From d0ef5f2fc316082fd49ae62c891b919ac3a2debc Mon Sep 17 00:00:00 2001
From: Jakub Bielecki <47531708+jabielecki@users.noreply.github.com>
Date: Mon, 11 Oct 2021 12:47:20 +0200
Subject: [PATCH] fix(vmseries): disallow IP forwarding through the mgmt interface

Prevent the first network interface (the management intrface) from receiving packets with a non-matching destination IP address. This is per recommendation of the official Reference Architecture. Also, there are currently no known use cases which would require that.
---
 modules/vmseries/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/vmseries/main.tf b/modules/vmseries/main.tf
index 14bcab70..667dd5fb 100644
--- a/modules/vmseries/main.tf
+++ b/modules/vmseries/main.tf
@@ -25,7 +25,7 @@ resource "azurerm_network_interface" "this" {
 location = var.location
 resource_group_name = var.resource_group_name
 enable_accelerated_networking = count.index == 0 ? false : var.accelerated_networking # for interface 0 it is unsupported by PAN-OS
- enable_ip_forwarding = true
+ enable_ip_forwarding = count.index == 0 ? false : true # for interface 0 use false per Reference Arch
 tags = try(var.interfaces[count.index].tags, var.tags)
 
 ip_configuration {
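Review bot: The added enable_ip_forwarding line spells the condition as `count.index == 0 ? false : true`, which is just `count.index != 0`; the shorter form reads directly as "forward on every interface except the first" and avoids a ternary that only yields its own test. A single line would do, e.g. `enable_ip_forwarding = count.index != 0 # interface 0 (management) must not forward per Reference Arch`. The line also encodes, as the enable_accelerated_networking line above already does, that interface 0 is the management interface; since callers supply var.interfaces by position, a comment on the resource stating that index 0 is always the management interface and is deliberately excluded from forwarding would make that contract explicit. The enclosing azurerm_network_interface resource begins before and continues after this hunk.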