Deploy the Template to Azure

Use the following instructions to deploy the template to Azure.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
  1. Deploy the template.
    Currently not available for deploying in Azure China.
    1. Click
      Deploy to Azure
    2. Fill in the details for deploying the template. See VM-Series and Azure Application Gateway Template Parameters for a description and the default values, if any, for each parameter.
      At a minimum, you have to pick the
      Azure Subscription
      Resource Group
      Storage Account Name
      , and a
      SSH Key
      for the administrative account on the VM-Series firewalls.
    3. Click
      to accept the terms and conditions and deploy the resources.
      If you have validation errors, click to view the details and fix your errors.
    4. On the Azure portal, verify that you have successfully deployed the template resources, including the VM-Series firewalls.
      1. Select
        Resource Groups
        , select the resource group.
      2. Select
        to review all the resources that have been deployed. The deployment status should display
      3. Note the Public IP address or the DNS name assigned to
        to access the management interface of the VM-Series firewalls.
  2. Log in to the firewalls.
    1. Using a secure connection (https) from your web browser, log in to the IP address for eth0-VM-Series0 or the DNS name for the firewall.
    2. Enter the username/password you defined in the parameters file. You will see a certificate warning; that is okay. Continue to the web page.
  3. Configure the VM-Series firewall.
    You can either configure the firewall manually or import the Sample Configuration File provided in the GitHub repository and customize it for your security needs.
    • Configure the firewall manually
      —You must do the following at a minimum:
    1. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (
    2. Add a static rule to the virtual router on the firewall. This static rule specifies the firewall’s untrust interface IP address as the nexthop address for any traffic destined for ethernet1/1. (
      Virtual Routers
      , select the router and click
      Static Routes
    3. Create security policy rules (
      ) to allow inbound and outbound traffic on the firewall.
    4. Add NAT policies (
      ). You must create destination NAT and source NAT rules on the firewall to send traffic to the web servers and back out to the client who initiated the request.
      The destination NAT rule is for all traffic that arrives on the firewall’s untrust interface. This rule is required to translate the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and on to the backend web servers.
      The source NAT rule is for all traffic from the backend web server and destined to the untrust interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall
    5. Commit
      your changes.
      • Import the sample configuration file:
    6. Download and save the Sample Configuration File to your local client.
    7. Select
      , click
      Import named configuration snapshot
      to the sample configuration file that you have saved locally, and click
    8. Click
      Load named configuration snapshot
      , select the
      of the sample configuration file you just imported, and click
    9. Change the IP address of the address objects and the static route to match the IP address from the CIDR block you used. Update address objects to use the private IP addresses for eth1-VM-Series0 and eth1-VM-Series1.
    10. Important!
      Create a new admin user account. Select
      a new account.
    11. Modify the
      in the General Settings widget in
    12. Commit
      your changes, and log out. The commit overwrites the running configuration with the sample configuration file and updates you just made. On commit, the hostname and the administrator user account that you specified when deploying the template are overwritten. You will now need to log in using the new admin user account and password.
      • Log in to the firewall
        —Use the credentials you created and delete the pandemo administrative account imported as part of the sample configuration file.
  4. Log in and configure the other instance of the VM-Series firewall.
  5. Verify that you have configured the firewalls properly.
    From your web browser, use http to access the IP address or DNS name for the app gateway. You should be able to view the default Apache 2 Ubuntu web page.
    If you have used the sample configuration firewall, log in to the firewall and view the Traffic logs generated on session start in

Recommended For You