VM Series FW - Traffic from Cloudflare

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VM Series FW - Traffic from Cloudflare

L1 Bithead

Dear Members,

 

Hope you are doing well.

 

We are looking to protect our 2 internet facing VM series firewall by using cloudflare. The plan is use the magic transit tunnel from cloudflare and pass the traffic to internet facing vm series.

 

Once i create the magic transit tunnel at cloud flare side, what should be the end of the tunnel connected to in Azure? Will it be VPN gateway which than direct the traffic to public load balancer managing VM series fw

 

Please advice

2 accepted solutions

Accepted Solutions

L5 Sessionator

PANW supports GRE tunnels and IPSec, so yes you could terminate it on a load balancer or directly onto the box, if you wanted.

Help the community! Add tags and mark solutions please.

View solution in original post

L5 Sessionator

This is a question on your requirements, not my recommendation. 

 

Terminating the tunnel on a VPN gateway allows for resiliency (for example, using OSPF/eBGP for anycast to distribute traffic across global infrastructure of many firewalls sharing the same interfaces) by having hot/hot datacenter configuration. 

 

Terminating the tunnel on a load balancer allows for redundancy (multiple tunnels always up, potentially allowing for auto-scaling) across multiple sites and better application performance/scalability.

 

There aren't specific requirements to terminate the tunnel on public IP assuming CloudFlare and PANW share the same IPSec Crypto libraries and algorithms, which I am quite sure they do (AES, GCM, GBC, ECC, DHE, etc). You would just get an elastic IP attached to the VM series, and then add a tunnel interface to the Palo Alto with the IP information of CloudFlare and they will do the handshake and then your Palo Alto will allow traffic based off your policies. 

 

What are your requirements? Auto-scaling? Disaster recovery? Cost optimization? Hybrid on-site and cloud? Either, or both, can be suitable depending on what the intended outcomes of the project are. 

Help the community! Add tags and mark solutions please.

View solution in original post

5 REPLIES 5

L5 Sessionator

PANW supports GRE tunnels and IPSec, so yes you could terminate it on a load balancer or directly onto the box, if you wanted.

Help the community! Add tags and mark solutions please.

Dear LAYER_8,

Thanks for the reply. What is recommended place to terminate the tunnel please on Azure?

 

Will it be Azure VPN Gateway or Azure private load balancer or Palo alto VM series?

 

Any specific requirements to terminate the tunnel like public IP???

 

Please advice.

 

L5 Sessionator

This is a question on your requirements, not my recommendation. 

 

Terminating the tunnel on a VPN gateway allows for resiliency (for example, using OSPF/eBGP for anycast to distribute traffic across global infrastructure of many firewalls sharing the same interfaces) by having hot/hot datacenter configuration. 

 

Terminating the tunnel on a load balancer allows for redundancy (multiple tunnels always up, potentially allowing for auto-scaling) across multiple sites and better application performance/scalability.

 

There aren't specific requirements to terminate the tunnel on public IP assuming CloudFlare and PANW share the same IPSec Crypto libraries and algorithms, which I am quite sure they do (AES, GCM, GBC, ECC, DHE, etc). You would just get an elastic IP attached to the VM series, and then add a tunnel interface to the Palo Alto with the IP information of CloudFlare and they will do the handshake and then your Palo Alto will allow traffic based off your policies. 

 

What are your requirements? Auto-scaling? Disaster recovery? Cost optimization? Hybrid on-site and cloud? Either, or both, can be suitable depending on what the intended outcomes of the project are. 

Help the community! Add tags and mark solutions please.

Dear Layer 8,

 

Thanks for the reply. Appreciated.

 

We are planning to use Cloudflare services to host the DDoS protection and WAF protection for Azure tenent. The plan is to create a tunnel (Cloudflare magic transit) between Cloudflare and Palo Alto hosted in Azure tenent.

 

What configuration I will need at the palo alto end please? Can I front end the Palo alto with a Azure application gateway which can load balance the 2 palo alto HA VMs.

 

There is going to be traffic of 10,000 users concurrnelty going through Palo Alto for different works - like web applications access.  What memory and cpu spec do you suggest for palo alto VM-series firewall for this requirements.

 

 

 

Dear  LAYER_8,

 

I need your advice on another point.

 

Our old employee has left the company and we have received below configuration from palo alto based on the requirements, Below is the spec.

 

Install 6 VM NGFWs with 8 vCPUs, Each virtual firewall will have
the following licenses: Advanced Threat Prevention, Advanced
URL Filtering ,Advanced Wildfire, DNS Security, Global
Protect,Data Loss Protection (DLP), with Premium Support,

it says 6 VMs with 8 vCPU. 

 

Is it 8 vCPU for each VM?

 

Can we have 12 VMs with 4 vCPU each? Please advice.

  • 2 accepted solutions
  • 3248 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!