使用Gateway Load Balancer和Palo alto防火墙实现集中的网络流量检测

使用Gateway Load Balancer和Palo alto防火墙实现集中的网络流量检测

AWS-GWLB-VMSeries

使用Gateway Load Balancer和Palo alto防火墙实现集中的网络流量检测

最近有一个项目，客户的需求是在AWS 里使用Palo Alto, 要求Inbound and Outbound 流量经过Palo Alto 防火墙

然后我找到了这个项目，根据文档做了一遍，完成了客户的两个需求

GWLB的推出使得防火墙可以在实现高可用的情况下同时检测入向和出向的流量，GWLB使用Geneve协议（UDP 6081）与防火墙建立通信，将收到的流量转发到后端一组防火墙，并实现健康检查、负载均衡、粘性链接等管理功能。通过采用GWLB的架构部署VM-Series系列防火墙，将具备以下优势：\简化连接：在应用程序的出站、东西向和入站流量路径中轻松插入自动扩展的 VM 系列防火墙堆栈。VM 系列和 GWLB 使用 GENEVE 封装来保持您的流量数据包标头和有效负载完整，为您的应用程序提供源身份的完整可见性——换句话说，不再需要 SNAT。大规模性能：通过使用 AMAZON 原生网络结构和 AMAZON Transit Gateway VPC 附件，以更高的吞吐量跨多个 VM 系列防火墙扩展您的流量。您不再需要用于东西向和出站流量检查的加密隧道——换句话说，没有 IPsec 隧道开销。经济高效：减少保护 AMAZON 环境所需的防火墙数量，并通过集中安全管理整合整体网络安全状况。我这里的两个VPC

参数仅供参考，你可以按照你的网络环境进行相应调整。 SecurityVPC 10.0.0.0/24 App VPC 172.32.0.0/25

Security VPC （防火墙所在的VPC）10.0.0.0/24 Application VPC ( web 服务器所在的VPC) 172.32.0.0/25

所有的VPC通过AWS Transit Gateway 连起来，如果有新的App VPC，也可以通过Transit Gatway 连起来，扩展性更好。这样所有的流量都是穿过Transit Gateway 来到防火墙（在Security VPC里）检测完再回去。

废话不多少，做了才知道行不行。

运行下面脚本，前提你要有AWS 命令行环境，这个你得先设置好。 #你可以参考这个文本cloudformation deploy --template-file SecurityVPC.yaml --stack-name SecurityVPC --capabilities "CAPABILITY_IAM" --parameter-overrides "VMSeriesAMI=ami-06cb3ae59e4c46288" "EC2KeyPair=eu-west-1" "VmseriesBootstrapS3BucketName=" "TGWID="

这个命令里，你需要提供三个参数 参数仅供参考，你可以按照你的网络环境进行相应调整。 SecurityVPC 10.0.0.0/24 VMSeriesAMI=ami-06cb3ae59e4c46288EC2KeyPair=eu-west-1 <---新建一个KEYPAIR name:eu-west-1 或者任意一个你喜欢的名字"VmseriesBootstrapS3BucketName=vmseries-bucket""TGWID=tgw-09b48a1f1e451dba2"\新建一个S3 vmseries-bucket，把 CFT_2_Firewalls 的的bootstrap 都上传到这里来“TGWID=tgw-09b48a1f1e451dba2” 新建一个transite gateway 然后把这个transite gateway ID 拷贝进来\然后就可以运行这一条命令了\aws cloudformation deploy --template-file SecurityVPC.yaml --stack-name SecurityVPC --capabilities "CAPABILITY_IAM" --parameter-overrides "VMSeriesAMI=ami-06cb3ae59e4c46288" "EC2KeyPair=eu-west-1" "VmseriesBootstrapS3BucketName=vmseries-bucket" "TGWID=tgw-09b48a1f1e451dba2"\一杯茶的功夫，你就可以登陆进去看看，security vpc 已经建好了，防火墙也OK了（原始密码git-hub有)\Step 2

创建Application VPC 和ELB和GWLB 然后把它们连起来,具体步骤在AWS-GWLB-VMSeries/cft with autoscale/app_stack/这个PDF 文档里，创建App_stack你你可以一步一步来它的模版是在“panw-aws-app-v3.0.template”里。

\***** pan_awsThis is the V3 (CFT) template to deploy sample application topology for inbound, east-west and outbound traffic.

Traffic template: panw-aws-app-v3.0.template

Note:

Upload app.zip to S3 bucket, the lambda function inside will create Gateway LoadBalancer Endpoint. Need to enter the Gateway LoadBalancer service configuration name from security VPC. Need to provide Transit Gateway Id. Customers need to create a route in App attachment route table pointing to security attachment if they decide to protect east-west traffic. A concept of service insertion.

建好之后，你可以登陆进你的虚拟几和防火墙，去查看流量的走向，是不是符合你的要求

1. Outbound traffic web 服务器访问Internet 外网路径

Web Server 172.32.0.38 and 172.32.0.52

#第一步，看APP的路由，默认都是到transite gateway 的rtb-05958ba7a9f8cb624 / App-1-AppRouteTable1172.32.0.0/25 local Active No0.0.0.0/0 tgw-09b48a1f1e451dba2 Active No#subnet associations subnet-044ff117d43d534fb / App-1-App SubnetAz1 172.32.0.32/28\rtb-05958ba7a9f8cb624 / App-1-AppRouteTable2172.32.0.0/25 local Active No0.0.0.0/0 tgw-09b48a1f1e451dba2 Active No#subnet associations subnet-0dec4bdda78ac6014 / App-1-App SubnetAz2 172.32.0.48/28\#第二步 tgw 查看路由表，看吓一跳是security vpc,tgw0.0.0.0/0 tgw-attach-045cffd93ed30d5ab vpc-04d0b16621e964204 <---security vpc\#第三步 上面这些数据被发送到这个路由表了，然后你看默认路由被发送到GWLBE 的endpoint 了，这个数据被发送给防火墙就检测\rtb-06af167cd6ac287d6 / SecurityVPC-TGW-AZ110.0.0.0/24 local Active No0.0.0.0/0 vpce-01fe34ed51d489026 subnet-04e20853730e52f16 us-east-2a (use2-az1) 10.0.0.24 - eni-0bec8b7633078a19e#subnet associations subnet-08d59ab93b446e74f / SecurityVPC-TGW-AZ1 10.0.0.32/28

\#这里，我为了省钱，只开了一个palo alto 防火墙，所以把默认路由制到和SecurityVPC-TGW-AZ1一样的，原来是只想到另外一个GWLBE 的rtb-0c1bd161c18153668 / SecurityVPC-TGW-AZ210.0.0.0/24 local Active No0.0.0.0/0 vpce-01fe34ed51d489026 Active No#subnet associations subnet-076519f971751d79e / SecurityVPC-TGW-AZ2 10.0.0.96/28

\##检测完的数据返回到GWLBW. 被发送到了相应的NAT Gateway #from firewall GWLBE, it go with the NAT GATEWAY and out to the internet rtb-0c2a947ff0535ffe9 / SecurityVPC-GWLBE-AZ1 172.32.0.0/25 tgw-09b48a1f1e451dba2 Active No10.0.0.0/24 local Active No10.0.0.0/8 tgw-09b48a1f1e451dba2 Active No0.0.0.0/0 nat-0dd33352954186b8e Active No

#subnet associations subnet-04e20853730e52f16 / SecurityVPC-GWLBE-AZ1 10.0.0.16/28\rtb-0d4cf8bfa249e2bd1 / SecurityVPC-GWLBE-AZ2172.32.0.0/25 tgw-09b48a1f1e451dba2 Active No10.0.0.0/24 local Active No10.0.0.0/8 tgw-09b48a1f1e451dba2 Active No0.0.0.0/0 nat-0acb118f884e7b1d9 Active No

\##NAT Gateway 发送给Internet 网关#out to internet rtb-052e9b02f1a352bdc / SecurityVPC-NATGW-AZ1172.32.0.0/24 vpce-01fe34ed51d489026 Active No <---return traffic go to GWLBEW endpoint and to firewall. 10.0.0.0/24 local Active No10.0.0.0/8 vpce-01fe34ed51d489026 Active No0.0.0.0/0 igw-07e4978c32b20be74 Active No\rtb-0656f212a348a2f75 / SecurityVPC-NATGW-AZ210.0.0.0/24 local Active No10.0.0.0/8 vpce-048fb2b73f6167932 Active No0.0.0.0/0 igw-07e4978c32b20be74 Active No#subnet associations subnet-08877bc1ab7801ac9 / SecurityVPC-NATGW-AZ2 10.0.0.64/28

\########返回的数据相反的路径，172.32.0.38 and 172.32.0.52 直接发往GWLB endpoint，然后让防火墙去检查#return traffic from Internet #Step 1 rtb-052e9b02f1a352bdc / SecurityVPC-NATGW-AZ1172.32.0.0/24 vpce-01fe34ed51d489026 Active No <---return traffic go to GWLBEW endpoint and to firewall. 10.0.0.0/24 local Active No10.0.0.0/8 vpce-01fe34ed51d489026 Active No0.0.0.0/0 igw-07e4978c32b20be74 Active No\#step 2 数据检测完油回到了GWLBE 路由表，然后发送到tgwrtb-0c2a947ff0535ffe9 / SecurityVPC-GWLBE-AZ1 172.32.0.0/25 tgw-09b48a1f1e451dba2 Active No ---to TGW10.0.0.0/24 local Active No10.0.0.0/8 tgw-09b48a1f1e451dba2 Active No0.0.0.0/0 nat-0dd33352954186b8e Active No\#tgw 查看路由表，把它发送给App VPC 发送到web 去处理#Step 3 return back to App vpc and in TGW 10.0.0.0/24 tgw-attach-045cffd93ed30d5ab vpc-04d0b16621e964204 VPC Propagated Active –172.32.0.0/25 tgw-attach-0a01e75781baa626a vpc-0698f7d242c6c9b71 VPC Propagated Active

\2. Inbound traffic #######Internet 访问 web 服务器 ELB App-1-ALB-1866726614.us-east-2.elb.amazonaws.comApp-1-ALB 3.134.25.214 172.32.0.30 3.18.246.22 172.32.0.12Web Server 172.32.0.38 and 172.32.0.52访问数据到达ELB 后，会发送给后面的两台web服务器

go to App IGW 172.32.0.0/28 eni-0884dca32dc7744ef 172.32.0.5 172.32.0.16/28 eni-01c7c66916ccfad94 172.32.0.90 172.32.0.0/25 local Active No

到了IGW，之后，流量就被送到GWLB endpoint，然后发给防火墙做数据的监控再发送回来后，就到了下面这一个路由表172.32.0.5 所在的路由表此时的source IP： 172.32.0.12 or 172.32.0.30 Destination IP: 172.32.0.28 or 172.32.0.52 \172.32.0.0/25 local Active No10.0.0.0/24 tgw-09b48a1f1e451dba2 Active No0.0.0.0/0 igw-01f8f77dbef6d9731 Active No\#subnet associations 你可以看到，上面两个eni的网段 就是依附在这个路由表里的subnet-0c131865790b50b2c / App-1-Gwlbe SubnetAz1 172.32.0.64/28subnet-0cb264936c9337b66 / App-1-Gwlbe SubnetAz2 172.32.0.80/28然后发送到App 所在的路由表去处理\rtb-05958ba7a9f8cb624 / App-1-AppRouteTable1172.32.0.0/25 local Active No0.0.0.0/0 tgw-09b48a1f1e451dba2 Active No#subnet associations subnet-044ff117d43d534fb / App-1-App SubnetAz1 172.32.0.32/28\rtb-05958ba7a9f8cb624 / App-1-AppRouteTable2172.32.0.0/25 local Active No0.0.0.0/0 tgw-09b48a1f1e451dba2 Active No#subnet associations subnet-0dec4bdda78ac6014 / App-1-App SubnetAz2 172.32.0.48/28\然后返回来的数据第一步点到ELB，应为destination is ELB 172.32.0.12 or 172.32.0.30rtb-0c9e1b175533cd8c2 / App-1-ALBRouteTable1172.32.0.0/25 local Active No0.0.0.0/0 eni-0884dca32dc7744ef Active No#subnet associationssubnet-0ae6ae5c7c26d6234 / App-1-ALB SubnetAz1 172.32.0.0/28\rtb-067697f98375ed98e / App-1-ALBRouteTable2172.32.0.0/25 local Active No0.0.0.0/0 eni-01c7c66916ccfad94 Active No#subnet associationssubnet-00596d9276022f65f / App-1-ALB SubnetAz2 172.32.0.16/28\ELB 路由表把目的地址换成真实 用户的地址比如8.8.8.8，然后查看路由表，一看所有的默认路由油发送给GWLB的endpoint了，让防火墙去检查然后返回到eni-01c7c66916ccfad94/eni-0884dca32dc7744ef回到了GWLBE 后，把路由发送到IGW网关，然后出去了rtb-014d72563443c1bbd / App-1-GwlbeRouteTable172.32.0.0/25 local Active No10.0.0.0/24 tgw-09b48a1f1e451dba2 Active No0.0.0.0/0 igw-01f8f77dbef6d9731 Active No

\下面有一些问题我有一些地方没搞清楚

1. 防火墙的配置只有一个端口，它们需要和AWS GWLB 结合起来 以下命令可以做到，其实在git-hub 里的init-cfg.txt 脚本里已经包括了

a. set deviceconfig setting management initcfg op-command-modes jumbo-frame,mgmt-interface-swap\b. request plugins vm_series aws gwlb associate vpc-endpoint vpce-xxxxxxxxxxxxxxxxx interface ethernet1/1request plugins vm_series aws gwlb inspect enable yes

可以看看这个文档路由的具体走向 3. 支持global protect VPN 吗？ 4. GWLB 用的是AWS的私有链路,可以看看下面文档 1 里的具体步骤AMI of Palo Alto Networks VM-Series v10.0.2 or above Palo Alto 防火墙具体版本用下面这条命了去查看\aws ec2 describe-images --filters "Name=name,Values=PA-VM-AWS-10.0" "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" --region us-west-2 --query "Images[].{Name:Name,AMI:ImageId,State:State}" --output table\To obtain the AMI ID for other Licenses such as Bundle 1, 2, or BYOL you can get change the "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" section with the appropriate product code from here (see step 2).\Step2 链接ec2 describe-images --filters "Name=name,Values=PA-VM-AWS-10.0" "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" --region us-west-2 --query "Images[].{Name:Name,AMI:ImageId,State:State}" --output table

| DescribeImages |+-----------------------+-----------------------------------------------------------------------------------------------------------------------+------------+| AMI | Name | State |+-----------------------+-----------------------------------------------------------------------------------------------------------------------+------------+| ami-01ec09e9bec6c5ac4| PA-VM-AWS-10.0.7-7064e142-2859-40a4-ab62-8b0996b842e9 | available || ami-024cf1b1d5e7c0c5d| PA-VM-AWS-10.0.4-7064e142-2859-40a4-ab62-8b0996b842e9 | available || ami-067dcad5f8531be6d| PA-VM-AWS-10.0.5-7064e142-2859-40a4-ab62-8b0996b842e9 | available || ami-0779455ce4b23a97e| PA-VM-AWS-10.0.3-f1260463-68e1-4bfb-bf2e-075c2664c1d7-ami-0f502ec3bbfb767df.4-7064e142-2859-40a4-ab62-8b0996b842e9 | available || ami-094ba6894a3ad2084| PA-VM-AWS-10.0.0-7064e142-2859-40a4-ab62-8b0996b842e9-ami-0890de69ba91da468.4 | available || ami-09f2c1dc3d089170e| PA-VM-AWS-10.0.2-7064e142-2859-40a4-ab62-8b0996b842e9-ami-07a0e94019f2a2001.4 | available || ami-0cfe2981f3188ecd0| PA-VM-AWS-10.0.6-7064e142-2859-40a4-ab62-8b0996b842e9 | available |+-----------------------+-----------------------------------------------------------------------------------------------------------------------+------------+(END)

\"VmseriesBootstrapS3BucketName=vmseries-bucket"新建一个S3 vmseries-bucket，把 CFT_2_Firewalls 的的bootstrap 都上传到这里来"TGWID=tgw-09b48a1f1e451dba2" 新建一个transite gateway 然后把这个transite gateway 拷贝进来

\参数仅供参考，你可以按照你的网络环境进行相应调整。 SecurityVPC 10.0.0.0/24 App VPC 172.32.0.0/25

\ecurityVPC-GWLBE-AZ2subnet-06588a23dabf87931 | SecurityVPC-SecurityVPC 10.0.0.80/28 us-east-2b

SecurityVPC-NATGW-AZ2subnet-08877bc1ab7801ac9 | SecurityVPC-SecurityVPC 10.0.0.64/28 us-east-2b

SecurityVPC-NATGW-AZ1subnet-08c6a72636b900021 | SecurityVPC-SecurityVPC 10.0.0.0/28 us-east-2a

SecurityVPC-GWLBE-AZ1subnet-04e20853730e52f16 | SecurityVPC-SecurityVPC 10.0.0.16/28 us-east-2a

SecurityVPC-VMSeries-Data-AZ2subnet-027cefbc727d253b2 | SecurityVPC-SecurityVPC 10.0.0.112/28 us-east-2b

SecurityVPC-Firewall-Outside-AZ1subnet-0903684e34f17f388 | SecurityVPC-SecurityVPC 10.0.0.160/28 us-east-2a

SecurityVPC-TGW-AZ2subnet-076519f971751d79e | SecurityVPC-SecurityVPC 10.0.0.96/28 us-east-2b

SecurityVPC-VMSeries-Data-AZ1subnet-04d34d3df117167e3 | SecurityVPC-SecurityVPC 10.0.0.48/28 us-east-2a

SecurityVPC-TGW-AZ1subnet-08d59ab93b446e74f | SecurityVPC-SecurityVPC 10.0.0.32/28 us-east-2a

App-1-ALB SubnetAz1subnet-0ae6ae5c7c26d6234 | App-1-VPC 172.32.0.0/28 – 9 us-east-2a

App-1-Gwlbe SubnetAz2subnet-0cb264936c9337b66 | App-1-VPC 172.32.0.80/28 – 10 us-east-2b

App-1-Gwlbe SubnetAz1subnet-0c131865790b50b2c | App-1-VPC 172.32.0.64/28 – 9 us-east-2a

App-1-App SubnetAz2subnet-0dec4bdda78ac6014 | App-1-VPC 172.32.0.48/28 – 10 us-east-2b <--web server

App-1-App SubnetAz1subnet-044ff117d43d534fb | App-1-VPC 172.32.0.32/28 – 9 us-east-2a <--web server

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。