topic Re: GWLB and Palo Alto Zones in VM-Series in the Public Cloud

GWLB and Palo Alto Zones

jon.swick — Tue, 06 Apr 2021 19:57:59 GMT

I am building some PA VM's behind GWLB.

i would like to do traffic between VPC's to flow through this GWLB and TGW which appears to be possible however i can not find any documentation on how to seperate these into different Zones within the palo. I would like the Traffic from VPC A and VPC B to be mapped to different Palo Alto Zones. I was told this is possible but can't find any reference.

Re: GWLB and Palo Alto Zones

jmeurer — Tue, 06 Apr 2021 20:09:38 GMT

The zoning capabilities is dependant on the traffic direction.

Inbound, we have the ability to map GWLBe's from the various inbound VPCs to a subInterface. This traffic will still be Intrazone, but you can have each VPC in its own zone.

https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer/integrate-the-vm-series-with-an-aws-gateway-load-balancer/associate-a-vpc-endpoint-with-a-vm-series-interface.html

Outbound, we added the ability to route traffic outbound out of an Untrust interface using Overlay routing in 10.0.5. This allows for the creation of the traditional Trust->Untrust style policy.

https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer/integrate-the-vm-series-with-an-aws-gateway-load-balancer/enable-overlay-routing-for-the-vm-series-on-aws.html

East-West, VPC to VPC communication through a TGW deployment cannot be broken into zones. This traffic must hairpin back to the GWLB for routing. This traffic will continue to be Intrazone and your policies will need to be DAG or Subnet based.

Re: GWLB and Palo Alto Zones

jon.swick — Tue, 06 Apr 2021 20:33:30 GMT

Is there any reason to map the VPC's to zones for inbound then if i can't create zone based policies?

are you stating that if VPC A is sending traffic to VPC B the palo will recognize the inbound as coming from Zone A but will send it out "Zone A" because it hairpins. so i just couldnt define destination zones but i could still utilize source zone?

Re: GWLB and Palo Alto Zones

jmeurer — Tue, 06 Apr 2021 21:32:59 GMT

The purpose for the Zones in an inbound flow is to handle the possibility of overlapping IP schemes when not using TGW. Diagrams for this flow are here. https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/aws-vm-series-gateway-load-balancers-not-working/m-p/373760#M1074

In VPC to VPC communication the traffic is as follows. This traffic flow hairpins back to the GWLBe before routing back to the TGW. This traffic must stay within the GENEVE encapsulation tunnel to maintain the 5-tuple perisistence that the GWLB performs.

VPCa -> TGW -> Firewall VPC -> GWLBe -> firewalls -> GWLBe -> tgw -> VPCb

Re: GWLB and Palo Alto Zones

jon.swick — Tue, 06 Apr 2021 21:38:59 GMT

Awesome!! Thank you so much for your help that put a light on a lot of things.