SlideShare a Scribd company logo

stackArmor Security MicroSummit - Next Generation Firewalls for AWS

Download as PPTX, PDF
Gaurav "GP" Pal, profile picture
Gaurav "GP" Pal

This document discusses deploying Palo Alto Networks' VM-Series firewalls in AWS environments, emphasizing automation through CloudFormation templates and CloudWatch for scaling and monitoring. Key components include bootstrapping firewalls, auto-scaling groups, and various AWS services to manage security and performance. It outlines the architecture for securing VPCs and managing interconnectivity between different applications and environments.

Technology
1 of 19
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Ed Caswell Consulting Engineer Palo Alto Networks Securing the Public Cloud AWS Deployment Scenarios
in
ELB Interoperability
4 | ©2014, Palo Alto Networks. Confidential and Proprietary. Region 1 Web farm Web farm Internal ELB AZ1 AZ2 External ELB
CloudFormation Template: Automates full use case deployments S3: AWS service where bootstrapping files are stored CloudWatch: Consumes metrics and makes intelligent scale in/out decisions Lambda: Code as a service pushes custom metrics to CloudWatch via XML API Auto Scale Groups (ASG): The firewalls are members of an ASG that scales in/out based on custom metrics PAN-OS Bootstrapping: Automates creation of fully configured firewall PAN-OS API: enables delivery of custom metric to CloudWacth Panorama: Optional but highly recommended to simplify VM-Series management Native AWS and PAN-OS/VM-Series Services Used 5 | © 2015, Palo Alto Networks. Confidential and Proprietary. AWS Services PAN-OS/VM-Series Services
Region 1 AZ1 External ELB AZ2 Internal ELB Web ASG 1 CFT deploys base topology ASG1 2 Initial firewalls are bootstrapped from S3 ASG2 Bootstrapping adds VM-Series firewalls to Panorama Auto Scaling the VM-Series on AWS 6 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Region 1 AZ1 External ELB AZ2 Internal ELB Web ASG ASG1 3 Standard metrics sent to CloudWatch 4 Alarm triggers ASG scale out ASG2 Auto Scaling the VM-Series on AWS 7 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Region 1 AZ1 External ELB AZ2 Internal ELB Web ASG ASG1 5 l function collects PAN-OS metrics via API Custom metrics sent to CloudWatch 6 7 Alarm triggers FW ASG scale events ASG2 Bootstrapping continues to add FWs to Panorama l Function removes FWs from Panorama Auto Scaling the VM-Series on AWS 8 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Region 1 AZ1 IELB VIP 1 IELB VIP 2 AZ2 Web ASG ASG1 ASG2 8 l function monitors for ELB VIP changes IELB VIP 3 9 l function deploys new ASG with NAT rule for new VIP ASG3 IELB VIP 4 ASG4 External ELB Internal ELB Auto Scaling the VM-Series on AWS 9 | © 2016, Palo Alto Networks. Confidential and Proprietary.
InterVPC
Securing one VPC IPSec VPN DC-FW1 DC-FW2 AZ1b Web1-01 Web1-02
AZ1c Securing one VPC AZ1b IPSec VPN DC-FW1 DC-FW2 Web1-01 Web1-02 Web2-01 Web2-02 IPSec VPNs
Securing lots of VPCs DC-FW1 DC-FW2 Marketing App HR App QA Environment Dev Environment
Region Services VPC Subnet 1 Availability Zone 2 Availability Zone 1 Subnet 2 Region Subscribing VPC Subnet 1 Availability Zone 2 Availability Zone 1 Subnet 2
Region Services VPC Subnet 1 Availability Zone 2 Availability Zone 1 Subnet 2
DC-FW1 DC-FW2 Services VPC + Hybrid + Internet Gateway
DC-FW1 DC-FW2 Routing Default route learned via DHCP from IGW on E1/1 Static route defined for enterprise network Redistribution profile shares static routes with BGP peers BGP routes propagated into local route table SNAT on gateway firewall ensure symmetric return
DC-FW1 DC-FW2 More scale
DC-FW1 DC-FW2 LOTS more scale Direct Connect Location Service Provider Links

More Related Content

PPTX
stackArmor - Security MicroSummit - McAfee
Gaurav "GP" Pal
 
PPTX
stackArmor Security MicroSummit - AWS Security with Splunk
Gaurav "GP" Pal
 
PPTX
Strengthening Operations with Splunk and AWS CloudTrail
Alan Williams
 
PPTX
The Serverless Tidal Wave - SwampUP 2018 Keynote
Arun Gupta
 
PPTX
Splunk Cloud
Splunk
 
PPTX
Running Splunk on AWS
Alan Williams
 
PPTX
How Autodesk Leverages Splunk as an Assurance Platform on AWS
Alan Williams
 
PPTX
Using the Force.com Integration APIs
Richard Seroter
 
stackArmor - Security MicroSummit - McAfee
Gaurav "GP" Pal
 
stackArmor Security MicroSummit - AWS Security with Splunk
Gaurav "GP" Pal
 
Strengthening Operations with Splunk and AWS CloudTrail
Alan Williams
 
The Serverless Tidal Wave - SwampUP 2018 Keynote
Arun Gupta
 
Splunk Cloud
Splunk
 
Running Splunk on AWS
Alan Williams
 
How Autodesk Leverages Splunk as an Assurance Platform on AWS
Alan Williams
 
Using the Force.com Integration APIs
Richard Seroter
 

Similar to stackArmor Security MicroSummit - Next Generation Firewalls for AWS (20)

PPTX
AWS Introduction
arconsis
 
PPTX
AWS Introduction
Dimosthenis Botsaris
 
PDF
AWS VPC, ELB, Route53 and CloudFront
Szilveszter Molnár
 
PDF
Aws Architecture Fundamentals
2nd Watch
 
PPTX
AWS Security Architecture - Overview
Sai Kesavamatham
 
PDF
Overview of AWS Building Blocks
Satish Raghavan
 
PDF
[Jun AWS 201] Technical Workshop
Amazon Web Services Korea
 
PPTX
AcademyCloudFoundations_Module_10 (2).pptx
rawwatchtime
 
PPTX
Enterprise grade firewall and ssl termination to ac by will stevens
buildacloud
 
PDF
saa3_wk5.pdf
Michgo1
 
DOC
AWS.doc
RakeshKumarKumar11
 
PDF
Trusted Application Delivery: Achieving Ultimate Security
Weaveworks
 
PPTX
Don't think about the difficulty Let's try to connect easy to IPv6 network w...
Namba Kazuo
 
PDF
AWS BaseCamp: AWS Architecture Fundamentals
Nicole Maus
 
PPTX
Modernizing DevOps
CloudHesive
 
PDF
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
PDF
게임을 위한 Cloud Native on AWS (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
Amazon Web Services Korea
 
PPTX
Understanding Virtual Networking in the Cloud - RightScale Compute 2013
RightScale
 
PPTX
AWS Accelerated Program - Session 2 - Storage Services.pptx
DipaliKulshrestha2
 
PDF
Aws Architecture Fundamentals | Dallas
Nicole Maus
 
AWS Introduction
arconsis
 
AWS Introduction
Dimosthenis Botsaris
 
AWS VPC, ELB, Route53 and CloudFront
Szilveszter Molnár
 
Aws Architecture Fundamentals
2nd Watch
 
AWS Security Architecture - Overview
Sai Kesavamatham
 
Overview of AWS Building Blocks
Satish Raghavan
 
[Jun AWS 201] Technical Workshop
Amazon Web Services Korea
 
AcademyCloudFoundations_Module_10 (2).pptx
rawwatchtime
 
Enterprise grade firewall and ssl termination to ac by will stevens
buildacloud
 
saa3_wk5.pdf
Michgo1
 
AWS.doc
RakeshKumarKumar11
 
Trusted Application Delivery: Achieving Ultimate Security
Weaveworks
 
Don't think about the difficulty Let's try to connect easy to IPv6 network w...
Namba Kazuo
 
AWS BaseCamp: AWS Architecture Fundamentals
Nicole Maus
 
Modernizing DevOps
CloudHesive
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
게임을 위한 Cloud Native on AWS (김일호 솔루션즈 아키텍트, AWS) :: Gaming on AWS 2018
Amazon Web Services Korea
 
Understanding Virtual Networking in the Cloud - RightScale Compute 2013
RightScale
 
AWS Accelerated Program - Session 2 - Storage Services.pptx
DipaliKulshrestha2
 
Aws Architecture Fundamentals | Dallas
Nicole Maus
 
Ad

More from Gaurav "GP" Pal (17)

PPTX
stackArmor - FedRAMP and 800-171 compliant cloud solutions
Gaurav "GP" Pal
 
PPTX
stackArmor - FedRAMP and 800-171 compliant cloud solutions
Gaurav "GP" Pal
 
PDF
stackArmor MicroSummit - Niksun Network Monitoring - DPI
Gaurav "GP" Pal
 
PDF
Magento Hosting on AWS
Gaurav "GP" Pal
 
PDF
Rapid deployment of Sitecore on AWS
Gaurav "GP" Pal
 
PDF
Secured Hosting of PCI DSS Compliant Web Applications on AWS
Gaurav "GP" Pal
 
PDF
Implementing Secure DevOps on Public Cloud Platforms
Gaurav "GP" Pal
 
PDF
FGMC - Managed Data Platform - CloudDC Meetup
Gaurav "GP" Pal
 
PPTX
stackArmor presentation for DevOpsDC ver 4
Gaurav "GP" Pal
 
PDF
AWS Frederick Meetup 07192016
Gaurav "GP" Pal
 
PPTX
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
Gaurav "GP" Pal
 
PPTX
Hosting Tableau on AWS
Gaurav "GP" Pal
 
PDF
AWS Security Best Practices, SaaS and Compliance
Gaurav "GP" Pal
 
PDF
Big Data - Accountability Solutions for Public Sector Programs
Gaurav "GP" Pal
 
PDF
2013 11-06 adopting aws at scale - lessons from the trenches
Gaurav "GP" Pal
 
PDF
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suro
Gaurav "GP" Pal
 
PPTX
Enterprise transformation with cloud computing Jan 2014
Gaurav "GP" Pal
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
Gaurav "GP" Pal
 
stackArmor - FedRAMP and 800-171 compliant cloud solutions
Gaurav "GP" Pal
 
stackArmor MicroSummit - Niksun Network Monitoring - DPI
Gaurav "GP" Pal
 
Magento Hosting on AWS
Gaurav "GP" Pal
 
Rapid deployment of Sitecore on AWS
Gaurav "GP" Pal
 
Secured Hosting of PCI DSS Compliant Web Applications on AWS
Gaurav "GP" Pal
 
Implementing Secure DevOps on Public Cloud Platforms
Gaurav "GP" Pal
 
FGMC - Managed Data Platform - CloudDC Meetup
Gaurav "GP" Pal
 
stackArmor presentation for DevOpsDC ver 4
Gaurav "GP" Pal
 
AWS Frederick Meetup 07192016
Gaurav "GP" Pal
 
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
Gaurav "GP" Pal
 
Hosting Tableau on AWS
Gaurav "GP" Pal
 
AWS Security Best Practices, SaaS and Compliance
Gaurav "GP" Pal
 
Big Data - Accountability Solutions for Public Sector Programs
Gaurav "GP" Pal
 
2013 11-06 adopting aws at scale - lessons from the trenches
Gaurav "GP" Pal
 
DevOps in the Amazon Cloud – Learn from the pioneersNetflix suro
Gaurav "GP" Pal
 
Enterprise transformation with cloud computing Jan 2014
Gaurav "GP" Pal
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Teaching material agriculture food technology
LiaRayya
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Cloud computing and distributed systems.
kkkkkhan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
KodekX | Application Modernization Development
KodekX
 
Approach and Philosophy of On baking technology
30anthuong17
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 

stackArmor Security MicroSummit - Next Generation Firewalls for AWS

  • 1. Ed Caswell Consulting Engineer Palo Alto Networks Securing the Public Cloud AWS Deployment Scenarios
  • 2. in
  • 4. 4 | ©2014, Palo Alto Networks. Confidential and Proprietary. Region 1 Web farm Web farm Internal ELB AZ1 AZ2 External ELB
  • 5. CloudFormation Template: Automates full use case deployments S3: AWS service where bootstrapping files are stored CloudWatch: Consumes metrics and makes intelligent scale in/out decisions Lambda: Code as a service pushes custom metrics to CloudWatch via XML API Auto Scale Groups (ASG): The firewalls are members of an ASG that scales in/out based on custom metrics PAN-OS Bootstrapping: Automates creation of fully configured firewall PAN-OS API: enables delivery of custom metric to CloudWacth Panorama: Optional but highly recommended to simplify VM-Series management Native AWS and PAN-OS/VM-Series Services Used 5 | © 2015, Palo Alto Networks. Confidential and Proprietary. AWS Services PAN-OS/VM-Series Services
  • 6. Region 1 AZ1 External ELB AZ2 Internal ELB Web ASG 1 CFT deploys base topology ASG1 2 Initial firewalls are bootstrapped from S3 ASG2 Bootstrapping adds VM-Series firewalls to Panorama Auto Scaling the VM-Series on AWS 6 | © 2016, Palo Alto Networks. Confidential and Proprietary.
  • 7. Region 1 AZ1 External ELB AZ2 Internal ELB Web ASG ASG1 3 Standard metrics sent to CloudWatch 4 Alarm triggers ASG scale out ASG2 Auto Scaling the VM-Series on AWS 7 | © 2016, Palo Alto Networks. Confidential and Proprietary.
  • 8. Region 1 AZ1 External ELB AZ2 Internal ELB Web ASG ASG1 5 l function collects PAN-OS metrics via API Custom metrics sent to CloudWatch 6 7 Alarm triggers FW ASG scale events ASG2 Bootstrapping continues to add FWs to Panorama l Function removes FWs from Panorama Auto Scaling the VM-Series on AWS 8 | © 2016, Palo Alto Networks. Confidential and Proprietary.
  • 9. Region 1 AZ1 IELB VIP 1 IELB VIP 2 AZ2 Web ASG ASG1 ASG2 8 l function monitors for ELB VIP changes IELB VIP 3 9 l function deploys new ASG with NAT rule for new VIP ASG3 IELB VIP 4 ASG4 External ELB Internal ELB Auto Scaling the VM-Series on AWS 9 | © 2016, Palo Alto Networks. Confidential and Proprietary.
  • 11. Securing one VPC IPSec VPN DC-FW1 DC-FW2 AZ1b Web1-01 Web1-02
  • 12. AZ1c Securing one VPC AZ1b IPSec VPN DC-FW1 DC-FW2 Web1-01 Web1-02 Web2-01 Web2-02 IPSec VPNs
  • 13. Securing lots of VPCs DC-FW1 DC-FW2 Marketing App HR App QA Environment Dev Environment
  • 14. Region Services VPC Subnet 1 Availability Zone 2 Availability Zone 1 Subnet 2 Region Subscribing VPC Subnet 1 Availability Zone 2 Availability Zone 1 Subnet 2
  • 15. Region Services VPC Subnet 1 Availability Zone 2 Availability Zone 1 Subnet 2
  • 16. DC-FW1 DC-FW2 Services VPC + Hybrid + Internet Gateway
  • 17. DC-FW1 DC-FW2 Routing Default route learned via DHCP from IGW on E1/1 Static route defined for enterprise network Redistribution profile shares static routes with BGP peers BGP routes propagated into local route table SNAT on gateway firewall ensure symmetric return
  • 19. DC-FW1 DC-FW2 LOTS more scale Direct Connect Location Service Provider Links

Editor's Notes

  • #14: Too many firewalls to purchase, manage, monitor Too many enforcements points Who’s job to add the FWs to the VPCs?
  • #15: Routing: VM-Series learns default route via DHCP VM-Series redistributes default route into BGP VM-Series shares default route with each VGW via BGP peering Each VGW propagates the default route it learned via BGP into the local route table EC2 instances require no special configuration for routing – just the default GW they learned via DHCP