Launch the Firewall Template

Learn how to launch the VM-Series Auto Scaling template for AWS to integrate a VM-Series auto scaling group with a gateway load balancer (GWLB).
This workflow describes how to deploy the firewall template.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
  1. Modify the init-cfg.txt file and upload it to the /config folder.
    Because you use Panorama to bootstrap the VM-Series firewalls, your init-cfg.txt file should be modified as follows. No bootstrap.xml file is needed.
    Ensure that you use the device group and template names you created above in the init-cfg.txt file.
    type=dhcp-client
    ip-address=
    default-gateway=
    netmask=
    ipv6-address=
    ipv6-default-gateway=
    hostname=
    vm-auth-key=
    panorama-server=
    panorama-server-2=
    tplname=
    dgname=
    dhcp-send-hostname=yes
    dhcp-send-client-id=yes
    dhcp-accept-server-hostname=yes
    dhcp-accept-server-domain=yes
    plugin-op-commands=aws-gwlb-inspect:enable
    
    Your init-cfg.txt file must include plugin-op-commands=aws-gwlb-inspect:enable. This is required when integrating the VM-Series firewall with a GWLB.
    You must add the device certificate auto-registration PIN to the init-cfg.txt file to automatically install a device certificate when your VM-Series firewall instance is deployed.
  2. Add the license auth code in the /license folder of the bootstrap package.
    1. Use a text editor to create a new text file named authcodes (no extension).
    2. Add the authcode for your BYOL licenses to this file, and save. The authcode must represent a bundle, and it must support the number of firewalls that might be required for your deployment. If you use individual authcodes instead of a bundle, the firewall only retrieves the license key for the first authcode in the file.
  3. Upload Lambda code for the firewall template (panw-aws.zip) and the Application template (app.zip) to an S3 bucket. You can use the same S3 bucket that you use for bootstrapping.
    If the Application stack is managed by a different account than the firewall, use the Application account to create another S3 bucket in the same AWS region as the firewall template and copy app.zip to that S3 bucket.
  4. Select the firewall template.
    1. In the AWS Management Console, select CloudFormation > Create Stack.
    2. Upload the latest firewall template from the Git repository; this is the template that deploys the resources for the firewall stack. Click Open and Next.
    3. Specify the Stack name. The stack name allows you to uniquely identify all the resources that are deployed using this template.
  5. Enter a descriptive Name for your stack. The name must be 28 characters or less.
  6. Configure the parameters for the VPC.
    1. Enter the number of availability zones and select the region from the availability zone drop-down.
    2. Look up the AMI ID for the VM-Series firewall and enter it. Make sure that the AMI ID matches the AWS region, PAN-OS version and the BYOL or PAYG licensing option you opted to use. See Get the Amazon Machine Image IDs for more information.
    3. Select the EC2 Key pair (from the drop-down) for launching the firewall. To log in to the firewalls, you must provide the name of this key pair and the private key associated with it.
    4. Select Yes if you want to Enable Debug Log. Enabling the debug log generates more verbose logs that help with troubleshooting issues with the deployment. These logs are generated using the stack name and are saved in AWS CloudWatch.
    By default, the template uses CPU utilization as the scaling parameter for the VM-Series firewalls. Custom PAN-OS metrics are automatically published to the CloudWatch namespace that matches the stack name you specified earlier.
  7. Specify the name of the Amazon S3 bucket(s).
    1. Enter the name of the S3 bucket that contains the bootstrap package.
      If the bootstrap bucket is not set up properly or if you enter the bucket name incorrectly, the bootstrap process fails, and you cannot log in to the firewall. Health checks for the load balancers also fail.
    2. Enter the name of the S3 bucket that contains the panw-aws.zip file. As mentioned earlier, you can use one S3 bucket for both the bootstrap package and the Lambda code.
  8. Specify the keys for enabling API access to the firewall and Panorama.
    1. Enter the key that the firewall must use to authenticate API calls. The default key is based on the sample file and you should only use it for testing and evaluation. For a production deployment, you must create a separate PAN-OS login just for the API call and generate an associated key.
    2. Enter the API Key to allow AWS Lambda to make API calls to Panorama. For a production deployment, you should create a separate login just for the API call and generate an associated key.
  9. Add your AWS account number(s). You must provide the account number used to deploy any VPC that is connected to your GWLB. Add these values as a comma-separated list. You can add additional account numbers after deploying the template.
    To locate your account number, click your AWS username in the top right of the AWS console and select My Security Credentials.
  10. Enter the transit gateway ID. The transit gateway ID is required to secure east-west and outbound traffic. If you do not enter a transit gateway ID, the template assumes that only inbound traffic should be inspected by firewalls integrated with the GWLB.
  11. Enter the CIDR for the security VPC.
  12. Review the template settings and launch the template.
    1. Select I acknowledge that this template might cause AWS CloudFormation to create IAM resources.
    2. Click Create to launch the template. The CREATE_IN_PROGRESS event displays.
    3. On successful deployment the status updates to CREATE_COMPLETE.
  13. Verify that the template has launched all required resources.
  14. Create rules allowing the NAT gateway IP address(es) on the security group where your Panorama appliance is deployed. This is required to allow your firewalls to connect to Panorama. You can find the list of NAT gateway IP addresses in the CFT security stack output.
    1. Access the AWS VPC console.
    2. Select Security Groups on the navigation pane.
    3. Select the security group where Panorama is deployed.
    4. Select Actions > Edit Inbound Rules > Add rule.
    5. Add a Custom TCP Rule for port range 3978 with each NAT gateway IP address as the source.
    6. Click Save rules.
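As an added pre-flight check (example code, not from Palo Alto Networks or this guide), the following script parses the init-cfg.txt and authcodes files of a bootstrap package from steps 1 and 2 and flags the pitfalls those steps describe: a missing aws-gwlb-inspect:enable, empty Panorama fields, two settings fused on one line, and more than one authcode. The sample file contents and the set of fields treated as required are assumptions.

```python
"""Pre-flight check for a VM-Series GWLB bootstrap package (init-cfg.txt + authcodes).
Added example, not Palo Alto Networks code: it flags the mistakes this workflow warns about.
"""

# Assumed required for a Panorama-driven bootstrap (fields the page's init-cfg.txt lists).
REQUIRED_NONEMPTY = ("vm-auth-key", "panorama-server", "tplname", "dgname")

# Constructed sample input, not from a real deployment; note the two fused dhcp lines.
SAMPLE_INIT_CFG = """type=dhcp-client
vm-auth-key=EXAMPLE-VM-AUTH-KEY
panorama-server=10.0.0.10
tplname=gwlb-template
dgname=gwlb-device-group
dhcp-send-hostname=yes
dhcp-accept-server-hostname=yesdhcp-accept-server-domain=yes
plugin-op-commands=aws-gwlb-inspect:enable
"""
SAMPLE_AUTHCODES = "EXAMPLE-BUNDLE-AUTHCODE\n"

def parse_init_cfg(text):
    """Return (settings dict, problems list) for the body of an init-cfg.txt."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not a key=value pair: {line!r}")
            continue
        key, value = line.split("=", 1)
        # A second key=value glued onto a value is silently lost by the firewall.
        if "=" in value:
            problems.append(f"line {lineno}: two settings run together: {line!r}")
        settings[key] = value
    return settings, problems

def check_bootstrap(init_cfg_text, authcodes_text):
    """Return a list of problems; an empty list means the package looks sane."""
    settings, problems = parse_init_cfg(init_cfg_text)
    if settings.get("type") != "dhcp-client":
        problems.append("type must be dhcp-client for the AWS template")
    for key in REQUIRED_NONEMPTY:
        if not settings.get(key):
            problems.append(f"{key} is empty; Panorama cannot adopt the firewall")
    ops = settings.get("plugin-op-commands", "").split(",")
    if "aws-gwlb-inspect:enable" not in ops:
        problems.append("plugin-op-commands must include aws-gwlb-inspect:enable")
    if len(authcodes_text.split()) != 1:
        problems.append("authcodes must hold one bundle authcode; only the first is read")
    return problems
```

Run check_bootstrap on the real files before uploading them to the bootstrap bucket; a non-empty result is cheaper to fix here than after the auto scaling group has launched firewalls that cannot reach Panorama.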