Deploy Palo Alto Networks Firewall Service

Published April 5, 2023 | Last modified March 20, 2025

Objective

This guide provides instructions on how to insert a Palo Alto Networks VM-Series Firewall as a network functions virtualization (NFV) service in an AWS TGW site. For more information on F5® Distributed Cloud Services Sites, see Site.

Note: This NFV service feature is supported on AWS TGW Site.

Feature Overview

The use case for this feature is large enterprises that are expanding into public clouds and have standardized their operational model around their on-premises security appliance and wish to use the same appliance in the cloud mandated by their SecOps department. F5 Distributed Cloud now allows integration of PAN Next-Generation Firewalls in an AWS TGW Site. It automates and orchestrates the deployment of a PAN firewall with mesh CEs in a services VPC. It provides the ability to define granular traffic steering policies using an enhanced firewall policy, with observability and monitoring.

Traffic Flow

The next sections describe how East-West and North-South traffic is handled using this feature.

East-West Traffic

In this case, the traffic coming from VPC 1 to VPC 2 is steered to the PAN firewall using the enhanced firewall rule with source filter selecting VPC 1 and destination filter as VPC 2 and next-hop as PAN service. This example assumes that the PAN firewall rule is to allow the traffic. The following image shows the topological view for spoke VPCs and services VPC, where the TGW Site and PAN service object are deployed.

Figure: East-West Diagram

In this topology, the spoke VPCs VPC 1 and VPC 2 are identified by vpc-0c62e170f0f70c53 and vpc-08f651b1b229d5eb8 as the VPC IDs. The TGW Site and PAN firewall service are in the services VPC identified by vpc-0298763ff885a0424. And within the services VPC, the TGW Site and PAN firewall instance are connected using Geneve tunnel over the Site's Site Local Interface (SLI). The transit gateway is connected to the TWG Site using Site to Site VPN connection (also known as IPsec tunnels) terminating on the TGW Site's SLI.

The following list presents the sequence for East-West traffic flow (VPC 1 to VPC 2):

Traffic sent from VPC 1 with destination in VPC 2 network first lands on the transit gateway spoke route table.
Spoke route table has default route pointing to VPN connection of TGW site, the traffic is then sent to the TGW Site.
Traffic is received on the TGW Site's SLI is evaluated for the enhanced firewall rules. The matching rule has action Insert PAN service for traffic from VPC 1 to VPC 2. The traffic is then sent to the Site's SLI connected to the PAN firewall instance.
The Site initiates a Geneve tunnel (adds the necessary TLV headers) toward the PAN firewall instance and then traffic is sent to the PAN firewall instance.
The PAN firewall evaluates the traffic against matching rule, determines that the action is to allow the traffic to VPC 2, and sends the traffic to the SLI of TGW Site over the Geneve tunnel.
The TGW Site inspects the received traffic, determines its next-hop as the SLI towards the transit gateway, sends traffic on the tunnel interface towards the TGW.
Traffic will land on the hub TGW route table from where it has route to destination VPC 2.

North-South Traffic

In this case, the traffic coming from the Internet to the Site Local Outside Internet VIP defined through the HTTP load balancer. Whenever such network type is selected on an HTTP load balancer, Distributed Cloud Services orchestrate an Internet facing AWS Network Load balancer. The traffic reaches the AWS network load balancer from where it will select the target group and route it to AWS TGW Site SLO interface. The Site then steers the traffic to the PAN firewall using the enhanced firewall rule with next-hop as PAN service. This example assumes that the PAN firewall rule is to allow the traffic. The following image shows the topological view for spoke VPCs and services VPC, where the TGW Site and PAN service object are deployed.

Figure: North-South Diagram

In this topology, the spoke VPC VPC 2 is identified by VPC ID vpc-08f651b1b229d5eb8. The TGW Site and PAN firewall service are in the services VPC identified by vpc-0298763ff885a0424. Within the services VPC, the TGW Site and PAN firewall instance are connected using Geneve tunnel over the Site's Site Local Interface (SLI). The transit gateway is connected to the TGW Site using IPsec tunnels terminating on the TGW Site's SLI.

The following list presents the sequence for East-West traffic flow (Internet to VPC1):

Traffic sent from the Internet to the AWs Internet VIP lands on the AWS Internet facing network load balancer.
From the load balancer it is routed to the AWS TGW Site SLO Interface.
Traffic received on the TGW Site's SLO is evaluated for the enhanced firewall rule ACL. The rule will have next-hop as PAN firewall Service.
The traffic is then forwarded to the PAN firewall instance over Geneve tunnel.
The PAN firewall evaluates the traffic against matching rule, determines that the action is to allow the traffic to VPC1, and then sends the traffic to the SLI of TGW Site over the Geneve tunnel.
The TGW Site then process the HTTP load balancer traffic and sends the traffic to origin server on VPC 2 over the tunnel interface toward the TGW.
Traffic will land on the hub TGW route table from where it has route to destination VPC 2.

Note: The enhanced firewall rule can be applied using VPC ID or labels that identify the VPCs. Also, the enhanced firewall rules can evaluate traffic received on the TGW Site's Site Local OutSide (SLO) interface for Site-to-Site traffic and steer traffic as per the rule match. For example, traffic from source in a VNet connected to an Azure Site can be sent over the F5 Distributed Global Network to the SLO of the AWS TGW Site and the Site's firewall rules can allow, deny, or steer to the PAN firewall for further processing.

Prerequisites

A Distributed Cloud Services Account. If you do not have an account, see Create an Account.
An AWS TGW site.
A Palo Alto Networks account for managing the firewall.

Create NFV Service Object

In Console, create an NFV service object for the Palo Alto Networks VM-Series Firewall.

Step 1: Navigate to NFV services menu.

In Multi-Cloud Network Connect, select Manage > NFV Services.
Click Add External Service.

Step 2: Configure NFV service object.

In the Name field, enter a name for this new NFV service.
Optionally, click Add Label to group this object with others using a key-value pair.
From the External Service Provider menu, select Palo Alto Networks VM-Series Firewall on AWS.
Click Configure.

Step 3: Configure firewall settings.

From the Instance Type menu, select the instance size for your deployed site.
From the AMI Choice menu, select the Amazon Machine Image (AMI) of your firewall.
Make a choice in the Initial Setup Option menu. For Setup Authorized Public SSH key, enter the public SSH for the user to access the node. For Auto Setup API Access & Users, click Configure:
- Enter user given public and private SSH keys
- In the Private SSH key section, click Configure.
  - For a clear secret, enter it in the Secret field and select Text or Base64 to indicate the format of the secret.
  - For an existing blindfold secret, the existing blindfold secret.
  - For a new blindfold secret, select either a built-in or custom secret, and then enter the secret.
  - Click Apply to save it as the private SSH key.
- Enter the Firewall Admin Username.
- For the Firewall Admin Password, click Configure.
  - For a clear secret, enter it in the Secret field and select Text or Base64 to indicate the format of the secret.
  - For an existing blindfold secret, the existing blindfold secret.
  - For a new blindfold secret, select either a built-in or custom secret, and then enter the secret.
  - Click Apply to save it as the firewall admin password.
- Click Apply to save the auto setup API access and users configuration.
From the AWS Transit Gateway Site menu, select the AWS TGW site from the list displayed.

Step 4: Configure firewall instance.

In the AZ Nodes section, click Add Item.
In the Node Name field, enter the name to use for the service nodes.
From the AWS AZ Name menu, select the availability zone used with the region your AWS TGW site is deployed in.
From the Subnet for Mgmt Interface menu, select how you want to configure the subnet for the management interface. You can select from the following options:
- Autogenerate Subnet: Default option. The system will autogenerate this subnet for you.
- Specify Subnet: You can manually enter the subnet. You can use a New Subnet or Existing Subnet ID.
Click Apply.

Step 5: Optionally, connect firewall to Panorama.

Panorama is used to configure and manage your Palo Alto Networks VM-Series Firewall. You can configure one or more firewall VMs. By default, the firewall does not connect to Panorama. However, you can optionally choose to connect to it.

In the Panorama Connection section, perform the following:
- From the Panorama Connection menu, select Enable connection from firewall to panorama.
- Click Configure.
- In the Server Ipv4 Address field, enter the IP address for the server the firewall will connect to.
- Under the Authentication key for Panorama section, click Configure.
- Configure your secret with Blindfolded Secret or Clear Secret.
- Click Apply.
- Click Apply.
Click Apply to complete firewall configuration.

Step 6: Optionally, set node management based on HTTP.

From the HTTPS Based Management of Nodes menu, enable the HTTPS Based Management option.
Enter a domain suffix in the HTTPS Based Management field. This will be used along with the Node Name set in the previous step to form the management URL for the node.

Note: Ensure that the domain is delegated to F5 Distributed Cloud Services. Default HTTPS port is 443 and Internet access is enabled by default.

From the Access on Site Local Networks menu, select an option for the site local network. The default option is Enable Internet Access. For all other options, click Configure. In the form that appears, configure TLS settings, and then click Apply.

Note: For enabling both the East-West and North-South traffic, configure both inside VIP and outside VIP.

Figure: HTTP Based Node Management Settings

Step 7: Optionally, set node management based on SSH.

From the SSH based management of nodes menu, select Enable SSH access to nodes.
From the Enable SSH access to nodes menu, select an option for the site local network.

Note: It is recommended to use the default option of Enable On Site Local Outside.

Click Add Item.

Figure: SSH Node Management

From the Node Name menu, select the node name to use for management. Click See Suggestions to display a list.
From the SSH Port menu, enter a TCP port number.
Click Apply.
In the Domain Suffix field, enter a suffix value that will be used to generate the node hostname.

Step 8: Save firewall object.

Click Save and Exit.
To verify, navigate to Overview > Security. In the dashboard, under Service Instances section, verify if the columns display the configuration previously set. It may take a few minutes for the items to appear.

Figure: Verify Configuration

Create Enhanced Firewall Policy

An enhanced firewall policy enables you to create network level policies based on VPC tags, VPC IDs, IP, and IP prefix set object. The label selector option can also be used for selecting traffic coming from VPC-level tags, a global network, or interfaces. You can configure the enhanced firewall policy to allow, deny, or forward traffic to an NFV service.

The following steps provide instructions on creating an enhanced firewall policy to forward traffic to the Palo Alto Networks VM-Series Firewall (NFV service):

Step 1: Navigate to Enhanced Firewall Policies.

In Multi-Cloud Network Connect, select Firewall > Enhanced Firewall Policies.
Click Add Enhanced Firewall Policy.
In the Name field, enter a name for the new enhanced firewall policy.
From the Select Enhanced Firewall Policy Rule Type menu, select Custom Enhanced Firewall Policy Rule Selection.
Click Configure.
Click Add Item.

Step 2: Create custom rule.

In the Name field, enter a name for this new rule.
From the Source Traffic Filter menu, select an option to filter on source traffic.
From the Destination Traffic Filter menu, select an option to filter on destination traffic.
From the Select Type of Traffic to Match menu, select the type of traffic to match to this new rule.
From the Action menu, select the action to take if traffic matches to this new rule. For the NFV service, select Insert an External Service.
From the Select External Service menu, select the NFV services object previously created for the firewall.
Click Apply.
Click Apply.

Step 3: Save configuration.

Click Save and Exit.

Add Enhanced Firewall Policy to Site

After each enhanced firewall policy is created, you must add it to your site.

Step 1: Navigate to list of sites.

Navigate to the list of AWS TGW sites.
Find your site and click ....
Click Manage Configuration > Edit Configuration.

Step 2: Add policy to site.

In the Security Configuration section, click Configure.
From the Manage Firewall Policy menu, select Active Enhanced Firewall Policies.
Click Configure.
From the list, select the enhanced firewall policy previously created for the NFV service.
Click Apply.
Click Apply to add the firewall configuration.

Step 3: Save configuration.

Click Save and Exit.

Monitor Firewall Service

This section provides instructions on how to verify your PAN VM NFV service and to monitor instance metrics using F5 Distributed Cloud Console.

Navigate to Multi-Cloud Network Connect > Overview > Security.
Select your PAN VM. This page includes the Dashboard, Top Talkers, and Flow Table tabs. Also provided is basic service details, like vendor and software information and the URL for the management interface. You can also verify with Deployment status set to APPLIED to confirm the PAN VM is successfully deployed. The Active Alerts section provides details on security events, and the Top Sources section provides more information on specific locations interacting with the PAN VM. The Traffic to Service section provides information on data rates flowing into the PAN VM.
To locate the PAN FW instance's management IP, find the value displayed as Panorama URL under the Service Details.

Figure: Dashboard

Toward the bottom of the page select the node instance to see specific metrics.
To log into your Panorama management account, click the link under Management Dashboard. This opens a new tab so that you can log into Panorama.

Access PAN Virtual Machine Instance

You can log into your Panorama management account or use SSH to access the PAN VM instance.

To access the Panorama management account, click the link under the Management Dashboard column.

Accessing the PAN VM instance with SSH requires you to create a TCP load balancer with origin pool pointing to the PAN VM management interface IP. Perform the following to enable SSH access to PAN VM instance:

In the Multi-Cloud App Connect service, navigate to Manage > Load Balancers > TCP Load Balancers.
Click Add TCP Load Balancer.
Enter a name for the load balancer.
Enter a domain name in the Basic Configuration section.
Under Origin Pools, click Add Item.
Create a new origin pool from the origin pools form. Add a name for your new origin pool.
In the Origin Servers section, click Add Item to create a new origin server.
From the Select Type of Origin Server menu, select the Public IP of Origin Server option and then enter the PAN management IP. Click Apply to add the origin server. Click Continue to add the origin pool.
Click Apply.
Click Save and Exit to create the TCP load balancer.
Access the domain in the TCP load balancer with SSH from a terminal.

Note: For more information, see TCP Load Balancer.