Palo Alto VM-Series Firewall Configuration in Azure

Some configuration on the Azure network side is needed before a Palo Alto firewall will pass transit traffic properly. Ping is the usual stumbling block: by default you will not be able to ping an Internet IP through the Palo Alto firewall.

This post gives a few small tricks to get ping working, both to the firewall's own interfaces and out to the Internet.

Topology

Enable Ping on Interfaces

To allow ping and other management traffic destined to the interface itself, configure an Interface Management Profile and apply it to the interface. The profile only governs services the interface answers for (ping, SSH, HTTPS, and so on); traffic passing through the firewall is still controlled by security policy. Enable only the services you actually need on that interface, since anything listed in the profile is reachable by whoever can reach the interface's address.

Steps

    1. Go to Network > Network Profiles > Interface Mgmt.
    2. Create a profile that permits ping.
    3. Go to Network > Interfaces and, under the Advanced tab of the interface, assign the profile created above.
    4. Commit the changes.

      From the CLI (the same three steps, here applied to ethernet1/3):

      > configure
      # set network profiles interface-management-profile mgmt ping yes
      # set network interface ethernet ethernet1/3 layer3 interface-management-profile mgmt

Add a Route Table and Route

By default, all traffic leaving an Azure subnet goes to the Azure default gateway for that subnet, which is the .1 address of the subnet range.

To steer traffic to a virtual appliance such as our Palo Alto firewall instead, we need to create a separate (user-defined) route table and add a route to it.

Create a route for 0.0.0.0/0 with next hop type Virtual appliance and next hop address 10.0.2.4, the Palo Alto firewall interface that will receive the traffic.

Associate the subnet whose traffic should use this route table. Do not associate it with the firewall's own subnets, or the firewall's outbound traffic would be routed back to itself.

Add Public IP Address To Untrusted Interface

By default, without a public IP on the interface, the Azure VNet will not pass ping or tracert traffic to the Internet cleanly.

To get ping working through the Azure network and the Palo Alto firewall, you have to assign a public IP address to the untrusted interface of the Palo Alto.

Associate this new public IP with the Palo Alto's untrusted interface, which is eth1 in Azure (ethernet1/1 in PAN-OS; eth0 is the management interface):

Now you should be able to ping the Internet through the Palo Alto firewall.
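The Azure-side steps from the two sections above (the route table with its default route and subnet association, and the public IP on the untrust interface) are shown here together as a Bicep template. This is an added example written for this post, not the author's configuration or anything from Palo Alto Networks. The resource names, the VNet and subnet names, the address ranges and the untrust private IP are assumptions for illustration; only 10.0.2.4 as the next hop comes from the post. The example also sets enableIPForwarding on the untrust NIC, which Azure requires on every data-plane NIC of a network virtual appliance, since the post does not mention it.

```bicep
// Added example (not from the original post): Azure side of the ping-through setup.
// All names and address values below are assumptions except the 10.0.2.4 next hop.
param location string = resourceGroup().location
param vnetName string = 'fw-vnet'                       // assumed VNet name
param protectedSubnetName string = 'protected-subnet'   // assumed subnet behind the firewall
param protectedSubnetPrefix string = '10.0.3.0/24'      // assumed address range of that subnet
param untrustSubnetName string = 'untrust-subnet'       // assumed subnet holding ethernet1/1
param fwNextHopIp string = '10.0.2.4'                   // firewall interface used as next hop (from the post)
param fwUntrustPrivateIp string = '10.0.1.4'            // assumed private IP of ethernet1/1

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Route table: send everything that is not local to the firewall instead of Azure's .1 gateway.
resource rtViaFirewall 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-via-paloalto'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-fw'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fwNextHopIp
        }
      }
    ]
  }
}

// Associate the route table with the subnet whose traffic should pass through the firewall.
// Do not attach it to the firewall's own trust/untrust subnets.
resource protectedSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: protectedSubnetName
  properties: {
    addressPrefix: protectedSubnetPrefix
    routeTable: { id: rtViaFirewall.id }
  }
}

// Public IP for the untrust side, so outbound ping/tracert leaves via a dedicated address.
resource untrustPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-paloalto-untrust'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Untrust NIC (eth1 in Azure, ethernet1/1 in PAN-OS). enableIPForwarding must be true,
// otherwise Azure drops forwarded packets whose addresses are not the NIC's own.
resource untrustNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-paloalto-untrust'
  location: location
  properties: {
    enableIPForwarding: true
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Static'
          privateIPAddress: fwUntrustPrivateIp
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, untrustSubnetName)
          }
          publicIPAddress: { id: untrustPip.id }
        }
      }
    ]
  }
}
```

Deploy it into the firewall's resource group with `az deployment group create --resource-group <rg> --template-file main.bicep`. Two caveats: a Standard-SKU public IP blocks inbound traffic until a network security group rule allows it, which is what you want on an untrust interface unless you intend to publish something; and IP forwarding only stops the Azure fabric from discarding forwarded packets, so the firewall's own security policy still decides whether the ping is allowed through.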

Updates

After clicking Check Now on the Device > Dynamic Updates page, you will see updates available for download. You can install them once they have been downloaded.

Even if the VM-Series firewall cannot connect to the Palo Alto Networks update server, you can still proceed with installing content that has already been downloaded.

Copyright notice:
Author: ht
Link: https://www.techfm.club/p/7857.html
Source: TechFM
The copyright of this article belongs to the author; please do not reproduce it without permission.
