In this article, I will show you how to easily deploy your Palo Alto firewall in a Security Services VPC using F5 Distributed Cloud (XC) Security Service Insertion.
Security service insertion from F5 Distributed Cloud Network Connect simplifies the deployment and operation of Palo Alto NGFW security services across hybrid and multi-cloud environments.
Deploying security software in the public cloud—especially in multiple public clouds—is more complicated than deploying it in private cloud and on-premises because the virtualized infrastructure is explicitly designed to operate as multiple independent instances, easily leading to instance sprawl and policy skew. SecOps and NetOps teams are struggling to install, configure, and maintain security solutions that work consistently.
Enhanced Firewall Policy is an intent-based network policy supported on the Distributed Cloud Platform. Just like Network Policy, an Enhanced firewall policy can be applied at the site level, and it can use flexible and dynamically abstracted data to make decisions. For example, the tags or labels belonging to a source or destination VPC on a deployed site can be used to allow, deny, or steer traffic.
Using the new Enhanced Firewall policy object, network admins can steer the traffic to an external service.
I am listing six different use cases that can easily be configured in the XC Console to enable traffic steering with our newly released Enhanced firewall policies. This article will highlight the (1) East-West and (4) North-South scenarios below.
In addition, different types of traffic can be individually steered to the PAN Firewall, potentially offloading the firewall from having to inspect traffic that can be blocked by Distributed Cloud.
The following prerequisites apply:
The steps below are what is required to set up Service Insertion. I will not cover every step, as I will assume most have some experience with VPCs and some related cloud concepts. I will highlight where Distributed Cloud simplifies building this environment and changing traffic policies.
F5 Distributed Cloud Console
Select Multi-Cloud Network Connect:
Navigate to Manage > Site Management > AWS TGW Sites
Click Add AWS TGW Site or Select a TGW Site that has already been built for your organization.
Note: At any time, you need additional information, click the Tech Docs link.
On this initial page, you need to supply the Metadata Name, Label, and Description. I will cover each additional section in detailed Screenshots.
Click on Configure under AWS Resources:
Region and Services VPC:
Site Node Parameters
Click Add Item
You are returned to the previous screen.
Enter the Public SSH Key that you will use to access your AWS instances.
Associate Spoke VPCs
Now configure your Spoke VPC’s
Supply the appropriate VPC ID you are connecting with labels.
Click Apply and continue adding additional VPC’s if needed.
Click Apply again as needed.
Site Network and Security
Under Site Network and Security, you will have to select Configure under both areas, but the settings are all correct. Click Apply
Click Save and Exit
You have now successfully set up all the requirements to have a functioning TGW site. This uses Enhanced Firewall Policies with the attached VPCs to steer and secure traffic to your Palo Alto NGFW.
Add an External Service
Navigate in Multi-Cloud Network Connect > Manage > External Services
Click Add External Service
Supply a Name, Label and Description
Under AZ Nodes, Select Add Item
Give the Service Node a Name, the AWS AZ Name, and the Subnet for Management Interface
Note: Click here for information about AWS Availability Zones, the name choices are unique to your AWS Subscription. The subnet and CIDR block for the management interface can be autogenerated by Distributed Cloud, it can be created manually at this step in the process, or you can use an existing subnet. This step determines the IP address that the firewall uses for its lifespan.
Click > Apply
You will be returned to the previous screen.
If you are integrating Panorama, you would do that here. We are not covering that in this article.
Select the PA Version. (At the time of this article's publishing only 11.0.0 is available)
Depending on the configuration, you will either enable or disable HTTPS Management of the firewall, choose the domain name suffix to complete the URL that will be used to access the firewall, and whether the firewall will be available publicly on the Internet or through select locations and networks connected by Distributed Cloud.
Click Save and Exit
Distributed Cloud now deploys the Palo Alto Firewall instance(s) and builds the Geneve tunnels.
Configure Enhanced Firewall Policy
This brings us to the final configuration and most powerful feature of Service Insertion. You can manipulate traffic going to the external service in 6 key use case scenarios by making simple changes to F5 XC enhanced firewall policy and reordering rules
Here are 5 different policies that were built. Let’s look at one policy and then see how to change it to manipulate traffic. Note that the Enhanced Firewall Policy only controls what traffic goes to the external service, it doesn’t control what happens to the traffic on the external service itself.
To see the flexibility provided for building policies, notice the firewall option to set up and control traffic.
Select Custom Enhanced Firewall Policy Rule Selection
In the following screenshots, I will Show all the items in the Source Traffic Filter, the Destination Traffic Filter, the Type of Traffic to Match, and the Action. This rule sends all traffic to the external service in one direction. Because the firewall is stateful and the connection path is symmetric, a corresponding rule to redirect traffic in the reverse direction is not needed.
Source Traffic Filter: All Sources
Destination Traffic Filter: All Destinations
Types of Traffic to Match: Match All Traffic
Action: Insert an External Service
Source Traffic Filter
Destination Traffic Filter
Types of Traffic to Match
Here is where the Distributed Cloud magic happens.
Select Insert an External Service. We will select the Palo Alto External Service you created previously.
A final and optional step could be to add keys/labels to further restrict the selection criteria for routing and controlling traffic. For example, if the origin site routes traffic for multiple VPC’s, each VPC having its own unique key value, then entering a key here further restricts which VPC the rule applies to, i.e. prod, staging, or dev.
In the following video, I use the Distributed Cloud Console to configure an NFV Service, provision an HA pair Palo Alto VM-series, and configure Distributed Cloud to use Panorama to complete the configuration on the firewalls.
You now have completed all the steps to integrate your Palo Alto Firewall into F5 Distributed Cloud Network Connect. This enables you to route traffic through or around your Firewall based on the architecture and design of your network. Based on these simple steps, you have granular control over all your traffic and how you handle your traffic across multiple clouds.