
VM-Series

Jun 28, 2024
The featureField in the response indicates the type of key that follows in the keyField. Copy each key to a text file and save it with the .key extension. Inside the JSON string the line breaks of the key are encoded as \n escape sequences; a JSON parser turns them into real newlines, but if you copy the key out of the raw response text you must convert them to newlines yourself. Name each key file so that it carries the auth code and the type of key, and save it to the /license folder of the bootstrap package. For auth code I3306691, for example, name the files I3306691_1pa-vm.key (capacity license key), I3306691_1threat.key (Threat Prevention license key), and I3306691_1wildfire.key (WildFire subscription license key).

Sample API request for retrieving previously activated licenses using Curl:

    curl -i -H "apikey:$APIKEY" --data-urlencode serialNumber=007200006142 https://api.paloaltonetworks.com/api/license/activate

Sample API response:

    [{"lfidField":"13365773","partidField":"PAN-SVC-PREM-VM-300","featureField":"Premium","feature_descField":"24 x 7 phone support; advanced replacement hardware service","keyField":"m4iZEL1t3n6Oa+6ll1L7itDZTphYw48N1AMOZXutDgExC5f5pOA52+Qg1jmAxanB \nKOyat4FJI4k2hWiBYz9cONuKoiaNOtAGhJvAuZmYgqAZejKueWrTzCuLrwxI/iEw \nkRGR3cYG+j6o84RitR937m2iOk2v9o8RSfLVilgX28nqmcO8LcAnTqbrRWdFtwVk \nluz47AUMXauuqwpMipouQYjk0ZL7fTHHslhyL7yFjCyxBoYXOt3JiqQ0OCDdBdDI \n91RkVPylEwTKgSXm3xpzbmC2ciUR5b235gyqdyW8eQXKvaThuR8YyHr1Pdw/lAjs \npyyIVFa6FufPacfB2RHApQ== \n","auth_codeField":"","errmsgField":null,"typeField":"SUP","regDateField":"2016-06-03T08:18:41","startDateField":"5/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseField":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016 12:00:00 AM","PropertyChanged":null},
    {"lfidField":"13365774","partidField":"PAN-VM-300-TP","featureField":"Threat Prevention","feature_descField":"Threat Prevention","keyField":"NqaXoaFG+9qj0t9Vu7FBMizDArj+pmFaQEd6I2OqfBfAibXrvuoFKeXX/K2yXtrl \n2qJhNq3kwXBDxn181z3nrUOsQd/eW68dyp4jb1MfAwEM8mlnCyLhDRM3EE+umS4b \ndZBRH5AQjPoaON7xZ46VMFovOR+asOUJXTptS/Eu1bLAI7PBp3+nm04dYTF9O50O \ndey1jmGoiBZ9wBkesvukg3dVZ7gxppDvz14+wekYEJqPfM0NZyxsC5dnoxg9pciF \ncFelhnTYlma1lXrCqjJcFdniHRwO0RE9CIKWe0g2HGo1uo2eq1XMxL9mE5t025im \nblMnhL06smrCdtXmb4jjtg== \n","auth_codeField":"","errmsgField":null,"typeField":"SUB","regDateField":"2016-06-03T08:18:41","startDateField":"5/29/2016","vm_capacityField":null,"uuidField":null,"cpuidField":null,"mac_baseField":null,"mac_countField":null,"drrField":null,"expirationField":"8/29/2016 12:00:00 AM","PropertyChanged":null} ...

Deactivate Licenses

URL: https://api.paloaltonetworks.com/api/license/deactivate
Parameters: encryptedToken

86 VM-SERIES DEPLOYMENT GUIDE | License the VM-Series Firewall © 2020 Palo Alto Networks, Inc.

To deactivate the license(s) on a firewall that does not have direct internet access, you must generate the license token file locally on the firewall and then use this token file in the API request. For details on generating the license token file, see Deactivate VM or Deactivate a Feature License or Subscription Using the CLI.
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/deactivate?encryptedtoken@

Sample API request for license deactivation using Curl (the @ tells curl to read the token from the named file):

    curl -i -H "apikey:$APIKEY" --data-urlencode encryptedtoken@dact_lic.05022016.100036.tok https://api.paloaltonetworks.com/api/license/deactivate

Sample API response:

    [{"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
    {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
    {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
    {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
    {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
    {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null}]

Track License Usage

URL: https://api.paloaltonetworks.com/api/license/get
Parameters: authCode
Header: apikey
Request: https://api.paloaltonetworks.com/api/license/get?authCode=

Sample API request for tracking license usage using Curl:

    curl -i -H "apikey:$APIKEY" --data-urlencode authcode=I9875031 https://api.paloaltonetworks.com/api/license/get

Sample API response:

    HTTP/1.1 200 OK
    Date: Thu, 05 May 2016 20:07:16 GMT
    Content-Length: 182

    {"AuthCode":"I9875031","UsedCount":4,"TotalVMCount":10,"UsedDeviceDetails":[{"UUID":"420006BD-113D-081B-F500-2E7811BE80C9","CPUID":"D7060200FFFBAB1F","SerialNumber":"007200006142"}]} ...
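The three calls above (activate, deactivate, get) share one shape: a form-encoded POST carrying the apikey header, a JSON reply on success, and one of the HTTP status codes listed under Licensing API Error Codes otherwise. The following script is an added example and not code from the guide or from Palo Alto Networks. It builds the request the way curl --data-urlencode does, raises on the documented error codes, reads a deactivation token file the way encryptedtoken@file does, and writes each keyField to a file named the way the guide names them for the bootstrap /license folder. Assumptions: the suffix table covers only the three key types the guide names (other features get a sanitized featureField), the "1" in the guide's file names is treated as a fixed instance number because the guide does not explain it, the capacity record is assumed to carry featureField "PA-VM", and fake_server stands in for the real endpoint so the code runs offline against a constructed, shortened copy of the guide's response.

```python
"""Offline driver for the licensing-API workflow (added example, not the guide's code)."""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.paloaltonetworks.com/api/license"

# Suffixes used in the guide's file names. Assumption: anything else falls back to a
# sanitized featureField; "PA-VM" as the capacity feature name is also an assumption.
KEY_SUFFIX = {"PA-VM": "pa-vm", "Threat Prevention": "threat", "WildFire": "wildfire"}


class LicensingApiError(RuntimeError):
    """Raised for any status the guide documents as an error (400/401/500) or unknown."""


def build_request(endpoint, fields, apikey):
    """POST form fields to API_BASE/<endpoint> with the apikey header (curl --data-urlencode)."""
    return urllib.request.Request(
        f"{API_BASE}/{endpoint}",
        data=urllib.parse.urlencode(fields).encode(),
        method="POST",
        headers={"apikey": apikey, "Content-Type": "application/x-www-form-urlencoded"},
    )


def send(req):
    """Real transport: returns (status, body) instead of raising on HTTP errors."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def parse_response(status, body):
    """Apply the guide's status codes: 200 carries JSON, everything else is an error."""
    if status == 200:
        return json.loads(body)
    reason = {400: "error in request", 401: "invalid API key", 500: "server error"}
    raise LicensingApiError(f"HTTP {status} ({reason.get(status, 'unexpected status')}): {body[:120]}")


def read_token_file(path):
    """What `--data-urlencode encryptedtoken@file` sends: the token file's contents."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def key_file_name(authcode, record, instance=1):
    """<authcode>_<instance><type>.key; the guide's examples all use instance 1."""
    feature = record.get("featureField") or record.get("typeField") or "unknown"
    suffix = KEY_SUFFIX.get(feature) or re.sub(r"[^a-z0-9]+", "-", feature.lower()).strip("-")
    return f"{authcode}_{instance}{suffix}.key"


def write_key_files(records, authcode, license_dir):
    """Write every keyField under license_dir and return the paths written.

    json.loads has already turned the \\n escapes into real newlines; a key pasted
    from the raw response text still holds backslash-n, so that is converted too."""
    os.makedirs(license_dir, exist_ok=True)
    written = []
    for rec in records:
        key = rec.get("keyField")
        if not key:
            continue  # record without a key, e.g. one that only carries errmsgField
        key = key.replace("\\n", "\n").strip() + "\n"
        path = os.path.join(license_dir, key_file_name(authcode, rec))
        if path in written:
            raise ValueError(f"two records map to {path}; choose instance numbers by hand")
        with open(path, "w", encoding="utf-8", newline="\n") as fh:
            fh.write(key)
        written.append(path)
    return written


def fetch_licenses(serial, apikey, transport=send):
    """Retrieve previously activated licenses for a serial (api/license/activate)."""
    req = build_request("activate", {"serialNumber": serial}, apikey)
    return parse_response(*transport(req))


# Constructed sample modelled on the guide's response, with the keys shortened.
SAMPLE_BODY = r'''[{"featureField":"PA-VM","typeField":"CAP","keyField":"AAAA\nBBBB\n"},
{"featureField":"Threat Prevention","typeField":"SUB","keyField":"CCCC\nDDDD\n"},
{"featureField":"WildFire","typeField":"SUB","keyField":"EEEE\nFFFF\n"}]'''


def fake_server(req):
    """Offline stand-in for the licensing server; checks what the client actually sent."""
    if req.headers.get("Apikey") != "test-key":  # urllib capitalizes header names
        return 401, "Invalid API Key"
    form = urllib.parse.parse_qs(req.data.decode())
    if form.get("serialNumber") != ["007200006142"]:
        return 400, "unknown serial number"
    return 200, SAMPLE_BODY


def demo(license_dir, apikey="test-key"):
    """Fetch the sample licenses and lay them out as a bootstrap /license folder."""
    records = fetch_licenses("007200006142", apikey, transport=fake_server)
    return write_key_files(records, "I3306691", license_dir)
```

To use it against the real service, pass transport=send (the default) and a real API key; for deactivation, build_request("deactivate", {"encryptedtoken": read_token_file("dact_lic.05022016.100036.tok")}, apikey) is the equivalent of the curl command above. Keep the API key out of shell history and process listings: read it from a file or environment variable rather than a command-line argument.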
Licensing API Error Codes

The HTTP status codes that the licensing server returns are as follows:
• 200 Success
• 400 Error
• 401 Invalid API Key
• 500 Server Error

Licenses for Cloud Security Service Providers (CSSPs)

The Palo Alto Networks CSSP partners program allows service providers to provide security as a service or as a hosted application to their end customers. The license offerings that Palo Alto Networks provides for authorized Cloud Security Service Provider (CSSP) partners are different from the offerings for enterprise users. For CSSP partners, Palo Alto Networks supports a usage-based model for the VM-Series firewalls bundled with subscriptions and support. CSSP partners can combine a term-based capacity license for the VM-Series models with a choice of subscription licenses for Threat Prevention, URL Filtering, AutoFocus, GlobalProtect, and WildFire, and support entitlements that provide access to technical support and software updates. If you plan on deploying the firewalls in an HA configuration, you can purchase the cost-effective high availability option.

• Get the Auth Codes for CSSP License Packages
• Register the VM-Series Firewall with a CSSP Auth Code
• Add End-Customer Information for a Registered VM-Series Firewall

Get the Auth Codes for CSSP License Packages

To be a CSSP partner, you have to enroll in the Palo Alto Networks CSSP partners program. For information on enrolling in the CSSP program, contact your Palo Alto Networks Channel Business Manager. If you are enrolled, the Palo Alto Networks Support portal provides tools that allow you to select a license package, track license usage, and apply license entitlements. A license package is a combination of the following options:
• Usage term—The pay-per-use options are hourly, monthly, 1-year, and 3-years.
• VM-Series firewall model—The VM-100, VM-200, VM-300, and VM-1000-HV, which give you the model number and the capacities associated with each model.
• Subscription bundle—The three options are basic, bundle 1, and bundle 2. The basic option does not include any subscriptions; bundle 1 has the Threat Prevention license, which includes IPS, AV, and malware prevention; bundle 2 has the Threat Prevention (IPS, AV, malware prevention), DNS Security, GlobalProtect, WildFire, and PAN-DB URL Filtering licenses.
• Level of support—Premium support or backline support.
• Redundant firewalls—The options are either high availability (HA) or without HA. The HA option is cost-effective if you plan to deploy a pair of redundant firewalls.

The offering PAN-VM-300-SP-PREM-BND1-YU, for example, is a one-year term package that includes the VM-300 with premium support and subscription bundle 1. Each package supports up to a maximum of 10,000 instances of the VM-Series firewall. After you select your license package, you receive an email with your auth code; the fulfillment process can take up to 48 hours.

STEP 1 | Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.

STEP 2 | Select CSSP > Order History to view the list of auth codes registered to your support account. As you deploy firewalls, you must register each instance of the firewall against an auth code.

Register the VM-Series Firewall with a CSSP Auth Code

To activate the license on your VM-Series firewall, you must have deployed the VM-Series firewall and completed initial configuration. As a CSSP partner, you can choose from the following options to register a firewall:
• API—Use the Licensing API if you have a custom script or an orchestration service. With this option, the firewall does not need direct internet access.
• Bootstrap—Use this option to automatically configure the firewall and license it on first boot. See Bootstrap the VM-Series Firewall.
• Firewall web interface—You can Activate the License for the VM-Series Firewall (Standalone Version) using the firewall web interface. This workflow is valid for firewalls with or without internet access.
• Customer Support Portal—Use this option to manually register the firewall on the Palo Alto Networks Customer Support portal, as shown below.

STEP 1 | Log in to the Palo Alto Networks Customer Support website with your account credentials. If you need a new account, see Create a Support Account.

STEP 2 | Select CSSP > Order History to view the list of auth codes registered to your support account.

STEP 3 | Select CSSP > VM Provisioning Auth Codes, select an Authorization Code, and click Register VM.

STEP 4 | Enter the UUID and CPUID of the VM instance and click Submit. The portal generates a serial number for the firewall.

You can track the number of VM-Series firewalls that have been deployed and the number of licenses that are still available for use against each auth code. To view the total number of firewalls registered against a specific auth code, select CSSP > VM Provisioning Auth Codes, then select an Authorization Code and click Provisioned Devices.

Add End-Customer Information for a Registered VM-Series Firewall

For CSSP licensees, after you register the firewall, you can use either the Palo Alto Networks Support portal or the Licensing API to link the serial number of the VM-Series firewall with the customer for whom you provisioned the firewall.
• Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal). The Support portal authenticates with user name and password.
• Add End-Customer Information for a Registered VM-Series Firewall (API).
The API authenticates using the Licensing API key.

Add End-Customer Information for a Registered VM-Series Firewall (Customer Support Portal)

Complete the following procedure to add end-customer information for a registered firewall through the Customer Support Portal.

STEP 1 | Log in to the Palo Alto Networks Customer Support website with your account credentials.

STEP 2 | Select CSSP > Provisioned Devices.

STEP 3 | Select the Serial Number and click Add End User Info.

STEP 4 | Enter the Account Information for the customer as follows.
• Customer Reference Id: Required
• Company Name: Required
• DNB #: Data Universal Numbering System (D-U-N-S) number
• Contact Email: Required, end-user email address
• Contact Phone Number: End-user phone number
• Address: Required, end-user address
• Country: Required, ISO 2-letter country code
• City: Required, end-user city name
• Region/State: Required; for the United States and Canada, you must enter an ISO 2-letter subdivision code; for all other countries, any text string is valid
• Postal Code: Required, end-user postal code
• Company Website: End-user website URL
• Industry: End-user industry type, such as networking or consultancy
Click Submit to save the details.

After you add account information, you can find all firewalls registered to a customer. In Search Existing End User, enter the customer ID or customer name and click Search to find all firewalls provisioned for the customer.

Add End-Customer Information for a Registered VM-Series Firewall (API)

The URL for accessing the API is https://api.paloaltonetworks.com/api/license/ReportEndUserInfo. An API request must use the HTTP POST method, and you must include HTTP request headers that carry the API key and specify the content type as JSON. API responses are in JSON format.

STEP 1 | Get your Licensing API key.
STEP 2 | Use the ReportEndUserInfo API to add end-user information for a VM-Series firewall that is registered to a CSSP.

URL: https://api.paloaltonetworks.com/api/license/ReportEndUserInfo

Headers:
• Content-Type: application/json
• apiKey: API Key

Parameters:
• SerialNumbers: Required, provide at least one valid firewall serial number
• CustomerReferenceId: Required
• CompanyName: Required, end-user company name
• DnBNumber: Data Universal Numbering System (D-U-N-S) number
• PhoneNumber: End-user phone number
• EndUserContactEmail: Required, end-user email address
• Address: Required, end-user address
• Country: Required, ISO 2-letter country code
• City: Required, end-user city name
• Region/State: Required; for the United States and Canada, you must enter an ISO 2-letter subdivision code; for all other countries, any alpha string is valid
• PostalCode: Required, end-user postal code
• Industry: End-user industry type, such as networking or consultancy
• WebSite: End-user website URL
• CreatedBy: System or person submitting this information

Sample request to add end-user information for a registered VM-Series firewall using Curl:

    curl -X POST "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo" \
      -H "Content-Type: application/json" \
      -H "apikey: your_key_here" \
      --data-raw '{"SerialNumbers": ["0001A101234"], "CustomerAccountId": 12345, "CompanyName": "ExampleInc", "DnBNumber": "123456789", "Address": "123 Main St", "City": "Sunnydale", "Region": "CA", "State": "CA", "Country": "US", "PostalCode": "12345", "Industry": "Medical", "PhoneNumber": "4081234567", "WebSite": "example.com", "EndUserContactEmail": "admin@example.com", "CreatedBy": "Jane Doe"}'

Note that the sample request sends CustomerAccountId (as a number) and both Region and State, whereas the parameter list above names CustomerReferenceId and Region/State; confirm which field names the server accepts before scripting against it. Always send the request over https, as the URL above specifies: the API key is a bearer credential and must not travel in clear text.

Sample API response:

    {"Message": "End User Information Updated Successfully"}

If you receive an error, see Licensing API Error Codes.
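Before posting customer data to ReportEndUserInfo it is worth checking the record against the rules in the parameter list, because a 400 from the server says only "Error". The script below is an added example, not code from the guide or from Palo Alto Networks: it validates the required fields, the ISO 3166-1 alpha-2 country code, the two-letter subdivision code for US and CA, and the shape of the e-mail address, rejects unknown field names (which catches typos such as a misspelled parameter), and then builds the JSON POST with the two headers the guide lists. Assumptions: the field names follow the guide's parameter list, so the validator treats CustomerReferenceId and Region as required and State as optional (the guide's own curl sample sends CustomerAccountId instead; adjust REQUIRED and OPTIONAL if the server expects that name); SAMPLE_RECORD is constructed, with the guide's placeholder serial number rather than a real device.

```python
"""Validate and build a ReportEndUserInfo request (added example, not the guide's code)."""
import json
import re
import urllib.request

REPORT_URL = "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo"

# Field names from the guide's parameter list. Assumption: "Region" carries the
# Region/State value and "State" (seen in the guide's curl sample) is optional.
REQUIRED = ("SerialNumbers", "CustomerReferenceId", "CompanyName", "EndUserContactEmail",
            "Address", "Country", "City", "Region", "PostalCode")
OPTIONAL = ("DnBNumber", "PhoneNumber", "Industry", "WebSite", "CreatedBy", "State")

_ALPHA2 = re.compile(r"[A-Z]{2}")


def validate_end_user_info(rec):
    """Return a list of problems; an empty list means the record passes the guide's rules."""
    problems = []
    for name in REQUIRED:
        if not rec.get(name):
            problems.append(f"{name} is required")
    unknown = sorted(set(rec) - set(REQUIRED) - set(OPTIONAL))
    if unknown:
        problems.append("unknown fields: " + ", ".join(unknown))  # typos end up here
    serials = rec.get("SerialNumbers")
    if not (isinstance(serials, list) and serials
            and all(isinstance(s, str) and s.strip() for s in serials)):
        problems.append("SerialNumbers must be a non-empty list of serial-number strings")
    country = rec.get("Country", "")
    if not _ALPHA2.fullmatch(country):
        problems.append("Country must be an ISO 3166-1 alpha-2 code such as US")
    region = rec.get("Region", "")
    if country in ("US", "CA"):
        if not _ALPHA2.fullmatch(region):
            problems.append("Region must be a two-letter ISO 3166-2 subdivision code for US/CA")
    elif region and not re.fullmatch(r"[A-Za-z][A-Za-z .'-]*", region):
        problems.append("Region must be an alphabetic string outside US/CA")
    email = rec.get("EndUserContactEmail", "")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("EndUserContactEmail is not an e-mail address")
    return problems


def build_report_request(rec, apikey):
    """Validate, then build the POST the guide describes: JSON body, apikey header."""
    problems = validate_end_user_info(rec)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        REPORT_URL, data=json.dumps(rec).encode(), method="POST",
        headers={"Content-Type": "application/json", "apikey": apikey})


def submit(rec, apikey, opener=urllib.request.urlopen):
    """Send the request over TLS and return the parsed reply, e.g. {"Message": "..."}."""
    with opener(build_report_request(rec, apikey), timeout=30) as resp:
        return json.loads(resp.read().decode())


# Constructed sample; the serial number is the guide's placeholder, not a real device.
SAMPLE_RECORD = {
    "SerialNumbers": ["0001A101234"],
    "CustomerReferenceId": "cust-12345",
    "CompanyName": "ExampleInc",
    "EndUserContactEmail": "admin@example.com",
    "Address": "123 Main St",
    "City": "Sunnydale",
    "Region": "CA",
    "Country": "US",
    "PostalCode": "12345",
    "Industry": "Medical",
    "CreatedBy": "provisioning-script",
}
```

Call submit(SAMPLE_RECORD, apikey) with a real key to send it; a ValueError from build_report_request lists every rule the record breaks, so you fix the payload locally instead of round-tripping to the server.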
Set Up a VM-Series Firewall on an ESXi Server

The VM-Series firewall is distributed in the Open Virtual Appliance (OVA) format, which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running VMware ESXi. To deploy a VM-Series firewall you must be familiar with VMware and vSphere, including vSphere networking, ESXi host setup and configuration, and virtual machine guest deployment. If you want to automate the process of deploying a VM-Series firewall, you can create a gold standard template with the optimal configuration and policies, then use the vSphere API and the PAN-OS XML API to rapidly deploy new VM-Series firewalls in your network. For more information, see the article VM-Series Data Center Automation.

See the following topics for information:
> Supported Deployments on VMware vSphere Hypervisor (ESXi)
> VM-Series on ESXi System Requirements and Limitations
> Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)
> Set Up a VM-Series Firewall on an ESXi Server
> VM Monitoring on vCenter
> Troubleshoot ESXi Deployments
> Performance Tuning of the VM-Series for ESXi

Supported Deployments on VMware vSphere Hypervisor (ESXi)

You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the VM-Series firewall on the network depends on your topology. Choose from the following options (for environments that are not using VMware NSX):
• One VM-Series firewall per ESXi host—Every VM server on the ESXi host passes through the firewall before exiting the host for the physical network. VM servers attach to the firewall via virtual standard switches.
The guest servers have no other network connectivity, therefore the firewall has visibility and control over all traffic leaving the ESXi host. One variation of this use case is to also require all traffic to flow through the firewall, including server-to-server (east-west) traffic on the same ESXi host.
• One VM-Series firewall per virtual network—Deploy a VM-Series firewall for every virtual network. If you have designed your network such that one or more ESXi hosts has a group of virtual machines that belong to the internal network, a group that belongs to the external network, and a group that belongs to the DMZ, you can deploy a VM-Series firewall to safeguard the servers in each group. If a group or virtual network does not share a virtual switch or port group with any other virtual network, it is completely isolated from all other virtual networks within or across the host(s). Because there is no other physical or virtual path to any other network, the servers on each virtual network must use the firewall to talk to any other network. The firewall has visibility and control over all traffic leaving the virtual (standard or distributed) switch attached to each virtual network.
• Hybrid environment—Both physical and virtual hosts are used. The VM-Series firewall can replace a physical firewall appliance in a traditional aggregation location. A hybrid environment achieves the benefits of a common server platform for all devices, and unlinks hardware and software upgrade dependencies.

Continue with VM-Series on ESXi System Requirements and Limitations and Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).

VM-Series on ESXi System Requirements and Limitations

This section lists requirements and limitations for the VM-Series firewall on VMware vSphere Hypervisor (ESXi).
To deploy the VM-Series firewall, see Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi).
• VM-Series on ESXi System Requirements
• VM-Series on ESXi System Limitations

VM-Series on ESXi System Requirements

You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the firewall requires a minimum resource allocation (number of CPUs, memory, and disk space) on the ESXi server, make sure to conform to the specifications below to ensure optimal performance. The VM-Series firewall has the following requirements:
• The host CPU must be an x86-based Intel or AMD CPU with virtualization extensions.
• See the Compatibility Matrix for supported versions of ESXi. The supported vmx version is determined by the OVA that you use to deploy the VM-Series firewall, and you cannot modify this version. Upgrading or downgrading the VM-Series software version does not change the vmx version that was enabled at launch.
• See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
• Minimum of two network interfaces (vNICs). One is a dedicated vNIC for the management interface and one is for the data interface. You can then add up to eight more vNICs for data traffic. For additional interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure subinterfaces on the firewall.
Hypervisor-assigned MAC addresses are enabled by default. vSphere assigns a unique vNIC MAC address to each dataplane interface of the VM-Series firewall. If you disable hypervisor-assigned MAC addresses, the VM-Series firewall assigns each interface a MAC address from its own pool. Because this causes the MAC addresses on each interface to differ from the vNIC MAC addresses, you must enable promiscuous mode on the port group of the virtual switch to which the firewall's dataplane interfaces are attached; this allows the firewall to receive frames (see Provision the VM-Series Firewall on an ESXi Server).
If neither promiscuous mode nor hypervisor-assigned MAC addresses are enabled, the firewall does not receive any traffic, because vSphere does not forward frames to a virtual machine when the frame's destination MAC address and the vNIC MAC address do not match.
• Data Plane Development Kit (DPDK) is enabled by default on VM-Series firewalls on ESXi. For more information about DPDK, see Enable DPDK on ESXi.
• To achieve the best performance out of the VM-Series firewall, you can make the following adjustments to the host before deploying the VM-Series firewall. See Performance Tuning of the VM-Series for ESXi for more information.
  • Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel; interactions with the NIC are performed using drivers and the DPDK libraries instead.
  • Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest. You can add an SR-IOV VF interface to the VM using an SR-IOV passthrough adapter. Refer to the VMware documentation at Assign a Virtual Function as SR-IOV Passthrough Adapter to a Virtual Machine.
  • Enable multi-queue support for NICs. Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.

VM-Series on ESXi System Limitations

The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
• Do not use the VMware snapshots functionality on the VM-Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See the VMware best practice recommendation for using snapshots.
If you need configuration backups, use Panorama, or from the firewall, use Export named configuration snapshot (Device > Setup > Operations). Export named configuration snapshot exports the firewall's active configuration (running-config.xml) and allows you to save it to any network location.
• Dedicated CPU cores are recommended.
• High Availability (HA) Link Monitoring is not supported on VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next-hop IP address.
• Up to 10 total ports can be configured; this is a VMware limitation. One port is used for management traffic and up to 9 can be used for data traffic.
• Only the vmxnet3 driver is supported.
• Virtual systems are not supported.
• vMotion of the VM-Series firewall is not supported. However, the VM-Series firewall can secure guest virtual machines that have migrated to a new destination host, if the source and destination hosts are members of all vSphere Distributed Switches that the guest virtual machine used for networking.
• Forged transmits and promiscuous mode must be enabled on the ESXi vSwitch port groups connected to Layer 2 and vwire interfaces on the VM-Series firewall.
• To use PCI devices with the VM-Series firewall on ESXi, memory mapped I/O (MMIO) must be below 4GB. You can disable MMIO above 4GB in your server's BIOS. This is an ESXi limitation.
• When using ESXi 7.0, interfaces do not come up when attaching VFs to virtual machines with PCI device passthrough.

Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi)

To install a VM-Series firewall you must have access to the Open Virtual Appliance (OVA) template. Use the auth code you received in your order fulfillment email to register your VM-Series firewall and download the OVA template.
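The OVA template you download is the trust root for every firewall you deploy from it, so verify it before it goes anywhere near vCenter. An OVA is a tar archive (per the OVF standard), and its .mf member lists one digest line per file in the form SHA1(name)= hex (newer packages may use SHA256 or SHA512); the script below, an added example that is not code from the guide or from Palo Alto Networks, parses that manifest, recomputes the digest of every listed member, and flags members that are listed but absent, tampered, or present but not covered by the manifest. Assumptions: the package has already been extracted into a directory (tar -xf PA-VM-ESX-<version>.ova), and make_sample_package writes a constructed two-file package with a SHA-1 manifest so the check runs offline; all function names are this example's own. The caveat a practitioner should keep in mind: a passing manifest only proves the package is internally consistent. Whoever can alter the disk image can rewrite the .mf as well, and SHA-1 is no longer collision resistant, so also confirm that the download came over TLS from the support portal and matches the checksum published there.

```python
"""Verify an extracted OVA against its OVF manifest (added example, not the guide's code)."""
import hashlib
import os
import re

# One manifest line: SHA1(pa-vm.ovf)= 0123abcd...  (SHA256/SHA512 in newer packages)
_DIGEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)=\s*([0-9A-Fa-f]+)$")


def parse_manifest(text):
    """Return {member: (algorithm, hexdigest)}; reject anything that is not a digest line."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = _DIGEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is not a digest line: {raw!r}")
        algo, name, digest = m.groups()
        if name != os.path.basename(name) or name in (".", ".."):
            raise ValueError(f"manifest line {lineno} names a path, not a member: {name!r}")
        if name in entries:
            raise ValueError(f"manifest lists {name!r} twice")
        entries[name] = (algo, digest.lower())
    return entries


def file_digest(path, algo):
    """Stream the file through the named hash; disk images are multi-GB, so never read() whole."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def verify_package(directory):
    """Check every listed member and flag .ovf/.vmdk files the manifest does not cover.

    Returns (ok, report); report maps member -> 'ok' | 'mismatch' | 'missing' | 'unlisted'."""
    manifests = [f for f in os.listdir(directory) if f.endswith(".mf")]
    if len(manifests) != 1:
        raise ValueError(f"expected exactly one .mf in {directory}, found {manifests}")
    with open(os.path.join(directory, manifests[0]), encoding="utf-8") as fh:
        entries = parse_manifest(fh.read())
    report = {}
    for name, (algo, expected) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if file_digest(path, algo) == expected else "mismatch"
    for name in os.listdir(directory):
        if name.endswith((".ovf", ".vmdk")) and name not in entries:
            report[name] = "unlisted"  # a member nobody vouched for
    return all(v == "ok" for v in report.values()), report


def make_sample_package(directory):
    """Constructed stand-in for an extracted OVA: two members plus a SHA1 manifest."""
    members = {"pa-vm.ovf": b"<Envelope>constructed descriptor</Envelope>\n",
               "pa-vm-disk1.vmdk": b"KDMV" + bytes(range(256)) * 64}
    for name, data in members.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    lines = [f"SHA1({name})= {hashlib.sha1(data).hexdigest()}" for name, data in members.items()]
    with open(os.path.join(directory, "pa-vm.mf"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return sorted(members)


def tamper(directory, name):
    """Append one byte to a member, standing in for a modified disk image."""
    with open(os.path.join(directory, name), "ab") as fh:
        fh.write(b"\x00")
```

Run verify_package on the extraction directory and refuse to deploy unless it returns ok; keep the report, since a "mismatch" on the .vmdk and a clean .ovf is exactly what a swapped disk image looks like.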
The OVA template is an archive (a tar archive, per the OVF standard) that contains three types of files:
• .mf: OVF manifest file that contains the SHA-1 digests of the individual files in the package
• .ovf: OVF descriptor file that contains all metadata for the package and its contents
• .vmdk: Virtual disk image file that contains the virtualized version of the firewall

Complete the following tasks to install and configure the VM-Series firewall on ESXi.
• Plan the Interfaces for the VM-Series for ESXi
• Provision the VM-Series Firewall on an ESXi Server
• Perform Initial Configuration on the VM-Series on ESXi
• (Optional) Add Additional Disk Space to the VM-Series Firewall
• Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air

Plan the Interfaces for the VM-Series for ESXi

By planning the mapping of VM-Series firewall vNICs and interfaces, you can avoid reboots and configuration issues. The following table describes the default mapping between VMware vNICs and VM-Series interfaces when all 10 vNICs are enabled on ESXi.

VMware vNIC   VM-Series Interface
1             Ethernet 1/0 (mgmt)
2             Ethernet 1/1 (eth1)
3             Ethernet 1/2 (eth2)
4             Ethernet 1/3 (eth3)
5             Ethernet 1/4 (eth4)
6             Ethernet 1/5 (eth5)
7             Ethernet 1/6 (eth6)
8             Ethernet 1/7 (eth7)
9             Ethernet 1/8 (eth8)
10            Ethernet 1/9 (eth9)

The mapping on the VM-Series firewall remains the same no matter which vNICs you add on ESXi. Interfaces you activate on the firewall always take the next available vNIC on ESXi.

In the following diagram, eth3 and eth4 on the VM-Series firewall are paired to vNICs 2 and 3 on ESXi, and eth1 and eth2 are unmapped, as shown on the left. If you want to add two additional interfaces while maintaining the current mapping, activate vNICs 4 and 5 and reboot the firewall. The existing vNIC mapping is preserved because you added the interfaces after the last-mapped interface.
If you activate eth1 and eth2 on the VM-Series firewall, the interfaces reorder themselves as shown on the right, resulting in a mapping mismatch that impacts traffic. To avoid the issues described in the preceding example, you can do the following:
• When provisioning your ESXi host for the first time, activate all nine vNICs beyond the first. Adding all nine vNICs as placeholders before powering on the VM-Series firewall allows you to use any VM-Series interface regardless of order.
• If all vNICs are active, adding additional interfaces no longer requires a reboot. Because each vNIC on ESXi requires that you choose a network, you can create an empty port group as a network placeholder.
• Do not remove VM-Series firewall vNICs, to avoid mapping mismatches.

Provision the VM-Series Firewall on an ESXi Server

Use these instructions to deploy the VM-Series firewall on a (standalone) ESXi server. For deploying the VM-Series NSX edition firewall, see Set Up the VM-Series Firewall on VMware NSX.

STEP 1 | Download the OVA file.
Register your VM-Series firewall and obtain the OVA file from the Palo Alto Networks Customer Support web site. The OVA file contains the base installation. After the base installation is complete, you must download and install the latest PAN-OS version from the support portal. This ensures that you have the latest fixes implemented since the base image was created. For instructions, see Upgrade the PAN-OS Software Version (Standalone Version).

STEP 2 | Before deploying the OVA file, set up the virtual standard switch(es) or virtual distributed switch(es) that you need for the VM-Series firewall.
If you are deploying the VM-Series firewall with Layer 3 interfaces, your firewall uses Hypervisor Assigned MAC Addresses by default.
If you choose to disable hypervisor-assigned MAC addresses, or if you are deploying the firewall with Layer 2, virtual wire, or tap interfaces, you must configure (set to Accept) any virtual switch attached to the VM-Series firewall to allow the following modes: promiscuous mode, MAC address changes, and forged transmits. Configure a virtual standard switch or a virtual distributed switch to receive frames for the VM-Series firewall.

Virtual Standard Switch
1. Navigate to Home > Hosts and Clusters and select a host.
2. Click the Configure tab and view Virtual Switches. For each virtual switch that a VM-Series firewall is attached to, click Properties.
3. Highlight a port group corresponding to a virtual switch and click Edit Settings. In the vSwitch properties, click the Security tab and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept, and then click OK. This change propagates to all port groups on the virtual switch.

Virtual Distributed Switch
1. Select Home > Networking. Select your virtual distributed switch and highlight the Distributed Port Group you want to edit.
2. Click Edit Settings, select Policies > Security, set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept, and click OK.

STEP 3 | Deploy the OVA.
If you add additional interfaces (vNICs) to the VM-Series firewall, you must reboot, because new interfaces are detected during the boot cycle. To minimize the need to reboot the firewall, activate the interfaces at initial deployment or during a maintenance window. To view the progress of the installation, monitor the Recent Tasks list.
1. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
2. From the vSphere web client, go to Hosts and Clusters, right-click your host, and select Deploy OVF Template.
3. Browse to the OVA file that you downloaded in step 1. Select the file, and click Next. Review the template's details and click Next.
4. Name the VM-Series firewall instance, and in the Inventory Location window, select a Data Center and Folder, and click Next.
5. Select an ESXi host for the VM-Series firewall, and click Next.
6. Select the datastore to use for the VM-Series firewall, and click Next.
7. Leave the default settings for the datastore provisioning, and click Next. The default is Thick Provision Lazy Zeroed.
8. Select the networks to use for the two initial vNICs. The first vNIC is used for the management interface and the second vNIC for the first data port. Make sure that the Source Networks map to the correct Destination Networks.
9. Review the details, select Power on after deployment, and click Next.
10. When the deployment is complete, click the Summary tab to review the current status.

Perform Initial Configuration on the VM-Series on ESXi

Use the virtual appliance console on the ESXi server to set up network access to the VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface, but you can also assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator's Guide for information on managing the device using Panorama.

If you are using bootstrapping to perform the configuration of your VM-Series firewall on ESXi, refer to Bootstrap the VM-Series Firewall on ESXi. For general information about bootstrapping, see Bootstrap the VM-Series Firewall.

STEP 1 | Gather the required information from your network administrator.
• IP address for MGT port
• Netmask
• Default gateway
• DNS server IP address

STEP 2 | Access the console of the VM-Series firewall.
1. Select the Console tab on the ESXi server for the VM-Series firewall, or right-click the VM-Series firewall and select Open Console.
2. Press Enter to access the login screen.
3. Enter the default username/password (admin/admin) to log in.
4. Enter configure to switch to configuration mode.

STEP 3 | Configure the network access settings for the management interface.
Enter the following commands, substituting the values you gathered in STEP 1 for the placeholders in angle brackets:
    set deviceconfig system type static
    set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <default-gateway> dns-setting servers primary <dns-server-ip>

STEP 4 | Commit your changes and exit the configuration mode.
Enter commit.
Enter exit.

STEP 5 | Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server (the Update server does not respond to ping requests). After verifying DNS resolution, press Ctrl+C to stop the ping request.
    admin@PA-220 > ping host updates.paloaltonetworks.com
    PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
    From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
    From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
    request support check
If you have connectivity, the update server responds with the support status for your firewall.
STEP 6 | Apply the capacity auth code and retrieve a license before you begin testing the VM-Series firewall.
An unlicensed VM-Series firewall can process up to approximately 1230 concurrent sessions. Depending on the environment, the session limit can be reached very quickly, causing unpredictable results.

Add Additional Disk Space to the VM-Series Firewall
The VM-Series firewall requires a 40GB virtual disk, of which 17GB is used for logging, by default.
• For large deployments, use Panorama to aggregate data from all next-generation firewalls and provide visibility across all the traffic on your network. Panorama provides centralized logging and reporting.
• In smaller deployments where you do not use Panorama, you can add a new virtual disk to increase log storage capacity. The new virtual disk can support 40GB to 2TB of storage capacity for logs. This task is described below.
When the virtual appliance is configured to use an added virtual disk, the VM-Series firewall no longer stores logs on its original disk. If the appliance loses connectivity to the virtual disk, logs can be lost during the failure interval. If necessary, place the newly created virtual disk on a datastore that provides RAID redundancy. RAID10 provides the best write performance for applications with high logging characteristics.

STEP 1 | Power off the VM-Series firewall.

STEP 2 | On the ESXi server, add the virtual disk to the firewall.
1. Select the VM-Series firewall on the ESXi server.
2. Click Edit Settings.
3. Click Add to launch the Add Hardware wizard, and select the following options when prompted:
   1. Select Hard Disk for the hardware type.
   2. Select Create a new virtual disk.
   3. Select SCSI as the virtual disk type.
   4. Select the Thick provisioning disk format.
   5. In the location field, select the Store with the virtual machine option. The datastore does not have to reside on the ESXi server.
   6.
Verify that the settings look correct and click Finish to exit the wizard. The new disk is added to the list of devices for the virtual appliance.

STEP 3 | Power on the firewall.
Powering on the firewall initializes the virtual disk for first-time use. The time that the initialization process takes to complete varies with the size of the new virtual disk.
When the new virtual disk is initialized and ready, PAN-OS moves all logs from the existing disk to the new virtual disk. New log entries are now written to this new virtual disk. PAN-OS also generates a system log entry that records the new disk.
If you reuse a virtual disk that was previously used for storing PAN-OS logs, all logs from the existing disk are overwritten.

STEP 4 | Verify the size of the new virtual disk.
1. Select Device > Setup > Management.
2. In the Logging and Reporting Settings section, verify that the Log Storage capacity accurately displays the new disk capacity.

Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
The VMware Tools utility improves VM-Series firewall management from vCenter server and vCloud Director. VMware Tools are bundled with the software image for the VM-Series firewall, and all updates are made available with a new OVF image. You cannot manually install or upgrade VMware Tools using the vCenter server or vCloud Director.
• View the IP address(es) on the management interface and the software version on the firewall and Panorama.
  In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and view the Summary tab for information on the IP address(es) assigned to the management interface and the software version currently installed.
• View resource utilization metrics on hard disk, memory, and CPU. Use these metrics to enable alarms on the vCenter server.
  In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and view the Monitor > Utilization tab for information on hard disk, memory, and CPU usage.
• Gracefully shut down or restart the firewall and Panorama from the vCenter server.
  In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and select the Actions > Power drop-down.
• Create alarm definitions for events you want to be notified about, or events for which you want to specify an automated action. Refer to the VMware documentation for details on creating alarm definitions.
  In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and select Manage > Alarm Definitions to add a new trigger and specify an action when a threshold is met, for example, missing heartbeats for a specified duration, or memory resource usage exceeding a threshold. The following screenshot shows you how to use notifications for heartbeat monitoring on the firewall or Panorama.

VM Monitoring on vCenter
Install and configure the Panorama plugin for VMware vCenter to retrieve the IP addresses for guests in your vCenter environment and use that information to build policy using Dynamic Address Groups.
The Panorama plugin for VMware vCenter requires Panorama 9.0.2 or later and VMware vCenter 6.5 or 6.7.
The Panorama plugin for VMware vCenter does not support proxy servers.
• About VM Monitoring on VMware vCenter
• Install the Panorama Plugin for VMware vCenter
• Configure the Panorama Plugin for VMware vCenter

About VM Monitoring on VMware vCenter
The Panorama plugin for VMware vCenter gives you the tools to build policy for your vCenter environment using Dynamic Address Groups. Dynamic address groups allow you to create policy that automatically adapts to changes in your environment, such as the addition or deletion of guests. The VMware vCenter plugin monitors for changes in your vCenter environment and shares that information with Panorama.
The plugin processes the information it receives from vCenter and converts it into a set of tags on Panorama that you can use as match criteria for assigning IP addresses to dynamic address groups. Each tag has a prefix that describes the hierarchy above the VM. In this example, each tag in Panorama begins with the prefix shown below. Each tag includes the vCenter name, data center name, and cluster name; if you have folders in your vCenter hierarchy, tags will include the folder names. The order of the objects in the tag matches the order in the vCenter hierarchy.
    vcenter._ParentA_ParentB_Datacenter_CHILD1_CHILD2_Cluster_
The Panorama plugin for VMware vCenter does not support tags associated with vApps or resource pools.
The tags are shown in Panorama in the following formats:
• vcenter.___vmname.—this tag maps virtual machine IP addresses based on VM name.
• vcenter.___guestos.—this tag maps virtual machine IP addresses based on guest operating system.
• vcenter.___annotation.—this tag maps virtual machine IP addresses based on annotation.
• vcenter.___vlanId.—this tag maps virtual machine IP addresses based on VLAN ID.
• vcenter.___host-ip.—this tag maps virtual machine IP addresses based on host IP address.
• vcenter.___.—this tag maps virtual machine IP addresses based on user-defined tags created in vCenter.
The plugin supports a maximum of 16 user-defined tags per VM. Any user-defined tags beyond 16 are not processed.
The Panorama plugin for vCenter cannot process tags that are longer than 128 characters; this count includes letters, numbers, and special characters. Whitespace in vCenter object names is replaced with forward slashes. Additionally, Panorama does not support non-ASCII special characters or the following special characters in vCenter VM names and annotations: ' < > & " (single quote, angle brackets, ampersand, double quote). Panorama drops tags containing unsupported characters.
To retrieve endpoint IP-address-to-tag mapping information, you must configure a Monitoring Definition for each vCenter in your virtual environment. The Monitoring Definition specifies the username and password that allow Panorama to connect to vCenter. It also specifies the device groups and corresponding notify groups containing the firewalls to which Panorama pushes the tags. After you configure the Monitoring Definition and the Panorama plugin for VMware vCenter retrieves the tags, you can create DAGs and add the tags as match criteria.

Install the Panorama Plugin for VMware vCenter
To get started with endpoint monitoring on vCenter, download and install the Panorama Plugin for VMware vCenter. If you have a Panorama HA configuration, repeat this installation process on each Panorama peer.
When installing the plugin on Panoramas in an HA pair, install the plugin on the passive peer before the active peer. After installing the plugin on the passive peer, it will transition to a non-functional state. Installing the plugin on the active peer returns the passive peer to a functional state.
STEP 1 | Select Panorama > Plugins.
STEP 2 | Select Upload and click Browse to locate the plugin file.
STEP 3 | Click OK to complete the upload.
STEP 4 | Select the version of the plugin and click Install in the Action column to install the plugin.
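The tag rules listed under About VM Monitoring on VMware vCenter (hierarchy-ordered prefix, whitespace replaced by forward slashes, the 128-character limit, the unsupported characters, and the 16 user-defined tag cap) decide which tags ever become usable DAG match criteria, so it is worth checking a planned naming scheme against them before rolling it out. The following added example (not Panorama or Palo Alto Networks code) models those rules; because the placeholder names inside the real tag formats were lost in extraction, it assumes the layout vcenter.<vcenter>_<hierarchy...>_<kind>.<value>, and the "tag" kind used for user-defined vCenter tags and the vm dictionary layout are likewise assumptions.

```python
"""Model of the tag rules the Panorama plugin for VMware vCenter applies,
as described on this page (added example, not Panorama code).

Assumed layout: vcenter.<vcenter>_<hierarchy...>_<kind>.<value>, with the
hierarchy objects joined by underscores as in the page's prefix example.
"""
import re
from typing import Dict, List, Optional

MAX_TAG_LEN = 128                   # tags longer than 128 characters are not processed
MAX_USER_TAGS = 16                  # user-defined tags beyond 16 per VM are not processed
UNSUPPORTED_CHARS = set("'<>&\"")   # Panorama drops tags containing these
ATTRIBUTE_KINDS = ("vmname", "guestos", "annotation", "vlanId", "host-ip")


def sanitize(name: str) -> str:
    """Whitespace in vCenter object names is replaced with forward slashes."""
    return re.sub(r"\s+", "/", name.strip())


def tag_prefix(vcenter: str, hierarchy: List[str]) -> str:
    """Prefix describing everything above the VM, in vCenter hierarchy order."""
    parts = [sanitize(vcenter)] + [sanitize(obj) for obj in hierarchy]
    return "vcenter." + "_".join(parts) + "_"


def make_tag(prefix: str, kind: str, value: str) -> Optional[str]:
    """Return the Panorama tag, or None when Panorama would drop it."""
    tag = f"{prefix}{kind}.{sanitize(value)}"
    if not tag.isascii() or set(tag) & UNSUPPORTED_CHARS:
        return None  # non-ASCII, or one of ' < > & " is present
    if len(tag) > MAX_TAG_LEN:
        return None  # exceeds the 128-character limit
    return tag


def build_tags(vcenter: str, hierarchy: List[str], vm: Dict) -> List[str]:
    """All tags Panorama would keep for one VM (vm dict layout is an assumption)."""
    prefix = tag_prefix(vcenter, hierarchy)
    candidates = [(kind, vm[kind]) for kind in ATTRIBUTE_KINDS if vm.get(kind)]
    # only the first 16 user-defined vCenter tags are processed
    candidates += [("tag", t) for t in vm.get("user_tags", [])[:MAX_USER_TAGS]]
    tags = (make_tag(prefix, kind, value) for kind, value in candidates)
    return [t for t in tags if t is not None]


# Constructed sample inventory; the hierarchy mirrors the page's prefix example.
SAMPLE_HIERARCHY = ["ParentA", "ParentB", "Datacenter", "CHILD1", "CHILD2", "Cluster"]
SAMPLE_VM = {
    "vmname": "web 01",                 # whitespace becomes "/"
    "guestos": "Ubuntu Linux (64-bit)",
    "annotation": "owner <team-a>",     # dropped: "<" and ">" are unsupported
    "vlanId": "100",
    "host-ip": "10.0.0.5",
    "user_tags": [f"role-{i}" for i in range(20)],   # only the first 16 survive
}

if __name__ == "__main__":
    for tag in build_tags("vc1", SAMPLE_HIERARCHY, SAMPLE_VM):
        print(tag)
```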
Panorama will alert you when the installation is complete.

Configure the Panorama Plugin for VMware vCenter
After installing the plugin, complete the following procedure to establish a connection between Panorama and vCenter.
For the plugin to monitor virtual machines in your vCenter environment, you must have VMware Tools installed. In vCenter, IP addresses of VMs are not externally retrievable; they are only visible through VMware Tools.
STEP 1 | Log in to the Panorama web interface.
STEP 2 | Enable monitoring and set the monitoring interval.
1. Select Panorama > VMware vCenter > Setup > General.
2. Select Enable Monitoring. This enables monitoring for all vCenters in your deployment.
3. Set the Monitoring Interval in seconds. The monitoring interval is how often Panorama retrieves updated network information from vCenter. The default value is 60 seconds and the range is 60 to 84600 seconds.
STEP 3 | Create a notify group.
1. Select Panorama > VMware vCenter > Setup > Notify Groups.
2. Click Add.
3. Enter a descriptive Name for your notify group.
4. Select the device groups in your vCenter deployment.
STEP 4 | Add vCenter information. The Panorama plugin for VMware vCenter supports up to 16 vCenter instances.
1. Select Panorama > VMware vCenter > Setup > vCenter.
2. Enter a descriptive Name for your vCenter.
3. Enter the IP address or FQDN for vCenter and the port, if applicable.
4. Enter your vCenter username.
5. Enter and confirm your vCenter password.
6. Click Validate to verify that Panorama can connect to vCenter using the login credentials you entered.
7. Click OK.
STEP 5 | Configure up to 16 Monitoring Definitions. A vCenter instance can be assigned to only one Monitoring Definition.
1. Select Panorama > VMware vCenter > Monitoring Definition and click Add.
2.
Enter a descriptive Name and optionally a description to identify the vCenter for which you use this definition.
3. Select the vCenter and Notify Group.
4. Click OK.
STEP 6 | Commit your changes.
STEP 7 | Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups.
You must use the OR operator when using more than one tag in the match criteria; using the AND operator does not work.
Some browser extensions may block API calls between Panorama and vCenter, which prevents Panorama from receiving match criteria. If Panorama displays no match criteria and you are using browser extensions, disable the extensions and Synchronize Dynamic Objects to populate the tags available to Panorama.
STEP 8 | Verify that addresses in your VMs are added to DAGs.
1. Select Panorama > Objects > Address Groups.
2. Click More in the Addresses column of a DAG. Panorama displays a list of IP addresses added to that DAG based on the match criteria you specified.
STEP 9 | Use dynamic address groups in policy.
1. Select Policies > Security.
2. Click Add and enter a Name and a Description for the policy.
3. Add the Source Zone to specify the zone from which the traffic originates.
4. Add the Destination Zone at which the traffic is terminating.
5. For the Destination Address, select the Dynamic address group you just created.
6. Specify the action (Allow or Deny) for the traffic, and optionally attach the default security profiles to the rule.
7. Repeat Steps 1 through 6 to create another policy rule.
8. Click Commit.
STEP 10 | You can update the dynamic objects from vCenter at any time by synchronizing dynamic objects.
Synchronizing dynamic objects enables you to maintain context on changes in the virtual environment and allows you to enable applications by automatically updating the Dynamic Address Groups used in policy rules.
1. Select Panorama > VMware vCenter > Monitoring Definition.
2. Click Synchronize Dynamic Objects.
STEP 11 | If a firewall in your vCenter deployment restarts or disconnects from Panorama, that firewall goes out of sync with the Panorama plugin for vCenter and no longer receives updates. After the firewall reconnects with Panorama, you must manually synchronize Panorama and the firewall.
1. Log in to the Panorama CLI.
2. Execute the following command:
    admin@Panorama> request plugins vmware_vcenter sync

Troubleshoot ESXi Deployments
Many of the troubleshooting steps for the VM-Series firewall are very similar to those for the hardware versions of PAN-OS. When problems occur, you should check interface counters and system log files, and if necessary, use debug to create captures.
The following sections describe how to troubleshoot some common problems:
• Basic Troubleshooting
• Installation Issues
• Licensing Issues
• Connectivity Issues

Basic Troubleshooting
Recommendation for Network Troubleshooting Tools
It is useful to have a separate troubleshooting station to capture traffic or inject test packets in the virtualized environment. It can be helpful to build a fresh OS from scratch with common troubleshooting tools installed, such as tcpdump, nmap, hping, traceroute, iperf, tcpedit, netcat, etc. This machine can then be powered down and converted to a template. Each time the tools are needed, the troubleshooting client (virtual machine) can be quickly deployed to the virtual switch(es) in question and used to isolate networking problems. When the testing is complete, the instance can simply be discarded and the template used again the next time it is required.
For performance-related issues on the firewall, first check the Dashboard from the firewall web interface. To view alerts or create tech support or stats dump files, navigate to Device > Support.
For information in the vSphere client, go to Home > Inventory > VMs and Templates, select the VM-Series firewall instance and click the Summary tab. Under Resources, check the statistics for consumed memory, CPU and storage. For resource history, click the Performance tab and monitor resource consumption over time.

Installation Issues
• Issues with Deploying the OVA
• Why does the firewall boot into maintenance mode?
• How do I modify the base image file for the VM-1000-HV license?

Issues with Deploying the OVA
• The VM-Series is delivered as a zip archive in the Open Virtualization Alliance (OVA) format that expands into three files. If you are having trouble deploying the OVA image, make sure the three files are unpacked and accessible. If necessary, download and extract the OVA image again.
• The virtual disk in the OVA image is nearly 1GB. It must be present on the computer running the vSphere client, or it must be accessible as a URL for the OVA image.
• Make sure the network connection between the vSphere client computer and the target ESXi host has low latency and sufficient bandwidth. If the connection is poor, the OVA deployment can take hours, or time out and fail. You can minimize this problem if you host the image on a device in the same network as the ESXi host.
• Any firewalls in the path must allow TCP ports 902 and 443 from the vSphere client to the ESXi host(s).
• ESX 6.5.0a build 4887370 limits you to 2 CPU cores per socket. If you are deploying a VM-300, VM-500 or VM-700 to which you want to allocate more than 2 vCPUs per socket, refer to the VMware KB article https://kb.vmware.com/s/article/53354 for a workaround.
Why does the firewall boot into maintenance mode?
If you have purchased the VM-1000-HV license and are deploying the VM-Series firewall in standalone mode on a VMware ESXi server, you must allocate the minimum memory your VM-Series model requires. To avoid booting in maintenance mode, you must either modify the base image file (see How do I modify the base image file for the VM-1000-HV license?), or edit the settings on the ESXi host or the vCenter server before you power on the VM-Series firewall.
Also, verify that the interface type is VMXNET3. Setting the interface type to any other format causes the firewall to boot into maintenance mode.

How do I modify the base image file for the VM-1000-HV license?
If you have purchased the VM-1000-HV license and are deploying the VM-Series firewall in standalone mode on a VMware ESXi server, use these instructions to modify the following attributes that are defined in the base image file (.ova or .xva) of the VM-Series firewall.
Important: Modifying values other than those listed here invalidates the base image file.
STEP 1 | Open the base image file, for example 7.0.0, with a text editing tool such as notepad.
STEP 2 | Search for 4096 and change the memory allocated to 5120 (that is 5 GB). The memory item in the descriptor changes as follows:
Before:
    <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
    <rasd:Description>Memory Size</rasd:Description>
    <rasd:ElementName>4096MB of memory</rasd:ElementName>
    <rasd:InstanceID>2</rasd:InstanceID>
    <rasd:ResourceType>4</rasd:ResourceType>
    <rasd:VirtualQuantity>4096</rasd:VirtualQuantity>
After:
    <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
    <rasd:Description>Memory Size</rasd:Description>
    <rasd:ElementName>5120MB of memory</rasd:ElementName>
    <rasd:InstanceID>2</rasd:InstanceID>
    <rasd:ResourceType>4</rasd:ResourceType>
    <rasd:VirtualQuantity>5120</rasd:VirtualQuantity>
STEP 3 | Change the number of virtual CPU cores allotted from 2 to 4 or 8 as desired for your deployment. The example below goes from 2 to 4:
Before:
    <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
    <rasd:Description>Number of Virtual CPUs</rasd:Description>
    <rasd:ElementName>2 virtual CPU(s)</rasd:ElementName>
    <rasd:InstanceID>1</rasd:InstanceID>
    <rasd:ResourceType>3</rasd:ResourceType>
    <rasd:VirtualQuantity>2</rasd:VirtualQuantity>
    <vmw:CoresPerSocket>2</vmw:CoresPerSocket>
After:
    <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
    <rasd:Description>Number of Virtual CPUs</rasd:Description>
    <rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
    <rasd:InstanceID>1</rasd:InstanceID>
    <rasd:ResourceType>3</rasd:ResourceType>
    <rasd:VirtualQuantity>4</rasd:VirtualQuantity>
    <vmw:CoresPerSocket>2</vmw:CoresPerSocket>
Alternatively, you can deploy the firewall, and before you power on the VM-Series firewall, edit the memory and virtual CPU allocation directly on the ESXi host or the vCenter server.

Licensing Issues
• Why am I unable to apply the support or feature license?
• Why does my cloned VM-Series firewall not have a valid license?
• Does moving the VM-Series firewall cause license invalidation?

Why am I unable to apply the support or feature license?
Have you applied the capacity auth-code on the VM-Series firewall? Before you can activate the support or feature license, you must apply the capacity auth-code so that the device can obtain a serial number. This serial number is required to activate the other licenses on the VM-Series firewall.

Why does my cloned VM-Series firewall not have a valid license?
VMware assigns a unique UUID to each virtual machine, including the VM-Series firewall. So, when a VM-Series firewall is cloned, a new UUID is assigned to it. Because the serial number and license for each instance of the VM-Series firewall are tied to the UUID, cloning a licensed VM-Series firewall results in a new firewall with an invalid license. You need a new auth-code to activate the license on the newly deployed firewall. You must apply the capacity auth-code and a new support license in order to obtain full functionality, support, and software upgrades on the VM-Series firewall.

Does moving the VM-Series firewall cause license invalidation?
If you are manually moving the VM-Series firewall from one host to another, be sure to select the option This guest was moved to prevent license invalidation.

Connectivity Issues
• Why is the VM-Series firewall not receiving any network traffic?

Why is the VM-Series firewall not receiving any network traffic?
On the VM-Series firewall, check the traffic logs (Monitor > Logs).
If the logs are empty, use the following CLI command to view the packets on the interfaces of the VM-Series firewall:
    show counter global filter delta yes
    Global counters:
    Elapsed time since last sampling: 594.544 seconds
    --------------------------------------------------------------------------------
    Total counters shown: 0
    --------------------------------------------------------------------------------
In the vSphere environment, check for the following issues:
• Check the port groups and confirm that the firewall and the virtual machine(s) are on the correct port group. Make sure that the interfaces are mapped correctly:
    Network adapter 1 = management
    Network adapter 2 = Ethernet1/1
    Network adapter 3 = Ethernet1/2
  For each virtual machine, check the settings to verify the interface is mapped to the correct port group.
• Verify either that promiscuous mode is enabled for each port group or for the entire switch, or that you have configured the firewall to use Hypervisor Assigned MAC Addresses. Since the dataplane PAN-OS MAC addresses are different from the vNIC MAC addresses assigned by vSphere, the port group (or the entire vSwitch) must be in promiscuous mode if the firewall is not enabled to use the hypervisor assigned MAC address.
• Check the VLAN settings on vSphere. The VLAN setting for the vSphere port group serves two purposes: it determines which port groups share a layer 2 domain, and it determines whether the uplink ports are tagged (802.1Q).
• Check the physical switch port settings. If a VLAN ID is specified on a port group with uplink ports, then vSphere uses 802.1Q to tag outbound frames. The tag must match the configuration on the physical switch or the traffic does not pass.
• Check the port statistics if using virtual distributed switches (vDS); standard switches do not provide any port statistics.

Performance Tuning of the VM-Series for ESXi
The VM-Series firewall for ESXi is a high-performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall. For the best performance, ESXi 6.0.0.0 or later is recommended.
• Install the NIC Driver on ESXi
• Enable DPDK on ESXi
• Enable SR-IOV on ESXi
• Enable Multi-Queue Support for NICs on ESXi
• VNF Tuning for Performance

Install the NIC Driver on ESXi
For the best performance, use SR-IOV with Intel 10GB network interfaces, which requires the ixgbe 4.4.1 driver to support multiple queues for each interface.
STEP 1 | Obtain a list of network interfaces on the ESXi host.
1. Log in to the ESXi host CLI.
2. Use the following command to return a list of network interfaces:
    $ esxcli network nic list
STEP 2 | Determine the driver version for a particular interface.
You can use either ethtool or esxcli to determine the currently installed driver version. The following example uses vNIC4 and returns driver version 3.21.6.
• ethtool—ethtool -i <nic-name>
    $ ethtool -i vNIC4
    driver: ixgbe
    version: 3.21.6iov
    firmware-version: 0x80000389
    bus-info: 0000:04:00.0
• esxcli—esxcli network nic get -n <nic-name>
    $ esxcli network nic get -n vNIC4
       Advertised Auto Negotiation: true
       Advertised Link Modes:
       Auto Negotiation: true
       Cable Type:
       Current Message Level: 7
       Driver Info:
          Bus Info: 0000:04:00.0
          Driver: ixgbe
          Firmware Version: 0x80000389
          Version: 3.21.6iov
       Link Detected: false
       Link Status: Down
       Name: vNIC4
       PHYAddress: 0
       Pause Autonegotiate: true
       Pause RX: true
       Pause TX: true
       Supported Ports: FIBRE
       Supports Auto Negotiation: true
       Supports Pause: true
       Supports Wakeon: false
       Transceiver: external
       Wakeon: None
STEP 3 | Install the new driver.
1. Download the ixgbe 4.4.1 driver from the VMware website. Extract the contents to a local directory and find the .zip or .vib files for your driver.
2. Create a new folder in your ESXi host datastore.
3. Copy the local .zip or .vib file you extracted to the new folder in your ESXi host datastore.
4. Enable maintenance mode on the ESXi host.
5. Use one of the following commands to install the new driver, using -d for .zip files or -v for .vib files. You must specify the absolute path to the .zip or .vib file.
    $ esxcli software vib install -d <absolute-path-to-zip>
    $ esxcli software vib install -v <absolute-path-to-vib>
   For example:
    $ esxcli software vib install -d "/vmfs/volumes/Datastore/DirectoryName/DriverName.zip"
6. Verify the VIB installation.
    $ esxcli software vib list
7. Reboot the ESXi host.

Enable DPDK on ESXi
Data Plane Development Kit (DPDK) enhances VM-Series performance by increasing network interface card (NIC) packet processing speed. On the VM-Series firewall, DPDK is enabled by default on ESXi. All data interfaces must be using the same driver to support DPDK.
To take advantage of DPDK, you must use a NIC with one of the DPDK drivers mentioned in DPDK Driver Versions.
If you disable DPDK, the NIC uses packet MMAP instead of DPDK. You can disable DPDK using the command set system setting dpdk-pkt-io off.
See the Compatibility Matrix for ESXi hypervisor support and PacketMMAP and DPDK driver support by PAN-OS version.

Enable SR-IOV on ESXi
Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
SR-IOV on the VM-Series for ESXi requires one of the Intel NIC drivers mentioned in PacketMMAP Driver Versions. See the Compatibility Matrix for PacketMMAP and DPDK driver support by PAN-OS version.
There are two ways to enable SR-IOV on ESXi.
• SR-IOV passthrough—In this method you enable virtual function devices on the SR-IOV NIC and modify the guest settings in vCenter, adding the SR-IOV VF interface as adaptor type "SR-IOV passthrough". Refer to Assign a Virtual Function as SR-IOV Passthrough Adapter to a Virtual Machine. This method, which is preferred for PAN-OS 8.1.2 and later, allows you to add the SR-IOV PF to a vSwitch or DvSwitch.
• PCI Adaptor—This method was required for PAN-OS 8.0 through 8.1.1. You can view the PCI Adaptor workflow in Enable SR-IOV on ESXi in the 8.1 Deployment Guide. The PCI Adaptor method has the limitation that you cannot configure a vSwitch on the physical port on which you enable SR-IOV. The VM-Series firewall must have exclusive access to the physical port and associated virtual functions (VFs) on that interface so it can communicate with the host or other virtual machines on the network. Refer to Add a PCI Device in the vSphere Web Client.
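Both the driver install procedure (Install the NIC Driver on ESXi) and SR-IOV depend on the host running a recent enough Intel driver, and on a host with many vmnics the ethtool or esxcli output for each one has to be read and compared against the ixgbe 4.4.1 minimum the page gives. The following added example (not VMware or Palo Alto Networks code) parses the driver information from either tool's output, as shown in STEP 2 above, and reports whether the NIC meets that minimum; the two 3.21.6iov samples are transcribed from the page, the post-upgrade sample is constructed, and treating a trailing suffix such as "iov" as informational is an assumption of this example.

```python
"""Check ESXi NIC driver output against the ixgbe 4.4.1 minimum on this page
(added example, not VMware or Palo Alto Networks code)."""
import re
from typing import Dict, Tuple

REQUIRED_DRIVER = "ixgbe"
REQUIRED_VERSION = (4, 4, 1)   # page: ixgbe 4.4.1 needed for SR-IOV multi-queue


def parse_driver_info(output: str) -> Dict[str, str]:
    """Return {'driver': ..., 'version': ...} from 'ethtool -i' or
    'esxcli network nic get -n' output.

    ethtool prints 'driver: x' / 'version: y' at column 0; esxcli prints
    'Driver: x' / 'Version: y' indented under 'Driver Info:'. Keys are folded
    to lower case so both shapes parse identically; 'firmware-version' and
    'Firmware Version' fold to different keys and are left alone."""
    info: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in ("driver", "version"):
            info[key] = value.strip()
    return info


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.21.6iov' -> (3, 21, 6); a non-numeric suffix is ignored (assumption)."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable driver version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def meets_requirement(output: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one NIC's driver output."""
    info = parse_driver_info(output)
    driver = info.get("driver", "")
    if driver != REQUIRED_DRIVER:
        return False, f"driver is {driver or 'unknown'}, expected {REQUIRED_DRIVER}"
    if "version" not in info:
        return False, "no version line found"
    wanted = ".".join(str(n) for n in REQUIRED_VERSION)
    if parse_version(info["version"]) < REQUIRED_VERSION:   # tuple comparison
        return False, f"{driver} {info['version']} is older than {wanted}"
    return True, f"{driver} {info['version']} meets the {wanted} minimum"


# Samples transcribed from the page's STEP 2 output (vNIC4 on ixgbe 3.21.6iov).
ETHTOOL_SAMPLE = """\
driver: ixgbe
version: 3.21.6iov
firmware-version: 0x80000389
bus-info: 0000:04:00.0
"""
ESXCLI_SAMPLE = """\
   Advertised Auto Negotiation: true
   Advertised Link Modes:
   Auto Negotiation: true
   Cable Type:
   Current Message Level: 7
   Driver Info:
      Bus Info: 0000:04:00.0
      Driver: ixgbe
      Firmware Version: 0x80000389
      Version: 3.21.6iov
   Link Detected: false
   Link Status: Down
   Name: vNIC4
"""
# Constructed sample of what ethtool -i would show after installing 4.4.1.
UPGRADED_SAMPLE = "driver: ixgbe\nversion: 4.4.1\nfirmware-version: 0x80000389\n"

if __name__ == "__main__":
    for name, sample in (("ethtool", ETHTOOL_SAMPLE), ("esxcli", ESXCLI_SAMPLE),
                         ("upgraded", UPGRADED_SAMPLE)):
        ok, reason = meets_requirement(sample)
        print(f"{name}: {'OK' if ok else 'UPGRADE'} - {reason}")
```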
Enable Multi-Queue Support for NICs on ESXi
Multi-queue allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues. Modify the .vmx file or access Advanced Settings to enable multi-queue.
STEP 1 | Enable multi-queue.
1. Open the .vmx file.
2. Add the following parameter:
    ethernetX.pnicFeatures = "4"
STEP 2 | Enable receive-side scaling (RSS).
1. Log in to the CLI on the ESXi host.
2. Execute the following commands:
    $ vmkload_mod -u ixgbe
    $ vmkload_mod ixgbe RSS="4,4,4,4,4,4"
STEP 3 | For the best performance, allocate additional CPU threads per ethernet/vSwitch device. This is limited by the amount of spare CPU resources available on the ESXi host.
1. Open the .vmx file.
2. Add the following parameter:
    ethernetX.ctxPerDev = "1"

VNF Tuning for Performance
This topic provides VNF tuning guidance for VM-Series deployments. It is a reference to help administrators choose some of the parameter settings for a VM-Series deployment. Before attempting tuning, you should be familiar with the steps to Install a VM-Series firewall on VMware vSphere Hypervisor (ESXi), including how to configure tuning parameters and attributes.
This guidance might not apply to VM-Series deployments on top of white-box or grey-box environments targeting SD-WAN, MSSP, or CSSP use-cases.
VM-Series is a high-performance appliance and is available in various form-factors depending on size, hypervisor footprint, and its deployment location in either private or public cloud. Global and host-level configuration changes impact other VMs running on the same host. You should consider any trade-offs and prudently choose the parameters that best suit your deployment.

ESXi Tuning Parameters
To achieve the best performance results on VM-Series, you can tune hardware, hypervisor, and network I/O parameters.
The parameters mentioned here do not apply to every deployment model.

BIOS Settings
This section recommends BIOS Power Management, Hyperthreading, and Intel VT-D settings that can enhance VM-Series firewall performance, and concludes with a sample BIOS configuration.

Power Management
For latency-sensitive applications, any form of power management adds latency to the path where an idle system (in one of several power-saving modes) responds to an external event. VMware recommends setting the BIOS power management setting to "static high performance" (no OS-controlled power management), effectively disabling any form of active power management.
Servers with Intel Nehalem class and later CPUs (Intel Xeon 55xx and later) offer two other power management options: C-states and Intel Turbo Boost. Leaving C-states enabled can increase memory latency and is therefore not recommended for low-latency workloads. Even the enhanced C-state, known as C1E, introduces longer latencies to wake up the CPUs from halt (idle) states to full power. VMware recommends disabling C1E in the BIOS to further lower latencies.
• For HP, set Power Regulator Mode to Static High Mode and disable QPI Processor, C-state support, and C1E Support.
• For Dell, set Power Management Mode, CPU power, and Performance Management to Maximum Performance.
Another parameter to consider is P-states. For outright performance considerations, disable P-state settings in the BIOS.
Intel Turbo Boost can lead to performance variations over a period of time. For consistent and deterministic performance, disable Turbo Boost.

Hyperthreading
If the hardware and BIOS support hyperthreading, ESXi automatically enables hyperthreading on hosts. For the best performance from VM-Series firewalls, disable hyperthreading on ESXi hosts.
If the deployment environment warrants enabling hyperthreading, then ensure that all CPU resources for the VM-Series firewall are reserved from the same NUMA/socket node that has access to the PCI devices. In general, configure the PA-VM as a single-NUMA VM. As an exception, enable hyperthreading for VM-50/VM-50 Lite.

Intel Virtualization Technology for Directed I/O

Intel Virtualization Technology for Directed I/O (Intel VT-D) allows a LAN card to be dedicated to a guest system, which enables increased network performance beyond that of an emulated LAN card. Enable this feature in the BIOS. If you plan to leverage SR-IOV for performance (recommended), enable the SR-IOV BIOS setting.

Sample BIOS Configuration

The following screenshots show the system profile settings and the processor settings for a Dell BIOS.

Physical Settings

Most 1GbE or 10GbE network interface cards (NICs) support a feature called interrupt moderation or interrupt throttling, which coalesces interrupts from the NIC to the host so that the host doesn’t get overwhelmed and spend all its CPU cycles processing interrupts. However, for latency-sensitive workloads, the time the NIC delays the delivery of an interrupt for a received packet, or for a packet that has successfully been sent on the wire, is time that increases the latency of the workload. For best performance on the PA-VM, disable interrupt moderation.
For example, disable physical NIC interrupt moderation on the ESXi host as follows:
# esxcli system module parameters set -m ixgbe -p "InterruptThrottleRate=0"

Transmit Queue

The ESXi uplink pNIC layer also maintains a software Tx queue of packets queued for transmission, which by default holds 500 packets. If the workload is I/O intensive with large bursts of transmit packets, this queue can overflow, leading to packets being dropped in the uplink layer. The Tx queue size can be increased up to 10,000 packets with the following ESXi command:
# esxcli system settings advanced set -i 10000 -o /Net/MaxNetifTxQueueLen

Depending on the physical NIC and the specific version of the ESXi driver being used on the ESXi host, sometimes packets can be dropped in the pNIC driver because the transmit ring on the pNIC is too small and fills up. Most pNIC drivers allow you to increase the size of the transmit ring using the following command:
# ethtool -G vmnic0 tx 4096

This command increases the Tx ring size to 4096 entries. The maximum size you can set for a specific pNIC driver, as well as the current Tx ring size in effect, can be determined using the following command:
# ethtool -g vmnic0
Ring parameters for vmnic0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             512
RX Mini:        0
RX Jumbo:       0
TX:             4096

Queue Pairing

Some pNIC drivers, such as Intel’s ixgbe and Broadcom’s bnx2x, also support “queue pairing”, which indicates to the ESXi uplink layer that the receive thread (NetPoll) will also process completion of transmitted packets on a paired transmit queue. For certain transmit-heavy workloads, this can cause delays in processing transmit completions, causing the transmit ring for the vNIC to run out of room for transmitting additional packets, and forcing the vNIC driver in the guest OS to drop packets.
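As an added check for the Transmit Queue step above (example script, not from the guide), the following POSIX shell functions parse ethtool -g output of the form shown there and report whether the current Tx ring already sits at the driver's pre-set maximum, so you know whether ethtool -G vmnicN tx <max> can gain anything. The sample output is constructed here; on a host you would feed the real ethtool -g vmnic0 output instead.

```shell
#!/bin/sh
# Constructed sample of `ethtool -g vmnic0` output (not captured from a live
# host); the numbers match the listing in the guide.
ETHTOOL_G_SAMPLE='Ring parameters for vmnic0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             512
RX Mini:        0
RX Jumbo:       0
TX:             4096'

# ring_value SECTION RING: read ethtool -g output on stdin and print the size
# of RING (RX or TX) from SECTION, which is "max" (Pre-set maximums) or
# "current" (Current hardware settings). Prints nothing if not found.
ring_value() {
    awk -v want="$1" -v ring="$2" '
        /^Pre-set maximums:/          { section = "max";     next }
        /^Current hardware settings:/ { section = "current"; next }
        # "RX Mini:" and "RX Jumbo:" have $1 == "RX", so they never match "RX:"
        section == want && $1 == (ring ":") { print $2; exit }
    '
}

# tx_ring_headroom OUTPUT: compare the current Tx ring size with the driver
# maximum. Prints "at-max" when ethtool -G cannot enlarge the ring further,
# otherwise "current=<n> max=<m>" (m is the value to pass to ethtool -G ... tx).
tx_ring_headroom() {
    cur=$(printf '%s\n' "$1" | ring_value current TX)
    max=$(printf '%s\n' "$1" | ring_value max TX)
    if [ -z "$cur" ] || [ -z "$max" ]; then
        echo "unparsed"
        return 1
    fi
    if [ "$cur" -ge "$max" ]; then
        echo "at-max"
    else
        echo "current=$cur max=$max"
    fi
}

# Second constructed sample: the same NIC before `ethtool -G vmnic0 tx 4096`
# was run (only the last line, the current TX size, differs).
ETHTOOL_G_BEFORE=$(printf '%s\n' "$ETHTOOL_G_SAMPLE" | sed '$s/4096/512/')

tx_ring_headroom "$ETHTOOL_G_SAMPLE"   # at-max
tx_ring_headroom "$ETHTOOL_G_BEFORE"   # current=512 max=4096
```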
Disabling queue pairing for all pNICs on an ESXi host creates a separate thread for processing pNIC transmit completions. As a result, completions are processed in a timely manner, freeing space in the vNIC’s transmit ring to transmit additional packets. The ESXi command to disable queue pairing is:
# esxcli system settings advanced set -o /Net/NetNetqRxQueueFeatPairEnable -i 0

For this to take effect, you must reboot the ESXi host.

If PCI passthrough on VM-700 is used on a dedicated host, no performance tuning of the NIC/NIC driver is needed. However, this deployment mode is not common.

Virtual NIC Settings

If possible, use SR-IOV for better performance.

SR-IOV
• Changing module parameters for an SR-IOV driver requires an ESXi host reboot.
• Disable physical NIC interrupt moderation on the ESXi host as follows:
  # esxcli system module parameters set -m ixgbe -p "InterruptThrottleRate=0"
• If you enable multiqueue support, you must also enable Receive-Side Scaling (RSS) for the driver.
• To enable RSS, set the port value to 4.
• Specify ports in a comma-separated string.
  Example—Set 3 NICs with 2 ports each:
  $ vmkload_mod -u ixgbe
  esxcli system module parameters set -m ixgbe -p RSS="4,4,4,4,4,4"
  $ vmkload_mod ixgbe RSS="4,4,4,4,4,4"
  Example—Set RSS for a single port:
  $ vmkload_mod -u ixgbe
  esxcli system module parameters set -m ixgbe -p RSS="0,4,0,0,0,0"
• The i40e driver defaults to 4 queue pairs per VF. You can increase the number of pairs as follows:
  1. Edit i40e.h.
  2. Locate #define I40E_DEFAULT_QUEUES_PER_VF 4, change the number of pairs, and save.
  3. Compile, and load the modified file.

VMXNET3/vSwitch and Virtual Interrupt Coalescing

By default, VMXNET3 supports an interrupt coalescing algorithm (for the same reasons that physical NICs implement interrupt moderation).
To avoid flooding the host system with too many interrupts, packets are collected and one single interrupt is generated for multiple packets. This is called interrupt coalescing. Interrupt coalescence refers to the amount of traffic that a network interface receives, or the amount of time that passes after traffic is received, before a hard interrupt is issued. Interrupting too soon or too frequently results in poor system performance, as the kernel stops (or “interrupts”) a running task to handle the interrupt request from the hardware. Interrupting too late can result in traffic loss if the traffic is not taken off the NIC soon enough—more traffic arrives, overwriting the previous traffic still waiting to be received into the kernel.

To disable this functionality through the vSphere Web Client, go to VM Settings > Options > Advanced General > Configuration Parameters and add an entry for ethernetX.coalescingScheme with the value disabled.

To disable virtual interrupt coalescing for all virtual NICs on the host (which affects all VMs, not just the latency-sensitive ones), set the advanced networking performance option. Go to Configuration > Advanced Settings > Net and set CoalesceDefaultOn to 0 (disabled).

Enable Multiqueue Support on Intel x710/x520

Use ESXi 6.0.0 or later, with an ixgbe driver version with multiqueue support. See SR-IOV Driver Versions in the Compatibility Matrix.

Modify the .vmx file or access Advanced Settings to enable multiqueue support:
ethernetX.pnicFeatures = "4"

To set multi-core affinity so a vSwitch can exceed 300K PPS, set:
ethernetX.pnicFeatures = "4"
ethernetX.ctxPerDev = "1"

ethernetX.ctxPerDev = "1" is a binary flag (set to 1 to enable). This flag adds a CPU thread to process traffic only from the port ethernetX, which improves traffic scheduling performance.
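To apply the two .vmx keys above (and the same keys in STEP 1 and STEP 3 of the multi-queue procedure) without editing the file by hand, here is an added example script, not from the guide or from Palo Alto Networks, that sets ethernetX.pnicFeatures and ethernetX.ctxPerDev for a given vNIC index idempotently, rewriting an existing line instead of appending a duplicate. It assumes the VM is powered off and that the .vmx uses the usual key = "value" layout; the quotes must be plain ASCII, since the curly quotes in the printed guide are a typesetting artifact that the hypervisor will not parse.

```shell
#!/bin/sh
# Added example: idempotently set multi-queue tuning keys in a .vmx file.
# The key names and values are the ones the guide names; everything else
# (file layout, helper names) is assumed. Values must use ASCII quotes.

# set_vmx_key FILE KEY VALUE: rewrite the line whose key (text before the
# first "=", trimmed) equals KEY, or append KEY = "VALUE" if there is none.
set_vmx_key() {
    file="$1"; key="$2"; value="$3"
    awk -v k="$key" -v v="$value" '
        BEGIN { line = k " = \"" v "\"" }
        {
            n = index($0, "=")
            lk = (n > 0) ? substr($0, 1, n - 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", lk)
            if (lk == k) { print line; seen = 1; next }
            print
        }
        END { if (!seen) print line }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_vmx_key FILE KEY: print the unquoted value of KEY, or nothing if absent.
get_vmx_key() {
    awk -v k="$2" '
        {
            n = index($0, "=")
            if (n == 0) next
            lk = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", lk)
            if (lk != k) next
            v = substr($0, n + 1); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# enable_multiqueue FILE INDEX [WITH_CTX]: STEP 1 (pnicFeatures = "4") and,
# unless WITH_CTX is 0, STEP 3 (ctxPerDev = "1") for ethernet<INDEX>.
# Pass 0 when the host has no spare CPU for a dedicated per-port thread.
enable_multiqueue() {
    file="$1"; idx="$2"; with_ctx="${3:-1}"
    set_vmx_key "$file" "ethernet${idx}.pnicFeatures" 4
    [ "$with_ctx" = 0 ] || set_vmx_key "$file" "ethernet${idx}.ctxPerDev" 1
}

# multiqueue_enabled FILE INDEX: succeeds only if both keys hold the values
# the guide requires, so it can be used as a post-change check.
multiqueue_enabled() {
    [ "$(get_vmx_key "$1" "ethernet$2.pnicFeatures")" = 4 ] &&
    [ "$(get_vmx_key "$1" "ethernet$2.ctxPerDev")" = 1 ]
}

# Demo on a constructed .vmx fragment (not a real VM's file): ethernet1 already
# has pnicFeatures = "0" and is rewritten in place; ethernet2 gets both keys
# appended. The other lines are left untouched.
demo_vmx() {
    f=$(mktemp)
    printf '%s\n' '.encoding = "UTF-8"' \
        'ethernet1.virtualDev = "vmxnet3"' \
        'ethernet1.pnicFeatures = "0"' \
        'ethernet2.virtualDev = "vmxnet3"' > "$f"
    enable_multiqueue "$f" 1
    enable_multiqueue "$f" 2
    cat "$f"
    rm -f "$f"
}

demo_vmx
```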
If you enable multiqueue support you must also enable Receive-Side Scaling (RSS) for the driver.
• To enable RSS, set the port value to 4.
• Specify ports in a comma-separated string.
  Example—Set 3 NICs with 2 ports each:
  $ vmkload_mod -u ixgbe
  $ vmkload_mod ixgbe RSS="4,4,4,4,4,4"
  For a single port, set RSS="0,4,0,0,0,0".

NUMA Considerations

NUMA is Non-Uniform Memory Access. Multi-core processors have complicated designs. To tackle performance issues in such systems, you need to be aware of all NUMA and CPU pinning nuances. Vital aspects to look for:
• Which cores are our threads running on? (if hyperthreading is enabled)
• Which cores are our vCPUs running on? (affinity)
• Where has memory been allocated? (NUMA effects) Threads running on any socket see one unified memory space; therefore they can read/write to memory that is local to other sockets.
• Is memory shared between different sockets on a node?
• It takes more time to access memory on different sockets than it takes to access local memory.

NUMA effects occur when threads excessively access memory on a different NUMA domain. To avoid cross-NUMA issues, avoid QuickPath Interconnect (QPI) communication between Socket 0 and Socket 1.

Use Cases

Use Case 1: vSwitch Deployment

The figure below shows a deployment of a PA-VM on an ESXi host where the data ports “Port 1” and “Port 2” are linked to eth1 and eth2 of the PA-VM. Each port hosts two queue pairs (for example, Tx0/Rx0 and Tx1/Rx1) or has multiqueue enabled.

Enabling multiqueue and RSS for load balancing packets sent/received to/from multiple queues enhances processing performance. Based on an internal logic of vCPU to port/queue mapping (in this case), packets arriving at and being sent out from P1/Q0 and P2/Q0 are processed by dataplane task T1 running on (i.e., pinned to) vCPU1.
The data plane task T2 follows a similar association, as shown in the vSwitch deployment diagram above. The two data plane tasks run on vCPU1 and vCPU2, which are non-sibling CPUs (meaning that they do not share the same core when hyperthreading is enabled). This means that even with hyperthreading enabled, the task assignment can be pinned to different cores for high performance. Also, these dataplane task vCPUs all belong to the same NUMA node (or socket) to avoid NUMA-related performance issues.

Two other performance bottlenecks can be addressed by increasing the queue sizes and by dedicating a vCPU or thread to the ports that schedule traffic to and from these ports. Increasing the queue sizes (Qsize) will accommodate large sudden bursts of traffic and prevent packet drops under bursty traffic. Adding a dedicated CPU thread (ethernetX.ctxPerDev = 1) to port-level packet processing will allow traffic to be processed at a higher rate, thereby increasing the traffic throughput to reach line rate.

The PA-VM packet processing technique also determines performance. This can be set to either DPDK or PacketMMAP. DPDK uses a poll mode driver (depending on the driver type) to constantly poll for packets received in the queues. This leads to higher throughput performance. The latency observed by the packets depends on the poll period. If the polling is continuous (i.e., busy-poll, a setting from the PAN-OS CLI), the vCPU utilization for the data plane tasks will be 100% but will yield the best performance. Internally the software uses a millisecond-level polling time to prevent unnecessary utilization of CPU resources. PacketMMAP, on the other hand, has lower performance than DPDK but it works with any network-level drivers. For DPDK, the vSwitch driver must have support for DPDK. PacketMMAP works with interrupts that are raised when a packet is received by the port and placed in the receive queue.
This means that for every packet, or group of packets, interrupts are raised and packets are drained off the receive queue for processing. This results in lower latency in packet processing, but reduced throughput, because interrupts must be processed every time, causing higher CPU overhead. In general, PacketMMAP will have lower packet processing latency than DPDK (without the busy-poll modification).

Use Case 2: SR-IOV Deployment

The SR-IOV diagram below shows a PA-VM deployment similar to the vSwitch use case, but in SR-IOV mode. In SR-IOV, the compatible physical NIC port (which manifests as a Physical Function) is essentially carved out into multiple interfaces (which manifest as Virtual Functions). The figure above shows that NIC1 Port1 has a VF named VFX that is associated as one of the PA-VM dataplane interfaces — eth1, for example. A similar association is created for Port2 VF to PA-VM eth2.

The chain of packet processing is similar to that of the deployment in the vSwitch environment. The only difference is that the SR-IOV VF drivers should be compatible with those used in PAN-OS. Also, since there is no internal vSwitch (in the host) switching traffic, there is no need to set a dedicated thread for traffic scheduling from a port (i.e., ethernetX.ctxPerDev = 1 is not required in this setting). Interfaces with SR-IOV and DPDK will yield even higher packet processing performance than the vSwitch use case.

Set Up the VM-Series Firewall on vCloud Air

The VM-Series firewall can be deployed in a virtual data center (vDC) on vCloud Air using the vCloud Air portal, from the vCloud Director portal, or using the vCloud Air API.
> About the VM-Series Firewall on vCloud Air
> Deployments Supported on vCloud Air
> Deploy the VM-Series Firewall on vCloud Air

About the VM-Series Firewall on vCloud Air

You can deploy the VM-Series firewall in a virtual data center (vDC) on VMware vCloud Air using the vCloud Air portal or from the vCloud Director portal. To centrally manage all your physical and VM-Series firewalls, you can use an existing Panorama or deploy a new Panorama on premise or on vCloud Air.

The VM-Series firewall on vCloud Air requires the following:
• ESXi version of the software image, an Open Virtualization Alliance (OVA) file, from the Palo Alto Networks Customer Support web site. Currently, the vCloud Air Marketplace does not host the software image. In order to efficiently deploy the VM-Series firewall, include the firewall software image in a vApp. A vApp is a container for preconfigured virtual appliances (virtual machines and operating system images) that is managed as a single object. For example, if your vApp includes a set of multi-tiered applications and the VM-Series firewall, each time you deploy the vApp, the VM-Series firewall automatically secures the web server and database server that get deployed with the vApp.
• License and subscriptions purchased from a partner, reseller, or directly from Palo Alto Networks, in the Bring Your Own License (BYOL) model; usage-based licensing for the VM-Series on vCloud Air is not available.
• Due to the security restrictions imposed on vCloud Air, the VM-Series firewall on vCloud Air is best deployed with Layer 3 interfaces, and the interfaces must be enabled to use the hypervisor-assigned MAC address.
If you do not enable the hypervisor-assigned MAC address, the VMware vSwitch cannot forward traffic to the dataplane interfaces on the VM-Series firewall, because the vSwitch on vCloud Air does not support promiscuous mode or MAC forged transmits. The VM-Series firewall cannot be deployed with tap interfaces, Layer 2 interfaces, or virtual wire interfaces.

The VM-Series firewall on vCloud Air can be deployed in an active/passive high availability configuration. However, the VM-Series firewall on vCloud Air does not support VM Monitoring capabilities for virtual machines that are hosted on vCloud Air.

To learn all about vCloud Air, refer to the VMware vCloud Air documentation.

Deployments Supported on vCloud Air

To enable applications safely, block known and unknown threats, and keep pace with changes in your environment, you can deploy the VM-Series firewall on vCloud Air with Layer 3 interfaces in the following ways:
• Secure the virtual data center perimeter—Deploy the VM-Series firewall as a virtual machine that connects isolated and routed networks on vCloud Air. In this deployment the firewall secures all north-south traffic traversing the infrastructure on vCloud Air.
• Set up a hybrid cloud—Extend your data center and private cloud into vCloud Air and use a VPN connection to enable communication between the corporate network and the data center. In this deployment, the VM-Series firewall uses IPSec to encrypt traffic and secure users accessing the cloud.
• Secure traffic between application subnets in the vDC—To improve security, segment your network and isolate traffic by creating application tiers, and then deploy the VM-Series firewall to protect against lateral threats between subnets and application tiers.

The following illustration combines all three deployment scenarios and includes Panorama.
Panorama streamlines policy updates, centralizes policy management, and provides centralized logging and reporting.

Deploy the VM-Series Firewall on vCloud Air

Use the instructions in this section to deploy your VM-Series firewall in an on-demand or dedicated vDC on vCloud Air. This procedure assumes that you have set up your vDC, including the gateways required to allow traffic in and out of the vDC, and the networks required for routing management traffic and data traffic through the vDC.

STEP 1 | Obtain the VM-Series OVA image from the Palo Alto Networks Customer Support web site; the vCloud Air Marketplace does not host the software image currently.
1. Go to: www.paloaltonetworks.com/services/support.html.
2. Filter by PAN-OS for VM-Series Base Images and download the OVA image. For example, PA-VM-ESX-9.0.0.ova.

STEP 2 | Extract the Open Virtualization Format (OVF) file from the OVA image and import the OVF file into your vCloud Air catalog.
When extracting files from the OVA image, make sure to place all the files—.mf, .ovf, and .vmdk—within the same directory.
For instructions to extract the OVF file from the OVA image, refer to the VMware documentation: https://www.vmware.com/support/developer/ovf/#sthash.WUp55ZyE.dpuf
When you import the OVF file, the software image for the VM-Series firewall is listed in My Organization’s Catalogs.

STEP 3 | Choose your workflow.
A vApp is a collection of templates for preconfigured virtual appliances that contain virtual machines and operating system images.
• If you want to create a new vDC and a new vApp that includes the VM-Series firewall, go to step 4.
• If you have already deployed a vDC and have a vApp and now want to add the VM-Series firewall to the vApp to secure traffic, go to step 5.

STEP 4 | Create a vDC and a vApp that includes the VM-Series firewall.
1. Log in to vCloud Air.
2. Select VPC OnDemand and select the location in which you want to deploy the VM-Series firewall.
3. Select Virtual Data Centers and click + to add a new Virtual Data Center.
4. Select the vDC, right-click and select Manage Catalogs in vCloud Director. You will be redirected to the vCloud Director web interface.
5. Create a new vApp that contains one or more virtual machines including the VM-Series firewall:
   1. Select My Cloud > vApps, and click Build New vApp.
   2. Select Name and Location, and the Virtual Datacenter in which this vApp will run. By default, Leases for runtime and storage never expire and the vApp is not automatically stopped.
   3. Add Virtual Machines. To add the VM-Series firewall image from the Look in: drop-down, select My Organization’s Catalog, select the image and click Add. Click Next.
   4. Configure Resources to specify the Storage Policies for the virtual machines when deployed. The VM-Series firewall uses the Standard option.
   5. Configure the Virtual Machines. Name each virtual machine and select the network to which you want it to connect. You must connect NIC 0 (for management access) to the default routed network; NIC 1 is used for data traffic. You can add additional NICs later.
   6. Verify the settings and click Finish.
   7. Continue to step 6.

STEP 5 | Add the VM-Series firewall into a vApp.
1. Log in to vCloud Air.
2. Select your existing Virtual Data Center from the left pane, right-click and select Manage Catalogs in vCloud Director. You will be redirected to the vCloud Director web interface.
3. Select My Cloud > vApps and click the Name of the vApp in which to include the VM-Series firewall.
4. Open the vApp (double-click on the name), select Virtual Machines and click to add a virtual machine.
   1. In the Look in: drop-down, choose My Organization’s Catalog, select the VM-Series firewall image and click Add. Click Next.
   2. Click Next to skip Configure Resources. The VM-Series firewall uses the Standard option and you do not need to modify the Storage Policy.
   3. Enter a Name for the firewall and, for management access (NIC 0), select the default routed network and the IP Mode—Static or DHCP. You can configure NIC 1 and add additional NICs in step 6. Click Next.
   4. Verify how this vApp connects to the vDC—Gateway Address and Network Mask for the virtual machines in this vApp.
   5. Verify that you have added the VM-Series firewall and click Finish.
   6. Continue to step 6.

STEP 6 | Connect the data interface(s) of the VM-Series firewall to an isolated or a routed network, as required for your deployment.
1. In vCloud Director, select My Cloud > vApps and select the vApp you just created or edited.
2. Select Virtual Machines and select the VM-Series firewall. Then, right-click and select Properties.
3. Select Hardware, scroll to the NICs section and select NIC 1.
4. Attach the dataplane network interface to a vApp network or an organizational VDC network based on your connectivity needs for data traffic to the VM-Series firewall. To create a new network:
   1. In the Network drop-down, click Add Network.
   2. Select the Network Type, give it a name and click OK.
   3. Verify that the new network is attached to the interface.
5. To add additional NICs to the firewall, click Add and repeat step 4 above. You can attach a maximum of seven dataplane interfaces to the VM-Series firewall.
6. Verify that the management interface of the VM-Series firewall is attached to the default routed subnet on the vDC and at least one dataplane interface is connected to a routed or isolated network.
   1. Select My Cloud > vApps and double-click the Name of the vApp you just edited.
   2. Verify network connectivity in the vApp Diagram.

STEP 7 | (Optional) Edit the hardware resources allocated for the VM-Series firewall. Required only if you need to allot additional CPU, memory, or hard disk to the firewall.
1. Select My Cloud > vApps and double-click the Name of the vApp you just deployed.
2. Select Virtual Machine and click on the Name of the VM-Series firewall to access the Virtual Machine Properties.
3. Add additional Hardware resources for the VM-Series firewall:
   • See VM-Series System Requirements for the minimum vCPU, memory, and disk requirements for your VM-Series model.
   • NICs: One management and up to seven dataplane interfaces.

STEP 8 | Power on the VM-Series firewall.

STEP 9 | Configure an IP address for the VM-Series firewall management interface.
Perform Initial Configuration on the VM-Series on ESXi.
The VM-Series firewall on vCloud Air supports VMware Tools, and you can Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air to view the management IP address of the VM-Series firewall.

STEP 10 | Define NAT rules on the vCloud Air Edge Gateway to enable Internet access for the VM-Series firewall.
1. Select Virtual Data Centers > Gateways, select the gateway and double-click to add NAT Rules.
2. Create two DNAT rules: one for allowing SSH access and one for HTTPS access to the management port’s IP address on the VM-Series firewall.
3. Create a SNAT rule for translating the internal source IP address for all traffic initiated from the management port on the VM-Series firewall to an external IP address.
To send and receive traffic from the dataplane interfaces on the firewall, you must create additional DNAT and SNAT rules on the vCloud Air Edge Gateway.

STEP 11 | Log in to the web interface of the firewall.
In this example, the URL for the web interface is https://107.189.85.254
The NAT rule on the Edge Gateway translates the external IP address and port 107.189.85.254:443 to the private IP address and port 10.0.0.102:443.

STEP 12 | Add the auth code(s) to activate the licenses on the firewall. See Activate the License.

STEP 13 | Configure the VM-Series firewall to use the hypervisor-assigned MAC address. See Hypervisor Assigned MAC Addresses.

STEP 14 | Configure the dataplane interfaces as Layer 3 interfaces.
1. Select Network > Interfaces > Ethernet.
2. Click the link for ethernet 1/1 and configure as follows:
   • Interface Type: Layer3
   • Select the Config tab, assign the interface to the default router.
   • On the Config tab, select New Zone from the Security Zone drop-down. Define a new zone, for example untrust, and then click OK.
   • Select IPv4, assign a static IP address.
   • On Advanced > Other Info, expand the Management Profile drop-down, and select New Management Profile.
   • Enter a Name for the profile, such as allow_ping, and select Ping from the Permitted Services list, then click OK.
   • To save the interface configuration, click OK.
3. Repeat the process for each additional interface.
4. Click Commit to save the changes.

Set Up the VM-Series Firewall on VMware NSX

The VM-Series firewall can be deployed in both versions of VMware’s network virtualization solution—NSX-V and NSX-T.
> Set Up the VM-Series Firewall on VMware NSX-V
> Set Up the VM-Series Firewall on VMware NSX-T Data Center

Set Up the VM-Series Firewall on VMware NSX-V

The VM-Series firewall for VMware NSX-V is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next-generation firewalls and Panorama with VMware ESXi servers to provide comprehensive visibility and safe application enablement of all data center traffic, including intra-host virtual machine communications.

The following topics provide information about the VM-Series for NSX-V:
• VM-Series Firewall for NSX-V Overview
• VM-Series Firewall for NSX-V Deployment Checklist
• Install the VMware NSX Plugin
• Register the VM-Series Firewall as a Service on the NSX-V Manager
• Deploy the VM-Series Firewall
• Create Security Groups and Steering Rules
• Apply Security Policies to the VM-Series Firewall
• Steer Traffic from Guests that are not Running VMware Tools
• What is Multi-NSX Manager Support on the VM-Series for NSX-V?
• Dynamically Quarantine Infected Guests
• Migrate Operations-Centric Configuration to Security-Centric Configuration
• Use Case: Shared Compute Infrastructure and Shared Security Policies
• Use Case: Shared Security Policies on Dedicated Compute Infrastructure
• Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama

VM-Series Firewall for NSX-V Overview

NSX-V, VMware’s Networking and Security platform designed for the software-defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on a cluster of ESXi servers. The term SDDC is a VMware term that refers to a data center where infrastructure—compute resources, network and storage—is virtualized using VMware NSX-V.
To keep pace with the changes in the agile SDDC, the VM-Series firewall for NSX-V simplifies the process of deploying a Palo Alto Networks next-generation firewall and continually enforcing security and compliance for the east-west traffic in the SDDC.

For details on the VM-Series for NSX-V, see the following topics:
• What are the Components of the VM-Series for NSX-V Solution?
• How Do the Components in the VM-Series Firewall for NSX-V Solution Work Together?
• What are the Benefits of the VM-Series Firewall for NSX-V Solution?
• What is Multi-Tenant Support on the VM-Series Firewall for NSX-V?

What are the Components of the VM-Series for NSX-V Solution?

The following tables show the components of this joint Palo Alto Networks and VMware solution. The following topics describe each component in more detail:
• vCenter Server
• NSX-V Manager
• Panorama
• VM-Series Firewall for NSX-V
• Ports/Protocols used for Network Communication

VMware Components

vCenter Server
The vCenter server is the centralized management tool for the vSphere suite.

NSX-V Manager
VMware’s Networking and Security platform must be installed and registered with the vCenter server. The NSX-V Manager is required to deploy the VM-Series firewall on the ESXi hosts within an ESXi cluster.

ESXi Server
ESXi is a hypervisor that enables compute virtualization. See the Palo Alto Networks Compatibility Matrix for supported software versions.

Palo Alto Networks Components

PAN-OS
The VM-Series base image (PA-VM-NSX-9.0.zip) is used for deploying the VM-Series firewall for NSX-V with PAN-OS 9.0.
The minimum system requirement for deploying the VM-Series firewall for NSX-V on the ESXi server depends on your VM-Series model. See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.

Panorama
Panorama is the centralized management tool for the Palo Alto Networks next-generation firewalls. In this solution, Panorama works with the NSX-V Manager to deploy, license, and centrally administer—configuration and policies—on the VM-Series firewall for NSX-V.
Panorama must be able to connect to the NSX-V Manager, the vCenter server, the VM-Series firewalls and the Palo Alto Networks update server.
Panorama must be running the same release version or a later version than the firewalls that it will manage.
The resources required by Panorama depend on the mode Panorama will run in: Legacy or Panorama (recommended). New Panorama installations run in Panorama mode. Panorama installations running in Legacy mode prior to upgrade remain in Legacy mode after upgrading to 9.0. For more information about the modes and the requirements associated with each mode, see Set Up the Panorama Virtual Appliance.
In Panorama Mode, set the memory, number of CPUs, and storage based on the log storage capacity of Panorama:
• 2TB storage—8 CPUs and 16GB memory
• 4TB storage—8 CPUs and 32GB memory
• 6 to 8TB storage—12 CPUs and 32GB memory
• 10 to 16TB storage—12 CPUs and 64GB memory
• 18 to 24TB storage—16 CPUs and 64GB memory
• System Disk Space: 81GB
• Log Storage Capacity: 2TB to 24TB
In Legacy Mode, set the memory and the number of cores based on the number of firewalls that Panorama will manage:
• 1 to 10 firewalls: 4 cores and 4GB memory
• 11 to 50 firewalls: 8 cores and 8GB memory
• 51 to 1,000 firewalls: 8 cores and 16GB memory
• System Disk Space: 52GB
• Log Storage Capacity: 11GB (default log storage on the system disk) to 8TB (if you add a virtual logging disk)

VM-Series Firewall for NSX-V
The VM-100, VM-200, VM-300, VM-500, and VM-1000-HV support NSX-V.

vCenter Server

The vCenter server is required to manage the NSX-V Manager and the ESXi hosts in your data center. This joint solution requires that the ESXi hosts be organized into one or more clusters on the vCenter server and must be connected to a distributed virtual switch. For information on clusters, distributed virtual switch, DRS, and the vCenter server, refer to your VMware documentation: http://www.vmware.com/support/vcenter-server.html

NSX-V Manager

NSX-V is VMware’s network virtualization platform that is completely integrated with vSphere. The NSX-V Firewall and the Service Composer are key features of the NSX-V Manager. The NSX-V firewall is a logical firewall that allows you to attach network and security services to the virtual machines, and the Service Composer allows you to group virtual machines and create policy to redirect traffic to the VM-Series firewall (called the Palo Alto Networks NGFW service on the NSX-V Manager).

Panorama

Panorama is used to register the VM-Series firewall for NSX-V as the Palo Alto Networks NGFW service on the NSX-V Manager. Registering the Palo Alto Networks NGFW service on the NSX-V Manager allows the NSX-V Manager to deploy the VM-Series firewall for NSX-V on each ESXi host in the ESXi cluster.
Panorama serves as the central point of administration for the VM-Series firewalls running on NSX-V. When a new VM-Series firewall is deployed in NSX-V, it communicates with Panorama to obtain the license and receives its configuration/policies from Panorama. All configuration elements, policies, and dynamic address groups on the VM-Series firewalls can be centrally managed on Panorama using Device Groups and Template Stacks. The REST-based XML API integration in this solution enables Panorama to synchronize with the NSX-V Manager and the VM-Series firewalls to allow the use of dynamic address groups and share context between the virtualized environment and security enforcement.
For more information, see Policy Enforcement using Dynamic Address Groups.

VM-Series Firewall for NSX-V

The VM-Series firewall for NSX-V is the VM-Series firewall that is deployed on the ESXi hypervisor. The integration with the NetX API makes it possible to automate the process of installing the VM-Series firewall directly on the ESXi hypervisor, and allows the hypervisor to forward traffic to the VM-Series firewall without using the vSwitch configuration; it therefore requires no change to the virtual network topology.

The VM-Series firewall for NSX-V only supports virtual wire interfaces. On this firewall, ethernet 1/1 and ethernet 1/2 are bound together through a virtual wire and use the NetX dataplane API to communicate with the hypervisor. Layer 2 or Layer 3 interfaces are neither required nor supported on the VM-Series firewall for NSX-V, and therefore no switching or routing actions can be performed by the firewall. For enabling traffic separation in a multi-tenancy environment, you can create additional zones that internally map to a pair of virtual wire subinterfaces on the parent virtual wire interfaces, ethernet 1/1 and ethernet 1/2.

Ports/Protocols used Network Communication

In order to enable the network communication required to deploy the VM-Series firewall for NSX-V, you must allow the use of the following protocols/ports and applications.
• Panorama—To obtain software updates and dynamic updates, Panorama uses SSL to access updates.paloaltonetworks.com on TCP/443; this URL leverages the CDN infrastructure. If you need a single IP address, use staticupdates.paloaltonetworks.com. The App-ID for updates is paloalto-updates. The NSX-V Manager and Panorama use SSL to communicate on TCP/443.
• VM-Series Firewall for NSX-V—If you plan to use WildFire, the VM-Series firewalls must be able to access wildfire.paloaltonetworks.com on port 443. This is an SSL connection and the App-ID is paloalto-wildfire-cloud. The management interface on the VM-Series firewall uses SSL to communicate with Panorama over TCP/3978.
• vCenter Server—The vCenter Server must be able to reach the deployment web server that is hosting the VM-Series OVA. The port is TCP/80 by default (App-ID web-browsing).

How Do the Components in the VM-Series Firewall for NSX-V Solution Work Together?

To meet the security challenges in the software-defined data center, the NSX-V Manager, ESXi servers and Panorama work harmoniously to automate the deployment of the VM-Series firewall.

1. Register the Palo Alto Networks NGFW service—The first step is to register the Palo Alto Networks NGFW as a service on the NSX-V Manager. The registration process uses the NetX management plane API to enable bi-directional communication between Panorama and the NSX-V Manager. Panorama is configured with the IP address and access credentials to initiate a connection and register the Palo Alto Networks NGFW service on the NSX-V Manager. The service definition includes the URL for accessing the VM-Series base image that is required to deploy the VM-Series firewall for NSX-V, the authorization code for retrieving the license, and the device group and template stacks to which the VM-Series firewalls will belong. The NSX-V Manager uses this management plane connection to share updates on the changes in the virtual environment with Panorama.

2. Deploy the VM-Series automatically from NSX-V—The NSX-V Manager collects the VM-Series base image from the URL specified during registration and installs an instance of the VM-Series firewall on each ESXi host in the ESXi cluster. From a static management IP pool or a DHCP service (that you define on the NSX-V Manager), a management IP address is assigned to the VM-Series firewall and the Panorama IP address is provided to the firewall. When the firewall boots up, the NetX dataplane integration API connects the VM-Series firewall to the hypervisor so that it can receive traffic from the vSwitch.

3. Establish communication between the VM-Series firewall and Panorama—The VM-Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from the update server and pushes it to the firewall. The VM-Series firewall receives the license and reboots with a valid serial number. If your Panorama is offline, which means that it does not have direct Internet access to retrieve the licenses and push them to the firewalls, you must manually license each firewall. If your VM-Series firewall does not have Internet access, you must add the serial number of the firewall to Panorama so that it is registered as a managed device and you can push the appropriate template stacks and device group settings from Panorama.

4. Install configuration/policy from Panorama to the VM-Series firewall—The VM-Series firewall reconnects with Panorama and provides its serial number. Panorama now adds the firewall to the device group and template stack that was defined in the service definition and pushes the configuration and policy rules to the firewall. The VM-Series firewall is now available as a security virtual machine that can be further configured to safely enable applications on the network.

5. Push traffic redirection rules to NSX-V Manager—Create security groups and define network introspection rules that specify the guests from which traffic will be steered to the VM-Series firewall. See Integrated Policy Rules for details. To ensure that traffic from the guests is steered to the VM-Series firewall, you must have VMware Tools installed on each guest.
If VMware Tools is not installed, the NSX-V Manager does not know the IP address of the guest and therefore the traffic cannot be steered to the VM-Series firewall. For more information, see Steer Traffic from Guests that are not Running VMware Tools. This is not required if you are running NSX-V Manager 6.2.4 or later.

6. Receive real-time updates from NSX-V Manager—The NSX-V Manager sends real-time updates on the changes in the virtual environment to Panorama. These updates include information on the security groups and IP addresses of guests that are part of the security group from which traffic is redirected to the VM-Series firewall. See Integrated Policy Rules for details.

7. Use dynamic address groups in policy and push dynamic updates from Panorama to the VM-Series firewalls—On Panorama, use the real-time updates on security groups to create dynamic address groups, bind them to security policies and then push these policies to the VM-Series firewalls. Every VM-Series firewall in the device group will have the same set of policies and is now completely marshaled to secure the SDDC. See Policy Enforcement using Dynamic Address Groups for details.

Integrated Policy Rules

Panorama serves as the single point of configuration that provides the NSX-V Manager with the contextual information required to redirect traffic from the guest virtual machines to the VM-Series firewall. The traffic steering rules are defined on Panorama and pushed to NSX-V Manager; these determine what traffic from which guests in the cluster is steered to the Palo Alto Networks NGFW service. Security enforcement rules are also defined on Panorama and pushed to the VM-Series firewalls for the traffic that is steered to the Palo Alto Networks NGFW service.
• Steering Rules—The rules for directing traffic from the guests on each ESXi host are defined on Panorama and applied by NSX-V Manager as partner security services rules. For traffic that needs to be inspected and secured by the VM-Series firewall, the steering rules created on Panorama allow you to redirect the traffic to the Palo Alto Networks NGFW service. This traffic is then steered to the VM-Series firewall and is first processed by the VM-Series firewall before it goes to the virtual switch. Traffic that does not need to be inspected by the VM-Series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the VM-Series firewall and can be sent to the virtual switch for onward processing.
• Rules centrally managed on Panorama and applied by the VM-Series firewall—The next-generation firewall rules are applied by the VM-Series firewall. These rules are centrally defined and managed on Panorama using template stacks and device groups and pushed to the VM-Series firewalls. The VM-Series firewall then enforces security policy by matching on source or destination IP address—the use of dynamic address groups allows the firewall to populate the members of the groups in real time—and forwards the traffic to the filters on the NSX-V Firewall.

To understand how the NSX-V Manager and Panorama stay synchronized with the changes in the SDDC and ensure that the VM-Series firewall consistently enforces policy, see Policy Enforcement using Dynamic Address Groups.

Policy Enforcement using Dynamic Address Groups

Unlike the other versions of the VM-Series firewall, because both virtual wire interfaces (and subinterfaces) belong to the same zone, the VM-Series firewall for NSX-V uses dynamic address groups as the traffic segmentation mechanism. A security policy rule on the VM-Series firewall for NSX-V must have the same source and destination zone; therefore, to implement different treatment of traffic, you use dynamic address groups as source or destination objects in security policy rules.

Dynamic address groups offer a way to automate the process of referencing source and/or destination addresses within security policies because IP addresses are constantly changing in a data center environment. Unlike static address objects that must be manually updated in configuration and committed whenever there is an address change (addition, deletion, or move), dynamic address groups automatically adapt to changes.

Any dynamic address groups created in a device group belonging to the NSX-V configuration and configured with the match criterion _nsx_ trigger the creation of corresponding security groups on the NSX-V Manager. In an ESXi cluster with multiple customers or tenants, the ability to filter security groups for a service profile (zone on Panorama) on the NSX-V Manager allows you to enforce policy when you have overlapping IP addresses across different security groups in your virtual environment.

If, for example, you have a multi-tier architecture for web applications, on Panorama you create three dynamic address groups for the WebFrontEnd servers, Application servers and the Database servers. When you commit these changes on Panorama, it triggers the creation of three corresponding security groups on NSX-V Manager. On NSX-V Manager, you can then add guest VMs to the appropriate security groups. Then, in security policy you can use the dynamic address groups as source or destination objects, define the applications that are permitted to traverse these servers, and push the rules to the VM-Series firewalls.
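The three-tier example above, worked through as an added illustration that is not Palo Alto Networks or VMware code: a Python model in which Panorama-side dynamic address groups are keyed by service profile (zone) plus security group name, membership is rebuilt from NSX-V notifications, and a same-zone rule set is matched against a flow. It shows why the service profile key matters when two tenants use overlapping IP addresses, and that removing a guest from a group changes the verdict with no policy edit. The group names, addresses, rule names, applications and the `DynamicAddressGroups`, `Rule` and `match_rule` names are all constructed for this example.

```python
"""Model of dynamic address group (DAG) segmentation on the VM-Series for NSX-V.
Added illustration, not Palo Alto Networks or VMware code. Assumes that NSX-V
notifies Panorama with (security group display name, guest IP) pairs in the
guide's form serviceprofile<id>-<name>-securitygroup-<n>, that a DAG is keyed
by service profile (zone) plus group name, and that a rule has one zone as both
source and destination. All notifications and rules below are constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SG_NAME_RE = re.compile(r"^serviceprofile(\d+)-(.+)-securitygroup-(\d+)$")


def parse_security_group(display_name: str) -> tuple[int, str, int]:
    """Return (service profile id, administrator-given name, vCenter MOB id)."""
    m = SG_NAME_RE.match(display_name)
    if m is None:
        raise ValueError(f"unexpected security group name: {display_name!r}")
    return int(m[1]), m[2], int(m[3])


class DynamicAddressGroups:
    """DAG membership, maintained at runtime from NSX-V notifications."""

    def __init__(self) -> None:
        self._members: dict[tuple[int, str], set[str]] = {}

    def apply_update(self, display_name: str, ip: str, present: bool = True) -> None:
        """Record that the guest at `ip` joined (present=True) or left a group."""
        profile, name, _mob = parse_security_group(display_name)
        ipaddress.ip_address(ip)  # reject malformed addresses from the feed
        members = self._members.setdefault((profile, name), set())
        if present:
            members.add(ip)
        else:
            members.discard(ip)

    def members(self, profile: int, name: str) -> frozenset[str]:
        return frozenset(self._members.get((profile, name), ()))


@dataclass(frozen=True)
class Rule:
    name: str
    zone: int            # same zone for source and destination
    src_group: str       # DAG used as the source object
    dst_group: str       # DAG used as the destination object
    apps: frozenset[str]


def match_rule(rules, dags, zone, src_ip, dst_ip, app):
    """Name of the first rule matching the flow, or None (implicit deny)."""
    for rule in rules:
        if rule.zone != zone or app not in rule.apps:
            continue
        if (src_ip in dags.members(zone, rule.src_group)
                and dst_ip in dags.members(zone, rule.dst_group)):
            return rule.name
    return None


# Constructed notifications: tenant A is service profile 13, tenant B is 14.
# Both tenants use the overlapping addresses 10.1.1.10 and 10.1.2.20.
CONSTRUCTED_UPDATES = [
    ("serviceprofile13-WebFrontEnd-securitygroup-47", "10.1.1.10"),
    ("serviceprofile13-Application-securitygroup-48", "10.1.2.20"),
    ("serviceprofile13-Database-securitygroup-49", "10.1.3.30"),
    ("serviceprofile14-WebFrontEnd-securitygroup-52", "10.1.1.10"),
    ("serviceprofile14-Database-securitygroup-53", "10.1.2.20"),
]

# Constructed policy: three-tier rules for tenant A, a narrower set for tenant B.
CONSTRUCTED_RULES = [
    Rule("A-web-to-app", 13, "WebFrontEnd", "Application", frozenset({"web-browsing", "ssl"})),
    Rule("A-app-to-db", 13, "Application", "Database", frozenset({"mysql"})),
    Rule("B-web-to-db", 14, "WebFrontEnd", "Database", frozenset({"ssl"})),
]


def build_dags(updates=CONSTRUCTED_UPDATES) -> DynamicAddressGroups:
    dags = DynamicAddressGroups()
    for sg_name, ip in updates:
        dags.apply_update(sg_name, ip)
    return dags


def demo() -> dict[str, str | None]:
    """Evaluate one flow in both tenants, then move a guest out of its group."""
    dags = build_dags()
    flow = ("10.1.1.10", "10.1.2.20")
    results = {
        # tenant A: web tier to app tier over web-browsing is permitted
        "A web->app": match_rule(CONSTRUCTED_RULES, dags, 13, *flow, "web-browsing"),
        # tenant B: same addresses, but 10.1.2.20 is a database there
        "B web->db http": match_rule(CONSTRUCTED_RULES, dags, 14, *flow, "web-browsing"),
        "B web->db ssl": match_rule(CONSTRUCTED_RULES, dags, 14, *flow, "ssl"),
    }
    # NSX-V reports the guest leaving tenant A's web tier: no policy edit or
    # commit, yet the rule stops matching because the DAG membership changed.
    dags.apply_update("serviceprofile13-WebFrontEnd-securitygroup-47", "10.1.1.10", present=False)
    results["A web->app after removal"] = match_rule(CONSTRUCTED_RULES, dags, 13, *flow, "web-browsing")
    return results
```

Calling `demo()` returns the rule name that matched each flow, or None where the implicit deny applies.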
Each time a guest is added or modified in the ESXi cluster or a security group is updated or created, the NSX-V Manager uses the PAN-OS REST-based XML API to update Panorama with the IP address and the security group to which the guest belongs. To trace the flow of information, see Dynamic Address Groups—Information Relay from NSX Manager to Panorama.

To ensure that the name of each security group is unique, the vCenter server assigns a Managed Object Reference (MOB) ID to the name you define for the security group. The syntax used to display the name of a security group on Panorama is serviceprofileid-specified_name-securitygroup-number; for example, serviceprofile13-WebFrontEnd-securitygroup-47.

When Panorama receives the API notification, it verifies/updates the IP address of each guest and the security group and the service profile to which that guest belongs. Then, Panorama pushes these real-time updates to all the firewalls that are included in the device group and notifies device groups in the service manager configuration on Panorama. On each firewall, all policy rules that reference these dynamic address groups are updated at runtime. Because the firewall matches on the security group tag to determine the members of a dynamic address group, you do not need to modify or update the policy when you make changes in the virtual environment. The firewall matches the tags to find the current members of each dynamic address group and applies the security policy to the source/destination IP addresses that are included in the group.

What are the Benefits of the NSX-V VM-Series firewall for NSX-V Solution?

The VM-Series firewall for VMware NSX-V is focused on securing east-west communication in the software-defined data center. Deploying the firewall has the following benefits:
• Sturdier Centralized Management—The firewalls deployed using this solution are licensed and managed by Panorama, the Palo Alto Networks central management tool. Panorama serves as a single point of configuration for integration with NSX-V. It gives the NSX-V Manager the information it needs to redirect traffic to the VM-Series firewall for inspection and enforcement. Using Panorama to manage both the perimeter and data center firewalls (the hardware-based and virtual firewalls) allows you to centralize policy management and maintain agility and consistency in policy enforcement throughout the network.
• Automated Deployment—The NSX-V Manager automates the process of delivering next-generation firewall security services and the VM-Series firewall allows for transparent security enforcement. When a new ESXi host is added to a cluster, a new VM-Series firewall is automatically deployed, provisioned and available for immediate policy enforcement without any manual intervention. The automated workflow allows you to keep pace with the virtual machine deployments in your data center. The hypervisor mode on the firewall removes the need to reconfigure the ports/vswitches/network topology; because each ESXi host has an instance of the firewall, the traffic does not need to traverse the network or be backhauled for inspection and consistent enforcement of policies.
• Ease in Administering Tenants in Shared and Dedicated Compute Infrastructure—This integration provides the flexibility in configuring the firewall to handle multiple zones for traffic segmentation, defining shared or specific policy sets for each tenant or sub-tenant, and includes support for overlapping IP addresses across tenants or sub-tenants. Whether you have a shared cluster and need to define tenant-specific policies and logically isolate traffic for each tenant (or sub-tenant), or you have a dedicated cluster for each tenant, this solution enables you to configure the firewall for your needs. And if you need a dedicated instance of the VM-Series firewall for each tenant in a cluster that hosts the workloads for multiple tenants, you can deploy multiple instances of the VM-Series firewall on each host in an ESXi cluster. For more information, see What is Multi-Tenant Support on the VM-Series Firewall for NSX-V?
• Tighter Integration Between Virtual Environment and Security Enforcement for Dynamic Security—Dynamic address groups maintain awareness of changes in the virtual machines/applications and ensure that security policy stays in tandem with the changes in the network. This awareness provides visibility and protection of applications in an agile environment.

In summary, this solution ensures that the dynamic nature of the virtual network is secured with minimal administrative overhead. You can successfully deploy applications with greater speed, efficiency, and security.

What is Multi-Tenant Support on the VM-Series Firewall for NSX-V?

Multi-tenancy on the VM-Series firewall enables you to secure more than one tenant or more than one sub-tenant. A tenant is a customer or an organization such as Palo Alto Networks. A sub-tenant is a department or business unit within the organization such as Marketing, Accounting, or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from each sub-tenant and redirect traffic to the appropriately configured VM-Series firewall.
You can also deploy more than one instance of the VM-Series firewall on each host within an ESXi cluster. Panorama and managed VM-Series firewalls must be running PAN-OS 7.1 or greater to support multi-tenancy.

To deploy a multi-tenant solution, create one or more service definition(s) and service profile zone(s) on Panorama. A service definition on Panorama specifies the configuration of the VM-Series firewall using one device group and one template stack. This means that each instance of the VM-Series firewall that is deployed using a service definition has one common set of policy rules for securing the tenants and sub-tenants in the ESXi cluster. A service profile zone within a Panorama template stack is used to segment traffic from each sub-tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as a part of the template stack configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, so that the firewall can isolate traffic for a sub-tenant. Because a template stack supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub-tenants.

Panorama registers each service definition as a service definition on the NSX-V Manager and each service profile zone as a service profile within the corresponding service definition. When you deploy the service definition from the NSX-V Manager, an instance of the VM-Series firewall is deployed on each host in the ESXi cluster. You can then use the steering rules defined on Panorama and applied to the NSX-V Manager to specify what traffic to redirect to the VM-Series firewall based on NSX-V security groups, and to which tenant or sub-tenant based on the service profile.

Based on your requirements, you can choose from the following multi-tenancy options:
• Shared cluster with shared VM-Series firewalls—Multiple tenants share the cluster and the VM-Series firewall. A single instance of the VM-Series firewall is deployed on each host in the cluster. In order to separate traffic from each tenant, you create a zone for each tenant, and you define a single, common set of policy rules to secure the virtual machines for all tenants. See Use Case: Shared Compute Infrastructure and Shared Security Policies.
• Dedicated cluster with dedicated VM-Series firewalls—A single tenant occupies the cluster, and a single instance of the VM-Series firewall is deployed on each host in the cluster. In this deployment, the tenant can have a single zone and a single policy set, or the tenant can have multiple zones for sub-tenants that require traffic separation (one zone per sub-tenant) and a single policy set with zone-based rules to secure traffic for each sub-tenant. See Use Case: Shared Security Policies on Dedicated Compute Infrastructure.
• Shared cluster with dedicated VM-Series firewalls—Multiple tenants share the cluster and multiple instances of the VM-Series firewall are deployed on each host in a cluster so that each tenant can have a dedicated instance of the VM-Series firewall. This deployment provides scalability and better performance on shared infrastructure for each tenant. Based on each tenant's needs, you will define two or more service definitions for the cluster. When deploying multiple instances of the VM-Series firewall, you must ensure that each ESXi host has sufficient CPU, memory and hard disk resources to support the VM-Series firewalls and the other virtual machines that will be running on it.
VM-Series Firewall for NSX-V Deployment Checklist

To deploy the VM-Series firewall for NSX-V, use the following workflow:

Step 1: Set up the Components—To deploy the VM-Series firewall for NSX-V, set up the following components (see What are the Components of the VM-Series for NSX-V Solution?):
• Set up the vCenter server, then install and register the NSX-V Manager with the vCenter server. If you have not already set up the virtual switch(es) and grouped the ESXi hosts into clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution. Unless you Enable Large Receive Offload, do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM-Series firewall for NSX-V to discard packets.
• Upgrade Panorama. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama. See Migrate Operations-Centric Configuration to Security-Centric Configuration if you choose to migrate your Operations-Centric configuration to a Security-Centric configuration format.
• Configure an SSL/TLS Service Profile. If you are running NSX-V Manager 6.2.3 or earlier, you must configure an SSL/TLS Service profile that allows TLSv1.0 and apply it to the Panorama management interface. If you are running NSX-V Manager 6.2.4 or later, an SSL/TLS Service profile is not required.
• Install the VMware NSX Plugin.
• Install a License Deactivation API Key. Deleting the Palo Alto Networks Service Deployment on NSX-V Manager automatically triggers license deactivation. A license deactivation API key is required to successfully deactivate the VM-Series license.
• Download and save the ovf template for the VM-Series firewall for NSX-V on a web server. The ovf template must match your VM-Series model. If you are using the VM-200, select the VM-100 ovf. If using the VM-1000-HV, select the VM-300 ovf. The NSX-V Manager must have network access to this web server so that it can deploy the VM-Series firewall as needed. You cannot host the ovf template on Panorama. Give the ova file a generic name that does not include a version number. Using a generic naming convention, such as https://acme.com/software/PA-VM-NSX.ova, allows you to overwrite the ova each time a newer version becomes available.
• Register the capacity auth-code for the VM-Series firewall for NSX-V with your support account on the Support Portal. For details, see Upgrade the VM-Series Firewall.

Step 2: Register—Configure Panorama to Register the VM-Series Firewall as a Service on the NSX-V Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX-V Manager. The connection between Panorama and the NSX-V Manager is also required for licensing and configuring the firewall.
• (On Panorama) Create a service manager to enable communication between Panorama and NSX-V Manager.
• (On Panorama) Create the service definition. If you upgrade from an earlier version, your existing service definition is automatically migrated for you. For details, see changes to default behavior.

Step 3: Deploy the VM-Series Firewall—Before you can deploy the VM-Series firewall in NSX-V, each host in the cluster must have the necessary NSX-V components required to deploy the firewall.
• (On NSX-V Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM-Series firewall. The NSX-V Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If VMware Tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools. This is not required if you are running NSX-V Manager 6.2.4 or later.
• (On NSX-V Manager) Prepare the ESXi host for the VM-Series firewall.
• (On NSX-V Manager) Deploy the VM-Series firewall. The NSX-V Manager automatically deploys an instance of the VM-Series firewall on each ESXi host in the cluster.
• (On NSX-V Manager) Add VMs to the relevant security groups.
• (On Panorama) Apply policies to the VM-Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM-Series firewalls. This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.

Step 4: Create Security Groups and Steering Rules—How you choose to deploy the security groups and steering rules depends on whether your deployment focus is Security Centric or Operations Centric.

In a Security Centric deployment, your security administrator creates the security group and steering rules in Panorama. You might start with an existing set of security policies and a set of named source and destination groups. Any new dynamically deployed applications fit into predefined security policies defined on Panorama. Panorama pushes these named groups to NSX-V Manager, where the virtualization administrator picks up the group names and defines which VMs go into them.

In an Operations Centric deployment, security groups are defined by a virtualization administrator based upon the need to classify and categorize VM workloads. In this case, security groups are defined and populated in the NSX-V Manager. Security groups created in NSX-V Manager must be associated with dynamic address groups on Panorama, which is completed after the firewalls are deployed. In this case, NSX-V base functionality is deployed first and the VM-Series firewalls are added later.

You must decide whether a Security Centric or an Operations Centric deployment is right for your NSX-V environment before continuing. This document describes the procedure for a Security Centric deployment.

Security Centric—Create the service definition(s) that specify the configuration for the VM-Series firewall, create dynamic address groups, and create policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in a Security Centric Deployment.
• (On Panorama) Set up the dynamic address groups that map to security groups on NSX-V Manager. A security group assembles the specified guests/applications so that you can apply policy to the group.
• (On Panorama) Create the security policy rules to redirect traffic to the Palo Alto Networks service profile.

Operations Centric—On the NSX-V Manager, create security groups and policies to redirect traffic to the VM-Series firewall. See Create Security Groups and Steering Rules in an Operations Centric Deployment.
• (On NSX-V Manager) Set up the security groups. A security group assembles the specified guests/applications so that you can apply policy to the group.
• (On NSX-V Manager) Create the NSX-V Firewall policies to redirect traffic to the Palo Alto Networks service profile.

Step 5: Monitor and Maintain Network Security—Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama—the Application Command Center (ACC), logs, and the report generation capabilities—you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator's Guide for more information.
The following additional tasks are not required parts of the main VM-Series for NSX-V deployment procedure and should only be completed if and when necessary for your deployment. • Upgrade the Software Version—When upgrading the VM-Series firewalls for NSX-V, you must first upgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see Upgrade the PAN-OS Software Version (VM-Series for NSX). • For upgrading the PAN-OS version on the firewall, do not modify the VM-Series OVA URL in Panorama > VMware Service Manager. • Do not use the VMware snapshots functionality on the VM-Series firewall for NSX-V. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware’s best practice recommendation with using snapshots. If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (Device > Set up > Operations). Using the Export named configuration snapshot exports the active configuration (running-config.xml) on the firewall and allows you to save it to any network location. • Migrate from Operations-Centric configuration to Security-Centric configuration—If you upgrade your existing Operations-Centric VM-Series firewall for NSX-V deployment and plan to use the Security Centric workflow going forward, Migrate Operations-Centric Configuration to Security-Centric Configuration. If you need to reinstall or remove the VM-Series from your NSX-V deployment, see the How to Remove VM-Series Integration from VMware NSX-V knowledge base article. Install the VMware NSX Plugin To deploy the VM-Series for NSX solution, you must install the VMware NSX plugin on Panorama. If another version of the plugin is currently installed, selecting Install removes it and installs the selected version. STEP 1 | Download the plugin. 1. Select Panorama > Plugins. 2. Select Check Now to retrieve a list of available updates. 3. Select Download in the Action column to download the plugin. 4. 
Select the version of the plugin and click Install in the Action column to install the plugin. Panorama will alert you when the installation is complete.

When installing the plugin on Panoramas in an HA pair, install the plugin on the passive peer before the active peer. After installing the plugin on the passive peer, it transitions to a non-functional state. Installing the plugin on the active peer returns the passive peer to a functional state.

STEP 2 | If you are upgrading your version of the VMware NSX plugin, complete a manual configuration sync.
1. Select Panorama > VMware > NSX-V > Service Managers.
2. Select NSX Config-Sync in the Action column.
3. Click Yes.
4. When the sync is complete, click OK.

Register the VM-Series Firewall as a Service on the NSX-V Manager

You need to enable communication between Panorama and the NSX-V Manager and then register the VM-Series firewall as a service on the NSX-V Manager. When registered, the VM-Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX-V Manager.
• Enable Communication Between the NSX-V Manager and Panorama
• Create Template(s) and Device Group(s) on Panorama
• Create the Service Definitions on Panorama

Enable Communication Between the NSX-V Manager and Panorama

To automate the provisioning of the VM-Series firewall for NSX-V, enable communication between the NSX-V Manager and Panorama. This is a one-time setup, and only needs to be modified if the IP address of the NSX-V Manager changes or if the capacity license for deploying the VM-Series firewall is exceeded.

STEP 1 | (Optional) Bypass proxy server settings, configured on Panorama under Panorama > Setup > Services > Proxy Server, for communication between Panorama and NSX-V Manager.
This command allows Panorama to communicate directly with NSX-V Manager while maintaining proxied communication for other services. This feature requires Panorama plugin for VMware NSX 2.0.5.
1. Log in to the Panorama CLI.
2. Execute the following command to enable or disable proxy bypass.
   admin@Panorama> request plugins vmware_nsx global proxy bypass {yes | no}
   Select yes to enable proxy bypass and no to disable proxy bypass.

STEP 2 | Log in to the Panorama web interface.
Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://).

STEP 3 | Set up access to the NSX-V Manager.
1. Select Panorama > VMware > NSX-V > Service Managers and click Add.
2. Enter the Service Manager Name. On the NSX-V Manager, this name displays in the Service Manager column on Networking & Security > Service Definitions > Service Managers.
3. (Optional) Add a Description that identifies the VM-Series firewall as a service.
4. Enter the NSX Manager URL—IP address or FQDN—at which to access the NSX-V Manager.
5. Enter the NSX Manager Login credentials—the username and password for your Enterprise Administrator role on NSX Manager. This allows Panorama to authenticate with the NSX-V Manager.
   The ampersand (&) special character is not supported in the NSX-V Manager account password. If a password includes an ampersand, the connection between Panorama and NSX-V Manager fails.
   If you change your NSX-V Manager login password, update the password on Panorama immediately. An incorrect password breaks the connection between Panorama and NSX-V Manager, and Panorama does not receive updates about changes to your deployment while it is disconnected from NSX-V Manager.
6. Click OK.

STEP 4 | Commit your changes to Panorama.
Select Commit and Commit Type: Panorama.
STEP 5 | Verify the connection status on Panorama.
To view the connection status between Panorama and the NSX-V Manager:
1. Select Panorama > VMware > NSX-V > Service Managers.
2. Verify the message in the Status column. When the connection is successful, the status displays as Registered. This indicates that Panorama and the NSX-V Manager are in sync and the VM-Series firewall is registered as a service on the NSX-V Manager.
   The unsuccessful status messages are:
   • Not connected: Unable to reach/establish a network connection to the NSX-V Manager.
   • Invalid Credentials: The access credentials (username and/or password) are incorrect.
   • Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX-V Manager. Click the link for details on the reasons for failure. For example, NSX-V Manager may have a service definition with the same name as defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX-V Manager. Until the configuration on Panorama and the NSX-V Manager is synchronized, you cannot add a new service definition on Panorama.
   • No service/No service profile: Indicates an incomplete configuration on the NSX-V Manager.
   If you make a change and need to manually sync, see 9

STEP 6 | Verify that the firewall is registered as a service on the NSX-V Manager.
1. On the vSphere web client, select Networking & Security > Service Definitions > Service Managers.
2. Verify that Palo Alto Networks displays as a vendor in the list of services available for installation.

STEP 7 | If you are running VMware NSX plugin 2.0.4 or later, you can configure Panorama to automatically synchronize dynamic objects with NSX-V Manager, as if you had issued a Synchronize Dynamic Objects command. By default, the DAG Sync interval is disabled and the value is set to zero (0). To enable the DAG Sync, set the interval between one hour and 72 hours.
Setting a value of zero hours disables the DAG sync. To configure or disable the interval, complete the following procedure.
1. Log in to the Panorama CLI.
2. Execute the following command.
   request plugins vmware_nsx nsx_v dag-sync-interval interval
   You can view the configured value with the following show command.
   show plugins vmware_nsx nsx_v dag-sync-interval

STEP 8 | (Optional) In large NSX-V environments with tens of thousands of IP addresses, allowing Panorama enough time to retrieve IP address updates from NSX-V Manager is essential. You can configure the amount of time—up to 10 minutes—Panorama has to retrieve updates from NSX-V Manager.
By default, Panorama waits up to two minutes (120 seconds) to get IP address updates from NSX-V Manager. If Panorama does not retrieve all the IP address updates within the allotted two minutes, Panorama times out and the update fails. You can determine whether you are experiencing curl call failures through the Panorama error log. Curl call failures return the following message.
   2019-05-23 06:50:15.780 -0700 ERROR: Curl call to NSX Manager failed
Complete the following procedure to increase the amount of time Panorama has to process updates. This feature requires Panorama plugin for VMware NSX 2.0.5.
1. Log in to the Panorama CLI.
2. Execute the following command to set the curl call timeout. You can set the timeout from 30 seconds to 600 seconds (10 minutes).
   admin@Panorama> request plugins vmware_nsx global curl-timeout timeout
   If Panorama is part of an HA pair, configure the same timeout value on the active and passive Panorama peers.

Create Template(s), Template Stack(s), and Device Group(s) on Panorama

To manage the VM-Series firewalls for NSX-V using Panorama, the firewalls must belong to a device group and a template that is a member of a template stack.
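Before continuing with templates and device groups, the following added example (written for this guide, not Palo Alto Networks code) shows how a practitioner can turn the STEP 7 and STEP 8 settings above into a repeatable check: it scans Panorama plugin log lines for the curl-call failure message, counts how many failures cluster in a ten-minute window, and validates candidate values for dag-sync-interval (0, or 1 to 72 hours) and curl-timeout (30 to 600 seconds). Only the single ERROR line shown in the guide is known; the timestamp/level/message layout is generalised from it and is an assumption, the sample lines are constructed, and the "double the timeout" suggestion is the example's own heuristic rather than a vendor rule.

```python
"""Scan Panorama plugin log lines for NSX Manager curl-call failures and
validate the plugin tuning values from STEP 7 and STEP 8 above.

Added example for this guide, not Palo Alto Networks code. Only the one
ERROR line shown in the guide is known; the timestamp/level/message layout
is generalised from it (an assumption), the sample lines are constructed,
and the "double the timeout" suggestion is this example's own heuristic.
"""
import re
from datetime import datetime, timedelta

# Layout generalised from the guide's sample line:
# 2019-05-23 06:50:15.780 -0700 ERROR: Curl call to NSX Manager failed
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<tz>[+-]\d{4}) (?P<level>[A-Z]+): (?P<msg>.*)$"
)
CURL_FAILURE_MSG = "Curl call to NSX Manager failed"

# Bounds documented for the two CLI commands.
CURL_TIMEOUT_MIN, CURL_TIMEOUT_MAX, CURL_TIMEOUT_DEFAULT = 30, 600, 120
DAG_SYNC_MIN_HOURS, DAG_SYNC_MAX_HOURS = 1, 72

# Constructed sample: three failures a few minutes apart, plus noise.
SAMPLE_LOG = """\
2019-05-23 06:47:02.101 -0700 INFO: Polling NSX Manager for IP updates
2019-05-23 06:50:15.780 -0700 ERROR: Curl call to NSX Manager failed
2019-05-23 06:52:20.004 -0700 ERROR: Curl call to NSX Manager failed
2019-05-23 06:53:01.912 -0700 WARNING: Retrying IP update
2019-05-23 06:54:25.330 -0700 ERROR: Curl call to NSX Manager failed
this line is not in the expected layout and is skipped
"""


def parse_log(text):
    """Return (timestamp, level, message) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # tolerate unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["level"], m["msg"]))
    return events


def curl_failures(text):
    """Timestamps of curl-call failures, in log order."""
    return [ts for ts, level, msg in parse_log(text)
            if level == "ERROR" and msg == CURL_FAILURE_MSG]


def max_failures_in_window(text, window=timedelta(minutes=10)):
    """Largest number of failures that fall inside any window-long span."""
    stamps = curl_failures(text)
    best = 0
    for i, start in enumerate(stamps):
        best = max(best, sum(1 for t in stamps[i:] if t - start <= window))
    return best


def is_valid_curl_timeout(seconds):
    """Value accepted by 'request plugins vmware_nsx global curl-timeout'."""
    return CURL_TIMEOUT_MIN <= seconds <= CURL_TIMEOUT_MAX


def is_valid_dag_sync_interval(hours):
    """0 disables DAG sync; otherwise 1 to 72 hours."""
    return hours == 0 or DAG_SYNC_MIN_HOURS <= hours <= DAG_SYNC_MAX_HOURS


def recommend_curl_timeout(text, current=CURL_TIMEOUT_DEFAULT, threshold=2):
    """Suggest a curl timeout: double the current value (capped at the 600 s
    maximum) when repeated failures cluster in a 10-minute window, otherwise
    keep the current value. Heuristic for this example, not a vendor rule."""
    if max_failures_in_window(text) >= threshold:
        return min(current * 2, CURL_TIMEOUT_MAX)
    return current


if __name__ == "__main__":
    print("curl failures:", len(curl_failures(SAMPLE_LOG)))
    print("suggested curl-timeout:", recommend_curl_timeout(SAMPLE_LOG))
```

Run it against the plugin log exported from Panorama; whatever value it suggests still has to be applied by hand with the curl-timeout command above, on both peers of an HA pair.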
Device groups allow you to assemble firewalls that need similar policies and objects as a logical unit; the configuration is defined using the Objects and Policies tabs on Panorama. Use template stacks to configure the settings that are required for the VM-Series firewalls to operate on the network; the configuration is defined using the Device and Network tabs on Panorama. Each template stack with zones used in your NSX-V configuration on Panorama must be associated with a service definition; at a minimum, you must create a zone within the template stack so that the NSX-V Manager can redirect traffic to the VM-Series firewall.

Each virtual wire zone belonging to the NSX-related template becomes available as a service profile on the Service Composer on the NSX-V Manager. When you create an NSX-related zone on Panorama, Panorama pushes the zone as part of the template stack configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, to isolate traffic for a tenant or sub-tenant. On the firewall, you can then Create Security Groups and Steering Rules to secure traffic that arrives on the virtual wire subinterface pair that maps to the zone.

If you are new to Panorama, refer to the Panorama Administrator's Guide for instructions on setting up Panorama.

STEP 1 | Add a device group or a device group hierarchy.
1. Select Panorama > Device Groups, and click Add. You can also create a device group hierarchy.
2. Enter a unique Name and a Description to identify the device group.
3. Click OK. After the firewalls are deployed and provisioned, they will display under Panorama > Managed Devices and will be listed in the device group.
4. Click Commit and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
STEP 2 | Add a template.
1. Select Panorama > Templates, and click Add.
2. Enter a unique Name and a Description to identify the template.
3. Click OK.
4. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

STEP 3 | Add a template stack.
1. Select Panorama > Templates, and click Add Stack.
2. Enter a unique Name and a Description to identify the template stack.
3. Click Add under Templates and select the template you created above.
4. Click OK.
5. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

STEP 4 | Create the zone(s) for each template.
Each zone is mapped to a service profile on NSX-V Manager. To qualify, a zone must be of the virtual wire type and belong to a template associated with a service definition. For a single-tenant deployment, create one zone. If you have a multi-tenant deployment, create a zone for each sub-tenant. You can add up to 32 zones in each template.
1. Select Network > Zones.
2. Select the correct template in the Template drop-down.
3. Select Add and enter a zone Name.
4. Set the interface Type to Virtual Wire.
5. Click OK.
6. Verify that the zones are attached to the correct template.
7. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama. Panorama creates a corresponding service profile on NSX-V Manager for each qualified zone upon commit.

Create the Service Definitions on Panorama

A service definition specifies the configuration for the VM-Series firewalls installed on each host in an ESXi cluster. The service definition must include the device group, the license auth-codes for deploying the VM-Series firewalls, and a template stack with one or more NSX-V service profile zones.
Typically, you create a service definition for the VM-Series firewall in an ESXi cluster. If you have different ESXi clusters with workloads that require the VM-Series firewall to handle traffic differently, you can create multiple service definitions on Panorama. On a Panorama commit, each service definition is registered on the NSX-V Manager. On registration with the NSX-V Manager, the NetX API implementation makes each zone (defined within the template stack) available for redirecting traffic. When you deploy the VM-Series firewalls, you can select the profile name for the VM-Series firewall(s) to which you want to redirect traffic from the objects in NSX-V security groups. The appropriately configured firewall can then inspect the traffic from the virtual machines that belong to the NSX-V security groups and enforce policy.

STEP 1 | (Optional) Configure a Notify Group.
Create a notify group by specifying the device groups that should be notified of changes in the virtual environment. The firewalls included in the specified device groups receive a real-time update of security groups and the IP addresses of the guest VMs in them. The firewalls use this update to determine the most current list of members that constitute the dynamic address groups referenced in policy.
1. Select Panorama > VMware > NSX-V > Notify Group and click Add.
2. Give your Notify Group a descriptive Name.
3. Select the boxes of all device groups that should be notified of changes to the virtual environment. If a device group does not have a check box available, it means that the device group is automatically included by virtue of the device group hierarchy.
4. Click OK.

STEP 2 | Add a new service definition.
You can create up to 32 service definitions on Panorama.
1. Select Panorama > VMware > NSX-V > Service Definitions.
2. Select Add to create a new service definition. The maximum number of characters in a service definition name is 40.
On the NSX-V Manager, this service definition name displays in the Services column on Networking & Security > Service Definitions > Services.
3. (Optional) Add a Description that identifies the function or purpose of the VM-Series firewalls that will be deployed using this service definition.

STEP 3 | Assign a device group and a template stack to the service definition.
Make sure to Create the zone(s) for each template stack. Because the firewalls deployed in this solution will be centrally administered from Panorama, you must specify the Device Group and the Template Stack that the firewalls belong to. All the firewalls that are deployed using this service definition belong to the specified template stack and device group.
1. Select the device group or device group hierarchy in the Device Group drop-down.
2. Select the template stack in the Template drop-down.
You cannot reuse a template stack or a device group assigned to one service definition in another service definition.

STEP 4 | Specify the location of the OVF file.
Download the zip file and unzip it to extract the .ovf, .mf, and .vmdk files; save them to the same directory. These files are used to deploy each instance of the firewall. If needed, modify the security settings on the server so that you can download the file types. For example, on an IIS server modify the Mime Types configuration; on an Apache server edit the .htaccess file.
In VM-Series OVF URL, add the location of the web server that hosts the ovf file. Both http and https are supported protocols. For example, enter https://acme.com/software/PA-VM-NSX.9.0.0.ovf
Select the ovf file that matches the VM-Series model you plan to deploy. For the VM-200, use vm100.ovf. For the VM-1000-HV, use vm300.ovf. You can use the same ovf version or different versions across service definitions.
Using different ovf versions across service definitions allows you to vary the PAN-OS version on the VM-Series firewalls in different ESXi clusters.

STEP 5 | (Optional) Select a Notify Group.
To create context awareness between the virtual and security environments so that policy is consistently applied to all traffic steered to the firewalls, select the device groups to notify when there are changes in the virtual environment. Select each device group for which you want to enable notifications in the Notify Device Groups drop-down. If a device group does not have a checkbox available, it means that the device group is automatically included by virtue of the device group hierarchy.
The firewalls included in the specified device groups receive a real-time update of security groups and IP addresses. The firewalls use this update to determine the most current list of members that constitute the dynamic address groups referenced in policy.

STEP 6 | Save the service definition and attach it to the service manager.
1. Click OK.
2. Select Panorama > VMware > NSX-V > Service Manager and click the link of the service manager name.
3. Under Service Definitions, click Add and select your service definition from the drop-down.
4. Click OK.
5. Select Commit and Commit Type: Panorama. Committing the changes triggers the process of registering each service definition as a security service on the NSX-V Manager.

STEP 7 | Add the authorization code to license the firewalls.
The auth-code must be for the VM-Series model NSX bundle; for example, PAN-VM-300-PERP-BND-NSX. Verify that the order quantity/capacity is adequate to support the number of firewalls you need to deploy in your network.
1. Select Panorama > Device Groups and choose the device group you associated with the service definition you just created.
2.
Under Dynamically Added Device Properties, add the authorization code you received with your order fulfillment email and select a PAN-OS software version from the SW Version drop-down.
When a new firewall is deployed under NSX-V and added to the selected device group, the authorization code is applied and the firewall is upgraded to the selected version of PAN-OS. On the support portal, you can view the total number of firewalls that you are authorized to deploy and the ratio of the number of licenses that have been used to the total number of licenses enabled by your auth-code.
3. Synchronize the configuration between Panorama and the NSX-V Manager.
   1. Select Panorama > VMware > NSX-V > Service Managers.
   2. Select NSX Config-Sync under the Actions column.
   3. Click Yes to confirm the sync.

STEP 8 | Verify that the service definition and the NSX-V service profile that you defined on Panorama are registered on the NSX-V Manager.
1. On the NSX-V Manager, to verify that the service definition is available, select Networking & Security > Service Definitions > Services. The service definition is listed as a Service on the NSX-V Manager.
2. To verify that the zones are available on the NSX-V Manager:
   1. Select Networking and Security > Service Composer > Security Policies, and click Create Security Policy.
   2. Select Network Introspection Services, and click Add.
   3. In the Service Name drop-down, select a Palo Alto Networks service that you verified in the step above.
   4. In the Profile drop-down, verify that you can view all the zones you defined for that service definition on Panorama.

STEP 9 | (Optional) Synchronize the configuration between Panorama and the NSX-V Manager.
If you add or update the service definitions configured on Panorama, select NSX Config Sync in the Action column under Panorama > VMware > NSX-V > Service Managers to synchronize the changes on the NSX-V Manager.
This link is not available if you have any pending commits on Panorama.
If the synchronization fails, view the details to determine whether to fix the error on Panorama or on the NSX-V Manager. For example, if you delete a service definition on Panorama, but the service definition cannot be deleted from the NSX-V Manager because it is referenced in a rule on the NSX-V Manager, the synchronization fails with an error message that indicates the reason for failure.

Deploy the VM-Series Firewall

After registering the VM-Series firewall as a service (Palo Alto Networks NGFW) on the NSX-V Manager and creating security groups and steering rules, complete the following tasks on the NSX-V Manager.
• Define an IP Address Pool (Required only if the management interface is not configured for DHCP)
• Prepare the ESXi Host for the VM-Series Firewall
• Deploy the Palo Alto Networks NGFW Service
• Enable Large Receive Offload

Support for vMotion of guest virtual machines in the vSphere/NSX-V Environment
When a guest VM is vMotioned from one host to another within a cluster, the target host NSX-V distributed firewall will steer all new sessions to the VM-Series firewall on the destination host. To ensure that all active (existing) sessions remain uninterrupted during and after the guest vMotion, the NSX-V Manager polls the VM-Series firewall for existing allowed sessions and then shares these sessions with the NSX-V distributed firewall on the destination host.
All existing sessions that were allowed by the original VM-Series firewall will be allowed by the NSX-V distributed firewall (filtering module) on the destination host without steering to the target host VM-Series firewall, to prevent session loss. The VM-Series firewall runs as a service on each host of the cluster and therefore is never vMotioned.

Define an IP Address Pool

You can configure the management interface on the VM-Series firewall to use an IP address from a static IP pool or to be a DHCP client. An IP pool is a range of (static) IP addresses that are reserved for establishing management access to the VM-Series firewalls. If you opt to use an IP pool, when the NSX-V Manager deploys a new VM-Series firewall, the first available IP address from this range is assigned to the management interface of the firewall.

STEP 1 | In the Networking & Security Inventory, select the NSX Manager, and double click to open the configuration details of the NSX-V Manager.
STEP 2 | Select Manage > Grouping Objects > IP Pools.
STEP 3 | Click Add IP Pool and specify the network access details requested in the screen, including the range of static IP addresses that you want to use for the Palo Alto Networks NGFW.

Prepare the ESXi Host for the VM-Series Firewall

Before you deploy the VM-Series firewall, each host in the cluster must have the necessary NSX-V components that allow the NSX-V firewall and the VM-Series firewall to work together. The NSX-V Manager will install the components—the Ethernet Adapter Module (.eam) and the SDK—required to deploy the VM-Series firewall.

STEP 1 | On the NSX-V Manager, select Networking and Security > Installation > Host Preparation.
STEP 2 | Click Install and verify that the installation status is successful.
As new ESXi hosts are added to a cluster, this process is automated and the necessary NSX-V components are automatically installed on each guest on the ESXi host.
STEP 3 | If the Installation Status is not ready or a warning displays on screen, click the Resolve link. To monitor the progress of the re-installation attempt, click the More Tasks link and look for the successful completion of the following tasks:

Deploy the Palo Alto Networks NGFW Service

Use the following steps to automate the process of deploying an instance of the VM-Series firewall for NSX-V on each ESXi host in the specified cluster.

STEP 1 | Select Networking and Security > Installation > Service Deployments.
STEP 2 | Click New Service Deployment (green plus icon), and select the service definition for the Palo Alto Networks next generation firewall you want to deploy, Palo Alto Networks NGFW service in this example. Click Next.
STEP 3 | Select the Datacenter and the cluster(s) on which the service will be deployed. One instance of the firewall will be deployed on each host in the selected cluster(s).
STEP 4 | Select the datastore from which to allocate disk space for the firewall. Select one of the following options depending on your deployment:
• If you have allocated shared storage for the cluster, select an available shared datastore.
• If you have not allocated shared storage for the cluster, select the Specified-on-host option. Be sure to select the storage on each ESXi host in the cluster. Also select the network that will be used for the management traffic on the VM-Series firewall.
STEP 5 | Select the port group that provides management network traffic access to the firewall.
STEP 6 | Select the IP address pool assignment.
• Use IP Pool (Define an IP Address Pool) from which to assign a management IP address for each firewall when it is being deployed.
• Use DHCP on the management interface.
If you use an IP pool, on deployment, the display name for the VM-Series firewall on Panorama includes the hostname of the ESXi host. For example: PA-VM:10.5.1.120. If you use DHCP, the display name for the VM-Series firewall does not include the name of the ESXi host.

STEP 7 | Review the configuration and click Finish.

STEP 8 | Verify that the NSX-V Manager reports the Installation Status as Successful.
This process can take a while; click the More tasks link on vCenter to monitor the progress of the installation. If the installation of the VM-Series fails, the error message is displayed in the Installation Status column. You can also use the Tasks tab and the Log Browser on the NSX-V Manager to view the details of the failure and refer to the VMware documentation for troubleshooting steps.

STEP 9 | Verify that the firewall is successfully deployed.
1. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
2. View the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server.
VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall. With VMware Tools, you can view resource utilization metrics on hard disk, memory, and CPU, and use these metrics to enable alarms or actions on the vCenter server. The heartbeats allow you to verify that the firewall is live and trigger actions to ensure high availability. You can also perform a graceful shutdown and restart of the firewall using the power off function on vCenter.
STEP 10 | Access the Panorama web interface to make sure that the VM-Series firewalls are connected and synchronized with Panorama.
1. Select Panorama > Managed Devices to verify that the firewalls are connected and synchronized.
   If the firewall gets its IP address from an IP Pool, the Display Name for the firewall includes the hostname of the ESXi server on which it is deployed, for example PA-VM:ESX1.Sydney. If the firewall gets a DHCP-assigned IP address, the hostname of the ESXi server does not display.
   If the ESXi server hostname is longer than 32 characters, the hostname will not be displayed in Panorama. Instead, only PA-VM is displayed.
2. Click Commit, and select Commit Type as Panorama.
   A periodic Panorama commit is required to ensure that Panorama saves the device serial numbers to the configuration. If you reboot Panorama without committing the changes, the managed devices will not connect back to Panorama; although the Device Group will display the list of devices, the devices will not display in Panorama > Managed Devices.

STEP 11 | Verify that the capacity license is applied and apply any additional licenses that you have purchased.
At a minimum, you must activate the support license on each firewall.
When Panorama does not have internet access (Offline), you must manually license each firewall, and then add the serial number of the firewall to Panorama so that it is registered as a managed device and can receive the template stack and device group settings from Panorama. See Activate the License for the VM-Series Firewall for VMware NSX for more information.
1. Select Panorama > Device Deployment > Licenses to verify that the VM-Series capacity license is applied.
2.
To apply additional licenses on the VM-Series firewalls:
   • Click Activate on Panorama > Device Deployment > Licenses.
   • Find or filter for the firewall, and in the Auth Code column, enter the authorization code for the license to activate. Only one authorization code can be entered at a time for each firewall.
3. Click Activate, and verify that the result of the license activation was successful.

STEP 12 | (Optional) Upgrade the PAN-OS version on the VM-Series firewalls; see Upgrade the PAN-OS Software Version (VM-Series for NSX).

STEP 13 | Add guest VMs to the right security groups for traffic from those VMs to be redirected to the VM-Series firewall.
1. Log in to vCenter.
2. Select Networking & Security > Service Composer > Security Groups.
3. Highlight the security group to which you want to assign guest VMs and click the Edit Security Group icon.
4. Select Define dynamic membership and click the + icon.
5. Click Add.
6. Define the dynamic membership criteria that the guest VMs must meet to be part of the selected security group. The criteria you use depend on your network deployment. For example, you might choose to group VMs by an Entity such as Logical Switch or Distributed Port Group.
7. Click Finish.
8. Repeat this procedure for each security group that should have its traffic redirected to the VM-Series firewall.

Enable Large Receive Offload

Large receive offload (LRO) is a technique for increasing the inbound throughput on high-bandwidth network connections by decreasing CPU overhead. Without LRO, the firewall drops packets larger than the configured maximum transmission unit (MTU), which is a maximum of 9216 bytes when the firewall is enabled for jumbo frames. With LRO enabled, the firewall accepts packets up to 64KB in size and does not drop packets larger than the configured MTU.
Instead, it segments the larger packets into smaller chunks of 9000 bytes. For example, if VM1 sends a 64KB packet to VM2, the packet is divided into eight segments.
LRO is disabled by default on new NSX-V deployments and upon upgrade. You can enable or disable LRO and view the LRO status through the CLI. Enabling LRO on the VM-Series firewall automatically enables jumbo frames. Additionally, LRO and TCP Segmentation Offload (TSO) must be enabled on the VMXNET3 network adapter on the VM-Series firewall host machine.

STEP 1 | Verify that large receive offload and TCP segmentation offload are enabled on the host.
For information about LRO and TSO on the host machine, see the VMware vSphere documentation.
1. Log in to vSphere and navigate to your host machine.
2. Select Manage > Settings > System > Advanced System Settings.
3. Locate the following parameters and verify that their value is set to 1. A 1 indicates that the parameter is enabled on the VMXNET3 adapter.
   • For LRO—Net.Vmxnet3HwLRO
   • For TSO—Net.UseHwTSO and Net.UseHwTSO6

STEP 2 | Enable LRO on the VM-Series firewall.
1. Access the firewall CLI.
2. Use the following command to enable LRO:
   admin@PA-VM> set system setting lro enable
3. Reboot the firewall using the following command:
   > request restart system
4. Verify that LRO is enabled with the following command:
   admin@PA-VM> show system setting lro
   Device LRO mode: on
   Current device mtu size: 9192
You can disable LRO using the command set system setting lro disable.

Create Security Groups and Steering Rules

The following topics describe how to create security groups and policies to steer traffic to the VM-Series firewall. Follow the link below that matches your deployment process—Security Centric or Operations Centric.
• Create Security Groups and Steering Rules in a Security Centric Deployment
• Create Security Groups and Steering Rules in an Operations Centric Deployment

Create Security Groups and Steering Rules in a Security Centric Deployment

The following topics describe how to create policies on Panorama to steer traffic to the VM-Series firewall. For the VM-Series firewall to secure traffic, you must complete the following tasks:
• Set Up Dynamic Address Groups on Panorama
• Create Steering Rules on Panorama

Set Up Dynamic Address Groups on Panorama

A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. When you create a dynamic address group that meets the right criteria and commit your changes, a corresponding security group is created on the NSX-V Manager. Creating security groups is required to manage and secure the guests; to understand how security groups enable policy enforcement, see Policy Enforcement using Dynamic Address Groups.

STEP 1 | Configure a dynamic address group for each security group required for your deployment.
Shared dynamic address groups are not supported on the VM-Series for VMware NSX-V.
1. Select Objects > Address Groups.
2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX-V service definition.
3. Click Add and enter a Name and Description for the address group.
4. Select Type as Dynamic.
5. Define the match criteria. For the dynamic address group to become a security group in NSX-V Manager, the match criteria string must be enclosed in single quotes with the prefix _nsx_ followed by the exact name of the Address Group. For example, ‘_nsx_PAN_APP_NSX’.
6. Repeat this process for each security group you require.

STEP 2 | Verify that the corresponding security groups are created on the NSX-V Manager.
1. Select Network and Security > Service Composer > Security Groups.
2. Verify that your dynamic address groups appear as security groups on the Security Groups list. Each security group is prefixed with your service definition followed by an underscore and the dynamic address group name.

Create Steering Rules on Panorama

Do not apply the traffic redirection policies unless you understand how rules work on the NSX-V Manager as well as on the VM-Series firewall and Panorama. The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Policies to the VM-Series Firewall.

Create security policy rules in the associated device group. For each security rule, set the Rule Type to Intrazone, select one zone in the associated template stack, and select the dynamic address groups as the source and destination. Creating a qualifying security policy in Panorama results in a corresponding steering rule on NSX-V Manager when you generate steering rules and commit in Panorama.

STEP 1 | Create security policy.
1. In Panorama, select Policies > Security > Pre Rules.
2. Verify that you are configuring the dynamic address groups in a device group associated with an NSX-V service definition.
3. Click Add and enter a Name and Description for your security policy rule.
4. Set the Rule Type to intrazone (Devices with PAN-OS 6.1 or later).
5. In the Source tab, set the source zone to the zone from the template stack associated with the service definition. Then select a dynamic address group (NSX-V security group) you created previously as the Source Address. Do not add any static address groups, IP ranges, or netmasks as a Source Address.
6. In the Destination tab, Panorama does not allow you to set a destination zone because you set the rule type to intrazone. Select a dynamic address group (NSX-V security group) you created previously as the Destination Address. Do not add any static address groups, IP ranges, or netmasks as a Destination Address.
7. Click OK.
8. Repeat steps 1 through 7 for each steering rule you require.
9. Commit your changes.

STEP 2 | Generate steering rules. Panorama generates a steering rule for each qualifying security policy rule.
1. Select Panorama > VMware > NSX-V > Steering Rules.
2. Select Auto-Generate Steering Rules. Panorama populates the list of steering rules based on the qualifying security policy rules in the device group attached to the service definition.
3. (Optional) Modify the NSX Traffic Direction and add NSX-V Services to a Steering Rule. By default, the NSX Traffic Direction is set to inout and no NSX-V Services are selected. When no NSX-V Services are specified, any type of traffic is redirected to the VM-Series firewall.
   1. Select the auto-generated steering rule to be modified.
   2. To change the traffic direction, select the direction from the NSX Traffic Direction drop-down.
   3. Click Add under NSX Services and choose a service from the Services drop-down. Repeat this step to add additional services.
   4. Click OK.
4. If you deleted any steering rules, click Auto-Generate Steering Rules before committing your changes.
5. Commit your changes.

STEP 3 | Verify that the corresponding traffic steering rules were created on the NSX-V Manager.
1. Select Network and Security > Firewall > Configuration > Partner Security Services.
2. Confirm that the traffic steering rules you created on Panorama are listed.
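The two requirements above (a DAG's match criteria must be the single-quoted _nsx_ prefix plus the exact group name, and a steering rule is only generated for an intrazone rule whose source and destination are such DAGs) can be checked before committing. The following is an added example, not Palo Alto Networks code; the DAG, rule and zone data are constructed dictionaries rather than Panorama's XML or API objects, and the service definition name is a placeholder.

```python
"""Added example, not Palo Alto Networks code: an offline audit of a
Panorama device group's dynamic address groups (DAGs) and security rules
against the security-centric NSX-V requirements described above.

Assumptions: the DAG, rule and zone data below are constructed
dictionaries, not Panorama's XML or API objects; the service
definition name is a placeholder.
"""
from typing import Dict, List, Optional

QUOTES = "'\u2018\u2019"  # straight or curly single quotes (PDFs render them curly)
PREFIX = "_nsx_"


def check_dag_match_criteria(dag_name: str, match_criteria: str) -> Optional[str]:
    """Return None if the DAG will become an NSX-V security group, otherwise why not."""
    text = match_criteria.strip()
    if len(text) < 2 or text[0] not in QUOTES or text[-1] not in QUOTES:
        return "match criteria must be enclosed in single quotes"
    inner = text[1:-1]
    if not inner.startswith(PREFIX):
        return f"match criteria must start with the {PREFIX} prefix"
    if inner[len(PREFIX):] != dag_name:
        return f"prefix must be followed by the exact address group name {dag_name!r}"
    return None


def expected_security_group_name(service_definition: str, dag_name: str) -> str:
    """NSX-V Manager names the security group <service definition>_<DAG name>."""
    return f"{service_definition}_{dag_name}"


def steering_rule_problems(rule: Dict, dags: Dict[str, str], zones: set) -> List[str]:
    """Reasons Panorama would not generate a steering rule (empty list = qualifies)."""
    problems: List[str] = []
    if rule.get("rule_type") != "intrazone":
        problems.append("rule type must be intrazone")
    if rule.get("from_zone") not in zones:
        problems.append("source zone must be a zone in the service definition's template stack")
    for side in ("source", "destination"):
        addresses = rule.get(side) or []
        if not addresses:
            problems.append(f"{side} address must name a dynamic address group")
        for addr in addresses:
            if addr not in dags:
                # static groups, IP ranges and netmasks all disqualify the rule
                problems.append(f"{side} address {addr!r} is not a dynamic address group")
            elif check_dag_match_criteria(addr, dags[addr]) is not None:
                problems.append(f"{side} DAG {addr!r} will not create an NSX-V security group")
    return problems


def audit_device_group(dags: Dict[str, str], rules: List[Dict], zones: set,
                       service_definition: str) -> Dict:
    """Predict the security groups and steering rules a commit would produce."""
    report: Dict = {"security_groups": [], "bad_dags": {}, "steering_rules": [], "skipped": {}}
    for name, criteria in dags.items():
        reason = check_dag_match_criteria(name, criteria)
        if reason is None:
            report["security_groups"].append(expected_security_group_name(service_definition, name))
        else:
            report["bad_dags"][name] = reason
    for rule in rules:
        problems = steering_rule_problems(rule, dags, zones)
        if problems:
            report["skipped"][rule["name"]] = problems
        else:
            report["steering_rules"].append(rule["name"])
    return report


# Constructed sample input (placeholder names, not from a real deployment).
SERVICE_DEFINITION = "PAN-NSX-SD"
ZONES = {"NSX-Zone"}
SAMPLE_DAGS = {
    "PAN_WEB_NSX": "\u2018_nsx_PAN_WEB_NSX\u2019",  # curly quotes as pasted from a PDF
    "PAN_APP_NSX": "'_nsx_PAN_APP_NSX'",
    "PAN_DB_NSX": "'nsx_PAN_DB_NSX'",  # missing the leading underscore of the prefix
}
SAMPLE_RULES = [
    {"name": "web-to-app", "rule_type": "intrazone", "from_zone": "NSX-Zone",
     "source": ["PAN_WEB_NSX"], "destination": ["PAN_APP_NSX"]},
    {"name": "app-to-db", "rule_type": "intrazone", "from_zone": "NSX-Zone",
     "source": ["PAN_APP_NSX"], "destination": ["PAN_DB_NSX"]},
    {"name": "mgmt-to-web", "rule_type": "universal", "from_zone": "NSX-Zone",
     "source": ["10.0.0.0/24"], "destination": ["PAN_WEB_NSX"]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_device_group(SAMPLE_DAGS, SAMPLE_RULES, ZONES, SERVICE_DEFINITION), indent=2))
```

Only web-to-app qualifies in the sample: app-to-db references a DAG whose criteria lack the prefix, and mgmt-to-web is a universal rule with a netmask as its source.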
Create Security Groups and Steering Rules in an Operations Centric Deployment

In an operations-centric deployment, you create security groups and traffic redirection rules on the NSX-V Manager instead of Panorama. The security rules configured on Panorama then enforce policy on the traffic redirected to the VM-Series firewall. Complete the following tasks when deploying the VM-Series firewall for NSX-V in an operations-centric deployment:
• Set Up Security Groups on the NSX-V Manager
• Create Steering Rules on NSX-V Manager

Set Up Security Groups on the NSX-V Manager

A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. Creating security groups makes it easier to manage and secure the guests; to understand how security groups enable policy enforcement, see Policy Enforcement using Dynamic Address Groups.

STEP 1 | Log in to the vSphere user interface.

STEP 2 | Select Networking and Security > Service Composer > Security Groups, and add a New Security Group.

STEP 3 | Add a Name and Description. This name will display in the match criteria list when defining dynamic address groups on Panorama.

STEP 4 | Select the guests that constitute the security group. You can either add members dynamically or statically. You can Define Dynamic Membership by matching on security tags (recommended), or statically Select the Objects to Include. In the following screenshot, the guests that belong to the security group are selected using the Objects Type: Virtual Machine option.

STEP 5 | Review the details and click OK to create the security group.

Create Steering Rules on NSX-V Manager

Do not apply the traffic redirection policies unless you understand how rules work on the NSX-V Manager as well as on the VM-Series firewall and Panorama.
The default policy on the VM-Series firewall is set to deny all traffic, which means that all traffic redirected to the VM-Series firewall will be dropped. To create policies on Panorama and push them to the VM-Series firewall, see Apply Security Policies to the VM-Series Firewall.

STEP 1 | Select Networking and Security > Service Composer > Security Policies and click Create Security Policy.

STEP 2 | Add a rule Name.

STEP 3 | Add a network introspection service.
1. Select Network Introspection Service and click the green plus icon.
2. Name the network introspection service and add a Description.
3. Select Redirect to Service under Action.
4. Select your service definition under Service Name.
5. Select your service profile under Profile.
6. Select a Source and a Destination. By default, the traffic source is set to Policy’s Security Groups. This option dynamically includes all security groups where this policy is applied. Alternatively, you can choose to have traffic from any source redirected to the firewall or specify certain security groups. However, vSphere requires that Source or Destination (or both) be set to Policy’s Security Group. If you select Any or specific security groups for Destination, then Source must be set to Policy’s Security Group.
7. (Optional) Select specific network services to be redirected to the firewall. If you choose a service or services, all other traffic will not be redirected to the firewall.
8. Click OK.
9. Repeat steps 1 through 6 to add additional network introspection services.
10. Click Finish to save your configuration.

STEP 4 | Apply the redirection policy to security groups.
1. Highlight a security policy by clicking it.
2. Select Networking and Security > Service Composer > Security Policies and click Apply Security Policy.
3. Apply the redirection rules by checking all appropriate zones.
4. Click OK.
Apply Security Policies to the VM-Series Firewall

Now that you have created the steering rules on Panorama and pushed them to the NSX-V Manager, you can use Panorama for centrally administering policies on the VM-Series firewalls. To manage centralized policy, attach the dynamic address group as a source or destination address in security policy and push it to the firewalls; the firewalls can dynamically retrieve the IP addresses of the virtual machines that are included in each security group to enforce compliance for traffic that originates from or is destined to the virtual machines in the specified group.

STEP 1 | Log in to Panorama.

STEP 2 | (Operations-centric deployments only) Create dynamic address groups. Skip this step for security-centric deployments. If you are performing a security-centric deployment, you have already created dynamic address groups.
After creating the security redirection rules on the NSX-V Manager, the names of the security groups that are referenced in security policy will be available on Panorama.
Shared dynamic address groups are not supported on the VM-Series for VMware NSX-V.
1. Select Objects > Address Groups.
2. Select the Device Group you created for managing your VM-Series firewalls on NSX-V from the Device Group drop-down.
3. Click Add and enter a Name and Description for the dynamic address group.
4. Select Type as Dynamic.
5. Add Match Criteria to your dynamic address group.
   Some browser extensions may block API calls between Panorama and NSX-V, which prevents Panorama from receiving match criteria. If Panorama displays no match criteria and you are using browser extensions, disable the extensions and Synchronize Dynamic Objects to populate the tags available to Panorama.
6. Click Add Match Criteria.
7. Select the And or Or operator and click the plus (+) icon next to the security group name to add it to the dynamic address group. The security groups that display in the match criteria dialog are derived from the groups you defined on the Distributed Firewall Partner Security Services or on the Service Composer on the NSX-V Manager. Only the security groups that are referenced in the security policies and from which traffic is redirected to the VM-Series firewall are available here.
8. Click OK.
9. Repeat these steps to create the appropriate number of dynamic address groups required for your deployment.
10. Commit your changes.

STEP 3 | Create security policy rules.
1. Select Policies > Security > Prerules.
2. Select the Device Group that you created for managing the VM-Series firewalls for NSX-V in Register the VM-Series Firewall as a Service on the NSX-V Manager.
3. Click Add and enter a Name and a Description for the rule. In this example, the security rule allows all traffic between the WebFrontEnd servers and the Application servers.
4. Select the Source Zone and Destination Zone. The zone name must be the same in both columns.
5. For the Source Address and Destination Address, select or type in an address, address group or region. In this example, we select an address group, the dynamic address group you created previously.
6. Select the Application to allow. In this example, we create an Application Group that includes a static group of specific applications that are grouped together.
   1. Click Add and select New Application Group.
   2. Click Add to select the applications to include in the group. In this example, we select the following:
   3. Click OK to create the application group.
7. Specify the action—Allow or Deny—for the traffic, and optionally attach the default security profiles for antivirus, anti-spyware, and vulnerability protection under Profiles.
8. Repeat the steps above to create the pertinent policy rules.
9. Click Commit, select Commit Type as Panorama, and click OK.

STEP 4 | Apply the policies to the VM-Series firewalls for NSX-V.
1. Click Commit, and select Commit Type Device Groups.
2. Select the device group, NSX-V Device Group in this example, and click OK.
3. Verify that the commit is successful.

STEP 5 | Validate that the members of the dynamic address group are populated on the VM-Series firewall.
1. From Panorama, switch device context to launch the web interface of a firewall to which you pushed policies.
2. On the VM-Series firewall, select Policies > Security, and select a rule.
3. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
4. Click the more link and verify that the list of registered IP addresses is displayed. Policy will be enforced for all IP addresses that belong to this address group and are displayed here.

STEP 6 | (Optional) Use a template to push a base configuration for network and device settings such as DNS server, NTP server, Syslog server, and login banner. Refer to the Panorama Administrator’s Guide for information on using templates.

STEP 7 | Create a Zone Protection profile and attach it to a zone. A zone protection profile provides flood protection and has the ability to protect against port scanning, port sweeps and packet-based attacks.
It allows you to secure intra-tier and inter-tier traffic between virtual machines within your data center and traffic from the Internet that is destined to the virtual machines (workloads) in your data center.
1. Select your Template.
2. Select Network > Network Profiles > Zone Protection to add and configure a new profile.
3. Select Network > Zones, click the default-zone listed and select the profile in the Zone Protection Profile drop-down.

STEP 8 | Create a DoS Protection profile and attach it to a DoS Protection policy rule.
1. Select your Device Group.
2. Select Objects > Security Profiles > DoS Protection to add and configure a new profile.
   • A classified profile allows the creation of a threshold that applies to a single source IP. For example, you can configure a maximum session rate for an IP address that matched the policy, and then block that single IP address once the threshold is triggered.
   • An aggregate profile allows the creation of a maximum session rate for all packets matching the policy. The threshold applies to the new session rate for all IP addresses combined. Once the threshold is triggered, it affects all traffic that matches the policy.
3. Create a new DoS Protection policy rule in Policy > DoS Protection, and attach the new profile to it.

Steer Traffic from Guests that are not Running VMware Tools

VMware Tools contains a utility that allows the NSX-V Manager to collect the IP address(es) of each guest running in the cluster. NSX-V Manager uses the IP address as a match criterion to steer traffic to the VM-Series firewall. If you do not have VMware Tools installed on each guest, the IP address(es) of the guest are unavailable to the NSX-V Manager and traffic cannot be steered to the VM-Series firewall. The following steps allow you to manually provision guests without VMware Tools so that traffic from each of these guests can be managed by the VM-Series firewall.
STEP 1 | Create an IP set that includes the guests that need to be secured by the VM-Series firewall. This IP set will be used as the source or destination object in an NSX-V distributed firewall rule in Step 2 below.
1. Select NSX Managers > Manage > Grouping Objects > IP Sets.
2. Click Add and enter the IP address of each guest that does not have VMware Tools installed and needs to be secured by the VM-Series firewall. Use commas to separate individual IP addresses; IP ranges or subnets are not valid.

STEP 2 | Attach the IP sets to the Security Groups on NSX-V to enforce policy.
1. Select Networking and Security > Service Composer > Security Groups.
2. Select Select objects to include > IP Sets, and add the IP set object to include.

What is Multi-NSX Manager Support on the VM-Series for NSX-V?

Multi-NSX Manager support on the VM-Series firewall for NSX-V allows you to connect a single Panorama to multiple NSX-V Managers running individual vCenter servers. Using a single Panorama allows you to manage common objects and policies and synchronize them across multiple vCenter servers. You can now configure and manage multiple NSX-V Managers in a single location, eliminating the need to replicate common configuration many times on multiple Panorama servers.
• Plan Your Multi-NSX Deployment
• Deploy the VM-Series Firewall in a Multi-NSX Manager Environment

Plan Your Multi-NSX Deployment

You must carefully plan your device group hierarchy and template stacks and consider how they interact with the other components needed for deployment. Service definitions reference device groups and template stacks and push that information to the firewalls in the related ESXi clusters.
• Configure your device groups—Device groups are logical units that group firewalls based on common aspects that require similar policy configurations.
Each service definition requires a device group, and each device group can be referenced in only one service definition. A device group inherits policy rules and object settings from the device groups above it in the device group hierarchy. This allows you to configure common or shared settings in parent device groups and unique settings in child or grandchild device groups. By default, Panorama has a Shared device group, and any configuration in the Shared device group is pushed to all device groups. When configuring any policy rules or object settings, confirm that you have selected the right device group. See Managing Device Groups in the Panorama Administrator’s Guide for information on configuring and managing device groups.
• Configure your template stacks—A template stack contains settings that enable a firewall to connect to your network, such as interface and zone configurations. Each service definition requires a template stack, and each template stack can be referenced in only one service definition. When assigning a template stack to a service definition, consider the priority of the templates in the stack to ensure that the right configuration is pushed to the correct firewalls. If the templates in a stack contain overlapping configuration, the template with higher priority takes precedence and the same setting in lower-priority templates is ignored. Therefore, ensure that template configuration unique to an NSX-V Manager is given higher priority in the template stack assigned to that NSX-V Manager’s service definition. See Manage Templates and Template Stacks in the Panorama Administrator’s Guide for information on configuring and managing template stacks.
• Create your service definition—A service definition specifies the configuration for the VM-Series firewalls on each host in the ESXi cluster.
Each individual NSX-V Manager configuration requires at least one service definition. A service manager can have multiple service definitions, but each service definition can have only one device group and one template stack. After a device group or template stack has been assigned to a service definition, you can no longer select that device group or template stack for future service definitions. For example, in a disaster recovery deployment scenario, you would need to create identical device groups for each data center. Because all the policy rules and objects are the same for the data centers, you can perform all your configuration in a single device group. However, you cannot use the same device group in two service definitions. To ensure that each data center gets the same policy rules, create a child device group for each data center under the device group with the common configuration. These child device groups do not need any configuration of their own because they inherit everything the VM-Series firewalls need from the parent device group. And because each data center is identical, configure your network settings in a template (Template 1). Create a template stack for each data center and assign Template 1 to each stack.

Deploy the VM-Series Firewall in a Multi-NSX Manager Environment

Whether you are deploying a single NSX-V Manager or a multi-NSX Manager environment, set up the connection between an NSX-V Manager and Panorama before you continue on to set up the next NSX-V Manager with Panorama.

STEP 1 | Install the VMware NSX Plugin version 2.0, which allows you to connect up to 16 NSX-V Managers. This version of the plugin allows you to add more than one Service Manager to your VM-Series firewall for NSX-V configuration on Panorama.

STEP 2 | Enable Communication Between the NSX-V Manager and Panorama.
STEP 3 | Create Template(s) and Device Group(s) on Panorama. Device groups and template stacks push the security policy and network settings to the VM-Series firewalls in each ESXi cluster. When configuring policy rules and objects, verify that you have selected the correct device group. When configuring network and device settings, verify that you have selected the correct template stack.

STEP 4 | Create the Service Definitions on Panorama and attach them to the service manager. Each service definition can reference one device group and one template stack. Panorama supports up to 32 service definitions across all service managers.

STEP 5 | Configure dynamic address groups or security groups and redirect traffic to the VM-Series firewall.
• For security-centric deployments, Set Up Dynamic Address Groups on Panorama and Create Steering Rules on Panorama.
• For operations-centric deployments, Set Up Security Groups on the NSX-V Manager and Create Steering Rules on NSX-V Manager.
Verify that you have selected the correct device group so the right steering rules are sent to the corresponding NSX-V Manager.

STEP 6 | Deploy the Palo Alto Networks NGFW Service on each ESXi cluster by using the relevant service definitions.

STEP 7 | Repeat this process for each NSX-V Manager.
1. Select Panorama > VMware > NSX-V > Service Managers and click Add.
2. Enable Communication Between the NSX-V Manager and Panorama.

Dynamically Quarantine Infected Guests

Threat and traffic logs in PAN-OS include the source or destination universally unique identifier (UUID) of guest VMs in your NSX-V deployment. This allows the VM-Series for NSX-V to support the tagging of guest VMs with NSX-V security tags. With the guest VMs’ UUID now included in the log events, the firewall, based on the filtered log events, can tag the affected guest VM via the NSX-V Manager API.
This allows for automatic location of compromised VMs in the NSX-V environment. NSX-V can then put all associated UUIDs under policies to quarantine those VMs from the rest of the network.

Panorama includes predefined payload formats for threat and traffic logs in the HTTP Server Profile. These payload formats correspond to predefined security tags in NSX-V. When a guest VM is found in the threat or traffic logs, Panorama makes an API call to NSX-V Manager telling NSX-V Manager to tag the guest VM with the tag specified in the HTTP Server Profile. When the guest VM becomes tagged, NSX-V Manager dynamically moves the tagged guest VM into the quarantine security group, which places the guest VM into the quarantine dynamic address group.

STEP 1 | Confirm that you have content update version 636 or later installed on Panorama.

STEP 2 | Create a dynamic address group to be your quarantine dynamic address group.

STEP 3 | Create an HTTP Server Profile to send API calls to NSX-V Manager.
1. Select Panorama > Server Profiles > HTTP and Add a new HTTP Server Profile.
2. Enter a descriptive Name.
3. Select Add to provide the details of NSX-V Manager.
4. Enter a Name for NSX-V Manager.
5. Enter the IP Address of NSX-V Manager.
6. Select the Protocol (HTTP or HTTPS). The default Port is 80 or 443, respectively.
7. Select PUT under the HTTP Method column.
8. Enter the username and password for NSX-V Manager.
9. Select Payload Format and choose an NSX-V payload format from the Pre-defined Formats drop-down. This populates the URI Format, HTTP Headers, and Payload fields with the correct information to send the HTTP API call to NSX-V Manager. Additionally, the chosen format determines which security tag NSX-V Manager applies to infected guest VMs.
In the example below, NSX-V Anti-Virus Threat High is selected, which corresponds to the ANTI_VIRUS.VirusFound.threat=high security tag on NSX-V Manager.

STEP 4 | Define the match criteria for when Panorama will forward logs to the NSX-V Manager, and attach the HTTP server profile to use.
1. Select Panorama > Collector Groups > Collector Log Forwarding for Threat or Traffic logs.
2. Click Traffic or Threat and Add.
3. Enter a descriptive name for the new log settings.
4. (Optional) Under Filter, you can add filters such as severity to narrow the logs that are forwarded to NSX-V Manager. If All Logs is selected, all threat or traffic logs that meet the criteria set in the HTTP Server Profile are sent to NSX-V Manager.
5. Click Add under HTTP and select the HTTP Server Profile configured in Step 3.
6. Click OK.

STEP 5 | Configure an NSX-V server certificate for Panorama to forward logs to NSX-V Manager.
1. Select Panorama > Certificate Management > Certificates.
2. Create a root CA certificate with CN=IP address of Panorama.
3. Create a signed certificate with CN=IP address of NSX-V Manager.
4. Export the root CA certificate in PEM format without a private key.
5. Export the signed certificate in PEM format with a private key.
6. Using a tool such as OpenSSL, concatenate the exported certificates into a single PEM file for upload to NSX-V Manager. Use the following commands to complete this step:
   cat cert_NSX_Root_CA.crt cert_NSX_Signed1.pem > cert_NSX_cert_chain.pem
   openssl pkcs12 -export -in cert_NSX_cert_chain.pem -out cert_NSX_cert.p12
7. Log in to NSX-V Manager and select Manage Appliance Settings > SSL Certificates > Upload PKCS#12 Keystore. Click Choose File, locate the p12 file you created in the previous step, and click Import.
STEP 6 | Associate a security group with a security tag in vCenter.
1. Log in to vCenter.
2. Select Networking & Security > Service Composer > Security Groups.
3. Select the security group that is the counterpart of the quarantine dynamic address group you created previously and click Edit Security Group.
4. Select Define dynamic membership and click the + icon.
5. Click Add.
6. Set the criteria details to Security Tag Contains and then enter the NSX-V security tag that corresponds to the NSX payload format you chose in Step 3. Each of the predefined NSX-V payload formats corresponds to an NSX-V security tag. To view the NSX-V security tags in NSX-V, select Networking & Security > NSX Managers > NSX Manager IP > Manage > Security Tags. In this example, NSX Anti-Virus Threat High is used in the HTTP Server Profile, so ANTI_VIRUS.VirusFound.threat=high is the NSX-V Security Tag that is used here.
7. Click Finish.

STEP 7 | After the guest VM is cleared for removal from quarantine, manually remove the NSX-V security tag from the guest VM in NSX-V.
1. Log in to vCenter.
2. Select VMs and Templates and choose the quarantined guest.
3. Select Summary > Security Tags > Manage.
4. Uncheck the security tag used by the quarantine security group and click OK.
5. Refresh the page; the quarantine security group will no longer be listed under Summary > Security Group Membership.

Source and destination UUID fields in threat and traffic logs may be blank after a guest VM is removed from quarantine. This can occur when running NSX-V 6.2.3 or earlier or if NSX-V steering rules do not use the inout direction. You can resolve this by upgrading NSX-V to 6.2.4, or by issuing an NSX Config-sync under Panorama > VMware > NSX-V > Service Manager and rebooting the PA-VM.
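The quarantine chain described in STEP 3 through STEP 7 (filtered log event, security tag on the guest, Security Tag Contains membership in the quarantine security group, IP address in the quarantine dynamic address group, manual release) can be modelled end to end, including the blank-UUID case noted above. The following is an added example, not Palo Alto Networks or VMware code; the log records, guest inventory and field names are constructed, and the HTTP PUT that Panorama sends to NSX-V Manager is not reproduced, only the tagging decision it carries.

```python
"""Added example, not Palo Alto Networks or VMware code: a model of the
quarantine workflow described above, from filtered threat logs to the IP
addresses that land in the quarantine dynamic address group.

Assumptions: log records, guest inventory and field names are
constructed; the HTTP PUT Panorama sends to NSX-V Manager is not
reproduced, only the tagging decision it carries.
"""
from typing import Dict, List, Optional, Set, Tuple

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Security tag applied by the "NSX-V Anti-Virus Threat High" payload format (from the guide).
AV_THREAT_HIGH_TAG = "ANTI_VIRUS.VirusFound.threat=high"

# Constructed threat log records; real PAN-OS threat logs carry many more fields.
SAMPLE_THREAT_LOGS = [
    {"subtype": "virus", "severity": "high", "src_uuid": "uuid-web-01", "dst_uuid": "uuid-app-01"},
    {"subtype": "virus", "severity": "low", "src_uuid": "uuid-db-01", "dst_uuid": ""},
    {"subtype": "virus", "severity": "critical", "src_uuid": "", "dst_uuid": ""},  # UUIDs blank
    {"subtype": "vulnerability", "severity": "high", "src_uuid": "uuid-db-01", "dst_uuid": ""},
]

# Constructed guest inventory: UUID -> IP address and current NSX-V security tags.
SAMPLE_VMS = {
    "uuid-web-01": {"ip": "10.1.1.5", "tags": set()},
    "uuid-app-01": {"ip": "10.1.2.9", "tags": set()},
    "uuid-db-01": {"ip": "10.1.3.4", "tags": set()},
}


def passes_filter(record: Dict, min_severity: str, subtype: Optional[str] = None) -> bool:
    """The Collector Log Forwarding filter of STEP 4: minimum severity, optionally a subtype."""
    if subtype is not None and record.get("subtype") != subtype:
        return False
    return SEVERITY_RANK.get(record.get("severity", ""), -1) >= SEVERITY_RANK[min_severity]


def plan_tag_actions(records: List[Dict], min_severity: str, tag: str,
                     subtype: Optional[str] = None) -> Tuple[List[Tuple[str, str]], List[Dict]]:
    """Return (uuid, tag) actions for each guest named in a forwarded log, plus the
    forwarded records that carry no UUID at all and therefore cannot be acted on."""
    actions: List[Tuple[str, str]] = []
    unresolved: List[Dict] = []
    seen: Set[str] = set()
    for rec in records:
        if not passes_filter(rec, min_severity, subtype):
            continue
        # Assumption: both endpoints of a matching session are treated as affected guests.
        uuids = [u for u in (rec.get("src_uuid", ""), rec.get("dst_uuid", "")) if u]
        if not uuids:
            unresolved.append(rec)  # the blank-UUID condition described after STEP 7
            continue
        for uuid in uuids:
            if uuid not in seen:
                seen.add(uuid)
                actions.append((uuid, tag))
    return actions, unresolved


def apply_tags(vms: Dict, actions: List[Tuple[str, str]]) -> Dict:
    """What NSX-V Manager does with each tag request: add the tag to the guest (on a copy)."""
    updated = {u: {"ip": v["ip"], "tags": set(v["tags"])} for u, v in vms.items()}
    for uuid, tag in actions:
        if uuid in updated:
            updated[uuid]["tags"].add(tag)
    return updated


def quarantine_dag_members(vms: Dict, tag: str) -> Set[str]:
    """IPs the quarantine DAG receives: guests matching 'Security Tag Contains <tag>' (STEP 6)."""
    return {v["ip"] for v in vms.values() if any(tag in t for t in v["tags"])}


def release_from_quarantine(vms: Dict, uuid: str, tag: str) -> Dict:
    """STEP 7: the operator unchecks the tag on the cleared guest."""
    updated = apply_tags(vms, [])  # copy without changes
    updated[uuid]["tags"].discard(tag)
    return updated


def run_example() -> Dict:
    actions, unresolved = plan_tag_actions(SAMPLE_THREAT_LOGS, "high", AV_THREAT_HIGH_TAG, "virus")
    tagged = apply_tags(SAMPLE_VMS, actions)
    released = release_from_quarantine(tagged, "uuid-web-01", AV_THREAT_HIGH_TAG)
    return {
        "actions": actions,
        "unresolved": len(unresolved),
        "quarantined_ips": sorted(quarantine_dag_members(tagged, AV_THREAT_HIGH_TAG)),
        "after_release": sorted(quarantine_dag_members(released, AV_THREAT_HIGH_TAG)),
    }


if __name__ == "__main__":
    print(run_example())
```

The critical-severity record with blank UUIDs is counted as unresolved rather than silently dropped, which is the case to watch for on NSX-V 6.2.3 or earlier or with non-inout steering rules.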
Migrate Operations-Centric Configuration to Security-Centric Configuration

Complete the following procedure to migrate your Operations Centric configuration into Security Centric format. This migration is not required. The VM-Series firewall for VMware NSX-V supports both styles of configuration. However, using both styles of configuration in the same deployment is not recommended.

STEP 1 | Upgrade Panorama.

STEP 2 | Update the match criteria format in your dynamic address groups.
1. Select Objects > Address Groups and click the link name for your first dynamic address group.
2. Delete the existing match criteria entry.
3. Enter the new match criteria in the following format: ‘_nsx_’
4. Click OK.
5. Repeat this process for each dynamic address group.

STEP 3 | Change the security policy rules used as NSX-V steering rules to intrazone.
1. Select Policies > Security > Pre Rules and click the link name for your first security policy rule.
2. On the General tab, change the Rule Type to intrazone.
3. Click OK.
4. Repeat this process for each security policy rule.

STEP 4 | Generate new steering rules.
1. Select Panorama > VMware > NSX-V > Steering Rules.
2. Click Auto-Generate Steering Rules.

STEP 5 | Commit your changes. When you commit your changes, Panorama pushes updates to NSX-V Manager.
1. Verify that NSX-V Manager created new security groups.
   1. Log in to vCenter and select Networking & Security > Security Groups.
   2. The new security groups (mapped to the updated dynamic address groups) should appear in the following format: -
2. Verify that NSX-V Manager created new steering rules.
   1. Select Networking & Security > Firewall > Configuration > Partner security services.
   2. The new steering rules (mapped to the security policy rules you created on Panorama) are listed above the old steering rules.
STEP 6 | Add match criteria to the newly created security groups to ensure that your VMs are placed in the correct security group. There are two ways to complete this task: recreate the match criteria from the old security group in the new security group, or nest the old security group within the new security group.

To recreate the match criteria from the old security group:
1. Select Networking & Security > Service Composer > Security Groups.
2. Click a new security group and select Edit Security Group.
3. Select Define dynamic membership and click the plus icon.
4. Add the same match criteria as in the corresponding old security group.
5. Repeat this process for each new security group.
6. Delete the old security groups.

To nest the old security group within the new security group: with this method, the VMs in the old security group are added to the new security group, and any new VM that meets the criteria of the old security group is automatically added to the new security group as well.
1. Select Networking & Security > Service Composer > Security Groups.
2. Click a new security group and select Edit Security Group.
3. Select Select objects to include.
4. Select the Security Group Object Type.
5. Choose the corresponding old security group under Available Objects and move it to Selected Objects by clicking the right arrow icon.
6. Click Finish.

STEP 7 | Delete the old steering rules from vCenter.
1. Select Networking & Security > Firewall > Configuration > Partner security services.
2. Delete the old steering rules. Take care not to delete the Palo Alto Networks rules created by the Security-Centric workflow. These steering rule sections use the following naming convention.
-

Use Case: Shared Compute Infrastructure and Shared Security Policies

This use case lets you logically isolate traffic from two tenants that share an ESXi cluster and a common set of security policies. To isolate each tenant's traffic, you create a service definition with a template stack that includes two zones. Zone-based traffic separation makes it possible to distinguish traffic between virtual machines that belong to separate tenants as it traverses the firewall. The firewall distinguishes tenant traffic based on the service profiles and security groups created on the NSX-V Manager, which are available as match criteria in dynamic address groups on the firewall. Therefore, even with overlapping IP addresses, you can segregate traffic from each tenant and secure each tenant's virtual machines using zone-based policy rules (source and destination zones must be the same) and dynamic address groups.

STEP 1 | Enable Communication Between the NSX-V Manager and Panorama.
This is a one-time task and is required only if you have not already enabled access between the NSX-V Manager and Panorama.

STEP 2 | Create Template(s) and Device Group(s) on Panorama.
1. Log in to the Panorama web interface.
2. Select Panorama > Templates to add a template stack. This use case has a template stack named NSX-Template.
3. Select Panorama > Device Groups and add a device group. This use case has a device group named NSX-DG.
4. Create two zones within the template stack. To isolate traffic for each tenant, you need two zones in this use case.
   a. Select Network > Zones.
   b. Select the correct template stack in the Template drop-down.
   c. Select Add and enter a zone Name. For example, Tenant1.
   d. Set the interface Type to Virtual Wire.
   e. Click OK.
   f. Repeat the steps to add another zone, for example, Tenant2.
   g.
Verify that the zones are attached to the correct template stack.

STEP 3 | Create the Service Definitions on Panorama.
1. Select Panorama > VMware > NSX-V > Service Definitions.
2. Select Add and fill in the details.
3. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

STEP 4 | Create Security Groups and Steering Rules.
1. Select Objects > Address Groups and Set Up Dynamic Address Groups on Panorama for each tenant's virtual machines. For example, this use case has two security groups per tenant: one for the web servers and one for the application servers.
2. Select Policies > Security > Pre Rules to set up the security policy rules that send traffic to the VM-Series firewall.
3. Select Panorama > VMware > NSX-V > Steering Rules and click Auto-Generate Steering Rules.
4. Commit your changes.

STEP 5 | Prepare the ESXi Host for the VM-Series Firewall.
The ESXi hosts in the cluster must have the NSX-V components that allow the NSX-V firewall and the VM-Series firewall to work together. The NSX-V Manager installs the components required to deploy the VM-Series firewall: the ESX Agent Manager (EAM) and the SDK.

STEP 6 | Deploy the Palo Alto Networks NGFW Service.
1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), select the service definition for the Palo Alto Networks next-generation firewall you want to deploy (Palo Alto Networks NGFW Test 1 in this example), make your selections, including the ESXi cluster to which you want to deploy the firewall, and click Finish.
3. Verify that the NSX-V Manager reports the Installation Status as Successful.
4. Verify that the VM-Series firewall is successfully deployed.
   a.
On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
   b. View the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.

STEP 7 | Apply Security Policies to the VM-Series Firewall.
1. Create dynamic address groups for each tenant on Panorama. The dynamic address groups match on the names of the security groups you defined on the NSX-V Manager.
   a. On Panorama, select Objects > Address Groups.
   b. Select the correct Device Group from the drop-down and click Add.
   c. Add a Name for the address group, set Type to Dynamic, and Add Match Criteria. Verify that you select the correct tags for each tenant; the tag includes the service profile ID, the security group name, and the security group ID. For example, this use case has four dynamic address groups:
2. On Panorama, create security policy rules that use the dynamic address groups as source or destination address objects, and push them to the firewalls.
   a. Select Policies > Security > Pre Rules and click Add.
   b. Create rules for each tenant. This use case has the following policy rules:
   c. Click Commit, and select Commit Type as Device Groups. Select the device group, NSX-DG in this example, and click OK.

STEP 8 | Verify that traffic from each tenant is secured.
1.
Log in to the CLI on the firewall and enter the following command to view the subinterfaces on the firewall:

    show interface all
    total configured hardware interfaces: 2
    name                id    speed/duplex/state   mac address
    ---------------------------------------------------------------
    ethernet1/1         16    auto/auto/up         d4:f4:be:c6:af:10
    ethernet1/2         17    auto/auto/up         d4:f4:be:c6:af:11
    aggregation groups: 0

    total configured logical interfaces: 6
    name                id    vsys  zone        forwarding
    ---------------------------------------------------------------
    ethernet1/1         16    1                 vwire:ethernet1/2
    ethernet1/1.3       4099  1     TENANT-1    vwire:ethernet1/2.3
    ethernet1/1.4       4100  1     TENANT-2    vwire:ethernet1/2.4
    ethernet1/2         17    1                 vwire:ethernet1/1
    ethernet1/2.3       4355  1     TENANT-1    vwire:ethernet1/1.3
    ethernet1/2.4       4356  1     TENANT-2    vwire:ethernet1/1.4

2. On the web interface of the VM-Series firewall, select Objects > Address Groups and verify that you can view the IP addresses of the members of each dynamic address group. The following is an example of duplicate IP addresses in dynamic address groups across both tenants.
3. View the ACC and Monitor > Logs > Traffic. Filter on the zone name to ensure that traffic from the virtual machines of each tenant is secured.

Use Case: Shared Security Policies on Dedicated Compute Infrastructure

If you are a managed service provider who needs to secure a large enterprise (tenant) with multiple departments (sub-tenants), and each tenant requires dedicated compute infrastructure and security policy rules, you need to create a service definition for each tenant. In this use case, each tenant, Oak and Maple, has a dedicated ESXi cluster, and each tenant has sub-tenants, Dev, QA, and Prod, whose workloads are deployed in that cluster. You need to define two service definitions so that the VM-Series firewalls for each tenant can have security policies for their respective ESXi clusters.
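Both tenant use cases rest on the same point: with overlapping address space, a rule that matches on IP address alone cannot tell the tenants apart, and only the combination of zone and dynamic address group (DAG) keeps them separate. The following Python is an added illustration of that point, not code from this guide or from Palo Alto Networks. The DAG memberships, tag spellings, zones, flows and rules are constructed for the example; the tag format (service profile, security group name, security group ID) follows the guide, but the exact spelling of a real NSX-V tag is an assumption.

```python
"""
Added example (not Palo Alto Networks code): a model of why the tenant
use cases rely on zone plus dynamic address group (DAG) rather than IP
address alone. Two tenants reuse the same address space, so the same IP
is registered under two tags. All memberships, tags, zones and rules
below are constructed for the example; the tag spelling is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DAG membership as Panorama would hold it after NSX-V updates:
# tag -> member IPs. Tenant1 (serviceprofile-1) and Tenant2 (serviceprofile-2)
# both use 10.3.4.0/24, so identical IPs appear under both tenants' tags.
T1_WEB = "serviceprofile-1_Tenant1-Web_securitygroup-10"
T1_APP = "serviceprofile-1_Tenant1-App_securitygroup-11"
T2_WEB = "serviceprofile-2_Tenant2-Web_securitygroup-20"
T2_APP = "serviceprofile-2_Tenant2-App_securitygroup-21"
DAG_MEMBERS = {
    T1_WEB: {"10.3.4.185", "10.3.4.186"},
    T1_APP: {"10.3.4.201"},
    T2_WEB: {"10.3.4.185"},
    T2_APP: {"10.3.4.201"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    zone: Optional[str]      # None: the rule ignores zones (the mistake to avoid)
    src_dag: str
    dst_dag: str
    app: str
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    zone: str                # service-profile zone the steering rule delivered it on
    src: str
    dst: str
    app: str


def rule_matches(rule, flow):
    """Intrazone rule: source and destination zone are the same, so a single
    zone field suffices. Membership is looked up by DAG tag, never by IP alone."""
    if rule.zone is not None and rule.zone != flow.zone:
        return False
    return (flow.src in DAG_MEMBERS[rule.src_dag]
            and flow.dst in DAG_MEMBERS[rule.dst_dag]
            and rule.app == flow.app)


def evaluate(rules, flow):
    """First-match evaluation with an implicit deny, as on the firewall."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "implicit", "deny"


def overlapping_members(members=DAG_MEMBERS):
    """Pre-flight check: IPs registered under tags of more than one service
    profile. Any zoneless rule that matches one of these is cross-tenant."""
    owners = {}
    for tag, ips in members.items():
        profile = tag.split("_", 1)[0]
        for ip in ips:
            owners.setdefault(ip, set()).add(profile)
    return {ip for ip, profiles in owners.items() if len(profiles) > 1}


# Rules written the wrong way (no zone) and the right way (one zone per tenant).
ZONELESS_RULES = [Rule("T1-web-to-app", None, T1_WEB, T1_APP, "web-browsing")]
ZONED_RULES = [
    Rule("T1-web-to-app", "Tenant1", T1_WEB, T1_APP, "web-browsing"),
    Rule("T2-web-to-app", "Tenant2", T2_WEB, T2_APP, "ssl"),
]

# The same addresses and application seen from each tenant; only the zone differs.
T1_FLOW = Flow("Tenant1", "10.3.4.185", "10.3.4.201", "web-browsing")
T2_FLOW = Flow("Tenant2", "10.3.4.185", "10.3.4.201", "web-browsing")

if __name__ == "__main__":
    print("IPs registered under more than one tenant:", sorted(overlapping_members()))
    print("zoneless rule, Tenant2 flow:", evaluate(ZONELESS_RULES, T2_FLOW))  # Tenant1's rule leaks
    print("zoned rules,   Tenant2 flow:", evaluate(ZONED_RULES, T2_FLOW))     # implicit deny
```

Run it and the zoneless rule allows Tenant2's web-browsing flow under Tenant1's rule name (and logs it against Tenant1), while the zoned rule set denies it because Tenant2 only permits ssl between its own groups. overlapping_members is the check to run before writing policy: every IP it returns is one a zoneless rule would match for the wrong tenant.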
The service definition for each tenant includes multiple zones (with corresponding virtual wire subinterface pairs) for isolating traffic from each sub-tenant. Each zone is mapped to a service profile on the NSX-V Manager, which allows the firewall to distinguish traffic from the virtual machines of each sub-tenant and to enforce zone-based security policy rules within the common set of policy rules for the tenant. Zone-based policies in combination with dynamic address groups also allow you to secure sub-tenants that have overlapping networks, and hence duplicate IP addresses. To uniquely identify the virtual machines assigned to each sub-tenant and enforce policy correctly, the NSX-V Manager provides the service profile and the security group to which a virtual machine belongs as match criteria in dynamic address groups on Panorama. For more information, see Policy Enforcement using Dynamic Address Groups.

You can also configure role-based access control using access domains on Panorama. Access domains let you restrict administrative access to specific device groups (to manage policies and objects) and template stacks (to manage network and device settings), so that each tenant administrator can manage only the configuration of their own VM-Series firewalls. Role-based access also lets you limit log visibility to the respective tenant.

STEP 1 | Enable Communication Between the NSX-V Manager and Panorama.
This is a one-time task and is required only if you have not already enabled access between the NSX-V Manager and Panorama.

STEP 2 | Create Template(s) and Device Group(s) on Panorama.
1. Log in to the Panorama web interface.
2. Select Panorama > Templates to add template stacks. This use case has two template stacks named NSX-Template-MAPLE and NSX-Template-OAK.
3. Select Panorama > Device Groups and add device groups.
This use case has two device groups named NSX-DG-OAK and NSX-DG-MAPLE.
4. Create NSX-V service profile zones within each template stack. To isolate traffic for each sub-tenant in this use case, you need three zones per tenant.
   a. Select Network > Zones.
   b. Select the correct template stack in the Template drop-down.
   c. Select Add and enter a zone Name. For example, Tenant1.
   d. Set the interface Type to Virtual Wire.
   e. Click OK.
   f. Repeat steps a through e to add a zone for each sub-tenant.
   g. Verify that the zones are attached to the correct template stack.
5. Create the service profile zones in the other template stack in the same way.

STEP 3 | Create the Service Definitions on Panorama.
1. Select Panorama > VMware > NSX-V > Service Definitions.
2. Select Add and fill in the details of the service definition for each tenant. In this example, the two service definitions are Palo Alto Networks - Maple and Palo Alto Networks - Oak.
3. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

STEP 4 | Create Security Groups and Steering Rules.
1. Select Objects > Address Groups and Set Up Dynamic Address Groups on Panorama for each tenant's virtual machines. For example, this use case has two security groups per tenant: one for the web servers and one for the application servers.
2. Select Policies > Security > Pre Rules to set up the security policy rules that send traffic to the VM-Series firewall.
3. Select Panorama > VMware > NSX-V > Steering Rules and click Auto-Generate Steering Rules.
4.
Commit your changes.

STEP 5 | Prepare the ESXi Host for the VM-Series Firewall.
The ESXi hosts in the cluster must have the NSX-V components that allow the NSX-V firewall and the VM-Series firewall to work together. The NSX-V Manager installs the components required to deploy the VM-Series firewall: the ESX Agent Manager (EAM) and the SDK.

STEP 6 | Deploy the Palo Alto Networks NGFW Service.
1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), select the service definition for the Palo Alto Networks next-generation firewall you want to deploy (Palo Alto Networks - Maple or Palo Alto Networks - Oak in this example), make your selections, and click Finish. Repeat for the other tenant's service definition and cluster.
3. Verify that the NSX-V Manager reports the Installation Status as Successful.
4. Verify that the VM-Series firewall is successfully deployed.
   a. On the vCenter server, select Hosts and Clusters to check that every host in each cluster has one instance of the firewall.
   b. View the management IP address(es) and the PAN-OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN-OS software image and is automatically enabled when you launch the VM-Series firewall.

STEP 7 | Apply Security Policies to the VM-Series Firewall.
1. Create dynamic address groups for each sub-tenant on Panorama. The dynamic address groups match on the names of the security groups you defined on the NSX-V Manager.
   a. On Panorama, select Objects > Address Groups.
   b. Select a Device Group from the drop-down and click Add.
   c. Add a Name for the address group, set Type to Dynamic, and Add Match Criteria. For ease of management, give the dynamic address group the same name as the security group on the NSX-V Manager.
   d. Create the dynamic address groups for the sub-tenants of the other tenant, Oak in this example.
2. On Panorama, create security policy rules that use the dynamic address groups as source or destination address objects, and push them to the firewalls.
   a. Select Policies > Security > Pre Rules.
   b. Select a Device Group from the drop-down and click Add.
   c. Create rules for each sub-tenant. Keep the source and destination zone the same in each policy rule. To ensure that only the application running on the server is allowed, allow the service on the application-default port only. This use case has the following policy rules for the tenant Maple:
   d. Select the other Device Group from the drop-down and create the security policy rules for each sub-tenant of the other tenant, Oak in this example.
   e. Click Commit, and select Commit Type as Device Groups. Select the device groups, NSX-DG-OAK and NSX-DG-MAPLE in this example, and click OK. The commit pushes the security policy rules to the firewalls that belong to each device group, so they can enforce policy on the traffic redirected by the NSX-V Manager.

STEP 8 | Verify that traffic from each tenant is secured.
1. On Panorama, go to Monitor > Logs > Traffic and Monitor > Logs > Threat to view the Traffic and Threat logs. Select the device group for a tenant and sort on the Zone name for full visibility into traffic from each sub-tenant.
2. On Panorama, use the ACC for visibility into traffic patterns and actionable information on threats. Use the widgets and filters to interact with the data on the ACC.
3. On the VM-Series firewall, select Objects > Address Groups to view the IP addresses of the members of each dynamic address group.
STEP 9 | (Optional) Enable role-based access for tenant administrators to manage the configuration and policies for their VM-Series firewalls.
1. Create an access domain. An access domain restricts admin access to a specific device group and template stack. In this example, you create two access domains and restrict each to the device group and template stack of the respective tenant.
2. Configure an admin role of type Device Group and Template and allow the administrator to manage the access domain. The administrator can only manage the firewalls that belong to the access domain.
3. Create an administrative account and associate the access domain and admin role with the account.

Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama

To enforce security policies in a VM-Series and NSX-V integrated data center, Panorama must be able to learn about changes in the virtual landscape. As virtual machines are deployed, changed, or deleted, the NSX-V Manager informs Panorama of the IP addresses added to or removed from security groups on the NSX-V Manager. Panorama in turn pushes this information to the VM-Series firewalls. Dynamic address groups referenced in firewall policies match against this information to determine the members of each group. This process allows the firewall to enforce context-aware security policy that secures traffic to and from these virtual machines. For details on dynamic address groups, see Policy Enforcement using Dynamic Address Groups.

The following diagram illustrates how the information is relayed from the NSX-V Manager to Panorama.
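As an added illustration of the relay just described (this is not code from the guide or from Palo Alto Networks), the following Python takes a security-group update of the kind the NSX-V Manager sends, derives the tag that a dynamic address group matches on (the trace below shows it as the security group name followed by the security group ID, for example WebServers-securitygroup-10), and computes the register/unregister delta that Panorama pushes to each firewall. The XML layout of the update is an assumption: only the tokens securitygroup-10, WebServers and the member IP addresses survive in the log trace, so the element names here are constructed.

```python
"""
Added example (not Palo Alto Networks code): derive dynamic-address-group
tags from an NSX-V security-group container-set update and compute the
register/unregister delta that Panorama would push to the firewalls.

The XML layout below is an assumption. The real NSX-V containerset schema
is not reproduced in the guide; only 'securitygroup-10', 'WebServers' and
the member IP addresses survive in the log trace, so element names are
constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

# Constructed sample update, mirroring the values in the configd.log trace.
SAMPLE_UPDATE = """<containerSet>
  <container>
    <id>securitygroup-10</id>
    <name>WebServers</name>
    <address>10.3.4.185</address>
    <address>10.3.4.186</address>
    <address>15.0.0.203</address>
    <address>15.0.0.202</address>
  </container>
  <container>
    <id>securitygroup-16</id>
    <name>DomainControllers</name>
    <address>15.0.0.201</address>
  </container>
</containerSet>"""


def tag_for(name, sg_id):
    """Tag format seen in the trace: '<security group name>-<security group id>'."""
    return f"{name}-{sg_id}"


def parse_container_set(xml_text):
    """Return {tag: set of member IPs} for every container in the update.
    Addresses are validated so a malformed update cannot inject arbitrary
    strings into the IP-to-tag mapping that policy is evaluated against."""
    root = ET.fromstring(xml_text)
    result = {}
    for container in root.findall("container"):
        sg_id = container.findtext("id", "").strip()
        name = container.findtext("name", "").strip()
        if not sg_id.startswith("securitygroup-") or not name:
            raise ValueError(f"unexpected container {sg_id!r}/{name!r}")
        ips = set()
        for addr in container.findall("address"):
            ips.add(str(ipaddress.ip_address((addr.text or "").strip())))
        result[tag_for(name, sg_id)] = ips
    return result


def registration_delta(previous, current):
    """Return ([(ip, tag) to register], [(ip, tag) to unregister]).
    A tag missing from the new update is unregistered for all its old members."""
    reg, unreg = [], []
    for tag in sorted(set(previous) | set(current)):
        before = previous.get(tag, set())
        after = current.get(tag, set())
        reg.extend((ip, tag) for ip in sorted(after - before))
        unreg.extend((ip, tag) for ip in sorted(before - after))
    return reg, unreg


def summarize(reg, unreg):
    """Mirror the 'Send to device' log format: '[UNREG: n; REG: m]'."""
    return f"[UNREG: {len(unreg)}; REG: {len(reg)}]"


if __name__ == "__main__":
    # State Panorama already holds: WebServers had two members, the update adds two more.
    previous = {"WebServers-securitygroup-10": {"10.3.4.185", "10.3.4.186"},
                "DomainControllers-securitygroup-16": {"15.0.0.201"}}
    current = parse_container_set(SAMPLE_UPDATE)
    reg, unreg = registration_delta(previous, current)
    print(summarize(reg, unreg))
    for ip, tag in reg:
        print("REG  ", ip, tag)
    for ip, tag in unreg:
        print("UNREG", ip, tag)
```

With the two new WebServers members the delta is [UNREG: 0; REG: 2] for WebServers-securitygroup-10, which is what the "Send to device" line in the trace reports. The validation in parse_container_set is the part worth keeping in any real consumer of this feed: the tag and IP mapping is policy input, so a container without a securitygroup- ID or an address that is not an IP is rejected rather than registered.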
To understand this process, let's trace the information update sent from the NSX-V Manager to Panorama when a new server is added to a security group. Use the elements highlighted in the output of each phase of this example to troubleshoot where the process failed.

STEP 1 | To view the updates in real time, log in to the Command Line Interface on Panorama.

STEP 2 | Verify that the request from the NSX-V Manager is routed to the web server on Panorama. To check the web server log on Panorama during an NSX-V security group update, use the following command:

    admin@Panorama> tail follow yes webserver-log cmsaccess.log
    127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "POST /unauth/php/RestApiAuthenticator.php HTTP/1.1" 200 433
    127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "PUT /api/index.php?client=wget&file-name=dummy&type=vmware/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset HTTP/1.0" 200 446

If your output does not include these entries, check for routing issues. Ping Panorama from the NSX-V Manager and check for ACLs or other network security devices that might be blocking communication between the NSX-V Manager and Panorama.

STEP 3 | Verify that the request is parsed by the PHP daemon on Panorama.
1. Enable debug using the following URL: https://<Panorama IP address>/php/utils/debug.php
2. From the CLI, enter the following command to view the logs generated by the PHP server:

    admin@Panorama> tail follow yes mp-log php.debug.log
    [2014/12/03 14:24:11] ...
    PUT update _vsm_admin 4006474760514053 /vmware/2.0/si/serviceprofile/serviceprofile-1/containerset securitygroup-10WebServers8IP
    10.3.4.185
    10.3.4.186
    15.0.0.203
    15.0.0.202]]>

STEP 4 | Verify that the information is processed by the management server on Panorama.
1. Enable debugging on the management server using the following command:

    admin@Panorama> debug management-server on debug

2. Enter the following command to view the configd log:

    admin@Panorama> tail follow yes mp-log configd.log

3. In the output, check that the update was relayed from the PHP daemon to the management server daemon:

    2014-12-03 14:24:11.143 -0800 debug: pan_job_progress_monitor(pan_job_mgr.c:3694): job-monitor: updated 0 jobs
    ...
    2014-12-03 14:24:11.641 -0800 debug: recursive_add_params(pan_op_ctxt.c:158): > ''url''=''/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset''
    2014-12-03 14:24:11.641 -0800 debug: recursive_add_params(pan_op_ctxt.c:158): > ''data''='' securitygroup-10WebServers8IP
    10.3.4.185
    10.3.4.186
    15.0.0.203
    15.0.0.202''
    2014-12-03 14:24:11.641 -0800 Received vshield update: PUT /vmware/2.0/si/serviceprofile/serviceprofile-1/containerset
    Received dynamic address update from VSM: PUT update _vsm_admin 4006474760514053/vmware/2.0/si/serviceprofile/serviceprofile-1/containersetsecuritygroup-10WebServers8IP
    10.3.4.185
    10.3.4.186
    15.0.0.203
    15.0.0.202]]>

4. Look for the list of IP addresses and security group tags. The tag is the security group name followed by the security group ID:

    2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 10.3.4.185
    2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
    2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 15.0.0.202
    2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
    pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: DomainControllers-securitygroup-16
    2014-12-03 14:24:11.647 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 15.0.0.201
    2014-12-03 14:24:11.648 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SQLServers-securitygroup-11
    2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServers-securitygroup-13
    2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 10.3.4.187
    2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServers-securitygroup-13
    ...

5. Finally, verify that the update was relayed from the management server daemon to the managed firewalls.
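The stages traced above can be checked mechanically when the relay stops working. The following helper is an added example, not Palo Alto Networks code: it scans lines captured from cmsaccess.log, php.debug.log and configd.log, reports the last stage the security group update reached, and says what to check next. The log lines embedded in it are constructed from the excerpts on this page, and the regular expressions assume the wording shown there.

```python
"""
Added example (not Palo Alto Networks code): triage helper for the
NSX-V Manager to Panorama relay trace. It reports the last stage reached
and the next thing to check. The embedded log lines are constructed from
the excerpts in the guide; the patterns assume that wording.
"""
import re

# One pattern per stage, in the order the update must pass through them.
STAGES = [
    ("webserver", re.compile(r'"PUT /api/index\.php\?\S*containerset HTTP/1\.\d" (\d{3})')),
    ("php", re.compile(r"PUT update .*?/containerset")),
    ("configd-received", re.compile(r"Received (vshield|dynamic address) update")),
    ("configd-tags", re.compile(r"pan_cfg_mongo_sel_ip_taglist_by_tag_rev.*tag: (\S+)")),
    ("send-to-device", re.compile(r"Send to device: (\d+) \[UNREG: (\d+); REG: (\d+)\]")),
]

HINTS = {
    "webserver": "No PUT reached the Panorama web server: check routing, ACLs and devices between NSX-V Manager and Panorama.",
    "php": "The web server logged the PUT but PHP did not parse it: enable debug.php and read php.debug.log.",
    "configd-received": "PHP parsed the update but configd did not receive it: enable 'debug management-server on debug'.",
    "configd-tags": "configd received the update but derived no tags: check the security group name and ID in the payload.",
    "send-to-device": "Tags were derived but no push to a firewall was logged: check the firewall's connection to Panorama.",
}


def relay_stage(cms_lines, php_lines, configd_lines):
    """Return (last_stage_reached, hint_or_None, details). Stages are checked
    in order; the first one with no matching line is the fault point."""
    sources = {"webserver": cms_lines, "php": php_lines,
               "configd-received": configd_lines, "configd-tags": configd_lines,
               "send-to-device": configd_lines}
    details = {"tags": set(), "serials": [], "put_status": None}
    last = None
    for name, pattern in STAGES:
        passed = False
        for line in sources[name]:
            m = pattern.search(line)
            if not m:
                continue
            if name == "webserver":
                details["put_status"] = m.group(1)
                if not m.group(1).startswith("2"):
                    continue  # the PUT arrived but the web server rejected it
            elif name == "configd-tags":
                details["tags"].add(m.group(1))
            elif name == "send-to-device":
                details["serials"].append((m.group(1), int(m.group(2)), int(m.group(3))))
            passed = True
        if not passed:
            hint = HINTS[name]
            if name == "webserver" and details["put_status"]:
                hint = (f"The PUT reached Panorama but returned HTTP {details['put_status']}: "
                        "check cmsaccess.log and php.debug.log for the error.")
            return last, hint, details
        last = name
    return last, None, details


# Constructed sample lines, taken from the trace in the guide.
CMS_LOG = [
    '127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "POST /unauth/php/RestApiAuthenticator.php HTTP/1.1" 200 433',
    '127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "PUT /api/index.php?client=wget&file-name=dummy&type=vmware/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset HTTP/1.0" 200 446',
]
PHP_LOG = [
    "[2014/12/03 14:24:11] PUT update _vsm_admin 4006474760514053 /vmware/2.0/si/serviceprofile/serviceprofile-1/containerset securitygroup-10WebServers8IP",
]
CONFIGD_LOG = [
    "2014-12-03 14:24:11.641 -0800 Received vshield update: PUT /vmware/2.0/si/serviceprofile/serviceprofile-1/containerset",
    "2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 10.3.4.185",
    "2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10",
    "Send to device: 007900002079 [UNREG: 0; REG: 2] with dynamic address update : WebServers-securitygroup-10",
]

if __name__ == "__main__":
    stage, hint, details = relay_stage(CMS_LOG, PHP_LOG, CONFIGD_LOG)
    print("last stage:", stage, "| tags:", sorted(details["tags"]), "| pushes:", details["serials"])
    print("hint:", hint)
```

Feed it the three logs captured during one security group change; a healthy relay ends at send-to-device with the firewall serial and REG/UNREG counts, and a broken one stops at the stage whose output the guide tells you to inspect.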
The configd log entry that confirms the push to a managed firewall:

    Send to device: 007900002079 [UNREG: 0; REG: 2] with dynamic address update : WebServers-securitygroup-10 WebServers-securitygroup-10

Set Up the VM-Series Firewall on VMware NSX-T Data Center

The VM-Series firewall on VMware NSX-T integrates Palo Alto Networks next-generation firewalls and Panorama with ESXi host servers to provide comprehensive visibility and safe application enablement of all north-south traffic in your NSX-T software-defined data center. The following topics provide information about the VM-Series firewall on VMware NSX-T:
• Supported Deployments of the VM-Series Firewall on VMware NSX-T
• Components of the VM-Series Firewall on NSX-T
• Deploy the VM-Series Firewall on NSX-T

Supported Deployments of the VM-Series Firewall on VMware NSX-T

You can deploy one or more instances of the VM-Series firewall as a partner service in your VMware NSX-T Data Center. Attach a VM-Series firewall to any tier-0 or tier-1 logical router to protect north-south traffic. You can deploy the VM-Series firewall as a standalone service instance or as two firewalls in a high-availability (HA) pair. Panorama manages the connection with NSX-T Manager and the VM-Series firewalls deployed in your NSX-T software-defined data center.
• Tier-0 Insertion—Tier-0 insertion deploys a VM-Series firewall to a tier-0 logical router, which processes traffic between logical and physical networks. When you deploy the VM-Series firewall with tier-0 insertion, NSX-T Manager uses the deployment information you configured on Panorama to attach a firewall to a tier-0 logical router in virtual wire mode.
• Tier-1 Insertion—Tier-1 insertion deploys a VM-Series firewall to a tier-1 logical router, which provides downlink connections to segments and uplink connections to tier-0 logical routers.
NSX-T Manager attaches VM-Series firewalls deployed with tier-1 insertion to a tier-1 logical router in virtual wire mode. After deploying the firewall, you configure traffic redirection rules that send traffic to the VM-Series firewall when it crosses a tier-0 or tier-1 router. Security policy rules that you configure on Panorama are pushed to the managed VM-Series firewalls and applied to traffic passing through the firewall.

Components of the VM-Series Firewall on NSX-T

The following tables show the components of this joint Palo Alto Networks and VMware NSX-T solution.

VMware Components
vCenter/ESXi: The vCenter server is the centralized management tool for the vSphere suite. ESXi is a hypervisor that enables compute virtualization. Refer to VMware's Compatibility Matrix for vCenter compatibility with your version of NSX-T.
NSX-T Manager: VMware NSX-T Data Center 2.4.0 or later must be installed and registered with the vCenter server. The NSX-T Manager is required to deploy the VM-Series firewall on the ESXi hosts within an ESXi cluster.

Palo Alto Networks Components
PAN-OS: The VM-Series base image (PA-VM-NST-9.0.4.zip) is required for deploying the VM-Series firewall on NSX-T. The minimum system requirement for deploying the VM-Series firewall for NSX on the ESXi server depends on your VM-Series model. See VM-Series Models for the minimum hardware requirements for your VM-Series model.
Panorama: The VM-Series firewall on NSX-T requires Panorama 9.0.4 or later. Panorama must be running the same or a later release version than the firewalls that it will manage. Panorama is the centralized management tool for the Palo Alto Networks next-generation firewalls. In this solution, Panorama works with the NSX-T Manager to deploy, license, and centrally administer configuration and policies for the VM-Series firewall for NSX-T.
Panorama must be able to connect to the NSX-T Manager, the VM-Series firewalls, and the Palo Alto Networks update server. See the 9.0 Panorama Administrator's Guide for information about deploying your Panorama appliance.
Panorama Plugin for VMware NSX: 3.0.0 or later.
VM-Series Plugin: 1.0.6 or later.
VM-Series Firewall Models: The VM-100, VM-300, VM-500, and VM-700 support NSX-T.

Deploy the VM-Series Firewall on NSX-T

Complete the following tasks to secure north-south traffic in your NSX-T environment with the VM-Series firewall.
• Install the Panorama Plugin for VMware NSX
• Enable Communication Between NSX-T Manager and Panorama
• Create Template Stacks and Device Groups on Panorama
• Configure the Service Definition on Panorama
• Deploy the VM-Series Firewall
• Direct Traffic to the VM-Series Firewall
• Apply Security Policy to the VM-Series Firewall on NSX-T

Install the Panorama Plugin for VMware NSX

Download and install the Panorama Plugin for VMware NSX. See the Compatibility Matrix before installing or upgrading your plugin.

If you have a Panorama HA configuration, repeat this installation on each Panorama peer. When installing the plugin on Panorama HA peers, install it on the passive peer before the active peer. After you install the plugin on the passive peer, it transitions to a non-functional state; installing the plugin on the active peer returns the passive peer to a functional state.

STEP 1 | Select Panorama > Plugins.
STEP 2 | Select Check Now to retrieve a list of available updates.
STEP 3 | Select Download in the Action column to download the plugin.
STEP 4 | Select the version of the plugin and click Install in the Action column to install the plugin. Panorama alerts you when the installation is complete.
Enable Communication Between NSX-T Manager and Panorama

Complete the following procedure to enable communication between Panorama and NSX-T Manager. You can connect your Panorama to up to 16 NSX-T Managers. If you are connecting Panorama to multiple NSX-T Managers, plan your device group hierarchy and template stacks carefully and consider how they interact with the other components needed for deployment. Service definitions reference device groups and template stacks and push that information to the firewalls in the related ESXi clusters.

STEP 1 | (Optional) Bypass the proxy server settings configured on Panorama under Panorama > Setup > Services > Proxy Server for communication between Panorama and NSX-T Manager. This allows Panorama to communicate directly with NSX-T Manager while keeping proxied communication for other services.
1. Log in to the Panorama CLI.
2. Execute the following command to enable or disable proxy bypass:

    admin@Panorama> request plugins vmware_nsx proxy bypass {yes | no}

Select yes to enable proxy bypass and no to disable it. The default is no.

STEP 2 | Log in to the Panorama web interface. Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<Panorama IP address>).

STEP 3 | Set up access to the NSX-T Manager. Repeat this procedure for each NSX-T Manager to which you will connect Panorama.
1. Select Panorama > VMware > NSX-T > Service Managers and click Add.
2. Enter a descriptive Name for your NSX-T Manager.
3. (Optional) Add a Description for the NSX-T Manager.
4. Enter the NSX Manager URL (the NSX-T Manager cluster virtual IP address or FQDN) at which to access the NSX-T Manager.
5. Enter the NSX Manager Login credentials (username and password) so that Panorama can authenticate to the NSX-T Manager.
6. Click OK.
If you change your NSX-T Manager login password, update the password on Panorama immediately. An incorrect password breaks the connection between Panorama and NSX-T Manager.

STEP 4 | Commit your changes to Panorama. Select Commit and Commit to Panorama.

STEP 5 | Verify the connection status on Panorama.
1. Select Panorama > VMware > NSX-T > Service Managers.
2. Verify the message in the Status column. When the connection is successful, the status displays as Registered, which indicates that Panorama and the NSX-T Manager are in sync. The unsuccessful status messages are:
• No connection: Unable to reach or establish a network connection to the NSX-T Manager.
• Invalid Credentials: The access credentials (username and/or password) are incorrect.
• Out of sync: The configuration settings defined on Panorama differ from what is defined on the NSX-T Manager. Click the link for details on the reasons for the failure. For example, NSX-T Manager may have a service definition with the same name as one defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX-T Manager. Until the configuration on Panorama and the NSX-T Manager is synchronized, you cannot add a new service definition on Panorama.
• Connection Disabled: The connection between Panorama and the NSX-T Manager was manually disabled.

Create Template Stacks and Device Groups on Panorama

To manage the VM-Series firewalls on NSX-T using Panorama, the firewalls must belong to a device group and a template stack. Device groups let you assemble firewalls that need similar policies and objects into a logical unit; this configuration is defined using the Objects and Policies tabs on Panorama. Template stacks configure the settings required for the VM-Series firewalls to operate on the network; this configuration is defined using the Device and Network tabs on Panorama.
Each template stack used in your NSX-T configuration must be associated with a service definition. Firewalls deployed in NSX-T have two default zones and two interfaces configured in virtual-wire mode: ethernet1/1 is in zone south and ethernet1/2 is in zone north. To push policy rules from Panorama to managed firewalls, the zones and interfaces you configure in the corresponding template stack on Panorama must match those on the firewall.

STEP 1 | Add a device group or a device group hierarchy.
1. Select Panorama > Device Groups, and click Add. You can also create a device group hierarchy.
2. Enter a unique Name and a Description to identify the device group.
3. Click OK.
4. Click Commit and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

STEP 2 | Add a template.
1. Select Panorama > Templates, and click Add.
2. Enter a unique Name and a Description to identify the template.
3. Click OK.
4. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

STEP 3 | Create a template stack.
1. Select Panorama > Templates, and click Add Stack.
2. Enter a unique Name and a Description to identify the template stack.
3. Click Add to add the template you created previously.
4. Click OK.
5. Click Commit, and select Commit to Panorama to save the changes to the running configuration on Panorama.

STEP 4 | Configure the virtual wire, interfaces, and zones. Ensure that you select the correct template from the drop-down. The objects you create must meet the following criteria (if you change the default virtual wire or zone names, the virtual wire and zones on Panorama must match the names used on the firewall):
• Use ethernet1/1 and ethernet1/2.
• The virtual wire object is named vw1.
• The first zone is named south, is of type virtual-wire, and contains ethernet1/1.
• The second zone is named north, is of type virtual-wire, and contains ethernet1/2.
Repeat this process for each template in your deployment.

STEP 5 | Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.

Configure the Service Definition on Panorama

A service definition specifies the configuration for the VM-Series firewalls installed in your NSX-T data center environment. The service definition must include the device group, a template stack, and an OVF URL.

STEP 1 | Add a new service definition. You can create up to 32 service definitions on Panorama.
1. Select Panorama > VMware > NSX-T > Service Definitions.
2. Select Add to create a new service definition.
3. Enter a descriptive Name for your service definition.
4. (Optional) Add a Description that identifies the function or purpose of the VM-Series firewalls that will be deployed using this service definition.

STEP 2 | Assign a device group and a template stack to the service definition. Make sure that you first Create Template Stacks and Device Groups on Panorama. Because the firewalls deployed in this solution are centrally administered from Panorama, you must specify the Device Group and the Template Stack that the firewalls belong to. All firewalls deployed using this service definition belong to the specified template stack and device group.
1. Select the device group or device group hierarchy in the Device Group drop-down.
2. Select the template stack in the Template drop-down. You cannot reuse a template stack or a device group assigned to one service definition in another service definition.

STEP 3 | Specify the location of the OVF file. Download the zip file and unzip it to extract the .ovf, .mf, and .vmdk files, saving them to the same directory. The .ovf and .vmdk files are used to deploy each instance of the firewall; the .mf manifest lists the digests of the other files.
If needed, modify the security settings on the web server so that these file types can be downloaded. For example, on an IIS server modify the MIME Types configuration; on an Apache server edit the .htaccess file. In OVF URL, add the location of the web server that hosts the .ovf file. Both http and https are supported; prefer https so that the image cannot be altered in transit between the web server and the ESXi hosts. For example, enter https://acme.com/software/PA-VM-NST.9.0.4.ovf. You can use the same .ovf version or different versions across service definitions. Using different .ovf versions across service definitions lets you vary the PAN-OS version on the VM-Series firewalls in different ESXi clusters.

STEP 4 | Select North South as the Insertion Type for your firewall.

STEP 5 | Click OK to save the service definition.

STEP 6 | Attach the service definition to the service manager.
1. Select Panorama > VMware > NSX-T > Service Manager and click the link of the service manager name.
2. Under Service Definitions, click Add and select your service definition from the drop-down.
3. Click OK.

STEP 7 | Add the authorization code to license the firewalls.
1. Select Panorama > Device Groups and choose the device group you associated with the service definition you just created.
2. Under Dynamically Added Device Properties, add the authorization code you received with your order fulfillment email and, optionally, select the target PAN-OS version from the SW Version drop-down (leave it at None to keep the version shipped in the OVF). When a new firewall is deployed on NSX-T, it is automatically added to the device group, licensed using the authorization code you provided, and upgraded to the PAN-OS version you specified. On the support portal, you can view the total number of firewalls that you are authorized to deploy and the ratio of licenses used to the total number of licenses enabled by your authorization code.

STEP 8 | Commit to Panorama.
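Two of the inputs to this procedure are worth checking mechanically before the commit: the OVF bundle from STEP 3 (the .mf manifest lists a digest for every file in the bundle, so a tampered or truncated .ovf or .vmdk can be caught before the ESXi hosts pull it from the web server) and the template stack from STEP 2, whose interfaces and zones must match the firewall defaults listed under Create Template Stacks and Device Groups on Panorama. The following Python is an added example, not Palo Alto Networks code: the manifest parser follows the OVF .mf line format, the config checker assumes the PAN-OS XML layout named in its docstring (an assumption, since a Panorama template export nests the same elements under the template entry), and every sample file and XML string is constructed.

```python
"""Added pre-flight checks for a service definition (example code, not Palo Alto Networks').
verify_ovf_manifest(): each file named in the OVF manifest (.mf) must hash to the digest
the manifest lists; run it on the unzipped .ovf/.vmdk before hosting them on the web server.
check_template_config(): the template's device config must carry the NSX-T defaults
(vw1 joining ethernet1/1 and ethernet1/2, zone south = ethernet1/1, zone north = ethernet1/2).
"""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# A manifest line reads "SHA256(name)= hex" (SHA1 in older bundles).
_MF_LINE = re.compile(r"^(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$")
_ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def verify_ovf_manifest(mf_path):
    """Return {file name: True if the file exists and its digest matches, else False}."""
    base, results = os.path.dirname(mf_path), {}
    with open(mf_path, encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue
            m = _MF_LINE.match(line)
            if m is None:
                raise ValueError("unrecognised manifest line: %r" % line)
            path = os.path.join(base, m.group("name"))
            if not os.path.isfile(path):
                results[m.group("name")] = False
                continue
            h = _ALGOS[m.group("algo")]()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            results[m.group("name")] = h.hexdigest().lower() == m.group("digest").lower()
    return results


EXPECTED_ZONES = {"south": "ethernet1/1", "north": "ethernet1/2"}  # NSX-T firewall defaults


def check_template_config(xml_text):
    """Return mismatches against the required virtual-wire layout (empty list = OK).
    Assumption: xml_text follows the PAN-OS layout config/devices/entry/{network,vsys}."""
    dev = ET.fromstring(xml_text).find("./devices/entry")
    problems = []
    vw = dev.find("./network/virtual-wire/entry[@name='vw1']")
    if vw is None:
        problems.append("virtual wire vw1 missing")
    elif {vw.findtext("interface1"), vw.findtext("interface2")} != set(EXPECTED_ZONES.values()):
        problems.append("vw1 must join ethernet1/1 and ethernet1/2")
    for ifname in EXPECTED_ZONES.values():
        e = dev.find("./network/interface/ethernet/entry[@name='%s']" % ifname)
        if e is None or e.find("virtual-wire") is None:
            problems.append("%s is not a virtual-wire interface" % ifname)
    for zone, ifname in EXPECTED_ZONES.items():
        z = dev.find("./vsys/entry/zone/entry[@name='%s']" % zone)
        if z is None:
            problems.append("zone %s missing" % zone)
            continue
        members = [m.text for m in z.findall("./network/virtual-wire/member")]
        if members != [ifname]:
            problems.append("zone %s should contain only %s, has %s" % (zone, ifname, members))
    return problems


# Constructed sample in the assumed layout (not a real export); BAD_XML puts north on the wrong port.
GOOD_XML = """<config><devices><entry name="localhost.localdomain"><network>
<virtual-wire><entry name="vw1"><interface1>ethernet1/1</interface1><interface2>ethernet1/2</interface2></entry></virtual-wire>
<interface><ethernet><entry name="ethernet1/1"><virtual-wire/></entry><entry name="ethernet1/2"><virtual-wire/></entry></ethernet></interface>
</network><vsys><entry name="vsys1"><zone>
<entry name="south"><network><virtual-wire><member>ethernet1/1</member></virtual-wire></network></entry>
<entry name="north"><network><virtual-wire><member>ethernet1/2</member></virtual-wire></network></entry>
</zone></entry></vsys></entry></devices></config>"""
BAD_XML = GOOD_XML.replace("<member>ethernet1/2</member>", "<member>ethernet1/1</member>")


def build_constructed_bundle(directory):
    """Write a constructed bundle (fake bytes): a good .ovf plus a .vmdk whose manifest
    digest is wrong, as a tampered or truncated download would be. Returns the .mf path."""
    files = {"PA-VM-NST-example.ovf": b"<Envelope>constructed descriptor</Envelope>\n",
             "PA-VM-NST-example-disk1.vmdk": b"KDMV constructed disk bytes\n"}
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    mf = os.path.join(directory, "PA-VM-NST-example.mf")
    with open(mf, "w", encoding="utf-8") as f:
        f.write("SHA256(PA-VM-NST-example.ovf)= %s\n" % hashlib.sha256(files["PA-VM-NST-example.ovf"]).hexdigest())
        f.write("SHA256(PA-VM-NST-example-disk1.vmdk)= %s\n" % ("0" * 64))
    return mf


def run_checks():
    """Run both checks on the constructed inputs; returns (manifest, good_problems, bad_problems)."""
    with tempfile.TemporaryDirectory() as d:
        manifest = verify_ovf_manifest(build_constructed_bundle(d))
    return manifest, check_template_config(GOOD_XML), check_template_config(BAD_XML)
```

On the constructed inputs, run_checks() reports the .ovf as good and the .vmdk as failing its digest, an empty problem list for the well-formed template config, and a single complaint that zone north contains ethernet1/1 instead of ethernet1/2. A False anywhere in the manifest result means the bundle should not be hosted; any non-empty problem list means Panorama will push policy that references zones the firewall does not have.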
STEP 9 | On the NSX-T Manager, verify that the service definition is available. Select Advanced Networking & Security > Partner Services > Catalog. The service definition is listed as a Service Instance on the NSX-T Manager.

Deploy the VM-Series Firewall

After completing the configuration on Panorama, perform the following procedure to launch the VM-Series firewall in your NSX-T Data Center.

STEP 1 | Log in to NSX-T Manager.
STEP 2 | Select Advanced Networking & Security > Partner Services > Catalog.
STEP 3 | Select the Registered Service that matches the service definition to be deployed.
STEP 4 | Select the VM-Series firewall image from the drop-down in the Registered Service entry.
STEP 5 | Click Deploy under the registered service for the service definition you want to use to launch the firewall.
STEP 6 | Click Proceed.
STEP 7 | Enter the Partner Service details. This information tells NSX-T Manager which Partner Service and logical router to use when deploying the VM-Series firewall.
1. Enter a descriptive Instance Name for your VM-Series firewall.
2. NSX-T Manager prepopulates the Partner Service field. Selecting a Partner Service populates the Deployment Specification field.
3. Click the Logical Router field and select a tier-0 or tier-1 router. NSX-T Manager attaches the VM-Series firewall to the selected router and redirects traffic passing through that router to the VM-Series firewall for inspection. You must select a router with no service insertion attached.
4. Click Next.
STEP 8 | Configure resource and storage settings.
1. Select a Compute Manager. The compute manager is the vCenter server managing your data center.
2. Select a Cluster. You can deploy the VM-Series firewall on any cluster that does not include any Edge Transport Nodes.
3. (Optional) Select the Resource Pool if you have created any on the vCenter server.
4. Select a Datastore.
5. Select the Deployment Mode for your VM-Series firewall: Standalone or High Availability.
6. Set the Failure Policy to Allow or Block. The failure policy defines how NSX-T Manager handles traffic that is directed to the VM-Series firewall if the firewall becomes unavailable: Allow lets that traffic through uninspected (fail open), Block drops it (fail closed).
7. Enter the IP Address, Gateway, Subnet Mask, and Network ID for the VM-Series firewall management port.
8. If you are deploying the VM-Series firewall in HA mode, repeat the previous step for the secondary firewall instance.
9. Click Next.
STEP 9 | Click the Deployment Template field and select a deployment template. Choosing a deployment template automatically populates the template properties. Do not edit the Template Property settings.
STEP 10 | Click Finish to deploy the VM-Series firewall.

Direct Traffic to the VM-Series Firewall

Complete the following procedure to direct traffic to your VM-Series firewall. For North-South traffic, redirection rules are stateless by default and cannot be changed. Additionally, NSX-T automatically creates a corresponding reflexive rule for return traffic. The reflexive rule does not appear in the NSX-T web interface.

STEP 1 | Log in to NSX-T Manager.
STEP 2 | Select Advanced Networking & Security > Partner Services > Service Instances.
STEP 3 | Select your service instance and click Traffic Redirection.
STEP 4 | Click the first default redirection rule.
STEP 5 | Click Add Section and select Add Section Above from the drop-down.
STEP 6 | Enter a descriptive Section Name.
STEP 7 | Click OK.
STEP 8 | Select your newly created section.
STEP 9 | Click Add Rule.
If your NSX-T environment has Edge Nodes in active-standby HA, you must create a redirect rule for each Edge Node. NSX-T does not automatically apply a redirect rule to the standby node in the event of a failover.

STEP 10 | Click the Name field and enter a descriptive name for the rule.

STEP 11 | By default, the source is set to Any. Complete the following steps to specify a different source.
1. Click the edit button in the Source column and click Edit Rule Source/Extended Source.
2. To specify container objects, click Container Objects.
   1. Select an Object Type from the drop-down.
   2. Select the Available Objects.
   3. Move the selected objects to the Selected Objects column.
3. To specify IP addresses, click IP Addresses.
   1. Click Add.
   2. Enter an IP address or IP address range.
4. Click OK.

STEP 12 | By default, the destination is set to Any. Complete the following steps to specify a different destination.
1. Click the edit button in the Destination column and click Edit Rule Destination.
2. To specify container objects, click Container Objects.
   1. Select an Object Type from the drop-down.
   2. Select the Available Objects.
   3. Move the selected objects to the Selected Objects column.
3. To specify IP addresses, click IP Addresses.
   1. Click Add.
   2. Enter an IP address or IP address range.
4. Click OK.

STEP 13 | By default, Any service is redirected to the firewall. Complete the following steps to specify certain services and protocols.
1. Click the edit button in the Service column and click Edit Rule Service.
2. To specify service objects, click Service/Service Groups.
   1. Select any Available Objects.
   2. Move the selected objects to the Selected Objects column.
3. To specify ports and protocols directly, click Raw Port-Protocols.
   1. Click Add.
   2. Select a Type of Service from the drop-down.
   3. Select a Protocol from the drop-down.
   4. Depending on the type of service and protocol you choose, additional information might be required. Complete any additional fields.
   5. Click OK.
4. Click OK.

STEP 14 | Click the Applied To field and select the router to which the VM-Series firewall is attached from the drop-down.
STEP 15 | Select Redirect from the Action drop-down to send traffic to your VM-Series firewall.
STEP 16 | Enable the rule.
STEP 17 | Click Publish. NSX-T Manager publishes the redirection rule you just created and automatically creates a reflexive rule for return traffic. The reflexive rule does not appear in the NSX-T Manager web interface. If return traffic is not directed to the VM-Series firewall, manually configure a traffic redirection rule for return traffic.

Apply Security Policy to the VM-Series Firewall on NSX-T

Now that you have deployed the VM-Series firewall and created traffic redirection rules to send traffic to the firewall, you can use Panorama to centrally manage security policy rules on the VM-Series firewall.

STEP 1 | Log in to Panorama.

STEP 2 | Create security policy rules. By default, the firewall creates a rule that allows Bidirectional Forwarding Detection (BFD). Do not create a rule that blocks BFD: if BFD is blocked, NSX-T treats the firewall as unavailable, which is the condition that triggers the Failure Policy chosen at deployment.
1. Select Policies > Security > Prerules.
2. Select the Device Group that you created for managing the VM-Series firewalls on NSX-T in Create Template Stacks and Device Groups on Panorama.
3. Click Add and enter a Name and a Description for the rule. In this example, the security rule allows all traffic between the WebFrontEnd servers and the Application servers.
4. Select the Source Zone and Destination Zone.
5. For the Source Address and Destination Address, select or type in an address, static address group, or region. The VM-Series firewall on NSX-T does not support dynamic address groups for North-South traffic.
6. Select the Application to allow. In this example, we create an Application Group that includes a static group of specific applications.
   1. Click Add and select New Application Group.
   2. Click Add to select the applications to include in the group.
   3. Click OK to create the application group.
7. Specify the action, Allow or Deny, for the traffic, and optionally attach the default security profiles for antivirus, anti-spyware, and vulnerability protection under Profiles.
8. Click Commit, select Commit to Panorama, and click OK.

STEP 3 | Apply the policies to the VM-Series firewalls on NSX-T.
1. Click Commit > Push to Devices > Edit Selections.
2. Select the device group and click OK.
3. Select Force Template Values. By default, Panorama does not override objects on the firewall with objects on Panorama that share a name. You must select Force Template Values to push policy to the managed firewalls.
4. Click Yes to confirm force template values.
5. Click OK.
6. Verify that the commit is successful.

STEP 4 | (Optional) Use a template to push a base configuration for network and device settings such as DNS server, NTP server, Syslog server, and login banner. Refer to the Panorama Administrator's Guide for information on using templates.

Set Up the VM-Series Firewall on AWS

The VM-Series firewall can be deployed in the public Amazon Web Services (AWS) cloud and AWS GovCloud.
It can then be configured to secure access to the applications that are deployed on EC2 instances and placed into a Virtual Private Cloud (VPC) on AWS.
> About the VM-Series Firewall on AWS
> Deployments Supported on AWS
> Deploy the VM-Series Firewall on AWS
> High Availability for VM-Series Firewall on AWS
> Use Case: Secure the EC2 Instances in the AWS Cloud
> Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
> Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS
> VM Monitoring on AWS
> Auto Scale VM-Series Firewalls with the Amazon ELB Service
> Secure Kubernetes Services in an EKS Cluster
> List of Attributes Monitored on the AWS VPC

About the VM-Series Firewall on AWS

Amazon Web Services (AWS) is a public cloud service that enables you to run your applications on a shared infrastructure managed by Amazon. These applications can be deployed on scalable computing capacity, EC2 instances, in different AWS regions and accessed by users over the internet. For networking consistency and ease of management of EC2 instances, Amazon offers the Virtual Private Cloud (VPC). A VPC is apportioned from the AWS public cloud and is assigned a CIDR block from the private network space (RFC 1918). Within a VPC, you can carve out public and private subnets for your needs and deploy the applications on EC2 instances within those subnets. To then control access to the applications within the VPC, you can deploy the VM-Series firewall on an EC2 instance and configure it to secure traffic to and from the EC2 instances within the VPC. The VM-Series firewall is available in both the public AWS cloud and on AWS GovCloud.
The VM-Series firewall in public AWS and AWS GovCloud supports the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) usage-based licensing model available from the AWS Marketplace. For licensing details, see VM-Series Firewall Licenses for Public Clouds.
• AWS EC2 Instance Types
• VM-Series Firewall on AWS GovCloud
• VM-Series Firewall on AWS China
• AWS Terminology
• Management Interface Mapping for Use with Amazon ELB

AWS EC2 Instance Types

The VM-Series firewalls support the following Amazon EC2 instance types: C3, C4, C5, M3, M4, and M5. You can deploy the VM-Series firewall on an AWS instance size with more resources than the minimum VM-Series System Requirements. If you choose a larger instance size for the VM-Series firewall model, the firewall only uses the maximum vCPU cores and memory shown in the table, but it does take advantage of the faster network performance that AWS provides. If you want to change the instance type on a VM-Series firewall that is licensed with the BYOL option, you must deactivate the VM before you switch the instance type to ensure that your license remains valid. See Upgrade the VM-Series Model for the reason.

The C3, C4, M3, and M4 instance types support both DPDK and SR-IOV modes. The C5 and M5 instance types, which have the Elastic Network Adapter (ENA), support SR-IOV mode only on PAN-OS 9.0.3 or earlier versions; DPDK support is available starting with PAN-OS 9.0.3.xfr. For SR-IOV and DPDK driver support by PAN-OS version, see PacketMMAP and DPDK Drivers on VM-Series Firewalls. For guidance on sizing the VM-Series firewall on AWS, refer to this article.

VM-Series Firewall on AWS GovCloud

AWS GovCloud is an isolated AWS region that meets the regulatory and compliance requirements of US government agencies and customers.
To secure workloads that contain all categories of Controlled Unclassified Information (CUI) data and government-oriented, publicly available data in the AWS GovCloud (US) Region, the VM-Series firewall provides the same robust security features on AWS GovCloud as in the standard AWS public cloud. The VM-Series firewall on AWS GovCloud and the standard AWS public cloud support the same capabilities. See AMI on AWS GovCloud to Deploy the VM-Series Firewall on AWS.

VM-Series Firewall on AWS China

The VM-Series firewall is available with the BYOL option on the AWS China Marketplace, in the AWS China (Beijing) and AWS China (Ningxia) regions. You must have an AWS China account, separate from your global AWS account, to access this image and use AWS resources on AWS China. Review the VM-Series System Requirements before you Launch the VM-Series Firewall on AWS.

AWS Terminology

This document assumes that you are familiar with the networking and configuration of the AWS VPC. To provide context for the terms used in this section, here is a brief refresher on the AWS terms referred to in this document (some definitions are taken directly from the AWS glossary):

EC2 (Elastic Compute Cloud): A web service that enables you to launch and manage Linux/UNIX and Windows server instances in Amazon's data centers.

AMI (Amazon Machine Image): An AMI provides the information required to launch an instance, which is a virtual server in the cloud. The VM-Series AMI is an encrypted machine image that includes the operating system required to instantiate the VM-Series firewall on an EC2 instance.

ELB (Elastic Load Balancing): ELB is an Amazon web service that helps you improve the availability and scalability of your applications by routing traffic across multiple EC2 instances. ELB detects unhealthy EC2 instances and reroutes traffic to healthy instances until the unhealthy instances are restored. ELB can send traffic only to the primary interface of the next-hop load-balanced EC2 instance, so to use ELB with a VM-Series firewall on AWS, the firewall must be able to use the primary interface for dataplane traffic.

ENI (Elastic Network Interface): An additional network interface that can be attached to an EC2 instance. An ENI can have a primary private IP address, one or more secondary private IP addresses, a public IP address, an Elastic IP address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag.

IP address types for EC2 instances: An EC2 instance can have different types of IP addresses.
• Public IP address: An IP address that can be routed across the internet.
• Private IP address: An IP address in the private IP address range as defined in RFC 1918. You can choose to assign an IP address manually or to auto-assign one within the range of the CIDR block for the subnet in which you launch the EC2 instance. If you are assigning an IP address manually, note that Amazon reserves the first four (4) IP addresses and the last one (1) IP address in every subnet for IP networking purposes.
• Elastic IP address (EIP): A static IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not with a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change.
An instance in a public subnet can have a private IP address, a public IP address, and an Elastic IP address (EIP); an instance in a private subnet will have a private IP address and optionally an EIP.

Instance type: Amazon-defined specifications that stipulate the memory, CPU, storage capacity, and hourly cost for an instance. Some instance types are designed for standard applications, whereas others are designed for CPU-intensive or memory-intensive applications, and so on.

VPC (Virtual Private Cloud): An elastic network populated by infrastructure, platform, and application services that share common security and interconnection.

IGW: Internet gateway provided by Amazon. Connects a network to the internet. You can route traffic for IP addresses outside your VPC to the internet gateway.

IAM Role (Identity and Access Management): Required for enabling High Availability for the VM-Series firewall on AWS. The IAM role defines the API actions and resources the application can use after assuming the role. On failover, the IAM role allows the VM-Series firewall to securely make API requests to switch the dataplane interfaces from the active peer to the passive peer. An IAM role is also required for VM Monitoring. See List of Attributes Monitored on the AWS VPC.

Subnets: A segment of the IP address range of a VPC to which EC2 instances can be attached. EC2 instances are grouped into subnets based on your security and operational needs. There are two types of subnets:
• Private subnet: The EC2 instances in this subnet cannot be reached from the internet.
• Public subnet: The internet gateway is attached to the public subnet, and the EC2 instances in this subnet can be reached from the internet.

Security groups: A security group is attached to an ENI and specifies the list of protocols, ports, and IP address ranges that are allowed to establish inbound/outbound connections on the interface. In the AWS VPC, security groups and network ACLs control inbound and outbound traffic; security groups regulate access to the EC2 instance, while network ACLs regulate access to the subnet. Because the VM-Series firewall enforces policy on the traffic it forwards, you can set more permissive rules in the security groups and network ACLs on its dataplane path and let the firewall safely enable applications in the VPC; keep the security group on the management interface restricted to the sources that administer the firewall.

Route tables: A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. A subnet can be associated with only one route table.

Key pair: A set of security credentials you use to prove your identity electronically. The key pair consists of a private key and a public key. When launching the VM-Series firewall, you must generate a key pair or select an existing key pair for the VM-Series firewall. The private key is required to access the firewall in maintenance mode.

CloudWatch: Amazon CloudWatch is a monitoring service that allows you to collect and track metrics for the VM-Series firewalls on AWS. When enabled, the firewalls use AWS APIs to publish native PAN-OS metrics to CloudWatch.

Management Interface Mapping for Use with Amazon ELB

By default, the elastic network interface (ENI) eth0 maps to the MGT interface on the firewall and ENI eth1 maps to ethernet1/1 on the firewall. Because the ELB can send traffic only to the primary interface of the next-hop load-balanced EC2 instance, the VM-Series firewall must be able to use the primary interface for dataplane traffic.
The firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM-Series firewall is behind the Amazon ELB service (for a topology diagram, see Auto Scale VM-Series Firewalls with the Amazon ELB Service):
• The VM-Series firewall(s) secure traffic outbound directly to the internet without the need for a VPN link or a Direct Connect link back to the corporate network.
• The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB.
At present, for use cases that require an ELB sandwich-type deployment to scale out firewalls and application-layer EC2 instances, swapping the management interface will not let you seamlessly deploy the ELB solution; the ability to swap the management interface only partially solves the integration with ELB.

To allow the firewall to send and receive dataplane traffic on eth0 instead of eth1, you must swap the mapping of the ENIs within the firewall so that ENI eth0 maps to ethernet1/1 and ENI eth1 maps to the MGT interface on the firewall. If possible, swap the management interface before you configure the firewall or define policy rules. Swapping how the interfaces are mapped allows ELB to distribute and route traffic to healthy instances of the VM-Series firewall located in the same or different Availability Zones on AWS for increased capacity and fault tolerance.

The interface swap is only required when the VM-Series firewall is behind the Amazon ELB service. If your requirement is to deploy the VM-Series firewalls in a traditional high availability setup, you do not need to configure the interface swap described in this section. Continue to High Availability for VM-Series Firewall on AWS.
To swap the interfaces, you have the following options:
• At launch: When you launch the firewall, you can either enter mgmt-interface-swap=enable in the User data field on the AWS management console (see Launch the VM-Series Firewall on AWS) or CLI, or include the mgmt-interface-swap operational command in the bootstrap configuration.
• After launch: After you launch the firewall, Use the VM-Series Firewall CLI to Swap the Management Interface (the set system setting mgmt-interface-swap enable yes operational command) on the firewall.
• To prevent unpredictable behavior on the firewall, pick one method to consistently specify the interface swap setting: in the bootstrap configuration, from the CLI on the firewall, or using the Amazon EC2 User data field on the AWS console.
• Ensure that you have access to the AWS console (management console or CLI) to view the IP address of the eth1 interface. Also, verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface.
• If you configured the firewall or defined policy rules before the interface swap, check whether any IP address changes for eth0 or eth1 affect policy rules.

Performance Tuning for the VM-Series on AWS

Make sure that you do the following:
• Pick the correct AWS Instance Types for your deployment. For example, you cannot deploy the c4.xlarge EC2 instance type because the VM-Series firewall requires 9G memory with 2 or 4 vCPUs, and that instance type only provides 4 vCPUs and 7.5G memory. The C5 and M5 instance types that have the Elastic Network Adapter support SR-IOV mode only on PAN-OS 9.0.3 and earlier versions; DPDK support is available starting with PAN-OS 9.0.3.xfr.
• Select the VM-Series model and VM-Series firewall license that best suit your deployment needs. For help with sizing, refer to this article.
• Enable DPDK using the CLI command set system setting dpdk-pkt-io on, or bootstrap the firewall to use DPDK at launch, except when deploying the firewalls in an HA configuration. See init-cfg.txt File Components. For SR-IOV and DPDK driver support by PAN-OS version, see SR-IOV and DPDK Drivers on VM-Series Firewalls.

Deployments Supported on AWS

The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud (VPC). Because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces.

• Deploy the VM-Series firewall to secure the EC2 instances hosted in the AWS Virtual Private Cloud. If you host your applications in the AWS cloud, deploy the VM-Series firewall to protect and safely enable applications for users who access these applications over the internet. For example, Figure 1 shows the VM-Series firewall deployed in the Edge subnet to which the internet gateway is attached. The application(s) are deployed in the private subnet, which does not have direct access to the internet. When users need to access the applications in the private subnet, the firewall receives the request and directs it to the appropriate application after verifying security policy and performing Destination NAT. On the return path, the firewall receives the traffic, applies security policy, and uses Source NAT to deliver the content to the user. See Use Case: Secure the EC2 Instances in the AWS Cloud.
Figure 1: VM-Series for EC2 Instances
• Deploy the VM-Series firewall for VPN access between the corporate network and the EC2 instances within the AWS Virtual Private Cloud.
To connect your corporate network with the applications deployed in the AWS Cloud, you can configure the firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel allows users on your network to securely access the applications in the cloud. For centralized management, consistent enforcement of policy across your entire network, and for centralized logging and reporting, you can also deploy Panorama in your corporate network. If you need to set up VPN access to multiple VPCs, using Panorama allows you to group the firewalls by region and administer them with ease. VM-SERIES DEPLOYMENT GUIDE | Set Up the VM-Series Firewall on AWS 225 © 2020 Palo Alto Networks, Inc.Figure 2: VM-Series for VPN Access • Deploy the VM-Series firewall as a GlobalProtect gateway to secure access for remote users using laptops. The GlobalProtect agent on the laptop connects to the gateway, and based on the request, the gateway either sets up a VPN connection to the corporate network or routes the request to the internet. To enforce security compliance for users on mobile devices (using the GlobalProtect App), the GlobalProtect gateway is used in conjunction with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security Manager ensures that mobile devices are managed and configured with the device settings and account information for use with corporate applications and networks. In each of the use cases above, you can deploy the VM-Series firewall in an active/ passive high availability (HA) pair. For information on setting up the VM-Series firewall in HA, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC. 
• Deploy the VM-Series firewall with the Amazon Elastic Load Balancing (ELB) service, whereby the firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM- Series firewall is behind the Amazon ELB: • The VM-Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network. • The VM-Series firewall secures an internet-facing application when there is exactly one back-end server, such as a web server, for each firewall. The VM-Series firewalls and web servers can scale linearly, in pairs, behind ELB. If you want to Auto Scale VM-Series Firewalls with the Amazon ELB Service, use the CloudFormation Template available in the GitHub repository repository to deploy the VM-Series in an ELB sandwich topology with an internet-facing classic ELB and an either an internal classic load balancer or an internal application load balancer (internal ELB). 226 VM-SERIES DEPLOYMENT GUIDE | Set Up the VM-Series Firewall on AWS © 2020 Palo Alto Networks, Inc.Figure 3: VM-Series with ELB You cannot configure the firewall to send and receive dataplane traffic on eth0 when the firewall is in front of ELB. The VM-Series firewall must be placed behind the Amazon ELB. You can either Use the VM-Series Firewall CLI to Swap the Management Interface or enable it on bootstrap. For details, see Management Interface Mapping for Use with Amazon ELB. If you want to deploy a load balancer sandwich topology, see Auto Scale VM-Series Firewalls with the Amazon ELB Service. In addition to the links above that are covered under the Palo Alto Networks official support policy, Palo Alto Networks provides Community supported templates in the Palo Alto Networks GitHub repository that allow you to explore the solutions available to jumpstart your journey into cloud automation and scale on AWS. 
See AWS Transit VPC for a hub and subscribing VPC deployment that enables you to secure traffic between VPCs, between a VPC and an on-prem/hybrid cloud resource, and secure outbound traffic to the internet.

Deploy the VM-Series Firewall on AWS

• Obtain the AMI
• Planning Worksheet for the VM-Series in the AWS VPC
• Launch the VM-Series Firewall on AWS
• Create a Custom Amazon Machine Image (AMI)
• Encrypt EBS Volume for the VM-Series Firewall on AWS
• Use the VM-Series Firewall CLI to Swap the Management Interface
• Enable CloudWatch Monitoring on the VM-Series Firewall

Obtain the AMI

Get the Amazon Machine Image for the public AWS cloud and the AWS GovCloud from the respective Marketplace.
• AMI in the Public AWS Cloud
• AMI on AWS GovCloud
• Get the VM-Series Firewall Amazon Machine Image (AMI) ID

AMI in the Public AWS Cloud
The AMI for the VM-Series firewall is available in the AWS Marketplace for both the Bring Your Own License (BYOL) and the Usage-based pricing options. For purchasing licenses with the BYOL option, contact your Palo Alto Networks sales engineer or reseller.

AMI on AWS GovCloud
The Bring Your Own License (BYOL) model and the usage-based model of the VM-Series firewall are available on the AWS GovCloud Marketplace. With a GovCloud account, you can search for Palo Alto Networks and find the AMIs for the VM-Series firewall on the Marketplace. Make sure to review the supported EC2 instance types before you launch the firewall. For details, see Launch the VM-Series Firewall on AWS.

Table 1: Review System Requirements and Limitations for VM-Series on AWS

Requirement: EC2 instance types
Details: The EC2 instance type you select must meet the VM-Series System Requirements for the VM-Series firewall model. If you deploy the VM-Series firewall on an EC2 instance type that does not meet these requirements, the firewall will boot into maintenance mode. To support VM Monitoring and high availability on AWS, the VM-Series firewall must be able to directly reach the AWS API service endpoints without any proxy servers between the firewall management interface and the AWS API endpoints (such as ec2.us-west-2.amazonaws.com).

Requirement: Amazon Elastic Block Storage (EBS)
Details: The VM-Series firewall must use the Amazon Elastic Block Storage (EBS) volume for storage. EBS optimization provides an optimized configuration stack and additional, dedicated capacity for Amazon EBS I/O.

Requirement: Networking
Details: Because AWS only supports Layer 3 networking capabilities, the VM-Series firewall can only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and subinterfaces are not supported on the VM-Series firewall deployed in the AWS VPC.

Requirement: Interfaces
Details: Support for a total of eight interfaces is available—one management interface and a maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM-Series firewall does not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot the firewall. Your EC2 instance type selection determines the total number of ENIs you can enable. For example, the c3.8xlarge supports eight (8) ENIs.

Requirement: Support entitlement and Licenses
Details: For the Bring Your Own License model, a support account and a valid VM-Series license are required to obtain the Amazon Machine Image (AMI) file, which is required to install the VM-Series firewall in the AWS VPC. The licenses required for the VM-Series firewall—capacity license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc.—must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact your sales representative. See VM-Series Firewall Licenses for Public Clouds. For the usage-based licensing model, hourly and annual pricing bundles can be purchased and billed directly to AWS. You must, however, register your support entitlement with Palo Alto Networks. For details, see Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code).

Get the VM-Series Firewall Amazon Machine Image (AMI) ID

Use the following instructions to find the AMI ID for the VM-Series firewall that matches the PAN-OS version, license type, and AWS region in which you want to launch the VM-Series firewall.
STEP 1 | Install AWS CLI on the client that you are using to retrieve the AMI ID, and log in with your AWS credentials. Refer to the AWS documentation for instructions on installing the CLI.
STEP 2 | Find the AMI-ID with the following CLI command.
aws ec2 describe-images --filters "Name=product-code,Values=<product-code>" "Name=name,Values=PA-VM-AWS*<version>*" --region <region> --output json
You need to replace the values in the angle brackets <> with the relevant information as shown below:
• Use the VM-Series product code for each license type. The values are:
  • Bundle 1— 6kxdw3bbmdeda3o6i1ggqt4km
  • Bundle 2— 806j2of0qy5osgjjixq9gqc6g
  • BYOL— 6njl1pau431dv1qxipg63mvah
• Use the PAN-OS version—9.0. If there are multiple feature releases within a PAN-OS version, all the AMI-IDs are listed for you. For example, in 9.0.x, you will view a listing of the AMI IDs for PAN-OS versions 9.0, 9.0.3.xfr, 9.0.5.xfr, and 9.0.6, and you can use the AMI-ID for the PAN-OS version you need.
• Get the AWS region details from: https://docs.aws.amazon.com/general/latest/gr/rande.html.
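Because the name filter PA-VM-AWS*9.0* returns every 9.0.x image, the AMI you launch must be picked from the JSON the command returns, and its product code should be confirmed against the license type you paid for. The following is an added example written for this guide, not Palo Alto Networks code. It assumes the field names of aws ec2 describe-images --output json (Images[] with ImageId, Name, CreationDate and ProductCodes[].ProductCodeId) and that AMI names follow the PA-VM-AWS-<version>-<uuid> pattern; the sample output is constructed, and all ImageIds other than the Bundle 1 9.0.0 entry are placeholders.

```python
"""Select the VM-Series AMI from `aws ec2 describe-images` output.

Added example for this guide; not Palo Alto Networks code. Assumes the
describe-images JSON shape and the PA-VM-AWS-<version>-<uuid> naming pattern.
"""
import json
from typing import Dict, List, Optional

# Product codes for each license type, as listed in the guide.
PRODUCT_CODES = {
    "bundle1": "6kxdw3bbmdeda3o6i1ggqt4km",
    "bundle2": "806j2of0qy5osgjjixq9gqc6g",
    "byol": "6njl1pau431dv1qxipg63mvah",
}

# Constructed describe-images output: the 9.0.x images a Bundle 1 query would return,
# plus a BYOL image that the product-code check must never select. IDs are placeholders.
SAMPLE_OUTPUT = json.dumps({"Images": [
    {"ImageId": "ami-045f8b6e430535f0d", "Name": "PA-VM-AWS-9.0.0-6f2a9521-7dc3-46cc-8891-8c4d02d29666",
     "CreationDate": "2019-02-26T14:17:21.000Z",
     "ProductCodes": [{"ProductCodeId": PRODUCT_CODES["bundle1"], "ProductCodeType": "marketplace"}]},
    {"ImageId": "ami-00000000000000b01", "Name": "PA-VM-AWS-9.0.3.xfr-constructed-uuid",
     "CreationDate": "2019-08-15T10:00:00.000Z",
     "ProductCodes": [{"ProductCodeId": PRODUCT_CODES["bundle1"], "ProductCodeType": "marketplace"}]},
    {"ImageId": "ami-00000000000000b02", "Name": "PA-VM-AWS-9.0.6-constructed-uuid",
     "CreationDate": "2020-01-20T10:00:00.000Z",
     "ProductCodes": [{"ProductCodeId": PRODUCT_CODES["bundle1"], "ProductCodeType": "marketplace"}]},
    {"ImageId": "ami-00000000000000c01", "Name": "PA-VM-AWS-9.0.6-constructed-uuid",
     "CreationDate": "2020-01-20T10:00:00.000Z",
     "ProductCodes": [{"ProductCodeId": PRODUCT_CODES["byol"], "ProductCodeType": "marketplace"}]},
]})


def describe_images_command(license_type: str, version: str, region: str) -> str:
    """Render the guide's describe-images command for a license type, PAN-OS train and region."""
    code = PRODUCT_CODES[license_type]
    return (
        'aws ec2 describe-images --filters '
        f'"Name=product-code,Values={code}" "Name=name,Values=PA-VM-AWS*{version}*" '
        f'--region {region} --output json'
    )


def panos_version(image_name: str) -> str:
    """PA-VM-AWS-9.0.3.xfr-<uuid> -> 9.0.3.xfr (assumes the naming pattern above)."""
    parts = image_name.split("-")
    return parts[3] if len(parts) > 3 and parts[:3] == ["PA", "VM", "AWS"] else ""


def _has_code(image: Dict, code: str) -> bool:
    return any(p.get("ProductCodeId") == code for p in image.get("ProductCodes", []))


def list_versions(output_json: str, license_type: str) -> List[str]:
    """PAN-OS versions available for one license type in the command output."""
    code = PRODUCT_CODES[license_type]
    images = json.loads(output_json)["Images"]
    return sorted({panos_version(i["Name"]) for i in images if _has_code(i, code)})


def select_ami(output_json: str, license_type: str, exact_version: str) -> Optional[Dict]:
    """Newest image whose product code matches the license type and whose name carries
    exactly the requested PAN-OS version, so that 9.0.0 never silently becomes 9.0.6."""
    code = PRODUCT_CODES[license_type]
    candidates = [i for i in json.loads(output_json)["Images"]
                  if panos_version(i["Name"]) == exact_version and _has_code(i, code)]
    return max(candidates, key=lambda i: i["CreationDate"]) if candidates else None


if __name__ == "__main__":
    print(describe_images_command("bundle1", "9.0", "us-west-1"))
    print(list_versions(SAMPLE_OUTPUT, "bundle1"))
    print(select_ami(SAMPLE_OUTPUT, "bundle1", "9.0.0")["ImageId"])
```

Run it against real output by piping the command's JSON into select_ami with the exact version string that appears in the AMI name (9.0.0 rather than 9.0); a result of None means no image in that region carries both the expected product code and that version, which is the condition to stop on rather than launching whatever the filter returned first.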
For example: To find the AMI-ID for the VM-Series Bundle 1 for PAN-OS 9.0 in the US California region, the CLI command is:
aws ec2 describe-images --filters "Name=product-code,Values=6kxdw3bbmdeda3o6i1ggqt4km" "Name=name,Values=PA-VM-AWS*9.0*" --region us-west-1 --output json
The output is:
"Images": [
    {
        "Architecture": "x86_64",
        "CreationDate": "2019-02-26T14:17:21.000Z",
        "ImageId": "ami-045f8b6e430535f0d",
        "ImageLocation": "aws-marketplace/PA-VM-AWS-9.0.0-6f2a9521-7dc3-46cc-8891-8c4d02d29666-ami-054da040447f62b2c

Planning Worksheet for the VM-Series in the AWS VPC

For ease of deployment, plan the subnets within the VPC and the EC2 instances that you want to deploy within each subnet. Before you begin, use the following table to collate the network information required to deploy and insert the VM-Series firewall into the traffic flow in the VPC:

Configuration Item (fill in the Value for each):
• VPC CIDR
• Security Groups
• Subnet (public) CIDR
• Subnet (private) CIDR
• Subnet (public) Route Table
• Subnet (private) Route Table
• Security Groups
  • Rules for Management Access to the firewall (eth0/0)
  • Rules for access to the dataplane interfaces of the firewall
  • Rules for access to the interfaces assigned to the application servers.
• VM-Series firewall behind ELB
• EC2 Instance 1 (VM-Series firewall)
  Subnet:
  Instance type:
  Mgmt interface IP:
  Mgmt interface EIP:
  Dataplane interface eth1/1
    • Private IP:
    • EIP (if required):
    • Security Group:
  Dataplane interface eth1/2
    • Private IP:
    • EIP (if required):
    • Security Group:
  (An EIP is only required for the dataplane interface that is attached to the public subnet.)
• EC2 Instance 2 (Application to be secured)
  Subnet:
  Instance type:
  Mgmt interface IP:
  Default gateway:
  Dataplane interface 1
    • Private IP:
  (Repeat this set of values for additional application(s) being deployed.)
• Requirements for HA
  If you are deploying the VM-Series firewalls in a high availability (active/passive) configuration, you must ensure the following:
  • Create an IAM role and assign the role to the VM-Series firewall when you are deploying the instance. See IAM Roles for HA.
  • Deploy the HA peers in the same AWS availability zone.
  • The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface. The passive firewall in the HA pair must have one ENI for management, and one ENI that functions as a dataplane interface; you will configure the dataplane interface as an HA2 interface. Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved—detached and then attached—to the now active (previously passive) firewall.

Launch the VM-Series Firewall on AWS

If you have not already registered the capacity authcode that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall. After registering, deploy the VM-Series firewall using an AMI published in the Marketplace or Create a Custom Amazon Machine Image (AMI) in the AWS VPC as follows:
STEP 1 | Access the AWS Console. Log in to the AWS console and select the EC2 Dashboard.
STEP 2 | Set up the VPC for your network needs. Whether you launch the VM-Series firewall in an existing VPC or you create a new VPC, the VM-Series firewall must be able to receive traffic from the EC2 instances and perform inbound and outbound communication between the VPC and the internet. Refer to the AWS VPC documentation for instructions on creating a VPC and setting it up for access. For an example with a complete workflow, see Use Case: Secure the EC2 Instances in the AWS Cloud.
1. Create a new VPC or use an existing VPC. Refer to the AWS Getting Started documentation.
2. Verify that the network and security components are defined suitably.
  • Enable communication to the internet. The default VPC includes an internet gateway, and if you install the VM-Series firewall in the default subnet it has access to the internet.
  • Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The VM-Series firewall must belong to the public subnet so that it can be configured to access the internet.
  • Create security groups as needed to manage inbound and outbound traffic from the EC2 instances/subnets.
  • Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
3. If you want to deploy a pair of VM-Series firewalls in HA, you must define IAM Roles for HA before you can Configure Active/Passive HA on AWS.
4. (Optional) If you are using bootstrapping to perform the configuration of your VM-Series firewall, refer to Bootstrap the VM-Series Firewall on AWS. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.
STEP 3 | Launch the VM-Series firewall.
Although you can add additional network interfaces (ENIs) to the VM-Series firewall when you launch, AWS releases the auto-assigned Public IP address for the management interface when you restart the firewall. Hence, to ensure connectivity to the management interface you must assign an Elastic IP address to the management interface before attaching additional interfaces to the firewall.
If you want to conserve EIP addresses, you can assign one EIP address to the eth 1/1 interface and use this interface for both management traffic and data traffic. To restrict the services permitted on the interface or limit the IP addresses that can log in to the eth 1/1 interface, attach a management profile to the interface.
1. On the EC2 Dashboard, click Launch Instance.
2. Select the VM-Series AMI. To get the AMI, see Obtain the AMI.
3. Launch the VM-Series firewall on an EC2 instance.
  1. Choose the EC2 instance type for allocating the resources required for the firewall, and click Next. See VM-Series System Requirements for resource requirements.
  2. Select the VPC.
  3. Select the public subnet to which the VM-Series management interface will attach.
  4. Select Automatically assign a public IP address. This allows you to obtain a publicly accessible IP address for the management interface of the VM-Series firewall. You can later attach an Elastic IP address to the management interface; unlike the public IP address that is disassociated from the firewall when the instance is terminated, the Elastic IP address provides persistence and can be reattached to a new (or replacement) instance of the VM-Series firewall without the need to reconfigure the IP address wherever you might have referenced it.
  5. Select Launch as an EBS-optimized instance.
  6. Add another network interface for deployments with ELB so that you can swap the management and data interfaces on the firewall. Swapping interfaces requires a minimum of two ENIs (eth0 and eth1).
    • Expand the Network Interfaces section and click Add Device to add another network interface. Make sure that your VPC has more than one subnet so that you can add additional ENIs at launch. If you launch the firewall with only one ENI:
      • The interface swap command will cause the firewall to boot into maintenance mode.
      • You must reboot the firewall when you add the second ENI.
    • Expand the Advanced Details section and in the User data field enter mgmt-interface-swap=enable as text to perform the interface swap during launch. If you are bootstrapping the firewall, you can also enter vmseries-bootstrap-aws-s3bucket=<bucketname> with a comma separator after mgmt-interface-swap=enable.
  7. Accept the default Storage settings. The firewall uses volume type SSD (gp2).
  8. (Optional) Tagging. Add one or more tags to create your own metadata to identify and group the VM-Series firewall. For example, add a Name tag with a Value that helps you remember that the ENI interfaces have been swapped on this VM-Series firewall.
  9. Select an existing Security Group or create a new one. This security group is for restricting access to the management interface of the firewall. At a minimum, consider enabling https and ssh access for the management interface.
  10. If prompted, select an appropriate SSD option for your setup.
  11. Select Review and Launch. Review that your selections are accurate and click Launch.
  12. Select an existing key pair or create a new one, and acknowledge the key disclaimer. This key pair is required for first-time access to the firewall. It is also required to access the firewall in maintenance mode.
  13. Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key if it is lost.
It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2 Dashboard. When the process completes, the VM-Series firewall displays on the Instances page of the EC2 Dashboard.
STEP 4 | Configure a new administrative password for the firewall.
On the VM-Series firewall CLI, you must configure a unique administrative password before you can access the web interface of the firewall. To log in to the CLI, you require the private key that you used to launch the firewall.
1. Use the public IP address to SSH into the Command Line Interface (CLI) of the VM-Series firewall. You will need the private key that you used or created in 3 above to access the CLI. If you added an additional ENI to support deployments with ELB, you must first create and assign an Elastic IP address to the ENI to access the CLI; see 6. If you are using PuTTY for SSH access, you must convert the .pem format to a .ppk format. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
2. Enter the following command to log in to the firewall:
ssh -i <private_key.pem> admin@<public-ip_address>
3. Configure a new password using the following command and follow the onscreen prompts:
configure
set mgt-config users admin password
4. If you have a BYOL that needs to be activated, set the DNS server IP address so that the firewall can access the Palo Alto Networks licensing server. Enter the following command to set the DNS server IP address:
set deviceconfig system dns-setting servers primary <ip_address>
5. Commit your changes with the command:
commit
6. Terminate the SSH session.
STEP 5 | Shut down the VM-Series firewall.
1. On the EC2 Dashboard, select Instances.
2. From the list, select the VM-Series firewall and click Actions > Stop.
STEP 6 | Create and assign an Elastic IP address (EIP) to the ENI used for management access to the firewall and reboot the VM-Series firewall.
1. Select Elastic IPs and click Allocate New Address.
2. Select EC2-VPC and click Yes, Allocate.
3. Select the newly allocated EIP and click Associate Address.
4. Select the Network Interface and the Private IP address associated with the management interface and click Yes, Associate.
STEP 7 | Create virtual network interface(s) and attach the interface(s) to the VM-Series firewall.
The virtual network interfaces are called Elastic Network Interfaces (ENIs) on AWS, and serve as the dataplane network interfaces on the firewall. These interfaces are used for handling data traffic to/from the firewall. You will need at least two ENIs that allow inbound and outbound traffic to/from the firewall. You can add up to seven ENIs to handle data traffic on the VM-Series firewall; check your EC2 instance type to verify the maximum number supported on it.
1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
2. Enter a descriptive name for the interface.
3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
4. Enter the Private IP address to assign to the interface or select Auto-assign to automatically assign an IP address within the available IP addresses in the selected subnet.
5. Select the Security group to control access to the dataplane network interface.
6. Click Yes, Create.
7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM-Series firewall, and click Attach.
9. Repeat the steps above for creating and attaching at least one more ENI to the firewall.
STEP 8 | (Not required for the Usage-based licensing model) Activate the licenses on the VM-Series firewall.
This task is not performed on the AWS management console. Access to the Palo Alto Networks support portal and the web interface of the VM-Series firewall is required for license activation. See Activate the License.
STEP 9 | Disable Source/Destination check on every firewall dataplane network interface.
Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the network interface.
1. On the EC2 Dashboard, select the network interface, for example eth1/1, in the Network Interfaces tab.
2. In the Action drop-down, select Change Source/Dest. Check.
3. Click Disabled and Save your changes.
4. Repeat Steps 1-3 for each firewall dataplane interface.
STEP 10 | Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
For an example configuration, see steps 14 through 17 in Use Case: Secure the EC2 Instances in the AWS Cloud. On the application servers within the VPC, define the dataplane network interface of the firewall as the default gateway.
1. Using a secure connection (https) from your web browser, log in using the EIP address and password you assigned during initial configuration (https://<Elastic_IP_address>). You will see a certificate warning; that is okay. Continue to the web page.
2. Select Network > Interfaces > Ethernet.
3. Click the link for ethernet 1/1 and configure as follows:
  • Interface Type: Layer3
  • On the Config tab, assign the interface to the default router.
  • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example VM_Series_untrust, and then click OK.
  • On the IPv4 tab, select either Static or DHCP Client. If using the Static option, click Add in the IP section, and enter the IP address and network mask for the interface, for example 10.0.0.10/24. Make sure that the IP address matches the ENI IP address that you assigned earlier. If using DHCP, select DHCP Client; the private IP address that you assigned to the ENI in the AWS management console will be automatically acquired.
4. Click the link for ethernet 1/2 and configure as follows:
  • Interface Type: Layer3
  • Security Zone: VM_Series_trust
  • IP address: Select the Static or DHCP Client radio button. For static, click Add in the IP section, and enter the IP address and network mask for the interface. Make sure that the IP address matches the attached ENI IP address that you assigned earlier.
5. Click Commit. Verify that the link state for the interfaces is up.
For DHCP, clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC.
STEP 11 | Create NAT rules to allow inbound and outbound traffic from the servers deployed within the VPC.
1. Select Policies > NAT on the web interface of the firewall.
2. Create a NAT rule to allow traffic from the dataplane network interface on the firewall to the web server interface in the VPC.
3. Create a NAT rule to allow outbound access for traffic from the web server to the internet.
STEP 12 | Create security policies to allow/deny traffic to/from the servers deployed within the VPC.
1. Select Policies > Security on the web interface of the firewall.
2. Click Add, and specify the zones, applications and logging options that you would like to execute to restrict and audit traffic traversing through the network.
STEP 13 | Commit the changes on the firewall. Click Commit.
STEP 14 | Verify that the VM-Series firewall is securing traffic and that the NAT rules are in effect.
1. Select Monitor > Logs > Traffic on the web interface of the firewall.
2. View the logs to make sure that the applications traversing the network match the security policies you implemented.

Create a Custom Amazon Machine Image (AMI)

A custom VM-Series AMI gives you the consistency and flexibility to deploy a VM-Series firewall with the PAN-OS version you want to use on your network instead of being restricted to using only an AMI that is published to the AWS public Marketplace or to the AWS GovCloud Marketplace.
Using a custom AMI speeds up the process of deploying a firewall with the PAN-OS version of your choice because it removes the time spent provisioning the firewall with an AMI published on the AWS public or AWS GovCloud marketplace and then performing software upgrades to get to the PAN-OS version you have qualified or want to use on your network. Additionally, you can then use the custom AMI in the Auto Scaling VM-Series Firewalls CloudFormation Templates or any other templates that you have created.
You can create a custom AMI with the BYOL, Bundle 1, or Bundle 2 licenses. The process of creating a custom AMI requires you to remove all configuration from the firewall and reset it to factory defaults, so in this workflow you'll launch a new instance of the firewall from the AWS Marketplace instead of using an existing firewall that you have fully configured.
When creating a custom AMI with a BYOL version of the firewall, you must first activate the license on the firewall so that you can access and download PAN-OS software updates to upgrade your firewall, and then deactivate the license on the firewall before you reset the firewall to factory defaults and create the custom AMI. If you do not deactivate the license, you lose the license that you applied on this firewall instance.
STEP 1 | Launch the VM-Series firewall from the Marketplace. Follow steps 1 through 3 in Launch the VM-Series firewall. Do not continue on to configuring a new administrative password or committing any changes on the firewall.
STEP 2 | (Only for BYOL) Activate the license.
STEP 3 | Install software updates and upgrade the firewall to the PAN-OS version you plan to use.
STEP 4 | (Only for BYOL) Deactivate the license.
STEP 5 | Perform a private data reset. A private data reset removes all logs and restores the default configuration. The system disks are not erased, so the content updates from Step 3 are intact.
1. Access the firewall CLI.
2. Remove all logs and restore the default configuration.
request system private-data-reset
Enter y to confirm. The firewall reboots to initialize the default configuration.
STEP 6 | Create the custom AMI.
1. Log in to the AWS Console and select the EC2 Dashboard.
2. Stop the VM-Series firewall.
3. Select the VM-Series firewall instance, and click Image > Create Image.
4. Enter a custom image name, and click Create Image. The disk space of 60GB is the minimum requirement.
5. Verify that the custom AMI is created and has the correct product code.
  1. On the EC2 Dashboard, select AMI.
  2. Select the AMI that you just created. Depending on whether you selected an AMI with the BYOL, Bundle 1, or Bundle 2 licensing options, you should see one of the following Product Codes in the details:
    • BYOL—6njl1pau431dv1qxipg63mvah
    • Bundle 1—6kxdw3bbmdeda3o6i1ggqt4km
    • Bundle 2—806j2of0qy5osgjjixq9gqc6g
STEP 7 | Encrypt EBS Volume for the VM-Series Firewall on AWS. If you plan to use the custom AMI with EBS encryption for an Auto Scaling VM-Series Firewalls with the Amazon ELB Service deployment, you must use the default master key for your AWS account.
STEP 8 | Configure the administrative password on the firewall. See Configure a new administrative password on the firewall.

Encrypt EBS Volume for the VM-Series Firewall on AWS

EBS encryption is available for all AWS EC2 Instance Types on which you can deploy the VM-Series firewall. To securely store data on the VM-Series firewall on AWS, you must first create a copy of an AMI that is published on the AWS public or GovCloud Marketplace, or use a custom AMI, and then encrypt the EBS volume with a customer master key (CMK) on the AWS Key Management Service (KMS). You can use the default master key for your AWS account or any CMK that you have previously created using the AWS Key Management Service; EBS and KMS interact to ensure data security.
STEP 1 | Create an encryption key on AWS, or skip this step if you want to use the default master key for your account. You will use this key to encrypt the EBS volume on the firewall. Note that the key is region specific.
STEP 2 | Use the key to encrypt the EBS volume on the firewall. You must create a copy of the AMI that you want to encrypt. You can copy an AMI that is published on the AWS public or GovCloud Marketplace, or use a custom AMI (Create a Custom Amazon Machine Image (AMI)).
1. On the EC2 Dashboard, select the AMI and Copy AMI.
2. Set the details for the AMI. Make sure to select Encrypt target EBS snapshots.
3. Select the encryption key and Copy AMI to create an encrypted EBS snapshot.
4. Select EC2 Dashboard > Snapshots to verify that the EBS snapshot is encrypted with the key you selected above.

Use the VM-Series Firewall CLI to Swap the Management Interface

If you did not swap the management interface (MGT) with the dataplane interface (ethernet 1/1) when deploying the firewall, you can use the CLI to enable the firewall to receive dataplane traffic on the primary interface after launching the firewall.
STEP 1 | Complete Steps 1 through 7 in Launch the VM-Series Firewall on AWS. Before you proceed, verify that the firewall has a minimum of two ENIs (eth0 and eth1). If you launch the firewall with only one ENI, the interface swap command will cause the firewall to boot into maintenance mode.
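The two-ENI check in STEP 1, the HA layout rules from the planning worksheet (same availability zone, IAM role attached, three ENIs on the active peer and exactly two on the passive peer), the Source/Destination check that the launch procedure disables on every dataplane ENI, and the management security group that should expose only HTTPS and SSH can all be verified from the EC2 API before the swap command is issued. The following is an added example written for this guide, not Palo Alto Networks code. It assumes the field names of aws ec2 describe-instances (NetworkInterfaces[].Attachment.DeviceIndex, NetworkInterfaces[].SourceDestCheck, Placement.AvailabilityZone, IamInstanceProfile) and aws ec2 describe-security-groups (IpPermissions[]); the records are constructed with placeholder IDs, and treating a 0.0.0.0/0 source on the management group as a finding is this example's assumption about what "restricting access" should mean.

```python
"""Preflight checks before the interface swap or an HA pairing on AWS.

Added example for this guide; not Palo Alto Networks code. Reads dictionaries
shaped like describe-instances / describe-security-groups output. Records below
are constructed with placeholder IDs so the example runs offline.
"""
from typing import Dict, List

MGMT_PORTS = {22, 443}  # SSH and HTTPS, the services the guide opens on the management interface


def eni_count(instance: Dict) -> int:
    return len(instance.get("NetworkInterfaces", []))


def swap_preflight(instance: Dict) -> List[str]:
    """With a single ENI, mgmt-interface-swap boots the firewall into maintenance mode."""
    findings = []
    if eni_count(instance) < 2:
        findings.append("fewer than two ENIs: interface swap would boot the firewall into maintenance mode")
    return findings


def ha_preflight(active: Dict, passive: Dict) -> List[str]:
    """Findings against the HA requirements in the planning worksheet."""
    findings = []
    if active["Placement"]["AvailabilityZone"] != passive["Placement"]["AvailabilityZone"]:
        findings.append("HA peers are not in the same availability zone")
    if eni_count(active) < 3:
        findings.append("active peer needs at least three ENIs (management plus two dataplane)")
    if eni_count(passive) != 2:
        findings.append("passive peer must have exactly two ENIs (management plus HA2)")
    for name, inst in (("active", active), ("passive", passive)):
        if not inst.get("IamInstanceProfile"):
            findings.append(f"{name} peer has no IAM role attached")
    return findings


def source_dest_preflight(instance: Dict, mgmt_device_index: int = 0) -> List[str]:
    """Every dataplane ENI (all but the management device) must have Source/Dest check disabled."""
    findings = []
    for eni in instance.get("NetworkInterfaces", []):
        if eni["Attachment"]["DeviceIndex"] == mgmt_device_index:
            continue
        if eni.get("SourceDestCheck", True):
            findings.append(f"{eni['NetworkInterfaceId']}: Source/Dest check is still enabled")
    return findings


def mgmt_sg_preflight(sg: Dict) -> List[str]:
    """Management group: SSH/HTTPS only, and (assumption) never sourced from 0.0.0.0/0."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") == "-1":
            findings.append("rule allows all protocols and ports")
            continue
        extra = sorted(set(range(perm["FromPort"], perm["ToPort"] + 1)) - MGMT_PORTS)
        if extra:
            findings.append(f"rule opens ports other than SSH/HTTPS: {extra[:5]}")
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") == "0.0.0.0/0":
                findings.append(f"ports {perm['FromPort']}-{perm['ToPort']} are open to 0.0.0.0/0")
    return findings


def _eni(eni_id: str, index: int, src_dst_check: bool) -> Dict:
    return {"NetworkInterfaceId": eni_id, "SourceDestCheck": src_dst_check, "Attachment": {"DeviceIndex": index}}


# Constructed sample records; every ID, account number and CIDR is a placeholder.
_PROFILE = {"Arn": "arn:aws:iam::123456789012:instance-profile/vmseries-ha-placeholder"}
ACTIVE = {"InstanceId": "i-0activeplaceholder", "Placement": {"AvailabilityZone": "us-west-1a"},
          "IamInstanceProfile": _PROFILE,
          "NetworkInterfaces": [_eni("eni-0mgmt", 0, True), _eni("eni-0data1", 1, False), _eni("eni-0data2", 2, True)]}
PASSIVE = {"InstanceId": "i-0passiveplaceholder", "Placement": {"AvailabilityZone": "us-west-1a"},
           "IamInstanceProfile": _PROFILE,
           "NetworkInterfaces": [_eni("eni-0pmgmt", 0, True), _eni("eni-0ha2", 1, False)]}
SINGLE_ENI = {"InstanceId": "i-0singleplaceholder", "Placement": {"AvailabilityZone": "us-west-1a"},
              "NetworkInterfaces": [_eni("eni-0only", 0, True)]}
MGMT_SG = {"GroupId": "sg-0placeholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}


def run_all() -> Dict[str, List[str]]:
    return {
        "swap(single ENI)": swap_preflight(SINGLE_ENI),
        "swap(active)": swap_preflight(ACTIVE),
        "ha": ha_preflight(ACTIVE, PASSIVE),
        "source/dest(active)": source_dest_preflight(ACTIVE),
        "mgmt sg": mgmt_sg_preflight(MGMT_SG),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(check, "->", findings or "ok")
```

An empty findings list is the go-ahead; anything else is a reason to stop before running set system setting mgmt-interface-swap enable yes, since the failure modes the guide names (maintenance mode on a single ENI, a swapped management interface that the security group does not admit) are easier to catch here than after the reboot.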
STEP 2 | On the EC2 Dashboard, view the IP address of the eth1 interface and verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface (eth1).

STEP 3 | Log in to the VM-Series firewall CLI and enter the following command:

    set system setting mgmt-interface-swap enable yes

STEP 4 | Confirm that you want to swap the interface and use the eth1 dataplane interface as the management interface.

STEP 5 | Reboot the firewall for the swap to take effect. Use the following command:

    request restart system

STEP 6 | Verify that the interfaces have been swapped. Use the following command:

    debug show vm-series interfaces all

    Phoenix_interface     Base-OS_port  Base-OS_MAC        PCI-ID        Driver
    mgt(interface-swap)   eth0          0e:53:96:91:ef:29  0000:00:04.0  ixgbevf
    Ethernet1/1           eth1          0e:4d:84:5f:7f:4d  0000:00:03.0  ixgbevf

Enable CloudWatch Monitoring on the VM-Series Firewall

The VM-Series firewall on AWS can publish native PAN-OS metrics to AWS CloudWatch, which you can use to monitor the firewalls. These metrics allow you to assess performance and usage patterns that you can use to take action for launching or terminating instances of the VM-Series firewalls. The firewalls use AWS APIs to publish the metrics to a namespace, which is the location on AWS where the metrics are collected at a specified time interval. When you configure the firewalls to publish metrics to AWS CloudWatch, there are two namespaces where you can view metrics: the primary namespace collects and aggregates the selected metric for all instances configured to use the namespace, and the secondary namespace that is automatically created with the suffix _dimensions allows you to filter the metrics using the hostname and AWS instance ID metadata (or dimensions) and get visibility into the usage and performance of individual VM-Series firewalls.
You can monitor the metric in CloudWatch or create auto scaling policies to trigger alarms and take an action to manually deploy a new instance of the firewall when the monitored metric reaches a threshold value. Refer to the AWS CloudWatch and Auto Scaling Groups (ASG) documentation on best practices for setting the alarm conditions for a scale out or scale in action. For a description of the PAN-OS metrics that you can publish to CloudWatch, see Custom PAN-OS Metrics Published for Monitoring.

STEP 1 | Assign the appropriate permissions for the AWS Identity and Access Management (IAM) user role that you use to deploy the VM-Series firewall on AWS. Whether you launch a new instance of the VM-Series firewall or upgrade an existing VM-Series firewall on AWS, the IAM role associated with your instance must have permissions to publish metrics to CloudWatch.
1. On the AWS console, select IAM.
2. Edit the IAM role to grant the following permissions. You can copy and paste the permissions from here:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:PutMetricData"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

STEP 2 | Enable CloudWatch on the VM-Series firewall on AWS.
1. Log in to the web interface on the VM-Series firewall.
2. Select Device > VM-Series.
3. In AWS CloudWatch Setup, click Edit and select Enable CloudWatch Monitoring.
   1. Enter the CloudWatch Namespace to which the firewall can publish metrics. The namespace cannot begin with AWS. The aggregated metrics for all VM-Series firewalls in an HA pair or auto scaling deployment are published to the namespace you entered above. The namespace with the _dimensions suffix that is automatically created enables you to filter and view metrics for a specific VM-Series firewall using the hostname or AWS instance ID metadata attached to the firewall.
   2. Set the Update Interval to a value between 1-60 minutes. This is the frequency at which the firewall publishes the metrics to CloudWatch. The default is 5 minutes.
4. Commit the changes. Until the firewall starts to publish metrics to CloudWatch, you cannot configure alarms for PAN-OS metrics.

STEP 3 | Verify that you can see the metrics on CloudWatch.
1. On the AWS console, select CloudWatch > Metrics to view CloudWatch metrics by category.
2. From the Custom Metrics drop-down, select the namespace.
3. Verify that you can see PAN-OS metrics in the viewing list. To filter by hostname or AWS Instance ID of a specific firewall, select _dimensions.

STEP 4 | Configure alarms and actions for PAN-OS metrics on CloudWatch. Refer to the AWS documentation: http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html

A VM-Series firewall with bootstrap configuration will take about 7-9 minutes to be available for service. With that in mind, here are some examples of how to set alarms that trigger auto scaling for the VM-Series firewall:
• If you have deployed 2 instances of the VM-Series firewalls as GlobalProtect Gateways that secure remote users, use the GlobalProtect Gateway Active Tunnels metric. You can configure an alarm so that when the number of active tunnels is greater than 300 for 15 minutes, 2 new instances of the VM-Series firewall are deployed, bootstrapped and configured to serve as GlobalProtect Gateways.
• If you are using the firewall to secure your workloads in AWS, use the Session Utilization metric to scale in or scale out the firewall based on resource usage. You can configure an alarm so that when the session utilization metric is greater than 60% for 15 minutes, one instance of the VM-Series firewall is deployed.
And conversely, if Session Utilization is less than 50% for 30 minutes, terminate an instance of the VM-Series firewall.

High Availability for VM-Series Firewall on AWS

The VM-Series firewall on AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
• Overview of HA on AWS
• IAM Roles for HA
• HA Links
• Heartbeat Polling and Hello Messages
• Device Priority and Preemption
• HA Timers
• Configure Active/Passive HA on AWS

Overview of HA on AWS

To ensure redundancy, you can deploy the VM-Series firewalls on AWS in an active/passive high availability (HA) configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. When the passive peer detects this failure, it becomes active and triggers API calls to the AWS infrastructure to move all the dataplane interfaces (ENIs) from the failed peer to itself. The failover time can vary from 20 seconds to over a minute depending on the responsiveness of the AWS infrastructure.

To ensure that all traffic to your internet-facing applications passes through the firewall, you have two options. You can either configure the application's public IP address on the Untrust interface (E1/2 in the illustration above) of the VM-Series firewall, or you can configure AWS ingress routing. The AWS ingress routing capability allows you to associate route tables with the AWS Internet gateway and add route rules to redirect the application traffic through the VM-Series firewall. This redirection ensures that all internet traffic passes through the firewall without having to reconfigure the application endpoints.
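Returning to the Session Utilization alarms described in the CloudWatch section above: the following added example (not Palo Alto Networks or AWS code) evaluates a history of utilization datapoints, published at the default 5-minute Update Interval, against the two conditions from the text, greater than 60% for 15 minutes (scale out) and less than 50% for 30 minutes (scale in). The Alarm model is an assumption that mirrors how a CloudWatch alarm requires a condition to hold across consecutive evaluation periods; the datapoint series and the function and class names are constructed for this illustration.

```python
"""Scale-out / scale-in decision logic for the Session Utilization alarms.

Added illustration, not Palo Alto Networks or AWS code.  It models how an alarm
that must hold "for N minutes" is evaluated against metric datapoints that the
firewall publishes every Update Interval (default 5 minutes).  All datapoint
series below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List

# Default Update Interval from the CloudWatch setup step (minutes between datapoints).
UPDATE_INTERVAL_MIN = 5


@dataclass(frozen=True)
class Alarm:
    """A CloudWatch-style alarm: `condition` must hold for `duration_min` minutes."""
    name: str
    condition: Callable[[float], bool]
    duration_min: int
    action: str  # "scale_out" or "scale_in"

    def periods(self, interval_min: int) -> int:
        """Number of consecutive datapoints that must breach (rounded up)."""
        return -(-self.duration_min // interval_min)

    def is_in_alarm(self, samples: List[float], interval_min: int = UPDATE_INTERVAL_MIN) -> bool:
        """True only when every one of the most recent `periods` datapoints breaches."""
        n = self.periods(interval_min)
        if len(samples) < n:
            return False  # not enough history yet; a short spike cannot trigger scaling
        return all(self.condition(v) for v in samples[-n:])


# The two alarms from the text: >60% for 15 min adds a firewall, <50% for 30 min removes one.
SCALE_OUT = Alarm("session-utilization-high", lambda v: v > 60, 15, "scale_out")
SCALE_IN = Alarm("session-utilization-low", lambda v: v < 50, 30, "scale_in")


def scaling_decision(samples: List[float], interval_min: int = UPDATE_INTERVAL_MIN) -> str:
    """Return "scale_out", "scale_in" or "none" for the latest datapoint history.

    Scale-out is checked first: with these thresholds both alarms cannot fire at
    once, but a scale-out should never be starved by a concurrent scale-in.
    """
    if SCALE_OUT.is_in_alarm(samples, interval_min):
        return SCALE_OUT.action
    if SCALE_IN.is_in_alarm(samples, interval_min):
        return SCALE_IN.action
    return "none"


def replay(samples: List[float], interval_min: int = UPDATE_INTERVAL_MIN) -> List[str]:
    """Decision after each datapoint arrives, i.e. what the alarm would do over time."""
    return [scaling_decision(samples[: i + 1], interval_min) for i in range(len(samples))]


if __name__ == "__main__":
    # Constructed utilization series: sustained load, then a long idle stretch.
    series = [55, 62, 70, 65, 58, 45, 40, 42, 38, 44, 41, 39]
    for t, (value, decision) in enumerate(zip(series, replay(series))):
        print(f"t={t * UPDATE_INTERVAL_MIN:3d} min  util={value:3d}%  -> {decision}")
```

The replay shows why the durations matter: a single high datapoint never scales out, and the 30-minute scale-in window (six datapoints at the default interval) is comfortably longer than the 7-9 minutes a bootstrapped firewall needs to come into service, so a newly launched instance is not torn down while it is still booting.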
IAM Roles for HA

AWS requires that all API requests be cryptographically signed using credentials issued by AWS. To enable API permissions for the VM-Series firewalls that will be deployed as an HA pair, you must create a policy and attach that policy to a role in the AWS Identity and Access Management (IAM) service. The role must be attached to the VM-Series firewalls at launch. The policy gives the IAM role permissions for initiating the API actions that detach network interfaces from the active peer in an HA pair and attach them to the passive peer when a failover is triggered. For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2.

The IAM policy, which is configured in the AWS console, must have permissions for the following actions and resources (at a minimum):
• AttachNetworkInterface—For permission to attach an ENI to an instance.
• DescribeNetworkInterfaces—For fetching the ENI parameters in order to attach an interface to the instance.
• DetachNetworkInterface—For permission to detach the ENI from the EC2 instance.
• DescribeInstances—For permission to obtain information on the EC2 instances in the VPC.
• Wild card (*)—In the Amazon Resource Name (ARN) field use the * as a wild card.
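Both IAM policies in this guide, the cloudwatch:PutMetricData grant from the CloudWatch section and the four EC2 actions listed above for HA failover, are meant to be the whole of what the firewall's role can do. The following added example (not Palo Alto Networks or AWS code) checks a policy document against those required sets and reports anything missing or over-broad, so that a wildcard such as ec2:* does not slip into the role. "Resource": "*" is deliberately not flagged, since the guide requires it. The policy documents, function names and the REQUIRED_ACTIONS table are constructed for this illustration.

```python
"""Least-privilege check for the IAM policies this guide attaches to the firewall role.

Added illustration, not Palo Alto Networks or AWS code.  It parses an IAM policy
document and reports (a) required actions that are not granted and (b) Allow
patterns that grant more than the guide asks for.  "Resource": "*" is not
flagged: the guide requires the wildcard because the ENIs moved on failover are
not known when the policy is written.  The policy documents are constructed
inline from the actions named in the text.
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Set

# Action sets the guide requires.  IAM action names carry the service prefix.
REQUIRED_ACTIONS: Dict[str, Set[str]] = {
    "cloudwatch": {"cloudwatch:PutMetricData"},
    "ha": {
        "ec2:AttachNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
    },
}


def allowed_actions(policy: Dict) -> Set[str]:
    """Collect Action entries from Allow statements (Action may be a string or a list)."""
    actions: Set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_policy(policy: Dict, required: Iterable[str]) -> Dict[str, List[str]]:
    """Compare granted Allow actions with the required set.

    missing:    required actions that no granted pattern covers
    over_broad: granted patterns that are wildcards, or literal actions outside
                the required set (e.g. "ec2:*", "*", "ec2:TerminateInstances")
    """
    granted = allowed_actions(policy)
    wanted = {a.lower(): a for a in required}
    missing = sorted(a for low, a in wanted.items()
                     if not any(_matches(g, low) for g in granted))
    over_broad = sorted(g for g in granted
                        if "*" in g or "?" in g or g.lower() not in wanted)
    return {"missing": missing, "over_broad": over_broad}


def lint(policy_json: str, role: str) -> Dict[str, List[str]]:
    """Lint a policy document string against one of the REQUIRED_ACTIONS roles."""
    return check_policy(json.loads(policy_json), REQUIRED_ACTIONS[role])


# Constructed policy documents: the two the guide shows, plus an over-broad variant.
CLOUDWATCH_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["cloudwatch:PutMetricData"],
                   "Resource": ["*"]}],
})
HA_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": ["ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface",
                              "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces"],
                   "Resource": "*"}],
})
HA_POLICY_TOO_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})

if __name__ == "__main__":
    for name, doc, role in [("cloudwatch", CLOUDWATCH_POLICY, "cloudwatch"),
                            ("ha", HA_POLICY, "ha"),
                            ("ha-too-broad", HA_POLICY_TOO_BROAD, "ha")]:
        print(name, lint(doc, role))
```

Run it against the JSON you paste into the IAM console before attaching the role: an empty missing list means failover and metric publishing will have what they need, and an empty over_broad list means a compromised firewall instance cannot use the role for anything beyond that.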
The following screenshot shows the access management settings for the IAM role described above. The permissions you need are:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "ec2:AttachNetworkInterface",
            "ec2:DetachNetworkInterface",
            "ec2:DescribeInstances",
            "ec2:DescribeNetworkInterfaces"
          ],
          "Resource": "*"
        }
      ]
    }

HA Links

The devices in an HA pair use HA links to synchronize data and maintain state information. On AWS, the VM-Series firewall uses the following ports:
• Control Link—The HA1 link is used to exchange hellos, heartbeats, and HA state information, and for management plane sync of routing and User-ID information. This link is also used to synchronize configuration changes on either the active or passive device with its peer. The Management port is used for HA1. TCP ports 28769 and 28260 are used for cleartext communication; port 28 is used for encrypted communication (SSH over TCP).
• Data Link—The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device to the passive device. Ethernet1/1 must be assigned as the HA2 link. The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport.

The VM-Series firewall on AWS does not support backup links for HA1 or HA2.

Heartbeat Polling and Hello Messages

The firewalls use hello messages and heartbeats to verify that the peer device is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the device.
The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the devices are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers. (The HA timers for the VM-Series firewall are the same as those of the PA-5200 Series firewalls.)

Device Priority and Preemption

The devices in an HA pair can be assigned a device priority value to indicate a preference for which device should assume the active role and manage traffic upon failover. If you need to use a specific device in the HA pair for actively securing traffic, you must enable the preemptive behavior on both firewalls and assign a device priority value to each device. The device with the lower numerical value, and therefore higher priority, is designated as active and manages all traffic on the network. The other device is in a passive state, and synchronizes configuration and state information with the active device so that it is ready to transition to an active state should a failure occur.

By default, preemption is disabled on the firewalls and must be enabled on both devices. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active after it recovers from a failure. When preemption occurs, the event is logged in the system logs.

HA Timers

High availability (HA) timers are used to detect a firewall failure and trigger a failover. To reduce the complexity of configuring HA timers, you can select from three profiles: Recommended, Aggressive, and Advanced. These profiles auto-populate the optimum HA timer values for the specific firewall platform to enable a faster HA deployment. Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings.
The Advanced profile allows you to customize the timer values to suit your network requirements.

HA Timer on the VM-Series on AWS        Default values for Recommended/Aggressive profiles
Promotion hold time                     2000/500 ms
Hello interval                          8000/8000 ms
Heartbeat interval                      2000/1000 ms
Max number of flaps                     3/3
Preemption hold time                    1/1 min
Monitor fail hold up time               0/0 ms
Additional master hold up time          500/500 ms

Configure Active/Passive HA on AWS

STEP 1 | Make sure that you have followed the prerequisites. For deploying a pair of VM-Series firewalls in HA in the AWS cloud, you must ensure the following:
• Select the IAM role you created when launching the VM-Series firewall on an EC2 instance; you cannot assign the role to an instance that is already running. See IAM Roles for HA. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation.
• DPDK cannot be enabled in an HA configuration. By default, DPDK is disabled on the VM-Series firewalls on AWS, and you do not need to disable it unless you enabled it manually.
• The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface. The passive firewall in the HA pair must have one ENI for management and one ENI that functions as a dataplane interface; you will configure the dataplane interface as an HA2 interface. Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved (detached and then attached) to the now active (previously passive) firewall.
• The HA peers must be deployed in the same AWS availability zone.

STEP 2 | Launch the VM-Series Firewall on AWS.

STEP 3 | Enable HA.
1. Select Device > High Availability > General, and edit the Setup section.
2. Select Enable HA.

STEP 4 | Configure ethernet 1/1 as an HA interface. This interface must be used for HA2 communication.
1. Select Network > Interfaces.
2. Confirm that the link state is up on ethernet1/1.
3. Click the link for ethernet1/1 and set the Interface Type to HA.

STEP 5 | Set up the Control Link (HA1) to use the management port.
1. Select Device > High Availability > General, and edit the Control Link (HA1) section.
2. (Optional) Select Encryption Enabled for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device.
   1. Select Device > Certificate Management > Certificates.
   2. Select Export HA key. Save the HA key to a network location that the peer device can access.
   3. On the peer device, navigate to Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer device.

STEP 6 | Set up the Data Link (HA2) to use ethernet1/1.
1. Select Device > High Availability > General, and edit the Data Link (HA2) section.
2. Select Port ethernet1/1.
3. Enter the IP address for ethernet1/1. This IP address must be the same as the one assigned to the ENI on the EC2 Dashboard.
4. Enter the Netmask.
5. Enter a Gateway IP address if the HA1 interfaces are on separate subnets.
6. Select IP or UDP for Transport. Use IP if you need Layer 3 transport (IP protocol number 99). Use UDP if you want the firewall to calculate the checksum on the entire packet rather than just the header, as in the IP option (UDP port 29281).
7. (Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers.
   If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs. You can configure the HA2 keep-alive option on both devices, or on just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.

STEP 7 | Set the device priority and enable preemption. Use this setting if you want to make sure that a specific device is the preferred active device. For information, see Device Priority and Preemption.
1. Select Device > High Availability > General and edit the Election Settings section.
2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the device that you want to assign a higher priority to. If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active device.
3. Select Preemptive. You must enable preemptive on both the active and the passive device.
4. Modify the failover timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.

STEP 8 | (Optional) Modify the wait time before a failover is triggered.
1. Select Device > High Availability > General and edit the Active/Passive Settings.
2. Modify the Monitor fail hold up time to a value between 1-60 minutes; the default is 1 minute. This is the time interval during which the firewall will remain active following a link failure. Use this setting to avoid an HA failover triggered by the occasional flapping of neighboring devices.

STEP 9 | Configure the IP address of the HA peer.
1. Select Device > High Availability > General, and edit the Setup section.
2. Enter the IP address of the HA1 port on the peer. This is the IP address assigned to the management interface (ethernet 0/0), which is also the HA1 link on the other firewall.
3. Set the Group ID number between 1 and 63. Although this value is not used on the VM-Series firewall on AWS, you cannot leave the field blank.

STEP 10 | Configure the other peer. Repeat steps 3 to 9 on the HA peer.

STEP 11 | After you finish configuring both devices, verify that the devices are paired in active/passive HA.
1. Access the Dashboard on both devices, and view the High Availability widget.
2. On the active device, click the Sync to peer link.
3. Confirm that the devices are paired and synced, as shown below:
   • On the passive device: The state of the local device should display passive and the configuration is synchronized.
   • On the active device: The state of the local device should display active and the configuration is synchronized.

STEP 12 | Verify that failover occurs properly.
1. Shut down the active HA peer.
   1. On the EC2 Dashboard, select Instances.
   2. From the list, select the VM-Series firewall and click Actions > Stop.
2. Check that the passive peer assumes the role of the active peer and that the dataplane interfaces have moved over to the now active HA peer.

Use Case: Secure the EC2 Instances in the AWS Cloud

In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: 10.0.0.0/24 and 10.0.1.0/24. The VM-Series firewall will be launched in the 10.0.0.0/24 subnet to which the internet gateway is attached. The 10.0.1.0/24 subnet is a private subnet that will host the EC2 instances that need to be secured by the VM-Series firewall; any server on this private subnet uses NAT for a routable IP address (which is an Elastic IP address) to access the internet.
Use the Planning Worksheet for the VM-Series in the AWS VPC to plan the design within your VPC; recording the subnet ranges, network interfaces and the associated IP addresses for the EC2 instances, and security groups will make the setup process easier and more efficient.

The following image depicts the logical flow of traffic to/from the web server to the internet. Traffic to/from the web server is sent to the data interface of the VM-Series firewall that is attached to the private subnet. The firewall applies policy and processes incoming/outgoing traffic from/to the internet gateway of the VPC. The image also shows the security groups to which the data interfaces are attached.

STEP 1 | Create a new VPC with a public subnet (or select an existing VPC).
1. Log in to the AWS console and select the VPC Dashboard.
2. Verify that you've selected the correct geographic area (AWS region). The VPC will be deployed in the currently selected region.
3. Select Start VPC Wizard, and select VPC with a Single Public Subnet. In this example, the IP CIDR block for the VPC is 10.0.0.0/16, the VPC name is Cloud DC, the public subnet is 10.0.0.0/24, and the subnet name is Cloud DC Public subnet. You will create a private subnet after creating the VPC.
4. Click Create VPC.

STEP 2 | Create a private subnet. Select Subnets, and click Create a Subnet. Fill in the information. In this example, the Name tag for the subnet is Web/DB Server Subnet, it is created in the Cloud Datacenter VPC and is assigned a CIDR block of 10.0.1.0/24.

STEP 3 | Create a new route table for each subnet. Although a main route table is automatically created on the VPC, we recommend creating new route tables instead of modifying the default route table.
To direct outbound traffic from each subnet, you will add routes to the route table associated with each subnet later in this workflow.
1. Select Route Tables > Create Route Table.
2. Add a Name, for example CloudDC-public-subnet-RT, select the VPC you created in Step 1, and click Yes, Create.
3. Select the route table, click Subnet Associations and select the public subnet.
4. Select Create Route Table.
5. Add a Name, for example CloudDC-private-subnet-RT, select the VPC you created in Step 1, and click Yes, Create.
6. Select the route table, click Subnet Associations and select the private subnet.

STEP 4 | Create Security Groups to restrict inbound/outbound internet access to the EC2 instances in the VPC. By default, AWS disallows communication between interfaces that do not belong to the same security group. Select Security Groups and click the Create Security Group button. In this example, we create three security groups with the following rules for inbound access:
• CloudDC-Management, which specifies the protocols and source IP addresses that can connect to the management interface of the VM-Series firewall. At a minimum you need SSH and HTTPS. In this example, we enable SSH, ICMP, HTTP, and HTTPS on the network interfaces that are attached to this security group. The management interface (eth 0/0) of the VM-Series firewall will be assigned to CloudDC-management-sg.
• Public-Server-CloudDC, which specifies the source IP addresses that can connect over HTTP, FTP, and SSH within the VPC. This group allows traffic from the external network to the firewall. The dataplane interface eth1/1 of the VM-Series firewall will be assigned to Public-Server-CloudDC.
• Private-Server-CloudDC, which has very limited access. It only allows other EC2 instances on the same subnet to communicate with each other, and with the VM-Series firewall. The dataplane interface eth1/2 of the VM-Series firewall and the application in the private subnet will be attached to this security group.

The following screenshot shows the security groups for this use case.

STEP 5 | Deploy the VM-Series firewall. Only the primary network interface that will serve as the management interface will be attached and configured for the firewall during the initial launch. The network interfaces required for handling data traffic will be added in Step 6. See Step 3 in Launch the VM-Series Firewall on AWS.

STEP 6 | Create and attach virtual network interface(s), referred to as Elastic Network Interfaces (ENIs), to the VM-Series firewall. These ENIs are used for handling data traffic to/from the firewall.
1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
2. Enter a descriptive name for the interface.
3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
4. Enter the Private IP address that you want to assign to the interface, or select Auto-assign to automatically assign an IP address from the available IP addresses in the selected subnet.
5. Select the Security group to control access to the network interface.
6. Click Yes, Create.
   In this example, we create two interfaces with the following configuration:
   • For Eth1/1 (VM-Series-Untrust)
     • Subnet: 10.0.0.0/24
     • Private IP: 10.0.0.10
     • Security group: Public-Server-CloudDC
   • For Eth1/2 (VM-Series-Trust)
     • Subnet: 10.0.1.0/24
     • Private IP: 10.0.1.10
     • Security group: Private-Server-CloudDC
7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM-Series firewall, and click Attach.
9. Repeat steps 7 and 8 to attach the other network interface.
STEP 7 | Create an Elastic IP address and attach it to the firewall dataplane network interface that requires direct internet access. In this example, VM-Series_Untrust is assigned an EIP. The EIP associated with the interface is the publicly accessible IP address for the web server in the private subnet.
1. Select Elastic IPs and click Allocate New Address.
2. Select EC2-VPC and click Yes, Allocate.
3. Select the newly allocated EIP and click Associate Address.
4. Select the Network Interface and the Private IP address associated with the interface and click Yes, Associate. In this example, the configuration is:

STEP 8 | Disable Source/Destination check on each network interface attached to the VM-Series firewall. Disabling this attribute allows the interface to handle network traffic that is not destined to its IP address.
1. Select the network interface in the Network Interfaces tab.
2. In the Action drop-down, select Change Source/Dest. Check.
3. Click Disabled and Save your changes.
4. Repeat steps 1-3 for additional network interfaces, firewall-1/2 in this example.

STEP 9 | In the route table associated with the public subnet (from step 3), add a default route to the internet gateway for the VPC.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the public subnet.
2. Select the route table, select Routes and click Edit.
3. Add a route to forward packets from this subnet to the internet gateway. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use the internet gateway attached to the VPC.

STEP 10 | In the route table associated with the private subnet, add a default route to send traffic to the VM-Series firewall. Adding this route enables the forwarding of traffic from the EC2 instances in this private subnet to the VM-Series firewall.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the private subnet.
2. Select the route table, select Routes and click Edit.
3. Add a route to forward packets from this subnet to the VM-Series firewall network interface that resides on the same subnet. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use eni-abf355f2 (ethernet 1/2, which is CloudDC-VM-Series-Trust) on the VM-Series firewall.

For each web or database server deployed on an EC2 instance in the private subnet, you must define a default route to the IP address of the VM-Series firewall so that the firewall is the default gateway for the server.

Perform steps 11 through 16 on the VM-Series firewall.

STEP 11 | Configure a new administrative password for the firewall. An SSH tool such as PuTTY is required to access the CLI on the firewall and change the default administrative password. You cannot access the web interface until you SSH in and change the default password.
1. Use the public IP address you configured on the firewall to SSH into the Command Line Interface (CLI) of the VM-Series firewall. You will need the private key that you used or created in Launch the VM-Series Firewall on AWS, steps 3-12, to access the CLI.
2. Enter the following command to log in to the firewall:

       ssh -i <private-key-file> admin@<firewall-management-ip>

3. Configure a new password using the following commands, and follow the onscreen prompts:

       configure
       set mgt-config users admin password
       commit

4. Terminate the SSH session.

STEP 12 | Access the web interface of the VM-Series firewall. Open a web browser and enter the EIP of the management interface. For example: https://54.183.85.163

STEP 13 | Activate the licenses on the VM-Series firewall. This step is only required for the BYOL license; the usage-based licenses are automatically activated. See Activate the License.
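Steps 1 through 10 above produce a small set of interlocking facts (subnets, ENI addresses, route targets, Source/Dest. Check, the EIP placement) that are easy to get wrong in the console and painful to debug afterwards. The following added example (not Palo Alto Networks or AWS code) captures that layout as an in-memory version of the Planning Worksheet and checks it offline against the constraints the steps impose. The Plan and Eni classes, the validate function and the "igw" route target are constructed for this illustration; the EIP and the administrator source range are constructed documentation addresses. The check that the management security group must not admit SSH/HTTPS from 0.0.0.0/0 is my own least-privilege assumption, not a statement from the guide.

```python
"""Consistency checks for the VPC layout built in Steps 1-10 of this use case.

Added illustration, not Palo Alto Networks or AWS code.  The Plan below is a
constructed in-memory version of what the Planning Worksheet records (subnets,
firewall ENIs, route tables, security groups), and validate() encodes the
constraints the steps impose: ENI addresses inside their subnets, Source/Dest.
Check disabled on firewall ENIs, the public subnet defaulting to the internet
gateway, the private subnet defaulting to the firewall ENI in that same subnet,
and an EIP only on an ENI whose subnet routes to the internet gateway.  The rule
that the management security group must not admit traffic from 0.0.0.0/0 is
the author's own least-privilege assumption, not a statement from the guide.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IGW = "igw"  # route target meaning "the VPC's internet gateway" (constructed label)


@dataclass
class Eni:
    name: str
    subnet: str               # CIDR of the subnet the ENI lives in
    private_ip: str
    security_group: str
    src_dst_check: bool       # Step 8: must be disabled on firewall ENIs
    eip: Optional[str] = None


@dataclass
class Plan:
    vpc_cidr: str
    subnets: Dict[str, str]                        # name -> CIDR
    enis: List[Eni]
    routes: Dict[str, Dict[str, str]]              # subnet name -> {destination: target}
    sg_inbound: Dict[str, List[Tuple[str, str]]]   # group -> [(proto/port, source CIDR)]


def example_plan() -> Plan:
    """The layout from this use case; returns a fresh object each call."""
    return Plan(
        vpc_cidr="10.0.0.0/16",
        subnets={"public": "10.0.0.0/24", "private": "10.0.1.0/24"},
        enis=[
            Eni("VM-Series-Untrust", "10.0.0.0/24", "10.0.0.10", "Public-Server-CloudDC",
                src_dst_check=False, eip="203.0.113.10"),   # constructed EIP
            Eni("VM-Series-Trust", "10.0.1.0/24", "10.0.1.10", "Private-Server-CloudDC",
                src_dst_check=False),
        ],
        routes={"public": {"0.0.0.0/0": IGW}, "private": {"0.0.0.0/0": "VM-Series-Trust"}},
        sg_inbound={"CloudDC-Management": [("tcp/22", "198.51.100.0/24"),     # constructed
                                           ("tcp/443", "198.51.100.0/24")]},  # admin range
    )


def validate(plan: Plan) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(plan.vpc_cidr)
    nets = {n: ipaddress.ip_network(c) for n, c in plan.subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} lies outside VPC {vpc}")

    by_name = {e.name: e for e in plan.enis}
    igw_subnets = {s for s, t in plan.routes.items() if t.get("0.0.0.0/0") == IGW}
    for e in plan.enis:
        net = ipaddress.ip_network(e.subnet)
        if ipaddress.ip_address(e.private_ip) not in net:
            problems.append(f"{e.name}: {e.private_ip} is not inside {e.subnet}")
        if e.src_dst_check:
            problems.append(f"{e.name}: source/destination check is still enabled")
        if e.eip and not any(nets.get(s) == net for s in igw_subnets):
            problems.append(f"{e.name}: has an EIP but its subnet has no route to the internet gateway")

    for sname, table in plan.routes.items():
        target = table.get("0.0.0.0/0")
        if target is None:
            problems.append(f"{sname}: no default route")
        elif target != IGW:
            eni = by_name.get(target)
            if eni is None or sname not in nets or ipaddress.ip_network(eni.subnet) != nets[sname]:
                problems.append(f"{sname}: default route target {target} is not a firewall ENI in that subnet")

    for rule, src in plan.sg_inbound.get("CloudDC-Management", []):
        if ipaddress.ip_network(src).prefixlen == 0:
            problems.append(f"CloudDC-Management: {rule} is open to the whole internet ({src})")
    return problems


if __name__ == "__main__":
    print("problems:", validate(example_plan()) or "none")
```

Fill in example_plan() from your own worksheet and run the script before Step 11; every problem it prints corresponds to one of the console steps above that was skipped or pointed at the wrong object.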
STEP 14 | On the VM-Series firewall, configure the dataplane network interfaces on the firewall as Layer 3 interfaces.
1. Select Network > Interfaces > Ethernet.
2. Click the link for ethernet 1/1 and configure as follows:
   • Interface Type: Layer3
   • Select the Config tab, and assign the interface to the default router.
   • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust, and then click OK.
   • Select IPv4, then select DHCP Client; the private IP address that you assigned to the network interface in the AWS management console will be acquired automatically.
   • On the Advanced > Other Info tab, expand the Management Profile drop-down, and select New Management Profile.
   • Enter a Name for the profile, such as allow_ping, select Ping from the Permitted Services list, and then click OK.
   • To save the interface configuration, click OK.
3. Click the link for ethernet 1/2 and configure as follows:
   • Interface Type: Layer3
   • Select the Config tab, and assign the interface to the default router.
   • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust, and then click OK.
   • Select IPv4, then select DHCP Client.
   • On the IPv4 tab, clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the IGW on the VPC.
   • On the Advanced > Other Info tab, expand the Management Profile drop-down, and select the allow_ping profile you created earlier.
   • Click OK to save the interface configuration.
4. Click Commit to save the changes. Verify that the Link state for the interface is up. If the link state is not up, reboot the firewall.
STEP 15 | On the VM-Series firewall, create Destination NAT and Source NAT rules to allow inbound/outbound traffic to/from the applications deployed within the VPC.
1. Select Policies > NAT.
2. Create a Destination NAT rule that steers traffic from the firewall to the web server.
   1. Click Add and enter a name for the rule. For example, NAT2WebServer.
   2. In the Original Packet tab, make the following selections:
      • Source Zone: untrust (where the traffic originates)
      • Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated)
      • Source Address: Any
      • Destination Address: 10.0.0.10
      • In the Translated Packet tab, select the Destination Address Translation check box and set the Translated Address to 10.0.1.62, which is the private IP address of the web server.
   3. Click OK.
3. Create a Source NAT rule to allow outbound traffic from the web server to the internet.
   1. Click Add and enter a name for the rule. For example, NAT2External.
   2. In the Original Packet tab, make the following selections:
      • Source Zone: trust (where the traffic originates)
      • Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated)
      • Source Address: Any
      • Destination Address: Any
   3. In the Translated Packet tab, make the following selections in the Source Address Translation section:
      • Translation Type: Dynamic IP and Port
      • Address Type: Translated Address
      • Translated Address: 10.0.0.10 (the firewall dataplane interface in the untrust zone)
   4. Click OK.
4. Click Commit to save the NAT policies.
STEP 16 | On the VM-Series firewall, create security policies to manage traffic.
Instead of entering a static IP address for the web server, use a dynamic address group.
Dynamic address groups allow you to create policy that automatically adapts to changes, so that you do not need to update the policy when you launch additional web servers in the subnet. For details, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
1. Select Policies > Security. In this example, we have four rules: a rule that allows management access to the firewall, a rule to allow inbound traffic to the web server, a third rule to allow internet access to the web server, and a last rule in which we modify the predefined interzone-default rule to log all traffic that is denied.
2. Create a rule to allow management access to the firewall.
   1. Click Add and enter a Name for the rule. Verify that the Rule Type is universal.
   2. In the Source tab, add untrust as the Source Zone.
   3. In the Destination tab, add trust as the Destination Zone.
   4. In the Applications tab, Add ping and ssh.
   5. In the Actions tab, set the Action to Allow.
   6. Click OK.
3. Create a rule to allow inbound traffic to the web server.
   1. Click Add, enter a Name for the rule and verify that the Rule Type is universal.
   2. In the Source tab, add untrust as the Source Zone.
   3. In the Destination tab, add trust as the Destination Zone.
   4. In the Applications tab, Add web-browsing.
   5. In the Service/URL Category tab, verify that the service is set to application-default.
   6. In the Actions tab, set the Action to Allow.
   7. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
   8. Click OK.
4. Create a rule to allow internet access to the web server.
   1. Click Add, enter a Name for the rule and verify that the Rule Type is universal.
   2. In the Source tab, add trust as the Source Zone.
   3. In the Source Address section of the Source tab, add 10.0.1.62, the IP address of the web server.
   4. In the Destination tab, add untrust as the Destination Zone.
   5. In the Service/URL Category tab, verify that the service is set to application-default.
   6. In the Actions tab, set the Action to Allow.
   7. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
   8. Click OK.
5. Edit the interzone-default rule to log all traffic that is denied. This predefined interzone rule is evaluated when no other rule is explicitly defined to match traffic across different zones.
   1. Select the interzone-default rule and click Override.
   2. In the Actions tab, select Log at session end.
   3. Click OK.
6. Review the complete set of security rules defined on the firewall.
7. Click Commit to save the policies.
STEP 17 | Verify that the VM-Series firewall is securing traffic.
1. Launch a web browser and enter the IP address for the web server.
2. Log in to the web interface of the VM-Series firewall and verify that you can see the traffic logs for the sessions at Monitor > Logs > Traffic.
   • Traffic inbound to the web server (arrives at the EC2 instance in the AWS VPC):
   • Traffic outbound from the web server (EC2 instance in the AWS VPC):
You have successfully deployed the VM-Series firewall as a cloud gateway!
Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
In a dynamic environment such as the AWS VPC, where you launch new EC2 instances on demand, the administrative overhead of managing security policy can be cumbersome. Using Dynamic Address Groups in security policy allows for agility and prevents disruption in services or gaps in protection.
In this example, you can use the VM Information Source on the firewall to monitor a VPC and use Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and security policy is then applied to the group. The security policy in this example allows internet access to all members of the group.
Instead of using the VM Information Source on the firewall, you can opt to use Panorama as the central point for communicating with your VPCs. Using the AWS plugin on Panorama, you can retrieve the IP address-to-tag mapping and register the information on the managed firewalls for which you configure notification. For more details on this option, see VM Monitoring with the AWS Plugin on Panorama.
The workflow in the following section assumes that you have created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
STEP 1 | Configure the firewall to monitor the VPC.
1. Select Device > VM Information Sources.
2. Click Add and enter the following information:
   1. A Name to identify the VPC that you want to monitor. For example, VPC-CloudDC.
   2. Set the Type to AWS VPC.
   3. In Source, enter the URI for the VPC. The syntax is ec2..amazonaws.com
   4. Add the credentials required for the firewall to digitally sign API calls made to the AWS services. You need the following:
      • Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
      • Secret Access Key: Enter the password and confirm your entry.
   5. (Optional) Modify the Update interval to a value between 5-600 seconds. By default, the firewall polls every 5 seconds.
      The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
   6. Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console.
   7. Click OK, and Commit the changes.
   8. Verify that the connection Status displays as connected.
STEP 2 | Tag the EC2 instances in the VPC.
For a list of tags that the VM-Series firewall can monitor, see List of Attributes Monitored on the AWS VPC. A tag is a name-value pair. You can tag the EC2 instances either on the EC2 Dashboard on the AWS management console or using the AWS API or AWS CLI. In this example, we use the EC2 Dashboard to add the tag:
STEP 3 | Create a dynamic address group on the firewall.
View the tutorial to see a big-picture view of the feature.
1. Select Objects > Address Groups.
2. Click Add and enter a Name and a Description for the address group.
3. Select Type as Dynamic.
4. Define the match criteria.
   1. Click Add Match Criteria, and select the And operator.
   2. Select the attributes to filter for or match against. In this example, we select the ExternalAccessAllowed tag that you just created and the subnet ID for the private subnet of the VPC.
5. Click OK.
6. Click Commit.
STEP 4 | Use the dynamic address group in a security policy.
To create a rule that allows internet access to any web server that belongs to the dynamic address group called ExternalServerAccess:
1. Select Policies > Security.
2. Click Add, enter a Name for the rule and verify that the Rule Type is universal.
3. In the Source tab, add trust as the Source Zone.
4. In the Source Address section of the Source tab, Add the ExternalServerAccess group you just created.
5. In the Destination tab, add untrust as the Destination Zone.
6. In the Service/URL Category tab, verify that the service is set to application-default.
7. In the Actions tab, set the Action to Allow.
8. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
9. Click OK.
10. Click Commit.
STEP 5 | Verify that members of the dynamic address group are populated on the firewall.
Policy will be enforced for all IP addresses that belong to this address group and are displayed here.
1. Select Policies > Security, and select the rule.
2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed.
Use Case: VM-Series Firewalls as GlobalProtect Gateways on AWS
Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up the security and IT infrastructure, and ensuring bandwidth and uptime requirements in multiple locations around the globe, while staying within your budget. The VM-Series firewall on AWS melds the security and IT logistics required to consistently and reliably protect devices used by mobile users in regions where you do not have a presence. By deploying the VM-Series firewall in the AWS cloud, you can quickly and easily deploy GlobalProtect™ gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources. To minimize latency, select AWS regions that are closest to your users, deploy the VM-Series firewalls on EC2 instances, and configure the firewalls as GlobalProtect gateways.
With this solution, the GlobalProtect gateways in the AWS cloud enforce security policy for internet traffic, so there is no need to backhaul that traffic to the corporate network. Additionally, for access to resources on the corporate network, the VM-Series firewalls on AWS leverage the LSVPN functionality to establish IPSec tunnels back to the firewall on the corporate network.
For ease of deployment and centralized management of this distributed infrastructure, use Panorama to configure the GlobalProtect components used in this solution. Optionally, to ensure that mobile devices, such as smartphones and tablets, are safe for use on your network, use a Mobile Device Manager to configure and manage mobile devices.
• Components of the GlobalProtect Infrastructure
• Deploy GlobalProtect Gateways on AWS
Components of the GlobalProtect Infrastructure
To block risky applications and protect mobile users from malware, you must set up the GlobalProtect infrastructure, which includes the GlobalProtect portal, the GlobalProtect gateway, and the GlobalProtect app. Additionally, for access to corporate resources, you must set up an IPSec VPN connection between the VM-Series firewalls on AWS and the firewall in the corporate headquarters using LSVPN (a hub and spoke VPN deployment).
• The GlobalProtect agent/app is installed on each end-user system that is allowed to access corporate applications and resources. The agent first connects to the portal to obtain information on the gateways and then establishes a secure VPN connection to the closest GlobalProtect gateway. The VPN connection between the end-user system and the gateway ensures data privacy.
• The GlobalProtect portal provides the management functions for the GlobalProtect infrastructure.
  Every end-user system receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In this use case, the GlobalProtect portal is a hardware-based firewall that is deployed in the corporate headquarters.
• The GlobalProtect gateway delivers mobile threat prevention and policy enforcement based on applications, users, content, device, and device state. In this use case, the VM-Series firewalls on AWS function as the GlobalProtect gateways. The GlobalProtect gateway scans each user request for malware and other threats and, if policy allows, sends the request to the internet or to the corporate network over the IPSec tunnel (to the LSVPN gateway).
• For LSVPN, you must configure the GlobalProtect portal, the GlobalProtect gateway for LSVPN (hub), and the GlobalProtect satellites (spokes). In this use case, the hardware-based firewall in the corporate office is deployed as the GlobalProtect portal and the LSVPN gateway. The VM-Series firewalls on AWS are configured to function as GlobalProtect satellites. The GlobalProtect satellites and gateway are configured to establish an IPSec tunnel that terminates on the gateway. When a mobile user requests an application or resource that resides on the corporate network, the VM-Series firewall routes the request over the IPSec tunnel.
Deploy GlobalProtect Gateways on AWS
To secure mobile users, in addition to deploying and configuring the GlobalProtect gateways on AWS, you need to set up the other components required for this integrated solution. The recommended workflow is as follows:
• Deploy the VM-Series firewall(s) on AWS. See Deploy the VM-Series Firewall on AWS.
• Configure the firewall at the corporate headquarters. In this use case, the firewall is configured as the GlobalProtect portal and the LSVPN gateway.
  • Configure the GlobalProtect portal.
  • Configure the GlobalProtect portal for LSVPN.
  • Configure the portal to authenticate LSVPN satellites.
  • Configure the GlobalProtect gateway for LSVPN.
• Set up a template on Panorama for configuring the VM-Series firewalls on AWS as GlobalProtect gateways and LSVPN satellites. To easily manage this distributed deployment, use Panorama to configure the firewalls on AWS.
  • Create template(s) on Panorama. Then use the following links to define the configuration in the templates.
  • Configure the firewall as a GlobalProtect gateway.
  • Prepare the satellite to join the LSVPN.
• Create device groups on Panorama to define the network access policies and internet access rules and apply them to the firewalls on AWS. See Create device groups.
• Apply the templates and the device groups to the VM-Series firewalls on AWS, and verify that the firewalls are configured properly.
• Deploy the GlobalProtect client software. Every end-user system requires the GlobalProtect agent or app to connect to the GlobalProtect gateway. See Deploy the GlobalProtect client software.
VM Monitoring on AWS
As you deploy or terminate virtual machines in the AWS public cloud, you can either use the Panorama plugin for AWS or use the VM Information Sources on the firewall to consistently enforce security policy rules on these workloads. See the Compatibility Matrix for Panorama plugin version information.
The Panorama plugin for AWS version 2.0 is built for scale and allows you to monitor up to 1000 AWS VPCs on the AWS public cloud. With this plugin, you use Panorama as an anchor to poll your AWS accounts for tags, and then distribute the metadata (IP address-to-tag mapping) to many firewalls in a device group.
Because Panorama communicates with your AWS accounts to retrieve VM information, you are able to streamline the number of API calls made to the cloud environment. When using Panorama and the AWS plugin, you can centralize the retrieval of tags and Security policy management to ensure consistent policies for hybrid and cloud-native architectures. See VM Monitoring with the AWS Plugin on Panorama.
If you do not have Panorama, or you have a simpler deployment and need to monitor 10 VPCs or fewer, you can use the VM Information Source on the firewall (hardware or VM-Series firewall) to monitor your AWS workloads. You can use the metadata that the firewall retrieves in Dynamic Address Groups and reference them in Security policies to secure your VM workloads as they spin up or down and IP addresses change frequently. See Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
VM Monitoring with the AWS Plugin on Panorama
As you deploy or terminate virtual machines in the AWS public cloud, you need a way to synchronously update Security policy on your Palo Alto Networks® firewall(s) so that you can secure these EC2 instances. To enable this capability from Panorama, you must install the AWS plugin on Panorama and enable API communication between Panorama and your AWS VPCs. Panorama can then collect a predefined set of attributes (or metadata elements) as tags for your EC2 instances and register the information to your Palo Alto Networks® firewall(s). When you reference these tags in Dynamic Address Groups and match against them in Security policy rules, you can consistently enforce policy across all assets deployed within your AWS accounts.
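The chain this chapter describes (tags on EC2 instances, an IP address-to-tag mapping registered on the firewall by the VM Information Source or by the Panorama plugin, dynamic address group match criteria such as the tag AND private-subnet criteria in STEP 3 of Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC, and the security rulebase from STEP 16 that references the group) is modelled below in Python as an added example. It is not code from this guide or from Palo Alto Networks: the registrations, VPC IDs, subnet IDs and tag strings are constructed (the tag strings are not the plugin's real attribute names), and the evaluator is a simplified first-match model, not PAN-OS. It also shows why the planning checklist later in this chapter warns about duplicate IP addresses across VPCs: once the tags for one address are appended together, an instance can land in a group that neither VPC's data alone would have put it in.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample of the IP address-to-tag mapping that the firewall's VM
# Information Source (or the Panorama AWS plugin) registers, keyed by VPC.
# VPC IDs, subnet IDs and tag strings are labels made up for this example;
# they are not the plugin's exact attribute names.
Mapping = Dict[str, Set[str]]  # IP address -> registered tags
REGISTRATIONS: Dict[str, Mapping] = {
    "vpc-aaaa1111": {
        "10.0.1.62": {"tag:ExternalAccessAllowed=yes", "subnet-id:subnet-priv-1"},
        "10.0.1.63": {"tag:ExternalAccessAllowed=yes", "subnet-id:subnet-priv-1"},
        "10.0.1.70": {"tag:Name=db-1", "subnet-id:subnet-priv-1"},
        "10.0.0.25": {"tag:ExternalAccessAllowed=yes", "subnet-id:subnet-pub-1"},
    },
    "vpc-bbbb2222": {
        # Same private IP as the database server in the first VPC: a duplicate.
        "10.0.1.70": {"tag:ExternalAccessAllowed=yes", "subnet-id:subnet-lab-1"},
    },
}


def find_duplicate_ips(by_vpc: Dict[str, Mapping]) -> Dict[str, List[str]]:
    """Return IPs registered from more than one VPC, with the VPCs involved."""
    seen: Dict[str, List[str]] = {}
    for vpc_id, mapping in by_vpc.items():
        for ip in mapping:
            seen.setdefault(ip, []).append(vpc_id)
    return {ip: vpcs for ip, vpcs in seen.items() if len(vpcs) > 1}


def merge_registrations(by_vpc: Dict[str, Mapping]) -> Mapping:
    """Flatten the per-VPC mappings into one IP-to-tags map.

    For a duplicate IP the tags from every VPC end up appended together, which
    is the effect the planning checklist warns about: the merged entry can
    satisfy match criteria that neither real instance satisfies on its own.
    """
    merged: Mapping = {}
    for mapping in by_vpc.values():
        for ip, tags in mapping.items():
            merged.setdefault(ip, set()).update(tags)
    return merged


def dag_members(mapping: Mapping, criteria: List[str], operator: str = "and") -> Set[str]:
    """Evaluate dynamic address group match criteria over the registered IPs."""
    if operator == "and":
        return {ip for ip, tags in mapping.items() if all(c in tags for c in criteria)}
    if operator == "or":
        return {ip for ip, tags in mapping.items() if any(c in tags for c in criteria)}
    raise ValueError(f"unsupported operator {operator!r}")


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: Set[str]
    action: str
    src_groups: Set[str] = field(default_factory=set)  # DAG names; empty = any source


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    app: str


# Rulebase modelled on the use case: management access to the firewall, inbound
# web, and outbound web restricted to the ExternalServerAccess group.
RULES: List[Rule] = [
    Rule("Allow-mgmt", "untrust", "trust", {"ping", "ssh"}, "allow"),
    Rule("Allow-inbound-web", "untrust", "trust", {"web-browsing"}, "allow"),
    Rule("Allow-outbound-web", "trust", "untrust", {"web-browsing"}, "allow",
         {"ExternalServerAccess"}),
]
# Match criteria from STEP 3 of the use case: the tag AND the private subnet.
DAGS: Dict[str, Tuple[List[str], str]] = {
    "ExternalServerAccess": (["tag:ExternalAccessAllowed=yes", "subnet-id:subnet-priv-1"], "and"),
}


def evaluate(flow: Flow, rules: List[Rule], dags, mapping: Mapping) -> Tuple[str, str]:
    """First-match rule evaluation; returns (rule name, action).

    A flow that matches no explicit rule falls through to interzone-default,
    which denies it (and, after the override in STEP 16, logs it).
    """
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if flow.app not in rule.apps:
            continue
        if rule.src_groups:
            members = set().union(*(dag_members(mapping, *dags[g]) for g in rule.src_groups))
            if flow.src_ip not in members:
                continue
        return rule.name, rule.action
    return "interzone-default", "deny"


if __name__ == "__main__":
    print("duplicate IPs:", find_duplicate_ips(REGISTRATIONS))
    vpc = REGISTRATIONS["vpc-aaaa1111"]
    print("ExternalServerAccess:", sorted(dag_members(vpc, *DAGS["ExternalServerAccess"])))
    db = Flow("trust", "untrust", "10.0.1.70", "web-browsing")
    print("db server, single VPC:", evaluate(db, RULES, DAGS, vpc))
    print("db server, merged VPCs:", evaluate(db, RULES, DAGS, merge_registrations(REGISTRATIONS)))
```

Run as a script it prints the duplicate address, the group members, and the two verdicts for the database server: denied by interzone-default when only the first VPC is registered, allowed once the duplicate's tags are appended and it satisfies the group's AND criteria. Swapping in your own registrations lets you check a group's match criteria before committing the policy.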
• Set Up the AWS Plugin for VM Monitoring on Panorama
• List of Attributes Monitored on the AWS VPC
Set Up the AWS Plugin for VM Monitoring on Panorama
To find all the virtual machine workloads that your organization has deployed in the AWS public cloud, you need to install the AWS plugin on Panorama and configure Monitoring Definitions that enable Panorama to authenticate to your AWS VPC(s) and retrieve VM information on the workloads. Panorama retrieves the IP addresses of the VMs that are running (public IP address, and primary and secondary private IP addresses) and the associated tags. For a list of the metadata elements that Panorama supports, see List of Attributes Monitored on the AWS VPC.
After Panorama fetches the attributes, to push the virtual machine information from Panorama to the firewalls, you must add the firewalls (hardware or VM-Series) as managed devices on Panorama and group the firewalls into one or more Device Groups. You can then specify which device groups are part of the Notify Group, a configuration element in a Monitoring Definition that Panorama uses to register the IP address-to-tag mapping it retrieves from AWS.
Finally, to consistently enforce Security policies across the EC2 instances, you must set up Dynamic Address Groups and reference them in policy rules that allow or deny traffic to the IP addresses of the VMs. To streamline your configuration and manage policies and objects centrally from Panorama, you can define the Dynamic Address Groups and Security policy rules on Panorama and push them to the firewalls instead of managing the Dynamic Address Groups and Security policy rules locally on each firewall.
The AWS plugin version 2.0 is for monitoring EC2 instances for up to 1000 VPCs on the AWS public cloud, AWS GovCloud, and AWS China.
However, because Panorama cannot be deployed on AWS China, the IAM role does not support instance profiles on AWS China; you must provide the AWS credentials.
• Planning Checklist for VM Monitoring on AWS
• IAM Roles and Permissions for Panorama
• Install the AWS Plugin
• Configure the AWS Plugin for VM Monitoring
Planning Checklist for VM Monitoring on AWS
For Panorama to interact with the AWS APIs and collect information on your EC2 instances, you need to create an IAM role and assign the policies that grant the permissions required to authenticate to AWS and access the EC2 instances within your VPC. You can add 100 IAM Roles to manage up to 1000 VPCs on Panorama.
• Gather the VPC ID.
• Tag your EC2 instances on AWS. You can tag (define a name-value pair) the EC2 instances either on the EC2 Dashboard on the AWS management console or using the AWS API or AWS CLI. See List of Attributes Monitored on the AWS VPC for the list of supported attributes.
• Check for duplicate IP addresses across the VPCs for which you will enable monitoring. If you have duplicate IP addresses across AWS VPCs, the metadata will be appended together or swapped, and this may cause unexpected results in policy enforcement. Duplicate IP addresses are written to the plugin_aws_ret.log file, which you can access from the CLI on Panorama.
• Review the requirements for Panorama and the managed firewalls:
  • Minimum system requirements: Panorama virtual appliance or hardware-based Panorama appliance.
    Panorama Minimum Requirements
    System Resources (by number of monitored VPCs):
      Memory   CPUs   Monitored VPCs
      16 GB    4      1-100
      32 GB    8      100-500
      64 GB    16     500-1000
    Number of Tags Registered: Panorama 9.0.5 or later with AWS plugin v2.0 is tested to retrieve 10,000 IP addresses with 13 tags each, or 5000 IP addresses with 25 tags each, and successfully register them to the firewalls included within a device group. The tag length (name and value together) for each EC2 instance is assumed to be 64 bytes per tag. An EC2 instance Name tag looks like, for example, aws.ec2.tag.Name.prod-web-app-4523-lvss6j.
    Panorama OS: 9.0.6 or later
    AWS plugin: 2.0.0 or later
    Licenses: Active support license and a device management license on Panorama for managing the firewalls. Next-generation firewalls must also have a valid support license.
    Roles and Permissions: See IAM Roles and Permissions for Panorama to retrieve metadata on the EC2 instances.
• You must add the firewalls as managed devices on Panorama and create Device Groups so that you can configure Panorama to notify these groups with the VM information it retrieves. Device groups can include VM-Series firewalls or virtual systems on the hardware firewalls. Make sure that the firewalls that are part of the device group on Panorama are not enabled to use VM Information Source for AWS. You must disable VM Information Source for AWS on those firewalls, to avoid conflicts and unexpected behavior with tags, before you enable the Panorama plugin for monitoring AWS VPCs.
• If your Panorama appliances are in a high availability configuration, you must manually install the same version of the AWS plugin on both Panorama peers. Additionally, if you are using instance profiles, you must attach the same instance profile to both Panorama peers. You configure the AWS plugin on the active Panorama peer only.
  On commit, the configuration is synced to the passive Panorama peer. Only the active Panorama peer polls the AWS accounts you have configured for VM Monitoring.
• Set up the credentials/permissions that Panorama requires to digitally sign API calls to the AWS services. You can choose whether to provide the long-term credentials (Access Key ID and Secret Access Key) that enable access to the resources within each AWS account, or to set up an Assume Role on AWS to allow access to defined AWS resources within the same AWS account or across accounts. With an Assume Role, you must set up a trust relationship and define the permissions while creating the role itself. This is specifically useful in a cross-account deployment where the querying account does not have permissions to see or handle data from the queried account. For the Panorama plugin to successfully authenticate to the VPC and retrieve the tags, you must configure the Assume Role to use the AWS Security Token Service (STS) API to any AWS service, and a user from the querying account must have STS permissions to query the Assume Role and obtain the temporary security credentials to access resources.
  If your Panorama is deployed on AWS, you can opt to use an instance profile instead of providing the AWS credentials for the IAM role. The instance profile includes the role information and associated credentials that Panorama needs to digitally sign API calls to the AWS services. See IAM Roles and Permissions for Panorama for more details.
IAM Roles and Permissions for Panorama
With the AWS plugin version 2.0, you can use IAM roles or instance profiles to enable Panorama to authenticate and retrieve metadata on the resources deployed within your AWS account(s).
• When your Panorama is not deployed on AWS, you have two options.
  You can either provide the long-term IAM credentials for the AWS accounts you want to monitor, or set up an Assume Role on AWS to allow access to defined AWS resources within the same AWS account or across accounts. An Assume Role is recommended as the more secure option.
• When your Panorama is deployed on AWS, in addition to the two options listed above, you can also add an instance profile that allows the IAM role to be passed to the EC2 instance. You can use an instance profile where all your monitored resources and Panorama are hosted within the same account, or an instance profile with Assume Role for cross-account access where your Panorama and monitored resources are deployed across different AWS accounts. If you use the instance profile, you do not enter your AWS credentials on Panorama.
Option 1: IAM role with long-term credentials
Roles and Permissions Required: The AWS credentials associated with the AWS account that has the VPC/EC2 instances you want to monitor. The JSON format for the minimum permissions associated with the IAM role with long-term credentials is as follows:
    {
      "Path": "/",
      "UserName": "panorama_vm_programmatic",
      "UserId": "AIDAIZXXXXCR5JPII4XYZ",
      "Arn": "arn:aws:iam::412383210500:user/panorama_vm_programmatic",
      "CreateDate": "2018-07-06T19:14:31Z",
      "GroupList": [],
      "AttachedManagedPolicies": [
        {
          "PolicyName": "ReadOnlyAccess",
          "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"
        }
      ]
    }
Inputs on Panorama: Enter the Access Key ID and Secret Access Key for the user in Panorama > Plugins > AWS > Setup > IAM Role.
Option 2: IAM role with Assume Role
Roles and Permissions Required: While you can use this option to monitor VPCs within the same account or across accounts, this option is recommended to enable cross-account access by assuming a role that allows you to access resources to which you may not normally have access.
To assume a role from a different account, your AWS account must be trusted by that role and defined as a trusted entity in its trust policy. In addition, a user who wants to access a role in a different account must have a policy with Security Token Service (STS) access that specifies the role ARN.
On Account 1, which you want to monitor:
• Create an IAM role with the required permissions. For VM Monitoring you need AmazonEC2ReadOnlyAccess.
• Copy the Role ARN.
• Create a user and add the Account ID for Account 2 as a trusted entity. This gives Account 2 the permissions to use this role to access the resources within your Account 1.
On Account 2, which requires access to Account 1:
• Attach the following policy with STS permissions and modify the Role ARN to match what you created on Account 1.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::012347211234:role/PAN-OS-assume-role"
      }
    }
Inputs on Panorama:
• Enter the Access Key ID and Secret Access Key for the user on Account 2 in Panorama > Plugins > AWS > Setup > IAM Role.
• Enter the Role ARN for AWS Account 1, which you want to monitor, in Panorama > Plugins > AWS > Monitoring Definitions.
Option 3: Instance profile
Roles and Permissions Required: Only when Panorama is deployed as an EC2 instance on AWS. Note that when you use the AWS Management Console to create an IAM role, the console automatically creates an instance profile with the same name as the role. Because the role and the instance profile have the same name, when you launch your Panorama (EC2 instance) with an IAM role, the instance profile of the same name is associated with it. When Panorama and the resources you want to monitor are all in a single AWS account, create an IAM role with AmazonEC2ReadOnlyAccess.
Inputs on Panorama: Select Instance Profile as the option in Panorama > Plugins > AWS > Setup > IAM Role.
Option 4: Instance profile with Assume Role
Roles and Permissions Required: Use an instance profile with Assume Role when Panorama and the resources you want to monitor are deployed across AWS accounts. For Panorama HA, make sure to attach the same instance profile to both Panorama peers.
On Account 1, where your EC2 instances are deployed:
• Create an IAM role.
• To this role, add the AWS Account ID (Account 2) where your Panorama is deployed as a trusted entity.
• Attach the JSON policies as detailed above for VM Monitoring.
• Copy the Role ARN. This role is required for Panorama to retrieve metadata on your EC2 instances or EKS clusters.
On Account 2, where your Panorama is deployed:
• Create an IAM role and attach the JSON policy (with the STS policy and the resource ARN you got from Account 1).
• For each additional AWS account you want to monitor, copy the same STS policy and modify the Role ARN.
Inputs on Panorama:
• Select Instance Profile as the option in Panorama > Plugins > AWS > Setup > IAM Role.
• Enter the Role ARN for the AWS account which you want to monitor (Account 1 in this example) in Panorama > Plugins > AWS > Monitoring Definitions.
Install the AWS Plugin
To get started with monitoring your EC2 instances on AWS, you need to download and install the AWS plugin on Panorama. If you have a Panorama HA configuration, repeat this installation process on each Panorama peer. The plugin configuration is automatically synced across the Panorama peers.
After you install the AWS plugin v2.0 you cannot downgrade to v1.0. If you are on Panorama 9.0.5 and have installed the AWS plugin v1.0, before you install the AWS plugin v2.0, make sure to remove the plugin configuration and uninstall v1.0.
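Before moving on to install the plugin, it is worth checking the cross-account role setup from Options 2 and 4 above. The following Python is an example added here, not code from this guide or from the AWS plugin: it builds the trust policy for the role in the monitored account (naming the Panorama account as the trusted entity, in the standard arn:aws:iam::<account>:root principal form), builds the sts:AssumeRole policy for the Panorama account with one role ARN per monitored account, and lints such a policy for over-broad settings (a wildcard resource, or actions beyond sts:AssumeRole). The account IDs and the role name are placeholders constructed for the example.

```python
import json
import re
from typing import Any, Dict, List

# Placeholder account IDs and role name constructed for this example.
MONITORED_ACCOUNT = "111111111111"  # Account 1: where the EC2 instances run
PANORAMA_ACCOUNT = "222222222222"   # Account 2: where Panorama runs
ROLE_NAME = "PAN-OS-assume-role"

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# A fully specified IAM role ARN; '*' is deliberately not in the allowed set.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def is_role_arn(value: str) -> bool:
    """True only for a specific IAM role ARN with no wildcard."""
    return bool(ROLE_ARN_RE.match(value))


def role_arn(account_id: str, name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{name}"


def trust_policy(trusted_account_id: str) -> Dict[str, Any]:
    """Trust policy for the role in the monitored account (Account 1).

    Names the querying (Panorama) account as the trusted entity, so only
    principals in that account can call sts:AssumeRole on the role.
    """
    if not ACCOUNT_ID_RE.match(trusted_account_id):
        raise ValueError(f"not a 12-digit AWS account id: {trusted_account_id}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def sts_policy(role_arns: List[str]) -> Dict[str, Any]:
    """Policy for the principal in the Panorama account (Account 2).

    Grants sts:AssumeRole on exactly the monitored accounts' role ARNs, one
    per account, which is what copying the STS policy and changing the Role
    ARN for each additional account amounts to.
    """
    for arn in role_arns:
        if not is_role_arn(arn):
            raise ValueError(f"not a specific IAM role ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": sorted(set(role_arns)),
        }],
    }


def _as_list(value: Any) -> List[Any]:
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_sts_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag over-broad settings in an Assume Role policy document.

    Returns one finding per problem; an empty list means every Allow statement
    grants only sts:AssumeRole on specific role ARNs.
    """
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"action broader than sts:AssumeRole: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if not is_role_arn(resource):
                findings.append(f"resource is not a specific role ARN: {resource}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(PANORAMA_ACCOUNT), indent=2))
    sts = sts_policy([role_arn(MONITORED_ACCOUNT, ROLE_NAME)])
    print(json.dumps(sts, indent=2))
    print("findings:", lint_sts_policy(sts))
    # An over-broad variant that a review should reject.
    broad = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "sts:*", "Resource": "*"}}
    print("findings:", lint_sts_policy(broad))
```

The lint accepts the single-object Statement form used in the guide's own policy document as well as the list form, so it can be pointed at a policy copied out of the console. Its two checks are the ones that matter most for this setup: a resource of "*" would let the Panorama principal assume any role that trusts its account, and anything wider than sts:AssumeRole is more than the plugin needs.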
STEP 1 | Log in to the Panorama web interface, select Panorama > Plugins and click Check Now to get the AWS plugin.
STEP 2 | Download and Install the plugin. On Panorama 9.0.5, before you install plugin version 2.0, remove the configuration and then uninstall the plugin v1.0. After you successfully install the plugin, Panorama refreshes and the latest AWS plugin displays on Panorama > Plugins. On the Panorama Dashboard you can verify the installed Plugin AWS version in the General Information widget.
STEP 3 | (Panorama in HA) Commit > Commit to Panorama. If your Panorama is in HA, commit the changes to the Panorama configuration to ensure that tags are registered to the Panorama peer on failover.

Configure the AWS Plugin for VM Monitoring
To begin monitoring the virtual machines in your AWS public cloud deployment, after you Install the AWS Plugin you must create a Monitoring Definition. This definition specifies the IAM Role that is authorized to access the EC2 instances within the AWS VPC you want to monitor and the Notify Group that includes the firewalls to which Panorama should push all the IP-address-to-tag mappings it retrieves. In order to enforce policy, you must then create Dynamic Address Groups and reference them in Security policy. The Dynamic Address Groups enable you to filter the tags you want to match on, so that the firewall can get the public and private IP addresses registered against each tag, and then allow or deny access to traffic to and from the workloads based on the policy rules you define.
STEP 1 | Log in to the Panorama web interface.
STEP 2 | Set up the following objects for enabling VM Monitoring on AWS.
Add an IAM Role. An IAM role is an entity that allows you to delegate access so that Panorama can make service requests on your behalf to the AWS resources (virtual machines that are deployed as EC2 instances).
1.
Select Panorama > Plugins > AWS > Setup > IAM Role > Add.
2. Enter a Name and optionally a Description to identify the IAM role.
3. Select the Account Type: Instance Profile or AWS Account Credentials. If your Panorama is deployed on AWS, you can choose to either attach an instance profile with the correct permissions to your Panorama or add the credentials associated with the IAM role on Panorama. If your Panorama is not deployed on AWS, you must enter the credentials for the IAM role locally on Panorama.
4. (For AWS Account Credentials only) Enter the Secret Access Key and re-enter it to confirm, and click OK.

Add a notify group.
1. Select Panorama > Plugins > AWS > Setup > Notify Groups > Add.
2. Enter a Name to identify the group of firewalls to which Panorama pushes the VM information it retrieves.
3. Select the Device Groups, which are groups of firewalls or virtual systems, to which Panorama will push the VM information (IP address-to-tag mapping) it retrieves from your AWS VPCs. The firewalls use the update to determine the most current list of members that constitute the dynamic address groups referenced in policy. If you are using the Panorama plugin for Azure and AWS, you can target the same firewall or virtual system with tags from both environments.
Think through your Device Groups carefully.
• Because a Monitoring Definition can include only one notify group, make sure to select all the relevant Device Groups within your notify group. If you want to unregister the tags that Panorama has pushed to a firewall included in a notify group, you must delete the Monitoring Definition.
• To register tags to all virtual systems on a firewall enabled for multiple virtual systems, you must add each virtual system to a separate device group on Panorama and assign the device groups to the notify group. If you assign all the virtual systems to one device group, Panorama will register tags to only one virtual system on the firewall.
4. Select the tags that you want to retrieve from the AWS VPCs. You can Select All 32 Tags (the default) or pick the Custom Tags you want to retrieve for your instances. With the Custom Tags option, you can Add the predefined tags and the user-defined tags that you want to use as match criteria in Security policy. If you are monitoring a large number of EC2 instances, reducing the number of tags you retrieve ensures more efficient use of the CPU and memory capacity on your Panorama. Refer to Planning Checklist for VM Monitoring on AWS for some guidelines.

Verify that monitoring is enabled on the plugin. This setting must be enabled for Panorama to communicate with the AWS public cloud for VM Monitoring. The checkbox for Enable Monitoring is on Panorama > Plugins > AWS > Setup > General.
STEP 3 | Create a Monitoring Definition for each VPC you want to monitor. When you add a new Monitoring Definition, it is enabled by default.
• Select Panorama > Plugins > AWS > Monitoring Definition, and Add a new definition.
• Enter a Name and optionally a Description to identify the AWS VPC for which you use this definition.
• Enter the Endpoint URI. The syntax is ec2.<region>.amazonaws.com; for AWS China, it is ec2.<region>.amazonaws.com.cn.
• (Optional) Enter the Role ARN, if you have set up role chaining and IAM roles with temporary credentials that have permissions to use the AWS STS API to access AWS resources within the same account or cross-account. The Role ARN must belong to the VPC you want to monitor.
• Select the IAM Role, Add the VPC ID from the VPC Dashboard on the AWS Management Console, and select the Notify Group.
STEP 4 | Commit the changes on Panorama. Verify that the status for the Monitoring Definition displays as Success.
If it fails, verify that you entered the AWS VPC ID accurately and provided the correct keys and IDs for authorizing access. Click Validate to verify that Panorama can authenticate using the IAM role and keys and communicate with the AWS VPCs you entered above.
STEP 5 | Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups.
On HA failover, the newly active Panorama attempts to reconnect to the AWS cloud and retrieve tags for all monitoring definitions. If Panorama is unable to reconnect with even one of the monitoring definitions that you have configured and enabled, Panorama generates the system log message "Unable to process accounts after HA switch-over; user-intervention required". If this happens, you must log in to Panorama and verify the monitoring definitions to fix invalid credentials or remove invalid accounts. Although Panorama is disconnected from the AWS cloud, all tags that were retrieved for the monitoring definitions before the failover are retained, and the firewalls can continue to enforce policy on that list of IP addresses. Panorama removes all tags associated with the accounts only when you delete a monitoring definition. As a best practice, to monitor this issue, configure action-oriented log forwarding to an HTTPS destination from Panorama so that you can take action immediately.
STEP 6 | Know where to find the logs related to the AWS plugin on Panorama for troubleshooting.
• Use the CLI command less plugins-log to view a list of all available logs.
  plugin_aws_ret.log displays logs related to IP address and tag retrieval.
  plugin_aws_proc.log displays logs related to processing of the registered IP addresses and tags.
  plugin_aws.log displays logs related to the AWS plugin configuration and daemons.
• Use show plugins aws vm-mon-status for the status of the Monitoring Definitions.
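The two checks STEP 4 through STEP 6 describe (a Monitoring Definition whose status is not Success, and the HA switch-over system log message) are easy to automate once the CLI output is collected. The following Python is an added example, not code from the guide or the plugin: it parses the table printed by show plugins aws vm-mon-status and scans system log lines for the documented message. The first three status rows reuse the guide's sample definitions; the fourth row, the error text in it, and the system log lines are constructed, and the log line layout is illustrative rather than Panorama's exact syslog format.

```python
"""Health checks for the Panorama AWS plugin: parse 'show plugins aws vm-mon-status' and
watch for the HA switch-over failure message. Added example; not from the guide or the plugin."""
from typing import Dict, List

# Constructed sample of the CLI output. Rows 1-3 are the guide's sample definitions; row 4
# is constructed to show how a failed definition with an error message is reported.
SAMPLE_STATUS = """\
admin@Panorama> show plugins aws vm-mon-status
Mon-Def Name            VPC                     Status    Last Updated Time            Error Msg
----------------------------------------------------------------------------------
MD-Ins-Prof-ARN-Vijay   vpc-07986b091d25babcd   Success   2019-12-02T10:24:56.007000
MD-gov                  vpc-7ea1cf1a            Success   2019-12-02T10:24:56.008000
MD-IAM-ARN              vpc-025a83c123          Success   2019-12-02T10:24:56.012000
MD-constructed          vpc-0constructed0000    Failure   2019-12-02T10:25:01.000000   Unable to authenticate with IAM role
"""

# The system log message the guide documents for a failed reconnect after HA failover.
HA_SWITCHOVER_MSG = "Unable to process accounts after HA switch-over; user-intervention required"

# Constructed system log lines (illustrative layout, not Panorama's exact syslog format).
SAMPLE_SYSLOG = [
    "2019-12-02T10:30:00 panorama SYSTEM general informational: AWS plugin retrieval cycle complete",
    "2019-12-02T10:31:00 panorama SYSTEM general critical: " + HA_SWITCHOVER_MSG,
    "2019-12-02T10:32:00 panorama SYSTEM ha informational: HA state changed to active",
]

Row = Dict[str, str]


def parse_vm_mon_status(text: str) -> List[Row]:
    """Turn the CLI table into one dict per Monitoring Definition. Columns are separated by
    runs of spaces; the Error Msg column may contain spaces and may be empty, so the line is
    split into at most five fields and the remainder is kept whole."""
    rows: List[Row] = []
    for line in text.splitlines():
        stripped = line.strip()
        # Skip the echoed prompt, the header row, the dashed separator and blank lines.
        if not stripped or stripped.startswith(("admin@", "Mon-Def Name")) or set(stripped) <= {"-"}:
            continue
        parts = stripped.split(None, 4)
        if len(parts) < 4:
            continue
        name, vpc, status, updated = parts[:4]
        rows.append({"name": name, "vpc": vpc, "status": status, "updated": updated,
                     "error": parts[4].strip() if len(parts) == 5 else ""})
    return rows


def failed_definitions(rows: List[Row]) -> List[Row]:
    """Definitions whose status is anything other than Success."""
    return [r for r in rows if r["status"] != "Success"]


def ha_switchover_failures(log_lines: List[str]) -> List[str]:
    """System log lines carrying the documented post-failover failure message."""
    return [line for line in log_lines if HA_SWITCHOVER_MSG in line]


def health_report(status_text: str, log_lines: List[str]) -> Dict[str, int]:
    """Counts an operator would page on: failed definitions and switch-over alerts."""
    rows = parse_vm_mon_status(status_text)
    return {"definitions": len(rows),
            "failed": len(failed_definitions(rows)),
            "ha_switchover_alerts": len(ha_switchover_failures(log_lines))}


if __name__ == "__main__":
    print(health_report(SAMPLE_STATUS, SAMPLE_SYSLOG))
    for row in failed_definitions(parse_vm_mon_status(SAMPLE_STATUS)):
        print(f"{row['name']} ({row['vpc']}): {row['status']} - {row['error']}")
```

A non-zero failed count means firewalls in the notify group are enforcing policy on a tag list that is no longer being refreshed, which is exactly the condition the guide tells you to remediate by fixing credentials or removing the invalid account.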
    admin@Panorama> show plugins aws vm-mon-status
    Mon-Def Name             VPC                      Status    Last Updated Time            Error Msg
    ----------------------------------------------------------------------------------
    MD-Ins-Prof-ARN-Vijay    vpc-07986b091d25babcd    Success   2019-12-02T10:24:56.007000
    MD-gov                   vpc-7ea1cf1a             Success   2019-12-02T10:24:56.008000
    MD-IAM-ARN               vpc-025a83c123           Success   2019-12-02T10:24:56.012000

Auto Scaling VM-Series Firewalls with the Amazon ELB Service
The Palo Alto Networks auto scaling templates for AWS help you configure and deploy VM-Series firewalls to protect applications deployed in AWS. The templates leverage AWS scalability features to independently and automatically scale VM-Series firewalls deployed in AWS to meet surges in application workload resource demand.
• VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a bootstrap file for version 2.0, and Panorama for version 2.1).
• AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and SNS.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series Firewalls in AWS:
• Version 2.0 provides a firewall template and an application template. These templates and the supporting scripts deploy VM-Series firewalls, an internet-facing firewall, an internal firewall, and application ASGs in a single Virtual Private Cloud (VPC) or multiple VPCs. In version 2.0, Palo Alto Networks supports the firewall template while the application template is community-supported. See VM-Series Auto Scale Template for AWS Version 2.0 for deployment details.
• Version 2.1 adds support for deployment in a single VPC and adds support for a load balancer sandwich topology that enables you to deploy the VM-Series firewalls into a front-end VPC and the back-end applications into one or more application VPCs connected by VPC peering or AWS PrivateLink. In version 2.1 you can implement both application load balancers (ALBs) and network load balancers (NLBs) in VPCs. Version 2.1 includes two firewall templates and five application templates. See VM-Series Auto Scaling Templates for AWS Version 2.1 for deployment details.
If you have an existing template deployment, there is no migration procedure.
The following table compares some high-level features of each template version.

Feature / Requirement: Panorama running PAN-OS 9.0.1 or a later release in Panorama mode.
  Version 2.0: (Optional) If you choose to use Panorama, you must configure VPC peering between the VM-Series firewall VPC and the application VPCs. Peered traffic traverses the public internet. Panorama in a high availability (HA) configuration is not supported.
  Version 2.1: (Required) Deploy the Version 2.1 templates. On Panorama you must manually install the VM-Series plugin to enable VM-Series firewalls to publish PAN-OS metrics for auto scaling.
Feature / Requirement: Bootstrapping
  Version 2.0: bootstrap.xml config file in an S3 bucket.
  Version 2.1: An init-cfg.txt file for Panorama.
Feature / Requirement: Palo Alto Networks sample S3 bucket
  Version 2.0: Use your own S3 bucket or use the sample in panw-aws-autoscale-v20-us-west-2.
  Version 2.1: Use your own S3 bucket for the deployment.
Feature / Requirement: Single VPC or separate VPCs (hub and spoke)
  Version 2.0: Yes
  Version 2.1: Yes
Feature / Requirement: New VPC
  Version 2.0: Yes
  Version 2.1: Yes
Feature / Requirement: Existing VPC (brown field)
  Version 2.0: No
  Version 2.1: Yes
Feature / Requirement: Availability zones per VPC
  Version 2.0: 2
  Version 2.1: 2-4
Feature / Requirement: External load balancer
  Version 2.0: ALB only
  Version 2.1: ALB or NLB
Feature / Requirement: Internal load balancer
  Version 2.0: NLB only
  Version 2.1: ALB or NLB
Feature / Requirement: AWS PrivateLink connection to the VM-Series firewall VPC and the backend servers
  Version 2.0: No
  Version 2.1: Yes
For details on the templates see:
• VM-Series Auto Scaling Templates for AWS Version 2.0
• VM-Series Auto Scaling Templates for AWS Version 2.1

VM-Series Auto Scaling Templates for AWS Version 2.0
To help you manage increased application scaling, version 2.0 of the auto scaling VM-Series firewall template provides a hub and spoke architecture that simplifies deployment. This version of the solution provides two templates that support single- and multiple-VPC deployments, both within a single AWS account and across multiple AWS accounts.
• Firewall Template: The firewall template deploys an application load balancer (ALB) and VM-Series firewalls within auto scaling groups across two Availability Zones (AZs). This internet-facing ALB distributes traffic that enters the VPC across a pool of VM-Series firewalls. The VM-Series firewalls automatically publish custom PAN-OS metrics that enable auto scaling. Palo Alto Networks officially supports the firewall template and, with a valid support entitlement, you can request assistance from Palo Alto Networks Technical Support.
The following application template deploys the network load balancer depicted in the preceding image.
• Application Template: The application template deploys a network load balancer (NLB) and one auto scaling group (ASG) with a web server in each AZ. The application template is community supported. This template is provided as an example to help you get started with a basic web application. For a production environment, either use your own application template or customize this template to meet your requirements.
These templates allow you to deploy a load balancer sandwich topology with an internet-facing ALB and an internal NLB. The ALB is accessible from the internet and distributes traffic that enters the VPC across a pool of VM-Series firewalls.
The firewalls then route traffic using NAT policy to the NLBs, which distribute traffic to an auto scaling tier of web or application servers. The VM-Series firewalls are enabled to publish custom PAN-OS metrics to AWS CloudWatch, where you can monitor the health and resource load on the VM-Series firewalls and then use that information to trigger auto scaling events in the appropriate firewall ASGs.

• What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
• How Does the VM-Series Auto Scaling Template for AWS (v2.0) Enable Dynamic Scaling?
• Plan the VM-Series Auto Scaling Template for AWS (v2.0)
• Customize the Firewall Template Before Launch (v2.0)
• Launch the VM-Series Auto Scaling Template for AWS (v2.0)
• Customize the Bootstrap.xml File (v2.0)
• Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)
• Modify Administrative Account and Update Stack

What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
The VM-Series Auto Scaling template for AWS includes the following building blocks:

Building Block: Firewall template (Palo Alto Networks officially supported template)
  The firewall-v2.0.template deploys a new VPC with subnets, route tables, an AWS NAT gateway, two Availability Zones (AZs), and the security groups required for routing traffic across these AZs. This version 2.0 template also deploys an external ALB, and an ASG with a VM-Series firewall in each AZ. Because of the many variations in a production environment, which include but are not limited to a specific number of components such as subnets, availability zones, route tables, and security groups, you must deploy the firewall-v2.0.template in a new VPC.
  The VM-Series Auto Scaling template for AWS does not deploy Panorama, and Panorama is optional. Panorama provides ease of policy management and central visibility. If you want to use Panorama to manage the VM-Series firewalls that the solution deploys, you can either use an M-Series appliance or Panorama virtual appliance inside your corporate network, or you can use a Panorama virtual appliance on AWS. This solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.

Building Block: Application template (Community supported template)
  The application template deploys an NLB and an ASG with a web server in each AZ. Because the NLB has a unique IP address for each AZ and the NAT policy rule on the firewalls must reference a single IP address, there is one ASG for each of the two AZs. All firewalls in an ASG use an identical configuration. Version 2.0 of the auto scaling solution includes two application templates:
  • The panw_aws_nlb-v2.0.template allows you to deploy the application template resources within the same VPC as the one in which you deployed the firewall template (same AWS account).
  • The panw_aws_nlb_vpcv-2.0.template allows you to deploy the application template resources in a separate VPC using the same AWS account or multiple AWS accounts.

Building Block: Lambda functions
  AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In the firewall-v2.0.template, AWS Lambda monitors a Simple Queue Service (SQS) queue to learn about NLBs that publish to the queue. When the Lambda function detects a new NLB, it creates a new NAT policy rule and applies it to the VM-Series firewalls within the ASG. The firewalls have a NAT policy rule for each application, and the firewalls use the NAT policy rule (which maps the port to the NLB IP address) to forward traffic to the NLB in front of the application web servers.
  You need to create the Security policy rules to allow or deny application traffic for your deployment. The sample bootstrap.xml file does not include any Security policy rules. You should use Panorama to centrally manage your firewalls and simplify creating Security policy rules.
  There are additional functions:
  • Adds or removes an interface (ENI) when a firewall is launched or terminated.
  • Deletes all the associated resources when you delete a stack or terminate an instance.
  • Removes a firewall as a Panorama managed device when there is a scale-in event.
  • Deactivates the BYOL license when a scale-in event results in a firewall termination.
  To learn more about the Lambda functions, refer to http://paloaltonetworks-aws-autoscale-2-0.readthedocs.io/en/latest/

Building Block: Bootstrap files
  The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
  This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic.
  • The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). This auto-scaling solution requires the swapping of the dataplane and management interfaces to enable the ALB to forward web traffic to the auto-scaling tier of VM-Series firewalls. For details, see Management Interface Mapping for Use with Amazon ELB.
  • The bootstrap.xml file enables basic connectivity for the firewall network interfaces and allows the firewall to connect to the AWS CloudWatch namespace that matches the stack name you enter when you launch the template.
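The Bootstrap files row states two conditions that are easy to get wrong when you build a production bootstrap package: init-cfg.txt must keep its name-value format and the mgmt-interface-swap operational command, and bootstrap.xml must not ship with the repository's sample administrator account (the guide names the default as pandemo/demopassword). The following Python is an added example, not code from the guide or the GitHub repository, that checks a package before upload. The init-cfg.txt sample reuses the guide's own example values (placeholder IP addresses and VM auth key); the bootstrap.xml fragment and its hash value are constructed, and the check looks for the username entry because PAN-OS stores the password as a hash rather than in clear text.

```python
"""Pre-launch checks on a VM-Series bootstrap package (init-cfg.txt and bootstrap.xml).
Added example; not from the guide or the auto scaling repository."""
import re
from typing import Dict, List

# Constructed init-cfg.txt using the sample values the guide shows (placeholder IPs and key).
SAMPLE_INIT_CFG = """\
op-command-modes=mgmt-interface-swap
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
"""

# Constructed bootstrap.xml fragment that still carries the repository's sample administrator.
# The phash value is a constructed placeholder, not a real hash.
SAMPLE_BOOTSTRAP_XML = """\
<config version="9.0.0">
  <mgt-config>
    <users>
      <entry name="pandemo">
        <phash>$1$constructed$placeholder</phash>
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
      </entry>
    </users>
  </mgt-config>
</config>
"""

DEFAULT_ADMIN_USER = "pandemo"          # sample username named in the guide
# Keys that must all be present once Panorama registration is configured (see init-cfg.txt step).
PANORAMA_KEYS = ("panorama-server", "tplname", "dgname", "vm-auth-key")


def parse_init_cfg(text: str) -> Dict[str, str]:
    """Parse name=value lines. Any other non-blank line is a format error, which the guide
    warns causes the template deployment to fail."""
    cfg: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"init-cfg.txt line {lineno}: expected name=value, got {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def is_valid_format(text: str) -> bool:
    try:
        parse_init_cfg(text)
        return True
    except ValueError:
        return False


def check_init_cfg(cfg: Dict[str, str]) -> List[str]:
    """Return issues found; an empty list means the file satisfies the solution's requirements."""
    issues: List[str] = []
    modes = [m.strip() for m in cfg.get("op-command-modes", "").split(",")]
    if "mgmt-interface-swap" not in modes:
        issues.append("op-command-modes must include mgmt-interface-swap so the ALB can reach the dataplane")
    if "panorama-server" in cfg:
        for key in PANORAMA_KEYS:
            if not cfg.get(key):
                issues.append(f"{key} is required when the firewalls register with Panorama")
    return issues


def check_bootstrap_xml(xml_text: str) -> List[str]:
    """Flag the sample administrator account; it must be replaced before production launch."""
    issues: List[str] = []
    if re.search(rf'<entry name="{re.escape(DEFAULT_ADMIN_USER)}">', xml_text):
        issues.append(f"bootstrap.xml still defines the sample administrator '{DEFAULT_ADMIN_USER}'")
    return issues


def check_bootstrap_package(init_cfg_text: str, bootstrap_xml_text: str) -> List[str]:
    return check_init_cfg(parse_init_cfg(init_cfg_text)) + check_bootstrap_xml(bootstrap_xml_text)


if __name__ == "__main__":
    for issue in check_bootstrap_package(SAMPLE_INIT_CFG, SAMPLE_BOOTSTRAP_XML) or ["no issues found"]:
        print(issue)
```

Run the check against the files in your private S3 bucket before every stack launch or update; a bootstrap.xml that still contains the sample account gives every newly scaled-out firewall a publicly documented superuser credential.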
To deploy the solution, see Launch the VM-Series Auto Scaling Template for AWS (v2.0).

How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?
VM-Series firewalls that are deployed using the auto scaling templates scale in and scale out based on custom PAN-OS metrics. The VM-Series firewalls natively publish these metrics to the Amazon CloudWatch console and, based on the metrics you choose for the scaling parameters, you can define CloudWatch alarms and policies to dynamically deploy or terminate instances for managing the application traffic in your AWS deployment. The firewalls publish metrics to AWS CloudWatch every five minutes (by default). When a monitored metric reaches the configured threshold for the defined time interval, CloudWatch triggers an alarm and initiates an auto-scaling event.
When the auto-scaling event triggers the deployment of a new firewall, the new instance bootstraps at launch and an AWS Lambda function configures the firewall with NAT policy rules. A NAT policy rule is created for each application, and the rule references the IP addresses for each network load balancer in your deployment. When the application load balancer receives a request, it forwards the request to the firewall on the assigned TCP port. The firewall then inspects the traffic and forwards it to the corresponding network load balancer, which then forwards the request to a web server in its target group.

Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)
The items in this checklist are actions and choices you must make to implement this solution.

Planning Checklist for Templates v2.0 and v2.1

Verify the requirements for deploying the VM-Series Auto Scaling template.
  The auto scaling template requires AWS Lambda and S3 Signature versions 2 or 4, and can deploy VM-Series firewalls running supported PAN-OS versions. You need to look up the list of supported regions and the AMI IDs to provide as input in the firewall template.

Assign the appropriate permissions for the IAM user role.
  The user who deploys the VM-Series Auto Scaling template must either have administrative privileges or have the permissions listed in the iam-policy.json to launch this solution successfully. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role. For a cross-account deployment, to access resources that are in a different AWS account, the IAM role for the user who deploys the application template must have full SQS access permissions and a trust relationship that authorizes her to write to the SQS queue that belongs to the firewall template.

Collect the details required for a cross-account deployment.
  For a deployment where the firewall template and the application template are in different accounts, the account that hosts the firewall template resources is the trusting account and the other AWS account(s) that hold the application template resources are the trusted accounts. To launch the application template in a cross-account deployment, you need the following information:
  • Cross-account Role Amazon Resource Name (ARN) of the account in which you are deploying the application template.
  • External ID, which you defined when creating the IAM role that grants full SQS access to the trusting account.
  • The 10-digit account number for every AWS account in which you plan to launch the application template. Because the account that hosts the firewall template resources serves as the trusting account, and it owns the resources that the users of the application template need, you need to list the account number for each trusted account that can access the firewall resources.

Create a support account on the Palo Alto Networks Support portal, if you don't already have one.
  You can opt for the BYOL or PAYG licenses.
  • For BYOL, you must register an auth code to your Palo Alto Networks support account prior to launching the VM-Series Auto Scaling template and add the auth code to the /license folder with the filename authcodes in the bootstrap package. See Launch the VM-Series Auto Scaling Template for AWS (v2.0) or Launch the Firewall Template (v2.1) for details.
  • For PAYG, you must register the VM-Series firewalls to activate your support entitlement.

(For PAYG only) Review and accept the End User License Agreement (EULA). Required if you are launching a VM-Series firewall in an AWS account for the first time.
  In the AWS Marketplace, search for Palo Alto Networks, and select the bundle you plan to use. The VM-Series firewalls will fail to deploy if you have not accepted the EULA for the bundle you plan to use.
  • Search for VM-Series Next Generation Firewall Bundle 2, for example.
  • Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA. You can now close the browser.

Decide whether you plan to use the public S3 buckets or your private S3 bucket for AWS Lambda, Python scripts, and templates.
  Palo Alto Networks provides public S3 buckets in all AWS regions included in the supported regions list. These S3 buckets include all the templates, AWS Lambda code, and the bootstrap files that you need.
  Palo Alto Networks recommends using the bootstrap files in the public S3 bucket only for evaluating this solution. For a production deployment, you must create a private S3 bucket for the bootstrap package.
  The naming convention for the S3 bucket is panw-aws-autoscale-v20-<region>. For example, the bucket in the AWS Oregon region is panw-aws-autoscale-v20-us-west-2.
  To use your private S3 bucket, you must download and copy the templates, AWS Lambda code, and the bootstrap files to your private S3 bucket. You can place all the required files for both the firewall template and the application template in one S3 bucket or place them in separate S3 buckets.

Download the templates, AWS Lambda code, and the bootstrap files.
  • Get the files for deploying the firewall template (application load balancer and the VM-Series firewalls) from the GitHub repository. Do not mix and match files across VM-Series Auto Scaling template versions.
    • Templates and Lambda code:
      • panw-aws.zip
      • firewall-v2.X.template
    • Bootstrap files:
      • init-cfg.txt
      • bootstrap.xml
      The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch.
    • iam-policy: The user who deploys the VM-Series Auto Scaling template must have either administrative privileges or the permissions listed in this file to successfully launch this solution.
    The firewall template is supported by Palo Alto Networks Technical Support.
  • Get the files for deploying the NLB and the web servers from the GitHub repository, version 2.0 or 2.1.
    • Templates:
      • pan_aws_nlb-2.X.template: Use this template to deploy the application template resources within the same VPC as the one in which you deployed the firewall template (same AWS account).
      • pan_aws_nlb_vpc-2.X.template: Use this template to deploy the application template resources in a different VPC. This template allows you to deploy the resources within the same AWS account or in a different AWS account as long as you have the appropriate permissions to support a cross-account deployment.
      • pan_nlb_lambda.template: Creates an AWS Network Load Balancer, which multiplexes traffic to registered scaled-out backend web servers.
    • Lambda code and Python scripts.

Customize the bootstrap.xml file for your production environment.
  To ensure that your production environment is secure, you must customize the bootstrap.xml file with a unique administrative username and password for production deployments. The default username and password are pandemo/demopassword. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.

Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
  Panorama is an option for administrative ease and is the best practice for managing the firewalls. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
  If you want to use Panorama, you can either use a Panorama virtual appliance on AWS, or use an M-Series appliance or a Panorama virtual appliance inside your corporate network. The Panorama must be in Panorama mode and not Management Only mode.
  To successfully register the firewalls with Panorama, you must collect the following details:
  • API key for Panorama: So that AWS Lambda can make API requests to Panorama, you must provide an API key when you launch the VM-Series Auto Scaling template. As a best practice, in a production deployment, create a separate administrative account just for the API call and generate an associated API key.
  • Panorama IP address: You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a Direct Connect link or an IPSec tunnel.
  • VM auth key: Allows Panorama to authenticate the firewalls so that it can add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The VM auth key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
  • Template stack name and the device group name to which to assign the firewalls: You must first add a template and assign it to a template stack, create a device group on Panorama, and then include the template stack name and the device group name in the configuration (init-cfg.txt) file.
  In order to reduce the cost and scale limits of using Elastic IP addresses, the firewalls do not have public IPs. If you are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) that attaches to the Untrust subnet within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls.
  By default, this solution includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch.

Get started
  Launch the VM-Series Auto Scaling Template for AWS (v2.0).

Customize the Firewall Template Before Launch (v2.0 and v2.1)
To simplify the deployment workflow, the firewall template displays a limited set of parameters for which you need to provide inputs when launching the template. If you would like to view and customize other options included in the template, you can use a text editing tool such as Notepad or Visual Studio Code to specify the values that you prefer before you launch the VM-Series Auto Scaling template for AWS v2.0 or 2.1.
Use the following table to view the list of parameters that you are allowed to customize for your deployment of the auto scaling firewall template for AWS.
Modifying parameters from this list is within the official support policy of Palo Alto Networks through the support options that you've purchased.

Parameter: CIDR Block for the VPC
  Description: The IP address space that you want to use for the VPC. The subnets you modify below must belong to this VPC CIDR block and be unique.
  Default Value: 192.168.0.0/16
Parameter: Management Subnet CIDR Block
  Description: Comma-delimited list of CIDR blocks for the management subnet of the firewalls.
  Default Value: 192.168.0.0/24, 192.168.10.0/24
Parameter: Untrust Subnet CIDR Block
  Description: Comma-delimited list of CIDR blocks for the Untrust subnet.
  Default Value: 192.168.1.0/24, 192.168.11.0/24
Parameter: Trust Subnet CIDR Block
  Description: Comma-delimited list of CIDR blocks for the Trust subnet.
  Default Value: 192.168.2.0/24, 192.168.12.0/24
Parameter: NAT Gateway Subnet CIDR Block
  Description: Comma-delimited list of CIDR blocks for the AWS NAT Gateway.
  Default Value: 192.168.100.0/24, 192.168.101.0/24
Parameter: Lambda Subnet CIDR Block
  Description: Comma-delimited list of CIDR blocks for the Lambda functions.
  Default Value: 192.168.200.0/24, 192.168.201.0/24
Parameter: Firewall Instance size
  Description: AWS instance type and size that you want for the VM-Series firewalls in your deployment.
  Default Value: M4.xlarge
Parameter: Choose your Scaling Parameter
  Description: The template publishes all the following metrics to AWS CloudWatch:
    • CPU: DataPlane CPU Utilization
    • AS: Active Sessions
    • SU: Session Utilization
    • SSPU: SSL Proxy Utilization
    • GPU: GlobalProtect Gateway Utilization
    • GPAT: GlobalProtect Gateway Utilization ActiveTunnels
    • DPB: Dataplane Packet Buffer Utilization
  Default Value: Dataplane CPU Utilization. You do not need to modify the template for the scaling parameter. You can set AWS CloudWatch alarms on the AWS console for one or more custom PAN-OS metrics on which you want to trigger autoscaling.
Parameter: Choose time in seconds for Scaling Period
  Description: The period in seconds over which the average statistic is applied. Must be a multiple of 60.
  Default Value: 900
Parameter: Maximum VM-Series Instances
Description: Maximum number of VM-Series firewalls in the auto scaling group.
Default Value: 3

Parameter: Minimum VM-Series Instances
Description: Minimum number of VM-Series firewalls in the auto scaling group.
Default Value: 1

Parameter: ScaleDown threshold value in percentage/value
Description: Value at which a scale-in event is triggered.
Default Value: 20

Parameter: ScaleUp threshold value in percentage/value
Description: Value at which a scale-out event is triggered.
Default Value: 80

Launch the VM-Series Auto Scaling Template for AWS (v2.0)

You can deploy the firewall template in one VPC and the sample application template either in the same VPC as the firewalls or in a different VPC. If the applications that you want to secure belong to a separate AWS account, the sample application template includes support for cross-account deployments. The solution supports a hub and spoke architecture whereby you deploy the firewall template in one AWS account and use it as a hub to secure your applications (spokes) that belong to the same or to different AWS accounts.

• Launch the VM-Series Firewall Template
• Launch the Application Template
• (Required only if you deploy more than one internal load balancer) Enable Traffic to the ELB Service (v2.0 and v2.1)

Launch the VM-Series Firewall Template

This workflow tells you how to deploy the application load balancer and the VM-Series firewalls using the firewall template. This firewall template includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch. If you are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) attached to the Untrust subnet within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls.
This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.

STEP 1 | Review the checklist for Plan the VM-Series Auto Scaling Template for AWS (v2.0). Make sure that you have completed the following tasks:
• (For PAYG only) Reviewed and accepted the EULA for the PAYG bundle you plan to use.
• (For BYOL only) Obtained the auth code. You need to enter this auth code in the /license folder of the bootstrap package.
• Downloaded the files required to launch the VM-Series Auto Scaling template from the GitHub repository.

STEP 2 | (Optional) Modify the init-cfg.txt file. For more details, read about the bootstrapping process and the init-cfg.txt file.
If you're using Panorama to manage the firewalls, complete the following tasks:
1. Generate the VM auth key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
2. Open the init-cfg.txt file with a text editor, such as Notepad. Make sure that you do not alter the format, because a formatting change causes the VM-Series Auto Scaling template deployment to fail. Add the following information as name-value pairs:
• IP addresses for the primary Panorama and, optionally, a secondary Panorama. Enter:
    panorama-server=
    panorama-server-2=
• The template stack name and the device group to which you want to assign the firewall. Enter:
    tplname=
    dgname=
• The VM auth key. Enter:
    vm-auth-key=
3. Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM-Series firewall on AWS. For example, the file must include name-value pairs as shown here:
    op-command-modes=mgmt-interface-swap
    vm-auth-key=755036225328715
    panorama-server=10.5.107.20
    panorama-server-2=10.5.107.21
    tplname=FINANCE_TG4
    dgname=finance_dg
4. Save and close the file.

STEP 3 | (For BYOL only) Add the license auth code in the /license folder of the bootstrap package. For more information, see prepare the bootstrap package.
1. Create a new .txt file with a text editor, such as Notepad.
2. Add the auth code for your BYOL licenses to this file, then save the file as authcodes (no file extension) and upload it to the /license folder. The auth code must support the number of firewalls that may be required for your deployment. You must use an auth code bundle instead of individual auth codes so that the firewall can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall retrieves only the license key for the first auth code included in the file.

STEP 4 | Change the default credentials for the VM-Series firewall administrator account defined in the bootstrap.xml file. Required for using the VM-Series Auto Scaling template in a production environment. The bootstrap.xml file in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must Customize the Bootstrap.xml File (v2.0) prior to launch.

STEP 5 | Prepare the Amazon Simple Storage (S3) buckets for launching the VM-Series Auto Scaling template to a production environment. Make sure to create the S3 buckets in the same region in which you plan to deploy the template; the bootstrapping files hosted in the public S3 bucket are provided only to make it easier for you to evaluate the template.
1. Create a new S3 bucket for the bootstrap files.
   1. Sign in to the AWS Management Console and open the S3 console.
   2. Click Create Bucket.
   3. Enter a Bucket Name and a Region, and click Create. The bucket must be at the S3 root level. If you nest the bucket, bootstrapping fails because you cannot specify a path to the location of the bootstrap files.
2. Upload the bootstrap files to the S3 bucket. The bootstrap folders must be in the root folder of the S3 bucket.
   1. Click the name of the bucket and then click Create folder.
   2. Create the following folder structure for bootstrapping.
   3. Click the link to open the config folder.
   4. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and bootstrap.xml file, and click Open.
   5. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and bootstrap.xml.
   6. (For BYOL only) Click the link to open the license folder and upload the txt file with the auth code required for licensing the VM-Series firewalls.
3. Upload the AWS Lambda code (panw-aws.zip file) to an S3 bucket. In this example, the AWS Lambda code is in the same S3 bucket as the bootstrap package.
   1. Click the bucket name.
   2. Click Add Files to select the panw-aws.zip file, and click Open.
   3. Click Start Upload to add the zip file to the S3 bucket.

STEP 6 | Select the firewall template. If you need to Customize the Firewall Template Before Launch (v2.0), do that now and select the modified template.
1. In the AWS Management Console, select CloudFormation > Create Stack.
2. Select Upload a template to Amazon S3, choose the firewall-v2.0.template, and click Open and Next.
3. Specify the Stack name. The stack name allows you to uniquely identify all the resources that this template deploys.

STEP 7 | Configure the parameters for the VPC.
1. Enter the parameters for the VPC Configuration as follows:
   1. Enter a VPCName.
   2. Select the two Availability Zones that your setup spans in Select two AZs.

STEP 8 | Select your preferences for the VM-Series firewalls.
1. Look up the AMI ID for the VM-Series firewall and enter it.
Make sure that the AMI ID matches the AWS region, PAN-OS version, and the BYOL or PAYG licensing option you opted to use.
2. Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewalls, you must provide the name of this key pair and the private key associated with it.
3. Restrict SSH access to the firewall's management interface. Make sure to supply a CIDR block that corresponds to your dedicated management IP addresses or network. Do not make the allowed source network range larger than necessary, and never configure the allowed source as 0.0.0.0/0. Verify your IP address before configuring it on the template to make sure that you do not lock yourself out.
4. Select Yes if you want to Enable Debug Log. Enabling the debug log generates more verbose logs that help with troubleshooting issues with the deployment. These logs are generated using the stack name and are saved in AWS CloudWatch.
By default, the template uses CPU utilization as the scaling parameter for the VM-Series firewalls. Custom PAN-OS metrics are automatically published to the CloudWatch namespace that matches the stack name you specified earlier.

STEP 9 | Specify the name of the Amazon S3 bucket(s). You can use one S3 bucket for the bootstrap package and the zip file.
1. Enter the name of the S3 bucket that contains the bootstrap package. If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process fails and you cannot log in to the firewall. Health checks for the load balancers also fail.
2. Enter the name of the S3 bucket that contains the panw-aws.zip file.

STEP 10 | Specify the keys for enabling API access to the firewall and Panorama.
1. Enter the key that the firewall must use to authenticate API calls. The default key is based on the sample bootstrap.xml file and you should use it only for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
2. Enter the API Key to allow AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.
3. Copy and paste the license deactivation API key for your account. This key is required to successfully deactivate licenses on your firewalls when a scale-in event occurs. To get this key:
   1. Log in to the Customer Support Portal.
   2. From the Go To drop-down, select License API.
   3. Copy the API key.

STEP 11 | Enter the name for the application load balancer.

STEP 12 | (Optional) Apply tags to identify the resources associated with the VM-Series Auto Scaling template. Add a name-value pair to identify and categorize the resources in this stack.

STEP 13 | Review the template settings and launch the template.
1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
3. On successful deployment, the status updates to CREATE_COMPLETE. Unless you customized the template, the VM-Series Auto Scaling template launches an ASG that includes one VM-Series firewall in each AZ, behind the application load balancer.

STEP 14 | Verify that the template has launched all required resources.
1. On the AWS Management Console, select the stack name to view the Output for the list of resources.
2. On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ you have one ASG for the VM-Series firewalls, with one firewall in each ASG. The ASG name prefix includes the stack name.
3. Log in to the VM-Series firewall. You must deploy a jump server or use Panorama to access the web interface on the firewall.
• It can take up to 20 minutes for the firewalls to boot up and be available to handle traffic.
• When you finish testing or a production deployment, the only way to ensure that charges stop is to completely delete the stack. Shutting down instances or changing the ASG maximum to 0 is not sufficient.

STEP 15 | Save the following information. You need to provide these values as inputs when deploying the application template.
• IP addresses of the NAT Gateway in each AZ. You need these IP addresses to restrict HTTP access to the web servers if you deploy the application in a different VPC. Specifying these IP addresses ensures that the firewall secures access to your applications in a different VPC, and that nobody can bypass the firewall to directly access the web server. The sample application template (panw_aws_nlb_vpc-2.0.template) displays a template validation error if you do not enter the NAT Gateway IP addresses; you must enter the IP addresses as a comma-separated list.
• Network Load Balancer SQS URL. An AWS Lambda function in the firewall stack monitors this queue so that it can learn about any network load balancers that you deploy, and create NAT policy rules (one per application) on the VM-Series firewalls that enable the firewalls to send traffic to the network load balancer IP address.

Launch the Application Template

The application template allows you to complete the sandwich topology and is provided so that you can evaluate the auto scaling solution. This application template deploys a network load balancer and a pair of web servers behind the auto scaling group of VM-Series firewalls, which you deployed using the firewall template. The web servers in this template have a public IP address for direct outbound access to retrieve software updates.
Use this template to evaluate the solution, but build your own template to deploy to production. For a custom template, make sure to enable SQS Messaging Between the Application Template and Firewall Template.

When launching the application template, you must select the template based on whether you want to deploy the application within the same VPC (panw_aws_nlb-2.0.template) in which you deployed the firewall template or in a separate VPC (panw_aws_nlb_vpc-2.0.template). For a separate VPC, the template provides support for cross-account deployments. A cross-account deployment requires you to create an IAM role and enable permissions and a trust relationship between the trusting AWS account and the trusted AWS account; the account information is required as input when launching the template.

STEP 1 | (Required only for a cross-account deployment) Create the IAM role. Refer to AWS documentation. This role grants access to a user who belongs to a different AWS account. This user requires permissions to access the Simple Queue Service (SQS) resource in the firewall template. The firewall uses this queue to learn about each network load balancer that you deploy so that it can create NAT policy to send traffic to the web servers that are behind the network load balancer.
• For Account ID, type the AWS account ID of the account into which you are deploying the application template. Specifying that account ID allows you to grant access to the resources in your account that hosts the firewall template resources.
• Select Require external ID and enter a value that is a shared secret. Specifying an external ID allows the user to assume the role only if the request includes the correct value.
• Choose Permissions to allow Amazon SQS Full Access.
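The trust relationship behind the role described in STEP 1, as an added example that is not part of the guide or of the template package: it builds a trust policy that grants sts:AssumeRole to the account running the application template only when the request carries the external ID, and it audits a policy for AssumeRole grants that lack that condition. The account ID and external ID are constructed placeholders; the permissions policy (Amazon SQS Full Access in the guide) is attached separately and is not shown here.

```python
"""Added example: trust policy for the cross-account role with an external-ID
condition, plus an audit check. Account ID and external ID values used in any
demo are constructed placeholders, not real identities."""
import json


def input_problems(trusted_account_id, external_id):
    """Return a list of problems with the inputs; empty means acceptable."""
    problems = []
    if not (trusted_account_id.isdigit() and len(trusted_account_id) == 12):
        problems.append("account ID must be exactly 12 digits")
    if len(external_id) < 2:
        problems.append("external ID too short")
    return problems


def build_trust_policy(trusted_account_id, external_id):
    """Trust policy for the role: principals in the application-template account
    may assume it, but only when the AssumeRole request presents the shared
    external ID as sts:ExternalId (the Condition block is what enforces this)."""
    problems = input_problems(trusted_account_id, external_id)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def assume_role_grants_without_external_id(policy):
    """Audit: return every Allow statement granting sts:AssumeRole that does not
    require sts:ExternalId. An empty list means the role cannot be assumed from
    the other account without the shared value."""
    weak = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            weak.append(stmt)
    return weak


def trust_policy_json(trusted_account_id, external_id):
    """Serialized form to paste into the role's trust relationship editor."""
    return json.dumps(build_trust_policy(trusted_account_id, external_id), indent=2)


if __name__ == "__main__":
    # Constructed placeholders only.
    print(trust_policy_json("123456789012", "replace-with-a-long-random-value"))
```

The audit function is the useful part in practice: run it over the trust policy of any role that a different account may assume, and treat a non-empty result as a finding, since without the condition any principal in the trusted account can assume the role.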
STEP 2 | Use the Palo Alto Networks public S3 bucket or prepare your private S3 bucket for launching the application template.
1. Create a zip file, named nlb.zip, with all the files in the GitHub repository, excluding the three .template files.
2. Upload the zip file to the S3 bucket you created earlier or to a new bucket.
3. Copy the pan_nlb_lambda template into the same bucket to which you copied the nlb.zip file.

STEP 3 | Select the application template to launch.
1. In the AWS Management Console, select CloudFormation > Create Stack.
2. Select Upload a template to Amazon S3, then choose the panw_aws_nlb-2.0.template to deploy the resources within the same VPC as the firewalls, or the panw_aws_nlb_vpc-2.0.template to deploy the resources into a different VPC. Click Open and Next.
3. Specify the Stack name. The stack name allows you to uniquely identify all the resources that are deployed using this template.

STEP 4 | Configure the parameters for the VPC and network load balancer.
1. Select the two Availability Zones that your setup will span in Select list of AZ. If you are deploying within the same VPC, make sure to select the same Availability Zones that you selected for the firewall template.
2. Enter a CIDR Block for the VPC. The default CIDR is 192.168.0.0/16.
3. (Only if you are using the panw_aws_nlb-2.0.template to deploy the applications within the same VPC) Select the VPC ID and the Subnet IDs associated with the trust subnet on the firewalls in each AZ. The network load balancer is attached to the trust subnet on the firewalls to complete the load balancer sandwich topology.
4. Enter a name for the network load balancer.

STEP 5 | Configure the parameters for AWS Lambda.
1. Enter the S3 bucket name where nlb.zip and the pan_nlb_lambda.template are stored.
2. Enter the name of the pan_nlb_lambda.template and the zip file name.
3. Paste the SQS URL that you copied earlier.
4. Enter a unique TableName. This table stores a mapping of the port and IP address for the applications associated with the network load balancer in your deployment. When you delete the application stack, this table is deleted. Therefore, if multiple instances of the network load balancer write to the same table and the table is deleted, the NAT rules on the firewalls do not function properly and the application traffic may be forwarded to the wrong port/network load balancer.

STEP 6 | Modify the web server EC2 instance type to meet your deployment needs.

STEP 7 | Select the EC2 Key pair (from the drop-down) for launching the web servers. To log in to the web servers, you must provide the key pair name and the private key associated with it.

STEP 8 | (Only if you are using the panw_aws_nlb_vpc-2.0.template) Lock down access to the web servers.
1. Restrict SSH From access to the web servers. Only the IP addresses you list here can log in to the web servers.
2. Restrict HTTP access to the web servers. Enter the public IP addresses of the NAT gateway from the firewall template output, and make sure to separate IP addresses with commas. Entering the NAT gateway IP addresses ensures that all web traffic to the application servers is secured by the VM-Series firewalls.

STEP 9 | (Only if you are using the panw_aws_nlb_vpc-2.0.template) Configure the other parameters required to launch the application template stack in a different VPC.
1. Select SameAccount true if you are deploying this application template within the same AWS account as the firewall template, and leave the cross account role and external ID blank; select false for a cross-account deployment.
For a cross-account deployment, enter the Amazon Resource Name (ARN) for the CrossAccountRole and the ExternalId that you defined in (Required only for a cross-account deployment) Create the IAM role. Refer to AWS documentation. You can get the ARN from Support > Support Center on the AWS Management Console.
2. Enter the VPC Name in which you want to deploy the application template resources.
3. (Optional) Change the NLBSubnetIPBlocks for the Management subnet for the network load balancer.

STEP 10 | Review the template settings and launch the template.

STEP 11 | Verify that the network load balancer is deployed and in a ready state.

STEP 12 | Get the DNS name for the application load balancer, and enter it into a web browser. For example: http://MVpublic-elb-123456789.us-east-2.elb.amazonaws.com/
When the web page displays, you have successfully launched the auto scaling template.

STEP 13 | Verify that each firewall has a NAT policy rule to the IP address of each network load balancer. When you deploy the application template to launch another instance of a network load balancer and pair of web servers, the firewall learns about the port allocated for the next network load balancer instance and creates another NAT policy rule. So, if you deploy the application template three times, the firewall has three NAT policy rules, for ports 81, 82, and 83.

STEP 14 | If you have launched the application template more than once, you need to Enable Traffic to the ELB Service.

Enable Traffic to the ELB Service (v2.0 and v2.1)

If you add a second or additional internal load balancers (ILBs) in your deployment, you must complete additional configuration so that the internal load balancer, the VM-Series firewall auto scaling groups, and the web servers report as healthy and traffic is load balanced across all your AWS resources. In v2.0, the ILB can only be a network load balancer.
In v2.1, the ILB can be an application load balancer or a network load balancer.

STEP 1 | On the AWS management console, verify the ports allocated for each network load balancer on the DynamoDB table. When you launch a new internal load balancer, the application template must send an SQS message to the SQS URL you provided as input when you launched the template. The AWS Lambda function in the firewall template monitors the SQS queue and adds the port mapping to the DynamoDB table for the firewall template. Starting at port 81, the port allocated for every additional internal load balancer you deploy increments by 1. So, the second internal load balancer uses port 82, and the third uses port 83.
1. Select the DynamoDB service on the AWS management console.
2. Select Tables and click the table that matches the stack name for your firewall template. For example, MV-CFT20-firewall-us-east-2. In the Items list, view the ports used by the internal load balancers that are publishing to the SQS queue associated with the firewall template.

STEP 2 | Create a target group. The internal load balancer sends requests to registered targets using the port and protocol that you specify for the servers in the target group. When you add a new target group, use the port information that you verified on the DynamoDB table.

STEP 3 | Edit the listener rules on the internal load balancer to route requests to the target web servers.
1. On the AWS management console, select Load Balancers in the Load Balancing section, and select the internal load balancer that matches your stack name.
2. Select View/edit rules to modify the rules for the listener.
3. Select Insert rule and add a path-based route to forward traffic to the target group you defined above.

STEP 4 | Attach the target group to both VM-Series firewall auto scaling groups.
1. Select Auto Scaling Groups in the Auto Scaling section and select an auto scaling group that matches the stack name.
2. Select Details > Edit and select the new target group from the Target Groups drop-down.

STEP 5 | Log in to each web server that was deployed by the application template, create a new directory with the target group name, and copy the index.html file into the directory. Until you set up the path to the index.html file, the health check for this web server reports as unhealthy. Replace <target-group-name> with the name of the target group you created:
    sudo su
    cd /var/www/html
    mkdir <target-group-name>
    cp index.html <target-group-name>

STEP 6 | Verify the health status of the web servers. Select Auto Scaling Groups, and use the application stack name to find the web server auto scaling group to verify that the web servers are reporting healthy.

Customize the Bootstrap.xml File (v2.0)

The bootstrap.xml file provided in the GitHub repository uses a default username and password for the firewall administrator. Before deploying the VM-Series Auto Scaling template in a production environment, at a minimum you must create a unique username and password for the administrative account on the VM-Series firewall. Optionally, you can fully configure the firewall with zones, policy rules, and security profiles and export a golden configuration snapshot. You can then use this configuration snapshot as the bootstrap.xml file for your production environment.
You have two ways to customize the bootstrap.xml file for use in a production environment:
• Option 1: Launch a VM-Series firewall on AWS using the bootstrap files provided in the GitHub repository, modify the firewall configuration, and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template. See Use the GitHub Bootstrap Files as Seed.
• Option 2: Launch a new VM-Series firewall on AWS without using the bootstrap files, add a NAT policy rule to ensure that the VM-Series firewall handles traffic properly, and export the configuration to create a new bootstrap.xml file for the VM-Series Auto Scaling template. See Create a new Bootstrap File from Scratch.

If you have deployed the template and now need to change the credentials for the administrative user or add a new administrative user and update the template stack, see Modify Administrative Account and Update Stack.

Create a new Bootstrap File from Scratch

Launch a new VM-Series firewall on AWS using the AMI for a supported PAN-OS version (see the compatibility matrix for Panorama plugins), without using the sample bootstrap.xml file, and export the configuration to create a new bootstrap.xml file for use with the VM-Series Auto Scaling template v2.0.

STEP 1 | Deploy the VM-Series Firewall on AWS (no bootstrapping required) and use the public IP address to SSH into the command line interface (CLI) of the VM-Series firewall. You will need to configure a new administrative password for the firewall.

STEP 2 | Log in to the firewall web interface.

STEP 3 | (Optional) Configure the firewall. You can configure the dataplane interfaces, zones, and policy rules.

STEP 4 | Commit the changes on the firewall.

STEP 5 | Export the configuration file and name it bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).
STEP 6 | Download the bootstrap.xml file from the GitHub repository, open it with a text editing tool, and copy lines 353 to 356. These lines define the AWS CloudWatch namespace to which the firewall publishes the custom PAN-OS metrics that are required for the firewalls to auto scale.

STEP 7 | Edit the configuration file you exported earlier to include the AWS CloudWatch information. Search for and paste lines 353 to 356 after .

STEP 8 | Delete the management interface configuration.
1. Search for and delete the ip-address, netmask, and default gateway that follow.
2. Search for and delete the ip-address, netmask, default gateway, and public-key that follow.

STEP 9 | Save the file. You can now proceed with Launch the VM-Series Auto Scaling Template for AWS (v2.0).

Use the GitHub Bootstrap Files as Seed

Launch a VM-Series firewall on AWS from the AWS Marketplace using the bootstrap files provided in the GitHub repository, and modify the firewall configuration for your production environment. Then, export the configuration to create a new bootstrap.xml file that you can use for the VM-Series Auto Scaling template.

STEP 1 | To launch the firewall, see Bootstrap the VM-Series Firewall on AWS.

STEP 2 | Add an elastic network interface (ENI) and associate an elastic IP address (EIP) with it, so that you can access the web interface on the VM-Series firewall. See Launch the VM-Series Firewall on AWS for details.

STEP 3 | Use the EIP address to log in to the firewall web interface with admin as the username and password.

STEP 4 | Add a secure password for the administrative user account (Device > Local User Database > Users).

STEP 5 | (Optional) Configure the firewall for securing your production environment.

STEP 6 | Commit the changes on the firewall.
STEP 7 | Generate a new API key for the administrator account. Copy this new key to a new file. You will need to enter this API key when you launch the VM-Series Auto Scaling template; the AWS services use the API key to deploy the firewall and to publish metrics for auto scaling.

STEP 8 | Export the configuration file and save it as bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).

STEP 9 | Open the bootstrap.xml file with a text editing tool and delete the management interface configuration.

STEP 10 | (Required if you exported a PAN-OS 8.0 configuration) Ensure that the setting to validate the Palo Alto Networks servers is disabled. Look for no.

STEP 11 | If the check is yes, change it to no.

STEP 12 | Save the file. You can now proceed with Launch the VM-Series Auto Scaling Template for AWS (v2.0).

SQS Messaging Between the Application Template and Firewall Template

So that the VM-Series firewalls deployed using the firewall-v2.0.template can detect and send traffic to the network load balancers across which you want to automatically distribute incoming traffic, the firewall template includes a Lambda function that monitors a Simple Queue Service queue for messages. A message allows the Lambda function to learn about a new network load balancer and then automatically create a NAT policy rule on the firewall to send traffic to the IP address of the network load balancer. In order to route traffic properly within the AWS infrastructure, the message must also include basic information on the DNS name, VPC ID, and the AZ to which the network load balancer belongs.
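The message flow this section describes, as an added example that is not code from the guide or from the template package (the project's own producer is describe_nlb_dns.py): it builds ADD-NLB and DEL-NLB messages with the fields listed in this section, validates them on the consuming side before anything is recorded, and simulates the port bookkeeping that the Enable Traffic to the ELB Service section relies on (port 81 for the first internal load balancer, 82 for the next, and so on). The DynamoDB table is replaced by an in-memory dictionary, the NAT rule is a plain dict, every name, ID and address is constructed, and handing a freed port to the next load balancer is an assumption of this toy rather than documented template behaviour.

```python
"""Added example: ADD-NLB / DEL-NLB message construction, consumer-side
validation, and a toy port table. All identifiers below are constructed."""
import ipaddress
import json

FIRST_NLB_PORT = 81  # per the guide: 81 for the first ILB, 82 for the second, ...
REQUIRED_FIELDS = {
    "ADD-NLB": {"AVAIL-ZONES", "DNS-NAME", "VPC-ID", "NLB-NAME"},
    "DEL-NLB": {"DNS-NAME"},
}


def build_add_nlb(nlb_name, dns_name, vpc_id, avail_zones):
    """Producer side. avail_zones: iterable of (nlb_ip, zone_name, subnet_id)."""
    zones = []
    for nlb_ip, zone_name, subnet_id in avail_zones:
        ipaddress.IPv4Address(nlb_ip)  # raises ValueError on a malformed address
        zones.append({"NLB-IP": nlb_ip, "ZONE-NAME": zone_name, "SUBNET-ID": subnet_id})
    return {"MSG-TYPE": "ADD-NLB", "AVAIL-ZONES": zones, "DNS-NAME": dns_name,
            "VPC-ID": vpc_id, "NLB-NAME": nlb_name}


def build_del_nlb(dns_name):
    return {"MSG-TYPE": "DEL-NLB", "DNS-NAME": dns_name}


def parse_message(body):
    """Consumer side: accept a JSON string or a decoded dict; reject unknown
    types, missing fields and malformed NLB IPs before touching the table."""
    msg = json.loads(body) if isinstance(body, str) else dict(body)
    kind = msg.get("MSG-TYPE")
    if kind not in REQUIRED_FIELDS:
        raise ValueError(f"unknown MSG-TYPE: {kind!r}")
    missing = REQUIRED_FIELDS[kind] - set(msg)
    if missing:
        raise ValueError(f"{kind} message missing {sorted(missing)}")
    if kind == "ADD-NLB":
        for az in msg["AVAIL-ZONES"]:
            ipaddress.IPv4Address(az["NLB-IP"])
    return msg


def is_valid_message(body):
    try:
        parse_message(body)
        return True
    except (ValueError, KeyError, TypeError):
        return False


class NlbPortTable:
    """In-memory stand-in for the DynamoDB table: DNS name -> port and NLB IPs."""

    def __init__(self):
        self.rows = {}

    def _next_free_port(self):
        # Lowest unused port from 81 upward (reuse after DEL-NLB is assumed here).
        used = {row["port"] for row in self.rows.values()}
        port = FIRST_NLB_PORT
        while port in used:
            port += 1
        return port

    def handle(self, body):
        """Process one queue message. Returns the NAT rule created for an ADD-NLB,
        or None for a DEL-NLB or a redelivered ADD-NLB (SQS is at-least-once)."""
        msg = parse_message(body)
        dns = msg["DNS-NAME"]
        if msg["MSG-TYPE"] == "DEL-NLB":
            self.rows.pop(dns, None)
            return None
        if dns in self.rows:
            return None
        row = {"port": self._next_free_port(), "name": msg["NLB-NAME"],
               "ips": [az["NLB-IP"] for az in msg["AVAIL-ZONES"]]}
        self.rows[dns] = row
        return self.nat_rule(row)

    @staticmethod
    def nat_rule(row):
        """One NAT rule per application: traffic for the allocated port is
        translated to the NLB IP in each AZ."""
        return {"name": f"nat-{row['name']}", "dst_port": row["port"],
                "translate_to": row["ips"]}

    def ports(self):
        return sorted(row["port"] for row in self.rows.values())


def demo():
    """Constructed scenario: three application stacks launch, then the first is
    deleted. Returns the table and the NAT rules created, in order."""
    table = NlbPortTable()
    rules = []
    for i in (1, 2, 3):
        msg = build_add_nlb(
            f"publicelb{i}", f"publicelb{i}-000000000{i}.us-east-2.elb.amazonaws.com",
            "vpc-00000000",
            [(f"192.168.2.{100 + i}", "us-east-2a", "subnet-0000000a"),
             (f"192.168.12.{100 + i}", "us-east-2b", "subnet-0000000b")])
        rules.append(table.handle(json.dumps(msg)))  # the JSON body sent over SQS
    table.handle(json.dumps(build_del_nlb(
        "publicelb1-0000000001.us-east-2.elb.amazonaws.com")))
    return table, rules
```

Two details matter operationally: the consumer validates before it writes, so a malformed or unknown message cannot leave a half-populated row that would later become a NAT rule, and a redelivered ADD-NLB is ignored rather than allocating a second port for the same load balancer.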
If you are building your own application template, you must set up your application template to post two types of messages to the SQS URL that the firewall template in VM-Series Auto Scaling template version 2.0 uses to learn about the network load balancers to which it must distribute traffic in your environment:
• ADD-NLB message that informs the firewalls when a new network load balancer is available.
• DEL-NLB message that informs the firewalls when a network load balancer has been terminated and is no longer available.

The following examples of each message type include sample values. You need to modify these messages with values that match your deployment.

ADD-NLB Message

    msg_add_nlb = {
        'MSG-TYPE': 'ADD-NLB',
        'AVAIL-ZONES': [
            {'NLB-IP': '192.168.2.101', 'ZONE-NAME': 'us-east-2a', 'SUBNET-ID': 'subnet-2a566243'},
            {'NLB-IP': '192.168.12.101', 'ZONE-NAME': 'us-east-2b', 'SUBNET-ID': 'subnet-2a566243'}
        ],
        'DNS-NAME': 'publicelb1-2119989486.us-east-2.elb.amazonaws.com',
        'VPC-ID': 'vpc-42ba9f2b',
        'NLB-NAME': 'publicelb1'
    }

DEL-NLB Message

    msg_del_nlb = {
        'MSG-TYPE': 'DEL-NLB',
        'DNS-NAME': 'publicelb1-2119989486.us-east-2.elb.amazonaws.com',
    }

Refer to the AWS documentation for details on how to send a message to an Amazon SQS queue, or review describe_nlb_dns.py in the sample application template package to see how the application template constructs the messages.

Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)

A stack update allows you to modify the resources that the VM-Series Auto Scaling template—firewall-v2.0.template—deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters:
• License—Switch from BYOL to PAYG and vice versa, or switch from one PAYG bundle to another.
• Other stack resources—Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the AWS instance type, and the key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall. Changing the AMI ID allows you to deploy new instances of the VM-Series firewalls with a different PAN-OS version.

When you deploy the VM-Series Auto Scaling template, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instances, and it specifies parameters such as the AMI ID, the instance type, and the key pair for your auto scaling group. To launch VM-Series firewalls with your updated parameters, you must first update the stack and then delete the existing auto scaling groups in each AZ. To prevent service disruption, delete the auto scaling group in one AZ first, and wait for the new firewall instances to launch with the updated stack parameters. Then, verify that the firewalls have inherited the updates you made before you proceed to complete the changes in the other AZ.

For critical applications, perform a stack update during a maintenance window.

You can update the stack directly or create change sets. The workflow in this document takes you through the manual stack update.

STEP 1 | In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.

STEP 2 | Modify the resources that you want to update.
• PAN-OS version—To modify the PAN-OS version, look up the AMI ID for the version you want to use and enter the ID.
• License option—Switch from BYOL to PAYG or across PAYG bundles 1 and 2. If you're switching to BYOL, make sure to include the auth code in the bootstrap package (see steps 3 and 5).
If you're switching between PAYG bundle version 1 and 2, look up the AMI ID for the VM-Series firewall.
• Other stack resources—You can modify the AMI ID, the instance type, the security group, the key pair for the stack resources, or the API key associated with the administrative user account on the firewall. If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, then to update the stack and deploy new firewalls with the updated API key you need to follow the workflow in Modify Administrative Account and Update Stack.

STEP 3 | Acknowledge the notifications, review the changes, and click Update to initiate the stack update.

STEP 4 | On the EC2 dashboard, select Auto Scaling Groups and pick an AZ in which to delete the ASG. Deleting an ASG automatically triggers the process of redeploying a new ASG. The firewalls in the new ASG use the updated stack configuration.

STEP 5 | Verify that the updated parameters are used to launch the VM-Series firewalls in the new ASG. Use a phased rollout process, where you test the new ASG thoroughly and ensure that the firewalls are properly handling traffic. Then, wait one hour before continuing to the next ASG.

STEP 6 | Repeat steps 4 and 5 to replace the ASG in the other AZ.

Modify Administrative Account and Update Stack (v2.0)

If you have already deployed the template and now want to change the password for the administrative account or create a new administrative user account on the VM-Series firewall, you must generate a new API key and update the template stack with the new API key for the administrative user account.
To ensure that new firewall instances are configured with the updated administrative user account, you also need to export the firewall configuration and rename it to bootstrap.xml, then upload it to the S3 bootstrap folder that the VM-Series Auto Scaling template uses.

STEP 1 | Log in to the web interface of the firewall and change the credentials for an existing administrative user or create a new account.

STEP 2 | Generate the API key.

STEP 3 | Export the current running configuration and rename it to bootstrap.xml.

STEP 4 | Upload this bootstrap.xml file to the S3 bootstrap folder; see Customize the Bootstrap.xml File (v2.0).

STEP 5 | Update the API key in the stack to ensure that newly launched firewalls will have the updated administrator account. See Stack Update with VM-Series Auto Scaling Template for AWS (v2.0).

VM-Series Auto Scaling Templates for AWS Version 2.1

The VM-Series Auto Scaling templates enable you to deploy a single auto scaling group (ASG) of VM-Series firewalls to secure inbound traffic from the internet to your application workloads on AWS. You can deploy the VM-Series firewall ASG and the application workloads within a single VPC as shown below.

You can also deploy the firewall ASG in a centralized VPC and your application workloads in separate VPCs within the same region, forming a hub and spoke architecture, as shown below. With the hub and spoke architecture you can streamline the delivery of centralized security and connectivity for AWS deployments with many applications, VPCs, or accounts. This architecture can increase agility. Your network security administrators manage the firewall VPC, and DevOps administrators or application developers can manage the application VPCs.
Ensure that the application VPCs connected to the firewall VPC do not have an Internet Gateway (IGW), and use a continuous monitoring and security compliance service such as Prisma Public Cloud. You can use a single AWS account or multiple AWS accounts to monitor and secure traffic between VPCs and the internet. Centralizing firewalls in a single VPC can reduce costs for deployments with multiple VPCs and/or multiple accounts.

To provide flexibility with securing your application workloads, version 2.1 allows you to deploy an application load balancer or a network load balancer for both the external load balancer that fronts your VM-Series firewall ASG, and the internal load balancer (ILB) that fronts your application workloads. When an application load balancer fronts the application workloads, you can connect the firewall VPC to the application VPC using VPC peering. When an NLB fronts the application workloads, you can use VPC Peering or an AWS Private Link to connect the firewall and application VPCs, as summarized below:

Firewall VPC LB (External) | Application VPC LB (Internal) | Connection Method
---------------------------|-------------------------------|------------------
ALB                        | NLB                           | AWS Private Link
NLB                        | NLB                           | AWS Private Link
NLB                        | ALB                           | VPC Peering
ALB                        | ALB                           | VPC Peering

If you deploy in a single VPC, you can use all the load balancing combinations in the previous table.

You can deploy the templates in both greenfield (new VPC and applications) and brownfield (existing VPC and applications) use cases.

Template    | New                                | Existing
------------|------------------------------------|----------------------------------------
Firewall    | firewall-new-vpc-v2.1.template     | firewall-existing-vpc-v2.1.template
            | panw-aws-same-vpc-v2.1.template    | panw-aws-same-vpc-v2.1.template
Application | panw-aws-nlb-new-vpc-v2.1.template | panw-aws-alb-existing-vpc-v2.1.template
            | panw-aws-alb-new-vpc-v2.1.template | panw-aws-nlb-existing-vpc-v2.1.template

What Components Do the VM-Series Auto Scaling Template for AWS (v2.1) Leverage?

The VM-Series Auto Scaling template for AWS includes the following building blocks.
• VM-Series Firewall Templates
• Application Templates
• Lambda Functions
• Panorama
• Bootstrap Files

VM-Series Firewall Templates

The firewall templates deploy an internet-facing external load balancer and VM-Series firewalls within an auto scaling group that spans a minimum of two Availability Zones (AZs). The external load balancer distributes incoming VPC traffic across the pool of VM-Series firewalls. It can be an application load balancer (ALB) or a network load balancer (NLB). The VM-Series firewalls automatically publish custom PAN-OS metrics that enable auto scaling.

Template: firewall-new-vpc-v2.1.template
    Deploys a firewall stack with two to four availability zones in a new VPC.

Template: firewall-existing-vpc-v2.1.template
    Deploys a firewall stack with two to four availability zones in an existing VPC. To deploy in an existing VPC you must enter:
    • VPC ID
    • Internet Gateway ID. This is an existing gateway.
    • Subnet CIDR lists for the Management, Untrust, Trust, NAT Gateway and Lambda subnets. The template uses the CIDRs to create these subnets.
    If you choose to create a new ELB, the template connects the firewall ASG to the ELB backend pool. If you use an existing ELB, you must manually connect the firewall ASG to the existing load balancer backend.

See Customize the Firewall Template Before Launch (v2.0 and v2.1) for more on these parameters.

Application Templates

The application template deploys an internal load balancer (ILB) and one auto scaling group with a web server in each availability zone (AZ).

Template: panw-aws-same-vpc-v2.1.template
    Deploy application in the same VPC as the firewall VPC. You can choose a network or application load balancer.

Template: panw-aws-alb-new-vpc-v2.1.template
    Deploy application in a new VPC, using ALB as the internal load balancer, and using VPC Peering between the firewall VPC and application VPC.
    Supports both same account and cross-account deployments. You must supply the following parameters:
    • Hub account ID
    • Hub VPC ID for VPC peering
    • Hub VPC trust subnet CIDRs. The template uses these for route table construction after VPC peering is established, one CIDR per availability zone.
    • StsAssumeRoleARN (output from the Hub template for SQS access)

Template: panw-aws-nlb-new-vpc-v2.1.template
    Deploy application in a new VPC, using NLB as the internal load balancer, and using NLB Endpoint Services/Interfaces to communicate between the firewall VPC and application VPC. You must supply these parameters:
    • Hub account ID
    • StsAssumeRoleARN (output from the Hub template for SQS access)

Template: panw-aws-alb-existing-vpc-v2.1.template
    Deploy ALB in an existing Application VPC. You must supply the VPC ID for your application and an existing Subnet ID. This template deploys the load balancer in the application VPC and establishes the lambda resources. You must detach your target workload from any existing load balancer and connect it to the new load balancer.

Template: panw-aws-nlb-existing-vpc-v2.1.template
    Deploy NLB in an existing Application VPC. Deploy application in a new VPC, using NLB as the internal load balancer, and using NLB Endpoint Services/Interfaces to communicate between the firewall VPC and application VPC.

Lambda Functions

AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. AWS Lambda monitors a Simple Queue Service (SQS) to learn about load balancers (ALBs or NLBs) that publish to the queue. When the Lambda function detects a new load balancer, it creates a new NAT policy rule and applies it to the VM-Series firewalls within the ASG.
The firewalls have a NAT policy rule for each application, and the firewalls use the NAT policy rule (which maps the port to the load balancer IP address) to forward traffic to the load balancer in front of the application web servers.

The Lambda functions also delete all the configuration items that Lambda added to the device group and template stack in Panorama. This includes the NAT rule, Address Object, and Static Routes that were pushed to the VM-Series firewall. The Lambda function handles delicensing as well. To learn more about the Lambda functions, refer to the Palo Alto Networks AWS AutoScale Documentation.

Panorama

You must have a Panorama management server in Panorama mode to configure Auto Scaling v2.1. The Panorama management server provides centralized monitoring and management of multiple Palo Alto Networks next-generation firewalls from a single location. Panorama allows you to oversee all applications, users, and content traversing your network, and use this knowledge to create application enablement policies that protect and control the network. If you are not familiar with Panorama, please see the Panorama Administrator's Guide.

Managed firewalls are bootstrapped with an init-cfg.txt file. A sample file is included in the GitHub repository so that you can copy the configuration from the template stack and device group when you create them in your existing Panorama.

The untrust and trust zones created in Panorama must be all lower case. In Panorama you must configure your network interfaces using DHCP.
• Only eth1/1 should automatically create default route trust and untrust zones.
• The Security Policy zones are named untrust and trust. All zone names must be lower case.
• The templates configure an Administrator account named pandemo and the password demopassword.
• Create a virtual router with the naming convention VR-.
  On the virtual router ECMP tab, enable ECMP.
• To set the DNS server address on Panorama, select Device > Setup > Services. Set the Primary DNS Server to 169.254.169.253, the Secondary DNS Server to 8.8.8.8, and the FQDN Refresh Time (sec) to 60. Panorama requires the AWS DNS server IP address to resolve the FQDN of the internal load balancer on AWS. The FQDN refresh time is the interval at which Panorama commits newly detected internal load balancers.

After the application template has launched, Lambda populates the following in Panorama:
• NAT policy
• Address object for LB in Application Template
• Static routes in the virtual router
• Tcp81 service object

The v2.1 firewall template includes an AWS NAT gateway that the firewalls use to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch. The NAT Gateways also have Elastic IP addresses attached to them for each zone.

You need the following Panorama resources to work with the Auto Scale templates for AWS.

Panorama API Key
    You need a Panorama API key to authenticate the API. Lambda uses your API key to autoconfigure template and device group options. To generate the API key, see Get Your API Key.

Panorama License
    The template requires a license deactivation API key and the "Verify Update Deactivation Key Server Identity" setting to be enabled to deactivate the license keys from Panorama. The license deactivation key should be obtained from the Palo Alto Customer Support Portal as described in Install a License Deactivation API Key.

Panorama VM-Auth-Key
    You need a vm-auth-key to enable bootstrapped firewalls to connect to Panorama and receive their bootstrap configuration. See Generate the VM Auth Key on Panorama.

Panorama Management Interface Access
    • Port 443 (HTTPS)—Upon initial deployment of the firewall template, leave HTTPS open so Lambda can connect to Panorama.
      Wait to receive the following confirmation of connection in Panorama:
      When you secure port 443, you specify an IP address range from which you will allow connections, as well as the EIPs assigned to the NAT gateways. There are two NAT gateways and the EIPs associated with them. To find NAT gateway EIPs in AWS, go to VPC > NAT Gateways. Note the EIP information for the security group for HTTPS.
    • Port 3978—Port 3978 must be able to receive traffic from any IP address.

Bootstrap Files

The GitHub auto scaling repository includes an init-cfg.txt file so that the VM-Series firewall has the basic configuration to:
• Perform the interface swap so that the VM-Series firewall untrust traffic uses the AWS ENI for eth0.
• Communicate with Panorama for device group and template configuration.

The auto scaling GitHub repository has the basic configuration to get started. This auto scaling solution requires swapping the dataplane and management interfaces to enable the load balancer to forward web traffic to the VM-Series firewall auto scaling tier. For details on management interface mapping with the Amazon ELB, see Management Interface Mapping for Use with Amazon ELB.

Plan to Deploy VM-Series Auto Scaling Templates for AWS (v2.1)

Before starting the deployment, review the following resources.
• See Auto Scaling VM-Series Firewalls with the Amazon ELB Service for an overview of template features and account planning.
• Customize the Firewall Template Before Launch (v2.0 and v2.1). The basic parameters in this topic apply to all template versions.
• How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling? These concepts apply to all template versions.

Launch the Firewall Template (v2.1)

You can choose to deploy the firewall and application templates in the same VPC or in separate VPCs.
The templates support a hub and spoke architecture in which you can deploy the firewall template in one AWS account and use it as a hub to secure applications (spokes) that belong to the same or to different AWS accounts. This workflow tells you how to deploy the external load balancer and the VM-Series firewalls using the firewall template.

The vm-auth-key must be configured on Panorama prior to launching this template.

STEP 1 | Review the checklists in Plan to Deploy VM-Series Auto Scaling Templates for AWS (v2.1) and Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1). Verify that you have completed the following tasks:
• (For PAYG only) Review and accept the EULA for the PAYG bundle you plan to use.
• (For BYOL only) Obtain the auth code for a bundle that supports the number of firewalls that might be required for your deployment. You must save this auth code in a text file named authcodes (no extension), and put the authcodes file in the /license folder of the bootstrap package. If you use individual auth codes instead of a bundle, the firewall only retrieves the license key for the first auth code in the file.
• Download the files required to launch the VM-Series Auto Scaling v2.1 template from the GitHub repository.

STEP 2 | Modify the init-cfg.txt file and upload it to the /config folder.

Because you use Panorama to bootstrap the VM-Series firewalls, your init-cfg.txt file should be modified as follows. No bootstrap.xml file is needed.
    type=dhcp-client
    ip-address=
    default-gateway=
    netmask=
    ipv6-address=
    ipv6-default-gateway=
    hostname=
    vm-auth-key=
    panorama-server=
    panorama-server-2=
    tplname=AWS-tmplspoke1
    dgname=AWS-dgspoke1
    dns-primary=169.254.169.253
    dns-secondary=8.8.8.8
    op-command-modes=mgmt-interface-swap
    dhcp-send-hostname=yes
    dhcp-send-client-id=yes
    dhcp-accept-server-hostname=yes
    dhcp-accept-server-domain=yes

Verify that op-command-modes=mgmt-interface-swap exists. This is the command for swapping the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM-Series firewall on AWS.

Use the AWS DNS server IP address of 169.254.169.253 for faster load balancer DNS name resolution.

STEP 3 | (For BYOL only) Add the license auth code in the /license folder of the bootstrap package.
1. Use a text editor to create a new text file named authcodes (no extension).
2. Add the authcode for your BYOL licenses to this file, and save. The authcode must represent a bundle, and it must support the number of firewalls that might be required for your deployment. If you use individual authcodes instead of a bundle, the firewall only retrieves the license key for the first authcode in the file.

STEP 4 | Upload the Lambda code for the firewall template (panw-aws.zip) and the Application template (ilb.zip) to an S3 bucket. You can use the same S3 bucket that you use for bootstrapping. If the Application stack is managed by a different account than the firewall, use the Application account to create another S3 bucket in the same AWS region as the firewall template and copy ilb.zip to that S3 bucket.

STEP 5 | Select the firewall template.
1. In the AWS Management Console, select CloudFormation > Create Stack.
2.
Select Upload a template to Amazon S3, to choose the application template to deploy the resources that the template launches within the same VPC as the firewalls, or to a different VPC. Click Open and Next.
3. Specify the Stack name. The stack name allows you to uniquely identify all the resources that are deployed using this template.

STEP 6 | Configure the parameters for the VPC.
1. Be sure to select at least two availability zones.
2. Look up the AMI ID for the VM-Series firewall and enter it. Make sure that the AMI ID matches the AWS region, the PAN-OS version, and the BYOL or PAYG licensing option you opted to use.
3. Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewalls, you must provide the name of this key pair and the private key associated with it.
4. For the SSH From field: the firewalls will be managed by Panorama and do NOT have an EIP for the management interface. In case you decide to assign an EIP, configure the IP range you would connect from.
5. Select Yes if you want to Enable Debug Log. Enabling the debug log generates more verbose logs that help with troubleshooting issues with the deployment. These logs are generated using the stack name and are saved in AWS CloudWatch.

By default, the template uses CPU utilization as the scaling parameter for the VM-Series firewalls. Custom PAN-OS metrics are automatically published to the CloudWatch namespace that matches the stack name you specified earlier.

STEP 7 | Specify the name of the Amazon S3 bucket(s).
1. Enter the name of the S3 bucket that contains the bootstrap package. If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process fails, and you cannot log in to the firewall. Health checks for the load balancers also fail.
2. Enter the name of the S3 bucket that contains the panw-aws.zip file.
   As mentioned earlier, you can use one S3 bucket for the Bootstrap and Lambda code.

STEP 8 | Specify the keys for enabling API access to the firewall and Panorama.
1. Enter the key that the firewall must use to authenticate API calls. The default key is based on the sample file and you should only use it for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
2. Enter the API Key to allow AWS Lambda to make API calls to Panorama. For a production deployment, you should create a separate login just for the API call and generate an associated key.

STEP 9 | Enter the name for the application load balancer.

STEP 10 | Review the template settings and launch the template.
1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
3. On successful deployment the status updates to CREATE_COMPLETE.

STEP 11 | Verify that the template has launched all required resources.
1. On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ you have one ASG for the VM-Series firewalls. The ASG name prefix includes the stack name.
2. On the AWS Management Console, select the stack name to view the Output for the list of resources.
3. Your output should look similar to the output in the following image.
   • Take note of the Network Load Balancer Queue name.
   • Take note of the Elastic Load Balancer public DNS name.

It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic.

When you are finished with a testing or a production deployment, the only way to ensure charges stop occurring is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient.
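Because a broken bootstrap package only shows up later as a failed bootstrap and failed load balancer health checks (step 7), it is worth checking the init-cfg.txt from step 2 before you launch. The following pre-flight check is an added example, not code from the Palo Alto Networks repository: the keys and values it expects are those of the init-cfg.txt listed under step 2, while the function names and the placeholder vm-auth-key and Panorama address in the constructed sample are this example's own.

```python
"""Pre-flight check of a bootstrap init-cfg.txt for the Panorama-managed
VM-Series auto scaling deployment. Added example, not part of the Palo Alto
Networks repository; expected keys/values are taken from the init-cfg.txt
listed under step 2, everything else (function names, sample placeholder
values) is this example's own."""

# Fields that must carry a value for the firewall to register with Panorama.
MUST_BE_SET = ("vm-auth-key", "panorama-server", "tplname", "dgname")
# Fields whose value step 2 fixes.
MUST_EQUAL = {
    "type": "dhcp-client",
    "dns-primary": "169.254.169.253",  # AWS resolver, needed to resolve the ILB FQDN
    "dhcp-send-hostname": "yes",
    "dhcp-send-client-id": "yes",
    "dhcp-accept-server-hostname": "yes",
    "dhcp-accept-server-domain": "yes",
}
# Static addressing fields that must stay empty when type=dhcp-client.
MUST_BE_EMPTY = ("ip-address", "default-gateway", "netmask",
                 "ipv6-address", "ipv6-default-gateway")
REQUIRED_OP_MODE = "mgmt-interface-swap"


def parse_init_cfg(text):
    """Parse key=value lines into a dict.

    Raises ValueError for a line carrying two settings run together (e.g. a
    missing newline between dhcp-accept-server-hostname=yes and
    dhcp-accept-server-domain=yes) or a duplicated key, since the firewall
    would silently misread either."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if "=" in value:
            raise ValueError(f"line {lineno}: two settings run together: {line!r}")
        if key in cfg:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        cfg[key] = value
    return cfg


def check_init_cfg(cfg):
    """Return a list of problems; an empty list means the file is ready to upload."""
    problems = []
    for key in MUST_BE_SET:
        if not cfg.get(key):
            problems.append(f"{key} is empty; bootstrapped firewalls cannot register with Panorama")
    for key, expected in MUST_EQUAL.items():
        if cfg.get(key) != expected:
            problems.append(f"{key} should be {expected!r}, found {cfg.get(key)!r}")
    for key in MUST_BE_EMPTY:
        if cfg.get(key):
            problems.append(f"{key} is set, but type=dhcp-client expects DHCP addressing")
    # op-command-modes is a comma-separated list; the swap must be in it.
    modes = {m.strip() for m in cfg.get("op-command-modes", "").split(",") if m.strip()}
    if REQUIRED_OP_MODE not in modes:
        problems.append(f"op-command-modes lacks {REQUIRED_OP_MODE}; the load balancer "
                        "cannot forward web traffic to the firewall dataplane")
    return problems


def preflight(text):
    return check_init_cfg(parse_init_cfg(text))


# Constructed sample matching the step 2 listing, with placeholder values for
# the two fields the guide leaves blank (vm-auth-key, panorama-server).
SAMPLE_INIT_CFG = """\
type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=
vm-auth-key=PLACEHOLDER-VM-AUTH-KEY
panorama-server=10.0.0.10
panorama-server-2=
tplname=AWS-tmplspoke1
dgname=AWS-dgspoke1
dns-primary=169.254.169.253
dns-secondary=8.8.8.8
op-command-modes=mgmt-interface-swap
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
"""

if __name__ == "__main__":
    for problem in preflight(SAMPLE_INIT_CFG) or ["init-cfg.txt looks ready to upload"]:
        print(problem)
```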
STEP 12 | Save the following firewall template information. You must provide these values as inputs when deploying the application template.
• IP addresses of the NAT Gateway in each AZ—You need these IP addresses to restrict HTTPS access to your Panorama so that Lambda can use the EIPs of the NAT Gateways to communicate with Panorama when needed.
• Network Load Balancer SQS URL—A Lambda function in the firewall stack monitors this queue so that it can learn about any network load balancers that you deploy and create NAT policy rules (one per application) in Panorama that enable the firewalls to send traffic to the network load balancer IP address.

Launch the Application Template (v2.1)

The application templates allow you to complete the sandwich topology and are provided so that you can evaluate the auto scaling solution. This application template deploys either an application or network load balancer and a pair of web servers behind the auto scaling group of VM-Series firewalls, which you deployed using the firewall template. Use this template to evaluate the solution, but customize your own template to deploy to production. For a custom template, make sure to enable SQS messaging between the Application template and the Firewall template.

When launching the application template, you must select the template based on whether you want to deploy the application template within the same VPC in which you deployed the firewall template or in a separate VPC. See Enable Traffic to the ELB Service (v2.0 and v2.1).

STEP 1 | Create an S3 bucket from which you will launch the application template.
• If this is a cross-account deployment, create a new bucket.
• If there is one account, you can create a new bucket or use the S3 bucket you created earlier (you can use one bucket for everything).

STEP 2 | Upload the ilb.zip file into the S3 bucket.
STEP 3 | Select the application launch template you want to launch.
1. In the AWS Management Console, select CloudFormation > Create Stack.
2. Select Upload a template to Amazon S3, to choose the application template to deploy the resources that the template launches within the same VPC as the firewalls, or to a different VPC. Click Open and Next.
3. Specify the Stack name. The stack name allows you to uniquely identify all the resources that are deployed using this template.

STEP 4 | Configure the parameters for the VPC and network load balancer.
1. Select the two Availability Zones that your setup will span in Select list of AZ. If you are deploying within the same VPC, make sure to select the same Availability Zones that you selected for the firewall template.
2. If deploying to a new VPC, enter a CIDR Block for the VPC. The default CIDR is 192.168.0.0/16.
3. If deploying to the same VPC, you will select the previous VPC and use the Trust subnets.

STEP 5 | Select the load balancer type.

STEP 6 | Configure the parameters for Lambda.
1. Enter the S3 bucket name where ilb.zip is stored.
2. Enter the name of the zip file.
3. Paste the SQS URL that you copied earlier.

STEP 7 | Modify the web server EC2 instance type to meet your needs.

STEP 8 | Select the EC2 Key pair (from the drop-down) for launching the web servers. To log in to the web servers, you must provide the key pair name and the private key associated with it.

STEP 9 | Select the IP address of the network from which you will be accessing the servers, for management access only. Web traffic comes through the ELB DNS name you copied when you launched the firewall template.

STEP 10 | Review the template settings and launch the template.
STEP 11 | After completion of the application template, it can take up to 20 minutes for the web pages to become active.
1. Verify that the application template load balancer is marked active.
2. Verify that Panorama has a NAT object in the device group.
3. Verify that Panorama has an address object in the device group.
4. Verify that Panorama has static routes in the template stack.

STEP 12 | Get the DNS name you saved earlier for the application load balancer and enter it into a web browser.

STEP 13 | Upon successful launch, your browser should look like this output.

Create a Custom Amazon Machine Image (v2.1)

A custom VM-Series AMI gives you the consistency and flexibility to deploy a VM-Series firewall with the PAN-OS version you want to use on your network, instead of being restricted to using only an AMI that is published to the AWS public Marketplace or to the AWS GovCloud Marketplace. Using a custom AMI speeds up the process of deploying a firewall with the PAN-OS version of your choice, because it saves the time otherwise spent provisioning the firewall with an AMI published on the AWS public or AWS GovCloud marketplace and then performing software upgrades to get to the PAN-OS version you want to use on your network. Additionally, you can use the custom AMI in the Auto Scaling VM-Series Firewalls CloudFormation Templates or any other templates that you have created. You can create a custom AMI with the BYOL, Bundle 1, or Bundle 2 licenses.

The process of creating a custom AMI requires you to remove all configuration from the firewall and perform a private data reset, so in this workflow you'll launch a new instance of the firewall from the AWS Marketplace instead of using an existing firewall that you have fully configured.
When creating a custom AMI with a BYOL version of the firewall, you must first activate the license on the firewall so that you can access and download PAN-OS content and software updates to upgrade your firewall, and then deactivate the license on the firewall before performing the private data reset and creating the custom AMI. If you do not deactivate the license, you lose the license that you applied on this firewall instance.

STEP 1 | Launch the VM-Series firewall from the Marketplace. See Launch the VM-Series firewall.

STEP 2 | Configure the administrative password on the firewall. See Configure a new administrative password on the firewall.

STEP 3 | (Only for BYOL) Activate the license.

STEP 4 | Install the latest content on the firewall.

STEP 5 | (Only for BYOL) Deactivate the license.

STEP 6 | Perform a private data reset. A private data reset removes all logs and restores the default configuration. The system disks are not erased, so the content updates from Step 4 are intact.
1. Access the firewall CLI.
2. Export a copy of the configuration.
3. Remove all logs and restore the default configuration:

       request system private-data-reset

   Enter y to confirm. The firewall reboots to initialize the default configuration.

STEP 7 | Create the custom AMI.
1. Log in to the AWS Console and select the EC2 Dashboard.
2. Stop the VM-Series firewall.
3. Select the VM-Series firewall instance, and click Image > Create Image.
4. Enter a custom image name, and click Create Image. The disk space of 60GB is the minimum requirement.
5. Verify that the custom AMI is created and has the correct product code.
   1. On the EC2 Dashboard, select AMI.
   2. Select the AMI that you just created.
   Depending on whether you selected an AMI with the BYOL, Bundle 1, or Bundle 2 licensing options, you should see one of the following Product Codes in the details:
   • BYOL—6njl1pau431dv1qxipg63mvah
   • Bundle 1—6kxdw3bbmdeda3o6i1ggqt4km
   • Bundle 2—806j2of0qy5osgjjixq9gqc6g

STEP 8 | Encrypt EBS Volume for the VM-Series Firewall on AWS. If you plan to use the custom AMI with EBS encryption for an Auto Scaling VM-Series Firewalls with the Amazon ELB Service deployment, you must use the default master key for your AWS account.

VM-Series Auto Scaling Template Cleanup (v2.1)

If you deployed the templates as a test, delete them to save resources and lower costs.

STEP 1 | In the AWS Management Console, select Cloud Formation > Create Stack.

STEP 2 | Locate the firewall template and application template you launched previously and delete both templates. For more information on deleting template stacks, see “What is AWS CloudFormation?” Failure to delete your template stack incurs charges from AWS.

SQS Messaging Between the Application Template and Firewall Template (v2.1)

VM-Series firewalls deployed using one of the firewall templates can detect and send traffic to the load balancers to which you want to automatically distribute incoming traffic. To accomplish this, the firewall template includes a lambda function that monitors a Simple Queue Service for messages. The message allows the lambda function to learn about a new load balancer and then automatically create a NAT policy rule on the firewall to send traffic to the load balancer’s IP address. To route traffic properly within the AWS infrastructure, the message must also include basic information on the DNS, VPC ID, and the AZ to which the load balancer belongs.
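An application template that builds the ADD-NLB, DEL-NLB, ADD-ALB and DEL-ALB messages this section goes on to list by hand can easily post one the lambda function cannot act on (a trailing comma, a subnet id with a stray space, a subnet outside the VPC CIDR). The validator and posting helper below are an added example, not code from the Palo Alto Networks templates; they assume only the fields shown in the section's sample messages, the standard 8- or 17-hex-digit AWS resource id formats, and a boto3-style `send_message(QueueUrl=..., MessageBody=...)` call, and the `LocalQueue` stand-in and sample values are constructed so the example runs offline.

```python
import ipaddress
import json
import re

# Required top-level keys per message type, taken from the guide's sample messages.
REQUIRED_KEYS = {
    "ADD-NLB": {"MSG-TYPE", "AVAIL-ZONES", "DNS-NAME", "VPC-ID", "NLB-NAME"},
    "DEL-NLB": {"MSG-TYPE", "DNS-NAME"},
    "ADD-ALB": {"MSG-TYPE", "AVAIL-ZONES", "DNS-NAME", "VPC-ID", "VPC-CIDR",
                "VPC-PEERCONN-ID", "ALB-NAME", "ALB-ARN"},
    "DEL-ALB": {"MSG-TYPE", "DNS-NAME"},
}
ZONE_KEYS = {  # keys every AVAIL-ZONES entry must carry
    "ADD-NLB": {"NLB-IP", "ZONE-NAME", "SUBNET-ID"},
    "ADD-ALB": {"SUBNET-CIDR", "SUBNET-ID", "ZONE-NAME"},
}
AWS_ID = r"[0-9a-f]{8}(?:[0-9a-f]{9})?"  # 8- or 17-hex-digit AWS resource ids
SUBNET_ID_RE = re.compile(r"^subnet-" + AWS_ID + r"$")
VPC_ID_RE = re.compile(r"^vpc-" + AWS_ID + r"$")
ELB_DNS_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.elb\.amazonaws\.com$")


def validate_lb_message(message):
    """Return the problems found in one queue message (a JSON string or the
    decoded dict); an empty list means the lambda function can act on it."""
    if isinstance(message, str):
        try:
            message = json.loads(message)
        except json.JSONDecodeError as exc:
            return ["body is not valid JSON: %s" % exc]
    mtype = message.get("MSG-TYPE")
    if mtype not in REQUIRED_KEYS:
        return ["unknown MSG-TYPE: %r" % (mtype,)]
    problems = []
    missing = REQUIRED_KEYS[mtype] - set(message)
    if missing:
        problems.append("%s is missing %s" % (mtype, sorted(missing)))
    if not ELB_DNS_RE.match(str(message.get("DNS-NAME", ""))):
        problems.append("DNS-NAME is not an ELB DNS name")
    if mtype in ("DEL-NLB", "DEL-ALB"):
        return problems  # DEL messages identify the load balancer by DNS name only
    if not VPC_ID_RE.match(str(message.get("VPC-ID", ""))):
        problems.append("VPC-ID is not a VPC identifier")
    vpc_net = None
    if mtype == "ADD-ALB":
        try:
            vpc_net = ipaddress.ip_network(str(message.get("VPC-CIDR", "")))
        except ValueError:
            problems.append("VPC-CIDR is not a CIDR block")
    zones = message.get("AVAIL-ZONES")
    if not isinstance(zones, list) or not zones:
        return problems + ["AVAIL-ZONES must be a non-empty list"]
    for idx, zone in enumerate(zones):
        where = "AVAIL-ZONES[%d]" % idx
        missing = ZONE_KEYS[mtype] - set(zone)
        if missing:
            problems.append("%s is missing %s" % (where, sorted(missing)))
            continue
        subnet_id = str(zone["SUBNET-ID"])
        if subnet_id != subnet_id.strip():  # a stray space breaks the subnet lookup
            problems.append("%s SUBNET-ID has surrounding whitespace" % where)
        elif not SUBNET_ID_RE.match(subnet_id):
            problems.append("%s SUBNET-ID is not a subnet identifier" % where)
        if mtype == "ADD-NLB":
            try:
                ipaddress.IPv4Address(str(zone["NLB-IP"]))
            except ValueError:
                problems.append("%s NLB-IP is not an IPv4 address" % where)
        elif vpc_net is not None:
            try:
                if not ipaddress.ip_network(str(zone["SUBNET-CIDR"])).subnet_of(vpc_net):
                    problems.append("%s SUBNET-CIDR lies outside VPC-CIDR" % where)
            except (ValueError, TypeError):
                problems.append("%s SUBNET-CIDR is not a CIDR block" % where)
    return problems


class LocalQueue:
    """Offline stand-in for a boto3 SQS client (same send_message keyword API)."""
    def __init__(self):
        self.sent = []

    def send_message(self, QueueUrl, MessageBody):
        self.sent.append((QueueUrl, MessageBody))
        return {"MessageId": "local-%d" % len(self.sent)}


def send_lb_message(sqs_client, queue_url, message):
    """Validate a message dict, then post it to the firewall template's SQS URL.
    For a real queue pass boto3.client("sqs") as sqs_client."""
    problems = validate_lb_message(message)
    if problems:
        raise ValueError("refusing to post malformed message: " + "; ".join(problems))
    return sqs_client.send_message(QueueUrl=queue_url, MessageBody=json.dumps(message))


# Constructed samples using the guide's example values; the second zone carries
# a trailing space in its subnet id, an easy copy-and-paste mistake.
SAMPLE_ADD_NLB = {
    "MSG-TYPE": "ADD-NLB", "VPC-ID": "vpc-42ba9f2b", "NLB-NAME": "publicelb1",
    "DNS-NAME": "publicelb1-2119989486.us-east-2.elb.amazonaws.com",
    "AVAIL-ZONES": [
        {"NLB-IP": "192.168.2.101", "ZONE-NAME": "us-east-2a", "SUBNET-ID": "subnet-2a566243"},
        {"NLB-IP": "192.168.12.101", "ZONE-NAME": "us-east-2b", "SUBNET-ID": "subnet-2a566243 "},
    ],
}
SAMPLE_DEL_ALB = {"MSG-TYPE": "DEL-ALB",
                  "DNS-NAME": "internal-appILB-908-0-484644265.us-east-2.elb.amazonaws.com"}
```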
If you are building your own application template, you must set up your application template to post ADD and DEL messages to the SQS URL that the firewall template uses to learn about load balancers to which it must distribute traffic in your environment:
• ADD-NLB message that informs the firewalls when a new network load balancer is available.
• DEL-NLB message that informs the firewalls when a network load balancer has been terminated and is no longer available.
• ADD-ALB message that informs the firewalls when a new application load balancer is available.
• DEL-ALB message that informs the firewalls when an application load balancer has been terminated and is no longer available.

The following examples of each message type include sample values. You must modify these messages with values that match your deployment.

ADD-NLB Message

msg_add_nlb = {
    "MSG-TYPE": "ADD-NLB",
    "AVAIL-ZONES": [
        {
            "NLB-IP": "192.168.2.101",
            "ZONE-NAME": "us-east-2a",
            "SUBNET-ID": "subnet-2a566243"
        },
        {
            "NLB-IP": "192.168.12.101",
            "ZONE-NAME": "us-east-2b",
            "SUBNET-ID": "subnet-2a566243"
        }
    ],
    "DNS-NAME": "publicelb1-2119989486.us-east-2.elb.amazonaws.com",
    "VPC-ID": "vpc-42ba9f2b",
    "NLB-NAME": "publicelb1"
}

DEL-NLB Message

msg_del_nlb = {
    "MSG-TYPE": "DEL-NLB",
    "DNS-NAME": "publicelb1-2119989486.us-east-2.elb.amazonaws.com"
}

ADD-ALB Message

{
    "AVAIL-ZONES": [
        {
            "SUBNET-CIDR": "172.32.0.0/24",
            "SUBNET-ID": "subnet-0953a3a8e2a8208a9",
            "ZONE-NAME": "us-east-2a"
        },
        {
            "SUBNET-CIDR": "172.32.2.0/24",
            "SUBNET-ID": "subnet-0a9602e4fb0d88baa",
            "ZONE-NAME": "us-east-2c"
        },
        {
            "SUBNET-CIDR": "172.32.1.0/24",
            "SUBNET-ID": "subnet-0b31ed16f308b3c4d",
            "ZONE-NAME": "us-east-2b"
        }
    ],
    "VPC-PEERCONN-ID": "pcx-0538bb05dbe2e1b8e",
    "VPC-CIDR": "172.32.0.0/16",
    "ALB-NAME": "appILB-908-0",
    "ALB-ARN": "arn:aws:elasticloadbalancing:us-east-2:018147215560:loadbalancer/app/appILB-908-0/1997ed20eeb5bcef",
    "VPC-ID": "vpc-0d9234597da6d9147",
    "MSG-TYPE": "ADD-ALB",
    "DNS-NAME": "internal-appILB-908-0-484644265.us-east-2.elb.amazonaws.com"
}

DEL-ALB Message

{
    "MSG-TYPE": "DEL-ALB",
    "DNS-NAME": "internal-appILB-908-0-484644265.us-east-2.elb.amazonaws.com"
}

Refer to the AWS documentation for details on how to send a message to an Amazon SQS Queue.

Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)

A stack update allows you to modify the resources that the VM-Series Auto Scaling firewall template deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify launch configuration parameters. You can modify the AWS instance type, the key pair for your auto scaling groups, and the API key associated with the administrative user account on the firewall. You do not have to update the stack to modify default notifications or create auto scaling alarms. See Change Scaling Parameters and CloudWatch Metrics (v2.1).

When you deploy the VM-Series Auto Scaling template, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instances, and it specifies parameters such as the instance type, the key pair for your auto scaling group, or the API key associated with the administrative user account on the firewall.

For critical applications, perform a stack update during a maintenance window.

You can update your stack directly or create change sets. The workflow in this document takes you through the manual stack update.
STEP 1 | In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.

STEP 2 | Modify the resources that you want to update. You can modify the instance type, security group, key pair for the stack resources, or the API key associated with the administrative user account on the firewall. If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, in order to update that stack and deploy new firewalls with the updated API key, you need to follow the workflow in Modify Administrative Account (v2.1).

STEP 3 | Acknowledge the notifications, review the changes, and click Update to initiate the stack update.

Modify Administrative Account (v2.1)

If you have already deployed the template and now want to change the password for the administrative account or create a new administrative user account on the VM-Series firewall, you must generate a new API key and update the template stack with the new API key for the administrative user account.

STEP 1 | Log in to the web interface of the firewall and change the credentials for an existing administrative user or create a new account.

STEP 2 | Generate the API key.

STEP 3 | Update the API key in the stack to ensure that newly launched firewalls have the updated administrator account. See Stack Update with VM-Series Auto Scaling Template for AWS (v2.0).

Change Scaling Parameters and CloudWatch Metrics (v2.1)

This task describes how to use custom PAN-OS metrics as scaling parameters to trigger auto scale actions. When you launch the firewall template, the template creates a namespace with scale-in and scale-out policies that you can use to define auto scaling actions.
The policy names include the namespace, as shown below:
• -scalein - Remove 1 instance
• -scaleout - Add 1 instance

Each PAN-OS metric has a default notification that you can delete and replace with auto scale actions. For each metric, create two actions: one that determines when to add a VM-Series firewall, and another that determines when to remove a VM-Series firewall.

STEP 1 | In AWS, select Services > CloudWatch > Metrics.

STEP 2 | Choose a Custom Namespace link, and select the metrics link to view the custom PAN-OS metrics.

STEP 3 | Check a box to select a metric, then select the Graphed metrics tab.
1. In the Statistics column, choose a statistic criteria (such as average, minimum and maximum) and choose a time period.
2. In the Actions column select the bell (Create alarm).

STEP 4 | Define an alarm that removes a firewall when CPU utilization meets or falls below the criteria you set, over the time frame you set.
1. Select Edit to change the graph title.
2. Under Alarm details fill in the Name and Description, choose an operator, and set the minimum value to maintain the current instances. If the minimum value is not maintained, an instance is removed.
3. Under Actions, delete the default notification.
4. Select +AutoScaling Action.
   • Use the From list to select your namespace.
   • From Take this action, select the policy to remove an instance.
5. Select Create Alarm.

STEP 5 | Create a second alarm that adds a firewall when CPU utilization meets or exceeds the criteria you set.

STEP 6 | To view your alarms, select Services > CloudWatch > Alarms. To edit an alarm from this window, check the box next to the alarm and select Action > Edit.
Secure Kubernetes Services in an EKS Cluster

The AWS plugin enables you to secure North-South traffic destined to container services and workloads in Amazon Elastic Kubernetes Service (EKS) environments in which you have deployed VM-Series firewalls. You can also monitor outbound traffic from an EKS cluster.

After you configure the plugin on Panorama to communicate with an EKS cluster, the plugin uses the Kubernetes APIs to retrieve information from each service that has an exposed IP address or fully-qualified domain name (FQDN). With this information the plugin creates NAT rules in Panorama to enforce Security policy and ensure inbound service traffic passes through the VM-Series firewalls. To secure inbound traffic to the cluster, push your configuration to managed VM-Series firewalls.
• How Does the Panorama Plugin for Amazon Secure Elastic Kubernetes Services?
• Secure an EKS Cluster with VM-Series Firewall and AWS Plugin on Panorama

How Does the Panorama Plugin for Amazon Secure Elastic Kubernetes Services?

You can use VM-Series firewalls to secure inbound traffic for Amazon Elastic Kubernetes Service (EKS) clusters. The Panorama plugin for Amazon EKS secures inbound traffic to Kubernetes clusters, and provides outbound monitoring for traffic exiting the cluster. Outbound traffic can return through the VM-Series firewall, provided firewall rules applied to outbound traffic permit Kubernetes control plane traffic to function.

You can use Palo Alto Networks templates to deploy your VM-Series firewall (or firewall set) in the same VPC as your EKS cluster. You can create up to 16 clusters in the same VPC and secure them with the same firewall or firewall set.

This chapter reviews different components that enable the AWS Plugin for Panorama to secure an EKS cluster.
• System Architecture
• EKS Components and Planning Checklist
• Templates

System Architecture

The following diagram illustrates a sample deployment that secures inbound traffic for Amazon EKS clusters—a load balancer sandwich. You can use one of the Palo Alto Networks firewall templates to deploy the firewalls and the external load balancer (ELB). In the template you can set the ELBType variable to specify an application load balancer (ALB) or a network load balancer (NLB). The internal load balancer (ILB) for each service must be an NLB.

In the above diagram, the ELBs that face the internet are ALBs. The VM-Series firewall set is sandwiched between the ALBs and the internal NLBs to provide inbound security to the cluster. Because this diagram uses ALBs, the inputs are a path—for example, fqdn1/path1. When the ELB is an NLB, the path must include the port. For example, if the default NLB path is fqdn1:80, an additional port is expressed as fqdn1:81/path1.

Inbound Security

To secure traffic without interrupting communication flows, the VM-Series firewall set is programmed with static routes that properly route traffic to the desired destination, and NAT rules to perform source and destination NATs on the inbound packets, ensuring that traffic to the application and return traffic from the application pass through the firewall set.

To register a service with the firewall, you must label each service with panw-tg-port- and a port value. This label is applied when the service launches. You must also configure a target group for the ALB with the destination of the firewall set and a destination port matching the service label. When the traffic hits the firewall, the port that receives it tells the firewall which NAT rule to apply. Source and Destination NAT rules are programmed on the firewall to ensure the inbound traffic for the service goes through the firewall.
The source changes from the ALB to the firewall trust interface, ensuring that return traffic hits the firewall for inspection. The destination then changes from the firewall untrust interface to the ILB.

Outbound Traffic

To route the traffic from the trust to untrust interface, the template ensures the virtual router on the VM-Series firewall has a default route pointed to untrust. Static routes are programmed for each cluster subnet so that traffic returning to the firewall is routed properly to its destination. To ensure return traffic passes through a single firewall, the outbound NAT rule does a source translation, redirecting the source from the Node IP address to the managed firewall’s untrust interface. If you have a firewall set, the return traffic must go through only one of the firewalls in the set.

AWS Plugin on Panorama

The AWS Plugin on Panorama manages the VM-Series firewall set for the services deployed in a cluster. It creates inbound NAT rules for services, outbound NAT rules (one for each cluster subnet), and static routes for each cluster subnet.

The plugin uses the Kubernetes Python SDK to retrieve information related to services deployed in your cluster. The plugin queries for services that are labeled panw-tg-port- and have been assigned a valid port value. The plugin uses the port to create an inbound NAT rule that is programmed on the VM-Series firewall. When traffic hits the firewall on that specified port, the firewall applies the inbound NAT rule for that port and routes the packet to its destination.

For each service port the plugin creates:
• An address object created with the FQDN of the service ILB.
• A service object created for each port specified in the label.
• An inbound NAT rule which creates source and destination NAT using the address object and service object just created.
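To make the plugin's behaviour described above concrete, the following added example (not the plugin's own code) derives the Panorama objects for one cluster: per labelled service port the FQDN address object, service object and inbound NAT rule, and per cluster subnet the outbound NAT rule plus one static route per firewall. It assumes the label key takes the form panw-tg-port-<port>, the interface names ethernet1/1 (untrust) and ethernet1/2 (trust) from the template setup later in this chapter, and that the trust-side next hop is the AWS VPC router at the first host address of the trust subnet; the Service and Firewall records and the sample data are constructed here rather than read from the Kubernetes or EC2 APIs.

```python
import ipaddress
from dataclasses import dataclass

LABEL_PREFIX = "panw-tg-port-"  # assumed label key form: panw-tg-port-<port>
UNTRUST_IF, TRUST_IF = "ethernet1/1", "ethernet1/2"  # interfaces from the template setup


@dataclass
class Service:
    """Fields the plugin reads from a Kubernetes Service object (constructed here)."""
    name: str
    namespace: str
    labels: dict
    ilb_fqdn: str  # DNS name of the service's internal NLB


@dataclass
class Firewall:
    """Fields the plugin reads from EC2 for one managed firewall (constructed here)."""
    instance_id: str
    az: str
    trust_subnet: str  # CIDR of the firewall's trust subnet in its AZ


def labelled_ports(service):
    """Ports declared with panw-tg-port-<port> labels; non-port values are ignored."""
    ports = set()
    for key in service.labels:
        if key.startswith(LABEL_PREFIX):
            value = key[len(LABEL_PREFIX):]
            if value.isdigit() and 1 <= int(value) <= 65535:
                ports.add(int(value))
    return sorted(ports)


def address_object(service):
    """FQDN address object for the service's internal load balancer."""
    return {"name": "%s-%s-ilb" % (service.namespace, service.name),
            "type": "fqdn", "value": service.ilb_fqdn}


def inbound_nat_rule(service, port):
    """Service object and NAT rule for one port: traffic arrives on the untrust
    interface on <port>; the source becomes the trust interface (so the reply
    returns through this firewall) and the destination becomes the ILB."""
    svc_obj = {"name": "tcp-%d" % port, "protocol": "tcp", "port": port}
    rule = {"name": "in-%s-%d" % (service.name, port),
            "from_zone": "untrust", "to_zone": "untrust",
            "destination": "untrust-interface-ip", "service": svc_obj["name"],
            "source_translation": {"interface": TRUST_IF},
            "destination_translation": address_object(service)["name"]}
    return svc_obj, rule


def outbound_nat_rule(cluster, subnet):
    """Source-NAT traffic leaving a cluster subnet to the untrust interface."""
    return {"name": "out-%s-%s" % (cluster, subnet.replace("/", "_")),
            "from_zone": "trust", "to_zone": "untrust", "source": subnet,
            "source_translation": {"interface": UNTRUST_IF}}


def static_route(firewall, subnet):
    """Route to a cluster subnet via the trust interface; the next hop is the AWS
    VPC router at the first host of the trust subnet (assumed AWS convention)."""
    gateway = next(ipaddress.ip_network(firewall.trust_subnet).hosts())
    return {"firewall": firewall.instance_id, "destination": subnet,
            "interface": TRUST_IF, "next_hop": str(gateway)}


def plan_cluster(cluster, subnets, firewalls, services):
    """Every object the plugin would program for one cluster."""
    plan = {"addresses": [], "services": [], "inbound_nat": [],
            "outbound_nat": [], "routes": []}
    for svc in services:
        ports = labelled_ports(svc)
        if ports:
            plan["addresses"].append(address_object(svc))
        for port in ports:
            svc_obj, rule = inbound_nat_rule(svc, port)
            if svc_obj not in plan["services"]:
                plan["services"].append(svc_obj)
            plan["inbound_nat"].append(rule)
    for subnet in subnets:
        plan["outbound_nat"].append(outbound_nat_rule(cluster, subnet))
        for fw in firewalls:  # one route per firewall per cluster subnet
            plan["routes"].append(static_route(fw, subnet))
    return plan


# Constructed sample: one firewall in each of two AZs, three cluster subnets,
# one service with two labelled ports and one with a malformed label.
SAMPLE_FIREWALLS = [Firewall("i-0aaaaaaaaaaaaaaaa", "us-east-2a", "192.168.2.0/24"),
                    Firewall("i-0bbbbbbbbbbbbbbbb", "us-east-2b", "192.168.12.0/24")]
SAMPLE_SUBNETS = ["192.168.110.0/24", "192.168.111.0/24", "192.168.112.0/24"]
SAMPLE_SERVICES = [
    Service("web", "default", {"panw-tg-port-80": "80", "panw-tg-port-443": "443"},
            "internal-web-123456789.us-east-2.elb.amazonaws.com"),
    Service("broken", "default", {"panw-tg-port-": "oops"},
            "internal-broken-987654321.us-east-2.elb.amazonaws.com"),
]
```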
The plugin is also responsible for adding configuration when a new cluster is added. The plugin uses the AWS API to retrieve cluster information, such as subnets, and VM-Series firewall information, such as the instance ID. The plugin uses the information to create one route per firewall, per cluster subnet. For example, if there are two Availability Zones (AZs), each containing firewalls, and three cluster subnets, the plugin creates six static routes. Additionally, for every cluster subnet, the plugin creates an outbound NAT rule. The NAT rule is applied to any traffic originating from these subnets and it does a source NAT to change the source from the Node IP address to the firewall untrust interface.

In Panorama, the plugin provides visibility into discovered services and service ports that are currently protected.

EKS Components and Planning Checklist

Securing EKS requires the following components. Review these components before you plan your EKS deployment. Consult the Compatibility Matrix for Panorama Plugins for Public Clouds.

Users of Panorama plugin for AWS version 1.0.0 must upgrade Panorama to the PAN-OS version in the Compatibility Matrix before upgrading the plugin from version 1.0.0 to version 2.0.0. If you do not, the upgrade occurs but the 1.0.0 configuration fails to migrate to 2.0.0 and it cannot be recovered.

Panorama—A Panorama virtual appliance or hardware-based appliance running the PAN-OS minimum version or later. Your Panorama PAN-OS version must be the same version or a later version than the VM-Series firewalls you want to manage. Panorama cannot manage firewalls that run a later PAN-OS version than the Panorama version.
• Panorama Licenses—You need an active support license and a device management license for managing VM-Series firewalls.
• AWS Plugin on Panorama v2.0.0—For an explanation of how the plugin secures EKS services, see AWS Plugin on Panorama.
• Panorama HA—If you plan to configure Active/Passive HA or Active/Active HA for Panorama, make sure to install the plugin on BOTH Panorama appliances and do a commit immediately after each plugin installation.
• VM-Series Plugin—Manually install the plugin version recommended in the Compatibility Matrix for Panorama Plugins for Public Clouds.

VM-Series firewalls—Managed VM-Series firewalls require a PAN-OS version that is the same or earlier than the Panorama version.
• You must be able to license your VM-Series firewalls (see VM-Series Firewall Licenses for Public Clouds).
• If you have a BYOL license, you must know the auth code so that you can use it to bootstrap the firewall.

AWS components—You need an AWS account with sufficient permissions to deploy the firewalls, run the templates to create EKS clusters, and create policies and roles that permit Panorama to view EKS metadata. Depending on the security policies in your organization, you might have to work with other administrators to be granted the permissions you need.
• AWS account—You must know your user name and password. You must also know your AWS Access Key, which consists of the access key ID and the secret access key. If you have an account but do not know your secret access key, you can create an access key and save the .csv file in a secure place.
• Amazon EC2 Key Pair—A public-key cryptography pair allows you to encrypt and decrypt login information for an EC2 instance. If you do not have a key pair, create one using Amazon EC2.
• AWS policies and roles—Your AWS account must be able to access the service policies for the EKS cluster creator and the Panorama administrator managing the firewall deployment.
  EKS cluster role—To deploy and manage an EKS cluster, create an IAM role and bind it to a cluster.
  This procedure, detailed in Set Up Kubectl and Configure Your Cluster, grants access to the Kubernetes APIs.
  Panorama administrator—To view and obtain EKS metadata, create an IAM role as described in IAM Roles and Permissions for Panorama.
• AWS CLI—Most actions can be performed in the AWS console or the AWS CLI. If you prefer the CLI, install or update the AWS CLI, ensuring that you have a supported version of Python.
• AWS Kubernetes and kubectl—View the available Amazon EKS versions and install kubectl for your local OS. The version you install must be within one minor version of the EKS version (you choose the Kubernetes version when you create the cluster).

Templates—Palo Alto Networks supports the VM-Series firewall templates, while the EKS templates are community supported. See Templates for a description of each template from github.com/PaloAltoNetworks/aws-eks.

Templates

To simplify securing an EKS deployment, you can use templates to deploy the VM-Series firewalls in a new VPC or existing VPC, create an EKS cluster, and configure an EKS node. You can download the templates from github.com/PaloAltoNetworks/aws-eks. Palo Alto Networks supports the VM-Series firewall templates, while the EKS cluster and node templates are community supported.

The template files are as follows:
• firewall-new-vpc-v1.0.template (greenfield deployment)
  Creates a new VPC and deploys a VM-Series firewall set that can be managed from Panorama.
• firewall-existing-vpc-v1.0.template (brownfield deployment)
  Deploys a VM-Series firewall set in an existing VPC. To use this template you supply a VPC ID and an internet gateway ID (IGW ID).
  A brownfield deployment works with an existing VPC and related resources such as the IGW. It does not work with existing EKS clusters or nodes created before the VM-Series firewalls are deployed in the VPC.
• eks-cluster-v1.0.template
  • Creates an EKS cluster.
  • Creates control plane security group.
  • Creates private cluster subnets.
  • Creates a route table associated with cluster subnets. The default route points to the IGW.
• eks-node-v1.0.template
  • Creates nodes.
  • Adds node auto scaling group.
  • Adds node security group.
  • Configures access between the control plane security group and Kubernetes resources.

Secure an EKS Cluster with VM-Series Firewall and AWS Plugin on Panorama

To enable Panorama to monitor and secure Elastic Kubernetes Services, you must install the Panorama plugin for AWS version recommended in the Compatibility Matrix for public clouds and add your cluster service account credentials. You must also associate your cluster credentials with a Panorama device group and a template stack to which the firewall set protecting the cluster belongs.
• Set Up Your Panorama Configuration
• Set Up Your AWS Bootstrap Bucket
• Deploy the Firewall Template on AWS
• Deploy the Cluster Stack
• Set Up Kubectl and Configure Your Cluster
• Add an EKS Cluster
• Configure Inbound Protection and Outbound Monitoring
• Configure the ELB
• Test the Outbound Workflow

Set Up Your Panorama Configuration

Configure these Panorama elements before you use the templates to deploy firewalls.

STEP 1 | Add a template. In Panorama, go to Panorama > Templates and Add a template.

STEP 2 | Add a stack. Select Panorama > Templates and Add Stack. In the Templates pane, Add the template you created in Step 1.

STEP 3 | Add a device group. Select Panorama > Device Groups and Add a device group. You don’t need to enter anything yet.

STEP 4 | Configure the DNS server to point to the AWS DNS server.
1. In the Device context, from the Template menu, select the template stack you created in Step 2.
2. Select Services and click the Edit gear.
3. Under Services select Servers and add the IP address of the AWS DNS server, 169.254.169.253.
4. Click OK.

STEP 5 | Configure untrust and trust interfaces, virtual routers, and zones to push to your managed firewalls.
1. Select Network > Interfaces, and from the Template menu, select the template you created in Step 1 (not the template stack).
2. Select Ethernet > Add Interface to configure the untrust interface.
   1. Slot—Select Slot 1.
   2. Interface Name—Select ethernet1/1.
   3. Interface Type—Select Layer3.
   4. To create the virtual router, select Config and under Assign Interface To > Virtual Router choose New Virtual Router. To name the router, prefix your template stack name with VR-. For example: VR-. The plugin searches for this specific router name. Select ECMP and select Enable, then click OK to return to the Config tab.
   5. Go to Assign Interface > Security Zone, choose New Zone, name the zone untrust, and click OK.
   6. Select IPV4 > DHCP Client. Leave Enable and Automatically create default route pointing to default gateway provided by server checked. This sets the default route to point to the untrust interface.
   7. Click OK.
3. Configure the trust interface.
   1. Select Interfaces > Ethernet > Add Interface.
   2. Slot—Select Slot 1.
   3. Interface Name—Select ethernet1/2.
   4. Interface Type—Select Layer3.
   5. Select Config and under Assign Interface > Virtual Router choose the router you just created (VR- ).
   6. Select Security Zone > New Zone, name the zone trust, and click OK.
   7. Select IPV4, choose DHCP Client, and disable (uncheck) Automatically create default route pointing to default gateway provided by server.
   8. Click OK.
4. (Optional) To configure outbound monitoring you need to create a default allow-all-outbound policy from the Trust zone to the Untrust zone. Without the default allow-all policy the firewall will block Kubernetes orchestration traffic leaving the worker nodes.
   1. Select Policies and from the Device Group menu, select the Device Group you made in Step 3.
   2. Select Security > Pre Rules and Add a security policy rule with the following values.
      • General—Name the policy allow-all-outbound.
      • Source—Select Trust.
      • Destination—Select Untrust.
      • Service/URL Category—Select Any.
      • Click OK.

STEP 6 | Commit your changes.

Set Up Your AWS Bootstrap Bucket

STEP 1 | Create an Amazon S3 bucket and Bootstrap Package as described in Bootstrap the VM-Series Firewall on AWS.

STEP 2 | Download eks.zip from https://github.com/PaloAltoNetworks/aws-eks. In a local directory, extract the contents:
   \cfg
      init-cfg.txt
   \templates
      panw-aws.zip

STEP 3 | Upload panw-aws.zip to your S3 bucket. This file contains the AWS Lambda code for the templates.

STEP 4 | Edit the init-cfg.txt file to supply the values for vm-auth-key, panorama-server, panorama-server-2, tplname, and dgname.
• vm-auth-key
  • If you have an auth-key, log on to your Panorama CLI and type:
    request bootstrap vm-auth-key show
  • If you don’t have an auth-key, to generate one from the CLI, type:
    request bootstrap vm-auth-key generate lifetime <1-8768>
• panorama-server—The IP address of your Panorama server.
• panorama-server-2—The IP address of the other server in your HA pair. If you have only one server you can leave this value undefined.
• tplname—The name of the template stack you created.
• dgname—The name of the device group you created.
Save the file.

STEP 5 | In your Amazon S3 bucket, add files to your bootstrap package as follows:
1. Upload the edited init-cfg.txt file to \config.
2. Upload authcodes to \license. authcodes (no extension) is a text file you create that contains the VM auth code you received when you purchased your license. The authcodes file ensures bootstrapped firewalls are licensed.
You can leave the \content and \software directories empty.

Deploy the Firewall Template on AWS

This task uses the firewall-new-vpc-v1.0.template to create an AWS VPC, create networks and subnetworks, and configure a firewall stack (greenfield deployment). See Deploy the Firewall Template in an Existing VPC for a brownfield deployment.

STEP 1 | In AWS, ensure that you are working in a region that supports EKS. See the region table.

STEP 2 | In AWS go to AWS Services > Management & Governance > Cloud Formation > Stacks > Create stack. If you completed the steps in Set Up Your AWS Bootstrap Bucket, your template is ready.

STEP 3 | Select template. Select Upload a template file and upload firewall-new-vpc-v1.0.template from your local drive. Click Next.

STEP 4 | Specify the Stack Name.

STEP 5 | Configure the VPC.
• VPCName—panwVPC (the default).
• Number of AZs—The number of availability zones in the region you chose for your S3 bucket (two, three, or four).
• Select AZs—From the list, select the available AZs for your region. Enter the number of AZs you specified in the previous step.
• VPCCIDR—Supply the CIDR for the VPC.
• NumberofFWs—Enter the number of firewalls (minimum 2, maximum 6).
• MgmtSubnetIpBlocks—List the IP CIDRs for the VM-Series firewall management subnets separated by commas. The number of CIDRs must match the number of AZs.
• UntrustSubnetIpBlocks—List the IP CIDRs for the VM-Series firewall untrust subnets separated by commas. The number of CIDRs must match the number of AZs.
• TrustSubnetIpBlocks—List the IP CIDRs for the VM-Series firewall trust subnets separated by commas. The number of CIDRs must match the number of AZs.
• NATGWSubnetIpBlocks—List the IP CIDRs for the NAT gateway subnets separated by commas.
  The number of CIDRs must match the number of AZs.
• Name of External Load Balancer—Name the external load balancer.
• ELBType—Choose either application or network. For this sample, choose application.

STEP 6 | Configure the VM-Series firewall instance.
• AMIID of PANFW image—Go to the AMI list, copy the AMI corresponding to your PAN-OS version for the BYOL license, and paste it here.
• Key pair—Select an Amazon EC2 key pair.
• SSH From—Enter your public IP address. This address is added to the security group to allow SSH access. To find it, type https://www.whatsmyip.org/ in a browser. If you are specifying a new VPC you must enter a valid CIDR range. For example, x.x.x.x/x.

STEP 7 | Provide S3 Bucket details—Supply the name of your bucket from Set Up Your AWS Bootstrap Bucket, which contains both firewall and Lambda code.
• Bootstrap bucket for VM-Series firewalls—Your bucket name.
• S3 Bucket Name for Lambda Code—Your bucket name.
• Click Next.
• Click Next. Skip configuring stack options.
• Click Next.

STEP 8 | On the review page, scroll down and check I acknowledge that AWS CloudFormation might create IAM resources and click Create stack. Creation can take up to ten minutes.

STEP 9 | In CloudFormation > Stacks confirm that the stack is active and the status is CREATE_COMPLETE.

STEP 10 | In Panorama, confirm the firewalls are up and connected to Panorama. This can take 20-30 minutes.
1. Select Panorama > Device Groups, and choose the device group you created. In the Devices/Virtual System column, verify that you have two IP addresses.
2. Select Panorama > Templates, select the template stack you created earlier and you also see the two IP addresses.

Deploy the Firewall Template in an Existing VPC

This task uses the firewall-existing-vpc-v1.0.template to deploy VM-Series firewalls in an existing VPC (brownfield deployment).

STEP 1 | In AWS, your VPC must be in a region that supports EKS. See the region table.
STEP 2 | In AWS go to AWS Services > Management & Governance > Cloud Formation > Stacks > Create stack. If you completed the steps in Set Up Your AWS Bootstrap Bucket, your template is ready.

STEP 3 | Select template. Select Upload a template file. Upload firewall-existing-vpc-v1.0.template from your local drive. Click Next.

STEP 4 | Specify the stack name.

STEP 5 | Configure the VPC.
• VPCID—Your VPC ID.
• VPCCIDR—Supply the CIDR block for the VPC.
• InternetGatewayID—Enter the Internet Gateway ID for your VPC.
• MgmtSubnetIpBlocks—List the IP CIDRs for the VM-Series firewall management subnets separated by commas. The number of CIDRs must match the number of AZs.
• UntrustSubnetIpBlocks—List the IP CIDRs for the VM-Series firewall untrust subnets separated by commas. The number of CIDRs must match the number of AZs.
• TrustSubnetIpBlocks—List the IP CIDRs for the VM-Series firewall trust subnets separated by commas. The number of CIDRs must match the number of AZs.
• NATGWSubnetIpBlocks—List the IP CIDRs for the NAT gateway subnets separated by commas. The number of CIDRs must match the number of AZs.
• Number of AZs—The number of availability zones in the region you chose for your S3 bucket (two, three, or four).
• Select AZs—From the list, select the available AZs for your region. Enter the number of AZs you specified in the previous step.
• ELBType—Choose either application or network. For this sample, choose application.

STEP 6 | Configure the VM-Series firewall instance.
• AMIID of PANFW image—Go to the AMI list, copy the AMI corresponding to your PAN-OS version for the BYOL license, and paste it here.
• Key pair—Select an Amazon EC2 key pair.
• SSH From—Enter your public IP address. This address is added to the security group to allow SSH access. To find it, type https://www.whatsmyip.org/ in a browser.
If you are specifying a new VPC you must enter a valid CIDR range. For example, x.x.x.x/x. • NumberofFWs—Enter the number of firewalls (minimum 2, maximum 6). STEP 7 | Provide S3 Bucket details—Supply the name of your bucket from Set Up Your AWS Bootstrap Bucket, which contains both firewall and Lambda code. • Bootstrap bucket for VM-Series firewalls—Your bucket name. • S3 Bucket Name for Lambda Code—Your bucket name. • Click Next. • Click Next. Skip configuring stack options. • Click Next. STEP 8 | Configure other parameters. • Name of External Load Balancer—Name the external load balancer. STEP 9 | On the review page, scroll down and check I acknowledge that AWS CloudFormation might create IAM resources and click Create stack. Creation can take up to ten minutes. STEP 10 | In CloudFormation > Stacks confirm that the stack is active and the status is CREATE_COMPLETE. STEP 11 | In Panorama, confirm the firewalls are up and connected to Panorama. This can take 20-30 minutes. 348 VM-SERIES DEPLOYMENT GUIDE | Set Up the VM-Series Firewall on AWS © 2020 Palo Alto Networks, Inc.1. Select Panorama > Device Groups, and choose the device group you created. In the Devices/Virtual System column, verify that you have two IP addresses. 2. Select Panorama > Templates, select the template stack you created earlier and you also see the two IP addresses. Deploy the Cluster Stack This task uses eks-cluster-v1.0.template to set up the cluster subnets and the control plane. STEP 1 | Deploy the cluster stack. Your template is ready. 1. In Specify a template, select Upload a template file and upload eks-cluster-v1.0.template from your local drive. 2. In AWS go to AWS Services > Management & Governance > Cloud Formation > Stacks > Create stack. 3. Click Next. 4. Name the stack. STEP 2 | Configure the cluster. 1. Fill out the template as follows: • Cluster Name—Name your EKS cluster. • Kubernetes Version—Enter the Kubernetes version for your EKS cluster. 
   • VPCID—Select the VPC you just deployed with the firewall template.
   • Number of Cluster Subnets—Choose at most one subnet per availability zone, based on your choice in the next step.
   • AZs for cluster subnets—Two, three, or four, depending on the region.
   • Private Subnet IP Blocks—Enter a CIDR for each cluster subnet. For example, 192.168.110.0/24, 192.168.111.0/24.
   • Internet Gateway ID of VPC—Enter the internet gateway ID for the stack you just created. To find the ID in AWS, go to Services > VPC > Internet Gateways, and copy the ID (igw-*) corresponding to the firewall stack you created when you deployed the firewall templates.
2. Click Next, and Next again.

STEP 3 | On the review page, scroll down and check I acknowledge that AWS CloudFormation might create IAM resources and click Create.

STEP 4 | In CloudFormation > Stacks confirm that the stack is active and the status is CREATE_COMPLETE.

STEP 5 | In the cluster you just deployed, note the API server endpoint and your subnets.

Set Up Kubectl and Configure Your Cluster

Set up a Kubectl config file so you can use Kubectl commands locally to configure your cluster (when you do not have the AWS CLI installed). If you prefer the AWS CLI, follow the instructions in Configuring the AWS CLI.

STEP 1 | Set up your Kubectl configuration.
1. Go to Create a kubeconfig for Amazon EKS and follow the directions in “To create your kubeconfig file manually.”
   • Copy the sample .config file from “To use the AWS IAM Authenticator for Kubernetes.”
   • On the command line, open a text file:
       vi ~/.kube/config-<cluster-name>
2. Paste in the sample configuration.
3. Edit the sample config file.
   • server—In the AWS console, view your EKS cluster, copy the API server endpoint (https://...) and paste it into your config file.
   • certificate-authority-data—View your EKS cluster, copy the certificate authority, and paste it into your config file.
   • args—Replace the cluster name variable with your cluster name.
   • Save the file.
4. Set environment variables for AWS authentication:
       export AWS_ACCESS_KEY_ID=<access-key-id>
       export AWS_SECRET_ACCESS_KEY=<secret-access-key>
5. Apply the configuration:
       export KUBECONFIG=$KUBECONFIG:~/.kube/config-<cluster-name>
6. Print the current services:
       kubectl get svc

STEP 2 | Create credentials and assign permissions.
1. Create a service account for a specific EKS cluster user:
       kubectl create serviceaccount <service-account-name>
2. Create a YAML file to define the cluster role. In the following sample, the role name is eks_cluster_role.
       vi eks_cluster_role.yaml
       kubectl create -f eks_cluster_role.yaml
   Here is a sample eks_cluster_role.yaml file (the role only needs to list services):
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRole
       metadata:
         name: eks-cluster-role
       rules:
       - apiGroups:
         - ""
         resources:
         - services
         verbs:
         - list
3. Associate (bind) the service account to the cluster role you just created:
       vi eks_cluster_role_binding.yaml
       kubectl create -f eks_cluster_role_binding.yaml
   Here is a sample eks_cluster_role_binding.yaml file for the cluster role:
       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRoleBinding
       metadata:
         name: eks-cluster-role-binding
       roleRef:
         apiGroup: rbac.authorization.k8s.io
         kind: ClusterRole
         name: eks-cluster-role
       subjects:
       - kind: ServiceAccount
         name: <service-account-name>
         namespace: default
   In the above sample, <service-account-name> is the name you created in Step 2.a.

STEP 3 | Export the service account credentials for your <service-account-name>.
1. Get the name of the service account's token secret:
       MY_TOKEN=$(kubectl get serviceaccounts <service-account-name> -o jsonpath='{.secrets[0].name}')
2. Get your secret token:
       kubectl get secret $MY_TOKEN -o json > <credential-file>
   In the above, <credential-file> is the name of your credential file.

Add an EKS Cluster

Add your configuration to the Panorama plugin for AWS. The configuration requires the access information from your account, which is typically governed by an IAM role.
For each cluster you can either use an IAM role you created or assume a role. To perform this task you must know your AWS Access Key, which is comprised of the access key ID and the secret access key. If you do not know your access key, you can create an access key and save the .csv file in a secure place.

STEP 1 | Select Panorama > AWS > Setup > IAM Role. Supply values for Name, Access Key ID, Secret Access Key, and Confirm Secret Access Key.

STEP 2 | Select Panorama > AWS > Setup > EKS Service Account and click Add. Enter your service account information.
• Name—Your choice. The plugin does not use the name.
• Description—Your choice.
• API server address—In EKS, this is the API server endpoint for your cluster.
• EKS Credential—Upload the JSON file you exported in step 3 of Set Up Kubectl and Configure Your Cluster.

STEP 3 | Select Panorama > EKS Clusters and add a cluster. Enter the following values.
• Cluster Name—The exact name of your EKS cluster.
• (Optional) Description—Your choice.
• AWS FW Stack Name—Name of the CloudFormation stack in which you deployed your firewalls.
• Region—The region for your VPC and S3 bucket.
• EKS Service Account—Select the account you created in the previous step.
• IAM Role—Choose the EKS role or the role you want to assume.
• Assume Role ARN—Leave this field blank if you chose the EKS role. If you choose to assume a role, view the role, copy the Role ARN, and paste it here.
• Device Group—Choose the device group you created earlier.
• Template Stack—Choose the template stack you created earlier.
• Enable—Check this box to enable monitoring for the EKS cluster.
Commit your changes.

STEP 4 | After you add the EKS cluster definition, verify the plugin actions.
When you add a new cluster, the plugin creates a NAT rule for every cluster subnet that you created, and configures a static route for each firewall to tell it how to access each subnet and the cluster. In this case there are two outbound NAT rules in the device group. Select Policies > Device Group > <device-group> > NAT and view the two outbound NAT rules and the static route for each firewall. It may take up to two minutes for the result to populate.

Configure Inbound Protection and Outbound Monitoring

With the EKS cluster deployed and configured, you can now configure outbound monitoring, deploy a node stack with eks-node-v1.0.template, and associate nodes with the cluster you configured.
• Configure Outbound Monitoring
• Deploy a Node Stack
• Associate the Nodes with the Cluster
• Use the Guestbook Application to Verify the Deployment
• View the Cluster in Panorama

Configure Outbound Monitoring

To configure outbound monitoring, add a public IP address to eth0 on the outbound firewall, and route the cluster subnets to the trust interface (eth2).

STEP 1 | Add a public IP address to eth0 on the outbound firewall.
1. Go to AWS > EC2 > Instances and search for the firewalls you deployed with the templates. If you used the template naming conventions, search for your VPC name.
2. Select one firewall to be the outbound firewall and attach a tag.
   • Select the Tags group and click Add/Edit Tags.
   • (Optional) Edit the name to append -outbound. This is a convenience; the plugin does not require it.
3. Select ENI eth0 and attach a public IP address.
   1. Copy the ENI ID and choose Network & Security > Elastic IPs.
   2. Select an available IP address and choose Actions > Associate Address.
   • Select Network Interface and paste the ENI that you copied.
   • From the drop-down menu, select the public IP address.
   • Click Associate and choose the network interface.
   • Return to Instances.
The outbound instance now has an IPv4 public IP address. View eth0.

STEP 2 | Change the default route of the cluster subnets to point to the trust interface, in this case eth2.
1. Copy the ENI from the outbound firewall you tagged in step 1, go to Amazon Container Services > Amazon EKS > Clusters, and choose the cluster the template created. Under Networking, select one of the subnets to open Virtual Private Cloud > Subnets. (There are two subnets and they both share the same routing table.)
2. Click the Route Table tab, and click the route table link to modify the route table.
3. Click Routes to see that the default route 0.0.0.0/0 points to the IGW, causing all outbound traffic to go directly to the internet.
4. Click Edit routes and change the target from the IGW to the ENI of the trust interface of your outbound firewall (see the previous step). Save the routes.

Deploy a Node Stack

STEP 1 | Go to CloudFormation > Stacks. Click Create Stack.

STEP 2 | Select Choose a template > Upload a template to Amazon S3.
1. Choose eks-node-v1.0.template and click Open, then Next.
2. Specify the stack details.
   • Stack Name—Enter the exact name of the cluster stack you deployed.
   • Enter cluster information:
     • Cluster Name—Must match the cluster name exactly or it will not associate correctly.
     • Cluster Stack Name—Your choice.
     • VPC ID—Select your VPC.
   • Configure the node:
     • Node Group Name—Your choice.
     • SSH Key—Select an SSH key (so that you can log in to the nodes).
     • Node Image ID—You need to specify the Amazon Machine Image that the node boots from; it runs a bootstrap script to associate with the cluster. Go to https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html, find NodeImageId, and locate the AMI table. Choose a Kubernetes version. Select View AMI ID for your region. Under Value, copy the AMI ID, then paste it into the Node Image ID field.
     • Node Instance Type—t2.medium.
     • Max Number of Nodes—Enter the maximum number of nodes after scale-out events.
     • Min Number of Nodes—Enter the minimum number of nodes after scale-in events (minimum of one).
     • Node Subnets—Return to CloudFormation and select the stack where you deployed your cluster. On the Outputs tab, choose the IDs for all subnets and copy them, one at a time, into the Node Subnets field.
   • Click Next.
   • Click Create. On the Stacks page you see CREATE_IN_PROGRESS in yellow, then CREATE_COMPLETE in green.
   • When your stack has finished creating, select it in the console and choose the Outputs tab. Record the NodeInstanceRole for the node group that was created. You need this when you configure your Amazon EKS worker nodes.

Associate the Nodes with the Cluster

After the nodes come up, apply a configuration map that tells the cluster the nodes are active and must be associated with the cluster.

STEP 1 | Return to https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html and find “enable worker nodes to join your cluster”.

STEP 2 | Get the sample YAML file from AWS:
       curl -o aws-auth-cm.yaml https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2019-02-11/aws-auth-cm.yaml
   View the file with a text editor:
       apiVersion: v1
       kind: ConfigMap
       metadata:
         name: aws-auth
         namespace: kube-system
       data:
         mapRoles: |
           - rolearn: arn:aws:iam::############:role/-NodeInstanceRole-CEMFVNZGL5XL
             username: system:node:{{EC2PrivateDNSName}}
             groups:
               - system:bootstrappers
               - system:nodes

STEP 3 | Return to CloudFormation > Stacks and choose the node stack you deployed. On the Outputs tab, the ARN Value is in the center column. Copy the ARN Value.

STEP 4 | Return to aws-auth-cm.yaml, paste the ARN in as the rolearn value, save, and close.

STEP 5 | Apply aws-auth-cm.yaml using Kubectl commands:
       kubectl apply -f aws-auth-cm.yaml
   You see a confirmation that the ConfigMap is created:
       configmap/aws-auth created

STEP 6 | Get the nodes, and view the progress as the node comes up.
       kubectl get nodes --watch
   As the node starts to come up the STATUS is NotReady. After it switches to Ready, you can deploy a service to this node.

Use the Guestbook Application to Verify the Deployment

This task is optional. In this task you adapt and deploy the Kubernetes tutorial Create a Guestbook with Redis and PHP. The tutorial has five objectives, but you only need the first four:
1. Set up a Redis master.
2. Set up Redis workers.
3. Set up the Guestbook web frontend.
4. Visit the Guestbook website.
Follow the tutorial to configure your environment and download the configuration files. The following workflow highlights exceptions or alternatives for your AWS deployment.

STEP 1 | Before you begin. Follow the Create a Guestbook with Redis and PHP tutorial to configure your environment and download the configuration files.
• Ignore any gcloud instructions. You can use Kubectl or the AWS console. You should already have Kubectl if you installed the EKS Components and Planning Checklist.
• Billing is beyond the scope of this task. This tutorial deploys a load balancer, which requires an external IP address. See the targetPort property, as described in Set up the guestbook web frontend.
• Download the configuration files as directed.
• Instead of creating a GKE cluster, use the EKS cluster you created earlier.

STEP 2 | Follow the instructions in Set up a Redis master and Set up Redis workers.

STEP 3 | Set up the guestbook web frontend. Follow the instructions up to Expose frontend on an external IP address.

STEP 4 | Use a text editor to modify frontend-service.yaml as follows:
• Add annotations.
• service.beta.kubernetes.io/aws-load-balancer-type must be: nlb. ALB is not supported for the ILB.
• service.beta.kubernetes.io/aws-load-balancer-internal must be: 0.0.0.0/0
• The spec type must be: LoadBalancer
• Add the label panw-tg-port-<name> and specify a port name and value—for example, panw-tg-port-myport1:102. When traffic hits port 102, your firewall applies a NAT rule to forward the traffic to this service.

STEP 5 | Deploy the service:
       kubectl create -f frontend-service.yaml
   You see the following message when the service is created:
       service/frontend created

STEP 6 | View the FQDN for all services:
       kubectl get svc

View the Cluster in Panorama

STEP 1 | Return to Panorama and select Panorama > EKS Clusters.

STEP 2 | Select the cluster you just deployed and in the Action column, select Show Port Mapping. For the frontend service, the protected column should show True.

STEP 3 | Under Policies look at the NAT rule. Choose your device group and select NAT > Pre Rules. The rule is frontend-82-inbound. To test that you can reach the service through the firewall, use:
       curl http://<address>:82
   If the HTML prints, you are successful.

STEP 4 | Log in to the firewall CLI and type:
       show session all
   Look for "web-browsing" in the application field.

Configure the ELB

This task demonstrates how to send traffic to your ELB and then forward it to firewalls and services deployed in the cluster. When you configured the firewall template in Deploy the Firewall Template on AWS Step 5, you chose application or network for the type. There are some small differences in how you configure each load balancer type.
• ALB—An ALB uses the HTTP or HTTPS protocol and determines the backend destination based on the FQDN. An ALB always has the same listener.
• NLB—An NLB uses the TCP protocol (although there are other protocols for AWS NLBs, the plugin only supports TCP). The NLB determines the backend destination based on the port number, so you can change the listener.

STEP 1 | Create a target group for every service that you are securing with managed firewalls. Every service for which you create a NAT rule must have its own target group.
1. Create a target group. Select EC2 > Load Balancing > Target Groups > Create target group. Fill out the form as follows:
   • Target group name—Enter a name. In this sample, the name is frontend-demo-service.
   • Target type—Instance.
   • Protocol—Choose the protocol for the ELB type you specified in Deploy the Firewall Template on AWS, step 5:
     • ALB—HTTP or HTTPS.
     • NLB—TCP.
   • Port—Enter the port number on the firewall that will receive traffic when this target group is applied.
   • VPC—Select the VPC you created.
2. Click Create.

STEP 2 | Edit the firewall auto scaling group. Select EC2 > Auto Scaling Group.
• Select the auto scaling group you deployed previously and select Actions > Edit.
• Under Target Groups, choose the target group you created in the previous step.
• Click Save. Wait a minute before continuing.

STEP 3 | Verify the targets are registered.
• Return to Load Balancing > Target Groups.
• Select your service, and on the Targets tab below, verify the targets are registered.

STEP 4 | Verify load balancing.
• Go to EC2 > Load Balancing > Load Balancers.
• Choose your load balancer (check your CloudFormation template for the name you supplied), select Listeners, go to your listener, and in the Rules column, choose View/edit rules. If there are no rules to match the traffic, traffic is forwarded to the default rule.
• Create or edit a rule to forward traffic to the target group you created in step 1.a (frontend-demo-service). Once you create the rule, if traffic hitting the ELB on the port you specified in 1.a does not match any rule, it is forwarded to frontend-demo-service, which forwards traffic to port 82 on the firewall. From there, it goes to the service. You can edit the default rule, or add your own rule. Choose one of the following:
  • Edit the default rule—Click the pencil to edit the default rule. Under Forward to... select the target group you created in 1.a (frontend-demo-service) and click Update. If traffic hitting the ELB on the port you specified in 1.a does not match any rule, it is forwarded to frontend-demo-service, which forwards traffic to port 82 on the firewall. From there, it should go to the service.
  • Add a new rule—Click + to add a rule and click Insert Rule. Add a condition and an action (Forward to...).
• View the load balancer description to get the DNS name for the ELB. Issue a curl command against the DNS name:
       curl http://######-1219937001.us-west-2.elb.amazonaws.com
   You receive a response from the Guestbook demo application, meaning the traffic entered successfully.

STEP 5 | Log in to the firewall CLI to confirm traffic is directed to the correct port:
       show session all
   View web-browsing traffic originating from the untrust network and directed to port 80 on the firewall. You can also go to Panorama > Monitor and switch to the device context to view traffic.

Test the Outbound Workflow

This optional task demonstrates how you can test your outbound workflow.

STEP 1 | To configure outbound traffic, change the cluster subnet default route to point to the trust interface on one of the firewalls in the firewall set. On that same firewall, add the public IP address to the untrust interface.

STEP 2 | Log in to the outbound firewall, and from the CLI, run show session all. You should see SSL traffic originating from the cluster subnets. View the node IP address, and notice that it sends outbound traffic to communicate with the master node.
STEP 3 | Deploy a pod that you can log in to.
1. Deploy a pod:
       kubectl create -f shell-demo.yaml
2. Log in to the demo pod:
       kubectl exec -it shell-demo -- /bin/bash
   You are logged in.

STEP 4 | Use apt-get to test the session.
1. From the OS, type:
       apt-get update
2. In the firewall CLI, type:
       show session all
   On the bash shell you can see the apt-get update go through the firewall, and the apt-get requests are registered as sessions.

STEP 5 | You can also curl something from the internet to demonstrate that traffic is going in and out. For example:
1. From the OS, type:
       apt-get install curl
   Then curl an FQDN using the proper format for your ELB:
   • ALB—curl <ALB FQDN>
   • NLB—curl <NLB FQDN>
2. From the firewall, type:
       show session all
   You see a request originating from your node IP address.

List of Attributes Monitored on the AWS VPC

As you provision or modify virtual machines in your AWS VPCs, you have two ways of monitoring these instances and retrieving the tags for use as match criteria in dynamic address groups.
• VM Information Source—On a next-gen firewall, you can monitor up to a total of 32 tags—14 predefined and 18 user-defined key-value pairs (tags).
• AWS Plugin on Panorama—The Panorama plugin for AWS allows you to connect Panorama to your AWS VPC on the public cloud and retrieve the IP address-to-tag mapping for your virtual machines. Panorama then registers the VM information to the managed Palo Alto Networks® firewall(s) that you have configured for notification. With the plugin, Panorama can retrieve a total of 32 tags for each virtual machine, 11 predefined tags and up to 21 user-defined tags. The maximum length of the tag-value (name and value included) must be 116 characters or less. If a tag is longer than 116 characters, Panorama does not retrieve the tag or register it on the firewalls.
Attributes Monitored on the AWS-VPC | VM Information Source on the Firewall | AWS Plugin on Panorama
AMI ID (ImageId) | Yes | Yes
Architecture (Architecture) | Yes | No
Availability Zone (AvailabilityZone) | Yes | Yes
Guest OS (GuestOS) | Yes | No
IAM Instance Profile (Iam-instance-profile) | No | Yes
Instance ID (InstanceId) | Yes | No
Instance State (InstanceState) | Yes | No
Instance Type (InstanceType) | Yes | No
Key Name (KeyName) | Yes | Yes
Owner ID (Account-number) | No | Yes. The value for this attribute is fetched from the ENI.
Placement Tenancy, Group Name (Placement.Tenancy, Placement.GroupName) | Yes | Yes
Private DNS Name (PrivateDnsName) | Yes | No
Public DNS Name (PublicDnsName) | Yes | Yes
Subnet ID (SubnetID) | Yes | Yes
Security Group ID (Sg-id) | No | Yes
Security Group Name (Sg-name) | No | Yes
VPC ID (VpcId) | Yes | Yes
Tag (key, value) (aws-tag.<key>.<value>) | Yes; up to a maximum of 18 user-defined tags are supported. The user-defined tags are sorted alphabetically, and the first 18 tags are available for use on the firewalls. | Yes; up to a maximum of 21 user-defined tags are supported. The user-defined tags are sorted alphabetically, and the first 21 tags are available for use on Panorama and the firewalls.

IAM Permissions Required for Monitoring the AWS VPC

In order to enable VM Monitoring, the user's AWS login credentials tied to the AWS Access Key and Secret Access Key must have permissions for the attributes listed above. These privileges allow the firewall to initiate API calls for monitoring the virtual machines in the AWS VPC. The IAM policy associated with the user must either have global read-only access such as AmazonEC2ReadOnlyAccess, or must include individual permissions for all of the monitored attributes.
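As an added example (not Palo Alto Networks code), the following Python models the two rules this section states about user-defined tags (alphabetical order, 18 versus 21 tags, the plugin's 116-character limit) and checks an IAM policy document for the ten ec2:Describe actions VM monitoring needs while flagging any grant wider than read-only. The policy it embeds is a copy of the example this section goes on to show; the instance tags are constructed, and the check ignores Deny statements and attached managed policies.

```python
"""Added example (not Palo Alto Networks code): models the tag-selection rules
of the attribute table and checks an IAM policy for VM-monitoring permissions."""
import json
from fnmatch import fnmatchcase

# Per-source limits on user-defined tags, from the attribute table.
USER_TAG_LIMIT = {"firewall": 18, "panorama": 21}
# The plugin drops any tag whose name plus value exceeds this length.
MAX_PANORAMA_TAG_LEN = 116


def select_user_tags(tags, source):
    """Return the (key, value) pairs, in registration order, that the given
    source keeps: tags sorted alphabetically by key, truncated to the limit.
    The section states the 116-character rule for the plugin only, so it is
    applied for "panorama" and skipped for "firewall"."""
    if source not in USER_TAG_LIMIT:
        raise ValueError(f"unknown source {source!r}")
    ordered = sorted(tags.items())
    if source == "panorama":
        ordered = [(k, v) for k, v in ordered
                   if len(k) + len(v) <= MAX_PANORAMA_TAG_LEN]
    return ordered[:USER_TAG_LIMIT[source]]


# The ten actions the policy example in this section grants.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeAvailabilityZones", "ec2:DescribeImages",
    "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
    "ec2:DescribeKeyPairs", "ec2:DescribePlacementGroups",
    "ec2:DescribeRegions", "ec2:DescribeSubnets",
    "ec2:DescribeTags", "ec2:DescribeVpcs",
})
READ_ONLY_VERBS = ("Describe", "Get", "List")


def allowed_action_patterns(policy):
    """Collect the Action patterns of every Allow statement. Deny statements
    and attached managed policies are outside this check's scope."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def policy_check(policy):
    """Return the required actions the policy does not grant, plus every
    granted pattern whose verb is not read-only (e.g. "ec2:*" or "*")."""
    patterns = allowed_action_patterns(policy)
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(fnmatchcase(a, p) for p in patterns))
    over_broad = sorted(p for p in patterns
                        if not p.partition(":")[2].startswith(READ_ONLY_VERBS))
    return {"missing": missing, "over_broad": over_broad}


# Copy of the IAM policy example from this section.
MONITORING_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
    "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeImages",
      "ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
      "ec2:DescribeKeyPairs", "ec2:DescribePlacementGroups",
      "ec2:DescribeRegions", "ec2:DescribeSubnets",
      "ec2:DescribeTags", "ec2:DescribeVpcs" ],
    "Resource": [ "*" ] } ] }
""")

if __name__ == "__main__":
    # Constructed instance tags: 25 short tags plus one that is too long.
    sample_tags = {f"env{i:02d}": "prod" for i in range(25)}
    sample_tags["aaa"] = "x" * 120
    print("firewall keeps", len(select_user_tags(sample_tags, "firewall")), "tags")
    print("panorama keeps", len(select_user_tags(sample_tags, "panorama")), "tags")
    print(policy_check(MONITORING_POLICY))
```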
The following IAM policy example lists the permissions for initiating the API actions for monitoring the resources in the AWS VPC:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeImages",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeKeyPairs",
            "ec2:DescribePlacementGroups",
            "ec2:DescribeRegions",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVpcs"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

Set Up the VM-Series Firewall on KVM

Kernel-based Virtual Machine (KVM) is an open-source virtualization module for servers running Linux distributions. The VM-Series firewall can be deployed on a Linux server that is running the KVM hypervisor. This guide assumes that you have an existing IT infrastructure that uses Linux and have the foundation for using Linux/Linux tools. The instructions only pertain to deploying the VM-Series firewall on KVM.
> VM-Series on KVM—Requirements and Prerequisites
> Supported Deployments on KVM
> Install the VM-Series Firewall on KVM
> Performance Tuning of the VM-Series for KVM

VM-Series on KVM—Requirements and Prerequisites

• Options for Attaching the VM-Series on the Network
• Prerequisites for VM-Series on KVM

Table 2: VM-Series on KVM System Requirements

Requirements | Description
Hardware Resources | See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
Software Versions | See the supported KVM software versions in the Compatibility Matrix.
SR-IOV Drivers | See PacketMMAP Driver Versions in the Compatibility Matrix.
DPDK Drivers | See DPDK Driver Versions in the Compatibility Matrix. If you use one of the supported NIC drivers on VM-Series on KVM, DPDK is enabled by default.
Network Interfaces—Network Interface Cards and Software Bridges | The VM-Series on KVM supports a total of 25 interfaces: 1 management interface and a maximum of 24 network interfaces for data traffic. VM-Series deployed on KVM supports software-based virtual switches such as the Linux bridge or the Open vSwitch bridge, and direct connectivity to PCI passthrough or an SR-IOV capable adapter.
  • On the Linux bridge and OVS, the e1000 and Virtio drivers are supported; the default driver rtl8139 is not supported.
  • For PCI passthrough/SR-IOV support, the VM-Series firewall has been tested with the following network cards:
    • Intel 82576 based 1G NIC: SR-IOV support on all supported Linux distributions; PCI-passthrough support.
    • Intel 82599 based 10G NIC: SR-IOV support on all supported Linux distributions; PCI-passthrough support.
    • Broadcom 57112 and 578xx based 10G NIC: SR-IOV support on all supported Linux distributions; no PCI-passthrough support.
    • Refer to PacketMMAP Driver Versions in the Compatibility Matrix.
  SR-IOV capable interfaces assigned to the VM-Series firewall must be configured as Layer 3 interfaces or as HA interfaces.

Options for Attaching the VM-Series on the Network

• With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the same host. For external connectivity, data traffic uses the physical interface to which the bridge is attached.
• With PCI passthrough, data traffic is passed directly between the guest and the physical interface to which it is attached. When the interface is attached to a guest, it is not available to the host or to other guests on the host.
• With SR-IOV, data traffic is passed directly between the guest and the virtual function to which it is attached.
Prerequisites for VM-Series on KVM

Before you install the VM-Series firewall on the Linux server, review the following sections:
• Prepare the Linux Server
• Prepare to Deploy the VM-Series Firewall

Prepare the Linux Server

Check the Linux distribution version. For a list of supported versions, see VM-Series on KVM System Requirements.

Verify that you have installed and configured the KVM tools and packages that are required for creating and managing virtual machines, such as Libvirt.

If you want to use a SCSI disk controller to access the disk on which the VM-Series firewall stores data, you must use virsh to attach the virtio-scsi controller to the VM-Series firewall. You can then edit the XML template of the VM-Series firewall to enable the use of the virtio-scsi controller. For instructions, see Enable the Use of a SCSI Controller. KVM on Ubuntu 12.04 does not support the virtio-scsi controller.

Verify that you have set up the networking infrastructure for steering traffic between the guests and the VM-Series firewall and for connectivity to an external server or the Internet. The VM-Series firewall can connect using a Linux bridge, the Open vSwitch, PCI passthrough, or an SR-IOV capable network card.
• Make sure that the link state for all interfaces you plan to use is up; sometimes you have to bring them up manually.
• Verify the PCI ID of all the interfaces. To view the list, use the command:
       virsh nodedev-list --tree
• If using a Linux bridge or OVS, verify that you have set up the bridges required to send/receive traffic to/from the firewall. If not, create the bridge(s) and verify that they are up before you begin installing the firewall.
• If using PCI-passthrough or SR-IOV, verify that the virtualization extensions (VT-d/IOMMU) are enabled in the BIOS. For example, to enable IOMMU, intel_iommu=on must be defined in /etc/grub.conf. Refer to the documentation provided by your system vendor for instructions.
• If using PCI-passthrough, ensure that the VM-Series firewall has exclusive access to the interface(s) that you plan to attach to it. To allow exclusive access, you must manually detach the interface(s) from the Linux server; refer to the documentation provided by your network card vendor for instructions. To manually detach the interface(s) from the server, use the command:
       virsh nodedev-detach <PCI device name>
   For example, virsh nodedev-detach pci_0000_07_10_0. In some cases, in /etc/libvirt/qemu.conf, you may have to uncomment relaxed_acs_check = 1.
• If using SR-IOV, verify that the virtual function capability is enabled for each port that you plan to use on the network card. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. A guest can be mapped to one or more virtual functions. To enable virtual functions, you need to:
  1. Create a new file in this location: /etc/modprobe.d/
  2. Modify the file using the vi editor to make the functions persistent:
         vim /etc/modprobe.d/igb.conf
  3. Enable the number of virtual functions required:
         options igb max_vfs=4
  After you save the changes and reboot the Linux server, each interface (or physical function) in this example will have 4 virtual functions. Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported and for instructions to enable it.

Configure the host for maximum VM-Series performance. Refer to Performance Tuning of the VM-Series for KVM for information about configuring each option.
• Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries. Open vSwitch is required to use DPDK with the VM-Series firewall.
• Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
• Enable multi-queue support for NICs. Multi-queue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
• Isolate CPU Resources in a NUMA Node. You can improve performance of VM-Series on KVM by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node.

Prepare to Deploy the VM-Series Firewall

Purchase the VM-Series model and register the authorization code on the Palo Alto Networks Customer Support web site. See Create a Support Account and Register the VM-Series Firewall.

Obtain the qcow2 image and save it on the Linux server. As a best practice, copy the image to the folder /var/lib/libvirt/qemu/images.

If you plan to deploy more than one instance of the VM-Series firewall, make the required number of copies of the image. Because each instance of the VM-Series firewall maintains a link with the .qcow2 image that was used to deploy the firewall, ensure that each image is independent and is used by a single instance of the firewall, to prevent data corruption.

Supported Deployments on KVM

You can deploy a single instance of the VM-Series firewall per Linux host (single tenant) or multiple instances of the VM-Series firewall on a Linux host. The VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. If you plan on using SR-IOV capable interfaces on the VM-Series firewall, you can only configure the interfaces as Layer 3 interfaces.
• Secure Traffic on a Single Host
• Secure Traffic Across Linux Hosts

Secure Traffic on a Single Host

To secure east-west traffic across guests on a Linux server, the VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. The illustration below shows the firewall with Layer 3 interfaces, where the firewall and the other guests on the server are connected using Linux bridges. In this deployment, all traffic between the web servers and the database servers is routed through the firewall; traffic among the database servers only or among the web servers only is switched by the bridge and never reaches the firewall, so same-tier traffic is not inspected in this topology.

Secure Traffic Across Linux Hosts

To secure your workloads, more than one instance of the VM-Series firewall can be deployed on a Linux host. If, for example, you want to isolate traffic for separate departments or customers, you can use VLAN tags to logically isolate network traffic and route it to the appropriate VM-Series firewall. In the following example, one Linux host hosts the VM-Series firewalls for two customers, Customer A and Customer B, and the workload for Customer B is spread across two servers. VLANs are used to isolate the traffic and direct it to the VM-Series firewall configured for each customer.

In another variation of this deployment, a pair of VM-Series firewalls is deployed in a high availability (HA) set up. The VM-Series firewalls in the following illustration are deployed on a Linux server with SR-IOV capable adapters. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. Each virtual function attached to the VM-Series firewall is configured as a Layer 3 interface. The active peer in the HA pair secures traffic that is routed to it from guests that are deployed on a different Linux server.
Install the VM-Series Firewall on KVM

The libvirt API that is used to manage KVM includes a host of tools that allow you to create and manage virtual machines. To install the VM-Series firewall on KVM you can use any of the following methods:
• virt-manager: Deploy the VM-Series using the virt-manager virtual machine manager. virt-manager provides a convenient wizard to help you through the installation process.
• virsh: Deploy the VM-Series using the KVM command line. Create an XML file that defines the virtual machine instance and a bootstrap XML file that defines the initial configuration settings of the firewall. Then install the firewall by mounting an ISO image as a CD-ROM.
• virt-install: Another option to deploy the VM-Series firewall using the KVM command line. Use this option to create the definition for the VM-Series firewall and install it.

This document provides steps for installing the VM-Series firewall on KVM using virt-manager and virsh.
• Install the VM-Series Firewall Using Virt-Manager
• Install the VM-Series Firewall Using an ISO

Install the VM-Series Firewall Using Virt-Manager

The following procedure uses virt-manager to install the VM-Series firewall on a server running KVM on RHEL.
• Provision the VM-Series Firewall on a KVM Host
• Perform Initial Configuration of the VM-Series Firewall on KVM

Provision the VM-Series Firewall on a KVM Host

Use the following instructions to provision the KVM host for the VM-Series firewall.

STEP 1 | Create a new virtual machine and add the VM-Series Firewall for KVM image to virt-manager.
1. In virt-manager, select Create a new virtual machine.
2. Add a descriptive Name for the VM-Series firewall.
3. Select Import existing disk image, browse to the image, and set the OS Type: Linux and Version: Red Hat Enterprise Linux 6. If you prefer, you can leave the OS Type and Version as Generic.
4. Network adapters for the data interfaces are added in STEP 5.

STEP 2 | Configure the memory and CPU settings.
1. Set the Memory to the minimum memory based on the VM-Series System Requirements of your VM-Series model.
2. Set CPU to the minimum CPUs based on the VM-Series System Requirements of your VM-Series model.

STEP 3 | Enable configuration customization and select the management interface bridge.
1. Select Customize configuration before install.
2. Under Advanced options, select the bridge for the management interface, and accept the default settings.

STEP 4 | Configure virtual disk settings.
1. Select Disk, expand Advanced options and select Storage format: qcow2; Disk Bus: Virtio or IDE, based on your set up. If you want to use a SCSI disk bus, see Enable the Use of a SCSI Controller.
2. Expand Performance options, and set Cache mode to writethrough. This setting improves installation time and execution speed on the VM-Series firewall.

STEP 5 | Configure network adapters.
1. Select Add Hardware > Network if you are using a software bridge such as the Linux bridge or Open vSwitch.
2. For Host Device, enter the name of the bridge or select it from the drop-down list.
3. To specify the driver, set Device Model to e1000 or virtio. These are the only supported virtual interface types.
4. Select Add Hardware > PCI Host Device for PCI passthrough or an SR-IOV capable device.
5. In the Host Device list, select the interface on the card or the virtual function.
6. Click Apply or Finish.

STEP 6 | Click Begin Installation. Wait 5-7 minutes for the installation to complete. By default, the XML template for the VM-Series firewall is created and stored at /etc/libvirt/qemu.
STEP 7 | (Optional) Bootstrap the VM-Series firewall. If you are using bootstrapping to perform the configuration of your VM-Series firewall on KVM, refer to Bootstrap the VM-Series Firew all on KVM. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.

STEP 8 | Configure the network access settings for the management interface.
1. Open a connection to the console.
2. Log into the firewall with username/password: admin/admin.
3. Enter configuration mode with the following command:
   configure
4. Use the following commands to configure the management interface:
   set deviceconfig system type static
   set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <gateway-ip> dns-setting servers primary <dns-ip>
   where <ip-address> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-ip> is the IP address of the network gateway, and <dns-ip> is the IP address of the DNS server.
   commit
   Change the default admin password as part of this initial configuration, before the management interface is reachable from the rest of the network.

STEP 9 | Verify which ports on the host are mapped to the interfaces on the VM-Series firewall. To verify the order of interfaces on the Linux host, see Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall. To make sure that traffic is handled by the correct interface, use the following command to identify which ports on the host are mapped to the ports on the VM-Series firewall:

admin@PAN-VM> debug show vm-series interfaces all
Phoenix_interface  Base-OS_port  Base-OS_MAC        PCI-ID
mgt                eth0          52:54:00:d7:91:52  0000:00:03.0
Ethernet1/1        eth1          52:54:00:fe:8c:80  0000:00:06.0
Ethernet1/2        eth2          0e:c6:6b:b4:72:06  0000:00:07.0
Ethernet1/3        eth3          06:1b:a5:7e:a5:78  0000:00:08.0
Ethernet1/4        eth4          26:a9:26:54:27:a1  0000:00:09.0
Ethernet1/5        eth5          52:54:00:f4:62:13  0000:00:10.0

STEP 10 | Access the web interface of the VM-Series firewall and configure the interfaces and define security rules and NAT rules to safely enable the applications that you want to secure. Refer to the PAN-OS Administrator's Guide.

Perform Initial Configuration of the VM-Series Firewall on KVM

Use the virtual appliance console on the KVM server to set up network access to the VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface; however, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator's Guide for more information on managing the device using Panorama.

If you are using bootstrapping to perform the configuration of your VM-Series firewall on KVM, refer to Bootstrap the VM-Series Firewall on KVM. For general information about bootstrapping, see Bootstrap the VM-Series Firewall.

STEP 1 | Gather the required information from your network administrator.
• IP address for the MGT port
• Netmask
• Default gateway
• DNS server IP address

STEP 2 | Access the console of the VM-Series firewall.
1. Select the Console tab on the KVM server for the VM-Series firewall, or right-click the VM-Series firewall and select Open Console.
2. Press Enter to access the login screen.
3. Enter the default username/password (admin/admin) to log in.
4. Enter configure to switch to configuration mode.

STEP 3 | Configure the network access settings for the management interface. Enter the following commands:
set deviceconfig system type static
set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <gateway-ip> dns-setting servers primary <dns-ip>

STEP 4 | Commit your changes and exit configuration mode. Enter commit, then enter exit.

Install the VM-Series Firewall Using an ISO

Manually create the XML definition of the VM-Series firewall, then use virsh to import the definition and attach the bootstrap ISO. virsh is the most powerful of the tools and allows for full administration of the virtual machine.
• Use an ISO File to Deploy the VM-Series Firewall
• Sample XML file for the VM-Series Firewall

Use an ISO File to Deploy the VM-Series Firewall

If you want to pass a script to the VM-Series firewall at boot time, you can mount a CD-ROM with an ISO file. The ISO file allows you to define a bootstrap XML file that includes the initial configuration parameters for the management port of the firewall. On first boot the VM-Series firewall checks for the bootstrap-networkconfig.xml file and uses the values defined in it. If a single error is encountered while parsing the bootstrap file, the VM-Series firewall rejects all the configuration in this file and boots with default values.

STEP 1 | Create the XML file and define it as a virtual machine instance. For a sample file, see Sample XML file for the VM-Series Firewall. In this example, the VM-Series firewall is called PAN_Firewall_DC1.
For example:
user-PowerEdge-R510:~/kvm_script$ sudo vi /etc/libvirt/qemu/PAN_Firewall_DC1.xml
user-PowerEdge-R510:~/kvm_script$ sudo virsh define /etc/libvirt/qemu/PAN_Firewall_DC1.xml
Domain PAN_Firewall_DC1_bootstp defined from /etc/libvirt/qemu/PAN_Firewall_DC1.xml
user-PowerEdge-R510:~/kvm_script$ sudo virsh -q attach-interface PAN_Firewall_DC1_bootstp bridge br1 --model=virtio --persistent
user-PowerEdge-R510:~/kvm_script$ virsh list --all
 Id    Name                        State
----------------------------------------------------
 -     PAN_Firewall_DC1_bootstp    shut off

STEP 2 | Create the bootstrap XML file. You can define the initial configuration parameters in this file and name it bootstrap-networkconfig. If you do not want to include a parameter, for example panorama-server-secondary, delete the entire line from the file. If you leave the IP address field empty, the file will not be parsed successfully. Use the following example as a template for the bootstrap-networkconfig file. The bootstrap-networkconfig file can include the following parameters only:
[Template not reproduced here; its sample values are, in order: hostname VM_ABC_Company, management IP address 10.5.132.162, netmask 255.255.254.0, default gateway 10.5.132.1, DNS servers 10.44.2.10 and 8.8.8.8, Panorama servers 10.5.133.4 and 10.5.133.5.]

STEP 3 | Create the ISO file. In this example, we use mkisofs. Save the ISO file in the images directory (/var/lib/libvirt/images) or the qemu directory (/etc/libvirt/qemu) to ensure that the firewall has read access to the ISO file. For example:
# mkisofs -J -R -v -V "Bootstrap" -A "Bootstrap" -ldots -l -allow-lowercase -allow-multidot -o <iso-file> bootstrap-networkconfig.xml

STEP 4 | Attach the ISO file to the CD-ROM. For example:
# virsh -q attach-disk <domain> <iso-file> sdc --type cdrom --mode readonly --persistent

Sample XML file for the VM-Series Firewall

[Sample domain definition not reproduced here. Its recoverable values: domain name PAN_Firewall_DC1, memory 4194304 KiB (maximum and current), 2 vCPUs, OS type hvm, on_poweroff destroy, on_reboot restart, on_crash restart, emulator /usr/libexec/qemu-kvm.]
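STEP 2 to STEP 4 can be scripted. The following is an added example, not part of the guide: it validates every address before writing bootstrap-networkconfig.xml, because the firewall discards the whole file on any parse error and boots with defaults, and it only invokes mkisofs (or genisoimage) when one is installed. The element names inside vm-initcfg are assumed from the parameter names the guide uses (it names panorama-server-secondary; the others follow the same pattern), so confirm them against the bootstrap-networkconfig.xml template shipped with your PAN-OS release. Paths and the sample values are the guide's; the scratch directory is for a stand-alone run.

```shell
#!/bin/sh
# Generate bootstrap-networkconfig.xml and wrap it in the bootstrap ISO.
# Added example; not from the guide. Element names are assumptions (see lead-in).

# validate_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255.
validate_ipv4() {
    addr=$1
    case $addr in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_bootstrap_xml HOSTNAME IP NETMASK GATEWAY DNS1 [DNS2] [PANORAMA1] [PANORAMA2]
# Writes the file to stdout. Mandatory addresses are validated first; optional
# elements are omitted entirely when unset, because an empty element fails the
# firewall's parser just like a malformed one (the guide: delete the whole line).
render_bootstrap_xml() {
    for a in "$2" "$3" "$4" "$5"; do
        validate_ipv4 "$a" || { echo "render_bootstrap_xml: invalid required address '$a'" >&2; return 1; }
    done
    for a in "$6" "$7" "$8"; do
        [ -z "$a" ] || validate_ipv4 "$a" || { echo "render_bootstrap_xml: invalid optional address '$a'" >&2; return 1; }
    done
    printf '<vm-initcfg>\n'
    printf '  <hostname>%s</hostname>\n' "$1"
    printf '  <ip-address>%s</ip-address>\n' "$2"
    printf '  <netmask>%s</netmask>\n' "$3"
    printf '  <default-gateway>%s</default-gateway>\n' "$4"
    printf '  <dns-primary>%s</dns-primary>\n' "$5"
    [ -z "$6" ] || printf '  <dns-secondary>%s</dns-secondary>\n' "$6"
    [ -z "$7" ] || printf '  <panorama-server-primary>%s</panorama-server-primary>\n' "$7"
    [ -z "$8" ] || printf '  <panorama-server-secondary>%s</panorama-server-secondary>\n' "$8"
    printf '</vm-initcfg>\n'
}

# build_bootstrap_iso XMLFILE ISOFILE: the guide's mkisofs invocation (STEP 3);
# falls back to genisoimage, which Ubuntu ships under that name.
build_bootstrap_iso() {
    tool=$(command -v mkisofs || command -v genisoimage) ||
        { echo "build_bootstrap_iso: neither mkisofs nor genisoimage is installed" >&2; return 1; }
    "$tool" -J -R -v -V "Bootstrap" -A "Bootstrap" -ldots -l -allow-lowercase -allow-multidot \
        -o "$2" "$1"
}

# Stand-alone run with the guide's sample values, written to a scratch directory.
# On the KVM host, write the ISO under /var/lib/libvirt/images/ so the firewall can
# read it, then attach it: virsh attach-disk <domain> <iso-file> sdc --type cdrom --mode readonly --persistent
WORKDIR=$(mktemp -d)
XMLFILE=$WORKDIR/bootstrap-networkconfig.xml
ISOFILE=$WORKDIR/bootstrap.iso
render_bootstrap_xml VM_ABC_Company 10.5.132.162 255.255.254.0 10.5.132.1 \
    10.44.2.10 8.8.8.8 10.5.133.4 10.5.133.5 > "$XMLFILE"
cat "$XMLFILE"
if command -v xmllint >/dev/null 2>&1; then
    xmllint --noout "$XMLFILE" && echo "xml well-formed"
fi
build_bootstrap_iso "$XMLFILE" "$ISOFILE" 2>/dev/null && ls -l "$ISOFILE" ||
    echo "ISO not built (mkisofs/genisoimage absent); XML written to $XMLFILE"
```

Run it once with a deliberately empty or malformed address to see the validation refuse the file; that is the failure you want at build time rather than as a silent fallback to DHCP on the firewall's first boot.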
To modify the number of vCPUs assigned to the VM-Series firewall, change the value 2 to 4 or 8 vCPUs in the vcpu line of the sample XML file.

Enable the Use of a SCSI Controller

If you want the VM-Series firewall to use the disk bus type SCSI to access the virtual disk, use the following instructions to attach the virtio-scsi controller to the firewall and then enable the use of the virtio-scsi controller. KVM on Ubuntu 12.04 does not support the virtio-scsi controller; the virtio-scsi controller can only be enabled on the VM-Series firewall running on RHEL or CentOS. This process requires virsh because virt-manager does not support the virtio-scsi controller.

STEP 1 | Create an XML file for the SCSI controller. In this example, it is called virt-scsi.xml.
[root@localhost ~]# cat /root/virt-scsi.xml
[controller definition not reproduced here]
Make sure that the slot used for the virtio-scsi controller does not conflict with another device.

STEP 2 | Associate this controller with the XML template of the VM-Series firewall.
[root@localhost ~]# virsh attach-device <domain> --config /root/virt-scsi.xml
Device attached successfully

STEP 3 | Enable the firewall to use the SCSI controller.
[root@localhost ~]# virsh attach-disk <domain> /var/lib/libvirt/images/PA-VM-6.1.0-c73.qcow2 sda --cache none --persistent
Disk attached successfully

STEP 4 | Edit the XML template of the VM-Series firewall. In the XML template, you must change the target disk and the disk bus used by the firewall. By default, the XML template is stored at /etc/libvirt/qemu.
Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall

Regardless of whether you use virtual interfaces (Linux/OVS bridge) or PCI devices (PCI passthrough or SR-IOV capable adapter) for connectivity to the VM-Series firewall, the VM-Series firewall treats each interface as a PCI device. The assignment of an interface on the VM-Series firewall is based on its PCI-ID, a value that combines the bus, device (slot), and function of the interface. The interfaces are ordered starting at the lowest PCI-ID, which means that the management interface (eth0) of the firewall is assigned to the interface with the lowest PCI-ID.

Say you assign four interfaces to the VM-Series firewall: three virtual interfaces of type virtio and e1000, and a fourth that is a PCI device. To view the PCI-ID for each interface, enter the command virsh dumpxml $domain on the Linux host to view the list of interfaces attached to the VM-Series firewall. In the output, check the address element of each interface and hostdev device (the sample output is not reproduced here).
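The following script is an added example, not part of the guide. It reconstructs an equivalent domain XML as a constructed sample with the same four PCI slots as the walkthrough below (plus a disk whose PCI address must be ignored) and derives the PAN-OS interface order from it. Only interface and hostdev elements count, the host-side address inside a hostdev's source element is skipped, and the slot values are hexadecimal, so they are converted before sorting. The bridge names and the e1000/virtio mix are assumptions for the sample; piping a live guest through it (virsh dumpxml <domain> | predict_pan_order) produces the same kind of table as debug show vm-series interfaces all.

```shell
#!/bin/sh
# Predict the PAN-OS interface order of a KVM guest from its libvirt domain XML.
# Added example; not from the guide.

# Constructed excerpt of 'virsh dumpxml <domain>': NICs are defined in the
# guide's order (slots 0x03, 0x10, 0x06, 0x07); the disk's PCI address must not count.
SAMPLE_XML=$(cat <<'EOF'
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <interface type='bridge'>
      <source bridge='mgmt-br'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br1'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <source bridge='br2'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x07' slot='0x10' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </hostdev>
  </devices>
</domain>
EOF
)

# predict_pan_order: read domain XML on stdin, print one line per NIC in the
# order PAN-OS enumerates them (ascending bus, slot, function). The lowest
# PCI-ID becomes eth0 (mgt), the next eth1 (ethernet1/1), and so on.
predict_pan_order() {
    tr "'" '"' | awk '
    # hex("0x10") -> 16; POSIX awk has no strtonum, so convert by hand.
    function hex(s,  i, v) {
        s = tolower(s); sub(/^0x/, "", s); v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return v
    }
    # attr(line, "slot") -> value of slot="..." on that line, or "".
    function attr(line, name,  m) {
        if (!match(line, name "=\"[^\"]*\"")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    /<interface[ >]/ { innic = 1; kind = "unknown"; next }
    /<hostdev[ >]/   { innic = 1; kind = "pci-device"; next }
    /<\/interface>/ || /<\/hostdev>/ { innic = 0; next }
    innic && /<model / { kind = attr($0, "type"); next }
    # Only the guest-side address (type="pci") counts; the host address inside
    # <source> of a hostdev has no type attribute and is skipped.
    innic && /<address type="pci"/ {
        b = hex(attr($0, "bus")); s = hex(attr($0, "slot")); f = hex(attr($0, "function"))
        printf "%03d %03d %03d %04x:%02x:%02x.%x %s\n", b, s, f, hex(attr($0, "domain")), b, s, f, kind
    }' | LC_ALL=C sort | awk '{
        n = NR - 1
        pan = "mgt"
        if (n > 0) pan = "ethernet1/" n
        printf "%-12s eth%-4d %s %s\n", pan, n, $4, $5
    }'
}

# Stand-alone run against the constructed sample; for a live guest use
#   virsh dumpxml <domain> | predict_pan_order
printf '%s\n' "$SAMPLE_XML" | predict_pan_order
```

The point the sort makes visible is the one the walkthrough below relies on: 0x10 is 16, so the second interface defined in the XML ends up as ethernet1/3, after the slot 0x06 and 0x07 devices.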
In this case, the PCI-ID of each interface is as follows:
• First virtual interface PCI-ID is 00:03:00
• Second virtual interface PCI-ID is 00:10:00
• Third virtual interface PCI-ID is 00:06:00
• Fourth interface PCI-ID is 00:07:00

Therefore, on the VM-Series firewall, the interface with PCI-ID 00:03:00 is assigned as eth0 (management interface), the interface with PCI-ID 00:06:00 is assigned as eth1 (ethernet1/1), the interface with PCI-ID 00:07:00 is eth2 (ethernet1/2) and the interface with PCI-ID 00:10:00 is eth3 (ethernet1/3). The PCI-ID values are hexadecimal, so slot 0x10 (16) sorts after slot 0x07, not between 0x03 and 0x06.

Performance Tuning of the VM-Series for KVM

The VM-Series firewall for KVM is a high-performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall.

By default, KVM uses a Linux bridge for VM networking. However, the best performance in a virtual environment is realized with dedicated I/O interfaces (PCI passthrough or SR-IOV). If a virtual switch is required, use a performance-optimized virtual switch (such as Open vSwitch with DPDK).
• Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS
• Enable Open vSwitch on KVM
• Integrate Open vSwitch with DPDK
• Enable SR-IOV on KVM
• Enable VLAN Access Mode with SR-IOV
• Enable Multi-Queue Support for NICs on KVM
• Isolate CPU Resources in a NUMA Node on KVM

Install KVM and Open vSwitch on Ubuntu 16.04.1 LTS

For ease of installation, Ubuntu 16.04.1 LTS is recommended for use as the KVM hypervisor platform.

STEP 1 | Install KVM and OVS.
1. Log in to the Ubuntu CLI.
2. Execute the following commands:
   $ sudo apt-get install qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils
   $ sudo apt-get install openvswitch-switch

STEP 2 | Check and compare the versions of relevant packages. Execute the following commands:
$ virsh --version
1.3.1
$ libvirtd --version
libvirtd (libvirt) 1.3.1
$ /usr/bin/qemu-system-x86_64 --version
QEMU emulator version 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.6), Copyright (c) 2003-2008 Fabrice Bellard
$ ovs-vsctl --version
ovs-vsctl (Open vSwitch) 2.5.0
Compiled Mar 10 2016 14:16:49
DB Schema 7.12.1

Enable Open vSwitch on KVM

Enable OVS by modifying the guest XML definition network settings. Modify the guest XML definition as follows (the interface definition is not reproduced here):
[...]

Integrate Open vSwitch with DPDK

To integrate Open vSwitch (OVS) with DPDK, you must install the required components and then configure OVS. DPDK is enabled by default on the VM-Series firewall for KVM.
• Install QEMU, DPDK, and OVS on Ubuntu
• Configure OVS and DPDK on the Host
• Edit the VM-Series Firewall Configuration File

Install QEMU, DPDK, and OVS on Ubuntu

Before you can enable DPDK on OVS, you must install QEMU 2.5.0, DPDK 2.2.0, and OVS 2.5.1. Complete the following procedures to install the components. The archives below are fetched over plain HTTP; verify each tarball against the checksum or signature published by its project before you build it.

STEP 1 | Log in to the KVM host CLI.

STEP 2 | Install QEMU 2.5.0 by executing the following commands:
apt-get install build-essential gcc pkg-config glib-2.0 libglib2.0-dev libsdl1.2-dev libaio-dev libcap-dev libattr1-dev libpixman-1-dev
apt-get build-dep qemu
apt-get install qemu-kvm libvirt-bin
wget http://wiki.qemu.org/download/qemu-2.5.0.tar.bz2
tar xjvf qemu-2.5.0.tar.bz2
cd qemu-2.5.0
./configure
make
make install

STEP 3 | Install dpdk-2.2.0.
1. Execute the following commands:
   wget http://dpdk.org/browse/dpdk/snapshot/dpdk-2.2.0.tar.gz
   tar xzvf dpdk-2.2.0.tar.gz
   cd dpdk-2.2.0
   vi config/common_linuxapp
2. Change CONFIG_RTE_APP_TEST=y to CONFIG_RTE_APP_TEST=n
3. Change CONFIG_RTE_BUILD_COMBINE_LIBS=n to CONFIG_RTE_BUILD_COMBINE_LIBS=y
4. Execute the following command:
   vi GNUmakefile
5. Change ROOTDIRS-y := lib drivers app to ROOTDIRS-y := lib drivers
6. Execute the following command:
   make install T=x86_64-native-linuxapp-gcc

STEP 4 | Install OVS 2.5.1 by executing the following commands:
wget http://openvswitch.org/releases/openvswitch-2.5.1.tar.gz
tar xzvf openvswitch-2.5.1.tar.gz
cd openvswitch-2.5.1
./configure --with-dpdk="/root/dpdk-2.2.0/x86_64-native-linuxapp-gcc/"
make
make install

Configure OVS and DPDK on the Host

After installing the necessary components to support OVS and DPDK, you must configure the host to use OVS and DPDK.
STEP 1 | Log in to the KVM host CLI.

STEP 2 | If you are replacing or reconfiguring an existing OVS-DPDK setup, execute the following command to reset any previous configuration. Repeat the command for each interface.
rm /usr/local/var/run/openvswitch/<interface-name>

STEP 3 | Configure initial huge pages for OVS.
echo 16384 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

STEP 4 | Mount huge pages for QEMU:
mkdir /dev/hugepages
mkdir /dev/hugepages/libvirt
mkdir /dev/hugepages/libvirt/qemu
mount -t hugetlbfs hugetlbfs /dev/hugepages/libvirt/qemu

STEP 5 | Use the following command to kill any currently running OVS daemons.
killall ovsdb-server ovs-vswitchd

STEP 6 | Create directories for the OVS daemon.
mkdir -p /usr/local/etc/openvswitch
mkdir -p /usr/local/var/run/openvswitch

STEP 7 | Clear old directories.
rm -f /var/run/openvswitch/vhost-user*
rm -f /usr/local/etc/openvswitch/conf.db

STEP 8 | Initialize the configuration database.
ovsdb-tool create /usr/local/etc/openvswitch/conf.db \
    /usr/local/share/openvswitch/vswitch.ovsschema

STEP 9 | Create an OVS DB server.
ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
    --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
    --private-key=db:Open_vSwitch,SSL,private_key \
    --certificate=db:Open_vSwitch,SSL,certificate \
    --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
    --pidfile --detach

STEP 10 | Initialize OVS.
ovs-vsctl --no-wait init

STEP 11 | Point the OVS tools at the database socket.
export DB_SOCK=/usr/local/var/run/openvswitch/db.sock

STEP 12 | Install the igb_uio module (network device driver) for DPDK.
cd ~/dpdk-2.2.0/x86_64-native-linuxapp-gcc/kmod
modprobe uio
insmod igb_uio.ko
cd ~/dpdk-2.2.0/tools/

STEP 13 | Bind the interfaces to DPDK, using either the PCI-ID or the interface name.
./dpdk_nic_bind.py --bind=igb_uio <pci-id>
./dpdk_nic_bind.py --bind=igb_uio <interface-name>

STEP 14 | Start the OVS daemon in DPDK mode. You can change the number of cores for ovs-vswitchd: by changing -c 0x1 to -c 0x3, two cores run this daemon.
ovs-vswitchd --dpdk -c 0x3 -n 4 -- unix:$DB_SOCK --pidfile --detach
echo 50000 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

STEP 15 | Create the OVS bridges and attach ports to them.
ovs-vsctl add-br ovs-br0 -- set bridge ovs-br0 datapath_type=netdev
ovs-vsctl add-port ovs-br0 dpdk0 -- set Interface dpdk0 type=dpdk
ovs-vsctl add-br ovs-br1 -- set bridge ovs-br1 datapath_type=netdev
ovs-vsctl add-port ovs-br1 dpdk1 -- set Interface dpdk1 type=dpdk

STEP 16 | Create DPDK vhost-user ports for OVS.
ovs-vsctl add-port ovs-br0 vhost-user1 -- set Interface vhost-user1 type=dpdkvhostuser
ovs-vsctl add-port ovs-br1 vhost-user2 -- set Interface vhost-user2 type=dpdkvhostuser

STEP 17 | Set the number of hardware queues of the NIC used by the host.
ovs-vsctl set Open_vSwitch . other_config:n-dpdk-rxqs=8
ovs-vsctl set Open_vSwitch . other_config:n-dpdk-txqs=8

STEP 18 | Set the CPU mask used for OVS.
ovs-vsctl set Open_vSwitch . other_config:pmd-cpu-mask=0xffff

STEP 19 | Set the necessary permissions for the DPDK vhost-user ports. In the example below, 777 gives read, write, and execute permission to every user on the host. The only process that needs to open these sockets is QEMU; if QEMU runs as a dedicated account (the user and group settings in /etc/libvirt/qemu.conf), owning the sockets by that account with mode 660 is the tighter choice, because any local user who can connect to a vhost-user socket can speak the vhost-user protocol to that port of the firewall's data path.
chmod 777 /usr/local/var/run/openvswitch/vhost-user1
chmod 777 /usr/local/var/run/openvswitch/vhost-user2
chmod 777 /dev/hugepages/libvirt/qemu

Edit the VM-Series Firewall Configuration File

Edit the VM-Series firewall XML configuration file to support OVS and DPDK. You can edit the XML configuration file before or after deploying the VM-Series firewall. If you do this after deploying the firewall, be sure to shut down the firewall before making any changes. The values below are examples; your values for each parameter will vary based on your VM-Series model.

STEP 1 | Log in to the KVM host CLI.

STEP 2 | Edit the XML configuration file of your VM-Series firewall.
1. Open the XML config file using virsh edit $domain.
2. Set the memory backing to hugepages. Ensure that you provide enough memory to support the VM-Series firewall model you are deploying on the host. See VM-Series System Requirements for more information. (The sample used the values 12582912 and 6291456 KiB; the XML fragment is not reproduced here.)
3. Set the necessary CPU flags for the VM.
4. Enable memory sharing between the VM and the host.
5. Set the DPDK vhost-user ports as the VM-Series firewall's network interfaces. Additionally, set the number of virtio virtual queues provided to the VM-Series firewall by the host. (The XML fragments for items 3 to 5 are not reproduced here.)
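Before turning to SR-IOV in the next section, the host-side checks listed under Prepare the Linux Server (IOMMU on the kernel command line, link state of every interface you plan to use, virtual-function capability of each physical function) can be scripted. The following is an added example, not from the guide. It reads /proc and /sys through a ROOT prefix so the same functions can be exercised against a constructed snapshot, and it accepts amd_iommu=on as the AMD counterpart of the intel_iommu=on setting the guide names (the AMD form is added here, not from the guide).

```shell
#!/bin/sh
# Pre-flight checks for PCI passthrough / SR-IOV on a KVM host.
# Added example; not from the guide. ROOT lets the same checks run against a
# constructed snapshot of /proc and /sys instead of the live host.
ROOT=${ROOT:-}

# iommu_enabled: the kernel command line must carry intel_iommu=on (as the
# guide requires) or amd_iommu=on (AMD counterpart, added here).
iommu_enabled() {
    grep -Eq '(^|[[:space:]])(intel|amd)_iommu=on([[:space:]]|$)' "$ROOT/proc/cmdline"
}

# link_up IFACE: the guide requires every interface you plan to use to be up.
link_up() {
    [ "$(cat "$ROOT/sys/class/net/$1/operstate" 2>/dev/null)" = "up" ]
}

# sriov_vfs IFACE: print "<enabled> <total>" VF counts of a physical function;
# fail when the NIC does not advertise SR-IOV.
sriov_vfs() {
    dev=$ROOT/sys/class/net/$1/device
    [ -r "$dev/sriov_totalvfs" ] || return 1
    printf '%s %s\n' "$(cat "$dev/sriov_numvfs")" "$(cat "$dev/sriov_totalvfs")"
}

# preflight IFACE...: run every check, print one line per finding, and return
# the number of hard failures (0 = host ready).
preflight() {
    fails=0
    if iommu_enabled; then
        echo "ok   IOMMU: intel_iommu=on/amd_iommu=on present on the kernel command line"
    else
        echo "FAIL IOMMU: add intel_iommu=on to the kernel command line (grub) and reboot"
        fails=$((fails + 1))
    fi
    for ifc in "$@"; do
        if link_up "$ifc"; then
            echo "ok   $ifc: link is up"
        else
            echo "FAIL $ifc: link is not up (ip link set $ifc up)"
            fails=$((fails + 1))
        fi
        if vfs=$(sriov_vfs "$ifc"); then
            enabled=${vfs%% *}; total=${vfs##* }
            if [ "$enabled" -gt 0 ]; then
                echo "ok   $ifc: $enabled of $total virtual functions enabled"
            else
                echo "WARN $ifc: SR-IOV capable ($total VFs) but none enabled; set max_vfs in /etc/modprobe.d and reboot"
            fi
        else
            echo "info $ifc: no SR-IOV capability (Linux bridge/OVS or whole-device PCI passthrough only)"
        fi
    done
    return $fails
}

# Constructed snapshot: IOMMU not on the command line, eth2 is an SR-IOV PF
# with 4 of 7 VFs enabled and its link up, eth3 is down and has no SR-IOV.
make_fake_root() {
    d=$(mktemp -d)
    mkdir -p "$d/proc" "$d/sys/class/net/eth2/device" "$d/sys/class/net/eth3/device"
    echo "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet" > "$d/proc/cmdline"
    echo up   > "$d/sys/class/net/eth2/operstate"
    echo 7    > "$d/sys/class/net/eth2/device/sriov_totalvfs"
    echo 4    > "$d/sys/class/net/eth2/device/sriov_numvfs"
    echo down > "$d/sys/class/net/eth3/operstate"
    echo "$d"
}

# Stand-alone run against the snapshot (expect 2 failures: IOMMU and eth3).
# On the real host run the same check with an empty ROOT:  ROOT= preflight eth2 eth3
ROOT=$(make_fake_root)
preflight eth2 eth3 || echo "$? check(s) failed"
```

The return value is the count of hard failures, so the script can gate an automated deployment: a WARN (SR-IOV capable but no VFs enabled) is deliberately not counted, because the same interface may be intended for whole-device passthrough.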
Enable SR-IOV on KVM

Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest. To enable SR-IOV on a KVM guest, define a pool of virtual function (VF) devices associated with a physical NIC and automatically assign VF devices from the pool to PCI IDs.

For SR-IOV with Intel 10GB network interfaces (ixgbe driver), the driver version must be 4.2.5 or later to support multiple queues for each NIC interface. See the Compatibility Matrix for PacketMMAP and DPDK driver support by PAN-OS version.

STEP 1 | Define a network for a pool of VFs.
1. Generate an XML file with text similar to the following example (the network definition is not reproduced here; the network is named passthrough). Change the value of pf dev to the ethdev corresponding to your SR-IOV device's physical function.
2. Save the XML file.
3. Execute the following commands:
   $ virsh net-define <xml-file>
   $ virsh net-autostart passthrough
   $ virsh net-start passthrough

STEP 2 | To ensure that the VM-Series firewall boots in DPDK mode, edit the guest VM XML configuration on the KVM hypervisor to add the CPU definition (not reproduced here). This ensures that the CPU flags are exposed. To verify that the CPU flags are exposed on the VM:
cat /proc/cpuinfo
In the flags output, for PAN-OS 9.0 with DPDK version 16.07 you need the AVX or SSE flags.

STEP 3 | After defining and starting the network, modify the guest XML definition to specify the network. When the guest starts, a VF is automatically assigned to the guest.

STEP 4 | Add the multicast MAC address to the host. When SR-IOV is enabled, multicast traffic is filtered by the PF. This filtering causes applications that rely on multicast, such as OSPF, to fail. To prevent this filtering, you must manually add the multicast MAC address to the host using the following command:
# ip maddress add <multicast-mac> dev <interface>

Enable VLAN Access Mode with SR-IOV

The VM-Series firewall on KVM can operate in VLAN access mode to support use cases where it is deployed as a virtual network function (VNF) that offers security-as-a-service in a multi-tenant cloud/data center environment. In VLAN access mode, each VNF has dedicated virtual network interfaces (VNIs) for each network and it sends and receives packets to/from SR-IOV virtual functions (VFs) without VLAN tags; you must enable this capability on the physical and virtual functions on the host hypervisor. When you then enable VLAN access mode on the VM-Series firewall, the firewall can send and receive traffic without VLAN tags across all its dataplane interfaces. Additionally, if you configure QoS policies, the firewall can enforce QoS on the access interface and provide differentiated treatment of traffic in a multi-tenant deployment.

By default, the VM-Series firewall on KVM operates in VLAN trunk mode. On PAN-OS 9.0.4 or later with VM-Series plugin 1.0.5 or later, you can enable VLAN access mode.

STEP 1 | On the host system, set up the physical and virtual function to operate in VLAN access mode:
ip link set [inf_name] vf [vf_num] vlan [vlan_id]
For best performance on the VM-Series firewall, make sure to:
• Enable CPU pinning. See Isolate CPU Resources in a NUMA Node on KVM.
• Disable Replay Protection if you have configured IPSec tunnels. On the firewall web interface, select Network > IPSec Tunnels, select an IPSec tunnel, click General, select Show Advanced Options and clear Enable Replay Protection. Replay protection is an anti-replay control, so disabling it trades that protection for throughput; weigh it against the sensitivity of the tunnel.

STEP 2 | Access the CLI on the VM-Series firewall.

STEP 3 | Enable VLAN access mode.
request plugins vm-series vlan-mode access-mode on
on enables VLAN access mode; to return to VLAN trunk mode, enter request plugins vm-series vlan-mode access-mode off.

STEP 4 | Reboot the firewall. Enter request restart system.

STEP 5 | Verify the VLAN mode configuration.
show plugins vm-series vlan-mode

Enable Multi-Queue Support for NICs on KVM

Modify the guest XML definition to enable multi-queue virtio-net. Multi-queue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues. In the interface's driver element, insert a value from 1 to 256 for N to specify the number of queues. For the best results, match the number of queues with the number of dataplane cores configured on the VM.

Isolate CPU Resources in a NUMA Node on KVM

You can improve performance of VM-Series on KVM by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node. On KVM, you can view the NUMA topology with virsh. The following example is from a two-node NUMA system.

STEP 1 | View the NUMA topology. In the example below, there are two NUMA nodes (sockets), each with a four-core CPU with hyperthreading enabled. All the even-numbered CPU IDs belong to one node and all the odd-numbered CPU IDs belong to the other node.
% virsh capabilities
<…>
[Topology output not reproduced here. Recoverable values: node 0 reports 33027228 KiB of memory, 8256807 pages of 4 KiB and 0 pages of 2048 KiB; node 1 reports 32933812 KiB, 8233453 pages of 4 KiB and 0 pages of 2048 KiB.]

STEP 2 | Pin the vCPUs of a KVM guest to specific physical CPUs with the cpuset attribute in the guest XML definition. In this example, all 8 vCPUs are pinned to physical CPUs in the first NUMA node. If you do not wish to explicitly pin the vCPUs, you can omit the cputune block, in which case all vCPUs are confined to the range of CPUs specified in cpuset but are not individually mapped.
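The pmd-cpu-mask of STEP 18 under Configure OVS and DPDK on the Host and the cpuset/cputune pinning of this section both start from the same question: which host CPU IDs belong to one NUMA node. The following script, added here as an example and not part of the guide, answers it from a constructed virsh capabilities excerpt that matches the two-node host described above (even IDs in node 0, odd IDs in node 1), then emits the hexadecimal mask for ovs-vsctl and the libvirt vcpu/cputune elements that pin each of the guest's 8 vCPUs to a CPU of that node. The element and attribute names (vcpu, cpuset, cputune, vcpupin) are libvirt's; the core_id and siblings values in the sample are constructed. cpu_mask relies on 64-bit shell arithmetic, so it covers CPU IDs 0 to 63.

```shell
#!/bin/sh
# Derive a NUMA-local CPU list, the OVS pmd-cpu-mask and a libvirt pinning block.
# Added example; not from the guide.

# Constructed excerpt of 'virsh capabilities' for the guide's two-node host.
SAMPLE_CAPS=$(cat <<'EOF'
<capabilities>
  <host>
    <topology>
      <cells num='2'>
        <cell id='0'>
          <memory unit='KiB'>33027228</memory>
          <cpus num='8'>
            <cpu id='0' socket_id='0' core_id='0' siblings='0,8'/>
            <cpu id='2' socket_id='0' core_id='1' siblings='2,10'/>
            <cpu id='4' socket_id='0' core_id='2' siblings='4,12'/>
            <cpu id='6' socket_id='0' core_id='3' siblings='6,14'/>
            <cpu id='8' socket_id='0' core_id='0' siblings='0,8'/>
            <cpu id='10' socket_id='0' core_id='1' siblings='2,10'/>
            <cpu id='12' socket_id='0' core_id='2' siblings='4,12'/>
            <cpu id='14' socket_id='0' core_id='3' siblings='6,14'/>
          </cpus>
        </cell>
        <cell id='1'>
          <memory unit='KiB'>32933812</memory>
          <cpus num='8'>
            <cpu id='1' socket_id='1' core_id='0' siblings='1,9'/>
            <cpu id='3' socket_id='1' core_id='1' siblings='3,11'/>
            <cpu id='5' socket_id='1' core_id='2' siblings='5,13'/>
            <cpu id='7' socket_id='1' core_id='3' siblings='7,15'/>
            <cpu id='9' socket_id='1' core_id='0' siblings='1,9'/>
            <cpu id='11' socket_id='1' core_id='1' siblings='3,11'/>
            <cpu id='13' socket_id='1' core_id='2' siblings='5,13'/>
            <cpu id='15' socket_id='1' core_id='3' siblings='7,15'/>
          </cpus>
        </cell>
      </cells>
    </topology>
  </host>
</capabilities>
EOF
)

# numa_node_cpus NODE: CPU IDs of NUMA cell NODE, one per line, ascending,
# read from a 'virsh capabilities' document on stdin.
numa_node_cpus() {
    tr "'" '"' | awk -v node="$1" '
        /<cell id="/  { incell = ($0 ~ ("<cell id=\"" node "\"")) }
        /<\/cell>/    { incell = 0 }
        incell && /<cpu id="/ {
            id = $0; sub(/.*<cpu id="/, "", id); sub(/".*/, "", id); print id
        }' | sort -n
}

# cpu_mask "0 2 4 6": hexadecimal bitmask of the listed CPU IDs, the form
# ovs-vsctl expects for other_config:pmd-cpu-mask (64-bit arithmetic: IDs 0-63).
cpu_mask() {
    mask=0
    for c in $1; do
        mask=$(( mask | (1 << c) ))
    done
    printf '0x%x\n' "$mask"
}

# cputune_xml NVCPU "CPU IDS": emit the <vcpu> element with its cpuset and a
# <cputune> block pinning vCPU i to the i-th listed host CPU. Paste the output
# into the domain definition (virsh edit <domain>) in place of the vcpu line.
cputune_xml() {
    nvcpu=$1
    set -- $2
    [ $# -ge "$nvcpu" ] || { echo "cputune_xml: need $nvcpu host CPUs, got $#" >&2; return 1; }
    cpuset=$(printf '%s,' "$@"); cpuset=${cpuset%,}
    printf "<vcpu placement='static' cpuset='%s'>%s</vcpu>\n" "$cpuset" "$nvcpu"
    printf '<cputune>\n'
    i=0
    for c in "$@"; do
        [ "$i" -lt "$nvcpu" ] || break
        printf "  <vcpupin vcpu='%s' cpuset='%s'/>\n" "$i" "$c"
        i=$((i + 1))
    done
    printf '</cputune>\n'
}

# Stand-alone run against the sample; on a live host feed 'virsh capabilities' instead.
NODE0_CPUS=$(printf '%s\n' "$SAMPLE_CAPS" | numa_node_cpus 0 | tr '\n' ' ')
echo "NUMA node 0 CPUs: $NODE0_CPUS"
echo "ovs-vsctl set Open_vSwitch . other_config:pmd-cpu-mask=$(cpu_mask "$NODE0_CPUS")"
cputune_xml 8 "$NODE0_CPUS"
```

Give the OVS PMD threads and the guest disjoint subsets of the node's CPUs in practice (for example a mask of the first few IDs for OVS and the remainder for the vCPUs); the script produces both artefacts from one list so that the split is made deliberately rather than by accident.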
Set Up the VM-Series Firewall on Hyper-V

The VM-Series firewall can be deployed on a server running Microsoft Hyper-V. Hyper-V is packaged as a standalone hypervisor or as an add-on/role for Windows Server.

> Supported Deployments on Hyper-V
> System Requirements on Hyper-V
> Linux Integration Services
> Install the VM-Series Firewall on Hyper-V

Supported Deployments on Hyper-V

You can deploy one or more instances of the VM-Series on hosts running Hyper-V. Where you place the VM-Series firewall depends on your network topology. VM-Series supports tap, virtual wire, Layer 2, and Layer 3 interface deployments.

• Secure Traffic on a Single Hyper-V Host
• Secure Traffic Across Multiple Hyper-V Hosts

Secure Traffic on a Single Hyper-V Host

The VM-Series firewall is deployed on a single Hyper-V host along with other guest VMs. In the example below, the VM-Series firewall has Layer 3 interfaces, and the VM-Series and the other guest VMs are connected by Hyper-V vSwitches. All traffic between the web servers and database servers is routed through the firewall. Traffic among the database servers only or among the web servers only is processed by the external vSwitch and is not routed through the firewall.

Secure Traffic Across Multiple Hyper-V Hosts

You can deploy your VM-Series firewall to secure the traffic of multiple Hyper-V hosts. In the example below, the VM-Series is deployed in Layer 2 mode, protecting traffic to and from the guest VMs. A single VM-Series firewall protects traffic between four guest VMs spread across two Hyper-V hosts. VLAN tagging is used to logically isolate traffic and direct it to the firewall.
Additionally, management traffic is decoupled from all other traffic by placing it on its own external vSwitch.

System Requirements on Hyper-V

The VM-Series requires a minimum resource allocation on the Hyper-V host, so make sure to conform to the requirements listed below to ensure optimal performance.
• The host CPU must be a 64-bit x86-based Intel or AMD CPU with virtualization extensions.
• See VM-Series System Requirements for the minimum hardware requirements for your VM-Series model.
• Minimum of two network adapters. The VM-Series firewall supports synthetic network adapters, which provide better performance than emulated network adapters. Hyper-V supports up to eight synthetic network adapters.
• Refer to the Compatibility Matrix for the Windows Server versions supported. Hyper-V Server does not have a native graphical user interface; all configuration is done through PowerShell. However, you can use Hyper-V Manager running on a remote machine to manage the firewall. If you use the Hyper-V role add-on, you can manage the firewall using Hyper-V Manager or PowerShell.
• The VM-Series firewall does not support Legacy Network Adapter or SR-IOV/PCI-Passthrough.

Linux Integration Services

Linux Integration Services (LIS) is a package of drivers and services that enhance the performance of Linux-based virtual machines on Hyper-V. The VM-Series firewall supports the following services to improve the integration between the host and the virtual machine:
• Graceful Shutdown—Allows you to perform a graceful shutdown of the VM-Series firewall from the Hyper-V management interface without having to log into the guest.
• Heartbeat to Hyper-V Manager—Provides heartbeat monitoring of the running status of guest VMs from the Hyper-V management interface.
• Firewall Management IP Address Visibility—Allows you to use Hyper-V Manager to view the IP address assigned to the management interface on the firewall.

Install the VM-Series Firewall on Hyper-V

Use the instructions in this section to deploy your VM-Series firewall on a Hyper-V host. A Palo Alto Networks support account and a valid VM-Series license are required to download the VHDX image file and install the VM-Series on the Hyper-V host. If you have not already registered the capacity auth-code that you received with the order fulfillment email with your support account, see Register the VM-Series Firewall. After completing the registration, continue to the following tasks:
• Before You Begin
• Performance Tuning of the VM-Series Firewall on Hyper-V
• Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager
• Provision the VM-Series Firewall on a Hyper-V host with PowerShell
• Perform Initial Configuration on the VM-Series Firewall

Before You Begin

Before installing and configuring your VM-Series firewall, know and account for the following items as needed when you configure your VM-Series firewall:
• Virtual Switch Types
• MAC Address Spoofing

Virtual Switch Types

Before installing the VM-Series, you must create the vSwitches required for providing external connectivity for management access and for routing traffic from and to the virtual machines that the firewall will secure. Hyper-V allows you to create three types of vSwitches:
• External vSwitch—binds to a physical network adapter and provides the vSwitch access to a physical network.
• Internal vSwitch—passes traffic between the virtual machines and the Hyper-V host. This type of vSwitch does not provide connectivity to a physical network connection.
• Private vSwitch—passes traffic between the virtual machines on the Hyper-V host only.

An external vSwitch is required for management of the VM-Series firewall. Other vSwitches connected to the VM-Series firewall can be of any type and will depend on your network topology.

MAC Address Spoofing

If you are deploying the VM-Series firewall with interfaces enabled in Layer 3 mode, make sure to enable the use of hypervisor assigned MAC addresses so that the hypervisor and the firewall can properly handle packets. Alternatively, use Hyper-V Manager to enable MAC address spoofing on the virtual network adapter for each dataplane interface on the firewall. For more information, see Hypervisor Assigned MAC Addresses.

If you are deploying the VM-Series firewall with interfaces enabled in Layer 2 mode or virtual-wire mode, you must enable MAC address spoofing on the virtual network adapter in Hyper-V for each dataplane interface on the firewall. This setting is required to ensure that packets sent by the VM-Series are not dropped by the virtual network adapter when the source MAC address does not match the outgoing interface MAC address.

Performance Tuning of the VM-Series Firewall on Hyper-V

The VM-Series firewall for Hyper-V is a high-performance appliance but may require tuning of the hypervisor to achieve the best results. This section describes some best practices and recommendations for facilitating the best performance of the VM-Series firewall.
• Disable Virtual Machine Queues
• Isolate CPU Resources in a NUMA Node

Disable Virtual Machine Queues

Palo Alto Networks recommends disabling virtual machine queues (VMQ) for all NICs on the Hyper-V host. This option is prone to misconfiguration and can cause reduced network performance when enabled.

STEP 1 | Log in to Hyper-V Manager and select your VM.
STEP 2 | Select Settings > Hardware > Network Adapter > Hardware Acceleration.

STEP 3 | Under Virtual machine queue, clear Enable virtual machine queue.

STEP 4 | Click Apply to save your changes and OK to exit the VM settings.

Isolate CPU Resources in a NUMA Node

You can improve the performance of VM-Series for Hyper-V by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node. You can view the NUMA settings of your VM in Hyper-V Manager by selecting Settings > Hardware > Processor > NUMA.

Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager

Use these instructions to deploy the VM-Series firewall on Hyper-V using Hyper-V Manager.

STEP 1 | Download the VHDX file. Register your VM-Series firewall and obtain the VHDX file.
1. Go to https://www.paloaltonetworks.com/services/support.
2. Filter by PAN-OS for VM-Series Base Images and download the VHDX file. For example, PA-VM-HPV-7.1.0.vhdx.

STEP 2 | Set up any vSwitch(es) that you will need. To create a vSwitch:
1. From Hyper-V Manager, select the host and select Action > Virtual Switch Manager to open the Virtual Switch Manager window.
2. Under Create virtual switch, select the type of vSwitch (external, internal, or private) to create and click Create Virtual Switch.

STEP 3 | Install the firewall.
1. On the Hyper-V Manager, select the host and select Action > New > Virtual Machine. Configure the following settings in the New Virtual Machine Wizard:
   1. Choose a Name and Location for the VM-Series firewall. The VM-Series firewall stores the VHDX file at the specified location.
   2. Choose Generation 1. This is the default option and the only version supported.
   3. For Startup Memory, assign the memory based on the VM-Series System Requirements of your VM-Series model. Do not enable dynamic memory; the VM-Series firewall requires static memory allocation.
   4. Configure Networking. Select an external vSwitch to connect the management interface on the firewall.
   5. To connect the Virtual Hard Disk, select Use an existing virtual hard disk and browse to the VHDX file you downloaded earlier.
   6. Review the summary and click Finish.
2. Assign virtual CPUs to the firewall.
   1. Select the VM you created and navigate to Action > Settings.
   2. Select Processor and enter the minimum number of CPUs based on the VM-Series System Requirements of your VM-Series model.
   3. Click OK.

STEP 4 | Connect at least one network adapter for the dataplane interface on the firewall.
1. Select Settings > Hardware > Add Hardware and select the Hardware type for your network adapter. Legacy Network Adapter and SR-IOV are not supported. If selected, the VM-Series firewall will boot into maintenance mode.
2. Click OK.

STEP 5 | (Optional) Enable MAC address spoofing on Hyper-V if you are not using Layer 3 with hypervisor assigned MAC addresses.
1. Double-click the dataplane virtual network adapter and click Advanced Settings.
2. Select the Enable MAC address spoofing check box and click Apply.

STEP 6 | Power on the firewall. Select the firewall from the list of Virtual Machines and navigate to Action > Start to power on the firewall.

Provision the VM-Series Firewall on a Hyper-V host with PowerShell

Use these instructions to deploy the VM-Series firewall on Hyper-V using PowerShell.

STEP 1 | Download the VHDX file. Register your VM-Series firewall and obtain the VHDX file.
1. Go to https://www.paloaltonetworks.com/services/support.
2. Filter by PAN-OS for VM-Series Base Images and download the VHDX file. For example, PA-VM-HPV-7.1.0.vhdx.

STEP 2 | Set up any vSwitch(es) that you will need. Create a vSwitch by using the following command. Give the vSwitch a name and choose the switch type (External, Internal, or Private).
> New-VMSwitch -Name <"switch-name"> -SwitchType <"switch-type">

STEP 3 | Install the VM-Series firewall.
1. Create the new virtual machine and set the memory based on the VM-Series System Requirements of your VM-Series model.

> New-VM -Name <"vm-name"> -MemoryStartupBytes 4GB -VHDPath <"path-to-vhdx">

2. Set the processor count based on the VM-Series System Requirements of your VM-Series model.

> Set-VMProcessor -VMName <"vm-name"> -Count 2

STEP 4 | Connect at least one network adapter for the management interface on the firewall. Connect the default network adapter created during VM creation to the management vSwitch.

> Connect-VMNetworkAdapter -VMName <"vm-name"> -Name <"network-adapter-name"> -SwitchName <"management-vswitch">

STEP 5 | (Optional) Enable MAC address spoofing on Hyper-V if you are not using Layer 3 with hypervisor assigned MAC addresses.

> Set-VMNetworkAdapter -VMName <"vm-name"> -Name <"network-adapter-name"> -MacAddressSpoofing On

STEP 6 | Power on the firewall. For example:

> Start-VM -VMName <"vm-name">

Perform Initial Configuration on the VM-Series Firewall

Use these instructions to perform the initial configuration of your VM-Series firewall. By default, the VM-Series firewall uses DHCP to obtain an IP address for the management interface. However, you can assign a static IP address. After completing the initial configuration, access the web interface to complete further configuration tasks. If you have Panorama for central management, refer to the Panorama Administrator's Guide for information on managing the device using Panorama.

If you are using bootstrapping to perform the configuration of your VM-Series firewall on Hyper-V, refer to Bootstrap the VM-Series Firewall on Hyper-V. For general information about bootstrapping, see Bootstrap the VM-Series Firewall.

STEP 1 | Gather the required information from your network administrator.
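The Hyper-V Manager and PowerShell procedures above, combined into one provisioning script. This is an added example and not code from the deployment guide or from Palo Alto Networks: it also applies the Performance Tuning recommendation (VMQ off on every adapter of the VM) and enables MAC address spoofing on the dataplane adapters only. The VM name, VHDX path, physical NIC names, vSwitch names and the 4 GB / 2 vCPU sizing are assumptions; size the VM from VM-Series System Requirements for your model.

```powershell
# Added example (not from the VM-Series deployment guide): provision a VM-Series
# firewall on Hyper-V with the Hyper-V PowerShell module. Every name and path below
# is an assumption; adjust them to your host.
#Requires -Modules Hyper-V
$ErrorActionPreference = 'Stop'

$VMName     = 'PA-VM-01'                                  # assumed VM name
$VhdxPath   = 'C:\VMs\PA-VM-01\PA-VM-HPV-7.1.0.vhdx'      # copy of the downloaded base image
$MgmtSw     = 'vSwitch-Mgmt'                              # external vSwitch (required for management)
$UntrustSw  = 'vSwitch-Untrust'                           # external vSwitch for the untrust side
$TrustSw    = 'vSwitch-Trust'                             # private vSwitch for protected guests
$MgmtNic    = 'Ethernet0'                                 # physical NICs behind the external switches
$UntrustNic = 'Ethernet1'

# STEP 2: create the vSwitches if they do not exist yet. An external switch is bound to a
# physical NIC; the private switch carries guest-to-guest traffic on this host only.
if (-not (Get-VMSwitch -Name $MgmtSw -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $MgmtSw -NetAdapterName $MgmtNic -AllowManagementOS $true | Out-Null
}
if (-not (Get-VMSwitch -Name $UntrustSw -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $UntrustSw -NetAdapterName $UntrustNic -AllowManagementOS $false | Out-Null
}
if (-not (Get-VMSwitch -Name $TrustSw -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $TrustSw -SwitchType Private | Out-Null
}

# STEP 3: Generation 1 VM (the only supported generation), static memory, existing VHDX.
# The adapter created by New-VM is first in the list and becomes the management interface.
New-VM -Name $VMName -Generation 1 -MemoryStartupBytes 4GB -VHDPath $VhdxPath -SwitchName $MgmtSw | Out-Null
Set-VMMemory    -VMName $VMName -DynamicMemoryEnabled $false   # VM-Series requires static memory
Set-VMProcessor -VMName $VMName -Count 2

# STEP 4: add synthetic adapters for the dataplane (Legacy Network Adapter is not supported).
Rename-VMNetworkAdapter -VMName $VMName -Name 'Network Adapter' -NewName 'mgmt'
Add-VMNetworkAdapter    -VMName $VMName -Name 'eth1-untrust' -SwitchName $UntrustSw
Add-VMNetworkAdapter    -VMName $VMName -Name 'eth1-trust'   -SwitchName $TrustSw

# STEP 5 plus tuning: VMQ off on every adapter; MAC address spoofing only where the firewall
# sends frames whose source MAC differs from the adapter's (Layer 2, virtual wire, or Layer 3
# without hypervisor assigned MAC addresses). The management adapter keeps spoofing off.
foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
    $nic | Set-VMNetworkAdapter -VmqWeight 0
    if ($nic.Name -ne 'mgmt') {
        $nic | Set-VMNetworkAdapter -MacAddressSpoofing On
    }
}

# STEP 6: boot the firewall and show the adapter order (first entry = management).
Start-VM -Name $VMName
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, SwitchName, MacAddressSpoofing, VmqWeight
```

Run the script in an elevated PowerShell session on the Hyper-V host. Because the adapter order is what the firewall uses to decide which interface is management, the management adapter is created first by New-VM and only renamed afterwards.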
• Management port IP address
• Netmask
• Default gateway
• DNS server IP address

STEP 2 | Access the console of the VM-Series firewall.
1. In Hyper-V Manager, select the VM-Series firewall and click Connect from the Actions list.
2. Log in to the firewall with the default username and password: admin/admin
3. Enter configuration mode using the following command:

configure

STEP 3 | Configure the network access settings for the management interface. Enter the following commands:

set deviceconfig system type static
set deviceconfig system ip-address <ip-address> netmask <netmask> default-gateway <gateway-ip> dns-setting servers primary <dns-ip>

where <ip-address> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-ip> is the IP address of the network gateway, and <dns-ip> is the IP address of the DNS server.

STEP 4 | Commit your changes and exit the configuration mode.
1. Enter commit.
2. Enter exit.

STEP 5 | Verify that you can view the management interface IP address from the Hyper-V Manager.
1. Select the VM-Series firewall from the list of Virtual Machines.
2. Select Networking. The first network adapter that displays in the list is used for management access to the firewall; subsequent adapters in the list are used as the dataplane interfaces on the firewall.

STEP 6 | Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.

admin@PA-220 > ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable

After verifying DNS resolution, press Ctrl+C to stop the ping request.
2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:

request support check

If you have connectivity, the update server will respond with the support status for your firewall.

STEP 7 | (Optional) Verify that your VM-Series jumbo frame configuration does not exceed the maximum MTU supported on Hyper-V. The VM-Series has a default MTU size of 9216 bytes when jumbo frames are enabled. However, the maximum MTU size supported by the physical network adapter on the Hyper-V host is 9000 or 9014 bytes depending on the network adapter capabilities. To verify the configured MTU on Hyper-V:
1. In Windows Server 2012 R2, open the Control Panel and navigate to Network and Internet > Network and Sharing Center > View network status and tasks.
2. Click a network adapter or virtual switch in the list.
3. Click Properties.
4. Click Configure.
5. On the Advanced tab, select Jumbo Packet from the list.
6. Select 9000 or 9014 bytes from the Value drop-down menu.
7. Click OK.
If you have enabled jumbo frames on Hyper-V, Enable Jumbo Frames on the VM-Series Firewall and set the MTU size to match that configured on the Hyper-V host.

STEP 8 | Access the web interface of the VM-Series firewall and configure the interfaces and define Security rules and NAT rules to safely enable the applications you want to secure. Refer to the PAN-OS Administrator's Guide.
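The STEP 7 check done from PowerShell instead of the Control Panel, as an added example that is not part of the deployment guide: it walks every external vSwitch on the host, reads the Jumbo Packet advanced property of the physical adapter the switch is bound to, and flags adapters whose value is below the MTU you intend to configure on the firewall. The function name and the 9000 byte target are assumptions; the 9216 byte VM-Series default comes from the step above.

```powershell
# Added example (not from the VM-Series deployment guide): compare the host NIC jumbo
# frame setting with the MTU planned for the VM-Series dataplane interfaces.
#Requires -Modules Hyper-V, NetAdapter
function Test-JumboFrameMtu {
    param(
        # MTU you will set on the firewall; the VM-Series default of 9216 exceeds what
        # most host NICs accept (9000 or 9014), so pass the value you actually intend.
        [int]$FirewallMtu = 9000
    )
    Get-VMSwitch | Where-Object { $_.SwitchType -eq 'External' } | ForEach-Object {
        $sw  = $_
        # The vSwitch records the description of the physical NIC it is bound to.
        $nic = Get-NetAdapter | Where-Object { $_.InterfaceDescription -eq $sw.NetAdapterInterfaceDescription }
        # '*JumboPacket' is the standardized registry keyword behind the "Jumbo Packet" setting.
        $prop = Get-NetAdapterAdvancedProperty -Name $nic.Name -RegistryKeyword '*JumboPacket' -ErrorAction SilentlyContinue
        # When the driver exposes no jumbo setting, treat the NIC as a plain 1514 byte adapter.
        $hostMtu = if ($prop) { [int]$prop.RegistryValue[0] } else { 1514 }
        [pscustomobject]@{
            Switch      = $sw.Name
            Adapter     = $nic.Name
            JumboPacket = if ($prop) { $prop.DisplayValue } else { 'not supported' }
            HostMtu     = $hostMtu
            FirewallMtu = $FirewallMtu
            Ok          = ($hostMtu -ge $FirewallMtu)
        }
    }
}

# Any row with Ok = False means frames at the firewall MTU will be dropped on that switch;
# lower the firewall MTU or raise the Jumbo Packet value on the adapter to match.
Test-JumboFrameMtu -FirewallMtu 9000 | Format-Table -AutoSize
```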
Set up the VM-Series Firewall on Azure

VM-Series firewall on Azure brings the security features of the Palo Alto Networks next-generation firewall as a virtual machine in the Azure Marketplace. The VM-Series firewall provides a complete set of security functionality to ensure that your virtual machine workloads and data are protected, and the capabilities that the firewall enables are different from native security features such as Security Groups, Web Application Firewalls and native, port-based firewalls. On Azure, the VM-Series firewall is available in the bring your own license (BYOL) model or in the pay-as-you-go (PAYG) hourly model. Microsoft Azure allows you to deploy the firewall to secure your workloads within the virtual network in the cloud, so that you can deploy a public cloud solution or extend the on-premises IT infrastructure to create a hybrid solution.

> About the VM-Series Firewall on Azure
> Deployments Supported on Azure
> Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
> Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
> Use Azure Security Center Recommendations to Secure Your Workloads
> Deploy the VM-Series Firewall on Azure Stack
> Enable Azure Application Insights on the VM-Series Firewall
> VM Monitoring on Azure
> Set up Active/Passive HA on Azure
> Use the ARM Template to Deploy the VM-Series Firewall
> Deploy the VM-Series and Azure Application Gateway Template
> Auto Scaling the VM-Series Firewall on Azure
> Secure Kubernetes Services on Azure

About the VM-Series Firewall on Azure

The VM-Series firewall on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode.
You can deploy the VM-Series firewall on the standard Azure public cloud, Azure China, and Azure Government—including DoD on Azure Government, which meets the security requirements for DoD Impact Level 5 data and FedRAMP High standards. The VM-Series firewall on the marketplace for the Azure public cloud, Azure Government, and Azure DoD regions supports both the Bring Your Own License (BYOL) model and the hourly Pay-As-You-Go (PAYG) option (usage-based licensing). For licensing details, see License Types—VM-Series Firewalls, and refer to the list of supported Azure regions in which you can deploy the VM-Series firewall. For Azure China, the VM-Series firewall is available in the BYOL option only. See Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template) for the workflow.

You can also deploy the VM-Series firewall on Azure Stack, Microsoft's private cloud solution that enables you to use Azure services within your organization's datacenter. With Azure Stack, you can build out a hybrid cloud solution that unifies your public Azure deployment with your on-premises Azure Stack setup. You can download the VM-Series firewall BYOL offer from the Azure Marketplace and make it available to your tenants on Azure Stack. For instructions, see Deploy the VM-Series Firewall on Azure Stack.

• Azure Networking and VM-Series Firewall
• Azure Security Center Integration
• VM-Series Firewall Templates on Azure
• Minimum System Requirements for the VM-Series on Azure
• Support for High Availability on VM-Series on Azure

Azure Networking and VM-Series Firewall

The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet, so that traffic is automatically forwarded to a virtual machine in any subnet.
For a destination IP address that is not within the VNet, the traffic is sent to the default Internet gateway or to a VPN gateway, if configured. In order to route traffic through the VM-Series firewall, you must create user defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM-Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two-tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM-Series firewall.

On Azure, UDRs are for traffic leaving a subnet only. You cannot create user defined routes to specify how traffic comes into a subnet from the Internet or to route traffic to virtual machines within a subnet. UDRs allow you to direct outbound traffic to an interface on the VM-Series firewall so that you can always ensure that the firewall also secures traffic to the internet. For documentation on Microsoft Azure, refer to https://azure.microsoft.com/en-us/documentation/.

The solution templates for deploying the VM-Series firewall that are available in the Azure Marketplace have three network interfaces. To Set up Active/Passive HA on Azure, you will need to add an additional interface for the HA2 link. If you want to customize the template, use the ARM templates that are available in the GitHub repository.

Azure Security Center Integration

Microsoft has deprecated Azure Security Center support for partner security solutions and replaced it with Azure Sentinel.

The VM-Series firewall is integrated with Azure Security Center to provide a unified view for monitoring and alerting on the security posture of your Azure workloads.
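The UDR behaviour described above, as an added example in Az PowerShell that is not part of the deployment guide: a route table with one route for a peer subnet and one default route, both with the firewall's trust interface as a virtual appliance next hop, attached to the trust subnet (UDRs act on traffic leaving a subnet, so the table goes on the source subnet). The resource group, location, VNet name, DB subnet range and the firewall trust IP 10.8.2.4 are assumptions; the 10.8.x.0/24 subnets are the solution template defaults named later in this section.

```powershell
# Added example (not from the VM-Series deployment guide): send traffic leaving the trust
# subnet through the VM-Series firewall with user defined routes. Names and addresses
# below are assumptions.
#Requires -Modules Az.Network
$ErrorActionPreference = 'Stop'

$ResourceGroup = 'rg-vmseries'       # assumed
$Location      = 'westus2'           # assumed
$VNetName      = 'vnet-vmseries'     # assumed
$TrustSubnet   = 'trust'             # 10.8.2.0/24 in the solution template
$FwTrustIp     = '10.8.2.4'          # private IP of the firewall's trust NIC, assumed
$DbSubnetCidr  = '10.8.3.0/24'       # example DB tier subnet, assumed

# One table, two UDRs. The DB route overrides the system route that would deliver the
# packet straight to the DB VM; the 0.0.0.0/0 route keeps internet-bound traffic inspected.
$rt = New-AzRouteTable -Name 'rt-trust' -ResourceGroupName $ResourceGroup -Location $Location
Add-AzRouteConfig -RouteTable $rt -Name 'to-db-via-fw' -AddressPrefix $DbSubnetCidr `
    -NextHopType VirtualAppliance -NextHopIpAddress $FwTrustIp | Out-Null
Add-AzRouteConfig -RouteTable $rt -Name 'default-via-fw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $FwTrustIp | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# Associate the table with the subnet whose outbound traffic must be steered.
$vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $TrustSubnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $TrustSubnet `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Azure only forwards packets whose destination is not the NIC's own address when IP
# forwarding is enabled on that NIC; without it the UDR silently blackholes traffic.
$fwNic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup |
    Where-Object { $_.IpConfigurations.PrivateIpAddress -contains $FwTrustIp }
if (-not $fwNic.EnableIPForwarding) {
    Write-Warning "IP forwarding is disabled on $($fwNic.Name); forwarded traffic will be dropped"
}

# Verify: both routes should list VirtualAppliance and the firewall's trust address.
Get-AzRouteTable -Name 'rt-trust' -ResourceGroupName $ResourceGroup |
    Select-Object -ExpandProperty Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```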
On Azure Security Center, the VM-Series firewall is available as a partner security solution that protects your Azure workloads from threats and mitigates any gaps in securing your business and intellectual property in the public cloud. To enable this integration and display logs as security alerts directly on the Azure Security Center dashboard, the VM-Series firewall on Azure includes a Log Forwarding profile.

To get started, you need to enable Azure Security Center on your Azure subscription. You then have two ways in which you can enable this integration:
• Deploy the VM-Series firewall based on a recommendation on the Azure Security Center dashboard. When the Azure Security Center dashboard recommends that you deploy a VM-Series firewall to secure a workload that is exposed to the internet, you can only deploy the firewall in a new resource group or an existing resource group that is empty. This is because Azure currently restricts you from deploying a multi-NIC appliance in an existing resource group. Therefore, after you deploy the VM-Series firewall you must manually configure it to be in the path of traffic of the workload that you need to secure.

When you deploy the firewall from Azure Security Center, the firewall is launched with three network interfaces—management, external facing (untrust) and internal facing (trust)—and a user defined route (UDR) that sends all outbound traffic from the trust subnet to the trust interface on the firewall so that internet-bound traffic is always inspected by the firewall. The default configuration includes two example Security Policy rules—the outbound-default rule allows all traffic from the trust zone to the untrust zone on the application default port, and the inbound-default rule allows all web-browsing traffic from the untrust zone to the trust zone, after inspecting traffic with the default Antivirus, Anti-spyware, and Vulnerability Protection security profiles.
The firewall also forwards all files that are intercepted with the inbound or outbound rule to the WildFire public cloud for analysis. Both rules include a URL Filtering profile that blocks all traffic to the URL categories copyright-infringement, dynamic-dns, extremism, malware, phishing, and unknown. In addition to these security profiles, both Security policy rules are enabled to log at session end and to forward Threat and WildFire Submissions logs as security alerts to the Azure Security Center dashboard.

To make practical use of this integration and Deploy a VM-Series Firewall Based on an Azure Security Center Recommendation within the same resource group as the workloads you want to secure, you can stage a workload with a public IP address that is exposed to the internet. When Azure Security Center detects the security risk, it triggers a recommendation to deploy a next-generation firewall, and you can then deploy the VM-Series firewall in a new resource group into which you can add your workloads later. You must then delete the workload that you staged to trigger the recommendation.

• Select a VM-Series firewall that you have already deployed for securing your workloads. If you have a Standard tier Azure Security Center subscription, Azure Security Center discovers and displays all existing VM-Series firewalls that you have deployed either from the Azure Marketplace or using a customized deployment with Azure CLI, PowerShell or ARM template. The firewalls within your Azure subscription are grouped under Security Solutions on the Azure Security Center dashboard. Microsoft Azure does not support the discovery of existing firewalls with the Free tier subscription.
To Connect an Existing VM-Series Firewall From Azure Security Center, you must set up a Linux virtual machine and configure Syslog forwarding to forward firewall logs in the Common Event Format as alerts to Azure Security Center. The additional configuration enables a single pane of glass view for monitoring all your Azure assets. Forwarding a large volume of logs to Azure Security Center may result in additional subscription cost to you.

VM-Series Firewall Templates on Azure

You can deploy the VM-Series firewall on Azure using templates. Palo Alto Networks provides two kinds of templates—Solution templates and ARM templates.
• Solution Templates in the Azure Marketplace—The solution templates that are available in the Azure Marketplace allow you to deploy the VM-Series firewall using the Azure portal. You can use an existing resource group and storage account (or create them new) to deploy the VM-Series firewall with the following default settings for all regions except Azure China:
   • VNet CIDR 10.8.0.0/16; you can customize the CIDR to a different private IP address range.
   • Three subnets—10.8.0.0/24 (management), 10.8.1.0/24 (untrust), 10.8.2.0/24 (trust)
   • Three network interfaces, one in each subnet. If you customize the VNet CIDR, the subnet ranges map to your changes.
   To use the solution template, see Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template); for Azure China, see Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template).
• ARM Templates in the GitHub Repository—In addition to Marketplace based deployments, Palo Alto Networks provides Azure Resource Manager templates in the GitHub Repository to simplify the process of deploying the VM-Series firewall on Azure.
   • Use the ARM Template to Deploy the VM-Series Firewall—The basic ARM template includes two JSON files (a Template file and a Parameters File) to help you deploy and provision all the resources within the VNet in a single, coordinated operation. These templates are provided under an as-is, best effort, support policy. If you want to use the Azure CLI to locate all the images available from Palo Alto Networks, you need the following details to complete the command (show vm-image list):
      • Publisher: paloaltonetworks
      • Offer: vmseries1
      • SKU: byol, bundle1, bundle2
      • Version: 9.0.0, 8.1.0, 8.0.0, 7.1.1, or latest
   • Deploy the VM-Series and Azure Application Gateway Template to support a scale out security architecture that protects your internet-facing web applications using two VM-Series firewalls between a pair of (external and internal) Azure load balancers. See VM-Series and Azure Application Gateway. This template is currently not available for Azure China.
   • Use the ARM template to deploy the VM-Series firewall into an existing Resource Group, for example when you want to Set up Active/Passive HA on Azure.

In addition to the ARM templates above that are covered under the Palo Alto Networks official support policy, Palo Alto Networks provides Community supported templates in the Palo Alto Networks GitHub repository that allow you to explore the solutions available to jumpstart your journey into cloud automation and scale on Azure.

Minimum System Requirements for the VM-Series on Azure

You must deploy the VM-Series firewall in the Azure Resource Manager (ARM) mode only; the classic mode (Service Management based deployments) is not supported.
The VM-Series firewall on Azure must meet the following requirements:
• Azure Linux VMs of the following types:
   • Standard_D3_v2 (default)
   • Standard_D4_v2
   • Standard_D5_v2
   • Standard_D4_v3
   • Standard_D16_v3
   • Standard_DS3_v2
   • Standard_DS4_v2
   • Standard_DS5_v2
   These types include support for Accelerated Networking (SR-IOV).
• For memory, disk and CPU cores required to deploy the VM-Series firewall, see VM-Series System Requirements. You can add additional disk space of 40GB to 8TB for logging purposes. The VM-Series firewall uses Azure managed disks where available; it does not utilize the temporary disk that Azure provides with some instance types.
• Up to eight network interfaces (NICs). A primary interface is required for management access and up to seven interfaces for data traffic.

On Azure, because a virtual machine does not require a network interface in each subnet, you can set up the VM-Series firewall with three network interfaces (one for management traffic and two for dataplane traffic). To create zone-based policy rules on the firewall, in addition to the management interface, you need at least two dataplane interfaces so that you can assign one dataplane interface to the trust zone and the other dataplane interface to the untrust zone. For an HA deployment, you will need another interface for the HA2 link between the HA peers.

Because the Azure VNet is a Layer 3 network, the VM-Series firewall on Azure supports Layer 3 interfaces only.

Support for High Availability on VM-Series on Azure

To ensure availability, you can Set up Active/Passive HA on Azure in a traditional configuration with session synchronization, or use a scale out architecture using cloud-native load balancers such as the Azure Application Gateway or Azure Load Balancer to distribute traffic across a set of healthy instances of the firewall.
For details, see Deploy the VM-Series and Azure Application Gateway Template.

VM-Series on Azure Service Principal Permissions

For Panorama to interact with the Azure APIs and collect information on your workloads, you need to create an Azure Active Directory Service Principal. This Service Principal has the permissions required to authenticate to Azure AD and access the resources within your subscription. To complete the setup, you must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, ask your Azure AD or subscription administrator to create a Service Principal.

The following table lists the minimum built-in roles required and the granular permissions if you would like to customize the role. Note that an entry ending in "/*" grants every operation on that resource type, including write and delete; when you build a custom role, assign it at the scope of the resource group that holds the firewalls rather than the whole subscription.

To support: Azure High Availability (Set up Active/Passive HA on Azure)
Permissions:
  Microsoft.Authorization/*/read
  Microsoft.Network/networkInterfaces/*
  Microsoft.Network/networkSecurityGroups/*
  Microsoft.Network/virtualNetworks/*
  Microsoft.Compute/virtualMachines/read

To support: Azure Application Insights (Enable Azure Application Insights on the VM-Series Firewall)
Permissions:
  Microsoft.Authorization/*/read
  Microsoft.Network/networkInterfaces/*
  Microsoft.Network/networkSecurityGroups/*
  Microsoft.Network/virtualNetworks/*
  Microsoft.Compute/virtualMachines/read

To support: Azure Auto Scaling (Auto Scaling the VM-Series Firewall on Azure)
Permissions: Requires a minimum Role of Contributor for the Service Principal. Alternatively, you can add the following custom permissions:
  Microsoft.Network/virtualNetworks/read
  Microsoft.Network/routeTables/read
  Microsoft.Network/loadBalancers/read
  Microsoft.Insights/components/read
  Microsoft.Network/publicIPAddresses/read
  Microsoft.Network/applicationGateways/read
  Microsoft.Compute/virtualMachineScaleSets/read
  Microsoft.Insights/autoscalesettings/read

To support: Azure VM Monitoring (Set Up the Azure Plugin for VM Monitoring on Panorama)
Permissions: Requires a minimum Role of Reader for the Service Principal. Alternatively, you can add the following custom permissions:
  Microsoft.Compute/virtualMachines/read
  Microsoft.Network/networkInterfaces/read
  Microsoft.Network/virtualNetworks/read

Deployments Supported on Azure

Use the VM-Series firewall on Azure to secure your network users in the following scenarios:
• Hybrid and VNet to VNet—The VM-Series firewall on Azure allows you to securely extend your physical data center/private cloud into Azure using IPSec and ExpressRoute. To improve your data center security, if you have segmented your network and deployed your workloads in separate VNets, you can secure traffic flowing between VNets with an IPSec tunnel and policies that allow application traffic.
• Inter-Subnet—The VM-Series firewall can front your servers in a VNet and protect against lateral threats for inter-subnet traffic between applications in a multi-tier architecture.
• Gateway—The VM-Series firewall serves as the VNet gateway to protect Internet-facing deployments in the Azure Virtual Network (VNet). The VM-Series firewall secures traffic destined to the servers in the VNet and also protects against lateral threats for inter-subnet traffic between applications in a multi-tier architecture.
• GlobalProtect—Use the Azure infrastructure to quickly and easily deploy the VM-Series firewall as a GlobalProtect™ gateway and extend your gateway security policy to remote users and devices, regardless of location.
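The permission sets in the Service Principal table earlier in this section are the input for a least-privilege review. The following Python is an added example, not Palo Alto Networks or Microsoft code: it models the wildcard semantics of Azure RBAC action strings (a "*" matches any characters, including "/"), reports which required actions a candidate role fails to cover and which granted patterns cover nothing the feature needs, and builds the custom-role JSON document that `az role definition create --role-definition <file>` accepts. The action lists are copied from the table; the subscription ID in the scope is a placeholder.

```python
"""Least-privilege check for VM-Series Service Principal permissions.

Added example; the action strings come from the permissions table on this
page, the matching rules model Azure RBAC wildcards, and the subscription
ID is a placeholder.
"""
import json
import re

# From the table: Azure High Availability (and Application Insights).
HA_ACTIONS = [
    "Microsoft.Authorization/*/read",
    "Microsoft.Network/networkInterfaces/*",
    "Microsoft.Network/networkSecurityGroups/*",
    "Microsoft.Network/virtualNetworks/*",
    "Microsoft.Compute/virtualMachines/read",
]
# From the table: Azure VM Monitoring custom permissions.
VM_MONITORING_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/virtualNetworks/read",
]


def action_covers(granted: str, required: str) -> bool:
    """True if the RBAC action pattern `granted` matches `required`.

    Azure treats '*' in an action string as "any characters, including '/'",
    so 'Microsoft.Network/virtualNetworks/*' covers every operation on VNets
    and 'Microsoft.Authorization/*/read' covers every read under that
    provider. Matching is case-insensitive, as in Azure. Only '*' is a
    wildcard, which is why fnmatch (which also honours '?' and '[') is not used.
    """
    pattern = ".*".join(re.escape(part) for part in granted.split("*"))
    return re.fullmatch(pattern, required, re.IGNORECASE) is not None


def missing_actions(granted, required) -> list:
    """Required actions that no granted pattern covers (role is too narrow)."""
    return [r for r in required if not any(action_covers(g, r) for g in granted)]


def unused_actions(granted, required) -> list:
    """Granted patterns that cover nothing in `required` (role is too wide)."""
    return [g for g in granted if not any(action_covers(g, r) for r in required)]


def custom_role_definition(name: str, actions, subscription_id: str,
                           description: str = "") -> dict:
    """Build the JSON document for `az role definition create`.

    The AssignableScopes value is a subscription scope built from the
    placeholder `subscription_id`; narrow it to a resource group
    ('/subscriptions/<id>/resourceGroups/<rg>') when the firewalls live in one.
    """
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


if __name__ == "__main__":
    # Reusing the HA set for VM monitoring works, but grants more than needed.
    print("missing:", missing_actions(HA_ACTIONS, VM_MONITORING_ACTIONS))
    print("unused: ", unused_actions(HA_ACTIONS, VM_MONITORING_ACTIONS))
    role = custom_role_definition("VM-Series VM Monitoring", VM_MONITORING_ACTIONS,
                                  "00000000-0000-0000-0000-000000000000",  # placeholder
                                  "Read-only access for the Panorama Azure plugin")
    print(json.dumps(role, indent=2))
```

Run it before assigning a role to the Service Principal: an empty `missing` list means the role is sufficient, and every entry in `unused` is an action you can drop from a custom role. Write the printed JSON to a file and pass it to `az role definition create --role-definition` to create the role.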
You can continue with Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template) or Deploy the VM-Series Firewall on Azure Stack and configure the firewall for your deployment needs, or learn about the VM-Series Firewall Templates on Azure that you can use to deploy the firewall. For information on bootstrapping, see Bootstrap the VM-Series Firewall on Azure.

Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)

The following instructions describe how to deploy the solution template for the VM-Series firewall that is available in the Azure® Marketplace and the Azure Government Marketplace. To use the customizable Azure Resource Manager (ARM) templates available in the GitHub repository, see Use the ARM Template to Deploy the VM-Series Firewall.

STEP 1 | Set up an Azure account.
1. If you don't have one already, create a Microsoft® account.
2. Log in to the Azure portal (https://portal.azure.com or https://portal.azure.us) using your Microsoft account credentials. If you are using a trial subscription, you may need to open a support request (Help + Support > New Support Request) to increase the quota of allocated VM cores.

STEP 2 | Find the VM-Series solution template in the Azure Marketplace.
1. Select Marketplace > Virtual Machines.
2. Search for Palo Alto Networks® and a list of offerings for the VM-Series firewall will display. For the differences between the BYOL (bring your own license) and PAYG (pay as you go) models, see VM-Series Firewall Licenses for Public Clouds.
3. Select an offering and Create a new VM-Series firewall.

STEP 3 | Deploy the firewall.
1. Configure basic settings for the firewall.
   1. Enter a Username for the firewall administrator.
   2. Enter a Password (up to 31 characters) or copy and paste an SSH public key for securing administrative access to the firewall.
   3. Select your Azure Subscription.
   4. Create a new resource group or select an existing resource group that is empty. The resource group will hold all the resources associated with the VM-Series firewall for this deployment. Azure has removed the option to select an existing resource group for Marketplace solutions that enable multiple network interface controllers (NICs). To deploy the firewall into an existing resource group, use the ARM template in the GitHub Repository or use your own custom ARM template.
   5. Select the Azure Location. This is the region in which you are deploying the firewall.
2. Configure networking.
   1. Select an existing Azure Virtual Network (VNet) or create a new one and enter the IP address space for the VNet. By default, the Classless Inter-Domain Routing (CIDR) IP address is 10.8.0.0/16.
   2. Configure the subnets for the network interfaces. If you use the default subnets, you must review the configuration. If you use an existing VNet, you must have set up three subnets: one each for the management, trust, and untrust interfaces. If you create a new VNet, verify or change the prefixes for each subnet. The default subnets are 10.8.0.0/24 for the management subnet, 10.8.1.0/24 for the untrust subnet, and 10.8.2.0/24 for the trust subnet.
   3. Enter the source IP address or IP range (include the CIDR block) that can access the VNet. Network Security Group: inbound source IP allows you to restrict inbound access to the Azure VNet. Restrict access to the firewall: supply a CIDR block that corresponds to your dedicated management IP addresses or network. Do not make the allowed source network range larger than necessary, and never configure the allowed source as 0.0.0.0/0. Verify your IP address before you configure it on the template to make sure that you do not lock yourself out.
3. Define management access to the firewall.
   1. Use the default variable ((new) fwMgmtPublicIP) to assign a public IP address to the management interface (eth0) of the firewall. Azure accelerated networking is not supported on the management interface.
   2. Enter a prefix to access the firewall using a DNS name. You must combine the prefix you enter with the suffix displayed on screen to access the web interface of the firewall, for example the suffix .cloudapp.azure.com.
   3. Select the latest VM-Series Version.
   4. Enter a display name to identify the VM-Series firewall within the resource group.
4. Add the information to configure the firewall at launch. See Bootstrap the VM-Series Firewall on Azure.
   1. Select yes to Enable Bootstrap.
   2. Enter the Storage Account Name that holds the bootstrap package.
   3. Enter the Storage Account Access Key. The firewall needs this access key to authenticate to the storage account and access the files stored within. The key grants full access to the entire storage account, so use a storage account dedicated to bootstrap packages and regenerate the key once the firewall has bootstrapped.
   4. Add the File share name to which you have uploaded the files required for bootstrapping the firewall. The storage account must be in the same region in which you are deploying the firewall and it must have the correct folder structure for bootstrapping.
   5. Select the Azure virtual machine tier and size to meet your needs. Use the Change size link to view supported instance types, and to review the Minimum System Requirements for the VM-Series on Azure.
5. Review the summary, and click OK. Then accept the terms of use and privacy policy, and click Create to launch the firewall.
6. Verify that you have successfully deployed the VM-Series firewall.
   1. Select Dashboard > Resource Groups and select the resource group.
   2. Select your resource group and see the Overview for detailed status on which resources are deployed successfully.
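The Network Security Group inbound source range entered in STEP 3 (Configure networking, item 3) is the one value in this template that decides who can reach the management interface, and the guide's two rules for it (never 0.0.0.0/0, and make sure your own address is inside the range) are easy to check before you click Create. The following Python is an added example, not part of the Palo Alto Networks solution template: a pre-flight validator for that value. The size limit on the range is an assumption of the example, and the addresses it uses are constructed from the RFC 5737 and RFC 3849 documentation ranges.

```python
"""Pre-flight check for the NSG inbound source value entered in STEP 3.

Added example (not part of the Palo Alto Networks solution template). Run it
against the CIDR you intend to type into the template: it rejects 0.0.0.0/0
and ::/0, flags ranges wider than a management network should be, reports a
value with host bits set, and confirms that the address you will administer
from falls inside the range so the NSG rule does not lock you out.
"""
import ipaddress

# Assumption: a management source wider than 256 addresses (an IPv4 /24 or an
# IPv6 /120) needs a justification; tighten this to suit your site.
MAX_SOURCE_ADDRESSES = 256


def check_inbound_source(cidr: str, admin_ip: str) -> list:
    """Return findings for the NSG inbound source `cidr`; an empty list means
    it is safe to enter. `admin_ip` is the address you will manage from."""
    findings = []
    try:
        net = ipaddress.ip_network(cidr)
    except ValueError:
        # Either host bits are set (Azure would use the network address) or
        # the string is not a CIDR at all.
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            return [f"{cidr!r} is not a valid CIDR: {exc}"]
        findings.append(f"{cidr} has host bits set; Azure will treat it as {net}")

    if net.prefixlen == 0:
        findings.append(f"{net} exposes the management interface to the whole Internet; never use it")
    elif net.num_addresses > MAX_SOURCE_ADDRESSES:
        findings.append(f"{net} allows {net.num_addresses} source addresses; "
                        "narrow it to your management network")

    try:
        admin = ipaddress.ip_address(admin_ip)
    except ValueError as exc:
        findings.append(f"{admin_ip!r} is not a valid address: {exc}")
        return findings
    if admin.version != net.version or admin not in net:
        findings.append(f"{admin} is outside {net}; you would lock yourself out after deployment")
    return findings


def is_acceptable(cidr: str, admin_ip: str) -> bool:
    """Convenience wrapper: True only when there are no findings."""
    return not check_inbound_source(cidr, admin_ip)


if __name__ == "__main__":
    # Constructed inputs using documentation address ranges.
    for cidr, admin in [("198.51.100.0/24", "198.51.100.7"),   # acceptable
                        ("0.0.0.0/0", "198.51.100.7"),          # never
                        ("198.51.100.7/24", "198.51.100.7"),    # host bits set
                        ("198.51.100.0/24", "203.0.113.9")]:    # would lock you out
        print(cidr, admin, check_inbound_source(cidr, admin) or "OK")
```

The same check applies to any NSG rule you add later for SSH or HTTPS to the management interface: the source should be a dedicated management network, and the address you test from should sit inside it.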
STEP 4 | Attach a public IP address for the untrust interface of the VM-Series firewall.
When you create a new public IP address, you get one from the block of IP addresses that Microsoft owns, so you can't choose a specific one. The maximum number of public IP addresses you can assign to an interface is based on your Azure subscription.
1. On the Azure portal, select the network interface for which you want to add a public IP address (such as the eth1 interface).
2. Select IP Configurations > Add and, for Public IP address, select Enabled. Create a new public IP address or select one that you have available.
3. Verify that you can view the secondary IP address associated with the interface.
When you attach a secondary IP address to a network interface, the VM-Series firewall does not automatically acquire the private IP address assigned to the interface. You will need to manually configure the private IP address using the VM-Series firewall web interface. See Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.

STEP 5 | Log in to the web interface of the firewall.
1. On the Azure portal, in All Resources, select the VM-Series firewall and view the full DNS name for the firewall.
2. Using a secure (https) connection from your web browser, log in to the DNS name for the firewall.
3. Enter the username and password that you defined when you deployed the template. You will see a certificate warning because the firewall presents its default self-signed certificate; that is expected on first login, so continue to the web page. Replace the default certificate with one your browsers trust before you rely on the management interface in production.

STEP 6 | Activate the licenses on the VM-Series firewall.
For the BYOL version
1. Create a Support Account.
2. Register the VM-Series Firewall (with auth code).
3. On the firewall web interface, select Device > Licenses and select Activate feature using authentication code.
4. Enter the capacity authentication code (auth-code) that you registered on the support portal.
The firewall will connect to the update server (updates.paloaltonetworks.com), download the license, and reboot automatically.
5. Log back in to the web interface and confirm the following on the Dashboard:
   • A valid serial number displays in Serial#. If the term Unknown displays, the firewall is not licensed. To view traffic logs on the firewall, you must install a valid capacity license.
   • The VM Mode displays as Microsoft Azure.
For the PAYG version
1. Create a Support Account.
2. Register the Usage-Based Model of the VM-Series Firewall for Public Clouds (no auth code).

STEP 7 | Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
If you are hosting multiple websites or services with different IP addresses and SSL certificates on a single server, you might need to configure more than one IP address on the VM-Series firewall interfaces.
1. Select Network > Interfaces > Ethernet.
2. Click ethernet1/1 and configure as follows:
   • Set Interface Type to Layer3 (default).
   • On the Config tab, assign the interface to the default virtual router.
   • Also on the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone called UnTrust, and then click OK.
   • On the IPv4 tab, select DHCP Client if you plan to assign only one IP address on the interface; the firewall will automatically acquire the private IP address assigned in the ARM template. If you plan to assign more than one IP address, select Static and manually enter the primary and secondary IP addresses assigned to the interface on the Azure portal.
   • Disable (clear) Automatically create default route to default gateway provided by server to ensure that traffic handled by this interface does not flow directly to the default gateway in the VNet.
3. Click ethernet1/2 and configure as follows:
   • Set Interface Type to Layer3 (default).
   • Set Security Zone to Trust.
   • Set the IP address to DHCP Client or Static.
   • Disable (clear) Automatically create default route to default gateway provided by server to ensure that traffic handled by this interface does not flow directly to the default gateway in the VNet.
4. Commit your changes and verify that the link state for the interfaces is up.
5. Add a static route on the virtual router of the VM-Series firewall for any networks that the firewall needs to route. For example, to add a default route to the destination subnets for the servers that the firewall secures:
   • Select Network > Virtual Router > default.
   • Select Static Routes > IPv4, and add the next hop IP address for the destination servers. You can set x.x.x.1 (the first usable address of the subnet, which Azure reserves for its gateway) as the next hop IP address for all traffic destined to 0.0.0.0/0 from interface ethernet1/1.

STEP 8 | Configure the firewall for your specific deployment.
• Gateway—Deploy a third-party load balancer in front of the UnTrust zone.
• Hybrid and Inter-VNet—Deploy an Azure VPN Gateway or a NAT virtual machine in front of the UnTrust zone.
• Inter-Subnet—On the VM-Series firewall, add an intrazone Security policy rule to allow traffic based on the subnets attached to the Trust interface.
• GlobalProtect™—Deploy a NAT virtual machine in front of the UnTrust zone.

STEP 9 | Direct traffic to the VM-Series firewall.
1. To ensure that the VM-Series firewall secures all traffic within the Azure resource group, configure static routes on the firewall.
2. Configure user defined routes (UDRs) to direct all traffic through the interfaces on the VM-Series firewall. Refer to the Azure documentation on UDRs for details. The user defined routes on the internal subnets must send all traffic through the Trust interface. The user defined routes on the UnTrust side direct all traffic from the Internet through the UnTrust interface on the VM-Series firewall.
The traffic from the Internet may be coming from an Azure Application Gateway or Azure Load Balancer, or through the Azure VPN Gateway in the case of a hybrid deployment that connects your on-premises network with the Azure cloud.

STEP 10 | To publish PAN-OS® metrics to Azure Application Insights, see Enable Azure Application Insights on the VM-Series Firewall.

Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)

The following instructions show you how to deploy the solution template for the VM-Series firewall that is available in the Azure China Marketplace. The Azure China Marketplace supports only the BYOL model of the VM-Series firewall. You can deploy the firewall into an existing resource group that is empty or into a new resource group. The default VNet in the template is 10.0.0.0/16, and it deploys a VM-Series firewall with three network interfaces: one management and two dataplane interfaces. To use the customizable ARM templates available in the GitHub repository, see Use the ARM Template to Deploy the VM-Series Firewall.

STEP 1 | Set up an Azure account.
1. Create a Microsoft account.
2. Log in to the Azure portal (https://portal.azure.com) using your Microsoft account credentials. If you are using a trial subscription, you may need to open a support request (Help + Support > New Support Request) to increase the quota of allocated VM cores.

STEP 2 | Find the VM-Series solution template in the Azure Marketplace.
1. Search for Palo Alto Networks on the Azure China marketplace (https://market.azure.cn). The offerings for the different PAN-OS versions of the VM-Series firewall display.
2. Select an offering and click Immediate deployment.

STEP 3 | Deploy the firewall.
1. Select your Azure Subscription.
2. Select a resource group for holding all the resources associated with the VM-Series firewall in this deployment. You can deploy the VM-Series firewall into a new Resource Group, or into an existing Resource Group that is empty. To deploy the firewall into an existing resource group that has other resources, use the ARM template in the GitHub Repository or your own custom ARM template. Ensure that the existing resources match the parameter values you provide in the ARM template.
   1. If you create a new resource group, enter a name for the resource group and select the Azure China region where you want to deploy the firewall.
   2. If you select an existing resource group, select the Azure China region for this resource group, and select complete deployment.
3. Configure basic settings for the firewall.
   1. Enter the storage account name for an existing account or create a new one.
   2. Enter the name for the blob storage container to which the firewall VHD image will be copied and saved.
   3. Enter a DNS name for accessing the public IP address on the management interface (eth0) of the firewall. To access the web interface of the firewall, you must combine the prefix you enter with the suffix, for example .cloudapp.azure.com.
   4. Enter a Username for the firewall administrator.
   5. Enter a Password for securing administrative access to the firewall.
   6. Select the Azure virtual machine tier and size to meet your needs. See Minimum System Requirements for the VM-Series on Azure.
   7. Enter a VmName, which is a display name to identify the VM-Series firewall within the resource group.
   8. Use a PublicIPAddressName to label the firewall management interface within the resource group. Microsoft Azure binds the DNS name that you defined with this name so that you can access the management interface on the firewall from the public internet.
   9. Enter a VirtualNetworkName to identify your VNet. The default IP Address Prefix for the VNet is 10.0.0.0/16.
You can change this to meet your IP addressing needs.
   10. Configure the subnets for the network interfaces. If you use an existing VNet, you must have defined three subnets, one each for the management, trust and untrust interfaces. If you create a new VNet, verify or change the prefixes for each subnet. The default subnets are 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24. You can allocate these subnets to the management, trust, and untrust interfaces as you like.
4. Review the summary, accept the terms of use and privacy policy, and click Immediate deployment to deploy the firewall. The deployment may take 20 minutes, and you can use the link on the page to verify progress.
5. Verify that you have successfully deployed the VM-Series firewall.
   1. Log in to the Azure China portal (https://portal.azure.cn) using your Microsoft account credentials.
   2. Select Dashboard > Resource Groups, and select the resource group.
   3. Select All Settings > Deployments > Deployment History for detailed status.

STEP 4 | Attach a public IP address for the untrust interface of the VM-Series firewall.
This allows you to access the interface from the public internet and is useful for any internet-facing application or service.
1. On the Azure portal, select the network interface for which you want to add a public IP address, for example the eth1 interface.
2. Select IP Configurations > Add and, for Public IP address, select Enabled. Create a new public IP address or select one that you have available.
3. Verify that you can view the secondary IP address associated with the interface.
When you attach a secondary IP address to a network interface, the VM-Series firewall does not automatically acquire the private IP address assigned to the interface. You will need to manually configure the private IP address using the VM-Series firewall web interface.
See Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
Each interface on the VM-Series firewall on Azure can have one dynamic (default) or static private IP address, and multiple public IP addresses (static or dynamic) associated with it. The maximum number of public IP addresses you can assign to an interface is based on your Azure subscription. When you create a new public IP address, you get one from the block of IP addresses Microsoft owns, so you can't choose a specific one.

STEP 5 | Log in to the web interface of the firewall.
1. On the Azure portal, in All Resources, select the VM-Series firewall and view the full DNS name for the firewall.
2. Using a secure connection (https) from your web browser, log in to the DNS name for the firewall.
3. Enter the username/password you defined earlier. You will see a certificate warning because the firewall presents its default self-signed certificate; that is expected on first login, so continue to the web page.

STEP 6 | Activate the licenses on the VM-Series firewall.
1. Create a Support Account.
2. Register the VM-Series Firewall (with auth code).
3. On the firewall web interface, select Device > Licenses and select Activate feature using authentication code.
4. Enter the capacity auth-code that you registered on the support portal. The firewall will connect to the update server (updates.paloaltonetworks.com), download the license, and reboot automatically.
5. Log back in to the web interface and confirm the following on the Dashboard:
   • A valid serial number displays in Serial#. If the term Unknown displays, the device is not licensed. To view traffic logs on the firewall, you must install a valid capacity license.
   • The VM Mode displays as Microsoft Azure.

STEP 7 | Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
If you are hosting multiple websites or services with different IP addresses and SSL certificates on a single server, you might need to configure more than one IP address on the VM-Series firewall interfaces.
1. Select Network > Interfaces > Ethernet.
2. Click the link for ethernet1/1 and configure as follows:
   • Interface Type: Layer3 (default).
   • On the Config tab, assign the interface to the default virtual router.
   • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone called UnTrust, and then click OK.
   • On the IPv4 tab, select DHCP Client if you plan to assign only one IP address on the interface. The private IP address assigned in the ARM template will be acquired automatically. If you plan to assign more than one IP address, select Static and manually enter the primary and secondary IP addresses assigned to the interface on the Azure portal.
   • Clear the Automatically create default route to default gateway provided by server check box. Disabling this option ensures that traffic handled by this interface does not flow directly to the default gateway in the VNet.
3. Click the link for ethernet1/2 and configure as follows:
   • Set Interface Type to Layer3 (default).
   • Security Zone: Trust
   • IP address: Select DHCP Client or Static.
   • Clear the Automatically create default route to default gateway provided by server check box. Disabling this option ensures that traffic handled by this interface does not flow directly to the default gateway in the VNet.
4. Click Commit. Verify that the link state for the interfaces is up.

STEP 8 | Configure the firewall for your specific deployment.
• Gateway—Deploy a third-party load balancer in front of the UnTrust zone.
• Hybrid and Inter-VNet—Deploy an Azure VPN Gateway or a NAT virtual machine in front of the UnTrust zone.
• Inter-Subnet—On the VM-Series firewall, add an intra-zone security policy rule to allow traffic based on the subnets attached to the Trust interface.
• GlobalProtect—Deploy a NAT virtual machine in front of the UnTrust zone.

STEP 9 | Direct traffic to the VM-Series firewall.
1. To ensure that the VM-Series firewall secures all traffic within the Azure resource group, configure static routes on the firewall.
2. Configure UDRs to direct all traffic through the interfaces on the VM-Series firewall. Refer to the Azure documentation on UDRs for details. The UDRs on the internal subnets must send all traffic through the Trust interface. The UDRs on the UnTrust side direct all traffic from the Internet through the UnTrust interface on the VM-Series firewall. The traffic from the Internet may be coming from an Azure Application Gateway or Azure Load Balancer, or through the Azure VPN Gateway in the case of a hybrid deployment that connects your on-premises network with the Azure cloud.

Use Azure Security Center Recommendations to Secure Your Workloads

Microsoft has deprecated Azure Security Center support for partner security solutions and replaced it with Azure Sentinel.

When you deploy new workloads within an Azure subscription that is enabled for Azure Security Center, Azure Security Center enables you to secure these workloads in two ways. In one workflow, Azure Security Center recommends that you deploy a new instance of the VM-Series firewall to secure an internet-facing application workload. In the other workflow, Azure Security Center discovers VM-Series firewalls (partner security solutions) that you have deployed within the Azure subscription, and you then perform additional configuration to connect the VM-Series firewall to Azure Security Center so that you can view alerts on the dashboard.
See Azure Security Center Integration for details on the integration and the pros and cons of each workflow:
• Deploy a VM-Series Firewall Based on an Azure Security Center Recommendation
• Connect an Existing VM-Series Firewall From Azure Security Center

Deploy a VM-Series Firewall Based on an Azure Security Center Recommendation

Azure Security Center scans your Azure resources and provides recommendations to secure workloads that need a next-generation firewall. The recommendation displays on the dashboard, and you can then either deploy a new instance of the VM-Series firewall from the Azure Marketplace or use the Azure CLI, PowerShell, or an ARM template. The advantage of a customized deployment using the Azure CLI, PowerShell, or an ARM template is that you can deploy the VM-Series firewall within the same resource group as the workload that you need to secure. When you deploy the VM-Series firewall using the Azure Marketplace, Azure requires that you deploy the firewall into a new resource group or an empty resource group only. Therefore, the Marketplace deployment requires you to then ensure that the traffic from the workload you want to secure is steered to the firewall that is in a different resource group.

STEP 1 | Log in to your Azure portal and access the Security Center dashboard.
STEP 2 | Select Recommendations.
STEP 3 | Select Add a Next Generation Firewall, and select the workload you want to secure.
STEP 4 | Choose whether you want to deploy a new instance of the VM-Series firewall or use an existing instance of the VM-Series firewall.
To use this workflow, stage a workload with a public IP address that is exposed to the internet and deploy an instance of the VM-Series firewall in a new resource group.
Then, delete the workload you staged, and deploy your production workloads within the resource group in which you deployed the VM-Series firewall.
• To Create New, see Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template).
• To Use existing solution, select the VM-Series firewall that you have previously deployed.

Connect an Existing VM-Series Firewall From Azure Security Center

When Azure Security Center detects that you have deployed the VM-Series firewall within the Azure subscription, it displays the firewall as a security solution. You can then connect the VM-Series firewall to Security Center using the Common Event Format (CEF) over Syslog, and view firewall logs as alerts on the Security Center dashboard.

STEP 1 | Log in to your Azure portal and access the Security Center dashboard.
STEP 2 | Select Security Solutions to view all available VM-Series firewalls within this Azure subscription.
STEP 3 | Expand Discovered solutions, select the VM-Series firewall instance that is in the same resource group as the workload you want to secure, and click Connect. To view firewall logs as alerts on the Security Center dashboard, you need to follow the four-step process that displays on screen.
STEP 4 | On successfully connecting the VM-Series firewall to Security Center, the VM-Series firewall displays in the Connected solutions list. Click View to verify that the firewall is protecting the workload that you need to secure.

Use Panorama to Forward Logs to Azure Security Center

If you are using Panorama to manage your firewalls, you can use templates and device groups to forward firewall logs to Azure Security Center.
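The Connect workflow above delivers firewall logs to Security Center as CEF over Syslog, and the severity of each event decides whether it is worth surfacing as an alert. The following Python is an added example, not Palo Alto Networks or Microsoft code: a CEF parser that handles the format's escaping rules (backslash-escaped pipes and backslashes in header fields, backslash-escaped equals signs in extension values), maps the CEF severity to the low/medium/high/critical bands, and keeps only events at or above a threshold, which is the same decision a high-and-critical-only log forwarding filter makes on the firewall. The sample syslog lines are constructed for this example in the CEF header layout, not captured from a firewall, and the mapping of CEF 9-10 / Very-High to "critical" is an assumption of the example.

```python
"""Parse CEF-over-Syslog lines and select the events worth forwarding.

Added example; the SAMPLE_LINES below are constructed in the CEF header
layout (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Ext),
not captured from a firewall.
"""
import re

SAMPLE_LINES = [
    r"<14>Jun 28 10:15:02 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.0.0|THREAT|vulnerability|9|rt=Jun 28 2024 10:15:02 src=10.8.2.15 dst=203.0.113.9 dpt=443 cs1Label=Rule cs1=allow-web msg=SQLi attempt id\=42",
    r"<14>Jun 28 10:15:03 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.0.0|TRAFFIC|end|1|src=10.8.2.15 dst=10.8.2.30 dpt=22 app=ssh",
    r"<14>Jun 28 10:15:04 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.0.0|THREAT|url\|filtering|7|src=10.8.2.16 request=http://malware.example/a\=b",
    r"<14>Jun 28 10:15:05 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.0.0|THREAT|spyware|5|src=10.8.2.17 dst=198.51.100.4",
]

BANDS = ("low", "medium", "high", "critical")


def _split_header(cef: str, count: int = 7) -> list:
    """Split on the first `count` unescaped '|' characters, unescaping the
    header fields; the remainder (the extension) is returned raw so that
    its own escapes are still intact for _parse_extension."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < count:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < count:
        raise ValueError("truncated CEF header")
    fields.append(cef[i:])
    return fields


def _parse_extension(ext: str) -> dict:
    """key=value pairs; values may contain spaces, and a literal '=' inside a
    value is escaped as backslash-equals, so keys are found by 'word='."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def severity_band(sev: str) -> str:
    """Map a CEF severity (integer 0-10 or Low/Medium/High/Very-High) to a
    band. 0-3 low, 4-6 medium, 7-8 high; 9-10 and Very-High are treated as
    critical (assumption of this example)."""
    s = sev.strip().lower()
    names = {"low": "low", "medium": "medium", "high": "high", "very-high": "critical"}
    if s in names:
        return names[s]
    n = int(s)  # ValueError for anything that is not a number
    if not 0 <= n <= 10:
        raise ValueError(f"CEF severity out of range: {sev}")
    return "low" if n <= 3 else "medium" if n <= 6 else "high" if n <= 8 else "critical"


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record; ValueError if it is not CEF."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    f = _split_header(line[start:])
    if f[0] != "CEF:0":
        raise ValueError(f"unsupported CEF version {f[0]!r}")
    return {"vendor": f[1], "product": f[2], "version": f[3], "signature_id": f[4],
            "name": f[5], "severity": f[6], "band": severity_band(f[6]),
            "ext": _parse_extension(f[7])}


def select_alerts(lines, min_band: str = "high") -> list:
    """Events whose band is at or above `min_band`, in input order; lines that
    are not valid CEF are skipped rather than aborting the run."""
    threshold = BANDS.index(min_band)
    kept = []
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue
        if BANDS.index(ev["band"]) >= threshold:
            kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in select_alerts(SAMPLE_LINES):
        print(ev["band"], ev["signature_id"], ev["name"],
              ev["ext"].get("src"), ev["ext"].get("dst"))
```

Feed it a capture from the syslog collector to confirm that the firewall's CEF output parses cleanly and that the severities you expect to see as alerts actually clear the threshold before you rely on the Security Center dashboard for triage.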
With the default Azure Security Center Log Forwarding profile, Threat and WildFire Submissions logs of low, medium, high, or critical severity generated on the firewall are displayed as security alerts on the Azure Security Center dashboard. So that you can focus and triage alerts more efficiently, you can set up granular log filters to forward only the logs of interest to you, or forward high and critical severity logs only. You can also selectively attach the log forwarding profile to a few Security policy rules based on your applications and security needs.

To enable the Azure Security Center integration from Panorama, use the following workflow.

STEP 1 | Add the firewall as a managed device on Panorama.
STEP 2 | From Panorama, create a template and a device group to push log forwarding settings to the firewalls that will be forwarding logs to Azure Security Center.
STEP 3 | Specify the log types to forward to Azure Security Center. The way you enable forwarding depends on the log type. For logs that are generated based on a policy match, you use a log forwarding profile within a device group; for other log types you use the Log Settings configuration within a template.
1. Configure forwarding of System, Configuration, User-ID, and HIP Match logs.
   1. Select Device > Log Settings.
   2. Select the Template that contains the firewalls from which you want to forward logs to Azure Security Center.
   3. For each log type that you want to forward, Add a match list filter. Give it a Name and, optionally, define a Filter.
   4. Add Built-in Actions and enter a Name. The Azure-Security-Center-Integration action will be auto-selected. Click OK.
   5. Click OK.
2. Configure forwarding of all other log types that are generated when a policy match occurs, such as Traffic, Threat, WildFire Submission, URL Filtering, Data Filtering, and Authentication logs.
To forward these logs, you must create a log forwarding profile and attach it to each policy rule for which you want to forward logs.
   1. Select the Device Group, and then select Objects > Log Forwarding to Add a profile. In the log forwarding profile match list, add each log type that you want to forward.
   2. Select Add in Built-in Actions to enable the firewalls in the device group to forward the logs to Azure Security Center.
   3. Create basic Security policy rules in the device group you just created and select Actions to attach the Log Forwarding profile you created for forwarding logs to Azure Security Center. Until the firewall has interfaces, zones, and a basic Security policy, it does not let any traffic through, and by default only traffic that matches a Security policy rule is logged.
   4. For each rule you create, select Actions and select the Log Forwarding profile that allows the firewall to forward logs to Azure Security Center.

STEP 4 | Commit your changes to Panorama and push them to the template and device group you created.

STEP 5 | Verify that the firewall logs are being forwarded to Azure Security Center.
1. Log in to the Azure portal and select Azure Security Center.
2. Verify that you can see firewall logs as Security alerts on the Azure Security Center dashboard.

Deploy the VM-Series Firewall on Azure Stack

You can deploy the VM-Series firewall on Azure Stack to secure inter-subnet traffic between applications in a multi-tier architecture and outbound traffic from servers within your Azure Stack deployment.
If you want to use the VM-Series firewall as a gateway that secures inbound traffic destined to the servers within your Azure Stack deployment, you must deploy a NAT appliance in front of the firewall that receives inbound traffic and forwards it to the firewall. The NAT appliance is required because on Azure Stack you cannot assign a public IP address to a non-primary interface of a virtual machine such as the VM-Series firewall.

Unlike on public Azure, you do not have a solution template to deploy the VM-Series firewall on Azure Stack. Therefore, you must use an ARM template to deploy the VM-Series firewall. To get started, you can use the community-supported sample ARM template on GitHub, and then develop your own ARM template for production deployments.

The VM-Series firewall on Azure Stack does not support bootstrapping, Azure Application Insights, or the Azure Security Center integration.

STEP 1 | Download marketplace items from Azure to Azure Stack. To deploy the VM-Series firewall on Azure Stack, you need access to the BYOL offer of the VM-Series firewall PAN-OS image (8.1 or later). You can download the image directly from the Azure Marketplace to Azure Stack in a connected deployment.

STEP 2 | Access the Azure Stack portal. Your Azure Stack operator (either a service provider or an administrator in your organization) should provide the correct URL to access the portal.

STEP 3 | Deploy the VM-Series firewall. A solution template for the VM-Series firewall is not available on Azure Stack. Therefore, you must reference the image that you downloaded in the previous step in an ARM template to deploy the VM-Series firewall. To get started, you can deploy the sample ARM template that is available on GitHub under the community-supported policy:
1. Get the sample Azure Stack GitHub template.
   • Select azurestackdeploy.json to view the contents.
   • Click Raw and copy the contents of the JSON file.
2. Deploy the sample GitHub template.
You can deploy the firewall into an existing resource group that is empty or into a new resource group. The default VNet in the template is 192.168.0.0/16, and the template deploys a VM-Series firewall with three network interfaces: one management interface on the 192.168.0.0/24 subnet and two dataplane interfaces on the 192.168.1.0/24 and 192.168.2.0/24 subnets. You can customize these subnets to match your needs.
   • Log in to the Azure Stack portal.
   • Select New > Custom > Template deployment.
   • Edit template, delete all existing content in the template, paste the JSON template contents you copied earlier, and Save.
   • Edit parameters, enter the values for the required parameters, modify the defaults if you need to, and then click OK.
   • Choose the Subscription you want to use, and then click OK.
   • Choose an existing Resource Group that is empty or create a new one, and click OK.
   • Click Create. A new tile on the dashboard displays the progress of the template deployment.

STEP 4 | Next steps:
1. Log in to the web interface of the firewall. Using a secure connection (https) from your web browser, log in to the DNS name for the firewall. Enter the username/password you defined earlier. You will see a certificate warning; that is expected for a newly deployed firewall. Continue to the web page.
2. Activate the licenses on the VM-Series firewall.
   1. Create a Support Account and Register the VM-Series Firewall (with auth code).
   2. On the firewall web interface, select Device > Licenses and select Activate feature using authentication code.
   3. Enter the capacity auth-code that you registered on the support portal. The firewall connects to the update server (updates.paloaltonetworks.com), downloads the license, and reboots automatically.
   4. Log back in to the web interface and, on the Dashboard, confirm that a valid Serial# displays. The VM Mode displays as Microsoft Azure. If the term Unknown displays, the device is not licensed. To view traffic logs on the firewall, you must install a valid capacity license.

STEP 5 | 7

Enable Azure Application Insights on the VM-Series Firewall

The VM-Series firewall on Azure can publish custom PAN-OS metrics natively to Azure Application Insights, which you can use to monitor the firewalls directly from the Azure portal. These metrics allow you to assess performance and usage patterns that you can use to set alarms and take action to automate events such as launching or terminating instances of the VM-Series firewall. See Custom PAN-OS Metrics Published for Monitoring for a description of the metrics that are available.

STEP 1 | On the Azure portal, create your Application Insights instance to monitor the firewall and copy the Instrumentation Key from Configure > Properties. The firewall needs this key to authenticate to the Application Insights instance and publish metrics to it, so protect the key as you would any other credential. See VM-Series on Azure Service Principal Permissions for details on the permissions required.

STEP 2 | Enable the firewall to publish metrics to your Application Insights instance.
1. Log in to the VM-Series firewall on Azure.
2. Select Device > VM-Series > Azure.
3. Edit Azure Application Insights and enter the Instrumentation Key you copied earlier. The default interval for publishing metrics is five minutes. You can change this to any value from 1 to 60 minutes.
4. Commit your changes.
The firewall generates a system log that records the success or failure of authentication to Azure Application Insights.

STEP 3 | Verify that you can view the metrics on the Azure Application Insights dashboard.
1. On the Azure portal, select the Application Insights instance, and select Overview > Metrics Explorer to view the PAN-OS custom metrics.
2. Select the metric(s) that you want to monitor for trends and trigger alerts. Refer to the Microsoft Azure documentation for details on exploring metrics on Application Insights.

VM Monitoring on Azure

VM Monitoring on Microsoft® Azure® enables you to dynamically update Security policy rules to consistently enforce Security policy across all assets deployed within your Azure subscription. To enable this capability, you need to install the Azure plugin on Panorama and enable API communication between Panorama and your Azure subscriptions. Panorama can then collect the IP address-to-tag mapping for all your Azure assets and push or distribute the VM information to your Palo Alto Networks® firewall(s).
• About VM Monitoring on Azure
• Set Up the Azure Plugin for VM Monitoring on Panorama
• Attributes Monitored Using the Panorama Plugin on Azure

About VM Monitoring on Azure

As you deploy or terminate virtual machines in the Azure public cloud, you can use the Panorama plugin for Azure to consistently enforce Security policy rules on these workloads. The Panorama plugin for Azure is built for scale and allows you to monitor up to 100 Azure subscriptions on the Azure public cloud. With this plugin, you use Panorama as an anchor to poll your subscriptions for tags, and then distribute the metadata (IP address-to-tag mapping) to many firewalls in a device group.
Because Panorama communicates with your Azure subscriptions to retrieve VM information, you can streamline the number of API calls made to the cloud environment. Although you can define Security policy locally on the firewall, using Panorama and the plugin centralizes Security policy management, ensuring consistent policies for hybrid and cloud-native architectures. See the Panorama plugin version information in the Compatibility Matrix.

Set Up the Azure Plugin for VM Monitoring on Panorama

To find all the virtual machine workloads that your organization has deployed in the Azure cloud, you need to install the Azure plugin on Panorama and configure Monitoring Definitions that enable Panorama to authenticate to your Azure subscription(s) and retrieve VM information on the Azure workloads. Panorama retrieves the primary private IP address of the VMs (stopped and running) and the associated tags. For a list of the metadata elements that Panorama supports, see Attributes Monitored Using the Panorama Plugin on Azure.

After Panorama fetches the attributes, to push the virtual machine information from Panorama to the firewalls, you must add the firewalls (hardware or VM-Series) as managed devices on Panorama and group the firewalls into one or more Device Groups. You can then specify which device groups are part of the Notify Group, a configuration element in a Monitoring Definition that Panorama uses to register the IP address-to-tag mapping it retrieves from Azure. Finally, to consistently enforce Security policies across your Azure workloads, you must set up Dynamic Address Groups and reference them in policy rules that allow or deny traffic to the IP addresses of the VMs.
To streamline your configuration and manage policies and objects centrally from Panorama, you can define the Dynamic Address Groups and Security policy rules on Panorama and push them to the firewalls instead of managing them locally on each firewall.

The Azure plugin is for monitoring VMs on the Azure public cloud. Version 1.0 does not support Azure Government or Azure China.
• Planning Checklist for VM Monitoring with the Azure Plugin
• Install the Azure Plugin
• Configure the Azure Plugin for VM Monitoring

Planning Checklist for VM Monitoring with the Azure Plugin

• Set up the Active Directory application and a Service Principal to enable API access. For Panorama to interact with the Azure APIs and collect information on your workloads, you need to create an Azure Active Directory Service Principal. This Service Principal has the permissions required to authenticate to Azure AD and access the resources within your subscription. To complete this setup, you must have permissions to register an application with your Azure AD tenant and assign the application to a role in your subscription. If you don't have the necessary permissions, ask your Azure AD or subscription administrator to create a Service Principal with an IAM role of reader or a set of custom permissions as defined in VM-Series on Azure Service Principal Permissions:
  • Make sure that the subscription ID is unique across Service Principals. Panorama allows you to use only one service principal to monitor an Azure subscription. You can monitor up to 100 Azure subscriptions, with 100 Service Principal resources.
  • If you are using the Panorama plugin for Azure and AWS, you cannot target the same firewall or virtual system with tags from both environments.
Ensure that there is no overlap of the Device Groups that you add to the Monitoring Definitions for AWS and Azure.
  • Panorama can push up to 8000 IP address-to-tag mappings to the firewalls or virtual systems assigned to a device group.

Review the requirements for Panorama and the managed firewalls:
• Minimum system requirements (see the Panorama Plugin information in the Compatibility Matrix): Panorama virtual appliance or hardware-based Panorama appliance running Panorama 8.1.3 or later, with an active support license and a device management license for managing firewalls. Licensed next-generation firewalls running PAN-OS 8.0 or 8.1.
• You must add the firewalls as managed devices on Panorama and create Device Groups so that you can configure Panorama to notify these groups with the VM information it retrieves. Device groups can include VM-Series firewalls or virtual systems on the hardware firewalls.
• The number of tags that the Panorama plugin can retrieve and register is as follows: On Panorama running 8.1.3 or later managing firewalls running PAN-OS 8.1.3 or lower, the firewalls or virtual systems included within a device group can have 7000 IP addresses with 10 tags each, or 6500 IP addresses with 15 tags each. On Panorama 8.1.3 or later managing firewalls running PAN-OS 8.0.x, 2500 IP addresses with 10 tags each.
• If your Panorama appliances are in a high availability configuration, you must manually install the same version of the Azure plugin on both Panorama peers. You configure the Azure plugin on the active Panorama peer only. On commit, the configuration is synced to the passive Panorama peer. Only the active Panorama peer polls the Azure subscriptions you have configured for VM Monitoring.
Install the Azure Plugin

To get started with VM Monitoring on Azure, you need to download and install the Azure plugin on Panorama. If you have a Panorama HA configuration, repeat this installation process on each Panorama peer.

If you already have a Panorama plugin installed, installing (or uninstalling) another plugin requires a Panorama reboot before you can commit changes. Install additional plugins during a planned maintenance window to allow for the reboot.

STEP 1 | Log in to the Panorama web interface, select Panorama > Plugins, and click Check Now to get the list of available plugins.

STEP 2 | Select Download and then Install the plugin. After the installation succeeds, Panorama refreshes and the Azure plugin displays on the Panorama tab.

STEP 3 | Restart Panorama. Select Panorama > Setup > Operations > Reboot Panorama.

Configure the Azure Plugin for VM Monitoring

To begin monitoring the virtual machines in your Azure public cloud deployment, after you Install the Azure Plugin you must create a Monitoring Definition. This definition specifies the Service Principal that is authorized to access the resources within the Azure subscription you want to monitor, and the Notify Group that includes the firewalls to which Panorama should push all the IP address-to-tag mappings it retrieves. To enforce policy, you must then create Dynamic Address Groups and reference them in Security policy. The Dynamic Address Groups enable you to filter the tags you want to match on, so that the firewall can get the primary private IP address registered for the tags, and then allow or deny traffic to and from the workloads based on the policy rules you define.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Set up the following objects for enabling VM Monitoring on Azure.

Add a Service Principal.
The Service Principal is the service account that you created on the Azure portal. This account is attached to Azure AD and has limited permissions to access and monitor the resources in your Azure subscription.
1. Select Panorama > Plugins > Azure > Setup > Service Principal > Add.
2. Enter a Name and optionally a Description to identify the service account.
3. Enter the Subscription ID for the Azure subscription you want to monitor. You must log in to your Azure portal to get this subscription ID.
4. Enter the Client Secret and re-enter it to confirm.
5. Enter the Tenant ID. The tenant ID is the Directory ID you saved when you set up the Active Directory application.
6. Click Validate to verify that the keys and IDs you entered are valid and that Panorama can communicate with the Azure subscription using the API.

Add a Notify Group.
1. Select Panorama > Plugins > Azure > Setup > Notify Groups > Add.
2. Enter a Name and optionally a Description to identify the group of firewalls to which Panorama pushes the VM information it retrieves.
3. Select the Device Groups (groups of firewalls or virtual systems) to which Panorama will push the VM information (IP address-to-tag mapping) it retrieves from your Azure subscriptions. The firewalls use the update to determine the most current list of members that constitute the dynamic address groups referenced in policy. Think through your Device Groups carefully.
   • Because a Monitoring Definition can include only one notify group, make sure to select all the relevant Device Groups within your notify group. If you want to deregister the tags that Panorama has pushed to a firewall included in a notify group, you must delete the Monitoring Definition.
   • To register tags to all virtual systems on a firewall enabled for multiple virtual systems, you must add each virtual system to a separate device group on Panorama and assign those device groups to the notify group. If you assign all the virtual systems to one device group, Panorama registers tags to only one virtual system.
4. Verify that monitoring is enabled on the plugin. This setting must be enabled for Panorama to communicate with the Azure public cloud for VM Monitoring. The Enable Monitoring checkbox is on Panorama > Plugins > Azure > Setup > General.

STEP 3 | Create a Monitoring Definition. When you add a new Monitoring Definition, it is enabled by default.
• Select Panorama > Plugins > Azure > Monitoring Definition to Add a new definition.
• Enter a Name and optionally a Description to identify the Azure subscription for which you use this definition.
• Select the Service Principal and Notify Group. Panorama uses the keys and IDs that you specify in the Service Principal configuration to obtain an Azure bearer token, which it sends in the header of each API call to collect information on your workloads.

STEP 4 | Commit the changes on Panorama. Verify that the status for the Monitoring Definition displays as Success. If it fails, verify that you entered the Azure Subscription ID accurately and provided the correct keys and IDs for the Service Principal.

STEP 5 | Verify that you can view the VM information on Panorama, and define the match criteria for Dynamic Address Groups.

Some browser extensions may block API calls between Panorama and Azure, which prevents Panorama from receiving match criteria. If Panorama displays no match criteria and you are using browser extensions, disable the extensions and Synchronize Dynamic Objects to populate the tags available to Panorama.
On HA failover, the newly active Panorama attempts to reconnect to the Azure cloud and retrieve tags for all Monitoring Definitions. If there is an error reconnecting even one Monitoring Definition, Panorama generates the system log message "Unable to process subscriptions after HA switch-over; user-intervention required". When you see this error, log in to Panorama, fix the issue (for example, remove an invalid subscription or provide valid credentials), and commit your changes to enable Panorama to reconnect and retrieve the tags for all Monitoring Definitions. Even when Panorama is disconnected from the Azure cloud, the firewalls keep the list of all tags that had been retrieved before failover and can continue to enforce policy on that list of IP addresses. Panorama removes all tags associated with the subscription only when you delete a Monitoring Definition. As a best practice, to monitor for this issue, configure action-oriented log forwarding to an HTTPS destination from Panorama so that you can take immediate action.

Attributes Monitored Using the Panorama Plugin on Azure

When using the Panorama plugin for Azure, Panorama gathers the following set of metadata elements or attributes on the virtual machines in your Microsoft® Azure® deployment. Panorama can retrieve a total of 32 tags for each VM: 11 predefined tags and up to 21 user-defined tags. The maximum length of a tag is 127 characters. If a tag is longer than 127 characters, Panorama does not retrieve the tag or register it on the firewalls. Tags also must not include non-ASCII characters or special characters such as { or ".
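As an added example, not code from the plugin or from this guide, the following Python models how the limits above shape what actually gets registered: it builds the tag list for constructed VM records using the predefined attribute prefixes from the attribute table that follows, drops tags that break the length or character rules, keeps only the alphabetically first 21 user-defined tags, and then evaluates Dynamic Address Group match criteria written as 'tag' and/or 'tag' against the result. The VM record field names and sample values are assumptions of this example; only the tag prefixes and limits come from the page.

```python
"""Added example (not the plugin's code): model of the IP-address-to-tag
mapping the Panorama plugin for Azure registers, with the page's limits
(11 predefined tags, up to 21 user-defined tags sorted alphabetically,
127 characters, no { or "), plus an evaluator for Dynamic Address Group
match criteria of the form 'tag' and/or 'tag'. VM records are constructed;
their field names are an assumption of this example."""
import re

# (tag prefix, field in the constructed VM record), in the order of the attribute table.
PREDEFINED = [
    ("azure-tag.vm-name", "vm_name"),
    ("azure-tag.nsg-name", "nsg_name"),
    ("azure-tag.os-type", "os_type"),
    ("azure-tag.os-publisher", "os_publisher"),
    ("azure-tag.os-offer", "os_offer"),
    ("azure-tag.os-sku", "os_sku"),
    ("azure-tag.subnet", "subnet"),
    ("azure-tag.vnet", "vnet"),
    ("azure-tag.region", "region"),
    ("azure-tag.resource-group", "resource_group"),
    ("azure.sub-id", "subscription_id"),   # prefix as printed in the attribute table
]
MAX_USER_TAGS = 21        # 11 predefined + 21 user-defined = 32 tags per VM
MAX_TAG_LEN = 127
FORBIDDEN_CHARS = {"{", '"'}


def tag_is_valid(tag):
    """Panorama skips tags over 127 characters or containing non-ASCII text, { or "."""
    return len(tag) <= MAX_TAG_LEN and tag.isascii() and not (FORBIDDEN_CHARS & set(tag))


def build_tags(vm):
    """Registrable tags for one VM: predefined attributes first, then the
    alphabetically first 21 user-defined tags, minus anything invalid."""
    tags = [f"{prefix}.{vm[field]}" for prefix, field in PREDEFINED if vm.get(field)]
    user = sorted(vm.get("tags", {}).items())[:MAX_USER_TAGS]
    tags.extend(f"azure-tag.{key}.{value}" for key, value in user)
    return [t for t in tags if tag_is_valid(t)]


def ip_tag_mappings(vms):
    """Primary private IP -> tags, for stopped and running VMs alike."""
    return {vm["primary_private_ip"]: build_tags(vm) for vm in vms}


_TOKENS = re.compile(r"'[^']*'|\(|\)|\b(?:and|or)\b", re.IGNORECASE)


def dag_matches(tags, criteria):
    """Evaluate match criteria such as 'azure-tag.vnet.untrustnet' and
    'azure-tag.os-type.Linux' against one VM's tags. 'and' binds tighter than
    'or'; parentheses are allowed. Anything else in the text is rejected."""
    if _TOKENS.sub("", criteria).strip():
        raise ValueError(f"unrecognised text in match criteria: {criteria!r}")
    toks = _TOKENS.findall(criteria)
    if not toks:
        raise ValueError("empty match criteria")
    tagset, pos = set(tags), 0

    def atom():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of match criteria")
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = or_expr()
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return val
        if tok.startswith("'"):
            return tok[1:-1] in tagset
        raise ValueError(f"unexpected token {tok!r}")

    def and_expr():
        nonlocal pos
        val = atom()
        while pos < len(toks) and toks[pos].lower() == "and":
            pos += 1
            val = atom() and val      # always consume the right-hand side
        return val

    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(toks) and toks[pos].lower() == "or":
            pos += 1
            val = and_expr() or val
        return val

    result = or_expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in match criteria")
    return result


# Constructed VM records, not Azure API output.
SAMPLE_VMS = [
    {"primary_private_ip": "10.1.2.4", "vm_name": "web_server1", "nsg_name": "myNSG",
     "os_type": "Linux", "os_publisher": "Canonical", "os_offer": "UbuntuServer",
     "os_sku": "14.04.5-LTS", "subnet": "webtier", "vnet": "untrustnet",
     "region": "east-us", "resource_group": "myResourceGroup",
     "subscription_id": "93486f84-8de9-44f1-b4a8-f66aed312b64",
     "tags": {"tier": "web", "env": "prod", "owner": "appteam", "note": 'has "quotes"'}},
    {"primary_private_ip": "10.1.3.4", "vm_name": "db_server1", "os_type": "Linux",
     "subnet": "dbtier", "vnet": "untrustnet", "region": "east-us",
     "resource_group": "myResourceGroup", "tags": {"tier": "db", "env": "prod"}},
]
```

The evaluator is a small recursive-descent parser rather than a call to eval(), so match criteria taken from a configuration export cannot execute anything. A tag value that contains a double quote (the "note" tag in the sample) is silently absent from the registered set, which is the failure mode to look for when a rule that should match a workload does not.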
Attributes Monitored          Example
VM Name                       azure-tag.vm-name.web_server1
Network Security Group Name   azure-tag.nsg-name.myNSG
OS Type                       azure-tag.os-type.Linux
OS Publisher                  azure-tag.os-publisher.Canonical
OS Offer                      azure-tag.os-offer.UbuntuServer
OS SKU                        azure-tag.os-sku.14.04.5-LTS
Subnet                        azure-tag.subnet.webtier
VNet                          azure-tag.vnet.untrustnet
Azure Region                  azure-tag.region.east-us
Resource Group Name           azure-tag.resource-group.myResourceGroup
Subscription ID               azure.sub-id.93486f84-8de9-44f1-b4a8-f66aed312b64
User Defined Tags             azure-tag.mytag.value
                              Up to a maximum of 21 user-defined tags are supported. The user-defined tags are sorted alphabetically, and the first 21 tags are available for use on Panorama and the firewalls.

Set up Active/Passive HA on Azure

With the VM-Series Plugin, you can configure a pair of VM-Series firewalls on Azure in an active/passive high availability (HA) configuration. For HA on Azure, you must deploy both firewall HA peers within the same Azure Resource Group.

To ensure uptime in an HA setup on Azure, you need floating IP addresses that can quickly move from one peer to the other. Because you cannot move the IP address associated with the primary interface of the firewall on Azure, you need to assign a secondary IP address that can function as a floating IP address. When the active firewall goes down, the floating IP address moves from the active to the passive firewall so that the passive firewall can seamlessly secure traffic as soon as it becomes the active peer. In addition to the floating IP address, the HA peers also need HA links, a control link (HA1) and a data link (HA2), to synchronize data and maintain state information.
• Set up Active/Passive HA on Azure
• Set up the Firewalls for Enabling HA
• Configure Active/Passive HA on the VM-Series Firewall on Azure

Set up the Firewalls for Enabling HA

Gather the following details for configuring HA on the VM-Series firewalls on Azure.

• Set up the Active Directory application and a Service Principal to enable programmatic API access. For the firewall to interact with the Azure APIs, you need to create an Azure Active Directory Service Principal. This Service Principal has the permissions required to authenticate to Azure AD and access the resources within your subscription. To complete this setup, you must have permissions to register an application with your Azure AD tenant and assign the application to a role in your subscription. If you don't have the necessary permissions, ask your Azure AD or subscription administrator to create a Service Principal with the required permissions (see VM-Series on Azure Service Principal Permissions). Copy the following details for use later in this workflow:
  • Client ID: the Application ID associated with the Active Directory application (Azure Active Directory > App registrations, select your application and copy the ID).
  • Tenant ID: the Directory ID (Azure Active Directory > Properties > Directory ID on the Azure portal).
  • Azure Subscription ID: the Azure subscription in which you have deployed the firewalls. You must log in to your Azure portal to get this subscription ID.
  • Resource Group Name: the resource group in which you have deployed the firewalls that you want to configure as HA peers. Both firewalls must be in the same resource group.
  • Secret Key: the authentication key associated with the Active Directory application. To log in as the application, you must provide both the key value and the Application ID.
• Know where to get the templates you need to deploy the VM-Series firewalls within the same Azure Resource Group. For an HA configuration, both HA peers must belong to the same Azure Resource Group. If you deploy the first instance of the firewall from the Azure Marketplace, you must use your own custom ARM template or the Palo Alto Networks sample GitHub template to deploy the second instance of the firewall into the existing Resource Group. The custom template or the sample template is needed because Azure does not allow the solution template to deploy the firewall into a Resource Group that is not empty. Copy the deployment information for the first firewall instance. For example:
  • Match the VM Name of the VM-Series firewall, as shown in the Azure portal, with the Hostname on the firewall web interface. You must set the same name on Device > Setup > Management, because the hostname of the firewall is used to trigger failover.
• Plan the network interface configuration on the VM-Series firewalls on Azure. To set up HA, you must deploy both HA peers within the same Azure Resource Group, and both firewalls must have the same number of network interfaces. A minimum of four network interfaces is required on each HA peer:
  • Management interface (eth0): private and public IP address associated with the primary interface. The public IP address enables access to the firewall web interface and SSH. You can use the private IP address on the management interface as the HA1 peer IP address for the control link communication between the active/passive HA peers. If you want a dedicated HA1 interface, you must attach an additional network interface on each firewall, which means you need five interfaces on each firewall.
  • Untrust interface (eth1/1): primary private IP address with a /32 netmask, and a secondary IP configuration with both a private IP address (any netmask) and a public IP address.
    On failover, when the passive peer transitions to the active state, the public IP address associated with the secondary IP configuration is detached from the previously active peer and attached to the now active HA peer.
  • Trust interface (eth1/2): primary and secondary private IP addresses. On failover, when the passive peer transitions to the active state, the secondary private IP address is detached from the previously active peer and attached to the now active HA peer.
  • HA2 interface (eth1/3): primary private IP address. The HA2 interface is the data link that the HA peers use for synchronizing sessions, forwarding tables, IPSec security associations, and ARP tables.

Interface: Trust
  Active firewall peer: Secondary IP address
  Passive firewall peer: none
  Description: The trust interface of the active peer requires a secondary IP configuration that can float to the other peer on failover. This secondary IP configuration on the trust interface must be a private IP address with the netmask of the servers that it secures. On failover, the VM-Series plugin calls the Azure API to detach this secondary private IP address from the active peer and attach it to the passive peer. Attaching this IP address to the now active peer ensures that the firewall can receive traffic on the floating IP on the untrust interface, send it through to the floating IP on the trust interface, and on to the workloads.

Interface: Untrust
  Active firewall peer: Secondary IP address
  Passive firewall peer: none
  Description: The untrust interface of the firewall requires a secondary IP configuration that includes a static private IP address with a netmask for the untrust subnet, and a public IP address for accessing the back-end servers or workloads over the internet. On failover, the VM-Series plugin calls the Azure API to detach the secondary IP configuration from the active peer and attach it to the passive peer before it transitions to the active state. Floating the secondary IP configuration in this way enables the now active firewall to continue processing inbound traffic that is destined to the workloads.

Interface: HA2
  Active firewall peer: Add a NIC to the firewall from the Azure management console.
  Passive firewall peer: Add a NIC to the firewall from the Azure management console.
  Description: On the active and passive peers, add a dedicated HA2 link to enable session synchronization. The default interface for HA1 is the management interface, and you can opt to use the management interface instead of adding an additional interface to the firewall. For enabling data flow over the HA2 link, you need to add an additional network interface on the Azure portal and configure the interface for HA2 on the firewall.

Configure Active/Passive HA on the VM-Series Firewall on Azure

In this workflow, you deploy the first instance of the VM-Series firewall using the VM-Series firewall solution template in the Azure Marketplace, and the second instance of the firewall using the sample GitHub template.

The authentication key (client secret) associated with the Active Directory application, which is required for setting up the VM-Series firewall in an HA configuration, is encrypted by VM-Series plugin version 1.0.4 on the firewall and on Panorama. Because the key is encrypted in VM-Series plugin version 1.0.4, you must install the same version of the plugin on Panorama and the managed VM-Series firewalls in order to centrally manage the firewalls from Panorama.
STEP 1 | Deploy the VM-Series firewall using the solution template and set up the network interfaces for HA.
1. Add a secondary IP configuration to the untrust interface of the firewall. You must attach the secondary IP configuration, with a private IP address (any netmask) and a public IP address, to the firewall that will be designated as the active peer. The secondary IP configuration always stays with the active HA peer and moves from one peer to the other when a failover occurs. In this workflow, this firewall will be designated as the active peer. The active HA peer has the lower numerical value for device priority, which you configure as part of the HA configuration on the firewall; this value indicates a preference for which firewall assumes the role of the active peer.
2. Add a secondary IP configuration to the trust interface of the firewall. The secondary IP configuration for the trust interface requires a static private IP address only. This IP address moves from the active firewall to the passive firewall on failover so that traffic flows from the untrust to the trust interface and on to the destination subnets that the firewall secures.
3. Attach a network interface for the HA2 communication between the firewall HA peers.
   1. Add a subnet within the virtual network.
   2. Create and attach a network interface to the firewall.

STEP 2 | Configure the interfaces on the firewall. Complete these steps on the active HA peer before you deploy and set up the passive HA peer.
1. Log in to the firewall web interface.
2. Configure ethernet1/1 as the untrust interface and ethernet1/2 as the trust interface. Select Network > Interfaces and configure each interface accordingly.
3. Configure ethernet1/3 as the HA interface.
   To set up the HA2 link, select the interface and set Interface Type to HA. Set link speed and duplex to auto.

STEP 3 | Configure the VM-Series plugin to authenticate to the Azure resource group in which you have deployed the firewall.
Set up the Azure HA configuration on the VM-Series plugin. To encrypt the client secret, use the VM-Series plugin version 1.0.4 or later. If using Panorama to manage your firewalls, you must install the VM-Series plugin version 1.0.4 or later.
1. Select Device > VM-Series to enable programmatic access between the firewall plugin and the Azure resources.
2. Enter the Client ID. The client ID is the Application ID associated with your Azure Active Directory application.
3. Enter the Subscription ID for the Azure subscription you want to monitor.
4. Enter the Client Secret and re-enter it to confirm.
5. Enter the Tenant ID. The tenant ID is the Directory ID you saved when you set up the Active Directory application.
6. Click Validate to verify that the keys and IDs you entered are valid, and that the VM-Series plugin can successfully communicate with the Azure resources using the API.

STEP 4 | Enable HA.
1. Select Device > Setup > HA.
2. Enter the Peer HA1 IP address as the private IP address of the passive peer.
3. (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
4. Edit the Data Link (HA2) to use Port ethernet 1/3 and add the IP address of this peer and the Gateway IP address for the subnet.

STEP 5 | Commit the changes.

STEP 6 | Set up the passive HA peer within the same Azure Resource Group.
1. Deploy the second instance of the firewall.
   • Download the custom template and parameters file from GitHub.
   • Log in to the Azure Portal.
   • Search for custom template and select Deploy from a custom template.
   • Select Build your own template in the editor > Load file.
   • Select the azuredeploy.json that you downloaded earlier, and Save.
   • Complete the inputs, agree to the terms and Purchase.
     Make sure to match the following inputs to those of the firewall instance you have already deployed: Azure subscription, name of the Resource Group, location of the Resource Group, name of the existing VNet into which you want to deploy the firewall, VNet CIDR, Subnet names, Subnet CIDRs, and the start IP address for the management, trust and untrust subnets.
2. Repeat Step 1 and Step 2 to set up the interfaces and configure the firewall as the passive HA peer.
3. Skip Step 3 and complete Enable HA (Step 5). In Step 4 modify the IP addresses as appropriate for this passive HA peer.

STEP 7 | After you finish configuring both firewalls, verify that the firewalls are paired in active/passive HA.
1. Access the Dashboard on both firewalls, and view the High Availability widget.
2. On the active firewall, click the Sync to peer link.
3. Confirm that the firewalls are paired and synced, as shown as follows:
   • On the passive firewall: the state of the local firewall should display passive and the Running Config should show as synchronized.
   • On the active firewall: the state of the local firewall should display active and the Running Config should show as synchronized.
4. On the passive peer, verify that the VM-Series plugin configuration is now synced. Select Device > VM-Series and validate that you can view the Azure HA configuration that you had omitted configuring on the passive peer.
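Step 6 requires the passive peer's inputs to match the deployment of the active peer. The following script is an added example, not code from the deployment guide or from the PaloAltoNetworks/azure templates: it checks a passive-peer parameters file against the active peer's values and flags start IPs that fall outside their subnet or on an address Azure reserves. The parameter names and the sample values are assumptions constructed for this example.

```python
import ipaddress

# Inputs that must be identical on both peers (Step 6). The parameter names are
# assumptions for this example; map them to the names in the template you load.
MUST_MATCH = (
    "subscriptionId", "resourceGroupName", "location",
    "virtualNetworkName", "virtualNetworkAddressPrefix",
    "mgmtSubnetName", "mgmtSubnetPrefix",
    "untrustSubnetName", "untrustSubnetPrefix",
    "trustSubnetName", "trustSubnetPrefix",
)
# (start IP parameter, subnet prefix parameter) pairs to validate.
START_IPS = (
    ("mgmtStartIp", "mgmtSubnetPrefix"),
    ("untrustStartIp", "untrustSubnetPrefix"),
    ("trustStartIp", "trustSubnetPrefix"),
)


def flatten_parameters(doc):
    """Turn an ARM parameters file ({"parameters": {name: {"value": v}}}) into a dict."""
    return {name: entry["value"] for name, entry in doc["parameters"].items()}


def check_passive_peer(active, passive_doc):
    """Compare the passive peer's parameters file with the active peer's inputs.
    Returns a list of findings; an empty list means the inputs are consistent."""
    passive = flatten_parameters(passive_doc)
    findings = []
    for name in MUST_MATCH:
        if name not in passive:
            findings.append(f"{name}: missing from the passive peer's parameters")
        elif passive[name] != active.get(name):
            findings.append(f"{name}: passive {passive[name]!r} != active {active.get(name)!r}")
    vnet = ipaddress.ip_network(active["virtualNetworkAddressPrefix"], strict=False)
    for ip_name, prefix_name in START_IPS:
        if ip_name not in passive:
            findings.append(f"{ip_name}: missing from the passive peer's parameters")
            continue
        if prefix_name not in passive:
            continue  # already reported above
        subnet = ipaddress.ip_network(passive[prefix_name], strict=False)
        addr = ipaddress.ip_address(passive[ip_name])
        if not subnet.subnet_of(vnet):
            findings.append(f"{prefix_name}: {subnet} lies outside the VNet {vnet}")
        if addr not in subnet:
            findings.append(f"{ip_name}: {addr} is not inside {subnet}")
        elif int(addr) - int(subnet.network_address) < 4 or addr == subnet.broadcast_address:
            # Azure reserves the first four and the last address of every subnet.
            findings.append(f"{ip_name}: {addr} is an Azure-reserved address in {subnet}")
    return findings


# Constructed values of the firewall that is already deployed (the active peer).
ACTIVE = {
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "resourceGroupName": "rg-vmseries-ha",
    "location": "eastus",
    "virtualNetworkName": "vnet-FW",
    "virtualNetworkAddressPrefix": "192.168.0.0/16",
    "mgmtSubnetName": "Mgmt", "mgmtSubnetPrefix": "192.168.0.0/24",
    "untrustSubnetName": "Untrust", "untrustSubnetPrefix": "192.168.1.0/24",
    "trustSubnetName": "Trust", "trustSubnetPrefix": "192.168.2.0/24",
}


def make_passive_doc(**overrides):
    """Build a constructed azuredeploy.parameters.json document for the passive
    peer: the active peer's inputs plus start IPs, with optional overrides."""
    values = {**ACTIVE, "mgmtStartIp": "192.168.0.5", "untrustStartIp": "192.168.1.5",
              "trustStartIp": "192.168.2.5", **overrides}
    return {"parameters": {k: {"value": v} for k, v in values.items()}}


if __name__ == "__main__":
    # A parameters file with a mistyped Trust prefix and an Azure-reserved untrust IP.
    bad = make_passive_doc(trustSubnetPrefix="192.168.20.0/24", untrustStartIp="192.168.1.2")
    for finding in check_passive_peer(ACTIVE, bad):
        print("FAIL:", finding)
```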
Use the ARM Template to Deploy the VM-Series Firewall

In addition to Marketplace based deployments, Palo Alto Networks provides a GitHub repository which hosts sample ARM templates that you can download and customize for your needs. ARM templates are JSON files that describe the resources required for individual resources such as network interfaces, a complete virtual machine, or even an entire application stack with multiple virtual machines.

ARM templates are for advanced users, and Palo Alto Networks provides the ARM template under the community supported policy. To learn about ARM templates, refer to the Microsoft documentation on ARM Templates.

To simplify the deployment of all the required resources, the two-tier sample template (https://github.com/PaloAltoNetworks/azure/tree/master/two-tier-sample) includes two json files:
• Template File—The azureDeploy.json is the main resources file that deploys all the components within the resource group.
• Parameters File—The azureDeploy.parameters.json is the file that includes the parameters required to successfully deploy the VM-Series firewall in the VNet. It includes details such as the virtual machine tier and size, the username and password for the firewall, and the name of the storage container for the firewall. You can customize this file for your Azure VNet deployment.

To help you deploy the firewall as a gateway for Internet-facing applications, the template provisions the VM-Series firewall, a database server, and a web server. The VNet uses the private non-routable IP address space 192.168.0.0/16. You can modify the template to use 172.16.0.0/12 or 10.0.0.0/8. The ARM template also provides the necessary user-defined rules and IP forwarding flags to enable the VM-Series firewall to secure the Azure resource group.
For the five subnets—Trust, Untrust, Web, DB, and NAT—included in the template, you have five route tables, one for each subnet with user defined rules for routing traffic to the VM-Series firewall and the NAT virtual machine. For the four subnets—Trust, Untrust, Web, and DB—included in the template, you have four route tables, one for each subnet with user defined rules for routing traffic to the VM-Series firewall.

Figure 4: Deploying VM-Series Firewall using the ARM Template

STEP 1 | Download the two-tier sample ARM template from the GitHub repository.
Download and save the files to a local client: https://github.com/PaloAltoNetworks/azure/tree/master/two-tier-sample
For Azure China: github.com/PaloAltoNetworks/Azure-China

STEP 2 | (Only for Azure China) Copy the VHD image for the VM-Series firewall to your Azure storage account.

STEP 3 | Create a Resource Group on Azure.
1. Log in to the Azure CLI using the command:
   azure login
   If you need help, refer to the Azure documentation on installing the CLI, or for details on how to access the CLI on Azure Government or Azure China.
2. Switch to Resource Manager mode using the command:
   azure config mode arm
3. Create a resource group.

STEP 4 | Deploy the ARM template.
1. Open the Parameters File with a text editor and modify the values for your deployment.
   In Azure China, you must edit the path for the storage account that hosts the VHD image required to deploy the VM-Series firewall. In the variables section of the template file, find the parameter called userImageNameURI and replace the value with the location where you saved the VHD image.
2. Deploy the template in the resource group you created.
   azure group create -v -n "" -l "" -d "" -f azureDeploy.json -e azureDeploy.parameters.json
3. Check the progress/status of the deployment from the Azure CLI:
   azure group deployment show "" ""
   When the template is successfully deployed, the ProvisioningState is Running. If the ProvisioningState is Failed, you must check for errors on the Azure portal at Resource Group > Events. Filter for only events in the last one hour, select the most recent events, and drill down to find the errors.
4. Verify that you have successfully deployed the VM-Series firewall.
   1. Select Dashboard > Resource Groups, select the resource group.
   2. Select All Settings > Deployments > Deployment History for detailed status.
   The address space within the VNet uses the prefix 192.168, which is defined in the ARM template.
5. Attach a public IP address to the untrust interface on the firewall.

STEP 5 | Configure the firewall as a VNet gateway to protect your Internet-facing deployment.
1. Log in to the management interface IP address on the firewall.
2. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
3. Add static rules to the virtual router on the firewall. To route traffic through the firewall in this example, you need three static routes on the firewall (Network > Virtual Routers, select the router and click Static Routes):
   1. Route all outbound traffic through the UnTrust zone, ethernet1/1 to the Azure router at 192.168.1.1.
   2. Route all inbound traffic destined to the web server subnet through the Trust zone, ethernet1/2 to the Azure router at 192.168.2.1.
   3. Route all inbound traffic destined to the database server subnet through the Trust zone, ethernet1/2 to the Azure router at 192.168.2.1.
4. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall.
   You also need security policy rules to allow appropriate traffic from the web server subnet to the database server subnet and vice versa.
5. Commit the changes on the firewall.
6. Verify that the VM-Series firewall is securing traffic (Monitor > Logs > Traffic).

Deploy the VM-Series and Azure Application Gateway Template

The VM-Series and Azure Application Gateway template is a starter kit that you can use to deploy VM-Series firewalls to secure web workloads for internet-facing deployments on Microsoft Azure (currently not available for Azure China). This template deploys two VM-Series firewalls between a pair of (external and internal) Azure load balancers. The external load balancer is an Azure Application Gateway, which is an HTTP (Layer 7) load balancer that also serves as the internet-facing gateway; it receives traffic and distributes it through the VM-Series firewalls on to the internal load balancer. The internal load balancer is an Azure Load Balancer (Layer 4) that fronts a pair of web servers. The template supports the BYOL and the Azure Marketplace versions of the VM-Series firewall. As demand on your web workloads increases and you increase capacity for the web server tier, you can manually deploy additional VM-Series firewalls to secure your web server tier.
• VM-Series and Azure Application Gateway Template
• Start Using the VM-Series & Azure Application Gateway Template

VM-Series and Azure Application Gateway Template

The VM-Series and Azure Application Gateway template launches an Azure Application Gateway (Layer 7 load balancer) and an Azure (Layer 4) load balancer.
Nested between the Application gateway and the load balancer are a pair of VM-Series firewalls in an Availability Set, and a pair of sample web servers running Apache2 on Ubuntu in another Availability Set. The Availability Sets provide protection from planned and unplanned outages. The following topology diagram shows the resources that the template deploys:

You can use a new or an existing storage account and resource group in which to deploy all the resources for this solution within an Azure location. The template does not provide default values for the resource group name and storage account name; you must enter a name for them. While you can create a new VNet or use an existing one, the template creates a default VNet named vnet-FW with the CIDR block 192.168.0.0/16, and allocates five subnets (192.168.1.0/24 - 192.168.5.0/24) for deploying the Azure Application Gateway, the VM-Series firewalls, the Azure load balancer and the web servers. Each VM-Series firewall is deployed with three network interfaces—ethernet0/1 in the Mgmt subnet (192.168.0.0/24), ethernet1/1 in the Untrust subnet (192.168.1.0/24), and ethernet1/2 in the Trust subnet (192.168.2.0/24).

The template creates a Network Security Group (NSG) that allows inbound traffic from any source IP address on ports 80, 443, and 22. It also deploys the pair of VM-Series firewalls and the web server pair in their respective Availability Sets to ensure that at least one instance of each is available during a planned or unplanned maintenance window. Each Availability Set is configured to use three fault domains and five update domains.

The Azure Application Gateway acts as a reverse-proxy service, which terminates a client connection and forwards the requests to back-end web servers.
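The NSG that the template creates, and the Network Security Group Inbound Src IP parameter whose default of 0.0.0.0/0 leaves the management port reachable from any source, can be checked before the template is deployed. The linter below is an added example, not part of the guide or of the template repository: it resolves [parameters('...')] references in a constructed ARM template fragment and reports inbound Allow rules that expose the SSH or HTTPS management ports to any source. The resource and parameter names in the fragment are assumptions.

```python
import json
import re

# Source prefixes that mean "from anywhere" in an NSG rule.
ANY_SOURCE = {"*", "0.0.0.0/0", "internet", "any"}
# SSH and HTTPS to the firewall management interface.
MGMT_PORTS = {22, 443}

_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, parameters):
    """Resolve a "[parameters('x')]" expression to its supplied or default value."""
    if isinstance(value, str):
        match = _PARAM_REF.match(value)
        if match:
            param = parameters.get(match.group(1), {})
            return param.get("value", param.get("defaultValue"))
    return value


def ports_in(spec):
    """Expand a destination port spec ('22', '80-90' or '*') to a set of ports.
    '*' is represented by the management ports so that it always matches."""
    if spec == "*":
        return set(MGMT_PORTS)
    if "-" in spec:
        low, high = (int(part) for part in spec.split("-", 1))
        return set(range(low, high + 1))
    return {int(spec)}


def lint_nsg(template, overrides=None):
    """Return (nsg name, rule name, port) triples for inbound Allow rules that
    expose a management port to any source. Deny rules with a lower priority
    number are not modelled; this is a pre-deployment sanity check only."""
    params = {name: dict(entry) for name, entry in template.get("parameters", {}).items()}
    for name, value in (overrides or {}).items():
        params.setdefault(name, {})["value"] = value
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        nsg_name = resolve(res["name"], params)
        for rule in res["properties"].get("securityRules", []):
            props = rule["properties"]
            if props.get("direction") != "Inbound" or props.get("access") != "Allow":
                continue
            source = str(resolve(props.get("sourceAddressPrefix", "*"), params)).lower()
            if source not in ANY_SOURCE:
                continue
            specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
            exposed = set().union(*(ports_in(str(resolve(spec, params))) for spec in specs))
            for port in sorted(MGMT_PORTS & exposed):
                findings.append((nsg_name, rule["name"], port))
    return findings


# Constructed template fragment modelled on the described NSG: web traffic on 80
# from anywhere, management on 22/443 from the nsgInboundSrcIP parameter.
TEMPLATE = json.loads("""{
  "parameters": {
    "nsgName": {"type": "string", "defaultValue": "nsg-mgmt"},
    "nsgInboundSrcIP": {"type": "string", "defaultValue": "0.0.0.0/0"}
  },
  "resources": [{
    "type": "Microsoft.Network/networkSecurityGroups",
    "name": "[parameters('nsgName')]",
    "properties": {"securityRules": [
      {"name": "allow-web", "properties": {"direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "80", "priority": 100}},
      {"name": "allow-mgmt", "properties": {"direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "[parameters('nsgInboundSrcIP')]",
        "sourcePortRange": "*", "destinationAddressPrefix": "*",
        "destinationPortRanges": ["22", "443"], "priority": 110}}
    ]}
  }]
}""")

if __name__ == "__main__":
    print("with template defaults:", lint_nsg(TEMPLATE))
    print("with a restricted source:", lint_nsg(TEMPLATE, {"nsgInboundSrcIP": "203.0.113.0/24"}))
```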
The Azure Application Gateway is set up with an HTTP listener and uses a default health probe to test that the VM-Series firewall IP address (for ethernet1/1) is healthy and can receive traffic.

The template does not provide an auto-scaling solution; you must plan your capacity needs and then deploy additional resources to Adapt the Template for your deployment.

The VM-Series firewalls are not configured to receive and secure web traffic destined to the web servers. Therefore, at a minimum, you must configure the firewall with a static route to send traffic from the VM-Series firewalls to the default router, configure a destination NAT policy to send traffic back to the IP address of the load balancer, and configure Security policy rules. The NAT policy rule is also required for the firewall to send responses back to the health probes from the HTTP listener on the Azure Application Gateway. To assist you with a basic firewall configuration, the GitHub repository includes a sample configuration file called appgw-sample.xml that you can use to get started.

Start Using the VM-Series & Azure Application Gateway Template

The VM-Series & Azure Application Gateway template launches all the resources you need to deploy and secure your web workloads for Internet facing deployments on Microsoft Azure, excluding Azure China. This section provides details on how to deploy the template, configure the firewalls to route and secure traffic destined to the web servers, and extend the capabilities and resources that this template provides to accommodate your deployment needs.
• Deploy the Template to Azure
• VM-Series and Azure Application Gateway Template Parameters
• Sample Configuration File
• Adapt the Template

Deploy the Template to Azure

Use the following instructions to deploy the template to Azure.

STEP 1 | Deploy the template.
Currently not available for deploying in Azure China.
1. Access the template from https://github.com/PaloAltoNetworks/azure-applicationgateway
2. Click Deploy to Azure.
3. Fill in the details for deploying the template. See VM-Series and Azure Application Gateway Template Parameters for a description and the default values, if any, for each parameter. At a minimum, you have to pick the Azure Subscription, Resource Group, Location, Storage Account Name, and a Username/password or SSH Key for the administrative account on the VM-Series firewalls.
4. Click Purchase to accept the terms and conditions and deploy the resources. If you have validation errors, click to view the details and fix your errors.
5. On the Azure portal, verify that you have successfully deployed the template resources, including the VM-Series firewalls.
   1. Select Dashboard > Resource Groups, select the resource group.
   2. Select Overview to review all the resources that have been deployed. The deployment status should display Succeeded.
   3. Note the Public IP address or the DNS name assigned to eth0-VM-Series0 and eth0-VM-Series1 to access the management interface of the VM-Series firewalls.

STEP 2 | Log in to the firewalls.
1. Using a secure connection (https) from your web browser, log in to the IP address for eth0-VM-Series0 or the DNS name for the firewall.
2. Enter the username/password you defined in the parameters file. You will see a certificate warning; that is okay. Continue to the web page.

STEP 3 | Configure the VM-Series firewall.
You can either configure the firewall manually or import the Sample Configuration File provided in the GitHub repository and customize it for your security needs.
• Configure the firewall manually—You must do the following at a minimum:
  1. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
  2. Add a static rule to the virtual router on the firewall. This static rule specifies the firewall’s untrust interface IP address as the nexthop address for any traffic destined for ethernet1/1. (Network > Virtual Routers, select the router and click Static Routes).
  3. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall.
  4. Add NAT policies (Policies > NAT). You must create destination NAT and source NAT rules on the firewall to send traffic to the web servers and back out to the client who initiated the request.
     The destination NAT rule is for all traffic that arrives on the firewall’s untrust interface. This rule is required to translate the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and on to the backend web servers.
     The source NAT rule is for all traffic from the backend web server and destined to the untrust interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall.
  5. Commit your changes.
• Import the sample configuration file:
  6. Download and save the Sample Configuration File to your local client.
  7. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the sample configuration file that you have saved locally, and click OK.
  8. Click Load named configuration snapshot, select the Name of the sample configuration file you just imported, and click OK.
  9. Change the IP address of the address objects and the static route to match the IP address from the CIDR block you used. Update address objects to use the private IP addresses for eth1-VM-Series0 and eth1-VM-Series1.
  10. Important! Create a new admin user account. Select Device > Administrators and Add a new account.
  11. Modify the Hostname in the General Settings widget in Device > Setup > Management.
  12. Commit your changes, and log out.
      The commit overwrites the running configuration with the sample configuration file and the updates you just made. On commit, the hostname and the administrator user account that you specified when deploying the template are overwritten. You will now need to log in using the new admin user account and password.
• Log in to the firewall—Use the credentials you created and delete the pandemo administrative account imported as part of the sample configuration file.

STEP 4 | Log in and configure the other instance of the VM-Series firewall.
See step Configure the VM-Series firewall.

STEP 5 | Verify that you have configured the firewalls properly.
From your web browser, use http to access the IP address or DNS name for the app gateway. You should be able to view the default Apache 2 Ubuntu web page.
If you have used the sample configuration file, log in to the firewall and view the Traffic logs generated on session start in Monitor > Logs > Traffic.

VM-Series and Azure Application Gateway Template Parameters

The following table lists the required and optional parameters and the default values, if any.

Parameter | Description

Resource group | Create new or use existing (no default).
Subscription | The type of Azure subscription you will use to cover the cost of the resources deployed with the template.
Location | Select the Azure location to which you want to deploy the template (no default).

Network Security Group
Network Security Group Name | The network security group limits the source IP addresses from which the VM-Series firewalls and web servers can be accessed. Default: nsg-mgmt
Network Security Group Inbound Src IP | The source IP addresses that can log in to the management port of the VMs deployed by the template. The default value 0.0.0.0/0 means you can log into the firewall management port from any IP address.

Storage Account
Storage Account Name | Create new or enter the name of an existing Storage Account (no default). The name must be globally unique.
Storage Account Type | Choose between standard and premium storage and your data replication needs for local redundancy, geo-redundancy, and read-access geo-redundancy. The default option is Locally Redundant Storage (LRS). The other options are Standard GRS, Premium LRS, and Standard RAGRS.

VNet
Virtual Network | Create new or enter the name of an existing VNet. The default name for the VNet is vnet-FW.
Virtual Network Address Prefix | 192.168.0.0/16

Azure Application Gateway
App Gateway Name | myAppGw
App Gateway DNS Name | Enter a globally unique DNS name for the Azure Application Gateway.
App Gateway Subnet Name and Prefix | Default name is AppGWSubnet and the subnet prefix is 192.168.3.0/24.

Azure Load Balancer and Web Servers
Internal Load Balancer Name | myPrivateLB
Internal Load Balancer Subnet Name and Prefix | Default name is backendSubnet and the subnet prefix is 192.168.4.0/24.
Backend Vm Size | The default size is Standard tier D1 Azure VM. Use the drop-down in the template to view the other Azure VM options available for the backend web servers.

Firewalls
Firewall Model | Choose from BYOL or PAYG (bundle 1 or bundle 2; each bundle includes the VM-300 and a set of subscriptions).
Firewall Vm Name and Size | The default name for the firewall is VM-Series, and the default size is Standard tier D3 Azure VM. Use the drop-down in the template to view the other Azure VM options available for the VM-Series firewalls.
Mgmt Subnet Name and Prefix | The management subnet for the VM-Series firewalls and the web servers deployed in this solution. Default name is Mgmt and the subnet prefix is 192.168.0.0/24.
Mgmt Public IP Address Name | Enter a hostname to access the management interface on each firewall. The names must be globally unique.
Trusted Subnet Name and Prefix | The subnet to which eth1/1 on the VM-Series firewall is connected; this subnet connects the VM-Series firewall to the Azure Application gateway. The firewall receives web traffic destined to the web servers on eth1/1. Default name is Trust and the subnet prefix is 192.168.2.0/24.
Untrusted Subnet Name and Prefix | The subnet to which eth1/2 on the VM-Series firewall is connected. The firewall receives return and outbound web traffic on this interface. Default name is Untrust and the subnet prefix is 192.168.1.0/24. The name must be globally unique.
Username | Enter the username for the administrative account on the VM-Series firewalls and the web servers.
Authentication Type | You must either enter a password for authentication or use an SSH public key (no default).

Sample Configuration File

To help you get started, the GitHub repository contains a sample configuration file named appgw-sample.xml that includes the following rules/objects:
• Address objects—Two address objects, firewall-untrust-IP and internal-load-balancer-IP, which you will need to modify to match the IP addresses in your setup. You need to modify these address objects to use the private IP addresses assigned to eth1-VM-Series0 and eth1-VM-Series1 on the Azure portal.
• Static route—The default virtual router on the firewall has a static route to 192.168.1.1, and this IP address is accurate if you use the default template values. If you have changed the Untrust subnet CIDR, you’ll need to update the IP address to match your setup.
  All traffic coming from the backend web servers, destined for the application gateway, uses this IP address as the next hop for delivering packets to the untrust interface on the firewall.
• NAT Policy Rule—The NAT policy rule enables destination NAT and source NAT.
  • The destination NAT rule is for all traffic that arrives on the firewall’s untrust interface (ethernet1/2), which is the firewall-untrust-IP address object. This rule translates the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and thus to the backend web servers.
  • The source NAT rule is for all traffic from the backend web server and destined to the untrust network interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall (ethernet1/2).
• Security Policy Rule—Two Security policy rules are defined in the sample configuration file. The first rule allows all inbound web-browsing traffic and generates a log at the start of a session on the firewall. The second rule blocks all other traffic and generates a log at the start and end of a session on the firewall. You can use these logs to monitor all traffic to the web servers in this deployment.
• Administrative User Credentials—The sample configuration file includes a username and password for logging in to the firewall, which is set to pandemo/demopassword. After you import the sample configuration, you must either change the password and set it to a strong, custom password or create a new administrator account and delete the pandemo account.

Adapt the Template

As your needs evolve, you can scope your capacity needs and extend the template for your deployment scenario.
Here are some ways you can build on the starter template to meet your planned capacity needs:
• Deploy additional VM-Series firewalls behind the Azure Application Gateway. You can manually install more VM-Series firewalls into the same Availability Set or launch a new Availability Set and manually deploy additional VM-Series firewalls.
• Configure the VM-Series firewalls beyond the basic configuration provided in the sample configuration file in the GitHub repository.
• Enable HTTPS load balancing (SSL offload) on the Azure Application Gateway. Refer to the Azure documentation for details.
• Add or replace the sample web servers included with the template.

Auto Scaling the VM-Series Firewall on Azure

Palo Alto Networks provides templates to help you deploy an auto-scaling tier of VM-Series firewalls using Azure services such as Virtual Machine Scale Sets, Application Insights, Azure load balancers, Azure functions, Panorama and the Panorama plugin for Azure, and VM-Series automation capabilities—including the PAN-OS API and bootstrapping. The templates leverage Azure scalability features designed to manage sudden surges in demand for application workload resources, allowing you to independently scale the VM-Series firewalls in response to changing workloads.
• Auto Scaling on Azure - Components and Planning Checklist
• Deploy Azure Auto Scaling Template
• Parameters in the Auto Scaling Templates for Azure

Auto Scaling on Azure - Components and Planning Checklist

To deploy VM-Series firewalls in an auto scaling set up where the firewalls can scale with your application workloads and ensure high availability for your services, you need to understand the following concepts:
• Virtual Machine Scale Sets (VMSS)—A VMSS is a group of individual virtual machines (VMs) within the Microsoft Azure public cloud that administrators can configure and manage as a single unit.
  The firewall templates provided for auto scaling create and manage a group of identical, load balanced VM-Series firewalls that are scaled up or down based on custom metrics published by the firewalls to Azure Application Insights. The scaling-in and scaling-out operations can be based on configurable thresholds.
• Azure Application Insights—The VM-Series firewall on Azure can publish custom PAN-OS metrics natively to Azure Application Insights, which you can use to monitor the firewalls directly from the Azure portal. These metrics allow you to assess performance and usage patterns that you can use to set alarms and take action to automate events such as launching or terminating instances of the VM-Series firewalls. See Custom PAN-OS Metrics Published for Monitoring for a description of the metrics that are available.
• Panorama, Panorama plugin for Azure, and VM-Series plugin—Panorama is required to enable centralized management of the auto scaling VM-Series firewalls that are deployed in the VMSS. The Azure plugin on Panorama enables you to set up communication between Panorama and the resources within your Azure subscription. The plugin takes care of the interactions required to license, bootstrap and configure the VM-Series firewalls using device groups and template stacks on Panorama. It also programs the Azure static routes and the Azure Application Insights Instrumentation Key to the firewalls in the VMSS.
  You also need to install the VM-Series plugin on Panorama if you are managing firewalls running PAN-OS 9.0.0 or later. Panorama requires the VM-Series plugin to push the Azure Application Insights instrumentation key to managed firewalls. On earlier versions of PAN-OS, the VM-Series plugin is not relevant, as the VM-Series plugin was introduced in PAN-OS 9.0.0.
  This plugin enables publishing custom metrics to cloud monitoring services (such as Azure Application Insights), bootstrapping, configuring user credential provisioning information from public cloud environments, and seamless updates for cloud libraries or agents on PAN-OS.
• Azure Functions and Service Bus—Azure Service Bus enables message-based communication between the Azure plugin on Panorama and the Azure resources. The Azure Function is a publicly accessible webhook that publishes messages to the message queue. When you configure the Azure plugin to subscribe to that queue, it can read messages to learn when a new application template is deployed (as long as it has the Panorama managed tag) and when a firewall scale-in event occurs, so that it can contact the Palo Alto Networks licensing server and deactivate the license. The Panorama plugin and the Azure function use a Shared Access Signature (SAS) token to authenticate to the Service Bus and write or read messages from the queue.
• Templates—For deploying the auto scaling VM-Series firewalls to secure your application server pool on Azure, four templates are available to you—Inbound firewall template, Hub firewall template, Infrastructure template, and the sample app template.
  • Infrastructure template—The template deploys the Azure Service Bus and messaging infrastructure to enable message-based communication between the Azure plugin on Panorama and the Azure resources. You can reuse this messaging infrastructure across multiple Azure subscriptions. Because this infrastructure does not have a 1:1 relationship with Panorama, you do not have to deploy the template multiple times.
  • Inbound firewall template—The template deploys an Azure Application Gateway (L7 load balancer), VMSS for the VM-Series firewalls, a new VNET with three subnets for the Trust, Untrust, and Management interfaces on the firewall, and an Application Insights instance.
The VM-Series firewalls in this template enable you to secure inbound traffic from the Internet to your application. • Hub firewall template—The template deploys an Standard internal load balancer, VMSS for the VM- Series firewalls, new VNET with three subnets for the Trust, Untrust, and Management interfaces on the firewall, and an Application Insights instance. The VM-Series firewalls that this template deploys enable you to secure outbound traffic (traffic originating from the application servers), and east-west traffic between the application tiers. • App template—This template is provided as an example to help you try the VM-Series auto scaling solution on Azure. When deploying this application template, you can choose whether you want to secure inbound traffic only or secure both inbound and outbound traffic. The template deploys an internal load balancer (Standard) and a sample web application. If you opt to secure outbound traffic, it also creates User Defined Routes (UDRs) to forward outgoing traffic from the application server through the hub firewall VMSS. See Tags to learn about the labels that Panorama requires to identify the application traffic that it secures. • Azure VNet Peering—Azure VNet peering enables you to connect virtual networks within the Azure public cloud. The traffic between virtual machines in peered virtual networks is routed directly through the Microsoft backbone infrastructure, instead of using a gateway or going over the public internet. In peered VNets, all subnets within the virtual network have routes with next hop type VNet peering for each address space within these networks. If your applications and the VM-Series firewall VMSS are in different VNets, VNet peering between the application and the Inbound and Hub firewall VMSS virtual networks is required to successfully route traffic between them. 
• Azure Load Balancers—The internal load balancer and the Azure Application Gateway redistribute traffic to the firewall VMSS or to the backend application server pool.

• Tags—The firewalls in the VMSS and the sample application have tags that are used for identification. When you deploy the firewall templates—Inbound or Hub—the VMSS, the VNet, and the Azure Application Gateway (external load balancer) have a tag called PanoramaManaged=True. This tag enables the Azure plugin on Panorama to identify the resources and retrieve information such as the subnet CIDR and the information required to manage the static routes and deactivate the license on the firewalls. In addition to the PanoramaManaged=Yes tag, the internal load balancer that fronts the application requires two more tags. To secure inbound traffic, you must add the tag SpokeRG=; and HubRG= if you have deployed the Hub firewall template and want to secure outbound traffic.

• Sample firewall configuration—The sample configuration includes a virtual router with eth1/1 (Untrust) and eth1/2 (Trust) interfaces in a zone. You can use this configuration as a starting point so that Panorama can push the static routes that enable the firewalls to forward inbound/outbound traffic through the correct interface on the firewall.

See Azure Auto Scaling Deployment Use Cases for greenfield and brownfield deployment scenarios.

Plan Your Deployment

Before you begin, use the following checklist to think through your auto scaling deployment and collect the details required to continue with Deploy Azure Auto Scaling Template.

• The Azure subscription and region in which you want to deploy the applications and the VM-Series firewalls. The firewalls and the applications must be deployed in the same region and within the same subscription. Cross-subscription deployments are not supported in the Azure Inbound firewall or Hub firewall template version 1.0.

• Panorama appliance running a PAN-OS version that supports auto scaling (see the Panorama plugin version information in the Compatibility Matrix). The Panorama must either have a public IP address to route over the internet or another way to establish connectivity with the VM-Series firewalls. To complete the bootstrapping flow and ensure that the firewalls are licensed, the management interface on the Panorama appliance must be able to communicate with the management interface on the VM-Series. Additionally, the VM-Series firewall must be able to access the Palo Alto Networks servers to retrieve the license successfully.

• Plan the device groups and templates/template stack on Panorama. On Panorama, you must assign firewalls to a template stack and a device group in order to push network configuration and policies. You must first add a template and assign it to a template stack, create a device group on Panorama, and then include the template stack name and the device group name in the configuration (init-cfg.txt) file. If you are deploying the Hub firewall template and an Inbound firewall template to deploy auto scaling VM-Series firewalls that protect inbound and outbound traffic to the applications in your Azure subscription, you must set up two sets of template stacks, templates and device groups: one for managing the VM-Series firewall configuration for the Hub firewall VMSS and another for the Inbound firewall VMSS. There is a 1:1 relationship between an Azure subscription and an auto scaling definition on Panorama. If you have more than one VMSS in an Azure subscription, you must use a single Panorama appliance to manage both VMSS in the Azure subscription. For each firewall VMSS that you want to add to Panorama, you must provide the Resource Group name, Resource Group type (Hub or Inbound), device group name and template stack name with which to associate the firewalls so that Panorama can push the configuration. As a part of the auto scaling definition, you can specify whether you want Panorama to create and push the static routes required to forward inbound/outbound traffic through the firewall. You must also add a virtual router to the template stack.

• Create a storage account on the Azure portal and set up the Azure Files service to contain the folder structure required to Bootstrap the VM-Series Firewall on Azure.

• Gather the information you need as inputs in the init-cfg.txt file. You must include the following:
  • Panorama IP address—The IP address of the Panorama appliance that the firewalls must connect with for the license and configuration.
  • VM auth key—The VM auth key allows Panorama to authenticate the newly bootstrapped VM-Series firewall. So, to manage the firewall using Panorama, you must include the IP address for Panorama and the VM auth key in the basic configuration file, as well as the license auth codes in the /license folder of the bootstrap package. The firewall can then provide the IP address, serial number, and the VM auth key in its initial connection request to Panorama so that Panorama can verify the validity of the VM auth key and add the firewall as a managed device. If you provide a device group and template in the basic configuration file, Panorama will assign the firewall to the appropriate device group and template so that you can centrally configure and administer the firewall using Panorama.
  • Auth codes, if using BYOL
  • Device group name
  • Template stack name

• (If you want to secure an application that you have already deployed) Collect the application details required to configure the Azure Application Gateway in the Inbound firewall template to steer the application traffic to the internal load balancer that fronts the application which you want to secure. Refer to the Azure Application Gateway documentation for details on the frontend and backend server configuration. For an example configuration, see onboard an app. When you use the sample app template, the relevant tags are automatically defined and the plugin creates the static routes required to redirect traffic through the firewall before it is routed to the application server pool. In the case of a brownfield deployment or when you deploy your own application template, to enable the inbound firewall VMSS to support multiple applications in the backend pool, you must manually configure the public load balancer that fronts your application server pool.

• The Azure plugin on Panorama needs an Active Directory application and a Service Principal to execute Azure APIs and access Azure resources. When you create the Active Directory application and Service Principal, make sure that the Service Principal has the required permissions (VM-Series on Azure Service Principal Permissions), and save the following details from that process. This information is required as inputs to the Azure plugin on Panorama.
  • Application ID
  • Secret key (Copy this key; the secret key is no longer visible after you navigate away from the page)
  • Tenant ID
  • Subscription ID

• Download the templates and files that enable this auto scaling deployment from the GitHub repository.

• Record the Service Bus Key Name and Shared Access Signature. After you deploy the Infrastructure template, you must gather the Service Bus Key Name and Shared Access Signature details for configuring the auto scaling definition.
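As an added illustration of the init-cfg.txt inputs and the /license folder listed in this checklist (example code, not Palo Alto Networks tooling), the following Python helper writes a bootstrap package into a scratch directory standing in for the Azure Files share and then checks it for everything Panorama management requires. The parameter names type, panorama-server, vm-auth-key, dgname and tplname are the standard PAN-OS init-cfg.txt keys and authcodes is the standard file name under /license; neither is spelled out on this page, so both are assumptions here, and every value used is constructed.

```python
"""Write and check a VM-Series bootstrap package for a Panorama-managed VMSS.

Added example, not Palo Alto Networks code. Assumed (not stated on this page):
the standard PAN-OS bootstrap layout (config/, content/, license/, software/),
the init-cfg.txt keys type, panorama-server, vm-auth-key, dgname, tplname,
and the license/authcodes file for BYOL auth codes. All values are constructed.
"""
import ipaddress
import pathlib
import tempfile

BOOTSTRAP_DIRS = ("config", "content", "license", "software")
# Inputs the planning checklist says must be in init-cfg.txt for Panorama management.
REQUIRED_KEYS = ("panorama-server", "vm-auth-key", "dgname", "tplname")


def render_init_cfg(panorama_ip, vm_auth_key, device_group, template_stack):
    """Return init-cfg.txt text carrying the inputs the checklist requires."""
    ipaddress.ip_address(panorama_ip)  # raises ValueError on a malformed address
    lines = [
        "type=dhcp-client",  # management interface takes its address from Azure DHCP
        f"panorama-server={panorama_ip}",
        f"vm-auth-key={vm_auth_key}",
        f"dgname={device_group}",
        f"tplname={template_stack}",
    ]
    return "\n".join(lines) + "\n"


def parse_init_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def new_package_dir():
    """Create an empty scratch directory standing in for the Azure Files share."""
    return tempfile.mkdtemp(prefix="vmseries-bootstrap-")


def write_bootstrap_package(root, init_cfg, auth_codes=()):
    """Lay out the bootstrap folders, config/init-cfg.txt and (optionally) license/authcodes."""
    root = pathlib.Path(root)
    for name in BOOTSTRAP_DIRS:
        (root / name).mkdir(parents=True, exist_ok=True)
    (root / "config" / "init-cfg.txt").write_text(init_cfg)
    if auth_codes:
        (root / "license" / "authcodes").write_text("\n".join(auth_codes) + "\n")
    return root


def validate_bootstrap_package(root, byol=True):
    """Return a list of problems; an empty list means the package is complete."""
    root = pathlib.Path(root)
    problems = []
    for name in BOOTSTRAP_DIRS:
        if not (root / name).is_dir():
            problems.append(f"missing folder: {name}")
    cfg_path = root / "config" / "init-cfg.txt"
    if not cfg_path.is_file():
        problems.append("missing config/init-cfg.txt")
        return problems
    settings = parse_init_cfg(cfg_path.read_text())
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            problems.append(f"init-cfg.txt: missing or empty {key}")
    panorama = settings.get("panorama-server")
    if panorama:
        try:
            ipaddress.ip_address(panorama)  # the checklist asks for the Panorama IP address
        except ValueError:
            problems.append(f"init-cfg.txt: panorama-server is not an IP address: {panorama}")
    if byol:  # BYOL needs the auth codes in /license so the firewall can fetch its licenses
        codes_path = root / "license" / "authcodes"
        if not codes_path.is_file() or not codes_path.read_text().strip():
            problems.append("BYOL: license/authcodes is missing or empty")
    return problems


if __name__ == "__main__":
    cfg = render_init_cfg("203.0.113.10", "CONSTRUCTED-VM-AUTH-KEY",
                          "azure-inbound-dg", "azure-inbound-ts")
    pkg = write_bootstrap_package(new_package_dir(), cfg, ["CONSTRUCTED-AUTHCODE"])
    print(validate_bootstrap_package(pkg) or "bootstrap package OK")
```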
Azure Auto Scaling Deployment Use Cases

A greenfield deployment is a fresh deployment into a new VNet. A brownfield deployment, in contrast, is an upgrade or addition to an existing VNet that has some existing components.

• Secure inbound traffic in a greenfield deployment—If you are starting from scratch and need to secure inbound web traffic for an internet-facing application, you require Panorama, the Azure plugin for Panorama, the Infrastructure template, and the Inbound Firewall template. Use the sample App template to verify the tags and try the solution before you deploy your applications and enable VNet Peering between the VNet that hosts your Inbound Firewall VMSS and the application VNet(s). When providing the inputs for the Inbound Firewall template, you must provide the details for creating a new VNet. For details on what components are included in each template, see Auto Scaling on Azure - Components and Planning Checklist and Deploy Azure Auto Scaling Template.

• Secure inbound traffic in a brownfield deployment—If you have applications deployed in one or more VNets that are peered with the VNet which hosts an Application Gateway and directs traffic to these applications, you can now deploy an auto scaling set of VM-Series firewalls to create a security VNet topology as shown in the following topology diagram. To secure inbound web traffic for an internet-facing application in a brownfield deployment, you require Panorama, the Azure plugin for Panorama, the Infrastructure template, and the Inbound Firewall template. When providing the inputs for the Inbound Firewall template, you must provide the details for the existing VNet. You will also need to complete additional configuration to connect the applications to the Inbound firewall VMSS; for example, you must add a UDR to redirect the inbound application traffic through the firewall VMSS. See Deploy Azure Auto Scaling Template for details.

• Secure outbound traffic in greenfield and brownfield deployments—To secure web traffic originating from applications within your VNets, you require Panorama, the Azure plugin for Panorama, the Infrastructure template, and the Hub Firewall template. You will also need to complete additional configuration to connect the applications to the Hub firewall VMSS. See Auto Scaling on Azure—How it Works and Deploy Azure Auto Scaling Template.

Auto Scaling on Azure—How it Works

The primary reason you want to deploy an auto scaling set of VM-Series firewalls is to ensure operational efficiency and to secure traffic to your highly available internet-facing applications when demand spikes, and to maintain cost efficiency when demand drops and the application workloads scale in.

The first step in the process of enabling auto scaling with the VM-Series firewalls is to launch the Infrastructure template, which provides the messaging infrastructure. The Panorama plugin for Azure uses this infrastructure to learn about the VM-Series firewall VMSS that are deployed when you launch the Hub or Inbound firewall templates, and to learn when a new application server pool is added and needs to be secured by the Hub or Inbound firewall templates or both. Then, you set up the Auto Scaling definition on Panorama to authorize access using the Service Bus name, Service Bus Key Name, the Shared Access Token, and the Service Principal for the Azure subscription. These details enable Panorama to access the metadata on your Azure resources and to read the messages that the Azure function publishes to the Service Bus.
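The Shared Access Signature that the Panorama plugin and the Azure function present to the Service Bus (the Shared Access Token entered with the Service Bus Key Name above) is an HMAC-SHA256 over the queue URI and an expiry time, keyed with the shared access key that the key name identifies. The Python below is an added example, not part of this guide or of the Palo Alto Networks plugin: it builds such a token for a constructed namespace and queue, and verifies one the same way a receiver does, by recomputing the signature with the named key and checking the expiry; the namespace, queue and key values are constructed placeholders.

```python
"""Azure Service Bus Shared Access Signature: build and verify.

Added example, not Palo Alto Networks or Microsoft code. The token format
(SharedAccessSignature sr=...&sig=...&se=...&skn=...) and the string-to-sign
(URL-encoded resource URI, newline, expiry in Unix seconds) follow the documented
Service Bus SAS scheme; the namespace, queue and key below are constructed.
"""
import base64
import hashlib
import hmac
import time
import urllib.parse

TOKEN_PREFIX = "SharedAccessSignature "


def _signature(resource_uri, key, expiry):
    """Base64 HMAC-SHA256 over '<url-encoded uri>\\n<expiry>' with the shared key."""
    string_to_sign = urllib.parse.quote_plus(resource_uri) + "\n" + str(expiry)
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_sas_token(resource_uri, key_name, key, expiry=None, lifetime_seconds=3600):
    """Return a SAS token for resource_uri signed with the key called key_name.

    skn (the key name) tells the Service Bus which key to verify with; the key
    material itself never appears in the token. Keep lifetimes short: the token
    is a bearer credential for the queue until se passes.
    """
    if expiry is None:
        expiry = int(time.time()) + lifetime_seconds
    return TOKEN_PREFIX + "sr={}&sig={}&se={}&skn={}".format(
        urllib.parse.quote_plus(resource_uri),
        urllib.parse.quote(_signature(resource_uri, key, expiry)),
        expiry,
        key_name,
    )


def parse_sas_token(token):
    """Split a SAS token into its sr, sig, se and skn fields (percent-decoded)."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a Service Bus SAS token")
    fields = dict(urllib.parse.parse_qsl(token[len(TOKEN_PREFIX):],
                                         keep_blank_values=True))
    missing = {"sr", "sig", "se", "skn"} - fields.keys()
    if missing:
        raise ValueError("SAS token missing fields: " + ", ".join(sorted(missing)))
    return fields


def verify_sas_token(token, key, now=None):
    """Check the expiry and recompute the signature with the key that skn names.

    Returns False for an expired, tampered or wrongly keyed token, which is what
    the Service Bus rejects with an authentication error.
    """
    try:
        fields = parse_sas_token(token)
        expiry = int(fields["se"])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if expiry <= now:
        return False
    expected = _signature(fields["sr"], key, expiry)
    # constant-time comparison so a forged sig cannot be refined byte by byte
    return hmac.compare_digest(expected.encode("utf-8"), fields["sig"].encode("utf-8"))


if __name__ == "__main__":
    queue_uri = "https://example-ns.servicebus.windows.net/panorama-plugin-queue"  # constructed
    key_name, key = "RootManageSharedAccessKey", "CONSTRUCTED-SHARED-ACCESS-KEY"  # constructed
    token = make_sas_token(queue_uri, key_name, key)
    print(token)
    print("verifies with the right key:", verify_sas_token(token, key))
    print("verifies with a wrong key:", verify_sas_token(token, "WRONG-KEY"))
```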
When you deploy the Inbound firewall template to secure all inbound traffic to the application server pool, the VMSS for the VM-Series firewalls is launched along with the Azure Application Insights instance to which these firewalls publish the PAN-OS metric that you want to trigger auto scaling. As a part of the template inputs, you choose the PAN-OS scaling metric and threshold values for the Application Insights alarms that trigger the scaling process. The firewalls are automatically bootstrapped using your inputs in the template and added as managed devices to Panorama. On Panorama, you can now add the Inbound firewall Resource Group details and enable the auto-programming of routes. The Inbound firewall template has three static routes.

• A default route to forward traffic to the trust interface; when enabled, this route is used if a more specific route is not available.
• A route to send return traffic from the application back to the Application Gateway IP address in the Inbound firewall VMSS.
• A route to perform health checks, which enable load balancing to the firewall instances in the VMSS.

When the newly launched firewall connects to Panorama, Panorama pushes the device group and template stack configuration, which includes the virtual router and policy rules you’ve defined and the auto-programmed static routes. In addition, the Panorama plugin also retrieves the Application Insights instrumentation key and adds it to the template stack to which the firewalls are assigned. When the firewall reaches the configured threshold and a scale-out event occurs, a new instance of the VM-Series firewall is launched. The firewall is bootstrapped, connects to Panorama and gets its license and configuration to ensure that it can secure your applications. When a scale-in event occurs, the Panorama plugin deactivates the license on the firewall and manages the lifecycle of the firewall. The IP address of the firewall is removed from the VMSS and the internal load balancer does not route traffic to the firewall.

The flow in the Hub firewall template is similar, with a slight difference in the static routes configuration.

In order to direct traffic through the Inbound firewall or Hub VMSS to the applications, there is some configuration that you need to complete:

To secure inbound application traffic, the application must be connected to the Inbound firewall VMSS. When you onboard your application, you need to do the following:
• Configure the Application Gateway with the frontend and backend configuration to point to the internal load balancer that fronts the application server pool. Refer to the Azure Application Gateway documentation.
• In the default BackendUDR, add a route with the application subnet as the destination, and the next hop IP address as that of the internal load balancer that fronts the firewall VMSS.
• Set up VNet peering between the application VNet and the Inbound firewall VMSS VNet, if they are in different VNets. When you use the sample application template included in the GitHub repository, VNet peering is set up for you.
• Tag the internal load balancer that fronts the application with these name-value pairs.
  PanoramaManaged-yes
  InboundRG-

To secure outbound traffic, you need to complete the following to connect the Hub firewall VMSS to the application VNet:
• Add a UDR in the route table and associate the application’s subnet to the route table. Refer to the Azure documentation.
• On the Azure portal, add a default route (0.0.0.0/0) to forward all traffic to the internal load balancer that fronts the Hub firewall VMSS.
• Tag the internal load balancer that fronts the application with the following name-value pair.
  HubRG-

When you tag the internal load balancer in the Application VNet, Panorama learns this and automatically creates a static route in the Hub firewall template stack to direct return traffic to the application workloads. Otherwise, you must add a static route on the template stack that manages the configuration of the firewalls in the Hub VMSS, to enable the firewalls in the Hub VMSS to direct traffic back to the application workloads.

Deploy Azure Auto Scaling Template

The Azure auto scaling template leverages multiple components, including native Azure services, to auto scale the VM-Series firewall to secure your application workloads as they scale in or out to meet the needs of your enterprise. To enable the Azure VM Scale Sets (VMSS) to auto scale VM-Series firewalls, custom firewall metrics are published to Azure Application Insights, which allows firewalls to scale in or scale out based on the monitored thresholds. For this auto scaling mechanism to work, you require Panorama and the Azure plugin on Panorama. For details on all the components you need to secure your application workloads with an auto-scaling tier of VM-Series firewalls, see Auto Scaling on Azure - Components and Planning Checklist. Watch the videos on deploying the Azure autoscaling templates.

• Before You Begin
• Deploy the Auto Scaling VM-Series Firewalls to Secure Your Applications

Before You Begin

Get started with deploying the VM-Series firewalls that auto scale with your application workloads on Azure.

• Review the checklist in Plan Your Deployment. Be sure to check the Panorama plugin version information in the Compatibility Matrix.
• Download the templates and files from the GitHub repository.
• Install the Panorama plugin for Azure on Panorama.
• On Panorama, create the following:
  1. In a template stack, create a virtual router.
  Make sure to add the virtual router to the template stack and not to the template. If you do not create the virtual router in the template stack, the static routes that the Inbound firewall template automatically creates will not be added to the virtual router, and your application template may not launch successfully.
  2. In a template, create two interfaces—ethernet1/1 (Untrust) and ethernet1/2 (Trust). On each interface, Enable DHCP and clear Automatically create default route pointing to default gateway provided by server.
  3. Assign the interfaces to the virtual router.
  4. Create a NAT policy rule.
    • Select the device group that you plan to use for the configuration of the Inbound Firewall template, and add a NAT policy rule to direct traffic from the untrust zone to the trust zone, and set the translated packet to use the trust interface (ethernet1/2) IP address so that the return traffic is sent back to the trust interface on the firewall.
    • Select the device group that you plan to use for the configuration of the Hub Firewall template, and add a NAT policy rule to direct traffic from the trust zone to the untrust zone, and set the translated packet to use the untrust interface (ethernet1/1) IP address so that the return traffic is sent back to the untrust interface on the firewall.
  5. Create Security policy rules to allow traffic for the application(s) you are deploying.

Deploy the Auto Scaling VM-Series Firewalls to Secure Your Applications

The following workflow takes you through the process of setting up the Azure Service Bus infrastructure that is required to support the messaging system for detecting scale-in and scale-out events, auto-programming the static routes and licensing the firewalls. It then helps you deploy the ARM templates that configure the VM-Series firewalls in VMSS, where the firewalls can scale with your application workloads and ensure high availability for your services. Finally, it also details how you must configure your custom application to direct traffic to the VM-Series firewalls and secure the flow.

STEP 1 | Launch the Infrastructure template.
This allows you to launch the Azure Service Bus and the Azure function. You need to get the SB name and SB credentials (shared access key) for use later on the Panorama Azure plugin. You will also need the Function URL to deploy the firewall template (for inbound and hub).

STEP 2 | Log in to Panorama, and for every VMSS group of firewalls, create a device group, a template stack and one or more templates.

STEP 3 | Set up your Service Principal on the Azure plugin on Panorama.
The Service Principal is the service account that you created on the Azure portal. This account is attached to the Azure AD and has limited permissions to access and monitor the resources in your Azure subscription. For this auto scaling deployment, make sure that the Service Principal has Contributor rights, at a minimum.
1. Select Panorama > Plugins > Azure > Setup > Service Principal > Add.
2. Enter a Name and optionally a Description to identify the service account.
3. Enter the Subscription ID for the Azure subscription you want to monitor. You must log in to your Azure portal to get this subscription ID.
4. Enter the Client Secret and re-enter it to confirm.
5. Enter the Tenant ID. The tenant ID is the Directory ID you saved when you set up the Active Directory application.
6. Click Validate to verify that the keys and IDs you entered are valid, and that Panorama can communicate with the Azure subscription using the API.

STEP 4 | Create your Azure auto scaling definition for the Azure subscription.
You can add up to 10 Autoscaling Definitions and each definition can include up to 25 Virtual Machine Scale Sets (VMSS). The firewalls in a VMSS map to one device group and one template stack on Panorama.
1. Select Panorama > Plugins > Azure > Autoscaling > Add.
2. Enter a Name and Description for the auto scaling definition.
3. Add the Service Bus Name—Enter the Service Bus Name that you defined when you launched the Infrastructure template from the GitHub repository. You must copy this name from the Azure portal and paste it here.
4. Add the Shared Access Token and Service Bus Key Name—You need to get these from the Infrastructure template on the Azure portal.
5. Select the Service Principal that enables Panorama to authenticate to your Azure subscription.
6. Add the firewall Resource Group to Panorama.
  1. Enter a name to identify the Firewall Resource Group, and optionally a Description.
  2. Select the Resource Group Type:
    Hub—These firewalls secure outbound traffic and east-west traffic between the VMs in your Azure deployment.
    Inbound—These firewalls secure inbound traffic to the application VMs in your Azure deployment.
  3. Select the Device Group and the Template Stack that you created for the firewalls deployed within the Resource Group above.
  4. Verify that Push static routes automatically to the template stack is enabled. This option is enabled by default, and it enables Panorama to push static routes to the firewalls that belong to the Inbound Firewall VMSS and the Hub Firewall VMSS. In the Inbound Firewall template, the static routes enable the firewalls to direct inbound traffic to the backend application server pool, route return traffic to the client, and route the health probe initiated by the Azure load balancer. In the Hub Firewall template, the static routes enable the firewalls to route the health probe initiated by the Azure load balancer and direct outbound traffic (that is, traffic originating from the applications/services) to the internet.

STEP 5 | Launch the Azure Inbound Firewall template.
Whether you want to secure a greenfield deployment or a brownfield deployment, you need the Azure Inbound Firewall template to secure inbound traffic to an internet-facing application.
1. Launch the Inbound Firewall template. For a description of the input parameters, see Inbound Firewall Template Parameters. Skip to onboard an app if you do not want to secure outbound traffic (that is, traffic originating from your application workloads within a Resource Group).
2. To secure inbound application traffic, you must connect the application to the Inbound firewall VMSS. When you onboard your application, you need to do the following:
  • Configure the Application Gateway with the frontend and backend configuration to point to the internal load balancer that fronts the application server pool. Refer to the Azure Application Gateway documentation.
  • In the default BackendUDR, add a route with the application subnet as the destination, and the next hop IP address as that of the internal load balancer that fronts the firewall VMSS.
  • Set up VNet peering between the application VNet and the Inbound firewall VMSS VNet, if they are in different VNets. When you use the sample application template included in the GitHub repository, VNet peering is set up for you.
  • Tag the internal load balancer that fronts the application with these name-value pairs.
    PanoramaManaged-yes
    InboundRG-
The Inbound template assigns a public IP address to the VMSS PA-VM management interface. Make sure to configure the Network Security Group inbound source IP in the template.
STEP 6 | Launch the Azure Hub Firewall template. You need to deploy this template, only if you want to secure traffic originating from your application workloads within a Resource Group. 1. Launch the Hub autoscaling firewall template. For a description of the input parameters, see Hub Template Parameters. 2. Connect the Hub firewall VMSS to the application VNet. Complete the following on the Azure portal: • Add a UDR in the route table and associate the application’s subnet to the route table. Refer to the Azure documentation. • On the Azure portal, add a default route (0.0.0.0/0) to forward all traffic to the internal load balancer that fronts the Hub firewall VMSS. • Tag the internal load balancer that fronts the application with these name-value pairs. HubRG- On Panorama, you must add a static route to enable the firewalls in the Hub VMSS to direct traffic back to the application workloads (as shown below in this step). Make sure to define the static route on the template stack that manages the configuration of the firewalls in the Hub VMSS. 3. Verify that the auto-programmed routes are in the virtual router on Panorama. After you deploy the Hub template, a default route and a route for health checks to the managed firewalls is automatically added to the virtual router in the template stack for the VM-Series firewalls launched with the Hub template. And the Azure Application Insights instrumentation key is also automatically available. You need to verify that these routes and the are included so that the firewalls are properly configured and can send metrics for monitoring the autoscaling thresholds. the Synchronizing Config with Azure button. Follow the same procedure if you do not see routes populated for the Hub template stack as well. 1. Log in to Panorama and select Network. 2. Select the template stack associated with the Hub firewall VMSS in the Template drop-down. 3. Select Virtual Router and select the virtual router. 4. 
Select Static Routes and verify that you can see two routes. 5. Select Device > VM-Series and view the value for the Azure Instrumentation Key. 478 VM-SERIES DEPLOYMENT GUIDE | Set up the VM-Series Firewall on Azure © 2020 Palo Alto Networks, Inc.If you do not see the static routes or the Azure Instrumentation Key, on Panorama > Plugins > Azure > AutoScaling, and click the Synchronizing Config with Azure link that corresponds to the autoscaling definition you want to update. 4. Verify that you have a static route to direct return traffic from the internet back to the application. On Panorama, the virtual router associated with the template stack for the Hub firewall must have a static route to direct return traffic to the application workloads. This static route is automatically created when you tag the internal load balancer in the Application VNet with HubRG- Otherwise, you must add the static route as follows. 1. Log in to Panorama and select Network. 2. Select the template stack associated with the Hub firewall VMSS in the Template drop-down. 3. Select Virtual Router and select the virtual router you are configuring. 4. Select Static Routes and add a route with the destination IP address as the subnet for the application, set the outgoing interface as the trust interface on the firewall and the Next Hop IP address for the internal load balancer that fronts your application workloads in the application Resource Group. The Inbound template assigns a public IP address to VMSS PA-VM management interface. Make sure to configure the Network Security Group inbound source IP in the template. STEP 7 | To onboard an app, complete the following on the Inbound Firewall Resource Group. 1. Access the Application Gateway. 2. Add the Load balancer IP address for the sample application to the Application Gateway backend pool. VM-SERIES DEPLOYMENT GUIDE | Set up the VM-Series Firewall on Azure 479 © 2020 Palo Alto Networks, Inc.3. 
Add a route to the defaultBackendUDR to direct traffic through the firewall to the application you want to secure. You need to add a route that specifies the address prefix of the internal load balancer IP address for the application gateway that was created when you launched the App template, and the next hop IP address should match the IP address of the load balancer that fronts the VM-Series firewall VMSS in the Inbound firewall resource group. This route allows the Application Gateway to send traffic to the Inbound firewall VMSS before routing it to the load balancer in the application resource group. If you have your own app and you want to configure it to secure traffic to it using the VM- Series firewalls that you deployed using the hub or the firewall template, you must do the following: • Set up VNET peering between the application VNet and the VNet in which your firewall VMSS are deployed. If you are securing inbound and outbound application traffic, on the Azure portal select the virtual network for the application and verify that VNet peering status is connected for the Hub and the Inbound firewall VNets. • Add the IP address of the internal Load Balancer that fronts the application to the Application gateway configuration in the inbound firewall Resource Group. • Add a route to the defaultBackend UDR table to direct traffic through the firewall. You need to add a route that specifies the IP address of the load balancer that fronts the application, and specify the IP address load balancer that fronts the firewall VMSS as the next hop. This route allows the Application Gateway to send traffic to the firewall VMSS before routing it to the load balancer in the application resource group. • Add the following tags to the internal load balancer that fronts your application workloads. 
• HubRG: Enter the name of the Hub firewall Resource Group
• PanoramaManaged: yes
• InboundRG: Enter the name of the Inbound firewall Resource Group
STEP 8 | To onboard an app, complete the following on the Hub Firewall Resource Group.
1. Access the Application Gateway.
2. Add the Load balancer IP address for the sample application to the Application Gateway backend pool.
3. Add a route to the defaultBackendUDR to direct traffic through the firewall to the application you want to secure. The route must specify the address prefix of the internal load balancer IP address for the application gateway that was created when you launched the App template, and its next hop IP address must match the IP address of the load balancer that fronts the VM-Series firewall VMSS in the Inbound firewall resource group. This route allows the Application Gateway to send traffic to the Inbound firewall VMSS before routing it to the load balancer in the application resource group.
If you have your own app and want to secure traffic to it using the VM-Series firewalls that you deployed using the Hub or the firewall template, you must do the following:
• Set up VNet peering between the application VNet and the VNet in which your firewall VMSS are deployed. If you are securing inbound and outbound application traffic, on the Azure portal select the virtual network for the application and verify that the VNet peering status is Connected for both the Hub and the Inbound firewall VNets.
• Add the IP address of the internal Load Balancer that fronts the application to the Application Gateway configuration in the Inbound firewall Resource Group.
• Add a route to the defaultBackend UDR table to direct traffic through the firewall. The route must specify the IP address of the load balancer that fronts the application as the destination, and the IP address of the load balancer that fronts the firewall VMSS as the next hop. This route allows the Application Gateway to send traffic to the firewall VMSS before routing it to the load balancer in the application resource group.
• Add the following tags to the internal load balancer that fronts your application workloads.
• HubRG: Enter the name of the Hub firewall Resource Group
• PanoramaManaged: yes
• InboundRG: Enter the name of the Inbound firewall Resource Group
STEP 9 | On Panorama, create Security policy rules. For securing inbound application traffic, you can specify the source and destination zones as any, add the destination IP addresses as a dynamic address group object, and reference that object in the Security policy rule.
Parameters in the Auto Scaling Templates for Azure
This section describes the values you need to provide as input when you deploy the template resources that enable you to auto scale the VM-Series firewalls on Azure with your application workloads.
• Infrastructure Template Parameters
• Inbound Firewall Template Parameters
• Hub Template Parameters
• Application Template Parameters
Infrastructure Template Parameters
Inputs for the infrastructure template are as follows:
• Panorama Plugin Message Handler Name—The name of the Azure Function that will pass messages to the Panorama plugin for Azure. The Azure Function URL will begin with this name.
• Storage Account Type—Select the type you want to use.
• Repo URL—The URL for the parent GitHub repository that hosts the templates. Palo Alto Networks posts these templates at https://github.com/PaloAltoNetworks/azure-autoscaling/tree/master/Version-1-0
• Branch—Leave as is.
• Service Bus Name—The name of the Service Bus to which Panorama subscribes for notifications from Azure. The value must be between 6 and 50 characters long, must be globally unique, must start and end with a letter or number, and can contain only letters, numbers, and hyphens.
Inbound Firewall Template Parameters
The inputs for the Inbound Firewall template vary depending on whether you are starting from scratch and using the template for a greenfield deployment, or you have an existing VNet with an Azure Application Gateway and want to deploy the VM-Series firewalls along with the associated subnets and internal load balancer for the VMSS (a brownfield deployment).
• Inputs for a greenfield deployment
• Inputs for a brownfield deployment
Inputs for the Inbound Firewall template for a greenfield deployment are as follows:
• Resource Group Name and Location—Create a new Resource group and pick a location.
• App GatewayDns Name—A name for the Azure Application Gateway.
• Network Security Group Inbound Src IP—Restricts inbound access to the firewall management interface. Use CIDR format, for example 199.16.5.122/32.
• Fw Load Balancer IP—Enter an IP address from the Untrust subnet CIDR to assign to the Azure load balancer that fronts the firewall VMSS. The Azure Application Gateway uses this IP address to send traffic onward to the firewall. For example: 192.168.1.4
• Deploy Into Existing Vnet—No. A new VNet with all the components listed in the Inbound firewall template is deployed for you. See Auto Scaling on Azure - Components and Planning Checklist.
• virtualNetworkName—The name of the VNet in which you want to deploy the resources in this template.
• virtualNetworkAddressPrefix—For example: 192.168.0.0/21
• mgmtSubnetPrefix—For example: 192.168.0.0/24
• untrustSubnetPrefix—For example: 192.168.1.0/24
• trustSubnetPrefix—For example: 192.168.2.0/24
• appGatewaySubnetPrefix—For example: 192.168.3.0/24
• vmSeriesFirewallModel—BYOL or PAYG bundles
• vmSeriesImageVersion—8.1 or 9.0. See the Panorama plugin version information in the Compatibility Matrix. If you choose PAN-OS 9.0, you must install the VM-Series plugin on Panorama. See Auto Scaling on Azure - Components and Planning Checklist for details.
• vmSeriesFirewallVmSize—Standard_D3_v2 (default). See VM instance types for the minimum system requirements of the VM-Series firewall on Azure, and refer to Azure Virtual Machines for a list of instance types available for your region.
• Username—Enter a username for logging in to the firewall web interface.
• Authentication Type—password or SSH key
• Bootstrap Storage Account—Enter the name of the storage account.
• Bootstrap Storage Account Access Key—Specify the storage account key.
• bootstrapFileShare—The name of the file share that holds the bootstrap folder structure.
• bootstrapSharedDir—This directory name is optional.
• VM Scale Set Min Count—Enter a value between 1 and 3. Default is 1.
• VM Scale Set Max Count—Enter a value between 1 and 3. Default is 1.
• Auto Scale Metric—Active Sessions (default). To view all the supported metrics, see Custom PAN-OS Metrics Published for Monitoring.
• scaleInThreshold—Enter the threshold for a scale-in event. This input can be a number or a percentage, depending on the scaling metric you selected above.
• scaleOutThreshold—Enter the threshold for a scale-out event. This input can be a number or a percentage, depending on the scaling metric you selected above.
• Panorama Plugin Message Handler URL—The URL of the Azure Function whose name you entered in the infrastructure template. This URL allows the Service Bus queue and the Panorama plugin for Azure to send messages about your Azure resources. For example: https://test-asc-function-handler.azurewebsites.net/api/infra?code=IKDDx5U2HddsabcdE==
Inputs for the Inbound Firewall template for a brownfield deployment are as follows:
• Resource Group Name and Location—Create a new Resource group and pick a location.
• App GatewayDns Name—Leave the default value. In a brownfield deployment, this template assumes that you have already deployed the Application Gateway, so this value is not relevant.
• Network Security Group Inbound Src IP—Restricts inbound access to the firewall management interface. Use CIDR format, for example 199.16.5.122/32.
• Fw Load Balancer IP—Enter an IP address from the Untrust subnet CIDR to assign to the Azure load balancer that fronts the firewall VMSS. The Azure Application Gateway uses this IP address to send traffic onward to the firewall. For example: 192.168.1.4
• Deploy Into Existing Vnet—Yes
• virtualNetworkName—The name of the existing VNet in which you want to deploy the firewall VMSS resources.
• virtualNetworkAddressPrefix—For example: 192.168.0.0/21
• mgmtSubnetPrefix—For example: 192.168.0.0/24
• untrustSubnetPrefix—For example: 192.168.1.0/24
• trustSubnetPrefix—For example: 192.168.2.0/24
• appGatewaySubnetPrefix—Enter the subnet in which your Application Gateway is deployed. For example: 192.168.3.0/24
• vmSeriesFirewallModel—BYOL or PAYG bundles
• vmSeriesImageVersion—8.1 or 9.0. If you choose PAN-OS 9.0, you must install the VM-Series plugin on Panorama. See Auto Scaling on Azure - Components and Planning Checklist for details.
• vmSeriesFirewallVmSize—Standard_D3_v2 (default). See VM instance types for the minimum system requirements of the VM-Series firewall on Azure, and refer to Azure Virtual Machines for a list of instance types available for your region.
• Username—Enter a username for logging in to the firewall web interface.
• Authentication Type—password or SSH key
• Bootstrap Storage Account—Enter the name of the storage account.
• Bootstrap Storage Account Access Key—Specify the storage account key.
• bootstrapFileShare—The name of the file share that holds the bootstrap folder structure.
• bootstrapSharedDir—This directory name is optional.
• VM Scale Set Min Count—Enter a value between 1 and 3. Default is 1.
• VM Scale Set Max Count—Enter a value between 1 and 3. Default is 1.
• Auto Scale Metric—Active Sessions (default). To view all the supported metrics, see Custom PAN-OS Metrics Published for Monitoring.
• scaleInThreshold—Enter the threshold for a scale-in event. This input can be a number or a percentage, depending on the scaling metric you selected above.
• scaleOutThreshold—Enter the threshold for a scale-out event. This input can be a number or a percentage, depending on the scaling metric you selected above.
• Panorama Plugin Message Handler URL—The URL of the Azure Function whose name you entered in the infrastructure template. This URL allows the Service Bus queue and the Panorama plugin for Azure to send messages about your Azure resources. For example: https://test-asc-function-handler.azurewebsites.net/api/infra?code=IKDDx5U2HddsabcdE==
Hub Template Parameters
Inputs for the Hub firewall template, which enables you to secure outbound traffic and east-west traffic between the application tiers, are as follows:
• virtualNetworkName—The name of the VNet in which you want to deploy the resources in this template.
• virtualNetworkAddressPrefix—
• mgmtSubnetPrefix—
• untrustSubnetPrefix—
• trustSubnetPrefix—
• Load Balancer IP—Enter an IP address from the Trust subnet CIDR. The Load balancer uses this IP address to send traffic to the trust interface on the firewall.
• Network Security Group Inbound Src IP—Restricts inbound access to the firewall management interface. Use CIDR format, for example 199.16.5.122/32.
• Bootstrap Storage Account—Enter the name of the storage account.
• Bootstrap Storage Account Access Key—Specify the storage account key.
• bootstrapFileShare—The name of the file share that holds the bootstrap folder structure.
• bootstrapSharedDir—This directory name is optional.
• VM Scale Set Min Count—Enter a value between 1 and 3. Default is 1.
• VM Scale Set Max Count—Enter a value between 1 and 3. Default is 1.
• Auto Scale Metric—Active Sessions (default). To view all the supported metrics, see Custom PAN-OS Metrics Published for Monitoring.
• scaleInThreshold—Enter the threshold for a scale-in event. This input can be a number or a percentage, depending on the scaling metric you selected above.
• scaleOutThreshold—Enter the threshold for a scale-out event. This input can be a number or a percentage, depending on the scaling metric you selected above.
• Panorama Plugin Message Handler URL—The URL of the Azure Function whose name you entered in the infrastructure template. This URL allows the Service Bus queue and the Panorama plugin for Azure to send messages about your Azure resources. For example: https://test-asc-function-handler.azurewebsites.net/api/infra?code=IKDDx5U2HddsabcdE==
Application Template Parameters
The inputs for the App template are:
• Connect to Hub—yes or no.
• Hub Resource Group Name—Required only if Connect to Hub is yes. The name of the Resource Group that hosts the resources you deployed with the Hub Firewall template.
• Hub VNET Name—Required only if Connect to Hub is yes. The name of the VNet that hosts the resources you deployed with the Hub Firewall template.
• Hub Load Balancer IP—Required only if Connect to Hub is yes. The IP address that you assigned to the load balancer when you launched the Hub Firewall template.
• Application Load Balancer IP—Enter an IP address that belongs to the trust subnet. The application gateway in the Inbound Firewall Resource Group uses this IP address to send traffic to the firewall and then on to the application workloads.
• Inbound Firewall Resource Group Name—
• Inbound Firewall VNet Name—
• virtualNetworkAddressPrefix—The CIDR of the VNet in which you want to deploy the resources in this template.
• virtualNetworkName—The name of the VNet in which you want to deploy the resources in this template.
• mgmtSubnetPrefix—
• trustedSubnetPrefix—
• backendSubnetPrefix—The subnet in which your application workloads are deployed.
• username—To log in to the sample application server.
• password—The password for the administrative user you entered above.
Secure Kubernetes Services on Azure
The Azure plugin for Panorama supports tag-based VM monitoring and auto scaling, secures inbound traffic for Azure Kubernetes Service (AKS) clusters, and monitors outbound traffic from AKS clusters. When you deploy the Azure auto scaling templates, you can leverage Azure auto scale metrics and scale-in and scale-out thresholds to automatically scale your VM-Series firewalls to accommodate surges in demand for application workload resources.
The Palo Alto Networks Azure Auto Scaling templates work with Azure services and components to gather information about your network and resources, and create an auto-scaling tier of VM-Series firewalls. The auto-scaling tier provides a network infrastructure you can use to secure your Kubernetes services.
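The template parameters listed above (Inbound Firewall and Application templates) have to agree with one another: each subnet must sit inside the VNet prefix, the subnets must not overlap, the Fw Load Balancer IP must come from the untrust subnet, and the defaultBackendUDR route must point the application's load balancer address at the firewall load balancer. The following Python check is an added example, not part of the guide or of the Palo Alto Networks templates; the field and function names are this example's own, the sample values are constructed from the guide's examples, and the /32 host prefix and the Azure VirtualAppliance next-hop type for the UDR route are assumptions.

```python
"""Consistency checks for the Azure auto scaling template inputs
(added example, not part of the Palo Alto Networks guide or templates).

Field names below mirror the guide's parameter labels but are this
example's own; sample values are constructed from the guide's examples."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class InboundParams:
    vnet_prefix: str       # virtualNetworkAddressPrefix
    mgmt_subnet: str       # mgmtSubnetPrefix
    untrust_subnet: str    # untrustSubnetPrefix
    trust_subnet: str      # trustSubnetPrefix
    appgw_subnet: str      # appGatewaySubnetPrefix
    fw_lb_ip: str          # Fw Load Balancer IP, must sit in the untrust subnet
    nsg_inbound_src: str   # Network Security Group Inbound Src IP, CIDR
    vmss_min: int          # VM Scale Set Min Count
    vmss_max: int          # VM Scale Set Max Count


def validate_inbound(p: InboundParams) -> List[str]:
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems: List[str] = []
    vnet = ipaddress.ip_network(p.vnet_prefix)
    subnets = {
        "mgmtSubnetPrefix": ipaddress.ip_network(p.mgmt_subnet),
        "untrustSubnetPrefix": ipaddress.ip_network(p.untrust_subnet),
        "trustSubnetPrefix": ipaddress.ip_network(p.trust_subnet),
        "appGatewaySubnetPrefix": ipaddress.ip_network(p.appgw_subnet),
    }
    # Every subnet must lie inside the VNet prefix ...
    for name, net in subnets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside virtualNetworkAddressPrefix {vnet}")
    # ... and the subnets must not overlap one another.
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} overlaps {b}")
    # The firewall load balancer IP must come from the untrust subnet; otherwise
    # the Application Gateway has no path to hand traffic to the firewall VMSS.
    if ipaddress.ip_address(p.fw_lb_ip) not in subnets["untrustSubnetPrefix"]:
        problems.append(f"Fw Load Balancer IP {p.fw_lb_ip} is not in untrustSubnetPrefix")
    # Management access should be pinned to a single source host, so expect a /32.
    src = ipaddress.ip_network(p.nsg_inbound_src, strict=False)
    if src.prefixlen < 32:
        problems.append(f"NSG inbound source {src} is wider than a single host (/32)")
    # The template accepts 1 to 3 instances, and min must not exceed max.
    if not (1 <= p.vmss_min <= p.vmss_max <= 3):
        problems.append(
            f"VM Scale Set counts min={p.vmss_min} max={p.vmss_max} are out of range 1-3")
    return problems


def default_backend_route(app_lb_ip: str, fw_lb_ip: str) -> Dict[str, str]:
    """Describe the route to add to defaultBackendUDR: the application's internal
    load balancer as a host prefix, with the firewall load balancer as next hop.
    The /32 prefix and the VirtualAppliance next-hop type are assumptions."""
    return {
        "addressPrefix": f"{ipaddress.ip_address(app_lb_ip)}/32",
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": str(ipaddress.ip_address(fw_lb_ip)),
    }


# Constructed sample built from the example values in the guide.
SAMPLE = InboundParams(
    vnet_prefix="192.168.0.0/21", mgmt_subnet="192.168.0.0/24",
    untrust_subnet="192.168.1.0/24", trust_subnet="192.168.2.0/24",
    appgw_subnet="192.168.3.0/24", fw_lb_ip="192.168.1.4",
    nsg_inbound_src="199.16.5.122/32", vmss_min=1, vmss_max=3,
)

if __name__ == "__main__":
    for issue in validate_inbound(SAMPLE):
        print("PROBLEM:", issue)
    # 10.5.0.4 is a constructed application load balancer address.
    print(default_backend_route("10.5.0.4", SAMPLE.fw_lb_ip))
```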
Palo Alto Networks provides an AKS template that deploys an AKS cluster in a new Azure VNet. The Azure plugin on Panorama helps you set up a connection that can monitor Azure Kubernetes cluster workloads, gathering services you have annotated as "internal load balancer" and creating tags you can use in Panorama dynamic address groups. You can leverage Dynamic Address Groups to apply Security policy to inbound traffic routed to services running on your AKS cluster.
• How Does the Panorama Plugin for Azure Secure Kubernetes Services?
• Secure an AKS Cluster
How Does the Panorama Plugin for Azure Secure Kubernetes Services?
You can use VM-Series firewalls to secure services with internet access independent of the Kubernetes cluster. VM-Series firewalls can secure inbound traffic for Azure Kubernetes Service (AKS) clusters exposed by a load balancer (such as an Azure Load Balancer). Outbound traffic can only be monitored.
The following topics review the components that enable the Azure plugin for Panorama to connect to and obtain information from an AKS cluster.
• AKS Components and Planning Checklist
• A Sample Hub-and-Spoke Topology to Secure AKS Clusters
• AKS User-Defined Routing
• AKS Cluster Communication
• View Dynamic Address Groups with Kubernetes Labels
• Add the Subnet Address Group to the Top-Level Policy
• Create Separate Address Groups for Traffic from Workloads and AKS
AKS Components and Planning Checklist
This solution requires the following components. See the Palo Alto Networks Compatibility Matrix to verify the minimum OS, plugin, and template versions required to configure auto scaling and secure AKS clusters.
Azure—Because the AKS template relies on an auto scaling deployment, you must fulfill the auto scaling requirements from Auto Scaling on Azure - Components and Planning Checklist and Plan Your Deployment.
In addition, your account must have the permissions required to create an AKS cluster and to enable AKS advanced networking (CNI) for the cluster.
Panorama—Your Panorama version must be the same as or greater than the PAN-OS version on your managed VM-Series firewalls. You must install compatible versions of the following plugins:
VM-Series plugin on Panorama—See Install the VM-Series Plugin on Panorama.
Azure plugin on Panorama—See Install the Azure Plugin.
Templates—See the Compatibility Matrix for the current template version.
Azure Auto Scaling template—Use the Azure Auto Scaling template to create an auto scale deployment in an Azure region that supports AKS.
Azure AKS template—Use the Azure AKS template to create an AKS cluster. An AKS deployment requires advanced networking to configure VNet peering for the hub and spoke VNets (see A Sample Hub-and-Spoke Topology to Secure AKS Clusters).
VM-Series firewalls—For managed firewalls, the PAN-OS version must not exceed your Panorama version, and your firewalls must be running the minimum VM-Series plugin version (or later) designated in the Panorama plugin compatibility matrix.
A Sample Hub-and-Spoke Topology to Secure AKS Clusters
The following diagram illustrates a sample auto scale deployment that secures inbound traffic for Azure AKS clusters. This deployment demonstrates a hub-and-spoke topology. Let's review some of the components.
• Auto Scaling Infrastructure—The Azure Auto Scaling templates create the messaging infrastructure and the basic hub and spoke architecture.
• AKS Clusters—The Palo Alto Networks AKS template creates an AKS cluster in a new VNet. Given the name of the spoke resource group, the template tags the VNet and the AKS cluster with the spoke resource group name, so that the resource group can be discovered by the Azure Auto Scaling plugin for Panorama.
The Azure plugin for Panorama queries service IP addresses on the Staging ILB to learn about AKS cluster services. Only one spoke firewall scale set can be associated with an AKS cluster; if you expose multiple services in a single AKS cluster, they must be protected by the same spoke.
For each resource group, create a subnet-based address group. In the above diagram, for example, create an address group for 10.240.0.0/24 (AKS Cluster 1).
• VNet Peering—You must manually configure VNet peering to communicate with other VNets in the same region. Cross-region peering is not supported.
You can use other automation tools to deploy AKS clusters. If you deploy in an existing VNet (the Hub Firewall VNet, for example), you must manually configure VNet peering to the Inbound and Outbound hub and spoke resource groups, and manually tag the VNet and the AKS cluster with the resource group name.
• User Defined Routes and Rules—You must manually configure user-defined routes and rules (see AKS User-Defined Routing and Azure Networking and VM-Series Firewall). In the diagram above, incoming traffic can be redirected, according to UDR rules, to the Firewall ILB for inspection. Azure user-defined routing (UDR) rules redirect outbound traffic exiting an AKS cluster to the Hub Firewall ILB.
The solution assumes allow all as the default policy so that Kubernetes orchestration functions as-is, but to apply policy you can use an allowlist or a denylist to allow or deny outbound traffic.
AKS User-Defined Routing
You must manually create user-defined routing and routing rules to govern inbound traffic to, and monitor outbound traffic from, an AKS cluster.
Inbound
In the above diagram, inbound traffic from the Application Gateway is driven to the back-end pool and, based on UDR rules, redirected to the Firewall ILB.
For example, create a UDR pointing to the VNet subnet so that traffic for Kubernetes services is directed to the Firewall ILB.
Outbound
On the Hub firewall set, for each AKS cluster being protected, you must create static routes for the cluster subnet CIDR, with the next hop being the gateway address of the Hub VNet trust subnet. All outbound traffic for an AKS cluster is directed to the Hub firewall set with a single UDR rule.
AKS Cluster Communication
The Panorama plugin for Azure can only communicate with the AKS master node for a given AKS cluster. For outbound AKS traffic, the next hop is the Hub Firewall ILB. Because outbound traffic is monitored, you must allow all traffic.
The following topics emphasize common practices that help you establish connectivity. Keep them in mind when you plan your networks and subnets.
• Create AKS Cluster Authentication
• Create An Address Group to Identify VNet Subnet Traffic
• Add the Subnet Address Group to the Top-Level Policy
• Create Separate Address Groups for Traffic from Workloads and AKS
Create AKS Cluster Authentication
When you connect the AKS cluster in the Azure plugin for Panorama, you must enter a secret authorization token. Create a .yaml file to create a ClusterRoleBinding, then save the service account credential to a JSON file.
STEP 1 | Create a ClusterRole.
STEP 2 | Create a ClusterRoleBinding.
1. Create a .yaml file for the ClusterRoleBinding. For example, create a text file named crb.yaml that binds the built-in read-only ClusterRole view to the default service account:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: default-view
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: view
    subjects:
    - kind: ServiceAccount
      name: default
      namespace: default
2. Use Azure Cloud Shell to apply the crb.yaml role binding.
    kubectl apply -f crb.yaml
3. View the service account you just created.
    kubectl get serviceaccounts
STEP 3 | Save the service account credential to a .json file.
1. On your local machine, change to the directory in which you want to save the credential.
2. Use kubectl commands to create the token.
    MY_SA_TOKEN=`kubectl get serviceaccounts default -o jsonpath='{.secrets[0].name}'`
3. View the token name.
    echo $MY_SA_TOKEN
4. Display the credential.
    kubectl get secret $MY_SA_TOKEN -o json
You need this token when you connect the AKS cluster in the Azure plugin for Panorama, in Step 3.d.
Create An Address Group to Identify VNet Subnet Traffic
To create some granularity for monitored outbound traffic, create an address group specifically for the AKS cluster VNet subnet (for example, 10.240.0.97/32 in the above diagram). You can then write rules that allow incoming or returning traffic rather than using allow all.
If you create an address group, be careful to maintain the communication between the AKS Master and any worker nodes. See Add the Subnet Address Group to the Top-Level Policy. If communication is interrupted, application traffic can be lost or your application deployment might have problems.
Add the Subnet Address Group to the Top-Level Policy
To maintain connectivity, the subnet address group must be part of the top-level policy in Panorama. You can configure the cluster address group, or bootstrap the cluster to configure the cluster address group. Add the address group to the top-level policy before you configure VNet peering or AKS User-Defined Routing.
Create Separate Address Groups for Traffic from Workloads and AKS
If an AKS cluster co-exists with VM workloads that run in separate VNets, and the VNet is peered with both the workload spoke (Inbound) and the Hub (Outbound), you must create address groups to distinguish the workload traffic from the AKS traffic.
Add the address groups to your top-level policy as described in Add the Subnet Address Group to the Top-Level Policy. This prevents application disruption when workload and AKS cluster VNets are peered.
View Dynamic Address Groups with Kubernetes Labels
When monitoring an AKS cluster resource, the Azure plugin automatically generates the following IP address tags for AKS services.
aks..
Tags are not generated for nodes, pods, or other resources. If the AKS service has any labels, the tag is as follows (one per label):
aks..svc.
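Returning to the Create AKS Cluster Authentication procedure above: the output of kubectl get secret $MY_SA_TOKEN -o json carries the bearer token base64-encoded under data.token, next to the cluster CA certificate and namespace. The following Python helper is an added example, not part of the guide or of the Azure plugin; it decodes those fields from a constructed sample secret (the token and certificate are placeholders) and refuses any secret that is not a service-account token for the account you bound to the view ClusterRole. The function names are this example's own.

```python
"""Extract the bearer token from `kubectl get secret <name> -o json` output
(added example, not part of the Palo Alto Networks guide or the Azure plugin).

The secret JSON below is constructed: the token and certificate are placeholders,
not real credentials, and the function names are this example's own."""
import base64
import json
import sys
from typing import Dict

# Constructed sample of what kubectl returns for a service-account token secret.
# Kubernetes stores every value under "data" base64-encoded.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {
        "name": "default-token-abcde",
        "namespace": "default",
        "annotations": {"kubernetes.io/service-account.name": "default"},
    },
    "data": {
        "namespace": base64.b64encode(b"default").decode(),
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
        "token": base64.b64encode(b"eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER-TOKEN").decode(),
    },
})


def extract_sa_token(secret_json: str, expected_sa: str = "default") -> Dict[str, str]:
    """Return the decoded token, CA certificate and namespace from a
    service-account token secret, refusing anything that is not one."""
    secret = json.loads(secret_json)
    if secret.get("kind") != "Secret":
        raise ValueError("not a Secret object")
    # Only service-account token secrets carry a usable bearer token.
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError(f"unexpected secret type {secret.get('type')!r}")
    # Confirm the secret belongs to the account bound to ClusterRole view,
    # so the plugin is not handed a token with broader rights by mistake.
    owner = secret.get("metadata", {}).get("annotations", {}).get(
        "kubernetes.io/service-account.name")
    if owner != expected_sa:
        raise ValueError(f"secret belongs to service account {owner!r}, expected {expected_sa!r}")
    data = secret.get("data", {})
    missing = [k for k in ("token", "ca.crt", "namespace") if k not in data]
    if missing:
        raise ValueError(f"secret is missing fields: {missing}")
    decoded = {k: base64.b64decode(data[k]).decode() for k in ("token", "ca.crt", "namespace")}
    if not decoded["token"].strip():
        raise ValueError("token field is empty")
    return decoded


if __name__ == "__main__":
    # Pass the path of a saved `kubectl get secret ... -o json` file, or run
    # without arguments to use the constructed sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECRET_JSON
    creds = extract_sa_token(raw)
    # Only a prefix is shown here; the full token is what the plugin needs.
    print("namespace:", creds["namespace"], "token:", creds["token"][:20] + "...")
```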