Azure: Deploying Palo Alto Networks VM-series Part-1

This is Part 1 of 2-parts article.

Refer to the diagram above for the design description: a Palo Alto Networks VM-series and a Windows virtual machine (VM) are part of the same virtual network (vnet); note that having the Windows VM and Palo Atlo Networks VM-series in the same vnet is for demo only, in production use, it is recommended to have the Palo Alto Networks VM-series in its own vnet. Each virtual network interface card (vNIC) has its own subnet. The VM-series have an out-of-band management interface, associated vNIC, and public IP address resources. The VM-series OUTSIDE interface and associated vNIC also have a public IP address resource. There are two network security groups (NSGs) attached to each of the vNIC with a public IP address resource. The Windows-VM access the internet by routing to the INSIDE interface of the VM-series as shown using user defined route.

Everything in the diagram sits in a singular resource group, all in the same region (see Step 7 of Resource Group for further discussion regarding having resources being in the same region). Having all resources in the same resource group allow ease of maintaining by deleting the resource group when this demo wraps up. Having everything in the same region ensure resource availabilities (US East region was used in this demo). Due to how the VM-series is provided in Azure marketplace, it is not possible to use a resource group that already have other resources in it. The resource group used for deploying VM-series must be empty.

Note that the design diagram above was developed prior to any deployment. It is not possible to move vNIC to a different vnet after deployment; assigning a previously created vnet during VM-series creation may result in reference error when Azure goes through its deployment process.

This part of the article was written using chatGPT.

To deploy a Palo Alto Networks VM-Series firewall in Azure, you can follow these steps:

1. Go to the Azure portal at https://portal.azure.com/ and log in with your Azure account.
2. Click on "+ Create a resource" and search for "Palo Alto Networks VM-Series" in the search bar.
3. Select the Palo Alto Networks VM-Series firewall from the list of results and click on "Create" to begin the deployment process. For this demo, we are doing BYOL and ELA.
4. In the "Basics" tab of the deployment page, fill out the following information:
5. Subscription: Select the Azure subscription that you want to use.
6. Resource group: Select create a new one. NOTE: Choosing an existing resource group with resources in it may result in deployment error. Instead, we will use a empty resource group. (I called mine dumbpalo_rg as I will be deleting all of this when I am done with the demo).
7. Region: Select the Azure region where you want to deploy the firewall. Make sure this region is also being used by the other resources discussed above. One way to check is to go through each resource on your diagram and attempt to create. Azure will ask for a region selection within the first two tabs. Take note of the regions available for each resource and compare that way.
8. Authentication type: Choose password.
9. Username and password: Enter the administrator username and password for the firewall instance.
10. Click on "Next: Networking" to continue.
11. In the "Networking" tab, configure the following settings:
12. Virtual network: Options are to use the default i.e., create a new vnet. Or if there is a vnet created prior (even if that vnet is in a different resource group), that is available for use. However, note that choosing this option may results in a deployment error!
13. Public IP address: Options are to use the default i.e., create a new vnet. Or use one created prior.
14. DNS Name: Enter a dns name.
15. Name: Enter a name for the VM-series.
16. Click on "Review + create" to review the configuration settings for the firewall instance.
17. Once you have reviewed the settings, click on "Create" to deploy the VM-Series firewall in Azure.

After the firewall is deployed, you can access the management interface using the public IP address (or domain name; however, this will take some time to replicate to the A-record) that you configured during the deployment process.

From there, you can configure the firewall policies and settings to secure your Azure resources.

Once your VM-series is deployed, create and assign a public IP address and NSG to the untrust (Outside) vNIC as shown in the diagram. Unlike the management vNIC, this will not be done automatically. This is absolutely necessary; otherwise, you will not have two-way internet traffic through this VM-series.

Below lists articles on how to do this for a generic VM. The process works the same as for a VM-series as this is done from within Azure environment.

See vnet, subnets, vNICs, public IP addresses, route table and VM articles.

Phew! You read a lot! Now that you deployed everything, why did it not work? That's part 2 to this. You need to configure the VM-series network and policies to work correctly.