How to deploy NG Firewall in Microsoft Azure

Overview

NG Firewall supports deployment via Microsoft Azure. NG Firewall for Microsoft Azure is a 64-bit Linux-based virtual machine that is launched and managed from the Microsoft Azure Portal. This deployment option is useful, for example, in decentralized network environments that need to route through a remote gateway to enforce policy management, reporting, content filtering, and other types of network security.

Before you begin

You need a valid Microsoft Azure account before you can deploy NG Firewall in Azure. If you do not have an Azure account you can register here.

Getting Started

Step 1: Select an instance type

Before launching NG Firewall for Microsoft Azure, it is necessary to determine the type of licensing model and infrastructure that is appropriate for your intended usage.

Licensing

NG Firewall for Microsoft Azure is available as either a Pay-As-You-Go (PAYG) subscription or Bring-Your-Own-License (BYOL). The PAYG option combines the cost of software licensing and infrastructure into one monthly bill. The BYOL option enables you to deploy an unlicensed version of NG Firewall for Microsoft Azure.

Infrastructure

Both licensing options require the selection of Microsoft Azure infrastructure in the form of an instance type. Microsoft Azure instances are available in different sizes to accommodate the performance requirements of your deployment. The sizing table below outlines recommended instance types and their designed usage.

Sizing table

| Instance Type | Specifications | Recommended max devices | Recommended storage |
|---|---|---|---|
| D1V2 | 1 vCPU core, 3.5 GB memory | Up to 50 devices | 64 GiB Standard SSD |
| D2V3 | 2 vCPU cores, 8 GB memory | Up to 150 devices | 128 GiB Standard SSD |
| D4V3 | 4 vCPU cores, 16 GB memory | Up to 500 devices | 256 GiB Standard SSD |
| D8V3 | 8 vCPU cores, 32 GB memory | Up to 3000 devices | 512 GiB Standard SSD |

If you have different infrastructure requirements, you can select from an extended list of instance types. All instance sizes and their associated costs are available through the NG Firewall marketplace listing. For storage pricing, refer to managed disk pricing.

Step 2: Prepare your networking environment

Before you deploy NG Firewall to your Microsoft Azure environment, you must prepare the virtual networking components. The following instructions describe how to add these components to an example Resource Group called my-resourcegroup.

Create a Virtual Network

A Virtual Network resource enables your virtual machines to communicate with each other and the Internet. When creating a virtual network you must define an Address space and at least one Subnet.

To create a virtual network:

  1. In the Azure Management Portal, click Create a resource.
  2. Click Networking.
  3. Click Virtual network.

  4. Configure the virtual network settings to your preference. See the table below for values and descriptions.

    | Setting | Example value | Description |
    |---|---|---|
    | Virtual network name | my-vnet | The name of your virtual network (e.g. my-vnet). |
    | Address space | 10.2.0.0/16 | The IP address range for your virtual network in CIDR notation. |
    | Subscription | Pay-As-You-Go | A subscription associated with your Microsoft Azure account. |
    | Resource group | my-resourcegroup | The resource group to contain your resources. |
    | Location | Central US | The geographic location that contains this resource. |
    | Subnet Name | WAN | The name of your primary, Internet facing subnet. |
    | Address range | 10.2.0.0/24 | The address range of your primary subnet in CIDR notation. |
    | DDoS protection | Basic | Optional premium paid service to mitigate the impact of DDoS attacks. |
    | Service endpoints | Disabled | Provides a direct connection to Microsoft Azure services. |
    | Firewall | Disabled | Creates a Microsoft Azure virtual firewall. This option must be disabled to avoid a conflict with NG Firewall. |

  5. Click Create.

Step 3: Deploy NG Firewall

Launch the instance

  1. Navigate to the NG Firewall listing in the Microsoft Azure Marketplace.
  2. Review the plans and pricing and take note of your selection.
  3. Click Get it now.
  4. Select either the PAYG or BYOL software plan and click Continue.
  5. Click Create.

Configure the instance

Once you begin the process of creating the instance, you must define its parameters. The Basics and Networking steps require attention. The sections below describe the necessary configuration for these steps. All other steps should be reviewed but do not require modification of the default values.

Basics

| Setting | Example value | Description |
|---|---|---|
| Subscription | Pay-As-You-Go | The subscription option. Choose either PAYG or BYOL. |
| Resource group | my-resourcegroup | The name of the resource group that this image belongs to. This must be the same resource group as your virtual network. |
| Virtual machine name | NGFW | The name of this virtual machine. |
| Region | Central US | The geographic location of this resource. This must be the same region / location as your virtual network. |
| Availability options | No infrastructure redundancy required | Select if you require redundancy (optional). |
| Image | Untangle NG Firewall PAYG | The image must match the Subscription type (PAYG or BYOL). |
| Size | Standard F1 | Click Change size to select the image size that suits your needs. Refer to the sizing table for guidance. |
| Authentication type | Password | Choose whether to authenticate via a Certificate or a username and password. |
| Public inbound ports | None | Choose None. This setting is managed in a subsequent step. |
| Select inbound ports | - | This option is disabled when None is set for the public inbound ports. |

Networking

| Setting | Example value | Description |
|---|---|---|
| Virtual network | my-vnet | Select the virtual network you created in step 2. |
| Subnet | WAN (10.2.0.0/24) | Select the primary WAN subnet you created in step 2. |
| Public IP | (new) NGFWip350 | Allow Microsoft Azure to designate a new public IP address. This is the default option. |
| NIC network security group | None | Set the NIC network security group to none. NG Firewall uses its own set of inbound firewall rules. |
| Accelerated networking | Off | This option is not available. |
| Load Balancing | No | Select whether to use load balancing. Note this option may incur additional costs. |

Review + create

Proceed to the Review + create step. Review your configuration including the pricing and terms. If everything is correct, click Create.

Note: It may take several minutes to create your new instance. Wait until the process is complete before proceeding to the next step.

Expand your OS disk size

NG Firewall deploys with a 3 GiB Operating System volume. It is necessary to increase this disk size to suit your needs. The minimum suggested disk size is 32 GiB. Refer to the managed disk pricing for associated costs.

To increase the disk size:

  1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
  2. Click Stop to deallocate your virtual machine.
  3. Click Disks to access the OS disk for your instance.
  4. Click the OS disk item.
  5. Click Configuration to access its settings.
  6. Enter the size you want to use. Refer to the sizing guide for recommended sizes based on the number of devices.
  7. Click Save.
  8. Return to the Overview screen of your virtual appliance and click Start.

Note: After increasing the disk size, the virtual machine may take a while to boot. During this time the operating system expands the partition into the available space. Depending on the size of the disk, this operation may take up to an hour or more.
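
The same stop, resize, start sequence can be scripted with the Azure CLI. This is an added example, not part of the original article or the vendor's tooling; it assumes the Azure CLI (az) is installed and signed in, uses the article's example names my-resourcegroup and NGFW, and the names resize_os_disk, run and DRY_RUN are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: CLI form of the "Expand your OS disk size" steps.
# resize_os_disk, run and DRY_RUN are hypothetical names, not part of NG Firewall or Azure.

MIN_GIB=32   # minimum suggested OS disk size stated in the article

# Print the command in dry-run mode (the default); execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# usage: resize_os_disk <resource-group> <vm-name> <new-GiB> [current-GiB]
resize_os_disk() {
  rg=$1; vm=$2; new_gib=$3; cur_gib=${4:-3}   # image ships with a 3 GiB OS volume

  # Reject anything that is not a whole number before it reaches the CLI.
  case $new_gib in
    ''|*[!0-9]*) echo "size must be a whole number of GiB" >&2; return 2 ;;
  esac
  if [ "$new_gib" -lt "$MIN_GIB" ]; then
    echo "size is below the $MIN_GIB GiB minimum" >&2; return 2
  fi
  # Managed disks can only grow, so the new size must exceed the current one.
  if [ "$new_gib" -le "$cur_gib" ]; then
    echo "new size must be larger than the current $cur_gib GiB" >&2; return 2
  fi

  if [ "${DRY_RUN:-1}" = 1 ]; then
    disk="<os-disk-name>"   # placeholder; resolved from the VM on a real run
  else
    disk=$(az vm show --resource-group "$rg" --name "$vm" \
             --query storageProfile.osDisk.name --output tsv) || return 1
  fi

  run az vm deallocate --resource-group "$rg" --name "$vm" &&   # portal: Stop
  run az disk update --resource-group "$rg" --name "$disk" --size-gb "$new_gib" &&
  run az vm start --resource-group "$rg" --name "$vm"           # portal: Start
}

# Dry run with the article's example names: prints the three az commands.
resize_os_disk my-resourcegroup NGFW 128
```

Set DRY_RUN=0 to execute the commands instead of printing them.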

Assign a hostname to the instance

In order to use services such as VPN, your instance must have a fully qualified hostname. The easiest way to create a hostname is to use a DNS name label through the Microsoft Azure DNS service.

To create a DNS name label:

  1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
  2. Click Networking.
  3. Click your NIC Public IP (e.g. NGFWip350).
  4. Click Configuration to access the IP and DNS configuration for your public IP address.
  5. Enter a DNS name label and click Save.

NOTE: You can also use a fully qualified hostname based on your own domain. For this type of configuration, consider choosing the static IP address assignment option and pointing your hostname to the static IP address. Alternatively, you can set up dynamic DNS.

Add an internal network

You can protect other Azure instances by adding a subnet and an internal network interface to your NG Firewall instance. This use case involves multiple steps. Refer to Configuring NG Firewall to protect instances in Microsoft Azure for detailed guidance. 

Step 4. Connect to your instance

After the deployment is complete and you have assigned a hostname, you can connect to your NG Firewall instance.

  1. In the Overview page of your virtual machine, locate and copy the DNS name.
  2. In a web browser go to the DNS name using HTTPS.
  3. Proceed through the security certificate warning to access the NG Firewall login page.
  4. Enter the instance name as the password and click Login.

NOTE: The default password is the name you assigned to the instance. For example NGFW.

Step 5. Configure NG Firewall for Microsoft Azure

After you log in to your NG Firewall for the first time, select the language and proceed with the initial configuration provided by the Setup Wizard.

Setup wizard

  1. On the first step of the wizard, configure a new administrative password, notification email address, install type, and timezone. Click Network Cards to proceed.
  2. On the Identify Network Cards step, choose Continue anyway. Click Internet Connection to proceed.
  3. On the Configure the Internet Connection step, confirm the Auto (DHCP) selection for the Configuration type and review the Status. Click Auto Upgrades to proceed.
  4. On the Automatic Upgrades and Command Center Access step, review the selections and click Finish.
  5. Continue to the product registration and account activation screen and log in with your ETM Dashboard account or create a new one.

Internet Hostname

Components such as location services, notifications, and VPN profiles require knowledge of the Internet routable IP address that associates to the external interface of your instance. In Microsoft Azure, instances use privately routable IP addresses and do not attach directly to the Internet. Therefore you must configure NG Firewall with the hostname you designated to your instance.

To configure your NG Firewall hostname:

  1. Navigate to Config > Network in the NG Firewall web administration.
  2. In the Hostname field, set the unqualified part of your hostname (e.g. my-ngfw).
  3. In the Domain Name field, set the qualified part of your Public DNS (e.g. centralus.cloudapp.azure.com).

NOTE: If you set up a hostname using your own domain name, enter it here.

  4. Select Use Hostname.

VPN Server

After you complete the setup wizard and define a hostname, you can begin the VPN configuration of NG Firewall for Microsoft Azure. The VPN server enables remote hosts and networks to create a secure tunnel that routes traffic through the NG Firewall to access the Internet.

You can configure IPsec VPN and OpenVPN. NG Firewall supports both VPN types.

To set up IPsec VPN:

  1. In the IPsec VPN app, toggle the power to make sure it is enabled.
  2. Go to the VPN Config tab and enable the L2TP / Xauth server. This enables remote devices to connect to your server via IPsec with Xauth and IKEv2.

For configuring VPN tunnels to other servers see https://wiki.untangle.com/index.php/IPsec_VPN#IPsec_Tunnels

To set up the VPN server using OpenVPN:

  1. From the NG Firewall web administration navigate to Apps > OpenVPN.
  2. In the Status tab, toggle OpenVPN is enabled.
  3. In the Server tab, check Server Enabled.
  4. In the Server tab > Remote Clients tab, click Add to create a new profile.
  5. Assign the parameters of the profile. See OpenVPN for additional information.

Next steps

Once you have set up the basic configuration, you can proceed to configure other apps to control bandwidth, filter content, block malware, detect intrusions, and so on. The following links provide additional information.


Comments

  • Stevenrpearson

    It seems that it may be necessary to resize the OS disk to something larger than the default after the initial deployment, otherwise you end up with only 3 GB of total disk space of which only around 900 MB are available (maybe less depending on installed apps). It seems this is the case regardless of which vm "size" option is selected, however in my case I've selected an Azure D4v3 deployment.

  • Brian Carmichael

    Thanks Steven, yes you're right. I'll see if we can adjust the deployment to use the corresponding disk size for the instance type. I tested the process to modify the size of the disk in the configuration and NGFW did expand the partition to fit the disk size. I will add this information to the article.
