Palo Alto Networks PCNSE – Azure Palo Alto VM Deployment
May 7, 2023

1. Azure Networking Concepts

So in this lecture, we'll talk about Azure Palo Alto firewall deployment. Before we show you how to do this, the first step is to make sure we understand what Azure Networking consists of. The first thing you create in Azure Networking is the Virtual Network, and the Virtual Network is basically your overarching address space in Azure. For example, you can create the overarching address space 10.1.0.0/16 and create different layer 3 subnets under that. Your hosts sit on those layer 3 subnets. So you can have a layer 3 subnet that we could call Trust, with the subnet 10.1.1.0/24, and then another layer 3 subnet called Untrust, with 10.1.2.0/24. The layer 3 subnets are basically where you place the hosts.

So the Virtual Machine goes on the subnets. The virtual machine has two pieces of terminology: the VM itself, which you know, and the Network Interface. The Network Interface is basically the connection to the subnet. Now, the subnet can reside in a routing table. The subnet is where you place your Virtual Machine, and then you have routing tables. The routing table dictates the routes for the subnet. So inside the routing table you place your subnet: for Trust, you create a routing table for Trust, and a routing table for Untrust. So the components are the Virtual Network; then you create subnets, which is where you place the Virtual Machines; then you create routing tables, which is where you place the subnets.

So here, let's assume we're going to create the Trust subnet 10.1.1.0/24, and it sits inside a routing table for Trust; and then I have a routing table for Untrust that has the subnet 10.1.2.0/24. When you create a subnet, as soon as you put a Virtual Machine inside the subnet, the Azure network uses .1, .2 and .3 for routing connectivity. The .1 address is basically the default gateway for the machine. So if you create a machine on the Trust network, its default gateway would be 10.1.1.1, and the same thing for the Untrust routing table: if you create a Virtual Machine there, its default gateway is .1, which is the Azure gateway for the subnet the VM interface sits on.

Okay, so: Virtual Network, subnets, and then routing tables. Inside the routing tables you put your routes. So say I'm going to create a Virtual Machine here for the Palo Alto Firewall and place one of its interfaces in Trust. This is the trust interface; let's say ethernet1/2. It's going to be in the Trust segment, and you're going to have another interface in the Untrust segment; let's put ethernet1/1 in the Untrust segment. Then you place other virtual machines in the Trust segment, VM, VM, right? Because we want to be able to route the traffic through the Palo Alto Firewall, what will happen is that the PA-VM here is sitting on the trust side.

We need to send any network traffic we want to protect to the network interface of the PA-VM. So if I have a virtual machine sitting here and it sends a packet, the packet comes to the Trust subnet, and the Trust subnet looks up the trust routing table to see if there's a specific route. There's no specific route, so it uses 0.0.0.0/0. And because I specified in the routing table that this goes to the Palo Alto virtual machine's interface, the Azure network forwards it to the PA-VM trust interface. But once it reaches the VM, the VM needs to make a routing decision. So, exactly the same way you set it up in your lab, you set a default route 0.0.0.0/0, and that default route needs to point to the Untrust default gateway, which is 10.1.2.1.

The packet comes in on the Trust interface because I specified in the Trust subnet's routing table that my default gateway is the Palo Alto VM. It comes to the Palo Alto VM trust interface; the Palo Alto VM looks inside its routing table and says, oh, my default route goes to the Untrust, and forwards it to 10.1.2.1. Okay? So inside the Untrust you have to specify the default route to reach the Internet, and basically in the Untrust routing table you say send it to the Internet. So let's draw this out again. We have the Palo Alto VM, its ethernet interface is on trust, and trust sits inside the routing table.

The trust segment sits inside the routing table, and this routing table has a default route that says send to the IP address of the PA trust interface, which will be the first IP address available, because .1, .2 and .3 are used by the Azure infrastructure. That's the first routing table. Then it gets to the Palo Alto Firewall. The Palo Alto Firewall has a routing table inside it that says anything that matches the default route goes out the ethernet1/1 interface. It goes through ethernet1/1, gets to the Untrust segment, gets into the Untrust routing table, and inside that routing table there's a default route, 0.0.0.0/0, send it to the Internet gateway. So that Internet gateway is the default route.

It's basically going to send it to the Internet. But I want to say what my next hop is to reach the Internet: the next hop is 10.1.2.1, which is the IP address of the routing infrastructure of Azure. So now the traffic from the VM sitting behind the trust goes out through the Palo Alto Firewall, gets to the untrust interface, then to the Azure untrust router, which checks its routing table and finds that it goes to the Internet gateway. However, when you set this up in Azure, this is a private address, 10.1.2.4 for example, and this one is private too, 10.1.1.4. Because this is private, we need to create a public IP assignment. The public IP assignment basically says 10.1.2.4 is using whatever public IP is available, and that is a dynamic assignment.

So the dynamic assignment changes every time the VM is rebooted. Once you specify dynamic, it picks one of the IP addresses from the pool, say 12.1.1.5. Traffic that goes to the Internet basically gets NATed on this Internet gateway, which is an Azure function, right? You don't see it; it gets NATed to the public IP. So my 10.1.2.4, which is the IP address of the untrust interface of the Palo Alto Firewall, once it gets routed to the Internet gateway, gets NATed behind 12.1.1.5 in our example here. And the reverse traffic is NATed as well.

So that basically allows you to route the traffic to the Internet, and the return traffic comes back to the Palo Alto Firewall. In the case of dynamic NAT, let's say you have multiple VMs here; you create a dynamic NAT pool that says any traffic coming in from source 10.1.1.0/24, use Dynamic IP and Port, which will be the Dynamic IP and Port of ethernet1/1. That maps it to the IP address 10.1.2.4, and as a result the traffic that gets to the Internet is dynamically NATed behind 10.1.2.4, which in turn gets NATed to the IP address 12.1.1.5. All your internal virtual machines will now be able to access the Internet through the Palo Alto Firewall, through the translation that happens on the Internet gateway. That basically is the gist of it. It's the same thing we did in the Amazon setup, and the same applies in Azure. The purpose of this lecture is to show you how it's done; in the next lecture we'll go through the setup and configure what we discussed here.

2. Setup Palo Alto VM In Azure

So once you log into the Azure environment, the first step, like we discussed in the previous lecture, is to set up the Virtual Network. We call this testnet and choose the address space 10.1.0.0/16. The subnet we can leave at the default for now; we're going to create different subnets. This is basically the first subnet it recommends. Create a Resource Group; you can give it a name, the testnet resource group, and create it. It takes a little bit of time to deploy. So now we've created the resource group and the Virtual Network. We're going to create subnets; we can refresh here, then open up the testnet Virtual Network and click on Subnets.

We're going to add a subnet. We'll call this trust-palo and give it 10.1.1.0/24. We're not going to use a Network Security Group because we're going to rely on the Palo Alto Firewall to do the security. Right now the route table is none, and we leave it none; we're going to add a route table a little later. So that adds the subnet, and we need to add a subnet for untrust: untrust-palo, all the same, security group none, route table none. So we have two subnets, trust-palo and untrust-palo. Now we're going to create route tables. We go into the menu here and search for route tables. We're going to create two route tables, one for the internal network, the trust network route table.

We can use an existing resource group; we're going to use the existing testnet resource group we created. Create that and refresh. Then we create an untrust route table, choose existing, choose testnet, and create. So now we've created the two route tables. Now we want to open up the trust route table and associate it with the subnet of the trust network. We choose the overarching Virtual Network, and then we can choose trust-palo for that route table. So now the trust route table has the trust-palo subnet. Then the untrust route table: we're going to add a subnet, add untrust. So we choose the Virtual Network and then the untrust subnet.

And now the trust route table has the trust subnet (click on Subnets, see trust-palo) and the untrust route table has untrust. So now that I've created the route tables, we're going to create the Virtual Machine. We go to Virtual Machines, add a virtual machine, and filter by Palo Alto. We're going to use the Pay-As-You-Go Bundle 2 and click Create. In the basic configuration, first you give it a name, testpalo1, and then you create a username you can use to connect to the Palo Alto firewall; let's call this paloadmin. Give it a password; it has to be twelve characters.

So we give it a password here, and then we choose the resource group. The existing resource group testnet is already used, so we create a new one; we're going to call this palotest2. Then we choose the virtual network testnet and configure the subnets. The management subnet: this is the default management subnet, so we choose default, which is 10.1.0.0, and it's not associated with any route table right now. The reason is that I want to be able to manage the firewall; we'll see how to manage it once it gets deployed. Then the untrust subnet, we choose untrust-palo, and then the trust subnet.

We choose trust-palo, and here it says the selected subnet must be unique, select a different subnet. Okay, it just sometimes acts up for no reason. Network Security Group: we're basically going to allow everything; this access list is going to allow everything right now. Click OK and configure the required settings. We're going to add the storage account; just create a storage account if you haven't created one, which provisions the storage, then click OK. You can give it a DNS name if you want, testpalo2. The public IP address: it's going to automatically assign a public IP address for the management interface, which is fine because that's how we're going to manage it. Give the VM a name and choose the virtual machine size, the standard one with four cores and 14 GB, that's fine.

And then basically that's the setup here, and I have the deployment in progress. I see the network interfaces of testpalo2: the management interface, ethernet 0, ethernet 1, ethernet 2. I see the virtual machine getting created and the public IP address. That public IP address is for the management. We can click on the public IP address and see the IP address here, which means it's provisioned, and I can go ahead and start the interface configuration. I go to Virtual Machines, and I see the old one and this one getting created. The status is creating, which is a good sign; the process hasn't found any issues so far. And now I see the deployment succeeded and it's running. So I'm going to go ahead and connect to the management IP, which is this one here.

This is the IP. Let's just make sure it's working, and then continue the setup in the next lecture. "Site cannot be reached." So let's take a look; it's probably because the default subnet is not in a route table. Let's look at the default network, testnet, and its subnets: 10.1.0.0. So we need to put that management subnet in its own route table; we're just going to put it in a management route table. This is where we separate it from the rest. So I'm going to create a new route table here, name it management, use the existing resource group palotest2, and it should be creating. Once it's created I'm going to add the management subnet to it and add a route for the Internet: a default route, 0.0.0.0/0, next hop Internet. So now the management should be reachable. Let's see, we need to associate the subnet. The only one available is default on testnet, which is the subnet of the management interface. So basically what happened is, because I didn't have the management subnet in a route table, it didn't know how to get to the Internet. I tried it again from a different browser profile. So now I should be able to log in as paloadmin, and we're ready for the next step. The next step is testing the connectivity and validating; we'll talk more about that in the next lecture.

3. Protecting Virtual Machines in Azure behind Palo Alto firewall

So now that the VM is running, we go to Network, and ethernet1/1 is going to be the untrust. We create an untrust zone here; we've done these steps so many times that you should be able to do this pretty quickly. Call this untrust and click OK. Then IPv4: we choose DHCP client, and "automatically create default route" we uncheck, because we're going to create the default gateway ourselves. Like we showed two lectures ago, that default gateway should be the .1 IP address, which is the Azure infrastructure. Here we specify DHCP client so the interface gets its IP address from the Azure network itself, then click OK. Then ethernet1/2: we're also going to put an IPv4 address on it.

We configure this one in the trust zone: choose the default virtual router, put it in the zone trust and enable user identification. For trust I'm going to create a management profile that we can use to ping. We have to bring the interface up as well; sorry, you have to do that for ethernet1/1 as well. Call this trust-profile for management, allow ping and response pages, and bring the interface up. And here I'm going to bring the interface up as well and allow ping; I'm going to call this untrust-profile, just allow ping, and then click Commit. Now you should be able to see here that the IP address of the interface is 10.1.2.4. However, that's not going to be sufficient to connect to the Internet. We have to go to the virtual router, default, and add a default route pointing to the IP address of the Microsoft network.

So we call this default-zero. We choose the interface ethernet1/1 and the next hop IP address, click OK, and then click OK again. That basically sets up the default route to go out the untrust, the segment that sits on the untrust route table, and send it to the Azure network. So we commit that, and now we've set up the Palo Alto Firewall. We want to test and put some traffic through it. So I'm going to go to the plus, add a compute resource, and look for a Windows 2012 machine. We're going to go through the same setup here. Basics: we're going to call this testwindows2008, set a username, and use the existing resource group testnet. "Do you already have a Windows Server license? Save money?" No. Choose the machine size; I'm just going to use the A1 Basic, which is a pretty small instance. Use managed disks. Choose the virtual network testnet, and then the subnet.

We're going to put it in the trust subnet. Public IP address: none, because we're going to pass it through the Palo Alto Firewall. Network security group: none, because we're going to pass it through the Palo Alto Firewall. Boot diagnostics disabled, guest OS diagnostics disabled. Click OK, click OK, so it's deploying the server. Let's take a look at the virtual machines: still creating. Since it's a small machine, it's taking quite a while to create, so maybe you could choose a better machine. While it's creating, we can do the next step, which is to assign a public IP to the untrust interface of the Palo Alto Firewall and set the route table on the untrust zone. So we go to Resources, and here is the untrust IP.

This is a resource I created already. It's a public IP resource, it's set to dynamic, and I can associate it with the interface of the Palo Alto Firewall. So I go ahead and associate it with a network interface: choose network interface, this is the Palo Alto ethernet 1 interface, and click OK. That's what gets NATed at the Internet gateway, like we saw; this public IP address gets added here. So for the deployment of the machine, this is the IP address that I got, and that's the IP address that's going to be hidden behind the Palo Alto Firewall. Let me check the VM: it's running now, so I should be able to connect to it. But how am I going to connect to it? I need to go through the Palo Alto Firewall in order to do that.

So in order to do that: this is the Palo Alto Firewall and this is the VM. The default gateway of the machine is going to be the IP address of the router that belongs to the Azure network, so the inside gateway is 10.1.1.1. This interface sits in the trust route table. So I need to add a default route saying anything that doesn't exist on the internal network, send it to the PA. Now on the PA I have the public IP interface, which I'm going to NAT to the public IP address I just created, 104.something. And I'm going to create a static NAT that allows port 3389 to get to my server. So port 3389 will be static NATed to the VM. Let's do that.

The IP address of the management interface is still connected, so I can manage it that way. But now I'm going to create my static NAT. So let's see what the IP address of the virtual machine is; looking at the interfaces will show me the IP address. So these are the interface resources. This is the interface for test windows 2008, the one ending in 627, and it has the IP address 10.1.1.5. So 10.1.1.5 is the IP address of the machine, and what I need to do is create a static NAT that allows that.

First, since I'm doing testing, I'm just going to add a rule to allow all traffic: any destination, action allow, log at session end. And I'm going to create a NAT policy. Basically it's going to NAT the IP address of the untrust interface of the Palo Alto Firewall to the Windows machine on port 3389. So: "allow RDP to VM"; the original packet is coming from the untrust zone, the destination zone is untrust, and the destination address is the untrust interface. And I add the service tcp-3389. Okay, so for traffic that comes in from untrust to untrust, to the IP of the untrust interface, which is 10.1.2.4, I'm going to translate the packet's destination: destination NAT to 10.1.1.5.

Okay, commit that. And then on the route table for trust, I need to tell the trust route table that anything where you don't know the destination, send it to the Palo Alto Firewall. So I go to the trust route table and add a route: call it default-route, address prefix 0.0.0.0/0, and send it to the network interface of the Palo Alto Firewall, so the next hop type is Virtual appliance. Then I specify the next hop address, 10.1.1.4. Okay, so now the default gateway of the VM is still the Azure network router, and the Azure network will basically send that traffic to the firewall's IP address.

So let's take a look here, and I see the default route going to the Palo Alto Firewall. So now the NAT is there, I should be able to RDP into that IP address. The IP address of the public interface I got was the untrust IP, so I'm going to put in 104.210.37.243. Let's see if I'm getting the traffic here. Not getting the traffic. I see traffic from 10.1.1.5 coming in on the Untrust zone, which is strange, because the Untrust zone is validated here. This is 10.0.3.4; I'm sorry, that's a different instance. Okay, this is ethernet 1, which is the Untrust, and it's 10.1.2.4. And the third interface is 10.1.1.4. So I could easily make the firewall the default gateway of the VM, but I can't, because I don't have access to it.

I need to first have access to it. So the untrust interface should be 10.1.2.4 and it should be mapped to the public IP address 104.x. I'm going to change the resource group to match the same resource group; well, let me disassociate here. I'm going to create a new untrust public IP. This way I test it in the same resource group as the Palo Alto Firewall. The Palo Alto Firewall is in the resource group palotest2. So I'm going to add a public IP: create testpa2-public-ip, it's IPv4 and it's dynamic, and I choose the existing resource group palotest2, which is the same resource group as the Palo Alto Firewall. And I click Create.

So it should be creating that. Let's see what the IP address is. Refresh the public IP; I put it in the same resource group because sometimes that matters. I'm going to associate it with a network interface, ethernet 1, which is the public untrust interface of the Palo Alto Firewall. Let's see what IP address I got. Okay, 104.42.228.160. Try to RDP into it and see if I see the traffic here. I don't see my IP address; I don't see the traffic coming in for some reason. Then on 3389 I see the traffic and it's not being allowed. So let's take a look at that entry in detail. I see untrust to trust, 10.1.2.4, reaching 10.1.1.5. But I'm not getting any return packets, no packets received. So something is wrong with the trust network routing.

Let's verify the trust network routing information here. Trust route table: the subnet is 10.1.1.0. Okay. The route is default-route, and it's pointing to an incorrect IP. So I need to change this to 10.1.1.4; that's my issue here. I had put 10.1.2 instead, which is incorrect. Send it to 10.1.1.4, save. Okay. So now as soon as it saves, I should be able to RDP into that machine. Untrust to trust, destination 10.1.2.4, which is incorrect... oh, that's the external interface of the Palo Alto. So it's coming to the correct interface, but I don't get any responses. So something is still not correct; I'm not getting any response to the request.

So let me troubleshoot that. Oh, there you go. Now it's asking for the Windows admin login, and it's pretty slow because I selected the smallest instance, which has about 1.5 GB. So there you go: now I'm connected to that VM through the Palo Alto Firewall. And to prove it, let's take a look at the sessions here. Open the Session Browser and we should see the session RDPing into that Windows machine. Now also, on that Windows machine, if I create a dynamic NAT I should be able to access the Internet. So let me create a dynamic NAT on that firewall and then try to access the Internet from that VM.

So I'm going to create a dynamic NAT from trust to untrust, with source translation Dynamic IP and Port using the interface address, and choose the interface ethernet1/1. Commit that. And now from my RDP session, let's take a look and see if I can access the Internet. Let me try to access google.com and see what happens. The default gateway here is 10.1.1.1, which is the IP address of the Azure network. Let's verify that name resolution works. It works. For some reason it's pretty slow. Let's take a look at the sessions and see if I have a session.

Okay, I have a whole bunch of sessions here. I'm going to add this to the browser's trusted list. And now I've connected through the Palo Alto firewall. If I do "what is my IP", I should get the IP address of the outside interface of the Palo Alto Firewall, which is the public IP address that's assigned, 104.42.228.160. So that's basically the way you route the traffic from behind the Palo Alto Firewall to the Internet and vice versa. We just do a static and a dynamic NAT like we've done plenty of times before. So hopefully that was informational and gets you started if you want to set up an Azure environment.
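The packet path from section 1 and the static and dynamic NAT from section 3, as an added example that is not part of the lecture: a small Python model of the lab's route tables and NAT rules, built on the lecture's own addresses (VNet 10.1.0.0/16, trust 10.1.1.0/24 with the firewall at 10.1.1.4 and the VM at 10.1.1.5, untrust 10.1.2.0/24 with the firewall at 10.1.2.4, public IP 104.42.228.160). The Internet host 203.0.113.10 is a constructed value, and the misrouted UDR from the troubleshooting above is reproduced so you can see why no return traffic arrived.

```python
"""Packet-path model of the lab built in this lecture (added example, not the
course's own material): a Windows VM on the trust subnet, a Palo Alto VM-Series
with trust NIC ethernet1/2 and untrust NIC ethernet1/1, the Azure user-defined
routes, and the NAT steps on the firewall and at Azure's Internet gateway."""
import ipaddress
from dataclasses import dataclass

VNET = "10.1.0.0/16"
TRUST, UNTRUST = "10.1.1.0/24", "10.1.2.0/24"
# Azure reserves .0-.3 of every subnet (.1 is the subnet's default gateway), so .4
# is the first address a NIC receives: here the firewall's two data interfaces.
PA_TRUST, PA_UNTRUST = "10.1.1.4", "10.1.2.4"
WIN_VM = "10.1.1.5"                    # the test VM created on the trust subnet
PUBLIC_IP = "104.42.228.160"           # public IP resource associated with ethernet1/1
PA_IFACE = {TRUST: "ethernet1/2", UNTRUST: "ethernet1/1"}

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str        # Azure: VnetLocal / VirtualAppliance / Internet; PAN-OS: egress interface
    next_hop_ip: str = ""

def lookup(table, dst):
    """Longest-prefix match, as both Azure route tables and the PAN-OS virtual router do."""
    addr, best = ipaddress.ip_address(dst), None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best

def trust_route_table(next_hop_ip):
    """Trust subnet route table: the VNet system route plus the UDR 0/0 -> virtual appliance."""
    return [Route(VNET, "VnetLocal"), Route("0.0.0.0/0", "VirtualAppliance", next_hop_ip)]

UNTRUST_RT = [Route(VNET, "VnetLocal"), Route("0.0.0.0/0", "Internet")]
# Firewall virtual router: two connected subnets and the "default-zero" static route
# out ethernet1/1 towards 10.1.2.1, the Azure gateway address of the untrust subnet.
PA_VR = [Route(TRUST, "ethernet1/2"), Route(UNTRUST, "ethernet1/1"),
         Route("0.0.0.0/0", "ethernet1/1", "10.1.2.1")]

def iface_for(ip):
    """Which firewall interface an address belongs to, judged by its subnet."""
    for subnet, name in PA_IFACE.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):
            return name
    return None

def trace_outbound(src, dst, trust_rt):
    """VM on trust -> Internet.  Returns (hops, source address the Internet host sees)."""
    hops = []
    udr = lookup(trust_rt, dst)
    if udr.next_hop != "VirtualAppliance":
        return [f"{udr.next_hop} route: firewall not in the path"], src
    arrival = iface_for(udr.next_hop_ip)
    hops.append(f"Azure UDR {udr.prefix} -> {udr.next_hop_ip}, arrives on {arrival}")
    if arrival != "ethernet1/2":
        # The mistake hit in the lecture: the UDR pointed at a 10.1.2.x address instead of
        # 10.1.1.4, so traffic reached the firewall on the untrust side and no reply came back.
        hops.append("UDR next hop is not the firewall's trust interface: no return traffic")
        return hops, None
    fr = lookup(PA_VR, dst)
    hops.append(f"PAN-OS VR {fr.prefix} out {fr.next_hop} via {fr.next_hop_ip}")
    hops.append(f"dynamic-ip-and-port NAT trust->untrust: {src} -> {PA_UNTRUST}")
    ur = lookup(UNTRUST_RT, dst)
    hops.append(f"Azure untrust route table {ur.prefix} -> {ur.next_hop}")
    hops.append(f"Azure public IP mapping (not the firewall): {PA_UNTRUST} -> {PUBLIC_IP}")
    return hops, PUBLIC_IP

def inbound_rdp_target(dst_public_ip, dst_port):
    """Internet -> public IP: Azure un-maps it to 10.1.2.4 and the firewall's static
    destination NAT forwards tcp/3389 to the VM.  Returns (ip, port) or None."""
    if dst_public_ip != PUBLIC_IP:
        return None
    dnat_rules = {(PA_UNTRUST, 3389): (WIN_VM, 3389)}   # the "allow RDP to VM" rule
    return dnat_rules.get((PA_UNTRUST, dst_port))        # other ports: no rule, not forwarded

if __name__ == "__main__":
    for hop in trace_outbound(WIN_VM, "203.0.113.10", trust_route_table(PA_TRUST))[0]:
        print(hop)                                       # 203.0.113.10: constructed Internet host
    print(inbound_rdp_target(PUBLIC_IP, 3389))
```

Running it with `trust_route_table(PA_UNTRUST)` instead of `trust_route_table(PA_TRUST)` reproduces the broken state from the lecture, where the session showed up on the untrust side and never completed.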
