Deploy the Palo Alto firewall on Amazon Web Services
This article provides initial steps for deploying Palo Alto Firewall on AWS, but the configuration of advanced features in AWS is beyond the scope of this article.
As the cloud computing world moves fast, network security in the cloud is of prime importance. Enterprises require consistent security in the cloud without sacrificing deployment flexibility and choice. Along with the inline threat prevention capabilities, the integration of the VM-Series virtualized Palo Alto firewall with the newly announced Amazon Web Services (AWS) Virtual Private Cloud (VPC) traffic-mirroring capability gives organizations the following choices:
- To deploy the firewall out-of-band for application visibility.
- To deploy advanced threat detection in the AWS cloud and extend your corporate network.
You can move corporate applications to the cloud, launch additional web servers, or add more compute capacity to your network by connecting your VPC to your corporate network. Because you can host your VPC behind your corporate firewall, you can seamlessly move your IT resources into the cloud without changing how your users access these applications.
The following detailed steps show you how to create and save key pairs, prepare your VPC for different subnets, and create an AWS instance with a Palo Alto image.
Step 1: Create the key pairs
- Log in to your AWS account.
- On the left navigation bar, choose Network & Security -> Key Pairs.
- Create a key pair by giving it a name and saving the key pair. In the
PuTTY® Key Generator, choose type
- Choose the PEM file you created.
- Choose Save private key, but do not enter a passphrase.
- Save the file with a .ppk extension.
- Go to PuTTY. On the left pane, choose SSH and select Auth.
- Click Browse and point PuTTY to the .ppk file that you just created.
- Save the session by clicking Session on the left-hand side of PuTTY and selecting Save.
Step 2: Prepare the VPC
- In AWS, choose Services -> VPC and delete the default subnets.
- Create four new subnets: Management, Inside, Outside, and DMZ. You can choose the IP addresses, but they should be in the VPC address range.
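The constraint in Step 2 (four subnets, all inside the VPC address range) can be checked before you create anything. The following is an added example, not part of the original article: the VPC CIDR and subnet ranges are constructed sample values, and `check_subnet_plan` is a hypothetical helper name. It also applies two AWS rules: IPv4 subnets must be between /16 and /28, and AWS reserves five addresses in every subnet.

```python
import ipaddress

def check_subnet_plan(vpc_cidr, subnets):
    """Validate a {name: cidr} plan; return (problems, usable_hosts_per_subnet)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, usable, seen = [], {}, []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: /{net.prefixlen} is outside the /16-/28 limits")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is not inside VPC {vpc}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
        # AWS reserves the first four addresses and the last one in each subnet.
        usable[name] = max(net.num_addresses - 5, 0)
    return problems, usable

# Constructed sample plans for the four zones named in Step 2.
VPC_CIDR = "10.0.0.0/16"
GOOD_PLAN = {
    "Management": "10.0.0.0/24",
    "Outside": "10.0.1.0/24",
    "Inside": "10.0.2.0/24",
    "DMZ": "10.0.3.0/24",
}
BAD_PLAN = {
    "Management": "10.0.0.0/24",
    "Outside": "10.0.0.128/25",   # overlaps Management
    "Inside": "10.1.2.0/24",      # outside the VPC range
    "DMZ": "10.0.3.0/24",
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        problems, usable = check_subnet_plan(VPC_CIDR, plan)
        print(label, problems or "ok", usable)
```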
Step 3: Select the Palo Alto image
- Log in to your AWS account, go to Services -> EC2, and create an instance.
- Choose AWS Marketplace, and search for Palo Alto.
- Select VM-Series Next Generation Firewall Bundle 2.
Step 4: Create an instance
- Launch a new EC2 instance by clicking the Launch Instance radio button.
- To choose an Amazon Machine Image (AMI), go to AWS Marketplace. On the left-hand side, search for Palo Alto and select VM-Series Next-Generation Firewall Bundle 2.
- Click Select.
- Highlight the instance type M3 Extra Large.
- Click Next: Configure Instance Details.
- Configure the instance details. Select Management for the subnet, auto-assign the Public IP, and click Next: Add Storage.
- Select General Purpose SSD (Solid State Drive) (GP2) Volume type and click Next: Add Tags.
- Keep the default settings for Add Tags and click Next: Configure Security Group, use the Unrestricted Security Group, and click Review and Launch.
- Review all the details of the instance and click Launch.
- Select the key pair that you created previously and click Launch Instances.
- Go to Services -> EC2 -> Instances and validate that the new instance is running.
Configure the VPC
- Go to the VPC dashboard from Services -> VPC -> Subnets.
- Select the Management subnet and choose the Route Table tab.
- Click Edit and associate it with the Outside Routing table to reach it from the Internet. Verify that the new associated Route Entry is listed under Route Table.
Assign an IP address to the instance
- Go to EC2 and select your instance.
- Go to Network & Security on the left-hand side, choose Elastic IPs, and click Allocate new address.
- Click Action -> Associate Address -> Assign the running instance.
- Select an IP address from the drop-down menu to assign it.
- Click Associate.
Test the configuration
Because the management interface is associated with the outside public IP, you should be able to connect to the management interface at the AWS public IP address of the EC2 instance's outside interface by using a PuTTY session or a web browser (for example, https://
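Step 4 attaches an unrestricted security group, and the steps above then give the management interface a public address, so SSH and HTTPS on the firewall are reachable from any source. The following added example (not part of the original article) audits a security group for that condition. The field names follow the JSON returned by `aws ec2 describe-security-groups`; the group IDs and CIDR ranges are constructed, and `world_open_mgmt_rules` is a hypothetical helper name.

```python
import ipaddress

# Ports the article uses to reach the management interface: SSH (PuTTY) and HTTPS.
MGMT_PORTS = (22, 443)

def _allows_tcp_port(perm, port):
    """True if one IpPermissions entry permits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi

def world_open_mgmt_rules(group):
    """Return sorted (port, cidr) pairs where a management port is open to any source."""
    findings = set()
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A /0 prefix (0.0.0.0/0 or ::/0) matches every source address.
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue
            findings.update((p, cidr) for p in MGMT_PORTS if _allows_tcp_port(perm, p))
    return sorted(findings)

# Constructed sample data (hypothetical group IDs; 203.0.113.0/24 is a documentation range).
UNRESTRICTED_SG = {
    "GroupId": "sg-EXAMPLE-open",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
RESTRICTED_SG = {
    "GroupId": "sg-EXAMPLE-mgmt",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

if __name__ == "__main__":
    for sg in (UNRESTRICTED_SG, RESTRICTED_SG):
        print(sg["GroupId"], world_open_mgmt_rules(sg) or "no world-open management ports")
```

An empty result means neither management port is reachable from every address; any returned pair is a rule to narrow to the administrators' source range.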
Create a Palo Alto support account
- Go to support.paloaltonetworks.com and create an account.
- Log in to your Palo Alto support account.
- Click the Assets tab.
- Click Register new device.
- Choose Software Updates to verify that you have access to the software.
By using the steps in this post, you can deploy and provision a Palo Alto firewall in AWS. Be aware that running Palo Alto on AWS is not free: you are charged per hour while the instance is running. The charges cover EC2 and a software license for Palo Alto, which together run around $1.50 an hour. There is also a monthly cost associated with the storage. Make sure you have the budget before you opt for using Palo Alto.
After you have finished working on the instance, ensure that you stop it so that you incur no further charges. Don't terminate the instance, because terminating deletes the instance altogether.