
I'm looking for some directions. Has anyone implemented the use case described in this lab ("Palo Alto Networks: VM-Series Advanced Deployment") with a site-to-site VPN to on-prem?

Question: which VPC did you attach the VPN to, so that both the inbound and outbound traffic pass through the firewall?

It seems like if you attach the VPN in a VPC other than the Untrusted VPC, your inbound and outbound traffic will bypass the firewall. If you use IPSec as in this documentation, you will not be able to achieve full HA on the PA.

Another approach worth investigating:

If you make an internal load balancer in the Untrusted VPC and attach the site-to-site VPN there, you can force both traffic flows to be inspected. However, there's a setback to this: you will need an ILB, since the VPN traffic is considered private and you can't use the existing NLB, and adding a second LB requires adding another route for the GCP health check, which will not be possible since the route has to be unique.

Has anyone implemented something similar? Can you share some thoughts and ideas?

Sunny J
    Qwiklabs has a series of training labs on how to set up Palo Alto Firewalls. https://www.qwiklabs.com/catalog?keywords=palo+alto Their labs provide training and you get to practice with real GCP networks. – John Hanley Oct 30 '21 at 21:40
  • Thanks John for the link. I already completed the "Palo Alto Networks: VM-Series Advanced Deployment" lab, which is on this topic, but what wasn't included or mentioned is the site-to-site VPN setup. This is technically the missing piece right now. – Sunny J Oct 30 '21 at 21:53
  • To get a good answer requires a lot more details. Assuming that you want your on-prem traffic to flow through the VPN and then through the firewall, then you will need to add a VPC to the diagram. The VPN is attached to that VPC. Then the firewall has network interfaces in that VPC and the VPC that you want traffic forwarded to. At this point, your question is way too broad. You need to provide a very detailed layout of what goes where and who talks to whom. I would engage a Palo Alto network engineer to help spec out the system. These setups can be expensive - small mistakes can break everything. – John Hanley Oct 31 '21 at 00:45
  • Thanks John. This response is very helpful. To provide further context around the use case: I have 2 spoke projects, let's call them (A & B), peered directly to the PA FW Trusted VPC, called (Trusted VPC). The rest of the firewall VPCs are (Untrusted & Mgmt) as per the GCP requirement. I then made another VPC called (VPN VPC) with a peering connection to the (Trusted VPC). To ensure full HA, there's an NLB in the (Untrusted VPC) for public traffic and another ILB in the (Trusted VPC) for internal traffic. The firewall has no interface in the (VPN VPC), and now I see that VPN traffic destined to either... – Sunny J Oct 31 '21 at 14:25
  • (A or B) spoke project machines is not passing through the firewall. I took interest in what you said about having a firewall interface in the VPN project. Does that mean the firewall will have 4 interfaces instead of the usual 3? – Sunny J Oct 31 '21 at 14:32
  • Putting details in comments is not a good idea. Edit your question to include new information. – John Hanley Nov 01 '21 at 17:14
  • Thanks, working on the workaround suggested by Palo Alto. I will update with the outcome. – Sunny J Nov 01 '21 at 21:27

0 Answers