Set Up the VM-Series Firewall in AWS
Palo Alto Networks
VM-Series Deployment Guide
PAN-OS 6.1
Copyright 2007-2015 Palo Alto Networks
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/
About this Guide
This guide describes how to set up and license the VM-Series firewall; it is
intended for administrators who want to deploy the VM-Series firewall.
For more information, refer to the following sources:
PAN-OS Administrator's Guide for instructions on configuring the
features on the firewall.
https://paloaltonetworks.com/documentation for access to the
knowledge base, complete documentation set, discussion forums, and videos.
https://support.paloaltonetworks.com for contacting support, for
information on the support programs, or to manage your account or
devices.
For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates.
To provide feedback on the documentation, please write to us at:
[email protected].
Palo Alto Networks, Inc.
www.paloaltonetworks.com
2015 Palo Alto Networks Inc. All rights reserved.
Palo Alto Networks, and PAN-OS are registered trademarks of Palo Alto
Networks, Inc.
Revision Date: November 16, 2015
Set Up the VM-Series Firewall in AWS
The VM-Series firewall can be deployed in the Amazon Web Services (AWS) cloud. It can then be configured
to secure access to the applications that are deployed on EC2 instances and placed into a Virtual Private Cloud
(VPC) in AWS.
About the VM-Series Firewall in AWS
Deployments Supported in AWS
Deploy the VM-Series Firewall in AWS
Use Case: Secure the EC2 Instances in the AWS Cloud
Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS
List of Attributes Monitored on the AWS VPC
About the VM-Series Firewall in AWS
The Amazon Web Service (AWS) is a public cloud service that enables you to run your applications on a shared
infrastructure managed by Amazon. These applications can be deployed on scalable computing capacity or EC2
instances in different AWS regions and accessed by users over the Internet. For networking consistency and ease
of management of EC2 instances, Amazon offers the Virtual Private Cloud (VPC). A VPC is apportioned from
the AWS public cloud, and is assigned a CIDR block from the private network space (RFC 1918). Within a VPC,
you can carve public/private subnets for your needs and deploy the applications on EC2 instances within those
subnets. To then enable access to the applications within the VPC, you can deploy the VM-Series firewall on an
EC2 instance. The VM-Series firewall can then be configured to secure traffic to and from the EC2 instances
within the VPC.
This document assumes that you are familiar with the networking and configuration of the AWS VPC. In order
to provide context for the terms used in this section, here is a brief refresher on the AWS terms (some
definitions are taken directly from the AWS glossary) that are referred to in this document:
EC2 (Elastic Compute Cloud)
A web service that enables you to launch and manage Linux/UNIX and Windows server instances in Amazon's datacenters.

AMI (Amazon Machine Image)
An AMI provides the information required to launch an instance, which is a virtual server in the cloud. The VM-Series AMI is an encrypted machine image that includes the operating system required to instantiate the VM-Series firewall on an EC2 instance.

Instance type
Amazon-defined specifications that stipulate the memory, CPU, storage capacity, and hourly cost for an instance. Some instance types are designed for standard applications, whereas others are designed for CPU-intensive or memory-intensive applications, and so on.

ENI (Elastic Network Interface)
An additional network interface that can be attached to an EC2 instance. An ENI can include a primary private IP address, one or more secondary private IP addresses, a public IP address, an Elastic IP address (optional), a MAC address, membership in specified security groups, a description, and a source/destination check flag.

IP address types for EC2 instances
An EC2 instance can have different types of IP addresses:
Public IP address: An IP address that can be routed across the Internet.
Private IP address: An IP address in the private IP address range as defined in RFC 1918. You can choose to manually assign an IP address or to auto-assign an IP address within the range in the CIDR block for the subnet in which you launch the EC2 instance. Amazon reserves the first four (4) IP addresses and the last one (1) IP address in every subnet for IP networking purposes, so those addresses cannot be assigned to an instance.
Elastic IP address (EIP): A static IP address that you have allocated in Amazon EC2 or Amazon VPC and then attached to an instance. Elastic IP addresses are associated with your account, not with a specific instance. They are elastic because you can easily allocate, attach, detach, and free them as your needs change.
An instance in a public subnet can have a private IP address, a public IP address, and an Elastic IP address (EIP); an instance in a private subnet has a private IP address and optionally an EIP.

VPC (Virtual Private Cloud)
An elastic network populated by infrastructure, platform, and application services that share common security and interconnection.

IGW (Internet gateway)
Internet gateway provided by Amazon. Connects a network to the Internet. You can route traffic for IP addresses outside your VPC to the Internet gateway.

Subnets
A segment of the IP address range of a VPC to which EC2 instances can be attached. EC2 instances are grouped into subnets based on your security and operational needs. There are two types of subnets:
Private subnet: The EC2 instances in this subnet cannot be reached from the Internet.
Public subnet: The Internet gateway is attached to the public subnet, and the EC2 instances in this subnet can be reached from the Internet.

Security groups
A security group is attached to an ENI and specifies the list of protocols, ports, and IP address ranges that are allowed to establish inbound/outbound connections on the interface.
In the AWS VPC, security groups and network ACLs control inbound and outbound traffic; security groups regulate access to the EC2 instance, while network ACLs regulate access to the subnet. Because you are deploying the VM-Series firewall, set more permissive rules in the security groups and network ACLs that apply to the dataplane interfaces and the servers behind them, and let the firewall safely enable applications in the VPC. The security group on the firewall's management interface should remain restrictive: allow SSH and HTTPS only from the source addresses that administer the firewall.

Route tables
A set of routing rules that controls the traffic leaving any subnet that is associated with the route table. A subnet can be associated with only one route table.

Key pair
A set of security credentials you use to prove your identity electronically. The key pair consists of a private key and a public key. At the time of launching the VM-Series firewall, you must generate a key pair or select an existing key pair for the VM-Series firewall. The private key is required for the first SSH login to the firewall and to access the firewall in maintenance mode.
Deployments Supported in AWS
The VM-Series firewall secures inbound and outbound traffic to and from EC2 instances within the AWS
Virtual Private Cloud (VPC). Because the AWS VPC only supports an IP network (Layer 3 networking
capabilities), the VM-Series firewall can only be deployed with Layer 3 interfaces.
Deploy the VM-Series firewall to secure the EC2 instances hosted in the AWS Virtual Private Cloud.
If you host your applications in the AWS cloud, deploy the VM-Series firewall to protect and safely enable
applications for users who access these applications over the Internet. For example, the following diagram
shows the VM-Series firewall deployed in the Edge subnet to which the Internet gateway is attached. The
application(s) are deployed in the private subnet, which does not have direct access to the Internet.
When users need to access the applications in the private subnet, the firewall receives the request and directs
it to the appropriate application, after verifying security policy and performing Destination NAT. On the
return path, the firewall receives the traffic, applies security policy and uses Source NAT to deliver the
content to the user. See Use Case: Secure the EC2 Instances in the AWS Cloud.
Deploy the VM-Series firewall for VPN access between the corporate network and the EC2 instances within
the AWS Virtual Private Cloud.
To connect your corporate network with the applications deployed in the AWS Cloud, you can configure the
firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel allows users on your network to
securely access the applications in the cloud.
For centralized management, consistent enforcement of policy across your entire network, and for
centralized logging and reporting, you can also deploy Panorama in your corporate network. If you need to
set up VPN access to multiple VPCs, using Panorama allows you to group the firewalls by region and
administer them with ease.
Deploy the VM-Series firewall as a GlobalProtect gateway to secure access for remote users using laptops.
The GlobalProtect agent on the laptop connects to the gateway, and based on the request, the gateway either
sets up a VPN connection to the corporate network or routes the request to the Internet. To enforce security
compliance for users on mobile devices (using the GlobalProtect App), the GlobalProtect gateway is used
in conjunction with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security
Manager ensures that mobile devices are managed and configured with the device settings and account
information for use with corporate applications and networks.
Deploy the VM-Series Firewall in AWS
Obtain the AMI
Review System Requirements and Limitations for VM-Series in AWS
Planning Worksheet for the VM-Series in the AWS VPC
Launch the VM-Series Firewall in AWS
Obtain the AMI
The AMI for the VM-Series firewall is available in the AWS Marketplace with the Bring Your Own License
(BYOL) pricing option. For purchasing licenses contact your Palo Alto Networks sales engineer or reseller.
Review System Requirements and Limitations for VM-Series in AWS
EC2 instance types
Deploy the VM-Series firewall on any of the following EC2 instance types: m3.xlarge, m3.2xlarge, c3.xlarge, c3.2xlarge, c3.4xlarge, c3.8xlarge.
The minimum resource requirements for the VM-Series firewall are vCPU: 2; Memory: 4GB (5GB for the VM-1000-HV); Disk: 40GB. If you deploy the VM-Series firewall on an EC2 instance type that does not meet these requirements, the firewall boots into maintenance mode.

Amazon Elastic Block Storage (EBS)
The VM-Series firewall must use an Amazon Elastic Block Storage (EBS) volume for storage. EBS optimization provides an optimized configuration stack and additional, dedicated capacity for Amazon EBS I/O.

Networking
Because AWS only supports Layer 3 networking, the VM-Series firewall can only be deployed with Layer 3 interfaces. Layer 2 interfaces, virtual wire, VLANs, and subinterfaces are not supported on the VM-Series firewall deployed in the AWS VPC.

Interfaces
Support for a total of eight interfaces is available: one management interface and a maximum of seven Elastic Network Interfaces (ENIs) for data traffic. The VM-Series firewall does not support hot attachment of ENIs; to detect the addition or removal of an ENI you must reboot the firewall.
Your EC2 instance type selection determines the total number of ENIs you can enable. For example, the c3.8xlarge supports eight (8) ENIs.

Support entitlement and licenses
A support account and a valid VM-Series license are required to obtain the Amazon Machine Image (AMI) file, which is required to install the VM-Series firewall in the AWS VPC.
The licenses required for the VM-Series firewall (capacity license, support license, and subscriptions for Threat Prevention, URL Filtering, WildFire, etc.) must be purchased from Palo Alto Networks. To purchase the licenses for your deployment, contact your sales representative.
Planning Worksheet for the VM-Series in the AWS VPC
For ease of deployment, plan the subnets within the VPC and the EC2 instances that you want to deploy within
each subnet. Before you begin, use the following table to collate the network information required to deploy
and insert the VM-Series firewall into the traffic flow in the VPC:
Configuration Item / Value
VPC CIDR:
Subnet (public) CIDR:
Subnet (private) CIDR:
Subnet (public) Route Table:
Subnet (private) Route Table:
Security Groups:
  Rules for management access to the firewall (eth0/0):
  Rules for access to the dataplane interfaces of the firewall:
  Rules for access to the interfaces assigned to the application servers:
EC2 Instance 1 (VM-Series firewall)
  Subnet:
  Instance type:
  Mgmt interface IP:
  Mgmt interface EIP:
  Dataplane interface eth1/1
    Private IP:
    EIP (if required):
    Security Group:
  Dataplane interface eth1/2
    Private IP:
    EIP (if required):
    Security Group:
  An EIP is only required for the dataplane interface that is attached to the public subnet.
EC2 Instance 2 (Application to be secured)
  Subnet:
  Instance type:
  Mgmt interface IP:
  Default gateway:
  Dataplane interface 1
    Private IP:
  Repeat this set of values for each additional application being deployed.
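The worksheet above is easy to fill in inconsistently (a subnet outside the VPC block, two subnets that overlap, a private IP that AWS has reserved, more ENIs than the instance type allows). The following script, an added example that is not part of this guide or of Palo Alto Networks' software, checks a filled-in worksheet against the numbers the guide states: RFC 1918 space for the VPC, the first four and last address of each subnet reserved by AWS, one management interface plus at most seven dataplane ENIs, and at least two dataplane ENIs. The per-instance-type ENI limits other than the c3.8xlarge value (which the guide gives) are taken from the AWS instance-type table and should be re-checked against current AWS documentation; the sample plan is the topology of the use case later in this chapter.

```python
"""Sanity-check a VM-Series VPC plan before touching the AWS console.

Added example for this guide; not Palo Alto Networks or AWS code.
"""
import ipaddress
from dataclasses import dataclass

# Instance types the guide lists for PAN-OS 6.1 and the maximum number of ENIs
# AWS allows on each. The guide states only the c3.8xlarge value (8); the rest
# come from the AWS instance-type table (assumption, re-check before relying on it).
MAX_ENIS = {
    "m3.xlarge": 4, "m3.2xlarge": 4,
    "c3.xlarge": 4, "c3.2xlarge": 4, "c3.4xlarge": 8, "c3.8xlarge": 8,
}
MAX_DATAPLANE_ENIS = 7   # firewall limit: eth0 (management) + seven dataplane ENIs
MIN_DATAPLANE_ENIS = 2   # untrust + trust


@dataclass
class Interface:
    name: str                 # e.g. "ethernet1/1"
    subnet: str               # key into Plan.subnets
    private_ip: str = None    # None: let AWS auto-assign
    management: bool = False


@dataclass
class Plan:
    vpc_cidr: str
    instance_type: str
    subnets: dict             # name -> CIDR string
    interfaces: list          # list of Interface


def reserved_addresses(net):
    """AWS reserves the first four and the last address of every subnet."""
    base = int(net.network_address)
    first_four = {ipaddress.ip_address(base + i) for i in range(4)}
    return first_four | {net.broadcast_address}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(plan.vpc_cidr, strict=True)
    if not vpc.is_private:
        problems.append(f"VPC CIDR {vpc} is not RFC 1918 space")

    nets = {}
    for name, cidr in plan.subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is outside VPC {vpc}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} and {b} overlap")

    eni_limit = None
    if plan.instance_type not in MAX_ENIS:
        problems.append(f"instance type {plan.instance_type} is not supported")
    else:
        eni_limit = min(MAX_ENIS[plan.instance_type], MAX_DATAPLANE_ENIS + 1)

    mgmt = [i for i in plan.interfaces if i.management]
    data = [i for i in plan.interfaces if not i.management]
    if len(mgmt) != 1:
        problems.append("exactly one management interface is required")
    if len(data) < MIN_DATAPLANE_ENIS:
        problems.append(f"need at least {MIN_DATAPLANE_ENIS} dataplane ENIs")
    if eni_limit is not None and len(plan.interfaces) > eni_limit:
        problems.append(f"{len(plan.interfaces)} ENIs exceeds the limit of "
                        f"{eni_limit} for {plan.instance_type}")

    seen = set()
    for iface in plan.interfaces:
        net = nets.get(iface.subnet)
        if net is None:
            problems.append(f"{iface.name}: unknown subnet {iface.subnet}")
            continue
        if iface.private_ip is None:      # auto-assigned by AWS, nothing to check
            continue
        ip = ipaddress.ip_address(iface.private_ip)
        if ip not in net:
            problems.append(f"{iface.name}: {ip} is not in subnet {net}")
        elif ip in reserved_addresses(net):
            problems.append(f"{iface.name}: {ip} is reserved by AWS in {net}")
        if ip in seen:
            problems.append(f"{iface.name}: {ip} assigned twice")
        seen.add(ip)
    return problems


# Constructed sample: the topology of the use case later in this chapter.
EXAMPLE_PLAN = Plan(
    vpc_cidr="10.0.0.0/16",
    instance_type="m3.xlarge",
    subnets={"public": "10.0.0.0/24", "private": "10.0.1.0/24"},
    interfaces=[
        Interface("eth0 (mgmt)", "public", None, management=True),
        Interface("ethernet1/1", "public", "10.0.0.10"),
        Interface("ethernet1/2", "private", "10.0.1.10"),
    ],
)

if __name__ == "__main__":
    for line in validate_plan(EXAMPLE_PLAN) or ["plan OK"]:
        print(line)
```

Run it against your own worksheet values before creating anything in the console; every finding it prints is something the AWS API would either reject or silently accept with a broken result (a private IP of 10.0.1.1, for example, is the VPC router and can never be assigned to an ENI).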
Launch the VM-Series Firewall in AWS
If you have not already registered the capacity auth-code that you received with the order fulfillment email, with
your support account, see Register the VM-Series Firewall. After registering, deploy the VM-Series firewall by
launching it in the AWS VPC as follows:
Launch the VM-Series Firewall in the AWS VPC
Step 1
Access the AWS Console.
Log in to the AWS console and select the EC2 Dashboard.
Step 2
Set up the VPC for your network needs.
Whether you launch the VM-Series firewall in an existing VPC or you create a new VPC, the VM-Series firewall must be able to receive traffic from the EC2 instances and perform inbound and outbound communication between the VPC and the Internet. Refer to the AWS VPC documentation for instructions on creating a VPC and setting it up for access. For an example with a complete workflow, see Use Case: Secure the EC2 Instances in the AWS Cloud.
1. Create a new VPC or use an existing VPC.
2. Verify that the network and security components are defined suitably:
Enable communication to the Internet. The default VPC includes an Internet gateway, and if you install the VM-Series firewall in the default subnet it has access to the Internet.
Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The VM-Series firewall must belong to the public subnet so that it can be configured to access the Internet.
Create security groups as needed to manage inbound and outbound traffic from the EC2 instances/subnets.
Add routes to the route table for the private subnet so that traffic leaving the private subnet is sent to the firewall's trust interface rather than directly to the Internet gateway, as applicable.
Step 3
Launch the VM-Series firewall.
1. On the EC2 Dashboard, click Launch Instance.
2. Select the VM-Series AMI. To get the AMI, see Obtain the AMI.
3. Launch the VM-Series firewall on an EC2 instance.
a. Choose an EC2 instance type from the list in Review System Requirements and Limitations for VM-Series in AWS (for example m3.xlarge, c3.xlarge, or c3.8xlarge) to allocate the resources required for the firewall, and click Next.
b. Select the VPC.
c. Select the public subnet to which the VM-Series management interface will attach.
d. Select Automatically assign a public IP address. This allows you to obtain a publicly accessible IP address for the management interface of the VM-Series firewall.
You can later attach an Elastic IP address to the management interface; unlike the public IP address that is disassociated from the firewall when the instance is stopped or terminated, the Elastic IP address provides persistence and can be reattached to a new (or replacement) instance of the VM-Series firewall without the need to reconfigure the IP address wherever you might have referenced it.
Although you can add additional network interfaces (ENIs) to the VM-Series firewall when you launch, AWS releases the auto-assigned public IP address for the management interface when you stop and restart the firewall (Step 5 stops the instance). Hence, to ensure connectivity to the management interface, assign an Elastic IP address to the management interface before attaching additional interfaces to the firewall, or expect to look up the new public IP address after the restart.
If you want to conserve EIP addresses, you can assign one EIP address to the ethernet1/1 interface and use this interface for both management traffic and data traffic. To restrict the services permitted on the interface or limit the IP addresses that can log in to ethernet1/1, attach an interface management profile to the interface.
e. Select Launch as an EBS-optimized instance.
f. Accept the default Storage settings.
g. Skip Tagging. You can add tags later.
h. Select an existing Security Group or create a new one. This security group restricts access to the management interface of the firewall; allow SSH and HTTPS only from the source addresses that administer the firewall.
i. If prompted, select an appropriate SSD option for your setup.
j. Select Review and Launch. Review that your selections are accurate and click Launch.
k. Select an existing key pair or create a new one, and acknowledge the key disclaimer. This key pair is required for first-time access to the firewall. It is also required to access the firewall in maintenance mode.
l. Download and save the private key to a safe location; the file extension is .pem. You cannot regenerate this key if it is lost.
It takes 5-7 minutes to launch the VM-Series firewall. You can view the progress on the EC2 Dashboard. When the process completes, the VM-Series firewall displays on the Instances page of the EC2 Dashboard.
Step 4
Configure a new administrative password for the firewall.
The default password is admin. Using the CLI, you must configure a unique password for the firewall before you can access the web interface of the firewall.
1. Use the public IP address to SSH into the Command Line Interface (CLI) of the VM-Series firewall. You will need the private key that you used or created in Step 3-k to access the CLI. If you are using PuTTY for SSH access, you must convert the .pem format to a .ppk format. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html
2. Enter the following command to log in to the firewall:
   ssh -i <private_key.pem> admin@<public-ip_address>
3. Configure a new password using the following commands and follow the onscreen prompts:
   configure
   set mgt-config users admin password
   commit
4. Terminate the SSH session.
Step 5
Shut down the VM-Series firewall.
1. On the EC2 Dashboard, select Instances.
2. From the list, select the VM-Series firewall and click Actions > Stop.
Step 6
Create virtual network interface(s) and attach the interface(s) to the VM-Series firewall. The virtual network interfaces are called Elastic Network Interfaces (ENIs) in AWS, and serve as the dataplane network interfaces on the firewall. These interfaces are used for handling data traffic to/from the firewall.
You will need at least two ENIs. You can add up to seven ENIs to handle data traffic on the VM-Series firewall; check your EC2 instance type to verify the maximum number supported on it.
To detect the newly attached ENIs, the VM-Series firewall requires a reboot. If you have not shut down the firewall yet, proceed with the license activation process, which triggers a reboot on the firewall. When the firewall reboots, the ENIs will be detected. If you stopped the firewall in Step 5, start it again after attaching the ENIs; they are detected on boot.
1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
2. Enter a descriptive name for the interface.
3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. An ENI can only be attached to an instance in the same Availability Zone; it may be in a different subnet of the VPC than the instance's management interface, which is how the trust interface is placed in the private subnet.
4. Enter the Private IP address to assign to the interface or select Auto-assign to automatically assign an IP address within the available IP addresses in the selected subnet.
5. Select the Security group to control access to the dataplane network interface.
6. Click Yes, Create.
7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM-Series firewall, and click Attach.
9. Repeat the steps above to create and attach at least one more ENI to the firewall.
Step 7
Activate the licenses on the VM-Series firewall.
See Activate the License.
This task is not performed on the AWS management console. Access to the Palo Alto Networks support portal and the web interface of the VM-Series firewall is required for license activation.
Step 8
Disable Source/Destination check on every firewall dataplane network interface. Disabling this option allows the interface to handle network traffic that is not destined to the IP address assigned to the network interface, which the firewall must do to forward and NAT traffic for the servers behind it.
1. On the EC2 Dashboard, in the Network Interfaces tab, select the network interface, for example the ENI for ethernet1/1.
2. In the Action drop-down, select Change Source/Dest. Check.
3. Click Disabled and Save your changes.
4. Repeat steps 1-3 for each firewall dataplane interface.
Step 9
Configure the dataplane network interfaces as Layer 3 interfaces on the firewall.
For an example configuration, see Step 14 through Step 17 in Use Case: Secure the EC2 Instances in the AWS Cloud.
1. Launch a web browser and enter https:// followed by the public IP address or EIP assigned to the management interface of the VM-Series firewall.
2. Select Network > Interfaces > Ethernet.
Before you begin setting up the network interfaces, verify that the Link state for the interface is up. If the link state is not up, reboot the firewall.
3. Click the link for ethernet1/1 and configure as follows:
Interface Type: Layer3
On the Config tab, assign the interface to the default virtual router.
On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example VM_Series_untrust, and then click OK.
On the IPv4 tab, select either Static or DHCP Client.
If using the Static option, click Add in the IP section, and enter the IP address and network mask for the interface, for example 10.0.0.10/24. Make sure that the IP address matches the ENI IP address that you assigned earlier.
If using DHCP, select DHCP Client; the private IP address that you assigned to the ENI in the AWS management console will be acquired automatically.
4. Click the link for ethernet1/2 and configure as follows:
Interface Type: Layer3
Security Zone: VM_Series_trust
IP address: Select the Static or DHCP Client radio button. For static, click Add in the IP section, and enter the IP address and network mask for the interface. Make sure that the IP address matches the attached ENI IP address that you assigned earlier.
For DHCP, clear the Automatically create default route to default gateway provided by server checkbox. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the Internet gateway on the VPC.
On the application servers within the VPC, use the dataplane network interface of the firewall (ethernet1/2) as the default gateway. In AWS this is done in the route table associated with the private subnet: add a default route (0.0.0.0/0) whose target is the firewall's ethernet1/2 ENI, rather than changing settings on the servers themselves.
Step 10
Create NAT rules to allow inbound and outbound traffic for the servers deployed within the VPC.
1. Select Policies > NAT on the web interface of the firewall.
2. Create a destination NAT rule that translates traffic arriving on the dataplane network interface of the firewall to the address of the web server in the private subnet.
3. Create a source NAT rule for outbound traffic from the web server to the Internet.
Step 11
Create security policies to allow/deny traffic to/from the servers deployed within the VPC.
1. Select Policies > Security on the web interface of the firewall.
2. Click Add, and specify the zones, applications, and logging options that restrict and audit the traffic traversing the firewall.
Step 12
Commit the changes on the firewall.
1. Click Commit.
Step 13
Verify that the VM-Series firewall is securing traffic and that the NAT rules are in effect.
1. Select Monitor > Logs > Traffic on the web interface of the firewall.
2. View the logs to make sure that the applications traversing the network match the security policies you implemented.
Use Case: Secure the EC2 Instances in the AWS Cloud
In this example, the VPC is deployed in the 10.0.0.0/16 network with two /24 subnets: 10.0.0.0/24 and
10.0.1.0/24. The VM-Series firewall will be launched in the 10.0.0.0/24 subnet to which the Internet gateway is
attached. The 10.0.1.0/24 subnet is a private subnet that will host the EC2 instances that need to be secured by
the VM-Series firewall; any server on this private subnet uses NAT for a routable IP address (which is an Elastic
IP address) to access the Internet. Use the Planning Worksheet for the VM-Series in the AWS VPC to plan the
design within your VPC; recording the subnet ranges, network interfaces and the associated IP addresses for the
EC2 instances, and security groups, will make the setup process easier and more efficient.
The following image depicts the logical flow of traffic to/from the web server to the Internet. Traffic to/from
the web server is sent to the data interface of the VM-Series firewall that is attached to the private subnet. The
firewall applies policy and processes incoming/outgoing traffic from/to the Internet Gateway of the VPC. The
image also shows the security groups to which the data interfaces are attached.
Deploy the VM-Series Firewall as a Cloud Gateway
Step 1
Create a new VPC with a public subnet (or select an existing VPC).
1. Log in to the AWS console and select the VPC Dashboard.
2. Verify that you've selected the correct geographic area (AWS region). The VPC will be deployed in the currently selected region.
3. Select Start VPC Wizard, and select VPC with a Single Public Subnet.
In this example, the IP CIDR block for the VPC is 10.0.0.0/16, the VPC name is Cloud DC, the public subnet is 10.0.0.0/24, and the subnet name is Cloud DC Public subnet. You will create a private subnet after creating the VPC.
4. Click Create VPC.
Step 2
Create a private subnet.
Select Subnets, and click Create a Subnet. Fill in the information.
In this example, the Name tag for the subnet is Web/DB Server
Subnet, it is created in the Cloud Datacenter VPC and is assigned a
CIDR block of 10.0.1.0/24.
Step 3
Create a new route table for each subnet.
Although a main route table is automatically created on the VPC, we recommend creating new route tables instead of modifying the default route table. To direct outbound traffic from each subnet, you will add routes to the route table associated with each subnet later in this workflow.
1. Select Route Tables > Create Route Table.
2. Add a Name, for example CloudDC-public-subnet-RT, select the VPC you created in Step 1, and click Yes, Create.
3. Select the route table, click Subnet Associations and select the public subnet.
4. Select Create Route Table.
5. Add a Name, for example CloudDC-private-subnet-RT, select the VPC you created in Step 1, and click Yes, Create.
6. Select the route table, click Subnet Associations and select the private subnet.
Step 4
Create Security Groups to restrict inbound/outbound Internet access to the EC2 instances in the VPC.
A security group admits no inbound traffic unless a rule allows it, so interfaces in different security groups cannot communicate until you add rules that permit it.
Select Security Groups and click the Create Security Group button. In this example, we create three security groups with the following rules for inbound access:
CloudDC-Management specifies the protocols and source IP addresses that can connect to the management interface of the VM-Series firewall. At a minimum you need SSH and HTTPS, and the source should be limited to the addresses your administrators connect from rather than 0.0.0.0/0. In this example, we enable SSH, ICMP, HTTP, and HTTPS on the network interfaces that are attached to this security group. The management interface (eth0/0) of the VM-Series firewall will be assigned to CloudDC-Management.
Public-Server-CloudDC specifies the source IP addresses that can connect over HTTP, FTP, and SSH within the VPC. This group allows traffic from the external network to the firewall, which inspects it before forwarding it to the servers. The dataplane interface eth1/1 of the VM-Series firewall will be assigned to Public-Server-CloudDC.
Private-Server-CloudDC has very limited access. It only allows other EC2 instances on the same subnet to communicate with each other, and with the VM-Series firewall. The dataplane interface eth1/2 of the VM-Series firewall and the application in the private subnet will be attached to this security group.
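The three security groups above, together with the Source/Dest check setting from Step 8 of the launch procedure, are the parts of this design that are easiest to get wrong in the console and hardest to notice afterwards. The following script is an added example, not part of this guide or of Palo Alto Networks' or AWS's software; it audits them the way a practitioner would before handing the environment over. The input dictionaries use the shape of the EC2 DescribeSecurityGroups and DescribeNetworkInterfaces responses (what boto3's describe_security_groups and describe_network_interfaces return), so the same functions can be pointed at live output; the sample data at the bottom is constructed, with 203.0.113.0/24 standing in for the administrators' network and placeholder sg-... IDs.

```python
"""Audit the security groups and dataplane ENIs of a VM-Series deployment.

Added example for this guide; not Palo Alto Networks or AWS code. Inputs
mimic EC2 DescribeSecurityGroups / DescribeNetworkInterfaces responses.
"""
import ipaddress

ANYWHERE = {"0.0.0.0/0", "::/0"}
MGMT_PORTS = (22, 443)   # SSH and HTTPS: the minimum the guide requires on eth0/0


def _covers_port(perm, port):
    """True if an IpPermissions entry admits TCP `port` ("-1" means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _sources(perm):
    """Yield ("cidr", range) or ("group", sg-id) for each source of an ingress entry."""
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield "group", g["GroupId"]


def _within(cidr, net):
    try:
        return ipaddress.ip_network(cidr).subnet_of(net)
    except (TypeError, ValueError):   # mixed IPv4/IPv6 or malformed string
        return False


def audit_management_sg(sg):
    """eth0/0 must accept SSH and HTTPS, and only from named sources."""
    findings = []
    name, perms = sg["GroupName"], sg["IpPermissions"]
    for port in MGMT_PORTS:
        if not any(_covers_port(p, port) for p in perms):
            findings.append(f"{name}: no ingress rule for TCP {port}")
    for p in perms:
        for kind, src in _sources(p):
            if kind == "cidr" and src in ANYWHERE:
                findings.append(f"{name}: management ingress open to {src}")
    return findings


def audit_private_sg(sg, private_cidr):
    """The private-subnet SG may only admit traffic from itself or the private subnet."""
    findings = []
    net = ipaddress.ip_network(private_cidr)
    for p in sg["IpPermissions"]:
        for kind, src in _sources(p):
            if kind == "group" and src == sg["GroupId"]:
                continue
            if kind == "cidr" and _within(src, net):
                continue
            findings.append(f"{sg['GroupName']}: ingress from {src} is outside the private subnet")
    return findings


def audit_dataplane_enis(enis, dataplane_names):
    """Launch Step 8: Source/Dest check must be disabled on every dataplane ENI."""
    return [f"{e['Description']}: Source/Dest check still enabled"
            for e in enis
            if e["Description"] in dataplane_names and e.get("SourceDestCheck", True)]


def audit_all(sgs, enis, private_cidr,
              mgmt_sg="CloudDC-Management", private_sg="Private-Server-CloudDC",
              dataplane=("VM-Series-Untrust", "VM-Series-Trust")):
    return (audit_management_sg(sgs[mgmt_sg])
            + audit_private_sg(sgs[private_sg], private_cidr)
            + audit_dataplane_enis(enis, set(dataplane)))


# Constructed sample data (not captured from a real account).
SAMPLE_SGS = {
    "CloudDC-Management": {
        "GroupId": "sg-0mgmt00000000001", "GroupName": "CloudDC-Management",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ]},
    "Private-Server-CloudDC": {
        "GroupId": "sg-0priv00000000002", "GroupName": "Private-Server-CloudDC",
        "IpPermissions": [
            {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0priv00000000002"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        ]},
}
SAMPLE_ENIS = [
    {"Description": "VM-Series-Untrust", "SourceDestCheck": False},
    {"Description": "VM-Series-Trust", "SourceDestCheck": False},
]

if __name__ == "__main__":
    for line in audit_all(SAMPLE_SGS, SAMPLE_ENIS, "10.0.1.0/24") or ["no findings"]:
        print(line)
```

Public-Server-CloudDC is deliberately not audited for open sources: that group fronts the untrust interface and is expected to admit Internet traffic, which the firewall then inspects. The management group is the one that must never be reachable from 0.0.0.0/0, and the private group is the one that must never admit anything the firewall has not already seen.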
Step 5
Deploy the VM-Series firewall.
See Step 3 in Launch the VM-Series Firewall in AWS.
Only the primary network interface that will serve as the management interface will be attached and configured for the firewall during the initial launch. The network interfaces required for handling data traffic will be added in Step 6.
Step 6. Create and attach virtual network interface(s), referred to as Elastic Network Interfaces (ENIs), to the VM-Series firewall. These ENIs are used for handling data traffic to/from the firewall.
1. On the EC2 Dashboard, select Network Interfaces, and click Create Network Interface.
2. Enter a descriptive name for the interface.
3. Select the subnet. Use the subnet ID to make sure that you have selected the correct subnet. You can only attach an ENI to an instance in the same subnet.
4. Enter the Private IP address that you want to assign to the interface or select Auto-assign to automatically assign an IP address within the available IP addresses in the selected subnet.
5. Select the Security group to control access to the network interface.
6. Click Yes, Create.
In this example, we create two interfaces with the following configuration:
For Eth1/1 (VM-Series-Untrust)
Subnet: 10.0.0.0/24
Private IP: 10.0.0.10
Security group: Public-Server-CloudDC
For Eth1/2 (VM-Series-Trust)
Subnet: 10.0.1.0/24
Private IP: 10.0.1.10
Security group: Private-Server-CloudDC
7. To attach the ENI to the VM-Series firewall, select the interface you just created, and click Attach.
8. Select the Instance ID of the VM-Series firewall, and click Attach.
9. Repeat steps 7 and 8 to attach the other network interface.
Step 7. Create an Elastic IP address and attach it to the firewall dataplane network interface that requires direct Internet access.
In this example, VM-Series_Untrust is assigned an EIP. The EIP associated with the interface is the publicly accessible IP address for the web server in the private subnet.
1. Select Elastic IPs and click Allocate New Address.
2. Select EC2-VPC and click Yes, Allocate.
3. Select the newly allocated EIP and click Associate Address.
4. Select the Network Interface and the Private IP address associated with the interface and click Yes, Associate.
In this example, the EIP is associated with the VM-Series_Untrust network interface (Eth1/1) and its private IP address 10.0.0.10.
Step 8. Disable Source/Destination check on each network interface attached to the VM-Series firewall. Disabling this attribute allows the interface to handle network traffic that is not destined to its IP address.
1. Select the network interface in the Network Interfaces tab.
2. In the Action drop-down, select Change Source/Dest. Check.
3. Click Disabled and Save your changes.
4. Repeat steps 1-3 for additional network interfaces, firewall-1/2 in this example.
Step 9. In the route table associated with the public subnet (from Step 3), add a default route to the Internet gateway for the VPC.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the public subnet.
2. Select the route table, select Routes and click Edit.
3. Add a route to forward packets from this subnet to the Internet gateway. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use the Internet gateway attached to the VPC.
Step 10. In the route table associated with the private subnet, add a default route to send traffic to the VM-Series firewall.
Adding this route enables the forwarding of traffic from the EC2 instances in this private subnet to the VM-Series firewall.
1. From the VPC Dashboard, select Route Tables and find the route table associated with the private subnet.
2. Select the route table, select Routes and click Edit.
3. Add a route to forward packets from this subnet to the VM-Series firewall network interface that resides on the same subnet. In this example, 0.0.0.0/0 indicates that all traffic from/to this subnet will use eni-abf355f2 (ethernet 1/2, which is CloudDC-VM-Series-Trust) on the VM-Series firewall.
For each web or database server deployed on an EC2 instance in the private subnet, you must also add the IP address of the VM-Series firewall as the default gateway.
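Steps 8 through 10 only make sense together: the private subnet's default route hands Internet-bound packets to the firewall's ENI, and that ENI will only accept packets addressed to other hosts once the Source/Dest check is off. The following Python is an added simulation of that interaction (not AWS or Palo Alto Networks code). It assumes the VPC CIDR is 10.0.0.0/16 (the guide shows only the two /24 subnets inside it) and uses a placeholder Internet gateway ID; eni-abf355f2 is the firewall's ethernet 1/2 interface as named in Step 10, and 198.51.100.9 is a constructed Internet host.

```python
"""Route lookup and Source/Dest check simulation for Steps 8 through 10.

Added illustration, not AWS or Palo Alto Networks code.  The VPC CIDR
10.0.0.0/16 is assumed and the Internet gateway ID is a placeholder;
eni-abf355f2 is the firewall's ethernet 1/2 interface from Step 10.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"               # assumed; only the /24 subnets are on the page
IGW_ID = "igw-PLACEHOLDER"             # replace with the VPC's Internet gateway ID
FIREWALL_TRUST_ENI = "eni-abf355f2"    # ethernet 1/2, private IP 10.0.1.10

# Each table lists (destination CIDR, target).  AWS creates the "local" route
# for the VPC CIDR itself; Steps 9 and 10 add the two default routes.
ROUTE_TABLES = {
    "CloudDC-public-subnet-RT": [(VPC_CIDR, "local"), ("0.0.0.0/0", IGW_ID)],
    "CloudDC-private-subnet-RT": [(VPC_CIDR, "local"), ("0.0.0.0/0", FIREWALL_TRUST_ENI)],
}

# Private address of each ENI that can appear as a route target.
ENIS = {FIREWALL_TRUST_ENI: "10.0.1.10"}


def next_hop(table_name, dst_ip):
    """Longest-prefix match, the way a VPC route table resolves a destination."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def eni_passes(eni_id, dst_ip, src_dst_check):
    """With the check enabled the ENI accepts only packets addressed to its own
    IP; with it disabled (Step 8) it also accepts transit packets for the
    firewall to inspect and route."""
    return (not src_dst_check) or dst_ip == ENIS[eni_id]


def private_host_can_reach(dst_ip, src_dst_check=False):
    """Trace a packet sent by an EC2 instance in the private subnet to dst_ip."""
    hop = next_hop("CloudDC-private-subnet-RT", dst_ip)
    if hop == "local":
        return True                    # stays inside the VPC; no firewall ENI in the path
    if hop in ENIS:
        return eni_passes(hop, dst_ip, src_dst_check)
    return hop is not None


if __name__ == "__main__":
    for dst in ("10.0.0.10", "10.0.1.10", "198.51.100.9"):
        print(dst, next_hop("CloudDC-private-subnet-RT", dst),
              "check on:", private_host_can_reach(dst, src_dst_check=True),
              "check off:", private_host_can_reach(dst, src_dst_check=False))
```

The trace for 198.51.100.9 is the one to watch: the route lookup succeeds either way, but the packet is silently dropped at the ENI until the check is disabled, which is why a forgotten Step 8 looks like a routing problem.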
Perform Step 11 through Step 16 on the VM-Series firewall.
Step 11. Configure a new administrative password for the firewall.
An SSH tool such as PuTTY is required to access the CLI on the firewall and change the default administrative password. You cannot access the web interface until you SSH in and change the default password.
1. Use the public IP address you configured on the firewall to SSH into the Command Line Interface (CLI) of the VM-Series firewall.
You will need the private key that you used or created in Launch the VM-Series Firewall in AWS, Step 3-k, to access the CLI.
2. Enter the following command to log in to the firewall:
ssh -i <private_key_name> admin@<public-ip_address>
3. Configure a new password using the following commands and follow the onscreen prompts:
set password
configure
commit
4. Terminate the SSH session.
Step 12. Access the web interface of the VM-Series firewall.
Open a web browser and enter the public IP address or the EIP of the management interface. For example: https://54.183.85.163
Step 13. Activate the licenses on the VM-Series firewall.
See Activate the License.
Step 14. On the VM-Series firewall, configure the dataplane network interfaces on the firewall as Layer 3 interfaces.
1. Select Network > Interfaces > Ethernet.
Before you begin setting up the network interfaces, verify that the Link state for the interface is up. If the link state is not up, reboot the firewall.
2. Click the link for ethernet 1/1 and configure as follows:
- Interface Type: Layer3
- Select the Config tab, assign the interface to the default router.
- On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust, and then click OK.
- Select IPv4, select DHCP Client; the private IP address that you assigned to the network interface in the AWS management console will be acquired automatically.
- On the Advanced > Other Info tab, expand the Management Profile drop-down, and select New Management Profile. Enter a Name for the profile, such as allow_ping, and select Ping from the Permitted Services list, then click OK.
- To save the interface configuration, click OK.
3. Click the link for ethernet 1/2 and configure as follows:
- Interface Type: Layer3
- Select the Config tab, assign the interface to the default router.
- On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust, and then click OK.
- Select IPv4, select DHCP Client.
- On the IPv4 tab, clear the Automatically create default route to default gateway provided by server check box. For an interface that is attached to the private subnet in the VPC, disabling this option ensures that traffic handled by this interface does not flow directly to the IGW on the VPC.
- On the Advanced > Other Info tab, expand the Management Profile drop-down, and select the allow_ping profile you created earlier.
- Click OK to save the interface configuration.
4. Click Commit to save the changes.
Step 15. On the VM-Series firewall, create Destination NAT and Source NAT rules to allow inbound/outbound traffic to/from the applications deployed within the VPC.
1. Select Policies > NAT.
2. Create a Destination NAT rule that steers traffic from the firewall to the web server.
a. Click Add, and enter a name for the rule. For example, NAT2WebServer.
b. In the Original Packet tab, make the following selections:
- Source Zone: untrust (where the traffic originates)
- Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated)
- Source Address: Any
- Destination Address: 10.0.0.10
In the Translated Packet tab, select the Destination Address Translation checkbox and set the Translated Address to 10.0.1.62, which is the private IP address of the web server.
c. Click OK.
3. Create a Source NAT rule to allow outbound traffic from the web server to the Internet.
a. Click Add, and enter a name for the rule. For example, NAT2External.
b. In the Original Packet tab, make the following selections:
- Source Zone: trust (where the traffic originates)
- Destination Zone: untrust (the zone for the firewall dataplane interface with which the EIP for the web server is associated)
- Source Address: Any
- Destination Address: Any
c. In the Translated Packet tab, make the following selections in the Source Address Translation section:
- Translation Type: Dynamic IP and Port
- Address Type: Translated Address
- Translated Address: 10.0.0.10 (the firewall dataplane interface in the untrust zone)
d. Click OK.
4. Click Commit to save the NAT policies.
Step 16. On the VM-Series firewall, create security policies to manage traffic.
1. Select Policies > Security.
In this example, we have four rules: a rule that allows management access to the firewall, a rule to allow inbound traffic to the web server, a third rule to allow Internet access to the web server, and in the last rule we modify the predefined interzone-default rule to log all traffic that is denied.
2. Create a rule to allow management access to the firewall.
a. Click Add and enter a Name for the rule. Verify that the Rule Type is universal.
b. In the Source tab, add untrust as the Source Zone.
c. In the Destination tab, add trust as the Destination Zone.
d. In the Applications tab, Add ping and ssh.
e. In the Actions tab, set the Action to Allow.
f. Click OK.
3. Create a rule to allow inbound traffic to the web server.
a. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
b. In the Source tab, add untrust as the Source Zone.
c. In the Destination tab, add trust as the Destination Zone.
d. In the Applications tab, Add web-browsing.
e. In the Service/URL Category tab, verify that the service is set to application-default.
f. In the Actions tab, set the Action to Allow.
g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
h. Click OK.
4. Create a rule to allow Internet access to the web server.
Instead of entering a static IP address for the web server, use a dynamic address group. Dynamic address groups allow you to create policy that automatically adapts to changes so that you do not need to update the policy when you launch additional web servers in the subnet. For details, see Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC.
a. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
b. In the Source tab, add trust as the Source Zone.
c. In the Source Address section of the Source tab, add 10.0.1.62, the IP address of the web server.
d. In the Destination tab, add untrust as the Destination Zone.
e. In the Service/URL Category tab, verify that the service is set to application-default.
f. In the Actions tab, set the Action to Allow.
g. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
h. Click OK.
5. Edit the interzone-default rule to log all traffic that is denied. This predefined interzone rule is evaluated when no other rule is explicitly defined to match traffic across different zones.
a. Select the interzone-default rule and click Override.
b. In the Actions tab, select Log at session end.
c. Click OK.
6. Review the complete set of security rules defined on the firewall.
7. Click Commit to save the policies.
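To make the interaction between the NAT rules of Step 15 and the security rules of Step 16 concrete, here is an added Python trace (not PAN-OS code) that runs three constructed flows through both rulebases. It encodes the evaluation order the steps rely on: NAT lookup uses pre-NAT zones and addresses, while security policy is matched on the post-NAT destination zone but the pre-NAT addresses, which is why NAT2WebServer names untrust as its destination zone while the inbound security rule names trust for the same flow. Zone lookup is reduced to the subnet that holds an address, the Internet client 198.51.100.9 and a second private host 10.0.1.50 are constructed, and the third flow shows why the outbound rule names only the web server's address rather than the whole trust zone.

```python
"""Trace of the Step 15 NAT rules and Step 16 security rules on sample flows.

Added illustration, not PAN-OS code.  Zone lookup is reduced to "which subnet
holds the address", the rule tables carry only the fields the steps set, and
the addresses 198.51.100.9 (Internet client) and 10.0.1.50 (a second private
host) are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Interface subnets from Step 6 and the zone each was placed in (Step 14).
ZONE_OF_SUBNET = {"10.0.0.0/24": "untrust", "10.0.1.0/24": "trust"}


def zone_for(ip):
    """Zone of the interface whose subnet holds ip; Internet hosts arrive on untrust."""
    addr = ipaddress.ip_address(ip)
    for cidr, zone in ZONE_OF_SUBNET.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "untrust"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    app: str  # App-ID result, e.g. "web-browsing"


# Step 15, in rulebase order.  None means "any".
NAT_RULES = [
    {"name": "NAT2WebServer", "from": "untrust", "to": "untrust",
     "dst": "10.0.0.10", "translated_dst": "10.0.1.62"},
    {"name": "NAT2External", "from": "trust", "to": "untrust",
     "dst": None, "translated_src": "10.0.0.10"},
]

# Step 16, in rulebase order, followed by the two predefined default rules.
SECURITY_RULES = [
    {"name": "mgmt-access", "from": "untrust", "to": "trust", "src": None,
     "apps": {"ping", "ssh"}, "action": "allow"},
    {"name": "inbound-web", "from": "untrust", "to": "trust", "src": None,
     "apps": {"web-browsing"}, "action": "allow"},
    {"name": "web-to-internet", "from": "trust", "to": "untrust",
     "src": "10.0.1.62", "apps": None, "action": "allow"},
    {"name": "intrazone-default", "zones": "same", "action": "allow"},
    {"name": "interzone-default", "zones": "different", "action": "deny",
     "log": True},  # logging enabled in Step 16, item 5
]


def apply_nat(pkt):
    """NAT lookup on pre-NAT zones and addresses; first matching rule wins."""
    src_zone, dst_zone = zone_for(pkt.src_ip), zone_for(pkt.dst_ip)
    for r in NAT_RULES:
        if (r["from"], r["to"]) != (src_zone, dst_zone):
            continue
        if r["dst"] is not None and r["dst"] != pkt.dst_ip:
            continue
        post = Packet(r.get("translated_src", pkt.src_ip),
                      r.get("translated_dst", pkt.dst_ip), pkt.app)
        return r["name"], post
    return None, pkt


def security_lookup(pre, post):
    """Security policy matches the post-NAT destination zone but pre-NAT addresses."""
    src_zone, dst_zone = zone_for(pre.src_ip), zone_for(post.dst_ip)
    for r in SECURITY_RULES:
        if "zones" in r:                       # predefined default rules
            if (r["zones"] == "same") != (src_zone == dst_zone):
                continue
        else:
            if r["from"] != src_zone or r["to"] != dst_zone:
                continue
            if r["src"] is not None and r["src"] != pre.src_ip:
                continue
            if r["apps"] is not None and pre.app not in r["apps"]:
                continue
        return r["name"], r["action"], r.get("log", False)
    raise RuntimeError("a default rule always matches")


def trace(src_ip, dst_ip, app):
    """(NAT rule, post-NAT src, post-NAT dst, security rule, action, logged)."""
    pre = Packet(src_ip, dst_ip, app)
    nat_name, post = apply_nat(pre)
    rule, action, logged = security_lookup(pre, post)
    return nat_name, post.src_ip, post.dst_ip, rule, action, logged


if __name__ == "__main__":
    for flow in [("198.51.100.9", "10.0.0.10", "web-browsing"),   # client to the EIP's private IP
                 ("10.0.1.62", "198.51.100.9", "web-browsing"),   # web server outbound
                 ("10.0.1.50", "198.51.100.9", "web-browsing")]:  # other private host outbound
        print(flow, "->", trace(*flow))
```

The third flow is the least-privilege point: NAT2External translates it like any other trust-to-untrust session, but no security rule admits a source other than 10.0.1.62, so the overridden interzone-default rule denies it and, after Step 16 item 5, logs it.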
Step 17. Verify that the VM-Series firewall is securing traffic.
1. Launch a web browser and enter the IP address for the web server.
2. Log in to the web interface of the VM-Series firewall and verify that you can see the traffic logs for the sessions at Monitor > Logs > Traffic.
Traffic inbound to the web server (arrives at the EC2 instance in the AWS VPC):
Traffic outbound from the web server (EC2 instance in the AWS VPC):
You have successfully deployed the VM-Series firewall as a cloud gateway!
Use Case: Use Dynamic Address Groups to Secure New EC2 Instances within the VPC
In a dynamic environment such as the AWS-VPC where you launch new EC2 instances on demand, the
administrative overhead in managing security policy can be cumbersome. Using Dynamic Address Groups in
security policy allows for agility and prevents disruption in services or gaps in protection.
In this example, we illustrate how you can monitor the VPC and use Dynamic Address Groups in security policy
to discover and secure EC2 instances. As you spin up EC2 instances, the Dynamic Address Group collates the
IP addresses of all instances that match the criteria defined for group membership, and then security policy is
applied for the group. The security policy in this example allows Internet access to all members of the group.
The workflow in the following section assumes that you have created the AWS VPC and deployed the VM-Series firewall and some applications on EC2 instances. For instructions on setting up the VPC for the VM-Series, see Use Case: Secure the EC2 Instances in the AWS Cloud.
Use Dynamic Address Groups in Policy
Step 1. Configure the firewall to monitor the VPC.
1. Select Device > VM Information Sources.
2. Click Add and enter the following information:
a. A Name to identify the VPC that you want to monitor. For example, VPC-CloudDC.
b. Set the Type to AWS VPC.
c. In Source, enter the URI for the VPC. The syntax is ec2.<your_region>.amazonaws.com
d. Add the credentials required for the firewall to digitally sign API calls made to the AWS services. You need the following:
- Access Key ID: Enter the alphanumeric text string that uniquely identifies the user who owns or is authorized to access the AWS account.
- Secret Access Key: Enter the password and confirm your entry.
e. (Optional) Modify the Update interval to a value between 5-600 seconds. By default, the firewall polls every 5 seconds. The API calls are queued and retrieved within every 60 seconds, so updates may take up to 60 seconds plus the configured polling interval.
f. Enter the VPC ID that is displayed on the VPC Dashboard in the AWS management console.
g. Click OK, and Commit the changes.
h. Verify that the connection Status displays as connected.
Step 2. Tag the EC2 instances in the VPC.
A tag is a name-value pair. You can tag the EC2 instances either on the EC2 Dashboard on the AWS management console or using the AWS API or AWS CLI.
For a list of tags that the VM-Series firewall can monitor, see List of Attributes Monitored on the AWS VPC.
In this example, we use the EC2 Dashboard to add the ExternalAccessAllowed tag.
Step 3. Create a dynamic address group on the firewall.
View the tutorial to see a big picture view of the feature.
3. Select Object > Address Groups.
4. Click Add and enter a Name and a Description for the address group.
5. Select Type as Dynamic.
6. Define the match criteria.
a. Click Add Match Criteria, and select the And operator.
b. Select the attributes to filter for or match against. In this example, we select the ExternalAccessAllowed tag that you just created and the subnet ID for the private subnet of the VPC.
7. Click OK.
8. Click Commit.
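The match criteria above are a boolean expression over the attribute strings the firewall registers for each instance IP, in the formats listed under List of Attributes Monitored on the AWS VPC. The following Python is an added illustration of that evaluation (not PAN-OS code): it builds the registered attributes from a constructed instance inventory, applies the And of the tag and the private subnet ID, and then shows a newly launched tagged web server joining the group without any policy change. The subnet and VPC IDs are placeholders, and the tag value "yes" for ExternalAccessAllowed is an assumption, since the guide names only the key.

```python
"""Dynamic address group membership computed from registered instance attributes.

Added illustration, not PAN-OS code.  Attribute string formats follow the
List of Attributes Monitored on the AWS VPC; the inventory, subnet and VPC IDs
are constructed placeholders, and the ExternalAccessAllowed tag value "yes"
is an assumption.
"""

MAX_TAGS = 5                                        # per-instance tag limit from the attribute table
PRIVATE_SUBNET_ID = "subnet-PRIVATE-PLACEHOLDER"    # constructed; use your private subnet ID
PUBLIC_SUBNET_ID = "subnet-PUBLIC-PLACEHOLDER"
VPC_ID = "vpc-PLACEHOLDER"


def registered_attributes(desc):
    """Attribute strings the firewall registers for one instance, built from a
    constructed description dict.  Only the first MAX_TAGS tags are registered."""
    attrs = {
        f"SubnetID.{desc['subnet_id']}",
        f"VpcId.{desc['vpc_id']}",
        f"InstanceState.{desc['state']}",
    }
    for key, value in list(desc["tags"].items())[:MAX_TAGS]:
        attrs.add(f"aws-tag.{key}.{value}")
    return attrs


def matches(attrs, criteria):
    """Evaluate criteria: a bare attribute string, or ("and"|"or"|"not", ...)."""
    if isinstance(criteria, str):
        return criteria in attrs
    op, *operands = criteria
    if op == "and":
        return all(matches(attrs, c) for c in operands)
    if op == "or":
        return any(matches(attrs, c) for c in operands)
    if op == "not":
        return not matches(attrs, operands[0])
    raise ValueError(f"unknown operator {op!r}")


def members(inventory, criteria):
    """Sorted private IPs whose registered attributes satisfy the criteria."""
    return sorted(ip for ip, desc in inventory.items()
                  if matches(registered_attributes(desc), criteria))


def launch(inventory, ip, desc):
    """Return a new inventory with one more instance (simulates an EC2 launch)."""
    grown = dict(inventory)
    grown[ip] = desc
    return grown


# Step 3 match criteria: the tag AND the private subnet ID.
CRITERIA = ("and", "aws-tag.ExternalAccessAllowed.yes", f"SubnetID.{PRIVATE_SUBNET_ID}")

# Constructed inventory keyed by private IP.  10.0.1.62 is the example web server.
INVENTORY = {
    "10.0.1.62": {"subnet_id": PRIVATE_SUBNET_ID, "vpc_id": VPC_ID, "state": "running",
                  "tags": {"Name": "web-1", "ExternalAccessAllowed": "yes"}},
    "10.0.1.70": {"subnet_id": PRIVATE_SUBNET_ID, "vpc_id": VPC_ID, "state": "running",
                  "tags": {"Name": "db-1"}},                                   # untagged: excluded
    "10.0.0.25": {"subnet_id": PUBLIC_SUBNET_ID, "vpc_id": VPC_ID, "state": "running",
                  "tags": {"Name": "bastion", "ExternalAccessAllowed": "yes"}},  # wrong subnet: excluded
}

# A second web server launched later with the same tag.
WEB2 = {"subnet_id": PRIVATE_SUBNET_ID, "vpc_id": VPC_ID, "state": "running",
        "tags": {"Name": "web-2", "ExternalAccessAllowed": "yes"}}

if __name__ == "__main__":
    print(members(INVENTORY, CRITERIA))                              # ['10.0.1.62']
    print(members(launch(INVENTORY, "10.0.1.63", WEB2), CRITERIA))   # ['10.0.1.62', '10.0.1.63']
```

Requiring both the tag and the subnet ID is what keeps a tagged instance in the public subnet out of the group; a tag alone can be set by anyone with write access to the instance, so pairing it with an attribute the instance owner does not control tightens who can opt a host into a permissive rule.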
Step 4. Use the dynamic address group in a security policy.
To create a rule to allow Internet access to any web server that belongs to the dynamic address group called ExternalServerAccess:
1. Select Policies > Security.
2. Click Add and enter a Name for the rule and verify that the Rule Type is universal.
3. In the Source tab, add trust as the Source Zone.
4. In the Source Address section of the Source tab, Add the ExternalServerAccess group you just created.
5. In the Destination tab, add untrust as the Destination Zone.
6. In the Service/URL Category tab, verify that the service is set to application-default.
7. In the Actions tab, set the Action to Allow.
8. In the Profile Settings section of the Actions tab, select Profiles and then attach the default profiles for antivirus, anti-spyware, and vulnerability protection.
9. Click OK.
10. Click Commit.
Step 5. Verify that members of the dynamic address group are populated on the firewall.
1. Select Policies > Security, and select the rule.
2. Select the drop-down arrow next to the address group link, and select Inspect. You can also verify that the match criteria are accurate.
3. Click the more link and verify that the list of registered IP addresses is displayed. Policy will be enforced for all IP addresses that belong to this address group and are displayed here.
List of Attributes Monitored on the AWS VPC
The following attributes (or tag names) are available as match criteria for dynamic address groups.

Attribute                              Format
Architecture                           Architecture.<Architecture string>
Guest OS                               GuestOS.<guest OS name>
Image ID                               ImageId.<ImageId string>
Instance ID                            InstanceId.<InstanceId string>
Instance State                         InstanceState.<instance state>
Instance Type                          InstanceType.<instance type>
Key Name                               KeyName.<KeyName string>
Placement Tenancy, Group Name,         Placement.Tenancy.<string>
Availability Zone                      Placement.GroupName.<string>
                                       Placement.AvailabilityZone.<string>
Private DNS Name                       PrivateDnsName.<Private DNS Name>
Public DNS Name                        PublicDnsName.<Public DNS Name>
Subnet ID                              SubnetID.<subnetID string>
Tag (key, value)                       aws-tag.<key>.<value>
                                       A maximum of 5 of these tags are supported per instance.
VPC ID                                 VpcId.<VpcId string>
Use Case: VM-Series Firewalls as GlobalProtect Gateways in AWS
Securing mobile users from threats and risky applications is often a complex mix of procuring and setting up
the security and IT infrastructure, ensuring bandwidth and uptime requirements in multiple locations around
the globe, all while staying on budget.
The VM-Series firewall in AWS melds the security and IT logistics required to consistently and reliably protect
devices used by mobile users in regions where you do not have a presence. By deploying the VM-Series firewall
in the AWS cloud you can quickly and easily deploy GlobalProtect gateways in any region without the expense
or IT logistics that are typically required to set up this infrastructure using your own resources.
To minimize latency, select AWS regions that are closest to your users, deploy the VM-Series firewalls on EC2
instances and configure the firewalls as GlobalProtect gateways. With this solution, the GlobalProtect gateways
in the AWS cloud enforce security policy for Internet traffic, so there is no need to backhaul that traffic to the
corporate network. Additionally, for access to resources on the corporate network, the VM-Series firewalls in
AWS leverage the LSVPN functionality to establish IPSec tunnels back to the firewall on the corporate network.
For ease of deployment and centralized management of this distributed infrastructure, use Panorama to configure the GlobalProtect components used in this solution. Optionally, to ensure that mobile devices (smartphones and tablets) are safe for use on your network, use the Mobile Security Manager to configure and manage mobile devices.
Components of the GlobalProtect Infrastructure
To block risky applications and protect mobile users from malware, you must set up the GlobalProtect
infrastructure which includes the GlobalProtect portal, the GlobalProtect gateway, and the GlobalProtect app.
Additionally, for access to corporate resources you must set up an IPSec VPN connection between the
VM-Series firewalls in AWS and the firewall in the corporate headquarters using LSVPN (a hub and spoke VPN
deployment).
The GlobalProtect agent/app is installed on each end-user system that is used to access corporate
applications/resources. The agent first connects to the portal to obtain information on the gateways and
then establishes a secure VPN connection to the closest GlobalProtect gateway. The VPN connection
between the end-user system and the gateway ensures data privacy.
The GlobalProtect portal provides the management functions for the GlobalProtect infrastructure. Every
end-user system receives configuration information from the portal, including information about available
gateways as well as any client certificates that may be required to connect to the GlobalProtect gateway(s).
In this use case, the GlobalProtect portal is a hardware-based firewall that is deployed in the corporate
headquarters.
The GlobalProtect gateway delivers mobile threat prevention and policy enforcement based on applications,
users, content, device and device state. In this use case, the VM-Series firewalls in AWS function as the
GlobalProtect gateways. The GlobalProtect gateway scans each user request for malware and other threats,
and if policy allows, sends the request to the Internet or to the corporate network over the IPSec tunnel (to
the LSVPN gateway).
For LSVPN, you must configure the GlobalProtect portal, GlobalProtect gateway for LSVPN (hub), and
GlobalProtect Satellites (spokes).
In this use case, the hardware-based firewall in the corporate office is deployed as the GlobalProtect portal
and the LSVPN gateway. The VM-Series firewalls in AWS are configured to function as GlobalProtect
satellites. The GlobalProtect satellites and gateway are configured to establish an IPSec tunnel that
terminates on the gateway. When a mobile user requests an application or resource that resides on the
corporate network, the VM-Series firewall routes the request over the IPSec tunnel.
Deploy GlobalProtect Gateways in AWS
In order to secure mobile users, in addition to deploying and configuring the GlobalProtect gateways in AWS,
you need to set up the other components required for this integrated solution. The following table includes the
recommended workflow:
Deploy GlobalProtect in AWS
Deploy the VM-Series firewall(s) in AWS.
See Deploy the VM-Series Firewall in AWS.
Configure the GlobalProtect portal. Configure the firewall at the corporate headquarters. In this use case, the firewall is configured as the GlobalProtect portal and the LSVPN gateway.
See Configure the GlobalProtect portal for LSVPN, Configure the portal to authenticate LSVPN satellites, and Configure the GlobalProtect gateway for LSVPN.
Set up a template on Panorama for configuring the VM-Series firewalls in AWS as GlobalProtect gateways and LSVPN satellites. To easily manage this distributed deployment, use Panorama to configure the firewalls in AWS.
Create template(s) on Panorama. Then use the following links to define the configuration in the templates: Configure the firewall as a GlobalProtect gateway, and Prepare the satellite to join the LSVPN.
Create device groups on Panorama to define the network access policies and Internet access rules and apply them to the firewalls in AWS.
See Create device groups.
Apply the templates and the device groups to the VM-Series firewalls in AWS, and verify that the firewalls are configured properly.
Deploy the GlobalProtect client software. Every end-user system requires the GlobalProtect agent or app to connect to the GlobalProtect gateway.
See Deploy the GlobalProtect client software.
(Optional) Set up the GlobalProtect Mobile Security Manager. The Mobile Security Manager allows you to configure and manage mobile devices (smartphones and tablets) for use with corporate applications.
See Set up the Mobile Security Manager.