Azure: Deploying Palo Alto Networks VM-series Part-2

This is a continuation of Part-1.

Configure Security Zones

  • There are only two zones: INSIDE (trust) and OUTSIDE (untrust). No other zone (e.g., DMZ) applies, because this design uses one data-plane vNIC per zone and adding further vNICs is not advisable in this Azure deployment.
  • Network > Zones > Add

Configure Interfaces

  • There are only two interfaces to configure. Ethernet1/1 is always associated with the untrust vNIC and ethernet1/2 with the trust vNIC.
  • Network > Interfaces > [select ethernet1/1]
  • Assign the Outside or Untrust security zone.
  • Add the IP address of the untrust vNIC (see the diagram for this demo). The IP address for the untrust interface is always the private IP address Azure assigned to the untrust vNIC during deployment, because that is the address Azure routes to when it hands traffic to the firewall. If you configure the interface as a DHCP client instead of a static address, Azure hands out that same vNIC address; with the two-VR design below, clear "Automatically create default route pointing to default gateway provided by server" so the DHCP-learned default route does not bypass the static routes.
  • Repeat for ethernet1/2 with the trust (inside) security zone and the IP address of the trust vNIC.

Configure Virtual Router (VR)

It is best practice to have two separate VRs in Azure: one for routing traffic to the internet (untrust), one for routing traffic to the trust (inside) zone. Each VR owns one interface, and the two are chained through static routes of type Next VR, so a packet always crosses from one zone to the other inside the firewall before it is handed to either Azure subnet gateway.

  • Network > Virtual Routers > Add (a second VR, used as a placeholder for now)
  • Network > Virtual Routers > [edit the existing VR, which will route to the untrust side]
  • In Router Settings tab > General > add ethernet1/1 (if not done so already)
  • In Static Routes > add a default route (0.0.0.0/0) out of ethernet1/1 with next-hop being the Azure default gateway for the untrust subnet. Azure reserves the first usable address of every subnet as its gateway (network address + 1); that is x.x.x.1 for a /24 on a byte boundary, but not for other prefix lengths (for 10.0.1.128/25 the gateway is 10.0.1.129).
  • In Static Routes > add an inside route (the RFC 1918 prefixes) with next-hop type Next VR pointing at the placeholder VR.

The placeholder VR now becomes the VR that routes traffic inside.

Its configuration is the mirror image: add ethernet1/2 to it, give it a default route (0.0.0.0/0) whose next hop is the other (untrust) VR via Next VR, and give it the inside route (trust subnet / RFC 1918 prefixes) out of ethernet1/2 with next hop being the Azure default gateway of the trust subnet.

In the end, there should be two VRs, each with two static routes: a default route and an inside route, pointing in opposite directions.

Outbound security policy configuration is unchanged compared with a non-cloud deployment: a security rule from the trust zone to the untrust zone allowing the applications you need.

NAT rules:

Source NAT

A single NAT rule from the trust zone to the untrust zone, with source translation set to dynamic IP and port using the ethernet1/1 interface address. The firewall only ever sees the private vNIC address; Azure performs the 1:1 translation between that private address and the public IP associated with the untrust vNIC, so no public address appears anywhere in the firewall configuration.

Destination NAT

See part 3 for destination NAT.
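
The whole procedure above (zones, interfaces, the two chained VRs, the outbound rule and source NAT) as one worked example. This is an added Python script, not code from the article or from Palo Alto Networks: it derives each subnet's Azure default gateway from its prefix instead of assuming ".1", rejects vNIC addresses that Azure reserves, and emits the equivalent PAN-OS `set` commands for configure mode. The VR names untrust-vr and trust-vr, the rule names, and the 10.0.0.0/24 and 10.0.1.0/24 subnets with .4 vNIC addresses are assumptions for the demo.

```python
"""Generate the PAN-OS configuration for the two-zone, two-VR Azure design.

Added example, not code from the article or from Palo Alto Networks.
Subnet, vNIC address, VR and rule names below are assumptions for the demo;
substitute the addresses Azure assigned during your own deployment.
"""
import ipaddress
from typing import Iterable, List, Set

# Aggregate inside routes (the article's "RFC1918 route").
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def azure_default_gateway(subnet: str) -> str:
    """Azure's gateway is the first usable host of the subnet (network + 1).

    That is x.x.x.1 only for prefixes aligned on a byte boundary; for
    10.0.1.128/25 it is 10.0.1.129, so derive it rather than assume '.1'.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    return str(net.network_address + 1)


def azure_reserved_addresses(subnet: str) -> Set[str]:
    """Addresses Azure never assigns to a vNIC: network address, gateway,
    two platform/DNS addresses, and the broadcast address."""
    net = ipaddress.ip_network(subnet, strict=True)
    base = net.network_address
    return {str(base + i) for i in range(4)} | {str(net.broadcast_address)}


def check_vnic_ip(ip: str, subnet: str) -> None:
    """Reject an interface address Azure could not have assigned to the vNIC."""
    net = ipaddress.ip_network(subnet, strict=True)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside {subnet}")
    if ip in azure_reserved_addresses(subnet):
        raise ValueError(f"{ip} is reserved by Azure within {subnet}")


def build_config(untrust_ip: str, untrust_subnet: str,
                 trust_ip: str, trust_subnet: str,
                 inside_prefixes: Iterable[str] = RFC1918) -> List[str]:
    """Return PAN-OS 'set' commands mirroring the GUI steps in the article."""
    check_vnic_ip(untrust_ip, untrust_subnet)
    check_vnic_ip(trust_ip, trust_subnet)
    prefixes = list(inside_prefixes)
    untrust_gw = azure_default_gateway(untrust_subnet)
    trust_gw = azure_default_gateway(trust_subnet)
    untrust_len = ipaddress.ip_network(untrust_subnet).prefixlen
    trust_len = ipaddress.ip_network(trust_subnet).prefixlen
    vr_out = "set network virtual-router untrust-vr"   # assumed VR name
    vr_in = "set network virtual-router trust-vr"      # assumed VR name

    cmds = [
        # Two zones only, one data-plane vNIC each.
        "set zone untrust network layer3 ethernet1/1",
        "set zone trust network layer3 ethernet1/2",
        # Interface addresses are exactly what Azure gave the vNICs.
        f"set network interface ethernet ethernet1/1 layer3 ip {untrust_ip}/{untrust_len}",
        f"set network interface ethernet ethernet1/2 layer3 ip {trust_ip}/{trust_len}",
        # Untrust VR: default route to the untrust subnet's Azure gateway ...
        f"{vr_out} interface ethernet1/1",
        f"{vr_out} routing-table ip static-route default destination 0.0.0.0/0 "
        f"interface ethernet1/1 nexthop ip-address {untrust_gw}",
    ]
    # ... and the inside prefixes handed to the trust VR (next-hop type Next VR).
    for i, prefix in enumerate(prefixes, 1):
        cmds.append(f"{vr_out} routing-table ip static-route inside-{i} "
                    f"destination {prefix} nexthop next-vr trust-vr")
    # Trust VR: the mirror image.
    cmds.append(f"{vr_in} interface ethernet1/2")
    cmds.append(f"{vr_in} routing-table ip static-route default "
                f"destination 0.0.0.0/0 nexthop next-vr untrust-vr")
    for i, prefix in enumerate(prefixes, 1):
        cmds.append(f"{vr_in} routing-table ip static-route inside-{i} "
                    f"destination {prefix} interface ethernet1/2 "
                    f"nexthop ip-address {trust_gw}")
    # Outbound policy and source NAT, unchanged from an on-prem firewall.
    cmds.append("set rulebase security rules allow-outbound from trust to untrust "
                "source any destination any application any "
                "service application-default action allow")
    cmds.append("set rulebase nat rules outbound-snat from trust to untrust "
                "source any destination any to-interface ethernet1/1 "
                "source-translation dynamic-ip-and-port interface-address "
                "interface ethernet1/1")
    return cmds


if __name__ == "__main__":
    # Constructed demo addresses: untrust subnet 10.0.0.0/24, trust 10.0.1.0/24,
    # with Azure having assigned .4 (the first non-reserved host) to each vNIC.
    print("\n".join(build_config("10.0.0.4", "10.0.0.0/24",
                                 "10.0.1.4", "10.0.1.0/24")))
```

Paste the output into configure mode on the firewall and commit, or compare it against the running configuration (`set cli config-output-format set`, then `show` in configure mode) to confirm the GUI steps produced the same two VRs, each with a default route and an inside route pointing in opposite directions.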

With both VRs in place, traffic in both directions (Tx and Rx) routes through the firewall, provided the Azure side cooperates: IP forwarding must be enabled on the trust and untrust vNICs, and the trust subnet's route table must send 0.0.0.0/0 to the trust vNIC IP (next hop type virtual appliance); otherwise Azure sends the inside hosts' traffic straight to the internet and the firewall never sees it.

That's it, the firewall is deployed.

More articles by Tai?? Tran

  • Wiz Security, an Intro to
  • Azure: Deploying Palo Alto Networks VM-series Part-3
  • Azure: Creating a vnet Peering
  • Generate Certificate Request using OpenSSL
  • Generating a server certificate
  • TLS Certificates
  • Crypto scam: pig butchering
  • Azure: Deploying Palo Alto Networks VM-series Part-1
  • Azure: Creating Network Security Group
  • Azure: Creating Route Table
