After you deploy your Palo Alto VM-Series firewall in the Transit VNet, you can use this example to ensure that traffic is inspected between Spoke VNets using firewall policies. In Azure, you can scale firewall deployment to multiple Availability Zones and multiple instances/VMs in a maximum throughput Active/Active state without SNAT.
You must first have launched a firewall instance in the cloud portal.
For more information on using a bootstrap configuration to set up your Palo Alto firewall in Azure, click here. For Palo Alto example configurations in other clouds, see:

The three Palo Alto VM-Series interfaces are:

  Interface   Subnet                              Role                           Inbound Security Group Rule
  eth0        -Public-gateway-and-firewall-mgmt   Management interface           Allow SSH, HTTPS, ICMP, TCP 3978 (Panorama)
  eth1        -Public-FW-ingress-egress           Egress or Untrusted interface  Allow ALL
  eth2        -dmz-firewall_lan                   LAN or Trusted interface       Allow ALL (do not change)

In PAN-OS, eth0 is the management interface, eth1 appears as ethernet1/1 and eth2 as ethernet1/2; the sections below configure those two data-plane interfaces.

Logging into the VM-Series

Click the Management UI link on the FireNet tab to access the UI of the Palo Alto VM-Series firewall.

Dynamic Updates (all clouds)

To make sure your firewall is up to date, navigate in the firewall UI to Device > Dynamic Updates and click Check Now. You can then download and install the latest Applications and Threats and WildFire updates.

Configuring VM-Series Ethernet 1/1 with WAN Zone

WAN is Wide Area Network. Ethernet1/1 corresponds to Azure eth1, the Egress or Untrusted interface; it carries traffic leaving the firewall toward the Internet and is placed in the WAN zone. (The management interface is separate: Azure eth0.)
  1. Once logged in, select the Network tab to see the list of Ethernet interfaces.
  2. Click ethernet1/1.
  3. Select layer3 for Interface Type.
  4. Select the Config tab in the Ethernet Interface window.
  5. Select default for Virtual Router.
  6. For Security Zone, click New Zone to create a WAN zone.
  7. In the New Zone window, name the zone WAN and click OK.
  8. Select the IPv4 tab in the Ethernet Interface window.
  9. Select DHCP Client.
  10. Clear the Automatically create default route pointing to default gateway provided by server checkbox, so that the firewall does not install a default route learned from Azure DHCP on this interface.
  11. Click OK, then click Commit. Once Commit is complete, you should see the Link State turn green on the Network page for ethernet1/1.

Configuring VM-Series Ethernet 1/2 with LAN Zone

  1. Repeat the steps from Configuring VM-Series ethernet1/1 with WAN Zone section above for ethernet1/2. Name the new zone LAN.
  2. Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/2.
If Keepalive via Firewall LAN Interface is enabled for the FireNet where this firewall is deployed, ensure that ping is allowed in the Firewall LAN interface configuration (Interface Management Profile on ethernet1/2); otherwise the keepalive fails and the firewall is treated as unhealthy.

Vendor Firewall Integration

Use vendor integration to program RFC 1918 and non-RFC 1918 routes into the firewall.
IPv6 vendor integration in Azure is currently not functional. If you require vendor-driven IPv6 route programming in Azure, configure IPv6 routes manually in the firewall.

Enabling VM-Series Health Check

The health check probes the firewall LAN interface over HTTPS (TCP 443), so HTTPS must be allowed on that interface. This step is not part of the AWS procedure for Palo Alto setup.
  1. Go to Network > Network Profiles > Interface Mgmt and click Add.
  2. Enter a name for the Interface Management Profile, mark the HTTPS checkbox under Administrative Management Services (also mark Ping if FireNet keepalive via the LAN interface is enabled), and click OK.
  3. Attach the profile to the LAN interface: Network > Interfaces > select the LAN Ethernet interface (ethernet1/2) > Advanced > Management Profile > select the profile you just created.
  4. Click Commit.
Firewall health check probes can then be verified in Monitor > Traffic.

Basic Traffic Policy to Allow Traffic VNet to VNet

In this step, we will configure a basic security policy that allows all traffic to pass through the VM-Series firewall. This rule is for initial connectivity testing; replace it with rules scoped to the zones, addresses and applications you actually need before carrying production traffic.
  1. Select the Policies tab.
  2. Click +Add in the bottom left corner to create a new policy.
  3. Select the General tab. Name the policy “Allow-all.”
  4. Select the Source tab. Select Any for both panels.
  5. Select the Destination tab. Select Any for both panels.
  6. Select the Application tab. Select Any.
  7. Click OK.
  8. Click Commit to commit the Allow-all policy.

Configuring Basic Traffic Policy to Allow Traffic VNet to Internet

If you would also like to enable NAT to test egress, follow these steps. The NAT rule only translates the source address; the traffic must still be permitted by a security rule (the Allow-all rule above, or a LAN-to-WAN rule).
  1. Go to Policies > NAT and click Add.
  2. On the General tab, give the rule a name, then click Original Packet.
  3. At Source Zone, click Add and select LAN.
  4. At Destination Zone, select WAN. At Destination Interface, select ethernet1/1.
  5. Click Translated Packet. At Translation Type, select Dynamic IP And Port.
  6. At Address Type, select Interface Address.
  7. At Interface, select ethernet1/1.
  8. Click OK, then Commit.
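The same configuration as the GUI steps above (ethernet1/1 in the WAN zone, ethernet1/2 in the LAN zone, the HTTPS/ping management profile on the LAN interface, the Allow-all security rule and the LAN-to-WAN source NAT rule), expressed as PAN-OS CLI set commands entered in configure mode on the VM-Series management CLI. This is an added example and not configuration from the original page, from Aviatrix or from Palo Alto Networks; the profile name health-check and the NAT rule name LAN-to-Internet are assumed names, and lines beginning with # are annotations for the reader, not CLI input.

```text
# Enter configuration mode on the VM-Series management CLI.
configure

# ethernet1/1 = Azure eth1 (Untrusted/egress): Layer 3, DHCP client,
# no DHCP-learned default route, attached to virtual router "default"
# and placed in a new zone "WAN".
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route no
set network virtual-router default interface ethernet1/1
set zone WAN network layer3 ethernet1/1

# ethernet1/2 = Azure eth2 (Trusted/LAN): same settings, zone "LAN".
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/2 layer3 dhcp-client create-default-route no
set network virtual-router default interface ethernet1/2
set zone LAN network layer3 ethernet1/2

# Interface management profile for the LAN interface: HTTPS for the
# FireNet health check, ping for FireNet keepalive. "health-check" is
# an assumed profile name.
set network profiles interface-management-profile health-check https yes
set network profiles interface-management-profile health-check ping yes
set network interface ethernet ethernet1/2 layer3 interface-management-profile health-check

# Test-only security rule equivalent to the GUI "Allow-all" policy,
# with session-end logging so flows show up in Monitor > Traffic.
set rulebase security rules Allow-all from any to any source any destination any application any service any action allow
set rulebase security rules Allow-all log-end yes

# Source NAT for egress: LAN -> WAN leaving ethernet1/1, translated to
# the interface address. "LAN-to-Internet" is an assumed rule name.
set rulebase nat rules LAN-to-Internet from LAN to WAN to-interface ethernet1/1 source any destination any service any
set rulebase nat rules LAN-to-Internet source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
```

Once spoke-to-spoke and egress traffic are confirmed, replace Allow-all with zone-scoped rules (for example LAN to WAN for egress, and, on the assumption that FireNet east-west traffic enters and leaves through the LAN interface, LAN to LAN for spoke-to-spoke) and restrict the management profile to the probe sources you expect.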

Verifying Traffic Flow

Launch one test instance (VM) in Spoke VNet-1 and one in Spoke VNet-2 and generate traffic between them, for example with ping. In the VM-Series console, go to Monitor > Traffic; the sessions should appear there, matched by the Allow-all rule.

(Optional) VNet to Internet Traffic

You can inspect VNet to Internet traffic by launching a private instance in a Spoke VNet and pinging an Internet address (e.g. 8.8.8.8) from it to verify the egress function. The session should appear in Monitor > Traffic with its source address translated to the ethernet1/1 address by the NAT rule.
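The traffic-flow and egress checks above can also be run from the VM-Series operational CLI, which shows which security and NAT rules would match before any packets are sent and then the live sessions. This is an added example, not commands from the original page or from Aviatrix; the addresses (a test VM in Spoke VNet-1 at 10.1.0.4, one in Spoke VNet-2 at 10.2.0.4) and the assumption that spoke-to-spoke traffic enters and leaves through the LAN zone are constructed for illustration, and lines beginning with # are annotations, not CLI input.

```text
# Interfaces up with DHCP-assigned addresses, zones attached, routes present
show interface ethernet1/1
show interface ethernet1/2
show routing route

# Which route would egress traffic take? Expect next hop out of ethernet1/1.
test routing fib-lookup virtual-router default ip 8.8.8.8

# Which security rule would a spoke-to-spoke ICMP echo (protocol 1) hit?
# Assumes east-west traffic enters and leaves via the LAN zone.
test security-policy-match from LAN to LAN source 10.1.0.4 destination 10.2.0.4 protocol 1

# Would egress be allowed, and which NAT rule would translate it?
test security-policy-match from LAN to WAN source 10.1.0.4 destination 8.8.8.8 protocol 1
test nat-policy-match from LAN to WAN source 10.1.0.4 destination 8.8.8.8 protocol 1

# While the test VMs are pinging: live sessions and newest traffic-log entries
show session all filter source 10.1.0.4 destination 10.2.0.4
show session all filter destination 8.8.8.8
show log traffic direction equal backward
```

If test security-policy-match reports no matching rule for the spoke-to-spoke case, check the zones the traffic actually arrives on and leaves from in the session output (show session all) rather than assuming LAN to LAN; if the NAT match is empty, the egress session will leave ethernet1/1 with its private source address and the reply will never return.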