cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PA firewall traffic to AWS API gateway

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
charles07
L2 Linker
‎09-07-2020 06:19 AM
‎09-07-2020 06:19 AM

PA firewall traffic to AWS API gateway

Planning to secure AWS infra using a VM firewall Palo Alto. Main AWS components are API Gateway & Lambda.
Traffic from external network (public) comes to API gateway and to lambda. Is it possible to route incoming traffic via PA firewall to API gateway.

0 Likes
Reply
jmeurer
L4 Transporter
‎09-07-2020 09:26 AM
‎09-07-2020 09:26 AM

The way I have solved this in the past is to configured the API Gateway with a private endpoint in the firewall VPC.  Configure the the firewall pool behind a Public ALB to serve as you front end with your desired app cert.  Use a source and destination NAT rule to forward that traffic through the firewalls to the API GW endpoint FQDN.

 

One nuance, if you intend to decrypt the traffic on the way through use a SSL Forward Proxy decryption profile rather than the more intuitive Inbound Decrypt profile.  The API gateway does not allow you to load a custom cert when using a private endpoint.  By flipping the profile, you can get around the SSL handshake errors.  The ALB will ignore the self signed cert warning.

0 Likes
Reply
charles07
L2 Linker
‎09-08-2020 02:50 AM
‎09-08-2020 02:50 AM

Thank you @jmeurer 

I was exploring around the method you said, could not get it done. Could you please help with the steps you followed?

Create Private APi

Private endpoint

......

 

Finally how was it linked with Palo Alto/Firewall DNAT.

0 Likes
Reply
jmeurer
L4 Transporter
‎09-08-2020 06:15 AM
‎09-08-2020 06:15 AM

I used this guide.

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

 

When the private endpoint is created, it will have a zone redundant FQDN assigned to it.  You use that FDQN as our destination in the NAT rule.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/nat/configure-nat/configure-des...

 

You do also need a source nat on the same rule to ensure the proper return path from the api GW to the firewall.  That would typically be your trust side interface address.

0 Likes
Reply
charles07
L2 Linker
‎09-10-2020 08:59 AM
‎09-10-2020 08:59 AM

@jmeurer your reply is helping. I tried the following;

1. Create a sample lambda function of pet store - http://petstore-demo-endpoint.execute-api.com/petstore/pets

2. Created VPC endpoint

3. Created private REST API and attached endpoint

4. Created DNAT in PA with destination as VPC endpoint

 

**PA LAN and VPC endpoint are in same subnet

Now I called the URL http://PAWANIP/petstore/pets

 

Tried diff URLs, patterns, https nothing worked. Is there anything wrong in the method done. 

0 Likes
Reply
jmeurer
L4 Transporter
‎09-10-2020 09:29 AM
‎09-10-2020 09:29 AM

Did you add a source translation to the NAT rule with the firewall's interface address?  Otherwise the endpoint will try to respond directly to the original client IP.

 

If you spin up a bastion host in the VPC, can you access the end point?  It could an SG on the endpoint not allowing the traffic in.

 

0 Likes
Reply
charles07
L2 Linker
‎09-10-2020 10:38 AM
‎09-10-2020 10:38 AM

Thank you @jmeurer 

I did create an SNAT from internal to external with external interface IP.

DNAT from PA to an EC2 in AWS is working

I checked SG of API gateway, endpoint, lamda. It's all full allow.

 

Are the steps I followed correct? 

Is the URL I used to call lambda correct?

0 Likes
Reply
jmeurer
L4 Transporter
‎09-10-2020 11:07 AM
‎09-10-2020 11:07 AM

That SNAT flow does not sound correct.   The NAT rule that Destination Nats the traffic to Endpoint, should also have source translation set to the internal interface.  

 

Would you mind posting screen shots of the nat rule.

0 Likes
Reply
charles07
L2 Linker
‎09-11-2020 06:51 AM
‎09-11-2020 06:51 AM

APIGW2.JPG

APIGW.JPG

AWS2.JPG

AWS1.jpg

endpoint.jpg

SourceNAT1.JPG

DNAt2.JPG

DNAT1.JPG

SourceNAT2.JPG

FWlog.jpg

FWrule1.jpg

0 Likes
Reply
jmeurer
L4 Transporter
‎09-11-2020 07:02 AM
‎09-11-2020 07:02 AM

Assuming your IP specified it the Untrust IP and Eth1/2 is your Trust side interface, your NAT rule translated tab should look like this.  This indicates that we are sending the traffic on to the API Endpoint and setting the source IP to be the internal interface of the firewall so that they endpoint knows where to respond to.

 

jmeurer_0-1599832887506.png

 

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks