Easily Deploy Your Palo Alto NGFW with F5 Distributed Cloud Services
Introduction In this article, I will show you how to easily deploy your Palo Alto firewall in a Security Services VPC using F5 Distributed Cloud (XC) Security Service Insertion. Security service insertion from F5 Distributed Cloud Network Connect simplifies the deployment and operation of Palo Alto NGFW security services across hybrid and multi-cloud environments. Deploying security software in the public cloud—especially in multiple public clouds—is more complicated than deploying it in private cloud and on-premises because the virtualized infrastructure is explicitly designed to operate as multiple independent instances, easily leading to instance sprawl and policy skew. SecOps and NetOps teams are struggling to install, configure, and maintain security solutions that work consistently. Key Benefits Automated deployment and repeatable traffic-steering policies. Customers can leverage the same security solution they use in their data centers for the cloud, and easily integrate them with native cloud networking constructs. Gain granular visibility and managed the security posture of applications and network traffic across multiple clouds and networks. Enhanced Firewall Policy is an intent-based network policy supported on the Distributed Cloud Platform. Just like Network Policy, an Enhanced firewall policy can be applied at the site level, and it can use flexible and dynamically abstracted data to make decisions. For example, the tags or labels belonging to a source or destination VPC on a deployed site can be used to allow, deny, or steer traffic. Using the new Enhanced Firewall policy object, network admins can steer the traffic to an external service. Use Cases I am listing six different use cases that can easily be configured in the XC Console to enable traffic steering with our newly released Enhanced firewall policies. This article will highlight the (1) East-West and (4) North-South scenarios below. Application to Application Traffic through PAN (East-West) Application in a Different Site through PAN (Site-to-Site) Application to the Internet through PAN (Egress Traffic) Ingress Traffic from the Internet to an Application (North-South) Ingress Traffic from F5 Distributed Cloud Regional Edge to Application (North-South) Ingress traffic from on-premises to Application (AWS DirectConnect) In addition, different types of traffic can be individually steered to the PAN Firewall, potentially offloading the firewall from having to inspect traffic that can be blocked by Distributed Cloud. L3 traffic between VPCs L7 traffic between VPCs L5 TLS traffic can be decrypted on the TGW site, to securely send decrypted traffic to the firewall for complete inspection and to offload compute intensive SSL operations. Prerequisites The following prerequisites apply: A Distributed Cloud Services Account. If you do not have an account, see Create an Account. An AWS Account. See Required Access Policies for permissions needed to deploy an AWS TGW site. Resources required per node: Minimum 4 vCPUs and 14 GB RAM. There should be no pre-existing Site Local Outside, Site Local Inside, and Workload subnet association when attaching an existing VPC. If Internet Gateway (IGW) is attached with the VPC, at least one of the routes should point to IGW in any route table of the VPC. A Palo Alto Firewall License The steps below are what is required to set up Service Insertion. I will not cover every step, as I will assume most have some experience with VPCs and some related cloud concepts. I will highlight where Distributed Cloud simplifies building this environment and changing traffic policies. Create or use an existing AWS TGW Site Attach Spoke VPC’s Add an External Service Configure Enhanced Firewall Policies F5 Distributed Cloud Console Log In: Select Multi-Cloud Network Connect: Navigate to Manage > Site Management > AWS TGW Sites Click Add AWS TGW Site or Select a TGW Site that has already been built for your organization. Note: At any time, you need additional information, click the Tech Docs link. On this initial page, you need to supply the Metadata Name, Label, and Description. I will cover each additional section in detailed Screenshots. AWS Resources Associate Spoke VPCs Site Network and Security Direct Connect Software Version Advanced Click on Configure under AWS Resources: AWS Resources: AWS Credentials, either select your existing credentials in XC Console or create and store valid AWS Credentials that will be used to configure AWS resources. Region and Services VPC: Select the AWS Region for your TGW Site Either create a new AWS TGW Site or Select an existing AWS TGW Site Transit Gateway Select the Transit Gateway, again this can be a new or existing gateway. Site Node Parameters Select the appropriate AWS Instance Type (t3.xlarge) Click Add Item Configure your Ingress/Egress Gateway Nodes (inside/outside interface) Give the Site Node a Name, Select the Workload Subnet, Subnet of Outside interface, and Subnet for Inside Interface Click Apply You are returned to the previous screen. Enter the Public SSH Key that you will use to access your AWS instances. Worker Nodes and Advertise VIP’s will maintain their default values of Disabled. Click Apply Associate Spoke VPCs Now configure your Spoke VPC’s Click Configure. Supply the appropriate VPC ID you are connecting with labels. Click Apply and continue adding additional VPC’s if needed. Click Apply again as needed. Site Network and Security Under Site Network and Security, you will have to select Configure under both areas, but the settings are all correct. Click Apply Direct Connect Keep default Disabled. Software Version You can choose the latest versions of Software or Specify a specific version if needed. Advanced The only setting in here that needs to be configured is the Latitude and Longitude. Click Save and Exit You have now successfully set up all the requirements to have a functioning TGW site. This uses Enhanced Firewall Policies with the attached VPCs to steer and secure traffic to your Palo Alto NGFW. Add an External Service Navigate in Multi-Cloud Network Connect > Manage > External Services Click Add External Service Supply a Name, Label and Description External Service Provider (Defaults to BIG-IP, a previous article linked below) Select Palo Alto Networks VM on AWS Select Configure Select the AWS instance type for your configuration. Note: Instance types vary by region. More details about AWS instance types available here, and specific Palo Alto VM requirements here. Select the AMI Choice Note: Only Palo Alto AWS bundles 1 and 2 are currently available. Click here for more details. Configure the Public SSH Key Select the AWS Transit Gateway Site created in the steps above. Under AZ Nodes, Select Add Item Give the Service Node a Name, the AWS AZ Name, and the Subnet for Management Interface Note: Click here for information about AWS Availability Zones, the name choices are unique to your AWS Subscription. The subnet and CIDR block for the management interface can be autogenerated by Distributed Cloud, it can be created manually at this step in the process, or you can use an existing subnet. This step determines the IP address that the firewall uses for its lifespan. Click > Apply You will be returned to the previous screen. If you are integrating Panorama, you would do that here. We are not covering that in this article. Select the PA Version. (At the time of this article's publishing only 11.0.0 is available) Click Apply Depending on the configuration, you will either enable or disable HTTPS Management of the firewall, choose the domain name suffix to complete the URL that will be used to access the firewall, and whether the firewall will be available publicly on the Internet or through select locations and networks connected by Distributed Cloud. Click Save and Exit Distributed Cloud now deploys the Palo Alto Firewall instance(s) and builds the Geneve tunnels. Configure Enhanced Firewall Policy This brings us to the final configuration and most powerful feature of Service Insertion. You can manipulate traffic going to the external service in 6 key use case scenarios by making simple changes to F5 XC enhanced firewall policy and reordering rules Here are 5 different policies that were built. Let’s look at one policy and then see how to change it to manipulate traffic. Note that the Enhanced Firewall Policy only controls what traffic goes to the external service, it doesn’t control what happens to the traffic on the external service itself. To see the flexibility provided for building policies, notice the firewall option to set up and control traffic. Select Custom Enhanced Firewall Policy Rule Selection Click Configure In the following screenshots, I will Show all the items in the Source Traffic Filter, the Destination Traffic Filter, the Type of Traffic to Match, and the Action. This rule sends all traffic to the external service in one direction. Because the firewall is stateful and the connection path is symmetric, a corresponding rule to redirect traffic in the reverse direction is not needed. Source Traffic Filter: All Sources Destination Traffic Filter: All Destinations Types of Traffic to Match: Match All Traffic Action: Insert an External Service Source Traffic Filter Destination Traffic Filter Types of Traffic to Match Action Here is where the Distributed Cloud magic happens. Select Insert an External Service. We will select the Palo Alto External Service you created previously. A final and optional step could be to add keys/labels to further restrict the selection criteria for routing and controlling traffic. For example, if the origin site routes traffic for multiple VPC’s, each VPC having its own unique key value, then entering a key here further restricts which VPC the rule applies to, i.e. prod, staging, or dev. Demo In the following video, I use the Distributed Cloud Console to configure an NFV Service, provision an HA pair Palo Alto VM-series, and configure Distributed Cloud to use Panorama to complete the configuration on the firewalls. Closing You now have completed all the steps to integrate your Palo Alto Firewall into F5 Distributed Cloud Network Connect. This enables you to route traffic through or around your Firewall based on the architecture and design of your network. Based on these simple steps, you have granular control over all your traffic and how you handle your traffic across multiple clouds. Related Material F5 Distributed Cloud Platform F5 Distributed Cloud Network Connect F5 Distributed Cloud Security Service Insertion With BIG-IP Advanced WAF Real-World Use Case Simulator Demo VideoOrchestrated Infrastructure Security - Change at the speed of Business - Palo Alto NGFW
Introduction It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working. If you need help setting up SSL Orchestrator for the first time, refer to the Dev/Central article series on Implementing SSL Orchestrator here or the CloudDocs Deployment Guide here. This article focuses on using SSL Orchestrator as a tool to assist with simplifying Change Management processes, procedures and shortening the duration of the entire process. Configuration files of Palo Alto NGFW can be downloaded fromherefrom GitLab. Please forgive me for using SSL and TLS interchangeably in this article. This article is divided into the following high level sections: Create a new Topology to perform testing Monitor Palo Alto statistics – change the weight ratio – check Palo Alto stats again Remove a single Palo Alto device from the Service Perform maintenance on the Palo Alto device Add the Palo Alto device to the new Topology Test functionality with a single client Add the Palo Alto device back to the original Topology Test functionality again Repeat to perform maintenance on the other Palo Alto device Create a new Topology to perform testing A new Topology will be used to safely test the Service after maintenance is performed.The Topology should be similar to the one used for production traffic.This Topology can be re-used in the future. From the BIG-IP Configuration Utility select SSL Orchestrator > Configuration.Click Add under Topologies. Scroll to the bottom of the next screen and click Next. Give it a name, Topology_Staging in this example. Select L2 Inbound as the Topology type then click Save & Next. For the SSL Configurations you can leave the default settings.Click Save & Next at the bottom. Click Save & Next at the bottom of the Services List. Click the Add button under Services Chain List.A new Service Chain is needed so we can remove Palo_Alto1 from the Production Service and add it here. Give the Service Chain a name, Staging_Chain in this example.Click Save at the bottom. Note: The Service will be added to this Service Chain later. Click Save & Next. Click the Add button on the right to add a new rule. For Conditions select Client IP Subnet Match. Enter the Client IP and mask, 10.1.11.52/32 in this example.Click New to add the IP/Subnet. Set the SSL Proxy Action to Intercept. Set the Service Chain to the one created previously. Click OK. Note: This rule is written so that a single client computer (10.1.11.52) will match and can be used for testing. Select Save & Next at the bottom. For the Interception Rule set the Source Address to 10.1.11.52/32.Set the Destination Address/Mask to 10.4.11.0/24.Set the port to 443. Select the VLAN for your Ingress Network and move it to Selected. Set the L7 Profile to Common/http. Click Save & Next. For Log Settings, scroll to the bottom and select Save & Next. Click Deploy. Monitor Palo Alto statistics – change the weight ratio – check Palo Alto statistics again Check the statistics on the Palo Alto NGFW we will be performing maintenance on.It’s “Palo_Alto1” in this example. From the Palo Alto GUI select ACC (Application Command Center). Select Network Activity then Sessions.A time filter can be set on the left, in this case it’s set to the Last Hour. Palo_Alto1 appears to be completely healthy. Change the Weight Ratio Back to the SSL Orchestrator Configuration Utility.Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_PALOALTO in this example. Click the pencil icon to edit the Service. Click the pencil icon to edit the Network Configuration for Palo_Alto2. Set the ratio to 65535 and click Done. Note: Alternately you could disable the Pool Member from LTM > Pools. Click Save & Next at the bottom. Click OK if presented with the following warning. Click Deploy. Click OK when presented with the Success message. Check Palo Alto Statistics Again Check the ACC statistics on “Palo_Alto1”.It should look like the image below, with the number of sessions tapering off until there is zero. Remove a single Palo Alto device from the Service Back to the SSL Orchestrator Configuration Utility.Click SSL Orchestrator > Configuration > Services > then the Service name, ssloS_PALOALTO in this example. Click the pencil icon to edit the Service. Under Network Configuration, delete Palo_Alto1. Click Save & Next at the bottom. Click OK if presented with the following warning. Click Deploy. Click OK when presented with the Success message. Perform maintenance on the Palo Alto device At this point Palo_Alto1 has been removed from the Production Topology and is no longer handling production traffic.Palo_Alto2 is now handling all the production traffic. We can now perform a variety of maintenance tasks on Palo_Alto1 without disrupting production traffic.When done with the task(s) we can then safely test/verify the health of Palo_Alto1 prior to moving it back into production. Some examples of maintenance tasks: ·Perform a software upgrade to a newer version. ·Make policy changes and verify they work as expected. ·Physically move the device. ·Replace a hard drive, fan, and/or power supply. Add the Palo Alto device to the new Topology This will allow us to test its functionality with a single client computer, prior to moving it back to production. From the SSL Orchestrator Configuration Utility click SSL Orchestrator > Configuration > Topologies > sslo_Topology_Staging. Click the pencil icon on the right to edit the Service. Click Add Service. Select the Palo Alto Networks NGFW Inline Layer 2 Service and click Add. Give it a name or leave the default.Click Add under Network Configuration. Set the FROM and TO VLANS to the following and click Done. Click Save at the bottom. Click the Service Chain icon. Click the Staging_Chain. Move the PALO-test Service from Available to Selected and click Save. Click OK. Click Deploy. Click OK. Test functionality with a single client We created a policy with source IP = 10.1.11.52 to use the new Palo Alto Service that we just performed maintenance on. Go to that client computer and verify that everything is still working as expected. As you can see this is the test client with IP 10.1.11.52. The page still loads for one of the web servers. You can view the Certificate and see that it is not the same as the Production Certificate. To ensure that everything is working as expected you can view the ACC statistics on Palo_Alto1, which was the Palo Alto device removed from the Production network. From ACC select Network Activity then Sessions.A time filter can be set on the left. You should see something like the image below, where Sessions and Bytes sent/received are gradually increasing. Add the Palo Alto device back to the original Topology From the SSL Orchestrator GUI select SSL Orchestrator > Configuration > Service Chains. Select the Staging_Chain. Select ssloS_PALO-test on the right and click the left arrow to remove it from Selected. Click Deploy when done. Click OK. Click OK to the Success message. From the SSL Orchestrator Guided Configuration select SSL Orchestrator > Configuration > Services. Select the PALO-test Service and click Delete. Click OK to the Warning. When that is done click the ssloS_PALOALTO Service. Click the Pencil icon to edit the Service. Under Network Configuration click Add. Set the Ratio to the same value as PaloAlto2, 65535 in this example.Set the From and To VLAN the following and click Done. Click Save & Next at the bottom. Click OK. Click Deploy. Click OK. Test functionality again To ensure that everything is working as expected you can view the statistics on Palo_Alto1. From the Palo Alto GUI select ACC (Application Command Center). Select Network Activity then Sessions.A time filter can be set on the left. Palo_Alto1 appears to be completely healthy. Repeat these steps to perform maintenance on the other Palo Alto device (not covered in this guide) Remove a single Palo Alto device from the Service Perform maintenance on the Palo Alto device Add the Palo Alto device to the new Topology Test functionality with a single client Add Palo Alto device back to the original Topology Test functionality again
