Palo Alto VM-Series Interface Mapping in Microsoft Azure
| Azure NIC order | PAN-OS name (CLI / GUI) | Typical purpose | Notes |
|---|---|---|---|
| NIC0 | Management – eth0 / mgmt | Out-of-band management (HTTPS, SSH, Panorama, HA1 if you want) | Lives in its own management subnet; the marketplace template always assigns a private IP and (optionally) a public IP. |
| NIC1 | Dataplane – ethernet1/1 | Untrust / Internet-facing | First dataplane port; the template wires it to an untrust subnet and can attach a public IP. |
| NIC2 | Dataplane – ethernet1/2 | Trust / internal side | Second dataplane port; the template puts it in a trust subnet. |
| NIC3, NIC4 … | ethernet1/3, ethernet1/4, … | Extra zones (DMZ, HA2, etc.) | Added in ascending order. For HA you normally use ethernet1/3 as HA2. |
Key facts to remember
The marketplace template deploys three NICs by default (mgmt, untrust, trust).
For HA you attach a fourth NIC (which becomes ethernet1/3) while the VM is powered off.
Azure numbers NICs sequentially (0, 1, 2 …) and PAN-OS picks them up in that exact order. Adding a new NIC later: stop the VM → attach NIC → start the VM.
Each NIC must be in its own subnet. Azure won’t allow two NICs from the same VM in the same subnet; plan separate management, untrust, trust, dmz (or ha) subnets.
Management-interface swap is optional. If you need the first dataplane port to act as management (e.g., behind a Gateway Load Balancer), enable the swap feature (see below).
VM size limits NIC count. Common sizes (D-series, F-series) allow up to 4 NICs; certain families (e.g., Dsv5) allow up to 8. Plan for DMZ and HA links accordingly.
Management-interface swap (optional)
```
set system setting mgmt-interface-swap enable yes
request restart system
```
Checking the mapping from the CLI
```
show interface all
show interface management
```
The MAC addresses shown match the NIC blades in the Azure portal.
Quick configuration workflow
Deploy the marketplace solution (or ARM/Bicep/Terraform) and point the three default NICs at your management, untrust, and trust subnets.
Power off the VM → add extra NIC(s) for HA2 or DMZ → power on the VM.
In PAN-OS → Network → Interfaces, set:
ethernet1/1 → untrust zone (public IP optional)
ethernet1/2 → trust zone
ethernet1/3 (if present) → HA2 or DMZ as needed
Create UDRs (user-defined routes) in every spoke subnet so the next hop is the private IP of the relevant firewall interface instead of Azure’s default system route.
Commit and verify with a ping or security-policy test.
Once you remember the mapping NIC0 → mgmt, NIC1 → ethernet1/1, NIC2 → ethernet1/2, everything else falls neatly into place.
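The mapping, the key facts and the MAC check above can be verified together before a change window. The following Python script is an added example, not part of the original guide or of any Palo Alto or Azure tooling; it assumes the management-interface swap is not enabled, and the NIC names, subnets, MAC addresses and `max_nics` value are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample: NICs in Azure attachment order (NIC0 first). All values are made up.
AZURE_NICS = [
    {"name": "fw-nic0", "subnet": "mgmt",    "mac": "00-0D-3A-AA-00-01"},
    {"name": "fw-nic1", "subnet": "untrust", "mac": "00-0D-3A-AA-00-02"},
    {"name": "fw-nic2", "subnet": "trust",   "mac": "00-0D-3A-AA-00-03"},
    {"name": "fw-nic3", "subnet": "trust",   "mac": "00-0D-3A-AA-00-04"},
]
# Constructed MACs as an operator would copy them from `show interface all` and
# `show interface management`; the ethernet1/3 value is deliberately wrong.
PANOS_MACS = {
    "mgmt": "00:0d:3a:aa:00:01",
    "ethernet1/1": "00:0d:3a:aa:00:02",
    "ethernet1/2": "00:0d:3a:aa:00:03",
    "ethernet1/3": "00:0d:3a:aa:00:ff",
}

def panos_name(index):
    """NIC0 -> mgmt, NIC1 -> ethernet1/1, NIC2 -> ethernet1/2, ... (no swap)."""
    return "mgmt" if index == 0 else f"ethernet1/{index}"

def norm_mac(mac):
    """Strip separators and case so Azure and PAN-OS notations compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def audit(nics, panos_macs, max_nics):
    """Return (mapping, findings) for a NIC list given in Azure order."""
    mapping = {panos_name(i): nic["name"] for i, nic in enumerate(nics)}
    findings = []
    if len(nics) > max_nics:
        findings.append(f"{len(nics)} NICs exceed the VM size limit of {max_nics}")
    for subnet, count in Counter(n["subnet"] for n in nics).items():
        if count > 1:  # the guide requires one subnet per NIC
            findings.append(f"subnet '{subnet}' is used by {count} NICs")
    for i, nic in enumerate(nics):
        seen = panos_macs.get(panos_name(i))
        if seen is None:
            findings.append(f"{panos_name(i)} not reported by PAN-OS")
        elif norm_mac(seen) != norm_mac(nic["mac"]):
            findings.append(f"{panos_name(i)} MAC does not match {nic['name']}")
    return mapping, findings

if __name__ == "__main__":
    mapping, findings = audit(AZURE_NICS, PANOS_MACS, max_nics=4)
    print(mapping)
    print("\n".join(findings))
```

A MAC mismatch on a dataplane port means zones and UDR next hops may be bound to a different subnet than intended, so resolve it before committing policy.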
Configuring Azure Interfaces for Palo Alto VM-Series Firewall
This guide explains how to configure Azure network interfaces for Palo Alto Networks VM-Series firewall using the Azure CLI and Palo Alto CLI.
1. Azure CLI: Configuring Network Interfaces
1.1. Create a Network Interface
To create a network interface in a specific resource group and attach it to a virtual network (VNet):
```bash
az network nic create \
  --resource-group <ResourceGroupName> \
  --name <NICName> \
  --vnet-name <VNetName> \
  --subnet <SubnetName>
```
