The VM-Series virtual firewalls by Palo Alto Networks can be used in both public and private cloud environments. They use the same version PAN-OS as physical firewall devices and offer the same basic functionality.
Depending on the hosting environment, certain functionalities may not be possible or implemented in a different way. For example, most public cloud providers only support Layer 3 interfaces to connect to their virtual networks. Another example is the varying levels of HA support available in public cloud deployments.
Some support-natives offer HA connections using two VM-Series firewalls, while others allow scaling of parallel VM-Series firewall implementations without requiring HA settings. This post will cover 4 important considerations when deploying Palo Alto virtual firewalls in a cloud environment. These are covered in Section1.2 of the PCNSE Blueprint.
Palo Alto Virtual Firewalls
The Palo Alto Networks Next-Generation Firewall VM-Series virtualized version of next-generation firewall can be used in both public cloud architectures and private cloud environments. The same PAN-OS software works on VM-Series firewalls just as it does on appliances. It has the same capabilities and features. Depending on the cloud technology used each environment offers the full functionality of PANOS software with slight modifications.
VM-50 (Lite), VM-50 and VM-100 are the versions that can be deployed within cloud environments.
These virtualization environments can be supported by Palo Alto VM-Series firewalls
Amazon Web Services
Cisco ACI
Citrix NetScaler SDX
Google CloudPlatform
KVM
Microsoft Azure
Microsoft Hyper-V
OpenStack, and
VMware products include VMware ESXi and VMware NSX.
These cloud-native infrastructures can also be supported by the VM-Series firewalls
Alibaba Cloud
Amazon Web Services
Docker EE
Google CloudPlatform
IBM Cloud
Kubernetes
Microsoft Azure
Rancher
Red Hat OpenShift,
VMware Tanzu
License requirements
All Palo Alto VM-Series firewalls need a capacity license to enable full firewall capability. Once you apply for the capacity licence, the model number and the related capacities are applied to the VM-Series firewall.
Capacity refers to the number of sessions, rules and security zones that the VM-Series firewall is able to manage.
The table below will show you how to determine the maximum capacity of each model and the differences between models. This will help you to choose the right model for your network needs.
How to Deploy Palo Alto Firewalls
Here are four things to keep in mind when installing a virtual firewall in Palo Alto
1. Private Cloud Deployment
The VM-Series virtual firewall is based on private clouds technology. A suitable virtual appliance or OVA can downloaded from Palo Alto Networks Support Portal and uploaded to the cloud. Once the cloud has been configured, it can then be deployed to meet the requirements for each private cloud architecture. These virtual firewalls cannot be licensed and require a capacity code.
2. Public Cloud Deployment
Public cloud markets offer virtual firewalls. The majority of public cloud markets offer three virtual firewall options, each with its unique set of licensing requirements.
Bring Your Own License: A Bring Your Own License version (BYOL), is an unlicensed VM-Series firewall. It requires the client to provide capacity code and feature licences that were obtained separately after provisioning.
Bundle 1 of VM-Series: This Bundle 1 includes pre-licensed VM-300s. Bundle 1 only includes Threat Prevention.
VM-Series Bundle 2, Threat Prevention, WildFire URL Filtering and G