Launch the VM-Series Firewall Using a Terraform Template

After modifying the templates for your OCI environment, you can launch the VM-Series firewall.
The VM-Series firewall image boots up with the default username and password (admin/admin). To ensure that your VM-Series firewall instance is protected until you can change the default password, restrict the security list of the management subnet to your source IP address before deploying the VM-Series firewall.
  1. If you have not done so already, install Terraform on your computer.
  2. In the command line on your computer, access the folder containing your Terraform Template files.
  3. Initialize and verify the provider; OCI in this case. Execute the following command:
    terraform init
    Terraform reports that the OCI provider was initialized successfully.
  4. Validate the template files. Execute the following command to validate the files. If this command returns an error, correct the listed error in your files.
    terraform validate
  5. (Optional) You can use the following command to display a plan of your deployment using the data from the templates.
    terraform plan
  6. Launch the VM-Series firewall instance. Enter yes when prompted.
    terraform apply
    When the process is complete, the CLI reports that the apply is complete.
  7. Verify that your VM-Series firewall instance was launched.
    1. Log in to the OCI console.
    2. Select Compute > Instances.
    3. Select Created Date (Desc) from the Sort By drop-down to see the most recently created instances. Your new VM-Series firewall instance should be listed first.
  8. Delete default security list rules to prevent access to the firewall until you have changed the default password.
    1. Select Networking > Virtual Cloud Networks > <your VCN> > Security Lists > Default Security List > Edit All Rules.
    2. Click the delete icon to delete each rule.
    3. After deleting each rule, click Save Security List Rules.
  9. Change the default password through a console connection to the firewall.
    1. Configure a console connection.
      1. Generate a public key and copy it.
      2. Log in to the OCI console.
      3. Select Compute > Instances and click your VM-Series firewall instance.
      4. Select Console Connections > Create Console Connection > Paste SSH Keys.
      5. Paste your key and click Create Console Connection.
    2. Open a console connection to the VM-Series firewall.
      1. Select Connect with SSH.
      2. Copy the string used to open the console connection to the VM-Series firewall.
      3. Open a terminal on your computer and, from the directory containing your keypair, paste the string you copied above and press Enter.
    3. Change the password.
      1. Enter config mode.
        admin@PA-VM> configure
      2. Execute the following command to change the password. When prompted, enter your new password and enter it again to confirm.
        admin@PA-VM# set mgt-config users admin password
      3. Commit your changes.
  10. Add route table rules to the management route table to give yourself SSH and web interface access to the firewall.
    1. Select Networking > Virtual Cloud Networks and click your VCN.
    2. Select Route Tables and click your management route table.
    3. Select Edit Route Rules > + Another Route Rule.
    4. Select your compartment.
    5. Enter a descriptive Name for your route table.
    6. Select a target type. For subnets that are publicly accessible, select Internet Gateway.
    7. Enter a Destination CIDR Block.
    8. Select the internet gateway you created previously from the Target Internet Gateway drop-down.
    9. Click Save.
  11. Edit security lists to give yourself SSH and web interface access to the firewall.
    1. From your VCN, select Security Lists > mgmt-security-list > Edit All Rules.
      mgmt-security-list is the default name used in the Terraform Template file. If you have changed this value, locate your management security list.
    2. Select CIDR from the Source Type drop-down and enter the Source CIDR block.
    3. Select TCP from the IP Protocol drop-down.
    4. Enter source and destination ports or port ranges. If you leave these fields blank, all ports are allowed. Port 22 is required for SSH access and port 443 is required for SSL access to the firewall web interface.
    5. Click Create Security List.
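The restriction that the caution at the top of this page and steps 8 and 11 apply by hand in the console, written instead as a Terraform resource so it is in place before the firewall boots. This is an added example, not code from the original page or from the Palo Alto Networks template: the VCN reference (oci_core_vcn.vcn), the variable names, the 10.0.0.0/24 subnet and the 203.0.113.10/32 administrator address are assumptions.

```hcl
# Assumed inputs: oci_core_vcn.vcn and var.compartment_ocid come from the
# rest of the template; mgmt_source_cidr is a placeholder for the admin IP.
variable "mgmt_source_cidr" {
  description = "Only this CIDR may reach the firewall management interface"
  default     = "203.0.113.10/32" # TEST-NET-3 placeholder, replace with your IP
}

resource "oci_core_security_list" "mgmt_security_list" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.vcn.id
  display_name   = "mgmt-security-list"

  # Outbound from the firewall (updates, licensing, logging) is unrestricted.
  egress_security_rules {
    destination = "0.0.0.0/0"
    protocol    = "all"
  }

  # SSH (22) and the HTTPS web interface (443) from the admin CIDR only.
  # A source of "0.0.0.0/0" here (the OCI default list allows SSH from
  # anywhere) would expose the admin/admin login. Protocol "6" is TCP.
  ingress_security_rules {
    protocol = "6"
    source   = var.mgmt_source_cidr
    tcp_options {
      min = 22
      max = 22
    }
  }

  ingress_security_rules {
    protocol = "6"
    source   = var.mgmt_source_cidr
    tcp_options {
      min = 443
      max = 443
    }
  }
}

# Bind the list to the management subnet so the VCN's default (open)
# security list is not the one governing access to the firewall.
resource "oci_core_subnet" "mgmt_subnet" {
  compartment_id    = var.compartment_ocid
  vcn_id            = oci_core_vcn.vcn.id
  cidr_block        = "10.0.0.0/24"
  display_name      = "mgmt-subnet"
  security_list_ids = [oci_core_security_list.mgmt_security_list.id]
}
```

After the default password is changed, the same variable is the single place to widen or rotate the permitted source address.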
  12. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    1. Log in to the firewall.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for ethernet 1/1 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
      • On the IPv4 tab, select either Static or DHCP Client. If using the Static option, click Add in the IP section, and enter the IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
    4. Repeat this procedure for each vNIC configured in your VCN except your management vNIC.
  13. Create NAT rules to allow inbound and outbound traffic from the servers deployed in the VCN.
    1. Select
      Policies
      NAT
      on the web interface of the firewall.
    2. Create a NAT rule that allows traffic from the external-facing or untrust dataplane network interface on the firewall to the trust interface in the VCN.
    3. Create a NAT rule that allows outbound access for traffic from inside the VCN to the internet.
  14. Disable DPDK on the firewall. The VM-Series firewall on OCI supports Packet MMAP only. DPDK is enabled by default and must be disabled.
    1. Log in to the firewall CLI.
    2. Disable DPDK.
      admin@PA-VM> set system setting dpdk-pkt-io off
    3. Restart the firewall.
  15. (Optional) If you need more storage than the minimum 60GB required by the VM-Series firewall, you can create and attach a storage volume to your VM-Series firewall instance.
    1. Log in to the OCI console.
    2. Select Storage > Block Volumes > Create Block Volume.
    3. Select your compartment.
    4. Enter a descriptive Name for your block storage volume.
    5. Select an Availability Zone.
    6. Enter the size for your block volume.
    7. Click Create Block Volume.
    8. Select Compute > Instances, click on your newly created instance, and select Attached Block Volumes > Attach Block Volume.
    9. Select Paravirtualized.
    10. Select your compartment.
    11. Select the block volume you created previously from the Block Volume drop-down.
    12. Select Read/Write.
    13. Click Attach.
    14. Reboot the VM-Series firewall instance by clicking Reboot on the Instance Details page.
