This example showcases deploying a PAN device as a standalone GCE Intance with a Management network, an Untrust network, a trust network for web traffic and a trust network for DB traffic. Terraform handles creating the GCS bucket used for bootstrapping and populates the respective directories with content. In this sample the content is mapped to a static ./assets directory.
- TF v0.12+
| Name | Description | Default |
|---|---|---|
| gcp_project_id | Target GCP Project ID | None |
| gcp_credentials | Path to the GCP Service Account json key file | None |
| zone | GCP Zone to deploy into ref | us-central1-a |
| region | GCP Region to deploy into ref | us-central1 |
| bootstrap_bucket | Name to use for the bootstrap bucket | None |
| bootstrap_bucket_admin | Email of the GCS Bucket Admin | None |
| bootstrap_folders | These folders are required to bootstrap PAN devices, do not change | ["config/", "software/", "license/", "content/"] |
| pan_fw_image | URL to PAN Image to use or name of image if published to GCR for the project identified in gcp_project_id | None |
| management_ip | Management IP for the device interface | None |
| untrust_ip | Untrust IP for the device interface | None |
| trust_ip_web | Trust IP for the device interface for web traffic | None |
| trust_ip_db | Trust IP for the device interface for DB traffic | None |
| pan_int_0_name | Interface name for the Management interface | None |
| pan_int_1_name | Interface name for the Untrust interface | None |
| pan_int_0_name | Interface name for the Trust interface | None |
| pan_int_0_name | Interface name for the Management interface | None |
| pan_machine_type | Machine type for PAN Devices | n1-standard-4 |
| pan_cpu | CPU for the PAN Device | Intel Skylake |
| pan_scopes | API Scopes for the PAN Device | "cloud.useraccounts.readonly", "devstorage.read_only", "logging.write", "monitoring.write" |
Given the variable nature of the PAN configurations, it is recommended to leverage a minimum acceptable config for bootstrap.xml populated into the /config bootstrap folder and apply the working policy upon completion of bootstrapping. The included boostrap.xml will apply a configuration for a 3 tier web app consisting of a Web network (trust), DB network (trust), Management network and an Untrust network. An alternate approach to a static bootstrap file would be to leverage jinja templates and populate variables accordingly.
Login configured in this bootstrap.xml file: paloalto / Pal0Alt0@123 . Do not use this for production
- Set up terraform.tfvars with appropriate values for your project
terraform initterraform apply
The device can take a few minutes to boot and be available on the public IP assigned.
Note: it is assumed you already have a GCP project and Service Account created.
Final note: there is no authcode file included. This demo will bring the device online, but it will not pass traffic until a valid license has been applied.