How to deploy Palo Alto firewall on AWS cloud using VPC and EC2

Captions
Welcome to this video in the Palo Alto series. In this video we will learn how to deploy a Palo Alto firewall using the AWS Marketplace and the AWS EC2 service. We will also break down the setup from the very beginning up until we get the Palo Alto firewall up and running, so stick to the end of this video to learn how you can deploy a Palo Alto firewall using AWS cloud. Also, before we get started, make sure you go down and click the like button on this video if you enjoyed this content, and also subscribe so you can get the latest videos as soon as they get released.

Before we get started let's take a quick look at our topology. In this topology we are using the Palo Alto recommended design for deploying a Palo Alto firewall on AWS, and we have basic lines here that we need to configure on our EC2 to get this Palo Alto virtual machine up and running. First off, we need three different interfaces to deploy a Palo Alto virtual machine inside AWS; unlike a FortiGate virtual machine, where we only need two interfaces, you just need to make a small tweak to our setup, where we're gonna create a first interface for management so we can manage our firewall through the internet or internally, and then we're gonna make two different interfaces, which are ethernet1/1 and ethernet1/2, and those are to represent the public subnet and the private subnet. To be able to protect our virtual machines or other resources that we deploy inside AWS, we make an arm for the firewall, or an interface for the firewall, inside the private subnet so that our virtual machines can talk to the firewall to get to other networks and talk to the internet, for example. Finally, the firewall will also have an arm or an interface in the public subnet so that it can communicate to the internet and can allow the clients in our private subnet to talk to the internet through the firewall.

Now let's switch to VPC and we're gonna create our first VPC. For those who are not familiar with VPC, a VPC is just a way for us to create networks in the cloud, so basically everything has to be built inside a VPC, like our virtual machines or firewall; any other services that we use, like RDS, all of them have interfaces inside our VPC. Therefore we first need to create our VPC. We're just gonna call it Palo Alto and we're gonna give it a big subnet mask like 10.10.0.0/16; this will allow us all the subnets that we need inside and more for future growth, and we just save it like that.

Then we can work on our subnets. Subnets allow you to segregate traffic between different resources and control them differently using route tables. Therefore we need to create three different subnets: our management subnet, our public subnet and finally our private subnet. Let's start with our public subnet. We're gonna choose our VPC from the list and then we're gonna be asked to choose our availability zone. An availability zone represents a data center for AWS inside a region, so for my specific region, which is North Virginia, there are six different availability zones, which represent six different data centers that AWS owns in North Virginia, and they are completely isolated and completely separated. Assuming some disaster happened in North Virginia and one of the availability zones goes down, the other five are completely isolated and not affected, and therefore if you build your applications in different availability zones they are highly available and more resilient to data center outages. In our case we can either go with no preference or we can specifically choose one availability zone from the list. Now you have to be careful when choosing the availability zone; I would recommend you choose A, B or C, because I previously had failures deploying it on us-east-1e and it said that Palo Alto is not supported in that availability zone, which doesn't make any sense, but this is the case we have to deal with. So I will be choosing us-east-1b, and then we will choose a subnet mask for our public subnet; let's just choose 10.10.250.0/24. This will give us more than enough IPs for current and future deployment as well.

Now that we have our public subnet created, we can go ahead and create our second subnet, which is going to be our private subnet. We can choose the availability zone again or leave it automatic; once you have one created it usually tries to match it with the same availability zone. Finally for the mask let's give it a little bit bigger network, like 10.10.10.0/23; this will give us more than 500 IPs so that we can deploy as many virtual machines and AWS services as we want. Finally we just create our management subnet, choose our VPC again, and for the subnet mask we'll choose 10.10.12.0/25.

Now that we have our subnets ready, we need to move on to route tables, and with route tables we need two different route tables to control our traffic between the firewall and our private network. The way this works is we start with our default route table, which right now just has our local network, or our VPC CIDR. I like to rename it first so it will show what it actually is, so let's give this one the name private route table, and then we can proceed and create our second route table, and this one will be our public route table. As of now both route tables are completely the same; there is no difference, they only have the local route. So the only difference we're gonna make between the public route table and the private route table is that the public route table will have a default route to the internet; this is represented by the IGW. We can go ahead, edit our routes and add our default route 0.0.0.0/0, and for this one we will point it at the internet gateway. In AWS terms an internet gateway is just a way for you to access the internet, so as requirements for being able to connect to the internet from AWS, first you need an elastic IP, which is a public IP, and second you need an internet gateway, then you can reach the internet. Once we add our default route, now our public route table is ready; we just need to associate it with the subnets that we want to be exposed to the internet. As of now there is no subnet association under this route table; we can go ahead, edit our subnet associations, and we can assign this public route table to all the subnets that need an internet connection. We assign it to the management subnet so we can have access to our firewall to manage it through the internet once we deploy our machine, and we need the public subnet so that the firewall would have a presence in the public subnet and can control the actual data traffic between our virtual machines and the internet through that isolated interface. For the FortiGate we were doing the public and management under one interface, whereas in the Palo Alto we will do it in two different separate interfaces. Now our public route table is ready with all the needed routes and also the subnet association. On the other hand, the private route table is currently not associated with any subnet, so we need to point it to the private subnet right now, and we also need to add a route to point our default route in the private subnet to the firewall, but because our firewall is not currently built we cannot add this step; we will add it by the end of this video.

Now that we have all our VPC requirements ready, we can go ahead and move to EC2. EC2 is the best place we can use to deploy virtual machines in AWS cloud, and once we go ahead and launch an instance we can just search for Palo Alto. We will find different offerings in the AWS Marketplace for Palo Alto, and we may notice Palo Alto recently changed their logo; they have a really nice new logo now, and this is really a nice step in the right direction because they haven't been doing much in the design lately. Now our options start with Panorama, and Panorama is just a central management suite, so it's not the actual firewall, it's just a management suite if you have multiple Palo Altos and you want to control them easily; this is something similar to FortiManager in Fortinet terms. So we are not looking for Panorama right now. We have our bring-your-own-license model next, which is only used if you really have a license; we do not have a license right now, so we want to use the on-demand instances, and with on-demand we have two different bundles with two different prices. If we try to expand our bundle 2 to see what this is all about, it's gonna send us to the AWS Marketplace page dedicated to this instance. If we try to open this, it will show us the actual difference between bundle 1 and bundle 2, as bundle 2 allows us to control traffic as usual but also will allow us to use all the advanced features, or UTM features, that we are familiar with, like IPS (intrusion prevention), URL filtering, like an internet proxy so you can filter traffic based on the category and things like that, also WildFire and other sandboxing technologies that can help you get the most out of your Palo Alto firewall. On the other hand bundle 1, which is a bit cheaper, contains only the IPS license and we are not going to be able to use URL filtering or any other feature besides IPS, so you can weigh your options based on which model you need or which features you need to enable. Also it's good to know that, just like the FortiGate, there is a free trial for two weeks for this instance, so you can try it risk-free and you're only obligated to pay for the EC2 cost, which is the actual virtual machine where the Palo Alto software is deployed; you don't have to pay for the software, you just have to pay for the EC2 cost. You can go down all the way and get an idea of how much that would come to. So right now we are looking into the vendor recommended instance size for this particular virtual machine, which is m5.xlarge; it's definitely more on the expensive side and it contains 4 CPUs and 16 gigs of memory. Of course this is not justified as a beginner instance size, but this is the one that is recommended for high production environments and mission-critical applications, but the total cost for the software and the virtual machine together will be around one and a half dollars an hour, so keep that in mind. Also, when considering this, a long-term commitment can save you a lot of money if you decide to use this device for your production environment. Once we are happy with the pricing and the information we can go ahead and click continue to subscribe, and don't worry, that doesn't mean any commitment on your side; that just means you are allowed to deploy this specific machine on EC2 from the Marketplace after you subscribe to it, so you only get to pay once you deploy the actual machine and actually start using it.

Now we can go ahead and start to deploy our virtual machine. We will choose bundle 2, which has all the features inside, and once we get to the instance size we will see a lot of instance types that are not supported by this product and they are all inactive, so we will have to go down all the way until we find the first available option, which is m5n. But be careful, do not choose this; it's very misleading because this one is actually not supported. You have to go down more and choose the m5.xlarge, not the m5n, so make sure it doesn't have the n letter, and then you can go ahead and deploy it. It's going to give us first a warning that you are only allowed one free trial instance; make sure you do not deploy two firewalls at the same time, otherwise you will have to pay for the software cost and the free trial will not save you in this situation. Now for the subnet selection: we did say that we need three interfaces on all of these three subnets; however, as a requirement we need to make sure that our interfaces are created in the specific order that is specified in the document. Therefore we will start with the management interface alone in our wizard to create the instance, and after our virtual machine has fully loaded and everything, we can actually start adding additional interfaces to it, and this is the only way to get it to work properly. So as a beginning wizard we will just choose the management interface and also assign it a public IP address so that we can control our instance remotely, and we don't need to change anything else; you can leave the network interfaces part for now, we will do that later, and we can just go ahead and review and launch our instance. Now once we get the choice for the key pair: with previous setups we did not really need a key pair for the FortiGate firewall, because the FortiGate assigns the instance ID as the initial password, but for Palo Alto this is not the case. In this case we must create a key pair, and this key pair is going to be the only way we get initial access to our firewall to change our password, so keep that in mind, you have to create a key pair. Now our virtual machine is actually showing a running status, but don't fall easily for this; that doesn't really mean the machine is ready for use. If you go ahead into the instance settings and use the instance screenshot feature, this will allow you to make sure that the machine has actually finished booting, and it has not in this case, but we have to wait until we actually see something like "VM login", and that means we are actually ready to use the machine now.

To use the machine using SSH I want to show you how you can use a tool like Solar-PuTTY. I'm a very big fan of this tool because it helps you manage a lot of profiles for different SSH connections, and you can save them and log into them back and forth, and also it has a very good feature that allows different tabs inside the same console, whereas the normal PuTTY client does not have tabs. Solar-PuTTY is just an addition on top of PuTTY and it's free to use and highly recommended. From Solar-PuTTY you can just click the three dots to open the menu and we will use the generate certificate option to convert this key pair we just downloaded into a private key file that we can use to log into the firewall. So once we choose the file that we downloaded in the key pair section, all we need to do from here is just to save it as a private key, and save it with the same name but in PPK format; PPK refers to private key. We no longer need the PuTTY key generator; we just need to create a new profile now, and we can just call it Palo Alto firewall; we can give it any name we want. For the IP address we will use the IP address of our management interface, which is 380 - 49 64. Now if we go down we need to specify our username, that will be admin. We said we don't have the password, but we can point to the PPK file we just generated, and we have to give it a specific name for our setup; let's just give it palo key, and then we can save it, and this will allow us to log into the firewall initially. It would say welcome admin; it wouldn't ask for a password because we are already authenticated using the private key file. On a Palo Alto firewall you have to start with the word configure to get into the configuration mode, then we just need to enter one command, which is set mgt-config users admin password, just a whole static sentence that we need to enter, and this will ask us what we want to change the password to, and we can just choose any password we want, and it has to be strong; you can't just use admin admin, that will not work. Now once it says ok, we also have to save this configuration; unlike the FortiGate, on the Palo Alto you have to do a commit or write to save this configuration to the firewall. Once this has been committed we are ready to use our firewall using a normal HTTP session; we can have access to our management console. We will take the IP address of the management subnet, add HTTP and browse to it. From here we can log in using the admin password we just changed using the CLI. We will get some information about PAN-OS, which is the operating system running on the Palo Alto firewall, and although there are some nice features coming with this version, unfortunately this UI has been really, really outdated and hasn't been changed for as far as I know on Palo Alto, so this is a big problem for us, but at least the product is really strong with everything else besides the UI, so don't let the old design discourage you. I'm pretty sure with the new logo they have to come up with a new layout and change the logo at least in the management. We also see the management IP address for our management interface and it does match the AWS IP address, so everything right now is ready as far as the management interface.

Now we are ready to go and create our additional interfaces, but what I like to do first is to name my management interface, which is the only interface we have right now, and then go ahead and create additional interfaces to attach to our virtual machine. We need one for the public NIC, and this has to be the second interface by order; we assign it to our public subnet, and for the security group, which is the firewall policy on this specific interface, we just give it the same security group that was created with the machine and go ahead and create it. For this one we can also give it a name, public NIC. There are two things we need to do for every interface on the firewall: first we have to attach it to the actual firewall; this can be done with the machine running at the same time, which is amazing because we don't have to waste time on rebooting or turning off the machine. The second thing we need to do is disable the source/destination check, and if you are wondering what that is, this is just a security check that makes sure that, in order for AWS to honor specific traffic hitting an interface, the IP address of the interface itself must be either the source IP or the destination IP in the packet, and this is not gonna be the case in the firewall world. For example, if you have a virtual machine deployed on EC2 and you're trying to access the internet from this machine, in this case the source IP will be the IP address of the machine and the destination IP will be whatever IP address is on the internet, so if the traffic packet hits the firewall with a source IP and a destination IP that do not match this interface, it will be denied automatically and the firewall will just be useless. We always have to disable source/destination checks for any firewall on AWS; this is very important to get the full functionality of the firewall. Once we do this we can go ahead and create our third interface, which is gonna be our private interface; we're just gonna give it the name private NIC and also choose our subnet and our security group that was already created with the EC2 launch wizard. Now we give it a nice label, and this also helps us really modify our route tables and point them to the correct interface using the alias that we gave it. Now finally we do the same thing for our private NIC: we disable the source/destination check to make sure our traffic will go through the firewall, and finally we attach this third interface to our working Palo Alto firewall. Now all our network interface setup is ready.

We can now go back to our Palo Alto firewall and get to the Network tab so we can start modifying our interfaces. You may notice that ethernet1/0 is not in the list, but it does exist and it's actually the management interface where we are managing the firewall right now; ethernet1/0 is hidden from this menu, but it was on the main screen on the dashboard. Now in order for us to get the public interface and the private interface to show up correctly, we have to modify them with specific parameters to get them to work like we want to. Starting from ethernet1/1, which is our public interface, we need to change our interface type to layer 3; that means we're gonna allow routing and allow an IP address to be assigned to this interface. We can also give it a comment in here as well to make sure we don't mix this up with the management interface, because this shows up as number 1 in the list but is not the first interface. Then we go into IPv4 and change the mode from static to DHCP client, so it can get the IP address from the AWS side. Finally, under config, you need to assign it to a virtual router; a virtual router is just like a route table that contains our networks, and we need to assign interfaces to that route table by assigning it to the virtual router default. Also Palo Alto supports security zones, which are just a logical grouping format that allows you to create different zones for different areas in your network, and this is just for management purposes, but we can create one for our public subnet and we're just going to call it public zone. Now our public interface is ready. We can do the same process for our private interface: we're gonna go ahead and change the interface type to layer 3, then we need to enable DHCP client on this interface, but we also need to make sure that we disable the "create default route" option for the private interface. Finally we give it the default virtual router and also create a separate zone for this and just call it private zone, and finally we save our second interface.

Now to get these changes to take effect we need to do a commit again, and from the GUI we can actually see a preview of the changes, similar to the FortiGate, so in here we can see a side-by-side configuration file before and after the proposed changes, and it would show us a breakdown of how the CLI structure is on the Palo Alto firewall. We can see the interfaces getting updated and the different syntax being used in here; it's definitely more on the complicated side compared to the FortiGate firewall, but still not the worst compared to other firewalls as well. So this is how the CLI is structured in the Palo Alto world. Once we are comfortable with the file we can go ahead and do commit, and in just a few seconds our changes will be completely pushed to the device. To be able to verify that the changes actually took effect, we can click on the dynamic DHCP client and this will show us which IP we were able to get from the outside DHCP server. This will show the IP address of the public interface, and it does match AWS, but it doesn't show easily outside; we have to click the client to be able to see it. Same for our private interface: we were able to get the IP address from the AWS side as well, so all our network interfaces are ready for use. Now the last step for us to get the firewall to protect our private network is to go back to the private route table and to add a default route, this time to the private interface of the Palo Alto firewall, and this way any device on our private network that wants to talk outside of the subnet will need to go to the firewall to be able to talk to it. And that's how you configure and deploy a Palo Alto firewall on AWS EC2. Thank you for watching.
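As an added example (editor's code, not from the video and not Palo Alto Networks' or AWS's own tooling), the VPC, subnet, route-table and ENI steps of the walkthrough are expressed below as a small Python plan. It checks that the three subnets sit inside the VPC CIDR without overlapping, fixes the ENI attachment order (management at device index 0, then ethernet1/1 and ethernet1/2) with the source/destination check left on only for the management ENI, and renders the equivalent AWS CLI commands in dependency order. The CIDRs and availability zone are the ones used in the video; the resource IDs (vpc-..., igw-..., eni-..., i-...) are constructed placeholders standing in for what each create call returns.

```python
"""Addressing and attachment plan for a PA-VM on AWS (added example).

IDs such as vpc-PLACEHOLDER are constructed, not values from the video.
"""
import ipaddress
from typing import Dict, List

VPC_CIDR = "10.10.0.0/16"
AZ = "us-east-1b"
SUBNETS: Dict[str, str] = {          # CIDRs used in the video
    "management": "10.10.12.0/25",
    "public": "10.10.250.0/24",
    "private": "10.10.10.0/23",
}
# Subnets that need the Internet gateway share the public route table.
ROUTE_TABLE_OF: Dict[str, str] = {"management": "public", "public": "public",
                                  "private": "private"}
# Attachment order PAN-OS expects: management ENI first (device index 0),
# then ethernet1/1 (public) and ethernet1/2 (private).
ENI_ORDER = [("management", "mgmt"), ("public", "ethernet1/1"),
             ("private", "ethernet1/2")]
# Constructed placeholder IDs standing in for what the AWS API would return.
IDS = {"vpc": "vpc-PLACEHOLDER", "igw": "igw-PLACEHOLDER",
       "sg": "sg-PLACEHOLDER", "instance": "i-PLACEHOLDER",
       "subnet": {n: f"subnet-{n}-PLACEHOLDER" for n in SUBNETS},
       "rtb": {"public": "rtb-public-PLACEHOLDER",
               "private": "rtb-private-PLACEHOLDER"},
       "eni": {n: f"eni-{n}-PLACEHOLDER" for n in SUBNETS}}


def validate_addressing(vpc_cidr: str = VPC_CIDR,
                        subnets: Dict[str, str] = SUBNETS) -> bool:
    """Every subnet must sit inside the VPC CIDR and none may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"subnets {a} and {b} overlap")
    return True


def addressing_is_valid(vpc_cidr: str, subnets: Dict[str, str]) -> bool:
    """Boolean wrapper around validate_addressing for quick checks."""
    try:
        return validate_addressing(vpc_cidr, subnets)
    except ValueError:
        return False


def eni_plan() -> List[dict]:
    """One entry per ENI: attachment index and whether the AWS
    source/destination check stays on (only for the management ENI)."""
    return [{"subnet": subnet, "pan_interface": pan, "device_index": i,
             "source_dest_check": i == 0}
            for i, (subnet, pan) in enumerate(ENI_ORDER)]


def route_plan(ids: dict = IDS) -> Dict[str, dict]:
    """Default routes: public table -> IGW, private table -> the firewall's
    private ENI, plus the subnet associations for each table."""
    return {
        "public": {"default_target": ids["igw"],
                   "subnets": [s for s, t in ROUTE_TABLE_OF.items() if t == "public"]},
        "private": {"default_target": ids["eni"]["private"],
                    "subnets": [s for s, t in ROUTE_TABLE_OF.items() if t == "private"]},
    }


def render_cli(ids: dict = IDS) -> List[str]:
    """AWS CLI equivalent of the console clicks, in dependency order."""
    validate_addressing()
    cmds = [f"aws ec2 create-vpc --cidr-block {VPC_CIDR}",
            "aws ec2 create-internet-gateway",
            f"aws ec2 attach-internet-gateway --internet-gateway-id {ids['igw']} --vpc-id {ids['vpc']}"]
    for cidr in SUBNETS.values():
        cmds.append(f"aws ec2 create-subnet --vpc-id {ids['vpc']} --cidr-block {cidr} --availability-zone {AZ}")
    for table, spec in route_plan(ids).items():
        cmds.append(f"aws ec2 create-route-table --vpc-id {ids['vpc']}")
        for s in spec["subnets"]:
            cmds.append(f"aws ec2 associate-route-table --route-table-id {ids['rtb'][table]} --subnet-id {ids['subnet'][s]}")
    # The public default route can be added before the firewall exists.
    cmds.append(f"aws ec2 create-route --route-table-id {ids['rtb']['public']} --destination-cidr-block 0.0.0.0/0 --gateway-id {ids['igw']}")
    # Dataplane ENIs are created once the instance is up, then attached in order.
    for eni in eni_plan():
        if eni["device_index"] == 0:
            continue  # the management ENI is created by the launch wizard
        eid = ids["eni"][eni["subnet"]]
        cmds.append(f"aws ec2 create-network-interface --subnet-id {ids['subnet'][eni['subnet']]} --groups {ids['sg']} --description '{eni['subnet']} NIC'")
        cmds.append(f"aws ec2 modify-network-interface-attribute --network-interface-id {eid} --no-source-dest-check")
        cmds.append(f"aws ec2 attach-network-interface --network-interface-id {eid} --instance-id {ids['instance']} --device-index {eni['device_index']}")
    # Last step from the video: private default route -> firewall private ENI.
    cmds.append(f"aws ec2 create-route --route-table-id {ids['rtb']['private']} --destination-cidr-block 0.0.0.0/0 --network-interface-id {ids['eni']['private']}")
    return cmds


if __name__ == "__main__":
    print("\n".join(render_cli()))
```

Run it to print the command sequence and substitute the placeholder IDs with the values each create call returns. The ordering is the point: the public table's default route to the IGW can exist before the firewall does, while the private table's default route targets the firewall's private ENI and so is the final step, and the source/destination check is cleared only on the two dataplane ENIs, never on the management one.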
Info
Channel: ElastiCourse
Views: 14,960
Keywords: palo alto, firewall, network, security, deploy, aws firewall, aws cloud, vpc, ec2, securing cloud, cloud security
Id: bMlidOn76Uo
Length: 27min 41sec (1661 seconds)
Published: Thu Apr 30 2020