Palo Alto Panorama deployment example
This example deploys one or more VPC networks and subnetworks, along with one or more Panorama instances, in a single project and region in Google Cloud. Panorama is deployed in management-only mode (without additional logging disks). For options on adding logging disks, refer to the panorama module documentation.
Topology
The topology consists of:
- A VPC network and a subnetwork
- A panorama instance with a Public IP address attached to the created vpc network and subnetwork
- Firewall rules that allow access to the panorama management interface
Prerequisites
- Prepare panorama license
- Configure the terraform google provider
Build
- Access Google Cloud Shell or any other environment which has access to your GCP project
- Clone the repository and fill out any modifications to the tfvars file (example.tfvars - at least project, ssh_keys and source_ranges should be filled in for successful deployment and access to the instance after deployment)
git clone https://github.com/PaloAltoNetworks/terraform-google-swfw-modules
cd terraform-google-swfw-modules/examples/panorama
- Apply the terraform code
terraform init
terraform apply -var-file=example.tfvars
- Check the output plan and confirm the apply
- Check the successful application and outputs of the resulting infrastructure:
Apply complete! Resources: 8 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars)
Outputs:
panorama_private_ips = {
"panorama-01" = "172.21.21.2"
}
panorama_public_ips = {
"panorama-01" = "x.x.x.x"
}
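As a pre-apply check for the step "Check the output plan and confirm the apply", the following added example (not part of the repository) audits a plan saved with `terraform plan -var-file=example.tfvars -out=tfplan` and exported with `terraform show -json tfplan`. It flags planned ingress firewall rules that are broader than the SSH and HTTPS access used in the Post build steps. The function names, the /24 threshold and the sample resource addresses are assumptions of this example.

```python
import ipaddress
import json

def audit_mgmt_firewall(plan_json, mgmt_ports=("22", "443"), min_prefix_v4=24):
    """Return (address, finding) pairs for planned ingress rules that are too broad."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") != "google_compute_firewall" or not after:
            continue  # other resource types, or a delete (after is null)
        if after.get("direction") == "EGRESS":
            continue  # direction may be unknown at plan time; treat that as ingress
        for cidr in after.get("source_ranges") or []:
            net = ipaddress.ip_network(cidr, strict=False)
            # Assumed policy: no default route, and IPv4 ranges no wider than /24.
            if net.prefixlen == 0 or (net.version == 4 and net.prefixlen < min_prefix_v4):
                findings.append((rc["address"], f"broad source range {cidr}"))
        for allow in after.get("allow") or []:
            ports = allow.get("ports") or []
            if allow.get("protocol") == "all":
                findings.append((rc["address"], "allows all protocols"))
            elif not ports or any(p not in mgmt_ports for p in ports):
                findings.append((rc["address"], f"ports beyond {'/'.join(mgmt_ports)}"))
    return findings

def sample_rule(name, ranges, protocol, ports):
    # Builds one constructed plan entry; the resource addresses are made up.
    return {"address": f"google_compute_firewall.{name}",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"],
                       "after": {"name": name, "direction": "INGRESS",
                                 "source_ranges": ranges,
                                 "allow": [{"protocol": protocol, "ports": ports}]}}}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    # Same values as the firewall rule in the README's `networks` example.
    sample_rule("readme_values", ["1.1.1.1/32", "2.2.2.2/32"], "all", []),
    sample_rule("open_to_world", ["0.0.0.0/0"], "tcp", ["22", "443"]),
    sample_rule("tightened", ["1.1.1.1/32"], "tcp", ["22", "443"]),
]})

if __name__ == "__main__":
    for address, finding in audit_mgmt_firewall(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

An empty result means every planned ingress rule is limited to the expected management ports and to narrow source ranges.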
Post build
Connect to the panorama instance(s) via SSH using your associated private key and set a password:
ssh admin@x.x.x.x -i /PATH/TO/YOUR/KEY/id_rsa
Welcome admin.
admin@Panorama> configure
Entering configuration mode
[edit]
admin@Panorama# set mgt-config users admin password
Enter password :
Confirm password :
[edit]
admin@Panorama# commit
Configuration committed successfully
Check access via web UI
Use a web browser to access https://x.x.x.x and log in with admin and your previously configured password
Reference
Requirements
Name | Version |
---|---|
terraform | >= 1.3, < 2.0 |
Providers
No providers.
Modules
Name | Source | Version |
---|---|---|
panorama | ../../modules/panorama | n/a |
vpc | ../../modules/vpc | n/a |
Resources
No resources.
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
name_prefix | A string to prefix resource namings | string | "" | no |
networks | A map containing each network setting. Example of variable deployment: networks = { "panorama-vpc" = { vpc_name = "firewall-vpc" create_network = true delete_default_routes_on_create = "false" mtu = "1460" routing_mode = "REGIONAL" subnetworks = { "panorama-sub" = { name = "panorama-subnet" create_subnetwork = true ip_cidr_range = "172.21.21.0/24" region = "us-central1" } } firewall_rules = { "allow-panorama-ingress" = { name = "panorama-mgmt" source_ranges = ["1.1.1.1/32", "2.2.2.2/32"] priority = "1000" allowed_protocol = "all" allowed_ports = [] } } } For a full list of available configuration items, refer to the module documentation. Multiple keys can be added and will be deployed by the code. | any | n/a | yes |
panoramas | A map containing each panorama setting. Example of variable deployment: panoramas = { "panorama-01" = { panorama_name = "panorama-01" panorama_vpc = "panorama-vpc" panorama_subnet = "panorama-subnet" panorama_version = "panorama-byol-1000" ssh_keys = "admin:PUBLIC-KEY" attach_public_ip = true private_static_ip = "172.21.21.2" } } For a full list of available configuration items, refer to the module documentation. Multiple keys can be added and will be deployed by the code. | any | n/a | yes |
project | The project name to deploy the infrastructure into. | string | null | no |
region | The region to deploy the infrastructure into. | string | "us-central1" | no |
Outputs
Name | Description |
---|---|
panorama_private_ips | Private IP address of the Panorama instance. |
panorama_public_ips | Public IP address of the Panorama instance. |