
Palo Alto Panorama deployment example

The scope of this code is to deploy one or more VPC networks and subnetworks along with one or more Panorama instances in a single project and region in Google Cloud. The example deploys Panorama in management-only mode (without additional logging disks). For options on how to add logging disks, please refer to the panorama module documentation.


Topology

The topology consists of:

  • A VPC network and a subnetwork
  • A Panorama instance with a public IP address, attached to the created VPC network and subnetwork
  • Firewall rules that allow access to the Panorama management interface

Figure: panorama-topology (diagram of the VPC, subnetwork, Panorama instance and firewall rules described above)

Prerequisites

  1. Prepare a Panorama license

  2. Configure the Terraform Google provider

Build

  1. Access Google Cloud Shell or any other environment which has access to your GCP project

  2. Clone the repository and make any needed modifications to the tfvars file (example.tfvars); at least project, ssh_keys and source_ranges must be filled in for a successful deployment and for access to the instance afterwards

git clone https://github.com/PaloAltoNetworks/terraform-google-swfw-modules
cd terraform-google-swfw-modules/examples/panorama

  3. Apply the Terraform code

terraform init
terraform apply -var-file=example.tfvars

  4. Check the output plan and confirm the apply

  5. Check the successful application and the outputs of the resulting infrastructure:

Apply complete! Resources: 8 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars)

Outputs:

panorama_private_ips = {
"panorama-01" = "172.21.21.2"
}
panorama_public_ips = {
"panorama-01" = "x.x.x.x"
}
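A filled-in example.tfvars for step 2, as an added example rather than the repository's own file. It uses the input names documented in the Reference section below, but every concrete value (project ID, source range, SSH public key) is a constructed placeholder to replace. Because the management interface sits behind a public IP, the firewall rule is narrowed to TCP 22 and 443 from a single operator address instead of `allowed_protocol = "all"`; this assumes the vpc module accepts `allowed_protocol = "tcp"` together with a list in `allowed_ports`.

```hcl
# example.tfvars (constructed example; not the repository's shipped file)

project     = "my-gcp-project-id"   # assumption: replace with your GCP project ID
region      = "us-central1"
name_prefix = "example-"

networks = {
  "panorama-vpc" = {
    vpc_name                        = "panorama-vpc"
    create_network                  = true
    delete_default_routes_on_create = "false"
    mtu                             = "1460"
    routing_mode                    = "REGIONAL"
    subnetworks = {
      "panorama-sub" = {
        name              = "panorama-subnet"
        create_subnetwork = true
        ip_cidr_range     = "172.21.21.0/24"
        region            = "us-central1"
      }
    }
    firewall_rules = {
      "allow-panorama-ingress" = {
        name = "panorama-mgmt"
        # Only the operator's egress address(es), never 0.0.0.0/0: this rule
        # fronts the Panorama management plane on a public IP.
        # 203.0.113.10 is a constructed RFC 5737 documentation address.
        source_ranges    = ["203.0.113.10/32"]
        priority         = "1000"
        # SSH and HTTPS only, rather than allowed_protocol = "all".
        allowed_protocol = "tcp"
        allowed_ports    = ["22", "443"]
      }
    }
  }
}

panoramas = {
  "panorama-01" = {
    panorama_name     = "panorama-01"
    panorama_vpc      = "panorama-vpc"
    panorama_subnet   = "panorama-subnet"
    panorama_version  = "panorama-byol-1000"
    # Format is "<user>:<public key>"; the key below is a placeholder.
    ssh_keys          = "admin:ssh-ed25519 AAAA...PLACEHOLDER admin@workstation"
    attach_public_ip  = true
    private_static_ip = "172.21.21.2"
  }
}
```

Run `terraform plan -var-file=example.tfvars` and confirm in the plan that the `panorama-mgmt` firewall rule lists only your intended source range and ports before applying.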

Post build

Connect to the Panorama instance(s) via SSH using your associated private key and set a password:

ssh admin@x.x.x.x -i /PATH/TO/YOUR/KEY/id_rsa
Welcome admin.
admin@Panorama> configure
Entering configuration mode
[edit]
admin@Panorama# set mgt-config users admin password
Enter password :
Confirm password :

[edit]
admin@Panorama# commit
Configuration committed successfully

Check access via web UI

Use a web browser to access https://x.x.x.x and log in with admin and the password you configured previously.

Reference

Requirements

Name       Version
terraform  >= 1.3, < 2.0

Providers

No providers.

Modules

Name      Source                  Version
panorama  ../../modules/panorama  n/a
vpc       ../../modules/vpc       n/a

Resources

No resources.

Inputs

name_prefix
  Description: A string to prefix resource names.
  Type: string
  Default: ""
  Required: no

networks
  Description: A map containing each network setting. Multiple keys can be added and will be deployed by the code. Example of variable deployment:

networks = {
  "panorama-vpc" = {
    vpc_name                        = "firewall-vpc"
    create_network                  = true
    delete_default_routes_on_create = "false"
    mtu                             = "1460"
    routing_mode                    = "REGIONAL"
    subnetworks = {
      "panorama-sub" = {
        name              = "panorama-subnet"
        create_subnetwork = true
        ip_cidr_range     = "172.21.21.0/24"
        region            = "us-central1"
      }
    }
    firewall_rules = {
      "allow-panorama-ingress" = {
        name             = "panorama-mgmt"
        source_ranges    = ["1.1.1.1/32", "2.2.2.2/32"]
        priority         = "1000"
        allowed_protocol = "all"
        allowed_ports    = []
      }
    }
  }
}

  For a full list of available configuration items, please refer to the module documentation.
  Type: any
  Default: n/a
  Required: yes

panoramas
  Description: A map containing each Panorama setting. Multiple keys can be added and will be deployed by the code. Example of variable deployment:

panoramas = {
  "panorama-01" = {
    panorama_name     = "panorama-01"
    panorama_vpc      = "panorama-vpc"
    panorama_subnet   = "panorama-subnet"
    panorama_version  = "panorama-byol-1000"
    ssh_keys          = "admin:PUBLIC-KEY"
    attach_public_ip  = true
    private_static_ip = "172.21.21.2"
  }
}

  For a full list of available configuration items, please refer to the module documentation.
  Type: any
  Default: n/a
  Required: yes

project
  Description: The project to deploy the infrastructure into.
  Type: string
  Default: null
  Required: no

region
  Description: The region to deploy the infrastructure into.
  Type: string
  Default: "us-central1"
  Required: no

Outputs

Name                  Description
panorama_private_ips  Private IP address of each Panorama instance, keyed by instance name.
panorama_public_ips   Public IP address of each Panorama instance, keyed by instance name.