Nerdio Help Center

How do I use a Third-Party Firewall in Azure?


Applies to: Nerdio for Azure (NFA) Professional, Enterprise, and Core.

Refer to this KB article to determine if you are an NFA user.


By default, network security in Azure is accomplished through Network Security Groups (NSGs). NSGs contain security rules that allow or deny inbound network traffic to, or outbound network traffic from, Azure resources.

There are times when you might want to use a third-party firewall for a variety of reasons: familiarity with a certain firewall, centralized management, more features, and so on.

We will use a WatchGuard Firebox Cloud in this example.


Identify your Firebox Cloud Software Plan and License Type

When you create a Firebox Cloud VM in Azure, you select one of these two software plans.

Firebox Cloud (BYOL)

With the Bring Your Own License (BYOL) software plan, you purchase a Firebox Cloud license for a specified size: Small, Medium, Large, or Extra Large. The Firebox Cloud license defines the maximum number of Azure CPU cores that the Firebox Cloud VM can use.

When you create a Firebox Cloud (BYOL) VM, you select a License Type. To deploy your VM with appropriate resources, select the License Type that matches your Firebox Cloud license size.

Firebox Cloud (PAYG)

With the Pay As You Go (PAYG) software plan, you do not purchase a Firebox Cloud license. The PAYG option includes a 30-day free trial.

Create a Key Pair for SSH Authentication

Before you create a Firebox Cloud instance, you must generate an SSH-2 RSA public key / private key pair. You can use a tool such as PuTTYgen, or the ssh-keygen command on Linux, to generate the key pair.

  • Use the public key when you deploy your Firebox Cloud instance.
  • Use the private key for ssh connections to the Fireware command line interface (CLI) for your Firebox Cloud instance.

To use the PuTTYgen utility to generate an SSH-2 RSA key pair:

  1. Download and install the PuTTYgen utility available from www.putty.org.
  2. Start PuTTYgen.
  3. Click Generate.
  4. Move the mouse over the blank area to generate some randomness.
    PuTTYgen uses the mouse movements as input to generate the key pair.
    Screen shot of the PuTTY Key Generator
  5. To save the generated public key to a file, click Save public key.
  6. (Optional) Specify a passphrase to protect the private key file.
  7. To save the generated private key to a file, click Save private key.
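Before pasting the public key into Azure, it is worth checking its format. The SSH public key field in the Azure portal expects the one-line OpenSSH form ("ssh-rsa <base64> <comment>"), whereas PuTTYgen's Save public key button writes the RFC 4716 layout with BEGIN/END lines and header fields; the "Public key for pasting into OpenSSH authorized_keys file" box in PuTTYgen shows the one-line form directly. The script below is an added example, not code from Nerdio, WatchGuard or the PuTTY project: it normalises either layout to the OpenSSH line and checks that the blob is an SSH-2 RSA key, as this article requires. The key body in the sample is a constructed placeholder, not a usable key.

```shell
#!/usr/bin/env bash
# Added example, not Nerdio's, WatchGuard's or PuTTY's code: normalise a public
# key to the one-line OpenSSH form the Azure portal expects and confirm it is
# an SSH-2 RSA key. The sample key body below is a constructed placeholder.
set -eu

# Read an RFC 4716 or OpenSSH public key on stdin and print the OpenSSH line.
# Returns 1 if the key blob does not start with the ssh-rsa type tag.
to_openssh() {
  comment="firebox-cloud"   # default comment when the file carries none
  body=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ssh-rsa\ *)  printf '%s\n' "$line"; return 0 ;;   # already OpenSSH form
      ----*)       continue ;;                          # BEGIN/END markers
      Comment:*)   comment="${line#Comment:}"; comment="${comment# }"
                   comment="${comment#\"}"; comment="${comment%\"}"; continue ;;
      *:*)         continue ;;                          # other RFC 4716 headers
      *)           body="$body$line" ;;                 # base64, possibly folded
    esac
  done
  # "AAAAB3NzaC1yc2E" is the base64 encoding of the ssh-rsa type tag that
  # opens every RSA public key blob; anything else is not the key type
  # Firebox Cloud asks for.
  case "$body" in
    AAAAB3NzaC1yc2E*) printf 'ssh-rsa %s %s\n' "$body" "$comment" ;;
    *) echo "not an SSH-2 RSA public key" >&2; return 1 ;;
  esac
}

# Constructed RFC 4716 sample in the layout PuTTYgen's Save public key writes
# (placeholder body, not a usable key).
SAMPLE_RFC4716='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "firebox-admin"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLEKEYBODYONLYFORTESTINGTHISIS
NOTAREALKEY0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ==
---- END SSH2 PUBLIC KEY ----'

printf '%s\n' "$SAMPLE_RFC4716" | to_openssh
```

Run it as `to_openssh < firebox.pub` against the file PuTTYgen saved; the printed line is what goes into the SSH public key field. Keep the private key (the .ppk file, or the ssh-keygen private key) off shared storage: it is the only credential for the Fireware CLI.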

Deploy Firebox Cloud

To create the Firebox Cloud instance:

  1. Log on to the Azure portal with your Microsoft Azure account credentials.
  2. Click Create a Resource.
    The Azure Marketplace appears.
  3. In the Search text box, type Firebox Cloud.
  4. Select WatchGuard Firebox Cloud.
    The WatchGuard Firebox Cloud license options appear.
    Screen shot of the WatchGuard Firebox Cloud software plan selection page
  5. From the Select a software plan drop-down list, select WatchGuard Firebox Cloud (BYOL) or WatchGuard Firebox Cloud (PAYG).
  6. Click Create.
    The VM configuration steps appear.
  7. In the Basics step, specify basic information about your virtual machine.

Firebox Cloud VM Name

The name for the Firebox Cloud virtual machine in the Azure portal.

Subscription

The name of the Azure subscription where the virtual machine and resources are stored. This is the account that Microsoft bills for VM use and storage.

Resource group

A resource group is a collection of resources that share the same lifecycle, permissions, and policies. All objects, such as networks and interfaces, and data for the Firebox Cloud instance will be associated with the resource group you specify.

Location

The Azure region for this Firebox Cloud instance.

Nerdio Tip

Please Note: Microsoft Azure does not support deployment of a managed application to a resource group with existing resources. You must create a new resource group or use an empty resource group.

WatchGuard automatically creates the virtual network peering needed between the two resource groups. If you're using another firewall, you might have to create the proper peering between the two resource groups manually. For more information, see the article on virtual network peering.

 

  8. In the VM Size and Key Data step, specify virtual machine configuration details.

Firebox Cloud License Type and VM Size — for Firebox Cloud (BYOL)

For a BYOL license, select the Firebox Cloud License Type. This is the Firebox Cloud license you purchased from WatchGuard or a WatchGuard reseller. Select Small, Medium, Large or Extra Large. After you select the License Type, an appropriate VM size is selected by default. To select a different size, click Change size.

Azure VM Tier and VM Size — for Firebox Cloud (PAYG)

For a PAYG license, select the Azure VM tier for the virtual machine. Select Free Tier Eligible or Standard. After you select the VM tier, an appropriate VM size is selected by default. To select a different size, click Change size.

SSH public key

The public key for this Firebox. You can use a tool such as PuTTYgen, or the ssh-keygen command on Linux, to generate the key pair. You must use the private key associated with this public key to connect to the Firebox Cloud CLI.

Storage account

The name of the storage account to store boot diagnostic log files. The storage account you select must not be in another resource group in your subscription. Boot diagnostic log files contain information that can help WatchGuard support troubleshoot issues.

  9. In the Network step, specify required network configuration information.

Virtual network

The virtual network to use for this Firebox Cloud. Select the NerdioVnet virtual network.

Subnets

Choose DMZ for External (Public) and LAN for Trusted (Private) networks.

External Network Security Group

Select management only.

Public IP address

Select or create a public IP address to use for your Firebox Cloud external interface. For a new public IP address, specify a name, and select the SKU type (Basic or Standard). If you select a Basic SKU type, select the IP address assignment type, Dynamic or Static.

Domain name label

Specify the DNS label for the Firebox Cloud public IP address. It must be all lowercase letters and numbers.

Nerdio Tip

Inbound connections to a public IP address with the Standard SKU type fail until you create and associate a network security group and explicitly allow the desired inbound traffic. For more information, see the article IP address types and allocation methods in Azure in the Microsoft Azure documentation.

 

  10. In the Summary step, review the information, and correct any errors.
  11. In the Buy step, review the terms and conditions and click Create.
    The deployment starts.

After the deployment is completed, you can go to the resource group or pin the VM to the Microsoft Azure dashboard.

Find the Instance ID (VM ID)

After you deploy your Firebox Cloud instance, you must find the Instance ID, also known as the VM ID. You will need this to activate your license, and to log in to the Fireware Web UI to run the Firebox Cloud Setup Wizard. You can find the instance ID in the name of the storage container for boot diagnostic logs.

To find the Firebox Cloud Instance ID:

  1. In the Azure left navigation menu, select Storage accounts.
  2. Click the name of the storage account associated with your Firebox Cloud instance.
  3. In the Blob Service list, select Containers.
  4. Find the boot diagnostic container. The name of the boot diagnostic container is in the format:
    bootdiagnostics-<vmname>-<vmid>
    For example:
    bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d
  5. Copy the VM ID at the end of the container name.

You must have this instance ID to activate your Firebox Cloud license and to run the Firebox Cloud Setup Wizard.
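The following added example (not Nerdio's or WatchGuard's code) does the same lookup from a shell: it lists the bootdiagnostics containers in a storage account with the Azure CLI and pulls the VM ID out of a container name. The VM ID is matched as the trailing UUID rather than by counting hyphens, so a VM name that itself contains hyphens still parses correctly. The storage account name is a placeholder, and the second and third sample container names are constructed.

```shell
#!/usr/bin/env bash
# Added example, not Nerdio's or WatchGuard's code: recover the Instance ID
# (VM ID) and the VM name from a boot diagnostics container name of the form
# bootdiagnostics-<vmname>-<vmid>. The VM ID is the trailing UUID
# (8-4-4-4-12 hex characters), so matching it from the end keeps the parse
# correct even when the VM name contains hyphens.
set -eu

# List the boot diagnostics containers in a storage account. Needs an
# `az login` session; not called by the offline demo below.
list_boot_diag_containers() {
  az storage container list --account-name "$1" --auth-mode login \
    --query "[?starts_with(name, 'bootdiagnostics-')].name" --output tsv
}

# Print the VM ID; fail if the name has the wrong prefix or no trailing UUID.
vm_id_from_container() {
  case "$1" in
    bootdiagnostics-*) ;;
    *) echo "not a boot diagnostics container: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eio '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# Print the VM name: strip the fixed prefix and the trailing -<vmid>.
vm_name_from_container() {
  id=$(vm_id_from_container "$1") || return 1
  rest="${1#bootdiagnostics-}"
  printf '%s\n' "${rest%-$id}"
}

# First name is the article's example; the other two are constructed
# (a hyphenated VM name, and a container with no UUID at all).
SAMPLES="bootdiagnostics-fbcloud-11111111-2222-3333-4444-f86331913a6d
bootdiagnostics-fb-cloud-01-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
bootdiagnostics-fbcloud-notauuid"

for c in $SAMPLES; do
  if id=$(vm_id_from_container "$c" 2>/dev/null); then
    printf 'container=%s vm=%s id=%s\n' "$c" "$(vm_name_from_container "$c")" "$id"
  else
    printf 'container=%s: no VM ID found\n' "$c"
  fi
done
```

Keep in mind that this value doubles as the initial admin passphrase for the Firebox Cloud Setup Wizard, so anyone who can read the storage account's container names can read it; run the wizard and set new passphrases as soon as the deployment completes.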

Activate your Firebox Cloud License

For Firebox Cloud with a BYOL license, you must activate the Firebox Cloud serial number in the WatchGuard portal. Before you can activate Firebox Cloud, you must have the Firebox Cloud serial number you received from WatchGuard and you must know the Firebox Cloud Instance ID.

To activate your Firebox Cloud license:

  1. Go to www.watchguard.com.
  2. Click Support.
  3. Click Activate Products.
  4. Log in to your WatchGuard Customer or Partner portal account. If you do not have an account, you can create one.
  5. If necessary, navigate to the Support Center and select My WatchGuard > Activate Product.
  6. When prompted, provide your Firebox Cloud serial number and Instance ID.
  7. When activation is complete, copy the feature key and save it to a local file.

Run the Firebox Cloud Setup Wizard

After you deploy Firebox Cloud, you can connect to Fireware Web UI through the public IP address to run the Firebox Cloud Setup Wizard. You use the wizard to set the administrative passphrases for Firebox Cloud.

To run the Firebox Cloud Setup Wizard:

  1. Connect to Fireware Web UI for your Firebox Cloud with the public IP address:
    https://<eth0_public_IP>:8080
    To find the public IP address of your Firebox Cloud Instance:
    1. In the Azure left navigation menu, select Resource groups.
    2. Click the name of the resource group associated with your Firebox Cloud instance.
    3. Click the WatchGuard virtual machine associated.
    4. Click Networking.
    5. Copy the NIC Public IP.

  2. Log in with the default Administrator account user name and passphrase:
    • User name — admin
    • Passphrase — The Firebox Cloud Instance ID

    The Firebox Cloud Setup Wizard welcome page appears.

  3. Click Next.
    The setup wizard starts.
  4. Review and accept the End-User License Agreement. Click Next.

Screen shot of the Create passphrases step in the Web Setup Wizard

  5. Specify new passphrases for the built-in status and admin user accounts.
  6. Click Next.
    The configuration is saved to Firebox Cloud and the wizard is complete.

 

Connect to Fireware Web UI

To connect to Fireware Web UI and administer Firebox Cloud:

  1. Open a web browser and go to the public IP address for your instance of Firebox Cloud at:
    https://<eth0_public_IP>:8080
  2. Log in with the admin user account. Make sure to specify the passphrase you set in the Firebox Cloud Setup Wizard.

By default, Firebox Cloud allows more than one user with Device Administrator credentials to log in at the same time. To prevent changes by more than one administrator at the same time, the configuration is locked by default. To unlock the configuration so you can make changes, click the Locked icon.

If you prefer to allow only one Device Administrator to log in at the same time, select System > Global Settings and clear the Enable more than one Device Administrator to log in at the same time check box.

Nerdio Tip

Microsoft Azure automatically terminates your management connection to Firebox Cloud after 30 minutes of inactivity. To avoid unexpected disconnection of your management session, do not set the Management Session Idle Timeout in the Fireware Authentication > Settings page to a value higher than 30 minutes.

 

Add the Feature Key

If you have received or downloaded the Firebox Cloud feature key to a local file, in the Feature Key Wizard select Yes I have a local copy of the feature key and paste the feature key into the wizard.

If you activated a Firebox Cloud license in the WatchGuard portal, your feature key is available directly from WatchGuard. You must add this feature key to the Firebox Cloud configuration to enable all functionality and configuration options on Firebox Cloud.

Nerdio Tip

After you add the feature key, Firebox Cloud automatically reboots with a new serial number.

To add the feature key, from Fireware Web UI:

  1. Select System > Feature Key.
    The Feature Key Wizard page appears.

Screen shot of the Feature Key Wizard welcome page

  2. To unlock the configuration file, click the Locked icon.
  3. To download and install the feature key, click Next.
  4. On the Summary page, verify that your feature key was successfully installed.
    When your feature key has been installed, Feature Key Retrieval Success appears on the Summary page.

Screen shot of the Feature Key wizard Summary page

  5. Click Next.
    The wizard completes and Firebox Cloud reboots with a new serial number.

Configure Firewall Policies

Allow Azure External Traffic

  1. Select Firewall > Firewall Policies.
  2. Click Add Policy.
  3. From the Packet Filter drop-down list, select Any.
  4. Click Add Policy.
    The policy settings appear.
  5. In the Name text box, type a name to identify this policy.
    For example, type Allow Azure External Traffic.
  6. In the From list, select Any-External and click Remove.
  7. In the From list, click Add.
  8. Select Any-Trusted.


  9. Click OK.
  10. In the To list, select Any-Trusted and click Remove.
  11. In the To list, click Add.
  12. Select Any-External.
  13. Click OK.
  14. Click Save.

Allow DNS to SafeDNS

  1. Select Firewall > Firewall Policies.
  2. Click Add Policy.
  3. From the Packet Filter drop-down list, select DNS.
  4. Click Add Policy.
    The policy settings appear.
  5. In the Name text box, type a name to identify this policy.
    For example, type Allow DNS to SafeDNS.
  6. In the From list, select Any-External and click Remove.
  7. In the From list, click Add.
  8. Select Any.
  9. Click OK.
  10. In the To list, select Any-Trusted and click Remove.
  11. In the To list, click Add.
  12. From the Member Type drop-down list, select Network IPv4.


  13. In the text box, enter 195.46.39.0/24.
  14. Click OK.
    The Network IPv4 is added as the destination for the policy.
  15. Click Save.

Create Azure Route Table

  1. Log on to the Azure portal with your Microsoft Azure account credentials.
  2. Click Create a Resource.
  3. In the Search text box, type route table.
  4. Click Create.

Name

The name for the route table.

Subscription

The name of the Azure subscription where the virtual machine and resources are stored. This is the account that Microsoft bills for VM use and storage.

Resource group

Select the resource group that makes the most sense to you. We're using the same resource group that the WatchGuard appliance is installed in.

Location

Select the same location that your Nerdio environment is in.

Virtual network gateway route propagation

Enabled

  5. Click Create.

Configure Azure Route Table

  1. In the Search text box, type route table.
  2. Select Route tables under Services.
  3. Select the route table you just created.
  4. Click on Routes under Settings.
  5. Click on Add.


Route Name

to-Internet

Address prefix

0.0.0.0/0

Next hop type

Virtual appliance

Next hop address

Internal IP of the WatchGuard VM, 10.125.0.9 in our case.

Virtual network gateway route propagation

Enabled

  6. Click OK.

Assign Route Table to NerdioVnet LAN Subnet

  1. Click Resource Groups.
  2. Click the RG that your Nerdio environment is deployed to.
  3. Click NerdioVnet virtual network.
  4. Click Subnets.
  5. Click the LAN subnet.
  6. Select the newly created route table under Route Table.


Internet traffic will now route out from the WatchGuard Firebox Cloud appliance with the external IP address of the appliance.
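The same route table setup, expressed with the Azure CLI as an added example (not Nerdio's or WatchGuard's code). It uses the values from this article: a to-Internet route for 0.0.0.0/0 with next hop type Virtual appliance and next hop address 10.125.0.9, applied to the LAN subnet of NerdioVnet. The resource group, region, route table name and NIC name are placeholders; the script prints the commands by default (DRY_RUN=1) and executes them when DRY_RUN=0 and you are signed in with az login.

```shell
#!/usr/bin/env bash
# Added example, not Nerdio's or WatchGuard's code: the route table procedure
# as Azure CLI commands, plus an effective-route check. Resource group,
# region, route table name and NIC name are placeholders.
set -eu

RG="${RG:-rg-nerdio-placeholder}"               # placeholder resource group
LOCATION="${LOCATION:-eastus}"                  # placeholder; use your Nerdio region
ROUTE_TABLE="${ROUTE_TABLE:-rt-firebox-egress}" # assumed route table name
FIREBOX_LAN_IP="${FIREBOX_LAN_IP:-10.125.0.9}"  # Firebox trusted interface IP from the article
VNET="NerdioVnet"
SUBNET="LAN"
LAN_NIC="${LAN_NIC:-nic-placeholder}"           # a NIC in the LAN subnet, for verification
DRY_RUN="${DRY_RUN:-1}"                         # 1 prints commands; 0 executes them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Reject a malformed next hop before publishing a default route to it.
valid_ipv4() {
  old_ifs="$IFS"; IFS=.
  set -- $1
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for oct in "$@"; do
    case "$oct" in ''|*[!0-9]*) return 1 ;; esac
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# "Virtual network gateway route propagation: Enabled" is the default, i.e.
# BGP route propagation is not disabled.
create_route_table() {
  run az network route-table create \
    --name "$ROUTE_TABLE" --resource-group "$RG" --location "$LOCATION" \
    --disable-bgp-route-propagation false
}

# The to-Internet route: all traffic to the Firebox trusted interface.
add_default_route() {
  valid_ipv4 "$FIREBOX_LAN_IP" || { echo "invalid next hop: $FIREBOX_LAN_IP" >&2; return 1; }
  run az network route-table route create \
    --name to-Internet --route-table-name "$ROUTE_TABLE" --resource-group "$RG" \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$FIREBOX_LAN_IP"
}

# Associate the table with the LAN subnet only (not the DMZ subnet).
assign_to_lan_subnet() {
  run az network vnet subnet update \
    --name "$SUBNET" --vnet-name "$VNET" --resource-group "$RG" \
    --route-table "$ROUTE_TABLE"
}

# Effective routes are reported only for a NIC attached to a running VM.
show_effective_routes() {
  run az network nic show-effective-route-table \
    --name "$LAN_NIC" --resource-group "$RG" --output table
}

create_route_table
add_default_route
assign_to_lan_subnet
show_effective_routes
```

Associate the table with the LAN subnet only: the DMZ subnet holding the Firebox external interface must keep Azure's default Internet route, otherwise the appliance's own egress would be sent back to itself. The route only steers traffic; what is actually allowed out is decided by the Firebox policies configured earlier, so the Any packet filter in Allow Azure External Traffic is where egress gets tightened. The effective-route listing is the quickest confirmation that 0.0.0.0/0 now resolves to the virtual appliance.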
