Deploy the VM-Series Firewall From the Oracle Cloud Marketplace

Complete the following procedure to deploy the VM-Series firewall in OCI from the Oracle Cloud Marketplace.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
  1. Log in to the Oracle Cloud Marketplace.
  2. Find the VM-Series firewall application in the Oracle Cloud Marketplace.
    1. Search for Palo Alto Networks and a list of offerings for the VM-Series firewall will display.
    2. Select an offering.
    3. Click Get App.
    4. Select your Region and click Sign In.
    5. Select the Version and Compartment.
    6. Accept the Oracle and Partner terms.
    7. Click Launch Instance.
  3. Enter a descriptive Name for your VM-Series firewall instance.
  4. Select an Availability Domain.
  5. Select Virtual Machine under Shape Type.
  6. Select the shape with the number of CPUs, amount of RAM, and number of interfaces required for the VM-Series firewall model. See the Compute Shapes page for the amount of resources provided by the different compute shapes. See VM-Series System Requirements for more information about the resources required for each VM-Series firewall model.
  7. Under Networking, select your Virtual cloud network compartment, Virtual cloud network, Subnet compartment, and Subnet for your management interface. You can only add one interface when creating the VM-Series firewall instance. You will add additional interfaces later.
  8. (Optional) Set the boot volume to a size larger than the default. By default, the boot volume is set to 60 GB. Complete this procedure if you require a larger boot volume to support features such as attaching logs.
    1. Select Custom boot volume size (in GB).
    2. Enter 60 or greater. 60 GB is the minimum hard drive size required by the VM-Series firewall.
  9. Add your SSH key.
    1. Under Add SSH Key, select Paste SSH Key.
    2. Paste your SSH key into the field provided.
  10. Add the bootstrapping parameters.
    1. Click Show Advanced Options.
    2. Under User data, select Paste cloud-init script.
    3. Paste the bootstrap parameters into the field provided.
      hostname=<fw-hostname>
      vm-auth-key=<auth-key>
      panorama-server=<panorama-ip>
      panorama-server-2=<panorama2-ip>
      tplname=<template-stack-name>
      dgname=<device-group-name>
      authcodes=<firewall-authcode>
      op-command-modes=jumbo-frame
  11. Click Create.
    When the VM-Series firewall is launched, OCI creates and attaches a primary VNIC to the instance. This VNIC resides in the subnet you specified in the instance network setting and connects to the VM-Series firewall’s management interface.
  12. Configure a new administrative password for the firewall.
    1. Use the management IP address to SSH into the command line interface (CLI) of the VM-Series firewall.
    2. Enter the following command to log in to the firewall:
      ssh -i <private_key.pem> admin@<public-ip_address>
    3. Configure a new password using the following commands and follow the onscreen prompts:
      configure
      set mgt-config users admin password
  13. Attach a vNIC to your VM-Series firewall instance for each data interface. You must attach at least two data interfaces to your firewall instance—untrust and trust.
    1. Select your newly launched VM-Series firewall instance and select Attached VNICs > Create VNIC.
    2. Enter a descriptive Name for your vNIC.
    3. Select your VCN from the Virtual Cloud Network drop-down.
    4. Select your subnet from the Subnet drop-down.
    5. Specify a Private IP Address. This is only required if you want to choose a particular IP for the vNIC. If you do not specify an IP, OCI will assign an IP address from the CIDR block you assigned to the subnet.
    6. Select Assign Public IP Address for public-facing vNICs such as your untrust subnet.
    7. Click Create VNIC.
    8. Repeat this procedure for each vNIC your deployment requires.
  14. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    1. Log in to the firewall.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for ethernet 1/1 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
      • On the IPv4 tab, select Static.
      • Click Add in the IP section and enter the IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust vNIC IP address configured in your VCN.
    4. Repeat this procedure for each vNIC configured in your VCN except your management vNIC.
    Always delete interfaces only from the bottom of the interface list. Deleting firewall interfaces in the wrong order results in an interface mismatch between the firewall and OCI. For example, say you have five data interfaces, then delete interface two on the firewall and add a new interface at the bottom. After rebooting the firewall, the newly added interface will take the place of the deleted interface two instead of taking a place at the bottom of the list.
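
A pre-paste check for the user data in step 10, added here as an example and not taken from Palo Alto Networks or Oracle tooling: it flags unfilled <...> placeholders, keys other than those shown in step 10, duplicate keys, and Panorama addresses that are not IPv4. The function name, the sample values, and the treatment of panorama-server values as IPv4 literals (following the page's <panorama-ip> placeholder) are assumptions.

```python
import ipaddress
import re

# Keys shown in step 10 of this page; anything else is flagged for review.
KNOWN_KEYS = {"hostname", "vm-auth-key", "panorama-server", "panorama-server-2",
              "tplname", "dgname", "authcodes", "op-command-modes"}
IPV4_KEYS = {"panorama-server", "panorama-server-2"}  # assumption: IPv4 literals
PLACEHOLDER = re.compile(r"<[^<>]*>")


def check_user_data(text):
    """Return findings (key names only, never values); empty list means pass."""
    findings, seen = [], set()
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            findings.append(f"line {num}: not a key=value pair")
            continue
        if key not in KNOWN_KEYS:
            findings.append(f"line {num}: unknown key '{key}'")
        if key in seen:
            findings.append(f"line {num}: duplicate key '{key}'")
        seen.add(key)
        if not value:
            findings.append(f"line {num}: '{key}' has no value")
        elif PLACEHOLDER.search(value):
            findings.append(f"line {num}: '{key}' still holds a placeholder")
        elif key in IPV4_KEYS:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                findings.append(f"line {num}: '{key}' is not an IPv4 address")
    return findings


# Constructed sample input: placeholder left in, IPv6 address, mistyped key.
SAMPLE = """\
hostname=oci-fw-01
vm-auth-key=<auth-key>
panorama-server=2001:db8::10
panorama-server-2=192.0.2.11
tpl-name=oci-stack
"""

if __name__ == "__main__":
    print("\n".join(check_user_data(SAMPLE)))
```

Findings name the offending key but never echo its value, so the auth key and authcodes do not end up in terminal scrollback or CI logs.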