Azure-GWLB 
Azure Gateway Load Balancer
Requirements:
- Minimum version of PAN-OS 10.1.4 and VM-Series plugin 2.1.4
Bootstrap Information
- After cloning the repository, extract the contents of bootstrap.tgz with:
tar xvzf bootstrap.tgz
- The contents of the extracted archive should be uploaded to the storage account as described in the next step.
- Create a Storage Account for Bootstrapping.
If you are using the Panorama Software Firewall License Plugin, follow this guide:
Steps to deploy the template
Security Stack Template Parameters
Configure the template parameters for your Azure GWLB deployment:
- FirewallDnsName: Unique DNS name for the public IP used to access the PAN firewall VM.
- vmName: Name for the VM-Series firewall.
- adminUsername: The username for the account on the VM-Series firewall.
- adminPassword: Password for the account on the VM-Series firewall. Make this parameter optional if you choose to use any other authentication type.
- bootstrapStorageAccount: The name of the storage account created in the prerequisite step.
- bootstrapStorageAccountAccessKey: The value of the storage account access key created in the prerequisite step.
- bootstrapFileShare: The name of the storage account file share created in the prerequisite step.
- imageVersion: The PAN-OS image version. Supported from 10.1.4. Add the required version to the allowed values to use the PAN-OS version of your preference.
- imageSKU: Licensing model - byol, bundle1, bundle2.
- vmSize: Azure VM size for the firewall. Choose from the list of allowed values.
- AddressPrefix: The CIDR range for the Security network, e.g. "10.0.0.0/16".
- ManagementSubnet: Subnet prefix for the Security management subnet, e.g. "10.0.1.0/24".
- DataSubnet: Subnet prefix for the Security data subnet, e.g. "10.0.0.0/24".
NOTE
init-cfg.txt in the bootstrap folder should include the plugin-op-commands line below.
To deploy the solution with the default ports:
plugin-op-commands=azure-gwlb-inspect:enable
When the port and VNI parameters are not specified, the default values are used: internal port 2000 and internal VNI 800, external port 2001 and external VNI 801. These parameters must match the tunnel interface properties of the GWLB backend pool, otherwise the service chain cannot be established and traffic is not steered through the firewall. If you use custom ports, also edit the block below in security-stack.json with the same custom values.
To deploy the solution with custom ports, edit init-cfg.txt to (options are joined with "+"):
plugin-op-commands=azure-gwlb-inspect:enable+internal-port-3000+external-port-3001+internal-vni-900+external-vni-901
"backendAddressPools": [
  {
    "name": "BackendPool1",
    "properties": {
      "tunnelInterfaces": [
        {
          "port": 2000, // Change the internal port here to 3000
          "Identifier": 800, // Change the identifier to 900
          "Protocol": "VxLan",
          "Type": "Internal"
        },
        {
          "port": 2001, // Change the external port here to 3001
          "Identifier": 801, // Change the identifier to 901
          "Protocol": "VxLan",
          "Type": "External"
        }
      ]
    }
  }
],
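A mismatch between the tunnel settings in init-cfg.txt and the tunnelInterfaces block of the Gateway Load Balancer backend pool silently breaks the service chain, so it is worth checking the two files against each other before deploying. The following script is an added example, not part of this repository: it reads the azure-gwlb-inspect options from init-cfg.txt (falling back to the plugin defaults listed in the note above), reads every tunnelInterfaces array from the ARM template, and reports any port or VNI that disagrees. It assumes that multiple entries in plugin-op-commands are comma separated and that options within the azure-gwlb-inspect command are joined with "+", and it tolerates "//" line comments, which ARM templates accept but json.loads does not. The embedded sample init-cfg.txt and template fragment are constructed for the demonstration, with one stale value left in the template on purpose.

```python
"""Cross-check GWLB tunnel ports/VNIs in init-cfg.txt against security-stack.json."""
import json
import re
import sys

# Defaults the azure-gwlb-inspect command applies when an option is omitted
# (internal port 2000 / VNI 800, external port 2001 / VNI 801).
PLUGIN_DEFAULTS = {
    "Internal": {"port": 2000, "vni": 800},
    "External": {"port": 2001, "vni": 801},
}

# Constructed sample init-cfg.txt content (not a real bootstrap file).
SAMPLE_INIT_CFG = """type=dhcp-client
hostname=vmseries-gwlb
plugin-op-commands=azure-gwlb-inspect:enable+internal-port-3000+external-port-3001+internal-vni-900+external-vni-901
"""

# Constructed fragment shaped like the backendAddressPools block of the template.
# The external port was deliberately left at the default 2001 to show a mismatch.
SAMPLE_TEMPLATE = """{
  "backendAddressPools": [
    {
      "name": "BackendPool1",
      "properties": {
        "tunnelInterfaces": [
          {"port": 3000, "Identifier": 900, "Protocol": "VxLan", "Type": "Internal"}, // internal side
          {"port": 2001, "Identifier": 901, "Protocol": "VxLan", "Type": "External"}  // external side
        ]
      }
    }
  ]
}"""


def parse_gwlb_inspect(init_cfg_text):
    """Return {"Internal": {"port", "vni"}, "External": {...}} requested by init-cfg.txt.

    Assumption: commands in plugin-op-commands are comma separated and options of
    the azure-gwlb-inspect command are joined with '+'. Omitted options use defaults.
    """
    match = re.search(r"^plugin-op-commands=(.*)$", init_cfg_text, re.MULTILINE)
    if not match:
        raise ValueError("init-cfg.txt has no plugin-op-commands line")
    for command in match.group(1).split(","):
        name, _, options = command.strip().partition(":")
        if name != "azure-gwlb-inspect":
            continue
        tokens = options.split("+")
        if tokens[0] != "enable":
            raise ValueError("azure-gwlb-inspect is not enabled: %r" % command)
        settings = {side: dict(values) for side, values in PLUGIN_DEFAULTS.items()}
        for token in tokens[1:]:
            m = re.fullmatch(r"(internal|external)-(port|vni)-(\d+)", token)
            if not m:
                raise ValueError("unrecognised azure-gwlb-inspect option: %r" % token)
            settings[m.group(1).capitalize()][m.group(2)] = int(m.group(3))
        return settings
    raise ValueError("plugin-op-commands does not contain azure-gwlb-inspect")


def strip_line_comments(text):
    """Drop trailing // comments. Only a // that follows a value or punctuation is
    removed, so "https://..." inside a string value is left untouched."""
    return re.sub(r'(?m)(?<=[,{}\[\]"0-9a-z])\s*//.*$', "", text)


def tunnel_interfaces(template_text):
    """Collect {"Internal": {...}, "External": {...}} from every tunnelInterfaces
    array in the template, wherever it is nested in the resource tree."""
    found = {}

    def walk(node):
        if isinstance(node, dict):
            for iface in node.get("tunnelInterfaces", []):
                found[iface["Type"]] = {"port": int(iface["port"]), "vni": int(iface["Identifier"])}
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(strip_line_comments(template_text)))
    return found


def find_mismatches(init_cfg_text, template_text):
    """Return human-readable mismatches; an empty list means the files agree."""
    wanted = parse_gwlb_inspect(init_cfg_text)
    actual = tunnel_interfaces(template_text)
    problems = []
    for side in ("Internal", "External"):
        if side not in actual:
            problems.append("%s tunnel interface missing from template" % side)
            continue
        for key in ("port", "vni"):
            if wanted[side][key] != actual[side][key]:
                problems.append("%s %s: init-cfg.txt says %d, template says %d"
                                % (side, key, wanted[side][key], actual[side][key]))
    return problems


if __name__ == "__main__":
    # Usage: python check_gwlb.py <init-cfg.txt> <security-stack.json>; no args runs the sample.
    if len(sys.argv) == 3:
        init_cfg, template = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        init_cfg, template = SAMPLE_INIT_CFG, SAMPLE_TEMPLATE
    for line in find_mismatches(init_cfg, template) or ["OK: init-cfg.txt and template agree"]:
        print(line)
```

Run it with no arguments to see the sample mismatch, or point it at the real init-cfg.txt and security-stack.json before uploading the bootstrap package; an empty result is the condition you want before deploying the security stack.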
Application Stack Template Parameters
- securityResourceGroup: Name of the Security stack resource group deployed with the security-stack.json template.
- gwLBName: Name of the Gateway Load Balancer deployed with the security-stack.json template.
- gwLBFrontendIPName: Name of the Gateway Load Balancer frontend private IP deployed with the security-stack.json template.
- VNETPrefix: The CIDR range for the Application network, e.g. "10.240.0.0/16".
- SubnetPrefix: Subnet prefix for the Application management subnet, e.g. "10.240.0.0/24".
Part 1: Deploy Security Stack Resources
The ARM template deploys the Security stack: a Gateway Load Balancer and a VM-Series firewall with the GWLB bootstrap configuration, with the firewall added to the backend pool of the Gateway Load Balancer.
Part 2: Deploy Application Stack Resources
The ARM template deploys the Application stack: a Load Balancer configured with the default load balancer rules, and a Linux VM running a simple HTTP service.
You can use application-stack.json repeatedly to deploy multiple spokes / application stacks.
Traffic Test
To test the ingress traffic, issue the below command from a terminal:
wget http://<FrontendIPofPublicLB>:8081
or use a browser and open http://<FrontendIPofPublicLB>:8081
You can see the secured ingress traffic sessions on the firewall.