VM-Series Integration with AWS Cloud WAN
Integrate VM-Series Firewall with AWS Cloud WAN.
AWS Cloud WAN is a managed wide area networking (WAN) service that enables you
to build a unified network that interconnects cloud and on-premises environments. It
provides a centralized dashboard to connect on-premises, branch offices, data centers,
and Amazon VPCs across the AWS global network and even other cloud providers.
Deploying Cloud WAN lets you employ next-generation firewalls (NGFW) and intrusion
prevention systems (IPS) to inspect network traffic as part of a defense-in-depth
strategy. This is often done using a separate, centralized security VPC where
security appliances are set up, with traffic routed in and out through Cloud WAN. Having
a separate security VPC provides a simplified and centralized way to manage security
inspection.
Cloud WAN helps with connectivity within AWS through AWS Network Manager, an interface
which centrally manages your global network. A global network is a single private
network that acts as the root-level container for your network objects and can contain
both transit gateways and a Core Network. The core network consists of network policies,
attachments such as VPCs, and transit gateway route tables.
Cloud WAN maps VPCs to segments and to the regional connection point for your
attachments, as defined in the policy. You can define policies that redirect traffic
between the same or different segments so that a firewall inspects it.
You can use Cloud WAN services to:
- Deploy a security VPC behind GWLB in a security segment and redirect traffic arriving from cloud attachments to the VPC before forwarding it to the destination.
- Collect logs and manage activities such as autoscaling, tag collection, and so on, in Panorama-managed firewalls.
- Filter and inspect north-south traffic to and from the internet.
- Inspect traffic for inter-VPC communication.
AWS Cloud WAN can be deployed using two methods:
- Federating Transit Gateways with Cloud WAN – In this method, you replace statically created transit gateway peering connections with Cloud WAN. To federate transit gateways with Cloud WAN, register the transit gateways using AWS Network Manager, create peering between the transit gateways, create attachments to the transit gateways, and then apply the Cloud WAN configuration.
- Cloud WAN only – In this method, Cloud WAN is used for all connectivity and transit gateways are removed.
Considerations before deploying AWS Cloud WAN:
- Peering between transit gateways and Cloud WAN is supported in the same region, and not across regions.
- Cloud WAN does not support native integration with AWS Direct Connect.
- For use cases that require AWS site-to-site VPN connections over Direct Connect using private IP addresses, ensure that you connect Cloud WAN with a transit gateway.
- While deploying Cloud WAN along with transit gateways, ensure that the transit gateway ASN is different from the ASN used for Cloud WAN's core network edges.
- While creating the core network, ensure that you add all the regions your VPCs are configured in to the Edge locations section under core network policy settings. You will also need to create segments and add the type of segment (Dev, Prod, Management or Security) that these regions belong to, under segment name.
Use Cases
You can use Cloud WAN to route traffic between:
- VPCs in the same segment and in the same region (isolated attachments).
- VPCs in different segments of the same region.
- VPCs in the same segment across different regions (isolated attachments).
- VPCs in different segments across different regions.
Deploy the AWS Cloud WAN
Let us consider a use case where VPCs are in the same segment and in the
same region (isolated attachments). To configure this setup, deploy the VM-Series
firewall behind a GWLB similar to VM-Series integration with an AWS Gateway Load
Balancer. You can deploy the VM-Series firewall behind the GWLB
in a security VPC, which is directly connected to a Cloud WAN or through a transit
gateway with a Cloud WAN attachment.
To migrate completely off the transit gateway, you must
connect your VPCs directly to the Cloud WAN.
Egress traffic from the Production VPC is routed to the Cloud WAN, which is
then routed to the Security VPC for inspection and sent out through NAT gateway and
internal gateway. In the reverse direction, traffic from the Security VPC reaches
the Security segment and then based on the routing configuration, is sent to the VPC
attachment.
To inspect traffic between VPCs in the same segment and same region with an AWS Cloud
WAN (only) deployment, execute the following tasks:
- Log in to AWS Network Manager and create a global network.
- Create a core network and core network policy. Use the AWS Cloud WAN console to create a core network policy version following these tasks:
  - Configure the network settings.
  - To edit a policy version, click Policy versions, select the required policy, and click Edit. Make the necessary changes and click Create Policy.
  - After the change set state of the policy version changes to Ready to execute, execute the policy by clicking View or apply change set. Alternatively, click Compare policy version to view the JSON document.
  - While configuring policy versions, ensure that you add the applications, APP VPC 1 (10.1.0.0/16) and APP VPC 2 (10.2.0.0/16), in the Prod segment, and the firewall and Security VPC (100.64.0.0/16) in the security segment.
  - You may choose to add tags such as Prod Segment (value) to the Segment (key). These tags are reflected only after you add the segments in the Cloud WAN.
- Create an attachment.
  - Use VPC or transit gateway route table as the attachment type while creating an attachment.
  - To ensure that the VM-Series firewall can inspect traffic that is routed between VPC attachments, you must enable appliance mode on the VPC attachment for the security VPC containing the VM-Series firewall.
- Update VPC route tables. Now that the necessary Cloud WAN constructs are in place, the VPCs need to be adjusted to facilitate packet forwarding towards the core network. The application and firewall instances or the respective VPCs need to be tagged to match the segment. Add specific tags to the attachment to match the attachment created during Create policy attachments of step 2.
  To enable communication between attachment VPCs and the core network, update the VPC route
  tables from the existing target transit gateway route to the
  corresponding Core Network ARN.
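
A pre-deployment check for the considerations and tasks above, as an added example that is not part of the original documentation: it lints a core network policy and an attachment inventory for an ASN shared with a transit gateway, a VPC region missing from the edge locations, tags that match no attachment policy rule, and appliance mode left off on the security VPC attachment. The regions, ASNs, inventory layout and function names are constructed for illustration, and rule matching is simplified to tag-value equality.

```python
# Trimmed core network policy and attachment inventory, both constructed for this
# example. Regions, ASNs and the inventory layout are placeholders, not page values.
POLICY = {
    "version": "2021.12",
    "core-network-configuration": {
        "asn-ranges": ["64512-64555"],
        "edge-locations": [{"location": "us-east-1", "asn": 64512}],
    },
    "segments": [{"name": "Prod", "isolate-attachments": True}, {"name": "Security"}],
    "attachment-policies": [
        {"rule-number": 100, "condition-logic": "or",
         "conditions": [{"type": "tag-value", "operator": "equals",
                         "key": "Segment", "value": "Prod Segment"}],
         "action": {"association-method": "constant", "segment": "Prod"}},
        {"rule-number": 200, "condition-logic": "or",
         "conditions": [{"type": "tag-value", "operator": "equals",
                         "key": "Segment", "value": "Security Segment"}],
         "action": {"association-method": "constant", "segment": "Security"}},
    ],
}
ATTACHMENTS = [
    {"name": "APP VPC 1", "region": "us-east-1", "tags": {"Segment": "Prod Segment"}, "appliance_mode": False},
    {"name": "APP VPC 2", "region": "us-west-2", "tags": {"Segment": "Prod Segment"}, "appliance_mode": False},
    {"name": "Security VPC", "region": "us-east-1", "tags": {"Segment": "Security Segment"}, "appliance_mode": False},
]
TRANSIT_GATEWAY_ASNS = {64512}

def segment_for(policy, tags):
    """Segment of the lowest-numbered rule whose tag-value 'equals' condition matches."""
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        if any(c["type"] == "tag-value" and c["operator"] == "equals"
               and tags.get(c["key"]) == c["value"] for c in rule["conditions"]):
            return rule["action"]["segment"]
    return None

def findings(policy, attachments, tgw_asns, firewall_segment="Security"):
    """Return the considerations above that this policy and inventory violate."""
    edges = policy["core-network-configuration"]["edge-locations"]
    out = [f"edge {e['location']}: ASN {e['asn']} is also a transit gateway ASN"
           for e in edges if e.get("asn") in tgw_asns]
    for a in attachments:
        segment = segment_for(policy, a["tags"])
        if a["region"] not in {e["location"] for e in edges}:
            out.append(f"{a['name']}: region {a['region']} is not an edge location")
        if segment is None:
            out.append(f"{a['name']}: tags match no attachment policy rule")
        elif segment == firewall_segment and not a["appliance_mode"]:
            out.append(f"{a['name']}: appliance mode is off on the firewall attachment")
    return out
```

With the constructed inventory, `findings(POLICY, ATTACHMENTS, TRANSIT_GATEWAY_ASNS)` reports three problems: the shared ASN, the APP VPC 2 region, and appliance mode on the Security VPC attachment.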
Packet Walkthrough
The following steps describe a packet walkthrough when an EC2 instance in
Application VPC 1 communicates with an EC2 instance in Application VPC 2:
- When a client in APP VPC 1 (10.1.0.0/16) starts a connection to a server in APP VPC 2 (10.2.0.0/16), it does a VPC (App Subnet) route table lookup. The packet matches the default route entry with the Core Network ARN as the target and the packet gets routed to the Core Network.
- When the packet arrives at the core network, it does a Prod Segment Route Table lookup because APP VPC 1 is associated with the Prod Segment. The packet matches the default entry with Security attachment as the target and the packet gets routed to the Security VPC.
- When the packet arrives at the Security VPC (100.64.0.0/16) attachment, it does a VPC (CWAN Subnet) route table lookup. The packet matches the default route with firewall endpoint 1 as the target and the packet gets routed to a firewall, through the firewall's endpoint, for inspection.
- The firewall inspects the traffic, compares it to its security policy, and allows it through. The firewall routes the packet back to the firewall's endpoint, where it does a VPC (Firewall Subnet) route table lookup. The packet matches the default route entry with the Core Network ARN as the target, and the packet gets routed to the Core Network.
- When the packet arrives at the core network, it does a Shared Security Route Table lookup because the Security VPC is associated with the Security Segment. The packet matches the APP VPC 2 CIDR (10.2.0.0/16) entry with APP VPC 2 Attachment as the target and the packet gets routed to APP VPC 2.
- When the packet arrives at APP VPC 2, it does a VPC (CWAN Subnet) route table lookup. The packet matches the VPC CIDR entry with local as the target and the packet gets routed to the instance.
Return traffic traces the same path in the opposite direction.
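
The walkthrough above as a longest-prefix-match simulation, added here as an example that is not part of the original documentation: it replays the six lookups and shows how one more-specific route in the Prod segment would carry the same packet past the firewall. The tuple layout, the destination host 10.2.0.25 and the misconfigured variant are constructed, and the firewall is assumed to allow the flow.

```python
from ipaddress import ip_address, ip_network

# Route tables from the walkthrough: table -> [(destination CIDR, target, next table)].
# Table names follow the page; the tuple layout is constructed for this example.
WALKTHROUGH = {
    "APP VPC 1 (App Subnet)": [
        ("10.1.0.0/16", "local", None),
        ("0.0.0.0/0", "Core Network ARN", "Prod Segment")],
    "Prod Segment": [
        ("0.0.0.0/0", "Security attachment", "Security VPC (CWAN Subnet)")],
    "Security VPC (CWAN Subnet)": [
        ("0.0.0.0/0", "firewall endpoint 1", "Security VPC (Firewall Subnet)")],
    "Security VPC (Firewall Subnet)": [
        ("0.0.0.0/0", "Core Network ARN", "Shared Security")],
    "Shared Security": [
        ("10.2.0.0/16", "APP VPC 2 Attachment", "APP VPC 2 (CWAN Subnet)")],
    "APP VPC 2 (CWAN Subnet)": [
        ("10.2.0.0/16", "local", None)],
}

def trace(tables, start, dst):
    """Follow longest-prefix-match lookups from `start`; return [(table, cidr, target)]."""
    hops, table = [], start
    while table is not None:
        if len(hops) >= 16:
            raise RuntimeError("routing loop")
        matches = [r for r in tables[table] if ip_address(dst) in ip_network(r[0])]
        if not matches:
            raise LookupError(f"{table}: no route to {dst}")
        cidr, target, nxt = max(matches, key=lambda r: ip_network(r[0]).prefixlen)
        hops.append((table, cidr, target))
        table = nxt
    return hops

def is_inspected(hops):
    """True only if one of the lookups handed the packet to a firewall endpoint."""
    return any(target.startswith("firewall endpoint") for _, _, target in hops)

def with_direct_prod_route(tables):
    """Constructed misconfiguration: the Prod segment holds APP VPC 2's CIDR directly."""
    bad = dict(tables)
    bad["Prod Segment"] = tables["Prod Segment"] + [
        ("10.2.0.0/16", "APP VPC 2 Attachment", "APP VPC 2 (CWAN Subnet)")]
    return bad

if __name__ == "__main__":
    for name, tables in (("walkthrough", WALKTHROUGH),
                         ("direct route", with_direct_prod_route(WALKTHROUGH))):
        hops = trace(tables, "APP VPC 1 (App Subnet)", "10.2.0.25")
        print(name, "inspected" if is_inspected(hops) else "bypasses the firewall")
```

Because the /16 entry wins over the default route, the second trace reaches APP VPC 2 in three lookups without touching a firewall endpoint, which is why the Prod segment should hold only the default route toward the Security attachment.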