Palo Alto Networks on AWS Transit Gateway
This page goes over the steps of deploying two Palo Alto Networks VM-Series firewalls in AWS, using a Transit Gateway to connect to other VPCs. Deploying the AWS environment is also covered.
In this lab we have three VPCs: Security, Spoke1 and Spoke2.
Create the security VPC
Name: lab-vpc-security
CIDR range: 10.0.0.0/16
- Create six subnets in the security VPC (three in each availability zone)
  - 10.0.10.0/24 lab-subnet-security-mgmt-a
  - 10.0.11.0/24 lab-subnet-security-public-a
  - 10.0.13.0/24 lab-subnet-security-tgw-a
  - 10.0.20.0/24 lab-subnet-security-mgmt-b
  - 10.0.21.0/24 lab-subnet-security-public-b
  - 10.0.23.0/24 lab-subnet-security-tgw-b
- Create three route tables in the security VPC
  - lab-rt-security-mgmt
  - lab-rt-security-public
  - lab-rt-security-tgw
- Mark lab-rt-security-public as the main route table.
- Delete the default (unnamed) route table in the security VPC. This should leave you with just three route tables.
- Create an Internet Gateway lab-igw-security-main
- Attach the new Internet Gateway to the security VPC
- Add a default route in the management and the public route tables in the security VPC that points to the Internet Gateway as the next hop. Leave the tgw route table without a default route.
- Rename the default Network ACL in the security VPC to lab-nacl-default
- Create two security groups in the security VPC
  - lab-sg-security-public “Controls traffic hitting the firewall public interface”
  - lab-sg-security-mgmt “Controls traffic hitting the firewall management interface”
- For the security group lab-sg-security-public, allow all traffic inbound from 10.0.0.0/16, 10.1.0.0/16, 10.10.0.0/16 and 10.20.0.0/16 (or simply allow all from 10.0.0.0/8). Also add an inbound rule allowing all traffic from “My IP”.
- For the security group lab-sg-security-mgmt, allow all traffic inbound from 10.0.0.0/16, 10.1.0.0/16, 10.10.0.0/16 and 10.20.0.0/16 (or simply allow all from 10.0.0.0/8). Also add inbound rules allowing tcp-22 (SSH), tcp-443 (HTTPS) and ICMP from “My IP”.
Deploy the Firewall VMs
- Under EC2, launch two instances (both firewalls). BYOL. Change from m5.2xlarge to m5.xlarge. This will make it a VM-100 instead of a VM-300.
- For both firewalls, deploy in the security VPC. (If you have to create a key-pair, go and read the notes on converting it to PuTTY format).
- For the first firewall
  - Set the network interface to be in the subnet 'lab-subnet-security-mgmt-a' and set the IP to 10.0.10.5
  - Add a tag where the Key is 'Name' and the value is 'lab-vm-fw1'
  - For the security group, use existing, lab-sg-security-mgmt
- For the second firewall
  - Set the network interface to be in the subnet 'lab-subnet-security-mgmt-b' and set the IP to 10.0.20.5
  - Add a tag where the Key is 'Name' and the value is 'lab-vm-fw2'
  - For the security group, use existing, lab-sg-security-mgmt
- Under EC2, rename the two existing network interfaces as follows. You will need to reference the instance ID, though it should be sufficient to use the availability zone (a or b) to identify which is fw1 (a) and which is fw2 (b).
  - lab-eni-security-fw1-mgmt
  - lab-eni-security-fw2-mgmt
- Under EC2, create two network interfaces
  - lab-eni-security-fw1-public
    - In subnet lab-subnet-security-public-a.
    - Set IPv4 Private IP to Custom and set 10.0.11.5
    - Set Security Group to lab-sg-security-public
    - Set tag 'Name' as 'lab-eni-security-fw1-public'
  - lab-eni-security-fw2-public
    - In subnet lab-subnet-security-public-b (the 10.0.21.0/24 subnet, so that 10.0.21.5 is valid).
    - Set IPv4 Private IP to Custom and set 10.0.21.5
    - Set Security Group to lab-sg-security-public
    - Set tag 'Name' as 'lab-eni-security-fw2-public'
- Under EC2, create four Elastic IPs. After creating them, rename them as follows:
  - lab-eip-security-fw1-mgmt
  - lab-eip-security-fw1-public
  - lab-eip-security-fw2-mgmt
  - lab-eip-security-fw2-public
- For all four firewall interfaces (mgmt and public), disable “Source/Dest Check”
- Under EC2, attach the four interfaces to their respective firewall VMs. MAKE SURE YOU ATTACH THE PUBLIC INTERFACE FIRST SO THAT IT BECOMES ETHERNET1/1 ON THE FIREWALL.
- Then associate the Elastic IP addresses WITH NETWORK INTERFACE (NOT 'Instance') as follows:
  - lab-eip-security-fw1-mgmt → lab-eni-security-fw1-mgmt with private IP 10.0.10.5
  - lab-eip-security-fw2-mgmt → lab-eni-security-fw2-mgmt with private IP 10.0.20.5
  - lab-eip-security-fw1-public → lab-eni-security-fw1-public with private IP 10.0.11.5
  - lab-eip-security-fw2-public → lab-eni-security-fw2-public with private IP 10.0.21.5
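As an added example (not from the original lab page), a Python check of the addressing plan above: it verifies that the six subnets fit inside the security VPC without overlapping, and that each static ENI address sits inside its declared subnet and avoids the five addresses AWS reserves in every subnet. The names and addresses are the page's own; the check functions are assumptions written for this example.

```python
import ipaddress
# Lab values from the page: security VPC, six subnets, four ENIs (subnet, static IP).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "lab-subnet-security-mgmt-a": "10.0.10.0/24",
    "lab-subnet-security-public-a": "10.0.11.0/24",
    "lab-subnet-security-tgw-a": "10.0.13.0/24",
    "lab-subnet-security-mgmt-b": "10.0.20.0/24",
    "lab-subnet-security-public-b": "10.0.21.0/24",
    "lab-subnet-security-tgw-b": "10.0.23.0/24",
}
ENIS = {
    "lab-eni-security-fw1-mgmt": ("lab-subnet-security-mgmt-a", "10.0.10.5"),
    "lab-eni-security-fw1-public": ("lab-subnet-security-public-a", "10.0.11.5"),
    "lab-eni-security-fw2-mgmt": ("lab-subnet-security-mgmt-b", "10.0.20.5"),
    "lab-eni-security-fw2-public": ("lab-subnet-security-public-b", "10.0.21.5"),
}

def check_subnets(vpc_cidr, subnets):
    """Return layout problems (empty list means the subnet plan is consistent)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems

def check_enis(subnets, enis):
    """Return problems with the static ENI addresses (empty list means OK)."""
    problems = []
    for eni, (subnet_name, ip_str) in enis.items():
        net = ipaddress.ip_network(subnets[subnet_name])
        ip = ipaddress.ip_address(ip_str)
        if ip not in net:
            problems.append(f"{eni}: {ip} is not inside {subnet_name} ({net})")
            continue
        # AWS reserves the first four and the last address of every subnet.
        if ip in set(list(net)[:4]) | {net.broadcast_address}:
            problems.append(f"{eni}: {ip} is an AWS-reserved address in {net}")
    return problems

if __name__ == "__main__":
    for p in check_subnets(VPC_CIDR, SUBNETS) + check_enis(SUBNETS, ENIS):
        print("PROBLEM:", p)
```

Run it after editing the dictionaries to match your own plan; silence means the plan is consistent, and a mismatched subnet/IP pair (such as a 10.0.21.x address declared in the public-a subnet) is reported before the console rejects it.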
Login to Firewalls
By this point your VM firewalls should have booted. Now that they have public IP addresses, try to HTTPS to them. HOWEVER, we can't log in to the web GUI yet because the only credential is the private key we created, which works for SSH. Once we have SSHed in, we can set a password and then use the web GUI. To set the password on the CLI:
configure
set mgt-config users admin password
commit
Remember, if the management security group has been correctly configured, only your public IP (home/office?) will be able to establish SSH/HTTPS sessions to the firewall management interfaces.
Configure the Firewalls
Set up the firewall with basic management settings. The AWS DNS server is 169.254.169.253.
You can use the following CLI commands (V1234567 stands in for your own auth-code):
configure
set deviceconfig system hostname VM1
set deviceconfig system timezone Europe/London
set deviceconfig system dns-setting servers primary 169.254.169.253
set deviceconfig system dns-setting servers secondary 1.1.1.1
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 0.uk.pool.ntp.org
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 1.uk.pool.ntp.org
commit
exit
request license fetch auth-code V1234567
The SSH session will disconnect around a minute after issuing this command, once the licenses have been retrieved. Wait another few minutes for the restart to complete, then re-establish your SSH session or log in to the web console.
On the VM, enable CloudWatch monitoring (Device > VM-Series)
- Create Interface Management Profile imp-ping that allows Ping from anywhere
- Create Interface Management Profile imp-mgmt-ping that allows SSH, HTTPS and Ping from anywhere
- Rename the default virtual router from 'default' to 'vr-main'
- Create two security zones, sz-untrust and sz-trust
- Configure ethernet1/1 as a member of sz-untrust on vr-main with imp-mgmt-ping. Set IPv4 to DHCP and tick “Automatically create default route”. Also tick “Send Hostname”
- Create a default log forwarding profile and a default security group
