@Warby wrote:

Hello,

The easiest way to synchronize policies on multiple Palo Alto Networks firewalls is to use Panorama (our management station) to push policy. This works for all of our physical and virtual firewalls. Config elements can be shared or completely independent by device groups.

Another option is to use a third-party tool like Ansible to push configs to multiple firewalls. We have some sample Ansible playbooks available: https://live.paloaltonetworks.com/t5/Ansible/ct-p/Ansible

The VM-Series firewalls can terminate IPsec tunnels very well. The decision to use the VM-Series versus the Azure VPN gateways should be based on the architecture, routing, performance, etc.

HTH,
Warby

Hi Warby,

Thanks for the reply. The client doesn't have Panorama. I guess I will explore the Ansible playbook route.

If I have multiple FWs on Azure, how would I create the IPsec tunnel from a high level? Wouldn't the external LB break the IPsec tunnel? I could use multiple public IPs and tunnel monitor, but that would mean only one tunnel will be up at a time.

Also, what is the performance impact of a PAN IPsec tunnel vs. the Azure VPN Gateway?

What about GlobalProtect? Would it work with the external LB? Would you assign two GP pools, one for FW1 and one for FW2, so the destinations know which firewall to return traffic to?

Thanks