Anyone using Global Protect Portal inside Azure for user VPN? If so, any issues?

I’ve been told, but cannot find anything written, that it is ill-advised to have users VPN to a Palo Alto VM-300 Global Protect Portal inside Azure. Does anyone have any experience or knowledge they can share?

Whoever told you that needs to look at Prisma Access. A silly statement for sure.

Why specifically would Azure be a problem? I run it on all kinds of simple hypervisors, KVM, VirtualBox, etc. As long as the platform can emulate an x86 machine, PAN-OS should be happy with it.

Did Palo tell you this because they want to sell you Prisma Access instead?

I am doing exactly that with a global footprint of users with no issues. I have never seen anything advised against it, and I can verify it works. I traffic steer using Azure Traffic Manager for DNS based on continent.

VM-300 in Azure here with Global Protect working fine and good performance.

Having a portal (or gateway) in public cloud is probably just as reliable as using a hardware gateway from a PAN-OS perspective.

From an ISP perspective, it’s likely multitudes more reliable than hosting on your premises or at a colocation facility.

I do this for multiple environments with zero issues.

Also - think about migrating that VM-300 license to Software NGFW credits. I think you will be forced to after July of 2024 anyway.

Yeah … need more info here … I had Palos doing GP portal and gateway and IPsec termination and firewalling for my VNets … So unless there is a really niche thing you are doing I’m gonna say don’t talk to that person again …

There are HA limitations, bandwidth limitations (same for all VM series), traffic routing/cost considerations (do you want all your traffic routing through Azure?), but if you understand all that you’re probably fine. Plenty of people do it.

Been using this setup for about 2 years. Roughly 70 concurrent users. No troubles at all. Load balancer sandwich (trust and untrust) for an additional VM-100 to be added if necessary.

Yes, we’re very happy with it.

I have 2 PA-VMs active/active in Azure at the moment. Troubleshooting performance issues right now. Compared to the on-prem gateway, where speed tests show 90% of the ISP link in testing, the Azure gateways are currently only getting 50 Mbps.

I’m still investigating.

This works fine - generally. Depending on the type of NAT (if any) used to expose the portal/gateway, fragmentation may be problematic. A workaround for this might be to use the firewall-side config to tell the client to use a GP tunnel MTU of 1200-1300 or so. 1300 seems to work well in most implementations, but the best setting (the one that fixes issues for more users than it creates issues for) might take some trial and error.

Using accelerated networking and ensuring that bandwidth remains available for tunnel clients and their traffic, and again so long as there are no underlying dataplane constraints, I have not observed any performance issues in any such implementation to date.
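A diagnostic for the fragmentation point raised above, added here as example code and not anything posted in the thread or shipped by Palo Alto: it binary-searches the largest IP packet that reaches the portal/gateway address with the DF bit set, then subtracts an assumed tunnel encapsulation overhead to propose a GP tunnel MTU. The host name, the 100-byte overhead and the 1300 ceiling (mirroring the value the commenter reports) are assumptions, and the probe shells out to Linux `ping`.

```python
"""Probe the unfragmented path MTU toward a GlobalProtect portal/gateway
and derive a tunnel MTU from it. Example code, not PAN-OS or Azure tooling."""
import subprocess
import sys
from typing import Callable

ICMP_IP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int) -> bool:
    """Send one ICMP echo of `payload` bytes with DF set (Linux iputils ping).
    A reply means the whole packet crossed the path without fragmentation."""
    proc = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host],
        capture_output=True, text=True,
    )
    return proc.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP packet size in [lo, hi] the path accepts.
    `probe` receives an ICMP payload size and returns True when it got through;
    injecting a fake probe makes the search testable offline."""
    if not probe(lo - ICMP_IP_OVERHEAD):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    while lo < hi:
        mid = (lo + hi + 1) // 2          # bias upward so the loop terminates
        if probe(mid - ICMP_IP_OVERHEAD):
            lo = mid                      # mid fits; keep searching higher
        else:
            hi = mid - 1                  # mid was dropped; search lower
    return lo


def suggest_tunnel_mtu(path_mtu: int, encap_overhead: int = 100, ceiling: int = 1300) -> int:
    """Leave headroom for tunnel encapsulation (assumed 100 bytes, conservative)
    and never propose more than the ceiling the thread reports as safe."""
    suggested = min(ceiling, path_mtu - encap_overhead)
    if suggested < 576:
        raise ValueError(f"path MTU {path_mtu} leaves no room for a usable tunnel")
    return suggested


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "gp-portal.example.com"  # placeholder
    mtu = find_path_mtu(lambda payload: ping_df(target, payload))
    print(f"path MTU to {target}: {mtu}; suggested GP tunnel MTU: {suggest_tunnel_mtu(mtu)}")
```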

The certificate used for GP: how did you tie it to the firewall with an A/A external LB?

I think the problem you would have is that you can run only a single instance, and this setup isn’t supported by either Azure or Palo Alto. If you don’t expect it to be HA, then it shouldn’t be a real problem.

Echo what /u/projectself said - we are doing the exact same thing. Today is a light day (being vacation week) - we only have about 3,000 (total) users connected.

I’ve done it to lab some authentication stuff and it worked, but I haven’t put any pressure on it.

If you’re going the Cloud route then a better architecture would be Prisma Access with a service VPN, either back to on-prem or to Azure whichever is best for your environment.

No major issues with our deployment so far.

I’m currently hosting a GlobalProtect portal, external, and internal gateway on our VM-300 HA pair (active/passive). Currently POCing it with ~400 daily concurrent users spread across the NA region using an always-on config.

As others have mentioned, there will be additional costs due to bandwidth use, and the HA failover time can range from 5 - 15 minutes. The biggest issues I ran across were a memory leak caused by the User-ID service, which seems to have resolved itself on 10.2.5, and, if using Azure SAML, the TCP timeout had to be increased.

How did you set the PA VM interface … have you set it to DHCP? If I leave it on DHCP, my GP GW runs fine; as soon as I turn the interface to static, the connection to the GP GW is intermittent.

It’s not available anymore as a VM series, but the credits to get 8 interfaces, 28 GB of RAM and 8 processors come to 189 credits per VM.