Today, working remotely has never been easier, due to the ubiquity of mobile devices and reliable Internet connectivity. The ease with which a worker can get connected to the corporate network delivers the impression that your co-worker is down the hall, when in fact they are traveling internationally. Global Workplace Analytics’ research shows that increasingly, working remotely is not only commonplace, it is encouraged and has shown to improve productivity.
Studies repeatedly show that workers are not at their desks 50–60% of the time.
With the VM-Series and GlobalProtect™ now available on AWS®, you can protect your mobile workforce and your network from Internet-borne threats while dramatically reducing the administrative effort and costs associated with an appliance-based mobile-security and remote-access solution.
When building a remote-access solution with GlobalProtect, a firewall appliance is deployed with a GlobalProtect subscription and depending on the volume and location of users, additional GlobalProtect instances are deployed. Mobile users connecting to the Gateway are protected by the corporate security policy and are granted secure access to network resources. Additional components of a hardware-based GlobalProtect deployment may include co-location facilities and associated services if a suitable company facility is unavailable. A hardware-based approach to a GlobalProtect infrastructure is a common deployment option; you can now use the globally available AWS infrastructure to eliminate some of the hardware-based dependencies and simplify your GlobalProtect deployment. An added benefit to deploying the VM-Series with GlobalProtect in AWS is that now you can leverage some of the scalability and automation features to build a solution that can dynamically scale to better support any planned or unplanned traffic spikes.
The world you need to secure continues to expand, as both users and applications shift to locations outside of the traditional network perimeter. Security teams face challenges when maintaining visibility into network traffic and enforcing security policies to stop threats. Traditional technologies that were used to protect mobile endpoints, such as host endpoint antivirus software and remote access VPN, are not capable of stopping the advanced techniques employed by today’s more sophisticated attacker.
GlobalProtect safeguards the mobile workforce by inspecting all traffic using the VM-Series Next-Generation Firewall and Threat Prevention services. Laptops, smartphones and tablets with the GlobalProtect app automatically establish a secure SSL/IPsec VPN connection to the VM-Series located in the AWS region that provides the best performance. By eliminating the blind spots in mobile workforce traffic, the organization maintains a consistent view into applications.
Image 1: GlobalProtect ensures policy consistency for all users and devices regardless of location
Deployed as an optional subscription for the VM-Series for AWS, GlobalProtect enables you to enforce security policy consistency for all users, regardless of location. Traffic flowing across a GlobalProtect connection is secured with the native VM-Series security capabilities, which allows you to understand application usage, determine if the content within is malicious, take action accordingly, and then tie the traffic to the user identity. Policies extended to your mobile workforce can help you protect the network in the following ways.
Grant access based on user identity and business need – Granting secure network access to mobile or remote users can be more tightly controlled by including the user identity in the security policy. User profiles can be developed for local users. When they are remote, a different, more restrictive policy can be applied, while different groups, such as finance, can be granted access to confidential data.
In addition to the ability to grant access based on user identity, additional user authentication options can be applied to all users, including Kerberos, RADIUS, LDAP, client certificates and a local user database. Once GlobalProtect authenticates the user, their IP address is immediately provided to the VM-Series for use in the security policy. A range of third-party, multifactor authentication methods are also supported by GlobalProtect, including one-time password tokens, certificates and smart cards through RADIUS integration. These options help organizations strengthen the proof of identity for access to internal data center or SaaS applications.
VM-Series to enforce application policies that only permit access when the endpoint is properly configured and secured. These principles help enforce compliance with policies that govern the amount of access a given user should have with a particular device.
When deployed in conjunction with the VM-Series in AWS, GlobalProtect protects your mobile users and your network from Internet-borne threats of all types. An added benefit of using AWS as your infrastructure for your mobile workforce is a more consistent and reliable user experience as mobile users are connecting to the AWS region that delivers the best performance.
A GlobalProtect deployment consists of two components – a GlobalProtect Portal and a GlobalProtect Gateway. The Portal is used to manage mobile and device security policies, which are pushed out to the Gateways, typically located in closer proximity to the end users. Multiple Gateways are often deployed in regions where there is a high concentration of users and devices. To dynamically scale GlobalProtect in AWS, an AWS Auto Scaling Group with GlobalProtect is first created. Then, using native AWS services and GlobalProtect automation features, additional Gateways are programmatically added or removed as fluctuating traffic patterns dictate. Learn more about the GlobalProtect Portal and Gateway relationship here.
Most organizations will have a firm grasp on the number of mobile users who will be working remotely when building a remote access infrastructure and will take into account traditional daily spikes in usage that may occur, such as in the morning, just after lunch, and perhaps at the end of the day. These spikes are relatively predictable and are typically accommodated through planning and a robust infrastructure. Despite these best efforts, there are several known, but manageable challenges that accompany a hardware-based GlobalProtect infrastructure.
The best-laid capacity plans for your GlobalProtect architecture can be waylaid when an unplanned spike in usage occurs, for example when a severe weather event forces many local users to work remotely, or when a large event, such as the Super Bowl, leads local employees who normally work from the office to work from home. Another type of event that can impact remote network access usability is a large company event, such as an annual kickoff held in a different geographic location, where hundreds, perhaps thousands, of users all need remote network access. The impact from an unplanned (or semi-unplanned) spike in usage can be significant.
To address both planned and unplanned spikes in remote-access traffic, the VM-Series with GlobalProtect can be deployed on AWS, taking full advantage of the global infrastructure and Auto Scaling capabilities. A base set of GlobalProtect instances can be deployed to selected regions, and when traffic demands dictate, new instances can be added and removed.
Image 2: GlobalProtect deployed in AWS to support all users
To build a VM-Series with GlobalProtect Auto Scaling environment, an AWS Auto Scaling group with VM-Series and GlobalProtect is created that is then augmented with additional GlobalProtect Gateways based on user-defined traffic metrics from the VM-Series. Using the VM-Series XML API, traffic metrics are fed to CloudWatch, which in turn will initiate an AWS Lambda function stored in S3 that deploys an additional, fully configured GlobalProtect Gateway. The AWS services used include:
AWS Auto Scaling: A web service designed to launch or terminate Amazon EC2 instances automatically based on user-defined policies, schedules and health checks. The guidelines outlined in this document deploy one or more VM-Series with GlobalProtect in an Auto Scaling group and establish policies to initiate the deployment or removal of a GlobalProtect Gateway based on metrics collected in real time. More details about AWS Auto Scaling.
In addition to the VM-Series and GlobalProtect features mentioned earlier, the PAN-OS features used to enable the Auto Scaling GlobalProtect on AWS solution include:
Read about XML API.
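The XML API to CloudWatch metric feed described above, as an added example that is not part of the original paper or of the Palo Alto Networks template: a Python sketch of the Lambda polling logic that reads the active and maximum session counts from a `show session info` reply and shapes them into a `put_metric_data` payload. The sample replies are constructed; the metric names, namespace and dimension choices are assumptions.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS XML API reply to the operational command
# <show><session><info/></session></show>, trimmed to the elements read below.
SAMPLE_SESSION_INFO = """<response status="success"><result>
<num-max>262144</num-max>
<num-active>51200</num-active>
</result></response>"""

# Constructed sample of the reply returned for a rejected API key.
SAMPLE_ERROR = """<response status="error" code="403"><result>
<msg>Invalid Credential</msg></result></response>"""


def xml_api_op(host, api_key, cmd_xml):
    """Issue an operational command over the XML API (type=op); not used offline."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    with urllib.request.urlopen("https://%s/api/?%s" % (host, query), timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_session_info(xml_text):
    """Return active and maximum session counts from a `show session info` reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":  # bad key or bad command arrives as status="error"
        raise ValueError("XML API call failed: %s" % (root.findtext(".//msg") or root.get("status")))
    result = root.find("result")
    return {"active": int(result.findtext("num-active")), "maximum": int(result.findtext("num-max"))}


def build_metric_data(counts, instance_id, asg_name):
    """Shape the counts into the MetricData list that CloudWatch put_metric_data expects.
    Tagging each datapoint with the Auto Scaling group name (assumed dimension) lets one
    alarm on the aggregate across all gateways drive scale-out and scale-in."""
    dims = [{"Name": "AutoScalingGroupName", "Value": asg_name}, {"Name": "InstanceId", "Value": instance_id}]
    utilization = round(100.0 * counts["active"] / counts["maximum"], 2)
    return [
        {"MetricName": "ActiveSessions", "Dimensions": dims, "Value": counts["active"], "Unit": "Count"},
        {"MetricName": "SessionUtilization", "Dimensions": dims, "Value": utilization, "Unit": "Percent"},
    ]


def collect(fetch_xml, instance_id, asg_name, namespace="VMSeries/GlobalProtect"):
    """One poll of a gateway: fetch -> parse -> put_metric_data payload.
    fetch_xml is injected so the logic runs offline; in Lambda it would wrap xml_api_op()
    and the returned dict would be passed to boto3's cloudwatch.put_metric_data(**payload)."""
    counts = parse_session_info(fetch_xml())
    return {"Namespace": namespace, "MetricData": build_metric_data(counts, instance_id, asg_name)}
```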
The VM-Series can be licensed using a consumption-based model directly from AWS Marketplace, or as a traditional, bring-your-own-license (BYOL) model.
Next-Generation Firewall and select Subscriptions and Premium Support as a bundle directly through your AWS Management console on either an hourly or annual payment structure.
For purposes of this paper, the consumption-based Bundle 2 is used (and recommended) to accommodate the ability to add and remove VM-Series and GlobalProtect instances on demand.
To deploy the VM-Series with GlobalProtect Auto Scaling solution, the user needs to first establish the base AWS infrastructure, then deploy the GlobalProtect CloudFormation Template as defined below, then test the scaling capability.
Building out the AWS infrastructure to support the solution is very straightforward and entails selecting an AWS region, downloading the package files and creating the requisite S3 buckets.
Image 3: Github resources for the GlobalProtect Auto Scaling deployment
Creating S3 buckets: With the region chosen, create the following S3 buckets:
The initial GlobalProtect Auto Scaling solution is created by deploying the AWS CloudFormation Template (gp-asg.json) within the AWS console. The template will create all resources needed, along with an AWS Auto Scaling group for GlobalProtect Gateways. The GlobalProtect Auto Scaling Solution will have a minimum of one bootstrapped VM-Series with GlobalProtect
Image 4: Initial VM-Series and GlobalProtect on AWS
The template will also initiate AWS Lambda functions that will periodically poll the GlobalProtect Gateway instances in the Auto Scaling group and gather metrics, publishing them to Amazon CloudWatch. Once the solution is deployed, the topology should be similar to the image shown.
Once the initial GlobalProtect Auto Scaling solution is deployed, it will begin publishing active-session metrics to Amazon CloudWatch using the VM-Series XML API and AWS Lambda functions. The initial metric published and used to initiate a scaling event will be “maximum firewall sessions.” Other custom metrics that can also be used to drive scaling events include the number of active GlobalProtect users, data plane CPU utilization, and management plane CPU utilization. As discussed earlier, an Auto Scaling event can be:
Image 5: As more users access GlobalProtect, additional Gateways are added to the ASG
As more mobile employees use GlobalProtect to access corporate resources, CloudWatch continuously monitors the VM-Series based on session count and acts accordingly, based on the thresholds set. When the configured threshold metrics are met or exceeded, a scale-out event initiates the deployment of an additional GlobalProtect Gateway. For instance, if CloudWatch is monitoring the total number of active sessions and the session limit threshold is exceeded:
As the number of sessions falls to the minimum threshold set, the scaling policy executes a scale-in event, in which GlobalProtect Gateways are removed from the Auto Scaling Group. When GlobalProtect Gateways are removed by the scale-in policy, the instance to terminate is selected randomly, which can result in the removal of a GlobalProtect Gateway with a sizable number of users attached to it.
There are several options to mitigate this:
Regardless of the scale-in approach taken, the Auto Scaling Group will honor the minimum number of GlobalProtect Gateways configured.
GlobalProtect enables you to extend your corporate security policies to all users, regardless of location and device type. To that end, an added consideration will be the type of connection that is established from your corporate network to AWS. One option to consider is to use the IPsec VPN capabilities in the VM-Series, while a second option would be to use AWS Direct Connect. Direct Connect provides a mechanism for customers to establish a dedicated network connection from their own premises to AWS. This provides dedicated connectivity with the performance levels granted by the customer’s service provider. The dedicated connection terminates on customer-managed hardware located in an AWS Direct Connect location. From that point, one or more 802.1Q VLANs are used to complete the connection into the customer VPCs.
Many AWS customers prefer that the entire connection be IPsec-encrypted all the way into the VPC – even when Direct Connect is used. This provides an extra layer of security for their network traffic. In this scenario, the deployment looks no different from the perspective of the VM-Series firewall than if the Internet had been used instead of Direct Connect. In either case, the solution is the same, including routing, redundancy, managed scale, etc. For maximum security and flexibility in a hybrid cloud architecture, IPsec tunnels terminating on the VM-Series firewall are recommended, including where Direct Connect is used. Find more information about Direct Connect.
The VM-Series can be managed in a 1:1 manner via the web UI or a full command line interface (CLI). To manage multiple instances of the VM-Series, perhaps in combination with one or more Palo Alto Networks hardware firewalls, Panorama™ network security management provides centralized visibility into traffic patterns, logging and reporting, as well as a mechanism to manage all of your security policies across all devices. Additional information on Panorama.
A detailed deployment guide that walks you through the process of setting up the base infrastructure, creating S3 buckets, deploying the template, and generating scale events is available here. The deployment guide can be used to deploy a scalable VM-Series with GlobalProtect environment. Alternatively, it can be used to deploy a single VM-Series with GlobalProtect instance for smaller-scale operations by setting the desired, minimum and maximum quantities to one. If scaling is needed, those parameters can be increased based on projected need.
CloudFormation Template Support Policy: The GlobalProtect Auto Scaling CloudFormation Template is released under an as-is, best-effort support policy. These templates should be seen as community supported, and Palo Alto Networks will contribute its expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, ASC (Authorized Support Centers) partners, and backline support options. The underlying product used by the scripts or templates (the VM-Series firewall) is still supported, but the support is only for the product functionality and not for help in deploying or using the template or script itself. Unless explicitly tagged, all projects or work posted in AWS S3, GitHub or sites other than our official Downloads page at https://support.paloaltonetworks.com/ are provided under the best-effort policy.
Combining the VM-Series GlobalProtect with the global AWS infrastructure allows you to extend your corporate network security policies to all users, regardless of their location or device type. Integration with AWS Auto Scaling introduces the ability to allow GlobalProtect to dynamically adapt to fluctuating traffic patterns in a manner that is more efficient and more cost effective than an alternative hardware-based deployment.