Configuring Palo Alto in GCP

Example Config for Palo Alto Network VM-Series in GCP

In this document, we provide an example to set up the VM-Series for you to validate that packets are indeed sent to the VM-Series for VPC-to-VPC and from VPC to internet traffic inspection.

VM-Series in AWS can be set up using the guide Palo Alto Networks VM-Series AWS Example.

VM-Series in Azure can be set up using the guide Palo Alto Networks VM-Series Azure Example.

You must first have launched a firewall instance in GCP.

After the firewall is launched, you can access its management UI from the Firewall tab.

Downloading VM-Series Access Key

After this step in the workflow is completed, you can click the vertical ellipsis button 25 and select Download Access Key.

If you get a download error, usually it means the VM-Series is not ready. Wait until it is ready, refresh the browser and then try again.

Resetting VM-Series Password

After you download the .pem file, change the file permission to 400. If you are asked to enter a password during the login, the VM-Series is still not ready. Wait and try again. It usually takes up to 15 minutes for the VM-Series to be ready. When the VM-Series is ready, you will no longer be prompted for a password.

For Metered AMI, open a terminal and run the following command.

ssh -i <private_key.pem> admin@<public-ip_address>
configure
set mgt-config users admin password
commit

For BYOL, open a terminal and run the following command.

ssh -i <private_key.pem> admin@<public-ip_address>
configure
set mgt-config users admin password
set deviceconfig system dns-setting servers primary <ip_address>
commit

Terminate the SSH session.

Logging in to the VM-Series

  1. In Aviatrix CoPilot, navigate to FireNet > Firewall.

  2. Click the Management UI link for the firewall. It takes you to the VM-Series you just launched.

  3. Login with Username "admin". The password is the password you set in the previous step.

Dynamic Updates

  1. From Device > Dynamic Updates, click on Check Now to download and install the latest versions of Applications and Threats and Wildfire updates.

  2. Click on Check Now again to download and install the latest version of Antivirus.

Configuring VM-Series ethernet1/1 with WAN Zone

After logging in, select the Network tab to see a list of ethernet interfaces. Click ethernet1/1 and configure as per the following screenshot.

  1. Select the Network tab.

  2. Click ethernet1/1.

  3. Select layer3 for Interface Type.

  4. Select the Config tab in the popup Ethernet Interface window.

  5. Select the default for Virtual Router at the Config tab.

  6. Click New Zone for Security Zone to create a WAN zone.

  7. At the next popup screen, name the new zone "WAN" and click OK.

    new_zone

  1. Select IPV4 tab in the popup Ethernet Interface window.

  2. Select DHCP Client.

  3. Uncheck the Automatically create default route pointing to default gateway provided by server, as shown below.

    ipv4

  1. Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/1.

Configuring VM-Series ethernet1/2 with LAN Zone

  1. Repeat the steps from Configuring VM-Series ethernet1/1 with WAN Zone section above for ethernet1/2. Name the new zone LAN.

  2. Click Commit. Once Commit is complete, you should see the Link State turn green at the Network page for ethernet1/2.

GCP VM-Series Health Check

Configuring a DNAT rule for Health Check is a mandatory requirement in GCP. Go to Polices > NAT > Add NAT. See the example below for NAT configurations.

health_check_dnat

Also, follow VM-Series Health Check Steps to allow Google Load Balancer to check firewall instance health at regular intervals.

Configure Basic Allow-all Policy

In this step, we will configure a basic traffic security policy that allows traffic to pass through the VM-Series firewall.

  1. Select the Policies tab.

  2. Select the +Add at the bottom-left corner to create a new policy.

  3. Select the General tab. Name the policy Allow-all.

  4. Select the Source tab. Select Any for both panels.

  5. Select the Destination tab. Select Any for both panels.

  6. Select the Application tab. Select Any.

  7. Click OK.

  8. Click Commit to install the Allow-all policy.

Configuring NAT for Egress

If you would also like to enable NAT to test egress, follow these steps.

  1. Navigate to Policies > NAT and click Add.

  2. Select the General tab.

  3. Name the policy and click Original Packet.

  4. At Source Zone, click Add, select "LAN".

  5. At Destination Zone, select WAN.

  6. At Destination Interface, select Ethernet1/1, as shown below.

    nat_original_packet

  1. Click Translated Packet. At Translation Type, select Dynamic IP And Port. At Address Type, select Interface Address.

  2. At Interface, select ethernet1/1, as shown below.

    nat_translated_packet

Ready to Go

Now your firewall instance is ready to receive packets.

The next step is to validate your configurations and polices using FlightPath and Diagnostic Tools (ping, traceroute etc.).

View Traffic Log

You can view if traffic is forwarded to the firewall instance by logging in to the VM-Series console.

  1. Click Monitor.

  2. Start pinging packets from one Spoke VPC to another Spoke VPC where one or both of the Network Domains are connected to Firewall Network Security Domain.