top of page
Search

Capabilities and limitations of Palo Alto Firewall in AWS

In the previous post, we looked at how we can analyze and filter egress traffic via the dedicated central appliance (Palo Alto Firewall). A set of Firewall VMs was deployed behind the AWS Gateway Load Balancer. The Palo Alto Firewall was intended to solve many different problems for the organization. In the process of the firewall configuration, we faced some limitations and had to find solutions for them, which will be described in this post.


Limitation 1. Configuration synchronization

We have two VMs, deployed in different AZ for high availability, traffic will be forwarded to a random VM, so configurations should be identical.

Palo Alto firewalls support high availability with session and configuration synchronization, but unfortunately today (October 2022, PAN-OS 10.2) it has several limitations:

- AWS supports active/passive HA only.

- On AWS, when you deploy the firewall with the Amazon Elastic Load Balancing service, it does not support HA


Solution. Palo Alto Panorama

We need HA + configuration sync due to requirements and common sense. Nobody wants to repeat the same configuration several times in different VMs. Palo Alto provides a solution for this (that has to be bought separately), called Panorama. It can be used for centralized configuration and visibility. The diagram below shows how it is deployed in the "Egress VPC" (other parts will be discussed later).

Here you can find an instruction on how to add a firewall VM to the Panorama-managed devices. The only thing that needs to be kept in mind, is that versions of Panorama and Firewalls OS should be the same. Unfortunately, the Panorama version in the AWS Marketplace is not up to date, so it should be updated separately (October 2022).


Once you finished with managed devices, you can see that VMs are "In Sync":


You can also see some basic health metrics:


Then you can create policies, objects, and other configurations and push them to the relevant device groups:


Limitation 2. Palo Alto GlobalProtect VPN


Another pair of Palo Alto virtual machines are depicted in the above diagram (VPN VPC) because they can not be configured on the same VMs, that is used for Egress traffic filtering. GlobalProtect is used as a VPN solution to get access to private resources. Instances are deployed in the public subnets because they should be accessible for end-users from the internet, a single endpoint should be exposed for users' convenience, and the deployment should be highly available.


Active/Active HA is not available in AWS, so our choice is Active/Passive.

Here you can find an instruction on how to configure Active/Passive HA for Palo Alto VMs in AWS. When the active peer goes down, the passive peer detects the failure and becomes active. Additionally, it triggers API calls to the AWS infrastructure to move all the data-plane interfaces (ENIs) from the failed peer to itself.


We can see that the Config is Synchronized between VMs: