https://live.paloaltonetworks.com/t5/general-articles/get-started-with-vm-series-with-aws-gateway-load-balancer-a-poc/ta-p/556300 <DIV class="lia-message-template-symptoms-zone"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_Cyberpedia_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53489iCB0F97C8A00537C7/image-size/large?v=v2&amp;px=999" role="button" title="Title_Cyberpedia_palo-alto-networks.jpg" alt="Title_Cyberpedia_palo-alto-networks.jpg" /></span></DIV> <DIV class="lia-message-template-solution-zone"> <P>&nbsp;</P> <P>This article provides the steps to setup, demonstrate and teardown the Palo Alto Networks' VM-Series Next Generation Firewalls on AWS in integration with the <FONT color="#FF6600"><STRONG>AWS Gateway Load Balancer</STRONG></FONT>. This integration is the recommended design on AWS and you can find more information about the integration on the official documentation portal <A title="VM-Series Integration with an AWS Gateway Load Balancer" href="https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>This article is intended for anyone who wishes to get some hands-on experience with the VM-Series appliance on AWS, an understanding of how automation can be leveraged to easily deploy and bootstrap the firewalls and also how the integration of the Gateway Load Balancer, Transit Gateway and the VM-Series firewall works.</P> <P>&nbsp;</P> <H1><FONT size="5"><STRONG><FONT color="#FF6600">Prerequisites</FONT></STRONG></FONT></H1> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>An AWS Account with the following permissions:</SPAN></LI> </UL> <P>&nbsp;</P> <UL> <UL class="lia-list-style-type-circle"> <LI style="font-weight: 400;" aria-level="2"><SPAN>Subscribe to services on the AWS Marketplace.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Create, Delete all networking resources like VPCs, Subnets, Route tables, etc.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Create, Delete EC2 instances, Elastic IPs.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Optional: AWS CloudShell for executing the setup script.</SPAN></LI> </UL> </UL> <P>&nbsp;</P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>If you do not have access to AWS CloudShell, then additionally you would also need:</SPAN></LI> </UL> <P>&nbsp;</P> <UL> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>Git and Terraform installed</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>AWS Access Key and Secret Keys</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>SSH Key-Pair to connect to the EC2 Instances.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Optional: AWS CLI to configure the AWS credentials</SPAN></LI> </UL> </UL> <P>&nbsp;</P> <H1><FONT size="5"><STRONG><FONT color="#FF6600">Things to Consider</FONT></STRONG></FONT></H1> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>This PoC deploys a PAYG version of the VM-Series appliance from the AWS Marketplace, so there is no additional licensing required. Free trial available for 15 days.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The automation in this PoC bootstraps the VM-Series NGFW with bare minimum configuration. The bootstrapping is done using AWS S3 bucket which is also created as part of the setup.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>The VM-Series NGFW deployed in this PoC secures Inbound, Outbound and East-West traffic to 2 Linux servers connected as spokes through a Transit Gateway.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>This PoC can be deployed in any region, provided the VM-Series PAYG Bundle 2 appliance is available in that region.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Autoscaling is not included in this PoC.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Panorama is not included in this PoC.</SPAN></LI> </UL> <P>&nbsp;</P> <H1><FONT size="5"><STRONG><FONT color="#FF6600">Steps to Deploy</FONT></STRONG></FONT></H1> <H3><STRONG>With AWS CloudShell</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Login to your AWS Account</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Open “AWS Marketplace Subscriptions” and Subscribe to the VM-Series PAYG service at the following link.</SPAN> <UL class="lia-list-style-type-circle"> <LI style="font-weight: 400;" aria-level="1"><A href="https://aws.amazon.com/marketplace/pp?sku=hd44w1chf26uv4p52cdynb2o" target="_blank" rel="noopener"><SPAN>https://aws.amazon.com/marketplace/pp?sku=hd44w1chf26uv4p52cdynb2o</SPAN></A></LI> </UL> </LI> </UL> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Open AWS Cloud Shell and make sure that your workspace is clean.</SPAN> <UL class="lia-list-style-type-circle"> <LI style="font-weight: 400;" aria-level="1"><SPAN>This is because disk size on CloudShell is limited and terraform would need to download modules required for resource deployment.</SPAN></LI> </UL> </LI> </UL> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Clone the GitHub repository.</SPAN></LI> </UL> <LI-CODE lang="python">git clone https://github.com/PaloAltoNetworks/aws-vmseries-gwlb-poc.git &amp;&amp; cd aws-vmseries-gwlb-poc</LI-CODE> <P><LI-WRAPPER></LI-WRAPPER></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Run the setup script.</SPAN></LI> </UL> <LI-CODE lang="python">./setup.sh</LI-CODE> <P>&nbsp;</P> <H3><STRONG>Without AWS CloudShell</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Login to your AWS Account</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Open “AWS Marketplace Subscriptions” and Subscribe to the VM-Series PAYG service at the following link.</SPAN> <UL class="lia-list-style-type-circle"> <LI style="font-weight: 400;" aria-level="1"><A href="https://aws.amazon.com/marketplace/pp?sku=hd44w1chf26uv4p52cdynb2o" target="_blank" rel="noopener"><SPAN>https://aws.amazon.com/marketplace/pp?sku=hd44w1chf26uv4p52cdynb2o</SPAN></A></LI> </UL> </LI> </UL> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Create an SSH Key-Pair and download the private key.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Configure the IAM policies for the account and download the Access Key and Secret Key credentials.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Now, on your local workspace, where Git and Terraform has been installed, clone the GitHub repository.</SPAN></LI> </UL> <LI-CODE lang="python">git clone https://github.com/PaloAltoNetworks/aws-vmseries-gwlb-poc.git &amp;&amp; cd aws-vmseries-gwlb-poc/terraform/vmseries</LI-CODE> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Open the file named “</SPAN><I><SPAN>student.auto.tfvars</SPAN></I><SPAN>”.</SPAN>&nbsp;</LI> </UL> <LI-CODE lang="python">vi student.auto.tfvars</LI-CODE> <UL> <LI><SPAN>Update the following variables on the file with the appropriate values.</SPAN></LI> </UL> <LI-CODE lang="python">access-key = "" secret-key = "" region = "" ssh-key-name = ""</LI-CODE> <UL> <LI><SPAN>Run the following commands.</SPAN></LI> </UL> <LI-CODE lang="python">terraform init terraform plan &lt;&lt;&lt;&lt; Ensure that there are no errors seen in the response of this command. terraform apply -auto-approve </LI-CODE> <P>&nbsp;</P> <H1><FONT size="5" color="#FF6600">Lab Topology</FONT></H1> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 1_AWS-Gateway-Load-Balancer_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53491iF4D6CA7D439DE871/image-size/large?v=v2&amp;px=999" role="button" title="Fig 1_AWS-Gateway-Load-Balancer_palo-alto-networks.png" alt="Fig 1_AWS-Gateway-Load-Balancer_palo-alto-networks.png" /></span> <P>&nbsp;</P> <H1><FONT size="5"><STRONG><FONT color="#FF6600">VM-Series Walkthrough</FONT></STRONG></FONT></H1> <H3><STRONG>Login</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>On the AWS CloudShell terminal or your local workspace from where you ran the terraform commands, run the following commands to get the VM-Series URL.</SPAN></LI> </UL> <LI-CODE lang="python">cd ../aws-vmseries-gwlb-poc/terraform/vmseries terraform output FIREWALL_IP_ADDRESS</LI-CODE> <P>&nbsp;</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 2_AWS-Gateway-Load-Balancer_palo-alto-networks.png" style="width: 683px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53492i156B110E3D379765/image-dimensions/683x176?v=v2" width="683" height="176" role="button" title="Fig 2_AWS-Gateway-Load-Balancer_palo-alto-networks.png" alt="Fig 2_AWS-Gateway-Load-Balancer_palo-alto-networks.png" /></span> <UL> <LI><SPAN>Copy the URL in the response of the above command and paste it on the browser tab.</SPAN></LI> <LI><SPAN>Login using the credentials provided.</SPAN></LI> </UL> <LI-CODE lang="markup">Username – admin Password – Paloalto@1</LI-CODE> <P>&nbsp;</P> <H3><STRONG>Policies</STRONG></H3> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>The firewall is bootstrapped with two policies:</SPAN></LI> </UL> <P>&nbsp;</P> <UL> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>allow-all</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>explicit-deny</SPAN></LI> </UL> </UL> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 3_AWS-Gateway-Load-Balancer_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53493i5AC41F3602D57DF0/image-size/large?v=v2&amp;px=999" role="button" title="Fig 3_AWS-Gateway-Load-Balancer_palo-alto-networks.png" alt="Fig 3_AWS-Gateway-Load-Balancer_palo-alto-networks.png" /></span> <P>&nbsp;</P> <H3><STRONG>Logging</STRONG></H3> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 4_AWS-Gateway-Load-Balancer_palo-alto-networks.png" style="width: 997px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53494iD03E046483D72735/image-size/large?v=v2&amp;px=999" role="button" title="Fig 4_AWS-Gateway-Load-Balancer_palo-alto-networks.png" alt="Fig 4_AWS-Gateway-Load-Balancer_palo-alto-networks.png" /></span> <P>&nbsp;</P> <H1><FONT size="5" color="#FF6600"><STRONG>Connecting to the servers</STRONG></FONT></H1> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>You can connect to the servers directly by selecting the server and clicking in "Connect" on the EC2 console. Ensure that the login name is "ec2-user".</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>Alternatively, you can also connect to the servers directly from your terminal using the SSH private key that you downloaded as part of the </SPAN><A href="https://docs.google.com/presentation/d/1QNzzB8XQIfxK9Kfz_nNmRpEDnyCnygUeJg_bvM2Itlk/edit#slide=id.g2775313983c_0_157" target="_blank" rel="noopener"><SPAN>Prerequisites</SPAN></A><SPAN>.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><SPAN>You could also use AWS CLI to connect to the servers by running the below command;</SPAN>&nbsp;</LI> </UL> <LI-CODE lang="python">aws ec2-instance-connect ssh --instance-id &lt;instance-id&gt;</LI-CODE> <P>&nbsp;</P> <H1><FONT size="5"><STRONG><FONT color="#FF6600">Sample Activities</FONT></STRONG></FONT></H1> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>Add/Update the Security policies to allow/deny ssh traffic.</SPAN> <UL class="lia-list-style-type-circle"> <LI style="font-weight: 400;" aria-level="2"><SPAN>Verify by trying to connect to the servers.</SPAN></LI> </UL> </LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Add/Update the Security policies to allow/deny ICMP traffic.</SPAN> <UL class="lia-list-style-type-circle"> <LI style="font-weight: 400;" aria-level="2"><SPAN>Verify by trying to ping one server from the other.</SPAN></LI> </UL> </LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>Update the Vulnerability Protection on the allow security policy to “strict”.</SPAN> <UL class="lia-list-style-type-circle"> <LI style="font-weight: 400;" aria-level="2"><SPAN>Verify by trying to download the malware file on any one of the servers.</SPAN></LI> </UL> </LI> </UL> <LI-CODE lang="python">wget http://www.eicar.org/download/eicar.com.txt</LI-CODE> <UL> <LI>&nbsp;<SPAN>You should see the Threat log on the Firewall as shown below.</SPAN></LI> </UL> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 5_AWS-Gateway-Load-Balancer_palo-alto-networks.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53495iB5C72E1E235B341E/image-size/large?v=v2&amp;px=999" role="button" title="Fig 5_AWS-Gateway-Load-Balancer_palo-alto-networks.png" alt="Fig 5_AWS-Gateway-Load-Balancer_palo-alto-networks.png" /></span> <P>&nbsp;</P> <H1><FONT size="5" color="#FF6600"><STRONG>Steps to Teardown</STRONG></FONT></H1> <P><SPAN>Run the following commands to tear down the PoC lab:</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">cd ../aws-vmseries-gwlb-poc/terraform/vmseries terraform destroy -auto-approve</LI-CODE> <P>&nbsp;</P> <P><LI-WRAPPER></LI-WRAPPER></P> <P><SPAN>While running the 1st command, make sure that you are in the root folder of the cloned Github repository.</SPAN></P> <P>&nbsp;</P> <H1><STRONG><FONT size="5" color="#FF6600">References</FONT></STRONG></H1> <UL> <LI style="font-weight: 400;" aria-level="1"><A href="https://github.com/PaloAltoNetworks/aws-vmseries-gwlb-poc" target="_blank" rel="noopener"><SPAN>Terraform code for this PoC</SPAN></A></LI> <LI style="font-weight: 400;" aria-level="1"><A href="https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer" target="_blank" rel="noopener"><SPAN>VM-Series integration with the AWS Gateway Load Balancer</SPAN></A></LI> <LI style="font-weight: 400;" aria-level="1"><A href="https://www.paloaltonetworks.com/resources/guides/intelligent-architectures-aws-reference-architecture" target="_blank" rel="noopener"><SPAN>VM-Series on AWS – Reference Architecture</SPAN></A></LI> <LI style="font-weight: 400;" aria-level="1"><A href="https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest" target="_blank" rel="noopener"><SPAN>Terraform modules for VM-Series on AWS</SPAN></A></LI> <LI style="font-weight: 400;" aria-level="1"><A href="https://www.youtube.com/watch?v=GH6S3HRGPuI&amp;pp=ygUtcGFsbyBhbHRvIGF3cyBnYXRld2F5IGxvYWQgYmFsYW5jZXIgdm0tc2VyaWVz" target="_blank" rel="noopener"><SPAN>Video – VM-Series with AWS GWLB Integration Overview</SPAN></A></LI> <LI style="font-weight: 400;" aria-level="1"><A href="https://www.youtube.com/watch?v=c28ZwlhCIWE&amp;pp=ygUtcGFsbyBhbHRvIGF3cyBnYXRld2F5IGxvYWQgYmFsYW5jZXIgdm0tc2VyaWVz" target="_blank" rel="noopener"><SPAN>Video – Step by Step guide to deploy VM-Series with AWS GWLB</SPAN></A></LI> </UL> </DIV> Wed, 06 Sep 2023 18:58:57 GMT shv 2023-09-06T18:58:57Z https://live.paloaltonetworks.com/t5/general-articles/get-started-with-vm-series-with-aws-gateway-load-balancer-a-poc/ta-p/556300 <P>This article provides the steps to setup, demonstrate and teardown the Palo Alto Networks' VM-Series Next Generation Firewalls on AWS in integration with the AWS Gateway Load Balancer.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Title_Cyberpedia_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53490i175191517383E828/image-size/large?v=v2&amp;px=999" role="button" title="Title_Cyberpedia_palo-alto-networks.jpg" alt="Title_Cyberpedia_palo-alto-networks.jpg" /></span></P> Wed, 06 Sep 2023 18:58:57 GMT https://live.paloaltonetworks.com/t5/general-articles/get-started-with-vm-series-with-aws-gateway-load-balancer-a-poc/ta-p/556300 shv 2023-09-06T18:58:57Z https://live.paloaltonetworks.com/t5/general-articles/get-started-with-vm-series-with-aws-gateway-load-balancer-a-poc/tac-p/595512#M742 <P>kepe getting this error :</P><P>&nbsp;</P><P>Error: no matching EC2 Key Pair found<BR />│<BR />│ with module.vulnerable-vpc.data.aws_key_pair.key_name,<BR />│ on ../modules/vpc/main.tf line 154, in data "aws_key_pair" "key_name":<BR />│ 154: data "aws_key_pair" "key_name" {</P><P>&nbsp;</P><P>can i modify the main.tf ?</P> Wed, 21 Aug 2024 20:17:26 GMT https://live.paloaltonetworks.com/t5/general-articles/get-started-with-vm-series-with-aws-gateway-load-balancer-a-poc/tac-p/595512#M742 VSingh26 2024-08-21T20:17:26Z https://live.paloaltonetworks.com/t5/general-articles/get-started-with-vm-series-with-aws-gateway-load-balancer-a-poc/tac-p/595579#M743 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/259756473">@VSingh26</a>,</P> <P>Absolutely. Once you have downloaded the code,&nbsp; you can make modifications relative to your environment as required.&nbsp;</P> Thu, 22 Aug 2024 05:40:06 GMT https://live.paloaltonetworks.com/t5/general-articles/get-started-with-vm-series-with-aws-gateway-load-balancer-a-poc/tac-p/595579#M743 shv 2024-08-22T05:40:06Z