Easily Deploy Your Palo Alto NGFW with F5 Distributed Cloud Services

Introduction

In this article, I will show you how to easily deploy your Palo Alto firewall in a Security Services VPC using F5 Distributed Cloud (XC) Security Service Insertion.

Security service insertion from F5 Distributed Cloud Network Connect simplifies the deployment and operation of Palo Alto NGFW security services across hybrid and multi-cloud environments.

Deploying security software in the public cloud—especially in multiple public clouds—is more complicated than deploying it in private cloud and on-premises because the virtualized infrastructure is explicitly designed to operate as multiple independent instances, easily leading to instance sprawl and policy skew. SecOps and NetOps teams are struggling to install, configure, and maintain security solutions that work consistently.

Key Benefits

Automated deployment and repeatable traffic-steering policies.
Customers can leverage the same security solution they use in their data centers for the cloud, and easily integrate them with native cloud networking constructs.
Gain granular visibility and managed the security posture of applications and network traffic across multiple clouds and networks.

Enhanced Firewall Policy is an intent-based network policy supported on the Distributed Cloud Platform. Just like Network Policy, an Enhanced firewall policy can be applied at the site level, and it can use flexible and dynamically abstracted data to make decisions. For example, the tags or labels belonging to a source or destination VPC on a deployed site can be used to allow, deny, or steer traffic.

Using the new Enhanced Firewall policy object, network admins can steer the traffic to an external service.

Use Cases

I am listing six different use cases that can easily be configured in the XC Console to enable traffic steering with our newly released Enhanced firewall policies. This article will highlight the (1) East-West and (4) North-South scenarios below.

Application to Application Traffic through PAN (East-West)
Application in a Different Site through PAN (Site-to-Site)
Application to the Internet through PAN (Egress Traffic)
Ingress Traffic from the Internet to an Application (North-South)
Ingress Traffic from F5 Distributed Cloud Regional Edge to Application (North-South)
Ingress traffic from on-premises to Application (AWS DirectConnect)

In addition, different types of traffic can be individually steered to the PAN Firewall, potentially offloading the firewall from having to inspect traffic that can be blocked by Distributed Cloud.

L3 traffic between VPCs
L7 traffic between VPCs
L5 TLS traffic can be decrypted on the TGW site, to securely send decrypted traffic to the firewall for complete inspection and to offload compute intensive SSL operations.

Prerequisites

The following prerequisites apply:

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
An AWS Account. See Required Access Policies for permissions needed to deploy an AWS TGW site.
Resources required per node: Minimum 4 vCPUs and 14 GB RAM.
There should be no pre-existing Site Local Outside, Site Local Inside, and Workload subnet association when attaching an existing VPC.
If Internet Gateway (IGW) is attached with the VPC, at least one of the routes should point to IGW in any route table of the VPC.
A Palo Alto Firewall License

The steps below are what is required to set up Service Insertion. I will not cover every step, as I will assume most have some experience with VPCs and some related cloud concepts. I will highlight where Distributed Cloud simplifies building this environment and changing traffic policies.

Create or use an existing AWS TGW Site
Attach Spoke VPC’s
Add an External Service
Configure Enhanced Firewall Policies

F5 Distributed Cloud Console

Select Multi-Cloud Network Connect:

Navigate to Manage > Site Management > AWS TGW Sites

Click Add AWS TGW Site or Select a TGW Site that has already been built for your organization.

Note: At any time, you need additional information, click the Tech Docs link.

On this initial page, you need to supply the Metadata Name, Label, and Description. I will cover each additional section in detailed Screenshots.

AWS Resources
Associate Spoke VPCs
Site Network and Security
Direct Connect
Software Version
Advanced

Click on Configure under AWS Resources:

AWS Resources:

AWS Credentials, either select your existing credentials in XC Console or create and store valid AWS Credentials that will be used to configure AWS resources.

Region and Services VPC:

Select the AWS Region for your TGW Site
Either create a new AWS TGW Site or Select an existing AWS TGW Site

Transit Gateway

Select the Transit Gateway, again this can be a new or existing gateway.

Site Node Parameters

Select the appropriate AWS Instance Type (t3.xlarge)

Click Add Item

Configure your Ingress/Egress Gateway Nodes (inside/outside interface)
- Give the Site Node a Name, Select the Workload Subnet, Subnet of Outside interface, and Subnet for Inside Interface
- Click Apply

You are returned to the previous screen.

Enter the Public SSH Key that you will use to access your AWS instances.

Worker Nodes and Advertise VIP’s will maintain their default values of Disabled.
Click Apply

Associate Spoke VPCs

Now configure your Spoke VPC’s

Click Configure.

Supply the appropriate VPC ID you are connecting with labels.

Click Apply and continue adding additional VPC’s if needed.

Click Apply again as needed.

Site Network and Security

Under Site Network and Security, you will have to select Configure under both areas, but the settings are all correct. Click Apply

Direct Connect

Keep default Disabled.

Software Version

You can choose the latest versions of Software or Specify a specific version if needed.

Advanced

The only setting in here that needs to be configured is the Latitude and Longitude.

Click Save and Exit

You have now successfully set up all the requirements to have a functioning TGW site. This uses Enhanced Firewall Policies with the attached VPCs to steer and secure traffic to your Palo Alto NGFW.

Add an External Service

Navigate in Multi-Cloud Network Connect > Manage > External Services

Click Add External Service

Supply a Name, Label and Description

External Service Provider (Defaults to BIG-IP, a previous article linked below)
Select Palo Alto Networks VM on AWS
Select Configure

Select the AWS instance type for your configuration.
- Note: Instance types vary by region. More details about AWS instance types available here, and specific Palo Alto VM requirements here.
Select the AMI Choice
- Note: Only Palo Alto AWS bundles 1 and 2 are currently available. Click here for more details.
Configure the Public SSH Key
Select the AWS Transit Gateway Site created in the steps above.

Under AZ Nodes, Select Add Item

Give the Service Node a Name, the AWS AZ Name, and the Subnet for Management Interface

Note: Click here for information about AWS Availability Zones, the name choices are unique to your AWS Subscription. The subnet and CIDR block for the management interface can be autogenerated by Distributed Cloud, it can be created manually at this step in the process, or you can use an existing subnet. This step determines the IP address that the firewall uses for its lifespan.

Click > Apply

You will be returned to the previous screen.

If you are integrating Panorama, you would do that here. We are not covering that in this article.

Select the PA Version. (At the time of this article's publishing only 11.0.0 is available)

Click Apply

Depending on the configuration, you will either enable or disable HTTPS Management of the firewall, choose the domain name suffix to complete the URL that will be used to access the firewall, and whether the firewall will be available publicly on the Internet or through select locations and networks connected by Distributed Cloud.

Click Save and Exit

Distributed Cloud now deploys the Palo Alto Firewall instance(s) and builds the Geneve tunnels.

Configure Enhanced Firewall Policy

This brings us to the final configuration and most powerful feature of Service Insertion. You can manipulate traffic going to the external service in 6 key use case scenarios by making simple changes to F5 XC enhanced firewall policy and reordering rules

Here are 5 different policies that were built. Let’s look at one policy and then see how to change it to manipulate traffic. Note that the Enhanced Firewall Policy only controls what traffic goes to the external service, it doesn’t control what happens to the traffic on the external service itself.

To see the flexibility provided for building policies, notice the firewall option to set up and control traffic.

Select Custom Enhanced Firewall Policy Rule Selection

Click Configure

In the following screenshots, I will Show all the items in the Source Traffic Filter, the Destination Traffic Filter, the Type of Traffic to Match, and the Action. This rule sends all traffic to the external service in one direction. Because the firewall is stateful and the connection path is symmetric, a corresponding rule to redirect traffic in the reverse direction is not needed.

Source Traffic Filter: All Sources
Destination Traffic Filter: All Destinations
Types of Traffic to Match: Match All Traffic
Action: Insert an External Service

Source Traffic Filter

Destination Traffic Filter

Types of Traffic to Match

Action

Here is where the Distributed Cloud magic happens.

Select Insert an External Service. We will select the Palo Alto External Service you created previously.

A final and optional step could be to add keys/labels to further restrict the selection criteria for routing and controlling traffic. For example, if the origin site routes traffic for multiple VPC’s, each VPC having its own unique key value, then entering a key here further restricts which VPC the rule applies to, i.e. prod, staging, or dev.

Demo

In the following video, I use the Distributed Cloud Console to configure an NFV Service, provision an HA pair Palo Alto VM-series, and configure Distributed Cloud to use Panorama to complete the configuration on the firewalls.

Closing

You now have completed all the steps to integrate your Palo Alto Firewall into F5 Distributed Cloud Network Connect. This enables you to route traffic through or around your Firewall based on the architecture and design of your network. Based on these simple steps, you have granular control over all your traffic and how you handle your traffic across multiple clouds.