Deploying Palo Alto on Azure in HA
Hiraman Sharma
CISSP | Cybersecurity Architect | Cybersecurity Engineer | Cybersecurity Consultant | GRC | IT and Operational Technology (OT) | NIST | VPDSS | Cloud | Datacenter | Firewalls
As the world adopts a cloud-first strategy, it is no surprise to see vendors porting their traditional on-premises solutions to the cloud. This article walks through the high-level process of building a platform on Microsoft Azure and deploying Palo Alto firewalls in a high-availability (HA) pair.
What you need
- The deployment guide from Palo Alto.
- A trial subscription from Microsoft Azure, upgraded to "Pay-as-you-go". This does not cost anything until the free credit expires. Note that the subscription must be upgraded before you can create a Palo Alto firewall with a valid Bundle1 licence.
Once you have a trial subscription (upgraded to Pay-as-you-go) on Microsoft Azure, go to the Marketplace and search for Palo Alto Networks. Below are the three licence options available.
We selected the Bundle1 licence when deploying the Palo Alto firewall VM from the Azure Marketplace. It takes 5-10 minutes for the VM to be created and loaded with the corresponding PAN-OS. Once the firewall is ready, you can log on to it from your web browser using its public DNS URL. The firewall should now have a valid serial number and the licences applied.
To create the second firewall you need to use the template from GitHub, because the Marketplace will not let you launch another firewall VM in an existing resource group. Even after the template is imported for the secondary firewall, certain variables such as the plan and the resource group have to be updated. Once both firewall VMs are created, we need to create an additional network interface so that it can be used for the HA2 connection. As for IP addressing, the host VM needs its own IP addressing, and so does the tenant Palo Alto firewall; this is where the configuration approach for Palo Alto firewalls differs in cloud infrastructure. When configuring IP addresses on the Palo Alto firewall, it is recommended to do so on the primary firewall only, because once HA is up and running the passive/secondary firewall automatically receives a copy of the configuration from the active/primary firewall.
The HA1 connection can be configured on yet another additional interface, but in our case the management interface was used for it. Finally, the VM plugins on the firewalls are key to failover working on Azure.
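As an added example that is not part of the article, the HA2 interface step above can be scripted with the Azure CLI; the resource group, VNet, subnet, VM names and addresses used here are assumptions, and the script only prints the plan until `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the article: create a dedicated HA2 subnet, then
# give each VM-Series firewall a NIC in it. Resource group, VNet, subnet,
# VM names and addresses are assumptions; adjust them to your deployment.
set -eu

RG="${RG:-pan-ha-rg}"                   # resource group holding both firewalls
VNET="${VNET:-pan-vnet}"                # VNet the firewall VMs are attached to
HA2_SUBNET="${HA2_SUBNET:-ha2}"         # dedicated subnet for HA2 sync traffic
HA2_PREFIX="${HA2_PREFIX:-10.10.9.0/24}"
APPLY="${APPLY:-0}"                     # 0 = print the plan, 1 = run it

# Run a command, or print it when APPLY=0 so the plan can be reviewed first.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s ' "$@"; printf '\n'; fi
}

# HA2 carries session/state sync, so it gets its own subnet rather than
# sharing the data or management subnets.
create_ha2_subnet() {
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
      --name "$HA2_SUBNET" --address-prefixes "$HA2_PREFIX"
}

# Create a NIC in the HA2 subnet and attach it to one firewall VM.
# Azure only lets you add a NIC to a deallocated VM, hence stop -> add -> start.
attach_ha2_nic() {
  vm="$1"; ip="$2"; nic="$1-ha2"
  run az network nic create --resource-group "$RG" --name "$nic" \
      --vnet-name "$VNET" --subnet "$HA2_SUBNET" --private-ip-address "$ip"
  run az vm deallocate --resource-group "$RG" --name "$vm"
  run az vm nic add --resource-group "$RG" --vm-name "$vm" --nics "$nic"
  run az vm start --resource-group "$RG" --name "$vm"
}

# Primary firewall first, then the secondary deployed from the GitHub template.
ha2_plan() {
  create_ha2_subnet
  attach_ha2_nic "${1:-pan-fw1}" "${3:-10.10.9.4}"
  attach_ha2_nic "${2:-pan-fw2}" "${4:-10.10.9.5}"
}

ha2_plan
```

Review the printed plan, then rerun with `APPLY=1` once both firewall VMs exist; the HA2 interface still has to be configured inside PAN-OS on the primary firewall afterwards.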
Senior Presales & PS Consultant at Redington Gulf
4 years ago
Hiraman Sharma, have you experienced Azure making false API calls for failover even when the active FW is up and running, resulting in the floating IP getting attached to the passive FW and causing traffic to drop as it is routed to the passive FW?