AWS Palo Alto and Configuring Interfaces

Reply
Highlighted
L4 Transporter

AWS Palo Alto and Configuring Interfaces

I'm new to AWS, but not new to Palo Alto. We are at the initial phases of building out our AWS environment. I'm getting familiar with AWS but not an expert by any means. I thought I'd start with a trial version of Palo Alto for AWS. At any rate, I've followed some Palo Alto documentation (Set Up the VM-Series Firewall in AWS) to get things rolling. I created a public subnet, an ENI, attached them to the Palo Alto instance and got this specific ENI working within the VM (the link eth1/2 shows up), but I can't ping it, HTTPs to it or anything (all security groups and filtering are wide open on the AWS side) and interface mgmt configured to allow this on the VM side. This is my first problem.

 

My second problem is, I tried creating another ENI for the "public/untrust" (eth1/1) facing interface on the PA and it raised a dozen questions How do I do this? Do I need a seperate AWS subnet for this interface? Should it be private or public subnet if I need a new one? Do I need to attach the ENI to an EIP then to the instance so the ENI has a public IP? Do I configure the public IP on the PA VM or the private IP? Are the configurations supposed to be static (and I match the AWS assigned IPs)? The documentation doesn't clarify any of this. Perhaps these are things they assume we should know.

 

If anybody has experience with this and willing to share (with some detail) how it was setup in your environment I'd appreciate it.

Highlighted
L1 Bithead

Re: AWS Palo Alto and Configuring Interfaces

Before deploying a VM-Series into AWS, you should configure three subnets (management, untrust, and trust) as well as three interfaces corresponding to those subnets.

 

Attach those interfaces to the VM-Series as you are deploying it - eth0 (first interface configured) should be on the management network.  I usually make eth1 my untrust interface and eth2 is my trust interface.

 

When the instance comes up, ethernet1/1 in the firewall maps to eth1 and ethernet1/2 maps to eth2.  If you configure the interfaces in the firewall management GUI to match the configuration in the AWS portal, you should be ready to go.  You can also set the interfaces to DHCP and they should get the appropriate IP addresses assigned automatically.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!