
azure-applicationgateway's Introduction

Using VM-Series Firewalls and the Azure Application Gateway to Secure Internet-Facing Web Workloads

This ARM template deploys two VM-Series firewalls between a pair of Azure load balancers. The external load balancer is an Azure Application Gateway (a Layer 7 web load balancer) that also serves as the Internet-facing gateway: it receives inbound traffic and distributes it to the VM-Series firewalls. The firewalls enforce security policy to protect your workloads and forward the allowed traffic to the internal load balancer, an Azure Load Balancer (Layer 4), which distributes it across a pair of sample Apache web servers.

As demand for your web services increases, you can add more web servers and deploy additional VM-Series firewalls for more capacity. Each tier (the VM-Series firewalls and the web servers) is deployed in its own Availability Set for higher availability and redundancy against planned and unplanned outages. Refer to the Azure documentation for more information on Availability Sets. A sample configuration file for the VM-Series firewall is also included. After you import it, be sure to (a) customize the security policies to your needs and (b) set your own administrator password instead of the one in the sample file, since the sample file's password hash is public. Refer to the documentation for the steps to import the sample configuration file.

Support Policy

Supported

This project is released under the official support policy of Palo Alto Networks through the support options that you've purchased, for example Premium Support, support teams, or ASC (Authorized Support Centers) partners and Premium Partner Support options. The support scope is restricted to troubleshooting for the stated/intended use cases and product versions specified in the project documentation and does not cover customization of the scripts or templates. Only projects explicitly tagged with "Supported" information are officially supported. Unless explicitly tagged, all projects or work posted in our GitHub repository or sites other than our official Downloads page are provided under the best effort policy.

Documentation

azure-applicationgateway's People

Contributors

etac-paloaltonetworks avatar jigarshah04 avatar m43kwon avatar


azure-applicationgateway's Issues

Deploying to existing RG

Has anyone had the issue of deploying this script into an existing VNET? I have, and it does not deploy into the existing VNET; it creates a duplicate. If someone has found out how to fix this behavior I would love to know how.

Solution incomplete - missing static route in panos config via appgw sample config

The solution provides the appgw sample configuration file. That sample configuration file is missing a static route on the default VR. That static route should be:
destination: 192.168.4.0/24
interface: ethernet1/2
next hop (IP address): 192.168.2.1

Once that is in place and the configuration is committed, the default Apache web server is accessible via the application gateway.

Here's the updated sample xml config file code:

<config urldb="paloaltonetworks" version="9.1.0">
<mgt-config>
<users>
<!-- phash "*" is not a crypt-style hash: set a real admin password after import, as the README says -->
<entry name="admin">
<phash>*</phash>
<permissions>
<role-based>
<superuser>yes</superuser>
</role-based>
</permissions>
</entry>
<!-- sample superuser whose password hash is published in the repository: change or remove this account after import -->
<entry name="pandemo">
<permissions>
<role-based>
<superuser>yes</superuser>
</role-based>
</permissions>
<phash>$1$ljjdxeva$.isIbumicIMfaHvG/EKqd.</phash>
</entry>
</users>
</mgt-config>
<shared>
<application/>
<application-group/>
<service/>
<service-group/>
<botnet>
<configuration>
<http>
<dynamic-dns>
<enabled>yes</enabled>
<threshold>5</threshold>
</dynamic-dns>
<malware-sites>
<enabled>yes</enabled>
<threshold>5</threshold>
</malware-sites>
<recent-domains>
<enabled>yes</enabled>
<threshold>5</threshold>
</recent-domains>
<ip-domains>
<enabled>yes</enabled>
<threshold>10</threshold>
</ip-domains>
<executables-from-unknown-sites>
<enabled>yes</enabled>
<threshold>5</threshold>
</executables-from-unknown-sites>
</http>
<other-applications>
<irc>yes</irc>
</other-applications>
<unknown-applications>
<unknown-tcp>
<destinations-per-hour>10</destinations-per-hour>
<sessions-per-hour>10</sessions-per-hour>
<session-length>
<maximum-bytes>100</maximum-bytes>
<minimum-bytes>50</minimum-bytes>
</session-length>
</unknown-tcp>
<unknown-udp>
<destinations-per-hour>10</destinations-per-hour>
<sessions-per-hour>10</sessions-per-hour>
<session-length>
<maximum-bytes>100</maximum-bytes>
<minimum-bytes>50</minimum-bytes>
</session-length>
</unknown-udp>
</unknown-applications>
</configuration>
<report>
<topn>100</topn>
<scheduled>yes</scheduled>
</report>
</botnet>
</shared>
<devices>
<entry name="localhost.localdomain">
<network>
<interface>
<ethernet>
<entry name="ethernet1/1">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<lldp>
<enable>no</enable>
</lldp>
<dhcp-client/>
</layer3>
</entry>
<entry name="ethernet1/2">
<layer3>
<ipv6>
<neighbor-discovery>
<router-advertisement>
<enable>no</enable>
</router-advertisement>
</neighbor-discovery>
</ipv6>
<ndp-proxy>
<enabled>no</enabled>
</ndp-proxy>
<dhcp-client>
<create-default-route>no</create-default-route>
</dhcp-client>
<lldp>
<enable>no</enable>
</lldp>
</layer3>
</entry>
</ethernet>
</interface>
<profiles>
<monitor-profile>
<entry name="default">
<interval>3</interval>
<threshold>5</threshold>
<action>wait-recover</action>
</entry>
</monitor-profile>
</profiles>
<ike>
<crypto-profiles>
<ike-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<hash>
<member>sha1</member>
</hash>
<dh-group>
<member>group2</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<hash>
<member>sha256</member>
</hash>
<dh-group>
<member>group19</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<encryption>
<member>aes-256-cbc</member>
</encryption>
<hash>
<member>sha384</member>
</hash>
<dh-group>
<member>group20</member>
</dh-group>
<lifetime>
<hours>8</hours>
</lifetime>
</entry>
</ike-crypto-profiles>
<ipsec-crypto-profiles>
<entry name="default">
<esp>
<encryption>
<member>aes-128-cbc</member>
<member>3des</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</esp>
<dh-group>group2</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-128">
<esp>
<encryption>
<member>aes-128-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group19</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
<entry name="Suite-B-GCM-256">
<esp>
<encryption>
<member>aes-256-gcm</member>
</encryption>
<authentication>
<member>none</member>
</authentication>
</esp>
<dh-group>group20</dh-group>
<lifetime>
<hours>1</hours>
</lifetime>
</entry>
</ipsec-crypto-profiles>
<global-protect-app-crypto-profiles>
<entry name="default">
<encryption>
<member>aes-128-cbc</member>
</encryption>
<authentication>
<member>sha1</member>
</authentication>
</entry>
</global-protect-app-crypto-profiles>
</crypto-profiles>
</ike>
<qos>
<profile>
<entry name="default">
<class-bandwidth-type>
<mbps>
<class>
<entry name="class1">
<priority>real-time</priority>
</entry>
<entry name="class2">
<priority>high</priority>
</entry>
<entry name="class3">
<priority>high</priority>
</entry>
<entry name="class4">
<priority>medium</priority>
</entry>
<entry name="class5">
<priority>medium</priority>
</entry>
<entry name="class6">
<priority>low</priority>
</entry>
<entry name="class7">
<priority>low</priority>
</entry>
<entry name="class8">
<priority>low</priority>
</entry>
</class>
</mbps>
</class-bandwidth-type>
</entry>
</profile>
</qos>
<virtual-router>
<entry name="default">
<protocol>
<bgp>
<enable>no</enable>
<dampening-profile>
<entry name="default">
<cutoff>1.25</cutoff>
<reuse>0.5</reuse>
<max-hold-time>900</max-hold-time>
<decay-half-life-reachable>300</decay-half-life-reachable>
<decay-half-life-unreachable>900</decay-half-life-unreachable>
<enable>yes</enable>
</entry>
</dampening-profile>
<routing-options>
<graceful-restart>
<enable>yes</enable>
</graceful-restart>
</routing-options>
</bgp>
<rip>
<enable>no</enable>
</rip>
<ospf>
<enable>no</enable>
</ospf>
<ospfv3>
<enable>no</enable>
</ospfv3>
</protocol>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
</interface>
<ecmp>
<algorithm>
<ip-modulo/>
</algorithm>
</ecmp>
<routing-table>
<ip>
<static-route>
<!-- default route toward the Application Gateway subnet, out the untrust interface -->
<entry name="appgw">
<nexthop>
<ip-address>192.168.1.1</ip-address>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<interface>ethernet1/1</interface>
<metric>10</metric>
<destination>0.0.0.0/0</destination>
</entry>
<!-- the route the shipped sample lacks: web backend subnet via the trust-side gateway -->
<entry name="webBackendSubnet">
<path-monitor>
<enable>no</enable>
<failure-condition>any</failure-condition>
<hold-time>2</hold-time>
</path-monitor>
<nexthop>
<ip-address>192.168.2.1</ip-address>
</nexthop>
<bfd>
<profile>None</profile>
</bfd>
<interface>ethernet1/2</interface>
<metric>10</metric>
<destination>192.168.4.0/24</destination>
<route-table>
<unicast/>
</route-table>
</entry>
</static-route>
</ip>
</routing-table>
</entry>
</virtual-router>
</network>
<deviceconfig>
<system>
<update-server>updates.paloaltonetworks.com</update-server>
<update-schedule>
<threats>
<recurring>
<weekly>
<day-of-week>wednesday</day-of-week>
<at>01:02</at>
<action>download-only</action>
</weekly>
</recurring>
</threats>
</update-schedule>
<timezone>US/Pacific</timezone>
<service>
<disable-telnet>yes</disable-telnet>
<disable-http>yes</disable-http>
</service>
<type>
<dhcp-client>
<send-hostname>yes</send-hostname>
<send-client-id>no</send-client-id>
<accept-dhcp-hostname>no</accept-dhcp-hostname>
<accept-dhcp-domain>no</accept-dhcp-domain>
</dhcp-client>
</type>
<server-verification>yes</server-verification>
</system>
<setting>
<config>
<rematch>yes</rematch>
</config>
</setting>
</deviceconfig>
<vsys>
<entry name="vsys1">
<application/>
<application-group/>
<zone>
<entry name="untrust">
<network>
<layer3>
<member>ethernet1/1</member>
</layer3>
</network>
</entry>
<entry name="trust">
<network>
<layer3>
<member>ethernet1/2</member>
</layer3>
</network>
</entry>
</zone>
<service/>
<service-group/>
<schedule/>
<rulebase>
<security>
<rules>
<!-- matches any zone to any zone; in production restrict this to untrust -> trust -->
<entry name="allow_http" uuid="17016239-fae2-4aa4-b23f-50a8cfea0f41">
<to>
<member>any</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>service-http</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>allow</action>
</entry>
<entry name="deny_all" uuid="ba84cbca-aa47-486f-ba47-2bdf7476cf26">
<to>
<member>any</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>any</member>
</destination>
<source-user>
<member>any</member>
</source-user>
<category>
<member>any</member>
</category>
<application>
<member>any</member>
</application>
<service>
<member>any</member>
</service>
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>deny</action>
<log-start>yes</log-start>
</entry>
</rules>
</security>
<nat>
<rules>
<!-- DNAT traffic arriving on the untrust IP to the internal load balancer; source NAT to the ethernet1/2 address keeps return traffic symmetric through this firewall -->
<entry name="ilb" uuid="d6b8a22c-a8e9-45cb-9ed2-6cfdf3b43040">
<source-translation>
<dynamic-ip-and-port>
<interface-address>
<interface>ethernet1/2</interface>
</interface-address>
</dynamic-ip-and-port>
</source-translation>
<to>
<member>untrust</member>
</to>
<from>
<member>any</member>
</from>
<source>
<member>any</member>
</source>
<destination>
<member>firewall-untrust-IP</member>
</destination>
<destination-translation>
<translated-address>internal-load-balancer-IP</translated-address>
</destination-translation>
<service>any</service>
</entry>
</rules>
</nat>
</rulebase>
<import>
<network>
<interface>
<member>ethernet1/1</member>
<member>ethernet1/2</member>
</interface>
</network>
</import>
<address>
<entry name="firewall-untrust-IP">
<ip-netmask>192.168.1.4</ip-netmask>
</entry>
<entry name="internal-load-balancer-IP">
<ip-netmask>192.168.2.6</ip-netmask>
</entry>
</address>
</entry>
</vsys>
</entry>
</devices>
</config>

appgwUpdated.txt
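The checks a practitioner would want to run on a config file like the one above before importing it, as an added example that is not code from the azure-applicationgateway repository or from the issue author. It verifies the points this page raises: the static route to the web backend subnet that the shipped sample lacks, that no superuser still carries the published sample hash (or no crypt-style hash at all), that the plaintext management services stay disabled, and that allow rules are not open from any zone to any zone. It also shows the route being added programmatically. The subnet addresses, route name and hash value are taken from the config above; the embedded sample config is a constructed, trimmed-down version of it with HTTP management deliberately left on.

```python
"""Lint a PAN-OS XML configuration before importing it on a VM-Series firewall.

Added example; not code from the azure-applicationgateway repository.
"""
import xml.etree.ElementTree as ET

# Route the firewall needs so Application Gateway traffic reaches the web
# servers (values from the issue above).
REQUIRED_ROUTES = {"webBackendSubnet": ("192.168.4.0/24", "ethernet1/2", "192.168.2.1")}

# Hashes that appear in the public sample file; anyone can crack or replay them.
PUBLISHED_SAMPLE_HASHES = {"$1$ljjdxeva$.isIbumicIMfaHvG/EKqd."}

VR_PATH = "devices/entry/network/virtual-router/entry[@name='default']"
RULES_PATH = "devices/entry/vsys/entry/rulebase/security/rules/entry"

# Constructed, trimmed-down config in the shape of the one posted above,
# deliberately without the webBackendSubnet route and with HTTP management on.
SAMPLE_CONFIG = """<config version="9.1.0">
<mgt-config><users>
<entry name="admin"><phash>*</phash></entry>
<entry name="pandemo"><phash>$1$ljjdxeva$.isIbumicIMfaHvG/EKqd.</phash></entry>
</users></mgt-config>
<devices><entry name="localhost.localdomain">
<network><virtual-router><entry name="default">
<routing-table><ip><static-route>
<entry name="appgw"><nexthop><ip-address>192.168.1.1</ip-address></nexthop>
<interface>ethernet1/1</interface><destination>0.0.0.0/0</destination></entry>
</static-route></ip></routing-table>
</entry></virtual-router></network>
<deviceconfig><system><service>
<disable-telnet>yes</disable-telnet><disable-http>no</disable-http>
</service></system></deviceconfig>
<vsys><entry name="vsys1"><rulebase><security><rules>
<entry name="allow_http"><from><member>any</member></from><to><member>any</member></to>
<application><member>any</member></application><service><member>service-http</member></service>
<action>allow</action></entry>
</rules></security></rulebase></entry></vsys>
</entry></devices>
</config>"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def _child(parent, tag):
    """Return parent/tag, creating it when absent."""
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)


def static_routes(root):
    """{name: (destination, interface, next hop)} for the default virtual router."""
    return {
        e.get("name"): (_text(e, "destination"), _text(e, "interface"), _text(e, "nexthop/ip-address"))
        for e in root.findall(VR_PATH + "/routing-table/ip/static-route/entry")
    }


def routes_in(xml_text):
    return static_routes(ET.fromstring(xml_text))


def ensure_static_route(root, name, destination, interface, nexthop, metric="10"):
    """Add a static route to the default VR unless one already covers destination."""
    if any(r[0] == destination for r in static_routes(root).values()):
        return False
    table = root.find(VR_PATH)
    if table is None:
        raise ValueError("default virtual router not found")
    for tag in ("routing-table", "ip", "static-route"):
        table = _child(table, tag)
    entry = ET.SubElement(table, "entry", name=name)
    ET.SubElement(ET.SubElement(entry, "nexthop"), "ip-address").text = nexthop
    ET.SubElement(entry, "interface").text = interface
    ET.SubElement(entry, "metric").text = metric
    ET.SubElement(entry, "destination").text = destination
    return True


def lint(xml_text):
    """Return human-readable findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    present = {r[0] for r in static_routes(root).values()}
    for name, (dest, iface, nh) in REQUIRED_ROUTES.items():
        if dest not in present:
            findings.append(f"missing static route {name}: {dest} via {iface} next hop {nh}")
    for user in root.findall("mgt-config/users/entry"):
        phash = _text(user, "phash")
        if phash in PUBLISHED_SAMPLE_HASHES:
            findings.append(f"user {user.get('name')} still uses the hash from the public sample file")
        elif not phash.startswith("$"):
            findings.append(f"user {user.get('name')} has no crypt-style password hash; set one before import")
    svc = root.find("devices/entry/deviceconfig/system/service")
    for tag in ("disable-telnet", "disable-http"):
        if svc is None or _text(svc, tag) != "yes":
            findings.append(f"management service setting {tag} is not 'yes'")
    for rule in root.findall(RULES_PATH):
        if _text(rule, "action") != "allow":
            continue
        zones = {f: [m.text for m in rule.findall(f + "/member")] for f in ("from", "to")}
        if zones["from"] == ["any"] and zones["to"] == ["any"]:
            findings.append(f"allow rule {rule.get('name')} matches any zone to any zone; pin it to untrust -> trust")
    return findings


def fix_sample(xml_text):
    """Return xml_text with every REQUIRED_ROUTES entry present."""
    root = ET.fromstring(xml_text)
    for name, (dest, iface, nh) in REQUIRED_ROUTES.items():
        ensure_static_route(root, name, dest, iface, nh)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("after adding the route:", lint(fix_sample(SAMPLE_CONFIG)))
```

Run it against the real exported file by replacing SAMPLE_CONFIG with the file contents; the route check is what the "Solution incomplete" issue above describes, and the remaining findings are the items the README tells you to change by hand after import.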

Support for V2 AppGW

Currently this looks to deploy a V1 AppGW/WAF. Are there plans to update this to the V2 SKU?

Added interface (eth3) cannot work

I have a problem when I add another interface (eth3) on Azure. It looks like it does not work very well. I can see the SSH session between eth3 and the Azure internal LB, but no traffic can pass through the Palo firewall. Does anyone have the same problem?

Deployment error when deploying into existing RG - reference resource not found

The script is trying to reference /subscriptions/"subscriptionID"/resourceGroups/RG-Network/providers/Microsoft.Network/virtualNetworks/VNET-Network/subnets/FW-Management, but the resource doesn't exist in that resource group; it's in a separate RG. Is there any way to change the script to point to the correct location instead of deploying into the separate RG that has unrelated resources in it?

[Community Health Assessment] Changes needed

This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.

Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.

Click More info for instructions to fix each item.

Health Check                                        | Score   | More Info
Contains a meaningful README.md file                | 20 / 20 | More info
SUPPORT.md file exists                              |  0 / 20 | More info
Repo has a description                              | 15 / 15 | More info
Has a recognized open source license                |  0 / 15 | More info
Has a descriptive repo name                         | 15 / 15 | More info
Required topics attached to repo                    |  0 / 15 | More info
CONTRIBUTING.md file with contribution guidelines   |  0 / 5  | More info
Has custom issue and pull request templates         |  0 / 5  | More info

Current score: 50
Target threshold: 100
Total possible: 110

Azure US Government/DoD

Is anyone aware of the values that must be changed to have this template functioning in US Gov or DoD Space. Thanks.

boot loop

Is it just me, or are the new Palo images just boot looping upon creation?

I tried using the Portal and the vmseries template from this repo (with the latest and the 8.0.0 version), leading me to believe other things might be wrong with the vmseries image.

At least one resource deployment operation failed. Please list deployment operations for details.

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
  "details": [
    {
      "code": "BadRequest",
      "message": "{\r\n  \"error\": {\r\n    \"code\": \"InvalidParameter\",\r\n    \"target\": \"vmSize\",\r\n    \"message\": \"The requested VM size Standard_D3 is not available in the current region. The sizes available in the current region are: Standard_A0,Standard_A1,Standard_A2,Standard_A3,Standard_A5,Standard_A4,Standard_A6,Standard_A7,Basic_A0,Basic_A1,Basic_A2,Basic_A3,Basic_A4,Standard_D1_v2,Standard_D2_v2,Standard_D3_v2,Standard_D4_v2,Standard_D5_v2,Standard_D11_v2,Standard_D12_v2,Standard_D13_v2,Standard_D14_v2,Standard_D15_v2,Standard_D2_v2_Promo,Standard_D3_v2_Promo,Standard_D4_v2_Promo,Standard_D5_v2_Promo,Standard_D11_v2_Promo,Standard_D12_v2_Promo,Standard_D13_v2_Promo,Standard_D14_v2_Promo,Standard_F1,Standard_F2,Standard_F4,Standard_F8,Standard_F16,Standard_A1_v2,Standard_A2m_v2,Standard_A2_v2,Standard_A4m_v2,Standard_A4_v2,Standard_A8m_v2,Standard_A8_v2,Standard_DS1_v2,Standard_DS2_v2,Standard_DS3_v2,Standard_DS4_v2,Standard_DS5_v2,Standard_DS11_v2,Standard_DS12_v2,Standard_DS13-2_v2,Standard_DS13-4_v2,Standard_DS13_v2,Standard_DS14-4_v2,Standard_DS14-8_v2,Standard_DS14_v2,Standard_DS15_v2,Standard_DS2_v2_Promo,Standard_DS3_v2_Promo,Standard_DS4_v2_Promo,Standard_DS5_v2_Promo,Standard_DS11_v2_Promo,Standard_DS12_v2_Promo,Standard_DS13_v2_Promo,Standard_DS14_v2_Promo,Standard_F1s,Standard_F2s,Standard_F4s,Standard_F8s,Standard_F16s,Standard_B1ms,Standard_B1s,Standard_B2ms,Standard_B2s,Standard_B4ms,Standard_B8ms,Standard_D2_v3,Standard_D4_v3,Standard_D8_v3,Standard_D16_v3,Standard_D32_v3,Standard_D64_v3,Standard_D2s_v3,Standard_D4s_v3,Standard_D8s_v3,Standard_D16s_v3,Standard_D32s_v3,Standard_D64s_v3,Standard_E2_v3,Standard_E4_v3,Standard_E8_v3,Standard_E16_v3,Standard_E32_v3,Standard_E64_v3,Standard_E2s_v3,Standard_E4s_v3,Standard_E8s_v3,Standard_E16s_v3,Standard_E32-8s_v3,Standard_E32-16s_v3,Standard_E32s_v3,Standard_E64-16s_v3,Standard_E64-32s_v3,Standard_E64s_v3,Standard_G1,Standard_G2,Standard_G3,Standard_G4,Standard_G5,Standard_GS1,Standard_GS2,Standard_GS3,Standard_GS4,Standard_GS4-4,Standard_GS4-8,Standard_GS5,Standard_GS5-8,Standard_GS5-16,Standard_L4s,Standard_L8s,Standard_L16s,Standard_L32s. Find out more on the available VM sizes in each region at https://aka.ms/azure-regions.\"\r\n  }\r\n}"
    }
  ]
}
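A small triage helper for ARM errors of the shape pasted above, as an added example that is not code from the repository or from the issue author. Each entry in details[] carries its own error as a JSON document serialised into a string, so the body has to be decoded twice before the vmSize text can be parsed and a replacement size chosen from the list the region actually offers. The embedded error is a constructed sample with the size list cut down; the regular expression assumes the message wording shown in the post.

```python
"""Decode an ARM DeploymentFailed body and pull out the usable VM sizes.

Added example; not code from the azure-applicationgateway repository.
"""
import json
import re

# Constructed sample in the shape of the error above, size list shortened.
SAMPLE_ERROR = json.dumps({
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details.",
    "details": [{
        "code": "BadRequest",
        "message": json.dumps({"error": {
            "code": "InvalidParameter",
            "target": "vmSize",
            "message": ("The requested VM size Standard_D3 is not available in the current region. "
                        "The sizes available in the current region are: Standard_D3_v2,Standard_DS3_v2,"
                        "Standard_D4_v3,Standard_DS4_v2. Find out more on the available VM sizes in each "
                        "region at https://aka.ms/azure-regions."),
        }}),
    }],
})

# Wording as it appears in the error above (assumed stable).
SIZE_RE = re.compile(
    r"The requested VM size (\S+) is not available in the current region\. "
    r"The sizes available in the current region are: ([^.]*)\."
)


def decode_arm_error(text):
    """Return [(code, target, message)] for each nested error in the body.

    details[].message is itself a JSON string; fall back to the outer fields
    when a detail entry is plain text instead.
    """
    outer = json.loads(text)
    decoded = []
    for detail in outer.get("details", []):
        try:
            inner = json.loads(detail["message"])["error"]
        except (ValueError, KeyError, TypeError):
            inner = {"code": detail.get("code"), "target": None, "message": detail.get("message", "")}
        decoded.append((inner.get("code"), inner.get("target"), inner.get("message", "")))
    return decoded


def unavailable_size(text):
    """(requested_size, set_of_available_sizes) for a vmSize rejection, else None."""
    for code, target, message in decode_arm_error(text):
        match = SIZE_RE.search(message)
        if code == "InvalidParameter" and target == "vmSize" and match:
            return match.group(1), {s.strip() for s in match.group(2).split(",")}
    return None


def pick_replacement(text, preferred):
    """First size in preferred that the region reports as available, or None."""
    info = unavailable_size(text)
    if info is None:
        return None
    _requested, available = info
    return next((s for s in preferred if s in available), None)


if __name__ == "__main__":
    requested, available = unavailable_size(SAMPLE_ERROR)
    print(f"{requested} rejected; {len(available)} sizes offered")
    print("use:", pick_replacement(SAMPLE_ERROR, ["Standard_D3", "Standard_D3_v2", "Standard_DS3_v2"]))
```

Feed it the raw body from the portal or from the deployment operations listing, then pass the returned size as the template parameter that sets the VM size (the error reports it under target vmSize). The v2 names the region lists are the ones to try first.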

The backend pool is Unhealthy

Hi!

After deploying the template, when I try to access the web through the App Gateway DNS I get a 502 because the VMs in the backend pool have the state Unhealthy... I psping port 80 of those VMs and it seems it's not open.

do I need to do anything else after deploying the template?

thanks

Unable to Deploy

Hey there. has anyone tried to deploy this as of late? I am getting a conflict on the VMFirewall creation portion.

I have tried using different firewall versions, that did not help. Is anyone at Palo able to deploy this now?
