VM-Series Active/Passive HA on Google Cloud
This tutorial creates a pair of Active/Passive VM-Series firewalls on Google Cloud. This architecture provides the following benefits:
- Configuration sync between the VM-Series firewalls.
- State synchronization between instances to maintain state on failover.
The autoscale architecture is recommended in most use cases. Please see VM-Series on Google Cloud for more information on VM-Series deployment models.
This deployment model provides solutions for the following key use cases:
- IPSec termination of site-to-site VPNs.
- Legacy applications that need visibility of the original source client IP (No SNAT solution) for inbound traffic flows.
- Requirements for session fail-over on failure of VM-Series.
Prepare for deployment
Enable the required APIs, generate an SSH key, and clone the repository.
gcloud services enable compute.googleapis.com
ssh-keygen -f ~/.ssh/vmseries-tutorial -t rsa
git clone https://github.com/PaloAltoNetworks/google-cloud-vmseries-ha-tutorial
cd google-cloud-vmseries-ha-tutorial
Create a terraform.tfvars file from the provided example:
cp terraform.tfvars.example terraform.tfvars
Edit the terraform.tfvars file and set values for the following variables:
Set to your Google Cloud deployment project.
Set to the full path of the SSH key you generated previously.
Set to a list of IPv4 ranges that can access the VM-Series management interface.
(Optional) If set, this string will be prepended to the created resources.
(Optional) Defines the VM-Series image to deploy. A full list of images can be found here.
(Optional) If you are using a BYOL image (e.g. vmseries-flex-byol-*), the license can be applied during deployment by adding your VM-Series authcode to
When no further changes are necessary in the configuration, deploy the resources:
Initialize and apply the Terraform plan.
terraform init
terraform apply
When prompted, enter yes to start the deployment.
After all the resources are created, Terraform displays the following message:
Apply complete! Outputs:
EXTERNAL_LB_IP = "ssh email@example.com -i ~/.ssh/vmseries-tutorial"
EXTERNAL_LB_URL = "https://18.104.22.168"
VMSERIES_ACTIVE = "https://22.214.171.124"
VMSERIES_PASSIVE = "https://126.96.36.199"
Test the deployment
We can now test the deployment by accessing the workload-vm that resides in the trust VPC network. All of the workload-vm traffic is routed directly through the VM-Series HA pair.
Use the output EXTERNAL_LB_URL to access the web service on the workload-vm through the VM-Series firewall.
Use the output EXTERNAL_LB_SSH to open an SSH session through the VM-Series to the workload-vm:
ssh firstname.lastname@example.org -i ~/.ssh/vmseries-tutorial
On the workload VM, run a preloaded script to test the failover mechanism across the VM-Series firewalls.
You will see output like this, where x.x.x.x is the source IP address reported by the script:
Wed Mar 12 16:40:18 UTC 2023 -- Online -- Source IP = x.x.x.x
Wed Mar 12 16:40:19 UTC 2023 -- Online -- Source IP = x.x.x.x
Wed Mar 12 16:40:20 UTC 2023 -- Online -- Source IP = x.x.x.x
Wed Mar 12 16:40:21 UTC 2023 -- Online -- Source IP = x.x.x.x
Log in to the VM-Series firewalls using the VMSERIES_ACTIVE and VMSERIES_PASSIVE output URLs and the following credentials:
UN: admin
PW: Pal0Alt0@123
After login, take note of the HA Status in the bottom right corner on each firewall.
Perform a user initiated failover.
- On the Active Firewall, go to Device → High Availability → Operational Commands.
- Click Suspend local device for high availability.
- When prompted, click OK to initiate the failover.
- You should notice your SSH session to the workload-vm is still active. This indicates the session successfully failed over between the VM-Series firewalls. The script output should also display the same source IP address.
Wed Mar 12 16:47:18 UTC 2023 -- Online -- Source IP = x.x.x.x
Wed Mar 12 16:47:19 UTC 2023 -- Online -- Source IP = x.x.x.x
Wed Mar 12 16:47:21 UTC 2023 -- Offline
Wed Mar 12 16:47:22 UTC 2023 -- Offline
Wed Mar 12 16:47:23 UTC 2023 -- Online -- Source IP = x.x.x.x
Wed Mar 12 16:47:24 UTC 2023 -- Online -- Source IP = x.x.x.x
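The failover check above can be reproduced with a small probe of your own. The script below is an added example, not the tutorial's preloaded script; it assumes PROBE_URL is replaced with an HTTP service that echoes the caller's public IP in its body, and the sample log it summarises is constructed.

```shell
#!/bin/sh
# Added example (not the tutorial's preloaded script): a per-second probe that
# writes the same log format shown above, plus a summary that checks how many
# seconds were lost and whether the translated source IP changed on failover.
# Assumption: PROBE_URL is a placeholder; point it at a service that echoes
# the caller's public IP in the response body.
PROBE_URL="${PROBE_URL:-https://ip-echo.invalid/}"

# Format one log line from a curl exit status ($1) and response body ($2).
probe_line() {
    ts=$(date -u '+%a %b %d %H:%M:%S UTC %Y')
    ip=$(printf '%s' "$2" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
    if [ "$1" -eq 0 ] && [ -n "$ip" ]; then
        printf '%s -- Online -- Source IP = %s\n' "$ts" "$ip"
    else
        printf '%s -- Offline\n' "$ts"
    fi
}

# Probe once per second, like the tutorial output; stop with Ctrl-C.
run_probe() {
    while :; do
        body=$(curl -s --max-time 1 "$PROBE_URL") && rc=0 || rc=$?
        probe_line "$rc" "$body"
        sleep 1
    done
}

# Summarise a probe log read from stdin: Online/Offline counts and the number
# of distinct source IPs. distinct_source_ips=1 means the flow kept the same
# translated address across the failover, which is what the HA pair preserves.
summarize_probe_log() {
    awk '
        / -- Online -- Source IP = / { online++; ips[$NF] = 1 }
        / -- Offline/                { offline++ }
        END {
            n = 0; for (k in ips) n++
            printf "online=%d offline=%d distinct_source_ips=%d\n", online, offline, n
        }'
}

# Constructed sample log mirroring the failover run above (documentation-range IP).
SAMPLE_LOG='Wed Mar 12 16:47:18 UTC 2023 -- Online -- Source IP = 203.0.113.10
Wed Mar 12 16:47:19 UTC 2023 -- Online -- Source IP = 203.0.113.10
Wed Mar 12 16:47:21 UTC 2023 -- Offline
Wed Mar 12 16:47:22 UTC 2023 -- Offline
Wed Mar 12 16:47:23 UTC 2023 -- Online -- Source IP = 203.0.113.10
Wed Mar 12 16:47:24 UTC 2023 -- Online -- Source IP = 203.0.113.10'

if [ "${1:-}" = "--run" ]; then run_probe; fi
```

Run `sh probe.sh --run > probe.log` on the workload VM while you suspend the active firewall, then `. ./probe.sh; summarize_probe_log < probe.log`. A short run of Offline lines with distinct_source_ips=1 matches the behaviour shown above.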
(Optional) Onboard Internet Applications
You can onboard and secure multiple internet facing applications through the VM-Series firewall. This is done by mapping forwarding rules on the external load balancer to NAT policies defined on the VM-Series firewall.
In Cloud Shell, deploy a virtual machine into a subnet within the trust VPC network. The virtual machine in this example runs a sample application for you.
gcloud compute instances create my-app2 \
    --network-interface subnet="panw-us-central1-trust",no-address \
    --zone=us-central1-a \
    --image-project=panw-gcp-team-testing \
    --image=ubuntu-2004-lts-apache-ac \
    --machine-type=f1-micro
Record the INTERNAL_IP address of the new virtual machine.
NAME: my-app2
ZONE: us-central1-a
MACHINE_TYPE: f1-micro
PREEMPTIBLE:
INTERNAL_IP: 10.0.2.4
EXTERNAL_IP:
STATUS: RUNNING
Create a new forwarding rule on the external TCP load balancer.
gcloud compute forwarding-rules create panw-vmseries-extlb-rule2 \
    --load-balancing-scheme=EXTERNAL \
    --region=us-central1 \
    --ip-protocol=L3_DEFAULT \
    --ports=ALL \
    --backend-service=panw-vmseries-extlb
Retrieve and record the address of the new forwarding rule.
gcloud compute forwarding-rules describe panw-vmseries-extlb-rule2 \
    --region=us-central1 \
    --format='get(IPAddress)'
On the active VM-Series, go to Policies → NAT. Click Add and enter a name for the rule.
Configure the Original Packet as follows:
- Source Zone:
- Destination Zone:
- Destination Address: Set to the forwarding rule's IP address (i.e.
- Source Zone:
In the Translated Packet tab, configure the Destination Address Translation as follows:
- Translated Type:
- Translated Address: Set to the INTERNAL_IP of the sample application (i.e.
- Translated Type:
Click OK and Commit the changes.
Access the sample application using the forwarding rule's address.
To avoid incurring charges to your Google Cloud account for the resources you created in this tutorial, delete all the resources when you no longer need them.
(Optional) If you onboarded an additional application, delete the forwarding rule and sample application machine.
gcloud compute forwarding-rules delete panw-vmseries-extlb-rule2 \
    --region=us-central1
gcloud compute instances delete my-app2 \
    --zone=us-central1-a
Run the following command.
At the prompt to perform the actions, enter yes.
After all the resources are deleted, Terraform displays the following message:
- Learn about the VM-Series on Google Cloud.
- Getting started with Palo Alto Networks PAN-OS.
- Read about securing Google Cloud Networks with the VM-Series.
- Learn about VM-Series licensing on all platforms.
- Use the VM-Series Terraform modules for Google Cloud.