Deploy a VM-Series Firewall from Strata Cloud Manager

This page guides you through deploying a Terraform template to add VM-Series firewall protection for your cloud resources.
  • Deploy VM-Series Firewall in your Cloud Environment
In this section, you will configure a VM-Series firewall in Strata Cloud Manager, download the corresponding Terraform template, and deploy it in your cloud environment. This setup will integrate the VM-Series firewall into your cloud network architecture, enabling comprehensive monitoring and protection of your assets.
  1. Navigate to Insights → Prisma AIRS → Prisma AIRS AI Runtime: Network Intercept.
  2. Select Add Protections ("+" icon).
  3. Select Cloud Service Provider and select Next.
  4. In Firewall Placement, select the network traffic type that the VM-Series firewall can inspect. Refer to the following table showing the network traffic type that the VM-Series firewall can support:
    The table has one column each for AI Runtime Security: Network intercept and VM-Series support, and lists these traffic types:
    • AI Traffic: traffic between your applications and AI models
    • Non-AI Traffic and namespaces (for example, kube-system)
    • Cluster Traffic
    • Non-AI and non-cluster traffic
    When you select any namespace, the VM-Series firewall option becomes unavailable because only Prisma AIRS AI Runtime: Network intercept can secure these namespaces.
  5. Select Next.
  6. In Region & Application(s):
    1. Select your cloud account to secure from the onboarded cloud accounts list.
    2. Select a region in which you want to protect the applications.
    3. In Selected applications, select the applications to secure from the available list. This list includes application workloads such as namespaces or VPCs.
      The available applications are determined by the application definition criteria you configured during cloud account onboarding in the “Application Definition” step.
    4. Set the Public IP address on the External Load Balancer (ELB) for each application by selecting:
      • Auto generate: Automatically assigns an ephemeral (temporary) IP address to your application.
      • Input manually: Create and assign a static IP address to your application.
        For more details, refer to the Google Cloud documentation for configuring static external IP addresses.
      Each application is mapped to one public ELB IP address.
    5. Configure Traffic Inspection (to protect your clusters at namespace level only):
      Traffic inspection is available only when you select namespaces from the applications list. Select the namespace and configure how to handle traffic from specific network segments (limit of 10 CIDRs per cluster that can be inspected or bypassed at any time):
      • Inspect certain CIDRs: Only inspect traffic from specified subnet ranges.
      • Bypass certain CIDRs: Exclude traffic from specified subnet ranges from inspection.
        For container applications, all traffic to and from the applications is protected by default. Use traffic inspection options only when you need granular control over which network segments are inspected or bypassed.
        When protecting traffic from namespaces using traffic inspection, select only the namespace and not its parent VPC to avoid deployment failures. The same GWLB endpoint can't be used for both VPC and namespace-level protection in the same zone.
    6. Select the Undiscovered VPC(s) tab for GCP and AWS, or the Added vNet tab for Azure.
  7. In Protection Settings:
    1. In the Deployment parameters, select VM-Series firewall type.
      The VM-Series firewall secures traffic from non-containerized workloads, such as VPCs, non-containerized Serverless and Lambda functions, and EC2s. Choose the VM-Series instance to analyze network traffic from AI workloads and containerized applications.
    2. Enter the Service account attached to security VM.
    3. Enter Number of firewalls to deploy.
    4. Select zones to deploy firewalls from the available zones.
    5. Choose the instance type for the security VM.
  8. Configure the following tabs:
    IP addressing scheme:
    • CIDR value for untrust VPC.
    • CIDR value for trust VPC.
    • CIDR value for management VPC.
    Licensing, enter the following values:
    • PAN-OS version for your image from the available list.
    • Flex authentication code (copy the AUTH CODE for the deployment profile you created for the VM-Series firewall in the Customer Support Portal).
    • Device Certificate PIN ID.
    • Device Certificate PIN value.
    SCM management parameters: in Management parameters, enter the following:
  9. Select Next.
  10. In the Review Architecture screen:
    • Enter a unique Terraform template name. Use only lowercase letters, numbers, and hyphens; don't use a hyphen at the beginning or end, and limit the name to under 19 characters.
    • Select Create terraform template.
    • Select Save and Download Terraform Template.
    • Close the deployment workflow to exit.
  11. Unzip the downloaded file. Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
  12. Initialize and apply the Terraform for the security_project.
    The `security_project` contains the Terraform plan to deploy a VM-Series in your architecture. The Terraform plan creates the required resources to deploy VM-Series firewall with inline prevention mode, including the managed instance groups, load balancers, and health checks.
    cd architecture        # change directory to architecture/security_project
    cd security_project
    terraform init
    terraform plan
    terraform apply
    The security Terraform generates the following output. Be sure to record the IP addresses within the lbs_external_ips and lbs_internal_ips outputs.
    Apply complete! Resources: 36 added, 0 changed, 0 destroyed.

    Outputs:

    lbs_external_ips = {
      "external-lb" = {
        "airs001-all-ports" = "34.xx.xxx.xx"
      }
    }
    lbs_internal_ips = {
      "internal-lb" = "10.0.2.xxx"
    }
    pubsub_subscription_id = {
      "fw-autoscale-common" = "projects/$PROJECT_ID/subscriptions/airs001-fw-autoscale-common-mig"
    }
    pubsub_topic_id = {
      "fw-autoscale-common" = "projects/$PROJECT_ID/topics/airs001-fw-autoscale-common-mig"
    }
    The `security_project` Terraform also creates an IP-tag collector service, enabling you to retrieve IP-tag information from clusters. These tags populate dynamic address groups (DAGs) for automated security enforcement.
  13. Run the application Terraform to peer the application VPCs.
    cd ../application_project
    terraform init
    terraform plan
    terraform apply
    The application_security Terraform generates the following output:
    Apply complete! Resources: 12 added, 0 changed, 0 destroyed.
  14. Configure Strata Cloud Manager or Panorama to secure VM workloads and Kubernetes clusters and deploy pods. Configure interfaces, zones, NAT policy, routers, and security policy rules.
  15. Navigate to Workflows → NGFW Setup → Device Management. The VM-Series appears under Cloud Managed Devices.
  16. Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the deployed VM-Series licenses.
    It takes a while before the Device Status shows as connected.
    Next, view the threat logs and AI security logs for traffic inspection details.
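The workflow above states several input rules that are easy to get wrong before the template is ever generated: the traffic inspection lists in step 6 (at most 10 CIDRs per cluster, inspected or bypassed), the three VPC CIDRs in step 8, and the Terraform template name rule in step 10. The following pre-flight checker is an added example, not part of Strata Cloud Manager or its templates; it encodes those rules with Python's `ipaddress` and `re` modules. Two points go beyond the text and are assumptions: the 10-CIDR limit is treated as the combined inspect-plus-bypass count, and overlapping untrust/trust/management ranges or a CIDR that is both inspected and bypassed are reported as problems because they produce ambiguous routing or policy.

```python
"""Pre-flight checks for values entered in the VM-Series deployment workflow.

Added example (not product code). Rules encoded:
  - traffic inspection: valid CIDR syntax, at most 10 CIDRs per cluster
    (assumption: inspect + bypass counted together), and no CIDR that is
    both inspected and bypassed (assumption: that would be ambiguous policy)
  - IP addressing scheme: untrust, trust and management VPC CIDRs valid and
    pairwise non-overlapping (assumption: overlap breaks peering/routing)
  - template name: lowercase letters, digits, hyphens only; no leading or
    trailing hyphen; fewer than 19 characters
"""
import ipaddress
import re

MAX_CIDRS_PER_CLUSTER = 10
MAX_TEMPLATE_NAME_LEN = 18  # "under 19 characters"
TEMPLATE_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def parse_cidrs(cidrs):
    """Parse with strict=True so ranges with host bits set (10.0.0.1/24) are rejected."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR {cidr!r}: {exc}") from exc
    return nets


def check_traffic_inspection(inspect, bypass):
    """Return a list of problems for one cluster's inspect/bypass lists (empty = OK)."""
    problems = []
    total = len(inspect) + len(bypass)
    if total > MAX_CIDRS_PER_CLUSTER:
        problems.append(f"{total} CIDRs configured, limit is {MAX_CIDRS_PER_CLUSTER} per cluster")
    try:
        inspect_nets = parse_cidrs(inspect)
        bypass_nets = parse_cidrs(bypass)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    for i_net in inspect_nets:
        for b_net in bypass_nets:
            if i_net.overlaps(b_net):
                problems.append(f"{i_net} (inspect) overlaps {b_net} (bypass): ambiguous policy")
    return problems


def check_vpc_cidrs(untrust, trust, management):
    """The three VPC ranges must parse and must not overlap each other."""
    problems = []
    nets = {}
    for name, cidr in (("untrust", untrust), ("trust", trust), ("management", management)):
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name} VPC: invalid CIDR {cidr!r}: {exc}")
    names = list(nets)
    for idx, a in enumerate(names):
        for b in names[idx + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} VPC {nets[a]} overlaps {b} VPC {nets[b]}")
    return problems


def check_template_name(name):
    """Apply the naming rule from the Review Architecture step."""
    problems = []
    if len(name) > MAX_TEMPLATE_NAME_LEN:
        problems.append(f"name is {len(name)} characters, must be under 19")
    if not TEMPLATE_NAME_RE.match(name):
        problems.append("name may contain only lowercase letters, digits and hyphens, "
                        "and must not start or end with a hyphen")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs (not from a real deployment).
    for label, found in (
        ("traffic inspection", check_traffic_inspection(["10.10.0.0/16"], ["10.10.5.0/24"])),
        ("vpc cidrs", check_vpc_cidrs("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24")),
        ("template name", check_template_name("airs-001-prod-gcp-01")),
    ):
        print(label, "->", found or "OK")
```

Run it before filling in the workflow; an empty list from each check means the values satisfy the stated rules.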
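Step 12 asks you to record the `lbs_external_ips` and `lbs_internal_ips` values from the security_project apply. Rather than copying them from the console, the following added example (not part of the Strata Cloud Manager templates) reads `terraform output -json`, which wraps every output as an object with `sensitive`, `type` and `value` keys, flattens the nested load balancer maps, and validates that each leaf is an IP address. The embedded JSON is constructed to mirror the output shown in the procedure, using documentation addresses and a `PROJECT_ID_PLACEHOLDER` in place of the real project.

```python
"""Record the load balancer IPs reported by the security_project apply.

Added example, not product code. Feed it `terraform output -json` (a file
path as the first argument), or run it without arguments to use the
constructed sample below.
"""
import ipaddress
import json
import sys

# Constructed sample of `terraform output -json` (NOT real output; documentation IPs).
SAMPLE_OUTPUT_JSON = """
{
  "lbs_external_ips": {
    "sensitive": false,
    "type": ["object", {"external-lb": ["object", {"airs001-all-ports": "string"}]}],
    "value": {"external-lb": {"airs001-all-ports": "203.0.113.10"}}
  },
  "lbs_internal_ips": {
    "sensitive": false,
    "type": ["object", {"internal-lb": "string"}],
    "value": {"internal-lb": "10.0.2.5"}
  },
  "pubsub_topic_id": {
    "sensitive": false,
    "type": ["object", {"fw-autoscale-common": "string"}],
    "value": {"fw-autoscale-common": "projects/PROJECT_ID_PLACEHOLDER/topics/airs001-fw-autoscale-common-mig"}
  }
}
"""

LB_OUTPUTS = (("external", "lbs_external_ips"), ("internal", "lbs_internal_ips"))


def flatten_ips(value, prefix=""):
    """Walk nested output maps and yield (dotted.path, leaf) pairs."""
    for key, val in value.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            yield from flatten_ips(val, path)
        else:
            yield path, val


def collect_lb_ips(output_json):
    """Return {"external": {path: ip}, "internal": {path: ip}}.

    Raises KeyError if an expected output is missing and ValueError if a leaf
    is not an IP address, so a partial or malformed apply is caught early.
    """
    outputs = json.loads(output_json)
    result = {}
    for label, name in LB_OUTPUTS:
        value = outputs[name]["value"]  # KeyError if the output was not produced
        ips = {}
        for path, leaf in flatten_ips(value):
            ips[path] = str(ipaddress.ip_address(leaf))  # ValueError on junk
        result[label] = ips
    return result


def internal_ips_not_private(result):
    """The internal LB should sit on private address space; return any offenders."""
    return [path for path, ip in result["internal"].items()
            if not ipaddress.ip_address(ip).is_private]


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT_JSON
    recorded = collect_lb_ips(raw)
    print(json.dumps(recorded, indent=2))
    for path in internal_ips_not_private(recorded):
        print(f"warning: internal LB {path} is not on private address space")
```

Usage against a real deployment: `terraform output -json > security_outputs.json` in `architecture/security_project`, then run the script with that file as its argument and keep the printed record for the Strata Cloud Manager or Panorama configuration in step 14.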