Deploying a Firewall
Supported firewalls are Check Point CloudGuard, Fortinet FortiGate, and Palo Alto VM-Series. The supported firewall manager is Panorama (for Palo Alto VM-Series). After a firewall is launched, you configure it to inspect the traffic that the Transit FireNet gateway sends through it. If you want to launch a firewall in AWS, you must first subscribe to the firewall instance in the AWS Marketplace.
A FireNet Transit gateway can have more than one firewall.
- On the Firewall tab, click +Firewall to open the Deploy Firewall dialog and add a new firewall instance. From here you can also associate a firewall you previously created in your cloud portal (see Associating an Existing Firewall below).
- If deploying a new firewall, fill out the following fields:

Field | Description |
---|---|
Transit FireNet Gateway Instance | Select the Transit FireNet gateway instance to associate with this firewall. |
Attach Firewall to FireNet after Launching | Yes/No. Select Yes to enable the firewall (the firewall instance is inserted into the data path). If you select No, the firewall is not attached at this time; you can attach it later. |
Availability Domain (OCI only) | Data center within a region. |
Fault Domain (OCI only) | A fault domain is a grouping within an Availability Domain; fault domains let you distribute your instances so that they do not share physical hardware within a single Availability Domain. |
Zone (GCP) | Availability zone in which the firewall is launched. |
Name | Your name for the firewall instance. |
Firewall Image | The image for your desired firewall: Palo Alto VM-Series, Check Point CloudGuard, or Fortinet FortiGate. |
Firewall Image Version | Select a currently supported firewall image version. |
Firewall Instance Size | Select the instance size. See the recommended instance sizes for AWS, Azure, GCP, and OCI. |
Egress Interface Subnet | Subnet in which the firewall's egress interface is created. |
Key Pair Name (Check Point CloudGuard, Fortinet FortiGate) (optional) | Cloud key pair to assign to the firewall instance. |
Management Interface Subnet (Palo Alto/AWS only) | Subnet in which the firewall's management interface is created. |
Authentication (Azure) | Password or SSH Public Key. If you select Password, enter a password of your choice. If you select SSH Public Key, enter the SSH public key used to log in to the firewall. |
Username (Azure) | Username of your choice ('admin' is not allowed). Refer to the Azure username requirements. |
Bootstrap Configuration (optional) | Enable/Disable. See Bootstrap Configuration below. |
Bootstrap Configuration
The Bootstrap Configuration option simplifies the initial configuration of a firewall in the selected cloud. Toggle the Bootstrap Configuration slider to On; once it is enabled and a firewall image has been selected, the bootstrap fields become available.
The fields to complete depend on the cloud of the selected Transit FireNet gateway instance and on the selected firewall image. Use the links in the table below to complete the bootstrap configuration, and see the firewall example configuration topics for supported firewall image versions, instance sizes, and more.
Firewall | AWS | Azure | GCP |
---|---|---|---|
Check Point | AWS S3 Bucket: IAM Role, S3 Bucket; or User Data (see Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure) | Azure Storage; or User Data (see Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure) | Key-Value Pair |
Fortinet FortiGate | AWS S3 Bucket: IAM Role, S3 Bucket; or User Data (see Bootstrap Configuration Example for FortiGate Firewall in AWS) | Azure Storage: Storage, Container, SAS URL Config, SAS URL License; or User Data (see Bootstrap Configuration Example for FortiGate Firewall in Azure) | Key-Value Pair |
Palo Alto | AWS S3 Bucket: IAM Role, S3 Bucket; or User Data | Azure Storage: Storage, Storage Access Key, File-Share Folder, Share-Directory; or User Data | Bootstrap Bucket Name, Key-Value Pair |
- Click Save. This launches the firewall and associates it with the selected Transit FireNet gateway.
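The AWS S3 Bucket option in the table above (IAM Role plus S3 Bucket) expects a bucket laid out the way the firewall's bootstrap process wants it, and an IAM role the firewall instance can use to read it. The Python below is an added example, not Aviatrix's or Palo Alto's code: it stages a VM-Series bootstrap package (the four top-level folders and config/init-cfg.txt) as S3 object keys, builds the read-only, single-bucket IAM policy the bootstrap role needs, and checks a policy document for anything broader than that. The bucket name, hostname, Panorama address and vm-auth-key placeholder are constructed sample values; the init-cfg.txt key names are the ones Palo Alto documents; uploading the objects (for example with the AWS CLI) is left out.

```python
"""Stage a Palo Alto VM-Series S3 bootstrap package and a least-privilege
IAM policy for the firewall's bootstrap role.

Added example, not Aviatrix or Palo Alto code. Sample values are constructed.
"""

import json

# Keys VM-Series reads from config/init-cfg.txt (documented subset).
INIT_CFG_KEYS = {
    "type", "ip-address", "default-gateway", "netmask", "hostname",
    "panorama-server", "panorama-server-2", "tplname", "dgname",
    "dns-primary", "dns-secondary", "vm-auth-key",
    "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
}

# The four top-level folders VM-Series looks for; all must exist, even if empty.
BOOTSTRAP_FOLDERS = ("config", "content", "license", "software")

# The only S3 actions the bootstrap role needs.
ALLOWED_ACTIONS = {"s3:ListBucket", "s3:GetObject"}


def render_init_cfg(settings):
    """Render init-cfg.txt as key=value lines, rejecting keys VM-Series would ignore."""
    unknown = set(settings) - INIT_CFG_KEYS
    if unknown:
        raise ValueError(f"unsupported init-cfg keys: {sorted(unknown)}")
    if settings.get("type") == "static":
        for required in ("ip-address", "default-gateway", "netmask"):
            if required not in settings:
                raise ValueError(f"static management address needs {required}")
    return "".join(f"{key}={value}\n" for key, value in settings.items())


def bootstrap_objects(init_cfg, bootstrap_xml=None):
    """Map S3 object keys to their bytes for the bootstrap package.

    Folder placeholders are zero-byte objects whose key ends in '/',
    which is how an 'empty folder' is represented in S3.
    """
    objects = {f"{folder}/": b"" for folder in BOOTSTRAP_FOLDERS}
    objects["config/init-cfg.txt"] = init_cfg.encode()
    if bootstrap_xml is not None:
        objects["config/bootstrap.xml"] = bootstrap_xml.encode()
    return objects


def bootstrap_role_policy(bucket):
    """Read-only access to exactly one bucket: the minimum the bootstrap role needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def policy_findings(policy, bucket):
    """Return least-privilege violations in an IAM policy document.

    Flags wildcard or write actions, non-S3 actions, and resources outside
    the named bucket. An empty list means the policy is as tight as it should be.
    """
    findings = []
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} not needed for bootstrap")
        for resource in resources:
            if resource not in allowed_resources:
                findings.append(f"statement {i}: resource {resource} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    # Constructed sample values. vm-auth-key is a secret issued by Panorama;
    # it belongs in a secrets store, never in version control.
    cfg = render_init_cfg({
        "type": "dhcp-client",
        "hostname": "firenet-pa-1",
        "panorama-server": "10.0.0.10",
        "tplname": "firenet-stack",
        "dgname": "firenet-dg",
        "vm-auth-key": "REPLACE-WITH-PANORAMA-VM-AUTH-KEY",
        "dhcp-send-hostname": "yes",
    })
    print(sorted(bootstrap_objects(cfg)))
    print(json.dumps(bootstrap_role_policy("example-firenet-bootstrap"), indent=2))
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(policy_findings(broad, "example-firenet-bootstrap"))
```

Run the check before pasting a role into the Deploy Firewall dialog: a bootstrap role with s3:* on Resource * turns a compromised firewall into a reader of every bucket in the account, while the two-statement policy above lets it read only its own package. The Azure (storage access key, SAS URL) and GCP (key-value pair) options hand the firewall different credentials, but the same rule applies: scope them to the bootstrap data and nothing else.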
Associating an Existing Firewall
- On the Firewall tab, click the arrow next to the +Firewall drop-down and select Associate Existing Firewall.
- On the Associate Existing Firewall dialog, enter the following:

Field | Description |
---|---|
Transit FireNet Gateway Instance | Select the Transit FireNet gateway instance to which the existing firewall will be added. |
Resource Group (Azure only) | The Resource Group in which the existing firewall is located. |
Attach Firewall to FireNet after Launching | Yes/No (you can attach later). |
Firewall ID | The ID or name given to the firewall when you created it in the cloud. |
Name (Azure, AWS, OCI) | Enter a name for the firewall. |
LAN Interface | Select the interface on the firewall that is dedicated to LAN. |
Egress Interface | Select the interface on the firewall that is dedicated to Egress. |
Management Interface (optional) | Select the management interface for the firewall. |

- Click Associate.