fix(vmseries): disallow IP forwarding through the mgmt interface

Prevent the first network interface (the management intrface) from receiving packets with a non-matching destination IP address. This is per recommendation of the official Reference Architecture. Also, there are currently no known use cases which would require that.
PaloAltoNetworks · Oct 11, 2021 · d0ef5f2 · d0ef5f2
1 parent 1ab7d21
commit d0ef5f2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/modules/vmseries/main.tf b/modules/vmseries/main.tf
@@ -25,7 +25,7 @@ resource "azurerm_network_interface" "this" {
   location                      = var.location
   resource_group_name           = var.resource_group_name
   enable_accelerated_networking = count.index == 0 ? false : var.accelerated_networking # for interface 0 it is unsupported by PAN-OS
-  enable_ip_forwarding          = true
+  enable_ip_forwarding          = count.index == 0 ? false : true                       # for interface 0 use false per Reference Arch
   tags                          = try(var.interfaces[count.index].tags, var.tags)
 
   ip_configuration {