05-07-2014 01:36 PM
Hi all,
We are working on moving some of our servers to AWS, and they require 2 redundant VPN tunnels to be configured with our network. Amazon suggested terminating the VPN on the Internet edge router because the VPN redundancy requires BGP. Between the Internet edge router and the Palo Alto firewall, it is unprotected (but it will be on our physical premises).
I have suggested to the project team to terminate the VPN on the Palo Alto instead. However, in this case, the PA3020 has to run BGP, which is supported. My questions are:
- whether running BGP will have a significant impact on performance?
- As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces, totally segregated from existing firewall traffic but still performing traffic inspection. Does this work?
Do you have any best practice and recommendations for this VPN connectivity?
Thanks!
FYI:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
vs.
05-07-2014 02:16 PM
Hello Peterpan,
- whether running BGP will have a significant impact on performance?
Ans: It depends upon how many routes you have in your PAN routing table. Generally speaking, if you configure BGP on a PAN firewall and have a route filter to import and export a limited number of routes from the PAN firewall, it would not take many CPU cycles from the PAN management plane.
--As the existing firewall traffic does not run BGP, my plan is to run this AWS VPN on a different virtual router with 2 separate external and internal interfaces totally segregated from existing firewall traffic but still performs traffic inspection. Does this work?
Ans: Yes, it will work perfectly. Creating another virtual router means the PAN firewall will create another routing table (segregation of routing tables).
--Do you have any best practice and recommendations for this VPN connectivity?
Ans: VPN traffic will be encrypted with an ESP/AH header. Hence an extra layer will be added on top of the packet, so adjusting the TCP MSS or reducing it to 1420 will be a good practice. Secondly, using a longer encryption key (AES-256, 3DES) might bring latency during traffic flow, because it will take more CPU cycles to encrypt/decrypt traffic on the PAN firewall. I would recommend you to use AES-128 on both VPN gateways.
Hope this helps.
Thanks
05-07-2014 08:32 PM
Thanks for the great answer. By BGP filtering, do you mean implementing BGP filtering on the Edge router or on the PAN itself (an available feature?)?
Another question is whether I should insist VPN termination on the firewall and not the Internet edge router as the latter is Amazon's authoritative recommendation but NIST has some caution against it. I look like an idiot to our team because Amazon is God to them.
05-07-2014 10:37 PM
Hello Peterpan,
1) I am talking about route filter implementation on the PAN firewall itself. PAN has the capability to filter routes (advertised by BGP peers) and accordingly install them into its RIB/routing table (routing information base).
These docs might help you to implement BGP:
How to Configure BGP Route Filtering
How to Perform Route Filtering with BGP
2) How many VPN tunnels are you planning to terminate on the PAN firewall?
Thanks
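The two replies above recommend a BGP import filter so that the firewall only installs a limited, expected set of routes from the AWS tunnel peers. The following is an added example, not code from this thread or from Palo Alto Networks; it models in Python what such an import policy decides for a constructed batch of received prefixes (the VPC CIDR 10.50.0.0/16, the link-local next hops and the AS number 64512 are placeholders chosen for the example). It accepts only prefixes inside the agreed VPC range, refuses a default route, bounds the prefix length, requires the route to be originated by the peer AS, and caps the number of distinct prefixes installed; the resulting table shows the same VPC summary reachable through both redundant tunnels.

```python
import ipaddress

# Constructed sample of routes "received" from two AWS tunnel peers, as
# (prefix, next_hop, as_path). Values are placeholders for this example,
# not addresses or AS numbers from the thread.
RECEIVED_ROUTES = [
    ("10.50.0.0/16",   "169.254.10.1", (64512,)),        # VPC summary via tunnel 1
    ("10.50.0.0/16",   "169.254.10.5", (64512,)),        # same summary via tunnel 2
    ("10.50.3.0/24",   "169.254.10.1", (64512,)),        # a subnet inside the VPC
    ("0.0.0.0/0",      "169.254.10.1", (64512,)),        # default route: never install
    ("192.168.1.0/24", "169.254.10.5", (64512,)),        # outside the agreed VPC range
    ("10.50.7.0/29",   "169.254.10.5", (64512,)),        # more specific than policy allows
    ("10.50.9.0/24",   "169.254.10.1", (64512, 65000)),  # not originated by the peer AS
]


def import_policy(routes, allowed_supernet, peer_as, max_prefix_len=24, max_prefixes=16):
    """Apply a BGP import policy to received routes.

    Returns (accepted, rejected); rejected entries are (route, reason).
    A prefix learned over both tunnels counts once toward max_prefixes so
    that redundancy does not eat into the limit.
    """
    supernet = ipaddress.ip_network(allowed_supernet)
    accepted, rejected = [], []
    installed_prefixes = set()
    for route in routes:
        prefix, _next_hop, as_path = route
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            rejected.append((route, "default route"))
        elif not net.subnet_of(supernet):
            rejected.append((route, "outside allowed range"))
        elif net.prefixlen > max_prefix_len:
            rejected.append((route, "prefix too long"))
        elif as_path != (peer_as,):
            # Only routes originated directly by the peer AS are trusted.
            rejected.append((route, "unexpected AS path"))
        elif prefix not in installed_prefixes and len(installed_prefixes) >= max_prefixes:
            rejected.append((route, "prefix limit reached"))
        else:
            installed_prefixes.add(prefix)
            accepted.append(route)
    return accepted, rejected


def build_rib(accepted):
    """Group accepted routes by prefix: prefix -> sorted list of next hops.
    Two next hops for one prefix means both tunnels can carry it."""
    rib = {}
    for prefix, next_hop, _as_path in accepted:
        rib.setdefault(prefix, set()).add(next_hop)
    return {prefix: sorted(hops) for prefix, hops in rib.items()}


if __name__ == "__main__":
    ok, dropped = import_policy(RECEIVED_ROUTES, "10.50.0.0/16", 64512)
    for prefix, hops in build_rib(ok).items():
        print(f"install {prefix:16} via {', '.join(hops)}")
    for (prefix, next_hop, _), reason in dropped:
        print(f"reject  {prefix:16} from {next_hop}: {reason}")
```

On the firewall itself the equivalent decisions are expressed as BGP import rules on the virtual router, as the linked route-filtering docs describe; the point of the model is to make the policy explicit before it is typed in: a tight supernet match plus a prefix limit keeps the AWS virtual router's table small, which is what keeps the BGP process cheap on the management plane.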
05-08-2014 05:34 AM
Amazon requires 2 VPN tunnels per firewall (and we have 2 firewalls). We have around a dozen tunnels, but they are quite low traffic.
Thanks a lot for your great reply!!