Planning Checklist for Version 1.1
Verify the requirements for deploying the CFT.
|
The CFT requires
AWS Lambda
and
Signature version 2, and is supported in the following regions: US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney).
|
Assign the appropriate permissions for the IAM user role.
|
The user who deploys the CFT must either have administrative privileges or have the permissions listed in the
iam-policy.json
file to successfully launch the CFT. Copy and paste the permissions from this file in to a new IAM policy and then attach the policy to a new or existing IAM role.
|
Create a Support Account
on the Palo Alto Networks Support portal.
|
All the VM-Series firewalls deployed by CFT 1.1 support the usage-based (PAYG bundle 2) licenses. CFT 1.1 does not support the BYOL option.
You must register the VM-Series firewalls to activate your support entitlement.
|
Review and accept the End User License Agreement (EULA).
Required, if you are launching a VM-Series firewall on AWS for the first time. The CFT will fail to deploy if you have not accepted the EULA.
|
In the AWS Marketplace, search for Palo Alto Networks, and select
VM-Series Next Generation Firewall Bundle 2.
Click
Continue, and select
Manual Launch. Review the agreement and click
Accept Software Terms
to accept the EULA.
You can now close the browser.
|
Download the Templates, AWS Lambda code, and the bootstrap files.
Do not mix and match files across CFT versions.
|
Get the files from the following GitHub repository at:
https://github.com/PaloAltoNetworks/aws-elb-autoscaling/tree/master/Version-1.1
Templates and Lambda code:
panw-aws.zip
firewall.template
vpc-classic-v1.1.template or vpc-alb-v1.1.template. (you need only one)
The vpc-classic-v1.1.template includes support for two classic ELBs; the vpc-alb-v1.1.template includes support for a classic ELB and an internal application ELB.
Use the vpc-alb.template if you want to deploy an application ELB for load balancing traffic to the internal web servers and a classic ELB for internet-facing traffic.
Use the vpc-classic.template if you want to deploy two classic ELBs; one for load balancing traffic to the internal web servers and another for internet-facing traffic.
The solution is supported by Palo Alto Networks Technical Support as it is published. You may modify the template to suit your specific use case but Palo Alto Networks Technical Support cannot assist with issues that arise from customization.
Bootstrap files:
init-cfg.txt
bootstrap.xml
The bootstrap.xml file bundled with this solution is designed to help you get started, and is provided for testing and evaluation only. For a production deployment, you must modify the bootstrap.xml prior to launch. See
Customize the Bootstrap.xml File.
|
Customize the bootstrap.xml file for your production environment.
|
To ensure that your production environment is secure, you must
Customize the Bootstrap.xml File
with a unique administrative username and password. You can also use this opportunity to create an optimal firewall configuration with interfaces, zones, and security policy rules that meet your application security needs.
|
Decide whether you want to use Panorama for centralized logging, reporting, and firewall management.
|
Panorama is an option for administrative ease. It is not required to manage the auto scaling tier of VM-Series firewalls deployed in this solution.
If you want to use Panorama, you can either use the M-Series appliance or a Panorama virtual appliance on a VMware ESXi server inside your corporate network, or use a Panorama virtual appliance on vCloud Air.
And, if you use Panorama, you need the following information so that the firewalls can register with Panorama:
API key for an administrative user account on Panorama. AWS Lambda uses this key to make API requests to Panorama. By default, the CFT uses an API key with username and password, admin/admin. For better security, create an administrative account on Panorama and
generate a new API key
for the account. You must enter this key when you launch the CFT.
Panorama IP address. You must include the IP address in the configuration (init-cfg.txt) file. The firewalls must be able to access this IP address from the VPC; to ensure a secure connection, use a direct connect link or an IPSec tunnel.
VM auth key that allows Panorama to authenticate the firewalls in order to add each firewall as a managed device. You must include this key in the configuration (init-cfg.txt) file.
The vm auth key is required for the lifetime of the deployment. Without a valid key in the connection request, the VM-Series firewall will be unable to register with Panorama. For details on the key, see
Generate VM Auth Key.
Template name and the device group name to which to assign the firewalls. You must first
add a template
and create a
device group
on Panorama, and then include the template name and the device group name in the configuration (init-cfg.txt) file.
|
Decide whether you want to use the AWS NAT gateway or assign an EIP address to the management interface on each VM-Series firewall.
|
To allow the firewalls to initiate outbound requests for retrieving updates, connecting to Panorama, and publishing metrics to AWS CloudWatch, you can either deploy an AWS NAT gateway or assign an EIP address to the management interface on each firewall.
The AWS NAT gateway option allows you to conserve the use of EIP addresses; you only need one EIP address per Availability Zone (AZ). Hence, you must allocate a maximum of three EIP addresses if you deploy the CFT across three AZs. When you use a NAT gateway and are not using Panorama to manage the firewalls, you must deploy a jump server (a bastion host with an EIP address) within the VPC to enable SSH and/or HTTPS access to the VM-Series firewalls. This jump server is required because the management interface on the VM-Series firewalls has a private IP address only.
If you choose to assign an EIP address to the management interface of each VM-Series firewall, you must estimate the number of EIP addresses you need to enable outbound access for the VM-Series firewalls. Based on the size of your deployment, you may need to
request an increase
in the maximum number of EIP addresses for the AWS region; the default limit is 5 EIP addresses per account. This estimation is crucial to the deployment because AWS Lambda requires the EIP address to successfully launch the firewall.
|
Get started
|
Launch the VM-Series Auto Scaling Template for AWS (v1.1)
|