Deploying a Firewall

Supported firewalls are Check Point CloudGuard, Fortinet FortiGate, and Palo Alto VM-Series.

Supported firewall managers are Panorama (Palo Alto VM-Series).

After firewalls are launched, you can configure them to check traffic flow.

If you want to launch a firewall in AWS, you must first subscribe to a firewall instance in the AWS Marketplace.

You can have more than one firewall in a FireNet Transit gateway.

  1. On the Firewall tab, click +Firewall to open the Deploy Firewall dialog and add a new firewall instance.

    From here you can also import a firewall you previously created in your cloud portal.

  1. If deploying a new firewall, fill out the following fields:

Field

Description

Transit FireNet Gateway Instance

Select the Transit FireNet gateway instance to associate with this firewall.

Attach Firewall to FireNet after Launching

Yes/No

Select Yes to enable the firewall (the firewall instance is inserted into the data path). If you select No, the firewall is not attached at this time. You can attach it later.

Availability Domain (OCI only)

Data center within a region

Fault Domain (OCI only)

Fault domain is within Availability Domain; fault domains let you distribute your instances so that they are not on the same physical hardware within a single Availability Domain

Zone (GCP)

Availability Zone

Name

Your name for the firewall instance

Firewall Image

The image for your desired firewall: Palo Alto, Check Point, or Fortinet FortiGate

Firewall Image Version

Select a currently supported firewall image version

Firewall Instance Size

Recommended instance sizes:

AWS

Azure

GCP

OCI

Egress Interface Subnet

Key Pair Name (Check Point CloudGuard, Fortinet FortiGate) (optional)

Management Interface Subnet (Palo Alto/AWS only)

Authentication (Azure)

Password or SSH Public Key

If you select Password, enter a password of your choice.

If you select SSH Public Key, enter the SSH Public Key of the firewall.

Username (Azure)

Username of your choice ('admin' is not allowed). Refer here for name requirements.

Bootstrap Configuration (optional)

Enable/Disable

Bootstrap Configuration

The Bootstrap Configuration option simplifies the initial configuration setup of a firewall within the selected cloud. If the Bootstrap Configuration toggle is enabled, and a firewall image has been selected, you can configure your bootstrap options.

The fields to complete for bootstrap configuration depend on the selected cloud for the Transit FireNet gateway instance, and the selected firewall. Use the links in the below table to complete the bootstrap configuration.

Toggle the Bootstrap Configuration slider to On to continue with your bootstrap configuration.

See the firewall example configuration topics for specific firewall image versions, instance size, and more.
Firewall AWS Azure GCP

Check Point

AWS S3 Bucket: IAM Role, S3 Bucket

or

User Data

Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure

Azure Storage

or

User Data

Bootstrap Configuration Example for Check Point Security Gateway in AWS/Azure

Key-Value Pair

Fortinet FortiGate

AWS S3 Bucket: IAM Role, S3 Bucket

or

User Data

Bootstrap Configuration Example for FortiGate Firewall in AWS

Azure Storage: Storage, Container, SAS URL Config, SAS URL License

or

User Data

Bootstrap Configuration Example for FortiGate Firewall in Azure

Key-Value Pair

Palo Alto

AWS S3 Bucket: IAM Role, S3 Bucket

or

User Data

Bootstrap Configuration Example for VM-Series in AWS

Azure Storage: Storage, Storage Access Key, File-Share Folder, Share-Directory

or

User Data

Bootstrap Configuration Example for VM-Series in Azure

Bootstrap Bucket Name

Key-Value Pair

  1. Click Save. This launches the firewall and also associates it with the selected Transit FireNet gateway.

Associating an Existing Firewall

  1. On the Firewall tab, click the arrow next to the +Firewall drop-down and select Associate Existing Firewall.

  2. On the Associate Existing Firewall dialog enter the following:

Field Description

Transit FireNet Gateway Instance

Select the Transit FireNet gateway instance where the existing firewall will be added.

Resource Group (Azure only)

The Resource Group in which the existing firewall is located.

Attach Firewall to FireNet after Launching

Yes/No (you can attach later)

Firewall ID

The ID/name you gave to the firewall when you created it in the cloud.

Name (Azure, AWS, OCI)

Enter a name for the firewall.

LAN Interface

Egress Interface

Select the interface on the firewall that is dedicated to Egress.

Management Interface (optional)

Select the Management Interface for the firewall.

  1. Click Associate.