DEPLOYMENT GUIDE FOR PANORAMA ON AZURE RELEASE 1 FEBRUARY 2019



Table of Contents

Preface  1
  Guide Types  1
  Document Conventions  1
Purpose of This Guide  2
  Objectives  2
  Audience  3
  Related Documentation  3
Deployment Overview  4
  Deployment Considerations  4
Design Model  5
  Managing Cloud Deployments with Panorama  5
  Firewall Log Collection  5
  Panorama Device Administration  8
  Panorama Operational Considerations  10
Assumptions and Prerequisites  11
Deployment Details for Panorama  12
  Creating and Configuring Azure Common Resources  13
  Deploying Panorama on Azure  25
Deployment Details for VM-Series  44
  Preparing VM-Series Firewall Configurations Using Panorama  44
  Managing VM-Series with Panorama  49
What’s New in This Release  55

Preface

GUIDE TYPES

Overview guides provide high-level introductions to technologies or concepts.

Reference architecture guides provide an architectural overview for using Palo Alto Networks® technologies to provide visibility, control, and protection to applications built in a specific environment. These guides are required reading prior to using their companion deployment guides.

Deployment guides provide decision criteria for deployment scenarios, as well as procedures for combining Palo Alto Networks technologies with third-party technologies in an integrated design.

DOCUMENT CONVENTIONS

Notes provide additional information.

Cautions warn about possible data loss, hardware damage, or compromise of security.

Blue text indicates a configuration variable for which you need to substitute the correct value for your environment.

In the IP box, enter 10.5.0.4/24, and then click OK.

Bold text denotes:

• Command-line commands;

# show device-group branch-offices

• User-interface elements.

In the Interface Type list, choose Layer 3.

• Navigational paths.

Navigate to Network > Virtual Routers.

• A value to be entered.

Enter the password admin.

Italic text denotes the introduction of important terminology.

An external dynamic list is a file hosted on an external web server so that the firewall can import objects.

Highlighted text denotes emphasis.

Total valid entries: 755

Purpose of This Guide

This guide provides reference architectures for deploying Palo Alto Networks® Panorama™ centralized management system for the Palo Alto Networks family of next-generation firewalls on the Microsoft Azure public cloud.

This guide:

• Provides architectural guidance and deployment details for using a Palo Alto Networks Panorama management system, deployed on Microsoft Azure, to provide a single location from which you can create network configurations and security policies that enable visibility, control, and protection to your applications built in an Azure public cloud.

• Requires that you first read the Reference Architecture Guide for Azure. The reference architecture guide provides design insight and guidance necessary for your organization to plan linkage of pertinent features with the next-generation firewall in a scalable and highly available design, and then how to manage the environment with Panorama.

• Provides decision criteria for deployment scenarios, as well as procedures for programming features of the Azure compute and network resources and the Palo Alto Networks Panorama centralized management system in order to achieve an integrated design.

• Provides deployment details for programming advanced features and onboarding firewalls to the Panorama management system.

OBJECTIVES

After completing the procedures in this guide, you will have deployed a Palo Alto Networks Panorama management system in the Azure environment and enabled the following functionality:

• Centralized management point for the firewalls on the Azure public cloud, and if desired, managing firewalls in other parts of your organization’s network.

• Device group to enable consistent features and functionality on the managed firewalls.

• Network and device templates to enable consistent features and functionality on the managed firewalls.

• Resilient design with primary and secondary Panorama systems each deployed in an Azure availability set.

• Centralized logging with Logging Service, which also enables cloud-delivered security analytics.

• An automation platform that can scale to configure and monitor thousands of Palo Alto Networks next-generation firewalls.


AUDIENCE

This guide is written for technical readers, including system architects and design engineers, who want to deploy the Palo Alto Networks Panorama centralized management system within a public cloud datacenter infrastructure. It assumes the reader is familiar with the basic concepts of applications, networking, virtualization, security, and high availability, as well as a basic understanding of network architectures.

RELATED DOCUMENTATION

The following documents support this guide:

• Palo Alto Networks Security Operating Platform Overview—Introduces the various components of the Security Operating Platform and describes the roles they can serve in various designs

• Reference Architecture Guide for Azure—Presents a detailed discussion of the available design considerations and options for the next-generation VM-Series firewall on Microsoft Azure.

• Deployment Guide for Azure—Single VNet Design Model (Common Firewall Option)—Details deployment scenarios and step-by-step guidance for the common firewall option of the single virtual network (VNet) design model on Azure.

• Deployment Guide for Azure—Single VNet Design Model (Dedicated Inbound Option)—Details deployment scenarios and step-by-step guidance for the dedicated inbound option of the single VNet design model on Azure.

The following document uses this guide as a prerequisite:

• Deployment Guide for Azure—Transit VNet Design Model—Details deployment scenarios and step-by-step guidance for the transit VNet design model on Azure.

If you are unable to access the URL for the guides listed above, please ask your account team to assist you.

Deployment Overview

The Reference Architecture Guide for Azure describes Azure concepts that provide a cloud-based infrastructure as a service and how the Palo Alto Networks VM-Series firewalls can complement and enhance the security of applications and workloads in the cloud. The design models presented in that guide provide visibility and control over traffic inbound to the applications in Azure, outbound to on-premises or internet services, and flows internal to Azure VNets.

To reduce the time required to manage multiple devices, maintain consistency of configurations, and deploy security policy changes rapidly, Palo Alto Networks Panorama central management is included in the design. Panorama enables you to manage all the key features of the Palo Alto Networks next-generation firewalls using a model that provides central oversight and local control. You can deploy Panorama as either a hardware appliance or a virtual appliance on-premises. You can also deploy it as a virtual appliance in the public cloud.

DEPLOYMENT CONSIDERATIONS

Before deploying Panorama, consider the following factors:

• Where to deploy the Panorama management system(s)—Many organizations have an existing on-premises Panorama system that is managing the firewalls in data centers and perhaps remote sites. They can use this Panorama system to manage the firewalls in the cloud, provided that there is a robust encrypted transport to the cloud firewalls. Panorama deployed in the cloud benefits from being inside of the provider’s robust network and reduces charges for data that needs to go to/from the cloud for managing the environment. Depending on size and scale projections, you may choose to deploy Panorama systems in both locations and interconnect the systems. This guide focuses on a cloud deployment of Panorama.

• Where to deploy logging—Transporting log data from a number of firewalls in the cloud can be an expensive operation due to the cost of transport. You can deploy dedicated logging inside of the cloud deployment even if the Panorama management nodes are not in the cloud. Alternatively, moving to the Palo Alto Networks Logging Service offers more than just a storage location option for your firewall logs; the services of the Palo Alto Networks Application Framework use the data lake created by Logging Service to provide visibility for a host of network forensics tools.

• Resilience and availability—What are the management requirements for availability? Panorama can be deployed as a single node or a high availability (HA) pair operating in a primary/secondary role to reduce downtime and data loss in the event of a failure. Panorama HA nodes can operate in different cloud data center availability zones for enhanced availability. This guide demonstrates a high availability deployment.

• System Access—IP access to the Panorama system is required to deploy and operate Panorama. You should use network tools like access control lists (ACLs) and security grouping to limit the IP addresses that can access Panorama management to those required by your organization. You can pare the application ports allowed to connect to Panorama to those required for central management operation.


Design Model

MANAGING CLOUD DEPLOYMENTS WITH PANORAMA

The best method for ensuring up-to-date firewall configuration is to use Panorama for central management of firewall policies. Panorama simplifies consistent policy configuration across multiple independent firewalls through its device group and template stack capabilities. When multiple firewalls are part of the same device group, they receive a common ruleset. Because Panorama enables you to control all of your firewalls—whether they are on-premises or in the public cloud, a physical appliance or virtual—device groups also provide configuration hierarchy. With device group hierarchy, lower-level groups include the policies of the higher-level groups. This allows you to configure consistent rulesets that apply to all firewalls, as well as consistent rulesets that apply to specific firewall deployment locations such as the public cloud.

You can deploy Panorama in your on-site data center or in a public cloud provider such as Azure. When deployed in your on-site data center, Panorama can manage all the physical appliances and VM-Series firewalls in your organization. If you want a dedicated instance of Panorama for the VM-Series firewalls inside of Azure, deploy Panorama on Azure. Three deployment modes are available for Panorama, which, if necessary, allow management and log collection to be separated.

• Panorama mode—Panorama controls both policy and log management functions for all the managed devices.

• Management-only mode—Panorama manages configurations for the managed devices but does not collect or manage logs.

• Log Collector mode—One or more Log Collectors collect and manage logs from the managed devices. This assumes that another deployment of Panorama is operating in management-only mode.

The separation of management and log collection enables the Panorama deployment to meet scalability, organizational, and geographical requirements. The choice of form factor and deployment mode gives you the maximum flexibility for managing Palo Alto Networks Next-Generation Firewalls in a distributed network.

FIREWALL LOG COLLECTION

Beyond management, your firewall log collection and retention need to be considered. Log collection, storage, and analysis is an important cybersecurity best practice that organizations perform to correlate potential threats and prevent successful cyber breaches.


On-Premises Panorama with Dedicated Log Collectors in the Cloud

Sending logging data back to the on-premises Panorama can be inefficient, costly, and pose data privacy and residency issues in some regions. An alternative to sending the logging data back to your on-premises Panorama is to deploy Panorama dedicated log collectors on Azure and use the on-premises Panorama for management. Deploying a dedicated Log Collector on Azure reduces the amount of logging data that leaves the cloud but still allows your on-site Panorama to manage the VM-Series firewalls in Azure and have full visibility to the logs as needed.

Figure 1 Panorama Log Collector mode in Azure (diagram labels: Management Virtual Network, VPN Gateway, Panorama in Log Collector mode, Panorama)

Panorama Management in Azure with Logging Service

There are two design options when deploying Panorama management on Azure. First, you can use Panorama for management only and use the Palo Alto Networks Logging Service to store the logs generated by the VM-Series firewalls. The Logging Service is a cloud-based log collector service that provides resilient storage and fast search capabilities for large amounts of logging data, and it emulates a traditional log collector. Logs are encrypted and then sent by the VM-Series firewalls to the Logging Service over TLS/SSL connections. The Logging Service lets you scale your log storage as your Azure deployment scales, because licensing is based on storage capacity and not the number of devices sending log data.

The benefit of using Logging Service goes well beyond scale and convenience when tied into the Palo Alto Networks Application Framework. Application Framework is a scalable ecosystem of security applications that can apply advanced analytics in concert with Palo Alto Networks enforcement points to prevent the most advanced attacks. Palo Alto Networks analytics applications such as Magnifier™ and AutoFocus™, as well as third-party analytics applications that you choose, use Logging Service as the primary data repository for all of Palo Alto Networks offerings.


Figure 2 Panorama management and the Logging Service (diagram labels: Management Virtual Network, Panorama in Management Only mode, Logging Service, Application Framework, 3rd Party)

Panorama Management and Log Collection in the Cloud

Second, you can use Panorama for both management and log collection. Panorama on Azure supports high-availability deployment if both virtual appliances are in the same availability set. You can deploy the management and log collection functionality as a shared virtual appliance or on dedicated virtual appliances. For smaller deployments, you can deploy Panorama and the Log Collector as a single virtual appliance. For larger deployments, a dedicated Log Collector per region allows traffic to stay within the region and reduces outbound data transfers.

Figure 3 Panorama management and Log Collection in Azure (diagram labels: Management Virtual Network, Panorama)

Panorama is available as a virtual appliance for deployment on Azure and supports Management Only mode, Panorama mode, and Log Collector mode with the system requirements defined in Table 1. Panorama on Azure is only available with a BYOL licensing model.


Table 1 Panorama Virtual Appliance on Azure

Mode | Minimum system requirements | Azure sizing
Log Collector | 16 CPUs, 32 GB memory, 2 TB to 24 TB log storage capacity | D5_V2 Standard, D32_V3
Management only | 4 CPUs, 8 GB memory, 81 GB system disk | D3_V2 Standard, D3 Standard
Panorama | 8 CPUs, 32 GB memory, 2 TB to 24 TB log storage capacity | D5_V2 Standard

PANORAMA DEVICE ADMINISTRATION

The time it takes to deploy changes across tens or hundreds of firewalls can be costly in the number of employees required, as well as in the delays projects experience while employees wait for the process to complete. In addition to time, errors increase when network and security engineers program changes firewall by firewall. Panorama provides a number of tools for centralized administration that can reduce time and errors in your firewall management operation.

Templates/Template Stacks

Panorama manages common device and network configuration through templates. You can use templates to manage configuration centrally and then push the changes to all managed firewalls. This approach avoids making the same individual firewall change repeatedly across many devices. Templates are grouped together within a template stack, and the stack is applied to selected firewalls.

You can define common building blocks for device and network configuration within a template. These building blocks are logically combined by adding them to a template stack. If there are no overlapping parameters, then the stack reflects the combination of all the individual templates. If there is overlap, then the settings from the highest priority template take precedence. You may override the template settings at the stack level. A local administrator may also perform overrides directly on an individual device if necessary.

Firewall-specific settings such as IP addresses must be unique per device. Instead of using overrides, you can manage these settings with variables within templates. Panorama assigns the variable values at deployment time, either per device through manual assignment or in bulk by importing a spreadsheet with the settings for multiple devices.
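The precedence rules above, modeled in Python as an added example (this is not Panorama's own code or API): templates combine, the highest-priority template wins on overlap, a stack-level override beats the templates, a local override on the firewall beats the stack, and per-device addresses are bound from variables imported in bulk. The template names, setting paths, serial numbers and spreadsheet layout are constructed; the eth1 addresses are the ones shown in Figure 7.

```python
"""Model of Panorama template stack resolution (an added example; not Panorama's
own code or API). It reproduces the precedence described in the guide: templates
in a stack combine, the highest-priority template wins on overlapping settings,
a stack-level override beats every template, a local override on the firewall
beats the stack, and per-device values such as IP addresses come from template
variables bound per device or imported in bulk from a spreadsheet.
Template names, setting paths, values, serial numbers and CSV layout are constructed."""

import csv
import io
import re
from dataclasses import dataclass, field

MAX_TEMPLATES_PER_STACK = 8            # limit shown in Figure 4 of the guide
_VARIABLE = re.compile(r"\$[\w.-]+")   # assumption: variables are written as $name


@dataclass
class Template:
    name: str
    settings: dict          # flat "setting.path": value (constructed paths)


@dataclass
class TemplateStack:
    name: str
    templates: list                                  # priority 1 first, as in Figure 4
    overrides: dict = field(default_factory=dict)    # stack-level overrides

    def __post_init__(self):
        if len(self.templates) > MAX_TEMPLATES_PER_STACK:
            raise ValueError(f"{self.name}: at most {MAX_TEMPLATES_PER_STACK} templates per stack")

    def merged(self) -> dict:
        """Combine the templates; on overlap the highest-priority template wins."""
        result = {}
        for template in reversed(self.templates):    # lowest priority first...
            result.update(template.settings)          # ...so priority 1 overwrites last
        result.update(self.overrides)                 # stack overrides beat all templates
        return result


def variables_from_csv(text: str) -> dict:
    """Bulk variable import: one row per device serial, one column per $variable."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        serial = row.pop("serial")
        table[serial] = dict(row)
    return table


def resolve_for_device(stack: TemplateStack, variables: dict, local_overrides=None) -> dict:
    """Settings one firewall receives after a push, with its variables bound."""
    settings = stack.merged()
    settings.update(local_overrides or {})            # local admin override wins

    def bind(match):
        name = match.group(0)
        if name not in variables:
            raise KeyError(f"no value for variable {name} on this device")
        return variables[name]

    return {key: _VARIABLE.sub(bind, value) if isinstance(value, str) else value
            for key, value in settings.items()}


# Constructed templates, highest priority first.
AZURE_TEMPLATE = Template("azure-westus", {"network.ntp.primary": "time.windows.com"})
CLOUD_TEMPLATE = Template("cloud-common", {
    "network.ntp.primary": "pool.ntp.org",          # overridden by azure-westus
    "network.interface.eth1.ip": "$eth1-ip",        # unique per device via a variable
})
BASE_TEMPLATE = Template("org-base", {
    "device.dns.primary": "10.5.0.10",
    "device.timezone": "UTC",
    "network.ntp.primary": "ntp.example.com",       # overridden by both templates above
})
STACK = TemplateStack("azure-stack", [AZURE_TEMPLATE, CLOUD_TEMPLATE, BASE_TEMPLATE],
                      overrides={"device.timezone": "US/Pacific"})

# Constructed spreadsheet export: one row per managed firewall (serials are made up).
DEVICE_VARIABLES = variables_from_csv(
    "serial,$eth1-ip\n"
    "007000001111,172.16.1.6/24\n"
    "007000002222,172.16.1.7/24\n"
)


def example_push(serial: str, local_overrides=None) -> dict:
    """What the named firewall would receive from STACK."""
    return resolve_for_device(STACK, DEVICE_VARIABLES[serial], local_overrides)


if __name__ == "__main__":
    for serial in DEVICE_VARIABLES:
        print(serial, example_push(serial))
```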


Figure 4 Panorama template stack and templates (diagram: a template stack of up to 8 templates, shown as Template (Priority 1) through Template (Priority 3), with override priority flowing from the templates to the stack; Panorama admins apply overrides at the stack level, and local admins apply overrides on individual devices)

Hierarchical Device Groups

Panorama manages common policies and objects through hierarchical device groups. You use multi-level device groups to centrally manage the policies across all deployment locations with common requirements. For example, device groups may be determined geographically, such as Europe and North America. Also, each device group can have a functional sub-device group (for example, perimeter or data center).

Figure 5 Panorama device groups and policy evaluation (diagram: Shared policies for all devices wrap Parent, Child, and Sub-Child device groups, up to four levels, on both the pre-rules side and the post-rules side, with local rules for individual devices in the middle; the evaluation order runs pre-rules from Shared down to the Sub-Child group, then the local rules, then post-rules from the Sub-Child group up to Shared; Panorama admins manage the device-group rules and local admins manage the local rules)

You can define shared policies for central control while granting your local firewall administrator the autonomy to make specific local adjustments. At the device group level, you can create common policies that are defined as the first set of rules (pre-rules) and the last set of rules (post-rules) to be evaluated against match criteria. You can view pre- and post-rules on a managed firewall, but they can only be edited in Panorama in the context of the defined administrative roles. Local device rules (those between the pre- and post-rules) can be edited either by your local firewall administrator or by a Panorama administrator who has switched to a local firewall context. In addition, you can reference shared objects defined by a Panorama administrator in locally managed device rules.
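A model of the rule ordering just described, added here as an example (not Panorama's own code or API): pre-rules from Shared down through the device-group hierarchy, then the firewall's local rules, then post-rules from the most specific group back up to Shared, with the first matching rule deciding. It also shows why a local administrator's rule cannot override a pre-rule set centrally. The device-group names, rules and sample flows are constructed; the source addresses in the 10.5.0.0/24 subnet come from Figure 7, and the fallback deny when nothing matches is an assumption.

```python
"""Model of how Panorama orders the rules a firewall evaluates when it belongs to a
hierarchy of device groups (an added example; not Panorama's own code or API).
It follows the evaluation order in Figure 5: pre-rules from Shared down through
parent, child and sub-child device groups, then the firewall's local rules, then
post-rules from the most specific group back up to Shared; first match wins.
Device-group names, rules and sample flows are constructed."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAX_LEVELS_BELOW_SHARED = 4      # Figure 5: up to four device-group levels


@dataclass
class Rule:
    name: str
    source: str                  # CIDR or "any"
    dest_port: Optional[int]     # None means any port
    action: str                  # "allow" or "deny"

    def matches(self, src_ip: str, port: int) -> bool:
        src_ok = self.source == "any" or ip_address(src_ip) in ip_network(self.source)
        port_ok = self.dest_port is None or self.dest_port == port
        return src_ok and port_ok


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None     # None only for Shared
    pre_rules: List[Rule] = field(default_factory=list)
    post_rules: List[Rule] = field(default_factory=list)

    def lineage(self) -> List["DeviceGroup"]:
        """Groups from Shared down to this one."""
        chain, group = [], self
        while group is not None:
            chain.append(group)
            group = group.parent
        chain.reverse()
        if len(chain) - 1 > MAX_LEVELS_BELOW_SHARED:
            raise ValueError(f"{self.name}: more than {MAX_LEVELS_BELOW_SHARED} levels below Shared")
        return chain


def effective_rulebase(group: DeviceGroup, local_rules: List[Rule]) -> List[Tuple[str, str, Rule]]:
    """The ordered rulebase a firewall in `group` evaluates, tagged by owner and kind."""
    lineage = group.lineage()
    ordered = []
    for dg in lineage:                                         # Shared -> ... -> sub-child
        ordered += [(dg.name, "pre", r) for r in dg.pre_rules]
    ordered += [("local", "local", r) for r in local_rules]    # the local admin's rules
    for dg in reversed(lineage):                               # sub-child -> ... -> Shared
        ordered += [(dg.name, "post", r) for r in dg.post_rules]
    return ordered


def evaluate(rulebase, src_ip: str, port: int) -> Tuple[str, str]:
    """First match wins; the fallback is an assumption standing in for default rules."""
    for owner, kind, rule in rulebase:
        if rule.matches(src_ip, port):
            return rule.action, f"{owner}/{kind}/{rule.name}"
    return "deny", "default"


# Constructed hierarchy: Shared > NorthAmerica > Azure > Azure-Perimeter (three levels).
SHARED = DeviceGroup("Shared",
                     pre_rules=[Rule("deny-bad-sources", "198.51.100.0/24", None, "deny")],
                     post_rules=[Rule("deny-all", "any", None, "deny")])
NORTH_AMERICA = DeviceGroup("NorthAmerica", SHARED,
                            post_rules=[Rule("deny-telnet", "any", 23, "deny")])
AZURE = DeviceGroup("Azure", NORTH_AMERICA,
                    pre_rules=[Rule("allow-web", "any", 443, "allow")])
AZURE_PERIMETER = DeviceGroup("Azure-Perimeter", AZURE)

# Rules the local administrator added directly on one firewall (constructed).
LOCAL_RULES = [
    Rule("allow-app-test", "10.5.0.0/24", 8080, "allow"),
    Rule("allow-lab-ssh", "198.51.100.0/24", 22, "allow"),    # cannot beat the Shared pre-rule
]

RULEBASE = effective_rulebase(AZURE_PERIMETER, LOCAL_RULES)


def decide(src_ip: str, port: int) -> Tuple[str, str]:
    """Action and the rule that produced it for a flow hitting the Azure-Perimeter firewall."""
    return evaluate(RULEBASE, src_ip, port)


if __name__ == "__main__":
    for owner, kind, rule in RULEBASE:
        print(f"{owner:16} {kind:6} {rule.name}")
    for flow in [("198.51.100.7", 22), ("203.0.113.9", 443), ("10.5.0.6", 8080), ("10.5.0.6", 23)]:
        print(flow, decide(*flow))
```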

Role-based administration delegates feature-level access, including availability of data (enabled, read-only, or disabled and hidden from view), to different members of your staff. You can give specific individuals access to tasks that are pertinent to their job while making other tasks either hidden or read-only.

As your deployment grows in size, you can make sure updates are sent to downstream boxes in an organized manner. For instance, you may prefer to centrally qualify a software update before it is delivered via Panorama to all production firewalls at once. Using Panorama, you can centrally manage the update process for software updates, content application updates, antivirus signatures, threat signatures, URL-filtering database, and licenses.

Panorama can also integrate with your IT workflow applications. When a log is generated on the next-generation firewall, Panorama can trigger actions and initiate workflows through HTTP-based APIs. Selective log forwarding allows you to define the criteria to automate a workflow or an action.

PANORAMA OPERATIONAL CONSIDERATIONS

Panorama on Azure Licensing

Panorama on Azure is available only with a bring-your-own-license (BYOL) model, using a license that you purchase from a channel partner. Panorama on Azure supports all deployment modes (Panorama, Log Collector, and Management Only) and shares the same processes and functionality as the M-Series hardware appliances. When using BYOL, you license Panorama like a traditionally deployed appliance, registering it on the Palo Alto Networks Customer Support web site prior to implementation. After the Panorama instance is initialized and accessible, you must apply a licensed serial number for operation. After you apply the serial number to the device, the device registers with the Palo Alto Networks support portal and obtains information about its capacity and subscriptions.

System Access Control

This guide uses public IP access protected by network security groups (NSGs) that limit the allowed ports to those required for Panorama to reach firewalls and other services. You should also reduce the allowed source IP address ranges to those addresses or ranges in your operation that are necessary to operate the network using Panorama.

Assumptions and Prerequisites

Microsoft Azure:

• Your organization has a valid active subscription associated with your Azure user account.

• A dedicated resource group and VNet are used for Panorama.

• Managed devices are deployed in other resource groups by using one of the following options:

◦ Deployed in the same VNet as Panorama

◦ Deployed in a VNet that is peered to the Panorama VNet.

◦ Both of the above, concurrently.

• This design uses IPv4 IP addressing. IPv6 is available but is not covered.

• This deployment was tested predominantly in the US West region, although deploying this design should be possible in any Azure region.

Palo Alto Networks Panorama:

• The tested PAN-OS® version in this guide is 8.1.5.

• Panorama is implemented in management mode.

• Logging Service is provisioned for event logging.

• The Cloud services plugin for Panorama tested was 1.2.0-h2.

Palo Alto Networks VM-Series firewall:

• To complete this guide by onboarding a VM-Series (or hardware-based) firewall to your Panorama system, you need a Palo Alto Networks firewall that is licensed and IP-reachable by Panorama.

Palo Alto Networks licensing:

• Your organization has licenses for Panorama primary and secondary (if used) servers. Panorama requires BYOL at this time.

• Your organization has sufficient licenses for the VM-Series firewalls. This deployment guide uses BYOL; however, you could use usage-based licenses.

• Logging Service requires a license with sufficient storage for your expected retention period. Logging Service requires an authcode and a Panorama system associated to the service. The Logging Service used in this guide is hosted in the Americas region.

Deployment Details for Panorama

You deploy Panorama in a new, dedicated Azure Resource Group, which includes a VNet with a Management subnet for Panorama. You must complete two complementary procedure groups in order to deploy Panorama. The first procedure group configures the Azure environment. After you configure Azure, you may deploy Panorama.

Figure 6 Panorama high-availability mode deployed on Azure (diagram: Virtual Network 192.168.1.0/24 with a Management subnet 192.168.1.0/24 holding the Panorama high-availability pair, 192.168.1.4 active and 192.168.1.5 passive)

You can modify Azure VNets after creation in order to add additional IP address space and subnets. You may choose to deploy your VM-Series firewalls and other resources in the same VNet originally deployed for Panorama. If additional modularity and scale is required, you can deploy your VM-Series firewalls and other resources in one or more other VNets using peer connections to the Panorama management VNet.

Figure 7 VNet deployment options for Panorama management (diagram, two options: in the single VNet option, the Panorama high-availability pair 192.168.1.4 (active) and 192.168.1.5 (passive) on Management 192.168.1.0/24 shares one Virtual Network (192.168.1.0/24, 172.16.0.0/23, 10.5.0.0/16) with VM-Series firewalls at 192.168.1.6 and 192.168.1.7 (management), 172.16.1.6 and 172.16.1.7 (eth1, Public 172.16.1.0/24), 10.5.0.6 and 10.5.0.7 (eth2, Private 10.5.0.0/24), and 10.5.15.6 and 10.5.15.7 (eth3, VPN 10.5.15.0/24); in the peered VNet option, the Panorama Virtual Network (192.168.1.0/24) connects by VNet peering to a second Virtual Network (192.168.0.0/24, 172.17.0.0/23, 10.1.0.0/16) whose VM-Series firewalls use 192.168.0.4 and 192.168.0.5 (Management 192.168.0.0/24), 172.17.1.4 and 172.17.1.5 (eth1, Public 172.17.1.0/24), 10.1.0.4 and 10.1.0.5 (eth2, Private 10.1.0.0/24), and 10.1.15.4 and 10.1.15.5 (eth3, VPN 10.1.15.0/24))

The deployment and configuration details in this guide support both the single VNet option and the peered VNet option but do not include the procedures to modify the Panorama management VNet or create peer connections.


The single VNet option is used in Deployment Guide for Azure—Single VNet Design Model (Common Firewall Option) and Deployment Guide for Azure—Single VNet Design Model (Dedicated Inbound Option). These guides include the procedures for adding address space and subnets to an existing VNet.

The peered VNet option is used in Deployment Guide for Azure—Transit VNet Design Model. This guide includes the procedures for creating peer connections between VNets.

Creating and Configuring Azure Common Resources

1.1 Create the Resource Group

1.2 Create the Virtual Network

1.3 Create the Public IP Address for Panorama

1.4 Create and Apply the Network Security Group

1.5 Create Whitelist Network Security Group

1.6 Create the Availability Set

1.7 Create the Storage Account

1.8 Verify Resource Creation Completed

Procedures

You use Azure Resource Manager to complete these procedures. Sign in to Azure at https://portal.azure.com.

Note: Some Azure templates provide an option to create a new resource when needed at deployment time and other templates require resources to be created in advance. Where possible, this guide creates the resource in advance and then references the existing resource at deployment time.


In these procedures, you create the resources listed in the following table as preparation for deploying Panorama.

Table 2 Azure resources required for deployment

| Parameter | Value | Comments |
|---|---|---|
| Resource group | AzureRefArch | — |
| Subscription | <value> | Must have a valid Azure subscription |
| Resource group location | <location> | Tested in West US |
| Virtual network | AzureRefArch-VNET | — |
| Public IP for Panorama management (primary) | Azure-Panorama-1 | Panorama, or primary Panorama when using Panorama High Availability |
| Public IP for Panorama management (secondary) | Azure-Panorama-2 | Optional—secondary Panorama when using Panorama High Availability |
| Availability set | AzureRefArch-AS | Suggested if planning for Panorama High Availability |
| Diagnostics storage account | azurerefarchv2diag | — |

1.1 Create the Resource Group

All resources deployed in this guide should use the same location. The deployment in this guide was tested in West US.

Step 1: In Home > Resource groups, click Add.

Step 2: In the Resource group name box, enter AzureRefArch and select the desired value for the Region. Click Review + Create.


Step 3: On the next screen, click Create.

1.2 Create the Virtual Network

Create the VNet with an initial IP address space and a subnet that must be within the IP address space.

Step 1: In Home > Virtual networks, click Add.

Step 2: In the Name box, enter AzureRefArch-VNET.

Step 3: In the Address space box, enter 192.168.1.0/24.

Note: Azure Resource Manager provides a warning if the proposed address space overlaps with address space already assigned in another VNet within the same subscription. These warnings can be ignored if communication between these VNets is not required. Otherwise, choose a different non-overlapping address space.

Step 4: In the Resource Group list, select AzureRefArch.

Step 5: In the Subnet section Name box, enter Management.

Step 6: In the Subnet section Address Range box, enter 192.168.1.0/24.


Step 7: Click Create.
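Address-plan checks for the two VNet options shown in Figure 7, as an added example that is not part of the guide: a subnet must sit inside one of its VNet's address spaces, and VNets that will be peered must not overlap. The prefixes are taken from the figure; the mistaken Public subnet is constructed.

```python
"""Address-plan checks for the VNet options in this guide (added example, not the guide's
own code). A subnet must sit inside one of its VNet's address spaces, and VNets that will
be peered must not overlap; prefixes below are taken from Figure 7."""
from ipaddress import ip_network


def subnets_outside_vnet(address_spaces, subnets):
    """Return the names of subnets that do not fall inside any of the VNet's address spaces."""
    spaces = [ip_network(cidr) for cidr in address_spaces]
    return [name for name, cidr in subnets.items()
            if not any(ip_network(cidr).subnet_of(space) for space in spaces)]


def peering_overlaps(address_spaces_a, address_spaces_b):
    """Return every pair of prefixes that overlap between two VNets.
    Azure refuses to peer VNets whose address spaces overlap, so this must be empty."""
    return [(a, b) for a in address_spaces_a for b in address_spaces_b
            if ip_network(a).overlaps(ip_network(b))]


# Single VNet option: the Panorama VNet extended with firewall address space and subnets.
SINGLE_VNET_SPACES = ["192.168.1.0/24", "172.16.0.0/23", "10.5.0.0/16"]
SINGLE_VNET_SUBNETS = {
    "Management": "192.168.1.0/24",
    "Public": "172.16.1.0/24",
    "Private": "10.5.0.0/24",
    "VPN": "10.5.15.0/24",
}

# Peered VNet option: Panorama stays in its own VNet, the firewalls live in a second one.
PANORAMA_VNET_SPACES = ["192.168.1.0/24"]
FIREWALL_VNET_SPACES = ["192.168.0.0/24", "172.17.0.0/23", "10.1.0.0/16"]
FIREWALL_VNET_SUBNETS = {
    "Management": "192.168.0.0/24",
    "Public": "172.17.1.0/24",
    "Private": "10.1.0.0/24",
    "VPN": "10.1.15.0/24",
}

# A constructed mistake: 172.16.2.0/24 lies outside 172.16.0.0/23, which Azure would reject.
BAD_SUBNETS = dict(SINGLE_VNET_SUBNETS, Public="172.16.2.0/24")


if __name__ == "__main__":
    print("single VNet problems:", subnets_outside_vnet(SINGLE_VNET_SPACES, SINGLE_VNET_SUBNETS))
    print("bad plan problems:", subnets_outside_vnet(SINGLE_VNET_SPACES, BAD_SUBNETS))
    print("peering overlaps:", peering_overlaps(PANORAMA_VNET_SPACES, FIREWALL_VNET_SPACES))
```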

1.3 Create the Public IP Address for Panorama

The Panorama virtual machines deployed on Azure are managed using public IP addresses unless on-site network connectivity has been established.

Next, you create a public IP address that is associated with the management interface of the primary Panorama system at deployment time. If necessary, you will repeat this procedure to create an additional public IP address for the secondary Panorama system. Use the parameters listed in Table 2 to complete this procedure.


Note: This guide uses Standard-SKU IP addresses in all procedures except where specifically noted.

Take note of the fully qualified domain name that is defined by adding the location specific suffix to your DNS name label. We recommend managing your devices by using the DNS name rather than the public IP address, which may change.

Step 1: In Home > Public IP addresses, click Add.

Step 2: In the Name box, enter Azure-Panorama-1.

Step 3: Select Standard SKU.

Step 4: In the DNS name label box, enter ara-panorama-1.

Step 5: In the Resource Group list, select AzureRefArch.


Step 6: Click Create.

1.4 Create and Apply the Network Security Group

When a Standard-SKU public IP address is associated with a resource, Azure requires that you apply an NSG on the subnet or on the NIC of the virtual machine resource; without one, no traffic is permitted to reach the resource.

Note: This guide uses Standard-SKU IP addresses in all procedures except where specifically noted.


In this procedure, you create NSGs for use with the management subnet. Each NSG includes default rules that allow for traffic within the VNET and from the Azure load balancer health probes.

Step 1: In Home > Network Security groups, click Add.

Step 2: In the Name box, enter AllowManagement-Subnet.

Step 3: In the Resource Group list, select AzureRefArch.

Step 4: In Home > Network security groups > AllowManagement-Subnet, in the Settings section, click Inbound security rules.

Step 5: Click Add. The Add inbound security rule pane appears.

Step 6: In the Destination port ranges box, enter 443.

Step 7: In the Protocol section, select TCP.

Step 8: In the Name box, enter AllowHTTPS-Inbound.

Step 9: Click Add.


Step 10: Repeat Step 4 through Step 9 with the following values:

• Destination port ranges—22

• Priority—110

• Name—AllowSSH-Inbound

Note: Azure presents warning messages when the NSG rules expose various ports to the Internet. We advise using more restrictive rules outside of a testing environment.

Step 11: In Home > Network security groups > AllowManagement-Subnet, in the Settings section, click Subnets.

Step 12: In the AllowManagement-Subnet—Subnets pane, click Associate.

Step 13: Click on the Virtual network—Choose a virtual network section. From the Choose virtual network list, select AzureRefArch-VNET.


Step 14: Click on the Subnet—Choose a subnet section. From the Choose subnet list, select Management, and then click OK.

1.5 Create Whitelist Network Security Group

Some virtual machines require the application of an NSG at deployment time. Because a subnet NSG is already applied, it is not necessary to apply additional rules to the virtual machine NIC. Next, you create a whitelist NSG, which is applied to virtual machines as they are deployed. When NSGs are applied at both the subnet and NIC level, the security rules are merged.

Step 1: In Home > Network Security groups, click Add.

Step 2: In the Name box, enter AllowAll-NIC.

Step 3: In the Resource Group list, select AzureRefArch.

Step 4: In Home > Network security groups > AllowAll-NIC, in the Settings section, click Inbound security rules.

Step 5: Click Add. The Add inbound security rule pane appears.

Step 6: In the Destination port ranges box, enter *.

Step 7: In the Priority box, enter 100.


Step 8: In the Name box, enter AllowAll-Inbound.

Step 9: Click Add.

Note: Azure presents warning messages when the Network Security Group rules expose various ports to the Internet.
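The subnet/NIC merge described above and the warnings about exposed ports, as an added example that is not code from the guide: a small model of Azure's inbound NSG evaluation run over the AllowManagement-Subnet and AllowAll-NIC rules created in procedures 1.4 and 1.5, beside a variant that limits the same ports to an assumed administrator prefix. The priority 100 for AllowHTTPS-Inbound, the probe address 198.51.100.7 and the prefix 203.0.113.0/24 are assumptions, and Azure's service tags are reduced to the three this model needs.

```python
"""Inbound NSG evaluation for the rule sets this guide creates: AllowManagement-Subnet
on the Management subnet and AllowAll-NIC on the Panorama NIC. Added example, not the
guide's own code; Azure's service tags are reduced to the three this model needs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_SPACE = ip_network("192.168.1.0/24")     # AzureRefArch-VNET address space (from the guide)
AZURE_LB_PROBE = ip_address("168.63.129.16")  # Azure platform address that sources LB health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "TCP", "UDP" or "*"
    source: str = "*"      # CIDR, "*", "VirtualNetwork" or "AzureLoadBalancer"
    dest_ports: str = "*"  # "443", "22-23" or "*"

    def matches(self, src, proto, port):
        return self._proto_ok(proto) and self._source_ok(ip_address(src)) and self._port_ok(port)

    def _proto_ok(self, proto):
        return self.protocol == "*" or self.protocol.upper() == proto.upper()

    def _source_ok(self, addr):
        if self.source == "*":
            return True
        if self.source == "VirtualNetwork":
            return addr in VNET_SPACE
        if self.source == "AzureLoadBalancer":
            return addr == AZURE_LB_PROBE
        return addr in ip_network(self.source, strict=False)

    def _port_ok(self, port):
        if self.dest_ports == "*":
            return True
        low, _, high = self.dest_ports.partition("-")
        return int(low) <= port <= int(high or low)


# Default inbound rules Azure adds to every NSG (the ones the guide refers to).
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
)


def nsg_decision(rules, src, proto, port):
    """First matching rule in priority order wins; DenyAllInBound guarantees a match."""
    for rule in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.matches(src, proto, port):
            return rule.access == "Allow", rule.name
    return False, "DenyAllInBound"


def effective_inbound(subnet_rules, nic_rules, src, proto, port):
    """Inbound traffic passes the subnet NSG first and then the NIC NSG; both must allow it."""
    allowed, _ = nsg_decision(subnet_rules, src, proto, port)
    return allowed and nsg_decision(nic_rules, src, proto, port)[0]


def internet_reachable_ports(subnet_rules, nic_rules, ports, probe_src="198.51.100.7"):
    """TCP ports an arbitrary Internet host (constructed probe address) can reach through both NSGs."""
    return [p for p in ports if effective_inbound(subnet_rules, nic_rules, probe_src, "TCP", p)]


# Rules as procedures 1.4 and 1.5 create them. Priority 110 for SSH is from the guide;
# priority 100 for HTTPS is the portal default and an assumption.
ALLOW_MANAGEMENT_SUBNET = (
    Rule("AllowHTTPS-Inbound", 100, "Allow", "TCP", "*", "443"),
    Rule("AllowSSH-Inbound", 110, "Allow", "TCP", "*", "22"),
)
ALLOW_ALL_NIC = (Rule("AllowAll-Inbound", 100, "Allow", "*", "*", "*"),)

# The more restrictive variant the guide's note recommends outside a test environment:
# same ports, but only from a constructed administrator prefix (documentation range).
ADMIN_PREFIX = "203.0.113.0/24"
RESTRICTED_MANAGEMENT_SUBNET = (
    Rule("AllowHTTPS-Inbound", 100, "Allow", "TCP", ADMIN_PREFIX, "443"),
    Rule("AllowSSH-Inbound", 110, "Allow", "TCP", ADMIN_PREFIX, "22"),
)

if __name__ == "__main__":
    print("guide rules:", internet_reachable_ports(ALLOW_MANAGEMENT_SUBNET, ALLOW_ALL_NIC, [22, 443, 3978]))
    print("restricted:", internet_reachable_ports(RESTRICTED_MANAGEMENT_SUBNET, ALLOW_ALL_NIC, [22, 443, 3978]))
```

Because the NIC NSG allows everything, the subnet NSG is the only control on what reaches Panorama from outside the VNet; the VNet default rule still lets the HA peer at 192.168.1.5 reach it in either variant.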

1.6 Create the Availability Set

The Panorama high-availability model benefits from the use of an availability set with two fault domains. This ensures that the primary and secondary Panorama systems are deployed on different fault domains.

Note: You can only configure an availability set on a virtual machine during its initial deployment. You can’t modify a virtual machine’s availability-set configuration after the virtual machine is deployed.

Step 1: In Home > Availability sets, click Add.

Step 2: In the Name box, enter AzureRefArch-AS.


Step 3: In the Resource Group section, select AzureRefArch, and then click Create.

1.7 Create the Storage Account

Panorama and other resources require general purpose storage for diagnostics and bootstrapping.

Step 1: In Home > Storage accounts, click Add.

Step 2: In the Resource Group list, select AzureRefArch.

Step 3: In the Storage account name box, enter azurerefarchv2diag.

Step 4: In the Account kind list, select StorageV2 (general purpose v2).

Step 5: In the Replication list, select Locally-redundant storage (LRS).


Step 6: Click Review + create.

Step 7: On the next screen, click Create.

Step 8: On the next screen, after validation passes, click Create.

1.8 Verify Resource Creation Completed

Some Azure deployments are time consuming, and if any resources are missing, the deployment fails. It is quicker to verify that all of the necessary resources exist before proceeding with a deployment than it is to wait until a deployment fails.


Step 1: In Home > Resource Groups, select AzureRefArch.

Step 2: Verify that the resource group, NSGs, public IP addresses, availability set, storage account, and VNet have been successfully created.

Deploying Panorama on Azure

2.1 Create Panorama Virtual Machine

2.2 Change Azure Assigned IP Address from Dynamic to Static

2.3 License Panorama on Azure

2.4 Update Panorama Software to Recommended Version

2.5 Configure Panorama High Availability

2.6 Activate Logging Service

2.7 Install Cloud Service Plugin

2.8 Configure Logging Service for Firewall Logging Storage Space

Procedures

The following procedures use the Azure Resource Manager and the Panorama device portal. Sign in to Azure at https://portal.azure.com. Details on how to access Panorama after deployment are included in the relevant procedures.


Use this procedure to deploy Panorama in management mode. Panorama defaults to management mode when it detects that there is not sufficient log storage capacity to run in Panorama mode.

After successful deployment to Azure, you complete the basic configuration for Panorama. This includes licensing, software update, high availability and the activation of the Logging Service.

Table 3 Panorama deployment parameters

| Parameter | Value | Comments |
|---|---|---|
| Name | Azure-Panorama-1 / Azure-Panorama-2 | Primary system / Secondary system (optional for high availability) |
| VM disk type | Standard HDD | Required for D3_v2 Standard. |
| Username | refarchadmin | May not use “admin” |
| Authentication type | <password> | Complex password required |
| Subscription | <value> | Must have a valid Azure subscription |
| Resource group name | AzureRefArch | — |
| Location | <location> | Tested in West US |
| Panorama VM size | D3_v2 Standard | Setup Prerequisites for the Panorama Virtual Appliance |
| Availability set | AzureRefArch-AS | Recommend to use Availability Set if planning for active/standby Panorama. Cannot change setting after deployment. |
| Storage: Use managed disks | Yes | — |
| Virtual Network | AzureRefArch-VNET | — |
| Subnet | Management | — |
| Public IP | Azure-Panorama-1 / Azure-Panorama-2 | DNS configured as: ara-panorama-1 / DNS configured as: ara-panorama-2 |
| Network security group | AllowAll-NIC | NSG is applied at subnet level |
| Auto-shutdown | No | — |
| Monitoring: Boot diagnostics | On | — |
| Diagnostics storage account | azurerefarchv2diag | — |

2.1 Create Panorama Virtual Machine

Use the parameters in Table 3 to deploy Panorama.

Step 1: In Home > Virtual machines, click Add.


Step 2: Click Create VM from Azure Marketplace.

Step 3: In the Search compute box, enter Panorama, and then press Enter to search.

Step 4: In the search results, click Panorama (BYOL).

Step 5: In Home > Virtual machines > Create a virtual machine > Marketplace > Panorama (BYOL), click Create.

Step 6: In the Resource Group list, select AzureRefArch.

Step 7: In the Virtual machine name box, enter Azure-Panorama-1.

Step 8: In the Availability options list, select Availability set.

Step 9: In the Availability set list, select AzureRefArch-AS.

Step 10: In the Size section, click Change size.

Step 11: In the Select a VM size pane, in the Search box, enter D3_v2 to search.

Step 12: Click the D3_v2 Standard row, then click Select.


Step 13: For Authentication type, select Password.

Step 14: In the Username box, enter refarchadmin.

Step 15: For Authentication type, select Password.

Step 16: In the Password and Confirm Password boxes, enter the password, and then click Next: Disks>.


Step 17: In the OS disk type list, select Standard HDD, and then click Next: Networking>.

Step 18: In the Virtual network list, select AzureRefArch-VNET.

Step 19: In the Subnet list, select Management (192.168.1.0/24).

Step 20: In the Public IP list, select Azure-Panorama-1.


Step 21: In the Configure network security group list, select AllowAll-NIC for resource group AzureRefArch (the subnet already has an associated NSG), and then click Next: Management>.

Step 22: For Boot diagnostics, select On.

Step 23: In the Diagnostics storage account list, select azurerefarchv2diag.


Step 24: Click Review + create.

Step 25: After validation passes, review the Product Details, Terms of use and Summary sections. If the information is correct and acceptable, then click Create.

2.2 Change Azure Assigned IP Address from Dynamic to Static

You must configure Panorama with a static IP address. Azure networking provides the IP address to Panorama using DHCP, but by default the address is assigned dynamically. If the current IP address is acceptable, convert the address assignment to static. To change the IP address, convert the assignment to static and then assign an available address. Any IP address change requires a restart of the Panorama virtual machine.

Step 1: In Home > Virtual machines > Azure-Panorama-1, click Networking.

Step 2: Click the Network interface name (example: azure-panorama-1179).


Step 3: Click IP configurations.

Step 4: Click the IP configuration row to edit the settings.

Step 5: In the Private IP address settings section, click Static to convert from dynamic to static configuration.

Step 6: If you want to change the static IP address to a value you prefer, in the IP address box, enter a new IP address. The chosen IP address must be unassigned in Azure.

Caution: Changing an IP address forces a restart of the virtual machine.


Step 7: Click Save. The virtual machine restarts if the IP address is changed.

2.3 License Panorama on Azure

Panorama is now running on Azure but is unlicensed and using a factory default configuration. Based on the size selected for the Panorama virtual machine, the System Mode is management-only.

This procedure assumes that you have a valid serial number for your Panorama device(s) and that registration on the customer support portal (https://support.paloaltonetworks.com) is complete.

Step 1: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

You will see a series of dialog boxes and warnings.

Step 2: On the There are no device groups dialog box, click OK.

Step 3: On the Retrieve Panorama License dialog box, click OK.

Step 4: On the next Retrieve Panorama License dialog box, click Complete Manually.

Step 5: On the Offline Licensing Information dialog box, click OK.


Step 6: In Panorama > Setup > Management > General Settings, click the Edit cog.

Step 7: In the Domain box, enter the domain suffix.

Step 8: In the Time Zone list, select the appropriate time zone (example: US/Pacific).

Step 9: In the Serial Number box, enter the serial number from the customer support portal, and then click OK.

Step 10: In Panorama > Setup > Services, click the Edit cog.

Step 11: In the Primary DNS Server box, enter 168.63.129.16.

Step 12: On the NTP tab, in the Primary NTP Server section NTP Server Address box, enter 0.pool.ntp.org.


Step 13: In the Secondary NTP Server section NTP Server Address box, enter 1.pool.ntp.org, and then click OK.

Step 14: On the Commit menu, click Commit to Panorama.

Step 15: In Panorama > Licenses, click Retrieve license keys from license server.

Step 16: Verify Device Management License is active.

2.4 Update Panorama Software to Recommended Version

Step 1: Navigate to Panorama > Software.

Note: If you receive an Operation Failed warning with the message No update information available, you may click Close to acknowledge. No action is required.

Step 2: In Panorama > Software, click Check Now.

Step 3: For version 8.1.5, in the Actions column, click Download. When the download is complete, click Close.

Step 4: After the status in the Available column has changed to Downloaded, in the Action column, click Install.

Step 5: When prompted to Reboot Panorama, click Yes.


2.5 Configure Panorama High Availability (Optional)

This procedure is necessary only to deploy Panorama in a high availability configuration. Panorama supports an HA configuration in which one peer is the active-primary and the other is the passive-secondary. If a failure occurs on the primary peer, it automatically fails over and the secondary peer becomes active.

The Panorama HA peers synchronize the running configuration each time you commit changes on the active Panorama peer. The candidate configuration is synchronized between the peers each time you save the configuration on the active peer or just before a failover occurs.

Settings that are common across the pair—such as shared objects and policy rules, device group objects and rules, template configuration, and administrative access configuration—are synchronized between the Panorama HA peers.

Several conditions must be met to configure Panorama high availability. Each Panorama system must run the same software version and have the same firewall management capacity license, and if Panorama plugins are used, the plugins must be the same version.

Perform Step 1 through Step 6 on the primary Panorama.

Step 1: In Panorama > High Availability > Setup, click the Edit cog.

Step 2: Select Enable HA.

Step 3: In the Peer HA IP Address box, enter 192.168.1.5, and then click OK.

Step 4: In Panorama > High Availability > Election Settings, click the Edit cog.

Step 5: In the Priority list, select primary, and then click OK.

Step 6: On the Commit menu, click Commit to Panorama.


Perform Step 7 through Step 12 on the secondary Panorama.

Step 7: In Panorama > High Availability > Setup, click the Edit cog.

Step 8: Select Enable HA.

Step 9: In the Peer HA IP Address box, enter 192.168.1.4, and then click OK.

Step 10: In Panorama > High Availability > Election Settings, click the Edit cog.

Step 11: In the Priority list, select secondary, and then click OK.

Step 12: On the Commit menu, click Commit to Panorama.

Step 13: On the primary Panorama, in Dashboard > Widgets > System, click High Availability to enable the High Availability dashboard widget. This adds a dashboard pane that displays the status of the Panorama peers.


Step 14: Repeat Step 13 on the secondary Panorama.

Step 15: On the primary Panorama, in Dashboard > High Availability, click Sync to peer.

Step 16: Click Yes to accept the Overwrite Peer Configuration warning and proceed with the synchronization.

2.6 Activate Logging Service

The Logging Service requires an authorization code that activates the service. This procedure also assumes that you have a valid serial number for your Panorama device(s) and that registration on the customer support portal is complete.

The Logging Service instance is associated with the serial number of the primary Panorama. This procedure is not repeated for the secondary Panorama.

Step 1: Log in to the Customer Support Portal at https://support.paloaltonetworks.com.

Step 2: Select Assets > Cloud Services.

Step 3: Click Activate Cloud Services Auth-Code.

Step 4: In the Cloud Services window, in the Authorization Code box, enter the authorization code (example: I7654321), and then press the Tab key to advance. The Panorama and Logging Region boxes appear.


Step 5: In the Cloud Services window, in the Panorama list, select the value that corresponds to the serial number assigned to your primary Panorama.

Step 6: In the Cloud Services window, in the Logging Region list, select the value that corresponds to your region (example: Americas).

Step 7: Select the checkbox to acknowledge the warning. You will perform this update later, in Procedure 2.8.

Step 8: Accept the EULA by clicking on Agree and Submit.

2.7 Install Cloud Service Plugin

If running Panorama in high availability mode, perform this procedure on the primary Panorama first. Then repeat this procedure for the secondary Panorama.

Step 1: In Panorama > Plugins, click Check Now.

Step 2: For cloud_services-1.2.0-h2, in the Actions column, click Download.

Step 3: After the download is completed, click Close.


Step 4: After the status in the Available column changes to a check mark, in the Action column, click Install.

Step 5: Click OK to close the dialog box that indicates a successful installation.

Perform Step 6 through Step 8 on the customer support portal (https://support.paloaltonetworks.com) to complete the association of Panorama to the cloud service.

Step 6: In Assets > Cloud Services, click Generate OTP.

Step 7: In the Generate Cloud Services One Time Password window, in the Panorama list, select the serial number for the primary Panorama, and then click Generate OTP.


Step 8: In the Generate Cloud Services One Time Password window, click Copy to Clipboard.

Step 9: On Panorama, navigate to Panorama > Cloud Services > Status, and then click Verify.


Step 10: In the One-Time Password box, paste the OTP that was generated from the Customer Support Portal.

Step 11: In Panorama > Cloud Service > Status, verify the status.

Step 12: Click details to verify successful certificate retrieval and active connection to the Logging Service.

Step 13: If necessary, repeat this procedure for the secondary Panorama.


2.8 Configure Logging Service for Firewall Logging Storage Space

In Procedure 2.6, Step 7, you acknowledged a warning that you must allocate storage space for firewall logs, or they will be purged from Logging Service. In this procedure, you provision storage space for firewall logs.

Step 1: Navigate to the Palo Alto Networks Cloud Services Apps portal, log in, and then click Logging Service.

Step 2: If you have multiple Logging Service instances and Panorama systems, select the appropriate instance.

Step 3: In the navigation pane, click Configuration.

Step 4: In the Firewall Log Type Size box, enter 10 TB, and then click Apply. This Firewall Log Type size is an example value. You are provisioning a portion of the total storage space for firewall logs. For storage sizing, see this Knowledge Base Article.


Deployment Details for VM-Series

Preparing VM-Series Firewall Configurations Using Panorama

3.1 Create Panorama Device Group

3.2 Configure Azure Policies and Objects

3.3 Create Panorama Templates

3.4 Select Azure-Services Template for Configuration

3.5 Configure Device Parameters

3.6 Configure Logging-Service Template

Procedures

Panorama provides a number of tools for centralized administration:

• Hierarchical device groups—Panorama manages common policies and objects through hierarchical device groups. Multi-level device groups are used to centrally manage the policies across all deployment locations with common requirements.

• Templates/template stacks—Panorama manages common device and network configuration through templates. You can use templates to manage configuration centrally and then push the changes to all managed firewalls. This approach avoids your making the same individual firewall change repeatedly across many devices. To make things easier, you can stack templates and use them as building blocks for device and network configuration.

The following procedures create an example device group to configure a log-forwarding profile for the Logging Service and example templates for basic Azure networking services (DNS and NTP) and Logging Service. The additional procedures to add a VM-Series firewall to Panorama are included as an example.

Note: The device group and templates created in this guide are used in Deployment Guide for Azure—Transit VNet Design Model.


3.1 Create Panorama Device Group

This guide uses a single device group to demonstrate the basic functionality. You create policies in the procedures that require them.

Step 1: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

Step 2: In Panorama > Device Groups, click Add.

Step 3: In the Name box, enter Azure Policies and Objects.

Step 4: In the Description box, enter a valid description.

Step 5: In the Parent Device Group box, verify the value is set to Shared, and then click OK.

3.2 Configure Azure Policies and Objects

Next, you create the log-forwarding profile that sends security policy logs to the Logging Service. You associate this profile with any security policy rules you create that use the Logging Service.

Step 1: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

Step 2: Navigate to Device Groups > Objects.

Step 3: In the Device Group list, select Azure Policies and Objects.

Step 4: In Device Groups > Objects > Log Forwarding, click Add.

Step 5: In the Name box, enter LoggingService-Profile.

Step 6: Select Enable enhanced application logging to Logging Service (including traffic and url logs), and then click OK.

3.3 Create Panorama Templates

The templates include configuration for all functions that are common across all the VM-Series devices in the Common Firewall design option.

Two templates are used. The Azure-Services template includes basic networking services including DNS and NTP. The Logging Service template includes device functions to enable the Logging Service. Both templates are applied to devices using a Panorama template stack, which logically merges the assigned templates and associates them with the relevant devices.

In this procedure, you create the templates that are used for subsequent procedures in this guide. You create the specific configurations for these templates within the relevant procedures. You create the template stack later in this guide, when associating the first device to the templates.

Step 1: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

Step 2: In Panorama > Templates, click Add.

Step 3: In the Name box, enter Azure-Services.

Step 4: In the Description box, enter a valid description, and then click OK.

Step 5: In Panorama > Templates, click Add.

Step 6: In the Name box, enter Logging Service.

Step 7: In the Description box, enter a valid description, and then click OK.

Step 8: On the Commit menu, click Commit to Panorama.

Step 9: Verify that the additional tabs for Device Groups (Policies and Objects) and Templates (Network and Device) are now visible on the Panorama management portal.

Note: You may need to refresh the screen on the secondary Panorama and navigate to a different tab before the additional tabs become visible.

3.4 Select Azure-Services Template for Configuration

Step 1: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

Step 2: Navigate to Templates > Device.

Step 3: In the Template list, select Azure-Services.

3.5 Configure Device Parameters

Performing this procedure ensures that DNS and NTP are configured consistently across all devices.

Step 1: In Templates > Device > Setup > Services > Global > Services, click the Edit cog.

Step 2: In the Primary DNS Server box, enter 168.63.129.16.

Step 3: On the NTP tab, in the Primary NTP Server section, in the NTP Server Address box, enter 0.pool.ntp.org.

Step 4: In the Secondary NTP Server section, in the NTP Server Address box, enter 1.pool.ntp.org, and then click OK.

3.6 Configure Logging-Service Template

Step 1: Navigate to Templates > Device.

Step 2: In the Template list, select Logging-Service.

Step 3: In Templates > Device > Setup > Management > Logging Service, click the Edit cog.

Step 4: Select Enable Logging Service.

Step 5: Select Enable Enhanced Application Logging.

Step 6: In the Region list, select americas, and then click OK.

Step 7: In Templates > Device > Log Settings > System, click Add. The Log Settings—System configuration window appears.

Step 8: In the Name box, enter System Logs.

Step 9: Select Panorama/Logging Service, and then click OK.

Step 10: In Templates > Device > Log Settings > Configuration, click Add. The Log Settings—Configuration window appears.

Step 11: In the Name box, enter Configuration Logs.

Step 12: Select Panorama/Logging Service, and then click OK.

Step 13: On the Commit menu, click Commit to Panorama.

Managing VM-Series with Panorama

4.1 Add VM-Series to Panorama

4.2 Add VM-Series to Template Stack and Device Group

4.3 Refresh License to Enable Logging Service

Procedures

4.1 Add VM-Series to Panorama

This procedure is required for each new VM-Series device that is added to Azure.

Step 1: Log in to your VM-Series device (example: https://ara-vmfw1.westus.cloudapp.azure.com).

Step 2: In Dashboard > General Information, record the Serial #.

Step 3: In Device > Setup > Management > Panorama Settings, click the edit cog.

Step 4: In the Panorama Servers section, in the top box, enter 192.168.1.4.

Step 5: If you are using Panorama High Availability, in the bottom box, enter 192.168.1.5, and then click OK.

Step 6: Click Commit.

Step 7: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

Step 8: In Panorama > Managed Devices > Summary, click Add.

Step 9: In the Devices box, enter the serial number from Step 2, and then click OK.

Step 10: On the Commit menu, click Commit to Panorama.

Step 11: In Panorama > Managed Devices > Summary, verify that the device state of the VM-Series is Connected. It may take a few minutes for the state to change.
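As an added example, not part of the guide: a Python check that reconciles the serial numbers you recorded in Step 2 against Panorama's managed-device list, flagging firewalls that are registered but not yet connected, serials never added, hostname mismatches, and any serial nobody on the team registered. The shape of the 'show devices all' XML, the serial numbers and the ARA-VMFW2 hostname are constructed assumptions; confirm the schema against your Panorama version.

```python
# Added example (not from the Palo Alto Networks guide): reconcile Panorama's
# managed-device list against the serials recorded from each VM-Series.
# Assumption: the XML follows the constructed sample below (entry name = serial,
# <hostname>, <connected>yes|no</connected>); confirm it against your version.
import xml.etree.ElementTree as ET

# Constructed sample of a 'show devices all' response: two expected firewalls,
# one not yet connected, plus one serial that nobody registered.
SAMPLE_SHOW_DEVICES_ALL = """<response status="success"><result><devices>
  <entry name="007200001111"><serial>007200001111</serial>
    <hostname>ARA-VMFW1</hostname><connected>yes</connected></entry>
  <entry name="007200002222"><serial>007200002222</serial>
    <hostname>ARA-VMFW2</hostname><connected>no</connected></entry>
  <entry name="007200009999"><serial>007200009999</serial>
    <hostname>unknown-fw</hostname><connected>yes</connected></entry>
</devices></result></response>"""

# Expected inventory (constructed): serial -> hostname from Dashboard > General Information.
EXPECTED = {"007200001111": "ARA-VMFW1", "007200002222": "ARA-VMFW2"}


def parse_devices(xml_text):
    """Return {serial: (hostname, connected)} from a show-devices-all response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("Panorama API call did not succeed")
    devices = {}
    for entry in root.iterfind("./result/devices/entry"):
        hostname = entry.findtext("hostname", default="")
        connected = entry.findtext("connected", default="no") == "yes"
        devices[entry.get("name")] = (hostname, connected)
    return devices


def reconcile(xml_text, expected):
    """Classify serials as connected, pending (registered, not yet connected),
    missing (never added to Panorama), hostname mismatch, or unexpected."""
    seen = parse_devices(xml_text)
    report = {"connected": [], "pending": [], "missing": [], "mismatch": [],
              "unexpected": sorted(set(seen) - set(expected))}
    for serial, hostname in expected.items():
        if serial not in seen:
            report["missing"].append(serial)
            continue
        seen_host, connected = seen[serial]
        if seen_host != hostname:
            report["mismatch"].append(serial)
        report["connected" if connected else "pending"].append(serial)
    return report
```

Any serial in "unexpected" is a device that can receive your pushed policy without having been through this procedure, so it deserves the same scrutiny as an unknown host on the network.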

4.2 Add VM-Series to Template Stack and Device Group

In this procedure, you add devices to the template stack and device groups. The template stack is created and configured when you add the first VM-Series device only.

Step 1: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

Option 1: Template stack does not already exist

This option creates a template stack.

Step 1: In Panorama > Templates, click Add Stack.

Step 2: In the Name box, enter Azure Services and Logging.

Step 3: In the Templates pane, click Add. Enter Azure-Services.

Step 4: In the Templates pane, click Add. Enter Logging-Service.

Option 2: Template stack has already been created

This option modifies the existing template stack.

Step 1: In Panorama > Templates, click Azure Services and Logging.

Proceed with configuring the template stack.

Step 2: In the Devices pane, select ARA-VMFW1 to assign it to the template stack, and then click OK.

Step 3: On the Commit menu, click Commit and Push.

The local configuration on each VM-Series should now reflect the template-based configuration that was created on Panorama. This includes interfaces, zones, virtual routers, management profiles, and Logging Service.

Step 4: In Panorama > Device Groups, click Azure Policies and Objects.

Step 5: In the Devices pane, select ARA-VMFW1 to assign it to the device group, and then click OK.

Step 6: On the Commit menu, click Commit and Push.

4.3 Refresh License to Enable Logging Service

Step 1: Log in to Panorama (example: https://ara-panorama-1.westus.cloudapp.azure.com).

Step 2: In Panorama > Device Deployment > Licenses, click Refresh. The Refresh License Deployment window appears.

Step 3: In the Device Name column, select the VM-Series, and then click Refresh.

Step 4: Verify the details include Successfully installed license ‘Logging Service,’ and then click Close.

Step 5: Log in to ARA-VMFW1 (example: https://ara-vmfw1.westus.cloudapp.azure.com).

View the system log on the local device to verify that the Logging Service certificate has been successfully retrieved.

Step 6: In Monitor > Logs > System, search with the filter (description contains “Logging service”).

At this point, you are ready to add new Policies and Objects to your firewalls, using the Device Groups tabs in Panorama, and configure more Network and Device settings using the Templates tabs.

What’s New in This Release

Palo Alto Networks made the following changes since the last version of this guide:

• This is a new document in which we describe the deployment of Panorama in the Azure public cloud in a stand-alone guide.

Headquarters

Palo Alto Networks 3000 Tannery Way Santa Clara, CA 95054, USA www.paloaltonetworks.com

© 2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Phone: +1 (408) 753-4000 Sales: +1 (866) 320-4788 Fax: +1 (408) 753-4001 [email protected]

You can use the feedback form to send comments about this guide.

B-000183P-19A-1 02/19