VM-Series and Azure Application Gateway Template Parameters

Use the Azure application gateway parameters to deploy the template to Azure.
Where Can I Use This?
  • Microsoft Azure
  • Microsoft Azure Stack
  • Azure® Marketplace
  • Azure Government Marketplace
What Do I Need?
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for Azure
The following list gives the required and optional parameters, grouped as they appear in the template, with their default values:

General
  • Resource group: Create a new resource group or use an existing one (no default).
  • Subscription: The Azure subscription that is billed for the resources the template deploys.
  • Location: The Azure region to which you want to deploy the template (no default).

Network Security Group
  • Network Security Group Name: The network security group limits the source IP addresses from which the management interfaces of the VM-Series firewalls and the web servers can be reached. Default: nsg-mgmt.
  • Network Security Group Inbound Src IP: The source IP address range (CIDR) that is allowed to reach the management port of the VMs deployed by the template. The default value 0.0.0.0/0 allows logins to the firewall management port from any IP address on the Internet. Replace it with the address range of your administrative hosts before you deploy; if you cannot, restrict the rule immediately after deployment, before you import any configuration or change credentials.

Storage Account
  • Storage Account Name: Create a new Storage Account or enter the name of an existing one (no default). The name must be globally unique.
  • Storage Account Type: Choose between standard and premium storage and the data replication you need: local redundancy, geo-redundancy, or read-access geo-redundancy. The default is Locally Redundant Storage (LRS); the other options are Standard GRS, Premium LRS, and Standard RAGRS.

VNet
  • Virtual Network: Create a new VNet or enter the name of an existing one. The default name is vnet-FW.
  • Virtual Network Address Prefix: Default 192.168.0.0/16. Every subnet prefix below must fall inside this prefix, and the subnets must not overlap one another.

Azure Application Gateway
  • App Gateway Name: Default myAppGw.
  • App Gateway DNS Name: Enter a globally unique DNS name for the public IP address of the Azure Application Gateway.
  • App Gateway Subnet Name and Prefix: Default name AppGWSubnet, default prefix 192.168.3.0/24.

Azure Load Balancer and Web Servers
  • Internal Load Balancer Name: Default myPrivateLB.
  • Internal Load Balancer Subnet Name and Prefix: Default name backendSubnet, default prefix 192.168.4.0/24.
  • Backend VM Size: Default Standard tier D1 Azure VM. Use the drop-down in the template to view the other Azure VM sizes available for the backend web servers.

Firewalls
  • Firewall Model: Choose BYOL or PAYG (bundle 1 or bundle 2; each bundle includes the VM-300 and a set of subscriptions).
  • Firewall VM Name and Size: Default name VM-Series, default size Standard tier D3 Azure VM. Use the drop-down in the template to view the other Azure VM sizes available for the VM-Series firewalls.
  • Mgmt Subnet Name and Prefix: The management subnet for the VM-Series firewalls and the web servers deployed in this solution. Default name Mgmt, default prefix 192.168.0.0/24.
  • Mgmt Public IP Address Name: Enter the DNS label of the public IP address used to reach the management interface of each firewall. Each name must be unique.
  • Untrusted Subnet Name and Prefix: The subnet to which ethernet1/1 on the VM-Series firewall is connected. This subnet connects the firewall to the Azure Application Gateway; the firewall receives inbound web traffic destined for the web servers on this interface, and the sample configuration's firewall-untrust-IP address object refers to the firewall's IP address here. Default name Untrust, default prefix 192.168.1.0/24.
  • Trusted Subnet Name and Prefix: The subnet to which ethernet1/2 on the VM-Series firewall is connected. This subnet faces the internal load balancer and the backend web servers; the firewall forwards inbound web traffic to the backend through this interface and receives the web servers' return traffic on it. Default name Trust, default prefix 192.168.2.0/24.
  • Username: Enter the username for the administrative account on the VM-Series firewalls and the web servers.
  • Authentication Type: Either enter a password or supply an SSH public key (no default). Prefer the SSH public key: the management port is reachable from every address the network security group admits, and a key cannot be guessed the way a password can.
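The parameter values above are easy to get wrong in ways that only show up after deployment: a subnet outside the VNet prefix, two subnets that overlap, an invalid storage account name, or a management NSG that still admits 0.0.0.0/0. The following pre-deployment check is an added example, not part of the Palo Alto Networks template or its repository; it keys the values by the parameter labels used in the list above (an assumption for readability, not the template's JSON parameter names) and applies the Azure constraints a practitioner would verify before clicking Deploy.

```python
# Pre-deployment sanity check for the template parameters listed above.
# Added example: not part of the Palo Alto Networks template. The dictionary
# keys are the parameter labels from this page, not the template's JSON names.
import ipaddress
import re

# Defaults as documented on this page (the empty storage name and the
# password authentication type are the fields the operator must fill in).
DEFAULTS = {
    "Virtual Network Address Prefix": "192.168.0.0/16",
    "Mgmt Subnet Prefix": "192.168.0.0/24",
    "Untrusted Subnet Prefix": "192.168.1.0/24",
    "Trusted Subnet Prefix": "192.168.2.0/24",
    "App Gateway Subnet Prefix": "192.168.3.0/24",
    "Internal Load Balancer Subnet Prefix": "192.168.4.0/24",
    "Network Security Group Inbound Src IP": "0.0.0.0/0",
    "Storage Account Name": "",
    "Authentication Type": "password",
}

SUBNET_KEYS = [k for k in DEFAULTS if k.endswith("Subnet Prefix")]


def check_parameters(params):
    """Return a list of findings; an empty list means the values are safe to deploy."""
    findings = []
    p = {**DEFAULTS, **params}

    # 1. Management exposure: the NSG source prefix must not admit the whole Internet.
    try:
        src = ipaddress.ip_network(p["Network Security Group Inbound Src IP"], strict=False)
        if src.prefixlen == 0:
            findings.append("NSG inbound source 0.0.0.0/0 exposes the management port to "
                            "every address; restrict it to your administrative ranges")
    except ValueError:
        findings.append("NSG inbound source is not a valid CIDR prefix")

    # 2. Addressing: every subnet must lie inside the VNet prefix, and no two may overlap.
    vnet = ipaddress.ip_network(p["Virtual Network Address Prefix"], strict=False)
    subnets = {}
    for key in SUBNET_KEYS:
        try:
            net = ipaddress.ip_network(p[key], strict=False)
        except ValueError:
            findings.append(f"{key}: {p[key]!r} is not a valid CIDR prefix")
            continue
        if not net.subnet_of(vnet):
            findings.append(f"{key}: {net} is outside the VNet prefix {vnet}")
        subnets[key] = net
    keys = list(subnets)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} ({subnets[a]}) overlaps {b} ({subnets[b]})")

    # 3. Storage account name: Azure accepts 3-24 lowercase letters and digits.
    #    Global uniqueness can only be confirmed against Azure itself.
    if not re.fullmatch(r"[a-z0-9]{3,24}", p["Storage Account Name"]):
        findings.append("Storage Account Name must be 3-24 lowercase letters and digits")

    # 4. Authentication: an SSH key cannot be brute-forced through the exposed management port.
    if p["Authentication Type"].lower() != "sshpublickey":
        findings.append("Authentication Type is password; use an SSH public key for the "
                        "firewall and web server administrative accounts")

    return findings


if __name__ == "__main__":
    # Constructed operator input: only the fields that differ from the defaults.
    proposed = {
        "Network Security Group Inbound Src IP": "203.0.113.0/24",
        "Storage Account Name": "fwstore01",
        "Authentication Type": "sshPublicKey",
    }
    for finding in check_parameters(proposed) or ["OK: no findings"]:
        print(finding)
```

Run the script with the untouched defaults and it reports three findings (the open NSG source, the empty storage name, and password authentication); the overlap and containment checks are what catch a hand-edited Untrust or Trust prefix that collides with the AppGWSubnet or falls outside the VNet.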

Adapt the Template

As your needs evolve, you can scope your capacity needs and extend the template for your deployment scenario. Here are some ways you can build on the starter template to meet your planned capacity needs:
  • Deploy additional VM-Series firewalls behind the Azure Application Gateway. You can manually install more VM-Series firewalls into the same Availability Set or launch a new Availability Set and manually deploy additional VM-Series firewalls.
  • Configure the VM-Series firewalls beyond the basic configuration provided in the sample configuration file in the GitHub repository.
  • Enable HTTPS load balancing (SSL offload) on the Azure Application Gateway. Refer to the Azure documentation for details.
  • Add or replace the sample web servers included with the template.

Sample Configuration File

To help you get started, the GitHub repository contains a sample configuration file named appgw-sample.xml that includes the following rules and objects:
  • Address objects—Two address objects, firewall-untrust-IP and internal-load-balancer-IP, which you must modify to match the IP addresses in your setup. On each firewall, set firewall-untrust-IP to the private IP address that the Azure portal shows for that firewall's untrust NIC (eth1-VM-Series0 on the first firewall, eth1-VM-Series1 on the second; this is ethernet1/1 on the firewall), and set internal-load-balancer-IP to the private IP address of the internal load balancer.
  • Static route—The default virtual router on the firewall has a static route whose next hop is 192.168.1.1, the address Azure reserves as the default gateway of the Untrust subnet (192.168.1.0/24) when you keep the template defaults. Return traffic from the backend web servers to the application gateway leaves the firewall's untrust interface toward this next hop. If you changed the Untrust subnet prefix, update the next hop to the first host address of the new prefix, which Azure again reserves as that subnet's gateway.
  • NAT policy rule—The NAT policy rule applies both destination NAT and source NAT to inbound web traffic.
    • Destination NAT: for traffic that arrives on the firewall's untrust interface (ethernet1/1) addressed to the firewall-untrust-IP address object, the rule translates the destination IP address to that of the internal load balancer (internal-load-balancer-IP), so that all inbound traffic is forwarded to the internal load balancer and from there to the backend web servers.
    • Source NAT: the same rule translates the source address of that traffic to the IP address of the firewall's trust interface (ethernet1/2). The backend web servers therefore send their replies to the firewall, which reverses both translations before returning the traffic to the application gateway; without this translation the replies would bypass the firewall.
  • Security policy rules—Two Security policy rules are defined in the sample configuration file. The first rule allows inbound web-browsing traffic and generates a log at the start of each session. The second rule blocks all other traffic and generates a log at both the start and the end of each session. You can use these logs to monitor all traffic to the web servers in this deployment.
  • Administrative user credentials—The sample configuration file includes a username and password for logging in to the firewall, set to pandemo/demopassword. These credentials are public, and the management port is reachable from every address the network security group admits, so after you import the sample configuration you must either change the password to a strong, unique one or create a new administrator account and delete the pandemo account, and commit that change before you do anything else.
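The adaptations listed above (two address objects, the static route next hop, and the removal of the demo administrator) are exactly the edits that get forgotten when the sample file is imported by hand. The script below is an added example, not part of the Palo Alto Networks repository or of appgw-sample.xml itself: it takes a constructed, cut-down stand-in for the sample file whose element paths follow the PAN-OS configuration layout (assumed here, not copied from the repository), derives the next hop from whatever Untrust prefix you chose using Azure's reservation of the first host address as the subnet gateway, rewrites the address objects, removes the pandemo account, and refuses to proceed if the firewall address you supply does not belong to the Untrust subnet. The IP values are illustrative.

```python
# Adapt a PAN-OS configuration like appgw-sample.xml to your own addressing.
# Added example: SAMPLE_XML is a constructed stand-in for the real sample file
# (element paths assumed to follow the PAN-OS config layout), and every IP
# address here is illustrative.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """<config>
  <mgt-config>
    <users>
      <entry name="pandemo">
        <phash>$1$demo$placeholder</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <virtual-router>
          <entry name="default">
            <routing-table><ip><static-route>
              <entry name="default-to-appgw">
                <destination>0.0.0.0/0</destination>
                <interface>ethernet1/1</interface>
                <nexthop><ip-address>192.168.1.1</ip-address></nexthop>
              </entry>
            </static-route></ip></routing-table>
          </entry>
        </virtual-router>
      </network>
      <vsys>
        <entry name="vsys1">
          <address>
            <entry name="firewall-untrust-IP"><ip-netmask>192.168.1.4</ip-netmask></entry>
            <entry name="internal-load-balancer-IP"><ip-netmask>192.168.4.4</ip-netmask></entry>
          </address>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

ADDRESS_XPATH = "./devices/entry/vsys/entry/address/entry[@name='{name}']/ip-netmask"
NEXTHOP_XPATH = ("./devices/entry/network/virtual-router/entry[@name='default']"
                 "/routing-table/ip/static-route/entry/nexthop/ip-address")
USERS_XPATH = "./mgt-config/users"
DEMO_USER = "entry[@name='pandemo']"


def azure_default_gateway(prefix):
    """Azure reserves the first host address of every subnet as its default gateway."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address + 1)


def adapt_config(xml_text, untrust_prefix, firewall_untrust_ip, internal_lb_ip):
    """Return the configuration rewritten for the given Untrust prefix and addresses."""
    untrust = ipaddress.ip_network(untrust_prefix, strict=False)
    if ipaddress.ip_address(firewall_untrust_ip) not in untrust:
        raise ValueError(f"{firewall_untrust_ip} is not inside the Untrust subnet {untrust}")
    root = ET.fromstring(xml_text)

    # Address objects: point them at this firewall's untrust NIC and at the internal LB.
    for name, value in (("firewall-untrust-IP", firewall_untrust_ip),
                        ("internal-load-balancer-IP", internal_lb_ip)):
        node = root.find(ADDRESS_XPATH.format(name=name))
        if node is None:
            raise ValueError(f"address object {name} not found in configuration")
        node.text = value

    # Static route: the next hop is the gateway of the Untrust subnet actually deployed.
    for node in root.findall(NEXTHOP_XPATH):
        node.text = azure_default_gateway(untrust_prefix)

    # Remove the publicly documented demo administrator; add your own account separately.
    users = root.find(USERS_XPATH)
    demo = users.find(DEMO_USER) if users is not None else None
    if demo is not None:
        users.remove(demo)
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Return (untrust object, LB object, route next hop, demo user present) for review."""
    root = ET.fromstring(xml_text)
    return (root.find(ADDRESS_XPATH.format(name="firewall-untrust-IP")).text,
            root.find(ADDRESS_XPATH.format(name="internal-load-balancer-IP")).text,
            root.find(NEXTHOP_XPATH).text,
            root.find(USERS_XPATH + "/" + DEMO_USER) is not None)


if __name__ == "__main__":
    # Constructed values for a deployment that moved the Untrust subnet to 10.20.1.0/24.
    adapted = adapt_config(SAMPLE_XML, "10.20.1.0/24", "10.20.1.4", "10.20.4.4")
    print("before:", summarize(SAMPLE_XML))
    print("after: ", summarize(adapted))
```

Run it once per firewall with that firewall's own untrust address, then review the summary before importing: the next hop must end in .1 of your Untrust prefix and the last field must be False, meaning no pandemo account is left in the file you are about to load onto an Internet-reachable management interface.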