Launch the VM-Series Firewall in OCI

After uploading the KVM qcow2 image to OCI and configuring a Virtual Cloud Network (VCN), you are ready to launch the VM-Series firewall.
The VM-Series firewall image boots up with the default username and password (admin/admin). To ensure that your VM-Series firewall instance is protected until you can change the default password, restrict the security list of the management subnet to your source IP address before deploying the VM-Series firewall.
  1. Select Compute > Instances and click Create Instance.
  2. Enter a descriptive Name for your VM-Series firewall instance.
  3. Select an Availability Zone.
  4. Select your VM-Series image file.
    1. Select Change Image Source > Custom Images.
    2. Select your VM-Series image file.
    3. Click Select Image.
  5. Select Virtual Machine under Shape Type.
  6. Select the shape with the number of CPUs, amount of RAM, and number of interfaces required for the VM-Series firewall model. See the Compute Shapes page for the amount of resources provided by the different compute shapes. See VM-Series System Requirements for more information about the resources required for each VM-Series firewall model.
  7. Under Networking, select your Virtual cloud network compartment, Virtual cloud network, Subnet compartment, and Subnet for your management interface.
  8. Click Create Instance.
  9. (optional) If you need more storage than the minimum 60GB required by the VM-Series firewall, you can create and attach a storage volume to your VM-Series firewall instance.
    1. Select Storage > Block Volumes > Create Block Volume.
    2. Select your compartment.
    3. Enter a descriptive Name for your block storage volume.
    4. Select an Availability Zone.
    5. Enter the size for your block volume.
    6. Click Create Block Volume.
    7. Select Compute > Instances, click your newly created instance, and select Attached Block Volumes > Attach Block Volume.
    8. Select Paravirtualized.
    9. Select your compartment.
    10. Select the block volume you created previously from the Block Volume drop-down.
    11. Select Read/Write.
    12. Click Attach.
    13. Reboot the VM-Series firewall instance by clicking Reboot on the Instance Details page.
  10. Attach a vNIC to your VM-Series firewall instance for each subnet you created previously.
    1. Select your newly launched VM-Series firewall instance and select Attached VNICs > Create VNIC.
    2. Enter a descriptive Name for your vNIC.
    3. Select your VCN from the Virtual Cloud Network drop-down.
    4. Select your subnet from the Subnet drop-down.
    5. Specify a Private IP Address. This is only required if you want to choose a particular IP for the vNIC. If you do not specify an IP, OCI assigns an IP address from the CIDR block you assigned to the subnet.
    6. Select Assign Public IP Address for public facing vNICs such as your untrust subnet.
    7. Click Create VNIC.
    8. Repeat this procedure for each vNIC your deployment requires.
  11. Assign a private IP address to your trust subnet.
    1. Select Networking > Virtual Cloud Networks > <your VCN> > Route Tables > <your trust route table> > Edit Route Rules.
    2. Change the Target Type to Private IP.
    3. Enter the IP address you assigned to your trust vNIC.
    4. Click Save.
  12. Change the default password through a console connection to the firewall.
    1. Configure a console connection.
      1. Generate a public key and copy it.
      2. Log in to the OCI console.
      3. Select Compute > Instances and click your VM-Series firewall instance.
      4. Select Console Connections > Create Console Connection > Paste SSH Keys.
      5. Paste your key and click Create Console Connection.
    2. Open a console connection to the VM-Series firewall.
      1. Select Connect with SSH.
      2. Copy the string used to open the console connection to the VM-Series firewall.
      3. Open a terminal on your computer and, from the directory containing your key pair, paste the string you copied above and press Enter.
    3. Change the password.
      1. Enter config mode.
        admin@PA-VM> configure
      2. Execute the following command to change the password. When prompted, enter your new password and enter it again to confirm.
        admin@PA-VM# set mgt-config users admin password
      3. Commit your changes.
  13. Disable DPDK on the firewall. The VM-Series firewall on OCI supports Packet MMAP only. DPDK is enabled by default and must be disabled.
    1. Log in to the firewall CLI.
    2. Enter config mode.
      admin@PA-VM> configure
    3. Disable DPDK.
      admin@PA-VM# set system setting dpdk-pkt-io off
    4. Commit your change.
  14. Add route table rules to the management route table to give yourself SSH and web interface access to the firewall.
    1. Select NetworkingVirtual Cloud Networks and click your VCN.
    2. Select Route Tables and click your management route table.
    3. Select Edit Route Rules > + Another Route Rule.
    4. Select your compartment.
    5. Enter a descriptive Name for your route table.
    6. Select a target type. For subnets that are publicly accessible, select Internet Gateway.
    7. Enter a Destination CIDR Block.
    8. Select the internet gateway you created previously from the Target Internet Gateway drop-down.
    9. Click Create Save.
  15. Edit security lists to give yourself SSH and web interface access to the firewall.
    1. From your VCN, select Security Lists > mgmt-security-list > Edit All Rules.
      mgmt-security-list is the default name used in the Terraform Template file. If you have changed this value, locate your management security list.
    2. Select CIDR from the Source Type drop-down and enter your Source CIDR block.
    3. Select TCP from the IP Protocol drop-down.
    4. (Optional) Enter source and destination ports or port ranges. If you leave these fields blank, all ports are allowed. Port 22 is required for SSH access and port 443 is required for SSL access to the firewall web interface.
    5. Click Create Security List.
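The warning at the top of this page is that the firewall boots with admin/admin, so the management security list must not expose ports 22 and 443 beyond your own source CIDR. The following check, added here as an example and not taken from the Palo Alto Networks or OCI documentation, walks an OCI security list's ingress rules (in the JSON form the OCI API and CLI return) and reports any rule that lets a wider source reach those ports; the admin CIDR, the sample rule lists and the helper names are constructed for the example.

```python
# Added example (not from the Palo Alto Networks or OCI documentation): checks
# the ingress rules of an OCI security list, in the JSON form the OCI API/CLI
# returns, and reports rules that reach the management ports from a wide source.
from ipaddress import ip_network

MGMT_PORTS = {22: "SSH", 443: "HTTPS (web interface)"}

def _port_range(rule):
    """Destination port range of a TCP rule; no range means all ports."""
    rng = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    return (1, 65535) if rng is None else (rng["min"], rng["max"])

def find_exposed_mgmt_rules(ingress_rules, admin_cidr):
    """Return (source, port, service) for every rule that lets a source
    outside admin_cidr reach port 22 or 443. OCI encodes TCP as protocol "6"
    and "all" for every protocol; service sources are not CIDRs, skip them."""
    allowed = ip_network(admin_cidr)
    findings = []
    for rule in ingress_rules:
        if rule.get("sourceType", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue
        proto = rule.get("protocol")
        if proto not in ("6", "all"):
            continue
        lo, hi = _port_range(rule) if proto == "6" else (1, 65535)
        src = ip_network(rule["source"])
        # A different address family (e.g. ::/0) or a non-subnet is wider than allowed.
        wider = src.version != allowed.version or not src.subnet_of(allowed)
        if not wider:
            continue
        for port, service in MGMT_PORTS.items():
            if lo <= port <= hi:
                findings.append((rule["source"], port, service))
    return findings

def tcp_rule(source, port):
    """Build one ingress rule in OCI API form (constructed sample data)."""
    return {"source": source, "sourceType": "CIDR_BLOCK", "protocol": "6",
            "isStateless": False,
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}}}

# Constructed sample lists: the wide-open list beside the restricted one.
ADMIN_CIDR = "203.0.113.0/24"
OPEN_MGMT_LIST = [tcp_rule("0.0.0.0/0", 22), tcp_rule("0.0.0.0/0", 443)]
RESTRICTED_MGMT_LIST = [tcp_rule(ADMIN_CIDR, 22), tcp_rule(ADMIN_CIDR, 443)]

if __name__ == "__main__":
    for label, rules in (("open", OPEN_MGMT_LIST), ("restricted", RESTRICTED_MGMT_LIST)):
        print(label, find_exposed_mgmt_rules(rules, ADMIN_CIDR) or "ok")
```

Run it against the output of `oci network security-list get` for your management subnet before the instance is created; an empty result for the admin CIDR means only your own address range can reach the default credentials.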
  16. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    1. Log in to the firewall.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for ethernet 1/1 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
      • On the IPv4 tab, select Static.
      • Click Add in the IP section and enter the IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
    4. Repeat this procedure for each vNIC configured in your VCN except your management vNIC.
    Only delete interfaces at the bottom of the interface list. Deleting firewall interfaces in the wrong order results in an interface mismatch between the firewall and OCI. For example, say you have five data interfaces, then delete interface two on the firewall and add a new interface at the bottom. After the firewall reboots, the newly added interface takes the place of the deleted interface two instead of taking a place at the bottom of the list.
  17. Create NAT rules to allow inbound and outbound traffic from the servers deployed in the VCN.
    1. Select Policies > NAT on the web interface of the firewall.
    2. Create a NAT rule that allows traffic from the external-facing or untrust dataplane network interface on the firewall to the trust interface in the VCN.
    3. Create a NAT rule that allows outbound access for traffic from inside the VCN to the internet.