VM Firewall Deployment in AWS Flashcards

1
Q

Can Panorama be deployed in cloud?

A

Yes; deploy Panorama in an on-premises data center or in a public cloud environment such as AWS

2
Q

Can bootstrapped firewalls automatically pull information from Panorama?

A

yes; VM-Series firewalls use the VM authorization key and Panorama IP address in the bootstrap package to authenticate and register the firewall with Panorama on its initial boot

3
Q

What is the only supported interface type in AWS?

A

because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces

4
Q

To deploy VM-Series firewalls in AWS, what deployment is typically used?

A

AWS Transit Gateway deployment (centralized)

5
Q

What are the options to route outbound and east-west traffic through the VM-Series firewalls in a Transit Gateway environment?

A
  1. deploy VM-Series with encrypted tunnels using AWS Transit Gateway VPN attachments
  2. deploy VM-Series in active-passive high availability (HA) mode using AWS Transit Gateway VPC attachments
6
Q

What are the trade-offs of the typical AWS Transit Gateway deployment?

A
  • Scale and Throughput Performance
    • each VPN attachment offers a limited throughput of 1.25 Gbps
    • does not scale beyond a single active VM-Series firewall (per AWS availability zone)
  • Visibility and Centralized Firewall Management
    • requires the firewalls to apply source address translation (SNAT) on the traffic to maintain flow symmetry, which obfuscates the source’s identity to applications
7
Q

Which architecture is used by most deployments?

A
  • sandwich architecture that forces all inbound application traffic to flow through an inbound security VPC
  • requires the firewalls to apply source NAT (SNAT) to maintain traffic symmetry
8
Q

What is the role of the Gateway Load Balancer (GWLB)?

A

distribute traffic across a set of network appliances, such as firewalls

9
Q

What kind of firewall deployment does the AWS GWLB allow?

A

it allows a stack of VM-Series firewalls to be deployed that operate in a horizontally scalable and fault-tolerant manner

10
Q

What are the 4 benefits of integrating the PA VM with GWLB?

A
  1. horizontally scalable
  2. high performance (no VPNs)
  3. no source NAT
  4. great option for new or existing deployments
11
Q

What traffic directions can the VM integration with GWLB protect?

A

all - outbound, east-west, and inbound

12
Q

What protocol is used by VM-Series and the GWLB to keep traffic packet headers and payload intact, providing complete visibility of the source’s identity to the applications?

A

GENEVE

13
Q

By using the GENEVE protocol, what design requirement is eliminated?

A

no need for using SNAT

14
Q

Why is integrating PA VM FWs with AWS GWLB cost-effective?

A

it reduces the number of firewalls needed to protect the AWS environment

15
Q

Why is integrating PA VM FWs with AWS GWLB good for performance?

A

there is no longer a need for encrypted tunnels for east-west and outbound traffic inspection, so there is no IPsec tunnel overhead

16
Q

When choosing an AWS design model, what factors should be considered?

A
  1. scale
  2. segmentation
17
Q

How can an HQ be connected to AWS?

A

IPsec VPN over the internet, or AWS Direct Connect as a private link outside of the public internet

18
Q

Why do separate VPCs need to be used for segmentation?

A

because traffic between resources in the same VPC cannot be redirected to a firewall - it always flows directly (as if the hosts were communicating on an L2 network)

19
Q

Should Panorama be deployed in the same VPC as managed firewalls?

A

no - deploy Panorama in a VPC dedicated to management and use another VPC to deploy the VM-Series firewalls

20
Q

What is the role of GWLB in the security VPC?

A

transparently distribute traffic across the VM-Series firewalls

21
Q

How should the GWLB be deployed?

A

in all of the security VPC’s availability zones, with a single endpoint service

22
Q

What is the purpose of AWS CloudFormation Templates?

A

define and declare the AWS resources that should be configured

23
Q

In which files are AWS CloudFormation Templates stored?

A

JSON or YAML files

24
Q

Which two cloud-provider-independent solutions are used to deploy and configure the VM-Series?

A

Terraform and Ansible

25
Q

What kind of security does the Isolated design model provide?

A

outbound and inbound security to one or more VPCs but does not provide VPC-to-VPC connectivity or security

26
Q

How does the Centralized model segment application resources?

A

the centralized design model segments application resources across multiple VPCs that connect in a hub-and-spoke topology

27
Q

In the centralized deployment, what ensures that all spoke-to-spoke and spoke-to-enterprise traffic transits the VM-Series firewalls?

A

Transit Gateway

28
Q

The TGW has VPC attachments in the availability zones of each…?

A
  • spoke VPC
  • management VPC (Panorama)
  • security VPC
29
Q

How does the TGW know the IP addressing of the VPCs so it can route to them and between them?

A

route tables are configured on the TGW for each VPC, and each VPC attachment is associated with its respective route table

29
Q

What does it mean that TGW route tables behave like route domains?

A
  • route tables in AWS TGW allow the creation of isolated network segments, much like route domains (VRFs) in traditional network architecture
  • this means that TGW route tables can handle overlapping IP address spaces by treating each route table as an isolated routing domain
29
Q

An attachment can be associated with how many TGW route tables?

A

only one; however, each TGW route table can associate with multiple attachments

30
Q

To supply inbound and outbound internet access to a security VPC, what needs to be deployed?

A

IGW

30
Q

TGW route tables can support up to how many routes?

A

10,000

30
Q

When integrating the GWLB and firewalls, how should the firewalls be deployed to achieve high availability?

A

VM FWs should be deployed in separate availability zones

30
Q

What is the BGP prefix limitation in TGW route table?

A

100 prefixes

31
Q

The IGW performs NAT to reach the internet for which traffic?

A
  1. PA FW VM management interface’s private IP address to its associated public IP address
  2. outbound traffic from the firewall
31
Q

In Centralized design, what are the three required interfaces?

A
  1. management interface
  2. private dataplane interface for traffic from the GWLB
  3. public dataplane interface for outbound traffic
31
Q

How should the VM firewall interfaces be configured to obtain IP addresses?

A

through DHCP

32
Q

When deploying a VM-Series instance from the AWS Marketplace, how many interfaces does it have by default?

A

a single interface; therefore the two additional interfaces need to be added manually

33
Q

When deploying VM firewall from AWS Marketplace, there is a need to create two Elastic IP addresses. How should they be assigned?

A
  • assign one to the management interface so it is possible to manage the firewall
  • assign the other to the public interface so the VM-Series firewall can support outbound traffic flows
34
Q

What is the content of the management route table?

A
  • all the management subnets
  • a default route to the IGW for internet access
  • a route to the TGW for access to Panorama
35
Q

What is the content of the public route table?

A
  • all the public subnets assigned to it
  • a default route to the IGW for internet access
36
Q

Is there a need to modify the default routing of the subnets dedicated to the private dataplane interface?

A

no

37
Q

What security group should be created on the firewall’s private dataplane interface and why?

A
  • to allow health checks and UDP traffic destined for port 6081 from all the GWLB subnets
  • the security group should deny all other traffic
38
Q

Why should the private dataplane interface have at least one subinterface?

A
  • the GWLB endpoints should map to subinterfaces instead of the dataplane interface
  • mapping all endpoints to a subinterface allows a restrictive security policy on the dataplane interface that permits health checks only from the GWLB subnets
40
Q

Why should appliance mode be enabled on the attachments in the security VPC?

A

to ensure that traffic is routed through the same attachment zone in both directions, even when the source and destination of the traffic are in different zones - if appliance mode is not enabled, return traffic can flow asymmetrically through a different firewall, which drops it

41
Q

What does the security auto scaling VPC template deploy?

A
  1. VM-Series firewall auto scaling group
  2. GWLB
  3. GWLB endpoint (GWLBE)
  4. GWLBE subnet
  5. security attachment subnet
  6. NAT gateway for each availability zone
42
Q

Where can you find the CloudFormation templates from Palo Alto Networks?

A

in the Palo Alto Networks GitHub repository
