: Prepare to Set Up VM-Series Firewalls on IBM Cloud
Focus
Focus

Prepare to Set Up VM-Series Firewalls on IBM Cloud

Table of Contents

Prepare to Set Up VM-Series Firewalls on IBM Cloud

Deploying the VM-Series Firewall from IBM Cloud Platform requires preparation tasks. If you are deploying using the IBM Cloud catalog, you must create your project networks and subnetworks, and plan IP address assignments for the VM-Series firewall interfaces in advance. During the deployment, you must choose from existing networks and subnetworks.

Prerequisites

To set-up the VM-Series Firewall on IBM Cloud, you will need:
  • Access to IBM Cloud Gen 2 VPC
  • A VPC with at least two subnets and one IP address unassigned in each subnet. The IP Addresses to the VM-Series VSI will be assigned from the user provided subnets. For more information, see
  • One of the following regions to install PAN-OS:
    • us-east
    • us-south
    • ca-tor
    • eu-gb
    • eu-de
    • eu-fr2
    • au-syd
    • jp-osa
    • jp-tok

Dependencies

Before you can apply the template in IBM Cloud, complete the following steps:
  • Ensure that you have the following permissions in IBM Cloud Identity and Access Management:
    • Manager service access role for IBM Cloud Schematics
    • Operator platform role for VPC Infrastructure
  • Ensure the following resources exist in your VPC Gen 2 environment:
    • VPC
    • SSH Key - Public SSH Key Doc
    • VPC has 2 subnets - one for management, the other for data plane traffic
    • Floating IP (FIP) address to assign to the management interface of VM-Series instance post deployment. FIP is used to access your VPC virtual server instance over the public internet. For more information, see Creating a floating IP address.

General Requirements

The components in this checklist are common to deploying a VM-Series firewall that you manage directly or with Panorama.
Refer to the Compatibility Matrix for Panorama plugin information for public clouds.This release requires the following software:
  • IBM Cloud account—You must have an IBM Cloud user account with a linked email address and you must know the username and password for that email address.
    IBM Cloud SDK—If you have not done so, install the IBM Cloud Software, which includes IBM Cloud APIs and command line tools. You can use the command line interface to deploy the firewall template and other templates.
  • PAN-OS on VM-Series firewalls on IBM Cloud—VM-Series firewalls running a PAN-OS version available from the IBM Cloud Catalog.
    • VM-Series firewalls—VM-Series firewalls that you want to manage from Panorama must be deployed in IBM Cloud Platform using a Palo Alto Networks image from the IBM Cloud Catalog. Firewalls must meet the Minimum System Requirements for the VM-Series Firewall.
    • VM-Series Licenses—You must license a VM-Series firewall to obtain a serial number. A serial number is required to add a VM-Series firewall as a Panorama managed device. If you are using the Panorama plugin for IBM Cloud to deploy VM-Series firewalls, you must supply a BYOL auth code. The IBM Cloud handles your service billing, but the firewalls you deploy will directly interface with the Palo Alto Networks licensing server.
    • VM-Series plugin on the firewall—VM-Series firewalls running PAN-OS 9.0 and later include the VM-Series plugin, which manages integration with public and private clouds. As shown in the Compatibility Matrix, the VM-Series plugin has a minimum version that corresponds to each PAN-OS release.
      When there is a major PAN-OS upgrade the VM-Series plugin version is automatically upgraded. For minor releases it is up to you to determine whether a VM-Series plugin upgrade is necessary, and if so, perform a manual upgrade.
    • Panorama running in Management mode—A Panorama physical or virtual appliance running a PAN-OS version that is the same or later than the managed firewalls. Virtual instances do not need to be deployed in IBM Cloud.
      You must have: