PaloAltoNetworks / azure

VM-Series ARM Templates for Microsoft Azure
https://github.com/PaloAltoNetworks/azure
117 stars 156 forks source link

Deployment suceeds but firewall dosent start properly #26

Open akingscote opened 4 years ago

akingscote commented 4 years ago

Describe the bug

Password requirement inconsistency, palo alto portal and terraform images differ in availability.

I am deploying via terraform so my deployment is consistent. I normally use the latest tag for the PA image.

  vm_size                      = "Standard_D3_v2"
  sku                             = "bundle2"
  publisher                    = "paloaltonetworks"
  product                      = "vmseries1"
  version                       = "latest"

I recently updated my password to be alpha numeric 32 characters. E.g. Password1234password1234password1234. If i try and set a password without a capital letter, i get the following error

Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidParameter" Message="The supplied password must be between 6-72 characters long and must satisfy at least 3 of password complexity requirements from the following:\r\n1) Contains an uppercase character\r\n2) Contains a lowercase character\r\n3) Contains a numeric digit\r\n4) Contains a special character\r\n5) Control characters are not allowed" Target="adminPassword"

So the password policy is 6-72 characters with numbers, capital and lower case letters.

If i set the password to Password1234password1234password1234 the deployment succeeds, but i cannot log in via the SSH prompt (says incorrect password) despite the password conforming with the password policy. The web UI never loads, i always get a HTTP timeout.

I tried to deploy via the portal and i couldnt find a suitable version. It only gives me an option of 9.1.2 and not the large option list i get via terraform. I also noticed that via the portal the VM type that gets deployed is vmseries-flexible and not vmseries1 or vmseries2. I cant find any documentation on this type. Im assuming flexible means that its either 1 or 2.

So i changed my deployment to:

  vm_size                      = "Standard_D3_v2"
  sku                            = "bundle1"
  publisher                    = "paloaltonetworks"
  product                      = "vmseries-flex"
  version                       = "9.1.2"

With password Password1234password1234password1234 i get the same behaviour, but with password Password1234 the web UI loads and the SSH prompt allows me to log in!

Expected behavior

32 length character password dosent cause deployment issues despite conforming to password requirements.

Current behavior

A long password somehow breaks the deployment.

Possible solution

The current workaround i have is to use a small (12 character) alpha numeric password rather than a 32 character one.

Your Environment

experienced with:

  vm_size                      = "Standard_D3_v2"
  sku                             = "bundle2"
  publisher                    = "paloaltonetworks"
  product                      = "vmseries1"
  version                       = "latest"

and also:

  vm_size                      = "Standard_D3_v2"
  sku                            = "bundle1"
  publisher                    = "paloaltonetworks"
  product                      = "vmseries-flex"
  version                       = "9.1.2"

With deployments via the portal and by terraform. Seems to be a problem with the core palo alto images.

welcome[bot] commented 4 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!