Orchestrate a VM-Series Firewall Deployment in Azure

1. Create a service principal.

   Onboard your created service principal credentials to give the Panorama Plugin permissions to make necessary API calls to orchestrate your deployment

   1. Select SetupService PrincipalAdd.
   2. Enter a Name and an optional Description to identify the service account.
   3. Enter the Subscription ID for the Azure subscription you want to monitor.
      You must login to your Azure portal to get this subscription ID.
   4. Enter the Client ID.The client ID is the Application ID associated with your Azure Active Directory application.
   5. Enter the Client Secret and re-enter it to confirm.
   6. Enter the Tenant ID.
      The tenant ID is the Directory ID you saved when you set up the Active Directory application.
   7. Click Validate to verify that the keys and IDs you entered are valid, and Panorama can communicate with the Azure subscription using the API.
      It can take up to a minute to validate. You can update the page to check your progress.
   8. When the service principal is valid, commit your changes.
      The commit ensures the service principal is available when you configure the deployment.

2. Configure your Azure deploymenet.

   1. Select Deployments and Add a configuration.
   2. Select BuildGeneral.

      • Supply a Name and an optional Description.
      • Choose a service principal from the drop list.
        You must select a valid service principal to enable the Azure tab.
        If you don’t see your service principal, return to Step 1 and ensure the service principal is valid and committed.

   3. On the BuildAzure tab, select a region.

      The drop list is dynamic—it lists all regions that have a Palo Alto Networks VM-Series Next Generation Firewall image.

      • Existing VNET.
        • Select No to create a new VNET.
          The plugin uses the VNET CIDR and Directory Domain to create a VNET for you.
        • Select Yes to indicate an existing VNET.
      • VNET CIDR—Enter your CIDR range. The prefix must be smaller than or equal to /22. For example, 192.168.0.0/22.
      • Directory Domain—See Find Your Azure Directory Domain Name. This string is part of the URL for all resources in the subscription, and it helps the plugin link to your deployments.

      If you selectYes the plugin asks for the VNET Resource Group, the VNET Name, the Security CIDR, and the Directory Domain.

      • VNET Resource Group—Choose from a list of all resource groups in your selected region.
      • VNET Name—Choose from a list of VNETS in your chosen resource group.
      • Security CIDR—Enter your CIDR range. The prefix must be smaller than or equal to /22. For example, 192.168.0.0/22.
      • Directory Domain—See Find Your Azure Directory Domain Name. This string is part of the URL for all resources in the subscription, and it helps the plugin link to your deployments.

      The VNET Resource Group and VNET name help the plugin locate your existing VNET. Anything the plugin deploys goes into a resource group that the plugin manages.

3. Configure the VM-Series firewall stacks for your deployment.

   You can deploy the Hub stack to protect Outbound/East-West traffic. You can deploy the Inbound stack to protect inbound traffic. You can also deploy both stacks if all traffic flows need to be protected.

   The configuration parameters are the same for both stacks.

   • License Type—Select BYOL, Bundle 1, or Bundle 2.
   • License Authcode—(BYOL only). Enter the authcode sent in your Welcome letter.
   • VM Size
     • The drop list displays the VM sizes that correlate with the authcode you entered.
     • Bundle1 or Bundle2—Choose any VM size.

   Existing Device Group—The device group must be unique across both stacks and deployments. That is, you need a separate dedicated device group for each stack in each deployment.

   If you select No the plugin creates a device group.

   If you select Yes, select an existing device group from the dropdown list.

   • Min Firewalls— A value between 1 and 25 for a VMSS.
   • Max Firewall— A value between 1 and 25 for a VMSS.
4. Select BuildFirewallBasic to configure information common to both Stacks.

   For Image Type, select Marketplace Image or Custom Image.

   • Image Resource Group—(custom image only) Choose the resource group containing your custom image. For a custom image, the list displays all resource groups that contain an image from the region you selected in Step 2.b.
   • Image—(custom image only) The dropdown list displays all images in your chosen resource group.
   • Software Version—(Marketplace Image) Only valid software versions are displayed. Consult the Compatibility Matrix for the minimum PAN-OS version.
   • Username—The administrator user name for the firewall you create. The name must be legal for both VM-Series firewall and Azure. Refer to What are the user name requirments when creating a VM?
   • Password—The administrator password for the firewall you create. The password must meet the character and length requirements (31 characters) for both VM-Series firewall and Azure. Refer to What are the password requirements when creating a VM?.
   • Confirm Password—Re-enter your password.
   • Primary Panorama IP—Specify the Panorama IP address the firewall can use to connect to the Panorama when it boots up. Choose between the public or private IP address displayed in the dropdown list, or type in the Panorama IP address.
   • Secondary Panorama IP—(Only if Panorama is in HA setup.) Specify the Secondary Panorama IP the firewall can use to connect to the Panorama when it boots up. Choose from dropdown list or type in the correct IP.
   • Configure Device Certificate PIN. Because these values are encrypted you must enter and confirm each value.
     • Device Certificate PIN ID—The device certificate ID.
     • Confirm Device Certificate PIN ID
     • Device Certificate PIN Value—The certificate PIN value.
     • Confirm Device Certificate PIN Value
5. Select BuildFirewallAdvanced optional default values.

   Check Advanced to edit the default values.

   • Autoscaling Metric—Default is Data Plane CPU Util Percent.
   • Scale In Threshold—Accept the default or define a scale in thresholdt.
   • Scale Out Threshold—Accept the default or define a scale in threshold.
   • Jumbo Frame—Disabled by default.

   Click OK and commit your changes. Refresh the page until you can see the Deploy button, and click Deploy to launch the deployment. Once the deployment starts, information is written to the Deployments page.

   Deployment takes 15-20 minutes to complete.

   If there is an entry in the Deployment Status column, click the hyperlink to view the deployment details.

   The possible status messages are:

   • Commit changes—You have added a deployment for the first time but have not yet committed the changes.
     Every configuration change for the deployment must be committed so that the plugin can pick up your changes.
   • Deploying—The plugin is deploying or updating the deployment. For more information, click the hyperlink to view the detailed status.
   • Failure—Deployment has failed. Click the hyperlink and view the Detailed Status for the Security stack.
   • Not Deployed—The plugin is ready to deploy the configuration, but the deployment has not begun.
   • Success—The plugin has successfully deployed the Security stack and the firewalls have connected to Panorama. The firewalls can pass traffic.
   • Warning—Deployment has successfully finished but something external to the deployment has failed. For example, you might see this message:
     FWs have not connected after 20 minutes of the deployment completing.
     Click the hyperlink and view the Security stack.

   Once the deployment is deployed, the plugin allows you to modify a certain subset of parameters. Once the changes have been made, you must do a commit before clicking the Redeploy button. When an update happens, the plugin makes sure the Panorama config is created and accurate.

   • Deploy—After you commit your initial configuration, select Deploy to launch the deployment.
   • Redeploy—Modify a deployment, commit your changes, and select Redeploy.
     You must commit changes to the deployment before you click Redeploy.
   • Undeploy—Delete a deployment, but keep the configuration so it can be redeployed at a later time.

   To remove an existing deployment and its configuration, check a deployment and select Delete at the bottom of the Deployments page.
6. Select AzureDeployments to view deployment status.

   • The Resource Group column displays resource groups the plugin has created.
   • The firewall’s management interface uses the Firewall Access IP to connect to Panorama. You must whitelist this address to ensure that Panorama can connect with Panorama to get the needed configuration.
     If Panorama is deployed in a Public Cloud, make sure to add the Firewall Access IP to the Panorama security group.
     See Ports Used for Panorama to determine which ports you need to open to allow traffic.
   • Open the link in the Deployment Status column for additional details for each stack.
     • Hub-Stack—The Hub stack Public IP matches the Firewall Access IP in the deployment summary because the NAT gateway is the same for egress traffic from the deployment and the management traffic from the firewalls.
       All outbound and East-West traffic should be routed to the Egress Private IP for inspection. You can direct traffic to this address if you configured UDRs.
     • Inbound-Stack—The Private IP is the address on the Azure internal load balancer that fronts the firewalls. You can direct traffic to this address if you are configuring UDRs.
   • Follow the links to view deployment information and Application Insights on Azure.
   • The Deployment details can show Success, Warning, and Failure messages
7. Configure inbound protection for backend TCP/UDP applications.

   The public load balancer that fronts the inbound firewall stack is the entry point for any back-end UDP or TCP applications. Add the following configuration to allow the plugin to manage the necessary load balancer and firewall configuration to route to your backend application.

   1. Select AzureDeployments and select your deployment.
   2. Select the Protect tab and click Add.
   3. Supply the application Name and choose a Protocol.

      Enter the protection details:

      • Frontend IP Type—Select one of New Public IP, Existing Frontend, and Existing Public IP.
        If you select Existing Frontend, the Frontend Name lists all known front ends on the load balancer.
      • Resource Group—(Existing Public IP only) From the dropdown list, select the resource group where your desired frontend IP address exists.
      • IP Name—(Existing Public IP only) Use to map IP to a frontend on the load balancer, configure the load balancer, and create a NAT rule.
      • Frontend Port—Add the frontend port that should be configured to receive traffic on the public load balancer.
      • Backend IP—Add the IP address of your backend application.
      • Backend Port—Add the port your backend application is expecting to receive traffic on.

      Click OK.
   4. Commit to add the configuration on the load balancer and push to the firewalls.