Deploy Prisma AIRS AI Runtime Firewall in Azure with Terraform

Where Can I Use This?	What Do I Need?
Prisma AIRS AI Runtime Firewall deployment in Azure	Onboard Cloud Account in Azure

In this section, you will configure Prisma AIRS AI Runtime Firewall in Strata Cloud Manager, download the corresponding Terraform template, and deploy it in your cloud environment. This setup will integrate the AI network intercept in your cloud network architecture, enabling comprehensive monitoring and protection of your assets.

After onboarding the cloud account, the Strata Cloud Manager command center dashboard will show asset discovery with no firewall protection deployed. Unprotected traffic paths to and from apps, models, and the internet are marked in red until you add firewall protection. For more details, see Discover Your Cloud Resources.

1. Log in to Strata Cloud Manager.
2. Navigate to AI Security AI Runtime Firewall.
3. Select Add Protections ("+" icon).
4. Select Cloud Service Provider as Azure and select Next.
5. In Firewall Placement, select one or more traffic flows to inspect.

   The following table shows the network traffic type that the Prisma AIRS AI Runtime Firewall or the VM-Series firewall can support:

   Traffic Type	Prisma AIRS AI Runtime Firewall	VM-Series
   AI Traffic - Traffic between your applications and AI Models	✅
   Non-AI Traffic and namespaces (example, kube-system)	✅
   Cluster Traffic	✅
   Non-AI and non-cluster traffic	✅	✅

   When you select any namespace, the VM-Series firewall option becomes unavailable because only Prisma AIRS AI Runtime Firewall can secure these namespaces.
6. Select Next.
7. In Region & application(s):

   • Select your cloud account to secure from the onboarded cloud accounts list.
   • Select a region in which you want to protect the applications.
   • In Selected applications, select the applications to secure from the available list.

   This list includes application workloads such as namespaces or vNets. If you select the kube-system namespace, the VM-Series firewall option will be grayed out, as only Prisma AIRS AI Runtime Firewall can protect these namespaces.

   The available applications are determined by the application definition criteria you configured during cloud account onboarding in the “Application Definition” step.

   When you configure your container workloads to be identified by the "Cluster Name" method, you must enable "Bring your own Azure virtual network" for your Kubernetes service. This ensures the clusters are discoverable in this list.
8. Configure Traffic Inspection (to protect your clusters at namespace-level only):

   Traffic steering inspection is available only when you select namespaces from the applications list. Select the namespace and configure how to handle traffic from specific network segments (Limit to 10 CIDRs per cluster that can be inspected or bypassed at any time):

   • Inspect certain CIDRs: Only inspect traffic from specified subnet ranges.
   • Bypass certain CIDRs: Exclude traffic from specified subnet ranges from inspection.
     For container applications, all traffic to and from the applications is protected by default. Use traffic inspection options only when you need granular control over which network segments are inspected or bypassed.

     When protecting traffic from namespaces using traffic inspection, select only the namespace and not its parent VPC to avoid deployment failures. The same GWLB endpoint cannot be used for both VPC and namespace-level protection in the same zone.

   To configure Traffic Steering with Panorama, you need to:

   • Modify the Container Network Interface (CNI) to read a Palo Alto Networks customer resource. After reading the annotation, the CNI programs the routing on the app pods based on the option of FIREWALL INSPECT/BYPASS.
   • Update the custom resource file (Helm folder > Templates > Create CustomerResource.YAML). In the custom resource file, you can use FIREWALL to inspect limited CIDRs and BYPASS to avoid certain CIDRs. The appname/bypassfirewall keyword is used for both inspect and bypass traffic operations.
9. Select the Added vNet tab if you want to secure a vNet. Enter the following values:

   • Enter the vNet Name. Get the vNet name from Azure portal → Virtual Networks page.
   • Enter the vNet CIDR. To view the vNet CIDR, go to the Azure portal → Virtual networks and Select your virtual network. Under Settings, click on the Address space to view the CIDR block.
   • In Resource group name, enter the Azure Resource Group Name.
   • Cluster Id.
   • CIDR ranges to be inspected in the Inspect certain CIDRs field.
   • CIDR ranges to be bypassed in the Bypass certain CIDRs field.
   • Select Submit.
10. In Protection Settings:

    1. In the Deployment parameters, select AI Runtime Security or VM-Series firewall type based on the type of traffic you decided to protect in the Firewall Placement step.
    2. Enter the number of firewalls to deploy.
    3. Select zones to deploy firewalls from the available zones.
    4. Choose the instance type for the security VM (See D-family size series - Azure Virtual Machines for details).
    5. Enter the Azure Resource group name.
    6. In Firewall Scaling, select Static or Dynamic to configure autoscaling.

       With autoscaling, you can choose between static or dynamic scaling models during deployment. Dynamic scaling allows you to select from several metrics to base your autoscaling decisions on, giving you fine-grained control over how your security infrastructure adapts to changing conditions. This approach ensures that your security posture remains robust during traffic surges while optimizing license consumption during periods of lower demand. After traffic decreases and firewalls are deactivated, the system automatically removes the firewalls from inventory and returns licenses to your pool for future scaling events.

       Selecting Dynamic firewall scaling allows you to configure additional metrics:

       • Specify the Number of Firewalls to Deploy by entering a range (minimum to maximum).
       • Set the Update Interval; 1-60 minutes.
       • Use the drop-down menu to select Autoscaling Metrics.
         The firewall publishes autoscaling metrics to the respective cloud. Within SCM, this implementation allows you to choose one or more autoscaling metric and the corresponding threshold to trigger scale-in, scale-out actions.

       The table below describes autoscaling metrics:

       Metric	Description
       Dataplane CPU Utilization (%)	Monitors dataplane CPU usage and measures the traffic load on the firewall.
       Dataplane Packet Buffer Utilization (%)	Monitors dataplane buffer usage and measures buffer utilization. If you have a sudden burst in traffic, monitoring your buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer, which results in dropped packets.
       GlobalProtect™ Gateway Active Tunnels	Monitors the number of active GlobalProtect sessions on a firewall deployed as a GlobalProtect gateway. Use this metric if you use this VM-Series firewall as a VPN gateway to secure remote users. Check the datasheet for the maximum number of active tunnels supported for your firewall model.
       GlobalProtect Gateway Tunnel Utilization (%)	Monitors the active GlobalProtect tunnels on a gateway and measures tunnel utilization. Use this metric if you use this VM-Series firewall as a VPN gateway to secure remote users.
       panSessionConnectionsPerSecond	Monitors the new connection establish rate per second.
       panSessionThroughputKbps	Monitors the throughput in Kbps.
       panSessionThroughputPps	Monitors the number of packets per second.
       Sessions Active	Monitors the total number of sessions that are active on the firewall. An active session is a session that is in the flow lookup table for which packets will be inspected and forwarded, as required by policy.
       Session Utilization (%)	Monitors the TCP, UDP, ICMP and SSL sessions that are currently active and the packet rate, new connection establish rate, and firewall throughput to determine session utilization.
       SSLProxyUtilization (%)	Monitors the percentage of SSL forward proxy sessions with clients for SSL/TLS decryption.

       • Click Apply.

       After completing the Firewall Information section you can configure IP Addressing, Licensing and Management Parameters.
11. Configure the following:

    IP addressing scheme	Licensing	Management parameters
    Enter the CIDR of Security vNet.	Enter the following values: PAN OS version for your image from the available list. Flex authentication code (Copy AUTH CODE for the deployment profile you created for Prisma AIRS AI Runtime Firewall in Customer Support Portal). Device Certificate PIN ID. Device Certificate PIN value.	In Management parameters, enter the following: List CIDR ranges to be allowed access to the management interface. The SSH key to be used for login (see how to Create SSH keys). Manage by SCM, then select the SCM folder to group the Prisma AIRS AI Runtime Firewall. Refer to Workflows: Folders - Strata Cloud Manager. Manage by Panorama: For firewall management through Panorama, refer to the section on configuring your firewall to be managed by Panorama.

12. Select Next.
13. In the Review Architecture screen:

    • Enter a unique Terraform template name. (Use only lowercase letters, numbers, and hyphens. (Don't use a hyphen at the beginning or end, and limit the name to under 19 characters).
    • Review the topology for your AI network architecture.
    • Click Create terraform template.
    • Click Download terraform template.
    • Close the deployment workflow to exit.
14. Run the following commands in the Azure CLI to accept the Prisma AIRS AI Runtime Firewall subscription:

    
    az vm image accept-terms --urn publisher:offer:sku:version
    
    az vm image accept-terms --urn paloaltonetworks:airs-flex:airs-byol:version

    Get the version from the `vmseries_version` value in the Terraform file: `<azure-deployment-terraform-path>/architecture/security_project/terraform.tfvars`
15. Unzip the downloaded file. Navigate to <unzipped-folder> with 2 directories: `architecture` and `modules`. Deploy the Terraform templates in your cloud environment following the `README.md` file in the `architecture` folder.
16. Initialize and apply the Terraform for the security_project.

    The security_project contains the Terraform plan to deploy the Prisma AIRS AI Runtime Firewall in your architecture.

    cd architecture
    
    cd security_project
    terraform init
    terraform plan
    terraform apply
    

    Note: After applying the Terraform, note the IP addresses from lbs_external_ips and lbs_internal_ips outputs. You will need these later while configuring Strata Cloud Manager.

    The `security_project` Terraform also creates an IP-tag collector service, enabling you to retrieve IP-tag information from clusters. These tags are used to populate dynamic address groups (DAGs) for automated security enforcement. Refer to the section on Harvest IP-Tags from Public and Hybrid Kubernetes Clusters to Enforce Security Policy Rules for details.
17. Run the application Terraform to peer the application VNets with the security VNet.

    cd ../application_project
    terraform init
    terraform plan
    terraform apply

    The security_project Terraform templates create the resources in the gray box.

    The application_project Terraform templates create the peering connections.
18. The Azure deployment Terraform creates a route table. Use it to direct your outbound traffic to the firewall.
    Associate the route table created by the deployment Terraform with the subnet of your application to protect your resources and direct outbound traffic through the firewall.

    1. In the Azure portal, search for and select Virtual networks.
    2. Select the virtual network that contains your application subnet.
    3. In the virtual network menu bar, choose Subnets.
    4. On the Subnets page, select the subnet where your application resources are deployed.
    5. In the Route table, choose the route table created by the deployment Terraform. This route table is typically named with a prefix related to your Prisma AIRS AI Runtime Firewall deployment.
    6. Save.

    By associating this specific route table, you ensure that all outbound traffic from your application subnet is directed through the Prisma AIRS AI Runtime Firewall.

19. Configure Strata Cloud Manager or Panorama to secure VM workloads and Kubernetes clusters and deploy pods. Configure interfaces, zones, NAT policy, routers, and security policy rules.
20. Navigate to Workflows→ NGFW Setup → Device Management. The Prisma AIRS AI Runtime Firewall appears under Cloud Managed Devices.
21. Switch to the Cloud Managed Devices tab to view and manage the connected state, the configuration sync state, and the deployed Prisma AIRS AI Runtime Firewall licenses.

    It takes a while before the Device Status shows as connected.

    Next, view the threat logs and AI security logs for traffic inspection details.