VM Series in Azure - Active/Passive or Active/Active

Hi

Thank you for your answer. So if I understand, the recommanded configuration is to deploy 2 VM-Series "standalone" (without HA configuration) and use Azure Load Balancer feature to route the trafic correctly on each firewall.

I plan to use our VM-Series in Azure with GlobalProtect to connect our users on the network with a vpn SSL. In this configuration, is-it possibleto provide a redundant solution to keep access to the newtwork even if a firewall reboots dûe to an upgrade version for example ? Or, if I restart FW1 for an upgrade version, all GlobalProtect SSL VPN connexions started on this firewall will be cut ? And what's happening for new connexion during the firewall reboots ?

Regards 

Hi @aleksandar.astardzhiev 

Thank's for your comment. Regarding our VPN site 2 site between our on-prem and Azure, your recommandation is to create our VPN between our local site and the Azure VPN Gateway and forward the trafic to the Azure LB-->FW-->VM and not to create the VPN directly on the VM-Serie to avoid lost connection when I upgrade the first firewall in architecture with 2 VM-Series with LB ?

Regards 

Hi @jeromecarrier ,

I personally prefer to use Azure VPN gateway and build the the tunnel between on-prem and VPN GW, instead of terminating it on the VM-Series FW. This will eliminate the complexity for handling redundant inbound traffic.

It would vouch for such setup instead of terminating the VPN on the FW.

The only benefit (IMHO) of terminating the VPN on the FW is to reduce the cost, which for us is not worth it. 

By the way you don't really have to route the traffic from VPN GW over VM-Series VM.

You most probably will use NGFW (Palo or other vendor) to terminate the on-prem side of the tunnel. Which means you already have a way to restrict/inspect traffic on-prem <--> cloud. But to achieve this you will need to add your on-prem IP range as separate route in the UDR (user defined route table) for each vnet/subnet. which means:

- Outbound traffic: default route pointing to internal LB and traffic flow is VM -> internal LB -> FW ->  Internet

- On-prem traffic: on-prem range route pointing to VPN GW. traffic flow would be VM -> VPN GW -> on-prem FW -> on-prem network
respecting opposite direction on-prem FW-> VPN GW -> VM

In our case we decided to route the on-prem traffic over VM-series firewall (on-prem FW -> VPN GW -> internal LB -> FW -> VM), because we wanted to control/restrict traffic with VM firewall. Mainly our idea was to use the Azure plug-in for Panorama. The plugin will monitor Azure tag and create ip-to-tag mapping, which will be used with dynamic groups and allow VMs automatically after deployment.

Hi @aleksandar.astardzhiev 

Why I saided Lan(OnPrem) --> FW (OnPrem) -->Azure VPN Gateway --> AzureLB-->FW VM-Series-->VM, it's to control all traffic to/from our servers in Azure via the VM Series Palo Alto.

Hey @jeromecarrier ,

That is exactly our current setup.

The only problem with this setup it is hard to manage - you will need to allow same traffic on both firewalls.

That is why you can create "trust all" rule on one of the firewalls. For example on on-prem FW create "any on-prem to/from any azure, any port/app, allow". Then on the VM-series FW you can create specific rules and control the traffic only with one policy.

Hi @aleksandar.astardzhiev 

I would like to have your opinion. My architecture is similar than the below architecture provided by Palo Alto (without VPN gateway at the moment). But in the following configuration, if I understand, all traffic from On-Premisses network to App01 or App02 servers  is not controled  by the VM-Series (the default route from VPN Gateway is the private LB 10.110.0.21).

If I wan't to control all traffic from On-Premisses to our servers zones (10.112.0.0/16 or 10.113.0.0/16 VNet), I need to add 1 network interface on each VM-Series and add one LoadBalancer between or firewalls and the VPN Gateway ? So at the end, we will have 2 LB : 1xLB dedicated to the traffic between the Gateway and firewalls and 1xLB for the traffic between servers networks (10.112.0.0/16 or 10.113.0.0/16) and VM-Series firewall (10.110.0.4 & 10.110.0.5) ? Is-it correct ?

Hi @jeromecarrier ,

Quite the opposite actually.

1. Traffic from on-prem will travel over the tunnel and reach VPN Gateway (VNG)

2. VNG needs to be associated with User Defined Routing table (UDR), which should have route for App1 and App2 Vnet ranges pointing to internal LB

3. Internal LB will select available FW and forward the traffic over the INSIDE interface

4. FW will receive this traffic, inspect it and should have route for AppX Vnets and on-prem pointing to INSIDE subnet gateway (which means traffic will route the traffic back from the same interface, therefor traffic will be intrazone)

5. Azure will forward the traffic to the peered AppX Vnet and the corresponding VM instance

6. When VM send a reply back it will take the default route in the UDR pointing again to internal LB

7. With the help of the Standard LB with "HA ports" enabled, LB will know that this packet belongs to existing session and route the traffic to the same firewall which processed the request packet.

8. FW will receive the packet match it with existing session, inspect it and route it INSIDE subnet gateway

9. Azure will forward the traffic to the VNG (checking the destination and route in the UDR for FW INSIDE subnet) and from there it is back into your on-prem

The picture you send above it one of the suggested approached by Palo Alto - to have separate firewall for East-West and Outbound/Inbound traffic. As you can imaging this could get quite expensive. The second option is the so called "common firewall"

Basically the same I explained above, but here they haven't put the detailed information for the UDRs.