How to rebuild PA-VM Firewall in Azure
Objective
- The Palo Alto Networks Firewall hosted in Azure has stopped functioning and is not recoverable.
- A new Palo Alto Networks VM (PA-VM) instance can be deployed in the same resource group.
- The same network interfaces can be reused so IP addresses do not change.
- User Defined Routes (UDR) and Security Groups (SG) can be left as is.
Environment
- Palo Alto Networks VM-Series Firewall
- Deployed in Microsoft Azure
Procedure
- In the Azure Portal, go to the instance and gather the following information:
Overview > Essentials:
Resource group: PA-VM-boot2
Location: Central US
Subscription: Azure-Subscription-Name
Subscription ID: 00000000-11aa-22b2-33cc-d4dd444d444
Computer name: (Hostname of Firewall)
Size: Standard D4 v2 (4 vcpus, 14 GiB memory)
Overview > Properties:
Settings > Networking:
Gather the names of all attached network interfaces
- Take a configuration backup before proceeding. See Backing Up and Restoring Configurations
- Power Down, Create and Attach Dummy NIC, and Detach NICs.
b) Create a network interface and attach it to the downed firewall. The VM must have at least one NIC attached at all times; this dummy NIC allows the other NICs to be detached.
c) Detach all other network interfaces (leaving only the new dummy NIC).
- Launch New PA-VM Instance using Same Settings
Build the Azure CLI command that will create the new instance:
Template:
az vm create --subscription <subscription-id> --resource-group <resource group name> --name <FW-Hostname> --location <region the FW is in (eastus, centralus, etc.)> --nics <mgmtnic eth1nic eth2nic> --size Standard_D3_V2 --image paloaltonetworks:vmseries1:byol:9.0.1 --plan-name byol --plan-product vmseries1 --plan-publisher paloaltonetworks --authentication-type password --admin-username demouser --admin-password yourpassword
Example:
az vm create --subscription 81000000-11aa-22b2-33cc-d4dd444d444 --resource-group PA-VM-boot2 --name FW-Hostname --location centralus --nics mgmtnic eth1-untrust-nic eth2-trust-nic --size Standard_D4_V2 --image paloaltonetworks:vmseries-flex:byol:10.1.5 --plan-name byol --plan-product vmseries-flex --plan-publisher paloaltonetworks --authentication-type password --admin-username pavmadmin --admin-password adminpassword --zone 1
Additional Information on the Azure CLI:
b) "--image": use the Azure CLI to list all the images available from Palo Alto Networks.
PS Azure:\> az vm image list --publisher paloaltonetworks --all
Example output:
{ "offer": "vmseries-flex", "publisher": "paloaltonetworks", "sku": "byol", "urn": "paloaltonetworks:vmseries-flex:byol:10.1.5", "version": "10.1.5" },
c) "--nics": the order of the NICs does matter (management interface first, then eth1, eth2, ... as in the example above).
d) "--name": to reuse the same computer name (FW-Hostname), the old VM needs to be removed first.
e) "--zone": the availability zone.
f) "--offer": for PA-VM firewalls the offer is either "vmseries1" or the newer "vmseries-flex" (it is the second field of the image URN and the value passed as "--plan-product").
g) More information about Azure CLI commands can be found here: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest
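The following script is an added example, not a Palo Alto Networks or Microsoft script, that drives steps 2 and 3 above (deallocate, attach a dummy NIC, detach the real NICs, delete the old VM, recreate it on the same NICs) with the Azure CLI. All values are placeholders taken from the example command; the dummy NIC's VNet and subnet names, the dummy NIC name and the marketplace terms-acceptance step are assumptions. It defaults to DRY_RUN=1, which only prints each command (with the password masked) so the exact "az vm create" line can be reviewed before anything runs; set DRY_RUN=0 to execute. The --plan-* arguments are derived from the image URN so they cannot disagree with it, and any URN that is not a vmseries1 or vmseries-flex image is rejected.

```shell
#!/bin/sh
# Added example (not a Palo Alto Networks or Microsoft script): steps 2 and 3 of the
# PA-VM rebuild via the Azure CLI. DRY_RUN=1 (default) prints commands; DRY_RUN=0 runs them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Placeholder values from the article's example; all are assumptions and must be
# replaced with what was gathered from Overview > Essentials and Settings > Networking.
SUBSCRIPTION="${SUBSCRIPTION:-81000000-11aa-22b2-33cc-d4dd444d444}"
RG="${RG:-PA-VM-boot2}"
VM_NAME="${VM_NAME:-FW-Hostname}"
LOCATION="${LOCATION:-centralus}"
SIZE="${SIZE:-Standard_D4_V2}"
IMAGE_URN="${IMAGE_URN:-paloaltonetworks:vmseries-flex:byol:10.1.5}"
ZONE="${ZONE:-1}"
ADMIN_USER="${ADMIN_USER:-pavmadmin}"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-change-me}"             # pass via the environment
NICS="${NICS:-mgmtnic eth1-untrust-nic eth2-trust-nic}"  # order matters: mgmt, eth1, eth2
DUMMY_NIC="${DUMMY_NIC:-dummy-nic}"                       # assumed names for the dummy NIC
DUMMY_VNET="${DUMMY_VNET:-fw-vnet}"
DUMMY_SUBNET="${DUMMY_SUBNET:-mgmt-subnet}"

# run CMD ARGS...: in dry-run mode print the command (masking the password), else execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    out=""; prev=""
    for a in "$@"; do
      if [ "$prev" = "--admin-password" ]; then a="<redacted>"; fi
      out="$out $a"; prev="$a"
    done
    printf '[dry-run]%s\n' "$out"
  else
    "$@"
  fi
}

# plan_args URN: derive --plan-name/--plan-product/--plan-publisher from the image URN
# (publisher:offer:sku:version). They must agree with the URN or the create call is rejected.
plan_args() {
  urn="$1"
  publisher=$(printf '%s' "$urn" | cut -d: -f1)
  offer=$(printf '%s' "$urn" | cut -d: -f2)
  sku=$(printf '%s' "$urn" | cut -d: -f3)
  version=$(printf '%s' "$urn" | cut -d: -f4)
  if [ "$publisher" != "paloaltonetworks" ] || [ -z "$version" ]; then
    echo "plan_args: not a PA-VM image URN: $urn" >&2
    return 1
  fi
  case "$offer" in
    vmseries1|vmseries-flex) ;;
    *) echo "plan_args: unknown offer '$offer' (expected vmseries1 or vmseries-flex)" >&2; return 1 ;;
  esac
  printf '%s' "--plan-name $sku --plan-product $offer --plan-publisher $publisher"
}

# list_pavm_images OFFER: print the URNs available for one offer (narrower than "--all" alone).
list_pavm_images() {
  run az vm image list --publisher paloaltonetworks --offer "$1" --all --query "[].urn" -o tsv
}

# Step 2: power down, attach the dummy NIC so the real NICs can be detached, remove the old VM.
detach_nics_from_old_vm() {
  run az vm deallocate --subscription "$SUBSCRIPTION" --resource-group "$RG" --name "$VM_NAME"
  run az network nic create --subscription "$SUBSCRIPTION" --resource-group "$RG" \
      --name "$DUMMY_NIC" --vnet-name "$DUMMY_VNET" --subnet "$DUMMY_SUBNET"
  run az vm nic add --subscription "$SUBSCRIPTION" --resource-group "$RG" --vm-name "$VM_NAME" --nics "$DUMMY_NIC"
  for nic in $NICS; do
    run az vm nic remove --subscription "$SUBSCRIPTION" --resource-group "$RG" --vm-name "$VM_NAME" --nics "$nic"
  done
  # The computer name can only be reused once the old VM (now holding just the dummy NIC) is gone.
  run az vm delete --subscription "$SUBSCRIPTION" --resource-group "$RG" --name "$VM_NAME" --yes
}

# Step 3: build the create command as a string (without the password) so it can be reviewed.
build_create_cmd() {
  plan=$(plan_args "$IMAGE_URN") || return 1
  printf '%s' "az vm create --subscription $SUBSCRIPTION --resource-group $RG --name $VM_NAME --location $LOCATION --nics $NICS --size $SIZE --image $IMAGE_URN $plan --authentication-type password --admin-username $ADMIN_USER --zone $ZONE"
}

create_new_vm() {
  cmd=$(build_create_cmd) || return 1
  # Assumption: marketplace plan terms must have been accepted once in this subscription.
  run az vm image terms accept --subscription "$SUBSCRIPTION" --urn "$IMAGE_URN"
  # shellcheck disable=SC2086  # intentional word splitting; placeholder values contain no spaces
  run $cmd --admin-password "$ADMIN_PASSWORD"
}

detach_nics_from_old_vm
create_new_vm
```

Run it once as-is to read the dry-run listing, confirm the NIC order and the image URN against the existing firewall, then rerun with DRY_RUN=0 and the real values exported in the environment. The NICs survive "az vm delete" because they are separate Azure resources; only the VM object is removed.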
- License New PA-VM
a) If BYOL: gather the old serial number and the new CPUID and UUID. Palo Alto Networks TAC can update the serial number with the new CPUID and UUID. Once complete, install the licenses, starting with the PA-VM capacity license.
- Install Content (Dynamic Updates) and Preferred PAN-OS Maintenance Release.
b) Download and install the needed dynamic updates (Apps & Threats, URL Filtering, etc.).
c) Download and install the latest VM-Series Plugin (PAN-OS 9.0 and above).
- Load Backup Config:
a) Import the config backup from the old firewall.
- A "device-state" is preferable as it is the most complete backup.
- A "running-config.xml" will work if a full device state is not available.
- If all configuration was added by Panorama, add the Panorama IP address to the PA-VM and commit. Once the device connects to Panorama, push the policy to the firewall.
- Commit and verify traffic
Once the commit completes, the firewall should be operational and passing traffic.
- No adjustments should be required in Azure (UDRs, SGs, etc.).
- IP addresses should remain the same, assuming the option to retain them has been enabled.
Additional Information
There are two offers, "vmseries1" and "vmseries-flex".
- vmseries1: PAYG firewalls are launched with a VM-300 license, regardless of instance type.
- vmseries-flex: PAYG firewalls launch with different license sizes, depending on instance type.
WARNING:
If the PA-VM firewall was deployed via Terraform: since these changes are made outside of Terraform, they will break the state information maintained by Terraform and result in broken scripts. This can be cleaned up later.