https://www.paloaltonetworks.com/blog/network-security/vm-series-azure-gateway-load-balancer/
PAN-OS 10.1.4 and VM-Series plugin 2.1.4
Bootstrap information
Extract the bootstrap package: tar xvzf bootstrap.tgz
Create a storage account for bootstrapping.
If you are using the Panorama Software Firewall License plugin, follow this guide:
Configure the template parameters for your Azure GWLB deployment

FirewallDnsName
    Unique DNS name for the public IP used to access the VM-Series firewall.
vmName
    Name for the VM-Series firewall.
adminUsername
    Username for the administrator account on the VM-Series firewall.
adminPassword
    Password for the administrator account on the VM-Series firewall. Optional if you choose another authentication type.
bootstrapStorageAccount
    Name of the storage account created in the prerequisite step.
bootstrapStorageAccountAccessKey
    Access key of the storage account created in the prerequisite step.
bootstrapFileShare
    Name of the storage account file share created in the prerequisite step.
imageVersion
    PAN-OS image version. Versions from 10.1.4 are supported; add the version you need to the template's allowed values to use a PAN-OS version of your preference.
imageSKU
    Licensing model: byol, bundle1 or bundle2.
vmSize
    Azure VM size for the firewall. Choose from the template's allowed values.
AddressPrefix
    CIDR range for the Security network, e.g. "10.0.0.0/16".
ManagementSubnet
    Subnet prefix for the Security management subnet, e.g. "10.0.1.0/24".
DataSubnet
    Subnet prefix for the Security data subnet, e.g. "10.0.0.0/24".
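Two things tend to go wrong when these parameters are filled in by hand: a subnet that is not actually inside AddressPrefix (or overlaps the other subnet), and the admin password or storage account key being committed in clear text inside the parameters file. The script below, added here as an example and not part of the Palo Alto Networks templates, validates the CIDR layout with Python's ipaddress module and emits an ARM parameters file in which the two secret parameters are Key Vault references rather than literal values. The parameter names are the ones listed above; the Key Vault resource id, VM size and all other sample values are constructed placeholders.

```python
"""Validate security-stack.json parameter values and emit an ARM parameters file.
Added example for this guide (not part of the Palo Alto Networks templates). Parameter
names are the ones listed above; the Key Vault id and sample values are constructed."""
import ipaddress
import json

ALLOWED_SKUS = ("byol", "bundle1", "bundle2")
# Secrets never go into the parameters file in clear text: they are written as Key Vault
# references, which ARM resolves at deployment time.
SECRET_PARAMS = ("adminPassword", "bootstrapStorageAccountAccessKey")


def check_network_layout(address_prefix, subnets):
    """Return a list of problems with the VNet/subnet layout; an empty list means OK.
    address_prefix: the AddressPrefix CIDR; subnets: parameter name -> CIDR string.
    strict=True rejects prefixes with host bits set (a typo ARM only reports at deploy time)."""
    try:
        vnet = ipaddress.ip_network(address_prefix, strict=True)
    except ValueError as exc:
        return [f"AddressPrefix: {exc}"]
    problems, nets = [], {}
    for name, cidr in subnets.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    for name, net in nets.items():
        if net.version != vnet.version or not net.subnet_of(vnet):
            problems.append(f"{name} {net} is not inside AddressPrefix {vnet}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].version == nets[b].version and nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def build_parameters_file(values, key_vault_id):
    """Return the ARM parameters-file document (a dict) for security-stack.json.
    For SECRET_PARAMS the value is the name of the Key Vault secret, not the secret itself."""
    if values["imageSKU"] not in ALLOWED_SKUS:
        raise ValueError(f"imageSKU must be one of {ALLOWED_SKUS}")
    problems = check_network_layout(
        values["AddressPrefix"],
        {"ManagementSubnet": values["ManagementSubnet"], "DataSubnet": values["DataSubnet"]},
    )
    if problems:
        raise ValueError("; ".join(problems))
    parameters = {}
    for name, value in values.items():
        if name in SECRET_PARAMS:
            parameters[name] = {"reference": {"keyVault": {"id": key_vault_id}, "secretName": value}}
        else:
            parameters[name] = {"value": value}
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": parameters,
    }


# Constructed sample values; the CIDRs are the examples given in the parameter list.
SAMPLE_VALUES = {
    "FirewallDnsName": "fw-gwlb-demo",
    "vmName": "vmseries-gwlb-1",
    "adminUsername": "fwadmin",
    "adminPassword": "vmseries-admin-password",             # Key Vault secret name
    "bootstrapStorageAccount": "bootstrapstore01",
    "bootstrapStorageAccountAccessKey": "bootstrap-sa-key",  # Key Vault secret name
    "bootstrapFileShare": "bootstrap",
    "imageVersion": "10.1.4",
    "imageSKU": "byol",
    "vmSize": "Standard_D3_v2",
    "AddressPrefix": "10.0.0.0/16",
    "ManagementSubnet": "10.0.1.0/24",
    "DataSubnet": "10.0.0.0/24",
}
# Placeholder resource id of the Key Vault holding the two secrets.
SAMPLE_KEY_VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                       "rg-placeholder/providers/Microsoft.KeyVault/vaults/kv-placeholder")

if __name__ == "__main__":
    print(json.dumps(build_parameters_file(SAMPLE_VALUES, SAMPLE_KEY_VAULT_ID), indent=2))
```

The generated document can be passed to the deployment as the parameters file; because the secrets are references, the file itself contains nothing sensitive and can live in source control, while the identity running the deployment needs get access to the two secrets in that vault.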
The init-cfg.txt in the bootstrap folder must include the following line.

To deploy the solution with the default ports:

plugin-op-commands=azure-gwlb-inspect:enable

When the port and VNI parameters are not specified, the defaults are used: internal port 2000 with internal VNI 800, and external port 2001 with external VNI 801. These values must match the tunnel interface properties of the GWLB backend pool, otherwise the service chain is not established. If you use custom ports, also edit the corresponding block in security-stack.json (shown below) to the same custom values.

To deploy the solution with custom ports, edit init-cfg.txt to:

plugin-op-commands=azure-gwlb-inspect:enable+internal-port-3000+external-port-3001+internal-vni-900+external-vni-901
The block in security-stack.json to edit (the annotations mark the values to change for the custom-port example and are not part of the JSON):

    "backendAddressPools": [
      {
        "name": "BackendPool1",
        "properties": {
          "tunnelInterfaces": [
            {
              "port": 2000,        # Change the internal port here to 3000
              "Identifier": 800,   # Change the internal identifier (VNI) to 900
              "Protocol": "VxLan",
              "Type": "Internal"
            },
            {
              "port": 2001,        # Change the external port here to 3001
              "Identifier": 801,   # Change the external identifier (VNI) to 901
              "Protocol": "VxLan",
              "Type": "External"
            }
          ]
        }
      }
    ],
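The firewall-side setting (the plugin-op-commands line) and the Azure-side setting (the backend pool's tunnelInterfaces) are edited in two different files, and a mismatch in either port or VNI silently breaks the service chain. The script below is an added example, not Palo Alto Networks code: it builds the init-cfg.txt line from the four options listed above, parses such a line back, and checks or rewrites a template's GWLB backend pools so that both sides agree. The option names and default values are the ones stated in this guide; SAMPLE_TEMPLATE is a constructed minimal stand-in for security-stack.json containing only the backend pool shown above.

```python
"""Keep the init-cfg.txt GWLB command and the template's tunnel interfaces in sync.
Added example for this guide (not Palo Alto Networks code). Option names and defaults
are those the guide lists; SAMPLE_TEMPLATE is a constructed stand-in for security-stack.json."""
import copy
import re

DEFAULTS = {"internal-port": 2000, "external-port": 2001, "internal-vni": 800, "external-vni": 801}
OPTION_RE = re.compile(r"(internal-port|external-port|internal-vni|external-vni)-(\d+)")

def validate(values):
    """Both tunnels terminate on one firewall NIC, so ports must differ; VNIs are 24-bit."""
    for name in ("internal-port", "external-port"):
        if not 1 <= values[name] <= 65535:
            raise ValueError(f"{name} {values[name]} is not a valid UDP port")
    for name in ("internal-vni", "external-vni"):
        if not 1 <= values[name] <= 0xFFFFFF:
            raise ValueError(f"{name} {values[name]} is not a valid 24-bit VNI")
    if values["internal-port"] == values["external-port"]:
        raise ValueError("internal and external tunnel ports must differ")
    if values["internal-vni"] == values["external-vni"]:
        raise ValueError("internal and external VNIs must differ")

def build_plugin_op_command(**overrides):
    """Return the init-cfg.txt line; only options that differ from the defaults are appended."""
    values = dict(DEFAULTS)
    for key, val in overrides.items():
        name = key.replace("_", "-")
        if name not in DEFAULTS:
            raise ValueError(f"unknown option {key}")
        values[name] = int(val)
    validate(values)
    parts = ["azure-gwlb-inspect:enable"]
    parts += [f"{n}-{values[n]}" for n in DEFAULTS if values[n] != DEFAULTS[n]]
    return "plugin-op-commands=" + "+".join(parts)

def parse_plugin_op_command(line):
    """Parse the line back into a complete option dict, defaults filled in."""
    key, _, value = line.strip().partition("=")
    parts = value.split("+")
    if key != "plugin-op-commands" or parts[0] != "azure-gwlb-inspect:enable":
        raise ValueError("line does not enable azure-gwlb-inspect")
    values = dict(DEFAULTS)
    for part in parts[1:]:
        m = OPTION_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unrecognised option {part!r}")
        values[m.group(1)] = int(m.group(2))
    validate(values)
    return values

def tunnel_interfaces(values):
    """The backendAddressPools tunnelInterfaces block that matches these values."""
    return [
        {"port": values["internal-port"], "Identifier": values["internal-vni"], "Protocol": "VxLan", "Type": "Internal"},
        {"port": values["external-port"], "Identifier": values["external-vni"], "Protocol": "VxLan", "Type": "External"},
    ]

def _backend_pools(template):
    """Yield every backend pool of every load balancer resource in the template."""
    for res in template.get("resources", []):
        if res.get("type") == "Microsoft.Network/loadBalancers":
            yield from res.get("properties", {}).get("backendAddressPools", [])

def template_mismatches(template, values):
    """List every tunnel interface field that disagrees with values; empty means in sync."""
    expected = {t["Type"]: t for t in tunnel_interfaces(values)}
    problems = []
    for pool in _backend_pools(template):
        for tun in pool.get("properties", {}).get("tunnelInterfaces", []):
            want = expected.get(tun.get("Type"))
            if want is None:
                problems.append(f"{pool['name']}: unexpected tunnel Type {tun.get('Type')!r}")
                continue
            for field in ("port", "Identifier", "Protocol"):
                if tun.get(field) != want[field]:
                    problems.append(f"{pool['name']}/{tun['Type']}: {field}={tun.get(field)} expected {want[field]}")
    return problems

def patch_template(template, values):
    """Return a copy of the template with every GWLB backend pool rewritten to values."""
    patched = copy.deepcopy(template)
    for pool in _backend_pools(patched):
        pool.setdefault("properties", {})["tunnelInterfaces"] = tunnel_interfaces(values)
    return patched

# Constructed minimal template holding only the GWLB backend pool shown in the guide.
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Network/loadBalancers", "name": "gwlb-demo",
    "properties": {"backendAddressPools": [
        {"name": "BackendPool1", "properties": {"tunnelInterfaces": tunnel_interfaces(DEFAULTS)}}]},
}]}

if __name__ == "__main__":
    line = build_plugin_op_command(internal_port=3000, external_port=3001, internal_vni=900, external_vni=901)
    custom = parse_plugin_op_command(line)
    print(line)
    print("before patch:", template_mismatches(SAMPLE_TEMPLATE, custom))
    print("after patch:", template_mismatches(patch_template(SAMPLE_TEMPLATE, custom), custom))
```

In practice you would load the real security-stack.json with json.load, run template_mismatches against the values parsed from your init-cfg.txt before deploying, and only then either fix the template by hand or write out patch_template's result.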
Parameters for the Application stack (application-stack.json)

securityResourceGroup
    Name of the Security stack resource group deployed with the security-stack.json template.
gwLBName
    Name of the Gateway Load Balancer deployed with the security-stack.json template.
gwLBFrontendIPName
    Name of the Gateway Load Balancer frontend private IP deployed with the security-stack.json template.
VNETPrefix
    CIDR range for the Application network, e.g. "10.240.0.0/16".
SubnetPrefix
    Subnet prefix for the Application management subnet, e.g. "10.240.0.0/24".
The security-stack.json ARM template deploys the Security stack: the Gateway Load Balancer, a VM-Series firewall with the GWLB bootstrap configuration, and that firewall added to the Gateway Load Balancer's backend pool.
The application-stack.json ARM template deploys the Application stack: a Load Balancer configured with the default load balancer rules and a Linux VM running a simple HTTP service.
You can reuse application-stack.json to deploy multiple spokes (application stacks).
To test ingress traffic, run the following from a terminal:
wget http://<FrontendIPofPublicLB>:8081
or open the same URL in a browser.
You can then see the secured ingress traffic sessions on the firewall.