Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
Use Google® Cloud Platform Marketplace to deploy the VM-Series firewall with a minimum of three interfaces (Management, Trust, and Untrust).
You can use Google® Cloud Platform Marketplace to deploy the VM-Series firewall on a VM-300 capacity license. The licensed images available from Cloud are:
- VM-Series Next-Generation Firewall Bundle 1
- VM-Series Next-Generation Firewall Bundle 2
- VM-Series Next-Generation Firewall (BYOL)
See VM-Series Firewall Licenses for Public Clouds for more about these license options.
The Marketplace deploys an instance of the VM-Series firewall with a minimum of one management interface and two dataplane interfaces (Trust and Untrust). You can add additional dataplane interfaces for up to five Google Compute Engine instances in your virtual private cloud (VPC).
Before you deploy the VM-Series firewall, you must create or choose a project in your organization and create any networks and subnets that will connect to the firewall, as described in VPC Network Planning and Network Interface Planning.
You cannot attach multiple network interfaces to the same VPC network. Every interface you create must have a dedicated network with at least one subnet. Ensure that your networks include any additional dataplane instances you create.
- Locate the VM-Series firewall listing in the Marketplace.
- Log in to the Google Cloud Console.
- From the Products and Services menu, select Marketplace.
- Search for VM-Series.
- Select one of the VM-Series firewall licensing options.
- Click Launch on Compute Engine.
- Name the instance and choose resources.
- Enter the Deployment Name (this name is displayed in the Deployment Manager). The name must be unique and cannot conflict with any other deployment in the project.
- Select a Zone. See Regions and Zones for a list of supported zones.
- Select a Machine Type based on the VM-Series System Requirements for your license and the Minimum System Requirements for the VM-Series Firewall on Google Cloud Platform.
- Specify instance metadata. The options Bootstrap Bucket and Interface Swap affect the initial configuration the first time the VM-Series firewall
- Bootstrap Bucket (Optional)—If you plan to use a bootstrap file, enter the name of a storage bucket with the bootstrap configuration described in Bootstrap Package.
- Interface Swap (Optional)—Swap the Management interface (eth0) and the first dataplane interface (eth1) at deployment time. Interface swap is only necessary when you deploy the VM-Series firewall behind Google Cloud Platform HTTP(S) Load Balancing. For details, see Management Interface Swap for Google Cloud Platform Load Balancing.
- SSH key—Paste in the public key from an SSH key pair. Follow the instructions for your OS in SSH Key Pair to create, copy, and paste the key. Windows users must view the key in PuTTY, copy from the user interface, and paste into Marketplace deployment. If the key is not formatted properly, the VM-Series firewall does not allow you to log in. You must delete the deployment and start over.
- Click More to reveal additional metadata options. The options blockProjectKeys and enableSerialConsole are properties of the instance; you can change these metadata values after a successful deployment.
- Configure the boot disk.
- Boot disk type—Select from SSD Persistent disk or Standard Persistent Disk. See Storage Options.
- Enter the Boot disk size—60GB is the minimum size. You can edit the disk size later but you must stop the VM to do so.
- Configure the management interface.
- Management VPC Network name—Choose an existing network.
- Management Subnet name—Choose an existing subnet.
- Enable External IP for Management interface (Optional)—If you enable this option, you can use the IP address assigned to the VM-Series firewall management interface to use SSH to access the VM-Series firewall web interface.
- Enable GCP Firewall rule for connections to Management interface (Optional)—This option automatically creates a GCP firewall Allow rule for an external source IP address that you supply.
- Source IP in GCP Firewall rule for connections to Management Interface—If you Enable GCP Firewall rule for connections to Management interface, enter a source IP address or a CIDR block.
- Do not use 0.0.0.0/0. Supply an IP address or a CIDR block that corresponds to your dedicated management IP addresses or network. Do not make the source network range larger than necessary.
- Verify the address to ensure that you do not lock yourself out.
- Configure the Untrust dataplane interface.
- Untrust VPC Network name—Choose an existing network.
- Untrust Subnet name—Choose an existing subnet.
- Enable External IP for Untrust—Enable GCP to provide an ephemeral IP address to act as the external IP address.
- Configure the Trust dataplane interface.
- Configure additional interfaces. You must enter the number of dataplane interfaces you want to add; the default is 0 (none). The deployment page always displays fields for five additional dataplanes numbered 4 through 8.
- Additional Dataplane interfaces—Enter the number of additional dataplane instances. If this number is 0 (default), dataplane numbers 4 through 8 are ignored even if you fill out the interface fields. If, for example, you specify 2 and then fill out information for three interfaces, only the first two are created.
- Additional Dataplane # VPC name—Choose an existing network.
- Dataplane # Subnet name—Choose a subnet that exists.
- Enable External IP for dataplane # interface—Enable GCP to provide an ephemeral IP address to act as the external IP address.
- Deploy the instance.
- Use Google Cloud Deployment Manager to view and manage your deployment.
- Use the CLI to change the administrator password on the
- Log in to the VM-Series firewall from the command line. In your SSH tool, connect to the External IP for the management interface, and specify the path to your private key. Windows users: Use PuTTY to connect to the VM-Series firewall and issue command line instructions. To specify the path to the private key, select Connection > SSH > Auth. In Private key file for authentication, click Browse to select your private key.
- Enter configuration mode: VMfirewall> configure
- Enter the following command: VMfirewall# set mgt-config users admin password
- Enter and confirm a new password for the administrator.
- Commit your new password: VMfirewall# commit
- Return to command mode: VMfirewall# exit
- (Optional) If you used a bootstrap file for interface swap, use the following command to view the interface mapping: VMfirewall> debug show vm-series interfaces all
- Access the VM-Series firewall web interface.
After you log in to the firewall, you can add administrators and create interfaces, zones, NAT rules, and policy rules, just as you would on a physical firewall.
- In a browser, create a secure (https) connection to the IP address for the management interface. If you get a network error, check to see that you have a GCP firewall rule that allows the connection.
- When prompted, enter the username (admin) and the administrator password you specified from the CLI.
- (Optional) If you bootstrapped, then Verify Bootstrap Completion. If you see problems, search the log information on the VM-Series firewall. Choose Monitor > System and, in the manual search field, enter description contains 'bootstrap' and look for a message in the results that indicates that the bootstrap was successful.
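A pre-deployment check of the values this procedure asks for, written as an added example that is not part of the original documentation or of any Palo Alto Networks tooling. It tests the constraints stated above: one dedicated network per interface, the additional dataplane count, the 60GB boot disk minimum, a well-formed SSH public key, and a narrow management source range. The plan dictionary layout, the function names, the /24 threshold, the acceptance of an optional username: prefix on the key, and the assumption that the GCP firewall rule option is enabled are all choices made for the example.

```python
import base64
import ipaddress

MIN_BOOT_DISK_GB = 60        # from the page: 60GB is the minimum boot disk size
MAX_EXTRA_DATAPLANES = 5     # from the page: fields exist for dataplanes 4 through 8
MAX_MGMT_SOURCE_ADDRS = 256  # assumption: anything wider than a /24 is too broad

def ssh_key_ok(key):
    """True for a single line 'type base64 [comment]' whose blob embeds the same type."""
    parts = key.strip().split()
    if "\n" in key.strip() or len(parts) < 2:
        return False
    key_type = parts[0].rpartition(":")[2]  # tolerate GCP's optional 'username:' prefix
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    n = int.from_bytes(blob[:4], "big")  # 4-byte length, then the key type string
    return n > 0 and blob[4:4 + n] == key_type.encode()

def check_plan(plan):
    """Return findings for a planned deployment; an empty list means none."""
    findings, nets = [], plan["networks"]  # one VPC network name per interface
    for dup in sorted({n for n in nets if nets.count(n) > 1}):
        findings.append(f"network {dup} is attached to more than one interface")
    extra = plan["additional_dataplanes"]
    if not 0 <= extra <= MAX_EXTRA_DATAPLANES:
        findings.append("additional dataplane count must be 0 to 5")
    elif len(nets) != 3 + extra:  # Management, Untrust, Trust plus the extras
        findings.append(f"{len(nets)} interfaces planned, {3 + extra} will be created")
    if plan["boot_disk_gb"] < MIN_BOOT_DISK_GB:
        findings.append("boot disk is smaller than 60GB")
    if not ssh_key_ok(plan["ssh_key"]):
        findings.append("SSH public key is not one well-formed line")
    try:
        src = ipaddress.ip_network(plan["mgmt_source"], strict=False)
    except ValueError:
        findings.append("management source is not an IP address or CIDR block")
    else:
        if src.prefixlen == 0:
            findings.append("management source is open to every address (/0)")
        elif src.num_addresses > MAX_MGMT_SOURCE_ADDRS:
            findings.append(f"management source {src} is wider than a /24")
    return findings

# Constructed sample values, not taken from any real deployment.
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(32)).decode()
GOOD_PLAN = {"networks": ["mgmt-vpc", "untrust-vpc", "trust-vpc"], "additional_dataplanes": 0,
             "boot_disk_gb": 60, "ssh_key": SAMPLE_KEY, "mgmt_source": "203.0.113.0/28"}
print(check_plan(GOOD_PLAN))
```

A key that was wrapped onto a second line when copied fails ssh_key_ok, which is the formatting mistake that otherwise forces you to delete the deployment and start over.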