Deploying Palo Alto VM-Series Firewall in HA Mode on Google Cloud Platform

Running a Palo Alto VM-Series pair in active/passive High Availability (HA) on Google Cloud Platform (GCP) keeps inspection in the path while surviving the loss of one firewall or one zone. Below, we walk through each step with the gcloud commands and PAN-OS configuration needed to build it across four Virtual Private Cloud (VPC) networks. Two facts drive the whole design: on GCP the firewall is multi-homed with one interface per VPC, so the VPCs are joined only through the firewall, and failover is detected by load balancer health checks rather than by moving an IP address between peers.

1. VPC Setup

Start by creating four VPC networks and one subnet in each; the firewall will have one interface in every VPC, so nothing else needs to connect them:

  • Untrusted VPC: where traffic from the internet enters, via the firewall's untrust interface.
  • Management/HA1 VPC: the firewall management interface, which also carries the HA1 control link.
  • HA2 VPC: a dedicated interface for HA2, the session and state synchronization link between the two firewalls.
  • Trusted VPC: the trust interface, facing internal workloads and services.
gcloud compute networks create untrusted-vpc --subnet-mode=custom
gcloud compute networks create management-ha1-vpc --subnet-mode=custom
gcloud compute networks create ha2-vpc --subnet-mode=custom
gcloud compute networks create trusted-vpc --subnet-mode=custom
# One regional subnet per VPC; each firewall needs an address in all four (ranges are examples)
gcloud compute networks subnets create untrust-subnet --network=untrusted-vpc --region=us-central1 --range=10.0.1.0/24
gcloud compute networks subnets create management-subnet --network=management-ha1-vpc --region=us-central1 --range=10.0.0.0/24
gcloud compute networks subnets create ha2-subnet --network=ha2-vpc --region=us-central1 --range=10.0.3.0/24
gcloud compute networks subnets create trust-subnet --network=trusted-vpc --region=us-central1 --range=10.0.2.0/24
    

2. Interconnectivity

Do not peer the VPCs or join them with VPN tunnels. The firewall instances are multi-homed with one interface in each VPC, so they are the only path between networks; a peering between the untrusted and management VPCs would let internet-facing traffic reach the management plane without ever passing the firewall. What the VPCs do need are VPC firewall rules that admit only the traffic each link carries, scoped by network tag rather than a blanket allow of tcp and udp from 10.0.0.0/8:

gcloud compute firewall-rules create allow-ha1 --network=management-ha1-vpc --source-tags=vmseries --target-tags=vmseries --allow=tcp:28769,tcp:28260,tcp:28,icmp   # HA1 control link; TCP 28 is used when HA1 encryption is on
gcloud compute firewall-rules create allow-ha2 --network=ha2-vpc --source-tags=vmseries --target-tags=vmseries --allow=99,udp:29281   # HA2 sync: IP protocol 99, or UDP 29281 if the HA2 transport is set to udp
gcloud compute firewall-rules create allow-mgmt --network=management-ha1-vpc --source-ranges=<ADMIN-CIDR> --target-tags=vmseries --allow=tcp:22,tcp:443   # management only from your admin range, never 0.0.0.0/0
gcloud compute firewall-rules create allow-trust-in --network=trusted-vpc --source-ranges=10.0.0.0/8 --target-tags=vmseries --allow=all   # trust side admits everything; PAN-OS security policy does the real filtering
    

3. Firewall Instance Deployment

Deploy the two VM-Series instances, one per zone, each with four network interfaces, one in every VPC, and tagged so the rules from step 2 apply. The interface order matters: GCP presents nic0 to PAN-OS as the management port and nic1, nic2, nic3 as ethernet1/1, ethernet1/2, ethernet1/3, and GCP's external passthrough load balancer delivers traffic only to nic0. Putting the untrust subnet first and setting the mgmt-interface-swap=enable metadata key makes PAN-OS treat nic1 as management, so after boot nic0 is ethernet1/1 (untrust), nic2 is ethernet1/2 (trust) and nic3 is ethernet1/3 (HA2). --can-ip-forward is required or GCP drops packets the firewall forwards on behalf of other hosts. Pick a machine type from the VM-Series support list that also allows four NICs (n2-standard-4 here); the public images live in the paloaltonetworksgcp-public project.

for fw in palo-alto-active:us-central1-a palo-alto-passive:us-central1-b; do
  gcloud compute instances create "${fw%%:*}" --zone="${fw##*:}" --machine-type=n2-standard-4 --can-ip-forward --tags=vmseries \
    --image=YOUR_FIREWALL_IMAGE --image-project=YOUR_IMAGE_PROJECT --metadata=mgmt-interface-swap=enable \
    --network-interface=network=untrusted-vpc,subnet=untrust-subnet \
    --network-interface=network=management-ha1-vpc,subnet=management-subnet,no-address \
    --network-interface=network=trusted-vpc,subnet=trust-subnet,no-address \
    --network-interface=network=ha2-vpc,subnet=ha2-subnet,no-address
done
    

4. HA Network Interfaces

HA1, the control link, runs over the management interface and needs nothing beyond the peer's address. HA2, the session and state synchronization link, needs its own dataplane interface set to type HA: with the interface order from step 3 that is ethernet1/3, which sits in the HA2 VPC. Configure both peers from the PAN-OS CLI (SSH to the management IP as admin; the management interface has no public address, so reach it through a bastion or IAP TCP forwarding). Each peer's peer-ip is the other firewall's management IP, and each gets its own address in the HA2 subnet.

ssh admin@<MGMT-IP>
configure
set network interface ethernet ethernet1/3 ha
set deviceconfig high-availability interface ha1 port management
set deviceconfig high-availability interface ha2 port ethernet1/3 ip-address <HA2-IP> netmask 255.255.255.0
set deviceconfig high-availability group peer-ip <PEER-MGMT-IP>
# Paths follow the PAN-OS configuration tree; press ? after any token to confirm it on your release
    

5. Routing Configuration

Routing is where a static next hop breaks HA: a route whose next hop is the palo-alto-active instance still points at it after a failover, so everything behind the trusted VPC goes dark until someone edits the route. On GCP the next hop should be the forwarding rule of an internal passthrough load balancer (built in the load balancer steps below); its health check follows the active peer, and the route follows it. Install the route in the trusted VPC, where workloads originate the traffic that must be inspected, with a priority that beats the default internet route. The untrusted side needs no custom route, because inbound traffic arrives through the external load balancer.

gcloud compute routes create trust-default-via-fw --network=trusted-vpc --destination-range=0.0.0.0/0 --priority=900 --next-hop-ilb=<ILB-FORWARDING-RULE> --next-hop-ilb-region=us-central1
    

6. Load Balancer Type

An HTTP(S) load balancer is the wrong tool here: it terminates TLS and proxies HTTP at Google's edge, so the firewall sees neither the client's real source address nor anything but HTTP, and it cannot be the next hop of a route. A VM-Series pair needs passthrough (layer 4) load balancing in both directions: a regional external passthrough Network Load Balancer in front of the untrust interfaces for inbound traffic, and a regional internal passthrough Network Load Balancer on the trust side for outbound traffic (next section). Both are backend-service based and share one TCP health check on port 443. The dataplane interfaces need an interface management profile that permits HTTPS so the active peer answers the probe; the passive peer's dataplane links stay down, so it fails the probe and receives nothing. VPC rules must admit Google's prober ranges 35.191.0.0/16 and 130.211.0.0/22. Because packets arrive on the firewall still addressed to the load balancer's IP, PAN-OS needs a destination NAT and security policy for that address.

Load Balancer Setup Steps

  1. Reserve a regional external IP address
    gcloud compute addresses create fw-public-ip --region=us-central1
  2. Create a regional TCP health check
    gcloud compute health-checks create tcp fw-hc --region=us-central1 --port=443 --check-interval=5s --timeout=5s --healthy-threshold=2 --unhealthy-threshold=2
  3. Admit the probers and the published port on the untrust side
    gcloud compute firewall-rules create allow-hc-untrust --network=untrusted-vpc --source-ranges=35.191.0.0/16,130.211.0.0/22 --target-tags=vmseries --allow=tcp:443
    gcloud compute firewall-rules create allow-inbound-untrust --network=untrusted-vpc --source-ranges=0.0.0.0/0 --target-tags=vmseries --allow=tcp:443
  4. Put each firewall in an unmanaged instance group (one per zone)
    gcloud compute instance-groups unmanaged create ig-palo-alto-active --zone=us-central1-a
    gcloud compute instance-groups unmanaged add-instances ig-palo-alto-active --zone=us-central1-a --instances=palo-alto-active
    (repeat for palo-alto-passive in us-central1-b)
  5. Create the external backend service and add both groups
    gcloud compute backend-services create fw-ext-backend --region=us-central1 --load-balancing-scheme=EXTERNAL --protocol=TCP --health-checks=fw-hc --health-checks-region=us-central1
    gcloud compute backend-services add-backend fw-ext-backend --region=us-central1 --instance-group=ig-palo-alto-active --instance-group-zone=us-central1-a
    gcloud compute backend-services add-backend fw-ext-backend --region=us-central1 --instance-group=ig-palo-alto-passive --instance-group-zone=us-central1-b
  6. Create the forwarding rule for the published port(s)
    gcloud compute forwarding-rules create fw-ext-rule --region=us-central1 --load-balancing-scheme=EXTERNAL --address=fw-public-ip --ip-protocol=TCP --ports=443 --backend-service=fw-ext-backend --backend-service-region=us-central1

7. Load Balancer Configuration

The second load balancer is an internal passthrough Network Load Balancer in the trusted VPC: it is what gives outbound and east-west traffic a next hop that follows failover. Its backend service is bound to the trusted VPC so that health checks and traffic go to each firewall's trust interface rather than nic0, its backends are the same two instance groups (repeat step 5's add-backend commands against fw-ilb-backend), the trusted VPC needs the same prober rule as step 3, and the forwarding rule accepts all ports because it will be the next hop of the default route from step 5. Its name, fw-ilb-rule, is the value for that route's --next-hop-ilb.

gcloud compute backend-services create fw-ilb-backend --region=us-central1 --load-balancing-scheme=INTERNAL --protocol=TCP --network=trusted-vpc --health-checks=fw-hc --health-checks-region=us-central1
gcloud compute forwarding-rules create fw-ilb-rule --region=us-central1 --load-balancing-scheme=INTERNAL --network=trusted-vpc --subnet=trust-subnet --ip-protocol=TCP --ports=ALL --backend-service=fw-ilb-backend --backend-service-region=us-central1
    
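Steps 1 through 7 as one script, an added example that is not part of the original post and not Palo Alto Networks' own tooling. It assumes the names used in this article (the four VPCs and subnets, the vmseries tag, fw-hc, fw-ext-backend, fw-ilb-backend, fw-ilb-rule), 10.0.x.0/24 ranges, an admin source range of 203.0.113.0/24, and keeps the post's image placeholders; by default it only prints every gcloud command, and DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example, not code from the post or from Palo Alto Networks: the full
# gcloud build for a VM-Series active/passive pair, including what the post's
# snippets omit (subnets, four NICs, HA firewall rules, a shared TCP health
# check, an external passthrough LB for inbound and an internal one as the
# trust-side default route). All names and ranges below are assumptions.
set -eu

REGION=${REGION:-us-central1}; ZONE_A=${ZONE_A:-us-central1-a}; ZONE_B=${ZONE_B:-us-central1-b}
IMAGE=${IMAGE:-YOUR_FIREWALL_IMAGE}; IMAGE_PROJECT=${IMAGE_PROJECT:-YOUR_IMAGE_PROJECT}
MACHINE_TYPE=${MACHINE_TYPE:-n2-standard-4}   # must allow 4 NICs and be on the VM-Series support list
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.0/24}      # assumed admin source range (TEST-NET-3)
DRY_RUN=${DRY_RUN:-1}                         # 1 = print commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

create_networks() {
  for n in untrusted management-ha1 trusted ha2; do
    run gcloud compute networks create "$n-vpc" --subnet-mode=custom
  done
  run gcloud compute networks subnets create untrust-subnet --network=untrusted-vpc --region="$REGION" --range=10.0.1.0/24
  run gcloud compute networks subnets create management-subnet --network=management-ha1-vpc --region="$REGION" --range=10.0.0.0/24
  run gcloud compute networks subnets create trust-subnet --network=trusted-vpc --region="$REGION" --range=10.0.2.0/24
  run gcloud compute networks subnets create ha2-subnet --network=ha2-vpc --region="$REGION" --range=10.0.3.0/24
}

create_firewall_rules() {
  # HA1 control link between the two management NICs: TCP 28769/28260 in the clear,
  # TCP 28 with HA1 encryption, ICMP heartbeats. HA2 sync: IP protocol 99, or UDP 29281.
  run gcloud compute firewall-rules create allow-ha1 --network=management-ha1-vpc \
      --source-tags=vmseries --target-tags=vmseries --allow=tcp:28769,tcp:28260,tcp:28,icmp
  run gcloud compute firewall-rules create allow-ha2 --network=ha2-vpc \
      --source-tags=vmseries --target-tags=vmseries --allow=99,udp:29281
  # Management plane only from the admin range, never from 0.0.0.0/0.
  run gcloud compute firewall-rules create allow-mgmt --network=management-ha1-vpc \
      --source-ranges="$ADMIN_CIDR" --target-tags=vmseries --allow=tcp:22,tcp:443
  # Google's health-check probers must reach the data-plane NICs in both data VPCs.
  for n in untrusted-vpc trusted-vpc; do
    run gcloud compute firewall-rules create "allow-hc-$n" --network="$n" \
        --source-ranges=35.191.0.0/16,130.211.0.0/22 --target-tags=vmseries --allow=tcp:443
  done
  # Published service on untrust; trust side admits everything, PAN-OS policy filters it.
  run gcloud compute firewall-rules create allow-inbound-untrust --network=untrusted-vpc \
      --source-ranges=0.0.0.0/0 --target-tags=vmseries --allow=tcp:443
  run gcloud compute firewall-rules create allow-trust-in --network=trusted-vpc \
      --source-ranges=10.0.0.0/8 --target-tags=vmseries --allow=all
}

# NIC order matters: the external passthrough LB delivers only to nic0, so untrust is
# first and mgmt-interface-swap=enable makes PAN-OS use nic1 as management. Result:
# nic0=ethernet1/1 (untrust) nic1=mgmt/HA1 nic2=ethernet1/2 (trust) nic3=ethernet1/3 (HA2).
create_firewall() {   # $1 instance name, $2 zone
  run gcloud compute instances create "$1" --zone="$2" --machine-type="$MACHINE_TYPE" \
      --can-ip-forward --tags=vmseries --image="$IMAGE" --image-project="$IMAGE_PROJECT" \
      --metadata=mgmt-interface-swap=enable \
      --network-interface=network=untrusted-vpc,subnet=untrust-subnet \
      --network-interface=network=management-ha1-vpc,subnet=management-subnet,no-address \
      --network-interface=network=trusted-vpc,subnet=trust-subnet,no-address \
      --network-interface=network=ha2-vpc,subnet=ha2-subnet,no-address
  run gcloud compute instance-groups unmanaged create "ig-$1" --zone="$2"
  run gcloud compute instance-groups unmanaged add-instances "ig-$1" --zone="$2" --instances="$1"
}

create_load_balancers() {
  # One regional TCP/443 check for both LBs; the data-plane interfaces need an interface
  # management profile permitting HTTPS, and only the active peer answers it.
  run gcloud compute health-checks create tcp fw-hc --region="$REGION" --port=443 \
      --check-interval=5s --timeout=5s --healthy-threshold=2 --unhealthy-threshold=2
  run gcloud compute backend-services create fw-ilb-backend --region="$REGION" \
      --load-balancing-scheme=INTERNAL --protocol=TCP --network=trusted-vpc \
      --health-checks=fw-hc --health-checks-region="$REGION"
  run gcloud compute addresses create fw-public-ip --region="$REGION"
  run gcloud compute backend-services create fw-ext-backend --region="$REGION" \
      --load-balancing-scheme=EXTERNAL --protocol=TCP --health-checks=fw-hc --health-checks-region="$REGION"
  for ig in "ig-palo-alto-active:$ZONE_A" "ig-palo-alto-passive:$ZONE_B"; do
    for be in fw-ilb-backend fw-ext-backend; do
      run gcloud compute backend-services add-backend "$be" --region="$REGION" \
          --instance-group="${ig%%:*}" --instance-group-zone="${ig##*:}"
    done
  done
  # The ILB rule takes all ports because it is a route next hop; the external rule publishes 443.
  run gcloud compute forwarding-rules create fw-ilb-rule --region="$REGION" --load-balancing-scheme=INTERNAL \
      --network=trusted-vpc --subnet=trust-subnet --ip-protocol=TCP --ports=ALL \
      --backend-service=fw-ilb-backend --backend-service-region="$REGION"
  run gcloud compute forwarding-rules create fw-ext-rule --region="$REGION" --load-balancing-scheme=EXTERNAL \
      --address=fw-public-ip --ip-protocol=TCP --ports=443 \
      --backend-service=fw-ext-backend --backend-service-region="$REGION"
  # Default route for trust-side workloads follows the ILB, and therefore the active peer.
  run gcloud compute routes create trust-default-via-fw --network=trusted-vpc --destination-range=0.0.0.0/0 \
      --priority=900 --next-hop-ilb=fw-ilb-rule --next-hop-ilb-region="$REGION"
}

deploy_all() {
  create_networks; create_firewall_rules
  create_firewall palo-alto-active "$ZONE_A"; create_firewall palo-alto-passive "$ZONE_B"
  create_load_balancers
}

deploy_all
```

Run it once as-is to review the plan, then with DRY_RUN=0 to build; the PAN-OS side (HA group, interface management profile for the health check, NAT and security policy) still follows in steps 4 and 8.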

8. Session Synchronization

Session synchronization is what makes a failover invisible to established flows: the active peer copies its session table to the passive one over HA2, so the surviving firewall already knows every session when it takes over. Enable the HA group on both peers with state synchronization on, commit, then confirm that one peer is active, the other passive, and the running configuration is synchronized. Session state is sensitive, which is why HA2 stays on its own VPC and the rule from step 2 admits only the two firewalls on it.

# On each peer's PAN-OS CLI, in configure mode
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group group-id 1
set deviceconfig high-availability group mode active-passive
set deviceconfig high-availability group state-synchronization enabled yes
commit
# exit to operational mode, then expect active/passive peers and "synchronized"
show high-availability state
    

9. Monitoring and Alerts

Use Cloud Monitoring for the infrastructure view and PAN-OS for the HA view. The firewall itself records every HA state change as a system log; forward those by syslog or SNMP trap to the place you alert from, because Cloud Monitoring cannot see inside the pair. A first alerting policy that earns its keep fires when a firewall instance stops reporting at all (the original condition watched disk write throughput under the name 'High Latency', which signals neither). The alpha command takes a policy file, and the channel is a notification-channel resource name rather than a display name:

cat > fw-peer-down.yaml <<'EOF'
displayName: vmseries-peer-down
combiner: OR
conditions:
- displayName: VM-Series instance stopped reporting uptime
  conditionAbsent:
    filter: 'resource.type="gce_instance" AND metric.type="compute.googleapis.com/instance/uptime" AND metric.labels.instance_name=starts_with("palo-alto")'
    duration: 300s
notificationChannels:
- projects/<PROJECT-ID>/notificationChannels/<CHANNEL-ID>
EOF
gcloud alpha monitoring policies create --policy-from-file=fw-peer-down.yaml
    

10. Failover Testing

Failover drills are part of the deployment, not an afterthought. Stopping the active instance is the blunt test and also the realistic one for a zone outage; a gentler drill is `request high-availability state suspend` on the active peer's PAN-OS CLI, reversed afterwards with `request high-availability state functional`. Either way, watch two things: `show high-availability state` on the surviving peer, and the load balancer's backend health, which is what actually steers traffic on GCP. Keep a long-lived session open through the firewall during the test to confirm that HA2 synchronization carried it over, note how long it takes until exactly one backend is healthy, then fail back and repeat in the other direction.

gcloud compute instances stop palo-alto-active --zone=us-central1-a
gcloud compute backend-services get-health <ILB-BACKEND-SERVICE> --region=us-central1   # only palo-alto-passive should report HEALTHY
    
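A repeatable drill for this step, as an added example that is not part of the original post. It assumes the names used in this article's load balancer setup (backend service fw-ilb-backend in us-central1, instances palo-alto-active in us-central1-a and palo-alto-passive in us-central1-b), an authenticated gcloud, and a get-health output projection that you should compare against --format=json before trusting.

```shell
#!/bin/sh
# Added example (not from the post): a failover drill that watches what actually
# matters on GCP, the load balancer's view of backend health. Assumed names:
# backend service fw-ilb-backend in us-central1 in front of palo-alto-active
# (us-central1-a) and palo-alto-passive (us-central1-b).
set -eu

REGION=${REGION:-us-central1}
BACKEND=${BACKEND:-fw-ilb-backend}
POLL=${POLL:-5}          # seconds between health polls

# One "instance<TAB>HEALTHY|UNHEALTHY" line per backend VM. The projection is an
# assumption about gcloud's get-health output; check it against --format=json.
backend_health() {
  gcloud compute backend-services get-health "$BACKEND" --region "$REGION" \
    --format='value(status.healthStatus[].instance.basename(),status.healthStatus[].healthState)'
}

# Names of backends currently passing the probe. In a correct active/passive pair
# this is exactly one name: two healthy peers means the LB would spray flows over
# both firewalls and the passive one would drop sessions it never saw start.
healthy_backends() { backend_health | awk -F'\t' '$2 == "HEALTHY" { print $1 }'; }

# Wait until the healthy set is exactly $1; print the seconds taken, or fail after $2.
wait_for_active() {
  expected=$1; timeout=${2:-180}; start=$(date +%s)
  while :; do
    healthy=$(healthy_backends | tr '\n' ' ' | sed 's/ $//')
    elapsed=$(( $(date +%s) - start ))
    if [ "$healthy" = "$expected" ]; then echo "$elapsed"; return 0; fi
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timeout after ${elapsed}s; healthy backends: '${healthy:-none}'" >&2; return 1
    fi
    sleep "$POLL"
  done
}

failover_drill() {   # $1 active peer, $2 passive peer, $3 zone of the active peer
  echo "pre-check: $1 must be the only healthy backend"
  wait_for_active "$1" 30 >/dev/null
  echo "stopping $1 ..."
  gcloud compute instances stop "$1" --zone "$3" --quiet
  secs=$(wait_for_active "$2")
  echo "load balancer moved to $2 after ${secs}s"
  echo "now start $1 again, confirm it rejoins as passive, and rerun in the other direction"
}

case "${1:-}" in
  status) backend_health ;;
  drill)  failover_drill palo-alto-active palo-alto-passive us-central1-a ;;
  *)      echo "usage: $0 status|drill" ;;
esac
```

The drill refuses to start unless the pair is already in a clean state (exactly one healthy backend), which is the check most teams skip and the reason a "successful" drill sometimes hides a pair that was split-brained before it began.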

Conclusion

This guide outlines the deployment of a Palo Alto VM-Series pair in active/passive HA on Google Cloud Platform: four VPCs joined only by the multi-homed firewalls, HA1 over the management interface and HA2 on a dedicated link, passthrough load balancers whose health checks follow the active peer, and a route that follows the load balancer rather than a fixed instance. Built this way, the pair survives the loss of a firewall or a zone without anyone editing a route, and the drills in step 10 prove it before an outage does.


William Funchal

I'm CrewAI certified by @CrewAI and @DeepLearning, specializing in developing AI-driven microservices and Multi AI Agents architecture. (Java | Python | Crew AI).
I’ve been developing multi-agent systems powered by Gen AI, as distributed event-driven microservices. With over 21 years of experience, I have a proven track record in web, mobile, IoT, and high-availability application development.

My core competencies include the Crew AI framework, Multi AI Agents development, Python, Java (Spring Boot, Quarkus, Mutiny, Vert.x Event-Driven Architecture), and Kubernetes cluster deployment. I am also proficient in .NET Core, NoSQL Databases, Docker, and device protocols like BLE, Modbus, and TCP.

In my previous job at Philips, I helped design and develop backend microservices for Philips ECG Solutions (Heart Monitoring). This teamwork provided real-time diagnostic systems for patients' heart care.
Today, I work part-time as the System Architect at Mobitraxx. I lead the development of new software solutions.
