AWS Gateway Load Balancer

Panorama - use c5.4xlarge (16CPU and 32 GB of RAM). This is okay for managment mode only. However, if you want Panorama mode, you will need 16 CPU and 32 RAM and Panorama will only detect the c5.4xlarge as having 31 GB of RAM even though it has 32. This will cause an annoying popup on every login. (NOTE: I didn't see this issue on PAN-OS 10.2.3)

• Panorama-AWS-10.1.5-h1-f264c750-1102-41c9-a14d-b54ea51780e4
• ami-0e7d693c0e72ad111

AWS CLI command to get AMI for PAN-OS 10.1.7 in region eu-west-1.

aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json

Or, even better

aws ec2 describe-images --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" Name=name,Values=PA-VM-AWS*10.1.7*  --region eu-west-1 --output json | grep ImageId | awk -F "\"" '{print $4}'

because –query Images.ImageId didn't work.

Values specifies BND1, BND2 or BYOL

• BND1 = e9yfvyj3uag5uo5j2hjikv74n
• BND2 = hd44w1chf26uv4p52cdynb2o
• BYOL = 6njl1pau431dv1qxipg63mvah

vm-series-auto-registration-pin-id=
vm-series-auto-registration-pin-value=

c5.12xlarge is more expensive but has 48vCPU and 96GB RAM.

request system system-mode panorama

show system info | match system-mode

Create the security and spoke VPCs

For each spoke VPC, create the “instances” subnet and the “tgw” subnet. You will want a “tgw” subnet in each availability zone.

Create security groups for each VPC. All “all traffic” from RFC1918.

Create Transit Gateway with ASN = ?. Make sure you clear “Default route table association” and “Default route table propagation”.

Create two transit gateway route tables called “security” and “spokes”

Each spoke VPC needs a custom route table to point 0.0.0.0/0 at the TGW. Associate that route table to the two “instance” subnets in the VPC.

Create security VPC

Create security subnets

• AZa
  • security-mgmt-2a 10.100.0.0/24
  • security-fw-2a 10.100.1.0/24
  • security-public-2a 10.100.2.0/24
  • security-tgw-2a 10.100.3.0/24
  • security-gwlbe-2a 10.100.4.0/24
  • security-gwlb-2a 10.100.5.0/24
• AZb
  • security-mgmt-2b 10.100.64.0/24
  • security-fw-2b 10.100.65.0/24
  • security-public-2b 10.100.66.0/24
  • security-tgw-2b 10.100.67.0/24
  • security-gwlbe-2b 10.100.68.0/24
  • security-gwlb-2b 10.100.69.0/24

Create a VPC Internet Gateway and then attach it to the security VPC

Create Transit Gateway Attachments for each spoke VPC. Make sure you peer with the two “tgw” subnets.

Create Transit Gateway Attachments for the secuirty VPC.

• security - peer with security-tgw-2a and security-tgw-2b
• THEN ENABLE APPLIANCE MODE on the attachment.
  • copy the Transit Gateway attachment ID (NOT the transit gateway id - it must be the attachment ID). e.g. tgw-attach-0d40dbe0417e1c4ba
  • launch AWS Cloud Shell
  • aws ec2 modify-transit-gateway-vpc-attachment –transit-gateway-attachment-id tgw-attach-0d40dbe0417e1c4ba –options ApplianceModeSupport=enable

You must enable appliance mode on the attachments in the securi ty VPC in order to ensure that traffic routes through the same attachment zone even when the source an d destination of the traffic are in different zones. If appliance mode is not enabled, it is possibl e to have asymmetric traffic flowing through different firewalls, which the firewalls drop.

Associate Attachments to Route Tables

• Edit 'security' transit gateway route table
  • Create association with the security VPC
  • Create propergation with the security VPC
  • Create propergation for the spoke VPC
• Edit 'spokes' transit gateway route table
  • Create propergation with the security VPC
  • Create association for the spoke VPCs
  • Create static default route pointing at security VPC

Edit 'spokes' TGW route table and create static route 0.0.0.0/0 pointing at the security attachment

Probably don't need this bit as we create the target group as we create the Load Balancer.

Create Target Group (under EC2 instead of VPC)

• Name: firewalls
• Target Type: Instance
• Protocol: HTTPS.
• Port: 443
• VPC: Security
• Health check settings:
  • Protocol: HTTPS
  • Path: /php/login.php
  • Expand Advanced health check settings.
    • In the Port box, enter 443.

Create Gateway Load Balancer (under EC2 instead of VPC)

• Name: demo-gwlb
• Associate with security VPC and with the secuirty-gwlb-2a and secuirty-gwlb-2b subnets
• Click Next: (actually, AWS seems to have merged two pages so “next” at this bit may not be needed.)
• Create new target group
• Name: firewalls
• Target type: Instasnce — no no no. IP Address shoudl be the target type
• Protocol: Port = GENEVE : 6081
• Healthchecks = HTTPS
• Path = /php/login.php
• Expand Advanced health check settings.
  • In the Port box, enter 443.
• Click next
• Ignore register targets as they don't exist yet.
• Click next and finish

• Now you have to enable cross zone load balancing.
• Open demo-gwlb. In the action slist, click Edit atrributes.
• Enable Cross Zone Load Balancing.

Create Endpoint Service (back in VPC)

• Load balancer Type = Gateway and select the gateway you created.
• Leave “Acceptance Required” enabled.
• Copy the SERVICE NAME of the object.

Create Endpoint

• Service Cateogry: “Other endpoint services”
• Service name (paste in and then click Verify service) com.amazonaws.vpce.eu-west-1.vpce-svc-0a43607b111111111
• set VPC
• add subnet demo-prod-gwlbe-1a (AWS limitation - Only one subnet can be specified for GatewayLoadBalancer type VPC Endpoint.)

• Repeat for demo-security-gwlbe02

• Now go to Endpoint services
• Select the endpoint.
• Near the bottom of the gui, select “Endpoint connections”.
• Select each connection and, under Action click “Accept Endptoin conection request”

Create VPC Route tables

• rename default security route table to security-default
• security-public 0.0.0.0/0 to IGW both public subnets
• security-mgmt 0.0.0.0/0 to IGW for both mgmt subnets. 10.255.0.0/16 to TGW for both MGMT subnets
• security-tgw-2a 0.0.0.0/0 to gateway loadbalancer endpoint gwlbe01 subnet tgw-2a
• security-tgw-2b 0.0.0.0/0 to gateway loadbalancer endpoint gwlbe02 subnet tgw-2b
• security-gwlbe 0.0.0.0/0 to TWG both gwlbe subnets

Create Security Groups (remember to add the tag 'Name' at the end with the name.)

• security-firewall-public no special rules. default will do. Block inbound. allow outbound
• security-firewall-managment allow icmp, ssh and https from your public IP
• security-firewall-private allow all traffic for health checks and also for UDP-6081 (GWLB GENEVE tunnel)

1. Go to AWS Marketplace
2. Search for “VM-Series Next-Generation Firewall (BYOL and ELA)”
3. Launch New Instance
4. Click “For older software versions, please visit the full AWS Marketplace website.”
5. Select firewall - PAN-OS 10.1.5-h1
   • Ami Id: ami-03fb807bf4124f4cb
   • Ami Alias: /aws/service/marketplace/prod-wugpib4atxp4y/pan-os-10.1.5-h1 Learn More New
   • Product Code: 6njl1pau431dv1qxipg63mvah
   • Region EU (Ireland)
6. Continue to Launch
7. Launch through EC2.

• Name: demo-security-pan1
• Application and OS Images (AMI): Should already be selected.
• Instance type: m5.xlarge for VM-300 (4CPU + 16GB).
• Key pair name: Set as appropriate. Create a new one if needed.
• Configure storage: leave this alone/blank.
• Advanced details:
  • EBS-optimized instance : set this to 'Enabled'
  • User data: plugin-op-commands=aws-gwlb-inspect:enable

type=dhcp-client
panorama-server=10.255.0.4
panorama-server-2=10.255.1.4
tplname=AWS-a stack
dgname=AWS
dns-primary=169.254.169.253
authcodes=XXXXXXXX
vm-auth-key=123456789012345
plugin-op-commands=aws-gwlb-inspect:enable,aws-gwlb-associate-vpce:vpce-
0903806b111111111@ethernet1/1.1,aws-gwlb-associate-vpce:vpce-0a81d66a111111111@
ethernet1/1.1,aws-gwlb-overlay-routing:enable
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes

Create four Elastic Network Interfaces

• fw-a-public security-public-2a 10.100.2.10 security-firewall-public
• fw-a-private security-fw-2a 10.100.1.10 security-firewall-private
• fw-b-public security-public-2b 10.100.66.10 security-firewall-public
• fw-b-private security-fw-2b 10.100.65.10 security-firewall-private

MAKE SURE AFTER YOU CREATE THEM THAT YOU SELECT EACH INTERFACE ONE-BY-ONE AND DISABLE Source/Dest CHECK.

Attach the network interface. Private to eth1 and public to eth2. To make this happen, add private first and then add public.

Create four public IP addreses and associated with the mgmt and public interfaces of the firewalls.

Log in and configure the boxes if you haven't bootstrapped them to Panoram.

Launch Instance

View Network Interfaces and be sure that each interface has a name (use descriptions above).

Wait for instance to finish deploying

use elastic IP to connect to firewall over ssh (admin@ipaddress) and use the key from the key pair to authenticate.

configure
set mgt-config users admin password
putapasswordhere
set deviceconfig system hostname panorama
set deviceconfig system timezone Europe/London
set deviceconfig system dns-setting servers primary 169.254.169.253
set deviceconfig system dns-setting servers secondary 1.1.1.1
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.uk.pool.ntp.org
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 1.uk.pool.ntp.org

commit
exit
request license api-key set key <key>
request license fetch auth-code <authcode>

Do main config. Eth1/1 is Trust. DHCP and don't accept default route. Find default gateway looking at the runtime DHCP data and then use that to create a route to it for 10.0.0.0/8 etc.

			Eth1/2 is Untrust. DHCP and accept default route.

create eth1/1.1 in trust and vr-1 and dhcp (no auto route) and mgmt interface with ping and https.

request plugins vm_series aws gwlb inspect enable yes

To enable overlay routing, run the following on the cli of each firewall.

request plugins vm_series aws gwlb overlay-routing enable yes

On the VM, enable Cloud Watch monitoring (Device → VM-Series)

• Create Interface Managment Profile imp-ping that allows Ping from anywhere.
• Create Interface Managment Profile imp-mgmt-ping that allows SSH, HTTPS and Ping from anywhere.
• Rename the default virtual router from 'default' to 'vr-main'.
• Create two security zones, sz-untrust and sz-trust.
• Configure ethernet1/1 as a member of sz-trust, vr-main with imp-mgmt-ping. Set IPv4 to DHCP and “Automatically create default route”. Also tick “Send Hostname”.
• Configure ethernet1/2 as a member of sz-untrust, vr-main with imp-mgmt-ping. Set IPv4 to DHCP and NOT “Automatically create default route”. Also tick “Send Hostname”.
• Create default log forwarding profile and default security group.

request plugins vm_series aws gwlb disassociate vpc-endpoint vpce-0415cb80111111111 interface ethernet1/1
request plugins vm_series aws gwlb disassociate vpc-endpoint vpce-0479d893222222222 interface ethernet1/1
request plugins vm_series aws gwlb associate vpc-endpoint vpce-0415cb222222222 interface ethernet1/1.1
request plugins vm_series aws gwlb associate vpc-endpoint vpce-0479d8222222222 interface ethernet1/1.1

request plugins vm_series aws gwlb overlay-routing enable yes

show plugins vm_series aws gwlb

000710007935

Create VPC Customer Gateway definition of remote IP Then create Virtual Private Gateway Create site-to-site VPN Connection

• myremotesite-vpn
• Target gateway type - transit gateway (select our main transit gateway)
• Customer gateway - remote-site-home
• routing options - static
• local and remote IPv4 network CIDR - for this lab I left it blank
• Tunnel 1 you can select a 169.254.0.0/16 range 169.254.77.12/30 and PSK
• Tunnel 2 you can select a 169.254.0.0/16 range 169.254.78.12/30 and PSK
• You can also edit options
  • phase 1 and phase 2 ase128, ase256, aes128-gcm-16, aes265-gcm-16
  • phase 1 and phase 2 - sha, sha2-256, sha2-348, sha2-512
  • phase 1 - dh 2, 14,15,16,17,18,19,20,21,22,23,24
  • phase 1 - dh 2,5,14,15,16,17,18,19,20,21,22,23,24
  • ike1 and 2 available
  • phase 1 lifetiem 28,800 (8 hours)
  • phase2 lifetime 3,600 seconds (1 hour)

I made it IKE2 only on the site firewall.

Create and find out the public IP under tunnel > Tunnel details

Create VPN at third party site

Update transit gatewy attachment that was automatically created and make sure it is names correctly for readability (e.g. site1)

after adding panorama, had to add panorama vpc to TGW as a spoke. Also had to create association to panorama vpc in spoke attacment and a propogation to panorama on security attagement.

Remember - On the Palo firewalls, set the MTU of the VPN tunnel interface to 1427 and set the /30 IP address using the AWS downloadable config as a reference for which IP to use (it will probably be the higher IP in the /30).

Create a static route in the secuity route table on the TGW in AWS that points 192.168.0.0/16 to the site1 VPN attachment.

Secuity

Associations:
	vpc-security
Propergations:
	vpc-web
	vpc-db
	vpc-management
	vpc-security
	vpn-site1
Routes:
	summary of web vpc should be visible thanks to propagations
	summary of db vpc should be visible thanks to propagations
	summary of management vpc should be visible thanks to propagations
	summary of security vpc should be visible thanks to propagations
	static route to Site 1 pointing at the site1 VPN object should be created

Spokes

Associations:
	vpc-web
	vpc-db
	vpc-management
	vpn-site1
Propergations:
	vpc-security
Routes:
	summary of security vpc should be visible thanks to propagations
	static route 0.0.0.0/0 pointing at the security VPC should be created
	

When creating VPN with BGP to third party

• For each VPN that you do dynamic routing in, create a dedicated route table and attach the VPN to it.
• Then propergate only those VPCs whose routes you want to share with your new VPN.
• Associate with the VPN peer.

Association = Who gets these routes

Propergations = What routes get installed

When we connect GlobalProtect firewalls via VPN to VPN gateway attached to TGW, we create a dedicated TGW Route Table and set

• Association - associate with GP VPN attachments
• Propergations - None
• static route - static route to internal routes and point at the security VPC