Launch the VM-Series Firewall Using a Terraform Template

After modifying the templates for your OCI environment, you can launch the VM-Series firewall.
The VM-Series firewall image boots up with the default username and password (admin/admin). To ensure that your VM-Series firewall instance is protected until you can change the default password, restrict the security list of the management subnet to your source IP address before deploying the VM-Series firewall.
  1. If you have not done so already, install Terraform on your computer.
  2. In the command line on your computer, access the folder containing your Terraform Template files.
  3. Initialize and verify the provider (OCI in this case) by executing the following command:
    terraform init
    On success, Terraform reports that it has been initialized.
  4. Validate the template files by executing the following command. If it returns an error, correct the reported error in your files.
    terraform validate
  5. (optional) You can use the following command to display a plan of your deployment using the data from the templates.
    terraform plan
  6. Launch the VM-Series firewall instance. Enter yes when prompted.
    terraform apply
    When the process is complete, the CLI reports that the apply is complete.
  7. Verify that your VM-Series firewall instance was launched.
    1. Log in to the OCI console.
    2. Select Compute > Instances.
    3. Select Created Date (Desc) from the Sort By drop-down to see the most recently created instances.
      Your new VM-Series firewall instance should be listed first.
  8. Delete default security list rules to prevent access to the firewall until you have changed the default password.
    1. Select Networking > Virtual Cloud Networks > <your VCN> > Security Lists > Default Security List > Edit All Rules.
    2. Click the delete icon to delete each rule.
    3. After deleting each rule, click Save Security List Rules.
  9. Change the default password through a console connection to the firewall.
    1. Configure a console connection.
      1. Generate a public key and copy it.
      2. Log in to the OCI console.
      3. Select Compute > Instances and click your VM-Series firewall instance.
      4. Select Console Connections > Create Console Connection > Paste SSH Keys.
      5. Paste your key and click Create Console Connection.
    2. Open a console connection to the VM-Series firewall.
      1. Select Connect with SSH.
      2. Copy the string used to open the console connection to the VM-Series firewall.
      3. Open a terminal on your computer and, from the directory containing your keypair, paste the string you copied above and hit Enter.
    3. Change the password.
      1. Enter config mode.
        admin@PA-VM> configure
      2. Execute the following command to change the password. When prompted, enter your new password and enter it again to confirm.
        admin@PA-VM# set mgt-config users admin password
      3. Commit your changes.
  10. Add route table rules to the management route table to give yourself SSH and web interface access to the firewall.
    1. Select Networking > Virtual Cloud Networks and click your VCN.
    2. Select Route Tables and click your management route table.
    3. Select Edit Route Rules > + Another Route Rule.
    4. Select your compartment.
    5. Enter a descriptive Name for your route table.
    6. Select a target type. For subnets that are publicly accessible, select Internet Gateway.
    7. Enter a Destination CIDR Block.
    8. Select the internet gateway you created previously from the Target Internet Gateway drop-down.
    9. Click Save.
  11. Edit security lists to give yourself SSH and web interface access to the firewall.
    1. From your VCN, select Security Lists > mgmt-security-list > Edit All Rules.
      mgmt-security-list is the default name used in the Terraform Template file. If you have changed this value, locate your management security list instead.
    2. Select CIDR from the Source Type drop-down and enter your Source CIDR block.
    3. Select TCP from the IP Protocol drop-down.
    4. Enter source and destination ports or port ranges. If you leave these fields blank, all ports are allowed. Port 22 is required for SSH access and port 443 is required for HTTPS (SSL) access to the firewall web interface.
    5. Click Create Security List.
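    The management security list that steps 8 and 11 build by hand in the console can equally be declared in the template so the firewall is never exposed on admin/admin. The following is an added example, not code from the Palo Alto Networks Terraform template; var.mgmt_allowed_cidr, var.compartment_ocid and oci_core_vcn.vcn are assumed names, and the variable validation block needs Terraform 0.13 or later.

```hcl
# Added example (not from the Palo Alto Networks template): management security
# list that admits SSH and HTTPS only from one operator CIDR.
# Assumed names: var.mgmt_allowed_cidr, var.compartment_ocid, oci_core_vcn.vcn.

variable "mgmt_allowed_cidr" {
  description = "Operator source CIDR allowed to reach the firewall management interface"
  type        = string

  # Reject an open-to-the-world rule at plan time, before anything is created.
  validation {
    condition     = can(cidrhost(var.mgmt_allowed_cidr, 0)) && var.mgmt_allowed_cidr != "0.0.0.0/0"
    error_message = "mgmt_allowed_cidr must be a specific CIDR, not 0.0.0.0/0."
  }
}

resource "oci_core_security_list" "mgmt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "mgmt-security-list" # default name used by the template

  # Outbound from the management interface (licensing, content updates).
  egress_security_rules {
    destination      = "0.0.0.0/0"
    destination_type = "CIDR_BLOCK"
    protocol         = "all"
  }

  # The weak form this replaces is the OCI default rule:
  #   source = "0.0.0.0/0" with no tcp_options (every port, every address).

  # Inbound SSH (port 22) from the operator CIDR only; protocol "6" is TCP.
  ingress_security_rules {
    protocol    = "6"
    source      = var.mgmt_allowed_cidr
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 22
      max = 22
    }
  }

  # Inbound HTTPS (port 443) for the web interface, same source restriction.
  ingress_security_rules {
    protocol    = "6"
    source      = var.mgmt_allowed_cidr
    source_type = "CIDR_BLOCK"
    tcp_options {
      min = 443
      max = 443
    }
  }
}
```

    With this in place, terraform validate and terraform plan (steps 4 and 5) fail if mgmt_allowed_cidr is left open, and step 11 becomes a review rather than a manual edit.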
  12. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    1. Log in to the firewall.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for ethernet1/1 and configure it as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
      • On the IPv4 tab, select either Static or DHCP Client.
        If using the Static option, click Add in the IP section, and enter the IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in your VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
    4. Repeat this procedure for each vNIC configured in your VCN except your management vNIC.
  13. Create NAT rules to allow inbound and outbound traffic from the servers deployed in the VCN.
    1. Select Policies > NAT on the web interface of the firewall.
    2. Create a NAT rule that allows traffic from the external-facing or untrust dataplane network interface on the firewall to the trust interface in the VCN.
    3. Create a NAT rule that allows outbound access for traffic from inside the VCN to the internet.
  14. Disable DPDK on the firewall. The VM-Series firewall on OCI supports Packet MMAP only. DPDK is enabled by default and must be disabled.
    1. Log in to the firewall CLI.
    2. Enter config mode.
      admin@PA-VM> configure
    3. Disable DPDK.
      admin@PA-VM# set system setting dpdk-pkt-io off
    4. Commit your change.
  15. (optional) If you need more storage than the minimum 60GB required by the VM-Series firewall, you can create and attach a storage volume to your VM-Series firewall instance.
    1. Log in to the OCI console.
    2. Select Storage > Block Volumes > Create Block Volume.
    3. Select your compartment.
    4. Enter a descriptive Name for your block storage volume.
    5. Select an Availability Zone.
    6. Enter the size for your block volume.
    7. Click Create Block Volume.
    8. Select Compute > Instances, click your newly created instance, and select Attached Block Volumes > Attach Block Volume.
    9. Select Paravirtualized.
    10. Select your compartment.
    11. Select the block volume you created previously from the Block Volume drop-down.
    12. Select Read/Write.
    13. Click Attach.
    14. Reboot the VM-Series firewall instance by clicking Reboot on the Instance Details page.
