- Enter a BGP ASN (autonomous system number). We are using ASN 65512 for the Palo Alto Firewall (Customer Gateway) and 64512 for the Transit gateway. For more details about using a BGP ASN on with an AWS Site-to-Site VPN, please refer to this guide.
- Enter the PublicIP address of the Palo Alto firewall. In this guide, we are using interface Ethernet 1/1 on the Palo Alto firewall.
- In this guide, we will use the pre-shared key method for authentication. Do not select a certificate ARN if you are following this guide. For more details about using certificate-based authentication with an AWS Site-to-Site VPN, please refer to this guide.
- When finished, select Create customer gateway.
Figure 2: Creating the customer gateway
Part 2: Configure the AWS Site-to-Site VPN connection and associate it with the Transit Gateway
In this section, we will configure the VPN tunnels. AWS recommends using Internet Key Exchange version 2 (IKEv2) where possible, because of the lower overhead in establishing a tunnel and enhanced health check functionality, as compared to IKEv1. For more information on the benefits of IKEv2 with Palo Alto, refer to this guide.
Select Create VPN Connection:
- Enter the VPN connection Name
- Select Transit gateway in Target gateway type and select the desired transit gateway.
- In the Customer gateway section, choose existing and select the customer gateway that was created in Part 1.
- In the Routing options section, choose Dynamic (require BGP).
- In the Tunnel inside IP version, select IPv4.
- Using an Accelerated Site-to-Site VPN connection is out of scope for this guide. For more details, refer to the User Guide.
Figure 3: Creating the VPN connection
- Expand the Tunnel 1 and Tunnel 2 options section. - For the Local and Remote IPv4 network CIDR sections, leave the default 0.0.0.0/0. This will be controlled by firewall policy and routing advertisements, addressed in a later section of this guide. - Enable the tunnel activity log and tunnel endpoint lifecycle control. AWS Site-to-Site VPN logs provide you with deeper visibility into your Site-to-Site VPN deployments. Site-to-Site VPN connection logs that provide details on IP Security (IPsec) tunnel establishment, IKE negotiations, and dead peer detection (DPD) protocol messages. Tunnel endpoint lifecycle control provides control over the schedule of endpoint replacements.
Figure 4: Enabling the tunnel activity log and tunnel endpoint lifecycle control
We recommend being more selective with IKE Phase 1 and Phase 2 parameters. These options can be modified by selecting “Edit tunnel (#) options”. Your decisions will depend on your specific compliance and security requirements. For a list of supported parameters, please refer to the VPN tunnel options documentation. Ensure modifications in this section are applied to both VPN tunnels.
Figure 5: Advanced tunnel encryption options
Encryption algorithms
AWS supports both AES128-GCM-16 and AES256-GCM-16. We recommend AES256-GCM-16 where supported and within requirements.
Integrity algorithms
Integrity algorithms ensure the sender’s identity and also ensure that the message has not been modified in transit. Select your SHA algorithm based on your customer gateway device support and security requirements. If you don’t have specific requirements, then we recommend using SHA-384 because of its performance and security characteristics.
DH group numbers
A Diffie-Hellman (DH) group determines how key material is generated for encryption. As with SHA, we recommend you pick DH groups based on compatibility with your customer gateway device and your security requirements. If you don’t have specific requirements, then we recommend using DH group 20 because of its security characteristics.
IKE version
To establish an IPsec tunnel, the IKE protocol is used. IKE has two iterations: IKEv1 and IKEv2. We recommend using IKEv2, as it gives some key performance optimizations over IKEv1.
For more details on how AWS secures the IPsec tunnel and the shared responsibility model, please refer to this blog post, AWS Site-to-Site VPN, choosing the right options to optimize performance.
After the tunnel creation, a VPN connection summary will be displayed.
Figure 6: VPN connection details after creation
Part 3: Configure the site-to-site VPN on the Palo Alto firewall
In this section, we will guide you on how to configure your Palo Alto Firewall tunnel interface.
The inside tunnel IP addresses can be found in the downloadable configuration file in the AWS console or by using the AWS console to navigate to VPC > Site-to-Site VPN Connections > vpn-xxxxx and selecting the Tunnel Details tab.
Figure 7: Displaying the inside IPv4 CIDR block
Step 1 - Create a tunnel Interface:
The steps in this section will take place in the Palo Alto user interface. Step 1 will need to be repeated for both AWS tunnel endpoints.
Navigate to Network > Interfaces > Tunnel:
Select Add
- Assign a Virtual Router and Security Zone: These are requirements for Palo Alto’s interfaces. You can also create a security zone from this interface by clicking on the security zone tab. Refer to Figure 8.
Figure 8: Creating a tunnel interface in the Palo Alto firewall
- Configure the tunnel IPv4 address. Within the /30 CIDR block assigned by AWS, the AWS side is the first available IP address and the Palo Alto side is the second available IP address.
Figure 9: Adding the inside IPv4 CIDR block to the tunnel interface in the Palo Alto firewall
Step 2 - Create IKE Profile:
Go to Network > Network > IKE Crypto:
Select Add
- Enter a name for the Crypto Profile
- Select the desired parameters for DH Group, Authentication, Encryption and IKE timers. Make sure the parameters selected here match what you have selected on AWS side of the VPN connection. If they do not, the tunnel cannot establish.
Figure 10: IKE Crypto Profile configuration in the Palo Alto firewall
In this guide, we are using GCM cipher suite, which includes a hashing algorithm within it. Therefore, we have selected “none” in the authentication section. If your connection uses the CBC cipher suite, you will need to select an authentication algorithm that matches what we selected on the AWS side of the VPN connection.
Step 3 - Create IKE Gateway:
Go to Network > Network Profiles > IKE Gateways:
Select Add:
- Enter a name for the gateway
- Select IKEv2 only mode as the version
- Choose IPv4 as the address type
- Select the tunnel interface (this guide uses ethernet1/1)
- Enter the Local IP Address. The address in this case is referring to the private IP address associated with the interface, in this case, ethernet 1/1.
- Select Pre-Shared Key as the authentication method
- Leave the local identification and Peer identification as default (None).
- Enter and confirm the Pre-shared Key
Figure 11: IKE Gateway configuration details in the Palo Alto firewall
Step 4 - Create an IPSec Crypto Profile
Go to Network > Network Profiles > IPSec Crypto:
Select Add:
- Enter a Crypto Profile Name
- Select ESP as the IPSec Protocol
- Select the desired parameters for Encryption, Authentication, DH Group and IPsec lifetime. The parameters selected here must match what we selected on the AWS side of the VPN connection.
Figure 12: IPSec Crypto Profile options in the Palo Alto firewall
Step 5 - Create an IPSec Tunnel
Go to Network > IPSec Tunnel:
Select Add:
- Enter the IPSec Tunnel Name
- Select the tunnel interface that was created in Step 1
- Leave the Address Type as IPv4
- Select the IKE Gateway that was created in Step 3
- Select the IPSec Crypto Profile that was created in Step 4
Figure 13: IPSec Tunnel configuration in the Palo Alto firewall
Part 4: Configure security policies on the Palo Alto firewall
In this guide, we have created a security zone named ‘VPN’ and placed the IPSec tunnels in that zone. The next step is configuring security policies. These security policies are required for the VPN to communicate:
- Allow IPSec/IKE traffic from the Public zone to the VPN IP addresses on the AWS side.
- Allow BGP traffic from the tunnel interfaces to the AWS site-to-site VPN endpoint.
Figure 14: Palo Alto security policy overview
Part 5: Configure BGP on the Palo Alto firewall
Step 1 - BGP Parameters
Go to Network > Virtual Router:
Depending on your needs, create a new virtual router or select the default option. For more information on virtual routers, please visit this page. In this guide, we will use the default router. Select the BGP option**:**
- Select Enable to enable BGP.
- Enter BGP router ID - Use the public IP address of the customer gateway to ensure the router ID is unique.
- Enter the BGP AS Number. This needs to match the ASN that we chose for the customer gateway (65512) in Step 1. if the ASN doesn’t match the customer gateway, the BGP session won’t establish, and it will not exchange routes. Find this information in the downloaded CGW configuration.
- AWS does not currently support BFD for IPsec VPN, so leave this set to “None”.
- Select the option to install the routes learned from BGP.
- Select the option to Aggregate MED to enable route aggregation, even when routes have different Multi-Exit Discriminator (MED) values.
- Depending on the BGP ASN configured, choose the option for either a 2 Byte or 4 Byte ASN.
- Select the option “Deterministic MED Comparison” to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system).
Figure 15: Palo Alto BGP configuration
For further details about how Palo Alto firewalls select the best path using BGP, please refer to this guide.
Step 2 - Configure Peer Group:
Go to Network > Virtual Router:
Create your router or select the default option and leave other parameters as default. For this guide, we will use the default router. Navigate to BGP:
Figure 16: Palo Alto BGP peer configuration
In this guide, we have enabled equal-cost multi-path routing (ECMP) on the virtual router to take advantage of the higher combined throughput offered. To configure ECMP on your Palo Alto firewall, please refer to this guide. For more on AWS Site-to-Site VPN bandwidth and throughput, please review this documentation. If using the ECMP feature, you must also enable ECMP on your transit gateway by selecting the VPN ECMP support option, as shown below.
Figure 17: AWS Transit Gateway advanced configuration options
Step 3 - Create BGP Peer
Go to Network > Virtual Router:
Create your router or select the default option. For this guide, we will use the default router and go to BGP:
- Select the BGP peer group that was created in Step 2
- Select Add
- Enter the BGP Peer Name
- Enter the BGP peer AS
- Select the tunnel interface that was created in the IPSec section (Part 3, Step 1).
- Select the IP address of the tunnel interface.
- Select Peer Address Type IP
- Enter the Peer Address
A BGP network that uses IPv4 multicast routes or IPv6 unicast prefixes needs multiprotocol BGP (MP-BGP) in order to exchange routes of address types other than IPv4 unicast. Please refer to this documentation for more information.
Figure 18: Palo Alto BGP peer advanced configuration
Step 4 - Create a Redistribution Profile. A redistribution rule is required to redistribute host routes and unknown routes that are not on the local RIB and advertise to its neighbors.
Go to Network > Virtual Router:
If you have created your own virtual router, select that, or select the default and go to Redistribution Profile:
In the IPv4 section:
Select Add
- Under Redistribute, select Redist
- For this guide, we will advertise connected routes. Please follow the security policy adopted in your organization. The advertised routes are to the AWS Transit Gateway BGP peers.
- Select the ethernet interfaces that need to be advertised and choose OK to continue.
Figure 19: Palo Alto IPv4 Route Redistribution configuration
Step 5 - Create BGP Redistribution Rules
Go to Network > Virtual Router:
If you have created your own virtual router, select that, or select the default and go to BGP:
Select Add
- Select the IPv4 address family type
- Choose the Redistribution Profile created in Step 4
- Set the metrics to anything between 1 - 65535. The higher the metric, the less preferred the route.
Figure 20: Palo Alto BGP route redistribution configuration rules
For further details on BGP redistribution rules, please refer to this Palo Alto guide.
After completing these steps, you will need to commit the changes to the Palo Alto FW after verifying that all the steps are completed.
Part 6 - Verification
Now that the VPN connections are configured, we must verify connectivity. In the AWS console, navigate to VPC > Transit Gateways > Transit Gateway Route Tables
Select your route table. If the VPN and BGP are properly functioning, the routes being propagated from the Palo Alto VPN will appear.
Figure 21: AWS Transit Gateway routes
Figure 22: AWS Site-to-Site VPN tunnel details and status
Figure 23: AWS CloudWatch Logs Log Group detail of Site-to-Site VPN logs
Within the Palo Alto firewall, navigate to Network > IPsec Tunnels. The status of both tunnels will be Up.
Figure 24: Palo Alto IPsec Tunnel status
Figure 25: Palo Alto Routing Information received from the AWS Transit Gateway
Figure 26: Palo Alto BGP peer details
Figure 27: Palo Alto BGP routing information advertised to the AWS Transit Gateway
Figure 28: Communication verification across the tunnel using ICMP and HTTP
Cleanup
The intention of this guide was to assist you in configuring a Site-to-Site VPN connection in a production environment. If this was created for temporary purposes, follow these steps to clean up your AWS environment so that you do not incur unnecessary costs.
- Clean up AWS resources.
- Delete the VPN connection.
- VPC > Virtual Private Network (VPN) > Site-to-Site VPN connections >Select the VPN connection > from Actions Menu > Select Delete VPN connection.
- VPC > Virtual Private Network (VPN) > Customer gateways > Select the customer gateway > from Actions Menu > Delete customer gateway
- Delete BGP configuration
- Delete BGP peers
Network > Virtual routers > select the configured virtual router > select BGP > Peer Group > select the configured peer Group > select the peers that need to be delete > choose Delete > ok.
Network > Virtual routers > select the configured virtual router > select BGP > peer Group > select the configured peer Group > choose Delete > ok.
- Delete the tunnel interfaces
- Network > IPsec Tunnels > Select the tunnel interface > choose Delete > ok.
- Delete IPSec policies
- Policies > Security > select the desired policies > choose Delete > ok.
- Commit the changes
- Delete the tunnel interfaces
Conclusion
In this guide, we have covered detailed best practices for configuring a Site-to-Site VPN connection between a Palo Alto firewall and an AWS Transit Gateway with a VPN attachment.
When configuring security settings between a Palo Alto firewall and AWS, always refer to the latest AWS Well-Architected Framework Security Pillar documentation, as well as Palo Alto’s Key Firewall Best Practices.
Authors: Mostafa Elkhouly, Olabanji Soaga, Tyler Applebaum
Special thanks to: Calvin Bock, Pablo Sanchez Carmona, Arshdeep Grover, Nikesh Preethapal, Austin Leath, Riggs Goodman III
- Delete the VPN connection.