01-18-2017 01:37 AM
We want to create a firewall with four or more interfaces (instead of the default 3) in Azure. We understand that for this to work, we will need to use ARM templates.
I have downloaded the ARM-template from here and edited it to contain four interfaces: https://github.com/PaloAltoNetworks/azure/tree/master/vmseries-avset
I have deployed my edited template successfully using a Standard D4 v2 machine. The template does create the NICs defined, but does not assign the DMZ interface to my newly created VM (it only assigns the default ones).
What might be the issue?
Code below. Subnet 3 (DMZ) is the one I want to add in addition to the default interfaces that the default template makes.
My custom azureDeploy.json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "metadata": { "description": "region of resources" } },
    "newStorageAccount": { "type": "string", "metadata": { "description": "Globally unique lowercase name of your storage account" } },
    "storageAccountType": { "type": "string", "metadata": { "description": "The type of the Storage Account created" }, "defaultValue": "Standard_LRS" },
    "storageAccountNewOrExisting": { "type": "string", "defaultValue": "new", "allowedValues": [ "new", "existing" ], "metadata": { "description": "Indicates whether the Storage Account is new or existing" } },
    "existingStorageAccountRG": { "type": "string", "defaultValue": "", "metadata": { "description": "Storage Resource Group of the Existing VM." } },
    "dnsNameForPublicIP": { "type": "string", "metadata": { "description": "Globally unique DNS name to access management interface of VM-Series firewall" } },
    "vmName": { "type": "string", "metadata": { "description": "Name of VM-Series VM in the Azure portal" } },
    "adminUserName": { "type": "string", "metadata": { "description": "Username for VM-Series administrator" } },
    "adminPassword": { "type": "securestring", "defaultValue": "Pal0Alt0!29", "metadata": { "description": "Password for VM-Series administrator" } },
    "authenticationType": { "type": "string", "metadata": { "description": "Type of authentication" }, "allowedValues": [ "sshPublicKey", "password" ], "defaultValue": "password" },
    "sshKey": { "type": "string", "defaultValue": "", "metadata": { "description": "SSH rsa public key file as a string." } },
    "vmSize": { "type": "string", "allowedValues": [ "Standard_D4", "Standard_D4_v2", "Standard_A4" ], "metadata": { "description": "Azure VM size for VM-Series" } },
    "srcIPInboundNSG": { "type": "string", "metadata": { "description": "Your source public IP address. Added to the inbound DefaultNSG on eth0 (MGMT)" }, "defaultValue": "0.0.0.0/0" },
    "baseUrl": { "type": "string", "metadata": { "artifactsBaseUrl": "" }, "defaultValue": "https://raw.githubusercontent.com/PaloAltoNetworks/azure/master/vmseries-avset" },
    "virtualNetworkName": { "type": "string", "metadata": { "description": "Name of the virtual network that the consumer wants to use" }, "defaultValue": "panVnet" },
    "virtualNetworkAddressPrefix": { "type": "string", "defaultValue": "192.168.0.0/16", "metadata": { "description": "Virtual network address CIDR" } },
    "subnet0Name": { "type": "string", "defaultValue": "Mgmt", "metadata": { "description": "Subnet for the Mgmt" } },
    "subnet1Name": { "type": "string", "defaultValue": "Untrust", "metadata": { "description": "Subnet for the Untrust" } },
    "subnet2Name": { "type": "string", "defaultValue": "Trust", "metadata": { "description": "Subnet for the Trust" } },
    "subnet3Name": { "type": "string", "defaultValue": "DMZ", "metadata": { "description": "Subnet for the DMZ" } },
    "subnet0Prefix": { "type": "string", "defaultValue": "192.168.0.0/24", "metadata": { "description": "Mgmt subnet CIDR" } },
    "subnet1Prefix": { "type": "string", "defaultValue": "192.168.1.0/24", "metadata": { "description": "Untrust subnet CIDR" } },
    "subnet2Prefix": { "type": "string", "defaultValue": "192.168.2.0/24", "metadata": { "description": "Trust subnet CIDR" } },
    "subnet3Prefix": { "type": "string", "defaultValue": "192.168.3.0/24", "metadata": { "description": "DMZ subnet CIDR" } },
    "subnet0StartAddress": { "type": "string", "defaultValue": "192.168.0.4", "metadata": { "description": "Mgmt subnet start address" } },
    "subnet1StartAddress": { "type": "string", "defaultValue": "192.168.1.4", "metadata": { "description": "Untrust subnet start address" } },
    "subnet2StartAddress": { "type": "string", "defaultValue": "192.168.2.4", "metadata": { "description": "Trust subnet start address" } },
    "subnet3StartAddress": { "type": "string", "defaultValue": "192.168.3.4", "metadata": { "description": "DMZ subnet start address" } }
  },
  "variables": {
    "apiVersion": "2015-06-15",
    "imagePublisher": "paloaltonetworks",
    "imageSku": "byol",
    "imageOffer": "vmseries1",
    "fwpublicIPName": "[concat(parameters('vmName'), '-fwMgmtPublicIP')]",
    "nicName": "[concat(parameters('vmName'), '-eth')]",
    "FWPrivateIPAddressUntrust": "[parameters('subnet1StartAddress')]",
    "FWPrivateIPAddressTrust": "[parameters('subnet2StartAddress')]",
    "FWPrivateIPAddressDMZ": "[parameters('subnet3StartAddress')]",
    "publicIPAddressType": "Dynamic",
    "vnetID": "[resourceId('Microsoft.Network/virtualNetworks',parameters('virtualNetworkName'))]",
    "nsgname-mgmt": "[concat(parameters('vmName'), '-DefaultNSG')]",
    "subnet0Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet0Name'))]",
    "subnet1Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet1Name'))]",
    "subnet2Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet2Name'))]",
    "subnet3Ref": "[concat(variables('vnetID'),'/subnets/',parameters('subnet3Name'))]",
    "storageAccountSetupURL": "[concat(parameters('baseUrl'),'/storageAccount-',parameters('storageAccountNewOrExisting'),'.json')]",
    "vmTemplateUrl": "[concat(parameters('baseUrl'), '/virtual-machine-', parameters('authenticationType'),'.json')]",
    "availabilitySetName": "VMSeriesFwAvSet"
  },
  "resources": [
    {
      "name": "storageAcountSetup1",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2015-01-01",
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[variables('storageAccountSetupURL')]", "contentVersion": "1.0.0.0" },
        "parameters": {
          "location": { "value": "[parameters('location')]" },
          "storageAccountType": { "value": "[parameters('storageAccountType')]" },
          "newStorageAccount": { "value": "[parameters('newStorageAccount')]" },
          "storageAccountExistingRG": { "value": "[parameters('existingStorageAccountRG')]" }
        }
      }
    },
    {
      "apiVersion": "2015-05-01-preview",
      "type": "Microsoft.Compute/availabilitySets",
      "name": "[variables('availabilitySetName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/publicIPAddresses",
      "name": "[variables('fwpublicIPName')]",
      "location": "[parameters('location')]",
      "properties": {
        "publicIPAllocationMethod": "[variables('publicIPAddressType')]",
        "dnsSettings": { "domainNameLabel": "[parameters('dnsNameForPublicIP')]" }
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[concat(parameters('vmName'), '-DefaultNSG')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          { "name": "Allow-Outside-From-IP", "properties": { "description": "Rule", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "[parameters('srcIPInboundNSG')]", "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound" } },
          { "name": "Allow-Intra", "properties": { "description": "Allow intra network traffic", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "[concat(parameters('virtualNetworkAddressPrefix'))]", "destinationAddressPrefix": "*", "access": "Allow", "priority": 101, "direction": "Inbound" } },
          { "name": "Default-Deny", "properties": { "description": "Default-Deny if we don't match Allow rule", "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 200, "direction": "Inbound" } }
        ]
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/virtualNetworks",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[concat('Microsoft.Network/networkSecurityGroups/', variables('nsgname-mgmt'))]" ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "[parameters('virtualNetworkAddressPrefix')]" ] },
        "subnets": [
          { "name": "[parameters('subnet0Name')]", "properties": { "addressPrefix": "[parameters('subnet0Prefix')]", "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgname-mgmt'))]" } } },
          { "name": "[parameters('subnet1Name')]", "properties": { "addressPrefix": "[parameters('subnet1Prefix')]" } },
          { "name": "[parameters('subnet2Name')]", "properties": { "addressPrefix": "[parameters('subnet2Prefix')]" } },
          { "name": "[parameters('subnet3Name')]", "properties": { "addressPrefix": "[parameters('subnet3Prefix')]" } }
        ]
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[concat(variables('nicName'), '0')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[concat('Microsoft.Network/publicIPAddresses/', variables('fwpublicIPName'))]",
        "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
      ],
      "tags": { "displayName": "[concat('NetworkInterfaces', '0')]" },
      "properties": {
        "ipConfigurations": [{
          "name": "[concat('ipconfig', '0')]",
          "properties": {
            "privateIPAllocationMethod": "Dynamic",
            "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('fwpublicIPName'))]" },
            "subnet": { "id": "[variables(concat('subnet','0','Ref'))]" }
          }
        }]
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[concat(variables('nicName'), '1')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" ],
      "tags": { "displayName": "[concat('NetworkInterfaces', '1')]" },
      "properties": {
        "enableIPForwarding": true,
        "ipConfigurations": [{
          "name": "[concat('ipconfig', '1')]",
          "properties": {
            "privateIPAllocationMethod": "Static",
            "privateIPAddress": "[variables('FWPrivateIPAddressUntrust')]",
            "subnet": { "id": "[variables(concat('subnet','1','Ref'))]" }
          }
        }]
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[concat(variables('nicName'), '2')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" ],
      "tags": { "displayName": "[concat('NetworkInterfaces', '2')]" },
      "properties": {
        "enableIPForwarding": true,
        "ipConfigurations": [{
          "name": "[concat('ipconfig', '2')]",
          "properties": {
            "privateIPAllocationMethod": "Static",
            "privateIPAddress": "[variables('FWPrivateIPAddressTrust')]",
            "subnet": { "id": "[variables(concat('subnet','2','Ref'))]" }
          }
        }]
      }
    },
    {
      "apiVersion": "[variables('apiVersion')]",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[concat(variables('nicName'), '3')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]" ],
      "tags": { "displayName": "[concat('NetworkInterfaces', '3')]" },
      "properties": {
        "enableIPForwarding": true,
        "ipConfigurations": [{
          "name": "[concat('ipconfig', '3')]",
          "properties": {
            "privateIPAllocationMethod": "Static",
            "privateIPAddress": "[variables('FWPrivateIPAddressDMZ')]",
            "subnet": { "id": "[variables(concat('subnet','3','Ref'))]" }
          }
        }]
      }
    },
    {
      "name": "PAN-VM",
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2015-01-01",
      "dependsOn": [
        "storageAcountSetup1",
        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'), '0')]",
        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'), '1')]",
        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'), '2')]",
        "[concat('Microsoft.Network/networkInterfaces/', variables('nicName'), '3')]"
      ],
      "properties": {
        "mode": "Incremental",
        "templateLink": { "uri": "[variables('vmTemplateUrl')]", "contentVersion": "1.0.0.0" },
        "parameters": {
          "location": { "value": "[parameters('location')]" },
          "vmName": { "value": "[parameters('vmName')]" },
          "imageSku": { "value": "[variables('imageSku')]" },
          "imageOffer": { "value": "[variables('imageOffer')]" },
          "imagePublisher": { "value": "[variables('imagePublisher')]" },
          "nicName": { "value": "[variables('nicName')]" },
          "vmSize": { "value": "[parameters('vmSize')]" },
          "adminUsername": { "value": "[parameters('adminUsername')]" },
          "adminPassword": { "value": "[parameters('adminPassword')]" },
          "newStorageAccount": { "value": "[parameters('newStorageAccount')]" },
          "sshKey": { "value": "[parameters('sshKey')]" },
          "availabilitySetName": { "value": "[variables('availabilitySetName')]" }
        }
      }
    }
  ]
}
My custom defined parameters.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "metadata": { "description": "region of resources" } },
    "newStorageAccount": { "type": "string", "metadata": { "description": "Globally unique lowercase name of your storage account" } },
    "storageAccountType": { "type": "string", "metadata": { "description": "The type of the Storage Account created" }, "defaultValue": "Standard_LRS" },
    "storageAccountNewOrExisting": { "type": "string", "defaultValue": "new", "allowedValues": [ "new", "existing" ], "metadata": { "description": "Indicates whether the Storage Account is new or existing" } },
    "existingStorageAccountRG": { "type": "string", "defaultValue": "", "metadata": { "description": "Storage Resource Group of the Existing VM." } },
    "dnsNameForPublicIP": { "type": "string", "metadata": { "description": "Globally unique DNS name to access management interface of VM-Series firewall" } },
    "vmName": { "type": "string", "metadata": { "description": "Name of VM-Series VM in the Azure portal" } },
    "adminUserName": { "type": "string", "metadata": { "description": "Username for VM-Series administrator" } },
    "adminPassword": { "type": "securestring", "defaultValue": "<YOUR PASSWORD>", "metadata": { "description": "Password for VM-Series administrator" } },
    "authenticationType": { "type": "string", "metadata": { "description": "Type of authentication" }, "allowedValues": [ "sshPublicKey", "password" ], "defaultValue": "password" },
    "sshKey": { "type": "string", "defaultValue": "", "metadata": { "description": "SSH rsa public key file as a string." } },
    "vmSize": { "type": "string", "allowedValues": [ "Standard_D3", "Standard_D3_v2", "Standard_D4", "Standard_D4_v2", "Standard_A4" ], "metadata": { "description": "Azure VM size for VM-Series" } },
    "srcIPInboundNSG": { "type": "string", "metadata": { "description": "Your source public IP address. Added to the inbound DefaultNSG on eth0 (MGMT)" } },
    "baseUrl": { "type": "string", "metadata": { "artifactsBaseUrl": "" }, "defaultValue": "https://raw.githubusercontent.com/saurabhtrekker/UI1/master" },
    "virtualNetworkName": { "type": "string", "metadata": { "description": "Name of the virtual network that the consumer wants to use" }, "defaultValue": "panVnet" },
    "virtualNetworkAddressPrefix": { "type": "string", "defaultValue": "192.168.0.0/16", "metadata": { "description": "Virtual network address CIDR" } },
    "subnet0Name": { "type": "string", "defaultValue": "Mgmt", "metadata": { "description": "Subnet for the Mgmt" } },
    "subnet1Name": { "type": "string", "defaultValue": "Untrust", "metadata": { "description": "Subnet for the Untrust" } },
    "subnet2Name": { "type": "string", "defaultValue": "Trust", "metadata": { "description": "Subnet for the Trust" } },
    "subnet3Name": { "type": "string", "defaultValue": "DMZ", "metadata": { "description": "Subnet for the DMZ" } },
    "subnet0Prefix": { "type": "string", "defaultValue": "192.168.0.0/24", "metadata": { "description": "Mgmt subnet CIDR" } },
    "subnet1Prefix": { "type": "string", "defaultValue": "192.168.1.0/24", "metadata": { "description": "Untrust subnet CIDR" } },
    "subnet2Prefix": { "type": "string", "defaultValue": "192.168.2.0/24", "metadata": { "description": "Trust subnet CIDR" } },
    "subnet3Prefix": { "type": "string", "defaultValue": "192.168.3.0/24", "metadata": { "description": "DMZ subnet CIDR" } },
    "subnet0StartAddress": { "type": "string", "defaultValue": "192.168.0.4", "metadata": { "description": "Mgmt subnet start address" } },
    "subnet1StartAddress": { "type": "string", "defaultValue": "192.168.1.4", "metadata": { "description": "Untrust subnet start address" } },
    "subnet2StartAddress": { "type": "string", "defaultValue": "192.168.2.4", "metadata": { "description": "Trust subnet start address" } },
    "subnet3StartAddress": { "type": "string", "defaultValue": "192.168.3.4", "metadata": { "description": "DMZ subnet start address" } }
  }
}
05-10-2017 11:43 AM - edited 05-10-2017 11:45 AM
Hello mathiasj,
I have reviewed your template and I can also duplicate your issue.
I modified your code a little (also removed the password from your code); check your post!
https://github.com/dmaynard1/Azure-Custom/tree/master/vmseries-ARM4interface
My template creates 4 interfaces but eth3 does not get assigned. I have not found out why but have found a workaround in PowerShell to get the interface attached.
PowerShell (PS):
# Install the AzureRM module and sign in
Install-Module -Name AzureRM
Login-AzureRmAccount
# List the network interfaces in your resource group
Get-AzureRmNetworkInterface -ResourceGroupName "{your RG name}"
# Save the VM you want to add the vNic to in a variable
$myvm = Get-AzureRmVM -ResourceGroupName "{your RG name}" -VMName "{your vm firewall name}"
# Get the network interface resource ID for the vNic you want attached to the firewall, for example:
# /subscriptions/{your subscription number}/resourceGroups/{your RG name}/providers/Microsoft.Network/networkInterfaces/fw-eth3
# Add the vNic
Add-AzureRmVMNetworkInterface -VM $myvm -Id "/subscriptions/{your subscription number}/resourceGroups/{your RG name}/providers/Microsoft.Network/networkInterfaces/fw-eth3"
# Update the VM with the new vNic
Update-AzureRmVM -ResourceGroupName "{your RG name}" -VM $myvm
# Start the VM
Start-AzureRmVM -ResourceGroupName "{your RG name}" -Name "{your vm firewall name}"
# Then configure the IPv4 address and zone on the firewall GUI
05-10-2017 11:53 AM
Did you modify the virtual-machine-password.json and/or virtual-machine-sshPublicKey.json?
That is the template that deploys the actual VM-Series and needs to know how many interfaces to attach to itself.
"networkProfile": {
  "networkInterfaces": [{
    "id": "[resourceId('Microsoft.Network/networkInterfaces',concat(parameters('nicName'),'0'))]",
    "properties": {
      "primary": true
    }
  }, {
    "id": "[resourceId('Microsoft.Network/networkInterfaces',concat(parameters('nicName'),'1'))]",
    "properties": {
      "primary": false
    }
  }, {
    "id": "[resourceId('Microsoft.Network/networkInterfaces',concat(parameters('nicName'),'2'))]",
    "properties": {
      "primary": false
    }
  }]
}
05-10-2017 12:22 PM
I didn't add the 4th interface to the deployment files
vmseries-ARM4interface/virtual-machine-password.json
and
vmseries-ARM4interface/virtual-machine-sshPublicKey.json
The VM is getting deployed using those files, as referenced by the "base uri" pointing to my GitHub repo.
Added the fourth interface to those files and it worked.
Since you are calling the Palo Alto master JSON files as your "base uri", and those files do not have the 4th interface, that is why the interface is not getting attached to the firewall.
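To make the root cause from the two replies above concrete, here is an added Python example (not code from this thread or from the Palo Alto Networks templates). It models the main azureDeploy.json, which creates NIC resources eth0..eth3, and the nested virtual-machine-*.json, whose networkProfile only lists eth0..eth2, reports which NICs are created but never attached, and rewrites the networkProfile so it references every NIC the main template creates. The template fragments are constructed to mirror the thread, and the function names are my own; the check that exactly one NIC is primary reflects Azure's requirement that a multi-NIC VM has a single primary interface.

```python
import copy
import json
import re

# Constructed sample modelled on the thread: the main template declares four
# NIC resources (eth0..eth3) plus the nested "PAN-VM" deployment.
MAIN_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Network/networkInterfaces", "name": "[concat(variables('nicName'), '0')]"},
        {"type": "Microsoft.Network/networkInterfaces", "name": "[concat(variables('nicName'), '1')]"},
        {"type": "Microsoft.Network/networkInterfaces", "name": "[concat(variables('nicName'), '2')]"},
        {"type": "Microsoft.Network/networkInterfaces", "name": "[concat(variables('nicName'), '3')]"},
        {"type": "Microsoft.Resources/deployments", "name": "PAN-VM"},
    ]
}


def nic_ref(index, primary=False):
    """Build one networkProfile entry in the same form the nested template uses."""
    return {
        "id": f"[resourceId('Microsoft.Network/networkInterfaces',concat(parameters('nicName'),'{index}'))]",
        "properties": {"primary": primary},
    }


# Constructed nested VM template (virtual-machine-password.json as posted in
# the thread): only three NICs are attached, so eth3 is created but orphaned.
VM_TEMPLATE = {
    "resources": [{
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[parameters('vmName')]",
        "properties": {
            "networkProfile": {
                "networkInterfaces": [nic_ref(0, True), nic_ref(1), nic_ref(2)]
            }
        },
    }]
}

# NIC resources in the main template are named with variables('nicName');
# the nested template references them through parameters('nicName').
NIC_RESOURCE_RE = re.compile(r"concat\(variables\('nicName'\),\s*'(\d+)'\)")
NIC_REF_RE = re.compile(r"concat\(parameters\('nicName'\),\s*'(\d+)'\)")


def created_nic_indexes(main_template):
    """Indexes (eth<N>) of the NIC resources the main template deploys."""
    out = []
    for res in main_template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkInterfaces":
            continue
        m = NIC_RESOURCE_RE.search(res.get("name", ""))
        if m:
            out.append(int(m.group(1)))
    return sorted(out)


def attached_nic_indexes(vm_template):
    """Indexes of the NICs the nested VM template actually attaches."""
    out = []
    for res in vm_template.get("resources", []):
        if res.get("type") != "Microsoft.Compute/virtualMachines":
            continue
        profile = res.get("properties", {}).get("networkProfile", {})
        for nic in profile.get("networkInterfaces", []):
            m = NIC_REF_RE.search(nic.get("id", ""))
            if m:
                out.append(int(m.group(1)))
    return sorted(out)


def unattached_nics(main_template, vm_template):
    """NICs that are created but never attached: the symptom in the thread."""
    attached = set(attached_nic_indexes(vm_template))
    return [i for i in created_nic_indexes(main_template) if i not in attached]


def primary_count(vm_template):
    """Azure requires exactly one primary NIC per VM; use this as a sanity check."""
    return sum(
        1
        for res in vm_template.get("resources", [])
        if res.get("type") == "Microsoft.Compute/virtualMachines"
        for nic in res["properties"]["networkProfile"]["networkInterfaces"]
        if nic["properties"].get("primary")
    )


def patch_network_profile(vm_template, main_template):
    """Return a copy of the nested template whose networkProfile lists every NIC
    the main template creates; the lowest index (eth0, MGMT) stays primary."""
    patched = copy.deepcopy(vm_template)
    wanted = created_nic_indexes(main_template)
    for res in patched["resources"]:
        if res.get("type") != "Microsoft.Compute/virtualMachines":
            continue
        res["properties"]["networkProfile"]["networkInterfaces"] = [
            nic_ref(i, primary=(i == wanted[0])) for i in wanted
        ]
    return patched


if __name__ == "__main__":
    print("created by main template:", created_nic_indexes(MAIN_TEMPLATE))
    print("attached by VM template: ", attached_nic_indexes(VM_TEMPLATE))
    print("created but not attached:", unattached_nics(MAIN_TEMPLATE, VM_TEMPLATE))
    fixed = patch_network_profile(VM_TEMPLATE, MAIN_TEMPLATE)
    print(json.dumps(fixed["resources"][0]["properties"]["networkProfile"], indent=2))
```

Run against real files, `json.load` the two templates in place of the constructed dictionaries; `unattached_nics` returning a non-empty list is exactly the "NIC exists in the portal but is not on the VM" situation described above, and it is cheaper to catch before deployment than to repair with the PowerShell workaround afterwards.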
08-28-2017 08:39 AM
There is an example of a 4 interface template on the Palo Alto Networks Github site. A link to the template can be found on Live Public Cloud Integration website located here:
https://live.paloaltonetworks.com/t5/Public-Cloud-Integration/ct-p/Cloud_Templates
The direct link to the template is: https://github.com/PaloAltoNetworks/Azure-FW-4-Interfaces-