Create a Palo Alto Networks VM-Series Firewall VNF

Device Connectivity Management

This topic explains how to create and operate a Palo Alto Networks VM-Series Firewall. See Palo Alto Networks VNF Specifications for CPU, Memory, Software Package and other information about the Palo Alto Networks VM-Series Firewall virtual device.

Licensing

Obtain a license from the vendor device reseller for a VM-Series Firewall device. Bring Your Own License (BYOL) is the only available option for this virtual device. Network Edge supports both Fixed and Flexible vCPU licensing models. A Flexible vCPU license requires a specific version of PAN-OS. You will need an Auth Code (an 8- or 9-digit alphanumeric code) when creating a VM-Series Firewall VNF.

Deployment Type

There are three deployment types available for the VM-Series Firewall.

Deployment Type – Description
  • Single – Provision a single device that operates as a standalone device. Another single device can be paired with the existing single device (requires the same resource configuration) to form local redundancy (redundancy in a single metro) or geo-redundancy (each device operates in a different metro).
  • Redundant – Provision two firewall devices. Each device operates individually, and you are responsible for configuring them in an Active-Active fashion. You have the option of deploying both devices in two different metros (recommended) to achieve a distributed architecture, or keeping both devices in the same metro.
  • Cluster – Provision two firewall devices with Active-Standby redundancy in a single metro. (No geo-redundancy option is available.)

Create a VM-Series Firewall

  1. Sign in to the Network Edge Marketplace. If the Identity and Access Management (IAM) feature is enabled for your account, make sure to switch to the intended Project Name/ID before proceeding to the device creation workflow.
  2. Click Select and Continue on the Palo Alto Networks VM-Series Firewall card to start device creation.

    Note: Click View Details on the card to see a preview of the configuration options available for this virtual device.

  3. Select the Deployment Type (Single, Redundant, or Cluster). If you select Redundant, follow the workflow and select the Redundancy option (create a new pair of redundant devices, or add an additional device to an existing device).

  4. In the Select Edge Device Location section, click a location.

  5. In the Account section, select a billing account from the Your accounts in this metro drop-down.

    Note: Metro selection is linked to your billing account country. For example, if you select Silicon Valley as the deployment metro, you will need to have a billing account in the United States. If you need to deploy the VNF to a different metro such as Tokyo, you need to create a billing account in Japan.

    If you do not have a billing account for the selected metro, a message will display.

    To create a billing account, click Go to Account Management, and then click Create New Billing Account. Without selecting an account, you will not be able to create your device. For more information, see Billing Account Management.

  6. In the Connectivity Type section, select either With Equinix Public IP Address or Without Equinix Public IP Address. For more information, see the Connectivity Type section to determine which connectivity type is right for your deployment.

  7. In the Licensing section, enter an Auth Code in the Bring Your Own License card if your Connectivity type is With Equinix Public IP Address. If your Connectivity type is Without Equinix Public IP Address, the Auth Code needs to be applied manually using CLI or through a device management application such as Panorama after the device is provisioned.

  8. In the Device Resources section, select the virtual machine resource type, along with the Software Package and Software Version. See Palo Alto Networks VNF Specifications for more information.

    If a software version is being retired within the next 2 months, you will see an icon next to the version number. It is strongly recommended that you select a different version, because once a version is retired, Equinix will not support it.

    Note: The Flexible vCPU license requires a specific version of PAN-OS.

  9. In the Device Details section, enter:

    • Device Name – Enter a name for the device to be used in the Fabric portal.
    • Host Name Prefix – Enter a host name prefix for the VNF.
    • Click to see the naming rules.
  10. In the Interfaces section, keep the default number of interfaces available on the VNF. If you select the With Equinix Public IP Address connectivity option, you have the option to map your firewall management interface to the private virtual connection. This option allows you to run the Panorama application in the private network and manage the firewalls with it. If this option is not selected, your management interface will be connected through the Internet. You can also automatically map the WAN/SSH interface to the next available interface, or manually select a specific interface for WAN/SSH use. The WAN/SSH interface provides Internet access. With the Without Equinix Public IP Address option, there is no WAN/SSH interface available for mapping.

  11. In the Device Status Notifications box, enter the email addresses of anyone who should receive email notifications regarding device status.

    Note: We strongly recommend adding multiple email addresses so that more than one user receives any notification for this device.

  12. (Optional) In the Optional Details box, enter the Purchase Order Number and Order Reference/Identifier.
  13. In the Term Length drop-down menu, select a term length.
  14. Click Next: Additional Services to add additional services. Additional Services options are based on connectivity type.
  15. Configure the additional services. Availability by connectivity type:

    Configuration                                   With Equinix Public IP Address   Without Equinix Public IP Address
    Add User                                        Yes                              Yes
    SSH RSA Public Keys                             Yes                              Optional
    Diverse Compute from an Existing Single Device  Yes                              Yes
    Access Control List Template                    Yes                              N/A (No WAN/MGMT Interface)
    Additional Internet Bandwidth                   Yes                              N/A (No WAN Interface)

    • Add Users – Enter a user name for SSH and Web-Console access.
    • (Optional) RSA Public Keys – Enter an existing RSA Public Key, or click Add New RSA Public Key to generate a new one. See Network Edge Device Access for more information about generating an RSA public key.
    • Diverse Compute from an Existing Single Device – If you already have another single device and you want this new device to exist in a different plane, click Select Diverse From and then select the existing device.
    • Add Access Control List Templates – Select an access control list (ACL) template. This template will be applied to the gateway interface connected to the WAN/SSH interface of your VNF. ACL templates control communication from the Internet. For more information, see the ACL documentation. This option is available only for the With Equinix Public IP Address connectivity option.

      Note: By default, the communication required for initial bootstrap (DNS, NTP, License Server communication, SD-WAN controller communication, etc.) is allowed so that the initial VNF configuration can complete. Additional protocols such as SSH need to be intentionally permitted using an ACL template (Custom ACL). If you need to create a template to apply to your device, click Create Access Control List Template. See Configure Access Controls on Virtual Devices for more information.

    • Additional Internet Bandwidth – Add between 25 and 5000 additional Mbps of Internet bandwidth (for a fee). 15 Mbps of Internet bandwidth is included free in the package by default. This option is available only for the With Equinix Public IP Address connectivity option.
  16. Click Next: Review.
  17. In the Terms & Conditions box, click Review and Accept Order Terms.
  18. Select I have read and understand these terms and click Accept.
  19. Click Create Virtual Device.

Important: Your device will be assigned an external IP address for reachability when the With Equinix Public IP Address connectivity option is selected. If you change the configuration, you could experience connectivity issues.

Connectivity Type

The Connectivity Type feature is available for the Palo Alto Networks VM-Series Firewall VNF. It lets you choose whether the VNF includes a virtual interface with a Public IP address from Equinix. This helps in cases where a VNF needs to be separated from the Internet: you can then manage the virtual device from your private network or a virtual connection, not from the Internet.

Note: The Connectivity Type option is only available when provisioning a new device. This option can't be enabled for devices provisioned before the 2023.4 release.

The following diagrams show the two connectivity types, with and without an Equinix Public IP address. The connectivity type with an Equinix Public IP Address itself offers two options: the first connects the VNF management interface to the Internet; the second connects the VNF management interface to the private virtual connection, where a management application such as Panorama can be deployed.

Diagram: With Equinix Public IP Address

Diagram: With Equinix Public IP Address (Management through Private Virtual Connections)

Diagram: Without Equinix Public IP Address (No Internet Connectivity)

The following comparison summarizes the two connectivity type options and the differences between them.

Use Cases
  • With Equinix Public IP Address – This option comes with Public IP Addresses from Equinix and does not require an additional Virtual Connection to manage the virtual device. After the 2023.8 release, you can choose an option to connect the firewall management interface to the private virtual connection.
  • Without Equinix Public IP Address – This option removes the Equinix-sourced Public IP Address assignment and segregates the VNF from the Internet after device creation. If the device needs to be managed by software running in the Colo cage or through a private virtual connection, this option is recommended.

Internet Connectivity
  • With Equinix Public IP Address – Public IP addresses from Equinix are assigned to the following interfaces, which are accessible from the Internet: Management (MGMT) and Ethernet 1/1 (WAN).
  • Without Equinix Public IP Address – No public IP Address from Equinix is included. This option requires a separate virtual connection from your Network Service Provider (NSP) or Internet Service Provider (ISP). See Bring Your Own Connection - Remote Fabric Port for more information.

Access Control List
  • With Equinix Public IP Address – Create an Access Control List (ACL) to limit traffic to the VNF Management (MGMT) or WAN interface.
  • Without Equinix Public IP Address – The ACL option is not available. Additional compensating controls can be implemented for traffic from any private virtual connection.

SSH Access
  • With Equinix Public IP Address – Use the Ethernet 1/1 (WAN) interface for SSH access. You are required to generate an RSA public key for SSH access and configure it in the device creation workflow (mandatory).
  • Without Equinix Public IP Address – No SSH access by default. You need to create a user name for device access. One option is to generate an RSA public key for SSH access and configure it. Establish Internet connectivity through your NSP or ISP.

Device Manageability
  • With Equinix Public IP Address – For Single/Redundant devices, Management (MGMT) is mapped to Panorama access by default. Use the Service Route feature to re-map it to a different interface. For Cluster devices, Panorama access can be mapped only to the Management (MGMT) interface.
  • Without Equinix Public IP Address – A virtual connection (via the BYOC option) needs to be assigned to the Management (MGMT) interface first for Panorama accessibility, for Single, Redundant, and Cluster deployments.

License Registration
  • With Equinix Public IP Address – Provide the Auth Code during the device creation workflow. The Auth Code is registered automatically when the virtual device reaches out to the Palo Alto Networks license registration server.
  • Without Equinix Public IP Address – No Auth Code is required during the device creation workflow. You are responsible for registering the license, using Internet access through a private virtual connection (Online License Registration) or an Offline Mode License.

Clustering Setup
  • With Equinix Public IP Address – Cluster setup is automated during the device creation workflow.
  • Without Equinix Public IP Address – You are required to configure cluster devices manually.

Set Up Palo Alto Networks VM-Series Firewall without Equinix Public IP Address

When the connectivity type Without Equinix Public IP Address is selected, the VNF is provisioned without any public IP Address on the WAN or Management interface. You are responsible for configuring the license registration, overlay network configuration, and clustering (optional). For more information, see the VM-Series Firewall documentation.

Management Interface Configuration

The following is a sample configuration, for reference only, for management interface setup. Enter configuration mode first and commit the changes afterwards; replace x.x.x.x, y.y.y.y and z.z.z.z with the management IP address, netmask and default gateway of your private virtual connection.

Commands
configure
set deviceconfig system type static
set deviceconfig system ip-address x.x.x.x
set deviceconfig system netmask y.y.y.y
set deviceconfig system default-gateway z.z.z.z
commit

License Registration

You are responsible for manually adding the license to the device. You should already have access to the Palo Alto Networks Customer Support Portal (License portal), where you can register your device using its UUID and CPU-ID information. Use the license key from the portal to add the license on the device. License activation is described in the Palo Alto Networks documentation.

Deployment Scenarios

The following section describes deployment scenarios Without Equinix Public IP Address.

Scenario 1: Manage Firewall from Colocation (Offline License Registration)
Requirement
  • Management interface accessible only from the network connected to colocation space

  • Offline License registration

Deployment Flow
  1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal.

  2. Log in to the VNF console with your username and password.

  3. Create a virtual connection from the VNF to colocation on the first interface (management interface).

  4. Assign an IP address to the management interface.

  5. Confirm IP reachability from devices in the colocation space.

  6. Access the VNF using SSH from a device in the colocation space.

  7. Identify the CPU ID and UUID for the VNF.

  8. Access the Palo Alto Networks Customer Support Portal (License portal) and generate a license for this VNF.

  9. Apply the offline mode license to the VNF.

  10. (Optional) You can manage the VNF from Panorama management software configured in the colocation space.

  11. Create the virtual connections to the Cloud Service Providers (CSPs) from the remaining interfaces.

  12. Continue to use offline device management for software updates.


Scenario 2: Manage Firewall from an NSP Network (Online License Registration)
Requirement
  • Management interface accessible from the NSP Virtual Connection or BYOC connected interface

  • Online License registration

Deployment Flow
  1. Create a VM-Series firewall VNF Without Equinix Public IP Address in the Network Edge portal.

  2. Log in to the VNF console with your username and password.

  3. Create a virtual connection from the VNF to the NSP on the first interface (management interface).

  4. Assign an IP address to the management interface.

  5. Confirm IP reachability from devices in the NSP network.

  6. Access the VNF using SSH from a device in the NSP network.

  7. Identify the CPU ID and UUID for the VNF.

  8. Access the Palo Alto Networks Customer Support Portal (License portal) and generate a license and auth code for this VNF.

  9. Apply the Auth Code to the VNF.

  10. (Optional) You can manage the VNF from Panorama management software configured in the NSP network.

  11. Create virtual connections to CSPs from the remaining interfaces.
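The console-side steps of both scenarios (assign a management IP address, identify the UUID and CPU ID, register the license) can be carried out from the PAN-OS CLI as shown below. This is an added, reference-only example, not Equinix's or Palo Alto Networks' own configuration. It extends the sample in Management Interface Configuration with the settings a firewall provisioned Without Equinix Public IP Address needs: DNS and NTP reachable over the private virtual connection, so that online license registration (Scenario 2) can reach the license server, and a permitted-ip restriction on the management plane, which is one form of the compensating control the connectivity type comparison mentions in place of an ACL template. The hostname, all addresses (10.0.10.x, 10.0.0.0/24) and the Auth Code are placeholder values; the lines beginning with # are explanatory and are not PAN-OS syntax.

```text
# Operational mode: record the identifiers the License portal asks for (step 7 of both scenarios).
# On VM-Series, "show system info" reports vm-uuid and vm-cpuid among its other fields.
show system info

configure

# Static management IP on the interface mapped to the private virtual connection (placeholder values).
set deviceconfig system hostname ne-pan-fw-01
set deviceconfig system type static
set deviceconfig system ip-address 10.0.10.5
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 10.0.10.1

# DNS and NTP servers reachable through the NSP or colocation connection; the firewall needs both
# before it can resolve and contact the Palo Alto Networks license server (Scenario 2).
set deviceconfig system dns-setting servers primary 10.0.10.53
set deviceconfig system dns-setting servers secondary 10.0.10.54
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 10.0.10.123

# Compensating control for the missing ACL template: only the administration subnet in the
# colocation/NSP network (placeholder 10.0.0.0/24) may reach the MGMT interface at all.
set deviceconfig system permitted-ip 10.0.0.0/24

# Leave only SSH and HTTPS enabled on the management plane.
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-http yes

commit
exit

# Online license registration (Scenario 2, step 9) with the Auth Code generated in the License portal.
request license fetch auth-code XXXXXXXX
```

Before committing the permitted-ip entry, make sure it covers every host you manage the firewall from, including the Panorama server if you use one, since anything outside the listed ranges is dropped by the management plane and you would have to return to the VNF console to recover. For Scenario 1 (offline registration), skip the final request line and install the license file obtained from the portal instead, following the Palo Alto Networks license activation documentation.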