All Azure Technologies @ one Place

Set up Active/Passive Palo Alto DataCenter Firewall on Azure - Part Three

11/20/2020

In the Previous Post, I've explained how to configure Palo Alto VMs from Azure side including the configuration of floating-IPs

In this Post, I will explain how to complete the configuration from Palo Alto side

Steps

1- Login to 1st Palo Alto Firewall using the public IPs
2- Enter the credentials

3- On the Main screen you will see the current active firewall in case you have active/passive scenario

4- Next Step is Assigning the IPs for the interfaces, including the Floating IPs

5- Select the First Interface in order to assign the IP

6- Then you have to Add a Virtual Route between the Interfaces (trust and untrust)

7- You can add multiple Static Route between your subnets

Below is an example:

8- At this point, you are ready to add new Policies and Objects to your firewalls, using the Device Groups tabs in Panora-ma, and configure more Network and Device settings using the Templates tabs.

You can go through this guide porvided from Palo Alto for more details about adding polices
Read the Guide

Feel free to post any question in comments secion

2 Comments

AyGit

1/20/2022 10:51:32 pm

Hello Mohammad

Great detailed posts ! Thanks.

Based on your experience you have, I'd like to request a question for an architecture I'd like to implement.
Did you already faced with applications which are in different HA modes and secured (Firewall) with the deplyoment of NVAs (such as Palo Alto) in each region:
1- Active/Passive mode spread through 2 regions
2- Active/Active mode spread through 2 regions

The assumptions are:
- Region#1: East US (always Active)
- Region#2: North Central US (Active or Passive - depending the case)
- Firewall NVA: deployment of Azure Autoscaling Palo Alto firewalls with Inbound and Hub VMSS in each region
- Usage of cloud native solution as much as possilbe for the other security features (DDoS, WAF
* Front Door (global service) or App GW (regional needs)
* Azure Standard LB
* Azure DDoS & WAF

So, do you think that I can respond to the HA requirement with Azure Front Door?

I can send a diagram if you agree.

Kind regards.

AyG

Rousan

1/27/2022 01:47:41 am

Thanks AyGit for your kind words,

For sure you can use Layer-7 load balancer such as the Front Door or Azure Application Gateway. In this case, the NVAs will only require an internal Load Balancer in front of them, since traffic from the Front Door/Application Gateway will be sourced from inside the VNet, and traffic asymmetry is not a concern.

Point to Cosnider:
While both Front Door and Application Gateway are layer 7 load balancers, the primary difference is that Front Door is a non-regional service whereas Application Gateway is a regional service. While Front Door can load balance between your different scale units/clusters/stamp units across regions, Application Gateway allows you to load balance between your VMs/containers etc. that is within the scale unit.

so for sure you can use it

Author

Mohammad Al Rousan is a Microsoft MVP (Azure), Microsoft Certified Solution Expert (MCSE) in Cloud Platform & Azure DevOps & Infrastructure, An active community blogger and speaker. Al Rousan has over 8 years of professional experience in IT Infrastructure and very passionate about Microsoft technologies and products.

Top 10 Microsoft Azure Blogs

Set up Active/Passive Palo Alto DataCenter Firewall on Azure - Part Three

Steps

Leave a Reply.

Author

Archives

Categories