Prerequisites

• PAN-OS version 10.2.14 or above
  PAN-OS version 11.1.8 or above
• PAN-OS version 11.2.5 or above

• BYOL (Bring your own license)
• PAYG (Pay-as-you-go)

Simplified Onboarding for VM Series Solution templates on Azure Marketplace

1. Navigate to Azure Marketplace.
   1. Log in to the Azure portal.
   2. In the Azure portal dashboard, click the search bar at the top.
   3. Search for VM-Series Next-Generation Firewall and select the listing titled VM-Series Next-Generation Firewall by Palo Alto Networks.

   4. In the Plan drop down menu, select High Resiliency with Load Balancers.
   5. Click Create on the marketplace overview page.
2. Basic configuration.
   Configure basic settings for the firewall.
   1. Select your Azure Subscription.
   2. Create a new resource group or select an existing resource group that is empty. The resource group will hold all the resources associated with the VM-Series firewall for this deployment.
   3. Azure has removed the option to select an existing resource group for Marketplace solutions that enable multiple network interface controllers (NICs). To deploy the firewall into an existing resource group, use the ARM template in the GitHub Repository or use your own custom ARM template.
   4. Select the Azure Region in which you are deploying the firewall.
   5. Enter a Username for the firewall administrator.
   6. Select the Authentication type—Password or SSH Public Key.
   7. Enter a Password (up to 31 characters) or copy and paste an SSH public key for securing administrative access to the firewall.
   8. Confirm the password.
   9. Select the License Type.
   10. Enter the Deployment Tag that you specified while creating the resource group.
   11. Click Next.
3. Configure networking.
   You can see that the Virtual Network, management subnet, public subnet, private subnet, and Network Security group IP addresses are already populated.
   1. Select the Deployment architecture.
      VM-Series with high resiliency load balancers support four different deployment architectures: Common firewall set with LB, Dedicated inbound firewall set with Public LB, Dedicated outbound and east-west firewall set with ILB, and Dedicated inbound and outbound firewalls sets with public LB and ILB. Select one of these for your deployment architecture. For more information, see Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template).
   2. Click Next.
4. VM-Series Configuration.
   1. Select the VM-Series Version.
   2. Select the Default configuration - outbound and E/W bootstrap option to boot the firewalls with default pre-configurations needed for outbound traffic inspection.

   3. Select the Availability Option
   4. Click Next.
   5. Review the summary, and OK. Then accept the terms of use and privacy policy, and click Create to launch the firewall.
5. Optional
   Validate Firewall Configuration
   1. Log in to the VM-Series firewall web interface. For more information, see Launch the firewall web interface.
   2. Go to the Network tab.
   3. Click interfaces and verify if the interfaces are correctly assigned:
      • Ethernet1/1 should be in the Untrust zone.
      • Ethernet1/2 should be in the Trust zone.
   4. Verify Routing. In the Virtual Router section, ensure static routes for outbound and east-west traffic are present.

   5. Verify Security Policies.
      Navigate to the Policies tab and confirm default rules are present:
      • Intra-zone traffic is allowed.
      • Inter-zone traffic is denied.
      Verify the presence of a NAT policy for outbound internet traffic.
6. Peer Application VNet with the trust Vnet
   1. Navigate to the Azure portal and open the FirewallVNet resource.
   2. Go to the Peerings section.

   3. Click Add.
   4. Enter a name.
   5. Select the application VNet whose traffic you wish to inspect
   6. Click Add to create the peering.
   You can repeat the above process to peer the FirewallVNet with AppVNet2.
7. Configure Route Tables for each application subnet.

   1. Create Route tables for each application subnet:
      • Go to Route Tables in the Azure portal and click Create.
      • Enter the Region and Name the table (e.g., AppVM1RouteTable) and associate it with the subnet of AppVNet1.
      • Repeat the process for AppVNet2.
   2. Add Routes:
      You must add two routes to each table:
      Route 1- Outbound Traffic:
      • Enter the Destination IP address.
      • Enter the Next Hop type.
      • Enter the Next Hop IP Address. This should be the frontend IP of the firewall’s load balancer.
      • Click Add.
      Route 2 - East-West Traffic:
      • Enter the Destination IP address. This is the subnet of the other application VNet.
      • Enter the Next Hop type.
      • Enter the Next Hop IP Address. This should be the frontend IP of the firewall’s load balancer.
      Click Add.
   You must add two routes to each table:
   Route 1- Outbound Traffic:
   • Enter the Destination IP address.
   • Enter the Next Hop type.
   • Enter the Next Hop IP Address. This should be the frontend IP of the firewall’s load balancer.
   • Click Add.
   Route 2 - East-West Traffic:
   • Enter the Destination IP address. This is the subnet of the other application VNet.
   • Enter the Next Hop type.
   • Enter the Next Hop IP Address. This should be the frontend IP of the firewall’s load balancer.
   • Click Add.