Deploy Palo Alto in Azure

There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only.

Planning-Includes Minimum Requirement - Without HA

Logical Diagram: 

Create Virtual Network

Name: PAN-VNet
Address Space: 10.0.0.0/16
Subnet Name: Management
Subnet Address Space: 10.0.1.0/24

Subnet Name: Untrust
Subnet Address Space: 10.0.2.0/24

Subnet Name: Trust
Subnet Address Space: 10.0.3.0/24

Resource Group: PA-VNet

 

 Subnet


Spin Web Server Virtual Machine 

Name: SecureWebServices
Image: Windows Server 2016
Resource Group: Services
Network: PAN-VNet
Subnet: Trust
Role: Web Server (IIS) Installed

Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall.

Spin Palo Alto Firewall Virtual Machine

Name: vmseries300
Image: VM-Series Next Generation Firewall (BYOL)
Storage Account: PANStorage
Network: PAN-VNet
Subnet: Match with the Existing subnet
Mgmt = Mgmt
Untrust = Untrust
Trust = Trust

Assign Public IP to xxxxxx-Eth1 - Untrust Interface
Apply DefaultNSG, which had been created while deploying Firewall Virtual Machine to all interface



Configuration of Palo Alto Firewall

Access Palo Alto Firewall via browser :
https://<PAFirewall VM Public address on Azure NIC eth0-Management>
Apply License: Device/Licenses/License Management and click the Activate feature using authorization code (Palo Alto Support Account is required for this)

Create Zone

Network> Zone: Create UnTrust and Trust Zone


Setup Interface

Network>Interface:

For Ethernet1/1
Virtual Route: Default
Security Zone: UnTrust
IPv4 tab: Type: Static
IPv4 tab: Address: Private IP address assigned by Azure in CIDR notation

For Ethernet1/2
Virtual Route: Default
Security Zone: Trust
IPv4 tab: Type: Static
IPv4 tab: Address: Private IP address assigned by Azure in CIDR notation




Configure Virtual Router 

Network> Virtual Router and Open Default
Add Static Route
Name: Default
Destination: 0.0.0.0/0
Interface: Ethernet1/1
Next Hop Type: IP Address
Value: The UnTrust network number with a .1 (UnTrust IP: so, Value= 10.0.2.1-gateway of Untrust Subnet)




Configure Security and NAT for Web Server


- Public IP Address assigned to UnTrusted NIC Eth1 will be used to access Web Services running inside the SecureWebService Virtual Machine

Configure NAT

Policies>NAT- Add
Name: SecureWebServices
Original Packet Tab > Source Zone: Untrust
Original Packet Tab > Destination Zone: Untrust
Original Packet Tabe > Destination Address: Private IP of Eth1/1
Translated Packet Tab: Translated Address: Private IP Address of SecureWebServices NIC


Configure Security

Policy>Security> Add
Name: WebServicesInbound
Source Zone: Untrust
Destination Zone: Trust
Destination Address: Private IP Address of Eth1/1
Application: ms-rdp, web-browsing

Securing Azure VNet
By default, Azure allow inbound and outbound communication with within virtual network and outbound access to the Internet. In order to control the flow of incoming and outgoing traffic from Trust Interface, we will create NSG and enforce rules.

Create Network Security Group (NSG)


Name: TrustedNSG
Add Inbound and Outbound Rules



This will enable unrestricted communication with the services/resources attached to 10.0.3.0/24 address space. However, it can't communicate with other subnets within the network.

Now, associate it to the WebServices NIC

Change the Default Routes behaviour of Azure Network via Default Route

Create new Route Table
Name: TrustedRouting

Once deployment is completed, Open TrustedRouting Route Table.




Click at Routes
Add the following
Route Name: DefaultviaFirewall
Address Prefix: 0.0.0.0/0
Next Hop type: Virtual Appliances
Next Hop address: Private IP of Eth1/2(Trust Interface)


Click at Subnet:
Click at Associate
Choose PaloAltoNetwork
Subnet: Trust





Now, access Web Server using the Ethernet1/1 Public IP address of the Palo Alto Firewall.






Comments

  1. Unknown22 December 2017 at 10:07

    Deepak,no doubt its good article but we need to accomplish Routing,NAT and Rule part as well.
    Keep it up bro we are all benefiting from your research work.

    Thanks,
    Tanveer Bhatti

    ReplyDelete
  2. Unknown1 June 2018 at 02:53

    Thanks for providing for more updates on Azure Azure Online Training Bangalore

    ReplyDelete
  3. Unknown20 July 2018 at 07:51

    And still, if you going for VPN, stick to the bestvpnrating.cоm

    ReplyDelete
  4. Unknown6 August 2018 at 15:37

    Great article... I followed it to the "T" and had one outstanding issue. Once I apply the DefaultviaFirewall route, my virtual servers behind the trusted interface can no longer access the Internet. Is this expected? and if so, who do you work around this issue?

    ReplyDelete
    Replies
    1. Unknown7 August 2018 at 16:25

      Outbound NAT and security rule solved the access from the VMs to the internet.

      Delete
  5. Druss23 August 2018 at 12:58

    How does this apply to access to multiple web servers? How can we configure multiple static NATs?

    In fact we are aiming to have our external firewalls in HA behind a LB but just cannot seem to get traffic routed to the untrust interface of the fw to get to the trusted servee

    ReplyDelete
  6. CrazyTravellers25 January 2019 at 09:25

    This was a great article. Thanks for putting this together

    ReplyDelete
  7. Azure DevOps24 March 2019 at 23:24


    Thank you for sharing
    Microsoft Azure Online Training

    ReplyDelete
  8. bretton atkin10 May 2019 at 00:28

    I am from a Accredited Configuration Engineer background, and now looking for a change in ACE PAN-OS 8.0. Now since do not have much knowledge of ACE Exam. Will Paloalto ACE exam help in getting a decent job? Also You can prepare yourself for the ACE questions to get ACE PAN-OS 8.0 credentials.

    ReplyDelete
  9. Defis14 July 2019 at 12:42

    hi sir,

    why I can't do RDP to the host in azure after do your steps ?

    I only can do remotely by using anydesk :(

    ReplyDelete
  10. Alexander Jacob22 December 2021 at 09:34


    You are truly an excellent webmaster. Site loading velocity is unbelievable. It sounds like you're doing a specific trick. Also, The contents are masterwork. The contents are masterwork. you’ve done a magnificent process on this topic! Turkey e visa cost is required to cover the expenses involved in processing the visa application. The amount will depend on your nationality, purpose of travel and whether you need an e-visa.

    ReplyDelete
  11. Niyaz4 April 2022 at 02:07

    Great Post!!! thanks for it
    Why Java is Platform Independent
    How Java is Platform Independent

    ReplyDelete
  12. Anonymous25 May 2022 at 23:53

    smm panel
    Smm Panel
    Https://isilanlariblog.com/
    İnstagram Takipçi Satın Al
    hirdavatci
    BEYAZESYATEKNİKSERVİSİ.COM.TR
    servis
    Jeton Hile

    ReplyDelete
  13. Edison hope4 August 2022 at 23:39

    Hello everyone, If you are a citizen of Canada and you are planning a trip to Turkey. Turkish visa for Canadian citizens is available online. They can apply for a Turkey visa and enjoy a trip to Turkey.

    ReplyDelete
  14. Johanson28 January 2024 at 22:24

    I'm a consistent blogger, and your content is something I highly appreciate. This great article has caught my attention. I've bookmarked your site and will be checking for updates approximately once a week. I've also chosen to receive your RSS feed.Explore the Best SIM Cards For Tourists In Georgia, ensuring convenient communication and connectivity during your visit. Discover the best deals for seamless internet access in this picturesque destination.

    ReplyDelete
  15. Salva Marquina24 February 2024 at 04:36

    Would you mind if I featured your posts on my blog? I promise to give full credit and cite your sources properly. Given our similar niche, I believe your content would greatly benefit my audience. Thank you for considering my request. Does a US citizen need a visa to go to Egypt? Yes, a US citizen needs a visa to travel to Egypt. However, they can obtain a visa upon arrival at Egyptian airports or apply for an e-visa before their trip. It's advisable to check the latest visa requirements and regulations before traveling.

    ReplyDelete
  16. judeson26 February 2024 at 20:44

    Your blog is a sanctuary of knowledge and inspiration! Each post is a testament to your passion and expertise, offering valuable insights and practical advice. Traveling from Saudi Arabia to Australia offers a diverse experience, from the ancient wonders of Saudi Arabia to the stunning landscapes and vibrant culture of Australia. Prepare for an enriching journey filled with exploration and adventure.

    ReplyDelete

Post a Comment

Popular posts from this blog

Demystifying System and User Define Routes of Azure

Image
As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  Every bus
Read more

Azure Private DNS Zone - App Service Environment V2 Step by step - Part 2

Image
Create a Private DNS Zone for App Service Environment  From the Azure Portal, Click at +, and search for Private DNS Zone, and select Create. Provide the resource group name and Zone name. Make sure it matches with the domain name used in web app running inside the Isolated Environment. Once is completed, create "A" record for '*', '*.scm", web app name, ftp, and publish.  I have not created pointer for ftp and publish.   We can bind this to Virtual Network. App Service Environment V2 Step by step - Part 2
Read more