Deploy the VM-Series with the Azure Gateway Load Balancer

You can now deploy the VM-Series firewall for Azure integrated with the Azure gateway load balancer (GWLB). With the Azure GWLB you no longer need a standard load balancer, which requires the VM-Series firewall to apply source NAT to traffic in order to maintain flow symmetry. Source NAT hides the original source address from the applications behind the firewall. With the Azure GWLB, the packet header and payload remain intact, so the destination sees the true source address. When Azure GWLB integration is enabled, the GWLB forwards traffic to the VM-Series in VXLAN tunnels; the firewall inspects the inner packet and applies policy to it.
When deployed behind an Azure GWLB, you must create subinterfaces on the firewall to enforce zone-based security policy, and you must assign VLAN tags 1 and 2 to the respective subinterfaces.
With this integration, you can deploy the VM-Series firewall as a backend to the Azure GWLB in all supported regions.
VM-Series firewall integration with the Azure gateway load balancer requires PAN-OS 10.1.4 or later.
  1. Create the custom PA-VM image for Azure from the uploaded VHD.
    az image create -g <resource-group> -n <image-name> --os-type Linux --source <vhd_path>
  2. Create the management virtual network before deploying the VM-Series firewall. See the Azure documentation for more information.
    Ensure that the management subnet allows HTTPS and SSH traffic for management access, and restrict the source addresses that may reach it to your administrative networks.
  3. Deploy the VM-Series firewall in the management virtual network from the custom PA-VM image using the Azure Portal.
    1. On the Networking tab, set the management public IP address SKU type to Standard.
    2. On the Advanced tab, configure the VNIs and ports for the internal and external tunnels.
      The VNI and port information is defined using the Custom Data field in the Azure portal. You must define the internal and external port and VNI numbers in the range of 800 to 1000, and they must match the tunnel interface settings configured on the Azure GWLB.
      plugin-op-commands=azure-gwlb-inspect:enable+internal-port-<internalport>+external-port-<externalport>+internal-vni-<internalvni>+external-vni-<externalvni>
  4. Configure the dataplane network interface as a Layer 3 interface on the firewall.
    1. Log in to the VM-Series firewall web interface.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for ethernet1/1 and configure it as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default virtual router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone and then click OK.
      • On the IPv4 tab, set the Type to DHCP Client; the interface acquires the private IP address that Azure assigned to the data network interface.
      • On the Advanced tab, create an interface management profile that permits the GWLB health checks to reach the firewall on this interface. Do not enable management services (HTTPS, SSH) on the dataplane interface.
    4. Click Commit. Verify that the link state for the interface is up.
  5. (Optional) If you enable health probes on the GWLB, you must create a static route and disable Automatically create default route pointing to default gateway provided by server on the VM-Series firewall.
    1. Log in to the VM-Series firewall web interface.
    2. Select Network > Interfaces and select your data interface.
    3. On the IPv4 tab, clear Automatically create default route pointing to default gateway provided by server.
    4. Click OK.
    5. Select Network > Virtual Routers and select the virtual router associated with the data interface.
    6. Select Static Routes and click Add.
    7. Configure the static route so that replies to the health probes are routed out the data interface.
    8. Click OK.
    9. Commit your changes.
  6. To enforce zone-based security policies, create two subinterfaces under ethernet1/1.
    1. Log in to the firewall web interface.
    2. Select Network > Interfaces > Ethernet.
    3. Highlight ethernet1/1 and click Add Subinterface.
    4. Enter a numerical suffix (1 to 9,999) to identify the subinterface.
    5. Enter a VLAN Tag (1 to 4,094) for the subinterface; use 1 for the first subinterface and 2 for the second. This field is required but the VLAN is not used.
    6. Select a Virtual Router.
    7. Select a Security Zone.
    8. On the IPv4 tab, set the Type to DHCP Client.
    9. Click OK.
    10. Repeat these steps for the second subinterface.
    11. Commit your changes.
