Identify and Deploy Specific PAN-OS Versions of VM-Series on Google Cloud

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
L1 Bithead
No ratings

LIVEcommunity_PAN-OS-Versions_palo-alto-networks.jpg

 

 

There are a fair few ways to deploy the Palo Alto Networks VM-Series Next Generation Firewall appliances on Google Cloud, the recommended method to do the same is described in detail on the Palo Alto Networks official documentation here. There are a couple of restrictions with the official documentation, which are there only to ensure that only the qualified stable versions of VM-Series can be deployed, over which the user can upgrade to the desired version. 

 

This article will provide an alternative method to identify exact versions of the VM-Series NGFW directly without having to either upgrade or create a new base image. In this article, we will look at how to identify the VM-Series versions based on the PAN-OS version and licensing model, how to deploy a specific version of VM-Series and then also how we can deploy the same through automation.

 

Finding Your Desired VM-Series Image Version

 

All the official VM-Series images on Google Cloud can be found in the public Palo Alto Networks project, “paloaltonetworksgcp-public”. We can list the images by running the below command;

 

gcloud compute images list --project paloaltonetworksgcp-public --filter "name=vmseries-flex-"

 

Now, this command will list all the public images that have “vmseries”in their names, and that is a lot of images. So in order to identify what we are looking for, let us break down one of the image names, “vmseries-flex-byol-1022h2”, by splitting the name on the ‘-’;

  • vmseries
    This is, of course, the prefix that denotes the appliance itself.
  • flex
    This denotes the images that were created after Palo Alto Networks migrated to the Flex Licensing model. Any VM-Series image that does not have “flex” on it is now rendered deprecated and not supported. Please read the Software NGFW Credits official documentation for more details. 
  • byol
    This denotes the type of licensing for the VM-Series appliance. This can have 4 values;
    • byol – This denotes the BYOL (Bring Your Own License) type of licensing, one where you will need to have the Software NGFW Flex Credits to be able to license the firewalls deployed with this image.
    • bundle1 – Bundle1 includes the standard NGFW PAYG license, subscription to Threat Prevention and Premium Support
    • bundle2 – Bundle2 includes the standard NGFW PAYG license, subscriptions to Threat Prevention, DNS Security, WildFire, URL Filtering (PAN-DB), GlobalProtect and Premium Support
    • bundle3 – Bundle3 includes the standard NGFW PAYG license, subscriptions to Advanced Threat Prevention, WildFire, Advanced URL Filtering (PAN-DB), GlobalProtect and Premium Support.
  • 1022h2
    This is the PAN-OS version. This version specifically is the “10.2.2-h2” PAN-OS version. Some more examples of the versions are;
    • 1100 – 11.0.0
    • 9114h4 – 9.1.14-h4

 

So, now if I want to find the BYOL image for VM-Series version 11.0.2, I would use the command as shown below;

 

shv@cloudshell:~ (tme-demo-sandbox)$ gcloud compute images list --project paloaltonetworksgcp-public --sort-by "~creationTimestamp" --filter "name='vmseries-flex-byol-1102'" --format "value(NAME)"
vmseries-flex-byol-1102

 

You could list all the images for a specific version as well.

 

shv@cloudshell:~ (tme-demo-sandbox)$ gcloud compute images list --project paloaltonetworksgcp-public --sort-by "~creationTimestamp" --filter "name~'vmseries-flex-.*-1102'" --format "value(NAME)"
vmseries-flex-bundle3-1102
vmseries-flex-bundle2-1102
vmseries-flex-bundle1-1102
vmseries-flex-byol-1102

 

Deploying VM-Series With Your Desired PAN-OS Version

 

Now that we can identify the right image, all the remains to be done is deploy. You can do that through gcloud CLI, for example,

 

gcloud compute images create vmseries-flex-byol-1102 \
-–image-project=paloaltonetworksgcp-public \ --image=vmseries-flex-byol-1022 \
--zone=us-central1-a 
--network-interface \
--network=mgmt-vpc,--subnet=mgmt-subnet, address=’’ \
…
--network-interface \
--network=untrust-vpc,--subnet=untrust-subnet, address=’’ \
…
--network-interface \
--network=trust-vpc,--subnet=trust-subnet, address=’’ \
…

 

However, If you would like to deploy VM-Series using the GCP console, then you would first need to copy the image to your project, so that it can then be used to deploy the VM-Series instance. You can copy the image using the below gcloud CLI.

 

gcloud compute images create vmseries-flex-byol-1102 --project=my-google-project --source-image=vmseries-flex-byol-1022 --source-image-project=paloaltonetworksgcp-public

 

Deploy VM-Series Through Terraform Automation

 

There are two ways to identify the image to use as the source for the VM-Series compute instance to be deployed.

 

Using Data Source

You could fetch the image details using the “google_compute_image” data source in Terraform.

 

data "google_compute_image" "vmseries" {
  name    = “vmseries-flex-byol-1102”
  project = "paloaltonetworksgcp-public"
}

 

Then use the data source to provide the image URI to the “boot_disk” section of “google_compute_instance” resource block.

 

resource "google_compute_instance" "this" {
  … # All the other compute instance configuration

  boot_disk {
    initialize_params {
      image = data.google_compute_image.vmseries[0].self_link
      type  = var.disk_type
    }
  }
}

 

Using Image URI

You could also fetch the image URI directly using the gcloud command as shown below.

gcloud compute images list --project paloaltonetworksgcp-public --filter "name='vmseries-flex-byol-1102'" --uri

You will get the whole URI link as shown below.

 

shv@cloudshell:~ (tme-demo-sandbox)$ gcloud compute images list --project paloaltonetworksgcp-public --filter "name='vmseries-flex-byol-1102'" --uri
https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-flex-byol-1102

 

This URI can then be used directly for the value for “image” under “boot_disk” params as shown below.

 

resource "google_compute_instance" "this" {
  … # All the other compute instance configuration

  boot_disk {
    initialize_params {
      image = “https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-flex-byol-1102”
      type  = var.disk_type
    }
  }
}

 

Conclusion

 

In this document, we saw how you can identify the exact images for the VM-Series version that you need from the public Palo Alto Networks GCP Image repository. We also saw how we could then use that information to deploy VM-Series on your Google Cloud environments. I hope that this was informative for you, Thank you for reading! 

Rate this article:
(1)
Comments
L1 Bithead

Very helpful guide, really cool!

  • 1809 Views
  • 1 comments
  • 2 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎10-03-2023 02:43 PM
Updated by: