Palo Alto VM-Series Firewall Configuration in Azure
Some Azure network configuration is needed before a Palo Alto firewall will handle pass-through traffic well. Ping is a particular case: by default, you won't be able to ping an Internet IP through the Palo Alto firewall.
This post gives a few small tricks to get ping working for the local interfaces and the Internet.
Topology
Enable Ping on Interfaces
Steps
- Go to Network > Network Profiles > Interface Mgmt
- Create a profile allowing ping:
- Go to Network > Interfaces and assign the profile, created above, to the interface under the Advanced tab:
- Commit the changes
From CLI:
> configure
# set network profiles interface-management-profile mgmt ping yes
# set network interface ethernet ethernet1/3 layer3 interface-management-profile mgmt
# commit
Add a Route Table and Route
By default, all traffic in an Azure subnet goes to the Azure default gateway for that subnet, which is the .1 IP address.
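The route table and route for this step, sketched with the Azure CLI as an added example (not from the original post): a 0.0.0.0/0 route whose next hop is the firewall, attached to a workload subnet, followed by an effective-route check. The resource names, the 10.0.2.4 firewall address and the 0.0.0.0/0 prefix are assumptions; with DRY_RUN=1 (the default) the script only prints the commands.

```shell
#!/usr/bin/env bash
# Added example: a user-defined route (UDR) that overrides the subnet's default
# path via the Azure gateway (.1) and sends traffic to the firewall instead.
# Every name and address below is a constructed placeholder, not from the post.
RG="${RG:-rg-example}"                  # resource group (assumed)
VNET="${VNET:-vnet-example}"            # virtual network (assumed)
SUBNET="${SUBNET:-workload-subnet}"     # subnet to steer; not a firewall subnet (assumed)
RT="${RT:-rt-via-firewall}"             # route table name (assumed)
NIC="${NIC:-workload-vm-nic}"           # NIC of a VM in that subnet (assumed)
FW_TRUST_IP="${FW_TRUST_IP:-10.0.2.4}"  # firewall trust interface IP (assumed)
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only, 0 = run them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only a value shaped like a dotted-quad IPv4 address as next hop.
check_next_hop() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

apply_udr() {
  check_next_hop "$FW_TRUST_IP" || { echo "bad next hop: $FW_TRUST_IP" >&2; return 1; }
  # 1. Empty route table.
  run az network route-table create --resource-group "$RG" --name "$RT"
  # 2. Default route whose next hop is the firewall (a virtual appliance).
  run az network route-table route create --resource-group "$RG" \
    --route-table-name "$RT" --name default-via-firewall \
    --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_TRUST_IP"
  # 3. Attach the table to the workload subnet.
  run az network vnet subnet update --resource-group "$RG" \
    --vnet-name "$VNET" --name "$SUBNET" --route-table "$RT"
  # 4. Check: the effective routes on a VM NIC should now show the UDR.
  run az network nic show-effective-route-table --resource-group "$RG" \
    --name "$NIC" --output table
}

apply_udr
```

Set DRY_RUN=0 and override the variables from the environment to apply the change to a real subscription.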
Add Public IP Address To Untrusted Interface
By default, an Azure VNet will not let ping or tracert packets go through well.
Associate this new public IP with the Palo Alto's untrusted interface, which is eth1:
Updates
After clicking Check Now on the Device -> Dynamic Updates page, you will see some updates available for download. You can install them once they are downloaded.