A mostly-Terraform IaC template for Azure that I compiled from many different sources. This is different from the Palo Alto NGFW firewall resource type: you will be deploying the firewall VMs and the required load balancers yourself.
Blog Post: https://www.jcdoes.com/index.php/programming/cloud/palo-alto-ngfw-in-azure
- Make sure you have Terraform installed and on the user's environment PATH.
- Make sure you have a role that can deploy the necessary components in the subscription. I use an Azure free account for my testing, so I had access to everything.
- Update the variables.tf file with the required information, especially the account information.
- Perform the standard Terraform init, plan and apply.
Default credentials:
- username: paloalto
- password: Admin1234!
For most of the configuration options you can use on the Palo Alto VM-Series firewall from the image gallery, see Palo's ARM template example here:
https://github.com/PaloAltoNetworks/Azure-GWLB/blob/main/security-stack.json
custom_data is a Base64-encoded string that the VM reads on first boot to configure the firewall.
These are the fields you need for a storage-account bootstrap:
- storage-account=
- access-key=
- file-share=
- share-directory=
If you are using Panorama, you would paste the configuration string that Panorama generates for the firewall.
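As an added example (not code from this template or from Palo Alto), this is how the custom_data string can be assembled in Terraform for either bootstrap method; the var.* names, the VM name, size and NIC list are assumptions.

```hcl
# Added example, not the template's own code. Every var.* is assumed to be
# declared in variables.tf; mark bootstrap_access_key sensitive = true there.
locals {
  # Storage-account bootstrap: the four key=value fields above, joined with
  # ';' as in Palo Alto's Azure bootstrap examples.
  bootstrap_fields = join(";", [
    "storage-account=${var.bootstrap_storage_account}",
    "access-key=${var.bootstrap_access_key}",
    "file-share=${var.bootstrap_file_share}",
    "share-directory=${var.bootstrap_share_directory}",
  ])
  # A Panorama-generated string (assumed variable, empty when unused) is
  # used verbatim instead of the storage-account fields.
  fw_bootstrap = var.panorama_bootstrap_string != "" ? var.panorama_bootstrap_string : local.bootstrap_fields

  # custom_data must be Base64; the firewall decodes it on first boot only.
  fw_custom_data = base64encode(local.fw_bootstrap)
}

resource "azurerm_linux_virtual_machine" "fw" {
  name                            = "vmseries-fw-0" # constructed name
  resource_group_name             = var.resource_group_name
  location                        = var.location
  size                            = "Standard_D3_v2"
  admin_username                  = var.admin_username
  admin_password                  = var.admin_password
  disable_password_authentication = false
  network_interface_ids           = var.fw_nic_ids # management NIC first
  custom_data                     = local.fw_custom_data

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }

  # VM-Series marketplace image: the plan block is mandatory, and the
  # marketplace terms must be accepted once per subscription.
  source_image_reference {
    publisher = "paloaltonetworks"
    offer     = "vmseries-flex"
    sku       = "byol"
    version   = "latest"
  }
  plan {
    name      = "byol"
    product   = "vmseries-flex"
    publisher = "paloaltonetworks"
  }
}
```

The decoded access key is recorded in Terraform state along with everything else passed to the resource, so the state backend needs the same protection as the key itself.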
I do use the bootstrap method demonstrated by Palo Alto.
Here is the original documentation of everything you can do:
If just deploying in Azure, here is the minimalistic directory structure:
- bootstrap
  - config
    - bootstrap.xml
    - init-cfg.txt
  - content
  - license
    - authcodes
  - software
  - config
The above bootstrap.xml is just your standard device configuration file. If you would like a complete archive (tgz), visit Palo’s page:
https://github.com/PaloAltoNetworks/Azure-GWLB
The init-cfg.txt is not documented well, but I was able to verify these options work:
If configuring plugins, you would start a line with this text:
plugin-op-commands=
And then add the options you'd like, separated by commas:
Azure-gwlb-inspect:enable
This example will enable VXLAN support for an Azure Gateway Load Balancer. Other options are documented here: