Chapter 4. Cloud Technologies
4.2 Deploy Palo Alto to Azure
Learning Objectives
- Configure a Virtual Network in Microsoft Azure
- Set up and configure the Azure VPN Gateway for IPsec VPN
- Implement Network Security Groups (NSGs) in Azure for traffic control
- Monitor and troubleshoot IPsec VPN connections on Palo Alto
Scenario: In this lab, we’ll learn how to deploy Palo Alto Firewall to Azure.
- Go to Azure Marketplace and search for Palo Alto.
- Select VM-Series Next-Generation Firewall from Palo Alto.
- Then, select VM-Series Next Generation Firewall from the dropdown list.
- Fill in the firewall information, as shown in Figure 4.48.
- Leave the other tabs at their defaults and click “Review + create.” Azure validates your information, and then you can create the Palo Alto firewall.
- The deployment of Palo Alto then starts. It takes around 5 minutes.
- After the deployment is completed, go to Resource group > hamid > Overview and look for the Palo Alto public IP address.
- Type the IP address in the browser. You should be able to see the Palo Alto credentials page. Enter your username and password to log in to the firewall.
- Azure will create three interfaces, as shown in Figure 4.57. By default, Eth0 is set as the management port; it has the public IP address, and you reach the GUI through that address. Eth1 is set as the Untrusted interface; to access the firewall through this port, you must assign a public IP address to it.
- To set the interfaces in the firewall, go to Network > Interfaces and set both ethernet1/1 and ethernet1/2 as DHCP clients. Also, uncheck “Automatically create default route pointing to default gateway.”
- Then, set a default route and a zone for each interface, and then in ethernet1/1, under the Advanced tab, set the management interface profile as shown in Figure 4.62.
- Create a static route to 10.0.1.1.
- Create a public IP address and assign the public IP address to interface eth1 (Untrusted interface).
- Open the browser and type the public IP address. You should be able to access the firewall.
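After these steps the firewall GUI answers on public IP addresses (Eth0, and Eth1 once the management profile and public IP are attached), so the NSG rules in front of those interfaces decide who can reach it. The following is an added example, not part of the original lab: it reads NSG rules in the shape printed by `az network nsg rule list -o json` and flags inbound Allow rules that open a management port to any source. The rule names and addresses are constructed, treating ports 22 and 443 as the management ports is an assumption, and each rule is judged on its own without modelling Deny rules that take precedence.

```python
import ipaddress
import json
MGMT_PORTS = {22, 443}          # assumed management services: SSH and HTTPS
ANY_SOURCE = {"*", "internet"}  # NSG source values that mean "anyone"

# Constructed sample in the shape printed by `az network nsg rule list -o json`.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https-any", "priority": 100, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "*", "destinationPortRange": "443"},
 {"name": "allow-ssh-admin", "priority": 110, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"},
 {"name": "allow-all-internet", "priority": 120, "direction": "Inbound", "access": "Allow",
  "sourceAddressPrefix": "Internet", "destinationPortRanges": ["0-65535"]},
 {"name": "deny-rest", "priority": 4000, "direction": "Inbound", "access": "Deny",
  "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]

def _port_ranges(rule):
    """Yield (low, high) tuples for every destination port spec in the rule."""
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        low, _, high = ("0-65535" if spec == "*" else spec).partition("-")
        yield int(low), int(high or low)

def _is_open(source):
    """True when the source matches every address; other service tags do not."""
    if source.lower() in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False

def exposed_management_rules(rules):
    """Return (rule name, exposed ports) for inbound Allow rules open to any source."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        ports = sorted(p for p in MGMT_PORTS if any(lo <= p <= hi for lo, hi in _port_ranges(rule)))
        if ports and any(_is_open(s) for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")):
            findings.append((rule["name"], ports))
    return findings

if __name__ == "__main__":
    for name, ports in exposed_management_rules(SAMPLE_RULES):
        print(f"{name}: management ports {ports} reachable from any source")
```

A rule flagged here is a candidate for narrowing its source to the administrators' addresses, as the constructed `allow-ssh-admin` rule does.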