Your AWS Cloud Journey: Deploying Palo Alto HA in AWS

If you need HA in AWS and follow the tech docs on the Palo Alto site, they can be a bit confusing. There are two methods: Palo Alto's own HA, and a design that uses the AWS-native Elastic Load Balancer (ELB). The Palo Alto VM-Series firewall on AWS supports active/passive HA only, and when it is deployed behind ELB it does not use HA at all (ELB health-checks and distributes across independent firewalls instead). This post describes the former, native HA.

As I mentioned the docs are confusing and not very clear in some spots. They mix the two deployments without really having a clear line of delineation for some steps. I actually went through about four or five configurations, terminating and recreating. My hope is this blog will save you some time.

I will assume you already have a good understanding of AWS and EC2 instance creation and connecting to instances, along with IAM roles and policies. I will also assume you have a good understanding of the Palo Alto CLI and GUI, and of the HA configuration parameters such as timers and hello intervals.

The AMI for the Palo Alto firewall is in the AWS Marketplace. There are two options, BYOL and usage-based. Choose one for this deployment.

For deploying a pair of firewalls in HA in the AWS cloud, you must ensure the following:

  • Select the AWS Identity and Access Management (IAM) role you created when launching the VM-Series firewall on an EC2 instance. Attach the role at launch; the firewall uses the role's credentials, obtained from the instance metadata service, to detach and attach the dataplane ENIs on failover. (AWS can also associate an instance profile with a running instance, but the documented flow attaches it at launch.)
  • The active firewall in the HA pair must have at least three ENIs: two dataplane interfaces and one management interface.
  • The passive firewall in the HA pair must have one ENI for management and one ENI that functions as dataplane interface; you will configure the dataplane interface as an HA2 interface.
  • Do not attach additional dataplane interfaces to the passive firewall in the HA pair. On failover, the dataplane interfaces from the previously active firewall are moved—detached and then attached—to the now-active (previously passive) firewall.
  • The HA peers must be deployed in the same AWS availability zone.

As stated previously, prior to launching the EC2 instance you must create a policy and attach that policy to a role in the AWS IAM service. The role must be attached to both VM-Series firewalls at launch.

The permissions for the policy you will need are below. The two Describe actions do not support resource-level permissions, so "Resource": "*" is required for them; the Attach and Detach actions are what move the dataplane ENIs on failover. Create the role with EC2 (ec2.amazonaws.com) as the trusted service so it can be used as an instance profile.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}
  • Launch the VM-Series firewall on an EC2 instance.
    1. Choose the EC2 instance type for allocating the resources required for the firewall, and click Next.
      • The PA site states the VM-Series firewalls support the following AWS instance types: C3, C4, M3, M4. However, it defaults to m5.large, limiting you to three interfaces. I chose m5.xlarge, which gives me four. See the chart for more information (the per-type ENI limit is what matters here, since the active firewall needs three ENIs).
    2. Select the VPC.
    3. Select the public subnet to which the VM-Series management interface will attach.
    4. Select Automatically assign a public IP address.
      • You can later attach an Elastic IP address to the management interface.
    5. Select Launch as an EBS-optimized instance.
    6. This is where the Palo Alto Tech docs become confusing. They state to add another network interface so you can swap the management and data interfaces on the firewall. However, for this deployment it is not needed. We will not be doing the interface swap.
    7. Expand the Network Interfaces section and click Add Device to add another network interface.
      • Make sure that your VPC has more than one subnet so you can add additional ENIs.
    8. Accept the default Storage settings.
    9. (Optional) Tagging.
    10. Select an existing Security Group or create a new one. At a minimum, enable https and ssh access for the management interface.
      • However, I had issues with HA 1 coming up. I decided to open up all TCP to the local IP 10.x.x.x and it finally worked. The actual ports used for HA1 are TCP 28769 and 28260 for clear-text communication and TCP 28 for encrypted communication (SSH over TCP), so a tighter rule allows just those ports from the peer's management IP. HA2 runs on ethernet1/1's ENI, which carries its own security group, and uses IP protocol 99 (or UDP 29281 with the UDP transport option); that ENI's security group needs a rule for it as well.
    11. Select Review and Launch.
    12. Review that your selections are accurate and click Launch.
    13. Select an existing key pair or create a new one and acknowledge the key disclaimer.
    14. Download and save the private key to a safe location; the file extension is .pem.
    15. It takes 5 to 7 minutes to launch the VM-Series firewall.
  • Configure a new admin password.
    1. Use the public IP to ssh to the instance CLI.
    2. Enter the following:
       configure
       set mgt-config users admin password
    3. Type a new password.
    4. Commit the changes: commit
    5. Exit the SSH session.
    6. Shut down the instance.
  • Create and assign Elastic IPs and Elastic Network Interfaces to the instance.
    1. You will need at least two ENIs that allow inbound and outbound traffic to/from the firewall.
    2. One thing to note is that the EC2 ENIs and the PA GUI do not sync up interface names. For example, the AWS console lists the interfaces as eth0, eth1, eth2 (screenshot not reproduced here).

The Palo Alto GUI shows the dataplane interfaces as ethernet1/1, ethernet1/2 and so on, with no eth0 (screenshot not reproduced here).

However, the Palo Alto CLI shows the mapping, so use the CLI to verify: compare the MAC address of each ENI in the EC2 console with the MAC column of show interface all on the firewall, which is the reliable way to tell which ENI became which PAN-OS interface. eth0 is the management interface, which will be used for HA1.
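Two of the checks above are easy to get wrong by hand: the security-group rules for HA1/HA2 (step 10) and the AWS-to-PAN-OS interface mapping (step 2 under ENIs). The following is an added example, not code from the original post or from Palo Alto Networks; it is offline and works on dicts in the shape boto3 returns from describe_security_groups() (IpPermissions) and describe_network_interfaces(). The peer addresses, ENI IDs, MACs and security-group entries are constructed, and the layout it assumes is the one used in this post: eth0 = management/HA1, eth1 = ethernet1/1 = HA2.

```python
"""Pre-flight checks for a VM-Series HA pair on AWS (added example, not code
from the original post or from Palo Alto Networks).

  * Which HA ports a security group is still missing, instead of "all TCP
    from 10.x": HA1 uses TCP 28769/28260 (TCP 28 when encrypted), HA2 uses
    IP protocol 99 (UDP 29281 with the UDP transport option).
  * Which PAN-OS interface name each ENI will get, keyed by AWS device index.
All IDs, addresses and security-group entries below are constructed; the
dict shapes follow boto3's describe_security_groups() and
describe_network_interfaces() responses.
"""
import ipaddress

HA1_CLEAR_TCP = (28769, 28260)     # HA1 control link, clear text
HA1_ENCRYPTED_TCP = (28,)          # HA1 control link, SSH-encrypted
HA2_IP_PROTOCOL = "99"             # HA2 data link, Transport = IP
HA2_UDP_PORT = 29281               # HA2 data link, Transport = UDP


def required_ha_rules(peer_ha1_cidr, peer_ha2_cidr, ha1_encrypted=False, ha2_transport="ip"):
    """Minimum inbound rules this firewall needs from its HA peer."""
    rules = []
    for port in (HA1_ENCRYPTED_TCP if ha1_encrypted else HA1_CLEAR_TCP):
        rules.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "Cidr": peer_ha1_cidr})
    if ha2_transport == "udp":
        rules.append({"IpProtocol": "udp", "FromPort": HA2_UDP_PORT, "ToPort": HA2_UDP_PORT, "Cidr": peer_ha2_cidr})
    else:
        rules.append({"IpProtocol": HA2_IP_PROTOCOL, "FromPort": None, "ToPort": None, "Cidr": peer_ha2_cidr})
    return rules


def permission_allows(perm, rule):
    """Does one IpPermissions entry cover one required rule (protocol, ports, source CIDR)?"""
    proto = perm["IpProtocol"]
    if proto != "-1" and proto != rule["IpProtocol"]:   # "-1" is "all traffic"
        return False
    if proto in ("tcp", "udp"):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not (lo <= rule["FromPort"] and rule["ToPort"] <= hi):
            return False
    wanted = ipaddress.ip_network(rule["Cidr"])
    return any(wanted.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", []))


def missing_ha_rules(ip_permissions, peer_ha1_cidr, peer_ha2_cidr, **ha_options):
    """Required rules that no entry in the security group satisfies (empty list = OK)."""
    return [rule for rule in required_ha_rules(peer_ha1_cidr, peer_ha2_cidr, **ha_options)
            if not any(permission_allows(perm, rule) for perm in ip_permissions)]


def panos_interface_name(device_index):
    """AWS eth0 is the PAN-OS management port; ethN (N >= 1) becomes ethernet1/N."""
    return "management" if device_index == 0 else f"ethernet1/{device_index}"


def interface_plan(network_interfaces):
    """Expected PAN-OS name, IP and MAC per ENI, to compare against 'show interface all'
    on the firewall CLI (match on MAC, not on list position)."""
    plan = {}
    for eni in network_interfaces:
        name = panos_interface_name(eni["Attachment"]["DeviceIndex"])
        plan[name] = {"eni": eni["NetworkInterfaceId"], "ip": eni["PrivateIpAddress"],
                      "mac": eni["MacAddress"], "source_dest_check": eni["SourceDestCheck"]}
    return plan


# --- constructed sample data -------------------------------------------------
PEER_HA1 = "10.0.0.20/32"   # peer management (HA1) address, constructed
PEER_HA2 = "10.0.1.20/32"   # peer ethernet1/1 (HA2) address, constructed

SG_ALL_TCP_FROM_10 = [      # the "open all TCP to 10.x" rule: HA1 works, HA2 (proto 99) does not
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]
SG_HA_ONLY = [              # tightened: HA protocols only, from the peer only
    {"IpProtocol": "tcp", "FromPort": 28769, "ToPort": 28769, "IpRanges": [{"CidrIp": PEER_HA1}]},
    {"IpProtocol": "tcp", "FromPort": 28260, "ToPort": 28260, "IpRanges": [{"CidrIp": PEER_HA1}]},
    {"IpProtocol": "99", "IpRanges": [{"CidrIp": PEER_HA2}]},
]
SAMPLE_ENIS = [             # active firewall: management, HA2, one movable dataplane ENI
    {"NetworkInterfaceId": "eni-0a1", "PrivateIpAddress": "10.0.0.10", "MacAddress": "02:00:00:00:00:a1",
     "SourceDestCheck": True, "Attachment": {"DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-0a2", "PrivateIpAddress": "10.0.1.10", "MacAddress": "02:00:00:00:00:a2",
     "SourceDestCheck": False, "Attachment": {"DeviceIndex": 1}},
    {"NetworkInterfaceId": "eni-0a3", "PrivateIpAddress": "10.0.2.10", "MacAddress": "02:00:00:00:00:a3",
     "SourceDestCheck": False, "Attachment": {"DeviceIndex": 2}},
]

if __name__ == "__main__":
    for label, sg in (("all TCP from 10/8", SG_ALL_TCP_FROM_10), ("HA ports only", SG_HA_ONLY)):
        print(label, "-> missing:", missing_ha_rules(sg, PEER_HA1, PEER_HA2))
    for name, info in interface_plan(SAMPLE_ENIS).items():
        print(f"{name:12} {info['ip']:12} {info['mac']}  src/dst check={info['source_dest_check']}")
```

With a live account, feed missing_ha_rules() the IpPermissions list of the security group on each HA ENI (the HA1 rules belong on the management ENI's group, the HA2 rule on ethernet1/1's group) and feed interface_plan() the NetworkInterfaces list for the instance; the "all TCP" rule passes the HA1 check but leaves protocol 99 unreachable, which is the kind of gap that shows up as HA2 staying down.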

  • Disable Source/Destination check on every dataplane ENI (EC2 console: select the ENI, then Actions > Change Source/Dest Check). Otherwise AWS drops packets the firewall forwards on behalf of other hosts, because neither address belongs to the ENI.
  • Configure the Dataplane Network Interfaces as Layer 3 interfaces on the firewall.
    1. HTTPS to the firewall and login with the admin PW combination that you set earlier.
    2. Select Network > Interfaces > Ethernet.
    3. Click the link for the dataplane interface that will carry traffic (for example ethernet1/2 on the active firewall; ethernet1/1 is reserved for the HA2 link and is set to type HA later) and configure as follows:
    4. Interface Type: Layer3
    5. On the Config tab, assign the interface to the default router.
    6. On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example VM_Series_untrust, and then click OK.
    7. On the IPv4 tab, select either Static or DHCP Client.
    8. If using the Static option, click Add in the IP section, and enter the IP address and network mask for the interface, for example 10.0.0.10/24.
    9. If using static, make sure that the IP address matches the ENI IP address that you assigned earlier.
    10. If using DHCP, select DHCP Client; the private IP address that you assigned to the ENI in the AWS management console will be automatically acquired.
      1. I did a “commit” after each interface to make sure the IP mappings were correct.
      2. You should see the interface as Green.
      3. You can also verify the DHCP by clicking the “Dynamic DHCP Client”. It should show the assignment and match to the AWS EC2 console. Verify each interface.
    11. Commit all changes at the end.
    12. Repeat for the second firewall.
  • Enable HA
    1. Select Device > High Availability > General and edit the setup section.
    2. Select Enable HA.


  • Configure ethernet1/1 as an HA interface
    1. Select Network > Interfaces.
    2. Confirm that the link state is up on ethernet1/1.
    3. Click the link for ethernet1/1 and set the Interface Type to HA.

  • Set up the control link HA1 to use the management port
    1. Select Device > High Availability > General and edit the HA1 section.
      1. Here is where I ran into another issue. The tech docs show the selection as a “Dedicated management port” as depicted below:

I was never able to get this choice. After four attempts resulting in terminating instances and reconfiguring, my console shows the below, so I decided to choose “non-dedicated”.

I did not use encryption.

  • Set up the data link HA2 to use the ethernet1/1
    1. Select Device > High Availability > General and edit the Data Link HA2 section.
    2. Select Port: ethernet1/1.
    3. Enter the IP address for ethernet1/1. This IP address must be the same as that assigned to the ENI on the EC2 dashboard.
    4. Enter the Netmask.
    5. Enter a Gateway IP address only if the two HA2 interfaces are on separate subnets; when both ethernet1/1 ENIs sit in the same subnet, leave it empty.
    6. Select IP or UDP for Transport. Use IP if you need Layer 3 transport (IP protocol number 99). Use UDP if you want the firewall to calculate the checksum on the entire packet rather than just the header, as in the IP option (UDP port 29281).

See the screenshot below:

  • Set the device priority and enable preemption
    1. Select Device > High Availability > General and edit the Election Settings section.
    2. Set Device Priority to a numerical value; a lower value is a higher priority. Give the firewall you want active the lower number, and enable Preemptive on both peers if you want that firewall to take the active role back once it recovers.

  • Configure the IP of the HA peer
    1. Select Device > High Availability > General and edit the setup section.
    2. Enter the IP address of the HA1 port on the peer. This is the private IP address assigned to the peer's management interface (eth0), which is also its HA1 link.
    3. Set the Group ID to a number between 1 and 63. Although this value is not used on the VM-Series firewall on AWS, you cannot leave the field blank. I just used "1".
  • Repeat the previous steps on the other peer, entering this firewall's management IP as its peer HA1 address.
  • Confirm the devices are paired and synced
    1. Active device: Device > High Availability should show the local firewall as active and the running configuration as synchronized (dashboard screenshot not reproduced here).
    2. Passive device: the same page should show the local firewall as passive, the peer as active, and the configuration as synchronized (screenshot not reproduced here). On either CLI, show high-availability state reports the same information.

  • Verify Failover
    1. Shut down the active HA peer: on the EC2 dashboard, select Instances, select the active HA firewall from the list, and click Actions > Stop.
    2. Check that the passive HA peer assumes the role of the active peer (show high-availability state on its CLI), and that the dataplane interfaces have moved over to the now-active HA peer; the EC2 console lists the moved ENIs under that instance's Networking tab.
    3. Start the stopped firewall again. With preemption enabled it takes the active role back, which moves the dataplane ENIs a second time, so expect one more short interruption.


Regardless of where you are in your AWS journey, Sirius cloud experts can help architect, implement and manage an optimal solution designed to enable and accelerate your business outcomes. For more details on how Sirius can help accelerate your cloud journey, contact a Sirius cloud expert today.

Published August 29th, 2019 (updated 2019-10-01) | Blog

About the Author:

Joe Flanagan is a Global Cloud Architect at Sirius.