Protecting and securing cloud computing resources is a key challenge for many organizations. Palo Alto Networks' VM-Series addresses this challenge by protecting AWS workloads with application visibility, control and advanced threat prevention. The VM-Series on AWS analyzes all traffic in a single pass to determine the application (App-ID), the content it carries, and the user (User-ID). Application, content and user are then used as core elements of the security policy, as well as for visibility, reporting and incident investigation.

Konekti Systems, a leader in public cloud security, gives organizations the means to build secure, cloud-centric architectures based on Palo Alto Networks VM-Series firewalls that are scalable and highly available. Konekti's team of Palo Alto Networks consultants has extensive experience deploying VM-Series firewalls in cloud environments. Konekti makes the integration of firewalls into the AWS environment seamless and cost effective through a well-defined delivery process made up of the following phases.

Planning and Requirements Gathering

Konekti, with the customer's participation, will conduct planning activities and a project kick-off call. The kick-off will include a review of the project requirements and a discussion of milestones. As part of the planning phase, Konekti will provide a Technical Requirements Document (TRD) to be reviewed and approved by the customer. The TRD will cover the following aspects of the customer's requirements:

  • Application architecture and security requirements

  • Size of the organization and its experience with Palo Alto Networks next-generation firewalls

  • AWS native services currently in use

  • External and internal compliance requirements

  • High availability requirements

  • Encryption and decryption needs (for example, SSL/TLS decryption of inbound or outbound traffic)

  • Management platform and integration with other IT systems

After approval, the final TRD will be delivered to the customer before the project moves to the next phase.

Architecture and Design

Once the initial assessment and requirements gathering are complete, Konekti works closely with the customer's teams to design the AWS architectural changes required to introduce the VM-Series firewalls, leveraging Konekti's best-practice architecture and design blueprints. Konekti will provide the customer with a High-Level Design (HLD) document that clearly defines the changes needed to integrate the Palo Alto Networks VM-Series into the AWS environment. The HLD also addresses performance and scaling concerns and includes recommendations for the VM-Series model and the EC2 instance families and sizes to be used in the design. The proposed architecture follows Palo Alto Networks' tested and verified reference architectures, using one or more of the following design constructs selected after careful consideration of the requirements:

  • Multi-Availability Zone "sandwich" architecture, with the firewalls placed between an external and an internal AWS Elastic Load Balancer (ELB) for redundancy

  • AWS Transit Gateway integration

  • Centralized inspection using AWS Gateway Load Balancer and a dedicated security VPC

  • Hybrid and multi-cloud designs

  • Integration with AWS Auto Scaling

  • Automated provisioning using Infrastructure as Code (IaC) tools such as Terraform and AWS CloudFormation

  • Zero-touch configuration (bootstrapping), including licenses and subscriptions

Deployment and Initial Configuration

Konekti will, with the customer's assistance, perform the deployment and initial configuration of the VM-Series. The goal is a deployment strategy with zero downtime for the customer's applications. The deployment and configuration tasks include the following:

  • Activation and licensing of the VM-Series firewalls

  • Configuration of security zones and security policies

  • Configuration of predefined antivirus, anti-spyware, and vulnerability protection profiles

  • Configuration of the WildFire malware analysis service

  • Integration with the Panorama management platform, if required

  • Active monitoring of the VM-Series with Amazon CloudWatch

  • Integration with third-party tools, if required

Policy Tuning

Upon completion of all configuration activities, Konekti will work with the customer to tune the security policy. Konekti will document all non-standard configuration changes.

Knowledge Transfer

Konekti consultants can provide knowledge transfer upon completion of all the tasks identified above. The sessions include a description of the as-built environment and a transfer of the information needed to manage and operate it. Knowledge transfer activities can include:

  • Review of the as-built environment

  • Review of the actions taken and decisions made during the deployment phase

  • Operational knowledge transfer for the Palo Alto Networks firewalls