Saucepan

User Tools

Site Tools

Trace: multi_vsys misc pan_configurator multicast fips sfp threat-logs azure stats_dump aws_transit_gateway
paloaltonetworks:vmseries:aws_transit_gateway

This is an old revision of the document!

Table of Contents

Palo Alto Networks on AWS Transit Gateway

This page goes over the steps of deploying two Palo Alto Networks VMseries firewalls in AWS using a Transit Gateway to connect to other VPCs. Deploying the AWS environment is also covered.

In this lab, we have three VPCs. Security, Spoke1 and Spoke2.

Create the security VPC

Name: lab-vpc-security CIDR range: 10.0.0.0/16

  • Create six subnets in the security VPC (three in each availability zone)
    • 10.0.10.0/24 lab-subnet-security-mgmt-a
    • 10.0.11.0/24 lab-subnet-security-public-a
    • 10.0.13.0/24 lab-subnet-security-tgw-a
    • 10.0.20.0/24 lab-subnet-security-mgmt-b
    • 10.0.21.0/24 lab-subnet-security-public-b
    • 10.0.23.0/24 lab-subnet-security-tgw-b
  • Create three route tables in the security VPC
    • lab-rt-security-mgmt
    • lab-rt-security-public
    • lab-rt-security-tgw
  • Mark lab-rt-security-public as the main route table.
  • Delete the default (unnamed) route table in the security VPC. This should leave you with just three route tables.
  • Create an Internet Gateway lab-igw-security-main
  • Attach the new Internet Gateway to the security VPC
  • Add a default route in the management and the public routing tables in the security VPC that points to the Internet Gateway as a next hop. Leave the tgw route table without a default route.
  • Rename the default Network ACL in the security VPC to lab-nacl-default
  • Create two security groups in the security VPC
    • lab-sg-security-public “Controls traffic hitting the firewall public interface”
    • lab-sg-security-mgmt “Controls traffic hitting the firewall management interface”
    • For the security group lab-sg-security-public, allow all traffic inbound from 10.0.0.0/16,10.1.0.0/16,10.10.0.0/16,10.20.0.0/16 (Or we could just allow all from 10.0.0.0/8). Also add an inbound from to all all traffic from “myip”.
    • For the security group lab-sg-security-mgmt, allow all traffic inbound from 10.0.0.0/16,10.1.0.0/16,10.10.0.0/16,10.20.0.0/16 (Or we could just allow all from 10.0.0.0/8). Also add an inbound from to all all traffic from “myip” to tcp-22 (SSH) and tcp-443 (https) and ICMP

Deploy the Firewall VMs

  • Under EC2, launch two instances (both firewalls). BYOL. Change from m5.2xlarge to m5.xlarge. This will make it a VM-100 instead of a VM-300.
  • For both firewalls, deploy in the security VPC. (If you have to create a key-pair, go and read the notes on converting it to PuTTY format).
  • For the first firewall
    • Set the network interface to be in the subnet 'lab-subnet-security-mgmt-a' and set the IP to 10.0.10.5
    • Add a tag where the Key is 'Name' and the value is 'lab-vm-fw1'
    • For the security group, use existing, lab-sg-security-mgmt
  • For the second firewall
    • Set the network interface to be in the subnet 'lab-subnet-security-mgmt-b' and set the IP to 10.0.20.5
    • Add a tag where the Key is 'Name' and the value is 'lab-vm-fw2'
    • For the security group, use existing, lab-sg-security-mgmt
  • Under EC2, rename the existing to network interfaces as follows. You will need to refence the instance ID though it should be sufficient to use the Zone (a or b) to identify which is fw1 (a) and fw2 (b).
    • lab-eni-security-fw1-mgmt
    • lab-eni-security-fw2-mgmt
  • Under EC2, create two network interfaces
    • lab-eni-security-fw1-public
      • In subnet lab-subnet-security-public-a.
      • Set IPv4 Private IP to Custom and set 10.0.11.5
      • Set Security Group to lab-sg-security-public
      • Set tag 'Name' as 'lab-eni-security-fw1-public'
    • lab-eni-security-fw2-public
      • In subnet lab-subnet-security-public-a.
      • Set IPv4 Private IP to Custom and set 10.0.21.5
      • Set Security Group to lab-sg-security-public
      • Set tag 'Name' as 'lab-eni-security-fw2-public'
  • Under EC2, create four Elastic IPs. After creating them, rename them as follows:
    • lab-eip-security-fw1-mgmt
    • lab-eip-security-fw1-public
    • lab-eip-security-fw2-mgmt
    • lab-eip-security-fw2-public
  • For the four interfaces you just created, disable “Source/Dest Check”
  • Under EC2, for the four interfaces you just created, attach them with their respective VM firewalls. MAKE SURE YOU ASSOCIATE PUBLIC FIRST TO ENSURE IT IS ETHERNET1/1 on the firewall.
  • Then associate the elastic IP addresses WITH NETWORK INTERFACE (NOT 'Instance') as follows:
    • lab-eip-security-fw1-mgmt → lab-eni-security-fw1-mgmt with private IP as 10.0.10.5
    • lab-eip-security-fw2-mgmt → lab-eni-security-fw2-mgmt with private IP as 10.0.20.5
    • lab-eip-security-fw1-public → lab-eni-security-fw1-public with private IP as 10.0.11.5
    • lab-eip-security-fw2-public → lab-eni-security-fw2-public with private IP as 10.0.21.5
paloaltonetworks/vmseries/aws_transit_gateway.1608491374.txt.gz · Last modified: (external edit)