Manually Integrate the VM-Series with a Gateway Load Balancer
Complete the following procedure to manually integrate your VM-Series firewall on AWS with a GWLB. If you associate VPC endpoints with an interface or subinterfaces via user data while bootstrapping, and your bootstrap.xml file does not include the interface configuration, you can configure the interfaces after the firewall boots up.
- Set up the security VPC. See the AWS documentation for more information about creating your security VPC.
- Create two subnets, one for management and one for data.
- Create two security groups, one for firewall management and one for data.
- The management security group should allow HTTPS and SSH for management access.
- Ensure that the security group attached to the data interface allows GENEVE-encapsulated packets (UDP port 6081) from the GWLB.
- If your deployment includes a transit gateway and traffic that will move between VPCs, you must enable appliance mode on the security VPC attachment so that both directions of a flow reach the same firewall.
The target group of the GWLB cannot use HTTP for health checks because the VM-Series firewall does not allow access with an unsecured protocol. Instead, use another protocol such as HTTPS or TCP.
- Launch the VM-Series firewall.
- On the EC2 Dashboard, click Launch Instance.
- Select the Palo Alto VM-Series AMI. To get the AMI, see Obtain the AMI.
- Launch the VM-Series firewall on an EC2 instance.
- Choose the EC2 instance type that allocates the resources required for the firewall, and click Next. See VM-Series System Requirements for resource requirements.
- Select the security VPC.
- Select the data subnet to attach to eth0.
- Add another network interface for eth1 to act as the management interface after the interface swap. Swapping interfaces requires a minimum of two ENIs (eth0 and eth1).
- Expand the Network Interfaces section and click Add Device to add another network interface, and assign the management subnet to this interface. Make sure that your VPC has more than one subnet so that you can add additional ENIs at launch. If you launch the firewall with only one ENI:
- The interface swap command causes the firewall to boot into maintenance mode.
- You must reboot the firewall after you add the second ENI.
- Expand the Advanced Details section and, in the User data field, enter the following as text (one key=value pair per line) to perform the interface swap and enable GWLB inspection during launch:
mgmt-interface-swap=enable
plugin-op-commands=aws-gwlb-inspect:enable
If you set the target type to the IP address of a specific interface on the VM-Series firewall, you do not need to enable management interface swap.
- Accept the default Storage settings. The firewall uses volume type SSD (gp2).
- If prompted, select an appropriate SSD option for your setup.
- (Optional) Tagging. Add one or more tags to create your own metadata to identify and group the VM-Series firewall. For example, add a Name tag with a Value that helps you remember that the ENI interfaces have been swapped on this VM-Series firewall.
- Select the data security group for eth0 (data interface). Enable traffic on UDP port 6081. If you enable health checks to the firewall, you cannot use HTTP. Instead, use another protocol such as HTTPS or TCP.
- Select Review and Launch. Review that your selections are accurate and click Launch.
- Select an existing key pair or create a new one, and acknowledge the key disclaimer. This key pair is required for first-time access to the firewall. It is also required to access the firewall in maintenance mode.
- Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key if it is lost. It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2 Dashboard. When the process completes, the VM-Series firewall displays on the Instances page of the EC2 Dashboard.
- Attach the management security group to eth1 (management interface). Allow SSH and HTTPS, restricted to the addresses you administer from. See the AWS documentation for more information.
- Create and assign an Elastic IP address (EIP) to the ENI used for management access (eth1) to the firewall.
- Select Elastic IPs and click Allocate New Address.
- Select EC2-VPC and click Yes, Allocate.
- Select the newly allocated EIP and click Associate Address.
- Select the Network Interface and the Private IP address associated with the management interface and click Yes, Associate.
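The AWS-side steps above (security groups, a two-ENI launch carrying the interface-swap user data, the EIP on the management ENI, and a GENEVE target group whose health check is not HTTP) scripted with the AWS CLI, as an added example; it is not from this page or from Palo Alto Networks. Every ID, CIDR, name and the instance type is a placeholder assumption, and nothing is executed unless DEPLOY=1 is set. The target-group and register-targets calls and the TCP/443 rule on the data security group go slightly beyond the console steps, which only state the health-check constraint; the probes arrive from the GWLB's ENIs in the data subnet, so that subnet is the allowed source.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks page): AWS CLI equivalent of the
# console steps. All IDs/CIDRs/names are placeholders; override them in the environment.
# Requires the aws CLI with EC2 and ELBv2 permissions. Run: DEPLOY=1 sh vmseries-gwlb.sh
: "${VPC_ID:=vpc-0123456789abcdef0}"
: "${DATA_SUBNET:=subnet-0aaaaaaaaaaaaaaa0}"   # GWLB endpoints and eth0 live here
: "${DATA_SUBNET_CIDR:=10.0.1.0/24}"
: "${MGMT_SUBNET:=subnet-0bbbbbbbbbbbbbbb0}"   # eth1, management after the swap
: "${ADMIN_CIDR:=203.0.113.10/32}"            # where you administer the firewall from
: "${AMI_ID:=ami-0123456789abcdef0}"          # VM-Series AMI (see Obtain the AMI)
: "${INSTANCE_TYPE:=m5.xlarge}"
: "${KEY_NAME:=vmseries-key}"
: "${HC_PROTO:=TCP}"                          # target group health check: HTTPS or TCP
: "${TGW_ATTACHMENT:=}"                       # set when traffic crosses a transit gateway

# User data for the launch, one key=value pair per line. The swap is required when the
# target group targets the instance (eth0); with target type "ip" it is optional.
build_user_data() {
    if [ "$1" = "instance" ]; then printf 'mgmt-interface-swap=enable\n'; fi
    printf 'plugin-op-commands=aws-gwlb-inspect:enable\n'
}

# The firewall refuses unencrypted management access, so HTTP health checks never pass.
health_check_ok() {
    case "$1" in HTTPS|TCP) return 0 ;; *) return 1 ;; esac
}

# Two ENIs at launch: eth0 on the data subnet, eth1 on the management subnet.
# With a single ENI the swap drops the firewall into maintenance mode.
eni_spec() {
    printf '[{"DeviceIndex":0,"SubnetId":"%s","Groups":["%s"]},{"DeviceIndex":1,"SubnetId":"%s","Groups":["%s"]}]' \
        "$DATA_SUBNET" "$1" "$MGMT_SUBNET" "$2"
}

deploy() {
    if ! health_check_ok "$HC_PROTO"; then
        echo "health check protocol $HC_PROTO is not accepted by the firewall" >&2
        return 1
    fi
    data_sg=$(aws ec2 create-security-group --vpc-id "$VPC_ID" --group-name vmseries-data \
              --description "VM-Series GWLB data" --query GroupId --output text)
    mgmt_sg=$(aws ec2 create-security-group --vpc-id "$VPC_ID" --group-name vmseries-mgmt \
              --description "VM-Series management" --query GroupId --output text)
    # GENEVE from the GWLB and its health-check probes, both sourced from the data subnet
    aws ec2 authorize-security-group-ingress --group-id "$data_sg" --protocol udp --port 6081 --cidr "$DATA_SUBNET_CIDR"
    aws ec2 authorize-security-group-ingress --group-id "$data_sg" --protocol tcp --port 443 --cidr "$DATA_SUBNET_CIDR"
    # Management: HTTPS and SSH from the admin range only
    aws ec2 authorize-security-group-ingress --group-id "$mgmt_sg" --protocol tcp --port 443 --cidr "$ADMIN_CIDR"
    aws ec2 authorize-security-group-ingress --group-id "$mgmt_sg" --protocol tcp --port 22 --cidr "$ADMIN_CIDR"

    iid=$(aws ec2 run-instances --image-id "$AMI_ID" --instance-type "$INSTANCE_TYPE" --key-name "$KEY_NAME" \
          --network-interfaces "$(eni_spec "$data_sg" "$mgmt_sg")" \
          --user-data "$(build_user_data instance)" \
          --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=vmseries-gwlb-swapped}]' \
          --query 'Instances[0].InstanceId' --output text)
    aws ec2 wait instance-running --instance-ids "$iid"

    # EIP on the ENI that becomes the management interface (device index 1)
    mgmt_eni=$(aws ec2 describe-instances --instance-ids "$iid" \
               --query 'Reservations[0].Instances[0].NetworkInterfaces[?Attachment.DeviceIndex==`1`].NetworkInterfaceId' \
               --output text)
    alloc=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
    aws ec2 associate-address --allocation-id "$alloc" --network-interface-id "$mgmt_eni"

    # GENEVE target group; the health check talks to the firewall's dataplane ENI on 443
    tg=$(aws elbv2 create-target-group --name vmseries-gwlb-tg --protocol GENEVE --port 6081 \
         --vpc-id "$VPC_ID" --target-type instance --health-check-protocol "$HC_PROTO" \
         --health-check-port 443 --query 'TargetGroups[0].TargetGroupArn' --output text)
    aws elbv2 register-targets --target-group-arn "$tg" --targets "Id=$iid"

    # Flows that cross a transit gateway must stay symmetric: appliance mode on the attachment
    if [ -n "$TGW_ATTACHMENT" ]; then
        aws ec2 modify-transit-gateway-vpc-attachment \
            --transit-gateway-attachment-id "$TGW_ATTACHMENT" --options ApplianceModeSupport=enable
    fi
    echo "instance $iid registered in $tg"
}

if [ "${DEPLOY:-0}" = "1" ]; then deploy; fi
```

After the instance is running, continue with the password step below over SSH to the EIP; the GWLB itself and the VPC endpoints in the application VPCs are created separately, as in the AWS documentation referenced above.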
- Configure a new administrative password for the firewall. On the VM-Series firewall CLI, you must configure a unique administrative password before you can access the web interface of the firewall. To log in to the CLI, you require the private key that you used to launch the firewall.
- Use the EIP to SSH into the command line interface (CLI) of the VM-Series firewall. You need the private key that you used or created above and the user name admin to access the CLI. If you are using PuTTY for SSH access, you must convert the .pem format to .ppk format. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
- Enter the following command to log in to the firewall:
ssh -i <private_key.pem> admin@<public-ip_address>
- Configure a new password using the following commands and follow the onscreen prompts:
configure
set mgt-config users admin password
- If you have a BYOL license that needs to be activated, set the DNS server IP address so that the firewall can access the Palo Alto Networks licensing server. Enter the following command to set the DNS server IP address:
set deviceconfig system dns-setting servers primary <ip_address>
- Commit your changes with the command:
commit
- Terminate the SSH session.
- Configure the dataplane network interface as a Layer 3 interface on the firewall. Traffic reaches this interface GENEVE-encapsulated from the GWLB; the application subnets' route tables send traffic to the GWLB endpoints rather than directly to the firewall.
- Using a secure connection (HTTPS) from your web browser, log in using the EIP address and the password you assigned during initial configuration (https://<Elastic_IP address>). You will see a certificate warning because the firewall's default certificate is self-signed; that is expected. Continue to the web page.
- Select Network > Interfaces > Ethernet.
- Click the link for ethernet1/1 and configure it as follows:
- Interface Type: Layer3
- On the Config tab, assign the interface to the default virtual router.
- On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, leave the remaining fields at their default values, and then click OK.
- On the IPv4 tab, select DHCP Client; the private IP address that you assigned to the ENI in the AWS management console is acquired automatically.
- On the Advanced tab, create an Interface Management profile that permits the service your GWLB health check uses (HTTPS, or the TCP port you configured; not HTTP, which the firewall does not accept), restrict its permitted IP addresses to the GWLB's data subnet, and attach it to the interface so that the health check probes from the GWLB are answered.
- (Optional) On the IPv6 tab, select Enable IPv6 on this Interface and select DHCPv6 Client. The VM-Series for AWS behind a GWLB supports IPv6 only as part of AWS dual-stack, meaning that clients communicate with the load balancer using both IPv4 and IPv6 addresses. IPv6-only is not supported on the AWS GWLB. See the AWS documentation for more information. Additionally, you must create a security policy that allows IPv6 traffic.
- Click Commit. Verify that the link state for the interface is up.
- Create security policies to allow or deny traffic. Because the VM-Series treats traffic as intrazone when integrated with a GWLB (inspected flows enter and leave through the same zone), the default intrazone rule allows all traffic. It is a best practice to override the default intrazone rule with a deny action, with logging enabled, for traffic that does not match any of your other security policy rules.
- Select Policies > Security on the web interface of the firewall.
- Click Add and specify the security zones, applications, and logging options that restrict and audit traffic traversing the network.
- Commit the changes on the firewall.
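The firewall-side steps (Layer 3 dataplane interface with DHCP, zone, management profile for the health check, and the intrazone-default override) expressed as PAN-OS configure-mode set commands, an added example rather than content from the page or from Palo Alto Networks. The zone name, profile name and probe CIDR are assumptions, and the allow rule for web-browsing and ssl is illustrative; the shell wrapper only prints the commands for pasting into a CLI session.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks page): PAN-OS configure-mode commands
# equivalent to the web-interface steps. Paste the output into a CLI session
# (ssh -i <private_key.pem> admin@<EIP>, then "configure"). Zone and profile names and
# the probe CIDR are assumptions. Usage: sh panos-gwlb.sh <zone> <probe-cidr>

# $1 = security zone for ethernet1/1
# $2 = CIDR the GWLB health-check probes arrive from (the data subnet)
panos_gwlb_config() {
    zone="$1"; probe_cidr="$2"
    if [ -z "$zone" ] || [ -z "$probe_cidr" ]; then
        echo "usage: panos_gwlb_config <zone> <probe-cidr>" >&2
        return 1
    fi
    emit() { printf '%s\n' "$1"; }

    # ethernet1/1: Layer 3, address from DHCP (the ENI's private IP), default virtual
    # router, and one zone; GWLB traffic enters and leaves through this zone
    emit "set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes"
    emit "set network virtual-router default interface ethernet1/1"
    emit "set zone $zone network layer3 ethernet1/1"

    # Management profile answering the GWLB probes: HTTPS only (the firewall refuses
    # HTTP), restricted to the probe source so the dataplane does not expose the web UI
    emit "set network profiles interface-management-profile gwlb-health https yes"
    emit "set network profiles interface-management-profile gwlb-health permitted-ip $probe_cidr"
    emit "set network interface ethernet ethernet1/1 layer3 interface-management-profile gwlb-health"

    # Inspected flows are intrazone, so rules go from $zone to $zone (illustrative rule)
    emit "set rulebase security rules allow-web from $zone to $zone source any destination any application [ web-browsing ssl ] service application-default action allow log-end yes"
    # Override the built-in intrazone-default (allow) so unmatched traffic is denied and logged
    emit "set rulebase default-security-rules rules intrazone-default action deny log-end yes"
    emit "commit"
}

if [ "$#" -ge 2 ]; then panos_gwlb_config "$1" "$2"; fi
```

The permitted-ip restriction matters because attaching a management profile to a dataplane interface otherwise exposes the firewall's web service to anything that can reach ethernet1/1; limiting it to the data subnet keeps it to the GWLB's health-check source.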