINE column, in the rst blank row, select a VM-Series to be added to this backend pool
(example: aras-vmfw3).
Step 9: In the IP ADDRESS column, select the IP conguraon that is associated to the Shared-Private subnet. (ex-
ample: ipcong-trust).
Step 10: Click Save, and then click X to exit.
Step 11: If you have addional backend pools for your internal load-balancer for Inbound Access and Backhaul and
Management trac, then repeat Step 6 through Step 10 for the Public-Firewall-Layer backend pool on the Shared-
Public subnet and the VPN-Firewall-Layer backend pool on the Shared-VPN subnet.
146Palo Alto Networks
What’s New in This Release
What’s New in This Release
Palo Alto Networks made the following changes since the last version of this guide:
This is a new guide.
Headquarters
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054, USA
www.paloaltonetworks.com
© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trade-
marks can be found at
hp://www.paloaltonetworks.com/company/trademarks.html
. All other marks menoned herein may
be trademarks of their respecve companies. Palo Alto Networks reserves the right to change, modify, transfer, or other-
wise revise this publicaon without noce.
Phone: +1 (408) 753-4000
Sales: +1 (866) 320-4788
Fax: +1 (408) 753-4001
info@paloaltonetworks.com
You can use the
feedback form
to send comments
about this guide.
B-000116P-1 08/18

Navigation menu