Launch the VM-Series Firewall in OCI

After uploading the KVM qcow2 image to OCI and configuring a Virtual Cloud Network (VCN), you are ready to launch the VM-Series firewall.
The VM-Series firewall image boots up with the default username and password (admin/admin). To ensure that your VM-Series firewall instance is protected until you can change the default password, restrict the security list of the management subnet to your source IP address before deploying the VM-Series firewall.
  1. Select Compute > Instances and click Create Instance.
  2. Enter a descriptive Name for your VM-Series firewall instance.
  3. Select an Availability Zone.
  4. Select your VM-Series image file.
    1. Select Change Image Source > Custom Images.
    2. Select your VM-Series image file.
    3. Click Select Image.
  5. Select Virtual Machine under Shape Type.
  6. Select the shape with the number of CPUs, amount of RAM, and number of interfaces required for the VM-Series firewall model. See the Compute Shapes page for the amount of resources provided by the different compute shapes. See VM-Series System Requirements for more information about the resources required for each VM-Series firewall model.
  7. Under Networking, select your Virtual cloud network compartment, Virtual cloud network, Subnet compartment, and Subnet for your management interface.
  8. Click Create Instance.
  9. (Optional) If you need more storage than the minimum 60 GB required by the VM-Series firewall, you can create and attach a storage volume to your VM-Series firewall instance.
    1. Select Storage > Block Volumes > Create Block Volume.
    2. Select your compartment.
    3. Enter a descriptive Name for your block storage volume.
    4. Select an Availability Zone.
    5. Enter the size for your block volume.
    6. Click Create Block Volume.
    7. Select Compute > Instances, click your newly created instance, and select Attached Block Volumes > Attach Block Volume.
    8. Select Paravirtualized.
    9. Select your compartment.
    10. Select the block volume you created previously from the Block Volume drop-down.
    11. Select Read/Write.
    12. Click Attach.
    13. Reboot the VM-Series firewall instance by clicking Reboot on the Instance Details page.
  10. Attach a vNIC to your VM-Series firewall instance for each subnet you created previously.
    1. Select your newly launched VM-Series firewall instance and select Attached VNICs > Create VNIC.
    2. Enter a descriptive Name for your vNIC.
    3. Select your VCN from the Virtual Cloud Network drop-down.
    4. Select your subnet from the Subnet drop-down.
    5. Specify a Private IP Address. This is only required if you want to choose a particular IP for the vNIC. If you do not specify an IP, OCI assigns an IP address from the CIDR block you assigned to the subnet.
    6. Select Assign Public IP Address for public-facing vNICs such as your untrust subnet.
    7. Click Create VNIC.
    8. Repeat this procedure for each vNIC your deployment requires.
  11. Point the trust subnet's route table at the private IP address of your trust vNIC.
    1. Select Networking > Virtual Cloud Networks > <your VCN> > Route Tables > <your trust route table> > Edit Route Rules.
    2. Change the Target Type to Private IP.
    3. Enter the IP address you assigned to your trust vNIC.
    4. Click Save.
  12. Change the default password through a console connection to the firewall.
    1. Configure a console connection.
      1. Generate a public key and copy it.
      2. Log in to the OCI console.
      3. Select Compute > Instances and click your VM-Series firewall instance.
      4. Select Console Connections > Create Console Connection > Paste SSH Keys.
      5. Paste your key and click Create Console Connection.
    2. Open a console connection to the VM-Series firewall.
      1. Select Connect with SSH.
      2. Copy the string used to open the console connection to the VM-Series firewall.
      3. Open a terminal on your computer and, from the directory containing your keypair, paste the string you copied above and press Enter.
    3. Change the password.
      1. Enter configuration mode.
        admin@PA-VM> configure
      2. Execute the following command to change the password. When prompted, enter your new password and enter it again to confirm.
        admin@PA-VM# set mgt-config users admin password
      3. Commit your changes.
  13. Disable DPDK on the firewall. The VM-Series firewall on OCI supports Packet MMAP only. DPDK is enabled by default and must be disabled.
    1. Log in to the firewall CLI.
    2. Disable DPDK.
      admin@PA-VM> set system setting dpdk-pkt-io off
    3. Restart the firewall.
  14. Add route rules to the management route table to give yourself SSH and web interface access to the firewall.
    1. Select Networking > Virtual Cloud Networks and click your VCN.
    2. Select Route Tables and click your management route table.
    3. Select Edit Route Rules > + Another Route Rule.
    4. Select your compartment.
    5. Enter a descriptive Name for your route rule.
    6. Select a target type. For subnets that are publicly accessible, select Internet Gateway.
    7. Enter a Destination CIDR Block.
    8. Select the internet gateway you created previously from the Target Internet Gateway drop-down.
    9. Click Save.
  15. Edit security lists to give yourself SSH and web interface access to the firewall.
    1. From your VCN, select Security Lists > mgmt-security-list > Edit All Rules.
      mgmt-security-list is the default name used in the Terraform template file. If you have changed this value, locate your management security list.
    2. Select CIDR from the Source Type drop-down and enter the Source CIDR block.
    3. Select TCP from the IP Protocol drop-down.
    4. (Optional) Enter source and destination ports or port ranges. If you leave these fields blank, all ports are allowed. Port 22 is required for SSH access and port 443 is required for SSL access to the firewall web interface.
    5. Click Create Security List.
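The introduction to this procedure asks you to restrict the management security list to your own source address before the firewall boots with its default credentials, and step 15 notes that a blank port field allows every port. The following script is an added example, not code from the Palo Alto Networks documentation or from OCI, that audits a management security list against exactly those two points and builds the tightened rule set. It assumes the JSON shape of `oci network security-list get` output (kebab-case keys, TCP encoded as protocol "6"); the sample security list and the address ranges are constructed.

```python
"""Audit the ingress rules of a VM-Series management security list.

Added example; this is not code from the Palo Alto Networks documentation or
from OCI tooling. It checks a management security list against the guidance
on this page: accept traffic only from your own source range, and only on
TCP 22 (SSH) and TCP 443 (web interface). The input mirrors the JSON shape
of `oci network security-list get` (kebab-case keys, protocol "6" for TCP);
treat that shape as an assumption and all sample data as constructed.
"""
import ipaddress
import json

# Ports the page says the management interface needs.
MGMT_PORTS = {22: "SSH", 443: "web interface (HTTPS)"}

# Constructed sample of a management security list before it is tightened:
# rule 0 is open to the world on every protocol, rule 1 is TCP from the
# admin range but omits the port range (OCI then allows all ports), and
# rule 2 is what the page asks for.
SAMPLE_SECURITY_LIST = json.loads("""
{
  "display-name": "mgmt-security-list",
  "ingress-security-rules": [
    {"protocol": "all", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK"},
    {"protocol": "6", "source": "203.0.113.0/24", "source-type": "CIDR_BLOCK"},
    {"protocol": "6", "source": "203.0.113.10/32", "source-type": "CIDR_BLOCK",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}}
  ]
}
""")


def audit_mgmt_ingress(security_list, admin_cidr):
    """Return (rule_index, problem) pairs; an empty list means every ingress
    rule is TCP 22/443 from inside admin_cidr."""
    admin_net = ipaddress.ip_network(admin_cidr)
    findings = []
    for idx, rule in enumerate(security_list.get("ingress-security-rules", [])):
        if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
            findings.append((idx, "source is a service CIDR label, not an address range"))
            continue
        src = ipaddress.ip_network(rule["source"])
        if src.prefixlen == 0:
            findings.append((idx, "source 0.0.0.0/0 exposes the management interface to the internet"))
        elif src.version != admin_net.version or not src.subnet_of(admin_net):
            findings.append((idx, f"source {src} is outside the admin range {admin_net}"))
        proto = rule.get("protocol")
        if proto != "6":  # OCI encodes TCP as the IANA number "6"; "all" means any protocol
            findings.append((idx, f"protocol {proto!r} is broader than TCP"))
            continue
        port_range = rule.get("tcp-options", {}).get("destination-port-range")
        if not port_range:
            findings.append((idx, "no destination port range: OCI allows every TCP port"))
            continue
        lo, hi = port_range["min"], port_range["max"]
        if any(port not in MGMT_PORTS for port in range(lo, hi + 1)):
            findings.append((idx, f"ports {lo}-{hi} go beyond SSH and HTTPS"))
    return findings


def restricted_mgmt_rules(admin_cidr):
    """Build the ingress rules the page calls for: one rule per management
    port, accepted only from the administrator's source range."""
    return [
        {"protocol": "6", "source": admin_cidr, "source-type": "CIDR_BLOCK",
         "tcp-options": {"destination-port-range": {"min": port, "max": port}}}
        for port in sorted(MGMT_PORTS)
    ]


if __name__ == "__main__":
    for idx, problem in audit_mgmt_ingress(SAMPLE_SECURITY_LIST, "203.0.113.0/24"):
        print(f"rule {idx}: {problem}")
    hardened = {"ingress-security-rules": restricted_mgmt_rules("203.0.113.0/24")}
    print("hardened list findings:", audit_mgmt_ingress(hardened, "203.0.113.0/24"))
```

Run it against the real list by replacing the constructed sample with the parsed output of `oci network security-list get`; any finding on the management list means the firewall is reachable from more than your own address range or on more than ports 22 and 443 while it still has the default password.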
  16. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    1. Log in to the firewall.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for ethernet1/1 and configure it as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
      • On the IPv4 tab, select Static.
      • Click Add in the IP section and enter the IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
    4. Repeat this procedure for each vNIC configured in your VCN except your management vNIC.
    Only ever delete interfaces from the bottom of the interface list. Deleting firewall interfaces in the wrong order results in an interface mismatch between the firewall and OCI. For example, say you have five data interfaces, then delete interface two on the firewall and add a new interface at the bottom. After rebooting the firewall, the newly added interface takes the place of the deleted interface two instead of taking a place at the bottom of the list.
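Steps 11 and 16 both hinge on three things agreeing: the private IP of each OCI vNIC, the IP configured on the firewall interface that vNIC backs, and the private IP targeted by the trust route table. The note above explains how deleting an interface out of order silently breaks that agreement after a reboot. The script below is an added example, not code from the Palo Alto Networks documentation or from OCI, that checks the three against each other and models the reordering the note describes. It assumes that the primary vNIC is the management interface and that ethernet1/N is backed by the N-th non-primary vNIC in attachment order; the page states the positional relationship only by example, so treat that mapping as an assumption. All vNICs, interfaces and addresses in it are constructed.

```python
"""Consistency check between OCI vNICs, VM-Series dataplane interfaces and
the trust route table.

Added example; not code from the Palo Alto Networks documentation or from
OCI. It encodes two points from this page: the IP configured on each
ethernet1/N must equal the private IP of the vNIC that backs it, and the
trust route table's default route must target the trust vNIC's private IP.
It also models the interface-ordering pitfall the page warns about.
Assumptions: the primary vNIC is the management interface, and the firewall
maps ethernet1/N to the N-th non-primary vNIC in attachment order. All
sample data is constructed.
"""
import ipaddress

# Constructed: vNICs as listed under Attached VNICs, primary (management) first.
VNICS = [
    {"subnet": "mgmt-subnet", "private_ip": "10.0.0.10"},
    {"subnet": "untrust-subnet", "private_ip": "10.0.1.10"},
    {"subnet": "trust-subnet", "private_ip": "10.0.2.10"},
    {"subnet": "dmz-subnet", "private_ip": "10.0.3.10"},
]

# Constructed: Layer 3 configuration on the firewall (step 16).
FW_INTERFACES = {
    "ethernet1/1": {"zone": "untrust-zone", "ip": "10.0.1.10/24"},
    "ethernet1/2": {"zone": "trust-zone", "ip": "10.0.2.10/24"},
    "ethernet1/3": {"zone": "dmz-zone", "ip": "10.0.3.10/24"},
}

# Constructed: the default route in the trust subnet's route table (step 11).
TRUST_ROUTE_RULE = {"destination": "0.0.0.0/0", "target_type": "Private IP",
                    "target": "10.0.2.10"}


def data_vnic_for(interface_name, vnics):
    """ethernet1/N is backed by the N-th non-primary vNIC (assumption above)."""
    index = int(interface_name.split("/")[1])
    return vnics[index] if index < len(vnics) else None


def check_interface_mapping(vnics, fw_interfaces):
    """Return (interface, problem) pairs where the firewall IP does not match
    the private IP of the vNIC at the same position."""
    problems = []
    for name, cfg in fw_interfaces.items():
        vnic = data_vnic_for(name, vnics)
        if vnic is None:
            problems.append((name, "no vNIC attached at this position"))
            continue
        fw_ip = ipaddress.ip_interface(cfg["ip"]).ip
        if str(fw_ip) != vnic["private_ip"]:
            problems.append((name, f"firewall has {fw_ip} but the vNIC in "
                                   f"{vnic['subnet']} has {vnic['private_ip']}"))
    return problems


def check_trust_route(vnics, fw_interfaces, rule, trust_subnet="trust-subnet"):
    """The trust route table must send 0.0.0.0/0 to the private IP of the
    firewall's trust vNIC, and that IP must be configured on the firewall.
    Returns None when everything agrees, otherwise a description."""
    if rule["target_type"] != "Private IP" or rule["destination"] != "0.0.0.0/0":
        return "default route does not target a private IP"
    trust_vnic = next((v for v in vnics if v["subnet"] == trust_subnet), None)
    if trust_vnic is None or rule["target"] != trust_vnic["private_ip"]:
        return f"route targets {rule['target']}, not the trust vNIC"
    fw_ips = {str(ipaddress.ip_interface(c["ip"]).ip) for c in fw_interfaces.values()}
    if rule["target"] not in fw_ips:
        return f"{rule['target']} is not configured on any firewall interface"
    return None


def reattach_after_reboot(vnics, removed_position, new_vnic):
    """Model of the page's warning: detach the vNIC at a middle position and
    attach a new one; after a reboot the new vNIC occupies the vacated
    position instead of appending at the bottom. (Model, not OCI's API.)"""
    result = list(vnics)
    result[removed_position] = new_vnic
    return result


if __name__ == "__main__":
    print("mapping:", check_interface_mapping(VNICS, FW_INTERFACES))
    print("trust route:", check_trust_route(VNICS, FW_INTERFACES, TRUST_ROUTE_RULE))
    # Delete the trust vNIC (position 2) and add a new subnet "at the bottom".
    after = reattach_after_reboot(VNICS, 2, {"subnet": "app-subnet", "private_ip": "10.0.4.10"})
    print("after reboot:", check_interface_mapping(after, FW_INTERFACES))
    print("trust route after reboot:", check_trust_route(after, FW_INTERFACES, TRUST_ROUTE_RULE))
```

With the constructed data the initial state passes both checks; after the modelled detach-and-reattach, ethernet1/2 still carries the trust address while OCI now presents the new subnet's vNIC in that position, and the trust route table points at an address that no longer exists on any vNIC. Running the same comparison against live `oci compute vnic-attachment list` output and the firewall's interface configuration after any interface change catches the mismatch before traffic is affected.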
  17. Create NAT rules to allow inbound and outbound traffic from the servers deployed in the VCN.
    1. Select Policies > NAT on the web interface of the firewall.
    2. Create a NAT rule that allows traffic from the external-facing or untrust dataplane network interface on the firewall to the trust interface in the VCN.
    3. Create a NAT rule that allows outbound access for traffic from inside the VCN to the internet.
