Install the VM-Series Firewall in a Basic Gateway Deployment
Table of Contents
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- IPv6 Support on Public Cloud
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
- Enable NUMA Performance Optimization on the VM-Series
- Enable ZRAM on the VM-Series Firewall
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
- Use Panorama-Based Software Firewall License Management
-
- Maximum Limits Based on Tier and Memory
- Activate Credits
- Create a Deployment Profile
- Manage a Deployment Profile
- Register the VM-Series Firewall (Software NGFW Credits)
- Provision Panorama
- Migrate Panorama to a Software NGFW License
- Transfer Credits
- Renew Your Software NGFW Credits
- Deactivate License (Software NGFW Credits)
- Delicense Ungracefully Terminated Firewalls
- Set the Number of Licensed vCPUs
- Customize Dataplane Cores
- Migrate a Firewall to a Flexible VM-Series License
-
- Generate Your OAuth Client Credentials
- Manage Deployment Profiles Using the Licensing API
- Create a Deployment Profile Using the Licensing API
- Update a Deployment Profile Using the Licensing API
- Get Serial Numbers Associated with an Authcode Using the API
- Deactivate a VM-Series Firewall Using the API
- What Happens When Licenses Expire?
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
-
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Create Dynamic Address Groups
- Create Dynamic Address Group Membership Criteria
- Generate Steering Policy
- Generate Steering Rules
- Delete a Service Definition from Panorama
- Migrate from VM-Series on NSX-T Operation to Security Centric Deployment
- Extend Security Policy from NSX-V to NSX-T
- Use In-Place Migration to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
- VM-Series Firewall Startup and Health Logs on AWS
-
- Use AWS Secrets Manager to Store VM-Series Certificates
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
- Intelligent Traffic Offload
- Software Cut-through Based Offload
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Deploy the VM-Series with the Azure Gateway Load Balancer
- Create a Custom VM-Series Image for Azure
- Deploy the VM-Series Firewall on Azure Stack
- Deploy the VM-Series Firewall on Azure Stack HCI
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use Azure Key Vault to Store VM-Series Certificates
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on Google Cloud Platform (GCP)
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Use Custom Templates or the gcloud CLI to Deploy the VM-Series Firewall
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Azure Stack HCI
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
Install the VM-Series Firewall in a Basic Gateway Deployment
Complete the following steps to prepare the
heat templates, bootstrap files, and software images needed to deploy
the VM-Series firewall in OpenStack. After preparing the files,
deploy the VM-Series firewall and Linux server.
- Download the Heat template and bootstrap files.Download the Heat template package from the GitHub repository.
- Download the VM-Series base image.
- Login in to the Palo Alto Networks Customer Support Portal.
- Select Software Updates and choose PAN-OS for VM-Series KVM Base Images from the Filter By drop-down.
- Download the VM-Series for KVMqcow2 file.
- Download Ubuntu 14.04 and upload the image to the OpenStack
controller.The Heat template needs an Ubuntu image for launching the Linux server.
- Download Ubuntu 14.04.
- Log in to the Horizon UI.
- Select ProjectComputeImagesCreate Image.
- Name the image Ubuntu 14.04 to match the parameter in the pan_basic_gw_env.yaml file.
- Set Image Source to Image File.
- Click Choose File and navigate to your Ubuntu image file.
- Set the Format to match the file format of your Ubuntu image.
- Click Create Image.
- Upload the VM-Series for KVM base image to the OpenStack
controller.
- Log in to the Horizon UI.
- Select ProjectComputeImagesCreate Image.
- Name the image to match the image name in your Heat template.
- Set Image Source to Image File.
- Click Choose File and navigate to your VM-Series image file.
- Set the Format to QCOW2-QEMU Emulator.
- Click Create Image.
- Upload the bootstrap files. You have two options for
passing bootstrapping files to OpenStack—file injection (personality
files) or user data. To pass the bootstrap files using user-data, you
must place the files in a tar ball (.tgz file) and encode that tar
ball with base64.File injection is no longer supported beginning with OpenStack Queens; you must use user data instead.
- For file injection, upload the init-cfg.txt, bootstrap.xml, and your VM-Series auth codes to your OpenStack controller or a web server that the OpenStack controller can access.
- If using the --user-data method to pass the bootstrap package to the config-drive, you can use the following command to create the tar ball and encode the tar ball (.tgz file) with base64:
tar -cvzf <file-name>.tgz config/ license software content base64 -i <in-file> -o <outfile>
- Edit the pan_basic_gw.yaml template to point to the bootstrap
files and auth codes.
- If you are using personality files, specify the file path or web server address to the location of your files under personality. Uncomment whichever lines you are not using.
pan_fw_instance: type: OS::Nova::Server properties: image: { get_param: pan_image } flavor: { get_param: pan_flavor } networks: - network: { get_param: mgmt_network } - port: { get_resource: pan_untrust_port } - port: { get_resource: pan_trust_port } user_data_format: RAW config_drive: true personality: /config/init-cfg.txt: {get_file: "/opt/pan_bs/init-cfg.txt"} # /config/init-cfg.txt: { get_file: "http://web_server_name_ip/pan_bs/init-cfg.txt" } /config/bootstrap.xml: {get_file: "/opt/pan_bs/bootstrap.xml"} # /config/bootstrap.xml: { get_file: "http://web_server_name_ip/pan_bs/bootstrap.xml" } /license/authcodes: {get_file: "/opt/pan_bs/authcodes"} # /license/authcodes: {get_file: "http://web_server_name_ip/pan_bs/authcodes"}
- If you are using user-data, specify the file path or web server address to the location of your files under user_data. If you have more than one
pan_fw_instance: type: OS::Nova::Server properties: image: { get_param: pan_image } flavor: { get_param: pan_flavor } networks: - port: { get_resource: mgmt_port } - port: { get_resource: pan_untrust_port } - port: { get_resource: pan_trust_port } user_data_format: RAW config_drive: true user_data: # get_file: http://10.0.2.100/pub/repository/panos/images/openstack/userdata/boot.tgz get_file: /home/stack/newhot/bootfiles.tgz
- Edit the pan_basic_gw_env.yaml template environment file
to suit your environment. Make sure that the management and public
network values match those that you created in your OpenStack environment.
Set the pan_image to match the name you assigned to the VM-Series
base image file. You can also change your server key here.
root@node-2:~# cat basic_gateway/pan_basic_gw_env.yaml parameters: mgmt_network: mgmt_ext_net public_network: public_net pan_image: pa-vm-image pan_flavor: m1.medium server_image: Ubuntu-14.04 server_flavor: m1.small server_key: server_key
- Deploy the Heat template.
- Execute the command source openrc
- Execute the command heat stack-create <stack-name> -f <template> -e ./<env-template>
- Verify that your VM-Series firewall is deployed successfully.You can use the following commands to check the creation status of the stack.
- Check the stack status with heat stack-list
- View a detailed list of events that occurred during stack creation with heat event-list
- View details about your stack with heat stack-show
- Verify that the VM-Series firewall is bidirectionally
inspecting traffic accessing the Linux server.
- Log in to the firewall.
- Select MonitorLogsTraffic to view the SSH session.