Autoscale Palo Alto Networks Firewall in AWS Cloud

You can auto-scale the Palo Alto Networks firewall in AWS.

Recently I came across an issue that I observed during Palo Alto firewall auto-scaling in the Asia Pacific region.

Requirements were :
———————————
— Use CloudFormation in AWS – Create Stack
— VPC template to use: classic – version 1.2
— Bootstrap the PA-VM to integrate with Panorama.
— Use a NAT Gateway rather than assigning an EIP to each virtual Palo Alto firewall.
— Region: Asia Pacific South 1 (ap-south-1, Mumbai).

NOTE: This article is not a step-by-step auto-scaling tutorial.

  1. Lambda functions are available in the Asia Pacific region (including Mumbai).
  2. I found some issues with the auto-scaling GitHub repository, version 1.2 (https://github.com/PaloAltoNetworks/aws-elb-autoscaling), provided by Palo Alto Networks when it is used in the Asia Pacific region.
  3. If you use a CloudFormation stack to achieve the task you might come across an error like this:
    (Screenshot: Error_1)

    This happens because the template downloaded from GitHub is missing the region-to-AMI-ID mapping for the region you are deploying in, so the template's lookup of the AMI for that region fails before any instance is launched.

  4. For any auto-scaling in the AP region, you need to modify the template “vpc-classic-v1.2.template” in two places: the AWSRegionArch2AMI mapping and the BucketRegionMap mapping.
  5. The exact changes are shown below (the template uses straight ASCII quotes; the curly quotes some editors insert make the JSON invalid):

    Template from GitHub Repository :
    ———————————————————-

    "AWSRegionArch2AMI" : {
      "us-east-1"        : {"PV64" : "ami-1ccae774", "HVM64" : "ami-1ecae776", "HVMG2" : "ami-8c6b40e4"},
      "us-east-2"        : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-c55673a0", "HVMG2" : "NOT_SUPPORTED"},
      "us-west-2"        : {"PV64" : "ami-ff527ecf", "HVM64" : "ami-e7527ed7", "HVMG2" : "ami-abbe919b"},
      "us-west-1"        : {"PV64" : "ami-d514f291", "HVM64" : "ami-d114f295", "HVMG2" : "ami-f31ffeb7"},
      "eu-west-1"        : {"PV64" : "ami-bf0897c8", "HVM64" : "ami-a10897d6", "HVMG2" : "ami-d5bc24a2"},
      "eu-central-1"     : {"PV64" : "ami-ac221fb1", "HVM64" : "ami-a8221fb5", "HVMG2" : "ami-7cd2ef61"},
      "ap-northeast-1"   : {"PV64" : "ami-27f90e27", "HVM64" : "ami-cbf90ecb", "HVMG2" : "ami-6318e863"},
      "ap-southeast-1"   : {"PV64" : "ami-acd9e8fe", "HVM64" : "ami-68d8e93a", "HVMG2" : "ami-3807376a"},
      "ap-southeast-2"   : {"PV64" : "ami-ff9cecc5", "HVM64" : "ami-fd9cecc7", "HVMG2" : "ami-89790ab3"},
      "sa-east-1"        : {"PV64" : "ami-bb2890a6", "HVM64" : "ami-b52890a8", "HVMG2" : "NOT_SUPPORTED"},
      "cn-north-1"       : {"PV64" : "ami-fa39abc3", "HVM64" : "ami-f239abcb", "HVMG2" : "NOT_SUPPORTED"}
    },

    "BucketRegionMap" : {
      "us-west-2"        : { "Name": "panw-aws-us-west-2" },
      "us-west-1"        : { "Name": "panw-aws-us-west-1" },
      "us-east-1"        : { "Name": "panw-aws-us-east-1" },
      "us-east-2"        : { "Name": "panw-aws-us-east-2" },
      "eu-west-1"        : { "Name": "panw-aws-eu-west-1" },
      "eu-central-1"     : { "Name": "panw-aws-eu-central-1" },
      "ap-northeast-1"   : { "Name": "panw-aws-ap-northeast-1" },
      "ap-northeast-2"   : { "Name": "panw-aws-ap-northeast-2" },
      "ap-southeast-1"   : { "Name": "panw-aws-ap-southeast-1" },
      "ap-southeast-2"   : { "Name": "panw-aws-ap-southeast-2" },
      "sa-east-1"        : { "Name": "panw-aws-sa-east-1" }
    },

    The changes I had to make to get auto-scaling working in the Asia Pacific region (the two "ap-south-1" entries are the additions; everything else is unchanged):
    —————————————————————————————————————————

    "AWSRegionArch2AMI" : {
      "us-east-1"        : {"PV64" : "ami-1ccae774", "HVM64" : "ami-1ecae776", "HVMG2" : "ami-8c6b40e4"},
      "us-east-2"        : {"PV64" : "NOT_SUPPORTED", "HVM64" : "ami-c55673a0", "HVMG2" : "NOT_SUPPORTED"},
      "us-west-2"        : {"PV64" : "ami-ff527ecf", "HVM64" : "ami-e7527ed7", "HVMG2" : "ami-abbe919b"},
      "us-west-1"        : {"PV64" : "ami-d514f291", "HVM64" : "ami-d114f295", "HVMG2" : "ami-f31ffeb7"},
      "eu-west-1"        : {"PV64" : "ami-bf0897c8", "HVM64" : "ami-a10897d6", "HVMG2" : "ami-d5bc24a2"},
      "eu-central-1"     : {"PV64" : "ami-ac221fb1", "HVM64" : "ami-a8221fb5", "HVMG2" : "ami-7cd2ef61"},
      "ap-northeast-1"   : {"PV64" : "ami-27f90e27", "HVM64" : "ami-cbf90ecb", "HVMG2" : "ami-6318e863"},
      "ap-southeast-1"   : {"PV64" : "ami-acd9e8fe", "HVM64" : "ami-68d8e93a", "HVMG2" : "ami-3807376a"},
      "ap-southeast-2"   : {"PV64" : "ami-ff9cecc5", "HVM64" : "ami-fd9cecc7", "HVMG2" : "ami-89790ab3"},
      "ap-south-1"       : {"PV64" : "ami-d4fe86bb", "HVM64" : "ami-2dfc8442", "HVMG2" : "ami-a5fe86ca"},
      "sa-east-1"        : {"PV64" : "ami-bb2890a6", "HVM64" : "ami-b52890a8", "HVMG2" : "NOT_SUPPORTED"},
      "cn-north-1"       : {"PV64" : "ami-fa39abc3", "HVM64" : "ami-f239abcb", "HVMG2" : "NOT_SUPPORTED"}
    },

    "BucketRegionMap" : {
      "us-west-2"        : { "Name": "panw-aws-us-west-2" },
      "us-west-1"        : { "Name": "panw-aws-us-west-1" },
      "us-east-1"        : { "Name": "panw-aws-us-east-1" },
      "us-east-2"        : { "Name": "panw-aws-us-east-2" },
      "eu-west-1"        : { "Name": "panw-aws-eu-west-1" },
      "eu-central-1"     : { "Name": "panw-aws-eu-central-1" },
      "ap-northeast-1"   : { "Name": "panw-aws-ap-northeast-1" },
      "ap-northeast-2"   : { "Name": "panw-aws-ap-northeast-2" },
      "ap-southeast-1"   : { "Name": "panw-aws-ap-southeast-1" },
      "ap-southeast-2"   : { "Name": "panw-aws-ap-southeast-2" },
      "sa-east-1"        : { "Name": "panw-aws-sa-east-1" },
      "ap-south-1"       : { "Name": "panw-aws-ap-south-1" }
    },

  6. Also make sure that the firewall template contains the BucketRegionMap mapping.

    NOTE: The AMI ID you put in the mapping depends on the license type (BYOL or PAYG), the PAN-OS version and the region where it is to be used; an ID copied from another region or license type will not launch.
  7. Another important update concerns bootstrapping the virtual firewall in AWS: in order to get licensing automated, do not follow the procedure of creating a “License.txt” file (as described in the Admin Guide) in the S3 bucket used for bootstrapping. Instead, upload a plain file named “authcodes” to the S3 bucket under the License folder.
  8. After the CloudFormation stack creation succeeds, this is how it looks:
    (Screenshot: Cx Stack Complete)
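Both failures described above (a region missing from the two mappings, and a License.txt file where an authcodes file is expected) can be caught before the stack is created. The script below is an added example, not code from the original post or from the PaloAltoNetworks/aws-elb-autoscaling repository: it loads the mappings the way CloudFormation would look them up and inspects a local copy of the bootstrap package. The function names, the assumed bootstrap folder layout (config/, content/, license/, software/) and the trimmed sample templates are assumptions made for illustration; the ap-south-1 AMI IDs are the ones the post lists.

```python
"""Pre-flight checks before creating the auto-scaling stack (added example)."""
import json
import os
import re
import tempfile

# Old-style (8 hex) and new-style (17 hex) AMI ids.
AMI_ID = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

# Assumed bootstrap package layout; the post only names the License folder.
BOOTSTRAP_DIRS = ("config", "content", "license", "software")


def check_region_mappings(template, region):
    """Return the problems that would make the stack fail in `region`.

    A lookup against a key that is missing from a mapping fails the stack
    before any instance is launched, which is the error the post describes.
    """
    problems = []
    mappings = template.get("Mappings", {})
    ami_map = mappings.get("AWSRegionArch2AMI", {})
    bucket_map = mappings.get("BucketRegionMap", {})

    archs = ami_map.get(region)
    if archs is None:
        problems.append(f"AWSRegionArch2AMI has no entry for {region}")
    else:
        for arch, ami in archs.items():
            if ami != "NOT_SUPPORTED" and not AMI_ID.match(ami):
                problems.append(f"AWSRegionArch2AMI[{region}][{arch}] is not an AMI id: {ami}")
        if archs.get("HVM64", "NOT_SUPPORTED") == "NOT_SUPPORTED":
            problems.append(f"AWSRegionArch2AMI[{region}] offers no HVM64 image")

    bucket = bucket_map.get(region, {}).get("Name")
    if not bucket:
        problems.append(f"BucketRegionMap has no entry for {region}")
    elif bucket != f"panw-aws-{region}":
        # Every entry in the post follows panw-aws-<region>; flag a typo.
        problems.append(f"BucketRegionMap[{region}] does not follow panw-aws-<region>: {bucket}")
    return problems


def check_bootstrap_package(root):
    """Return the problems found in a local copy of the bootstrap bucket."""
    problems = []
    for name in BOOTSTRAP_DIRS:
        if not os.path.isdir(os.path.join(root, name)):
            problems.append(f"missing folder {name}/")
    authcodes = os.path.join(root, "license", "authcodes")
    if not os.path.isfile(authcodes):
        problems.append("license/authcodes is missing")
    elif os.path.getsize(authcodes) == 0:
        problems.append("license/authcodes is empty")
    # The post reports that the License.txt procedure does not automate
    # licensing in this setup; flag the file wherever it sits.
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower() == "license.txt":
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                problems.append(f"{rel} found: use license/authcodes instead")
    return problems


# Constructed samples: the two mappings trimmed to a few regions. The first
# mirrors the repository template (no ap-south-1), the second adds the fix.
REPO_TEMPLATE = json.loads("""{
  "Mappings": {
    "AWSRegionArch2AMI": {
      "ap-southeast-1": {"PV64": "ami-acd9e8fe", "HVM64": "ami-68d8e93a", "HVMG2": "ami-3807376a"},
      "sa-east-1": {"PV64": "ami-bb2890a6", "HVM64": "ami-b52890a8", "HVMG2": "NOT_SUPPORTED"}
    },
    "BucketRegionMap": {
      "ap-southeast-1": {"Name": "panw-aws-ap-southeast-1"},
      "sa-east-1": {"Name": "panw-aws-sa-east-1"}
    }
  }
}""")
FIXED_TEMPLATE = json.loads(json.dumps(REPO_TEMPLATE))  # deep copy
FIXED_TEMPLATE["Mappings"]["AWSRegionArch2AMI"]["ap-south-1"] = {
    "PV64": "ami-d4fe86bb", "HVM64": "ami-2dfc8442", "HVMG2": "ami-a5fe86ca"}
FIXED_TEMPLATE["Mappings"]["BucketRegionMap"]["ap-south-1"] = {"Name": "panw-aws-ap-south-1"}


def make_sample_package(root, license_txt=False):
    """Lay out a constructed bootstrap package under `root` (placeholder content)."""
    for name in BOOTSTRAP_DIRS:
        os.makedirs(os.path.join(root, name), exist_ok=True)
    fname = "License.txt" if license_txt else "authcodes"
    with open(os.path.join(root, "license", fname), "w") as fh:
        fh.write("PLACEHOLDER-AUTHCODE\n")


def run_checks(region="ap-south-1"):
    """Run every check and return the findings keyed by scenario."""
    findings = {
        "repo template": check_region_mappings(REPO_TEMPLATE, region),
        "fixed template": check_region_mappings(FIXED_TEMPLATE, region),
    }
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
        make_sample_package(good)
        make_sample_package(bad, license_txt=True)
        findings["authcodes package"] = check_bootstrap_package(good)
        findings["License.txt package"] = check_bootstrap_package(bad)
    return findings


if __name__ == "__main__":
    for scenario, problems in run_checks().items():
        print(f"{scenario}: {'OK' if not problems else problems}")
```

To run it against the real file, load the template with `json.load(open("vpc-classic-v1.2.template"))` and pass the dict to `check_region_mappings`; if the file contains curly quotes the load itself fails, which is the same defect the JSON parser in CloudFormation would reject.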

Setup KVM on VMWare Workstation

This is something very basic but thought of sharing with beginners.

Here is something that I have tested and works absolutely fine.

  1. KVM is an open-source Type 2 hypervisor installed on Linux machines.

Below is the procedure to set up KVM in a virtual environment (VMware Workstation).
_________________________________________________________________________________

Step 1: Install KVM
terminal# apt-get install qemu-kvm libvirt-bin virtinst bridge-utils cpu-checker
_________________________________________________________________________________
Step 2: Verify the KVM installation
Ideally the output should be:
terminal# kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used
If you come across something like this instead:
INFO : Your CPU does not support KVM extensions
KVM acceleration cannot be used
terminal# ls -l /dev/kvm
ls: cannot access ‘/dev/kvm’: No such file or directory
then the CPU virtualization extensions are not being exposed to the virtual machine. Make the following change on the workstation:
 (Screenshot: Workstation Config)

Start the server again and run “terminal# kvm-ok” once more; it should now report:

INFO : /dev/kvm exists
KVM acceleration can be used
_________________________________________________________________________________
Step 3: Check the libvirtd status. For QEMU/KVM to connect, the libvirt daemon must be active.
terminal# systemctl status libvirtd
If the libvirt daemon is not active, start the service manually with the following command:
terminal# systemctl start libvirtd
_________________________________________________________________________________
Step 4: Getting GUI access. You need to install virt-manager:
terminal# apt-get install virt-manager
To open the GUI:
terminal# virt-manager
This is what the KVM GUI looks like:

(Screenshot: KVM-GUI)

That is all. KVM should work absolutely fine.
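The two outcomes of Step 2 come down to two checks that kvm-ok performs: whether the CPU flags in /proc/cpuinfo include vmx (Intel VT-x) or svm (AMD-V), and whether the /dev/kvm device node exists. The script below is an added example, not part of the original post; it reproduces those checks as functions over text and a boolean so they can be run on a saved copy of /proc/cpuinfo, and says which layer to fix in each case. The function names and the sample cpuinfo lines are constructed for illustration; the workstation setting it refers to is the VMware Workstation option that exposes Intel VT-x/EPT or AMD-V/RVI to the guest, which is the change Step 2 makes.

```python
"""Explain why kvm-ok reports "KVM acceleration cannot be used" (added example)."""
import os
import re
import subprocess

# Matches the "flags : ..." line of /proc/cpuinfo (not "vmx flags : ...").
FLAG_LINE = re.compile(r"^flags\s*:\s*(.*)$", re.MULTILINE)

CANNOT = "KVM acceleration cannot be used"
CAN = "KVM acceleration can be used"


def virt_extension(cpuinfo_text):
    """Return 'vmx' (Intel VT-x), 'svm' (AMD-V) or None from /proc/cpuinfo text."""
    match = FLAG_LINE.search(cpuinfo_text)
    if not match:
        return None
    flags = set(match.group(1).split())
    for ext in ("vmx", "svm"):
        if ext in flags:
            return ext
    return None


def diagnose(cpuinfo_text, device_exists):
    """Mirror kvm-ok's verdict and name the layer that needs fixing.

    Returns (verdict, reason). `device_exists` is whether /dev/kvm is present.
    """
    ext = virt_extension(cpuinfo_text)
    if ext is None:
        # Inside a VMware Workstation guest this means the hypervisor is not
        # passing VT-x/AMD-V through to the VM; installing packages cannot
        # fix it, only the VM's processor settings can.
        return CANNOT, ("CPU exposes neither vmx nor svm: enable Intel VT-x/EPT "
                        "or AMD-V/RVI virtualization in the VM's processor settings")
    if not device_exists:
        # Flags are present but the node is missing: the kvm module is not loaded.
        module = "kvm_intel" if ext == "vmx" else "kvm_amd"
        return CANNOT, f"/dev/kvm missing although {ext} is present: modprobe {module}"
    return CAN, f"{ext} present and /dev/kvm exists"


def libvirtd_active():
    """Step 3 check: True/False from systemctl, or None where systemd is absent."""
    try:
        out = subprocess.run(["systemctl", "is-active", "libvirtd"],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout.strip() == "active"


def diagnose_host():
    """Run the checks against the running machine."""
    with open("/proc/cpuinfo") as fh:
        cpuinfo = fh.read()
    return diagnose(cpuinfo, os.path.exists("/dev/kvm"))


# Constructed /proc/cpuinfo excerpts: a guest without and with VT-x exposed.
CPUINFO_NO_VTX = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ss syscall nx lm constant_tsc\n"
)
CPUINFO_VTX = CPUINFO_NO_VTX.replace("constant_tsc", "constant_tsc vmx")


if __name__ == "__main__":
    for label, text in (("no VT-x", CPUINFO_NO_VTX), ("VT-x", CPUINFO_VTX)):
        print(label, diagnose(text, device_exists=True))
    print("host", diagnose_host(), "libvirtd active:", libvirtd_active())
```

Run it on the guest after each change: the first verdict tells you whether the workstation setting took effect, the second whether the kernel module is loaded, and `libvirtd_active()` covers Step 3 before you open virt-manager.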
Note:
  1. To deploy PA you need to allocate more than 4 GB of RAM.
  2. Also make sure that you configure a bridged network on Ubuntu before installing PA. (I will share the details about this sometime later. This email is just to make you aware of KVM.)
  3. Installing KVM on Kali Linux is a bit tricky as Kali cannot find libvirt-bin in its repository (please stick to Ubuntu Server 14 LTS).