: Manually Integrate the VM-Series with a Gateway Load Balancer
Focus
Focus

Manually Integrate the VM-Series with a Gateway Load Balancer

Table of Contents

Manually Integrate the VM-Series with a Gateway Load Balancer

Complete the following procedure to manually integrate your VM-Series firewall on AWS with a GWLB.
If you associate VPC endpoints to an interface or subinterfaces via user data while bootstrapping and your bootstrap.xml file does not include the interface configuration, you can configure the interfaces after the firewall boots up.
  1. Set up the security VPC. See the AWS documentation for more information about creating your security VPC.
    • Create two subnets—one for management and one for data.
    • Create two security groups—one for firewall management and one for data.
    • The management subnet security groups should allow https and ssh for management access.
    • Ensure that the security group(s) in your data VPC allows GENEVE-encapsulated packets (UDP port 6081).
    • If your deployment includes a transit gateway and traffic that will move between VPCs, you must enable appliance mode on security VPC attachment.
    The target group of the GWLB cannot use HTTP for health checks because the VM-Series firewall does not allow access with an unsecured protocol. Instead, use another protocol such as HTTPS or TCP.
  2. Launch the VM-Series firewall.
    1. On the EC2 Dashboard, click
      Launch Instance
      .
    2. Select the Palo Alto VM-Series AMI. To get the AMI, see Obtain the AMI.
    3. Launch the VM-Series firewall on an EC2 instance.
      1. Choose the
        EC2 instance type
        for allocating the resources required for the firewall, and click
        Next
        . See VM-Series System Requirements, for resource requirements.
      2. Select the security VPC.
      3. Select the data subnet to attach to eth0.
      4. Add another network interface for eth1 to act as the management interface after the interface swap. Swapping interfaces requires a minimum of two ENIs (eth0 and eth1).
        • Expand the Network Interfaces section and click
          Add Device
          to add another network interface and configure Management subnet to this interface.
          Make sure that your VPC has more than one subnet so that you can add additional ENIs at launch.
          If you launch the firewall with only one ENI:
          • The interface swap command will cause the firewall to boot into maintenance mode.
          • You must reboot the firewall when you add the second ENI.
        • Expand the Advanced Details section and in the
          User data
          field enter as text to perform the interface swap during launch.
          mgmt-interface-swap=enable
          plugin-op-commands=aws-gwlb-inspect:enable
          If you set the target type to the IP address of a specific interface on the VM-Series firewall, you do not need to enable management interface swap.
      5. Accept the default
        Storage
        settings. The firewall uses volume type SSD (gp2).
      6. If prompted, select an appropriate
        SSD
        option for your setup.
      7. (
        Optional
        )
        Tagging
        . Add one or more tags to create your own metadata to identify and group the VM-Series firewall. For example, add a
        Name
        tag with a
        Value
        that helps you remember that the ENI interfaces have been swapped on this VM-Series firewall.
      8. Select the data
        Security Group
        for eth0 (data interface). Enable traffic on UDP port 6081.
        If you enable health checks to the firewall, you cannot use HTTP. Instead, use another protocol such as HTTPS or TCP.
      9. Select
        Review and Launch
        . Review that your selections are accurate and click
        Launch
        .
      10. Select an existing key pair or create a new one, and acknowledge the key disclaimer.
        This key pair is required for first time access to the firewall. It is also required to access the firewall in maintenance mode.
      11. Download and save the private key to a safe location; the file extension is
        .pem
        . You cannot regenerate this key, if lost.
        It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2 Dashboard.When the process completes, the VM-Series firewall displays on the
        Instances
        page of the EC2 Dashboard.
  3. Attach the management security group to eth1 (management interface). Allow ssh and https. See the AWS Documentation for more information.
  4. Create and assign an Elastic IP address (EIP) to the ENI used for management access (eth1) to the firewall.
    1. Select
      Elastic IPs
      and click
      Allocate New Address
      .
    2. Select
      EC2-VPC
      and click
      Yes, Allocate
      .
    3. Select the newly allocated EIP and click
      Associate Address
      .
    4. Select the
      Network Interface
      and the
      Private IP address
      associated with the management interface and click
      Yes, Associate
      .
  5. Configure a new administrative password for the firewall.
    On the VM-Series firewall CLI, you must configure a unique administrative password before you can access the web interface of the firewall. To log in to the CLI, you require the private key that you used to launch the firewall.
    1. Use the EIP to SSH into the Command Line Interface (CLI) of the VM-Series firewall. You will need the private key that you used or created above and using the user name
      admin
      to access the CLI.
      If you are using PuTTY for SSH access, you must convert the .pem format to a .ppk format. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
    2. Enter the following command to log in to the firewall:
      ssh-i
      <private_key.pem>
      admin@
      <public-ip_address>
    3. Configure a new password, using the following command and follow the onscreen prompts:
      configure
      set mgt-config users admin password
    4. If you have a BYOL that needs to be activated, set the DNS server IP address so that the firewall can aceess the Palo Alto Networks licensing server. Enter the following command to set the DNS server IP address:
      set deviceconfig system dns-setting servers primary
      <ip_address>
    5. Commit your changes with the command:
      commit
    6. Terminate the SSH session.
  6. Configure the dataplane network interface as a Layer 3 interface on the firewall.
    On the application servers within the VPC, define the dataplane network interface of the firewall as the default gateway.
    1. Using a secure connection (https) from your web browser, log in using the EIP address and password you assigned during initial configuration (https://<Elastic_IP address>). You will see a certificate warning; that is okay. Continue to the web page.
    2. Select
      Network
      Interfaces
      Ethernet
      .
    3. Click the link for
      ethernet 1/1
      and configure as follows:
      • Interface Type
        :
        Layer3
      • On the
        Config
        tab, assign the interface to the default virtual router.
      • On the
        Config
        tab, expand the
        Security Zone
        drop-down and select
        New Zone
        . Define a new zone and leave the remaining fields with default values and then click
        OK
        .
      • On the
        IPv4
        tab, select
        DHCP Client
        .
        If using DHCP, select
        DHCP Client
        ; the private IP address that you assigned to the ENI in the AWS management console will be automatically acquired.
      • On the Advanced tab, create a management profile to enable HTTP service as part of management profile creation and allow Health check probes from GWLB.
      • (
        optional
        ) On the IPv6 tab, select
        Enable IPv6 on this Interface
        and select
        DHCPv6 Client
        .
        The VM-Series for AWS behind a GWLB only supports IPv6 as part of AWS Dualstack, meaning that clients communicate with load balancers using both IPv4 and IPv6 addresses. IPv6 only is not supported on the AWS GWLB. See AWS documentation for more information.
        Additionally, you must create security policy that allows IPv6 traffic.
    4. Click
      Commit
      . Verify that the link state for the interface is up.
  7. Create security policies to allow/deny traffic.
    Because the VM-Series treats traffic as intrazone when integrated with a GWLB, a default intrazone rule allows all traffic. It is a best practice to override the default intrazone rule with a deny action for traffic that does not match any of your other security policy rules.
    1. Select
      Policies
      Security
      on the web interface of the firewall.
    2. Click
      Add
      , and specify the security zones, applications and logging options that you would like to execute to restrict and audit traffic traversing through the network.
  8. Commit
    the changes on the firewall.

Recommended For You