topic Re: Palo Alto VM 300 behind AWS ELB with public HTTPS traffic forwarded to it in VM-Series in the Public Cloud

Palo Alto VM 300 behind AWS ELB with public HTTPS traffic forwarded to it

NithinN — Sat, 16 Dec 2017 14:31:44 GMT

Hi,

my existing environment have a nearly 20 AWS load balancers which are public facing, now I want to implement Palo Alto VM 300 behind this ELBs, and monitor and trasalate the traffic to the backend instances.

I've tested this requirement with one load balacners, however when I'm adding my second load balancer, the port trasalation is not working as expected.

Secondly I also have some classic load balacners which are required to send the traffic to the VM 300, as per the Palo Alto knowledge base, we have to do only the interface swapping in the AWS environment for the CLassic ELB, however its not working,

Any help appreciated

-Nithin

Re: Palo Alto VM 300 behind AWS ELB with public HTTPS traffic forwarded to it

jmeurer — Sat, 16 Dec 2017 16:16:51 GMT

In order to bring multiple applications through the firewalls, you need to differentiate them in someway. You can either consider adding secondary IPs to the Untrust ENI and have the Load Balancers target the individual IPs if using ALB or NLB or use PAT to use a port per app on the Untrust interface which will be necessary Instance targeting LBs. You then configure the NAT rules per app to destination translate the Untrust port to the application server port with the source translated to the Trust Interface.

ie.

LB1:443 -> Untrust:1443 -> App1:443

LB2:443 -> Untrust:2443 -> App2:443

Have a look Autoscale v2.0 model currently in Beta utilizing the method.

https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-2.0

To Answer your interface swap question, whenever you use an Instance as a target on any of the load balancers, you need to perform Interface Swap on the Firewalls. Instance targeting only supports ETH0. If you use IP address targeting, then you can select the correct IP if Inteface Swap is not implemented.

Re: Palo Alto VM 300 behind AWS ELB with public HTTPS traffic forwarded to it

jperry1 — Sun, 17 Dec 2017 23:01:08 GMT

Nithin,

To start we need to a bit more about your configuration and topology. You mention 20 load balancers and also some classic load balancers also. just from that statement I am assuming the 20 AWS load balancers are all ALB is this correct? Are all these load balancers in the same AZ? Can you provide a detail of your architecture so we can understand what you are lookingn to accomplish?

Also when you say you are not receiving the expecfted behavior, please elaborate on what type of behavior you are receiving?

What is the difference in the traffic source per load balancer?

Also the ethernet swap must happen whether using Application LB's or Classic LB's because Dataplane traffic has to be received on Eth0.

See link below for Details.

https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb/what-components-does-the-vm-series-auto-scaling-template-for-aws-deploy

Management Interface Mapping for Use with Amazon ELB

https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/set-up-the-vm-series-firewall-on-aws/about-the-vm-series-firewall-on-aws/management-interface-mapping-for-use-with-amazon-elb#id7e1c2653-88af-4a85-8bb8-aae1847c0d9f

Just off the top of my head you have to be sure to select the appropriate subnet for the firewall eth0 BUT the eth0 interface has to be swapped.

Also how are you swapping the ENI's?

Please answer these questions and provide a diagram of what you are looking to accomplish as well. Once I receive that I can take a look at it and we can go from there. Thanks Nithin.