VM Firewall Deployment in AWS Flashcards
Can Panorama be deployed in cloud?
Yes; deploy Panorama in an on-premises data center or in a public cloud environment such as AWS
Can bootstrapped firewalls automatically pull information from Panorama?
yes; the bootstrap package contains a VM authorization key and the Panorama IP address, which the VM-Series firewall uses to authenticate and register with Panorama on its initial boot
What is the only supported interface type in AWS?
because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces
To deploy VM-Series firewalls in AWS, what deployment is typically used?
AWS Transit Gateway deployment (centralized)
What are the options to route outbound and east-west traffic through the VM-Series firewalls in a Transit Gateway environment?
- deploy VM-Series with encrypted tunnels using AWS Transit Gateway VPN attachments
- deploy VM-Series in active-passive high availability (HA) mode using AWS Transit Gateway VPC attachments
What are the trade-offs of the typical AWS Transit Gateway deployment?
- Scale and throughput performance
  - each VPN attachment offers a limited throughput of 1.25 Gbps
  - does not scale beyond a single active VM-Series firewall (per AWS availability zone)
- Visibility and centralized firewall management
  - requires the firewalls to apply source address translation (SNAT) on the traffic to maintain flow symmetry, which obfuscates the source's identity to applications
Which architecture is used by most deployments?
- sandwich architecture that forces all inbound application traffic to flow through an inbound security VPC
- requires the firewalls to apply source NAT (SNAT) to maintain traffic symmetry
What is the role of the Gateway Load Balancer (GWLB)?
distribute traffic across a set of network appliances, such as firewalls
What kind of firewall deployment does AWS GWLB enable?
allows you to deploy a stack of VM-Series firewalls that operate in a horizontally scalable and fault-tolerant manner
What are the 4 benefits of integrating the PA VM with GWLB?
- horizontally scalable
- high performance (no VPNs)
- no source NAT
- great option for new or existing deployments
What traffic directions can the VM integration with GWLB protect?
all - outbound, east-west, and inbound
What protocol is used by VM-Series and the GWLB to keep traffic packet headers and payload intact, providing complete visibility of the source’s identity to the applications?
GENEVE
By using the GENEVE protocol, what design requirement is eliminated?
no need for using SNAT
Why is integrating PA VM FWs with AWS GWLB cost effective?
reduces the number of firewalls needed to protect the AWS environment
Why is integrating PA VM FWs with AWS good for performance?
there is no longer a need for encrypted tunnels for east-west and outbound traffic inspection, so there is no IPsec tunnel overhead
When choosing an AWS design model, what factors should be considered?
- scale
- segmentation
How can an HQ be connected to AWS?
IPSec VPN through the internet or AWS Direct Connect as a private link outside of the public internet
Why do separate VPCs need to be used for segmentation?
because traffic between resources in the same VPC cannot be redirected to a firewall; it always flows directly between them, as hosts would communicate on an L2 network
Should Panorama be deployed in the same VPC as managed firewalls?
no - deploy Panorama in a VPC dedicated to management and use another VPC to deploy the VM-Series firewalls
What is the role of GWLB in the security VPC?
transparently distributes traffic across the VM-Series firewalls