Create and Configure the VM-Series Firewall

Learn how to create a VM-Series instance in Alibaba Cloud, and create the network interfaces for the VM-Series firewall.
This task uses the ECS console to create a VM-Series firewall instance with a minimum of three interfaces: management, untrust, and trust. An ECS instance supports a single NIC by default, and automatically attaches an Elastic Network Interface (ENI) to it. To support the VM-Series firewall, you must separately create the Untrust and Trust Elastic Network Interfaces (ENIs) and attach them to your instance.
  1. From the Alibaba Cloud console home page, select Elastic Compute Service > Instances & Images > Instances, and click Create Instance on the upper right.
  2. Select Custom Launch.
  3. Basic Configurations.
    1. Fill in the following values. For example:
      Property: Value
      Billing Method: Subscription.
      Region: Your choice. You can also select a Zone. The region you select must provide one of the required instance types.
      Instance Type: One of the types in Alibaba Cloud Instance Type Recommendations for the VM-Series Firewall. You can use Type-based Selection to search for the instance type.
      Image: Select Marketplace Image and search the Alibaba Marketplace for “VM-Series”. The image combines the OS and the VM-Series firewall.
      Storage: Choose a disk type and specify 60 GB.
      Snapshot: Your choice.
      Duration: Your choice.
    2. Select Next: Networking.
  4. On the Networking page, supply the following values.
    1. Network (select VPC).
    2. Public IP Address.
      If you do not have a public IP address, enable Assign Public IP address and the system will allocate one. If you must use a specific IP address, or an address in a specific range, you can request a custom IP address. Refer to the Elastic IP Address User Guide.
    3. Security Group.
      Select the Management security group.
    4. Elastic Network Interface.
      The Management interface is already attached to eth0.
    5. Select Next: System Configurations.
  5. On the System Configurations page, fill in the following values.
    1. Logon Credentials: Select Key Pair.
      Password authentication is not supported.
    2. Name the VM-Series firewall instance and supply a Host name.
      Make any corrections.
      Select Preview to view your settings thus far.
    3. Next to Advanced (based on instance RAM roles or cloud-init), click Show.
      • The RAM role is optional.
      • In the User Data field, enter basic bootstrap information as key-value pairs separated by newlines. See Enter a Basic Configuration as User Data (Public Clouds). For example, enter the following in the User Data field.
        type=dhcp-client
        hostname=Ca-FW-DC1
        vm-auth-key=7550362253****
        panorama-server=10.*.*.20
        panorama-server-2=10.*.*.21
        tplname=FINANCE_TG4
        dgname=finance_dg
        op-cmd-dpdk-pkt-io=on
        dhcp-send-hostname=yes
        dhcp-send-client-id=yes
        dhcp-accept-server-hostname=yes
        dhcp-accept-server-domain=yes
        authcodes=I7115398
        vm-series-auto-registration-pin-id=abcdefgh1234****
        vm-series-auto-registration-pin-value=zyxwvut-0987****

        op-command-modes (mgmt-interface-swap and jumbo frame) are not supported for Alibaba Cloud.
        op-cmd-dpdk-pkt-io=on supports DPDK. If you want to specify PacketMMAP, specify op-cmd-dpdk-pkt-io=off.
        Grouping is optional. Select Preview to view the configuration before ordering.
  6. View the terms of service, and select Create Order to create the VM-Series firewall instance.
    View the purchase order and select Subscribe.
  7. From the console home page, choose Elastic Compute Service > Networks and Security > ENIs and select Create ENI in the top right corner. Create elastic network interfaces for the Untrust and Trust interfaces.
    1. Create the Untrust ENI.
      In the Actions column, select Bind to Instance and select the instance you just created.
    2. Create the Trust ENI and bind it to the instance.
  8. Allocate Elastic IP (EIP) addresses.
    Allocate EIP addresses for the VM-Series firewall Management interface and the Untrust network interface. In this example the Trust interface is not exposed to the internet, so you don’t need a third IP address.
    If you already have two EIPs, go to the next step.
    1. Associate an EIP with the VM-Series firewall Management interface.
    2. Associate an EIP with the VM-Series firewall Untrust network interface.
      The second interface you attach is assigned to network interface 1 on the VM-Series firewall.
  9. Restart your instance to attach the new network interfaces.
    On the Instances list, select your instance, select Manage, and select Restart on the upper right.
  10. SSH in to the VM-Series firewall with the security key and set the admin password:
    developer1$ ssh -i dev1-vpc1.pem admin@18.***.145.153
    Welcome admin.
    admin> configure
    Entering configuration mode
    [edit]
    admin# set mgt-config users admin password
    Enter password: <password>
    Confirm password: <password>
    [edit]
    admin# commit
  11. Access the VM-Series firewall web interface.
    Open a web browser and enter the EIP for the management interface.
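
The User Data rules from step 5 (one key=value pair per line, op-command-modes not supported on Alibaba Cloud, op-cmd-dpdk-pkt-io set to on or off) can be checked before the block is pasted into the console. This is an added example, not Palo Alto Networks code; the function names, the constructed sample blocks and the choice of which keys to redact are assumptions.

```python
import re

# Keys from this page's sample User Data; not the full bootstrap parameter set.
PAGE_KEYS = {
    "type", "hostname", "vm-auth-key", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "op-cmd-dpdk-pkt-io", "dhcp-send-hostname",
    "dhcp-send-client-id", "dhcp-accept-server-hostname",
    "dhcp-accept-server-domain", "authcodes",
    "vm-series-auto-registration-pin-id",
    "vm-series-auto-registration-pin-value",
}
# Assumption: these values are credentials and must not reach logs or tickets.
SECRET_KEYS = {"vm-auth-key", "authcodes", "vm-series-auto-registration-pin-id",
               "vm-series-auto-registration-pin-value"}

def lint_user_data(text):
    """Return (accepted settings, list of problems) for a User Data block."""
    settings, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if re.search(r"\s", line):
            problems.append(f"line {n}: whitespace found; put each key=value on its own line")
        elif not (sep and key and value):
            problems.append(f"line {n}: not a key=value pair")
        elif key in settings:
            problems.append(f"line {n}: duplicate key {key}")
        elif key == "op-command-modes":
            problems.append(f"line {n}: op-command-modes is not supported on Alibaba Cloud")
        elif key == "op-cmd-dpdk-pkt-io" and value not in ("on", "off"):
            problems.append(f"line {n}: op-cmd-dpdk-pkt-io must be on (DPDK) or off (PacketMMAP)")
        elif key not in PAGE_KEYS:
            problems.append(f"line {n}: {key} is not in the page's sample; check the spelling")
        else:
            settings[key] = value
    return settings, problems

def redact(settings):
    """Copy of the settings that is safe to print or attach to a change record."""
    return {k: "<redacted>" if k in SECRET_KEYS else v for k, v in settings.items()}

# Constructed sample input (placeholder values, not real keys).
GOOD = "type=dhcp-client\nhostname=Ca-FW-DC1\nvm-auth-key=EXAMPLE-KEY\nop-cmd-dpdk-pkt-io=on\n"
BAD = ("type=dhcp-client hostname=Ca-FW-DC1\nop-command-modes=mgmt-interface-swap\n"
       "op-cmd-dpdk-pkt-io=yes\nhostnme=fw1\n")

if __name__ == "__main__":
    for name, block in (("GOOD", GOOD), ("BAD", BAD)):
        accepted, found = lint_user_data(block)
        print(name, redact(accepted), found)
```

Because the User Data field carries the VM auth key, auth codes and registration PIN, keep only the redacted form in change records.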
