Palo Alto Networks PCNSE – Optional – Installing PaloAlto 8.1 In AWS

April 30, 2023

1. Palo Alto 8.1 Section Intro

Okay, so in this section I will show you how to set up the Palo Alto 8.1 firewall on AWS. I created this section to make sure you are aware of the steps. It’s not much different from what we did for the original AWS install, but it’s a good refresher. There is a different VM size required by 8.1, and it costs a little bit more per hour compared to the 7.1 Palo Alto VMs on AWS. Palo Alto 8.1 was just recently released and includes a lot more features. In 8.0 new platforms were introduced, and I’m going to use this opportunity to talk about 8.0 as well. So 8.0 introduced new platforms: the PA-5200 Series, which provides better, increased performance than the PA-5000. It has three different flavors, the PA-5220, PA-5250 and PA-5260, and this significantly increased platform capacity compared to the 5000 Series. They also introduced the PA-820 and PA-850.

This gives you up to 1.9 gigabits of App-ID and 780 megabits of threat prevention on the PA-850, which has multiple CPU cores and eight gig of memory. They also introduced the PA-220, which gives you the new features available in the 8.0 code. Then 8.1 introduced an additional platform, the PA-220R, which is ruggedized to give customers with rugged environments, like manufacturing and areas where the temperature is high, the ability to run a Palo Alto firewall as well. They also introduced a new one, the PA-5280, which goes up to 68 gigabits of throughput and a session capacity of up to 64 million. So if we compare the platforms, the highest are the PA-7080 and PA-7050.

Quickly, those give you App-ID up to 200 gig, threat prevention up to 100 gig, sessions in the millions, and 200,000 sessions per second. The PA-7050 is a chassis platform that has eight modules; the PA-7080 is also a chassis-based platform. They have the PA-5280, which was just recently introduced with 8.1, and the PA-5260, PA-5250 and PA-5220, the new platforms that got introduced with 8.0, while the PA-5280 got introduced with 8.1. Then you have the PA-5060 and PA-5050, the newly introduced PA-3260, PA-3250 and PA-3220, the previously existing PA-3060, the PA-850, PA-820, PA-500, PA-220R, PA-220 and PA-200. So those are pretty much all the Palo Alto firewall platforms that are available; 8.1 introduces the PA-5280 and the PA-220R. One notable new feature is SaaS application controls, which give you the ability to look at software-as-a-service usage. Streamlined SSL decryption in 8.1 overcomes the challenges of supporting devices that complement the next-generation firewall: now we can decrypt once and share the decrypted traffic with other devices easily.

So they have the ability to decrypt and send the traffic to other devices like network forensics and DLP. For the performance boost, they have new hardware, the PA-3200 Series, introduced with 8.1, which gives you seven times the decryption performance and up to 20 times the decryption session capacity compared with the existing hardware. Then you have the PA-220R, the rugged platform available for customers that have a high-temperature environment and require a ruggedized platform. Then you have the PA-5280, which gives you up to 68 gigabits. Another notable new introduction is that Panorama can now run on both AWS and Azure.

Which is a great thing, because that was something a lot of people were asking for, so that’s now available. If we look at the Amazon instances, we can see it’s not available in AWS but is available in Azure: Palo Alto Panorama. So it’s still not available in AWS, but it’s available in Azure, and with 8.1 they also now offer integration with Google Cloud, so that’s a new thing for 8.1. I’m hoping to cover as many features as I can in the upcoming lectures. If you want to follow along with the next couple of lectures showing how I migrated my AWS environment to 8.1, please follow along; if you don’t think you need that, you can skip to the next section.

2. Provisioning PaloAlto Firewall 8.1 in AWS – Part 1

All righty. So what we’re going to do right now is create a new EC2 instance, and on this EC2 instance we’re going to create a Palo Alto firewall that’s version 8.1. So: Launch Instance, then go to the AWS Marketplace and search for Palo Alto. The Palo Alto VM-Series 8.1 is now available, and they increased the price a little bit, but that’s fine. We’re going to select this. The minimum you can provision is the m3.xlarge; let’s see if there’s any other option available. So m3.xlarge: $0.28 for software and $0.30, so $0.50 per hour, which is not bad. Let me go ahead and continue, and then m3.xlarge. Next, configure instance details: the network is going to be the management network, and for the IP address, auto-assign public IP. No auto-assign? Okay.

So I’m going to auto-assign it. That’s fine. Next, storage: General Purpose or Provisioned IOPS; General Purpose is fine. Next, add tags: I’m not going to add a tag. Next, configure security group: default, unrestricted. Then review. It has m3.xlarge, 4 vCPU, 15 gig of memory, the security group is unrestricted, and the instance details are as shown. Launch; I have that key pair; launch the instance. Under Services > EC2 I see the instances, and this one is running, so let’s let it run and then I’m going to assign it an IP address. If I look at the instance, I see it was assigned the IP address 172.31.1.12. Let me see if I can go to my VPC and see which network that is attached to. Subnets: the management subnet should right now be attached to... let me see the outside route table and its subnet associations, and we’ll see what these routes are; the default gateway is active.

So I’m going to temporarily associate this subnet, via Edit, with the default route table, to make sure this route goes to the internet gateway. What I’m going to do right now is assign it an IP address. Running instances: okay, it’s running. Go to Elastic IPs, Allocate new address, Associate address; we can associate it with the running instance, which has only one IP. Associate. Now I should be able to SSH in with the password, and then put in your new password. So now I should be able to reach it from the internet. Go to Device > Licenses; I basically have the license issued, and it should now be ready to configure.

So I’m going to set this to be the untrust interface: zone config default, and then security zone; we’re going to create a new security zone called untrust. IPv4, IPv6, management: I’m going to choose the management profile, create a new management profile, allow ping, okay? Then IPv4: DHCP client, and this will basically set the default route. This is going to be ethernet1/1. Ethernet1/2 is going to be the trust interface, with the label, user identification and the management profile; we’re going to set the management profile to be user-facing: ping, User-ID, response pages.

We’re going to accept the link state to up, and add the DMZ. The DMZ is also an IPv4 DHCP client; we’re not going to set it to automatically get the default gateway. This is also going to be user-facing. For the DHCP client, do not set the default gateway, because this is not the untrust interface. Commit. Now we’re going to set up the interfaces, right? So we’re going to look at the interfaces.

So basically ethernet0 is the first Ethernet interface and this is the management interface, right? Now we need to set up ethernet1, ethernet2 and ethernet3. We need to go to Network > Network Interfaces and create a network interface. We’re going to call this PA 8.1, 172.31.2.11, create; subnet: we’re going to choose the outside, and that’s unrestricted. Also 172.31.3.11. So I set up the interfaces; let’s attach the interfaces here. Let’s give them a tag, a name, so it’s easy to know: PA 8.1 inside, and where’s the DMZ, PA DMZ. In my EC2 I have the Windows server, and I need to be able to connect to it using RDP. So basically I’m repeating the steps done in previous lectures.

But we’re setting up 8.1, so it’s good. If you want to replace your existing firewall with an 8.1, you can follow the steps that I’m doing. All right, so now attach the interfaces. We’re going to attach the interface here; choose the outside, which is going to go to the running instance. Attach: this is ethernet1, and then this is ethernet2. We’re going to attach ethernet2, which is the second interface, then ethernet3, which is the third interface. Attach this interface. Now let’s go to the instances; you will see in the instance what is currently attached. We have ethernet0 attached, okay, that’s the management. This is the outside, that’s good, attached. And this is the inside, that’s good. The second address, that’s good. That’s all good. I’m not sure why this one picked up 172.31.2.197; I want to change it to 172.31.2.11.

So this interface should be 172.31.2.11. Let me go back to Network Interfaces, then PA inside, then Edit. How do you edit? You can’t edit it because it’s attached; it has to be detached, then I need to edit it. No. So that’s an issue. I probably need to detach the DMZ also, because that’s the third interface, so I’m going to detach that too. I’m going to delete this one and create a new interface here, inside, with 172.31.2.11, unrestricted.

Where did it go? I’m going to give it the name PA 8.1 inside. Ethernet1 is the outside and is attached, right? So the next one you attach to that instance is going to take the next interface down. I should choose the inside interface because that’s my ethernet2, and then the DMZ interface because that’s ethernet3. I need to be able to connect to my server instances. My server is this guy here; let’s see the Ethernet. So we’re all good. But now I want to bring up my domain controller so I can connect to it. That’s 172.31.2.15, and I need to connect to it using RDP. So I’m going to bring that up: launch the instance, start it, Actions > Start.

3. Provisioning PaloAlto Firewall 8.1 in AWS – Part 2

Now I’m going to create the rule so I can NAT into that. I’m going to create a NAT rule to NAT outside RDP to the server. The original packet is coming from untrust to untrust; the destination address should be the interface IP, which is the outside IP, 172.31.25.11. I am going to translate it to a static IP, which is going to be 172.31.2.15. Under service I need to set it to RDP, TCP 3389 to 3389. Now services from the outside are going to be able to RDP into the server. I’m going to go to Security and set up untrust RDP to AD: from untrust, source any, destination zone trust, and the destination IP is going to be the public IP, which is this guy here. The application is going to be ms-rdp, service and URL category any, action allow. In order for my server to be able to reach the outside, I’m going to allow anything from trust to untrust.

I’m going to allow everything right now. Okay, I’m going to commit that, and then basically the test is going to be me just changing the default route to go out through this firewall. It’s easy to revert if we need to. I need to set up this one; let me just make sure here: attached, up. I might need to reboot: restart system. Okay, so it’s restarting. Go ahead and log in again here. It rebooted, maybe because I attached and detached the interface and it wasn’t happy. Okay, so that’s good. If we look at this: IP address 172.31.2.11, all right, and this is 172.31.3.11. Okay, so now what I need to do is go ahead and change my routing. I need to find which interface to use, so let me go back here and find the instance. What’s the interface? Ethernet2, this is the interface ID. Copy that, then go back to VPC, Route Tables, inside routes, Edit, and I’m going to use this interface instead.

Save that; traffic should now route to the inside. Now that that’s the case, I need to change the management interface subnet. Subnets: DMZ, outside, management; the route table, then subnet associations; I need to associate the management as well. Let’s switch it to management. Okay. Then I want to be able to point the public IP address to my firewall. So we’ll go to EC2, then Instances, then Elastic IPs, and disassociate this address. Then we’re going to associate it: choose the instance, then associate it with the outside network interface. Associate. Okay, so now I should be able to RDP into my machine, but I cannot connect to it. I should have allowed management on the outside interface.

All right, let me try again. I want to add another one: is the management something the inside LAN routes? I need to associate it with the management interface and try and see what happens. All right, let’s see the traffic logs and what they show for the destination. What is the NATted IP? The destination IP is 172.31.2.15, so that’s correct. So 172.31.2.15 is not responding. Let me just allow any for now. Networks: this is the default gateway. Okay. All right, so I’m going to get another public IP here, Allocate new address. I’m going to assign it to the public interface, and then we set the public interface to allow management, just temporarily until I troubleshoot the issue. Then Associate address; we’re going to associate it with the network interface PA 8.1 outside, but that’s associated again. Let me make sure I can connect to it. Okay, cool, I can connect to it.

All right, so now what I can do is easily have two IP addresses, which is fine. I can easily release this IP address and assign it to the outside interface. Let me assign this to the AD controller to see why it is stuck in limbo. Instances.

I’m going to assign it to the AD controller. This is the interface; which interface is it? All right: instance, interface ID. So let me assign it to this interface ID: Elastic IP, disassociate, Associate address. Let me try to connect to it. Well, let me see if I am able to, under Monitor > Traffic and Policies: NAT RDP to server, untrust from trust, outside IP, RDP service. That’s an issue: the translation address. Okay, I’m going to go to VPC; let me open VPC in a different tab here, then Route Tables, inside routes: we have this interface attached, subnet association, that’s correct. All right. And I can ping it. Okay, so there’s one issue here that always becomes a pain point: when you attach an interface, you have to make sure that it allows promiscuous traffic. PA inside, then Actions > Change Source/Dest. Check.

Disable the destination check. I bet this is the reason why. PA outside: also change Source/Dest. Check. And the domain controller: we also have to make sure that’s set up; it should have been set up already with .15. Okay. So I’m going to detach that IP. There you go. So am I connected now? Yes. So I should be connected now. All right, so that’s that. I’m connected. So now I should be able to detach the management interface from the management network, remove it and put it in the regular network. We’ll go to VPC, then Subnets, then the management subnet’s route table; we’re going to change the route table to be inside LAN, and if that’s the case I should now be able to access it. I probably need to do the same thing with the management network interface: I’m going to change this to disable the source/destination check, and I’m able to access it from here. So that basically allows me to connect to the RDP server and manage the firewall.
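The source/destination check and the route-table plumbing above are the two things that quietly break this setup, so here is an added offline audit (my example, not part of the lecture) over constructed data shaped like `aws ec2 describe-network-interfaces` and `describe-route-tables` output; the instance, ENI and route-table ids are placeholders, and the private IPs reuse the lecture’s addresses.

```python
"""Added audit for the AWS side of the VM-Series setup (not part of the lecture).
Every ENI attached to the firewall must have SourceDestCheck disabled, otherwise
EC2 drops the packets the firewall forwards for other hosts, and any route that
targets an ENI should target one of the firewall's own interfaces.
Data below is constructed in the shape of `aws ec2 describe-network-interfaces`
and `describe-route-tables` output; ids are placeholders, IPs follow the lecture."""

FIREWALL_INSTANCE = "i-0fw81-placeholder"  # constructed id for the PA 8.1 instance

NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0mgmt", "Description": "PA 8.1 management",
     "PrivateIpAddress": "172.31.1.12", "SourceDestCheck": True,
     "Attachment": {"InstanceId": FIREWALL_INSTANCE, "DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-0outside", "Description": "PA 8.1 outside",
     "PrivateIpAddress": "172.31.25.11", "SourceDestCheck": False,
     "Attachment": {"InstanceId": FIREWALL_INSTANCE, "DeviceIndex": 1}},
    {"NetworkInterfaceId": "eni-0inside", "Description": "PA 8.1 inside",
     "PrivateIpAddress": "172.31.2.11", "SourceDestCheck": True,  # the pain point
     "Attachment": {"InstanceId": FIREWALL_INSTANCE, "DeviceIndex": 2}},
    {"NetworkInterfaceId": "eni-0dmz", "Description": "PA 8.1 DMZ",
     "PrivateIpAddress": "172.31.3.11", "SourceDestCheck": False,
     "Attachment": {"InstanceId": FIREWALL_INSTANCE, "DeviceIndex": 3}},
    {"NetworkInterfaceId": "eni-0ad", "Description": "AD server (not a firewall)",
     "PrivateIpAddress": "172.31.2.15", "SourceDestCheck": True,
     "Attachment": {"InstanceId": "i-0ad-placeholder", "DeviceIndex": 0}},
]

ROUTE_TABLES = [
    {"RouteTableId": "rtb-inside", "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0inside"}]},
    {"RouteTableId": "rtb-outside", "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    # Stale entry still pointing at the ENI of the old 7.1 firewall.
    {"RouteTableId": "rtb-stale", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0old71"}]},
]

def firewall_enis(interfaces, instance_id):
    """Map ENI id -> ENI record for every interface attached to the firewall."""
    return {eni["NetworkInterfaceId"]: eni for eni in interfaces
            if eni.get("Attachment", {}).get("InstanceId") == instance_id}

def audit(interfaces, route_tables, instance_id):
    """Return sorted findings; an empty list means the plumbing is clean."""
    fw = firewall_enis(interfaces, instance_id)
    findings = []
    for eni_id, eni in fw.items():
        if eni["SourceDestCheck"]:  # the lecture disables it on management too
            findings.append(f"{eni_id} ({eni['Description']}): SourceDestCheck "
                            "enabled; EC2 drops traffic forwarded through this ENI")
    for rtb in route_tables:
        for route in rtb["Routes"]:
            target = route.get("NetworkInterfaceId")
            if target and target not in fw:
                findings.append(f"{rtb['RouteTableId']} {route['DestinationCidrBlock']} "
                                f"-> {target}: targets an ENI not attached to the firewall")
    return sorted(findings)

if __name__ == "__main__":
    for line in audit(NETWORK_INTERFACES, ROUTE_TABLES, FIREWALL_INSTANCE):
        print(line)
```

Against real accounts, feed the script the JSON from the two CLI calls instead of the constructed lists; the checks are the same ones the lecture works through by hand.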

Because now I’m able to manage the firewall from the RDP server, I don’t need to have the outside interface with management enabled. So I can change the management profile: I’ll change the management profile, remove HTTPS and SSH, and then commit that. So now the next step I have to do is register this Palo Alto firewall so I can get support, well, the typical stuff, right? So we’re just going to license it and make sure we register it. Then we’re going to go to Dynamic Updates and check the dynamic updates; there’s nothing there yet, so I’m going to add the DNS server. All right, so let’s see now if it’s acting differently. I’m still not getting through. Virtual Router, routes, static routes.

I’m going to point a static route for the management network out interface ethernet1/2, with next hop 172.31.2.1. There you go, now it’s pinging. Okay, so I needed to go directly to the default gateway. So now we should be able to update: show session all filter. Okay, now it’s working. All right, so checking for new updates, we’re going to basically schedule hourly, action download and install, five minutes after the hour. I’m going to basically set everything to update all the time. GlobalProtect Clientless VPN I’m also going to set to update hourly, six minutes after the hour.

Download and install WildFire and the GlobalProtect Data File also hourly, seven minutes after the hour, or every 15 minutes. Then commit that. I’m going to check and see if there’s any software update. Check Now: 8.1.0. Okay, so 8.1.0; there’s no update after 8.1.0, it’s still brand new. All right, so basically that’s how 8.1 is set up, and we’ll take a look and see what’s new.
