This is the diagram used to deploy this lab.
![](https://tungle.ca/wp-content/uploads/2022/08/image-1024x740.png)
Below are the steps to deploy a Palo Alto firewall on AWS:
- Create a key pair, VPC, subnets, Internet Gateway and route tables
- Create a Palo Alto instance on AWS
- Create Elastic IP addresses for the Management and Public interfaces
- Create a Windows VM in the private subnet
- Modify the Security Groups to allow traffic from the Internet to the PA and the Windows VM
- Configure a Security Policy and NAT to allow RDP traffic from the Internet to the Windows VM
Create a key pair.
![](https://tungle.ca/wp-content/uploads/2022/08/2.png)
![](https://tungle.ca/wp-content/uploads/2022/08/4.png)
![](https://tungle.ca/wp-content/uploads/2022/08/32.png)
Create a Public subnet in availability zone US-East-1a. I got an error that I cannot create a Palo Alto instance if my VPC randomly uses US-East-1e.
![](https://tungle.ca/wp-content/uploads/2022/08/33.png)
Create a Private subnet.
![](https://tungle.ca/wp-content/uploads/2022/08/34.png)
There are now three subnets in the VPC: Management, Public and Private.
![](https://tungle.ca/wp-content/uploads/2022/08/35.png)
![](https://tungle.ca/wp-content/uploads/2022/08/14.png)
![](https://tungle.ca/wp-content/uploads/2022/08/16-1024x607.png)
Create a Public Route table.
![](https://tungle.ca/wp-content/uploads/2022/08/17.png)
![](https://tungle.ca/wp-content/uploads/2022/08/18-1024x642.png)
![](https://tungle.ca/wp-content/uploads/2022/08/37-1024x584.png)
![](https://tungle.ca/wp-content/uploads/2022/08/20-1024x626.png)
Launch a Palo Alto Firewall on AWS.
![](https://tungle.ca/wp-content/uploads/2022/08/23-1024x382.png)
![](https://tungle.ca/wp-content/uploads/2022/08/24-1024x597.png)
![](https://tungle.ca/wp-content/uploads/2022/08/25-1024x654.png)
Select “Management Subnet” in the Subnet setting.
![](https://tungle.ca/wp-content/uploads/2022/08/38-1024x622.png)
Leave “Add Storage” and “Tags” at their defaults.
![](https://tungle.ca/wp-content/uploads/2022/08/27.png)
Use the Security Group that was generated automatically when creating the PA VM.
![](https://tungle.ca/wp-content/uploads/2022/08/29.png)
![](https://tungle.ca/wp-content/uploads/2022/08/30.png)
![](https://tungle.ca/wp-content/uploads/2022/08/31.png)
![](https://tungle.ca/wp-content/uploads/2022/08/39-1024x649.png)
Actions – Monitor and troubleshoot – Get instance screenshot, to confirm that PAN-OS has finished booting.
![](https://tungle.ca/wp-content/uploads/2022/08/40.png)
Go to EC2 – Network interfaces. Rename the primary interface created with the instance from “-” to “Management interface”.
![](https://tungle.ca/wp-content/uploads/2022/08/41-1024x516.png)
![](https://tungle.ca/wp-content/uploads/2022/08/42.png)
Create a Public interface for the PA in the “Public Subnet”.
![](https://tungle.ca/wp-content/uploads/2022/08/43.png)
![](https://tungle.ca/wp-content/uploads/2022/08/44.png)
Rename it from “-” to “Public interface”.
![](https://tungle.ca/wp-content/uploads/2022/08/45.png)
![](https://tungle.ca/wp-content/uploads/2022/08/46.png)
![](https://tungle.ca/wp-content/uploads/2022/08/47.png)
![](https://tungle.ca/wp-content/uploads/2022/08/48.png)
Create a Private interface for the PA in the “Private Subnet”.
![](https://tungle.ca/wp-content/uploads/2022/08/49.png)
![](https://tungle.ca/wp-content/uploads/2022/08/50.png)
Rename it from “-” to “Private interface”.
![](https://tungle.ca/wp-content/uploads/2022/08/51.png)
Attach the Private interface to the PA instance.
![](https://tungle.ca/wp-content/uploads/2022/08/54.png)
![](https://tungle.ca/wp-content/uploads/2022/08/53.png)
Disable source/destination checking (Actions – Change source/dest. check) on all three interfaces. By default an ENI drops packets whose source or destination is not its own address, which would stop the firewall from forwarding traffic between the subnets.
![](https://tungle.ca/wp-content/uploads/2022/08/54-1.png)
![](https://tungle.ca/wp-content/uploads/2022/08/55.png)
![](https://tungle.ca/wp-content/uploads/2022/08/56.png)
![](https://tungle.ca/wp-content/uploads/2022/08/57.png)
![](https://tungle.ca/wp-content/uploads/2022/08/58.png)
![](https://tungle.ca/wp-content/uploads/2022/08/59.png)
![](https://tungle.ca/wp-content/uploads/2022/08/60-1024x460.png)
![](https://tungle.ca/wp-content/uploads/2022/08/61.png)
![](https://tungle.ca/wp-content/uploads/2022/08/62.png)
Allocate an Elastic IP address and associate it with the “Public interface”.
![](https://tungle.ca/wp-content/uploads/2022/08/63.png)
Rename it from “-” to “Public EIP”.
![](https://tungle.ca/wp-content/uploads/2022/08/65.png)
Back in the Public route table,
![](https://tungle.ca/wp-content/uploads/2022/08/71.png)
create a default route (0.0.0.0/0) with the Internet Gateway as its target.
![](https://tungle.ca/wp-content/uploads/2022/08/72-1024x629.png)
![](https://tungle.ca/wp-content/uploads/2022/08/73.png)
Back in EC2 – Instances, rename the PA instance to PaloAltoVM.
![](https://tungle.ca/wp-content/uploads/2022/08/67.png)
![](https://tungle.ca/wp-content/uploads/2022/08/68.png)
SSH to the Palo Alto instance as user admin with the key pair created earlier.
![](https://tungle.ca/wp-content/uploads/2022/08/69.png)
![](https://tungle.ca/wp-content/uploads/2022/08/70.png)
Set a password for the admin user. On AWS the VM-Series is deployed with key-based SSH only, and the web UI cannot be used until a password has been set from the CLI (`configure`, `set mgt-config users admin password`, `commit`).
![](https://tungle.ca/wp-content/uploads/2022/08/76.png)
Log into the PA via a web browser.
![](https://tungle.ca/wp-content/uploads/2022/08/77.png)
![](https://tungle.ca/wp-content/uploads/2022/08/78.png)
![](https://tungle.ca/wp-content/uploads/2022/08/79.png)
![](https://tungle.ca/wp-content/uploads/2022/08/80.png)
Back in EC2 – Elastic IPs, allocate a permanent Elastic IP address for the Management interface (unlike the auto-assigned public IP, it does not change when the instance is stopped) and rename it from “-” to “Mgmt EIP”.
![](https://tungle.ca/wp-content/uploads/2022/08/120.png)
![](https://tungle.ca/wp-content/uploads/2022/08/118.png)
![](https://tungle.ca/wp-content/uploads/2022/08/124.png)
Access the PA via the Management Elastic IP address.
![](https://tungle.ca/wp-content/uploads/2022/08/122.png)
Configure the Public interface (ethernet1/1) of the PA and assign it to the Public zone.
![](https://tungle.ca/wp-content/uploads/2022/08/81.png)
![](https://tungle.ca/wp-content/uploads/2022/08/82.png)
![](https://tungle.ca/wp-content/uploads/2022/08/83.png)
![](https://tungle.ca/wp-content/uploads/2022/08/89.png)
Configure the Private interface (ethernet1/2) of the PA and assign it to the Private zone.
![](https://tungle.ca/wp-content/uploads/2022/08/85.png)
![](https://tungle.ca/wp-content/uploads/2022/08/86.png)
![](https://tungle.ca/wp-content/uploads/2022/08/87.png)
![](https://tungle.ca/wp-content/uploads/2022/08/90.png)
![](https://tungle.ca/wp-content/uploads/2022/08/123-1024x588.png)
On the PA, create a default route (0.0.0.0/0) out of the Public interface with the VPC router of the Public Subnet as next hop. In AWS that router is always the first host address of the subnet (the .1 address of a /24), not the Internet Gateway.
![](https://tungle.ca/wp-content/uploads/2022/08/91.png)
![](https://tungle.ca/wp-content/uploads/2022/08/104.png)
![](https://tungle.ca/wp-content/uploads/2022/08/105.png)
Back in VPC – Route tables, edit the routes of the “Private route” table.
![](https://tungle.ca/wp-content/uploads/2022/08/101.png)
Add a default route (0.0.0.0/0) with the PA's “Private interface” network interface as target, so that all Internet-bound traffic from the Private Subnet is forced through the firewall.
![](https://tungle.ca/wp-content/uploads/2022/08/102-1024x636.png)
![](https://tungle.ca/wp-content/uploads/2022/08/103-1024x638.png)
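The AWS side of the design is now complete: three subnets in one availability zone, a public route table pointing at the Internet Gateway, and a private route table pointing at the firewall's ENI. The checker below is an added example, not part of the original post or any AWS tooling; because the post only shows console screenshots, the VPC CIDR (10.0.0.0/16), the three /24 subnets, the route-table associations and the `igw-`/`eni-` target IDs are assumed placeholders. It encodes the two rules that bite in this layout (every subnet, and therefore every ENI of the firewall, must sit in the same AZ; the private subnet's default route must target the firewall ENI while public subnets target the IGW) and computes the addresses AWS reserves in each subnet and the VPC router address that the firewall's own default route has to use.

```python
import ipaddress

# Constructed sample plan for this lab; the CIDRs, the AZ choice and the
# igw-/eni- IDs are assumptions, not values taken from the post.
VPC_CIDR = "10.0.0.0/16"
AZ = "us-east-1a"

SUBNETS = {
    "Management Subnet": {"cidr": "10.0.0.0/24", "az": AZ, "role": "public"},
    "Public Subnet":     {"cidr": "10.0.1.0/24", "az": AZ, "role": "public"},
    "Private Subnet":    {"cidr": "10.0.2.0/24", "az": AZ, "role": "private"},
}

ROUTE_TABLES = {
    "Public route":  {"subnets": ["Management Subnet", "Public Subnet"],
                      "routes": {VPC_CIDR: "local", "0.0.0.0/0": "igw-PLACEHOLDER"}},
    "Private route": {"subnets": ["Private Subnet"],
                      "routes": {VPC_CIDR: "local", "0.0.0.0/0": "eni-PLACEHOLDER"}},
}


def aws_reserved(cidr):
    """Addresses AWS reserves in every subnet: network, VPC router (.1),
    DNS resolver (.2), future use (.3) and the broadcast address."""
    addrs = list(ipaddress.ip_network(cidr))
    return [str(a) for a in addrs[:4] + addrs[-1:]]


def vpc_router(cidr):
    """First host address of the subnet: the implicit VPC router. The firewall's
    static default route on ethernet1/1 must point here, not at the IGW."""
    return str(list(ipaddress.ip_network(cidr))[1])


def check_plan(vpc_cidr, subnets, route_tables):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)

    # 1. All ENIs of one EC2 instance must be in one AZ, so all subnets must be too.
    azs = sorted({s["az"] for s in subnets.values()})
    if len(azs) != 1:
        problems.append(f"subnets span several AZs {azs}; the firewall cannot attach ENIs across AZs")

    # 2. Each subnet must lie inside the VPC and must not overlap another subnet.
    seen = {}
    for name, s in subnets.items():
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC {vpc}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"{name} {net} overlaps {other} {onet}")
        seen[name] = net

    # 3. Every subnet is associated with exactly one route table.
    assoc = [sub for rt in route_tables.values() for sub in rt["subnets"]]
    for name in subnets:
        if assoc.count(name) != 1:
            problems.append(f"{name} is associated with {assoc.count(name)} route tables, expected 1")

    # 4. Default routes: private subnets go to the firewall ENI, public ones to the IGW.
    for rt_name, rt in route_tables.items():
        target = rt["routes"].get("0.0.0.0/0")
        roles = {subnets[sub]["role"] for sub in rt["subnets"] if sub in subnets}
        if target is None:
            problems.append(f"{rt_name} has no default route")
        elif "private" in roles and not target.startswith("eni-"):
            problems.append(f"{rt_name}: private subnet default route must target the firewall ENI, got {target}")
        elif roles == {"public"} and not target.startswith("igw-"):
            problems.append(f"{rt_name}: public subnet default route must target the Internet Gateway, got {target}")
    return problems


if __name__ == "__main__":
    for p in check_plan(VPC_CIDR, SUBNETS, ROUTE_TABLES) or ["layout OK"]:
        print(p)
    print("reserved in Private Subnet:", aws_reserved("10.0.2.0/24"))
    print("next hop for the firewall default route:", vpc_router("10.0.1.0/24"))
```

Changing the Private Subnet's AZ to us-east-1e, or pointing the private default route at the IGW, makes `check_plan` report the problem; the reserved-address list is why the first usable address you can hand to an instance or ENI in a /24 is .4.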
Back in EC2 – Instances, create a new Windows VM in the Private Subnet.
![](https://tungle.ca/wp-content/uploads/2022/08/92-1024x344.png)
![](https://tungle.ca/wp-content/uploads/2022/08/93.png)
Select “Private Subnet” in the Subnet setting and set “Auto-assign Public IP” to Disable, so the VM is reachable only through the firewall.
![](https://tungle.ca/wp-content/uploads/2022/08/94-1024x672.png)
![](https://tungle.ca/wp-content/uploads/2022/08/95.png)
![](https://tungle.ca/wp-content/uploads/2022/08/96.png)
Add an ICMP rule to this Security Group to allow ICMP traffic.
![](https://tungle.ca/wp-content/uploads/2022/08/97.png)
![](https://tungle.ca/wp-content/uploads/2022/08/98.png)
![](https://tungle.ca/wp-content/uploads/2022/08/99.png)
![](https://tungle.ca/wp-content/uploads/2022/08/100.png)
On the PA, create two security policies allowing traffic from the Private zone to the Public zone and vice versa.
![](https://tungle.ca/wp-content/uploads/2022/08/109.png)
Create an SNAT rule and a DNAT rule: the SNAT rule translates traffic from the Windows VM to the address of the Public interface (ethernet1/1), which the Public EIP maps to, so the VM can reach the Internet; the DNAT rule translates RDP (TCP 3389) arriving on ethernet1/1 to the private IP of the Windows VM. AWS translates the EIP to the interface's private address before the packet reaches the firewall, so the DNAT rule's original destination is the private address of ethernet1/1, not the EIP.
SNAT.
![](https://tungle.ca/wp-content/uploads/2022/08/110.png)
DNAT.
![](https://tungle.ca/wp-content/uploads/2022/08/112.png)
![](https://tungle.ca/wp-content/uploads/2022/08/113.png)
![](https://tungle.ca/wp-content/uploads/2022/08/114.png)
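The firewall settings configured through the GUI in this section (interfaces, zones, default route, NAT and security policy) correspond to the PAN-OS set commands produced by the generator below. It is an added example, not the post's configuration; it assumes ethernet1/1 (Public zone) receives 10.0.1.10 in 10.0.1.0/24 and ethernet1/2 (Private zone) an address in 10.0.2.0/24 via DHCP, and that the Windows VM is 10.0.2.20. It narrows the inbound rule to RDP from a chosen source address instead of the any/any policies shown above, and it derives the next hop from the subnet CIDR because the VPC router always sits at the first host address.

```python
import ipaddress

# Assumed lab addressing (not from the post): public subnet, the firewall's
# ethernet1/1 address (the Public EIP maps 1:1 to it) and the Windows VM.
PUBLIC_SUBNET = "10.0.1.0/24"
FW_PUBLIC_IP = "10.0.1.10"
WINDOWS_IP = "10.0.2.20"
ADMIN_SOURCE = "203.0.113.10/32"   # placeholder for your own public IP; "any" mirrors the post


def vpc_router(cidr):
    """AWS places the implicit VPC router at the first host address of each subnet."""
    return str(list(ipaddress.ip_network(cidr))[1])


def panos_config(public_subnet, fw_public_ip, windows_ip, rdp_source="any"):
    """Return PAN-OS 'set' commands for the data-plane side of this lab."""
    gw = vpc_router(public_subnet)
    return [
        # Data-plane interfaces take their ENI addresses via DHCP. Neither may install
        # a DHCP default route; the one default route is added explicitly below.
        "set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes",
        "set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route no",
        "set network interface ethernet ethernet1/2 layer3 dhcp-client enable yes",
        "set network interface ethernet ethernet1/2 layer3 dhcp-client create-default-route no",
        "set zone Public network layer3 ethernet1/1",
        "set zone Private network layer3 ethernet1/2",
        "set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]",
        # Default route via the VPC router of the public subnet, out of ethernet1/1.
        "set network virtual-router default routing-table ip static-route default "
        f"destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address {gw}",
        "set service tcp-3389 protocol tcp port 3389",
        # SNAT: everything leaving the Private zone is hidden behind ethernet1/1's
        # address, which AWS in turn translates to the Public EIP.
        "set rulebase nat rules SNAT-Private-to-Internet from Private to Public source any "
        "destination any service any source-translation dynamic-ip-and-port "
        "interface-address interface ethernet1/1",
        # DNAT: AWS rewrites EIP -> ethernet1/1's private IP before the packet reaches
        # the firewall, so the pre-NAT destination is fw_public_ip, not the EIP. The
        # 'to' zone is where the packet appears to be headed before translation.
        "set rulebase nat rules DNAT-RDP from Public to Public "
        f"source {rdp_source} destination {fw_public_ip} service tcp-3389 "
        f"destination-translation translated-address {windows_ip}",
        # Security policy is evaluated with the post-NAT zone but the pre-NAT address.
        "set rulebase security rules Allow-RDP-In from Public to Private "
        f"source {rdp_source} destination {fw_public_ip} application ms-rdp "
        "service application-default action allow",
        "set rulebase security rules Allow-Private-Out from Private to Public source any "
        "destination any application any service application-default action allow",
    ]


def commands_using_public_ip(cfg, ip):
    """Names of the rules that match on the firewall's public-interface address."""
    return [line.split()[4] for line in cfg if f"destination {ip}" in line]


def render(cfg):
    """Wrap the commands in a configure/commit session ready to paste into the CLI."""
    return "\n".join(["configure", *cfg, "commit", "exit"]) + "\n"


if __name__ == "__main__":
    print(render(panos_config(PUBLIC_SUBNET, FW_PUBLIC_IP, WINDOWS_IP, ADMIN_SOURCE)))
```

`commands_using_public_ip` makes the point that trips most people up with DNAT on PAN-OS: both the NAT rule and the security rule reference the firewall's own interface address (10.0.1.10), never the Windows VM's address, because security policy sees the pre-NAT destination.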
Back in AWS – EC2 – Security Groups, add inbound RDP and ICMP rules to the Security Group shown below. Inbound traffic to the Public EIP is filtered by the Security Group attached to the PA's Public interface before the firewall ever sees it, so RDP must be permitted there.
![](https://tungle.ca/wp-content/uploads/2022/08/116.png)
Add RDP and ICMP to this Security Group. Restrict the RDP source to your own public IP rather than 0.0.0.0/0 wherever possible.
![](https://tungle.ca/wp-content/uploads/2022/08/129-1024x609.png)
![](https://tungle.ca/wp-content/uploads/2022/08/172.png)
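Because this lab opens RDP from the Internet to reach the Windows VM through the Public EIP, it is worth checking which groups actually expose administrative ports to the whole world. The audit below is an added example, not from the post; its input is constructed in the shape of `aws ec2 describe-security-groups --output json` output with placeholder group IDs, so it runs offline. Feed the real JSON to `audit_json()` to check your own account.

```python
import json

# Ports that should never be reachable from the whole Internet on these instances:
# SSH and HTTPS on the PAN-OS management interface, RDP on the Windows VM.
RISKY_PORTS = {22: "SSH / PAN-OS CLI", 443: "PAN-OS web UI", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and names are placeholders, not the groups from the post.
SAMPLE_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-PLACEHOLDER1", "GroupName": "PaloAltoVM-public-sg",
     "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-PLACEHOLDER2", "GroupName": "WindowsVM-sg",
     "IpPermissions": [
        # "-1" is AWS shorthand for all protocols and all ports
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-PLACEHOLDER3", "GroupName": "wide-open",
     "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]})


def world_cidrs(perm):
    """CIDRs in this rule that mean 'anyone on the Internet' (v4 or v6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in v4 + v6 if c in WORLD)


def exposed_ports(perm):
    """Which RISKY_PORTS this rule admits; '-1' means every protocol and port,
    and a TCP port range is checked for containing each risky port."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return sorted(RISKY_PORTS)
    if proto != "tcp":
        return []
    lo, hi = perm["FromPort"], perm["ToPort"]
    return [p for p in sorted(RISKY_PORTS) if lo <= p <= hi]


def audit(groups):
    """Return (group id, port, service, cidr) for every risky port open to the world."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            for cidr in world_cidrs(perm):
                for port in exposed_ports(perm):
                    findings.append((g["GroupId"], port, RISKY_PORTS[port], cidr))
    return findings


def audit_json(text):
    """Convenience wrapper for raw `describe-security-groups` JSON."""
    return audit(json.loads(text)["SecurityGroups"])


if __name__ == "__main__":
    for gid, port, svc, cidr in audit_json(SAMPLE_JSON):
        print(f"{gid}: {svc} (tcp/{port}) open to {cidr}")
```

The ICMP rule the post adds is not flagged, since it exposes no administrative service; the all-traffic rule on the third group is flagged for every risky port, which is the case a port-only check would miss.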
Now RDP to the Windows VM via the Public EIP.
![](https://tungle.ca/wp-content/uploads/2022/08/126.png)
![](https://tungle.ca/wp-content/uploads/2022/08/127.png)
Disable the Windows Firewall (acceptable for this lab only).
![](https://tungle.ca/wp-content/uploads/2022/08/128.png)
Ping 8.8.8.8 from the Windows instance to confirm that outbound traffic leaves through the PA's SNAT.
![](https://tungle.ca/wp-content/uploads/2022/08/130.png)