Launch the Firewall Template

Learn how to launch the VM-Series Auto Scaling template for AWS to integrate a VM-Series auto scaling group with a Gateway Load Balancer (GWLB).
This workflow describes how to deploy the firewall template.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
  1. Modify the init-cfg.txt file and upload it to the /config folder of the bootstrap package.
    Because Panorama bootstraps the VM-Series firewalls, the init-cfg.txt file needs only the settings below; no bootstrap.xml file is needed. Use the template (tplname) and device group (dgname) names you created above, and leave the IPv6 keys empty because IPv6 addresses are not supported. Each key goes on its own line:
    type=dhcp-client
    ip-address=
    default-gateway=
    netmask=
    ipv6-address=
    ipv6-default-gateway=
    hostname=
    vm-auth-key=
    panorama-server=
    panorama-server-2=
    tplname=
    dgname=
    dhcp-send-hostname=yes
    dhcp-send-client-id=yes
    dhcp-accept-server-hostname=yes
    dhcp-accept-server-domain=yes
    plugin-op-commands=aws-gwlb-inspect:enable
    The plugin-op-commands=aws-gwlb-inspect:enable line is required whenever the VM-Series firewall is integrated with a GWLB.
    To install a device certificate automatically when a VM-Series firewall instance is deployed, also add the device certificate auto-registration PIN to init-cfg.txt (the vm-series-auto-registration-pin-id and vm-series-auto-registration-pin-value keys).
  2. Add the license authcode to the /license folder of the bootstrap package.
    1. Use a text editor to create a new text file named authcodes (no extension).
    2. Add the authcode for your BYOL licenses to this file and save it. The authcode must represent a bundle, and the bundle must cover the maximum number of firewalls the auto scaling group might launch. If you list individual authcodes instead of a bundle, the firewall retrieves the license key for the first authcode in the file only.
  3. Upload the Lambda code for the firewall template (panw-aws.zip) and the application template (app.zip) to an S3 bucket. You can use the same S3 bucket that you use for bootstrapping.
    If the application stack is managed by a different account than the firewall stack, use the application account to create another S3 bucket in the same AWS region as the firewall template and copy app.zip to that bucket.
  4. Select the firewall template.
    1. In the AWS Management Console, select CloudFormation, then Create Stack.
    2. Select Upload a template to Amazon S3 and choose the firewall template. (The application template, which deploys its resources either in the same VPC as the firewalls or in a different VPC, is launched separately.) Click Open and Next.
    3. Specify the Stack name. The stack name uniquely identifies all the resources deployed by this template.
  5. Enter a descriptive Name for your stack. The name must be 28 characters or less.
  6. Configure the parameters for the VPC.
    1. Enter the number of Availability Zones to use and select those Availability Zones from the drop-down; they must belong to the region in which you are launching the stack.
    2. Look up the AMI ID for the VM-Series firewall and enter it. Make sure that the AMI ID matches the AWS region, the PAN-OS version, and the BYOL or PAYG licensing option you chose. See Get the Amazon Machine Image IDs for more information.
    3. Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewalls, you must provide the name of this key pair and the private key associated with it.
    4. Select Yes if you want to Enable Debug Log. Enabling the debug log generates more verbose logs that help with troubleshooting deployment issues. These logs are written to AWS CloudWatch under the stack name.
    By default, the template uses CPU utilization as the scaling parameter for the VM-Series firewalls. Custom PAN-OS metrics are automatically published to the CloudWatch namespace that matches the stack name you specified earlier.
  7. Specify the name of the Amazon S3 bucket(s).
    1. Enter the name of the S3 bucket that contains the bootstrap package.
      If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process fails, and you cannot log in to the firewall. Health checks for the load balancers also fail.
    2. Enter the name of the S3 bucket that contains the panw-aws.zip file. As mentioned earlier you can use one S3 bucket for the Bootstrap and Lambda code.
  8. Specify the keys for enabling API access to the firewall and Panorama.
    1. Enter the API key that AWS Lambda uses to authenticate its API calls to the firewall. The default key is derived from the sample file and is therefore not secret; use it only for testing and evaluation. For a production deployment, create a separate PAN-OS administrator account used only for these API calls (ideally with a role limited to the API operations the Lambda functions need) and generate the key for that account.
    2. Enter the API key that allows AWS Lambda to make API calls to Panorama. For a production deployment, likewise create a separate Panorama administrator account used only for the API calls and generate the key for that account.
  9. Add your AWS account number(s). You must provide the account number used to deploy any VPC that is connected to your GWLB. Add these values as a comma-separated list. You can add additional account numbers after deploying the template.
    To locate your account number, click your AWS username in the top right of the AWS console and select My Security Credentials.
  10. Enter the transit gateway ID. The transit gateway ID is required to secure east-west and outbound traffic. If you do not enter a transit gateway ID, the template assumes that only inbound traffic should be inspected by firewalls integrated with the GWLB.
  11. Enter the CIDR for the security VPC.
  12. Review the template settings and launch the template.
    1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
    2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
    3. On successful deployment the status updates to CREATE_COMPLETE.
  13. Verify that the template has launched all required resources.
  14. Create rules allowing the NAT gateway IP address(es) on the security group where your Panorama appliance is deployed. The firewalls egress through the NAT gateways, so these rules are required for them to connect to Panorama. You can find the list of NAT gateway IP addresses in the CFT security stack output.
    1. Access the AWS VPC console.
    2. Select Security Groups on the navigation pane.
    3. Select the security group where Panorama is deployed.
    4. Select Actions, Edit Inbound Rules, then Add rule.
    5. Add a Custom TCP rule for port 3978 (the firewall-to-Panorama management connection) for each NAT gateway IP address, using the address as a /32 source rather than opening the port to the Internet.
    6. Click Save rules.
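The following script, added here as an example and not part of the Palo Alto Networks template or documentation, assembles the bootstrap package from steps 1 through 3 and checks it before upload: it renders init-cfg.txt with one key per line, verifies the keys that Panorama bootstrapping and the GWLB integration require, catches the common copy/paste mistake of two keys run onto one line, rejects IPv6 values, and confirms that the authcodes file holds exactly one bundle authcode. The bucket name, Panorama addresses, vm-auth-key, template and device group names, and authcode are placeholders supplied through environment variables; the content/ and software/ folders are created because the standard bootstrap package layout expects all four folders to exist.

```shell
#!/usr/bin/env bash
# Added example, not part of the Palo Alto Networks template or docs: assemble the
# Panorama-managed bootstrap package from steps 1-3 and check it before uploading.
# All values below are assumed placeholders; supply your own via the environment.
set -eu

BOOTSTRAP_BUCKET="${BOOTSTRAP_BUCKET:-my-vmseries-bootstrap}"   # assumed bucket name
PKG_DIR="${PKG_DIR:-./bootstrap}"
VM_AUTH_KEY="${VM_AUTH_KEY:-}"      # generated on Panorama (request vm-auth-key)
PANORAMA1="${PANORAMA1:-}"          # primary Panorama address
PANORAMA2="${PANORAMA2:-}"          # secondary Panorama address, may be empty
TPLNAME="${TPLNAME:-}"              # template stack name created earlier
DGNAME="${DGNAME:-}"                # device group name created earlier
AUTHCODE="${AUTHCODE:-}"            # one BYOL bundle authcode

# Render init-cfg.txt with the key set the page requires, one key=value per line.
# Args: vm-auth-key panorama-server panorama-server-2 tplname dgname
render_init_cfg() {
  cat <<EOF
type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=
vm-auth-key=$1
panorama-server=$2
panorama-server-2=$3
tplname=$4
dgname=$5
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
plugin-op-commands=aws-gwlb-inspect:enable
EOF
}

# Sanity-check an init-cfg.txt. Reports every problem on stderr; returns 1 on any.
validate_init_cfg() {
  cfg="$1"; rc=0
  # Panorama bootstrapping needs these keys with non-empty values
  for key in type vm-auth-key panorama-server tplname dgname; do
    grep -Eq "^${key}=.+" "$cfg" || { echo "init-cfg: missing or empty $key" >&2; rc=1; }
  done
  # GWLB integration needs this op command, spelled exactly
  grep -qx 'plugin-op-commands=aws-gwlb-inspect:enable' "$cfg" \
    || { echo "init-cfg: plugin-op-commands=aws-gwlb-inspect:enable is required" >&2; rc=1; }
  # two '=' on one line almost always means two keys pasted together (...=yesdhcp-...=yes)
  if grep -Eq '=.*=' "$cfg"; then
    echo "init-cfg: line with more than one '=' (keys run together?)" >&2; rc=1
  fi
  # every non-blank line must be key=value
  if grep -Eqv '^([A-Za-z0-9_-]+=.*)?$' "$cfg"; then
    echo "init-cfg: malformed line, expected key=value" >&2; rc=1
  fi
  # IPv6 addresses are not supported on VM-Series in AWS; these keys must stay empty
  if grep -Eq '^ipv6-(address|default-gateway)=.+' "$cfg"; then
    echo "init-cfg: IPv6 is not supported, leave the ipv6-* keys empty" >&2; rc=1
  fi
  return "$rc"
}

# The authcodes file must hold exactly one (bundle) authcode: with several
# individual authcodes the firewall only ever retrieves the first.
validate_authcodes() {
  n="$(grep -c '[^[:space:]]' "$1")" || true   # grep -c exits 1 when the count is 0
  [ "$n" -eq 1 ] || { echo "authcodes: expected exactly one authcode line, found $n" >&2; return 1; }
}

# Lay out the package. The standard bootstrap layout also expects content/ and
# software/ folders, so all four are created even though two stay empty here.
build_package() {
  mkdir -p "$PKG_DIR/config" "$PKG_DIR/license" "$PKG_DIR/content" "$PKG_DIR/software"
  render_init_cfg "$VM_AUTH_KEY" "$PANORAMA1" "$PANORAMA2" "$TPLNAME" "$DGNAME" \
    > "$PKG_DIR/config/init-cfg.txt"
  printf '%s\n' "$AUTHCODE" > "$PKG_DIR/license/authcodes"
  validate_init_cfg "$PKG_DIR/config/init-cfg.txt"
  validate_authcodes "$PKG_DIR/license/authcodes"
}

# Upload to the bootstrap bucket; it must be in the same region as the stack.
# Needs AWS CLI credentials, so it only runs when invoked with "upload".
upload_package() {
  aws s3 sync "$PKG_DIR" "s3://$BOOTSTRAP_BUCKET/"
}

case "${1:-}" in
  build)  build_package ;;
  upload) upload_package ;;
  *)      echo "usage: $0 build | upload" >&2 ;;
esac
```

Run it as `VM_AUTH_KEY=... PANORAMA1=... TPLNAME=... DGNAME=... AUTHCODE=... ./bootstrap.sh build` and then `./bootstrap.sh upload`; the build step refuses to produce a package that would fail bootstrapping, which is preferable to discovering the problem through failed load balancer health checks and firewalls you cannot log in to.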
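Step 14 can be scripted as well. The script below, added here as an example and not part of the Palo Alto Networks template or documentation, converts the NAT gateway addresses into one /32 inbound rule each for TCP 3978 on the Panorama security group, so the port is opened only to the firewalls' egress addresses. The stack name, the security group ID, the name of the stack output that carries the NAT gateway addresses (NATGatewayIPs) and the comma-separated format of that output are assumptions; check them against your own stack's outputs before running the apply command.

```shell
#!/usr/bin/env bash
# Added example, not from the Palo Alto Networks docs or template: build per-address
# /32 inbound rules for TCP 3978 on the Panorama security group from the NAT gateway
# addresses in the security stack output (step 14). Names and IDs below are assumed.
set -eu

STACK_NAME="${STACK_NAME:-vmseries-gwlb}"            # assumed stack name
PANORAMA_SG="${PANORAMA_SG:-sg-0123456789abcdef0}"   # assumed placeholder group ID
NAT_OUTPUT_KEY="${NAT_OUTPUT_KEY:-NATGatewayIPs}"    # assumed OutputKey; verify in your stack

# Accept only dotted-quad IPv4 addresses with octets 0-255; returns 1 otherwise.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Convert "ip1,ip2, ip3" (comma-separated, as the output is assumed to print it)
# into space-separated /32 CIDRs. Anything that is not a plain IPv4 address,
# including an existing CIDR such as 0.0.0.0/0, is rejected.
nat_ips_to_cidrs() {
  out=""
  for ip in $(echo "$1" | tr ',' ' '); do
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    out="$out $ip/32"
  done
  [ -n "$out" ] || { echo "no NAT gateway addresses given" >&2; return 1; }
  echo "${out# }"
}

# Build the --ip-permissions JSON: TCP 3978 with one /32 range per NAT gateway.
panorama_ip_permissions() {
  cidrs="$(nat_ips_to_cidrs "$1")" || return 1
  ranges=""
  for cidr in $cidrs; do
    ranges="$ranges{\"CidrIp\":\"$cidr\",\"Description\":\"VM-Series NAT GW to Panorama\"},"
  done
  printf '[{"IpProtocol":"tcp","FromPort":3978,"ToPort":3978,"IpRanges":[%s]}]\n' "${ranges%,}"
}

# Read the NAT gateway addresses from the security stack outputs (needs AWS CLI).
nat_ips_from_stack() {
  aws cloudformation describe-stacks --stack-name "$STACK_NAME" \
    --query "Stacks[0].Outputs[?OutputKey=='$NAT_OUTPUT_KEY'].OutputValue" --output text
}

# Apply the rule. Re-running against an existing rule fails with InvalidPermission.Duplicate.
apply_panorama_rule() {
  aws ec2 authorize-security-group-ingress --group-id "$PANORAMA_SG" \
    --ip-permissions "$(panorama_ip_permissions "$1")"
}

case "${1:-}" in
  render) panorama_ip_permissions "${2:-}" ;;
  apply)  apply_panorama_rule "$(nat_ips_from_stack)" ;;
  *)      echo "usage: $0 render <ip,ip,...> | apply" >&2 ;;
esac
```

Use `render` first to inspect the JSON that will be submitted; `apply` reads the addresses from the stack outputs and calls authorize-security-group-ingress with it. If your NAT gateway addresses ever change (for example after the stack is rebuilt), the old /32 rules must be removed and new ones added, which is the price of not opening 3978 more widely.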
