VM Firewall Deployment in AWS

Question 1

Can Panorama be deployed in cloud?

Answer 1

Yes; deploy Panorama in on-premises data center or in a public cloud environment such as AWS

Question 2

Can bootstrapped firewalls automatically pull information from Panorama?

Answer 2

yes; VM-Series firewalls use a VM authorization key and Panorama IP address in the bootstrap package to authenticate and register to Panorama the firewall on its initial boot

Question 3

What is the only supported interface type in AWS?

Answer 3

because the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces

Question 4

To deploy VM-Series firewalls in AWS, what deployment is typically used?

Answer 4

AWS Transit Gateway deployment (centralized)

Question 5

What are the options to route outbound and east-west traffic through the VM-Series firewalls in Transit Gateway environment?

Answer 5

1. deploy VM-Series with encrypted tunnels using AWS Transit Gateway VPN attachments
2. deploy VM-Series in active-passive high availability (HA) mode using AWS Transit Gateway VPC attachments

Question 6

What are the trade-offs of the typical AWS Transit Gateway deployment?

Answer 6

• Scale and Throughput Performance
  
  • each VPN attachment offers a limited throughput of 1.25Gbps
  • does not scale beyond a single active VM-Series firewall (per AWS availability zone)
• Visibility and Centralized Firewall Management
  
  • requires the firewalls to apply source address translation (SNAT) on the traffic to maintain flow symmetry, which obfuscates the source’s identity to applications

Question 7

Which architecture is used by most deployments?

Answer 7

• sandwich architecture that forces all inbound application traffic to flow through an inbound security VPC
• requires the firewalls to apply source SNAT to maintain traffic symetry

Question 8

What is the role of the the Gateway Load Balancer (GWLB)?

Answer 8

distribute traffic across a set of network appliances, such as firewalls

Question 9

What kind of firewall deployment does AWS GWLB allow to do?

Answer 9

allows to deploy a stack of VM-Series firewalls that operate in a horizontally scalable and fault-tolerant manner

Question 10

What are the 4 benefits of integrating the PA VM with GWLB?

Answer 10

1. horizontally scalable
2. high performance (no VPNs)
3. no source NAT
4. great option for new or existing deployments

Question 11

What traffic directions can the VM integration with GWLB protect?

Answer 11

all - outbound, east-west, and inbound

Question 12

What protocol is used by VM-Series and the GWLB to keep traffic packet headers and payload intact, providing complete visibility of the source’s identity to the applications?

Answer 12

GENEVE

Question 13

By using the GENEVE protocol, what design requirement is eliminated?

Answer 13

no need for using SNAT

Question 14

Why is integrating PA VM FWs with AWS GWLB cost effective?

Answer 14

reduce the number of firewalls needed to protect AWS environment

Question 15

Why is integrating PA VM FWs with AWS good for performance?

Answer 15

there is no longer need to encrypted tunnels for east-west and outbound traffic inspection – no IPSec tunnel overhead

Question 16

When choosing an AWS design model, what factors should be considered?

Answer 16

1. scale
2. segmentation

Question 17

How can an HQ be connected to AWS?

Answer 17

IPSec VPN through the internet or AWS Direct Connect as a private link outside of the public internet

Question 18

Why separate VPCs need to be used for segmentation?

Answer 18

because traffic between resources in the same VPC cannot be redirected to a firewall - traffic always flows directly (like hosts would be communicating in an L2 network)

Question 19

Should Panorama be deployed in the same VPC as managed firewalls?

Answer 19

no - deploy Panorama in a VPC dedicated to management and use another VPC to deploy the VM-Series firewalls

Question 20

What is the role of GWLB in the security VPC?

Answer 20

transparently distribute traffic across the VM-Series firewalls

Question 21

How should be GWLB deployed?

Answer 21

in all of the security VPC’s availability zones, with a single endpoint service

Question 22

What is the purpose of AWS CloudFormation Templates?

Answer 22

define and declare the AWS resources that should be configured

Question 23

In which files are AWS CloudFormation Templates stored?

Answer 23

JSON or YAML files

Question 24

Which two cloud provider independent solutions are used to deploy and configure the VM-Series?

Answer 24

Terraform and Ansible

Question 25

What kind of security does the Isolated design model provide?

Answer 25

outbound and inbound security to one or more VPCs but does not provide VPC-to-VPC connectivity or security

Question 26

How does Centralized model segment application resources?

Answer 26

centralized design model segments application resources across multiple VPCs that connect in a hub-and-spoke topology

Question 27

In the centralized deployment, what ensures that all spoke-to-spoke and spoke-to-enterprise traffic transits the VM-series firewalls?

Answer 27

Transit Gateway

Question 28

lize

The TGW has VPC attachments in the availability zones of each…?

Answer 28

• spoke VPC
• management VPC (Panorama)
• security VPC

Question 29

How does TGW know about IP addressing of VPCs so it can route to them and between them?

Answer 29

there are route tables configured for each VPC on a TGW and each of these VPCs (attachments) are assigned their respective route tables?

Question 29

What does it mean that TGW route table behaves like route domains?

Answer 29

• route tables in AWS TGW allow to create isolated network segments, much like how route domains (VRF) function in traditional network architecture
• means that TGW route tables can manage overlapping IP address spaces by treating each route table as an isolated routing domain

Question 29

An attachment can be associated with how many TGW route tables?

Answer 29

only one; however, each TGW route table can associate with multiple attachments

Question 30

To supply inbound and outbound internet access to a Security VPC, what needs to be deployed?

Answer 30

IGW

Question 30

TGW route tables can support up to how many routes?

Answer 30

10k

Question 30

When integrating GWLB an FWs, how should be the firewalls deployed to achieve high availability?

Answer 30

VM FWs should be deployed in separate availability zones

Question 30

What is the BGP prefix limitation in TGW route table?

Answer 30

100 prefixes

Question 31

The IGW performs NAT to reach the internet for?

Answer 31

1. PA FW VM management interface’s private IP address to its associated public IP address
2. outbound traffic from the firewall

Question 31

In Centralized design, what are the three required interfaces?

Answer 31

1. management interface
2. private dataplane interface for traffic from the GWLB
3. public dataplane interface for outbound traffic

Question 31

How should be VM FWs interfaces configured to obtain IPs?

Answer 31

through DHCP

Question 32

When deploying a VM-Series instance from the AWS Marketplace, how many interfaces does it have by default?

Answer 32

a single interface; therefore the two additional interfaces are needed to be configured manually

Question 33

When deploying VM firewall from AWS Marketplace, there is a need to create two Elastic IP addresses. How should they be assigned?

Answer 33

• assign one to the management interface so it is possible to manage the firewal
• assign the other to the public interface so the VM-Series firewall can support outbound traffic flows

Question 34

What is the content of the management route table?

Answer 34

• all the management subnets
• a default route to the IGW for internet access
• a route to the TGW for access to Panorama

Question 35

What is the content of the public route table?

Answer 35

• all the public subnets assigned to it
• a default route to the IGW for internet access

Question 36

Is there a need to modify the default routing of the subnets dedicated to the private dataplane interface?

Answer 36

no

Question 37

What security group should be created on the firewall’s private dataplane interface and why?

Answer 37

• to allow health checks and UDP traffic destined to port 6081 from all the GWLB subnets
• the security group should deny all other traffic

Question 38

Why does the private dataplane interface should have at least one subinterface?

Answer 38

• the GWLB endpoints should map to subinterfaces instead of the dataplane interface
• mapping all endpoints to a subinterface allows to have a restrictive security policy on the dataplane interface that allows health checks only from the GWLB subnets

Question 39

How should be GWLB deployed?

Answer 39

in all of the security VPC’s availability zones, with a single endpoint service

Question 40

Why should appliance mode be enabled on the attachments in the security VPC?

Answer 40

in order to ensure that traffic routes through the same attachment zone even when the source and destination of the traffic are in different zones - if appliance mode is not enabled, it is possible to have asymmetric traffic flowing through different firewalls, which the firewalls drop

Question 41

What does the security auto scaling VPC template deploy?

Answer 41

1. VM-Series firewall auto scaling group
2. GWLB
3. GWLB endpoint (GWLBE)
4. GWLBE subnet
5. security attachment subnet
6. NAT gateway for each availability zone

Question 42

Where can you find the CloudFormation templates from Palo Alto Networks?

Answer 42

at GitHub Repository