Enable Overlay Routing for the VM-Series on AWS
Overlay routing requires PAN-OS 10.0.5 or later.
Using overlay routing in your VM-Series firewall integration with the AWS GWLB allows you to apply a two-zone policy to inspect traffic leaving (egressing) your AWS environment. Packets can then leave the VM-Series firewall through a different interface than the one through which they entered.
When overlay routing is configured, the firewall performs a Layer 3 route lookup on a packet's inner header. If the route lookup resolves to the ingress interface, the packet is forwarded as normal, and all subsequent packets in the session are treated as vwire traffic, as if overlay routing were not enabled. If the packet is destined for an outbound destination, the firewall decapsulates it and forwards it to the IGW or NAT gateway. When the return packet arrives, the firewall reapplies the encapsulation.
Use the following procedure to enable overlay routing.
- Before you begin, ensure that you create different subnets for the trust and untrust interfaces.
- Use the overlay routing CLI command. This CLI command is not required if you included the overlay routing op-command in the AWS user-data or in the init-cfg.txt bootstrap file.
  - Log in to the firewall command line interface.
  - Execute the following command.

    request plugins vm_series aws gwlb overlay-routing enable yes

- Log in to the firewall web interface.
- Ensure that you have disabled Automatically create default route pointing to default gateway provided by server on the trust (ingress) interface.
  - Click on your trust interface and then the IPv4 tab.
  - Uncheck Automatically create default route pointing to default gateway provided by server.
  - Click OK.
- Configure interface Ethernet 1/2.
  - Select Layer 3 as the Interface Type.
  - On the Config tab, expand the Security Zone drop-down and select New Zone. This zone acts as your untrust zone and directs outbound traffic out of your security VPC. Define the new zone, such as VM-Series-untrust, and then click OK.
  - On the IPv4 tab, select DHCP Client.
  - Select Automatically create default route pointing to default gateway provided by server.
- Configure a virtual router.
  - Select Network > Virtual Routers > Add.
  - Enter a descriptive Name for the virtual router.
  - Under Interfaces, Add Ethernet1/1, any subinterfaces under Ethernet1/1, and Ethernet1/2.
  - Click Static Routes > Add.
  - Enter a descriptive name for the static route.
  - As the Destination, enter the private IP address of the application VPC subnet.
  - Select the trust (ingress) interface from the Interface drop-down.
  - For Next Hop, select IP Address and enter the IP address of the gateway of the trust interface. You can find the gateway IP address under Network > Interfaces > Ethernet > Dynamic-DHCP Client.
  - Ensure that the static routes can reach all application VPCs in your deployment. You can either create a few large aggregated routes (covering all of RFC1918) or application-VPC-specific routes. If you use subinterfaces, you do not need to route back to the subinterface: the egress check looks only for the matching interface, not the matching subinterface.
- Create a NAT policy for traffic egressing Ethernet1/2.
  - Enter a descriptive Name for the NAT policy rule.
  - Select ipv4 from the NAT Type drop-down.
  - On the Original Packet tab, set the Source Zone to any and the Destination Zone to your untrust (egress) zone.
  - On the Translated Packet tab, set the following parameters.
    - Translation Type: Dynamic IP and Port
    - Address Type: Interface Address
    - Interface: Select your untrust (egress) port from the drop-down.
    - IP Address: None
- Commit your changes.
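The static-route step above matters because the firewall's first-packet decision hinges on it: a destination whose route lookup resolves to the trust interface stays vwire, anything else is decapsulated and routed out the untrust side, and the check compares physical interfaces rather than subinterfaces. The following Python model, an added example that is not Palo Alto Networks code, reproduces that decision over a constructed routing table and audits whether every application VPC CIDR routes back through the trust interface. Interface names, CIDRs, next hops and the "no-route" outcome are assumptions for the model, not values from the page.

```python
"""Model of the overlay-routing egress check (added example, not Palo Alto Networks
code). It runs the Layer 3 lookup on the inner destination, decides vwire vs.
overlay forwarding, and audits application VPC coverage of the static routes.
All interface names, CIDRs and next hops are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    destination: ipaddress.IPv4Network
    interface: str  # egress interface of the route, e.g. "ethernet1/1"
    next_hop: str


INGRESS_IFACE = "ethernet1/1"  # trust interface: encapsulated traffic from the GWLB arrives here
EGRESS_IFACE = "ethernet1/2"   # untrust interface toward the IGW / NAT gateway

# Constructed virtual-router table: aggregated RFC1918 routes back to the trust-side
# gateway (the aggregated option from the procedure) plus the DHCP default route out
# of ethernet1/2.
ROUTES = [
    StaticRoute(ipaddress.ip_network("10.0.0.0/8"), INGRESS_IFACE, "10.1.0.1"),
    StaticRoute(ipaddress.ip_network("172.16.0.0/12"), INGRESS_IFACE, "10.1.0.1"),
    StaticRoute(ipaddress.ip_network("192.168.0.0/16"), INGRESS_IFACE, "10.1.0.1"),
    StaticRoute(ipaddress.ip_network("0.0.0.0/0"), EGRESS_IFACE, "10.2.0.1"),
]


def base_interface(name):
    """'ethernet1/1.10' -> 'ethernet1/1'. The egress check compares physical
    interfaces only, so a subinterface never needs its own return route."""
    return name.split(".", 1)[0]


def lookup(dst_ip, routes=ROUTES):
    """Longest-prefix match on the inner destination; None if nothing matches."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if addr in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen, default=None)


def egress_decision(ingress_iface, inner_dst_ip, routes=ROUTES):
    """First-packet decision for a session:
    'vwire'    - lookup resolves to the ingress interface; forward as normal and
                 treat the rest of the session as vwire
    'overlay'  - outbound destination; decapsulate and forward out the route's interface
    'no-route' - modelling assumption for a table with no matching route"""
    route = lookup(inner_dst_ip, routes)
    if route is None:
        return "no-route"
    if base_interface(route.interface) == base_interface(ingress_iface):
        return "vwire"
    return "overlay"


def uncovered_app_vpcs(app_vpc_cidrs, ingress_iface=INGRESS_IFACE, routes=ROUTES):
    """Return the application VPC CIDRs that the table would NOT send back through the
    trust interface, i.e. east-west traffic that would wrongly be treated as outbound.
    A CIDR is covered when its best covering route is on the trust interface and no
    more-specific route inside it points elsewhere."""
    base_ingress = base_interface(ingress_iface)
    uncovered = []
    for cidr in (ipaddress.ip_network(c) for c in app_vpc_cidrs):
        covering = [r for r in routes if cidr.subnet_of(r.destination)]
        best = max(covering, key=lambda r: r.destination.prefixlen, default=None)
        leak_inside = any(
            r.destination.subnet_of(cidr) and base_interface(r.interface) != base_ingress
            for r in routes
        )
        if best is None or base_interface(best.interface) != base_ingress or leak_inside:
            uncovered.append(str(cidr))
    return uncovered


if __name__ == "__main__":
    # Constructed flows: east-west between application VPCs (arriving on a
    # subinterface) and an internet-bound flow.
    for ingress, dst in [("ethernet1/1.10", "10.5.1.20"), ("ethernet1/1", "198.51.100.7")]:
        print(f"{ingress} -> {dst}: {egress_decision(ingress, dst)}")
    # 100.64.0.0/16 lies outside RFC1918, so the aggregated routes miss it.
    print("uncovered:", uncovered_app_vpcs(["10.5.0.0/16", "172.20.0.0/16", "100.64.0.0/16"]))
```

Run the audit against the CIDRs of every application VPC in the deployment before committing: any CIDR it reports would have its inter-VPC traffic decapsulated and NATed out the untrust interface instead of being returned to the GWLB.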