This article provides the steps to setup, demonstrate and teardown the Palo Alto Networks' VM-Series Next Generation Firewalls on AWS in integration with the AWS Gateway Load Balancer. This integration is the recommended design on AWS and you can find more information about the integration on the official documentation portal here.
This article is intended for anyone who wishes to get some hands-on experience with the VM-Series appliance on AWS, an understanding of how automation can be leveraged to easily deploy and bootstrap the firewalls and also how the integration of the Gateway Load Balancer, Transit Gateway and the VM-Series firewall works.
Prerequisites
- An AWS Account with the following permissions:
- Subscribe to services on the AWS Marketplace.
- Create, Delete all networking resources like VPCs, Subnets, Route tables, etc.
- Create, Delete EC2 instances, Elastic IPs.
- Optional: AWS CloudShell for executing the setup script.
- If you do not have access to AWS CloudShell, then additionally you would also need:
- Git and Terraform installed
- AWS Access Key and Secret Keys
- SSH Key-Pair to connect to the EC2 Instances.
- Optional: AWS CLI to configure the AWS credentials
Things to Consider
- This PoC deploys a PAYG version of the VM-Series appliance from the AWS Marketplace, so there is no additional licensing required. Free trial available for 15 days.
- The automation in this PoC bootstraps the VM-Series NGFW with bare minimum configuration. The bootstrapping is done using AWS S3 bucket which is also created as part of the setup.
- The VM-Series NGFW deployed in this PoC secures Inbound, Outbound and East-West traffic to 2 Linux servers connected as spokes through a Transit Gateway.
- This PoC can be deployed in any region, provided the VM-Series PAYG Bundle 2 appliance is available in that region.
- Autoscaling is not included in this PoC.
- Panorama is not included in this PoC.
Steps to Deploy
With AWS CloudShell
- Login to your AWS Account
- Open “AWS Marketplace Subscriptions” and Subscribe to the VM-Series PAYG service at the following link.
- Open AWS Cloud Shell and make sure that your workspace is clean.
- This is because disk size on CloudShell is limited and terraform would need to download modules required for resource deployment.
- Clone the GitHub repository.
git clone https://github.com/PaloAltoNetworks/aws-vmseries-gwlb-poc.git && cd aws-vmseries-gwlb-poc
./setup.sh
Without AWS CloudShell
- Login to your AWS Account
- Open “AWS Marketplace Subscriptions” and Subscribe to the VM-Series PAYG service at the following link.
- Create an SSH Key-Pair and download the private key.
- Configure the IAM policies for the account and download the Access Key and Secret Key credentials.
- Now, on your local workspace, where Git and Terraform has been installed, clone the GitHub repository.
git clone https://github.com/PaloAltoNetworks/aws-vmseries-gwlb-poc.git && cd aws-vmseries-gwlb-poc/terraform/vmseries
- Open the file named “student.auto.tfvars”.
vi student.auto.tfvars
- Update the following variables on the file with the appropriate values.
access-key = ""
secret-key = ""
region = ""
ssh-key-name = ""
- Run the following commands.
terraform init
terraform plan <<<< Ensure that there are no errors seen in the response of this command.
terraform apply -auto-approve
Lab Topology
VM-Series Walkthrough
Login
- On the AWS CloudShell terminal or your local workspace from where you ran the terraform commands, run the following commands to get the VM-Series URL.
cd ../aws-vmseries-gwlb-poc/terraform/vmseries
terraform output FIREWALL_IP_ADDRESS
- Copy the URL in the response of the above command and paste it on the browser tab.
- Login using the credentials provided.
Username – admin
Password – Paloalto@1
Policies
- The firewall is bootstrapped with two policies:
Logging
Connecting to the servers
- You can connect to the servers directly by selecting the server and clicking in "Connect" on the EC2 console. Ensure that the login name is "ec2-user".
- Alternatively, you can also connect to the servers directly from your terminal using the SSH private key that you downloaded as part of the Prerequisites.
- You could also use AWS CLI to connect to the servers by running the below command;
aws ec2-instance-connect ssh --instance-id <instance-id>
Sample Activities
- Add/Update the Security policies to allow/deny ssh traffic.
- Verify by trying to connect to the servers.
- Add/Update the Security policies to allow/deny ICMP traffic.
- Verify by trying to ping one server from the other.
- Update the Vulnerability Protection on the allow security policy to “strict”.
- Verify by trying to download the malware file on any one of the servers.
wget http://www.eicar.org/download/eicar.com.txt
- You should see the Threat log on the Firewall as shown below.
Steps to Teardown
Run the following commands to tear down the PoC lab:
cd ../aws-vmseries-gwlb-poc/terraform/vmseries
terraform destroy -auto-approve
While running the 1st command, make sure that you are in the root folder of the cloned Github repository.
References
