Get Started with VM-Series with AWS Gateway Load Balancer - A PoC Playbook Guide

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L1 Bithead
No ratings
Title_Cyberpedia_palo-alto-networks.jpg

 

This article provides the steps to setup, demonstrate and teardown the Palo Alto Networks' VM-Series Next Generation Firewalls on AWS in integration with the AWS Gateway Load Balancer. This integration is the recommended design on AWS and you can find more information about the integration on the official documentation portal here.

 

This article is intended for anyone who wishes to get some hands-on experience with the VM-Series appliance on AWS, an understanding of how automation can be leveraged to easily deploy and bootstrap the firewalls and also how the integration of the Gateway Load Balancer, Transit Gateway and the VM-Series firewall works.

 

Prerequisites

  • An AWS Account with the following permissions:

 

    • Subscribe to services on the AWS Marketplace.
    • Create, Delete all networking resources like VPCs, Subnets, Route tables, etc.
    • Create, Delete EC2 instances, Elastic IPs.
    • Optional: AWS CloudShell for executing the setup script.

 

  • If you do not have access to AWS CloudShell, then additionally you would also need:

 

    • Git and Terraform installed
    • AWS Access Key and Secret Keys
    • SSH Key-Pair to connect to the EC2 Instances.
    • Optional: AWS CLI to configure the AWS credentials

 

Things to Consider

  • This PoC deploys a PAYG version of the VM-Series appliance from the AWS Marketplace, so there is no additional licensing required. Free trial available for 15 days.
  • The automation in this PoC bootstraps the VM-Series NGFW with bare minimum configuration. The bootstrapping is done using AWS S3 bucket which is also created as part of the setup.
  • The VM-Series NGFW deployed in this PoC secures Inbound, Outbound and East-West traffic to 2 Linux servers connected as spokes through a Transit Gateway.
  • This PoC can be deployed in any region, provided the VM-Series PAYG Bundle 2 appliance is available in that region.
  • Autoscaling is not included in this PoC.
  • Panorama is not included in this PoC.

 

Steps to Deploy

With AWS CloudShell

  • Open AWS Cloud Shell and make sure that your workspace is clean.
    • This is because disk size on CloudShell is limited and terraform would need to download modules required for resource deployment.
  • Clone the GitHub repository.
git clone https://github.com/PaloAltoNetworks/aws-vmseries-gwlb-poc.git && cd aws-vmseries-gwlb-poc

  • Run the setup script.
./setup.sh

 

Without AWS CloudShell

  • Create an SSH Key-Pair and download the private key.
  • Configure the IAM policies for the account and download the Access Key and Secret Key credentials.
  • Now, on your local workspace, where Git and Terraform has been installed, clone the GitHub repository.
git clone https://github.com/PaloAltoNetworks/aws-vmseries-gwlb-poc.git && cd aws-vmseries-gwlb-poc/terraform/vmseries
  • Open the file named “student.auto.tfvars”. 
vi student.auto.tfvars
  • Update the following variables on the file with the appropriate values.
access-key      = ""
secret-key      = ""
region          = ""
ssh-key-name    = ""
  • Run the following commands.
terraform init
terraform plan		<<<< Ensure that there are no errors seen in the response of this command.
terraform apply -auto-approve

 

Lab Topology

Fig 1_AWS-Gateway-Load-Balancer_palo-alto-networks.png

 

VM-Series Walkthrough

Login

  • On the AWS CloudShell terminal or your local workspace from where you ran the terraform commands, run the following commands to get the VM-Series URL.
cd ../aws-vmseries-gwlb-poc/terraform/vmseries
terraform output FIREWALL_IP_ADDRESS

 

Fig 2_AWS-Gateway-Load-Balancer_palo-alto-networks.png
  • Copy the URL in the response of the above command and paste it on the browser tab.
  • Login using the credentials provided.
Username – admin
Password – Paloalto@1

 

Policies

  • The firewall is bootstrapped with two policies:

 

    • allow-all
    • explicit-deny
Fig 3_AWS-Gateway-Load-Balancer_palo-alto-networks.png

 

Logging

Fig 4_AWS-Gateway-Load-Balancer_palo-alto-networks.png

 

Connecting to the servers

  • You can connect to the servers directly by selecting the server and clicking in "Connect" on the EC2 console. Ensure that the login name is "ec2-user".
  • Alternatively, you can also connect to the servers directly from your terminal using the SSH private key that you downloaded as part of the Prerequisites.
  • You could also use AWS CLI to connect to the servers by running the below command; 
aws ec2-instance-connect ssh --instance-id <instance-id>

 

Sample Activities

  • Add/Update the Security policies to allow/deny ssh traffic.
    • Verify by trying to connect to the servers.
  • Add/Update the Security policies to allow/deny ICMP traffic.
    • Verify by trying to ping one server from the other.
  • Update the Vulnerability Protection on the allow security policy to “strict”.
    • Verify by trying to download the malware file on any one of the servers.
wget http://www.eicar.org/download/eicar.com.txt
  •  You should see the Threat log on the Firewall as shown below.
Fig 5_AWS-Gateway-Load-Balancer_palo-alto-networks.png

 

Steps to Teardown

Run the following commands to tear down the PoC lab:

 

cd ../aws-vmseries-gwlb-poc/terraform/vmseries
terraform destroy -auto-approve

 

While running the 1st command, make sure that you are in the root folder of the cloned Github repository.

 

References

Rate this article:
Comments
L1 Bithead

kepe getting this error :

 

Error: no matching EC2 Key Pair found

│ with module.vulnerable-vpc.data.aws_key_pair.key_name,
│ on ../modules/vpc/main.tf line 154, in data "aws_key_pair" "key_name":
│ 154: data "aws_key_pair" "key_name" {

 

can i modify the main.tf ?

L1 Bithead

Hello @VSingh26,

Absolutely. Once you have downloaded the code,  you can make modifications relative to your environment as required. 

  • 6662 Views
  • 2 comments
  • 0 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎09-06-2023 11:58 AM
Updated by: