Prepare to Set Up VM-Series Firewalls on IBM Cloud
Create your project networks and subnetworks, and plan IP address assignments for the
VM-Series firewall before you deploy the VM-Series firewall on IBM Cloud.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | VM-Series License (BYOL), VM-Series plugin, Panorama, Panorama plugin for IBM Cloud |
Deploying the VM-Series firewall from IBM Cloud Platform requires preparation tasks. If you're
deploying using the IBM Cloud catalog, you must create your project networks and
subnetworks, and plan IP address assignments for the VM-Series firewall interfaces in
advance. During the deployment, you must choose from existing networks and subnetworks.
Prerequisites
To set up the VM-Series firewall on IBM Cloud, you will need:
- Access to IBM Cloud Gen 2 VPC
- A VPC with at least two subnets and one IP address unassigned in each
  subnet. The IP addresses for the VM-Series VSI are assigned from the
  user-provided subnets. For more information, see
- One of the following regions to install PAN-OS:
  - us-east
  - us-south
  - ca-tor
  - eu-gb
  - eu-de
  - eu-fr2
  - au-syd
  - jp-osa
  - jp-tok
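A preflight check for the subnet and region prerequisites above, as an added example that is not part of the Palo Alto Networks or IBM documentation. It assumes the input has the shape of `ibmcloud is subnets --output json` (fields `name`, `vpc.name`, `zone.name`, `available_ipv4_address_count`); the VPC and subnet names in the sample are constructed.

```python
import json

# Regions this page lists as supported for installing PAN-OS.
SUPPORTED_REGIONS = {"us-east", "us-south", "ca-tor", "eu-gb", "eu-de",
                     "eu-fr2", "au-syd", "jp-osa", "jp-tok"}

def preflight(subnets_json, vpc_name, mgmt_subnet, data_subnet):
    """Return a list of problems; an empty list means the prerequisites hold."""
    problems = []
    if mgmt_subnet == data_subnet:
        problems.append("management and dataplane must use different subnets")
    # Keep only the subnets that belong to the target VPC.
    subnets = {s["name"]: s for s in json.loads(subnets_json)
               if s.get("vpc", {}).get("name") == vpc_name}
    if len(subnets) < 2:
        problems.append(f"VPC {vpc_name} has {len(subnets)} subnet(s); at least two are required")
    for role, name in (("management", mgmt_subnet), ("dataplane", data_subnet)):
        subnet = subnets.get(name)
        if subnet is None:
            problems.append(f"{role} subnet {name} not found in VPC {vpc_name}")
            continue
        # Assumption: zone names are the region name plus a numeric suffix (us-south-1).
        region = subnet["zone"]["name"].rsplit("-", 1)[0]
        if region not in SUPPORTED_REGIONS:
            problems.append(f"{role} subnet {name} is in unsupported region {region}")
        # Each subnet needs at least one unassigned address for the firewall interface.
        if subnet.get("available_ipv4_address_count", 0) < 1:
            problems.append(f"{role} subnet {name} has no unassigned IP address")
    return problems

# Constructed sample data, not output captured from a real account.
SAMPLE = json.dumps([
    {"name": "fw-mgmt", "vpc": {"name": "fw-vpc"}, "zone": {"name": "us-south-1"},
     "available_ipv4_address_count": 12},
    {"name": "fw-data", "vpc": {"name": "fw-vpc"}, "zone": {"name": "us-south-1"},
     "available_ipv4_address_count": 0},
    {"name": "other", "vpc": {"name": "lab-vpc"}, "zone": {"name": "br-sao-1"},
     "available_ipv4_address_count": 200},
])

if __name__ == "__main__":
    for line in preflight(SAMPLE, "fw-vpc", "fw-mgmt", "fw-data") or ["all checks passed"]:
        print(line)
```

Running the check before opening the catalog deployment surfaces an exhausted or misplaced subnet early, since the deployment only lets you choose from existing networks and subnetworks.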
Dependencies
Before you can apply the template in IBM Cloud, complete
the following steps:
- Ensure that you have the following permissions in IBM Cloud Identity and
  Access Management:
  - Manager service access role for IBM Cloud Schematics
  - Operator platform role for VPC Infrastructure
- Ensure the following resources exist in your VPC Gen 2 environment:
  - VPC
  - SSH Key - Public SSH Key Doc
  - VPC has two subnets - one for management, the other for dataplane traffic
  - Floating IP (FIP) address to assign to the management interface
    of the VM-Series instance after deployment. The FIP is used to access
    your VPC virtual server instance over the public internet. For more
    information, see Creating a floating IP address.
General Requirements
The components in this checklist are common to deploying
a VM-Series firewall that you manage directly or with Panorama.
Refer to the Compatibility Matrix for Panorama plugin information for
public clouds. This release requires the
following software:
IBM Cloud account—You
must have an IBM Cloud user account with a linked email address
and you must know the username and password for that email address.
IBM Cloud SDK—If you have not done so,
install the IBM Cloud Software,
which includes IBM Cloud APIs and command-line tools. You can use the
command-line interface to deploy the firewall template and other templates.
PAN-OS on VM-Series firewalls on IBM Cloud—VM-Series
firewalls running a PAN-OS version available from the IBM Cloud Catalog.
VM-Series firewalls—VM-Series firewalls that you want to
manage from Panorama must be deployed in IBM Cloud Platform using a
Palo Alto Networks image from the IBM Cloud Catalog. Firewalls must
meet the minimum system requirements.
VM-Series Licenses—You must license a VM-Series
firewall to obtain a serial number. A serial number is required to
add a VM-Series firewall as a Panorama managed device. If you're
using the Panorama plugin for IBM Cloud to deploy VM-Series
firewalls, you must supply a BYOL auth code. IBM Cloud handles
your service billing, but the firewalls you deploy interface
directly with the Palo Alto Networks licensing server.
VM-Series plugin on the firewall—VM-Series firewalls running
PAN-OS 9.0 and later include the VM-Series plugin, which manages
integration with public and private clouds. As shown in the
Compatibility Matrix, the VM-Series plugin has a
minimum version that corresponds to each PAN-OS release.
When there is a major PAN-OS upgrade, the VM-Series plugin version is
automatically upgraded. For minor releases, it's up to you to determine
whether a VM-Series plugin upgrade is necessary, and if so,
perform a manual upgrade.
Panorama running in Management mode—A Panorama physical or virtual appliance running a
PAN-OS version that is the same or later than the managed firewalls.
Virtual instances don't need to be deployed in IBM Cloud.