Deploy the VM-Series Firewall From the Oracle Cloud Marketplace
Complete the following procedure to deploy the VM-Series firewall in OCI from the Oracle Cloud Marketplace.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
- Log in to the Oracle Cloud Marketplace.
- Find the VM-Series firewall application in the Oracle Cloud Marketplace.
  - Search for Palo Alto Networks and a list of offerings for the VM-Series firewall will display.
  - Select an offering.
  - Click Get App.
  - Select your Region and click Sign In.
  - Select the Version and Compartment.
  - Accept the Oracle and Partner terms.
  - Click Launch Instance.
- Enter a descriptive Name for your VM-Series firewall instance.
- Select an Availability Domain.
- Select Virtual Machine under Shape Type.
- Select the shape with the number of CPUs, amount of RAM, and number of interfaces required for the VM-Series firewall model. See the Compute Shapes page for the amount of resources provided by the different compute shapes. See VM-Series System Requirements for more information about the resources required for each VM-Series firewall model.
- Under Networking, select your Virtual cloud network compartment, Virtual cloud network, Subnet compartment, and Subnet for your management interface. You can only add one interface when creating the VM-Series firewall instance. You will add additional interfaces later.
- (Optional) Set the boot volume to a size larger than the default. By default, the boot volume is set to 60 GB. Complete this procedure if you require a larger boot volume to support features such as attaching logs.
  - Select Custom boot volume size (in GB).
  - Enter 60 or greater. 60 GB is the minimum hard drive size required by the VM-Series firewall.
- Add your SSH key.
  - Under Add SSH Key, select Paste SSH Key.
  - Paste your SSH key into the field provided.
- Add the bootstrapping parameters.
  - Click Show Advanced Options.
  - Under User data, select Paste cloud-init script.
  - Paste the bootstrap parameters into the field provided.
      hostname=<fw-hostname>
      vm-auth-key=<auth-key>
      panorama-server=<panorama-ip>
      panorama-server-2=<panorama2-ip>
      tplname=<template-stack-name>
      dgname=<device-group-name>
      authcodes=<firewall-authcode>
      op-command-modes=jumbo-frame
- Click Create. When the VM-Series firewall is launched, OCI creates and attaches a primary VNIC to the instance. This VNIC resides in the subnet you specified in the instance network setting and connects to the VM-Series firewall’s management interface.
- Configure a new administrative password for the firewall.
  - Use the management IP address to SSH into the command line interface (CLI) of the VM-Series firewall.
  - Enter the following command to log in to the firewall:
      ssh -i <private_key.pem> admin@<public-ip_address>
  - Configure a new password using the following commands, and follow the onscreen prompts:
      configure
      set mgt-config users admin password
- Attach a vNIC to your VM-Series firewall instance for each data interface. You must attach at least two data interfaces to your firewall instance: untrust and trust.
  - Select your newly launched VM-Series firewall instance and select Attached VNICs > Create VNIC.
  - Enter a descriptive Name for your vNIC.
  - Select your VCN from the Virtual Cloud Network drop-down.
  - Select your subnet from the Subnet drop-down.
  - Specify a Private IP Address. This is only required if you want to choose a particular IP for the vNIC. If you do not specify an IP, OCI will assign an IP address from the CIDR block you assigned to the subnet.
  - Select Assign Public IP Address for public-facing vNICs such as your untrust subnet.
  - Click Create VNIC.
  - Repeat this procedure for each vNIC your deployment requires.
- Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
  Only delete interfaces from the bottom of the interface list. Deleting firewall interfaces in the wrong order results in an interface mismatch between the firewall and OCI. For example, suppose you have five data interfaces, delete interface two on the firewall, and add a new interface at the bottom. After the firewall reboots, the newly added interface takes the place of the deleted interface two instead of taking a place at the bottom of the list.
  - Log in to the firewall.
  - Click the link for ethernet 1/1 and configure as follows:
    - Interface Type: Layer3
    - On the Config tab, assign the interface to the default router.
    - On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
    - On the IPv4 tab, select either Static.
    - Click Add in the IP section and enter the IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
  - Repeat this procedure for each vNIC configured in your VCN except your management vNIC.
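
The interface rules in this procedure (IPv4 only, at least two data vNICs, firewall address equal to the vNIC address) can be checked before committing. The following is an added example, not part of the original documentation: it assumes the n-th data vNIC in attach order corresponds to ethernet1/n, and the function name, input layout, and all addresses are constructed for illustration.

```python
import ipaddress

def check_interface_plan(vnics, fw_interfaces):
    """Return findings for a vNIC list (attach order, primary first) and a
    dict of firewall Layer3 addresses keyed by interface name."""
    findings = []
    data_vnics = vnics[1:]  # vnics[0] is the primary (management) VNIC
    if len(data_vnics) < 2:
        findings.append("need at least two data vNICs (untrust and trust)")
    expected = set()
    for n, vnic in enumerate(data_vnics, start=1):
        name = f"ethernet1/{n}"  # assumption: n-th data vNIC <-> ethernet1/n
        expected.add(name)
        try:
            ip = ipaddress.ip_address(vnic["private_ip"])
            subnet = ipaddress.ip_network(vnic["subnet_cidr"])
            fw = fw_interfaces.get(name)
            fw_ip = ipaddress.ip_interface(fw).ip if fw else None
        except ValueError as exc:
            findings.append(f"{name}: unparsable address ({exc})")
            continue
        if ip.version != 4 or subnet.version != 4:
            findings.append(f"{name}: vNIC {vnic['name']} is not IPv4")
        elif ip not in subnet:
            findings.append(f"{name}: {ip} is outside subnet {subnet}")
        if fw_ip is None:
            findings.append(f"{name}: no address configured for vNIC {vnic['name']}")
        elif fw_ip != ip:
            findings.append(f"{name}: firewall has {fw_ip}, vNIC {vnic['name']} has {ip}")
    # Firewall interfaces with no vNIC behind them indicate a list mismatch.
    for name in sorted(set(fw_interfaces) - expected):
        findings.append(f"{name}: configured on firewall, no vNIC attached")
    return findings

# Constructed sample data: management, untrust and trust vNICs.
VNICS = [
    {"name": "mgmt", "private_ip": "10.0.0.10", "subnet_cidr": "10.0.0.0/24"},
    {"name": "untrust", "private_ip": "10.0.1.10", "subnet_cidr": "10.0.1.0/24"},
    {"name": "trust", "private_ip": "10.0.2.10", "subnet_cidr": "10.0.2.0/24"},
]
FW_GOOD = {"ethernet1/1": "10.0.1.10/24", "ethernet1/2": "10.0.2.10/24"}
FW_SWAPPED = {"ethernet1/1": "10.0.2.10/24", "ethernet1/2": "10.0.1.10/24"}

if __name__ == "__main__":
    for label, fw in (("good", FW_GOOD), ("swapped", FW_SWAPPED)):
        print(label, check_interface_plan(VNICS, fw) or "OK")
```

A swapped trust/untrust assignment, the kind of mismatch the deletion-order warning describes, shows up as one finding per affected interface.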