Oracle Cloud

Troubleshooting

Creating VM

  • When you deploy the VM, you can only specify one interface. Make sure this is the management interface.
  • You can add the others later. Do not assign a public IP now: you will want to reserve a static one, which you can do once the VM is deployed and booted. By default the boot volume is set to 60GB; you can increase this on the setup screen if you want more space for logs.
  • Go to advanced options, then networking, to set the static private IP 10.0.0.4.
  • Specify the SSH public key using PuTTY. This link gives more data. (i.e. save the private key, but make sure you copy the public key from the text displayed in the PuTTYgen window rather than just saving the public key file.)
  • You must supply bootstrap parameters to the firewall even if you don't “normally” bootstrap.
  • Click Show Advanced Options → Under User data → select Paste cloud-init script, and paste:
    • hostname=palo-fw-03
    • authcodes=V5756013
    • op-command-modes=jumbo-frame
  • Deploy and let the machine boot.
  • Create the public IP for MGMT, then create the VNIC for the public VPC (ethernet1/1) and the VNIC for the private VPC (ethernet1/2). Be sure to do it in that order. Don't forget to add a public IP to the public interface.
  • Reboot the machine.
  • Log in
  • configure
  • set mgt-config users admin password
  • Set ethernet1/1 and ethernet1/2 using the usual cloud layout of two virtual routers. The next hop for external is 10.1.0.1.
  • When adding a new VNIC, you will need to reboot the VM firewall for it to detect the new interfaces.
  • set system setting mgmt-interface-swap enable yes
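The steps above, automated with the OCI CLI as an added example (this is not code from the wiki page or from Palo Alto Networks): it writes the three bootstrap parameters as the key=value user-data file the page pastes into the console, sanity-checks that file, builds the launch call with one NIC, the static MGMT IP 10.0.0.4, no public IP and the default 60GB boot volume, and then prints the post-boot calls in the order the page insists on (reserved MGMT public IP, public VNIC for ethernet1/1, private VNIC for ethernet1/2, reboot). All OCIDs, the availability domain and the subnet names are placeholders, the VM.Standard2.4 shape is an assumption, and the launch command is printed rather than executed so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the wiki page: VM-Series bootstrap user-data plus
# the OCI CLI calls for launch and the follow-on VNIC attachments.
# Every OCID below is a placeholder; replace before use.

COMPARTMENT_OCID="${COMPARTMENT_OCID:-ocid1.compartment.oc1..PLACEHOLDER}"
AD="${AD:-PLACEHOLDER-AD-1}"
IMAGE_OCID="${IMAGE_OCID:-ocid1.image.oc1..PLACEHOLDER}"
MGMT_SUBNET_OCID="${MGMT_SUBNET_OCID:-ocid1.subnet.oc1..PLACEHOLDER-mgmt}"
PUBLIC_SUBNET_OCID="${PUBLIC_SUBNET_OCID:-ocid1.subnet.oc1..PLACEHOLDER-public}"
PRIVATE_SUBNET_OCID="${PRIVATE_SUBNET_OCID:-ocid1.subnet.oc1..PLACEHOLDER-private}"
SHAPE="${SHAPE:-VM.Standard2.4}"   # assumption: one MGMT NIC + three data-plane NICs

# Write the three bootstrap parameters from the page as key=value lines.
# Usage: write_bootstrap_userdata FILE HOSTNAME AUTHCODE
write_bootstrap_userdata() {
  printf 'hostname=%s\nauthcodes=%s\nop-command-modes=jumbo-frame\n' "$2" "$3" > "$1"
}

# Refuse to launch with a malformed user-data file: every line must be
# key=value and the three keys the page lists must all be present.
check_bootstrap_userdata() {
  f="$1"
  if grep -qvE '^[a-z-]+=[^[:space:]]+$' "$f"; then
    echo "malformed line in $f" >&2; return 1
  fi
  for key in hostname authcodes op-command-modes; do
    grep -q "^${key}=" "$f" || { echo "missing ${key}= in $f" >&2; return 1; }
  done
  return 0
}

# Launch with a single NIC on the MGMT subnet, the static private IP from the
# page, no public IP (reserve a static one after boot) and a 60GB boot volume.
# Usage: launch_cmd USERDATA_FILE PUBKEY_FILE   (prints the command)
launch_cmd() {
  printf '%s' "oci compute instance launch" \
    " --compartment-id $COMPARTMENT_OCID --availability-domain $AD" \
    " --shape $SHAPE --image-id $IMAGE_OCID" \
    " --subnet-id $MGMT_SUBNET_OCID --private-ip 10.0.0.4 --assign-public-ip false" \
    " --boot-volume-size-in-gbs 60" \
    " --ssh-authorized-keys-file $2 --user-data-file $1" \
    " --display-name palo-fw-03 --wait-for-state RUNNING"
  printf '\n'
}

# Once the instance is RUNNING: reserve the MGMT public IP, attach the public
# VNIC (ethernet1/1) before the private VNIC (ethernet1/2), then reboot so the
# firewall detects the new interfaces. Usage: post_boot_cmds INSTANCE_OCID
post_boot_cmds() {
  cat <<EOF
oci network public-ip create --compartment-id $COMPARTMENT_OCID --lifetime RESERVED --display-name palo-fw-03-mgmt
oci compute instance attach-vnic --instance-id $1 --subnet-id $PUBLIC_SUBNET_OCID --assign-public-ip true --vnic-display-name eth1-1-public
oci compute instance attach-vnic --instance-id $1 --subnet-id $PRIVATE_SUBNET_OCID --assign-public-ip false --vnic-display-name eth1-2-private
oci compute instance action --instance-id $1 --action SOFTRESET
EOF
}

# Only acts when DO_LAUNCH=1 so the file can be sourced safely.
if [ "${DO_LAUNCH:-0}" = "1" ]; then
  write_bootstrap_userdata ./bootstrap.txt palo-fw-03 "${AUTHCODE:-V5756013}"
  check_bootstrap_userdata ./bootstrap.txt || exit 1
  launch_cmd ./bootstrap.txt ./id_rsa.pub   # review, then pipe into sh to run
fi
```

The VNIC attachments are deliberately separate commands run after the first boot, because the page notes that the launch screen accepts only one interface and that the firewall needs a reboot to see VNICs added later.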

VM Instances

  • VM.Standard2.1 is limited to two network interfaces: one for MGMT and one for dataplane.
  • VM.Standard2.2 is limited to two network interfaces: one for MGMT and one for dataplane.
  • VM.Standard2.4 is limited to four network interfaces: one for MGMT and three for dataplane.
  • VM.Standard2.8 is limited to eight network interfaces: one for MGMT and three for dataplane.

PAYG Costs

Load balancers will cost you about £0.40 per day.

Block Storage for Firewalls will cost you about £0.15 per day per firewall.

When clearing out a lab account, do not forget to go to Compute > Boot Volumes and delete all of them. Otherwise you will be paying £5-£10 a month.

Security Policies

If you want the management interfaces to ping each other, you must allow ICMP in the ingress security list for the MGMT subnet.

Health Probes

Create a public load balancer, set the VPC to public and the subnet to public-subnet. Then add both firewalls as the backend. However, adding instances this way only picks up their first interface (see below). Specify that the listener is TCP, as we don't want the load balancer to actually terminate the session, e.g. specify 443.

Ensure below Health check config for the Load Balancer:

  • URL PATH (URI) is set to /php/login.php
  • Status Code is set to 200

After you specify the load balancer backends and create the load balancer, you need to edit the backend set and add two more backends where you specify the IP address of the firewall interface rather than just specifying the instance. Specifying the instance only added the first interface IP (i.e. the MGMT IP). You need to add the correct data plane private IPs and remove the MGMT ones.
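An added shell example (not from the wiki page) that covers the health probe and the backend fix together: it refuses any backend IP that falls in the MGMT subnet, since that is exactly what "add backend by instance" picks up by mistake, reproduces the load balancer's verdict (URL path /php/login.php must answer 200) against each data-plane IP with curl, and prints the OCI CLI calls that remove the MGMT backends and add the data-plane ones. It assumes the MGMT subnet is 10.0.0.0/24 (the page's MGMT IP is 10.0.0.4), that the probe runs over HTTPS to port 443, and the load balancer OCID and backend set name are placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki page: validate load balancer backends for
# the VM-Series and emit the OCI CLI calls to swap MGMT IPs for data-plane IPs.
# MGMT_CIDR, PROBE_SCHEME, BACKEND_PORT and the OCID are assumptions/placeholders.

MGMT_CIDR="${MGMT_CIDR:-10.0.0.0/24}"
PROBE_SCHEME="${PROBE_SCHEME:-https}"
BACKEND_PORT="${BACKEND_PORT:-443}"
LB_OCID="${LB_OCID:-ocid1.loadbalancer.oc1..PLACEHOLDER}"
BACKEND_SET="${BACKEND_SET:-fw-backend-set}"

# Dotted quad to 32-bit integer, used by the subnet test below.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  a=$1; b=$2; c=$3; d=$4
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR -> exit 0 if IP lies inside CIDR.
in_subnet() {
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Same verdict the load balancer applies: only a 200 counts as healthy.
# classify_code HTTP_CODE -> prints healthy|unhealthy
classify_code() {
  if [ "$1" = "200" ]; then echo healthy; else echo unhealthy; fi
}

# probe_backend IP -> HTTP status code for /php/login.php (000 if unreachable).
probe_backend() {
  code=$(curl -k -s -o /dev/null --max-time 5 -w '%{http_code}' \
    "$PROBE_SCHEME://$1:$BACKEND_PORT/php/login.php" 2>/dev/null || true)
  echo "${code:-000}"
}

# check_backends IP... -> one line per IP; returns 1 if any IP is in the MGMT
# subnet or fails the probe, so it can gate a deployment script.
check_backends() {
  rc=0
  for ip in "$@"; do
    if in_subnet "$ip" "$MGMT_CIDR"; then
      echo "$ip: inside MGMT subnet $MGMT_CIDR, not a data-plane IP"; rc=1; continue
    fi
    code=$(probe_backend "$ip")
    echo "$ip: HTTP $code -> $(classify_code "$code")"
    [ "$code" = "200" ] || rc=1
  done
  return $rc
}

# backend_fix_cmds MGMT_IP... -- DP_IP... -> OCI CLI calls that delete the
# wrongly added MGMT backends and create the data-plane ones. OCI names a
# backend as ip:port, which is what 'backend delete' expects.
backend_fix_cmds() {
  mode=delete
  for ip in "$@"; do
    if [ "$ip" = "--" ]; then mode=create; continue; fi
    if [ "$mode" = delete ]; then
      echo "oci lb backend delete --load-balancer-id $LB_OCID --backend-set-name $BACKEND_SET --backend-name $ip:$BACKEND_PORT --force"
    else
      echo "oci lb backend create --load-balancer-id $LB_OCID --backend-set-name $BACKEND_SET --ip-address $ip --port $BACKEND_PORT"
    fi
  done
}

# Only probes when RUN_PROBE=1, e.g. RUN_PROBE=1 sh backends.sh 10.1.0.10 10.1.0.11
if [ "${RUN_PROBE:-0}" = "1" ]; then
  check_backends "$@"
fi
```

Running the probe from a host inside the VCN before creating the load balancer tells you whether the firewall's management profile on the data-plane interface actually serves the login page; if it does not, the backend set will show unhealthy no matter how the listener is configured.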

HA

Remember, if you use the root compartment, you may run into issues deploying HA policy.

HA1 cannot use the MGMT interface when the MGMT interface is set to DHCP. You have to set the MGMT IP to static. I also found that I had to go into the HA1 config, select MGMT and then select it from the drop-down list (the preselected MGMT is somehow wrong).

VPN

Oracle supports only the following phase-2 parameters (for when your office firewall connects a VPN to the Oracle VPN gateway).

  • IPSec Protocol: ESP
  • Encryption: aes-256-cbc
  • Authentication: sha1
  • DH Group: group5
  • Lifetime: 3600 secs
paloaltonetworks/vmseries/oracle.1603705160.txt.gz · Last modified: (external edit)