Secure Application Workloads with VM-Series Firewalls on Oracle Cloud Infrastructure

Strata by Palo Alto Networks | Secure Application Workloads with VM-Series Firewalls on Oracle Cloud Infrastructure | White Paper
Overview
Securely move or extend Oracle E-Business Suite or PeopleSoft® application workloads to the cloud using Palo Alto Networks VM-Series Virtual Next-Generation Firewalls (NGFWs). VM-Series NGFWs secure multi-cloud environments by providing full visibility and control over traffic to and from custom applications, consistent cross-cloud firewall management and policy enforcement, exfiltration and threat prevention powered by machine learning (ML), and automated deployment and provisioning capabilities to keep up with even the most dynamic environments.
Security in the cloud is based on a shared responsibility model. In this model, Oracle is responsible for the security of the underlying infrastructure, such as data center facilities as well as the hardware and software that manage cloud operations and services. Customers, meanwhile, are responsible for securing their workloads and configuring their services and applications securely to meet their compliance obligations.
VM-Series firewalls provide consistent threat prevention and inline network security across cloud environments, helping network
security teams regain visibility and control over traffic in their cloud networks. The key features of the VM-Series include Layer 7
firewall functionality, cloud-delivered security subscriptions, and consolidated security management.

[Figure 1 diagram: the VM-Series Layer 7 stateful firewall with its Advanced Security Services: Threat Prevention (TP), URL Filtering (UF), WildFire malware prevention (WF), DNS Security (DNS), GlobalProtect (GP), and Panorama consolidated security management (PN).]

Figure 1: Security services on VM-Series NGFWs

Architecture
This reference architecture illustrates how organizations can protect Oracle applications, like Oracle E-Business Suite and PeopleSoft, deployed in Oracle Cloud Infrastructure (OCI) using VM-Series NGFWs.
To protect these traffic flows, Palo Alto Networks recommends segmenting the network using a hub-and-spoke topology, in which a central hub is connected to multiple distinct networks (spokes) and all traffic is routed through the hub. Traffic between spokes, traffic to and from the internet, traffic to and from on-premises infrastructure, and traffic to the Oracle Services Network all pass through the hub, where the VM-Series NGFW's multilayered threat prevention technologies provide inspection.
Deploy each tier of your application in its own virtual cloud network (VCN), which acts as a spoke. The hub VCN contains a VM-Series NGFW high availability cluster, an Oracle internet gateway, a dynamic routing gateway (DRG), an Oracle Service Gateway, and local peering gateways (LPGs).
The hub VCN connects to the spoke VCNs through LPGs or by attaching secondary virtual network interface cards (VNICs) to the VM-Series NGFW. Route table rules in each spoke send all spoke traffic through the LPGs to the hub for inspection by the VM-Series NGFW high availability cluster.
You can configure and manage the VM-Series NGFW locally, or you can manage it centrally using Panorama™ network security management. Panorama helps reduce complexity and administrative overhead in managing configuration, policies, software, and dynamic content updates. Using templates and device groups on Panorama, you can manage firewall-specific network and device configuration centrally while enforcing shared policies across all firewalls or device groups. Figure 2 illustrates this reference architecture.

[Figure 2 diagram: within one OCI region, a hub VCN holds two VM-Series firewalls, one in Availability Domain 1 and one in Availability Domain 2, each with four VNICs: vNIC0 in the Management Subnet, vNIC1 in the Untrust Subnet, vNIC2 in the Trust Subnet, and vNIC3 in the HA Subnet. The hub VCN also contains an Internet Gateway, a DRG reached from the customer data center over FastConnect or VPN, a Service Gateway to the Oracle Services Network (Object Storage), and an LPG Hub with routes to the WebApp spoke LPG and to the Database spoke LPG. The WebApp Tier spoke VCN contains a Load Balancer and Web/Application virtual machines in the WebApp Tier subnet; the Database Tier spoke VCN contains primary and standby Database Systems in the Database Tier subnet. Each spoke's route table sends 0.0.0.0/0 to its LPG.]

Figure 2: VM-Series NGFW on Oracle Cloud Infrastructure

North-South Inbound Traffic


Figure 3 illustrates how north-south inbound traffic from the internet and from remote data centers reaches the web application tier. This configuration requires that destination network address translation (NAT) and security policy rules permitting the inbound traffic are configured on the VM-Series NGFW.

[Figure 3 diagram: a packet for DST=10.0.0.10 arrives on the Untrust interface (vNIC1) via the firewall's public IP through the Internet Gateway, or from the customer data center through the DRG; the VM-Series firewall forwards it out of vNIC2 to the Trust Subnet default gateway, the Trust Route Table sends it to LPG Hub, and the peered connection delivers it to the spoke subnet 10.0.0.0/24, where the Load Balancer fronts the Web/Application virtual machines. Hub VCN: 192.168.0.0/16. Route tables shown:
FrontEnd Route Table (Untrust Subnet): 0.0.0.0/0 -> Internet Gateway; 172.16.0.0/12 -> DRG
VM-Series routes: 0.0.0.0/0 -> Untrust Subnet Default Gateway; 10.0.0.0/16 -> Trust Subnet Default Gateway
DRG Route Table: 10.0.0.0/16 -> Secondary IP vNIC2
Trust Route Table: 10.0.0.0/24 -> LPG Hub
Spoke Route Table: 0.0.0.0/0 -> LPG Spoke]

Figure 3: North-south inbound traffic flow

North-South Outbound Traffic
Figure 4 illustrates how outgoing connections from the web application and database tiers reach the internet for software updates and access to external web services. This configuration requires that source NAT is configured in your VM-Series firewall policy for the relevant networks.

[Figure 4 diagram: traffic from the Web/Application virtual machines in the spoke subnet 10.0.0.0/24 leaves through the spoke LPG and the peered connection to LPG Hub, reaches the VM-Series firewall trust interface (vNIC2), exits the untrust interface (vNIC1) and goes through the Internet Gateway to the Internet, or through the DRG to the customer data center. Hub VCN: 192.168.0.0/16. Route tables shown:
Spoke Route Table: 0.0.0.0/0 -> LPG Spoke
LPG Route Table (LPG Hub): 0.0.0.0/0 -> Secondary IP vNIC2
VM-Series routes: 0.0.0.0/0 -> Untrust Subnet Default Gateway
FrontEnd Route Table (Untrust Subnet): 0.0.0.0/0 -> Internet Gateway; 172.16.0.0/12 -> DRG]

Figure 4: North-south outbound traffic flow

East-West Traffic: Web to Database


Figure 5 illustrates how traffic moves from the web application to the database tier.

[Figure 5 diagram: a packet for DST = 10.0.1.10 leaves the Web/Application virtual machine in the WebApp Tier subnet 10.0.0.0/24, goes through the WebApp spoke LPG and the peered connection to LPG Hub, reaches the VM-Series firewall trust interface (vNIC2), returns to the Trust Subnet, and goes through LPG Hub and the peered connection to the Database spoke LPG and on to the primary Database System in the Database Tier subnet 10.0.1.0/24. Hub VCN: 192.168.0.0/16. Route tables shown:
WebApp Spoke Route Table: 0.0.0.0/0 -> LPG WebApp Spoke
LPG Hub Route Table: 0.0.0.0/0 -> Secondary IP vNIC2
VM-Series routes: 10.0.0.0/16 -> Trust Subnet Default Gateway; 0.0.0.0/0 -> Untrust Subnet Default Gateway
Trust Route Table: 10.0.0.0/16 -> LPG Hub
Database Spoke Route Table: 0.0.0.0/0 -> LPG Database Spoke]

Figure 5: East-west traffic flow (web to database)

East-West Traffic: Database to Web
Figure 6 illustrates how traffic moves from the database tier to the web application.

[Figure 6 diagram: a packet for DST=10.0.0.10 leaves the Database System in the Database Tier subnet 10.0.1.0/24, goes through the Database spoke LPG and the peered connection to LPG Hub, reaches the VM-Series firewall trust interface (vNIC2), returns to the Trust Subnet, and goes through LPG Hub and the peered connection to the WebApp spoke LPG and on to the Web/Application virtual machine 10.0.0.10 (behind the Load Balancer) in the WebApp Tier subnet 10.0.0.0/24. Hub VCN: 192.168.0.0/16. Route tables shown:
Database Spoke Route Table: 0.0.0.0/0 -> LPG Database Spoke
LPG Hub Route Table: 0.0.0.0/0 -> Secondary IP vNIC2
VM-Series routes: 10.0.0.0/16 -> Trust Subnet Default Gateway; 0.0.0.0/0 -> Untrust Subnet Default Gateway
Trust Route Table: 10.0.0.0/16 -> LPG Hub]

Figure 6: East-west traffic flow (database to web)

East-West Traffic: Web Application to Oracle Services Network


Figure 7 illustrates how traffic moves from the web application to the Oracle Services Network. This configuration requires that jumbo frame MTU is enabled on your VM-Series NGFW interfaces.

[Figure 7 diagram: a packet for DST=Oracle Services Network (OSN) leaves the Web/Application virtual machine in the WebApp Tier subnet 10.0.0.0/24, goes through the WebApp spoke LPG and the peered connection to LPG Hub, reaches the VM-Series firewall trust interface (vNIC2), returns to the Trust Subnet, and goes through the Service Gateway to the Oracle Services Network (Object Storage). Hub VCN: 192.168.0.0/16. Route tables shown:
WebApp Spoke Route Table: 0.0.0.0/0 -> LPG WebApp Spoke
LPG Hub Route Table: 0.0.0.0/0 -> Secondary IP vNIC2
VM-Series routes: Oracle Services -> Trust Subnet Default Gateway
Trust Route Table: Oracle Services -> Service Gateway
Service Gateway Route Table: 0.0.0.0/0 -> Secondary IP vNIC2]

Figure 7: East-west traffic (web app to Oracle Services Network)

East-West Traffic: Oracle Services Network to Web Application
Figure 8 illustrates how traffic moves from the Oracle Services Network to the web application.

[Figure 8 diagram: a packet for DST=10.0.0.10 from the Oracle Services Network (Object Storage) enters the hub through the Service Gateway, is sent to the VM-Series firewall trust interface (vNIC2), is forwarded to the Trust Subnet default gateway, goes through LPG Hub and the peered connection to the WebApp spoke LPG, and is delivered to the Web/Application virtual machine 10.0.0.10 (behind the Load Balancer) in the WebApp Tier subnet 10.0.0.0/24. Hub VCN: 192.168.0.0/16. Route tables shown:
Service Gateway Route Table: 0.0.0.0/0 -> Secondary IP vNIC2
VM-Series routes: 10.0.0.0/16 -> Trust Subnet Default Gateway
Trust Route Table: 10.0.0.0/24 -> LPG Hub]

Figure 8: East-west traffic (Oracle Services Network to web app)

The architecture comprises the following components:


• VM-Series NGFW: These virtual machine (VM) firewalls provide all the capabilities of PA-Series Physical NGFWs, delivering
inline network security and threat prevention to consistently protect public and private clouds.
• Oracle E-Business Suite or PeopleSoft application tier: This tier is composed of Oracle E-Business Suite or PeopleSoft application servers and their file system.
• Oracle E-Business Suite or PeopleSoft database tier: This tier is composed of Oracle Database, including but not limited to Oracle Exadata Database Cloud Service or Oracle Database services.
• Region: An OCI region is a localized geographic area that contains one or more data centers, called availability domains. Regions
are independent of each other, and vast distances (even countries or continents) can separate them.
• Availability domain: These domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in other availability domains, which provides fault tolerance. Availability domains do not share infrastructure (e.g., power or cooling) or the internal availability domain network. A failure at one availability domain is unlikely to affect the others in the region.
• Fault domain: This is a grouping of hardware and infrastructure within an availability domain. Each availability domain has
three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your
applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.
• VCN and subnet: A VCN is a customizable software-defined network that you set up in an OCI region. Like traditional data center
networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks
that you can change after you create the VCN. You can segment a VCN into subnets that can be scoped to a region or availability
domain. Each subnet consists of a contiguous range of addresses that do not overlap with other subnets in the VCN. You can change
the size of a subnet after creation, and subnets can be public or private.
• Hub VCN: This is a centralized network where VM-Series NGFWs are deployed. It provides secure connectivity to all spoke VCNs,
OCI services, public endpoints and clients, and on-premises data center networks.
• Application tier spoke VCN: This VCN contains a private subnet to host Oracle E-Business Suite or PeopleSoft components.

• Database tier spoke VCN: This VCN contains a private subnet for hosting Oracle databases.
• Load balancer: The OCI Load Balancing service provides automated traffic distribution from a single entry point to multiple
servers in the backend.
• Security list: For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be
allowed in and out of the subnet.
• Route table: Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways. In the hub VCN, you have the following route tables:
  • Management route table attached to the management subnet, which has a default route to the internet gateway.
  • Untrust route table attached to the untrust subnet (or the VCN default route table) for routing traffic from the hub VCN to the internet or on-premises targets.
  • Trust route table attached to the trust subnet, pointing to the CIDR block of each spoke VCN through the associated LPG.
  • High availability route table attached to the high availability subnet, which carries the high availability traffic between the VM-Series NGFWs.
  • A distinct route table defined and attached to the associated hub LPG for each spoke attached to the hub. These route tables forward all traffic (0.0.0.0/0) arriving from the associated spoke LPG to the VM-Series NGFW trust interface floating IP.
  • Oracle Service Gateway route table attached to the Oracle Service Gateway for Oracle Services Network communication. This route table forwards all traffic (0.0.0.0/0) arriving from the Oracle Services Network to the VM-Series NGFW trust floating IP.
  • Routes added to each VM-Series NGFW to maintain traffic symmetry, pointing the CIDR blocks of the spokes to the trust (internal) subnet's default gateway IP (the default gateway IP of the trust subnet in the hub VCN). Without these routes, traffic destined for a spoke would follow the firewall's default route out of the untrust interface.
• Internet gateway: This allows traffic between the public subnets in a VCN and the public internet.
• NAT gateway: This enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.
• Local peering gateway (LPG): An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs
communicate via private IP addresses without the traffic traversing the internet or routing through your on-premises network.
• Dynamic routing gateway (DRG): The DRG is a virtual router that provides a path for private network traffic between a VCN
and a network outside the region, such as a VCN in another OCI region, an on-premises network, or a network in another cloud
provider.
• Service gateway: This provides access from a VCN to other services, such as OCI Object Storage. The traffic from the VCN to the
Oracle service travels over the Oracle network fabric and never traverses the internet.
• OCI FastConnect: This provides an easy way to create a dedicated private connection between your data center and OCI.
­FastConnect provides higher bandwidth options and a more reliable networking experience when compared with internet-based
connections.
• VNIC: The servers in OCI data centers have physical network interface cards (NICs). VM instances communicate using VNICs associated with the physical NICs. Each instance has a primary VNIC that is automatically created and attached during launch and available during the instance's lifetime. DHCP is offered to the primary VNIC only. You can add secondary VNICs after instance launch, and you set static IPs for each interface.
• Private IPs: Each VNIC has a primary private IPv4 address and related information for addressing an instance, and you can add
and remove secondary private IPs. The primary private IP address on an instance is attached during instance launch and does not
change during the instance’s lifetime. Secondary IPs belong to the same CIDR as the VNIC’s subnet. The secondary IP is used as
a floating IP because it can move between VNICs on different instances within the same subnet. You can also use it as a different
endpoint to host different services.
• Public IPs: The networking services define a public IPv4 address chosen by Oracle that is mapped to a private IP. Public IPs have
the following types:
• Ephemeral: This address is temporary and exists for the lifetime of the instance.
• Reserved: This address persists beyond the lifetime of the instance. It can be unassigned and reassigned to another instance.
• Source and destination check: By default, every VNIC drops packets whose source or destination is not one of its own IP addresses. Disable this check (skip source/destination check) on the VM-Series NGFW data-plane VNICs so the firewall can forward traffic that is not addressed to the firewall itself.
• Compute shape: The shape of a compute instance specifies the number of CPUs and amount of memory allocated to the instance.
It also determines the number of VNICs and maximum bandwidth available for the instance.
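The traffic flows in Figures 3 to 8 and the hub route tables listed above all rest on one property: every path between two zones lands on the VM-Series trust floating IP, and the firewall's own static routes send traffic back out the same way. The following Python model is an added example, not code from this paper or from Palo Alto Networks or Oracle tooling. It encodes those route tables using the addresses from the figures (hub VCN 192.168.0.0/16, web tier 10.0.0.0/24, database tier 10.0.1.0/24, on-premises 172.16.0.0/12, hosts 10.0.0.10 and 10.0.1.10); the hub subnet CIDRs, the firewall public IP 203.0.113.5, the internet client 203.0.113.50 and the 198.51.100.0/24 stand-in for the Oracle Services Network CIDR are assumptions. It traces each flow with longest-prefix matching, checks that the firewall is on every path in both directions, and then removes the symmetry route from the firewall to show why the paper requires it.

```python
"""Trace packets through the hub-and-spoke route tables of Figures 3 to 8 and check
that every flow crosses the VM-Series firewall in both directions."""
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    cidr: str
    target: str


class Gateway(NamedTuple):
    outside: str                       # node on the far side of the gateway
    ingress_rt: Optional[str] = None   # transit route table for traffic entering through it
    ingress_vcn: Optional[str] = None  # or deliver entering traffic locally into this VCN


# Addresses from the figures: hub VCN 192.168.0.0/16, web tier 10.0.0.0/24, database tier
# 10.0.1.0/24, on-premises 172.16.0.0/12. The hub subnet CIDRs, the firewall public IP and
# the stand-in CIDR for the Oracle Services Network are constructed for this example.
OSN_CIDR = "198.51.100.0/24"
FW_PUBLIC_IP = "203.0.113.5"

SUBNETS = {  # subnet -> (vcn, cidr, attached route table)
    "untrust_subnet": ("hub", "192.168.1.0/24", "frontend_rt"),
    "trust_subnet": ("hub", "192.168.2.0/24", "trust_rt"),
    "web_subnet": ("webapp", "10.0.0.0/24", "webapp_spoke_rt"),
    "db_subnet": ("db", "10.0.1.0/24", "db_spoke_rt"),
}

ROUTE_TABLES = {
    "frontend_rt": [Rule("0.0.0.0/0", "internet_gateway"), Rule("172.16.0.0/12", "drg")],
    "trust_rt": [Rule("10.0.0.0/24", "lpg_hub_webapp"), Rule("10.0.1.0/24", "lpg_hub_db"),
                 Rule(OSN_CIDR, "service_gateway")],
    "webapp_spoke_rt": [Rule("0.0.0.0/0", "lpg_webapp_spoke")],
    "db_spoke_rt": [Rule("0.0.0.0/0", "lpg_db_spoke")],
    # transit route tables on the hub-side gateways; "firewall" stands for the trust
    # floating IP (secondary IP on vNIC2) that the paper's tables point at
    "lpg_hub_webapp_rt": [Rule("0.0.0.0/0", "firewall")],
    "lpg_hub_db_rt": [Rule("0.0.0.0/0", "firewall")],
    "drg_rt": [Rule("10.0.0.0/16", "firewall")],
    "sgw_rt": [Rule("0.0.0.0/0", "firewall")],
    # static routes on the VM-Series virtual router, including the symmetry routes
    "vmseries_rt": [Rule("10.0.0.0/16", "trust_subnet"), Rule(OSN_CIDR, "trust_subnet"),
                    Rule("0.0.0.0/0", "untrust_subnet")],
}

GATEWAYS = {
    "internet_gateway": Gateway(outside="internet"),
    "drg": Gateway(outside="onprem", ingress_rt="drg_rt"),
    "service_gateway": Gateway(outside="osn", ingress_rt="sgw_rt"),
    "lpg_hub_webapp": Gateway(outside="lpg_webapp_spoke", ingress_rt="lpg_hub_webapp_rt"),
    "lpg_hub_db": Gateway(outside="lpg_db_spoke", ingress_rt="lpg_hub_db_rt"),
    "lpg_webapp_spoke": Gateway(outside="lpg_hub_webapp", ingress_vcn="webapp"),
    "lpg_db_spoke": Gateway(outside="lpg_hub_db", ingress_vcn="db"),
}
ENTRY = {"internet": "internet_gateway", "onprem": "drg", "osn": "service_gateway"}


def lookup(rules, dst):
    """Longest-prefix match, as OCI route tables and the PAN-OS virtual router both do."""
    matches = [(ipaddress.ip_network(r.cidr), r.target) for r in rules
               if dst in ipaddress.ip_network(r.cidr)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def find_subnet(addr, vcn):
    """Subnet of `vcn` containing addr, or None; intra-VCN traffic never leaves the VCN."""
    for name, (v, cidr, _) in SUBNETS.items():
        if v == vcn and addr in ipaddress.ip_network(cidr):
            return name
    return None


def trace(src, dst_ip, dnat_to=None, tables=ROUTE_TABLES):
    """Hop list from src (a private IP, or 'internet'/'onprem'/'osn') to dst_ip. dnat_to
    models the destination NAT the firewall applies to inbound connections (Figure 3)."""
    dst = ipaddress.ip_address(dst_ip)
    if src in ENTRY:
        path = [src, ENTRY[src]]
    else:
        src_addr = ipaddress.ip_address(src)
        path = [n for n, (_, cidr, _) in SUBNETS.items() if src_addr in ipaddress.ip_network(cidr)]
    while len(path) < 20:
        node, prev = path[-1], (path[-2] if len(path) > 1 else None)
        if node in ENTRY:                        # delivered outside OCI
            return path
        if node in SUBNETS:
            vcn, _, rt = SUBNETS[node]
            local = find_subnet(dst, vcn)
            if local is not None:                # delivered inside this VCN
                return path + ([local] if local != node else [])
            nxt = lookup(tables[rt], dst)
        elif node == "firewall":
            if dnat_to:
                dst, dnat_to = ipaddress.ip_address(dnat_to), None
            nxt = lookup(tables["vmseries_rt"], dst)
        else:
            gw = GATEWAYS[node]
            if prev != gw.outside:               # leaving the VCN through the gateway
                nxt = gw.outside
            elif node == "internet_gateway":     # the public IP belongs to the untrust VNIC
                nxt = "firewall"
            elif gw.ingress_rt:
                nxt = lookup(tables[gw.ingress_rt], dst)
            else:
                nxt = find_subnet(dst, gw.ingress_vcn)
                if nxt is None:
                    raise LookupError(f"{dst} is not in spoke {gw.ingress_vcn}")
        path.append(nxt)
    raise RuntimeError("routing loop")


FLOWS = {  # name -> (source, destination, dnat); 10.0.0.10 and 10.0.1.10 are from the figures
    "internet_to_web": ("internet", FW_PUBLIC_IP, "10.0.0.10"),
    "web_to_internet": ("10.0.0.10", "203.0.113.50", None),
    "web_to_db": ("10.0.0.10", "10.0.1.10", None),
    "db_to_web": ("10.0.1.10", "10.0.0.10", None),
    "onprem_to_db": ("onprem", "10.0.1.10", None),
    "db_to_onprem": ("10.0.1.10", "172.16.5.5", None),
    "web_to_osn": ("10.0.0.10", "198.51.100.20", None),
    "osn_to_web": ("osn", "10.0.0.10", None),
}


def inspected_flows(tables=ROUTE_TABLES):
    """name -> True if the flow crosses the firewall; all True means nothing bypasses it."""
    return {name: "firewall" in trace(s, d, n, tables) for name, (s, d, n) in FLOWS.items()}


def without_symmetry_route():
    """Drop the firewall's 10.0.0.0/16 -> trust route and trace web -> database again."""
    broken = dict(ROUTE_TABLES)
    broken["vmseries_rt"] = [r for r in ROUTE_TABLES["vmseries_rt"] if r.cidr != "10.0.0.0/16"]
    return trace("10.0.0.10", "10.0.1.10", tables=broken)
```

With the tables as the paper describes them, `inspected_flows()` is True for every flow, and `trace("10.0.0.10", "10.0.1.10")` runs web_subnet, lpg_webapp_spoke, lpg_hub_webapp, firewall, trust_subnet, lpg_hub_db, lpg_db_spoke, db_subnet. `without_symmetry_route()` shows the failure mode behind the paper's last route-table bullet: with no 10.0.0.0/16 route to the trust subnet, the firewall sends database-bound traffic out of the untrust interface and the FrontEnd route table hands it to the internet gateway, so the flow never reaches the spoke. Compare against a real tenancy by exporting the route tables with the OCI CLI and substituting them into ROUTE_TABLES.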

Recommendations
We recommend the following as a starting point to secure Oracle E-Business Suite or PeopleSoft workloads on OCI using VM-Series NGFWs.

VCN
When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space. You should also select CIDR blocks that do not overlap with any other network (i.e., in OCI, your on-premises data center, or another cloud provider) to which you intend to set up private connections. After you create a VCN, you can change, add, and remove its CIDR blocks.
When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary. Use regional subnets.
Verify the maximum number of LPGs per VCN in your service limits in case you want to extend this architecture for multiple environments and applications.

VM-Series NGFWs
Deploy a high availability cluster. Whenever possible, deploy the two firewalls in distinct fault domains (at a minimum) or in different availability domains. Set the MTU to 9000 on all VNICs, and use the VFIO (SR-IOV) network attachment type for the firewall's interfaces.

VM-Series NGFW Management


If you're creating a deployment hosted in Oracle Cloud Infrastructure, create a dedicated subnet for management.
Use security lists or network security groups (NSGs) to restrict inbound access on TCP ports 443 and 22, which are used to administer the security policy and to view logs and events, to trusted administrative source addresses rather than allowing it from the whole internet.
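A check for the recommendation above, written as an added example (not code from this paper, from Palo Alto Networks, or from Oracle's CLI): it evaluates ingress rules in the JSON shape the OCI CLI returns for security lists and NSG rules and reports every rule that admits TCP 22 or 443 from a source outside an administrative allow-list. The sample rules and the trusted networks (an assumed admin network 172.16.10.0/24 and the hub VCN 192.168.0.0/16) are constructed; a TCP rule with no port range, and a rule with protocol "all", count as exposing both ports.

```python
"""Flag OCI security-list or NSG ingress rules that expose the firewall management ports
(TCP 22 and 443) to sources outside the administrative allow-list."""
import ipaddress
import json

MGMT_PORTS = {22, 443}
ANY_PORT = None  # sentinel: the rule does not restrict the destination port

# Constructed allow-list: a hypothetical admin network and the hub VCN from the paper.
TRUSTED_SOURCES = [ipaddress.ip_network("172.16.10.0/24"),
                   ipaddress.ip_network("192.168.0.0/16")]

# Constructed samples shaped like the rules `oci network security-list get` and
# `oci network nsg rules list` return: protocol "6" is TCP, "17" is UDP, "all" is any
# protocol; a TCP rule without tcp-options admits every TCP port.
WEAK_RULES = json.loads("""[
  {"source": "0.0.0.0/0", "protocol": "6",
   "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
  {"source": "0.0.0.0/0", "protocol": "6",
   "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
  {"source": "203.0.113.0/24", "protocol": "6"},
  {"source": "0.0.0.0/0", "protocol": "17",
   "udp-options": {"destination-port-range": {"min": 4500, "max": 4500}}},
  {"source": "192.168.0.0/16", "protocol": "all"}
]""")

HARDENED_RULES = json.loads("""[
  {"source": "172.16.10.0/24", "protocol": "6",
   "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
  {"source": "172.16.10.0/24", "protocol": "6",
   "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
  {"source": "192.168.0.0/16", "protocol": "all"}
]""")


def rule_ports(rule):
    """TCP destination ports a rule admits: a set, or ANY_PORT when unrestricted."""
    if rule["protocol"] not in ("6", "all"):   # UDP/ICMP rules cannot carry SSH or HTTPS
        return set()
    rng = (rule.get("tcp-options") or {}).get("destination-port-range")
    if rng is None:
        return ANY_PORT
    return set(range(rng["min"], rng["max"] + 1))


def source_is_trusted(source, trusted=TRUSTED_SOURCES):
    """True when the rule's source CIDR lies entirely inside one trusted network."""
    try:
        src = ipaddress.ip_network(source)
    except ValueError:   # service CIDR labels (Oracle Services Network) are not admin sources
        return False
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit_ingress(rules, trusted=TRUSTED_SOURCES):
    """(source, exposed_ports) for every ingress rule that admits a management port from an
    untrusted source. NSG rules carry a direction field; egress rules are skipped."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        ports = rule_ports(rule)
        exposed = MGMT_PORTS if ports is ANY_PORT else MGMT_PORTS & ports
        if exposed and not source_is_trusted(rule["source"], trusted):
            findings.append((rule["source"], sorted(exposed)))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_ingress(rules) or "no management ports exposed")
```

Against WEAK_RULES the audit reports the two 0.0.0.0/0 rules and the unrestricted TCP rule from 203.0.113.0/24; the UDP 4500 rule and the intra-hub "all" rule are not reported. HARDENED_RULES, which admits the same ports only from the admin network, produces no findings. Feed it the output of `oci network security-list get` (the `ingress-security-rules` array) or `oci network nsg rules list` for the management subnet to check a live deployment.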

VM-Series Firewall Policies


Refer to the firewall documentation in the "More Information" section at the end of this paper for the most up-to-date information on required security policies, ports, and protocols.

Considerations
When securing Oracle E-Business Suite or PeopleSoft workloads on OCI using VM-Series NGFWs, consider these factors:

Performance
The compute shape you select determines the instance's maximum available throughput, CPU, RAM, and number of interfaces. You need to know what types of traffic traverse your environment, determine the appropriate risk levels, and apply proper security controls as needed. Different combinations of enabled security controls impact performance.
Consider adding dedicated interfaces for FastConnect or VPN services. You should also consider using larger compute shapes for higher throughput and access to more network interfaces. Finally, run performance tests to validate that the design can sustain the performance and throughput you require.

Security
Managing the VM-Series NGFWs on OCI with Panorama allows for centralized security policy configuration and monitoring of all your physical and virtual Palo Alto Networks NGFWs. Define a distinct identity and access management (IAM) dynamic group and policy per cluster deployment, granting only the permissions that cluster needs (for example, to move the floating secondary IP between the firewalls on failover).

Availability
Deploy your architecture to distinct geographic regions for the greatest redundancy. Configure site-to-site VPNs with the relevant organizational networks as a backup path to FastConnect, for redundant connectivity with on-premises networks.

Cost
VM-Series NGFWs are available in bring-your-own-license (BYOL) and pay-as-you-go (PAYG) license models for Bundle 1 and
Bundle 2 in the Oracle Cloud Marketplace.
• Bundle 1 includes the VM-Series capacity license, Threat Prevention license, and a Premium Support entitlement.
• Bundle 2 includes the VM-Series capacity license with the complete suite of subscription licenses, including Threat Prevention, WildFire®, URL Filtering, DNS Security, GlobalProtect™, and a Premium Support entitlement.

Deployment Steps
To secure Oracle E-Business Suite or PeopleSoft workloads on OCI using VM-Series NGFWs, perform the following steps:
1. Set up the required networking infrastructure as shown in the architecture diagram (figure 2). See Set up a hub-and-spoke network topology in Oracle's technical documentation.
2. Deploy the application (Oracle E-Business Suite or PeopleSoft) in your environment.
3. Oracle Cloud Marketplace has multiple stacks for different configurations and licensing requirements. For example, the following stacks feature bring-your-own-license (BYOL). For each stack you choose, click Get App and follow the on-screen prompts:
  • VM-Series Firewall—BYOL
  • VM-Series Firewall—Listings
4. You can also refer to the GitHub Repository to deploy the architecture included in this document and the relevant configuration steps on the VM-Series NGFW.

More Information
These resources offer more detail about the features of this architecture and related information:
• Oracle documentation:
  • Best practices framework for Oracle Cloud Infrastructure
  • Learn about deploying Oracle E-Business Suite on Oracle Cloud Infrastructure
  • Oracle Cloud Infrastructure Security Guide
• GitHub:
  • Deploying a VM-Series NGFW on OCI using Terraform

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. strata_wp_secure-workloads-vm-series-oracle_041421
