VM Firewall Deployment in AWS Flashcards
Can Panorama be deployed in cloud?
Yes; Panorama can be deployed in an on-premises data center or in a public cloud environment such as AWS
Can bootstrapped firewalls automatically pull information from Panorama?
Yes; the bootstrap package carries a VM authorization key and the Panorama IP address, which the VM-Series firewall uses to authenticate to and register with Panorama on its initial boot
What is the only supported interface type in AWS?
Layer 3 only; because an AWS VPC is an IP (Layer 3) network, the VM-Series firewall can only be deployed with Layer 3 interfaces
To deploy VM-Series firewalls in AWS, what deployment is typically used?
AWS Transit Gateway deployment (centralized)
What are the options to route outbound and east-west traffic through the VM-Series firewalls in Transit Gateway environment?
- deploy VM-Series with encrypted tunnels using AWS Transit Gateway VPN attachments
- deploy VM-Series in active-passive high availability (HA) mode using AWS Transit Gateway VPC attachments
What are the trade-offs of the typical AWS Transit Gateway deployment?
Scale and throughput performance:
- each VPN attachment offers a limited throughput of 1.25 Gbps
- does not scale beyond a single active VM-Series firewall (per AWS availability zone)
Visibility and centralized firewall management:
- requires the firewalls to apply source NAT (SNAT) to the traffic to maintain flow symmetry, which hides the source's identity from the applications
Which architecture is used by most deployments?
- a sandwich architecture that forces all inbound application traffic to flow through an inbound security VPC
- requires the firewalls to apply SNAT to maintain traffic symmetry
What is the role of the the Gateway Load Balancer (GWLB)?
distribute traffic across a set of network appliances, such as firewalls
What kind of firewall deployment does AWS GWLB allow to do?
it allows you to deploy a stack of VM-Series firewalls that scale horizontally and tolerate the failure of individual firewalls
What are the 4 benefits of integrating the PA VM with GWLB?
- horizontally scalable
- high performance (no VPNs)
- no source NAT
- great option for new or existing deployments
What traffic directions can the VM integration with GWLB protect?
all - outbound, east-west, and inbound
What protocol is used by VM-Series and the GWLB to keep traffic packet headers and payload intact, providing complete visibility of the source’s identity to the applications?
GENEVE
By using the GENEVE protocol, what design requirement is eliminated?
SNAT is no longer needed; the inner packet's source address reaches the application unchanged
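The GENEVE encapsulation described above, as an added example in Python (not code from the page or from Palo Alto Networks): it parses a GWLB-style GENEVE packet, reads the AWS-specific options (option class 0x0108 with types 1, 2 and 3 for the endpoint ENI ID, attachment ID and flow cookie, as documented by AWS and assumed here), shows that the inner source address is intact, and re-encapsulates the packet unchanged for the return trip to the GWLB. The packet, addresses and IDs are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

GENEVE_UDP_PORT = 6081          # UDP port the GWLB sends GENEVE traffic to
ETHERTYPE_IPV4 = 0x0800
# AWS option class/types for GWLB (values as documented by AWS; assumed for this example)
AWS_OPT_CLASS = 0x0108
OPT_GWLBE_ENI_ID = 1            # 8 bytes: ID of the GWLB endpoint ENI the packet came through
OPT_ATTACHMENT_ID = 2           # 8 bytes: ID of the attachment (the appliance target)
OPT_FLOW_COOKIE = 3             # 4 bytes: per-flow cookie the appliance must echo back


@dataclass
class GeneveFrame:
    vni: int
    protocol: int
    flags: int = 0                                   # O and C bits of the base header
    options: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (class, type, data)
    inner: bytes = b""


def parse_geneve(payload: bytes) -> GeneveFrame:
    """Parse the UDP payload of a GENEVE packet (RFC 8926 base header + options + inner)."""
    if len(payload) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, proto, vni_bytes, _rsvd = struct.unpack("!BBH3sB", payload[:8])
    if b0 >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_len = (b0 & 0x3F) * 4               # option area length in bytes
    end = 8 + opt_len
    if len(payload) < end:
        raise ValueError("options run past end of packet")
    options, off = [], 8
    while off < end:
        cls, typ, len_byte = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (len_byte & 0x1F) * 4
        if off + 4 + data_len > end:
            raise ValueError("option length exceeds option area")
        options.append((cls, typ, payload[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return GeneveFrame(int.from_bytes(vni_bytes, "big"), proto, b1 & 0xC0, options, payload[end:])


def build_geneve(frame: GeneveFrame) -> bytes:
    """Inverse of parse_geneve: re-encapsulate the inner packet with the same options."""
    body = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in frame.options)
    hdr = struct.pack("!BBH3sB", len(body) // 4, frame.flags, frame.protocol,
                      frame.vni.to_bytes(3, "big"), 0)
    return hdr + body + frame.inner


def aws_option(frame: GeneveFrame, opt_type: int) -> Optional[bytes]:
    """Data of the first AWS option of the given type, or None if absent."""
    for cls, typ, data in frame.options:
        if cls == AWS_OPT_CLASS and (typ & 0x7F) == opt_type:
            return data
    return None


def inner_ipv4_5tuple(inner: bytes):
    """(src, sport, dst, dport, proto) of the encapsulated IPv4 packet: what the app sees."""
    if inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return str(IPv4Address(inner[12:16])), sport, str(IPv4Address(inner[16:20])), dport, inner[9]


def sample_packet() -> bytes:
    """Constructed GWLB-style packet: spoke host 10.1.2.3:40000 -> 10.2.0.10:443 (TCP SYN)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address("10.1.2.3").packed, IPv4Address("10.2.0.10").packed)
    opts = [
        (AWS_OPT_CLASS, OPT_GWLBE_ENI_ID, (0x0A1B2C3D4E5F6071).to_bytes(8, "big")),
        (AWS_OPT_CLASS, OPT_ATTACHMENT_ID, (0x1122334455667788).to_bytes(8, "big")),
        (AWS_OPT_CLASS, OPT_FLOW_COOKIE, (0xC0FFEE42).to_bytes(4, "big")),
    ]
    return build_geneve(GeneveFrame(vni=0, protocol=ETHERTYPE_IPV4, options=opts, inner=ip + tcp))


def inspect_and_return(payload: bytes) -> bytes:
    """What the firewall dataplane does: decapsulate, inspect the real inner 5-tuple
    (no SNAT has been applied), then hand the packet back with the options untouched
    so the GWLB can match it to the flow and endpoint it came from."""
    frame = parse_geneve(payload)
    if frame.protocol != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 inner packets are handled in this example")
    if aws_option(frame, OPT_FLOW_COOKIE) is None:
        raise ValueError("missing flow cookie: the GWLB could not map the return packet")
    _src, _sport, _dst, _dport, _proto = inner_ipv4_5tuple(frame.inner)  # policy lookup goes here
    return build_geneve(frame)
```

Because the options are echoed back byte for byte, a firewall that alters them (or the inner addresses) breaks the GWLB's flow mapping; that is the property the security group rule for UDP/6081 and the "no SNAT" statement both rely on.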
Why is integrating PA VM FWs with AWS GWLB cost effective?
it reduces the number of firewalls needed to protect the AWS environment
Why is integrating PA VM FWs with AWS GWLB good for performance?
there is no longer a need for encrypted tunnels for east-west and outbound traffic inspection, so there is no IPSec tunnel overhead
When choosing an AWS design model, what factors should be considered?
- scale
- segmentation
How can an HQ be connected to AWS?
IPSec VPN over the internet, or AWS Direct Connect as a private link that stays off the public internet
Why do separate VPCs need to be used for segmentation?
because traffic between resources in the same VPC cannot be redirected to a firewall; it always flows directly, as hosts on the same L2 network would communicate
Should Panorama be deployed in the same VPC as managed firewalls?
no - deploy Panorama in a VPC dedicated to management and use another VPC to deploy the VM-Series firewalls
What is the role of GWLB in the security VPC?
transparently distribute traffic across the VM-Series firewalls
How should be GWLB deployed?
in all of the security VPC’s availability zones, with a single endpoint service
What is the purpose of AWS CloudFormation Templates?
define and declare the AWS resources that should be configured
In which files are AWS CloudFormation Templates stored?
JSON or YAML files
Which two cloud provider independent solutions are used to deploy and configure the VM-Series?
Terraform and Ansible
What kind of security does the Isolated design model provide?
outbound and inbound security to one or more VPCs but does not provide VPC-to-VPC connectivity or security
How does Centralized model segment application resources?
centralized design model segments application resources across multiple VPCs that connect in a hub-and-spoke topology
In the centralized deployment, what ensures that all spoke-to-spoke and spoke-to-enterprise traffic transits the VM-series firewalls?
Transit Gateway
The TGW has VPC attachments in the availability zones of each…?
- spoke VPC
- management VPC (Panorama)
- security VPC
How does TGW know about IP addressing of VPCs so it can route to them and between them?
TGW route tables hold the routes (static or propagated) to each VPC's CIDR, and each VPC attachment is associated with one TGW route table that decides where traffic arriving from that attachment is forwarded
What does it mean that TGW route tables behave like routing domains?
- TGW route tables let you create isolated network segments, much like route domains (VRFs) in traditional network architecture
- each route table is an isolated routing domain, so different TGW route tables can hold overlapping IP address space
An attachment can be associated with how many TGW route tables?
only one; a TGW route table, however, can be associated with multiple attachments
To supply inbound and outbound internet access to a Security VPC, what needs to be deployed?
an internet gateway (IGW)
TGW route tables can support up to how many routes?
10k
When integrating GWLB and the firewalls, how should the firewalls be deployed to achieve high availability?
VM FWs should be deployed in separate availability zones
What is the BGP prefix limitation in TGW route table?
100 prefixes
For what does the IGW perform NAT to reach the internet?
- PA FW VM management interface’s private IP address to its associated public IP address
- outbound traffic from the firewall
In Centralized design, what are the three required interfaces?
- management interface
- private dataplane interface for traffic from the GWLB
- public dataplane interface for outbound traffic
How should the VM-Series firewall interfaces obtain their IP addresses?
through DHCP
When deploying a VM-Series instance from the AWS Marketplace, how many interfaces does it have by default?
a single interface; the two additional interfaces must be added manually
When deploying VM firewall from AWS Marketplace, there is a need to create two Elastic IP addresses. How should they be assigned?
- assign one to the management interface so the firewall can be managed
- assign the other to the public interface so the VM-Series firewall can support outbound traffic flows
What is the content of the management route table?
- all the management subnets
- a default route to the IGW for internet access
- a route to the TGW for access to Panorama
What is the content of the public route table?
- all the public subnets assigned to it
- a default route to the IGW for internet access
Is there a need to modify the default routing of the subnets dedicated to the private dataplane interface?
no
What security group should be created on the firewall’s private dataplane interface and why?
- one that allows health checks and UDP traffic destined to port 6081 (GENEVE) only from the GWLB subnets
- the security group should deny all other traffic
Why should the private dataplane interface have at least one subinterface?
- the GWLB endpoints should map to subinterfaces rather than to the dataplane interface itself
- mapping every endpoint to a subinterface allows a restrictive security policy on the dataplane interface that permits only health checks from the GWLB subnets
Why should appliance mode be enabled on the attachments in the security VPC?
so that a flow keeps using the same attachment zone even when its source and destination are in different zones; without appliance mode, the return traffic can take a different zone and land on a different firewall, which drops the asymmetric flow
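The TGW route-domain behaviour (each attachment associated with exactly one route table, spoke and security tables acting as separate domains) and the appliance-mode requirement, as an added example in Python that is not from the page or from Palo Alto Networks: a small model of the centralized design with longest-prefix route lookup and a lint that verifies every spoke-to-spoke flow transits the security VPC attachment and returns directly to its destination. Attachment IDs, CIDRs and route-table names are constructed for the example.

```python
import copy
from ipaddress import ip_address, ip_network

TGW_MAX_ROUTES = 10_000  # per-route-table limit stated on the page

# Constructed model of a centralized hub-and-spoke design; IDs, CIDRs and table names
# are made up for this example and refer to no real account.
MODEL = {
    "attachments": {
        "tgw-attach-spoke-a": {"cidr": "10.1.0.0/16", "kind": "spoke", "appliance_mode": False},
        "tgw-attach-spoke-b": {"cidr": "10.2.0.0/16", "kind": "spoke", "appliance_mode": False},
        "tgw-attach-mgmt": {"cidr": "10.255.0.0/16", "kind": "mgmt", "appliance_mode": False},
        "tgw-attach-sec": {"cidr": "10.254.0.0/16", "kind": "security", "appliance_mode": True},
    },
    "route_tables": {
        # Spoke route domain: spokes know only a default towards the security VPC,
        # so every spoke-to-spoke and spoke-to-internet flow transits the firewalls.
        "rt-spoke": {
            "associations": ["tgw-attach-spoke-a", "tgw-attach-spoke-b"],
            "routes": {"0.0.0.0/0": "tgw-attach-sec"},
        },
        # Security/management route domain: knows every spoke, so inspected traffic
        # is returned straight to its destination VPC.
        "rt-security": {
            "associations": ["tgw-attach-sec", "tgw-attach-mgmt"],
            "routes": {
                "10.1.0.0/16": "tgw-attach-spoke-a",
                "10.2.0.0/16": "tgw-attach-spoke-b",
                "10.255.0.0/16": "tgw-attach-mgmt",
            },
        },
    },
}


def lookup(routes: dict, dst: str):
    """Longest-prefix match over one route table; None means no route (the TGW drops)."""
    addr, best = ip_address(dst), None
    for prefix, target in routes.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def table_for(model: dict, attachment: str) -> str:
    """The single TGW route table an attachment is associated with (TGW allows exactly one)."""
    owners = [n for n, rt in model["route_tables"].items() if attachment in rt["associations"]]
    if len(owners) != 1:
        raise ValueError(f"{attachment} is associated with {len(owners)} route tables, expected 1")
    return owners[0]


def next_hop(model: dict, src_attachment: str, dst_ip: str):
    """Attachment that traffic entering the TGW from src_attachment is forwarded to."""
    return lookup(model["route_tables"][table_for(model, src_attachment)]["routes"], dst_ip)


def lint(model: dict) -> list:
    """Design checks for the centralized model; an empty list means the invariants hold."""
    findings, atts = [], model["attachments"]
    security = [a for a, v in atts.items() if v["kind"] == "security"]
    spokes = [a for a, v in atts.items() if v["kind"] == "spoke"]
    for a in atts:
        try:
            table_for(model, a)
        except ValueError as err:
            findings.append(str(err))
    for name, rt in model["route_tables"].items():
        if len(rt["routes"]) > TGW_MAX_ROUTES:
            findings.append(f"{name}: {len(rt['routes'])} routes exceeds the {TGW_MAX_ROUTES} limit")
    for a in security:
        if not atts[a]["appliance_mode"]:
            findings.append(f"{a}: appliance mode off; cross-AZ return traffic may reach a "
                            "different firewall and be dropped as asymmetric")
    for s in spokes:
        for d in spokes:
            if s == d:
                continue
            target = str(next(ip_network(atts[d]["cidr"]).hosts()))  # first host of spoke d
            try:
                hop = next_hop(model, s, target)
                if hop not in security:
                    findings.append(f"{s} -> {d}: next hop {hop} bypasses the security VPC")
                for sec in security:
                    if next_hop(model, sec, target) != d:
                        findings.append(f"{sec} cannot return inspected traffic to {d}")
            except ValueError:
                continue  # mis-associated attachment, already reported above
    return findings


def bypassed_model() -> dict:
    """Copy of MODEL with a direct spoke-to-spoke route: the classic mistake the lint catches."""
    m = copy.deepcopy(MODEL)
    m["route_tables"]["rt-spoke"]["routes"]["10.2.0.0/16"] = "tgw-attach-spoke-b"
    return m
```

The point of the two tables is that a spoke's table has no entry for any other spoke, so a more specific spoke route added later (the `bypassed_model` case) silently removes the firewalls from the path; running a check like `lint` in the deployment pipeline catches that before the route is applied.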
What does the security auto scaling VPC template deploy?
- VM-Series firewall auto scaling group
- GWLB
- GWLB endpoint (GWLBE)
- GWLBE subnet
- security attachment subnet
- NAT gateway for each availability zone
Where can you find the CloudFormation templates from Palo Alto Networks?
in the Palo Alto Networks GitHub repository