![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/palo-alto-logo-1024x186.png\"){kind=logo}
<\/p>\n<\/p>\n
<\/p>\n
The Palo Alto VM-Series Firewall uses an active\/passive configuration for high availability. In which the active firewall constantly synchronizes its configuration and information about active sessions with a similarly configured passive firewall. There are two options<\/a> for achieving HA on AWS: "Secondary IP Move<\/strong>" and "Dataplane Interface Move<\/strong>".<\/p>\n If the active firewall is unavailable, the passive one becomes active. It also makes API requests to transfer secondary IP addresses from an inaccessible host to itself and updates the routing tables so that traffic is sent to the new active firewall. Switching firewall roles in this method is faster than in "Dataplane Interface Move<\/strong>".<\/p>\n As in the case of "Secondary IP Move<\/strong>", if the passive firewall detects that the active one is no longer available, then it becomes active, but instead of transferring IP addresses, it transfers ENI from the inaccessible firewall to itself.<\/span><\/span><\/span><\/p>\n Since it is planned to use VM Firewall as GlobalProtect<\/strong> to access local resources from outside, and firewalls must be in different AZs, only the "Secondary IP Move<\/strong>" option is suitable, but in this case, it will be the EIP that is associated with the main private IP address.<\/p>\n HA requires at least 4 interfaces on each firewall:<\/p>\n Keep in mind that there is a limit on the maximum number of ENIs attached to an instance, depending on its type and size. Limits can be found here<\/a>. In this case, instances will be used — m5.xlarge<\/strong><\/p><\/blockquote>\n For clarity, the ranges of networks will be formed as follows:<\/p>\n 10.0."firewall_number"+"interface_number".0\/24<\/p><\/blockquote>\n Total we have:<\/p>\n By type, these will be public subnets and isolated\/private (for GlobalProtect they do not need Internet access)<\/p>\n As a result, we have the following scheme:<\/p>\n Let’s go to the "VPC<\/strong>" section and select "Create VPC<\/strong>". We will not use the wizard, we will create the necessary resources ourselves. Specify the name and CIDR, the rest will be left by default.<\/p>\n In the "VPC<\/strong>" tab, find "Internet gateways<\/strong>" and select "Create internet gateway<\/strong>"<\/p>\n Let’s attach the created IGW<\/strong> to our VPC<\/strong><\/p>\n Let’s create the necessary subnets, for this we go to "VPC<\/strong>" -> "Subnets<\/strong>" and select "Create subnet<\/strong>". It is necessary to create 4 subnets in 2 AZs according to the table above<\/p>\n Check the created subnets, their CIDR, and Availability zones<\/p>\n Let’s create 3 routing tables:<\/p>\n To do this, go to "VPC<\/strong>" -> "Route tables<\/strong>" and select "Create route table<\/strong>"<\/p>\n For the "TRUST<\/strong>" zone, we create a separate table, since we will add routes to it on the Transit Gateway<\/strong>.<\/p><\/blockquote>\n Select the routing table "PA-LAB-NETWORK-PUBLIC-RT<\/strong>" go to the "Routes<\/strong>" tab and select "Edit routes<\/strong>" and add a default route on IGW<\/strong><\/p>\n We also associate the routing table with public subnets:<\/p>\n Go to the "Subnet associations<\/strong>" tab and select "Edit subnet associations<\/strong>"<\/p>\n We also associate the table "TRUST-RT<\/strong>" with the networks "TRUST-A<\/strong>" and "TRUST-B<\/strong>"<\/p>\n Now select the "DEFAULT-RT<\/strong>" table and set it as the main table.<\/p>\n Next, we need to create 4 security groups:<\/p>\n For HA, you can leave only the necessary ports, but we will simply allow traffic within the security group.<\/p><\/blockquote>\n To do this, go to "VPC<\/strong>" -> "Security<\/strong>" and select "Create security group<\/strong>". Let’s create 4 security groups with the following rules:<\/p>\n Check the security groups that they belong to the correct VPC and their rules<\/p>\n Let’s create 8 ENIs according to the names of our SGs, associate them with the appropriate security groups, and add a description and a "Name<\/strong>" tag.<\/p>\n Go to "EC2<\/strong>" -> "Network & Security<\/strong>" -> "Network Interfaces<\/strong>" and select "Create network interface<\/strong>"<\/p>\n Check the created interfaces that they belong to the correct VPC, AZ, and subnets<\/p>\n Now we need to create 3 EIPs:<\/p>\n To do this, go to "VPC<\/strong>" -> "Virtual private cloud<\/strong>" -> "Elastic IPs<\/strong>" and select "Allocate Elastic IP address<\/strong>". And add the "Name<\/strong>" tag<\/p>\n Check the generated EIPs<\/p>\n IP addresses "MGMT-A-EIP<\/strong>" and "MGMT-B-EIP<\/strong>" we need to associate with the corresponding interfaces, "GP-PORTAL-IP<\/strong>" — with the interface "GP-UNTRUST-A<\/strong>", it is the instance in AZ A that will be initially active.<\/p>\n For HA mode, you need to create an IAM Policy<\/strong> with the following content:<\/p>\n More information about the required rights can be found here<\/a>.<\/p>\n To do this, go to the "IAM<\/strong>" -> "Access management<\/strong>" -> "Policies<\/strong>" section and select "Create policy<\/strong>", switch from the visual editor to the "JSON<\/strong>" tab, and paste our policy.<\/p>\n We will also create an IAM Role, go to the "IAM<\/strong>" -> "Access management<\/strong>" -> "Roles<\/strong>" section and select "Create role<\/strong>"<\/p>\n And associate the previously created policy.<\/p>\n We will be using the "VM-Series Next-Generation Firewall (BYOL and ELA)<\/strong>" AMI, but before that, you need to subscribe to it in AWS MarketPlace<\/a><\/p>\n After you have subscribed to AMI, if you go to the configuration you can find the AMI ID for your region<\/p>\n Let’s create the first instance for AZ A<\/strong>, specify the AMI ID from the previous step, instance type: m5.xlarge<\/strong>. Be sure to specify the SSH key, if you don’t have one, first create or export it.<\/p>\n Network settings<\/strong><\/p>\n Let’s select our VPC, select any subnet from<\/strong> AZ A<\/strong>, as we will connect network interfaces manually (WebUI bug, you will be shown for manual adding only interfaces that are created in the same zone as the subnet, even though we will not use it directly) and be sure to indicate that we will use the existing security group and leave this field empty.<\/p>\n Next, in the tab "Advanced network configuration<\/strong>" as "Network interface 1<\/strong>" select the "MGMT<\/strong>" interface, do not touch all other settings.<\/p>\n We add 3 more additional interfaces in the following order:<\/p>\n In the tab "Advanced details<\/strong>" we find the item "IAM instance profile<\/strong>" and select the created IAM Role.<\/p>\n In the same way, we create an instance for AZ B<\/strong>.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" The Palo Alto VM-Series Firewall uses an active\/passive configuration for high availability. In which the active firewall constantly synchronizes its configuration and information about active sessions with a similarly configured passive firewall. There are two options for achieving HA on AWS: "Secondary IP Move" and "Dataplane Interface Move". Secondary IP Move If the active … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "Palo Alto VM-Series Firewall: AWS HA Multi AZ for GlobalProtect — Part 1"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[599,1335],"tags":[543,1899,1901,1903,1905],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2419"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2419"}],"version-history":[{"count":6,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2419\/revisions"}],"predecessor-version":[{"id":2462,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2419\/revisions\/2462"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Secondary IP Move<\/h2>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-06-at-20.52.36.png\")
<\/p>\nDataplane Interface Move<\/span><\/span><\/span><\/h2>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-06-at-21.20.18.png\")
<\/p>\n\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-06-at-22.19.58.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-06-at-22.22.28.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/pa-globalprotect-hld.png\")
<\/p>\nAWS Infrastructure<\/h2>\n
VPC<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-14.23.05.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-14.20.40.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-14.24.45.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-14.27.24.png\")
<\/p>\nSubnets<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-18.11.55.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-18.15.59.png\")
<\/p>\nRoute tables<\/h4>\n
\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-16.29.38.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-07-at-16.47.31.png\")
<\/p>\n\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-16.21.32.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-16.30.19.png\")
<\/p>\nSecurity Group<\/h4>\n
\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-19.49.12.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-19.45.30.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-15.48.46.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-20.46.48.png\")
<\/h4>\nENI<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-20.32.36.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-20.32.52.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-20.52.12.png\")
<\/h4>\nEIP<\/h4>\n
\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-20.18.42.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-08-at-20.30.49.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-13.53.27.png\")
<\/p>\nIAM<\/h4>\n
\r\n{\r\n "Version": "2012-10-17",\r\n "Statement": [\r\n {\r\n "Action": [\r\n "ec2:AttachNetworkInterface",\r\n "ec2:DetachNetworkInterface",\r\n "ec2:DescribeInstances",\r\n "ec2:DescribeNetworkInterfaces",\r\n "ec2:AssignPrivateIpAddresses",\r\n "ec2:AssociateAddress",\r\n "ec2:DescribeRouteTables"\r\n ],\r\n "Resource": [\r\n "*"\r\n ],\r\n "Effect": "Allow"\r\n },\r\n {\r\n "Action": [\r\n "ec2:ReplaceRoute"\r\n ],\r\n "Resource": [\r\n "arn:aws:ec2:*:*:route-table\/*"\r\n ],\r\n "Effect": "Allow"\r\n }\r\n ]\r\n}\r\n<\/pre>\n\n
MarketPlace<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-13.45.50.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-13.46.13.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-13.48.23.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-13.50.38.png\")
<\/p>\nEC2 Instance<\/h4>\n
![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-15.24.01.png\")
<\/p>\n![\"\"](\"https:\/\/artem.services\/wp-content\/uploads\/2022\/09\/Screenshot-2022-09-20-at-15.31.33.png\")
<\/p>\n\n