NAS Solutions – Huawei Cloud Partner
Topic: Deploying Palo Alto Next-Generation Firewall on Huawei Cloud
Introduction:
Deploying a Palo Alto Next-Generation Firewall (NGFW) on Huawei Cloud adds perimeter inspection and advanced threat prevention to a cloud environment. This article outlines the environment design, the deployment process, and the features configured, and is illustrated with screenshots from the practical implementation.
Overview of the Environment:
The environment is designed to host a secure, scalable WordPress-based web application leveraging Huawei Cloud’s Elastic Cloud Server (ECS). Below are the key components:
- WordPress Servers: Two WordPress servers deployed on ECS, each configured with 4 vCPUs and 8 GB RAM.
- F5 Load Balancer: An F5 Load Balancer deployed on ECS, configured with 4 vCPUs and 8 GB RAM, used to distribute traffic evenly between the two WordPress servers, ensuring high availability and fault tolerance.
- Palo Alto NGFW: Deployed on an ECS instance with 4 vCPUs and 8 GB RAM. It acts as the gateway that secures traffic flowing to and from the Internet, offering advanced threat prevention, application control, and URL filtering.
Design Architecture:
The design of the environment incorporates the following elements:
- Internet Gateway: The Palo Alto NGFW is deployed at the perimeter of the environment, directly connected to the Internet. It filters inbound and outbound traffic to enforce the security policy.
- Application Layer Load Balancer: The F5 Load Balancer sits behind the NGFW, managing incoming requests and distributing them to the WordPress servers based on predefined rules.
- Secure Communication: All traffic entering or leaving the environment passes through the NGFW and is inspected there; communication between the components uses encrypted protocols to protect the integrity and confidentiality of data. Below is a diagram illustrating the environment:
Step-by-Step Deployment:
- Upload the PA image to an OBS bucket.
- Create a PA private image from it.
- Create the PA ECS from that private image. A Palo Alto VM-Series ECS requires a minimum of 2 vCPUs, 6.5 GB of memory and 3 network interfaces; in this scenario a c7.xlarge.2 ECS with 4 vCPUs and 8 GB of memory is chosen.
Then configure the three network interfaces as follows:
• First interface: the Internet-facing (untrust) interface.
• Second interface: the internal (trust) interface.
• Third interface: the management interface.
• The security group in the original deployment allows all traffic. For anything beyond a lab, restrict it instead: management (HTTPS/SSH) only from administrator source addresses on the management NIC, and only the published service ports on the Internet-facing NIC. Note that a cloud security group sits in front of the firewall's own policy, so an all-open group means the management plane is reachable from the whole Internet until the PAN-OS permitted-IP list is configured.
The next step is to configure the password. The PA image ships with the default credentials admin/admin; keep them only for the first login and change the password immediately afterwards, before the management interface is reachable from anywhere but the administrator network.
Next, enable the management interface swap in Palo Alto. Without the swap, the instance's primary NIC (eth0) is the firewall's management interface; with the swap, PAN-OS exchanges the roles of eth0 and the first dataplane interface, so the primary NIC becomes ethernet1/1 (the Internet-facing data interface) and the second NIC becomes management. This is required because cloud services that attach to the primary NIC (such as ELB or an EIP) must land on a data interface, not on the management plane. After the swap, verify in the console which NIC actually carries management before applying security groups to it.
To apply this setting at first boot, open Advanced Settings when creating the PA ECS and enter the following PAN-OS command in User Data as text (the CLI keyword is hyphenated):
set system setting mgmt-interface-swap enable yes
After completing the configuration submit and create the ECS.
- Log in to the PA web interface with the default username and password, and change the password as the first action.
Modify Telemetry Region
Set the PA device general settings (hostname, domain, time zone, etc.) as follows:
The next step is to update PA device License as follows
- Configure PA interfaces: The next step is to configure the interfaces of the PA ECS as follows.
Two new security policies are then configured, named 'Trust to Trust' and 'Trust to Trust' in the original screenshots, each with the action 'Allow'. A blanket allow between zones defeats the purpose of the NGFW; scope each rule to the zone pair it actually serves and to the applications and services the WordPress traffic needs, and enable logging at session end so the firewall's threat prevention and URL filtering have something to act on and report.
The next step is to configure the default virtual router and add a default route under Network > Virtual Routers > default > Static Routes. The destination is 0.0.0.0/0; in the original deployment the interface is the trust interface and the next hop is the gateway address of that interface. Check this against the actual topology: the default route must leave through the interface that reaches the Internet (the one holding the EIP), which in a perimeter design is normally the untrust interface. A default route out of the internal side blackholes all Internet-bound traffic.
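The same configuration, expressed as PAN-OS CLI commands, is given below as an added example; it is not taken from the article, which performs these steps in the web UI. It assumes, after the management interface swap, that ethernet1/1 is the Internet-facing NIC (zone untrust, address 10.0.1.10, gateway 10.0.1.1) and ethernet1/2 the internal NIC (zone trust), that the F5 virtual server is at 10.0.2.20, and that administrators connect from 203.0.113.0/24; all of these values are hypothetical. It goes beyond the article in three places: it restricts management access with a permitted-IP list, it sends the default route out of the untrust interface, and it adds the destination NAT rule that publishing the F5 behind an EIP requires.

```panos
# Added example (not from the original article). Hypothetical values:
#   ethernet1/1 = Internet-facing NIC after the mgmt swap, 10.0.1.10/24, gw 10.0.1.1
#   ethernet1/2 = internal NIC, 10.0.2.0/24
#   10.0.2.20   = F5 virtual server fronting the WordPress servers
#   203.0.113.0/24 = administrator network
configure

# General settings (hostname, domain, time zone step)
set deviceconfig system hostname pa-ngfw-01
set deviceconfig system domain example.internal
set deviceconfig system timezone Asia/Riyadh
# Limit management-plane access to the admin network instead of relying on the
# cloud security group alone
set deviceconfig system permitted-ip 203.0.113.0/24

# Dataplane interfaces: accept the cloud-assigned addresses, but do not let DHCP
# install a default route, so that the route below is the only one
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes create-default-route no
set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes create-default-route no

# Zones
set zone untrust network layer3 ethernet1/1
set zone trust network layer3 ethernet1/2

# Default virtual router and default route out of the Internet-facing interface
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 10.0.1.1

# Publish the F5 behind the EIP: the EIP maps to 10.0.1.10, so translate
# HTTPS to that address onward to the F5 virtual server
set rulebase nat rules Inbound-Web from untrust to untrust source any destination 10.0.1.10 service service-https destination-translation translated-address 10.0.2.20

# Security policy scoped per zone pair and application rather than any/any.
# Security rules match the pre-NAT destination (10.0.1.10) and the post-NAT zone (trust).
set rulebase security rules Untrust-to-Trust from untrust to trust source any destination 10.0.1.10 application [ web-browsing ssl ] service application-default action allow log-end yes
set rulebase security rules Trust-to-Untrust from trust to untrust source any destination any application [ web-browsing ssl dns ntp ] service application-default action allow log-end yes

commit
```

Run `show routing route` after the commit to confirm that the 0.0.0.0/0 entry points out ethernet1/1, and `test security-policy-match from untrust to trust destination 10.0.1.10 protocol 6 destination-port 443 source 198.51.100.7` to confirm that inbound web traffic hits Untrust-to-Trust and nothing broader.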
Conclusion
Deploying the Palo Alto Next-Generation Firewall on Huawei Cloud allows organizations to establish a secure and scalable cloud environment with robust initial configuration. By leveraging Huawei Cloud’s flexible infrastructure and Palo Alto’s advanced security features, businesses can achieve strong protection for their workloads while maintaining operational simplicity.
In the next article, we will explore Palo Alto’s HA architecture and advanced configuration for enhanced resilience and performance.