Palo Alto Networks Notes

All these notes are based on configuring PAN-OS using a VM-300 appliance in Azure.

Some helpful online resources:

Backup and restore using Recovery Services vault:

Important: these were my results using an Azure Recovery Services vault with PAN-OS at the time of writing (November 2019). Personally, I would not recommend enabling it for network appliances in Azure. Instead, back up your configurations, make sure your 'As Built' documentation is complete, and use the two to rebuild the appliance if you ever need to.

If the Azure VM agent (waagent on Unix-like OSs) is present, one of the following happens:

  • The backup works, but the chances of a complete restore vary and are not considered reliable
  • The backup fails
  • The VM agent fails to function in the restored copy

Below are my findings and why I wouldn't recommend configuring backups.

  • Application-consistent backup:
    • Initially worked, but failed the second time around. A crash-consistent backup works every time
    • Performing a live backup broke the Azure VM Agent, much like what occurred with the Juniper vSRX
    • Tested restoring a crash-consistent backup taken prior to this event; the Azure VM Agent still fails to load
    • Tested re-installing PAN-OS on a restored VHD to see whether it brings back the Azure VM Agent (waagent); the Azure VM Agent still fails to load
  • Restore VHD:
    • Works; performed an OS Disk Swap, PAN-OS booted and the firewall was operational
  • Restore complete VM:
    • All interfaces are restored and attached to the selected subnet (management) on the VNet. PAN-OS boots, but I can't log into the Azure Serial Console as the login prompt doesn't appear…
    • The three interfaces are restored, but the public IP for the management interface was re-allocated to the third NIC; it was originally associated with the first NIC
    • Can't get the management interface up, as a policy permits only specific IPs to access it externally - testing from an internally permitted IP address…
  • Restore from configuration (also required if the Azure VM Agent (waagent) stops working):
    • Re-create the VM-300, either from the Azure Marketplace, the GitHub JSON file or via PowerShell
    • Once the new VM has been provisioned, deallocate it before proceeding
    • If the original resources still exist, i.e. the OsDisk and NICs, perform an OS Disk Swap and re-attach the original NICs (mgmt, untrust and trust). This restores:
      • The entire PAN-OS state; no need to restore device state/configuration backups
      • Connectivity, zones and the IP addresses of the interfaces
      • NSG(s) and UDR(s) without any updates being needed
    • When PAN-OS successfully boots, perform the following tasks:
      • Re-install the current or an updated PAN-OS (fixes the Azure Serial Console)

NB: There's a new PAN-OS branch (XFR) that's specific to the VM-Series line of PAN NGFWs. This version is purpose-built for Azure and is worth considering as the branch matures.

  • Create a VM-300 appliance via Azure PowerShell:

While you can create an appliance from the Azure Portal, you can also use PowerShell to define your options and name the associated resources for the appliance to your liking:

Clear-Host
# To list all available regions, run 'Get-AzLocation | Format-Table'
# Declare variables
Write-Host "Azure VM creation script" -ForegroundColor Yellow
$resourceGroup = 'Networking'
$location = 'eastus'
$vmName = Read-Host -Prompt 'Enter VM Name'
$cred = Get-Credential -Message "Enter VM's credentials"
$vnetName = 'magrin-pan'
$vnetSubnet = 'mgmt'
$vmDiskName = ($vmName.ToLower() + '_OsDisk')
$vmDiskSize = 60
$vmDiskAccountType = 'Standard_LRS'
#$vmAvailabilitySet = Get-AzAvailabilitySet -ResourceGroupName $resourceGroup -Name magrin
$vmStorageDiag = Get-AzStorageAccount -ResourceGroupName Servers -Name magrinservers
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $vnetSubnet -VirtualNetwork $vnet
$tags = @{Networking = "Virtual Machine"}

# Create a public IP address for the management interface
$pip = New-AzPublicIpAddress -ResourceGroupName $resourceGroup -Location $location -Name $vmName -AllocationMethod Dynamic -IdleTimeoutInMinutes 4

# Create the management NIC and associate it with the public IP address
$nic = New-AzNetworkInterface -Name $vmName -ResourceGroupName $resourceGroup -Location $location -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Build the VM configuration: size, OS and credentials, Marketplace image and plan, management NIC
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize Standard_B4ms |
    Set-AzVMOperatingSystem -Linux -ComputerName $vmName -Credential $cred |
    Set-AzVMSourceImage -PublisherName paloaltonetworks -Offer vmseries1 -Skus bundle1 -Version latest |
    Set-AzVMPlan -Publisher paloaltonetworks -Product vmseries1 -Name bundle1 |
    Add-AzVMNetworkInterface -Id $nic.Id

# Storage account for boot diagnostics (required for the Azure Serial Console)
$vmConfig = Set-AzVMBootDiagnostics -Enable -ResourceGroupName $vmStorageDiag.ResourceGroupName -VM $vmConfig -StorageAccountName $vmStorageDiag.StorageAccountName

# Name and size the OS disk (a managed disk created from the Marketplace image)
$vmConfig = Set-AzVMOSDisk -CreateOption FromImage -VM $vmConfig -Name $vmDiskName -DiskSizeInGB $vmDiskSize -Caching ReadWrite -StorageAccountType $vmDiskAccountType -Linux

# Accept the publisher's Marketplace terms (a plan image cannot be deployed until this is done)
Get-AzMarketplaceTerms -Publisher paloaltonetworks -Product vmseries1 -Name bundle1 | Set-AzMarketplaceTerms -Accept

# Create the virtual machine
New-AzVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig

# Tag the VM
Set-AzResource -Name $vmName -ResourceGroupName $resourceGroup -ResourceType "Microsoft.Compute/virtualMachines" -Tag $tags -Force

# Write completion message
Write-Host "Azure VM creation completed" -ForegroundColor Green

# Clear variables
Remove-Variable * -ErrorAction SilentlyContinue
  • Change permitted IP for remote management:

configure
set deviceconfig system permitted-ip 11.22.33.44 description Home
commit
  • Change an address object:

configure
set address ip-home ip-netmask 11.22.33.44
commit
  • Update an existing policy:

show running security-policy
configure
set rulebase security rules "RDP 3389 inbound" to Trust
set rulebase security rules "RDP 3389 inbound" from Untrust
set rulebase security rules "RDP 3389 inbound" source any
set rulebase security rules "RDP 3389 inbound" destination any
set rulebase security rules "RDP 3389 inbound" source-user any
set rulebase security rules "RDP 3389 inbound" category any
set rulebase security rules "RDP 3389 inbound" application any
set rulebase security rules "RDP 3389 inbound" service any
set rulebase security rules "RDP 3389 inbound" hip-profiles any
set rulebase security rules "RDP 3389 inbound" action allow
set rulebase security rules "RDP 3389 inbound" log-start yes
commit
  • Azure - Restoring a PAN from backup:

Restore OS Disk (Easier):

  1. Perform a VHD restore
  2. Ensure the OS Disk is a managed disk, then perform an OS Disk Swap with the restored VHD
  3. Boot the PAN with the restored VHD

Restore entire VM (Difficult):

  1. When restoring the complete VM (i.e. the VM, OS Disk and NIC resources), all NICs will be associated with the VNet and subnet that you select in the restore options. Post-restore, you'll need to:
    1. Stop (deallocate) the restored VM
    2. Detach all but the management NIC, i.e. the Untrust and Trust NICs, and delete these detached NICs
  2. Create new NICs for the Untrust and Trust zones, associate them with the appropriate zone subnets, allocate static IPs, enable IP forwarding and associate them with the required NSGs
  3. Update any UDRs if the IP addresses have changed for the restored PAN
  4. Power on the restored PAN
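
The OS Disk Swap from steps 2 and 3 in Azure PowerShell, as an added example that is not part of the original notes; the same swap is what the "Restore from configuration" path above relies on, so this block serves both. The resource group, VM name, disk name and storage account are assumed values (placeholders in angle brackets), and the import step only applies when the VHD restore left an unmanaged blob in a storage account rather than a managed disk. The final check reads the VM Agent status after boot, because the notes above report waagent failing to load after a restore.

```powershell
# Added example: swap the OS disk of an existing VM-300 for a restored disk,
# then confirm the Azure VM Agent came back. All names below are assumptions.
$resourceGroup    = 'Networking'                 # assumed
$vmName           = 'pan-vm300'                  # assumed
$restoredDiskName = 'pan-vm300_OsDisk_restored'  # assumed
$restoredVhdUri   = 'https://<storageaccount>.blob.core.windows.net/vhds/pan-vm300_OsDisk_restored.vhd'  # placeholder

$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

# A VHD restore lands in a storage account as an unmanaged blob. The swap needs a
# managed disk, so import the blob into one if it has not been done already.
try   { $restoredDisk = Get-AzDisk -ResourceGroupName $resourceGroup -DiskName $restoredDiskName -ErrorAction Stop }
catch { $restoredDisk = $null }
if (-not $restoredDisk) {
    $storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name '<storageaccount>'  # placeholder
    $diskConfig = New-AzDiskConfig -Location $vm.Location -AccountType Standard_LRS -OsType Linux `
        -CreateOption Import -SourceUri $restoredVhdUri -StorageAccountId $storageAccount.Id
    $restoredDisk = New-AzDisk -ResourceGroupName $resourceGroup -DiskName $restoredDiskName -Disk $diskConfig
}

# The swap only works while the VM is deallocated.
Stop-AzVM -ResourceGroupName $resourceGroup -Name $vmName -Force

# Record the current disk id so the swap can be reversed if the restored disk will not boot.
$previousOsDiskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
Write-Host "Previous OS disk: $previousOsDiskId"

# Point the VM at the restored managed disk, push the change and boot.
Set-AzVMOSDisk -VM $vm -ManagedDiskId $restoredDisk.Id -Name $restoredDisk.Name | Out-Null
Update-AzVM -ResourceGroupName $resourceGroup -VM $vm
Start-AzVM -ResourceGroupName $resourceGroup -Name $vmName

# PAN-OS takes several minutes to boot; then check whether waagent reports Ready.
# The notes saw the agent fail after a restore, in which case re-install PAN-OS.
Start-Sleep -Seconds 300
$status = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName -Status
$agent  = $status.VMAgent.Statuses | Select-Object -First 1 -ExpandProperty DisplayStatus
if ($agent -ne 'Ready') {
    Write-Warning "Azure VM Agent status is '$agent'; re-install PAN-OS or fall back to rebuilding from configuration."
}
```

Keep the printed previous disk id: if the restored disk fails to boot, the same Set-AzVMOSDisk / Update-AzVM pair with that id puts the original disk back without touching the NICs or their IP addresses.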
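
Steps 1 to 4 of the full-VM restore in Azure PowerShell, as an added example that is not from the original notes. The resource group, VM, NIC, NSG, route table and public IP names and the private IP addresses are all assumed values; the VNet name is taken from the provisioning script above. It also reattaches the management public IP that the restore moved to another NIC (the finding noted above) and repoints internal routes at the Trust interface, which is a check to do even when the IP addresses did not change.

```powershell
# Added example: after a full-VM restore, rebuild the Untrust and Trust NICs and
# repair what the restore moved around. All names and addresses are assumptions.
$resourceGroup = 'Networking'        # assumed
$vmName        = 'pan-vm300'         # assumed
$vnetName      = 'magrin-pan'        # from the provisioning script above
$mgmtNicName   = 'pan-vm300-mgmt'    # assumed: the one NIC kept from the restore
$mgmtPipName   = 'pan-vm300-pip'     # assumed: public IP that belongs on the mgmt NIC
$routeTableName = 'rt-servers'       # assumed: UDR table pointing at the firewall

# Assumed per-zone settings: subnet, static private IP and NSG for each new NIC
$dataNics = @(
    @{ Name = 'pan-vm300-untrust'; Subnet = 'untrust'; Ip = '10.0.1.4'; Nsg = 'nsg-untrust' }
    @{ Name = 'pan-vm300-trust';   Subnet = 'trust';   Ip = '10.0.2.4'; Nsg = 'nsg-trust'   }
)
$trustIp = $dataNics[1].Ip   # next hop for internal routes that send traffic via the firewall

# Step 1: deallocate, then detach and delete everything except the management NIC
Stop-AzVM -ResourceGroupName $resourceGroup -Name $vmName -Force
$vm      = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
$mgmtNic = Get-AzNetworkInterface -ResourceGroupName $resourceGroup -Name $mgmtNicName
$staleNicIds = @($vm.NetworkProfile.NetworkInterfaces.Id | Where-Object { $_ -ne $mgmtNic.Id })
if ($staleNicIds.Count -gt 0) {
    Remove-AzVMNetworkInterface -VM $vm -NetworkInterfaceIDs $staleNicIds | Out-Null
    Update-AzVM -ResourceGroupName $resourceGroup -VM $vm | Out-Null
    foreach ($id in $staleNicIds) { Remove-AzNetworkInterface -ResourceId $id -Force }
}

# The restore moved the management public IP to another NIC; put it back on mgmt
$pip = Get-AzPublicIpAddress -ResourceGroupName $resourceGroup -Name $mgmtPipName
$mgmtNic.IpConfigurations[0].PublicIpAddress = $pip
$mgmtNic = Set-AzNetworkInterface -NetworkInterface $mgmtNic

# Step 2: recreate the data-plane NICs with static IPs, IP forwarding and their NSGs
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$vm   = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
foreach ($n in $dataNics) {
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $n.Subnet -VirtualNetwork $vnet
    $nsg    = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $n.Nsg
    $nic = New-AzNetworkInterface -Name $n.Name -ResourceGroupName $resourceGroup -Location $vm.Location `
        -SubnetId $subnet.Id -PrivateIpAddress $n.Ip -NetworkSecurityGroupId $nsg.Id -EnableIPForwarding
    Add-AzVMNetworkInterface -VM $vm -Id $nic.Id | Out-Null
}
# Keep the management NIC primary so the firewall's first interface stays on the mgmt subnet
$vm.NetworkProfile.NetworkInterfaces | ForEach-Object { $_.Primary = ($_.Id -eq $mgmtNic.Id) }
Update-AzVM -ResourceGroupName $resourceGroup -VM $vm | Out-Null

# Step 3: repoint every virtual-appliance route in the UDR table at the (possibly new) Trust IP
$routeTable = Get-AzRouteTable -ResourceGroupName $resourceGroup -Name $routeTableName
foreach ($route in @($routeTable.Routes | Where-Object { $_.NextHopType -eq 'VirtualAppliance' })) {
    Set-AzRouteConfig -RouteTable $routeTable -Name $route.Name -AddressPrefix $route.AddressPrefix `
        -NextHopType VirtualAppliance -NextHopIpAddress $trustIp | Out-Null
}
Set-AzRouteTable -RouteTable $routeTable | Out-Null

# Step 4: power on and list the NIC order so it can be compared with the PAN-OS interface mapping
Start-AzVM -ResourceGroupName $resourceGroup -Name $vmName
(Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName).NetworkProfile.NetworkInterfaces |
    Select-Object @{ n = 'Nic'; e = { ($_.Id -split '/')[-1] } }, Primary
```

The NIC order printed at the end matters: PAN-OS maps ethernet1/1 and ethernet1/2 to the second and third Azure NICs in attachment order, so compare it with the zone assignments in the restored configuration before re-enabling traffic through the firewall.
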
  • Change the configuration output format (read more here):

set cli config-output-format set
configure
Entering configuration mode
[edit]
show