This example deploys a PAN device as a standalone GCE instance with a Management network, an Untrust network, a Trust network for web traffic and a Trust network for DB traffic. Terraform creates the GCS bucket used for bootstrapping and populates the required folders with content; in this sample the content is mapped to a static ./assets directory.
- Terraform v0.12+
Name | Description | Default |
---|---|---|
gcp_project_id | Target GCP Project ID | None |
gcp_credentials | Path to the GCP Service Account json key file | None |
zone | GCP Zone to deploy into | us-central1-a |
region | GCP Region to deploy into | us-central1 |
bootstrap_bucket | Name to use for the bootstrap bucket | None |
bootstrap_bucket_admin | Email of the GCS Bucket Admin | None |
bootstrap_folders | These folders are required to bootstrap PAN devices, do not change | ["config/", "software/", "license/", "content/"] |
pan_fw_image | URL to PAN Image to use or name of image if published to GCR for the project identified in gcp_project_id | None |
management_ip | Management IP for the device interface | None |
untrust_ip | Untrust IP for the device interface | None |
trust_ip_web | Trust IP for the device interface for web traffic | None |
trust_ip_db | Trust IP for the device interface for DB traffic | None |
pan_int_0_name | Interface name for the Management interface | None |
pan_int_1_name | Interface name for the Untrust interface | None |
pan_int_0_name | Interface name for the Trust interface for web traffic | None |
pan_int_0_name | Interface name for the Trust interface for DB traffic | None |
pan_machine_type | Machine type for PAN Devices | n1-standard-4 |
pan_cpu | CPU for the PAN Device | Intel Skylake |
pan_scopes | API Scopes for the PAN Device | "cloud.useraccounts.readonly", "devstorage.read_only", "logging.write", "monitoring.write" |
Given the variable nature of PAN configurations, it is recommended to bootstrap with a minimal acceptable bootstrap.xml placed in the /config bootstrap folder and to apply the working policy once bootstrapping completes. The included bootstrap.xml applies a configuration for a 3-tier web app consisting of a Web network (trust), a DB network (trust), a Management network and an Untrust network. An alternative to a static bootstrap file is to render it from a Jinja template and populate the variables accordingly.
Login configured in this bootstrap.xml file: paloalto / Pal0Alt0@123. Do not use this in production.
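As an added example (not the repository's own code), the core of such a deployment in HCL: the bootstrap bucket with its four folder objects and the bootstrap.xml upload, then the firewall instance that receives the bucket name through the `vmseries-bootstrap-gce-storagebucket` metadata key and gets one NIC per network in the order the firewall expects. It assumes `var.mgmt_subnet`, `var.untrust_subnet`, `var.web_subnet` and `var.db_subnet` hold the self_links of existing subnetworks; the other variables are those in the table above.

```hcl
resource "google_storage_bucket" "bootstrap" {
  name                        = var.bootstrap_bucket
  location                    = var.region
  uniform_bucket_level_access = true # IAM only, no per-object ACLs
}
# The firewall expects all four folders even when some stay empty
resource "google_storage_bucket_object" "folders" {
  for_each = toset(var.bootstrap_folders)
  name     = each.value
  bucket   = google_storage_bucket.bootstrap.name
  content  = " " # GCS has no directories; a placeholder object stands in
}
resource "google_storage_bucket_object" "bootstrap_xml" {
  name   = "config/bootstrap.xml"
  bucket = google_storage_bucket.bootstrap.name
  source = "${path.module}/assets/config/bootstrap.xml"
}
resource "google_compute_instance" "pan_fw" {
  name             = "pan-fw"
  zone             = var.zone
  machine_type     = var.pan_machine_type
  min_cpu_platform = var.pan_cpu
  can_ip_forward   = true # the firewall forwards between its interfaces
  boot_disk {
    initialize_params { image = var.pan_fw_image }
  }
  metadata = {
    # read by the VM-Series bootstrap agent at first boot
    vmseries-bootstrap-gce-storagebucket = google_storage_bucket.bootstrap.name
  }
  # NIC order matters: eth0 = management, eth1 = untrust, then the trust NICs.
  # var.*_subnet are assumed inputs (subnetwork self_links) not in the table.
  network_interface {
    subnetwork = var.mgmt_subnet
    network_ip = var.management_ip
    access_config {} # public IP; restrict reachability with a firewall rule
  }
  network_interface {
    subnetwork = var.untrust_subnet
    network_ip = var.untrust_ip
    access_config {}
  }
  network_interface {
    subnetwork = var.web_subnet
    network_ip = var.trust_ip_web
  }
  network_interface {
    subnetwork = var.db_subnet
    network_ip = var.trust_ip_db
  }
  service_account { scopes = var.pan_scopes }
}
```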
- Set up terraform.tfvars with appropriate values for your project
- Run `terraform init`
- Run `terraform apply`
The device can take a few minutes to boot and be available on the public IP assigned.
Note: it is assumed you already have a GCP project and Service Account created.
Final note: there is no authcode file included. This demo will bring the device online, but it will not pass traffic until a valid license has been applied.