Launch the VM-Series Firewall on AWS

If you have not already registered the capacity auth-code that you received with the order fulfillment email, with your support account, see Register the VM-Series Firewall. After registering, deploy the VM-Series firewall using an AMI published in the Marketplace or Create a Custom Amazon Machine Image (AMI) in the AWS VPC as follows:
  1. Access the AWS Console.
    Log in to the AWS console and select the EC2 Dashboard.
  2. Set up the VPC for your network needs.
    Whether you launch the VM-Series firewall in an existing VPC or you create a new VPC, the VM-Series firewall must be able to receive traffic from the EC2 instances and perform inbound and outbound communication between the VPC and the internet.
    Refer to the AWS VPC documentation for instructions on creating a VPC and setting it up for access.
    For an example with a complete workflow, see Use Case: Secure the EC2 Instances in the AWS Cloud.
    1. Create a new VPC or use an existing VPC. Refer to the AWS Getting Started documentation.
    2. Verify that the network and security components are defined suitably.
      • Enable communication to the internet. The default VPC includes an internet gateway, and if you install the VM-Series firewall in the default subnet it has access to the internet.
      • Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The VM-Series firewall must belong to the public subnet so that it can be configured to access the internet.
      • Create security groups as needed to manage inbound and outbound traffic from the EC2 instances/subnets.
      • Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
    3. If you want to deploy a pair of VM-Series firewalls in HA, you must define IAM Roles for HA before you can Configure Active/Passive HA on AWS.
    4. (
      Optional
      ) If you are using bootstrapping to perform the configuration of your VM-Series firewall, refer to Bootstrap the VM-Series Firewall on AWS. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.
  3. Launch the VM-Series firewall.
    Although you can add additional network interfaces (ENIs) to the VM-Series firewall when you launch, AWS releases the auto-assigned Public IP address for the management interface when you restart the firewall. Hence, to ensure connectivity to the management interface you must assign an Elastic IP address for the management interface, before attaching additional interfaces to the firewall.
    If you want to conserve EIP addresses, you can assign one EIP address to the eth 1/1 interface and use this interface for both management traffic and data traffic. To restrict services permitted on the interface or limit IP addresses that can log in the eth 1/1 interface, attach a management profile to the interface.
    1. On the EC2 Dashboard, click
      Launch Instance
      .
    2. Select the VM-Series AMI. To get the AMI, see Obtain the AMI.
    3. Launch the VM-Series firewall on an EC2 instance.
      1. Choose the
        EC2 instance type
        for allocating the resources required for the firewall, and click
        Next
        . See VM-Series System Requirements, for resource requirements.
      2. Select the VPC.
      3. Select the public subnet to which the VM-Series management interface will attach.
      4. Select
        Automatically assign a public IP address
        . This allows you to obtain a publicly accessible IP address for the management interface of the VM-Series firewall.
        You can later attach an Elastic IP address to the management interface; unlike the public IP address that is disassociated from the firewall when the instance is terminated, the Elastic IP address provides persistence and can be reattached to a new (or replacement) instance of the VM-Series firewall without the need to reconfigure the IP address wherever you might have referenced it.
      5. Select
        Launch as an EBS-optimized instance
        .
      6. Add another network interface for deployments with ELB so that you can swap the management and data interfaces on the firewall. Swapping interfaces requires a minimum of two ENIs (eth0 and eth1).
        • Expand the Network Interfaces section and click
          Add Device
          to add another network interface.
          Make sure that your VPC has more than one subnet so that you can add additional ENIs at launch.
          If you launch the firewall with only one ENI:
          • The interface swap command will cause the firewall to boot into maintenance mode.
          • You must reboot the firewall when you add the second ENI.
        • Expand the Advanced Details section and in the User data field enter
          mgmt-interface-swap=enable
          as text to perform the interface swap during launch.
        aws_ec2_userdata_mgt_swap.PNG
      7. Accept the default
        Storage
        settings. The firewall uses volume type SSD (gp2).
        This key pair is required for first time access to the firewall. It is also required to access the firewall in maintenance mode.
      8. (
        Optional
        )
        Tagging
        . Add one or more tags to create your own metadata to identify and group the VM-Series firewall. For example, add a
        Name
        tag with a
        Value
        that helps you remember that the ENI interfaces have been swapped on this VM-Series firewall.
      9. Select an existing
        Security Group
        or create a new one. This security group is for restricting access to the management interface of the firewall. At a minimum consider enabling https and ssh access for the management interface.
      10. If prompted, select an appropriate
        SSD
        option for your setup.
      11. Select
        Review and Launch
        . Review that your selections are accurate and click
        Launch
        .
      12. Select an existing key pair or create a new one, and acknowledge the key disclaimer.
      13. Download and save the private key to a safe location; the file extension is
        .pem
        . You cannot regenerate this key, if lost.
        It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2 Dashboard.When the process completes, the VM-Series firewall displays on the
        Instances
        page of the EC2 Dashboard.
  4. Configure a new administrative password for the firewall.
    On the VM-Series firewall CLI, you must configure a unique administrative password before you can access the web interface of the firewall. To log in to the CLI, you require the private key that you used to launch the firewall.
    1. Use the public IP address to SSH into the Command Line Interface (CLI) of the VM-Series firewall. You will need the private key that you used or created in 3 above to access the CLI.
      If you added an additional ENI to support deployments with ELB, you must first create and assign an Elastic IP address to the ENI to access the CLI, see step 6.
      If you are using PuTTY for SSH access, you must convert the .pem format to a .ppk format. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
    2. Enter the following command to log in to the firewall:
      ssh-i
      <private_key.pem>
      admin@
      <public-ip_address>
    3. Configure a new password, using the following command and follow the onscreen prompts:
      configure
      set mgt-config users admin password
    4. If you have a BYOL that needs to be activated, set the DNS server IP address so that the firewall can aceess the Palo Alto Networks licensing server. Enter the following command to set the DNS server IP address:
      set deviceconfig system dns-setting servers primary
      <ip_address>
    5. Commit your changes with the command:
      commit
    6. Terminate the SSH session.
  5. Shutdown the VM-Series firewall.
    1. On the EC2 Dashboard, select
      Instances
      .
    2. From the list, select the VM-Series firewall and click
      Actions
      Stop
      .
  6. Create and assign an Elastic IP address (EIP) to the ENI used for management access to the firewall and reboot the VM-Series firewall.
    1. Select
      Elastic IPs
      and click
      Allocate New Address
      .
    2. Select
      EC2-VPC
      and click
      Yes, Allocate
      .
    3. Select the newly allocated EIP and click
      Associate Address
      .
    4. Select the
      Network Interface
      and the
      Private IP address
      associated with the management interface and click
      Yes, Associate
      .
  7. Create virtual network interface(s) and attach the interface(s) to the VM-Series firewall. The virtual network interfaces are called Elastic Network Interfaces (ENIs) on AWS, and serve as the dataplane network interfaces on the firewall. These interfaces are used for handling data traffic to/from the firewall.
    You will need at least two ENIs that allow inbound and outbound traffic to/from the firewall. You can add up to seven ENIs to handle data traffic on the VM-Series firewall; check your EC2 instance type to verify the maximum number supported on it.
    1. On the EC2 Dashboard, select
      Network Interfaces
      , and click
      Create Network Interface
      .
    2. Enter a descriptive name for the interface.
    3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
    4. Enter the
      Private IP
      address to assign to the interface or select
      Auto-assign
      to automatically assign an IP address within the available IP addresses in the selected subnet.
    5. Select the
      Security group
      to control access to the dataplane network interface.
    6. Click
      Yes, Create
      .
      create_network_interface_EC2_instance.PNG
    7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click
      Attach
      .
      attach_interface.png
    8. Select the
      Instance ID
      of the VM-Series firewall, and click
      Attach
      .
    9. Repeat the steps above for creating and attaching at least one more ENI to the firewall.
  8. (
    Not required for the Usage-based licensing model
    ) Activate the licenses on the VM-Series firewall.
    This task is not performed on the AWS management console. Access to the Palo Alto Networks support portal and the web interface of the VM-Series firewall is required for license activation.
  9. Disable Source/Destination check on every firewall dataplane network interface(s). Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the network interface.
    1. On the EC2 Dashboard, select the network interface, for example eth1/1, in the
      Network Interfaces
      tab.
    2. In the
      Action
      drop-down, select
      Change Source/Dest. Check
      .
      disable_src_dest_check_EC2_instance_1.PNG
    3. Click
      Disabled
      and
      Save
      your changes.
    4. Repeat Steps 1-3 for each firewall dataplane interface.
  10. Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
    For an example configuration, see 14 through 17 in Use Case: Secure the EC2 Instances in the AWS Cloud.
    On the application servers within the VPC, define the dataplane network interface of the firewall as the default gateway.
    1. Using a secure connection (https) from your web browser, log in using the EIP address and password you assigned during initial configuration (https://<Elastic_IP address>). You will see a certificate warning; that is okay. Continue to the web page.
    2. Select
      Network
      Interfaces
      Ethernet
      .
    3. Click the link for
      ethernet 1/1
      and configure as follows:
      • Interface Type
        :
        Layer3
      • On the
        Config
        tab, assign the interface to the default router.
      • On the
        Config
        tab, expand the
        Security Zone
        drop-down and select
        New Zone
        . Define a new zone, for example VM_Series_untrust, and then click
        OK
        .
      • On the
        IPv4
        tab, select either
        Static
        or
        DHCP Client
        .
        If using the
        Static
        option, click
        Add
        in the IP section, and enter the IP address and network mask for the interface, for example 10.0.0.10/24.
        Make sure that the IP address matches the ENI IP address that you assigned earlier.
        If using DHCP, select
        DHCP Client
        ; the private IP address that you assigned to the ENI in the AWS management console will be automatically acquired.
    4. Click the link for
      ethernet 1/2
      and configure as follows:
      • Interface Type
        :
        Layer3
      • Security Zone: VM_Series_trust
      • IP address
        : Select the
        Static
        or
        DHCP Client
        radio button.
        For static, click
        Add
        in the IP section, and enter the IP address and network mask for the interface. Make sure that the IP address matches the attached ENI IP address that you assigned earlier.
    5. Click
      Commit
      . Verify that the link state for the interfaces are up.
      linkstate_up.png
      For DHCP, clear the
      Automatically create default route to default gateway provided by server
      check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC.
      interface-disable_default_route.PNG
  11. Create NAT rules to allow inbound and outbound traffic from the servers deployed within the VPC.
    1. Select
      Policies
      NAT
      on the web interface of the firewall.
    2. Create a NAT rule to allow traffic from the dataplane network interface on the firewall to the web server interface in the VPC.
    3. Create a NAT rule to allow outbound access for traffic from the web server to the internet.
  12. Create security policies to allow/deny traffic to/from the servers deployed within the VPC.
    1. Select
      Policies
      Security
      on the web interface of the firewall.
    2. Click
      Add
      , and specify the zones, applications and logging options that you would like to execute to restrict and audit traffic traversing through the network.
  13. Commit the changes on the firewall.
    Click
    Commit
    .
  14. Verify that the VM-Series firewall is securing traffic and that the NAT rules are in effect.
    1. Select
      Monitor
      Logs
      Traffic
      on the web interface of the firewall.
    2. View the logs to make sure that the applications traversing the network match the security policies you implemented.

Related Documentation