Prepare to Set Up the VM-Series Firewall on OCI

The process to deploy the VM-Series firewall on Oracle Cloud Infrastructure requires the completion of preparation tasks.

Virtual Cloud Networks

A virtual cloud network (VCN) is a virtual, private network that you set up in your OCI environment. To deploy the VM-Series firewall in OCI, your VCN must have at least three virtual network interfaces cards (VNICs) for the management interface and two data interfaces.
OCI uses a series of route tables to send traffic out of your VCN and one route table is added to each subnet. A subnet is a division of your VCN. If you do not specify a route table, the subnet uses the VCN’s default route table.Each route table rule specifies a destination CIDR block and a next hop (target) for any traffic that matches the CIDR. OCI only uses a subnet’s route table if the destination IP address is outside the VCN’s specified CIDR block; route rules are not required to enable traffic within the VCN. And, if traffic has overlapping rules, OCI use the most specific rule in the route table to route traffic.
If there is no route rule that matches the traffic that is attempting to leave the VCN, the traffic is dropped.
Each subnet requires a route table and once you have added a route table to a subnet, you cannot change it. However, you can add, remove, or edit rules in a route table after it has been created.

SSH Keys

You must create an SSH key pair to login to the firewall for the first time. You cannot use the default username and password to access the firewall for the first time. After the firewall boots up for the first time, you must access the firewall through the CLI and create a new username and password.
  1. Create an SSH key pair and store the SSH Key pair in the default location for your operating system.
    • On Linux or MacOS, use
      ssh-keygen
      to create the key pair in your .ssh directory.
    • On Windows, use PuTTYgen to create the key pair.
      The content of the
      Key comment
      field does not matter to the VM-Series firewall; you can accept the default (the key creation date) or enter a comment that helps you remember the name of the key pair. Use the
      Save private key
      button to store the private key in your .ssh directory.
  2. Select the full public key.
    • Linux or MacOS:
      Open your public key in a text editor and copy the public key.
    • Windows: You must use the PuTTY Key Generator to view the public key. Launch PuTTYgen, click Load, and browse to private key you saved in your .ssh directory.
      In PuTTYgen, scroll down to ensure you select the entire key, right click, and choose Copy.
      ssh-copy.png

Initial Configuration User Data

You must provide the following bootstrapping parameters when setting up the VM-Series firewall instance. OCI uses this information to perform the initial configuration of the firewall, which provides the firewall with a hostname and license and connects the firewall to Panorama, if applicable.
The Panorama-related fields are required only if you have a Panorama appliance and want use Panorama to manage your VM-Series firewall.
Field
Description
hostname=
Host name for the firewall.
vm-auth-key=
Virtual machine authentication key for registering the firewall with Panorama.
panorama-server=
IPv4 or IPv6 address of the primary Panorama server. This field is not required but recommended for centrally managing your firewalls.
panorama-server-2=
IPv4 or IPv6 address of the secondary Panorama server. This field is not required but recommended.
tplname=
Panorama template stack name. If you add a Panorama server IP address, as a best practice assign the firewall to a template stack on Panorama and enter the template stack name in this field so that you can centrally manage and push configuration settings to the firewall.
dgname=
Panorama device group name. If you add a Panorama server IP address, as a best practice create a device group on Panorama and enter the device group name in this field so that you can group the firewalls logically and push policy rules to the firewall.
authcodes=
Used to license the VM-Series firewall with the Palo Alto Networks licensing server.
op-command-modes=jumbo-frame
Used to enable jumbo frame mode on the VM-Series firewall. Because OCI deploys VM instances in jumbo mode by default, it is recommended that you launch the VM-Series firewall in jumbo mode to achieve the best throughput.
Paste the bootstrapping parameters into the OCI console in the following format.
hostname=<
fw-hostname
>
vm-auth-key=<
auth-key
>
panorama-server=<
panorama-ip
>
panorama-server-2=<
panorama2-ip
>
tplname=<
template-stack-name
>
dgname=<
device-group-name
>
authocodes=<
firewall-authcode
>
op-command-modes=jumbo-frame

Recommended For You