PALO-ALTO FIREWALL SETUP WITH AWS INFRA

Rohan Tiwari
9 min read · Jun 10, 2023


In the given scenario, there are two Virtual Private Clouds (VPCs) involved:

  1. Network VPC: This VPC contains an Internet-facing Application Load Balancer (ALB), a Palo Alto instance for network security, a Gateway Load Balancer endpoint, and an Endpoint service.
  2. Webserver VPC: This VPC is dedicated to web servers and consists of two private instances attached to an internal Network Load Balancer (NLB). Additionally, this VPC has a VPC-Endpoint that is connected to the Gateway Load Balancer in the Network VPC.

To summarize, the scenario involves two VPCs, one for network-related components such as ALB, Palo Alto instance, and endpoint services, and the other specifically for web servers, with instances connected to an internal NLB and a VPC-Endpoint linked to the Network VPC’s Gateway Load Balancer.

Step 1: Create a VPC named “network VPC” for the Firewall, and create another VPC called “web server VPC” for the server.

[Figures: Network VPC CIDR, subnet CIDR, route table]

Web Server VPC

[Figures: web server VPC CIDR, subnet, route table]

Step 2: Create two web servers in a private subnet within the web-server VPC.

[Figure: the two web servers]

Step 3: Create a target group specifically for the internal Network Load Balancer (NLB).

Note: if the service inside the server is down, the target will show as unhealthy.

[Figure: target group]

Step 4: Create a Network Load Balancer (NLB) within a private subnet.

[Figure: NLB]

Important point: The Network Load Balancer (NLB) operates on TCP ports and does not have its own security group.

Note: Please review the security group of the server and whitelist the Subnet CIDR that is connected to the NLB.

Check the NLB URL from an internal server using http://<NLB DNS name>:<port>

Check the URL of the internal load balancer in both servers.

Congratulations! The Internal NLB is functioning properly in the Web-Server VPC. Well done!

Now we are going to deploy the firewall setup in the Network VPC.

Step 1: Launch an instance of Palo Alto Firewall from the marketplace with an instance type of m5.xlarge. Create the instance in a private subnet, which we will refer to as the private interface.

[Figure: Palo Alto AMI from the Marketplace]

Step 2: Create two additional interfaces with public subnets, named “mgmt” and “untrust.” When creating each interface, assign a separate security group (SG). Please ensure that the Elastic Network Interfaces (ENIs) have the same CIDR range as the corresponding subnets; otherwise, they will not attach to the server.

Once the Palo Alto server is up and running, you can log in to the server using the admin credentials.

Step 3: First change the default password using the following command:

CLI: configure

Attempt to access the Palo Alto user interface (UI) using the username and password set above, along with the public IP address.

Step 4: Create the interfaces

Ethernet1/1:

Ethernet1/2:

[Figures: interface Config, IPv4 and Advanced tabs]

After successfully creating the interfaces, configure the “mgmt” profile to allow ping, SSH, HTTPS, and HTTP traffic.

Integration with an AWS Gateway Load Balancer

The AWS Gateway Load Balancer (GWLB) is an AWS managed service that allows you to deploy a stack of VM-Series firewalls and operate in a horizontally scalable and fault-tolerant manner. You can then expose the AWS GWLB with the stack of firewalls as a VPC endpoint service for traffic inspection and threat prevention. By creating Gateway Load Balancer endpoints (GWLBE) for the VPC endpoint service, you can easily insert an auto-scaling VM-Series firewall stack in the outbound, east-west, and inbound traffic paths of your applications. VM-Series firewalls and the GWLB use GENEVE encapsulation to keep your traffic packet headers and payload intact, providing complete visibility of the source's identity to your applications.

plugin-op-commands=aws-gwlb-inspect:enable

request plugins vm_series aws gwlb associate vpc-endpoint vpce-063c000f6ca671d9d interface ethernet1/1.10
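To make the GENEVE point above concrete, here is an added Python decoder (example code, not from the post or from Palo Alto Networks) that parses a constructed GWLB-to-appliance frame and shows the inner packet's original source and destination surviving untouched. The AWS option class 0x0108 and its three option types (GWLBE ENI ID, attachment ID, flow cookie) follow AWS's GWLB documentation; the option values and the inner ICMP packet are made up.

```python
"""Decode the GENEVE frame (UDP/6081) a GWLB hands to a VM-Series target and recover the untouched inner packet."""
import ipaddress
import struct

AWS_OPTION_CLASS = 0x0108       # option class AWS uses for its GWLB metadata options
AWS_OPTION_NAMES = {1: "gwlbe_eni_id", 2: "attachment_id", 3: "flow_cookie"}

def parse_geneve(frame: bytes) -> dict:
    """Split the 8-byte GENEVE header, its TLV options and the encapsulated packet."""
    if len(frame) < 8:
        raise ValueError("truncated GENEVE header")
    flags, protocol_type, vni_word = struct.unpack("!HHI", frame[:8])
    opt_end = 8 + ((flags >> 8) & 0x3F) * 4        # Opt Len is counted in 4-byte words
    if len(frame) < opt_end:
        raise ValueError("options run past the end of the frame")
    options, pos = {}, 8
    while pos < opt_end:
        cls, typ, length = struct.unpack("!HBB", frame[pos:pos + 4])
        data = frame[pos + 4:pos + 4 + (length & 0x1F) * 4]   # low 5 bits = data words
        if cls == AWS_OPTION_CLASS and typ in AWS_OPTION_NAMES:
            options[AWS_OPTION_NAMES[typ]] = int.from_bytes(data, "big")
        pos += 4 + len(data)
    return {"version": flags >> 14, "protocol_type": protocol_type,
            "vni": vni_word >> 8, "options": options, "inner": frame[opt_end:]}

def inner_ipv4_summary(inner: bytes) -> tuple:
    """(src, dst, protocol) of the encapsulated IPv4 packet, exactly as the client sent it."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return (str(ipaddress.IPv4Address(inner[12:16])),
            str(ipaddress.IPv4Address(inner[16:20])), inner[9])

# Constructed sample (not a capture): three AWS options with made-up IDs, then an
# ICMP echo request from a web-server host to the NLB address quoted in the post.
SAMPLE_FRAME = (
    struct.pack("!HHI", 0x0800, 0x0800, 0)                       # Opt Len = 8 words, IPv4 inside
    + struct.pack("!HBB", AWS_OPTION_CLASS, 1, 2) + (0x0A1B2C3D4E5F6071).to_bytes(8, "big")
    + struct.pack("!HBB", AWS_OPTION_CLASS, 2, 2) + (0x1122334455667788).to_bytes(8, "big")
    + struct.pack("!HBB", AWS_OPTION_CLASS, 3, 1) + (0xDEADBEEF).to_bytes(4, "big")
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                  ipaddress.IPv4Address("10.1.2.10").packed,
                  ipaddress.IPv4Address("10.0.138.67").packed)
    + struct.pack("!BBHHH", 8, 0, 0, 1, 1)                       # ICMP echo request
)

if __name__ == "__main__":
    geneve = parse_geneve(SAMPLE_FRAME)
    print("GWLB options:", {k: hex(v) for k, v in geneve["options"].items()})
    print("inner packet (src, dst, proto):", inner_ipv4_summary(geneve["inner"]))
```

Because the inner header is carried verbatim, the firewall's security policy still sees the real client address rather than the GWLB's, which is the visibility the paragraph refers to.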

Enable Overlay Routing for the VM-Series on AWS

Using overlay routing in your VM-Series firewall integration with the AWS GWLB allows you to use a two-zone policy to inspect traffic leaving (egressing) your AWS environment. This allows packets to leave the VM-Series firewall through a different interface than the one they entered through.

Create a Gateway Load Balancer in the Firewall VPC and attach the Palo Alto Firewall server as a target group to the load balancer.

Endpoint service

When creating an endpoint in the Webserver VPC, provide the custom VPC endpoint service link and verify its connectivity.

Copy the service name and paste it into the VPC endpoint configuration field.

[Figure: web-server VPC gateway load balancer endpoint]

Palo Alto Firewall configuration for giving internet access to the private server

  1. Configure Network Address Translation (NAT) rules to translate the private server's internal IP address to a public IP address for internet communication.
  2. Security policy:
  3. NAT policy:

To enable pinging the server from another VPC to the Palo Alto Firewall VPC, you have two options: VPC peering or using a transit gateway. Once the peering is established, you can proceed with the following steps:

  1. Set up VPC peering between the two VPCs, allowing them to communicate with each other. Alternatively, if you decide to use a transit gateway, configure the transit gateway to connect the VPCs.
  2. Update the route tables in both VPCs to include the appropriate routes for the peering connection or transit gateway. Ensure that the necessary routes are correctly configured to enable traffic between the VPCs.
  3. Verify the connectivity by attempting to ping the server in the Palo Alto Firewall VPC from the other VPC. This will test the successful communication between the VPCs.

To ping the firewall server from either a private or public server, follow these steps:

  1. Access the private or public server that you want to use to initiate the ping.
  2. Open a command prompt or terminal on the server.
  3. Execute the ping command, specifying the IP address or hostname of the firewall server:
     ping <firewall server IP address or hostname>
  4. Observe the ping results to check if the server is able to reach the firewall. Successful pings indicate that the server can communicate with the firewall.

NOTE: In some cases, ICMP (ping) traffic may be blocked by default in security groups or firewall configurations. Ensure that the necessary network or firewall rules are in place to allow ICMP traffic between the servers.

IMPORTANT: If ping is not working

Check in the firewall UI whether the firewall is receiving the incoming traffic but not sending a response back to the server.

To get a response back to that server, add a static route for the source subnet CIDR.

Click OK and commit.

Now try to ping the server again.

Congratulations! You have successfully established connectivity and are now able to ping the server. Well done!

The setup involves an internet-facing Application Load Balancer (ALB) that directs traffic to the firewall on port 3030. The firewall then redirects the traffic to an internal Network Load Balancer (NLB) on port 9090.

Allow port 3030 from the ALB security group in the firewall server's security group.

Create a policy for the traffic.

Click OK and commit.

Note: The translated packet contains the IP address of the Network Load Balancer (NLB), which can be found in the network interface configuration.
Example: 10.0.138.67, translated port 9090

Click OK and commit.

Verify the subnet CIDR of the Network Load Balancer (NLB) in the static route configuration.

Now you should be able to access the ALB URL and obtain the result from the web server.

[Figure: traffic workflow]

Congratulations! The traffic is successfully flowing from the external Application Load Balancer (ALB) to the firewall and then to the internal Network Load Balancer (NLB), finally reaching the web server. Well done!

Reference link: https://www.paloaltonetworks.com/resources/guides/intelligent-architectures-aws-reference-architecture

Thank you

https://in.linkedin.com/in/rohan-tiwari-40495076
