Azure

Azure Health Probes come from

• 168.63.129.16

HA Pair of Firewalls in Availability Set

Standalone Firewall

You can deploy Panorama on 4CPU/8GB RAM but it will be limited to Management Mode only. For Panorama mode, you need at least 8 CPU and 16 GB of RAM.

In Azure for just managing 6 VM's, standard_D3_v2 should be sufficient if there is no logging happening. If you need Panorama in mixed mode, you must apply proper resource to the VM.

HOWEVER, recent PAN-OS versions will complain every single time you log in to Panorama if you don't have 16 CPU and 32 GB of RAM. It will complain even if you have 8 CPU and 32 GB of RAM.

Use D5_v2 (or, as of Sep 2022, Standard_D16s_v3 apparently) for the correct performance (16 CPU and 56 GB RAM). This will be ~£750 a month in Q4 2021. However Azure Reserved Instances is an Azure Accounting “thing” that can save end users month on machines that are permamently deployed.

In June 2022, the reference archtiecture says to use Standard_D16s_v3.

As of Sep 2022:

• D16_v3 is 16 CPU and 64 GB RAM and is about $675 per month to run (not including 'reserved instance')
• D5_v2 is 16CPU and 56 GB RAM and is about $1,025 per month to run (not including 'reserved instance')

As of 28th Feb 2018

When using D3_V2 Server

• Pay-As-You-Go VM-Series Bundle 1 is £631.12 per month
• Pay-As-You-Go VM-Series Bundle 2 is £844.31 per month

When using D4_V2 Server

• Pay-As-You-Go VM-Series Bundle 1 is £825.76 per month
• Pay-As-You-Go VM-Series Bundle 2 is £1,038.94 per month

In addition, the VM will have to use a storage account.I'm not sure if this is paid for separately.

Bear in mind that the cost below does no include the cost of the Palo Alto Networks licence that comes bundled with the Pay-As-You-Go model. The cash figures below a very vauge guestimates and are based on 2018 pricing.

• D3_V2 Standard - 4 vCPUs, 14 GB RAM, 200GB SSD, 8×500 Max IOPS, Load balancing
• D4_V2 Standard - 8 vCPUs, 28 GB RAM, 400GB SSD, 16×500 Max IPOS, Load balancing

As of 28th Feb 2018

• D3_V2 Standard - Estimated cost £196 per month or £2,352 per year.
• D4_V2 Standard - Estimated cost £390 per month or £4,680 per year.

• D3_V2 Standard - Used for VM-100 or VM-300
• D4_V2 Standard - used for VM-500
• Apparently VM-700 needs D5_v2 but I didn't see that on the options list in Azure.

You will need to get a quote from your re-seller before you can properly determine the cost difference between buying Pay-As-You-Go and buying BYOL (see BYOL Licence Options below). As a rough guide, for one year exactly, when comparing the BYOL VM-300 to the PAYG VM-300, the BYOL is likely to be slightly more expensive for Bundle 1 and slightly cheaper for Bundle 2. If you use the VM-100 BYOL licence, both Bundle 1 and Bundle 2 should be cheaper than PAYG (always VM-300) over the year. However, if you just need a Palo VM for a few hours or days, the PAYG will turn out cheaper.

In addition, the VM will have to use a storage account.I'm not sure if this is paid for separately.

• Pay-As-You-Go VM-Series Bundle 2 = VM-300 + Premium Support + Threat Prevention + WildFire + URL Filtering + GlobalProtect
• Pay-As-You-Go VM-Series Bundle 1 = VM-300 + Premium Support + Threat Prevention
• BYOL = VM-100 or VM-300 or VM-500 or VM-700 + Whatever support you have purchased. (VM-50 is not supported in Azure).

You can by any of the following for 1, 3 or 5 years.

• Palo Alto Networks Perpetual Bundle (Basic) - Premium Support
• Palo Alto Networks Perpetual Bundle (BND1) - Premium Support + Threat Prevention
• Palo Alto Networks Perpetual Bundle (BND2) - Premium Support + Threat Prevention + WildFire + URL Filtering + GlobalProtect

The first time you buy the licences above, they come with a perpetual VM licence. This allows you to run the VM for ever. It also means that it is much cheaper to renew the licences as the renewal cost does not include the VM licence. The renewal cost only contains the support and feature licences.

Azure Health Probes target the firewall interface IP.

The Azure LB health probe does not complete a 3 way handshake - just the SYN and the SYNACK. On tcp-80 this is identified as “incomplete”. On tcp-22 this is identified as ssh. Palo Alto Networks suggest using tcp-22 as the CPU related issues seem to only occur when deploying in GCP.

For public load balancers, enable “Floating IP”. For load balancers, “Floating IP” is not technically needed. All it gives you is that the firewalls will see the public IP that the remote resource is connecting to instead of the load balancer applying a DNAT. However, this can be very useful. It also makes it easier to scale when adding in new public IPs.

REMEMBER. When adding a secondary IP to the front end load balancer, you must enable “Floating IP” before setting the backend pool and ports.

Configure the firewall to update its domain based on the DHCP allocation.

Yes. Azure reserves 5 IP addresses within each subnet. These are x.x.x.0-x.x.x.3 and the last address of the subnet. x.x.x.1-x.x.x.3 is reserved in each subnet for Azure services.

• x.x.x.0: Network address
• x.x.x.1: Reserved by Azure for the default gateway
• x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
• x.x.x.255: Network broadcast address for subnets of size /25 and larger. This will be a different address in smaller subnets.