Post on 16-Sep-2020

Page 1: Summary - abbuilddocuments.files.wordpress.com… · Web view: This architecture is necessary in order to ensure that both the Active and Passive firewalls are accessible through

Buildbook - Palo Alto VM-Series High Availability on AWS

Summary

This is a buildbook for the deployment of a VM-Series Palo Alto firewall cluster in Amazon Web Services that will be managed by TELUS through a VPN tunnel to the MSS Environment.

For this particular deployment it outlines a firewall cluster that contains two Security Zones: one zone for the Public interface and one for the Management Zone.

This architecture is necessary in order to ensure that both the Active and Passive firewalls are accessible through the MSS VPN Tunnel.

For High Availability deployments in AWS, the HA1 synchronization occurs on the Palo Alto MGMT interface, while ethernet1/1 is configured for HA2 synchronization.

Planning Worksheet for VM-Series in the AWS VPC

VPC
• VPC CIDR:

Subnet
• Subnet (Untrust) CIDR:
• Subnet (HA2) CIDR:
• Subnet (Management) CIDR:

Route Table
• Subnet (Untrust) Route Table:
• Subnet (Management) Route Table:

Security Group
• Security Groups:
• Rules for access to Management Interface:
• Rules for access to Untrust Interface:

Network Interfaces
• FW01 MGMT Interface Private IP:
• FW01 HA2 Interface Private IP:
• FW01 Untrust Interface Private IP:
• FW01 MGMT2 Interface Private IP:
• FW02 MGMT Interface Private IP:
• FW02 HA2 Interface Private IP:

Elastic IP (EIP)
• FW01 MGMT Interface:
• FW02 MGMT Interface:
• FW01 Untrust Interface:

EC2 Instance (VM-Series Firewall #1)
• Subnet:
• Instance type:
• Mgmt interface IP:
• Mgmt interface EIP:
• HA2 interface eth1/1
   • Private IP:
   • Security Group:
• Dataplane interface eth1/2
   • Private IP:
   • Security Group:
• MGMT2 interface
   • Private IP:
   • Security Group:

EC2 Instance (VM-Series Firewall #2)
• Subnet:
• Instance type:
• Mgmt interface IP:
• Mgmt interface EIP:
• HA2 interface eth1/1
   • Private IP:
   • Security Group:

Create a Key Pair
1. Log onto the Key Pair Dashboard
2. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
3. You will need to convert the Key Pair from the .pem file to a .ppk file. In order to do this, follow the instructions in the link below.

Refer to Appendix B : Generating SSH Key for use in Putty.

Build AWS VPC
1. Access the AWS VPC Dashboard
2. Set up the VPC for your network needs. As part of the VPC setup, both a network range for the entire network and an Internet Gateway will be created. For details on how to create a VPC, refer to Appendix A : Building a VPC.
3. Create the Subnets that will be attached to the firewalls.
   a. Create an AWS Subnet for the Management subnet
   b. Create an AWS Subnet for the HA2 subnet
   c. Create an AWS Subnet for the Internet subnet

4. Create the Route Table
   a. Ensure the default route is sent to the Internet Gateway
   b. Ensure the Management Subnet is in the Subnet associations

5. Access the AWS EC2 Dashboard. Create a Security Group that will allow all Inbound Traffic and all Outbound Traffic.
   a. Create the Security Group

6. Create an IAM Policy and attach that policy to an IAM Role. Refer to Appendix C : IAM Roles for HA for these steps.
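Step 5 creates a group that admits all traffic, while the worksheet asks for separate rules for the Management and Untrust interfaces. The Python below is an added example (not part of the buildbook) that writes out that allow-all group beside a management group limited to the MSS range the buildbook routes to (209.29.2.0/24), in the IpPermissions shape that boto3's authorize_security_group_ingress() accepts, and a check that reports what each group exposes to the internet. The HA2 subnet CIDR and the use of TCP 22/443 for SSH and the WebGUI are this example's assumptions.

```python
import ipaddress

# Constructed for this example: the MSS range the buildbook routes to the
# management interfaces (209.29.2.0/24) and a placeholder HA2 subnet CIDR.
MSS_CIDR = "209.29.2.0/24"
HA2_SUBNET_CIDR = "10.0.2.0/24"  # placeholder, substitute the worksheet value

# Ingress rule sets in the IpPermissions shape that boto3's
# authorize_security_group_ingress() accepts.
ALLOW_ALL_INGRESS = [  # what step 5 of the buildbook creates
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
MGMT_INGRESS = [  # management ENIs: only SSH and WebGUI, only from MSS
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": MSS_CIDR, "Description": "SSH from MSS"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": MSS_CIDR, "Description": "WebGUI from MSS"}]},
]
HA2_INGRESS = [  # HA2 carries session state between peers: keep it in-subnet
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": HA2_SUBNET_CIDR}]},
]


def permits(rules, proto, port, src_ip):
    """True if any rule admits proto/port traffic from src_ip."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False


def world_open_ports(rules):
    """Ports reachable from 0.0.0.0/0 ('all' for a protocol-wide rule)."""
    found = set()
    for rule in rules:
        if not any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            continue
        if rule["IpProtocol"] == "-1":
            found.add("all")
        else:
            found.update(range(rule["FromPort"], rule["ToPort"] + 1))
    return found
```

The Untrust interface still needs its own group for the published services, and the all-open group from step 5 is what world_open_ports() flags.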

Create the Primary Palo Alto Instance

Primary Firewall Interface Mapping

AWS Elastic Network Interface | Palo Alto Interface | Interface Type
Eth0                          | MGMT                | n/a
Eth1                          | Ethernet1/1         | HA
Eth2                          | Ethernet1/2         | Layer3
Eth3                          | Ethernet1/3         | Layer3

7. Access the EC2 AWS Dashboard. Click ‘Instances’ to create the Primary Firewall
8. Click “Launch Instances”
9. Select the VM-Series AMI (Amazon Machine Image)
   a. Obtain the AMI from the AWS Marketplace. The AMI is available for both Bring Your Own License (BYOL) and Usage-based pricing options.
   b. Select the ‘EC2 Instance Type’ to match the appropriate specs you require for your deployment. Click ‘Next: Configure Instance Details’.
      i. For Number of Instances, specify ‘1’
      ii. For Network, select the correct VPC
      iii. For Subnet, specify the Management Subnet you created earlier
      iv. For Auto-assign Public IP, select enable
      v. For IAM role, select the IAM role that you previously created for Palo Alto HA
      vi. For Enable termination protection, put a checkmark beside ‘Protect against accidental termination’
      vii. Under Network interfaces:
         1. Edit the eth0 interface by adding in the Primary IP for MGMT of the Primary firewall
         2. Click Add Device
         3. Edit the eth1 interface by specifying ‘New Network Interface’
         4. Edit the eth1 interface by specifying the HA2 Subnet you previously created
         5. Edit the eth1 interface by adding the Primary IP for the HA2 interface of the Primary firewall
      viii. Click ‘Next: Add Storage’
   c. Accept the default settings for Storage. Click ‘Next: Add Tags’
   d. Accept the default settings for Tags. Click ‘Next: Configure Security Groups’

      For Assign a Security group, choose ‘Select an existing security group’, and choose the security group that you previously created.
   e. Click ‘Review and Launch’.
   f. Select an existing Security Group or create a new one
   g. Select the key pair that you previously created.
   h. Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key if lost.

Configure the administration of the Primary Firewall
10. Access the Firewall using SSH and configure a new administrative password for the firewall
   a. Log in to the firewall using the SSH key
   b. Type: configure
   c. Type: set mgt-config users admin password
   d. Type: set deviceconfig system dns-setting servers primary 8.8.8.8
   e. Type: commit

11. Shut down the VM-Series firewall
   a. On the AWS EC2 Dashboard, select Instances
   b. From the list, Actions -> Stop

12. Create and assign an Elastic IP address (EIP) to the ENI used for management access to the firewall and reboot the VM-Series firewall
   a. Select Elastic IPs and click Allocate New Address
   b. Select EC2-VPC and click Yes, Allocate
   c. Select the newly allocated EIP and click Associate Address
   d. Select the Network Interface and the Private IP address associated with the management interface and click Yes, Associate

13. Create virtual network interfaces (ENI) for both the Internet Interface and an additional Management Interface and attach the interfaces to the VM-Series firewall
   a. On the AWS EC2 Dashboard, select Network Interfaces
   b. Click ‘Create Network Interface’

   c. Specify the Subnet and Private IP address for the Internet Interface and the MGMT2 Interface, and specify the Security Group for each interface.
   d. Attach the Internet Interface to the Primary Firewall
   e. Attach the MGMT2 Interface to the Primary Firewall

14. Disable Source/Destination check on every firewall dataplane network interface
15. Log onto the WebGUI of the Firewall; configure ethernet1/1 as an HA interface, ethernet1/2 as Layer3 and ethernet1/3 as Layer3.
16. Configure NAT rules and Security Policies to allow/deny traffic.
17. Commit the changes
18. Verify that the VM-Series firewall is securing traffic and that the NAT rules are in effect
19. Create an Elastic IP for the Public interface
20. Activate the licenses on the VM-Series firewall

Create the Secondary Palo Alto Instance

Secondary Firewall Interface Mapping

AWS Elastic Network Interface | Palo Alto Interface | Interface Type
Eth0                          | MGMT                | n/a
Eth1                          | Ethernet1/1         | HA

21. Access the EC2 AWS Dashboard. Click ‘Instances’ to create the Secondary Firewall
22. Click “Launch Instances”
23. Select the VM-Series AMI (Amazon Machine Image)
   a. Obtain the AMI from the AWS Marketplace. The AMI is available for both Bring Your Own License (BYOL) and Usage-based pricing options.
   b. Select the ‘EC2 Instance Type’ to match the appropriate specs you require for your deployment. Click ‘Next: Configure Instance Details’.
      i. For Number of Instances, specify ‘1’
      ii. For Network, select the correct VPC
      iii. For Subnet, specify the Management Subnet you created earlier
      iv. For Auto-assign Public IP, select enable
      v. For IAM role, select the IAM role that you previously created for Palo Alto HA
      vi. For Enable termination protection, put a checkmark beside ‘Protect against accidental termination’
      vii. Under Network interfaces:
         1. Edit the eth0 interface by adding in the Primary IP for MGMT of the Secondary firewall
         2. Click Add Device
         3. Edit the eth1 interface by specifying ‘New Network Interface’
         4. Edit the eth1 interface by specifying the HA2 Subnet you previously created
         5. Edit the eth1 interface by adding the Primary IP for the HA2 interface of the Secondary firewall
      viii. Click ‘Next: Add Storage’
   c. Accept the default settings for Storage. Click ‘Next: Add Tags’
   d. Accept the default settings for Tags. Click ‘Next: Configure Security Groups’
      For Assign a Security group, choose ‘Select an existing security group’, and choose the security group that you previously created.

   e. Click ‘Review and Launch’.
   f. Select an existing Security Group or create a new one
   g. Select the key pair that you previously created.
   h. Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key if lost.

Configure the administration of the Secondary Firewall
24. Access the Firewall using SSH and configure a new administrative password for the firewall
   a. Log in to the firewall using the SSH key
   b. Type: configure
   c. Type: set mgt-config users admin password
   d. Type: set deviceconfig system dns-setting servers primary 8.8.8.8
   e. Type: commit

25. Shut down the VM-Series firewall
   a. On the AWS EC2 Dashboard, select Instances
   b. From the list, Actions -> Stop

26. Create and assign an Elastic IP address (EIP) to the ENI used for management access to the firewall and reboot the VM-Series firewall
   a. Select Elastic IPs and click Allocate New Address
   b. Select EC2-VPC and click Yes, Allocate
   c. Select the newly allocated EIP and click Associate Address
   d. Select the Network Interface and the Private IP address associated with the management interface and click Yes, Associate

27. Disable Source/Destination check on the firewall dataplane network interface
28. Activate the licenses on the VM-Series firewall

Configure High Availability
1. Enable HA
2. Configure ethernet1/1 as an HA interface for use by HA2
3. Set up the Control Link (HA1) to use the management port
4. Set up the Data Link (HA2) to use ethernet1/1
5. Set the device priority
6. Configure the IP address of the HA peer
7. Configure the other peer
8. Verify that the two firewalls form an HA pair
9. Verify that failover occurs properly

Connectivity to MSS
1. Configure a route entry in the AWS Route Table so that traffic destined for 209.29.2.0/24 is sent to the Secondary Mgmt Interface

Automated Instantiation of VM-Series in AWS

A template can be created using CloudFormation to build the firewall as described and outlined in the diagram above.

1. Log onto the CloudFormation Dashboard
2. Click ‘Create Stack’
3. Upload the Template file by clicking “Choose File”, then Next.
4. Specify a name under Stack Name
5. Select the SSH KeyPair under ServerKeyName
6.

Appendix A : Building a VPC
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/get-set-up-for-amazon-ec2.html

Appendix B : Generating SSH Key for use in Putty
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html

Appendix C : IAM Roles for HA
1. Access the AWS IAM Console
2. Click Policies
3. Click “Create Policy”
4. Select “Choose a Service”
5. Choose the “EC2” Service
6. For Actions, add the following:
   a. AttachNetworkInterface: permission to attach an ENI to an instance
   b. DescribeNetworkInterfaces: for fetching the ENI parameters in order to attach an interface to the instance
   c. DetachNetworkInterface: permission to detach the ENI from the EC2 instance
   d. DescribeInstances: permission to obtain information on the EC2 instances in the VPC

7. For Resources, ensure that this is applied to all resources

8. Access the AWS IAM Console. Create an IAM Role
   a. Choose the service “AWS Service”
   b. Choose the EC2 Service
   c. Click Next: Permissions

   d. Add the Policy that was previously created for Palo Alto HA
   e. Click “Review”
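As an added example that is not part of the buildbook, the Python below builds the policy document Appendix C describes (the four EC2 actions, applied to all resources) and checks an existing policy for drift away from that set, so the HA role does not quietly accumulate rights beyond what failover needs. The function names and the sample policies used to exercise them are this example's own.

```python
# The four EC2 actions Appendix C grants to the HA role. On failover the
# surviving peer moves the dataplane ENIs to itself, which is why the role
# needs attach/detach rights and not only describe rights.
REQUIRED_HA_ACTIONS = {
    "ec2:AttachNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DetachNetworkInterface",
    "ec2:DescribeInstances",
}


def build_ha_policy():
    """Policy document as a dict: the four actions on all resources (step 7)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_HA_ACTIONS),
            "Resource": "*",
        }],
    }


def _as_list(value):
    # IAM accepts either a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def excess_actions(policy):
    """Allowed actions outside the HA set, including wildcards such as ec2:*."""
    excess = set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if "*" in action or action not in REQUIRED_HA_ACTIONS:
                excess.add(action)
    return excess


def missing_actions(policy):
    """HA actions not granted explicitly; wildcards are not credited."""
    granted = set()
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") == "Allow":
            granted.update(_as_list(st.get("Action", [])))
    return REQUIRED_HA_ACTIONS - granted
```

Run excess_actions() against the policy attached to the role after any later change to the stack; an empty result means the role still carries only what Appendix C lists.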