topic Re: VM Series FW - Traffic from Cloudflare in VM-Series in the Public Cloud

VM Series FW - Traffic from Cloudflare

N-Open — Thu, 30 Nov 2023 04:44:20 GMT

Dear Members,

Hope you are doing well.

We are looking to protect our 2 internet facing VM series firewall by using cloudflare. The plan is use the magic transit tunnel from cloudflare and pass the traffic to internet facing vm series.

Once i create the magic transit tunnel at cloud flare side, what should be the end of the tunnel connected to in Azure? Will it be VPN gateway which than direct the traffic to public load balancer managing VM series fw

Please advice

Re: VM Series FW - Traffic from Cloudflare

LAYER_8 — Fri, 01 Dec 2023 02:53:09 GMT

PANW supports GRE tunnels and IPSec, so yes you could terminate it on a load balancer or directly onto the box, if you wanted.

Re: VM Series FW - Traffic from Cloudflare

N-Open — Fri, 01 Dec 2023 15:33:49 GMT

Dear LAYER_8,

Thanks for the reply. What is recommended place to terminate the tunnel please on Azure?

Will it be Azure VPN Gateway or Azure private load balancer or Palo alto VM series?

Any specific requirements to terminate the tunnel like public IP???

Please advice.

Re: VM Series FW - Traffic from Cloudflare

LAYER_8 — Fri, 01 Dec 2023 18:57:44 GMT

This is a question on your requirements, not my recommendation.

Terminating the tunnel on a VPN gateway allows for resiliency (for example, using OSPF/eBGP for anycast to distribute traffic across global infrastructure of many firewalls sharing the same interfaces) by having hot/hot datacenter configuration.

Terminating the tunnel on a load balancer allows for redundancy (multiple tunnels always up, potentially allowing for auto-scaling) across multiple sites and better application performance/scalability.

There aren't specific requirements to terminate the tunnel on public IP assuming CloudFlare and PANW share the same IPSec Crypto libraries and algorithms, which I am quite sure they do (AES, GCM, GBC, ECC, DHE, etc). You would just get an elastic IP attached to the VM series, and then add a tunnel interface to the Palo Alto with the IP information of CloudFlare and they will do the handshake and then your Palo Alto will allow traffic based off your policies.

What are your requirements? Auto-scaling? Disaster recovery? Cost optimization? Hybrid on-site and cloud? Either, or both, can be suitable depending on what the intended outcomes of the project are.

Re: VM Series FW - Traffic from Cloudflare

N-Open — Fri, 01 Dec 2023 19:29:14 GMT

Dear Layer 8,

Thanks for the reply. Appreciated.

We are planning to use Cloudflare services to host the DDoS protection and WAF protection for Azure tenent. The plan is to create a tunnel (Cloudflare magic transit) between Cloudflare and Palo Alto hosted in Azure tenent.

What configuration I will need at the palo alto end please? Can I front end the Palo alto with a Azure application gateway which can load balance the 2 palo alto HA VMs.

There is going to be traffic of 10,000 users concurrnelty going through Palo Alto for different works - like web applications access. What memory and cpu spec do you suggest for palo alto VM-series firewall for this requirements.

Re: VM Series FW - Traffic from Cloudflare

N-Open — Fri, 01 Dec 2023 19:34:01 GMT

Dear LAYER_8,

I need your advice on another point.

Our old employee has left the company and we have received below configuration from palo alto based on the requirements, Below is the spec.

Install 6 VM NGFWs with 8 vCPUs, Each virtual firewall will have
the following licenses: Advanced Threat Prevention, Advanced
URL Filtering ,Advanced Wildfire, DNS Security, Global
Protect,Data Loss Protection (DLP), with Premium Support,

it says 6 VMs with 8 vCPU.

Is it 8 vCPU for each VM?

Can we have 12 VMs with 4 vCPU each? Please advice.