Deploy the VM-Series Firewall on Azure Stack
Azure Stack is Microsoft’s Azure cloud within your own datacenter. Deploy the firewall to secure your workloads in your Azure Stack (on-premise) implementation and shift into the public Azure cloud as needed.
You can deploy the VM-Series firewall on Azure Stack to secure inter-subnet traffic between applications in a multi-tier architecture and outbound traffic from servers within your Azure Stack deployment. If you want to use the VM-Series firewall as a gateway that secures inbound traffic destined to the servers within your Azure Stack deployment, you must deploy a NAT appliance in front of the firewall that receives inbound traffic and forwards it to the firewall. The NAT appliance is required because on Azure Stack you cannot assign a public IP address to a non-primary interface of a virtual machine, such as the VM-Series firewall.
Unlike on public Azure, you do not have a solution template to deploy the VM-Series firewall on Azure Stack. Therefore, you must use an ARM template to deploy the VM-Series firewall. To get started, you can use the community supported sample ARM template on GitHub, and then develop your own ARM template for production deployments.
The VM-Series firewall on Azure Stack does not support bootstrapping, Azure Application Insights, or the Azure Security Center integration.
- To deploy the VM-Series firewall on Azure Stack, you need access to the BYOL offer of the VM-Series firewall PAN-OS image (8.1 or later). You can download the image directly from the Azure Marketplace to Azure Stack in a connected deployment.
- Access the Azure Stack portal. Your Azure Stack operator (either a service provider or an administrator in your organization) should provide the correct URL to access the portal.
- Deploy the VM-Series firewall. A solution template for the VM-Series firewall is not available on Azure Stack. Therefore, you must reference the image that you downloaded in the previous step in an ARM template to deploy the VM-Series firewall. To get started, you can deploy the sample ARM template that is available on GitHub under the community supported policy:
- Get the sample Azure Stack GitHub template.
  - Select azurestackdeploy.json to view the contents.
  - Click Raw and copy the contents of the JSON file.
- Deploy the sample GitHub template. You can deploy the firewall in an existing resource group that is empty or into a new resource group. The default VNet in the template is 192.168.0.0/16, and the template deploys a VM-Series firewall that has three network interfaces: one management interface on the 192.168.0.0/24 subnet and two dataplane interfaces on the 192.168.1.0/24 and 192.168.2.0/24 subnets. You can customize these subnets to match your needs.
  - Log in to the Azure Stack portal.
  - Select New > Custom > Template deployment.
  - Edit template, delete all existing content in the template, paste the JSON template contents you copied earlier, and Save.
  - Edit parameters, enter the values for the required parameters and modify the defaults if you need to, then click OK.
  - Choose the Subscription you want to use, and then click OK.
  - Choose an existing Resource Group that is empty or create a new one, and click OK.
  - Click Create. A new tile on the dashboard displays the progress of the template deployment.
- Next Steps:
  - Log in to the web interface of the firewall. Using a secure connection (https) from your web browser, log in to the DNS name for the firewall. Enter the username/password you defined earlier. You will see a certificate warning; that is okay. Continue to the web page.
  - Activate the licenses on the VM-Series firewall.
    - On the firewall web interface, select Device > Licenses and select Activate feature using authentication code.
    - Enter the capacity auth-code that you registered on the support portal. The firewall connects to the update server (updates.paloaltonetworks.com), downloads the license, and reboots automatically.
    - Log back in to the web interface and, on the Dashboard, confirm that a valid Serial# displays. The VM Mode displays as Microsoft Azure. If the term Unknown displays, it means the device is not licensed. To view traffic logs on the firewall, you must install a valid capacity license.
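If you customize the template's default address plan described in the deployment step above, you can check the new plan before you paste values into Edit parameters. The following Python check is an added example, not part of the sample template or of Palo Alto Networks tooling; the labels `management`, `dataplane1`, and `dataplane2` are names chosen for this example and are not the template's parameter names.

```python
import ipaddress
from itertools import combinations

# Defaults stated on this page for the sample template.
DEFAULT_VNET = "192.168.0.0/16"
DEFAULT_SUBNETS = {  # keys are labels for this example only
    "management": "192.168.0.0/24",
    "dataplane1": "192.168.1.0/24",
    "dataplane2": "192.168.2.0/24",
}


def check_address_plan(vnet, subnets):
    """Return a list of problems in the plan; an empty list means it is consistent."""
    try:
        vnet_net = ipaddress.ip_network(vnet, strict=True)
    except ValueError as exc:
        return [f"VNet {vnet!r}: {exc}"]

    problems = []
    parsed = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects prefixes with host bits set, e.g. 192.168.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name} {cidr!r}: {exc}")
            continue
        # Every interface subnet must sit inside the VNet address space.
        if net.version != vnet_net.version or not net.subnet_of(vnet_net):
            problems.append(f"{name} {net} is outside VNet {vnet_net}")
        parsed[name] = net

    # The management and dataplane subnets must not overlap one another.
    for (a, net_a), (b, net_b) in combinations(parsed.items(), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    return problems


if __name__ == "__main__":
    for line in check_address_plan(DEFAULT_VNET, DEFAULT_SUBNETS) or ["plan is consistent"]:
        print(line)
```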