Palo Alto Networks Notes
All these notes are based on configuring PAN-OS using a VM-300 appliance in Azure.
Some helpful online resources:
- Update polices via CLI
- GitHub Azure Deployment
- Azure Marketplace Pricing
- Management Access
- VM-Series Models and Sizes
- PAN-OS XFR Release
- Azure Deployment Resources here and here
- Azure AD (SAML) Integration - Admin UI
- Azure AD (SAML) Integration - GlobalProtect
Backup and restore using Recovery Services vault:
Important: These were my results using Azure Recovery Services vault on PAN-OS at the time of writing (November 2019). Personally, I would not recommend enabling it for network appliances in Azure. Instead, back up your configurations, ensure your 'As Built' is well documented and utilise the two in the event you need to rebuild your appliance.
If the Azure VM agent (waagent for Unix-like OSes) is present, the backup will either:
- Work, but the chances of restoring it completely will differ and are not considered reliable
- Fail
- Leave the VM agent unable to function in the restored copy
Below are my findings on why I wouldn't recommend configuring backups.
- Application-consistent backup:
  - Initially worked, failed second time around. Crash-consistent backup works every time
  - Performing a live backup broke the Azure VM Agent, much like what occurred with the Juniper vSRX
  - Tested restoring a backup taken prior to this event (a crash-consistent backup); the Azure VM Agent still fails to load
  - Tested whether re-installing PAN-OS on a restored VHD brings back the Azure VM Agent (waagent); the Azure VM Agent still fails to load
- Restore VHD:
  - Works: performed an OS Disk Swap, PAN-OS booted and the firewall was operational
- Restore complete VM:
  - All interfaces are restored and attached to the desired subnet (management) on the VNet. PAN-OS boots, but I can't log into the Azure Serial Console as the login prompt doesn't appear…
  - The three interfaces are restored, but the public IP for the management interface was re-allocated to the third NIC, whereas originally it was associated with the first NIC
  - Can't get the management interface up, as a policy only permits specific IPs to access it externally - testing an internally permitted IP address…
- Restore from configuration (also required if the Azure VM Agent (waagent) stops working):
  - Re-create the VM-300, either from the Azure Marketplace, the GitHub JSON file or via PowerShell
  - Once the new VM has been provisioned, deallocate it before proceeding
  - If the resources still exist, i.e. the OsDisk and NICs, perform an OS Disk Swap and re-attach the original NICs (mgmt, untrust and trust). This restores:
    - The entire PAN-OS state; no need to restore device state/configuration backups
    - Connectivity, zones and IP addresses of interfaces
    - No need to update NSG(s) or UDR(s)
  - When PAN-OS successfully boots, perform the following tasks:
    - Re-install the current or updated PAN-OS (fixes the Azure Serial Console)
NB: There's a new PAN-OS branch (XFR) that's specific to the VM-Series line of PAN NGFWs. This particular version is purpose-built for Azure and would be worth considering as the branch matures.
- Create a VM-300 appliance via Azure PowerShell:
While you can create an appliance from the Azure Portal, you can also use PowerShell to define your options and name the associated resources for the appliance to your liking:
- Change permitted IP for remote management:
  - Change the object address (the address object below is named ip-home; commit applies the change):
    configure
    set address ip-home ip-netmask 11.22.33.44
    commit
  - Update an existing policy:
- Azure - Restoring a PAN from backup:
Restore OS Disk (Easier):
- Perform a VHD restore
- Ensure the OS Disk is a managed disk, then perform an OS Disk Swap with the restored VHD
- Boot the PAN with the restored VHD
Restore entire VM (Difficult):
- When restoring the complete VM (i.e. VM, OS Disk and NIC resources), all NICs will be associated with the VNet and subnet that you select in the restore options. Post-restore, you'll need to:
  - Stop (deallocate) the restored VM
  - Detach all but the management NIC, i.e. the Untrust and Trust NICs, and delete these detached NICs
  - Create new NICs for the Untrust and Trust zones, associate them with the appropriate subnets, allocate static IPs, enable IP forwarding and associate them with the required NSGs
  - Update any UDRs if the IP addresses have changed for the restored PAN
  - Power on the restored PAN
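The post-restore NIC rebuild above, written out as an Az PowerShell script. This is an added example, not a script from the original notes or from Palo Alto Networks; every resource group, VM, VNet, subnet, NSG, route-table name and IP address in it is a placeholder you would replace with your own.

```powershell
# Added example: rebuild the Untrust/Trust NICs of a restored VM-Series firewall.
# All names, subnets and addresses below are placeholders (assumptions), not values from the notes.
$rg          = 'rg-firewall'           # resource group of the restored VM
$vmName      = 'pan-vm300-restored'    # restored VM name
$location    = 'australiaeast'         # region the VM lives in
$mgmtNicName = 'pan-mgmt-nic'          # the one NIC you keep
$vnet        = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'

# 1. Stop (deallocate) the restored VM before touching its NICs
Stop-AzVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 2. Detach every NIC except the management NIC, then delete the detached NICs
$dataNicIds = @($vm.NetworkProfile.NetworkInterfaces.Id | Where-Object { ($_ -split '/')[-1] -ne $mgmtNicName })
foreach ($id in $dataNicIds) { Remove-AzVMNetworkInterface -VM $vm -NetworkInterfaceIDs $id | Out-Null }
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
foreach ($id in $dataNicIds) { Remove-AzNetworkInterface -ResourceGroupName $rg -Name (($id -split '/')[-1]) -Force }

# 3. Re-create the Untrust and Trust NICs: static private IP, IP forwarding on, NSG attached.
#    A NIC given -PrivateIpAddress is created with static allocation.
$dataNics = @(
    @{ Name = 'pan-untrust-nic'; Subnet = 'untrust'; Ip = '10.0.1.4'; Nsg = 'nsg-untrust' },
    @{ Name = 'pan-trust-nic';   Subnet = 'trust';   Ip = '10.0.2.4'; Nsg = 'nsg-trust'   }
)
foreach ($n in $dataNics) {
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $n.Subnet
    $nsg    = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $n.Nsg
    $nic    = New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name $n.Name `
                  -SubnetId $subnet.Id -PrivateIpAddress $n.Ip `
                  -NetworkSecurityGroupId $nsg.Id -EnableIPForwarding
    Add-AzVMNetworkInterface -VM $vm -Id $nic.Id | Out-Null
}
# With several NICs the VM needs exactly one primary; keep it on the management NIC
$vm.NetworkProfile.NetworkInterfaces | ForEach-Object { $_.Primary = (($_.Id -split '/')[-1] -eq $mgmtNicName) }
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# 4. Point the spoke UDR at the firewall's Trust IP in case it changed during the restore
$rt = Get-AzRouteTable -ResourceGroupName $rg -Name 'rt-spoke'
Set-AzRouteConfig -RouteTable $rt -Name 'default-via-pan' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress '10.0.2.4' | Out-Null
Set-AzRouteTable -RouteTable $rt | Out-Null

# 5. Power the restored firewall back on
Start-AzVM -ResourceGroupName $rg -Name $vmName
```

Run it from a session already signed in with Connect-AzAccount and pointed at the right subscription; step 2 relies on the VM being deallocated, which is why step 1 uses -Force and waits for completion.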
- Change configuration output, read more here
  set cli config-output-format set
  configure
  Entering configuration mode
  [edit]
  show