Palo Alto VM-Series Firewall Configuration in Azure

There are some configuration on Azure network to get your Palo Alto firewall working well for the passing through traffic. Especially for ping traffic, by default, you wont be able to ping Internet ip through Palo Alto firewall. 

In this post, it will give you some small tricks to get ping working for local interfaces and internet. 

Topology

Enable Ping on Interfaces

Steps

1. Go to Network > Network Profiles > Interface Mgmt
2. Create a profile allowing ping:

1. Go to Network > Interfaces and assign the profile, created above, to the interface under the Advanced tab:
   
2. Commit the changes

   From CLI:

   > configure
   # set network profiles interface-management-profile mgmt ping yes
   # set network interface ethernet ethernet1/3 layer3 interface-management-profile mgmt
   

Associate this new public ip with Palo Alto's untrusted interface, which is eth1:

Now you should be able to use Ping to Internet through Palo Alto firewall.

Updates

After did Check Now from Device -> Dynamic Updates page, you will be able to see some updates available for downloading.  You can install them after downloaded. 

Even the VM firewall is not able to connect to Palo Alto networks update server, you will be still able to proceed with installation without valid the content. 

References

• DOES AZURE CLOUD SUPPORT PING AND TRACEROUTE
• Azure Virtual Network frequently asked questions (FAQ)
• New VM-100 deployment, cannot ping or tracert to external websites
• Palo Alto Firewall Lab Setup-Allow Inside Users To The Internet