Tips for Deploying Palo Alto Cloud NGFWs in Azure Virtual WAN

Asked By CloudExplorer99 On

I'm working with a client who's transitioning from Azure Firewalls to Palo Alto Cloud NGFWs, specifically aiming for deployment within Azure Virtual WAN with Routing Intent enabled. I'm new to these devices and am curious if anyone here has experience deploying them, especially in a Virtual WAN context. Any suggestions or tips would be greatly appreciated!

One significant challenge is that the client uses Terraform for their deployments, but the Palo Alto provider only supports local rulestack or Panorama, while they utilize Strata Cloud Manager (SCM).

In an initial test with the local rulestack, everything seemed to deploy fine, but effective routes on the cloud NGFW in the Virtual WAN showed no routes. The firewall was labeled as 'Azure Firewall' rather than 'SaaS NVA' in routing intent. Could this indicate a deployment or routing intent configuration issue?
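For reference, this is an added example of the azurerm wiring for a Cloud NGFW in a Virtual WAN hub with Routing Intent; it is not code from the question or from Palo Alto. All resource names, the region, the address prefix and the provider version pin are assumptions. The detail worth checking against your own deployment is that both `next_hop` values in `azurerm_virtual_hub_routing_intent` point at the `azurerm_palo_alto_virtual_network_appliance` resource ID (the SaaS NVA object in the hub), not at the NGFW resource itself and not at an Azure Firewall resource.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.110" # assumption: any release that ships the azurerm_palo_alto_* resources
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical names and region throughout.
resource "azurerm_resource_group" "hub" {
  name     = "rg-vwan-ngfw"
  location = "westeurope"
}

resource "azurerm_virtual_wan" "main" {
  name                = "vwan-main"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
}

resource "azurerm_virtual_hub" "main" {
  name                = "vhub-main"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  virtual_wan_id      = azurerm_virtual_wan.main.id
  address_prefix      = "10.100.0.0/23" # assumed hub prefix
}

# Standard-SKU static public IP for the firewall's untrust side.
resource "azurerm_public_ip" "ngfw" {
  name                = "pip-ngfw-vhub"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

# Local rulestack, since that is what the provider supports (SCM is not an option here).
resource "azurerm_palo_alto_local_rulestack" "main" {
  name                = "lrs-vhub"
  resource_group_name = azurerm_resource_group.hub.name
  location            = azurerm_resource_group.hub.location
}

# The SaaS NVA object inside the hub. Routing Intent must reference this ID.
resource "azurerm_palo_alto_virtual_network_appliance" "ngfw" {
  name           = "nva-ngfw-vhub"
  virtual_hub_id = azurerm_virtual_hub.main.id
}

resource "azurerm_palo_alto_next_generation_firewall_virtual_hub_local_rulestack" "ngfw" {
  name                = "ngfw-vhub"
  resource_group_name = azurerm_resource_group.hub.name
  rulestack_id        = azurerm_palo_alto_local_rulestack.main.id

  network_profile {
    virtual_hub_id               = azurerm_virtual_hub.main.id
    network_virtual_appliance_id = azurerm_palo_alto_virtual_network_appliance.ngfw.id
    public_ip_address_ids        = [azurerm_public_ip.ngfw.id]
  }
}

# Send both Internet and private (RFC1918 / hub-learned) traffic through the NVA.
resource "azurerm_virtual_hub_routing_intent" "main" {
  name           = "ri-vhub"
  virtual_hub_id = azurerm_virtual_hub.main.id

  routing_policy {
    name         = "InternetTraffic"
    destinations = ["Internet"]
    next_hop     = azurerm_palo_alto_virtual_network_appliance.ngfw.id
  }

  routing_policy {
    name         = "PrivateTraffic"
    destinations = ["PrivateTraffic"]
    next_hop     = azurerm_palo_alto_virtual_network_appliance.ngfw.id
  }

  # Do not attach intent until the firewall is actually bound to the NVA slot.
  depends_on = [azurerm_palo_alto_next_generation_firewall_virtual_hub_local_rulestack.ngfw]
}
```

After `terraform apply`, the Routing Intent blade in the portal should show the next hop as the NVA resource rather than an Azure Firewall; if it does not, compare the `next_hop` IDs in state against the ID of the `azurerm_palo_alto_virtual_network_appliance` resource before looking anywhere else.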

4 Answers

Answered By CloudGiant99 On

My experience with NGFWs in Virtual WAN has been quite distinct. They register under the NVA section and auto-deploy, which is managed through the Palo Alto login portal—no VM creation needed. I had a similar setup with Versa NVA, and it worked smoothly!

Answered By TechGuru123 On

I've been managing NGFW deployments in VNets for over five years, so I can share some insights. Since the NGFWs are essentially VMs, deploying them via Terraform isn't too different from deploying regular VMs, just with some extra considerations.

Here are some tips:
- Ensure you're using the correct VM size to meet your throughput expectations based on your licensing.
- Use Panorama to manage rules. If you ever need to redeploy, Panorama really saves you trouble. In my experience, handling rules through Terraform was quite complex and I wouldn’t recommend it.
- Keep firmware updated, and definitely read the release notes. We've encountered issues where firewall firmware bugs caused major problems, especially if the VNet experiences any hiccups. Avoiding these complications is key!

UserFriendly87 -

Thanks for sharing those tips! I appreciate the insight on rules management with Terraform. I'm still learning the ropes on this project but have a solid grasp of Virtual WAN and Terraform—it’s just the Cloud NGFWs that throw me.

NetworkNerd42 -

What challenges did you face with integrating rules into Panorama? We’re looking into it and it feels a bit daunting, haha. We ultimately opted for Cisco SD-WAN in our hub instead of NGFW.

Answered By InquisitiveMind On

Managing rules as Infrastructure as Code can be tricky. I recommend being cautious; it might not be the best approach to take them as IaC. There could be hidden issues that pop up down the line.

Answered By DevOpsWhiz On

We’re actually deploying NGFWs in a similar setup. I recommend using Consul-Terraform-Sync over Panorama for management since our team is more comfortable with Terraform Enterprise. It streamlines the process a lot better!
