Saucepan

User Tools

Site Tools

Trace: zone_protection firewall-hardware certificates panos_versions dns_sinkhole vmware_workstation aws_transit_gateway useful_security_policies set_commands url_override
paloaltonetworks:vmseries:aws_transit_gateway

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:vmseries:aws_transit_gateway [2021/01/05 11:49] – [Configure Firewall BGP] bstaffordpaloaltonetworks:vmseries:aws_transit_gateway [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 3: Line 3:
  
 In this lab, we have three VPCs. Security, Spoke1 and Spoke2. In this lab, we have three VPCs. Security, Spoke1 and Spoke2.
 +
 +
 +
  
  
Line 68: Line 71:
     * lab-eip-security-fw1-public -> lab-eni-security-fw1-public with private IP as 10.0.11.5     * lab-eip-security-fw1-public -> lab-eni-security-fw1-public with private IP as 10.0.11.5
     * lab-eip-security-fw2-public -> lab-eni-security-fw2-public with private IP as 10.0.21.5     * lab-eip-security-fw2-public -> lab-eni-security-fw2-public with private IP as 10.0.21.5
 +
 +On Security VPC, we need two route tables. 
 +  * One public with 0.0.0.0/0 as IGW public subnet gets this
 +  * One private with 0.0.0.0/0 as IGW and 10.0.0.0/8 as Transit VPC management subnet get this.
 +
 +
 ===== Login to Firewalls ===== ===== Login to Firewalls =====
 By this point your VM firewalls should have booted. Now that they have public IP addresses, try and HTTPS to them. By this point your VM firewalls should have booted. Now that they have public IP addresses, try and HTTPS to them.
Line 77: Line 86:
  
 Remember, if the management security group has been correctly configured, only your public IP (home/office?) will be able to establish SSH/HTTPS sessions to the firewall management interfaces. Remember, if the management security group has been correctly configured, only your public IP (home/office?) will be able to establish SSH/HTTPS sessions to the firewall management interfaces.
 +
 ===== Configure the Firewalls ===== ===== Configure the Firewalls =====
 Setup the firewall with basic managment settings. The AWS DNS server is 169.254.169.253. Setup the firewall with basic managment settings. The AWS DNS server is 169.254.169.253.
Line 189: Line 199:
   * FW2 - Tunnel 1 -169.254.21.6   * FW2 - Tunnel 1 -169.254.21.6
   * FW2 - Tunnel 2 -169.254.21.6   * FW2 - Tunnel 2 -169.254.21.6
 +
 +For each tunnel interface, set the tunnel interface MTU to 1427.
  
 Create an IKE Crypto profile on both firewalls called "ike-aes-256-sha256-dh14" Create an IKE Crypto profile on both firewalls called "ike-aes-256-sha256-dh14"
Line 228: Line 240:
 Peer Group – Create one peer group on each firewall virtual router Peer Group – Create one peer group on each firewall virtual router
   * Name: pg-aws-tgw.    * Name: pg-aws-tgw. 
 +  * Enabled : True
 +  * Aggregated Confed AS Path : True
 +  * Soft Reset With Stored Info : False
   * Type: eBGPG.   * Type: eBGPG.
   * Import Next Hop: Use Peer   * Import Next Hop: Use Peer
   * Export Next Hop : Use Self   * Export Next Hop : Use Self
 +  * Remove Private AS : No
 +
 +On each firewall, configure two peers within the peer group. When configuring a peer, the "Connections Options" should be as follows:
 +  * Auth Profile: None (not supported on AWS)
 +  * Keep Alive Interval (Sec) : 10
 +  * Multi Hop : 0
 +  * Open Delay Time (sec) : 0
 +  * Hold Time (sec) : 30
 +  * Idle Hold Time (sec) : 15
 +  * Min Route Advertisement Interval (sec) :30
  
 Redistribution: Create a redistribution profile to redistribute Static routes. Mark the "Set Origin" as incomplete. The only static route should be the default route. Redistribution: Create a redistribution profile to redistribute Static routes. Mark the "Set Origin" as incomplete. The only static route should be the default route.
  
-We need two export rules to the same peer group. The default is done without any path pre-pending. The internal routes are prepended on the secondary firewall. The secondary firewall uses BGP prepending to make sure the neighbouring VPCs prefer the primary firewall for routing. In the PAN-OS GUI, this is set this under <code>Virtual Router->BGP->Export->(For each entry)->Action->AS Path->Type = Prepend. Value = 1</code>+We have one import rule that is used by the peer group. Set action to allow and list the specific prefixes. 10.0.0.0/16, 10.1.0.0/16, 10.10.0.0/16, 10.20.0.0/16 and 10.0.0.0/12. No need to say that it has to be an exact match. 
 + 
 +We need two export rules where both are to the same peer group. The default is done without any path pre-pending. That rule exports the default route and the public subnet route. Note that both firewalls will need to be unique. Firewall 1's first rule will export 0.0.0.0/0 and 10.0.11.0/24 while firewall 2's first rule will export 0.0.0.0/0 and 10.0.21.0/24. This ensures that the spokes can connect to the correct public subnets where needed. 
 + 
 +The second export rule exports 10.0.0.0/8. The internal routes are prepended on the secondary firewall. The secondary firewall uses BGP prepending to make sure the neighbouring VPCs prefer the primary firewall for routing. In the PAN-OS GUI, this is set this under <code>Virtual Router->BGP->Export->(For each entry)->Action->AS Path->Type = Prepend. Value = 1</code> 
 + 
 +===== Create Spoke VPCs ===== 
 +Create spoke VPCs  
 +  * lab-vpc-spoke1 (10.10.0.0/16) 
 +  * lab-vpc-spoke2 (10.20.0.0/16) 
 +Rename VPC default Route tables 
 +  * lab-rt-spoke1-main 
 +  * lab-rt-spoke2-main 
 +Create Security Groups 
 +  * lab-sg-spoke1-main 
 +  * lab-sg-spoke2-main 
 +Both security groups should allow tcp-22 and tcp-80 and icmp-ipv4 inbound from 10.0.0.0/16 10.1.0.0/16 10.10.0.0/16 10.20.0.0/16. 
 + 
 + 
 +lab-vpc-spoke1 (10.10.0.0/16) 
 +  * lab-subnet-spoke1-web-a (10.10.10.0/24) availability zone A 
 +  * lab-subnet-spoke1-web-b (10.10.20.0/24) availability zone B 
 +lab-vpc-spoke2 (10.20.0.0/16) 
 +  * lab-subnet-spoke2-web-a (10.20.10.0/24) availability zone A 
 +  * lab-subnet-spoke2-web-b (10.20.20.0/24) availability zone B 
 + 
 +Add Linux VM to lab-subnet-spoke1-web-a lab-vm-spoke1-web-a1 and use spoke1 security group 
 + 
 +===== Spoke VPC to TGW ===== 
 +Under VPC, create a VPN transit Gateway attachment. 
 + 
 +  * lab-tgwrt-spoke needs to be associated with both spoke VPC attachments. 
 +  * lab-tgwrt-security needs to be propagated with both spoke VPC attachments need to export default route and then also export Spoke routes. 
 + 
 +Security Routing table is associated with both VPNs and the firewall VPC. 
 + 
 +Then the security routing table is propagated for both VPNs and the firewall VPC. 
 + 
 +The Spoke VPCs are attached to a separate route table so you can select which routes are propagated to them to control east/west traffic flow. If you are not doing east-west security, you could use one transit gateway route table. 
 + 
 +This means that spoke1 and spoke2 VPCs are "attached" to the lab-rt-tgw-spoke route table and the security VPC is "attached" to the lab-rt-tgw-security" route table. The Firewall VPN tunnels are also attached to the lab-rt-tgw-security route table. 
 + 
 + 
 +Create two VPC attachement in TWG 
 +lab-tgwattach-hub-spoke1-vpc - include both subnets 
 +lab-tgwattach-hub-spoke2-vpc - include both subnets 
 + 
 +Associate these two spoke attachments to the spoke route table. 
 +In spoek route table, propogate to security VPC 
 +In security, propogate to spoke1, and spoke2 
 + 
 +Update both spoke1 route table and spoke2 route table to use TGW as default route 
 + 
 +===== Inbound Load Balancer ===== 
 +AWS Load Balancer - must have one listener and supports up to 10. Routing tables are defined on listeners. Listener is the portal and port on which the load balancer listens for incoming connection. 
 + 
 + 
 + 
 +Create a load balancer. Create a listener for port 80 and a target group for that port 80. Create a second listener for 22 and a target group for 22. 
 + 
 + 
 + 
 +Remember, when you deploy a public load balancer that points at the firewall public interface private IP addresses, the health probe with come from the load balancer's ip in the same subnet. This is assigned at random and you will need to check the logs to find out what it is. 
 + 
 +When you add extra IP addresses onto the firewall public interface, make sure you DNAT these to a loopback  
 + 
 +load balancer listener 22 and 80 with target being the new extra Ip on both firewalls. Configure both firewalls to DNAT their extra IP to the same backend IP. 
 +Remember the load balancer - you just configure tcp-80. It is the target groups that you need to open up the other port (22 3389,etc). 
 + 
 +<code>sudo yum update -y; sudo amazon-linux-extras install nginx1 -y; sudo service nginx start</code> 
 + 
 +Remember: for inbound NAT via load balancer, we need to translate to FQDN 
 +Remember: The AWS external load balancer translates the source of the traffic. 
 +The deploy a public network load balancer under EC2 
 +Name: lab-nlb-public-1 
 +Add TCP80 and TCP22 as listeners 
 +VPC = security. 
 +Subnet = public a and public b.  
 +Assign IP by AWS. 
 + 
 +Create a target group 
 +Name; lab-tg-web 
 +Target type: IP 
 +health check protocol and path "http" "/" 
 +advanced health check settings - interval 10 seconds 
 + 
 +add targets for VPC security as 10.0.11.5 and 10.0.21.5 
 + 
 + 
 + 
 +===== Clone Firewall Configuration ===== 
 +If you export the firewall 1 configuration and import it into firewall 2, you can load the configuration using the following commands. In this case we assume the imported configuration file is called **working.xml**. 
 +<code>load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge from working.xml  
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge from working.xml  
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service mode merge from working.xml  
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service-group mode merge from working.xml  
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application mode merge from working.xml  
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-group mode merge from working.xml  
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-filter to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-filter mode merge from working.xml  
 + 
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security mode merge from working.xml  
 +load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/nat to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/nat mode merge from working.xml</code> 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
 + 
  
  
paloaltonetworks/vmseries/aws_transit_gateway.1609847355.txt.gz · Last modified: (external edit)