Configure the Deployment Settings

In this section we will review the configuration steps for the VCN, route tables, gateways, Palo Alto firewalls and OCI Flexible Network Load Balancers shown in the reference architecture.

Configure VCN

Configure the VCN, subnets and route tables as follows.

  • The Hub VCN has four subnets dedicated to Palo Alto (management, trust, untrust and inbound); of these, only hub-tok-inbound-sn is public. A fifth subnet, hub-tok-publiclb-sn, holds the public load balancers.
  • The subnet hub-tok-mgmt-sn is for the Palo Alto management interfaces; each firewall's primary VNIC is deployed here.
  • The subnet hub-tok-trust-sn is for the Palo Alto trust interfaces and hosts the internal (trust) OCI Flexible Network Load Balancer.
  • The subnet hub-tok-untrust-sn is a private subnet used to provide outbound internet access, via the NAT gateway, to the VMs in OCI.
  • The subnet hub-tok-publiclb-sn is the public subnet for exposing DMZ services to the internet and contains all the public IPs. The public OCI Flexible Network Load Balancer lives in this subnet, while its backend VMs live in the spoke VCN of the application or environment.
  • The internet gateway, service gateway and NAT gateway of the Hub VCN each have a route table attached; this is what makes the Palo Alto firewalls a pass-through device between zones.
  • No public IP is attached to the Palo Alto firewalls for exposing services to the internet.
  • The load balancers, NLBs and servers that need to expose a service to the internet are deployed in the hub-tok-publiclb-sn subnet with a public IP attached.
  • Route table IGW-RT has a route for the public subnet 10.1.1.0/25 pointing to the inbound NLB IP 10.1.1.198, so inbound internet traffic passes through the firewalls before reaching the public load balancers.
  • Route tables NGW-RT and SGW-RT are empty; no routes are needed.
  • The VCN attachment route table (attached to the Hub VCN's DRG attachment) has a default route 0.0.0.0/0 and a specific route for hub-tok-shared-sn 10.1.1.128/27, both pointing to the trust NLB IP 10.1.1.229.
  • The route table of subnet hub-tok-publiclb-sn has a default route pointing to the inbound NLB IP 10.1.1.198 and routes for the spoke ranges to the DRG.
  • The route table of subnet hub-tok-inbound-sn has a default route to the internet gateway.
  • The route table of subnet hub-tok-untrust-sn has a default route to the NAT gateway and a route for all Oracle Services Network ranges of that region to the service gateway.
  • The route table of subnet hub-tok-trust-sn has routes for the spoke ranges and on-premises ranges to the DRG.
  • All spoke subnet route tables have a static default route to the DRG.
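The gateway and subnet route tables listed above, written out with the hashicorp/oci Terraform provider. This is an added example, not the reference architecture's own code. It assumes a Hub VCN range of 10.1.0.0/16 and takes the compartment OCID, the spoke and on-premises ranges, and the OCID of the inbound NLB's private IP (10.1.1.198) as inputs; the spoke VCNs' own subnet route tables are not shown.

```hcl
# Added example, not the reference architecture's own code: the Hub VCN
# gateways and route tables listed above, in hashicorp/oci Terraform.
# Inputs: compartment OCID, spoke/on-premises ranges, and the OCID of the
# inbound NLB's private IP (10.1.1.198); the VCN CIDR 10.1.0.0/16 is assumed.
variable "compartment_id" { type = string }
variable "inbound_nlb_private_ip_id" { type = string } # private IP OCID of 10.1.1.198
variable "spoke_cidrs" { type = list(string) }         # spoke VCN ranges
variable "onprem_cidrs" { type = list(string) }        # on-premises ranges

resource "oci_core_vcn" "hub" {
  compartment_id = var.compartment_id
  cidr_blocks    = ["10.1.0.0/16"]
  display_name   = "hub-tok-vcn"
}

resource "oci_core_drg" "hub" {
  compartment_id = var.compartment_id
  display_name   = "hub-tok-drg"
}

# Oracle Services Network label for this region (service gateway target).
data "oci_core_services" "osn" {
  filter {
    name   = "name"
    values = ["All .* Services In Oracle Services Network"]
    regex  = true
  }
}

# Gateway (ingress) route tables: IGW-RT steers internet traffic for the
# public LB subnet into the inbound NLB so the firewalls inspect it first;
# NGW-RT and SGW-RT are attached but intentionally empty.
resource "oci_core_route_table" "igw_rt" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "IGW-RT"
  route_rules {
    destination       = "10.1.1.0/25" # hub-tok-publiclb-sn
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.inbound_nlb_private_ip_id
  }
}

resource "oci_core_route_table" "empty_rt" {
  for_each       = toset(["NGW-RT", "SGW-RT"])
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  display_name   = each.key
}

resource "oci_core_internet_gateway" "hub" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  route_table_id = oci_core_route_table.igw_rt.id
}

resource "oci_core_nat_gateway" "hub" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  route_table_id = oci_core_route_table.empty_rt["NGW-RT"].id
}

resource "oci_core_service_gateway" "hub" {
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  route_table_id = oci_core_route_table.empty_rt["SGW-RT"].id
  services { service_id = data.oci_core_services.osn.services[0].id }
}

# Subnet route tables, one per Hub subnet, built from a map of rules.
locals {
  subnet_rules = {
    "hub-tok-publiclb-rt" = concat(
      [{ dest = "0.0.0.0/0", type = "CIDR_BLOCK", to = var.inbound_nlb_private_ip_id }],
      [for c in var.spoke_cidrs : { dest = c, type = "CIDR_BLOCK", to = oci_core_drg.hub.id }])
    "hub-tok-inbound-rt" = [{ dest = "0.0.0.0/0", type = "CIDR_BLOCK", to = oci_core_internet_gateway.hub.id }]
    "hub-tok-untrust-rt" = [
      { dest = "0.0.0.0/0", type = "CIDR_BLOCK", to = oci_core_nat_gateway.hub.id },
      { dest = data.oci_core_services.osn.services[0].cidr_block, type = "SERVICE_CIDR_BLOCK", to = oci_core_service_gateway.hub.id },
    ]
    "hub-tok-trust-rt" = [for c in concat(var.spoke_cidrs, var.onprem_cidrs) : { dest = c, type = "CIDR_BLOCK", to = oci_core_drg.hub.id }]
  }
}

resource "oci_core_route_table" "subnet_rt" {
  for_each       = local.subnet_rules
  compartment_id = var.compartment_id
  vcn_id         = oci_core_vcn.hub.id
  display_name   = each.key
  dynamic "route_rules" {
    for_each = each.value
    content {
      destination       = route_rules.value.dest
      destination_type  = route_rules.value.type
      network_entity_id = route_rules.value.to
    }
  }
}
```

Two checks worth making after apply: the IGW-RT rule must target the private IP OCID (not the address) of the inbound NLB, and the gateway route tables must actually be attached to the gateways, otherwise return traffic from the public LB subnet goes straight to the internet gateway and bypasses the firewalls.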

Configure OCI Flexible Network Load Balancer

In this section we will review the OCI Flexible Network Load Balancer configuration for the active/active Palo Alto deployment.

  1. Create a private NLB named inbound-nlb with source/destination header preservation and symmetric hashing enabled. Header preservation lets the firewalls see the original client and destination addresses; symmetric hashing keeps both directions of a flow on the same firewall, which a stateful inspection engine requires.
  2. Choose the inbound subnet (hub-tok-inbound-sn); although it is a public subnet, create the NLB as private.
  3. The listener should be of protocol type Any (TCP/UDP/ICMP) on any port.
  4. Add the IP addresses of the Palo Alto VMs' inbound NICs as the backends of the NLB backend set, on any port.
  5. Configure the health check on TCP port 22. The timer values can be tuned to control how quickly a failure is detected; the default values are used in this example.
  6. Follow the same steps to configure the trust NLB in the trust subnet; the only change is to use the Palo Alto trust interface IPs as the backend set.
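The two NLBs from the steps above, as an added example in hashicorp/oci Terraform (not the reference architecture's own code). It takes the compartment and subnet OCIDs and each firewall's inbound and trust NIC addresses as inputs, and finishes by looking up the private IP OCIDs that the route tables need as next hops.

```hcl
# Added example, not the reference architecture's own code: the inbound and
# trust NLBs from the steps above, in hashicorp/oci Terraform. Inputs:
# compartment and subnet OCIDs plus each firewall's inbound and trust NIC IPs.
variable "compartment_id" { type = string }
variable "inbound_subnet_id" { type = string } # hub-tok-inbound-sn (public subnet)
variable "trust_subnet_id" { type = string }   # hub-tok-trust-sn
variable "fw_inbound_ips" { type = list(string) } # inbound NIC IP of each firewall
variable "fw_trust_ips" { type = list(string) }   # trust NIC IP of each firewall

locals {
  nlbs = {
    inbound = { subnet_id = var.inbound_subnet_id, backends = var.fw_inbound_ips }
    trust   = { subnet_id = var.trust_subnet_id, backends = var.fw_trust_ips }
  }
  # One backend entry per (NLB, firewall IP) pair.
  backends = { for b in flatten([for k, v in local.nlbs :
    [for ip in v.backends : { key = "${k}-${ip}", nlb = k, ip = ip }]]) : b.key => b }
}

resource "oci_network_load_balancer_network_load_balancer" "fw" {
  for_each       = local.nlbs
  compartment_id = var.compartment_id
  display_name   = "${each.key}-nlb"
  subnet_id      = each.value.subnet_id
  is_private     = true # no public IP, even though the inbound subnet is public
  # Header preservation: packets arrive at the firewall with the original
  # source and destination addresses, so policy is applied to real IPs.
  is_preserve_source_destination = true
  # Symmetric hashing: both directions of a flow land on the same firewall,
  # which a stateful engine needs in order to see the whole session.
  is_symmetric_hash_enabled = true
}

resource "oci_network_load_balancer_backend_set" "fw" {
  for_each                 = local.nlbs
  name                     = "${each.key}-fw-bs"
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.fw[each.key].id
  policy                   = "FIVE_TUPLE"
  health_checker {
    protocol = "TCP"
    port     = 22 # interval/timeout/retries left at provider defaults
  }
}

# Listener on protocol ANY (TCP, UDP and ICMP) and port 0 (any port).
resource "oci_network_load_balancer_listener" "fw" {
  for_each                 = local.nlbs
  name                     = "${each.key}-any"
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.fw[each.key].id
  default_backend_set_name = oci_network_load_balancer_backend_set.fw[each.key].name
  protocol                 = "ANY"
  port                     = 0
}

resource "oci_network_load_balancer_backend" "fw" {
  for_each                 = local.backends
  backend_set_name         = oci_network_load_balancer_backend_set.fw[each.value.nlb].name
  network_load_balancer_id = oci_network_load_balancer_network_load_balancer.fw[each.value.nlb].id
  ip_address               = each.value.ip
  port                     = 0 # any port
}

# Route rules need the OCID of each NLB's private IP, not the address itself;
# look it up by address within the NLB's subnet.
data "oci_core_private_ips" "nlb" {
  for_each   = local.nlbs
  subnet_id  = each.value.subnet_id
  ip_address = [for ip in oci_network_load_balancer_network_load_balancer.fw[each.key].ip_addresses : ip.ip_address if !ip.is_public][0]
}

output "nlb_private_ip_ids" {
  value = { for k, d in data.oci_core_private_ips.nlb : k => d.private_ips[0].id }
}
```

The output map (keys inbound and trust) supplies the next-hop OCIDs for the IGW, public LB subnet and VCN attachment route tables. A TCP/22 health check only proves the management plane on that NIC answers; if the data plane can fail independently, consider a probe that exercises a firewall policy instead.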

Configure Palo Alto Firewall Settings

In this section, we will review the Palo Alto firewall configuration steps.

  1. Deploy two standalone Palo Alto devices in OCI, referring to the link shared in the Before You Begin section. In this deployment each device has four NICs: management NIC, trust NIC, untrust NIC and inbound NIC.
  2. Make sure the NICs in the Palo Alto configuration GUI are in the same order as the VNICs shown in the OCI console.
  3. Create an additional virtual router, inbound-rtr, in Palo Alto and attach the inbound NIC to it.
  4. This virtual router is needed so that Palo Alto can hold two default routes on its data plane: one for egress internet access via the OCI NAT gateway (default virtual router, untrust NIC) and the other for ingress internet exposure via the internet gateway (inbound-rtr, inbound NIC).
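Steps 3 and 4 for one firewall, as an added example using the PaloAltoNetworks/panos Terraform provider (not code from the reference architecture or from Palo Alto). It assumes ethernet1/2 is the untrust NIC and ethernet1/3 the inbound NIC (matching the OCI VNIC order), that the data-plane NICs take their addresses from OCI DHCP, and that the subnet gateway addresses are supplied as inputs; the trust and management interfaces are left as deployed.

```hcl
# Added example, not from the reference architecture or Palo Alto's own
# docs: the inbound-rtr virtual router and the two default routes, using the
# PaloAltoNetworks/panos Terraform provider against one firewall. Assumed:
# ethernet1/2 is the untrust NIC and ethernet1/3 the inbound NIC (OCI VNIC
# order), and the subnet gateway addresses are passed in as inputs.
variable "fw_hostname" { type = string }
variable "fw_username" { type = string }
variable "fw_password" {
  type      = string
  sensitive = true
}
variable "untrust_gateway_ip" { type = string } # gateway of hub-tok-untrust-sn
variable "inbound_gateway_ip" { type = string } # gateway of hub-tok-inbound-sn

provider "panos" {
  hostname = var.fw_hostname
  username = var.fw_username
  password = var.fw_password
}

# Data-plane interfaces take their addresses from OCI DHCP; the DHCP default
# route is suppressed so each VR's default route is set explicitly below.
resource "panos_ethernet_interface" "dataplane" {
  for_each                  = { untrust = "ethernet1/2", inbound = "ethernet1/3" }
  name                      = each.value
  vsys                      = "vsys1"
  mode                      = "layer3"
  enable_dhcp               = true
  create_dhcp_default_route = false
}

# Step 3: second virtual router holding only the inbound NIC.
resource "panos_virtual_router" "inbound" {
  name       = "inbound-rtr"
  interfaces = [panos_ethernet_interface.dataplane["inbound"].name]
}

# The untrust NIC stays in the default VR.
resource "panos_virtual_router_entry" "untrust" {
  virtual_router = "default"
  interface      = panos_ethernet_interface.dataplane["untrust"].name
}

# Step 4: two default routes, one per VR. Egress: default VR -> untrust subnet
# gateway -> NAT gateway. Ingress: inbound-rtr -> inbound subnet gateway ->
# internet gateway.
resource "panos_static_route_ipv4" "egress_default" {
  name           = "default-to-natgw"
  virtual_router = panos_virtual_router_entry.untrust.virtual_router
  destination    = "0.0.0.0/0"
  next_hop       = var.untrust_gateway_ip
}

resource "panos_static_route_ipv4" "ingress_default" {
  name           = "default-to-igw"
  virtual_router = panos_virtual_router.inbound.name
  destination    = "0.0.0.0/0"
  next_hop       = var.inbound_gateway_ip
}
```

The panos provider writes candidate configuration only; a commit is still required on each firewall, and the same configuration must be applied to both devices since they are standalone rather than an HA pair.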

Configure Dynamic Routing Gateway

The DRG acts as a router in the OCI data plane between the Hub and the spoke VCNs. We will modify the route table and import distribution of each attachment to force all traffic through the Palo Alto firewalls in OCI.

  1. Create an import route distribution for the Hub attachment route table that imports routes from all attachment types.
  2. Attach the import distribution to the route table of the Hub VCN attachment.
  3. On the route table of the IPSec VPN and OCI FastConnect attachments, add static routes for the spoke VCN and Hub VCN ranges pointing to the Hub VCN attachment, and remove the import distribution, so that on-premises traffic cannot reach a spoke without crossing the firewalls.
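The three DRG steps, together with the VCN-side route table of the Hub attachment from the VCN section, as an added example in hashicorp/oci Terraform (not the reference architecture's own code). It assumes an existing DRG with an IPSec connection already attached to it, a Hub VCN range of 10.1.0.0/16, and takes the compartment, DRG, Hub VCN and IPSec tunnel OCIDs, the trust NLB private IP OCID (10.1.1.229) and the spoke ranges as inputs.

```hcl
# Added example, not the reference architecture's own code: DRG route tables
# and import distribution for the three steps above, in hashicorp/oci
# Terraform. Inputs: compartment, DRG and Hub VCN OCIDs, the trust NLB
# private-IP OCID (10.1.1.229), the spoke ranges, and the OCID of the existing
# IPSec tunnel whose DRG-created attachment receives the on-premises table.
variable "compartment_id" { type = string }
variable "drg_id" { type = string }
variable "hub_vcn_id" { type = string }
variable "trust_nlb_private_ip_id" { type = string } # private IP OCID of 10.1.1.229
variable "spoke_cidrs" { type = list(string) }
variable "ipsec_tunnel_id" { type = string }

# Step 1: import distribution that accepts routes from every attachment type.
resource "oci_core_drg_route_distribution" "hub_import" {
  drg_id            = var.drg_id
  distribution_type = "IMPORT"
  display_name      = "hub-import-all"
}

resource "oci_core_drg_route_distribution_statement" "all" {
  drg_route_distribution_id = oci_core_drg_route_distribution.hub_import.id
  action                    = "ACCEPT"
  priority                  = 1
  match_criteria { match_type = "MATCH_ALL" }
}

# Step 2: the Hub VCN attachment's DRG route table uses that distribution.
resource "oci_core_drg_route_table" "hub" {
  drg_id                           = var.drg_id
  display_name                     = "hub-vcn-drg-rt"
  import_drg_route_distribution_id = oci_core_drg_route_distribution.hub_import.id
}

# VCN-side table on the same attachment: everything entering the Hub from the
# DRG is handed to the trust NLB (default route plus the shared subnet).
resource "oci_core_route_table" "hub_attachment" {
  compartment_id = var.compartment_id
  vcn_id         = var.hub_vcn_id
  display_name   = "VCN-Attachment-RT"
  dynamic "route_rules" {
    for_each = ["0.0.0.0/0", "10.1.1.128/27"] # default + hub-tok-shared-sn
    content {
      destination       = route_rules.value
      destination_type  = "CIDR_BLOCK"
      network_entity_id = var.trust_nlb_private_ip_id
    }
  }
}

resource "oci_core_drg_attachment" "hub" {
  drg_id             = var.drg_id
  display_name       = "hub-vcn-attachment"
  drg_route_table_id = oci_core_drg_route_table.hub.id
  network_details {
    id             = var.hub_vcn_id
    type           = "VCN"
    route_table_id = oci_core_route_table.hub_attachment.id # VCN transit route table
  }
}

# Step 3: on-premises attachment table with no import distribution; only
# static routes for the Hub and spoke ranges via the Hub VCN attachment.
resource "oci_core_drg_route_table" "onprem" {
  drg_id       = var.drg_id
  display_name = "onprem-drg-rt"
}

resource "oci_core_drg_route_table_route_rule" "onprem_to_hub" {
  for_each                   = toset(concat(["10.1.0.0/16"], var.spoke_cidrs)) # assumed Hub range
  drg_route_table_id         = oci_core_drg_route_table.onprem.id
  destination                = each.value
  destination_type           = "CIDR_BLOCK"
  next_hop_drg_attachment_id = oci_core_drg_attachment.hub.id
}

# Assign the on-premises table to the DRG-created IPSec tunnel attachment
# (repeat with attachment_type = "VIRTUAL_CIRCUIT" for a FastConnect circuit).
resource "oci_core_drg_attachment_management" "ipsec" {
  attachment_type    = "IPSEC_TUNNEL"
  drg_id             = var.drg_id
  network_id         = var.ipsec_tunnel_id
  drg_route_table_id = oci_core_drg_route_table.onprem.id
}
```

After apply, the DRG route table of the IPSec and FastConnect attachments should show only the static Hub and spoke routes with the Hub VCN attachment as next hop; any dynamically imported spoke route there would let on-premises traffic bypass the firewalls.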

Note:

This architecture can be used as a reference and adapted to deploy other marketplace firewalls such as Check Point, Cisco Firepower and others. The Palo Alto setup section would need to be replaced with the equivalent configuration for the chosen firewall.