How to deploy NG Firewall in Microsoft Azure

Overview

NG Firewall supports deployment via Microsoft Azure. NG Firewall for Microsoft Azure is a 64-bit Linux based virtual machine that is launched and managed from the Microsoft Azure Portal. This deployment option is useful for example in decentralized network environments that need to route through a remote gateway to enforce policy management, reporting, content filtering, and other types of network security.

Before you begin

You need a valid Microsoft Azure account before you can deploy NG Firewall in Azure. If you do not have an Azure account you can register here.

Getting Started

Step 1: Select an instance type

Before launching NG Firewall for Microsoft Azure, it is necessary to determine the type of licensing model and infrastructure that is appropriate for your intended usage.

Licensing

NG Firewall for Microsoft Azure is available as either a Pay-As-You-Go (PAYG) subscription or Bring-Your-Own-License (BYOL). The PAYG option combines the cost of software licensing and infrastructure into one monthly bill. The BYOL option enables you to deploy an unlicensed version of NG Firewall for Microsoft Azure.

Infrastructure

Both licensing options require the selection of Microsoft Azure infrastructure in the form of an instance type. Microsoft Azure instances are available in different sizes to accommodate the performance requirements of your deployment. The sizing table below outlines recommended instance types and their designed usage.

Sizing table

Instance Type	Specifications	Recommended max devices	Recommended storage
D1V2	1 vCPU core 3.5 GB memory	Up to 50 devices	64 GiB Standard SSD
D2V3	2 vCPU cores 8 GB memory	Up to 150 devices	128 GiB Standard SSD
D4V3	4 vCPU cores 16 GB memory	Up to 500 devices	256 GiB Standard SSD
D8V3	8 vCPU cores 32 GB memory	Up to 3000 devices	512 GiB Standard SSD

If you have different infrastructure requirements, you can select from an extended list of instance types. All instance sizes and their associated costs are available through the NG Firewall marketplace listing. For pricing of storage refer to managed disk pricing. 

Step 2: Prepare your networking environment

Before you deploy NG Firewall to your Microsoft Azure environment, you must prepare the virtual networking components. The following instructions describe how to add these components to an example Resource Group called my-resourcegroup.

Create a Virtual Network

A Virtual Network resource enables your virtual machines to communicate with each other and the Internet. When creating a virtual network you must define an Address space and at least one Subnet.

To create a virtual network:

1. In the Azure Management Portal, click Create a resource.
2. Click Networking.
3. Click Virtual network.

   

4. Configure the virtual network settings to your preference. See the table below for values and descriptions.

   Setting	Example value	Description
   Virtual network name	my-vnet	The name of your virtual network (e.g. my-vnet).
   Address space	10.2.0.0/16	The IP address range for your virtual network in CIDR notation.
   Subscription	Pay-As-You-Go	A subscription associated with your Microsoft Azure account.
   Resource group	my-resourcegroup	The resource group to contain your resources.
   Location	Central US	The geographic location that contains this resource.
   Subnet Name	WAN	The name of your primary, Internet facing subnet.
   Address range	10.2.0.0/24	The address range of your primary subnet in CIDR notation.
   DDoS protection	Basic	Optional premium paid service to mitigate the impact of DDoS attacks.
   Service endpoints	Disabled	Provides a direct connection to Microsoft Azure services. Learn more.
   Firewall	Disabled	Creates a Microsoft Azure virtual firewall. This option must be disabled to avoid a conflict with NG Firewall.

5. Click Create. 
    

Step 3: Deploy NG Firewall

Launch the instance

1. Navigate to the NG Firewall listing in the Microsoft Azure Marketplace.
2. Review the plans and pricing and take note of your selection.
3. Click Get it now.
4. Select either the PAYG or BYOL software plan and click Continue.
5. Click Create.

Configure the instance

Once you begin the process of creating the instance, you must define its parameters. The Basics and Networking steps require attention. The sections below describe the necessary configuration for these steps. All other steps should be reviewed but do not require modification of the default values.

Basics

Setting	Example value	Description
Subscription	Pay-As-You-Go	The subscription option. Choose either PAYG or BYOL.
Resource group	my-resourcegroup	The name of the resource group that this image belongs to. This must be the same resource group as your virtual network.
Virtual machine name	NGFW	The name of this virtual machine.
Region	Central US	The geographic location of this resource. This must be the same region / location as your virtual network.
Availability options	No infrastructure redundancy required	Select if you require redundancy (optional).
Image	Untangle NG Firewall PAYG	The image must match the Subscription type (PAYG or BYOL).
Size	Standard F1	Click Change size to select the image size that suits your needs. Refer to the sizing table for guidance.
Authentication type	Password	Choose whether to authenticate via a Certificate or a username and password.
Public inbound ports	None	Choose None. This setting is managed a subsequent step.
Select inbound ports	-	This option is disabled when None is set for the public inbound ports.

Networking

Setting	Example value	Description
Virtual network	my-vnet	Select the virtual network you created in step 2.
Subnet	WAN (10.2.0.0/24)	Select the primary WAN subnet you created in step 2.
Public IP	(new) NGFWip350	Allow Microsoft Azure to designate a new public IP address. This is the default option.
NIC network security group	None	Set the NIC network security group to none. NG Firewall uses its own set of inbound firewall rules.
Accelerated networking	Off	This option is not available.
Load Balancing	No	Select whether to use load balancing. Note this option may incur additional costs.

Review + create

Proceed to the Review + create step. Review your configuration including the pricing and terms. If everything is correct, click Create.

Note: It may take several minutes to create your new instance. Wait until the process is complete before proceeding to the next step.

Expand your OS disk size

NG Firewall deploys with a 3 GiB Operating System volume. It is necessary to increase this disk size to suit your needs. The minimum suggested disk size is 32 GiB. Refer to the managed disk pricing for associated costs.

To increase the disk size:

1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
2. Click Stop to deallocate your virtual machine.
3. Click Disks to access the OS disk for your instance. 
4. Click the OS disk item.
5. Click Configuration to access its settings.
6. Enter the size you want to use. Refer to the sizing guide for recommended sizes based on the number of devices. 
7. Click Save. 
8. Return to the Overview screen of your virtual appliance and click Start.

Note: After increasing the disk size, the virtual machine may take a while to boot. During this time the operating system expands the partition into the available space. Depending on the size of the disk, this operation may take up to an hour or more.

Assign a hostname to the instance

In order to use services such as VPN, your instance must have a fully qualified hostname. The easiest way to create a hostname is to use a DNS name label through the Microsoft Azure DNS service.

To create a DNS name label:

1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
2. Click Networking.
3. Click your NIC Public IP (e.g. NGFWip350).
4. Click Configuration to access the IP and DNS configuration for your public IP address.
5. Enter a DNS name label and click Save.

NOTE: You can also use a fully qualified hostname based on your own domain. For this type of configuration, consider choosing the static IP address assignment option and pointing your hostname to the static IP address. Alternatively, you can set up dynamic DNS.

Add an internal network

You can protect other Azure instances by adding a subnet and an internal network interface to your NG Firewall instance. This use case involves multiple steps. Refer to Configuring NG Firewall to protect instances in Microsoft Azure for detailed guidance. 

Step 4. Connect to your instance

After the deployment is complete and you have assigned a hostname, you can connect to your NG Firewall instance.

1. In the Overview page of your virtual machine, locate and copy the DNS name.
2. In a web browser go to the DNS name using HTTPS.
3. Proceed through the security certificate warning to access the NG Firewall login page.
4. Enter the instance name as the password and click Login.

NOTE: The default password is the name you assigned to the instance. For example NGFW.

Step 5. Configure NG Firewall for Microsoft Azure

After you log in to your NG Firewall for the first time, select the language and proceed with the initial configuration provided by the Setup Wizard.

Setup wizard

1. On the first step of the wizard, configure a new administrative password, notification email address, install type, and timezone. Click Network Cards to proceed.
2. On the Identify Network Cards step, choose Continue anyway. Click Internet Connection to proceed.
3. On the Configure the Internet Connection step, confirm the Auto (DHCP) selection for the Configuration type and review the Status. Click Auto Upgrades to proceed.
4. On the Automatic Upgrades and Command Center Access step, review the selections and Click Finish.
5. Continue to the product registration and account activation screen and log in with your ETM Dashboard account or create a new one.

Internet Hostname

Components such as location services, notifications, and VPN profiles require knowledge of the Internet routable IP address that associates to the external interface of your instance. In Microsoft Azure, instances use privately routable IP addresses and do not attach directly to the Internet. Therefore you must configure NG Firewall with the hostname you designated to your instance.

To configure your NG Firewall hostname:

1. Navigate to Config > Network in the NG Firewall web administration.
2. In the Hostname field, set the unqualified part of your hostname (e.g. my-ngfw).
3. In the Domain Name field, set the qualified part of your Public DNS (e.g. centralus.cloudapp.azure.com).

NOTE: If you set up a hostname using your own domain name, enter it here.

4. Select Use Hostname.

VPN Server

After you complete the setup wizard and define a hostname, you can begin the VPN configuration of NG Firewall for Microsoft Azure. The VPN server enables remote hosts and networks to create a secure tunnel that routes traffic through the NG Firewall to access the Internet.

You can configure IPsec VPN and OpenVPN. NG Firewall supports both VPN types.

To set up IPsec VPN:

1. In the IPsec VPN app, toggle the power to make sure it is enabled.
2. Go to the VPN Config tab and enable the L2TP / Xauth server. This enables remote devices to connect to your server via IPsec with Xauth and IKEv2.

For configuring VPN tunnels to other servers see https://wiki.untangle.com/index.php/IPsec_VPN#IPsec_Tunnels

To set up the VPN server using OpenVPN:

1. From the NG Firewall web administration navigate to Apps > OpenVPN.
2. In the Status tab, toggle OpenVPN is enabled.
3. In the Server tab, check Server Enabled.
4. In the Server tab > Remote Clients tab, click Add to create a new profile.
5. Assign the parameter of the profile. See OpenVPN for additional information.

Next steps

Once you have set up the basic configuration, you can proceed to configure other apps to control bandwidth, filter content, block malware, detect intrusions, and so on. The following links provide additional information.

• Tunnel VPN
• Firewall
• Application Control
• Web Filter
• Reports
• Policy Manager
• Intrusion Prevention
• Bandwidth Control

Follow