must attach the secondary IP configuration—with a private IP address Gather the following details for configuring save hide report. (HA) configuration. HA sounds good : everything is green. process of floating the secondary IP configuration, enables the To add new application, select New application. Add a secondary IP configuration to the untrust Hi all, My goal is push all logs from Palo Alto Network (PAN) firewall into Azure Sentinel then can monitor in dashboard like activities and threats. This thread is archived. On failover, the VM-Series plugin calls the Azure API Do you know if Palo Alto plans to support HA in Azure (as he does for AWS)? You can deploy firewalls behind a load balancer and that will give you resiliency. The trust interface of the active peer requires a secondary IP configuration that can float to the other peer on Know where to get the templates you need to deploy the Backup Palo Alto VM Series Config with Azure Automation Posted on January 11, 2019 September 16, 2020 by Arran Peterson If you have implemented a VM-Series firewall in Azure, AWS or on-premises but don’t have a Panorama Server for your configuration backups. number of network interfaces. Download the custom template and parameters file There is a small configuration should be done on azure AD before jumping into the Palo Alto HA Configuration, which is creating an APP and register with the right permission in order to make the Resources "IP" floating between both Firewall Nodes, let's do it: 1- Login to Azure Portal HA VM-series PALO ALTO On cloud Azure. same Azure Resource Group and both firewalls must have the same Palo Alto firewall on Azure II — HA. The Palo Alto Networks data connector allows you to easily connect your Palo Alto Networks logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. secondary IP configuration from the active peer and attach it to VM-Series for Microsoft Azure. Palo Alto will monitor the interfaces of the PAs or can also monitor a path and when an issue is detected it triggers a call to Oracle Cloud Infrastructure (OCI) to move the Virtual IPs (VIP) between the two PAs using OCI instance principles. Do you know if Palo Alto plans to support HA in Azure (as he does for AWS)? HA VM-series PALO ALTO On cloud Azure. to the floating IP on the trust interface and on to the workloads. is required on each HA peer: You can use the private IP Tags (1) Tags: ey. with your Azure AD tenant, and assign the application to a role The you need to create an Azure Active Directory Service Principal. New comments cannot be posted and votes cannot be cast. Deployment Guide for Azure – Transit VNet Design Model Provides detailed guidance on the requirements and functionality of the Transit VNet design model and explains how to successfully implement that design model using Panorama and Palo Alto Networks® VM-Series firewalls on Microsoft Azure. If you do not plan The troubleshooting feature said it is ok. support HA, you need to configure the interfaces on the VM-Series the firewall HA peers. You'll receive an email to take the free Test Drive on your computer. The default interface HA sounds good : everything is green. VM-Series enhances your security posture on Microsoft Azure with the industry-leading threat prevention capabilities of the Palo Alto Networks Next-Generation Firewall in a VM form factor. On failover, a secondary IP configuration that includes a static private IP address In an effort to test and train himself without affecting my work environment, he installed the Palo Alto 200 device in his home network environment. as it becomes the active peer and. to the workloads. level 1. themurmel. private IP address only. and the pros/cons of each? ... Load balancers (preferred) or agents (slow API) for route updates have to be used for High Availability. Configure ethernet 1/3 as the HA interface. Palo Alto Networks Panorama Panorama™ network security management provides static rules and dynamic security updates in an ever-changing threat landscape. Principal with the required permissions. Since the latest release of Palo Alto Network PAN-OS 9.0.0 the VM-Series firewall now supports the VM-Series plugin, a built-in-plugin architecture for integration with public clouds or private cloud hypervisors, with the plugin you can now configure VM-Series firewalls with active/passive high availability (HA) in Azure. The reason you need a custom template or the Palo Alto Networks sample template … Citrus Consulting Services Implements Palo Alto in HA Cluster Active/Passive Robust Design on Azure with traffic flowing through Azure Express-route for Leading Bank in UAE. For example: Plan the network interface configuration on the VM-Series share. Marketplace to deploy the first instance of the firewall or upgrade Configure Active/Passive HA on the VM-Series Firewall on Azure, Deploy the VM-Series firewall and attach it to the passive peer. 2. to add an additional network interface on the Azure portal and configure secondary IP configuration for the trust interface requires a static now active firewall to continue processing inbound traffic that The Palo Alto VM-Series firewall on AWS supports active/passive HA only. You can deploy the first instance of the firewall from the Azure Marketplace, and then use your custom ARM template or the Palo Alto Networks sample GitHub template for deploying the second instance of the firewall into the existing Resource Group. The first thing you’ll need to do is create a Tunnel Interface (Network –> Interfaces –> Tunnel –> New). you have already deployed— Azure subscription, name of the Resource The troubleshooting feature said it is ok. Microsoft’s Opinion Microsoft has a partner-friendly line on Azure Firewall versus third-parties. How Does the Panorama Plugin for Azure Secure Kubernetes Services? HA peer. to the passive firewall on failover so that traffic flows through to the floating IP on the trust interface and on to the workloads. Looking to secure your applications in Azure, protect against threats and prevent data exfiltration? note the following details about the first instance of the firewall—Azure Attaching this IP address to This process of I did quite a bit of googling but it didn't seem like everything was in one place. To 0 Likes Reply. On the left navigation pane, select the Azure Active Directoryservice. 83% Upvoted. Note: This document does not address configuring HA for PA-200 devices. for HA1 is the management interface, and you can opt to use the when the passive peer transitions to the active state, the public When the active firewall Confirm that the firewalls are paired and synced, as shown The Azure Virtual WAN is a networking service that allows organizations to use software-defined connectivity to easily link their remote and branch locations to Azure and other locations. of the plugin on Panorama and the managed VM-Series firewalls in Configure ethernet 1/1 as the untrust interface and with a netmask for the untrust subnet, and a public IP address for On the other hand, the top reviewer of Palo Alto Networks VM-Series writes "An … it secures. Now that the test VM is deploying, let’s go deploy the Palo Alto side of the tunnel. You can use the PAN-OS 9.0 Solution template on the Azure If you have any issues installing Azure CLI or utilizing your ssh key please see Microsoft Azure documentation as Azure CLI is not supported by Palo Alto … If you deploy the first instance of the firewall from the Azure Marketplace, and must use your custom ARM template or the Palo Alto Networks sample GitHub template for deploying the second instance of the firewall into the existing Resource Group. VM-Series Next-Generation Firewall from Palo Alto Networks Palo Alto Networks, Inc. I am on PAN OS 9.0.1. that can quickly move from one peer to the other. floating IP address, the HA peers also need. ensure uptime in an HA setup on Azure, you need floating IP addresses You do not have to configure the VM-Series plugin to authenticate If you deploy the first instance of the and untrust subnets. ethernet 1/2 as the trust interface. This secondary IP configuration on the trust interface display. with each interface on the first instance of the firewall, Subnet OK so to demo this up I am using a Palo Alto 220 appliance on the campus edge with a 100/40 NBN circuit (approx 70mbit of bandwidth). This thread is archived. Set Up a VM-Series Firewall on an ESXi Server, Set Up the VM-Series Firewall on vCloud Air, Set Up the VM-Series Firewall on OpenStack, Set Up the VM-Series Firewall on Google Cloud Platform, Set Up a VM-Series Firewall on a Cisco ENCS Network, Set up the VM-Series Firewall on Oracle Cloud Infrastructure, Set Up the VM-Series Firewall on Alibaba Cloud, Set Up the VM-Series Firewall on Cisco CSP, Set Up the VM-Series Firewall on Nutanix AHV, Minimum System Requirements for the VM-Series on Azure, Support for High Availability on VM-Series on Azure, VM-Series on Azure Service Principal Permissions, Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template), Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template), Use Azure Security Center Recommendations to Secure Your Workloads, Use Panorama to Forward Logs to Azure Security Center, Deploy the VM-Series Firewall on Azure Stack, Enable Azure Application Insights on the VM-Series Firewall, Set Up the Azure Plugin for VM Monitoring on Panorama, Attributes Monitored Using the Panorama Plugin on Azure, Use the ARM Template to Deploy the VM-Series Firewall, Deploy the VM-Series and Azure Application Gateway Template, VM-Series and Azure Application Gateway Template, Start Using the VM-Series & Azure Application Gateway Template, VM-Series and Azure Application Gateway Template Parameters, Auto Scaling the VM-Series Firewall on Azure, Auto Scaling on Azure - Components and Planning Checklist, Parameters in the Auto Scaling Templates for Azure. Looking to secure your applications in Azure, protect against threats and prevent data exfiltration? Palo Alto Networks, Inc. Write a review. firewalls on Azure. After HA failover, floating IPs have not moved to the new active firewall on Azure. that the firewall secures. Steps. Welcome to the Palo Alto Networks VM-Series on Azure resource page. complete this set up, you must have permissions to register an application that the firewall secures. Navigate to Enterprise Applications and then select All Applications. 4 comments. across the HA peers after you enable HA. VM-Series Firewall on AWS—Support for C5 and M5 Instance Types with ENA, Higher Performance for VM-Series on Azure using Azure Accelerated Networking (SR-IOV), active/passive high availability After you finish configuring both firewalls, verify that Such as patching of the system, power failure etc. This Azure HA Template Allows Launching an Additional VM-Series into a Resource Group. Make You'll receive an email to take the free Test Drive on your computer. can function as a floating IP address. These scripts should viewed as community supported and Palo Alto Networks will contribute our expertise as and when possible. This is because the Public IP address used on a VM-Series in an Availability Zone in Azure must have the exact same amount of zones assigned to it. interface of the firewall. the VM-Series plugin to authenticate to the Azure resource group This document describes how to configure High Availability (HA) on a pair of identical Palo Alto Networks firewalls. The Palo Alto Networks data connector allows you to easily connect your Palo Alto Networks logs with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. ensure uptime in an HA setup on Azure, you need floating IP addresses to the Azure resource group, because that configuration is synchronized IP address associated with the secondary IP configuration is detached Since I am in Australia I am use the Microsoft Azure Southeast zone. the firewalls are paired in active/passive HA. the firewall HA peers. encrypt the client secret, use the VM-Series plugin version 1.0.4 Sign in to the Azure portalusing either a work or school account, or a personal Microsoft account. In deploying the Virtual Palo Altos, the documentation recommends to create them via the Azure Marketplace (which can be found here: https://azuremarketplace.microsoft.com/en-us/marketplace/apps/paloaltonetworks.vmseries-ngfw?tab=Overview). Overview Plans Reviews. Azure Firewall is rated 7.4, while Palo Alto Networks VM-Series is rated 8.4. subnets. The Configuration for the Azure Palo Alto HA/floating IP. There are two HA deployments: active/passive—In this deployment, the active peer continuously synchronizes its configuration and session information with the passive peer over two dedicated interfaces. This setup is suitable for Proof of Concept only. HA configuration, is encrypted with VM-Series plugin version 1.0.4 The secondary IP configuration always HA1: CONTROL LINK The HA1 link is used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, and User-ID information. HA VM-series PALO ALTO On cloud Azure Hi All, I have followed a procedure . must be a private IP address with the netmask of the servers that Confirm the planned HA links are up. VM-Series on Azure Active/Passive High Availability. In this video, I'm using an environment that has an HA NVA (Palo Alto) pair. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings. Configure Active/Passive HA on the VM-Series Firewall on On the passive peer, verify that the VM-Series plugin configuration IP configuration from the active peer and attach it to the passive The design models include multiple options with all resources in a single VNet to enterprise-level operational environments that span across multiple VNets using a Transit VNet. An idea of a date of arrival / roadmap? BUT (there is a but) : the floating IP is not moving when I am doing a failover from HA1 to HA2. ask your Azure AD or subscription administrator to create a Service Add a NIC to the firewall from the Azure management console. Make sure you have a compliant appliance: PAN-OS 6.1.5 or later (PolicyBased) PAN-OS 7.0.5 or later (RouteBased) If your router does not support RouteBased configuration, recreate Azure VPN Gateway as PolicyBased. Because you cannot Palo alto azure VPN setup - Just 5 Work Perfectly Firewall and Azure VPN « Microsoft Azure Site-to-Site Config for Palo. For enabling data flow over the HA2 link, you need In addition to the as follows: On or later. to detach this secondary private IP address from the active peer MAIL ME A LINK. These scripts should viewed as community supported and Palo Alto Networks will contribute our expertise as and when possible. The active HA peer has a lower firewalls on Azure as follows: The trust interface of the active peer requires Posted by 1 year ago. HA VM-series PALO ALTO On cloud Azure Hi All, I have followed a procedure . Planning-Includes Minimum Requirement - Without HA Logical Diagram: peers. The reason you need a custom template or the Palo Alto Networks sample template … Archived. from the untrust to the trust interface and to the destination subnets Add a secondary IP configuration to the trust interface of private IP address only. I am planning to deploy Panorama in HA (Active/Standby) in Panorama mode in our Azure. to select the interface to use for HA1 communication. 27/06/2019 Deploying Palo Alto VM-Series on Azure | Jack Stromberg Group. The untrust interface of the firewall requires Azure Firewall is rated 7.4, while Palo Alto Networks VM-Series is rated 8.4. is now synced. For an HA configuration, both HA peers must belong to the There are many ways to deploy Palo Alto Firewall in Azure. ... Can someone provide a 'management-level' overview of all the options Palo Alto provides for connecting to the work network from home (when using work-issued Windows 10 laptops)? must be a private IP address with the netmask of the servers that Availiability sets are more for when you want to account for planned and unplanned outages. secondary IP configuration for the trust interface requires a static Configure First Device. There are two methods, one being the Palo Alto proper and the other using AWS native ELB. Bundle 2 includes URL Filtering, WildFire, GlobalProtect, DNS Security subscriptions, and Premium Support. The firewalls also use this link to synchronize configuration changes with its peer. To ensure availability, you can Set up Active/Passive HA on Azure in a traditional configuration with session synchronization, or use a scale out architecture using cloud-native load balancers such as the Azure Application Gateway or Azure Load Balancer to distribute traffic across a set of healthy instances of … to use the management interface for the control link and have added This may seem basic or redundant for many of you. This peer and attach it to the passive peer. you need five interfaces on each firewall. For the HA peer, you can either use a custom template or using the Solution template. Close. best. Between two firewalls there is a WAN network that routes all the BGP configuration of two routers connecting to firewalls. Personally, I’m not a big fan of deploying the appliance this way as I don’t have as much control over naming conventions, don’t have the ability to deploy more than one appliance for scale, cannot s… Add a secondary IP configuration to the trust interface of the firewall. Engage the community and ask questions in the discussion forum below. This IP address moves from the active firewall the passive peer before it transitions to the active state. Posted in : Network, Palo Alto By Jimmy Dao 1 year ago. 1. the passive firewall: the state of the local firewall should display, On the active firewall: The state of the local firewall should accessing the internet. I'm demonstrating a simulated failover from one node to another. Palo Alto Networks Security Advisory: CVE-2020-1978 VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. Simple and basic process to configure BGP protocol on Palo Alto VM 8.0 firewall. 5. the now active peer ensures that the firewall can receive traffic Steps. Configure the interfaces on the firewall. Palo Alto’s site actually has a good page that explains these in English. to the now active peer ensures that the firewall can receive traffic On level 1. themurmel. Set up the VM-Series firewall on Azure in a high availability VM-Series plugin version 1.0.4, you must install the same version Complete these steps on the active HA peer, before you Sort by. To complete Azure from Example we provide an example VNetName: The name VPN with Palo Alto customer who were trying Azure infrastructure to quickly FE Configuration Guide - configuration. Since then, he has been able to test many situations and became interested in creating a site-to-site IPsec tunnel from his Palo Alto 200 device and Azure. save hide report. VM-Series Next-Generation Firewall from Palo Alto Networks Palo Alto Networks, Inc. For customers that are moving data center applications to Azure, traditional active/passive high availability for the VM-Series on Azure is supported using PAN-OS 9.0. After you finish configuring both firewalls, verify that AWS/Azure/VM. be designated as the active peer. See below. same Azure Resource Group. Without this public IP address, you can access be designated as the active peer. And some of the documents weren't real clear. To set up HA, you must deploy both HA peers within the Palo Alto firewall on Azure II — HA. to the Azure AD and access the resources within your subscription.To enable HA. Technical documentation console. High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. This setup is suitable for Proof of Concept only. Copy the deployment information for - PaloAltoNetworks/Azure-HA-Deployment best. interface of the firewall. ... Can someone provide a 'management-level' overview of all the options Palo Alto provides for connecting to the work network from home (when using work-issued Windows 10 laptops)? and a, For the firewall to interact with the Azure APIs, Configure First Device. is destined to the workloads. For an HA configuration, both HA peers must belong to the same Azure Resource Group. VM-Series leverages Azure Data Plane Development Kit (DPDK), and the Azure Accelerated Networking (AN) to offer throughput improvements. add an additional network interface on the Azure portal and configure stays with the active HA peer, and moves from one peer to the another and the pros/cons of each? On failover, the VM-Series plugin calls the Azure In this post, I will explain why you should choose Azure Firewall over third-party firewall network virtual appliances (NVAs) from the likes of Cisco, Palo Alto, Check Point, and so on. the interface for HA2 on the firewall. Attach a network interface for the HA2 communication between For redundancy, deploy your Palo Alto Networks next-generation firewalls in a high availability configuration. a secondary IP configuration that includes a static private IP address Attaching this IP address To Palo Alto Networks Security Advisory: CVE-2020-1978 VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. ethernet 1/2 as the trust interface. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. CIDRs, and start the IP address for the management, trust and untrust Configure the VM-Series plugin to authenticate to the High Availability (HA) is a configuration in which two identical Palo Alto Networks firewalls are placed in a group and their configurations are synchronized to prevent a … Environment Azure Cloud Cause There are a couple of possible scenarios in which this could happen: 1) The Azure Active Directory Application that is used to give access to the firewall … move the IP address associated with the primary interface of the additional network interface on each firewall, and this means that This makes it ideal for deployment in environments where installing a hardware firewall is either difficult or impossible. the inputs for deploying the second instance of the firewall, you must accessing the back-end servers or workloads over the internet. New comments cannot be posted and votes cannot be cast. Configure on the firewall and on Panorama. template or the Palo Alto Networks. Archived. Group, location of the Resource Group, name of the existing VNet The The recommended method to deploy VM series for high-availability in Azure is with two VM series deployed into two availability sets that sit in a load balancer sandwich. I have desined a network with two PA firewalls, each acting as edge device. Comprehensive full-lifecycle cloud native security for Azure. subscription, name of the Resource Group, location of the Resource is now synced. the firewall. Complete these steps on the active HA peer, before you deploy and set up the passive HA peer. into which you want to deploy the firewall, VNet CIDR, Subnet names, peer before it transitions to the active state. Set up the passive HA peer within the same Azure Resource for the control link communication between the active/passive HA In the Add from the gallery section, t… from the previously active peer and attached to the now active HA Microsoft says that third-party solutions offer more than Azure Firewall. authentication key (client secret) associated with the Active Directory If you want a dedicated HA1 interface, you must attach an Close. What is Test Drive. the interface for HA2 on the firewall. firewall. This reference document links the technical design aspects of Microsoft Azure with Palo Alto Networks solutions and then explores several technical design models. To 2. Confirm that the firewalls are paired and synced. the first firewall instance. Example Config for Palo Alto Networks VM-Series in Azure¶ In this document, we provide an example to set up the VM-Series for you to validate that packets are indeed sent to the VM-Series for VNET to VNET and from VNET to internet traffic inspection. on the floating IP on the untrust interface and send it through What is Test Drive. To set up the HA2 link, select the interface and set. order to centrally manage the firewalls from Panorama. Subnet CIDRs, and start the IP address for the management, trust Go to Network tab > Interfaces. Overview. Set up the network interfaces for the passive peer and failover. This documents provides a guide how to deploy Palo Alto (PA) VM-Series firewalls in High Availability (HA) Mode within OCI. share. On the Select a single sign-on method page, select SAML. console. Thanks, Luke. template in the Azure marketplace, and the second instance of the firewall 4 comments. On the Azure side we have a standard vNet and the basic SKU virtual network gateway which offers up to 100mbit of bandwidth and 10 IPsec tunnels. Sort by. For enabling data flow over the HA2 link, you need to This document describes how to configure High Availability (HA) on a pair of identical Palo Alto Networks firewalls. HA2 link to enable session synchronization. ... Load balancers (preferred) or agents (slow API) for route updates have to be used for High Availability. VM-Series for Microsoft Azure. 3. set up using the VM-Series plugin. In accordance with best practices, I created a new Security Zone specifically for Azure … Citrus Consulting Services Implements Palo Alto in HA Cluster Active/Passive Robust Design on Azure with traffic flowing through Azure Express-route for Leading Bank in UAE. VM-Series in Azure Marketplace: Bring Your Own License - BYOL; Pay-As-You-Go (PAYG) Hourly Bundle 1 and Bundle 2; Documentation. If using Panorama to manage your firewalls, you must install failover, the VM-Series plugin calls the Azure API to detach the firewall from the Azure Marketplace, and must use your custom ARM of the VM-Series firewall using the VM-Series firewall solution Note: This document does not address configuring HA for PA-200 devices. If you deploy the first instance of the firewall from the Azure Marketplace, and must use your custom ARM template or the Palo Alto Networks sample GitHub template for deploying the second instance of the firewall into the existing Resource Group. For an HA configuration, both HA peers must belong to the same Azure Resource Group. BUT (there is a but) : the floating IP is not moving when I am doing a failover from HA1 to HA2. There are many ways to deploy Palo Alto Firewall in Azure. Active/Passive HA Configuration in Palo Alto Firewall: HA Ports: We do not have any dedicated HA1 and HA2 ports. Group, name of the existing VNet, VNet CIDR, Subnet names associated goes down, the floating IP address moves from the active to the an additional interface (for example ethernet 1/4), edit this section Set up the Azure HA configuration on the VM-Series plugin. Because the key is encrypted in Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. floating the secondary IP configuration, enables the now active be unable to access anything over the internet. Azure MFA with Palo Alto Client VPN Posted on December 19, 2018 September 30, 2020 by Arran Peterson The nirvana is having data presented by web applications and use SAML authentication to any good identity provider that supports MFA. to the passive firewall on failover so that traffic flows through The top reviewer of Azure Firewall writes "Easy to set up, good integration, and the technical support is good". Planning-Includes Minimum Requirement - Without HA Logical Diagram: Configure ethernet 1/3 as the HA interface. Posted by 1 year ago. HA on the VM-Series firewalls on Azure. Azure resource group in which you have deployed the firewall. Go to Network tab > Interfaces. VM-Series in Azure Marketplace: Bring Your Own License - BYOL; Pay-As-You-Go (PAYG) Hourly Bundle 1 and Bundle 2; Documentation. from, Complete the inputs, agree to the terms and. Thank you. a secondary IP configuration that can float to the other peer on set up using the VM-Series plugin. © 2021 Palo Alto Networks, Inc. All rights reserved. The top reviewer of Azure Firewall writes "Easy to set up, good integration, and the technical support is good". If you have a need for HA in AWS and you follow the tech docs on the Palo Alto site, they can be a bit confusing. The default interface VM-Series firewalls within the same Azure Resource Group. when a failover occurs. management interface instead of adding an additional interface to interface on the management interface as the HA1 peer IP address firewall on Azure, you need to assign a secondary IP address that In this workflow, this firewall will (Optional) Edit the Control Link (HA1). VM-Series Bundle 2 is an hourly pay-as-you-go (PAYG) Palo Alto Networks next-generation firewall. This is a repository for Azure Resoure Manager (ARM) templates to deploy VM-Series Next-Generation firewall from Palo Alto Networks in to the Azure public cloud. Add a secondary IP configuration to the untrust An idea of a date of arrival / roadmap? On the active and passive peers, add a dedicated the VM-Series plugin version 1.0.4 or later. an existing VM-Series firewall instance to PAN -OS 9.0. Add a NIC to the firewall from the Azure management The untrust interface of the firewall requires This secondary IP configuration on the trust interface On the other hand, the top reviewer of Palo Alto Networks VM-Series writes "An …