VM-Series Deployment Guide
  1. Home
  2. VM-Series
  3. VM-Series Deployment Guide
  4. Set Up the VM-Series Firewall in AWS
  5. Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS
Previous
Next
Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up the security and IT infrastructure, ensuring bandwidth and uptime requirements in multiple locations around the globe while staying within your budget.
The VM-Series firewall in AWS melds the security and IT logistics required to consistently and reliably protect devices used by mobile users in regions where you do not have a presence. By deploying the VM-Series firewall in the AWS cloud, you can quickly and easily deploy GlobalProtectâ„¢ gateways in any region without the expense or IT logistics that are typically required to set up this infrastructure using your own resources.
To minimize latency, select AWS regions that are closest to your users, deploy the VM-Series firewalls on EC2 instances, and configure the firewalls as GlobalProtect gateways. With this solution, the GlobalProtect gateways in the AWS cloud enforce security policy for internet traffic so there is no need to backhaul that traffic to the corporate network. Additionally, for access to resources on the corporate network, the VM-Series firewalls in AWS leverage the LSVPN functionality to establish IPSec tunnels back to the firewall on the corporate network.
For ease of deployment and centralized management of this distributed infrastructure, use Panorama to configure the GlobalProtect components used in this solution. Optionally, to ensure that mobile devices, such as smartphones and tablets, are safe for use on your network, use a Mobile Device Manager to configure and manage mobile devices.
Components of the GlobalProtect Infrastructure
To block risky applications and protect mobile users from malware, you must set up the GlobalProtect infrastructure, which includes the GlobalProtect portal, the GlobalProtect gateway, and the GlobalProtect app. Additionally, for access to corporate resources, you must set up an IPSec VPN connection between the VM-Series firewalls in AWS and the firewall in the corporate headquarters using LSVPN (a hub and spoke VPN deployment).
The GlobalProtect agent/app is installed on each end-user system that is allowed to access corporate applications and resources. The agent first connects to the portal to obtain information on the gateways and then establishes a secure VPN connection to the closest GlobalProtect gateway. The VPN connection between the end-user system and the gateway ensures data privacy. The GlobalProtect portal provides the management functions for the GlobalProtect infrastructure. Every end-user system receives configuration information from the portal, including information about available gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s). In this use case, the GlobalProtect portal is a hardware-based firewall that is deployed in the corporate headquarters. The GlobalProtect gateway delivers mobile threat prevention and policy enforcement based on applications, users, content, device, and device state. In this use case, the VM-Series firewalls in AWS function as the GlobalProtect gateways. The GlobalProtect gateway scans each user request for malware and other threats, and, if policy allows, sends the request to the internet or to the corporate network over the IPSec tunnel (to the LSVPN gateway). For LSVPN, you must configure the GlobalProtect portal, GlobalProtect gateway for LSVPN (hub), and the GlobalProtect Satellites (spokes).
In this use case, the hardware-based firewall in the corporate office is deployed as the GlobalProtect portal and the LSVPN gateway. The VM-Series firewalls in AWS are configured to function as GlobalProtect satellites. The GlobalProtect satellites and gateway are configured to establish an IPSec tunnel that terminates on the gateway. When a mobile user requests an application or resource that resides on the corporate network, the VM-Series firewall routes the request over the IPSec tunnel.
Deploy GlobalProtect Gateways in AWS
To secure mobile users, in addition to deploying and configuring the GlobalProtect gateways in AWS, you need to set up the other components required for this integrated solution. The following table includes the recommended workflow:
Deploy GlobalProtect in AWS
Deploy the VM-Series firewall(s) in AWS. See Deploy the VM-Series Firewall in AWS.
Configure the firewall at the corporate headquarters. In this use case, the firewall is configured as the GlobalProtect portal and the LSVPN gateway. Configure the GlobalProtect portal. Configure the GlobalProtect portal for LSVPN. Configure the portal to authenticate LSVPN satellites. Configure the GlobalProtect gateway for LSVPN.
Set up a template on Panorama for configuring the VM-Series firewalls in AWS as GlobalProtect gateways and LSVPN satellites. To easily manage this distributed deployment, use Panorama to configure the firewalls in AWS. Create template(s) on Panorama. Then use the following links to define the configuration in the templates. Configure the firewall as a GlobalProtect gateway. Prepare the satellite to join the LSVPN.
Create device groups on Panorama to define the network access policies and internet access rules and apply them to the firewalls in AWS. See Create device groups.
Apply the templates and the device groups to the VM-Series firewalls in AWS, and verify that the firewalls are configured properly.
Deploy the GlobalProtect client software. Every end-user system requires the GlobalProtect agent or app to connect to the GlobalProtect gateway. See Deploy the GlobalProtect client software.
Previous
Next

Related Documentation

Deployments Supported in AWS

Deployments Supported in AWS The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS Virtual Private Cloud ( VPC ...

GlobalProtect Gateways

GlobalProtect Gateways The PA-3020 in the co-location space (mentioned previously) also doubles as a GlobalProtect gateway (the Santa Clara Gateway). 10 additional gateways are deployed ...

Configure GlobalProtect Gateways

Configure GlobalProtect Gateways Because the GlobalProtect configuration that the portal delivers to the agents includes the list of gateways the client can connect to, it ...

End-User Experience

End-User Experience End users who are remote (not inside the corporate network) connect to one of the gateways in AWS or Azure. When you configure ...

LSVPN Overview

LSVPN Overview GlobalProtect provides a complete infrastructure for managing secure access to corporate resources from your remote sites. This infrastructure includes the following components: GlobalProtect ...

Configure GlobalProtect Gateways for LSVPN

Configure GlobalProtect Gateways for LSVPN Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect ...

Configure the GlobalProtect Portal for LSVPN

Configure the GlobalProtect Portal for LSVPN The GlobalProtect portal provides the management functions for your GlobalProtect LSVPN. Every satellite system that participates in the LSVPN ...

Network > GlobalProtect > Gateways

Network > GlobalProtect > Gateways Select Network > GlobalProtect > Gateways to configure a GlobalProtect gateway. A gateway can provide VPN connections for GlobalProtect agents ...

VM-Series Firewall in Microsoft Azure

VM-Series Firewall in Microsoft Azure Microsoft Azure allows you to deploy a virtual network in the cloud so that you can deploy a private cloud ...

Set Up the VM-Series Firewall in AWS

Set Up the VM-Series Firewall in AWS The VM-Series firewall can be deployed in the public Amazon Web Services (AWS) cloud and AWS GovCloud. It ...

© 2019 Palo Alto Networks, Inc. All rights reserved.