There is some configuration needed on the Azure network to get your Palo Alto firewall passing traffic through properly. In particular, by default you won't be able to ping Internet IPs through the Palo Alto firewall.

This post gives you a few small tricks to get ping working for local interfaces and for the Internet.

For other basic configuration, please check this post: https://blog.51sec.org/2021/12/deploy-palo-alto-vm-series-firewall.html

Topology

Web Gui Overview

ACC Tab:  The default ACC view will show you the network, threat, blocked and tunnel activity in four separate tabs for the past hour. The time frame and each tab can be customized to display the relevant application, threat, and user activity depending upon the user role.

The Monitor tab is where you can perform log analysis and generate reports on all of the traffic flowing through the VM-Series. Logs are stored on the box and can also be forwarded to either Panorama, our centralized management solution, or forwarded to a syslog server for analysis and reporting by 3rd party offerings.
The Policies tab is where you will define all of your policies. The default view will be your security policies, all of which can be based on the application, the content within, and the user. Click Reports to see the various pre-defined reports you can use.
The Objects, Network, and Device tabs provide you with the various management capabilities:
  • The Objects tab allows you to manage the building blocks for creating policies such as address objects, custom applications, and security profiles.
  • The Network tab allows you to create and manage interfaces, security zones, VLANs and other elements that enable connectivity.
  • The Device tab is where configuration items like DNS, service routes, etc. are managed. The Device tab also allows you to manage high availability, users, software and content updates.

Enable Ping on Interfaces

To allow Ping and other management traffic, configure an Interface Management Profile and apply it to the interface.

Steps

    1. Go to Network > Network Profiles > Interface Mgmt.
    2. Create a profile allowing ping.
    3. Go to Network > Interfaces and assign the profile created above to the interface under the Advanced tab.
    4. Commit the changes.

From the CLI:
      > configure
      # set network profiles interface-management-profile mgmt ping yes
      # set network interface ethernet ethernet1/3 layer3 interface-management-profile mgmt
      # commit

Add a Route Table and Route

A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security. Each NIC in a VM is connected to one subnet in one virtual network. NICs connected to subnets (the same or different ones) within a virtual network can communicate with each other without any extra configuration. By default, all Azure subnet traffic goes to the Azure default gateway for that subnet, which is the .1 IP address.

If we need to re-route traffic to our virtual appliance, such as our Palo Alto firewall, we need to create a separate route table and add a new route to it.

Create a new route that sends all default traffic to the Palo Alto firewall interface, which is 10.0.2.4.
Associate the subnet that will use this route table.

Add Public IP Address To Untrusted Interface

By default, the Azure VNet does not pass ping or tracert packets through well.

To make ping work through the Azure network and the Palo Alto firewall, you have to assign a public IP to the untrusted interface on the Palo Alto.

Associate this new public IP with the Palo Alto's untrusted interface, which is eth1:

Now you should be able to use Ping to Internet through Palo Alto firewall.
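The two Azure steps above (a route table with a default route whose next hop is the firewall, and a public IP on the untrusted NIC) can also be done from the Azure CLI. The script below is an added example and is not from the original post: the resource group, location, VNet, subnet, NIC and public-IP names are assumptions, while the firewall interface address 10.0.2.4 is the one used in the post. By default it only prints the az commands it would run; set DRY_RUN=0 to execute them. The IP-forwarding step on the firewall NIC is not mentioned in the post; it is a standard Azure requirement for a network virtual appliance to accept traffic that is not addressed to its own IP.

```shell
#!/bin/sh
# Added example (not from the original post): Azure CLI equivalents of the
# route-table and public-IP steps. All resource names are assumptions.
RG="${RG:-rg-paloalto}"                      # assumed resource group
LOCATION="${LOCATION:-eastus}"               # assumed region
VNET="${VNET:-vnet-paloalto}"                # assumed VNet name
TRUST_SUBNET="${TRUST_SUBNET:-trust}"        # assumed subnet behind the firewall
ROUTE_TABLE="${ROUTE_TABLE:-rt-to-paloalto}" # assumed route-table name
FW_TRUST_IP="${FW_TRUST_IP:-10.0.2.4}"       # firewall interface IP from the post
FW_TRUST_NIC="${FW_TRUST_NIC:-pa-vm-eth2}"   # assumed NIC on the trust side
FW_UNTRUST_NIC="${FW_UNTRUST_NIC:-pa-vm-eth1}" # assumed NIC on the untrust side
PUBLIC_IP="${PUBLIC_IP:-pip-pa-untrust}"     # assumed public-IP resource name
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands only, 0 = execute

# run_az prints the full az command line; with DRY_RUN=0 it also runs it.
run_az() {
    printf '%s\n' "az $*"
    [ "$DRY_RUN" = "1" ] || az "$@"
}

# Step 1: create the route table and a 0.0.0.0/0 route whose next hop is
# the firewall's trust-side IP (next-hop type VirtualAppliance).
create_default_route_to_firewall() {
    run_az network route-table create --resource-group "$RG" \
        --location "$LOCATION" --name "$ROUTE_TABLE"
    run_az network route-table route create --resource-group "$RG" \
        --route-table-name "$ROUTE_TABLE" --name default-to-fw \
        --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
        --next-hop-ip-address "$FW_TRUST_IP"
}

# Step 2: associate the route table with the subnet whose traffic should
# leave through the firewall.
associate_route_table() {
    run_az network vnet subnet update --resource-group "$RG" \
        --vnet-name "$VNET" --name "$TRUST_SUBNET" --route-table "$ROUTE_TABLE"
}

# Step 3 (not in the post, standard NVA requirement): the firewall NIC must
# have IP forwarding enabled or Azure drops packets not addressed to it.
enable_ip_forwarding() {
    run_az network nic update --resource-group "$RG" --name "$FW_TRUST_NIC" \
        --ip-forwarding true
}

# Step 4: create a public IP and attach it to the untrusted NIC's primary
# IP configuration (ipconfig1 is the Azure default name) so ping/ICMP to
# the Internet can be SNATed by the firewall.
attach_public_ip_to_untrust() {
    run_az network public-ip create --resource-group "$RG" --name "$PUBLIC_IP" \
        --sku Standard --allocation-method Static
    run_az network nic ip-config update --resource-group "$RG" \
        --nic-name "$FW_UNTRUST_NIC" --name ipconfig1 --public-ip-address "$PUBLIC_IP"
}

# Offline sanity check: the generated default route must point at the firewall.
check_next_hop() {
    create_default_route_to_firewall | grep -q -- "--next-hop-ip-address $FW_TRUST_IP"
}

# Usage: sh this-script.sh            (prints the commands)
#        DRY_RUN=0 sh this-script.sh  (executes them with an authenticated az)
create_default_route_to_firewall
associate_route_table
enable_ip_forwarding
attach_public_ip_to_untrust
```

Run it once in dry-run mode and compare the printed commands with what you created in the portal; the next-hop address on the default route and the NIC receiving the public IP are the two values that most often end up wrong.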

Updates

After clicking Check Now on the Device -> Dynamic Updates page, you will see some updates available for download. You can install them once they have downloaded.

Even if the VM firewall is not able to connect to the Palo Alto Networks update server, you will still be able to proceed with the installation without validating the content.

Basic Steps to Setup VM-Series Firewall and Register it with Credits

Steps: 

Support Portal: https://support.paloaltonetworks.com/
a. Log into the support portal: Assets -> Software NGFW Credits
b. Create a Deployment Profile.
c. Choose the VM-Series vCPU number and features, then calculate the credits you will need.
d. You will use the auth code from this profile for licensing any firewall you create with it. An auth code for a flexible firewall license begins with the letter D.
   Under Assets -> Software NGFW Credits -> Details, there are three dots at the end of each profile which allow you to Register Firewall, Edit Profile, Delete, Transfer Profile and Clone Profile.
e. On the firewall, select Device > Setup > Services. Confirm that Update Server is set to updates.paloaltonetworks.com and that Verify Update Server Identity is selected.

f. Enter the authorization code which you got from the Support Portal's deployment profile.

Click OK to confirm the license upgrade. The firewall contacts the Palo Alto Networks update server and consumes the tokens required for your firewall based on the VM-Series model.

Videos

By Jon

One thought on “Palo Alto VM-Series Firewall Configuration in Azure”
  1. So with the section on adding the route to the palo vm in the route table using UDR, does this mean that two vms in the SAME subnet will have to go through the firewall to talk to each other?