To help you get started, the GitHub repository contains
a sample configuration file named
includes the following rules/objects:
—Two address objects,
which you will need to modify to match the IP addresses in your
setup: set them to the private IP addresses assigned to
eth1-VM-Series0 and eth1-VM-Series1 on the Azure portal.
—The default virtual router on the firewall
has a static route to 192.168.1.1, and this IP address is accurate
if you use the default template values. If you have changed the
Untrust subnet CIDR, you’ll need to update the IP address to match your
setup. All traffic coming from the backend web servers, destined
for the application gateway, uses this IP address as the next hop
for delivering packets to the untrust interface on the firewall.
NAT Policy Rule
—The NAT policy rule enables destination
NAT and source NAT.
The destination NAT rule is for
all traffic that arrives on the firewall’s untrust interface (ethernet1/2),
which is the firewall-untrust-IP address object. This rule translates
the destination IP address on the packet to that of the internal
load balancer so that all traffic is directed to the internal load balancer
and thus to the backend web servers.
The source NAT rule is for all traffic from the backend web
server and destined to the untrust network interface on the firewall.
This rule translates the source address to the IP address of the
trust interface on the firewall (ethernet1/2).
Security Policy Rule
—Two Security policy rules are
defined in the sample configuration file. The first rule allows
all inbound web-browsing traffic and generates a log at the start
of a session on the firewall. The second rule blocks all other traffic
and generates a log at the start and end of a session on the firewall.
You can use these logs to monitor all traffic to the web servers
in this deployment.
Administrative User Credentials
—The sample configuration
file includes a username and password for logging in to the firewall,
which is set to pandemo/demopassword. After you import the sample
configuration, you must either change the password and set it to
a strong, custom password or create a new administrator account
and delete the pandemo account.
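A post-import check for the items above, as an added example that is not part of the GitHub repository or the original page: it compares an exported firewall configuration against the sample file and reports sample defaults that are still in place. The XML element paths are assumptions about the export layout, and the embedded sample (password hash, address value, route name) is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for the sample configuration (not the real file);
# the phash and the address-object value are made up.
SAMPLE = """<config>
 <mgt-config><users><entry name="pandemo">
  <phash>$1$constructed$samplehash</phash></entry></users></mgt-config>
 <devices><entry name="localhost.localdomain">
  <network><virtual-router><entry name="default"><routing-table><ip><static-route>
   <entry name="to-appgw"><nexthop><ip-address>192.168.1.1</ip-address></nexthop></entry>
  </static-route></ip></routing-table></entry></virtual-router></network>
  <vsys><entry name="vsys1"><address>
   <entry name="firewall-untrust-IP"><ip-netmask>192.0.2.10</ip-netmask></entry>
  </address></entry></vsys>
 </entry></devices>
</config>"""

def _users(root):
    # Assumed layout: admin accounts under mgt-config/users, hash in <phash>.
    return {e.get("name"): (e.findtext("phash") or "").strip()
            for e in root.iterfind("./mgt-config/users/entry")}

def _addresses(root):
    return {e.get("name"): (e.findtext("ip-netmask") or "").strip()
            for e in root.iterfind(".//address/entry")}

def audit(exported_xml, sample_xml, untrust_cidr):
    """Return findings for sample defaults still present in an exported config."""
    cur, ref = ET.fromstring(exported_xml), ET.fromstring(sample_xml)
    findings = []
    cur_users = _users(cur)
    # Account kept AND hash identical to the sample: password was never changed.
    if cur_users.get("pandemo") and cur_users["pandemo"] == _users(ref).get("pandemo"):
        findings.append("pandemo still has the sample password hash")
    ref_addr = _addresses(ref)
    for name, value in _addresses(cur).items():
        if ref_addr.get(name) == value:
            findings.append(f"address object {name} unchanged from sample ({value})")
    net = ipaddress.ip_network(untrust_cidr)
    for hop in cur.iterfind(".//static-route/entry/nexthop/ip-address"):
        ip = ipaddress.ip_address(hop.text.strip())
        if ip not in net:
            findings.append(f"static route next hop {ip} is outside Untrust subnet {net}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, SAMPLE, "192.168.1.0/24"):
        print("FINDING:", finding)
```

A matching hash only shows that the pandemo password was never reset; it says nothing about the strength of a password that was changed.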