VM‐Series Deployments

VM‐Series Deployment Guide
Version 7.1
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact‐us
About this Guide
This guide describes how to set up and license the VM‐Series firewall; it is intended for administrators who want to deploy the VM‐Series firewall.
For more information, refer to the following sources:
• For information on the additional capabilities of and instructions for configuring the features on your firewall, refer to https://www.paloaltonetworks.com/documentation.
• For access to the knowledge base, complete documentation set, discussion forums, and videos, refer to https://live.paloaltonetworks.com.
• For contacting support, for information on support programs, to manage your account or devices, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
• For the most current PAN‐OS 7.1 release notes, go to https://www.paloaltonetworks.com/documentation/71/pan‐os/pan‐os‐release‐notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: June 12, 2017
2 • VM‐Series 7.1 Deployment Guide
© Palo Alto Networks, Inc.
Table of Contents
About the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
VM‐Series Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
VM‐Series Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
VM‐Series in High Availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Upgrade the VM‐Series Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Upgrade the PAN‐OS Software Version (Standalone Version) . . . . . . . . . . . . . . . . . . . . . . . 14
Upgrade the PAN‐OS Software Version (NSX Edition) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Upgrade the VM‐Series Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Enable Jumbo Frames on the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Enable Use of Hypervisor Assigned MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
License the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
License Types—VM‐Series Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
VM‐Series NSX Edition Firewall Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
VM‐Series Firewall in Amazon Web Services (AWS) and Azure Licenses . . . . . . . . . . . . . . 20
Create a Support Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Register the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Register the VM‐Series Firewall (with auth code) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code) . . . . . 24
Switch Between the BYOL and the PAYG Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Activate the License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Activate the License for the VM‐Series Firewall (Standalone Version). . . . . . . . . . . . . . . . . 28
Activate the License for the VM‐Series NSX Edition Firewall . . . . . . . . . . . . . . . . . . . . . . . . 30
Deactivate the License(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Install a License Deactivation API Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Deactivate a Feature License or Subscription Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . 33
Deactivate VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Licensing API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Manage the Licensing API Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Use the Licensing API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Licensing API Error Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Licenses for Cloud Security Service Providers (CSSPs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Get the Auth Codes for CSSP License Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Register the VM‐Series Firewall with a CSSP Auth Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Add End‐Customer Information for a Registered VM‐Series Firewall . . . . . . . . . . . . . . . . . 45
Set Up a VM‐Series Firewall on an ESXi Server . . . . . . . . . . . . . . . . . . . . . . . . . .49
Supported Deployments on VMware vSphere Hypervisor (ESXi) . . . . . . . . . . . . . . . . . . . . . . . . . 50
VM‐Series on ESXi System Requirements and Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Install a VM‐Series firewall on VMware vSphere Hypervisor (ESXi) . . . . . . . . . . . . . . . . . . . . . . . 53
Plan the Interfaces for the VM‐Series for ESXi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Provision the VM‐Series Firewall on an ESXi Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Perform Initial Configuration on the VM‐Series on ESXi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Add Additional Disk Space to the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Use VMware Tools on the VM‐Series Firewall on ESXi and vCloud Air . . . . . . . . . . . . . . . . 59
Troubleshoot ESXi Deployments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Basic Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Installation Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Licensing Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Connectivity Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Set Up the VM‐Series Firewall in vCloud Air. . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
About the VM‐Series Firewall in vCloud Air . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Deployments Supported in vCloud Air. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Deploy the VM‐Series Firewall in vCloud Air . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Set Up a VM‐Series Firewall on the Citrix SDX Server . . . . . . . . . . . . . . . . . . . .77
About the VM‐Series Firewall on the SDX Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
System Requirements and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Supported Deployments—VM Series Firewall on Citrix SDX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Scenario 1—Secure North‐South Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Scenario 2—Secure East‐West Traffic (VM‐Series Firewall on Citrix SDX) . . . . . . . . . . . . . 84
Install the VM‐Series Firewall on the SDX Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Upload the Image to the SDX Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Provision the VM‐Series Firewall on the SDX Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Secure North‐South Traffic with the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Deploy the VM‐Series Firewall Using L3 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Deploy the VM‐Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces . . . . . . . . . . . 91
Deploy the VM‐Series Firewall Before the NetScaler VPX . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Secure East‐West Traffic with the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Set Up a VM‐Series NSX Edition Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
VM‐Series NSX Edition Firewall Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
What are the Components of the NSX Edition Solution? . . . . . . . . . . . . . . . . . . . . . . . . . . .100
How Do the Components in the NSX Edition Solution Work Together? . . . . . . . . . . . . . .103
What are the Benefits of the NSX Edition Solution? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
What is Multi‐Tenant Support on the VM‐Series NSX Edition Firewall? . . . . . . . . . . . . . .110
VM‐Series NSX Edition Firewall Deployment Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Register the VM‐Series Firewall as a Service on the NSX Manager . . . . . . . . . . . . . . . . . . . . . . 114
Enable Communication Between the NSX Manager and Panorama . . . . . . . . . . . . . . . . . . 114
Create Template(s), and Device Group(s) on Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Create the Service Definitions on Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Deploy the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Enable SpoofGuard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Define an IP Address Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Prepare the ESXi Host for the VM‐Series Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Deploy the Palo Alto Networks NGFW Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Create Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Define Policies on the NSX Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Apply Policies to the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Steer Traffic from Guests that are not Running VMware Tools . . . . . . . . . . . . . . . . . . . . . . . . . 139
Use Case: Shared Compute Infrastructure and Shared Security Policies . . . . . . . . . . . . . . . . . 140
Use Case: Shared Security Policies on Dedicated Compute Infrastructure. . . . . . . . . . . . . . . . 147
Dynamic Address Groups—Information Relay from NSX Manager to Panorama . . . . . . . . . . 155
Set Up the VM‐Series Firewall in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
About the VM‐Series Firewall in AWS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
VM‐Series Firewall in AWS GovCloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
AWS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Management Interface Mapping for Use with Amazon ELB . . . . . . . . . . . . . . . . . . . . . . . . 164
Deployments Supported in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Deploy the VM‐Series Firewall in AWS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Obtain the AMI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Review System Requirements and Limitations for VM‐Series in AWS. . . . . . . . . . . . . . . . 170
Planning Worksheet for the VM‐Series in the AWS VPC . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Launch the VM‐Series Firewall in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Use the VM‐Series Firewall CLI to Swap the Management Interface. . . . . . . . . . . . . . . . . 179
High Availability for VM‐Series Firewall in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Overview of HA in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
IAM Roles for HA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
HA Links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Heartbeat Polling and Hello Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Device Priority and Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
HA Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Configure Active/Passive HA in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Use Case: Secure the EC2 Instances in the AWS Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC . . . 202
Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS . . . 206
Solution Overview—Secure Highly Available Internet‐Facing Applications. . . . . . . . . . . . 206
Deploy the Solution Components for Highly Available Internet‐Facing Applications in AWS . . . 208
Set Up the VPC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Deploy the VM‐Series Firewalls in the VPC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Launch the VM‐Series Firewalls and the NetScaler VPX . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Configure the VM‐Series Firewall for Securing Outbound Access from the VPC. . . . . . .215
Configure the Firewalls that Secure the Web Farm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
Configure the Firewall that Secures the RDS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Deploy the Web Farm in the VPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220
Set Up the Amazon Relational Database Service (RDS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Configure the Citrix NetScaler VPX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Set up Amazon Route 53. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Verify Traffic Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Port Translation for Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Use Case: VM‐Series Firewalls as GlobalProtect Gateways in AWS. . . . . . . . . . . . . . . . . . . . . .230
Components of the GlobalProtect Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Deploy GlobalProtect Gateways in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Auto Scale VM‐Series Firewalls with the Amazon ELB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
What Components Does the VM‐Series Auto Scaling Template for AWS Deploy? . . . . .234
How Does the VM‐Series Auto Scaling Template for AWS Enable Dynamic Scaling?. . .236
Plan the VM‐Series Auto Scaling Template for AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Launch the VM‐Series Auto Scaling Template for AWS . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Customize the Bootstrap.xml File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Use the GitHub Bootstrap Files as Seed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Create a new Bootstrap File from Scratch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
NAT Policy Rule and Address Objects in the Auto Scaling Template . . . . . . . . . . . . . . . . .261
Stack Update with VM‐Series Auto Scaling Template for AWS (v1.2) . . . . . . . . . . . . . . . .262
Troubleshoot the VM‐Series Auto Scaling CFT for AWS . . . . . . . . . . . . . . . . . . . . . . . . . . .266
List of Attributes Monitored on the AWS VPC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
IAM Permissions Required for Monitoring the AWS VPC. . . . . . . . . . . . . . . . . . . . . . . . . . .273
Set Up the VM‐Series Firewall on KVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
VM‐Series on KVM—Requirements and Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Options for Attaching the VM‐Series on the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Prerequisites for VM‐Series on KVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Supported Deployments on KVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Secure Traffic on a Single Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Secure Traffic Across Linux hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Install the VM‐Series Firewall on KVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Enable the Use of a SCSI Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Verify PCI‐ID for Ordering of Network Interfaces on the VM‐Series Firewall . . . . . . . . .288
Use an ISO File to Deploy the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .289
Set Up the VM‐Series Firewall on Hyper‐V . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Supported Deployments on Hyper‐V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Secure Traffic on a Single Hyper‐V Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Secure Traffic Across Multiple Hyper‐V Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
System Requirements on Hyper‐V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Linux Integration Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Install the VM‐Series Firewall on Hyper‐V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Provision the VM‐Series Firewall on a Hyper‐V host with Hyper‐V Manager . . . . . . . . . 298
Provision the VM‐Series Firewall on a Hyper‐V host with PowerShell . . . . . . . . . . . . . . . 299
Perform Initial Configuration on the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Set up the VM‐Series Firewall in Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
About the VM‐Series Firewall in Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Azure Networking and VM‐Series. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
VM‐Series Firewall Templates in Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Minimum System Requirements for the VM‐Series in Azure . . . . . . . . . . . . . . . . . . . . . . . . 305
Deployments Supported in Azure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Deploy the VM‐Series Firewall in Azure (Solution Template) . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Use the ARM Template to Deploy the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Deploy the VM‐Series and Azure Application Gateway Template . . . . . . . . . . . . . . . . . . . . . . . 317
VM‐Series and Azure Application Gateway Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Start Using the VM‐Series & Azure Application Gateway Template. . . . . . . . . . . . . . . . . . 319
Deploy the Template to Azure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
VM‐Series and Azure Application Gateway Template Parameters . . . . . . . . . . . . . . . . . . . 322
Sample Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Adapt the Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Set Up the VM‐Series Firewall on OpenStack . . . . . . . . . . . . . . . . . . . . . . . . . .327
VM‐Series Firewall for OpenStack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Components of the VM‐Series for OpenStack Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Orchestration with the Heat Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
VM‐Series Firewall on OpenStack Deployment Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Install the VM‐Series Firewall in OpenStack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Bootstrap the VM‐Series Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
VM‐Series Firewall Bootstrap Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Bootstrap Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Bootstrap Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Generate the VM Auth Key on Panorama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Create the init‐cfg.txt File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Create the bootstrap.xml File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Prepare the Licenses for Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Prepare the Bootstrap Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Bootstrap the VM‐Series Firewall on ESXi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Bootstrap the VM‐Series Firewall on Hyper‐V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Bootstrap the VM‐Series Firewall on KVM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Bootstrap the VM‐Series Firewall on KVM in OpenStack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Bootstrap the VM‐Series Firewall in AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Bootstrap the VM‐Series Firewall in Azure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Verify Bootstrap Completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .359
Bootstrap Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
About the VM‐Series Firewall
The Palo Alto Networks VM‐Series firewall is the virtualized form of the Palo Alto Networks next‐generation firewall. It is positioned for use in a virtualized or cloud environment where it can protect and secure east‐west and north‐south traffic. 
• VM‐Series Models
• VM‐Series Deployments
• VM‐Series in High Availability
• Upgrade the VM‐Series Firewall
• Enable Jumbo Frames on the VM‐Series Firewall
• Enable Use of Hypervisor Assigned MAC Addresses
VM‐Series Models
The VM‐Series firewall is available in four models—VM‐100, VM‐200, VM‐300, and VM‐1000‐HV. All four models can be deployed as guest virtual machines on VMware ESXi and vCloud Air, Citrix NetScaler SDX, Amazon Web Services, KVM and KVM in OpenStack, and Microsoft Hyper‐V and Azure; on VMware NSX, only the VM‐1000‐HV is supported. The software package (.xva, .ova, or .vhdx file) that is used to deploy the VM‐Series firewall is common across all models.
When you apply the capacity license on the VM‐Series firewall, the model number and the associated capacities are implemented on the firewall. Capacity is defined in terms of the number of sessions, rules, security zones, address objects, IPSec VPN tunnels, and SSL VPN tunnels that the VM‐Series firewall is optimized to handle. To make sure that you purchase the correct model for your network requirements, use the following table to understand the maximum capacity for each model and the capacity differences by model:
Model        Sessions   Security Rules   Dynamic IP Addresses   Security Zones   IPSec VPN Tunnels   SSL VPN Tunnels
VM‐100       50000      250              1000                   10               25                  25
VM‐200       100000     2000             1000                   20               500                 200
VM‐300       250000     5000             1000                   40               2000                500
VM‐1000‐HV   250000     10000            100000                 40               2000                500
For information on the platforms on which you can deploy the VM‐Series firewall, see VM‐Series Deployments. For general information, see About the VM‐Series Firewall.
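The capacity table is meant for sizing, and the dimension that forces a step up is rarely the obvious one (session count is often fine while the zone or rule count is not). The following sizing helper is an added example, not code from the guide or from Palo Alto Networks; it transcribes the table above into a dictionary, then returns the smallest model that satisfies every requested dimension together with the dimensions on which each smaller model was rejected. The `headroom` factor (plan to use only a fraction of each published maximum) is this example's own planning convention, not something the guide prescribes.

```python
from typing import Dict, List, Optional, Tuple

# Maximum capacities per model, transcribed from the guide's table (PAN-OS 7.1).
# Dimension names are this example's own.
CAPACITY: Dict[str, Dict[str, int]] = {
    "VM-100":     {"sessions": 50_000,  "security_rules": 250,    "dynamic_ip_addresses": 1_000,
                   "security_zones": 10, "ipsec_vpn_tunnels": 25,    "ssl_vpn_tunnels": 25},
    "VM-200":     {"sessions": 100_000, "security_rules": 2_000,  "dynamic_ip_addresses": 1_000,
                   "security_zones": 20, "ipsec_vpn_tunnels": 500,   "ssl_vpn_tunnels": 200},
    "VM-300":     {"sessions": 250_000, "security_rules": 5_000,  "dynamic_ip_addresses": 1_000,
                   "security_zones": 40, "ipsec_vpn_tunnels": 2_000, "ssl_vpn_tunnels": 500},
    "VM-1000-HV": {"sessions": 250_000, "security_rules": 10_000, "dynamic_ip_addresses": 100_000,
                   "security_zones": 40, "ipsec_vpn_tunnels": 2_000, "ssl_vpn_tunnels": 500},
}
# Smallest to largest; the first model that fits every dimension is the answer.
MODEL_ORDER = ["VM-100", "VM-200", "VM-300", "VM-1000-HV"]


def shortfalls(model: str, need: Dict[str, int], headroom: float = 1.0) -> List[str]:
    """Return the dimensions of `need` that `model` cannot carry.

    `headroom` scales the published maximum (0.8 means plan to use at most 80%
    of each limit); it is a planning convention of this example, not of the guide.
    Unknown dimension names are rejected rather than silently ignored.
    """
    limits = CAPACITY[model]
    unknown = set(need) - set(limits)
    if unknown:
        raise ValueError(f"unknown capacity dimension(s): {sorted(unknown)}")
    return [dim for dim, wanted in need.items() if wanted > limits[dim] * headroom]


def choose_model(need: Dict[str, int], headroom: float = 1.0) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Pick the smallest model meeting every requirement.

    Returns (model or None, {rejected_model: [dimensions it fails on]}) so the
    caller can see which dimension forced the step up. None means no model fits.
    """
    rejected: Dict[str, List[str]] = {}
    for model in MODEL_ORDER:
        missing = shortfalls(model, need, headroom)
        if not missing:
            return model, rejected
        rejected[model] = missing
    return None, rejected


if __name__ == "__main__":
    # Constructed requirement set: a mid-size site with a handful of VPN peers.
    need = {"sessions": 80_000, "security_rules": 1_500, "security_zones": 12, "ipsec_vpn_tunnels": 40}
    model, rejected = choose_model(need)
    print(f"smallest fitting model: {model}")
    for m, dims in rejected.items():
        print(f"  {m} rejected on: {', '.join(dims)}")
```

Run with a headroom below 1.0 to see how a modest safety margin changes the answer: the same requirement set that fits a VM‐200 at the published limits needs a VM‐300 when you plan for 50% utilisation.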
VM‐Series Deployments
The VM‐Series firewall can be deployed on the following platforms:
• VM‐Series for VMware vSphere Hypervisor (ESXi) and vCloud Air
VM‐100, VM‐200, VM‐300, or VM‐1000‐HV is deployed as a guest virtual machine on VMware ESXi; ideal for cloud or networks where a virtual form factor is required. For details, see Set Up a VM‐Series Firewall on an ESXi Server and Set Up the VM‐Series Firewall in vCloud Air.
• VM‐Series for VMware NSX
The VM‐1000‐HV is deployed as a network introspection service with VMware NSX and Panorama. This deployment is ideal for east‐west traffic inspection, and it can also secure north‐south traffic. For details, see Set Up a VM‐Series NSX Edition Firewall.
• VM‐Series for Citrix SDX
VM‐100, VM‐200, VM‐300, or VM‐1000‐HV is deployed as a guest virtual machine on Citrix NetScaler SDX; consolidates ADC and security services for multi‐tenant and Citrix XenApp/XenDesktop deployments. For details, see Set Up a VM‐Series Firewall on the Citrix SDX Server.
• VM‐Series for Amazon Web Services (AWS)
VM‐100, VM‐200, VM‐300, or VM‐1000‐HV can be deployed on EC2 instances in the AWS Cloud. For details, see Set Up the VM‐Series Firewall in AWS.
• VM‐Series for Kernel Virtualization Module (KVM)
VM‐100, VM‐200, VM‐300, or VM‐1000‐HV can be deployed on a Linux server that is running the KVM hypervisor. For details, see Set Up the VM‐Series Firewall on KVM.
• VM‐Series for Microsoft Hyper‐V
VM‐100, VM‐200, VM‐300, or VM‐1000‐HV can be deployed on a Windows Server 2012 R2 server with the Hyper‐V role add‐on enabled or on a standalone Hyper‐V 2012 R2 server. For details, see Set Up the VM‐Series Firewall on Hyper‐V.
• VM‐Series for Microsoft Azure
VM‐100, VM‐200, VM‐300, or VM‐1000‐HV can be deployed in the Azure VNet. For details, see Set up the VM‐Series Firewall in Azure.
• VM‐Series for OpenStack
VM‐100, VM‐200, VM‐300, or VM‐1000‐HV can be deployed on KVM in your OpenStack environment. For details, see Set Up the VM‐Series Firewall on OpenStack.
For hypervisor version support on the VM‐Series firewall, refer to the Compatibility Matrix.
VM‐Series in High Availability
High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up the firewalls in a two‐device cluster provides redundancy and allows you to ensure business continuity. In an HA configuration on the VM‐Series firewalls, both peers must be deployed on the same type of hypervisor, have identical hardware resources (such as CPU cores/network interfaces) assigned to them, and have the same set of licenses/subscriptions. For general information about HA on Palo Alto Networks firewalls, see High Availability.
The VM‐Series firewalls support stateful active/passive or active/active high availability with session and configuration synchronization. The only exceptions are the following:
• The VM‐Series firewall in the Amazon Web Services (AWS) cloud supports active/passive HA only. For details, see High Availability for VM‐Series Firewall in AWS.
• HA is not relevant for the VM‐Series NSX Edition firewall.
The active/active deployment is supported in virtual wire and Layer 3 deployments, and is only recommended for networks with asymmetric routing.
| Features/Links Supported | ESX | KVM | SDX | AWS | NSX | Hyper‐V | Azure |
|---|---|---|---|---|---|---|---|
| Active/Passive HA | Yes | Yes | Yes | Yes | No | Yes | No |
| Active/Active HA | Yes | Yes | Yes | No | No | Yes | No |
| HA1 | Yes | Yes | Yes | Yes | No | Yes | No |
| HA2 (session synchronization and keepalive) | Yes | Yes | Yes | Yes | No | Yes | No |
| HA3 | Yes | Yes | Yes | No | No | Yes | No |
For instructions on configuring the VM‐Series firewall as an HA pair, see Configure Active/Passive HA and Configure Active/Active HA.
Upgrade the VM‐Series Firewall
• Upgrade the PAN‐OS Software Version (Standalone Version)
• Upgrade the PAN‐OS Software Version (NSX Edition)
• Upgrade the VM‐Series Model
For instructions on installing your VM‐Series firewall, see VM‐Series Deployments.
Upgrade the PAN‐OS Software Version (Standalone Version)
Now that the VM‐Series firewall has network connectivity and the base PAN‐OS software is installed, consider upgrading to the latest version of PAN‐OS. Use the following instructions for firewalls that are not deployed in a high availability (HA) configuration. For firewalls deployed in HA, refer to the PAN‐OS 7.1 New Features Guide.
Upgrade PAN‐OS Version (Standalone Version)
Step 1
From the web interface, navigate to Device > Licenses and make sure you have the correct VM‐Series firewall license and that the license is activated.
On the VM‐Series firewall standalone version, navigate to Device > Support and make sure that you have activated the support license.
Step 2
(Required for a firewall that is in production) Save a backup of the current configuration file.
1. Select Device > Setup > Operations and click Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
Step 3
Check the Release Notes to verify the Content Release version required for the PAN‐OS version. The firewalls you plan to upgrade must be running the Content Release version required for the PAN‐OS version.
1. Select Device > Dynamic Updates.
2. Check the Applications and Threats or Applications section to determine what update is currently running.
3. If the firewall is not running the required update or later, click Check Now to retrieve a list of available updates.
4. Locate the desired update and click Download.
5. After the download completes, click Install.
Step 4
Upgrade the PAN‐OS version on the VM‐Series firewall.
1. Select Device > Software.
2. Click Refresh to view the latest software release and also review the Release Notes to view a description of the changes in a release and to view the migration path to install the software.
3. Click Download to retrieve the software then click Install.
Upgrade the PAN‐OS Software Version (NSX Edition)
For the VM‐Series Firewall NSX edition, use Panorama to upgrade the software version on the firewalls.
Upgrade VM‐Series NSX Edition Firewalls Using Panorama
Step 1
Save a backup of the current configuration file on each managed firewall that you plan to upgrade. Although the firewall will automatically create a backup of the configuration, it is a best practice to create a backup prior to upgrade and store it externally.
1. Select Device > Setup > Operations and click Export Panorama and devices config bundle. This option is used to manually generate and export the latest version of the configuration backup of Panorama and of each managed device.
2. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.
Step 2
Check the Release Notes to verify the Content Release version required for the PAN‐OS version. The firewalls you plan to upgrade must be running the Content Release version required for the PAN‐OS version.
1. Select Panorama > Device Deployment > Dynamic Updates.
2. Check for the latest updates. Click Check Now (located in the lower left‐hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available. If a version is available, the Download link displays.
3. Click Download to download a selected version. After successful download, the link in the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the update. When the installation completes, a check mark displays in the Currently Installed column.
Step 3
Deploy software updates to selected firewalls. If your firewalls are configured in HA, make sure to clear the Group HA Peers check box and upgrade one HA peer at a time.
1. Select Panorama > Device Deployment > Software.
2. Check for the latest updates. Click Check Now (located in the lower left‐hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available.
3. Review the File Name and click Download. Verify that the software versions that you download match the firewall models deployed on your network. After successful download, the link in the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the software version.
5. Select Reboot device after install, and click OK.
6. If you have devices configured in HA, clear the Group HA Peers check box and upgrade one HA peer at a time.
Step 4
Verify the software and Content Release version running on each managed device.
1. Select Panorama > Managed Devices.
2. Locate the device(s) and review the content and software versions on the table.
Upgrade the VM‐Series Model
The licensing process for the VM‐Series firewall uses the UUID and the CPU ID to generate a unique serial number for each VM‐Series firewall. Hence, when you generate a license, the license is mapped to a specific instance of the VM‐Series firewall and cannot be modified. In order to apply a new capacity license to a firewall that has been previously licensed, you need to clone the existing (fully configured) VM‐Series firewall. During the cloning process, the firewall is assigned a unique UUID, and you can therefore apply a new license to the cloned instance of the firewall.
Use the instructions in this section if you are:
• Migrating from an evaluation license to a production license.
• Upgrading the model to allow for increased capacity. For example, you want to upgrade from the VM‐200 to the VM‐1000‐HV license.
Migrate the License on the VM‐Series Firewall
Step 1
Power off the VM‐Series firewall.
Step 2
Clone the VM‐Series firewall. If you are manually cloning, when prompted indicate that you are copying and not moving the firewall.
Step 3
Power on the new instance of the VM‐Series firewall.
1. Launch the serial console of the firewall on the vSphere/SDX web interface and enter the following command:
show system info
2. Verify that:
• the serial number is unknown
• the firewall has no licenses
• the configuration is intact
Step 4
Register the new auth‐code on the Palo Alto Networks Customer Support web site.
See Register the VM‐Series Firewall.
Step 5
Apply the new license.
See Activate the License.
After you successfully license the new firewall, delete the previous instance of the firewall to prevent conflict in configuration or IP address assignments.
Enable Jumbo Frames on the VM‐Series Firewall
By default, the maximum transmission unit (MTU) size for packets sent on a Layer 3 interface is 1500 bytes. This size can be manually set to any size from 512 to 1500 bytes on a per‐interface basis. Some configurations require Ethernet frames with an MTU value greater than 1500 bytes. These are called jumbo frames.
To use jumbo frames on a firewall you must specifically enable jumbo frames at the global level. When this is enabled, the default MTU size for all Layer 3 interfaces is set to a value of 9192 bytes. This default value can then be set to any value in the range of 512 to 9216 bytes.
After setting a global jumbo frame size it becomes the default value for all Layer 3 interfaces that have not explicitly had an MTU value set at the interface configuration level. This can become a problem if you only want to exchange jumbo frames on some interfaces. In these situations, you must set the MTU value at every Layer 3 interface that you do not want to use the default value.
The following procedure describes how to enable jumbo frames on a firewall, set the default MTU value for all Layer 3 interfaces and to then set a different value for a specific interface.
Enable Jumbo Frames and Set MTU Values
Step 1
Enable jumbo frames and set a default global MTU value.
1. Select Device > Setup > Session and edit the Session Settings section.
2. Select Enable Jumbo Frame.
3. Enter a value for Global MTU. The default value is 9192. The range of acceptable values is: 512 ‐ 9216.
4. Click OK. A message is displayed that informs you that enabling or disabling Jumbo Frame mode requires a reboot and that Layer 3 interfaces inherit the Global MTU value.
5. Click Yes. A message is displayed to inform you that Jumbo Frame support has been enabled and reminds you that a device reboot is required for this change to be activated.
6. Click OK.
7. Click Commit.
Step 2
Set the MTU value for a Layer 3 interface and reboot the firewall. The value set for the interface overrides the global MTU value.
1. Select Network > Interfaces.
2. Select an interface of the Layer3 Interface type.
3. Select Advanced > Other Info.
4. Enter a value for MTU. The default value is 9192. The range of acceptable values is: 512 ‐ 9216.
5. Click OK.
6. Click Commit.
7. Select Device > Setup > Operations and select Reboot Device.
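The inheritance rule above is easy to get wrong in a large interface list, so here is an added example (not PAN‐OS code) that resolves the MTU each Layer 3 interface will actually use before and after jumbo frames are enabled, validates values against the 512‐1500 and 512‐9216 ranges, and lists the interfaces that need an explicit MTU if they must keep exchanging standard frames. The interface names are constructed sample data.

```python
"""Effective-MTU resolution for VM-Series Layer 3 interfaces under the
jumbo-frame rules described above. Added example; not PAN-OS code.
The interface names below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MTU_MIN = 512          # lower bound in both modes
STANDARD_MAX = 1500    # upper bound (and default) with jumbo frames disabled
JUMBO_MAX = 9216       # upper bound once jumbo frames are enabled
JUMBO_DEFAULT = 9192   # Global MTU default once jumbo frames are enabled


@dataclass
class L3Interface:
    name: str
    mtu: Optional[int] = None  # None: no explicit MTU, inherits the global default


def validate_mtu(value: int, jumbo_enabled: bool) -> int:
    """Reject values outside the range the firewall accepts in the given mode."""
    upper = JUMBO_MAX if jumbo_enabled else STANDARD_MAX
    if not MTU_MIN <= value <= upper:
        raise ValueError(f"MTU {value} outside {MTU_MIN}-{upper}")
    return value


def effective_mtus(jumbo_enabled: bool, interfaces: List[L3Interface],
                   global_mtu: Optional[int] = None) -> Dict[str, int]:
    """Return the MTU each Layer 3 interface will actually use.

    With jumbo frames disabled the default is 1500; once enabled the default
    becomes the Global MTU (9192 unless set). An interface with an explicit
    MTU keeps it; every other interface silently inherits the default.
    """
    if jumbo_enabled:
        default = JUMBO_DEFAULT if global_mtu is None else validate_mtu(global_mtu, True)
    else:
        default = STANDARD_MAX
    return {
        itf.name: default if itf.mtu is None else validate_mtu(itf.mtu, jumbo_enabled)
        for itf in interfaces
    }


def inherit_global_default(interfaces: List[L3Interface]) -> List[str]:
    """Interfaces whose MTU will jump from 1500 to the Global MTU when jumbo
    frames are enabled: the ones that need an explicit MTU if they should
    keep exchanging standard frames."""
    return [itf.name for itf in interfaces if itf.mtu is None]


if __name__ == "__main__":
    # Constructed sample: only ethernet1/3 has an explicit MTU pinned.
    sample = [L3Interface("ethernet1/1"),
              L3Interface("ethernet1/2"),
              L3Interface("ethernet1/3", mtu=1500)]
    print("before:", effective_mtus(False, sample))
    print("after: ", effective_mtus(True, sample))
    print("pin these:", inherit_global_default(sample))
```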
Enable Use of Hypervisor Assigned MAC Addresses
The VM‐Series firewall supports the ability to detect the MAC address assigned to the physical interface by the host/hypervisor and use that MAC address on the VM‐Series firewall deployed with Layer 3 interfaces. The firewall can then use the hypervisor assigned MAC address in its ARP responses. This capability allows non‐learning switches, such as the VMware vSwitch to forward traffic to the dataplane interface on the firewall without requiring that promiscuous mode be enabled on the vSwitch. If neither promiscuous mode nor the use of hypervisor assigned MAC address is enabled, the host will drop the frame when it detects a mismatch between the destination MAC address for an interface and the host‐assigned MAC address.
There is no option to enable or disable the use of hypervisor assigned MAC addresses on AWS and Azure. It is enabled by default for both platforms and cannot be disabled. If you are deploying the VM‐Series firewall in Layer 2, virtual wire, or tap interface modes, you must enable promiscuous mode on the virtual switch to which the firewall is connected. Enabling hypervisor assigned MAC address is only relevant for Layer 3 deployments where the firewall is typically the default gateway for the guest virtual machines.
If you enable the hypervisor assigned MAC address functionality on the VM‐Series firewall, make note of the following requirements:
• IPv6 Address on an Interface—In an active/passive HA configuration, Layer 3 interfaces using IPv6 addresses must not use the EUI‐64 generated address as the interface identifier (Interface ID). Because the EUI‐64 uses the 48‐bit MAC address of the interface to derive the IPv6 address for the interface, the IP address is not static. This results in a change in the IP address for the HA peer when the hardware hosting the VM‐Series firewall changes on failover, and leads to an HA failure.
• Lease on an IP Address—When the MAC address changes, DHCP client, DHCP relay and PPPoE interfaces might release the IP address because the original IP address lease could terminate.
• MAC address and Gratuitous ARP—VM‐Series firewalls with hypervisor assigned MAC addresses in a high‐availability configuration behave differently than the hardware appliances with respect to MAC addressing. Hardware firewalls use self‐generated floating MAC addresses between devices in an HA pair, and the unique MAC address used on each dataplane interface (say eth 1/1) is replaced with a virtual MAC address that is common to the dataplane interface on both HA peers. When you enable the use of the hypervisor assigned MAC address on the VM‐Series firewall in HA, the virtual MAC address is not used. The dataplane interface on each HA peer is unique and as specified by the hypervisor. Because each dataplane interface has a unique MAC address, when a failover occurs, the now active VM‐Series firewall must send a gratuitous ARP so that neighboring devices can learn the updated MAC/IP address pairing. Hence, to enable a stateful failover, the internetworking devices must not block or ignore gratuitous ARPs; make sure to disable the anti‐ARP poisoning feature on the internetworking devices, if required.
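To make the first requirement concrete, this added example (not PAN‐OS code) derives the modified EUI‐64 interface identifier from a MAC address the way IPv6 autoconfiguration does, shows that two hypervisor‐assigned MACs on the HA peers yield two different addresses on the same /64, and contrasts that with a manually assigned interface ID. The MAC addresses and prefix are constructed sample values.

```python
"""Why EUI-64 interface IDs break active/passive HA when the hypervisor
supplies the MAC: the IPv6 address is derived from the MAC, so a new MAC
after failover means a new address. Added example; not PAN-OS code.
MAC addresses and the prefix used in the tests are constructed samples."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291, Appendix A):
    flip the universal/local bit of the first octet and insert ff:fe
    between the OUI and the device-specific half."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Interface address the firewall would autoconfigure on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def static_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Manually assigned interface ID: independent of whichever MAC the
    hypervisor hands out, so the address survives a failover."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if not 0 < interface_id < (1 << 64):
        raise ValueError("interface ID must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def address_moves_on_failover(prefix: str, active_mac: str, passive_mac: str) -> bool:
    """True when the interface address changes because the peers' MACs differ,
    which is exactly the HA failure the requirement above warns about."""
    return eui64_address(prefix, active_mac) != eui64_address(prefix, passive_mac)


if __name__ == "__main__":
    # Constructed sample: two hypervisor-assigned MACs, one per HA peer.
    prefix, active, passive = "2001:db8:1::/64", "00:50:56:aa:bb:cc", "00:50:56:dd:ee:ff"
    print("active  EUI-64:", eui64_address(prefix, active))
    print("passive EUI-64:", eui64_address(prefix, passive))
    print("address moves on failover:", address_moves_on_failover(prefix, active, passive))
    print("static alternative:", static_address(prefix, 0x1))
```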
Enable Use of Hypervisor Assigned MAC Address
To allow the VM‐Series firewall to use the interface MAC addresses provided by the host/hypervisor:
Step 1
Select Device > Management > Setup.
Step 2
Select Use Hypervisor Assigned MAC Address.
When the MAC address change occurs, the firewall generates a system log to record this transition and the interface generates a gratuitous ARP.
Step 3
Commit the change on the firewall. You do not need to reboot the firewall.
License the VM‐Series Firewall
Before you can start using your VM‐Series firewall to secure east‐west and north‐south traffic on your network, you must activate the licenses for the services you purchased to secure your network. If you are an authorized CSSP partner, see Licenses for Cloud Security Service Providers (CSSPs) for information that pertains to you. For details on creating a support account and activating the licenses:
• License Types—VM‐Series Firewalls
• Create a Support Account
• Register the VM‐Series Firewall
• Switch Between the BYOL and the PAYG Licenses
• Activate the License
• Deactivate the License(s) (to release the licenses attributed to a firewall)
• Licensing API
• Licenses for Cloud Security Service Providers (CSSPs)
License Types—VM‐Series Firewalls
The following licenses and subscriptions are available for the VM‐Series firewall:
• Capacity License—The VM‐Series firewall requires a base license, also called a capacity license, to enable the model number (VM‐100, VM‐200, VM‐300, VM‐1000‐HV) and the associated capacities on the firewall. Capacity licenses can be perpetual or term‐based:
– Perpetual License—A license with no expiration date; it allows you to use the VM‐Series firewall at the licensed capacity, indefinitely. Perpetual licenses are available for the VM‐Series capacity license only.
– Term‐Based License—A term‐based license allows you to use the VM‐Series firewall for a specified period of time. It has an expiration date and you will be prompted to renew the license before it expires. Term‐based licenses are available for the capacity licenses, support entitlements, and subscriptions.
Further, capacity licenses are available as an Individual version or an Enterprise version. The Individual version is in multiples of 1. The orderable SKU, for example PA‐VM‐300, includes an auth code to license one instance of the VM‐Series firewall. The Enterprise version is available in multiples of 25. For example, the orderable SKU PAN‐VM‐100‐ENT has a single auth code that allows you to register 25 instances of the VM‐100.
• Support—In addition to the capacity license, you need a support entitlement that provides access to technical support and software updates.
• Subscriptions—Optionally, you may purchase one or more subscription licenses for Threat Prevention, URL Filtering, AutoFocus, GlobalProtect, and WildFire. These subscriptions allow you to enforce policies that safely enable applications and content on the network. For example, the Threat Prevention subscription allows you to obtain content updates that include the most up‐to‐date threat information for malware detection.
VM‐Series NSX Edition Firewall Licenses
In order to automate the provisioning and licensing of the VM‐Series NSX Edition firewall in the VMware integrated NSX solution, two license bundles are available:
• One bundle includes the VM‐Series capacity license (VM‐1000‐HV only), Threat Prevention license and a premium support entitlement.
• Another bundle includes the VM‐Series capacity license (VM‐1000‐HV only) with the complete suite of licenses that include Threat Prevention, GlobalProtect, WildFire, PAN‐DB URL Filtering, and a premium support entitlement.
VM‐Series Firewall in Amazon Web Services (AWS) and Azure Licenses
You can license the VM‐Series firewall in AWS and Azure in two ways:
• Bring Your Own License (BYOL)—A license that is purchased from a partner, reseller, or directly from Palo Alto Networks. Capacity license, support license, and subscription licenses are supported for BYOL. With this option, you must apply the license after you deploy the VM‐Series firewall.
• Usage‐Based License—Also called a pay‐per‐use or pay‐as‐you‐go (PAYG) license. This type of license can be purchased from the AWS Marketplace and the Azure public Marketplace. Usage‐based licenses are not available on Azure Government Cloud.
AWS supports hourly and annual PAYG options; Azure public Marketplace supports the hourly PAYG option only.
For usage‐based models of the VM‐Series firewall in AWS, the longer AWS instance IDs are not supported; use the shorter 8‐character instance ID format.
With the usage‐based licenses, the firewall is prelicensed and ready for use as soon as you deploy it; you do not receive an auth code. When the firewall is stopped or terminated on the AWS or Azure console, the usage‐based licenses are suspended or terminated. Usage‐based licenses are available in the following pricing bundles:
– Bundle 1: Includes the VM‐Series capacity license (VM‐300 only), Threat Prevention license that includes IPS, AV, malware prevention, and a premium support entitlement.
– Bundle 2: Includes the VM‐Series capacity license (VM‐300 only), Threat Prevention (includes IPS, AV, malware prevention), GlobalProtect, WildFire, PAN‐DB URL Filtering licenses, and a premium support entitlement.
If you have an evaluation copy of the VM‐Series firewall and would like to convert it to a fully licensed (purchased) copy, clone your VM‐Series firewall and use the instructions to register and license the purchased copy of your VM‐Series firewall. For instructions, see Upgrade the VM‐Series Firewall.
You cannot switch between the PAYG and the BYOL licenses. To move from PAYG to BYOL, contact your Palo Alto Networks channel partner or sales representative to purchase a BYOL license and get a BYOL auth code that you can use to license your firewall. If you have deployed your firewall and want to switch the license, see Switch Between the BYOL and the PAYG Licenses.
Create a Support Account
A support account is required to access software updates and to get technical support or open a case with Palo Alto Networks technical support. For all licensing options except for usage‐based licenses that are currently only available in AWS, you require a support account so that you can download the software package required to install the VM‐Series firewall. The support account also allows you to view and manage all assets—appliances, licenses, and subscriptions—that you have registered with Palo Alto Networks.
If you have an existing support account, continue with Register the VM‐Series Firewall.
Create a Support Account
Step 1
Go to https://www.paloaltonetworks.com/support/tabs/overview.html.
Step 2
Click the Register link (bottom of the page), and enter the corporate email address to associate with the support account.
Step 3
Pick one of the following options and fill in the details in the user registration form:
• (For the usage‐based license in AWS)
1. Click Register your Amazon Web Services VM-Series Instance.
2. On the AWS Management Console, find the AWS Instance ID, AWS Product Code, and the AWS Zone in which you deployed the firewall.
3. Fill in the other details.
• (For all other licenses)
1. Click Register device using Serial Number or Authorization Code.
2. Enter the capacity auth code and the sales order number or customer ID.
3. Fill in the other details.
Step 4
Submit the form. You will receive an email with a link to activate the user account; complete the steps to activate the account. After your account is verified and the registration is complete, you can log in to the support portal.
Register the VM‐Series Firewall
When you purchase a VM‐Series firewall, you receive an email that includes an auth code for a capacity license for the VM‐Series model, a support entitlement auth code (for example, PAN‐SVC‐PREM‐VM‐100 SKU), and one or more auth codes for the subscription licenses. To use the auth code(s), you must register the code to the support account on the Palo Alto Networks Customer Support web site. In the case of the VMware integrated NSX solution, the email contains a single authorization code that bundles the capacity license for one or more instances of the VM‐1000‐HV model, the support entitlement, and one or more subscription licenses.
For the usage‐based licenses in AWS, you do not receive an auth code. However, in order to activate your premium support entitlement with Palo Alto Networks, you must create a support account and register the VM‐Series firewall on the Palo Alto Networks Customer Support web site.
Use the instructions in this section to register the capacity auth code or firewall with your support account:
• Register the VM‐Series Firewall (with auth code)
• Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code)
Register the VM‐Series Firewall (with auth code)
Register the VM‐Series Firewall (with auth code)
Step 1
Log in to the Palo Alto Networks Customer Support web site with your account credentials. If you need a new account, see Create a Support Account.
Step 2
Select Assets and click Add VM-Series Auth-Codes.
Step 3
In the Add VM-Series Auth-Code field, enter the capacity auth code you received by email, and click the checkmark on the far right to save your input. The page will display the list of auth codes registered to your support account.
You can track the number of VM‐Series firewalls that have been deployed and the number of licenses that are still available for use against each auth code. When all the available licenses are used, the auth code does not display on the VM‐Series Auth‐Codes page. To view all the assets that are deployed, select Assets > Devices.
Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code)
Before you begin the registration process, log in to the VM‐Series firewall and jot down the serial number and the CPU ID (UUID is optional) from the dashboard.
Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code)
Step 1
On the Assets tab (after you log in to the Palo Alto Networks Customer Support web site), click Register New Device.
Step 2
Select Register usage-based VM-Series models (hourly/annual) purchased from public cloud Marketplace.
Step 3
Select your Cloud Marketplace vendor and Submit.
Step 4
Enter the Serial #, the CPU ID, and the UUID of the VM‐Series firewall. For example, from the Dashboard of the VM‐Series firewall on Azure you will see the following information.
Step 5
Agree and Submit the EULA.
Step 6
Verify that the details on the licenses you purchased are displayed on the Assets page of the support portal.
Switch Between the BYOL and the PAYG Licenses
There is no migration path between the BYOL and PAYG licensing options. If you have already deployed and configured a VM‐Series firewall with the PAYG or BYOL option in AWS or Azure, and now want to switch to the other option, use the following instructions to save and export the configuration on your existing firewall, deploy a new firewall, and then restore the configuration on the new firewall.
Switch Between the PAYG License and the BYOL License
Step 1
Save a backup of the current configuration file and store it to an external server.
1. Select Device > Setup > Operations and Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example, running‐config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall.
Step 2
Deploy a new firewall and register or activate the license, as appropriate.
For a new PAYG instance:
1. In the AWS or Azure Marketplace, select the software image for the PAYG licensing bundle you want to deploy.
2. Deploy a new VM‐Series firewall in the AWS or Azure public cloud. See Set Up the VM‐Series Firewall in AWS or Set up the VM‐Series Firewall in Azure.
3. Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code).
For a new BYOL instance:
1. Contact your sales representative or reseller to purchase a BYOL license, and get a BYOL auth code that you can use to license your firewall.
2. Register the VM‐Series Firewall (with auth code).
3. Deploy a new VM‐Series firewall in the AWS or Azure public cloud. See Set Up the VM‐Series Firewall in AWS or Set up the VM‐Series Firewall in Azure.
4. Activate the License for the VM‐Series Firewall (Standalone Version).
Step 3
On the newly deployed firewall, restore the configuration that you exported.
1. Access the web interface of the newly deployed firewall.
2. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the configuration file on the external host, and click OK.
3. Click Load named configuration snapshot, select the Name of the configuration file you just imported, and click OK.
4. Click Commit to overwrite the running configuration with the snapshot you just imported.
5. Verify that the configuration on the new firewall matches the firewall that you are replacing, before you delete the firewall or deactivate the licenses on the replaced firewall.
Activate the License
To activate the license on your VM‐Series firewall, you must have deployed the VM‐Series firewall and completed initial configuration. To deploy the firewall, see VM‐Series Deployments.
Use the instructions in this section for all the BYOL models including AWS and Azure; for usage‐based licensing in AWS and Azure, you do not need to activate the license. For the usage‐based licenses, you must Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code) in order to activate your premium support entitlement.
For usage‐based models of the VM‐Series firewall in the AWS Marketplace, the longer AWS instance IDs are not supported; use the shorter 8‐character instance ID format.
To disable longer instance IDs in each AWS region where you deploy the VM‐Series firewall: Select your AWS region on the EC2 dashboard, select Resource ID length management and clear the check box for Instance ID. Because the longer instance ID is currently optional, you can disable it without limiting functionality in AWS or on the VM‐Series firewall. The VM‐Series firewall will be updated to support the longer instance IDs, and your VM‐Series firewalls with shorter instance IDs will continue to be operational after the update.
Until you activate the license on the VM‐Series firewall, the firewall does not have a serial number, the MAC address of the dataplane interfaces are not unique, and only a minimal number of sessions are supported. Because the MAC addresses are not unique until the firewall is licensed, to prevent issues caused by overlapping MAC addresses, make sure that you do not have multiple, unlicensed VM‐Series firewalls.
When you activate the license, the licensing server uses the UUID and the CPU ID of the virtual machine to generate a unique serial number for the VM‐Series firewall. The capacity auth code in conjunction with the serial number is used to validate your entitlement.
After you license a VM‐Series firewall, if you need to delete and redeploy the VM‐Series firewall, make sure to Deactivate the License(s) on the firewall. Deactivating the license allows you to transfer the active licenses to a new instance of the VM‐Series firewall without help from technical support.
• Activate the License for the VM‐Series Firewall (Standalone Version)
• Activate the License for the VM‐Series NSX Edition Firewall
Activate the License for the VM‐Series Firewall (Standalone Version)
To activate the license on your VM‐Series firewall, you must have deployed the VM‐Series firewall and completed initial configuration.
Activate the License
• If your VM‐Series firewall has direct internet access.
To activate the license, the firewall must be configured with an IP address, netmask, default gateway, and DNS server IP address.
1. Select Device > Licenses and select the Activate feature using authentication code link.
2. Enter the capacity auth code that you registered on the support portal. The firewall will connect to the update server (updates.paloaltonetworks.com), and download the license and reboot automatically.
3. Log back in to the web interface and confirm that the Dashboard displays a valid serial number. If the term Unknown displays, it means the device is not licensed.
4. On Device > Licenses, verify that PA-VM license is added to the device.
• If your VM‐Series firewall does not have internet access.
1. Select Device > Licenses and click the Activate Feature using Auth Code link.
2. Click Download Authorization File, and download the authorizationfile.txt on the client machine.
3. Copy the authorizationfile.txt to a computer that has access to the internet and log in to the support portal. Click My VM-Series Auth-Codes link and select the applicable auth code from the list and click the Register VM link.
4. On the Register Virtual Machine tab upload the authorization file. This will complete the registration process and the serial number of your VM‐Series firewall will be attached to your account records.
5. Navigate to Assets > My Devices and search for the VM‐Series device just registered and click the PA-VM link. This will download the VM‐Series license key to the client machine.
6. Copy the license key to the machine that can access the web interface of the VM‐Series firewall and navigate to Device > Licenses.
7. Click Manually Upload License link and enter the license key. When the capacity license is activated on the firewall, a reboot occurs.
8. Log in to the device and confirm that the Dashboard displays a valid serial number and that the PA-VM license displays in the Device > Licenses tab.
Activate the License for the VM‐Series NSX Edition Firewall
Panorama serves as the central point of administration for the VM‐Series NSX edition firewalls and the license activation process is automated when Panorama has direct internet access. Panorama connects to the Palo Alto Networks update server to retrieve the licenses, and when a new VM‐Series NSX edition firewall is deployed, it communicates with Panorama to obtain the license. If Panorama is not connected to the internet, you need to manually license each instance of the VM‐Series firewall so that the firewall can connect to Panorama. For an overview of the components and requirements for deploying the VM‐Series NSX edition firewall, see VM‐Series NSX Edition Firewall Overview.
For this integrated solution, the auth code (for example, PAN‐VM‐1000‐HV‐SUB‐BND‐NSX2) includes licenses for threat prevention, URL filtering and WildFire subscriptions and premium support for the requested period.
In order to activate the license, you must have completed the following tasks:
• Registered the auth code to the support account. If you don’t register the auth code, the licensing server will fail to create a license.
• Entered the auth code in the Service Definition on Panorama. On Panorama, select VMware Service Manager to add the Authorization Code to the VMware Service Definition.
If you have purchased an evaluation auth code, you can license up to 5 VM‐Series firewalls with the VM‐1000‐HV capacity license for a period of 30 or 60 days. Because this solution allows you to deploy one VM‐Series firewall per ESXi host, the ESXi cluster can include a maximum of 5 ESXi hosts when using an evaluation license.
The following process of activating the licenses is manual. If you have a custom script or an orchestration service, you can use the Licensing API to automate the process of retrieving the licenses for the VM‐Series firewalls.
Activate the Licenses on the VM‐Series NSX Edition Firewall
When Panorama has internet access (Online)
Step 1 Verify that the VM‐Series firewall is connected to Panorama.
1. Log in to Panorama.
2. Select Panorama > Managed Devices and check that the firewall displays as Connected.
Step 2 Verify that each firewall is licensed.
Select Panorama > Device Deployment > Licenses and verify that Panorama has matched the auth code and applied the licenses to each firewall.
If you do not see the licenses, click Refresh. Select the VM‐Series firewalls for which to retrieve subscription licenses and click OK.
When Panorama does not have internet access (Offline)
Step 1 Locate the CPU ID and UUID of the VM‐Series firewall.
1. From the vCenter server, obtain the IP address of the firewall.
2. Log in to the web interface and select Dashboard.
3. Get the CPU ID and the UUID for the firewall from the General Information widget.
Step 2 Activate the auth code and generate the license keys.
1. Log in to the Palo Alto Networks Customer Support web site with your account credentials. If you need a new account, see Create a Support Account. Select Assets > VM-Series Auth Codes and click Add VM-Series Auth Codes to enter the auth code.
2. Select Register VM in the row that corresponds to the auth code that you just registered, enter the CPU ID and the UUID of the firewall and click Submit. The portal will generate a serial number for the firewall.
3. Select Assets > Devices and search for the serial number.
4. Click the link in the Actions column to download each key locally to your laptop. In addition to the subscription license key, you must get the capacity license and the support license keys.
Step 3 Upload the keys to the firewall.
1. Log in to the firewall web interface.
2. Select Device > Licenses, and select Manually upload license key.
3. Browse to select a key and click OK to install the license on the firewall.
Install the capacity license key file (pa‐vm.key) first. When you apply the capacity license key, the VM‐Series firewall will reboot. On reboot, the firewall will have a serial number that you can use to register the firewall as a managed device on Panorama.
4. Repeat the process to install each key on the firewall.
5. Select Dashboard and verify that you can see the Serial # in the General Information widget.
Step 4 Add the serial number of the firewall on Panorama.
Select Panorama > Managed Devices and click Add to enter the serial number for the VM‐Series NSX edition firewall. The firewall should now be able to connect with Panorama so that it can obtain its configuration and policy rules.
Deactivate the License(s)
The license deactivation process enables you to self‐manage licenses. Whether you want to remove one or more active licenses or subscriptions attributed to a firewall (hardware‐based or VM‐Series firewall) or you want to deactivate the VM‐Series firewall and unassign all active licenses and subscriptions, begin the deactivation process on the firewall or Panorama (not on the Palo Alto Networks Customer Support web site).

To deactivate a license automatically, the VM‐Series firewall requires a license deactivation API key and must be able to verify the identity of the license server. The firewall uses this deactivation API key to authenticate with all update and license services. The deactivation API key is not required for manual license deactivation, where there is no connectivity between the firewall and the license server.

If the firewall/Panorama has internet access and can communicate with the Palo Alto Networks licensing servers, the license removal process completes automatically with a click of a button. If the firewall/Panorama does not have internet access, you must complete the process manually in two steps. In the first step, from the firewall or Panorama, you generate and export a license token file that includes information on the deactivated keys. In the second step, while logged in to the Palo Alto Networks Customer Support web site, upload the token file to dissociate the license keys from the firewall.

• Install a License Deactivation API Key
• Deactivate a Feature License or Subscription Using the CLI
• Deactivate VM
Install a License Deactivation API Key
Retrieve your license deactivation API key from the Customer Support Portal and install it using the CLI on the firewall and Panorama. You must have superuser privileges on the firewall or Panorama to install the license API key. When you install a license API key on Panorama, Panorama pushes the API key to its managed devices. If the managed device has an API key installed, Panorama overwrites the old API key with the new one.
Install the API Key
Step 1 Retrieve the license deactivation API key from the Customer Support Portal.
1. Log in to the Customer Support Portal.
2. From the Go To drop‐down, select Licensing API.
3. Copy the API key.
Step 2 Use the CLI to install the API key on the firewall or Panorama.
request license api-key set key <key>
Step 3 Use the CLI to delete an installed API key if you need to replace it.
request license api-key delete
To deactivate a VM‐Series firewall after deleting the API key, you must install a new one.
Deactivate a Feature License or Subscription Using the CLI
If you accidentally installed a license/subscription on a firewall and need to reassign the license to another firewall, you can deactivate an individual license and re‐use the same authorization code on another firewall without help from Technical Support. This capability is supported on the CLI only; the process is supported both on the hardware‐based firewalls and on the VM‐Series firewall.
Deactivate a Feature License or Subscription Using the CLI
Step 1 Log in to the CLI on the firewall.
If your firewall has direct internet access, use the following commands:
Step 2 View the name of the license key file for the feature you want to deactivate.
request license deactivate key features ?
Step 3 Deactivate the license or subscription.
request license deactivate key features <name> mode auto
where name is the full name of the license key file.
For example:
admin@vmPAN2> request license deactivate key features WildFire_License_2015_01_28_I5820573.key mode auto
007200002599 WildFire License Success
Successfully removed license keys
If your firewall does not have direct internet access, use the following commands:
Step 4 View the name of the license key file for the feature you want to deactivate.
request license deactivate key features ?
Step 5 Deactivate the license manually.
request license deactivate key features <name> mode manual
For example:
admin@PA-VM> request license deactivate key features PAN_DB_URL_Filtering_2015_01_28_I6134084.key mode manual
Successfully removed license keys
dact_lic.01282015.100502.tok
The token file uses the format dact_lic.timestamp.tok, where the timestamp is in the mmddyyyy.hrminsec format (01282015.100502 is January 28, 2015 at 10:05:02).
Step 6 Verify that the token file was generated.
show license-token-files
Step 7 Export the token file to an SCP or TFTP server and save it to your computer.
scp export license-token-file to <username@serverIP> from <token_filename>
For example:
scp export license-token-file to admin@10.1.10.55:/tmp/ from dact_lic.01282015.100502.tok
Step 8 Log in to the Palo Alto Networks Customer Support web site.
Step 9 Click the Deactivate License(s) link on the Assets tab.
Step 10 While logged in to the Palo Alto Networks Customer Support web site, upload the token file to complete the deactivation.
Deactivate VM
When you no longer need an instance of the VM‐Series firewall, you can free up all active licenses (subscription licenses, VM‐Capacity licenses, and support entitlements) using the web interface, CLI, or the XML API on the firewall or Panorama. The licenses are credited back to your account and you can use the same authorization codes on a different instance of the VM‐Series firewall.
Deactivating a VM removes all the licenses/entitlements and places the VM‐Series firewall in an unlicensed state; the firewall will not have a serial number and can support only a minimal number of sessions. Because the configuration on the firewall is left intact, you can re‐apply a set of licenses and restore complete functionality on the firewall, if needed. Make sure to deactivate licenses before you delete the VM‐Series firewall. If you delete the firewall before deactivating the licenses you have two options:
• If the device was managed by Panorama, you can deactivate the license from Panorama.
• If the device was not managed by Panorama, you must contact Palo Alto Networks Customer Support.
• From the firewall
1. Log in to the web interface and select Device > Licenses.
2. Select Deactivate VM in the License Management section.
3. Verify the list of licenses/entitlements that will be deactivated on the firewall.
4. Pick one of the following options to start deactivating the VM:
• Click Continue, if the firewall can communicate directly with the Palo Alto Networks Licensing server. You will be prompted to reboot the firewall; on reboot the licenses are deactivated.
• Click Complete Manually, if the firewall does not have internet access. Click the Export license token link to save the token file to your local computer. For example, the token filename is 20150128_1307_dact_lic.01282015.130737.tok. You will be prompted to reboot the firewall; on reboot the licenses are deactivated.
5. (For the manual process only) Complete the following tasks to register the changes with the Licensing server:
a. Log in to the Palo Alto Networks Customer Support web site.
b. Click the Deactivate License(s) link on the Assets tab.
c. While logged in to the Palo Alto Networks Customer Support web site, upload the token file to complete the deactivation.
• From Panorama
1. Log in to the Panorama web interface and select Panorama > Device Deployment > Licenses.
2. Click Deactivate VMs, and select the VM‐Series firewall that you want to deactivate.
3. Pick one of the following options to deactivate the VM:
• Click Continue, if Panorama can communicate directly with the Palo Alto Networks Licensing servers and can register the changes. To verify that the licenses have been deactivated on the firewall, click Refresh on Panorama > Device Deployment > Licenses. The firewall is automatically rebooted.
• Click Complete Manually, if Panorama does not have internet access. Panorama generates a token file. Click the Export license token link to save the token file to your local computer. The successful completion message is displayed on‐screen, and the firewall will be automatically rebooted.
4. (For the manual process only) To use the token file to register the changes with the licensing server, see step 5 of the procedure for deactivating from the firewall, above.
5. Remove the deactivated VM‐Series firewall as a managed device on Panorama.
a. Select Panorama > Managed Devices.
b. Select the firewall that you deactivated from the list of managed devices, and click Delete. Instead of deleting the firewalls, if you prefer, you can create a separate device group and assign the deactivated VM‐Series firewalls to this device group.
Licensing API
To successfully license firewalls that do not have direct internet access, Palo Alto Networks provides a licensing API. You can use this API with a custom script or an orchestration service to register auth codes, retrieve licenses attached to an auth code, renew licenses, and to deactivate all licenses on a VM‐Series firewall (Deactivate VM). The API also allows you to view the details of an auth code so that you can track the number of unused licenses attached to an auth‐code or auth‐code bundle that enables you to license more than one instance of the firewall. An auth‐code bundle includes the VM‐Series model, subscriptions and support in a single, easy to order format; you can use this bundle multiple times to license VM‐Series firewalls as you deploy them.
To use the API, each support account is assigned a unique key. Each API call is a POST request, and the request must include the API key to authenticate the request to the licensing server. When authenticated, the licensing server sends the response in json (content‐type application/json). 
• Manage the Licensing API Key
• Use the Licensing API
• Licensing API Error Codes
Manage the Licensing API Key
Step 1 Get your Licensing API key.
1. Log in to the Palo Alto Networks Support portal.
2. Select Licensing API from the Go To drop‐down.
3. Click Enable to view your key and copy it for use. Once you generate a key, the key is enabled until you regenerate or disable it.
Step 2 Regenerate or revoke the API key.
You can generate a new API key or revoke the use of the key.
• Click Regenerate to generate a new key. If you suspect that an API key may be compromised, generate a new key; doing so automatically invalidates the old key.
• Select Disable if you no longer plan to use the key. Disabling the API key revokes it.
Use the Licensing API
The base URI for accessing the licensing API is https://api.paloaltonetworks.com/api/license; based on the task you want to perform, for example activate licenses, deactivate licenses, or track license use—the URL will change. An API request must use the HTTP POST method, and you must include the API key in the apikey HTTP request header and pass the request parameters as URL‐encoded form data with content‐type application/x‐www‐form‐urlencoded.
The API Version is optional and can include the following values—0 or 1. If specified, it must be included in the version HTTP request header. The current API version is 1; if you do not specify a version, or specify version 0, the request uses the current API version.
All API responses are represented in json.
Step 1 Get your Licensing API key.
Step 2 Select the task you want to perform:
– Activate Licenses
– Deactivate Licenses
– Track License Usage
Activate Licenses
URL: https://api.paloaltonetworks.com/api/license/activate
Parameters: uuid, cpuid, authCode, and serialNumber. Use these parameters as follows:
• For first‐time or initial license activation, provide cpuid, uuid, and authCode in the API request.
• To retrieve the license(s) again for a firewall that you have previously activated (for example, because you did not save the license keys or had network trouble during initial activation), provide either cpuid and uuid or the serialNumber of the firewall in the API request.
Header: apikey
Sample request for initial license activation using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode cpuid=51060400FFFBAB1F \
  --data-urlencode uuid=564D0E5F-3F22-5FAD-DA58-47352C6229FF \
  --data-urlencode authCode=I7115398 \
  https://api.paloaltonetworks.com/api/license/activate
Sample API response:
[
  {
    "lfidField": "13365773",
    "partidField": "PAN-SVC-PREM-VM-300",
    "featureField": "Premium",
    "feature_descField": "24 x 7 phone support; advanced replacement hardware service",
    "keyField": "m4iZEL1t3n6Oa+6ll1L7itDZTphYw48N1AMOZXutDgExC5f5pOA52+Qg1jmAxanB\nKOyat4FJI4k2hWiBYz9cONuKoiaNOtAGhJvAuZmYgqAZejKueWrTzCuLrwxI/iEw\nkRGR3cYG+j6o84RitR937m2iOk2v9o8RSfLVilgX28nqmcO8LcAnTqbrRWdFtwVk\nluz47AUMXauuqwpMipouQYjk0ZL7fTHHslhyL7yFjCyxBoYXOt3JiqQ0OCDdBdDI\n91RkVPylEwTKgSXm3xpzbmC2ciUR5b235gyqdyW8eQXKvaThuR8YyHr1Pdw/lAjs\npyyIVFa6FufPacfB2RHApQ==\n",
    "auth_codeField": "",
    "errmsgField": null,
    "typeField": "SUP",
    "regDateField": "2016-06-03T08:18:41",
    "startDateField": "5/29/2016",
    "vm_capacityField": null,
    "uuidField": null,
    "cpuidField": null,
    "mac_baseField": null,
    "mac_countField": null,
    "drrField": null,
    "expirationField": "8/29/2016 12:00:00 AM",
    "PropertyChanged": null
  },
  {
    "lfidField": "13365774",
    "partidField": "PAN-VM-300-TP",
    "featureField": "Threat Prevention",
    "feature_descField": "Threat Prevention",
    "keyField": "NqaXoaFG+9qj0t9Vu7FBMizDArj+pmFaQEd6I2OqfBfAibXrvuoFKeXX/K2yXtrl\n2qJhNq3kwXBDxn181z3nrUOsQd/eW68dyp4jb1MfAwEM8mlnCyLhDRM3EE+umS4b\ndZBRH5AQjPoaON7xZ46VMFovOR+asOUJXTptS/Eu1bLAI7PBp3+nm04dYTF9O50O\ndey1jmGoiBZ9wBkesvukg3dVZ7gxppDvz14+wekYEJqPfM0NZyxsC5dnoxg9pciF\ncFelhnTYlma1lXrCqjJcFdniHRwO0RE9CIKWe0g2HGo1uo2eq1XMxL9mE5t025im\nblMnhL06smrCdtXmb4jjtg==\n",
    "auth_codeField": "",
    "errmsgField": null,
    "typeField": "SUB",
    "regDateField": "2016-06-03T08:18:41",
    "startDateField": "5/29/2016",
    "vm_capacityField": null,
    "uuidField": null,
    "cpuidField": null,
    "mac_baseField": null,
    "mac_countField": null,
    "drrField": null,
    "expirationField": "8/29/2016 12:00:00 AM",
    "PropertyChanged": null
  },
  ...<truncated>
]
The featureField in the response indicates the type of key that follows in the keyField. Copy each key to a text file and save it with the .key extension. In the JSON, the line breaks inside the key are encoded as \n escape sequences rather than real newlines; a JSON parser converts them back for you, but if you extract the key by other means make sure to convert them to newlines yourself. Name each key appropriately and save it to the /license folder of the bootstrap package. For example, combine the auth code with the type of key to name it I3306691_1pa‐vm.key (for the capacity license key), I3306691_1threat.key (for the Threat Prevention license key), or I3306691_1wildfire.key (for the WildFire subscription license key).
Sample API request for retrieving previously activated licenses using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode serialNumber=007200006142 \
  https://api.paloaltonetworks.com/api/license/activate
Sample API response: the same format as the initial activation response shown above.
Deactivate Licenses
URL: https://api.paloaltonetworks.com/api/license/deactivate
Parameters: encryptedtoken
To deactivate the license(s) on a firewall that does not have direct internet access, you must generate the license token file locally on the firewall and then use this token file in the API request. For details on generating the license token file, see Deactivate VM or Deactivate a Feature License or Subscription Using the CLI.
Header: apikey
Request: POST https://api.paloaltonetworks.com/api/license/deactivate with the encryptedtoken parameter set to the contents of the token file (in curl, encryptedtoken@<token_filename> reads the file for you).
Sample API request for license deactivation using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode encryptedtoken@dact_lic.05022016.100036.tok \
  https://api.paloaltonetworks.com/api/license/deactivate
Sample API response:
[
  {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
  {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
  {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
  {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
  {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null},
  {"serialNumField":"007200006150","featureNameField":"","issueDateField":"","successField":"Y","errorField":null,"isBundleField":null,"PropertyChanged":null}
]
Track License Usage
URL: https://api.paloaltonetworks.com/api/license/get
Parameters: authCode
Header: apikey
Request: POST https://api.paloaltonetworks.com/api/license/get with the authCode parameter set to the auth code you want to query.
Sample API request for tracking license usage using Curl:
curl -i -H "apikey:$APIKEY" --data-urlencode authCode=I9875031 \
  https://api.paloaltonetworks.com/api/license/get
Sample API response:
HTTP/1.1 200 OK
Date: Thu, 05 May 2016 20:07:16 GMT
Content-Length: 182
{"AuthCode":"I9875031","UsedCount":4,"TotalVMCount":10,"UsedDeviceDetails":[{"UUID":"420006BD-113D-081B-F500-2E7811BE80C9","CPUID":"D7060200FFFBAB1F","SerialNumber":"007200006142"}]}.....
Licensing API Error Codes
The HTTP status codes that the licensing server returns are as follows:
• 200 Success
• 400 Error
• 401 Invalid API Key
• 500 Server Error
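The helper below is an added example for the three Licensing API calls above and for the token file exported under Deactivate VM; it is not Palo Alto Networks code. It builds each POST with the key in the apikey header and the parameters url‐encoded in the body, writes the keys from an /activate response to <authcode>_1<type>.key files for the bootstrap /license folder, stops on a non‐200 status or on an entry whose errmsgField is set, checks every entry of a /deactivate response, and computes the unused count from a /get response. The featureField‐to‐suffix map, the support.key name, the function names and the sample responses are assumptions constructed for offline use; nothing here contacts the licensing server.

```python
"""Licensing API helpers: added example for this guide, not Palo Alto Networks code.
Details the guide leaves open are marked ASSUMPTION; the sample responses are
constructed from the guide's examples with the key material shortened."""
import json
import os
import tempfile
import urllib.parse
import urllib.request

BASE_URL = "https://api.paloaltonetworks.com/api/license"
ENDPOINTS = ("activate", "deactivate", "get")
# HTTP status codes the licensing server returns (from the guide).
STATUS_TEXT = {200: "Success", 400: "Error", 401: "Invalid API Key", 500: "Server Error"}
# ASSUMPTION: featureField -> key-file suffix; the guide names only pa-vm, threat, wildfire.
KEY_SUFFIX = {"Threat Prevention": "threat", "WildFire": "wildfire",
              "PAN-DB URL Filtering": "url", "Premium": "support"}

def build_request(endpoint, params, apikey, version=1):
    """POST to BASE_URL/<endpoint> with the key in the apikey header and the
    parameters url-encoded in the body, so neither lands in a logged URL."""
    if endpoint not in ENDPOINTS:
        raise ValueError("unknown endpoint %r" % endpoint)
    if not apikey:
        raise ValueError("apikey is required; the server answers 401 without it")
    body = urllib.parse.urlencode(params).encode("ascii")
    req = urllib.request.Request("%s/%s" % (BASE_URL, endpoint), data=body, method="POST")
    req.add_header("apikey", apikey)
    req.add_header("version", str(version))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def deactivate_request(token_path, apikey):
    """Build /deactivate from an exported dact_lic.*.tok file (what curl's encryptedtoken@<file> does)."""
    with open(token_path) as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError("empty token file %s" % token_path)
    return build_request("deactivate", {"encryptedtoken": token}, apikey)

def save_license_keys(status, body, authcode, outdir):
    """Write one <authcode>_1<suffix>.key per /activate entry and return the paths.
    json.loads() already turns the \\n escapes inside keyField into real newlines."""
    if status != 200:
        raise RuntimeError("licensing server: %d %s" % (status, STATUS_TEXT.get(status, "unknown")))
    os.makedirs(outdir, exist_ok=True)
    paths, used = [], set()
    for n, entry in enumerate(json.loads(body), 1):
        part = entry.get("partidField", "?")
        if entry.get("errmsgField"):          # the server failed this entry: write no stub key
            raise RuntimeError("%s: %s" % (part, entry["errmsgField"]))
        key = entry.get("keyField") or ""
        if not key.strip():
            raise RuntimeError("%s: empty keyField" % part)
        feature = entry.get("featureField") or "unknown"
        suffix = KEY_SUFFIX.get(feature, feature.lower().replace(" ", "-"))
        name = "%s_1%s.key" % (authcode, suffix)
        if name in used:                      # second entry of one type: keep both files
            name = "%s_%d%s.key" % (authcode, n, suffix)
        used.add(name)
        path = os.path.join(outdir, name)
        with open(path, "w") as fh:
            fh.write(key if key.endswith("\n") else key + "\n")
        paths.append(path)
    return paths

def deactivation_succeeded(body):
    """True only if every entry of a /deactivate response has successField Y and no error."""
    entries = json.loads(body)
    return bool(entries) and all(
        e.get("successField") == "Y" and not e.get("errorField") for e in entries)

def licenses_remaining(body):
    """(authCode, unused VM count) from a /get response."""
    info = json.loads(body)
    return info["AuthCode"], int(info["TotalVMCount"]) - int(info["UsedCount"])

# Constructed samples shaped like the guide's responses (keys shortened, not real).
SAMPLE_ACTIVATE = json.dumps([
    {"partidField": "PAN-SVC-PREM-VM-300", "featureField": "Premium", "typeField": "SUP",
     "keyField": "bGluZTE=\nbGluZTI=\n", "errmsgField": None},
    {"partidField": "PAN-VM-300-TP", "featureField": "Threat Prevention", "typeField": "SUB",
     "keyField": "dGhyZWF0", "errmsgField": None}])
SAMPLE_DEACTIVATE = '[{"serialNumField":"007200006150","successField":"Y","errorField":null}]'
SAMPLE_GET = '{"AuthCode":"I9875031","UsedCount":4,"TotalVMCount":10,"UsedDeviceDetails":[]}'

def run_demo():
    """Exercise the helpers offline and return what a caller would verify."""
    paths = save_license_keys(200, SAMPLE_ACTIVATE, "I3306691", tempfile.mkdtemp())
    with open(paths[0]) as fh:
        support_key = fh.read()
    req = build_request("get", {"authCode": "I9875031"}, "example-api-key")
    return {"files": [os.path.basename(p) for p in paths], "support_key": support_key,
            "deactivated": deactivation_succeeded(SAMPLE_DEACTIVATE),
            "remaining": licenses_remaining(SAMPLE_GET), "method": req.get_method(),
            "url": req.full_url, "body": req.data.decode(), "apikey": req.get_header("Apikey")}
```

To use it against the real service, pass the request from build_request or deactivate_request to urllib.request.urlopen and feed the status and body it returns to save_license_keys, deactivation_succeeded or licenses_remaining. A 401 means the apikey header is wrong or the key was regenerated in the portal; treat the key like any other credential and keep it out of shell history and committed scripts.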
Licenses for Cloud Security Service Providers (CSSPs)
The Palo Alto Networks CSSP partners program allows service providers to provide security as a service or as a hosted application to their end customers. The license offerings that Palo Alto Networks provides for authorized Cloud Security Service Provider (CSSP) partners are different from the offerings for enterprise users. For CSSP partners, Palo Alto Networks supports a usage‐based model for the VM‐Series firewalls bundled with subscriptions and support. As a CSSP partner, you can combine a term‐based capacity license for the VM‐Series models with a choice of subscription licenses for Threat Prevention, URL Filtering, AutoFocus, GlobalProtect, and WildFire, and support entitlements that provide access to technical support and software updates. For cost‐effectiveness, you can also opt for a high availability (HA) option if you plan on deploying the firewalls in an HA configuration.
• Get the Auth Codes for CSSP License Packages
• Register the VM‐Series Firewall with a CSSP Auth Code
• Add End‐Customer Information for a Registered VM‐Series Firewall
Get the Auth Codes for CSSP License Packages
To be a CSSP partner, you have to enroll in the Palo Alto Networks CSSP partners program. For information on enrolling in the CSSP program, contact your Palo Alto Networks Channel Business Manager. If you are enrolled, the Palo Alto Networks Support portal provides tools that allow you to select a license package, track license usage, and apply license entitlements.
A license package is a combination of the following options:
• Usage term—The pay‐per‐use options are hourly, monthly, 1‐year, and 3‐years.
• VM‐Series firewall model—The VM‐100, VM‐200, VM‐300, and VM‐1000‐HV, which give you the model number and the capacities associated with each model.
• Subscription bundle—The three options are basic, bundle 1, and bundle 2. The basic option does not include any subscriptions; bundle 1 has the Threat Prevention license that includes IPS, AV, and malware prevention; bundle 2 has the Threat Prevention (includes IPS, AV, malware prevention), GlobalProtect, WildFire, and PAN‐DB URL Filtering licenses.
• Level of support—Premium support or backline support.
• Redundant firewalls—The options are either high availability (HA) or without HA. This is a cost‐effective option if you plan to deploy a pair of redundant firewalls.
The offering PAN‐VM‐300‐SP‐PREM‐BND1‐YU, for example, is a one‐year term package that includes the VM‐300 with premium support and the subscription bundle 1. Each package supports up to a maximum of 10,000 instances of the VM‐Series firewall.
After you select your license package, you receive an email with your auth code; the fulfillment process can take up to 48 hours.
Get the Auth Codes for the CSSP License Packages
Step 1 Log in to the Palo Alto Networks Customer Support web site with your account credentials. If you need a new account, see Create a Support Account.
Step 2 Select CSSP > Order History to view the list of auth codes registered to your support account. As you deploy firewalls, you must register each instance of the firewall against an auth code.
Register the VM‐Series Firewall with a CSSP Auth Code
To activate the license on your VM‐Series firewall, you must have deployed the VM‐Series firewall and completed initial configuration. As a CSSP partner, you can choose from the following options to register a firewall:




API—Use the Licensing API if you have a custom script or an orchestration service. With this option, the firewall does not need direct internet access.
Bootstrap—Use this option to automatically configure the firewall and license it on first boot. See Bootstrap the VM‐Series Firewall.
Firewall web interface—You can Activate the License for the VM‐Series Firewall (Standalone Version) using the firewall web interface. This workflow is both for firewalls with or without internet access.
Customer Support Portal—Use this option to manually register the firewall on the Palo Alto Networks Customer Support portal, as shown below. Register the VM‐Series Firewall on the Customer Support Portal for CSSPs
Step 1
Log in to the Palo Alto Networks Customer Support web site with your account credentials. If you need a new account, see Create a Support Account.
Step 2
Select CSSP > Order History, to view the list of auth codes registered to your support account.
Step 3
Select CSSP > VM Provisioning Auth Codes, select an Authorization Code and click Register VM.
44 • VM‐Series 7.1 Deployment Guide
© Palo Alto Networks, Inc.
License the VM‐Series Firewall
Licenses for Cloud Security Service Providers (CSSPs)
Register the VM‐Series Firewall on the Customer Support Portal for CSSPs
Step 4
Enter the UUID and CPUID of the VM instance and click Submit. The portal will generate a serial number for the firewall.
You can track the number of VM‐Series firewalls that have been deployed and the number of licenses that are still available for use against each auth code. To view the total number of firewalls registered against a specific auth code, select CSSP > VM Provisioning Auth Codes, then select an Authorization Code and click Provisioned Devices.
Add End‐Customer Information for a Registered VM‐Series Firewall
For the CSSP licenses, after you register the firewall, you can use the Palo Alto Networks Support portal to link the serial number of the VM‐Series firewall with the customer for whom you provisioned the firewall.
• Add End‐Customer Information for a Registered VM‐Series Firewall (Customer Support Portal)
• Add End‐Customer Information for a Registered VM‐Series Firewall (API)
Add End‐Customer Information for a Registered VM‐Series Firewall (Customer Support Portal)
Add End‐User Information for a Registered VM‐Series Firewall (Customer Support Portal)
Step 1
Log in to the Palo Alto Networks Customer Support web site with your account credentials.
Step 2
Select CSSP > Provisioned Devices.
Step 3
Select the Serial Number and click Add End User Info.
Step 4
Enter the Account Information for the customer and click Submit to save the details. After you add account information, you can find all firewalls registered to a customer. In Search Existing End User, enter the customer ID or customer name and click Search to find all firewalls provisioned for the customer.
Add End‐Customer Information for a Registered VM‐Series Firewall (API)
The URL for accessing the API is https://api.paloaltonetworks.com/api/license/ReportEndUserInfo. An API request must use the HTTP POST method, and you must include HTTP request headers that carry the API key and specify the content type as JSON. API responses are in JSON format.
Add End‐User Information for a Registered VM‐Series Firewall (ReportEndUserInfo API)
Step 1
Get your Licensing API key.
Step 2
Use the ReportEndUserInfo API to add end‐user information for a VM‐Series Firewall that is registered to a CSSP.
URL: https://api.paloaltonetworks.com/api/license/ReportEndUserInfo
Headers:
• Content‐Type: application/json
• apiKey: API Key
Parameters:
• SerialNumbers: Required, provide at least one valid firewall serial number
• CustomerAccountId: Required
• CompanyName: Required, end‐user company name
• EndUserContactEmail: Required, end‐user email address
• Address: Required, end‐user address
• Country: Required, 2‐digit end‐user country code, currently “US” is the only valid value
• Region: Required, AWS region of the VM‐Series firewall deployment
• City: Required, end‐user city name
• State: Required, 2‐digit state code, currently “CA” is the only valid value
• PostalCode: Required, end‐user postal code
• DnBNumber: Data Universal Numbering System (D‐U‐N‐S) number
• Industry: End‐user industry type, such as networking or consultancy
• PhoneNumber: End‐user phone number
• WebSite: End‐user website URL
• CreatedBy: System or person submitting this information
Sample request to add end‐user information for a registered VM‐Series firewall using Curl (the command is split with backslash continuations; spaces in query values are percent‐encoded as %20 so they do not break the URL):
curl -X POST \
  -H "Content-Type: application/json" \
  -H "apiKey: 921d4450e988397138ca8a68vf2fc5d687870b3f11cb9439946a521dc4dc7cd8" \
  "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo?serialNumbers=0001A101234&CustomerAccountId=12345&CompanyName=ExampleInc&DnBNumber=123456789&Address=123%20Main%20St&Country=US&Region=CA&City=Sunnydale&State=CA&PostalCode=12345&Industry=Medical&PhoneNumber=4081234567&WebSite=example.com&EndUserContactEmail=admin@example.com&CreatedBy=Jane%20Doe"
Sample API response:
{"Message": "End User Information Updated Successfully"}
If you receive an error, see Licensing API Error Codes.
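The ReportEndUserInfo call described above, as an added Python example that is not Palo Alto Networks code: it checks the parameters against the rules listed here (required fields, the "US" and "CA" restriction), percent‐encodes the query string, sets the two headers and decodes the JSON reply. The environment variable name LICENSING_API_KEY and all function names are my own assumptions, and the sample values are constructed to mirror the Curl sample.

```python
"""Build, validate and send a ReportEndUserInfo request to the CSSP Licensing API.

Added example, not Palo Alto Networks code. It follows the page: HTTP POST to
https://api.paloaltonetworks.com/api/license/ReportEndUserInfo with the headers
Content-Type: application/json and apiKey, parameters passed as a query string
exactly as in the page's curl sample, and a JSON response carrying "Message".
The API key is read from the environment variable LICENSING_API_KEY (an assumed
name) so that the secret never has to be pasted into a script or shell history.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://api.paloaltonetworks.com/api/license/ReportEndUserInfo"

# Parameters the page marks as Required, the optional ones, and the only values
# the page says are currently accepted for Country and State.
REQUIRED = ("SerialNumbers", "CustomerAccountId", "CompanyName",
            "EndUserContactEmail", "Address", "Country", "Region", "City",
            "State", "PostalCode")
OPTIONAL = ("DnBNumber", "Industry", "PhoneNumber", "WebSite", "CreatedBy")
ALLOWED_VALUES = {"Country": {"US"}, "State": {"CA"}}


def validate_end_user_info(params):
    """Return the list of problems with params; an empty list means it is valid."""
    problems = []
    for name in REQUIRED:
        if not str(params.get(name, "")).strip():
            problems.append(f"missing required parameter {name}")
    for name in params:
        if name not in REQUIRED + OPTIONAL:
            problems.append(f"unknown parameter {name}")
    for name, allowed in ALLOWED_VALUES.items():
        if name in params and params[name] not in allowed:
            problems.append(f"{name}={params[name]!r} is not one of {sorted(allowed)}")
    return problems


def build_request(params, api_key):
    """Build the POST request. Values are percent-encoded, so an address such as
    "123 Main St" or a name such as "Jane Doe" cannot break the URL."""
    problems = validate_end_user_info(params)
    if problems:
        raise ValueError("; ".join(problems))
    url = API_URL + "?" + urllib.parse.urlencode(params)
    # urllib stores header names in capitalized form ("Apikey"); HTTP header
    # names are case-insensitive, so the server sees the same header.
    return urllib.request.Request(
        url, method="POST",
        headers={"Content-Type": "application/json", "apiKey": api_key})


def parse_response(body):
    """Return the Message string from the JSON response body."""
    return json.loads(body)["Message"]


def report_end_user_info(params, api_key=None, timeout=30):
    """Send the request and return the API's Message. On an HTTP error the
    server's JSON body is included so it can be matched against the Licensing
    API Error Codes."""
    api_key = api_key or os.environ["LICENSING_API_KEY"]
    request = build_request(params, api_key)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return parse_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        detail = err.read().decode("utf-8", "replace")
        raise RuntimeError(f"HTTP {err.code} from licensing API: {detail}") from err


# Constructed sample values, mirroring the page's curl example; not a real customer.
SAMPLE_PARAMS = {
    "SerialNumbers": "0001A101234", "CustomerAccountId": "12345",
    "CompanyName": "ExampleInc", "DnBNumber": "123456789",
    "Address": "123 Main St", "Country": "US", "Region": "CA",
    "City": "Sunnydale", "State": "CA", "PostalCode": "12345",
    "Industry": "Medical", "PhoneNumber": "4081234567",
    "WebSite": "example.com", "EndUserContactEmail": "admin@example.com",
    "CreatedBy": "Jane Doe",
}

if __name__ == "__main__":
    # Dry run: show the request that would be sent, without contacting the API.
    req = build_request(SAMPLE_PARAMS, "REPLACE_WITH_API_KEY")
    print(req.get_method(), req.full_url)
```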
Set Up a VM‐Series Firewall on an ESXi Server
The VM‐Series firewall is distributed using the Open Virtualization Alliance (OVA) format, which is a standard method of packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running VMware ESXi.
In order to deploy a VM‐Series firewall you must be familiar with VMware and vSphere including vSphere networking, ESXi host setup and configuration, and virtual machine guest deployment. If you would like to automate the process of deploying a VM‐Series firewall, you can create a gold standard template with the optimal configuration and policies, and use the vSphere API and the PAN‐OS XML API to rapidly deploy new VM‐Series firewalls in your network. For more information, see the article: VM‐Series Data Center Automation.
See the following topics for information on:
• Supported Deployments on VMware vSphere Hypervisor (ESXi)
• VM‐Series on ESXi System Requirements and Limitations
• Install a VM‐Series firewall on VMware vSphere Hypervisor (ESXi)
• Troubleshoot ESXi Deployments
Supported Deployments on VMware vSphere Hypervisor (ESXi)
You can deploy one or more instances of the VM‐Series firewall on the ESXi server. Where you place the VM‐Series firewall on the network depends on your topology. Choose from the following options (for environments that are not using VMware NSX):
• One VM‐Series firewall per ESXi host—Every VM server on the ESXi host passes through the firewall before exiting the host for the physical network. VM servers attach to the firewall via virtual standard switches. The guest servers have no other network connectivity and therefore the firewall has visibility and control to all traffic leaving the ESXi host. One variation of this use case is to also require all traffic to flow through the firewall, including server to server (east‐west traffic) on the same ESXi host.
• One VM‐Series firewall per virtual network—Deploy a VM‐Series firewall for every virtual network. If you have designed your network such that one or more ESXi hosts has a group of virtual machines that belong to the internal network, a group that belongs to the external network, and some others to the DMZ, you can deploy a VM‐Series firewall to safeguard the servers in each group. If a group or virtual network does not share a virtual switch or port group with any other virtual network, it is completely isolated from all other virtual networks within or across the host(s). Because there is no other physical or virtual path to any other network, the servers on each virtual network must use the firewall to talk to any other network. Therefore, it allows the firewall visibility and control to all traffic leaving the virtual (standard or distributed) switch attached to each virtual network.
• Hybrid environment—Both physical and virtual hosts are used; the VM‐Series firewall can be deployed in a traditional aggregation location in place of a physical firewall appliance to achieve the benefits of a common server platform for all devices and to unlink hardware and software upgrade dependencies.
Continue with VM‐Series on ESXi System Requirements and Limitations and Install a VM‐Series firewall on VMware vSphere Hypervisor (ESXi).
VM‐Series on ESXi System Requirements and Limitations
This section lists requirements and limitations for the VM‐Series firewall on VMware vSphere Hypervisor (ESXi). To deploy the VM‐Series firewall, see Install a VM‐Series firewall on VMware vSphere Hypervisor (ESXi).
• Requirements
• Limitations
Requirements
You can create and deploy multiple instances of the VM‐Series firewall on an ESXi server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the ESXi server, make sure to conform to the specifications below to ensure optimal performance.
The VM‐Series firewall has the following requirements:
• The host CPU must be an x86‐based Intel or AMD CPU with virtualization extension.
• VMware ESXi with vSphere 5.1, 5.5, 6.0, or 6.5 for VM‐Series running PAN‐OS 7.1. Note that the minimum supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx‐09. Use of vSphere 6.5 requires PA‐VM‐ESX‐7.1.0‐u1.ova.
• Minimum of two vCPUs per VM‐Series firewall. One for the management plane and one for the dataplane. You can assign 2 or 6 additional vCPUs to allocate a total of 2, 4 or 8 vCPUs to the firewall; the management plane only uses one vCPU and any additional vCPUs are assigned to the dataplane.
• Minimum of two network interfaces (vmNICs). One will be a dedicated vmNIC for the management interface and one for the data interface. You can then add up to eight more vmNICs for data traffic. For additional interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure subinterfaces on the firewall.
By default, the VM‐Series firewall assigns a unique MAC address for each dataplane interface from its own pool. This causes the destination MAC addresses assigned by PAN‐OS to be different from the vmNIC MAC addresses assigned by vSphere. Therefore, based on your deployment, to allow the firewall to receive frames, you must either Enable Use of Hypervisor Assigned MAC Addresses on the VM‐Series firewall or enable promiscuous mode (see Step 2) on the port group of the virtual switch to which the dataplane interfaces of the firewall are attached. If neither promiscuous mode nor hypervisor assigned MAC address is enabled, the firewall will not receive any traffic. This is because vSphere will not forward frames to a virtual machine when the destination MAC address of the frame does not match the vmNIC MAC address.
• Minimum of 4GB of memory for all models except the VM‐1000‐HV, which needs 5GB. Any additional memory will be used by the management plane only. If you are applying the VM‐1000‐HV license, see How do I modify the base image file for the VM‐1000‐HV license?
• Minimum of 40GB of virtual disk space. You can add additional disk space of 40GB to 2TB for logging purposes.
Do not use the VMware snapshots functionality on the VM‐Series on ESXi. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware’s best practice recommendation on using snapshots. If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (Device > Setup > Operations). Using the Export named configuration snapshot exports the active configuration (running‐config.xml) on the firewall and allows you to save it to any network location.
Limitations
The VM‐Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the following limitations:
• Dedicated CPU cores are recommended.
• High Availability (HA) Link Monitoring is not supported on VM‐Series firewalls on ESXi. Use Path Monitoring to verify connectivity to a target IP address or to the next hop IP address.
• Up to 10 total ports can be configured; this is a VMware limitation. One port will be used for management traffic and up to 9 can be used for data traffic.
• Only the vmxnet3 driver is supported.
• Virtual systems are not supported.
• vMotion of the VM‐Series firewall is not supported. However, the VM‐Series firewall can secure guest virtual machines that have migrated to a new destination host, if the source and destination hosts are members of all vSphere Distributed Switches that the guest virtual machine used for networking.
• VLAN trunking must be enabled on the ESXi vSwitch port‐groups that are connected to the interfaces (if configured in vwire mode) on the VM‐Series firewall.
Install a VM‐Series firewall on VMware vSphere Hypervisor (ESXi)
To install a VM‐Series firewall you must have access to the Open Virtualization Alliance format (OVA) template. Use the auth code you received in your order fulfillment email to register your VM‐Series firewall and gain access to the OVA template. The OVA is downloaded as a zip archive that is expanded into three files: the .ovf extension is for the OVF descriptor file that contains all metadata about the package and its contents; the .mf extension is for the OVF manifest file that contains the SHA‐1 digests of individual files in the package; and the .vmdk extension is for the virtual disk image file that contains the virtualized version of the firewall.
• Plan the Interfaces for the VM‐Series for ESXi
• Provision the VM‐Series Firewall on an ESXi Server
• Perform Initial Configuration on the VM‐Series on ESXi
• (Optional) Add Additional Disk Space to the VM‐Series Firewall
• Use VMware Tools on the VM‐Series Firewall on ESXi and vCloud Air
Plan the Interfaces for the VM‐Series for ESXi
By planning the mapping of VM‐Series Firewall vNICs and interfaces, you can avoid reboots and configuration issues. The following table describes the default mapping between VMware vNICs and VM‐Series interfaces when all 10 vNICs are enabled on ESXi.
VMware vNIC    VM‐Series Interfaces
1              Ethernet 1/0 (mgmt)
2              Ethernet 1/1 (eth1)
3              Ethernet 1/2 (eth2)
4              Ethernet 1/3 (eth3)
5              Ethernet 1/4 (eth4)
6              Ethernet 1/5 (eth5)
7              Ethernet 1/6 (eth6)
8              Ethernet 1/7 (eth7)
9              Ethernet 1/8 (eth8)
10             Ethernet 1/9 (eth9)
The mapping on the VM‐Series Firewall remains the same no matter which vNICs you add on ESXi. No matter which interfaces you activate on the firewall, they always take the next available vNIC on ESXi. In the following example, eth3 and eth4 on the VM‐Series Firewall are paired to vNICs 2 and 3 on ESXi respectively. If you want to add two additional interfaces, you must activate vNICs 4 and 5; doing this requires you to power down the VM‐Series firewall. If you activate eth1 and eth2 on the VM‐Series Firewall, the interfaces will reorder themselves. This can result in a mapping mismatch and impact traffic. To avoid issues like those described in the preceding example, you can do the following:
• Activate all nine vNICs beyond the first when provisioning your ESXi host. Adding all nine vNICs as placeholders before powering on the VM‐Series Firewall allows you to use any VM‐Series interfaces regardless of order. By activating the vNICs before powering on the VM‐Series Firewall, adding additional interfaces in the future no longer requires a reboot. Because each vNIC on ESXi requires that you choose a network, you can create an empty port group as a network placeholder.
• Do not remove VM‐Series Firewall vNICs, to avoid mapping mismatches.
Provision the VM‐Series Firewall on an ESXi Server
Use these instruction to deploy the VM‐Series firewall on a (standalone) ESXi server. For deploying the VM‐Series NSX edition firewall, see Set Up a VM‐Series NSX Edition Firewall.
Provision a VM‐Series Firewall
Step 1
Download the OVA file.
Register your VM‐Series firewall and obtain the OVA file from the Palo Alto Networks Customer Support web site: https://www.paloaltonetworks.com/support/tabs/overview.html. If you are using vSphere 6.5, you must download PA‐VM‐ESX‐7.1.0‐u1.ova.
The file contains the base installation. After the base installation is complete, you will need to download and install the latest PAN‐OS version from the support portal. This will ensure that you have the latest fixes that were implemented since the base image was created. For instructions, see Upgrade the PAN‐OS Software Version (Standalone Version).
Step 2
Before deploying the OVA file, set up virtual standard switch(es) and virtual distributed switch(es) that you will need for the VM‐Series firewall. If you are deploying the VM‐Series firewall with Layer 3 interfaces, you should Enable Use of Hypervisor Assigned MAC Addresses on the firewall. If you choose to not enable the use of hypervisor assigned MAC address, you must configure (set to Accept) any virtual switch attached to the VM‐Series firewall to allow the following modes:
– Promiscuous mode
– MAC address changes
– Forged transmits
If you are deploying the firewall with Layer 2, virtual wire, or tap interfaces, you must configure any virtual switch attached to the VM‐Series firewall to allow (set to Accept) the modes listed above.
To configure a virtual standard switch to receive frames for the VM‐Series firewall:
1. Configure a virtual standard switch from the vSphere Client by navigating to Home > Inventory > Hosts and Clusters.
2. Click the Configuration tab and under Hardware click Networking. For each VM‐Series firewall attached virtual switch, click on Properties.
3. Highlight the virtual switch and click Edit. In the vSwitch properties, click the Security tab and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and then click OK. This change will propagate to all port groups on the virtual switch.
To configure a virtual distributed switch to receive frames for the VM‐Series firewall:
1. Select Home > Inventory > Networking. Highlight the Distributed Port Group you want to edit and select the Summary tab.
2. Click Edit Settings and select Policies > Security and set Promiscuous Mode, MAC Address Changes and Forged Transmits to Accept and then click OK.
Step 3
Deploy the OVA.
If you add additional interfaces (vmNICs) to the VM‐Series firewall, a reboot is required because new interfaces are detected during the boot cycle. To avoid the need to reboot the firewall, make sure to add the interfaces at initial deployment or during a maintenance window so that you can reboot the firewall.
1. Log in to vCenter using the vSphere client. You can also go directly to the target ESXi host if needed.
2. From the vSphere client, select File > Deploy OVF Template.
3. Browse to the OVA file that you downloaded in Step 1, select the file and then click Next. Review the template details window and then click Next again.
4. Name the VM‐Series firewall instance and in the Inventory Location window, select a Data Center and Folder and click Next.
5. Select an ESXi host for the VM‐Series firewall and click Next.
6. Select the datastore to use for the VM‐Series firewall and click Next.
7. Leave the default settings for the datastore provisioning and click Next. The default is Thick Provision Lazy Zeroed. Do not configure CPU affinity for the VM‐Series firewall. The vCenter/ESXi server optimizes the CPU placement for the VM‐Series and the firewall performs best when you do not modify the non‐uniform memory access (NUMA) configuration.
8. Select the networks to use for the two initial vmNICs. The first vmNIC will be used for the management interface and the second vmNIC for the first data port. Make sure that the Source Networks map to the correct Destination Networks.
9. Review the details window, select the Power on after deployment check box and then click Next. To view the progress of the installation, monitor the Recent Tasks list.
10. When the deployment is complete, click the Summary tab to review the current status.
Perform Initial Configuration on the VM‐Series on ESXi
Use the virtual appliance console on the ESXi server to set up network access to the VM‐Series firewall. You must first configure the management interface, and then access the web interface to complete further configurations tasks. If you have Panorama for central management, refer to the Panorama Administrator’s Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM‐Series firewall on ESXi, refer to Bootstrap the VM‐Series Firewall on ESXi. For more information about bootstrapping, see Bootstrap the VM‐Series Firewall.
Configure the Management Interface
Step 1
Gather the required information from your network administrator.
• IP address for MGT port
• Netmask
• Default gateway
• DNS server IP address
Step 2
Access the console of the VM‐Series firewall.
1. Select the Console tab on the ESXi server for the VM‐Series firewall, or right click the VM‐Series firewall and select Open Console.
2. Press enter to access the login screen.
3. Enter the default username/password (admin/admin) to log in.
4. Enter configure to switch to configuration mode.
Step 3
Configure the network access settings for the management interface.
Enter the following command:
set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <Firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
Step 4
Commit your changes and exit the configuration mode.
1. Enter commit.
2. Enter exit.
Step 5
Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
admin@PA-200 > ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
After verifying DNS resolution, press Ctrl+C to stop the ping request.
2.
Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
If you have connectivity, the update server will respond with the support status for your firewall.
An unlicensed VM‐Series firewall can process up to approximately 1245 concurrent sessions. Depending on the environment, the session limit can be reached very quickly. Therefore, apply the capacity auth‐code and retrieve a license before you begin testing the VM‐Series firewall; otherwise, you might have unpredictable results, if there is other traffic on the port group(s).
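The management‐interface values from Step 1, the set command from Step 3 and the ping check from Step 5, as an added Python example that is not Palo Alto Networks code: it refuses address combinations that would commit cleanly but leave the MGT port unreachable (gateway outside the subnet, network or broadcast address as the firewall IP) before rendering the command, and it reads the ping output to decide whether DNS resolved even though the update server never answers. Function names are my own, and the only assumption about PAN‐OS output is the ping format shown above.

```python
"""Management-interface bring-up helpers for the VM-Series on ESXi.

Added example, not Palo Alto Networks code. mgmt_set_command() checks that the
values gathered in Step 1 form a coherent network before rendering the PAN-OS
command from Step 3, and dns_resolution_from_ping() reads the Step 5 ping output
to tell whether DNS resolved the update server, which does not answer pings.
"""
import ipaddress
import re


def mgmt_set_command(firewall_ip, netmask, gateway_ip, dns_ip):
    """Return the `set deviceconfig system ...` command, or raise ValueError
    when the addresses cannot work together (a commit would succeed, but the
    management interface would be unreachable)."""
    iface = ipaddress.ip_interface(f"{firewall_ip}/{netmask}")
    net = iface.network
    if net.prefixlen >= 31:
        raise ValueError(f"netmask {netmask} leaves no room for a separate gateway")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    gateway = ipaddress.ip_address(gateway_ip)
    if gateway not in net:
        raise ValueError(f"gateway {gateway} is not inside {net}")
    if gateway == iface.ip:
        raise ValueError("gateway must differ from the firewall's own address")
    dns = ipaddress.ip_address(dns_ip)  # rejects a malformed DNS server address
    return (f"set deviceconfig system ip-address {iface.ip} netmask {net.netmask} "
            f"default-gateway {gateway} dns-setting servers primary {dns}")


# The "PING <host> (<ip>) ..." header appears only when DNS resolved the name;
# reply lines and "Destination Host Unreachable" lines are counted separately.
PING_HEADER = re.compile(r"^PING (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
PING_REPLY = re.compile(r"bytes from ")
PING_UNREACHABLE = re.compile(r"Destination Host Unreachable")


def dns_resolution_from_ping(output):
    """Return (hostname, resolved_ip, replies, unreachables); resolved_ip is
    None when no PING header is present, i.e. the name was never resolved."""
    hostname, resolved_ip, replies, unreachables = None, None, 0, 0
    for line in output.splitlines():
        m = PING_HEADER.match(line.strip())
        if m:
            hostname, resolved_ip = m.group(1), m.group(2)
        elif PING_REPLY.search(line):
            replies += 1
        elif PING_UNREACHABLE.search(line):
            unreachables += 1
    return hostname, resolved_ip, replies, unreachables


def dns_resolved(output):
    """True when the update server's name resolved. Zero replies on their own
    are expected, because the update server does not respond to ping."""
    return dns_resolution_from_ping(output)[1] is not None


# Sample input: the ping output the page shows for Step 5.
SAMPLE_PING = """\
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
"""

if __name__ == "__main__":
    # Constructed addresses; replace with the values from your network administrator.
    print(mgmt_set_command("192.168.1.10", "255.255.255.0", "192.168.1.1", "192.168.1.53"))
    print(dns_resolution_from_ping(SAMPLE_PING), dns_resolved(SAMPLE_PING))
```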
Add Additional Disk Space to the VM‐Series Firewall
The VM‐Series firewall requires a 40GB virtual disk, of which 17GB is used for logging. For larger deployments, to aggregate data from all next‐generation firewalls and provide visibility across all the traffic on your network, use Panorama for centralized logging and reporting. In smaller deployments, where you do not use Panorama but require more log storage capacity, use the following procedure to add a new virtual disk that can support 40GB to 2TB of storage capacity for logs.
When configured to use a virtual disk, the virtual appliance does not use the default 17GB storage for logging. Therefore, if it loses connectivity to the virtual disk, logs could be lost during the failure interval.
To allow for redundancy, place the newly created virtual disk on a datastore that provides RAID redundancy. RAID10 provides the best write performance for applications with high logging characteristics.
Add a Virtual Disk to the VM‐Series Firewall
Step 1
Power off the VM‐Series firewall.
Step 2
On the ESX(i) server, add the virtual disk to the firewall.
1. Select the VM‐Series firewall on the ESX(i) server.
2. Click Edit Settings.
3. Click Add to launch the Add Hardware wizard, and select the following options when prompted:
a. Select Hard Disk for the hardware type.
b. Select Create a new virtual disk.
c. Select SCSI as the virtual disk type.
d. Select the Thick provisioning disk format.
e. In the location field, select the Store with the virtual machine option. The datastore does not have to reside on the ESX(i) server.
f. Verify that the settings look correct and click Finish to exit the wizard. The new disk is added to the list of devices for the virtual appliance.
Step 3
Power on the firewall.
When powered on, the virtual disk is initialized for first‐time use. The time that the initialization process takes to complete varies by the size of the new virtual disk.
When the new virtual disk is initialized and ready, all logs from the existing disk will be moved over to the new virtual disk. Newly generated log entries will now be written to this new virtual disk.
A system log entry that records the new disk is also generated. If you reuse a virtual disk, that is if the disk was previously used for storing PAN‐OS logs, all logs from the existing disk will not be moved over to the virtual disk.
Step 4
Verify the size of the new virtual disk.
1.
Select Device > Setup > Management.
2.
In the Logging and Reporting Settings section, verify that the Log Storage capacity accurately displays the new disk capacity.
Use VMware Tools on the VM‐Series Firewall on ESXi and vCloud Air
VMware Tools is a utility that improves the ability to manage the VM‐Series firewall from vCenter server and vCloud Director. VMware Tools is bundled with the software image for the VM‐Series firewall and all updates will be made available with a new ovf image; you cannot manually install or upgrade VMware Tools using the vCenter server or vCloud Director.
Use VMware Tools on the VM‐Series Firewall on ESXi and vCloud Air
• View the IP address(es) on the management interface and the software version on the firewall and Panorama: In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and view the Summary tab for information on the IP address(es) assigned to the management interface and the software version currently installed.
• View resource utilization metrics on hard disk, memory, and CPU. Use these metrics to enable alarms on the vCenter server: In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and view the Monitor > Utilization tab for information on hard disk, memory, and CPU usage.
• Gracefully shutdown or restart the firewall and Panorama from the vCenter server: In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and select the Actions > Power drop‐down.
• Create alarm definitions for events you want to be notified on, or for which you want to specify an automated action. Refer to the VMware documentation for details on creating alarm definitions: In the Hosts and Cluster section on the vCenter server, select the firewall or Panorama and select Manage > Alarm Definitions to add a new trigger and specify an action when a threshold is met. For example, missing heartbeats for a specified duration, or when memory resource usage exceeds a threshold. The following screenshot shows you how to use notifications for heartbeat monitoring on the firewall or Panorama. [Screenshot: heartbeat‐monitoring notifications; not reproduced]
Troubleshoot ESXi Deployments
Many of the troubleshooting steps for the VM‐Series firewall are very similar to the hardware versions of PAN‐OS. When problems occur, you should check interface counters, system log files, and if necessary, use debug to create captures. For more details on PAN‐OS troubleshooting, refer to the article on Packet Based Troubleshooting.
The following sections describe how to troubleshoot some common problems:
• Basic Troubleshooting
• Installation Issues
• Licensing Issues
• Connectivity Issues
Basic Troubleshooting
Recommendation for Network Troubleshooting Tools
It is useful to have a separate troubleshooting station to capture traffic or inject test packets in the virtualized environment. It can be helpful to build a fresh OS from scratch with common troubleshooting tools installed such as tcpdump, nmap, hping, traceroute, iperf, tcpedit, netcat, etc. This machine can then be powered down and converted to a template. Each time the tools are needed, the troubleshooting client (virtual machine) can be quickly deployed to the virtual switch(es) in question and used to isolate networking problems. When the testing is complete, the instance can simply be discarded and the template used again the next time it is required.
For performance related issues on the firewall, first check the Dashboard from the firewall web interface. To view alerts or create a tech support or stats dump files navigate to Device > Support.
For information in the vSphere client go to Home > Inventory > VMs and Templates, select the VM‐Series firewall instance and click the Summary tab. Under Resources, check the statistics for consumed memory, CPU and storage. For resource history, click the Performance tab and monitor resource consumption over time.
Installation Issues
• Issues with deploying the OVA
• Why does the firewall boot into maintenance mode?
• How do I modify the base image file for the VM‐1000‐HV license?
Issues with deploying the OVA
The VM‐Series is delivered as a file in the Open Virtualization Alliance (OVA) format. The OVA image is downloaded as a zip archive that is expanded into three files. If you are having trouble deploying the OVA image, make sure the three files are unpacked and present and, if necessary, download and extract the OVA image again.
• The ovf extension is for the OVF descriptor file that contains all metadata about the package and its contents.
• The mf extension is for the OVF manifest file that contains the SHA‐1 digests of the individual files in the package.
• The vmdk extension is for the virtual disk image file. The virtual disk in the OVA image is large for the VM‐Series; this file is nearly 900MB and must be present on the computer running the vSphere client or must be accessible as a URL for the OVA image. Make sure the network connection is sufficient between the vSphere client computer and the target ESXi host. Any firewalls in the path will need to allow TCP ports 902 and 443 from the vSphere client to the ESXi host(s). There needs to be sufficient bandwidth and low latency on the connection; otherwise the OVA deployment can take hours, or time out and fail.
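Added example, not code from the Palo Alto Networks guide: a Python check that the three extracted files are present and that the .ovf and .vmdk match the SHA‐1 digests recorded in the .mf manifest, so a truncated or altered download is caught before a deployment is attempted. It assumes the standard OVF manifest line format SHA1(<file>)= <digest>; the sample package it builds is constructed and only stands in for the real files.

```python
"""Check an extracted VM-Series OVA package against its .mf manifest.

Added example (not Palo Alto Networks code). Assumes the standard OVF
manifest line format "SHA1(<file>)= <hex digest>"; the sample package
built below is constructed and only stands in for the real ~900MB image.
"""
import hashlib
import os
import re
import tempfile

# One manifest line per packaged file, e.g. "SHA1(PA-VM-ESX-7.0.1.ovf)= 3b4c..."
_MF_LINE = re.compile(
    r"^\s*SHA(?P<bits>1|256)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Return {filename: (hashlib algorithm name, lowercase hex digest)}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _MF_LINE.match(line)
        if not m:
            raise ValueError("manifest line %d is not 'SHA1(file)= digest': %r"
                             % (lineno, line))
        entries[m.group("name")] = ("sha" + m.group("bits"), m.group("digest").lower())
    return entries


def file_digest(path, algorithm):
    """Stream the file through the named hash so a large .vmdk is never read whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(mf_path):
    """Verify every file the manifest lists, next to the manifest.

    Returns (ok, problems). A package is only ok when the manifest names an
    .ovf and a .vmdk, both exist in the manifest's directory, and both digests
    match.
    """
    base = os.path.dirname(os.path.abspath(mf_path))
    with open(mf_path) as f:
        entries = parse_manifest(f.read())
    problems = []
    listed = {os.path.splitext(name)[1].lower() for name in entries}
    for ext in (".ovf", ".vmdk"):
        if ext not in listed:
            problems.append("manifest lists no %s file" % ext)
    for name, (algorithm, expected) in entries.items():
        path = os.path.join(base, os.path.basename(name))  # manifest names are bare
        if not os.path.isfile(path):
            problems.append("missing: %s" % name)
        elif file_digest(path, algorithm) != expected:
            problems.append("digest mismatch: %s" % name)
    return (not problems, problems)


def build_sample_package(directory, corrupt_vmdk=False, remove_ovf=False):
    """Write a constructed three-file package (.ovf, .vmdk, .mf) into directory."""
    files = {
        "PA-VM-ESX-sample.ovf": b"<Envelope/>\n",
        "PA-VM-ESX-sample-disk1.vmdk": b"KDMV" + b"\0" * 64,
    }
    lines = []
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append("SHA1(%s)= %s" % (name, hashlib.sha1(data).hexdigest()))
    mf_path = os.path.join(directory, "PA-VM-ESX-sample.mf")
    with open(mf_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    if corrupt_vmdk:  # simulate a truncated or altered download
        with open(os.path.join(directory, "PA-VM-ESX-sample-disk1.vmdk"), "ab") as f:
            f.write(b"extra bytes that were not in the published package")
    if remove_ovf:  # simulate an incomplete unpack
        os.remove(os.path.join(directory, "PA-VM-ESX-sample.ovf"))
    return mf_path


def demo(corrupt_vmdk=False, remove_ovf=False):
    """Build the constructed package in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as d:
        return verify_package(build_sample_package(d, corrupt_vmdk, remove_ovf))


if __name__ == "__main__":
    import sys
    ok, problems = verify_package(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("OK" if ok else "FAILED: " + "; ".join(problems))
```

Run it with the path to the extracted .mf file as the only argument; with no argument it verifies the constructed sample package.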
Why does the firewall boot into maintenance mode?
If you have purchased the VM‐1000‐HV license and are deploying the VM‐Series firewall in standalone mode on a VMware ESXi server or on a Citrix SDX server, you must allocate a minimum of 5GB memory to the VM‐Series firewall. To fix this issue, you must either modify the base image file (see How do I modify the base image file for the VM‐1000‐HV license?) or edit the settings on the ESXi host or the vCenter server before you power on the VM‐Series firewall.
Also, verify that the interface is VMXnet3; setting the interface type to any other format will cause the firewall to boot into maintenance mode.
How do I modify the base image file for the VM‐1000‐HV license?
If you have purchased the VM‐1000‐HV license and are deploying the VM‐Series firewall in standalone mode on a VMware ESXi server or on a Citrix SDX server, use these instructions to modify the following attributes that are defined in the base image file (.ova or .xva) of the VM‐Series firewall.
Important: Modifying the values other than those listed hereunder will invalidate the base image file.
Modify the base image file (only if using the VM‐1000‐HV license in standalone mode)
Step 1
Open the base image file, for example 7.0.0, with a text editing tool such as notepad.
Step 2
Search for 4096 and change the memory allocated to 5120 (that is, 5 GB). Only the ElementName and VirtualQuantity values change; the other elements in the Item, including ResourceType 4 (memory), stay as they are:
<!-- before -->
<Item>
  <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
  <rasd:Description>Memory Size</rasd:Description>
  <rasd:ElementName>4096MB of memory</rasd:ElementName>
  <rasd:InstanceID>2</rasd:InstanceID>
  <rasd:ResourceType>4</rasd:ResourceType>
  <rasd:VirtualQuantity>4096</rasd:VirtualQuantity>
</Item>
<!-- after -->
<Item>
  <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
  <rasd:Description>Memory Size</rasd:Description>
  <rasd:ElementName>5120MB of memory</rasd:ElementName>
  <rasd:InstanceID>2</rasd:InstanceID>
  <rasd:ResourceType>4</rasd:ResourceType>
  <rasd:VirtualQuantity>5120</rasd:VirtualQuantity>
</Item>
Step 3
Change the number of virtual CPU cores allotted from 2 to 4 or 8, as desired for your deployment:
<!-- before -->
<Item>
  <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
  <rasd:Description>Number of Virtual CPUs</rasd:Description>
  <rasd:ElementName>2 virtual CPU(s)</rasd:ElementName>
  <rasd:InstanceID>1</rasd:InstanceID>
  <rasd:ResourceType>3</rasd:ResourceType>
  <rasd:VirtualQuantity>2</rasd:VirtualQuantity>
  <vmw:CoresPerSocket ova:required="false">2</vmw:CoresPerSocket>
</Item>
<!-- after -->
<Item>
  <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
  <rasd:Description>Number of Virtual CPUs</rasd:Description>
  <rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
  <rasd:InstanceID>1</rasd:InstanceID>
  <rasd:ResourceType>3</rasd:ResourceType>
  <rasd:VirtualQuantity>4</rasd:VirtualQuantity>
  <vmw:CoresPerSocket ova:required="false">2</vmw:CoresPerSocket>
</Item>
Alternatively, you can deploy the firewall and, before you power on the VM‐Series firewall, edit the memory and virtual CPU allocation directly on the ESXi host or the vCenter server.
Licensing Issues
• Why am I unable to apply the support or feature license?
• Why does my cloned VM‐Series firewall not have a valid license?
• Will moving the VM‐Series firewall cause license invalidation?
Why am I unable to apply the support or feature license?
Have you applied the capacity auth‐code on the VM‐Series firewall? Before you can activate the support or feature license, you must apply the capacity auth‐code so that the device can obtain a serial number. This serial number is required to activate the other licenses on the VM‐Series firewall.
Why does my cloned VM‐Series firewall not have a valid license?
VMware assigns a unique UUID to each virtual machine, including the VM‐Series firewall. So, when a VM‐Series firewall is cloned, a new UUID is assigned to it. Because the serial number and license for each instance of the VM‐Series firewall are tied to the UUID, cloning a licensed VM‐Series firewall will result in a new firewall with an invalid license. You will need a new auth‐code to activate the license on the newly deployed firewall. You must apply the capacity auth‐code and a new support license in order to obtain full functionality, support, and software upgrades on the VM‐Series firewall.
Will moving the VM‐Series firewall cause license invalidation?
If you are manually moving the VM‐Series firewall from one host to another, be sure to select the option "This guest was moved" to prevent license invalidation.
Connectivity Issues
Why is the VM‐Series firewall not receiving any network traffic?
On the VM‐Series firewall, check the traffic logs (Monitor > Logs). If the logs are empty, use the following CLI command to view the packets on the interfaces of the VM‐Series firewall:
show counter global filter delta yes
Global counters:
Elapsed time since last sampling: 594.544 seconds
--------------------------------------------------------------------------------
Total counters shown: 0
--------------------------------------------------------------------------------
In the vSphere environment, check for the following issues:
• Check the port groups and confirm that the firewall and the virtual machine(s) are on the correct port group.
• Make sure that the interfaces are mapped correctly:
  Network adapter 1 = management
  Network adapter 2 = Ethernet1/1
  Network adapter 3 = Ethernet1/2
  For each virtual machine, check the settings to verify the interface is mapped to the correct port group.
• Verify that either promiscuous mode is enabled for each port group or for the entire switch, or that you have configured the firewall to Enable Use of Hypervisor Assigned MAC Addresses. Because the dataplane PAN‐OS MAC addresses are different from the VMNIC MAC addresses assigned by vSphere, the port group (or the entire vSwitch) must be in promiscuous mode if the firewall is not enabled to use the hypervisor assigned MAC address.
• Check the VLAN settings on vSphere. The VLAN setting for the vSphere port group serves two purposes: it determines which port groups share a layer 2 domain, and it determines whether the uplink ports are tagged (802.1Q).
• Check the physical switch port settings. If a VLAN ID is specified on a port group with uplink ports, then vSphere will use 802.1Q to tag outbound frames. The tag must match the configuration on the physical switch or the traffic will not pass.
• Check the port statistics if using virtual distributed switches (vDS); standard switches do not provide any port statistics.
Set Up the VM‐Series Firewall in vCloud Air
The VM‐Series firewall can be deployed in a virtual data center (vDC) in vCloud Air using the vCloud Air portal, from the vCloud Director portal or using the vCloud Air API. 
• About the VM‐Series Firewall in vCloud Air
• Deployments Supported in vCloud Air
• Deploy the VM‐Series Firewall in vCloud Air
About the VM‐Series Firewall in vCloud Air
You can deploy the VM‐Series firewall in a virtual data center (vDC) in VMware vCloud Air using the vCloud Air portal or from the vCloud Director portal. To centrally manage all your physical and VM‐Series firewalls, you can use an existing Panorama or deploy a new Panorama on premise or in vCloud Air. The VM‐Series firewall in vCloud Air requires the following:
• The ESXi version of the software image, an Open Virtualization Alliance (OVA) file, from the Palo Alto Networks Customer Support web site. Currently, the vCloud Air Marketplace does not host the software image. To deploy the VM‐Series firewall efficiently, include the firewall software image in a vApp. A vApp is a container for preconfigured virtual appliances (virtual machines and operating system images) that is managed as a single object. For example, if your vApp includes a set of multi‐tiered applications and the VM‐Series firewall, each time you deploy the vApp, the VM‐Series firewall automatically secures the web server and database server that get deployed with the vApp.
• License and subscriptions purchased from a partner, reseller, or directly from Palo Alto Networks, in the Bring Your Own License (BYOL) model; usage‐based licensing for the VM‐Series on vCloud Air is not available.
Due to the security restrictions imposed in vCloud Air, the VM‐Series firewall in vCloud Air is best deployed with Layer 3 interfaces, and the interfaces must be enabled to use the hypervisor assigned MAC address. If you do not enable the hypervisor assigned MAC address, the VMware vSwitch cannot forward traffic to the dataplane interfaces on the VM‐Series firewall, because the vSwitch in vCloud Air does not support promiscuous mode or MAC forged transmits. The VM‐Series firewall cannot be deployed with tap interfaces, Layer 2 interfaces, or virtual wire interfaces.
The VM‐Series firewall in vCloud Air can be deployed in an active/passive high availability configuration. However, the VM‐Series firewall in vCloud Air does not support VM Monitoring capabilities for virtual machines that are hosted in vCloud Air.
To learn all about vCloud Air, refer to the VMware vCloud Air documentation.
Deployments Supported in vCloud Air
To enable applications safely, block known and unknown threats, and keep pace with changes in your environment, you can deploy the VM‐Series firewall in vCloud Air with Layer 3 interfaces in the following ways:
• Secure the virtual data center perimeter: Deploy the VM‐Series firewall as a virtual machine that connects isolated and routed networks in vCloud Air. In this deployment the firewall secures all north‐south traffic traversing the infrastructure in vCloud Air.
• Set up a hybrid cloud: Extend your data center and private cloud into vCloud Air and use a VPN connection to enable communication between the corporate network and the data center. In this deployment, the VM‐Series firewall uses IPSec to encrypt traffic and secure users accessing the cloud.
• Secure traffic between application subnets in the vDC: To improve security, segment your network and isolate traffic by creating application tiers, and then deploy the VM‐Series firewall to protect against lateral threats between subnets and application tiers.
The following illustration combines all three deployment scenarios and includes Panorama. Panorama streamlines policy updates, centralizes policy management, and provides centralized logging and reporting.
Deploy the VM‐Series Firewall in vCloud Air
Use the instructions in this section to deploy your VM‐Series firewall in an on‐demand or dedicated vDC in vCloud Air. This procedure assumes that you have set up your vDC, including the gateways required to allow traffic in and out of the vDC, and the networks required for routing management traffic and data traffic through the vDC.
Deploy the VM‐Series Firewall in vCloud Air
Step 1
Obtain the VM‐Series OVA image from the Palo Alto Networks Customer Support web site; the vCloud Air Marketplace does not host the software image currently.
1. Go to: www.paloaltonetworks.com/support/tabs/overview.html.
2. Filter by PAN-OS for VM-Series Base Images and download the OVA image. For example, PA‐VM‐ESX‐7.0.1.ova.
Step 2
Extract the Open Virtualization Format (OVF) file from the OVA image and import the OVF file into your vCloud Air catalog.
When extracting files from the OVA image, make sure to place all the files (.mf, .ovf, and .vmdk) within the same directory. For instructions to extract the OVF file from the OVA image, refer to the VMware documentation: http://www.vmware.com/go/ovf_guide#sthash.WUp55ZyE.dpuf
When you import the OVF file, the software image for the VM‐Series firewall is listed in My Organization’s Catalogs.
Step 3
Choose your workflow.
A vApp is a collection of templates for preconfigured virtual appliances that contain virtual machines and operating system images.
• If you want to create a new vDC and a new vApp that includes the VM‐Series firewall, go to Step 4.
• If you have already deployed a vDC and have a vApp, and now want to add the VM‐Series firewall to the vApp to secure traffic, go to Step 5.
Step 4
Create a vDC and a vApp that includes the VM‐Series firewall.
1. Log in to vCloud Air.
2. Select VPC OnDemand and select the location in which you want to deploy the VM‐Series firewall.
3. Select Virtual Data Centers and click + to add a new Virtual Data Center.
4. Select the vDC, right click and select Manage Catalogs in vCloud Director. You will be redirected to the vCloud Director web interface.
5. Create a new vApp that contains one or more virtual machines including the VM‐Series firewall:
   a. Select My Cloud > vApps, and click Build New vApp.
   b. Select Name and Location, and the Virtual Datacenter in which this vApp will run. By default, Leases for runtime and storage never expire and the vApp is not automatically stopped.
   c. Add Virtual Machines. To add the VM‐Series firewall image, from the Look in: drop‐down select My Organization’s Catalog, select the image and click Add. Click Next.
   d. Configure Resources to specify the Storage Policies for the virtual machines when deployed. The VM‐Series firewall uses the Standard option.
   e. Configure the Virtual Machines. Name each virtual machine and select the network to which you want it to connect. You must connect NIC 0 (for management access) to the default routed network; NIC 1 is used for data traffic. You can add additional NICs later.
   f. Verify the settings and click Finish.
   g. Continue to Step 6.
Step 5
Add the VM‐Series Firewall into a vApp.
1. Log in to vCloud Air.
2. Select your existing Virtual Data Center from the left pane, right click and select Manage Catalogs in vCloud Director. You will be redirected to the vCloud Director web interface.
3. Select My Cloud > vApps and click the Name of the vApp in which to include the VM‐Series firewall.
4. Open the vApp (double‐click on the name), select Virtual Machines and click to add a virtual machine.
   a. In the Look in: drop‐down, choose My Organization’s Catalog, select the VM‐Series firewall image and click Add. Click Next.
   b. Click Next to skip Configure Resources. The VM‐Series firewall uses the Standard option and you do not need to modify the Storage Policy.
   c. Enter a Name for the firewall and, for management access (NIC 0), select the default routed network and the IP Mode (Static or DHCP). You can configure NIC 1 and add additional NICs in Step 6. Click Next.
   d. Verify how this vApp connects to the vDC: the Gateway Address and Network Mask for the virtual machines in this vApp.
   e. Verify that you have added the VM‐Series firewall and click Finish.
   f. Continue to Step 6.
Step 6
Connect the data interface(s) of the VM‐Series firewall to an isolated or a routed network, as required for your deployment.
1. In vCloud Director, select My Cloud > vApps and select the vApp you just created or edited.
2. Select Virtual Machines and select the VM‐Series firewall. Then, right‐click and select Properties.
3. Select Hardware, scroll to the NICs section and select NIC 1.
4. Attach the dataplane network interface to a vApp network or an organizational VDC network, based on your connectivity needs for data traffic to the VM‐Series firewall. To create a new network:
   a. In the Network drop‐down, click Add Network.
   b. Select the Network Type, give it a name and click OK.
   c. Verify that the new network is attached to the interface.
5. To add additional NICs to the firewall, click Add and repeat step 4 above. You can attach a maximum of seven dataplane interfaces to the VM‐Series firewall.
6. Verify that the management interface of the VM‐Series firewall is attached to the default routed subnet on the vDC and that at least one dataplane interface is connected to a routed or isolated network.
   a. Select My Cloud > vApps and double‐click the Name of the vApp you just edited.
   b. Verify network connectivity in the vApp Diagram.
Step 7
(Optional) Edit the hardware resources allocated for the VM‐Series firewall. Required only if you need to allot additional CPU, memory, or hard disk to the firewall.
1. Select My Cloud > vApps and double‐click the Name of the vApp you just deployed.
2. Select Virtual Machine and click on the Name of the VM‐Series firewall to access the Virtual Machine Properties.
3. Add additional Hardware resources for the VM‐Series firewall:
   • CPUs: 2, 4 or 8
   • Memory: 4 GB; 5 GB for the VM‐1000‐HV license
   • Hard Disks: 40 GB to 2 TB
   • NICs: One management and up to seven dataplane interfaces.
Step 8
Power on the VM‐Series firewall.
Step 9
Configure an IP address for the VM‐Series firewall management interface.
See Perform Initial Configuration on the VM‐Series on ESXi.
The VM‐Series firewall in vCloud Air supports VMware Tools, and you can Use VMware Tools on the VM‐Series Firewall on ESXi and vCloud Air to view the management IP address of the VM‐Series firewall.
Step 10
Define NAT rules on the vCloud Air Edge Gateway to enable Internet access for the VM‐Series firewall.
1. Select Virtual Data Centers > Gateways, select the gateway and double‐click to add NAT Rules.
2. Create two DNAT rules: one for allowing SSH access and one for HTTPS access to the management port’s IP address on the VM‐Series firewall.
3. Create a SNAT rule for translating the internal source IP address for all traffic initiated from the management port on the VM‐Series firewall to an external IP address.
To send and receive traffic from the dataplane interfaces on the firewall, you must create additional DNAT and SNAT rules on the vCloud Air Edge Gateway.
Step 11
Log in to the web interface of the firewall.
In this example, the URL for the web interface is https://107.189.85.254
The NAT rule on the Edge Gateway translates the external IP address and port 107.189.85.254:443 to the private IP address and port 10.0.0.102:443.
Step 12
Add the auth code(s) to activate the licenses on the firewall.
See Activate the License.
Step 13
Configure the VM‐Series firewall to use the hypervisor assigned MAC address.
See Enable Use of Hypervisor Assigned MAC Addresses.
Step 14
Configure the dataplane interfaces as Layer 3 interfaces.
1. Select Network > Interfaces > Ethernet.
2. Click the link for ethernet1/1 and configure as follows:
   • Interface Type: Layer3
   • Select the Config tab and assign the interface to the default router.
   • On the Config tab, select New Zone from the Security Zone drop‐down. Define a new zone, for example untrust, and then click OK.
   • Select IPv4 and assign a static IP address.
   • On Advanced > Other Info, expand the Management Profile drop‐down, and select New Management Profile.
   • Enter a Name for the profile, such as allow_ping, select Ping from the Permitted Services list, and then click OK.
   • To save the interface configuration, click OK.
3. Repeat the process for each additional interface.
4. Click Commit to save the changes.
Set Up a VM‐Series Firewall on the Citrix SDX Server
To reduce your carbon footprint and consolidate key functions on a single server, you can deploy one or more instances of the VM‐Series firewall on the Citrix SDX server. Deploying the VM‐Series firewall in conjunction with the NetScaler VPX secures application delivery along with network security, availability, performance, and visibility. 
• About the VM‐Series Firewall on the SDX Server
• System Requirements and Limitations
• Supported Deployments—VM Series Firewall on Citrix SDX
• Install the VM‐Series Firewall on the SDX Server
• Secure North‐South Traffic with the VM‐Series Firewall
• Secure East‐West Traffic with the VM‐Series Firewall
About the VM‐Series Firewall on the SDX Server
One or more instances of the VM‐Series firewall can be deployed to secure east‐west and/or north‐south traffic on the network; virtual wire interfaces, Layer 2 interfaces, and Layer 3 interfaces are supported. To deploy the firewall, see Install the VM‐Series Firewall on the SDX Server. Once deployed, the VM‐Series firewall works alongside the NetScaler VPX (if needed), which is a virtual NetScaler appliance deployed on the SDX server. The NetScaler VPX provides load balancing and traffic management functionality and is typically deployed in front of a server farm to facilitate efficient access to the servers. For a complete overview of NetScaler features and functionality, refer to http://www.citrix.com/netscaler. When the VM‐Series is paired to work with the NetScaler VPX, the complementary capabilities enhance your traffic management, load balancing, and application/network security.
This document assumes that you are familiar with the networking and configuration on the NetScaler VPX. To provide context for the terms used in this section, here is a brief refresher on the NetScaler owned IP addresses that are referred to in this document:
• NetScaler IP address (NSIP): The NSIP is the IP address for management and general system access to the NetScaler itself, and for HA communication.
• Mapped IP address (MIP): A MIP is used for server‐side connections. It is not the IP address of the NetScaler. In most cases, when the NetScaler receives a packet, it replaces the source IP address with a MIP before sending the packet to the server. With the servers abstracted from the clients, the NetScaler manages connections more efficiently.
• Virtual server IP address (VIP): A VIP is the IP address associated with a vserver. It is the public IP address to which clients connect. A NetScaler managing a wide range of traffic may have many VIPs configured.
• Subnet IP address (SNIP): When the NetScaler is attached to multiple subnets, SNIPs can be configured for use as MIPs providing access to those subnets. SNIPs may be bound to specific VLANs and interfaces.
For examples on deploying the VM‐Series firewall and the NetScaler VPX together, see Supported Deployments—VM Series Firewall on Citrix SDX.
System Requirements and Limitations
This section lists requirements and limitations for the VM‐Series firewall on the Citrix SDX server. 
• Requirements
• Limitations
Requirements
You can deploy multiple instances of the VM‐Series firewall on the Citrix SDX server. Because each instance of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the SDX server, make sure to conform to the specifications below to ensure optimal performance.
Requirement: SDX platforms
Details:
• 11500, 11515, 11520, 11530, 11540, 11542
• 13500, 14500, 16500, 18500, 20500
• 22040, 22060, 22080, 22100, 22120
• 24100, 24150
• 17550, 19550, 20550, 21550
Requirement: SDX version
Details: 10.1+. 10.1 is not supported; a software version higher than 10.1 is required.
Requirement: Citrix XenServer version
Details: 6.0.2 or later
Requirement: Minimum System Resources
Details: Plan and allocate the total number of data interfaces that you might require on the VM‐Series firewall. This task is essential during initial deployment, because adding or removing interfaces on the VM‐Series firewall after initial deployment will cause the data interfaces (Eth 1/1 and Eth 1/2) on the VM‐Series firewall to re‐map to the adapters on the SDX server. Each data interface sequentially maps to the adapter with the lowest numerical value, and this remapping can cause a configuration mismatch on the firewall.
• The host CPU must be an x86‐based Intel or AMD CPU with virtualization extensions.
• Two vCPUs per VM‐Series firewall: one is used for the management plane and one for the dataplane. You can add vCPUs in the following combinations: 2, 4, or 8 vCPUs; additional vCPUs are assigned to the dataplane.
• Two network interfaces: one dedicated for management traffic and one for data traffic. For management traffic, you can use the 0/x interfaces on the management plane or the 10/x interfaces on the dataplane. Assign additional network interfaces for data traffic, as required for your network topology.
• 4GB of memory (5GB for VM‐1000‐HV). If you allocate additional memory, it will be used by the management plane only.
• 40GB of virtual disk space. You can add additional disk space of 40GB or 60 GB on the Citrix SDX server. The additional disk space is used for logging purposes only.
Limitations
The VM‐Series firewall deployed on the Citrix SDX server has the following limitations:
• Up to 24 total ports can be configured. One port will be used for management traffic and up to 23 can be used for data traffic.
• Link aggregation is not supported.
For the supported deployments, see Supported Deployments—VM Series Firewall on Citrix SDX. To deploy the firewall, see Install the VM‐Series Firewall on the SDX Server.
Supported Deployments—VM Series Firewall on Citrix SDX
In the following scenarios, the VM‐Series firewall secures traffic destined to the servers on the network. It works in conjunction with the NetScaler VPX to manage traffic before or after it reaches the NetScaler VPX.
• Scenario 1—Secure North‐South Traffic
• Scenario 2—Secure East‐West Traffic (VM‐Series Firewall on Citrix SDX)
Scenario 1—Secure North‐South Traffic
To secure north‐south traffic using a VM‐Series firewall on an SDX server, you have the following options:
• VM‐Series Firewall Between the NetScaler VPX and the Servers
• VM‐Series Firewall Before the NetScaler VPX
VM‐Series Firewall Between the NetScaler VPX and the Servers
The perimeter firewall gates all traffic in to the network. All traffic permitted into the network flows through the NetScaler VPX and then through the VM‐Series firewall before the request is forwarded to the servers.
In this scenario, the VM‐Series firewall secures north‐south traffic and can be deployed using virtual wire, L2, or L3 interfaces.
• VM‐Series Firewall with L3 Interfaces
• VM‐Series Firewall with L2 or Virtual Wire Interfaces
VM‐Series Firewall with L3 Interfaces
Deploying the firewall with L3 interfaces allows you to scale more easily as you deploy new servers and new subnets. You can deploy multiple instances of the firewall to manage traffic to each new subnet and then configure the firewalls as a high availability pair, if needed.
Using an L3 interface allows you to make minimal changes to the SDX server/network configuration, because the SNIP used to reach the servers is removed from the NetScaler VPX and is configured on the VM‐Series firewall instead. With this approach, only one data interface is used on the VM‐Series firewall, hence only one zone can be defined. As a result, when defining the policy rules you must specify the source and destination IP addresses/subnets across which to enforce security rules. For details, see Deploy the VM‐Series Firewall Using L3 Interfaces.
Topology After Adding the VM‐Series Firewall with L3 Interfaces
In this example, the public IP address that the clients connect to (VIP on the NetScaler VPX), is 192.168.1.10. For providing access to the servers on subnet 192.168.2.x, the configuration on the VPX references the subnets (SNIP) 192.168.1.1 and 192.168.2.1. Based on your network configuration and default routes, the routing on servers might need to be changed.
When you set up the VM‐Series firewall, you must add a data interface (for example eth1/1), and assign two IP addresses to the interface. One IP address must be on the same subnet as the VIP and the other must be on the same subnet as the servers. In this example, the IP addresses assigned to the data interfaces are 192.168.1.2 and 192.168.2.1. Because only one data interface is used on the VM‐Series firewall, all traffic belongs to a single zone, and all intra zone traffic is implicitly allowed in policy. Therefore, when defining the policy rules you must specify the source and destination IP address/subnets across which to enforce security rules.
Even after you add the VM‐Series firewall on the SDX server, the IP address that the clients continue to connect to is the VIP of the NetScaler VPX (192.168.1.10). However, to route all traffic through the firewall, on the NetScaler VPX you must define a route to the subnet 192.168.2.x. In this example, to access the servers this route must reference the IP address 192.168.1.2 assigned to the data interface on the VM‐Series firewall. Now all traffic destined for the servers is routed from the NetScaler VPX to the firewall and then on to the servers. The return traffic uses the interface 192.168.2.1 on the VM‐Series and uses the SNIP 192.168.1.1 as its next hop.
For security compliance, if USIP (Use client Source IP) is enabled on the NetScaler VPX, then the VM‐Series firewall requires a default route that points to the SNIP 192.168.1.1, in this example. If a default NAT (mapped/SNIP) IP address is used, then you do not need to define a default route on the VM‐Series firewall.
For instructions, see Deploy the VM‐Series Firewall Using L3 Interfaces.
VM‐Series Firewall with L2 or Virtual Wire Interfaces
Deploying the VM‐Series firewall using L2 interfaces or virtual wire interfaces requires reconfiguration on the NetScaler VPX to remove the direct connection to the servers. The VM‐Series firewall can then be cabled and configured to transparently intercept and enforce policy on traffic destined to the servers. In this approach two data interfaces are created on the firewall, and each belongs to a distinct zone. The security policy is defined to allow traffic between the source and destination zones. For details, see Deploy the VM‐Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces.
Topology After Adding the VM‐Series Firewall with L2 or Virtual Wire Interfaces
VM‐Series Firewall Before the NetScaler VPX
In this scenario, the perimeter firewall is replaced with the VM‐Series firewall that can be deployed using L3, L2, or virtual wire interfaces. All traffic on your network is secured by the VM‐Series firewall before the request reaches the NetScaler VPX and is forwarded to the servers. For details, see Deploy the VM‐Series Firewall Before the NetScaler VPX.
Scenario 2—Secure East‐West Traffic (VM‐Series Firewall on Citrix SDX)
The VM‐Series firewall is deployed along with two NetScaler VPX systems that service different server segments on your network or operate as termination points for SSL tunnels. In this scenario, the perimeter firewall secures incoming traffic. Then, the traffic destined to the DMZ servers flows to a NetScaler VPX that load balances the request. To add an extra layer of security to the internal network, all east‐west traffic between the DMZ and the corporate network is routed through the VM‐Series firewall. The firewall can enforce network security and validate access for that traffic. For details, see Secure East‐West Traffic with the VM‐Series Firewall.
Install the VM‐Series Firewall on the SDX Server
A support account and a valid VM‐Series license are required to obtain the .xva base image file that is required to install the VM‐Series firewall on the SDX server. If you have not already registered the capacity auth‐code that you received with the order fulfillment email with your support account, see Register the VM‐Series Firewall. After registration is completed, continue to the following tasks:
• Upload the Image to the SDX Server
• Provision the VM‐Series Firewall on the SDX Server
Upload the Image to the SDX Server
To provision the VM‐Series firewall, you need to obtain the .xva image file and upload it to the SDX server.
Upload the XVA Image to the SDX Server
Step 1 Download and extract the base image zip file to a local computer.
1. Go to https://support.paloaltonetworks.com/ and download the VM-Series Citrix SDX Base Image zip file.
2. Unzip the base image zip file, and extract the .xva file. This .xva file is required for installing the VM‐Series firewall.
Step 2 Upload the image from the local computer onto the Citrix SDX server.
1. Launch the web browser and log in to the SDX server.
2. Select Configuration > Palo Alto VM-Series > Software Images.
3. In the Action drop‐down, select Upload... and Browse to the location of the saved .xva image file.
4. Select the image and click Open.
5. Upload the image to the SDX server.
Provision the VM‐Series Firewall on the SDX Server
Step 1 Access the SDX server.
Launch the web browser and connect to the SDX server.
Step 2 Create the VM‐Series firewall.
1. Select Configuration > Palo Alto VM-Series > Instances.
2. Click Add.
3. Enter a name for the VM‐Series firewall.
4. Select the .xva image that you uploaded earlier. This image is required to provision the firewall.
5. Allocate the total number of data interfaces that you might require on the VM‐Series firewall during initial deployment. Adding or removing interfaces on the VM‐Series firewall after initial deployment will cause the data interfaces (Eth 1/1 and Eth 1/2) on the VM‐Series firewall to re‐map to the adapters on the SDX server. Each data interface sequentially maps to the adapter with the lowest numerical value, and this can therefore cause a configuration mismatch on the firewall.
6. Allocate the memory, additional disk space, and the virtual CPUs for the VM‐Series firewall. To verify resource allocation recommendations, see Requirements.
7. Select the network interfaces:
• Use the management interfaces 0/1 or 0/2 and assign an IP address, netmask, and gateway IP address. If needed, you can use a data interface on the SDX server for managing the firewall.
• Select the data interfaces that will be used for handling traffic to and from the firewall. If you plan to deploy the interfaces as Layer 2 or virtual wire interfaces, select the Allow L2 Mode option so that the firewall can receive and forward packets for MAC addresses other than its own MAC address.
8. Review the summary and click Finish to begin the installation process. It takes 5‐8 minutes to provision the firewall. When completed, use the management IP address to launch the web interface of the firewall.
Continue with Activate the License.
Secure North‐South Traffic with the VM‐Series Firewall
This section includes information on deploying the NetScaler VPX and the VM‐Series firewall on the Citrix SDX server:
• Deploy the VM‐Series Firewall Using L3 Interfaces
• Deploy the VM‐Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
• Deploy the VM‐Series Firewall Before the NetScaler VPX (Using Virtual Wire Interfaces)
Deploy the VM‐Series Firewall Using L3 Interfaces
To secure north‐south traffic, this scenario shows you how to deploy the VM‐Series firewall as an L3 deployment; the VM‐Series firewall is placed to secure traffic between the NetScaler VPX and the servers on your network.
Topology Before Adding the VM‐Series Firewall
Topology After Adding the VM‐Series Firewall
The following table includes the tasks you must perform to deploy the VM‐Series firewall. For firewall configuration instructions, refer to the PAN‐OS Documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM‐Series Firewall to Process North‐South Traffic Using L3 Interfaces
Step 1 Install the VM‐Series Firewall on the SDX Server.
When provisioning the VM‐Series firewall on the SDX server, make sure that you select the data interface accurately so that the firewall can access the server(s).
Step 2 Configure the data interface on the firewall.
1. Select Network > Virtual Router and then select the default link to open the Virtual Router dialog and Add the interface to the virtual router.
2. (Required only if the USIP option is enabled on the NetScaler VPX) On the Static Routes tab of the virtual router, select the interface and add the NetScaler SNIP (192.168.1.1 in this example) as the Next Hop. The static route defined here is used to route traffic from the firewall to the NetScaler VPX.
3. Select Network > Interfaces > Ethernet and then select the interface you want to configure.
4. Select the Interface Type. Although your choice here depends on your network topology, this example uses Layer3.
5. On the Config tab, in the Virtual Router drop‐down, select default.
6. Select New Zone from the Security Zone drop‐down. In the Zone dialog, define a Name for the new zone, for example default, and then click OK.
7. Select the IPv4 or IPv6 tab, click Add in the IP section, and enter two IP addresses with their network masks for the interface, one for each subnet that is being serviced. For example, 192.168.1.2 and 192.168.2.1.
8. (Optional) To enable you to ping or SSH in to the interface, select Advanced > Other Info, expand the Management Profile drop‐down, and select New Management Profile. Enter a Name for the profile, select Ping and SSH, and then click OK.
9. To save the interface configuration, click OK.
10. Click Commit to save your changes to the firewall.
Step 3 Create a basic policy to allow traffic between the NetScaler VPX and the web servers.
In this example, because only one data interface is set up, we specify the source and destination IP addresses to allow traffic between the NetScaler VPX and the servers.
1. Select Policies > Security, and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, select Add in the Source Address section and select the New Address link.
4. Create a new address object that specifies the SNIP on the NetScaler VPX. In this example, this IP address is the source for all requests to the servers.
5. In the Destination tab, select Add in the Destination Address section and select the New Address link.
6. Create a new address object that specifies the subnet of the web servers. In this example, this subnet hosts all the web servers that service the requests.
7. In the Application tab, select web‐browsing.
8. In the Actions tab, complete these tasks:
a. Set the Action Setting to Allow.
b. Attach the default profiles for antivirus, anti‐spyware, and vulnerability protection under Profile Setting.
9. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule is logged.
10. Create another rule to deny all other traffic from any source and any destination IP address on the network. Because all intra‐zone traffic is allowed by default, in order to deny traffic other than web‐browsing you must create a deny rule that explicitly blocks all other traffic.
Go back to Secure North‐South Traffic with the VM‐Series Firewall, or see Secure East‐West Traffic with the VM‐Series Firewall.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
Deploy the VM‐Series Firewall Using Layer 2 (L2) or Virtual Wire Interfaces
To secure north‐south traffic, this scenario shows you how to deploy the VM‐Series firewall in an L2 or a virtual wire deployment. The VM‐Series firewall secures traffic destined to the servers. The request arrives at the VIP address of the NetScaler VPX and is processed by the VM‐Series firewall before it reaches the servers. On the return path, the traffic is directed to the SNIP on the NetScaler VPX and is processed by the VM‐Series firewall before it is sent back to the client. For the topology before adding the VM‐Series firewall, see Topology Before Adding the VM‐Series Firewall.
Topology After Adding the VM‐Series Firewall
The following table includes the basic configuration tasks you must perform to deploy the VM‐Series firewall. For firewall configuration instructions refer to the PAN‐OS documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM‐Series Firewall to Process North‐South Traffic Using L2 or Virtual Wire Interfaces
Step 1 Install the VM‐Series Firewall on the SDX Server.
On the SDX server, make sure to enable Allow L2 Mode on each data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
Step 2 Re‐cable the server‐side interface assigned to the NetScaler VPX.
Because the NetScaler VPX will reboot when re‐cabled, evaluate whether you would like to perform this task during a maintenance window.
If you have already deployed a NetScaler VPX and are now adding the VM‐Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM‐Series firewall, the NetScaler VPX requires only one port for handling client‐side traffic.
Therefore, before you configure the data interfaces on the VM‐Series firewall, you must remove the cable from the interface that connects the VPX to the server farm and attach it to the firewall, so that all traffic to the server farm is processed by the firewall.
Step 3 Configure the data interfaces. This example shows the configuration for virtual wire interfaces.
1. Launch the web interface of the firewall.
2. Select Network > Interfaces > Ethernet.
3. Click the link for an interface (for example ethernet 1/1) and select the Interface Type as Layer2 or Virtual Wire.
Virtual Wire Configuration
Each virtual wire interface (ethernet 1/1 and ethernet 1/2) must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
a. In the Virtual Wire drop‐down click New Virtual Wire, define a Name, assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click OK. When configuring ethernet 1/2, select this virtual wire.
b. Select New Zone from the Security Zone drop‐down, define a Name for the new zone, for example client, and then click OK.
Layer 2 Configuration
For each Layer 2 interface, you require a security zone. Select the Config tab and complete the following tasks:
a. Select New Zone from the Security Zone drop‐down, define a Name for the new zone, for example client, and then click OK.
4. Repeat steps 2 and 3 above for the other interface.
5. Click Commit to save changes to the firewall.
Step 4 Create a basic policy rule to allow traffic through the firewall.
This example shows how to enable traffic between the NetScaler VPX and the web servers.
1. Select Policies > Security, and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, set the Source Zone to the client‐side zone you defined. In this example, select client.
4. In the Destination tab, set the Destination Zone to the server‐side zone you defined. In this example, select server.
5. In the Application tab, click Add to select the applications to which you want to allow access.
6. In the Actions tab, complete these tasks:
a. Set the Action Setting to Allow.
b. Attach the default profiles for antivirus, anti‐spyware, vulnerability protection, and URL filtering under Profile Setting.
7. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule is logged.
Go back to Secure North‐South Traffic with the VM‐Series Firewall, or see Secure East‐West Traffic with the VM‐Series Firewall.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
Deploy the VM‐Series Firewall Before the NetScaler VPX
The following example shows how to deploy the VM‐Series firewall to process and secure traffic before it reaches the NetScaler VPX. In this example, the VM‐Series firewall is deployed with virtual wire interfaces, and the client connection requests are destined to the VIP on the NetScaler VPX. Note that you can deploy the VM‐Series firewall using L2 or L3 interfaces, based on your specific needs.
Topology Before Adding the VM‐Series Firewall
Topology after adding the VM‐Series firewall
The following table includes the basic configuration tasks you must perform on the VM‐Series firewall. For firewall configuration instructions refer to the PAN‐OS documentation. The workflow and configuration on the NetScaler VPX is beyond the scope of this document; for details on configuring the NetScaler VPX, refer to the Citrix documentation.
Set up the VM‐Series Firewall Before the NetScaler VPX with Virtual Wire Interfaces
Step 1 Install the VM‐Series Firewall on the SDX Server.
On the SDX server, make sure to enable Allow L2 Mode on the data interface. This setting allows the firewall to bridge packets that are destined for the VIP of the NetScaler VPX.
Step 2 Re‐cable the client‐side interface assigned to the NetScaler VPX.
Because the NetScaler VPX will reboot when re‐cabled, evaluate whether you would like to perform this task during a maintenance window.
If you have already deployed a NetScaler VPX and are now adding the VM‐Series firewall on the SDX server, you have two ports assigned to the VPX. When you deploy the VM‐Series firewall, the NetScaler VPX requires only one port, which connects it to the server farm.
Therefore, before you configure the data interfaces on the VM‐Series firewall, you must remove the cable from the interface that connects the VPX to the client‐side traffic and attach it to the firewall, so that all incoming traffic is processed by the firewall.
Step 3 Configure the data interfaces.
1. Launch the web interface of the firewall.
2. Select Network > Interfaces > Ethernet.
3. Click the link for an interface, for example ethernet 1/1, and select the Interface Type as Virtual Wire.
4. Click the link for the other interface and select the Interface Type as Virtual Wire.
5. Each virtual wire interface must be connected to a security zone and a virtual wire. To configure these settings, select the Config tab and complete the following tasks:
• In the Virtual Wire drop‐down click New Virtual Wire, define a Name, assign the two data interfaces (ethernet 1/1 and ethernet 1/2) to it, and then click OK. When configuring ethernet 1/2, select this virtual wire.
• Select New Zone from the Security Zone drop‐down, define a Name for the new zone, for example client, and then click OK.
6. Repeat step 5 for the other interface.
7. Click Commit to save changes to the firewall.
Step 4 Create a basic policy rule to allow traffic through the firewall.
This example shows how to enable traffic between the NetScaler VPX and the web servers.
1. Select Policies > Security, and click Add.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, set the Source Zone to the client‐side zone you defined. In this example, select client.
4. In the Destination tab, set the Destination Zone to the server‐side zone you defined. In this example, select server.
5. In the Application tab, click Add to select the applications to which you want to allow access.
6. In the Actions tab, complete these tasks:
a. Set the Action Setting to Allow.
b. Attach the default profiles for antivirus, anti‐spyware, vulnerability protection, and URL filtering under Profile Setting.
7. Verify that logging is enabled at the end of a session under Options. Only traffic that matches a security rule is logged.
Go back to Secure North‐South Traffic with the VM‐Series Firewall, or see Secure East‐West Traffic with the VM‐Series Firewall.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
Secure East‐West Traffic with the VM‐Series Firewall
The following example shows you how to deploy your VM‐Series firewall to secure the application or database servers on your network. This scenario is relevant to you if you have two NetScaler VPX instances, where one instance authenticates users and terminates SSL connections and then load balances requests to the DMZ servers and the other VPX instance load balances connections to the corporate servers that host the application and database servers on your network.
Topology Before Adding the VM‐Series Firewall
The communication between the servers in the DMZ and the servers in the corporate datacenter is processed by both instances of the NetScaler VPX. For content that resides in the corporate datacenter, a new request is handed off to the other instance of the NetScaler VPX, which forwards the request to the appropriate server.
When the VM‐Series firewall is deployed (this example uses L3 interfaces), the flow of traffic is as follows:
• All incoming requests are authenticated and the SSL connection is terminated on the first instance of the NetScaler VPX. For content that resides in the DMZ, the NetScaler VPX initiates a new connection to the server to fetch the requested content. Note that the north‐south traffic destined to the corporate datacenter or to the servers in the DMZ is handled by the edge firewall and not by the VM‐Series firewall.
For example, when a user (source IP 1.1.1.1) requests content from a server on the DMZ, the destination IP is 20.5.5.1 (VIP of the NetScaler VPX). The NetScaler VPX then replaces the destination IP address, based on the protocol, with the internal server IP address, say 192.168.10.10. The return traffic from the server is sent back to the NetScaler VPX at 20.5.5.1 and sent to the user with IP address 1.1.1.1.
• All requests between the DMZ servers and the corporate datacenter are processed by the VM‐Series firewall. For content that resides in the corporate datacenter, the request is transparently processed (if deployed using L2 or virtual wire interfaces) or routed (using Layer3 interfaces) by the VM‐Series firewall. It is then handed off to the second instance of the NetScaler VPX. This instance of the NetScaler VPX load balances the request across the servers in the corporate datacenter and services the request. The return traffic uses the same path as the incoming request.
For example, when a server on the DMZ (say 192.168.10.10) needs content from a server in the corporate datacenter (say 172.16.10.20), the destination IP address is 172.168.10.3 (the VIP on the second NetScaler). The request is sent to the VM‐Series firewall at 192.168.10.2, where the firewall performs a policy lookup and routes the request to 172.168.10.3. The second NetScaler VPX replaces the destination IP address, based on protocol, with the internal server IP address 172.16.10.20. The return traffic from 172.168.10.20 is then sent to the NetScaler VPX at 172.168.10.3; the source IP address for the request is set as 172.168.10.3 and it is routed to the VM‐Series firewall at 172.168.10.2. On the VM‐Series firewall, a policy lookup is again performed and the traffic is routed to the server in the DMZ (192.168.10.10). Because all requests are initiated from the NetScaler VPX, in order to filter and report on user activity on your network you must enable HTTP Header insertion or the TCP Option for IP Insertion on the first instance of the NetScaler VPX.
Set up the VM‐Series Firewall to Secure East‐West Traffic
Step 1 Install the VM‐Series Firewall on the SDX Server.
If you plan to deploy the VM‐Series firewall using virtual wire or L2 interfaces, make sure to enable L2 Mode on each data interface on the SDX server.
Step 2 Re‐cable the interfaces assigned to the NetScaler VPX.
Because the NetScaler VPX will reboot when re‐cabled, evaluate whether you would like to perform this task during a maintenance window.
Step 3 Configure the data interfaces.
Select Network > Interfaces and assign the interfaces as type Layer3 (see Step 2), Layer2 (see Step 3), or virtual wire (see Step 3).
Step 4 Create a security policy to allow application traffic between the DMZ and the corporate data center (from zone DMZ to zone Corporate).
Note that the implicit deny rule denies all inter‐zone traffic except what is explicitly allowed by security policy.
1. Click Add in the Policies > Security section.
2. Give the rule a descriptive name in the General tab.
3. In the Source tab, set the Source Zone to DMZ and the Source Address to 192.168.10.0/24.
4. In the Destination tab, set the Destination Zone to Corporate and the Destination Address to 172.168.10.0/24.
5. In the Application tab, select the applications that you want to allow. For example, Oracle.
6. Set the Service to application-default.
7. In the Actions tab, set the Action Setting to Allow.
8. Leave all the other options at the default values.
9. Click Commit to save your changes.
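The reason the single‐zone L3 procedure needs its explicit deny rule while the two‐zone east‐west procedure does not is the pair of built‐in default rules: intra‐zone traffic is allowed unless a rule denies it, inter‐zone traffic is denied unless a rule allows it. The following Python model of that evaluation is an added example, not Palo Alto Networks code; the zones, addresses and App‐IDs are taken from the two procedures above, and the rule names are assumed.

```python
"""Model of how the security rulebase in the two SDX procedures is evaluated.

Constructed illustration, not Palo Alto Networks code. Rules are checked
top-down and the first match wins; a flow that matches no rule falls through
to one of the two built-in defaults: intrazone-default (allow) or
interzone-default (deny). Zones, addresses and App-IDs follow the guide's
examples; the rule names are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: Tuple[str, ...]   # zone names, or (ANY,)
    dst_zones: Tuple[str, ...]
    src_addrs: Tuple[str, ...]   # CIDR strings, or (ANY,)
    dst_addrs: Tuple[str, ...]
    apps: Tuple[str, ...]        # App-ID names, or (ANY,)
    action: str                  # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str


def _addr_match(rule_addrs: Tuple[str, ...], ip: str) -> bool:
    if ANY in rule_addrs:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr, strict=False) for cidr in rule_addrs)


def _matches(rule: Rule, flow: Flow) -> bool:
    return (
        (ANY in rule.src_zones or flow.src_zone in rule.src_zones)
        and (ANY in rule.dst_zones or flow.dst_zone in rule.dst_zones)
        and _addr_match(rule.src_addrs, flow.src_ip)
        and _addr_match(rule.dst_addrs, flow.dst_ip)
        and (ANY in rule.apps or flow.app in rule.apps)
    )


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (name of the matching rule, action), built-in defaults included."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def l3_single_zone_rules(with_explicit_deny: bool) -> List[Rule]:
    """Rulebase of the L3 procedure (one interface, one zone named default):
    allow web-browsing from the NetScaler SNIP 192.168.1.1 to the 192.168.2.x
    servers, optionally followed by the explicit deny-all rule of step 10."""
    rules = [Rule("allow-vpx-to-web", (ANY,), (ANY,), ("192.168.1.1/32",),
                  ("192.168.2.0/24",), ("web-browsing",), "allow")]
    if with_explicit_deny:
        rules.append(Rule("deny-all", (ANY,), (ANY,), (ANY,), (ANY,), (ANY,), "deny"))
    return rules


def east_west_rules() -> List[Rule]:
    """Rulebase of the east-west procedure: two zones and one allow rule;
    everything else is left to the built-in interzone-default deny."""
    return [Rule("dmz-to-corporate-oracle", ("DMZ",), ("Corporate",),
                 ("192.168.10.0/24",), ("172.168.10.0/24",), ("oracle",), "allow")]


if __name__ == "__main__":
    # Single zone: an SSH flow nobody allowed is still permitted by
    # intrazone-default until the explicit deny-all rule is present.
    ssh_to_server = Flow("default", "default", "192.168.1.1", "192.168.2.10", "ssh")
    print(evaluate(l3_single_zone_rules(False), ssh_to_server))  # intrazone-default, allow
    print(evaluate(l3_single_zone_rules(True), ssh_to_server))   # deny-all, deny
    # Two zones: the unmatched flow is dropped by interzone-default.
    ssh_to_corp = Flow("DMZ", "Corporate", "192.168.10.10", "172.168.10.3", "ssh")
    print(evaluate(east_west_rules(), ssh_to_corp))              # interzone-default, deny
```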
For securing north‐south traffic, see Secure North‐South Traffic with the VM‐Series Firewall.
For an overview of the deployments, see Supported Deployments—VM Series Firewall on Citrix SDX.
Set Up a VM‐Series NSX Edition Firewall
The VM‐Series NSX edition firewall is jointly developed by Palo Alto Networks and VMware. This solution uses the NetX API to integrate the Palo Alto Networks next‐generation firewalls and Panorama with VMware ESXi servers to provide comprehensive visibility and safe application enablement of all data center traffic, including intra‐host virtual machine communications. The following topics provide information about the VM‐Series NSX edition firewall:
• VM‐Series NSX Edition Firewall Overview
• VM‐Series NSX Edition Firewall Deployment Checklist
• Register the VM‐Series Firewall as a Service on the NSX Manager
• Deploy the VM‐Series Firewall
• Create Policies
• Steer Traffic from Guests that are not Running VMware Tools
• Use Case: Shared Compute Infrastructure and Shared Security Policies
• Use Case: Shared Security Policies on Dedicated Compute Infrastructure
• Dynamic Address Groups—Information Relay from NSX Manager to Panorama
VM‐Series NSX Edition Firewall Overview
NSX, VMware's Networking and Security platform designed for the software‐defined data center (SDDC), offers the ability to deploy the Palo Alto Networks firewall as a service on a cluster of ESXi servers. The term SDDC is a VMware term that refers to a data center where infrastructure—compute resources, network and storage—is virtualized using VMware NSX. To keep pace with the changes in the agile SDDC, the NSX edition of the VM‐Series firewall simplifies the process of deploying a Palo Alto Networks next‐generation firewall and continually enforcing security and compliance for the east‐west traffic in the SDDC. For details on the VM‐Series NSX edition, see the following topics:
• What are the Components of the NSX Edition Solution?
• How Do the Components in the NSX Edition Solution Work Together?
• What are the Benefits of the NSX Edition Solution?
• What is Multi‐Tenant Support on the VM‐Series NSX Edition Firewall?
What are the Components of the NSX Edition Solution?
Table: VMware Components and Table: Palo Alto Networks Components show the components of this joint Palo Alto Networks and VMware solution. The following topics describe each component in more detail:
• vCenter Server
• NSX Manager
• Panorama
• VM‐Series NSX Edition
• Ports/Protocols used for Network Communication
Table: VMware Components
Component: Description
vCenter Server: The vCenter server is the centralized management tool for the vSphere suite.
NSX Manager: VMware's Networking and Security platform must be installed and registered with the vCenter server. The NSX Manager is required to deploy the VM‐Series NSX edition firewall on the ESXi hosts within an ESXi cluster.
ESXi Server: ESXi is a hypervisor that enables compute virtualization.
Table: Palo Alto Networks Components
Component: Description
PAN‐OS: The VM‐Series base image (PA‐VM‐NSX‐7.0.1.zip) is used for deploying the VM‐Series NSX edition firewall with PAN‐OS 7.0. The minimum system requirement for deploying the VM‐Series NSX edition firewall on the ESXi server is as follows:
• Two vCPUs: one for the management plane and one for the dataplane. You can assign 2 or 6 additional vCPUs to allocate a total of 2, 4 or 8 vCPUs to the firewall; the management plane only uses one vCPU and any additional vCPUs are assigned to the dataplane.
• 5GB of memory. Any additional memory will be used by the management plane only.
• 40GB of virtual disk space.
Panorama: Panorama must be running the same release version as, or a later version than, the firewalls that it will manage. Panorama is the centralized management tool for the Palo Alto Networks next‐generation firewalls. In this solution, Panorama works with the NSX Manager to deploy, license, and centrally administer (configuration and policies) the VM‐Series NSX edition firewall. Panorama must be able to connect to the NSX Manager, the vCenter server, the VM‐Series firewalls and the Palo Alto Networks update server. The minimum system requirement for Panorama is as follows:
• Two 8‐Core vCPUs (2.2GHz); use 3GHz if you have 10 or more firewalls.
• 4GB RAM; 16GB recommended if you have 10 or more firewalls.
• 40GB disk space; to expand log capacity, you must add a virtual disk or set up access to an NFS datastore. For details, refer to the Panorama documentation.
VM‐Series NSX Edition: The only VM‐Series license available in this solution is the VM‐1000 in hypervisor mode (VM‐1000‐HV).
Table: Versions Supported
Component: Versions Supported
vCenter Server: 5.5, 6.0. If using vCenter Server 6.0 and ESXi 6.0, you must use Panorama 7.0.1 or later.
ESXi Server: 5.5, 6.0
NSX Manager: 6.1, 6.2
vCenter Server
The vCenter server is required to manage the NSX Manager and the ESXi hosts in your data center. This joint solution requires that the ESXi hosts be organized into one or more clusters on the vCenter server and must be connected to a distributed virtual switch. For information on clusters, distributed virtual switch, DRS, and the vCenter server, refer to your VMware documentation: http://www.vmware.com/support/vcenter‐server.html.
VM‐Series NSX Edition Firewall Overview
Set Up a VM‐Series NSX Edition Firewall
NSX Manager
NSX is VMware’s network virtualization platform that is completely integrated with vSphere. The NSX Firewall and the Service Composer are key features of the NSX Manager. The NSX firewall is a logical firewall that allows you to attach network and security services to the virtual machines, and the Service Composer allows you to group virtual machines and create policy to redirect traffic to the VM‐Series firewall (called the Palo Alto Networks NGFW service on the NSX Manager).
Panorama
Panorama is used to register the NSX edition of the VM‐Series firewall as the Palo Alto Networks NGFW service on the NSX Manager. Registering the Palo Alto Networks NGFW service on the NSX Manager allows the NSX Manager to deploy the NSX edition of the VM‐Series firewall on each ESXi host in the ESXi cluster. Panorama serves as the central point of administration for the VM‐Series NSX edition firewalls. When a new VM‐Series NSX edition firewall is deployed, it communicates with Panorama to obtain the license and receives its configuration/policies from Panorama. All configuration elements, policies, and dynamic address groups on the VM‐Series NSX edition firewalls can be centrally managed on Panorama using Device Groups and Templates. The REST‐based XML API integration in this solution enables Panorama to synchronize with the NSX Manager and the VM‐Series NSX edition firewalls, which allows the use of dynamic address groups and shares context between the virtualized environment and security enforcement. For more information, see Policy Enforcement using Dynamic Address Groups.
VM‐Series NSX Edition
The VM‐Series NSX edition is the VM‐Series firewall that is deployed on the ESXi hypervisor. The integration with the NetX API makes it possible to automate the process of installing the VM‐Series firewall directly on the ESXi hypervisor, and allows the hypervisor to forward traffic to the VM‐Series firewall without using the vSwitch configuration; it therefore requires no change to the virtual network topology.
The VM‐Series NSX edition only supports virtual wire interfaces. In this edition, ethernet 1/1 and ethernet 1/2 are bound together through a virtual wire and use the NetX dataplane API to communicate with the hypervisor. Layer 2 or Layer 3 interfaces are neither required nor supported on the VM‐Series NSX edition, and therefore no switching or routing actions can be performed by the firewall. For enabling traffic separation in a multi‐tenancy environment, you can create additional zones that internally map to a pair of virtual wire subinterfaces on the parent virtual wire interfaces, ethernet 1/1 and ethernet 1/2.
The only license available for this version of the VM‐Series firewall is the VM‐1000‐HV. For a brief summary on the capacity, see VM‐Series Models; for complete information on the maximum capacities supported on the VM‐1000‐HV license refer to the VM‐Series Specsheet.
Ports/Protocols Used for Network Communication
In order to enable the network communication required to deploy the VMware NSX edition firewall, you must allow the use of the following protocols/ports and applications.
• Panorama—To obtain software updates and dynamic updates, Panorama uses SSL to access updates.paloaltonetworks.com on TCP/443; this URL leverages the CDN infrastructure. If you need a single IP address, use staticupdates.paloaltonetworks.com. The App‐ID for updates is paloalto‐updates. The NSX Manager and Panorama use SSL to communicate on TCP/443.
• VM‐Series NSX Edition—If you plan to use WildFire, the VM‐Series firewalls must be able to access wildfire.paloaltonetworks.com on port 443. This is an SSL connection and the App‐ID is paloalto‐wildfire‐cloud. The management interface on the VM‐Series firewall uses SSL to communicate with Panorama over TCP/3789.
• vCenter Server—The vCenter Server must be able to reach the deployment web server that is hosting the VM‐Series OVA. The port is TCP/80 by default or App‐ID web‐browsing.
How Do the Components in the NSX Edition Solution Work Together?
To meet the security challenges in the software‐defined data center, the NSX Manager, ESXi servers and Panorama work harmoniously to automate the deployment of the VM‐Series firewall.
1. Register the Palo Alto Networks NGFW service—The first step is to register the Palo Alto Networks NGFW as a service on the NSX Manager. The registration process uses the NetX management plane API to enable bi‐directional communication between Panorama and the NSX Manager. Panorama is configured with the IP address and access credentials to initiate a connection and register the Palo Alto Networks NGFW service on the NSX Manager. The service definition includes the URL for accessing the VM‐Series base image that is required to deploy the VM‐Series NSX edition firewall, the authorization code for retrieving the license and the device group and template to which the VM‐Series firewalls will belong. The NSX manager uses this management plane connection to share updates on the changes in the virtual environment with Panorama.
2. Deploy the VM‐Series automatically from NSX—The NSX Manager collects the VM‐Series base image from the URL specified during registration and installs an instance of the VM‐Series firewall on each ESXi host in the ESXi cluster. From a static management IP pool or a DHCP service (that you define on the NSX Manager), a management IP address is assigned to the VM‐Series firewall and the Panorama IP address is provided to the firewall. When the firewall boots up, the NetX dataplane integration API connects the VM‐Series firewall to the hypervisor so that it can receive traffic from the vSwitch.
3. Establish communication between the VM‐Series firewall and Panorama: The VM‐Series firewall then initiates a connection to Panorama to obtain its license. Panorama retrieves the license from the update server and pushes it to the firewall. The VM‐Series firewall receives the license (VM‐1000‐HV) and reboots with a valid serial number. If your Panorama is offline, which means that it does not have direct Internet access to retrieve the licenses and push them to the firewalls, you must manually license each firewall. When Panorama does not have internet access (Offline), you must add the serial number of the firewall to Panorama so that it is registered as a managed device, so that you can push the appropriate template and device group settings from Panorama.
4. Install configuration/policy from Panorama to the VM‐Series firewall: The VM‐Series firewall reconnects with Panorama and provides its serial number. Panorama now adds the firewall to the device group and template that was defined in the service definition and pushes the configuration and policy rules to the firewall. The VM‐Series firewall is now available as a security virtual machine that can be further configured to safely enable applications on the network.
5. Push traffic redirection rules from NSX Firewall: On the Service Composer on the NSX Firewall, create security groups and define network introspection rules that specify the guests from which traffic will be steered to the VM‐Series firewall. See Integrated Policy Rules for details. To ensure that traffic from the guests is steered to the VM‐Series firewall, you must have VMware Tools installed on each guest. If VMware Tools is not installed, the NSX Manager does not know the IP address of the guest and therefore, the traffic cannot be steered to the VM‐Series firewall. For more information, see Steer Traffic from Guests that are not Running VMware Tools.
6. Receive real‐time updates from NSX Manager: The NSX Manager sends real‐time updates on the changes in the virtual environment to Panorama. These updates include information on the security groups and IP addresses of guests that are part of the security group from which traffic is redirected to the VM‐Series firewall. See Integrated Policy Rules for details.
7. Use dynamic address groups in policy and push dynamic updates from Panorama to the VM‐Series firewalls: On Panorama, use the real‐time updates on security groups to create dynamic address groups, bind them to security policies and then push these policies to the VM‐Series firewalls. Every VM‐Series firewall in the device group will have the same set of policies and is now completely marshaled to secure the SDDC. See Policy Enforcement using Dynamic Address Groups for details.
Integrated Policy Rules
The NSX Firewall and the VM‐Series firewall work in concert to enforce security; each provides a set of traffic management rules that are applied to the traffic on each ESXi host. The first set of rules is defined on the NSX Firewall; these rules determine traffic from which guests in the cluster are steered to the VM‐Series firewall. The second set of rules (Palo Alto Networks next‐generation firewall rules) is defined on Panorama and pushed to the VM‐Series firewalls. These are security enforcement rules for the traffic that is steered to the Palo Alto Networks NGFW service. These rules determine how the VM‐Series firewall must process—that is allow, deny, inspect, and constrain—the application for enabling it safely on your network.
• Rules defined on the NSX Firewall—The rules for directing traffic from the guests on each ESXi host are configured on the NSX Manager. The Service Composer on the NSX Manager allows you to define what kind of security protection, such as firewall rules, is to be applied to the guests in the ESXi cluster. To define the rules on the NSX Firewall, you must first aggregate the guests into security groups, and then create NSX service composer policies to redirect the traffic from these security groups to the Palo Alto Networks NGFW service and/or the NSX Firewall.
The following diagram illustrates how security groups can be composed of guests across different ESXi hosts within a cluster.
For traffic that needs to be inspected and secured by the VM‐Series firewall, the NSX service composer policies allow you to redirect the traffic to the Palo Alto Networks NGFW service and corresponding service profile. This traffic is then steered to the VM‐Series firewall and is first processed by the VM‐Series firewall before it goes to the virtual switch.
Traffic that does not need to be inspected by the VM‐Series firewall, for example network data backup or traffic to an internal domain controller, does not need to be redirected to the VM‐Series firewall and can be sent to the virtual switch for onward processing.
• Rules centrally managed on Panorama and applied by the VM‐Series firewall—The next‐generation firewall rules are applied by the VM‐Series firewall. These rules are centrally defined and managed on Panorama using templates and device groups and pushed to the VM‐Series firewalls. The VM‐Series firewall then enforces security policy by matching on source or destination IP address—the use of dynamic address groups allows the firewall to populate the members of the groups in real time—and forwards the traffic to the filters on the NSX Firewall. To understand how the NSX Manager and Panorama stay synchronized with the changes in the SDDC and ensure that the VM‐Series firewall consistently enforces policy, see Policy Enforcement using Dynamic Address Groups.
Policy Enforcement using Dynamic Address Groups
Unlike the other versions of the VM‐Series firewall, the NSX edition uses dynamic address groups as the traffic segmentation mechanism, because both virtual wire interfaces (and subinterfaces) belong to the same zone. A security policy rule on the VM‐Series NSX edition firewall must therefore have the same source and destination zone; to treat different traffic differently, you use dynamic address groups as source or destination objects in security policy rules.
Dynamic address groups offer a way to automate the process of referencing source and/or destination addresses within security policies because IP addresses are constantly changing in a data center environment. Unlike static address objects that must be manually updated in configuration and committed whenever there is an address change (addition, deletion, or move), dynamic address groups automatically adapt to changes.
All security groups defined on the NSX Manager are automatically provided as updates to Panorama using the NetX API management plane integration and can be used as filter criteria to create dynamic address groups; the firewall uses the name of the security group (which is a tag) to filter for all the members that belong to a security group. In an ESXi cluster with multiple customers or tenants, the ability to filter security groups for a specific zone (service profile on the NSX Manager) allows you to enforce policy when you have overlapping IP addresses across different security groups in your virtual environment.
If, for example, you have a multi‐tier architecture for web applications, on the NSX Manager you create three security groups for the WebFrontEnd servers, Application servers and the Database servers. The NSX Manager updates Panorama with the service profile ID, name of the security group, and the IP address of the guests that are included in each security group. On Panorama, you can then create three dynamic address groups to match objects that are tagged as Database, Application and WebFrontEnd. Then, in security policy you can use the dynamic address groups as source or destination objects, define the applications that are permitted to traverse these servers, and push the rules to the VM‐Series firewalls. Each time a guest is added or modified in the ESXi cluster or a security group is updated or created, the NSX Manager uses the PAN‐OS REST‐based XML API to update Panorama with the IP address, and the security group to which the guest belongs. To trace the flow of information, see Dynamic Address Groups—Information Relay from NSX Manager to Panorama.
To ensure that the name of each security group is unique, the vCenter server assigns a Managed Object Reference (MOB) ID to the name you define for the security group. The syntax used to display the name of a security group on Panorama is serviceprofileid‐specified_name‐securitygroup‐number; for example, serviceprofile13‐WebFrontEnd‐securitygroup‐47.
When Panorama receives the API notification, it verifies/updates the IP address of each guest and the security group and the service profile to which that guest belongs. Then, Panorama pushes these real‐time updates to all the firewalls that are included in the device group and notifies device groups in the service manager configuration on Panorama.
On each firewall, all policy rules that reference these dynamic address groups are updated at runtime. Because the firewall matches on the security group tag to determine the members of a dynamic address group, you do not need to modify or update the policy when you make changes in the virtual environment. The firewall matches the tags to find the current members of each dynamic address group and applies the security policy to the source/destination IP address that are included in the group.
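As an added illustration (not Palo Alto Networks code), the following Python models how the security group tags relayed by the NSX Manager resolve into dynamic address group members, and why filtering on the service profile (zone) matters when two tenants use overlapping IP addresses. The tag values, guest IP addresses and rule names are constructed, and ASCII hyphens are assumed in the tag syntax.

```python
"""Model of dynamic address group resolution from NSX security-group tags.

Added example, not Palo Alto Networks code. Tags follow the syntax shown in
the guide (serviceprofile13-WebFrontEnd-securitygroup-47) with ASCII hyphens.
"""
import re
from dataclasses import dataclass

# A security-group name may itself contain hyphens (e.g. "App-Tier"), so the
# pattern anchors on the fixed "serviceprofile<N>-" prefix and the
# "-securitygroup-<N>" suffix and lets the name soak up whatever is between.
TAG_RE = re.compile(
    r"^serviceprofile(?P<profile>\d+)-(?P<name>.+)-securitygroup-(?P<sg>\d+)$"
)


@dataclass(frozen=True)
class SecurityGroupTag:
    service_profile_id: int      # service profile on NSX Manager = zone on the firewall
    name: str                    # name given to the security group on NSX Manager
    security_group_number: int   # suffix that keeps the displayed tag unique


def parse_tag(tag: str) -> SecurityGroupTag:
    """Split a Panorama-displayed security-group tag into its three parts."""
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"not a Panorama security-group tag: {tag!r}")
    return SecurityGroupTag(int(m["profile"]), m["name"], int(m["sg"]))


# Constructed sample of the (tag, guest IP) pairs NSX Manager relays to Panorama.
# Two tenants (service profiles 13 and 21) deliberately reuse the same addresses.
NSX_UPDATES = [
    ("serviceprofile13-WebFrontEnd-securitygroup-47", "10.1.1.10"),
    ("serviceprofile13-WebFrontEnd-securitygroup-47", "10.1.1.11"),
    ("serviceprofile13-App-Tier-securitygroup-48", "10.1.2.10"),
    ("serviceprofile13-Database-securitygroup-49", "10.1.3.10"),
    ("serviceprofile21-WebFrontEnd-securitygroup-52", "10.1.1.10"),
    ("serviceprofile21-Database-securitygroup-54", "10.1.3.10"),
]


def resolve_members(updates, group_name, service_profile_id=None):
    """Current members of a dynamic address group whose match criterion is the tag name.

    Without a service-profile filter, guests from every tenant whose security
    group carries this name are returned, which conflates overlapping IPs;
    with the filter, only that zone's guests are returned.
    """
    members = set()
    for tag, ip in updates:
        parsed = parse_tag(tag)
        if parsed.name != group_name:
            continue
        if service_profile_id is not None and parsed.service_profile_id != service_profile_id:
            continue
        members.add(ip)
    return members


@dataclass(frozen=True)
class Rule:
    """A rule whose source and destination zone are the same (one service profile)."""
    name: str
    service_profile_id: int
    src_group: str
    dst_group: str
    action: str


def evaluate(rules, updates, service_profile_id, src_ip, dst_ip, default="deny"):
    """First-match evaluation; membership is resolved at evaluation time, so
    a new NSX update changes the outcome without any rule edits."""
    for rule in rules:
        if rule.service_profile_id != service_profile_id:
            continue
        src = resolve_members(updates, rule.src_group, rule.service_profile_id)
        dst = resolve_members(updates, rule.dst_group, rule.service_profile_id)
        if src_ip in src and dst_ip in dst:
            return rule.name, rule.action
    return None, default


# Constructed rule set: a three-tier allow chain for tenant 13 and a deny for tenant 21.
RULES = [
    Rule("web-to-app-13", 13, "WebFrontEnd", "App-Tier", "allow"),
    Rule("app-to-db-13", 13, "App-Tier", "Database", "allow"),
    Rule("web-to-db-21", 21, "WebFrontEnd", "Database", "deny"),
]

if __name__ == "__main__":
    print(evaluate(RULES, NSX_UPDATES, 13, "10.1.1.10", "10.1.2.10"))  # ('web-to-app-13', 'allow')
    print(evaluate(RULES, NSX_UPDATES, 13, "10.1.1.10", "10.1.3.10"))  # (None, 'deny')
    # Same addresses, other tenant's zone: a different rule applies.
    print(evaluate(RULES, NSX_UPDATES, 21, "10.1.1.10", "10.1.3.10"))  # ('web-to-db-21', 'deny')
```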
What are the Benefits of the NSX Edition Solution?
The NSX edition of the VM‐Series firewall is focused on securing east‐west communication in the software‐defined data center. Deploying the firewall has the following benefits:
• Automated Deployment—The NSX Manager automates the process of delivering next‐generation firewall security services and the VM‐Series firewall allows for transparent security enforcement. When a new ESXi host is added to a cluster, a new VM‐Series firewall is automatically deployed, provisioned and available for immediate policy enforcement without any manual intervention. The automated workflow allows you to keep pace with the virtual machine deployments in your data center. The hypervisor mode on the firewall removes the need to reconfigure the ports/vSwitches/network topology; because each ESXi host has an instance of the firewall, the traffic does not need to traverse the network or be backhauled for inspection and consistent enforcement of policies.
• Ease in Administering Tenants in Shared and Dedicated Compute Infrastructure—This integration provides the flexibility in configuring the firewall to handle multiple zones for traffic segmentation, defining shared or specific policy sets for each tenant or sub‐tenant, and includes support for overlapping IP addresses across tenants or sub‐tenants. Whether you have a shared cluster and need to define tenant specific policies and logically isolate traffic for each tenant (or sub‐tenant), or you have a dedicated cluster for each tenant, this solution enables you to configure the firewall for your needs. And if you need a dedicated instance of the VM‐Series firewall for each tenant in a cluster that hosts the workloads for multiple tenants, you can deploy multiple instances of the VM‐Series firewall on each host in an ESXi cluster. For more information, see What is Multi‐Tenant Support on the VM‐Series NSX Edition Firewall?
• Tighter Integration Between Virtual Environment and Security Enforcement for Dynamic Security—Dynamic address groups maintain awareness of changes in the virtual machines/applications and ensure that security policy stays in tandem with the changes in the network. This awareness provides visibility and protection of applications in an agile environment.
• Sturdier Centralized Management—The firewalls deployed using this solution are licensed and managed by Panorama, the Palo Alto Networks central management tool. Using Panorama to manage both the perimeter and data center firewalls (the hardware‐based and virtual firewalls) allows you to centralize policy management and maintain agility and consistency in policy enforcement throughout the network.
In summary, this solution ensures that the dynamic nature of the virtual network is secured with minimal administrative overhead. You can successfully deploy applications with greater speed, efficiency, and security.
What is Multi‐Tenant Support on the VM‐Series NSX Edition Firewall?
Multi‐tenancy on the VM‐Series firewall enables you to secure more than one tenant or more than one sub‐tenant. A tenant is a customer or an organization such as Palo Alto Networks. A sub‐tenant is a department or business unit within the organization such as Marketing, Accounting, or Human Resources. To allow you to secure multiple tenants, Panorama provides the flexibility to create multiple sets of security policy rules for each tenant, and multiple zones to isolate traffic from each sub‐tenant and redirect traffic to the appropriately configured VM‐Series firewall. You can also deploy more than one instance of the VM‐Series firewall on each host within an ESXi cluster. Panorama and the VM‐Series firewalls must be running PAN‐OS 7.1 or greater to support multi‐tenancy.
To deploy a multi‐tenant solution, create one or more service definition(s) and service profile zone(s) on Panorama. A service definition on Panorama specifies the configuration of the VM‐Series firewall using one device group and one template. This means that each instance of the VM‐Series firewall that is deployed using a service definition has one common set of policy rules for securing the tenants and sub‐tenants in the ESXi cluster. A service profile zone within a Panorama template is used to segment traffic from each sub‐tenant using virtual wire subinterfaces. When you create a new service profile zone, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, so that the firewall can isolate traffic for a sub‐tenant. Because a template supports up to 32 subinterface pairs, you can logically isolate traffic and secure up to 32 sub‐tenants.
Panorama registers each service definition as a service definition on the NSX Manager and each service profile zone as a service profile within the corresponding service definition. When you deploy the service definition from the NSX Manager, an instance of the VM‐Series firewall is deployed on each host in the ESXi cluster. You can then use the steering rules on the NSX Manager to specify what traffic to redirect to the VM‐Series firewall based on NSX security groups, and to which tenant or sub‐tenant based on the service profile. Based on your requirements, you can choose from the following multi‐tenancy options:
• Shared cluster with shared VM‐Series firewalls—Multiple tenants share the cluster and the VM‐Series firewall. A single instance of the VM‐Series firewall is deployed on each host in the cluster. In order to separate traffic from each tenant, you create a zone for each tenant, and you define a single, common set of policy rules to secure the virtual machines for all tenants. See Use Case: Shared Compute Infrastructure and Shared Security Policies.
• Dedicated cluster with dedicated VM‐Series firewalls—A single tenant occupies the cluster, and a single instance of the VM‐Series firewall is deployed on each host in the cluster. In this deployment, the tenant can have a single zone and a single policy set, or the tenant can have multiple zones for sub‐tenants that require traffic separation (one zone per sub‐tenant) and a single policy set with zone‐based rules to secure traffic for each sub‐tenant. See Use Case: Shared Security Policies on Dedicated Compute Infrastructure.
• Shared cluster with dedicated VM‐Series firewalls—Multiple tenants share the cluster and multiple instances of the VM‐Series firewalls are deployed on each host in a cluster so that each tenant can have a dedicated instance of the VM‐Series firewall. This deployment provides scalability and better performance on shared infrastructure for each tenant. Based on each tenant’s needs, you will define two or more service definitions for the cluster.
When deploying multiple instances of the VM‐Series firewall, you must ensure that each ESXi host has the sufficient CPU, memory and hard disk resources required to support the VM‐Series firewalls and the other virtual machines that will be running on it.
VM‐Series NSX Edition Firewall Deployment Checklist
To deploy the NSX edition of the VM‐Series firewall, use the following workflow:
Step 1: Set up the Components—To deploy the VM‐Series NSX edition, set up the following components (see What are the Components of the NSX Edition Solution?):
– Set up the vCenter server, install and register the NSX Manager with the vCenter server.
If you have not already set up the virtual switch(es) and grouped the ESXi hosts into clusters, refer to the VMware documentation for instructions on setting up the vSphere environment. This document does not take you through the process of setting up the VMware components of this solution.
Do not modify the default value (1500 bytes) of the MTU on the virtual Distributed Switch (vDS) in the vSphere infrastructure. Modifying the MTU to any other value causes the VM‐Series NSX edition firewall to discard packets.
– Upgrade Panorama to version 7.1. If you are new to Panorama, refer to the Panorama documentation for instructions on setting up and upgrading Panorama.
– Download and save the ovf template for the NSX edition of the VM‐Series firewall on a web server. The NSX Manager must have network access to this web server so that it can deploy the VM‐Series firewall as needed. You cannot host the ovf template on Panorama. Give the ova filename a generic name that does not include a version number. Using a generic naming convention, such as https://acme.com/software/PA-VM-NSX.ova, allows you to overwrite the ova each time a newer version becomes available.
– Register the capacity auth‐code for the VM‐Series NSX edition firewall with your support account on the Support Portal. For details, see Upgrade the VM‐Series Firewall.
Step 2: Register—Configure Panorama to Register the VM‐Series Firewall as a Service on the NSX Manager. When registered, the VM‐Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager. The connection between Panorama and the NSX Manager is also required for licensing and configuring the firewall.
If you had configured Panorama to register the VM‐Series firewall as a service on the NSX Manager in an earlier version, see Changes to default behavior to learn about the changes upon upgrade to version 7.1.
Step 3: Deploy the Firewalls and Create Policies—On Panorama, create the service definition(s) that specify the configuration for the VM‐Series firewall. On the NSX Manager, install the VM‐Series firewall, and create policies to redirect traffic to the VM‐Series firewall. See Deploy the VM‐Series Firewall and Create Policies.
– (On Panorama) Create the service definition. If you upgrade from an earlier version, your existing service definition is automatically migrated for you. For details, see Changes to default behavior.
– (On the NSX Manager) Enable SpoofGuard and define rules to block non‐IP protocols.
– (On the NSX Manager) Define the IP address pool. An IP address from the defined range is assigned to the management interface of each instance of the VM‐Series firewall.
– (On the NSX Manager) Deploy the VM‐Series firewall. The NSX Manager automatically deploys an instance of the VM‐1000‐HV on each ESXi host in the cluster.
– (On the NSX Manager) Set up the security groups. A security group assembles the specified guests/applications so that you can apply policy to the group. Then create the NSX Firewall policies to redirect traffic to the Palo Alto Networks service profile.
The NSX Manager uses the IP address as a match criterion to steer traffic to the VM‐Series firewall. If VMware Tools is not installed on the guest, see Steer Traffic from Guests that are not Running VMware Tools.
– (On Panorama) Apply policies to the VM‐Series firewall. From Panorama, you define, push, and administer policies centrally on all the VM‐Series firewalls. On Panorama, create dynamic address groups for each security group and reference the dynamic address groups in policy, and then push the policies to the managed firewalls. This centralized administration mechanism allows you to secure guests/applications with minimal administrative intervention.
Step 4: Monitor and Maintain Network Security—Panorama provides a comprehensive, graphical view of network traffic. Using the visibility tools on Panorama—the Application Command Center (ACC), logs, and the report generation capabilities—you can centrally analyze, investigate and report on all network activity, identify areas with potential security impact, and translate them into secure application enablement policies. Refer to the Panorama Administrator’s Guide for more information.
Step 5: Upgrade the software version—When upgrading the VM‐Series NSX edition firewalls, you must first upgrade Panorama before upgrading the firewalls. To upgrade the firewalls, see Upgrade the PAN‐OS Software Version (NSX Edition).
• For upgrading the PAN‐OS version on the firewall, do not modify the VM-Series OVA URL in Panorama > VMware Service Manager.
• Do not use the VMware snapshots functionality on the VM‐Series NSX edition firewall. Snapshots can impact performance and result in intermittent and inconsistent packet loss. See VMware’s best practice recommendation with using snapshots. If you need configuration backups, use Panorama or Export named configuration snapshot from the firewall (Device > Set up > Operations). Using the Export named configuration snapshot exports the active configuration (running‐config.xml) on the firewall and allows you to save it to any network location.
If you need to reinstall or remove the VM‐Series from your NSX deployment, see the How to Remove VM‐Series Integration from VMware NSX knowledge base article.
Register the VM‐Series Firewall as a Service on the NSX Manager
You need to enable communication between Panorama and the NSX Manager and then register the VM‐Series firewall as a service on the NSX Manager. When registered, the VM‐Series firewall is added to the list of network services that can be transparently deployed as a service by the NSX Manager.
• Enable Communication Between the NSX Manager and Panorama
• Create Template(s), and Device Group(s) on Panorama
• Create the Service Definitions on Panorama
Enable Communication Between the NSX Manager and Panorama
To automate the provisioning of the VM‐Series NSX edition firewall, enable communication between the NSX Manager and Panorama. This is a one‐time setup, and only needs to be modified if the IP address of the NSX Manager changes or if the capacity license for deploying the VM‐Series firewall is exceeded.
Use Panorama to Register the VM‐Series Firewall as a Service
Step 1: Log in to the Panorama web interface.
Using a secure connection (https) from a web browser, log in using the IP address and password you assigned during initial configuration (https://<IP address>).
Step 2: Set up access to the NSX Manager.
1. Select Panorama > VMware Service Manager.
2. Enter the Service Manager Name. On the NSX Manager, this name displays in the Service Manager column on Networking & Security > Service Definitions.
3. (Optional) Add a Description that identifies the VM‐Series firewall as a service.
4. Enter the NSX Manager URL—IP address or FQDN—at which to access the NSX Manager.
5. Enter the NSX Manager Login credentials—username and password—so that Panorama can authenticate to the NSX Manager.
The ampersand (&) special character is not supported in the NSX Manager account password. If a password includes an ampersand, the connection between Panorama and the NSX Manager fails.
6. Click OK.
Step 3: Commit your changes to Panorama.
Select Commit and Commit Type: Panorama.
Step 4
Verify the connection status on Panorama.
To view the connection status between Panorama and the NSX Manager:
1.
Select Panorama > VMware Service Manager.
2.
Verify the message in the Status field. When the connection is successful, the status displays as Registered. This indicates that Panorama and the NSX Manager are in sync and the VM‐Series firewall is registered as a service on the NSX Manager.
The unsuccessful status messages are:
• Not connected: Unable to reach/establish a network connection to the NSX Manager.
• Not authorized: The access credentials (username and/or password) are incorrect.
• Not registered: The service, service manager, or service profile is unavailable or was deleted on the NSX Manager.
• Out of sync: The configuration settings defined on Panorama are different from what is defined on the NSX Manager. Click the link for details on the reasons for failure. For example, the NSX Manager may have a service definition with the same name as one defined on Panorama. To fix the error, use the service definition name listed in the error message to validate the service definition on the NSX Manager. Until the configuration on Panorama and the NSX Manager is synchronized, you cannot add a new service definition on Panorama.
• No service/No service profile: Indicates an incomplete configuration on the NSX Manager.
If you make a change and need to manually sync, see (Optional) Synchronize the configuration between Panorama and the NSX Manager.
Step 5
Verify that the firewall is registered as a service on the NSX Manager.
1. On the vSphere web client, select Networking & Security > Service Definitions > Service Managers.
2. Verify that Palo Alto Networks displays as a vendor in the list of services available for installation.
Create Template(s), and Device Group(s) on Panorama
To manage the VM‐Series NSX edition firewalls using Panorama, the firewalls must belong to a device group and a template. Device groups allow you to assemble firewalls that need similar policies and objects as a logical unit; the configuration is defined using the Objects and Policies tabs on Panorama. You use Templates to configure the settings that are required for the VM‐Series firewalls to operate on the network; the configuration is defined using the Device and Network tabs on Panorama. At a minimum, you must create a zone within the template so that the NSX Manager can redirect traffic to the VM‐Series firewall. You can also use templates to define administrative access to the firewall or to define log settings and server profiles on the managed firewalls.
In each template, you must specify one or more zones of type NSX service profile so that the VM‐Series firewalls can receive traffic from the guests in the vSphere environment. Each NSX service profile zone becomes available as a service profile on the Service Composer on the NSX Manager. When you create an NSX service profile zone on Panorama, Panorama pushes the zone as a part of the template configuration to the firewall, and the firewall automatically creates a pair of virtual wire subinterfaces, for example ethernet1/1.3 and ethernet1/2.3, to isolate traffic for a tenant or sub‐tenant. On the firewall, you can then Create Policies to secure traffic that arrives on the virtual wire subinterface pair that maps to the zone. If you are new to Panorama, refer to the Panorama Administrator’s Guide for instructions on setting up Panorama.
Create a Device Group and a Template on Panorama
Step 1
Add a device group or a device group hierarchy.
1. Select Panorama > Device Groups, and click Add. You can also create a device group hierarchy.
2. Enter a unique Name and a Description to identify the device group.
3. Click OK.
After the firewalls are deployed and provisioned, they will display under Panorama > Managed Devices and will be listed in the device group.
4. Click Commit and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
Step 2
Add a template or a template stack.
1. Select Panorama > Templates, and click Add. You can also configure a template stack.
2. Enter a unique Name and a Description to identify the template.
3. Click OK.
4. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
Step 3
Create the NSX service profile zone(s) for each template. For a single‐tenant deployment, create one zone. If you have a multi‐tenant deployment, create a zone for each sub‐tenant.
You can add up to 32 zones in each template.
1. Select Network > Zones.
2. Select the correct template in the Template drop‐down.
3. Select Add and enter a zone Name.
4. Select the Service Profile Zone for NSX check box. This selection automatically sets the interface Type to Virtual Wire.
5. Click OK.
6. Verify that the zones are attached to the correct template.
7. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
Create the Service Definitions on Panorama
A service definition specifies the configuration for the VM‐Series firewalls installed on each host in an ESXi cluster. The service definition must include the device group, the license auth‐codes for deploying the VM‐Series firewalls, and a template with one or more NSX service profile zones. Typically, you create a service definition for the VM‐Series firewall in an ESXi cluster. If you have different ESXi clusters that have workloads that require the VM‐Series firewall to handle traffic differently, you can create multiple service definitions on Panorama.
On a Panorama commit, each service definition is registered on the NSX Manager. On registration with the NSX Manager, the NetX API implementation makes each zone (defined within the template) available for redirecting traffic. When you deploy the VM‐Series firewalls, you can select the profile name for the VM‐Series firewall(s) to which you want to redirect traffic from the objects in NSX security groups. The appropriately configured firewall can then inspect the traffic and enforce policy from the virtual machines that belong to the NSX security groups.
Create the Service Definition on Panorama
Step 1
Add a new service definition.
You can create up to 32 service definitions on Panorama.
1. Select Panorama > VMware Service Manager.
2. Select Add in the VMware Service Definitions section to create a new service definition. The maximum number of characters in a service definition name is 40.
On the NSX Manager, this service definition name displays in the Services column on Networking & Security > Service Definitions > Services.
3. (Optional) Add a Description that identifies the function or purpose for the VM‐Series firewalls that will be deployed using this service definition.
Step 2
Assign a device group and a template for the service definition.
Make sure to Create the NSX service profile zone(s) for each template.
Because the firewalls deployed in this solution will be centrally administered from Panorama, you must specify the Device Group and the Template that the firewalls belong to. All the firewalls that are deployed using this service definition belong to the specified template and device group.
1. Select the device group or device group hierarchy in the Device Group drop‐down.
2. Select the template or the template stack in the Template drop‐down.
You cannot reuse a template or a device group assigned to one service definition in another service definition.
Step 3
Specify the location of the OVF file. Download the zip file, unzip it, and save the extracted .ovf, .mf and .vmdk files in the same directory. All three files are used to deploy each instance of the firewall. If needed, modify the settings on the web server so that it serves these file types. For example, on an IIS server modify the MIME Types configuration; on an Apache server edit the .htaccess file.
In VM-Series OVF URL, enter the location on the web server that hosts the .ovf file. Both http and https are supported protocols. For example, enter https://acme.com/software/PA-VM-NSX.7.1.0.ovf
The NSX Manager fetches the package from this URL for every firewall it deploys, so host the files on a server you control, prefer https, and verify the extracted files against the .mf manifest before you publish them.
To deploy a multi‐tenant solution, the OVF file must be PAN‐OS 7.1.0 or a later version.
You can use the same OVF version or different versions across service definitions. Using different OVF versions across service definitions allows you to vary the PAN‐OS version on the VM‐Series firewalls in different ESXi clusters.
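An integrity check for the package you are about to host, added here as an example and not part of the guide or of any Palo Alto Networks tool: the .mf file is a standard OVF manifest, one `SHA1(<file>)= <digest>` or `SHA256(<file>)= <digest>` line per file, so every file in the directory can be verified against it before the web server is allowed to hand it to the NSX Manager. The .ovf name follows the URL in the step above; the disk filename and all file contents are constructed for the demonstration, and the tampered run simply appends bytes to the descriptor.

```python
import hashlib
import os
import re
import tempfile

# OVF manifest lines have the form "SHA256(<file>)= <hexdigest>" (older packages use SHA1).
_MF_LINE = re.compile(
    r"^\s*(?P<alg>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)\s*=\s*(?P<digest>[0-9A-Fa-f]+)\s*$"
)


def parse_manifest(text):
    """Return {filename: (hashlib algorithm name, expected hex digest)} from .mf text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MF_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % line)
        entries[m.group("name")] = (m.group("alg").lower(), m.group("digest").lower())
    return entries


def file_digest(path, algorithm):
    """Hash a file in chunks; the .vmdk is large, so never read it whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(directory):
    """Check every file listed in the single .mf file in `directory`.

    Returns (ok, problems); `problems` lists missing files and digest mismatches,
    so a package that fails its own manifest is never published.
    """
    manifests = [n for n in os.listdir(directory) if n.endswith(".mf")]
    if len(manifests) != 1:
        return False, ["expected exactly one .mf file, found %d" % len(manifests)]
    with open(os.path.join(directory, manifests[0])) as f:
        entries = parse_manifest(f.read())
    problems = []
    for name, (algorithm, expected) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append("missing: %s" % name)
        elif file_digest(path, algorithm) != expected:
            problems.append("digest mismatch: %s" % name)
    return not problems, problems


def build_demo_package(directory, tamper=False):
    """Write a constructed two-file package plus its manifest into `directory`.

    The descriptor name follows the URL in the guide; the disk name and the
    file contents are made up for this demonstration.
    """
    files = {
        "PA-VM-NSX.7.1.0.ovf": b"<Envelope>constructed OVF descriptor</Envelope>\n",
        "PA-VM-NSX.7.1.0-disk1.vmdk": b"KDMV constructed disk contents\n",
    }
    lines = []
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append("SHA256(%s)= %s" % (name, hashlib.sha256(data).hexdigest()))
    with open(os.path.join(directory, "PA-VM-NSX.7.1.0.mf"), "w") as f:
        f.write("\n".join(lines) + "\n")
    if tamper:
        # Simulate a descriptor that was altered after the manifest was produced.
        with open(os.path.join(directory, "PA-VM-NSX.7.1.0.ovf"), "ab") as f:
            f.write(b"<!-- injected -->\n")


def demo():
    """Verify a clean constructed package, then the same package after tampering."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_package(d)
        clean_ok, _ = verify_package(d)
        build_demo_package(d, tamper=True)
        tampered_ok, problems = verify_package(d)
    return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

Against a real download, call `verify_package()` on the directory you extracted the zip into and publish only when it returns `(True, [])`. If the web server then refuses to serve the extensions, that is the MIME-type adjustment the step above describes (on Apache an `AddType` line in `.htaccess` covering .ovf, .vmdk and .mf; on IIS the MIME Types list), not a problem with the package.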
Step 4
Add the authorization code to license the firewalls.
The auth‐code must be for the VM‐Series model NSX bundle; for example, PAN‐VM‐1000‐HV‐PERP‐BND‐NSX.
Verify that the order quantity/capacity is adequate to support the number of firewalls you need to deploy in your network.
Enter the auth‐code that you received with your order fulfillment email. You can use the same auth‐code or different auth‐codes across service definitions. The auth‐code is used to license each instance of the VM‐Series firewall.
On the support portal, you can view the total number of firewalls that you are authorized to deploy and the ratio of the number of licenses that have been used to the total number of licenses enabled by your auth‐code.
Step 5
Set up notification to different device groups as new virtual machines are provisioned or as changes occur on the network. To create context awareness between the virtual and security environments so that policy is consistently applied to all traffic steered to the firewalls, select the device groups to notify when there are changes in the virtual environment. Select each device group to which you want to enable notifications in the Notify Device Groups drop‐down. If a device group does not have a checkbox available, it means that the device group is automatically included by virtue of the device group hierarchy.
The firewalls included in the specified device groups receive a real‐time update of security groups and IP addresses. The firewalls use this update to determine the most current list of members that constitute dynamic address groups referenced in policy.
Step 6
Save the service definition.
1. Click OK.
2. Select Commit and Commit Type: Panorama.
Committing the changes triggers the process of registering each service definition as a security service on the NSX Manager.
Step 7
Verify that the service definition and the NSX service profile that you defined on Panorama are registered on the NSX Manager.
1. On the NSX Manager, to verify that the service definition is available, select Networking & Security > Service Definitions > Services. The service definition is listed as a Service on the NSX Manager.
2. To verify that the zones are available on the NSX Manager:
a. Select Networking and Security > Service Composer > Security Policies, and click Create Security Policy.
b. Select Network Introspection Services, and click Add.
c. In the Service Name drop‐down, select a Palo Alto Networks service that you verified in the step above.
d. In the Profile drop‐down, verify that you can view all the NSX service profile zones you defined for that service definition on Panorama.
Step 8
(Optional) Synchronize the configuration between Panorama and the NSX Manager.
If you add or update the service definitions configured on Panorama, select NSX Config Sync in the Operations section to synchronize the changes on the NSX Manager. This link is not available if you have any pending commits on Panorama.
If the synchronization fails, view the details to determine whether to fix the error on Panorama or on the NSX Manager. For example, if you delete a service definition on Panorama but the service definition cannot be deleted from the NSX Manager because it is referenced in a rule on the NSX Manager, the synchronization fails with an error message that indicates the reason.
Deploy the VM‐Series Firewall
After registering the VM‐Series firewall as a service (Palo Alto Networks NGFW) on the NSX Manager, complete the following tasks on the NSX Manager.
• Enable SpoofGuard
• Define an IP Address Pool (Required only if the management interface is not configured for DHCP)
• Prepare the ESXi Host for the VM‐Series Firewall
• Deploy the Palo Alto Networks NGFW Service
Support for vMotion of guest virtual machines in the vSphere/NSX Environment
When a guest VM is vMotioned from one host to another within a cluster, the target host NSX distributed firewall will steer all new sessions to the VM‐Series firewall on the destination host. To ensure that all active (existing sessions) remain uninterrupted during and after the guest vMotion, the NSX Manager polls the VM‐Series firewall for existing allowed sessions and then shares these sessions with the NSX distributed firewall on the destination host. All existing sessions that were allowed by the original VM‐Series will be allowed by the NSX distributed firewall (filtering module) on the destination host without steering to the target host VM‐Series firewall to prevent session loss.
The VM‐Series firewall runs as a service on each host of the cluster and therefore is never vMotioned.
Enable SpoofGuard
The NSX distributed firewall can only redirect traffic to the VM‐Series firewall when it matches an IP address that is known to the vCenter Server. This means that any non‐IP L2 traffic, or IP traffic that does not match the IP addresses known to the vCenter Server, will not match the redirection rules defined on the NSX Manager and will not be steered to the VM‐Series firewall. Therefore, to ensure that all traffic is correctly filtered, you need to perform the following steps:
• Enable SpoofGuard to prevent unknown IP traffic that might otherwise bypass the VM‐Series firewall. When SpoofGuard is enabled and the IP address of a virtual machine changes, traffic from the virtual machine is blocked until you inspect and approve the changed IP address in the NSX SpoofGuard interface.
• Configure the NSX firewall rules to block non‐IP L2 traffic that cannot be steered to the VM‐Series firewall.
vCenter uses VMware Tools to learn the IP address(es) of each guest. If VMware Tools is not installed on some of your guests, see Steer Traffic from Guests that are not Running VMware Tools.
Enable SpoofGuard and Block Non‐IP L2 Traffic
Step 1
Enable SpoofGuard for the port group(s) containing the guests. When enabled, for each network adapter, SpoofGuard inspects packets for the prescribed MAC and its corresponding IP address.
1. Select Networking and Security > SpoofGuard.
2. Click Add to create a new policy, and select the following options:
• SpoofGuard: Enabled
• Operation Mode: Automatically trust IP assignments on their first use.
• Allow local address as valid address in this namespace.
• Select Networks: Select the port groups to which the guests are connected.
Step 2
Select the IP protocols to allow.
1. Select Networking and Security > Firewall > Ethernet.
2. Add a rule that allows ARP, IPv4 and IPv6 traffic.
3. Add a rule that blocks everything else.
Define an IP Address Pool
You can configure the management interface on the VM‐Series firewall to use an IP address from a static IP pool or to be a DHCP client. If you opt to use an IP pool, which is a range of (static) IP addresses that are reserved for establishing management access to the VM‐Series firewalls, when the NSX Manager deploys a new VM‐Series firewall, the first available IP address from this range is assigned to the management interface of the firewall.
Define an IP Address Pool
Step 1
In the Networking & Security Inventory, select the NSX Manager, and double click to open the configuration details of the NSX Manager.
Step 2
Select Manage > Grouping Objects > IP Pools.
Step 3
Click Add IP Pool and specify the network access details requested in the screen including the range of static IP addresses that you want to use for the Palo Alto Networks NGFW.
Prepare the ESXi Host for the VM‐Series Firewall
Before you deploy the VM‐Series firewall, each host in the cluster must have the necessary NSX components that allow the NSX firewall and the VM‐Series firewall to work together. The NSX Manager installs the components required to deploy the VM‐Series firewall on each host; the installation, and the later deployment of the firewall VM itself, is driven by the vSphere ESX Agent Manager (EAM).
Prepare the ESXi Hosts for the VM‐Series Firewall
Step 1
On the NSX Manager, select Networking and Security > Installation > Host Preparation.
Step 2
Click Install and verify that the installation status is successful.
As new ESXi hosts are added to a cluster, this process is automated and the necessary NSX components are installed on each new host automatically.
Step 3
If the Installation Status is not ready or a warning displays on screen, click the Resolve link. To monitor the progress of the re‐installation attempt, click the More Tasks link and look for the successful completion of the following tasks:
Deploy the Palo Alto Networks NGFW Service
Use the following steps to automate the process of deploying an instance of the VM‐Series NSX edition firewall on each ESXi host in the specified cluster.
Deploy the Palo Alto Networks NGFW Service
Step 1
Select Networking and Security > Installation > Service Deployments.
Step 2
Click New Service Deployment (green plus icon), and select the service definition for the Palo Alto Networks next generation firewall you want to deploy, Palo Alto Networks NGFW service in this example. Click Next.
Step 3
Select the Datacenter and the cluster(s) on which the service will be deployed. One instance of the firewall will be deployed on each host in the selected cluster(s).
Step 4
Select the datastore from which to allocate disk space for the firewall. Select one of the following options depending on your deployment:
• If you have allocated shared storage for the cluster, select an available shared datastore.
• If you have not allocated shared storage for the cluster, select the Specified-on-host option. Be sure to select the storage on each ESXi host in the cluster. Also select the network that will be used for the management traffic on the VM‐Series firewall.
Step 5
Select the port group that provides management network traffic access to the firewall.
Step 6
Select the IP address pool assignment.
• Use IP Pool (Define an IP Address Pool ) from which to assign a management IP address for each firewall when it is being deployed.
• Use DHCP on the management interface.
If you use an IP pool, on deployment, the display name for the VM‐Series firewall on Panorama includes the hostname of the ESXi host, for example PA‐VM:ESX1.Sydney.
If you use DHCP, the display name for the VM‐Series firewall does not include the name of the ESXi host.
Step 7
Review the configuration and click Finish.
Step 8
Verify that the NSX Manager reports the Installation Status as Successful. This process can take a while; click the More tasks link on vCenter to monitor the progress of the installation. If the installation of VM‐Series fails, the error message is displayed on the Installation Status column. You can also use the Tasks tab and the Log Browser on the NSX Manager to view the details for the failure and refer to the VMware documentation for troubleshooting steps.
Step 9
Verify that the firewall is successfully deployed.
1. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
2. View the management IP address(es) and the PAN‐OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN‐OS software image and is automatically enabled when you launch the VM‐Series firewall. With VMware Tools, you can view resource utilization metrics on hard disk, memory, and CPU, and use these metrics to enable alarms or actions on the vCenter server. The heartbeats allow you to verify that the firewall is live and trigger actions to ensure high availability. You can also perform a graceful shutdown and restart of the firewall using the power off function on vCenter.
Step 10
Access the Panorama web interface to make sure that the VM‐Series firewalls are connected and synchronized with Panorama.
1. Select Panorama > Managed Devices to verify that the firewalls are connected and synchronized. If the firewall gets its IP address from an IP Pool, the Display Name for the firewall includes the hostname of the ESXi server on which it is deployed, for example PA‐VM:ESX1.Sydney. If the firewall gets a DHCP assigned IP address, the hostname of the ESXi server does not display.
2. Click Commit, and select Commit Type as Panorama.
A periodic Panorama commit is required to ensure that Panorama saves the device serial numbers to configuration. If you reboot Panorama without committing the changes, the managed devices will not connect back to Panorama; although the Device Group will display the list of devices, the devices will not display in Panorama > Managed Devices.
Step 11
Verify that the capacity license is applied and apply any additional licenses that you have purchased. At a minimum, you must activate the support license on each firewall.
When Panorama does not have internet access (Offline), you must manually license each firewall, and then add the serial number of the firewall to Panorama so that it is registered as a managed device, and can receive the template and device group settings from Panorama.
1. Select Panorama > Device Deployment > Licenses to verify that the VM‐Series capacity license is applied.
2. To apply additional licenses on the VM‐Series firewalls:
• Click Activate on Panorama > Device Deployment > Licenses.
• Find or filter for the firewall, and in the Auth Code column, enter the authorization code for the license to activate. Only one authorization code can be entered at a time, for each firewall.
3. Click Activate, and verify that the result of the license activation was successful.
Step 12
(Optional) Upgrade the PAN‐OS version on the VM‐Series firewalls, see Upgrade the PAN‐OS Software Version (NSX Edition).
Create Policies
The following topics describe how to create policies on the NSX Manager to redirect traffic to the VM‐Series firewall and how to create policies on Panorama and apply them on the VM‐Series firewall so that the VM‐Series firewall can enforce policy on the traffic that is redirected to it.
• Define Policies on the NSX Manager
• Apply Policies to the VM‐Series Firewall
Define Policies on the NSX Manager
In order for the VM‐Series firewall to secure the traffic, you must complete the following tasks:
• Set Up Security Groups on the NSX Manager
• Redirect Traffic to the VM‐Series Firewall
• Apply Policies to the VM‐Series Firewall
Set Up Security Groups on the NSX Manager
A security group is a logical container that assembles guests across multiple ESXi hosts in the cluster. Creating security groups makes it easier to manage and secure the guests; to understand how security groups enable policy enforcement, see Policy Enforcement using Dynamic Address Groups.
Set up Security Groups on the NSX Manager
Step 1
Select Networking and Security > Service Composer > Security Groups, and add a New Security Group.
Step 2
Add a Name and Description. This name will display in the match criteria list when defining dynamic address groups on Panorama.
Step 3
Select the guests that constitute the security group. You can either add members dynamically or statically. You can Define Dynamic Membership by matching on Security tags (recommended), or statically Select the Objects to Include. In the following screenshot, the guests that belong to the security group are selected using the Objects Type: Virtual Machine option.
Step 4
Review the details and click OK to create the security group.
Redirect Traffic to the VM‐Series Firewall
Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM‐Series firewall and Panorama. The default policy on the VM‐Series firewall is set to deny all traffic, which means that all traffic redirected to the VM‐Series firewall will be dropped. To create policies on Panorama and push them to the VM‐Series firewall, see Apply Policies to the VM‐Series Firewall.
Define NSX Firewall Rules to Redirect Traffic to the VM‐Series Firewall
Step 1
Select Networking and Security > Service Composer > Security Policies and click Create Security Policy.
Step 2
Add a rule Name.
Step 3
Add a network introspection service.
1. Select Network Introspection Services and click the green plus icon.
2. Name the network introspection service and add a Description.
3. Select Redirect to Service under Action.
4. Select your service definition under Service Name.
5. Select your service profile under Profile.
6. Select a Source and a Destination. By default, the traffic source is set to Policy’s Security Groups. This option dynamically includes all security groups to which this policy is applied. Alternatively, you can choose to have traffic from any source redirected to the firewall or specify certain security groups. However, vSphere requires that Source or Destination (or both) be set to Policy’s Security Groups. If you select Any or specific security groups for Destination, then Source must be set to Policy’s Security Groups.
7. (Optional) Select specific network services to be redirected to the firewall. If you choose one or more services, traffic for all other services is not redirected to the firewall.
8. Click OK.
9. Repeat the steps above to add additional network introspection services.
10. Click Finish to save your configuration.
Step 4
Apply redirection policy to security groups.
1. Highlight a security policy by clicking it.
2. Select Networking and Security > Service Composer > Security Policies and click Apply Security Policy.
3. Apply the redirection rules by checking all appropriate security groups.
4. Click OK.
Apply Policies to the VM‐Series Firewall
Now that you have created the security policies on the NSX Manager, the names of the security groups that are referenced in security policy will be available on Panorama. You can now use Panorama for centrally administering policies on the VM‐Series firewalls.
To manage centralized policy, you must first create dynamic address group(s) that match on the name of the security group(s) you defined on the NSX Manager. Then, you attach the dynamic address group as a source or destination address in security policy and push it to the firewalls; the firewalls can dynamically retrieve the IP addresses of the virtual machines that are included in each security group to enforce compliance for traffic that originates from or is destined to the virtual machines in the specified group.
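To make that mechanism concrete, here is an added example, written for this page and not code from Panorama or PAN‐OS, that resolves a dynamic address group the way the firewall does: it reads the IP‐to‐tag registrations, here a constructed response shaped like the output of the firewall’s operational command show object registered-ip all (the element layout is assumed from memory, not a captured response), and evaluates a match‐criteria filter in the 'tag' and 'tag' / 'tag' or 'tag' form that the Panorama dialog builds. The security group names and addresses are made up, and the choice that and binds tighter than or is an assumption of this evaluator.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the response to the PAN-OS operational command
# "show object registered-ip all" (structure assumed, not a captured response).
# Each tag stands for an NSX security group name the firewall learned via Panorama.
SAMPLE_REGISTERED_IP_XML = """<response status="success"><result>
<entry ip="10.5.1.21" from-agent="vmware"><tag><member>WebFrontEnd</member><member>Production</member></tag></entry>
<entry ip="10.5.1.22" from-agent="vmware"><tag><member>WebFrontEnd</member><member>Staging</member></tag></entry>
<entry ip="10.5.2.31" from-agent="vmware"><tag><member>AppServers</member><member>Production</member></tag></entry>
<entry ip="10.5.3.40" from-agent="vmware"><tag><member>Database</member></tag></entry>
<count>4</count></result></response>"""


def parse_registered_ips(xml_text):
    """Return {ip: set of tags} from a registered-ip response."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): {m.text for m in e.findall("tag/member") if m.text}
            for e in root.iter("entry")}


# Match criteria are quoted tag names joined by and/or, optionally parenthesised,
# e.g. "'WebFrontEnd' and 'Production'". Anything else is rejected, not guessed.
_TOKEN = re.compile(
    r"'(?P<tag>[^']*)'|(?P<paren>[()])|(?P<op>\band\b|\bor\b)|(?P<ws>\s+)|(?P<bad>.)",
    re.IGNORECASE)


def tokenize(criteria):
    tokens = []
    for m in _TOKEN.finditer(criteria):
        if m.group("ws"):
            continue
        if m.group("bad"):
            raise ValueError("unexpected character %r in match criteria" % m.group("bad"))
        if m.group("tag") is not None:
            tokens.append(("tag", m.group("tag")))
        elif m.group("paren"):
            tokens.append(("paren", m.group("paren")))
        else:
            tokens.append(("op", m.group("op").lower()))
    return tokens


class _Parser:
    """Recursive descent over the tokens. 'and' is taken to bind tighter than 'or'
    (an assumption of this example; use parentheses in real criteria to be explicit)."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == ("op", "and"):
            self.take()
            node = ("and", node, self.parse_atom())
        return node

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of match criteria")
        if tok[0] == "tag":
            return tok
        if tok == ("paren", "("):
            node = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        raise ValueError("unexpected token %r" % (tok,))


def _matches(node, tags):
    if node[0] == "tag":
        return node[1] in tags
    left, right = _matches(node[1], tags), _matches(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


def resolve_dag(criteria, registered):
    """Sorted IPs whose registered tags satisfy the dynamic address group criteria."""
    parser = _Parser(tokenize(criteria))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in match criteria")
    return sorted(ip for ip, tags in registered.items() if _matches(tree, tags))


if __name__ == "__main__":
    registered = parse_registered_ips(SAMPLE_REGISTERED_IP_XML)
    for criteria in ("'WebFrontEnd' or 'AppServers'",
                     "'WebFrontEnd' and 'Production'",
                     "('WebFrontEnd' or 'AppServers') and 'Production'"):
        print(criteria, "->", resolve_dag(criteria, registered))
```

The point to take from running it is that an address group built with Or widens as soon as a guest is added to any of the named security groups, while one built with And only admits guests carrying every tag; a VM that the NSX Manager moves between security groups changes membership, and therefore which rules match, without any commit on Panorama. The same resolution is what the Inspect link on the firewall shows you in the verification steps later in this section.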
Define Policy on Panorama
Step 1
Create dynamic address groups.
1.
Log in to the Panorama web interface.
2.
Select Objects > Address Groups.
3.
Select the Device Group that you created for managing the VM‐Series NSX edition firewalls in Register the VM‐Series Firewall as a Service on the NSX Manager.
4.
Click Add and enter a Name and a Description for the address group.
5.
Select Type as Dynamic.
6.
Click Add Match Criteria. Select the And or Or operator and select the security group name(s) to match against. The security groups that display in the match criteria dialog are derived from the groups you defined on the Distributed Firewall Partner Security Services or on the Service Composer on the NSX Manager. Only the security groups that are referenced in the security policies and from which traffic is redirected to the VM‐Series firewall are available here.
7.
Click OK.
8.
Repeat Steps 4‐7, to create the appropriate number of dynamic address groups for your network.
9.
Click Commit.
Step 2
Create security policy rules.
1. Select Policies > Security > Prerules.
2. Select the Device Group that you created for managing the VM‐Series NSX edition firewalls in Register the VM‐Series Firewall as a Service on the NSX Manager.
3. Click Add and enter a Name and a Description for the rule. In this example, the security rule allows all traffic between the WebFrontEnd servers and the Application servers.
4. Select the Source Zone and Destination Zone. The zone name must be the same in both columns.
5. For the Source Address and Destination Address, select or type in an address, address group, or region. In this example, we select an address group, the dynamic address group you created in Step 1 above.
6. Select the Application to allow. In this example, we create an Application Group that includes a static group of specific applications.
a. Click Add and select New Application Group.
b. Click Add to select the applications to include in the group. In this example, we select the following:
c. Click OK to create the application group.
7. Specify the action—Allow or Deny—for the traffic, and optionally attach the default security profiles for antivirus, anti‐spyware, and vulnerability protection under Profiles.
8. Repeat Steps 3‐7 above to create the pertinent policy rules.
9. Click Commit, select Commit Type as Panorama, and click OK.
Step 3
Apply the policies to the VM‐Series NSX edition firewalls.
1. Click Commit, and select Commit Type as Device Groups. Select the device group, NSX Device Group in this example, and click OK.
2. Verify that the commit is successful.
Step 4
Validate that the members of the dynamic address group are populated on the VM‐Series firewall.
1. From Panorama, switch device context to launch the web interface of a firewall to which you pushed policies.
2. On the VM‐Series firewall, select Policies > Security, and select a rule.
3. Select the drop‐down arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
4. Click the more link and verify that the list of registered IP addresses is displayed. Policy will be enforced for all IP addresses that belong to this address group and are displayed here.
Step 5
(Optional) Use a template to push a base configuration for network and device settings such as DNS server, NTP server, Syslog server, and login banner.
Refer to the Panorama Administrator’s Guide for information on using templates.
Step 6
Create a Zone Protection profile and attach it to a zone.
A zone protection profile provides flood protection and has the ability to protect against port scanning, port sweeps, and packet‐based attacks. It allows you to secure intra‐tier and inter‐tier traffic between virtual machines within your data center and traffic from the Internet that is destined to the virtual machines (workloads) in your data center.
1. Select your Template.
2. Select Network > Network Profiles > Zone Protection to add and configure a new profile.
3. Select Network > Zones, click the default‐zone listed, and select the profile in the Zone Protection Profile drop‐down.
Step 7
Create a DoS Protection profile and attach it to a DoS Protection policy rule.
1. Select your Device Group.
2. Select Objects > Security Profiles > DoS Protection to add and configure a new profile.
• A classified profile allows the creation of a threshold that applies to a single source IP. For example, you can configure a maximum session rate for an IP address that matches the policy, and then block that single IP address once the threshold is triggered.
• An aggregate profile allows the creation of a maximum session rate for all packets matching the policy. The threshold applies to the new session rate for all IP addresses combined. Once the threshold is triggered, it affects all traffic that matches the policy.
3. Create a new DoS Protection policy rule in Policy > DoS Protection, and attach the new profile to it.
Steer Traffic from Guests that are not Running VMware Tools
VMware Tools contains a utility that allows the NSX Manager to collect the IP address(es) of each guest running in the cluster. The NSX Manager uses the IP address as a match criterion to steer traffic to the VM‐Series firewall. If you do not have VMware Tools installed on each guest, the IP address(es) of the guest are unavailable to the NSX Manager and traffic cannot be steered to the VM‐Series firewall. The following steps allow you to manually provision guests without VMware Tools so that traffic from each of these guests can be managed by the VM‐Series firewall.
Steer Traffic from Guests that are not Running VMware Tools
Step 1
Create an IP set that includes the guests that need to be secured by the VM‐Series firewall. This IP set will be used as the source or destination object in an NSX distributed firewall rule in Step 4 below.
1. Select NSX Managers > Manage > Grouping Objects > IP Sets.
2. Click Add and enter the IP address of each guest that does not have VMware Tools installed and needs to be secured by the VM‐Series firewall. Use commas to separate individual IP addresses; IP ranges or subnets are not valid.
Step 2
Verify that SpoofGuard is enabled. If it is not enabled, see Enable SpoofGuard.
Step 3
Manually approve the IP address(es) for each guest in SpoofGuard; this validates that the approved IP address is the accurate address for that network adapter. For a manually‐configured IP address, make sure to add the IP address to the IP set before approving it in SpoofGuard.
1. Select the SpoofGuard policy you created earlier and View: Inactive Virtual NICs.
2. Select the guest, add the IP address in the Approved IP field, and Publish the changes.
3. Review and approve all previously approved IP addresses too.
Step 4
Attach the IP sets to the Security Groups on NSX to enforce policy.
1. Select Networking and Security > Service Composer > Security Groups.
2. Under Select objects to include, select IP Sets and add the IP set object to include.
Use Case: Shared Compute Infrastructure and Shared Security Policies
This use case allows you to logically isolate traffic from two tenants that share an ESXi cluster and have a common set of security policies. In order to isolate traffic from each tenant, you need to create a service definition with a template that includes two zones. Zone‐based traffic separation makes it possible to distinguish traffic between virtual machines that belong to separate tenants as it traverses the firewall. The firewall distinguishes traffic between tenant virtual machines based on the service profiles and security groups created on the NSX Manager, which are available as match criteria in dynamic address groups on the firewall. Therefore, even with overlapping IP addresses, you can segregate traffic from each tenant and secure each tenant’s virtual machines using zone‐based policy rules (source and destination zones must be the same) and dynamic address groups.
VM‐Series NSX Edition Firewall—Per Tenant Zone with Unified Security Policy on Shared Infrastructure
Step 1
Enable Communication Between the NSX Manager and Panorama.
This is a one‐time task and is required if you have not enabled access between the NSX Manager and Panorama.
Step 2
Create Template(s) and Device Group(s) on Panorama.
1. Log in to the Panorama web interface.
2. Select Panorama > Templates to add a template. This use case has a template named NSX‐Template.
3. Select Panorama > Device Groups and add a device group. This use case has a device group named NSX‐DG.
4. Create two NSX service profile zones within the template. To isolate traffic for each tenant, you need two zones in this use case.
a. Select Network > Zones.
b. Select the correct template in the Template drop‐down.
c. Select Add and enter a zone Name. For example, Tenant1.
d. Select the Service Profile Zone for NSX check box. This selection automatically sets the interface Type to Virtual Wire. Click OK.
e. Repeat the steps to add another zone, for example, Tenant2.
f. Verify that the zones are attached to the correct template.
Step 3
Create the Service Definitions on Panorama.
1. Select Panorama > VMware Service Manager.
2. Select Add in the VMware Service Definition section and fill in the details.
3. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
Step 4
Prepare the ESXi Host for the VM‐Series Firewall.
The ESXi hosts in the cluster must have the necessary NSX components that allow the NSX firewall and the VM‐Series firewall to work together. The NSX Manager will install the components—the Ethernet Adapter Module (.eam) and the SDK—required to deploy the VM‐Series firewall.
Step 5
Deploy the Palo Alto Networks NGFW Service.
1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), select the service definition for the Palo Alto Networks next generation firewall you want to deploy (Palo Alto Networks NGFW Test 1 in this example), make your selections, including the appropriate ESXi cluster to which you want to deploy the firewall, and click Finish.
3. Verify that the NSX Manager reports the Installation Status as Successful.
4. Verify that the VM‐Series firewall is successfully deployed.
a. On the vCenter server, select Hosts and Clusters to check that every host in the cluster(s) has one instance of the firewall.
b. View the management IP address(es) and the PAN‐OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN‐OS software image and is automatically enabled when you launch the VM‐Series firewall.
Step 6
Define Policies on the NSX Manager.
Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM‐Series firewall and Panorama. The default policy on the VM‐Series firewall is set to deny all traffic, which means that all traffic redirected to the VM‐Series firewall will be dropped.
1. Select Networking and Security > Service Composer > Security Groups, and add new NSX Security Groups for each tenant’s virtual machines. For example, this use case has two security groups per tenant: one security group for the web servers and the other for the application servers.
2. Select Networking and Security > Firewall > Configuration, and click Partner Security Services to set up redirection rules for sending traffic to the VM‐Series firewall. You will select the service profile associated with each tenant for which you want to redirect traffic.
The service profile names on the NSX Manager must match the zone names you defined in the template on Panorama.
Step 7
Apply Policies to the VM‐Series Firewall.
1. Create dynamic address groups for each tenant on Panorama. The dynamic address group(s) match on the name of the security group(s) you defined on the NSX Manager.
a. On Panorama, select Objects > Address Groups.
b. Select the correct Device Group from the drop‐down and click Add.
c. Add a Name for the address group, set Type as Dynamic, and Add Match Criteria. Verify that you select the correct tags for each tenant; each tag includes the service profile ID, the security group name, and the security group ID. For example, for this use case there are four dynamic address groups:
2. On Panorama, create security policy rules, use the dynamic address groups as source or destination address objects in the rules, and push them to the firewalls.
a. Select Policies > Security > Prerules and click Add.
b. Create rules for each tenant. This use case has the following policy rules:
3. Click Commit, and select Commit Type as Device Groups. Select the device group, NSX‐DG in this example, and click OK.
Step 8
Verify that traffic from each tenant is secured.
1. Log in to the CLI on the firewall and enter the following command to view the subinterfaces on the firewall:
show interface all
total configured hardware interfaces: 2
name            id    speed/duplex/state   mac address
-------------------------------------------------------------
ethernet1/1     16    auto/auto/up         d4:f4:be:c6:af:10
ethernet1/2     17    auto/auto/up         d4:f4:be:c6:af:11
aggregation groups: 0
total configured logical interfaces: 6
name                id     vsys zone       forwarding
------------------- ------ ---- ---------- ----------------
ethernet1/1         16     1               vwire:ethernet1/2
ethernet1/1.3       4099   1    TENANT-1   vwire:ethernet1/2.3
ethernet1/1.4       4100   1    TENANT-2   vwire:ethernet1/2.4
ethernet1/2         17     1               vwire:ethernet1/1
ethernet1/2.3       4355   1    TENANT-1   vwire:ethernet1/1.3
ethernet1/2.4       4356   1    TENANT-2   vwire:ethernet1/1.4
2. On the web interface of the VM‐Series firewall, select Objects > Address Groups and verify that you can view the IP addresses of the members of each Dynamic Address Group. The following is an example of duplicate IP addresses in dynamic address groups across both tenants.
3. View the ACC and Monitor > Logs > Traffic. Filter on the zone name to ensure that traffic from the virtual machines for each tenant is secured.
Use Case: Shared Security Policies on Dedicated Compute Infrastructure
If you are a Managed Service Provider who needs to secure a large enterprise (tenant) with multiple departments (sub‐tenants), and each tenant requires dedicated compute infrastructure and security policy rules, you need to create a service definition for each tenant. In this use case, each tenant—BMW and Toyota—has a dedicated ESXi cluster, and each tenant has sub‐tenants—Dev, QA, and Prod—whose workloads are deployed in the cluster. You need to define two service definitions so that the VM‐Series firewalls for each tenant can enforce Security policies for their respective ESXi clusters. The service definition for each tenant includes multiple zones (with corresponding virtual wire subinterface pairs) for isolating traffic from each sub‐tenant. Each zone is mapped to a service profile on the NSX Manager, which allows the firewall to distinguish traffic from the virtual machines of each sub‐tenant and to enforce zone‐based security policy rules within the common set of policy rules for the tenant. Zone‐based policies in combination with dynamic address groups also allow you to secure sub‐tenants that may have overlapping networks, and hence duplicate IP addresses. To uniquely identify the virtual machines assigned to each sub‐tenant and successfully enforce policy, the NSX Manager provides the service profile and security group to which a virtual machine belongs as match criteria in dynamic address groups on Panorama. For more information, see Policy Enforcement using Dynamic Address Groups.
You can also configure role‐based access control using access domains on Panorama. Access domains allow you to control administrative access to specific device groups (to manage policies and objects) and templates (to manage network and device settings), so that each tenant administrator can manage the configuration for their VM‐Series firewalls. Role‐based access also allows you to limit log visibility for the respective tenant only.
VM‐Series NSX Edition Firewall—Per Tenant Security Policy on Dedicated Infrastructure
Step 1
Enable Communication Between the NSX Manager and Panorama.
This is a one‐time task and is required if you have not enabled access between the NSX Manager and Panorama.
Step 2
Create Template(s) and Device Group(s) on Panorama.
1. Log in to the Panorama web interface.
2. Select Panorama > Templates to add templates. This use case has two templates named NSX‐Template‐TOYOTA and NSX‐Template‐BMW.
3. Select Panorama > Device Groups and add device groups. This use case has two device groups named NSX‐DG‐BMW and NSX‐DG‐TOYOTA.
4. Create NSX service profile zones within each template. To isolate traffic for each tenant in this use case, you need three zones for each tenant.
a. Select Network > Zones.
b. Select a template in the Template drop‐down.
c. Select Add and enter a zone Name. For example, Tenant1.
d. Select the Service Profile Zone for NSX check box. This selection automatically sets the interface Type to Virtual Wire. Click OK.
e. Repeat steps a‐d to add additional zones for each sub‐tenant.
f. Verify that the zones are attached to the correct template.
5. Repeat step 4 for the other template.
Step 3
Create the Service Definitions on Panorama.
1. Select Panorama > VMware Service Manager.
2. Select Add in the VMware Service Definition section. Fill in the details for the service definition for each tenant. In this example, the two service definitions are Palo Alto Networks ‐ Toyota and Palo Alto Networks ‐ BMW.
3. Click Commit, and select Panorama as the Commit Type to save the changes to the running configuration on Panorama.
Step 4
Prepare the ESXi Host for the VM‐Series Firewall.
The ESXi hosts in the cluster must have the necessary NSX components that allow the NSX firewall and the VM‐Series firewall to work together. The NSX Manager will install the components—the Ethernet Adapter Module (.eam) and the SDK—required to deploy the VM‐Series firewall.
Step 5
Deploy the Palo Alto Networks NGFW Service.
1. Select Networking and Security > Installation > Service Deployments.
2. Click New Service Deployment (green plus icon), select the service definition for the Palo Alto Networks next generation firewall you want to deploy (Palo Alto Networks NGFW Test 1 in this example), make your selections, and click Finish.
3. Verify that the NSX Manager reports the Installation Status as Successful.
4. Verify that the VM‐Series firewall is successfully deployed.
a. On the vCenter server, select Hosts and Clusters to check that every host in each cluster has one instance of the firewall.
b. View the management IP address(es) and the PAN‐OS version running on the firewall directly from the vCenter server. VMware Tools is bundled with the PAN‐OS software image and is automatically enabled when you launch the VM‐Series firewall.
Step 6
Define Policies on the NSX Manager.
Do not apply the traffic redirection policies unless you understand how rules work on the NSX Manager as well as on the VM‐Series firewall and Panorama. The default policy on the VM‐Series firewall is set to deny all traffic, which means that all traffic redirected to the VM‐Series firewall will be dropped.
1. Select Networking and Security > Service Composer > Security Groups, and add new NSX Security Groups for each tenant’s virtual machines. For example, this use case has nine security groups for each tenant. Each sub‐tenant has three security groups: one for the application servers, one for the database servers, and a third for the web servers.
2. Select Networking and Security > Firewall > Configuration, and click Partner Security Services to set up redirection rules for sending traffic to the VM‐Series firewall. You will select the service definition and the service profile associated with each tenant for which you want to redirect traffic.
The service profile names on the NSX Manager must match the zone names you defined in the template on Panorama.
Step 7
Apply Policies to the VM‐Series Firewall.
1. Create dynamic address groups for each sub‐tenant on Panorama. The dynamic address group(s) match on the name of the security group(s) you defined on the NSX Manager.
a. On Panorama, select Objects > Address Groups.
b. Select a Device Group from the drop‐down and click Add.
c. Add a Name for the address group, set Type as Dynamic, and Add Match Criteria. For ease of managing these groups, use the same name for the dynamic address group as that of the security group on the NSX Manager.
d. Create the dynamic address groups for the sub‐tenants of the other tenant, BMW in this example.
2. On Panorama, create Security policies, use the dynamic address groups as source or destination address objects in the security policy rules, and push them to the firewalls.
a. Select Policies > Security > Pre Rules.
b. Select a Device Group from the drop‐down and click Add.
c. Create rules for each sub‐tenant. Make sure to keep the source and destination zone the same in a policy rule. To ensure that only the application that is running on the server is allowed, allow the service on the application‐default port only. This use case has the following policy rules for the tenant Toyota:
3. Select the other Device Group from the drop‐down and create the Security policies for each sub‐tenant of the other tenant, BMW in this example.
4. Click Commit, and select Commit Type as Device Groups. Select the device groups, NSX‐DG‐BMW and NSX‐DG‐TOYOTA in this example, and click OK. The commit pushes the Security policies to the firewalls that belong to each device group, and they can enforce policy on the traffic redirected by the NSX Manager.
Step 8
Verify that traffic from each tenant is secured.
1. On Panorama, go to Monitor > Logs > Traffic and Monitor > Logs > Threat to view the Traffic logs and Threat logs. Select the device group for a tenant and sort on the Zone name for full visibility into traffic from each sub‐tenant.
2. On Panorama, use the ACC for visibility into traffic patterns and actionable information on threats. Use the widgets and filters to interact with the data on the ACC.
3. On the VM‐Series firewall, select Objects > Address Groups to view the IP addresses of the members of each Dynamic Address Group.
Step 9
(Optional) Enable role‐based access for tenant administrators to manage the configuration and policies for the VM‐Series firewalls.
1. Create an access domain. An access domain allows you to restrict admin access to a specific device group and template. In this example, you create two access domains and restrict access to the device group and template for the respective tenant.
2. Configure an admin role of type Device Group and Template and allow the administrator to manage the access domain. The administrator can only manage the firewalls that belong to the access domain.
3. Create an administrative account and associate the access domain and admin role with the account.
Dynamic Address Groups—Information Relay from NSX Manager to Panorama
To enforce security policies in a VM‐Series and NSX integrated data center, Panorama must be able to obtain information on changes in the virtual landscape. As new virtual machines are deployed, changed, or deleted, the NSX Manager informs Panorama of the IP addresses added to or removed from security groups on the NSX Manager. Panorama, in turn, pushes this information to the VM‐Series firewalls. Dynamic address groups referenced in firewall policies match against this information to determine the members that belong to the group. This process allows the firewall to enforce context‐aware security policy, which secures traffic to and from these virtual machines. For details on dynamic address groups, see Policy Enforcement using Dynamic Address Groups.
The following diagram illustrates how the information is relayed from the NSX Manager to Panorama.
To understand this process, let’s trace the information update sent from the NSX Manager to Panorama when a new server is added to a security group. Use the elements highlighted within the output in each phase of this example to troubleshoot where the process failed.
Information Relay from the NSX Manager to Panorama
Step 1
Log in to the Command Line Interface on Panorama.
To view the updates in real‐time, log in to the Panorama CLI.
Step 1
Verify that the request from the NSX Manager is routed to the web server on Panorama.
To check the webserver‐log on Panorama during an NSX Security Group update, use the following command:
admin@Panorama> tail follow yes webserver-log cmsaccess.log
127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "POST /unauth/php/RestApiAuthenticator.php HTTP/1.1" 200 433
127.0.0.1 - - [Wed Dec 03 14:24:11 2014 PST] "PUT /api/index.php?client=wget&file-name=dummy&type=vmware/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset HTTP/1.0" 200 446
If your output does not include the elements above, check for routing issues. Ping the Panorama from the NSX Manager and check for ACLs or other network security devices that might be blocking the communication between the NSX Manager and Panorama.
Step 2
Verify that the request is parsed by the PHP daemon on Panorama.
1. Enable debug using the following URL: https://<Panorama_IP>/php/utils/debug.php
2. From the CLI, enter the following command to view the logs generated by the PHP server:
admin@Panorama> tail follow yes mp-log php.debug.log
[2014/12/03 14:24:11]
<request cmd="op" cookie="0604879067249569" refresh="no">
<operations xml="yes">
<show>
<cli>
...
<request>
<partner>
<vmware-service-manager>
<update>
<method>PUT</method>
<type>update</type>
<username>_vsm_admin</username>
<password>4006474760514053</password>
<url>/vmware/2.0/si/serviceprofile/serviceprofile1/containerset</url>
<data><![CDATA[<containerSet><container><id>securitygroup-10</id><name>WebServers</name><description></description><revision>8</revision><type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address><address>15.0.0.203</address><address>15.0.0.202</address></container></containerSet>]]></data>
</update>
</vmware-service-manager>
</partner>
</request>
</operations>
</request>
Step 3
The information is processed by the Management server on Panorama.
1. Enable debugging on the management server using the following command:
admin@Panorama> debug management-server on debug
2. Enter the following command to view the configd log:
admin@Panorama> tail follow yes mp-log configd.log
3. In the output, check that the update was relayed from the PHP daemon to the management server daemon.
2014-12-03 14:24:11.143 -0800 debug: pan_job_progress_monitor(pan_job_mgr.c:3694): job-monitor: updated 0 jobs
……
2014-12-03 14:24:11.641 -0800 debug: recursive_add_params(pan_op_ctxt.c:158): > 'url'='/vmware/2.0/si/serviceprofile/serviceprofile-1/containerset'
2014-12-03 14:24:11.641 -0800 debug: recursive_add_params(pan_op_ctxt.c:158): > 'data'='<containerSet><container><id>securitygroup-10</id><name>WebServers</name><description></description><revision>8</revision><type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address><address>15.0.0.203</address><address>15.0.0.202</address></container></containerSet>'
2014-12-03 14:24:11.641 -0800 Received vshield update: PUT /vmware/2.0/si/serviceprofile/serviceprofile-1/containerset
Received dynamic address update from VSM:
<request cmd='op' cookie='0604879067249569' client="xmlapi"><operations xml='yes'><request>
<partner>
<vmware-service-manager>
<update>
<method>PUT</method>
<type>update</type>
<username>_vsm_admin</username>
<password>4006474760514053</password>
<url>/vmware/2.0/si/serviceprofile/serviceprofile1/containerset</url><data><![CDATA[<containerSet><container><id>securitygroup-10</id><name>WebServers</name><description></description><revision>8</revision><type>IP</type><address>10.3.4.185</address><address>10.3.4.186</address><address>15.0.0.203</address><address>15.0.0.202</address></container></containerSet>]]>
</data>
</update>
4. Look for the list of IP addresses and security group tags.
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 10.3.4.185
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 15.0.0.202
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: DomainControllers-securitygroup-16
2014-12-03 14:24:11.647 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 15.0.0.201
2014-12-03 14:24:11.648 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SQLServers-securitygroup-11
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServers-securitygroup-13
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 10.3.4.187
2014-12-03 14:24:11.665 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: SharePointServers-securitygroup-13
...
5. Finally, verify that the update was relayed from the management server daemon to the managed firewalls.
Send to device: 007900002079 [UNREG: 0; REG: 2] with dynamic address update : <request cmd='op' cookie='0604879067249569' target-
….
<register>
<entry ip="15.0.0.203">
<tag>
<member>WebServers-securitygroup-10</member>
</tag>
</entry>
<entry ip="10.3.4.186">
<tag>
<member>WebServers-securitygroup-10</member>
</tag>
</entry>
</register>
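The three log fragments in steps 3 to 5 can be cross-checked mechanically instead of by eye. The following Python is an added example for this walkthrough; it is not code from the Deployment Guide or from Palo Alto Networks. Its inputs are constructed from the sample output above: the containerSet XML that NSX Manager sent, a few of the pan_cfg_mongo_sel_ip_taglist_by_tag_rev debug lines, and the <register> block Panorama pushed to the firewall. The tag format '<name>-<id>' (for example WebServers-securitygroup-10) is taken from the tags that appear in the log; the assumption that each 'ip:' debug line is followed by the 'tag:' lines for that address is inferred from the same output.

```python
"""Cross-check an NSX containerSet update against Panorama's tag table and device push.

Added example; not code from the Deployment Guide or Palo Alto Networks.
All sample data below is constructed from the mp-log excerpts shown in the
walkthrough (steps 3, 4 and 5).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the containerSet payload carried in the 'data' parameter (step 3)
CONTAINER_SET_XML = (
    "<containerSet><container><id>securitygroup-10</id><name>WebServers</name>"
    "<description></description><revision>8</revision><type>IP</type>"
    "<address>10.3.4.185</address><address>10.3.4.186</address>"
    "<address>15.0.0.203</address><address>15.0.0.202</address>"
    "</container></containerSet>"
)

# Constructed sample: configd debug lines (step 4); assumption: each 'ip:' line is
# followed by the 'tag:' lines that belong to that address
MP_LOG = """\
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 10.3.4.185
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3721): ip: 15.0.0.202
2014-12-03 14:24:11.646 -0800 debug: pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: WebServers-securitygroup-10
pan_cfg_mongo_sel_ip_taglist_by_tag_rev(src_cms/pan_cfg_mongo_tables.c:3738): tag: DomainControllers-securitygroup-16
"""

# Constructed sample: the register block pushed to the managed firewall (step 5)
REGISTER_XML = """\
<register>
<entry ip="15.0.0.203"><tag><member>WebServers-securitygroup-10</member></tag></entry>
<entry ip="10.3.4.186"><tag><member>WebServers-securitygroup-10</member></tag></entry>
</register>"""

IP_LINE = re.compile(r"\bip: (\S+)\s*$")
TAG_LINE = re.compile(r"\btag: (\S+)\s*$")


def expected_tags(container_set_xml):
    """Map every address of each IP-type container to the tag '<name>-<id>'."""
    root = ET.fromstring(container_set_xml)  # parses log data you captured yourself
    expected = {}
    for container in root.findall("container"):
        if container.findtext("type") != "IP":
            continue
        tag = f"{container.findtext('name')}-{container.findtext('id')}"
        for addr in container.findall("address"):
            expected.setdefault(addr.text.strip(), set()).add(tag)
    return expected


def taglist_from_mp_log(text):
    """Rebuild Panorama's ip -> {tags} table from the step 4 debug lines."""
    table, current = {}, None
    for line in text.splitlines():
        m = IP_LINE.search(line)
        if m:
            current = m.group(1)
            table.setdefault(current, set())
            continue
        m = TAG_LINE.search(line)
        if m and current is not None:
            table[current].add(m.group(1))
    return table


def pushed_tags(register_xml):
    """Map ip -> {tags} from the <register> block sent to the firewall."""
    root = ET.fromstring(register_xml)
    return {e.get("ip"): {m.text for m in e.findall("tag/member")}
            for e in root.findall("entry")}


def missing_registrations(container_set_xml, register_xml):
    """Addresses and tags that NSX sent but that this device push did not register."""
    pushed = pushed_tags(register_xml)
    missing = {}
    for ip, tags in expected_tags(container_set_xml).items():
        absent = tags - pushed.get(ip, set())
        if absent:
            missing[ip] = absent
    return missing


if __name__ == "__main__":
    print("Panorama tag table:", taglist_from_mp_log(MP_LOG))
    print("Not in this push:", missing_registrations(CONTAINER_SET_XML, REGISTER_XML))
```

With the sample data, two of the four addresses NSX sent are absent from the push (the sample output elides part of the message with "….", and REG: 2 counts only the entries shown), so a non-empty result is a prompt to read the full configd log for the remaining entries rather than proof of a fault.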
Set Up the VM‐Series Firewall in AWS
The VM‐Series firewall can be deployed in the public Amazon Web Services (AWS) cloud and AWS GovCloud. It can then be configured to secure access to the applications that are deployed on EC2 instances and placed into a Virtual Private Cloud (VPC) in AWS.
• About the VM‐Series Firewall in AWS
• Deployments Supported in AWS
• Deploy the VM‐Series Firewall in AWS
• High Availability for VM‐Series Firewall in AWS
• Use Case: Secure the EC2 Instances in the AWS Cloud
• Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
• Use Case: VM‐Series Firewalls as GlobalProtect Gateways in AWS
• Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS
• Auto Scale VM‐Series Firewalls with the Amazon ELB
• List of Attributes Monitored on the AWS VPC
About the VM‐Series Firewall in AWS
Amazon Web Services (AWS) is a public cloud service that enables you to run your applications on a shared infrastructure managed by Amazon. These applications can be deployed on scalable computing capacity (EC2 instances) in different AWS regions and accessed by users over the internet. For networking consistency and ease of management of EC2 instances, Amazon offers the Virtual Private Cloud (VPC). A VPC is apportioned from the AWS public cloud and is assigned a CIDR block from the private network space (RFC 1918). Within a VPC, you can carve out public/private subnets for your needs and deploy the applications on EC2 instances within those subnets. To then enable access to the applications within the VPC, you can deploy the VM‐Series firewall on an EC2 instance. The VM‐Series firewall can then be configured to secure traffic to and from the EC2 instances within the VPC. The VM‐Series firewall is available in both the public AWS cloud and in AWS GovCloud. The VM‐Series firewall in public AWS supports the Bring Your Own License (BYOL) model and the hourly Pay‐As‐You‐Go (PAYG) usage‐based licensing model that you can purchase from the AWS Marketplace. Because AWS GovCloud does not have a Marketplace, the VM‐Series firewall is available only in the bring your own license (BYOL) option in AWS GovCloud; the usage‐based (hourly or annual) options are not available in AWS GovCloud. For licensing details, see VM‐Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
• VM‐Series Firewall in AWS GovCloud
• AWS Terminology
• Management Interface Mapping for Use with Amazon ELB
VM‐Series Firewall in AWS GovCloud
AWS GovCloud is an isolated AWS region that meets the regulatory and compliance requirements of US government agencies and customers. To secure your workloads that contain all categories of Controlled Unclassified Information (CUI) data and government‐oriented, publicly available data in the AWS GovCloud (US) Region, the VM‐Series firewall provides the same robust security features in the standard AWS public cloud and in AWS GovCloud. The only difference is how you obtain the AMI in AWS GovCloud to Deploy the VM‐Series Firewall in AWS. Because AWS GovCloud does not have a Marketplace, the VM‐Series firewall is available only in the bring your own license (BYOL) option in AWS GovCloud; the usage‐based (hourly or annual) options are not available in AWS GovCloud.
AWS Terminology
This document assumes that you are familiar with the networking and configuration of the AWS VPC. In order to provide context for the terms used in this section, here is a brief refresher on the AWS terms (some definitions are taken directly from the AWS glossary) that are referred to in this document:
Term
Description
EC2
Elastic Compute Cloud
A web service that enables you to launch and manage Linux/UNIX and Windows server instances in Amazon's datacenters.
AMI
Amazon Machine Image
An AMI provides the information required to launch an instance, which is a virtual server in the cloud. The VM‐Series AMI is an encrypted machine image that includes the operating system required to instantiate the VM‐Series firewall on an EC2 instance.
Instance type
Amazon‐defined specifications that stipulate the memory, CPU, storage capacity, and hourly cost for an instance. Some instance types are designed for standard applications, whereas others are designed for CPU‐intensive, memory‐intensive applications, and so on.
ELB
Elastic Load Balancing
ELB is an Amazon web service that helps you improve the availability and scalability of your applications by routing traffic across multiple Elastic Compute Cloud (EC2) instances. ELB detects unhealthy EC2 instances and reroutes traffic to healthy instances until the unhealthy instances are restored. ELB can send traffic only to the primary interface of the next hop load‐balanced EC2 instance. So, to use ELB with a VM‐Series firewall in AWS, the firewall must be able to use the primary interface for dataplane traffic.
ENI
Elastic Network Interface
An additional network interface that can be attached to an EC2 instance. ENIs can include a primary private IP address, one or more secondary private IP addresses, a public IP address, an elastic IP address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag.
IP address types for EC2 instances
An EC2 instance can have different types of IP addresses.
• Public IP address: An IP address that can be routed across the internet.
• Private IP address: An IP address in the private IP address range as defined in RFC 1918. You can choose to manually assign an IP address or to auto assign an IP address within the range in the CIDR block for the subnet in which you launch the EC2 instance. If you are manually assigning an IP address, Amazon reserves the first four (4) IP addresses and the last one (1) IP address in every subnet for IP networking purposes.
• Elastic IP address (EIP): A static IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not with a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change.
An instance in a public subnet can have a Private IP address, a Public IP address, and an Elastic IP address (EIP); an instance in a private subnet will have a private IP address and optionally an EIP.
VPC
Virtual Private Cloud
An elastic network populated by infrastructure, platform, and application services that share common security and interconnection.
IGW
Internet gateway provided by Amazon.
Connects a network to the internet. You can route traffic for IP addresses outside your VPC to the internet gateway.
IAM Role
Identity and Access Management
Required for enabling High Availability for the VM‐Series firewall in AWS. The IAM role defines the API actions and resources the application can use after assuming the role. On failover, the IAM Role allows the VM‐Series firewall to securely make API requests to switch the dataplane interfaces from the active peer to the passive peer.
An IAM role is also required for VM Monitoring. See List of Attributes Monitored on the AWS VPC.
Subnets
A segment of the IP address range of a VPC to which EC2 instances can be attached. EC2 instances are grouped into subnets based on your security and operational needs.
There are two types of subnets:
• Private subnet: The EC2 instances in this subnet cannot be reached from the internet.
• Public subnet: The internet gateway is attached to the public subnet, and the EC2 instances in this subnet can be reached from the internet.
Security groups
A security group is attached to an ENI and it specifies the list of protocols, ports, and IP address ranges that are allowed to establish inbound/outbound connections on the interface.
In the AWS VPC, security groups and network ACLs control inbound and outbound traffic; security groups regulate access to the EC2 instance, while network ACLs regulate access to the subnet. Because you are deploying the VM‐Series firewall, set more permissive rules in your security groups and network ACLs and allow the firewall to safely enable applications in the VPC.
Route tables
A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. A subnet can be associated with only one route table.
Key pair
A set of security credentials you use to prove your identity electronically. The key pair consists of a private key and a public key. When launching the VM‐Series firewall, you must generate a key pair or select an existing key pair for the VM‐Series firewall. The private key is required to access the firewall in maintenance mode.
Management Interface Mapping for Use with Amazon ELB
By default, the elastic network interface (ENI) eth0 maps to the MGT interface on the firewall and ENI eth1 maps to ethernet 1/1 on the firewall. Because the ELB can send traffic only to the primary interface of the next hop load‐balanced EC2 instance, the VM‐Series firewall must be able to use the primary interface for dataplane traffic. The firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM‐Series firewall is behind the Amazon ELB (for a topology diagram, see VM‐Series with ELB): 
• The VM‐Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network.
• The VM‐Series firewall secures an internet‐facing application when there is exactly one back‐end server, such as a web server, for each firewall. The VM‐Series firewalls and web servers can scale linearly, in pairs, behind ELB.
At present, for use cases that require an ELB sandwich‐type deployment to scale out firewalls and application layer EC2 instances, swapping the management interface will not allow you to seamlessly deploy the ELB solution. The ability to swap the management interface only partially solves the integration with ELB.
To allow the firewall to send and receive dataplane traffic on eth0 instead of eth1, you must swap the mapping of the ENIs within the firewall such that ENI eth0 maps to ethernet 1/1 and ENI eth1 maps to the MGT interface on the firewall as shown below.
Swapping how the interfaces are mapped allows ELB to distribute and route traffic to healthy instances of the VM‐Series firewall located in the same or different Availability Zones in AWS for increased capacity and fault tolerance. To swap the interfaces, you have the following options:
• At launch (Recommended): When you launch the firewall, you can either enter the mgmt-interface-swap=enable command in the User data field on the AWS management console (see Launch the VM‐Series Firewall in AWS) or CLI, or you can include the new mgmt-interface-swap operational command in the bootstrap configuration.
• After launch: After you launch the firewall, Use the VM‐Series Firewall CLI to Swap the Management Interface (the set system setting mgmt-interface-swap enable yes operational command) on the firewall.
• Pick one method to consistently specify the interface swap setting (in the bootstrap configuration, from the CLI on the firewall, or using the Amazon EC2 User data field on the AWS console) to prevent unpredictable behavior on the firewall.
• Ensure that you have access to the AWS console (management console or CLI) to view the IP address of the eth1 interface. Also, verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface.
• Swap the management interface before you configure the firewall or define policy rules. If you have already configured the VM‐Series firewall, check whether any IP address changes for eth0 and eth1 impact policy rules.
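Two of the notes above lend themselves to a pre-flight script: the swap needs both eth0 and eth1 attached (a single-ENI firewall boots into maintenance mode after the swap command), and the security group on the ENI that becomes MGT must admit HTTPS and SSH. The following Python is an added example; it is not code from the Deployment Guide or from Palo Alto Networks. It works on a constructed, trimmed-down copy of what the EC2 describe-instances and describe-security-groups calls return (field names follow those API shapes, but every instance, ENI and security group ID and every address is an invented placeholder), and it deliberately avoids boto3 so it runs offline.

```python
"""Pre-flight checks for the VM-Series management-interface swap on AWS.

Added example; not code from the Deployment Guide or Palo Alto Networks.
Default mapping: ENI eth0 (DeviceIndex 0) is MGT and eth1 is ethernet1/1;
after mgmt-interface-swap, eth0 is ethernet1/1 and eth1 is MGT.
"""
import ipaddress

# Constructed sample: the firewall instance with two ENIs (placeholder IDs)
INSTANCE = {
    "InstanceId": "i-EXAMPLE",
    "NetworkInterfaces": [
        {"DeviceIndex": 0, "NetworkInterfaceId": "eni-EXAMPLE0",
         "PrivateIpAddress": "10.0.0.10", "Groups": [{"GroupId": "sg-DATA"}]},
        {"DeviceIndex": 1, "NetworkInterfaceId": "eni-EXAMPLE1",
         "PrivateIpAddress": "10.0.1.10", "Groups": [{"GroupId": "sg-MGMT"}]},
    ],
}

# Constructed sample: inbound rules (IpPermissions) of the two security groups
SECURITY_GROUPS = {
    "sg-DATA": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "sg-MGMT": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
}

MGMT_PORTS = (22, 443)  # SSH and HTTPS, the management services the guide says to allow


def swap_preconditions(instance):
    """Problems that would make the swap unsafe; an empty list means go ahead."""
    indexes = sorted(eni["DeviceIndex"] for eni in instance["NetworkInterfaces"])
    problems = []
    if indexes[:2] != [0, 1]:
        # With one ENI the swap command makes the firewall boot into maintenance mode
        problems.append("swap needs both eth0 and eth1 attached at launch")
    return problems


def interface_mapping(instance, swapped):
    """Return {firewall interface name: ENI record} for the given swap state."""
    by_index = {eni["DeviceIndex"]: eni for eni in instance["NetworkInterfaces"]}
    if swapped:
        problems = swap_preconditions(instance)
        if problems:
            raise ValueError("cannot swap: " + "; ".join(problems))
        return {"MGT": by_index[1], "ethernet1/1": by_index[0]}
    return {"MGT": by_index[0], "ethernet1/1": by_index.get(1)}


def rule_allows(rule, port, source_ip):
    """True if one IpPermissions entry admits TCP <port> from source_ip."""
    proto = rule["IpProtocol"]
    if proto not in ("tcp", "-1"):          # "-1" is the all-protocols rule
        return False
    if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def blocked_mgmt_ports(instance, groups, swapped, admin_ip):
    """Management ports the MGT interface's security groups do not allow from admin_ip."""
    mgt_eni = interface_mapping(instance, swapped)["MGT"]
    rules = [r for g in mgt_eni["Groups"] for r in groups.get(g["GroupId"], [])]
    return [p for p in MGMT_PORTS if not any(rule_allows(r, p, admin_ip) for r in rules)]


if __name__ == "__main__":
    for swapped in (False, True):
        mgt = interface_mapping(INSTANCE, swapped)["MGT"]
        print(f"swapped={swapped}: MGT is {mgt['NetworkInterfaceId']} "
              f"({mgt['PrivateIpAddress']}); blocked from the admin host: "
              f"{blocked_mgmt_ports(INSTANCE, SECURITY_GROUPS, swapped, '198.51.100.7')}")
```

Run it against the real describe-instances and describe-security-groups output for your firewall before you enable the swap: the point is to learn that SSH and HTTPS will reach the ENI that becomes MGT from your administration network, and only from there, before the old management address stops answering.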
Deployments Supported in AWS
The VM‐Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud (VPC). Because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM‐Series firewall can only be deployed with Layer 3 interfaces.
• Deploy the VM‐Series firewall to secure the EC2 instances hosted in the AWS Virtual Private Cloud.
If you host your applications in the AWS cloud, deploy the VM‐Series firewall to protect and safely enable applications for users who access these applications over the internet. For example, the following diagram shows the VM‐Series firewall deployed in the Edge subnet to which the internet gateway is attached. The application(s) are deployed in the private subnet, which does not have direct access to the internet.
When users need to access the applications in the private subnet, the firewall receives the request and directs it to the appropriate application, after verifying security policy and performing Destination NAT. On the return path, the firewall receives the traffic, applies security policy and uses Source NAT to deliver the content to the user. See Use Case: Secure the EC2 Instances in the AWS Cloud.
VM‐Series for EC2 Instances
• Deploy the VM‐Series firewall for VPN access between the corporate network and the EC2 instances within the AWS Virtual Private Cloud.
To connect your corporate network with the applications deployed in the AWS Cloud, you can configure the firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel allows users on your network to securely access the applications in the cloud.
For centralized management, consistent enforcement of policy across your entire network, and for centralized logging and reporting, you can also deploy Panorama in your corporate network. If you need to set up VPN access to multiple VPCs, using Panorama allows you to group the firewalls by region and administer them with ease.
VM‐Series for VPN Access
• Deploy the VM‐Series firewall as a GlobalProtect gateway to secure access for remote users using laptops. The GlobalProtect agent on the laptop connects to the gateway, and based on the request, the gateway either sets up a VPN connection to the corporate network or routes the request to the internet. To enforce security compliance for users on mobile devices (using the GlobalProtect App), the GlobalProtect gateway is used in conjunction with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security Manager ensures that mobile devices are managed and configured with the device settings and account information for use with corporate applications and networks.
In each of the use cases above, you can deploy the VM‐Series firewall in an active/passive high availability (HA) pair. For information on setting up the VM‐Series firewall in HA, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
• Deploy the VM‐Series firewall with the Amazon Elastic Load Balancing (ELB) service, whereby the firewall can receive dataplane traffic on the primary interface in the following scenarios where the VM‐Series firewall is behind the Amazon ELB:
– The VM‐Series firewall(s) is securing traffic outbound directly to the internet without the need for using a VPN link or a Direct Connect link back to the corporate network.
– The VM‐Series firewall secures an internet‐facing application when there is exactly one back‐end server, such as a web server, for each firewall. The VM‐Series firewalls and web servers can scale linearly, in pairs, behind ELB.
If you want to Auto Scale VM‐Series Firewalls with the Amazon ELB, use the template in the GitHub repository. The VM‐Series Auto Scaling Template for AWS deploys the VM‐Series in an ELB sandwich topology with an internet‐facing classic ELB and either an internal classic load balancer or an internal application load balancer (internal ELB).
VM‐Series with ELB
You cannot configure the firewall to send and receive dataplane traffic on eth0 when the firewall is in front of ELB. The VM‐Series firewall must be placed behind the Amazon ELB.
You can either Use the VM‐Series Firewall CLI to Swap the Management Interface or enable it on bootstrap. For details, see Management Interface Mapping for Use with Amazon ELB.
If you want to deploy a load balancer sandwich topology, use the Auto Scale VM‐Series Firewalls with the Amazon ELB.
Deploy the VM‐Series Firewall in AWS
• Obtain the AMI
• Review System Requirements and Limitations for VM‐Series in AWS
• Planning Worksheet for the VM‐Series in the AWS VPC
• Launch the VM‐Series Firewall in AWS
• Use the VM‐Series Firewall CLI to Swap the Management Interface
Obtain the AMI
Because AWS GovCloud does not have a Marketplace, the process of obtaining the AMI is different in the public AWS cloud and in AWS GovCloud.
• AMI in the Public AWS Cloud
• AMI in AWS GovCloud
AMI in the Public AWS Cloud
The AMI for the VM‐Series firewall is available in the AWS Marketplace for both the Bring Your Own License (BYOL) and the Usage‐based pricing options. For purchasing licenses with the BYOL option, contact your Palo Alto Networks sales engineer or reseller.
AMI in AWS GovCloud
The Bring Your Own License (BYOL) model of the VM‐Series firewall is available as a shared AMI in AWS GovCloud. With a GovCloud account you can find the AMI for the VM‐Series firewall on the EC2 console (Instances > Launch Instance > Community AMIs) using the AMI ID (ami‐bc9c21dd) or by searching for Palo Alto Networks. Alternatively, you can also use the link to directly launch the AMI in your GovCloud account. Make sure to review the supported EC2 instance types before you launch the firewall. For details, see Launch the VM‐Series Firewall in AWS.
Review System Requirements and Limitations for VM‐Series in AWS
Requirement
Details
EC2 instance types
Deploy the VM‐Series firewall on any of the following EC2 instance types:
• m4.xlarge
• m4.2xlarge
• m4.4xlarge
• m3.xlarge
• m3.2xlarge
• c4.xlarge
• c4.2xlarge
• c4.4xlarge
• c3.xlarge
• c3.2xlarge
• c3.4xlarge
The minimum resource requirements for the VM‐Series firewall are:
vCPU: 2; Memory: 4GB; 5GB for the VM‐1000‐HV; Disk: 40GB. If you deploy the VM‐Series firewall on an EC2 instance type that does not meet these requirements, the firewall will boot into maintenance mode.
• If you select an instance type with more than 8 vCPUs for increased bandwidth (network performance), the VM‐Series firewall will still use a maximum of 8 vCPUs.
• To support VM Monitoring and high availability in AWS, the VM‐Series firewall must be able to directly reach the AWS API service endpoints without any proxy servers between the firewall management interface and the AWS API endpoints (such as ec2.us‐west‐2.amazonaws.com).
Amazon Elastic Block Storage (EBS)
The VM‐Series firewall must use the Amazon Elastic Block Storage (EBS) volume for storage. EBS optimization provides an optimized configuration stack and additional, dedicated capacity for Amazon EBS I/O.
Networking
Because AWS only supports Layer 3 networking capabilities, the VM‐Series firewall can only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and subinterfaces are not supported on the VM‐Series firewall deployed in the AWS VPC.
Interfaces
Support for a total of eight interfaces is available—one management interface and a maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM‐Series firewall does not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot the firewall.
Your EC2 instance type selection determines the total number of ENIs you can enable. For example, the c3.8xlarge supports eight (8) ENIs.
Support entitlement and Licenses
For the Bring Your Own License model, a support account and a valid VM‐Series license are required to obtain the Amazon Machine Image (AMI) file, which is required to install the VM‐Series firewall in the AWS VPC. The licenses required for the VM‐Series firewall—capacity license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc—must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact your sales representative. See VM‐Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
For the usage‐based licensing model, hourly and annual pricing bundles can be purchased and billed directly to AWS. You must, however, register your support entitlement with Palo Alto Networks. For details, see Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code).
Planning Worksheet for the VM‐Series in the AWS VPC
For ease of deployment, plan the subnets within the VPC and the EC2 instances that you want to deploy within each subnet. Before you begin, use the following table to collate the network information required to deploy and insert the VM‐Series firewall into the traffic flow in the VPC:
Configuration Item
Value
VPC CIDR
Security Groups
Subnet (public) CIDR
Subnet (private) CIDR
Subnet (public) Route Table
Subnet (private) Route Table
Security Groups
• Rules for Management Access to the firewall (eth0/0)
• Rules for access to the dataplane interfaces of the firewall
• Rules for access to the interfaces assigned to the application servers.
EC2 Instance 1 (VM‐Series firewall)
VM‐Series firewall behind ELB
An EIP is only required for the dataplane interface that is attached to the public subnet.
Subnet:
Instance type:
Mgmt interface IP:
Mgmt interface EIP:
Dataplane interface eth1/1
• Private IP:
• EIP (if required):
• Security Group:
Dataplane interface eth1/2
• Private IP:
• EIP (if required):
• Security Group:
EC2 Instance 2 (Application to be secured)
Repeat this set of values for each additional application being deployed.
Subnet:
Instance type:
Mgmt interface IP:
Default gateway:
Dataplane interface 1
• Private IP
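The worksheet values are easy to get subtly wrong (a subnet outside the VPC CIDR, two subnets that overlap, or an interface address that lands on one of the addresses AWS reserves). The following Python is an added example that checks a filled-in worksheet; it is not code from the Deployment Guide or from Palo Alto Networks. The reserved-address rule (first four and last address of every subnet) comes from the AWS Terminology table above; the /16 to /28 subnet size limit is AWS's documented VPC constraint. All CIDRs and addresses in PLAN are constructed sample values.

```python
"""Validate the CIDRs and interface addresses gathered in the planning worksheet.

Added example; not code from the Deployment Guide or Palo Alto Networks.
"""
import ipaddress

# Constructed sample worksheet: one public and one private subnet; the firewall
# has MGT and ethernet1/1 in the public subnet and ethernet1/2 in the private one
PLAN = {
    "vpc_cidr": "10.0.0.0/16",
    "subnets": {"public": "10.0.0.0/24", "private": "10.0.1.0/24"},
    "firewall": {
        "mgmt": ("public", "10.0.0.10"),
        "ethernet1/1": ("public", "10.0.0.11"),
        "ethernet1/2": ("private", "10.0.1.10"),
    },
}


def usable_range(cidr):
    """First and last address you may assign in an AWS subnet.

    AWS reserves the network address, the next three addresses and the last
    (broadcast) address of every subnet, so those five are excluded."""
    net = ipaddress.ip_network(cidr)
    return net.network_address + 4, net.broadcast_address - 1


def validate_plan(plan):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(plan["vpc_cidr"])
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan["subnets"].items()}

    for name, net in nets.items():
        if not 16 <= net.prefixlen <= 28:   # AWS accepts IPv4 subnets from /16 to /28
            problems.append(f"subnet {name}: {net} is outside the /16-/28 sizes AWS allows")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name}: {net} is not inside VPC {vpc}")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap ({nets[a]} / {nets[b]})")

    for iface, (subnet_name, ip) in plan["firewall"].items():
        addr = ipaddress.ip_address(ip)
        first, last = usable_range(plan["subnets"][subnet_name])
        if not first <= addr <= last:
            problems.append(
                f"{iface}: {ip} is outside the usable range {first}-{last} of subnet {subnet_name}")
    return problems


if __name__ == "__main__":
    for problem in validate_plan(PLAN) or ["plan is consistent"]:
        print(problem)
```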
Requirements for HA
If you are deploying the VM‐Series firewalls in a high availability (active/passive) configuration, you must ensure the following:
• Create an IAM role and assign the role to the VM‐Series firewall when you are deploying the instance. See IAM Roles for HA.
• Deploy the HA peers in the same AWS availability zone.
• The active firewall in the HA pair must have a minimum of three ENIs: two dataplane interfaces and one management interface. The passive firewall in the HA pair must have one ENI for management and one ENI that functions as a dataplane interface; you will configure the dataplane interface as an HA2 interface. Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved (detached and then attached) to the now active (previously passive) firewall.
Launch the VM‐Series Firewall in AWS
If you have not already registered the capacity auth‐code that you received with the order fulfillment email with your support account, see Register the VM‐Series Firewall. After registering, deploy the VM‐Series firewall by launching it in the AWS VPC as follows:
Launch the VM‐Series Firewall in the AWS VPC
Step 1
Access the AWS Console.
Log in to the AWS console and select the EC2 Dashboard.
Step 2
Set up the VPC for your network needs.
Whether you launch the VM‐Series firewall in an existing VPC or you create a new VPC, the VM‐Series firewall must be able to receive traffic from the EC2 instances and perform inbound and outbound communication between the VPC and the internet.
Refer to the AWS VPC documentation for instructions on creating a VPC and setting it up for access.
For an example with a complete workflow, see Use Case: Secure the EC2 Instances in the AWS Cloud.
1. Create a new VPC or use an existing VPC. Refer to the AWS Getting Started documentation.
2. Verify that the network and security components are defined suitably.
• Enable communication to the internet. The default VPC includes an internet gateway, and if you install the VM‐Series firewall in the default subnet it has access to the internet.
• Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The VM‐Series firewall must belong to the public subnet so that it can be configured to access the internet.
• Create security groups as needed to manage inbound and outbound traffic from the EC2 instances/subnets.
• Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
3. If you want to deploy a pair of VM‐Series firewalls in HA, you must define IAM Roles for HA before you can Configure Active/Passive HA in AWS.
4. (Optional) If you are using bootstrapping to perform the configuration of your VM‐Series firewall on Hyper‐V, refer to Bootstrap the VM‐Series Firewall in AWS. For more information about bootstrapping, see Bootstrap the VM‐Series Firewall.
Step 3
Launch the VM‐Series firewall.
Although you can add additional network interfaces (ENIs) to the VM‐Series firewall when you launch, AWS releases the auto‐assigned Public IP address for the management interface when you restart the firewall. Hence, to ensure connectivity to the management interface you must assign an Elastic IP address for the management interface, before attaching additional interfaces to the firewall.
If you want to conserve EIP addresses, you can assign one EIP address to the eth1/1 interface and use this interface for both management traffic and data traffic. To restrict the services permitted on the interface or limit the IP addresses that can log in on the eth1/1 interface, attach a management profile to the interface.
1. On the EC2 Dashboard, click Launch Instance.
2. Select the VM‐Series AMI. To get the AMI, see Obtain the AMI.
3. Launch the VM‐Series firewall on an EC2 instance.
a. Choose the EC2 instance type for allocating the resources required for the firewall, and click Next. See EC2 instance types for a list of supported types.
b. Select the VPC.
c. Select the public subnet to which the VM‐Series management interface will attach.
d. Select Automatically assign a public IP address. This allows you to obtain a publicly accessible IP address for the management interface of the VM‐Series firewall.
You can later attach an Elastic IP address to the management interface; unlike the public IP address that is disassociated from the firewall when the instance is terminated, the Elastic IP address provides persistence and can be reattached to a new (or replacement) instance of the VM‐Series firewall without the need to reconfigure the IP address wherever you might have referenced it.
e. Select Launch as an EBS-optimized instance.
f. Add another network interface for deployments with ELB. Swapping interfaces requires a minimum of two ENIs (eth0 and eth1). Make sure that your VPC has more than one subnet so that you can add additional ENIs at launch.
If you launch the firewall with only one ENI, the interface swap command will cause the firewall to boot into maintenance mode.
– Expand the Network Interfaces section and click Add Device to add another network interface.
– Expand the Advanced Details section and in the User data field enter mgmt-interface-swap=enable as text to perform the interface swap during launch.
g. Accept the default Storage settings.
h. (Optional) Tagging. Add one or more tags to create your own metadata to identify and group the VM‐Series firewall. For example, add a Name tag with a Value that helps you remember that the ENI interfaces have been swapped on this VM‐Series firewall.
i. Select an existing Security Group or create a new one. This security group is for restricting access to the management interface of the firewall. At a minimum consider enabling https and ssh access for the management interface.
j. If prompted, select an appropriate SSD option for your setup.
k. Select Review and Launch. Review that your selections are accurate and click Launch.
l. Select an existing key pair or create a new one, and acknowledge the key disclaimer.
m. Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key if it is lost.
This key pair is required for first‐time access to the firewall. It is also required to access the firewall in maintenance mode.
It takes 5‐7 minutes to launch the VM‐Series firewall. You can view the progress on the EC2 Dashboard. When the process completes, the VM‐Series firewall displays on the Instances page of the EC2 Dashboard.
Step 4
Configure a new administrative password for the firewall.
On the VM‐Series firewall CLI, you must configure a unique administrative password before you can access the web interface of the firewall. To log in to the CLI, you require the private key that you used to launch the firewall.
1. Use the public IP address to SSH into the Command Line Interface (CLI) of the VM‐Series firewall. You will need the private key that you used or created in Step 3‐l to access the CLI.
If you added an additional ENI to support deployments with ELB, you must first create and assign an Elastic IP address to the ENI to access the CLI, see Step 6.
If you are using PuTTY for SSH access, you must convert the .pem format to a .ppk format. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/p
utty.html
2.
Enter the following command to log in to the firewall: ssh-i <private_key.pem> admin@<public‐ip_address>
3.
Configure a new password, using the following command and follow the onscreen prompts:
configure
set mgt‐config users admin password
4.
If you have a BYOL that needs to be activated, set the DNS server IP address so that the firewall can aceess the Palo Alto Networks licensing server. Enter the following command to set the DNS server IP address:
set deviceconfig system dns‐setting servers primary <ip_address>
5.
Commit your changes with the command:
commit
6.
© Palo Alto Networks, Inc.
Terminate the SSH session.
VM‐Series 7.1 Deployment Guide • 175
Deploy the VM‐Series Firewall in AWS
Set Up the VM‐Series Firewall in AWS
Launch the VM‐Series Firewall in the AWS VPC (Continued)
Step 5
Shut down the VM‐Series firewall.
1. On the EC2 Dashboard, select Instances.
2. From the list, select the VM‐Series firewall and click Actions > Stop.
Step 6
Create and assign an Elastic IP address (EIP) to the ENI used for management access to the firewall and reboot the VM‐Series firewall.
1. Select Elastic IPs and click Allocate New Address.
2. Select EC2-VPC and click Yes, Allocate.
3. Select the newly allocated EIP and click Associate Address.
4. Select the Network Interface and the Private IP address associated with the management interface and click Yes, Associate.
Step 7
Create virtual network interface(s) and attach the interface(s) to the VM‐Series firewall. The virtual network interfaces are called Elastic Network Interfaces (ENIs) in AWS, and serve as the dataplane network interfaces on the firewall. These interfaces are used for handling data traffic to/from the firewall.
You will need at least two ENIs that allow inbound and outbound traffic to/from the firewall. You can add up to seven ENIs to handle data traffic on the VM‐Series firewall; check your EC2 instance type to verify the maximum number supported on it.
1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
2. Enter a descriptive name for the interface.
3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
4. Enter the Private IP address to assign to the interface or select Auto-assign to automatically assign an IP address within the available IP addresses in the selected subnet.
5. Select the Security group to control access to the dataplane network interface.
6. Click Yes, Create.
7. To attach the ENI to the VM‐Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM‐Series firewall, and click Attach.
9. Repeat the steps above for creating and attaching at least one more ENI to the firewall.
Step 8
(Not required for the Usage‐based licensing model) Activate the licenses on the VM‐Series firewall. This task is not performed on the AWS management console. Access to the Palo Alto Networks support portal and the web interface of the VM‐Series firewall is required for license activation.
See Activate the License.
Step 9
Disable Source/Destination check on every firewall dataplane network interface. Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the network interface.
1. On the EC2 Dashboard, select the network interface, for example eth1/1, in the Network Interfaces tab.
2. In the Action drop‐down, select Change Source/Dest. Check.
3. Click Disabled and Save your changes.
4. Repeat Steps 1‐3 for each firewall dataplane interface.
Step 10 Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
For an example configuration, see Step 14 through Step 17 in Use Case: Secure the EC2 Instances in the AWS Cloud.
1. Using a secure connection (https) from your web browser, log in using the EIP address and password you assigned during initial configuration (https://<Elastic_IP address>). You will see a certificate warning; that is okay. Continue to the web page.
2. Select Network > Interfaces > Ethernet.
3. Click the link for ethernet 1/1 and configure as follows:
– Interface Type: Layer3
– On the Config tab, assign the interface to the default router.
– On the Config tab, expand the Security Zone drop‐down and select New Zone. Define a new zone, for example VM_Series_untrust, and then click OK.
– On the IPv4 tab, select either Static or DHCP Client.
If using the Static option, click Add in the IP section, and enter the IP address and network mask for the interface, for example 10.0.0.10/24. Make sure that the IP address matches the ENI IP address that you assigned earlier.
If using DHCP, select DHCP Client; the private IP address that you assigned to the ENI in the AWS management console will be automatically acquired.
For DHCP, clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC.
4. Click the link for ethernet 1/2 and configure as follows:
– Interface Type: Layer3
– Security Zone: VM_Series_trust
– IP address: Select the Static or DHCP Client radio button.
For static, click Add in the IP section, and enter the IP address and network mask for the interface. Make sure that the IP address matches the attached ENI IP address that you assigned earlier.
5. Click Commit. Verify that the link state for the interfaces is up.
On the application servers within the VPC, define the dataplane network interface of the firewall as the default gateway.
Step 11 Create NAT rules to allow inbound and outbound traffic from the servers deployed within the VPC.
1. Select Policies > NAT on the web interface of the firewall.
2. Create a NAT rule to allow traffic from the dataplane network interface on the firewall to the web server interface in the VPC.
3. Create a NAT rule to allow outbound access for traffic from the web server to the internet.
Step 12 Create security policies to allow/deny traffic to/from the servers deployed within the VPC.
1. Select Policies > Security on the web interface of the firewall.
2. Click Add, and specify the zones, applications and logging options that you want to apply to restrict and audit traffic traversing the network.
Step 13 Commit the changes on the firewall.
1. Click Commit.
Step 14 Verify that the VM‐Series firewall is securing traffic and that the NAT rules are in effect.
1. Select Monitor > Logs > Traffic on the web interface of the firewall.
2. View the logs to make sure that the applications traversing the network match the security policies you implemented.
Use the VM‐Series Firewall CLI to Swap the Management Interface
If you did not swap the management interface (MGT) with the dataplane interface (ethernet 1/1) when deploying the firewall, you can use the CLI to enable the firewall to receive dataplane traffic on the primary interface after launching the firewall.


Swap the management interface before you configure the firewall or define policy rules. If you have already configured the VM‐Series firewall, check whether any IP address changes for eth0 and eth1 impact policy rules.
Ensure that you have access to the AWS console (management console or CLI) to view the IP address of the eth1 interface. Also, verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface.
Management Interface Swap Using the VM‐Series Firewall CLI
Step 1
Complete Steps 1 through 7 in Launch the VM‐Series Firewall in AWS. Before you proceed, verify that the firewall has a minimum of two ENIs (eth0 and eth1). If you launch the firewall with only one ENI, the interface swap command will cause the firewall to boot into maintenance mode.
Step 2
On the EC2 Dashboard, view the IP address of the eth1 interface and verify that the AWS Security Group rules allow connections (HTTPS and SSH) to the new management interface (eth1).
Step 3
Log in to the VM‐Series firewall CLI and enter the following command:
set system setting mgmt-interface-swap enable yes
Step 4
Confirm that you want to swap the interface and use the eth1 dataplane interface as the management interface.
Step 5
Reboot the firewall for the swap to take effect. Use the following command:
request restart system
Step 6
Verify that the interfaces have been swapped. Use the following command:
debug show vm-series interfaces all
Phoenix_interface    Base-OS_port  Base-OS_MAC        PCI-ID        Driver
mgt(interface-swap)  eth0          0e:53:96:91:ef:29  0000:00:04.0  ixgbevf
Ethernet1/1          eth1          0e:4d:84:5f:7f:4d  0000:00:03.0  ixgbevf
High Availability for VM‐Series Firewall in AWS
The VM‐Series firewall in AWS supports active/passive HA only; if it is deployed with Amazon Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover capabilities).
• Overview of HA in AWS
• IAM Roles for HA
• HA Links
• Heartbeat Polling and Hello Messages
• Device Priority and Preemption
• HA Timers
• Configure Active/Passive HA in AWS
Overview of HA in AWS
To ensure redundancy, you can deploy the VM‐Series firewalls in AWS in an active/passive high availability (HA) configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. When the passive peer detects this failure it becomes active and triggers API calls to the AWS infrastructure to move all the dataplane interfaces (ENIs) from the failed peer to itself. The failover time can vary from 20 seconds to over a minute depending on the responsiveness from the AWS infrastructure.
IAM Roles for HA
AWS requires that all API requests be cryptographically signed using credentials issued by AWS. In order to enable API permissions for the VM‐Series firewalls that will be deployed as an HA pair, you must create a policy and attach that policy to a role in the AWS Identity and Access Management (IAM) service. The role must be attached to the VM‐Series firewalls at launch. The policy gives the IAM role permissions for initiating API actions for detaching and attaching network interfaces from the active peer in an HA pair to the passive peer when a failover is triggered. For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2.
The IAM policy, which is configured in the AWS console, must have permissions for the following actions and resources (at a minimum):
• AttachNetworkInterface—For permission to attach an ENI to an instance.
• DescribeNetworkInterface—For fetching the ENI parameters in order to attach an interface to the instance.
• DetachNetworkInterface—For permission to detach the ENI from the EC2 instance.
• DescribeInstances—For permission to obtain information on the EC2 instances in the VPC.
• Wild card (*)—In the Amazon Resource Name (ARN) field use the * as a wild card.
The following screenshot shows the access management settings for the IAM role described above:
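The policy and role described above, written as Terraform so that the permission set is reviewed and versioned rather than assembled by hand in the console. This is an added example, not configuration from Palo Alto Networks or from this guide; the role, policy and profile names are assumed, and the IAM action names are written as AWS spells them in the ec2 namespace (the two Describe actions are plural there). The wildcard resource is kept because the guide calls for it and because the Describe actions cannot be scoped to individual resources; the trust policy limits the role to the EC2 service, so only an instance launched with this instance profile can obtain its credentials.

```hcl
# Added example: IAM role that lets a VM-Series HA pair move ENIs on failover.
# Names (vmseries-ha-*) are assumed; adjust them to your naming convention.

# Trust policy: only EC2 instances launched with this profile may assume the role.
data "aws_iam_policy_document" "vmseries_ha_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Permission policy: the four EC2 actions the guide lists, and nothing else.
data "aws_iam_policy_document" "vmseries_ha_eni" {
  statement {
    sid    = "VmSeriesHaEniMove"
    effect = "Allow"
    actions = [
      "ec2:AttachNetworkInterface",    # attach the failed peer's ENIs to the new active peer
      "ec2:DetachNetworkInterface",    # detach them from the failed peer
      "ec2:DescribeNetworkInterfaces", # look up ENI parameters before attaching
      "ec2:DescribeInstances",         # find the peer instance in the VPC
    ]
    # The guide specifies a wildcard ARN; the Describe* actions cannot be
    # restricted to individual resources in any case.
    resources = ["*"]
  }
}

resource "aws_iam_role" "vmseries_ha" {
  name               = "vmseries-ha-role"
  assume_role_policy = data.aws_iam_policy_document.vmseries_ha_trust.json
}

resource "aws_iam_role_policy" "vmseries_ha_eni" {
  name   = "vmseries-ha-eni-move"
  role   = aws_iam_role.vmseries_ha.id
  policy = data.aws_iam_policy_document.vmseries_ha_eni.json
}

# The instance profile is what you select as the IAM role when launching each firewall.
resource "aws_iam_instance_profile" "vmseries_ha" {
  name = "vmseries-ha-profile"
  role = aws_iam_role.vmseries_ha.name
}
```

Select the instance profile as the IAM role on the Configure Instance page when launching each firewall (in Terraform, the iam_instance_profile argument of aws_instance); as the prerequisites in Configure Active/Passive HA in AWS note, the role cannot be added to an instance that is already running. Keeping the policy in source control means any widening of these four actions shows up in code review.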
HA Links
The devices in an HA pair use HA links to synchronize data and maintain state information. In AWS, the VM‐Series firewall uses the following ports:
• Control Link—The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing and User‐ID information. This link is also used to synchronize configuration changes on either the active or passive device with its peer. The Management port is used for HA1. TCP port 28769 and 28260 for cleartext communication; port 28 for encrypted communication (SSH over TCP).
• Data Link—The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep‐alive); it flows from the active device to the passive device. Ethernet1/1 must be assigned as the HA2 link. The HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport.
The VM‐Series on AWS does not support backup links for HA1 or HA2.
Heartbeat Polling and Hello Messages
The firewalls use hello messages and heartbeats to verify that the peer device is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the device. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the devices are connected and responsive. For details on the HA timers that trigger a failover, see HA Timers. (The HA timers for the VM‐Series firewall are the same as those of the PA‐5000 Series firewalls.)
Device Priority and Preemption
The devices in an HA pair can be assigned a device priority value to indicate a preference for which device should assume the active role and manage traffic upon failover. If you need to use a specific device in the HA pair for actively securing traffic, you must enable the preemptive behavior on both the firewalls and assign a device priority value for each device. The device with the lower numerical value, and therefore higher priority, is designated as active and manages all traffic on the network. The other device is in a passive state, and synchronizes configuration and state information with the active device so that it is ready to transition to an active state should a failure occur. By default, preemption is disabled on the firewalls and must be enabled on both devices. When enabled, the preemptive behavior allows the firewall with the higher priority (lower numerical value) to resume as active after it recovers from a failure. When preemption occurs, the event is logged in the system logs.
HA Timers
High availability (HA) timers are used to detect a firewall failure and trigger a failover. To reduce the complexity in configuring HA timers, you can select from three profiles: Recommended, Aggressive, and Advanced. These profiles auto‐populate the optimum HA timer values for the specific firewall platform to enable a speedier HA deployment. Use the Recommended profile for typical failover timer settings and the Aggressive profile for faster failover timer settings. The Advanced profile allows you to customize the timer values to suit your network requirements.
HA Timer on the VM‐Series in AWS        Default values for Recommended/Aggressive profiles
Promotion hold time                     2000/500 ms
Hello interval                          8000/8000 ms
Heartbeat interval                      2000/1000 ms
Max number of flaps                     3/3
Preemption hold time                    1/1 min
Monitor fail hold up time               0/0 ms
Additional master hold up time          500/500 ms
Configure Active/Passive HA in AWS
Step 1
Make sure that you have followed the prerequisites. For deploying a pair of VM‐Series firewalls in HA in the AWS cloud, you must ensure the following:
• Select the IAM role you created when launching the VM‐Series firewall on an EC2 instance; you cannot assign the role to an instance that is already running. See IAM Roles for HA. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation.
• The active firewall in the HA pair must have at a minimum three ENIs: two dataplane interfaces and one management interface. The passive firewall in the HA pair must have one ENI for management, and one ENI that functions as dataplane interface; you will configure the dataplane interface as an HA2 interface. Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved (detached and then attached) to the now active (previously passive) firewall.
• The HA peers must be deployed in the same AWS availability zone.
Step 2
Launch the VM‐Series Firewall in AWS.
Step 3
Enable HA.
1. Select Device > High Availability > General, and edit the Setup section.
2. Select Enable HA.
Step 4
Configure ethernet 1/1 as an HA interface. This interface must be used for HA2 communication.
1. Select Network > Interfaces.
2. Confirm that the link state is up on ethernet1/1.
3. Click the link for ethernet1/1 and set the Interface Type to HA.
Step 5
Set up the Control Link (HA1) to use the management port.
1. Select Device > High Availability > General, and edit the Control Link (HA1) section.
2. (Optional) Select Encryption Enabled, for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device.
a. Select Device > Certificate Management > Certificates.
b. Select Export HA key. Save the HA key to a network location that the peer device can access.
c. On the peer device, navigate to Device > Certificate Management > Certificates, and select Import HA key to browse to the location where you saved the key and import it into the peer device.
Step 6
Set up the Data Link (HA2) to use ethernet1/1.
1. Select Device > High Availability > General, edit the Data Link (HA2) section.
2. Select Port ethernet1/1.
3. Enter the IP address for ethernet1/1. This IP address must be the same as the one assigned to the ENI on the EC2 Dashboard.
4. Enter the Netmask.
5. Enter a Gateway IP address if the HA1 interfaces are on separate subnets.
6. Select IP or UDP for Transport. Use IP if you need Layer 3 transport (IP protocol number 99). Use UDP if you want the firewall to calculate the checksum on the entire packet rather than just the header, as in the IP option (UDP port 29281).
7. (Optional) Modify the Threshold for HA2 Keep-alive packets. By default, HA2 Keep-alive is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep‐alive failure occurs. You can configure the HA2 keep-alive option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keep‐alive messages.
Step 7
Set the device priority and enable preemption. Use this setting if you want to make sure that a specific device is the preferred active device. For information, see Device Priority and Preemption.
1. Select Device > High Availability > General and edit the Election Settings section.
2. Set the numerical value in Device Priority. Make sure to set a lower numerical value on the device that you want to assign a higher priority to.
If both firewalls have the same device priority value, the firewall with the lowest MAC address on the HA1 control link will become the active device.
3. Select Preemptive. You must enable preemptive on both the active and the passive device.
4. Modify the failover timers. By default, the HA timer profile is set to the Recommended profile and is suited for most HA deployments.
Step 8
(Optional) Modify the wait time before a failover is triggered.
1. Select Device > High Availability > General and edit the Active/Passive Settings.
2. Modify the Monitor fail hold up time to a value between 1‐60 minutes; default is 1 minute. This is the time interval during which the firewall will remain active following a link failure. Use this setting to avoid an HA failover triggered by the occasional flapping of neighboring devices.
Step 9
Configure the IP address of the HA peer.
1. Select Device > High Availability > General, and edit the Setup section.
2. Enter the IP address of the HA1 port on the peer. This is the IP address assigned to the management interface (ethernet 0/0), which is also the HA1 link on the other firewall.
3. Set the Group ID number between 1 and 63. Although this value is not used on the VM‐Series firewall in AWS, you cannot leave the field blank.
Step 10 Configure the other peer.
Repeat Step 3 to Step 9 on the HA peer.
Step 11 After you finish configuring both devices, verify that the devices are paired in active/passive HA.
1. Access the Dashboard on both devices, and view the High Availability widget.
2. On the active device, click the Sync to peer link.
3. Confirm that the devices are paired and synced, as shown below:
On the passive device: The state of the local device should display passive and the configuration is synchronized.
On the active device: The state of the local device should display active and the configuration is synchronized.
Step 12 Verify that failover occurs properly.
1. Shut down the active HA peer.
a. On the EC2 Dashboard, select Instances.
b. From the list, select the VM‐Series firewall and click Actions > Stop.
2. Check that the passive peer assumes the role of the active peer and that the dataplane interfaces have moved over to the now active HA peer.
Use Case: Secure the EC2 Instances in the AWS Cloud
In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: 10.0.0.0/24 and 10.0.1.0/24. The VM‐Series firewall will be launched in the 10.0.0.0/24 subnet to which the internet gateway is attached. The 10.0.1.0/24 subnet is a private subnet that will host the EC2 instances that need to be secured by the VM‐Series firewall; any server on this private subnet uses NAT for a routable IP address (which is an Elastic IP address) to access the internet. Use the Planning Worksheet for the VM‐Series in the AWS VPC to plan the design within your VPC; recording the subnet ranges, network interfaces and the associated IP addresses for the EC2 instances, and security groups, will make the setup process easier and more efficient.
The following image depicts the logical flow of traffic to/from the web server to the internet. Traffic to/from the web server is sent to the data interface of the VM‐Series firewall that is attached to the private subnet. The firewall applies policy and processes incoming/outgoing traffic from/to the internet gateway of the VPC. The image also shows the security groups to which the data interfaces are attached.
Deploy the VM‐Series Firewall in AWS as a Cloud Gateway
Step 1
Create a new VPC with a public subnet (or select an existing VPC).
1. Log in to the AWS console and select the VPC Dashboard.
2. Verify that you’ve selected the correct geographic area (AWS region). The VPC will be deployed in the currently selected region.
3. Select Start VPC Wizard, and select VPC with a Single Public Subnet. In this example, the IP CIDR block for the VPC is 10.0.0.0/16, the VPC name is Cloud DC, the public subnet is 10.0.0.0/24, and the subnet name is Cloud DC Public subnet. You will create a private subnet after creating the VPC.
4. Click Create VPC.
Step 2
Create a private subnet.
Select Subnets, and click Create a Subnet. Fill in the information.
In this example, the Name tag for the subnet is Web/DB Server Subnet, it is created in the Cloud Datacenter VPC and is assigned a CIDR block of 10.0.1.0/24.
Step 3
Create a new route table for each subnet.
Although a main route table is automatically created on the VPC, we recommend creating new route tables instead of modifying the default route table. To direct outbound traffic from each subnet, you will add routes to the route table associated with each subnet, later in this workflow.
1. Select Route Tables > Create Route Table.
2. Add a Name, for example CloudDC‐public‐subnet‐RT, select the VPC you created in Step 1, and click Yes, Create.
3. Select the route table, click Subnet Associations and select the public subnet.
4. Select Create Route Table.
5. Add a Name, for example CloudDC‐private‐subnet‐RT, select the VPC you created in Step 1, and click Yes, Create.
6. Select the route table, click Subnet Associations and select the private subnet.
Step 4
Create Security Groups to restrict inbound/outbound internet access to the EC2 instances in the VPC.
By default, AWS disallows communication between interfaces that do not belong to the same security group.
Select Security Groups and click the Create Security Group button. In this example, we create three security groups with the following rules for inbound access:
• CloudDC‐Management that specifies the protocols and source IP addresses that can connect to the management interface of the VM‐Series firewall. At a minimum you need SSH and HTTPS. In this example, we enable SSH, ICMP, HTTP, and HTTPS on the network interfaces that are attached to this security group.
The management interface (eth 0/0) of the VM‐Series firewall will be assigned to CloudDC‐management‐sg.
• Public‐Server‐CloudDC that specifies the source IP addresses that can connect over HTTP, FTP, SSH within the VPC. This group allows traffic from the external network to the firewall.
The dataplane interface eth1/1 of the VM‐Series firewall will be assigned to Public‐Server‐CloudDC.
• Private‐Server‐CloudDC that has very limited access. It only allows other EC2 instances on the same subnet to communicate with each other, and with the VM‐Series firewall.
The dataplane interface eth1/2 of the VM‐Series firewall and the application in the private subnet will be attached to this security group. The following screenshot shows the security groups for this use case.
Step 5
Deploy the VM‐Series firewall. See Step 3 in Launch the VM‐Series Firewall in AWS.
Only the primary network interface that will serve as the management interface will be attached and configured for the firewall during the initial launch. The network interfaces required for handling data traffic will be added in Step 6.
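The three security groups from Step 4, as Terraform. This is an added example, not the guide's own configuration: it assumes the VPC is the resource aws_vpc.clouddc and that the range your administrators connect from is supplied in a variable named admin_cidr. Where the guide's example opens SSH, ICMP, HTTP and HTTPS on the management group, this version keeps to the stated minimum (SSH and HTTPS) and restricts them to the administrator range; on the public group it limits FTP and SSH to that same range and leaves only HTTP open to the internet. The group names follow the guide's spelling.

```hcl
# Added example: the three security groups of Step 4 in Terraform.
# Assumptions: the VPC is aws_vpc.clouddc; var.admin_cidr is the CIDR block
# your administrators connect from (for example your corporate egress range).

variable "admin_cidr" {
  description = "Source CIDR allowed to reach the firewall management interface (assumed)"
  type        = string
}

# Management interface (eth 0/0): SSH and HTTPS only, and only from the admin range.
resource "aws_security_group" "clouddc_management" {
  name        = "CloudDC-Management"
  description = "VM-Series management access"
  vpc_id      = aws_vpc.clouddc.id

  ingress {
    description = "SSH to the firewall CLI"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  ingress {
    description = "HTTPS to the firewall web interface"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress {
    description = "Licensing, content updates, log forwarding"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Untrust dataplane interface (eth1/1): what the internet may send to the firewall.
resource "aws_security_group" "public_server_clouddc" {
  name        = "Public-Server-CloudDC"
  description = "Inbound to the VM-Series untrust interface"
  vpc_id      = aws_vpc.clouddc.id

  ingress {
    description = "HTTP to the published web server (NAT on the firewall)"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description = "FTP control and SSH, admin range only"
    from_port   = 21
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Trust dataplane interface (eth1/2) and the servers: same-subnet traffic only.
resource "aws_security_group" "private_server_clouddc" {
  name        = "Private-Server-CloudDC"
  description = "Private subnet: instances and the firewall trust interface only"
  vpc_id      = aws_vpc.clouddc.id

  ingress {
    description = "Any protocol from the private subnet (includes the firewall's eth1/2)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["10.0.1.0/24"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Security groups are stateful, so the egress rules only need to cover sessions the firewall or the servers initiate: licensing and content updates from the management interface, and the servers' outbound traffic, which the private route table sends to the firewall's trust interface in any case. Anything reaching the servers from the internet still has to pass the firewall's NAT and security policy first.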
Step 6
Create and attach virtual network interface(s), referred to as Elastic Network Interfaces (ENIs), to the VM‐Series firewall. These ENIs are used for handling data traffic to/from the firewall.
1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
2. Enter a descriptive name for the interface.
3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
4. Enter the Private IP address that you want to assign to the interface or select Auto-assign to automatically assign an IP address within the available IP addresses in the selected subnet.
5. Select the Security group to control access to the network interface.
6. Click Yes, Create. In this example, we create two interfaces with the following configuration:
• For Eth1/1 (VM‐Series‐Untrust)
– Subnet: 10.0.0.0/24
– Private IP: 10.0.0.10
– Security group: Public‐Server‐CloudDC
• For Eth1/2 (VM‐Series‐Trust)
– Subnet: 10.0.1.0/24
– Private IP: 10.0.1.10
– Security group: Private‐Server‐CloudDC
7. To attach the ENI to the VM‐Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM‐Series firewall, and click Attach.
9. Repeat steps 7 and 8 to attach the other network interface.
Step 7
Create an Elastic IP address and attach it to the firewall dataplane network interface that requires direct internet access.
In this example, VM‐Series_Untrust is assigned an EIP. The EIP associated with the interface is the publicly accessible IP address for the web server in the private subnet.
1. Select Elastic IPs and click Allocate New Address.
2. Select EC2-VPC and click Yes, Allocate.
3. Select the newly allocated EIP and click Associate Address.
4. Select the Network Interface and the Private IP address associated with the interface and click Yes, Associate.
In this example, the configuration is:
Step 8
Disable Source/Destination check on each network interface attached to the VM‐Series firewall. Disabling this attribute allows the interface to handle network traffic that is not destined to its IP address.
1. Select the network interface in the Network Interfaces tab.
2. In the Action drop‐down, select Change Source/Dest. Check.
3. Click Disabled and Save your changes.
4. Repeat steps 1‐3 for additional network interfaces, firewall‐1/2 in this example.
Step 9
In the route table associated with the public subnet (from Step 3), add a default route to the internet gateway for the VPC.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the public subnet. Select the route table, select Routes and click Edit.
2. Add a route to forward packets from this subnet to the internet gateway. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use the internet gateway attached to the VPC.
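The routing and interface settings in Step 8 and Step 9, together with the private‐subnet default route that Step 10 adds next, are what force traffic through the firewall: if the private subnet's default route points at the internet gateway instead of the firewall ENI, instances bypass the firewall, and if Source/Dest check is left enabled on a dataplane ENI, AWS silently drops the forwarded packets. The following script is an added example (not part of this guide) that audits those three settings offline. It runs on constructed dictionaries shaped like the boto3 describe_route_tables() and describe_network_interfaces() responses; the route table IDs, subnet IDs, internet gateway ID and the eni-untrust01 ID are constructed placeholders (eni‐abf355f2 is the example ENI ID from Step 10). To audit a live VPC, replace the SAMPLE_* dictionaries with real API output.

```python
"""Post-deployment audit of the cloud-gateway routing from Steps 8-10.

Added example, not part of the deployment guide. Runs offline on constructed
data shaped like boto3 describe_route_tables() / describe_network_interfaces()
output; all IDs below are constructed placeholders.
"""

# Constructed sample: public subnet defaults to the IGW (Step 9), private subnet
# defaults to the firewall's trust-side ENI (Step 10).
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-public0001",
            "Associations": [{"SubnetId": "subnet-public0001"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0001"},
            ],
        },
        {
            "RouteTableId": "rtb-private0001",
            "Associations": [{"SubnetId": "subnet-private0001"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-abf355f2"},
            ],
        },
    ]
}

# Constructed sample: both firewall dataplane ENIs with Source/Dest check disabled (Step 8).
SAMPLE_ENIS = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-untrust01", "PrivateIpAddress": "10.0.0.10", "SourceDestCheck": False},
        {"NetworkInterfaceId": "eni-abf355f2", "PrivateIpAddress": "10.0.1.10", "SourceDestCheck": False},
    ]
}


def default_route_target(route_tables, subnet_id):
    """Return the target of the 0.0.0.0/0 route in the table associated with subnet_id, or None."""
    for table in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            for route in table["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return (route.get("GatewayId") or route.get("NetworkInterfaceId")
                            or route.get("InstanceId"))
    return None


def audit_gateway_routing(route_tables, enis, public_subnet, private_subnet, igw_id, fw_enis):
    """Return a list of findings; an empty list means the setup matches Steps 8-10."""
    findings = []
    # Step 9: the public subnet must default-route to the internet gateway.
    target = default_route_target(route_tables, public_subnet)
    if target != igw_id:
        findings.append(f"public subnet {public_subnet}: default route goes to {target!r}, expected {igw_id}")
    # Step 10: the private subnet must default-route to a firewall ENI, never the IGW,
    # otherwise the EC2 instances reach the internet without passing the firewall.
    target = default_route_target(route_tables, private_subnet)
    if target not in fw_enis:
        findings.append(f"private subnet {private_subnet}: default route goes to {target!r}, "
                        f"expected one of {sorted(fw_enis)}")
    # Step 8: every firewall dataplane ENI needs Source/Dest check disabled, or AWS drops
    # the forwarded packets whose addresses are not the ENI's own.
    by_id = {e["NetworkInterfaceId"]: e for e in enis["NetworkInterfaces"]}
    for eni_id in sorted(fw_enis):
        eni = by_id.get(eni_id)
        if eni is None:
            findings.append(f"{eni_id}: not found")
        elif eni.get("SourceDestCheck", True):
            findings.append(f"{eni_id}: Source/Dest check is still enabled")
    return findings


if __name__ == "__main__":
    result = audit_gateway_routing(SAMPLE_ROUTE_TABLES, SAMPLE_ENIS,
                                   "subnet-public0001", "subnet-private0001",
                                   "igw-0001", {"eni-untrust01", "eni-abf355f2"})
    for line in result or ["OK: routing and Source/Dest check match Steps 8-10"]:
        print(line)
```

Run it again after any route table or ENI change; a non-empty findings list means traffic can reach or leave the private subnet without being inspected.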
Step 10
In the route table associated with the private subnet, add a default route to send traffic to the VM‐Series firewall. Adding this route enables the forwarding of traffic from the EC2 instances in this private subnet to the VM‐Series firewall.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the private subnet. Select the route table, select Routes and click Edit.
2. Add a route to forward packets from this subnet to the VM‐Series firewall network interface that resides on the same subnet. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use eni‐abf355f2 (ethernet 1/2, which is CloudDC‐VM‐Series‐Trust) on the VM‐Series firewall.
3. For each web or database server deployed on an EC2 instance in the private subnet, you must also add the IP address of the VM‐Series firewall as the default gateway.
Perform Step 11 through Step 16 on the VM‐Series firewall.
Step 11
Configure a new administrative password for the firewall.
An SSH tool such as PuTTY is required to access the CLI on the firewall and change the default administrative password. You cannot access the web interface until you SSH in and change the default password.
1. Use the public IP address you configured on the firewall to SSH into the Command Line Interface (CLI) of the VM‐Series firewall. You will need the private key that you used or created in Launch the VM‐Series firewall, Step 3‐k, to access the CLI.
2. Enter the following command to log in to the firewall:
ssh -i <private_key_name> admin@<public‐ip_address>
3. Configure a new password using the following commands and follow the onscreen prompts:
configure
set password
commit
4. Terminate the SSH session.
Step 12
Access the web interface of the VM‐Series firewall.
Open a web browser and enter the EIP of the management interface. For example: https://54.183.85.163
Step 13
Activate the licenses on the VM‐Series firewall. This step is only required for the BYOL license; the usage‐based licenses are automatically activated.
See Activate the License.
Step 14
On the VM‐Series firewall, configure the dataplane network interfaces on the firewall as Layer 3 interfaces.
1. Select Network > Interfaces > Ethernet.
2. Click the link for ethernet 1/1 and configure as follows:
• Interface Type: Layer3
• Select the Config tab, and assign the interface to the default router.
• On the Config tab, expand the Security Zone drop‐down and select New Zone. Define a new zone, for example untrust, and then click OK.
• Select IPv4, select DHCP Client; the private IP address that you assigned to the network interface in the AWS management console will be acquired automatically.
• On the Advanced > Other Info tab, expand the Management Profile drop‐down, and select New Management Profile.
• Enter a Name for the profile, such as allow_ping, and select Ping from the Permitted Services list, then click OK.
• To save the interface configuration, click OK.
3. Click the link for ethernet 1/2 and configure as follows:
• Interface Type: Layer3
• Select the Config tab, and assign the interface to the default router.
• On the Config tab, expand the Security Zone drop‐down and select New Zone. Define a new zone, for example trust, and then click OK.
• Select IPv4, select DHCP Client.
• On the IPv4 tab, clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the IGW on the VPC.
• On the Advanced > Other Info tab, expand the Management Profile drop‐down, and select the allow_ping profile you created earlier.
• Click OK to save the interface configuration.
4. Click Commit to save the changes. Verify that the Link state for the interface is up. If the link state is not up, reboot the firewall.
Step 15
On the VM‐Series firewall, create Destination NAT and Source NAT rules to allow inbound/outbound traffic to/from the applications deployed within the VPC.
1. Select Policies > NAT.
2. Create a Destination NAT rule that steers traffic from the firewall to the web server.
a. Click Add, and enter a name for the rule. For example, NAT2WebServer.
b. In the Original Packet tab, make the following selections:
– Source Zone: untrust (where the traffic originates)
– Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated)
– Source Address: Any
– Destination Address: 10.0.0.10
c. In the Translated Packet tab, select the Destination Address Translation check box and set the Translated Address to 10.0.1.62, which is the private IP address of the web server.
d. Click OK.
3. Create a Source NAT rule to allow outbound traffic from the web server to the internet.
a. Click Add, and enter a name for the rule. For example, NAT2External.
b. In the Original Packet tab, make the following selections:
– Source Zone: trust (where the traffic originates)
– Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated)
– Source Address: Any
– Destination Address: Any
c. In the Translated Packet tab, make the following selections in the Source Address Translation section:
– Translation Type: Dynamic IP and Port
– Address Type: Translated Address
– Translated Address: 10.0.0.10 (the firewall dataplane interface in the untrust zone)
d. Click OK.
4. Click Commit to save the NAT policies.
Step 16
On the VM‐Series firewall, create security policies to manage traffic.
1. Select Policies > Security.
In this example, we have four rules: a rule that allows management access to the firewall, a rule to allow inbound traffic to the web server, a third rule to allow internet access to the web server, and in the last rule we modify the predefined interzone‐default rule to log all traffic that is denied.
2. Create a rule to allow management access to the firewall.
a. Click Add and enter a Name for the rule. Verify that the Rule Type is universal.
b. In the Source tab, add untrust as the Source Zone.
c. In the Destination tab, add trust as the Destination Zone.
d. In the Applications tab, Add ping and ssh.
e. In the Actions tab, set the Action to Allow.
f. Click OK.
3. Create a rule to allow inbound traffic to the web server.
a. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
b. In the Source tab, add untrust as the Source Zone.
c. In the Destination tab, add trust as the Destination Zone.
d. In the Applications tab, Add web‐browsing.
e. In the Service/URL Category tab, verify that the service is set to application‐default.
f. In the Actions tab, set the Action to Allow.
g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti‐spyware, and vulnerability protection.
h. Click OK.
4. Create a rule to allow internet access to the web server.
a. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
b. In the Source tab, add trust as the Source Zone.
c. In the Source Address section of the Source tab, add 10.0.1.62, the IP address of the web server.
d. In the Destination tab, add untrust as the Destination Zone.
e. In the Service/URL Category tab, verify that the service is set to application-default.
f. In the Actions tab, set the Action to Allow.
g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti‐spyware, and vulnerability protection.
h. Click OK.
Instead of entering a static IP address for the web server, use a dynamic address group. Dynamic address groups allow you to create policy that automatically adapts to changes so that you do not need to update the policy when you launch additional web servers in the subnet. For details, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
5. Edit the interzone‐default rule to log all traffic that is denied. This predefined interzone rule is evaluated when no other rule is explicitly defined to match traffic across different zones.
a. Select the interzone-default rule and click Override.
b. In the Actions tab, select Log at session end.
c. Click OK.
6. Review the complete set of security rules defined on the firewall.
7. Click Commit to save the policies.
Step 17
Verify that the VM‐Series firewall is securing traffic.
1. Launch a web browser and enter the IP address for the web server.
2. Log in to the web interface of the VM‐Series firewall and verify that you can see the traffic logs for the sessions at Monitor > Logs > Traffic.
• Traffic inbound to the web server (arrives at EC2 instance in the AWS VPC):
• Traffic outbound from the web server (EC2 instance in the AWS VPC):
You have successfully deployed the VM‐Series firewall as a cloud gateway!
Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
In a dynamic environment such as the AWS‐VPC where you launch new EC2 instances on demand, the administrative overhead in managing security policy can be cumbersome. Using Dynamic Address Groups in security policy allows for agility and prevents disruption in services or gaps in protection.
In this example, we illustrate how you can monitor the VPC and use Dynamic Address Groups in security policy to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the IP addresses of all instances that match the criteria defined for group membership, and then security policy is applied for the group. The security policy in this example allows internet access to all members of the group.
The workflow in the following section assumes that you have created the AWS VPC and deployed the VM‐Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM‐Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
Use Dynamic Address Groups in Policy
Step 1
Configure the firewall to monitor the VPC.
1. Select Device > VM Information Sources.
2. Click Add and enter the following information:
a. A Name to identify the VPC that you want to monitor. For example, VPC‐CloudDC.
b. Set the Type to AWS VPC.
c. In Source, enter the URI for the VPC. The syntax is ec2.<your_region>.amazonaws.com
d. Add the credentials required for the firewall to digitally sign API calls made to the AWS services. You need the following:
– Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
– Secret Access Key: Enter the password and confirm your entry.
e. (Optional) Modify the Update interval to a value between 5‐600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
f. Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console.
g. Click OK, and Commit the changes.
h. Verify that the connection Status displays as connected.
Step 2
Tag the EC2 instances in the VPC.
For a list of tags that the VM‐Series firewall can monitor, see List of Attributes Monitored on the AWS VPC.
A tag is a name‐value pair. You can tag the EC2 instances either on the EC2 Dashboard on the AWS management console or using the AWS API or AWS CLI. In this example, we use the EC2 Dashboard to add the tag:
Step 3
Create a dynamic address group on the firewall.
View the tutorial to see a big picture view of the feature.
3. Select Object > Address Groups.
4. Click Add and enter a Name and a Description for the address group.
5. Select Type as Dynamic.
6. Define the match criteria.
a. Click Add Match Criteria, and select the And operator.
b. Select the attributes to filter for or match against. In this example, we select the ExternalAccessAllowed tag that you just created and the subnet ID for the private subnet of the VPC.
7. Click OK.
8. Click Commit.
Step 4
Use the dynamic address group in a security policy.
Create a rule to allow internet access to any web server that belongs to the dynamic address group called ExternalServerAccess:
1. Select Policies > Security.
2. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
3. In the Source tab, add trust as the Source Zone.
4. In the Source Address section of the Source tab, Add the ExternalServerAccess group you just created.
5. In the Destination tab, add untrust as the Destination Zone.
6. In the Service/URL Category tab, verify that the service is set to application-default.
7. In the Actions tab, set the Action to Allow.
8. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti‐spyware, and vulnerability protection.
9. Click OK.
10. Click Commit.
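The point of Step 3 and Step 4, compared with the static rule set of Step 16 in the cloud‐gateway use case, is that group membership is computed from the VPC data the firewall polls, so a newly launched and correctly tagged web server is admitted by the existing rule while an untagged instance in the same subnet falls through to the interzone‐default deny. The following Python model is an added example, not part of this guide and not PAN‐OS code: it evaluates the And‐joined match criteria (the ExternalAccessAllowed tag plus the private subnet ID) over a constructed list of instances, then runs the four rules from Step 16 with the Step 4 rule substituted for the static web‐egress rule, using first‐match semantics. The instance IDs, the subnet ID subnet-private0001 and the tag value yes are constructed placeholders; 10.0.1.62 is the guide's web server.

```python
"""Dynamic address group membership and first-match rule evaluation.

Added example, not part of the deployment guide or of PAN-OS. Instance IDs,
subnet ID and tag value are constructed placeholders.
"""

# Constructed stand-in for the instance data the firewall retrieves from
# ec2.<region>.amazonaws.com in Step 1. 10.0.1.62 is the guide's web server.
SAMPLE_INSTANCES = [
    {"id": "i-web1", "ip": "10.0.1.62", "subnet": "subnet-private0001",
     "tags": {"ExternalAccessAllowed": "yes", "Name": "web-1"}},
    {"id": "i-web2", "ip": "10.0.1.63", "subnet": "subnet-private0001",
     "tags": {"ExternalAccessAllowed": "yes", "Name": "web-2"}},  # launched later, tagged
    {"id": "i-db1", "ip": "10.0.1.200", "subnet": "subnet-private0001",
     "tags": {"Name": "db-1"}},                                   # not tagged
    {"id": "i-stray", "ip": "10.0.0.77", "subnet": "subnet-public0001",
     "tags": {"ExternalAccessAllowed": "yes"}},                  # tagged, wrong subnet
]


def dynamic_group_members(instances, match_all):
    """Step 3: IPs of instances whose attributes satisfy every criterion (the And operator)."""
    members = set()
    for inst in instances:
        attrs = {"subnet-id": inst["subnet"]}
        attrs.update({f"tag:{k}": v for k, v in inst["tags"].items()})
        if all(attrs.get(key) == value for key, value in match_all.items()):
            members.add(inst["ip"])
    return members


def build_rules(groups):
    """The Step 16 rule set with the web-egress rule referencing the dynamic group (Step 4).

    A rule's src is either "any" or a set of IPs; apps is either "any" or a set of App-IDs.
    """
    return [
        {"name": "mgmt-access", "from": "untrust", "to": "trust", "src": "any",
         "apps": {"ping", "ssh"}, "action": "allow"},
        {"name": "inbound-web", "from": "untrust", "to": "trust", "src": "any",
         "apps": {"web-browsing"}, "action": "allow"},
        {"name": "web-egress", "from": "trust", "to": "untrust",
         "src": groups["ExternalServerAccess"], "apps": "any", "action": "allow"},
    ]


def evaluate(rules, flow):
    """Return (rule name, action) for flow = {src_zone, dst_zone, src_ip, app}; first match wins."""
    for rule in rules:
        if rule["from"] != flow["src_zone"] or rule["to"] != flow["dst_zone"]:
            continue
        if rule["src"] != "any" and flow["src_ip"] not in rule["src"]:
            continue
        if rule["apps"] != "any" and flow["app"] not in rule["apps"]:
            continue
        return rule["name"], rule["action"]
    # Nothing matched across zones: the predefined interzone-default rule denies
    # (and, after Step 16.5, logs) the session.
    return "interzone-default", "deny"


def demo():
    """Recompute membership from the polled data and evaluate a few constructed flows."""
    criteria = {"tag:ExternalAccessAllowed": "yes", "subnet-id": "subnet-private0001"}
    groups = {"ExternalServerAccess": dynamic_group_members(SAMPLE_INSTANCES, criteria)}
    rules = build_rules(groups)
    flows = {
        "inbound web to web-1": {"src_zone": "untrust", "dst_zone": "trust",
                                 "src_ip": "203.0.113.5", "app": "web-browsing"},
        "new web server egress": {"src_zone": "trust", "dst_zone": "untrust",
                                  "src_ip": "10.0.1.63", "app": "web-browsing"},
        "untagged db egress": {"src_zone": "trust", "dst_zone": "untrust",
                               "src_ip": "10.0.1.200", "app": "web-browsing"},
    }
    return {label: evaluate(rules, flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, (rule, action) in demo().items():
        print(f"{label:24s} -> {rule} ({action})")
```

The stray instance shows why the And operator matters: a tag alone would pull an instance in the public subnet into the group, whereas tag plus subnet ID restricts membership to the private subnet the rule is meant to cover.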
Step 5
Verify that members of the dynamic address group are populated on the firewall.
Policy is enforced for all IP addresses that belong to this address group; they are displayed here.
1. Select Policies > Security, and select the rule.
2. Select the drop‐down arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed.
Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS
The AWS infrastructure and services provide an architecture that can scale and grow with your business. In addition to performance and application availability demands, your business requires assured security and application enablement. In order to reduce the attack surface for threats and to ensure that your business‐critical servers, applications, and data are secure, you require the Palo Alto Networks VM‐Series firewall. Together, AWS and the VM‐Series firewall deliver operational efficiency with increased agility and optimal security.
• Solution Overview—Secure Highly Available Internet‐Facing Applications
• Deploy the Solution Components for Highly Available Internet‐Facing Applications in AWS
Solution Overview—Secure Highly Available Internet‐Facing Applications
In this use case, we show you how to secure highly available two‐tier applications in Amazon Web Services (AWS) that are accessed by users over the internet. This setup is one specific example that uses WordPress and MySQL as the two‐tier applications. It includes a relational database service, a DNS‐based global load balancing web service, Citrix NetScaler load balancers, and several VM‐Series firewalls to secure north‐south and east‐west traffic flows to the applications in the Amazon Virtual Private Cloud (VPC). For high availability, the VPC spans two Availability Zones (AZs) in AWS. There are many other applications and architectures that Palo Alto Networks firewalls can secure; this use case is just one option.
The following table lists the elements required to deploy the solution for highly available internet‐facing applications in AWS.

Solution Element: Internet‐Facing Applications
Solution Component: Amazon Elastic Compute Cloud (EC2) Instances
Description: Web applications that are accessed by users over the internet. These applications are typically deployed in a multi‐tier architecture on EC2 instances in an AWS VPC. AWS provides the infrastructure for ensuring uptime, scalability, and performance to meet your business needs.

Solution Element: Load Balancers
Solution Component: Examples include Citrix NetScaler VPX, F5 Networks BIG‐IP Local Traffic Manager (LTM), and NGINX Plus.
Description: The load balancer monitors the availability of servers, the database service, and the firewalls to ensure a seamless failover when an instance fails. This use case shows how to use the Citrix NetScaler VPX for deploying a highly available web application, but you can use a different load balancer.

Solution Element: Firewalls
Solution Component: VM‐Series
Description: Multiple instances of the VM‐Series firewall are deployed to secure all your applications and database servers. The firewalls secure each subnet and restrict access in a way that matches the business and technical requirements of your multi‐tier architecture. This segmentation provides multiple layers of defense to ensure that business‐critical services and data are always safe.

Solution Element: Global Server Load Balancing (GSLB) Service
Solution Component: Amazon Route 53
Description: Amazon Route 53 is a DNS‐based GSLB web service that provides DNS and multi‐Availability Zone (AZ)/VPC redundancy. Route 53 allows you to create and manage DNS records, connect user requests to an infrastructure, such as your web servers and load balancers running in AWS, and perform health checks to monitor the health of your servers and route traffic appropriately.

Solution Element: Database Service
Solution Component: Amazon Relational Database Service (RDS)
Description: Amazon RDS is tightly integrated with other Amazon Web Services. Amazon RDS offers a selection of engines for your database instances.
See Deploy the Solution Components for Highly Available Internet‐Facing Applications in AWS for the configuration details.
Deploy the Solution Components for Highly Available Internet‐Facing Applications in AWS
Use these high‐level tasks to deploy the components listed in the Solution Overview—Secure Highly Available Internet‐Facing Applications.
• Set Up the VPC
Create the VPC and add the subnets, security groups, internet gateway, and a route table. You will also create Elastic Network Interfaces (ENIs) and allocate Elastic IP Addresses for some instances in the VPC. Duplicate this set up in another Availability Zone for redundancy.
• Deploy the VM‐Series Firewalls in the VPC
Deploy and configure four VM‐Series firewalls in each Availability Zone—a pair of firewalls to secure the web farm, one to secure the RDS, and one firewall for outbound access from the VPC. The firewall that regulates outbound access to the internet also secures all the management traffic to and from the firewalls, servers, and services in the VPC. This use case focuses primarily on how to set up the firewalls for securing your internet‐facing multi‐tiered application(s). It also briefly covers the process of deploying and configuring the NetScaler VPX to load balance traffic across the VM‐Series firewalls.
• Deploy the Web Farm in the VPC
• Set Up the Amazon Relational Database Service (RDS)
• Configure the Citrix NetScaler VPX
• Verify Traffic Enforcement
• Set up Amazon Route 53
Set Up the VPC
Setting up the VPC requires you to—at a minimum—create the VPC, add the subnets, create the security groups, deploy EC2 instances, and attach ENIs with private IP addresses. To allow external access to the servers in the VPC, you also require an internet gateway and an Elastic IP Address for each EC2 instance that needs access to the internet. For this use case, the VPC setup is as follows:
Set Up the VPC
Step 1
Create the VPC and add the subnets.
In this example, we create four subnets within the 192.168.0.0/16 VPC as follows:
• 192.168.0.0/24 (Public: for external access and management)
• 192.168.1.0/24 (Firewall: for connecting the firewalls)
• 192.168.2.0/24 (Web: for connecting to the web farm)
• 192.168.3.0/24 (DB: for connecting to the database server)
Step 2
Set up the other basic components in the VPC.
• Set up the internet gateway for incoming and outgoing traffic to/from the VPC and attach the internet gateway to the VPC.
• Set up the security groups. These groups are a basic form of security based on IP addresses, ports, and protocols. Security groups do not provide next‐generation features like App‐ID or threat protection, but these groups are part of a complementary solution that helps secure the VPC. This example has six security groups that control access to the subnets within the VPC:
– PANOS‐MGMT—Attach to the management interface of each VM‐Series firewall. The inbound access rules for this security group allow SSH and HTTPS traffic.
– PANOS‐Dataplane—Attach to the dataplane interfaces of each VM‐Series firewall. The inbound access rules for this security group allow all traffic.
– Webserver—Attach to the interfaces of each web server. The inbound access rules for this security group allow all traffic that is sourced from the PAN‐OS Dataplane security group.
– NetScaler‐MGMT—Attach to the management interface of the Citrix NetScaler load balancer. The inbound access rules for this security group allow SSH and HTTPS traffic.
– NetScaler‐Loadbalancing—Attach to the other interfaces on the Citrix NetScaler load balancer that are used to load balance traffic to the web farm. The inbound access rules for this security group allow all traffic.
– Amazon RDS SG—Attach to the interfaces on the Relational Database Service. The inbound access rules for this security group allow traffic on port 3306.
Ensure that the web server security group allows access only to destinations that are in the same subnet.
For instructions, refer to the AWS documentation.
• Allocate Elastic IP Addresses. For details on assigning Elastic IP Addresses, refer to the AWS documentation. AWS has a default maximum number of Elastic IP Addresses; if your specific architecture requires more than the default, you can request more Elastic IP Addresses through AWS.
This example uses seven Elastic IP Addresses. See Allocate and associate Elastic IP Addresses for the firewall and the NetScaler VPX.
• Set up the route tables:
• Rename the main router with a descriptive name (this route table is automatically created when you create the VPC) and attach the internet gateway to this route table.
• Add a new route table. This route table is required for routing traffic from the web servers to the VM‐Series firewall; this route table alleviates the need to create a default route on each web server as you horizontally scale out your web farm.
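The six security groups in Step 2 are the only control that keeps the web farm reachable solely through the firewalls' dataplane interfaces and keeps the firewall and NetScaler management interfaces limited to SSH and HTTPS, so it is worth checking them against that intent after every change rather than trusting the console. The script below is an added example (not part of this guide) that does so offline on constructed data shaped like the boto3 describe_security_groups() response; the group IDs and the 192.168.0.0/16 source used for the RDS group are constructed placeholders, since the guide states only the port for that group. Replace SAMPLE_GROUPS with real API output to audit a live VPC.

```python
"""Audit the Step 2 security groups against their stated inbound intent.

Added example, not part of the deployment guide. Runs offline on constructed
data shaped like boto3 describe_security_groups() output; group IDs and the
RDS source CIDR are constructed placeholders.
"""

def _tcp(port, cidr="0.0.0.0/0"):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "UserIdGroupPairs": []}

ALL_TRAFFIC = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}

# Constructed sample: the six groups exactly as Step 2 describes them.
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-panos-mgmt", "GroupName": "PANOS-MGMT", "IpPermissions": [_tcp(22), _tcp(443)]},
        {"GroupId": "sg-panos-dp", "GroupName": "PANOS-Dataplane", "IpPermissions": [ALL_TRAFFIC]},
        {"GroupId": "sg-web", "GroupName": "Webserver", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-panos-dp"}]}]},
        {"GroupId": "sg-ns-mgmt", "GroupName": "NetScaler-MGMT", "IpPermissions": [_tcp(22), _tcp(443)]},
        {"GroupId": "sg-ns-lb", "GroupName": "NetScaler-Loadbalancing", "IpPermissions": [ALL_TRAFFIC]},
        {"GroupId": "sg-rds", "GroupName": "Amazon RDS SG", "IpPermissions": [_tcp(3306, "192.168.0.0/16")]},
    ]
}

# Intent per group, taken from Step 2: a closed set of TCP ports, "all traffic",
# or "only from this other security group".
EXPECTED = {
    "PANOS-MGMT": {"ports": {22, 443}},
    "PANOS-Dataplane": {"all": True},
    "Webserver": {"source_group": "PANOS-Dataplane"},
    "NetScaler-MGMT": {"ports": {22, 443}},
    "NetScaler-Loadbalancing": {"all": True},
    "Amazon RDS SG": {"ports": {3306}},
}


def inbound_summary(group):
    """Reduce a group's inbound rules to (ports or 'all', CIDR sources, source group IDs)."""
    ports, cidrs, src_groups = set(), set(), set()
    for perm in group["IpPermissions"]:
        if perm["IpProtocol"] == "-1":
            ports.add("all")
        else:
            ports.update(range(perm["FromPort"], perm["ToPort"] + 1))
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        src_groups.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return ports, cidrs, src_groups


def audit_security_groups(data, expected):
    """Return findings where a group's inbound rules exceed the intent; empty means compliant."""
    findings = []
    by_name = {g["GroupName"]: g for g in data["SecurityGroups"]}
    name_to_id = {name: g["GroupId"] for name, g in by_name.items()}
    for name, intent in expected.items():
        group = by_name.get(name)
        if group is None:
            findings.append(f"{name}: missing")
            continue
        ports, cidrs, src_groups = inbound_summary(group)
        if "ports" in intent:
            extra = ports - intent["ports"]        # 'all' counts as extra
            if extra:
                findings.append(f"{name}: inbound allows more than {sorted(intent['ports'])}: "
                                f"{sorted(extra, key=str)}")
        if "source_group" in intent:
            wanted = name_to_id.get(intent["source_group"])
            # Any CIDR source, or any group other than the wanted one, opens a path
            # to the web farm that does not pass through the firewalls.
            if cidrs or src_groups != {wanted}:
                findings.append(f"{name}: inbound must come only from {intent['source_group']} "
                                f"({wanted}), got cidrs={sorted(cidrs)} groups={sorted(src_groups)}")
    return findings


if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_GROUPS, EXPECTED) or ["OK: security groups match Step 2"]:
        print(line)
```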
Step 3
Create the subnets, security groups, and routes in the other Availability Zone.
Repeat the VPC setup in the other Availability Zone. For the complete workflow, see Deploy the Solution Components for Highly Available Internet‐Facing Applications in AWS.
Deploy the VM‐Series Firewalls in the VPC
You must deploy the firewalls, license the firewalls as appropriate, configure the network interfaces, and create policies that limit application and data traffic flows as appropriate for each server and application.
In this use case, each Availability Zone has four VM‐Series firewalls:
• Mgmt‐FW—A firewall that secures inbound and outbound traffic necessary for managing and updating the infrastructure. It secures all inbound and outbound management traffic to and from the EC2 instances and services in the VPC, including database engine updates, SSH and HTTPS access to the EC2 instances and services, and SNMP. See Launch the VM‐Series Firewalls and the NetScaler VPX and Configure the VM‐Series Firewall for Securing Outbound Access from the VPC.
• AZ1‐FW1 and AZ1‐FW2—A pair of firewalls that manage traffic from the NetScaler VPX to the web farm. In the event that a firewall fails, the load balancer uses service monitors to detect the failure and redirect traffic through the other firewall. See Launch the VM‐Series Firewalls and the NetScaler VPX and Configure the Firewalls that Secure the Web Farm.
• AZ1‐DB—A firewall to segment the web farm from the Relational Database Service (RDS). This architecture allows you to add a layer of security and isolate the database service and limit the exposure of front‐end servers to risks and threats. See Launch the VM‐Series Firewalls and the NetScaler VPX and Configure the Firewall that Secures the RDS.
Launch the VM‐Series Firewalls and the NetScaler VPX
On the AWS management console, launch the firewalls, launch the load balancer, and edit the route tables you added when you created the VPC.
Launch the VM‐Series Firewalls
Step 1
Launch the firewalls and perform initial configuration.
1. Launch the firewalls. See Deploy the VM‐Series Firewall in AWS for system requirements and step‐by‐step instructions for launching the firewall and performing initial configuration. For this use case, you deploy four VM‐Series firewalls in each AZ.
The IP address assigned to the management interface (eth0) of each firewall is as follows:
• Mgmt‐FW—192.168.0.10
• AZ1‐FW1—192.168.0.11
• AZ1‐FW2—192.168.0.12
• AZ1‐DB—192.168.0.13
2. Establish an SSH connection to the IP address assigned to the management interface and perform initial configuration on the command line interface (CLI) of the VM‐Series firewall.
3. Create and attach two ENIs to each firewall; these interfaces will serve as the dataplane interfaces on each firewall. Connect each ENI to the appropriate subnet and security group.
• Mgmt‐FW—The dataplane interface IP addresses are:
– 192.168.2.254 (to web farm)
– 192.168.0.254 (external connectivity for internet access)
• AZ1‐FW1—The dataplane interface IP addresses are:
– 192.168.1.11 (to NetScaler)
– 192.168.2.11 (to web farm)
• AZ1‐FW2—The dataplane interface IP addresses are:
– 192.168.1.12 (to NetScaler)
– 192.168.2.12 (to web farm)
• AZ1‐DB—The dataplane interface IP addresses are:
– 192.168.2.13 (to web farm)
– 192.168.3.13 (to RDS)
Step 2
Launch the NetScaler VPX.
Refer to the Citrix NetScaler documentation for instructions.
1. Choose the Amazon Machine Image (AMI) from the AWS Marketplace and launch the NetScaler VPX. In this example, the NetScaler IP address used for management access is 192.168.0.14.
To log in to the NetScaler management console, you must assign an Elastic IP Address on the management interface.
2. Attach two ENIs to the NetScaler VPX. Later in this example, in Configure the Citrix NetScaler VPX, you configure the interface IP addresses as:
• 192.168.0.50—Virtual IP address that will be used for external access
• 192.168.1.50—Subnet IP address that will be used for connecting to the web farm within the VPC
Step 3
Allocate and associate Elastic IP Addresses for the firewall and the NetScaler VPX.
Assign Elastic IP Addresses to the interfaces that provide access from the internet. In this example, the Elastic IP Addresses are as follows:
• One EIP address maps to the management interface of each of the four VM‐Series firewalls. With the exception of the VM‐Series firewall that secures management access, the Elastic IP address that maps to the management interface of each VM‐Series firewall will be used for out‐of‐band management.
• One EIP address maps to the public‐facing interface on the VM‐Series firewall that manages outbound access from the VPC.
• Two EIP addresses map to the NetScaler VPX: one is associated with the NetScaler IP address and the other is bound to the Virtual IP address.
Step 4
Edit the route tables.
1. Add a new route table, if you did not add one when setting up the VPC.
2. Add a new route that directs all traffic from the web farm to the ENI that is attached to the web server subnet on the VM‐Series firewall (Mgmt‐FW).
3. Create and attach the internet gateway to the main router on the VPC to allow outbound internet access from the VPC.
Configure the VM‐Series Firewall for Securing Outbound Access from the VPC
The Mgmt‐FW in this use case is the VM‐Series firewall that secures inbound management traffic, such as infrastructure updates that include DNS and apt‐get updates for all web servers. This firewall is also the default gateway for all outbound traffic from the web farm to the internet.
Configure the VM‐Series Firewall that Secures Outbound Access
Step 1
Launch the firewalls and perform initial configuration.
Step 2
Allocate and assign Elastic IP Addresses.
This use case requires one Elastic IP Address for the management interface of the VM‐Series firewall and one for the dataplane interface that allows internet access from the VPC. See Step 3.
Step 3
Log in to the web interface of the VM‐Series firewall using the Elastic IP Address assigned to the management interface.
Step 4
Configure the network interfaces. Select Network > Interfaces > Ethernet and click the links to configure ethernet1/1 and ethernet1/2.
1. Configure a DHCP client on each interface and create and attach security zones to each interface.
2. When configuring the interface that is connected to the web farm (ethernet1/2 in this use case), clear the check box to Automatically create default route to default gateway provided by server. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC.
Step 5
Create service objects and a service group.
A service object allows you to specify the port number that an application can use if you plan to use a non‐default port for an application. You use these objects in NAT policy (Step 7) so that the firewall can perform port translation to route traffic properly.
1. Select Objects > Services and Add the service objects to enable TCP access to the web servers on ports 10000, 10001, 10002, and 10003.
2. Combine these service objects into a service group. Select Objects > Service Groups and Add a service group named Webserver_Services and Add Web1, Web2, Web3, and Web4 to the group.
Step 6
Define security policy for sanctioned applications.
For example, allow SSH for inbound management and allow application and DNS updates to the web servers in the VPC. Because this use case employs non‐default ports for SSH access, change the Service for SSH Management from ‘application‐default’ to ‘Webserver_Services’ (the service group created in the last step) to define the ports that provide access to the web servers.
Step 7
Define NAT policy rules. These rules ensure that the firewall performs IP address and port translation and secures all inbound and outbound traffic on the web server farm.
1. Create NAT rules for permitting inbound access to each web server. You need to enable destination translation to the service objects you defined earlier for each web server.
2. Create an outbound NAT rule that allows internet access for the web servers in the VPC. This rule allows the firewall to translate the source IP address as the public‐facing interface on the management firewall. The AWS internet gateway then translates the private IP address to the Elastic IP Address associated with the interface for routing the traffic to the internet.
See Port Translation for Service Objects for details on how the firewall performs IP address and port translation to properly route traffic.
Step 8
To ensure that traffic is routed properly to the firewall, perform the following tasks on the AWS management console:
1. Create a route table for the web farm subnet and add a new route that directs all traffic from the web farm to the ENI that is attached to the web server subnet on the VM‐Series firewall (Mgmt‐FW). See Step 4‐2.
2. Disable source and destination checks on the dataplane network interface(s) assigned to the firewall. Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the interface. Select the network interface in the Network Interfaces tab on the EC2 Dashboard, for example eth1/1, and in the Action drop‐down, select Change Source/Dest. Check. Click Disabled and Save your changes.
Configure the Firewalls that Secure the Web Farm
Use these instructions to configure the redundant pair of VM‐Series firewalls that secure the web servers within an Availability Zone.
For a topology and solution details, see Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS and Solution Overview—Secure Highly Available Internet‐Facing Applications.
Configure the VM‐Series Firewalls that Secure the Web Farm
Step 1
Launch the firewalls and perform initial configuration.
Step 2
Allocate and assign Elastic IP Addresses.
This use case requires one Elastic IP Address for the management interface of each VM‐Series firewall. See Step 3.
Step 3
Log in to the web interface of the VM‐Series firewall using the EIP address assigned to the management interface.
Step 4
Configure the network interfaces. Select Network > Interfaces > Ethernet and click the links to configure ethernet1/1 and ethernet1/2.
1. Configure a DHCP client on each interface and create and attach security zones to each interface.
2. Clear the check box to Automatically create default route to default gateway provided by server to ensure that the web servers do not use the default route provided by the firewall.
Step 5
Create a security policy rule to allow the sanctioned applications. Because we use the WordPress application in this example, the policy rule allows the web‐browsing and blog‐posting applications for WordPress.
Step 6
Create a NAT policy rule to ensure symmetric routing of traffic when the NetScaler VPX load balances traffic across the two (or more) firewalls that are protecting the web servers. This NAT policy rule is required to translate the private IP addresses to public IP addresses that can be routed to external networks. It also ensures that the same firewall manages the request and response traffic for a web server in the web farm.
Configure the Firewall that Secures the RDS
This task helps you set up the VM‐Series firewall that secures the database service on AWS. For the topology and solution details, see Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS and Solution Overview—Secure Highly Available Internet‐Facing Applications.
Configure the VM‐Series Firewall that Secures the RDS
Step 1
Launch the firewalls and perform initial configuration.
Step 2
Allocate and assign Elastic IP Addresses for the management interface of the VM‐Series firewall. See Step 3.
Step 3
Log in to the web interface of the VM‐Series firewall using the Elastic IP Address assigned to the management interface.
Step 4
Configure the network interfaces. Select Network > Interfaces > Ethernet and click the links to configure ethernet1/1 and ethernet1/2.
1. Configure a DHCP client on each interface and create and attach security zones to each interface.
2. Clear the check box to Automatically create default route to default gateway provided by server to ensure that the RDS does not use the default route provided by the firewall to directly access the internet.
Step 5
Create the security policy rule that allows traffic to pass from the web servers to the database server.
Step 6
Create a Source NAT policy that allows outbound traffic initiated by the database server to be routed through ethernet1/2 interface (192.168.3.13) on the firewall to the web servers.
You cannot configure routing on the Amazon RDS. Source NAT policy on the firewall is required to ensure that the traffic is routed properly.
Deploy the Web Farm in the VPC
This workflow shows you how to deploy the web server and configure the WordPress application. These instructions are included solely for the purpose of taking you through the implementation in this use case. For concepts and details on deploying WordPress, refer to the WordPress documentation.
For the topology and solution details, see Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS and Solution Overview—Secure Highly Available Internet‐Facing Applications.
Deploy the Web Farm in the VPC
Step 1
Launch the web server in the VPC.
1. Launch an Ubuntu instance (version 14.04) in the Web server subnet.
2. Add an ENI and assign an IP address (for example, 192.168.2.50).
3. Log in to the web server using the VM‐Series firewall configured for management access.
   ssh -i keypair.pem -p 10000 ubuntu@52.8.208.92
Step 2
Configure the web server for access.
1. Create and edit the eth0.cfg file.
   sudo vi /etc/network/interfaces.d/eth0.cfg
2. Configure the file with a static network setting to direct database traffic to the VM‐Series firewall that secures the database service. The following settings are the same for each web server:
   # The primary network interface
   auto eth0
   iface eth0 inet dhcp
   # static route for database segment
   up route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.2.13 dev eth0
3. Reboot to restart the networking on the web server.
   sudo reboot now
Step 3
Connect the web server to the database service.
1. Establish an SSH connection to the server after the reboot.
2. (One‐time task—only when you deploy the first web server) Configure the database Endpoint name. This is the DNS name and port for your DB instance and is displayed on the RDS instance.
3. Connect to the database. For example:
   mysql -u awsuser -h myrdbinstances.cdfujxufuwlc.us-west-2.rds.amazonaws.com -p
4. Create the database and add WordPress users and permissions. For example:
   CREATE DATABASE Ignite;
   CREATE USER 'student'@'%' IDENTIFIED BY 'paloalto';
   GRANT ALL PRIVILEGES ON Ignite.* TO 'student'@'%';
   FLUSH PRIVILEGES;
   exit
Step 4
Install and configure WordPress.
1. Install updates, Apache, and WordPress on each server.
   sudo apt-get update
   sudo apt-get install apache2
   sudo apt-get install wordpress
2. Create the WordPress path in Apache.
   sudo ln -s /usr/share/wordpress /var/www/html/wordpress
3. Create a WordPress configuration file and add a username and password for a new user. For example:
   sudo gzip -d /usr/share/doc/wordpress/examples/setup-mysql.gz
   sudo bash /usr/share/doc/wordpress/examples/setup-mysql -n Ignite -u student -t myrdbinstances.cdfujxufuwlc.us-west-2.rds.amazonaws.com 192.168.2.50
4. Move the existing WordPress configuration file to a file that will match the domain name.
   sudo mv /etc/wordpress/config-192.168.2.50.php /etc/wordpress/config-wordpress.ignite-aws-demo.com.php
   If you see the error config-<Route53>.php file is inaccessible when verifying access to the WordPress application, confirm that the file owner is www-data and that the spelling and syntax are accurate.
Set Up the Amazon Relational Database Service (RDS)
This section shows how to set up the database service for this use case. These instructions are included solely for the purpose of taking you through the implementation of this specific use case. For setup and conceptual information on the service, refer to Amazon Relational Database Service documentation.
For the topology and solution details, see Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS and Solution Overview—Secure Highly Available Internet‐Facing Applications.
Set Up the Relational Database Service
Step 1
In the VPC Dashboard, make sure there are two database subnets. If not, create a second one (a minimum of two subnets is required for the RDS).
Step 2
In the RDS Dashboard, create a DB Subnet Group that includes both subnets.
Step 3
Launch the Create DB Wizard. This example uses the following options:
• DB Engine—MySQL
• Multi‐AZ Deployment—Yes
• DB Instance class and Advanced Settings—Based on your deployment needs
Step 4
Verify that the RDS is running.
Configure the Citrix NetScaler VPX
This section shows you how to set up the NetScaler VPX load balancer for this use case. These instructions are included solely for the purpose of taking you through the implementation in this use case. For setup and conceptual information on the NetScaler VPX, refer to the Citrix documentation.
For the topology and solution details, see Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS and Solution Overview—Secure Highly Available Internet‐Facing Applications.
Configure the Citrix NetScaler VPX
Step 1
Launch the NetScaler VPX and assign an Elastic IP Address.
1. Launch the NetScaler VPX.
2. Allocate and associate Elastic IP Addresses for the firewall and the NetScaler VPX.
Step 2
Configure the Virtual IP and the Subnet IP on the NetScaler VPX.
1. On the NetScaler management console, select Configuration > System > Network > IPs.
2. Add the Virtual IP and the Subnet IP addresses.
Step 3
Add static routes to direct traffic to the web servers. Make sure to add routes for the web servers in both Availability Zones.
Add the routes in Configuration > System > Network > Routes. In this example, we add routes to direct traffic from web1 and web2 through eth1/1 on AZ1‐FW1 and traffic from web3 and web4 to eth1/1 on AZ1‐FW2.
Step 4
Create a service for each web server.
Add the web services in Configuration > Traffic Management > Load Balancing > Services.
Step 5
Configure the virtual server. The Virtual server IP address is the only IP address that is exposed to users who connect to the web server from the internet.
1. Add a Virtual Server IP address in Configuration > Traffic Management > Load Balancing > Virtual Servers.
2. Bind the web services you created in Step 4 to this virtual server.
3. Edit the settings for the virtual server to enable IP address persistence. IP address persistence is required for the application to authenticate properly. Based on your preference, select Cookie-based or Source-IP-based persistence.
Step 6
Test your configuration.
Verify that you can log in to the web server. The WordPress application in this use case would be accessible at http://ignite‐aws‐demo.com/wordpress.
Set up Amazon Route 53
Use Amazon Route 53 as the DNS service for your registered domain names.
For an overview of the topology and solution details, see Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS and Solution Overview—Secure Highly Available Internet‐Facing Applications.
Set up Route 53
Step 1
Create a hosted zone(s) for a domain(s). Refer to the AWS documentation on Creating a Public Hosted Zone.
Step 2
Add the resource record sets to route traffic to the domain(s).
To create a resource record set in your hosted zone, refer to Working with Resource Record Sets.
In this example, the record set resolves the desired domain to the Elastic IP Address on the NetScaler VPX that fronts the web servers in the VPC. It is a Type A IPv4 address that is the Elastic IP Address assigned to the VIP (192.168.0.50) on the NetScaler VPX.
In a redundant configuration, configure the domain to resolve to every Elastic IP Address associated with a VIP on the NetScaler VPX.
The Citrix NetScaler can host multiple applications on one IP address with Content Switching enabled.
Step 3
Create a health check and associate it with a record set.
Use Route 53 health checks to validate that the application is available for a given Availability Zone. If Route 53 detects a failure, such as an Availability Zone failure, NetScaler VPX failure, or failure of the web servers, it stops serving the associated Elastic IP Address via DNS resolution until the health check is successful.
Verify Traffic Enforcement
Access the WordPress server and monitor the logs on the VM‐Series firewalls to verify that policy is being enforced for your multi‐tiered applications in AWS.
Verify Traffic Enforcement
Step 1
On the web interface of the VM‐Series firewall, select Monitor > Logs > Traffic. The following screenshot from the Mgmt‐FW firewall shows that management traffic (SSH) and infrastructure traffic (application updates) to the web servers are secured.
Step 2
Check the session browser (Monitor > Session Browser) on the firewall for sessions that are still in progress. By default, a traffic log is generated after a session terminates. The following screenshot is from the VM‐Series firewall that is securing the RDS.
For the overview of the topology and solution details, see Use Case: Deploy the VM‐Series Firewalls to Secure Highly Available Internet‐Facing Applications in AWS and Solution Overview—Secure Highly Available Internet‐Facing Applications.
Port Translation for Service Objects
This table shows how the firewall performs IP address and port translation for routing traffic to the web farm when you have configured service objects with NAT policy in Step 5 and Step 7 of Configure the VM‐Series Firewall for Securing Outbound Access from the VPC.
Server   Private IP: Port    Private IP: Translated Port   Public IP: Port
Web1     192.168.2.50:22     192.168.2.50:10000            52.8.66.226:10000
Web2     192.168.2.51:22     192.168.2.51:10001            52.8.66.226:10001
Web3     192.168.2.52:22     192.168.2.52:10002            52.8.66.226:10002
Web4     192.168.2.53:22     192.168.2.53:10003            52.8.66.226:10003
Use Case: VM‐Series Firewalls as GlobalProtect Gateways in AWS
Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up the security and IT infrastructure, ensuring bandwidth and uptime requirements in multiple locations around the globe while staying within your budget.
The VM‐Series firewall in AWS melds the security and IT logistics required to consistently and reliably protect devices used by mobile users in regions where you do not have a presence. By deploying the VM‐Series firewall in the AWS cloud, you can quickly and easily deploy GlobalProtect™ gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources.
To minimize latency, select AWS regions that are closest to your users, deploy the VM‐Series firewalls on EC2 instances, and configure the firewalls as GlobalProtect gateways. With this solution, the GlobalProtect gateways in the AWS cloud enforce security policy for internet traffic so there is no need to backhaul that traffic to the corporate network. Additionally, for access to resources on the corporate network, the VM‐Series firewalls in AWS leverage the LSVPN functionality to establish IPSec tunnels back to the firewall on the corporate network.
For ease of deployment and centralized management of this distributed infrastructure, use Panorama to configure the GlobalProtect components used in this solution. Optionally, to ensure that mobile devices, such as smartphones and tablets, are safe for use on your network, use a Mobile Device Manager to configure and manage mobile devices.
Components of the GlobalProtect Infrastructure
To block risky applications and protect mobile users from malware, you must set up the GlobalProtect infrastructure, which includes the GlobalProtect portal, the GlobalProtect gateway, and the GlobalProtect app. Additionally, for access to corporate resources, you must set up an IPSec VPN connection between the VM‐Series firewalls in AWS and the firewall in the corporate headquarters using LSVPN (a hub and spoke VPN deployment).
The GlobalProtect agent/app is installed on each end‐user system that is allowed to access corporate applications and resources. The agent first connects to the portal to obtain information on the gateways and then establishes a secure VPN connection to the closest GlobalProtect gateway. The VPN connection between the end‐user system and the gateway ensures data privacy.
The GlobalProtect portal provides the management functions for the GlobalProtect infrastructure. Every end‐user system receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In this use case, the GlobalProtect portal is a hardware‐based firewall that is deployed in the corporate headquarters.
The GlobalProtect gateway delivers mobile threat prevention and policy enforcement based on applications, users, content, device, and device state. In this use case, the VM‐Series firewalls in AWS function as the GlobalProtect gateways. The GlobalProtect gateway scans each user request for malware and other threats, and, if policy allows, sends the request to the internet or to the corporate network over the IPSec tunnel (to the LSVPN gateway).
For LSVPN, you must configure the GlobalProtect portal, GlobalProtect gateway for LSVPN (hub), and the GlobalProtect Satellites (spokes).
In this use case, the hardware‐based firewall in the corporate office is deployed as the GlobalProtect portal and the LSVPN gateway. The VM‐Series firewalls in AWS are configured to function as GlobalProtect satellites. The GlobalProtect satellites and gateway are configured to establish an IPSec tunnel that terminates on the gateway. When a mobile user requests an application or resource that resides on the corporate network, the VM‐Series firewall routes the request over the IPSec tunnel.
Deploy GlobalProtect Gateways in AWS
To secure mobile users, in addition to deploying and configuring the GlobalProtect gateways in AWS, you need to set up the other components required for this integrated solution. The following table includes the recommended workflow:
Deploy GlobalProtect in AWS
• Deploy the VM‐Series firewall(s) in AWS. See Deploy the VM‐Series Firewall in AWS.
• Configure the firewall at the corporate headquarters. In this use case, the firewall is configured as the GlobalProtect portal and the LSVPN gateway.
  • Configure the GlobalProtect portal.
  • Configure the GlobalProtect portal for LSVPN.
  • Configure the portal to authenticate LSVPN satellites.
  • Configure the GlobalProtect gateway for LSVPN.
• Set up a template on Panorama for configuring the VM‐Series firewalls in AWS as GlobalProtect gateways and LSVPN satellites. To easily manage this distributed deployment, use Panorama to configure the firewalls in AWS. Create template(s) on Panorama. Then use the following links to define the configuration in the templates.
  • Configure the firewall as a GlobalProtect gateway.
  • Prepare the satellite to join the LSVPN.
• Create device groups on Panorama to define the network access policies and internet access rules and apply them to the firewalls in AWS. See Create device groups.
• Apply the templates and the device groups to the VM‐Series firewalls in AWS, and verify that the firewalls are configured properly.
• Deploy the GlobalProtect client software. Every end‐user system requires the GlobalProtect agent or app to connect to the GlobalProtect gateway. See Deploy the GlobalProtect client software.
Auto Scale VM‐Series Firewalls with the Amazon ELB
Palo Alto Networks delivers CloudFormation Templates (CFTs) for deploying an auto‐scaling tier of VM‐Series firewalls using several AWS services such as Lambda, auto scaling groups, Elastic Load Balancing (ELB), S3, SNS, and CloudWatch, and the VM‐Series automation capabilities including the PAN‐OS API and bootstrapping. The templates (latest is vpc‐classic‐v1.2.template and vpc‐alb‐v1.2.template) allow you to leverage the AWS scalability features designed to manage sudden surges in demand for application workload resources by simultaneously scaling the VM‐Series firewalls with changing workloads. The templates deploy the VM‐Series in an ELB sandwich topology with an internet‐facing classic ELB and either an internal classic load balancer or an internal application load balancer (internal ELB). The internet‐facing ELB is accessible from the internet and distributes traffic that enters the VPC across a pool of VM‐Series firewalls. The firewalls then redirect traffic using NAT policy to the internal ELB. The internal ELB, which is only accessible inside the VPC, distributes traffic to an auto scaling tier of web servers. The API integration with AWS CloudWatch allows the CloudWatch service to monitor the health and resource load on the EC2 instances—VM‐Series firewalls and web servers—and then use that information to trigger a scale in or scale out event in the respective Auto Scaling Group (ASG).
• What Components Does the VM‐Series Auto Scaling Template for AWS Deploy?
• How Does the VM‐Series Auto Scaling Template for AWS Enable Dynamic Scaling?
• Plan the VM‐Series Auto Scaling Template for AWS
• Launch the VM‐Series Auto Scaling Template for AWS
• Customize the Bootstrap.xml File
• NAT Policy Rule and Address Objects in the Auto Scaling Template
• Stack Update with VM‐Series Auto Scaling Template for AWS (v1.2)
• Troubleshoot the VM‐Series Auto Scaling CFT for AWS
What Components Does the VM‐Series Auto Scaling Template for AWS Deploy?
The VM‐Series Auto Scaling Template for AWS provides two deployment options. The first option offers the flexibility to deploy a complete AWS environment along with the auto scaling tier of VM‐Series firewalls in one streamlined workflow. The second option allows you to deploy only the auto‐scaling tier of VM‐Series firewalls into your existing AWS deployment. The CFT does not deploy Panorama, and Panorama is optional in this deployment. If you want to use Panorama to manage the VM‐Series firewalls that the CFT deploys, you can either use an M‐Series appliance inside your corporate network, or a Panorama virtual appliance on a VMware ESXi server inside your corporate network or in vCloud Air; you cannot deploy Panorama on AWS. The solution includes the following building blocks that make these options possible:
Building Block: VPC template
Description: The VPC templates automate the process of deploying a VPC with two or three Availability Zones (AZs). Each template deploys an external ELB, a web server farm and an internal ELB that load balances traffic to the web server farm. In addition to the subnets, route tables, and security groups required for routing traffic across these AZs, it also creates the Auto Scaling Group (ASG) for the web server farm and an AWS NAT gateway, if you opt for one. Depending on your preference for the internal ELB, you can choose from these two templates:
• vpc‐classic‐v<number>.template—Use this template if you want to use a classic ELB for load balancing traffic to the internal web server farm.
• vpc‐alb‐v<number>.template—Use this template if you prefer an application ELB for load balancing traffic to the internal web server farm.
Both templates deploy the classic ELB for internet‐facing traffic.

Building Block: Firewall template
Description: The VPC template invokes the firewall.template to launch the VM‐Series firewall. If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and want to only deploy the VM‐Series firewall at scale, you can use the firewall.template instead of the vpc.template.
The firewall.template creates an initial ASG with a single VM‐Series firewall to secure the web servers in each AZ, adds the ENIs for the trust and management interfaces, and triggers the bootstrap process including registration with Panorama. To enable auto scaling of the VM‐Series firewalls, this template leverages PAN‐OS metrics from the VM‐Series firewall and publishes data on your preferred metric to AWS CloudWatch.
You can select one of the following PAN‐OS metrics—active sessions, dataplane CPU utilization, or dataplane CPU buffer utilization.

Building Block: Lambda functions
Description: AWS Lambda provides robust, event‐driven automation without the need for complex orchestration software. In this CFT, AWS Lambda monitors the custom PAN‐OS metrics and the internal ELB to enable dynamic scaling of the VM‐Series firewalls. The Lambda functions add or remove elastic network interfaces (ENIs) when the firewall is launched or terminated, collect and publish CloudWatch metrics so that you can define auto scaling policy using CloudWatch alarms, delete all the associated resources when an instance is terminated or the stack is deleted, and remove the firewall as a managed device on Panorama. The Lambda functions also monitor the VIP addresses on the internal ELB so that they can add or remove an ASG for the VM‐Series firewall, maintaining a 1:1 ratio between the internal ELB VIPs and the VM‐Series firewall ASGs.
© Palo Alto Networks, Inc.
VM‐Series 7.1 Deployment Guide • 235
Auto Scale VM‐Series Firewalls with the Amazon ELB
Set Up the VM‐Series Firewall in AWS
Building Block
Description
Bootstrap files
The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.
This solution requires the init‐cfg.txt file and the bootstrap.xml file so that the VM‐Series firewall has the basic configuration for handling traffic from the ELB. • The init‐cfg.txt file includes the mgmt‐interface‐swap operational command to enable the firewall to receive dataplane traffic on its primary interface (eth0). For details see Management Interface Mapping for Use with the AWS ELB. • The bootstrap.xml file contains a NAT policy rule to properly route traffic in this auto scaling ELB environment. In order to perform NAT, the firewall requires a single IP address in the NAT policy rule, the firewall cannot use an FQDN or round‐robin NAT to multiple IP addresses. But to enable auto scaling, the AWS ELB publishes an FQDN as a virtual IP address (VIP) rather that publishing an IP address. And as the internal ELB scales, the FQDN automatically resolves to multiple IP addresses (per AZ). The NAT policy rule included in the bootstrap. xml file resolved this conflict. The bootstrap.xml file references an address object within the NAT policy rule. When the firewall boots up, a Lambda function adds the IP address of the internal ELB in to the address object so that the NAT policy resolves to the correct IP address for the internal ELB, and can route traffic to and from the external ELB and the internal ELB in this solution. To deploy the solution, see Launch the the VM‐Series Auto Scaling Template for AWS.
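The address-object mechanism just described for the bootstrap.xml NAT rule, as an added example that is not from this guide or from the Palo Alto Networks Lambda code: it resolves the internal ELB name to its per-AZ addresses, narrows them to the single address a NAT rule can use, and builds the PAN-OS XML API requests that write it into the address object. The object name, the single vsys, the subnet-based selection and the sample resolver output are assumptions; the resolver is injected so the code runs offline.

```python
"""Write the internal ELB's address into the NAT rule's address object.

Added example for this guide, not Palo Alto Networks' Lambda code. It shows
why the NAT rule references an address object: the ELB name resolves to
several addresses (one per AZ) while the NAT rule needs exactly one.
Assumptions: the address object name, a single vsys (vsys1), the selection
by subnet, and the constructed resolver output used below.
"""
import ipaddress
import socket
from urllib.parse import urlencode

VSYS = "vsys1"                         # assumption: single-vsys VM-Series
ADDRESS_OBJECT = "internal-elb-vip"    # assumption: object referenced by the NAT rule


def resolve_elb(fqdn, resolver=None):
    """Return the de-duplicated IPv4 addresses an ELB name currently resolves to."""
    if resolver is None:
        def resolver(name):
            return [r[4][0] for r in socket.getaddrinfo(name, 443, socket.AF_INET)]
    return sorted(set(resolver(fqdn)), key=ipaddress.IPv4Address)


def single_nat_target(addresses, az_subnet):
    """Choose the one address the NAT rule may use.

    The firewall cannot NAT to an FQDN or round-robin over several addresses,
    so one address has to be picked. This example (an assumption, not the
    guide's selection logic) keeps the ELB address that lies in the subnet
    given for this firewall's AZ and refuses anything but an unambiguous match.
    """
    net = ipaddress.IPv4Network(az_subnet)
    matches = [a for a in addresses if ipaddress.IPv4Address(a) in net]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one ELB address in {az_subnet}, found {matches}")
    return matches[0]


def set_address_object_url(firewall, api_key, ip_address, object_name=ADDRESS_OBJECT):
    """PAN-OS XML API request (type=config, action=set) writing ip_address/32 into the object."""
    ipaddress.IPv4Address(ip_address)  # a NAT rule target must be a single host address
    xpath = ("/config/devices/entry[@name='localhost.localdomain']"
             f"/vsys/entry[@name='{VSYS}']/address/entry[@name='{object_name}']")
    query = urlencode({"type": "config", "action": "set", "key": api_key,
                       "xpath": xpath, "element": f"<ip-netmask>{ip_address}/32</ip-netmask>"})
    return f"https://{firewall}/api/?{query}"


def commit_url(firewall, api_key):
    """Commit request so the NAT rule picks up the new address."""
    return f"https://{firewall}/api/?" + urlencode(
        {"type": "commit", "key": api_key, "cmd": "<commit></commit>"})


def sample_resolver(name):
    """Constructed resolver output: an internal ELB spanning two AZs (duplicate on purpose)."""
    return ["192.168.12.40", "192.168.2.25", "192.168.12.40"]


if __name__ == "__main__":
    addrs = resolve_elb("internal-elb.example.internal", resolver=sample_resolver)
    target = single_nat_target(addrs, "192.168.2.0/24")
    print(set_address_object_url("192.168.0.10", "<api-key>", target))
    print(commit_url("192.168.0.10", "<api-key>"))
```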
How Does the VM‐Series Auto Scaling Template for AWS Enable Dynamic Scaling?
The VM‐Series firewalls scale in and scale out based on PAN‐OS metrics and on application traffic. 

PAN‐OS metric‐based scaling—The VM‐Series firewalls scale based on custom PAN‐OS metrics that trigger alarms and policies to dynamically deploy or terminate instances to increase or decrease capacity in the VM‐Series firewall ASG. To monitor traffic load on the VM‐Series firewalls, you can configure alarms based on the following custom PAN‐OS metrics—the number of active sessions on the firewall, dataplane CPU utilization, or dataplane buffer utilization. The CFT uses an AWS Lambda function to publish the metrics to AWS CloudWatch at a one‐minute frequency. When a metric that is being monitored reaches a configured threshold for the defined time interval, CloudWatch triggers an alarm and initiates an auto‐scaling event.
Application traffic‐based scaling—The VM‐Series firewalls scale based on the internal ELB, which scales in response to the demands of the application traffic in the web server ASG. There is a 1:1 ratio between the number of internal ELB Virtual IP addresses and the number of ASGs for the VM‐Series firewalls. So, when the Lambda function in the CFT detects the addition or the deletion of an internal ELB VIP address, an ASG for the VM‐Series firewall is added or deleted in response to the change. And the IP address of the firewall is added or removed from the external ELB pool so that the external ELB can distribute traffic across all the available firewalls in the ASG.
The VM‐Series firewalls within an ASG are identical in configuration. Each firewall is bootstrapped and configured with a NAT policy rule that directs all traffic to the IP address of the internal ELB. Similarly, when traffic volume is reduced and an internal ELB VIP address is deleted, the Lambda function deletes the ASG and the VM‐Series firewalls associated with the ASG. The IP address of the firewall is also removed from the external ELB pool.
Plan the VM-Series Auto Scaling Template for AWS

The GitHub repository provides CFT version 1.1 and version 1.2. Version 1.2 is the latest and it provides the mechanism to update the PAN-OS version of the auto scaling tier of VM-Series firewalls and other resources using the CFT stack update capability. To accommodate your business needs, it also allows you to choose and switch across three licensing options: BYOL, PAYG bundle 1 and PAYG bundle 2.
CFT version 1.1 provides support for PAYG bundle 2 only. In order to launch the CFT successfully, review this checklist before you begin.
• VM-Series Auto Scaling Template for AWS Version 1.2
• VM-Series Auto Scaling Template for AWS Version 1.1

VM-Series Auto Scaling Template for AWS Version 1.2

The items in this checklist are actions and choices you must make for implementing this solution.
Planning Checklist for Version 1.2
Verify the requirements for deploying the CFT.
The CFT requires AWS Lambda and Signature versions 2 or 4 for PAN-OS 8.0; PAN-OS 7.1 requires signature version 2. Look up the list of supported regions and the AMI IDs.

Assign the appropriate permissions for the IAM user role.
The user who deploys the CFT must either have administrative privileges or have the permissions listed in the iam-policy.json file to successfully launch the CFT. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role.

Create a Support Account on the Palo Alto Networks Support portal.
With CFT 1.2, you can opt for the BYOL or PAYG (bundle 1 or bundle 2) licenses. For BYOL, you must register the auth code to your Palo Alto Networks support account prior to launching the CFT.
For PAYG, you must register the VM-Series firewalls to activate your support entitlement.

(For PAYG) Review and accept the End User License Agreement (EULA).
Required, if you are launching a VM-Series firewall in an AWS account for the first time.
In the AWS Marketplace, search for Palo Alto Networks, and select the bundle you plan to use. The CFT will fail to deploy if you have not accepted the EULA for the bundle you plan to use.
• For example, search for VM-Series Next Generation Firewall Bundle 2.
Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA.
You can now close the browser.
Download the Templates, AWS Lambda code, and the bootstrap files.
Do not mix and match files across CFT versions. Get the files from the following GitHub repository: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.2
• Templates and Lambda code:
  • panw-aws.zip
  • firewall.template
  • vpc-classic-v1.2.template or vpc-alb-v1.2.template (you need only one)
  The vpc-classic-v1.2.template includes support for two classic ELBs; the vpc-alb-v1.2.template includes support for a classic ELB and an internal application ELB.
  Use the vpc-alb.template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic.
  Use the vpc-classic.template if you want to deploy two classic ELBs; one for load balancing traffic to the internal web servers and another for internet-facing traffic.
  The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.
• Bootstrap files:
  • init-cfg.txt
  • bootstrap.xml
  The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

Customize the bootstrap.xml file for your production environment.
Make sure to use the bootstrap.xml file for CFT 1.2.
To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. The default username and password is pandemo/demopassword. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air. To successfully register the firewalls with Panorama, you must collect the following details:
• API key for Panorama. So that AWS Lambda can make API requests to Panorama, you must provide an API key when you launch the CFT. As a best practice, in a production deployment, you should create a separate administrative account just for the API call and generate an associated API key.
• Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a direct connect link or an IPSec tunnel.
• VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The vm auth key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
• Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.

Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.
The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the CFT across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.
If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimation is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.
Get started
Launch the VM‐Series Auto Scaling Template for AWS (v1.2)
Stack Update with VM‐Series Auto Scaling Template for AWS (v1.2)
VM‐Series Auto Scaling Template for AWS Version 1.1
The items in this checklist are actions and choices you must make for implementing this solution.
Planning Checklist for Version 1.1
Verify the requirements for deploying the CFT.
The CFT requires AWS Lambda and Signature version 2, and is supported in the following regions: US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney).

Assign the appropriate permissions for the IAM user role.
The user who deploys the CFT must either have administrative privileges or have the permissions listed in the iam-policy.json file to successfully launch the CFT. Copy and paste the permissions from this file into a new IAM policy and then attach the policy to a new or existing IAM role.

Create a Support Account on the Palo Alto Networks Support portal.
All the VM-Series firewalls deployed by CFT 1.1 support the usage-based (PAYG bundle 2) licenses. CFT 1.1 does not support the BYOL option.
You must register the VM-Series firewalls to activate your support entitlement.

Review and accept the End User License Agreement (EULA).
Required, if you are launching a VM-Series firewall on AWS for the first time. The CFT will fail to deploy if you have not accepted the EULA.
In the AWS Marketplace, search for Palo Alto Networks, and select VM-Series Next Generation Firewall Bundle 2.
Click Continue, and select Manual Launch. Review the agreement and click Accept Software Terms to accept the EULA.
You can now close the browser.
Download the Templates, AWS Lambda code, and the bootstrap files.
Do not mix and match files across CFT versions. Get the files from the following GitHub repository: https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.1
• Templates and Lambda code:
  • panw-aws.zip
  • firewall.template
  • vpc-classic-v1.1.template or vpc-alb-v1.1.template (you need only one)
  The vpc-classic-v1.1.template includes support for two classic ELBs; the vpc-alb-v1.1.template includes support for a classic ELB and an internal application ELB.
  Use the vpc-alb.template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic.
  Use the vpc-classic.template if you want to deploy two classic ELBs; one for load balancing traffic to the internal web servers and another for internet-facing traffic.
  The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.
• Bootstrap files:
  • init-cfg.txt
  • bootstrap.xml
  The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See Customize the Bootstrap.xml File.

Customize the bootstrap.xml file for your production environment.
To ensure that your production environment is secure, you must Customize the Bootstrap.xml File with a unique administrative username and password. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air. And, if you use Panorama, you need the following information so that the firewalls can register with Panorama:
• API key for an administrative user account on Panorama. AWS Lambda uses this key to make API requests to Panorama. By default, the CFT uses an API key with username and password, admin/admin. For better security, create an administrative account on Panorama and generate a new API key for the account. You must enter this key when you launch the CFT.
• Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a direct connect link or an IPSec tunnel.
• VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file. The vm auth key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see Generate VM Auth Key.
• Template name and the device group name to which to assign the firewalls. You must first add a template and create a device group on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.

Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.
The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the CFT across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.
If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to request an increase in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimation is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.
Get started
Launch the VM‐Series Auto Scaling Template for AWS (v1.1)
Launch the VM-Series Auto Scaling Template for AWS
Pick the workflow for the CFT version you are deploying. 
Launch the VM‐Series Auto Scaling Template for AWS (v1.2)

Launch the VM‐Series Auto Scaling Template for AWS (v1.1)
If you have deployed the template v1.2 and want to update resources, see Stack Update with VM-Series Auto Scaling Template for AWS (v1.2).
Launch the VM‐Series Auto Scaling Template for AWS (v1.2)
Use the following workflow to deploy all the components in this solution using the vpc-classic-v1.2.template or the vpc-alb-v1.2.template. If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and only need to deploy the VM-Series firewall at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.
Launch the Template Version 1.2

Step 1: Plan the VM-Series Auto Scaling Template for AWS.
Make sure that you have completed the following tasks:
• (For PAYG only) Reviewed and accepted the EULA for the PAYG bundle you plan to use.
• (For BYOL only) Obtained the auth code. You will need to enter this auth code in the /license folder of the bootstrap package. For details, see Prepare the Bootstrap Package.
• Downloaded the files required to launch the CFT from the GitHub repository.
Step 2: (Optional) Modify the init-cfg.txt file.
For more information on the bootstrapping process see Bootstrap the VM-Series Firewall; for details on the init-cfg.txt file, see Create the init-cfg.txt File.
If you're using Panorama to manage the firewalls, complete the following tasks:
1. Generate the vm-auth-key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
2. Open the init-cfg.txt file with a text editor, such as Notepad. Make sure that you do not alter the format as this will cause a failure in deploying the CFT. Add the following information as name-value pairs:
   • IP addresses for the primary Panorama and optionally a secondary Panorama. Enter:
     panorama-server=
     panorama-server-2=
   • Specify the template and the device group to which you want to assign the firewall. Enter:
     tplname=
     dgname=
   • VM auth key. Enter:
     vm-auth-key=
3. Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM-Series firewall on AWS. For example, the file must include name-value pairs like the following, with the op-command-modes entry intact:
   op-command-modes=mgmt-interface-swap
   vm-auth-key=755036225328715
   panorama-server=10.5.107.20
   panorama-server-2=10.5.107.21
   tplname=FINANCE_TG4
   dgname=finance_dg
   The vm auth key and Panorama IP address above are example values. You need to enter the values that match your setup.
4. Save and close the file.
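A check of the edited init-cfg.txt before it goes into the S3 config folder, as an added example that is not from this guide: it parses the name-value pairs, confirms the mgmt-interface-swap command is still present, and verifies that the Panorama entries are complete and well-formed. Which keys must appear together and the whitespace rule are this example's own assumptions; the constructed sample file uses the values shown in Step 2.

```python
"""Validate an init-cfg.txt bootstrap file before uploading it.

Added example for this guide, not Palo Alto Networks code. It enforces the
constraints Step 2 describes: one key=value per line, the mgmt-interface-swap
operational command present, and a complete set of Panorama entries when any
of them is used. The "required together" rule and the strict whitespace
handling are assumptions made for this example.
"""
import ipaddress
import sys

# Constructed sample matching the example values in Step 2 of the guide.
SAMPLE_INIT_CFG = """\
op-command-modes=mgmt-interface-swap
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
"""

# Assumption: these must all be present and non-empty once Panorama is configured.
PANORAMA_KEYS = ("panorama-server", "vm-auth-key", "tplname", "dgname")


def parse_init_cfg(text):
    """Return (pairs, errors); pairs maps key -> value for every parseable line."""
    pairs = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip():
            continue  # blank lines carry nothing
        if line != line.strip():
            # Assumption: surrounding whitespace counts as altering the format.
            errors.append(f"line {lineno}: leading/trailing whitespace around '{line.strip()}'")
            line = line.strip()
        if "=" not in line:
            errors.append(f"line {lineno}: not a name=value pair: '{line}'")
            continue
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            errors.append(f"line {lineno}: whitespace around '=' in '{line}'")
        key, value = key.strip(), value.strip()
        if key in pairs:
            errors.append(f"line {lineno}: duplicate key '{key}'")
        pairs[key] = value
    return pairs, errors


def validate_init_cfg(text):
    """Return a list of problems; an empty list means the file passes every check."""
    pairs, errors = parse_init_cfg(text)

    # The swap command is what lets eth0 carry ELB dataplane traffic; it must survive editing.
    modes = [m.strip() for m in pairs.get("op-command-modes", "").split(",") if m.strip()]
    if "mgmt-interface-swap" not in modes:
        errors.append("op-command-modes must include mgmt-interface-swap")

    # Panorama is optional, but a partial set of entries means registration will fail.
    if any(k in pairs for k in PANORAMA_KEYS + ("panorama-server-2",)):
        for key in PANORAMA_KEYS:
            if not pairs.get(key):
                errors.append(f"{key} is required when registering with Panorama")
        for key in ("panorama-server", "panorama-server-2"):
            value = pairs.get(key)
            if value is not None:
                try:
                    ipaddress.IPv4Address(value)
                except ValueError:
                    errors.append(f"{key} must be an IPv4 address, got '{value}'")
    return errors


if __name__ == "__main__":
    # Validate the file named on the command line, or the built-in sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INIT_CFG
    problems = validate_init_cfg(source)
    print("OK" if not problems else "\n".join(problems))
```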
Step 3: Change the default credentials for the VM-Series firewall administrator account defined in the bootstrap.xml file.
Required for using the CFT in a production environment.
The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch, see Customize the Bootstrap.xml File.

Step 4: (For BYOL only) Add the license auth code in the /license folder of the bootstrap package.
For more information on the bootstrapping process see Prepare the Bootstrap Package.
1. Create a new .txt file with a text editor, such as Notepad.
2. Add the authcode for your BYOL licenses. The auth code must support the number of firewalls that may be required for your deployment. You must use an auth code bundle instead of individual auth codes so that the firewall can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.
Step 5: Prepare the Amazon Simple Storage (S3) buckets for launching the CFT.
Make sure to create the S3 buckets in the same region in which you plan to deploy the template.
The CFT requires one S3 bucket for the VM-Series bootstrap files; and another S3 bucket for the AWS Lambda functions and the nested firewall.template.
1. Create a new S3 bucket for the bootstrap files.
   a. Sign in to the AWS Management Console and open the S3 console.
   b. Click Create Bucket.
   c. Enter a Bucket Name and a Region, and click Create. The bucket must be at the S3 root level. If you nest the bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files.
2. Upload the bootstrap files to the S3 bucket.
   a. Click the name of the bucket and then click Create folder.
   b. Create the following folder structure for bootstrapping.
   c. Click the link to open the config folder.
   d. Select Actions > Upload and Add Files, browse to select the init-cfg.txt file and bootstrap.xml file, and click Open.
   e. Click Start Upload to add the files to the config folder. The folder can contain only two files: init-cfg.txt and the bootstrap.xml.
   f. (For BYOL only) Click the link to open the license folder and upload the txt file with the auth code required for licensing the VM-Series firewalls.
3. Create another S3 bucket and upload the AWS Lambda code and the firewall.template to the S3 bucket.
   a. Click the bucket name.
   b. Click Add Files to select the panw-aws.zip file and the firewall.template, click Open.
   c. Click Start Upload to add the files to the S3 bucket.

Step 6: Select the CFT that you want to launch.
1. In the AWS Management Console, select CloudFormation > Create Stack.
2. Select Upload a template to Amazon S3, choose the vpc-classic-v1.2.template or the vpc-alb-v1.2.template that you downloaded previously, and click Open and Next.
3. Specify the Stack name in 10 characters or less. The stack name allows you to uniquely identify all the resources that are deployed using this CFT. Using a longer stack name results in a failure to successfully deploy the CFT.
Step 7: Configure the parameters for the VPC.
4. Enter the parameters for the VPC Configuration as follows:
   a. Enter a VPCName and a VPC CIDR. The default CIDR is 192.168.0.0/16.
   b. Enter the IP address blocks for the management, untrust and trust subnets for the VM-Series firewalls in each Availability Zone. By default three subnets are allocated across three AZs. The default blocks for the management subnets are 192.168.0.0/24, 192.168.10.0/24 and 192.168.20.0/24; the untrust subnets are 192.168.1.0/24, 192.168.11.0/24 and 192.168.21.0/24; and the trust subnets are 192.168.2.0/24, 192.168.12.0/24 and 192.168.22.0/24.
   c. For Do you want to create a NAT Gateway in each AZ, enter Yes if you want the CFT to deploy an AWS NAT gateway. Enter No, if you want to assign EIPs to the management interface on each firewall to enable outbound access from the VPC. If you do not plan to allocate EIPs on the management interface for each VM-Series firewall, the AWS NAT gateway is required for the firewalls to access the Palo Alto Networks Update servers, Panorama, and to publish metrics to CloudWatch.
   d. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the NAT gateway in each AZ. The default assignment is 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, 192.168.103.0/24.
   e. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the Lambda functions in each AZ. The default assignment is 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24, 192.168.203.0/24.
   f. Select whether the uptime needs for your setup require the VPC to span two or three Availability Zones in Number of Availability Zones for deployment.
   g. Select your AZ preference from the Select list of Availability Zones drop-down. Make sure to select two or three based on the number of AZs you selected above.
Step 8
Step 9
Select your preferences for the VM‐Series firewalls.
Specify the name of the Amazon S3 buckets.
1.
Select the EC2 instance size for the VM‐Series firewall. 2.
Look up the AMI ID for the VM‐Series firewall and enter it. Make sure that the AMI ID matches the AWS region, PAN‐OS version and the BYOL or PAYG licensing option you have opted to use.
3.
Copy and paste the license deactivation API key for your account. This key is required to successfully deactivate licenses on your firewalls when a scale‐in event occurs. To get this key:
a. Log in to the Customer Support Portal.
b. From the Go To drop‐down, select License API.
c. Copy the API key.
4.
Select the EC2 Key pair (from the drop‐down) for launching the firewall. To log in to the firewall or the web servers, you must provide the name of this key pair and the private key associated with it. 5.
If you want to restrict access to the firewall, specify the IP address block or IP addresses that can SSH in to the firewall. Verify your IP address before configuring it on the CFT to make sure that you do not lock yourself out.
1.
Enter the name of the S3 bucket that contains the bootstrap files. If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process will fail and you will not be able to log in to the firewall; ELB health checks will also fail.
2.
Enter the name of the S3 bucket that contains the firewall.template and the Lambda code that you extracted from the zip file.
Step 10 Specify the keys for enabling API access 1.
to the firewall and Panorama.
Enter the key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate PAN‐OS login just for the API call and generate an associated key.
2.
Enter the API Key to allow AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.
Step 11 Specify the name for the ELBs.
The ELB name must be 12 characters or less. If the name is longer than 12 characters, the CFT will fail to deploy.
1. Enter the name for the internet‐facing (or external) classic ELB.
2. Enter the name for the internal classic or application ELB.
Step 12 Configure the metric to monitor and define the thresholds for auto scaling.
1. The custom PAN‐OS metrics create CloudWatch alarms that execute auto scaling policies to scale in or scale out the VM‐Series firewalls based on the thresholds you define. Select one scaling metric:
   • Active Sessions (number)—Monitors the total number of sessions that are active on the firewall. Because the firewall uses NAT in this solution, the maximum number of sessions supported is 64,000.
   • Dataplane CPU Utilization (%)—Monitors the dataplane CPU usage to measure the traffic load on the firewall.
   • Dataplane Buffer Utilization (%)—Monitors the dataplane buffer usage to measure buffer utilization. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and cause dropped packets.
2. Enter the scaling period. This is the time interval for which a monitored metric must remain at the configured threshold to trigger a scaling event. The value is in seconds; choose one of these values for the scaling period: 60, 300, 900 (default), 3,600, 21,600, or 84,600.
3. Enter the maximum number of VM‐Series firewalls in an ASG.
4. Enter the minimum number of VM‐Series firewalls in an ASG. The minimum value of 1 means that every ASG will have at least one VM‐Series firewall.
5. Enter the thresholds for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
   For active sessions, as a best practice, set this value at a maximum of 51,200 (80% of 64,000) to allow scale‐out events to complete with a fully functioning firewall. Assess the traffic patterns for your application, and determine whether you need to set a more conservative threshold.
   For dataplane buffer utilization, set the value at a maximum of 40% so that the firewall can optimally handle a burst in traffic.
   Bootstrapping a PAN‐OS firewall can take 10 to 15 minutes. Make sure to set some buffer in your scale thresholds to accommodate that boot time. For example, don't wait until the session table is 95% full before launching a new firewall in the auto scale group.
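Before you type the parameters into the template, the limits from Steps 11 and 12 (and the 10‐character stack name limit noted in the troubleshooting section) can be checked in one place. The following Python is an added example, not code from the guide or from the template; the dict keys and the two constructed parameter sets are this example's own, and the SSH lockout check assumes you know the address you will administer from.

```python
"""Pre-flight check of the parameters entered in the VM-Series auto scaling CFT.

Added example, not part of the Palo Alto Networks guide or the template.
It encodes the limits the guide states: stack name of 10 characters or
less, ELB names of 12 characters or less, a scaling period from the listed
set, an Active Sessions threshold no higher than 80% of the 64,000-session
NAT limit, a buffer threshold of at most 40%, at least one firewall per
ASG, and an SSH source range that still contains the address you will
administer from. The dict keys are this example's own, not the template's.
"""
import ipaddress

MAX_SESSIONS = 64_000                              # NAT session limit from the guide
SESSION_THRESHOLD_CAP = MAX_SESSIONS * 80 // 100   # 51,200
BUFFER_THRESHOLD_CAP = 40                          # percent
SCALING_PERIODS = {60, 300, 900, 3600, 21600, 84600}  # seconds, as the guide lists them
METRICS = ("Active Sessions", "Dataplane CPU Utilization", "Dataplane Buffer Utilization")


def check_parameters(params, admin_ip):
    """Return a list of problems; an empty list means the parameters pass.

    admin_ip is the address you will SSH from; it must fall inside the
    SSH source range or you lock yourself out of the new firewalls.
    """
    problems = []
    if len(params["stack_name"]) > 10:
        problems.append("stack name longer than 10 characters: the CFT deployment fails")
    for key in ("external_elb_name", "internal_elb_name"):
        if len(params[key]) > 12:
            problems.append(f"{key} longer than 12 characters: the CFT fails to deploy")

    if params["scaling_period"] not in SCALING_PERIODS:
        problems.append(f"scaling period {params['scaling_period']} not in {sorted(SCALING_PERIODS)}")
    if params["asg_min"] < 1:
        problems.append("ASG minimum below 1: an AZ could be left without a firewall")
    if params["asg_max"] < params["asg_min"]:
        problems.append("ASG maximum is lower than the ASG minimum")

    metric, threshold = params["metric"], params["threshold"]
    if metric == "Active Sessions":
        if threshold > SESSION_THRESHOLD_CAP:
            # A new firewall needs 10-15 minutes to bootstrap, so leave headroom.
            problems.append(f"session threshold {threshold} above {SESSION_THRESHOLD_CAP} (80% of 64,000)")
    elif metric == "Dataplane Buffer Utilization":
        if threshold > BUFFER_THRESHOLD_CAP:
            problems.append(f"buffer threshold {threshold}% above {BUFFER_THRESHOLD_CAP}%")
    elif metric == "Dataplane CPU Utilization":
        if not 0 < threshold <= 100:
            problems.append(f"CPU threshold {threshold}% is not a percentage")
    else:
        problems.append(f"unknown scaling metric {metric!r}; choose one of {METRICS}")

    try:
        allowed = ipaddress.ip_network(params["ssh_cidr"], strict=False)
    except ValueError:
        problems.append(f"ssh_cidr {params['ssh_cidr']!r} is not a valid address block")
    else:
        if ipaddress.ip_address(admin_ip) not in allowed:
            problems.append(f"ssh_cidr {allowed} does not contain {admin_ip}: you would lock yourself out")
    return problems


# Constructed parameter sets using documentation address ranges.
GOOD_PARAMS = {
    "stack_name": "vmauto1",
    "external_elb_name": "public-elb",
    "internal_elb_name": "int-elb",
    "metric": "Active Sessions",
    "threshold": 51_200,
    "scaling_period": 900,
    "asg_min": 1,
    "asg_max": 3,
    "ssh_cidr": "203.0.113.0/24",
}
BAD_PARAMS = {
    **GOOD_PARAMS,
    "stack_name": "VM-Auto-CFT-prod",         # 16 characters
    "external_elb_name": "public-elb-prod1",  # 16 characters
    "threshold": 60_800,                      # 95% of the session table
    "scaling_period": 120,                    # not an allowed period
    "asg_min": 0,
    "ssh_cidr": "198.51.100.0/24",            # does not contain the admin address
}

if __name__ == "__main__":
    for label, p in (("good", GOOD_PARAMS), ("bad", BAD_PARAMS)):
        print(label, check_parameters(p, admin_ip="203.0.113.7") or "OK")
```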
Step 13 Select the EC2 instance type for the web servers.
Make sure to pick an instance size that matches the expected load on your web servers so that the internal ELB does not fluctuate hugely with variable demand. If the internal ELB fluctuates, it will trigger scaling events for the ASGs and the corresponding VM‐Series firewalls.
Step 14 (Optional) Apply tags to identify the CFT resources associated with the deployment.
Add a name‐value pair to identify and categorize the resources in this CFT stack.
Step 15 Review the template settings and launch the template.
1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
3. On successful deployment the status updates to CREATE_COMPLETE.
   In each AZ, the CFT will launch an ASG that includes one VM‐Series firewall behind the external ELB. The firewalls will be bootstrapped with a NAT policy rule and a basic Security policy rule. It will also launch two web servers in an ASG behind the internal ELB.
Step 16 Verify that the template has launched all required resources.
To modify or update the resources for this CFT, see Stack Update with VM‐Series Auto Scaling Template for AWS (v1.2).
1. On the EC2 Dashboard, select Load Balancers.
2. Get the DNS name for the external ELB, and enter it into a web browser. For example:
   http://public‐elb‐123456789.us‐east‐1.elb.amazonaws.com/
   The web page will display to indicate that you have successfully launched the CloudFormation template.
3. On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ, you have one ASG for the VM‐Series firewalls with the minimum number of firewalls you specified in the template, and the web server ASG. If you selected three AZs and the AWS NAT gateway, the VM‐Series firewall ASG name displays this information as az3n; the details are appended to the stack name, for example: VM‐Auto‐CFT‐az3n‐EB4Y7D3DMJ6E_ASG_LC_192‐168‐2‐6
4. Log in to the VM‐Series firewall. It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic.
   Use the EIP address, if you allocated one. If you chose the NAT gateway option, you must deploy a jump server or use Panorama to access the web interface on the firewall.
5. Select Monitor > Logs > Traffic on the web interface of the firewall to view logs.
Launch the VM‐Series Auto Scaling Template for AWS (v1.1)
Use the following workflow to deploy all the components in this solution using the vpc‐classic‐v1.1.template or the vpc‐alb‐v1.1.template. If you have an existing VPC with the required subnets, security groups, web servers, and ELBs, and only need to deploy the VM‐Series firewall at scale, use the firewall.template. The workflow for using only the firewall.template is not documented in this version of the document, but it is very similar.
Launch the Template Version 1.1
• Plan the VM‐Series Auto Scaling Template for AWS. Make sure that you have completed the following tasks:
  • Reviewed and accepted the EULA.
  • Downloaded the files required to launch the CFT from the GitHub repository.
Step 17 (Optional) Modify the init‐cfg.txt file.
For more information on the bootstrapping process see Bootstrap the VM‐Series Firewall; for details on the init‐cfg.txt file, see Create the init‐cfg.txt File.
If you’re using Panorama to manage the firewalls, complete the following tasks:
1. Generate the vm‐auth‐key on Panorama. The firewalls must include a valid key in the connection request to Panorama. Set the lifetime for the key to 8760 hours (1 year).
2. Open the init‐cfg.txt file with a text editor, such as Notepad.
3. Add the following information as name‐value pairs:
   • IP addresses for the primary Panorama and optionally a secondary Panorama. Enter:
     panorama-server=
     panorama-server-2=
   • Specify the template and the device group to which you want to assign the firewall. Enter:
     tplname=
     dgname=
   • VM auth key. Enter:
     vm-auth-key=
4. Verify that you have not deleted the command for swapping the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM‐Series firewall on AWS. For example, the file must include name‐value pairs such as these:
     op-command-modes=mgmt-interface-swap
     vm-auth-key=755036225328715
     panorama-server=10.5.107.20
     panorama-server-2=10.5.107.21
     tplname=FINANCE_TG4
     dgname=finance_dg
   The vm auth key and Panorama IP address above are example values. You need to enter the values that match your setup.
5. Save and close the file.
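The check in step 4 can be run automatically before the file goes into the S3 config folder. The following Python is an added example, not code from the guide or from the GitHub bootstrap package; it uses the example values printed above as its good sample and a constructed broken file as its bad one, and it treats a comma‐separated op-command-modes value as a list of modes.

```python
"""Check an init-cfg.txt before uploading it to the S3 config folder.

Added example, not part of the Palo Alto Networks guide or the GitHub
bootstrap package. It parses the name=value lines and checks what Step 17
asks you to verify by hand: op-command-modes=mgmt-interface-swap is still
present (without it the firewall on AWS does not swap the management and
ethernet1/1 interfaces), and, when Panorama manages the firewalls, that
panorama-server, tplname, dgname and vm-auth-key are filled in rather
than left as the empty "name=" placeholders.
"""

# Sample file, copied from the example values printed in the guide.
EXAMPLE_INIT_CFG = """\
op-command-modes=mgmt-interface-swap
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
"""

# Constructed counter-example: swap command deleted, template left blank.
BROKEN_INIT_CFG = """\
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=
tplname=
dgname=finance_dg
"""

PANORAMA_KEYS = ("panorama-server", "tplname", "dgname", "vm-auth-key")


def parse_init_cfg(text):
    """Return the file as a {name: value} dict.

    Blank lines are skipped; a line without '=' is rejected rather than
    silently dropped, so a damaged file is noticed before upload.
    """
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=value, got {line!r}")
        name, _, value = line.partition("=")
        cfg[name.strip()] = value.strip()
    return cfg


def validate_init_cfg(text, uses_panorama):
    """Return a list of problems; an empty list means the file passes."""
    cfg = parse_init_cfg(text)
    problems = []

    # op-command-modes may carry several comma-separated modes; the
    # interface swap must be one of them.
    modes = {m.strip() for m in cfg.get("op-command-modes", "").split(",")}
    if "mgmt-interface-swap" not in modes:
        problems.append(
            "op-command-modes=mgmt-interface-swap is missing: management and "
            "ethernet1/1 will not be swapped on AWS"
        )

    if uses_panorama:
        for key in PANORAMA_KEYS:
            if not cfg.get(key):
                problems.append(f"{key} is missing or empty but Panorama manages the firewalls")
    return problems


if __name__ == "__main__":
    for label, text in (("guide example", EXAMPLE_INIT_CFG), ("broken", BROKEN_INIT_CFG)):
        issues = validate_init_cfg(text, uses_panorama=True)
        print(f"{label}: {issues or 'OK'}")
```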
Step 18 Change the default credentials for the VM‐Series firewall administrator account defined in the bootstrap.xml file.
Required for using the CFT in a production environment. The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch; see Customize the Bootstrap.xml File.
Step 19 Prepare the Amazon Simple Storage (S3) buckets for launching the CFT.
Make sure to create the S3 buckets in the same region in which you plan to deploy the template.
The CFT requires one S3 bucket for the VM‐Series bootstrap files, and another S3 bucket for the AWS Lambda functions and the nested firewall.template.
1. Create a new S3 bucket for the bootstrap files.
   a. Sign in to the AWS Management Console and open the S3 console.
   b. Click Create Bucket.
   c. Enter a Bucket Name and a Region, and click Create. The bucket must be at the S3 root level. If you nest the bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files.
2. Upload the bootstrap files to the S3 bucket.
   a. Click the name of the bucket and then click Create folder.
   b. Create the following folder structure for bootstrapping.
   c. Click the link to open the config folder.
   d. Select Actions > Upload and Add Files, browse to select the init‐cfg.txt file and bootstrap.xml file, and click Open.
   e. Click Start Upload to add the files to the config folder. The folder can contain only two files: init‐cfg.txt and the bootstrap.xml.
3. Create another S3 bucket and upload the AWS Lambda code and the firewall.template to the S3 bucket.
   a. Click the bucket name.
   b. Click Add Files to select the panw‐aws.zip file and the firewall.template, and click Open.
   c. Click Start Upload to add the files to the S3 bucket.
Step 20 Select the CFT that you want to launch.
1. In the AWS Management Console, select CloudFormation > Create Stack.
2. Select Upload a template to Amazon S3, choose the vpc‐classic‐v1.template or the vpc‐alb‐v1.template that you downloaded previously, and click Open and Next.
3. Specify the Stack name in 10 characters or less. The stack name allows you to uniquely identify all the resources that are deployed using this CFT.
Step 21 Configure the parameters for the VPC.
4. Enter the parameters for the VPC Configuration as follows:
   a. Enter a VPCName and a VPC CIDR. The default CIDR is 192.168.0.0/16.
   b. Enter the IP address blocks for the management, untrust and trust subnets for the VM‐Series firewalls in each Availability Zone. By default three subnets are allocated across three AZs. The default blocks for the management subnets are 192.168.0.0/24, 192.168.10.0/24 and 192.168.20.0/24; untrust subnets are 192.168.1.0/24, 192.168.11.0/24 and 192.168.21.0/24; and trust subnets are 192.168.2.0/24, 192.168.12.0/24 and 192.168.22.0/24.
   c. For Do you want to create a NAT Gateway in each AZ, enter Yes if you want the CFT to deploy an AWS NAT gateway. Enter No if you want to assign EIPs to the management interface on each firewall to enable outbound access from the VPC. If you do not plan to allocate EIPs on the management interface for each VM‐Series firewall, the AWS NAT gateway is required for the firewalls to access the Palo Alto Networks Update servers and Panorama, and to publish metrics to CloudWatch.
   d. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the NAT gateway in each AZ. The default assignment is 192.168.100.0/24, 192.168.101.0/24, 192.168.102.0/24, 192.168.103.0/24.
   e. (Required if you opted for the AWS NAT Gateway) Enter the IP address blocks for the Lambda functions in each AZ. The default assignment is 192.168.200.0/24, 192.168.201.0/24, 192.168.202.0/24, 192.168.203.0/24.
   f. In Number of Availability Zones for deployment, select whether the uptime needs of your setup require the VPC to span two or three Availability Zones.
   g. Select your AZ preference from the Select list of Availability Zones drop‐down. Make sure to select two or three based on the number of AZs you selected above.
Step 22 Select your preferences for the VM‐Series firewalls.
1. Select the EC2 instance size for the VM‐Series firewall.
2. Select the EC2 Key pair (from the drop‐down) for launching the firewall. To log in to the firewall or the web servers, you must provide the name of this key pair and the private key associated with it.
3. If you want to restrict access to the firewall, specify the IP address block or IP addresses that can SSH in to the firewall. Verify your IP address before configuring it on the CFT to make sure that you do not lock yourself out.
Step 23 Specify the name of the Amazon S3 buckets.
1. Enter the name of the S3 bucket that contains the bootstrap files. If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process will fail and you will not be able to log in to the firewall; ELB health checks will also fail.
2. Enter the name of the S3 bucket that contains the firewall.template and the Lambda code that you extracted from the zip file.
Step 24 Specify the keys for enabling API access to the firewall and Panorama.
1. Enter the key that the firewall will use to authenticate API calls. The default key is based on the sample bootstrap.xml file and should only be used for testing and evaluation. For a production deployment, you must create a separate PAN‐OS login just for the API call and generate an associated key.
2. Enter the API key to allow AWS Lambda to make API calls to Panorama, if you are using Panorama for centralized management. For a production deployment, you should create a separate login just for the API call and generate an associated key.
Step 25 Specify the name for the ELBs.
The ELB name must be 12 characters or less. If the name is longer than 12 characters, the CFT will fail to deploy.
1. Enter the name for the internet‐facing (or external) classic ELB.
2. Enter the name for the internal classic or application ELB.
Step 26 Configure the metric to monitor and define the thresholds for auto scaling.
1. The custom PAN‐OS metrics create CloudWatch alarms that execute auto scaling policies to scale in or scale out the VM‐Series firewalls based on the thresholds you define. Select one scaling metric:
   • Active Sessions (number)—Monitors the total number of sessions that are active on the firewall. Because the firewall uses NAT in this solution, the maximum number of sessions supported is 64,000.
   • Dataplane CPU Utilization (%)—Monitors the dataplane CPU usage to measure the traffic load on the firewall.
   • Dataplane Buffer Utilization (%)—Monitors the dataplane buffer usage to measure buffer utilization. If you have a sudden burst in traffic, monitoring buffer utilization allows you to ensure that the firewall does not deplete the dataplane buffer and cause dropped packets.
2. Enter the scaling period. This is the time interval for which a monitored metric must remain at the configured threshold to trigger a scaling event. The value is in seconds; choose one of these values for the scaling period: 60, 300, 900 (default), 3,600, 21,600, or 84,600.
3. Enter the maximum number of VM‐Series firewalls in an ASG.
4. Enter the minimum number of VM‐Series firewalls in an ASG. The minimum value of 1 means that every ASG will have at least one VM‐Series firewall.
5. Enter the thresholds for a scaling event. This input can be a number or a percentage based on the scaling metric you selected above.
   For active sessions, as a best practice, set this value at a maximum of 51,200 (80% of 64,000) to allow scale‐out events to complete with a fully functioning firewall. Assess the traffic patterns for your application, and determine whether you need to set a more conservative threshold.
   For dataplane buffer utilization, set the value at a maximum of 40% so that the firewall can optimally handle a burst in traffic.
   Bootstrapping a PAN‐OS firewall can take 10 to 15 minutes. Make sure to set some buffer in your scale thresholds to accommodate that boot time. For example, don't wait until the session table is 95% full before launching a new firewall in the auto scale group.
Step 27 Select the EC2 instance type for the web servers.
Make sure to pick an instance size that matches the expected load on your web servers so that the internal ELB does not fluctuate hugely with variable demand. If the internal ELB fluctuates, it will trigger scaling events for the ASGs and the corresponding VM‐Series firewalls.
Step 28 (Optional) Apply tags to identify the CFT resources associated with the deployment.
Add a name‐value pair to identify and categorize the resources in this CFT stack.
Step 29 Review the template settings and launch the template.
1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
3. On successful deployment the status updates to CREATE_COMPLETE.
   In each AZ, the CFT will launch an ASG that includes one VM‐Series firewall behind the external ELB. The firewalls will be bootstrapped with a NAT policy rule and a basic Security policy rule. It will also launch two web servers in an ASG behind the internal ELB.
Step 30 Verify that the template has launched all required resources.
1. On the EC2 Dashboard, select Load Balancers.
2. Get the DNS name for the external ELB, and enter it into a web browser. For example:
   http://public‐elb‐123456789.us‐east‐1.elb.amazonaws.com/
   The web page will display to indicate that you have successfully launched the CloudFormation template.
3. On the EC2 Dashboard, select Auto Scaling Groups. Verify that in each AZ, you have one ASG for the VM‐Series firewalls with the minimum number of firewalls you specified in the template, and the web server ASG. If you selected three AZs and the AWS NAT gateway, the VM‐Series firewall ASG name displays this information as az3n; the details are appended to the stack name, for example: VM‐Auto‐CFT‐az3n‐EB4Y7D3DMJ6E_ASG_LC_192‐168‐2‐6
4. Log in to the VM‐Series firewall. It may take up to 20 minutes for the firewalls to boot up and be available to handle traffic.
   Use the EIP address, if you allocated one. If you chose the NAT gateway option, you must deploy a jump server or use Panorama to access the web interface on the firewall.
5. Select Monitor > Logs > Traffic on the web interface of the firewall to view logs.
When you are finished with testing or a production deployment, the only way to ensure charges stop occurring is to completely delete the stack. Shutting down instances, or changing the ASG maximum to 0, is not sufficient as the CFT might automatically deploy new ASGs.
If you are using Panorama, delete the internal ELB on AWS before you delete the stack. Deleting the internal ELB allows the VM‐Series firewalls to shut down gracefully, and Panorama can remove the firewalls from the list of managed devices.
Customize the Bootstrap.xml File
The bootstrap.xml file provided in the GitHub repository uses admin/admin as the username and password for the firewall administrator. Before deploying the CFT in a production environment, at a minimum, you must create a unique username and password for the administrative account on the VM‐Series firewall. Optionally, you can fully configure the firewall with zones, policy rules, security profiles and export a golden configuration snapshot. You can then use this configuration snapshot as the bootstrap.xml file for your production environment.
You have two ways to customize the bootstrap.xml file for use in a production environment:
• Option 1: Launch a VM‐Series firewall in AWS using the bootstrap files provided in the GitHub repository, modify the firewall configuration and export the configuration to create a new bootstrap.xml file for the CFT. See Use the GitHub Bootstrap Files as Seed.
• Option 2: Launch a new VM‐Series firewall in AWS without using the bootstrap files, add a NAT policy rule to ensure that the VM‐Series firewall handles traffic properly, and export the configuration to create a new bootstrap.xml file for the CFT. See Create a new Bootstrap File from Scratch.
Use the GitHub Bootstrap Files as Seed
Launch a VM‐Series firewall in AWS from the AWS Marketplace using the bootstrap files provided in the GitHub repository, modify the firewall configuration for your production environment and export the configuration to create a new bootstrap.xml file that you can now use for the CFT.
Option 1: Customize the Bootstrap.xml File
1. To launch the firewall, see Bootstrap the VM‐Series Firewall in AWS.
2. Add an elastic network interface (ENI) and associate an elastic IP address (EIP) to it, so that you can access the web interface on the VM‐Series firewall. See Launch the VM‐Series Firewall in AWS for details.
3. Use the EIP address to log in to the firewall web interface with admin as the username and password.
4. Add a secure password for the admin user account (Device > Local User Database > Users).
5. (Optional) Configure the firewall for securing your production environment.
6. Select Policies > NAT to verify the firewall has the NAT policy rule required for the CFT. The NAT policy rule is included in the bootstrap.xml file, and is required to avoid blackholing traffic. The NAT policy rule routes traffic to the internal ELB and ensures symmetric return of the traffic from the web servers.
7. Commit the changes on the firewall.
8. Generate a new API key for the administrator account. Copy this new key to a new file. You will need to enter this API key when you launch the CFT; the AWS services use the API key to deploy the firewall and to publish metrics for auto scaling.
9. Export the configuration file and save it as bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).
10. Open the bootstrap.xml file with a text editing tool and delete the management interface configuration.
11. Save the file. You can now proceed with Launch the VM‐Series Auto Scaling Template for AWS.
Create a new Bootstrap File from Scratch
Launch a new VM‐Series firewall in AWS without using the bootstrap files, add a NAT policy rule to ensure that the VM‐Series firewall handles traffic properly, and export the configuration to create a new bootstrap.xml file for the CFT.
Option 2: Customize the Bootstrap.xml File
1. Deploy the VM‐Series Firewall in AWS (no bootstrapping required) and use the public IP address to SSH into the Command Line Interface (CLI) of the VM‐Series firewall. You will need to configure a new administrative password for the firewall.
2. Log in to the firewall web interface.
3. (Optional) Configure the firewall. You can configure the dataplane interfaces, zones and policy rules. Commit the changes on the firewall.
4. Export the configuration file and name it bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).
5. Download the bootstrap.xml file from the GitHub repository, open it with a text editing tool, and copy lines 406 to 435 and 445 to 454. These lines define the NAT policy rule and the address objects required for the CFT. If you want to copy and paste the NAT policy rule and address objects, see NAT Policy Rule and Address Objects in the Auto Scaling Template.
6. Use a text editing tool to open the configuration file you exported earlier.
   a. Search for </security> and paste lines 406 to 435 after </security>.
   b. Search for </import> and paste lines 445 to 454 after </import>.
7. Delete the management interface configuration.
   a. Search for </service> and delete the ip‐address, netmask and default gateway that follow.
   b. Search for </type> and delete the ip‐address, netmask, default gateway, and public‐key that follow.
8. Save the file. You can now proceed with Launch the VM‐Series Auto Scaling Template for AWS.
NAT Policy Rule and Address Objects in the Auto Scaling Template
To customize the bootstrap.xml file for deploying the AWS CFT in your production environment, you must copy the following NAT policy rule and its address objects into your configuration file. You can find the NAT rule and address objects in the bootstrap.xml file in the GitHub repository.
NAT Policy Rule
<nat>
  <rules>
    <entry name="nat-for-asg">
      <to>
        <member>Untrust</member>
      </to>
      <from>
        <member>any</member>
      </from>
      <source>
        <member>any</member>
      </source>
      <destination>
        <member>AWS-NAT-UNTRUST</member>
      </destination>
      <service>any</service>
      <to-interface>ethernet1/1</to-interface>
      <destination-translation>
        <translated-address>AWS-NAT-ILB</translated-address>
      </destination-translation>
      <source-translation>
        <dynamic-ip-and-port>
          <interface-address>
            <interface>ethernet1/2</interface>
          </interface-address>
        </dynamic-ip-and-port>
      </source-translation>
    </entry>
  </rules>
</nat>
NAT Policy Address Objects
<address>
  <entry name="AWS-NAT-ILB">
    <ip-netmask>192.168.12.223</ip-netmask>
    <description>ILB-IP-address</description>
  </entry>
  <entry name="AWS-NAT-UNTRUST">
    <ip-netmask>192.168.11.115</ip-netmask>
    <description>UNTRUST-IP-address</description>
  </entry>
</address>
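Option 1 step 6 and Option 2 step 6 both come down to the same question: does the exported bootstrap.xml still carry this rule, with these field values, and are the two address objects it names defined? The following Python is an added example, not code from the guide or from the GitHub repository; SAMPLE_BOOTSTRAP is a constructed skeleton of the vsys1 rulebase and address sections, not a real export.

```python
"""Check that a bootstrap.xml carries the NAT rule the auto scaling CFT
depends on and defines the address objects the rule references.

Added example, not part of the Palo Alto Networks guide or the GitHub
repository. It checks the rule exactly as the guide prints it: NAT rule
nat-for-asg to zone Untrust, destination AWS-NAT-UNTRUST, egress
interface ethernet1/1, destination translation to AWS-NAT-ILB, and
dynamic-ip-and-port source translation on ethernet1/2. SAMPLE_BOOTSTRAP
is a constructed skeleton of the vsys1 <rulebase> and <address> sections;
a real export carries much more, but the paths checked are the same.
"""
import xml.etree.ElementTree as ET

# Paths relative to the rule entry, with the value the CFT expects at each.
EXPECTED_RULE_FIELDS = {
    "to/member": "Untrust",
    "destination/member": "AWS-NAT-UNTRUST",
    "to-interface": "ethernet1/1",
    "destination-translation/translated-address": "AWS-NAT-ILB",
    "source-translation/dynamic-ip-and-port/interface-address/interface": "ethernet1/2",
}

# Constructed sample; only the parts of the PAN-OS layout this check touches.
SAMPLE_BOOTSTRAP = """\
<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="AWS-NAT-ILB"><ip-netmask>192.168.12.223</ip-netmask></entry>
   <entry name="AWS-NAT-UNTRUST"><ip-netmask>192.168.11.115</ip-netmask></entry>
  </address>
  <rulebase>
   <security><rules/></security>
   <nat><rules>
    <entry name="nat-for-asg">
     <to><member>Untrust</member></to>
     <from><member>any</member></from>
     <source><member>any</member></source>
     <destination><member>AWS-NAT-UNTRUST</member></destination>
     <service>any</service>
     <to-interface>ethernet1/1</to-interface>
     <destination-translation>
      <translated-address>AWS-NAT-ILB</translated-address>
     </destination-translation>
     <source-translation><dynamic-ip-and-port>
      <interface-address><interface>ethernet1/2</interface></interface-address>
     </dynamic-ip-and-port></source-translation>
    </entry>
   </rules></nat>
  </rulebase>
 </entry></vsys></entry></devices>
</config>
"""


def check_nat_rule(xml_text, rule_name="nat-for-asg"):
    """Return a list of problems with the CFT NAT rule; empty means it passes."""
    root = ET.fromstring(xml_text)
    rule = root.find(f".//rulebase/nat/rules/entry[@name='{rule_name}']")
    if rule is None:
        # Without this rule the firewall blackholes traffic meant for the internal ELB.
        return [f"NAT rule {rule_name!r} is missing"]

    problems = []
    for path, want in EXPECTED_RULE_FIELDS.items():
        got = rule.findtext(path)
        if got is None or got.strip() != want:
            problems.append(f"{rule_name}: {path} is {got!r}, expected {want!r}")

    # Every address object the rule names must be defined; 'any' is a keyword.
    defined = {e.get("name") for e in root.findall(".//address/entry")}
    referenced = {
        rule.findtext("destination/member"),
        rule.findtext("destination-translation/translated-address"),
    }
    for name in sorted(n for n in referenced if n and n != "any"):
        if name not in defined:
            problems.append(f"address object {name!r} is referenced but not defined")
    return problems


if __name__ == "__main__":
    print(check_nat_rule(SAMPLE_BOOTSTRAP))  # prints [] for the sample
    # Constructed failure: translated address renamed so no address object matches it.
    broken = SAMPLE_BOOTSTRAP.replace(">AWS-NAT-ILB</translated-address>", ">ILB-typo</translated-address>")
    print(check_nat_rule(broken))
```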

Stack Update with VM‐Series Auto Scaling Template for AWS (v1.2)
A stack update allows you to modify the resources that the CFT deploys. Instead of deleting your existing deployment and redeploying the solution, use the stack update to modify the following parameters in the CFT:
• PAN‐OS version—Deploy new VM‐Series firewalls with a different PAN‐OS version.
• License—Switch from BYOL to PAYG and vice versa, or switch from one PAYG bundle to another.
• Other stack resources—Change the launch configuration parameters such as the Amazon Machine Image (AMI) ID, the instance type, and the key pair for your auto scaling groups. You can also update the API key associated with the administrative user account on the firewall.
When you deploy the CFT, the auto scaling groups and the launch configuration are automatically created for you. The launch configuration is a template that an auto scaling group uses to launch EC2 instances, and it specifies parameters such as the AMI ID, the instance type, and the key pair for your auto scaling group. To modify these parameters, you must update the stack and then replace the existing auto scaling group with a new auto scaling group that uses the updated stack parameters to create the launch configuration and deploy new instances with these new parameters; existing instances continue to run with the configuration they were originally launched with. This phased rollout allows you to verify the updates in one AZ at a time and then complete the changes across the other AZs without disruption. For critical applications, perform a stack update during a maintenance window.
You can update the stack directly or create change sets. The workflow in this document takes you through the manual stack update.
Stack Update with VM‐Series Auto Scaling Template v1.2
Step 1 In the AWS CloudFormation console, select the parent stack that you want to update and choose Actions > Update Stack.
Step 2 Modify the resources that you want to update.
• PAN‐OS version—To modify the PAN‐OS version, look up the AMI ID for the version you want to use and enter the ID. If you are upgrading to PAN‐OS 8.0, make sure to select an instance type that meets the VM‐Series System Requirements.
• License option—Switch from BYOL to PAYG or across PAYG bundles 1 and 2. If you’re switching to BYOL, make sure to include the auth code in the bootstrap package (see Step 3 and Step 5). If you’re switching between PAYG bundle version 1 and 2, look up the AMI ID for the VM‐Series firewall.
• Other stack resources—You can modify the AMI ID, the instance type, security group, key pair for the stack resources, or the API key associated with the administrative user account on the firewall. If you create a new administrative user account or modify the credentials of the existing administrator on the firewall, then to update the stack and deploy new firewalls with the updated API key you must generate the API key for the administrative user account, export the configuration from the firewall, rename it to bootstrap.xml and upload it to the S3 bootstrap folder. Uploading the bootstrap file ensures that new firewall instances are configured with the updated administrative user account.
Step 3 Acknowledge the notifications, review the changes, and click Update to initiate the stack update.
Step 4 On the EC2 dashboard, select Auto Scaling Groups and pick an AZ in which to delete the ASG. Deleting an ASG allows you to replace the existing ASGs (one at a time) with a new ASG that uses the new parameters.
Step 5 Delete the launch configuration.
Step 6 Verify that the updated parameters are used to launch the VM‐Series firewalls in the new ASG. Test the new ASG thoroughly and ensure it is properly handling traffic. As a best practice, wait one hour before continuing to the next ASG.
Step 7 Repeat Step 4 through Step 6 to replace the ASGs in the remaining AZs.
Troubleshoot the VM‐Series Auto Scaling CFT for AWS
When deploying the VM‐Series Auto Scaling CFT, if the template stack is unable to provision the resources specified in the template, the process automatically rolls back and deletes the resources that were successfully created. Because an initial error can trigger a cascade of additional errors, you need to review the logs to locate the first failure event.
Deployment Issues
Error: Inadequate number of Elastic IP addresses (EIPs)
AWS Lambda requires an EIP address to successfully launch the firewall.
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the CFT that failed to deploy and view the list of Events.
3. Look through the failure events for maximum number of addresses has been reached.
Error: Stack name is longer than 10 characters.
The CFT deployment fails if the stack name is longer than 10 characters.
1. On the AWS Management Console, select CloudWatch > Logs.
2. In the Log Groups list, select the name of the Log Stream for the CFT that failed to deploy so that you can find the error.
3. Filter for ERROR events and look for stack name more than 10 characters long.
Error: Unable to log in to the firewall
You might be unable to log in to the firewall for any of the following reasons:
• The firewall is not configured properly because the bootstrap process failed.
• You chose the NAT gateway option to conserve the use of EIP addresses, so the firewall does not have a publicly accessible IP address. If you are not using Panorama to manage the firewall, to access the CLI or web interface on the firewall on the private IP address assigned by AWS, you must deploy a bastion host or jump server on the same subnet as the firewall and assign a public IP address to the jump server. Then log in to the jump server and connect to the firewall.
• You edited the bootstrap.xml file and the NAT policy is missing or incorrect.
1. To troubleshoot, first check that the template references the correct S3 bucket with the bootstrap files:
a. On the EC2 Dashboard, select Instances.
b. Select the firewall instance, and click Actions > View/Change User Data.
c. Verify the name for the S3 bucket that contains the bootstrap files.
d. Verify that you created the S3 bucket at the root level, directly under All Buckets. If you nest the S3 bucket, bootstrapping will fail because you cannot specify a path to the location of the bootstrap files. See Prepare the Amazon Simple Storage (S3) buckets for launching the CFT.
e. Verify that the S3 bucket is in the same region in which you are deploying the CFT.
2. Check whether the internet‐facing ELB is in service. If bootstrapping fails, the VM‐Series firewall will be out of service for load‐balancing traffic.
a. Select EC2 > LoadBalancers.
b. Select the internet‐facing (or external) classic ELB to verify that the VM‐Series firewall instances are in‐service.
The following screenshot shows that the VM‐Series firewalls are not in service.
3. If the VM‐Series firewalls are in service, check that the NAT policy was successfully committed.
If you edited the bootstrap.xml file and deleted or modified the NAT policy rules, the firewall may have a misconfiguration that prevents traffic from being properly routed to the firewall.
Error: AWS Lambda is not supported in the region in which you are deploying the CFT.
To find the error:
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the CFT that failed to deploy and view the list of Events. The error reads: Resource is not supported in this region.
Error: Failure to successfully create a resource, with a message such as:
Embedded stack arn:aws:cloudformation:<AWS region>:290198859335:stack/<name of your stack> was not successfully created: The following resource(s) failed to create:[ResourceName].
To find the errors:
1. On the AWS Management Console, select CloudWatch.
2. Click on Logs and then select the Lambda function on the right. You’ll see one or more log streams.
3. Search for [ERROR] and [CRITICAL]. The following example shows that the ELB specified was not found:
Error: Failure to launch the CFT because of a missing required parameter or because the AWS Availability Zones for the template were not specified.
To find the error:
1. On the AWS Management Console, select CloudFormation.
2. In the Stack list, select the name of the CFT that failed to deploy. A generic template validation error displays.
Error: Failure to launch the CFT because you did not accept the End User License Agreement (EULA) for the VM‐Series Firewall Bundle 2.
1. On the EC2 Dashboard, select Auto Scaling Groups.
2. Check the details on the failure to launch the firewalls in the ASG. The error indicates that you must accept the terms for deploying the VM‐Series firewalls.
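The troubleshooting table above comes down to one habit: find the earliest failure event in the CloudFormation events or CloudWatch log streams, because everything after it is rollback noise, and compare it against the error strings listed. The following added example (not Palo Alto Networks or AWS code) does that over a few constructed log lines: it keeps only ERROR and CRITICAL entries, orders them by timestamp rather than by position in the file, and maps the earliest one to the documented cause. The timestamp/level line layout and the sample log are assumptions; the signature strings are the ones quoted in the table.

```python
"""Locate the first failure event in a CloudFormation/Lambda log and map it
to a cause documented in the Deployment Issues table.

Added example, not Palo Alto Networks or AWS code. The log lines are
constructed; the line layout (ISO-8601 UTC timestamp, bracketed level,
message) is an assumption about the log format.
"""
import re
from datetime import datetime

# Error strings quoted in the Deployment Issues table, paired with the documented cause.
SIGNATURES = (
    ("maximum number of addresses has been reached",
     "Inadequate number of Elastic IP addresses (EIPs)"),
    ("stack name more than 10 characters long",
     "Stack name is longer than 10 characters"),
    ("resource is not supported in this region",
     "AWS Lambda is not supported in this region"),
    ("failed to create",
     "A resource in the embedded stack failed to create; read the Lambda log streams"),
)

# Assumed line layout: timestamp, [LEVEL], free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+\[(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$"
)

# Constructed sample: the cascade is written out of order, and the EIP failure
# at 10:00:05 is the root cause even though a CRITICAL line precedes it in the file.
SAMPLE_LOG = """\
2017-06-12T10:00:01Z [INFO] Creating stack vmseries1 in us-east-1
2017-06-12T10:00:09Z [CRITICAL] Embedded stack was not successfully created: The following resource(s) failed to create:[FirewallASG]
2017-06-12T10:00:05Z [ERROR] AllocateAddress failed: The maximum number of addresses has been reached.
2017-06-12T10:00:12Z [ERROR] Rolling back stack vmseries1
""".splitlines()


def failure_events(log_lines):
    """Parse the log and return (timestamp, level, message) for ERROR/CRITICAL lines."""
    events = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if m is None or m["level"] not in ("ERROR", "CRITICAL"):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["level"], m["msg"]))
    return events


def documented_cause(message):
    """Match a message against the known signatures, case-insensitively."""
    text = message.lower()
    for signature, cause in SIGNATURES:
        if signature in text:
            return cause
    return "unknown; compare the message against the Deployment Issues table"


def first_failure(log_lines):
    """Return the earliest failure by timestamp (not file order), or None."""
    events = failure_events(log_lines)
    if not events:
        return None
    ts, level, msg = min(events)  # tuples sort by timestamp first
    return {"timestamp": ts.isoformat(), "level": level,
            "message": msg, "cause": documented_cause(msg)}


if __name__ == "__main__":
    print(first_failure(SAMPLE_LOG))
```

On a real stack, feed `first_failure` the lines exported from the CloudWatch log stream; the point of sorting by timestamp is that Lambda log streams interleave, so the first line in the file is often not the first thing that went wrong.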
List of Attributes Monitored on the AWS VPC
You can monitor up to a total of 32 attributes—14 pre‐defined and 18 user‐defined as key value pairs. The following attributes (or tag names) are available as match criteria for dynamic address groups.
Attribute                                           Format
Architecture                                        Architecture.<Architecture string>
Guest OS                                            GuestOS.<guest OS name>
Image ID                                            ImageId.<ImageId string>
Instance ID                                         InstanceId.<InstanceId string>
Instance State                                      InstanceState.<instance state>
Instance Type                                       InstanceType.<instance type>
Key Name                                            KeyName.<KeyName string>
Placement—Tenancy, Group Name, Availability Zone    Placement.Tenancy.<string>
                                                    Placement.GroupName.<string>
                                                    Placement.AvailabilityZone.<string>
Private DNS Name                                    PrivateDnsName.<Private DNS Name>
Public DNS Name                                     PublicDnsName.<Public DNS Name>
Subnet ID                                           SubnetID.<subnetID string>
Tag (key, value)                                    aws-tag.<key>.<value>
                                                    (a maximum of 5 of these tags are supported per instance)
VPC ID                                              VpcId.<VpcId string>
IAM Permissions Required for Monitoring the AWS VPC
To enable VM Monitoring, the AWS user whose Access Key and Secret Access Key the firewall uses must have permissions for the attributes listed above. These privileges allow the firewall to initiate the API calls for monitoring the virtual machines in the AWS VPC.
The IAM policy associated with the user must either have global read‐only access such as AmazonEC2ReadOnlyAccess, or must include individual permissions for all of the monitored attributes. The following IAM policy example lists the permissions for initiating the API actions for monitoring the resources in the AWS VPC:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeKeyPairs",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcs"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
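The policy above is the least‐privilege grant for this purpose: ten `ec2:Describe*` actions and nothing else. Two things go wrong in practice: a hand‐trimmed policy drops one action and monitoring silently returns partial data, or an administrator attaches `ec2:*` (or `AmazonEC2FullAccess`) to "make it work", leaving a long‐lived access key with write rights on the VPC. The following added example (not Palo Alto Networks or AWS code) checks a policy document offline against the action list above, honouring IAM's case‐insensitive `*`/`?` wildcard matching, and flags Allow patterns that reach beyond read‐only Describe calls. The four policy documents are constructed here; `GUIDE_POLICY` reproduces the one in the guide.

```python
"""Check that an IAM policy grants every EC2 Describe action the VM-Series
firewall needs for VM Monitoring, and flag grants broader than read-only.

Added example, not Palo Alto Networks or AWS code. REQUIRED_ACTIONS is the
action list from the guide's policy; the policy documents below are
constructed for illustration.
"""
import json
import re

REQUIRED_ACTIONS = (
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:DescribeKeyPairs",
    "ec2:DescribePlacementGroups",
    "ec2:DescribeRegions",
    "ec2:DescribeSubnets",
    "ec2:DescribeTags",
    "ec2:DescribeVpcs",
)

# The guide's policy as a JSON string.
GUIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": ["*"]}],
})
# Constructed: one required action left out.
NARROW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": [a for a in REQUIRED_ACTIONS if a != "ec2:DescribeTags"],
                   "Resource": "*"}],
})
# Constructed: monitoring works, but the key can also modify the VPC.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
})
# Constructed: read-only wildcard, still least privilege for this purpose.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
})


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _iam_match(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' are wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def allowed_actions(policy_doc):
    """Action patterns from unconditional Allow statements.

    Statements with a Condition or NotAction are skipped: whether they apply
    to the firewall's calls cannot be decided offline, so they earn no credit.
    Explicit Deny statements are not evaluated; this is a coverage check,
    not a policy simulator.
    """
    patterns = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt or "NotAction" in stmt:
            continue
        patterns.update(_as_list(stmt.get("Action")))
    return patterns


def check_policy(policy_json):
    """Return the required actions the policy misses and the Allow patterns
    that reach beyond ec2:Describe* (a monitoring credential needs no more)."""
    patterns = allowed_actions(json.loads(policy_json))
    missing = [a for a in REQUIRED_ACTIONS
               if not any(_iam_match(p, a) for p in patterns)]
    over_broad = sorted(p for p in patterns if not p.lower().startswith("ec2:describe"))
    return {"missing": missing, "over_broad": over_broad}


if __name__ == "__main__":
    for name, doc in (("guide", GUIDE_POLICY), ("narrow", NARROW_POLICY),
                      ("broad", BROAD_POLICY), ("wildcard", WILDCARD_POLICY)):
        print(name, check_policy(doc))
```

`Resource` is not inspected because the `ec2:Describe*` actions do not support resource‐level permissions; `"*"` is the only value that works for them, which is why the guide's policy uses it.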
Set Up the VM‐Series Firewall on KVM
Kernel‐based Virtual Machine (KVM) is an open‐source virtualization module for servers running Linux distributions. The VM‐Series firewall can be deployed on a Linux server that is running the KVM hypervisor.
This guide assumes that you have an existing IT infrastructure that uses Linux and that you are familiar with Linux and Linux tools. The instructions only pertain to deploying the VM‐Series firewall on KVM.
• VM‐Series on KVM— Requirements and Prerequisites
• Supported Deployments on KVM
• Install the VM‐Series Firewall on KVM
VM‐Series on KVM— Requirements and Prerequisites
• System Requirements
• Options for Attaching the VM‐Series on the Network
• Prerequisites for VM‐Series on KVM
System Requirements
Hardware Resources
• vCPU: 2, 4, 8
• Memory: 4 GB; 5 GB for the VM‐1000‐HV
• Disk: 40 GB
• Disk types supported: Virtio and SCSI for best performance; IDE
• Disk controllers: virtio, virt‐scsi, IDE
• The host CPU must be an x86‐based Intel or AMD CPU with virtualization extensions.
Software Versions
Ubuntu:
• 12.04 LTS (QEMU‐KVM 1.0; libvirt 0.9.8; Open vSwitch: 1.9.3 with bridge compatibility mode)
• 14.04 LTS (QEMU‐KVM 2.0.0; libvirt 1.2.2; Open vSwitch: 1.9.3, 2.3.1)
• 16.04 LTS (QEMU‐KVM 2.5.0; libvirt 1.3.1; Open vSwitch: 2.5.0)
CentOS/Red Hat Enterprise Linux:
• 6.5 (QEMU‐KVM 0.12; libvirt 0.10; Open vSwitch: 1.9.3 with bridge compatibility mode)
• 7.0 (QEMU‐KVM 1.5.3; libvirt 1.2.8; Open vSwitch: 1.9.3, 2.3.1)
• 7.1 (QEMU‐KVM 1.5.3; libvirt 1.2.8; Open vSwitch: 1.9.3, 2.3.1)
• 7.2 (QEMU‐KVM 1.5.3; libvirt 2.0.0; Open vSwitch: 2.5.0)
Network Interfaces—Network Interface Cards and Software Bridges
The VM‐Series on KVM supports a total of 25 interfaces: 1 management interface and a maximum of 24 network interfaces for data traffic.
The VM‐Series deployed on KVM supports software‐based virtual switches such as the Linux bridge or the Open vSwitch bridge, and direct connectivity to a PCI passthrough or SR‐IOV capable adapter.
• On the Linux bridge and OVS, the e1000 and virtio drivers are supported; the default driver, rtl8139, is not supported.
• For PCI passthrough/SR‐IOV support, the VM‐Series firewall has been tested with the following network cards:
– Intel 82576 based 1G NIC: SR‐IOV support on all supported Linux distributions; PCI‐passthrough support on all except Ubuntu 12.04 LTS.
– Intel 82599 based 10G NIC: SR‐IOV support on all supported Linux distributions; PCI‐passthrough support on all except Ubuntu 12.04 LTS.
– Broadcom 57112 and 578xx based 10G NIC: SR‐IOV support on all supported Linux distributions; no PCI‐passthrough support.
• Drivers (physical function): igb; ixgbe; bnx2x
• Drivers (virtual function): igbvf; ixgbevf; bnx2x
SR‐IOV capable interfaces assigned to the VM‐Series firewall must be configured as Layer 3 interfaces or as HA interfaces.
Options for Attaching the VM‐Series on the Network
With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the same host. For external connectivity, data traffic uses the physical interface to which the bridge is attached.
With PCI passthrough, data traffic is passed directly between the guest and the physical interface to which it is attached. When the interface is attached to a guest, it is not available to the host or to other guests on the host.
With SR‐IOV, data traffic is passed directly between the guest and the virtual function to which it is attached.
Prerequisites for VM‐Series on KVM
Before you install the VM‐Series firewall on the Linux server, review the following sections:
• Prepare the Linux Server
• Prepare to Deploy the VM‐Series Firewall
Prepare the Linux Server
• Check the Linux distribution version. For a list of supported versions, see System Requirements.
• Verify that you have installed and configured the KVM tools and packages that are required for creating and managing virtual machines, such as libvirt.
• If you want to use a SCSI disk controller to access the disk on which the VM‐Series firewall stores data, you must use virsh to attach the virtio‐scsi controller to the VM‐Series firewall. You can then edit the XML template of the VM‐Series firewall to enable the use of the virtio‐scsi controller. For instructions, see Enable the Use of a SCSI Controller.
KVM on Ubuntu 12.04 does not support the virtio‐scsi controller.
• Verify that you have set up the networking infrastructure for steering traffic between the guests and the VM‐Series firewall and for connectivity to an external server or the Internet. The VM‐Series firewall can connect using a Linux bridge, the Open vSwitch, PCI passthrough, or an SR‐IOV capable network card.
– Make sure that the link state for all interfaces you plan to use is up; sometimes you have to bring them up manually.
– Verify the PCI ID of all the interfaces. To view the list, use the command: virsh nodedev-list --tree
– If using a Linux bridge or OVS, verify that you have set up the bridges required to send/receive traffic to/from the firewall. If not, create the bridge(s) and verify that they are up before you begin installing the firewall.
– If using PCI‐passthrough or SR‐IOV, verify that the virtualization extensions (VT‐d/IOMMU) are enabled in the BIOS. For example, to enable IOMMU, intel_iommu=on must be defined in /etc/grub.conf. Refer to the documentation provided by your system vendor for instructions.
– If using PCI‐passthrough, ensure that the VM‐Series firewall has exclusive access to the interface(s) that you plan to attach to it. To allow exclusive access, you must manually detach the interface(s) from the Linux server; refer to the documentation provided by your network card vendor for instructions.
To manually detach the interface(s) from the server, use the command:
virsh nodedev-detach <pci id of interface>   (for example, pci_0000_07_10_0)
In some cases, in /etc/libvirt/qemu.conf, you may have to uncomment relaxed_acs_check = 1.
– If using SR‐IOV, verify that the virtual function capability is enabled for each port that you plan to use on the network card. With SR‐IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. A guest can be mapped to one or more virtual functions. To enable virtual functions, you need to:
1. Create a new file in this location: /etc/modprobe.d/
2. Modify the file using the vi editor to make the functions persistent: vim /etc/modprobe.d/igb.conf
3. Enable the number of virtual functions required: options igb max_vfs=4
After you save the changes and reboot the Linux server, each interface (or physical function) in this example will have 4 virtual functions.
Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported and for instructions to enable it.
Prepare to Deploy the VM‐Series Firewall
• Purchase the VM‐Series model and register the authorization code on the Palo Alto Networks Customer Support web site. See Create a Support Account and Register the VM‐Series Firewall.
• Obtain the qcow2 image and save it on the Linux server. As a best practice, copy the image to the folder /var/lib/libvirt/qemu/images.
If you plan to deploy more than one instance of the VM‐Series firewall, make the required number of copies of the image. Because each instance of the VM‐Series firewall maintains a link with the .qcow2 image that was used to deploy the firewall, ensure that each image is independent and used by a single instance of the firewall, to prevent data corruption.
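The Prepare the Linux Server checklist above asks you to confirm three host facts by hand before installing: IOMMU is enabled on the kernel command line, the link state of every interface you will hand to the firewall is up, and, for SR‐IOV, virtual functions are actually enabled on each physical function after the modprobe change and reboot. The following added example (not Palo Alto Networks code) performs those checks from the sysfs attributes an administrator would otherwise read one by one (`/sys/class/net/<if>/operstate`, `.../device/sriov_totalvfs`, `.../device/sriov_numvfs`). The sysfs tree and kernel command line are constructed in a temporary directory so it runs offline; on a real host pass `sysfs_root="/sys"` and the contents of `/proc/cmdline`.

```python
"""Check the KVM host prerequisites from the Prepare the Linux Server
checklist: IOMMU on the kernel command line, link state up, and SR-IOV
virtual functions enabled on each physical function.

Added example, not Palo Alto Networks code. The sysfs tree built by
build_sample_sysfs() is constructed for illustration.
"""
import os
import tempfile


def iommu_enabled(cmdline):
    """True when the kernel was booted with VT-d/AMD-Vi enabled
    (intel_iommu=on, or its AMD equivalent amd_iommu=on)."""
    params = cmdline.split()
    return "intel_iommu=on" in params or "amd_iommu=on" in params


def _read(path, default=None):
    """Read a one-line sysfs attribute; a missing file means 'not present'."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def check_interface(sysfs_root, ifname, want_vfs):
    """Report link state and SR-IOV status for one physical interface."""
    base = os.path.join(sysfs_root, "class", "net", ifname)
    operstate = _read(os.path.join(base, "operstate"), "missing")
    total = _read(os.path.join(base, "device", "sriov_totalvfs"))
    numvfs = _read(os.path.join(base, "device", "sriov_numvfs"))
    report = {
        "interface": ifname,
        "link_up": operstate == "up",
        "sriov_capable": total is not None,
        "vfs_enabled": int(numvfs) if numvfs else 0,
        "problems": [],
    }
    if not report["link_up"]:
        report["problems"].append(
            "%s: link state is %s; bring the interface up before attaching it" % (ifname, operstate))
    if want_vfs:
        if not report["sriov_capable"]:
            report["problems"].append(
                "%s: no sriov_totalvfs attribute, NIC or driver is not SR-IOV capable" % ifname)
        elif report["vfs_enabled"] == 0:
            report["problems"].append(
                "%s: 0 VFs enabled; set max_vfs in /etc/modprobe.d and reboot" % ifname)
    return report


def check_host(sysfs_root, cmdline, interfaces, want_vfs):
    """Run every check and collect all problems into one list."""
    iommu = iommu_enabled(cmdline)
    reports = [check_interface(sysfs_root, i, want_vfs) for i in interfaces]
    problems = [] if iommu else [
        "IOMMU is not enabled: add intel_iommu=on to the kernel command line and reboot"]
    for r in reports:
        problems.extend(r["problems"])
    return {"iommu": iommu, "interfaces": reports, "problems": problems}


def build_sample_sysfs():
    """Constructed sysfs tree: eth1 up with 4 of 7 VFs enabled, eth2 down with
    VFs not yet enabled, eth3 up but on a NIC without SR-IOV."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    spec = {"eth1": ("up", "7", "4"), "eth2": ("down", "7", "0"), "eth3": ("up", None, None)}
    for name, (state, total, num) in spec.items():
        dev = os.path.join(root, "class", "net", name, "device")
        os.makedirs(dev)
        with open(os.path.join(root, "class", "net", name, "operstate"), "w") as fh:
            fh.write(state + "\n")
        if total is not None:
            with open(os.path.join(dev, "sriov_totalvfs"), "w") as fh:
                fh.write(total + "\n")
            with open(os.path.join(dev, "sriov_numvfs"), "w") as fh:
                fh.write(num + "\n")
    return root


if __name__ == "__main__":
    root = build_sample_sysfs()
    result = check_host(root, "BOOT_IMAGE=/vmlinuz root=/dev/sda1 intel_iommu=on",
                        ["eth1", "eth2", "eth3"], want_vfs=True)
    for problem in result["problems"]:
        print(problem)
```

`sriov_numvfs` is the live count, so running this after the reboot is the quickest way to confirm that the `max_vfs` option in `/etc/modprobe.d` took effect before you start mapping virtual functions to the firewall.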
Supported Deployments on KVM
You can deploy a single instance of the VM‐Series firewall per Linux host (single tenant) or multiple instances of the VM‐Series firewalls on a Linux host. The VM‐Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. If you plan on using SR‐IOV capable interfaces on the VM‐Series firewall, you can only configure the interfaces as Layer 3 interfaces.
• Secure Traffic on a Single Host
• Secure Traffic Across Linux hosts
Secure Traffic on a Single Host
To secure east‐west traffic across guests on a Linux server, the VM‐Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. The illustration below shows the firewall with Layer 3 interfaces, where the firewall and the other guests on the server are connected using Linux bridges. In this deployment, all traffic between the web servers and the database servers is routed through the firewall; traffic across the database servers only or across the web servers only is processed by the bridge and is not routed through the firewall.
Secure Traffic Across Linux hosts
To secure your workloads, more than one instance of the VM‐Series firewall can be deployed on a Linux host. If, for example, you want to isolate traffic for separate departments or customers, you can use VLAN tags to logically isolate network traffic and route it to the appropriate VM‐Series firewall. In the following example, one Linux host hosts the VM‐Series firewalls for two customers, Customer A and Customer B, and the workload for Customer B is spread across two servers. To isolate traffic and direct it to the VM‐Series firewall configured for each customer, VLANs are used.
In another variation of this deployment, a pair of VM‐Series firewalls is deployed in a high availability setup. The VM‐Series firewalls in the following illustration are deployed on a Linux server with SR‐IOV capable adapters. With SR‐IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. Each virtual function attached to the VM‐Series firewall is configured as a Layer 3 interface. The active peer in the HA pair secures traffic that is routed to it from guests that are deployed on a different Linux server.
Install the VM‐Series Firewall on KVM
The libvirt API that is used to manage KVM includes a host of tools that allow you to create and manage virtual machines. To install the VM‐Series firewall on KVM you can use any of the following methods:
• Manually create the XML definition of the VM‐Series firewall, then use virsh to import the definition. Virsh is the most powerful tool and allows for full administration of the virtual machine.
• Use virt‐install to create the definition for the VM‐Series firewall and install it.
• Use the desktop user interface called virt‐manager; virt‐manager provides a convenient wizard to help you through the installation process.
The following procedure uses virt‐manager to install the VM‐Series firewall on a server running KVM on RHEL; the instructions for using virsh or virt‐install are not included in this document.
If you are deploying several VM‐Series firewalls and want to automate the initial configuration on the firewall, see Use an ISO File to Deploy the VM‐Series Firewall.
Install the VM‐Series on KVM
Step 1
Install the VM‐Series firewall.
1. In virt‐manager, select Create a new virtual machine.
2. Add a descriptive Name for the VM‐Series firewall.
3. Select Import existing disk image, browse to the image, and set the OS Type: Linux and Version: Red Hat Enterprise Linux 6. If you prefer, you can leave the OS Type and Version as Generic.
4. Set the Memory to 4096 MB; or 5120 MB, if you have purchased the VM‐1000‐HV license.
5. Set CPU to 2, 4, or 8.
6. Select Customize configuration before install.
7. Under Advanced options, select the bridge for the management interface, and accept the default settings.
8. To modify disk settings:
a. Select Disk, expand Advanced options and select Storage format—qcow2; Disk Bus—Virtio or IDE, based on your setup.
If you want to use a SCSI disk bus, see Enable the Use of a SCSI Controller.
b. Expand Performance options, and set Cache mode to writethrough. This setting improves installation time and execution speed on the VM‐Series firewall.
9. To add network adapters for the data interfaces:
a. Select Add Hardware > Network if you are using a software bridge such as the Linux bridge or the Open vSwitch.
• For Host Device, enter the name of the bridge or select it from the drop‐down list.
• To specify the driver, set Device Model to e1000 or virtio. These are the only supported virtual interface types.
b. Select Add Hardware > PCI Host Device for PCI‐passthrough or an SR‐IOV capable device.
• In the Host Device list, select the interface on the card or the virtual function.
c. Click Apply or Finish.
On Ubuntu 16.04 LTS, to pass L2 traffic when using an Open vSwitch, you must set the interface type to bridge and the virtual port type to openvswitch.
10. Click Begin Installation.
11. Wait 5‐7 minutes for the installation to complete.
By default, the XML template for the VM‐Series firewall is created and stored at /etc/libvirt/qemu.
Step 2
(optional) Bootstrap the VM‐Series firewall.
If you are using bootstrapping to perform the configuration of your VM‐Series firewall on KVM, refer to Bootstrap the VM‐Series Firewall on KVM. For more information about bootstrapping, see Bootstrap the VM‐Series Firewall.
Step 3
Configure the network access settings for the management interface.
1. Open a connection to the console.
2. Log in to the firewall with username/password: admin/admin.
3. Enter configuration mode with the following command:
configure
4. Use the following command to configure the management interface:
set deviceconfig system ip-address <Firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <Firewall‐IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway‐IP> is the IP address of the network gateway, and <DNS‐IP> is the IP address of the DNS server.
Step 4
Verify which ports on the host are mapped to the interfaces on the VM‐Series firewall. To verify the order of interfaces on the Linux host, see Verify PCI‐ID for Ordering of Network Interfaces on the VM‐Series Firewall.
To make sure that traffic is handled by the correct interface, use the following command to identify which ports on the host are mapped to the ports on the VM‐Series firewall:
admin@PAN-VM> debug show vm-series interfaces all
Phoenix_interface  Base-OS_port  Base-OS_MAC        PCI-ID
mgt                eth0          52:54:00:d7:91:52  0000:00:03.0
Ethernet1/1        eth1          52:54:00:fe:8c:80  0000:00:06.0
Ethernet1/2        eth2          0e:c6:6b:b4:72:06  0000:00:07.0
Ethernet1/3        eth3          06:1b:a5:7e:a5:78  0000:00:08.0
Ethernet1/4        eth4          26:a9:26:54:27:a1  0000:00:09.0
Ethernet1/5        eth5          52:54:00:f4:62:13  0000:00:10.0
Step 5
Access the web interface of the VM‐Series firewall and configure the interfaces and define security rules and NAT rules to safely enable the applications that you want to secure.
Refer to the PAN‐OS Administrator’s Guide.
Enable the Use of a SCSI Controller
If you want the VM‐Series firewall to use the disk bus type SCSI to access the virtual disk, use the following instructions to attach the virtio‐scsi controller to the firewall and then enable the use of the virtio‐scsi controller.
KVM on Ubuntu 12.04 does not support the virtio‐scsi controller; the virtio‐scsi controller can only be enabled on the VM‐Series firewall running on RHEL or CentOS.
This process requires virsh because Virt manager does not support the virtio‐scsi controller.
Enable the VM‐Series Firewall to use a SCSI Controller
Step 1
Create an XML file for the SCSI controller. In this example, it is called virt‐scsi.xml.
[root@localhost ~]# cat /root/virt-scsi.xml
<controller type='scsi' index='0' model='virtio-scsi'>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x0b' function='0x0'/>
</controller>
Make sure that the slot used for the virtio‐scsi controller does not conflict with another device.
Step 2
Associate this controller with the XML template of the VM‐Series firewall.
[root@localhost ~]# virsh attach-device --config <VM-Series_name> /root/virt-scsi.xml
Device attached successfully
Step 3
Enable the firewall to use the SCSI controller.
[root@localhost ~]# virsh attach-disk <VM-Series_name> /var/lib/libvirt/images/PA-VM-6.1.0-c73.qcow2 sda --cache none --persistent
Disk attached successfully
Step 4
Edit the XML template of the VM‐Series firewall. In the XML template, you must change the target disk and the disk bus used by the firewall.
By default, the XML template is stored at /etc/libvirt/qemu.
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2' cache='writeback'/>
  <source file='/var/lib/libvirt/images/PA-VM-7.0.0-c73.qcow2'/>
  <target dev='sda' bus='scsi'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
Verify PCI‐ID for Ordering of Network Interfaces on the VM‐Series Firewall
Regardless of whether you use virtual interfaces (Linux/OVS bridge) or PCI devices (PCI‐passthrough or SR‐IOV capable adapter) for connectivity to the VM‐Series firewall, the VM‐Series firewall treats the interface as a PCI device. The assignment of an interface on the VM‐Series firewall is based on the PCI‐ID, which is a value that combines the bus, device (or slot), and function of the interface. The interfaces are ordered starting at the lowest PCI‐ID, which means that the management interface (eth0) of the firewall is assigned to the interface with the lowest PCI‐ID.
Let's say you assign four interfaces to the VM‐Series firewall: three virtual interfaces of type virtio and e1000, and a fourth that is a PCI device. To view the PCI‐ID for each interface, enter the command virsh dumpxml <name of the VM-Series firewall> on the Linux host to view the list of interfaces attached to the VM‐Series firewall. In the output, check for the following networking configuration:
<interface type='bridge'>
  <mac address='52:54:00:d7:91:52'/>
  <source bridge='mgmt-br'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<interface type='bridge'>
  <mac address='52:54:00:f4:62:13'/>
  <source bridge='br8'/>
  <model type='e1000'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
</interface>
<interface type='bridge'>
  <mac address='52:54:00:fe:8c:80'/>
  <source bridge='br8'/>
  <model type='e1000'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>
<hostdev mode='subsystem' type='pci' managed='yes'>
  <source>
    <address domain='0x0000' bus='0x08' slot='0x10' function='0x1'/>
  </source>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</hostdev>
In this case, the PCI‐ID of each interface is as follows:
• First virtual interface PCI‐ID is 00:03:00
• Second virtual interface PCI‐ID is 00:10:00
• Third virtual interface PCI‐ID is 00:06:00
• Fourth interface PCI‐ID is 00:07:00
Therefore, on the VM‐Series firewall, the interface with PCI‐ID of 00:03:00 is assigned as eth0 (management interface), the interface with PCI‐ID 00:06:00 is assigned as eth1 (ethernet1/1), the interface with PCI‐ID 00:07:00 is eth2 (ethernet1/2) and the interface with PCI‐ID 00:10:00 is eth3 (ethernet1/3).
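Working this out by eye is error‐prone once a domain has more than a handful of interfaces, and getting it wrong has a security consequence: if a data bridge ends up with the lowest PCI‐ID, the firewall brings its management plane up on that bridge. The following added example (not Palo Alto Networks or libvirt code) automates the ordering described above: it parses the domain XML, sorts every `<interface>` and `<hostdev>` by its guest‐side PCI address (bus, slot, function), names each one the way the VM‐Series will, and checks that the management bridge lands on eth0. `SAMPLE_DOMAIN_XML` is the guide's four‐interface snippet wrapped in a minimal `<domain>` element so that it parses; on a real host feed it the output of `virsh dumpxml <name>`.

```python
"""Derive the VM-Series interface order (eth0, ethernet1/1, ...) from a
libvirt domain XML by sorting guest-side PCI addresses, and check that the
management bridge gets the lowest PCI-ID.

Added example, not Palo Alto Networks or libvirt code. SAMPLE_DOMAIN_XML
wraps the guide's snippet in a minimal <domain> so it parses stand-alone.
"""
import xml.etree.ElementTree as ET

SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>PAN_Firewall_DC1</name>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:d7:91:52'/>
      <source bridge='mgmt-br'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:f4:62:13'/>
      <source bridge='br8'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x10' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:fe:8c:80'/>
      <source bridge='br8'/>
      <model type='e1000'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <source>
        <address domain='0x0000' bus='0x08' slot='0x10' function='0x1'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </hostdev>
  </devices>
</domain>
"""


def _pci_tuple(addr):
    """(bus, slot, function) as integers from an <address> element."""
    return tuple(int(addr.get(k), 16) for k in ("bus", "slot", "function"))


def _attr(el, path, name, default="?"):
    child = el.find(path)
    return default if child is None else child.get(name, default)


def interface_order(domain_xml):
    """List the domain's NICs sorted by guest PCI-ID, lowest first, naming
    each one as the VM-Series will: eth0 is management, eth1 is ethernet1/1."""
    root = ET.fromstring(domain_xml)
    nics = []
    for dev in root.find("devices"):
        if dev.tag not in ("interface", "hostdev"):
            continue
        # Only the guest-side address (a direct child) decides the order; a
        # hostdev's <source><address> is the host PCI address and is ignored.
        addr = dev.find("./address[@type='pci']")
        if addr is None:
            continue
        bus, slot, func = _pci_tuple(addr)
        nic = {"pci_id": "%02x:%02x:%02x" % (bus, slot, func), "kind": dev.tag,
               "bridge": None, "sort_key": (bus, slot, func)}
        if dev.tag == "interface":
            src = dev.find("source")
            if src is not None:
                nic["bridge"] = src.get("bridge") or src.get("network") or src.get("dev")
            nic["description"] = "%s on %s, MAC %s" % (
                _attr(dev, "model", "type"), nic["bridge"], _attr(dev, "mac", "address"))
        else:
            nic["description"] = "PCI passthrough of host device %02x:%02x.%x" % _pci_tuple(
                dev.find("source/address"))
        nics.append(nic)
    nics.sort(key=lambda n: n["sort_key"])
    for i, nic in enumerate(nics):
        nic["firewall_name"] = "eth0 (management)" if i == 0 else "eth%d (ethernet1/%d)" % (i, i)
    return nics


def management_on_lowest_pci_id(domain_xml, mgmt_bridge):
    """True only when the interface on the management bridge has the lowest
    PCI-ID; otherwise the firewall's management plane comes up on a data bridge."""
    order = interface_order(domain_xml)
    return bool(order) and order[0]["kind"] == "interface" and order[0]["bridge"] == mgmt_bridge


if __name__ == "__main__":
    for nic in interface_order(SAMPLE_DOMAIN_XML):
        print(nic["pci_id"], nic["firewall_name"], nic["description"])
    print("management on mgmt-br:", management_on_lowest_pci_id(SAMPLE_DOMAIN_XML, "mgmt-br"))
```

The sort key includes the function number, so multi‐function virtual functions from SR‐IOV (which share bus and slot) are ordered the same way the firewall orders them.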
Use an ISO File to Deploy the VM‐Series Firewall
If you want to pass a script to the VM‐Series firewall at boot time, you can mount a CD‐ROM with an ISO file. The ISO file allows you to define a bootstrap XML file that includes the initial configuration parameters for the management port of the firewall. The VM‐Series firewall on first boot checks for the bootstrap‐networkconfig.xml file, and uses the values defined in it.
If a single error is encountered in parsing the bootstrap file, the VM‐Series firewall will reject all the configuration in this file and boot with default values.
Create a Bootable ISO File
Step 1
Create the XML file and define it as a virtual machine instance.
For a sample file, see Sample XML file for the VM‐Series Firewall.
In this example, the VM‐Series firewall is called PAN_Firewall_DC1.
For example:
user-PowerEdge-R510:~/kvm_script$ sudo vi /etc/libvirt/qemu/PAN_Firewall_DC1.xml
user-PowerEdge-R510:~/kvm_script$ sudo virsh define /etc/libvirt/qemu/PAN_Firewall_DC1.xml
Domain PAN_Firewall_DC1_bootstp defined from /et/libvirt/qemu/PAN_Firewall_DC1.xml
user-PowerEdge-R510:~/kvm_script$ sudo virsh -q attach-interface PAN_Firewall_DC1_bootstp bridge br1 --model=virtio --persistent
user-PowerEdge-R510:~/kvm_script$ virsh list --all
 Id    Name                        State
----------------------------------------------------
 -     PAN_Firewall_DC1_bootstp    shut off
Step 2
Create the bootstrap XML file. You can define the initial configuration parameters in this file and name it bootstrap‐networkconfig.
If you do not want to include a parameter, for example panorama‐server‐secondary, delete the entire line from the file. If you leave the IP address field empty, the file will not be parsed successfully.
Use the following example as a template for the bootstrap‐networkconfig file. The bootstrap‐networkconfig file can include the following parameters only:
<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.255.254.0</netmask>
<default-gateway>10.5.132.1</default-gateway>
<dns-primary>10.44.2.10</dns-primary>
<dns-secondary>8.8.8.8</dns-secondary>
<panorama-server-primary>10.5.133.4</panorama-server-primary>
<panorama-server-secondary>10.5.133.5</panorama-server-secondary>
</vm-initcfg>
Step 3
Create the ISO file. In this example, we use mkisofs.
Save the ISO file in the images directory (/var/lib/libvirt/image) or the qemu directory (/etc/libvirt/qemu) to ensure that the firewall has read access to the ISO file.
For example:
# mkisofs -J -R -v -V "Bootstrap" -A "Bootstrap" -ldots -l -allow-lowercase -allow-multidot -o <iso-filename> bootstrap-networkconfig.xml
Step 4
Attach the ISO file to the CD‐ROM.
For example:
# virsh -q attach-disk <vm-name> <iso-filename> sdc --type cdrom --mode readonly --persistent
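Because a single parse error makes the firewall discard the whole bootstrap‐networkconfig file and boot with default values (including the default admin credentials and no management address), it is worth validating the file before running mkisofs in Step 3 rather than discovering the problem at the console. The following added example (not Palo Alto Networks code) checks, offline, that the file is well‐formed XML rooted at `<vm-initcfg>`, contains only the parameters listed in Step 2, has no empty or duplicated elements (the guide's instruction is to delete the line, not leave it blank), and that address fields hold valid IPv4 values. The check that the default gateway lies inside the management subnet is an extra sanity check not stated in the guide. `GOOD_INITCFG` is the guide's example; `BAD_INITCFG` is constructed.

```python
"""Validate a bootstrap-networkconfig.xml before it is written to the ISO.

Added example, not Palo Alto Networks code. ALLOWED is exactly the
parameter list the guide gives; the gateway-in-subnet rule is an extra
sanity check of this example, not a documented firewall requirement.
"""
import ipaddress
import xml.etree.ElementTree as ET

ALLOWED = {
    "hostname", "ip-address", "netmask", "default-gateway",
    "dns-primary", "dns-secondary",
    "panorama-server-primary", "panorama-server-secondary",
}
IP_FIELDS = ALLOWED - {"hostname", "netmask"}

# The guide's example file.
GOOD_INITCFG = """<vm-initcfg>
<hostname>VM_ABC_Company</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.255.254.0</netmask>
<default-gateway>10.5.132.1</default-gateway>
<dns-primary>10.44.2.10</dns-primary>
<dns-secondary>8.8.8.8</dns-secondary>
<panorama-server-primary>10.5.133.4</panorama-server-primary>
<panorama-server-secondary>10.5.133.5</panorama-server-secondary>
</vm-initcfg>
"""

# Constructed: an empty element that should have been deleted, an unknown
# element, and a gateway outside the management subnet.
BAD_INITCFG = """<vm-initcfg>
<hostname>fw-test</hostname>
<ip-address>10.5.132.162</ip-address>
<netmask>255.255.254.0</netmask>
<default-gateway>10.9.0.1</default-gateway>
<dns-primary>10.44.2.10</dns-primary>
<panorama-server-secondary></panorama-server-secondary>
<ntp-server>10.5.133.9</ntp-server>
</vm-initcfg>
"""


def validate_initcfg(xml_text):
    """Return a list of problems; an empty list means the file should parse."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "vm-initcfg":
        problems.append("root element is <%s>, expected <vm-initcfg>" % root.tag)
    seen = set()
    values = {}
    for el in root:
        name = el.tag
        if name not in ALLOWED:
            problems.append("unknown parameter <%s>: remove the whole line" % name)
            continue
        if name in seen:
            problems.append("duplicate parameter <%s>" % name)
            continue
        seen.add(name)
        value = (el.text or "").strip()
        if not value:
            problems.append("empty value in <%s>: delete the line instead of leaving it blank" % name)
            continue
        if name in IP_FIELDS:
            try:
                values[name] = ipaddress.IPv4Address(value)
            except ValueError:
                problems.append("<%s> is not a valid IPv4 address: %r" % (name, value))
        elif name == "netmask":
            try:
                # IPv4Network rejects non-contiguous masks such as 255.255.0.255
                values[name] = ipaddress.IPv4Network("0.0.0.0/%s" % value, strict=False).netmask
            except ValueError:
                problems.append("<netmask> is not a valid IPv4 netmask: %r" % value)
        else:
            values[name] = value
    # Extra sanity check (not from the guide): the gateway must sit in the
    # management subnet, otherwise the bootstrapped firewall is unreachable.
    if all(k in values for k in ("ip-address", "netmask", "default-gateway")):
        subnet = ipaddress.IPv4Network(
            "%s/%s" % (values["ip-address"], values["netmask"]), strict=False)
        if values["default-gateway"] not in subnet:
            problems.append("<default-gateway> %s is outside the management subnet %s"
                            % (values["default-gateway"], subnet))
    return problems


if __name__ == "__main__":
    for label, doc in (("guide example", GOOD_INITCFG), ("constructed bad file", BAD_INITCFG)):
        print(label, "->", validate_initcfg(doc) or "OK")
```

Run it against the file you are about to pass to mkisofs; an empty result means the firewall will accept every parameter rather than silently falling back to defaults.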
Sample XML file for the VM‐Series Firewall
<?xml version="1.0"?>
<domain type="kvm">
  <name>PAN_Firewall_DC1</name>
  <memory>4194304</memory>
  <currentMemory>4194304</currentMemory>
  <vcpu placement="static">2</vcpu>
  <os>
    <type arch="x86_64">hvm</type>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset="utc"/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type="file" device="disk">
      <driver type="qcow2" name="qemu"/>
      <source file="/var/lib/libvirt/images/panos-kvm.qcow2"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <controller type="usb" index="0"/>
    <controller type="ide" index="0"/>
    <controller type="scsi" index="0"/>
    <serial type="pty">
      <source path="/dev/pts/1"/>
      <target port="0"/>
      <alias name="serial0"/>
    </serial>
    <console type="pty" tty="/dev/pts/1">
      <source path="/dev/pts/1"/>
      <target type="serial" port="0"/>
      <alias name="serial0"/>
    </console>
    <input type="mouse" bus="ps2"/>
    <graphics type="vnc" port="5900" autoport="yes"/>
  </devices>
</domain>
To modify the number of vCPUs assigned on the VM‐Series firewall, change the value 2 to 4 or 8 vCPUs in this line of the sample XML file:
<vcpu placement="static">2</vcpu>
Set Up the VM‐Series Firewall on Hyper‐V
The VM‐Series firewall can be deployed on a server running Microsoft Hyper‐V. Hyper‐V is packaged as a standalone hypervisor, called Hyper‐V Server 2012 R2, or as an add‐on/role for Windows Server 2012 R2. 
• Supported Deployments on Hyper‐V
• System Requirements on Hyper‐V
• Install the VM‐Series Firewall on Hyper‐V
Supported Deployments on Hyper‐V
You can deploy one or more instances of the VM‐Series on hosts running Hyper‐V. Where you place the VM‐Series firewall depends on your network topology. VM‐Series supports tap, virtual wire, Layer 2, and Layer 3 interface deployments. 
• Secure Traffic on a Single Hyper‐V Host
• Secure Traffic Across Multiple Hyper‐V Hosts
Secure Traffic on a Single Hyper‐V Host
The VM‐Series firewall is deployed on a single Hyper‐V host along with other guest VMs. In the example below, the VM‐Series firewall has Layer 3 interfaces, and the VM‐Series and other guest VMs are connected by Hyper‐V vSwitches. All traffic between the web servers and database servers is routed through the firewall. Traffic across the database servers only or across the web servers only is processed by the external vSwitch and not routed through the firewall.
Secure Traffic Across Multiple Hyper‐V Hosts
You can deploy your VM‐Series firewall to secure the traffic of multiple Hyper‐V hosts. In the example below, the VM‐Series is deployed in Layer 2 mode protecting traffic to and from the guest VMs. A single VM‐Series firewall protects traffic between four guest VMs spread across two Hyper‐V hosts. VLAN tagging is used to logically isolate traffic and direct it to the firewall. Additionally, management traffic is decoupled from all other traffic by placing it on its own external vSwitch.
System Requirements on Hyper‐V
The VM‐Series requires a minimum resource allocation on the Hyper‐V host, so make sure to conform to the requirements listed below to ensure optimal performance.
• The host CPU must be a 64‐bit x86‐based Intel or AMD CPU with virtualization extension.
• Minimum of two vCPUs per VM‐Series firewall; one for the management plane and one for the dataplane. You can assign two, four, or eight vCPUs to the firewall, however, the management plane only uses one vCPU and any additional vCPUs are used by the dataplane.
• Minimum of two network adapters. The VM‐Series firewall supports synthetic network adapters, which provide better performance than emulated network adapters. Hyper‐V supports up to eight synthetic network adapters.
• Minimum of 4GB of memory for all VM‐Series models except the VM‐1000HV, which requires a minimum of 5GB of memory. Any additional memory is used by the management plane only.
• Minimum of 40GB of virtual disk space.
• Windows Server 2012 R2 with Hyper‐V role add‐on. The Hyper‐V role add‐on for Windows Server 2012 R2 can be managed through Hyper‐V Manager or PowerShell.
• Hyper‐V Server 2012 R2—Hyper‐V Server 2012 R2 does not have a native graphical user interface; all configuration is done through PowerShell. However, Hyper‐V Server 2012 R2 can be managed using Hyper‐V Manager running on a remote machine.
The VM‐Series does not support Legacy Network Adapter or SR‐IOV/PCI‐Passthrough.
Linux Integration Services
Linux Integration Services (LIS) is a package of drivers and services that enhance the performance of Linux‐based virtual machines on Hyper‐V. The VM‐Series firewall supports the following services to improve the integration between the host and the virtual machine:
• Graceful Shutdown—Allows you to perform a graceful shutdown of the VM‐Series firewall from the Hyper‐V management interface without having to log into the guest.
• Heartbeat to Hyper‐V Manager—Provides heartbeat monitoring of the running status of guest VMs from the Hyper‐V management interface.
• Firewall Management IP Address Visibility—Allows you to use Hyper‐V Manager to view the IP address assigned to the management interface on the firewall.
Install the VM‐Series Firewall on Hyper‐V
Use the instructions in this section to deploy your VM‐Series firewall on a Hyper‐V host. A Palo Alto Networks support account and a valid VM‐Series license are required to download the VHDX image file and install the VM‐Series on the Hyper‐V host. If you have not already registered the capacity auth‐code that you received with the order fulfillment email with your support account, see Register the VM‐Series Firewall. After completing the registration, continue to the following tasks:
• Before You Begin
• Provision the VM‐Series Firewall on a Hyper‐V host with Hyper‐V Manager
• Provision the VM‐Series Firewall on a Hyper‐V host with PowerShell
• Perform Initial Configuration on the VM‐Series Firewall
Before You Begin
Before installing and configuring your VM‐Series firewall, consider the following items and keep them in mind when completing your configuration.
Virtual Switch Types
Before installing the VM‐Series, you must create the vSwitches required for providing external connectivity for management access and for routing traffic from and to the virtual machines that the firewall will secure. Hyper‐V allows you to create three types of vSwitches:
• External vSwitch—binds to a physical network adapter and provides the vSwitch access to a physical network.
• Internal vSwitch—passes traffic between the virtual machines and the Hyper‐V host. This type of vSwitch does not provide connectivity to a physical network connection.
• Private vSwitch—passes traffic between the virtual machines on the Hyper‐V host only.
An external vSwitch is required for management of the VM‐Series firewall. Other vSwitches connected to the VM‐Series firewall can be of any type and will depend on your network topology.
MAC Address Spoofing
If you are deploying the VM‐Series firewall with interfaces enabled in Layer 3 mode, make sure to enable use of hypervisor assigned MAC addresses so that the hypervisor and the firewall can properly handle packets. Alternatively, use the Hyper‐V Manager to enable MAC address spoofing on the virtual network adapter for each dataplane interface on the firewall. For more information, see Enable Use of Hypervisor Assigned MAC Addresses.
If you are deploying the VM‐Series firewall with interfaces enabled in Layer 2 mode or virtual‐wire mode, you must enable MAC address spoofing on the virtual network adapter in Hyper‐V for each dataplane interface on the firewall. This setting is required to ensure that packets sent by the VM‐Series are not dropped by the virtual network adapter if the source MAC address does not match the outgoing interface MAC address.
Provision the VM‐Series Firewall on a Hyper‐V host with Hyper‐V Manager
Use these instructions to deploy the VM‐Series firewall on Hyper‐V using Hyper‐V Manager.
Install the VM‐Series Firewall on Hyper‐V
Step 1
Download the VHDX file. Register your VM‐Series firewall and obtain the VHDX file.
1. Go to https://www.paloaltonetworks.com/support.
2. Filter by PAN-OS for VM-Series Base Images and download the VHDX file. For example, PA‐VM‐HPV‐7.1.0.vhdx.
Step 2
Set up any vSwitch(es) that you will need. To create a vSwitch:
1. From Hyper‐V Manager, select the host and select Action > Virtual Switch Manager to open the Virtual Switch Manager window.
2. Under Create virtual switch, select the type of vSwitch (external, internal, or private) to create and click Create Virtual Switch.
Step 3
Install the firewall.
1. On the Hyper‐V Manager, select the host and select Action > New > Virtual Machine. Configure the following settings in the New Virtual Machine Wizard:
a. Choose a Name and Location for the VM‐Series firewall. The VM‐Series firewall stores the VHDX file at the specified location.
b. Choose Generation 1. This is the default option and the only version supported.
c. For Startup Memory, assign 4096MB; if you plan to install the VM‐1000‐HV license, assign 5120MB. Do not enable dynamic memory; the VM‐Series firewall requires static memory allocation.
d. Configure Networking. Select an external vSwitch to connect the management interface on the firewall.
e. To connect the Virtual Hard Disk, select Use an existing virtual hard disk and browse to the VHDX file you downloaded earlier.
f. Review the summary and click Finish.
2. Assign virtual CPUs to the firewall.
a. Select the VM you created and navigate to Action > Settings.
b. Select Processor and enter 2, 4, or 8 vCPUs. The management plane uses only one vCPU; any additional vCPUs are assigned to the dataplane.
c. Click OK.
Step 4
Connect at least one network adapter for the dataplane interface on the firewall.
1. Select Settings > Hardware > Add Hardware and select the Hardware type for your network adapter.
Legacy Network Adapter and SR‐IOV are not supported. If selected, the VM‐Series firewall will boot into maintenance mode.
2. Click OK.
Step 5
(Optional) Enable MAC address spoofing on Hyper‐V if you are not using Layer 3 with hypervisor assigned MAC address.
1. Double click the dataplane virtual network adapter and click Advanced Settings.
2. Click the Enable MAC address spoofing check box and click Apply.
Step 6
Power on the firewall.
Select the firewall from the list of Virtual Machines and navigate to Action > Start to power on the firewall.
Provision the VM‐Series Firewall on a Hyper‐V host with PowerShell
Use these instructions to deploy the VM‐Series firewall on Hyper‐V using PowerShell.
Install the VM‐Series Firewall on Hyper‐V
Step 1
Download the VHDX file. Register your VM‐Series firewall and obtain the VHDX file.
1. Go to https://www.paloaltonetworks.com/support.
2. Filter by PAN-OS for VM-Series Base Images and download the VHDX file. For example, PA‐VM‐HPV‐7.1.0.vhdx.
Step 2
Set up any vSwitch(es) that you will need.
Create a vSwitch by using the following commands. Give the vSwitch a name and choose the switch type.
> New-VMSwitch -Name <"switch-name"> -SwitchType <switch-type>
Step 3
Install the VM‐Series firewall.
1. Create the new virtual machine.
> New-VM -Name <vm-name> -MemoryStartupBytes 4GB -VHDPath <file-path-to-vhdx>
2. Set processor count on new VM to 2.
> Set-VMProcessor -VMName <vm-name> -Count 2
Step 4
Connect at least one network adapter for the management interface on the firewall.
Connect the default network adapter created during VM creation to the management vSwitch.
> Connect-VMNetworkAdapter -VMName <vm-name> -Name <"network-adapter-name"> -SwitchName <"management-vswitch">
Step 5
(Optional) Enable MAC address spoofing on Hyper‐V if you are not using Layer 3 with hypervisor assigned MAC address.
> Set-VMNetworkAdapter -VMName <vm-name> -Name <"network-adapter-name"> -MacAddressSpoofing On
Step 6
Power on the firewall.
For example:
> Start-VM -VMName <vm-name>
Perform Initial Configuration on the VM‐Series Firewall
Use these instructions to perform the initial configuration of your VM‐Series firewall. If you have Panorama for central management, refer to the Panorama Administrator’s Guide for information on managing the device using Panorama.
If you are using bootstrapping to perform the configuration of your VM‐Series firewall on Hyper‐V, refer to Bootstrap the VM‐Series Firewall on Hyper‐V. For more information about bootstrapping, see Bootstrap the VM‐Series Firewall.
Configure the Management Interface
Step 1
Gather the required information from your network administrator.
• Management port IP address
• Netmask
• Default gateway
• DNS server IP address
Step 2
Access the console of the VM‐Series firewall.
1. In Hyper‐V Manager, select the VM‐Series firewall and click Connect from the Actions list.
2. Log in to the firewall with the default username and password: admin/admin
3. Enter configuration mode using the following command: configure
Step 3
Configure the network access settings for the management interface. Use the following command to configure the management interface:
set deviceconfig system ip-address <firewall-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <firewall-IP> is the IP address you want to assign to the management interface, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
Step 4
Commit your changes and exit the configuration mode.
1. Enter commit.
2. Enter exit.
Step 5
Verify that you can view the management interface IP address from the Hyper‐V Manager.
1. Select the VM‐Series firewall from the list of Virtual Machines.
2. Select Networking. The first network adapter that displays in the list is used for management access to the firewall; subsequent adapters in the list are used as the dataplane interfaces on the firewall.
Step 6
Verify network access to external services required for firewall management, such as the Palo Alto Networks Update Server.
1. Use the ping utility to verify network connectivity to the Palo Alto Networks Update server as shown in the following example. Verify that DNS resolution occurs and the response includes the IP address for the Update server; the update server does not respond to a ping request.
admin@PA-200 > ping host updates.paloaltonetworks.com
PING updates.paloaltonetworks.com (10.101.16.13) 56(84) bytes of data.
From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
From 192.168.1.1 icmp_seq=2 Destination Host Unreachable
From 192.168.1.1 icmp_seq=3 Destination Host Unreachable
From 192.168.1.1 icmp_seq=4 Destination Host Unreachable
After verifying DNS resolution, press Ctrl+C to stop the ping request.
2. Use the following CLI command to retrieve information on the support entitlement for the firewall from the Palo Alto Networks update server:
request support check
If you have connectivity, the update server will respond with the support status for your firewall.
Step 7
(Optional) Verify that your VM‐Series jumbo frame configuration does not exceed the maximum MTU supported on Hyper‐V.
The VM‐Series has a default MTU size of 9216 bytes when jumbo frames are enabled. However, the maximum MTU size supported by the physical network adapter on the Hyper‐V host is 9000 or 9014 bytes depending on the network adapter capabilities. To verify the configured MTU on Hyper‐V:
1. In Windows Server 2012 R2, open the Control Panel and navigate to Network and Internet > Network and Sharing Center > View network status and tasks.
2. Click on a network adapter or virtual switch from the list.
3. Click Properties.
4. Click Configure.
5. On the Advanced tab, select Jumbo Packet from the list.
6. Select 9000 or 9014 bytes from the Value drop‐down menu.
7. Click OK.
If you have enabled jumbo frames on Hyper‐V, Enable Jumbo Frames on the VM‐Series Firewall and set the MTU size to match that configured on the Hyper‐V host.
Step 8
Access the web interface of the VM‐Series firewall and configure the interfaces and define security rules and NAT rules to safely enable the applications you want to secure. Refer to the PAN‐OS Administrator’s Guide.
Set up the VM‐Series Firewall in Azure
VM‐Series firewall on Azure brings the security features of Palo Alto Networks next generation firewall as a virtual machine in the Azure public cloud (starting with PAN‐OS 7.1.0) and Azure Government Cloud Marketplace (starting with PAN‐OS 7.1.1). Microsoft Azure allows you to deploy the firewall to secure your workloads within the virtual network in the cloud, so that you can deploy a public cloud solution or you can extend the on‐premises IT infrastructure to create a hybrid solution. 
• About the VM‐Series Firewall in Azure
• Deployments Supported in Azure
• Deploy the VM‐Series Firewall in Azure (Solution Template)
• Use the ARM Template to Deploy the VM‐Series Firewall
• Deploy the VM‐Series and Azure Application Gateway Template
About the VM‐Series Firewall in Azure
The VM‐Series firewall on Azure must be deployed in a virtual network (VNet) using the Resource Manager deployment mode. You can deploy the VM‐Series firewall in both the standard Azure public cloud and in the Azure Government Cloud environments. The VM‐Series firewall in the Azure public marketplace supports the Bring Your Own License (BYOL) model and the hourly Pay‐As‐You‐Go (PAYG) option in the usage‐based licensing model. In the Azure Government Marketplace, the VM‐Series firewall is available in the bring your own license (BYOL) option only. For licensing details, see License Types—VM‐Series Firewalls, and refer to the list of supported Azure regions in which you can deploy the VM‐Series firewall.
Azure DoD is a special region that offers a higher level of security classification than Azure Government. The VM‐Series firewall is not supported on Azure DoD regions.
• Azure Networking and VM‐Series
• VM‐Series Firewall Templates in Azure
• Minimum System Requirements for the VM‐Series in Azure
Azure Networking and VM‐Series
The Azure VNet infrastructure does not require virtual machines to have a network interface in each subnet. The architecture includes an internal route table (called system routes) that directly connects all virtual machines within a VNet such that traffic is automatically forwarded to a virtual machine in any subnet. For a destination IP address that is not within the VNet, the traffic is sent to the default Internet gateway or to a VPN gateway, if configured. In order to route traffic through the VM‐Series firewall, you must create user defined routes (UDRs) that specify the next hop for traffic leaving a subnet. This route forces traffic destined to another subnet to go to the VM‐Series firewall instead of using the system routes to directly access the virtual machine in the other subnet. For example, in a two‐tiered application with a web tier and a database tier, you can set up UDRs for directing traffic from the web subnet to the DB subnet through the VM‐Series firewall.
In Azure, UDRs are for traffic leaving a subnet only. You cannot create user defined routes to specify how traffic comes into a subnet from the Internet or to route traffic to virtual machines within a subnet.
For documentation on Microsoft Azure, refer to https://azure.microsoft.com/en‐us/documentation/.
The solution templates for deploying the VM‐Series firewall that are available in the Azure Marketplace have three network interfaces. Because the VNet infrastructure does not require virtual machines to have a network interface in each subnet, three network interfaces are sufficient for most deployments. If you want to customize the template, use the ARM templates that are available in the GitHub repository.
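To make the UDR point concrete, here is an added example (not from the guide or from Palo Alto Networks) that models route tables in the Microsoft.Network/routeTables resource shape and audits whether both directions of web/DB traffic are steered to the firewall rather than falling back to Azure system routes. The VNet and its three subnets are the template defaults from the guide; the web and DB subnets and the firewall trust‐interface IP 192.168.2.4 are assumptions.

```python
import ipaddress

# Constructed addressing for this example. The VNet and its three subnets are
# the solution template's defaults from the guide; the web and DB workload
# subnets and the firewall's trust-interface private IP are assumptions.
FW_TRUST_IP = "192.168.2.4"
SUBNETS = {
    "management": "192.168.0.0/24",
    "untrust": "192.168.1.0/24",
    "trust": "192.168.2.0/24",
    "web": "192.168.3.0/24",
    "db": "192.168.4.0/24",
}


def route_table(name, destinations, next_hop_ip):
    """Build a Microsoft.Network/routeTables resource (ARM template shape) whose
    routes steer each destination subnet to the firewall as a virtual appliance."""
    routes = [
        {
            "name": "to-" + dst,
            "properties": {
                "addressPrefix": SUBNETS[dst],
                "nextHopType": "VirtualAppliance",
                "nextHopIpAddress": next_hop_ip,
            },
        }
        for dst in destinations
    ]
    return {"type": "Microsoft.Network/routeTables", "name": name,
            "properties": {"routes": routes}}


def effective_next_hop(table, destination_cidr):
    """Longest-prefix match over a route table. None means no UDR applies and
    Azure's system route delivers the packet directly to the other subnet."""
    dest = ipaddress.ip_network(destination_cidr)
    best = None
    for route in (table or {}).get("properties", {}).get("routes", []):
        props = route["properties"]
        prefix = ipaddress.ip_network(props["addressPrefix"])
        if dest.subnet_of(prefix) and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, props)
    return None if best is None else best[1]


def audit_udrs(tables, fw_ip, workload_subnets):
    """Return (source, destination) pairs whose inter-subnet traffic bypasses the
    firewall. UDRs only govern traffic leaving a subnet, so each direction must
    be covered by the table attached to its own source subnet."""
    gaps = []
    for src in workload_subnets:
        for dst in workload_subnets:
            if src == dst:
                continue
            hop = effective_next_hop(tables.get(src), SUBNETS[dst])
            if (hop is None or hop.get("nextHopType") != "VirtualAppliance"
                    or hop.get("nextHopIpAddress") != fw_ip):
                gaps.append((src, dst))
    return gaps


# Only the web subnet has a UDR: replies from the DB tier would take the
# system route straight back to web and never traverse the firewall.
ONE_WAY = {"web": route_table("web-rt", ["db"], FW_TRUST_IP)}

# Both subnets carry a UDR toward the firewall's trust interface.
BOTH_WAYS = {
    "web": route_table("web-rt", ["db"], FW_TRUST_IP),
    "db": route_table("db-rt", ["web"], FW_TRUST_IP),
}

if __name__ == "__main__":
    print("one-way gaps:", audit_udrs(ONE_WAY, FW_TRUST_IP, ["web", "db"]))
    print("both-ways gaps:", audit_udrs(BOTH_WAYS, FW_TRUST_IP, ["web", "db"]))
```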
VM‐Series Firewall Templates in Azure
You can deploy the VM‐Series firewall in Azure using templates. Palo Alto Networks provides two kinds of templates:
• Solution Templates in the Azure Marketplace—The solution templates that are available in the Azure Marketplace allow you to deploy the VM‐Series firewall using the Azure portal. You can use an existing resource group and storage account (or create them new) to deploy the VM‐Series firewall with the following default settings:
– VNet CIDR 192.168.0.0/16; you can customize the CIDR to a different private IP address range.
– Three subnets—192.168.0.0/24 (management), 192.168.1.0/24 (untrust), 192.168.2.0/24 (trust)
– Three network interfaces, one in each subnet. If you customize the VNet CIDR, the subnet ranges map to your changes.
To use the solution template, see Deploy the VM‐Series Firewall in Azure (Solution Template).
• ARM Templates in the GitHub Repository—In addition to Marketplace based deployments, Palo Alto Networks provides Azure Resource Manager templates in the GitHub Repository to simplify the process of deploying the VM‐Series firewall in Azure. The ARM template includes two JSON files (a Template file and a Parameters File) to help you deploy and provision all the resources within the VNet in a single, coordinated operation. If you want to use the Azure CLI to locate all the images available from Palo Alto Networks, you need the following details to complete the command (show vm‐image list):
– Publisher: paloaltonetworks
– Offer: vmseries1
– SKU: byol, bundle1, bundle 2
– Version: 7.1.1 or latest
To use the ARM templates, see Use the ARM Template to Deploy the VM‐Series Firewall.
Minimum System Requirements for the VM‐Series in Azure
You must deploy the VM‐Series firewall in the Azure Resource Manager (ARM) mode only; the classic mode (Service Management based deployments) is not supported. The VM‐Series firewall in Azure must meet the following requirements:
• Azure VMs of the following types: Standard_D3 (default), Standard_D3_v2, Standard_D4, Standard_D4_v2, Standard_A4.
• Four or eight CPU cores to deploy the firewall; the management plane only uses one CPU core and the additional cores are assigned to the dataplane.
• Up to three network interfaces (NICs). A primary interface is required for management access and up to two interfaces for data traffic. On Azure, because a virtual machine does not require a network interface in each subnet, you can set up the VM‐Series firewall with just three network interfaces. To create zone‐based policy rules on the firewall, in addition to the management interface, you need at least two dataplane interfaces so that you can assign one dataplane interface to the trust zone, and the other dataplane interface to the untrust zone.
Because the Azure VNet is a Layer 3 network, the VM‐Series firewall in Azure supports Layer 3 interfaces only.
• Minimum of 4GB of memory for all models except the VM‐1000‐HV, which needs 5GB. Any additional memory will be used by the management plane only.
• Minimum of 40GB of virtual disk space. You can add additional disk space of 40GB to 8TB for logging purposes. The VM‐Series firewall does not utilize the temporary disk that Azure provides.
The VM‐Series firewall in Azure does not support a high availability configuration; native VM Monitoring capabilities for virtual machines that are hosted in Azure are also not available.
Deployments Supported in Azure
Use the VM‐Series firewall in Azure to secure your network users in the following scenarios:
• Hybrid and VNet to VNet—The VM‐Series firewall in Azure allows you to securely extend your physical data center/private cloud into Azure using IPSec and ExpressRoute. To improve your data center security, if you have segmented your network and deployed your workloads in separate VNets, you can secure traffic flowing between VNets with an IPSec tunnel and application whitelisting policies.
• Inter‐Subnet—The VM‐Series firewall can front your servers in a VNet and protects against lateral threats for inter‐subnet traffic between applications in a multi‐tier architecture.
• Gateway—The VM‐Series firewall serves as the VNet gateway to protect Internet‐facing deployments in the Azure Virtual Network (VNet). The VM‐Series firewall secures traffic destined to the servers in the VNet and it also protects against lateral threats for inter‐subnet traffic between applications in a multi‐tier architecture.
• GlobalProtect—Use the Azure infrastructure to quickly and easily deploy the VM‐Series firewall as GlobalProtect™ and extend your gateway security policy to remote users and devices, regardless of location.
You can continue with Deploy the VM‐Series Firewall in Azure (Solution Template) and configure the firewall and Azure for your deployment needs, or you can learn about the VM‐Series Firewall Templates in Azure that you can use to deploy the firewall. For information on bootstrapping, see Bootstrap the VM‐Series Firewall in Azure.
Deploy the VM‐Series Firewall in Azure (Solution Template)
The following instructions show you how to deploy the solution template for the VM‐Series firewall that is available in the Azure Marketplace. To use the customizable ARM templates available in the GitHub repository, see Use the ARM Template to Deploy the VM‐Series Firewall.
Deploy the VM‐Series Firewall in Azure
Step 1
Set up an Azure account.
1. Create a Microsoft account.
2. Log in to the Azure portal (https://portal.azure.com) using your Microsoft account credentials. If you are using a trial subscription, you may need to open a support request (Help + Support > New Support Request) to increase the quota of allocated VM cores.
Step 2
Find the VM‐Series solution template in the Azure Marketplace.
1. Select Azure Marketplace > Virtual Machines.
2. Search for Palo Alto Networks. The offerings for the VM‐Series firewall display. For the differences in the BYOL and PAYG models, see VM‐Series Firewall in Amazon Web Services (AWS) and Azure Licenses.
3. Select an offering and click Create.
Step 3
Deploy the firewall.
1. Configure basic settings for the firewall.
a. Enter a Username for the firewall administrator.
b. Enter a Password or copy and paste an SSH public key for securing administrative access to the firewall.
c. Select your Azure Subscription.
d. Create a new resource group for holding all the resources associated with the VM‐Series firewall for this deployment. From the Azure Marketplace, you can deploy the VM‐Series firewall into a new Resource Group, or an existing Resource Group that is empty. To deploy the firewall into an existing resource group that has other resources, use the ARM template in the GitHub Repository or your own custom ARM template. Ensure that the existing resources match the parameter values you provide in the ARM template.
e. Select the Azure Location. This is the region in which you are deploying the firewall.
2. Configure storage and networking.
a. Select an existing storage account or create a new one.
b. Select an existing VNet or create a new one, and enter the IP address space for the VNet. By default the CIDR is 10.0.0.0/16.
c. Configure the subnets for the network interfaces. If you use an existing VNet, you must have defined three subnets, one each for the management, trust and untrust interfaces. If you create a new VNet, verify or change the prefixes for each subnet. The default subnets are 10.0.0.0/24 for the management subnet, 10.0.1.0/24 for the untrust subnet, and 10.0.2.0/24 for the trust subnet.
d. Enter the source IP address or IP range (include CIDR) that can access the VNet. Network Security Group: inbound source IP allows you to restrict inbound access to the Azure VNet.
3. Define management access to the firewall.
a. Use the default variable (new PublicIP) to assign a Public IP address to the management interface (eth0) of the firewall.
b. Enter a prefix to access the firewall using a DNS name. You must combine the prefix you enter with the suffix displayed on screen, for example <yourname>centralus.cloudapp.azure.com, to access the web interface of the firewall.
c. Enter a display name to identify the VM‐Series firewall within the resource group.
d. To select the PAN‐OS version, use the VM-Series Version drop‐down.
e. Select the Azure virtual machine tier and size to meet your needs. See Minimum System Requirements for the VM‐Series in Azure.
4. Review the summary, accept the terms of use and privacy policy, and click Create to deploy the firewall.
5. Verify that you have successfully deployed the VM‐Series firewall.
a. Select Dashboard > Resource Groups, select the resource group.
b. Select All Settings > Deployments > Deployment History for detailed status.
Step 4
Attach a public IP address for the untrust interface of the VM‐Series firewall.
1. On the Azure portal, select the network interface for which you want to add a public IP address, for example the eth1 interface.
2. Select IP Configurations > Add and for Public IP address, select Enabled. Create a new public IP address or select one that you have available.
3. Verify that you can view the secondary IP address associated with the interface.
When you attach a secondary IP address to a network interface, the VM‐Series firewall does not automatically acquire the private IP address assigned to the interface. You will need to manually configure the private IP address using the VM‐Series firewall web interface. See Configure the dataplane network interfaces as Layer 3 interfaces on the firewall. Each interface on the VM‐Series firewall on Azure can have one dynamic (default) or static private IP address, and multiple public IP addresses (static or dynamic) associated with it. The maximum number of public IP addresses you can assign to an interface is based on your Azure subscription. When you create a new public IP address you get one from the block of IP addresses Microsoft owns, so you can’t choose a specific one.
Step 5
Log in to the web interface of the firewall.
1. On the Azure portal, in All Resources, select the VM‐Series firewall and view the full DNS name for the firewall.
2. Using a secure connection (https) from your web browser, log in to the DNS name for the firewall.
3. Enter the username/password you defined in the parameters file. You will see a certificate warning because the firewall presents a self‐signed certificate; continue to the web page.
Step 6
Activate the licenses on the VM‐Series firewall.
For the BYOL version
1. Create a Support Account.
2. Register the VM‐Series Firewall (with auth code).
3. On the firewall web interface, select Device > Licenses and select Activate feature using authentication code.
4. Enter the capacity auth‐code that you registered on the support portal. The firewall connects to the update server (updates.paloaltonetworks.com), downloads the license, and reboots automatically.
5. Log back in to the web interface and confirm the following on the Dashboard:
• A valid serial number displays in Serial#. If the term Unknown displays, the device is not licensed. To view traffic logs on the firewall, you must install a valid capacity license.
• The VM Mode displays as Microsoft Azure.
For the PAYG version
1. Create a Support Account.
2. Register the Usage‐Based Model of the VM‐Series Firewall in AWS and Azure (no auth code).
Step 7
Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
1. Select Network > Interfaces > Ethernet.
2. Click the link for ethernet 1/1 and configure as follows:
– Interface Type: Layer3 (default).
– On the Config tab, assign the interface to the default router.
– On the Config tab, expand the Security Zone drop‐down and select New Zone. Define a new zone called UnTrust, and then click OK.
– On the IPv4 tab, select DHCP Client.
The private IP address assigned in the ARM template will be automatically acquired.
– Clear the Automatically create default route to default gateway provided by server check box. Disabling this option ensures that traffic handled by this interface does not flow directly to the default gateway in the VNet.
3. Click the link for ethernet 1/2 and configure as follows:
– Set Interface Type to Layer3 (default).
– Security Zone: Trust
– IP address: Select DHCP Client.
– Clear the Automatically create default route to default gateway provided by server check box. Disabling this option ensures that traffic handled by this interface does not flow directly to the default gateway in the VNet.
4. Click Commit. Verify that the link state for the interfaces is up.
Step 8
Configure the firewall for your specific deployment.
• Gateway—Deploy a 3rd party load balancer in front of the UnTrust zone.
• Hybrid and Inter‐VNet—Deploy an Azure VPN Gateway or a NAT virtual machine in front of the UnTrust zone.
• Inter‐Subnet—On the VM‐Series firewall, add an intra‐zone security policy rule to allow traffic based on the subnets attached to the Trust interface.
• GlobalProtect—Deploy a NAT virtual machine in front of the UnTrust zone.
Step 9
Direct traffic to the VM‐Series firewall.
1. To ensure that the VM‐Series firewall secures all traffic within the Azure resource group, configure static routes on the firewall.
2. Configure UDRs to direct all traffic through the interfaces on the VM‐Series firewall. Refer to the Azure documentation on UDRs for details.
The UDRs on the internal subnets must send all traffic through the Trust interface. The UDRs on the UnTrust side direct all traffic from the Internet through the UnTrust interface on the VM‐Series firewall. The traffic from the Internet may come from a NAT virtual machine, a 3rd party load balancer, or the Azure VPN Gateway in the case of a hybrid deployment that connects your on‐premises network with the Azure cloud.
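The UDRs of Step 9, expressed as ARM resources. This is an added example written for this page, not a fragment of the Palo Alto Networks template: it renders one route table per internal subnet plus the firewall's two dataplane NICs with IP forwarding enabled, and checks the result the way you would before committing it. The guide's defaults are used (Untrust 192.168.1.0/24, Trust 192.168.2.0/24, eth1/1 at 192.168.1.4); the Trust‐side firewall address 192.168.2.4, the Web and DB prefixes 192.168.3.0/24 and 192.168.4.0/24, the subnet‐id variables and the API version string are assumptions.

```python
"""Azure UDRs that force subnet traffic through the VM-Series (added example)."""
import ipaddress
import json

API_VERSION = "2016-03-30"  # assumption: any Microsoft.Network API version with these fields

# Assumed address plan for the Trust-side subnets; the rest are the guide's defaults.
INTERNAL_SUBNETS = {"Web": "192.168.3.0/24", "DB": "192.168.4.0/24"}
TRUST_SUBNET = "192.168.2.0/24"
FW_TRUST_IP = "192.168.2.4"      # eth1/2 of the firewall (assumed)
FW_UNTRUST_IP = "192.168.1.4"    # eth1/1 of the firewall (guide's example value)
LOCATION = "[resourceGroup().location]"


def azure_gateway(prefix):
    """Azure reserves the first usable address of every subnet as that subnet's router."""
    return str(ipaddress.ip_network(prefix)[1])


def via_firewall(name, prefix, next_hop_ip):
    """One UDR entry. nextHopType VirtualAppliance hands the packet to a VM instead of
    the subnet router; that VM's NIC needs enableIPForwarding, or Azure drops packets
    whose destination is not the NIC's own address."""
    return {"name": name, "properties": {"addressPrefix": prefix,
                                         "nextHopType": "VirtualAppliance",
                                         "nextHopIpAddress": next_hop_ip}}


def route_table(subnet_name):
    """Route table for one internal subnet: a default route plus a route per sibling
    subnet. The sibling routes matter because Azure's system route for the whole VNet
    prefix is more specific than 0.0.0.0/0 and would otherwise carry Web<->DB traffic
    around the firewall."""
    routes = [via_firewall("default-via-vmseries", "0.0.0.0/0", FW_TRUST_IP)]
    for other, prefix in INTERNAL_SUBNETS.items():
        if other != subnet_name:
            routes.append(via_firewall(f"to-{other}-via-vmseries", prefix, FW_TRUST_IP))
    return {"type": "Microsoft.Network/routeTables", "apiVersion": API_VERSION,
            "name": f"rt-{subnet_name}", "location": LOCATION,
            "properties": {"routes": routes}}


def firewall_nic(name, subnet_id, private_ip):
    """Dataplane NIC for the firewall: static private IP and IP forwarding enabled."""
    return {"type": "Microsoft.Network/networkInterfaces", "apiVersion": API_VERSION,
            "name": name, "location": LOCATION,
            "properties": {"enableIPForwarding": True,
                           "ipConfigurations": [{"name": "ipconfig1", "properties": {
                               "privateIPAllocationMethod": "Static",
                               "privateIPAddress": private_ip,
                               "subnet": {"id": subnet_id}}}]}}


def build_plan():
    """Route tables for every internal subnet plus the two dataplane NICs."""
    tables = [route_table(name) for name in INTERNAL_SUBNETS]
    nics = [firewall_nic("fw-eth1", "[variables('untrustSubnetId')]", FW_UNTRUST_IP),
            firewall_nic("fw-eth2", "[variables('trustSubnetId')]", FW_TRUST_IP)]
    return tables, nics


def check_udr_plan(tables, nics):
    """Return a list of problems; empty means every internal subnet sends its default
    and sibling-subnet traffic to an IP-forwarding NIC that sits on the Trust subnet."""
    problems = []
    trust_net = ipaddress.ip_network(TRUST_SUBNET)
    forwarding_ips = {cfg["properties"]["privateIPAddress"]
                      for nic in nics if nic["properties"].get("enableIPForwarding")
                      for cfg in nic["properties"]["ipConfigurations"]}
    for table in tables:
        own = table["name"][len("rt-"):]
        routes = {r["properties"]["addressPrefix"]: r["properties"]
                  for r in table["properties"]["routes"]}
        wanted = ["0.0.0.0/0"] + [p for n, p in INTERNAL_SUBNETS.items() if n != own]
        for prefix in wanted:
            r = routes.get(prefix)
            hop = r.get("nextHopIpAddress") if r else None
            if r is None or r.get("nextHopType") != "VirtualAppliance" or hop is None:
                problems.append(f"{table['name']}: {prefix} is not routed via the firewall")
            elif ipaddress.ip_address(hop) not in trust_net:
                problems.append(f"{table['name']}: next hop {hop} is not on the Trust subnet")
            elif hop not in forwarding_ips:
                problems.append(f"{table['name']}: next hop {hop} is not an IP-forwarding NIC")
    return problems


if __name__ == "__main__":
    tables, nics = build_plan()
    problems = check_udr_plan(tables, nics)
    print(json.dumps({"resources": tables + nics}, indent=2) if not problems else problems)
```

Run it to print the resources for pasting into a template. The sibling‐subnet routes are the detail that is easy to miss: a 0.0.0.0/0 UDR alone does not override Azure's system route for the VNet prefix, so Web‐to‐DB traffic would bypass the firewall without them.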
Use the ARM Template to Deploy the VM‐Series Firewall
In addition to Marketplace‐based deployments, Palo Alto Networks provides a GitHub repository that hosts sample ARM templates you can download and customize for your needs. ARM templates are JSON files that describe the resources to deploy, from individual resources such as network interfaces, to a complete virtual machine, to an entire application stack with multiple virtual machines. ARM templates are for advanced users; refer to the Microsoft documentation on ARM Templates.
To simplify the deployment of all the required resources, the template includes two JSON files:

Template File—The azureDeploy.json is the main resources file that deploys all the components within the resource group.
Parameters File—The azureDeploy.parameters.json file holds the parameters required to deploy the VM‐Series firewall in the VNet: the virtual machine tier and size, the username and password for the firewall, and the name of the storage container for the firewall. You can customize this file for your Azure VNet deployment. Because it carries the firewall's administrative credentials in clear text, keep it out of shared repositories and remove it from the client once the deployment is done.

To help you deploy the firewall as a gateway for Internet‐facing applications, the template provisions the VM‐Series firewall, a database server, a web server, and a virtual machine that performs NAT so that the VM‐Series firewall can receive data traffic from the Internet. The NAT virtual machine fronts the firewall and receives data traffic on its public IP address, which it then routes to the firewall. The VNet uses the private, non‐routable IP address space 192.168.0.0/16. You can modify the template to use 172.16.0.0/12 or 10.0.0.0/8.
The ARM template also provides the necessary user‐defined routes and IP forwarding flags to enable the VM‐Series firewall to secure the Azure resource group. For the five subnets included in the template (Trust, Untrust, Web, DB, and NAT) you get five route tables, one per subnet, with user‐defined routes that steer traffic to the VM‐Series firewall and the NAT virtual machine.
Deploying VM‐Series Firewall using the ARM Template
Step 1
Download the ARM template from the GitHub repository.
Download and save the files to a local client: https://github.com/PaloAltoNetworks/azure
Step 2
Create a Resource Group in Azure.
1. Log in to the Azure CLI using the command: azure login
If you need help, refer to the Azure documentation on installing the CLI.
2. Switch to Resource Manager mode using the command: azure config mode arm
3. Create a resource group.
Step 3
Deploy the ARM template.
1. Open the Parameters File with a text editor and modify the values for your deployment.
2. Deploy the template in the resource group you created:
azure group create -v -n "<YourResourceGroupName>" -l "<YourAzureLocation>" -d "<GiveASmallDeploymentLabel>" -f azureDeploy.json -e azureDeploy.parameters.json
3. Check the progress/status of the deployment from the Azure CLI:
azure group deployment show "<YourResourceGroupName>" "<YourDeploymentLabel>"
While the deployment is in progress the ProvisioningState is Running; when the template has been deployed successfully it is Succeeded. If the ProvisioningState is Failed, check for errors on the Azure portal at Resource Group > Events. Filter for only events in the last one hour, select the most recent events, and drill down to find the errors.
4. Verify that you have successfully deployed the VM‐Series firewall.
a. Select Dashboard > Resource Groups, select the resource group.
b. Select All Settings > Deployments > Deployment History for detailed status.
The address space within the VNet uses the prefix 192.168, which is defined in the ARM template.
Step 4
Configure the firewall as a VNet gateway to protect your Internet‐facing deployment.
1. Log in to the management interface IP address on the firewall.
2. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
3. Add static routes to the virtual router on the firewall. To route traffic through the firewall in this example, you need three static routes on the firewall (Network > Virtual Routers, select the router and click Static Routes):
a. Route all outbound traffic through the UnTrust zone, ethernet1/1, to the Azure router at 192.168.1.1.
b. Route all inbound traffic destined to the web server subnet through the Trust zone, ethernet1/2, to the Azure router at 192.168.2.1.
c. Route all inbound traffic destined to the database server subnet through the Trust zone, ethernet1/2, to the Azure router at 192.168.2.1.
4. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall. You also need security policy rules to allow the appropriate traffic from the web server subnet to the database server subnet and vice versa. Because the inbound traffic is destination‐NATed, write the inbound rule against the pre‐NAT destination (the ethernet1/1 address) and the post‐NAT destination zone (Trust).
5. Add NAT policies (Policies > NAT).
a. Add a Destination NAT rule to send all traffic that the NAT virtual machine forwards to the eth1/1 interface on the VM‐Series firewall in Azure to the web server IP address.
b. Add a Source NAT rule to translate the source address of all traffic from the eth1/2 interface to the eth1/1 interface to the IP address of the eth1/1 interface, 192.168.1.4 in this example.
6. Commit the changes on the firewall.
7. Verify that the VM‐Series firewall is securing traffic (Monitor > Logs > Traffic).
Deploy the VM‐Series and Azure Application Gateway Template
The VM‐Series and Azure Application Gateway template is a starter kit that you can use to deploy VM‐Series firewalls to secure web workloads for Internet‐facing deployments on Microsoft Azure. This template deploys two VM‐Series firewalls between a pair of (external and internal) Azure load balancers. The external load balancer is an Azure Application Gateway, an HTTP (Layer 7) load balancer that also serves as the Internet‐facing gateway: it receives traffic and distributes it through the VM‐Series firewalls on to the internal load balancer. The internal load balancer is an Azure Load Balancer (Layer 4) that fronts a pair of web servers. The template supports the BYOL and the Azure Marketplace versions of the VM‐Series firewall.
As demand on your web workloads increases and you add capacity to the web server tier, you can manually deploy additional VM‐Series firewalls to secure it.
• VM‐Series and Azure Application Gateway Template
• Start Using the VM‐Series & Azure Application Gateway Template
VM‐Series and Azure Application Gateway Template
The VM‐Series and Azure Application Gateway template launches an Azure Application Gateway (Layer 7 load balancer) and an Azure (Layer 4) load balancer. Nested between the Application Gateway and the load balancer are a pair of VM‐Series firewalls in an Availability Set, and a pair of sample web servers running Apache2 on Ubuntu in another Availability Set. The Availability Sets provide protection from planned and unplanned outages. The following topology diagram shows the resources that the template deploys:
You can use a new or an existing storage account and resource group in which to deploy all the resources for this solution within an Azure location. The template does not provide default values for the resource group name and storage account name; you must enter a name for them. While you can create a new VNet or use an existing one, by default the template creates a VNet named vnet‐FW with the CIDR block 192.168.0.0/16 and allocates five subnets (192.168.0.0/24 through 192.168.4.0/24) for the management interfaces, the VM‐Series dataplane interfaces, the Azure Application Gateway, and the Azure load balancer with its web servers. Each VM‐Series firewall is deployed with three network interfaces: the management interface (eth0 in Azure) in the Mgmt subnet (192.168.0.0/24), ethernet1/1 in the Untrust subnet (192.168.1.0/24), and ethernet1/2 in the Trust subnet (192.168.2.0/24). The template creates a Network Security Group (NSG) that allows inbound traffic from any source IP address on ports 80, 443, and 22; restrict the source to your administrative address ranges (see the Network Security Group Inbound Src IP parameter) before you expose the deployment. It also deploys the pair of VM‐Series firewalls and the web server pair in their respective Availability Sets to ensure that at least one instance of each is available during a planned or unplanned maintenance window. Each Availability Set is configured to use three fault domains and five update domains.
The Azure Application Gateway acts as a reverse‐proxy service, which terminates a client connection and forwards the requests to back‐end web servers. It is set up with an HTTP listener and uses a default health probe to test that the VM‐Series firewall IP address (for ethernet1/1) is healthy and can receive traffic. The template does not provide an auto‐scaling solution; you must plan your capacity needs and then deploy additional resources to Adapt the Template for your deployment. The VM‐Series firewalls are not configured to receive and secure web traffic destined to the web servers. Therefore, at a minimum, you must configure the firewall with a static route to send traffic from the VM‐Series firewalls to the default router, configure a destination NAT policy to send traffic on to the IP address of the internal load balancer, and configure Security policy rules. The NAT policy rule is also required for the firewall to send responses back to the health probes from the HTTP listener on the Azure Application Gateway. To assist you with a basic firewall configuration, the GitHub repository includes a sample configuration file called appgw‐sample.xml that you can use to get started.
Start Using the VM‐Series & Azure Application Gateway Template
The VM‐Series & Azure Application Gateway template launches all the resources you need to deploy and secure your web workloads for Internet‐facing deployments on Microsoft Azure. This section describes how to deploy the template, configure the firewalls to route and secure traffic destined to the web servers, and extend the capabilities and resources that this template provides to accommodate your deployment needs.
• Deploy the Template to Azure
• VM‐Series and Azure Application Gateway Template Parameters
• Sample Configuration File
• Adapt the Template
Deploy the Template to Azure
Use the following instructions to deploy the template to Azure.
Step 1
Deploy the template.
1. Access the template from https://github.com/PaloAltoNetworks/azure-applicationgateway
2. Click Deploy to Azure.
3. Fill in the details for deploying the template. See VM‐Series and Azure Application Gateway Template Parameters for a description and the default values, if any, for each parameter.
At a minimum, you have to pick the Azure Subscription, Resource Group, Location, Storage Account Name, and a Username/password or SSH Key for the administrative account on the VM‐Series firewalls.
4. Click Purchase to accept the terms and conditions and deploy the resources.
If you have validation errors, click to view the details and fix your errors.
5. On the Azure portal, verify that you have successfully deployed the template resources, including the VM‐Series firewalls.
a. Select Dashboard > Resource Groups, select the resource group.
b. Select Overview to review all the resources that have been deployed. The deployment status should display Succeeded.
c. Note the Public IP address or the DNS name assigned to eth0-VM-Series0 and eth0-VM-Series1 to access the management interface of the VM‐Series firewalls.
Step 2
Log in to the firewalls.
1. Using a secure connection (https) from your web browser, log in to the IP address or the DNS name for eth0‐VM‐Series0.
2. Enter the username/password you defined when deploying the template. You will see a certificate warning because the firewall presents a self‐signed certificate; continue to the web page.
Step 3
Configure the VM‐Series firewall.
You can either configure the firewall manually or import the Sample Configuration File provided in the GitHub repository and customize it for your security needs.
• To configure the firewall manually, you must do the following at a minimum:
1. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall (Network > Interfaces > Ethernet).
2. Add a static route to the virtual router on the firewall (Network > Virtual Routers, select the router and click Static Routes). The route sends traffic out of the untrust interface, ethernet1/1, with the Azure router of the Untrust subnet as the next hop (192.168.1.1 with the default template values), so that return traffic from the web servers reaches the Application Gateway.
3. Create security policy rules (Policies > Security) to allow inbound and outbound traffic on the firewall.
4. Add NAT policies (Policies > NAT). You must create destination NAT and source NAT rules on the firewall to send traffic to the web servers and back out to the client who initiated the request. The destination NAT rule is for all traffic that arrives on the firewall’s untrust interface. This rule is required to translate the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and on to the backend web servers.
The source NAT rule is for all traffic from the backend web servers destined to the untrust interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall, so that the web servers reply to the firewall rather than directly to the Application Gateway.
5. Commit your changes.
• To import the sample configuration file:
1. Download and save the Sample Configuration File to your local client.
2. Select Device > Setup > Operations, click Import named configuration snapshot, Browse to the sample configuration file that you have saved locally, and click OK.
3. Click Load named configuration snapshot, select the Name of the sample configuration file you just imported, and click OK.
4. Change the IP address of the address objects and the static route to match the IP addresses from the CIDR block you used.
5. Click Commit to overwrite the running configuration with the sample configuration you just imported. When you commit, the hostname and the administrator user account that you specified when deploying the template are overwritten. You must create a new admin user account and delete the pandemo admin account that is provided in the template.
6. Create a new admin user account. Select Device > Administrators and Add a new account.
7. Modify the Hostname in the General Settings widget in Device > Setup > Management.
8. Commit your changes, and log out.
9. Log in to the firewall using the credentials you created, and delete the pandemo admin account.
Step 4
Log in and configure the other instance of the VM‐Series firewall. See Step 3, Configure the VM‐Series firewall.
Step 5
Verify that you have configured the firewalls properly.
From your web browser, use http to access the IP address or DNS name for the app gateway. You should be able to view the default Apache 2 Ubuntu web page.
If you have used the sample configuration file, log in to the firewall and view the Traffic logs generated on session start in Monitor > Logs > Traffic.
VM‐Series and Azure Application Gateway Template Parameters
The following table lists the required and optional parameters and the default values, if any.
Parameter: Description
Resource group: Create new or use existing (no default).
Subscription: The Azure subscription that will cover the cost of the resources deployed with the template.
Location: Select the Azure location to which you want to deploy the template (no default).
Network Security Group
Network Security Group Name: The network security group limits the source IP addresses from which the VM‐Series firewalls and web servers can be accessed. Default: nsg‐mgmt
Network Security Group Inbound Src IP: The source IP addresses that can log in to the management port of the VMs deployed by the template. The default value 0.0.0.0/0 means you can log in to the firewall management port from any IP address; set this to the address range of your administrators before you deploy.
Storage Account
Storage Account Name: Create new or enter the name of an existing Storage Account (no default). The name must be globally unique.
Storage Account Type: Choose between standard and premium storage and your data replication needs for local redundancy, geo‐redundancy, and read‐access geo‐redundancy. The default option is Locally Redundant Storage (LRS). The other options are Standard GRS, Premium LRS, and Standard RAGRS.
VNet
Virtual Network: Create new or enter the name of an existing VNet. The default name for the VNet is vnet‐FW.
Virtual Network Address Prefix: Default is 192.168.0.0/16.
Azure Application Gateway
App Gateway Name: Default is myAppGw.
App Gateway DNS Name: Enter a globally unique DNS name for the Azure Application Gateway.
App Gateway Subnet Name and Prefix: Default name is AppGWSubnet and the subnet prefix is 192.168.3.0/24.
Azure Load Balancer and Web Servers
Internal Load Balancer Name: Default is myPrivateLB.
Internal Load Balancer Subnet Name and Prefix: Default name is backendSubnet and the subnet prefix is 192.168.4.0/24.
Backend Vm Size: The default size is Standard tier D1 Azure VM. Use the drop‐down in the template to view the other Azure VM options available for the backend web servers.
Firewalls
Firewall Model: Choose from BYOL or PAYG (bundle 1 or bundle 2; each bundle includes the VM‐300 and a set of subscriptions).
Firewall Vm Name and Size: The default name for the firewall is VM‐Series, and the default size is Standard tier D3 Azure VM. Use the drop‐down in the template to view the other Azure VM options available for the VM‐Series firewalls.
Mgmt Subnet Name and Prefix: The management subnet for the VM‐Series firewalls and the web servers deployed in this solution. Default name is Mgmt and the subnet prefix is 192.168.0.0/24.
Mgmt Public IP Address Name: Enter a hostname to access the management interface on each firewall. The names must be globally unique.
Untrusted Subnet Name and Prefix: The subnet to which eth1/1 on the VM‐Series firewall is connected; this subnet connects the VM‐Series firewall to the Azure Application Gateway. The firewall receives web traffic destined to the web servers on eth1/1. Default name is Untrust and the subnet prefix is 192.168.1.0/24.
Trusted Subnet Name and Prefix: The subnet to which eth1/2 on the VM‐Series firewall is connected. The firewall receives return and outbound web traffic on this interface. Default name is Trust and the subnet prefix is 192.168.2.0/24.
Username: Enter the username for the administrative account on the VM‐Series firewalls and the web servers.
Authentication Type: You must either enter a password for authentication or use an SSH public key (no default).
Sample Configuration File
To help you get started, the GitHub repository contains a sample configuration file named appgw‐sample.xml that includes the following rules/objects:
• Address objects—Two address objects, firewall-untrust-IP and internal-load-balancer-IP, which you will need to modify to match the IP addresses in your setup.
• Static route—The default virtual router on the firewall has a static route to 192.168.1.1, the Azure router of the Untrust subnet, which is accurate if you use the default template values. If you have changed the Untrust subnet CIDR, you’ll need to update the IP address to match your setup. All traffic coming from the backend web servers, destined for the Application Gateway, uses this IP address as the next hop for delivering packets out of the untrust interface on the firewall.
• NAT Policy Rule—The NAT policy rule enables destination NAT and source NAT.
– The destination NAT rule is for all traffic that arrives on the firewall’s untrust interface (ethernet1/1), which is the firewall‐untrust‐IP address object. This rule translates the destination IP address on the packet to that of the internal load balancer so that all traffic is directed to the internal load balancer and thus to the backend web servers.
– The source NAT rule is for all traffic from the backend web servers destined to the untrust network interface on the firewall. This rule translates the source address to the IP address of the trust interface on the firewall (ethernet1/2).
• Security Policy Rule—Two Security policy rules are defined in the sample configuration file. The first rule allows all inbound web‐browsing traffic and generates a log at the start of a session on the firewall. The second rule blocks all other traffic and generates a log at the start and end of a session on the firewall. You can use these logs to monitor all traffic to the web servers in this deployment.
• Administrative User Credentials—The sample configuration file includes a username and password for logging in to the firewall, which is set to pandemo/demopassword. After you import the sample configuration, you must either change the password to a strong, custom password or create a new administrator account and delete the pandemo account. Until you do, anyone who can reach the management interface can log in with these published credentials.
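The routes, NAT and security rules described in Step 4 of the ARM template procedure, in Step 3 of the Application Gateway procedure and in the sample configuration file above, rendered as PAN‐OS configure‐mode set commands by a small generator. This is an added example, not Palo Alto Networks code and not the contents of appgw‐sample.xml: it derives the Azure router addresses from the subnet prefixes (192.168.1.1 and 192.168.2.1 with the defaults) and encodes the two points that are easy to get wrong, namely that a NAT rule's destination zone is the pre‐NAT zone and that a security rule matches the pre‐NAT address but the post‐NAT zone. The web server address 192.168.3.10, the Web/DB prefixes and the load balancer address are assumptions, and the set syntax is the PAN‐OS 7.1 CLI as the editor knows it; review the output before pasting it into configure mode.

```python
"""PAN-OS 'set' commands for the routes, NAT and security policy of a VM-Series
gateway in Azure (added example, not Palo Alto Networks code)."""
import ipaddress


def azure_gateway(prefix):
    """Azure uses the first usable address of each subnet as that subnet's router."""
    return str(ipaddress.ip_network(prefix)[1])


def members(items):
    """PAN-OS list syntax: a single member bare, several inside [ ... ]."""
    return items[0] if len(items) == 1 else "[ " + " ".join(items) + " ]"


class FirewallPlan:
    """Renders configure-mode commands for one VM-Series gateway. Interface numbering
    follows the guide: ethernet1/1 faces Untrust, ethernet1/2 faces Trust."""

    def __init__(self, untrust_prefix, trust_prefix, untrust_ip, trust_ip,
                 untrust_zone="UnTrust", trust_zone="Trust", vrouter="default"):
        self.untrust_gw = azure_gateway(untrust_prefix)  # 192.168.1.1 with the defaults
        self.trust_gw = azure_gateway(trust_prefix)      # 192.168.2.1 with the defaults
        self.untrust_ip, self.trust_ip = untrust_ip, trust_ip
        self.uz, self.tz, self.vr = untrust_zone, trust_zone, vrouter

    def static_routes(self, internal_subnets):
        """Default route out ethernet1/1 to the Untrust-side Azure router, plus one route
        per internal subnet out ethernet1/2 to the Trust-side Azure router (the guide's
        three routes when internal_subnets holds the web and database prefixes)."""
        base = f"set network virtual-router {self.vr} routing-table ip static-route"
        cmds = [f"{base} default destination 0.0.0.0/0 interface ethernet1/1 "
                f"nexthop ip-address {self.untrust_gw}"]
        for name, prefix in internal_subnets.items():
            cmds.append(f"{base} to-{name} destination {prefix} interface ethernet1/2 "
                        f"nexthop ip-address {self.trust_gw}")
        return cmds

    def nat_rules(self, inbound_target, inbound_snat_to_trust=False):
        """Inbound: DNAT everything that arrives at ethernet1/1's own address to
        inbound_target (the web server, or the internal load balancer in the Application
        Gateway layout). A NAT rule's 'to' zone is the zone of the pre-NAT destination,
        hence UnTrust to UnTrust. With inbound_snat_to_trust the same rule also sources
        the flow from ethernet1/2, which brings the servers' replies back through the
        firewall when their subnet has no UDR. Outbound: hide Trust behind ethernet1/1."""
        inbound = (f"set rulebase nat rules inbound-dnat from {self.uz} to {self.uz} "
                   f"source any destination {self.untrust_ip} service any "
                   f"destination-translation translated-address {inbound_target}")
        if inbound_snat_to_trust:
            inbound += (" source-translation dynamic-ip-and-port "
                        f"translated-address {self.trust_ip}")
        outbound = (f"set rulebase nat rules outbound-snat from {self.tz} to {self.uz} "
                    "source any destination any service any "
                    f"source-translation dynamic-ip-and-port translated-address {self.untrust_ip}")
        return [inbound, outbound]

    def security_rules(self, inbound_apps=("web-browsing",), internal_subnets=None,
                       internal_apps=("any",)):
        """Security policy matches the pre-NAT destination address but the post-NAT
        destination zone, so the inbound rule names ethernet1/1's own IP (not the DNAT
        target) and goes from UnTrust to Trust. Intra-zone rules between the internal
        subnets follow, then an explicit deny that logs, as in the sample configuration."""
        cmds = [f"set rulebase security rules allow-inbound from {self.uz} to {self.tz} "
                f"source any destination {self.untrust_ip} application {members(inbound_apps)} "
                "service application-default action allow log-start yes"]
        subnets = internal_subnets or {}
        for a, pa in subnets.items():
            for b, pb in subnets.items():
                if a != b:
                    cmds.append(f"set rulebase security rules allow-{a}-to-{b} from {self.tz} "
                                f"to {self.tz} source {pa} destination {pb} application "
                                f"{members(internal_apps)} service application-default "
                                "action allow")
        cmds.append("set rulebase security rules deny-all from any to any source any "
                    "destination any application any service any action deny "
                    "log-start yes log-end yes")
        return cmds


def render(plan, internal_subnets, inbound_target, inbound_snat_to_trust=False):
    """All commands in the order they are entered; follow them with 'commit'."""
    return (plan.static_routes(internal_subnets)
            + plan.nat_rules(inbound_target, inbound_snat_to_trust)
            + plan.security_rules(internal_subnets=internal_subnets))


if __name__ == "__main__":
    # ARM template layout from Step 4 above; web server and DB subnet addresses are assumed.
    arm = FirewallPlan("192.168.1.0/24", "192.168.2.0/24", "192.168.1.4", "192.168.2.4")
    print("\n".join(render(arm, {"web": "192.168.3.0/24", "db": "192.168.4.0/24"},
                           inbound_target="192.168.3.10")))
```

For the Application Gateway template, call nat_rules with the internal load balancer address as inbound_target and inbound_snat_to_trust=True, which is the combined destination‐plus‐source NAT rule the sample configuration describes; the internal_apps default of any is deliberately loose and should be narrowed to the applications the web tier actually needs to reach the database tier.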
Adapt the Template
As your needs evolve, you can scope your capacity needs and extend the template for your deployment scenario. Here are some ways you can build on the starter template to meet your planned capacity needs:
• Deploy additional VM‐Series firewalls behind the Azure Application Gateway. You can manually install more VM‐Series firewalls into the same Availability Set or launch a new Availability Set and manually deploy additional VM‐Series firewalls.
• Configure the VM‐Series firewalls beyond the basic configuration provided in the sample configuration file in the GitHub repository.
• Enable HTTPS load balancing (SSL offload) on the Azure Application Gateway. Refer to the Azure documentation for details.
• Add or replace the sample web servers included with the template.
Set Up the VM‐Series Firewall on OpenStack
The VM‐Series firewall for OpenStack allows you to deploy the VM‐Series firewall in your OpenStack environment to provide secure application delivery along with network security, performance, and visibility. This solution deploys the VM‐Series firewall on a KVM/Ubuntu hypervisor in a Mirantis OpenStack environment that uses Contrail for virtualized networking functions.
• VM‐Series Firewall for OpenStack
• VM‐Series Firewall on OpenStack Deployment Checklist
• Install the VM‐Series Firewall in OpenStack
VM‐Series Firewall for OpenStack
The VM‐Series firewall for OpenStack allows you to deploy the VM‐Series firewall on the KVM hypervisor running on a compute node in your OpenStack environment. This solution uses Heat Orchestration Templates and bootstrapping to deploy the VM‐Series firewall and a Linux server. The VM‐Series firewall protects the deployed Linux server by inspecting the traffic going in and out of the server. The sample bootstrap files allow the VM‐Series firewall to boot with a basic configuration for handling traffic.
• Components of the VM‐Series for OpenStack Solution
• Orchestration with the Heat Template
Components of the VM‐Series for OpenStack Solution
The following components are required for deploying the VM‐Series firewall in an OpenStack environment.
Component: Description
Software:
• Hypervisor: KVM/Ubuntu 14.04
• Networking: Contrail 3.0.2
• OpenStack Distro: Mirantis 8.0 (Liberty)
• Orchestration: OpenStack Heat Templates (Version 2015‐10‐15 or higher)
• VM‐Series for KVM: PAN‐OS 7.1.4 or later
VM‐Series Hardware Resources: See System Requirements of the VM‐Series firewall for KVM for the minimum hardware requirements for your VM‐Series model. In OpenStack, flavors define the CPU, memory, and storage capacity of a compute instance. When setting up your Heat template, choose the compute flavor that meets or exceeds the hardware requirements for the VM‐Series model.
Fuel Master: Fuel is a web UI‐driven deployment and management tool for OpenStack.
OpenStack Controller: This node runs most of the shared OpenStack services, such as the API and scheduling services. Additionally, the Horizon UI runs on this node.
OpenStack Compute: The compute node hosts the virtual machines, including the VM‐Series firewall, in the OpenStack deployment. The compute node that houses the VM‐Series must meet the following criteria:
• Instance type OS::Nova::Server
• Allow configuration of at least three interfaces
• Accept the VM‐Series qcow2 image
• Accept the compute flavor parameter
Install the OpenStack compute node on a bare‐metal server because the VM‐Series firewall does not support nested virtualization.
Contrail Controller: The Contrail controller node is a software‐defined networking controller used for management, control, and analytics for the virtualized network. It provides routing information to the compute and gateway nodes.
Contrail Gateway: The Contrail gateway node provides IP connectivity to external networks from virtual networks. MPLS over GRE tunnels from the virtual machines terminate at the gateway node, where packets are decapsulated and sent to their destinations on IP networks.
Heat Orchestration Template Files
Palo Alto Networks provides a sample Heat template for deploying the VM‐Series firewall. This template is made up of a main template (pan_basic_gw.yaml) and an environment template (pan_basic_gw_env.yaml). These files instantiate one VM‐Series instance with one management interface and two data interfaces. The management interface and one data interface attach to an untrust network. The other data interface connects to the trust network.
Additionally, the template instantiates a Linux server with one interface. The interface of the server attaches to the private network created by the template.

VM‐Series Firewall Bootstrap Files
The VM‐Series firewall bootstrap files consist of an init‐cfg.txt file, a bootstrap.xml file, and VM‐Series auth codes. Along with the Heat template files, Palo Alto Networks provides sample init‐cfg.txt and bootstrap.xml files. You must provide your own auth codes to license your VM‐Series firewall and activate any subscriptions. See Bootstrap the VM‐Series Firewall for more information about VM‐Series bootstrap files.

Orchestration with the Heat Template
The heat template package includes the following four files to help you launch the VM‐Series firewall on KVM in OpenStack. All four files are required to deploy the VM‐Series firewall and Linux server.
• pan_basic_gw.yaml—Defines the resources created to support the VM‐Series firewall and Linux server on the compute node, such as interfaces and IP addresses.
• pan_basic_gw_env.yaml—Defines the environment that the VM‐Series firewall and Linux server exist in. Many parameters in the pan_basic_gw.yaml file reference the parameters defined in this file, such as the flavor for the VM‐Series and the Linux server.
• init‐cfg.txt—Includes the operational command to enable DHCP on the firewall management interface.
• bootstrap.xml—Provides basic configuration for the VM‐Series firewall. The bootstrap.xml file configures the data interfaces and IP addresses. These values must match the corresponding values in the pan_basic_gw.yaml file. Additionally, the bootstrap.xml file includes a NAT rule called untrust2trust. This rule translates the trust port on the server to the untrust port of the VM‐Series firewall.
These heat template files and the bootstrap files combine to create two virtual machines, the VM‐Series firewall and Linux server, in a network configuration similar to that shown below.
The table below describes the resources that the pan_basic_gw.yaml template file creates and provides the default value, if applicable.

pan_fw_instance
    VM‐Series firewall with a management interface and two data interfaces.
server_instance
    A Linux server with a single interface.
pan_trust_net
    A connection to the internal network to which the trust interface of the firewall and the trust interface of the server are attached.
pan_trust_subnet
    Subnet attached to the trust interface on the firewall (pan_trust_net); it has a CIDR value of 192.168.100.0/24.
pan_untrust_net
    Untrust network to which the untrust port of the firewall is attached.
pan_untrust_subnet
    Subnet attached to the untrust interface of the firewall (pan_untrust_net); it has a CIDR value of 192.168.200.0/24.
allow_ssh_https_icmp_secgroup
    Security group that allows TCP on ports 22 and 443 and ICMP traffic.
pan_untrust_port
    The untrust port of the VM‐Series firewall, deployed in Layer 3 mode. The Heat template provides a default IP address of 192.168.200.10 to this port. If you change this IP address in the heat template, you must change the IP address in the bootstrap.xml file.
pan_untrust_floating_ip
    A floating IP address assigned from the public_network.
pan_untrust_floating_ip_assoc
    Associates the pan_untrust_floating_ip with the pan_untrust_port.
pan_trust_port
    The trust port of the VM‐Series firewall, deployed in Layer 3 mode.
server_trust_port
    The trust port of the Linux server, deployed in Layer 3 mode. The Heat template provides a default IP address of 192.168.100.10 to this port. If you change this IP address in the heat template, you must change the IP address in the bootstrap.xml file.

The pan_basic_gw.yaml file references the pan_basic_gw_env.yaml file for many of the values needed to create the resources required to deploy the VM‐Series firewall and Linux server. The heat template environment file contains the following parameters.

mgmt_network
    The VM‐Series firewall management interface attaches to the network specified in this parameter. The template does not create the management network; you must create this before deploying the heat templates. The default value is mgmt_ext_net.
public_network
    Addresses that the OpenStack cluster and the virtual machines in the cluster use to communicate with the external or public network. The public network provides virtual IP addresses for public endpoints, which are used to connect to OpenStack services APIs. The template does not create the public network; you must create this before deploying the heat templates. The default value is public_net.
pan_image
    This parameter specifies the VM‐Series base image used by the Heat template when deploying the VM‐Series firewall. The default value is pa‐vm‐7.1.4.
pan_flavor
    This parameter defines the hardware resources allocated to the VM‐Series firewall. The default value is m1.medium. This value meets the System Requirements described in the Set Up the VM‐Series Firewall on KVM chapter.
server_image
    This parameter tells the Heat template which image to use for the Linux server. The default value is Ubuntu‐14.04.
server_flavor
    This parameter defines the hardware resources allocated to the Linux server. The default value is m1.small.
server_key
    The server key is used for accessing the Linux server through ssh. The default value is server_key. You can change this value by entering a new server key in the environment file.
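The guide states twice that the interface IP addresses in bootstrap.xml must match the ones in pan_basic_gw.yaml. The following added example (not part of the Palo Alto Networks template package) cross-checks the two files before a stack is created; it uses constructed excerpts of both files, assumes the port resources carry their addresses as fixed_ips/ip_address entries, and assumes ethernet1/1 is the untrust interface and ethernet1/2 the trust interface.

```python
"""Cross-check Heat port IPs against bootstrap.xml interface IPs.

Added example, not part of the Palo Alto Networks template package. The two
excerpts below are constructed; the fixed_ips layout of the port resources and
the ethernet1/1 = untrust, ethernet1/2 = trust mapping are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed Heat excerpt (port resources only; layout assumed).
HEAT_YAML = """\
resources:
  pan_untrust_port:
    type: OS::Neutron::Port
    properties:
      fixed_ips:
        - ip_address: 192.168.200.10
  pan_trust_port:
    type: OS::Neutron::Port
    properties:
      fixed_ips:
        - ip_address: 192.168.100.1
  server_trust_port:
    type: OS::Neutron::Port
    properties:
      fixed_ips:
        - ip_address: 192.168.100.10
"""

# Constructed bootstrap.xml excerpt: PAN-OS interface config for the two data ports.
BOOTSTRAP_XML = """\
<config version="7.1.0">
  <devices><entry name="localhost.localdomain"><network><interface><ethernet>
    <entry name="ethernet1/1">
      <layer3><ip><entry name="192.168.200.10/24"/></ip></layer3>
    </entry>
    <entry name="ethernet1/2">
      <layer3><ip><entry name="192.168.100.1/24"/></ip></layer3>
    </entry>
  </ethernet></interface></network></entry></devices>
</config>
"""

# Firewall data interface -> Heat port resource that backs it (assumed order).
INTERFACE_TO_PORT = {"ethernet1/1": "pan_untrust_port", "ethernet1/2": "pan_trust_port"}

RESOURCE_RE = re.compile(r"^  (\w+):\s*$")  # two-space-indented resource name
IP_RE = re.compile(r"^\s*-\s*ip_address:\s*(\S+)\s*$")


def heat_port_ips(yaml_text):
    """Map each port resource name to its fixed IP.

    Line-oriented scan (no YAML library): a resource line opens a scope and the
    first ip_address inside that scope is recorded.
    """
    ips, current = {}, None
    for line in yaml_text.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and current and current not in ips:
            ips[current] = m.group(1)
    return ips


def bootstrap_interface_ips(xml_text):
    """Map each layer3 ethernet interface in bootstrap.xml to its IP (prefix length dropped)."""
    root = ET.fromstring(xml_text)
    result = {}
    for iface in root.iterfind(".//network/interface/ethernet/entry"):
        ip = iface.find("layer3/ip/entry")
        if ip is not None:
            result[iface.get("name")] = ip.get("name").split("/")[0]
    return result


def check_consistency(yaml_text, xml_text, mapping=INTERFACE_TO_PORT):
    """Return mismatch descriptions; an empty list means the files agree."""
    heat = heat_port_ips(yaml_text)
    fw = bootstrap_interface_ips(xml_text)
    problems = []
    for iface, port in mapping.items():
        if heat.get(port) != fw.get(iface):
            problems.append(f"{iface}: bootstrap.xml has {fw.get(iface)}, "
                            f"Heat {port} has {heat.get(port)}")
    return problems


if __name__ == "__main__":
    print(check_consistency(HEAT_YAML, BOOTSTRAP_XML) or "bootstrap.xml matches the Heat template")
```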
VM‐Series Firewall on OpenStack Deployment Checklist
To deploy the VM‐Series firewall in OpenStack, use the following workflow:
Step 1—Set up your OpenStack Environment.
If you have not already set up these components, see the OpenStack and Contrail documentation for instructions on setting up the OpenStack environment. This document does not take you through the process of setting up a complete OpenStack environment.
– Deploy the required nodes (see Components of the VM‐Series for OpenStack Solution for more information).
– Create a public network. The default value in the Heat template is public_net. If you use a different name, change the default value in the pan_basic_gw_env.yaml file.
– Create a management network. The default value in the Heat template is mgmt_ext_net. If you use a different name, change the default value in the pan_basic_gw_env.yaml file.
Step 2—Install the VM‐Series Firewall in OpenStack.
– Download the template files.
– (Optional) Edit the default values in the template files to match your network.
– Download the VM‐Series base image for KVM (PA‐VM‐KVM‐7.1.4.qcow2) from the Customer Support Portal.
– Download Ubuntu 14.04 used for the Linux server.
– Upload the files to your OpenStack controller node.
– Deploy the VM‐Series firewall and Linux server.
Install the VM‐Series Firewall in OpenStack
Complete the following steps to prepare the heat templates, bootstrap files, and software images needed to deploy the VM‐Series firewall in OpenStack. After preparing the files, deploy the VM‐Series firewall and Linux server.
Step 1
Download the Heat template and bootstrap files.
Download the Heat template package from the GitHub repository.
Step 2
Download the VM‐Series base image.
1. Log in to the Palo Alto Networks Customer Support Portal.
2. Select Software Updates and choose PAN-OS for VM-Series KVM Base Images from the Filter By drop‐down.
3. Download PA-VM-KVM-7.1.4.qcow2.
Step 3
Download Ubuntu 14.04 and upload the image to the OpenStack controller.
The Heat template needs an Ubuntu image for launching the Linux server.
1. Download Ubuntu 14.04.
2. Log in to the Horizon UI.
3. Select Project > Compute > Images > Create Image.
4. Name the image Ubuntu 14.04 to match the parameter in the pan_basic_gw_env.yaml file.
5. Set Image Source to Image File.
6. Click Choose File and navigate to your Ubuntu image file.
7. Set the Format to match the file format of your Ubuntu image.
8. Click Create Image.
Step 4
Upload the VM‐Series for KVM base image to the OpenStack controller.
1. Log in to the Horizon UI.
2. Select Project > Compute > Images > Create Image.
3. Name the image pa‐vm‐7.1.4.
4. Set Image Source to Image File.
5. Click Choose File and navigate to your VM‐Series image file.
6. Set the Format to QCOW2-QEMU Emulator.
7. Click Create Image.
Step 5
Upload the bootstrap files.
You can upload the init‐cfg.txt, bootstrap.xml, and your VM‐Series auth codes to your OpenStack controller or a web server that the OpenStack controller can access.
Step 6
Edit the pan_basic_gw.yaml template to point to the bootstrap files and auth codes. Under Personality, specify the file path or web server address to the location of your files. Uncomment whichever lines you are not using.
pan_fw_instance:
  type: OS::Nova::Server
  properties:
    image: { get_param: pan_image }
    flavor: { get_param: pan_flavor }
    networks:
      - network: { get_param: mgmt_network }
      - port: { get_resource: pan_untrust_port }
      - port: { get_resource: pan_trust_port }
    user_data_format: RAW
    config_drive: true
    personality:
      /config/init-cfg.txt: {get_file: "/opt/pan_bs/init-cfg.txt"}
      # /config/init-cfg.txt: { get_file: "http://web_server_name_ip/pan_bs/init-cfg.txt" }
      /config/bootstrap.xml: {get_file: "/opt/pan_bs/bootstrap.xml"}
      # /config/bootstrap.xml: { get_file: "http://web_server_name_ip/pan_bs/bootstrap.xml" }
      /license/authcodes: {get_file: "/opt/pan_bs/authcodes"}
      # /license/authcodes: {get_file: "http://web_server_name_ip/pan_bs/authcodes"}
Step 7
Edit the pan_basic_gw_env.yaml template environment file to suit your environment. Make sure that the management and public network values match those that you created in your OpenStack environment. You can also change your server key here.
root@node-2:~# cat basic_gateway/pan_basic_gw_env.yaml
parameters:
  mgmt_network: mgmt_ext_net
  public_network: public_net
  pan_image: pa-vm-7.1.4
  pan_flavor: m1.medium
  server_image: Ubuntu-14.04
  server_flavor: m1.small
  server_key: server_key
Step 8
Deploy the Heat template.
1. Execute the command source openrc
2. Execute the command heat stack-create <stack-name> -f <template> -e ./<env-template>
Step 9
Verify that your VM‐Series firewall is deployed successfully.
You can use the following commands to check the creation status of the stack.
• Check the stack status with heat stack-list
• View a detailed list of events that occurred during stack creation with heat event-list
• View details about your stack with heat stack-show
Step 10
Verify that the VM‐Series firewall is bidirectionally inspecting traffic accessing the Linux server.
1. From an external network, execute the command ssh -i <server-key>@<pan_untrust_floating_ip>
2. Log in to the firewall and select Monitor > Logs > Traffic to view the ssh session.
Bootstrap the VM‐Series Firewall
Bootstrapping allows you to create a repeatable and streamlined process of deploying new VM‐Series firewalls on your network because it allows you to create a package with the model configuration for your network and then use that package to deploy VM‐Series firewalls anywhere. You can bootstrap the VM‐Series firewall off an external device (such as a virtual disk, a virtual CD‐ROM or an AWS S3 bucket) to complete the process of configuring and licensing the VM‐Series firewall. You can either bootstrap the firewall with basic initial configuration and licenses so that the firewall can register with Panorama and then retrieve its full configuration from Panorama, or you can bootstrap the complete configuration so that the firewall is fully configured on boot up.
• VM‐Series Firewall Bootstrap Workflow
• Bootstrap Package
• Prepare the Licenses for Bootstrapping
• Prepare the Bootstrap Package
• Bootstrap the VM‐Series Firewall on ESXi
• Bootstrap the VM‐Series Firewall on Hyper‐V
• Bootstrap the VM‐Series Firewall on KVM
• Bootstrap the VM‐Series Firewall on KVM in OpenStack
• Bootstrap the VM‐Series Firewall in AWS
• Bootstrap the VM‐Series Firewall in Azure
• Verify Bootstrap Completion
• Bootstrap Errors
VM‐Series Firewall Bootstrap Workflow
After you familiarize yourself with the Bootstrap Package and assess whether you will want to fully configure the firewall or use Panorama to manage the bootstrapped firewall, use the following workflow to bootstrap your VM‐Series firewall.
Bootstrap a VM‐Series Firewall
• For security reasons, you can only bootstrap a firewall when it is in factory default state. If you want to bootstrap a VM‐Series firewall that has been previously configured, Reset the Firewall to Factory Default Settings.
• Generate the VM Auth Key on Panorama, if you want to use Panorama to manage the VM‐Series firewalls being bootstrapped. You must include this key in the basic configuration (init‐cfg.txt) file when you prepare the bootstrap package.
• Prepare the Licenses for Bootstrapping.
• Create the init‐cfg.txt File and optionally Create the bootstrap.xml File if you are not using Panorama to manage the firewall configuration.
• Prepare the Bootstrap Package.
• Place the bootstrap package in the format required by your hypervisor and bootstrap the VM‐Series firewall.
  – Bootstrap the VM‐Series Firewall on ESXi
  – Bootstrap the VM‐Series Firewall on Hyper‐V
  – Bootstrap the VM‐Series Firewall on KVM
  – Bootstrap the VM‐Series Firewall on KVM in OpenStack
  – Bootstrap the VM‐Series Firewall in AWS
  – Bootstrap the VM‐Series Firewall in Azure
• Verify Bootstrap Completion.
Bootstrap Package
The bootstrap process is initiated only on first boot when the firewall is in a factory default state. When you attach the virtual disk, virtual CD‐ROM, or AWS S3 bucket to the firewall, the firewall scans for a bootstrap package and, if one exists, the firewall uses the settings defined in the bootstrap package. If you have included a Panorama server IP address in the file, the firewall connects with Panorama. If the firewall has Internet connectivity, it contacts the licensing server to update the UUID and obtain the license keys and subscriptions. The firewall is then added as an asset in the Palo Alto Networks Support Portal. If the firewall does not have Internet connectivity, it either uses the license keys you included in the bootstrap package or it connects to Panorama, which retrieves the appropriate licenses and deploys them to the managed firewalls.
The bootstrap package that you create must include the following four folders, even if empty:
• /config folder—Contains the configuration files. The folder can hold two files: init‐cfg.txt and bootstrap.xml. For details see Bootstrap Configuration Files. If you intend to pre‐register VM‐Series firewalls with Panorama with bootstrapping, you must generate a VM auth key on Panorama and include the generated key in the init‐cfg file. See Generate the VM Auth Key on Panorama.
• /license folder—Contains the license keys or auth codes for the licenses and subscriptions that you intend to activate on the firewalls. If the firewall does not have Internet connectivity, you must either manually obtain the license keys from the Palo Alto Networks Support portal or use the Licensing API to obtain the keys and then save each key in this folder. For details, see Prepare the Licenses for Bootstrapping.
  You must include an auth code bundle instead of individual auth codes so that the firewall or orchestration service can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.
• /software folder—Contains the software images required to upgrade a newly provisioned VM‐Series firewall to the desired PAN‐OS version for your network. You must include all intermediate software versions between the Open Virtualization Format (OVF) version and the final PAN‐OS software version to which you want to upgrade the VM‐Series firewall.
• /content folder—Contains the application and threat updates, WildFire updates, and the BrightCloud URL filtering database for the valid subscriptions on the VM‐Series firewall. You must include the minimum content versions required for the desired PAN‐OS version; without the minimum required content version associated with the PAN‐OS version, the VM‐Series firewall cannot complete the software upgrade.

The file type used to deliver the bootstrap package to the VM‐Series firewall varies based on your hypervisor. Use the table below to determine the file type your hypervisor requires.
External Device for Bootstrapping (Bootstrap Package Format)   ESXi   KVM   Hyper‐V   AWS   Azure   KVM in OpenStack
CD‐ROM (ISO image)                                             Yes    Yes   Yes       —     —       —
Disk (vhd)                                                     —      —     —         —     Yes     —
S3 Bucket (ISO image)                                          —      —     —         Yes   —       —
config‐drive (PAN‐OS 7.1.4 and later)                          —      —     —         —     —       Yes
Bootstrap Configuration Files
The bootstrap package must include the basic configuration contained in the init‐cfg.txt file in the /config folder; the complete configuration (contained in the bootstrap.xml file in the /config folder) is optional. When you include both files in the bootstrap package, the firewall merges the configurations of those files and, if any configuration settings overlap between the two files, the firewall uses the setting defined in the init‐cfg.txt file.
• Basic Configuration—The init‐cfg.txt file is a text file that contains basic initial configuration information. You can name this file generically as init‐cfg.txt, or you can prepend the UUID or Serial number of each firewall to the filename to be more specific (for example: 0008C100105‐init‐cfg.txt). This file must include basic information for configuring the management interface on the firewall, such as the IP address type (static or DHCP), IP address (IPv4 only or both IPv4 and IPv6), netmask, and default gateway. The DNS server IP address, Panorama IP address and device group and template parameters are optional. When the firewall boots, it searches for a text file that matches its UUID or serial number and, if none is found, it searches using the generic filename. For a sample file, see Create the init‐cfg.txt File.
  For the VM‐Series firewalls that you want to manage using Panorama, you must generate a VM auth key on Panorama and include the key in the init‐cfg.txt file. For more information, see Generate the VM Auth Key on Panorama.
• Complete Configuration—The bootstrap.xml file allows you to fully configure the firewall. The bootstrap.xml file is optional and is only required if you are not using Panorama for centrally managing your firewall. You can either define this manually or export the running configuration from an existing firewall and save the file as bootstrap.xml. If you include the bootstrap.xml file, make sure to export the XML file from a firewall of the same platform or hypervisor. If you provide the init‐cfg.txt file and the bootstrap.xml file, the firewall merges the files into a running configuration as part of the bootstrap process and, if any settings overlap, the firewall will use the setting from the basic configuration file. See Create the bootstrap.xml File.
Generate the VM Auth Key on Panorama
If you want to use Panorama to manage the VM‐Series firewalls that you are bootstrapping, you must generate a VM auth key on Panorama and include the key in the basic configuration (init‐cfg.txt) file. The VM auth key allows Panorama to authenticate the newly bootstrapped VM‐Series firewall. So, to manage the firewall using Panorama, you must include the IP address for Panorama and the VM auth key in the basic configuration file as well as the license auth codes in the /license folder of the bootstrap package. The firewall can then provide the IP address, serial number, and the VM auth key in its initial connection request to Panorama so that Panorama can verify the validity of the VM auth key and add the firewall as a managed device. If you provide a device group and template in the basic configuration file, Panorama will assign the firewall to the appropriate device group and template so that you can centrally configure and administer the firewall using Panorama.
The lifetime of the key can vary between 1 hour and 8760 hours (1 year). After the specified time, the key expires and Panorama will not register VM‐Series firewalls without a valid auth‐key in this connection request.
Generate the VM Auth Key on Panorama
Step 1
Log in to the Panorama CLI or access the API:
• In the CLI, use the following operational command:
  request bootstrap vm-auth-key generate lifetime <1-8760>
  For example, to generate a key that is valid for 24 hrs, enter the following:
  request bootstrap vm-auth-key generate lifetime 24
  VM auth key 755036225328715 generated. Expires at: 2015/12/29 12:03:52
• In the API, use the following URL:
  https://Panorama_IP_address/api/?type=op&cmd=<request><bootstrap><vm-auth-key><generate><lifetime><number-of-hours></lifetime></generate></vm-auth-key></bootstrap></request>
  where the lifetime is the number of hours for which the VM auth key is valid.
Step 2
Verify the validity term of the VM auth key(s) you generated on Panorama. Make sure that the validity term allows enough time for the firewall(s) to register with Panorama.
https://Panorama_IP_address/api/?type=op&cmd=<request><bootstrap><vm-auth-key><show></show></vm-auth-key></bootstrap></request>
Step 3
Add the generated VM auth key to the basic configuration (init‐cfg.txt) file. See Create the init‐cfg.txt File.
Create the init‐cfg.txt File
Use a text editor such as Notepad, EditPad, or other plain‐text editors to create a text file.
Step 1
Create a new text file.
Step 2
Add the basic network configuration for the management interface on the firewall.
There are no spaces between the key and value in each field. Do not add spaces as they could cause failures during parsing on the mgmtsrvr side.
If any of the required parameters are missing in the file, the firewall exits the bootstrap process and boots up using the default IP address, 192.168.1.1. You can view the system log on the firewall to detect the reason for the bootstrap failure. For errors, see Licensing API.
• To configure the management interface with a static IP address, you must specify the IP address, type of address, default gateway, and netmask. An IPv4 address is required, IPv6 is optional. For syntax, see Sample init‐cfg.txt file (Static IP Address).
• To configure the management interface as a DHCP client, you must specify only the type of address. If you enable the DHCP client on the management interface, the firewall ignores the IP address, default gateway, netmask, IPv6 address, and IPv6 default gateway values defined in the file. For syntax, see Sample init‐cfg.txt file (DHCP Client).
When you enable DHCP on the management interface, the firewall takes the DHCP assigned IP address and is accessible over the network. You can view the DHCP assigned IP address on the General Information widget on the Dashboard or with the CLI command show system info. However, the default static management IP address 192.168.1.1 is retained in the running configuration (show config running) on the firewall. This static IP address ensures that you can always restore connectivity to your firewall, in the event you lose DHCP access to the firewall.
Step 3
Add the VM auth key to register a VM‐Series firewall with Panorama.
To add a VM‐Series firewall on Panorama, you must add the VM auth key that you generated on Panorama to the basic configuration (init‐cfg.txt) file. For details on generating a key, see Generate the VM Auth Key on Panorama.
Step 4
Add details for accessing Panorama.
• Add IP addresses for the primary and secondary Panorama servers.
• Specify the template and the device group to which you want to assign the firewall.
Step 5
(Optional) Include additional parameters for the firewall.
• Add IP addresses for the primary and secondary DNS servers.
• Add the hostname for the firewall.
• Enable either jumbo frames or multiple‐virtual systems (or both).
• Enable swapping of the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM‐Series firewall in AWS. For more information on changing the management interface, see Management Interface Mapping for Use with Amazon ELB.
The following table describes the fields in the init‐cfg.txt file. The type, ip‐address, default‐gateway, and netmask are required.
Fields in the init‐cfg.txt File
Field
Description
type=
Type of management IP address: static or dhcp‐client. This field is required.
ip‐address=
IPv4 address. This field is ignored if the type is dhcp‐client. If the type is static, an IPv4 address is required; the ipv6‐address field is optional and can be included.
You cannot specify the management IP address and netmask configuration for the VM‐Series firewall in AWS and Azure. If defined, the firewall ignores the values you specify.
default‐gateway=
IPv4 default gateway for the management interface. This field is ignored if the type is dhcp‐client. If the type is static, and ip‐address is used, this field is required.
netmask=
IPv4 netmask. This field is ignored if the type is dhcp‐client. If the type is static, and ip‐address is used, this field is required.
ipv6‐address=
(Optional) IPv6 address and /prefix length of the management interface. This field is ignored if the type is dhcp‐client. If the type is static, this field can be specified along with the ip‐address field, which is required.
ipv6‐default‐gateway=
IPv6 default gateway for the management interface. This field is ignored if the type is dhcp‐client. If the type is static and ipv6‐address is used, this field is required.
hostname=
Host name for the firewall.
panorama‐server=
IPv4 or IPv6 address of the primary Panorama server. This field is not required but recommended for centrally managing your firewalls.
panorama‐server‐2=
IPv4 or IPv6 address of the secondary Panorama server. This field is not required but recommended.
tplname=
Panorama template name. If you add a Panorama server IP address, as a best practice create a template on Panorama and enter the template name in this field so that you can centrally manage and push configuration settings to the firewall.
dgname=
Panorama device group name. If you add a Panorama server IP address, as a best practice create a device group on Panorama and enter the device group name in this field so that you can group the firewalls logically and push policy rules to the firewall.
dns‐primary=
IPv4 or IPv6 address of the primary DNS server.
dns‐secondary=
IPv4 or IPv6 address of the secondary DNS server.
vm‐auth‐key=
Virtual machine authentication key. (This field is ignored when bootstrapping hardware firewalls.)
op‐command‐modes=
The following values are allowed: multi‐vsys, jumbo‐frame, mgmt‐interface‐swap. If you enter multiple values, use a space or a comma to separate the entries.
• multi‐vsys—(For hardware‐based firewalls only) Enables multiple virtual systems.
• jumbo‐frame—Sets the default MTU size for all Layer 3 interfaces to 9192 bytes.
• mgmt‐interface‐swap—(For VM‐Series firewall in AWS only) Allows you to swap the management interface (MGT) with the dataplane interface (ethernet 1/1) when deploying the firewall. For details, see Management Interface Mapping for Use with Amazon ELB.
dhcp‐send‐hostname=
The value of yes or no comes from the DHCP server. If yes, the firewall will send its hostname to the DHCP server. This field is relevant only if type is dhcp‐client.
dhcp‐send‐client‐id=
The value of yes or no comes from the DHCP server. If yes, the firewall will send its client ID to the DHCP server. This field is relevant only if type is dhcp‐client.
dhcp‐accept‐server‐hostname=
The value of yes or no comes from the DHCP server. If yes, the firewall will accept its hostname from the DHCP server. This field is relevant only if type is dhcp‐client.
dhcp‐accept‐server‐domain=
The value of yes or no comes from the DHCP server. If yes, the firewall will accept its DNS server from the DHCP server. This field is relevant only if type is dhcp‐client.
The following sample basic configuration (init‐cfg.txt) files show all the parameters that are supported in the file. The required parameters (type, and for a static address also ip‐address, default‐gateway, and netmask) are listed first.

Sample init‐cfg.txt file (Static IP Address)
type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=jumbo-frame,mgmt-interface-swap**
dhcp-send-hostname=no
dhcp-send-client-id=no
dhcp-accept-server-hostname=no
dhcp-accept-server-domain=no

Sample init‐cfg.txt file (DHCP Client)
type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=Ca-FW-DC1
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=jumbo-frame,mgmt-interface-swap**
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes

You cannot specify the management IP address and netmask configuration for the VM-Series firewall in AWS. If defined, the firewall ignores the values you specify because AWS uses a back-end metadata file to assign the management IP address and netmask.
**The mgmt-interface-swap operational command pertains only to a VM‐Series firewall in AWS.
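Because a malformed init‐cfg.txt makes the firewall abandon bootstrapping and come up on 192.168.1.1, it pays to check the file before building the package. The following added example (not from the guide or from PAN‐OS) encodes the field rules from the table above and the UUID/serial-prefixed filename lookup order; the platform argument, the sample file with a deliberate whitespace error, and the file listings are constructed for illustration.

```python
"""Validate an init-cfg.txt file and resolve which init-cfg file applies.

Added example, not part of the guide or of PAN-OS. Rules encoded from the
guide: no spaces around '=', type is static or dhcp-client, a static type
needs ip-address, default-gateway and netmask (plus ipv6-default-gateway when
ipv6-address is set), op-command-modes values come from a fixed set separated
by spaces or commas, mgmt-interface-swap is AWS-only, AWS/Azure ignore the
management IP fields, and a UUID- or serial-prefixed file beats the generic name.
The ``platform`` argument is an assumption used to apply the AWS/Azure exceptions.
"""
import re

VALID_TYPES = {"static", "dhcp-client"}
OP_COMMAND_MODES = {"multi-vsys", "jumbo-frame", "mgmt-interface-swap"}
STATIC_REQUIRED = ("ip-address", "default-gateway", "netmask")
KEY_VALUE_RE = re.compile(r"^([A-Za-z0-9-]+)=(.*)$")

# Constructed sample: a DHCP-client file with a deliberate "hostname = ..." error.
SAMPLE_DHCP = """\
type=dhcp-client
ip-address=
default-gateway=
netmask=
hostname = Ca-FW-DC1
vm-auth-key=755036225328715
panorama-server=10.5.107.20
tplname=FINANCE_TG4
dgname=finance_dg
op-command-modes=jumbo-frame, mgmt-interface-swap
"""


def parse_init_cfg(text):
    """Return (fields, errors); lines that are not strict 'key=value' are errors."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = KEY_VALUE_RE.match(raw)  # matched on the raw line so leading spaces fail too
        if not m:
            errors.append(f"line {lineno}: not key=value or has spaces around '=': {raw!r}")
            continue
        key, value = m.group(1), m.group(2)
        if value != value.strip():
            errors.append(f"line {lineno}: whitespace around the value for {key}")
        fields[key] = value.strip()
    return fields, errors


def validate_init_cfg(fields, platform="kvm"):
    """Apply the guide's field rules; returns a list of problems (empty means ok)."""
    problems = []
    cfg_type = fields.get("type", "")
    if cfg_type not in VALID_TYPES:
        problems.append(f"type must be one of {sorted(VALID_TYPES)}, got {cfg_type!r}")
    elif cfg_type == "static":
        # AWS and Azure ignore the management IP/netmask, so require them elsewhere only.
        if platform not in ("aws", "azure"):
            for key in STATIC_REQUIRED:
                if not fields.get(key):
                    problems.append(f"{key} is required when type=static")
        if fields.get("ipv6-address") and not fields.get("ipv6-default-gateway"):
            problems.append("ipv6-default-gateway is required when ipv6-address is set")
    # Values may be separated by spaces or commas.
    modes = re.split(r"[\s,]+", fields.get("op-command-modes", "").strip())
    for mode in filter(None, modes):
        if mode not in OP_COMMAND_MODES:
            problems.append(f"unknown op-command-modes value {mode!r}")
        elif mode == "mgmt-interface-swap" and platform != "aws":
            problems.append("mgmt-interface-swap applies only to VM-Series in AWS")
    if fields.get("panorama-server") and not fields.get("vm-auth-key"):
        problems.append("vm-auth-key is needed for Panorama to register the firewall")
    return problems


def select_init_cfg(filenames, serial=None, uuid=None):
    """Pick the file the firewall would use from the /config folder listing:
    '<serial>-init-cfg.txt' or '<uuid>-init-cfg.txt' first, then 'init-cfg.txt'."""
    names = set(filenames)
    for ident in (serial, uuid):
        if ident and f"{ident}-init-cfg.txt" in names:
            return f"{ident}-init-cfg.txt"
    return "init-cfg.txt" if "init-cfg.txt" in names else None


if __name__ == "__main__":
    fields, errors = parse_init_cfg(SAMPLE_DHCP)
    for issue in errors + validate_init_cfg(fields, platform="kvm"):
        print(issue)
```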
Create the bootstrap.xml File
Use these instructions to create the optional bootstrap.xml file.

Step 1: Export a configuration from a firewall.
1. Select Device > Setup > Operations.
2. Select the configuration file you want to export.
   • To export the running configuration, in the Configuration Management section, Export named configuration snapshot and select running config.xml from the drop-down.
   • To export a previous version of a firewall configuration, in the Configuration Management section, Export configuration version and select the appropriate configuration version in the drop-down.

Step 2: Rename the configuration file as bootstrap.xml.
1. Rename the file as bootstrap.xml. For the bootstrap process to be successful, the filename must be an exact (case-sensitive) match.
2. Save the bootstrap.xml file in the same location as the init-cfg.txt file.
Prepare the Licenses for Bootstrapping
To license the firewall during the bootstrapping process, you must purchase the auth codes and register the licenses and subscriptions on the Palo Alto Networks Support portal before you begin bootstrapping. For VM-Series firewalls running BYOL (not applicable for usage-based licensing—PAYG), you must have an auth code bundle that includes the capacity auth code, support subscription, and any other subscriptions you require. The process of preparing the licenses for bootstrapping depends on whether the firewall has Internet access when bootstrapping:
• Direct Internet access—The firewall is connected directly to the Internet.
• Indirect Internet access—The firewall is managed by Panorama, which has direct Internet access and the ability to fetch the license keys on behalf of the firewall.
• No Internet access—The firewall uses an orchestration service or a custom script to fetch the license keys on behalf of the firewall.

Prepare the Licenses for Bootstrapping
• For VM-Series firewalls with Internet access: Enter the auth code in the /license folder when you Prepare the Bootstrap Package.
• For VM-Series firewalls with indirect Internet access:
  1. Register the auth code on the Palo Alto Networks Support portal.
     a. Go to support.paloaltonetworks.com, log in, and select Assets > Register New Device > Register device using Serial Number or Authorization Code.
     b. Follow the steps to Register the VM-Series Firewall.
     c. Click Submit.
  2. Activate the auth codes on the Palo Alto Networks Support portal to generate license keys.
     a. Go to support.paloaltonetworks.com, log in, and select the Assets tab.
     b. For each S/N, click the Action link.
     c. Select the Activate Auth-Code button.
     d. Enter the Authorization code, click Agree, and Submit.
     e. Download the license keys and save them to a local folder.
     f. Continue to Prepare the Bootstrap Package; you must add the license keys that you downloaded to the /license folder in the bootstrap package.
• For a custom script or an orchestration service that can access the Internet on behalf of firewalls: The script or service must fetch the CPU ID and the UUID from the hypervisor on which the firewall is deployed and access the Palo Alto Networks Support portal with the CPU ID, UUID, API key and the auth code to obtain the required keys. See Licensing API.
Prepare the Bootstrap Package
Use the following procedure to prepare the bootstrap package.

Step 1: Create the top-level directory structure for the bootstrap package. On your local client or laptop, create the following folders:
/config
/license
/software
/content
You can leave a folder empty, but you must have all four folders.

Step 2: Add content within each folder. For an overview of the process, see Bootstrap Package. For details on the files in the /config folder, see Bootstrap Configuration Files. A populated package looks like this:
/config
    0008C100105-init-cfg.txt
    0008C100107-init-cfg.txt
    bootstrap.xml
/content
    panupv2-all-contents-488-2590
    panup-all-antivirus-1494-1969
    panup-all-wildfire-54746-61460
/software
    PanOS_vm-7.1.1
    PanOS_vm-7.1.4
/license
    0001A100105-authcodes
    0001A100110-url3.key
    0001A100110-threats.key
    0001A100110-url3-wildfire.key

Step 3: Create the bootstrap package. For VM-Series firewalls, create the image in the appropriate format for your hypervisor.
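The following script is an added example, not part of the guide or of Palo Alto Networks software. It creates the four top-level folders from Step 1 and then checks the rules the steps above state: all four folders must exist (empty is allowed), /config must contain an init-cfg.txt (the sample layout shows it prefixed with a serial number and a hyphen), and a bootstrap.xml must match that name exactly, case-sensitively. The sample file contents, the placeholder auth code and the function names are constructed for this example.

```python
"""Create and check the bootstrap package layout described in the guide (added example)."""
import os
import re
import tempfile
from typing import Dict, List

REQUIRED_FOLDERS = ("config", "license", "software", "content")
# init-cfg.txt, optionally prefixed with a serial number and a hyphen as in the sample layout
INIT_CFG_RE = re.compile(r"^(?:[0-9A-Za-z]+-)?init-cfg\.txt$")


def build_sample_package(root: str) -> str:
    """Create the four folders under root and drop in constructed sample files."""
    for folder in REQUIRED_FOLDERS:
        os.makedirs(os.path.join(root, folder), exist_ok=True)
    samples = {
        "config/0008C100105-init-cfg.txt": "type=dhcp-client\n",
        "config/bootstrap.xml": '<config version="7.1.0"></config>\n',
        # placeholder value, not a real auth code
        "license/0001A100105-authcodes": "PLACEHOLDER-AUTHCODE\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def check_package(root: str) -> List[str]:
    """Return layout problems; an empty list means the package passes these checks."""
    problems: List[str] = []
    for folder in REQUIRED_FOLDERS:
        if not os.path.isdir(os.path.join(root, folder)):
            problems.append(f"/{folder} is missing (it may be empty, but it must exist)")
    config_dir = os.path.join(root, "config")
    if os.path.isdir(config_dir):
        names = os.listdir(config_dir)
        if not any(INIT_CFG_RE.match(n) for n in names):
            problems.append("/config has no init-cfg.txt or <serial>-init-cfg.txt")
        for n in names:
            # the firewall looks for the exact, case-sensitive name bootstrap.xml
            if n.lower() == "bootstrap.xml" and n != "bootstrap.xml":
                problems.append(f"/config/{n} will not be used: the name must be exactly bootstrap.xml")
    return problems


def demo() -> Dict[str, List[str]]:
    """Build a sample package in a temporary directory, check it, then break it and recheck."""
    root = tempfile.mkdtemp(prefix="vmseries-bootstrap-")
    build_sample_package(root)
    ok = check_package(root)
    os.rename(os.path.join(root, "config", "bootstrap.xml"),
              os.path.join(root, "config", "Bootstrap.XML"))  # wrong case
    os.rmdir(os.path.join(root, "software"))                  # required even when empty
    broken = check_package(root)
    return {"ok": ok, "broken": broken}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label + ":", found or "no problems")
```

Point check_package at the directory you are about to turn into an ISO or copy into an S3 bucket; it reports the two mistakes that are easiest to make and hardest to see on the console later, a missing folder and a mis-cased bootstrap.xml.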
Bootstrap the VM‐Series Firewall on ESXi
Use these instructions to bootstrap the VM-Series firewall on an ESXi server.

Step 1: Create an ISO image and upload it to a Virtual Machine File System (VMFS) datastore or to a Network File System (NFS) volume.
1. Prepare the Bootstrap Package.
2. Create an ISO image. The tool you use to create the image varies based on your client operating system.
3. Upload the ISO image to a VMFS datastore or to an NFS volume that is accessible to the ESX/ESXi host.

Step 2: Deploy the firewall.
1. Provision the VM-Series Firewall on an ESXi Server. By default, the firewall is deployed with two network interfaces: one for management traffic and one for data traffic. Make sure that the first ethernet interface on the firewall, which is its management interface, is connected to the virtual switch port-group assigned for device management.
2. Do not power on the firewall.

Step 3: Attach the bootstrap image to the firewall.
1. Select the VM-Series firewall from the Inventory list.
2. Click Edit Settings and select Virtual Hardware.
3. Select Datastore iso file in the CD DVD drive drop-down, and browse for the ISO image.
4. Power on the firewall. The firewall begins the bootstrapping process, which takes several minutes. Status messages on the success or failure of the process are displayed on the console.
5. Verify Bootstrap Completion.
Bootstrap the VM‐Series Firewall on Hyper‐V
Use these instructions to bootstrap the VM-Series firewall on a Hyper-V server.

Step 1: Create an ISO image.
1. Prepare the Bootstrap Package.
2. Create an ISO image. The tool you use to create the image varies based on your client operating system.
3. Upload the ISO image to a location accessible to the Hyper-V host.

Step 2: Deploy the firewall.
1. Provision the VM-Series Firewall on a Hyper-V host with Hyper-V Manager. By default, the firewall is deployed with two network interfaces: one for management traffic and one for data traffic. Make sure that the first ethernet interface on the firewall, which is its management interface, is connected to the vSwitch assigned for device management.
2. Do not power on the firewall.

Step 3: Attach the bootstrap image to the firewall.
1. In Hyper-V Manager, select the VM-Series firewall from the Virtual Machines list.
2. Click Settings > Hardware > IDE Controller > DVD Drive.
3. Under Media, click the Image file radio button.
4. Click Browse and select your uploaded ISO image.
5. Click Apply and OK to exit the virtual machine settings.
6. Power on the firewall. The firewall begins the bootstrapping process, which takes several minutes. Status messages on the success or failure of the process are displayed on the console.
7. Verify Bootstrap Completion.
Bootstrap the VM‐Series Firewall
Bootstrap the VM‐Series Firewall on KVM
Bootstrap the VM‐Series Firewall on KVM
Use these instructions to bootstrap the VM-Series firewall on a KVM server.

Step 1: Create an ISO image.
1. Prepare the Bootstrap Package.
2. Create an ISO image. The tool you use to create the image varies based on your client operating system.
3. Upload the ISO image to a location accessible to the KVM host.

Step 2: Deploy the firewall.
1. Install the VM-Series Firewall on KVM. By default, the firewall is deployed with two network interfaces: one for management traffic and one for data traffic. Make sure that the first ethernet interface on the firewall, which is its management interface, is connected to the virtual switch port-group assigned for device management.
2. Do not power on the firewall.

Step 3: Attach the bootstrap image to the firewall.
1. In virt-manager, double-click on the VM-Series firewall to open the console.
2. View the VM hardware details by navigating to View > Details.
3. Open the Add New Virtual Hardware menu by clicking Add Hardware.
4. Change the device type to IDE CDROM.
5. Click the Select managed or other existing storage radio button and click Browse. Locate the ISO image you created and click Choose Volume.
6. Click Finish to exit the Add New Virtual Hardware menu.
7. Power on the firewall by navigating to Virtual Machine > Run. The firewall begins the bootstrapping process, which takes several minutes. Status messages on the success or failure of the process are displayed on the console.
8. Verify Bootstrap Completion.
Bootstrap the VM-Series Firewall on KVM in OpenStack
You can bootstrap the KVM edition of the VM-Series firewall in an OpenStack environment with:
• Red Hat OpenStack Platform 5 or OpenStack Platform 7 running on Red Hat Enterprise Linux 7.2, or Mirantis 7.0 running on Ubuntu 14.04.
• Support for OpenStack CLI only; the UI is not supported.
• Minimum PAN-OS version is PAN-OS 7.1.4.
• ISO9660 or VFAT configuration drive formats.

The KVM edition of the VM-Series firewall in an OpenStack environment reads the bootstrap package from a config-drive that attaches to the instance when it boots. The config-drive is limited to a maximum size of 64MB. Therefore, only /config and /license of the Bootstrap Package can have content; /software and /content must remain empty. PAN-OS supports two methods for passing the bootstrap package to the config-drive:
• file: passes the bootstrap package as cleartext files
• user-data: passes the bootstrap package in a compressed tar ball (.tgz file)

To use the user-data method, ensure that your version of OpenStack Platform 5 (Icehouse-based) has been patched with a fix for this Icehouse issue. Without the patch, use of a tar ball with the user-data method causes the nova boot command to fail.

You can use both methods concurrently in deployments where some files in the bootstrap package are static across all VM-Series instances while other files are unique to each firewall. If you include files using both methods, the compute node unpacks the tar ball first and any files passed by the --file command overwrite duplicate files from the tar ball.

Bootstrap the VM-Series Firewall on KVM in OpenStack

Step 1: Place the bootstrap package in your OpenStack environment.
1. Prepare the Bootstrap Package.
2. Access the OpenStack CLI.
3. Save the bootstrap package and PAN-OS image in a location accessible by the OpenStack controller node.
4. If using the --user-data method to pass the bootstrap package to the config-drive, you can use the following command to create the tar ball:
   tar -cvzf <file-name>.tgz config/ license software content

Step 2: Retrieve the network UUID(s).
To attach a NIC to the VM-Series firewall instance with the --nic net-id= argument, you need the network UUID. You can retrieve the network UUID through the OpenStack CLI by using the following command:
   neutron net-list
Step 3: Deploy the firewall.
There are three methods for populating a config-drive with the bootstrap package and attaching it to the host VM. Complete the command sequence of your choice on the OpenStack controller node. See Nova Boot Command Arguments for descriptions of the arguments required for bootstrapping.
• --user-data
   nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
• --file
   nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /license/authcodes=<source-path> --file /config/init-cfg.txt=<source-path> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
• --user-data and --file
   nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /config/init-cfg.txt=<source-path> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>

Step 4: Verify Bootstrap Completion.

Nova Boot Command Arguments
The nova boot command and the following arguments are required to Bootstrap the VM-Series Firewall on KVM in OpenStack.

nova boot
Used to boot a new compute instance.

--config-drive true
Enables the config-drive.

--image
Specifies the PAN-OS image file. Only the image name is required. This base image file is required to launch the VM-Series firewall. You can view a list of images available in your OpenStack environment with the following command:
   nova image-list
‐‐flavor
The VM instance type. Ensure that you select a flavor that provides the hardware resources required for your VM-Series firewall. You can view a list of available flavors and their hardware resources with the following command:
   nova flavor-list
See VM-Series on KVM—Requirements and Prerequisites for minimum hardware resources required by the KVM VM-Series firewall.

--user-data
Used to pass the tar ball containing the bootstrap package to the config-drive.

--file
Used to pass the init-cfg.txt file and license file as cleartext files to the config-drive. For the bootstrap process to succeed, you must include the /config/init-cfg.txt= argument and either the /license/license.key or /license/authcodes argument. Optionally, bootstrap.xml files are also supported.
   --file /config/init-cfg.txt=
   --file /config/bootstrap.xml=
   --file /license/license.key=
   --file /license/authcodes=
The Server Personality defines the maximum number of files that can be passed using the --file command. Use the nova absolute-limits command to view the limit. In the example below, the Personality limit is five. Therefore, the maximum number of files is limited to five.
nova absolute-limits
+--------------------+-------+--------+
| Name               | Used  | Max    |
+--------------------+-------+--------+
| Cores              | 18    | 240    |
| FloatingIps        | 0     | 10     |
| ImageMeta          |       | 128    |
| Instances          | 12    | 1000   |
| Keypairs           |       | 100    |
| Personality        |       | 5      |
| Personality Size   |       | 65536  |
| RAM                | 32256 | 393216 |
| SecurityGroupRules |       | 20     |
| SecurityGroups     | 1     | 10     |
| Server Meta        |       | 128    |
| ServerGroupMembers |       | 10     |
| ServerGroups       | 0     | 10     |
+--------------------+-------+--------+
Exceeding this limit generates an error message. If you need to pass more files than this limit allows, use the user-data method or the combined user-data and file method.

--nic net-id <network UUID>
Creates a NIC on the VM-Series firewall with the specified UUID. You should create at least two NICs: one for a management port and one for a data port.

--security-group
You can provide a comma-separated list of security groups to provide access to the VM-Series firewall. If you do not specify a security group, the VM is placed in the default security group.
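The following script is an added example, not part of the guide or of Palo Alto Networks or OpenStack software. It covers the two limits this section describes for the OpenStack config-drive: it packs the bootstrap package for the --user-data method (all four folders, as the tar command in Step 1 does, but refusing to proceed if /software or /content contain files, and comparing the uncompressed total with the 64MB limit, since that is what lands on the config-drive), and it parses the output of nova absolute-limits to compare a planned set of --file arguments with the Personality limit and the required /config and /license entries. SAMPLE_ABSOLUTE_LIMITS repeats rows from the table above; the package files, placeholder auth code and function names are constructed for this example.

```python
"""Pack the bootstrap package for --user-data and check --file plans (added example)."""
import os
import tarfile
import tempfile
from typing import Dict, List

CONFIG_DRIVE_MAX_BYTES = 64 * 1024 * 1024
FOLDERS = ("config", "license", "software", "content")

# Rows copied from the nova absolute-limits output shown in the guide.
SAMPLE_ABSOLUTE_LIMITS = """\
+--------------------+-------+--------+
| Name               | Used  | Max    |
+--------------------+-------+--------+
| Cores              | 18    | 240    |
| Personality        |       | 5      |
| Personality Size   |       | 65536  |
| RAM                | 32256 | 393216 |
+--------------------+-------+--------+
"""


def parse_absolute_limits(text: str) -> Dict[str, int]:
    """Return {Name: Max} from the table printed by nova absolute-limits."""
    limits: Dict[str, int] = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if line.startswith("|") and len(cells) == 3 and cells[2].isdigit():
            limits[cells[0]] = int(cells[2])
    return limits


def check_file_args(file_args: List[str], limits: Dict[str, int]) -> List[str]:
    """Check --file destination=source arguments for the required files and the limit."""
    problems: List[str] = []
    dests = [arg.split("=", 1)[0] for arg in file_args]
    max_files = limits.get("Personality", 0)
    if len(dests) > max_files:
        problems.append(f"{len(dests)} --file arguments exceed the Personality limit of "
                        f"{max_files}; pass the rest with --user-data")
    if "/config/init-cfg.txt" not in dests:
        problems.append("--file /config/init-cfg.txt=<source-path> is required")
    if not {"/license/license.key", "/license/authcodes"} & set(dests):
        problems.append("--file /license/license.key= or --file /license/authcodes= is required")
    return problems


def build_user_data_tgz(package_root: str, out_path: str) -> int:
    """Write the .tgz and return the uncompressed byte count the config-drive must hold."""
    total = 0
    for folder in FOLDERS:                      # all four folders must exist
        path = os.path.join(package_root, folder)
        names = os.listdir(path)
        if folder in ("software", "content") and names:
            raise ValueError(f"/{folder} must be empty: the config-drive holds only /config and /license")
        total += sum(os.path.getsize(os.path.join(path, n)) for n in names)
    if total > CONFIG_DRIVE_MAX_BYTES:
        raise ValueError(f"{total} bytes exceed the 64MB config-drive limit")
    with tarfile.open(out_path, "w:gz") as tar:
        for folder in FOLDERS:
            tar.add(os.path.join(package_root, folder), arcname=folder)
    return total


def demo() -> Dict[str, object]:
    """Build a constructed package, pack it, and evaluate two --file plans."""
    root = tempfile.mkdtemp(prefix="vmseries-openstack-")
    for folder in FOLDERS:
        os.makedirs(os.path.join(root, folder))
    with open(os.path.join(root, "config", "init-cfg.txt"), "wb") as fh:
        fh.write(b"type=dhcp-client\n")
    with open(os.path.join(root, "license", "authcodes"), "wb") as fh:
        fh.write(b"PLACEHOLDER-AUTHCODE\n")    # placeholder, not a real auth code
    tgz = os.path.join(root, "bootstrap.tgz")
    size = build_user_data_tgz(root, tgz)
    with tarfile.open(tgz) as tar:
        members = sorted(tar.getnames())
    limits = parse_absolute_limits(SAMPLE_ABSOLUTE_LIMITS)
    minimal = ["/config/init-cfg.txt=./config/init-cfg.txt", "/license/authcodes=./license/authcodes"]
    too_many = [f"/config/extra{i}.txt=./extra{i}.txt" for i in range(6)]
    return {"size": size, "members": members, "limits": limits,
            "minimal": check_file_args(minimal, limits),
            "too_many": check_file_args(too_many, limits)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Feed check_file_args the real output of nova absolute-limits on your controller node rather than the sample; the Personality limit is per environment, and the error it reports is the one the text above says you avoid by switching to --user-data.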
Bootstrap the VM‐Series Firewall in AWS
To perform bootstrapping, you must be familiar with AWS S3 and the IAM permissions required for completing this process. For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies. The management interface of the VM-Series firewall must be able to access the S3 bucket to complete bootstrapping. You can either assign a public IP address or an elastic IP address to the management interface so that the S3 bucket can be accessed over the Internet. Or, create an AWS VPC endpoint in the same region as the S3 bucket, if you prefer to create a private connection between your VPC and the S3 bucket and do not want to enable Internet access on the firewall management interface. For more information refer to the AWS documentation on setting up VPC endpoints.

Bootstrap the firewall in AWS

Step 1: On the AWS console, create an Amazon Simple Storage Service (S3) bucket at the root level. The S3 bucket in this example, vmseries-aws-bucket, is at the All Buckets root folder level. Bootstrap will fail if you nest the folder because you cannot specify a path to the location of the bootstrap files.

Step 2: Create an IAM role with an inline policy to enable read access to the S3 bucket [ListBucket, GetObject]. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2. When launching the VM-Series firewall, you must attach this role to enable access to the S3 bucket and the objects included in the bucket so that bootstrapping succeeds.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::<bucketname>"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": ["arn:aws:s3:::<bucketname>/*"]
        }
    ]
}
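The following script is an added example, not part of the guide or of Palo Alto Networks or AWS software. It checks that the policy on the bootstrap role grants only what Step 2 calls for, s3:ListBucket on the bucket ARN and s3:GetObject on the objects under it, and flags anything broader or anything missing. PAGE_POLICY is the policy shown above with the bucket name filled in (vmseries-aws-bucket, the example bucket from Step 1); BROAD_POLICY is constructed here to show what the check rejects, and the function name is this example's own.

```python
"""Check the IAM policy on the VM-Series bootstrap role for least privilege (added example)."""
import json
from typing import Dict, List, Set

# Exactly the two grants Step 2 describes, keyed by action.
EXPECTED = {
    "s3:ListBucket": "arn:aws:s3:::{bucket}",
    "s3:GetObject": "arn:aws:s3:::{bucket}/*",
}

# The policy from the guide with <bucketname> replaced by the example bucket.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::vmseries-aws-bucket"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::vmseries-aws-bucket/*"]},
    ],
})

# Constructed counter-example: full S3 access to every bucket in the account.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action, Resource and Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_bootstrap_policy(policy_json: str, bucket: str) -> List[str]:
    """Return findings; an empty list means the policy grants exactly the documented read access."""
    policy = json.loads(policy_json)
    granted: Dict[str, Set[str]] = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                granted.setdefault(action, set()).add(resource)
    findings: List[str] = []
    for action, resources in sorted(granted.items()):
        if action not in EXPECTED:
            findings.append(f"{action} is not needed for bootstrapping; "
                            "grant only s3:ListBucket and s3:GetObject")
            continue
        want = EXPECTED[action].format(bucket=bucket)
        for have in sorted(resources):
            if have != want:
                findings.append(f"{action} is granted on {have}; restrict it to {want}")
    for action in EXPECTED:
        if action not in granted:
            findings.append(f"{action} is missing; the firewall cannot read the bootstrap package without it")
    return findings


if __name__ == "__main__":
    print("page policy:", check_bootstrap_policy(PAGE_POLICY, "vmseries-aws-bucket") or "ok")
    print("broad policy:", check_bootstrap_policy(BROAD_POLICY, "vmseries-aws-bucket"))
```

Run it against the inline policy document before attaching the role; a wildcard action or a bare "*" resource lets the instance read every bucket the account owns, which is far more than the bootstrap package needs.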
Step 3: Create the folders within the S3 bucket.
• Create the top-level directory structure for the bootstrap package. Create the structure directly in this S3 bucket.
• Add content within each folder. You can leave a folder empty, but you must have all four folders.
If you have enabled logging in Amazon S3, a Logs folder is automatically created in the S3 bucket. The Logs folder helps troubleshoot issues with access to the S3 bucket.

Step 4: Launch the VM-Series Firewall in AWS. When launching the firewall as an EC2 instance, attach the IAM role you created in Step 2 and, in the user data field (Advanced section), specify the following S3 key-value:
vmseries-bootstrap-aws-s3bucket=<bucketname>

Step 5: Verify Bootstrap Completion.
Bootstrap the VM‐Series Firewall in Azure
To perform bootstrapping, you must be familiar with the process of creating a VHD and must know about storage accounts and containers in Azure, and how to attach the VHD to a virtual machine.

Bootstrap the firewall in Azure

Step 1: Create the VHD. Use the Azure documentation for the commands required to complete the process of creating a VHD.
1. On the Azure portal, deploy a Linux virtual machine.
2. In the Linux virtual machine, Create the top-level directory structure for the bootstrap package and Add content within each folder. You can leave a folder empty, but you must have all four folders.
3. Attach a data disk less than 39 GB to the Linux virtual machine.
4. Connect to the console or CLI of the Linux virtual machine.
5. Partition the disk and format the file system as ext3.
6. Make a directory for the new file system and mount the disk to the Linux virtual machine.
7. Copy the contents of the bootstrap package you created in step 2 to the disk.
8. Unmount the disk.
9. Detach the disk.
10. Store the disk as a page blob within the same storage account that you will use for the VM-Series firewall.

Step 2: Customize the ARM template to point to the VHD so that the firewall can access the disk on first boot. For example, you need to add the following object in the virtualMachine resource in the Template file:
"storageProfile": {
    "imageReference": {
        "publisher": "[parameters('imagePublisher')]",
        "offer": "[parameters('imageOffer')]",
        "sku": "[parameters('imageSku')]",
        "version": "latest"
    },
    "dataDisks": [
        {
            "name": "datadisk1",
            "diskSizeGB": "[parameters('BootstrapUriSizeGB')]",
            "lun": 0,
            "vhd": {
                "uri": "[parameters('BootstrapUri')]"
            },
            "caching": "ReadOnly",
            "createOption": "Attach"
        }
    ],
    "osDisk": {
        "name": "osdisk",
        "vhd": {
            "uri": "[concat('http://', parameters('storageAccountName'), '.blob.core.windows.net/vhds/', parameters('vmName'), '-', parameters('imageOffer'), '-', parameters('imageSku'), '.vhd')]"
        },
        "caching": "ReadWrite",
        "createOption": "FromImage"
    }
},

Step 3: Verify Bootstrap Completion.
Verify Bootstrap Completion
You can see basic status logs on the console during the bootstrap, and you can verify that the process is complete.

Step 1: If you included panorama-server, tplname, and dgname in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
Step 2: Verify the general system settings and configuration. Access the web interface and select Dashboard > Widgets > System, or use the CLI operational commands show system info and show config running.
Step 3: Verify the license installation. Select Device > Licenses or use the CLI operational command request license info.
Step 4: If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
Bootstrap Errors
If you receive an error message during the bootstrapping process, refer to the following table for details. Each entry gives the error message with its severity, followed by the reasons.

Boot image error (high)
• No external device was detected with the bootstrap package.
Or
• A critical error happened while booting from the image on the external device. The bootstrap process was aborted.

No bootstrap config file on external device (high)
The external device did not have the bootstrap configuration file.

Bad or no parameters for mandatory networking information in the bootstrap config file (high)
The networking parameters required for bootstrapping were either incorrect or missing. The error message lists the value—IP address, netmask, default gateway—that caused the bootstrap failure.

Failed to install license key for file <license-key-filename> (high)
The license key could not be applied. This error indicates that the license key used was invalid. The output includes the name of the license key that could not be applied.

Failed to install license key using authcode <authcode> (high)
The license auth code could not be applied. This error indicates that the license auth code used was invalid. The output includes the name of the authcode that could not be applied.

Failed content update commits (high)
The content updates were not successfully applied.

USB media prepared successfully using given bundle <username>: Successfully prepared the USB using bundle <bundlename> (informational)
The bootstrap image has been successfully compiled on the USB flash device.

Successful bootstrap (informational)
The firewall was successfully provisioned with the bootstrap configuration file. The output includes the license keys installed and the filename of the bootstrap configuration. On the VM-Series firewalls only, the PAN-OS version and content update version are also displayed.

Read about the Bootstrap Package and how to Prepare the Bootstrap Package.