Launch the VM-Series Firewall on AWS Outpost
Table of Contents
Expand all | Collapse all
-
- VM-Series Deployments
- VM-Series in High Availability
- Enable Jumbo Frames on the VM-Series Firewall
- Hypervisor Assigned MAC Addresses
- Custom PAN-OS Metrics Published for Monitoring
- Interface Used for Accessing External Services on the VM-Series Firewall
- PacketMMAP and DPDK Driver Support
-
- VM-Series Firewall Licensing
- Create a Support Account
- Serial Number and CPU ID Format for the VM-Series Firewall
-
- Activate Credits
- Transfer Credits
- Create a Deployment Profile
- Manage a Deployment Profile
- Provision Panorama
- Migrate Panorama to a Software NGFW License
- Renew Your Software NGFW Credits
- Amend and Extend a Credit Pool
- Deactivate License (Software NGFW Credits)
- Delicense Ungracefully Terminated Firewalls
- Create and Apply a Subscription-Only Auth Code
- Migrate to a Flexible VM-Series License
-
- Generate Your OAuth Client Credentials
- Manage Deployment Profiles Using the Licensing API
- Create a Deployment Profile Using the Licensing API
- Update a Deployment Profile Using the Licensing API
- Get Serial Numbers Associated with an Authcode Using the API
- Deactivate a VM-Series Firewall Using the API
- Use Panorama-Based Software Firewall License Management
- What Happens When Licenses Expire?
- Install a Device Certificate on the VM-Series Firewall
-
- Supported Deployments on VMware vSphere Hypervisor (ESXi)
-
- Plan the Interfaces for the VM-Series for ESXi
- Provision the VM-Series Firewall on an ESXi Server
- Perform Initial Configuration on the VM-Series on ESXi
- Add Additional Disk Space to the VM-Series Firewall
- Use VMware Tools on the VM-Series Firewall on ESXi and vCloud Air
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Use the VM-Series CLI to Swap the Management Interface on ESXi
-
-
- VM-Series Firewall for NSX-V Deployment Checklist
- Install the VMware NSX Plugin
- Apply Security Policies to the VM-Series Firewall
- Steer Traffic from Guests that are not Running VMware Tools
- Add a New Host to Your NSX-V Deployment
- Dynamically Quarantine Infected Guests
- Migrate Operations-Centric Configuration to Security-Centric Configuration
- Use Case: Shared Compute Infrastructure and Shared Security Policies
- Use Case: Shared Security Policies on Dedicated Compute Infrastructure
- Dynamic Address Groups—Information Relay from NSX-V Manager to Panorama
-
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (North-South)
- Components of the VM-Series Firewall on NSX-T (North-South)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Deploy the VM-Series Firewall
- Direct Traffic to the VM-Series Firewall
- Apply Security Policy to the VM-Series Firewall on NSX-T
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
-
- Components of the VM-Series Firewall on NSX-T (East-West)
- VM-Series Firewall on NSX-T (East-West) Integration
- Supported Deployments of the VM-Series Firewall on VMware NSX-T (East-West)
-
- Install the Panorama Plugin for VMware NSX
- Enable Communication Between NSX-T Manager and Panorama
- Create Template Stacks and Device Groups on Panorama
- Configure the Service Definition on Panorama
- Launch the VM-Series Firewall on NSX-T (East-West)
- Add a Service Chain
- Direct Traffic to the VM-Series Firewall
- Apply Security Policies to the VM-Series Firewall on NSX-T (East-West)
- Use vMotion to Move the VM-Series Firewall Between Hosts
- Extend Security Policy from NSX-V to NSX-T
- Use Migration Coordinator to Move Your VM-Series from NSX-V to NSX-T
-
-
- Deployments Supported on AWS
-
- Planning Worksheet for the VM-Series in the AWS VPC
- Launch the VM-Series Firewall on AWS
- Launch the VM-Series Firewall on AWS Outpost
- Create a Custom Amazon Machine Image (AMI)
- Encrypt EBS Volume for the VM-Series Firewall on AWS
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable CloudWatch Monitoring on the VM-Series Firewall
- VM-Series Firewall Startup and Health Logs on AWS
- Use Case: Secure the EC2 Instances in the AWS Cloud
- Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
-
-
- What Components Does the VM-Series Auto Scaling Template for AWS (v2.0) Leverage?
- How Does the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1) Enable Dynamic Scaling?
- Plan the VM-Series Auto Scaling Template for AWS (v2.0 and v2.1)
- Customize the Firewall Template Before Launch (v2.0 and v2.1)
- Launch the VM-Series Auto Scaling Template for AWS (v2.0)
- SQS Messaging Between the Application Template and Firewall Template
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.0)
- Modify Administrative Account and Update Stack (v2.0)
-
- Launch the Firewall Template (v2.1)
- Launch the Application Template (v2.1)
- Create a Custom Amazon Machine Image (v2.1)
- VM-Series Auto Scaling Template Cleanup (v2.1)
- SQS Messaging Between the Application Template and Firewall Template (v2.1)
- Stack Update with VM-Series Auto Scaling Template for AWS (v2.1)
- Modify Administrative Account (v2.1)
- Change Scaling Parameters and CloudWatch Metrics (v2.1)
-
-
- Enable the Use of a SCSI Controller
- Verify PCI-ID for Ordering of Network Interfaces on the VM-Series Firewall
-
- Deployments Supported on Azure
- Deploy the VM-Series Firewall from the Azure Marketplace (Solution Template)
- Deploy the VM-Series Firewall from the Azure China Marketplace (Solution Template)
- Deploy the VM-Series Firewall on Azure Stack
- Enable Azure Application Insights on the VM-Series Firewall
- Set up Active/Passive HA on Azure
- Use the ARM Template to Deploy the VM-Series Firewall
-
- About the VM-Series Firewall on Google Cloud Platform
- Supported Deployments on Google Cloud Platform
- Create a Custom VM-Series Firewall Image for Google Cloud Platform
- Prepare to Set Up VM-Series Firewalls on Google Public Cloud
-
- Deploy the VM-Series Firewall from Google Cloud Platform Marketplace
- Management Interface Swap for Google Cloud Platform Load Balancing
- Use the VM-Series Firewall CLI to Swap the Management Interface
- Enable Google Stackdriver Monitoring on the VM Series Firewall
- Enable VM Monitoring to Track VM Changes on GCP
- Use Dynamic Address Groups to Secure Instances Within the VPC
- Locate VM-Series Firewall Images in the GCP Marketplace
-
- Prepare Your ACI Environment for Integration
-
-
- Create a Virtual Router and Security Zone
- Configure the Network Interfaces
- Configure a Static Default Route
- Create Address Objects for the EPGs
- Create Security Policy Rules
- Create a VLAN Pool and Domain
- Configure an Interface Policy for LLDP and LACP for East-West Traffic
- Establish the Connection Between the Firewall and ACI Fabric
- Create a VRF and Bridge Domain
- Create an L4-L7 Device
- Create a Policy-Based Redirect
- Create and Apply a Service Graph Template
-
- Create a VLAN Pool and External Routed Domain
- Configure an Interface Policy for LLDP and LACP for North-South Traffic
- Create an External Routed Network
- Configure Subnets to Advertise to the External Firewall
- Create an Outbound Contract
- Create an Inbound Web Contract
- Apply Outbound and Inbound Contracts to the EPGs
- Create a Virtual Router and Security Zone for North-South Traffic
- Configure the Network Interfaces
- Configure Route Redistribution and OSPF
- Configure NAT for External Connections
-
-
- Choose a Bootstrap Method
- VM-Series Firewall Bootstrap Workflow
- Bootstrap Package
- Bootstrap Configuration Files
- Generate the VM Auth Key on Panorama
- Create the bootstrap.xml File
- Prepare the Licenses for Bootstrapping
- Prepare the Bootstrap Package
- Bootstrap the VM-Series Firewall on AWS
- Bootstrap the VM-Series Firewall on Azure
- Bootstrap the VM-Series Firewall on Google Cloud Platform
- Verify Bootstrap Completion
- Bootstrap Errors
End-of-Life (EoL)
Launch the VM-Series Firewall on AWS Outpost
Follow this procedure to deploy the VM-Series
firewall on an AWS Ouptost rack. If you have not already registered
the capacity authcode that you received with the order fulfillment
email, with your support account, see Register
the VM-Series Firewall.
- Access the AWS Outposts Console.
- Extend your VPC to include your AWS Outpost rack.The VM-Series firewall must be able to receive traffic from the EC2 instances and perform inbound and outbound communication between the VPC and the internet.Refer to the AWS Outpost documentation for instructions on connecting your Outpost to your VPC.
- Verify that the network and security components
are defined suitably.
- Enable communication to the internet. The Outpost requires a local gateway to connect to your local LAN and the internet.
- Create an Outpost subnet.
- Create security groups as needed to manage inbound and outbound traffic from the EC2 instances/subnets.
- Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
- If you want to deploy a pair of VM-Series firewalls in HA, you must define IAM Roles for HA before you can Configure Active/Passive HA on AWS.
- (Optional) If you are using bootstrapping to perform the configuration of your VM-Series firewall, refer to Bootstrap the VM-Series Firewall on AWS. For more information about bootstrapping, see Bootstrap the VM-Series Firewall.
- Verify that the network and security components
are defined suitably.
- Launch
the VM-Series firewall.Although you can add additional network interfaces (ENIs) to the VM-Series firewall when you launch, AWS releases the auto-assigned Public IP address for the management interface when you restart the firewall. Hence, to ensure connectivity to the management interface you must assign an Elastic IP address for the management interface, before attaching additional interfaces to the firewall.If you want to conserve EIP addresses, you can assign one EIP address to the eth 1/1 interface and use this interface for both management traffic and data traffic. To restrict services permitted on the interface or limit IP addresses that can log in the eth 1/1 interface, attach a management profile to the interface.
- On the EC2 Dashboard, click Launch Instance.
- Select the VM-Series AMI. To get the AMI, see Obtain the AMI.
- Launch the VM-Series firewall on an EC2 instance.
- Choose the EC2 instance type for allocating the resources required for the firewall, and click Next. See VM-Series System Requirements, for resource requirements.
- Select the VPC.
- Select the public subnet on Outpost to which the VM-Series management interface will attach.
- Select Automatically assign a public IP address. This allows you to obtain a publicly accessible IP address for the management interface of the VM-Series firewall.You can later attach an Elastic IP address to the management interface; unlike the public IP address that is disassociated from the firewall when the instance is terminated, the Elastic IP address provides persistence and can be reattached to a new (or replacement) instance of the VM-Series firewall without the need to reconfigure the IP address wherever you might have referenced it.
- Select Launch as an EBS-optimized instance.
- Add another network interface for deployments with ELB so that you can swap the management and data interfaces on the firewall. Swapping interfaces requires a minimum of two ENIs (eth0 and eth1).
- Expand the Network Interfaces section and click Add Device to add another network interface.Make sure that your VPC has more than one subnet so that you can add additional ENIs at launch.If you launch the firewall with only one ENI:
- The interface swap command will cause the firewall to boot into maintenance mode.
- You must reboot the firewall when you add the second ENI.
- Expand the Advanced Details section and in the User data field enter mgmt-interface-swap=enable as text to perform the interface swap during launch.If you are bootstrapping the firewall, you can also enter vmseries-bootstrap-aws-s3bucket=<bucketname> with a comma separator after mgmt-interface-swap=enable.
- Accept the default Storage settings. The firewall uses volume type SSD (gp2)This key pair is required for first time access to the firewall. It is also required to access the firewall in maintenance mode.
- (Optional) Tagging. Add one or more tags to create your own metadata to identify and group the VM-Series firewall. For example, add a Name tag with a Value that helps you remember that the ENI interfaces have been swapped on this VM-Series firewall.
- Select an existing Security Group or create a new one. This security group is for restricting access to the management interface of the firewall. At a minimum consider enabling https and ssh access for the management interface.
- If prompted, select an appropriate SSD option for your setup.
- Select Review and Launch. Review that your selections are accurate and click Launch.
- Select an existing key pair or create a new one, and acknowledge the key disclaimer.
- Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key, if lost.It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2 Dashboard.When the process completes, the VM-Series firewall displays on the Instances page of the EC2 Dashboard.
- Configure
a new administrative password for the firewall.On the VM-Series firewall CLI, you must configure a unique administrative password before you can access the web interface of the firewall. To log in to the CLI, you require the private key that you used to launch the firewall.
- Use the public IP address to SSH into the
Command Line Interface (CLI) of the VM-Series firewall. You will
need the private key that you used or created in 3 above to access the
CLI.If you added an additional ENI to support deployments with ELB, you must first create and assign an Elastic IP address to the ENI to access the CLI, see 6.If you are using PuTTY for SSH access, you must convert the .pem format to a .ppk format. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
- Enter the following command to log in to the firewall:ssh-i <private_key.pem> admin@<public-ip_address>
- Configure a new password, using the following command
and follow the onscreen prompts:configureset mgt-config users admin password
- If you have a BYOL that needs to be activated, set
the DNS server IP address so that the firewall can aceess the Palo
Alto Networks licensing server. Enter the following command to set
the DNS server IP address:set deviceconfig system dns-setting servers primary <ip_address>
- Commit your changes with the command:commit
- Terminate the SSH session.
- Use the public IP address to SSH into the
Command Line Interface (CLI) of the VM-Series firewall. You will
need the private key that you used or created in 3 above to access the
CLI.
- Shutdown the VM-Series firewall.
- On the EC2 Dashboard, select Instances.
- From the list, select the VM-Series firewall and click ActionsStop.
- Create
and assign an Elastic IP address (EIP) to the ENI used for management
access to the firewall and reboot the VM-Series firewall.
- Select Elastic IPs and click Allocate New Address.
- Select EC2-VPC and click Yes, Allocate.
- Select the newly allocated EIP and click Associate Address.
- Select the Network Interface and the Private IP address associated with the management interface and click Yes, Associate.
- Create virtual network interface(s) and attach the interface(s)
to the VM-Series firewall. The virtual network interfaces are called
Elastic Network Interfaces (ENIs) on AWS, and serve as the dataplane
network interfaces on the firewall. These interfaces are used for
handling data traffic to/from the firewall.You will need at least two ENIs that allow inbound and outbound traffic to/from the firewall. You can add up to seven ENIs to handle data traffic on the VM-Series firewall; check your EC2 instance type to verify the maximum number supported on it.
- On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
- Enter a descriptive name for the interface.
- Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
- Enter the Private IP address to assign to the interface or select Auto-assign to automatically assign an IP address within the available IP addresses in the selected subnet.
- Select the Security group to control access to the dataplane network interface.
- Click Yes, Create.
- To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
- Select the Instance ID of the VM-Series firewall, and click Attach.
- Repeat the steps above for creating and attaching at least one more ENI to the firewall.
- (Not required for the Usage-based licensing model)
Activate the licenses on the VM-Series firewall.This task is not performed on the AWS management console. Access to the Palo Alto Networks support portal and the web interface of the VM-Series firewall is required for license activation.See Activate the License.
- Disable Source/Destination check on every firewall dataplane
network interface(s). Disabling this option allows the interface
to handle network traffic that is not destined to the IP address
assigned to the network interface.
- On the EC2 Dashboard, select the network interface, for example eth1/1, in the Network Interfaces tab.
- In the Action drop-down, select Change Source/Dest. Check.
- Click Disabled and Save your changes.
- Repeat Steps 1-3 for each firewall dataplane interface.
- Configure the dataplane network interfaces as Layer 3
interfaces on the firewall.For an example configuration, see steps 14 through 17 in Use Case: Secure the EC2 Instances in the AWS Cloud.On the application servers within the VPC, define the dataplane network interface of the firewall as the default gateway.
- Using a secure connection (https) from your web browser, log in using the EIP address and password you assigned during initial configuration (https://<Elastic_IP address>). You will see a certificate warning; that is okay. Continue to the web page.
- Select NetworkInterfacesEthernet.
- Click the link for ethernet 1/1 and
configure as follows:
- Interface Type: Layer3
- On the Config tab, assign the interface to the default router.
- On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example VM_Series_untrust, and then click OK.
- On the IPv4 tab, select either Static or DHCP Client.If using the Static option, click Add in the IP section, and enter the IP address and network mask for the interface, for example 10.0.0.10/24.Make sure that the IP address matches the ENI IP address that you assigned earlier.If using DHCP, select DHCP Client; the private IP address that you assigned to the ENI in the AWS management console will be automatically acquired.
- Click the link for ethernet 1/2 and
configure as follows:
- Interface Type: Layer3
- Security Zone: VM_Series_trust
- IP address: Select the Static or DHCP Client radio button.For static, click Add in the IP section, and enter the IP address and network mask for the interface. Make sure that the IP address matches the attached ENI IP address that you assigned earlier.
- Click Commit. Verify that the
link state for the interfaces are up.For DHCP, clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the internet gateway on the VPC.
- Create NAT rules to allow inbound and outbound traffic
from the servers deployed within the VPC.
- Select PoliciesNAT on the web interface of the firewall.
- Create a NAT rule to allow traffic from the dataplane network interface on the firewall to the web server interface in the VPC.
- Create a NAT rule to allow outbound access for traffic from the web server to the internet.
- Create
security policies to allow/deny traffic to/from the servers deployed
within the VPC.
- Select PoliciesSecurity on the web interface of the firewall.
- Click Add, and specify the zones, applications and logging options that you would like to execute to restrict and audit traffic traversing through the network.
- Commit the changes on the firewall.Click Commit.
- Verify that the VM-Series firewall is securing traffic
and that the NAT rules are in effect.
- Select MonitorLogsTraffic on the web interface of the firewall.
- View the logs to make sure that the applications traversing the network match the security policies you implemented.