Palo Alto Networks on AWS Transit Gateway

This page goes over the steps of deploying two Palo Alto Networks VMseries firewalls in AWS using a Transit Gateway to connect to other VPCs. Deploying the AWS environment is also covered.

In this lab, we have three VPCs. Security, Spoke1 and Spoke2.

Name: lab-vpc-security CIDR range: 10.0.0.0/16

• Create six subnets in the security VPC (three in each availability zone)
  • 10.0.10.0/24 lab-subnet-security-mgmt-a
  • 10.0.11.0/24 lab-subnet-security-public-a
  • 10.0.13.0/24 lab-subnet-security-tgw-a
  • 10.0.20.0/24 lab-subnet-security-mgmt-b
  • 10.0.21.0/24 lab-subnet-security-public-b
  • 10.0.23.0/24 lab-subnet-security-tgw-b
• Create three route tables in the security VPC
  • lab-rt-security-mgmt
  • lab-rt-security-public
  • lab-rt-security-tgw
• Mark lab-rt-security-public as the main route table.
• Delete the default (unnamed) route table in the security VPC. This should leave you with just three route tables.
• Create an Internet Gateway lab-igw-security-main
• Attach the new Internet Gateway to the security VPC
• Add a default route in the management and the public routing tables in the security VPC that points to the Internet Gateway as a next hop. Leave the tgw route table without a default route.
• Rename the default Network ACL in the security VPC to lab-nacl-default
• Create two security groups in the security VPC
  • lab-sg-security-public “Controls traffic hitting the firewall public interface”
  • lab-sg-security-mgmt “Controls traffic hitting the firewall management interface”
  • For the security group lab-sg-security-public, allow all traffic inbound from 10.0.0.0/16,10.1.0.0/16,10.10.0.0/16,10.20.0.0/16 (Or we could just allow all from 10.0.0.0/8). Also add an inbound from to all all traffic from “myip”.
  • For the security group lab-sg-security-mgmt, allow all traffic inbound from 10.0.0.0/16,10.1.0.0/16,10.10.0.0/16,10.20.0.0/16 (Or we could just allow all from 10.0.0.0/8). Also add an inbound from to all all traffic from “myip” to tcp-22 (SSH) and tcp-443 (https) and ICMP

• Under EC2, launch two instances (both firewalls). BYOL. Change from m5.2xlarge to m5.xlarge. This will make it a VM-100 instead of a VM-300.
• For both firewalls, deploy in the security VPC. (If you have to create a key-pair, go and read the notes on converting it to PuTTY format).
• For the first firewall
  • Set the network interface to be in the subnet 'lab-subnet-security-mgmt-a' and set the IP to 10.0.10.5
  • Add a tag where the Key is 'Name' and the value is 'lab-vm-fw1'
  • For the security group, use existing, lab-sg-security-mgmt
• For the second firewall
  • Set the network interface to be in the subnet 'lab-subnet-security-mgmt-b' and set the IP to 10.0.20.5
  • Add a tag where the Key is 'Name' and the value is 'lab-vm-fw2'
  • For the security group, use existing, lab-sg-security-mgmt
• Under EC2, rename the existing to network interfaces as follows. You will need to refence the instance ID though it should be sufficient to use the Zone (a or b) to identify which is fw1 (a) and fw2 (b).
  • lab-eni-security-fw1-mgmt
  • lab-eni-security-fw2-mgmt
• Under EC2, create two network interfaces
  • lab-eni-security-fw1-public
    • In subnet lab-subnet-security-public-a.
    • Set IPv4 Private IP to Custom and set 10.0.11.5
    • Set Security Group to lab-sg-security-public
    • Set tag 'Name' as 'lab-eni-security-fw1-public'
  • lab-eni-security-fw2-public
    • In subnet lab-subnet-security-public-a.
    • Set IPv4 Private IP to Custom and set 10.0.21.5
    • Set Security Group to lab-sg-security-public
    • Set tag 'Name' as 'lab-eni-security-fw2-public'
• Under EC2, create four Elastic IPs. After creating them, rename them as follows:
  • lab-eip-security-fw1-mgmt
  • lab-eip-security-fw1-public
  • lab-eip-security-fw2-mgmt
  • lab-eip-security-fw2-public
• For the four interfaces you just created, disable “Source/Dest Check”
• Under EC2, for the four interfaces you just created, attach them with their respective VM firewalls. MAKE SURE YOU ASSOCIATE PUBLIC FIRST TO ENSURE IT IS ETHERNET1/1 on the firewall.
• Then associate the elastic IP addresses WITH NETWORK INTERFACE (NOT 'Instance') as follows:
  • lab-eip-security-fw1-mgmt → lab-eni-security-fw1-mgmt with private IP as 10.0.10.5
  • lab-eip-security-fw2-mgmt → lab-eni-security-fw2-mgmt with private IP as 10.0.20.5
  • lab-eip-security-fw1-public → lab-eni-security-fw1-public with private IP as 10.0.11.5
  • lab-eip-security-fw2-public → lab-eni-security-fw2-public with private IP as 10.0.21.5

On Security VPC, we need two route tables.

• One public with 0.0.0.0/0 as IGW public subnet gets this
• One private with 0.0.0.0/0 as IGW and 10.0.0.0/8 as Transit VPC management subnet get this.

By this point your VM firewalls should have booted. Now that they have public IP addresses, try and HTTPS to them. HOWEVER, we can't log in because we can only SSH in with the private key we created. Once we have SSHed in, we can set a password and then use the web GUI. To set the password on the CLI:

configure
set mgt-config users admin password
commit

Remember, if the management security group has been correctly configured, only your public IP (home/office?) will be able to establish SSH/HTTPS sessions to the firewall management interfaces.

Setup the firewall with basic managment settings. The AWS DNS server is 169.254.169.253.

You can use the following CLI

configure
set deviceconfig system hostname VM1
set deviceconfig system timezone Europe/London
set deviceconfig system dns-setting servers primary 169.254.169.253
set deviceconfig system dns-setting servers secondary 1.1.1.1
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.uk.pool.ntp.org
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 1.uk.pool.ntp.org
commit
exit
request license fetch auth-code V1234567

The ssh session will disconnect around a minute after issuing this command and retrieving licenses. Wait another few minutes for the restart to complete and then re-establish your SSH session or login to the web console.

On the VM, enable Cloud Watch monitoring (Device > VM-Series)

• Create Interface Managment Profile imp-ping that allows Ping from anywhere.
• Create Interface Managment Profile imp-mgmt-ping that allows SSH, HTTPS and Ping from anywhere.
• Rename the default virtual router from 'default' to 'vr-main'.
• Create two security zones, sz-untrust and sz-trust.
• Configure ethernet1/1 as a member of sz-untrust, vr-main with imp-mgmt-ping. Set IPv4 to DHCP and “Automatically create default route”. Also tick “Send Hostname”.
• Create default log forwarding profile and default security group.

Security Policies

• Create a security policy rule that allows SSH, HTTPS and Ping to the firewall's external interface (for testing in this lab, don't do this on a production system). Remember, the firewalls 'public IP' on the firewall configuration should be a private IP. AWS will do the destination NAT to this private IP.
• Create a rule to allow all from Trust to Untrust.
• Create a rule to allow all from Trust to Trust.
• Create a default 'deny any' rule.

Create a Transit Gateway under 'VPC'

• Name tag: lab-tgw-hub
• Amazon side ASN: 64514 (pick anything you like between 64514 and 65534)
• ENABLE “DNS support”
• ENABLE “VPN ECMP support”
• DISABLE “Default route table association”
• DISABLE “Default route table propagation”

Wait for the gateway to be created

Create two TGW route tables that are associated with TGW we just created.

• lab-tgwrt-spoke
• lab-tgwrt-security

Now create an attachment between the Security VPC and the TGW

• lab-tgwattach-hub-security-vpc. When you do this, select the lab-subnet-security-tgw-a and lab-subnet-security-tgw-b as the subnets to peer with. This is what will allow the management subnet routes to be shared from the Security VPC directly to the TWG without going over the VPN tunnels that we will establish later.

Remember, the spoke VPCs will default route to the route table lab-tgwrt-spoke. This means that lab-tgwrt-spoke needs to learn the security VPC route and propagate it out. More specifically, the management subnet in the security VPC needs to be shared out via the Security VPC's direct attachment to the TGW while the default route needs to be shared out from the Security VPC to the TGW over VPN tunnel's that we will establish.

• lab-tgwrt-spoke needs to be propagated with both security VPC attachments.
• lab-tgwrt-security needs to be associated with security VPC attachments.

Finally, make sure you name the VPN attachment to the TGW that was created automatically (with no name) when you created the VPN in AWS. name it lab-tgwattach-hub-security-vpn1.

Note for future updates, this would be a good point to deploy Panorama and import the firewalls. This would make it simpler to configure both firewalls going forward.

Now we need to create a TGW attachment that is the VPN tunnel type. VPN tunnel on each firewall to the TGW. The tunnels will be used for outbound/outbound and east/west traffic. Normally, if you have a dedicate pair of firewalls for inbound traffic, a pair for outbound traffic and a pair for east/west traffic, the inbound pair would use their direct TGW connection to send traffic internally. We skip this for simplicity. The TGW will use ECMP to load balance outbound traffic. East/West traffic must be sent through the primary firewall to prevent asymmetric routing. Use BGP path pre-pending to achieve this.

At this point you will need to pick a BGP AS number that you will use on the firewalls. Each of the two firewalls will use the same AS number. In this example, we will use 64515.

Always create the VPN configuration in AWS first before configuring on the firewall. This is because you already have the public IP addresses of each firewall that you can put into the AWS Customer Gateway config. However, you will have to create the VPN in AWS before you can find out what the AWS VPN IP addresses are. Remember, for the tunnel /30 subnet, you can't control which IP from the /30 AWS will assign to the config. If you don't like the result, you have to keep recreating it until it picks the other IP. In general, AWS will probably pick the firewall IP out of the two in a /30.

Under VPC create two Customer gateways (one for each firewall)

• Name tag: lab-cgw-fw1
• Routing: Dynamic
• BGP AS: 65515
• IP Address: 1.2.3.4 (fw1 public IP on eth1/1)

• Name tag: lab-cgw-fw2
• Routing: Dynamic
• BGP AS: 65515
• IP Address: 5.6.7.8 (fw1 public IP on eth1/1)

You begin with the 169.254.x.4/30 range to avoid addressing used by AWS resources. That is to say, do not use 169.254.x.0/30 as that will not work.

Create a site-to-site VPN connection.

• Name tag: lab-vpn-security-fw1
• Type: transit gateway (select your tgw)
• Customer Gateway: existing / lab-cgw-fw1
• Local IPv4 Network CIDR (leave blank)
• Remote IPv4 Network CIDR (Leave blank)
• Inside IPV4 CIDR for Tun1 169.254.11.4/30
• PSK for Tun1 (Cannot contain special characters)
• Inside IPV4 CIDR for Tun2 169.254.21.4/30
• PSK for Tun2 (Cannot contain special characters)
• customer gateway lab-cgw-hub.
• BGP AS to what ever you set as the TGW AS (ie. 64514)

Once you have created the two VPN configurations, download the configuration for peer in Palo Alto Networks format. AWS will provide a text file with a load of SET commands. We will not use this but we will extract the required information out of it - BOTH peer IPs for each VPN tunnel. Remember, each firewall will connect to two different IP addresses (tunnel redundancy) so you will end up with a total of two VPN tunnels on each firewall (four tunnels in total) and the AWS side will show a total of two tunnels where each tunnel actually has two tunnels.

Download the configuration and look for the two sections starting with

edit network ike gateway

and then look for the

set peer-address ip

ip that is the two VPN IP for the AWS side of the tunnel. You need this information when configuring the firewalls.

Ensure there is a security policy on the firewalls allowing access between the firewall public interface and the TGW peer IP.

You now have all the information you need to create the two tunnels on each firewall.

Note, IPsec Crypto (Phase 2) on the firewalls must use aes-256-cbc if you don't edit the AWS defaults.

This section assumes that you have the AWS VPN IP addresses from the previous section.

Both firewalls will use the same BGP AS number. In this case 64515. For each firewall, set the router ID to be the firewalls' public EIP IP.

Create two tunnel interface on each firewall tunnel interface in the sz-trust zone and attached to the vr-main virtual router. Set it as pingable and set IP of the tunnel interfaces to

• FW1 - Tunnel 1 -169.254.11.6
• FW1 - Tunnel 2 -169.254.12.6
• FW2 - Tunnel 1 -169.254.21.6
• FW2 - Tunnel 2 -169.254.21.6

For each tunnel interface, set the tunnel interface MTU to 1427.

Create an IKE Crypto profile on both firewalls called “ike-aes-256-sha256-dh14”

Create an IPSec Crypto profile on both firewalls called ipsec-aes-256-sha256-dh14“ (aes-256-cbc)

On each firewall, create two IKE gateways ike-gw-tgw-1 and ike-gw-tgw-2:

• Set Version to “IKEv1 only mode.”
• Set interface to “ethernet1/1”
• Leave Local IP Address as “None”
• Set Peer IP address Type to “IP” and set the Peer IP. Remember, each VPN tunnel has a unique peer IP in AWS.
• Set the Pre-Shared key (alphanumeric characters as well as the period and underscore characters).
• Leave Local Identification as “None”
• Leave Peer Identification as “None”
• Disabled passive mode
• Disable NAT traversal
• Set exchange mode as “main”
• Set IKE crypto profile as “ike-aes-256-sha256-dh14”
• Disabled fragmentation
• Enable dead peer detection with interval of 10 and retry of 3.

On each firewall, create two IPsec tunnels ipsec-tun-tgw-1 and ipsec-tun-tgw-2.

• Set IPsec Crypto Profile to ipsec-aes-256-sha256-dh14
• Enable Replay Protection (show advanced options) to see this option)

The tunnels should come up after you commit.

Basic BGP Configuration for the virtual routes should be as follows:

• Reject Default Route - Yes
• Install Route - Yes
• Aggregate MED - Yes
• Default Local Preference should be 100
• AS Format should be 2 Byte
• Always Compare MED - No
• Deterministic MED comparison - Yes

Peer Group – Create one peer group on each firewall virtual router

• Name: pg-aws-tgw.
• Enabled : True
• Aggregated Confed AS Path : True
• Soft Reset With Stored Info : False
• Type: eBGPG.
• Import Next Hop: Use Peer
• Export Next Hop : Use Self
• Remove Private AS : No

On each firewall, configure two peers within the peer group. When configuring a peer, the “Connections Options” should be as follows:

• Auth Profile: None (not supported on AWS)
• Keep Alive Interval (Sec) : 10
• Multi Hop : 0
• Open Delay Time (sec) : 0
• Hold Time (sec) : 30
• Idle Hold Time (sec) : 15
• Min Route Advertisement Interval (sec) :30

Redistribution: Create a redistribution profile to redistribute Static routes. Mark the “Set Origin” as incomplete. The only static route should be the default route.

We have one import rule that is used by the peer group. Set action to allow and list the specific prefixes. 10.0.0.0/16, 10.1.0.0/16, 10.10.0.0/16, 10.20.0.0/16 and 10.0.0.0/12. No need to say that it has to be an exact match.

We need two export rules where both are to the same peer group. The default is done without any path pre-pending. That rule exports the default route and the public subnet route. Note that both firewalls will need to be unique. Firewall 1's first rule will export 0.0.0.0/0 and 10.0.11.0/24 while firewall 2's first rule will export 0.0.0.0/0 and 10.0.21.0/24. This ensures that the spokes can connect to the correct public subnets where needed.

The second export rule exports 10.0.0.0/8. The internal routes are prepended on the secondary firewall. The secondary firewall uses BGP prepending to make sure the neighbouring VPCs prefer the primary firewall for routing. In the PAN-OS GUI, this is set this under

Virtual Router->BGP->Export->(For each entry)->Action->AS Path->Type = Prepend. Value = 1

Create spoke VPCs

• lab-vpc-spoke1 (10.10.0.0/16)
• lab-vpc-spoke2 (10.20.0.0/16)

Rename VPC default Route tables

• lab-rt-spoke1-main
• lab-rt-spoke2-main

Create Security Groups

• lab-sg-spoke1-main
• lab-sg-spoke2-main

Both security groups should allow tcp-22 and tcp-80 and icmp-ipv4 inbound from 10.0.0.0/16 10.1.0.0/16 10.10.0.0/16 10.20.0.0/16.

lab-vpc-spoke1 (10.10.0.0/16)

• lab-subnet-spoke1-web-a (10.10.10.0/24) availability zone A
• lab-subnet-spoke1-web-b (10.10.20.0/24) availability zone B

lab-vpc-spoke2 (10.20.0.0/16)

• lab-subnet-spoke2-web-a (10.20.10.0/24) availability zone A
• lab-subnet-spoke2-web-b (10.20.20.0/24) availability zone B

Add Linux VM to lab-subnet-spoke1-web-a lab-vm-spoke1-web-a1 and use spoke1 security group

Under VPC, create a VPN transit Gateway attachment.

• lab-tgwrt-spoke needs to be associated with both spoke VPC attachments.
• lab-tgwrt-security needs to be propagated with both spoke VPC attachments need to export default route and then also export Spoke routes.

Security Routing table is associated with both VPNs and the firewall VPC.

Then the security routing table is propagated for both VPNs and the firewall VPC.

The Spoke VPCs are attached to a separate route table so you can select which routes are propagated to them to control east/west traffic flow. If you are not doing east-west security, you could use one transit gateway route table.

This means that spoke1 and spoke2 VPCs are “attached” to the lab-rt-tgw-spoke route table and the security VPC is “attached” to the lab-rt-tgw-security” route table. The Firewall VPN tunnels are also attached to the lab-rt-tgw-security route table.

Create two VPC attachement in TWG lab-tgwattach-hub-spoke1-vpc - include both subnets lab-tgwattach-hub-spoke2-vpc - include both subnets

Associate these two spoke attachments to the spoke route table. In spoek route table, propogate to security VPC In security, propogate to spoke1, and spoke2

Update both spoke1 route table and spoke2 route table to use TGW as default route

AWS Load Balancer - must have one listener and supports up to 10. Routing tables are defined on listeners. Listener is the portal and port on which the load balancer listens for incoming connection.

Create a load balancer. Create a listener for port 80 and a target group for that port 80. Create a second listener for 22 and a target group for 22.

Remember, when you deploy a public load balancer that points at the firewall public interface private IP addresses, the health probe with come from the load balancer's ip in the same subnet. This is assigned at random and you will need to check the logs to find out what it is.

When you add extra IP addresses onto the firewall public interface, make sure you DNAT these to a loopback

load balancer listener 22 and 80 with target being the new extra Ip on both firewalls. Configure both firewalls to DNAT their extra IP to the same backend IP. Remember the load balancer - you just configure tcp-80. It is the target groups that you need to open up the other port (22 3389,etc).

sudo yum update -y; sudo amazon-linux-extras install nginx1 -y; sudo service nginx start

Remember: for inbound NAT via load balancer, we need to translate to FQDN Remember: The AWS external load balancer translates the source of the traffic. The deploy a public network load balancer under EC2 Name: lab-nlb-public-1 Add TCP80 and TCP22 as listeners VPC = security. Subnet = public a and public b. Assign IP by AWS.

Create a target group Name; lab-tg-web Target type: IP health check protocol and path “http” “/” advanced health check settings - interval 10 seconds

add targets for VPC security as 10.0.11.5 and 10.0.21.5

If you export the firewall 1 configuration and import it into firewall 2, you can load the configuration using the following commands. In this case we assume the imported configuration file is called working.xml.

load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address mode merge from working.xml	
load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address-group mode merge from working.xml	
load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service mode merge from working.xml	
load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/service-group mode merge from working.xml	
load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application mode merge from working.xml	
load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-group to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-group mode merge from working.xml	
load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-filter to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/application-filter mode merge from working.xml	

load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security mode merge from working.xml	
load config partial from-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/nat to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/nat mode merge from working.xml