
Information on the Palo Alto AWS AMI and the HA configuration steps. This will help avoid future pitfalls when deploying this.

Policy Configuration:

When deploying HA in AWS, before you do anything else you need to set up a specific role and policy to be deployed with the AMIs. Navigate to AWS > Identity and Access Management. From there, navigate to the Policies option and select the Create Policy button at the top:

Select the Policy Generator Option:

1. Select Amazon EC2 from the AWS Service drop-down.
2. Add the following actions to the policy:
   o ec2:attachnetworkinterface
   o ec2:describenetworkinterface
   o ec2:detachnetworkinterface
   o ec2:describeinstances
3. Set the ARN to *.

The final output should look like below:

Review the policy and give it a name, then press Create Policy:

Role Configuration:

Navigate to the Roles option and select the Create Role button at the top:

Set a new Role Name:

Select the Amazon EC2 Role Type:

Attach the previously made policy (you can type the name of the policy to help filter quicker):

On the Review Page, select Create Role:
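As an added example (not from the original guide), here is the policy document and the role trust policy that the console steps above produce, plus a small audit that flags anything broader than the four actions. The canonical EC2 action names are used: IAM matches action names case-insensitively, and the API call that lists interfaces is DescribeNetworkInterfaces (plural), which is what the Policy Generator will actually insert for the "describenetworkinterface" entry listed above.

```python
import json

# Canonical EC2 names for the four actions the guide adds. IAM matches action names
# case-insensitively, and the EC2 call that lists ENIs is DescribeNetworkInterfaces (plural).
HA_ACTIONS = ("ec2:AttachNetworkInterface", "ec2:DescribeNetworkInterfaces",
              "ec2:DetachNetworkInterface", "ec2:DescribeInstances")


def build_ha_policy():
    """Identity policy matching the Policy Generator output above (Resource set to *)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(HA_ACTIONS), "Resource": "*"}]}


def build_ec2_trust_policy():
    """Trust policy of the 'Amazon EC2' role type, so the two instances can assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def audit_ha_policy(doc):
    """Flag Allow statements that grant more than the HA failover needs:
    wildcard actions (e.g. ec2:*) or actions outside HA_ACTIONS."""
    findings = []
    wanted = {a.lower() for a in HA_ACTIONS}
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif action.lower() not in wanted:
                findings.append(f"action beyond HA needs: {action}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_ha_policy(), indent=2))
    print(json.dumps(build_ec2_trust_policy(), indent=2))
```

The Resource of * is what the guide specifies; the audit only checks that the action list stays limited to the four interface and describe calls.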

Deploying the AMI:

Navigate to Compute > EC2 and select the Launch Instance button. From here navigate to the AWS Marketplace:

Select your instance. If the customer already has VM licenses, choose the BYOL option. Otherwise, choose one of the other options. For the Instance Type I would just accept the default c3.xlarge. Only certain instance types are compatible:

In the Instance Details set the number of instances to 2, and set the IAM Role created in the previous step. *** WARNING: If you do not set the role here you'll need to start all over again! ***

Proceed with accepting the defaults for all other settings, and then launch the two instances. Optionally, you may change the security group name and description to something a little friendlier as well. It will make later steps easier to configure. *** NOTE: You may be prompted to create a private key for the new AMIs or use an existing one. Create a new key and save a copy; it will be used for the SSH connection later. ***

Network Settings

We now need to create the interfaces and assign a security policy to allow communication between the two Palos. Let's start with creating the network interfaces:

Navigate to Network & Security > Network Interfaces and press the Create Network Interface button. Set a description, subnet, and security group as shown below:

Repeat this until you have all the interfaces needed. You will need at minimum 3 interfaces: one HA interface on each Palo AMI, and another dataplane interface to forward traffic. From there, assign the interfaces to the Palo AMIs. Each attached interface will be applied in order as so:

o Default interface: eth0 in AWS = management interface in PAN
o First added interface: eth1 in AWS = ethernet1/1 in PAN
o Second added interface: eth2 in AWS = ethernet1/2 in PAN

You can optionally set descriptions on the interfaces to help keep track. You will assign eth1 to each Palo AMI, and eth2-eth8 to the primary Palo AMI. You do NOT need to duplicate interfaces; just apply and assign the remaining dataplane interfaces to the primary Palo AMI as shown below:

We also need to disable source/dest. checking on each dataplane interface (eth1/1-eth1/7). Right-click each interface (other than the management interface) and select Change Source/Dest. Check. Set it to Disabled as shown below:

Take note of the private IPs for each interface, as we will use them to set up HA:

From here, let's allocate Elastic IPs for our Palo AMIs. Navigate to Network & Security > Elastic IPs and press the Allocate New IP button to allocate two addresses:

From here, associate one address to each AMI. Use the private IP address of the management interface of each Palo AMI:

Once this is complete, be sure to power off and power back on each Palo Alto unit. Interface creation is not a hot-swappable feature. You can do this by navigating to Instances > Instances, right-clicking an AMI and selecting Instance State > Stop. Once the instance is stopped you can start it back up by right-clicking the AMI and selecting Instance State > Start.

Security Profile Group

Navigate to Network & Security > Security Groups, right-click the policy bound to the Palo AMIs, and select Edit Inbound Rules. From here, you will need to add 4 rules matching all traffic from the IP addresses of the Palo Alto Management and HA2 interfaces. Click Add Rule and set the parameters as shown below (replace 1.2.3.4/32 with the addresses of the Management and HA2 interfaces):

Click Save once all 4 rules are added. Review the profile to make sure it looks something like this:

Setting the Admin password:

You will need to SSH using the private key saved in the previous steps. If you're on OS X/Linux you will need to reset the permissions on the keyfile:

chmod 600 <keyname.pem>

From there, SSH into both Palo AMIs using the public Elastic IP set on each unit. In OS X/Linux:

ssh -i PAN.pem admin@52.27.161.236

Once logged in, feel free to configure the admin account just like any other Palo:
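The AWS-side prerequisites from the network interface and security group steps above (source/dest check disabled on every dataplane interface, and an all-traffic rule from each unit's management and HA2 address) can be verified offline with this added Python check, which is not part of the original guide. The ENI and rule records are constructed samples shaped like the EC2 DescribeNetworkInterfaces and DescribeSecurityGroups responses, and the addresses are made up.

```python
# Offline check of the AWS-side HA prerequisites: source/dest check off on every dataplane
# ENI, and an all-traffic inbound rule from each unit's management and HA2 (ethernet1/1) address.

# Constructed: two units with eth0 (mgmt) and eth1 (HA2); the primary also has eth2, source/dest check still on.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-a0", "PrivateIpAddress": "10.0.0.10", "SourceDestCheck": True, "Attachment": {"DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-a1", "PrivateIpAddress": "10.0.1.10", "SourceDestCheck": False, "Attachment": {"DeviceIndex": 1}},
    {"NetworkInterfaceId": "eni-a2", "PrivateIpAddress": "10.0.2.10", "SourceDestCheck": True, "Attachment": {"DeviceIndex": 2}},
    {"NetworkInterfaceId": "eni-b0", "PrivateIpAddress": "10.0.0.11", "SourceDestCheck": True, "Attachment": {"DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-b1", "PrivateIpAddress": "10.0.1.11", "SourceDestCheck": False, "Attachment": {"DeviceIndex": 1}},
]
# Constructed inbound rules: three of the four required /32 all-traffic rules, plus SSH from anywhere.
SAMPLE_INBOUND = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.10/32"}, {"CidrIp": "10.0.0.11/32"},
                                      {"CidrIp": "10.0.1.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def ha_peer_addresses(enis):
    """Device index 0 = PAN management (HA1); device index 1 = ethernet1/1, the only permitted HA2 port."""
    mgmt, ha2 = set(), set()
    for eni in enis:
        cidr = eni["PrivateIpAddress"] + "/32"
        idx = eni["Attachment"]["DeviceIndex"]
        if idx == 0:
            mgmt.add(cidr)
        elif idx == 1:
            ha2.add(cidr)
    return mgmt, ha2


def audit_ha_prereqs(enis, ip_permissions):
    """Return a list of findings; an empty list means the checks all pass."""
    findings = []
    mgmt, ha2 = ha_peer_addresses(enis)
    if len(mgmt) != 2 or len(ha2) != 2:
        findings.append("expected exactly two management and two HA2 interfaces")
    # Dataplane ENIs forward traffic for other hosts, so EC2 must not drop foreign-addressed packets.
    for eni in enis:
        if eni["Attachment"]["DeviceIndex"] >= 1 and eni["SourceDestCheck"]:
            findings.append(f"source/dest check still enabled on {eni['NetworkInterfaceId']}")
    # Sources already permitted for all traffic (IpProtocol "-1" is the console's "All traffic").
    allowed = {r["CidrIp"] for p in ip_permissions if p["IpProtocol"] == "-1" for r in p.get("IpRanges", [])}
    if "0.0.0.0/0" in allowed:
        findings.append("all traffic allowed from 0.0.0.0/0; HA rules should be /32")
    for cidr in sorted((mgmt | ha2) - allowed):
        findings.append(f"missing all-traffic inbound rule from {cidr}")
    return findings
```

Run against the sample data it reports the eth2 interface with source/dest check still enabled and the one HA2 address that has no inbound rule yet.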

Setting up HA:

Setting up HA is very similar to setting up HA on a physical device. There are some caveats:

o The HA1 interface is the management interface
o The HA2 interface can only be ethernet1/1
o No backup HA interfaces are permitted
o Preempt MUST be turned on on both units

Configure ethernet1/1 to be an HA interface by navigating to Network > Interfaces and clicking on ethernet1/1. Set the interface type to HA:

From there, navigate to Device > High Availability and set up HA using the following screenshots. The Peer Address is the Management interface of the neighboring Palo Alto AMI (eth0 in the AWS console):

Select the management interface from the drop-down. Set the HA2 interface to ethernet1/1, and use the neighboring AMI's ethernet1/1 address as the peer (eth1 in the AWS console). Set the Transport to UDP. Set the Election Settings; I like using 50 on the primary AMI and 100 on the secondary AMI. Make sure Preemptive is selected on both Palo AMIs.

Commit the configuration on both units and confirm that HA comes up. And that's it! Configure your remaining interfaces like any other Palo. During a failover those interfaces will automatically be detached from the primary Palo AMI and re-attached to the secondary unit. Once the primary comes back online, the interfaces are reattached to it.