Before Launching the Templates

Learn what is required to launch a VM-Series firewall behind a GWLB using templates.
Before you launch the templates to integrate a VM-Series firewall auto scaling group with an AWS GWLB, you must complete the following procedure.
  1. Ensure that you have the following before you begin.
    • Obtain the auth code for a bundle that supports the number of firewalls that might be required for your deployment. Save this auth code in a text file named authcodes (no file extension), and put the authcodes file in the /license folder of the bootstrap package.
    • Download the files required to launch the VM-Series Gateway Load Balancer template from the GitHub repository.
    • Create a Transit Gateway. This transit gateway connects your security and application VPCs.
      • Take note of the transit gateway ID; you will need it later when deploying the template.
      • Add a 0.0.0.0/0 route to the application attachment route table pointing to the security attachment, so that east-west and outbound traffic is steered through the firewalls.
      • Ensure that Default route table association and Default route table propagation are disabled.
    • Use a VPC CIDR larger than /23 (a shorter prefix, such as /22) for the firewall and application templates.
    The GWLB target group cannot use HTTP for health checks because the VM-Series firewall does not allow access over an unsecured protocol. Use HTTPS or TCP instead.
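The transit gateway and bootstrap-package requirements above are easy to get subtly wrong (default association left enabled, a route to the wrong attachment, an authcodes.txt instead of authcodes). The following pre-flight script is an added example, not code from the page or from the template repository. It assumes the JSON documents are the output of `aws ec2 describe-transit-gateways` and of `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <application-route-table> --filters Name=state,Values=active`, captured with `--output json`; the sample documents and every ID in them are constructed.

```python
"""Pre-flight checks for the GWLB prerequisites (added example).

Assumed inputs: JSON from `aws ec2 describe-transit-gateways` and from
`aws ec2 search-transit-gateway-routes` run against the application
attachment's route table. The samples below are constructed.
"""
import json
import os
import tempfile

# Constructed sample responses, shaped like the AWS CLI output (IDs are made up).
SAMPLE_TGW = json.dumps({"TransitGateways": [{
    "TransitGatewayId": "tgw-0123456789abcdef0",
    "State": "available",
    "Options": {"DefaultRouteTableAssociation": "enable",   # wrong: must be "disable"
                "DefaultRouteTablePropagation": "disable"}}]})
SAMPLE_ROUTES = json.dumps({"Routes": [{
    "DestinationCidrBlock": "0.0.0.0/0", "State": "active", "Type": "static",
    "TransitGatewayAttachments": [{
        "ResourceId": "vpc-0a1b2c3d4e5f60718", "ResourceType": "vpc",
        "TransitGatewayAttachmentId": "tgw-attach-0fedcba9876543210"}]}]})
SECURITY_ATTACHMENT = "tgw-attach-0fedcba9876543210"   # constructed


def check_transit_gateway(describe_tgw_json, tgw_id):
    """Problems with the transit gateway's default route table settings.
    An empty list means association and propagation are both disabled."""
    doc = json.loads(describe_tgw_json)
    for tgw in doc.get("TransitGateways", []):
        if tgw.get("TransitGatewayId") != tgw_id:
            continue
        opts = tgw.get("Options", {})
        return [f"{tgw_id}: {key} is {opts.get(key)!r}, expected 'disable'"
                for key in ("DefaultRouteTableAssociation", "DefaultRouteTablePropagation")
                if opts.get(key) != "disable"]
    return [f"{tgw_id}: not found in describe-transit-gateways output"]


def check_default_route(search_routes_json, security_attachment_id):
    """Verify that the application route table sends 0.0.0.0/0 to the
    security VPC attachment, i.e. through the firewalls."""
    doc = json.loads(search_routes_json)
    for route in doc.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State") != "active":
            return [f"0.0.0.0/0 route exists but its state is {route.get('State')!r}"]
        targets = {a.get("TransitGatewayAttachmentId")
                   for a in route.get("TransitGatewayAttachments", [])}
        if security_attachment_id in targets:
            return []
        return [f"0.0.0.0/0 points to {sorted(targets)}, not {security_attachment_id}"]
    return ["no 0.0.0.0/0 route in the application attachment route table"]


def write_bootstrap_authcodes(bootstrap_root, auth_code):
    """Create <root>/license/authcodes (bare name, no extension); return its path."""
    license_dir = os.path.join(bootstrap_root, "license")
    os.makedirs(license_dir, exist_ok=True)
    path = os.path.join(license_dir, "authcodes")
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(auth_code.strip() + "\n")
    return path


def check_bootstrap_package(bootstrap_root):
    """Flag a missing or empty /license/authcodes and the classic mistake of
    saving it with an extension (the page requires the bare name)."""
    license_dir = os.path.join(bootstrap_root, "license")
    if not os.path.isdir(license_dir):
        return ["missing /license folder"]
    names = os.listdir(license_dir)
    problems = []
    if "authcodes" not in names:
        problems.append("missing /license/authcodes")
    elif os.path.getsize(os.path.join(license_dir, "authcodes")) == 0:
        problems.append("/license/authcodes is empty")
    problems += [f"/license/{n}: remove the extension, the file must be named 'authcodes'"
                 for n in names if n.startswith("authcodes") and n != "authcodes"]
    return problems


def bootstrap_demo(stray_extension=False):
    """Build a bootstrap package in a temp dir (constructed auth code) and
    return its problems, optionally reproducing the authcodes.txt mistake."""
    root = tempfile.mkdtemp()
    write_bootstrap_authcodes(root, "I1234567")
    if stray_extension:
        os.rename(os.path.join(root, "license", "authcodes"),
                  os.path.join(root, "license", "authcodes.txt"))
    return check_bootstrap_package(root)


if __name__ == "__main__":
    for problem in (check_transit_gateway(SAMPLE_TGW, "tgw-0123456789abcdef0")
                    + check_default_route(SAMPLE_ROUTES, SECURITY_ATTACHMENT)
                    + bootstrap_demo(stray_extension=True)):
        print("PROBLEM:", problem)
```

Run it against real output by replacing the sample strings with the captured CLI JSON and the constructed attachment ID with the security VPC's attachment; any non-empty list is something to fix before launching the template.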
  2. Deploy Panorama running 10.0.2 and configure the following.
    Panorama must accept connections from AWS public IP addresses. The VM-Series firewalls reach Panorama through the external IP address of the NAT gateway created by the template, so that address, not a firewall's private IP, is the source Panorama sees.
  3. Download and install the VM-Series plugin on Panorama.
    1. Select Panorama > Plugins and use Check Now to look for new plugin packages. The VM-Series plugin name is vm_series.
    2. Consult the plugin release notes to determine which version provides upgrades useful to you.
    3. Select a version of the plugin and select Download in the Action column.
    4. Click Install in the Action column. Panorama alerts you when the installation is complete.
    5. To view the plugin, select Device > VM-Series.
  4. Configure the template.
    1. Log in to the Panorama web interface.
    2. Select Panorama > Templates and click Add.
      1. Enter a descriptive Name.
      2. Click OK.
    3. Configure the virtual router.
      1. Select Network > Virtual Routers.
      2. Ensure that you have selected the template you created above from the Template drop-down.
      3. Click Add.
      4. Name the virtual router using the following format: VR-<tempstackname>.
      5. Enable ECMP on the virtual router.
      6. Click OK.
    4. Configure the interface and create the zone.
      1. Select Network > Interfaces and click Add Interface.
      2. Select Slot 1 and then select the interface name (for example, ethernet1/1).
      3. Set Interface Type to Layer 3.
      4. On the Config tab, select New Zone from the Security Zone drop-down. In the Zone dialog, enter a Name for the new zone, for example Internet, and then click OK.
      5. In the Virtual Router drop-down, select the virtual router you created above.
      6. Select IPv4 and click DHCP Client.
      7. Click OK.
    5. Create an Interface Management profile that allows HTTPS on the interface created above, so that the GWLB health checks succeed.
      1. Select Network > Network Profiles > Interface Mgmt and click Add.
      2. Select the protocols that the interface permits for management traffic: Ping, Telnet, SSH, HTTP, HTTP OCSP, HTTPS, or SNMP. For the health-check interface, enable HTTPS.
        Don't enable HTTP or Telnet, because those protocols transmit in cleartext and therefore aren't secure.
    6. Assign the Interface Management profile to an interface.
      1. Select Network > Interfaces, select the type of interface (Ethernet, VLAN, Loopback, or Tunnel), and select the interface.
      2. Select Advanced > Other info and select the Interface Management Profile you just added.
      3. Click OK.
    7. Configure the DNS server and FQDN refresh time.
      1. Select Device > Setup > Services and click the Edit icon.
      2. Set the Primary DNS Server to 169.254.169.253. This is the Amazon-provided DNS server address, which is reachable from every VPC.
      3. Set the Minimum FQDN Refresh Time to 60 seconds.
      4. Click OK.
    8. Commit your changes. This is required before proceeding to the next step.
    9. Create an administrator.
      1. Select Device > Administrators.
      2. Enter pandemo as the Name.
      3. Set the Password to demopassword and Confirm it.
        These are published demonstration values for a Panorama administrator account, so do not rely on the password for protection: restrict which addresses can reach Panorama on port 443 as described in step 8.
      4. Click OK.
    10. Commit your changes.
  5. Configure a template stack and add the template to the template stack.
    1. Select Panorama > Templates and Add Stack.
    2. Enter a unique Name to identify the stack.
    3. Click Add and select the template.
    4. Click OK to save the template stack.
  6. Create the Device Group.
    1. Select Panorama > Device Groups.
    2. Click Add.
    3. Enter a descriptive Name.
    4. Click OK.
    5. Add an allow-all security pre-rule.
      1. Ensure that you have selected the device group you created above from the Device Group drop-down.
      2. Select Policies > Security > Pre Rules and click Add.
      3. Enter a descriptive Name.
      4. Under Source, User, Destination, Application, and Service/URL Category, select any.
      5. Under Actions, select Allow.
      6. Click OK.
      This rule lets you confirm that traffic flows through the GWLB and the firewalls; replace it with your real security policy before the deployment carries production traffic.
    6. Commit your changes.
  7. Add the license deactivation API key for the firewall to Panorama.
    1. Log in to the Customer Support Portal.
    2. Select Products > Assets > API Key Management.
    3. Copy the API key.
    4. Use the Panorama CLI to install the API key copied in the previous step:
       request license api-key set key <key>
  8. After deploying Panorama, open the following ports on the Panorama security group in AWS.
    • Port 443 (HTTPS): Upon initial deployment of the firewall template, leave HTTPS open so that Lambda can connect to Panorama.
      When you later secure port 443, restrict the inbound sources to the IP address range from which you administer Panorama plus the EIPs assigned to the NAT gateways. The number of NAT gateways in your deployment depends on the number of availability zones you configure. To find the NAT gateway EIPs in AWS, go to VPC > NAT Gateways and note each EIP for the HTTPS rule in the security group.
      Additionally, to allow Panorama to release the firewall licenses after stack deletion, allow traffic from the CIDR ranges of the region where you deployed the firewall template. You can find the CIDR ranges for your region in the IP address ranges that AWS publishes.
    • Port 3978: Port 3978, the management channel between managed firewalls and Panorama, must accept traffic from any IP address.
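The port 443 rule in step 8 is the one that tends to stay wide open after the initial deployment. The following script is an added example, not code from the page or the template repository: it derives the Panorama security-group ingress rules from the NAT gateway EIPs and the region's published ranges, refuses to leave port 443 open to 0.0.0.0/0, and emits the matching AWS CLI commands. It assumes the inputs are the output of `aws ec2 describe-nat-gateways` for the security VPC and the ip-ranges.json document AWS publishes; the samples are constructed from documentation address blocks, and admitting only the `EC2` service entries for the region is an assumption (pass `service="AMAZON"` for the broader set).

```python
"""Panorama security-group rules for step 8 (added example).

Assumed inputs: JSON from `aws ec2 describe-nat-gateways` (security VPC)
and the ip-ranges.json document published by AWS. Samples are constructed.
"""
import ipaddress
import json

PANORAMA_HTTPS_PORT = 443    # web UI and API: used by the Lambda, admins, license release
PANORAMA_MGMT_PORT = 3978    # management channel from managed firewalls to Panorama

# Constructed sample responses (documentation address ranges, made-up IDs).
SAMPLE_NAT_GATEWAYS = json.dumps({"NatGateways": [
    {"NatGatewayId": "nat-0a1b2c3d4e5f60718", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
    {"NatGatewayId": "nat-0123456789abcdef0", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.11"}]},
    {"NatGatewayId": "nat-0fedcba9876543210", "State": "deleted",      # stale, skipped
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.12"}]}]})
SAMPLE_IP_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "EC2"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.128/25", "region": "us-east-1", "service": "EC2"}]})


def nat_gateway_eips(describe_nat_json):
    """Public IPs of the NAT gateways that are actually available, as /32s."""
    doc = json.loads(describe_nat_json)
    eips = set()
    for ngw in doc.get("NatGateways", []):
        if ngw.get("State") != "available":
            continue
        for addr in ngw.get("NatGatewayAddresses", []):
            if addr.get("PublicIp"):
                eips.add(addr["PublicIp"] + "/32")
    return sorted(eips, key=ipaddress.ip_network)


def region_cidrs(ip_ranges_json, region, service="EC2"):
    """Published prefixes for one region and service (the license-release source)."""
    doc = json.loads(ip_ranges_json)
    cidrs = {p["ip_prefix"] for p in doc.get("prefixes", [])
             if p.get("region") == region and p.get("service") == service}
    return sorted(cidrs, key=ipaddress.ip_network)


def https_sources_ok(admin_cidrs):
    """False if any admin range would expose port 443 to the whole Internet."""
    return all(ipaddress.ip_network(c, strict=False).prefixlen > 0 for c in admin_cidrs)


def panorama_ingress_rules(admin_cidrs, describe_nat_json, ip_ranges_json, region):
    """(port, cidr, description) tuples for the Panorama security group."""
    if not https_sources_ok(admin_cidrs):
        raise ValueError("refusing 0.0.0.0/0 on port 443; list the admin ranges instead")
    rules = [(PANORAMA_HTTPS_PORT, str(ipaddress.ip_network(c, strict=False)),
              "Panorama admin access") for c in admin_cidrs]
    rules += [(PANORAMA_HTTPS_PORT, c, "VM-Series via NAT gateway EIP")
              for c in nat_gateway_eips(describe_nat_json)]
    rules += [(PANORAMA_HTTPS_PORT, c, f"license release from {region}")
              for c in region_cidrs(ip_ranges_json, region)]
    # Step 8: the firewall-to-Panorama channel must accept traffic from any address.
    rules.append((PANORAMA_MGMT_PORT, "0.0.0.0/0", "firewall-to-Panorama management channel"))
    return rules


def to_aws_cli(group_id, rules):
    """One authorize-security-group-ingress command per rule; the Description
    keeps the reason for each CIDR visible in the security group later."""
    cmds = []
    for port, cidr, desc in rules:
        perm = [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": cidr, "Description": desc}]}]
        cmds.append("aws ec2 authorize-security-group-ingress --group-id "
                    f"{group_id} --ip-permissions '{json.dumps(perm)}'")
    return cmds


if __name__ == "__main__":
    rules = panorama_ingress_rules(["192.0.2.0/24"], SAMPLE_NAT_GATEWAYS,
                                   SAMPLE_IP_RANGES, "us-west-2")
    for cmd in to_aws_cli("sg-0123456789abcdef0", rules):   # constructed group ID
        print(cmd)
```

Because the NAT gateway EIPs change if the security VPC is redeployed, rerun this after any stack update and revoke rules for EIPs that no longer appear in the describe-nat-gateways output.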
