For details on cookie usage on our site, read our Privacy Policy
Networking-UDRs-in-Azure-Inserting-the-VM-Series-into-an-Azure
- LIVEcommunity
- Discussions
- Network Security
- VM-Series in the Public Cloud
- Networking-UDRs-in-Azure-Inserting-the-VM-Series-into-an-Azure
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Networking-UDRs-in-Azure-Inserting-the-VM-Series-into-an-Azure
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-10-2017 05:53 AM
Hi Team,
I am new to Paloalto and have some queries with regards to deployment of Paloalto on VM series Firewall on Azure.
Upon search we found
> The VM-Series firewall in Azure does not support native VM Monitoring capabilities for virtual machines that are hosted in Azure.
> VM-Series high availability configuration is not supported to avoid downtime during plannned/unplanned maintainance.
The way of solution is to have Azure application gateway in front of the VM series firewall
Queries that i had in mind:
1. If HA cannot be configured between the VM's( that might be 2 or 3) that are deployed in the VM Series firewall, how the configurations gets replicated between the firewall running on separate VM's?
2. How is the session state maintained when a connection is initiated from App gateway?
3. We want user defined routing between subnets and next hop should pass through Paloalto firewall (internal subnet- Trusted). What is the next hop address that we put if each VM in the VM series firewall with Paloalto holds a different IP address?
Refer to the subnet example in the link below
Thanks in advance
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-10-2017 04:34 PM
There are several options for high availability in Azure. Check out our cloud integration page and expand the Azure section for some examples: https://live.paloaltonetworks.com/t5/Public-Cloud-Integration/ct-p/Cloud_Templates
Firewall configurations can by synchronized accross multiple firewalls using:
- our Azure bootstrapping feature with a common config XML
- Panorama
- Ansible
- Our API
We don't maintain session state in the public cloud as most cloud applications are designed to handle state and the infrastructure is stateless. This is true of other services as well like load balancers in Azure.
If you want to have redundant firewalls for security between subnets, you will need to either:
- point a UDR at a primary interface and use an Azure function to move the UDR in the case of a failure
- front the redundant firewalls with an Azure LB and point a UDR to the LB
Follow the link above for examples.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-10-2017 10:29 PM
Hi Warby, thanks for the prompt response.
======================================
Firewall configurations can by synchronized accross multiple firewalls using:
- our Azure bootstrapping feature with a common config XML
- Panorama
- Ansible
- Our API
======================================
I do need some clarity on the above. Following is what I have understood:
- We can achieve the config sync during startup with the bootstrapping feature.
- We configure the firewalls with Panorama
- I guess Ansible along with API's would be used to sync the configuration while firewalls are in operation.
Is my understanding correct. Also, please share any configuration guide for the same, if available.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-26-2017 03:05 PM - edited 08-26-2017 03:06 PM
Either Ansible (using our API) or Panorama can keep the configs in synch post deployment (while the firewall is running.)
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-08-2018 06:28 AM
Hi Warby,
The subnet requirements for VM series as mentioned below
CIDR block 192.168.0.0/16, and allocates five subnets (192.168.1.0/24 - 192.168.5.0/24) for deploying the Azure Application Gateway, the VM-Series firewalls, the Azure load balancer and the web servers.
Question:
Is it a mandate to have 19.168.x.x/24 (subnet ./24) or we can use (/30) subnet as it will consume 1 IP for external NIC, internal nic, management nic?
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
