Palo Alto Networks VM-Series ML-NGFW is the industry-leading virtualized security platform to protect applications and data with next-generation security features in Google Cloud. In this build, VM-Series firewalls are deployed to secure north/south traffic for a single VPC network. This build also provides guidance on how to leverage network tags to steer traffic to specific internal TCP/UDP load balancers that frontend VM-Series firewalls. Network tags have a variety of use-cases, including:
- Prevention of cross-region traffic flows.
- Isolation of egress traffic between development and production environments.
- Creation of “swimming-lanes” to distribute traffic to different sets of load balanced firewalls.
This lab specifically focuses on leveraging network tags to isolate regional traffic flows for a global VPC network.
- Secure north-south traffic for a multi-region VPC network (us-east & us-west) with regionally distributed VM-Series firewalls.
- Use internal TCP/UDP load balancers to distribute traffic to each pair of VM-Series firewalls.
- Leverage network tags to prevent cross-region traffic flows.
- Modify network tags on an internal Google compute resource to change which firewall pair handles the instance’s outbound traffic.
The diagram below shows the topology of the lab. Everything depicted in the diagram is built through Terraform, including the local configuration of the compute resources.
There are 3 VPC networks (management, untrust, and trust) with subnets that span across two regions in Google Cloud (us-east4 and us-west2). Two network tags (us-east4-fw and us-west2-fw) are applied to the custom default routes in the trust VPC network. The network tags are also applied to the private VM instances in each region (US-EAST4-VM and US-WEST2-VM). The network tags make the custom routes applicable only to the instances that use the same network tag. The table below describes the purpose of each VPC network in more detail.
Table 1. VPC Network Description
VPC Network | Description |
Management | The management VPC is used only to host the VM-Series management interfaces. The management interfaces are used to access the VM-Series user interface and terminal console. |
Untrust | The untrust VPC network contains a dataplane interface from each VM-Series firewall (ethernet1/1). Each untrust interface has an associated external IP address to provide outbound internet access for the internal compute resources deployed in the trust network. |
Trust | The trust VPC network contains a dataplane interface from each VM-Series firewall (ethernet1/2). The dataplane interfaces serve as the backend pool of a Google Cloud internal TCP/UDP load balancer. The trust network's VPC route table has two default routes that use the forwarding rule of either internal load balancer as the next hop. Each route has a separate network tag applied ( |
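To make the tag behaviour concrete, the following Python is an added example (not code from the lab or its Terraform repository) that simulates how Google Cloud picks an instance's effective route: a route that carries network tags applies only to instances that have at least one of those tags, then the longest destination prefix wins, then the lowest priority value, and any remaining ties are load-balanced (ECMP). The route table mirrors the trust VPC described above; the tag names, route names and addresses come from the lab text, while the forwarding-rule next-hop names and the priorities are placeholders. It goes beyond the lab's two cases to show what happens to an instance with no tag and to one that carries both tags.

```python
"""Simulate Google Cloud route selection with network tags (added example).

The trust VPC route table below is constructed to mirror the lab: one subnet
route and two tagged default routes whose next hops are the regional internal
load balancers. Forwarding-rule names and priorities are placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                         # destination range, e.g. "0.0.0.0/0"
    next_hop: str                     # forwarding rule, gateway or local subnet
    priority: int = 1000              # lower value wins a tie on prefix length
    tags: frozenset = frozenset()     # empty means the route applies to every instance


TRUST_ROUTES = [
    Route("trust-subnet", "10.0.2.0/24", "local-subnet"),
    Route("xxxx-us-east4-route", "0.0.0.0/0", "ilb:us-east4-fw-forwarding-rule",
          tags=frozenset({"us-east4-fw"})),
    Route("xxxx-us-west2-route", "0.0.0.0/0", "ilb:us-west2-fw-forwarding-rule",
          tags=frozenset({"us-west2-fw"})),
]


def applicable_routes(routes, instance_tags):
    """A tagged route applies only to instances carrying at least one of its tags."""
    tags = set(instance_tags)
    return [r for r in routes if not r.tags or r.tags & tags]


def select_routes(routes, instance_tags, dst_ip):
    """Return the route(s) the instance would use for dst_ip.

    Longest prefix first, then the lowest priority value. More than one route
    in the result means the VPC spreads flows across those next hops (ECMP).
    """
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in applicable_routes(routes, instance_tags)
                  if dst in ipaddress.ip_network(r.dest)]
    if not candidates:
        return []                     # no matching route: the packet is dropped
    best_len = max(ipaddress.ip_network(r.dest).prefixlen for r in candidates)
    candidates = [r for r in candidates
                  if ipaddress.ip_network(r.dest).prefixlen == best_len]
    best_prio = min(r.priority for r in candidates)
    return [r for r in candidates if r.priority == best_prio]


def egress_next_hops(instance_tags, dst_ip="8.8.8.8"):
    """Next hop(s) an instance in the trust VPC uses to reach dst_ip."""
    return [r.next_hop for r in select_routes(TRUST_ROUTES, instance_tags, dst_ip)]


if __name__ == "__main__":
    for tags in (["us-east4-fw"], ["us-west2-fw"], [], ["us-east4-fw", "us-west2-fw"]):
        print(f"tags={tags!r:35} -> {egress_next_hops(tags)}")
    print("intra-subnet 10.0.2.10 -> 10.0.2.28:", egress_next_hops(["us-east4-fw"], "10.0.2.28"))
```

Two results are worth noting when planning tags. An instance with no firewall tag has no default route at all, so it simply loses internet egress rather than falling back to an unfiltered path; and an instance given both tags would be load-balanced across both regional firewalls, which is why the lab later replaces the tag rather than adding a second one. Traffic between two instances in the same subnet follows the subnet route and never reaches either firewall.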
In this section, we will deploy the lab with Terraform. Please note, after the build completes, the virtual machines will take an additional 10 minutes to finish their boot-up process.
Important! This build only creates 1 VM-Series firewall in each region. We recommend using Panorama (which is not covered in this build) to centrally manage load balanced VM-Series firewalls. If you would like to deploy additional firewalls to the load balancer's backend pool, uncomment lines 41-59 and 72-75 in the vmseries_region0.tf and vmseries_region1.tf files before proceeding.
- Open Google cloud shell.
- In cloud shell, copy and paste the following to enable the required APIs and to create an SSH key.
gcloud services enable compute.googleapis.com
ssh-keygen -f ~/.ssh/gcp-demo -t rsa -C gcp-demo
Note. If you are using an SSH key name that is different from gcp-demo, you must modify the public_key_path value in your terraform.tfvars file to match the name of the key you created.
- Copy and paste the following to clone the repository and to apply the Terraform plan.
git clone https://github.com/wwce/gcp-vmseries-tf-ilbnh-tags
cd gcp-vmseries-tf-ilbnh-tags
terraform init
terraform apply
- Verify that the Terraform plan will create 54 resources. Enter yes to start the build.
- Once the build completes, the following output is generated.
A description of the output values is summarized in the table below.
Output Key | Output Value |
FW_MGMT_ACCESS_REGION0 | Displays the management address for the US-EAST4 VM-Series firewalls. |
FW_MGMT_ACCESS_REGION1 | Displays the management address for the US-WEST2 VM-Series firewalls. |
SSH_TO_REGION0-VM | Command to open an SSH session through the VM-Series to the US-EAST4-VM instance on TCP/220. |
SSH_TO_REGION1-VM | Command to open an SSH session through the VM-Series to the US-WEST2-VM instance on TCP/221. |
In this section, we will review the trust VPC network’s effective route table. We will then examine the network tags applied to the VPC's custom routes and compute resources.
- In the Google Cloud console, navigate to VPC Network → VPC Networks.
- Open the Trust VPC network (xxxx-trust-vpc).
- Click ROUTES.
We can see the trust VPC has two default routes that use different internal load balancers as their next hop. The internal load balancers are in separate regions and frontend the trust dataplane interfaces of the VM-Series firewalls. Each route also has a network tag applied: us-east4-fw and us-west2-fw.
- Click the xxxx-us-east4-route name to open the route details.
Within the xxxx-us-east4-route details, we can see the US-EAST4-VM (10.0.2.10) has the us-east4-fw network tag applied. Therefore, any outbound traffic from this VM will traverse the us-east4 internal load balancer and VM-Series firewalls.
- Click the xxxx-us-west2-route name to open the route details.
Within the xxxx-us-west2-route details, we can see the US-WEST2-VM (10.0.2.28) has the us-west2-fw network tag applied. Therefore, any outbound traffic from this VM will traverse the us-west2 internal load balancer and VM-Series firewalls.
In this section, we will access the VM-Series management interfaces. Please note, the virtual machines in this build take an additional 5-10 minutes to finish their deployment.
- Copy and paste the output values for FW_MGMT_ACCESS_REGION0 and FW_MGMT_ACCESS_REGION1 into separate web-browser tabs.
- Use the credentials below to log into the firewalls.
Username: paloalto
Password: Pal0Alt0@123
In this section, we will open an SSH session to the private virtual machines in each region. The SSH sessions are established through the public IP address on the VM-Series untrust interfaces.
The diagram below describes how the VM-Series is translating the inbound SSH connections. TCP/220 is translated to the US-EAST4-VM instance and TCP/221 is translated to the US-WEST2-VM instance.
Tip. You can redisplay your Terraform outputs at any time by running terraform output from the Terraform build directory.
- Copy and paste the SSH_TO_REGION0-VM output value into your cloud shell terminal. This will open an SSH session to the US-EAST4-VM instance.
- Enter the following password to log into the US-EAST4-VM instance.
Password: Pal0Alt0@123
- Generate outbound traffic by installing the following packages.
sudo apt update
sudo apt install traceroute
traceroute www.paloaltonetworks.com
- Type exit to close the SSH session to the US-EAST4-VM instance.
exit
- Open an SSH session to the US-WEST2-VM instance by copying the SSH_TO_REGION1-VM output value into the cloud shell terminal.
- Enter the password to log into the US-WEST2-VM instance.
Password: Pal0Alt0@123
- Generate outbound traffic by installing the following packages.
sudo apt update
sudo apt install traceroute
traceroute www.paloaltonetworks.com
- Type exit to close the SSH session to the US-WEST2-VM instance.
exit
In this section, we will view the traffic logs on the VM-Series firewalls in both regions. We should see that outbound traffic from US-EAST4-VM flows only through the us-east4 VM-Series. Likewise, we should see US-WEST2-VM traffic flowing only through the us-west2 VM-Series firewalls.
- On both VM-Series firewalls, navigate to Monitor → Traffic.
- Copy and paste the following into the log filter. This filter displays the logs for all traffic originating from the trust VPC network (10.0.2.0/24).
( addr.src in 10.0.2.0/24 ) and ( app neq insufficient-data )
- We can see the us-east4 VM-Series is only receiving traffic from the US-EAST4-VM (10.0.2.10) and the us-west2 VM-Series is only receiving traffic from US-WEST2-VM (10.0.2.28).
Tip. You can quickly determine the firewall’s region by looking at the firewall name in the web-browser tab.
In this section, we will modify the network tags on the US-EAST4-VM to use the default route to the us-west internal load balancer and VM-Series firewalls.
- On the Google Console, navigate to Compute Engine → VM Instances.
- Open the xxxx-us-east4-vm instance. Click Edit.
- Scroll down to Network tags. We can see that the VM has the us-east4-fw network tag applied. This tag matches the tag applied on the default route to the us-east4 internal load balancer. This means the us-east4 VM instance will only use the us-east4 firewalls for its outbound traffic requests.
- Replace the us-east4-fw tag with the us-west2-fw tag. This will force the default route to the us-west2 internal load balancer to be applied to this VM instance.
- Scroll to the bottom and click Save.
- Log back into the US-EAST4-VM by copying the SSH_TO_REGION0-VM output value into cloud shell (password: Pal0Alt0@123).
- Start a ping to 8.8.8.8.
ping 8.8.8.8
- On us-west2 VM-Series, navigate to Monitor → Traffic. Verify the log filter below is still applied.
( addr.src in 10.0.2.0/24 ) and ( app neq insufficient-data )
- You should see US-EAST4-VM (10.0.2.10) is now flowing through the VM-Series in us-west2.
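The two log checks above (confirming that each firewall sees only its own region's source before the tag change, and that US-EAST4-VM moves to the us-west2 firewall afterwards) can be scripted against a log export instead of eyeballed. The Python below is an added example, not code from the lab or the repository: it applies the same predicate as the lab's log filter, ( addr.src in 10.0.2.0/24 ) and ( app neq insufficient-data ), to a constructed CSV export from each firewall and reports any trust-network source that appears on a firewall other than the one its tag should steer it to. The column names, timestamps and the inbound-SSH and web destinations in the sample rows are assumptions made for this example; the instance addresses and tag-to-firewall mapping are from the lab.

```python
"""Verify regional swim-lane isolation from VM-Series traffic logs (added example).

SAMPLE_LOGS is constructed to resemble a CSV export of each firewall's
Monitor > Traffic view. Column names and timestamps are assumptions.
"""
import csv
import io
import ipaddress

TRUST_SUBNET = ipaddress.ip_network("10.0.2.0/24")

# Constructed exports keyed by firewall. The last us-west2 row stands for the
# ping from US-EAST4-VM after its tag was changed to us-west2-fw.
SAMPLE_LOGS = {
    "us-east4-fw": """receive_time,src,dst,app,action
2021/03/01 10:00:01,10.0.2.10,8.8.8.8,ping,allow
2021/03/01 10:00:02,10.0.2.10,151.101.1.69,web-browsing,allow
2021/03/01 10:00:03,10.0.2.10,151.101.1.69,insufficient-data,allow
2021/03/01 10:00:04,35.190.0.1,10.0.2.10,ssh,allow
""",
    "us-west2-fw": """receive_time,src,dst,app,action
2021/03/01 10:00:05,10.0.2.28,8.8.8.8,ping,allow
2021/03/01 10:00:06,10.0.2.28,151.101.1.69,web-browsing,allow
2021/03/01 10:30:00,10.0.2.10,8.8.8.8,ping,allow
""",
}

# Which firewall each trust-network instance's tag is expected to steer it to.
BEFORE_RETAG = {"10.0.2.10": "us-east4-fw", "10.0.2.28": "us-west2-fw"}
AFTER_RETAG = {"10.0.2.10": "us-west2-fw", "10.0.2.28": "us-west2-fw"}
RETAG_TIME = "2021/03/01 10:30:00"   # constructed: when the tag was changed


def matches_filter(row):
    """Same predicate as the lab's log filter:
    ( addr.src in 10.0.2.0/24 ) and ( app neq insufficient-data )."""
    return (ipaddress.ip_address(row["src"]) in TRUST_SUBNET
            and row["app"] != "insufficient-data")


def sources_per_firewall(logs, since=""):
    """Map firewall -> sorted trust-network sources logged at or after `since`.

    Timestamps are zero-padded year-first strings, so plain string comparison
    orders them correctly; the default of "" keeps every row.
    """
    seen = {}
    for fw, text in logs.items():
        rows = csv.DictReader(io.StringIO(text))
        seen[fw] = sorted({r["src"] for r in rows
                           if r["receive_time"] >= since and matches_filter(r)})
    return seen


def isolation_violations(logs, expected, since=""):
    """(firewall, src) pairs where a source showed up on a firewall other than
    the one its network tag is expected to steer it through."""
    return [(fw, src)
            for fw, srcs in sources_per_firewall(logs, since).items()
            for src in srcs
            if expected.get(src) != fw]


if __name__ == "__main__":
    print("sources seen:", sources_per_firewall(SAMPLE_LOGS))
    print("against pre-change tags:", isolation_violations(SAMPLE_LOGS, BEFORE_RETAG))
    print("after the change, from", RETAG_TIME, ":",
          isolation_violations(SAMPLE_LOGS, AFTER_RETAG, since=RETAG_TIME))
```

Run as a script it lists the sources each firewall saw, flags the post-change ping on us-west2-fw as a violation of the original tag mapping, and reports a clean result once the expectation is updated and the window is limited to logs after the tag change. The `since` cut-off matters: without it, the earlier US-EAST4-VM traffic still present on the us-east4 firewall would be reported as a violation of the new mapping even though it predates the change.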
If you would like to destroy the environment, enter the following in Google cloud shell.
cd gcp-vmseries-tf-ilbnh-tags
terraform destroy -auto-approve
rm ~/.ssh/gcp-demo
You have completed the lab guide. You have learned how to leverage network tags to route traffic to specific internal TCP/UDP load balancers that frontend VM-Series firewalls.